YAMAHA, ネットワーク

RTX1200+SWX2200 VLAN双方向フィルター設定

 

設定

  • RTX1200とL2スイッチのポート接続
    RTX1200のLAN1から、SWX2200の8ポートにタグVLANで接続

    switch select lan1:8

  • ネットワーク
    LAN1:192.168.1.0/24
    WAN LAN3:DHCP ネットワーク接続型プロバイダ NURO
  • VLANネットワーク
    VLAN121:192.168.121.0/24
    VLAN131:192.168.131.0/24
    VLAN132:192.168.132.0/24
    VLAN133:192.168.133.0/24
  • フィルター
    VLANに所属しているネットワーク同士は、双方向で通信を不可とします。
    各VLANのIN側から他のVLANにパケット送信を不可にすることで実装可能

 

 

完成 シンプルコンフィグ

console character ascii
login timer 1200
ip route default gateway dhcp lan3
ip keepalive 1 icmp-echo 10 5 dhcp lan3
ip lan1 address 192.168.1.251/24
ip lan1 proxyarp on
switch control use lan1 on
vlan lan1/1 802.1q vid=131 name=VLAN131
ip lan1/1 address 192.168.131.1/24
ip lan1/1 secure filter in 600011 600012 600013 200000
vlan lan1/2 802.1q vid=132 name=VLAN132
ip lan1/2 address 192.168.132.1/24
ip lan1/2 secure filter in 600021 600022 600023 200000
vlan lan1/3 802.1q vid=133 name=VLAN133
ip lan1/3 address 192.168.133.1/24
ip lan1/3 secure filter in 600031 600032 600033 200000
vlan lan1/4 802.1q vid=121 name=VLAN121
ip lan1/4 address 192.168.121.1/24
ip lan1/4 secure filter in 600000 600001 600002 200000
ip lan3 address dhcp
ip lan3 secure filter in 101020 101021 101022 101023 101024 200000
ip lan3 nat descriptor 200
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 102001 pass * 192.168.1.0/24 tcp www
ip filter 200000 pass * *
ip filter 600000 reject 192.168.121.0/24 192.168.131.0/24 
ip filter 600001 reject 192.168.121.0/24 192.168.132.0/24 
ip filter 600002 reject 192.168.121.0/24 192.168.133.0/24 
ip filter 600011 reject 192.168.131.0/24 192.168.121.0/24
ip filter 600012 reject 192.168.131.0/24 192.168.132.0/24
ip filter 600013 reject 192.168.131.0/24 192.168.133.0/24
ip filter 600021 reject 192.168.132.0/24 192.168.121.0/24
ip filter 600022 reject 192.168.132.0/24 192.168.131.0/24
ip filter 600023 reject 192.168.132.0/24 192.168.133.0/24
ip filter 600031 reject 192.168.133.0/24 192.168.121.0/24
ip filter 600032 reject 192.168.133.0/24 192.168.131.0/24
ip filter 600033 reject 192.168.133.0/24 192.168.132.0/24
nat descriptor log on
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.2-192.168.1.150/24 expire 4:00 maxexpire 4:00
dhcp scope 121 192.168.121.2-192.168.121.93/24 expire 4:00 maxexpire 4:00
dhcp scope 131 192.168.131.2-192.168.131.93/24 expire 4:00 maxexpire 4:00
dhcp scope 132 192.168.132.2-192.168.132.93/24 expire 4:00 maxexpire 4:00
dhcp scope 133 192.168.133.2-192.168.133.93/24 expire 4:00 maxexpire 4:00
dhcp scope option 1 dns=8.8.8.8,1.1.1.1
dhcp scope option 121 dns=8.8.8.8,1.1.1.1
dhcp scope option 131 dns=8.8.8.8,1.1.1.1
dhcp scope option 132 dns=8.8.8.8,1.1.1.1
dhcp scope option 133 dns=8.8.8.8,1.1.1.1
dns host lan
dns server 8.8.8.8 1.1.1.1
dns server dhcp lan3
dns server select 500201 dhcp lan3 any .
dns private address spoof on
switch select lan1:8
 switch control function set vlan-port-mode 8 hybrid
 switch control function set vlan-access 1 121
 switch control function set vlan-access 2 121
 switch control function set vlan-access 3 131
 switch control function set vlan-access 4 131
 switch control function set vlan-access 5 132
 switch control function set vlan-access 6 132
 switch control function set vlan-access 7 133
 switch control function set vlan-trunk 8 121 join
 switch control function set vlan-trunk 8 131 join
 switch control function set vlan-trunk 8 132 join
 switch control function set vlan-trunk 8 133 join

 

 

言語とログインタイマー

login timer 1200
console character ascii

 

LAN1ネットワーク設定

ip lan1 address 192.168.1.251/24

 

