1. Topology diagram
2. Configuration
AR1 configuration
[AR1]
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 192.168.3.254 255.255.252.0
#
interface Vlanif11
ip address 192.168.11.254 255.255.255.0
#
interface Ethernet0/0/7
port link-type trunk
port trunk allow-pass vlan 10 to 11
LSW1 configuration
Basic configuration
[LSW1]
#
vlan batch 10 to 11
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 11
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
Configure an advanced ACL and apply it
[LSW1]
#
acl number 3000
rule 10 deny ip source 192.168.0.0 0.0.1.255 destination 192.168.11.0 0.0.0.255
rule 15 deny ip source 192.168.11.0 0.0.0.255 destination 192.168.0.0 0.0.1.255
#
interface GigabitEthernet0/0/24
traffic-filter outbound acl 3000
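3. Verification
From the end device 192.168.11.20, pinging the addresses on AR1 succeeds, while pinging the end device 192.168.0.20 fails.
Remove the ACL 3000 binding from port G0/0/24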
[LSW1]
#
int g0/0/24
undo traffic-filter outbound acl 3000
Ping the device 192.168.0.20 again: the path is now reachable.
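The following is an added example, not part of the original page: a small Python evaluator for the two rules of ACL 3000 that reproduces the ping results above and compares the wildcard 0.0.1.255 with the Vlanif10 mask 255.255.252.0. The wildcard matches only 192.168.0.0 to 192.168.1.255, so half of the Vlanif10 subnet is not covered by the deny rules. It assumes that traffic-filter forwards packets that match no rule; the host 192.168.2.20 is constructed for illustration.

```python
import ipaddress

# Rules copied from "acl number 3000" on LSW1:
# (rule id, action, source, source wildcard, destination, destination wildcard)
ACL_3000 = [
    (10, "deny", "192.168.0.0", "0.0.1.255", "192.168.11.0", "0.0.0.255"),
    (15, "deny", "192.168.11.0", "0.0.0.255", "192.168.0.0", "0.0.1.255"),
]

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 0 must match the base; bits set to 1 are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def evaluate(src, dst, rules=ACL_3000):
    """Return (action, rule id) of the first matching rule, lowest rule id first."""
    for rule_id, action, s, s_wc, d, d_wc in sorted(rules):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, rule_id
    # Assumption: traffic-filter forwards packets that match no rule.
    return "permit", None

def uncovered_count(interface, base, wildcard):
    """Count addresses in the interface's subnet that the wildcard does not match."""
    net = ipaddress.ip_interface(interface).network
    return sum(1 for a in net if not wildcard_match(str(a), base, wildcard))

if __name__ == "__main__":
    flows = [
        ("192.168.11.20", "192.168.11.254"),  # ping to AR1 Vlanif11 (page: succeeds)
        ("192.168.11.20", "192.168.3.254"),   # ping to AR1 Vlanif10 (page: succeeds)
        ("192.168.11.20", "192.168.0.20"),    # page: fails
        ("192.168.0.20", "192.168.11.20"),    # reverse direction
        ("192.168.2.20", "192.168.11.20"),    # constructed host in Vlanif10's subnet
    ]
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
    print("Vlanif10 addresses not matched by 0.0.1.255:",
          uncovered_count("192.168.3.254/255.255.252.0", "192.168.0.0", "0.0.1.255"))
```

To block the whole Vlanif10 subnet, the wildcard that corresponds to mask 255.255.252.0 is 0.0.3.255.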