实现
vlan 10不能访问其它vlan但可以上网，用traffic-filter实现
vlan20 不能访问其它vlan但可以上网，用mqc实现
vlan 30不能上外网，但可以和其它网段通信，用mqc实现

交换机配置 :
[Huawei]dis current-configuration

sysname Huawei

vlan batch 10 20 30 100

dhcp enable

diffserv domain default

acl number 3000
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.25
5
rule 10 permit ip
acl number 3001
rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.0.0 0.0.255.
255
acl number 3002
rule 5 deny ip source 192.168.30.0 0.0.0.255
rule 15 permit ip

traffic classifier vlan20 operator and //建立流分类
if-match acl 3001

traffic behavior vlan20 //建立流行为
deny

traffic policy vlan20 //建立流策略，并联流分类和流行为
classifier vlan20 behavior vlan20

drop-profile default

vlan 20
traffic-policy vlan20 inbound //调用流策略

interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface

interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface

interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select interface

interface Vlanif100
ip address 1.1.1.2 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
traffic-filter outbound acl 3002 //接口出去的直接用过滤vlan 30 不给上网

interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
traffic-filter inbound acl 3000 //接口直接用过滤vlan 10 不给访问其它网段

interface GigabitEthernet0/0/3
port link-type access
port default vlan 20

interface GigabitEthernet0/0/4
port link-type access
port default vlan 30

ip route-static 0.0.0.0 0.0.0.0 1.1.1.1