A record of today's VACL lab.
I now have several C3560 switches on hand, so I finally have a chance to configure VACLs.
The topology is a single switch with three PCs attached:
pc1 192.168.1.1 ======== vlan 1 ip 192.168.1.100
pc2 192.168.2.1 ======== vlan 2 ip 192.168.2.100
pc3 192.168.3.1 ======== vlan 3 ip 192.168.3.100
First, some basic configuration:
- sw1:
- ip routing
- vlan 1
- vlan 2
- vlan 3
- interface vlan 1
- ip add 192.168.1.100 255.255.255.0
- exit
- interface vlan 2
- ip add 192.168.2.100 255.255.255.0
- no sh
- exit
- interface vlan 3
- ip address 192.168.3.100 255.255.255.0
- exit
- interface f0/1
- switchport mode access
- switchport access vlan 1
- spanning-tree portfast
- interface f0/2
- switchport mode access
- switchport access vlan 2
- spanning-tree portfast
- interface f0/3
- switchport mode access
- switchport access vlan 3
- spanning-tree portfast
With this, the PCs can ping each other.
Next, configure the VACL to stop PC1 from reaching PC3. Note that the ACL's permit entry only selects the traffic; it is the access-map's action drop that actually discards it:
- ip access-list extended deny-pc1-to-pc3
- permit ip host 192.168.1.1 host 192.168.3.1
- vlan access-map vlan-map 10
- match ip address deny-pc1-to-pc3
- action drop
- vlan access-map vlan-map 20
- action forward
- vlan filter vlan-map vlan-list 1,2,3
That's it. Sequence 20 with action forward is required: a vlan access-map ends with an implicit deny, so without it every other frame on VLANs 1, 2 and 3 would be dropped too.
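To make the evaluation order concrete, here is an added example (not part of the original post, and not Cisco code) that models how the access-map above is walked for a few constructed source/destination pairs, and what changes when the seq 20 forward clause is left out. The helper names and the ACE representation are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the VACL from this post: an extended ACL whose
# permit entries select traffic, and an access-map whose sequences map a
# match to an action. Hypothetical helper names; not Cisco code.

@dataclass
class AceEntry:
    action: str   # "permit" or "deny" inside the ACL
    src: str      # host or network in CIDR form, e.g. "192.168.1.1/32"
    dst: str

def acl_matches(acl, src, dst):
    """An ACL 'matches' for VACL purposes when a permit entry hits.
    An explicit deny, or falling off the end (implicit deny), is no match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
            return ace.action == "permit"
    return False

def vacl_action(access_map, src, dst):
    """Walk the access-map sequences in order. A clause with no match
    statement matches everything. If no clause matches, the implicit
    deny at the end of the map drops the frame."""
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"  # implicit deny-all at the end of every access-map

DENY_PC1_TO_PC3 = [AceEntry("permit", "192.168.1.1/32", "192.168.3.1/32")]

# The post's map: seq 10 drops what the ACL permits, seq 20 forwards the rest.
VLAN_MAP = [(10, DENY_PC1_TO_PC3, "drop"), (20, None, "forward")]
# The same map without the trailing forward clause (a common mistake).
VLAN_MAP_NO_FORWARD = [(10, DENY_PC1_TO_PC3, "drop")]

if __name__ == "__main__":
    # Constructed sample flows: pc1->pc3, pc3->pc1, pc1->pc2
    for s, d in [("192.168.1.1", "192.168.3.1"),
                 ("192.168.3.1", "192.168.1.1"),
                 ("192.168.1.1", "192.168.2.1")]:
        print(f"{s} -> {d}: {vacl_action(VLAN_MAP, s, d)}"
              f" | without seq 20: {vacl_action(VLAN_MAP_NO_FORWARD, s, d)}")
```

Only the pc1-to-pc3 direction is matched, so a ping from PC3 to PC1 still fails: the echo request is forwarded but the reply from PC1 to PC3 is dropped.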
Reposted from: https://blog.51cto.com/yeelone/509674