Notes from configuring an ACL on a switch. The requirement: restrict one VLAN from reaching the other VLANs, while letting that restricted VLAN reach only a specified IP inside the other VLANs. This is something I rarely configure, and every time I do I end up digging through documentation, which is a nuisance for what is really just a handful of commands. Enough preamble, straight to the point.
Create the ACL and add rules

Switch>enable
Switch#configure terminal
Switch(config)#ip access-list extended deny55   ! create an extended ACL named deny55
Switch(config-ext-nacl)#1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35   ! permit the 10.30.55.0 subnet to reach host 10.30.51.35
Switch(config-ext-nacl)#10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255   ! deny the 10.30.55.0 subnet from reaching the 10.30.51.0 subnet
Switch(config-ext-nacl)#20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255   ! deny the 10.30.55.0 subnet from reaching the 10.30.52.0 subnet
Switch(config-ext-nacl)#100 permit ip any any   ! everything else is permitted by default
Switch(config-ext-nacl)#show this   ! review the rules in deny55; pay attention to the sequence numbers
Building configuration...
!
 1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.19
 10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255
 20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255
 100 permit ip any any
!
end
Switch(config-ext-nacl)#exit

Rules are evaluated in sequence-number order and the first match wins, so the permit for the single host (sequence 1) must carry a lower number than the deny for that host's subnet (sequence 10); with the order reversed, the deny would match first and the host would be unreachable as well.

Apply the ACL to the target VLAN (it can also be applied to a device interface)

Switch>enable
Switch#configure terminal
Switch(config)#interface vlan 15   ! enter the VLAN 15 interface
Switch(config-if-VLAN 15)#ip access-group deny55 in   ! apply deny55 inbound on VLAN 15
Switch(config-if-VLAN 15)#show this
Building configuration...
!
 ip access-group deny55 in
 ip address 10.30.55.254 255.255.255.0
!
end
Switch(config-if-VLAN 15)#end

Check that the ACL rules are correct, then save

Switch#show access-lists   ! list the rules that have been added to the ACL
ip access-list extended deny55
 1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35
 10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255
 20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255
 30 deny ip 10.30.55.0 0.0.0.255 10.30.53.0 0.0.0.255
 40 deny ip 10.30.55.0 0.0.0.255 10.30.54.0 0.0.0.255
 50 deny ip 10.30.55.0 0.0.0.255 10.30.56.0 0.0.0.255
 60 deny ip 10.30.55.0 0.0.0.255 10.30.58.0 0.0.0.255
 70 permit ip any any (2 packets filtered)
Switch#write   ! save the running configuration

Because the ACL is applied inbound on interface VLAN 15, it only filters traffic that enters the switch from the 10.30.55.0 subnet; it is stateless and does not stop hosts in the other VLANs from initiating connections into 10.30.55.0/24. The packet counter shown next to a rule is a quick way to confirm that traffic is actually hitting the ACL.

That's all for this one.
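As an added illustration (not part of the original post and not the switch's own code), the following Python model reproduces how the switch evaluates deny55: wildcard masks, sequence-ordered first match, and the implicit deny at the end of the list. It also renumbers the host permit to show what happens when it lands after the subnet deny. The rule strings are taken from the post; the function names are this example's own.

```python
import ipaddress

# Constructed sample: the deny55 rules as the switch prints them.
DENY55 = [
    "1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35",
    "10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255",
    "20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255",
    "100 permit ip any any",
]

def parse_rule(line):
    """Parse one 'SEQ ACTION ip SRC DST' line, where SRC/DST are
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tokens = line.split()
    seq, action, rest = int(tokens[0]), tokens[1], tokens[3:]
    def take():
        if rest[0] == "any":
            rest.pop(0)
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            rest.pop(0)
            return rest.pop(0), "0.0.0.0"
        return rest.pop(0), rest.pop(0)
    return seq, action, take(), take()

def wildcard_match(addr, net, wildcard):
    """IOS-style wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care

def evaluate(rules, src, dst):
    """Walk the rules in sequence order; the first match wins, and no
    match means the implicit deny that ends every ACL."""
    for seq, action, (snet, swc), (dnet, dwc) in sorted(map(parse_rule, rules)):
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action, seq
    return "deny", None

def resequence(rules, old_seq, new_seq):
    """Return a copy with one rule renumbered, to test ordering mistakes."""
    out = []
    for line in rules:
        seq, body = line.split(" ", 1)
        out.append(f"{new_seq if int(seq) == old_seq else seq} {body}")
    return out
```

Moving the host permit from sequence 1 to sequence 30 makes the same packet hit the subnet deny at sequence 10, which is exactly the misordering the post warns about.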