Single-port 2600 router with a 2900XL switch


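I have a setup where a single-port 2600 router is on port 0/2 of the switch, the external network is on port 0/1, and the rest (0/3-0/24) should be clients of a second network managed by the 2600 router.

I configured everything with two VLANs: 100 for the outside (0/2-0/24) and 200 for the inside (0/1-0/2). 0/2 is the trunk port for both VLANs.

The problem that arose is that I cannot bring both VLANs up at the same time: the software does not allow it.

Right now I can ping external network devices (172.16.7.1, 172.16.7.103) and even Google (8.8.8.8) from the router, but I cannot ping the switch. Connected devices get their DHCP leases correctly, but cannot ping outside the network; they can only ping the router, 172.17.7.1, and the switch itself, 172.17.7.7.

The configurations of both the router and the switch are here, as well as below.

Router: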

rt.throom#sho run
Building configuration...

Current configuration : 1015 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rt.throom
!
enable password To053cret
!
!
!
!
!
no ip subnet-zero
ip dhcp excluded-address 172.17.7.1 172.17.7.2
ip dhcp excluded-address 172.17.7.3 172.17.7.4
ip dhcp excluded-address 172.17.7.5
!
ip dhcp pool VLAN200
   network 172.17.7.0 255.255.255.0
   default-router 172.17.7.1
   dns-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.100
 encapsulation dot1Q 100
 ip address 172.16.7.15 255.255.255.0
 ip nat outside
!
interface Ethernet0/0.200
 encapsulation dot1Q 200
 ip address 172.17.7.1 255.255.255.0
 ip nat inside
!
router eigrp 20
 network 172.16.0.0
 network 172.17.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
no ip classless
no ip http server
!
access-list 1 permit 172.17.7.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Switch:

sw.throom#sho run
Building configuration...

Current configuration:
!
version 11.2
no service pad
no service udp-small-servers
no service tcp-small-servers
!
hostname sw.throom
!
enable password Oh5053cret
!
!
no spanning-tree vlan 100
no spanning-tree vlan 200
ip subnet-zero
!
!
interface VLAN1
 no ip address
 no ip route-cache
!
interface FastEthernet0/1
 switchport access vlan 100
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 200
 spanning-tree portfast
!        
interface FastEthernet0/13
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 200
 spanning-tree portfast
!
!
line con 0
 stopbits 1
line vty 0 4
 login
line vty 5 9
 login
!
end

sho ip route gives:

Gateway of last resort is 172.16.7.1 to network 0.0.0.0

172.17.0.0/24 is subnetted, 1 subnets
C       172.17.7.0 is directly connected, Ethernet0/0.200
172.16.0.0/24 is subnetted, 1 subnets
C       172.16.7.0 is directly connected, Ethernet0/0.100
S*   0.0.0.0/0 [1/0] via 172.16.7.1

Edit 1: here is the working configuration:

Router:

rt#sho run
Building configuration...

Current configuration : 1018 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rt
!
enable password To053cret
!
!
!
!
!
no ip subnet-zero
ip dhcp excluded-address 172.17.7.1 172.17.7.2
ip dhcp excluded-address 172.17.7.3 172.17.7.4
ip dhcp excluded-address 172.17.7.5
!
ip dhcp pool VLAN200
   network 172.17.7.0 255.255.255.0
   default-router 172.17.7.1
   dns-server 8.8.8.8
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.100
 encapsulation dot1Q 100
 ip address 172.16.7.15 255.255.255.0
 ip nat outside
!
interface Ethernet0/0.200
 encapsulation dot1Q 200
 ip address 172.17.7.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Ethernet0/0.100 overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.7.1
no ip http server
!
access-list 1 permit 172.17.7.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password To053cret
 login
!
end

Switch:

sw#sho run
Building configuration...

Current configuration:
!
version 11.2
no service pad
no service udp-small-servers
no service tcp-small-servers
!
hostname sw
!
enable password Oh5053cret
!
!
no spanning-tree vlan 100
no spanning-tree vlan 200
ip subnet-zero
ip name-server 8.8.8.8
!
!
interface VLAN1
 ip address 172.17.7.7 255.255.255.0
 no ip route-cache
 shutdown
!
interface VLAN100
 no ip route-cache
 shutdown
!
interface VLAN200
 ip address 172.17.7.7 255.255.255.255
 no ip route-cache
!
interface FastEthernet0/1
 switchport access vlan 100
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 200
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 200
 spanning-tree portfast
!
ip default-gateway 172.17.7.1
!
line con 0
 stopbits 1
line vty 0 4
 password Oh5053cret
 login
line vty 5 9
 login
!
end

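Thanks, everyone, for the help!

Answer 1

Since the switch is on the inside in your configuration, it needs a default route to reach outside devices, just like any device on the inside. At layer 3 (TCP/IP), the switch is just like an ordinary device.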

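Answer 2

  1. Why are you connecting the external network to the switch rather than to the router?

  2. If you mean assigning IP addresses to multiple VLANs, then you are right. This model of switch only supports an IP address for management purposes, and only allows an IP address to be assigned to one VLAN. As for the VLANs themselves, it certainly supports having multiple VLANs.

  3. It is a layer 2 switch, so it does not support SVIs (InterVLAN routing), which is why it only lets you assign one IP address to one VLAN... for managing the switch.

Edit 1

Sorry I didn't notice this sooner. Does the external router have a route to the 172.17 network? You have enabled EIGRP on the internal router, but no routes are being learned via EIGRP (as the internal router's sh ip route output shows), which means the external router probably has no route to the 172.17 network in its routing table. If the external router has no route to the 172.17 network, it cannot reply to (or route traffic to) the 172.17 network.

Edit 2

That is the problem. Sorry again that I didn't catch it sooner. Sometimes we overlook the obvious.

  1. The D-Link router only knows about the networks it is directly connected to. It is not directly connected to the 172.17 network, so it does not know how to route traffic to that network. You need to configure the D-Link to route traffic for the 172.17 network through the internal router.

  2. For EIGRP to work, both routers must use and participate in EIGRP. Your D-Link router certainly does not use EIGRP, so it has no route to the 172.17 network through the internal router. The evidence is that the internal router shows no EIGRP-learned routes in its routing table. That means it is not receiving EIGRP routing table updates from the D-Link router... because the D-Link router does not use EIGRP.

So to recap: you need to configure a route on the D-Link router for the 172.17 network through the internal router.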

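Answer 3

Your NAT configuration does nothing; my guess is that the external devices cannot route back to the 172.17.1.0/24 network.

You need to translate 172.17.1.0/24 to 172.16.17.15

ip nat inside source list 1 interface ETH 0/0.100

Give it a try - a few show commands on the router might be interesting

Sh IP translations

Sh IP route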
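
The difference between the two router configurations in the question, as an added example that is not part of the original posts: a small Python check that reads an IOS running-config and reports why interfaces marked `ip nat inside` / `ip nat outside` would still translate nothing. The function name `nat_findings` and the `BEFORE` / `AFTER` excerpts are assumptions constructed from the configurations posted above.

```python
import re

def nat_findings(running_config):
    """List reasons the NAT marked on the interfaces cannot translate traffic."""
    iface, roles, acls, rules, default_route = None, {}, set(), [], False
    for raw in running_config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif not raw.startswith(" "):
            iface = None  # any unindented line ends the interface block
        if iface and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            roles[iface] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) permit ", line):
            acls.add(m.group(1))
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            default_route = True
    findings = []
    if {"inside", "outside"} <= set(roles.values()) and not rules:
        findings.append("no 'ip nat inside source' rule")
    for acl, out_if in rules:
        if acl not in acls:
            findings.append(f"access-list {acl} is not defined")
        if roles.get(out_if) != "outside":
            findings.append(f"{out_if} is not an 'ip nat outside' interface")
    if not default_route:
        findings.append("no static default route")
    return findings

# Constructed excerpts of the two router configs posted in the question.
INTERFACES = """\
interface Ethernet0/0.100
 encapsulation dot1Q 100
 ip address 172.16.7.15 255.255.255.0
 ip nat outside
!
interface Ethernet0/0.200
 encapsulation dot1Q 200
 ip address 172.17.7.1 255.255.255.0
 ip nat inside
!
"""
BEFORE = INTERFACES + "access-list 1 permit 172.17.7.0 0.0.0.255\n"
AFTER = BEFORE + ("ip nat inside source list 1 interface Ethernet0/0.100 overload\n"
                  "ip route 0.0.0.0 0.0.0.0 172.16.7.1\n")

if __name__ == "__main__":
    print("before:", nat_findings(BEFORE))
    print("after: ", nat_findings(AFTER))
```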
