Using ACLs on a Layer 3 switch to isolate VLANs from each other
Create three VLANs: vlan10, vlan20 and vlan30.
PC1 and PC3 belong to vlan10, PC2 and PC4 belong to vlan20, PC5 belongs to vlan30.
vlan10, vlan20 and vlan30 must not be able to reach one another, but each must still reach the external network.
PC1: 172.16.10.2, PC2: 172.16.20.2, PC3: 172.16.10.3, PC4: 172.16.20.3, PC5: 172.16.30.2
Configure R1
#int f0/0
#ip add 192.168.1.2 255.255.255.0   configure f0/0
#no sh
#int lo0
#ip add 1.1.1.1 255.255.255.0   configure a loopback address, used to test connectivity between each VLAN and the external network
#no sh
Configure static routes to each VLAN on the Layer 3 switch
#ip route 172.16.10.0 255.255.255.0 192.168.1.1
#ip route 172.16.20.0 255.255.255.0 192.168.1.1
#ip route 172.16.30.0 255.255.255.0 192.168.1.1
Configure SW1
#conf t
#ip routing   enable Layer 3 routing
#int f0/0
#no switch
#ip add 192.168.1.1 255.255.255.0
#no sh
#
#ip route 0.0.0.0 0.0.0.0 192.168.1.2   add a default route toward the external network
#
#vlan data
#vlan 10 name caiwu   create the VLANs
#vlan 20 name it
#vlan 30 name manager
#vtp server   set VTP server mode
#vtp domain cisco
#
#int range f0/1 - 2   configure the trunk ports
#sw mode trunk
#sw trunk en dot1q
#
#int f0/3   assign the port to vlan 30
#sw mode access
#sw access vlan 30
#
#int vlan 10   assign an address to each VLAN interface; these are the gateways of the respective subnets
#ip address 172.16.10.1 255.255.255.0
#int vlan 20
#ip address 172.16.20.1 255.255.255.0
#int vlan 30
#ip address 172.16.30.1 255.255.255.0
#
#access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255   create access lists 100, 101 and 102
#access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255
#access-list 100 permit ip any any
#access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
#access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
#access-list 101 permit ip any any
#access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
#access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
#access-list 102 permit ip any any
Note: in an inter-VLAN ACL, when the source address range is the IP segment of the VLAN interface the ACL is applied to, use the in direction; when the destination address range is the IP segment of that VLAN interface, use the out direction. An example:
Host 1.1.1.1 --- vlan10 (1.1.1.2) SW vlan20 (2.2.2.2) --- host 2.2.2.1
Deny host 1.1.1.1 access to 2.2.2.1
Method 1
access-list 100 deny ip host 1.1.1.1 host 2.2.2.1
access-list 100 permit ip any any
int vlan 10
ip access-group 100 in
Method 2
access-list 100 deny ip host 1.1.1.1 host 2.2.2.1
access-list 100 permit ip any any
int vlan 20
ip access-group 100 out
#int vlan 10   apply the access lists to the VLAN interfaces
#ip access-group 100 in
#int vlan 20
#ip access-group 101 in
#int vlan 30
#ip access-group 102 in
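As an added check that is not part of the original post, the following Python script parses access lists written in the form used above, evaluates them the way IOS does (first match wins, implicit deny at the end) with each list placed inbound on its VLAN interface as the note describes, and returns the decision for any source/destination pair. The ACL_TEXT copy, the VLAN_ACL mapping and all function names are constructed for this example.

```python
import ipaddress
# Constructed copy of the three SW1 access lists from the write-up (ACL 102's second entry denies 172.16.20.0, as the policy requires).
ACL_TEXT = """
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 102 permit ip any any
"""
# ACL applied "in" on each VLAN gateway interface (SVI) of SW1, as in the write-up.
VLAN_ACL = {"172.16.10.0/24": 100, "172.16.20.0/24": 101, "172.16.30.0/24": 102}

def _parse_addr(tokens):
    # One IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; ipaddress takes a contiguous wildcard (host mask) such as 0.0.0.255 directly as the mask.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    # {acl_number: [(action, src_net, dst_net), ...]}, entries kept in configured order
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the 'access-list N permit|deny ip SRC DST' form used on this page
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls

def evaluate(entries, src_ip, dst_ip):
    # First match wins; IOS ends every ACL with an implicit 'deny ip any any'.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def inbound_decision(acls, src_ip, dst_ip):
    # Decision for a packet entering SW1 on the source host's VLAN interface.
    for net, number in VLAN_ACL.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(net):
            return evaluate(acls[number], src_ip, dst_ip)
    return "permit"  # not arriving through a filtered SVI, e.g. replies coming back from R1
```

Feeding the script a version of ACL 102 whose second entry names 172.16.30.0 as the destination instead of 172.16.20.0 reports 172.16.30.2 -> 172.16.20.3 as permitted, which is how such a slip shows up before the list is pasted into a switch.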
Configure SW2
#int f0/0
#sw m trunk
#sw t en dot1q
#
#vlan data
#vtp client
#vtp domain cisco
#
#int f0/1
#sw m acce
#sw access vlan 10
#int f0/2
#sw m acce
#sw access vlan 20
#
SW3: same as above
Source: https://www.cnblogs.com/fjping0606/p/4573792.html