Transparent mode of firewall

2025-02-23 Update From: SLTechnology News&Howtos


1. Environments suited to transparent deployment:

a. Rapid deployment into an existing Layer 3 network

b. When the network structure does not allow redesign

c. When traffic within the same network segment is not restricted by policy

d. When you want to increase security within the same network segment

2. Layer 2 (L2) zones in transparent mode

a. Predefined by the system:

V1-Untrust

V1-Trust

V1-DMZ

b. Users can also define their own L2 zones:

set zone name L2-cjclub L2

3. VLAN interface

a. The VLAN interface is on the same network segment as the hosts contained in the zones

b. Supports a management IP address

c. The physical interfaces respond to ARP

4. Default management services of each zone:

V1-Trust: all

V1-DMZ: ping

V1-Untrust: none

User-defined L2 zones: none

* In transparent mode, management traffic has to pass two filters: (1) the service filter of the physical interface and (2) the service filter of the VLAN1 interface.

5. Configuration of transparent mode:

a. Set up an L2 zone (or use a system default V1 Layer 2 zone)

set zone name l2-cjclub l2

b. Put the physical interface into the Layer 2 zone (the user-defined zone, or a system default zone)

set interface untrust zone l2-cjclub

set interface untrust zone v1-untrust

* Make sure the interface has no IP address and does not belong to any zone (that is, it is in the Null zone)

c. Configure the IP address of the VLAN1 interface for management

set interface vlan1 ip 10.1.1.1/24

d. Select the broadcast mode of the VLAN interface:

Default: flooding

When the destination MAC of a received packet is not in the MAC cache, the packet is sent out of every port except the one it arrived on

ARP/Trace-Route

If there is no entry in the MAC address table, an ARP query packet is flooded instead (more secure, because the original packet is not flooded)

set interface vlan1 broadcast arp

e. Configure the management services for VLAN1

set interface vlan1 manage ping

set interface vlan1 manage telnet

set interface vlan1 manage web
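
The following Python script is an added example, not part of the original article or of any vendor tool. It reads the configuration lines from section 5, applies the zone defaults from section 4 to work out which management services pass both filters on each physical interface, and reports the default flood mode and cleartext telnet management. The sample configuration and the interface names trust and untrust are constructed, and the script assumes the zone-level defaults have not been changed.

```python
# Added example: audits a transparent-mode config using only the commands
# shown on this page. SAMPLE_CONFIG is constructed; "trust"/"untrust" are
# assumed physical interface names.

# Zone-level management defaults from section 4 ("all" = no zone-level limit).
ZONE_DEFAULTS = {"v1-trust": "all", "v1-dmz": {"ping"}, "v1-untrust": set()}

SAMPLE_CONFIG = """\
set zone name l2-cjclub l2
set interface trust zone v1-trust
set interface untrust zone l2-cjclub
set interface vlan1 ip 10.1.1.1/24
set interface vlan1 manage ping
set interface vlan1 manage telnet
set interface vlan1 manage web
"""

def audit(config):
    """Return (services reachable per physical interface, list of findings)."""
    zones, vlan1_services, broadcast = {}, set(), "flood"  # flood is the default
    for line in config.lower().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["set", "interface"]:
            continue
        iface, key, value = tok[2:5]
        if iface == "vlan1" and key == "manage":
            vlan1_services.add(value)
        elif iface == "vlan1" and key == "broadcast":
            broadcast = value
        elif key == "zone":
            zones[iface] = value

    # A service is reachable only if it passes both filters: zone and VLAN1.
    reachable = {}
    for iface, zone in zones.items():
        allowed = ZONE_DEFAULTS.get(zone, set())  # user-defined L2 zone: none
        reachable[iface] = set(vlan1_services) if allowed == "all" else vlan1_services & allowed

    findings = []
    if broadcast != "arp":
        findings.append("vlan1 broadcast mode is flood: frames for unknown MACs leave every other port")
    for iface, services in sorted(reachable.items()):
        if "telnet" in services:
            findings.append(f"telnet (cleartext) management reachable through {iface}")
    return reachable, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print("FINDING:", finding)
```
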

Common viewing commands in transparent mode:

a. get interface

b. get arp

c. get mac-learn

To specify an entry statically by hand: set mac 001c257e84e2 interface trust vlan1

d. get session

NAT is not needed; the main job is to filter and protect × × traffic
