I am using a Cisco C1111-8p router/switch with IOS XE 16.8.
I have 3 VLANs:
- 1: native/management
- 20: dev
- 50: guest
I want to block the guests/VLAN50 from communicating with anything other than the Internet.
To do this, I created a standard access list using VLAN50's subnet. I applied this ACL outbound (from the router's point of view) on the SVIs of VLAN1/native/management and VLAN20/dev.
conf t
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
end
# VLAN 1 DEFAULT NATIVE
conf t
vlan 1
interface vlan 1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 out
end
# VLAN 20
conf t
vlan 20
name Dev
interface vlan 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 10 out
end
Pings to a device connected to VLAN1 native are filtered:
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200) 56(84) bytes of data.
From 192.168.50.1 icmp_seq=1 Packet filtered
From 192.168.50.1 icmp_seq=2 Packet filtered
From 192.168.50.1 icmp_seq=3 Packet filtered
Nevertheless, I can still ping the VLAN1 and VLAN20 gateways, 192.168.0.1 and 192.168.20.1.
$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=17.9 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=30.4 ms
$ ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=255 time=2.73 ms
64 bytes from 192.168.20.1: icmp_seq=2 ttl=255 time=23.7 ms
Why?
I am testing with a wireless access point that has one SSID per VLAN, with VLAN1 as the native VLAN. I want to test with a standard ACL before using an extended one.
Full configuration for reference (I am leaving out the DHCP part):
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description WAN
ip address x.x.x.x 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
switchport mode access
!
interface GigabitEthernet0/1/7
switchport mode access
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 in
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip access-group 10 out
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 10 out
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.0.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.50.0 0.0.0.255
!
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
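An outbound ACL on an SVI only sees packets that are forwarded out through that SVI; a packet addressed to the SVI's own IP is received on Vlan50 and handed to the router's control plane, so it never reaches the outbound ACL on Vlan1 or Vlan20. The following is an added example (not the poster's configuration) of an extended ACL evaluated inbound on Vlan50, where guest traffic actually enters the router; it assumes the router provides DHCP and DNS to the guests, as the `ip dns server` line and the omitted DHCP section suggest.

```cisco
! Added example: filter guest traffic where it enters the router
ip access-list extended GUEST-IN
 remark Assumed: guests get addresses from DHCP on this router
 permit udp any eq bootpc any eq bootps
 remark Assumed: the Vlan50 SVI is the guests' DNS resolver
 permit udp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq domain
 remark Block guests from the other internal subnets;
 remark this also covers the SVI addresses 192.168.0.1 and 192.168.20.1
 deny   ip 192.168.50.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark Add a "deny ip ... host 192.168.50.1" line here if guests
 remark should not reach their own gateway address either
 remark Everything else (the Internet, via NAT) is allowed
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan50
 ip access-group GUEST-IN in
!
! Verify which entry each flow hits:
! show ip access-lists GUEST-IN
```

With this in place the standard ACL 10 on the other SVIs is no longer needed for guest isolation; `show ip access-lists` shows per-entry hit counts, so a ping from a guest to 192.168.0.1 should increment the first `deny` line rather than the final `permit`.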