PC can still access internet without MAC binding in USG2200

Publication Date: 2013-08-29
Issue Description
A customer wanted to implement the requirement that only PCs whose IP address is bound to a MAC address can access the Internet, and PCs without a MAC binding cannot. But after the customer configured MAC binding, he found that PCs without a MAC binding could still access the Internet.
Take this topology as an example.

The customer expected PC1 to be able to access the Internet and PC2 not to.
The version of USG2200 is V300R001C00SPC900.
The MAC-binding configuration is as follows:
firewall mac-binding enable
firewall mac-binding 192.168.1.2  cccc-90ed-fd57
firewall mac-binding 192.168.1.3  cccc-90ed-fc40

And the NAT configuration is as follows:
nat-policy interzone trust untrust outbound
policy 5
  action source-nat
  policy source 192.168.1.0 24
  easy-ip GigabitEthernet0/0/1
Alarm Information
None
Handling Process
For the current version, there are two solutions to this problem.
Solution 1:
(1) The customer implemented the requirement this way: he bound every IP address that has no specific MAC to the dummy MAC 0000-0000-0001. From the process, we can see that the source MAC in the data packet cannot match the MAC in the ARP table, so the packet is denied.

Solution 2:
(2) In the interzone policy, permit only the source IP addresses that are MAC-bound, so other IP addresses cannot access the Internet.
policy interzone trust untrust outbound
policy 5
  action permit
  policy source range 192.168.1.2 192.168.1.3
policy 10
  action deny
Root Cause
This function is not implemented in versions up to and including V300R001C00SPC900.
In the current version, the MAC-binding process is as follows:

From the process, we can see that if an IP address is not MAC-bound, the firewall permits the data packet. That is why PCs whose IP addresses are not MAC-bound can still access the Internet.
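The packet-processing logic described above and the two workarounds from the Handling Process, modelled as an added Python example (not Huawei code): the binding table and the dummy MAC 0000-0000-0001 are the values from this case; the sample packets, the host 192.168.1.10 and the MAC aaaa-bbbb-cccc are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str

def mac_binding_check(pkt, bindings):
    """MAC-binding check as described under Root Cause for versions up to and
    including V300R001C00SPC900: an IP with no entry in the binding table is
    permitted unchecked; a bound IP is permitted only if the source MAC matches."""
    bound_mac = bindings.get(pkt.src_ip)
    if bound_mac is None:
        return "permit"  # no binding: packet passes, which is the reported problem
    return "permit" if bound_mac == pkt.src_mac else "deny"

def interzone_policy(pkt, allowed_ips):
    """Solution 2: trust->untrust outbound policy that permits only the bound
    source addresses (policy 5) and denies everything else (policy 10)."""
    return "permit" if pkt.src_ip in allowed_ips else "deny"

def forward(pkt, bindings, allowed_ips=None):
    """Decision for one outbound packet: MAC-binding check first, then the
    interzone policy when one is configured."""
    if mac_binding_check(pkt, bindings) == "deny":
        return "deny"
    if allowed_ips is not None:
        return interzone_policy(pkt, allowed_ips)
    return "permit"

# Binding table from the case.
BINDINGS = {"192.168.1.2": "cccc-90ed-fd57", "192.168.1.3": "cccc-90ed-fc40"}
# Solution 1: every other host in 192.168.1.0/24 is bound to the dummy MAC
# 0000-0000-0001, which no real NIC presents, so its packets fail the check.
SOLUTION1 = {f"192.168.1.{h}": "0000-0000-0001" for h in range(1, 255)}
SOLUTION1.update(BINDINGS)  # real bindings override the dummy entries
# Solution 2: the interzone policy allows only the bound addresses.
SOLUTION2_ALLOWED = set(BINDINGS)

# Constructed sample packets (the MAC aaaa-bbbb-cccc is made up).
PC1 = Packet("192.168.1.2", "cccc-90ed-fd57")       # bound IP, correct MAC
PC2 = Packet("192.168.1.10", "aaaa-bbbb-cccc")      # IP with no binding
MISMATCH = Packet("192.168.1.2", "aaaa-bbbb-cccc")  # bound IP, wrong MAC

if __name__ == "__main__":
    for name, pkt in [("PC1", PC1), ("PC2", PC2), ("MISMATCH", MISMATCH)]:
        print(name, forward(pkt, BINDINGS), forward(pkt, SOLUTION1),
              forward(pkt, BINDINGS, SOLUTION2_ALLOWED))
```

Running it prints one line per host with the verdict under the original binding table, under Solution 1 and under Solution 2; PC2 is permitted only in the first column.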
Suggestions
A future version will support the feature that only PCs whose IP address is bound to a MAC address can access the Internet, while PCs without a MAC binding cannot. For versions up to and including V300R001C00SPC900, you can use the two solutions above to implement it.
