Multiple access lists on the same VLAN

network-engineering cisco routing router packet-tracer access-control
2021-07-18 23:28:28

I have 5 departments, each with its own VLAN, and I want some of them to be able to ping some of the others, while only some of them may ping certain others. Basically I am creating a VLAN hierarchy.


Specifically, I need:

vlan10 to ping all the other vlans
vlan20 to ping all the other vlans
vlan30 to only ping vlan50
vlan40 to only ping vlan30 and vlan50
vlan50 to ping none (only its own vlan)

So to let vlan20 ping all the VLANs while blocking vlan30, vlan40 and vlan50 from pinging it, I did this:

ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN20_IN
remark Block ICMP echo requests to VLAN 20
deny icmp any 172.16.32.0 0.0.31.255 echo
remark Permit all other traffic, including ICMP echo reply
permit ip any any
!
interface FastEthernet0/0.3
description FINANCA VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!
interface FastEthernet0/0.4
description ADMIN VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!
interface FastEthernet0/0.5
description OTHERS VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN20_IN in
!

That works, but now if I want to do the same for vlan10, the first one is cancelled and I can still ping vlan20 from vlan30, 40 and 50.

ip access-list extended BLOCK_ECHO_REQUEST_TO_VLAN10_IN
deny icmp any 172.16.0.0 0.0.31.255 echo
permit ip any any
!
interface FastEthernet0/0.3
description FINANCA VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!
interface FastEthernet0/0.4
description ADMIN VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!
interface FastEthernet0/0.5
description OTHERS VLAN
ip access-group BLOCK_ECHO_REQUEST_TO_VLAN10_IN in
!

Switch configuration

interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 20
!
interface FastEthernet0/3
switchport access vlan 30
!
interface FastEthernet0/4
switchport access vlan 40
!
interface FastEthernet0/5
switchport access vlan 50
!
interface FastEthernet0/6
switchport mode trunk
.
.
.
.
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 0004.9aeb.4a01
ip address 172.16.0.100 255.255.224.0
!
interface Vlan20
mac-address 0004.9aeb.4a02
ip address 172.16.32.100 255.255.224.0
!
interface Vlan30
mac-address 0004.9aeb.4a03
ip address 172.16.64.100 255.255.224.0
!
interface Vlan40
mac-address 0004.9aeb.4a04
ip address 172.16.96.100 255.255.224.0
!
interface Vlan50
mac-address 0004.9aeb.4a05
ip address 172.16.128.100 255.255.224.0

Router configuration

interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 172.16.0.50 255.255.224.0
ip access-group 1 in
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 172.16.32.50 255.255.224.0
ip access-group 1 in
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 172.16.64.50 255.255.224.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 40
ip address 172.16.96.50 255.255.224.0
!
interface FastEthernet0/0.5
encapsulation dot1Q 50
ip address 172.16.128.50 255.255.224.0

1 answer

You cannot have more than one access list per direction on an interface. So to achieve this, you must create a unique access list for each interface that permits only the traffic you want.
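The following is an added example, not code from the original question or answer. It models how IOS evaluates an inbound extended ACL (first matching entry wins, implicit deny at the end) and how a second `ip access-group ... in` overwrites the first binding, then builds the single combined ACL each sub-interface needs so that the ping hierarchy from the question holds. The subnets are the ones in the question's configuration; the ACL name prefix, the sample host addresses and the model itself are assumptions, and the standard ACL 1 applied on Fa0/0.1 and Fa0/0.2 in the router config is not modelled because its contents are not shown.

```python
"""Added example (not part of the original question or answer): a small model of
how IOS evaluates an inbound extended ACL (first match wins, implicit deny),
used to show why the question's second 'ip access-group' replaced the first and
to build the one combined ACL each sub-interface needs. Subnets are the ones in
the question; ACL names and the sample host addresses are assumptions."""
import ipaddress

# VLAN -> subnet, from the question's configs (/19, i.e. wildcard 0.0.31.255)
VLANS = {
    10: ipaddress.ip_network("172.16.0.0/19"),
    20: ipaddress.ip_network("172.16.32.0/19"),
    30: ipaddress.ip_network("172.16.64.0/19"),
    40: ipaddress.ip_network("172.16.96.0/19"),
    50: ipaddress.ip_network("172.16.128.0/19"),
}

# Intended hierarchy from the question: VLAN -> VLANs it may send echo requests to.
WANTED = {10: {20, 30, 40, 50}, 20: {10, 30, 40, 50}, 30: {50}, 40: {30, 50}, 50: set()}

# An access-control entry (ACE): (action, protocol, destination network or None, icmp type or None)


def ace_matches(ace, dst, proto, icmp_type):
    _, a_proto, a_dst, a_type = ace
    if a_proto != "ip" and a_proto != proto:
        return False
    if a_dst is not None and dst not in a_dst:
        return False
    if a_type is not None and a_type != icmp_type:
        return False
    return True


def evaluate(acl, dst, proto="icmp", icmp_type="echo"):
    """IOS semantics: the first matching entry decides; nothing matched -> deny."""
    for ace in acl:
        if ace_matches(ace, dst, proto, icmp_type):
            return ace[0]
    return "deny"


def apply_access_groups(acls):
    """Re-entering 'ip access-group NAME in' overwrites the previous binding,
    so only the last ACL in the list is actually active on the interface."""
    return acls[-1] if acls else None


def build_combined_acl(src_vlan):
    """One inbound ACL for src_vlan's sub-interface: deny echo requests toward
    every VLAN it may not ping, then permit all other traffic (replies included)."""
    acl = [("deny", "icmp", net, "echo")
           for dst_vlan, net in VLANS.items()
           if dst_vlan != src_vlan and dst_vlan not in WANTED[src_vlan]]
    acl.append(("permit", "ip", None, None))
    return acl


def render(src_vlan, name_prefix="BLOCK_ECHO_FROM_VLAN"):
    """Render build_combined_acl(src_vlan) as IOS lines (the name is an assumed convention)."""
    lines = [f"ip access-list extended {name_prefix}{src_vlan}_IN"]
    for action, proto, net, itype in build_combined_acl(src_vlan):
        if net is None:
            lines.append(f" {action} {proto} any any")
        else:
            lines.append(f" {action} {proto} any {net.network_address} {net.hostmask} {itype}")
    return "\n".join(lines)


def reachability(bindings):
    """bindings: {vlan: active inbound ACL or None}. Returns {vlan: VLANs it can ping}."""
    result = {}
    for src, acl in bindings.items():
        ok = set()
        for dst, net in VLANS.items():
            if dst == src:
                continue
            dst_host = net.network_address + 10  # assumed sample host in that VLAN
            if acl is None or evaluate(acl, dst_host) == "permit":
                ok.add(dst)
        result[src] = ok
    return result


# The question's two ACLs, applied one after the other on VLAN 30's sub-interface.
QUESTION_ACL_VLAN20 = [("deny", "icmp", VLANS[20], "echo"), ("permit", "ip", None, None)]
QUESTION_ACL_VLAN10 = [("deny", "icmp", VLANS[10], "echo"), ("permit", "ip", None, None)]


def combined_policy():
    """Bindings for every sub-interface using one ACL each; for VLAN 10 and 20 the
    ACL collapses to 'permit ip any any', so those interfaces need no ACL at all."""
    return {v: build_combined_acl(v) for v in VLANS}


if __name__ == "__main__":
    only_active = apply_access_groups([QUESTION_ACL_VLAN20, QUESTION_ACL_VLAN10])
    print("VLAN 30 with the question's stacked ACLs:", sorted(reachability({30: only_active})[30]))
    print("Combined policy matches intent:", reachability(combined_policy()) == WANTED)
    for v in VLANS:
        print(render(v))
```

Running it shows the failure from the question directly: with the two ACLs applied in sequence on the VLAN 30 sub-interface only the last one is active, so VLAN 30 can still ping VLAN 20. With one combined ACL per sub-interface the computed reachability equals the intended matrix, echo replies and non-ICMP traffic still pass the `permit ip any any` entry, and `render()` prints the IOS lines for each interface so they can be compared against the existing config.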