Take the following scenario:
Vlan 1: 10.99.11.0/255.255.255.0
Vlan 99: 10.99.99.0/255.255.255.0
The requirement is that users in VLAN 99 must not be able to reach one particular IP in VLAN 1:
I had previously tried all of the following configuration:
=========================================
ip access-list extended Deny-Wireless-Guest
 5 permit tcp any any eq domain
 10 permit udp any any eq domain
 15 deny ip 10.99.99.0 0.0.0.255 10.99.10.0 0.0.0.255
 18 deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255
 20 permit ip any any

ip access-list extended Deny-Wireless-Guest
 no deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255
 18 deny ip 10.99.99.0 0.0.0.255 host 10.99.11.11
 20 permit ip any any

The following configuration had no effect, because the ACL must not be applied on the VLAN that is being protected:

interface vlan 10
 no ip access-group Deny-Wireless-Guest in
interface vlan 11
 no ip access-group Deny-Wireless-Guest in

ip access-list extended Deny-Wireless-Guest
 18 deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255

interface vlan 11
 ip access-group Deny-Wireless-Guest in

sw01:
interface range gi 0/25 - 28
 ip access-group Deny-Wireless-Guest in

sw02:
interface range gi 0/25 - 28
 no ip access-group Deny-Wireless-Guest in

What actually works is:

interface vlan 99
 ip access-group Deny-Wireless-Guest in

In other words, the access list has to be applied on the source VLAN's interface; this is not quite the same as applying an ACL on a router.
If you want to place it at the destination end instead (VLAN 10 in this case), the source and destination in the entries have to be written the other way round, because the inbound direction on the physical interfaces is the outbound direction of VLAN 10.
Summary:
On a switch, an access list is best applied on the source VLAN.
interface vlan 99
 ip access-group Deny-Wireless-Guest in
VLAN 99 is the source, so packets from it toward VLAN 10 are simply denied there, and that is all that is needed.
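To check what the final Deny-Wireless-Guest list does to concrete traffic arriving inbound on interface vlan 99, here is an added Python evaluator that reproduces IOS first-match ordering, wildcard-mask matching and the implicit deny at the end (example code, not part of the original post). The ACL entries are the final form from above; the flows, the guest host 10.99.99.20 and the use of port 53 for the "domain" keyword are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Entry:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dport: int = 0  # destination port for "eq <port>"; 0 = no port qualifier

def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard match: mask bits set to 1 are 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wild = spec.split()
    net_i, wild_i, addr_i = (int(ipaddress.ip_address(x)) for x in (net, wild, addr))
    care = ~wild_i & 0xFFFFFFFF
    return (net_i & care) == (addr_i & care)

# Final form of Deny-Wireless-Guest from the post ("domain" = port 53, assumed).
DENY_WIRELESS_GUEST = [
    Entry(5,  "permit", "tcp", "any", "any", 53),
    Entry(10, "permit", "udp", "any", "any", 53),
    Entry(15, "deny",   "ip",  "10.99.99.0 0.0.0.255", "10.99.10.0 0.0.0.255"),
    Entry(18, "deny",   "ip",  "10.99.99.0 0.0.0.255", "host 10.99.11.11"),
    Entry(20, "permit", "ip",  "any", "any"),
]

def evaluate(acl, proto, src, dst, dport):
    """First matching entry in sequence order; no match = implicit deny ip any any."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport and e.dport != dport:
            continue
        if match_addr(e.src, src) and match_addr(e.dst, dst):
            return e.action, e.seq
    return "deny", None

if __name__ == "__main__":
    # Constructed flows, as seen inbound on interface vlan 99 (guest VLAN is the source).
    for flow in [("udp", "10.99.99.20", "10.99.11.11", 53),
                 ("tcp", "10.99.99.20", "10.99.11.11", 80),
                 ("tcp", "10.99.99.20", "10.99.11.12", 80),
                 ("tcp", "10.99.99.20", "10.99.10.7", 22)]:
        print(flow, "->", evaluate(DENY_WIRELESS_GUEST, *flow))
```

DNS to the protected host still passes on entry 10, other traffic to 10.99.11.11 stops at entry 18, and the rest of VLAN 1 remains reachable via entry 20.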
This article is reposted from zhangfang526's blog on 51CTO; original link: http://blog.51cto.com/zhangfang526/1839890
Repost source: http://uopja.baihongyu.com/