Shulou(Shulou.com)06/01 Report--

Topology before firewalls are not deployed:

Topology after deployment of the firewall:

After deploying the firewall, modify the configuration as follows:

Delete the address of VLAN21, create a new VLAN2021 on the core switch, and put the address originally defined on VLAN21 on VLAN2021. Use TRUNK to connect to the Feita firewall, and the TRUNK contains VLAN2021 and VLAN21. Through this mode, the client can access the server and pass through the firewall.

Message flow:

1. Client- > server. The message is routed on the switch and sent from vlan2021. The message changes the vlan tag to 21 on the firewall and returns to the server.

2. Server- > client. The message is exchanged on the switch and sent from vlan21. The message changes the vlan tag to 2021 on the firewall, returns, and arrives at the client.

Summary:

The vlan bridge of the Feita firewall can not change the original topology and divert the traffic through the firewall. Checked the information of other families, including Cisco, H4C do not support this feature. Cisco has vlan bridging, but for non-IP protocols. This feature was probably first proposed by netscreen.

Extension: generally, the switch has only one mac address, and the switch judges whether the ARP/IP message is a local message, not directly checking the destination mac address of the message, but first checking whether the vlan has an IP address, and switching if it is not; and then judging whether the mac address is local, and whether the ARP/IP message is processed locally.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.