VAN10,VLAN20,VLAN30
要求 VLAN20,30都能访问VLAN10,但20,30之间不能相互访问.
1.用策略路由控制,让去往VLAN10的被路由到正确接口,其他的都被送到丢弃口
access-list 100 permit ip any 192.168.10.0 0.0.0.255
route-map tovlan1 permit 10
match address 100
set default interface f 0/0.10
route-map tovlan1 permit 20
set default interface null0
interface f0/0.20
ip policy route-map tovlan1
interface f0/0.30
ip policy route-map tovlan1
上面配置由于存在显式路由(直连的) 用缺省借口的方法不行
(PBR中:
set ip next-hop 不检查是否存在显式路由,只检查下一跳是否可达
set interface 检查是否存在显式路由,必须存在才能正常
set ip default next-hp 检查是否存在显式路由,必须不存在才正常
set default interface 检查是否存在显式路由,必须不存在才正常
)
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
改成:
route-map govlan1 permit 10
match address 100
set interface f 0/0.10
route-map govlan1 permit 20
set interface null0
后正常
*Mar 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
2.用访问列表控制:
R1#sh run
Building configuration...
Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group 120 in
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip access-group 130 in
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
3.使用Pvlan
待续
4.三层交换机上,用VLAN间ACL
access-list 120 permit ip any 192.168.30.0 0.0.0.255
access-list 130 permit ip any 192.168.20.0 0.0.0.255
vlan access-map deny20-30 100
match ip add 120
action drop
exit
vlan filter deny20-30 vlan-list 20
vlan access-map deny30-20 101
match ip add 130
action drop
exit
vlan filter deny30-20 vlan-list 30
 |
|熊猫同学技术论坛|小黑屋|
网络工程师论坛
( 沪ICP备09076391 )
发表于 2007-1-24 14:30:40
提升卡
置顶卡
变色卡
显身卡
楼主