Cisco Switch ACL (Access Control List) Configuration Guide
Log in to the switch and enter global configuration mode
SWITCH>en
Password:
SWITCH#
SWITCH#config t
Enter configuration commands, one per line. End with CNTL/Z.
SWITCH(config)#
- Use an ACL to allow access to the switch only from one fixed IP address
Configure the ACL policy
SWITCH(config)# ip access-list extended only-permit-IP
permit ip host 192.168.1.254 any
Apply the ACL policy
SWITCH(config)#line vty 0 15
access-class only-permit-IP in
- Block the VLAN30 subnet from reaching the VLAN20 subnet and the server 192.168.1.100
Configure the ACL policy
SWITCH(config)# ip access-list extended Deny-vlan-30
10 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
20 deny ip 192.168.30.0 0.0.0.255 host 192.168.1.100
99 permit ip any any
Apply the ACL policy
SWITCH(config)# interface vlan30
ip access-group Deny-vlan-30 in
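Added example (not part of the original guide): a small Python first-match evaluator for checking, before deployment, how the only-permit-IP and Deny-vlan-30 entries above treat a given source/destination pair, including the implicit deny at the end of every ACL. It handles only `ip` entries, and the function names are hypothetical.

```python
import ipaddress

ALL = 0xFFFFFFFF

def ip(a):
    return int(ipaddress.IPv4Address(a))

def parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tok[0] == "any":
        return 0, ALL, tok[1:]
    if tok[0] == "host":
        return ip(tok[1]), 0, tok[2:]
    return ip(tok[0]), ip(tok[1]), tok[2:]

def parse_acl(text):
    """Parse '[SEQ] permit|deny ip SRC DST' entries, ordered by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        # Unnumbered entries are appended at last sequence + 10, starting at 10.
        seq = int(tok.pop(0)) if tok[0].isdigit() else (entries[-1][0] + 10 if entries else 10)
        action, proto = tok[0], tok[1]
        if proto != "ip":
            raise ValueError("this sketch handles 'ip' entries only: " + line)
        src, src_wc, rest = parse_addr(tok[2:])
        dst, dst_wc, _ = parse_addr(rest)
        entries.append((seq, action, src, src_wc, dst, dst_wc))
    return sorted(entries)

def hit(addr, base, wildcard):
    care = ~wildcard & ALL  # a 1 bit in the wildcard mask means "ignore this bit"
    return (addr & care) == (base & care)

def evaluate(acl, src, dst):
    """Return (action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    for seq, action, s, s_wc, d, d_wc in acl:
        if hit(ip(src), s, s_wc) and hit(ip(dst), d, d_wc):
            return action, seq
    return "deny", None

# ACL entries copied from this page
DENY_VLAN_30 = parse_acl("""
10 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
20 deny ip 192.168.30.0 0.0.0.255 host 192.168.1.100
99 permit ip any any
""")
ONLY_PERMIT_IP = parse_acl("permit ip host 192.168.1.254 any")

if __name__ == "__main__":
    # Constructed test addresses
    print(evaluate(DENY_VLAN_30, "192.168.30.5", "192.168.1.101"))
    print(evaluate(ONLY_PERMIT_IP, "192.168.1.10", "192.168.1.1"))
```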
- Block the VLAN30 subnet from accessing certain ports and protocols
SWITCH(config)# ip access-list extended Deny-tcp-30
10 deny tcp 172.60.21.0 0.0.0.255 any eq www
20 deny tcp any any eq 3389
30 deny tcp any any eq 445
99 permit ip any any
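Apply the ACL policy (an interface holds only one inbound IP ACL, so this replaces Deny-vlan-30 on interface vlan30)
SWITCH(config)# interface vlan30
ip access-group Deny-tcp-30 in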
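- Use ACLs with a policy route-map so that VLAN24 traffic to the internal network is forwarded normally, while traffic to external networks leaves via a specified next hop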
ip access-list extended LAN
permit ip 172.16.24.0 0.0.0.255 172.28.0.0 0.0.255.255
permit ip 172.16.25.0 0.0.0.255 172.28.0.0 0.0.255.255
ip access-list extended OFFICE
permit ip 172.28.25.0 0.0.0.255 any
route-map TO-T2-Policy permit 5
match ip address LAN
route-map TO-T2-Policy permit 10
match ip address OFFICE
set ip next-hop 169.254.15.13
Apply the ACL policy
SWITCH(config)# interface Vlan24
ip policy route-map TO-T2-Policy