Matrix seperation betweeen offices by using USG9560- Huawei

Contents

Issue Description Solution

Issue Description

From the figure below, Office Area A is the most ranking office in the entire building with office Area C being the lowest. The office Area A has high level information stored for each department and it is the only area which is allowed to have access to all the other departments. Therefore, they requested for a matrix application that can enhance this change such that the parties in offices B and C are not allowed to visit the parties in Area A but the parties in Area A can visit all the other departments.

Figure 1:

Figure 2

Solution

The below matrix recommendation was therefore provided:

Office Area A: All ports open> To have this range of IPs in the trust zone. On the individual PCs, it is also recommended to have their addresses bound to the users to promote internal department security. The binding is also highlighted in the group for a few PCs.

Office Area B: Close ports to Office Area A

Office Area C: Close ports to office Area A but can access office area B.

The scripts of change are as below; the changes mainly apply to the firewall.

CE5850 SCRIPT

sysname NBO-CE5850-1
#
drop-profile default

#
vlan batch 10 20
#
interface Vlanif10
description MGMT
ip address 10.10.9.1 24
#
interface Vlanif20
ip address 10.10.10.254 24
#
interface MEth0/0/0
#
interface Eth-Trunk1
undo portswitch
description TO_ATN
ip address 10.10.8.1 255.255.255.252
#
interface Eth-Trunk2
description TO_S5710
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk3
description To_CE5810
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk4
undo portswitch
description TO_ATN2
ip address 10.10.8.5 255.255.255.252
ospf cost 100

S5710 SCRIPT

sysname S5710_1
#
vlan batch 10 20
#
stp bpdu-protection
#
domain agile
#
undo telnet server enable
#
dot1x enable
dot1x authentication-method eap
dot1x free-ip 1.1.1.1 255.255.255.255

interface Vlanif10
ip address 10.10.9.2 255.255.255.224
#
interface Vlanif10
description MGMT
ip address 10.10.9.2 24
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094

#
interface GigabitEthernet0/0/1
description TO_PC_Office_A
voice-vlan 201 enable
port hybrid pvid vlan 151
port hybrid tagged vlan 201
port hybrid untagged vlan 151
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x authentication-method eap
#
interface GigabitEthernet0/0/2
description TO_PC_Office_B
voice-vlan 201 enable
port hybrid pvid vlan 151
port hybrid tagged vlan 201
port hybrid untagged vlan 151
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x authentication-method eap
#
interface GigabitEthernet0/0/23
description TO_PC_Office_C
voice-vlan 201 enable
port hybrid pvid vlan 151
port hybrid tagged vlan 201
port hybrid untagged vlan 151
stp edged-port enable
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x authentication-method eap

USG9560 SCRIPT OF CHANGE FOR MATRIX APPLICATION

#

sysname USG9560_1
#

#
slave switchover enable
#
router id 10.10.4.3

#
undo telnet server enable
telnet ipv6 server enable
#
fan speed auto
#
snmp-agent trap type base-trap
#
firewall session link-state sctp check

#

#
link-group 1 binding spu-limit
#
hrp enable
hrp interface Eth-Trunk1 remote 10.10.4.2
hrp mirror session enable
hrp preempt delay 120
hrp track interface Eth-Trunk2
hrp track interface Eth-Trunk3
#
web-manager security enable
#
ips enable
ips asymmetrical-mode enable

#
undo fragment-reassemble enable
stream-reassemble session-cache 0
#
engine log ips enable

#
ip address-set ip_trust type object
address 0 10.10.8.0 0.0.31.255
address 1 10.10.9.0 0.0.31.255
address 2 10.10.11.0 0.0.31.255
address 3 10.10.4.0 0.0.31.255
address 4 10.10.6.0 0.0.31.255

#
ip address-set ip_untrust type object
address 0 10.10.10.0 0.0.0.255

#
ip address-set matrix type object
address 0 10.10.5.10 0
address 1 10.10.5.11 0
address 2 110.10.5.12 0
address 3 10.10.5.13 0

#
ip address-set ip_deny type object
address 1 range 10.10.10.1 10.10.10.8
address 2 range 10.10.10.9 10.10.10.16

#
ip pool pool_1_mac_bind server
gateway 10.10.10.254 255.255.255.0
section 0 10.10.10.1 10.10.10.24
static-bind ip-address 10.10.10.1 mac-address 68f7-2807-59dd
static-bind ip-address 10.10.10.2 mac-address a048-1ca7-0aef
static-bind ip-address 10.10.10.3 mac-address 28d2-449f-0145
static-bind ip-address 10.10.10.4 mac-address 308d-9915-b456

