Security Policy Configuration Lab
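1. Topology
2. Requirements
2. Office-area PCs can access the OA server during working hours (Monday to Friday, 8:00 to 18:00); access is not allowed at other times.
3. Office-area PCs can access the web server at any time.
4. Production-area PCs can access the OA server at any time, but cannot access the web server.
5. Exception: production-area PC3 can access the web server every Monday from 10:00 to 11:00, to update the company's latest product information.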
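The requirements above depend on rule order as well as on time ranges: PC3 is also a production-area PC, so its Monday exception only takes effect if it is matched before the production-area deny. The following Python model is an added example, not part of the original lab and not firewall configuration; the host names, rule names and the exclusive end-of-window handling are assumptions made for illustration.

```python
from datetime import datetime, time

WORKDAYS = {0, 1, 2, 3, 4}   # datetime.weekday(): Monday=0 ... Sunday=6
ALWAYS = None

# Hypothetical host names and the groups they belong to (assumed, not from the lab).
MEMBERSHIP = {
    "office_pc": {"office"},
    "prod_pc": {"production"},
    "pc3": {"production", "pc3"},   # PC3 is also a production-area PC
}

# Ordered rule table, first match wins: (name, source, destination, schedule, action).
# A schedule is (weekdays, start, end) or ALWAYS.
RULES = [
    ("office_to_oa", "office", "oa", (WORKDAYS, time(8), time(18)), "permit"),
    ("office_to_web", "office", "web", ALWAYS, "permit"),
    ("prod_to_oa", "production", "oa", ALWAYS, "permit"),
    ("pc3_to_web", "pc3", "web", ({0}, time(10), time(11)), "permit"),
    ("prod_to_web", "production", "web", ALWAYS, "deny"),
]

# Same rules with the production deny moved above the PC3 exception.
MISORDERED = RULES[:3] + [RULES[4], RULES[3]]


def in_schedule(schedule, when):
    """True if `when` falls inside the schedule (end time treated as exclusive)."""
    if schedule is ALWAYS:
        return True
    days, start, end = schedule
    return when.weekday() in days and start <= when.time() < end


def evaluate(rules, host, dest, when):
    """Return (action, rule_name) for the first matching rule, else default deny."""
    for name, src, dst, schedule, action in rules:
        if src in MEMBERSHIP[host] and dst == dest and in_schedule(schedule, when):
            return action, name
    return "deny", "default"


if __name__ == "__main__":
    monday_1030 = datetime(2025, 1, 20, 10, 30)   # constructed sample time, a Monday
    print(evaluate(RULES, "pc3", "web", monday_1030))
    print(evaluate(MISORDERED, "pc3", "web", monday_1030))
```

Running the same checks against the real firewall at the boundary times (just before and after each window) confirms that the deployed rule order matches the intended one.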
3. Configuration
Firewall
Configure VLANs
[SW2]int e0/0/2
[SW2-Ethernet0/0/2]port link-type access
[SW2-Ethernet0/0/2]port default vlan 2
[SW2-Ethernet0/0/2]int e0/0/3
[SW2-Ethernet0/0/3]port link-type access
[SW2-Ethernet0/0/3]port default vlan 3
[SW2-Ethernet0/0/3]int e0/0/4
[SW2-Ethernet0/0/4]port link-type access
[SW2-Ethernet0/0/4]port default vlan 3
[SW2-Ethernet0/0/4]int e 0/0/1
[SW2-Ethernet0/0/1]port link-type trunk
[SW2-Ethernet0/0/1]port trunk allow vlan all
Configure IP addresses
Left interface
Subinterfaces of the right interface