测试一下Vlan的访问控制:
起三个VLan:Server,vlan3,vlan4,要求vlan 3,vlan 4不能互访但均可以访问server
测试设备3550一台PC3台。
为测试方便先配置一下DHCP:
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip do lo
Switch(config)#line 0
Switch(config-line)#logg syn
Switch(config-line)#exec-t 0
Switch(config-line)#end
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#no ip do lo
Switch(config)#line 0
Switch(config-line)#logg syn
Switch(config-line)#exec-t 0
Switch(config-line)#end
Switch(config)#hostname DIS01
DIS01(config)#ip ro
DIS01(config)#ip routin
DIS01(config)#ip routing
DIS01(config)#ip cef
DIS01(config)#ip cef
DIS01(config)#ip ro
DIS01(config)#ip routin
DIS01(config)#ip routing
DIS01(config)#ip cef
DIS01(config)#ip cef
配置vlan与SVI接口地址
DIS01(config)#vlan 2
DIS01(config-vlan)#name server
DIS01(config-vlan)#vlan 3
DIS01(config-vlan)#name vlan3
DIS01(config-vlan)#vlan 4
DIS01(config-vlan)#name vlan4
DIS01(config-vlan)#int vlan 2
DIS01(config-if)#ip add 10.1.
*Mar 1 00:06:12.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down
DIS01(config-if)#ip add 10.1.2.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
DIS01(config-if)#int vlan 2
DIS01(config-if)#int vlan 3
DIS01(config-if)#ip add
*Mar 1 00:06:25.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to down
DIS01(config-if)#ip add 10.1.3.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
DIS01(config-if)#int vlan 4
DIS01(config-if)#ip add 10.1
*Mar 1 00:06:42.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan4, changed state to down
DIS01(config-if)#ip add 10.1.4.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
DIS01(config-vlan)#name server
DIS01(config-vlan)#vlan 3
DIS01(config-vlan)#name vlan3
DIS01(config-vlan)#vlan 4
DIS01(config-vlan)#name vlan4
DIS01(config-vlan)#int vlan 2
DIS01(config-if)#ip add 10.1.
*Mar 1 00:06:12.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down
DIS01(config-if)#ip add 10.1.2.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
DIS01(config-if)#int vlan 2
DIS01(config-if)#int vlan 3
DIS01(config-if)#ip add
*Mar 1 00:06:25.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to down
DIS01(config-if)#ip add 10.1.3.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
DIS01(config-if)#int vlan 4
DIS01(config-if)#ip add 10.1
*Mar 1 00:06:42.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan4, changed state to down
DIS01(config-if)#ip add 10.1.4.254 255.255.255.0
DIS01(config-if)#no sh
DIS01(config-if)#no shutdown
配置vlan端口
DIS01(config-if)#exit
DIS01(config)#int range fa0/1 - 2
DIS01(config-if-range)#switchport mode access
DIS01(config-if-range)#switchport access vlan 2
DIS01(config)#int range fa0/3 - 4
DIS01(config-if-range)#sw mo ac
DIS01(config-if-range)#sw ac vl 3
DIS01(config-if-range)#exit
DIS01(config)#int range fa0/5 - 6
DIS01(config-if-range)#sw mo ac
DIS01(config-if-range)#sw ac vl 4
DIS01(config-if-range)#end
DIS01(config)#int range fa0/1 - 2
DIS01(config-if-range)#switchport mode access
DIS01(config-if-range)#switchport access vlan 2
DIS01(config)#int range fa0/3 - 4
DIS01(config-if-range)#sw mo ac
DIS01(config-if-range)#sw ac vl 3
DIS01(config-if-range)#exit
DIS01(config)#int range fa0/5 - 6
DIS01(config-if-range)#sw mo ac
DIS01(config-if-range)#sw ac vl 4
DIS01(config-if-range)#end
DIS01(config)#service dhcp //开启DHCP服务
DIS01(config)#ip dhcp excluded-address 10.1.2.0 10.1.2.50
DIS01(config)#ip dhcp excluded-address 10.1.2.240 10.1.2.254
DIS01(config)#ip dhcp excluded-address 10.1.3.0 10.1.3.50
DIS01(config)#ip dhcp excluded-address 10.1.3.240 10.1.3.254
DIS01(config)#ip dhcp excluded-address 10.1.4.0 10.1.4.50
DIS01(config)#ip dhcp excluded-address 10.1.4.240 10.1.4.254
DIS01(config)#ip dhcp excluded-address 10.1.3.0 10.1.3.50
DIS01(config)#ip dhcp excluded-address 10.1.3.240 10.1.3.254
DIS01(config)#ip dhcp excluded-address 10.1.4.0 10.1.4.50
DIS01(config)#ip dhcp excluded-address 10.1.4.240 10.1.4.254
DIS01(config)#ip dhcp pool server
DIS01(dhcp-config)#network 10.1.2.0 255.255.255.0
DIS01(dhcp-config)#default-router 10.1.2.254
DIS01(dhcp-config)#exit
DIS01(config)#ip dhcp pool vlan3
