1. Configure the ACLs
1.1 Define the ACL rules for permitted traffic
[sw1]acl number 3001
[sw1-acl-adv-3001]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0
[sw1-acl-adv-3001]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0
1.2 Define the ACL rules for denied traffic
[sw1]acl number 3002
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[sw1-acl-adv-3002]rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.2 0
[sw1-acl-adv-3002]rule deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.2 0
1.3 Define the traffic classifiers
[sw1]traffic classifier tc1 operator and
[sw1-classifier-tc1]if-match acl 3001
[sw1]traffic classifier tc2 operator and
[sw1-classifier-tc2]if-match acl 3002
1.4 Define the traffic behaviors; this is where permit or deny is actually decided
[sw1]traffic behavior tb1
[sw1-behavior-tb1]permit
[sw1]traffic behavior tb2
[sw1-behavior-tb2]deny
1.5 Define the traffic policy (pay attention to the order here to avoid problems)
[sw1]traffic policy tp
[sw1-trafficpolicy-tp]classifier tc1 behavior tb1
[sw1-trafficpolicy-tp]classifier tc2 behavior tb2
1.6 Apply the policy in the inbound direction on the (downlink) interface closest to the source addresses
[sw1]vlan 20
[sw1-vlan20]traffic-policy tp inbound
[sw1-vlan20]vlan 30
[sw1-vlan30]traffic-policy tp inbound
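
An offline check of this rule set, as an added example that is not part of the original page: a simplified Python model of policy tp that evaluates sample flows (constructed addresses) and shows what a mistyped octet in a deny rule does. It assumes classifiers are checked in the order they are bound, unmatched traffic is forwarded, and the second deny rule's source is 192.168.30.0; all helper names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    # Wildcard mask: 1 bits are "don't care", 0 bits must equal the base address.
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

# Rules as (source, source wildcard, destination, destination wildcard).
# A wildcard of "0" on the switch is written 0.0.0.0 here (exact host).
NET = "0.0.0.255"
HOST = "0.0.0.0"
ACL_3001 = [("192.168.20.0", NET, "192.168.40.1", HOST),
            ("192.168.30.0", NET, "192.168.40.1", HOST)]
ACL_3002 = [("192.168.20.0", NET, "192.168.30.0", NET),
            ("192.168.30.0", NET, "192.168.20.0", NET),  # assumed source 192.168.30.0
            ("192.168.20.0", NET, "192.168.40.2", HOST),
            ("192.168.30.0", NET, "192.168.40.2", HOST)]

def build_policy(deny_acl):
    # Classifier/behavior pairs in the order bound in policy tp (section 1.5).
    return [("tc1", ACL_3001, "permit"), ("tc2", deny_acl, "deny")]

def evaluate(src, dst, policy):
    # Simplified model (assumption): first classifier whose ACL has a matching
    # rule wins; traffic matching no classifier is forwarded normally.
    for name, acl, behavior in policy:
        if any(wild_match(src, s, sw) and wild_match(dst, d, dw)
               for s, sw, d, dw in acl):
            return name, behavior
    return None, "permit"

POLICY = build_policy(ACL_3002)
# Constructed variant: one octet of the second deny rule's source mistyped.
TYPO_POLICY = build_policy([ACL_3002[0],
                            ("192.138.30.0", NET, "192.168.20.0", NET)] + ACL_3002[2:])

if __name__ == "__main__":
    flows = [("192.168.20.5", "192.168.40.1"), ("192.168.30.9", "192.168.40.2"),
             ("192.168.20.5", "192.168.30.9"), ("192.168.30.9", "192.168.20.5"),
             ("192.168.20.5", "192.168.40.3")]
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst, POLICY), evaluate(src, dst, TYPO_POLICY))
```

In the mistyped variant the flow from 192.168.30.0/24 to 192.168.20.0/24 matches no classifier and falls through to normal forwarding, which is the kind of gap worth testing for before applying the policy to the VLANs.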