Lab description:
There are three VLANs: VLAN40, VLAN20 and VLAN10.
Requirements:
VLAN40 can access VLAN20 and VLAN10, but VLAN10 and VLAN20 cannot access VLAN40.
VLAN20 can access VLAN10, but VLAN10 cannot access VLAN20.
sw#show run
!
version 12.3
!
hostname sw
!
no ip domain lookup
!
interface FastEthernet0/0
switchport access vlan 40
no ip address
!
interface FastEthernet0/1
switchport access vlan 10
no ip address
!
interface FastEthernet0/2
switchport access vlan 20
no ip address
!
!
interface Vlan10
ip address 1.1.1.1 255.0.0.0
ip access-group vlan10 in
!
interface Vlan20
ip address 2.2.2.1 255.0.0.0
ip access-group vlan20 in
!
interface Vlan30
ip address 3.3.3.1 255.0.0.0
!
interface Vlan40
ip address 4.4.4.1 255.0.0.0
ip access-group vlan40 in
!
ip http server
ip classless
!
!
!
ip access-list extended vlan10
evaluate vlan100
deny ip 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255
deny ip 1.0.0.0 0.255.255.255 2.0.0.0 0.255.255.255
permit ip any any
ip access-list extended vlan20
evaluate vlan200
deny ip 2.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255
permit ip 2.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255 reflect vlan100
permit ip any any
ip access-list extended vlan40
permit ip 4.0.0.0 0.255.255.255 2.0.0.0 0.255.255.255 reflect vlan200
permit ip 4.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255 reflect vlan100
!
!
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
End
Note:
permit ip 4.0.0.0 0.255.255.255 2.0.0.0 0.255.255.255 reflect vlan200
evaluate vlan200
The meaning of these two commands:
The former permits the 4.0.0.0 network to access the 2.0.0.0 network. The keyword reflect marks this as a one-way connection and is used together with the keyword evaluate: the Layer 3 switch recognises the traffic returning from 2.0.0.0 for that session and lets it through.
deny ip 2.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255
Traffic actively initiated from 2.0.0.0 is denied.
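To check that the three ACLs above actually meet the stated requirements, here is an added example (written for this page, not code from the lab or from Cisco IOS) that simulates reflexive ACL evaluation in Python. The ACL entries are copied from the configuration; the host addresses, port numbers, the packet sequence and the rule that a packet enters the SVI of its source network are all constructed assumptions. Real IOS reflexive entries also expire (the global `ip reflexive-list timeout`, 300 seconds by default) and TCP entries are removed on FIN/RST; the simulation keeps them for the whole run.

```python
"""Stateful simulation of the lab's reflexive ACLs (added example, not from the page)."""
import ipaddress

# Temporary entries created by "reflect": list name -> set of mirrored 5-tuples.
reflexive = {"vlan100": set(), "vlan200": set()}

# ACL entries taken from the configuration. Each entry is either
# ("evaluate", list_name) or (action, src_net, dst_net, reflect_list_or_None).
ACLS = {
    "vlan10": [("evaluate", "vlan100"),
               ("deny", "1.0.0.0/8", "4.0.0.0/8", None),
               ("deny", "1.0.0.0/8", "2.0.0.0/8", None),
               ("permit", "0.0.0.0/0", "0.0.0.0/0", None)],
    "vlan20": [("evaluate", "vlan200"),
               ("deny", "2.0.0.0/8", "4.0.0.0/8", None),
               ("permit", "2.0.0.0/8", "1.0.0.0/8", "vlan100"),
               ("permit", "0.0.0.0/0", "0.0.0.0/0", None)],
    "vlan40": [("permit", "4.0.0.0/8", "2.0.0.0/8", "vlan200"),
               ("permit", "4.0.0.0/8", "1.0.0.0/8", "vlan100")],
    # Vlan30 has no ip access-group, so no ACL is listed for it.
}

# Constructed assumption: a packet from network X enters the switch on interface VlanX,
# which is where the "ip access-group ... in" for that VLAN is applied.
INGRESS_ACL = {"1.0.0.0/8": "vlan10", "2.0.0.0/8": "vlan20", "4.0.0.0/8": "vlan40"}


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def ingress_acl(src):
    for net, name in INGRESS_ACL.items():
        if in_net(src, net):
            return name
    return None  # e.g. VLAN30: no inbound ACL on that SVI


def filter_packet(pkt):
    """Return 'permit' or 'deny' for a 5-tuple dict and update reflexive state."""
    name = ingress_acl(pkt["src"])
    if name is None:
        return "permit"  # interface without an access-group filters nothing
    for entry in ACLS[name]:
        if entry[0] == "evaluate":
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if key in reflexive[entry[1]]:
                return "permit"  # return traffic of a reflected session
            continue
        action, src_net, dst_net, reflect_list = entry
        if in_net(pkt["src"], src_net) and in_net(pkt["dst"], dst_net):
            if action == "permit" and reflect_list:
                # "reflect": record the mirrored 5-tuple so the reply can be evaluated
                reflexive[reflect_list].add(
                    (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def simulate():
    """Run the constructed packet sequence and return {scenario: verdict}."""
    reflexive["vlan100"].clear()
    reflexive["vlan200"].clear()
    h10, h20, h30, h40 = "1.1.1.10", "2.2.2.10", "3.3.3.10", "4.4.4.10"  # constructed hosts

    def pkt(src, sport, dst, dport):
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}

    results = {}
    results["40->20 request"] = filter_packet(pkt(h40, 40001, h20, 80))
    results["20->40 reply"] = filter_packet(pkt(h20, 80, h40, 40001))
    results["20->40 unsolicited"] = filter_packet(pkt(h20, 40002, h40, 22))
    results["20->10 request"] = filter_packet(pkt(h20, 40003, h10, 80))
    results["10->20 reply"] = filter_packet(pkt(h10, 80, h20, 40003))
    results["10->20 unsolicited"] = filter_packet(pkt(h10, 40004, h20, 22))
    results["40->10 request"] = filter_packet(pkt(h40, 40005, h10, 443))
    results["10->40 reply"] = filter_packet(pkt(h10, 443, h40, 40005))
    results["10->40 unsolicited"] = filter_packet(pkt(h10, 40006, h40, 22))
    # The vlan40 ACL has no "permit ip any any", so VLAN40 cannot reach VLAN30 at all.
    results["40->30 request"] = filter_packet(pkt(h40, 40007, h30, 80))
    return results


if __name__ == "__main__":
    for scenario, verdict in simulate().items():
        print(f"{scenario:22s} {verdict}")
```

The run shows each requirement holding: every request in the allowed direction is permitted, its reply is permitted only because the mirrored 5-tuple was recorded by reflect and matched by evaluate, and an unsolicited packet in the forbidden direction (different ports, no reflexive entry) hits the deny line. The last scenario is the caveat worth knowing before deploying this configuration: because the vlan40 list ends without a permit any any, VLAN40 hosts are cut off from VLAN30 and from anything else not explicitly listed.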