If the gateway sits on the core device, can access still be controlled by MAC address?
All office segments are gatewayed on the Layer 3 switch; can the firewall still apply MAC-based control?
Steps and approach using the normal configuration mode
(1) The configuration idea is the same as above.
(2) The difference is that all gateways are configured on the Layer 3 switch, so the Layer 3 switch needs an interconnect with the firewall.
(3) The Layer 3 switch must have its VLANs created and a default route written; the firewall needs return routes.
Once this is done, testing will show that the MAC-based security policy no longer takes effect. This is because when a packet crosses a Layer 3 device, its source MAC is rewritten to the MAC of that device's outbound interface; that is how basic IP forwarding works.
(4) Configure cross-Layer-3 MAC identification so the firewall obtains the correct ARP entries from the switch (SNMP must be enabled on the Layer 3 switch, and the firewall must be given the switch's address and the correct community name). Also remember to permit the firewall's local-to-any traffic, otherwise synchronization will fail.
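As an added illustration (not code from the original post or from the firewall vendor), a short Python script mimics what cross-Layer-3 MAC identification does: it parses a constructed snmpwalk of the switch's ipNetToMediaPhysAddress column (1.3.6.1.2.1.4.22.1.2) into an IP-to-MAC map, then shows why a MAC rule fails when checked against the frame's own source MAC but matches once the synced ARP table is consulted. The walk output, the switch uplink MAC and the function names are assumptions.

```python
"""Model of MAC-rule matching on a firewall with and without SNMP ARP sync."""
import re

# Constructed sample of an snmpwalk over ipNetToMediaPhysAddress on the core
# switch. The OID index is <ifIndex>.<ip>; the value is the MAC as a hex string.
SNMP_WALK = """\
iso.3.6.1.2.1.4.22.1.2.101.192.168.101.249 = Hex-STRING: 54 89 98 64 0D 2C
iso.3.6.1.2.1.4.22.1.2.102.192.168.102.250 = Hex-STRING: 54 89 98 AA BB CC
iso.3.6.1.2.1.4.22.1.2.250.192.168.250.2 = Hex-STRING: 00 E0 FC 12 34 56
"""

# Constructed: MAC of the switch interface facing the firewall. After the L3
# hop every frame the firewall receives carries this as its source MAC.
SWITCH_UPLINK_MAC = "00e0-fc00-0001"

ARP_RE = re.compile(
    r"4\.22\.1\.2\.\d+\.(\d+\.\d+\.\d+\.\d+) = Hex-STRING: ([0-9A-Fa-f ]+)$"
)


def huawei_mac(hex_bytes):
    """Convert 'AA BB CC DD EE FF' to the xxxx-xxxx-xxxx form used in address-sets."""
    h = "".join(hex_bytes.split()).lower()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_arp_walk(text):
    """Build the IP -> MAC map the firewall would hold after an ARP sync."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line.strip())
        if m:
            table[m.group(1)] = huawei_mac(m.group(2))
    return table


def frame_from_switch(src_ip):
    """What the firewall actually sees for a host behind the Layer 3 switch."""
    return {"src_ip": src_ip, "src_mac": SWITCH_UPLINK_MAC}


def matches_mac_rule(frame, rule_mac, arp_table=None):
    """Without ARP sync the frame's MAC (the switch's) is compared; with it,
    the real MAC is looked up by the frame's source IP."""
    if arp_table is None:
        return frame["src_mac"] == rule_mac
    return arp_table.get(frame["src_ip"]) == rule_mac
```

Run against the BOSS_server MAC from the address-set above, the rule only matches once the synced table is supplied; a host whose IP is not in the switch's ARP table never matches.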
Layer 3 switch configuration
#
dhcp enable
#
vlan batch 101 to 102 250
#
interface Vlanif101
 ip address 192.168.101.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface Vlanif102
 ip address 192.168.102.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface Vlanif250
 ip address 192.168.250.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 101
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 102
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 250
#
ip route-static 0.0.0.0 0.0.0.0 192.168.250.2
#
snmp-agent
snmp-agent community read ccieh3c.com
snmp-agent sys-info version v2c v3
Firewall configuration
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.250.2 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address dhcp-alloc
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip address-set 不允许上网 type object
 address 0 192.168.102.250 mask 32
#
ip address-set 102允许上网 type object
 address 0 192.168.102.0 mask 24
#
ip address-set BOSS_server type object
 address 0 5489-9864-0d2c
 address 1 192.168.101.249 mask 32
#
ip address-set 101网段 type object
 address 0 192.168.101.0 mask 24
#
time-range 休息时间
 period-range 12:00:00 to 13:30:00 working-day
#
security-policy
 rule name PC4_deny_internet
  source-zone trust
  destination-zone untrust
  source-address address-set 不允许上网
  action deny
 rule name 允许102其他上网
  source-zone trust
  destination-zone untrust
  source-address address-set 102允许上网
  action permit
 rule name Local_any
  source-zone local
  action permit
 rule name BOSS
  source-zone trust
  destination-zone untrust
  source-address address-set BOSS_server
  action permit
 rule name 休息时间允许上网
  source-zone trust
  destination-zone untrust
  source-address address-set 101网段
  time-range 休息时间
  action permit
#
nat-policy
 rule name 允许上网
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
ip route-static 192.168.101.0 255.255.255.0 192.168.250.1
ip route-static 192.168.102.0 255.255.255.0 192.168.250.1
#
snmp-server arp-sync enable
snmp-server target-host arp-sync address 192.168.250.1 community ccieh3c.com
Easily overlooked points
(1) The Layer 3 switch must support standard SNMP (mainstream switches now do); configure the community name and version.
(2) Enable cross-Layer-3 MAC identification on the firewall and specify the core switch's address and community name (get either the address or the community name wrong and the fetch fails).
(3) It is easy to forget the default route on the Layer 3 switch or the return routes on the firewall, which leaves hosts unable to reach the Internet.
(4) The firewall must permit Local to Trust (per your actual topology, the zone of the interface facing the Layer 3 switch); if this is not permitted, the firewall's own traffic cannot leave and the sync fails.