VLAN间的单向通信

来源：互联网发布：网络药品销售促成技巧编辑：程序博客网时间：2024/04/25 14:36

实验描述：

在本实验中，SW-3为三层交换机，在它上面划分了三个VLAN，分别为VLAN10，VLAN20，VLAN40。其中VLAN10接PC1，VLAN40接PC2，VLAN20接R1，R1接R2，IP地址如图所示。R2模拟外网，R1模拟内网出口路由器，在R1上作NAT地址转换，使内网的用户通过R1的外网接口E1/0的IP地址出去。并且要求：VLAN40可能访问VLAN10，但VLAN10不可以访问VLAN40。

Sw-3#show run

version 12.3

hostname sw-3

ip subnet-zero

ip cef

no ip domain lookup

interface FastEthernet0/0

switchport access vlan 40

no ip address

interface FastEthernet0/1

switchport access vlan 10

no ip address

interface FastEthernet0/2

switchport access vlan 20

no ip address

interface Vlan1

no ip address

interface Vlan10

ip address 1.1.1.1 255.0.0.0

interface Vlan20

ip address 2.2.2.1 255.0.0.0

interface Vlan40

ip address 4.4.4.1 255.0.0.0

ip access-group vlan40 out

ip http server

ip classless

ip route 3.0.0.0 255.0.0.0 2.2.2.2

ip access-list extended vlan40

permit tcp 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255 established

permit icmp 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255 echo-reply

deny ip 1.0.0.0 0.255.255.255 4.0.0.0 0.255.255.255

permit ip any any

line con 0

exec-timeout 0 0

logging synchronous

transport preferred all

transport output all

line vty 0 4

End

r1#show run

version 12.3

hostname r1

no ip domain lookup

ip cef

interface FastEthernet0/0

ip address 2.2.2.2 255.0.0.0

ip nat inside

duplex full

interface Ethernet1/0

ip address 3.3.3.1 255.0.0.0

ip nat outside

duplex half

ip nat inside source list 1 interface Ethernet1/0 overload

ip classless

ip route 1.0.0.0 255.0.0.0 2.2.2.1

ip route 4.0.0.0 255.0.0.0 2.2.2.1

access-list 1 permit any

line con 0

exec-timeout 0 0

logging synchronous

End

r2#show run

version 12.3

hostname r2

no ip domain lookup

ip cef

interface FastEthernet0/0

no ip address

shutdown

duplex half

interface Ethernet1/0

ip address 3.3.3.2 255.0.0.0

duplex half

ip classless

line con 0

exec-timeout 0 0

logging synchronous

end