Contents
Configuration
- RTX1200 and L2 switch port connection
LAN1 of the RTX1200 is connected to port 8 of the SWX2200 as a tagged-VLAN trunk; the switch is managed from the router with "switch select lan1:8".
- Network
LAN1: 192.168.1.0/24 (untagged; the router is 192.168.1.251)
WAN LAN3: DHCP from NURO, a network-connection type provider
- VLAN networks
VLAN121: 192.168.121.0/24
VLAN131: 192.168.131.0/24
VLAN132: 192.168.132.0/24
VLAN133: 192.168.133.0/24
- Filter
Hosts on different VLANs must not be able to talk to each other in either direction.
This is done with an inbound (in) filter on each VLAN sub-interface of the router that rejects packets whose destination is any of the other VLAN subnets. Because the router is the only path between the VLANs, every inter-VLAN packet arrives at the router on the sender's sub-interface, so rejecting it there on each of the four sub-interfaces blocks both directions.
Note that the reject lists do not include 192.168.1.0/24 (LAN1), so every VLAN can still reach hosts on LAN1 and the router's own addresses; if LAN1 is also meant to be unreachable from the VLANs, it needs its own reject entry in each chain.
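The pairwise reject matrix grows as N*(N-1) filter lines for N VLANs and is easy to get wrong by hand. The following Python script is an added example, not code from the original post or from Yamaha: it generates the sub-interface, address, filter and chain lines for an arbitrary VLAN table, and can add further subnets (such as LAN1) to every reject list. The VLANS table mirrors this page's plan; the filter-number scheme base + 10*i + j, the first-host router address and the sub-interface numbering are assumptions of the example.

```python
import ipaddress

# Constructed input mirroring this page's plan: VLAN ID -> (sub-interface index, subnet).
# Index order copies the page (vid 131 is lan1/1 ... vid 121 is lan1/4).
VLANS = {
    131: (1, "192.168.131.0/24"),
    132: (2, "192.168.132.0/24"),
    133: (3, "192.168.133.0/24"),
    121: (4, "192.168.121.0/24"),
}
PASS_ALL = 200000  # the page's catch-all "ip filter 200000 pass * *"


def isolation_config(vlans, extra_isolated=(), base=600000, parent="lan1"):
    """Return RTX config lines that keep every VLAN from reaching every other.

    For each VLAN sub-interface an inbound chain is built that rejects packets
    whose destination is any other VLAN subnet (plus any subnet listed in
    extra_isolated, e.g. the untagged LAN1 network) and then passes the rest.
    Filter numbers are base + 10*i + j; that numbering is an assumption of this
    example, not the page's own, and allows up to nine peers per VLAN.
    """
    ordered = sorted(vlans.items(), key=lambda kv: kv[1][0])  # by sub-interface index
    lines = []
    for i, (vid, (idx, subnet)) in enumerate(ordered):
        src = ipaddress.ip_network(subnet)
        peers = [ipaddress.ip_network(s) for v, (_, s) in ordered if v != vid]
        peers += [ipaddress.ip_network(s) for s in extra_isolated]
        if len(peers) > 9:
            raise ValueError("more than nine peers per VLAN; widen the numbering scheme")
        iface = f"{parent}/{idx}"
        lines.append(f"vlan {iface} 802.1q vid={vid} name=VLAN{vid}")
        # the router takes the first host address of each subnet, as on the page
        lines.append(f"ip {iface} address {src.network_address + 1}/{src.prefixlen}")
        chain = []
        for j, dst in enumerate(peers, start=1):
            num = base + 10 * i + j
            lines.append(f"ip filter {num} reject {src} {dst}")
            chain.append(str(num))
        chain.append(str(PASS_ALL))  # first match wins; unmatched packets are discarded
        lines.append(f"ip {iface} secure filter in {' '.join(chain)}")
    lines.append(f"ip filter {PASS_ALL} pass * *")
    return lines


def reject_pairs(lines):
    """(src, dst) subnet pairs covered by reject filters in generated lines."""
    pairs = set()
    for line in lines:
        parts = line.split()
        if parts[:2] == ["ip", "filter"] and parts[3] == "reject":
            pairs.add((parts[4], parts[5]))
    return pairs


if __name__ == "__main__":
    # also isolate the untagged LAN1 network from every VLAN
    print("\n".join(isolation_config(VLANS, extra_isolated=("192.168.1.0/24",))))
```

Paste the output into the router, or diff it against "show config" to spot a missing pair after a VLAN is added. The hard limit of nine peers per VLAN is only a consequence of the decade-per-interface numbering chosen here.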
Finished: the simple config
console character ascii
login timer 1200
ip route default gateway dhcp lan3
ip keepalive 1 icmp-echo 10 5 dhcp lan3
ip lan1 address 192.168.1.251/24
ip lan1 proxyarp on
switch control use lan1 on
vlan lan1/1 802.1q vid=131 name=VLAN131
ip lan1/1 address 192.168.131.1/24
ip lan1/1 secure filter in 600011 600012 600013 200000
vlan lan1/2 802.1q vid=132 name=VLAN132
ip lan1/2 address 192.168.132.1/24
ip lan1/2 secure filter in 600021 600022 600023 200000
vlan lan1/3 802.1q vid=133 name=VLAN133
ip lan1/3 address 192.168.133.1/24
ip lan1/3 secure filter in 600031 600032 600033 200000
vlan lan1/4 802.1q vid=121 name=VLAN121
ip lan1/4 address 192.168.121.1/24
ip lan1/4 secure filter in 600000 600001 600002 200000
ip lan3 address dhcp
ip lan3 secure filter in 101020 101021 101022 101023 101024 200000
ip lan3 nat descriptor 200
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 102001 pass * 192.168.1.0/24 tcp www
ip filter 200000 pass * *
ip filter 600000 reject 192.168.121.0/24 192.168.131.0/24
ip filter 600001 reject 192.168.121.0/24 192.168.132.0/24
ip filter 600002 reject 192.168.121.0/24 192.168.133.0/24
ip filter 600011 reject 192.168.131.0/24 192.168.121.0/24
ip filter 600012 reject 192.168.131.0/24 192.168.132.0/24
ip filter 600013 reject 192.168.131.0/24 192.168.133.0/24
ip filter 600021 reject 192.168.132.0/24 192.168.121.0/24
ip filter 600022 reject 192.168.132.0/24 192.168.131.0/24
ip filter 600023 reject 192.168.132.0/24 192.168.133.0/24
ip filter 600031 reject 192.168.133.0/24 192.168.121.0/24
ip filter 600032 reject 192.168.133.0/24 192.168.131.0/24
ip filter 600033 reject 192.168.133.0/24 192.168.132.0/24
nat descriptor log on
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.2-192.168.1.150/24 expire 4:00 maxexpire 4:00
dhcp scope 121 192.168.121.2-192.168.121.93/24 expire 4:00 maxexpire 4:00
dhcp scope 131 192.168.131.2-192.168.131.93/24 expire 4:00 maxexpire 4:00
dhcp scope 132 192.168.132.2-192.168.132.93/24 expire 4:00 maxexpire 4:00
dhcp scope 133 192.168.133.2-192.168.133.93/24 expire 4:00 maxexpire 4:00
dhcp scope option 1 dns=8.8.8.8,1.1.1.1
dhcp scope option 121 dns=8.8.8.8,1.1.1.1
dhcp scope option 131 dns=8.8.8.8,1.1.1.1
dhcp scope option 132 dns=8.8.8.8,1.1.1.1
dhcp scope option 133 dns=8.8.8.8,1.1.1.1
dns host lan
dns server 8.8.8.8 1.1.1.1
dns server dhcp lan3
dns server select 500201 dhcp lan3 any .
dns private address spoof on
switch select lan1:8
switch control function set vlan-port-mode 8 hybrid
switch control function set vlan-access 1 121
switch control function set vlan-access 2 121
switch control function set vlan-access 3 131
switch control function set vlan-access 4 131
switch control function set vlan-access 5 132
switch control function set vlan-access 6 132
switch control function set vlan-access 7 133
switch control function set vlan-trunk 8 121 join
switch control function set vlan-trunk 8 131 join
switch control function set vlan-trunk 8 132 join
switch control function set vlan-trunk 8 133 join
Console character set and login timer
login timer 1200
console character ascii
LAN1 network settings
ip lan1 address 192.168.1.251/24
LAN3 WAN settings, DNS settings and filter
ip route default gateway dhcp lan3
ip keepalive 1 icmp-echo 10 5 dhcp lan3
ip lan3 address dhcp
ip lan3 nat descriptor 200
nat descriptor type 200 masquerade
nat descriptor address outer 200 primary
dns host lan
dns server 8.8.8.8 1.1.1.1
dns server dhcp lan3
dns server select 500201 dhcp lan3 any .
dns private address spoof on
ip lan3 secure filter in 101020 101021 101022 101023 101024 200000
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 102001 pass * 192.168.1.0/24 tcp www
ip filter 200000 pass * *
Notes on this section. The inbound chain on lan3 ends in 200000 pass, so it only rejects the Windows RPC, NetBIOS and SMB ports; what keeps the internal networks unreachable from the WAN is the masquerade NAT (descriptor 200, with no static mappings), which discards inbound packets that do not belong to an existing masquerade session. Filter 101024 rejects only packets with source port 445; unlike the 135 and NetBIOS pairs there is no companion rule for destination port 445. Filters 101030, 101032 and 102001 are defined but not referenced by any secure filter line, so they have no effect. dns server select 500201 sends every query to the DNS servers learned over DHCP on lan3, with 8.8.8.8 and 1.1.1.1 as the static fallback, and dns private address spoof on makes the router answer reverse lookups for private addresses itself instead of forwarding them upstream.
DHCP scopes and DNS distribution
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.1.2-192.168.1.150/24 expire 4:00 maxexpire 4:00
dhcp scope 121 192.168.121.2-192.168.121.93/24 expire 4:00 maxexpire 4:00
dhcp scope 131 192.168.131.2-192.168.131.93/24 expire 4:00 maxexpire 4:00
dhcp scope 132 192.168.132.2-192.168.132.93/24 expire 4:00 maxexpire 4:00
dhcp scope 133 192.168.133.2-192.168.133.93/24 expire 4:00 maxexpire 4:00
dhcp scope option 1 dns=8.8.8.8,1.1.1.1
dhcp scope option 121 dns=8.8.8.8,1.1.1.1
dhcp scope option 131 dns=8.8.8.8,1.1.1.1
dhcp scope option 132 dns=8.8.8.8,1.1.1.1
dhcp scope option 133 dns=8.8.8.8,1.1.1.1
Filter settings that block communication between VLANs in both directions
@see http://blog.sidetech.jp/2014/12/yamaha-rtx-ip-f.html
ip filter 600000 reject 192.168.121.0/24 192.168.131.0/24
ip filter 600001 reject 192.168.121.0/24 192.168.132.0/24
ip filter 600002 reject 192.168.121.0/24 192.168.133.0/24
ip filter 600011 reject 192.168.131.0/24 192.168.121.0/24
ip filter 600012 reject 192.168.131.0/24 192.168.132.0/24
ip filter 600013 reject 192.168.131.0/24 192.168.133.0/24
ip filter 600021 reject 192.168.132.0/24 192.168.121.0/24
ip filter 600022 reject 192.168.132.0/24 192.168.131.0/24
ip filter 600023 reject 192.168.132.0/24 192.168.133.0/24
ip filter 600031 reject 192.168.133.0/24 192.168.121.0/24
ip filter 600032 reject 192.168.133.0/24 192.168.131.0/24
ip filter 600033 reject 192.168.133.0/24 192.168.132.0/24
ip lan1/1 secure filter in 600011 600012 600013 200000
ip lan1/2 secure filter in 600021 600022 600023 200000
ip lan1/3 secure filter in 600031 600032 600033 200000
ip lan1/4 secure filter in 600000 600001 600002 200000
Each chain lists the three reject filters for that VLAN's peers before the catch-all 200000 pass. The router evaluates the chain top-down and applies the first match, and a packet that matches nothing in the chain is discarded, so the pass entry must be present and must come last. Every source/destination pair appears exactly once across the twelve reject lines, which is what makes the isolation bidirectional. The numbering is not uniform (VLAN121 uses 600000 to 600002 on lan1/4 while VLAN131 uses 600011 to 600013 on lan1/1); this works, but keep it in mind when adding a VLAN, since a missing pair silently opens one direction.
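To confirm that the chains above do what this section claims, here is a small first-match evaluator, added as an example and not part of the original post or of Yamaha's tooling. It parses the reject and pass lines and the secure filter in chains exactly as written on this page (embedded verbatim in RTX_CONFIG) and evaluates a packet from a host in one VLAN to a host in another the way the router does: the first matching filter decides, and a packet that matches nothing is discarded. Protocol and port fields are ignored, so it models only address-based filters like this set; the host addresses in HOSTS are constructed for the example.

```python
import ipaddress

# The isolation filters and chains from this page, copied verbatim.
RTX_CONFIG = """
ip filter 200000 pass * *
ip filter 600000 reject 192.168.121.0/24 192.168.131.0/24
ip filter 600001 reject 192.168.121.0/24 192.168.132.0/24
ip filter 600002 reject 192.168.121.0/24 192.168.133.0/24
ip filter 600011 reject 192.168.131.0/24 192.168.121.0/24
ip filter 600012 reject 192.168.131.0/24 192.168.132.0/24
ip filter 600013 reject 192.168.131.0/24 192.168.133.0/24
ip filter 600021 reject 192.168.132.0/24 192.168.121.0/24
ip filter 600022 reject 192.168.132.0/24 192.168.131.0/24
ip filter 600023 reject 192.168.132.0/24 192.168.133.0/24
ip filter 600031 reject 192.168.133.0/24 192.168.121.0/24
ip filter 600032 reject 192.168.133.0/24 192.168.131.0/24
ip filter 600033 reject 192.168.133.0/24 192.168.132.0/24
ip lan1/1 secure filter in 600011 600012 600013 200000
ip lan1/2 secure filter in 600021 600022 600023 200000
ip lan1/3 secure filter in 600031 600032 600033 200000
ip lan1/4 secure filter in 600000 600001 600002 200000
"""

# Constructed host addresses, one per VLAN sub-interface (not from the page).
HOSTS = {
    "lan1/1": "192.168.131.10",
    "lan1/2": "192.168.132.10",
    "lan1/3": "192.168.133.10",
    "lan1/4": "192.168.121.10",
}


def parse_config(text):
    """Return (filters, chains).

    filters: number -> (action, src pattern, dst pattern); protocol/port fields
             after the addresses are ignored, so only address filters are modelled.
    chains:  interface -> ordered filter numbers of its 'secure filter in' line.
    """
    filters, chains = {}, {}
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["ip", "filter"]:
            filters[int(parts[2])] = (parts[3], parts[4], parts[5])
        elif parts[0] == "ip" and parts[2:5] == ["secure", "filter", "in"]:
            chains[parts[1]] = [int(n) for n in parts[5:]]
    return filters, chains


def _match(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def verdict(filters, chains, iface, src, dst):
    """Evaluate the 'in' chain of iface top-down; the first matching filter
    decides, and a packet that matches nothing is discarded (RTX behaviour)."""
    for num in chains.get(iface, []):
        action, s, d = filters[num]
        if _match(s, src) and _match(d, dst):
            return action
    return "reject"


def isolation_matrix(filters, chains, hosts):
    """hosts: ingress interface -> a host on it. Returns {(src_if, dst_if): verdict}."""
    return {
        (a, b): verdict(filters, chains, a, hosts[a], hosts[b])
        for a in hosts for b in hosts if a != b
    }


if __name__ == "__main__":
    f, c = parse_config(RTX_CONFIG)
    for (a, b), v in sorted(isolation_matrix(f, c, HOSTS).items()):
        print(f"{a} -> {b}: {v}")
    # LAN1 and the Internet are in no reject list, so these pass:
    print("lan1/1 -> 192.168.1.5:", verdict(f, c, "lan1/1", HOSTS["lan1/1"], "192.168.1.5"))
    print("lan1/4 -> 8.8.8.8:", verdict(f, c, "lan1/4", HOSTS["lan1/4"], "8.8.8.8"))
```

Running it prints reject for all twelve VLAN pairs and pass for LAN1 and Internet destinations, which is exactly the policy described above including the LAN1 gap. To re-check after an edit, paste the current 6000xx and secure filter lines from "show config" into RTX_CONFIG.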
VLAN network settings
vlan lan1/1 802.1q vid=131 name=VLAN131
ip lan1/1 address 192.168.131.1/24
vlan lan1/2 802.1q vid=132 name=VLAN132
ip lan1/2 address 192.168.132.1/24
vlan lan1/3 802.1q vid=133 name=VLAN133
ip lan1/3 address 192.168.133.1/24
vlan lan1/4 802.1q vid=121 name=VLAN121
ip lan1/4 address 192.168.121.1/24
VLAN settings for the SWX2200 L2 switch
switch select lan1:8
switch control function set vlan-port-mode 8 hybrid
switch control function set vlan-access 1 121
switch control function set vlan-access 2 121
switch control function set vlan-access 3 131
switch control function set vlan-access 4 131
switch control function set vlan-access 5 132
switch control function set vlan-access 6 132
switch control function set vlan-access 7 133
switch control function set vlan-trunk 8 121 join
switch control function set vlan-trunk 8 131 join
switch control function set vlan-trunk 8 132 join
switch control function set vlan-trunk 8 133 join
Port 8 is the uplink to the router's LAN1 and runs in hybrid mode: VLANs 121, 131, 132 and 133 are carried tagged, while untagged frames belong to the LAN1 network (192.168.1.0/24), which is not tagged on the router side. Ports 1 and 2 are access ports in VLAN121, 3 and 4 in VLAN131, 5 and 6 in VLAN132 and 7 in VLAN133, so a host plugged into an access port cannot choose its VLAN. These lines are pushed to the switch by the router; "switch control use lan1 on" in the complete config is what enables that.