问题描述:
MER5200 两个网口个建立了一个vlan 分别时51与52地址分别时192.168.51.0和192.168.52.0网段,52网段给的ap用,现在51网段可以ping通52的手机电脑.但是用52ping不通51内的服务器,
配置和诊断信息都在下面,求大神相小白解答解答
组网及组网描述:
- #
- version 7.1.064, Release 0821P18
- #
- sysname MER5200
- #
- clock timezone Beijing add 08:00:00
- clock protocol ntp
- #
- telnet server enable
- telnet server acl 2176
- #
- security-zone intra-zone default permit
- #
- dialer-group 1 rule ip permit
- dialer-group 2 rule ip permit
- #
- ip unreachables enable
- ip ttl-expires enable
- #
- dhcp enable
- dhcp server always-broadcast
- dhcp server mini-ap ip-pool vlan-interface52
- #
- dns proxy enable
- #
- password-recovery enable
- #
- vlan 1
- #
- vlan 41
- #
- vlan 52
- #
- object-group ip address _web_manageTelnet_group_
- 0 network range 192.168.51.1 192.168.51.254
- #
- dhcp server ip-pool ge3
- gateway-list 192.168.100.1
- network 192.168.100.0 mask 255.255.255.0
- address range 192.168.100.1 192.168.100.254
- dns-list 192.168.100.1
- forbidden-ip-range 192.168.100.1 192.168.100.1
- #
- dhcp server ip-pool lan1
- gateway-list 192.168.51.1
- network 192.168.51.0 mask 255.255.255.0
- address range 192.168.51.2 192.168.51.199
- dns-list 192.168.51.1 223.5.5.5
- #
- dhcp server ip-pool vlan-interface41
- gateway-list 192.168.41.1
- network 192.168.41.0 mask 255.255.255.0
- address range 192.168.41.2 192.168.41.99
- dns-list 192.168.41.1 114.114.114.114
- forbidden-ip-range 192.168.41.1 192.168.41.1
- #
- dhcp server ip-pool vlan-interface52
- gateway-list 192.168.52.1
- network 192.168.52.0 mask 255.255.255.0
- address range 192.168.52.1 192.168.52.254
- dns-list 192.168.52.1 223.5.5.5
- forbidden-ip-range 192.168.52.1 192.168.52.1
- option 43 hex 8007000001c0a83401
- option 60 ascii H3C
- #
- ddns policy WAN0(GE0)
- url ***.***/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
- username htsm1990
- password cipher $c$3$58xDNFdxAvWd9imUQGKfMbGAzoJWd9CKiJD9dg6YoQ==
- #
- controller Cellular0/0
- #
- interface Dialer0
- mtu 1492
- ppp chap password cipher $c$3$x3PvALA5FuuRQwWmT0K/w74HXZ1vGGlrJBe7
- ppp chap user CD61741101
- ppp ipcp dns admit-any
- ppp ipcp dns request
- ppp pap local-user CD61741101 password cipher $c$3$kgB8CsqMVReSnU5R2DVbg2kxioP0Gf3XPwsG
- dialer bundle enable
- dialer-group 1
- dialer timer idle 0
- dialer timer autodial 5
- ip address ppp-negotiate
- tcp mss 1280
- ip last-hop hold
- nat outbound
- ddns apply policy WAN0(GE0) fqdn ***.***
- ipsec apply policy WAN0(GE0)
- ipsec no-nat-process enable
- #
- interface Dialer1
- mtu 1492
- ppp chap password cipher $c$3$v8N1a9LPffVuhmZpakpmynsTPUhC3fPh7gEw
- ppp chap user CD02885880539
- ppp ipcp dns admit-any
- ppp ipcp dns request
- ppp pap local-user CD02885880539 password cipher $c$3$u4fAJ7d0btLow4pJj42+QLFF2/cDUPaYgM60
- dialer bundle enable
- dialer-group 2
- dialer timer idle 0
- dialer timer autodial 5
- ip address ppp-negotiate
- tcp mss 1280
- ip last-hop hold
- nat outbound
- #
- interface Virtual-PPP0
- ppp chap password cipher $c$3$As19Tu5t7AK8h6+ifWVsYGIiHm8XHGt6PNIL
- ppp chap user admin
- ip address 10.10.10.10 255.255.255.254
- l2tp-auto-client l2tp-group 1
- nat outbound
- #
- interface NULL0
- #
- interface Vlan-interface1
- description LAN-interface
- ip address 192.168.51.1 255.255.255.0
- tcp mss 1280
- ip subscriber l2-connected enable
- ip subscriber initiator dhcp enable
- ip subscriber initiator unclassified-ip enable
- ip subscriber dhcp domain ipoeenabledomain
- ip subscriber unclassified-ip domain ipoeenabledomain
- #
- interface Vlan-interface41
- description LAN-interface
- ip address 192.168.41.1 255.255.255.0
- tcp mss 1280
- ip subscriber l2-connected enable
- ip subscriber initiator dhcp enable
- ip subscriber initiator unclassified-ip enable
