Deny vlan10 access to vlan30
#
acl number 3000
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip
#
traffic-filter vlan 10 inbound acl 3000
#
Deny vlan10 access to vlan20
acl number 3001
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip
#
traffic classifier c1 operator and
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p1
classifier c1 behavior b1
#
vlan 10
traffic-policy p1 inbound
At this point, the traffic-filter vlan 10 inbound acl 3000 configuration no longer takes effect, and vlan10 and vlan30 can reach each other.
[LSW3]ping -a 192.168.10.4 192.168.30.2
Warning: The specified source address is not a local address, the ping command w
ill not check the network connection.
PING 192.168.30.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.30.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[LSW3]ping -a 192.168.10.4 192.168.30.1
Warning: The specified source address is not a local address, the ping command w
ill not check the network connection.
PING 192.168.30.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.30.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[LSW3]ping 192.168.30.1
PING 192.168.30.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.30.1: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 192.168.30.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 192.168.30.1: bytes=56 Sequence=3 ttl=255 time=50 ms
--- 192.168.30.1 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[LSW3]ping 192.168.30.2
PING 192.168.30.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.30.2: bytes=56 Sequence=1 ttl=127 time=90 ms
Reply from 192.168.30.2: bytes=56 Sequence=2 ttl=127 time=100 ms
Reply from 192.168.30.2: bytes=56 Sequence=3 ttl=127 time=60 ms
Reply from 192.168.30.2: bytes=56 Sequence=4 ttl=127 time=60 ms
Reply from 192.168.30.2: bytes=56 Sequence=5 ttl=127 time=60 ms
--- 192.168.30.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/74/100 ms
[LSW3]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 192.168.20.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.10.0/24 Direct 0 0 D 192.168.10.5 Vlanif10
192.168.10.5/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.20.0/24 Direct 0 0 D 192.168.20.3 Vlanif20
192.168.20.3/32 Direct 0 0 D 127.0.0.1 Vlanif20
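
The following is an added example, not part of the original note: a small Python evaluator for the ACL rule syntax used above, showing which rule a vlan10 packet hits in ACL 3000, in ACL 3001, and in a merged ACL. It assumes first-match evaluation in ascending rule-ID order; ACL number 3002, its rule IDs and the sample host addresses are hypothetical. Taking the behaviour reported above as given (only the ACL bound through traffic policy p1 decides), ACL 3001 lets vlan10 to vlan30 traffic through on its rule 10, while a single ACL carrying both deny rules blocks both destinations.

```python
import ipaddress
import re

# ACLs 3000 and 3001 are copied from the page; 3002 is a hypothetical merged ACL.
ACLS = {
    3000: """rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
             rule 10 permit ip""",
    3001: """rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
             rule 10 permit ip""",
    3002: """rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
             rule 10 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
             rule 15 permit ip""",
}
RULE = re.compile(r"rule (\d+) (deny|permit) ip"
                  r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acl(text):
    """Parse 'rule N deny|permit ip [source A W] [destination A W]' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rid, action, sa, sw, da, dw = m.groups()
        rules.append((int(rid), action, (sa, sw) if sa else None, (da, dw) if da else None))
    return sorted(rules, key=lambda r: r[0])  # config order: ascending rule ID


def evaluate(acl_no, src, dst):
    """Return (rule_id, action) of the first matching rule, or (None, 'no-match')."""
    for rid, action, s, d in parse_acl(ACLS[acl_no]):
        if (s is None or wildcard_match(src, *s)) and (d is None or wildcard_match(dst, *d)):
            return rid, action
    return None, "no-match"


if __name__ == "__main__":
    # Constructed sample packets: one vlan10 host towards vlan30 and vlan20.
    for acl in (3000, 3001, 3002):
        for dst in ("192.168.30.2", "192.168.20.3"):
            print(acl, "192.168.10.4 ->", dst, evaluate(acl, "192.168.10.4", dst))
```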