
Web UI: Example for Configuring Across-Layer-3 MAC Identification

This section provides an example for configuring across-Layer-3 MAC identification on the web UI.

Networking Requirements

The FW functions as the egress gateway on the enterprise network. Intranet users connect to the FW through a Layer-3 switch and access the Internet through the FW. You need to configure security policies, policy-based routes, and traffic policies on the FW so that it can control intranet traffic matching the specified MAC address.

Figure 1 Networking diagram for configuring across-Layer-3 MAC identification

Configuration Roadmap

If the FW is connected to an intranet PC with a Layer-3 switch in between, the FW cannot directly obtain the MAC address of the intranet PC. In such cases, you need to configure across-Layer-3 MAC identification on the FW so that it can use SNMP to read the ARP table of the switch and thus obtain the MAC address of the intranet PC.

  1. Configure basic SNMP functions on the switch.

    1. Enable the SNMP agent function.
    2. Set the SNMP version.
    3. Set a community name for the switch.
  2. Configure across-Layer-3 MAC identification on the FW.

    1. Configure a security policy for the Local -> Trust interzone to allow the firewall to send SNMP packets to the switch.
    2. Configure across-Layer-3 MAC identification.
  • The Layer-3 switch needs to support the public MIB object 1.3.6.1.2.1.4.22.1.2.
  • Across-Layer-3 MAC identification cannot be associated with IP-MAC binding.
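As an added example (not part of the Huawei page), the following shows how a poller turns a walk of the MIB object the roadmap names, 1.3.6.1.2.1.4.22.1.2 (ipNetToMediaPhysAddress in MIB-II), into the IP-to-MAC table the FW relies on. The varbinds and MAC values are constructed sample data, not output from a real switch.

```python
# Column OID the page requires the switch to support: ipNetToMediaPhysAddress.
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"

# Constructed sample of what an SNMP walk over that column returns:
# index = ifIndex followed by the four octets of the IP, value = 6-octet PhysAddress.
# MAC values are made up (locally administered 02:00:... addresses).
SAMPLE_WALK = {
    "1.3.6.1.2.1.4.22.1.2.10.192.168.2.100": bytes.fromhex("020000000001"),
    "1.3.6.1.2.1.4.22.1.2.10.192.168.2.110": bytes.fromhex("020000000002"),
    "1.3.6.1.2.1.4.22.1.2.20.10.1.141.1":    bytes.fromhex("020000000003"),
    "1.3.6.1.2.1.4.22.1.2.20.10.1.141.132":  bytes.fromhex("020000000004"),
    "1.3.6.1.2.1.4.22.1.3.20.10.1.141.132":  b"\x03",  # ipNetToMediaType: another column, skipped
}

def huawei_mac(raw: bytes) -> str:
    """Render a 6-octet PhysAddress as xxxx-xxxx-xxxx, the form Huawei display commands use."""
    if len(raw) != 6:
        raise ValueError(f"PhysAddress must be 6 octets, got {len(raw)}")
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"

def parse_arp_walk(varbinds):
    """Build {ip: (ifIndex, mac)} from ipNetToMediaPhysAddress varbinds.

    Varbinds outside the column, with a malformed index, or with a value that is
    not 6 octets long are skipped rather than trusted.
    """
    prefix = IP_NET_TO_MEDIA_PHYS + "."   # trailing dot so .2 does not match .20, .21, ...
    table = {}
    for oid, value in varbinds.items():
        if not oid.startswith(prefix):
            continue
        parts = oid[len(prefix):].split(".")
        if len(parts) != 5 or not all(p.isdigit() for p in parts):
            continue
        octets = [int(p) for p in parts[1:]]
        if max(octets) > 255 or len(value) != 6:
            continue
        ip = ".".join(str(o) for o in octets)
        table[ip] = (int(parts[0]), huawei_mac(value))
    return table

if __name__ == "__main__":
    for ip, (ifidx, mac) in sorted(parse_arp_walk(SAMPLE_WALK).items()):
        print(f"{ip:<16} {mac}  ifIndex={ifidx}")
```

The FW in this example polls with SNMPv2c, whose community name is carried in cleartext, which is why the procedure's Local -> Trust policy permits that traffic only toward the switch at 192.168.2.110/32.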

Procedure

  1. This example uses a Huawei S5700 to describe how to configure basic SNMP functions. For basic network parameter settings of the switch, refer to the S5700 product documentation.
    1. Enable the SNMP agent function.

      <Switch> system-view
      [Switch] snmp-agent

    2. Set the SNMP version.

      [Switch] snmp-agent sys-info version v2c

    3. Set a community name for the switch.

      [Switch] snmp-agent community read Public@123

      The community name set on the switch must be the same as that specified on the FW.

  2. Configure across-Layer-3 MAC identification on the FW.
    1. Set interface IP addresses on the FW.

      Choose Network > Interface, click Edit of GE0/0/2, and set parameters as follows:

      Security Zone: trust
      IP address: 192.168.2.100/24

    2. Configure a security policy for the local -> trust interzone to allow the firewall to send SNMP packets to the switch.

      Choose Policy > Security Policy > Security Policy, click Add Security Policy, and set parameters as follows:

      Name: policy_sec
      Source zone: local
      Destination zone: trust
      Destination address: 192.168.2.110/32

    3. Configure across-Layer-3 MAC identification.

      Choose System > Configuration > Across-Layer-3 MAC Identification, enable across-Layer-3 MAC identification, and set parameters as follows:

      • If multiple Layer-3 devices are deployed between the FW and intranet PC, you need to specify the intranet PC as the target network device.
      • You can also specify multiple Layer-3 devices on different subnets as SNMP clients for the FW to obtain their ARP entries.

  3. Check learned MAC addresses.

    <sysname> display snmp-server arp-sync table
    2018-01-04 18:58:08.370
    Synchronization status of the IP-MAC address mapping table:  Done
    The start time of synchronizing IP-MAC mapping table: 2018/1/4 18:58:04
    The end time of synchronizing IP-MAC mapping table: 2018/1/4 18:58:04
    -----------------------------------------------------------------
    IP Address          MAC Address     Expire(M)  VPN Instance
    -----------------------------------------------------------------
    10.1.141.1          e468-****-6cbc  20
    10.1.141.132        00e0-****-0010  20
    10.1.141.152        000c-****-f4ca  20
    10.1.141.153        000c-****-e75f  20
    10.1.141.165        0050-****-2329  20
    10.1.141.201        80fb-****-928e  20
    10.1.141.202        80fb-****-928e  20
    192.168.2.100       000c-****-d3f4  20
    192.168.2.110       000c-****-f4de  20
    192.168.4.100       0050-****-ed9f  20
    192.168.4.110       0050-****-49d3  20
    -----------------------------------------------------------------
    Total:11
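As an added example (not part of the Huawei page), a parser for the display output above lets a script confirm that synchronization finished and inspect the learned entries before MAC-based policies are relied on. The sample output is constructed in the same layout as the page's, with made-up MAC addresses.

```python
import re

# Constructed sample in the layout of "display snmp-server arp-sync table"; MACs are made up.
SAMPLE_OUTPUT = """\
<sysname> display snmp-server arp-sync table
2018-01-04 18:58:08.370
Synchronization status of the IP-MAC address mapping table:  Done
The start time of synchronizing IP-MAC mapping table: 2018/1/4 18:58:04
The end time of synchronizing IP-MAC mapping table: 2018/1/4 18:58:04
-----------------------------------------------------------------
IP Address          MAC Address     Expire(M)  VPN Instance
-----------------------------------------------------------------
10.1.141.1          0200-0000-0001  20
10.1.141.201        0200-0000-0002  20
10.1.141.202        0200-0000-0002  20
192.168.2.110       0200-0000-0003  20         vpn1
-----------------------------------------------------------------
Total:4
"""

ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)(?:\s+(\S+))?$")
STATUS_RE = re.compile(r"^Synchronization status .*?:\s*(\w+)")

def parse_arp_sync_table(text):
    """Return (status, entries); each entry is {ip, mac, expire_min, vpn}.
    Raises ValueError if the Total line disagrees with the rows actually parsed."""
    status, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "mac": m.group(2),
                            "expire_min": int(m.group(3)), "vpn": m.group(4) or ""})
    total = re.search(r"^Total:\s*(\d+)", text, re.M)
    if total and int(total.group(1)) != len(entries):
        raise ValueError(f"Total says {total.group(1)} but {len(entries)} rows were parsed")
    return status, entries

def ips_sharing_mac(entries):
    """IPs that resolve to one MAC: a policy keyed on that MAC matches all of them alike."""
    by_mac = {}
    for e in entries:
        by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    status, entries = parse_arp_sync_table(SAMPLE_OUTPUT)
    print(f"sync status: {status}, {len(entries)} entries")
    for mac, ips in ips_sharing_mac(entries).items():
        print(f"{mac} is shared by {', '.join(ips)}")
```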

  4. After the preceding configurations are complete, you can use the MAC address of the intranet PC as the policy matching condition when configuring service-specific security policies, policy-based routes, traffic policies, and audit policies.

    The following uses a security policy as an example, with the intranet MAC address set as the source address.

    1. Choose Policy > Security Policy and click Add Security Policy.
    2. In Source Address/Region, create a security policy, enter the learned intranet MAC address, and click OK.

      Figure 2 Adding an intranet MAC address

    3. Set other security policy parameters by referring to Configuring a Security Policy Using the Web UI.

Configuration Scripts

#
 sysname FW
#
interface GigabitEthernet0/0/2
 ip address 192.168.2.100 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
 snmp-server arp-sync enable
 snmp-server arp-sync interval 5 timeout 3
 snmp-server target-host arp-sync address 192.168.2.110 community %$%$9]8wKc7.fV7EYJ=LCG[WP,#w%$%$ v2c
#
security-policy
 rule name policy_sec
  source-zone local
  destination-zone trust
  destination-address 192.168.2.110 255.255.255.255
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.