Configuring ACLs on a Huawei S5700 switch
1. Configure the ACL
1.1 Define the ACL rules for permitted traffic
[sw1]acl number 3001
[sw1-acl-adv-3001]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0
[sw1-acl-adv-3001]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
1.2 Define the ACL rules for denied traffic
[sw1]acl number 3002
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.2 0
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.2 0
1.3 Define the traffic classifiers
[sw1]traffic classifier tc1 operator and
[sw1-classifier-tc1]if-match acl 3001
[sw1]traffic classifier tc2 operator and
[sw1-classifier-tc2]if-match acl 3002
1.4 Define the traffic behaviors; this is where permit or deny is actually decided
[sw1]traffic behavior tb1
[sw1-behavior-tb1]permit
[sw1]traffic behavior tb2
[sw1-behavior-tb2]deny
1.5 Define the traffic policy (pay attention to the order here to avoid problems)
[sw1]traffic policy tp
[sw1-trafficpolicy-tp]classifier tc1 behavior tb1
[sw1-trafficpolicy-tp]classifier tc2 behavior tb2
1.6 Apply the policy in the inbound direction on the interface closest to the source (downlink)
[sw1]vlan 20
[sw1-vlan20]traffic-policy tp inbound
[sw1-vlan20]vlan 30
[sw1-vlan30]traffic-policy tp inbound
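
To check what policy tp does before applying it, the following added example (not part of the original page) models ACL 3001/3002 and the classifier order from step 1.5 offline and evaluates constructed sample packets. Assumptions of the model: classifiers are evaluated in configured order, a matching deny rule drops the packet regardless of the behavior, a packet matching no classifier is forwarded normally, and the source of the second deny rule is 192.168.30.0.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def match(addr, base, wildcard):
    # Wildcard mask: 0 bits must match, 1 bits are ignored.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# (action, source, source wildcard, destination, destination wildcard)
# A trailing "0" in the CLI is the host wildcard 0.0.0.0.
ACLS = {
    3001: [("permit", "192.168.20.0", "0.0.0.255", "192.168.40.1", "0.0.0.0"),
           ("permit", "192.168.30.0", "0.0.0.255", "192.168.40.1", "0.0.0.0")],
    3002: [("deny", "192.168.20.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
           ("deny", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
           ("deny", "192.168.20.0", "0.0.0.255", "192.168.40.2", "0.0.0.0"),
           ("deny", "192.168.30.0", "0.0.0.255", "192.168.40.2", "0.0.0.0")],
}

# traffic policy tp: (classifier, ACL, behavior) in configured order
POLICY = [("tc1", 3001, "permit"), ("tc2", 3002, "deny")]

def evaluate(src, dst, policy=POLICY):
    """Return (classifier that matched, verdict) for one packet."""
    for name, acl, behavior in policy:
        for action, s, sw, d, dw in ACLS[acl]:
            if match(src, s, sw) and match(dst, d, dw):
                # Modelled assumption: a deny rule always drops; a permit
                # rule leaves the decision to the traffic behavior.
                return name, ("deny" if action == "deny" else behavior)
    return None, "forward"  # no classifier matched: no implicit deny

if __name__ == "__main__":
    # Constructed sample packets (source, destination)
    for src, dst in [("192.168.20.5", "192.168.40.1"),
                     ("192.168.20.5", "192.168.30.7"),
                     ("192.168.30.9", "192.168.40.2"),
                     ("192.168.20.5", "192.168.40.3")]:
        print(src, "->", dst, evaluate(src, dst))
```

The last sample packet is the one to watch: 192.168.40.3 is covered by neither ACL, so under the model's assumptions it is forwarded rather than dropped.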