A company's internal network is shown in the figure. The following restrictions are required on each department's Internet traffic and on access to the payroll server:
1. During working hours (8:30 to 18:00) only the R&D manager's host may access the Internet; the other R&D hosts may access the Internet only outside working hours.
2. At any time, only HostA (10.1.3.1) in the management department may access the payroll server (11.1.1.100); no other host may access it.
1. QoS policy approach
SwitchA:
Define the time range
time-range working_time 8:30 to 18:00 working-day
Define ACL 3000, matching HTTP packets sent from source address 10.1.4.3 (the R&D manager's host)
acl number 3000
rule 0 permit tcp destination-port eq 80 source 10.1.4.3 0 time-range working_time
Define ACL 3001, matching HTTP packets from any source IP address within the time range working_time
acl number 3001
rule 0 permit tcp destination-port eq 80 source any time-range working_time
Define traffic class rd_manager_http, matching ACL 3000
traffic classifier rd_manager_http operator and
if-match acl 3000
Define traffic behavior rd_manager_http, which permits the packets
traffic behavior rd_manager_http
filter permit
Define traffic class rd_http, matching ACL 3001
traffic classifier rd_http operator and
if-match acl 3001
Define traffic behavior rd_http, which denies the packets
traffic behavior rd_http
filter deny
Define QoS policy rd_http, associating each class with its behavior (the manager's class is listed first, so it is evaluated first)
qos policy rd_http
classifier rd_manager_http behavior rd_manager_http
classifier rd_http behavior rd_http
Apply the QoS policy
int g1/0/1
qos apply policy rd_http inbound
Define ACL 3002, matching packets from Host A (10.1.3.1) to the payroll server (11.1.1.100)
acl number 3002
rule 0 permit ip destination 11.1.1.100 0 source 10.1.3.1 0
Define ACL 3003, matching packets from any source address to the payroll server
acl number 3003
rule 0 permit ip destination 11.1.1.100 0 source any
Define traffic class hostA, matching ACL 3002
traffic classifier hostA operator and
if-match acl 3002
Define traffic behavior hostA, which permits the packets
traffic behavior hostA
filter permit
Define traffic class hostAny, matching ACL 3003
traffic classifier hostAny operator and
if-match acl 3003
Define traffic behavior hostAny, which denies the packets
traffic behavior hostAny
filter deny
Define QoS policy salary_server, associating each class with its behavior
qos policy salary_server
classifier hostA behavior hostA
classifier hostAny behavior hostAny
Apply the QoS policy
int gi1/0/2
qos apply policy salary_server inbound
Complete configuration
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 3000
rule 0 permit tcp source 10.1.4.3 0 destination-port eq www time-range working_time
acl number 3001
rule 0 deny tcp destination-port eq www time-range working_time
acl number 3002
rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
acl number 3003
rule 0 permit ip destination 11.1.1.100 0
#
traffic classifier rd_manager_http operator and
if-match acl 3000
traffic classifier host_a operator and
if-match acl 3002
traffic classifier except_host_a operator and
if-match acl 3003
traffic classifier rd_http operator and
if-match acl 3001
#
traffic behavior rd_manager_http
filter permit
traffic behavior host_a
filter permit
traffic behavior except_host_a
filter deny
traffic behavior rd_http
filter deny
#
qos policy rd_http
classifier rd_manager_http behavior rd_manager_http
classifier rd_http behavior rd_http
qos policy for_salary_server
classifier host_a behavior host_a
classifier except_host_a behavior except_host_a
#
interface GigabitEthernet1/0/1
qos apply policy rd_http inbound
#
interface GigabitEthernet1/0/2
qos apply policy for_salary_server inbound
2. Packet-filter approach
SwitchA
time-range working_time 8:30 to 18:00 working-day
acl number 3000
rule 0 permit tcp destination-port eq 80 source 10.1.4.3 0 time-range working_time
rule 5 deny tcp destination-port eq 80 source any time-range working_time
acl number 3001
rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
rule 5 deny ip source any destination 11.1.1.100 0
int gi1/0/1
packet-filter 3000 inbound
int gi1/0/2
packet-filter 3001 inbound
Complete configuration
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 3000
rule 0 permit tcp source 10.1.4.3 0 destination-port eq www time-range working_time
rule 5 deny tcp destination-port eq www time-range working_time
acl number 3001
rule 0 permit ip source 10.1.3.1 0 destination 11.1.1.100 0
rule 5 deny ip destination 11.1.1.100 0
#
interface GigabitEthernet1/0/1
packet-filter 3000 inbound
#
interface GigabitEthernet1/0/2
packet-filter 3001 inbound
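As an added example, not part of the original configuration guide, the following Python script models the first-match semantics that both the packet-filter ACLs and the ordered QoS classifiers above rely on: the 08:30 to 18:00 working-day time range, wildcard-0 host matches, the implicit permit when no rule matches, and what happens when HostA's permit rule and the catch-all deny are swapped. The packet fields, the 2024-01-08 timestamps and the Internet destination 203.0.113.10 are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; otherwise "tcp"/"udp"
    src: str = "0.0.0.0/0"       # CIDR: "source 10.1.4.3 0" (wildcard 0) is /32, "any" is /0
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # "destination-port eq 80"
    time_range: bool = False     # rule is active only inside working_time

def in_working_time(t: datetime) -> bool:
    """time-range working_time 08:30 to 18:00 working-day (Mon-Fri); 18:00 taken as the end."""
    return t.weekday() < 5 and (8, 30) <= (t.hour, t.minute) < (18, 0)

def matches(rule: Rule, pkt: dict, t: datetime) -> bool:
    if rule.time_range and not in_working_time(t):
        return False  # outside its time range the rule is skipped entirely
    return ((rule.proto == "ip" or rule.proto == pkt["proto"])
            and IPv4Address(pkt["src"]) in IPv4Network(rule.src)
            and IPv4Address(pkt["dst"]) in IPv4Network(rule.dst)
            and (rule.dport is None or pkt.get("dport") == rule.dport))

def evaluate(acl: list, pkt: dict, t: datetime) -> str:
    """First matching rule decides; packet-filter permits when no rule matches."""
    for rule in acl:
        if matches(rule, pkt, t):
            return rule.action
    return "permit"

# The page's two packet-filter ACLs, transcribed as constructed data
ACL_3000 = [Rule("permit", "tcp", src="10.1.4.3/32", dport=80, time_range=True),
            Rule("deny", "tcp", dport=80, time_range=True)]
ACL_3001 = [Rule("permit", "ip", src="10.1.3.1/32", dst="11.1.1.100/32"),
            Rule("deny", "ip", dst="11.1.1.100/32")]
ACL_3001_MISORDERED = list(reversed(ACL_3001))  # catch-all deny now shadows HostA's permit
WORK = datetime(2024, 1, 8, 10, 0)  # constructed: Monday 10:00, inside working_time
OFF = datetime(2024, 1, 8, 20, 0)   # constructed: Monday 20:00, outside working_time

def http(src: str, dst: str = "203.0.113.10", dport: int = 80) -> dict:
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    print(evaluate(ACL_3000, http("10.1.4.3"), WORK))              # permit: R&D manager
    print(evaluate(ACL_3000, http("10.1.4.5"), WORK))              # deny: other R&D host
    print(evaluate(ACL_3000, http("10.1.4.5", dport=443), WORK))   # permit: only port 80 is filtered
    print(evaluate(ACL_3001_MISORDERED, http("10.1.3.1", "11.1.1.100"), WORK))  # deny: HostA blocked
```

The port-443 case shows that these ACLs cover plain HTTP only; any other traffic from the R&D hosts falls through to the implicit permit.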