1. Test topology:
2. Basic configuration:
R1 (simulating a Layer 3 switch):
    vlan database
     vlan 2
     vlan 3
     exit
    config t
    interface f0/2
     switchport mode access
     switchport access vlan 2
    interface f0/3
     switchport mode access
     switchport access vlan 3
    interface f0/4
     switchport mode access
     switchport access vlan 1
    interface vlan 1
     ip address 192.168.1.1 255.255.255.0
    interface vlan 2
     ip address 192.168.2.1 255.255.255.0
    interface vlan 3
     ip address 192.168.3.1 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 192.168.1.4
R2 (simulating a PC in VLAN 2):
    interface e0/0
     ip address 192.168.2.2 255.255.255.0
     no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
R3 (simulating a PC in VLAN 3):
    interface e0/0
     ip address 192.168.3.3 255.255.255.0
     no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.3.1
R4 (simulating the router connected to the Internet):
    interface e0/0
     ip address 192.168.1.4 255.255.255.0
     no shutdown
    interface e0/1
     ip address 202.100.1.1 255.255.255.0
     no shutdown
    ip route 0.0.0.0 0.0.0.0 202.100.1.2
    ip route 192.168.0.0 255.255.0.0 192.168.1.1
3. Access control
A. Option 1: reflexive ACL
R1:
    ip access-list extended ACLOUT
     permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect REF
     permit ip any 192.168.3.0 0.0.0.255
    ip access-list extended ACLIN
     evaluate REF
     deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 any
    interface Vlan3
     ip access-group ACLIN in
     ip access-group ACLOUT out
R4:
    ip access-list extended ACLOUT
     permit ip 192.168.0.0 0.0.255.255 any reflect REF
    ip access-list extended ACLIN
     evaluate REF
    interface e0/1
     ip access-group ACLIN in
     ip access-group ACLOUT out
B. Option 2: plain ACL with the established keyword (can only control one-way access for TCP)
R1:
    ip access-list extended ACLIN
     permit tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
     deny tcp 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
     permit ip 192.168.3.0 0.0.0.255 any
    interface Vlan3
     ip access-group ACLIN in
R4:
    ip access-list extended ACLIN
     permit tcp any 192.168.0.0 0.0.255.255 established
     deny tcp any 192.168.0.0 0.0.255.255
     permit ip any 192.168.0.0 0.0.255.255
    interface e0/1
     ip access-group ACLIN in
Reprinted from: http://wcbmx.baihongyu.com/
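To make the difference between the two options concrete, here is an added Python model (not Cisco code and not part of the original post) of R1's Vlan3 filtering under Option 1 (reflexive ACL) and Option 2 (established keyword), run over a few constructed packets; the packet tuples, port numbers and the 202.100.1.2 destination are assumptions for the demonstration.

```python
import ipaddress

VLAN2 = ipaddress.ip_network("192.168.2.0/24")
VLAN3 = ipaddress.ip_network("192.168.3.0/24")

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

class ReflexiveFilter:
    """Option 1 on R1's Vlan3: ACLOUT mirrors VLAN2->VLAN3 flows into REF,
    ACLIN honours REF, then denies VLAN3->VLAN2, then permits VLAN3->any."""
    def __init__(self):
        self.ref = set()  # mirrored (proto, src, sport, dst, dport) entries

    def outbound(self, pkt):  # ACLOUT, applied "out" on Vlan3
        proto, src, sport, dst, dport, _ = pkt
        if in_net(src, VLAN2) and in_net(dst, VLAN3):      # ... reflect REF
            self.ref.add((proto, dst, dport, src, sport))  # reversed 5-tuple
            return True
        return in_net(dst, VLAN3)                          # permit ip any 192.168.3.0

    def inbound(self, pkt):  # ACLIN, applied "in" on Vlan3
        proto, src, sport, dst, dport, _ = pkt
        if (proto, src, sport, dst, dport) in self.ref:   # evaluate REF
            return True
        if in_net(src, VLAN3) and in_net(dst, VLAN2):     # deny ip 3.0 -> 2.0
            return False
        return in_net(src, VLAN3)                         # permit ip 3.0 any

def established_inbound(pkt):
    """Option 2 on R1's Vlan3: 'established' only looks at TCP ACK/RST bits."""
    proto, src, sport, dst, dport, flags = pkt
    if proto == "tcp" and in_net(src, VLAN3) and in_net(dst, VLAN2):
        return bool(flags & {"ACK", "RST"})  # permit ... established / deny tcp
    return in_net(src, VLAN3)                # permit ip 3.0 any (UDP, ICMP too)

def run_scenarios():
    """Constructed packets: (proto, src, sport, dst, dport, tcp_flags)."""
    ref = ReflexiveFilter()
    syn_2to3 = ("tcp", "192.168.2.2", 40000, "192.168.3.3", 80, {"SYN"})
    ref.outbound(syn_2to3)  # VLAN2 opens a session; REF entry is created
    pkts = {
        "reply_3to2":  ("tcp", "192.168.3.3", 80, "192.168.2.2", 40000, {"SYN", "ACK"}),
        "syn_3to2":    ("tcp", "192.168.3.3", 50000, "192.168.2.2", 22, {"SYN"}),
        "udp_3to2":    ("udp", "192.168.3.3", 5000, "192.168.2.2", 53, set()),
        "syn_3toinet": ("tcp", "192.168.3.3", 50001, "202.100.1.2", 443, {"SYN"}),
    }
    return {name: (ref.inbound(p), established_inbound(p)) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, (r, e) in run_scenarios().items():
        print(f"{name:12} reflexive={r!s:5} established={e}")
```

The `udp_3to2` row is the point of the page's parenthetical: the reflexive ACL drops it, while the established-based ACL lets non-TCP traffic from VLAN 3 into VLAN 2 through.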