Login to the USG6000 series in Layer-2 transparent access mode through a service interface

The service interface is a Layer-2 interface, so it must first be added to a VLAN; you then log in to the device through the corresponding VLANIF interface. For example, if the two service interfaces are GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, the configuration is as follows:
# Create a VLAN and add the interfaces to it (by default, an interface belongs to VLAN 1).
<NGFW> system-view
[NGFW] vlan 2
[NGFW-vlan-2] quit
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] portswitch
[NGFW-GigabitEthernet1/0/1] port access vlan 2
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port access vlan 2
[NGFW-GigabitEthernet1/0/2] quit
# Configure a VLANIF interface.
[NGFW] interface vlanif 2
[NGFW-Vlanif2] ip address 10.1.3.1 24
[NGFW-Vlanif2] service-manage enable
[NGFW-Vlanif2] service-manage stelnet permit
[NGFW-Vlanif2] service-manage https permit
[NGFW-Vlanif2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface vlanif 2
[NGFW-zone-trust] quit
After the configuration is complete, you can log in to the device at 10.1.3.1 over STelnet or HTTPS, the two management services permitted on VLANIF 2 above.
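The security-relevant part of the procedure above is the service-manage block: it decides which management services an interface accepts, and STelnet and HTTPS are the encrypted choices (Telnet and HTTP carry credentials in cleartext). The following Python script is an added example, not Huawei code and not part of the original page: it parses a saved-config style text, records the service-manage state and zone membership of each interface, and flags interfaces that permit cleartext services or that permit any management service from the untrust zone. The sample configuration is constructed (the page's VLANIF 2 plus a hypothetical VLANIF 3), the set of service keywords is an assumption, and the `all` keyword is expanded to every keyword in that set.

```python
import re

# Service keywords recognised by the audit (assumed subset of the service-manage
# command); Telnet and HTTP carry credentials in cleartext, so they are flagged.
KNOWN_SERVICES = {"stelnet", "telnet", "https", "http", "ping", "snmp", "netconf"}
CLEARTEXT_SERVICES = {"telnet", "http"}

# Constructed sample configuration (not from a real device): the page's VLANIF 2
# plus a hypothetical VLANIF 3 that permits cleartext services in the untrust zone.
SAMPLE_CONFIG = """\
#
interface Vlanif2
 ip address 10.1.3.1 255.255.255.0
 service-manage enable
 service-manage stelnet permit
 service-manage https permit
#
interface Vlanif3
 ip address 192.0.2.1 255.255.255.0
 service-manage enable
 service-manage all permit
 service-manage ping deny
#
interface GigabitEthernet1/0/3
 undo shutdown
#
firewall zone trust
 add interface Vlanif2
#
firewall zone untrust
 add interface Vlanif3
#
"""

def norm(name):
    """Normalise an interface name so 'vlanif 2' and 'Vlanif2' compare equal."""
    return re.sub(r"\s+", "", name).lower()

def parse_config(text):
    """Walk the config once and return (interfaces, zones).

    interfaces: name -> {"enabled": bool, "services": {service: "permit"|"deny"}}
    zones:      interface name -> zone name
    Later service-manage lines override earlier ones, as they would on the CLI.
    """
    interfaces, zones = {}, {}
    section = None                      # ("interface", name) or ("zone", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":     # '#' separates configuration blocks
            section = None
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            section = ("interface", norm(m.group(1)))
            interfaces[section[1]] = {"enabled": False, "services": {}}
            continue
        m = re.match(r"firewall zone\s+(\S+)$", line)
        if m:
            section = ("zone", m.group(1).lower())
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface":
            entry = interfaces[name]
            if line == "service-manage enable":
                entry["enabled"] = True
            else:
                m = re.match(r"service-manage\s+(\S+)\s+(permit|deny)$", line)
                if m:
                    svc, action = m.groups()
                    # 'all' expands to every known service keyword
                    for s in (KNOWN_SERVICES if svc == "all" else {svc}):
                        entry["services"][s] = action
        elif kind == "zone":
            m = re.match(r"add interface\s+(.+)$", line)
            if m:
                zones[norm(m.group(1))] = name
    return interfaces, zones

def audit(interfaces, zones):
    """Return sorted (interface, check, detail) findings for risky management access."""
    findings = []
    for name, entry in sorted(interfaces.items()):
        permitted = {s for s, a in entry["services"].items() if a == "permit"}
        if not permitted:
            continue
        for svc in sorted(permitted & CLEARTEXT_SERVICES):
            findings.append((name, "cleartext", svc))
        if zones.get(name) == "untrust":
            findings.append((name, "untrust-zone", ",".join(sorted(permitted))))
    return findings

if __name__ == "__main__":
    ifs, zs = parse_config(SAMPLE_CONFIG)
    for finding in audit(ifs, zs):
        print("%-22s %-13s %s" % finding)
```

Run against the sample, the script reports nothing for VLANIF 2 and three findings for VLANIF 3: Telnet and HTTP permitted, and the whole management set exposed on an untrust-zone interface. Feeding it a real `display current-configuration` dump gives the same per-interface picture without reading every interface block by hand.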

Other related questions:
Login through a WAN interface to the USG6000 series
To log in to the USG6000 series through a WAN interface: on the WAN interface editing page, select Enable access management, then select HTTP and HTTPS so that users can access the interface over HTTP and HTTPS to manage the device.

Layer 2 transparent transmission on S series switch
Layer 2 transparent transmission mechanism on S series switches (except the S1700): PEs replace the standard multicast destination MAC address of user-side Layer 2 protocol packets with a specified multicast MAC address, according to the mappings between multicast destination MAC addresses and Layer 2 protocols. Internal nodes on the backbone network forward the packets across the backbone as common Layer 2 packets. The egress device of the backbone network restores the original destination MAC address of the packets according to the same mappings, and then forwards the packets to the user networks. Because the destination MAC address of a user-side packet has been replaced, the packet traverses the backbone network without being terminated there. The new MAC address in the packet is configured by the l2protocol-tunnel group-mac command.

S series switches can transparently transmit the following packets:
1. Spanning Tree Protocol (STP)
2. Link Aggregation Control Protocol (LACP)
3. Ethernet Operation, Administration, and Maintenance 802.3ah (EOAM3ah)
4. Link Layer Discovery Protocol (LLDP)
5. Generic VLAN Registration Protocol (GVRP)
6. Generic Multicast Registration Protocol (GMRP)
7. HUAWEI Group Management Protocol (HGMP)
8. VLAN Trunking Protocol (VTP)
9. Unidirectional Link Detection (UDLD)
10. Port Aggregation Protocol (PAGP)
11. Cisco Discovery Protocol (CDP)
12. Per VLAN Spanning Tree Plus (PVST+)
13. Shared Spanning Tree Protocol (SSTP), only supported by fixed switches
14. Dynamic Trunking Protocol (DTP)
15. Device Link Detection Protocol (DLDP)
16. User-defined protocol packets
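To make the MAC-substitution mechanism concrete, here is an added Python simulation; it is not Huawei code and not part of the original page. It models an ingress PE, one backbone node running STP, and an egress PE, and shows why the rewrite matters: without it the backbone node consumes a BPDU as its own protocol traffic, with it the BPDU reaches the far user network unchanged. The standard protocol MACs for STP, LLDP and GVRP are the real IEEE reserved values; the group MACs are constructed, one per protocol so that the egress PE can restore the original address by table lookup alone, which is an assumption of the example rather than a statement about how the switch implements the mapping.

```python
# Standard multicast destination MACs of three user-side Layer 2 protocols
# (real values from the IEEE 802.1 reserved range).
STD_MAC = {
    "stp":  bytes.fromhex("0180c2000000"),
    "lldp": bytes.fromhex("0180c200000e"),
    "gvrp": bytes.fromhex("0180c2000021"),
}
# Constructed group MACs standing in for the value set with
# l2protocol-tunnel group-mac (locally administered multicast addresses);
# one per protocol so the egress PE can restore by lookup alone.
GROUP_MAC = {
    "stp":  bytes.fromhex("0300000000a1"),
    "lldp": bytes.fromhex("0300000000a2"),
    "gvrp": bytes.fromhex("0300000000a3"),
}
STD_TO_PROTO = {mac: proto for proto, mac in STD_MAC.items()}
GROUP_TO_PROTO = {mac: proto for proto, mac in GROUP_MAC.items()}

def split_frame(frame):
    """Ethernet header layout: dst(6) src(6) type-or-length(2) payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    return frame[:6], frame[6:12], frame[12:14], frame[14:]

def ingress_pe(frame):
    """User-side PE: swap a known protocol multicast MAC for its group MAC;
    frames with any other destination pass through untouched."""
    dst, _src, _type, _payload = split_frame(frame)
    proto = STD_TO_PROTO.get(dst)
    return GROUP_MAC[proto] + frame[6:] if proto else frame

def backbone_switch(frame):
    """Internal node running STP: it terminates (consumes) a frame addressed to
    the standard STP MAC, returning None, and forwards everything else as an
    ordinary Layer 2 frame."""
    dst, _src, _type, _payload = split_frame(frame)
    return None if dst == STD_MAC["stp"] else frame

def egress_pe(frame):
    """Backbone egress PE: restore the standard protocol MAC from the group MAC."""
    dst, _src, _type, _payload = split_frame(frame)
    proto = GROUP_TO_PROTO.get(dst)
    return STD_MAC[proto] + frame[6:] if proto else frame

def traverse(frame, tunnelling=True):
    """Push a frame through PE -> backbone node -> PE. None means terminated."""
    f = ingress_pe(frame) if tunnelling else frame
    f = backbone_switch(f)
    if f is None:
        return None
    return egress_pe(f) if tunnelling else f

# Constructed sample frames: an 802.3-framed STP BPDU and an ordinary IPv4 data frame.
SRC = bytes.fromhex("001122334455")
BPDU = STD_MAC["stp"] + SRC + (0x0026).to_bytes(2, "big") + bytes(38)
DATA = bytes.fromhex("00aabbccddee") + SRC + b"\x08\x00" + b"IPv4 payload"

if __name__ == "__main__":
    print("tunnelled BPDU survives :", traverse(BPDU) == BPDU)
    print("untunnelled BPDU        :", traverse(BPDU, tunnelling=False))
    print("data frame untouched    :", traverse(DATA) == DATA)
```

The round trip `egress_pe(ingress_pe(frame)) == frame` is the property the mechanism depends on; if two protocols were mapped to the same group MAC the egress PE would need some other field to tell them apart, which is why the example keeps the mapping one-to-one.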

Firewall working mode of an AR router
To improve networking flexibility, the firewall working mode is defined per interface rather than for the entire router. The working mode of interfaces is defined as routing mode. When a router sits between an internal network and an external network, the firewall configures IP addresses from different subnets on the interfaces connecting to the internal network and to the external network, and re-plans the original topology.

Example: PC (internal network: trust) - AR (with embedded firewall) - (external network: untrust) PC

Two security zones are planned: the trust zone and the untrust zone. The interface of the trust zone connects to the internal network, and the interface of the untrust zone connects to the external network. Note that the interfaces of the trust zone and the untrust zone are on two different subnets.

When packets are forwarded between interfaces of Layer 3 zones, the router queries the routing table based on the IP addresses of the packets. Unlike other routers, the AR router further processes the IP packets: it queries the session table or the ACL to determine whether to let the packets through, and the firewall also performs its other attack defense checks.
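The forwarding path described above (routing lookup, then session table, then inter-zone policy, plus an attack defense stage) is the core of any stateful firewall in routing mode. The Python below is an added example, not Huawei code and not part of the original page: it models the two-zone topology of the example with constructed interface names and subnets, uses a zone-pair policy table in place of the ACL, and substitutes a minimal anti-spoofing check for the attack defense stage. The rule that a reply is accepted because of the session table rather than the policy is the point the passage makes; the specific checks, interface names and addresses are the example's own assumptions.

```python
import ipaddress

# Constructed topology for the page's example: one trust and one untrust interface.
INTERFACES = {
    "GigabitEthernet0/0/0": ("trust",   ipaddress.ip_network("10.1.1.0/24")),
    "GigabitEthernet0/0/1": ("untrust", ipaddress.ip_network("203.0.113.0/24")),
}
# Routing table: the connected subnets plus a default route out of the untrust interface.
ROUTES = [(net, ifname) for ifname, (_zone, net) in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0/1"))

# Inter-zone policy (stands in for the ACL the page mentions): only trust -> untrust is
# opened; replies in the other direction are admitted by the session table instead.
POLICY = {("trust", "untrust"): "permit"}

def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns the outbound interface or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def spoofed(src_ip, in_if):
    """Minimal attack defense stage (illustrative): a source address that belongs to
    another interface's connected subnet cannot legitimately arrive on in_if."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for ifname, (_zone, net) in INTERFACES.items() if ifname != in_if)

class ArFirewall:
    """Routing-mode firewall: route, then session table, then zone policy."""

    def __init__(self):
        self.sessions = set()   # 5-tuples, stored for both directions of a flow

    def forward(self, in_if, proto, src, sport, dst, dport):
        """Return (action, out_if, reason) for one packet arriving on in_if."""
        if spoofed(src, in_if):
            return ("drop", None, "attack defense: spoofed source")
        out_if = route_lookup(dst)
        if out_if is None:
            return ("drop", None, "no route")
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:                 # session table hit: no policy lookup
            return ("forward", out_if, "session")
        src_zone, dst_zone = INTERFACES[in_if][0], INTERFACES[out_if][0]
        if POLICY.get((src_zone, dst_zone)) != "permit":
            return ("drop", None, f"policy {src_zone}->{dst_zone}")
        self.sessions.add(key)
        self.sessions.add((proto, dst, dport, src, sport))   # reverse direction
        return ("forward", out_if, "new session")

def demo():
    """Constructed traffic: an outbound HTTPS request, its reply, an unsolicited
    inbound SSH attempt, and an inbound packet with a spoofed internal source."""
    fw = ArFirewall()
    return [
        fw.forward("GigabitEthernet0/0/0", "tcp", "10.1.1.10", 40000, "203.0.113.5", 443),
        fw.forward("GigabitEthernet0/0/1", "tcp", "203.0.113.5", 443, "10.1.1.10", 40000),
        fw.forward("GigabitEthernet0/0/1", "tcp", "203.0.113.9", 5555, "10.1.1.10", 22),
        fw.forward("GigabitEthernet0/0/1", "tcp", "10.1.1.77", 5555, "10.1.1.10", 22),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks is what gives routing mode its behaviour: the reply from 203.0.113.5 is forwarded even though no untrust-to-trust policy exists, because the session created by the outbound request is consulted before the policy, while an unsolicited inbound connection and a packet with an internal source address arriving on the external interface are both dropped.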

Definition of transparent mode for the firewall
For the firewall, the transparent mode is a common deployment mode. The service interfaces of the device work at Layer 2 (data link layer) to forward Layer 2 packets. In this case, the device can serve as a switch and can perform security protection on the traffic without changing the original network structure and configuration after being connected to the original gateway device in transparent mode. Therefore, this deployment mode is usually called the "transparent mode".
