扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
以下路由器的配置过程:
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation isl 11
ip address 192.168.0.1 255.255.255.0
ip access-group v11 in
interface FastEthernet0/0.2
encapsulation isl 10
ip address 172.16.1.1 255.255.255.0
ip access-group v10 in
interface FastEthernet0/1
ip address 10.10.10.9 255.255.255.0
ip access-group v13 in
ip route 0.0.0.0 0.0.0.0 10.10.10.10
ip access-list extended v10
permit ip 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit tcp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit udp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit icmp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
permit tcp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
permit udp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
permit icmp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
permit ip any any
ip access-list extended v11
evaluate v111
deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
deny icmp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
deny udp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
deny tcp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit udp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit icmp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit tcp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
permit ip any any
ip access-list extended v13
evaluate v133
deny icmp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
deny ip 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
deny udp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
deny tcp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
deny icmp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
deny tcp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
deny udp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
permit ip any any
ip access-list logging interval 100
以上配置实现三个等级的网段访问,使用于企业的总经理、财务、员工三个网段
测试方法:
配置完成之后,在不同网段使用ping命令开两个窗口,分别ping其他两个网段。这时在router 上用sh ip access-l 查看有没有产生你所需要的acl,如果没有,查看是哪一条acl起效(根据acl后面的条目数,ping的过程会有一个acl的条目逐渐增加)
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者