A question for the experts: I asked earlier how to stop the PCs on VLAN 192.168.53.xx from getting onto the Internet, but when I went on site I found the 53.xx PCs can still ping HiNet and Google DNS. The config is below; please advise, thanks.
!Current Configuration:
!Software Capability "Stack Limit = 8, VLAN Limit = 1024"
!Image File "N3000AdvLitev6.5.3.3"
!System Description "Dell EMC Networking N3024EF-ON, 6.5.3.3, Linux 3.6.5-e3cd5a07, v1.0.5"
!System Software Version 6.5.3.3
!
configure
vlan 52,55
exit
vlan 52
name "IPCAM"
exit
vlan 55
name "Management"
exit
hostname "N3024F"
slot 1/0 2 ! Dell EMC Networking N3024F
slot 2/0 13 ! Dell EMC Networking N3024EF-ON
sntp unicast client enable
sntp server 220.130.158.52
sntp server 118.163.81.62
clock timezone 8 minutes 0
stack
member 1 2 ! N3024F
member 2 9 ! N3024EF-ON
exit
ip access-list BLOCK_53_TO_INTERNET
1000 deny ip 192.168.53.0 0.0.0.255 192.168.50.11 0.0.0.0
1010 permit every
exit
ip routing
interface vlan 1
ip address 192.168.50.254 255.255.255.0
ip address 192.168.51.254 255.255.255.0 secondary
ip address 192.168.53.254 255.255.255.0 secondary
ip access-group BLOCK_53_TO_INTERNET in 1
exit
interface vlan 52
ip address 192.168.52.254 255.255.255.0
ip address 192.168.10.254 255.255.255.0 secondary
exit
interface vlan 55
ip address 192.168.55.254 255.255.255.0
exit
ip access-group BLOCK_53_TO_INTERNET in 1
This line says which access-group is applied:
ip access-list BLOCK_53_TO_INTERNET
1000 deny ip 192.168.53.0 0.0.0.255 192.168.50.11 0.0.0.0
1010 permit every
This only denies 192.168.53.0 from reaching 192.168.50.11;
everything else is permitted,
so it does not stop them from getting onto the Internet.
1001 deny ip 192.168.53.0 0.0.0.255 any (before adding this, if they need to reach other subnets you have to permit those first)
192.168.50.11 is the DNS/gateway, right?
You assume that using an ACL to stop the PCs from reaching the gateway means they cannot get online; that application is wrong,
because an ACL operates at the IP layer, while handing an Internet-bound packet to the gateway is a Layer 2 matter,
and an ACL has no effect at Layer 2.
If you really must use an ACL to achieve this, the direction should be OUT; the commands are as follows:
ip access-list BLOCK_53_TO_INTERNET
1001 permit ip 192.168.53.0 0.0.0.255 192.168.0.0 0.0.255.255
1010 deny ip 192.168.53.0 0.0.0.255 every
exit
interface vlan 1
ip access-group BLOCK_53_TO_INTERNET out
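As an added illustration of the two replies (example code, not posted by anyone in the thread), here is a small Python model of first-match ACL evaluation with wildcard masks, run over the original ACL and the proposed replacement. It assumes standard ACL semantics: entries are evaluated in sequence order, the first match wins, and the list ends with an implicit deny.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' / 'every' expressed as a wildcard pair


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask as used in the ACL: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _addr(tok, i):
    """Consume 'any'/'every' or '<address> <wildcard>' starting at tok[i]."""
    if tok[i] in ("any", "every"):
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text: str):
    """Parse numbered entries such as '1000 deny ip 192.168.53.0 0.0.0.255 192.168.50.11 0.0.0.0'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # skip 'ip access-list ...' and 'exit'
        seq, action = int(tok[0]), tok[1]
        if tok[2] == "every":  # 'permit every' / 'deny every'
            src = dst = ANY
        else:  # 'ip <src> <dst>'
            src, i = _addr(tok, 3)
            dst, _ = _addr(tok, i)
        entries.append((seq, action, src, dst))
    return sorted(entries)  # evaluated in sequence-number order


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny (assumed standard semantics)."""
    for _, action, s, d in acl:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


# The two lists exactly as they appear in the thread.
ORIGINAL = parse_acl("""
ip access-list BLOCK_53_TO_INTERNET
1000 deny ip 192.168.53.0 0.0.0.255 192.168.50.11 0.0.0.0
1010 permit every
exit
""")

PROPOSED = parse_acl("""
ip access-list BLOCK_53_TO_INTERNET
1001 permit ip 192.168.53.0 0.0.0.255 192.168.0.0 0.0.255.255
1010 deny ip 192.168.53.0 0.0.0.255 every
exit
""")
```

Running `evaluate(ORIGINAL, "192.168.53.10", "8.8.8.8")` returns "permit", which is why the 53.xx PCs can still reach Google DNS, while the proposed list denies it; note that the proposed list has no final permit entry, so traffic from other subnets (e.g. 192.168.50.20) falls through to the implicit deny.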