AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnostic commands and typical troubleshooting procedures.
Example for Configuring the ACL-based Packet Filtering Firewall

Networking Requirements

As shown in Figure 29-48, Eth2/0/0 of the Router is connected to a highly secure internal network, and GE3/0/0 is connected to an insecure external network. The Router must filter the packets between the internal network and the external network. The following requirements must be met:
  • A host (10.39.2.3) on the external network is allowed to access the servers in the internal network.
  • Other hosts are not allowed to access servers on the internal network.
Figure 29-48 Network diagram for configuring ACL-based packet filtering

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure zones and an interzone.

  2. Add interfaces to the zones.

  3. Configure an ACL.

  4. Configure ACL-based packet filtering in the interzone.

Procedure

  1. Configure zones and an interzone on the Router.

    <Huawei> system-view
    [Huawei] firewall zone trust
    [Huawei-zone-trust] priority 14
    [Huawei-zone-trust] quit
    [Huawei] firewall zone untrust
    [Huawei-zone-untrust] priority 1
    [Huawei-zone-untrust] quit
    [Huawei] firewall interzone trust untrust
    [Huawei-interzone-trust-untrust] firewall enable
    [Huawei-interzone-trust-untrust] quit
    

  2. Add Router interfaces to zones.

    [Huawei] vlan 100 
    [Huawei-vlan100] quit
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] ip address 10.38.1.1 24 
    [Huawei-Vlanif100] quit       
    [Huawei] interface ethernet 2/0/0
    [Huawei-Ethernet2/0/0] port link-type access  
    [Huawei-Ethernet2/0/0] port default vlan 100 
    [Huawei-Ethernet2/0/0] quit  
    [Huawei] interface vlanif 100 
    [Huawei-Vlanif100] zone trust
    [Huawei-Vlanif100] quit
    [Huawei] interface gigabitethernet 3/0/0
    [Huawei-GigabitEthernet3/0/0] ip address 10.39.2.1 24 
    [Huawei-GigabitEthernet3/0/0] zone untrust
    [Huawei-GigabitEthernet3/0/0] quit

  3. Configure an ACL on the Router.

    [Huawei] acl 3102
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.2 0.0.0.0
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.3 0.0.0.0
    [Huawei-acl-adv-3102] rule permit tcp source 10.39.2.3 0.0.0.0 destination 10.38.1.4 0.0.0.0
    [Huawei-acl-adv-3102] rule deny ip
    [Huawei-acl-adv-3102] quit
    

  4. Configure packet filtering on the Router.

    [Huawei] firewall interzone trust untrust
    [Huawei-interzone-trust-untrust] packet-filter 3102 inbound
    [Huawei-interzone-trust-untrust] quit
    

  5. Verify the configuration.

    After the configuration is complete, only the specified host (10.39.2.3) can access servers on the internal network.

    Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router. The result is as follows:

    [Huawei] display firewall interzone trust untrust
    interzone trust untrust
     firewall enable
     packet-filter default deny inbound
     packet-filter default permit outbound
     packet-filter 3102 inbound

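The decision that steps 3 to 5 produce can be checked offline with the following Python model. It is added here as an illustration and is not part of the Huawei documentation: it parses the four rules of ACL 3102 as they appear in the configuration file, applies first-match semantics with Huawei wildcard masks (a 1 bit in the wildcard means "don't care"), and falls back to the interzone's inbound default of deny when no rule matches. The names parse_rules and evaluate and the test packets are assumptions of this example; it also accepts non-zero wildcards such as 0.0.0.255, which this page's ACL does not use.

```python
import ipaddress

# Constructed input: the four rules from the page's "acl number 3102" block.
ACL_3102 = """
rule 5 permit tcp source 10.39.2.3 0 destination 10.38.1.2 0
rule 10 permit tcp source 10.39.2.3 0 destination 10.38.1.3 0
rule 15 permit tcp source 10.39.2.3 0 destination 10.38.1.4 0
rule 20 deny ip
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _wildcard(text):
    # Huawei shorthand: a wildcard of "0" means 0.0.0.0 (every bit must match);
    # a 1 bit in the wildcard marks a bit that is not compared.
    return 0 if text == "0" else _ip(text)

def parse_rules(text):
    """Return (rule_id, action, protocol, src_spec, dst_spec) tuples; a spec is
    (address, wildcard) or None when the rule names no address (match any)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src = dst = None
        if "source" in tok:
            i = tok.index("source")
            src = (_ip(tok[i + 1]), _wildcard(tok[i + 2]))
        if "destination" in tok:
            i = tok.index("destination")
            dst = (_ip(tok[i + 1]), _wildcard(tok[i + 2]))
        rules.append((int(tok[1]), tok[2], tok[3], src, dst))
    return rules

def _matches(addr, spec):
    if spec is None:
        return True
    care = ~spec[1] & 0xFFFFFFFF          # bits the wildcard does NOT mask out
    return (addr & care) == (spec[0] & care)

def evaluate(rules, proto, src, dst, default="deny"):
    """First-match lookup. `default` models the interzone's
    'packet-filter default deny inbound' when no rule matches."""
    for rule_id, action, rproto, rsrc, rdst in rules:
        if rproto != "ip" and rproto != proto:    # "ip" matches any protocol
            continue
        if _matches(_ip(src), rsrc) and _matches(_ip(dst), rdst):
            return action, rule_id
    return default, None
```

Evaluating ("icmp", "10.39.2.3", "10.38.1.2") returns deny by rule 20, which shows that the permitted host reaches the servers over TCP only; an ICMP reachability test from that host would not be a valid check of this configuration.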

Configuration Files

Configuration file of the Router

#
 vlan batch 100
#
acl number 3102
 rule 5 permit tcp source 10.39.2.3 0 destination 10.38.1.2 0
 rule 10 permit tcp source 10.39.2.3 0 destination 10.38.1.3 0
 rule 15 permit tcp source 10.39.2.3 0 destination 10.38.1.4 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 10.38.1.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 14
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 100
#
interface GigabitEthernet3/0/0
 ip address 10.39.2.1 255.255.255.0
 zone untrust
#
return
Updated: 2019-08-09

Document ID: EDOC1000079719