CLI: Example for Configuring Quota Management for Enterprise Employees

This section describes how to implement quota management when the FW functions as a security gateway on the intranet border.

Networking Requirements

As shown in Figure 1, an enterprise deploys the FW on the intranet border as an egress gateway and purchases from a carrier a monthly traffic package of 500 GB, targeted at small- and medium-sized enterprises, to enable intranet users to access the Internet. Traffic that exceeds the package is settled separately. To reduce costs, enterprise managers consider assigning a fixed traffic quota to each employee. In addition, they intend to control employees' Internet access duration to boost productivity.

In short, the managers hope to use the quota control policy function of the FW to meet the following requirements:

  • There are altogether 40 employees, including 10 managers and 30 common employees. Each manager is assigned a monthly traffic quota of 20 GB, and each common employee a monthly traffic quota of 10 GB.
  • For common employees, the daily Internet access duration cannot exceed four hours, and the daily traffic cannot exceed 500 MB.
  • Once a common employee exceeds one of these thresholds, all of that employee's Internet access requests are blocked. For managers, once the threshold is exceeded, their maximum bandwidth is limited to 800 Kbit/s.

Figure 1 Implementing quota management for enterprise employees

Data Planning

Assume that the user in this example already exists on the FW, and the authentication configuration is complete.

| Quota Data | Manager | Common Employee |
|---|---|---|
| Daily traffic quota | - | 500 MB |
| Daily Internet access duration | - | 240 minutes |
| Monthly traffic quota | 20000 MB | 10000 MB |
| Start date for monthly traffic statistics collection | First day of each month | First day of each month |
| Maximum bandwidth limit after the quota is exceeded | 800 Kbit/s | 0 |

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.
    1. Set an IP address for interface GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for interface GigabitEthernet 0/0/3 and add the interface to the trust zone.

      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

  2. Configure a quota control profile for common employees.

    [FW] quota-policy
    [FW-policy-quota] profile quota_employee
    [FW-policy-quota-profile-quota_employee] stream-daily 500
    [FW-policy-quota-profile-quota_employee] stream-monthly 10000
    [FW-policy-quota-profile-quota_employee] stream-monthly start-date 1
    [FW-policy-quota-profile-quota_employee] time-daily 240
    [FW-policy-quota-profile-quota_employee] limit-bandwidth 0
    [FW-policy-quota-profile-quota_employee] quit

  3. Configure a quota control policy for common employees.

    [FW-policy-quota] rule name quota_employee
    [FW-policy-quota-rule-quota_employee] user user-group /default/employee
    [FW-policy-quota-rule-quota_employee] action quota profile quota_employee
    [FW-policy-quota-rule-quota_employee] quit

  4. Configure a quota control profile for management personnel.

    [FW-policy-quota] profile quota_manager
    [FW-policy-quota-profile-quota_manager] stream-monthly 20000
    [FW-policy-quota-profile-quota_manager] stream-monthly start-date 1
    [FW-policy-quota-profile-quota_manager] limit-bandwidth 800
    [FW-policy-quota-profile-quota_manager] quit

  5. Configure a quota control policy for management personnel.

    [FW-policy-quota] rule name quota_manager
    [FW-policy-quota-rule-quota_manager] user user-group /default/manager
    [FW-policy-quota-rule-quota_manager] action quota profile quota_manager
    [FW-policy-quota-rule-quota_manager] quit

Verification

  • For common employees, network access is blocked once any of the following conditions is met:

    • The daily Internet access traffic exceeds 500 MB.
    • The daily Internet access duration exceeds 240 minutes.
    • The monthly Internet access traffic exceeds 10 GB.
  • For managers, after their monthly Internet access traffic exceeds 20 GB, their maximum bandwidth is limited to 800 Kbit/s.

Configuration Scripts

#
 sysname FW
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
quota-policy                                     
 profile quota_employee                                
  stream-monthly 10000                      
  stream-daily 500                    
  time-daily 240       
 profile quota_manager        
  stream-monthly 20000                 
  limit-bandwidth 800                  
 rule name quota_employee              
  user user-group /default/employee               
  action quota profile quota_employee  
 rule name quota_manager               
  user user-group /default/manager                
  action quota profile quota_manager
#
return
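
The following audit script is an added example, not part of the original page or of Huawei's tooling. It parses the quota-policy section of the script above, resolves each rule to its profile, and compares the monthly quota committed across all users with the 500 GB package. The helper names, the headcount mapping and the 500 GB = 500000 MB conversion are assumptions taken from the requirements and data plan on this page.

```python
import re
# Added example; helper names are hypothetical. Input: quota section of the page's script.
CONFIG = """\
quota-policy
 profile quota_employee
  stream-monthly 10000
  stream-daily 500
  time-daily 240
 profile quota_manager
  stream-monthly 20000
  limit-bandwidth 800
 rule name quota_employee
  user user-group /default/employee
  action quota profile quota_employee
 rule name quota_manager
  user user-group /default/manager
  action quota profile quota_manager
"""
# Page requirements: 10 managers, 30 employees; 500 GB taken as 500000 MB (assumed).
HEADCOUNT, PACKAGE_MB = {"/default/manager": 10, "/default/employee": 30}, 500000

def parse_quota_policy(text):
    """Return (profiles, rules) dicts parsed from a quota-policy block."""
    profiles, rules, cur = {}, {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(profile|rule name) (\S+)", line):
            cur = (profiles if m[1] == "profile" else rules).setdefault(m[2], {})
        elif m := re.fullmatch(r"(stream-\w+|time-daily|limit-bandwidth) (\d+)", line):
            cur[m[1]] = int(m[2])  # numeric limit, e.g. stream-monthly 10000
        elif m := re.fullmatch(r"user user-group (\S+)", line):
            cur["group"] = m[1]
        elif m := re.fullmatch(r"action quota profile (\S+)", line):
            cur["profile"] = m[1]
    return profiles, rules

def audit(text, headcount=HEADCOUNT, package_mb=PACKAGE_MB):
    """Return (monthly MB committed across all users, list of findings)."""
    profiles, rules = parse_quota_policy(text)
    committed, findings = 0, []
    for name, rule in rules.items():
        prof = profiles.get(rule.get("profile"), {})
        if "stream-monthly" not in prof:  # undefined profile or no monthly cap
            findings.append(f"rule {name}: no monthly quota applies")
        committed += prof.get("stream-monthly", 0) * headcount.get(rule.get("group"), 0)
        if prof.get("limit-bandwidth", 0) > 0:  # throttled, not blocked
            findings.append(f"rule {name}: soft cap, traffic continues past quota")
    if committed > package_mb:
        findings.append(f"quotas total {committed} MB, package is {package_mb} MB")
    return committed, findings
```

With the page's numbers the quotas total exactly 500000 MB, so the only finding is that managers are throttled rather than blocked and can still push monthly usage past the package.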
Copyright © Huawei Technologies Co., Ltd.