acl配置问题(锐捷三层交换机)
发布网友
发布时间:2022-04-12 20:49
共3个回答
懂视网
时间:2022-04-13 01:10
3750 配置 : 3750#conf t 3750(config)#int f0/15 3750(config-if)#switchport mode trunk 3750(config)#end 3750#vlan database 3750(vlan)#vtp server 3750(vlan)#vtp domain sy 3750(vlan)#vtp password cisco 3750(vlan)#vlan 10 3750(vlan)#vlan 20 37
3750配置:
3750#conf t
3750(config)#int f0/15
3750(config-if)#switchport mode trunk
3750(config)#end
3750#vlan database
3750(vlan)#vtp server
3750(vlan)#vtp domain sy
3750(vlan)#vtp password cisco
3750(vlan)#vlan 10
3750(vlan)#vlan 20
3750(vlan)#vlan 30
3750(vlan)#vlan 40
3750(vlan)#vlan 100
3750(vlan)#exit
3750(config)#ip routing
3750(config)#int vlan 10
3750(config-if)#ip address 192.168.10.1 255.255.255.0
3750(config-if)#no shutdown
3750(config-if)#exit
3750(config)#int vlan 20
3750(config-if)#ip address 192.168.20.1 255.255.255.0
3750(config-if)#no shutdown
3750(config-if)#exit
3750(config)#int vlan 30
3750(config-if)#ip address 192.168.30.1 255.255.255.0
3750(config-if)#no shutdown
3750(config-if)#exit
3750(config)#int vlan 40
3750(config-if)#ip address 192.168.40.1 255.255.255.0
3750(config-if)#no shutdown
3750(config-if)#exit
3750(config)#int vlan 100
3750(config-if)#ip address 192.168.100.1 255.255.255.0
3750(config-if)#no shutdown
3750(config-if)#exit
3750(config)#end
3750(config)#int f0/1
3750(config-if)#switchport access vlan 100
3750(config-if)#end
配置ACL
3750#conf t
3750(config)#access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
3750(config)#access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
3750(config)#access-list 100 permit ip any any
3750(config)#access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
3750(config)#access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
3750(config)#access-list 101 permit ip any any
3750(config)#access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
3750(config)#access-list 102 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
3750(config)#access-list 102 permit ip any any
3750(config)#ip access-list extended infilter //在入方向放置reflect//
3750(config-ext-nacl)#permit ip any any reflect ccna
3750(config-ext-nacl)#exit
3750(config)#ip access-list extended outfilter //在出方向放置evaluate//
3750(config-ext-nacl)#evaluate ccna
3750(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 any
3750(config-ext-nacl)#deny ip 192.168.20.0 0.0.0.255 any
3750(config-ext-nacl)#deny ip 192.168.30.0 0.0.0.255 any
3750(config-ext-nacl)#permit ip any any
3750(config-ext-nacl)#exit
3750(config)#int vlan 40 //应用到管理接口//
3750(config-if)#ip access-group infilter in
3750(config-if)#ip access-group outfilter out
3750(config-if)#exit
3750(config)#int vlan 10
3750(config-if)#ip access-group 100 in
3750(config-if)#exit
3750(config)#int vlan 20
3750(config-if)#ip access-group 101 in
3750(config-if)#exit
3750(config)#int vlan 30
3750(config-if)#ip access-group 102 in
3750(config-if)#end
2960配置:
2960#conf t
2960(config)#int f0/15
2960(config-if)#switchport mode trunk
2960(config-if)#switchport trunk encapsulation dot1q
2960(config-if)#end
2960#vlan database
2960(vlan)#vtp client
2960(vlan)#vtp domain sy
2960(vlan)#vtp password cisco
2960(vlan)#exit
2960#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 256
Number of existing VLANs : 10
VTP Operating Mode : Client
VTP Domain Name : sy
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x4D 0xA8 0xC9 0x00 0xDC 0x58 0x2F 0xDD
Configuration last modified by 0.0.0.0 at 3-1-02 00:13:34
2960#show vlan-sw brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/0, Fa0/1, Fa0/2, Fa0/3
Fa0/4, Fa0/5, Fa0/6, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
100 VLAN0100 active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
2960#conf t
2960(config)#int f0/1
2960(config-if)#switchport access vlan 10
2960(config-if)#int f0/2
2960(config-if)#switchport access vlan 20
2960(config-if)#int f0/3
2960(config-if)#switchport access vlan 30
2960(config-if)#int f0/4
2960(config-if)#switchport access vlan 40
2960(config-if)#end
客户机验证:
PC1:
PC1#ping 192.168.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.20, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC1#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC1#ping 192.168.40.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.40, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC1#ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/268/336 ms
PC2:
PC2#ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC2#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC2#ping 192.168.40.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.40, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC2#ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/170/336 ms
PC3:
PC3#ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
.U.U.
