1.组网需求 • 某公司内的各部门之间通过 Device 实现互连,该公司的工作时间为每周工作日的 8 点到 18点。 • 通过配置安全策略规则,允许总裁办在任意时间、财务部在工作时间通过 HTTP 协议访问财务数据库服务器的 Web 服务,禁止其它部门在任何时间、财务部在非工作时间通过 HTTP 协议访问该服务器的 Web 服务。
2. 组网图
3. 配置步骤 (1) 配置接口 IP 地址、路由保证网络可达,具体配置步骤略 (2) 配置时间段 #创建名为 work 的时间段,其时间范围为每周工作日的 8 点到 18 点。 <Device>system-view [Device] time-range work 08:00 to 18:00 working-day (3) 配置安全域 #创建名为 database 的安全域,并将接口 GigabitEthernet1/0/1 加入该安全域中。 [Device] security-zone name database [Device-security-zone-database] import interface gigabitethernet 1/0/1 [Device-security-zone-database] quit #创建president 的安全域,并将接口 GigabitEthernet1/0/2 加入该安全域中。 [Device] security-zone name president [Device-security-zone-president] import interface gigabitethernet 1/0/2 [Device-security-zone-president] quit #创建名为 finance 的安全域,并将接口 GigabitEthernet1/0/3 加入该安全域中。 [Device] security-zone name finance [Device-security-zone-finance] import interface gigabitethernet 1/0/3 [Device-security-zone-finance] quit #创建名为 market 的安全域,并将接口 GigabitEthernet1/0/4 加入该安全域中。 [Device] security-zone name market [Device-security-zone-market] import interface gigabitethernet 1/0/4 [Device-security-zone-market] quit (4) 配置对象 #创建名为 database 的 IP 地址对象组,并定义其子网地址为 192.168.0.0/24。 [Device] object-group ip address database [Device-obj-grp-ip-database] network subnet 192.168.0.0 24 [Device-obj-grp-ip-database] quit #创建名为 president 的 IP 地址对象组,并定义其子网地址为 192.168.1.0/24。 [Device] object-group ip address president [Device-obj-grp-ip-president] network subnet 192.168.1.0 24 [Device-obj-grp-ip-president] quit #创建名为 finance 的 IP 地址对象组,并定义其子网地址为 192.168.2.0/24。 [Device] object-group ip address finance [Device-obj-grp-ip-finance] network subnet 192.168.2.0 24 [Device-obj-grp-ip-finance] quit #创建名为 market 的 IP 地址对象组,并定义其子网地址为 192.168.3.0/24。 [Device] object-group ip address market [Device-obj-grp-ip-market] network subnet 192.168.3.0 24 [Device-obj-grp-ip-market] quit #创建名为 web 的服务对象组,并定义其支持的服务为 HTTP。 [Device] object-group service web [Device-obj-grp-service-web] service 6 destination eq 80 [Device-obj-grp-service-web] quit (5) 配置安全策略及规则 #进入 IPv4 安全策略视图。 [Device] security-policy ip #制订允许总裁办在任意时间通过 HTTP 协议访问财务数据库服务器的安全策略规则,其规则名称为 president-database。 [Device-security-policy-ip] rule 0 name president-database [Device-security-policy-ip-0-president-database] source-zone president [Device-security-policy-ip-0-president-database] destination-zone database [Device-security-policy-ip-0-president-database] source-ip president [Device-security-policy-ip-0-president-database] destination-ip database [Device-security-policy-ip-0-president-database] service web [Device-security-policy-ip-0-president-database] action pass [Device-security-policy-ip-0-president-database] quit #制订只允许财务部在工作时间通过 HTTP 协议访问财务数据库服务器的安全策略规则,其规则名称为 finance-database。 [Device-security-policy-ip] rule 1 name finance-database [Device-security-policy-ip-1-finance-database] source-zone finance [Device-security-policy-ip-1-finance-database] destination-zone database [Device-security-policy-ip-1-finance-database] source-ip finance [Device-security-policy-ip-1-finance-database] destination-ip database [Device-security-policy-ip-1-finance-database] service web [Device-security-policy-ip-1-finance-database] action pass [Device-security-policy-ip-1-finance-database] time-range work [Device-security-policy-ip-1-finance-database] quit #制订禁止市场部在任何时间通过 HTTP 协议访问财务数据库服务器的安全策略规则,其规则名称为 market-database。 [Device-security-policy-ip] rule 2 name market-database [Device-security-policy-ip-2-market-database] source-zone market [Device-security-policy-ip-2-market-database] destination-zone database [Device-security-policy-ip-2-market-database] source-ip market [Device-security-policy-ip-2-market-database] destination-ip database [Device-security-policy-ip-2-market-database] service web [Device-security-policy-ip-2-market-database] action drop [Device-security-policy-ip-2-market-database] quit #激活安全策略规则的加速功能。 [Device-security-policy-ip] accelerate enhanced enable [Device-security-policy-ip] quit 4. 命令查询
