Preface:
The S5500 does not support applying an ACL directly on an interface with packet-filter; inter-VLAN access control can instead be implemented with a QoS policy.
VLAN_ID   IP/MASK
01        192.168.1.0/24
02        192.168.2.0/24
03        192.168.3.0/24
Goal:
On port g1/0/1, restrict VLAN02 and VLAN03 from accessing VLAN01.
Procedure:
# Define advanced ACL 3000
acl number 3000
 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 quit
# Define traffic class C_VLAN
traffic classifier c_vlan
 if-match acl 3000
 quit
# Define traffic behavior B_VLAN
traffic behavior b_vlan
 filter deny
 quit
# Define QoS policy P_VLAN
qos policy p_vlan
 classifier c_vlan behavior b_vlan
 quit
# Apply the QoS policy in the inbound direction of port g1/0/1
interface g1/0/1
 qos apply policy p_vlan inbound
 quit
Done!
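As an added check (not part of the original page), the Python model below evaluates the wildcard-mask rules of ACL 3000 the way the inbound QoS policy would, so you can confirm which VLAN pairs are actually dropped before applying the policy. It assumes the S5500 behaviour in which the ACL rule's permit/deny keyword serves only as a match criterion inside a QoS classifier and the drop comes from the behavior's filter deny; the probe hosts (.10 in each subnet) are constructed sample addresses.

```python
import ipaddress

# ACL 3000 rules copied from the configuration above (H3C advanced-ACL syntax).
ACL_3000 = [
    "rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255",
    "rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
]
# VLAN table from the page, used to build one probe host per VLAN.
VLANS = {"VLAN01": "192.168.1.0/24", "VLAN02": "192.168.2.0/24", "VLAN03": "192.168.3.0/24"}


def parse_rule(text):
    """Parse 'rule <id> <deny|permit> ip source A W destination B W' into a dict."""
    t = text.split()
    if len(t) != 10 or t[0] != "rule" or t[3:5] != ["ip", "source"] or t[7] != "destination":
        raise ValueError(f"unsupported rule syntax: {text}")
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return {"id": int(t[1]), "action": t[2],
            "src": (to_int(t[5]), to_int(t[6])), "dst": (to_int(t[8]), to_int(t[9]))}


def wildcard_match(addr, net, wild):
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def classify(rule_texts, src, dst):
    """First rule (by rule number) whose source and destination both match, else None."""
    for r in sorted(map(parse_rule, rule_texts), key=lambda r: r["id"]):
        if wildcard_match(src, *r["src"]) and wildcard_match(dst, *r["dst"]):
            return r["id"]
    return None


def policy_verdict(rule_texts, src, dst):
    """Assumed S5500 model: class c_vlan matches any ACL 3000 hit (rule action ignored),
    behavior b_vlan 'filter deny' drops it; unmatched traffic is forwarded untouched."""
    return "drop" if classify(rule_texts, src, dst) is not None else "forward"


def inter_vlan_matrix(rule_texts, vlans=VLANS):
    """Probe host .10 of every VLAN against host .10 of every other VLAN (constructed hosts)."""
    hosts = {name: str(ipaddress.ip_network(net)[10]) for name, net in vlans.items()}
    return {(s, d): policy_verdict(rule_texts, hosts[s], hosts[d])
            for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    for (s, d), verdict in sorted(inter_vlan_matrix(ACL_3000).items()):
        print(f"{s} -> {d}: {verdict}")
```

The matrix shows that these two rules only match packets whose source is 192.168.1.0/24; traffic entering g1/0/1 from the other subnets toward VLAN01 is not matched by them, so check the output against the direction you actually intend to block.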