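I'm hoping to get some help with a problem I'm currently facing.
I have 3 Cisco SMB switches: (2) SG300 managed switches and (1) unmanaged switch.
SWSG1 / 172.16.1.100 - port 24 trunk connected to the Cisco ASA firewall
VLAN 1 default! (All domain servers, AD, DNS, DHCP and PBX are located here)
VLAN-2 Voice, IP address 10.10.200.1
VLAN 3 data compression, IP address 10.10.100.1
SWSG2 / 172.16.1.200 - port 24 connected to SWSG1 switch port 23
VLAN 1 default
VLAN 2 Voice, no IP address configured
Port 7, with no IP address configured, is configured as Access Voice 2
SG3 / UnManaged / port 24 trunk connected to SWSG2 switch port 23
VLAN 1 default
All IP phones are connected on this switch
#1 Cisco IP phone connected on port 1, IP address 10.10.200.114
#2 Cisco IP phone connected on port 2, IP address 10.10.200.115
The workstations are connected to the IP phones.
The VLAN on the IP phones is active
Voice is VLAN 2 and the PC is on the default VLAN 1.
With the current configuration, I cannot reach any of the Cisco IP phones or the domain servers on VLAN 1, which is the default VLAN.
Can anyone help me with this? I need access to the domain & PBX resources.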
config-file-header
SWSG1
v1.4.10.6 / R800_NIK_1_4_214_020
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
ssd file integrity control enabled
ssd-control-end #REMOVED FOR SECURITY
!
time-range RT1
periodic sun 01:00 to sat 01:00
exit
spanning-tree loopback-guard
vlan database
vlan 1,2,3
exit
voice vlan id 2
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
loopback-detection enable
errdisable recovery cause loopback-detection
errdisable recovery cause port-security
errdisable recovery cause dot1x-src-address
errdisable recovery cause acl-deny
errdisable recovery cause stp-bpdu-guard
errdisable recovery cause stp-loopback-guard
errdisable recovery cause udld
green-ethernet energy-detect
no ip arp proxy disable
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp excluded-address
bonjour interface range vlan 1
qos wrr-queue wrtd
mac access-list extended ACL-MAC
exit
ip access-list extended EXTEND-ACL
permit icmp any 172.16.1.50 255.255.255.0 any any ace-priority 1 log-input
permit tcp any any 172.16.1.50 255.255.255.0 any ace-priority 2 log-input
permit icmp any 172.16.7.1 255.255.255.0 any any ace-priority 3 log-input
permit tcp any any 172.16.1.1 255.255.255.0 any ace-priority 4 log-input
permit icmp any 172.16.1.0 255.255.255.0 any any ace-priority 5 log-input
permit tcp any any 172.16.1.0 255.255.255.0 any ace-priority 6 log-input
permit udp any 5060-5090 172.16.1.200 255.255.255.0 5060-5090 ace-priority 7 log-input
permit udp any 9000-11000 172.16.1.200 255.255.255.0 9000-11000 ace-priority 8 log-input
permit tcp any 2195-2196 172.16.1.200 255.255.255.0 2195-2196 ace-priority 9 log-input
permit tcp any 5060-5090 172.16.1.200 255.255.255.0 5060-5090 ace-priority 10 log-input
permit ip any 172.16.1.254 255.255.255.0 ace-priority 11 log-input
permit tcp any 2528 172.16.1.200 255.255.255.0 2528 ace-priority 12 log-input
exit
hostname SWSG1
line console
exec-timeout 30
exit
line ssh
exec-timeout 30
exit
management access-list SECURITY-PROFILE
permit ip-source 172.16.1.47 mask 255.255.255.0
exit
management access-class SECURITY-PROFILE
logging origin-id ip
logging file notifications
rmon event 1 log-trap community TECH description TECH-LOGS owner
aaa authentication login authorization Console local none
aaa authentication enable authorization Console enable none
line console
login authentication Console
enable authentication Console
password "REMOVED FOR SECURITY" encrypted
exit
username cisco password encrypted "REMOVED FOR SECURITY" privilege 15
username CISCO password encrypted "REMOVED FOR SECURITY" privilege 15
ip ssh server
ip ssh password-auth
ip ssh-client username "REMOVED FOR SECURITY"
snmp-server server
snmp-server location "REMOVED FOR SECURITY"
snmp-server contact "REMOVED FOR SECURITY"
snmp-server community "REMOVED FOR SECURITY" ro view Default
ip http timeout-policy 1800
clock timezone " " -4
clock summer-time web recurring usa
sntp anycast client enable ipv4
sntp broadcast client enable ipv4
clock source sntp
clock source browser
sntp authenticate
sntp unicast client enable
sntp unicast client poll
sntp server 172.16.1.59 poll
sntp server time-a.timefreq.bldrdoc.gov poll
sntp server time-b.timefreq.bldrdoc.gov poll
sntp server time-c.timefreq.bldrdoc.gov poll
ip domain name "REMOVED FOR SECURITY"
ip name-server "REMOVED FOR SECURITY"
security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite dos protect add back-orifice-trojan
!
interface vlan 1
ip address 172.16.1.254 255.255.255.0
no ip address dhcp
service-acl input ACL default-action permit-any
!
interface vlan 1
name MANAGEMENT
ip address 172.16.100.1 255.255.255.0
!
interface vlan 2
name "VOICE VLAN"
ip address 172.16.200.1 255.255.255.0
service-acl input ACL
!
interface vlan 3
name DATA
shutdown
!
interface gigabitethernet1
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
spanning-tree link-type point-to-point
switchport forbidden vlan add 400
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet2
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
spanning-tree link-type point-to-point
switchport forbidden vlan add 400
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet3
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet4
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet5
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet6
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet7
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
spanning-tree link-type point-to-point
switchport mode access
switchport forbidden vlan add 400
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet8
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet9
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet10
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet11
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet12
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet13
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet14
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet15
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet16
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet17
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet18
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet19
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet20
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet21
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet22
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet23
negotiation preferred master
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet24
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet25
negotiation preferred master
description "TRUNK UP-LINK-2 | SWSG2"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 1-3
switchport forbidden vlan add 400
macro description switch
switchport default-vlan tagged
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet26
negotiation preferred master
description "TRUNK UP-LINK-2 | PoE SW"
ip arp inspection trust
ip source-guard
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 1-3
switchport forbidden vlan add 400
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface gigabitethernet27
negotiation preferred master
description "TRUNK UP-LINK-1 | ACCESS POINT"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
interface gigabitethernet28
negotiation preferred master
description "REMOVED FOR SECURITY"
ip arp inspection trust
ip source-guard
storm-control broadcast enable
switchport forbidden vlan add 400
!
exit
banner login
macro auto processing type host enabled
macro auto processing type router enabled
ip dhcp snooping
ip dhcp snooping database
ip arp inspection
ip arp inspection validate
ip arp inspection vlan 1
ip arp inspection vlan 2
ip arp inspection vlan 3
ip source-guard
"REMOVED FOR SECURITY"
encrypted ip ssh-client key rsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted ip ssh-client key dsa key-pair
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import rsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: RSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: RSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto key import dsa
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
Comment: DSA Private Key
"REMOVED FOR SECURITY"
---- END SSH2 PRIVATE KEY ----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
"REMOVED FOR SECURITY"
---- END SSH2 PUBLIC KEY ----
.
encrypted crypto certificate 1 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
"REMOVED FOR SECURITY"
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
"REMOVED FOR SECURITY"
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
"REMOVED FOR SECURITY"
-----END CERTIFICATE-----
.
encrypted crypto certificate 2 import
-----BEGIN RSA ENCRYPTED PRIVATE KEY-----
"REMOVED FOR SECURITY"
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
"REMOVED FOR SECURITY"
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
"REMOVED FOR SECURITY"
-----END CERTIFICATE-----
.
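config-file-digest "REMOVED FOR SECURITY"
Posted on 2019-07-19 19:02:45
Your unmanaged switch does not understand VLANs, so you cannot trunk VLANs to it. You should not use it in a network with multiple VLANs.
Also, in your "sample config" you have two entries for interface vlan 1; which one is it?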
https://networkengineering.stackexchange.com/questions/60464
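A check for the duplicate `interface vlan 1` entries the answer points out, as an added example that is not part of the original post or answer: it parses the VLAN-interface stanzas of a config, reports VLANs declared more than once with different addresses, and lists hosts that fall inside no configured VLAN-interface subnet. The function names are hypothetical, and the sample is a constructed excerpt of the posted SWSG1 config.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: only the "interface vlan" stanzas from the posted SWSG1 config.
SAMPLE_CONFIG = """interface vlan 1
ip address 172.16.1.254 255.255.255.0
no ip address dhcp
!
interface vlan 1
name MANAGEMENT
ip address 172.16.100.1 255.255.255.0
!
interface vlan 2
name "VOICE VLAN"
ip address 172.16.200.1 255.255.255.0
!
interface vlan 3
name DATA
shutdown
!
"""
PHONES = ["10.10.200.114", "10.10.200.115"]  # phone addresses given in the question

def parse_svis(config):
    """Map VLAN id -> one entry per stanza: its ip_interface, or None if unaddressed."""
    svis, current = defaultdict(list), None
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.fullmatch(r"interface vlan (\d+)", line)
        addr = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if head:
            current = int(head.group(1))
            svis[current].append(None)
        elif line in ("!", "exit") or line.startswith("interface "):
            current = None  # stanza ended or a non-VLAN interface began
        elif addr and current is not None:
            svis[current][-1] = ipaddress.ip_interface("/".join(addr.groups()))
    return dict(svis)

def conflicting_svis(svis):
    """VLANs declared in several stanzas that carry different addresses."""
    addrs = {v: sorted({str(a) for a in s if a is not None}) for v, s in svis.items()}
    return {v: a for v, a in addrs.items() if len(a) > 1}

def hosts_outside_svis(svis, hosts):
    """Hosts that are not inside any configured VLAN-interface subnet."""
    nets = [a.network for s in svis.values() for a in s if a is not None]
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]
```

Running `conflicting_svis(parse_svis(text))` over a saved config before posting or deploying it shows which VLAN interfaces need a single, agreed address.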