Network topology:


The topology contains the following VLANs:

VLAN 2 172.16.2.0/24
VLAN 3 172.16.3.0/24
VLAN 4 172.16.4.0/24
VLAN 5 172.16.5.0/24  management VLAN, native VLAN

1. Restricting access between VLANs with standard ACLs

Define the access lists:

access-list 2 deny 172.16.3.0 0.0.0.255
access-list 2 deny 172.16.4.0 0.0.0.255
access-list 2 permit any

Function: denies traffic sourced from the 172.16.3.0 and 172.16.4.0 networks and permits everything else.

access-list 3 deny 172.16.2.0 0.0.0.255
access-list 3 deny 172.16.4.0 0.0.0.255
access-list 3 permit any

Function: denies traffic sourced from the 172.16.2.0 and 172.16.4.0 networks and permits everything else.

access-list 4 deny 172.16.2.0 0.0.0.255
access-list 4 deny 172.16.3.0 0.0.0.255
access-list 4 permit any

Function: denies traffic sourced from the 172.16.2.0 and 172.16.3.0 networks and permits everything else.

Apply the lists to the SVIs. Traffic bound for VLAN 2 from any other VLAN enters the switch through that other VLAN's interface and leaves through interface VLAN 2, so on interface VLAN 2 the ACL is applied in the out direction:

interface vlan 2
ip access-group 2 out

interface vlan 3
ip access-group 3 out

interface vlan 4
ip access-group 4 out

The result is that VLANs 2, 3 and 4 cannot reach one another, while each of them can still communicate with VLAN 5 (no ACL is bound to interface VLAN 5, and each list ends with permit any).

2. Implementing the same requirement with extended ACLs

ip access-list extended vlan2
deny ip 172.16.3.0 0.0.0.255 172.16.2.0 0.0.0.255
deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip any any
exit

ip access-list extended vlan3
deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip any any
exit

ip access-list extended vlan4
deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255
deny ip 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255
permit ip any any
exit

int vlan 2
ip access-group vlan2 out

The denied entries have VLAN 2 as their destination, and the current interface is VLAN 2 itself, so the list is applied in the out direction.

int vlan 3
ip access-group vlan3 out

int vlan 4
ip access-group vlan4 out

This achieves the same result as the standard ACLs in section 1.
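As an added example (not part of the original page), the following Python script models both the standard ACLs of section 1 and the extended ACLs of section 2 under Cisco first-match, wildcard-mask and implicit-deny semantics, applies each list outbound on the SVI of the destination subnet exactly as the page binds them, and computes the resulting reachability matrix so the policy can be checked before it is pushed to a switch. The VLAN ids and subnets come from the page; the sample host addresses (172.16.<vlan>.10) and the BLOCKED table used to regenerate the page's ACEs are constructed for this example.

```python
import ipaddress

# Constructed model of the page's topology: VLAN id -> subnet. Routed traffic to a subnet
# leaves through that VLAN's SVI, which is where the page binds its ACLs outbound.
VLANS = {2: "172.16.2.0/24", 3: "172.16.3.0/24", 4: "172.16.4.0/24", 5: "172.16.5.0/24"}
ANY = ("0.0.0.0", "255.255.255.255")
BLOCKED = {2: (3, 4), 3: (2, 4), 4: (2, 3)}   # per protected VLAN, the VLANs it denies
# ACL bodies regenerated from the page: standard ACLs 2/3/4 (source-only) and extended vlan2/3/4.
STANDARD = {v: "\n".join(f"deny 172.16.{o}.0 0.0.0.255" for o in os) + "\npermit any"
            for v, os in BLOCKED.items()}
EXTENDED = {v: "\n".join(f"deny ip 172.16.{o}.0 0.0.0.255 172.16.{v}.0 0.0.0.255" for o in os)
            + "\npermit ip any any" for v, os in BLOCKED.items()}

def wildcard_match(addr, network, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly.
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def take_addr(tokens):
    # Consume one address spec: "any", "host A", or "NETWORK WILDCARD".
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    action, *rest = line.split()
    extended = rest[0] == "ip"                      # extended ACE: protocol, source, destination
    src, rest = take_addr(rest[1:] if extended else rest)
    dst = take_addr(rest)[0] if extended else ANY   # standard ACE matches on source only
    return action, src, dst

def acl_permits(acl_text, src, dst):
    # First-match evaluation, ending in the implicit deny every Cisco ACL carries.
    for line in acl_text.splitlines():
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def reachable(acls, src, dst):
    # The outbound ACL on the destination subnet's SVI decides; VLAN 5 has none bound.
    egress = next(v for v, n in VLANS.items() if ipaddress.ip_address(dst) in ipaddress.ip_network(n))
    return egress not in acls or acl_permits(acls[egress], src, dst)

def reachability(acls):
    # {(src_vlan, dst_vlan): allowed} for one sample host per VLAN (172.16.<vlan>.10).
    return {(s, d): reachable(acls, f"172.16.{s}.10", f"172.16.{d}.10")
            for s in VLANS for d in VLANS if s != d}
```

Both ACL sets yield the same matrix: every pair among VLANs 2, 3 and 4 is denied and every pair involving VLAN 5 is permitted. The model checks only what the ACEs express, not traffic addressed to the SVIs themselves or other platform-specific behaviour.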