1. MAC-address-based access control problem: 麦子 and fellow experts, please come in and help take a look!
I set up MAC-based access control on our company's Cisco 4506, but after binding the list to port F3/27 it has no effect. Could you experts please take a look?

show run
Building configuration...

Current configuration : 10540 bytes
!
! Last configuration change at 10:25:11 Peking Tue Jun 13 2006
! NVRAM config last updated at 10:16:53 Peking Tue Jun 13 2006
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname SWSHFC45H01
!
enable password qdu
!
clock timezone Peking 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 64,66,68
ip dhcp snooping
ip arp inspection vlan 64,66,68
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
mac access-list extended teach
 permit host 0011.11cf.c4e0 any
 permit host 000f.eab7.3025 any
 permit host 000f.eab7.273e any
 permit host 000f.eab6.d2df any
 permit host 000f.eab6.b547 any
 permit host 000f.eab6.8ca9 any
 permit host 000f.fac3.0d4d any
 permit host 000f.eab7.6b26 any
 permit host 0010.5cf8.25eb any
 permit host 0011.11cf.74b0 any
 permit host 0011.11cf.c4be any
 permit host 0011.11cf.e600 any
 permit host 0011.11cf.e25d any
 permit host 000f.eab7.2780 any
 permit host 0010.5cf8.c22d any
 permit host 000f.eab6.b6db any
 permit host 0011.11cf.e32c any
 permit host 0013.2046.68e3 any
 permit host 0011.11cf.8cf9 any
 permit host 0010.5cf6.f2b6 any
 permit host 0011.1110.fc33 any
 permit host 0011.11cf.91d0 any
 permit host 0011.11cf.c6e1 any
 permit host 0013.2046.7369 any
 permit host 0011.11cf.e30e any
 permit host 0011.11cf.e2d1 any
 permit host 0010.5cf7.cdcf any
 permit host 0010.5cf7.c28f any
 permit host 0010.5cf6.f5b7 any
 permit host 0010.5cf6.ff99 any
 permit host 0010.5cf7.ce0e any
 permit host 0010.5cf7.c1e0 any
 permit host 0010.5cf7.cf38 any
 permit host 0010.5cf6.fafa any
 permit host 0010.5cf6.f575 any
 permit host 0010.5cf7.caa5 any
 permit host 0013.2046.11a5 any
 permit host 0013.2046.6443 any
 permit host 0013.2046.684f any
 permit host 0013.2046.743e any
 permit host 0013.2046.5f9f any
 permit host 0013.2046.7435 any
 permit host 0011.115e.6ce9 any
 permit host 000f.eab7.2f62 any
 permit host 000f.eab7.2de9 any
 permit host 000f.eab6.8cea any
 permit host 000f.eab7.6b9f any
 permit host 000f.eab6.6113 any
 permit host 000f.eab6.d02b any
 permit host 000f.eab6.8bbf any
 permit host 000f.eab6.d0bf any
 permit host 0013.2046.653c any
 permit host 0011.11cf.e347 any
 permit host 0010.5cf6.5c98 any
 permit host 0011.11cf.750a any
 permit host 0010.5cf6.fab9 any
 permit host 000f.eab6.d232 any
 permit host 0010.5cf7.9d34 any
 permit host 000f.eab6.cf89 any
 permit host 0011.11cf.c752 any
 permit host 000f.eab6.b55a any
 permit host 000c.769d.b2da any
 permit host 000c.769e.d01f any
 permit host 0013.2046.7461 any
 permit host 0013.2046.62a0 any
 permit host 0013.2008.790f any
 permit host 0013.2046.676f any
 permit host 0010.5cfd.5de2 any
 permit host 0011.09fa.c8e5 any
 permit host 0011.09f5.3e31 any
 permit host 0010.5cfd.5df5 any
 permit host 0011.09f5.3b0d any
 permit host 0011.09f5.3e3f any
 permit host 0011.11cf.94e4 any
 permit host 0011.11cf.c7ef any
 permit host 0013.2046.60f4 any
 permit host 0013.2046.73f3 any
 permit host 0013.2046.7301 any
 permit host 0013.2046.74ec any
 permit host 0013.2046.674f any
 permit host 0011.11cf.b2a5 any
 permit host 0013.2046.66f1 any
 permit host 0010.5cf7.a28b any
 permit host 00e0.4c39.352d any
 permit host 0010.5cf7.c647 any
 permit host 0010.5cf7.16e8 any
 permit host 0010.5cf7.9ec0 any
 permit host 0010.5cf7.a4e9 any
 permit host 0010.5cf7.cf24 any
 permit host 0010.5cf7.9ddc any
 permit host 0010.5cf7.cb46 any
 permit host 0010.5cf7.91ee any
 permit host 0010.5cf7.cfea any
 permit host 000f.eab6.cf4f any
 permit host 000f.eab7.2dce any
 permit host 000f.eab6.621d any
 permit host 000f.eab7.69fe any
 permit host 000f.eab7.277d any
 permit host 0010.5cfe.2514 any
 permit host 0010.5cf8.2861 any
 permit host 000f.eab7.3275 any
!
!
!
vlan internal allocation policy ascending
!
interface Loopback0
 ip address 10.0.6.1 255.255.255.255
!
interface GigabitEthernet1/1
 no switchport
 ip address 10.6.100.2 255.255.255.252
!
interface GigabitEthernet1/2
 no switchport
 ip address 10.6.100.6 255.255.255.252
!
interface GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet2/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet2/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet2/4
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet2/5
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface GigabitEthernet2/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 64,66,68
 switchport mode trunk
 ip arp inspection trust
!
interface FastEthernet3/1
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/2
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/3
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/4
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/5
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/6
 switchport access vlan 961
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/7
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/8
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/9
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/10
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/11
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/12
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/13
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/14
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/15
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/16
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/17
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/18
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/19
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/20
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/21
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/22
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/23
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/24
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/25
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/26
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/27
 switchport access vlan 64
 switchport mode access
 mac access-group teach in
!
interface FastEthernet3/28
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/29
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/30
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/31
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/32
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/33
 switchport access vlan 66
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/34
 switchport access vlan 66
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/35
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface FastEthernet3/36
 switchport access vlan 64
 switchport mode access
 ip arp inspection trust
!
interface Vlan1
 ip address 10.6.0.1 255.255.255.240
!
interface Vlan64
 ip address 10.6.5.254 255.255.254.0
 ip access-group virus-prevent in
 ip access-group virus-prevent out
 ip helper-address 10.0.101.1
 ip helper-address 10.0.101.2
!
interface Vlan66
 ip address 10.6.7.254 255.255.254.0
 ip access-group virus-prevent in
 ip access-group virus-prevent out
 ip helper-address 10.0.101.1
 ip helper-address 10.0.101.2
!
interface Vlan68
 ip address 10.6.9.254 255.255.254.0
 ip access-group virus-prevent in
 ip access-group virus-prevent out
 ip helper-address 10.0.101.1
 ip helper-address 10.0.101.2
!
interface Vlan961
 ip address 10.0.116.126 255.255.255.224
!
router ospf 100
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 network 0.0.0.0 255.255.255.255 area 6
!
no ip http server
!
!
!
ip access-list extended virus-prevent
 deny tcp any any eq 135
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-ss
 deny tcp any any range 137 139
 deny udp any any eq netbios-ss
 deny tcp any any eq 445
 deny udp any any eq 445
 deny tcp any any eq 593
 deny udp any any eq 593
 deny udp any any eq 1434
 deny udp any any eq 4000
 deny tcp any any eq 4444
 permit ip any any
!
logging 1.1.1.10
!
snmp-server community qdu_public RO
snmp-server community qdu_private RW
snmp-server enable traps tty
snmp-server enable traps vtp
snmp-server enable traps config
snmp-server enable traps copy-config
snmp-server enable traps bridge
snmp-server host 1.1.1.10 qdu_private
!
!
line con 0
 stopbits 1
line vty 0 4
 password qdu
 login
!
ntp clock-period 17179484
ntp peer 10.6.100.1
end

SWSHFC45H01#
2. Re: MAC-address-based access control problem: 麦子 and fellow experts, please come in and help take a look!...
That really is a lot of entries...
3. Re: MAC-address-based access control problem: 麦子 and fellow experts, please come in and help take a look!...
Layer 2 and Layer 3 access control lists cannot be supported at the same time. Remove the inbound access-list on interface vlan 64 and try again.

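The condition reply 3 points at (a port with an inbound MAC ACL inside a VLAN whose SVI also carries an inbound IP ACL) can be checked mechanically against a saved `show run`. The Python script below is an added example, not part of the original thread; `parse_interfaces`, `find_l2_l3_overlap` and the trimmed `SAMPLE_CONFIG` are hypothetical names and constructed input based on the configuration posted above.

```python
import re

# Constructed sample: a trimmed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
mac access-list extended teach
 permit host 0011.11cf.c4e0 any
!
interface FastEthernet3/27
 switchport access vlan 64
 mac access-group teach in
!
interface FastEthernet3/28
 switchport access vlan 64
 ip arp inspection trust
!
interface Vlan64
 ip access-group virus-prevent in
 ip access-group virus-prevent out
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return blocks

def find_l2_l3_overlap(config):
    """Ports with an inbound MAC ACL whose access VLAN's SVI has an inbound IP ACL."""
    ifs = parse_interfaces(config)
    hits = []
    for port, cmds in ifs.items():
        text = "\n".join(cmds)
        mac = re.search(r"^mac access-group (\S+) in$", text, re.M)
        vlan = re.search(r"^switchport access vlan (\d+)$", text, re.M)
        svi = "\n".join(ifs.get("Vlan" + vlan.group(1), [])) if vlan else ""
        ip = re.search(r"^ip access-group (\S+) in$", svi, re.M)
        if mac and ip:
            hits.append((port, mac.group(1), int(vlan.group(1)), ip.group(1)))
    return hits

if __name__ == "__main__":
    print(find_l2_l3_overlap(SAMPLE_CONFIG))
```

Re-running it on the configuration saved after the suggested change shows whether any port still matches.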
4. Re: MAC-address-based access control problem: 麦子 and fellow experts, please come in and help take a look!...
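Last time I set up a MAC-based ACL on a 3550, and found that once applied it could only block access within the local subnet, while access across subnets still worked. Frustrating!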