Since I am not allowed to share the actual configuration, every configuration posted below is made up or altered.
We have more than 250 locations across the country. All locations have fibre connections with a minimum speed of 100 Mbit up/down. Everything is connected over MPLS; our main location does all VRF routing, where four Cisco ASA 5585-X firewalls inspect the traffic between VRFs. Our main location also hosts our 40 Gbit up/down internet connection.
All locations have all VRFs, and the routing tables are aggregated down to only a default route using IP prefix lists.
Every main router at every location owns the Layer 3 VLANs.
Using the configuration example below: is it possible to restrict VTY access on all Layer 3 VLANs except the MGMT VLAN and the loopback? Every location needs to be able to reach the MGMT VLAN and the loopback, but VTY access to any other SVI should be blocked.
Location configuration:
-- truncated --
ip routing
ip vrf MGMT
 rd 1:10
 route-target export 1:10
 route-target import 1:10
ip vrf VRF01
 rd 1:1
 route-target export 1:1
 route-target import 1:1
ip vrf VRF02
 rd 1:2
 route-target export 1:2
 route-target import 1:2
ip vrf VRF03
 rd 1:3
 route-target export 1:3
 route-target import 1:3
ip vrf VRF04
 rd 1:4
 route-target export 1:4
 route-target import 1:4
no errdisable detect cause gbic-invalid
errdisable recovery cause all
errdisable recovery interval 120
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast default
spanning-tree vlan 1-4094 priority 0
auto qos srnd4
udld aggressive
interface Loopback0
 description ROUTER ID
 ip vrf forwarding MGMT
 ip address 172.29.0.254 255.255.255.255
vlan 200
 name LOCAL_MGMT
vlan 101
 name VRF01
vlan 102
 name VRF02
vlan 103
 name VRF03
vlan 104
 name VRF04
vlan 301
 name DATA
vlan 302
 name VoIP
vlan 303
 name WIFI
-- interfaces truncated --
interface Vlan200
 description LOCAL_MGMT
 ip vrf forwarding MGMT
 ip address 172.29.0.1 255.255.255.128
 no shut
interface Vlan101
 description VRF01
 ip vrf forwarding VRF01
 ip address 10.29.0.2 255.255.255.248
 no shut
interface Vlan102
 description VRF02
 ip vrf forwarding VRF02
 ip address 10.29.0.10 255.255.255.248
 no shut
interface Vlan103
 description VRF03
 ip vrf forwarding VRF03
 ip address 10.29.0.18 255.255.255.248
 no shut
interface Vlan104
 description VRF04
 ip vrf forwarding VRF04
 ip address 10.29.0.26 255.255.255.248
 no shut
interface Vlan110
 description MGMT
 ip vrf forwarding MGMT
 ip address 10.29.0.250 255.255.255.248
 no shut
interface Vlan801
 description DATA
 ip vrf forwarding VRF01
 ip address 172.16.0.1 255.255.255.0
 ip helper-address 172.30.1.10
 no shut
interface Vlan802
 description VoIP
 ip vrf forwarding VRF01
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 172.30.1.10
 no shut
interface Vlan803
 description WIFI
 ip vrf forwarding VRF01
 ip address 172.16.2.1 255.255.255.0
 ip helper-address 172.30.1.10
 no shut
ip prefix-list default seq 5 permit 0.0.0.0/0
ip prefix-list default seq 10 deny 0.0.0.0/0 le 32
router bgp 65331
 bgp router-id 172.29.0.254
 bgp log-neighbor-changes
 address-family ipv4 vrf MGMT
  redistribute connected
  neighbor 10.29.0.249 remote-as XXXXX
  neighbor 10.29.0.249 password -- removed --
  neighbor 10.29.0.249 timers 10 30
  neighbor 10.29.0.249 activate
  neighbor 10.29.0.249 prefix-list default in
 exit-address-family
 address-family ipv4 vrf VRF01
  redistribute connected
  neighbor 10.29.0.1 remote-as XXXXX
  neighbor 10.29.0.1 password -- removed --
  neighbor 10.29.0.1 timers 10 30
  neighbor 10.29.0.1 activate
  neighbor 10.29.0.1 prefix-list default in
 exit-address-family
 address-family ipv4 vrf VRF02
  redistribute connected
  neighbor 10.29.0.9 remote-as XXXXX
  neighbor 10.29.0.9 password -- removed --
  neighbor 10.29.0.9 timers 10 30
  neighbor 10.29.0.9 activate
  neighbor 10.29.0.9 prefix-list default in
 exit-address-family
 address-family ipv4 vrf VRF03
  redistribute connected
  neighbor 10.29.0.17 remote-as XXXXX
  neighbor 10.29.0.17 password -- removed --
  neighbor 10.29.0.17 timers 10 30
  neighbor 10.29.0.17 activate
  neighbor 10.29.0.17 prefix-list default in
 exit-address-family
 address-family ipv4 vrf VRF04
  redistribute connected
  neighbor 10.29.0.25 remote-as XXXXX
  neighbor 10.29.0.25 password -- removed --
  neighbor 10.29.0.25 timers 10 30
  neighbor 10.29.0.25 activate
  neighbor 10.29.0.25 prefix-list default in
 exit-address-family
no ip http server
no ip http secure-server
-- truncated --
line con 0
 exec-timeout 480 0
line vty 0 4
 exec-timeout 480 0
 transport input SSH
line vty 5 15
 exec-timeout 480 0
 transport input SSH
If anything else is needed, please comment.
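One way to approach the question in the post, as an added example that is not part of the original question: parse the interface stanzas, collect every address that lives in the MGMT VRF (here Loopback0, Vlan200 and Vlan110), and generate an extended ACL that permits SSH only to those addresses, applied with `access-class ... in vrf-also`. It assumes the router's access-class evaluates the destination address of an extended ACL and that `vrf-also` is needed because sessions arrive through VRF interfaces; the config excerpt is constructed from the post, and the ACL and VTY names are my own.

```python
import re

# Constructed excerpt of the interface stanzas from the question (not a real config).
SAMPLE_CONFIG = """\
interface Loopback0
 ip vrf forwarding MGMT
 ip address 172.29.0.254 255.255.255.255
interface Vlan200
 ip vrf forwarding MGMT
 ip address 172.29.0.1 255.255.255.128
interface Vlan101
 ip vrf forwarding VRF01
 ip address 10.29.0.2 255.255.255.248
interface Vlan110
 ip vrf forwarding MGMT
 ip address 10.29.0.250 255.255.255.248
interface Vlan801
 ip vrf forwarding VRF01
 ip address 172.16.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface: (vrf, ip)} for every stanza that carries an IPv4 address."""
    result = {}
    for stanza in re.split(r"(?m)^interface ", config)[1:]:
        name = stanza.split("\n", 1)[0].strip()
        vrf = re.search(r"^\s+ip vrf forwarding (\S+)", stanza, re.M)
        ip = re.search(r"^\s+ip address (\d+(?:\.\d+){3}) ", stanza, re.M)
        if ip:
            result[name] = (vrf.group(1) if vrf else "global", ip.group(1))
    return result

def mgmt_addresses(interfaces, mgmt_vrf="MGMT"):
    """Addresses that should still answer SSH: every SVI/loopback in the MGMT VRF."""
    return sorted(ip for vrf, ip in interfaces.values() if vrf == mgmt_vrf)

def vty_acl(allowed, acl_name="VTY-MGMT-ONLY"):
    """Emit the ACL and VTY lines. Assumption: access-class with an extended ACL
    matches the destination (the local SVI address); vrf-also admits VRF-sourced sessions."""
    lines = [f"ip access-list extended {acl_name}",
             " remark SSH permitted only towards MGMT VRF addresses"]
    lines += [f" permit tcp any host {ip} eq 22" for ip in allowed]
    lines += [" deny tcp any any eq 22 log", " deny ip any any", "!",
              "line vty 0 15", f" access-class {acl_name} in vrf-also", " transport input ssh"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(vty_acl(mgmt_addresses(parse_interfaces(SAMPLE_CONFIG))))
```

The `deny ... log` line gives you a syslog record of every SSH attempt aimed at a non-management SVI, which is useful for confirming the filter behaves as intended at each location before rolling it out further.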