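1. Notes:
1) On Huawei switches the ACL rules themselves are unchanged, but they must be applied through a traffic policy;
2) A traffic policy in turn consists of traffic classifiers and traffic behaviors;
3) A traffic classifier binds the corresponding ACL rules, and the traffic behavior decides whether traffic matched by that classifier is permitted or denied;
4) The ACL rules only need to match the flows of interest and are marked with permit; deny is basically of no use there;
5) If there are multiple ACL numbers, they must be bound in order in the traffic policy (permit first then deny, or deny first then permit, depending on the business requirement);
6) Apply the policy in the inbound direction of the interface.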
2. Configuration example: restrict guests (10.16.16.0/20) from accessing the production network (10.16.0.0/16)
1) Create the ACLs according to the requirements
acl number 3200
 rule 21 permit ip source 10.16.16.0 0.0.15.255 destination 10.16.16.0 0.0.15.255
 rule 31 permit ip source 10.16.16.0 0.0.15.255 destination 10.16.248.4 0
acl number 3201
 rule 21 permit ip source 10.16.16.0 0.0.15.255 destination 10.16.0.0 0.0.255.255
2) Create the traffic classifiers
traffic classifier CDG-Guest1 operator and precedence 30
 if-match acl 3200
traffic classifier CDG-Guest2 operator and precedence 40
 if-match acl 3201
3) Create the traffic behaviors
traffic behavior CDG-Guest1
 permit
traffic behavior CDG-Guest2
 deny
4) Create the traffic policy
traffic policy CDG-Guest match-order config
 classifier CDG-Guest1 behavior CDG-Guest1
 classifier CDG-Guest2 behavior CDG-Guest2
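
To check the binding order before applying the policy, the following added example (not part of the original configuration) models the CDG-Guest policy in Python and evaluates constructed test packets against it. It assumes first-match evaluation in configured order and that traffic matching no classifier is forwarded normally; the function names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

# ACLs from the example: number -> [(src, src_wildcard, dst, dst_wildcard)].
# All rules are "permit", i.e. they only select traffic for the classifier.
ACLS = {
    3200: [("10.16.16.0", "0.0.15.255", "10.16.16.0", "0.0.15.255"),
           ("10.16.16.0", "0.0.15.255", "10.16.248.4", "0.0.0.0")],
    3201: [("10.16.16.0", "0.0.15.255", "10.16.0.0", "0.0.255.255")],
}

# traffic policy CDG-Guest, match-order config: (classifier, ACL, behavior)
POLICY = [("CDG-Guest1", 3200, "permit"),
          ("CDG-Guest2", 3201, "deny")]

def evaluate(src, dst, policy=POLICY):
    """Return (action, classifier) for a packet, first matching classifier wins."""
    for name, acl, behavior in policy:
        for s, sw, d, dw in ACLS[acl]:
            if wc_match(src, s, sw) and wc_match(dst, d, dw):
                return behavior, name
    # Assumption: traffic matching no classifier is forwarded normally.
    return "forward", None

if __name__ == "__main__":
    # Constructed test packets (source, destination).
    for src, dst in [("10.16.17.5", "10.16.20.9"),    # guest to guest
                     ("10.16.17.5", "10.16.248.4"),   # guest to the allowed host
                     ("10.16.17.5", "10.16.1.10"),    # guest to production network
                     ("10.16.17.5", "203.0.113.10")]: # guest to outside address
        print(src, "->", dst, evaluate(src, dst))
    # Binding the classifiers in the wrong order blocks guest-to-guest traffic.
    print(evaluate("10.16.17.5", "10.16.20.9", list(reversed(POLICY))))
```

With the classifiers reversed, the broader ACL 3201 matches first and the exceptions in ACL 3200 are never reached, which is why the binding order in note 5) matters.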