CLI: Typical configuration of packet filtering ACLs applied on a zone pair

Software version used

This example was configured and verified on version F5000-AI160E8371.

Network requirements

As shown in the figure below, the departments of a company are interconnected through the Device. The president's office, the finance department and the marketing department belong to the President, Finance and Market security zones respectively. The company's working hours are 08:00 to 18:00 on weekdays.

Configure packet filtering on the zone pairs so that the president's office can access the finance database server at any time and the finance department can access it during working hours, while all other departments are denied access at any time and the finance department is denied access outside working hours.

Figure 1 Network diagram for applying packet filtering ACLs on a zone pair

Configuration procedure

  1. Configure IP addresses for the interfaces

# Configure the IP address of each interface according to the network diagram. The steps are as follows.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0

[Device-GigabitEthernet1/0/1] quit

Configure the IP addresses of the other interfaces in the same way. (Details not shown.)

  2. Add the interfaces to security zones

# Create the security zones and add the interfaces to the corresponding zones according to the network diagram. The steps are as follows.

[Device] security-zone name Server

[Device-security-zone-Server] import interface gigabitethernet 1/0/1

[Device-security-zone-Server] quit

[Device] security-zone name President

[Device-security-zone-President] import interface gigabitethernet 1/0/2

[Device-security-zone-President] quit

[Device] security-zone name Finance

[Device-security-zone-Finance] import interface gigabitethernet 1/0/3

[Device-security-zone-Finance] quit

[Device] security-zone name Market

[Device-security-zone-Market] import interface gigabitethernet 1/0/4

[Device-security-zone-Market] quit

  3. Configure the time range

# Create a time range named work that covers 08:00 to 18:00 on weekdays.

[Device] time-range work 08:00 to 18:00 working-day

  4. Create the ACLs

# Create IPv4 advanced ACL 3000 to permit the president's office to access the finance database server at any time.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

[Device-acl-ipv4-adv-3000] quit

# Create IPv4 advanced ACL 3001 to permit the finance department to access the finance database server during working hours.

[Device] acl advanced 3001

[Device-acl-ipv4-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

[Device-acl-ipv4-adv-3001] quit

# Create IPv4 advanced ACL 3002 to deny all other departments access to the finance database server at any time.

[Device] acl advanced 3002

[Device-acl-ipv4-adv-3002] rule deny ip source any destination 192.168.0.100 0

[Device-acl-ipv4-adv-3002] quit

  5. Apply packet filtering policies on the zone pairs

# Create a zone pair with source zone President and destination zone Server, and apply ACL 3000 for packet filtering on it.

[Device] zone-pair security source president destination server

[Device-zone-pair-security-President-Server] packet-filter 3000

[Device-zone-pair-security-President-Server] quit

# Create a zone pair with source zone Finance and destination zone Server, and apply ACL 3001 for packet filtering on it.

[Device] zone-pair security source finance destination server

[Device-zone-pair-security-Finance-Server] packet-filter 3001

[Device-zone-pair-security-Finance-Server] quit

# Create a zone pair with source zone Market and destination zone Server, and apply ACL 3002 for packet filtering on it.

[Device] zone-pair security source market destination server

[Device-zone-pair-security-Market-Server] packet-filter 3002

[Device-zone-pair-security-Market-Server] quit
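The following Python model is an added example, not H3C code or output from this page: it reproduces the time range, ACLs and zone pairs configured in steps 3 to 5 and evaluates constructed packets against them. The Market host address 192.168.3.10, the timestamps and the Comware-style wildcard matching are assumptions; the action for traffic that matches no rule is left as a parameter, because the case of the finance department outside working hours resolves differently depending on it.

```python
"""Added model (not H3C code) of the zone-pair packet filtering in steps 3 to 5.
The action for a packet matching no rule is a parameter, because the outcome
for Finance outside working hours depends on it."""
from datetime import datetime, time
from ipaddress import IPv4Address

# ACL rules: (action, src, src_wildcard, dst, dst_wildcard, time_range);
# 'source any' is written as 0.0.0.0 with an all-ones wildcard.
ACLS = {
    3000: [("permit", "192.168.1.0", "0.0.0.255", "192.168.0.100", "0.0.0.0", None)],
    3001: [("permit", "192.168.2.0", "0.0.0.255", "192.168.0.100", "0.0.0.0", "work")],
    3002: [("deny", "0.0.0.0", "255.255.255.255", "192.168.0.100", "0.0.0.0", None)],
}
# packet-filter <acl> applied on each (source zone, destination zone) pair.
ZONE_PAIRS = {("President", "Server"): 3000, ("Finance", "Server"): 3001,
              ("Market", "Server"): 3002}
# Constructed timestamps: a Tuesday and a Saturday, both at 10:00.
TUE_10 = datetime(2024, 1, 2, 10)
SAT_10 = datetime(2024, 1, 6, 10)

def ip_matches(addr, pattern, wildcard):
    """Comware wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pattern)) & care)

def time_range_active(name, when):
    """time-range work 08:00 to 18:00 working-day (Monday to Friday).
    Treating 18:00:00 itself as outside the range is a modelling assumption."""
    if name is None:
        return True                      # rule without a time range: always active
    return when.weekday() < 5 and time(8, 0) <= when.time() < time(18, 0)

def filter_packet(src_zone, dst_zone, src_ip, dst_ip, when, default="permit"):
    """Return 'permit' or 'deny' for one packet crossing the given zone pair."""
    acl_id = ZONE_PAIRS.get((src_zone, dst_zone))
    if acl_id is None:
        return default                   # no packet-filter on this zone pair
    for action, src, src_wc, dst, dst_wc, trange in ACLS[acl_id]:
        if not time_range_active(trange, when):
            continue                     # an inactive rule is skipped, not denied
        if ip_matches(src_ip, src, src_wc) and ip_matches(dst_ip, dst, dst_wc):
            return action
    return default                       # no rule matched

if __name__ == "__main__":
    for zone, host, when in [("President", "192.168.1.10", SAT_10), ("Finance", "192.168.2.10", TUE_10),
                             ("Finance", "192.168.2.10", SAT_10), ("Market", "192.168.3.10", TUE_10)]:
        print(zone, when, filter_packet(zone, "Server", host, "192.168.0.100", when),
              filter_packet(zone, "Server", host, "192.168.0.100", when, default="deny"))
```

The Finance case on the Saturday shows why the default action matters: the only rule in ACL 3001 is inactive, so the packet matches nothing and is permitted unless the filter's default action for unmatched traffic is deny, which is a device setting the page does not state and which should be verified on the release in use.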

Verifying the configuration

After the configuration is complete, use the ping command on the PCs of each department (all assumed to run Windows XP) to check the effect, and use the display acl command on the Device to view the ACL configuration and running status. For example, during working hours:

# On a PC in the finance department, check whether the finance database server is reachable.

C:\> ping 192.168.0.100

 

Pinging 192.168.0.100 with 32 bytes of data:

 

Reply from 192.168.0.100: bytes=32 time=1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Reply from 192.168.0.100: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.100:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 1ms, Average = 0ms

This shows that a PC in the finance department can access the finance database server during working hours.

# On a PC in the marketing department, check whether the finance database server is reachable.

C:\> ping 192.168.0.100

 

Pinging 192.168.0.100 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 192.168.0.100:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

This shows that a PC in the marketing department cannot access the finance database server during working hours.

# Display the configuration and running status of IPv4 advanced ACL 3001 and ACL 3002.

[Device] display acl 3001

Advanced IPv4 ACL 3001, 1 rule,

ACL's step is 5

 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (4 times matched) (Active)

[Device] display acl 3002

Advanced IPv4 ACL 3002, 1 rule,

ACL's step is 5

 rule 0 deny ip destination 192.168.0.100 0 (4 times matched)

This shows that rule 0 of ACL 3001 is active because it is currently working hours, and that rule 0 of ACL 3001 and rule 0 of ACL 3002 have each been matched 4 times because of the ping commands run earlier.

Configuration file

#

interface GigabitEthernet1/0/1

 ip address 192.168.0.1 255.255.255.0

#

security-zone name Server

 import interface GigabitEthernet1/0/1

#

security-zone name President

 import interface GigabitEthernet1/0/2

#

security-zone name Finance

 import interface GigabitEthernet1/0/3

#

security-zone name Market

 import interface GigabitEthernet1/0/4

#

 time-range work 08:00 to 18:00 working-day

#

acl advanced 3000

 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

#

acl advanced 3001

 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

#

acl advanced 3002

 rule 0 deny ip destination 192.168.0.100 0

#

zone-pair security source President destination Server

 packet-filter 3000

#

zone-pair security source Finance destination Server

 packet-filter 3001

#

zone-pair security source Market destination Server

 packet-filter 3002

#