AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
How Do I Limit Mutual Access Between Intranet Segments (Using the Web Platform)?

Networking Requirements

In Figure 29-81, Router serves as the egress gateway of the enterprise and connects to the Internet through GE0/0/1. GE0/0/1 uses a static IP address 10.1.1.110/24; the gateway address of Router is 10.1.1.1; the DNS server addresses of Router are 201.10.1.150 and 202.1.1.148. Intranet users access the Internet after address translation through the network address translation (NAT) service deployed on Router. The customer wants to disable the mutual access between the network segments 192.168.10.0/24 and 192.168.20.0/24, but enable users in the two network segments to access the Internet.

Figure 29-81  Networking diagram for configuring traffic filtering

Configuration Roadmap

The configuration roadmap is as follows:
  1. Complete basic network configurations. (If basic network configurations have been completed, skip this step and go to step 2. You only need to perform rate limit configurations.)
    • Set parameters, such as the interface IP address and gateway address on GE0/0/1.

    • Create VLAN 10 and VLANIF 10 and use VLANIF 10 as the gateway of the network segment 192.168.10.0/24. Create VLAN 20 and VLANIF 20 and use VLANIF 20 as the gateway of the network segment 192.168.20.0/24. Add the Layer 2 Ethernet interface Eth0/0/2 connecting to Switch to VLAN 10 and VLAN 20 as a trunk interface.

  2. Configure a traffic policy to disable the mutual access on the VLANIF interfaces. In the traffic policy, configure a traffic classifier to identify the traffic of mutual access between intranet segments and configure a traffic behavior to limit the identified traffic.

Procedure

  1. Configure GE0/0/1, add the Layer 2 Ethernet interface Eth0/0/2 to VLANs, and create VLANIF interfaces.

    1. Configure GE0/0/1.
      Choose WAN Access > Ethernet Interface and click Create. In the displayed dialog box, set parameters according to Figure 29-82 and click OK.
      Figure 29-82  Creating an Ethernet interface

    2. Choose LAN Access > LAN > VLAN Interface and click Create. In the displayed dialog box, set parameters according to Figure 29-83 and click OK. Figure 29-83 shows the settings for VLANIF 10. The settings for VLANIF 20 are similar, and are not mentioned here.
      Figure 29-83  Creating a VLAN interface

    3. Configure VLANIF 20 by referring to the settings in the previous step.

  2. Configure a traffic policy to disable the mutual access between two network segments.

    1. On the web platform, choose Security > ACL. On the Advanced ACL Setting page, click Create. In the displayed dialog box, configure ACL rules according to Figure 29-84 to match the traffic of mutual access between intranet segments. The traffic classifier uses these rules to identify that traffic.
      Figure 29-84  Configuring ACL rules to match traffic of mutual access between intranet segments

    2. On the web platform, choose QoS > Traffic Management. On the Policy Parameter Configuration page, click Create. In the displayed dialog box, set the policy name, and then configure the traffic classifier and traffic behavior.

      Configure a traffic classifier and a traffic behavior for mutual access between intranet segments on VLANIF 10 according to Figure 29-85. Select innerFlow configured above for Matched IPv4 ACL. In the Advanced Classification Rule area, set Traffic filtering to Deny. Click Confirm and OK.
      Figure 29-85  Creating a traffic policy

    3. On the web platform, choose QoS > Traffic Management. On the Policy Application page, click Create. Apply the traffic policy to VLANIF 10 to disable mutual access between the network segments 192.168.10.0/24 and 192.168.20.0/24.
      Figure 29-86  Applying the traffic policy in the inbound direction

      Figure 29-87  Applying the traffic policy in the outbound direction
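
The following added example (not part of the Huawei documentation and not the router's forwarding logic) is a simplified per-packet model of the policy configured above. It checks that applying the Deny policy on VLANIF 10 in both the inbound and outbound directions blocks both directions of inter-segment traffic while Internet traffic is still forwarded. The contents of ACL innerFlow, the function names, and the test addresses are assumptions constructed for illustration.

```python
import ipaddress

# Intranet segments and their gateway interfaces, as given on the page.
SEGMENTS = {
    "Vlanif10": ipaddress.ip_network("192.168.10.0/24"),
    "Vlanif20": ipaddress.ip_network("192.168.20.0/24"),
}

# ASSUMPTION: Figure 29-84 is not reproduced, so ACL innerFlow is modelled as
# one (source, destination) rule per direction between the two segments.
INNER_FLOW = [
    (SEGMENTS["Vlanif10"], SEGMENTS["Vlanif20"]),
    (SEGMENTS["Vlanif20"], SEGMENTS["Vlanif10"]),
]

# Where the page applies the policy: VLANIF 10, inbound and outbound.
APPLIED = frozenset({("Vlanif10", "inbound"), ("Vlanif10", "outbound")})


def lan_interface(ip):
    """Return the VLANIF that serves ip, or None for non-intranet addresses."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def acl_matches(src, dst):
    """True when the modelled innerFlow rules match this packet."""
    return any(src in s and dst in d for s, d in INNER_FLOW)


def verdict(src, dst, applied=APPLIED):
    """Per-packet result: 'switched', 'deny' or 'forward'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_if, out_if = lan_interface(src), lan_interface(dst)
    if in_if is not None and in_if == out_if:
        return "switched"  # same segment: handled by the switch, not the gateway
    # Policy hooks this packet crosses on the gateway.
    hooks = {(in_if, "inbound"), (out_if, "outbound")}
    if hooks & applied and acl_matches(src, dst):
        return "deny"  # Traffic filtering is set to Deny for matched traffic
    return "forward"


def audit(applied=APPLIED):
    """Return the constructed inter-segment test flows the policy fails to deny."""
    flows = [("192.168.10.5", "192.168.20.7"), ("192.168.20.7", "192.168.10.5")]
    return [f for f in flows if verdict(*f, applied) != "deny"]
```

Calling `audit()` with only the inbound application on VLANIF 10 reports the 192.168.20.0/24 to 192.168.10.0/24 direction as not denied, which is why the procedure applies the policy in both directions.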

Precautions

  1. This example uses an AR1220 running V200R007C00SPCb00.
  2. On a gateway, only mutual access between network segments can be limited. Mutual access packets in the same network segment need to be forwarded only through the switch and do not need to be processed by the gateway. Therefore, if mutual access between hosts in the same network segment needs to be limited, the configuration needs to be performed only on the switch connecting to the gateway.
  3. If the web platform of the EasyOperation edition is displayed after your login, as shown in Figure 29-88, click in the upper right corner to switch to the web page of the Classics edition.
    Figure 29-88  Login page of the web platform of the EasyOperation edition

Updated: 2019-05-10

Document ID: EDOC1000079719
