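I'm new to networking; today I'm writing up a little of what I've learned, for everyone to critique.
Topology diagram:
Lab objectives:
(1) Step 1: create four VLANs and assign the corresponding ports to each VLAN
(2) Step 2: make the four VLANs able to ping one another
(3) Step 3: prevent sales, tech and manage from communicating with one another, while still allowing each of them to communicate with server
Implementation:
Step 1: create the VLANs as follows: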
Switch#vlan data
Switch(vlan)#vlan 10 name sales
VLAN 10 added:
Name: sales
Switch(vlan)#vlan 20 name tech
VLAN 20 added:
Name: tech
Switch(vlan)#vlan 30 name manage
VLAN 30 added:
Name: manage
Switch(vlan)#vlan 40 name server
VLAN 40 added:
Name: server
Switch(vlan)#
Switch(config)#int range fa 0/0 - 3
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#int range fa 0/4 - 6
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#int range fa 0/7 - 8
Switch(config-if-range)#switchport access vlan 30
Switch(config-if-range)#exit
Switch(config)#int fa 0/9
Switch(config-if)#swit
Switch(config-if)#switchport acce
Switch(config-if)#switchport access vlan 40
Switch(config-if)#exit
Verify:
Switch#sh vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15
10 sales active Fa0/1, Fa0/2, Fa0/3
20 tech active Fa0/4, Fa0/5, Fa0/6
30 manage active Fa0/7, Fa0/8
40 server active Fa0/9
1002 fddi-default active
……
Step 2: make the machines in the four VLANs able to ping one another
Switch(config)#int fa 0/0
Switch(config-if)#switchport mode trunk
Router(config-if)#exit
Router(config)#int fa 0/0
Router(config-if)#no shut
Router(config-if)#no ip address
Router(config-if)#exit
Router(config)#int fa0/0.1
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip addre
Router(config-subif)#ip address 192.168.33.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.2
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.34.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.3
Router(config-subif)#encapsulation dot1Q 30
Router(config-subif)#ip address 192.168.35.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.4
Router(config-subif)#encapsulation dot1Q 40
Router(config-subif)#ip address 192.168.36.1 255.255.255.0
Router(config-subif)#
Verify
Router:
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.33.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.34.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 192.168.35.1 255.255.255.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 192.168.36.1 255.255.255.0
!
Test:
VPCS 1 >sh
NAME IP/CIDR GATEWAY LPORT RPORT
PC1 192.168.33.2/24 192.168.33.1 10001 21001
PC2 0.0.0.0/0 0.0.0.0 10002 21002
PC3 0.0.0.0/0 0.0.0.0 10003 21003
PC4 192.168.34.2/24 192.168.34.1 10004 21004
PC5 0.0.0.0/0 0.0.0.0 10005 21005
PC6 0.0.0.0/0 0.0.0.0 10006 21006
PC7 192.168.35.2/24 192.168.35.1 10007 21007
PC8 0.0.0.0/0 0.0.0.0 10008 21008
PC9 192.168.36.2/24 192.168.36.1 10009 21009
VPCS 1 >ping 192.168.34.2
192.168.34.2 icmp_seq=1 timeout
192.168.34.2 icmp_seq=2 time=45.000 ms
192.168.34.2 icmp_seq=3 time=47.000 ms
192.168.34.2 icmp_seq=4 time=43.000 ms
192.168.34.2 icmp_seq=5 time=8.000 ms
VPCS 1 >ping 192.168.35.2
192.168.35.2 icmp_seq=1 time=43.000 ms
192.168.35.2 icmp_seq=2 time=14.000 ms
192.168.35.2 icmp_seq=3 time=8.000 ms
192.168.35.2 icmp_seq=4 time=10.000 ms
192.168.35.2 icmp_seq=5 time=12.000 ms
VPCS 1 >ping 192.168.36.2
192.168.36.2 icmp_seq=1 timeout
192.168.36.2 icmp_seq=2 time=47.000 ms
192.168.36.2 icmp_seq=3 time=6.000 ms
192.168.36.2 icmp_seq=4 time=10.000 ms
192.168.36.2 icmp_seq=5 time=43.000 ms
OK, this step succeeded as well.
Step 3: implement the restrictions
Router(config)# access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255
Router(config)# access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255
Router(config)# access-list 111 permit ip any any
Router(config)#
Router(config)# access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255
Router(config)# access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255
Router(config)# access-list 112 permit ip any any
Router(config)#
Router(config)# access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255
Router(config)# access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255
Router(config)# access-list 113 permit ip any any
Router(config)#int fa 0/0.1
Router(config-subif)#ip access-group 111 in
Router(config-subif)#exit
Router(config)#int fa 0/0.2
Router(config-subif)#ip access-group 112 in
Router(config-subif)#exit
Router(config)#int fa 0/0.3
Router(config-subif)#ip acce
Router(config-subif)#ip access-group 113 in
Router(config-subif)#exit
Verify:
Router(config)#do sh ip access-list
Extended IP access list 111
10 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255
20 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255
30 permit ip any any
Extended IP access list 112
10 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255
20 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255
30 permit ip any any
Extended IP access list 113
10 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255
20 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255
30 permit ip any any
Router(config)#do sh run
……
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.33.1 255.255.255.0
ip access-group 111 in
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.34.1 255.255.255.0
ip access-group 112 in
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 192.168.35.1 255.255.255.0
ip access-group 113 in
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 192.168.36.1 255.255.255.0
!
……
Test:
VPCS 1 >ping 192.168.34.2
192.168.34.2 icmp_seq=1 timeout
192.168.34.2 icmp_seq=2 timeout
192.168.34.2 icmp_seq=3 timeout
192.168.34.2 icmp_seq=4 timeout
192.168.34.2 icmp_seq=5 timeout
VPCS 1 >ping 192.168.35.2
192.168.35.2 icmp_seq=1 timeout
192.168.35.2 icmp_seq=2 timeout
192.168.35.2 icmp_seq=3 timeout
192.168.35.2 icmp_seq=4 timeout
192.168.35.2 icmp_seq=5 timeout
VPCS 1 >ping 192.168.36.2
192.168.36.2 icmp_seq=1 time=14.000 ms
192.168.36.2 icmp_seq=2 time=39.000 ms
192.168.36.2 icmp_seq=3 time=10.000 ms
192.168.36.2 icmp_seq=4 time=14.000 ms
192.168.36.2 icmp_seq=5 time=6.000 ms
Test from another machine
VPCS 1 >4
VPCS 4 >ping 192.168.33.2
192.168.33.2 icmp_seq=1 timeout
192.168.33.2 icmp_seq=2 timeout
192.168.33.2 icmp_seq=3 timeout
192.168.33.2 icmp_seq=4 timeout
192.168.33.2 icmp_seq=5 timeout
VPCS 4 >ping 192.168.35.2
192.168.35.2 icmp_seq=1 timeout
192.168.35.2 icmp_seq=2 timeout
192.168.35.2 icmp_seq=3 timeout
192.168.35.2 icmp_seq=4 timeout
192.168.35.2 icmp_seq=5 timeout
VPCS 4 >ping 192.168.36.2
192.168.36.2 icmp_seq=1 time=17.000 ms
192.168.36.2 icmp_seq=2 time=47.000 ms
192.168.36.2 icmp_seq=3 time=39.000 ms
192.168.36.2 icmp_seq=4 time=40.000 ms
192.168.36.2 icmp_seq=5 time=47.000 ms
That's it: all three steps are done, and everything works as I expected. Heh!
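The step-3 policy can be checked offline before it is applied. The following is an added example, not part of the original post: a small Python model of first-match evaluation with wildcard masks, loaded with the three access lists and inbound bindings shown above. It assumes only `ip` entries of the form used on this page (`any` or address plus wildcard) and uses the host addresses from the VPCS table.

```python
import ipaddress

# Entries copied from the page's "sh ip access-list" output.
ACLS = {
    111: ["deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255",
          "deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255",
          "permit ip any any"],
    112: ["deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255",
          "deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255",
          "permit ip any any"],
    113: ["deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255",
          "deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255",
          "permit ip any any"],
}
# Inbound bindings from the page ("ip access-group N in"); fa0/0.4 (server) has none.
INBOUND = {"192.168.33.0/24": 111, "192.168.34.0/24": 112, "192.168.35.0/24": 113}

def _spec(tokens):
    """Consume 'any' or 'address wildcard'; return (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return addr, wild, tokens[2:]

def _match(ip, addr, wild):
    care = ~wild & 0xFFFFFFFF          # a wildcard bit of 1 means "don't care"
    return (ip & care) == (addr & care)

def acl_action(entries, src, dst):
    """First matching entry wins; a list with entries ends in an implicit deny."""
    s, d = (int(ipaddress.IPv4Address(x)) for x in (src, dst))
    for entry in entries:
        action, _proto, *rest = entry.split()   # only "ip" entries are modelled
        sa, sw, rest = _spec(rest)
        da, dw, _ = _spec(rest)
        if _match(s, sa, sw) and _match(d, da, dw):
            return action
    return "deny"

def forwarded(src, dst):
    """Does the router accept a packet src -> dst on src's subinterface?"""
    for net, number in INBOUND.items():
        if ipaddress.IPv4Address(src) in ipaddress.ip_network(net):
            return acl_action(ACLS[number], src, dst) == "permit"
    return True                        # no inbound ACL on that subinterface

def can_ping(a, b):
    return forwarded(a, b) and forwarded(b, a)   # request and reply must both pass

if __name__ == "__main__":
    hosts = {"sales": "192.168.33.2", "tech": "192.168.34.2",
             "manage": "192.168.35.2", "server": "192.168.36.2"}
    for a in hosts:
        print(a, {b: can_ping(hosts[a], hosts[b]) for b in hosts if b != a})
```

The model also makes two side effects of these lists visible: the gateway addresses of the other department VLANs (for example 192.168.34.1 from sales) fall inside the denied ranges, and the closing `permit ip any any` lets every destination outside the two denied subnets through.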
This article is reposted from hahazhu0634's 51CTO blog; original link: http://blog.51cto.com/5ydycm/642100. To repost it, please contact the original author.