USG2130: using the WAN port for router-on-a-stick and inter-VLAN access control

Publication Date: 2012-11-16
Issue Description

Network equipment: one USG2130 and several S2300 switches.
Customer requirements: divide the network into VLANs on the switch and run router-on-a-stick on the USG2130, while allowing VLAN30 to access VLAN10 and VLAN20 but not allowing VLAN10 or VLAN20 to access VLAN30.


Alarm Information
None.
Handling Process
1. Enter each sub-interface, configure its IP address, and enable 802.1Q encapsulation.
[USG2130]int e0/0/0.1
[USG2130-Ethernet0/0/0.1]description VLAN10
[USG2130-Ethernet0/0/0.1]ip address 192.168.1.1 24
[USG2130-Ethernet0/0/0.1]vlan-type dot1q 10
[USG2130]int e0/0/0.2
[USG2130-Ethernet0/0/0.2]description VLAN20
[USG2130-Ethernet0/0/0.2]ip add 192.168.2.1 24
[USG2130-Ethernet0/0/0.2]vlan-type dot1q 20
[USG2130]int e0/0/0.3
[USG2130-Ethernet0/0/0.3]description VLAN30
[USG2130-Ethernet0/0/0.3]ip add 192.168.3.1 24
[USG2130-Ethernet0/0/0.3]vlan-type dot1q 30
2. Create the VLAN used to connect to the Internet and configure its IP address.
[USG2130]vlan 3
[USG2130-vlan3]description WAN
[USG2130]int e1/0/0
[USG2130-Ethernet1/0/0]port access vlan 3
[USG2130]int vlan 3
[USG2130-Vlanif3]description TO-INTERNET
[USG2130-Vlanif3]ip add 100.100.100.1 30
3. Create three custom zones, add each VLAN sub-interface to its zone, and add Vlanif 3 to the untrust zone.
[USG2130]firewall zone name lan1
[USG2130-zone-lan1]set priority 60
[USG2130-zone-lan1]add interface e0/0/0.1
[USG2130]firewall zone name lan2
[USG2130-zone-lan2]set priority 65
[USG2130-zone-lan2]add interface e0/0/0.2
[USG2130]firewall zone name lan3
[USG2130-zone-lan3]set priority 70
[USG2130-zone-lan3]add interface e0/0/0.3
[USG2130]firewall zone untrust
[USG2130-zone-untrust]add interface vlan3
4. Create the ACLs used for inter-VLAN access control and apply them between the VLAN zones.
[USG2130]acl 3001
[USG2130-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255
[USG2130]acl 3002
[USG2130-acl-adv-3002]rule deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[USG2130-acl-adv-3002]rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[USG2130-acl-adv-3002]rule permit ip
[USG2130]firewall interzone lan1 lan3
[USG2130-interzone-lan3-lan1]packet-filter 3001 outbound
[USG2130-interzone-lan3-lan1]packet-filter 3001 inbound

[USG2130]firewall interzone lan2 lan3
[USG2130-interzone-lan3-lan2]packet-filter 3001 outbound
[USG2130-interzone-lan3-lan2]packet-filter 3002 inbound
5. (Optional) Change the zone of interface Ethernet0/0/0.
[USG2130-Vlanif3]firewall zone untrust
[USG2130-zone-untrust]undo add interface e0/0/0
[USG2130-zone-untrust]firewall zone trust
[USG2130-zone-trust]add interface e0/0/0
6. Complete the NAT configuration (the wildcard 0.0.3.255 covers 192.168.0.0 to 192.168.3.255, which includes the three internal subnets).
[USG2130-zone-trust]acl 2000
[USG2130-acl-basic-2000]rule permit source 192.168.0.0 0.0.3.255
[USG2130]firewall interzone trust untrust
[USG2130-interzone-trust-untrust]nat outbound 2000 interface vlan 3
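The following Python model of the interzone packet filtering configured in step 4 is an added illustration and not part of the original case; it reproduces ACL 3001/3002 and the zone priorities from the page, and assumes the USG convention that "outbound" means higher-priority zone to lower-priority zone (and the reverse for "inbound") and that an interzone with no packet-filter stays at default deny. It checks the first packet of a session only, since reply packets are matched against the session table.

```python
import ipaddress

# Zone priorities and interzone packet filters as configured on the page.
ZONE_PRIORITY = {"lan1": 60, "lan2": 65, "lan3": 70}
ZONE_OF_NET = {"192.168.1.0/24": "lan1", "192.168.2.0/24": "lan2", "192.168.3.0/24": "lan3"}
INTERZONE = {  # unordered zone pair -> ACL applied in each direction
    frozenset({"lan1", "lan3"}): {"outbound": 3001, "inbound": 3001},
    frozenset({"lan2", "lan3"}): {"outbound": 3001, "inbound": 3002},
}
# ACL rules as on the page: (action, src_net, src_wildcard, dst_net, dst_wildcard); None = any.
ACLS = {
    3001: [("permit", "192.168.3.0", "0.0.0.255", None, None)],
    3002: [("deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
           ("deny", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
           ("permit", None, None, None, None)],
}

def wildcard_match(ip, net, wildcard):
    """VRP-style wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_permits(acl_id, src, dst):
    """First matching rule wins; a packet matching no rule falls to the filter's default deny."""
    for action, sn, sw, dn, dw in ACLS[acl_id]:
        if (sn is None or wildcard_match(src, sn, sw)) and (dn is None or wildcard_match(dst, dn, dw)):
            return action == "permit"
    return False

def zone_of(ip):
    addr = ipaddress.IPv4Address(ip)
    return next(z for n, z in ZONE_OF_NET.items() if addr in ipaddress.IPv4Network(n))

def first_packet_allowed(src, dst):
    """Decide the session-opening packet only; replies are matched by the session table."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True
    # Assumption: on USG, 'outbound' is higher-priority zone -> lower-priority zone.
    direction = "outbound" if ZONE_PRIORITY[sz] > ZONE_PRIORITY[dz] else "inbound"
    policy = INTERZONE.get(frozenset({sz, dz}))
    if policy is None:
        return False  # assumption: an interzone with no packet-filter is left at default deny
    return acl_permits(policy[direction], src, dst)

def check_requirement():
    """True when VLAN30 can open sessions to VLAN10/20 but VLAN10/20 cannot open sessions to VLAN30."""
    return (first_packet_allowed("192.168.3.10", "192.168.1.10")
            and first_packet_allowed("192.168.3.10", "192.168.2.10")
            and not first_packet_allowed("192.168.1.10", "192.168.3.10")
            and not first_packet_allowed("192.168.2.10", "192.168.3.10"))
```

The same wildcard_match helper can be used to confirm that the source wildcard of the NAT ACL in step 6 really covers the hosts of all three internal subnets before the policy is committed.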
Root Cause
The USG2130 has only one Layer 3 interface that supports sub-interfaces, the WAN port (E0/0/0). Given the requirement, that port must be used as the internal-network interface, and a VLAN is created so that one of the VLAN interfaces serves as the Internet interface.
If every VLAN is placed in the same zone, inter-VLAN access control becomes complex to implement. If each VLAN sub-interface is placed in its own zone and the control is implemented with interzone packet filtering, the solution is simple and reliable.
Suggestions
Because of the limits of the equipment, the conventional configuration and planning had to be set aside to meet this special requirement, by making clever use of the custom zones, interzone packet filtering, and VLAN functions of a firewall such as the USG2130.
