1、用的华为S5700-24TP-SI,划了3个vlan,分别为vlan 2、vlan 3、vlan 4,对应的IP段为: vlan 2:192.168.2.0/255.255.255.0 vlan 3:192.168.3.0/255.255.255.0 vlan 4:192.186.4.0/255.255.255.0 2、怎么限制vlan2不可以访问vlan 3、vlan4; vlan3不可以访问vlan 2、vlan4; vlan4不可以访问vlan 2、vlan3;
用ACL来实现,具体如下: acl number 3002 rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 acl number 3003 rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255 acl number 3004 rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 用traffic-filter在vlan下应用ACL, traffic-filter vlan 2 inbound acl 3002 traffic-filter vlan 3 inbound acl 3003 traffic-filter vlan 4 inbound acl 3004
|