Cisco SMB switch configuration for voice VLAN and data

Network Engineering, Cisco, switch, router, LAN, Cisco VoIP
2022-03-04 06:01:12

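I am hoping to get some help with an issue I am currently facing...

I have 3 Cisco SMB switches: (2) SG300 managed switches and (1) unmanaged switch.

SWSG1 | 172.16.1.100 | Port 24 trunk uplink to Cisco ASA firewall
VLAN 1 Default! (all domain servers, AD DS, DNS, DHCP, PBX reside here)
VLAN 2 Voice | IP address 10.10.200.1
VLAN 3 Data | IP address 10.10.100.1

SWSG2 | 172.16.1.200 | Port 24 trunk uplink to SWSG1 switch port 23
VLAN 1 Default
VLAN 2 Voice | No IP address configured
VLAN 3 Data | No IP address configured
Port 7 configured as access on voice VLAN 2

SG3 | Unmanaged | Port 24 trunk uplink to SWSG2 switch port 23
VLAN 1 Default
All IP phones are connected on this switch

#1 Cisco IP phone connected on port 1, IP address 10.10.200.114
#2 Cisco IP phone connected on port 2, IP address 10.10.200.115
Workstations are connected to the IP phones.

VLAN is active on the IP phones
VOICE is VLAN 2, default VLAN 1 for the PC

With this current configuration, I cannot reach any of the Cisco IP phones or the domain servers on VLAN 1, the default VLAN.

Can someone help me? I need access to the domain and PBX resources.


Example configuration: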

config-file-header
SWSG1
v1.4.10.6 / R800_NIK_1_4_214_020
CLI v1.0
set system mode router 

file SSD indicator encrypted
@
ssd-control-start 
ssd config 
ssd file passphrase control unrestricted 
ssd file integrity control enabled 
ssd-control-end #REMOVED FOR SECURITY 
!
time-range RT1 
periodic sun 01:00 to sat 01:00 
exit
spanning-tree loopback-guard
vlan database
vlan 1,2,3 
exit
voice vlan id 2 
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
loopback-detection enable 
errdisable recovery cause loopback-detection 
errdisable recovery cause port-security 
errdisable recovery cause dot1x-src-address 
errdisable recovery cause acl-deny 
errdisable recovery cause stp-bpdu-guard 
errdisable recovery cause stp-loopback-guard 
errdisable recovery cause udld 
green-ethernet energy-detect
no ip arp proxy disable
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp excluded-address
bonjour interface range vlan 1
qos wrr-queue wrtd
mac access-list extended ACL-MAC
exit
ip access-list extended EXTEND-ACL
permit icmp any 172.16.1.50 255.255.255.0 any any ace-priority 1 log-input
permit tcp any any 172.16.1.50 255.255.255.0 any ace-priority 2 log-input
permit icmp any 172.16.7.1 255.255.255.0 any any ace-priority 3 log-input
permit tcp any any 172.16.1.1 255.255.255.0 any ace-priority 4 log-input
permit icmp any 172.16.1.0 255.255.255.0 any any ace-priority 5 log-input
permit tcp any any 172.16.1.0 255.255.255.0 any ace-priority 6 log-input
permit udp any 5060-5090 172.16.1.200 255.255.255.0 5060-5090 ace-priority 7 log-input
permit udp any 9000-11000 172.16.1.200 255.255.255.0 9000-11000 ace-priority 8 log-input
permit tcp any 2195-2196 172.16.1.200 255.255.255.0 2195-2196 ace-priority 9 log-input
permit tcp any 5060-5090 172.16.1.200 255.255.255.0 5060-5090 ace-priority 10 log-input
permit ip any 172.16.1.254 255.255.255.0 ace-priority 11 log-input
permit tcp any 2528 172.16.1.200 255.255.255.0 2528 ace-priority 12 log-input
exit
hostname SWSG1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
management access-list SECURITY-PROFILE
permit ip-source 172.16.1.47 mask 255.255.255.0 
exit
management access-class SECURITY-PROFILE
logging origin-id ip 
logging file notifications
rmon event 1 log-trap community TECH description TECH-LOGS owner
aaa authentication login authorization Console local none 
aaa authentication enable authorization Console enable none 
line console
login authentication Console
enable authentication Console
password "REMOVED FOR SECURITY" encrypted
exit
username cisco password encrypted "REMOVED FOR SECURITY" privilege 15 
username CISCO password encrypted "REMOVED FOR SECURITY" privilege 15 
ip ssh server
ip ssh password-auth 
ip ssh-client username "REMOVED FOR SECURITY"
snmp-server server
snmp-server location "REMOVED FOR SECURITY"
snmp-server contact "REMOVED FOR SECURITY"
snmp-server community "REMOVED FOR SECURITY" ro view Default 
ip http timeout-policy 1800 
clock timezone " " -4
clock summer-time web recurring usa 
sntp anycast client enable ipv4 
sntp broadcast client enable ipv4 
clock source sntp
clock source browser
sntp authenticate
sntp unicast client enable
sntp unicast client poll
sntp server 172.16.1.59 poll 
sntp server time-a.timefreq.bldrdoc.gov poll 
sntp server time-b.timefreq.bldrdoc.gov poll 
sntp server time-c.timefreq.bldrdoc.gov poll 
ip domain name "REMOVED FOR SECURITY"
ip name-server  "REMOVED FOR SECURITY"
security-suite enable 
security-suite dos protect add stacheldraht 
security-suite dos protect add invasor-trojan 
security-suite dos protect add back-orifice-trojan 
!
interface vlan 1
 ip address 172.16.1.254 255.255.255.0 
 no ip address dhcp 
 service-acl input ACL default-action permit-any 
!
interface vlan 1
 name MANAGEMENT 
 ip address 172.16.100.1 255.255.255.0 
!
interface vlan 2
 name "VOICE VLAN" 
 ip address 172.16.200.1 255.255.255.0 
 service-acl input ACL 
!
interface vlan 3
 name DATA 
 shutdown
!
interface gigabitethernet1
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 spanning-tree link-type point-to-point 
 switchport forbidden vlan add 400 
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch 
!
interface gigabitethernet2
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 spanning-tree link-type point-to-point 
 switchport forbidden vlan add 400 
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch 
!
interface gigabitethernet3
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet4
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet5
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet6
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet7
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 spanning-tree link-type point-to-point 
 switchport mode access 
 switchport forbidden vlan add 400 
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch 
!
interface gigabitethernet8
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet9
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet10
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet11
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet12
 negotiation preferred master 
 ip arp inspection trust
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet13
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet14
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet15
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet16
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet17
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet18
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet19
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet20
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet21
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet22
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet23
 negotiation preferred master 
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet24
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet25
 negotiation preferred master 
 description "TRUNK UP-LINK-2 | SWSG2"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 spanning-tree link-type point-to-point 
 switchport trunk allowed vlan add 1-3 
 switchport forbidden vlan add 400 
 macro description switch
 switchport default-vlan tagged 
 !next command is internal.
 macro auto smartport dynamic_type switch 
!
interface gigabitethernet26
 negotiation preferred master 
 description "TRUNK UP-LINK-2 | PoE SW"
 ip arp inspection trust 
 ip source-guard 
 spanning-tree link-type point-to-point 
 switchport trunk allowed vlan add 1-3 
 switchport forbidden vlan add 400 
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch 
!
interface gigabitethernet27
 negotiation preferred master 
 description "TRUNK UP-LINK-1 | ACCESS POINT"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
interface gigabitethernet28
 negotiation preferred master 
 description "REMOVED FOR SECURITY"
 ip arp inspection trust 
 ip source-guard 
 storm-control broadcast enable 
 switchport forbidden vlan add 400 
!
exit
banner login 

macro auto processing type host enabled 
macro auto processing type router enabled 
ip dhcp snooping 
ip dhcp snooping database 
ip arp inspection 
ip arp inspection validate 
ip arp inspection vlan 1 
ip arp inspection vlan 2 
ip arp inspection vlan 3 
ip source-guard 
"REMOVED FOR SECURITY"
encrypted ip ssh-client key rsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----

---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted ip ssh-client key dsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----

---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----

---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import dsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----

---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto certificate 1 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
"REMOVED FOR SECURITY"
-----END RSA PRIVATE KEY-----

-----BEGIN RSA PUBLIC KEY-----
"REMOVED FOR SECURITY"
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
"REMOVED FOR SECURITY"
-----END CERTIFICATE-----
.
encrypted crypto certificate 2 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
"REMOVED FOR SECURITY"
-----END RSA PRIVATE KEY-----

-----BEGIN RSA PUBLIC KEY-----
"REMOVED FOR SECURITY"
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
"REMOVED FOR SECURITY"
-----END CERTIFICATE-----
.
config-file-digest "REMOVED FOR SECURITY"
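1 Answer

Your unmanaged switch does not understand VLANs, so you cannot trunk VLANs to it. You should not use it in a network with multiple VLANs.

Also, in your "example configuration" you have two entries for interface vlan 1. Which one is it?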
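
The duplicate `interface vlan 1` entries the answer points out can be caught mechanically before a configuration is loaded or reviewed. The following is an added example, not part of the original question or answer: a small audit script that reports interfaces declared more than once and whether the stanzas set different IP addresses. The function names and the shortened sample are constructed for illustration, and the stanza parsing assumes the `!`-separated layout of the posted file.

```python
import re
from collections import defaultdict

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
interface vlan 1
 ip address 172.16.1.254 255.255.255.0
 service-acl input ACL default-action permit-any
!
interface vlan 1
 name MANAGEMENT
 ip address 172.16.100.1 255.255.255.0
!
interface vlan 2
 name "VOICE VLAN"
 ip address 172.16.200.1 255.255.255.0
!
"""

IP_RE = re.compile(r"^ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")

def parse_interfaces(text):
    """Return {interface name: [stanza body, ...]}, one body per declaration."""
    stanzas = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = " ".join(line.lower().split()[1:])
            stanzas[current].append([])
        elif line in ("!", "exit", ""):
            current = None  # a bare "!" or "exit" closes the stanza
        elif current is not None:
            stanzas[current][-1].append(line)
    return stanzas

def find_duplicates(text):
    """Report interfaces declared more than once and the addresses they set."""
    findings = {}
    for name, bodies in parse_interfaces(text).items():
        if len(bodies) < 2:
            continue
        addrs = [m.group(1) for body in bodies for l in body if (m := IP_RE.match(l))]
        findings[name] = {"stanzas": len(bodies), "addresses": addrs,
                          "conflict": len(set(addrs)) > 1}
    return findings

if __name__ == "__main__":
    print(find_duplicates(SAMPLE_CONFIG))
```

On the sample, only `vlan 1` is reported, with two stanzas and two different addresses; `vlan 2` is declared once and is not flagged.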