
Separate the production network and office network by doing some configuration on ME60

Publication Date:  2014-01-03 Views:  53 Downloads:  0
Issue Description
Version: V600R002C02SPC700
Networking: the production network (the red line) and the office network (the green line) are both connected to the ME60.

Symptom: after using the ACL method to separate the production network and office network, a user on the production network can reach only the production servers and can no longer reach office applications such as email and eSpace.
Alarm Information
NULL
Handling Process
How to separate the production network and office network? The steps are shown below.

1. Create a new user group named "production".

2. Create ACL 6004 and ACL 6005 for domain access control. ACL 6004 holds the whitelist: the IP addresses that production users are allowed to reach. ACL 6005 matches all remaining traffic from the production user group.

     acl number 6004
      description Permit_Group_for_production
      rule XX permit ip source user-group production destination ip-address X.X.X.X X
      ……
     acl number 6005
      description other_Group_for_production
      rule 5 permit ip source user-group production

3. Define the traffic classifiers and behaviors, bind them in a traffic policy, and apply the policy. Classifiers are matched in the order they are bound to the policy, so the whitelist classifier (ACL 6004) must be bound before the catch-all classifier (ACL 6005). Each behavior needs its filtering action: a traffic behavior with no action permits packets by default, so the "deny" behavior must contain the deny action to actually discard traffic.

     traffic classifier permitacl operator or
      if-match acl 6004
     traffic classifier denyacl operator or
      if-match acl 6005

     traffic behavior permit
      permit
     traffic behavior deny
      deny

     traffic policy global
      classifier permitacl behavior permit
      classifier denyacl behavior deny

     traffic-policy global inbound
     traffic-policy global outbound

4. Bind the user group to the production domain.

     domain c63f1-5-a
      user-group production
      ……

done!
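The policy above relies on two things: the whitelist classifier being matched before the catch-all classifier, and traffic that matches no classifier being forwarded untouched (office users are not in the "production" user group, so the policy never acts on them). The following Python model of that evaluation is an added example and is not part of the original case or of Huawei's software; the user-group names and ACL numbers come from the case, while the server addresses are constructed stand-ins for the X.X.X.X entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UclRule:
    """One 'rule permit ip source user-group ... [destination ...]' line."""
    user_group: str
    destination: Optional[ipaddress.IPv4Network] = None  # None = any destination


@dataclass
class Acl:
    number: int
    description: str
    rules: List[UclRule]

    def matches(self, user_group: str, dst: ipaddress.IPv4Address) -> bool:
        """True if any rule in the ACL matches this user group and destination."""
        return any(
            r.user_group == user_group
            and (r.destination is None or dst in r.destination)
            for r in self.rules
        )


# Constructed sample whitelist standing in for the X.X.X.X entries of ACL 6004.
PRODUCTION_SERVERS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.10.1.7/32"),
]

ACL_6004 = Acl(6004, "Permit_Group_for_production",
               [UclRule("production", net) for net in PRODUCTION_SERVERS])
ACL_6005 = Acl(6005, "other_Group_for_production", [UclRule("production")])

# traffic policy global: (classifier name, ACL it matches, behavior), in bind order.
Policy = List[Tuple[str, Acl, str]]
POLICY: Policy = [
    ("permitacl", ACL_6004, "permit"),
    ("denyacl", ACL_6005, "deny"),
]


def evaluate(policy: Policy, user_group: str, dst_ip: str) -> str:
    """Return the action the policy takes on a packet from user_group to dst_ip.

    The first classifier whose ACL matches wins. If nothing matches, the policy
    takes no action and the packet is forwarded normally ("forward").
    """
    dst = ipaddress.ip_address(dst_ip)
    for _classifier, acl, behavior in policy:
        if acl.matches(user_group, dst):
            return behavior
    return "forward"


def separation_report(policy: Policy) -> dict:
    """Evaluate a few representative flows (constructed) against the policy."""
    flows = {
        "production -> production server": ("production", "10.10.0.5"),
        "production -> office mail server": ("production", "192.168.50.10"),
        "office -> production server": ("office", "10.10.0.5"),
    }
    return {name: evaluate(policy, ug, ip) for name, (ug, ip) in flows.items()}


if __name__ == "__main__":
    for name, action in separation_report(POLICY).items():
        print(f"{name}: {action}")
    # Binding the catch-all classifier first would discard even whitelisted traffic.
    print("reversed order, production -> production server:",
          evaluate(list(reversed(POLICY)), "production", "10.10.0.5"))
```

The last line of the script shows the failure mode a practitioner should check for after configuring the policy: if "denyacl" is bound before "permitacl", ACL 6005 matches every packet from the production group and the whitelist never takes effect.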


Root Cause
The office network is easily infected by viruses arriving through email or other office applications. If the production network and the office network can reach each other, a virus from the office network can spread to the production network, which may lead to a big loss.
Suggestions
Separate the production network and office network with the ACL method described above.
