acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255


  Applied under an interface: both policy and filter are supported. It is normally applied in the inbound direction, or in the outbound direction of the traffic.
----------------------------------------
interface GigabitEthernet0/0/2           
 port link-type access
 port default vlan 2
 traffic-filter inbound acl 3010             apply it on whichever side is closest to the data source
 traffic-filter inbound acl 3333

------------------------------------
interface GigabitEthernet0/0/3           
 port link-type access
 port default vlan 2
 traffic-policy deny inbound                 apply it on whichever side is closest to the data source
 traffic-filter inbound acl 3333

Applying a policy in the system view
------------------------------------------
acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic-policy deny global inbound      takes effect in both directions
traffic-policy deny global outbound     takes effect in both directions
#
acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic-filter inbound acl 3010         takes effect in both directions
traffic-filter outbound acl 3010        takes effect in both directions

Applying filter + VLAN in the system view; only filter is supported
-----------------------------------
traffic-filter vlan 2 outbound acl 3010      does not take effect
-------------------------------------
traffic-filter vlan 2 inbound acl 3010       takes effect
---------------------------------------
traffic-filter vlan 3 inbound acl 3010       does not take effect
---------------------------------------
traffic-filter vlan 3 outbound acl 3010      takes effect


Applied under a VLANIF interface; only policy is supported
-----------------------------------------------
acl number 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic classifier deny
 if-match acl 3010
#
traffic behavior deny
 permit
#
traffic policy deny
 classifier deny behavior deny
#
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
 traffic-policy deny inbound                 apply it on the side closest to the data source; only the inbound direction works
#
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
 traffic-policy deny inbound                 applying it here has no effect; only the inbound direction works



Applied under a VLAN; only policy is supported
------------------------------------------
#
vlan 2
 traffic-policy deny inbound          applied inbound inside the VLAN, close to the data source: takes effect
 traffic-policy deny outbound         no effect
----------------
vlan 3
 traffic-policy deny outbound         takes effect
 traffic-policy deny inbound          no effect


----------------------------------------------------------------------------------------------------------------------------------------------------------------------

To block one VLAN from being accessed by any other VLAN
-------------
For example, deny all VLANs access to VLAN 3
acl number 3010
 rule 5 deny ip destination 192.168.3.0 0.0.0.255
#
traffic classifier deny
 if-match acl 3010
#
traffic behavior deny
 permit
#
traffic policy deny
 classifier deny behavior deny
#
vlan 3                                      destination VLAN
 traffic-policy deny outbound               effective: applied in the outbound direction within VLAN 3
 traffic-policy deny inbound                this command has no effect here
------------------------------------------

Alternatively, apply it inbound on the source business VLAN segment
vlan 2                                      source VLAN
 traffic-policy deny inbound                effective: applied inbound within VLAN 2, so VLAN 2 cannot reach VLAN 3 and other VLANs are unaffected
 traffic-policy deny outbound               this command has no effect here


Other cases
-----------------------------------------------------------------------------------
To block one VLAN from being accessed by any other VLAN
For example, deny all VLANs access to VLAN 3
acl number 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 
#
vlan 3
 traffic-policy deny outbound             effective, but too broad

This has already been compiled into a table; the notes here are for reference only.

If done in the outbound direction, apply it on the destination VLAN or interface, outbound; the original (source) network segment must be stated explicitly (match the permit whitelist first, then the default deny).
If done in the inbound direction, apply it on the source VLAN or interface, inbound; the source network segment must be stated explicitly (match the permit whitelist first, then the default deny).



---------------------------------------------------------------------------------------
ACL that blocks the internal network
First deny the internal network segments
Then permit everything else
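The two rule orderings above ("permit whitelist first, then default deny" and "deny the internal segments first, then permit everything") only work because rules are matched in ascending rule number and the first match wins. The following Python script is an added example, not part of the original notes and not device code: it is a small simulator of advanced-ACL evaluation with wildcard masks in the `rule N permit|deny ip [source A W] [destination A W]` form used above. All rule numbers, addresses and the three sample ACLs are constructed for illustration; the 192.168.10.0/24 whitelist segment and the 10.0.0.0/8 internal segment do not appear in the notes.

```python
"""Simulator for ordered Huawei-style advanced ACL rules with wildcard masks.

Added example (not from the original notes). Models traffic-filter semantics:
rules are tried in ascending rule number, first match decides, and a packet
that matches no rule is forwarded. Sample ACLs and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Qualifier = Optional[Tuple[str, str]]  # (network, wildcard) or None for "any"


@dataclass(frozen=True)
class Rule:
    number: int        # rule ID; evaluated in ascending order
    action: str        # "permit" or "deny"
    source: Qualifier
    destination: Qualifier


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def rule_matches(rule: Rule, src: str, dst: str) -> bool:
    if rule.source is not None and not wildcard_match(src, *rule.source):
        return False
    if rule.destination is not None and not wildcard_match(dst, *rule.destination):
        return False
    return True


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); (\"permit\", None) when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, src, dst):
            return rule.action, rule.number
    return "permit", None


def parse_rule(line: str) -> Rule:
    """Parse 'rule N permit|deny ip [source A W|any] [destination A W|any]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "rule" or tokens[3] != "ip":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    source: Qualifier = None
    destination: Qualifier = None
    i = 4
    while i < len(tokens):
        key = tokens[i]
        if tokens[i + 1] == "any":
            value, i = None, i + 2
        else:
            value, i = (tokens[i + 1], tokens[i + 2]), i + 3
        if key == "source":
            source = value
        elif key == "destination":
            destination = value
        else:
            raise ValueError(f"unexpected keyword {key!r}")
    return Rule(number, action, source, destination)


# Constructed sample ACLs (illustrative addresses, not from a live device).
# 1. Outbound on the destination VLAN: whitelist one source segment, then deny the rest.
WHITELIST_THEN_DENY = [parse_rule(l) for l in (
    "rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.3.0 0.0.0.255",
    "rule 10 deny ip destination 192.168.3.0 0.0.0.255",
)]
# 2. Block the internal network: deny internal segments first, then permit everything else.
DENY_INTERNAL_THEN_PERMIT = [parse_rule(l) for l in (
    "rule 5 deny ip destination 10.0.0.0 0.255.255.255",
    "rule 10 deny ip destination 192.168.0.0 0.0.255.255",
    "rule 15 permit ip",
)]
# 3. The same rules in the wrong order: the permit-all shadows every deny.
MISORDERED = [parse_rule(l) for l in (
    "rule 5 permit ip",
    "rule 10 deny ip destination 192.168.0.0 0.0.255.255",
)]

if __name__ == "__main__":
    for name, acl in (("whitelist", WHITELIST_THEN_DENY),
                      ("deny-internal", DENY_INTERNAL_THEN_PERMIT),
                      ("misordered", MISORDERED)):
        for src, dst in (("192.168.10.5", "192.168.3.1"), ("192.168.2.5", "192.168.3.1"),
                         ("192.168.2.5", "10.1.2.3"), ("192.168.2.5", "8.8.8.8")):
            print(name, src, "->", dst, evaluate(acl, src, dst))
```

Running the script shows the shadowing effect directly: in `MISORDERED` the packet to 192.168.0.0/16 is permitted by rule 5 and rule 10 is never consulted, which is the mistake the "deny first, then permit" note guards against.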