Firewall interface types
Physical interfaces
1) A physical interface on the firewall can work either as a Layer 2 interface or as a Layer 3 interface
2) Layer 2 interface: run portswitch
3) Layer 3 interface: run undo portswitch
Logical interfaces
1) VT (virtual-template) interface, dialer interface
2) Tunnel interface, null interface
3) VLANIF interface
4) Ethernet sub-interface (Layer 3)
5) Eth-Trunk interface, loopback interface
Firewall Eth-Trunk
Advantages:
1) increases link bandwidth (the member links are aggregated)
2) reliability: when one member link fails, traffic stays on the remaining members (with LACP the link state is negotiated)
3) load balancing across the member links
Eth-Trunk modes:
1) Manual load-balancing mode (the default). Note: all member links take part in forwarding; there is no protocol negotiation, so a member is only removed when its physical link goes down.
2) Static LACP mode (there is no dynamic LACP mode). Note: members can also be configured as M:N active/backup links.
Eth-Trunk interface types
1) Layer 2 Eth-Trunk
2) Layer 3 Eth-Trunk
Layer 2 Eth-Trunk on a switch
Step 1: create the Eth-Trunk and set its mode
interface Eth-Trunk1
mode lacp-static --------- the default is manual load balancing
Step 2: define the Eth-Trunk link type
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
Step 3: add member interfaces to the Eth-Trunk group
Method one (on each member interface)
int XXXX
eth-trunk 1
Method two (on the Eth-Trunk itself; not available on the firewall)
int eth-trunk XX
trunkport g0/0/1 to 0/0/2
Layer 3 Eth-Trunk on the firewall
Step 1: create the Eth-Trunk and set its mode
interface Eth-Trunk1
mode lacp-static
Step 2: add member interfaces to the Eth-Trunk
int XXX
eth-trunk 1
Check the Eth-Trunk configuration
<FW1>display eth-trunk 1
15:10:49 2019/06/02
Eth-Trunk1's state information is:
Local:
LAG ID:1 WorkingMode: STATIC
Preempt Delay: Disable Hash arithmetic: According to IP
System Priority: 32768 System ID: 2444-27ca-fbff
Least active-linknumber: 1 Max active-linknumber: 8
Operate Status: up Number of Up Port in Trunk: 2
----------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 100M 32768 2 64 10111100 1
GigabitEthernet0/0/2 Selected 100M 32768 3 64 10111100 1
Partner:
----------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 384c-4f60-9d20 32768 1 289 10111100
GigabitEthernet0/0/2 32768 384c-4f60-9d20 32768 2 289 10111100
Firewall sub-interfaces
Sub-interfaces on a physical interface
Step 1: configure the sub-interfaces on the firewall
interface GigabitEthernet1/0/1.10 ------- create the sub-interface first
vlan-type dot1q 10 ---------------------- set the encapsulated VLAN ID
ip address 10.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1.16
vlan-type dot1q 16
ip address 192.168.1.10 255.255.255.0
#
Step 2: add the sub-interfaces to security zones
firewall zone trust
add interface GigabitEthernet1/0/1.10
#
firewall zone dmz
add interface GigabitEthernet1/0/1.16
Check:
[FW1]display zone
20:26:16 2019/03/07
local
priority is 100
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1.10
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/1.16
Step 3: test connectivity through the firewall
By default the traffic does not pass: a Huawei firewall ships with no permit policy between zones,
so the default security policy is deny
[FW1]display security-policy all
21:35:50 2019/09/05
Total:1
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable deny 275
-------------------------------------------------------------------------------
[FW1]
security-policy
default action permit ---------- opens the default policy (permits everything); for testing only
Test connectivity between each pair of sub-interfaces
When the test is complete you must remember to close it again:
security-policy
default action deny
Note:
The PING question
Pinging between zones through the firewall works as long as the security policy above permits it.
Pinging the firewall's own interfaces from a security zone is different: even a fully open security policy is not enough; management access for PING must be enabled on the interface (service-manage ping permit) before pings to that interface are answered.
Step 4: verify the test
Sub-interfaces on a logical interface (Eth-Trunk)
A Layer 3 Eth-Trunk can be configured with an IP address directly, or carry dot1q sub-interfaces
Layer 2 Eth-Trunk link type on the switch side
the default is hybrid
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 16 40 50
Firewall side configuration (sub-interfaces on the Eth-Trunk):
interface Eth-Trunk1.10
vlan-type dot1q 10
ip address 10.1.1.10 255.255.255.0
#
interface Eth-Trunk1.16
vlan-type dot1q 16
ip address 192.168.1.10 255.255.255.0
#
Note:
Every firewall interface, whether physical or logical, must be added to a security zone
An interface that belongs to no zone cannot forward traffic, so all of the firewall's interfaces are assigned to zones
firewall zone trust
set priority 85
add interface Eth-Trunk1.10
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1.16
Permit the traffic with a security policy (trust to dmz):
security-policy
rule name trust_dmz
source-zone trust
destination-zone dmz
action permit
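The two operational warnings in these notes (set the default action back to deny after testing, and leave no Layer 3 interface outside a zone) are easy to forget on a box with many interfaces. The following audit script is an added example, not from the original notes or from Huawei; it parses a saved USG configuration (the text of display current-configuration) and reports interfaces that carry an IP address but belong to no zone, a default action that is not deny, and permit rules that omit source-zone or destination-zone (an unspecified zone condition matches any zone). The SAMPLE_CONFIG is constructed for the demonstration and is not output from a real device; the configuration layout it assumes is the block style used throughout these notes (blocks separated by # lines).

```python
"""Audit a saved Huawei USG configuration for zone and default-policy mistakes."""

# Constructed sample in 'display current-configuration' style (not from a real device).
# It contains two deliberate mistakes: Vlanif30 is in no zone, the default action is
# permit, and the rule mgmt_any permits without naming any zones.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 10.1.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1.16
 vlan-type dot1q 16
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/3
 portswitch
 port link-type access
 port access vlan 20
#
interface Vlanif20
 ip address 10.1.2.10 255.255.255.0
 service-manage ping permit
#
interface Vlanif30
 ip address 10.1.3.10 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1.10
 add interface Vlanif20
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1.16
#
security-policy
 rule name trust_dmz
  source-zone trust
  destination-zone dmz
  action permit
 rule name mgmt_any
  action permit
 default action permit
#
"""


def blocks(cfg):
    """Split the configuration into blocks of stripped lines, delimited by '#' lines."""
    out, cur = [], []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append(cur)
    return out


def layer3_interfaces(cfg):
    """Interfaces that need a zone: every interface block that carries an IP address.
    Layer 2 ports (portswitch) and Eth-Trunk members have no IP and are skipped."""
    names = set()
    for blk in blocks(cfg):
        if blk[0].startswith("interface ") and any(l.startswith("ip address ") for l in blk[1:]):
            names.add(blk[0].split(None, 1)[1])
    return names


def zone_members(cfg):
    """Map zone name -> set of interfaces added to it."""
    zones = {}
    for blk in blocks(cfg):
        if blk[0].startswith("firewall zone "):
            zone = blk[0].split(None, 2)[2]
            zones[zone] = {l.split(None, 2)[2] for l in blk[1:] if l.startswith("add interface ")}
    return zones


def security_policy(cfg):
    """Return (default_action, rules); each rule is a dict with name, zones and action."""
    default, rules, cur = None, [], None
    for blk in blocks(cfg):
        if blk[0] != "security-policy":
            continue
        for l in blk[1:]:
            parts = l.split()
            if l.startswith("rule name "):
                cur = {"name": parts[2], "source-zone": set(), "destination-zone": set(), "action": None}
                rules.append(cur)
            elif l.startswith("default action "):
                default = parts[2]
            elif cur is not None and parts[0] in ("source-zone", "destination-zone"):
                cur[parts[0]].update(parts[1:])
            elif cur is not None and parts[0] == "action":
                cur["action"] = parts[1]
    return default, rules


def audit(cfg):
    """Return a list of human-readable findings; an empty list means the config is clean."""
    findings = []
    zoned = set().union(*zone_members(cfg).values())
    for name in sorted(layer3_interfaces(cfg) - zoned):
        findings.append(f"interface {name} has an IP address but belongs to no zone")
    default, rules = security_policy(cfg)
    if default != "deny":
        findings.append(f"security-policy default action is {default!r}, expected 'deny'")
    for r in rules:
        if r["action"] == "permit" and (not r["source-zone"] or not r["destination-zone"]):
            findings.append(f"rule {r['name']} permits traffic without both source-zone and destination-zone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a configuration exported from the device after a test session: the three findings printed for the sample are exactly the states these notes warn about, and the script returns nothing once Vlanif30 is added to a zone, the open rule is scoped, and default action deny is restored.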
Firewall VLANIF interfaces
Lab demonstration of VLANIF interface technology on the firewall
Configuration roadmap:
Step 1: create the VLANs
vlan batch 20 30
Step 2: configure the physical interfaces as Layer 2 access ports
interface GigabitEthernet1/0/3
portswitch
port link-type access ------------ the default is access, and it can be changed
port access vlan 20
#
interface GigabitEthernet1/0/4
portswitch
port link-type access
port access vlan 30
Step 3: create the VLANIF interfaces
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
service-manage ping permit
#
interface Vlanif30
ip address 10.1.3.10 255.255.255.0
service-manage ping permit
Step 4: add the interfaces to security zones
Note: the Layer 2 physical ports do not need to be added to a zone; only the logical VLANIF interfaces are added
firewall zone trust
add interface Vlanif20
add interface Vlanif30
Step 5: verify
Note:
Interfaces in the same zone can communicate with each other without a security policy ------ is that conclusion right?
On the USG6320 V100 version used here it is necessary to configure a security policy even within the same zone:
security-policy
rule name trust_trust
source-zone trust
destination-zone trust
action permit