華為s5700怎麼做vlan間禁止訪問?
1、用的華為S5700-24TP-SI,劃了3個vlan,分別為vlan 2、vlan 3、vlan 4,對應的IP段為: vlan 2:192.168.2.0/255.255.255.0 vlan 3:192.168.3.0/255.255.255.0 vlan 4:192.186.4.0/255.255.255.0 2、怎麼限制vlan2不可以訪問vlan 3、vlan4; vlan3不可以訪問vlan 2、vlan4; vlan4不可以訪問vlan 2、vlan3;
用ACL來實現,具體如下:
acl number 3002
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
acl number 3003
rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
acl number 3004
rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule deny ip source 192.168.4.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
用traffic-filter在vlan下應用ACL,
traffic-filter vlan 2 inbound acl 3002
traffic-filter vlan 3 inbound acl 3003
traffic-filter vlan 4 inbound acl 3004