一、实验拓扑
二、实验要求
三、需求分析
1.创建两个vlan
2.在ENSP中配置基于时间的ACL实现对于办公区PC访问OA Server的时间限制(工作日早8到晚6)。
3.通过配置基于MAC地址的ACL来实现对于生产区PC访问Web Server的限制(除PC3外不能访问)。
4.在三层交换机上配置不同VLAN的接口IP地址,并启用路由功能,以确保不同VLAN之间能够进行通信。同时,要为OA Server和Web Server配置相应的IP地址和网关,使它们能够在网络中被正确识别和访问。
四、实验配置
1.配置vlan与access、truck接口
[sw1]vlan 2
[sw1]vlan 3
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type trunk
[sw1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 2
[sw1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 3
[sw1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[sw1-GigabitEthernet0/0/4]port link-type access
[sw1-GigabitEthernet0/0/4]port default vlan 3
2.web
[FW]interface GigabitEthernet 1/0/1.1
[FW-GigabitEthernet1/0/1.1]service-manage ping permit
[FW-GigabitEthernet1/0/1.1]interface GigabitEthernet 1/0/1.2
[FW-GigabitEthernet1/0/1.2]service-manage ping permit
3.安全策略
办公区pc在工作日时间可以正常访问oa区其他时间不允许
办公区pc可以任意时刻访问web区
生产区pc可以任意时刻访问oa,但是不能访问web
生产区pc可以在每周一早10-11访问web,用来更新企业最新产品信息
使用ensp完成的方法
接口配置
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.0.0.254 24
[FW]interface GigabitEthernet 1/0/1.1
[FW-GigabitEthernet1/0/1.1]ip address 192.168.1.126 25
[FW-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[FW-GigabitEthernet1/0/1.1]interface GigabitEthernet 1/0/1.2
[FW-GigabitEthernet1/0/1.2]ip address 192.168.1.254 25
[FW-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/0
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1.1
[FW-zone-trust]add interface GigabitEthernet 1/0/1.2
[FW]display zone
[FW]interface GigabitEthernet 1/0/1.1
[FW-GigabitEthernet1/0/1.1]service-manage ping permit
[FW-GigabitEthernet1/0/1.1]interface GigabitEthernet 1/0/1.2
[FW-GigabitEthernet1/0/1.2]service-manage ping permit
安全策略配置
[FW]ip address-set bg
[FW-object-address-set-bg]address 192.168.1.0 mask 25
[FW]ip address-set oa
[FW-object-address-set-oa]address 10.0.0.1 mask 32
[FW]time-range work
[FW-time-range-work]period-range 08:00:00 to 18:00:00 working-day
[FW]security-policy
[FW-policy-security]rule name polic1
[FW-policy-security-rule-polic1]description bg_to_oa
[FW-policy-security-rule-polic1]source-zone trust
[FW-policy-security-rule-polic1]destination-zone dmz
[FW-policy-security-rule-polic1]source-address address-set bg
[FW-policy-security-rule-polic1]destination-address address-set oa
[FW-policy-security-rule-polic1]time-range work
[FW-policy-security-rule-polic1]action permit
办公区pc可以任意时刻访问web区
[FW]ip address-set web
[FW-object-address-set-web]address 10.0.0.2 mask 32
[FW]security-policy
[FW-policy-security]rule name polic2
[FW-policy-security-rule-polic2]description bg_to_web
[FW-policy-security-rule-polic2]source-zone trust
[FW-policy-security-rule-polic2]destination-zone dmz
[FW-policy-security-rule-polic2]source-address address-set bg
[FW-policy-security-rule-polic2]destination-address address-set web
[FW-policy-security-rule-polic2]action permit
生产区pc可以任意时刻访问oa,但是不能访问web
[FW]ip address-set sc
[FW-object-address-set-sc]address 192.168.1.128 mask 25
[FW]security-policy
[FW-policy-security]rule name polic3
[FW-policy-security-rule-polic3]description sc_to_oa
[FW-policy-security-rule-polic3]source-zone trust
[FW-policy-security-rule-polic3]destination-zone dmz
[FW-policy-security-rule-polic3]source-address address-set sc
[FW-policy-security-rule-polic3]destination-address address-set oa
10.0.0.1 32)
[FW-policy-security-rule-polic3]action permit
生产区pc可以在每周一早10-11访问web,用来更新企业最新产品信息
[FW]time-range update
[FW-time-range-update]period-range 10:00:00 to 11:00:00 Mon
[FW]security-policy
[FW-policy-security]rule name polic4
[FW-policy-security-rule-polic4]description sc_to_web
[FW-policy-security-rule-polic4]source-zone trust
[FW-policy-security-rule-polic4]destination-zone dmz
[FW-policy-security-rule-polic4]source-address address-set sc
[FW-policy-security-rule-polic4]destination-address address-set web
[FW-policy-security-rule-polic4]time-range update
[FW-policy-security-rule-polic4]action permit
五、结果测试
1.办公区PC访问OA Server
工作时间:成功
其他时间:失败
2.办公区PC访问Web Server
任意时间:成功
3.生产区PC访问OA Server
任意时间:成功
4.生产区PC访问Web Server
周一早10-11:成功
其他时间:失败
查看会话表和server-map表
![[权限提升] Windows 提权 — 系统内核溢出漏洞提权](https://i-blog.csdnimg.cn/direct/8991ae1c32574f218c559f8f1dccde04.jpeg)
![[免费]基于Python的Django博客系统【论文+源码+SQL脚本】](https://i-blog.csdnimg.cn/direct/6e930f3dde3c4f2bb9cf4501c8642e1c.jpeg)
