vlan间访问控制的三种方法
生活随笔
收集整理的這篇文章主要介紹了
vlan间访问控制的三种方法
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
描述: VAN10,VLAN20,VLAN30
要求 VLAN20,30都能訪問VLAN10,但20,30之間不能相互訪問. 1.用策略路由控制,讓去往VLAN10的被路由到正確接口,其他的都被送到丟棄口
access-list 100 permit ip any 192.168.10.0 0.0.0.255 route-map tovlan1 permit 10
match address 100
set default interface f 0/0.10
route-map tovlan1 permit 20
set default interface null0 interface f0/0.20
ip policy route-map tovlan1
interface f0/0.30
ip policy route-map tovlan1
上面配置由于存在顯式路由(直連的) 用缺省借口的方法不行
(PBR中:
set ip next-hop 不檢查是否存在顯式路由,只檢查下一跳是否可達
set interface 檢查是否存在顯式路由,必須存在才能正常
set ip default next-hp 檢查是否存在顯式路由,必須不存在才正常
set default interface 檢查是否存在顯式路由,必須不存在才正常
)
*Mar? 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
改成:
route-map govlan1 permit 10
match address 100
set interface f 0/0.10
route-map govlan1 permit 20
set interface null0
后正常
*Mar? 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar? 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar? 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
2.用訪問列表控制:
R1#sh run
Building configuration... Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!????????
!????????
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
?no ip address
?speed 100
?full-duplex
!
interface FastEthernet0/0.10
?encapsulation dot1Q 10
?ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
?encapsulation dot1Q 20
?ip address 192.168.20.254 255.255.255.0
?ip access-group 120 in
!
interface FastEthernet0/0.30
?encapsulation dot1Q 30
?ip address 192.168.30.254 255.255.255.0
?ip access-group 130 in
!
interface Serial1/0
?no ip address
?shutdown
?serial restart-delay 0
!
interface Serial1/1
?no ip address
?shutdown
?serial restart-delay 0
!
interface Serial1/2
?no ip address
?shutdown
?serial restart-delay 0
!????????
interface Serial1/3
?no ip address
?shutdown
?serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny?? ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny?? ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!????????
!
!
!
line con 0
?logging synchronous
line aux 0
line vty 0 4
!
!
end 3.使用Pvlan 待續 4.三層交換機上,用VLAN間ACL access-list 120 permit ip any 192.168.30.0 0.0.0.255 access-list 130 permit ip any 192.168.20.0 0.0.0.255 vlan access-map deny20-30 100 match ip add 120 action drop exit vlan filter deny20-30 vlan-list 20 vlan access-map deny30-20 101 match ip add 130 action drop exit vlan filter deny30-20 vlan-list 30 上面配置由于沒有設備無法驗證.
要求 VLAN20,30都能訪問VLAN10,但20,30之間不能相互訪問. 1.用策略路由控制,讓去往VLAN10的被路由到正確接口,其他的都被送到丟棄口
access-list 100 permit ip any 192.168.10.0 0.0.0.255 route-map tovlan1 permit 10
match address 100
set default interface f 0/0.10
route-map tovlan1 permit 20
set default interface null0 interface f0/0.20
ip policy route-map tovlan1
interface f0/0.30
ip policy route-map tovlan1
上面配置由于存在顯式路由(直連的) 用缺省借口的方法不行
(PBR中:
set ip next-hop 不檢查是否存在顯式路由,只檢查下一跳是否可達
set interface 檢查是否存在顯式路由,必須存在才能正常
set ip default next-hp 檢查是否存在顯式路由,必須不存在才正常
set default interface 檢查是否存在顯式路由,必須不存在才正常
)
*Mar? 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar? 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
改成:
route-map govlan1 permit 10
match address 100
set interface f 0/0.10
route-map govlan1 permit 20
set interface null0
后正常
*Mar? 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar? 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar? 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar? 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar? 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar? 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar? 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
2.用訪問列表控制:
R1#sh run
Building configuration... Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!????????
!????????
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
?no ip address
?speed 100
?full-duplex
!
interface FastEthernet0/0.10
?encapsulation dot1Q 10
?ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
?encapsulation dot1Q 20
?ip address 192.168.20.254 255.255.255.0
?ip access-group 120 in
!
interface FastEthernet0/0.30
?encapsulation dot1Q 30
?ip address 192.168.30.254 255.255.255.0
?ip access-group 130 in
!
interface Serial1/0
?no ip address
?shutdown
?serial restart-delay 0
!
interface Serial1/1
?no ip address
?shutdown
?serial restart-delay 0
!
interface Serial1/2
?no ip address
?shutdown
?serial restart-delay 0
!????????
interface Serial1/3
?no ip address
?shutdown
?serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny?? ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny?? ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!????????
!
!
!
line con 0
?logging synchronous
line aux 0
line vty 0 4
!
!
end 3.使用Pvlan 待續 4.三層交換機上,用VLAN間ACL access-list 120 permit ip any 192.168.30.0 0.0.0.255 access-list 130 permit ip any 192.168.20.0 0.0.0.255 vlan access-map deny20-30 100 match ip add 120 action drop exit vlan filter deny20-30 vlan-list 20 vlan access-map deny30-20 101 match ip add 130 action drop exit vlan filter deny30-20 vlan-list 30 上面配置由于沒有設備無法驗證.
轉載于:https://blog.51cto.com/charliem/131613
總結
以上是生活随笔為你收集整理的vlan间访问控制的三种方法的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 三杯茶(一本令全世界为之动容的书)(Th
- 下一篇: 网络中心战