BackgroundRecently, a certain enterprise has recently undergone a network transformation and needs to isolate the department's access rights to the private network and the public network, that is, "the R&D department uses a certain C firewall to access the R&D private network, and the office area can access the Internet, but it must be ensured that both can access each other." The topology is simplified as follows:
After deployment in the above manner, IT staff found that only the R&D department VLAN10 could access the office area VLAN20 but not vice versa. After investigation, they found that the reason was that the access paths were not equal and the firewall dropped the packet! Problem AnalysisThose who have played with firewalls (hereinafter referred to as FWs) have more or less heard that FWs can lose packets due to unequal paths. What is the principle behind this? Let's take a look based on this topology. First, check that VLAN10->VLAN20 is successful. The path is as follows: It can be seen that the path from VLAN10 to VLAN20 is (PC2-FW-core SW-PC1), that is, ①②③④. After the ICMP Request sent by PC2 passes through the FW, a Session is generated and the packet is forwarded. The reply path of VLAN20 is (PC2-Core SW-PC1), which is ⑤⑥. This ICMP Reply goes directly to the R&D department without passing through the firewall, and the round trip is successful. Then see VLAN20->VLAN10 fails, the path is as follows: The path for VLAN20 to access VLAN10 is ①②. The ICMP Request can be received by the R&D equipment without any problem. However, the reply path for VLAN20 is ③④. At this time, when the FW receives the ICMP Reply, it will check whether the Session status exists. The answer is no! Because no Request has been received. After the session check, the FW discards the ICMP Reply. This is the principle of discarding packets with unequal paths in the FW networking scenario. The same is true for the TCP three-way handshake. I will not go into details here. So how to solve this problem? SolutionThe above analysis shows that the firewall drops packets based on the session state detection mechanism, which is the default "strict mode". The H3C firewall can achieve a similar loose effect by configuring the session state machine to "loose mode". The relevant commands are as follows: Note: Enabling "loose mode" may bring certain security risks. It is recommended to configure it carefully according to the specific network environment and security requirements, and combine it with other security measures to ensure network security. |
<<: A brief discussion on "lossless network": ECN and PFC technology
I am a Linux operation and maintenance engineer a...
"Point and hit" is often used to descri...
[51CTO.com original article] On June 21, the WOT2...
Hengchuang Technology is an IDC brand under Hong ...
At HUAWEI CONNECT 2019, Huawei officially launche...
The TCP/IP model is the foundation of the Interne...
Enterprises that need to upgrade their traditiona...
I searched and found that the blog shared informa...
It has been exactly half a year since I last shar...
ITLDC's Black Friday promotion this year last...
According to the overall arrangement for the form...
Wi-Fi is an indispensable part of modern people...
RepriseHosting is a foreign hosting company estab...
[[413351]] Differences between UDP and TCP In the...