DIS01(dhcp-config)#network 10.1.3.0 255.255.255.0
DIS01(dhcp-config)#default-router 10.1.3.254
DIS01(dhcp-config)#exit
DIS01(config)#ip dhcp pool vlan4
DIS01(dhcp-config)#default-router 10.1.4.254
DIS01(dhcp-config)#network 10.1.4.0 255.255.255.0
DIS01(dhcp-config)#end
DIS01(dhcp-config)#network 10.1.2.0 255.255.255.0
DIS01(dhcp-config)#default-router 10.1.2.254
DIS01(dhcp-config)#exit
DIS01(config)#ip dhcp pool vlan3
DIS01(dhcp-config)#network 10.1.3.0 255.255.255.0
DIS01(dhcp-config)#default-router 10.1.3.254
DIS01(dhcp-config)#exit
DIS01(config)#ip dhcp pool vlan4
DIS01(dhcp-config)#default-router 10.1.4.254
DIS01(dhcp-config)#network 10.1.4.0 255.255.255.0
DIS01(dhcp-config)#end
DIS01(config)#int rang fa0/1 - 10
DIS01(config-if-range)#spanning-tree portfast
DIS01(config-if-range)#spanning-tree portfast
测试vlan与DHCP配置,ping第一个地址
DIS01#ping 10.1.2.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DIS01#ping 10.1.3.51
Sending 5, 100-byte ICMP Echos to 10.1.2.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
DIS01#ping 10.1.3.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Sending 5, 100-byte ICMP Echos to 10.1.3.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
配置ACL,注意本vlan的也要写不然不能访问,因最后一条是deny any any
DIS01(config)#access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
DIS01(config)#access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
DIS01(config)#access-list 101 permit ip any host 1.1.1.1
DIS01(config)#access-list 102 permit ip 10.1.4.0 0.0.0.255 10.1.2.0 0.0.0.255
DIS01(config)#access-list 102 permit ip 10.1.4.0 0.0.0.255 10.1.4.0 0.0.0.255
DIS01(config)#access-list 102 permit ip any host 1.1.1.1
DIS01(config)#access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
DIS01(config)#access-list 101 permit ip any host 1.1.1.1
DIS01(config)#access-list 102 permit ip 10.1.4.0 0.0.0.255 10.1.2.0 0.0.0.255
DIS01(config)#access-list 102 permit ip 10.1.4.0 0.0.0.255 10.1.4.0 0.0.0.255
DIS01(config)#access-list 102 permit ip any host 1.1.1.1
DIS01(config-if)#ip add 1.1.1.1 255.255.255.0
应用ACL
DIS01(config)#int vlan 3
DIS01(config-if)#ip access-group 101 in
DIS01(config)#int vlan 4
DIS01(config-if)#ip access-group 102 in
DIS01(config-if)#end
DIS01(config-if)#ip access-group 101 in
DIS01(config)#int vlan 4
DIS01(config-if)#ip access-group 102 in
DIS01(config-if)#end
通过PC测试可以发现vlan3,vlan4的PC ping 10.1.2.51,10.1.254,可以ping通.但是不能互ping,或者ping对方网关,显示结果为目标地址不可达.任意可ping 1.1.1.1.
目标完成.
本来还想测试VACL的,正好交换机重启了,本来是一台拆下来送修的,启动一半还报错,说IOS压缩不正确,断电重启又好了.算了看看别人写的vACL好了
Switch(config)# access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Switch(config)# access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
(不同之处:因为VACL对数据流没有inbound和outbound之分,所以要把允许通过某vlan的IP数据流都permit才行。VLAN10允许与VLAN30通讯,而数据流又是双向的,所以要在ACL中增加VLAN30的网段)
Switch(config)# access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
(不同之处:因为VACL对数据流没有inbound和outbound之分,所以要把允许通过某vlan的IP数据流都permit才行。VLAN10允许与VLAN30通讯,而数据流又是双向的,所以要在ACL中增加VLAN30的网段)
Switch(config)# vlan access-map test1 //定义一个vlan access map,取名为test1
Switch(config-vlan-access)# match ip address 101 // 设置匹配规则为acl 101
Switch(config-vlan-access)# action forward // 匹配后,设置数据流转发(forward)
Switch(config)# vlan access-map test2 //定义一个vlan access map,取名为test2
Switch(config-vlan-access)# match ip address 102 // 设置匹配规则为acl 102
Switch(config-vlan-access)# action forward // 匹配后,设置数据流转发(forward)
Switch(config-vlan-access)# match ip address 101 // 设置匹配规则为acl 101
Switch(config-vlan-access)# action forward // 匹配后,设置数据流转发(forward)
Switch(config)# vlan access-map test2 //定义一个vlan access map,取名为test2
Switch(config-vlan-access)# match ip address 102 // 设置匹配规则为acl 102
Switch(config-vlan-access)# action forward // 匹配后,设置数据流转发(forward)
Switch(config)# vlan filter test1 vlan-list 10 //将上面配置的test1应用到vlan10中
Switch(config)# vlan filter test2 vlan-list 20 //将上面配置的test1应用到vlan20中
Switch(config)# vlan filter test2 vlan-list 20 //将上面配置的test1应用到vlan20中
比ACL要多一步,而且命令了没太一样.
转载于:https://blog.51cto.com/basil/186872
1733
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
