要求:公司新成立一部門,設置開發部和業務部,需實現新部門人員上網的控制,新部門人員可以訪問現有網絡裏的主機,反之不行;開發部可以訪問業務部,業務部不能訪問開發部。
環境:
1臺路由器,三個以太口,一個做出口,上聯其它路由器;另兩個分別下聯兩個網段。
<DZSW>dis cur
#
sysname DZSW
#
cpu-usage cycle 1min
#
firewall enable
#
nat address-group 5 192.168.142.228 192.168.142.228
nat address-group 6 192.168.142.229 192.168.142.229
#
radius scheme system
#
domain system
#
local-user admin
password simple 12345678
service-type telnet terminal
level 3
service-type ftp
#
acl number 2001
rule 1 permit source 192.168.146.2 0
rule 2 permit source 192.168.146.3 0
rule 3 permit source 192.168.146.4 0
acl number 2002
rule 2 permit source 192.168.148.1 0
rule 3 permit source 192.168.146.1 0
rule 4 permit source 192.168.148.201 0
rule 5 permit source 192.168.148.2 0
#
acl number 3001
nesting 3000
rule 1 permit icmp source 192.168.148.0 0.0.0.255 destination 192.168.146.0 0.g
rule 2 deny ip source 192.168.148.0 0.0.0.255 destination 192.168.146.0 0.0.0.5
rule 3 permit ip
acl number 3002
rule 0 permit icmp source 192.168.146.0 0.0.0.255 destination 192.168.148.0 0.5
rule 1 permit tcp source 192.168.146.0 0.0.0.255 destination 192.168.148.0 0.0g
rule 2 permit ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.148.254 255.255.255.0
firewall packet-filter 3001 inbound
firewall packet-filter 3002 outbound
#
interface Ethernet0/1
ip address 192.168.146.254 255.255.255.0
#
interface Ethernet1/0
ip address 192.168.142.228 255.255.255.0
nat outbound 2002 address-group 5
nat outbound 2001 address-group 6
#
interface Serial0/0
clock DTECLK1
link-protocol ppp
ip address dhcp-alloc
#
interface Serial0/1
clock DTECLK1
link-protocol ppp
ip address dhcp-alloc
#
interface NULL0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 192.168.142.254 preference 60
#
snmp-agent
snmp-agent local-engineid 000007DB7F0000010000530A
snmp-agent community read public
snmp-agent sys-info version all
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return