access-list 11 deny 192.168.0.0 0.0.255.255
access-list 11 permit any
Enter VLAN 11:
ip access-group 11 out
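Apply access control list 11 to VLAN 11 in the OUT direction. Hosts within the finance department can reach each other, and can reach the server segment, the network printer segment, and the marketing department segment, but cannot reach the design department segment.
The design department (VLAN 12), the network printers (VLAN 13), and the servers (VLAN 20) can access any segment. Apply access control list access-list 110 in the in direction to block common virus ports.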
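The following is an added example, not part of the original configuration: a small Python evaluator that shows how the wildcard mask and first-match ordering of ACL 11 decide a packet's fate from its source address alone. The sample source addresses are constructed, because the page does not list the departments' subnets.

```python
import ipaddress

# ACL 11 exactly as it appears on the page.
ACL_11 = """\
access-list 11 deny 192.168.0.0 0.0.255.255
access-list 11 permit any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(config):
    """Return a list of (action, address, wildcard) entries in config order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        action, spec = tok[2], tok[3:]
        if spec[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif spec[0] == "host":
            addr, wild = _ip(spec[1]), 0        # exact host match
        else:
            addr = _ip(spec[0])
            wild = _ip(spec[1]) if len(spec) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = _ip(source)
    for action, addr, wild in entries:
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if (src | wild) == (addr | wild):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_standard_acl(ACL_11)
    # Constructed sample sources: inside 192.168.0.0/16, just outside it, unrelated.
    for sample in ("192.168.12.7", "192.169.0.1", "10.1.20.5"):
        print(sample, "->", evaluate(rules, sample))
```

Swapping the two entries makes `permit any` match first, so the deny line never takes effect; entry order is part of the policy.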
access-list 110 deny tcp any any eq 1068
access-list 110 deny tcp any any eq 2046
access-list 110 deny udp any any eq 2046
access-list 110 deny tcp any any eq 4444
access-list 110 deny udp any any eq 4444
access-list 110 deny tcp any any eq 1434
access-list 110 deny udp any any eq 1434
access-list 110 deny tcp any any eq 5554
access-list 110 deny tcp any any eq 9996
access-list 110 deny tcp any any eq 6881
access-list 110 deny tcp any any eq 6882