准备:路由器,三层交换机,二层交换机,PC,Cisco模拟器
需求:由路由器接入互联网,三层交换机作为数据交换中心,每个部门配置不同的VLAN,有的不能互相访问,有的可以互相访问,每个VLAN都能访问外网。
三层交换机配置
全局模式
interface f0/1
no switchport--------->对此接口开启三层功能
ip address 192.168.1.2 255.255.255.0
ip routing--------->对交换机开启路由协议功能
exit
创建vlan
vlan 10
exit
vlan 20
exit
vlan 30
exit
给vlan配置IP
interface vlan 10
ip address 192.168.10.1 255.255.255.0
no shutdown
interface vlan 20
ip address 192.168.20.1 255.255.25.0
no shutdown
interface vlan 30
ip address 192.168.30.1 255.255.255.0
no shutdown
exit
给接口帮绑定vlan
interface f0/2
switchport access vlan 10
no shutdown
interface f0/3
switchport access vlan 20
no shutdown
interface f0/4
switchport access vlan 30
exit
运行DHCP协议,并配置地址池
ip dhcp pool vlan10(自定义名称)
network 192.168.10.0 255.255.255.0
exit
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
exit
ip dhcp pool vlan30
network 192.168.30.0 255.255.255.0
添加路由
ip route 0.0.0.0 0.0.0.0 192.168.1.1
创建拒绝vlan10访问vlan30规则
ip access-list extended deny10to30
deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip any any
exit
把规则绑定到vlan10的入口in
interface vlan 10
ip access-group deny10to30 in
Router配置
no shutdown
interface g0/0/0/0
ip address 192.168.1.1 255.255.255.0
