怎样配置可以让vlan300不能访问vlan100

假如 A 交换机 vlan100,vlan200,B 交换机 vlan300,vlan400,怎样配置可以让vlan300 不能访问 vlan100?vlan200 可以访问 vlan400?有多种方法可以实现：比如 PVLAN，ACL 等。按照你的拓扑，我用 PT 模拟了一种做法：单臂路由+ACL，可以参考一下，有图，有配置： 交换机 A:interface FastEthernet0/2 switchport access vlan 100 switchport mode access!interface FastEthernet0/3 switchport access vlan 100 switchport mode access!interface FastEthernet0/11 switchport access vlan 200 switchport mode access!interface FastEthernet0/12 switchport access vlan 200 switchport mode access!interface FastEthernet0/1 switchport trunk allowed vlan 100,200 switchport mode trunk 交换机 B:interface FastEthernet0/2 switchport access vlan 300 switchport mode access!interface FastEthernet0/3 switchport access vlan 300 switchport mode access!interface FastEthernet0/11 switchport access vlan 400 switchport mode access!interface FastEthernet0/12 switchport access vlan 400 switchport mode access !interface FastEthernet0/1 switchport trunk allowed vlan 300,400 switchport mode trunk Router:interface FastEthernet0/0.1 encapsulation dot1Q 100 ip address 192.168.1.1 255.255.255.0!interface FastEthernet0/0.2 encapsulation dot1Q 200 ip address 192.168.2.1 255.255.255.0!interface FastEthernet0/1.1 encapsulation dot1Q 400 ip address 192.168.4.1 255.255.255.0!interface FastEthernet0/1.2 encapsulation dot1Q 300 ip address 192.168.3.1 255.255.255.0 ip access-group 1 out!access-list 1 deny 192.168.1.0 0.0.0.255access-list 1 permit any 60 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.2960-24TT starting...Base ethernet MAC Address: 0001.42AD.CAACXmodem file system is available.Initializing Flash...flashfs[0]: 1 files, 0 directoriesflashfs[0]: 0 orphan...