I want to separate the networks. I have 2 VLANs, 10.76.0.0 and 172.16.0.0, and I don't want them to be able to ping or talk to each other. Right now they can ping, e.g. computer 10.76.2.30 can ping 172.16.32.1. We need to separate them and not allow them to talk at all. This is the access list I currently have configured:
ip access-list standard 50
10 permit 192.168.0.0 0.0.255.255
20 permit 10.76.0.0 0.0.0.255
30 permit 10.233.4.0 0.0.1.255
40 permit 10.243.4.0 0.0.1.255
ip access-list extended 101
10 deny ip any 172.16.0.0 0.0.255.255
20 permit ip any any
And here is show ver on the switch:
Cisco IOS XE Software, Version 16.12.03a
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 28-Apr-20 09:37 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
BOOTLDR: System Bootstrap, Version 16.12.2r, RELEASE SOFTWARE (P)
HQ_9300 uptime is 1 year, 1 week, 4 days, 16 hours, 29 minutes
Uptime for this control processor is 1 year, 1 week, 4 days, 16 hours, 30 minutes
System returned to ROM by PowerOn at 12:53:02 UTC Mon Aug 17 2020
System image file is "flash:packages.conf"
Last reload reason: PowerOn
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Technology Package License Information:
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage
dna-advantage Subscription Smart License dna-advantage
AIR License Level: AIR DNA Advantage
Next reload AIR license Level: AIR DNA Advantage
Smart Licensing Status: REGISTERED/AUTHORIZED
cisco C9300-48P (X86) processor with 1343703K/6147K bytes of memory.
Processor board ID FJC2428T0DK
3 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
2 TwentyFive Gigabit Ethernet interfaces
2 Forty Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
1638400K bytes of Crash Files at crashinfo:.
11264000K bytes of Flash at flash:.
0K bytes of WebUI ODM Files at webui:.
Base Ethernet MAC Address :
Motherboard Assembly Number : 73-18274-05
Motherboard Serial Number :
Model Revision Number : A0
Motherboard Revision Number : A0
Model Number : C9300-48P
System Serial Number :
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 65 C9300-48P 16.12.3a CAT9K_IOSXE INSTALL
Configuration register is 0x102
I added it, and it still pings.
ping 10.76.2.30 routed 172.16.32.1
Does this ping succeed?
Hello,
Yes, I can ping 10.76.2.30 from 172.16.32.1, and vice versa.
I don't know what ACL 50 is supposed to do, but to meet your requirement:
ip access-list extended 101
10 deny ip 172.16.0.0 0.0.255.255 10.76.0.0 0.0.0.255
20 permit ip any any
Apply the above ACL inbound on the L3 interface for 172.16.0.x.
ip access-list extended 102
10 deny ip 10.76.0.0 0.0.0.255 172.16.0.0 0.0.255.255
20 permit ip any any
Apply the above ACL inbound on the L3 interface for 10.76.x.x.
Jon
It isn't working because the subnet is 10.76.2.0/24, not 10.76.0.0 as you originally said.
In the ACLs I provided in the last post, change:
10.76.0.0 0.0.0.255 to 10.76.2.0 0.0.0.255
Try again.
Jon
That worked, thanks.
Can I see show ip access-list?
Is the PC's default gateway the SVI IP address?
172.72.0.0/24 is not the same as 172.72.2.0/24.
Why?
The VLAN's SVI must be the same as the IP destination in the ACL.
show ip ACL
You will see the matches against permit any any, which indicates an error in the subnet/mask.
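As an added example (not code from the thread or from Cisco; written for this page): a small Python matcher that applies IOS wildcard-mask semantics to the ACL entries Jon posted, so you can see why `10.76.0.0 0.0.0.255` lets the OP's ping fall through to `permit ip any any` while `10.76.2.0 0.0.0.255` catches it, and how the per-entry match counters that `show ip access-lists` prints reveal the mistake. The ACL text and the test packet (10.76.2.30 to 172.16.32.1) are taken from the thread; the function names, the `Ace` class and the rendered output format are my own.

```python
"""Added example (not from the thread): an IOS-style extended-ACL matcher.

It parses ACL text, evaluates a packet the way the switch does (first
matching entry wins, implicit deny at the end) and counts hits per entry
like `show ip access-lists`. The two ACL bodies below are constructed
from the thread: ACL 102 as first posted, and as corrected by Jon.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the thread: the entry as posted and the corrected one.
ACL_102_AS_POSTED = """
ip access-list extended 102
 10 deny ip 10.76.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 20 permit ip any any
"""
ACL_102_FIXED = """
ip access-list extended 102
 10 deny ip 10.76.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 20 permit ip any any
"""

# Supports the ACE shapes used in the thread: "ip" protocol, with
# source/destination given as "any", "host A.B.C.D" or "A.B.C.D W.W.W.W".
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|host \S+|\S+ \S+)\s+"
    r"(any|host \S+|\S+ \S+)\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    hits: int = 0


def matches(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    10.76.0.0 0.0.0.255 therefore covers only 10.76.0.x: the third octet
    is compared, so 10.76.2.30 does not match it.
    """
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text: str) -> List[Ace]:
    """Parse 'ip access-list extended' text into entries ordered by sequence."""
    aces = []
    for line in text.strip().splitlines():
        if line.strip().startswith("ip access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        seq, action, src, dst = m.groups()
        aces.append(Ace(int(seq), action, src, dst))
    return sorted(aces, key=lambda e: e.seq)


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny (seq None)."""
    for ace in aces:
        if matches(src, ace.src) and matches(dst, ace.dst):
            ace.hits += 1
            return ace.action, ace.seq
    return "deny", None


def show_access_list(name: str, aces: List[Ace]) -> str:
    """Render entries with hit counts, in the style of `show ip access-lists`."""
    out = [f"Extended IP access list {name}"]
    for ace in aces:
        tail = f" ({ace.hits} matches)" if ace.hits else ""
        out.append(f"    {ace.seq} {ace.action} ip {ace.src} {ace.dst}{tail}")
    return "\n".join(out)


def wildcard_spec(prefix: str) -> str:
    """Turn a CIDR prefix into the 'network wildcard' pair an ACE expects."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


if __name__ == "__main__":
    src, dst = "10.76.2.30", "172.16.32.1"   # the OP's test ping
    for label, text in (("as posted", ACL_102_AS_POSTED), ("fixed", ACL_102_FIXED)):
        aces = parse_acl(text)
        action, seq = evaluate(aces, src, dst)
        print(f"ACL 102 {label}: {src} -> {dst} hits seq {seq} ({action})")
        print(show_access_list("102", aces))
    # If the whole 10.76.0.0/16 was meant rather than the /24, the wildcard differs:
    print(wildcard_spec("10.76.2.0/24"), "|", wildcard_spec("10.76.0.0/16"))
```

Run it as posted and the ping hits sequence 20 (`permit ip any any`), which is exactly the counter the last reply in the thread says to look for; with Jon's corrected entry it hits sequence 10 and is denied. `wildcard_spec` is there because the original question named the VLAN as 10.76.0.0: if that really meant the whole /16, the wildcard has to be 0.0.255.255, not 0.0.0.255.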