Company Network Planning
Lab requirements: the five departments must not be able to access one another, but all of them can access the server and the Internet. The server cannot access the Internet. The Internet cannot initiate access to internal services.

Lab equipment: a router (3620), a switch (2950), 6 PCs, etc.

Lab objectives: understand VLAN partitioning, access control list configuration, trunk encapsulation, firewall configuration, etc.

The specific steps follow.

VLAN partitioning

route:

    en
    conf t
    int fa0/0.1
     encapsulation isl 1
     ip add 192.168.1.1 255.255.255.0
     no shut
    int fa0/0.2
     encapsulation isl 2
     ip add 192.168.2.1 255.255.255.0
     no shut
    int fa0/0.3
     encapsulation isl 3
     ip add 192.168.3.1 255.255.255.0
     no shut
    int fa0/0.4
     encapsulation isl 4
     ip add 192.168.4.1 255.255.255.0
     no shut
    int fa0/0.5
     encapsulation isl 5
     ip add 192.168.5.1 255.255.255.0
     no shut
    int fa0/0.6
     encapsulation isl 6
     ip add 192.168.6.1 255.255.255.0
     no shut

switch:

    en
    vlan database
    vlan 2 name vlan2
    vlan 3 name vlan3
    vlan 4 name vlan4
    vlan 5 name vlan5
    vlan 6 name vlan6
    Ctrl+Z
    en
    conf t
    int fa0/2
     switchport access vlan 2
    int fa0/3
     switchport access vlan 3
    int fa0/4
     switchport access vlan 4
    int fa0/5
     switchport access vlan 5
    int fa0/6
     switchport access vlan 6
    int fa0/7
     switchport mode trunk
     switchport trunk encapsulation isl

PC addresses:

    pc1: 192.168.1.2 255.255.255.0
    pc2: 192.168.2.2 255.255.255.0
    pc3: 192.168.3.2 255.255.255.0
    pc4: 192.168.4.2 255.255.255.0
    pc5: 192.168.5.2 255.255.255.0
    pc6: 192.168.6.2 255.255.255.0

Access control list and firewall configuration: this part is rather tedious. I have not modified his settings; instead, I give a partial example again at the very bottom for everyone, and the rest can be done by following it.

route:

    en
    conf t
    access-list 101 deny tcp 192.168.1.2 0.0.0.255 any established
    access-list 101 permit tcp any any established
    access-list 102 permit ip 192.168.1.2 0.0.0.255 192.168.2.1 0.0.4.255
    access-list 103 permit ip 192.168.2.2 0.0.0.255 192.168.1.2 0.0.0.255
    access-list 103 deny ip 192.168.2.2 0.0.0.255 192.168.3.2 0.0.4.255
    access-list 104 permit ip 192.168.3.2 0.0.0.255 192.168.1.2 0.0.0.255
    access-list 104 deny ip 192.168.3.2 0.0.0.255 192.168.4.2 0.0.3.255
    access-list 104 deny ip 192.168.3.2 0.0.0.255 192.168.2.2 0.0.0.255
    access-list 105 permit ip 192.168.4.2 0.0.0.255 192.168.1.2 0.0.0.255
    access-list 105 deny ip 192.168.4.2 0.0.0.255 192.168.5.2 0.0.2.255
    access-list 105 deny ip 192.168.4.2 0.0.0.255 192.168.2.2 0.0.2.255
    access-list 106 permit ip 192.168.5.2 0.0.0.255 192.168.1.2 0.0.0.255
    access-list 106 deny ip 192.168.5.2 0.0.0.255 192.168.2.1 0.0.3.255
    access-list 106 deny ip 192.168.5.2 0.0.0.255 192.168.6.2 0.0.0.255
    access-list 107 permit ip 192.168.6.2 0.0.0.255 192.168.1.2 0.0.0.255
    ! destination address below is malformed in the source; left as written
    access-list 107 deny ip 192.168.6.2 0.0.0.255 192.168.2.2.1 0.0.4.255
    ! the source gives no direction (in/out) for the "ip access-group 101" lines
    int e0/0.1
     ip access-group 101
     ip access-group 102 in
    int e0/0.2
     ip access-group 101
     ip access-group 103 in
    int e0/0.3
     ip access-group 101
     ip access-group 104 in
    int e0/0.4
     ip access-group 101
     ip access-group 105 in
    int e0/0.5
     ip access-group 101
     ip access-group 106 in
    int e0/0.6
     ip access-group 101
     ip access-group 107 in

    access-list 101 permit tcp 192.168.0.0 0.0.7.255 any
    int e0/0.1
     ip access-group 101 out
    access-list 102 deny tcp 192.168.3.0 0.0.0.255 any
    access-list 102 deny tcp 192.168.4.0 0.0.0.255 any
    access-list 102 deny tcp 192.168.5.0 0.0.0.255 any
    access-list 102 deny tcp 192.168.6.0 0.0.0.255 any
    access-list 102 permit tcp 192.168.1.0 0.0.0.255 any
    access-list 102 permit tcp any any established
    int e0/0.2
     ip access-group 102 out

This article is from the 51CTO.COM technical blog.
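The ACL entries above rely on wildcard masks such as 0.0.4.255 and 0.0.3.255, which do not always cover the range of subnets a quick reading suggests. The following check is an added example, not part of the original post: it applies Cisco wildcard matching (a 1 bit in the wildcard means "ignore this bit") to address/wildcard pairs taken from the page and reports which of the six lab subnets each pair fully covers. The names `wildcard_match`, `covered_vlans`, `LAB_VLANS` and `ENTRIES` are chosen here for illustration.

```python
import ipaddress

# The six lab subnets from the page: 192.168.1.0/24 .. 192.168.6.0/24
LAB_VLANS = range(1, 7)


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored,
    every other bit of addr must equal the same bit of base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def covered_vlans(base, wildcard):
    """Return the third octets of the lab subnets whose every address
    is matched by the given base/wildcard pair."""
    covered = []
    for n in LAB_VLANS:
        net = ipaddress.ip_network(f"192.168.{n}.0/24")
        if all(wildcard_match(str(h), base, wildcard) for h in net):
            covered.append(n)
    return covered


# Address/wildcard pairs copied from the ACL entries on the page.
ENTRIES = [
    ("access-list 102 destination", "192.168.2.1", "0.0.4.255"),
    ("access-list 103 destination", "192.168.3.2", "0.0.4.255"),
    ("access-list 104 destination", "192.168.4.2", "0.0.3.255"),
    ("access-list 105 destination", "192.168.5.2", "0.0.2.255"),
    ("access-list 101 source (last example)", "192.168.0.0", "0.0.7.255"),
]

if __name__ == "__main__":
    for label, base, wildcard in ENTRIES:
        nets = ", ".join(f"192.168.{n}.0/24" for n in covered_vlans(base, wildcard))
        print(f"{label}: {base} {wildcard} -> {nets}")
```

Running it shows, for instance, that `192.168.2.1 0.0.4.255` covers only 192.168.2.0/24 and 192.168.6.0/24, because the wildcard frees a single bit of the third octet, while `192.168.0.0 0.0.7.255` covers all six subnets.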


hehandong