YAMAHA, Network

Tagged VLANs with the RTX1210 and SWX2200

Hi there, Yu the LAN cable craftsman here!

This time, let's build a network using tagged VLANs on a YAMAHA RTX1210 and an SWX2200!

What does a VLAN get you?

VLAN stands for Virtual LAN: a feature that carves one physical network into several virtual ones.

  1. Network separation for security
     Keep the Sales department from reaching General Affairs, or put guest Wi-Fi on a network of its own.
  2. Containing broadcasts such as ARP requests
     A VLAN bounds the broadcast domain, so every host spends less CPU on broadcasts it has no interest in. Start thinking about VLANs once you approach 100 clients.

VLANs are all upside; a handy feature you really can't do without!

 

Router: RTX1210

The post labels the networks VLAN1 through VLAN7; the 802.1Q VIDs actually configured are 101 through 107.

  • VLAN1 (VID 101)
    192.168.101.0/24
  • VLAN2 (VID 102)
    192.168.102.0/24
  • VLAN3 (VID 103)
    192.168.103.0/24
  • VLAN4 (VID 104)
    192.168.104.0/24
  • VLAN5 (VID 105)
    192.168.105.0/24
  • VLAN6 (VID 106)
    192.168.106.0/24
  • VLAN7 (VID 107)
    192.168.107.0/24

Port layout

  • LAN1
    192.168.100.0/24 (untagged)
  • LAN1/1
    Link to the L2 switch (in the config, lan1/1 through lan1/7 are the 802.1Q tagged sub-interfaces carried over LAN1, one per VID)
  • LAN2
    WAN, the NURO line

 

 

L2 switch: SWX2200-8G

  • Port 1: VLAN1 (VID 101)
  • Port 2: VLAN2 (VID 102)
  • Port 3: VLAN3 (VID 103)
  • Port 4: VLAN4 (VID 104)
  • Port 5: VLAN5 (VID 105)
  • Port 6: VLAN6 (VID 106)
  • Port 7: VLAN7 (VID 107)
  • Port 8: uplink to the router (trunk carrying VIDs 101 to 107)

VLAN1 through VLAN7 are isolated from one another. Note what the isolation rests on: the switch keeps the VLANs apart at layer 2, and the router's secure filter in lists on lan1/1 through lan1/7 reject routed traffic between the seven VLAN subnets. Those reject rules cover only the 192.168.101.0/24 to 192.168.107.0/24 ranges; a packet from a VLAN host to the untagged LAN1 network 192.168.100.0/24 matches none of them and falls through to the pass-all filter 600042. Add a reject for 192.168.100.0/24 as well if that segment is meant to be off-limits to the VLANs.

console character ja.utf8
ip route default gateway dhcp lan2
ip keepalive 1 icmp-echo 10 5 dhcp lan2
ip lan1 address 192.168.100.1/24
switch control use lan1 on terminal=on
vlan lan1/1 802.1q vid=101 name=VLAN101
ip lan1/1 address 192.168.101.1/24
ip lan1/1 secure filter in 600000 600001 600002 600003 600004 600005 600042
vlan lan1/2 802.1q vid=102 name=VLAN102
ip lan1/2 address 192.168.102.1/24
ip lan1/2 secure filter in 600006 600007 600008 600009 600010 600011 600042
vlan lan1/3 802.1q vid=103 name=VLAN103
ip lan1/3 address 192.168.103.1/24
ip lan1/3 secure filter in 600012 600013 600014 600015 600016 600017 600042
vlan lan1/4 802.1q vid=104 name=VLAN104
ip lan1/4 address 192.168.104.1/24
ip lan1/4 secure filter in 600018 600019 600020 600021 600022 600023 600042
vlan lan1/5 802.1q vid=105 name=VLAN105
ip lan1/5 address 192.168.105.1/24
ip lan1/5 secure filter in 600024 600025 600026 600027 600028 600029 600042
vlan lan1/6 802.1q vid=106 name=VLAN106
ip lan1/6 address 192.168.106.1/24
ip lan1/6 secure filter in 600030 600031 600032 600033 600034 600035 600042
vlan lan1/7 802.1q vid=107 name=VLAN107
ip lan1/7 address 192.168.107.1/24
ip lan1/7 secure filter in 600036 600037 600038 600039 600040 600041 600042
description lan2 NURO_LAN2
ip lan2 address dhcp
ip lan2 secure filter in 101003 101020 101021 101022 101023 101024 101025 101030 101032
ip lan2 secure filter out 101013 101020 101021 101022 101023 101024 101025 101026 101027 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ip lan2 nat descriptor 200
ip filter 101000 reject 10.0.0.0/8 * * * *
ip filter 101001 reject 172.16.0.0/12 * * * *
ip filter 101002 reject 192.168.0.0/16 * * * *
ip filter 101003 reject 192.168.100.0/24 * * * *
ip filter 101010 reject * 10.0.0.0/8 * * *
ip filter 101011 reject * 172.16.0.0/12 * * *
ip filter 101012 reject * 192.168.0.0/16 * * *
ip filter 101013 reject * 192.168.100.0/24 * * *
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101025 reject * * udp,tcp * 445
ip filter 101026 restrict * * tcpfin * www,21,nntp
ip filter 101027 restrict * * tcprst * www,21,nntp
ip filter 101030 pass * 192.168.100.0/24 icmp * *
ip filter 101031 pass * 192.168.100.0/24 established * *
ip filter 101032 pass * 192.168.100.0/24 tcp * ident
ip filter 101033 pass * 192.168.100.0/24 tcp ftpdata *
ip filter 101034 pass * 192.168.100.0/24 tcp,udp * domain
ip filter 101035 pass * 192.168.100.0/24 udp domain *
ip filter 101036 pass * 192.168.100.0/24 udp * ntp
ip filter 101037 pass * 192.168.100.0/24 udp ntp *
ip filter 101099 pass * * * * *
ip filter 600000 reject 192.168.101.0/24 192.168.102.0/24
ip filter 600001 reject 192.168.101.0/24 192.168.103.0/24
ip filter 600002 reject 192.168.101.0/24 192.168.104.0/24
ip filter 600003 reject 192.168.101.0/24 192.168.105.0/24
ip filter 600004 reject 192.168.101.0/24 192.168.106.0/24
ip filter 600005 reject 192.168.101.0/24 192.168.107.0/24
ip filter 600006 reject 192.168.102.0/24 192.168.101.0/24
ip filter 600007 reject 192.168.102.0/24 192.168.103.0/24
ip filter 600008 reject 192.168.102.0/24 192.168.104.0/24
ip filter 600009 reject 192.168.102.0/24 192.168.105.0/24
ip filter 600010 reject 192.168.102.0/24 192.168.106.0/24
ip filter 600011 reject 192.168.102.0/24 192.168.107.0/24
ip filter 600012 reject 192.168.103.0/24 192.168.101.0/24
ip filter 600013 reject 192.168.103.0/24 192.168.102.0/24
ip filter 600014 reject 192.168.103.0/24 192.168.104.0/24
ip filter 600015 reject 192.168.103.0/24 192.168.105.0/24
ip filter 600016 reject 192.168.103.0/24 192.168.106.0/24
ip filter 600017 reject 192.168.103.0/24 192.168.107.0/24
ip filter 600018 reject 192.168.104.0/24 192.168.101.0/24
ip filter 600019 reject 192.168.104.0/24 192.168.102.0/24
ip filter 600020 reject 192.168.104.0/24 192.168.103.0/24
ip filter 600021 reject 192.168.104.0/24 192.168.105.0/24
ip filter 600022 reject 192.168.104.0/24 192.168.106.0/24
ip filter 600023 reject 192.168.104.0/24 192.168.107.0/24
ip filter 600024 reject 192.168.105.0/24 192.168.101.0/24
ip filter 600025 reject 192.168.105.0/24 192.168.102.0/24
ip filter 600026 reject 192.168.105.0/24 192.168.103.0/24
ip filter 600027 reject 192.168.105.0/24 192.168.104.0/24
ip filter 600028 reject 192.168.105.0/24 192.168.106.0/24
ip filter 600029 reject 192.168.105.0/24 192.168.107.0/24
ip filter 600030 reject 192.168.106.0/24 192.168.101.0/24
ip filter 600031 reject 192.168.106.0/24 192.168.102.0/24
ip filter 600032 reject 192.168.106.0/24 192.168.103.0/24
ip filter 600033 reject 192.168.106.0/24 192.168.104.0/24
ip filter 600034 reject 192.168.106.0/24 192.168.105.0/24
ip filter 600035 reject 192.168.106.0/24 192.168.107.0/24
ip filter 600036 reject 192.168.107.0/24 192.168.101.0/24
ip filter 600037 reject 192.168.107.0/24 192.168.102.0/24
ip filter 600038 reject 192.168.107.0/24 192.168.103.0/24
ip filter 600039 reject 192.168.107.0/24 192.168.104.0/24
ip filter 600040 reject 192.168.107.0/24 192.168.105.0/24
ip filter 600041 reject 192.168.107.0/24 192.168.106.0/24
ip filter 600042 pass * *
ip filter dynamic 101080 * * ftp
ip filter dynamic 101081 * * domain
ip filter dynamic 101082 * * www
ip filter dynamic 101083 * * smtp
ip filter dynamic 101084 * * pop3
ip filter dynamic 101085 * * submission
ip filter dynamic 101098 * * tcp
ip filter dynamic 101099 * * udp
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.2-192.168.100.191/24
dhcp scope 10101 192.168.101.2-192.168.101.191/24
dhcp scope 10102 192.168.102.2-192.168.102.191/24
dhcp scope 10103 192.168.103.2-192.168.103.191/24
dhcp scope 10104 192.168.104.2-192.168.104.191/24
dhcp scope 10105 192.168.105.2-192.168.105.191/24
dhcp scope 10106 192.168.106.2-192.168.106.191/24
dhcp scope 10107 192.168.107.2-192.168.107.191/24
dhcp client hostname lan2 primary NURO_DHCP
dns host lan1 lan1/1 lan1/2 lan1/3 lan1/4 lan1/5 lan1/6 lan1/7
dns server dhcp lan2
dns server select 500201 dhcp lan2 any .
dns private address spoof on
schedule at 1 */* 00:00:00 * ntpdate ntp.nict.jp syslog
httpd host lan1
dashboard accumulate traffic on
switch select 00:xx:xx:xx:xx:30
 switch control function set vlan-port-mode 8 hybrid
 switch control function set vlan-access 1 101
 switch control function set vlan-access 2 102
 switch control function set vlan-access 3 103
 switch control function set vlan-access 4 104
 switch control function set vlan-access 5 105
 switch control function set vlan-access 6 106
 switch control function set vlan-access 7 107
 switch control function set vlan-trunk 8 101 join
 switch control function set vlan-trunk 8 102 join
 switch control function set vlan-trunk 8 103 join
 switch control function set vlan-trunk 8 104 join
 switch control function set vlan-trunk 8 105 join
 switch control function set vlan-trunk 8 106 join
 switch control function set vlan-trunk 8 107 join

 

 

A common request

  • Only VLAN1 and VLAN2 should be able to reach each other.
  • Traffic between all the other VLANs should stay blocked.

Let's get cooking!

Here are the two filters between VLAN1 and VLAN2...

 

ip filter 600000 reject 192.168.101.0/24 192.168.102.0/24
ip filter 600006 reject 192.168.102.0/24 192.168.101.0/24

...and here is where they are applied, so change this...

ip lan1/1 secure filter in 600000 600001 600002 600003 600004 600005 600042
ip lan1/2 secure filter in 600006 600007 600008 600009 600010 600011 600042

...to this!

ip lan1/1 secure filter in 600001 600002 600003 600004 600005 600042
ip lan1/2 secure filter in 600007 600008 600009 600010 600011 600042

Both directions have to come out of the lists: these static filters are stateless and are evaluated per packet on each ingress interface, so dropping only 600000 would let VLAN1's requests reach VLAN2 while 600006 still discarded the replies. The filter definitions themselves can stay in the config; what matters is which numbers each interface's secure filter in line references.

Now ping from VLAN1 to VLAN2.

Yes, it goes through!
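As an added example (not the author's configuration or code), here is a small Python script that rebuilds the isolation rule set from the VID list, applies the VLAN1/VLAN2 exception from this section, and evaluates sample packets the way the RTX evaluates a static filter list: the first matching rule decides, and a packet that matches nothing is discarded. The sample addresses are constructed; the only assumption is the post's own mapping of VID 101 to 107 onto 192.168.101.0/24 to 192.168.107.0/24 on lan1/1 to lan1/7. It also makes the caveat from the isolation section visible: because none of the 6000xx rules mention 192.168.100.0/24, a VLAN host's packet to the untagged LAN1 network falls through to 600042 and is passed.

```python
"""Rebuild and evaluate the RTX inter-VLAN filter set.

Added example, not the post's own code. Assumes only the post's addressing
plan: VID 101..107 <-> 192.168.101.0/24 .. 192.168.107.0/24 on lan1/1 .. lan1/7.
"""
from ipaddress import ip_address, ip_network

VIDS = [101, 102, 103, 104, 105, 106, 107]
PASS_ALL = 600042       # 'ip filter 600042 pass * *' in the post
FIRST_REJECT = 600000   # the 6000xx reject block starts here


def subnet(vid):
    """VID 101 -> 192.168.101.0/24, as in the post's addressing plan."""
    return ip_network(f"192.168.{vid}.0/24")


def build_filters(vids=VIDS, allow_pairs=()):
    """Return (filters, chains).

    filters: {number: (action, src_net_or_None, dst_net_or_None)}
    chains:  {"lan1/<i>": [filter numbers applied with 'secure filter in']}

    allow_pairs lists VID pairs that may talk to each other. Their reject
    rules are left out of the chain in *both* directions (the definitions
    are kept, exactly as the post does) because static filters are
    stateless: keeping one direction would discard the replies.
    """
    allowed = {frozenset(p) for p in allow_pairs}
    filters, chains = {}, {}
    number = FIRST_REJECT
    for i, src in enumerate(vids, start=1):
        chain = []
        for dst in vids:
            if dst == src:
                continue
            filters[number] = ("reject", subnet(src), subnet(dst))
            if frozenset((src, dst)) not in allowed:
                chain.append(number)
            number += 1
        chain.append(PASS_ALL)
        chains[f"lan1/{i}"] = chain
    filters[PASS_ALL] = ("pass", None, None)
    return filters, chains


def render(filters, chains):
    """Emit config lines in the same form the post uses."""
    lines = [f"ip {iface} secure filter in " + " ".join(map(str, chain))
             for iface, chain in chains.items()]
    for number in sorted(filters):
        action, src, dst = filters[number]
        src_s = "*" if src is None else str(src)
        dst_s = "*" if dst is None else str(dst)
        lines.append(f"ip filter {number} {action} {src_s} {dst_s}")
    return lines


def evaluate(filters, chain, src_ip, dst_ip):
    """RTX static-filter semantics: first matching rule decides; a packet
    that matches no rule in the list is discarded."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for number in chain:
        action, src, dst = filters[number]
        if (src is None or s in src) and (dst is None or d in dst):
            return action
    return "reject"


def is_allowed(filters, chains, src_ip, dst_ip, vids=VIDS):
    """Pick the ingress sub-interface from the source subnet, then run that
    interface's 'secure filter in' chain over the packet."""
    s = ip_address(src_ip)
    for i, vid in enumerate(vids, start=1):
        if s in subnet(vid):
            return evaluate(filters, chains[f"lan1/{i}"], src_ip, dst_ip) == "pass"
    raise ValueError(f"{src_ip} is not in any tagged VLAN subnet")


if __name__ == "__main__":
    filters, chains = build_filters(allow_pairs=[(101, 102)])
    print("\n".join(render(filters, chains)))
    # Constructed sample hosts, one per question the post raises.
    for src, dst in [("192.168.101.5", "192.168.102.7"),    # the exception
                     ("192.168.102.7", "192.168.101.5"),    # and its replies
                     ("192.168.101.5", "192.168.103.7"),    # still isolated
                     ("192.168.101.5", "192.168.100.10")]:  # caveat: passes
        verdict = "pass" if is_allowed(filters, chains, src, dst) else "reject"
        print(f"{src} -> {dst}: {verdict}")
```

Running it with no allow_pairs reproduces the original seven secure filter in lines exactly; with (101, 102) allowed it reproduces the two changed lines from this section while leaving 600000 and 600006 defined but unreferenced.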

 

 

# show config

(Identical to the configuration listed earlier, apart from the two secure filter in lines below, which no longer reference 600000 and 600006. The definitions ip filter 600000 and ip filter 600006 are still present in the config; they are simply not applied to any interface.)

ip lan1/1 secure filter in 600001 600002 600003 600004 600005 600042
ip lan1/2 secure filter in 600007 600008 600009 600010 600011 600042

 

 

The filter side of the config feels simpler than with port-based VLANs (*’∀’人)

 

Setting passwords

Both passwords are unset out of the box, so set them before the router goes live. login password is checked at ordinary login; administrator password is the one checked when you enter administrator mode to change the configuration. The encrypted keyword stores them in the config in encrypted form rather than as clear text.

# login password encrypted

Old_Password:
New_Password:
New_Password:


# administrator password encrypted

Old_Password:
New_Password:
New_Password:

 

 

Factory reset

RTX1210

Power on while holding down the microSD, USB, and DOWNLOAD buttons.

SWX2200

Power on while holding down the MODE button.

 

 
