Cisco 3550-24-EMI and ACLs

Everything related to configuring Cisco devices (that does not fit in the other categories)

Moderator: Federico.Lagni

maggiore81
Cisco pathologically enlightened user
Posts: 216
Joined: Thu 15 Feb 2007, 8:34 pm
Location: Ravenna - ITALY -

Good morning,
I have a Cisco 3550-24-EMI L3 switch running the latest IOS.

In practice I have 3 VLANs created.
On each VLAN I have an address,

like 192.168.1.254/24 on vlan1, 2.254/24 on vlan2, etc.

How do I set up an ACL so that all the traffic leaving one VLAN to go to the others gets "filtered"?
Dott. Spadoni
Network Administrator
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Province of GE

Hi,
to get a better answer I think you need to give some more information about the network topology and the various services.

Paolo
No leaf falls that the unconscious does not will (S.B.)
maggiore81
Cisco pathologically enlightened user
Posts: 216
Joined: Thu 15 Feb 2007, 8:34 pm
Location: Ravenna - ITALY -

Good morning Paolo,
in my opinion the question is quite clear.

If I have a switch with several VLANs attached to it, and I wanted to put in an ACL that filters the traffic arriving from one VLAN (so the traffic has to cross the switch coming from that VLAN), how can I do that?

If I apply it inbound on the VLAN it doesn't match.
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname c3550-zxcne
!
logging buffered informational
no logging console
no logging monitor
!
username zzzzzzzzzz privilege 15 password 7 xxxxxxxxx
no aaa new-model
clock timezone CET 2
ip subnet-zero
no ip source-route
ip routing
no ip gratuitous-arps
ip domain round-robin
ip domain-name zzzzzzzzzzzzz
ip name-server 212.97.32.2
ip name-server 94.141.24.92
!
!
login on-failure log
!
!
!
!

!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp selective-ack
ip tcp timestamp
ip tcp window-size 2144
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/1

switchport access vlan 2
switchport mode access
!
interface FastEthernet0/2

switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface FastEthernet0/4

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,4
switchport mode trunk
!
interface FastEthernet0/5
switchport mode access
!
interface FastEthernet0/6

switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,6
switchport mode trunk
!
interface FastEthernet0/7
switchport mode access
!
interface FastEthernet0/8
switchport mode access
!
interface FastEthernet0/9
switchport mode access
!
interface FastEthernet0/10
switchport mode access
!
interface FastEthernet0/11
description c2610 - DNS1 - 10MbFD
switchport mode access
duplex full
!
interface FastEthernet0/12
switchport mode access
!
interface FastEthernet0/13
switchport mode access
!
interface FastEthernet0/14
switchport mode access
!
interface FastEthernet0/15
switchport mode access
!
interface FastEthernet0/16
switchport mode access
!
interface FastEthernet0/17
switchport mode access
!
interface FastEthernet0/18
switchport mode access
!
interface FastEthernet0/19
switchport mode access
!
interface FastEthernet0/20
switchport mode access
!
interface FastEthernet0/21
switchport mode access
!
interface FastEthernet0/22
switchport mode access
!
interface FastEthernet0/23
switchport mode access
!
interface FastEthernet0/24
switchport mode access
!
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/2
switchport mode access
!
interface Vlan1
description VLAN 1 - Default Network
ip address 172.16.0.100 255.255.254.0
no ip redirects
no ip proxy-arp
ip ospf message-digest-key 1 md5 7 xxxxxxxxxxxxxxxxxxx
!
interface Vlan2

ip address 172.16.2.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map PBR
!
interface Vlan4

ip address 172.16.4.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map PBR
!
interface Vlan6

ip address 172.16.6.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip policy route-map PBR
!
router ospf 1
log-adjacency-changes
area 0 authentication message-digest
area 2 stub
area 4 stub
area 6 stub
network 172.16.0.0 0.0.1.255 area 0
network 172.16.2.0 0.0.0.255 area 2
network 172.16.4.0 0.0.0.255 area 4
network 172.16.6.0 0.0.0.255 area 6
!
ip classless
no ip forward-protocol udp domain
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended CPEs-TO-R1
permit ip host 172.16.2.1 any
permit ip any host 172.16.2.1
permit ip host 172.16.2.2 any
permit ip any host 172.16.2.2
permit ip host 172.16.2.3 any
permit ip any host 172.16.2.3
permit ip host 172.16.2.4 any
permit ip any host 172.16.2.4
permit ip host 172.16.2.5 any
permit ip any host 172.16.2.5
permit ip host 172.16.2.7 any
permit ip any host 172.16.2.6
permit ip host 172.16.2.6 any
permit ip any host 172.16.2.7
permit ip host 172.16.2.8 any
permit ip any host 172.16.2.8
permit ip host 172.16.2.9 any
permit ip any host 172.16.2.9
permit ip host 172.16.2.10 any
permit ip any host 172.16.2.10
permit ip host 172.16.2.11 any
permit ip any host 172.16.2.11
permit ip host 172.16.2.12 any
permit ip any host 172.16.2.12
permit ip host 172.16.2.13 any
permit ip any host 172.16.2.13
permit ip host 172.16.2.14 any
permit ip any host 172.16.2.14
permit ip host 172.16.2.15 any
permit ip any host 172.16.2.15
permit ip host 172.16.2.17 any
permit ip any host 172.16.2.17
permit ip host 172.16.6.1 any
permit ip any host 172.16.6.1
permit ip host 172.16.6.2 any
permit ip any host 172.16.6.2
permit ip host 172.16.6.3 any
permit ip any host 172.16.6.3
permit ip host 172.16.6.4 any
permit ip any host 172.16.6.4
permit ip host 172.16.6.5 any
permit ip any host 172.16.6.5
permit ip host 172.16.2.16 any
permit ip any host 172.16.2.16
permit ip host 172.16.6.6 any
permit ip any host 172.16.6.6
permit ip host 172.16.6.7 any
permit ip any host 172.16.6.7
permit ip host 172.16.6.200 any
permit ip any host 172.16.6.200
permit ip any host 172.16.4.1
permit ip host 172.16.4.1 any
ip access-list extended CPEs-TO-R3
permit ip host 172.16.4.200 any
permit ip any host 172.16.4.200
!
access-list 99 permit 77.93.235.238
access-list 99 permit 172.16.0.0 0.0.1.255
route-map PBR permit 100
match ip address CPEs-TO-R1
set ip next-hop 172.16.0.1
!
route-map PBR permit 300
match ip address CPEs-TO-R3
set ip next-hop 172.16.0.243
!
snmp-server community public RO 99
snmp-server location HQ xxxxxx
snmp-server contact xxxxxxxxx
snmp ifmib ifindex persist
!
control-plane
!
!
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login
!
ntp server 192.43.244.18
end
Last edited by maggiore81 on Mon 19 Dec 2011, 10:04 am, edited 1 time in total.
Dott. Spadoni
Network Administrator
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Province of GE

OK.
You need to create VACLs.

Unfortunately, since I don't work with switches, I only know them in theory.

Have a good day
Paolo
No leaf falls that the unconscious does not will (S.B.)
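An added configuration example for the 3550 in the config above (it is not from this thread or from either poster), showing both a router ACL on the SVI and the VACL that paolomat75 mentions. The ACL and access-map names are made up; the addresses are the ones in the posted config, and the policy (VLAN 2 may reach the default network and the outside, but not VLAN 4 or VLAN 6) is assumed for illustration.

```cisco
! Option A: router ACL on the SVI. "in" on interface Vlan2 means packets
! entering the switch from VLAN 2 hosts, i.e. traffic leaving VLAN 2 toward
! the other VLANs. It is evaluated before the PBR route-map on the same SVI.
ip access-list extended VLAN2-OUTBOUND
 remark drop inter-VLAN traffic to VLAN 4 and VLAN 6; log hits for detection
 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
 deny   ip 172.16.2.0 0.0.0.255 172.16.6.0 0.0.0.255 log
 permit ip 172.16.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan2
 ip access-group VLAN2-OUTBOUND in
!
! Option B: a VACL (VLAN access map). It applies to every packet in the
! VLAN, bridged and routed, and anything not matched by a sequence is
! dropped, so a final "forward" sequence with no match clause is needed.
ip access-list extended VLAN2-TO-OTHERS
 permit ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.16.6.0 0.0.0.255
!
vlan access-map VLAN2-FILTER 10
 match ip address VLAN2-TO-OTHERS
 action drop
vlan access-map VLAN2-FILTER 20
 action forward
!
vlan filter VLAN2-FILTER vlan-list 2
!
! Verification: hit counters on the router ACL, and the map/VLAN binding.
show ip access-lists VLAN2-OUTBOUND
show vlan access-map
show vlan filter
```

Use one option or the other, not both, and test from a VLAN 2 host toward a VLAN 4 host before relying on it; the `log` keyword sends matching packets to the CPU, so keep it only on the deny lines you actually want to watch.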
maggiore81
Cisco pathologically enlightened user
Posts: 216
Joined: Thu 15 Feb 2007, 8:34 pm
Location: Ravenna - ITALY -

Good morning Paolo, thanks for your info.

I'll now go and look into that topic; in the meantime, if there is anyone on the forum who is familiar with it and would like to give me an example, I'd be very grateful.

See you soon
Dott. Spadoni
Network Administrator