【新人】acl单向访问+vlan划分

a282244945 · 发表于 2016-10-18 15:53:14

想搭建一个有5个vlan的网络。 it部可以访问其他所有部。
其他部不可以互相访问，但是都可以访问server。
应该是做了单臂路由的关系，我现在搭建出来的是都可以互相访问。
请大神帮忙看看怎么能实现单向访问。（不加单臂路由可以单向访问）

拓扑

====================
R1#show run
Building configuration...
Current configuration : 1274 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
license udi pid CISCO2911/K9 sn FTX15249ZWS
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 192.168.50.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.70.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 100
router-id 1.1.1.1
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
network 192.168.60.0 0.0.0.255 area 0
network 192.168.70.0 0.0.0.255 area 0
!
ip classless
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

====================
R2#show run
Building configuration...
Current configuration : 1671 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
license udi pid CISCO2911/K9 sn FTX1524967X
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
ip address 192.168.50.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.50.0 0.0.0.255 area 0
network 192.168.70.0 0.0.0.255 area 0
!
ip classless
!
access-list 100 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 100 deny icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
access-list 100 permit ip any any
access-list 100 permit icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 100 deny icmp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
access-list 100 permit icmp 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 100 deny icmp 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
access-list 100 permit icmp 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 100 deny icmp 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
access-list 100 permit icmp 192.168.80.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
access-list 100 deny icmp 192.168.80.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

====================

3层交换机只是划分了vlan 别的没什么设置。

================================
=========

ACL VLAN.rar (26.47 KB, 下载次数: 2) ========
================================

shenxian · 发表于 2016-10-18 15:53:15

R1上配置ACL：
ip access-list extended vlan20
deny ip 192.168.30.0 0.0.0.255 any
deny ip 192.168.40.0 0.0.0.255 any
permit ip any any
ip access-list extended vlan30
deny ip 192.168.20.0 0.0.0.255 any
deny ip 192.168.40.0 0.0.0.255 any
permit ip any any
ip access-list extended vlan40
deny ip 192.168.20.0 0.0.0.255 any
deny ip 192.168.30.0 0.0.0.255 any
permit ip any any
interface ethernet 0/1.20
ip access-group vlan20 out
interface ethernet 0/1.30
ip access-group vlan30 out
interface ethernet 0/1.40
ip access-group vlan40 out

a282244945 · 发表于 2016-10-18 16:04:23

tracert 可以看的出来是路由到了50段。。所以都能互相访问。

a282244945 · 发表于 2016-10-18 16:53:50

大神都在睡觉么

账号		自动登录	找回密码
密码			论坛注册

[求助] 【新人】acl单向访问+vlan划分

最佳答案

客服中心

投诉建议