ip access-list extended V1_ACCESS_V2_V3
permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
! The next two entries are for testing: 172.16.1.1 can ping 172.16.2.1 and 172.16.3.1, but not the reverse.
permit icmp 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 echo-reply
permit icmp 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255 echo-reply
ip access-list extended V2_V3_ACCESS_V1
permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended Default
permit ip any any
vlan access-map PERMIT_V1_ACCESS_V2V3 10
match ip add V1_ACCESS_V2_V3
action forward
vlan access-map PERMIT_V1_ACCESS_V2V3 20
match ip add V2_V3_ACCESS_V1
action drop
vlan access-map PERMIT_V1_ACCESS_V2V3 30
match ip add Default
action forward
vlan filter PERMIT_V1_ACCESS_V2V3 vlan-list 1
If this does not work, define a separate VLAN map for VLAN 2 and for VLAN 3.
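An added example (not part of the original configuration): a small Python model of how the access map above is evaluated, assuming first-match processing of sequences 10, 20 and 30 and Cisco wildcard-mask matching; the function names and sample packets are hypothetical. It shows that only ICMP echo replies are forwarded back to 172.16.1.0/24, so return traffic of any other protocol from 172.16.2.0/24 or 172.16.3.0/24 hits sequence 20 and is dropped.

```python
import ipaddress

def wc_match(addr, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

V1, V2, V3, WC = "172.16.1.0", "172.16.2.0", "172.16.3.0", "0.0.0.255"
ANY = ("0.0.0.0", "255.255.255.255")

# ACE = (protocol, (src, wildcard), (dst, wildcard), icmp_type or None); all are permits.
ACLS = {
    "V1_ACCESS_V2_V3": [
        ("ip", (V1, WC), (V2, WC), None),
        ("ip", (V1, WC), (V3, WC), None),
        ("icmp", (V2, WC), (V1, WC), "echo-reply"),
        ("icmp", (V3, WC), (V1, WC), "echo-reply"),
    ],
    "V2_V3_ACCESS_V1": [
        ("ip", (V2, WC), (V1, WC), None),
        ("ip", (V3, WC), (V1, WC), None),
    ],
    "Default": [("ip", ANY, ANY, None)],
}
# Access-map sequences in evaluation order: (sequence, ACL name, action).
ACCESS_MAP = [(10, "V1_ACCESS_V2_V3", "forward"),
              (20, "V2_V3_ACCESS_V1", "drop"),
              (30, "Default", "forward")]

def ace_hits(ace, proto, src, dst, icmp_type):
    a_proto, a_src, a_dst, a_type = ace
    return (a_proto in ("ip", proto)
            and wc_match(src, *a_src) and wc_match(dst, *a_dst)
            and a_type in (None, icmp_type))

def evaluate(proto, src, dst, icmp_type=None):
    """Return (sequence, action) of the first map entry whose ACL permits the packet."""
    for seq, acl, action in ACCESS_MAP:
        if any(ace_hits(ace, proto, src, dst, icmp_type) for ace in ACLS[acl]):
            return seq, action
    return None, "drop"  # not reachable here: sequence 30 matches all IP traffic

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, ICMP type).
    for pkt in [("icmp", "172.16.1.1", "172.16.2.1", "echo"),
                ("icmp", "172.16.2.1", "172.16.1.1", "echo-reply"),
                ("tcp", "172.16.2.1", "172.16.1.1", None)]:
        print(pkt, "->", evaluate(*pkt))
```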