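Lab objective

Use an ACL (access control list) so that pc1 in VLAN 10 cannot reach pc3 in VLAN 30.

pc2 in VLAN 20 can still reach pc3 in VLAN 30, and pc1 and pc2 can reach each other.

The topology is as follows

Lab steps

1. Configure the IP address, mask and gateway on each PC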

pc1:192.168.10.1 24 192.168.10.254

pc2:192.168.20.1 24 192.168.20.254

pc3:192.168.30.1 24 192.168.30.254

2. Configure the middle switch: create the VLANs and assign the ports to them

[Huawei]vlan 10
[Huawei-vlan10]vlan 20
[Huawei-vlan20]vlan 30
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 10
[Huawei-Ethernet0/0/2]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access 
[Huawei-Ethernet0/0/3]port default vlan 20
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type access 
[Huawei-Ethernet0/0/4]port default vlan 30
[Huawei-Ethernet0/0/4]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk 
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all

3. Configure the upper switch and assign the gateway addresses on it

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei-GigabitEthernet0/0/1]vlan 10
[Huawei-vlan10]vlan 20
[Huawei-vlan20]vlan 30
[Huawei-vlan30]int vlan 10
[Huawei-Vlanif10]ip add 192.168.10.254 24
[Huawei-Vlanif10]int vlan 20
[Huawei-Vlanif20]ip add 192.168.20.254 24
[Huawei-Vlanif20]int vlan 30
[Huawei-Vlanif30]ip add 192.168.30.254 24

4. At this point both VLAN 10 and VLAN 20 can ping VLAN 30

pc1:ping 192.168.30.1

pc2:ping 192.168.30.1

5. ACL configuration

(1) Create a rule to restrict access

[Huawei]acl name test advance
[Huawei-acl-adv-test]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Huawei-acl-adv-test]rule permit ip source any destination any

(2) Apply the ACL rule (inbound on interface GigabitEthernet0/0/1)

[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl name test

6. Ping test

pc1 cannot reach pc3

pc1 can reach pc2

pc2 can reach pc3
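
The rules from step 5 checked against the results in step 6, as an added example that is not part of the original lab: a first-match ACL evaluator using wildcard masks. It assumes rule IDs 5 and 10 (the default numbering step; the page does not show the IDs) and that every inter-VLAN packet, in both directions, enters the upper switch on GigabitEthernet0/0/1, as the trunk and Vlanif configuration in steps 2 and 3 implies; the function names are illustrative.

```python
import ipaddress

# Rules from step 5 in the order they were entered. IDs 5 and 10 are an
# assumption (default numbering step of 5); the page does not display them.
ACL_TEST = [
    (5, "deny", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    (10, "permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src, dst):
    """Return (action, rule_id) of the first matching rule, lowest ID first."""
    for rule_id, action, s_base, s_wild, d_base, d_wild in sorted(acl):
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action, rule_id
    # Not reachable with ACL_TEST, because rule 10 matches every packet.
    return "no-match", None


def ping_ok(acl, a, b):
    """A ping from a to b needs the echo request (a->b) and the reply (b->a)."""
    return evaluate(acl, a, b)[0] == "permit" and evaluate(acl, b, a)[0] == "permit"


# Constructed sample hosts: the PC addresses from step 1.
PC1, PC2, PC3 = "192.168.10.1", "192.168.20.1", "192.168.30.1"

if __name__ == "__main__":
    for a, b in [(PC1, PC3), (PC2, PC3), (PC1, PC2), (PC3, PC1)]:
        print(f"{a} -> {b}: request {evaluate(ACL_TEST, a, b)}, "
              f"ping {'ok' if ping_ok(ACL_TEST, a, b) else 'fails'}")
    # Same two rules with the IDs swapped: the permit-all now matches first.
    swapped = [(10,) + ACL_TEST[0][1:], (5,) + ACL_TEST[1][1:]]
    print("swapped order, pc1 -> pc3:", evaluate(swapped, PC1, PC3))
```

Because the echo reply from pc1 also matches rule 5, a ping started from pc3 towards pc1 fails as well, even though the request in that direction is permitted by rule 10.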

Lab complete

The lab objective has been achieved