Routing between VLANs on a Cisco 1921

Network Engineering cisco router vlan cisco-ios dhcp
2021-07-17 14:21:29

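I have set up a new VLAN for the VoIP phones that are being installed. I want to segment their traffic onto the subnet 10.20.77.0/24. I added an IP address of 10.20.77.11 to the DHCP server to help serve DHCP traffic for that VLAN. When I connect a laptop to a switch port on this VLAN, it does not get an IP address, and I also cannot ping the DHCP server's address 10.20.77.11. I think I have an ACL or NAT problem, but I don't know enough about Cisco to work this out myself.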

Running config of the router

Current configuration : 6198 bytes
!
! Last configuration change at 10:09:23 gmt Wed Nov 1 2017 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EASI-FW1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
clock timezone gmt -8 0
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name contoso.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
license udi pid CISCO1921/K9 sn 
!
!
!
redundancy
!
!
!
!
lldp run
!
!
class-map match-any Voice
 match protocol sip
 match protocol rtp audio
class-map match-any QoS-Bulk
 match protocol secure-nntp
 match protocol smtp
 match protocol tftp
 match protocol ftp
class-map match-any QoS-Management
 match protocol snmp
 match protocol dns
 match protocol secure-imap
class-map match-any QoS-Inter-Video
 match protocol rtp video
class-map match-any QoS-Voice-Control
 match access-group name Voice-Control
!
policy-map QOS
 class Voice
  priority percent 25
  set dscp ef
 class QoS-Inter-Video
  bandwidth remaining percent 10
  set dscp af41
 class QoS-Bulk
  bandwidth remaining percent 5
  random-detect dscp-based
  set dscp af11
 class QoS-Management
  bandwidth remaining percent 1
  set dscp cs2
 class QoS-Voice-Control
  priority percent 5
  set dscp ef
 class class-default
  fair-queue
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 10.20.75.1 255.255.255.0
 ip access-group Local in
 ip access-group Local out
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map LAN
!
interface GigabitEthernet0/0.76
 description SteelNet76
 encapsulation dot1Q 76
 ip address 10.20.76.1 255.255.255.0
 ip access-group Local in
 ip access-group Local out
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map WLAN76
!
interface GigabitEthernet0/0.200
 description Voice
 encapsulation dot1Q 200
 ip address 10.20.77.1 255.255.255.0
 ip access-group Local in
 ip access-group Local out
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map SIP200
!
interface GigabitEthernet0/1
 description TelusWAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 10.20.75.11 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.20.75.11 987 interface GigabitEthernet0/1 987
ip nat inside source static tcp 10.20.75.11 1723 interface GigabitEthernet0/1 1723
ip nat inside source route-map LAN interface GigabitEthernet0/1 overload
ip nat inside source route-map SIP200 interface GigabitEthernet0/1 overload
ip nat inside source route-map WLAN76 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended LAN
 permit ip 10.20.75.0 0.0.0.255 any
 deny   ip any any
ip access-list extended SIP200
 permit ip 10.20.77.0 0.0.0.255 any
 deny   ip any any
ip access-list extended WLAN76
 permit ip 10.20.76.0 0.0.0.255 any
 deny   ip any any
!
!
route-map WLAN76 permit 20
 match ip address WLAN76
 set interface GigabitEthernet0/1
 set default interface GigabitEthernet0/1
!
route-map LAN permit 10
 match ip address LAN
 set interface GigabitEthernet0/1
 set default interface GigabitEthernet0/1
!
route-map SIP200 permit 30
 match ip address SIP200
 set interface GigabitEthernet0/1
 set default interface GigabitEthernet0/1
!
!
access-list 23 permit XXX.XX.XXX.196
access-list 23 permit 10.20.75.0 0.0.0.255
access-list 24 permit 10.20.77.0 0.0.0.255
access-list 120 permit ip 0.0.0.11 255.255.255.0 any
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

EASI-FW1#

Should the route map specify the sub-interface of Gi0/1?

1 Answer

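It sounds like your DHCP server is simply using a secondary address on the same VLAN as its primary address. That is not going to work. You can simply add a helper address for DHCP relay. For example: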

interface GigabitEthernet0/0.200
 description Voice
 encapsulation dot1Q 200
 ip address 10.20.77.1 255.255.255.0
 ip helper-address 10.20.75.11
!

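This will send any DHCP requests on the 10.20.77.0/24 network to the DHCP server at 10.20.75.11, and send any responses from the server back to the originating network. If you have the correct DHCP scope configured on the DHCP server, everything should just work.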

Doing it this way does not require the DHCP server to have an address on the 10.20.77.0/24 network, so you can remove the secondary addressing.

If you want secondary addressing on the DHCP server, you would need to set it up with a trunk interface on both the switch and the server.
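
The relay behaviour described in the answer above, as an added example that is not part of the original answer: a small Python model of what `ip helper-address` does to a DHCPDISCOVER (RFC 2131 `giaddr` stamping) and how a server picks the scope from it. The scope list, the MAC address and the function names are constructed for illustration.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  (236 bytes)
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO = bytes(4)
GIADDR, HOPS = 10, 3  # field positions in the unpacked tuple

def build_discover(mac: bytes, xid: int) -> bytes:
    """Client broadcast: giaddr is 0.0.0.0 and the broadcast flag is set."""
    return BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                      mac.ljust(16, b"\0"), b"", b"")

def relay(packet: bytes, ingress_ip: str) -> bytes:
    """Router side: stamp giaddr with the address of the interface the
    broadcast arrived on (if still unset), bump hops, then the packet is
    unicast to the helper address."""
    fields = list(BOOTP.unpack(packet[:BOOTP.size]))
    fields[HOPS] += 1
    if fields[GIADDR] == ZERO:
        fields[GIADDR] = ipaddress.IPv4Address(ingress_ip).packed
    return BOOTP.pack(*fields) + packet[BOOTP.size:]

def select_scope(packet: bytes, scopes: list, server_if: str):
    """Server side: a relayed request is matched on giaddr; an unrelayed
    one on the subnet of the interface it was received on."""
    giaddr = ipaddress.IPv4Address(BOOTP.unpack(packet[:BOOTP.size])[GIADDR])
    key = giaddr if int(giaddr) else ipaddress.IPv4Interface(server_if).ip
    for net in scopes:
        if key in ipaddress.ip_network(net):
            return net
    return None  # no matching scope: the server has nothing to offer

# Constructed sample data based on the addresses in the question.
SCOPES = ["10.20.75.0/24", "10.20.77.0/24"]
SERVER_IF = "10.20.75.11/24"

if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234)
    relayed = relay(discover, "10.20.77.1")   # Gi0/0.200
    print("relayed request  ->", select_scope(relayed, SCOPES, SERVER_IF))
    print("voice scope gone ->", select_scope(relayed, SCOPES[:1], SERVER_IF))
```

The second line of output is `None`: with the helper in place but no 10.20.77.0/24 scope on the server, phones still get no lease, which is why the answer makes the scope a precondition.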