急�。。�！VLAN的問題��！謝謝！�。�

grace_redhat

型號：h3c3600si28tp

拓撲：路由器+h3c3600si28tp(1臺)+h3c1526交換機（3臺）， 3臺1526交換機分別接3個子網，分別是192.168.1.0/24  192.168.2.0/24  192.168.3.0/24,

其中3600交換的interface Ethernet1/0/1 interface Ethernet1/0/2屬于VLAN2，interface Ethernet1/0/3--interface Ethernet1/0/6屬于VLAN3

interface Ethernet1/0/7--interface Ethernet1/0/16屬于VLAN4，每個VLAN配置的接口IP為：192.168.1.1  192.168.2.1   192.168.3.1

路由器地址192.168.2.192 屬于VLAN3里，為了控制不同VLAN訪問做了一些ACL，主要是限制VLAN2和VLAN3不能訪問，具體看附件的配置文件。

客戶機設置：VLAN2的客戶機IP都設置為192.168.1.0/24的IP 網關為192.168.1.1，VLAN4的客戶機IP都設置為192.168.3.0/24的IP 網關為192.168.3.1

VLAN3的客戶機IP都設置為192.168.2.0/24的IP 網關為192.168.2.192(192.168.2.192為路由器IP)

現(xiàn)在出現(xiàn)得問題：

例如我是VLAN3的某臺客戶機（IP為192.168.2.10 網關為192.168.2.192），這樣設置后這臺電腦因為ACL得存在是無法訪問VLAN2里面任何一臺的電腦的。

情況1：如何我在這臺客戶機的網卡再添加一個IP為192.168.1.10的IP（網關不變），設置后，這臺客戶機能訪問VLAN3和VLAN2的所有電腦了。
情況2：如果我把這臺客戶機原來IP和網關（192.168.2.10和192.168.2.192）刪除，重新設置IP和網關（192.168.1.10  192.168.1.1），這個明明在VLAN3的客戶機也同樣可以訪問VLAN2的所有機器，但是就不能訪問192.168.2.0/24里的電腦了。

我想實現(xiàn)的：

VLAN2的客戶機只能設置IP為192.168.1.0/24的，設置其他子網的IP都沒用，同理VLAN3 VLAN4也是如此，只能設置自己相對應的子網IP。

麻煩幫我看看是什么問題，謝謝了 （另外配置里面有一個１９２.１６８.２.１９３的ＩＰ是連接我外面一個ＶＰＮ路由器的ＩＰ）

ssffzz1

帖：

交換機配置和出口路由器配置。

grace_redhat

*  Copyright (c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.   *

*  Without the owner's prior written consent,                                  *

*  no decompiling or reverse-engineering shall be allowed.                     *

********************************************************************************





Login authentication





Password:

<H3C>

%Apr 19 21:40:22:630 2000 H3C SHELL/5/LOGIN:- 1 - VTY(192.168.2.17) in unit1 log

in



<H3C>dis cu

#

sysname H3C

#

radius scheme system

#

domain system

#

local-user h3c

password simple h3c360028tpsi

service-type telnet

level 3

#

acl number 3000

rule 1 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.192 0

rule 2 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 3 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 4 deny ip source 192.168.2.192 0 destination 192.168.3.0 0.0.0.255

rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.192 0

acl number 3001

rule 1 deny ip destination 192.168.3.104 0

rule 2 permit ip source 192.168.2.10 0 destination 192.168.3.104 0

rule 3 permit ip source 192.168.2.26 0 destination 192.168.3.104 0

rule 4 permit ip source 192.168.2.27 0 destination 192.168.3.104 0

rule 5 permit ip source 192.168.2.88 0 destination 192.168.3.104 0

rule 6 permit ip source 192.168.2.32 0 destination 192.168.3.104 0

rule 7 permit ip source 192.168.2.11 0 destination 192.168.3.104 0

rule 8 permit ip source 192.168.2.17 0 destination 192.168.3.104 0

rule 9 permit ip source 192.168.2.18 0 destination 192.168.3.104 0

rule 10 permit ip source 192.168.2.19 0 destination 192.168.3.104 0

rule 11 permit ip source 192.168.2.20 0 destination 192.168.3.104 0

rule 12 permit ip source 192.168.2.21 0 destination 192.168.3.104 0

rule 13 permit ip source 192.168.2.22 0 destination 192.168.3.104 0

rule 14 permit ip source 192.168.2.23 0 destination 192.168.3.104 0

rule 15 permit ip source 192.168.2.200 0 destination 192.168.3.104 0

rule 16 permit ip source 192.168.2.250 0 destination 192.168.3.104 0

rule 17 permit ip source 192.168.2.24 0 destination 192.168.3.104 0

rule 18 permit ip source 192.168.2.113 0 destination 192.168.3.104 0

rule 19 permit ip source 192.168.2.50 0 destination 192.168.3.104 0

rule 20 permit ip source 192.168.2.51 0 destination 192.168.3.104 0

rule 21 permit ip source 192.168.2.52 0 destination 192.168.3.104 0

rule 22 permit ip source 192.168.2.53 0 destination 192.168.3.104 0

rule 23 permit ip source 192.168.2.54 0 destination 192.168.3.104 0

rule 24 permit ip source 192.168.2.55 0 destination 192.168.3.104 0

rule 25 permit ip source 192.168.2.35 0 destination 192.168.3.104 0

rule 26 permit ip source 192.168.2.28 0 destination 192.168.3.104 0

acl number 3002

rule 1 deny ip destination 192.168.3.102 0

rule 2 permit ip source 192.168.2.18 0 destination 192.168.3.102 0

rule 3 permit ip source 192.168.2.19 0 destination 192.168.3.102 0

rule 4 permit ip source 192.168.2.21 0 destination 192.168.3.102 0

rule 5 permit ip source 192.168.2.22 0 destination 192.168.3.102 0

rule 6 permit ip source 192.168.2.23 0 destination 192.168.3.102 0

rule 7 permit ip source 192.168.2.24 0 destination 192.168.3.102 0

rule 8 permit ip source 192.168.2.182 0 destination 192.168.3.102 0

rule 9 permit ip source 192.168.2.28 0 destination 192.168.3.102 0

#

vlan 1 to 4092

#

vlan 4094

#

interface Vlan-interface1

#

interface Vlan-interface2

ip address 192.168.1.1 255.255.255.0

#

interface Vlan-interface3

ip address 192.168.2.1 255.255.255.0

#

interface Vlan-interface4

ip address 192.168.3.1 255.255.255.0

#

interface Aux1/0/0

#

interface Ethernet1/0/1

port access vlan 2

#

interface Ethernet1/0/2

port access vlan 2

#

interface Ethernet1/0/3

port access vlan 3

packet-filter inbound ip-group 3000 rule 3

packet-filter inbound ip-group 3001 rule 1

packet-filter inbound ip-group 3001 rule 2

packet-filter inbound ip-group 3001 rule 3

packet-filter inbound ip-group 3001 rule 4

packet-filter inbound ip-group 3001 rule 5

packet-filter inbound ip-group 3001 rule 7

packet-filter inbound ip-group 3001 rule 8

packet-filter inbound ip-group 3001 rule 9

packet-filter inbound ip-group 3001 rule 10

packet-filter inbound ip-group 3001 rule 11

packet-filter inbound ip-group 3001 rule 12

packet-filter inbound ip-group 3001 rule 13

packet-filter inbound ip-group 3001 rule 14

packet-filter inbound ip-group 3001 rule 15

packet-filter inbound ip-group 3001 rule 16

packet-filter inbound ip-group 3001 rule 17

packet-filter inbound ip-group 3001 rule 18

packet-filter inbound ip-group 3001 rule 19

packet-filter inbound ip-group 3001 rule 20

packet-filter inbound ip-group 3001 rule 21

packet-filter inbound ip-group 3001 rule 22

packet-filter inbound ip-group 3001 rule 23

packet-filter inbound ip-group 3001 rule 24

packet-filter inbound ip-group 3001 rule 6

packet-filter inbound ip-group 3001 rule 25

#

interface Ethernet1/0/4

port access vlan 3

packet-filter inbound ip-group 3000 rule 3

#

interface Ethernet1/0/5

port access vlan 3

packet-filter inbound ip-group 3000 rule 3

#

interface Ethernet1/0/6

port access vlan 3

packet-filter inbound ip-group 3000 rule 3

#

interface Ethernet1/0/7

port access vlan 4

#

interface Ethernet1/0/8

port access vlan 4

#

interface Ethernet1/0/9

port access vlan 4

#

interface Ethernet1/0/10

port access vlan 4

#

interface Ethernet1/0/11

port access vlan 4

#

interface Ethernet1/0/12

port access vlan 4

#

interface Ethernet1/0/13

port access vlan 4

#

interface Ethernet1/0/14

port access vlan 4

#

interface Ethernet1/0/15

port access vlan 4

#

interface Ethernet1/0/16

port access vlan 4

#

interface Ethernet1/0/17

#

interface Ethernet1/0/18

#

interface Ethernet1/0/19

#

interface Ethernet1/0/20

#

interface Ethernet1/0/21

#

interface Ethernet1/0/22

#

interface Ethernet1/0/23

#

interface Ethernet1/0/24

#

interface GigabitEthernet1/1/1

#

interface GigabitEthernet1/1/2

#

interface GigabitEthernet1/1/3

#

interface GigabitEthernet1/1/4

#

undo irf-fabric authentication-mode

#

interface NULL0

#

dhcp-snooping

#

voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000

#

ip route-static 192.168.4.0 255.255.255.0 192.168.2.193 preference 60

#

user-interface aux 0 7

user-interface vty 0 4

user privilege level 3

set authentication password simple h3c11360028tpsirr

#

return

grace_redhat

路由器就是普通圖形路由器

ssffzz1

你把VLAN2的機器的網關設置為192.168.2.1 同時斷開和出口路由器的連接，試驗一下還是這個情況嗎？

hehe110

太復雜！
沒有看明白！