一、需求：

        局域网内两个网段，vlan10 和 vlan 20，分别实现 vlan10 可访问专网，vlan20 可访问互联网，且两个网段彼此不互通。拓朴如下：

二、配置思路：

        1、S1起 vlan10、20，做 acl 配置网段禁止互访策略，上联口做 trunk口

        2、网关起在 R1 上，R1 下联口做单臂路由

        3、R1 两个出口分别做源 nat （Easy IP）

三、具体配置如下：

[S1]
vlan batch 10 20
#
acl number 2000rule 5 deny source 172.1.1.0 0.0.0.255rule 10 permit
#
acl number 2001rule 5 deny source 10.1.1.0 0.0.0.255rule 10 permit
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 10traffic-filter inbound acl 2000
#
interface GigabitEthernet0/0/2port link-type accessport default vlan 20traffic-filter inbound acl 2001
#
interface GigabitEthernet0/0/24port link-type trunkport trunk allow-pass vlan 2 to 4094
#[R1]
acl number 3000  rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.199.0 0.0.0.255 rule 10 deny ip 
acl number 3001  rule 6 permit ip source 172.1.1.0 0.0.0.255 destination 8.8.8.0 0.0.0.255 rule 10 deny ip 
#
interface GigabitEthernet0/0/0.1dot1q termination vid 10ip address 10.1.1.254 255.255.255.0 arp broadcast enable
#
interface GigabitEthernet0/0/0.2dot1q termination vid 20ip address 172.1.1.254 255.255.255.0 arp broadcast enable
#
interface GigabitEthernet0/0/1ip address 192.168.199.2 255.255.255.0 nat outbound 3000
#
interface GigabitEthernet0/0/2ip address 8.8.8.2 255.255.255.0 nat outbound 3001
#