Lab description:
In this lab, SW-3 is a Layer 3 switch on which three VLANs are defined: VLAN10, VLAN20 and VLAN40. VLAN10 connects to PC1, VLAN40 connects to PC2, and VLAN20 connects to R1; R1 connects to R2, with IP addresses as shown in the figure. R2 simulates the external network and R1 simulates the internal network's edge router. NAT is configured on R1 so that inside users leave through the IP address of R1's outside interface E1/0. A further requirement is that VLAN40 may access VLAN10, but VLAN10 may not access VLAN40.
Sw-3#show run
version 12.3
!
hostname sw-3
!
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
!
interface FastEthernet0/0
switchport access vlan 40
no ip address
!
interface FastEthernet0/1
switchport access vlan 10
no ip address
!
interface FastEthernet0/2
switchport access vlan 20
no ip address
!
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 1.1.1.1 255.0.0.0
!
interface Vlan20
ip address 2.2.2.1 255.0.0.0
!
interface Vlan40
ip address 4.4.4.1 255.0.0.0
ip access-group vlan40 out
!
ip http server
ip classless
ip route 3.0.0.0 255.0.0.0 2.2.2.2
!
!
!
ip access-list extended vlan40
permit tcp 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255 established
permit icmp 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255 echo-reply
deny ip 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255
permit ip any any
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport preferred all
transport output all
line vty 0 4
!
end
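The one-way access requirement is carried entirely by the extended ACL `vlan40` applied outbound on interface Vlan40: packets heading toward VLAN40 hosts from 1.0.0.0/8 pass only if they are TCP segments with ACK or RST set (`established`) or ICMP echo replies, everything else from VLAN10 is denied, and all other sources are permitted. The following Python simulation is an added example, not part of the original lab: it implements IOS wildcard-mask matching, the `established` flag test and first-match-wins evaluation, then runs the four ACEs over constructed sample packets. The host addresses 1.1.1.10 and 4.4.4.10 and the names `Packet`, `Ace`, `evaluate` and `lab_cases` are this example's assumptions.

```python
"""Stateless simulation of the extended ACL 'vlan40' from the SW-3 config.

Added example, not part of the original lab. Packet contents and helper
names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    icmp_type: Optional[str] = None      # "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-control entry; 'any' is written as 0.0.0.0 / 255.255.255.255."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    established: bool = False       # IOS keyword: match TCP segments with ACK or RST set
    icmp_type: Optional[str] = None


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard mask: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    # 'established' only looks at TCP flags; it keeps no connection state.
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The four entries of 'ip access-list extended vlan40', applied outbound on
# interface Vlan40, i.e. to traffic leaving the switch toward VLAN40 hosts.
ANY = ("0.0.0.0", "255.255.255.255")
VLAN40_ACL = [
    Ace("permit", "tcp", "1.0.0.0", "0.255.255.255", "4.0.0.0", "0.255.255.255", established=True),
    Ace("permit", "icmp", "1.0.0.0", "0.255.255.255", "4.0.0.0", "0.255.255.255", icmp_type="echo-reply"),
    Ace("deny", "ip", "1.0.0.0", "0.255.255.255", "4.0.0.0", "0.255.255.255"),
    Ace("permit", "ip", *ANY, *ANY),
]


def lab_cases() -> dict:
    """Constructed sample packets; host addresses are assumed, not from the lab."""
    pc1, pc2, outside = "1.1.1.10", "4.4.4.10", "3.3.3.2"
    cases = {
        "pc1_syn_to_pc2":     Packet("tcp", pc1, pc2, frozenset({"SYN"})),      # new session from VLAN10
        "pc1_ack_to_pc2":     Packet("tcp", pc1, pc2, frozenset({"ACK"})),      # reply to a VLAN40-initiated session
        "pc1_ping_pc2":       Packet("icmp", pc1, pc2, icmp_type="echo"),
        "pc1_reply_to_pc2":   Packet("icmp", pc1, pc2, icmp_type="echo-reply"),
        "pc1_udp_to_pc2":     Packet("udp", pc1, pc2),
        "outside_syn_to_pc2": Packet("tcp", outside, pc2, frozenset({"SYN"})),
    }
    return {name: evaluate(VLAN40_ACL, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in lab_cases().items():
        print(f"{name:20s} -> {verdict}")
```

Running it shows the intended asymmetry: PC1's SYN, ping and UDP toward PC2 are denied, while the ACK segment and the echo reply that PC2's own sessions elicit are permitted, and traffic from outside 1.0.0.0/8 falls through to `permit ip any any`. The caveat the `ace_matches` comment points at matters operationally: `established` is a flag check, not a state table, so any segment from 1.0.0.0/8 carrying ACK or RST is accepted whether or not a session exists; where that is not acceptable, a reflexive ACL or a stateful firewall feature is the stronger control.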
r1#show run
!
version 12.3
!
hostname r1
!
no ip domain lookup
!
ip cef
!
interface FastEthernet0/0
ip address 2.2.2.2 255.0.0.0
ip nat inside
duplex full
!
interface Ethernet1/0
ip address 3.3.3.1 255.0.0.0
ip nat outside
duplex half
!
!
ip nat inside source list 1 interface Ethernet1/0 overload
ip classless
ip route 1.0.0.0 255.0.0.0 2.2.2.1
ip route 4.0.0.0 255.0.0.0 2.2.2.1
!
access-list 1 permit any
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
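R1's `ip nat inside source list 1 interface Ethernet1/0 overload` rewrites the source of every packet selected by `access-list 1` to 3.3.3.1 and distinguishes concurrent flows by allocating a global port per inside (address, port) pair; R2 has no routes to 1.0.0.0/8 or 4.0.0.0/8, so replies only come back because of that rewrite. The following Python simulation is an added example, not the lab's own code: it models the PAT table in both directions and shows that an inbound packet with no table entry has no inside host to reach. Addresses of the two PCs, the port numbers, the sequential global-port allocator (real IOS tries to keep the original source port first) and the names `Flow`, `PatRouter`, `inside_prefixes_only` and `demo` are this example's assumptions.

```python
"""PAT (NAT overload) simulation of R1's outside interface 3.3.3.1.

Added example, not part of the original lab. Host addresses, ports and the
class names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def inside_prefixes_only(ip: str) -> bool:
    """Tighter alternative to the lab's 'access-list 1 permit any':
    translate only sources from the two inside subnets behind SW-3."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(n) for n in ("1.0.0.0/8", "4.0.0.0/8"))


class PatRouter:
    """Port address translation onto a single outside interface address."""

    def __init__(self, outside_ip: str, nat_acl: Callable[[str], bool], first_port: int = 1024):
        self.outside_ip = outside_ip
        self.nat_acl = nat_acl          # emulates the standard ACL named by 'source list'
        self.next_port = first_port     # simplification: sequential allocation
        self.by_inside: Dict[Tuple[str, str, int], int] = {}        # (proto, inside ip, inside port) -> global port
        self.by_global: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, global port) -> (inside ip, inside port)

    def inside_to_outside(self, f: Flow) -> Flow:
        """Packet entering on 'ip nat inside' and leaving on 'ip nat outside'."""
        if not self.nat_acl(f.src):
            return f                    # not selected by the ACL: forwarded untranslated
        key = (f.proto, f.src, f.sport)
        if key not in self.by_inside:
            gport = self.next_port
            self.next_port += 1
            self.by_inside[key] = gport
            self.by_global[(f.proto, gport)] = (f.src, f.sport)
        return Flow(f.proto, self.outside_ip, self.by_inside[key], f.dst, f.dport)

    def outside_to_inside(self, f: Flow) -> Optional[Flow]:
        """Packet arriving on the outside interface; None means no entry, so it is dropped."""
        if f.dst != self.outside_ip:
            return None
        entry = self.by_global.get((f.proto, f.dport))
        if entry is None:
            return None                 # unsolicited inbound: no inside host is addressable
        inside_ip, inside_port = entry
        return Flow(f.proto, f.src, f.sport, inside_ip, inside_port)


def demo() -> dict:
    """PC1 and PC2 both open a connection to R2 from the same source port."""
    r1 = PatRouter("3.3.3.1", inside_prefixes_only)
    out1 = r1.inside_to_outside(Flow("tcp", "1.1.1.10", 40000, "3.3.3.2", 80))
    out2 = r1.inside_to_outside(Flow("tcp", "4.4.4.10", 40000, "3.3.3.2", 80))
    reply = r1.outside_to_inside(Flow("tcp", "3.3.3.2", 80, "3.3.3.1", out1.sport))
    unsolicited = r1.outside_to_inside(Flow("tcp", "3.3.3.2", 12345, "3.3.3.1", 2222))
    return {"out1": out1, "out2": out2, "reply": reply,
            "unsolicited": unsolicited, "entries": len(r1.by_global)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

The two outbound flows share inside source port 40000 and are kept apart only by the distinct global ports the router assigns, which is what `overload` buys; the reply to PC1 is mapped back to 1.1.1.10:40000, while the packet aimed at an unused global port returns `None`. Replacing `permit any` with `inside_prefixes_only` mirrors a standard ACL that lists only 1.0.0.0 0.255.255.255 and 4.0.0.0 0.255.255.255, so packets with any other source address arriving on the inside interface are never translated.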
r2#show run
version 12.3
!
hostname r2
!
!
no ip domain lookup
!
ip cef
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 3.3.3.2 255.0.0.0
duplex half
!
!
ip classless
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
end