#
interface Eth-Trunk1
description TO USG9560_2
ip address 10.10.4.1 255.255.255.0
#
interface Eth-Trunk2
description TO_CE12808_1
ip address 10.10.6.1 255.255.255.0
ospf network-type p2p
ospf timer hello 2
#
interface Eth-Trunk3
description TO_CE12808_1
ip address 10.10.6.2 255.255.255.0
traffic-policy FROM_SERVER_TO_SERVER inbound
ospf network-type p2p
ospf timer hello 2
#
interface Virtual-Template0
ppp authentication-mode auto
#
interface GigabitEthernet0/0/0
speed auto
duplex auto
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 2
link-group 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 2
link-group 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 3
link-group 1
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 3
link-group 1
#
interface GigabitEthernet1/2/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/2/1
undo shutdown
eth-trunk 1

#

sysname USG9560_1
#

#
slave switchover enable
#
router id 10.10.4.3

#
undo telnet server enable
telnet ipv6 server enable
#
fan speed auto
#
snmp-agent trap type base-trap
#
firewall session link-state sctp check

#

#
link-group 1 binding spu-limit
#
hrp enable
hrp interface Eth-Trunk1 remote 10.10.4.2
hrp mirror session enable
hrp preempt delay 120
hrp track interface Eth-Trunk2
hrp track interface Eth-Trunk3
#
web-manager security enable
#
ips enable
ips asymmetrical-mode enable

#
undo fragment-reassemble enable
stream-reassemble session-cache 0
#
engine log ips enable

#
ip address-set ip_trust type object
address 0 10.10.8.0 0.0.31.255
address 1 10.10.9.0 0.0.31.255
address 2 10.10.11.0 0.0.31.255
address 3 10.10.4.0 0.0.31.255
address 4 10.10.6.0 0.0.31.255

#
ip address-set ip_untrust type object
address 0 10.10.10.0 0.0.0.255

#
ip address-set matrix type object
address 0 10.10.5.10 0
address 1 10.10.5.11 0
address 2 110.10.5.12 0
address 3 10.10.5.13 0

#
ip address-set ip_deny type object
address 1 range 10.10.10.1 10.10.10.8
address 2 range 10.10.10.9 10.10.10.16

#

ip service-set matrix type object

(ports to allow):

service 0 protocol tcp destination-port x-xxxx

#
ip pool pool_1_mac_bind server
gateway 10.10.10.254 255.255.255.0
section 0 10.10.10.1 10.10.10.24
static-bind ip-address 10.10.10.1 mac-address 68f7-2807-59dd
static-bind ip-address 10.10.10.2 mac-address a048-1ca7-0aef
static-bind ip-address 10.10.10.3 mac-address 28d2-449f-0145
static-bind ip-address 10.10.10.4 mac-address 308d-9915-b456

#
interface Eth-Trunk1
description TO USG9560_2
ip address 10.10.4.1 255.255.255.0
#
interface Eth-Trunk2
description TO GDC_CE12808_1
ip address 10.10.6.1 255.255.255.0
ospf network-type p2p
ospf timer hello 2
#
interface Eth-Trunk3
description TO_CE12808_1
ip address 10.10.6.2 255.255.255.0
traffic-policy FROM_SERVER_TO_SERVER inbound
ospf network-type p2p
ospf timer hello 2
#
interface Virtual-Template0
ppp authentication-mode auto
#
interface GigabitEthernet0/0/0
speed auto
duplex auto
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 2
link-group 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 2
link-group 1
#
interface GigabitEthernet1/0/2
undo shutdown
eth-trunk 3
link-group 1
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 3
link-group 1
#
interface GigabitEthernet1/2/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/2/1
undo shutdown
eth-trunk 1

#
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set tcp
policy service service-set udp
policy service service-set icmp
policy source range 10.10.10.1 10.10.10.24
policy destination 10.10.5.110
policy destination 10.10.5.12 0

policy 4
action permit
policy service service-set matrix
policy service service-set tcp
policy service service-set udp
policy service service-set icmp
policy source range 10.10.10 10.10.10.8
policy destination address-set noc

policy 5
action deny
policy source range 10.10.10.16 10.10.10.24

policy 0
action permit
policy service service-set matrix
policy source range 10.10.10.1 10.10.10.24

policy 2
action deny
policy source address-set ip_deny
policy source range 10.10.10.1 10.10.10.16

policy 3
action permit
profile ips profile_ips_server
policy service service-set ospf
policy service service-set ssh
policy service service-set telnet
policy source address-set ip_untrust

#
policy interzone trust untrust outbound
policy 1
action permit
profile ips profile_ips_server
policy service service-set ospf
policy service service-set telnet
policy service service-set ssh
policy source address-set ip_trust