Network Management: Inter-VLAN Access Control (Part 1)
VLAN10, VLAN20, VLAN30
Requirement: VLAN20 and VLAN30 must both be able to reach VLAN10, but VLAN20 and VLAN30 must not be able to reach each other.
1. Control it with policy-based routing: traffic going to VLAN10 is routed to the correct interface, and everything else is sent to the discard interface.
access-list 100 permit ip any 192.168.10.0 0.0.0.255
route-map tovlan1 permit 10
 match ip address 100
 set default interface f0/0.10
route-map tovlan1 permit 20
 set default interface null0
interface f0/0.20
 ip policy route-map tovlan1
interface f0/0.30
 ip policy route-map tovlan1

The configuration above does not work: an explicit (connected) route to the destination already exists, so the "default interface" method cannot be used. (In PBR: set ip next-hop does not check whether an explicit route exists, it only checks that the next hop is reachable; set interface checks whether an explicit route exists and only works when one does; set ip default next-hop checks whether an explicit route exists and only works when none does; set default interface checks whether an explicit route exists and only works when none does.) The debug output shows the policy matching and then being rejected:

*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding

Changed to:

route-map govlan1 permit 10
 match ip address 100
 set interface f0/0.10
route-map govlan1 permit 20
 set interface null0

after which it works. Traffic from VLAN20 to VLAN10 is now policy-routed out f0/0.10:

*Mar 1 02:35:31.059: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.063: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1 (FastEthe0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1 (FastEthe0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1 (FastEthe0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1 (FastEthe0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.10.1 (FastEthe0/0.10), len 100, FIB policy routed

and traffic from VLAN20 to VLAN30 is policy-routed to Null0 and dropped:

*Mar 1 02:35:35.135: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:35.139: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
*Mar 1 02:35:37.171: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:37.175: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
*Mar 1 02:35:39.183: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:39.187: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
*Mar 1 02:35:41.179: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:41.183: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
*Mar 1 02:35:43.187: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:43.191: IP: s=192.168.20.1 (FastEthe0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
2. Control it with access lists. Each sub-interface gets an inbound ACL that denies the one peer VLAN and permits everything else:

R1#sh run
Building configuration...

Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface FastEthe0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthe0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
!
interface FastEthe0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip access-group 120 in
!
interface FastEthe0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip access-group 130 in
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
!
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
end

3. Use private VLANs (PVLAN): to be continued.

4. On a Layer 3 switch, use a VLAN ACL (VACL). The ACLs select the traffic to drop, the access maps drop it, and the VLAN filter applies each map to its VLAN:

access-list 120 permit ip any 192.168.30.0 0.0.0.255
access-list 130 permit ip any 192.168.20.0 0.0.0.255
vlan access-map deny20-30 100
 match ip address 120
 action drop
 exit
vlan access-map deny20-30 200
 action forward
 exit
vlan filter deny20-30 vlan-list 20
vlan access-map deny30-20 101
 match ip address 130
 action drop
 exit
vlan access-map deny30-20 201
 action forward
 exit
vlan filter deny30-20 vlan-list 30

A VACL ends with an implicit drop, so each access map needs a trailing sequence with action forward (sequences 200 and 201 above, added here to the original map); without it, all traffic in VLAN 20 and VLAN 30 would be dropped, not just the cross-VLAN traffic. The configuration above could not be verified because no device was available.
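As an added example (not part of the original post), the following Python evaluator takes the option-2 ACL lines from the R1 configuration above, applies them with IOS first-match and implicit-deny semantics to constructed sample hosts (.1 in each VLAN), and returns the resulting reachability matrix, so the requirement "VLAN20 and VLAN30 reach VLAN10 but not each other" can be checked mechanically before the ACLs are pushed to a device. The per-VLAN inbound ACL mapping is an assumption that mirrors the ip access-group lines on the three sub-interfaces.

```python
import ipaddress

# ACL lines copied from the R1 running config in option 2 above.
ACL_CONFIG = """
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
"""
# Inbound ACL per VLAN, mirroring "ip access-group 120 in" on Fa0/0.20 and
# "ip access-group 130 in" on Fa0/0.30; the VLAN 10 sub-interface has none.
INBOUND_ACL = {10: None, 20: 120, 30: 130}

def _match(addr, spec, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(spec))
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (base & care)

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC [WC] DST [WC]' lines, in order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        num, action, fields, i = int(tok[1]), tok[2], [], 4  # tok[3] is "ip"
        for _ in range(2):  # source spec, then destination spec
            n = 1 if tok[i] == "any" else 2  # "any" is one token, addr+wildcard two
            fields += (tok[i:i + n] + [None])[:2]
            i += n
        acls.setdefault(num, []).append(tuple([action] + fields))
    return acls

def permitted(acls, acl_num, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    if acl_num is None:  # no ACL applied on this ingress interface
        return True
    for action, s, s_wc, d, d_wc in acls[acl_num]:
        if _match(src, s, s_wc) and _match(dst, d, d_wc):
            return action == "permit"
    return False

def reachability(acls):
    """{(src_vlan, dst_vlan): allowed} for constructed hosts .1 in each VLAN."""
    hosts = {v: f"192.168.{v}.1" for v in (10, 20, 30)}
    return {(sv, dv): permitted(acls, INBOUND_ACL[sv], src, dst)
            for sv, src in hosts.items() for dv, dst in hosts.items() if sv != dv}
```

Running reachability(parse_acls(ACL_CONFIG)) should show only the (20, 30) and (30, 20) pairs as False; any other False entry means the ACL blocks more than the requirement asks for.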