- ip subscriber dhcp domain ipoeenabledomain
- ip subscriber unclassified-ip domain ipoeenabledomain
- #
- interface Vlan-interface52
- description LAN-interface
- ip address 192.168.52.1 255.255.255.0
- tcp mss 1280
- ip subscriber l2-connected enable
- ip subscriber initiator dhcp enable
- ip subscriber initiator unclassified-ip enable
- ip subscriber dhcp domain ipoeenabledomain
- ip subscriber unclassified-ip domain ipoeenabledomain
- #
- interface GigabitEthernet0/0
- port link-mode route
- description Double_Line1
- combo enable copper
- pppoe-client dial-bundle-number 0
- #
- interface GigabitEthernet0/1
- port link-mode route
- description Double_Line2
- pppoe-client dial-bundle-number 1
- #
- interface GigabitEthernet0/2
- port link-mode bridge
- port link-type trunk
- port trunk permit vlan 1
- #
- interface GigabitEthernet0/3
- port link-mode bridge
- port link-type trunk
- port trunk permit vlan 1
- #
- interface GigabitEthernet0/4
- port link-mode bridge
- port link-type trunk
- undo port trunk permit vlan 1
- port trunk permit vlan 52
- port trunk pvid vlan 52
- #
- interface GigabitEthernet0/5
- port link-mode bridge
- port link-type trunk
- undo port trunk permit vlan 1
- port trunk permit vlan 41
- port trunk pvid vlan 41
- #
- object-policy ip Any-Any
- rule 65533 inspect 8048_url_profile_global disable
- rule 65534 pass
- #
- security-zone name Local
- #
- security-zone name Trust
- #
- security-zone name DMZ
- #
- security-zone name Untrust
- #
- security-zone name Management
- #
- zone-pair security source Any destination Any
- object-policy apply ip Any-Any
- #
- zone-pair security source Local destination Trust
- packet-filter name SWXWSGL
- #
- zone-pair security source Local destination Untrust
- packet-filter name SWXWSGL
- #
- zone-pair security source Trust destination Local
- packet-filter name SWXWSGL
- #
- zone-pair security source Untrust destination Local
- packet-filter name SWXWSGL
- #
- scheduler logfile size 16
- #
- line class console
- user-role network-admin
- #
- line class tty
- user-role network-operator
- #
- line class vty
- user-role network-operator
- #
- line con 0
- user-role network-admin
- #
- line vty 0 63
- authentication-mode scheme
- user-role network-operator
- #
- ip route-static 0.0.0.0 0 Dialer0 track 1023
- ip route-static 0.0.0.0 0 Dialer1 preference 100
- ip route-static 192.168.3.0 24 Virtual-PPP0
- #
- info-center loghost 127.0.0.1 port 3301
- info-center source CFGLOG loghost level informational
- #
- arp static 192.168.52.202 c85a-cf2c-f28c 52 GigabitEthernet0/4
- #
- ntp-service enable
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- ntp-service unicast-server ***.***
- #
- acl basic 2176
- rule 1 permit source object-group _web_manageTelnet_group_
- #
- acl advanced 3999
- rule 0 permit ip source 10.10.10.10 0 destination 192.168.3.1 0
- rule 5 permit ip source 192.168.3.1 0 destination 10.10.10.10 0
- rule 10 permit ip source 10.10.10.10 0 destination 192.168.51.2 0
- rule 15 permit ip source 192.168.51.2 0 destination 10.10.10.10 0
- #
- acl advanced name SWXWSGL
- rule 1 permit ip
- #
- acl mac 4998
- rule 0 permit source-mac f460-e2c2-6d32 ffff-ffff-ffff
- rule 0 comment HSL手机
- rule 5 permit source-mac a81e-8429-20f8 ffff-ffff-ffff
- rule 10 permit source-mac 6ce5-f7d5-23ad ffff-ffff-ffff
- rule 10 comment AP1
- rule 15 permit source-mac 6ce5-f7d3-64f5 ffff-ffff-ffff
- rule 15 comment AP2
- rule 20 permit source-mac 7862-5692-5049 ffff-ffff-ffff
- rule 20 comment 李黄进手机
- rule 25 deny
- #
- password-control enable
- undo password-control aging enable
- undo password-control history enable
- password-control length 6
