How should the router fit into the LAN?

network-engineering switch router vlan nat
2021-07-09 22:54:15

Network

I had a consultant set up a basic network for a small office, but I have some questions about the best way to implement it. We are using a Cisco 1921 router connected to a Catalyst 3750 as the main switch. Two other Catalyst 3750s branch off the main switch for different suites. The VLANs are trunked to the main 3750, where the gateway for each VLAN/subnet (192.168.x.1) resides. The router is doing NAT, with a public IP on the outside interface connected to the ISP modem and a private IP on the inside interface facing the switched network.

What I would like to know:

  1. Should the gateway for each subnet/VLAN reside on the main L3 switch?
  2. Do I need to trunk any VLANs to the router?
  3. Is double NAT happening? ...the cable modem is in bridge mode
  4. Should I configure a default gateway on my switches?
  5. Any other suggestions, such as changing the addressing scheme? ..the router not being .1 bothers me

A tech from the VoIP company claims there is double NAT because he saw two private IP addresses in a traceroute. As far as I can tell that is incorrect, because the packet hits the gateway on the L3 switch first, then the inside router interface, and then goes out to the Internet, so there are two hops. Correct me if I'm wrong.

traceroute to 39.419.1.25 (74.115.98.25), 64 hops max, 52 byte packets
 1  192.168.4.1 (192.168.4.1)  0.739 ms  3.157 ms  0.516 ms  <---Gateway on L3 switch
 2  192.168.1.2 (192.168.1.2)  0.573 ms  0.488 ms  0.466 ms  <---Router Inside Interface
 3  * * *                                                    <---Cable Modem???
 4  ip43-52-53-43.blah.blah.blah.net (43.52.53.43)  9.125 ms  14.633 ms  9.812 ms
 5  * * *
 6  blah.blah.blah.net (45.2.4.90)  30.010 ms  19.896 ms  29.781 ms

Router config

Current configuration : 5879 bytes
!
! Last configuration change at 00:33:56 UTC Sun Mar 1 2015 by noc
! NVRAM config last updated at 20:45:24 UTC Mon Mar 2 2015 by noc
version 15.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname ROUTER-1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 64000
logging console emergencies
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
ip tcp mss 1492
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address x.x.x.x 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 7 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 184.191.183.49
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1
!
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 remark Standardized inbound anti-spoofing list
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 7.255.255.255 any
access-list 101 deny   ip 14.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 198.18.0.0 0.0.255.255 any log
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip 50.202.143.128 0.0.0.31 any
access-list 101 deny   udp any any eq snmp log
access-list 101 deny   udp any any eq snmptrap log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   udp any any range 135 netbios-ss log
access-list 101 deny   tcp any any eq 6666 log
access-list 101 deny   tcp any any eq 6667 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   udp any any eq 445 log
access-list 101 permit ip any any
access-list 101 deny   ip any any log
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
ntp server 128.138.141.172
ntp server 216.228.192.69
!
end

Distribution switch

Current configuration : 9859 bytes
!
! Last configuration change at 20:27:24 UTC Mon Mar 2 2015
! NVRAM config last updated at 20:45:03 UTC Mon Mar 2 2015
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SWITCH-1
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
ip routing
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.4.1 192.168.4.100
!
ip dhcp pool VLAN10
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 8.8.8.8 
!
ip dhcp pool VLAN20
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 8.8.8.8
!         
ip dhcp pool VLAN30
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 8.8.8.8
!
ip dhcp pool VLAN40
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server 8.8.8.8
!    
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface GigabitEthernet1/0/1
 description ROUTER
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/2
 description TRUNK-SWITCH-2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 911
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description TRUNK-SWITCH-3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 911
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description WLC
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
! 
interface GigabitEthernet1/0/5
 description AP-401
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 description AP-402
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description SERVER-1
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/0/8
 description SERVER-2
 switchport access vlan 40
 switchport mode access
!
interface GigabitEthernet1/0/9
 description ADT-DVR
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/10
 description ADT
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/11
 description Printer-402
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/12
 description Printer-401
 switchport access vlan 30
 switchport mode access
 duplex full
!
interface GigabitEthernet1/0/13
 switchport access vlan 30
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan40
 ip address 192.168.4.1 255.255.255.0
!
!         
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
ip http secure-server
!
access-list 101 permit udp any eq bootpc any eq bootps
access-list 101 deny   ip any 192.168.1.0 0.0.0.255
access-list 101 deny   ip any 192.168.2.0 0.0.0.255
access-list 101 deny   ip any 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
ntp clock-period 36029145
ntp server 128.138.141.172
ntp server 216.228.192.69
end
2 Answers

1.) Yes, the gateways should reside on the L3 switch. If you were running router-on-a-stick, you would put the gateways on the router. Your current configuration fits what is called a "collapsed core" design, where the L3 core does the switching and VLAN routing and acts as the distribution layer.

2.) No, your L3 routing should happen on your 3750.

3.) If the cable modem is in bridge mode there should be no double NAT. Bridge mode should disable all routing functions and leave the cable modem as just a cable modem.

4.) I would, so that you can reach devices on different VLANs.

5.) The cable modem's inside interface address is probably .1. Leave it as it is. As Ron said, it doesn't need to change.

Can we see your router's NAT configuration? That would help pin down your NAT problem.

**** EDIT ****

This link may help: Configuring NAT. I didn't notice your original NAT statement. That calls into question what your ISP is claiming. You can get to the Internet and you have the correct commands for PAT. Are you experiencing any problems?
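Added example, not from the question or either answer: a Python check of the NAT statement and static routes from the router config posted above, verifying that every subnet the router reaches via the L3 switch (192.168.1.1) is matched by the standard ACL referenced in `ip nat inside source list`, so no VLAN's traffic leaves Gi0/0 with an untranslated private source. The config excerpt is copied from the page; the second variant with a 192.168.5.0/24 route is constructed to show a VLAN that was routed but never added to ACL 7.

```python
import ipaddress
import re

# Excerpt of the router config posted in the question (only the lines this
# check needs); the addresses are the ones shown on the page.
ROUTER_CONFIG = """\
ip nat inside source list 7 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 184.191.183.49
ip route 192.168.2.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
"""

# Constructed variant: a fifth VLAN was routed but never added to ACL 7.
CONFIG_WITH_NEW_VLAN = ROUTER_CONFIG + "ip route 192.168.5.0 255.255.255.0 192.168.1.1\n"

def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard mask is an inverted subnet mask: 0.0.0.255 -> /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))

def nat_acl_networks(config):
    """Networks matched by the standard ACL named in 'ip nat inside source list'."""
    m = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    if not m:
        return []
    pat = re.compile(rf"^access-list {m.group(1)} permit (\S+) (\S+)$", re.M)
    return [wildcard_to_network(a, w) for a, w in pat.findall(config)]

def routed_lan_networks(config, next_hop):
    """Subnets the router reaches through the L3 switch (static routes to next_hop)."""
    pat = re.compile(r"^ip route (\S+) (\S+) (\S+)$", re.M)
    return [ipaddress.IPv4Network((a, m)) for a, m, nh in pat.findall(config)
            if nh == next_hop]

def uncovered_subnets(config, switch_addr):
    """Internal subnets whose traffic would leave the WAN interface untranslated,
    i.e. with an RFC 1918 source address that the ISP will drop."""
    covered = nat_acl_networks(config)
    return [str(net) for net in routed_lan_networks(config, switch_addr)
            if not any(net.subnet_of(c) for c in covered)]
```

For the config as posted, `uncovered_subnets(ROUTER_CONFIG, "192.168.1.1")` returns an empty list; the constructed variant reports `192.168.5.0/24`.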

  1. Yes. They probably are.
  2. No.
  3. Can't tell without seeing the L3 config, but unlikely.
  4. No, if you only access the management interfaces from devices on VLAN 10. Yes, if you want to reach them from other VLANs or from the Internet (via VPN or something similar).
  5. Routers have no ego, so they don't have to be first ;)

I believe your router has some firewall features enabled. If you post the router and L3 switch configs, we can give more definitive answers.