Set the priority of HR to 12
Set the priority of SALES to 10
Set the priority of IT to 8
Set the priority of Server1 and Server2 (the trust zone) to 14
Traffic from a lower-priority zone to a higher-priority zone is inbound; higher to lower is outbound
1. PC1 and PC2 must not be able to reach each other
  Enable the firewall between HR and SALES
  The firewall mechanism lets a higher-priority zone access a lower-priority one by default
  SALES therefore cannot reach HR anyway; what has to be filtered is the high-to-low traffic (HR to SALES, the outbound direction)
2. SALES may access WEB but must not access FTP
  Enable the firewall between SALES and trust
  Write the policy as an ACL
  Test
3. IT may access WEB and FTP, and must also be able to ping them
  Enable the firewall between IT and trust
  Write the policy
4. Only VLANIF 1 may log in to R1 remotely
  On SW1, create VLANIF 1 with address 192.168.1.1
  On R1, match the source address with an ACL
  On R1, apply it to the VTY user interface
R1 configuration:
acl number 2000
 rule 5 permit source 192.168.1.1 0
#
acl number 3000
 step 10
 rule 10 deny ip source 172.16.1.1 0 destination 172.16.2.1 0
#
acl number 3001
 rule 5 permit tcp source 172.16.2.1 0 destination 192.168.1.30 0 destination-port eq www
#
acl number 3003
 step 10
 rule 10 permit tcp source 172.16.3.1 0 destination 192.168.1.30 0 destination-port eq www
 rule 20 permit tcp source 172.16.3.1 0 destination 192.168.1.10 0 destination-port eq ftp
 rule 30 permit icmp source 172.16.3.1 0 destination 192.168.1.30 0
 rule 40 permit icmp source 172.16.3.1 0 destination 192.168.1.10 0
#
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone HR
 priority 12
firewall zone SALES
 priority 10
firewall zone IT
 priority 8
firewall zone trust
 priority 14
firewall zone Local
 priority 15
#
firewall interzone HR SALES
 firewall enable
 packet-filter 3000 outbound
#
firewall interzone trust SALES
 firewall enable
 packet-filter 3001 inbound
#
firewall interzone trust IT
 firewall enable
 packet-filter 3003 inbound
#
interface GigabitEthernet0/0/0
 ip address 172.16.1.254 255.255.255.0
 zone HR
#
interface GigabitEthernet0/0/1
 ip address 172.16.2.254 255.255.255.0
 zone SALES
#
interface GigabitEthernet0/0/2
 ip address 172.16.3.254 255.255.255.0
 zone IT
#
interface GigabitEthernet4/0/0
 ip address 192.168.1.254 255.255.255.0
 zone trust
#
(the following three lines are entered in the VTY user-interface view; the page does not show the user-interface header line itself)
 acl 2000 inbound
 authentication-mode password
 set authentication password cipher %$%$gSo>0MkMp*n7vgDE^%t&,.-CYH!pUuUEo'(DFv*h
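The following is an added worked example, not part of the lab write-up and not Huawei's own code. It models, in Python, the policy expressed by the R1 configuration above so that each of the four requirements can be checked offline before testing on the device: the zone priorities decide whether a flow is inbound or outbound, the interzone packet-filter for that direction selects an ACL, and the ACL is evaluated top-down with Huawei wildcard masks (0 bit = must match, 1 bit = don't care). Two behaviours are assumptions made for the model rather than facts stated on the page: a packet that matches no rule of an applied ACL is denied (the lab relies on this, e.g. FTP from SALES with only a www permit rule), and a direction with firewall enabled but no packet-filter follows the page's default rule (higher priority may initiate, lower may not). The model also assumes WEB is 192.168.1.30 and FTP is 192.168.1.10, as addressed in ACLs 3001 and 3003. Zone pairs with no interzone configured are modelled as plain routing (permit).

```python
import ipaddress

# Zone priorities and interface subnets from R1's configuration.
ZONE_PRIORITY = {"HR": 12, "SALES": 10, "IT": 8, "trust": 14, "Local": 15}
ZONE_SUBNET = {
    "HR": ipaddress.ip_network("172.16.1.0/24"),
    "SALES": ipaddress.ip_network("172.16.2.0/24"),
    "IT": ipaddress.ip_network("172.16.3.0/24"),
    "trust": ipaddress.ip_network("192.168.1.0/24"),
}

# ACL rules transcribed from the page, in rule-number order:
# (action, protocol, source, source-wildcard, destination, destination-wildcard, dst port).
# Basic ACL 2000 matches on source only, so protocol and destination are None.
ACLS = {
    2000: [("permit", None, "192.168.1.1", "0.0.0.0", None, None, None)],
    3000: [("deny", "ip", "172.16.1.1", "0.0.0.0", "172.16.2.1", "0.0.0.0", None)],
    3001: [("permit", "tcp", "172.16.2.1", "0.0.0.0", "192.168.1.30", "0.0.0.0", 80)],
    3003: [
        ("permit", "tcp", "172.16.3.1", "0.0.0.0", "192.168.1.30", "0.0.0.0", 80),
        ("permit", "tcp", "172.16.3.1", "0.0.0.0", "192.168.1.10", "0.0.0.0", 21),
        ("permit", "icmp", "172.16.3.1", "0.0.0.0", "192.168.1.30", "0.0.0.0", None),
        ("permit", "icmp", "172.16.3.1", "0.0.0.0", "192.168.1.10", "0.0.0.0", None),
    ],
}

# Interzone packet-filters as configured: zone pair -> (ACL number, direction).
INTERZONE = {
    frozenset({"HR", "SALES"}): (3000, "outbound"),
    frozenset({"trust", "SALES"}): (3001, "inbound"),
    frozenset({"trust", "IT"}): (3003, "inbound"),
}


def wildcard_match(addr, rule_addr, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    r = int(ipaddress.ip_address(rule_addr))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ r) & ~w & 0xFFFFFFFF) == 0


def acl_lookup(acl_number, proto, src, dst=None, dport=None):
    """First matching rule wins; a packet matching no rule is denied (assumption, see lead-in)."""
    for action, r_proto, r_src, r_sw, r_dst, r_dw, r_port in ACLS[acl_number]:
        if r_proto not in (None, "ip") and r_proto != proto:
            continue
        if not wildcard_match(src, r_src, r_sw):
            continue
        if r_dst is not None and not wildcard_match(dst, r_dst, r_dw):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONE_SUBNET.items():
        if ip in net:
            return zone
    raise ValueError(f"{addr} is not in any configured zone")


def direction(src_zone, dst_zone):
    """Page rule: lower priority -> higher priority is inbound, higher -> lower is outbound."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


def interzone_verdict(proto, src, dst, dport=None):
    """Verdict for the first packet of a flow crossing R1 between two zones."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "permit"  # same zone: no interzone policy applies
    flow_dir = direction(src_zone, dst_zone)
    packet_filter = INTERZONE.get(frozenset({src_zone, dst_zone}))
    if packet_filter is None:
        return "permit"  # assumption: no firewall between these zones, plain routing
    acl_number, pf_dir = packet_filter
    if pf_dir != flow_dir:
        # Firewall enabled but no packet-filter in this direction: the page's default
        # policy applies (higher-priority zone may initiate, lower-priority may not).
        return "permit" if flow_dir == "outbound" else "deny"
    return acl_lookup(acl_number, proto, src, dst, dport)


def vty_login_allowed(src):
    """ACL 2000 inbound on the VTY lines: only 192.168.1.1 (VLANIF 1 on SW1) may log in."""
    return acl_lookup(2000, None, src) == "permit"


if __name__ == "__main__":
    # Walk through the lab's four requirements with constructed sample flows.
    checks = [
        ("1. PC1 -> PC2", interzone_verdict("ip", "172.16.1.1", "172.16.2.1"), "deny"),
        ("2. SALES -> WEB:80", interzone_verdict("tcp", "172.16.2.1", "192.168.1.30", 80), "permit"),
        ("2. SALES -> FTP:21", interzone_verdict("tcp", "172.16.2.1", "192.168.1.10", 21), "deny"),
        ("3. IT -> FTP:21", interzone_verdict("tcp", "172.16.3.1", "192.168.1.10", 21), "permit"),
        ("3. IT ping WEB", interzone_verdict("icmp", "172.16.3.1", "192.168.1.30"), "permit"),
        ("4. VTY from 192.168.1.1", "permit" if vty_login_allowed("192.168.1.1") else "deny", "permit"),
        ("4. VTY from WEB", "permit" if vty_login_allowed("192.168.1.30") else "deny", "deny"),
    ]
    for label, got, want in checks:
        print(f"{label:28s} {got:6s} {'OK' if got == want else 'MISMATCH'}")
```

Running the block prints one line per requirement; a MISMATCH line would mean the transcribed ACL or packet-filter direction does not implement the requirement, which is the same mistake that shows up on the real device as a ping or telnet test failing in step "Test". Note that SALES pinging WEB is denied by this model, because ACL 3001 permits only TCP port 80 and the lab does not ask for ICMP from SALES.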