- password-control login-attempt 3 exceed lock-time 10
- password-control update-interval 0
- password-control login idle-time 0
- #
- domain ipoeenabledomain
- authorization-attribute idle-cut 5 1
- authentication ipoe none
- authorization ipoe none
- accounting ipoe none
- #
- domain system
- #
- domain default enable system
- #
- role name level-0
- description Predefined level-0 role
- #
- role name level-1
- description Predefined level-1 role
- #
- role name level-2
- description Predefined level-2 role
- #
- role name level-3
- description Predefined level-3 role
- #
- role name level-4
- description Predefined level-4 role
- #
- role name level-5
- description Predefined level-5 role
- #
- role name level-6
- description Predefined level-6 role
- #
- role name level-7
- description Predefined level-7 role
- #
- role name level-8
- description Predefined level-8 role
- #
- role name level-9
- description Predefined level-9 role
- #
- role name level-10
- description Predefined level-10 role
- #
- role name level-11
- description Predefined level-11 role
- #
- role name level-12
- description Predefined level-12 role
- #
- role name level-13
- description Predefined level-13 role
- #
- role name level-14
- description Predefined level-14 role
- #
- user-group system
- #
- local-user admin class manage
- service-type telnet http https
- authorization-attribute user-role network-admin
- #
- local-user kbj class network
- password cipher $c$3$jVomuLnzB7dzzH2ZcqSP5E1cksQaaaCcxQ==
- service-type ppp
- authorization-attribute user-role network-operator
- #
- session statistics enable
- #
- ipsec transform-set WAN0(GE0)@MER5200ZX
- esp encryption-algorithm 3des-cbc
- esp authentication-algorithm sha1
- pfs dh-group1
- #
- ipsec policy-template WAN0(GE0) 65535
- transform-set WAN0(GE0)@MER5200ZX
- description WAN0(GE0)@MER5200ZX
- ike-profile WAN0(GE0)@MER5200ZX
- sa duration time-based 3600
- sa duration traffic-based 1843200
- reverse-route dynamic
- reverse-route preference 100
- #
- ipsec policy WAN0(GE0) 65535 isakmp template WAN0(GE0)
- #
- l2tp-group 1 mode lac
- lns-ip host-name ***.*** host-name ***.***
- undo tunnel authentication
- tunnel name H3C-LAC
- tunnel password cipher $c$3$E5TbYQeX9tQa5kj/KUVRimMk5odbjDD+ag==
- #
- l2tp enable
- #
- ike profile WAN0(GE0)@MER5200ZX
- keychain WAN0(GE0)@MER5200ZX
- dpd interval 60 on-demand
- exchange-mode aggressive
- local-identity fqdn zongbu
- match remote identity address 0.0.0.0 0.0.0.0
- match remote identity fqdn fenbu
- proposal 65535
- #
- ike proposal 65535
- #
- ike keychain WAN0(GE0)@MER5200ZX
- pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$T1d42ty/nm6aeseu7hBb0GjVhKMuY/qPJ+Ny
- #
- ip http enable
- ip https enable
- #
- url-filter category custom severity 65535
- #
- traffic-policy
- rule 1 name web_AppTraffRank
- application app http
- #
- dac log-collect service dpi traffic enable
- dac traffic-statistic application enable
- #
- dac storage service dpi traffic limit hold-time 1
- dac storage service traffic limit hold-time 1
- #
- cloud-management server domain oasis.h3c.com
- #
- return
- 2022-06-01提问
- 举报
-
(0)
已采纳
1、先看服务器的防火墙关闭没有,在看服务器的网关是否填写,并能平通手机网段的网关
2、看你配置了acl ,安全策略,检查是否和这些有关系,先关闭后测试一下
3、无线服务模板里有没有开启用户隔离
- 2022-06-01回答
- 评论(0)
- 举报
-
(0)
编辑答案
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖
举报
×
侵犯我的权益
>
对根叔社区有害的内容
>
辱骂、歧视、挑衅等(不友善)
侵犯我的权益
×
侵犯了我企业的权益
>
抄袭了我的内容
>
诽谤我
>
辱骂、歧视、挑衅等(不友善)
骚扰我
侵犯了我企业的权益
×
您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
抄袭了我的内容
×
原文链接或出处
诽谤我
×
您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
对根叔社区有害的内容
×
垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载
>
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票
不规范转载
×
举报说明
暂无评论