L3 Switch Vlan ACL
| Computer name | IP/mask | Gateway | VLAN | Port |
|---|---|---|---|---|
| PC0 | 10.10.1.10/24 | 10.10.1.1 | 10 | Switch0 Fa0/1 |
| PC1 | 10.10.1.20/24 | 10.10.1.1 | 10 | Switch0 Fa0/2 |
| PC3 | 10.10.2.10/24 | 10.10.2.1 | 20 | Switch1 Fa0/1 |
| PC4 | 10.10.2.20/24 | 10.10.2.1 | 20 | Switch1 Fa0/2 |
| PC5 | 10.10.3.10/24 | 10.10.3.1 | 30 | Switch2 Fa0/1 |
| PC6 | 10.10.3.20/24 | 10.10.3.1 | 30 | Switch2 Fa0/2 |
| Server0 | 10.10.3.254/24 | 10.10.3.1 | 30 | Switch2 Fa0/4 |
| PC6 | 10.10.4.10/24 | 10.10.4.1 | 40 | Switch3 Fa0/2 |
Switch 0:

```
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode trunk
```

Switch 1:

```
interface FastEthernet0/1
 switchport access vlan 20
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode trunk
```

Switch 3:

```
interface FastEthernet0/1
 switchport access vlan 30
!
interface FastEthernet0/2
 switchport access vlan 30
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 30
```

Switch 4:

```
interface FastEthernet0/2
 switchport access vlan 40
!
interface FastEthernet0/1
 switchport mode trunk
```

L3 Switch0:

```
ip routing
! enable routing on the L3 switch
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan20
 mac-address 00e0.b000.dc02
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan30
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan40
 ip address 10.10.4.1 255.255.255.0
```
Once the configuration above is complete, the PCs can ping each other.

Next, ACLs are used to restrict which PCs can reach each other, using the following conditions as an example:
- PC0, 1, 2, 3 and 6 can connect to PC4
- PC1 and 6 can connect to Server0
- PC2, 3 and 6 can connect to PC5
- PC6 can connect to every computer
L3 Switch0:

```
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
 ip access-group 101 in
 ! traffic entering from VLAN 10 is filtered by access-list 101
!
interface Vlan20
 ip address 10.10.2.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan30
 ip address 10.10.3.1 255.255.255.0
 ip access-group 103 in
!
interface Vlan40
 ip address 10.10.4.1 255.255.255.0
 ip access-group 104 in
!
```

Access-list entries are evaluated from top to bottom; as soon as an entry matches, the entries below it are not consulted.

```
access-list 101 permit ip 10.10.1.0 0.0.0.255 host 10.10.3.10
! access-list 101: allow VLAN 10 to send to PC4
access-list 101 permit ip host 10.10.1.20 host 10.10.3.254
! access-list 101: allow PC1 to send to Server0
! access-list 101: everything not explicitly allowed is blocked
access-list 102 deny ip 10.10.2.0 0.0.0.255 host 10.10.3.254
! access-list 102: block VLAN 20 from sending to Server0
access-list 102 permit ip 10.10.2.0 0.0.0.255 10.10.3.0 0.0.0.255
! access-list 102: allow VLAN 20 to send to VLAN 30
! access-list 102: everything not explicitly allowed is blocked
access-list 102 permit tcp any any established
! access-list 102: allow return traffic
access-list 102 permit icmp any any echo-reply
! access-list 102: allow echo replies to return
access-list 104 permit ip 10.10.4.0 0.0.0.255 any
! access-list 104: allow VLAN 40 to send anywhere
access-list 104 permit icmp any any echo-reply
! access-list 104: allow echo replies to return
access-list 104 deny ip any 10.10.4.0 0.0.0.255
! access-list 104: block any source from sending to VLAN 40
! access-list 104: everything not explicitly allowed is blocked
access-list 103 permit ip host 10.10.3.254 host 10.10.1.20
! access-list 103: allow Server0 to send to PC1
access-list 103 permit tcp any any established
! access-list 103: allow return traffic
access-list 103 permit icmp any any echo-reply
! access-list 103: allow echo replies to return
access-list 103 deny ip any any
! access-list 103: block all other IP traffic
```
Note:
- `access-list [number] permit icmp any any echo-reply` allows ICMP echo-reply messages to return
- `access-list [number] permit tcp any any established` allows return traffic belonging to already established TCP connections
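As an added check that is not part of the original lab, the following Python models the four ACLs above with IOS first-match semantics and the implicit deny, then traces a ping through both the source VLAN's inbound ACL and the destination VLAN's inbound ACL on the return path. It assumes, from the table, that VLAN 10N uses subnet 10.10.N.0/24 and inbound ACL 10N.

```python
import ipaddress

# Constructed model of the page's four ACLs (wildcard masks written as CIDR).
# Entry = (action, protocol, source, destination, qualifier); evaluate() adds
# the implicit "deny ip any any" that IOS appends to every ACL.
ANY = "0.0.0.0/0"
ACLS = {
    101: [("permit", "ip", "10.10.1.0/24", "10.10.3.10/32", None),
          ("permit", "ip", "10.10.1.20/32", "10.10.3.254/32", None)],
    102: [("deny", "ip", "10.10.2.0/24", "10.10.3.254/32", None),
          ("permit", "ip", "10.10.2.0/24", "10.10.3.0/24", None),
          ("permit", "tcp", ANY, ANY, "established"),
          ("permit", "icmp", ANY, ANY, "echo-reply")],
    103: [("permit", "ip", "10.10.3.254/32", "10.10.1.20/32", None),
          ("permit", "tcp", ANY, ANY, "established"),
          ("permit", "icmp", ANY, ANY, "echo-reply"),
          ("deny", "ip", ANY, ANY, None)],
    104: [("permit", "ip", "10.10.4.0/24", ANY, None),
          ("permit", "icmp", ANY, ANY, "echo-reply"),
          ("deny", "ip", ANY, "10.10.4.0/24", None)],
}

def entry_matches(entry, pkt):
    """Protocol ("ip" = any), both addresses and the qualifier must all match."""
    _, proto, src, dst, qual = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)):
        return False
    # "established" = TCP with ACK or RST set; "echo-reply" = ICMP type 0.
    return qual is None or qual == pkt.get("qual")

def evaluate(acl_number, pkt):
    """First match wins, top to bottom; no match falls to the implicit deny."""
    for index, entry in enumerate(ACLS[acl_number]):
        if entry_matches(entry, pkt):
            return entry[0], index
    return "deny", None

def inbound_acl(ip):
    """Assumed from the table: VLAN 10N is subnet 10.10.N.0/24 with inbound ACL 10N."""
    return 100 + int(ip.split(".")[2])

def ping_allowed(src, dst):
    """Echo must pass the source VLAN's ACL, echo-reply the destination VLAN's ACL."""
    echo = {"proto": "icmp", "src": src, "dst": dst, "qual": "echo"}
    reply = {"proto": "icmp", "src": dst, "dst": src, "qual": "echo-reply"}
    return (evaluate(inbound_acl(src), echo)[0] == "permit"
            and evaluate(inbound_acl(dst), reply)[0] == "permit")
```

Run on the page's addresses, this confirms that the `deny` on line 1 of ACL 102 wins over the broader `permit` below it for VLAN 20 to Server0. It also shows that, as written, ACL 101 has no echo-reply or established entry, so a ping from the VLAN 40 host to a VLAN 10 host leaves via ACL 104 but its reply is dropped by ACL 101.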