winlinux 2007-10-31 16:45
Looking for a Cisco 3560 VLAN ACL configuration
The device is a 3560, with a Huawei 3100 and a Cisco 2950 connected below it. DHCP pools for the VLANs are configured on the 3560; clients are only allowed to use dynamic IP addresses, and a host with a static IP must not be able to get online. I need a VLAN ACL that allows VLAN2, VLAN3, VLAN4 and VLAN5 to reach VLAN6, while VLAN2, VLAN3, VLAN4 and VLAN5 cannot reach each other. But after configuring the VLAN ACL, clients cannot obtain an IP address. How should this be configured?
The 3560 configuration is as follows:
3560>en
Password:
3560#show run
Building configuration...
Current configuration : 4107 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3560
!
enable password cisco
!
no aaa new-model
clock timezone WST 8
ip subnet-zero
ip routing
ip dhcp excluded-address 192.10.10.1
ip dhcp excluded-address 192.10.20.1
ip dhcp excluded-address 192.10.30.1
ip dhcp excluded-address 192.10.40.1
ip dhcp excluded-address 192.10.50.1
!
ip dhcp pool vlan2
network 192.10.10.0 255.255.255.0
default-router 192.10.10.1
lease 365
!
ip dhcp pool vlan3
network 192.10.20.0 255.255.255.0
default-router 192.10.20.1
lease 365
!
ip dhcp pool vlan4
network 192.10.30.0 255.255.255.0
default-router 192.10.30.1
lease 365
!
ip dhcp pool vlan5
network 192.10.40.0 255.255.255.0
default-router 192.10.40.1
lease 365
!
ip dhcp pool vlan6
network 192.10.50.0 255.255.255.0
default-router 192.10.50.1
lease 365
!
ip dhcp snooping vlan 2-5
ip arp inspection validate src-mac dst-mac ip
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map map 10
action forward
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description to h3c2
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit rate 300
arp timeout 2
ip dhcp snooping limit rate 300
!
interface FastEthernet0/2
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
description to h3czzz
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit rate 300
arp timeout 2
ip dhcp snooping limit rate 300
!
interface FastEthernet0/23
!
interface FastEthernet0/24
description to 2960
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit rate 300
arp timeout 2
ip dhcp snooping limit rate 300
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
ip address 192.10.10.1 255.255.255.0
!
interface Vlan3
ip address 192.10.20.1 255.255.255.0
!
interface Vlan4
ip address 192.10.30.1 255.255.255.0
!
interface Vlan5
ip address 192.10.40.1 255.255.255.0
!
interface Vlan6
ip address 192.10.50.1 255.255.255.0
!
ip classless
ip http server
!
access-list 101 permit ip 192.10.10.0 0.0.0.255 192.10.50.0 0.0.0.255
access-list 101 permit ip 192.10.50.0 0.0.0.255 192.10.10.0 0.0.0.255
access-list 102 permit ip 192.10.20.0 0.0.0.255 192.10.50.0 0.0.0.255
access-list 102 permit ip 192.10.50.0 0.0.0.255 192.10.20.0 0.0.0.255
access-list 103 permit ip 192.10.30.0 0.0.0.255 192.10.50.0 0.0.0.255
access-list 103 permit ip 192.10.50.0 0.0.0.255 192.10.30.0 0.0.0.255
access-list 104 permit ip 192.10.40.0 0.0.0.255 192.10.50.0 0.0.0.255
access-list 104 permit ip 192.10.50.0 0.0.0.255 192.10.40.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
password ciscocisco
no login
line vty 5 15
no login
!
end
3560#
白胡子 2007-11-1 09:04
I haven't looked closely, but your ACLs are only defined and are not applied to any interface, which means they are not in effect at all.
winlinux 2007-11-2 13:11
After I applied them the clients could not obtain addresses, so I removed them from the VLAN interfaces.
白胡子 2007-11-3 16:58
That is because a DHCP client has to broadcast first and then the server responds; you denied that, so it cannot obtain an address.
winlinux 2007-11-3 18:25
The 3560 acts as the DHCP server and assigns addresses for each VLAN. Clients must use dynamic addresses, these VLANs must not be able to reach each other, and they may only reach the VLAN the server is in. How should this be set up? Please tell me, thanks!
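The fix 白胡子 is pointing at, written out as an added example that is not from the thread: on the 3560 an inbound router ACL on an SVI is evaluated before the switch's own DHCP server sees the packet, so each per-VLAN ACL has to permit DHCP ahead of the implicit deny. The subnets and SVI addresses are the poster's; the ACL name VLAN2-IN and the choice to apply one ACL inbound on each client SVI are my assumptions, shown for Vlan2 and repeated for Vlan3 to Vlan5 with their own subnets.

```cisco
! Added example (not the poster's config): inbound ACL for Vlan2.
! A new client's DHCP DISCOVER/REQUEST is 0.0.0.0 -> 255.255.255.255,
! UDP 68 (bootpc) -> 67 (bootps). The original ACL 101 only matched
! 192.10.10.0/24 -> 192.10.50.0/24, so DHCP fell into the implicit deny.
ip access-list extended VLAN2-IN
 remark initial lease and rebinding: client broadcasts to the server
 permit udp any host 255.255.255.255 eq bootps
 remark renewals: unicast from the leased address to this SVI (the server)
 permit udp 192.10.10.0 0.0.0.255 host 192.10.10.1 eq bootps
 remark the only other traffic VLAN2 may source: the server VLAN (VLAN6)
 permit ip 192.10.10.0 0.0.0.255 192.10.50.0 0.0.0.255
 remark VLAN3/4/5 and everything else: explicit deny so the counter shows hits
 deny ip any any
!
interface Vlan2
 ip access-group VLAN2-IN in
!
! Same pattern for Vlan3 (192.10.20.0/24, SVI 192.10.20.1), Vlan4
! (192.10.30.0/24, SVI 192.10.30.1) and Vlan5 (192.10.40.0/24, SVI 192.10.40.1).
! Vlan6 needs no ACL: traffic from 192.10.50.0/24 enters on Vlan6 and is
! permitted by default, while VLAN3 -> VLAN2 is already dropped on entry by
! the ACL on Vlan3.
```

`show access-lists VLAN2-IN` shows per-entry match counters, so a client that still fails to lease shows up as hits on the final deny. The `vlan access-map map 10` in the posted config is defined but never applied with `vlan filter`, so it is not what blocked DHCP.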