Success rate is 0 percent (0/5)
PC3#ping 192.168.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.20, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC3#ping 192.168.40.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.40, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC3#ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/218/416 ms
PC4:
PC4#ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 240/331/508 ms
PC4#ping 192.168.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 220/288/356 ms
PC4#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/207/268 ms
PC4#ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/219/440 ms
PC5:
PC5#ping 192.168.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/194/284 ms
PC5#ping 192.168.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/209/336 ms
PC5#ping 192.168.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/184/372 ms
PC5#ping 192.168.40.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 192/239/308 ms
热心网友
时间:2022-04-12 22:18
S5750#conf ----进入全局配置模式
S5750(config)#vlan 10 ----创建VLAN10
S5750(config-vlan)#exit ----退出VLAN配置模式
S5750(config)#vlan 20 ----创建VLAN20
S5750(config-vlan)#exit ----退出VLAN配置模式
S5750(config)#vlan 30 ----创建VLAN30
S5750(config-vlan)#exit ----退出VLAN配置模式
步骤二:将端口加入各自vlan
S5750(config)# interface range gigabitEthernet 0/1-5
----进入gigabitEthernet 0/1-5号端口
S5750(config-if-range)#switchport access vlan 10
----将端口加划分进vlan10
S5750(config-if-range)#exit ----退出端口配置模式
S5750(config)# interface range gigabitEthernet 0/6-10
----进入gigabitEthernet 0/6-10号端口
S5750(config-if-range)#switchport access vlan 20
----将端口加划分进vlan20
S5750(config-if-range)#exit ----退出端口配置模式
S5750(config)# interface range gigabitEthernet 0/11-15
----进入gigabitEthernet 0/11-15号端口
S5750(config-if-range)#switchport access vlan 30
----将端口加划分进vlan30
S5750(config-if-range)#exit ----退出端口配置模式
步骤三:配置vlan10、vlan20、vlan30的网关IP地址
S5750(config)#interface vlan 10 ----创建vlan10的SVI接口
S5750(config-if)#ip address 192.168.10.1 255.255.255.0
----配置VLAN10的网关
S5750(config-if)#exit ----退出端口配置模式
S5750(config)#interface vlan 20 ----创建vlan10的SVI接口
S5750(config-if)#ip address 192.168.20.1 255.255.255.0
----配置VLAN10的网关
S5750(config-if)#exit ----退出端口配置模式
S5750(config)#interface vlan 30 ----创建vlan10的SVI接口
S5750(config-if)#ip address 192.168.30.1 255.255.255.0
----配置VLAN10的网关
S5750(config-if)#exit ----退出端口配置模式
步骤四:创建ACL,使vlan20能访问vlan10,而vlan30不能访问vlan10
S5750(config)#ip access-list extended deny30 ----定义扩展ACL
S5750(config-ext-nacl)#deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
----拒绝vlan30的用户访问vlan10资源
S5750(config-ext-nacl)#permit ip any any
----允许vlan30的用户访问其他任何资源
S5750(config-ext-nacl)#exit ----退出扩展ACL配置模式
步骤五:将ACL应用到vlan30的SVI口in方向
S5750(config)#interface vlan 30 ----创建vlan30的SVI接口
S5750(config-if)#ip access-group deny30 in
----将扩展ACL应用到vlan30的SVI接口下
热心网友
时间:2022-04-12 23:36
2、access-list 110 permit tcp ip(VLAN40的IP范围) eq 21 ftp
3、access-list 110 permit icmp ip(VLAN40的IP范围)
4、access-list 110 deny ip any any
5、Router(config)#interface ethernet 1(连D计算机的接口)
6、Router(config)#ip access-group 110 out
7、#time-range ftp
8、Router(config-if)#absolute start 8:00 end 18:00
试一下,我这里没设备了,没办法测试
