《多虚拟防火墙的流量分类.pdf》由会员分享,可在线阅读,更多相关《多虚拟防火墙的流量分类.pdf(4页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、当 CISCO的 ASA防火墙划分了多个虚拟防火墙的时候,经过 ASA虚拟防火墙的数据包,都必须经过分类,并发送到相应的虚拟防火墙,进而转发到相应的目的地。ASA通过三种方式来区分各个虚拟防火墙的流量:唯一的物理接口。唯一的 MAC 地址。通过 NAT来决定数据包的走向。本文将对这三种方式的流量分类,做一个简单的介绍。唯一的物理接口:如果一个物理接口被单独的分配给某一个虚拟防火墙,那么 ASA将所有需要转发到这个虚拟防火墙的流量转发到该物理接口。在防火墙的传输模式下,必须为虚拟防火墙分配一个单独的物理接口。所以在没有共享接口的情况下,这种方法作为防火墙分类流量的方法。这种方法比较简单,在这里就
2、不做过多的介绍。唯一的 MAC 地址:由于 ASA的接口有限,所以在多虚拟防火墙的模式下,我们会经常遇到一个接口同时分配给多个虚拟防火墙。这个时候使用物理接口来对流量进行分类的办法将在这种情况下不再适用,因为防火墙无法确定流量究竟应该转发到哪个虚拟防火墙。我们需要使用其他的方法来对流量的走向进行区分,通常我们会使用自动或者手动为这个分配给多个虚拟防火墙的共享接口指定不同的MAC 地址,防火墙将使用 MAC 地址来区分流量的走向。如图1 所示:图 1 使用唯一的 MAC 地址区分流量我们从图中可以看到,当流量进入属于多个虚拟防火墙的共享接口时,防火墙在检查目的 IP 地址的同时也检查MAC 地址
3、,来决定数据包应该转发到哪一个虚拟防火墙下。默认情况下,共享接口没有被指定唯一的MAC 地址,每一个共享这个借口的虚拟防火墙都会使用该接口的物理MAC 地址作为这个接口的MAC地址,这时,防火墙对该数据包的路由将会出现问题。我们可以为该接口指定MAC 地址来解决这个问题。手动指定 MAC 地址:在每个虚拟防火墙的该共享接口下配置:mac-address HHH.HHH.HH 例如:hostname(config)#Interface F0/0 hostname(config-if)#mac-address 0001.0001.0001 文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5
4、 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文
5、档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2
6、C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4
7、Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G
8、2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1
9、R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6
10、V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2自动指定 MAC 地址:在防火墙的 SYSTEM 平台的全局配置模式下配置:mac-address auto 例如:hostname(config)#mac-address auto 通过 NAT来决定数据包的走向:如果没有为接口指定唯一的MAC 地址,防火墙当收到一个通过共享接口的流量时,防火墙只会检查目的IP 地址。
11、通过要使用目的 IP 地址来决定数据包的走向,那么防火墙必须知道目的地址是被定位在哪个虚拟防火墙上。NAT技术可以提供这样的功能。NAT的转换条目可以使防火墙将数据包转发到正确的虚拟防火墙上。如图 2 所示:图 2 使用 NAT区分流量如图所示,当流量进入属于多个虚拟防火墙的共享接口时,防火墙检查目的 IP 地址的时候,发现匹配了NAT转换条目,这时可以通过NAT转换条目将数据包转发到正确的目的地址。文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C1
12、0 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5
13、 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文
14、档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2
15、C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4
16、Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G
17、2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1
18、R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2例如:配置静态 NAT转换:?Context A:static(inside,shared)10.10.10.0 10.10.10.0 netmask 255.255.255.0?Context B:static(inside,shared)10.20.10.0 10.20.10.0 netmask 255.255.255.0?Context C:static(inside,shared)10.30.10.0 10.30.10.0 netmask 255.
19、255.255.0 当我们使用多防火墙模式,并且共享了接口到多个虚拟防火墙的时候,我们需要注意将流量转发到正确的虚拟防火墙上去,如果没有指定 MAC 地址(不管是手动还是自动)并且也没有配置 NAT的话,防火墙将不能找到正确的目的地址而将数据包丢弃。文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H
20、1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R
21、6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3
22、S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L
23、3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M
24、6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2