
Multi-level reflexive ACL configuration example

Author: keven         http://cisco.ccxx.net

 

! Tier assignment implied by the three lists below:
!   172.16.1.0/24  on Fa0/0.2 (ACL v10): top tier, may open sessions to both other tiers
!   192.168.0.0/24 on Fa0/0.1 (ACL v11): middle tier, may open sessions to 172.18.0.0/16 only
!   172.18.0.0/16  behind Fa0/1 via the default route (ACL v13): bottom tier, may only answer
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 11
 ip address 192.168.0.1 255.255.255.0
 ip access-group v11 in
!
interface FastEthernet0/0.2
 encapsulation isl 10
 ip address 172.16.1.1 255.255.255.0
 ip access-group v10 in
!
interface FastEthernet0/1
 ip address 10.10.10.9 255.255.255.0
 ip access-group v13 in
!
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
! v10, inbound from the top tier. 'reflect <list>' records every permitted session in the
! named reflexive list so that only the matching return traffic is let back in elsewhere.
! The tcp/udp/icmp entries that follow a 'permit ip' entry with the same reflect name are
! shadowed by it and never match; they could be removed without changing behaviour.
ip access-list extended v10
 permit ip 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit tcp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit udp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit icmp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit tcp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit udp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit icmp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit ip any any
!
! v11, inbound from the middle tier. 'evaluate v111' has to precede the deny entries: it
! admits the replies to sessions the top tier opened, and an unmatched packet falls through.
ip access-list extended v11
 evaluate v111
 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny icmp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny udp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny tcp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit udp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit icmp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit tcp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit ip any any
!
! v13, inbound on Fa0/1, where the bottom tier and everything else behind 10.10.10.10 arrive.
! Only 172.18.0.0/16 is stopped from initiating; the closing 'permit ip any any' admits any
! other source, so this list separates the tiers but is not a perimeter filter.
ip access-list extended v13
 evaluate v133
 deny icmp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny ip 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny udp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny tcp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny icmp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny tcp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny udp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any
!
ip access-list logging interval 100


The configuration above implements three access levels between subnets, for example an enterprise's general manager, finance and staff subnets. Reading the three lists together: 172.16.1.0/24 (v10) is the top level and can open sessions to both other subnets; 192.168.0.0/24 (v11) is the middle level and can open sessions only to 172.18.0.0/16; and 172.18.0.0/16, reached through Fa0/1 and the default route, is the lowest level and can only answer sessions opened towards it. Each reflect/evaluate pair lets the replies of a permitted session back through the list that would otherwise deny that direction.
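The tier rules above can be checked without a router. The following Python model, added here and not part of the original page, walks the three lists with IOS first-match semantics, implements reflect as "record the mirrored 5-tuple" and evaluate as "admit a recorded 5-tuple, otherwise fall through", and reports which tier can open a session to which. Subnets and list contents are taken from the configuration; the host addresses, ports and the top/middle/bottom names are constructed for the example (the page calls the tiers general manager, finance and staff).

```python
import ipaddress
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "proto src sport dst dport")  # sport/dport are 0 for icmp

@dataclass
class Entry:
    action: str                      # "permit", "deny" or "evaluate"
    proto: str = "ip"                # "ip" matches every protocol, as in IOS
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    reflect: Optional[str] = None    # reflexive list a permitted session is recorded in
    evaluate: Optional[str] = None   # reflexive list an 'evaluate' entry consults

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)

def permit(proto, src, dst, reflect=None):
    return Entry("permit", proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), reflect)

def deny(proto, src, dst):
    return Entry("deny", proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(name):
    return Entry("evaluate", evaluate=name)

class Router:
    def __init__(self, acls):
        self.acls = acls                # ACL name -> ordered entries
        self.reflex = defaultdict(set)  # reflexive list name -> 5-tuples of admitted return packets

    def filter(self, acl, p):
        """IOS semantics: the first matching entry decides; no match is an implicit deny."""
        for e in self.acls[acl]:
            if e.action == "evaluate":
                # Not terminal: a packet that is no recorded return flow falls through.
                if (p.proto, p.src, p.sport, p.dst, p.dport) in self.reflex[e.evaluate]:
                    return True
                continue
            if e.matches(p):
                if e.action == "permit" and e.reflect:
                    # IOS adds 'permit <proto> host <dst> eq <dport> host <src> eq <sport>',
                    # i.e. exactly the mirrored 5-tuple, to the reflexive list.
                    self.reflex[e.reflect].add((p.proto, p.dst, p.dport, p.src, p.sport))
                return e.action == "permit"
        return False

def ingress_acl(ip):
    """Inbound ACL a packet from this source hits, per the interface addressing above."""
    a = ipaddress.ip_address(ip)
    if a in ipaddress.ip_network("172.16.1.0/24"):
        return "v10"  # Fa0/0.2
    if a in ipaddress.ip_network("192.168.0.0/24"):
        return "v11"  # Fa0/0.1
    return "v13"      # Fa0/1: 172.18.0.0/16 and anything else behind 10.10.10.10

def build_router():
    # The tcp/udp/icmp entries that repeat a preceding 'permit ip' entry never match, so only
    # the 'permit ip' / 'deny ip' entries of each list are modelled.
    return Router({
        "v10": [permit("ip", "172.16.1.0/24", "172.18.0.0/16", reflect="v133"),
                permit("ip", "172.16.1.0/24", "192.168.0.0/24", reflect="v111"),
                permit("ip", "0.0.0.0/0", "0.0.0.0/0")],
        "v11": [evaluate("v111"),
                deny("ip", "192.168.0.0/24", "172.16.1.0/24"),
                permit("ip", "192.168.0.0/24", "172.18.0.0/16", reflect="v133"),
                permit("ip", "0.0.0.0/0", "0.0.0.0/0")],
        "v13": [evaluate("v133"),
                deny("ip", "172.18.0.0/16", "172.16.1.0/24"),
                deny("ip", "172.18.0.0/16", "192.168.0.0/24"),
                permit("ip", "0.0.0.0/0", "0.0.0.0/0")],
    })

def session(router, proto, src, sport, dst, dport):
    """(request_allowed, reply_allowed) for one client -> server exchange through the router."""
    if not router.filter(ingress_acl(src), Packet(proto, src, sport, dst, dport)):
        return (False, False)
    return (True, router.filter(ingress_acl(dst), Packet(proto, dst, dport, src, sport)))

# One constructed host per tier (the page calls the tiers general manager, finance and staff).
TIERS = {"top": "172.16.1.5", "middle": "192.168.0.9", "bottom": "172.18.3.4"}

def who_can_initiate_to_whom(proto="tcp", dport=80):
    """Tier pairs for which a session opens and its reply is let back through."""
    router = build_router()
    return {(a, b): session(router, proto, TIERS[a], 40000, TIERS[b], dport) == (True, True)
            for a in TIERS for b in TIERS if a != b}

if __name__ == "__main__":
    for (a, b), ok in who_can_initiate_to_whom().items():
        print(f"{a:>6} -> {b:<6} {'session opens' if ok else 'blocked'}")
    r = build_router()
    session(r, "tcp", "172.16.1.5", 40000, "172.18.3.4", 80)
    # Same hosts, another client port: no reflexive entry for it, so v13 denies it.
    print("bottom -> top, unsolicited:", session(r, "tcp", "172.18.3.4", 80, "172.16.1.5", 40001))
    # v13 ends in 'permit ip any any', so a source behind Fa0/1 outside 172.18.0.0/16 is admitted.
    print("203.0.113.7 -> top:", session(r, "tcp", "203.0.113.7", 40000, "172.16.1.5", 22))
```

Two things the run makes visible that the list text alone does not: a reflexive entry is keyed on the full 5-tuple, so a bottom-tier host that has just answered a session still cannot reach the same top-tier host on another port, and because v13 ends in permit ip any any, a source behind Fa0/1 that is not in 172.18.0.0/16 (here 203.0.113.7) is admitted to every tier. The model has no timer; on the router a reflexive entry is removed when a TCP session is seen to close or after the global ip reflexive-list timeout (300 seconds by default).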

Test method:
Once the configuration is in place, go to a host in each subnet, open two windows and ping the other two subnets from them.
Then run sh ip access-l (show ip access-lists) on the router and check whether the reflexive entries you expect have been created; since pings are ICMP, they appear as icmp entries in v133 or v111 with the pinged host as source and the pinging host as destination. If they have not been created, work out which entry is matching instead: every entry shows its match count, and during the ping the counter of the entry that is catching the packets keeps increasing.
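For the check in the last step, the following Python script, added here and not from the original page, takes the show ip access-lists output captured before and during the ping and reports which entries' match counters moved and which temporary entries appeared in the reflexive list. The two captures are constructed in the layout IOS prints for this command (a "(time left N)" field follows each reflexive entry); column spacing and sequence numbers vary by release, so adjust the regular expressions if your output differs.

```python
import re

HEADER = re.compile(r"^(?:Extended|Standard|Reflexive) IP access list (\S+)\s*$")
# optional sequence number, the rule text, optional "(N matches)", optional "(time left N)"
ENTRY = re.compile(r"^\s+(?:\d+\s+)?(.*?)\s*(?:\((\d+) match(?:es)?\))?\s*(?:\(time left (\d+)\))?\s*$")

def parse_access_lists(text):
    """{list_name: {entry_text: (matches, time_left_seconds_or_None)}}"""
    lists, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            lists[current] = {}
            continue
        m = ENTRY.match(line) if current else None
        if m:
            rule, matches, left = m.groups()
            lists[current][rule] = (int(matches or 0), int(left) if left else None)
    return lists

def counter_deltas(before, after):
    """Entries whose match counter grew between the captures, as (list, entry, increase)."""
    out = []
    for name, entries in after.items():
        for rule, (count, _) in entries.items():
            previous = before.get(name, {}).get(rule, (0, None))[0]
            if count > previous:
                out.append((name, rule, count - previous))
    return out

def new_reflexive_entries(before, after, name):
    """Temporary entries present in the reflexive list now but not in the earlier capture."""
    return sorted(set(after.get(name, {})) - set(before.get(name, {})))

# Constructed capture taken before the test: no reflexive list exists yet.
BEFORE = """\
Extended IP access list v10
    10 permit ip 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
    20 permit tcp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
    50 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
    90 permit ip any any (37 matches)
Extended IP access list v13
    10 evaluate v133
    30 deny ip 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255 (2 matches)
    90 permit ip any any (120 matches)
"""

# Constructed capture taken while 172.16.1.5 pings 172.18.3.4.
DURING = """\
Extended IP access list v10
    10 permit ip 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133 (4 matches)
    20 permit tcp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
    50 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
    90 permit ip any any (39 matches)
Reflexive IP access list v133
     permit icmp host 172.18.3.4 host 172.16.1.5  (4 matches) (time left 297)
Extended IP access list v13
    10 evaluate v133
    30 deny ip 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255 (2 matches)
    90 permit ip any any (121 matches)
"""

def check_ping_test(before_text=BEFORE, during_text=DURING, reflexive="v133"):
    """The page's check: which reflexive entries appeared, and which entries are counting?"""
    before, during = parse_access_lists(before_text), parse_access_lists(during_text)
    return {"reflexive_entries": new_reflexive_entries(before, during, reflexive),
            "counters_moved": counter_deltas(before, during)}

if __name__ == "__main__":
    result = check_ping_test()
    for rule in result["reflexive_entries"]:
        print("reflexive entry created:", rule)
    for name, rule, delta in result["counters_moved"]:
        print(f"{name}: '{rule}' +{delta}")
```

If the reflexive list stays empty while a deny entry is the one counting, the entry order is wrong or the evaluate line sits on the wrong interface; the entry whose counter grows tells you exactly which line took the packets.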

 


Before/after comparison of a Catalyst 3750 IOS upgrade (12.1(19)EA1d to 12.2(25)SEA):
Before the upgrade
Switch#dir flash:
Directory of flash:/

5 drwx 192 Mar 01 1993 00:03:52 c3750-i9-mz.121-19.EA1d

15998976 bytes total (9545728 bytes free)
Switch#

Switch#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3750 Software (C3750-I9-M), Version 12.1(19)EA1d, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 05-Apr-04 22:40 by antonino
Image text-base: 0x00003000, data-base: 0x007CBC3C

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)

Switch uptime is 16 minutes
System returned to ROM by power-on
System image file is "flash:c3750-i9-mz.121-19.EA1d/c3750-i9-mz.121-19.EA1d.bin"

cisco WS-C3750G-12S (PowerPC405) processor (revision H0) with 118776K/12288K bytes of memory.
Processor board ID CAT0849N2YU
Last reset from power-on
1 Virtual Ethernet/IEEE 802.3 interface(s)
12 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:129:97:7C:80
Motherboard assembly number : 73-8307-08
Power supply part number : 341-0048-01
Motherboard serial number : CAT084911NJ
Power supply serial number : DTH08441JZ5
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C3750G-12S-S
System serial number : CAT0849N2YU
Top Assembly Part Number : 800-21966-01
Top Assembly Revision Number : L0
Version ID : N/A
Hardware Board Revision Number : 0x07


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 12 WS-C3750G-12S 12.1(19)EA1d C3750-I9-M


Configuration register is 0xF

Switch#

After the upgrade:

Switch#sh flash:

Directory of flash:/

2 -rwx 1075 Mar 1 1993 00:24:27 +00:00 config.text
3 drwx 192 Mar 1 1993 00:23:48 +00:00 c3750-i5-mz.122-25.SEA
5 -rwx 5 Mar 1 1993 00:24:27 +00:00 private-config.text

15998976 bytes total (8053760 bytes free)
Switch#


Switch#sh ver
Cisco IOS Software, C3750 Software (C3750-I5-M), Version 12.2(25)SEA, RELEASE SOFTWARE (fc)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Jan-05 20:26 by antonino

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.1(19r)EA1b, RELEASE SOFTWARE (fc2)

Switch uptime is 2 minutes
System returned to ROM by power-on
System image file is "flash:c3750-i5-mz.122-25.SEA/c3750-i5-mz.122-25.SEA.bin"

cisco WS-C3750G-12S (PowerPC405) processor (revision H0) with 118784K/12280K bytes of memory.
Processor board ID CAT0849N2YU
Last reset from power-on
1 Virtual Ethernet interface
12 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:129:97:7C:80
Motherboard assembly number : 73-8307-08
Power supply part number : 341-0048-01
Motherboard serial number : CAT084911NJ
Power supply serial number : DTH08441JZ5
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C3750G-12S-S
System serial number : CAT0849N2YU
Top Assembly Part Number : 800-21966-01
Top Assembly Revision Number : L0
Version ID : N/A
Hardware Board Revision Number : 0x07


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 12 WS-C3750G-12S 12.2(25)SEA C3750-I5-M


Configuration register is 0xF

Switch#

Copyright © 2006 cisco.ccxx.net. All rights reserved.