多虚拟防火墙的流量分类.pdf

资源ID：56685084 资源大小：527.52KB 全文页数：4页
资源格式： PDF 下载积分：4.3金币

快捷下载

会员登录下载

微信登录下载

三方登录下载：

微信扫一扫登录

下载资源需要4.3金币

邮箱/手机：
温馨提示：	快捷下载时，用户名和密码都是您填写的邮箱或者手机号，方便查询和重复下载（系统自动生成）。如填写123，账号就是123，密码也是123。
支付方式：
验证码：	换一换

账号：
密码：
验证码：	换一换
当日自动登录忘记密码？

友情提示

1、下载资料失败解决办法

2、PDF文件下载后，可能会被浏览器默认打开，此种情况可以点击浏览器菜单，保存网页到桌面，就可以正常下载了。

3、本站不支持迅雷下载，请使用电脑自带的IE浏览器，或者360浏览器、谷歌浏览器下载即可。

4、本站资源下载后的文档和图纸-无水印,预览文档经过压缩，下载后原文更清晰。

5、试题试卷类文档，如果标题没有明确说明有答案则都视为没有答案，请知晓。

网站客服

侵权投诉

多虚拟防火墙的流量分类.pdf

当 CISCO的 ASA防火墙划分了多个虚拟防火墙的时候，经过 ASA虚拟防火墙的数据包，都必须经过分类，并发送到相应的虚拟防火墙，进而转发到相应的目的地。ASA通过三种方式来区分各个虚拟防火墙的流量：唯一的物理接口。唯一的 MAC 地址。通过 NAT来决定数据包的走向。本文将对这三种方式的流量分类，做一个简单的介绍。唯一的物理接口：如果一个物理接口被单独的分配给某一个虚拟防火墙，那么 ASA将所有需要转发到这个虚拟防火墙的流量转发到该物理接口。在防火墙的传输模式下，必须为虚拟防火墙分配一个单独的物理接口。所以在没有共享接口的情况下，这种方法作为防火墙分类流量的方法。这种方法比较简单，在这里就不做过多的介绍。唯一的 MAC 地址：由于 ASA的接口有限，所以在多虚拟防火墙的模式下，我们会经常遇到一个接口同时分配给多个虚拟防火墙。这个时候使用物理接口来对流量进行分类的办法将在这种情况下不再适用，因为防火墙无法确定流量究竟应该转发到哪个虚拟防火墙。我们需要使用其他的方法来对流量的走向进行区分，通常我们会使用自动或者手动为这个分配给多个虚拟防火墙的共享接口指定不同的MAC 地址，防火墙将使用 MAC 地址来区分流量的走向。如图1 所示：图 1 使用唯一的 MAC 地址区分流量我们从图中可以看到，当流量进入属于多个虚拟防火墙的共享接口时，防火墙在检查目的 IP 地址的同时也检查MAC 地址，来决定数据包应该转发到哪一个虚拟防火墙下。默认情况下，共享接口没有被指定唯一的MAC 地址，每一个共享这个借口的虚拟防火墙都会使用该接口的物理MAC 地址作为这个接口的MAC地址，这时，防火墙对该数据包的路由将会出现问题。我们可以为该接口指定MAC 地址来解决这个问题。手动指定 MAC 地址：在每个虚拟防火墙的该共享接口下配置：mac-address HHH.HHH.HH 例如：hostname(config)#Interface F0/0 hostname(config-if)#mac-address 0001.0001.0001 文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2自动指定 MAC 地址：在防火墙的 SYSTEM 平台的全局配置模式下配置：mac-address auto 例如：hostname(config)#mac-address auto 通过 NAT来决定数据包的走向：如果没有为接口指定唯一的MAC 地址，防火墙当收到一个通过共享接口的流量时，防火墙只会检查目的IP 地址。通过要使用目的 IP 地址来决定数据包的走向，那么防火墙必须知道目的地址是被定位在哪个虚拟防火墙上。NAT技术可以提供这样的功能。NAT的转换条目可以使防火墙将数据包转发到正确的虚拟防火墙上。如图 2 所示：图 2 使用 NAT区分流量如图所示，当流量进入属于多个虚拟防火墙的共享接口时，防火墙检查目的 IP 地址的时候，发现匹配了NAT转换条目，这时可以通过NAT转换条目将数据包转发到正确的目的地址。文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2例如：配置静态 NAT转换：?Context A:static(inside,shared)10.10.10.0 10.10.10.0 netmask 255.255.255.0?Context B:static(inside,shared)10.20.10.0 10.20.10.0 netmask 255.255.255.0?Context C:static(inside,shared)10.30.10.0 10.30.10.0 netmask 255.255.255.0 当我们使用多防火墙模式，并且共享了接口到多个虚拟防火墙的时候，我们需要注意将流量转发到正确的虚拟防火墙上去，如果没有指定 MAC 地址（不管是手动还是自动）并且也没有配置 NAT的话，防火墙将不能找到正确的目的地址而将数据包丢弃。文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2文档编码:CC9L3H1R2C10 HQ6M6R6V4Z5 ZE4Z5H3S4G2

注意事项

本文（多虚拟防火墙的流量分类.pdf）为本站会员（H****o）主动上传，淘文阁 - 分享文档赚钱的网站仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若此文所含内容侵犯了您的版权或隐私，请立即通知淘文阁 - 分享文档赚钱的网站（点击联系客服），我们立即给予删除！

温馨提示：如果因为网速或其他原因下载失败请重新下载，重复下载不扣分。