Case 4: If you want to restrict which terminals can access the Internet and which cannot, what methods are there?

Author: 网络之路一天  First published on the WeChat public account 网络之路博客 (ID: NetworkBlog)


In practice a requirement like this comes up: the customer wants that in certain areas only the boss can access the Internet, or that the boss can access it at any time while employees can only access it during break time. Let's look at how to implement such a requirement.


Steps and approach using the normal configuration mode

(1) On the firewall, identify the internal and external interfaces, configure the corresponding connection method for each, add them to security zones, and enable DHCP.

(2) To allow only one particular host to access the Internet (or to block it), the firewall offers two ways of control: the first is by IP address, the second is by MAC address. To control by IP, you need a DHCP static binding so that the host obtains the same IP every time; for MAC, you can enter the MAC address directly in the security policy.

(3) Configure the corresponding security policies and NAT policies according to the requirements and the plan.

(4) If time-based policies are involved, make sure the firewall's clock is correct.


Full configuration

#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.101.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 dhcp select interface
 dhcp server ip-range 192.168.101.1 192.168.101.254
 dhcp server gateway-list 192.168.101.254
 dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.102.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
 dhcp select interface
 dhcp server ip-range 192.168.102.1 192.168.102.254
 dhcp server gateway-list 192.168.102.254
 dhcp server static-bind ip-address 192.168.102.250 mac-address 5489-9843-18af
 dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address dhcp-alloc
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip address-set 不允许上网 type object
 address 0 192.168.102.250 mask 32
#
ip address-set 102允许上网 type object
 address 0 192.168.102.0 mask 24
#
ip address-set BOSS_server type object
 address 0 5489-9864-0d2c
 address 1 192.168.101.249 mask 32
#
ip address-set 101网段 type object
 address 0 192.168.101.0 mask 24
#
time-range 休息时间
 period-range 12:00:00 to 13:30:00 working-day
#
security-policy
 rule name PC4_deny_internet
  source-zone trust
  destination-zone untrust
  source-address address-set 不允许上网
  action deny
 rule name 允许102其他上网
  source-zone trust
  destination-zone untrust
  source-address address-set 102允许上网
  action permit
 rule name Local_any
  source-zone local
  action permit
 rule name BOSS
  source-zone trust
  destination-zone untrust
  source-address address-set BOSS_server
  action permit
 rule name 休息时间允许上网
  source-zone trust
  destination-zone untrust
  source-address address-set 101网段
  time-range 休息时间
  action permit
#
nat-policy
 rule name 允许上网
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip

Easily overlooked points

(1) Depending on the customer's requirements, the internal network may be on a single subnet or on different subnets. If it is a single subnet, switch the interfaces to Layer 2, then configure a VLANIF, and then enable DHCP (the case above demonstrates different subnets).

(2) For a DHCP static binding, if the MAC address being bound has already been allocated an IP, that lease must first be cleared before the binding is made (use the command `reset ip pool interface GigabitEthernet1/0/1 192.168.101.250` to release the IP bound to that MAC).


(3) Security policy order: always plan and configure rules from the most specific to the most general.
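To make the rule-order point above, and the IP-versus-MAC control described in step (2), concrete, here is an added Python model of the page's security policy (this is illustrative code written for this article, not Huawei's own policy engine). It transcribes the four address sets, the 休息时间 time-range and the five security-policy rules from the configuration above into a first-match evaluator, then shows what happens to the blocked host 192.168.102.250 when the broad /24 permit is placed ahead of the specific /32 deny. The sample source zones, IPs, MACs and timestamps are constructed for the demonstration; the "working-day" semantics are assumed to mean Monday through Friday.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address sets transcribed from the page's configuration. BOSS_server mixes a
# MAC object and an IP object, exactly as the original config does.
ADDRESS_SETS = {
    "不允许上网": {"ips": ["192.168.102.250/32"], "macs": []},
    "102允许上网": {"ips": ["192.168.102.0/24"], "macs": []},
    "BOSS_server": {"ips": ["192.168.101.249/32"], "macs": ["5489-9864-0d2c"]},
    "101网段": {"ips": ["192.168.101.0/24"], "macs": []},
}

# time-range 休息时间: period-range 12:00:00 to 13:30:00 working-day
# Assumption: working-day = Monday..Friday (datetime.weekday() gives Monday = 0).
TIME_RANGES = {
    "休息时间": {"start": (12, 0, 0), "end": (13, 30, 0), "days": {0, 1, 2, 3, 4}},
}

# Constructed timestamps for the demonstration (2024-01-08 is a Monday).
LUNCH_MONDAY = datetime(2024, 1, 8, 12, 30)      # inside 12:00-13:30, working day
AFTERNOON_MONDAY = datetime(2024, 1, 8, 15, 0)   # outside the period
LUNCH_SATURDAY = datetime(2024, 1, 6, 12, 30)    # right time, not a working day


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src_zone: str
    dst_zone: Optional[str] = None    # None = any destination zone
    src_set: Optional[str] = None     # None = any source address
    time_range: Optional[str] = None  # None = always active


# The page's security-policy rules, in the order they appear in the config.
RULES: List[Rule] = [
    Rule("PC4_deny_internet", "deny", "trust", "untrust", "不允许上网"),
    Rule("允许102其他上网", "permit", "trust", "untrust", "102允许上网"),
    Rule("Local_any", "permit", "local"),
    Rule("BOSS", "permit", "trust", "untrust", "BOSS_server"),
    Rule("休息时间允许上网", "permit", "trust", "untrust", "101网段", "休息时间"),
]


def in_address_set(set_name: str, ip: str, mac: Optional[str]) -> bool:
    """True if the source IP, or the source MAC when it is known, is in the set."""
    s = ADDRESS_SETS[set_name]
    if mac is not None and mac.lower() in (m.lower() for m in s["macs"]):
        return True
    return any(ip_address(ip) in ip_network(net) for net in s["ips"])


def time_range_active(name: str, when: datetime) -> bool:
    """True if `when` falls inside the named working-day period."""
    tr = TIME_RANGES[name]
    if when.weekday() not in tr["days"]:
        return False
    return tr["start"] <= (when.hour, when.minute, when.second) <= tr["end"]


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, ip: str,
             mac: Optional[str] = None, when: Optional[datetime] = None) -> Tuple[str, str]:
    """First-match walk over the rule list; the implicit default action is deny."""
    for r in rules:
        if r.src_zone != src_zone:
            continue
        if r.dst_zone is not None and r.dst_zone != dst_zone:
            continue
        if r.src_set is not None and not in_address_set(r.src_set, ip, mac):
            continue
        if r.time_range is not None:
            if when is None or not time_range_active(r.time_range, when):
                continue
        return r.action, r.name
    return "deny", "default"


def with_first_two_swapped(rules: List[Rule]) -> List[Rule]:
    """The mis-ordering the page warns about: the /24 permit ahead of the /32 deny."""
    return [rules[1], rules[0]] + list(rules[2:])


if __name__ == "__main__":
    cases = [
        ("trust", "untrust", "192.168.102.250"),                   # statically bound PC, blocked
        ("trust", "untrust", "192.168.102.10"),                    # any other 102 host, allowed
        ("trust", "untrust", "192.168.101.249"),                   # boss by IP
        ("trust", "untrust", "192.168.101.10", "5489-9864-0d2c"),  # boss by MAC, any IP
        ("trust", "untrust", "192.168.101.10", None, LUNCH_MONDAY),
        ("trust", "untrust", "192.168.101.10", None, AFTERNOON_MONDAY),
    ]
    for args in cases:
        print(args, "->", evaluate(RULES, *args))
    print("deny placed after the /24 permit ->",
          evaluate(with_first_two_swapped(RULES), "trust", "untrust", "192.168.102.250"))
```

Two things the run makes visible: with the page's order, 192.168.102.250 hits PC4_deny_internet before the /24 permit can match it, while with the two rules swapped it is permitted and the deny rule is never reached; and a 101-subnet employee is only permitted by 休息时间允许上网 when the firewall's clock says it is 12:00 to 13:30 on a working day, which is why step (4) insists on correct time. The MAC match in BOSS_server only means anything when the firewall actually sees the host's source MAC, i.e. the host sits directly on the firewall's Layer 2 segment as in this topology.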



Author: 网络之路一天, WeChat public account: 网络之路博客 (ID: NetworkBlog). So your networking journey is not a lonely one: let's learn together and grow together.