A customer wanted to implement the requirement that only PCs with MAC-bound IP addresses can access the Internet, while PCs whose IP addresses are not MAC-bound cannot. However, after configuring MAC binding, the customer found that PCs without a MAC-bound IP address could still access the Internet.
Take this topology as an example.
The customer expected that PC1 could access the Internet while PC2 could not.
The version of USG2200 is V300R001C00SPC900.
The MAC-binding configuration is as follows:
firewall mac-binding enable
firewall mac-binding 192.168.1.2 cccc-90ed-fd57
firewall mac-binding 192.168.1.3 cccc-90ed-fc40
And the NAT configuration is as follows:
nat-policy interzone trust untrust outbound
policy source 192.168.1.0 24