Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document.
Note: Even the most advanced machine translation cannot match the quality of professional translators.
Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Using a Traffic Policy to Implement Inter-VLAN Access Control
In Figure 4-21, to ensure communication security, a company divides the network into visitor area, employee area, and server area, and assigns VLAN 10, VLAN 20, and VLAN 30 to the areas respectively. The company has the following requirements:
- Employees, visitors, and servers can access the Internet.
- Visitors cannot communicate with employees and can access only Server_1 in the server area.
After the central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 and a route to the router, employees, visitors, and servers can access the Internet and communicate with each other. To control access rights of visitors, configure a traffic policy on the central switch and define the following rules:
- ACL rule 1: denies any packets sent from the IP network segment of visitors to the IP segment of employees.
- ACL rule 2: permits any packets from the IP network segment of visitors to the IP address of Server_1, and denies any packets sent to the IP segment of other servers.
- ACL rule 3: denies any packets from the IP network segment of employees to the IP segment of visitors.
- ACL rule 4: denies any packets from the IP network segment of servers to the IP segment of visitors.
Apply the traffic policy to the inbound and outbound direction of the switch interface connected to the visitor area. Visitors can then only access Server_1 and cannot communicate with employees.