A company interconnects its departments through the device. The financial database server, President's office, Financial department, and Marketing department belong to different security zones. Configure a packet filter to:
Permit access from the President's office at any time to the financial database server.
Permit access from the Financial department to the financial database server only during working hours (from 8:00 to 18:00) on working days.
Deny access from any other department to the financial database server.
Figure 1 Network diagram
This configuration example was created and verified on F9900 of the F5000-AI120 device.
1. Assign IP addresses to interfaces:
# Assign an IP address to GigabitEthernet 1/0/1.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0
[Device-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
2. Add interfaces to security zones.
[Device] security-zone name Server
[Device-security-zone-Server] import interface gigabitethernet 1/0/1
[Device-security-zone-Server] quit
[Device] security-zone name President
[Device-security-zone-President] import interface gigabitethernet 1/0/2
[Device-security-zone-President] quit
[Device] security-zone name Finance
[Device-security-zone-Finance] import interface gigabitethernet 1/0/3
[Device-security-zone-Finance] quit
[Device] security-zone name Market
[Device-security-zone-Market] import interface gigabitethernet 1/0/4
[Device-security-zone-Market] quit
3. Create a periodic time range from 8:00 to 18:00 on working days.
[Device] time-range work 08:00 to 18:00 working-day
4. Configure ACLs:
# Configure ACL 3000 to permit access from the President's office at any time to the financial database server.
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
[Device-acl-ipv4-adv-3000] quit
# Configure ACL 3001 to permit access from the Financial department to the financial database server only during working hours on working days.
[Device] acl advanced 3001
[Device-acl-ipv4-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
[Device-acl-ipv4-adv-3001] quit
# Configure ACL 3002 to deny access from any other department to the financial database server.
[Device] acl advanced 3002
[Device-acl-ipv4-adv-3002] rule deny ip source any destination 192.168.0.100 0
[Device-acl-ipv4-adv-3002] quit
5. Apply the ACLs to zone pairs for packet filtering:
# Create a zone pair with the source security zone President and destination security zone Server. Apply ACL 3000 to the zone pair for packet filtering.
[Device] zone-pair security source president destination server
[Device-zone-pair-security-President-Server] packet-filter 3000
[Device-zone-pair-security-President-Server] quit
# Create a zone pair with the source security zone Finance and destination security zone Server. Apply ACL 3001 to the zone pair for packet filtering.
[Device] zone-pair security source finance destination server
[Device-zone-pair-security-Finance-Server] packet-filter 3001
[Device-zone-pair-security-Finance-Server] quit
# Create a zone pair with the source security zone Market and destination security zone Server. Apply ACL 3002 to the zone pair for packet filtering.
[Device] zone-pair security source market destination server
[Device-zone-pair-security-Market-Server] packet-filter 3002
[Device-zone-pair-security-Market-Server] quit
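To check how the three zone-pair filters above decide on a packet before the change goes live, the following added example (not part of the H3C guide) models the device's evaluation in Python: it parses the rule lines in the page's own syntax, applies Comware-style wildcard (inverse) masks, and honours the working-day time range. Assumptions: the 18:00 end bound of the time range is exclusive, and a packet that matches no rule (or whose zone pair has no filter) is treated as denied.

```python
import ipaddress
from datetime import datetime
# Constructed model of the page's "work" time range (08:00-18:00, Mon-Fri), its three
# ACLs and the zone-pair bindings. Assumption: the end bound 18:00 is exclusive.
TIME_RANGES = {"work": ((8, 0), (18, 0), {0, 1, 2, 3, 4})}
ACLS = {
    3000: ["rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0"],
    3001: ["rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work"],
    3002: ["rule deny ip source any destination 192.168.0.100 0"],
}
ZONE_PAIRS = {("President", "Server"): 3000, ("Finance", "Server"): 3001, ("Market", "Server"): 3002}

def ip(s):
    """Dotted IPv4 to int; Comware accepts the bare wildcard '0' as 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def parse_rule(text):
    """Parse 'rule <permit|deny> ip source ... destination ... [time-range NAME]'."""
    tok = text.split()
    rule = {"action": tok[1], "source": None, "destination": None, "time_range": None}
    i = 3  # skip 'rule', the action and the 'ip' protocol keyword
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            if tok[i + 1] == "any":
                rule[tok[i]], i = None, i + 2
            else:  # address followed by a Comware wildcard (inverse) mask
                rule[tok[i]], i = (ip(tok[i + 1]), ip(tok[i + 2])), i + 3
        elif tok[i] == "time-range":
            rule["time_range"], i = tok[i + 1], i + 2
        else:
            raise ValueError("unsupported keyword: " + tok[i])
    return rule

def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are don't-care; 0 bits must match exactly. None means 'any'."""
    return spec is None or (ip(addr) | spec[1]) == (spec[0] | spec[1])

def time_range_active(name, when):
    start, end, days = TIME_RANGES[name]
    return when.weekday() in days and start <= (when.hour, when.minute) < end

def filter_packet(src_zone, dst_zone, src_ip, dst_ip, when_str):
    """Action for one packet at 'YYYY-MM-DD HH:MM'. Assumption: no zone pair or no match -> deny."""
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M")
    for rule in map(parse_rule, ACLS.get(ZONE_PAIRS.get((src_zone, dst_zone)), [])):
        if rule["time_range"] and not time_range_active(rule["time_range"], when):
            continue  # a rule whose time range is inactive never matches
        if wildcard_match(src_ip, rule["source"]) and wildcard_match(dst_ip, rule["destination"]):
            return rule["action"]
    return "deny"
```

Running filter_packet with a Finance address on a Saturday, or after 18:00, shows why the time-range keyword on ACL 3001 is what enforces the working-hours requirement rather than the zone pair itself.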
# Verify that a PC in the Financial department can ping the database server during working hours. (All PCs in this example use Windows XP.)
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Reply from 192.168.0.100: bytes=32 time=1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Reply from 192.168.0.100: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
# Verify that a PC in the Marketing department cannot ping the database server during working hours.
C:\> ping 192.168.0.100
Pinging 192.168.0.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
# Display the configuration and match statistics of IPv4 advanced ACLs 3001 and 3002 on the device during working hours.
[Device] display acl 3001
Advanced IPv4 ACL 3001, 1 rule,
ACL's step is 5
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work (4 times matched) (Active)
[Device] display acl 3002
Advanced IPv4 ACL 3002, 1 rule,
ACL's step is 5
rule 0 deny ip destination 192.168.0.100 0 (4 times matched)
The output shows that the rule in ACL 3001 is active, and that ACL 3001 and ACL 3002 have each been matched four times as a result of the ping operations.
The configuration file on the device after the steps above is as follows:
#
interface GigabitEthernet1/0/1
ip address 192.168.0.1 255.255.255.0
#
security-zone name Server
import interface GigabitEthernet1/0/1
#
security-zone name President
import interface GigabitEthernet1/0/2
#
security-zone name Finance
import interface GigabitEthernet1/0/3
#
security-zone name Market
import interface GigabitEthernet1/0/4
#
time-range work 08:00 to 18:00 working-day
#
acl advanced 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0
#
acl advanced 3001
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work
#
acl advanced 3002
rule 0 deny ip destination 192.168.0.100 0
#
zone-pair security source President destination Server
packet-filter 3000
#
zone-pair security source Finance destination Server
packet-filter 3001
#
zone-pair security source Market destination Server
packet-filter 3002
#