Huawei firewall policy: restricting one device's MAC address also blocks the traffic of devices behind it (after a firewall reboot, a few packets get through)
(1) Basic configuration
sw2:
#
interface Vlanif1
ip address 192.168.1.253 255.255.255.0
alias Vlanif1
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.1.254 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.1.252
fw1:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
#
security-policy
rule name trust-To-untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust-To-trust
source-zone untrust
destination-zone trust
action permit
#
sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.1.252 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.16.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
sw3:
interface Vlanif1
ip address 172.16.1.100 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.254
(2) Ping tests
<sw2>
<sw2>ping 192.168.1.253
PING 192.168.1.253: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.253: bytes=56 Sequence=1 ttl=255 time=8 ms
Reply from 192.168.1.253: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 192.168.1.253: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.1.253: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.1.253: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 192.168.1.253 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/8 ms
<sw2>ping 192.168.1.252
PING 192.168.1.252: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=4 ms
--- 192.168.1.252 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/7/20 ms
<sw2>ping 172.16.1.100
PING 172.16.1.100: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.100: bytes=56 Sequence=1 ttl=254 time=44 ms
Reply from 172.16.1.100: bytes=56 Sequence=2 ttl=254 time=6 ms
Reply from 172.16.1.100: bytes=56 Sequence=3 ttl=254 time=6 ms
Reply from 172.16.1.100: bytes=56 Sequence=4 ttl=254 time=5 ms
Reply from 172.16.1.100: bytes=56 Sequence=5 ttl=254 time=8 ms
--- 172.16.1.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/13/44 ms
<sw2>
<sw1>
<sw1>
<sw1>ping 192.168.1.252
PING 192.168.1.252: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=33 ms
Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 192.168.1.252 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/7/33 ms
<sw1>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=51 ms
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=7 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/14/51 ms
<sw1>
<sw3>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=254 time=39 ms
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=254 time=9 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=254 time=18 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=254 time=5 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/15/39 ms
<sw3>
(3) Restrict sw1's MAC address from reaching 192.168.1.254
ip address-set DenyMACgroup type object
address 0 005c-d69f-6000
#
security-policy
rule name DenyMAC
source-zone trust
destination-zone untrust
source-address address-set DenyMACgroup
action deny
rule name trust-To-untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust-To-trust
source-zone untrust
destination-zone trust
action permit
#
(4) Ping tests. Result: after restricting the MAC address of sw1's interface, even sw3's traffic no longer passes the firewall. The firewall matches on the MAC address, which is layer-2 information, and once sw2's traffic has been forwarded by sw1 its MAC information has changed, because the MAC header is rewritten at every layer-3 hop.
<sw2>
<sw2>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=14 ms
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/3/14 ms
<sw2>ping 192.168.1.253
PING 192.168.1.253: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.253: bytes=56 Sequence=1 ttl=255 time=12 ms
Reply from 192.168.1.253: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 192.168.1.253: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.1.253: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 192.168.1.253: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 192.168.1.253 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/5/12 ms
<sw2>ping 192.168.1.252
PING 192.168.1.252: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=5 ms
Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=5 ms
--- 192.168.1.252 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/8/24 ms
<sw2>ping 172.16.1.100
PING 172.16.1.100: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.100: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 172.16.1.100: bytes=56 Sequence=2 ttl=254 time=6 ms
Reply from 172.16.1.100: bytes=56 Sequence=3 ttl=254 time=8 ms
Reply from 172.16.1.100: bytes=56 Sequence=4 ttl=254 time=10 ms
Reply from 172.16.1.100: bytes=56 Sequence=5 ttl=254 time=5 ms
--- 172.16.1.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/15/50 ms
<sw2>
<sw1>
<sw1>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw1>
<sw3>
<sw3>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw3>
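The behaviour observed in (4), as an added example that is not part of the original post: a small Python model of hop-by-hop frame forwarding fed into a first-match security policy. sw1's MAC is the one the page's DenyMACgroup lists; sw1's IP address, the MACs of sw2 and sw3, and the IP-based rule set used for contrast are assumed values, not from the page.

```python
# Added example (not from the original post). Device names/IPs follow the page;
# sw1's MAC is the one in DenyMACgroup, every other MAC and sw1's IP are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str   # Ethernet header: rewritten by every router on the path
    src_ip: str    # IP header: carried end to end unchanged
    dst_ip: str

def deliver(frame: Frame, hops: list[str]) -> Frame:
    """Carry a frame through routers (given by egress MAC). Each hop re-encapsulates
    the packet: the source MAC becomes that router's, the IP header is untouched."""
    for mac in hops:
        frame = replace(frame, src_mac=mac)
    return frame

# Rules are evaluated top-down, first match wins, implicit final deny.
# "field" names the header field the rule's address-set is compared against;
# None means "any source", like the page's plain trust-To-untrust permit rule.
MAC_RULES = [  # the page's policy: address-set holding sw1's MAC
    {"name": "DenyMAC", "field": "src_mac", "set": {"005c-d69f-6000"}, "action": "deny"},
    {"name": "trust-To-untrust", "field": None, "set": set(), "action": "permit"},
]
IP_RULES = [   # the same intent expressed on the IP header instead (assumed alternative)
    {"name": "DenyIP", "field": "src_ip", "set": {"192.168.1.1"}, "action": "deny"},
    {"name": "trust-To-untrust", "field": None, "set": set(), "action": "permit"},
]

def policy_lookup(frame: Frame, rules: list[dict]) -> tuple[str, str]:
    """Return (rule name, action) of the first rule the frame matches."""
    for rule in rules:
        if rule["field"] is None or getattr(frame, rule["field"]) in rule["set"]:
            return rule["name"], rule["action"]
    return "default", "deny"

SW1_MAC, SW1_IP = "005c-d69f-6000", "192.168.1.1"       # MAC from the page; IP constructed
SW2_MAC, SW3_MAC = "0000-0000-0002", "0000-0000-0003"   # constructed
TARGET = "192.168.1.254"

def sw1_ping(rules=MAC_RULES) -> tuple[str, str]:
    """sw1 pings the target directly, so its own MAC is in the frame."""
    return policy_lookup(Frame(SW1_MAC, SW1_IP, TARGET), rules)

def sw3_ping(rules=MAC_RULES) -> tuple[str, str]:
    """sw3 (172.16.1.100) pings via sw2 and then sw1: the firewall sees sw1's
    MAC, never sw3's, which is why the page's DenyMAC rule also drops it."""
    frame = deliver(Frame(SW3_MAC, "172.16.1.100", TARGET), [SW2_MAC, SW1_MAC])
    return policy_lookup(frame, rules)
```

Matching on the IP header (or applying the MAC restriction on the access switch, where the host's own MAC is still visible) is what lets sw3 through while still blocking sw1.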
(5) After the firewall reboots, the MAC restriction is not in effect in the moments right after it comes up; a few packets get through before the restriction starts being enforced.
<sw3>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=254 time=593 ms
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=254 time=17 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=254 time=1721 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=254 time=1302 ms
Request time out
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 17/908/1721 ms
<sw3>
<sw3>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw3>
Source (please retain when reposting): www.zh-cjh.com 珠海陈坚浩博客 » Huawei firewall policy: restricting one device's MAC address also blocks the traffic of devices behind it (after a firewall reboot, a few packets get through)
Author: cjh