A customer wanted to implement the requirement that only PCs whose IP address is MAC-bound can access the Internet, while PCs without a MAC-bound IP cannot. But after configuring MAC binding, the customer found that PCs with no MAC-bound IP could still access the Internet.
Take this topology as an example.
The customer expected PC1 to be able to access the Internet while PC2 could not.
The version of USG2200 is V300R001C00SPC900.
The MAC-binding configuration is as follows:
firewall mac-binding enable
firewall mac-binding 192.168.1.2 cccc-90ed-fd57
firewall mac-binding 192.168.1.3 cccc-90ed-fc40
And the NAT configuration is as follows:
nat-policy interzone trust untrust outbound
policy source 192.168.1.0 24
For the current version, there are two solutions to this problem.
(1) The customer implemented the requirement in this way: every IP address that has no real MAC to bind is bound to the dummy MAC 0000-0000-0001. From the process, we can see that the source MAC of a data packet from such an IP cannot match the MAC in the ARP table, so the packet is denied.
(2) In the interzone policy, permit only the source IP addresses that are MAC-bound, so that other IP addresses cannot access the Internet:
policy interzone trust untrust outbound
policy source range 192.168.1.2 192.168.1.3
This function is not implemented in versions up to and including V300R001C00SPC900.
In the current version, the MAC-binding process is as follows:
In the process, we can see that if an IP address is not MAC-bound, the firewall permits the data packet. That is why PCs with no MAC-bound IP can still access the Internet.
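To make the process and the two workarounds concrete, here is an added Python simulation (not Huawei code and not part of the original page) that parses the configuration lines shown above and evaluates a packet's source IP and MAC the way the page describes. Padding the whole 192.168.1.0/24 subnet with the dummy MAC is my reading of solution (1), and the NAT policy is ignored because it is not a filtering decision.

```python
import ipaddress
# Constructed sample config, taken from the MAC-binding lines shown on this page.
BASE_CONFIG = [
    "firewall mac-binding enable",
    "firewall mac-binding 192.168.1.2 cccc-90ed-fd57",
    "firewall mac-binding 192.168.1.3 cccc-90ed-fc40",
]

def parse_config(lines):
    """Parse only the keywords this page uses; any other line is ignored."""
    cfg = {"enabled": False, "bindings": {}, "policy_range": None}
    for line in lines:
        p = line.split()
        if p[:3] == ["firewall", "mac-binding", "enable"]:
            cfg["enabled"] = True
        elif p[:2] == ["firewall", "mac-binding"] and len(p) == 4:
            cfg["bindings"][p[2]] = p[3].lower()  # ip -> bound MAC
        elif p[:3] == ["policy", "source", "range"] and len(p) == 5:
            cfg["policy_range"] = (ipaddress.ip_address(p[3]), ipaddress.ip_address(p[4]))
    return cfg

def mac_binding_check(cfg, src_ip, src_mac):
    """The page's process: unbound IP -> permit; bound IP -> source MAC must match."""
    if not cfg["enabled"]:
        return "permit"
    bound = cfg["bindings"].get(src_ip)
    if bound is None:
        return "permit"  # the gap the customer ran into
    return "permit" if bound == src_mac.lower() else "deny"

def policy_check(cfg, src_ip):
    """Solution (2): 'policy source range' permits only source IPs inside the range."""
    if cfg["policy_range"] is None:
        return "permit"
    lo, hi = cfg["policy_range"]
    return "permit" if lo <= ipaddress.ip_address(src_ip) <= hi else "deny"

def decide(cfg, src_ip, src_mac):
    """A packet reaches the Internet only if neither check denies it."""
    if mac_binding_check(cfg, src_ip, src_mac) == "deny":
        return "deny"
    return policy_check(cfg, src_ip)

def pad_dummy_bindings(cfg, network="192.168.1.0/24", dummy_mac="0000-0000-0001"):
    """Solution (1), as read from the page: bind every subnet host without a real
    binding to the dummy MAC, so its real source MAC can never match."""
    for host in ipaddress.ip_network(network).hosts():
        cfg["bindings"].setdefault(str(host), dummy_mac)
    return cfg
```

Running `decide()` on an unbound IP with the base config shows the permit that surprised the customer; the same packet is denied once either workaround is applied.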
A future version will support this feature natively, so that only PCs with a MAC-bound IP can access the Internet and PCs without one cannot. For versions up to and including V300R001C00SPC900, you can use the two solutions above to implement it.