vlan10 192.168.1.0/24
vlan20 192.168.2.0/24
vlan30 192.168.3.0/24
vlan40 192.168.4.0/24
vlan50 192.168.5.0/24
vlan60 192.168.6.0/24
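Requirement: vlan40 can access vlan50, but vlan50 cannot access vlan40.
ip access-list extended vlan40
 ! Build the pc4topc5 mapping (reflexive) table for traffic to vlan50. This is the key line.
 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 reflect pc4topc5
 ! Define access to the other VLANs according to your own actual needs.
 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
 deny ip any any
ip access-list extended vlan50
 ! Allow connections recorded in the pc4topc5 mapping table to pass.
 evaluate pc4topc5
 ! This line ensures that access to the vlan cannot be initiated from this side.
 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255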
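
The reflect/evaluate behaviour of the two ACLs above, modelled as a small Python simulation (an added example, not part of the original page). It assumes ACL vlan40 filters packets arriving from vlan40 hosts and ACL vlan50 filters packets arriving from vlan50 hosts; the class name, host addresses and ports are constructed, and the timeout that expires reflected entries on a real device is not modelled.

```python
import ipaddress

V10, V20, V40, V50 = ("192.168.%d.0/24" % n for n in (1, 2, 4, 5))

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class ReflexiveAclModel:
    """Toy model of ACLs vlan40 and vlan50; first matching entry wins."""

    def __init__(self):
        self.pc4topc5 = set()  # temporary entries created by "reflect pc4topc5"

    def vlan40(self, proto, src, sport, dst, dport):
        if in_net(src, V40) and in_net(dst, V50):
            # reflect: store the mirrored flow (addresses and ports swapped)
            self.pc4topc5.add((proto, dst, dport, src, sport))
            return "permit"
        if in_net(src, V40) and (in_net(dst, V10) or in_net(dst, V20)):
            return "deny"
        if in_net(src, V40):
            return "permit"      # permit ip 192.168.4.0 0.0.0.255 any
        return "deny"            # deny ip any any

    def vlan50(self, proto, src, sport, dst, dport):
        # evaluate pc4topc5: only packets matching a reflected entry pass
        if (proto, src, sport, dst, dport) in self.pc4topc5:
            return "permit"
        # explicit deny vlan50 -> vlan40, then the implicit deny at the end
        return "deny"

def demo():
    """Constructed packets: returns the verdict for each step in order."""
    acl = ReflexiveAclModel()
    return [
        # 1. vlan50 host initiates towards vlan40: no reflected entry yet
        acl.vlan50("tcp", "192.168.5.20", 40000, "192.168.4.10", 22),
        # 2. vlan40 host opens a session to vlan50: permitted and reflected
        acl.vlan40("tcp", "192.168.4.10", 51000, "192.168.5.20", 80),
        # 3. reply of that session matches the reflected entry
        acl.vlan50("tcp", "192.168.5.20", 80, "192.168.4.10", 51000),
        # 4. same hosts, different destination port: not a reply, so denied
        acl.vlan50("tcp", "192.168.5.20", 80, "192.168.4.10", 22),
    ]

if __name__ == "__main__":
    print(demo())
```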