 

LAN3 WAN設定+DNS設定+フィルター

ip route default gateway dhcp lan3
ip keepalive 1 icmp-echo 10 5 dhcp lan3
ip lan3 address dhcp
ip lan3 nat descriptor 200
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary

dns host lan
dns server 8.8.8.8 1.1.1.1
dns server dhcp lan3
dns server select 500201 dhcp lan3 any .
dns private address spoof on

ip lan3 secure filter in 101020 101021 101022 101023 101024 200000
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 102001 pass * 192.168.1.0/24 tcp www
ip filter 200000 pass * *

 

 

DHCPスコープ、DNS配布設定

dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.2-192.168.1.150/24 expire 4:00 maxexpire 4:00
dhcp scope 121 192.168.121.2-192.168.121.93/24 expire 4:00 maxexpire 4:00
dhcp scope 131 192.168.131.2-192.168.131.93/24 expire 4:00 maxexpire 4:00
dhcp scope 132 192.168.132.2-192.168.132.93/24 expire 4:00 maxexpire 4:00
dhcp scope 133 192.168.133.2-192.168.133.93/24 expire 4:00 maxexpire 4:00
dhcp scope option 1 dns=8.8.8.8,1.1.1.1
dhcp scope option 121 dns=8.8.8.8,1.1.1.1
dhcp scope option 131 dns=8.8.8.8,1.1.1.1
dhcp scope option 132 dns=8.8.8.8,1.1.1.1
dhcp scope option 133 dns=8.8.8.8,1.1.1.1

 

 

VLAN双方向通信不可 フィルター設定

@see http://blog.sidetech.jp/2014/12/yamaha-rtx-ip-f.html

ip filter 600000 reject 192.168.121.0/24 192.168.131.0/24 
ip filter 600001 reject 192.168.121.0/24 192.168.132.0/24 
ip filter 600002 reject 192.168.121.0/24 192.168.133.0/24 
ip filter 600011 reject 192.168.131.0/24 192.168.121.0/24
ip filter 600012 reject 192.168.131.0/24 192.168.132.0/24
ip filter 600013 reject 192.168.131.0/24 192.168.133.0/24
ip filter 600021 reject 192.168.132.0/24 192.168.121.0/24
ip filter 600022 reject 192.168.132.0/24 192.168.131.0/24
ip filter 600023 reject 192.168.132.0/24 192.168.133.0/24
ip filter 600031 reject 192.168.133.0/24 192.168.121.0/24
ip filter 600032 reject 192.168.133.0/24 192.168.131.0/24
ip filter 600033 reject 192.168.133.0/24 192.168.132.0/24

ip lan1/1 secure filter in 600011 600012 600013 200000
ip lan1/2 secure filter in 600021 600022 600023 200000
ip lan1/3 secure filter in 600031 600032 600033 200000
ip lan1/4 secure filter in 600000 600001 600002 200000

 

 

VLANネットワーク設定

vlan lan1/1 802.1q vid=131 name=VLAN131
ip lan1/1 address 192.168.131.1/24

vlan lan1/2 802.1q vid=132 name=VLAN132
ip lan1/2 address 192.168.132.1/24

vlan lan1/3 802.1q vid=133 name=VLAN133
ip lan1/3 address 192.168.133.1/24

vlan lan1/4 802.1q vid=121 name=VLAN121
ip lan1/4 address 192.168.121.1/24

 

 

VLAN SWX2200 L2スイッチ設定

switch select lan1:8
switch control function set vlan-port-mode 8 hybrid
switch control function set vlan-access 1 121
 switch control function set vlan-access 2 121
 switch control function set vlan-access 3 131
 switch control function set vlan-access 4 131
 switch control function set vlan-access 5 132
 switch control function set vlan-access 6 132
 switch control function set vlan-access 7 133
 switch control function set vlan-trunk 8 121 join
 switch control function set vlan-trunk 8 131 join
 switch control function set vlan-trunk 8 132 join
 switch control function set vlan-trunk 8 133 join

 

 

 

 

 

 

爆速レンタルサーバならConoHa WING

 

サーバはプロに全部お任せ!「仕事」に専念したいあなたにおすすめです。

   

ConoHa VPSで運営してま🐱

 

サーバの勉強がしたいあなたにおすすめ!現役エンジニアの管理人が選んだ、WordPress運用に適したVPSの終着点

   

ConoHa VPSで爆速WordPressを作ろう! 

 

Laravel, AWS ポートフォリオ作成サポート! 定員3名

https://menta.work/plan/2381

Laravel, AWSによるポートフォリオ作成を通して、エンジニア転職をサポートします

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です

日本語が含まれない投稿は無視されますのでご注意ください。(スパム対策)