Matrix separation between offices by using USG9560

Publication Date: 2019-07-19 | Views: 842 | Downloads: 28 | Author: l00733387 | Document ID: EKB1000426024

Issue Description

From the figure below, Office Area A is the highest-ranking office in the entire building and Office Area C the lowest. Office Area A stores high-level information for each department and is the only area allowed to access all other departments. The customer therefore requested a matrix policy enforcing this: parties in Office Areas B and C must not be able to reach parties in Area A, while parties in Area A can reach all other departments.

Figure 1

Figure 2

Solution

The following matrix recommendation was therefore provided:

Office Area A: all ports open. This IP range is placed in the trust zone. On the individual PCs, it is also recommended to bind their addresses to the users to strengthen internal departmental security. The binding is also shown in the configuration for a few PCs.

Office Area B: close ports to Office Area A.

Office Area C: close ports to Office Area A, but Area C can access Office Area B.


The change scripts are given below; the changes mainly apply to the firewall.

CE5850 SCRIPT

sysname NBO-CE5850-1
#
drop-profile default

#
vlan batch 10 20
#
interface Vlanif10
 description MGMT
 ip address 10.10.9.1 24
#              
interface Vlanif20
 ip address 10.10.10.254 24
#              
interface MEth0/0/0
#
interface Eth-Trunk1
 undo portswitch
 description TO_ATN
 ip address 10.10.8.1 255.255.255.252
#
interface Eth-Trunk2
 description TO_S5710
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk3
 description To_CE5810
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Eth-Trunk4
 undo portswitch
 description TO_ATN2
 ip address 10.10.8.5 255.255.255.252
 ospf cost 100


S5710 SCRIPT

sysname S5710_1
#
vlan batch 10 20
#
stp bpdu-protection
#
domain agile
#
undo telnet server enable
#
dot1x enable
dot1x authentication-method eap
dot1x free-ip 1.1.1.1 255.255.255.255
#
interface Vlanif10
 description MGMT
 ip address 10.10.9.2 24
#
interface MEth0/0/1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

#
interface GigabitEthernet0/0/1
 description TO_PC_Office_A
 voice-vlan 201 enable
 port hybrid pvid vlan 151               
 port hybrid tagged vlan 201
 port hybrid untagged vlan 151
 stp edged-port enable
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
 dot1x authentication-method eap
#
interface GigabitEthernet0/0/2
 description TO_PC_Office_B
 voice-vlan 201 enable
 port hybrid pvid vlan 151               
 port hybrid tagged vlan 201
 port hybrid untagged vlan 151
 stp edged-port enable
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
 dot1x authentication-method eap
#
interface GigabitEthernet0/0/23
 description TO_PC_Office_C
 voice-vlan 201 enable
 port hybrid pvid vlan 151               
 port hybrid tagged vlan 201
 port hybrid untagged vlan 151
 stp edged-port enable
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
 dot1x authentication-method eap


USG9560 SCRIPT OF CHANGE FOR MATRIX APPLICATION



#

 sysname USG9560_1
#

#
 slave switchover enable
#
 router id 10.10.4.3

#
 undo telnet server enable
 telnet ipv6 server enable
#
fan speed auto
#
snmp-agent trap type base-trap
#
 firewall session link-state sctp check

#

#
 link-group 1 binding spu-limit
#
 hrp enable
 hrp interface Eth-Trunk1 remote 10.10.4.2
 hrp mirror session enable
 hrp preempt delay 120
 hrp track interface Eth-Trunk2
 hrp track interface Eth-Trunk3
#
 web-manager security enable
#
 ips enable
 ips asymmetrical-mode enable
    
#
 undo fragment-reassemble enable
 stream-reassemble session-cache 0
#
 engine log ips enable

#
ip address-set ip_trust type object
 address 0 10.10.8.0 0.0.31.255
 address 1 10.10.9.0 0.0.31.255
 address 2 10.10.11.0 0.0.31.255
 address 3 10.10.4.0 0.0.31.255
 address 4 10.10.6.0 0.0.31.255
 
#
ip address-set ip_untrust type object
 address 0 10.10.10.0 0.0.0.255
 
#
ip address-set matrix type object
 address 0 10.10.5.10 0
 address 1 10.10.5.11 0
 address 2 10.10.5.12 0
 address 3 10.10.5.13 0

#                                        
ip address-set ip_deny type object
 address 1 range 10.10.10.1 10.10.10.8
 address 2 range 10.10.10.9 10.10.10.16

#
ip pool pool_1_mac_bind server           
 gateway 10.10.10.254 255.255.255.0
 section 0 10.10.10.1 10.10.10.24
 static-bind ip-address 10.10.10.1 mac-address 68f7-2807-59dd
 static-bind ip-address 10.10.10.2 mac-address a048-1ca7-0aef
 static-bind ip-address 10.10.10.3 mac-address 28d2-449f-0145
 static-bind ip-address 10.10.10.4 mac-address 308d-9915-b456

#
interface Eth-Trunk1
 description TO USG9560_2
 ip address 10.10.4.1 255.255.255.0
#
interface Eth-Trunk2
 description TO_CE12808_1
 ip address 10.10.6.1 255.255.255.0
 ospf network-type p2p                   
 ospf timer hello 2
#
interface Eth-Trunk3
 description TO_CE12808_1
 ip address 10.10.6.2 255.255.255.0
 traffic-policy FROM_SERVER_TO_SERVER inbound
 ospf network-type p2p
 ospf timer hello 2
#
interface Virtual-Template0
 ppp authentication-mode auto
#
interface GigabitEthernet0/0/0
 speed auto
 duplex auto
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 2
 link-group 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 2
 link-group 1
#
interface GigabitEthernet1/0/2           
 undo shutdown
 eth-trunk 3
 link-group 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 3
 link-group 1
#
interface GigabitEthernet1/2/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/2/1
 undo shutdown
 eth-trunk 1

#

ip service-set matrix type object

(ports to allow):

 service 0 protocol tcp destination-port x-xxxx

#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy service service-set icmp
  policy source range 10.10.10.1 10.10.10.24
  policy destination 10.10.5.11 0
  policy destination 10.10.5.12 0

 policy 4
  action permit
  policy service service-set matrix
  policy service service-set tcp
  policy service service-set udp
  policy service service-set icmp
  policy source range 10.10.10.1 10.10.10.8
  policy destination address-set noc

 policy 5
  action deny
  policy source range 10.10.10.16 10.10.10.24

 policy 0
  action permit
  policy service service-set matrix
  policy source range 10.10.10.1 10.10.10.24

 policy 2
  action deny
  policy source address-set ip_deny
  policy source range 10.10.10.1 10.10.10.16

 policy 3
  action permit
  profile ips profile_ips_server
  policy service service-set ospf
  policy service service-set ssh
  policy service service-set telnet
  policy source address-set ip_untrust

#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips profile_ips_server
  policy service service-set ospf
  policy service service-set telnet
  policy service service-set ssh
  policy source address-set ip_trust
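Interzone policies on the USG are matched top-down and the first hit decides, so the order of the policy list above is what actually implements (or breaks) the office matrix. The following is an added Python model, not part of the Huawei article, that evaluates a policy list first-match and checks it against the intended matrix; the office-to-subnet mapping and the rule names are constructed assumptions, since the article does not state which subnet each office area uses. It also shows the shadowing failure mode, where a broad permit listed before a specific deny makes that deny unreachable.

```python
import ipaddress
from dataclasses import dataclass
# Added example, not from the KB article. The office-to-subnet mapping is
# CONSTRUCTED: the article does not say which subnet each office area uses.
AREAS = {
    "A": ipaddress.ip_network("10.10.5.0/24"),    # trust side, may reach all
    "B": ipaddress.ip_network("10.10.10.0/28"),   # hosts .1-.14 (assumed)
    "C": ipaddress.ip_network("10.10.10.16/28"),  # hosts .17-.30 (assumed)
}
# Intended matrix from the article: A reaches B and C, C reaches B, B and C never reach A.
INTENDED = {("A", "B"): "permit", ("A", "C"): "permit", ("C", "B"): "permit",
            ("B", "A"): "deny", ("C", "A"): "deny"}

@dataclass
class Rule:
    name: str
    action: str   # "permit" or "deny"
    src: list     # ip_network objects; an empty list means "any"
    dst: list

def _hit(nets, ip):
    return not nets or any(ip in n for n in nets)
def evaluate(rules, src_ip, dst_ip):
    """Walk the policy list top-down; the first matching policy decides.
    With no hit the flow falls through to the interzone default, deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _hit(r.src, s) and _hit(r.dst, d):
            return r.action, r.name
    return "deny", "default"

def verify(rules, areas=AREAS, intended=INTENDED):
    """Probe the first and last host of each area pair; return the mismatches
    as (src_area, dst_area, src_ip, dst_ip, wanted, got, deciding_rule)."""
    bad = []
    for (a, b), want in intended.items():
        ha, hb = list(areas[a].hosts()), list(areas[b].hosts())
        for s in (ha[0], ha[-1]):
            for d in (hb[0], hb[-1]):
                got, name = evaluate(rules, str(s), str(d))
                if got != want:
                    bad.append((a, b, str(s), str(d), want, got, name))
    return bad

A, B, C = AREAS["A"], AREAS["B"], AREAS["C"]
# Specific deny listed first, so it is reached before the broad permit.
GOOD = [Rule("deny_to_A", "deny", [B, C], [A]),
        Rule("permit_rest", "permit", [A, B, C], [])]
# Same two policies, permit first: the permit shadows the deny and B and C reach A;
# verify(SHADOWED) reports the eight probed flows that break the matrix.
SHADOWED = [GOOD[1], GOOD[0]]
```

Running `verify()` against an exported policy list after every change is a cheap way to catch a deny that has been pushed below a wider permit.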