VLAN 10 cannot access other VLANs but can access the Internet; this is implemented with traffic-filter.
VLAN 20 cannot access other VLANs but can access the Internet; this is implemented with MQC.
VLAN 30 cannot access the external network but can communicate with other network segments; this is implemented with traffic-filter.
Switch configuration:
[Huawei]dis current-configuration
sysname Huawei
vlan batch 10 20 30 100
dhcp enable
diffserv domain default
acl number 3000
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 10 permit ip
acl number 3001
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
acl number 3002
rule 5 deny ip source 192.168.30.0 0.0.0.255
rule 15 permit ip
traffic classifier vlan20 operator and //create the traffic classifier
if-match acl 3001
traffic behavior vlan20 //create the traffic behavior
deny
traffic policy vlan20 //create the traffic policy, binding the traffic classifier to the traffic behavior
classifier vlan20 behavior vlan20
drop-profile default
vlan 20
traffic-policy vlan20 inbound //apply the traffic policy to inbound traffic in VLAN 20
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select interface
interface Vlanif100
ip address 1.1.1.2 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
traffic-filter outbound acl 3002 //apply the filter directly on the outbound interface to stop VLAN 30 from reaching the Internet
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
traffic-filter inbound acl 3000 //apply the filter directly on the interface to stop VLAN 10 from reaching other network segments
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
interface GigabitEthernet0/0/4
port link-type access
port default vlan 30
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
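
Added example, not part of the original configuration: a small Python model of ACLs 3000, 3001 and 3002 above that evaluates each direction of a flow, so the three requirements can be checked before the configuration is deployed. It assumes first-match rule order, that a traffic-filter forwards packets its ACL does not deny, and that every destination outside the three user subnets leaves through GigabitEthernet0/0/1; the host addresses used with it are constructed.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Wildcard match: bits that are 0 in the wildcard must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
VLAN10 = ("192.168.10.0", "0.0.0.255")
VLAN20 = ("192.168.20.0", "0.0.0.255")
VLAN30 = ("192.168.30.0", "0.0.0.255")
ALL_192_168 = ("192.168.0.0", "0.0.255.255")

# Rules copied from the page, in rule-ID order: (action, source, destination)
ACLS = {
    3000: [("deny", VLAN10, ALL_192_168), ("permit", ANY, ANY)],
    3001: [("permit", VLAN20, ALL_192_168)],
    3002: [("deny", VLAN30, ANY), ("permit", ANY, ANY)],
}

def acl_action(number, src, dst):
    """Action of the first rule that matches, or None if no rule matches."""
    for action, s, d in ACLS[number]:
        if wild_match(src, *s) and wild_match(dst, *d):
            return action
    return None

def forwarded(src, dst):
    """One direction of a flow through the switch (assumed model, see lead-in)."""
    # GE0/0/2: traffic-filter inbound acl 3000 (hosts in VLAN 10)
    if wild_match(src, *VLAN10) and acl_action(3000, src, dst) == "deny":
        return False
    # vlan 20: traffic-policy inbound; an ACL permit selects the packet and
    # the traffic behavior (deny) drops it
    if wild_match(src, *VLAN20) and acl_action(3001, src, dst) == "permit":
        return False
    # GE0/0/1: traffic-filter outbound acl 3002 (assumed: every destination
    # outside the three user subnets leaves through this uplink)
    leaves_uplink = not any(wild_match(dst, *v) for v in (VLAN10, VLAN20, VLAN30))
    if leaves_uplink and acl_action(3002, src, dst) == "deny":
        return False
    return True

def two_way(a, b):
    """Stateless filters judge each direction alone; a session needs both."""
    return forwarded(a, b) and forwarded(b, a)
```

Under this model two_way("192.168.30.5", "192.168.10.5") is False: the request from VLAN 30 is forwarded, but the reply from VLAN 10 is dropped by ACL 3000 on GigabitEthernet0/0/2.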