Whether isolation can be implemented when the firewall works in Layer 2 mode


Isolation can be implemented only when the firewall works in Layer 3 mode but not in Layer 2 mode.

Firewall working mode of an AR router
To improve the networking flexibility of the firewall, a working mode is defined per interface rather than for the entire router. The working mode of the interfaces is defined as routing mode. If a router is located between an internal network and an external network, the firewall configures IP addresses of different segments on the interfaces connecting to the internal network and the external network respectively, and re-plans the original topology.

Example: PC (internal network: trust) - AR (with embedded firewall) - PC (external network: untrust)

Two security zones are planned: a trust zone and an untrust zone. The interface of the trust zone is connected to the internal network, and the interface of the untrust zone is connected to the external network. Note that the interfaces of the trust zone and the untrust zone are located on two different subnets. When packets are forwarded between interfaces of Layer 3 zones, the router queries the routing table based on the IP addresses of the packets. Unlike other routers, the AR router further processes the IP packets: it queries the session table or the ACL to determine whether to permit the packets, and the firewall also performs other attack defense checks.

Whether the firewall supports Layer 2 or Layer 3 forwarding
The USG2000&5000&6000 support implementing the Layer 2 forwarding function in transparent mode. When the firewall implements route-based forwarding, the Layer 3 forwarding function is used.

Whether the firewall supports Layer 2 and Layer 3 hybrid mode
Does the firewall support Layer 2 and Layer 3 hybrid mode? Yes. Run the portswitch command to switch an interface to Layer 2, which is the transparent mode. The other interfaces remain Layer 3 interfaces: configure IP addresses on them and they keep working in routing mode, so the firewall operates in Layer 2 and Layer 3 hybrid mode.

Configuring the intranet interface to work in Layer 2 mode on the firewall
Perform the following steps to switch a Layer 3 interface to a Layer 2 interface:

[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] portswitch //Configure the interface to work in Layer 2 mode.

To switch Layer 3 Ethernet interfaces to Layer 2 mode in batches, run the portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view. By default, a Layer 2 Ethernet interface belongs to VLAN 1 and works as an access port.
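The hybrid mode described in the two entries above, worked through as an added configuration example that is not from the original page: two interfaces are switched to Layer 2 in one batch and placed in the same VLAN, so the firewall bridges them transparently between the trust and untrust zones, while a third interface keeps an IP address and stays in routing mode. The interface numbers, VLAN 10, the addresses and the zone assignments are assumed; the firewall zone and add interface commands are assumed to be available on the USG version in use.

```text
// Assumed topology (constructed for this example):
//   GE0/0/1 and GE0/0/2: Layer 2 (transparent) interfaces bridged in VLAN 10
//   GE0/0/3: Layer 3 (routing mode) interface with its own IP subnet
<USG> system-view
[USG] vlan 10                                          //VLAN used to bridge the two transparent interfaces
[USG-vlan10] quit
[USG] portswitch batch GigabitEthernet 0/0/1 to 0/0/2  //Switch both interfaces to Layer 2 in one step
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] port link-type access       //Default after portswitch: access port in VLAN 1
[USG-GigabitEthernet0/0/1] port default vlan 10        //Move it out of VLAN 1 into VLAN 10
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] port link-type access
[USG-GigabitEthernet0/0/2] port default vlan 10
[USG-GigabitEthernet0/0/2] quit
[USG] interface GigabitEthernet 0/0/3                  //Not switched: stays a Layer 3 interface
[USG-GigabitEthernet0/0/3] ip address 192.0.2.1 255.255.255.0   //Assumed address; routing mode
[USG-GigabitEthernet0/0/3] quit
// Zone membership (assumed command syntax). The two Layer 2 interfaces sit in the same VLAN but
// in different zones, so traffic bridged between them is still subject to interzone inspection;
// the Layer 3 interface is placed in a third zone and is forwarded by routing table lookup.
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 0/0/1
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface GigabitEthernet 0/0/2
[USG-zone-untrust] quit
[USG] firewall zone dmz
[USG-zone-dmz] add interface GigabitEthernet 0/0/3
[USG-zone-dmz] quit
```

After this, a display current-configuration on the interfaces should show portswitch on GE0/0/1 and GE0/0/2 only, which is the quickest check that the intended interfaces, and no others, were switched to Layer 2.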

Whether USG2000&5000 series virtual firewalls support transparent mode
The virtual firewall supports transparent mode. You can bind virtual firewalls in transparent mode to VLANs one by one to isolate addresses on the same network segment.

