CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Blacklists on Virtual Firewalls

Networking Requirements

On the Router, virtual firewalls can be independently deployed on VPN instances.

As shown in Figure 5-25, virtual firewalls are configured for VPN instances on the Router to isolate department A and department B. Firewall policies are deployed independently and zones are configured for each VPN. Department A detects attack packets from 10.3.1.2 on VPN1. A blacklist needs to be configured on VPN1 to discard packets with source IP address 10.3.1.2.

Figure 5-25  Networking diagram of blacklist configuration on virtual firewalls

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure VPN instances on the Router to isolate department A from department B.

  2. Configure zones on the Router.

  3. Configure a blacklist for VPN1 on the Router to filter out packets with source IP address 10.3.1.2.

Procedure

  1. Configure VPN instances on the Router.

    # Configure VPN instances vpn1 and vpn2 for department A and department B.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] ip vpn-instance vpn1
    [Router-vpn-instance-vpn1] ipv4-family
    [Router-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
    [Router-vpn-instance-vpn1-af-ipv4] quit
    [Router-vpn-instance-vpn1] quit
    [Router] ip vpn-instance vpn2
    [Router-vpn-instance-vpn2] ipv4-family
    [Router-vpn-instance-vpn2-af-ipv4] route-distinguisher 200:1
    [Router-vpn-instance-vpn2-af-ipv4] quit
    [Router-vpn-instance-vpn2] quit

    # Bind VPN instances to private interfaces and configure private IP addresses as gateway addresses.

    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] undo portswitch
    [Router-GigabitEthernet1/0/0] ip binding vpn-instance vpn1
    [Router-GigabitEthernet1/0/0] ip address 10.1.1.1 255.255.255.0
    [Router-GigabitEthernet1/0/0] quit
    [Router] interface gigabitethernet 2/0/0
    [Router-GigabitEthernet2/0/0] undo portswitch
    [Router-GigabitEthernet2/0/0] ip binding vpn-instance vpn2
    [Router-GigabitEthernet2/0/0] ip address 10.2.1.1 255.255.255.0
    [Router-GigabitEthernet2/0/0] quit
    [Router] interface gigabitethernet 3/0/0
    [Router-GigabitEthernet3/0/0] undo portswitch
    [Router-GigabitEthernet3/0/0] ip binding vpn-instance vpn1
    [Router-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
    [Router-GigabitEthernet3/0/0] quit
    [Router] interface gigabitethernet 4/0/0
    [Router-GigabitEthernet4/0/0] undo portswitch
    [Router-GigabitEthernet4/0/0] ip binding vpn-instance vpn2
    [Router-GigabitEthernet4/0/0] ip address 10.4.1.1 255.255.255.0
    [Router-GigabitEthernet4/0/0] quit

  2. Configure zones on the Router.

    # Configure zones and an interzone for vpn1 on the Router.

    [Router] firewall zone trust_a
    [Router-zone-trust_a] priority 15
    [Router-zone-trust_a] quit
    [Router] firewall zone untrust_a
    [Router-zone-untrust_a] priority 1
    [Router-zone-untrust_a] quit
    [Router] firewall interzone trust_a untrust_a
    [Router-interzone-trust_a-untrust_a] firewall enable
    [Router-interzone-trust_a-untrust_a] quit
    

    # Configure zones and an interzone for vpn2 on the Router.

    [Router] firewall zone trust_b
    [Router-zone-trust_b] priority 30
    [Router-zone-trust_b] quit
    [Router] firewall zone untrust_b
    [Router-zone-untrust_b] priority 5
    [Router-zone-untrust_b] quit
    [Router] firewall interzone trust_b untrust_b
    [Router-interzone-trust_b-untrust_b] firewall enable
    [Router-interzone-trust_b-untrust_b] quit
    

    # On the Router, add interfaces to zones.

    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] zone trust_a
    [Router-GigabitEthernet1/0/0] quit
    [Router] interface gigabitethernet 2/0/0
    [Router-GigabitEthernet2/0/0] zone trust_b
    [Router-GigabitEthernet2/0/0] quit
    [Router] interface gigabitethernet 3/0/0
    [Router-GigabitEthernet3/0/0] zone untrust_a
    [Router-GigabitEthernet3/0/0] quit
    [Router] interface gigabitethernet 4/0/0
    [Router-GigabitEthernet4/0/0] zone untrust_b
    [Router-GigabitEthernet4/0/0] quit

  3. Configure the blacklist for vpn1 on the Router.

    # Enable the blacklist function.

    [Router] firewall blacklist enable
    

    # Add a blacklist entry in vpn1.

    [Router] firewall blacklist 10.3.1.2 vpn-instance vpn1
    

  4. Verify the configuration.

    # After the configuration is complete, run the display firewall interzone command on the Router to view interzone policies.

    [Router] display firewall interzone
     interzone trust_a untrust_a                      
     firewall enable                     
     packet-filter default deny inbound               
     packet-filter default permit outbound            
                          
     interzone trust_b untrust_b                      
     firewall enable                     
     packet-filter default deny inbound               
     packet-filter default permit outbound            
                         
     total number is : 2 

    # Run the display firewall blacklist all command on the Router to view blacklist information.

    [Router] display firewall blacklist all
     Firewall blacklist items :                     
    ------------------------------------------------------------------------------   
    IP-Address      Reason       Expire-Time(m) VPN-Instance                      
    ------------------------------------------------------------------------------   
    10.3.1.2        Manual       Permanent      vpn1                      
    ------------------------------------------------------------------------------   
     Total number is : 1 

    # Packets from PC3 (source IP address 10.3.1.2) cannot pass through virtual firewall vpn1.
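    The verification step above is done by eye on two display outputs. The following Python script is an added example, not part of the Huawei document and not a Huawei tool; it parses captured `display firewall blacklist all` and `display firewall interzone` output in the format shown above and checks that the blacklisted address is present in the intended VPN instance and that the firewall is enabled on the intended interzone. The sample outputs are constructed copies of the ones shown in step 4. It also catches the mistake that is easy to make with virtual firewalls: an entry that exists, but in the wrong VPN instance, so traffic in the VPN you meant to protect is still admitted.

```python
import re
from dataclasses import dataclass

# Constructed sample outputs, copied from the verification step of this example.
BLACKLIST_OUTPUT = """\
 Firewall blacklist items :
------------------------------------------------------------------------------
IP-Address      Reason       Expire-Time(m) VPN-Instance
------------------------------------------------------------------------------
10.3.1.2        Manual       Permanent      vpn1
------------------------------------------------------------------------------
 Total number is : 1
"""

INTERZONE_OUTPUT = """\
 interzone trust_a untrust_a
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound

 interzone trust_b untrust_b
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound

 total number is : 2
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass(frozen=True)
class BlacklistEntry:
    ip: str
    reason: str
    expire: str
    vpn_instance: str


def parse_blacklist(output):
    """Return the data rows of 'display firewall blacklist all' as entries.

    A data row has four whitespace-separated fields and starts with an IPv4
    address; header, separator and total lines never match that shape.
    """
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 4 and IPV4.fullmatch(fields[0]):
            entries.append(BlacklistEntry(*fields))
    return entries


def parse_interzones(output):
    """Return {(zone_a, zone_b): [setting lines]} from 'display firewall interzone'."""
    zones = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current interzone block
            continue
        if line.startswith("interzone "):
            _, zone_a, zone_b = line.split()
            current = (zone_a, zone_b)
            zones[current] = []
        elif current is not None:
            zones[current].append(line)
    return zones


def declared_total(output):
    """Return the count the device prints in its 'total number is : N' line."""
    match = re.search(r"[Tt]otal number is\s*:\s*(\d+)", output)
    return int(match.group(1)) if match else None


def check_blacklist(blacklist_output, interzone_output, ip, vpn, interzone):
    """Return a list of findings; an empty list means the expected state is present."""
    findings = []
    entries = parse_blacklist(blacklist_output)
    for_ip = [e for e in entries if e.ip == ip]
    if not for_ip:
        findings.append(f"no blacklist entry for {ip}")
    elif not any(e.vpn_instance == vpn for e in for_ip):
        # The address is blacklisted, but not in the VPN instance that was attacked.
        findings.append(f"{ip} is blacklisted only in {[e.vpn_instance for e in for_ip]}, not {vpn}")
    if declared_total(blacklist_output) != len(entries):
        findings.append("blacklist row count does not match the device's total line")
    settings = parse_interzones(interzone_output).get(interzone)
    if settings is None:
        findings.append(f"interzone {interzone[0]} {interzone[1]} missing")
    elif "firewall enable" not in settings:
        findings.append(f"firewall not enabled on interzone {interzone[0]} {interzone[1]}")
    return findings


if __name__ == "__main__":
    # The state this example expects on vpn1: no findings.
    print(check_blacklist(BLACKLIST_OUTPUT, INTERZONE_OUTPUT, "10.3.1.2", "vpn1", ("trust_a", "untrust_a")))
    # The same address checked against vpn2 is reported as not covered there.
    print(check_blacklist(BLACKLIST_OUTPUT, INTERZONE_OUTPUT, "10.3.1.2", "vpn2", ("trust_b", "untrust_b")))
```

    Feed the script the real outputs captured over SSH or from a configuration-audit job; the row-count check against the device's own "Total number" line guards against a truncated capture being read as a complete list.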

Configuration Files

Configuration file of the Router

#
 sysname Router
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
#
ip vpn-instance vpn2
 ipv4-family
  route-distinguisher 200:1
#
firewall zone trust_a
 priority 15
#
firewall zone trust_b
 priority 30
#
firewall zone untrust_a
 priority 1
#
firewall zone untrust_b
 priority 5
#
firewall interzone trust_a untrust_a
 firewall enable
#
firewall interzone trust_b untrust_b
 firewall enable
#
 firewall blacklist enable
 firewall blacklist 10.3.1.2 vpn-instance vpn1
#
interface GigabitEthernet1/0/0
 undo portswitch
 ip binding vpn-instance vpn1
 ip address 10.1.1.1 255.255.255.0
 zone trust_a
#
interface GigabitEthernet2/0/0
 undo portswitch
 ip binding vpn-instance vpn2
 ip address 10.2.1.1 255.255.255.0
 zone trust_b
#
interface GigabitEthernet3/0/0
 undo portswitch
 ip binding vpn-instance vpn1
 ip address 10.3.1.1 255.255.255.0
 zone untrust_a
#
interface GigabitEthernet4/0/0
 undo portswitch
 ip binding vpn-instance vpn2
 ip address 10.4.1.1 255.255.255.0
 zone untrust_b
#
return
Updated: 2019-05-20

Document ID: EDOC1100034236