vlan之间不能互访

三层交换机vlan划分和访问控制策略方法一：配置基于端口的VLAN#创建vlan1并进入视图（连接ICG2000电信路由器及办公室，信息管理部）H3Csystem-view[H3C]vlan1#向VLAN1中加入端口Ethernet1/0/1和Ethernet1/0/2。将物理端口1、2划分为VLAN1[H3C-vlan1]portEthernet1/0/1Ethernet1/0/2（或者porte1/0/1e1/0/2）#创建VLAN2并进入其视图H3csystem-view[H3c]vlan2#向VLAN2中加入端口Ethernet1/0/3和Ethernet1/0/5。[H3C-vlan2]portEthernet1/0/3toEthernet1/0/5（或者porte1/0/3e1/0/5）#创建VLAN3并进入其视图H3csystem-view[H3C]vlan3#向VLAN3中加入端口Ethernet1/0/6和Ethernet1/0/10[H3C-vlan3]portEthernet1/0/6toEthernet1/0/10（或者porte1/0/6e1/0/10）二：IP地址配置#配置VLAN1的IP地址。H3Csystem-view[H3C]interfaceVlan-interface1[H3C-Vlan-interface1]ipaddress192.168.1.1255.255.255.0#配置VLAN2的IP地址。H3Csystem-view[H3C]interfaceVlan-interface2[H3C-Vlan-interface2]ipaddress192.168.2.1255.255.255.0#配置VLAN3的IP地址。H3Csystem-view[H3C]interfaceVlan-interface3[H3C-Vlan-interface3]ipaddress192.168.3.1255.255.255.0配置好后，交换机上ping各网关之间应该能够互通，在配置好的端口上连上pc设置好ip三：本交换机上建立默认路由[H3C]iproute-static0.0.0.00.0.0.0192.168.1.2preference60(将下一跳指向ICG2000默认关)四、设置ACL策略禁止vlan2vlan3访问//进入3000号的高级访问控制列表视图[H3C]aclnumber3000//定义访问规则禁止(源)Vlan2与（目的）Vlan3之间互访[H3C-acl-adv-3000]rule1denyipsource192.168.2.00.0.0.255destination192.168.3.00.0.0.255[H3C-acl-adv-3000]quit//进入3001号的高级访问控制列表视图[H3C]aclnumber3001//定义访问规则禁止(源)Vlan3与（目的）Vlan2之间互访[H3C-acl-adv-3001]rule1denyipsource192.168.3.00.0.0.255destination192.168.2.00.0.0.255[H3C-acl-adv-3001]quit//在VLAN2上应用ACL3000。[H3C]packet-filtervlan2inboundip-group3000//在VLAN3上应用ACL3001。[H3C]packet-filtervlan3inboundip-group3001这样，2与3网段就不能相互访问了