```
Switch>enable
Switch#configure terminal
Switch(config)#ip access-list extended deny55                                   ! create an extended ACL named deny55
Switch(config-ext-nacl)#1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35      ! exception: 10.30.55.0/24 may reach host 10.30.51.35 (must precede the deny at seq 10)
Switch(config-ext-nacl)#10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255   ! deny 10.30.55.0/24 -> 10.30.51.0/24
Switch(config-ext-nacl)#20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255   ! deny 10.30.55.0/24 -> 10.30.52.0/24
Switch(config-ext-nacl)#100 permit ip any any                                   ! permit everything else; without this the implicit deny at the end drops all remaining traffic
Switch(config-ext-nacl)#show this                                               ! display the rules of deny55 as configured; pay attention to the sequence numbers
Building configuration...
!
1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.19
10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255
20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255
100 permit ip any any
!
end
Switch(config-ext-nacl)#exit
```

Rules are evaluated in ascending sequence order and the first match wins, so the single-host permit at sequence 1 must sit in front of the /24 deny at sequence 10; entered the other way round, traffic to 10.30.51.35 would hit the deny first and the permit would never be reached. Note that the `show this` capture above lists host 10.30.51.19 in rule 1 although the command entered used 10.30.51.35 (the later `show access-lists` output shows .35): confirm the active rule set with `show access-lists` rather than trusting a pasted transcript.
Apply the created ACL to the target VLAN (it can also be applied to a physical interface)
```
Switch>enable
Switch#configure terminal
Switch(config)#interface vlan 15                         ! enter the SVI for VLAN 15 (10.30.55.0/24)
Switch(config-if-VLAN 15)#ip access-group deny55 in      ! apply deny55 to traffic entering the switch from VLAN 15
Switch(config-if-VLAN 15)#show this
Building configuration...
!
ip access-group deny55 in
ip address 10.30.55.254 255.255.255.0
!
end
Switch(config-if-VLAN 15)#end
```

`in` on the SVI filters packets arriving from hosts in VLAN 15, which is why every rule uses 10.30.55.0/24 as its source. The ACL is stateless: it does not track connections, so replies sent from 10.30.55.0/24 back to 10.30.51.0/24 are dropped by rule 10 as well, and a connection started from a 10.30.51.x host toward VLAN 15 fails too. Only 10.30.51.35 is reachable in both directions, because replies addressed to it match rule 1.
Check that the ACL rules are correct, then save
```
Switch#show access-lists                                  ! list the rules that are actually active
ip access-list extended deny55
 1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35
 10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255
 20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255
 30 deny ip 10.30.55.0 0.0.0.255 10.30.53.0 0.0.0.255
 40 deny ip 10.30.55.0 0.0.0.255 10.30.54.0 0.0.0.255
 50 deny ip 10.30.55.0 0.0.0.255 10.30.56.0 0.0.0.255
 60 deny ip 10.30.55.0 0.0.0.255 10.30.58.0 0.0.0.255
 70 permit ip any any (2 packets filtered)
Switch#write                                              ! save the running configuration to startup
```

The active list here has grown beyond what was entered above: it now also blocks the 10.30.53, 10.30.54, 10.30.56 and 10.30.58 segments, and the catch-all permit sits at sequence 70 instead of 100. The `(2 packets filtered)` counter shows that rule has already matched traffic. Any destination not covered by a deny rule falls through to that final permit, so a newly added segment is reachable from VLAN 15 until a deny for it is inserted in front of the permit.
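To check the ordering and the stateless behaviour without a switch, the following added example (not code from the page or from any switch vendor) models first-match evaluation of the `deny55` list exactly as printed by `show access-lists` above. It only understands `ip` rules with `<network> <wildcard>`, `host <ip>` or `any` address specs, which is all this ACL uses; the sample source/destination pairs are constructed for the demonstration.

```python
# Added example: minimal first-match evaluator for an extended ACL of the
# form shown on this page. It is a model, not the switch's implementation.
import ipaddress
from dataclasses import dataclass

# The rule set exactly as listed by "show access-lists" above.
ACL_DENY55 = """
1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35
10 deny ip 10.30.55.0 0.0.0.255 10.30.51.0 0.0.0.255
20 deny ip 10.30.55.0 0.0.0.255 10.30.52.0 0.0.0.255
30 deny ip 10.30.55.0 0.0.0.255 10.30.53.0 0.0.0.255
40 deny ip 10.30.55.0 0.0.0.255 10.30.54.0 0.0.0.255
50 deny ip 10.30.55.0 0.0.0.255 10.30.56.0 0.0.0.255
60 deny ip 10.30.55.0 0.0.0.255 10.30.58.0 0.0.0.255
70 permit ip any any
"""


@dataclass
class Rule:
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<network> <wildcard>": the wildcard is the bitwise inverse of the subnet mask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse '<seq> <permit|deny> ip <src> <dst>' lines into rules sorted by sequence."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != "ip":
            raise ValueError(f"only 'ip' rules are modelled: {line}")
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)
        rules.append(Rule(seq, action, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, src_ip, dst_ip):
    """First match in sequence order wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.seq
    return "deny", None  # nothing matched: implicit deny


RULES = parse_acl(ACL_DENY55)


def misordered_result():
    """Same packet, but with the host exception entered after the /24 deny (seq 15)."""
    moved = ACL_DENY55.replace(
        "1 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35",
        "15 permit ip 10.30.55.0 0.0.0.255 host 10.30.51.35",
    )
    return evaluate(parse_acl(moved), "10.30.55.10", "10.30.51.35")


if __name__ == "__main__":
    # Constructed sample flows, all entering the switch from VLAN 15.
    for src, dst in [("10.30.55.10", "10.30.51.35"),   # exception host
                     ("10.30.55.10", "10.30.51.36"),   # rest of 10.30.51.0/24
                     ("10.30.55.10", "10.30.57.1"),    # segment with no deny rule
                     ("10.30.55.10", "8.8.8.8")]:      # anything else
        print(src, "->", dst, evaluate(RULES, src, dst))
    print("host permit placed after the deny:", misordered_result())
```

Traffic from VLAN 15 to 10.30.51.35 is permitted by rule 1, traffic to any other 10.30.51.x host is denied by rule 10, and a destination in a segment without a deny rule (10.30.57.0/24 in the sample) falls through to the permit at 70. `misordered_result()` shows why the sequence numbers matter: with the host exception numbered after the /24 deny, the same packet is dropped by rule 10. Because the evaluator, like the switch, has no connection state, a reply from 10.30.55.10 to 10.30.51.36 is denied by the same rule 10, which is the stateless behaviour noted under the VLAN step.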