To have a better experience, please upgrade your IE browser.upgrade
Questo sito utilizza cookie di profilazione (propri e di terze parti) per ottimizzare la tua esperienza online e per inviarti pubblicità in linea con le tue preferenze. Continuando a utilizzare questo sito senza modificare le tue preferenze acconsenti all’uso dei cookie. Se vuoi saperne di più o negare il consenso a tutti o ad alcuni cookie clicca qui>
The website that you are visiting also provides Arabian language. Do you wish to switch language version?
يوفر موقع الويب الذي تزوره المحتوى باللغة العربية أيضًا. هل ترغب في تبديل إصدار اللغة؟
The website that you are visiting also provides Russia language Do you wish to switch language version?
Данный сайт есть в английской версии. Желаете ли Вы перейти на английскую версию?
Smart Modular Data Centers
Prefabricated Modular Data Centers
Precision Air Conditioners
Data Center Management
Handsets and Terminals
Rapid Deployment System
Enterprise Communications Terminals
Platform or Infrastructure
Enterprise Communications Gateways
Core Network Devices
Radio Access Network Devices
Firewall and Application Security Gateway
DDoS Protection Systems
Anti-APT Based on Big Data Analysis
ME Series Multi-Service Control Gateways
Multi-Service Packet Transport Platforms
AR Series IoT Gateways
AR Series Access Routers
Hybrid Flash Storage
Integrated Video Site Solution
Enterprise Telecom Energy
Smart Site Management System
Multi-Service Transmission Platforms
HD Network Cameras
Video Cloud Nodes
Video Content Management
Indoor Access Points
Outdoor Access Points
Scenario-specific product series
IT Infrastructure Storage Solutions
Data Center Network
Data Center Energy
Enterprise Communications Solution
Contact Center Solution
Advisory and Implementation
Support and Optimization
Training and Certification
Explore Technology Services
National Research and Education Network
Education Cloud Data Center
Multi-Channel HD Telemedicine Solution
Over The Top/Multi-Tenant Data Center (OTT/MTDC)
Internet Exchange Point (IXP)
Internet Access Provider (IAP)
Design & Simulation
Planning & Analytics
Oil & Gas IoT
HPC & Operations Management
Digital Urban Rail
Retail Cloud Platform
Enterprise Data Center
Enterprise Cloud Communications
Network Management System
Buy from Huawei
If you need to get information about your project, please submit your information and we will contact you within one working day.
Consult online customer service regarding products/solutions you are interested in.
If your company has signed an eDeal contract with Huawei, please buy your required product/solution via the link below.
Buy from resellers
Search for a nearby reseller and get direct contact information.
Find a Partner
Become a Partner
Alliance and solution Partner
Huawei Authorized Learning Partner
Huawei Authorized Information and Network Academy
As shown in Figure 6-3, Vlanif 10 and Vlanif 11 are in the Trust zone. Vlanif 5 is in the Untrust zone.
Configure as follows:
Configure rules for ACL 3000.
rule 0 permit ip source 10.0.0.0 0.255.255.255 rule 5 deny ip
Configure rules for ACL 3001.
rule 0 permit ip source 18.104.22.168 0.255.255.255 rule 5 deny ip
Configure NAT address pool 0 and NAT address pool 1.
nat address-group 0 22.214.171.124 126.96.36.199 nat address-group 1 188.8.131.52 184.108.40.206
Configure NAT outbound for the zone between the Trust zone and the Untrust zone and apply the corresponding ACL.
nat outbound 3000 address-group 0 nat outbound 3001 address-group 1 firewall packet-filter default permit interzone trust untrust
After configuration, the test shows that the users on network segment 220.127.116.11 cannot access the users in the Untrust zone.
[USG] acl 3000 [USG-acl-adv-3000] undo rule 5
[USG] acl 3001 [USG-acl-adv-3001] undo rule 5
Run display firewall session table. Then, you can find that, when accessing the untrust zone from the trust zone, the users in network segment 10.0.0.0 use address pool 0 for NAT but the users in network segment 18.104.22.168 do not, with no content in the session table.
The reason is that the ACL matching priorities are as follows for the same inter-zone ACL:
The priority of the ACLs 3000–3999 is higher than that of the ACLs 2000–2999.
For both basic ACLs and advanced ACLs, the ACLs configured earlier have higher priorities than those configured later.
For different rules under the same ACL group, the rule with a small rule ID has a higher priority than the rule with a large rule ID.
Therefore, according to the preceding configurations, users in network segment 22.214.171.124 are matched by rule 5 under ACL 3000 instead of rule 0 under ACL 3001 when accessing the untrust zone from the trust zone.
The matching orders of ACLs are as follows:
During ACL matching, if one rule is matched, the action (permit or deny) is returned and the other rules are not referred any more in this matching attempt. When all the rules are checked and no rule is matched, the system reports that no matched rule is found.
In this case, the USG processes the packet flows according to the default rules of the corresponding module. As a result, some modules allow the traffic to pass through while some modules forbid the traffic to pass through.