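1. Assignment requirements:

Based on the topology diagram, every department must be able to reach the server, while the departments cannot communicate with each other.

That is, vlan1, vlan10 and vlan20 can all reach vlan30, while vlan1, vlan10 and vlan20 cannot communicate with one another.

2. Topology diagram

[Figure: router-on-a-stick for inter-VLAN communication]

3. Device description:

Router: H3C Quidway R2621

Switch: H3C Quidway S3526E

4. Device configuration:

Router: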

[Router]sysname R1

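[R1]int e1 // vlan1 is untagged by default; without an IP address on this interface, vlan1 traffic cannot pass

[R1-Ethernet1]ip address 192.168.1.254 24 // assign the IP address

[R1-Ethernet1]int e1.10 // enter the subinterface

[R1-Ethernet1.10]vlan-type dot1q vid 10 // set the 802.1Q tag

[R1-Ethernet1.10]ip add 192.168.10.254 255.255.255.0 // assign the IP address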

[R1-Ethernet1.10]int e1.20

[R1-Ethernet1.20]vlan-type dot1q vid 20

[R1-Ethernet1.20]ip add 192.168.20.254 255.255.255.0

[R1-Ethernet1.20]int e1.30

[R1-Ethernet1.30]vlan-type dot1q vid 30

[R1-Ethernet1.30]ip add 192.168.30.254 255.255.255.0

[R1]acl 3000 // access control list

[R1-acl-3000]rule deny ip source 192.168.1.0 0.0.0.255 dest 192.168.10.0 0.0.0.255

Rule has been added to normal pac

[R1-acl-3000]rule deny ip source 192.168.1.0 0.0.0.255 dest 192.168.20.0 0.0.0.255

Rule has been added to normal pac

[R1]acl 3001

[R1-acl-3001]rule deny ip source 192.168.10.0 0.0.0.255 dest 192.168.20.0 0.0.0.255

Rule has been added to normal packet-filtering rules

[R1]int e1.1

[R1-Ethernet1.1]firewall packet-filter ?

<2000-2999> Basic access-list

<3000-3999> Advanced access-list

[R1-Ethernet1.1]firewall packet-filter 3000 // apply the access control list

[R1-Ethernet1.1]int e1.10

[R1-Ethernet1.10]firewall packet-filter 3001

Switch:

[s38]vlan 10 // create the vlan

[s38-vlan10]port eth0/10 to eth0/11 // assign ports to the vlan

[s38-vlan10]vlan 20

[s38-vlan20]port eth0/20 to eth0/21

[s38-Vlan-interface20]vlan 30

[s38-vlan30]port eth0/22 to e0/23

[s38-Vlan-interface30]int eth0/24

[s38-Ethernet0/24]port link-type trunk // trunk link

[s38-Ethernet0/24]port trunk permit vlan all // permit all vlans; specific vlan IDs can be listed instead

Please wait........................................... Done.

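5. Testing:

5.1 Tests between the server and the clients

Local Area Connection settings on the server (vlan30):

[Screenshot]

Order:

First ping the local gateway

Then ping the vlan1 gateway

Then ping the vlan10 gateway, and ping a PC in vlan10

Then ping the vlan20 gateway, and ping a PC in vlan20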


5.2 Tests between clients

The client is a PC placed in vlan20


The above shows that the clients cannot communicate with each other, i.e. the departments cannot communicate.
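The rules in acl 3000 and acl 3001 are each written in one direction only, so it is worth checking which directed flows they actually match. The sketch below is an added example, not part of the original post: it models the two ACLs and reports, for every VLAN pair, whether a one-way packet and a ping round trip get through. It assumes each ACL filters packets entering the router from the VLAN it is bound to (acl 3000 for vlan1, acl 3001 for vlan10) and that unmatched packets are forwarded; the function and variable names are illustrative.

```python
import ipaddress

# Subnets from the router configuration on this page.
VLANS = {
    "vlan1": "192.168.1.0/24",
    "vlan10": "192.168.10.0/24",
    "vlan20": "192.168.20.0/24",
    "vlan30": "192.168.30.0/24",
}
# Deny rules as (source, destination), copied from acl 3000 and acl 3001.
ACLS = {
    3000: [("192.168.1.0/24", "192.168.10.0/24"),
           ("192.168.1.0/24", "192.168.20.0/24")],
    3001: [("192.168.10.0/24", "192.168.20.0/24")],
}
# Assumption: each ACL filters packets entering the router from this VLAN,
# and a packet that matches no rule is forwarded.
BOUND_IN = {"vlan1": 3000, "vlan10": 3001}


def one_way_allowed(src_vlan, dst_vlan):
    """True if a packet from src_vlan to dst_vlan is not denied."""
    acl = BOUND_IN.get(src_vlan)
    if acl is None:
        return True
    src = ipaddress.ip_network(VLANS[src_vlan])
    dst = ipaddress.ip_network(VLANS[dst_vlan])
    for rule_src, rule_dst in ACLS[acl]:
        if (src.subnet_of(ipaddress.ip_network(rule_src))
                and dst.subnet_of(ipaddress.ip_network(rule_dst))):
            return False
    return True


def round_trip_allowed(a, b):
    """A ping needs the request (a to b) and the reply (b to a) to pass."""
    return one_way_allowed(a, b) and one_way_allowed(b, a)


def flow_matrix():
    """Map every ordered VLAN pair to (one_way, round_trip)."""
    return {(a, b): (one_way_allowed(a, b), round_trip_allowed(a, b))
            for a in VLANS for b in VLANS if a != b}


if __name__ == "__main__":
    for (a, b), (one_way, ping) in flow_matrix().items():
        print(f"{a:>6} -> {b:<6} one-way={one_way!s:<5} ping={ping}")
```

Under these assumptions the ping results match the tests above, while the one-way column shows the directions (vlan20 to vlan10, vlan20 to vlan1, vlan10 to vlan1) that no deny rule covers; adding the mirrored rules closes them.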

Reposted from: https://blog.51cto.com/guojiping/969743
