LAN1 port separation feature

This feature physically blocks communication between the separated ports of the RTX1200's LAN1 (an 8-port switching hub), while policy filter settings keep each terminal's communication toward the WAN working.

It increases the independence of each terminal on LAN1 and improves security inside the LAN (for example, it prevents viruses from spreading from one terminal to another).

Overall structure

The LAN1 ports are separated.

Terminals connected to ports 1 to 7 of LAN1 can access only the company intranet, and communication between those LAN1 ports is allowed. The terminal connected to port 8 of LAN1 can access only the Internet and cannot communicate with any of the other LAN1 ports. Communication toward the WAN is preserved while communication between the LAN1 ports is blocked.

RTX1200 configuration example

Only the configuration section shown below can be exported.


Routing
    ip route default gateway (gateway address provided by the ISP)

IP filter settings
    ip filter source-route on
    ip filter directed-broadcast on

Port separation feature
    lan type lan1 port-based-option=split-into-1234567:8

LAN port IP addresses
    ip lan1 address 172.16.1.254/24
    ip lan2 address 172.16.10.1/24

WAN interface (connection to the ISP)
    ip lan3 address (IP address provided by the ISP)
    ip lan3 intrusion detection in on
    ip lan3 nat descriptor 1

NAT
    nat descriptor type 1 masquerade
    nat descriptor address outer 1 primary
    nat descriptor address inner 1 172.16.1.101-172.16.1.254

Inbound filters
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 172.16.1.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    ip lan3 inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008

DHCP
    dhcp service server
    dhcp server rfc2131 compliant except remain-silent
    dhcp scope 1 172.16.1.1-172.16.1.100/24

DNS
    dns server (DNS server address provided by the ISP)
    dns private address spoof on

Policy filters
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 172.16.1.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1 pass-nolog * lan2 172.16.1.2-172.16.1.100 * *
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 172.16.1.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 2300 reject-nolog tunnel* * * * *
    ip policy filter 2330 pass-nolog * tunnel* * * *
    ip policy filter 2340 pass-nolog * local * * *
    ip policy filter 2350 pass-nolog * lan1 * * *
    ip policy filter 2370 reject-nolog * lan3 * * *
    ip policy filter 2400 pass-nolog local * * * *
    ip policy filter 2410 static-pass-nolog * lan1 * * *
    ip policy filter 2440 static-pass-nolog * lan3 * * 104
    ip policy filter 2700 pass-nolog * lan3 172.16.1.101-172.16.1.253 * *
    ip policy filter 2750 reject-nolog lan3 * * * *
    ip policy filter 2760 static-pass-nolog * local * * 104
    ip policy filter 2770 pass-log * lan1 * * 101
    ip policy filter 3000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 2700 1 1130] 2750 [2770 2760] 2300 [2340 2350 2370 2330] 2400 [2410 2440] 3000
    ip policy filter set enable 101
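To check how the inbound filter list on lan3 treats a given WAN-side packet before committing the configuration, here is an added Python model (example code, not Yamaha's and not part of the original page). It assumes first-match semantics for the filter list, maps the netbios_ns/netbios_ssn aliases to ports 137 to 139, and treats a packet that matches no rule as rejected.

```python
import ipaddress
# Added model of the page's "ip inbound filter" list (not Yamaha code): rules are
# tried in list order and the first match decides (assumed first-match semantics).
# Assumed ports for the Yamaha service aliases that the page uses.
NAMED_PORTS = {"netbios_ns": 137, "netbios_dgm": 138, "netbios_ssn": 139}
# Copied from the page: ip inbound filter <num> <action> <src> <dst> <proto> <sport> <dport>
INBOUND_FILTERS = """
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 172.16.1.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
"""

def port_range(spec):
    """'*' -> None (any port); '445' -> (445, 445); 'netbios_ns-netbios_ssn' -> (137, 139)."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    return int(NAMED_PORTS.get(lo, lo)), int(NAMED_PORTS.get(hi, hi))

def parse_filters(text):
    rules = []
    for line in text.strip().splitlines():
        num, action, src, dst, proto, sport, dport = line.split()[3:10]
        rules.append({
            "num": int(num), "action": action,
            "src": None if src == "*" else ipaddress.ip_network(src, strict=False),
            "dst": None if dst == "*" else ipaddress.ip_network(dst, strict=False),
            "proto": None if proto == "*" else set(proto.split(",")),
            "sport": port_range(sport), "dport": port_range(dport),
        })
    return rules

def _in_range(rng, port):
    # A wildcard range matches anything; a concrete range needs a real port number.
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def evaluate(rules, src, dst, proto, sport=None, dport=None):
    """Return (action, rule number) of the first matching rule; no match -> implicit reject."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if ((r["src"] is None or s in r["src"]) and (r["dst"] is None or d in r["dst"])
                and (r["proto"] is None or proto in r["proto"])
                and _in_range(r["sport"], sport) and _in_range(r["dport"], dport)):
            return r["action"], r["num"]
    return "reject", None  # assumed default when nothing in the list matches
RULES = parse_filters(INBOUND_FILTERS)
```

Rule 1007 is the anti-spoofing entry: a packet arriving on the WAN side that claims a 172.16.1.0/24 source address is dropped before the catch-all pass in 1008.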
