Using ACLs to restrict access between VLANs
Original
© Copyright belongs to the author: an original work by 51CTO blog author cuter; reproduction is not permitted and will be pursued legally.
Lab requirements: vlan2 and vlan3 can reach each other; vlan4 and vlan2, and vlan4 and vlan3, cannot reach each other; all three VLANs can reach the Internet.
Configuration:
R1#sh run
Building configuration...
Current configuration : 456 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
line con 0
line vty 0 4
login
!
!
end
R0#sh run
Building configuration...
Current configuration : 826 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R0
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 12.1.1.1 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
ip route 192.168.4.0 255.255.255.0 192.168.0.2
ip route 0.0.0.0 0.0.0.0 12.1.1.2
!
!
access-list 1 permit any
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
!
!
end
3750sw1#sh run
Building configuration...
Current configuration : 1969 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 3750sw1
!
ip routing
!
no ip domain-lookup
!
!
interface FastEthernet0/1
!
[output cut]
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 101 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 102 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 103 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip any any
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
!
!
end
2960sw2#sh run
Building configuration...
Current configuration : 1134 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 2960sw2
!
!
interface FastEthernet0/1
switchport access vlan 2
!
interface FastEthernet0/2
switchport access vlan 3
!
interface FastEthernet0/3
switchport access vlan 4
!
interface FastEthernet0/4
!
[output cut]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
switchport mode trunk
!
interface GigabitEthernet1/2
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
2960sw3#sh run
Building configuration...
Current configuration : 1111 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 2960sw3
!
!
interface FastEthernet0/1
switchport access vlan 2
!
interface FastEthernet0/2
switchport access vlan 3
!
interface FastEthernet0/3
switchport access vlan 4
!
interface FastEthernet0/4
!
[output cut]
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
!
line con 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
Verification:
From PC0 we see that vlan2 can reach vlan3 and the Internet, but not vlan4.
From PC1 we see that vlan3 can reach vlan2 and the Internet, but not vlan4.
From PC3 we see that vlan4 can reach the Internet, but not vlan2 or vlan3.
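To confirm the requirement is met by the ACLs themselves rather than only by a few pings, here is an added Python model (not part of the original post) that parses the 3750sw1 access lists, applies Cisco first-match semantics with the implicit deny, and applies each ACL only inbound on its SVI, as the configuration does. The SVI_ACL map, the sample host addresses, and the rule that a stateless ACL must permit both directions of a session are my modelling assumptions.

```python
import ipaddress
# Constructed from the 3750sw1 configuration on this page: the three extended
# ACLs and the SVI subnet each one is applied inbound on (ip access-group N in).
ACL_TEXT = """
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip any any
"""
SVI_ACL = {"192.168.2.0/24": "101", "192.168.3.0/24": "102", "192.168.4.0/24": "103"}

def parse_match(tokens):
    """Consume 'any' or 'addr wildcard' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # A Cisco wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(netmask)}", strict=False)
    return net, tokens[2:]

def parse_acls(text):
    """Build {acl number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()  # access-list <num> <permit|deny> ip <src> <dst>
        src, rest = parse_match(t[4:])
        dst, _ = parse_match(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in acl if s in src and d in dst), "deny")

def can_reach(acls, src_ip, dst_ip):
    """Traffic from src enters the switch on its own SVI, so only that inbound ACL applies."""
    for subnet, num in SVI_ACL.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(subnet):
            return evaluate(acls[num], src_ip, dst_ip) == "permit"
    return True  # no ACL on Vlan1, where replies from R0 and the Internet arrive

def session_allowed(acls, a, b):
    """These ACLs are stateless, so a session needs both directions permitted."""
    return can_reach(acls, a, b) and can_reach(acls, b, a)
```

The model also makes visible that ACL 103 has no entry for 192.168.0.0/24, so vlan4 hosts can still reach the Vlan1 segment and the switch's own SVI addresses; add matching deny entries if vlan4 is meant to be fully isolated from the internal network.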