The customer wants an access list that drops all traffic from VLAN 30 (web-server VLAN) to VLAN 150 (management VLAN), while still allowing return traffic from VLAN 30 to VLAN 150 for sessions that were initiated from VLAN 150.
On CloudEngine this can be achieved only if the communication is TCP. The switch keeps no connection state; an ACL can recognize an "established" session only from the TCP flags (ACK or RST set), so UDP and ICMP replies from VLAN 30 cannot be told apart from new flows and are dropped together with them.
The customer configures a rule with tcp-flag established that permits TCP traffic from VLAN 30 to VLAN 150 carrying ACK or RST (replies to sessions opened from VLAN 150), and a lower-priority rule that denies everything else from VLAN 30 to VLAN 150. A session initiated by VLAN 30 starts with a SYN without ACK, so its first packet misses the established rule and is dropped; a session initiated by VLAN 150 gets its replies through.
The configuration is as below:
1. Configure traffic classifier test
2. Configure traffic behavior test
3. Configure ACL 300
4. Configure traffic classifier 2
5. Configure traffic behavior test-3
6. Configure the traffic policy and give test-3 a higher precedence than test, so that the established-TCP permit is evaluated before the deny;
7. Apply this policy in the inbound direction of VLANIF 30, as in the configuration below (packets from the web servers enter the switch on VLANIF 30, so traffic bound for VLAN 150 is matched there on ingress; outbound on VLANIF 30 would only see traffic going towards VLAN 30);
interface vlanif 30
ip address x.x.29.1 255.255.255.0
traffic-policy test inbound
8. Configure classifier test-2;
9. Configure behavior test-2;
10. Configure policy test-2;
11. Apply policy test-2 in the outbound direction of VLANIF 150 (the point at which VLAN 30 to VLAN 150 traffic leaves the switch towards the management VLAN).
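A complete configuration for steps 1 to 7, written here as an added example; it is not taken from the customer's device, which the page only describes as a step list. It assumes VLAN 30 is 10.0.29.0/24 and VLAN 150 is 10.0.150.0/24, uses advanced ACL numbers 3001 and 3002 (CloudEngine advanced ACLs, the ones that can match TCP flags, are numbered 3000 to 3999; the "ACL 300" of step 3 is presumably one of these), and names the second classifier test-3 to match its behavior. Policy test-2 of steps 8 to 11 is not reconstructed, because the page does not say what it contains.

```text
#
# Assumed subnets: VLAN 30 = 10.0.29.0/24, VLAN 150 = 10.0.150.0/24
#
# ACL 3001: every IP packet from the web-server VLAN to the management VLAN
acl number 3001
 rule 5 permit ip source 10.0.29.0 0.0.0.255 destination 10.0.150.0 0.0.0.255
#
# ACL 3002: only TCP packets that carry ACK or RST, i.e. replies inside a
# session that already exists. A SYN opening a new session from VLAN 30
# has no ACK and does not match this rule.
acl number 3002
 rule 5 permit tcp source 10.0.29.0 0.0.0.255 destination 10.0.150.0 0.0.0.255 tcp-flag established
#
traffic classifier test
 if-match acl 3001
#
traffic classifier test-3
 if-match acl 3002
#
# statistic enable lets the hit counters be read to confirm which rule matched
traffic behavior test
 deny
 statistic enable
#
traffic behavior test-3
 permit
 statistic enable
#
# Lower precedence value = evaluated first, so the established permit
# (test-3) is checked before the catch-all deny (test).
traffic policy test
 classifier test-3 behavior test-3 precedence 5
 classifier test behavior test precedence 10
#
interface vlanif 30
 ip address 10.0.29.1 255.255.255.0
 traffic-policy test inbound
#
# Verification (display command form may differ between CE versions;
# check the QoS command reference for the target release):
#   display acl 3002
#   display traffic policy statistics interface vlanif 30 inbound
```

Two points to keep in mind when using this. First, the filter is stateless: "established" means only that ACK or RST is set, so a compromised host in VLAN 30 can still send such packets into VLAN 150 (ACK scans, for example), even though it cannot complete a handshake to any VLAN 150 service. Second, because classifier test denies every non-TCP packet, ICMP echo replies and UDP responses (SNMP, DNS) from the web servers to the management VLAN are dropped as well; if management tooling relies on them, they need explicit permit rules, or a stateful firewall between the two VLANs instead of an ACL.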