vlan间访问控制的三种方法
2024-05-10 21:42:13
描述:
VAN10,VLAN20,VLAN30
要求 VLAN20,30都能访问VLAN10,但20,30之间不能相互访问.
要求 VLAN20,30都能访问VLAN10,但20,30之间不能相互访问.
1.用策略路由控制,让去往VLAN10的被路由到正确接口,其他的都被送到丢弃口
access-list 100 permit ip any 192.168.10.0 0.0.0.255
access-list 100 permit ip any 192.168.10.0 0.0.0.255
route-map tovlan1 permit 10
match address 100
set default interface f 0/0.10
route-map tovlan1 permit 20
set default interface null0
match address 100
set default interface f 0/0.10
route-map tovlan1 permit 20
set default interface null0
interface f0/0.20
ip policy route-map tovlan1
interface f0/0.30
ip policy route-map tovlan1
上面配置由于存在显式路由(直连的) 用缺省借口的方法不行
(PBR中:
set ip next-hop 不检查是否存在显式路由,只检查下一跳是否可达
set interface 检查是否存在显式路由,必须存在才能正常
set ip default next-hp 检查是否存在显式路由,必须不存在才正常
set default interface 检查是否存在显式路由,必须不存在才正常
)
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
改成:
route-map govlan1 permit 10
match address 100
set interface f 0/0.10
route-map govlan1 permit 20
set interface null0
后正常
*Mar 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
ip policy route-map tovlan1
interface f0/0.30
ip policy route-map tovlan1
上面配置由于存在显式路由(直连的) 用缺省借口的方法不行
(PBR中:
set ip next-hop 不检查是否存在显式路由,只检查下一跳是否可达
set interface 检查是否存在显式路由,必须存在才能正常
set ip default next-hp 检查是否存在显式路由,必须不存在才正常
set default interface 检查是否存在显式路由,必须不存在才正常
)
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected(explicit route) - normal forwarding
改成:
route-map govlan1 permit 10
match address 100
set interface f 0/0.10
route-map govlan1 permit 20
set interface null0
后正常
*Mar 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
R1#
*Mar 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed(drop)
2.用访问列表控制:
R1#sh run
Building configuration...
Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group 120 in
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip access-group 130 in
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.254 255.255.255.0
ip access-group 120 in
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.254 255.255.255.0
ip access-group 130 in
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
end
3.使用Pvlan
待续
4.三层交换机上,用VLAN间ACL
access-list 120 permit ip any 192.168.30.0 0.0.0.255
access-list 130 permit ip any 192.168.20.0 0.0.0.255
vlan access-map deny20-30 100
match ip add 120
action drop
exit
vlan filter deny20-30 vlan-list 20
vlan access-map deny30-20 101
match ip add 130
action drop
exit
vlan filter deny30-20 vlan-list 30
上面配置由于没有设备无法验证.
转载于:https://blog.51cto.com/charliem/131613
vlan间访问控制的三种方法相关推荐
- 线程间通信的三种方法 (转)
http://www.cnblogs.com/puxidun/archive/2009/12/06/1618142.html 线程间通信的三种方法 多线程通信的方法主要有以下三种: 1.全局变量 进 ...
- VLAN 间路由的几种方法
方法一:给每个VLAN去分配一个路由器的物理连接 第一步,PC设置IP地址和网关 192.168.2.2/24 网关是192.168.2.1 192.168.3.2/24 网关是192.168.3.1 ...
- 如何安全的在不同工程间安全地迁移asset数据?三种方法
如何安全的在不同工程间安全地迁移asset数据?三种方法 答: 1.将Assets和Library一起迁移 2.导出包package 3.用unity自带的assets Server功能 posted ...
- 实现计算机间远程桌面访问的三种方法
下面,我将结合自身实际工作经验,分享三种windows远程桌面访问的方法,解决实际工作场景遇到的远程访问问题.这三种方法分别解决了如下场景下的远程访问: 1. 跨局域网的windows远程桌面访问 2 ...
- 解决服务间调用的三种传统方式
第一种方法:使用HttpRequest第三方工具 第一步:pom依赖 <dependency><groupId>com.github.kevinsawicki</grou ...
- asp.net服务器端跳转页面的三种方法
asp.net服务器端跳转页面的三种方法 1.Response.Redirect这个跳转页面的方法跳转速度不快,因为它要走2次回发(postback). 它可以跳转到任何页面,没有站点页面限制(可以由 ...
- 三维坐标系带偏航角俯仰角_浅谈三维旋转的三种方法及差异
概述 在3D图形学中,几何变换大致分为三种:平移变换(Translation).缩放变换(Scaling).旋转变换(Rotation),而其中又以旋转变换(Rotation)最为复杂,通常旋转变换( ...
- python中none算变量吗_在python中对变量判断是否为None的三种方法总结
三种主要的写法有: 第一种:if X is None; 第二种:if not X: 当X为None, False, 空字符串"", 0, 空列表[], 空字典{}, 空元组()这 ...
- Altium Designer画元器件封装三种方法
下面跟大家分享Altium Designer画元器件封装的三种方法. 如有错误,望大家指正. 一.手工画法. (1)新建个PCB库. 下面以STM8L151C8T6为例画封装,这是它的封装信息 设置好 ...
最新文章
- 一、JVM及Java体系结构
- 极具潜力的新兴职业!
- plsql如何执行存储过程_如何理解Spark应用的执行过程
- packetbeat mysql_简单使用packetbeat
- 两个子集pom互相调用_声明式服务调用组件Feign
- 中国石油计算机文化基础答案,中国石油大学17年秋《计算机文化基础》第二次在线作业答案...
- js datagrid新增一行_Django接口新增页面编写_2(十五)
- VSS 数据库地址批量更改器 - VSS Database Changer
- 基于JAVA+SpringMVC+Mybatis+MYSQL的心理咨询预约系统
- php留言系统源码,XYCMS php留言板 v8.0
- 部编版是什么版本_部编版教材和人教版教材有什么区别
- C#50个经典小程序代码
- bmp图片转换成16进制数据
- 数字IC/FPGA设计面试与工作_sky
- PHP赛事贝格尔编排法--单循环
- css 中的zoom,对CSS中zoom属性的总结
- 网络安全立法探讨(Cyber Security Laws discussion):立法是否应该更严格?
- 上转换纳米颗粒无机复合材料中近红外调控研究应用
- 连接VPN访问内网时保证外网不受影响的网络设置
- Stop c000021a {Fatal System Error} The Session Manager Initialization System Process...