
CLI: Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-2 Access)

A firewall accesses an enterprise network at Layer 2. You can configure virtual systems with separate administrators to isolate departments of the enterprise.

Networking Requirements

Medium-sized enterprise A deploys a firewall as the network gateway. The enterprise network is divided into three subnets, one each for the R&D, financial, and administrative departments. The security policies for the three departments differ and must meet the following requirements:

  • The FW connects to an existing intranet through Layer-2 access, without changing the intranet's network topology.
  • Internet access is granted to all employees of the administrative department, some employees of the R&D department, but none of the employees of the financial department.
  • The three departments have similar traffic volumes and therefore are assigned the same amount of virtual system resources.

Configure virtual systems to meet the preceding requirements. Figure 1 shows the networking diagram.

Figure 1 Networking diagram of network isolation (Layer-2 access)

Data Planning

The table lists each item, its planned data, and a description.

Item: vsysa

  • Virtual system name: vsysa
  • Outside interface: GE0/0/1
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/2
  • Security zone to which the inside interface belongs: Trust
  • VLAN assigned: VLAN10
  • Administrator: admin@@vsysa
  • IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10

  Description: Both the outside interface GE0/0/1 and inside interface GE0/0/2 are trunk interfaces and can be assigned to multiple virtual systems based on VLAN assignment.

Item: vsysb

  • Virtual system name: vsysb
  • Outside interface: GE0/0/1
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/2
  • Security zone to which the inside interface belongs: Trust
  • VLAN assigned: VLAN20
  • Administrator: admin@@vsysb

  Description: -

Item: vsysc

  • Virtual system name: vsysc
  • Outside interface: GE0/0/1
  • Security zone to which the outside interface belongs: Untrust
  • Inside interface: GE0/0/2
  • Security zone to which the inside interface belongs: Trust
  • VLAN assigned: VLAN30
  • Administrator: admin@@vsysc

  Description: -

Item: Resource class

  • Name: r1
  • Reserved Number for session: 10000
  • Maximum Number for session: 50000
  • User: 300
  • User Group: 10
  • Policy: 300

  Description: The three departments have similar traffic volumes and therefore are assigned the same resource class.

Configuration Roadmap

  1. Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLANs.
  2. The public system administrator creates three virtual systems vsysa, vsysb, and vsysc, assigns VLANs and resources, and configures an administrator for each virtual system.
  3. The administrator of the R&D department logs in to the FW to configure security policies for vsysa.
  4. The administrator of the financial department logs in to the FW to configure security policies for vsysb.
  5. The administrator of the administrative department logs in to the FW to configure security policies for vsysc.

Procedure

  1. Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLANs.

    # Use the account of the public system administrator to log in to the FW.

    # Create VLANs.

    <FW> system-view
    [FW] vlan 10
    [FW-vlan-10] quit
    [FW] vlan 20
    [FW-vlan-20] quit
    [FW] vlan 30
    [FW-vlan-30] quit

    # Configure interfaces.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] portswitch
    [FW-GigabitEthernet0/0/1] port link-type trunk
    [FW-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] portswitch
    [FW-GigabitEthernet0/0/2] port link-type trunk
    [FW-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
    [FW-GigabitEthernet0/0/2] quit

  2. The public system administrator creates virtual systems vsysa, vsysb, and vsysc and assigns VLANs to them.

    # Enable the virtual system function.

    [FW] vsys enable

    # Configure a resource class.

    [FW] resource-class r1
    [FW-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
    [FW-resource-class-r1] resource-item-limit policy reserved-number 300
    [FW-resource-class-r1] resource-item-limit user reserved-number 300
    [FW-resource-class-r1] resource-item-limit user-group reserved-number 10
    [FW-resource-class-r1] quit

    # Create virtual systems and allocate resources to them.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign resource-class r1
    [FW-vsys-vsysa] assign vlan 10
    [FW-vsys-vsysa] quit
    [FW] vsys name vsysb
    [FW-vsys-vsysb] assign resource-class r1
    [FW-vsys-vsysb] assign vlan 20
    [FW-vsys-vsysb] quit
    [FW] vsys name vsysc
    [FW-vsys-vsysc] assign resource-class r1
    [FW-vsys-vsysc] assign vlan 30
    [FW-vsys-vsysc] quit

  3. The public system administrator configures administrators for virtual systems.

    # The public system administrator creates administrator account admin@@vsysa for vsysa.

    [FW] switch vsys vsysa
    <FW-vsysa> system-view
    [FW-vsysa] aaa
    [FW-vsysa-aaa] manager-user admin@@vsysa
    [FW-vsysa-aaa-manager-user-admin@@vsysa] password
    Enter Password:                                                                 
    Confirm Password:                                                               
    [FW-vsysa-aaa-manager-user-admin@@vsysa] service-type web telnet ssh
    [FW-vsysa-aaa-manager-user-admin@@vsysa] level 15
    [FW-vsysa-aaa-manager-user-admin@@vsysa] quit
    [FW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
    [FW-vsysa-aaa] quit
    [FW-vsysa] quit
    <FW-vsysa> quit

    Configure administrators admin@@vsysb for vsysb and admin@@vsysc for vsysc by referring to the preceding substeps.

  4. The administrator of the R&D department configures security zones and security policies for vsysa.

    # Use the administrator account admin@@vsysa of vsysa to log in to the firewall. Change the login password before performing the following operations.

    # Configure security zones.

    <vsysa> system-view
    [vsysa] firewall zone trust
    [vsysa-zone-trust] add interface GigabitEthernet 0/0/2
    [vsysa-zone-trust] quit
    [vsysa] firewall zone untrust
    [vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
    [vsysa-zone-untrust] quit

    # Configure an address set.

    [vsysa] ip address-set ipaddress1 type object
    [vsysa-object-address-set-ipaddress1] address range 10.3.0.2 10.3.0.10
    [vsysa-object-address-set-ipaddress1] quit

    # Configure a security policy. This security policy allows intranet users of a specific network segment to access the Internet.

    [vsysa] security-policy                                                        
    [vsysa-policy-security] rule name to_internet                                  
    [vsysa-policy-security-rule-to_internet] source-zone trust                     
    [vsysa-policy-security-rule-to_internet] destination-zone untrust              
    [vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
    [vsysa-policy-security-rule-to_internet] action permit                         
    [vsysa-policy-security-rule-to_internet] quit

    # Configure a second security policy. This policy prohibits all other employees from accessing the Internet. It is matched after the previous policy (its priority is lower), so any address not permitted by to_internet is caught here and no address range needs to be specified.

    [vsysa-policy-security] rule name to_internet2                                  
    [vsysa-policy-security-rule-to_internet2] source-zone trust                     
    [vsysa-policy-security-rule-to_internet2] destination-zone untrust              
    [vsysa-policy-security-rule-to_internet2] action deny                         
    [vsysa-policy-security-rule-to_internet2] quit                                  
    [vsysa-policy-security] quit

  5. The financial department administrator admin@@vsysb and administrative department administrator admin@@vsysc log in to the FW and configure IP addresses, security zones, and security policies for vsysb and vsysc, respectively.

    The configuration is similar to that of the R&D department except for the security policies:

    • For vsysb (financial department), you only need to configure a security policy that prevents the IP address segment 10.3.1.2-10.3.1.254 from accessing the Internet.
    • For vsysc (administrative department), you only need to configure a security policy that allows the IP address segment 10.3.2.2-10.3.2.254 to access the Internet.

Verification

  • In the R&D department, access the Internet from a PC that is allowed to access the Internet and from a PC that is not. If the results are as expected (the first succeeds and the second fails), the security policies of vsysa are correctly configured.
  • Access the Internet from the financial department. If the access fails, the security policies of vsysb are correctly configured.
  • Access the Internet from the administrative department. If the access succeeds, the security policies of vsysc are correctly configured.

Configuration Scripts

Configuration script of the public system

#
 sysname FW
#                                                                               
vlan batch 10 20 30
#                                                                               
 vsys enable 
#                                                                               
resource-class r1                                                               
 resource-item-limit session reserved-number 10000 maximum 50000                
 resource-item-limit policy reserved-number 300                                 
 resource-item-limit user reserved-number 300                                   
 resource-item-limit user-group reserved-number 10 
#                                                                               
vsys name vsysa 1                                                               
 assign vlan 10                                                                 
 assign resource-class r1                                                       
#                                                                               
vsys name vsysb 2                                                               
 assign vlan 20                                                                 
 assign resource-class r1                                                       
#                                                                               
vsys name vsysc 3                                                               
 assign vlan 30                                                                 
 assign resource-class r1 
#                                                                               
interface GigabitEthernet0/0/1                                                
 portswitch                                                                     
 undo shutdown                                                                  
 port link-type trunk  
 undo port trunk allow-pass vlan 1                                                           
 port trunk allow-pass vlan 10 20 30                                            
#                                                                               
interface GigabitEthernet0/0/2                                                 
 portswitch                                                                     
 undo shutdown                                                                  
 port link-type trunk    
 undo port trunk allow-pass vlan 1                                                         
 port trunk allow-pass vlan 10 20 30                                            
#                                                                                 
return 

Configuration script of vsysa

#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/2  
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1      
#                                                                               
aaa
 manager-user admin@@vsysa
  password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@
  service-type web telnet ssh
  level 15
 bind manager-user admin@@vsysa role system-admin
#                                                                               
ip address-set ipaddress1 type object                                           
 address 0 range 10.3.0.2 10.3.0.10   
#                                                                               
security-policy                                                                 
 rule name to_internet                                                          
  source-zone trust                                                             
  destination-zone untrust                                                      
  source-address address-set ipaddress1                                         
  action permit                                                                 
 rule name to_internet2                                                         
  source-zone trust                                                             
  destination-zone untrust                                                      
  action deny 
#                                                                               
return 

Configuration script of vsysb

#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/2  
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1      
#                                                                               
aaa
 manager-user admin@@vsysb
  password cipher %@%@zG{;O|!gEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
  service-type web telnet ssh
  level 15
 bind manager-user admin@@vsysb role system-admin
#
ip address-set ipaddress1 type object                                           
 address 0 range 10.3.1.2 10.3.1.254
#                                                                               
security-policy                                                                 
 rule name to_internet                                                          
  source-zone trust                                                             
  destination-zone untrust 
  source-address address-set ipaddress1                                                      
  action deny   
#                                                                               
return 

Configuration script of vsysc

#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/2  
#                                                                               
firewall zone untrust                                                           
 set priority 5                                                                 
 add interface GigabitEthernet0/0/1      
#                                                                               
aaa                                                                             
 manager-user admin@@vsysc                                                       
  password cipher %@%@zG{;x|!gEN5"Db/6dvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]      
  service-type web telnet ssh                                                   
  level 15                                                                      
 bind manager-user admin@@vsysc role system-admin 
#
ip address-set ipaddress1 type object                                           
 address 0 range 10.3.2.2 10.3.2.254
#                                                                               
security-policy                                                                 
 rule name to_internet                                                          
  source-zone trust                                                             
  destination-zone untrust                                                        
  source-address address-set ipaddress1                                                  
  action permit 
#                                                                               
return 
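As an added example that is not part of this Huawei page, the following Python script parses the address-set and security-policy sections of the vsysa and vsysb scripts above and evaluates a source address against the rules top-down, the way step 4 relies on rule order: the first matching rule wins, and traffic that matches no rule falls to the default security policy, which denies. The configuration text is copied from the scripts on this page; the parse_script and evaluate functions, and the assumption that every rule here is trust-to-untrust, are this example's own.

```python
import ipaddress

# Constructed sample, not the page's own code: the address-set and security-policy
# sections of the vsysa and vsysb scripts. Zone and aaa lines are omitted (all rules
# here are trust -> untrust), so only addresses and actions are parsed.
SCRIPTS = {
    "vsysa": """\
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
security-policy
 rule name to_internet
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  action deny
""",
    "vsysb": """\
ip address-set ipaddress1 type object
 address 0 range 10.3.1.2 10.3.1.254
security-policy
 rule name to_internet
  source-address address-set ipaddress1
  action deny
""",
}

def parse_script(text):
    # Returns ({set_name: [(lo, hi), ...]}, [rule, ...]) with rules in file order.
    sets, rules, cur = {}, [], None
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address-set"]:
            cur = sets.setdefault(w[2], [])
        elif w[:1] == ["address"] and "range" in w:
            i = w.index("range")
            cur.append((ipaddress.ip_address(w[i + 1]), ipaddress.ip_address(w[i + 2])))
        elif w[:2] == ["rule", "name"]:
            rules.append({"name": w[2], "src_sets": [], "action": None})
        elif w[:2] == ["source-address", "address-set"]:
            rules[-1]["src_sets"].append(w[2])
        elif w[:1] == ["action"]:
            rules[-1]["action"] = w[1]
    return sets, rules

def evaluate(vsys, src_ip):
    # Rules are matched top-down; the first match wins. Traffic matching no rule
    # falls through to the firewall's default security policy, which is deny.
    sets, rules = parse_script(SCRIPTS[vsys])
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        # A rule without source-address matches any source (to_internet2 in vsysa).
        if not r["src_sets"] or any(lo <= ip <= hi for s in r["src_sets"] for lo, hi in sets[s]):
            return r["action"], r["name"]
    return "deny", "default"
```

Running evaluate for a vsysb host outside ipaddress1 shows it is denied by the default policy rather than by the explicit rule, which is why the deny rule in vsysb adds no reach beyond the default.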
Copyright © Huawei Technologies Co., Ltd.