A simulation topology is shown below; all the devices are in the same VLAN.
The customer wants the specific devices to access the server without restriction, while the rest of the devices can only ping the server.
We have two ways to achieve this requirement: one is a traffic policy, the other is a VACL.
Let's start with the traffic policy.
```
#
acl number 3001
 rule 5 permit icmp
#
acl number 4001
 rule 5 permit source-mac 5489-98c9-014f
 rule 10 deny
#
traffic classifier res operator and
 if-match acl 3001
traffic classifier res2 operator and
 if-match acl 4001
#
traffic behavior res
 permit
#
traffic policy res
 classifier res behavior res
 classifier res2 behavior res
#
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 traffic-policy res inbound
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 traffic-policy res inbound
#
```
![[case] A revelation caused by a glitch,the route policy configured doesn't take effect-2781501-2](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/19/113126jh30cz9cug46g4zj.jpg)
![[case] A revelation caused by a glitch,the route policy configured doesn't take effect-2781501-3](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/19/113401vzbuim7ibk9z6n7x.jpg)
- Enter the ping command on the client.
- The client encapsulates the data.
- At the network layer, the client checks the destination IP and finds that it is on the same network segment, so it does not search the routing table; it encapsulates the data with source IP = the client's IP address and destination IP = the server's IP address.
- The client hands the data down to the data link layer. There it adds source MAC = the client's MAC address and destination MAC = the server's MAC address. To fill in the destination MAC, the client looks up the server's entry in its ARP table; if no entry exists, it broadcasts an ARP request to learn the server's MAC.
- The broadcast ARP request reaches the switch, which checks the traffic policy to decide whether the frame is forwarded or discarded. With the traffic policy configured on the interface, the switch forwards only ICMP packets and frames from the specified MAC address, so it discards the ARP request. The client never learns the server's MAC, and the ping fails even though ICMP itself is permitted.
![[case] A revelation caused by a glitch,the route policy configured doesn't take effect-2781501-4](https://forum.huawei.com/enterprise/en/data/attachment/forum/201810/19/163505tl8iq0211f9lil88.jpg)
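To make the failure mode above concrete, here is a small added model of the two filter sets in this thread. It is illustration code written for this page, not Huawei code and not the switch's real ACL engine: frame fields, the "an IP ACL only sees IP frames, an ARP ACL only ARP frames, an L2 ACL sees everything" rule, and the "forwarded if any applied ACL's first matching rule permits" decision are simplifying assumptions chosen to reproduce the behaviour the case reports. The sample MAC addresses other than 5489-98c9-014f are constructed.

```python
# Added illustration for this case; not Huawei code and not the switch's
# real ACL engine. It models the traffic policy and the VACL from this
# thread just far enough to show why ARP is dropped by the first one.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: str                  # "ip" or "arp"
    ip_proto: Optional[str] = None  # "icmp", "tcp", ... (IP frames only)
    arp_op: Optional[str] = None    # "request" or "reply" (ARP frames only)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    match: Callable[[Frame], bool]


@dataclass(frozen=True)
class Acl:
    name: str
    kind: str                       # "ip" (3000-3999), "l2" (4000-4999), "arp" (23000-23999)
    rules: Tuple[Rule, ...]

    def lookup(self, f: Frame) -> Optional[str]:
        """First-match lookup: "permit", "deny", or None when nothing matches.
        Assumption of this model: an IP ACL only sees IP frames and an ARP ACL
        only ARP frames, while an L2 ACL sees every frame."""
        if self.kind == "ip" and f.ethertype != "ip":
            return None
        if self.kind == "arp" and f.ethertype != "arp":
            return None
        for r in self.rules:
            if r.match(f):
                return r.action
        return None


SPECIAL_MAC = "5489-98c9-014f"      # the exempt device from the thread's config

# acl 3001 / res1: rule 5 permit icmp
ACL_ICMP = Acl("3001", "ip", (Rule("permit", lambda f: f.ip_proto == "icmp"),))
# acl 4001 / res2: rule 5 permit source-mac <exempt device>, rule 10 deny
ACL_MAC = Acl("4001", "l2", (Rule("permit", lambda f: f.src_mac == SPECIAL_MAC),
                             Rule("deny", lambda f: True)))
# acl 23001 / res3: permit ARP request and ARP reply (the fix)
ACL_ARP = Acl("23001", "arp", (Rule("permit", lambda f: f.arp_op == "request"),
                               Rule("permit", lambda f: f.arp_op == "reply")))

BEFORE = (ACL_ICMP, ACL_MAC)          # traffic policy 'res' on the interfaces
AFTER = (ACL_ICMP, ACL_MAC, ACL_ARP)  # VACL on vlan 10 with the ARP ACL added


def forwarded(acls: Tuple[Acl, ...], f: Frame) -> bool:
    """Inbound decision of this model: forwarded if any applied ACL's first
    matching rule is permit; dropped if the only matches are denies or there
    is no match at all. This 'any permit wins' rule is a simplification; the
    switch's real ACL precedence is not modelled."""
    return "permit" in [a.lookup(f) for a in acls]


# Constructed sample frames: an ordinary client and the exempt device.
CLIENT_ARP = Frame("5489-98aa-0001", "arp", arp_op="request")
CLIENT_PING = Frame("5489-98aa-0001", "ip", ip_proto="icmp")
CLIENT_TCP = Frame("5489-98aa-0001", "ip", ip_proto="tcp")
SPECIAL_TCP = Frame(SPECIAL_MAC, "ip", ip_proto="tcp")


def ping_works(acls: Tuple[Acl, ...]) -> bool:
    """A ping from the client needs its ARP request to get through before
    the ICMP echo can even be sent."""
    return forwarded(acls, CLIENT_ARP) and forwarded(acls, CLIENT_PING)


if __name__ == "__main__":
    for label, acls in (("traffic policy", BEFORE), ("VACL + ARP ACL", AFTER)):
        print(f"{label}: ARP forwarded={forwarded(acls, CLIENT_ARP)}, "
              f"ping works={ping_works(acls)}, "
              f"client tcp={forwarded(acls, CLIENT_TCP)}, "
              f"exempt tcp={forwarded(acls, SPECIAL_TCP)}")
```

Running it shows the point of the case: under the traffic policy the ICMP echo is permitted but the ARP request that must precede it hits `rule 10 deny` of the L2 ACL, so the ping never gets off the client; once an ARP ACL permits request and reply, the ping works while other traffic from ordinary clients stays blocked and the exempt MAC keeps full access.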
The VACL version, with an ARP ACL (23001) added so that ARP requests and replies are permitted alongside ICMP and the exempt MAC address:

```
#
acl name res1 3001
 rule 5 permit icmp
#
acl name res2 4001
 rule 5 permit source-mac 5489-98c9-014f
 rule 10 deny
#
acl name res3 number 23001
 rule 5 permit request
 rule 10 permit reply
#
#
traffic-filter vlan 10 inbound acl name res1
traffic-filter vlan 10 inbound acl name res2
traffic-filter vlan 10 inbound acl name res3
#
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
#
```