We have only just started learning networking, so here is a short write-up of what we learned today; criticism is welcome.
Topology:
Lab objectives:
(1) Step 1: create four VLANs and assign the corresponding ports to them.
(2) Step 2: enable the four VLANs to ping one another.
(3) Step 3: sales, tech, and manage cannot communicate with each other, but each can communicate with the server.
Implementation process:
Step 1: create the VLANs and assign the ports as follows:
Switch#vlan data
Switch(vlan)#vlan 10 name sales
VLAN 10 added:
    Name: sales
Switch(vlan)#vlan 20 name tech
VLAN 20 added:
    Name: tech
Switch(vlan)#vlan 30 name manage
VLAN 30 added:
    Name: manage
Switch(vlan)#vlan 40 name server
VLAN 40 added:
    Name: server
Switch(vlan)#
Switch(config)#int range fa 0/0-3
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#exit
Switch(config)#int range fa 0/4-6
Switch(config-if-range)#switchport access vlan 20
Switch(config-if-range)#exit
Switch(config)#int range fa 0/7-8
Switch(config-if-range)#switchport access vlan 30
Switch(config-if-range)#exit
Switch(config)#int fa 0/9
Switch(config-if)#switchport access vlan 40
Switch(config-if)#exit
View:
Switch#sh vlan-switch
VLAN Name             Status    Ports
---- ---------------- --------- -------------------------------
1    default          active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                Fa0/14, Fa0/15
10   sales            active    Fa0/1, Fa0/2, Fa0/3
20   tech             active    Fa0/4, Fa0/5, Fa0/6
30   manage           active    Fa0/7, Fa0/8
40   server           active    Fa0/9
1002 fddi-default     active
......
Step 2: enable the four VLANs to ping one another (trunk on the switch, one dot1Q subinterface per VLAN on the router)
Switch(config)#int fa 0/0
Switch(config-if)#switchport mode trunk
Router(config-if)#exit
Router(config)#int fa 0/0
Router(config-if)#no shut
Router(config-if)#no ip address
Router(config-if)#exit
Router(config)#int fa0/0.1
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 192.168.33.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.2
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 192.168.34.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.3
Router(config-subif)#encapsulation dot1Q 30
Router(config-subif)#ip address 192.168.35.1 255.255.255.0
Router(config-subif)#exit
Router(config)#int fa0/0.4
Router(config-subif)#encapsulation dot1Q 40
Router(config-subif)#ip address 192.168.36.1 255.255.255.0
Router(config-subif)#
View:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.33.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.34.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.35.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address 192.168.36.1 255.255.255.0
!
Test:
VPCS 1> sh
Name ip/CIDR GATEWAY LPORT RPORT
PC1 192.168.33.2/24 192.168.33.1 10001 21001
PC2 0.0.0.0/0 0.0.0.0 10002 21002
PC3 0.0.0.0/0 0.0.0.0 10003 21003
PC4 192.168.34.2/24 192.168.34.1 10004 21004
PC5 0.0.0.0/0 0.0.0.0 10005 21005
PC6 0.0.0.0/0 0.0.0.0 10006 21006
PC7 192.168.35.2/24 192.168.35.1 10007 21007
PC8 0.0.0.0/0 0.0.0.0 10008 21008
PC9 192.168.36.2/24 192.168.36.1 10009 21009
VPCS 1> ping 192.168.34.2
192.168.34.2 icmp_seq = 1 timeout
192.168.34.2 icmp_seq = 2 time = 45.000 MS
192.168.34.2 icmp_seq = 3 time = 47.000 MS
192.168.34.2 icmp_seq = 4 time = 43.000 MS
192.168.34.2 icmp_seq = 5 time = 8.000 MS
VPCS 1> ping 192.168.35.2
192.168.35.2 icmp_seq = 1 time = 43.000 MS
192.168.35.2 icmp_seq = 2 time = 14.000 MS
192.168.35.2 icmp_seq = 3 time = 8.000 MS
192.168.35.2 icmp_seq = 4 time = 10.000 MS
192.168.35.2 icmp_seq = 5 time = 12.000 MS
VPCS 1> ping 192.168.36.2
192.168.36.2 icmp_seq = 1 timeout
192.168.36.2 icmp_seq = 2 time = 47.000 MS
192.168.36.2 icmp_seq = 3 time = 6.000 MS
192.168.36.2 icmp_seq = 4 time = 10.000 MS
192.168.36.2 icmp_seq = 5 time = 43.000 MS
OK, this step is successful.
Step 3: implement the access restrictions
Router(config)#access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255
Router(config)#access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255
Router(config)#access-list 111 permit ip any any
Router(config)#
Router(config)#access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255
Router(config)#access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255
Router(config)#access-list 112 permit ip any any
Router(config)#
Router(config)#access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255
Router(config)#access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255
Router(config)#access-list 113 permit ip any any
Router(config)#int fa 0/0.1
Router(config-subif)#ip access-group 111 in
Router(config-subif)#exit
Router(config)#int fa 0/0.2
Router(config-subif)#ip access-group 112 in
Router(config-subif)#exit
Router(config)#int fa 0/0.3
Router(config-subif)#ip access-group 113 in
Router(config-subif)#exit
View:
Router(config)#do sh ip access-list
Extended IP access list 111
    10 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255
    20 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255
    30 permit ip any any
Extended IP access list 112
    10 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255
    20 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255
    30 permit ip any any
Extended IP access list 113
    10 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255
    20 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255
    30 permit ip any any
Router(config)#do sh run
......
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.33.1 255.255.255.0
 ip access-group 111 in
!
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.168.34.1 255.255.255.0
 ip access-group 112 in
!
interface FastEthernet0/0.3
 encapsulation dot1Q 30
 ip address 192.168.35.1 255.255.255.0
 ip access-group 113 in
!
interface FastEthernet0/0.4
 encapsulation dot1Q 40
 ip address 192.168.36.1 255.255.255.0
!
......
Test:
VPCS 1> ping 192.168.34.2
192.168.34.2 icmp_seq = 1 timeout
192.168.34.2 icmp_seq = 2 timeout
192.168.34.2 icmp_seq = 3 timeout
192.168.34.2 icmp_seq = 4 timeout
192.168.34.2 icmp_seq = 5 timeout
VPCS 1> ping 192.168.35.2
192.168.35.2 icmp_seq = 1 timeout
192.168.35.2 icmp_seq = 2 timeout
192.168.35.2 icmp_seq = 3 timeout
192.168.35.2 icmp_seq = 4 timeout
192.168.35.2 icmp_seq = 5 timeout
VPCS 1> ping 192.168.36.2
192.168.36.2 icmp_seq = 1 time = 14.000 MS
192.168.36.2 icmp_seq = 2 time = 39.000 MS
192.168.36.2 icmp_seq = 3 time = 10.000 MS
192.168.36.2 icmp_seq = 4 time = 14.000 MS
192.168.36.2 icmp_seq = 5 time = 6.000 MS
Switch to another PC and test again:
VPCS 1> 4
VPCS 4> ping 192.168.33.2
192.168.33.2 icmp_seq = 1 timeout
192.168.33.2 icmp_seq = 2 timeout
192.168.33.2 icmp_seq = 3 timeout
192.168.33.2 icmp_seq = 4 timeout
192.168.33.2 icmp_seq = 5 timeout
VPCS 4> ping 192.168.35.2
192.168.35.2 icmp_seq = 1 timeout
192.168.35.2 icmp_seq = 2 timeout
192.168.35.2 icmp_seq = 3 timeout
192.168.35.2 icmp_seq = 4 timeout
192.168.35.2 icmp_seq = 5 timeout
VPCS 4> ping 192.168.36.2
192.168.36.2 icmp_seq = 1 time = 17.000 MS
192.168.36.2 icmp_seq = 2 time = 47.000 MS
192.168.36.2 icmp_seq = 3 time = 39.000 MS
192.168.36.2 icmp_seq = 4 time = 40.000 MS
192.168.36.2 icmp_seq = 5 time = 47.000 MS
Now, all three steps have been completed, and all of them have achieved what I expected. Haha!
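The ping results above can be reproduced offline with a small model of how the router evaluates ACLs 111-113. This Python sketch is an added example, not part of the original post: it applies IOS first-match semantics with wildcard masks and the implicit deny, using the subnets and PC addresses from this lab; the function names are hypothetical.

```python
import ipaddress

# ACLs 111-113 as configured in step 3 (IOS extended-ACL syntax).
ACLS = {
    111: ["deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255",
          "deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255", "permit ip any any"],
    112: ["deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255",
          "deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255", "permit ip any any"],
    113: ["deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255",
          "deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255", "permit ip any any"],
}
# "ip access-group N in" per subinterface; fa0/0.4 (server VLAN) has no ACL.
INBOUND = {"192.168.33.0/24": 111, "192.168.34.0/24": 112, "192.168.35.0/24": 113}

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_rule(line):
    action, _proto, *rest = line.split()  # protocol is always "ip" in this lab
    return action, take_addr(rest), take_addr(rest)  # source first, then destination

def matches(addr, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_permits(lines, src, dst):
    for action, s, d in map(parse_rule, lines):
        if matches(src, s) and matches(dst, d):
            return action == "permit"  # first matching line wins
    return False  # implicit "deny ip any any" closes every IOS ACL

def forwarded(src, dst):
    for net, num in INBOUND.items():
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return acl_permits(ACLS[num], src, dst)  # ACL on the subinterface facing src
    return True  # no inbound ACL on that subinterface

def ping_ok(a, b):
    # A ping needs both the echo request (a -> b) and the echo reply (b -> a) to pass.
    return forwarded(a, b) and forwarded(b, a)
```

Dropping the final `permit ip any any` line from an ACL makes `acl_permits` return False for server traffic as well, because nothing matches before the implicit deny.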
This article is from the "bad boy" blog