路由器通过以太网的子口建立与下连交换机TRUNK口相连。
要求管理VLAN可以访问其它业务VLAN、办公VLAN、财务VLAN、家庭网VLAN,但是其它VLAN不可以访问管理VLAN。
下面把路由器上的配置附上:
ip access-list extended infilter
evaluate mppacket
deny ip 10.54.16.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.31.0 0.0.0.255
permit ip any any
exit
ip access-list extended outfilter
permit ip any any reflect mppacket
exit
interface fastethernet0
ip address 10.255.49.2 255.255.255.252
exit
interface fastethernet1
exit
interface fastethernet1.1
description Guanli
ip address 10.54.31.254 255.255.255.0
encapsulation dot1q 1
exit
interface fastethernet1.2
description Yewu
ip address 10.54.17.254 255.255.255.0
encapsulation dot1q 2
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.3
description Bangong
ip address 10.54.16.254 255.255.255.0
encapsulation dot1q 3
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.4
description Caiwu
ip address 10.54.18.254 255.255.255.0
encapsulation dot1q 4
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.5
description Jiating
ip address 10.54.19.254 255.255.255.0
encapsulation dot1q 5
ip access-group outfilter out
ip access-group infilter in
exit
ip route 0.0.0.0 0.0.0.0 10.255.49.1文章录入:csh 责任编辑:csh
以上就是【VLAN 之间的访问控制】的全部内容了,欢迎留言评论进行交流!