限制VLAN之间互访实例
网络拓扑:本拓扑存在以下VLANVLAN 2 172.16.2.0/24VLAN 3 172.16.3.0/24VLAN 4 172.16.4.0/24VLAN 5 172.16.5.0/24管理VLAN,native vlan一、通过标准ACL实现VLAN之间互访的限制定义access-listaccess-list 2 deny 172.16.3.0 0.0.0.255access-list 2 deny 172.16.4.0 0.0.0.255access-list 2 permit any功能描述:禁止源为172.16.3.0、172.16.4.0网段的访问,其他放行access-list 3 deny 172.16.2.0 0.0.0.255access-list 3 deny 172.16.4.0 0.0.0.255access-list 3 permit any功能描述:禁止源为172.16.2.0、172.16.4.0网段的访问,其他放行access-list 4 deny 172.16.2.0 0.0.0.255access-list 4 deny 172.16.3.0 0.0.0.255access-list 4 permit any功能描述:禁止源为172.16.2.0、172.16.3.0网段的访问,其他放行interface vlan 2除了VLAN2,别的VLAN的数据是从别的VLAN的接口进来,然后到VLAN2出来所以ip access-group 2 outinterface vlan 3ip access-group 3 outinterface vlan 4ip access-group 4 out结果是VLAN 2、3、4之间是不好互相访问的,但同时可以和VLAN 5进行通信。二、通过扩展ACL实现其功能需求
ip access-list extended vlan2deny ip 172.16.3.0 0.0.0.255 172.16.2.0 0.0.0.255deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255permit ip any anyexitip access-list extended vlan3deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255permit ip any anyexitip access-list extended vlan4
deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255deny ip 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255permit ip any anyexitint vlan 2ip access-group vlan2 out以VLAN2为目的,而当前接口为VLAN 2,所以是out方向int vlan 3ip access-group vlan3 outint vlan 4ip access-group vlan4 out结果也是实现了
啥时硬件也可以COPY就好了! 看帖回帖是美德!:lol 鸳鸳相抱何时了,鸯在一边看热闹。 不错不错,楼主您辛苦了。。。 解释就系掩饰,掩饰等于无出色,无出色不如回家休息!!! 男人偷腥时的智商仅次于爱因斯坦!
页:
[1]