Cisco IOS: Isolating VLANs

I am trying to isolate the traffic on the VLANs, because one of them is our guest VLAN (VLAN 3 is the guest LAN). It is a Cisco 881W router.

Here is my VLAN configuration:

! Vlan2: internal LAN
interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
! Vlan3: guest LAN
interface Vlan3
 ip address 10.100.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!

Here are my ACLs:

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.100.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.100.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 70.22.148.0 0.0.0.255 any
! ACL 101 is the one applied inbound on Vlan3 (ip access-group 101 in)
access-list 101 permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255
access-list 101 deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 permit ip host 255.255.255.255 any

As soon as I add ip access-group 101 to VLAN 3, VLAN 3 can no longer get out of the router. VLAN 3 can still ping the router at 10.100.10.1, and 10.10.100.* can no longer be pinged from VLAN 3 (as desired).

Update: I also had to add

! Note: a protocol/port match such as "udp any any eq bootpc" is extended-ACL
! syntax; IOS does not accept it in a standard ACL (numbers 1-99), so these
! entries need to live in an extended ACL such as the 101 applied to Vlan3.
access-list 10 permit udp any any eq bootpc
access-list 10 permit udp any any eq bootps

to make DHCP work.

Solution

To fix the lack of Internet access: you have no permit rule allowing 10.100.10.0/24 to 0.0.0.0/0. If all you want is to deny the 10.100.10.0/24 network access to the 10.10.100.0/24 network, you want your access list to work like this (in this order):

1) deny 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255
2) permit 10.100.10.0 0.0.0.255 any
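To see why the asker's ACL 101 cuts off Internet access and why the order given in the answer matters, here is an added example that is not from the question, the answer, or Cisco: a small simulator of IOS extended-ACL evaluation (first matching entry wins, unmatched traffic hits the implicit deny at the end). The ACL entries are the page's own; the sample packets, the 93.184.216.34 destination, and all function names are constructed for this example.

```python
"""Simulate Cisco IOS extended-ACL evaluation: first match wins, and any
packet that matches no entry is dropped by the implicit "deny ip any any"."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (only the ones used here).
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> tuple:
    """Parse one entry as written after 'access-list 101 ' in the config."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, swc, i = _parse_addr(tok, 2)
    dst, dwc, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, src, swc, dst, dwc, dport


def ace_matches(ace: tuple, pkt: Packet) -> bool:
    action, proto, src, swc, dst, dwc, dport = ace
    if proto != "ip" and proto != pkt.proto:      # 'ip' covers every protocol
        return False
    if not (wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc)):
        return False
    return dport is None or pkt.dport == dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); (deny, None) is the implicit deny."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0], n
    return "deny", None


# The asker's ACL 101 exactly as posted (applied inbound on Vlan3).
ORIGINAL_ACL_101 = [
    "permit ip 10.100.10.0 0.0.0.255 10.100.10.0 0.0.0.255",
    "deny icmp 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255",
    "deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255",
]
# The answer's ordering, with the asker's DHCP permits placed in the same ACL.
FIXED_ACL_101 = [
    "permit udp any any eq bootps",
    "permit udp any any eq bootpc",
    "deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255",
    "permit ip 10.100.10.0 0.0.0.255 any",
]
# The same two entries in the wrong order: the permit shadows the deny.
SHADOWED_ACL_101 = [
    "permit ip 10.100.10.0 0.0.0.255 any",
    "deny ip 10.100.10.0 0.0.0.255 10.10.100.0 0.0.0.255",
]

# Constructed sample traffic entering Vlan3 from the guest LAN.
SAMPLE_PACKETS = {
    "guest_to_guest": Packet("tcp", "10.100.10.50", "10.100.10.60", 445),
    "guest_to_internal": Packet("icmp", "10.100.10.50", "10.10.100.20"),
    "guest_to_internet": Packet("tcp", "10.100.10.50", "93.184.216.34", 443),
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
}


def classify(acl: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL_101), ("fixed", FIXED_ACL_101),
                       ("shadowed", SHADOWED_ACL_101)):
        print(label)
        for name, (action, n) in classify(acl).items():
            print(f"  {name:18s} {action:6s} entry {n if n else 'implicit deny'}")
```

Running it shows the original ACL dropping both Internet-bound traffic and the DHCP discover (source 0.0.0.0) on the implicit deny, the corrected order permitting them while still denying guest-to-internal traffic, and the shadowed variant letting guest-to-internal traffic through because the permit is evaluated first. One caveat the page does not spell out: "permit ... any" also lets guests reach the router's own addresses (10.100.10.1 and the WAN interface), so deny those hosts before the permit if management from the guest VLAN should be blocked.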
