汇聚层交换机S57关键配置

S5750#sh run
vlan 1
!
vlan 2
!
vlan 3
!
vlan 4
!
ip access-list extended inter_vlan_access1 //不允许VLAN2和VLAN3的PC
互访
10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit ip any any
!
ip access-list extended inter_vlan_access2 //不允许VLAN3和VLAN2的PC
互访
10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip any any
!
interface GigabitEthernet 0/22
switchport mode trunk
ip access-group inter_vlan_access1 in //(可选)禁止VLAN间互访
!
interface GigabitEthernet 0/23
switchport mode trunk
ip access-group inter_vlan_access2 in //(可选)禁止VLAN间互访
!
interface GigabitEthernet 0/24
switchport mode trunk
!
interface VLAN 2
no ip proxy-arp
ip access-group inter_vlan_access1 in //禁止VLAN间互访，按照原则不使
用VACL
ip address 192.168.1.100 255.255.255.0
!
interface VLAN 3
no ip proxy-arp
ip access-group inter_vlan_access2 in //禁止VLAN间互访，按照原则不使
用VACL
ip address 192.168.2.100 255.255.255.0
!
interface VLAN 4
no ip proxy-arp
ip address 192.168.4.1 255.255.255.0
!
End

　　接入层交换机S26关键配置

S26_1#sh run
vlan 1
!
vlan 2
!
ip access-list standard 1 //一个接口只允许接入PC的IP地址为：192.168.
1.2
10 permit host 192.168.1.2
20 deny any
!
ip access-list standard 2//一个接口只允许接入PC的IP地址为：192.168.1.3
10 permit host 192.168.1.3
20 deny any
!
mac access-list extended 700 //一个接口只允许接入PC的MAC地址为：
0000.0000.0001
10 permit host 0000.0000.0001 any etype-any
20 deny any any etype-any
!
mac access-list extended 701 //一个接口只允许接入PC的MAC地址为：0000.
0000.0002
10 permit host 0000.0000.0002 any etype-any
20 deny any any etype-any
!
hostname S26_1
interface FastEthernet 0/1
switchport access vlan 2
ip access-group 1 in //每个接口只允许一个IP地址
!
interface FastEthernet 0/2
switchport access vlan 2
ip access-group 2 in //每个接口只允许一个IP地址
!
interface FastEthernet 0/3
switchport access vlan 2
mac access-group 700 in //(可选)每个接口只允许一个MAC地址
!
interface FastEthernet 0/4
switchport access vlan 2
mac access-group 701 in //(可选)每个接口只允许一个MAC地址

　　通过实际测试表明，锐捷交换机的ACL功能，可以有效防止病毒、防止恶意攻击、控制VLAN间数据流、控制服务器的访问、控制用户接入等，可以满足应用的需求。

　　（作者单位为集美大学网络中心）