拓圖

要求：

1. vlan1可以訪問Internet
2. vlan2和vlan3不能訪問Internet和vlan1
3. vlan2和vlan3之間可以互相訪問
4. PC配置如圖所示，這里不展示

LSW1接口vlan配置

vlan batch 10 20 30
#
interface Vlanif1ip address 192.168.40.2 255.255.255.0
#
interface Vlanif10ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30ip address 192.168.30.254 255.255.255.0
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 10
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 20
#
interface GigabitEthernet0/0/3port link-type accessport default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.1

AR1接口配置

interface GigabitEthernet0/0/0ip address 92.168.40.1 255.255.255.0 
#
interface GigabitEthernet0/0/1ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.40.2

下面開始配置三層交換機ACL
LSW1配置ACL：

[LSW1]acl 3000
[LSW1-acl-adv-3000]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 15 permit ip source 192.168.10.0 0.0.0.255
[LSW1-acl-adv-3000]rule 20 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[LSW1-acl-adv-3000]rule 25 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[LSW1-acl-adv-3000]rule 30 deny ip
[LSW1-acl-adv-3000]quit

把配置好的ACL策略應用到vlan上

[LSW1]traffic-filter vlan 10 inbound acl 3000
[LSW1]traffic-filter vlan 20 inbound acl 3000
[LSW1]traffic-filter vlan 30 inbound acl 3000

至此ACL配置完成，下面測試PC2與Internet互聯測試

PC2與PC3互聯測試