How to configure IP ACLs on 7000-series Layer 3 switches running firmware 7.x

No.: 30154       Source: NetGear       Updated: 2012-03-21       Views: 7341

1. Network topology and configuration goals

1.1 Network topology diagram

1.2 Configuration goals

Six VLANs are created on each switch, with four ports per VLAN.

Switch A, an FSM7328S, acts as the Layer 3 switch and performs the VLAN routing.

VLAN IP addresses: VLAN 1 - 192.168.1.1, VLAN 2 - 192.168.2.1, VLAN 3 - 192.168.3.1, VLAN 4 - 192.168.4.1, VLAN 5 - 192.168.5.1, VLAN 6 - 192.168.0.1.

Requirement: VLANs 1, 2, 3 and 4 must not be able to reach each other, but each must be able to reach VLAN 5 and VLAN 6, and reach the Internet through the router on VLAN 6.

Using switch A as the example, and assuming VLAN routing is already configured, this article describes how to set up IP ACLs on a 7000-series Layer 3 switch running firmware 7.x to restrict access between VLANs.

2. Configuring the IP ACLs through the web interface

2.1 Log in to the switch management page

Open Internet Explorer, enter the switch's management address (a VLAN IP address, e.g. 192.168.0.1) in the address bar, and enter the username and password.

2.2 Open the IP ACL configuration page under Security > ACL > IP ACL

2.3 Create the ACLs

Enter the ACL number under IP ACL ID; numbers 100-199 are extended ACLs. To keep VLANs 1, 2, 3 and 4 from reaching each other, a separate ACL is needed for each of the four VLANs, for example IP ACL IDs 101, 102, 103 and 104. After entering each ACL ID, click Add:

2.4 Configure the ACL rules

Open the Security > ACL > IP Extended Rules page to configure the rules:

1) Select the ACL ID, then click Add to open the rule configuration page and define the rule. For example, rule 1 denies VLAN 1 access to VLAN 2:

Rule ID: 1 (rule IDs 1-23 are evaluated in ascending order),

Action: Deny,

Match Every: False,

Protocol: IP,

Source IP Address: the source subnet, 192.168.1.0

Source IP Mask: the source wildcard (inverse) mask, 0.0.0.255

Destination IP Address: the destination subnet, 192.168.2.0

Destination IP Mask: the destination wildcard (inverse) mask, 0.0.0.255

Finally click Apply.

2) Repeat the procedure to add rules 2 and 3, denying VLAN 1 access to VLAN 3 and VLAN 4 respectively.

3) Finally add rule 4 with Action set to Permit and Match Every set to True, permitting all other traffic.

4) Repeat steps 1-3 of this section to configure the rules of ACL 102 for VLAN 2: deny VLAN 2 access to VLAN 1, VLAN 3 and VLAN 4, then permit all other traffic.

5) Repeat steps 1-3 again to configure the rules of ACLs 103 and 104 for VLAN 3 and VLAN 4.

2.5 Apply the ACLs to the ports

1) Open the Security > ACL > IP ACL > IP Binding Configuration page.

2) Select the ACL ID, e.g. 101, set Direction to Inbound, leave Sequence Number at 0 (the switch assigns one automatically), click Unit 1 to expand the port selector, tick ports 1, 2, 3 and 4, and finally click Apply.

3) Repeat the procedure to bind ACLs 102, 103 and 104 to their corresponding ports.

3. Configuring the IP ACLs through the command-line interface

3.1 Log in to the switch and enter global configuration mode

User:admin

Password:

(FSM7328S) >enable

Password:

(FSM7328S) #configure

(FSM7328S) (Config)#

3.2 Create the extended ACL and rules that stop VLAN 1 from reaching VLANs 2, 3 and 4

(FSM7328S) (Config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

# Deny 192.168.1.0 access to 192.168.2.0; the mask given here is the wildcard (inverse) mask 0.0.0.255

(FSM7328S) (Config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

(FSM7328S) (Config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

(FSM7328S) (Config)#access-list 101 permit ip any any

# NETGEAR's default (implicit) rule denies everything, so the final rule must permit all other traffic
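The following is an added example, not part of the original NETGEAR article: a small Python evaluator that parses the access-list lines shown above (it covers the rule semantics of both section 2.4 and section 3.2), applies wildcard masks, and walks the rules in configured order with the implicit deny at the end. The packet addresses are constructed; it shows why the final "permit ip any any" is required.

```python
import ipaddress

# Constructed sample: the four access-list lines for ACL 101 from the procedure above.
ACL_101 = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
"""

def wildcard_match(addr, network, wildcard):
    """Wildcard (inverse) mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)

def _addr_spec(tokens):
    """Consume one address spec: 'any', or '<network> <wildcard>'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list <id> <permit|deny> ip <src> <dst>' lines into rules, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[3] != "ip":
            continue  # only the plain IP form used in this article is handled
        src, rest = _addr_spec(p[4:])
        dst, _ = _addr_spec(rest)
        rules.append((p[1], p[2], src, dst))
    return rules

def evaluate(rules, acl_id, src_ip, dst_ip):
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for rid, action, (s, sw), (d, dw) in rules:
        if rid == acl_id and wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    print(evaluate(rules, "101", "192.168.1.10", "192.168.2.20"))   # deny: VLAN 1 -> VLAN 2
    print(evaluate(rules, "101", "192.168.1.10", "192.168.0.254"))  # permit: VLAN 1 -> router
    # Same ACL without the final "permit ip any any": the implicit deny blocks the router too
    no_permit = parse_acl("\n".join(ACL_101.strip().splitlines()[:3]))
    print(evaluate(no_permit, "101", "192.168.1.10", "192.168.0.254"))  # deny
```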

3.3 Create the ACLs for VLAN 2, VLAN 3 and VLAN 4 in the same way

(FSM7328S) (Config)#access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

(FSM7328S) (Config)#access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255

(FSM7328S) (Config)#access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

(FSM7328S) (Config)#access-list 102 permit ip any any

(FSM7328S) (Config)#access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

(FSM7328S) (Config)#access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

(FSM7328S) (Config)#access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

(FSM7328S) (Config)#access-list 103 permit ip any any

(FSM7328S) (Config)#access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

(FSM7328S) (Config)#access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

(FSM7328S) (Config)#access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

(FSM7328S) (Config)#access-list 104 permit ip any any

3.4 Apply the ACLs to the corresponding physical ports, e.g. ACL 101 to the VLAN 1 ports and ACL 102 to the VLAN 2 ports.

(FSM7328S) (Config)#interface range 1/0/1-1/0/4

(FSM7328S) (conf-if-range-1/0/1-1/0/4)#ip access-group 101 in

(FSM7328S) (conf-if-range-1/0/1-1/0/4)#exit

(FSM7328S) (Config)#interface range 1/0/5-1/0/8

(FSM7328S) (conf-if-range-1/0/5-1/0/8)#ip access-group 102 in

(FSM7328S) (conf-if-range-1/0/5-1/0/8)#exit

(FSM7328S) (Config)#interface range 1/0/9-1/0/12

(FSM7328S) (conf-if-range-1/0/9-1/0/12)#ip access-group 103 in

(FSM7328S) (conf-if-range-1/0/9-1/0/12)#exit

(FSM7328S) (Config)#interface range 1/0/13-1/0/16

(FSM7328S) (conf-if-range-1/0/13-1/0/16)#ip access-group 104 in

(FSM7328S) (conf-if-range-1/0/13-1/0/16)#exit

3.5 After the configuration is complete, view the current configuration.

(FSM7328S) #show running-config changed
!Current Configuration:
!
!System Description "FSM7328S 24+4 L3 Stackable Switch"
!System Description 7.3.0.7
!
set prompt "FSM7328S"
network protocol none
vlan database
vlan 2
vlan 3
vlan 4
vlan 5
vlan 6
vlan routing 1
vlan routing 2
vlan routing 3
vlan routing 4
vlan routing 5
vlan routing 6
exit
configure
sntp client mode unicast
! sntp server status is active
sntp server time-d.netgear.com
stack
exit
logging buffered
slot 1/0 3
set slot power 1/0
no set slot disable 1/0
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.254
lineconfig
exit
spanning-tree configuration name 00-0F-B5-9C-18-67
snmp-server community public@2
snmp-server community public@3
snmp-server community public@4
snmp-server community public@5
snmp-server community public@6
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip any any
interface 1/0/1
ip access-group 101 in 1
exit
interface 1/0/2
ip access-group 101 in 1
exit
interface 1/0/3
ip access-group 101 in 1
exit
interface 1/0/4
ip access-group 101 in 1
exit
interface 1/0/5
vlan pvid 2
vlan participation include 2
ip access-group 102 in 1
exit
interface 1/0/6
vlan pvid 2
vlan participation include 2
ip access-group 102 in 1
exit
interface 1/0/7
vlan pvid 2
vlan participation include 2
ip access-group 102 in 1
exit
interface 1/0/8
vlan pvid 2
vlan participation include 2
ip access-group 102 in 1
exit
interface 1/0/9
vlan pvid 3
vlan participation include 3
ip access-group 103 in 1
exit
interface 1/0/10
vlan pvid 3
vlan participation include 3
ip access-group 103 in 1
exit
interface 1/0/11
vlan pvid 3
vlan participation include 3
ip access-group 103 in 1
exit
interface 1/0/12
vlan pvid 3
vlan participation include 3
ip access-group 103 in 1
exit
interface 1/0/13
vlan pvid 4
vlan participation include 4
ip access-group 104 in 1
exit
interface 1/0/14
vlan pvid 4
vlan participation include 4
ip access-group 104 in 1
exit
interface 1/0/15
vlan pvid 4
vlan participation include 4
ip access-group 104 in 1
exit
interface 1/0/16
vlan pvid 4
vlan participation include 4
ip access-group 104 in 1
exit
interface 1/0/17
vlan pvid 5
vlan participation include 5
exit
interface 1/0/18
vlan pvid 5
vlan participation include 5
exit
interface 1/0/19
vlan pvid 5
vlan participation include 5
exit
interface 1/0/20
vlan pvid 5
vlan participation include 5
exit
interface 1/0/21
vlan pvid 6
vlan participation include 6
exit
interface 1/0/22
vlan pvid 6
vlan participation include 6
exit
interface 1/0/23
vlan pvid 6
vlan participation include 6
exit
interface 1/0/24
vlan pvid 6
vlan participation include 6
exit
interface 1/0/25
vlan tagging 1
vlan participation include 2
vlan tagging 2
vlan participation include 3
vlan tagging 3
vlan participation include 4
vlan tagging 4
vlan participation include 5
vlan tagging 5
vlan participation include 6
vlan tagging 6
exit
interface 1/0/26
vlan tagging 1
vlan participation include 2
vlan tagging 2
vlan participation include 3
vlan tagging 3
vlan participation include 4
vlan tagging 4
vlan participation include 5
vlan tagging 5
vlan participation include 6
vlan tagging 6
exit
interface vlan 1
routing
ip address 192.168.1.1 255.255.255.0
exit
interface vlan 2
routing
ip address 192.168.2.1 255.255.255.0
exit
interface vlan 3
routing
ip address 192.168.3.1 255.255.255.0
exit
interface vlan 4
routing
ip address 192.168.4.1 255.255.255.0
exit
interface vlan 5
routing
ip address 192.168.5.1 255.255.255.0
exit
interface vlan 6
routing
ip address 192.168.0.1 255.255.255.0
exit
exit
(FSM7328S) #

Revision history

No.    Date          Author     Summary
1      2010-11-03    NETGEAR    Document created