比如说先的场景:
Vlan 1: 10.99.11.0/255.255.255.0
Vlan 99: 10.99.99.0/255.255.255.0
需求是 让 vlan 99的用户不能访问 vlan1中的某一个IP :
以前用了下面所有的代码:
=========================================
ip access-list extended Deny-Wireless-Guest
5 permit tcp any any eq domain
10 permit udp any any eq domain
15 deny ip 10.99.99.0 0.0.0.255 10.99.10.0 0.0.0.255
18 deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255
20 permit IP any any
ip access-list extended Deny-Wireless-Guest
no deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255
18 deny ip 10.99.99.0 0.0.0.255 host 10.99.11.11
20 permit IP any any
下面代码无效的,因为不用应用到要被禁止的vlan上:
interface vlan 10
no ip access-group Deny-Wireless-Guest in
interface vlan 11
no ip access-group Deny-Wireless-Guest in
ip access-list extended Deny-Wireless-Guest
18 deny ip 10.99.99.0 0.0.0.255 10.99.11.0 0.0.0.255
interface vlan 11
ip access-group Deny-Wireless-Guest in
sw01:
interface range gi 0/25 - 28
ip access-group Deny-Wireless-Guest in
sw02:
interface range gi 0/25 - 28
no ip access-group Deny-Wireless-Guest in
其实真正的是:
interface vlan 99
ip access-group Deny-Wireless-Guest in
也就是说要在源的那个vlan上设置访问控制列表,这个和router上设置不太一样的
如果要放置到目的端的话本case中的vlan10中的话,要源和目的是反过来写的;因为物理接口上的进方向也就是vlan10的出方向。
最终总结:
交换机的访问控制列表最好是放置在源的vlan上。
interface vlan 99
ip access-group Deny-Wireless-Guest in
vlan 99就是源的数据包被deny掉到vlan10的就可以了
本文转自 zhangfang526 51CTO博客,原文链接:http://blog.51cto.com/zhangfang526/1839890
