Huawei firewall policy: blocking a device by MAC address also blocks the traffic of devices behind it (after a firewall reboot, a few packets still get through)


Attachments (configuration dumps captured during the test):

fw1_2022.04.17.00时29分05秒.txt
sw1_2022.04.17.00时28分45秒.txt
sw1_2022.04.17.00时29分19秒.txt
sw3_2022.04.17.00时29分33秒.txt

(1) Basic configuration

fw1 interface configuration (the original page labels this block sw2, but service-manage and alias are firewall interface commands, and sw2's own configuration appears further down):

#
interface Vlanif1
 ip address 192.168.1.253 255.255.255.0
 alias Vlanif1
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#

interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 
ip route-static 0.0.0.0 0.0.0.0 192.168.1.252

fw1:
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface Vlanif1

#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
#
security-policy
 rule name trust-To-untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name untrust-To-trust
  source-zone untrust
  destination-zone trust
  action permit
#


sw2:
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 192.168.1.252 255.255.255.0
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 172.16.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

sw3:
interface Vlanif1
 ip address 172.16.1.100 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.254


(2) Ping test

<sw2>
<sw2>ping 192.168.1.253
  PING 192.168.1.253: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.253: bytes=56 Sequence=1 ttl=255 time=8 ms
    Reply from 192.168.1.253: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 192.168.1.253: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 192.168.1.253: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 192.168.1.253: bytes=56 Sequence=5 ttl=255 time=3 ms
  --- 192.168.1.253 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/8 ms
<sw2>ping 192.168.1.252
  PING 192.168.1.252: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=4 ms
    Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=4 ms
    Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=4 ms
  --- 192.168.1.252 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/7/20 ms
<sw2>ping 172.16.1.100
  PING 172.16.1.100: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.100: bytes=56 Sequence=1 ttl=254 time=44 ms
    Reply from 172.16.1.100: bytes=56 Sequence=2 ttl=254 time=6 ms
    Reply from 172.16.1.100: bytes=56 Sequence=3 ttl=254 time=6 ms
    Reply from 172.16.1.100: bytes=56 Sequence=4 ttl=254 time=5 ms
    Reply from 172.16.1.100: bytes=56 Sequence=5 ttl=254 time=8 ms
  --- 172.16.1.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/13/44 ms
<sw2>

<sw1>
<sw1>
<sw1>ping 192.168.1.252
  PING 192.168.1.252: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=33 ms
    Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=1 ms
  --- 192.168.1.252 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/7/33 ms
<sw1>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=51 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=5 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=4 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=7 ms
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/14/51 ms
<sw1>

<sw3>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=254 time=39 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=254 time=5 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=254 time=9 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=254 time=18 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=254 time=5 ms
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/15/39 ms
<sw3>


(3) Block sw1's MAC address from reaching 192.168.1.254

ip address-set DenyMACgroup type object
 address 0 005c-d69f-6000
#


security-policy
 rule name DenyMAC
  source-zone trust
  destination-zone untrust
  source-address address-set DenyMACgroup
  action deny
 rule name trust-To-untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name untrust-To-trust
  source-zone untrust
  destination-zone trust
  action permit
#



(4) Ping test. Result: after blocking the MAC of sw1's interface, sw3's traffic no longer gets through the firewall either. The firewall is matching on a MAC address, which is a layer-2 identifier: every routed hop strips the Ethernet header and writes its own egress MAC as the source, so the firewall only ever sees the MAC of the last device in front of it, never the MAC of the host that originated the packet. Everything forwarded by the device that owns the blocked MAC is therefore dropped, whatever its source IP. Two things follow in practice: a MAC-based rule cannot single out one host behind a router (to block only sw3, use an address-set or source-address entry with its IP, 172.16.1.100, instead), and because a host attached directly to the firewall segment can change its own MAC, a MAC deny is a weak control on its own. Also keep the DenyMAC rule above the trust-To-untrust permit, as in the policy above: security-policy rules are matched top-down and the first match wins.

<sw2>
<sw2>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=14 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=2 ms
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/3/14 ms
<sw2>ping 192.168.1.253
  PING 192.168.1.253: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.253: bytes=56 Sequence=1 ttl=255 time=12 ms
    Reply from 192.168.1.253: bytes=56 Sequence=2 ttl=255 time=3 ms
    Reply from 192.168.1.253: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 192.168.1.253: bytes=56 Sequence=4 ttl=255 time=4 ms
    Reply from 192.168.1.253: bytes=56 Sequence=5 ttl=255 time=3 ms
  --- 192.168.1.253 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/5/12 ms
<sw2>ping 192.168.1.252
  PING 192.168.1.252: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.252: bytes=56 Sequence=1 ttl=255 time=24 ms
    Reply from 192.168.1.252: bytes=56 Sequence=2 ttl=255 time=5 ms
    Reply from 192.168.1.252: bytes=56 Sequence=3 ttl=255 time=4 ms
    Reply from 192.168.1.252: bytes=56 Sequence=4 ttl=255 time=5 ms
    Reply from 192.168.1.252: bytes=56 Sequence=5 ttl=255 time=5 ms
  --- 192.168.1.252 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 4/8/24 ms
<sw2>ping 172.16.1.100
  PING 172.16.1.100: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.100: bytes=56 Sequence=1 ttl=254 time=50 ms
    Reply from 172.16.1.100: bytes=56 Sequence=2 ttl=254 time=6 ms
    Reply from 172.16.1.100: bytes=56 Sequence=3 ttl=254 time=8 ms
    Reply from 172.16.1.100: bytes=56 Sequence=4 ttl=254 time=10 ms
    Reply from 172.16.1.100: bytes=56 Sequence=5 ttl=254 time=5 ms
  --- 172.16.1.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 5/15/50 ms
<sw2>

<sw1>
<sw1>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<sw1>

<sw3>
<sw3>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<sw3>
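The result above follows from how routing rewrites the Ethernet header. The following is an added example, not code from the original page: a small Python model of one routed hop in front of a firewall, with the firewall's rules evaluated top-down as a security-policy is. Only the addresses 172.16.1.100 and 192.168.1.254 and the denied MAC 005c-d69f-6000 come from the page; the other MACs and IPs, the assumption that the denied MAC is the egress interface of the last routed hop, and the forwarding model itself are assumptions made for illustration.

```python
# Added example, not code from the original page: a minimal model of why a
# firewall rule that matches on a source MAC blocks every host behind a routed
# hop. Only 172.16.1.100, 192.168.1.254 and the denied MAC 005c-d69f-6000 come
# from the page; every other address and the forwarding model are assumptions.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 255


def norm_mac(mac: str) -> str:
    """Reduce Huawei 'xxxx-xxxx-xxxx' or 'xx:xx:...' notation to 12 hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class Router:
    """An L3 hop: it replaces the whole Ethernet header and decrements TTL,
    but leaves the IP addresses untouched."""
    egress_mac: str     # MAC of the interface facing the firewall
    next_hop_mac: str   # MAC of the firewall's trust-side interface

    def forward(self, f: Frame) -> Frame:
        return replace(f, src_mac=self.egress_mac, dst_mac=self.next_hop_mac, ttl=f.ttl - 1)


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    src_mac: Optional[str] = None   # address-set entry of the MAC kind
    src_ip: Optional[str] = None    # address-set entry of the IP kind

    def matches(self, f: Frame) -> bool:
        if self.src_mac is not None and norm_mac(f.src_mac) != norm_mac(self.src_mac):
            return False
        if self.src_ip is not None and f.src_ip != self.src_ip:
            return False
        return True


def evaluate(rules: List[Rule], f: Frame):
    """Top-down, first match wins; unmatched traffic is denied."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    return "default", "deny"


DENIED_MAC = "005c-d69f-6000"      # the page's address-set entry
FW_TRUST_MAC = "00e0-fc00-0001"    # assumed
# Assumed: the denied MAC belongs to the firewall-facing interface of the last routed hop.
HOP = Router(egress_mac=DENIED_MAC, next_hop_mac=FW_TRUST_MAC)

MAC_POLICY = [Rule("DenyMAC", "deny", src_mac=DENIED_MAC),
              Rule("trust-To-untrust", "permit")]
IP_POLICY = [Rule("DenyHost", "deny", src_ip="172.16.1.100"),
             Rule("trust-To-untrust", "permit")]


def arriving_frames():
    """Constructed sample traffic as it reaches the firewall's trust interface."""
    behind_hop = [
        Frame("aaaa-aaaa-0001", "cccc-cccc-0001", "172.16.1.100", "192.168.1.254"),  # sw3
        Frame("aaaa-aaaa-0002", "cccc-cccc-0001", "172.16.1.101", "192.168.1.254"),  # assumed 2nd host
    ]
    frames = {f.src_ip: HOP.forward(f) for f in behind_hop}
    # the hop's own traffic (assumed IP) and a host attached directly to the firewall segment
    frames["192.168.1.251"] = Frame(DENIED_MAC, FW_TRUST_MAC, "192.168.1.251", "192.168.1.254")
    frames["192.168.1.250"] = Frame("4c1f-cc00-0002", FW_TRUST_MAC, "192.168.1.250", "192.168.1.254")
    return frames


def decisions(rules):
    """Map source IP -> action for the sample traffic under a given policy."""
    return {ip: evaluate(rules, f)[1] for ip, f in arriving_frames().items()}


def spoof_bypass():
    """A directly attached host denied only by MAC just changes its MAC."""
    before = Frame(DENIED_MAC, FW_TRUST_MAC, "192.168.1.250", "192.168.1.254")
    after = replace(before, src_mac="4c1f-cc00-00ff")   # same IP, spoofed MAC
    return evaluate(MAC_POLICY, before)[1], evaluate(MAC_POLICY, after)[1]


if __name__ == "__main__":
    for ip, action in decisions(MAC_POLICY).items():
        print(f"MAC policy  {ip:15} -> {action}")
    for ip, action in decisions(IP_POLICY).items():
        print(f"IP policy   {ip:15} -> {action}")
    print("spoof bypass:", spoof_bypass())
```

Under the MAC policy every frame that crossed the hop arrives with the hop's MAC and TTL 254 and is denied together with the hop's own traffic, while the IP policy denies only 172.16.1.100; the spoof case shows a directly attached host turning "deny" into "permit" by changing nothing but its MAC.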

(5) After the firewall reboots, the MAC restriction is not enforced in the first moments after it comes up: a few packets get through before the rule starts dropping. The cause is not shown here; treat the restriction as not fail-closed and verify it with a second ping after every reboot.
<sw3>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=254 time=593 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=254 time=17 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=254 time=1721 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=254 time=1302 ms
    Request time out

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
    round-trip min/avg/max = 17/908/1721 ms
<sw3>
<sw3>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<sw3>
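A practitioner checking this after a reboot wants something stricter than reading the loss percentage. The following is an added example, not code from the original page: a Python parser for the VRP ping output shown above, a classifier that distinguishes a fully blocked run from the "replies first, then timeouts" pattern of the post-reboot window, and a check that only trusts the rule once the latest run is fully blocked. The sample outputs are constructed copies of the two sw3 runs above; the assumption that a VRP device answers with TTL 255 is taken from the ttl=255 replies in the direct pings on this page.

```python
# Added example, not code from the original page: parse VRP "ping" output and
# flag the post-reboot window in which a few probes still get through.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

REPLY_RE = re.compile(r"Reply from [\d.]+: bytes=\d+ Sequence=(\d+) ttl=(\d+) time=(\d+) ms")
TIMEOUT_RE = re.compile(r"Request time out")
SUMMARY_RE = re.compile(r"(\d+) packet\(s\) transmitted\s+(\d+) packet\(s\) received")


@dataclass
class PingResult:
    transmitted: int
    received: int
    events: List[str] = field(default_factory=list)                     # "reply"/"timeout", in order
    replies: List[Tuple[int, int, int]] = field(default_factory=list)   # (seq, ttl, rtt_ms)


def parse_vrp_ping(text: str) -> PingResult:
    events, replies = [], []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            events.append("reply")
            replies.append(tuple(int(g) for g in m.groups()))
        elif TIMEOUT_RE.search(line):
            events.append("timeout")
    m = SUMMARY_RE.search(text)
    if m:
        tx, rx = int(m.group(1)), int(m.group(2))
    else:                       # summary cut off: fall back to what was counted
        tx, rx = len(events), len(replies)
    return PingResult(tx, rx, events, replies)


def classify(r: PingResult) -> str:
    """blocked: every probe timed out.  open: every probe answered.
    leaky: replies first, then only timeouts (the transient seen after reboot).
    lossy: loss with no such ordering (a network problem rather than policy)."""
    if r.received == 0:
        return "blocked"
    if r.received == r.transmitted:
        return "open"
    if "reply" not in r.events or "timeout" not in r.events:
        return "lossy"
    first_timeout = r.events.index("timeout")
    last_reply = len(r.events) - 1 - r.events[::-1].index("reply")
    return "leaky" if first_timeout > last_reply else "lossy"


def routed_hops(r: PingResult, initial_ttl: int = 255) -> int:
    """Routed hops between responder and sender, from the reply TTL
    (assumes the responder starts at 255, as the direct pings on the page show)."""
    return initial_ttl - min(ttl for _, ttl, _ in r.replies) if r.replies else -1


def policy_holds(runs: List[str]) -> Tuple[List[str], bool]:
    """Classify consecutive ping runs; trust the rule only once the latest run is blocked."""
    classes = [classify(parse_vrp_ping(t)) for t in runs]
    return classes, bool(classes) and classes[-1] == "blocked"


# Constructed copies of the two sw3 runs shown above.
AFTER_REBOOT = """\
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=254 time=593 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=254 time=17 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=254 time=1721 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=254 time=1302 ms
    Request time out

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    4 packet(s) received
    20.00% packet loss
"""
SECOND_RUN = """\
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
"""

if __name__ == "__main__":
    for name, run in (("after reboot", AFTER_REBOOT), ("second run", SECOND_RUN)):
        r = parse_vrp_ping(run)
        print(f"{name}: {classify(r)} ({r.received}/{r.transmitted}), hops={routed_hops(r)}")
    print("policy holds:", policy_holds([AFTER_REBOOT, SECOND_RUN]))
```

The first run classifies as "leaky" and the second as "blocked", so the rule is only trusted after the second run; a single run would be reported as not yet holding. The TTL of 254 in the replies also confirms one routed hop between sw3 and 192.168.1.254.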



Reprints should keep the source: www.zh-cjh.com (珠海陈坚浩博客) » Huawei firewall policy: blocking a device by MAC address also blocks the traffic of devices behind it (after a firewall reboot, a few packets still get through)

Author: cjh
