Networking: The production network (the red line) and the office network (the green line) are both connected to the ME60.
Symptom: After ACLs were used to separate the production network from the office network, users on the production network can reach only the production servers and can no longer reach office applications such as email and eSpace.
How to separate the production network from the office network is shown below.
1. Create a new user group named production (user-group production).
2. Create ACL 6004 and ACL 6005 for domain access control.
   Put the whitelist into ACL 6004. The whitelist consists of the IP addresses that production users are allowed to reach (the office applications they still need, such as the email and eSpace servers). ACL 6005 matches all remaining traffic sourced from the production user group.
   acl number 6004
    rule XX permit ip source user-group production destination ip-address X.X.X.X X
   acl number 6005
    rule 5 permit ip source user-group production
3. Define the traffic classifiers and behaviours, and apply the policy globally. The permit classifier must be listed before the deny classifier, because the first matching classifier decides; the behaviour named deny must carry the deny action, otherwise it forwards traffic.
   traffic classifier permitacl operator or
    if-match acl 6004
   traffic classifier denyacl operator or
    if-match acl 6005
   traffic behavior permit
    permit
   traffic behavior deny
    deny
   traffic policy global
    classifier permitacl behavior permit
    classifier denyacl behavior deny
   traffic-policy global inbound
   traffic-policy global outbound
4. Modify the user group in the production domain: in the AAA domain view of the production domain, set the user group to production, so that users who go online through that domain are members of the group matched by ACL 6004 and ACL 6005.
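To check the policy logic before applying it on the ME60, the following Python model (an added example, not Huawei code or configuration from this page) evaluates the user-group UCL rules with Huawei wildcard semantics and the ordered classifier list of the global traffic policy. The server addresses are constructed placeholders, since the page only shows X.X.X.X.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (the page only shows X.X.X.X placeholders).
MAIL_SERVER = "10.10.1.20"       # assumed office email server
ESPACE_SERVER = "10.10.1.21"     # assumed eSpace server
PRODUCTION_NET = "10.20.0.0"     # assumed production server network, wildcard 0.0.255.255

@dataclass
class Rule:
    """One UCL rule: rule N permit ip source user-group G [destination ip-address A W]."""
    user_group: str
    dest: Optional[str] = None   # "address wildcard" as typed on the ME60; None = any

    def matches(self, src_group: str, dst_ip: str) -> bool:
        if src_group != self.user_group:
            return False
        if self.dest is None:
            return True
        addr, wildcard = self.dest.split()
        # Huawei wildcard mask: 0 bits must match, 1 bits are ignored ("0" = 0.0.0.0)
        w = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
        care = ~w & 0xFFFFFFFF
        a = int(ipaddress.IPv4Address(addr)) & care
        d = int(ipaddress.IPv4Address(dst_ip)) & care
        return a == d

# acl number 6004: whitelist of destinations production users may reach
ACL_6004 = [Rule("production", f"{MAIL_SERVER} 0"),
            Rule("production", f"{ESPACE_SERVER} 0"),
            Rule("production", f"{PRODUCTION_NET} 0.0.255.255")]
# acl number 6005: every other packet sourced from the production user group
ACL_6005 = [Rule("production")]

def acl_matches(acl: List[Rule], src_group: str, dst_ip: str) -> bool:
    return any(r.matches(src_group, dst_ip) for r in acl)

def evaluate_policy(policy: List[Tuple[List[Rule], str]], src_group: str, dst_ip: str) -> str:
    """policy is the ordered 'classifier ... behavior ...' list; first match decides, no match forwards."""
    for acl, behavior in policy:
        if acl_matches(acl, src_group, dst_ip):
            return behavior
    return "permit"

# Order as configured on the page: permitacl first, then denyacl
POLICY_OK = [(ACL_6004, "permit"), (ACL_6005, "deny")]
# Misordered: the catch-all deny is checked first, so the whitelist is never reached
POLICY_MISORDERED = [(ACL_6005, "deny"), (ACL_6004, "permit")]
```

Users outside the production group never match either ACL, so the policy leaves office traffic untouched; swapping the two classifier lines blocks even the whitelisted servers.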
As is well known, the office network is easily infected by viruses, through email or other office applications. If the production network and the office network can reach each other freely, a virus from the office network can spread to the production network, which may cause a serious loss.
Using the ACL method above separates the production network from the office network while still allowing production users to reach the whitelisted office applications.