I. Requirements:
The LAN has two segments, VLAN 10 and VLAN 20. VLAN 10 must be able to reach the private network, VLAN 20 must be able to reach the Internet, and the two segments must not be able to reach each other. The topology is as follows:
II. Configuration approach:
1. On S1, create VLAN 10 and VLAN 20, apply ACL-based filtering so that the two segments cannot reach each other, and configure the uplink as a trunk port.
2. The gateways for both VLANs live on R1; the R1 downlink is configured as a router-on-a-stick (one dot1q sub-interface per VLAN).
3. Each of the two R1 egress interfaces performs source NAT (Easy IP, translating to the interface address).
III. Configuration:
[S1]
vlan batch 10 20
#
acl number 2000
 rule 5 deny source 172.1.1.0 0.0.0.255
 rule 10 permit
#
acl number 2001
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 10 permit
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 traffic-filter outbound acl 2000
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 traffic-filter outbound acl 2001
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
[R1]
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.199.0 0.0.0.255
 rule 10 deny ip
#
acl number 3001
 rule 6 permit ip source 172.1.1.0 0.0.0.255 destination 8.8.8.0 0.0.0.255
 rule 10 deny ip
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 10.1.1.254 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 172.1.1.254 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1
 ip address 192.168.199.2 255.255.255.0
 nat outbound 3000
#
interface GigabitEthernet0/0/2
 ip address 8.8.8.2 255.255.255.0
 nat outbound 3001
#
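To check that the ACLs above actually express the policy (VLAN 10 and VLAN 20 isolated from each other, each VLAN translated only on its own egress link), here is a small Python evaluator for the subset of Huawei ACL syntax used in this note. It is an added example, not part of the original note and not a Huawei tool; the host addresses 10.1.1.10, 172.1.1.10, 192.168.199.50 and 8.8.8.8 are constructed for the check. Because a basic ACL (2000-2999) matches only the source address, the S1 filters can only take effect in the direction where the frame carries the other VLAN's source address, which is the traffic flowing toward the local host on each access port; the check evaluates both directions so that this is visible.

```python
import ipaddress

# ACL bodies copied from the note (Huawei VRP syntax).
S1_ACL_2000 = """
rule 5 deny source 172.1.1.0 0.0.0.255
rule 10 permit
"""
S1_ACL_2001 = """
rule 5 deny source 10.1.1.0 0.0.0.255
rule 10 permit
"""
R1_ACL_3000 = """
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.199.0 0.0.0.255
rule 10 deny ip
"""
R1_ACL_3001 = """
rule 6 permit ip source 172.1.1.0 0.0.0.255 destination 8.8.8.0 0.0.0.255
rule 10 deny ip
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse 'rule N {permit|deny} [ip] [source A W] [destination A W]' lines.

    Returns (rule_id, action, src, dst) tuples sorted by rule id; src/dst are
    (network, wildcard) integer pairs, or None meaning 'any'. Only the syntax
    used in the note is supported; anything else raises ValueError.
    """
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported rule line: %r" % line)
        rule_id, action = int(tok[1]), tok[2]
        src = dst = None
        i = 3
        if i < len(tok) and tok[i] == "ip":      # advanced ACL protocol keyword
            i += 1
        while i < len(tok):
            if i + 2 >= len(tok) or tok[i] not in ("source", "destination"):
                raise ValueError("unsupported match in: %r" % line)
            match = (_ip(tok[i + 1]), _ip(tok[i + 2]))
            if tok[i] == "source":
                src = match
            else:
                dst = match
            i += 3
        rules.append((rule_id, action, src, dst))
    return sorted(rules, key=lambda r: r[0])


def _matches(match, addr):
    """Wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    if match is None:
        return True
    network, wildcard = match
    mask = 0xFFFFFFFF ^ wildcard
    return (addr & mask) == (network & mask)


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins. Returns 'permit', 'deny', or None when nothing
    matched (traffic-filter then forwards; nat outbound then skips translation)."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for _, action, s, d in rules:
        if _matches(s, src) and _matches(d, dst):
            return action
    return None


def isolation_check():
    """S1 access-port filters, evaluated for traffic in both directions."""
    acl2000, acl2001 = parse_acl(S1_ACL_2000), parse_acl(S1_ACL_2001)
    return {
        # G0/0/1 (VLAN 10): frames toward the VLAN 10 host sourced by VLAN 20
        "g1_vlan20_to_vlan10": evaluate(acl2000, "172.1.1.10", "10.1.1.10"),
        # same ACL seen by the VLAN 10 host's own packets: no rule denies them
        "g1_vlan10_to_vlan20": evaluate(acl2000, "10.1.1.10", "172.1.1.10"),
        # G0/0/2 (VLAN 20): frames toward the VLAN 20 host sourced by VLAN 10
        "g2_vlan10_to_vlan20": evaluate(acl2001, "10.1.1.10", "172.1.1.10"),
        "g2_vlan20_to_vlan10": evaluate(acl2001, "172.1.1.10", "10.1.1.10"),
    }


def nat_check():
    """R1 'nat outbound' ACLs: permit = translate to the interface address,
    deny = forward without translation (the private source then leaks out)."""
    acl3000, acl3001 = parse_acl(R1_ACL_3000), parse_acl(R1_ACL_3001)
    return {
        "g1_vlan10_to_private": evaluate(acl3000, "10.1.1.10", "192.168.199.50"),
        "g1_vlan20_to_private": evaluate(acl3000, "172.1.1.10", "192.168.199.50"),
        "g2_vlan20_to_internet": evaluate(acl3001, "172.1.1.10", "8.8.8.8"),
        "g2_vlan10_to_internet": evaluate(acl3001, "10.1.1.10", "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, verdict in {**isolation_check(), **nat_check()}.items():
        print("%-24s %s" % (name, verdict))
```

Running the script prints one verdict per flow. Two things it makes explicit: a `deny` in a `nat outbound` ACL means "do not translate", not "drop", so the routing table still decides where an untranslated packet goes; and ACL 3000 only matches destinations inside 192.168.199.0/24, so if the private network contains more prefixes than the link subnet itself, that destination match has to be widened before VLAN 10 traffic to those prefixes is translated.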