Test ACL used throughout (source VLAN 2 = 192.168.2.0/24, destination VLAN 3 = 192.168.3.0/24):

acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

Applied under an interface: both traffic-policy and traffic-filter are supported. Normally apply inbound on the interface the data source sits behind, or outbound on the interface toward the destination.
----------------------------------------
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
 traffic-filter inbound acl 3010        apply on whichever side is nearest the data source
 traffic-filter inbound acl 3333
------------------------------------
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2
 traffic-policy deny inbound            apply on whichever side is nearest the data source
 traffic-filter inbound acl 3333

Applied in the system view, policy form
------------------------------------------
acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic-policy deny global inbound      effective
traffic-policy deny global outbound     effective (works whether applied inbound or outbound)
#
acl 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic-filter inbound acl 3010         effective
traffic-filter outbound acl 3010        effective (works whether applied inbound or outbound)

Applied in the system view, filter + VLAN form (only traffic-filter is supported here)
-----------------------------------
traffic-filter vlan 2 outbound acl 3010     no effect
-------------------------------------
traffic-filter vlan 2 inbound acl 3010      effective
---------------------------------------
traffic-filter vlan 3 inbound acl 3010      no effect
---------------------------------------
traffic-filter vlan 3 outbound acl 3010     effective
The pattern is the same in every VLAN-scoped test below: the ACL's source lives in VLAN 2 and its destination in VLAN 3, so only inbound on the source VLAN or outbound on the destination VLAN ever sees a matching packet; the other two placements match nothing.

Applied under a VLANIF interface (only traffic-policy is supported)
-----------------------------------------------
acl number 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
traffic classifier deny
 if-match acl 3010
#
traffic behavior deny
 permit
#
traffic policy deny
 classifier deny behavior deny
#
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
 traffic-policy deny inbound        apply on the side nearest the data source; inbound only
#
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
 traffic-policy deny inbound        no effect when applied here; inbound only
Note that the traffic behavior is permit: the drop comes from the deny rule inside the ACL, which is why the order of the ACL rules is what matters in the summary at the end.

Applied under a VLAN (only traffic-policy is supported)
------------------------------------------
#
vlan 2
 traffic-policy deny inbound        inbound in the VLAN nearest the data source: effective
 traffic-policy deny outbound       no effect
----------------
vlan 3
 traffic-policy deny outbound       effective
 traffic-policy deny inbound        no effect
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Keeping one VLAN from being reached by the other VLANs
-------------
Example: deny every VLAN access to VLAN 3.

acl number 3010
 rule 5 deny ip destination 192.168.3.0 0.0.0.255
#
traffic classifier deny
 if-match acl 3010
#
traffic behavior deny
 permit
#
traffic policy deny
 classifier deny behavior deny
#
vlan 3                              destination VLAN
 traffic-policy deny outbound       effective: apply outbound in VLAN 3
 traffic-policy deny inbound        this command has no effect here
------------------------------------------
Or apply it inbound on the business VLAN segment:

vlan 2                              source VLAN
 traffic-policy deny inbound        effective: applied inbound in VLAN 2, VLAN 2 can no longer reach VLAN 3, other VLANs are unaffected
 traffic-policy deny outbound       this command has no effect here

Other cases
-----------------------------------------------------------------------------------
Deny every VLAN access to VLAN 3, matching on source instead:

acl number 3010
 rule 5 deny ip source 192.168.2.0 0.0.0.255
#
vlan 3
 traffic-policy deny outbound       effective, but too broad

These results have also been put into a table; this section is kept for reference only.

Outbound: apply on the destination VLAN or interface, in the outbound direction; the ACL must name the original source segments (permit the whitelist first, then default deny).
Inbound: apply on the source VLAN or interface, in the inbound direction; the ACL must name the source segment (permit the whitelist first, then default deny).
---------------------------------------------------------------------------------------
ACL that blocks the intranet: deny the intranet segments first, then permit everything.
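The two rule-ordering patterns the notes end with (permit the whitelist first, then default deny, to protect one VLAN; deny the intranet segments first, then permit all) are easy to get backwards, and the resulting VRP text is tedious to hand-write with wildcard masks. The following is an added example, not part of the original notes or any Huawei tool: it generates the ACL and the classifier/behavior/policy block in the layout the notes use and checks the rule order with a small first-match evaluator. ACL 3010, the objects named deny, and VLANs 2/3 mirror the notes; the function names, the 10.0.0.0/8 sample subnet, and the reading of "deny the intranet segments" as destination matching (a guest VLAN that may leave but not reach inside) are this example's own assumptions.

```python
"""Added example (not from the original notes): generate the VRP-style ACL and
traffic policy for the "whitelist first, then default deny" and "deny intranet
first, then permit all" patterns, and verify the rule order by evaluating sample
flows first-match.  Sample subnets below are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard(cidr: str) -> str:
    """Render 'network wildcard' the way VRP ACL rules expect it; the wildcard is
    the inverted netmask, which ipaddress exposes as hostmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


@dataclass
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    src: Optional[str] = None   # CIDR, None = any source
    dst: Optional[str] = None   # CIDR, None = any destination

    def render(self) -> str:
        line = f" rule {self.number} {self.action} ip"
        if self.src:
            line += f" source {wildcard(self.src)}"
        if self.dst:
            line += f" destination {wildcard(self.dst)}"
        return line

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s = self.src is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src, strict=False)
        d = self.dst is None or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst, strict=False)
        return s and d


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins (rules are numbered in the order they are listed).
    A packet that matches no rule is not touched by the filter/policy and is
    forwarded normally, reported here as "forward"."""
    for r in rules:
        if r.matches(src_ip, dst_ip):
            return r.action
    return "forward"


def protect_vlan_rules(protected: str, allowed_sources: List[str]) -> List[Rule]:
    """Whitelist first, default deny last, toward the protected subnet.  Per the
    notes, the resulting policy goes outbound on the destination VLAN."""
    rules = [Rule(5 * (i + 1), "permit", src, protected) for i, src in enumerate(allowed_sources)]
    rules.append(Rule(5 * (len(allowed_sources) + 1), "deny", None, protected))
    return rules


def block_intranet_rules(intranet: List[str]) -> List[Rule]:
    """Deny the internal segments first, then permit everything else (assumed:
    segments are matched as destinations, i.e. a VLAN that may not reach inside)."""
    rules = [Rule(5 * (i + 1), "deny", None, net) for i, net in enumerate(intranet)]
    rules.append(Rule(5 * (len(intranet) + 1), "permit"))
    return rules


def render_config(acl: int, rules: List[Rule], vlan: int, direction: str) -> str:
    """Config text in the layout used in the notes: ACL, classifier, behavior,
    policy, then the policy applied in the VLAN view.  The behavior stays
    'permit' because the drop comes from the ACL's deny rules."""
    lines = [f"acl number {acl}"] + [r.render() for r in rules] + [
        "#", "traffic classifier deny", f" if-match acl {acl}",
        "#", "traffic behavior deny", " permit",
        "#", "traffic policy deny", " classifier deny behavior deny",
        "#", f"vlan {vlan}", f" traffic-policy deny {direction}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Protect VLAN 3 (192.168.3.0/24): only VLAN 2 may reach it; apply outbound on VLAN 3.
    rules = protect_vlan_rules("192.168.3.0/24", ["192.168.2.0/24"])
    print(render_config(3010, rules, 3, "outbound"))
    for src, dst in [("192.168.2.10", "192.168.3.1"), ("192.168.4.10", "192.168.3.1")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    # Same rules listed in the wrong order: the default deny now hides the whitelist.
    print("reversed order, VLAN 2 -> VLAN 3:", evaluate(list(reversed(rules)), "192.168.2.10", "192.168.3.1"))
```

Running it prints the config for the "deny every VLAN access to VLAN 3 except VLAN 2" case and then shows the evaluator permitting VLAN 2 and denying VLAN 4; the last line shows that listing the default deny before the permit silently blocks the whitelisted VLAN as well, which is the mistake the notes' "permit the whitelist first, then default deny" rule guards against.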