As shown in the figure, two switches are interconnected through trunk interfaces, and the trunk interfaces allow packets from all VLANs to pass through. Each switch connects to its downstream PCs through access interfaces.
Figure Applying an ACL-based policy to control inter-VLAN traffic in a switch interconnection scenario
The customer requires that only traffic from VLAN 20 be allowed into VLAN 30; traffic from any other VLAN destined for VLAN 30 must be dropped. Assume that the IP address segments of VLANs 10, 20, and 30 are 10.0.0.0/24, 220.127.116.11/24, and 18.104.22.168/24, respectively.
For details about the interface configuration, see the figure.
The key configuration relevant to traffic control on Switch2 is as follows (indented lines are entered in the view opened by the line above them):
acl name vlan30_inbound
 rule 5 permit ip source 22.214.171.124 0.0.0.255 destination 126.96.36.199 0.0.0.255
 rule 10 deny ip
traffic classifier vlan30_inbound
 if-match acl vlan30_inbound
traffic behavior vlan30_inbound
traffic policy vlan30_inbound match-order config
 classifier vlan30_inbound behavior vlan30_inbound
traffic-policy vlan30_inbound inbound
Rule 5 matches IP packets whose source lies in the VLAN 20 segment and whose destination lies in the VLAN 30 segment (the wildcard 0.0.0.255 masks the host bits); rule 10 is a catch-all that matches every other IP packet. With match-order config, rules are evaluated in ascending rule-number order, so the permit rule is tested before the deny. Packets matching a permit rule are handled by the traffic behavior, which has no action here and therefore forwards them unchanged; packets matching a deny rule are discarded. The last line applies the policy in the inbound direction and is entered in the view of the interface (or VLAN) on Switch2 shown in the figure, so that all traffic entering Switch2 toward VLAN 30 passes through it.
After the configuration is complete, the test result is as follows:
1. VLAN 30 receives only traffic from VLAN 20; traffic from any other segment toward VLAN 30 is discarded.
2. Traffic from VLAN 10 on Switch1 cannot reach VLAN 20 on Switch2, because it does not match rule 5 and is therefore caught and discarded by the catch-all rule 10 deny ip.
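To make the ACL semantics above concrete, the following is an added example (not code from the original page or from the switch vendor) that models how the two rules are evaluated: it parses the rule lines exactly as written on the page, applies Huawei-style wildcard masks (a 1 bit in the wildcard means "don't care"), honours match-order config (ascending rule number, first match wins), and then runs a few constructed packets through the ACL, including the VLAN 10 to VLAN 20 packet from test result 2. The rule addresses are the ones in the ACL on the page; the host addresses of the sample packets and the 10.0.0.0/24 host are assumptions made up for the test. It also shows the case the page's ACL never reaches, a packet matching no rule at all, which a stricter ACL without a catch-all deny would have to account for (on the switch such a packet is simply not subject to the policy).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two rules, copied verbatim from the ACL on the page.
ACL_TEXT = """
rule 5 permit ip source 22.214.171.124 0.0.0.255 destination 126.96.36.199 0.0.0.255
rule 10 deny ip
"""

AddrWild = Tuple[int, int]  # (address as int, wildcard as int)


@dataclass
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    src: Optional[AddrWild]     # None means "any"
    dst: Optional[AddrWild]


def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines.

    Returns rules sorted by rule number, which is the evaluation order
    under 'match-order config'.
    """
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported rule syntax: {line!r}")
        src = dst = None
        i = 4
        while i < len(tok):
            if tok[i] not in ("source", "destination") or i + 2 >= len(tok):
                raise ValueError(f"unsupported rule syntax: {line!r}")
            pair = (_ip_int(tok[i + 1]), _ip_int(tok[i + 2]))
            if tok[i] == "source":
                src = pair
            else:
                dst = pair
            i += 3
        rules.append(Rule(int(tok[1]), tok[2], src, dst))
    return sorted(rules, key=lambda r: r.number)


def wildcard_match(addr: int, pair: Optional[AddrWild]) -> bool:
    """A wildcard bit of 1 means that bit is ignored; 0 means it must match."""
    if pair is None:
        return True
    base, wild = pair
    care = (~wild) & 0xFFFFFFFF
    return ((addr ^ base) & care) == 0


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins. Returns (action, rule number).

    If no rule matches, the packet is not subject to the traffic policy at
    all; that is reported as ("no-match", None). The page's ACL ends with
    'rule 10 deny ip', so this branch is never reached for it.
    """
    s, d = _ip_int(src_ip), _ip_int(dst_ip)
    for r in rules:
        if wildcard_match(s, r.src) and wildcard_match(d, r.dst):
            return r.action, r.number
    return "no-match", None


RULES = parse_acl(ACL_TEXT)

# Constructed sample packets (host addresses are assumptions for illustration).
SAMPLE_PACKETS = [
    ("VLAN 20 -> VLAN 30", "22.214.171.5", "126.96.36.9"),
    ("VLAN 30 -> VLAN 20 (reply direction)", "126.96.36.9", "22.214.171.5"),
    ("VLAN 10 -> VLAN 20 (test result 2)", "10.0.0.7", "220.127.116.8"),
    ("VLAN 10 -> VLAN 30", "10.0.0.7", "126.96.36.9"),
]

if __name__ == "__main__":
    for label, src, dst in SAMPLE_PACKETS:
        action, num = evaluate(RULES, src, dst)
        print(f"{label:38s} {src:>16s} -> {dst:<16s} {action} (rule {num})")
```

The reply-direction packet in the sample set is worth noticing: the ACL is stateless, so a packet from VLAN 30 back to VLAN 20 would be denied by rule 10 if it ever traversed the same inbound policy. The scenario on the page only works because the policy is applied in the inbound direction on the path toward VLAN 30, so return traffic takes a different path and is not evaluated against it.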