Lab requirement

Create three VLANs: vlan 10, vlan 20 and vlan 30. PC1 and PC3 belong to vlan 10, PC2 and PC4 belong to vlan 20, PC5 belongs to vlan 30. The three VLANs must not be able to reach each other, but every VLAN must be able to reach the external network.

PC1: 172.16.10.2
PC2: 172.16.20.2
PC3: 172.16.10.3
PC4: 172.16.20.3
PC5: 172.16.30.2

R1 configuration

Configure f0/0 (the link to the layer-3 switch):
#interface f0/0
#ip address 192.168.1.2 255.255.255.0
#no shutdown

Configure a loopback address; it stands in for the "external network" and is used to test connectivity from each VLAN to the outside:
#interface loopback0
#ip address 1.1.1.1 255.255.255.0
#no shutdown

Configure static routes back to each VLAN subnet behind the layer-3 switch (without these, replies from 1.1.1.1 have no path back to 172.16.x.0):
#ip route 172.16.10.0 255.255.255.0 192.168.1.1
#ip route 172.16.20.0 255.255.255.0 192.168.1.1
#ip route 172.16.30.0 255.255.255.0 192.168.1.1

SW1 configuration (layer-3 switch)

#configure terminal
#ip routing
Enables layer-3 routing on the switch; without it the SVIs below do not route between VLANs or toward R1.

Turn f0/0 into a routed port facing R1:
#interface f0/0
#no switchport
#ip address 192.168.1.1 255.255.255.0
#no shutdown

Add a default route to the external network:
#ip route 0.0.0.0 0.0.0.0 192.168.1.2

Create the VLANs and make this switch the VTP server:
#vlan database
#vlan 10 name caiwu
#vlan 20 name it
#vlan 30 name manager
#vtp server
#vtp domain cisco

Set the uplinks to SW2 and SW3 as 802.1Q trunks (on 3560-class switches the encapsulation must be set before the mode, otherwise "switchport mode trunk" is rejected):
#interface range f0/1 - 2
#switchport trunk encapsulation dot1q
#switchport mode trunk

Assign the access port for PC5 to vlan 30:
#interface f0/3
#switchport mode access
#switchport access vlan 30

Give each VLAN interface an address; these SVIs are the default gateways of the three subnets:
#interface vlan 10
#ip address 172.16.10.1 255.255.255.0
#interface vlan 20
#ip address 172.16.20.1 255.255.255.0
#interface vlan 30
#ip address 172.16.30.1 255.255.255.0

Build access lists 100, 101 and 102, one per VLAN. Each list denies traffic from its own VLAN to the other two VLANs and permits everything else, so traffic to the external network still passes:
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 102 permit ip any any

Note that the second entry of list 102 must name 172.16.20.0; a list that denies 172.16.30.0 to 172.16.30.0 instead blocks nothing useful (same-VLAN traffic is switched at layer 2 and never reaches the SVI ACL) and silently leaves vlan 30 able to reach vlan 20. Because each list ends in "permit ip any any", the VLANs can also still reach the SVI addresses and the 192.168.1.0/24 link; tighten the lists if that is not wanted.

Note on ACL direction between VLANs: when the source network of the entries is the subnet of the VLAN interface the list is applied to, use the "in" direction; when the destination network is the subnet of that VLAN interface, use the "out" direction.

Example:
Host 1.1.1.1 -- vlan 10 (SVI 1.1.1.2) -- SW -- vlan 20 (SVI 2.2.2.2) -- host 2.2.2.1
Goal: forbid host 1.1.1.1 from reaching 2.2.2.1.

Method one (filter on the source VLAN's SVI, inbound):
access-list 100 deny ip host 1.1.1.1 host 2.2.2.1
access-list 100 permit ip any any
#interface vlan 10
#ip access-group 100 in

Method two (filter on the destination VLAN's SVI, outbound):
access-list 100 deny ip host 1.1.1.1 host 2.2.2.1
access-list 100 permit ip any any
#interface vlan 20
#ip access-group 100 out

Apply the three access lists to their VLAN interfaces (inbound, since each list's entries use that VLAN's subnet as the source):
#interface vlan 10
#ip access-group 100 in
#interface vlan 20
#ip access-group 101 in
#interface vlan 30
#ip access-group 102 in

SW2 configuration (layer-2 access switch)

Trunk toward SW1:
#interface f0/0
#switchport trunk encapsulation dot1q
#switchport mode trunk

Join the VTP domain as a client so the VLANs created on SW1 are learned automatically:
#vlan database
#vtp client
#vtp domain cisco

Access ports for PC1 (vlan 10) and PC2 (vlan 20):
#interface f0/1
#switchport mode access
#switchport access vlan 10
#interface f0/2
#switchport mode access
#switchport access vlan 20

SW3 is configured the same way (PC3 in vlan 10, PC4 in vlan 20).

Verification: from PC1, ping 1.1.1.1 should succeed (default route on SW1, static route back on R1), while ping 172.16.20.2 and 172.16.30.2 should fail; the same holds from each other PC. Two practical cautions: the VTP domain has no password, so any switch joined to a trunk with the same domain name and a higher configuration revision can overwrite the VLAN database on every switch, so set "vtp password" in anything beyond a lab; and the ACLs only filter routed traffic, so they do nothing for hosts that share a VLAN.
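Before loading access lists onto the SVIs it is worth checking the reachability they produce on paper. The script below is an added example, not part of the original lab page: it parses the three lists in IOS "access-list" syntax, evaluates them first-match with wildcard masks and an implicit deny, applies each list inbound on the SVI whose subnet contains the source address (as the "in" rule above prescribes), and reports every cross-VLAN pair that is still permitted. It also runs the same check on a copy of list 102 with a mistyped second entry (30 to 30 instead of 30 to 20) to show the kind of slip the check catches. Host addresses are the lab values; the ACL text and the typo variant are constructed here.

```python
"""Offline reachability check for the inter-VLAN ACL design (added example).

Models first-match IOS ACL evaluation with wildcard masks and an implicit deny,
applied inbound on the SVI whose subnet contains the source address.
"""

import ipaddress

# ACLs exactly as they should be configured on SW1 (constructed copy).
ACL_TEXT = """
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 deny ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 deny ip 172.16.20.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 102 permit ip any any
"""

# Constructed variant with a mistyped second entry in list 102 (30 -> 30).
ACL_TEXT_TYPO = ACL_TEXT.replace(
    "access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.20.0 0.0.0.255",
    "access-list 102 deny ip 172.16.30.0 0.0.0.255 172.16.30.0 0.0.0.255",
)

# SVI subnet -> ACL number applied with "ip access-group <n> in".
SVI_IN_ACL = {"172.16.10.0/24": 100, "172.16.20.0/24": 101, "172.16.30.0/24": 102}

HOSTS = {"PC1": "172.16.10.2", "PC2": "172.16.20.2", "PC3": "172.16.10.3",
         "PC4": "172.16.20.3", "PC5": "172.16.30.2", "R1-lo0": "1.1.1.1"}


def _take_addr(toks):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD') from toks."""
    t = toks.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(toks.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(toks.pop(0)))


def parse_acls(text):
    """Return {acl_number: [(action, (src, src_wc), (dst, dst_wc)), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:1] != ["access-list"]:
            continue
        num, action, proto = int(toks[1]), toks[2], toks[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        rest = toks[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def _wild_match(addr, spec):
    """Wildcard bit 1 = don't care; compare only bits where the wildcard is 0."""
    net, wc = spec
    return (addr ^ net) & (~wc & 0xFFFFFFFF) == 0


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; implicit deny when no entry matches."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in acl:
        if _wild_match(s, src) and _wild_match(d, dst):
            return action
    return "deny"


def forwards(acls, src_ip, dst_ip):
    """True if the inbound ACL of the source's SVI permits the packet.

    Same-VLAN traffic is really switched at layer 2 and never hits the SVI;
    it is run through the list here only for completeness (it is permitted).
    """
    for subnet, num in SVI_IN_ACL.items():
        if ipaddress.IPv4Address(src_ip) in ipaddress.IPv4Network(subnet):
            return evaluate(acls[num], src_ip, dst_ip) == "permit"
    return True  # traffic arriving from R1 on f0/0 has no ACL in this lab


def reachability(acl_text):
    """{(src_host, dst_host): permitted} over every ordered host pair."""
    acls = parse_acls(acl_text)
    return {(a, b): forwards(acls, HOSTS[a], HOSTS[b])
            for a in HOSTS for b in HOSTS if a != b}


def isolation_violations(acl_text):
    """Sorted list of PC pairs in different VLANs that the lists still permit."""
    vlan = lambda ip: ipaddress.IPv4Address(ip).packed[2]  # third octet = VLAN id here
    return sorted((a, b) for (a, b), ok in reachability(acl_text).items()
                  if ok and a != "R1-lo0" and b != "R1-lo0"
                  and vlan(HOSTS[a]) != vlan(HOSTS[b]))


if __name__ == "__main__":
    for name, text in (("as designed", ACL_TEXT), ("with typo in 102", ACL_TEXT_TYPO)):
        print(f"{name}: cross-VLAN pairs still permitted -> {isolation_violations(text)}")
```

With the lists as designed the violation list is empty and every PC still reaches 1.1.1.1; with the mistyped entry PC5 is reported as able to reach PC2 and PC4 (the reverse direction is still blocked by list 101, so TCP would fail but one-way UDP and ICMP would get through). The same parser can be pointed at any "show running-config" excerpt that uses plain "ip" entries.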