
Using a Traffic Policy to Implement Inter-VLAN Access Control

As shown in Figure 1, to ensure communication security, a company divides its network into a visitor area, an employee area, and a server area, and assigns VLAN 10, VLAN 20, and VLAN 30 to these areas, respectively. The company has the following requirements:
  • Employees, visitors, and servers can access the Internet.
  • Visitors cannot communicate with employees and can access only Server_1 in the server area.
Figure 1 Using a traffic policy to implement inter-VLAN access control
The central switch (Switch) is configured with VLANIF 10, VLANIF 20, VLANIF 30, and VLANIF 100 and a route to the router, after which employees, visitors, and servers can access the Internet and communicate with each other. To control access rights of visitors, configure a traffic policy on the central switch and define the following rules:
  • ACL rule 1: denies any packets sent from the IP network segment of visitors to the IP segment of employees.
  • ACL rule 2: permits any packets from the IP network segment of visitors to the IP address of Server_1, and denies any packets sent to the IP network segment of servers.
  • ACL rule 3: denies any packets from the IP network segment of employees to the IP network segment of visitors.
  • ACL rule 4: denies any packets from the IP network segment of servers to the IP network segment of visitors.

Apply the traffic policy to the inbound and outbound directions of the switch interface connected to the visitor area. Visitors can then only access Server_1 and cannot communicate with employees.
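The following is an added example, not part of this page and not the switch's configuration: a small first-match ACL evaluator in Python that models the four rules above so the effect of rule order and of the two policy directions can be checked before anything is applied to a device. The page names the VLANs but no IP segments, so every address, the Server_1 host address, and the sample packets are constructed placeholders.

```python
"""
Added example (not Huawei's code or configuration): a first-match ACL
evaluator that models the four rules described on the page.
All addresses are constructed placeholders; the page gives no IP segments.
"""
import ipaddress
from typing import List, Tuple

# Constructed address plan (assumption): one /24 per VLAN.
VISITORS = ipaddress.ip_network("10.1.10.0/24")    # VLAN 10
EMPLOYEES = ipaddress.ip_network("10.1.20.0/24")   # VLAN 20
SERVERS = ipaddress.ip_network("10.1.30.0/24")     # VLAN 30
SERVER_1 = ipaddress.ip_network("10.1.30.10/32")   # the one host visitors may reach

# (action, source network, destination network). Rules are checked top to
# bottom and the first match wins, as in an ACL referenced by a traffic classifier.
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Inbound on the visitor-facing interface: packets sent by visitors.
INBOUND: List[Rule] = [
    ("deny", VISITORS, EMPLOYEES),     # rule 1
    ("permit", VISITORS, SERVER_1),    # rule 2, first half: must precede the deny
    ("deny", VISITORS, SERVERS),       # rule 2, second half
]

# Outbound on the same interface: packets delivered to visitors.
OUTBOUND: List[Rule] = [
    ("deny", EMPLOYEES, VISITORS),     # rule 3
    ("deny", SERVERS, VISITORS),       # rule 4
]


def decide(rules: List[Rule], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' from the first matching rule, or 'forward'
    when no rule matches: the traffic policy then takes no action and the
    switch forwards the packet normally, which is how Internet traffic passes."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "forward"


def blocked(src: str, dst: str) -> bool:
    """True if a packet crossing the visitor-facing interface is dropped.
    Packets from visitors hit the inbound rules, all others the outbound rules."""
    rules = INBOUND if ipaddress.ip_address(src) in VISITORS else OUTBOUND
    return decide(rules, src, dst) == "deny"


def misordered_inbound() -> List[Rule]:
    """The same inbound rules with the Server_1 permit placed after the
    segment-wide deny, to show why rule order matters."""
    return [INBOUND[0], INBOUND[2], INBOUND[1]]


if __name__ == "__main__":
    # Constructed packets: (source, destination, description).
    samples = [
        ("10.1.10.5", "10.1.20.7", "visitor -> employee"),
        ("10.1.10.5", "10.1.30.10", "visitor -> Server_1"),
        ("10.1.10.5", "10.1.30.11", "visitor -> other server"),
        ("10.1.10.5", "203.0.113.9", "visitor -> Internet"),
        ("10.1.20.7", "10.1.10.5", "employee -> visitor"),
        ("10.1.30.10", "10.1.10.5", "Server_1 reply -> visitor"),
    ]
    for src, dst, what in samples:
        print(f"{what:28s} {'DROP' if blocked(src, dst) else 'PASS'}")
    print("Server_1 with misordered rules:",
          decide(misordered_inbound(), "10.1.10.5", "10.1.30.10"))
```

Two things the evaluator makes visible. First, the Server_1 permit in rule 2 only works because it is evaluated before the segment-wide deny; `misordered_inbound()` swaps the two halves and Server_1 becomes unreachable. Second, rule 4 as listed matches every packet from the server segment, including Server_1's replies to visitors, so the sample "Server_1 reply -> visitor" is dropped; for a working session a permit for Server_1 to the visitor segment would have to precede rule 4 in the outbound direction (this addition is a suggestion of the example, not a rule the page lists). Verify the intended behaviour against the switch's own ACL and traffic-policy documentation before deployment.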

Copyright © Huawei Technologies Co., Ltd.