我试图隔离VLAN上的流量,因为一个是我们的访客VLAN(VLAN 3是访客LAN).它是Cisco 881W路由器.
这是我的VLAN配置:
interface Vlan2 ip address 10.10.100.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip nat inside ip virtual-reassembly zone-member security in-zone ! interface Vlan3 ip address 10.100.10.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip nat inside ip virtual-reassembly zone-member security in-zone !
这是我的ACL
access-list 1 remark INSIDE_IF=Vlan1 access-list 1 remark CCP_ACL Category=2 access-list 1 permit 10.10.10.0 0.0.0.255 access-list 2 remark CCP_ACL Category=2 access-list 2 permit 10.10.10.0 0.0.0.255 access-list 3 remark CCP_ACL Category=2 access-list 3 permit 10.10.100.0 0.0.0.255 access-list 4 remark CCP_ACL Category=2 access-list 4 permit 10.100.10.0 0.0.0.255 access-list 100 remark CCP_ACL Category=128 access-list 100 permit ip host 255.255.255.255 any access-list 100 permit ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip 70.22.148.0 0.0.0.255 any access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255 access-list 101 deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255 access-list 101 deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255 access-list 102 permit ip host 255.255.255.255 any
一旦我将ip access-group 101添加到VLAN 3,VLAN 3就不能再离开路由器了. VLAN 3可以通过10.100.10.1 ping路由器,10.10.100.*不再可以从VLAN 3(所需)ping通.
更新:我还必须添加
access-list 10 permit udp any any eq bootpc access-list 10 permit udp any any eq bootps
使DHCP工作
