网络管理：VLAN间访问控制(2)

2.用访问列表控制:
R1#sh run
Building configuration...

Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!


!
!         
!         
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip access-group 120 in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip access-group 130 in
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!         
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
!
!
!
access-list 120 deny   ip any 192.168.30.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 deny   ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!         
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
!
end 

3.使用Pvlan

待续

4.三层交换机上,用VLAN间ACL

access-list 120 permit ip any 192.168.30.0 0.0.0.255

access-list 130 permit ip any 192.168.20.0 0.0.0.255

vlan access-map deny20-30 100

  match ip add 120

  action drop

  exit

vlan filter deny20-30 vlan-list 20

vlan access-map deny30-20 101

  match ip add 130

  action drop

   exit

vlan filter deny30-20 vlan-list 30

上面配置由于没有设备无法验证.