No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
CloudCampus Solution V100R019C10 Deployment Guide for Large- and Medium-Sized Campus Networks (Virtualization Scenario)
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Security Zones and Interfaces

Configuring Security Zones and Interfaces

Context

A security zone is a collection of networks connected through one or more interfaces. Users on the networks in a security zone have the same security attributes. Most security policies are implemented based on security zones. Each security zone identifies a network, and a firewall connects networks. Firewalls use security zones to divide networks and mark the routes of packets. When packets travel between security zones, security check is triggered and corresponding security policies are enforced. Security zones are isolated by default.

In this document, each logical interface connecting to the firewall on the internal service network of the campus is added to an independent security zone. The interfaces that connect to the network management zone are added to the demilitarized zone (DMZ). The interfaces that connect to the Internet are added to the untrusted zone.

Data Plan

Table 4-11 Data plan for security zones

Device

Zone Name

Other Parameters

Description

FW-a

rd_trust

Default

Security zone corresponding to RD_VN, which needs to be customized

market_trust

Default

Security zone corresponding to Market_VN, which needs to be customized

guest_trust

Default

Security zone corresponding to Guest_VN, which needs to be customized

dmz

Default

Security zone corresponding to the network management zone, which is provided by the system

untrust

Default

Security zone corresponding to the external network, which is provided by the system

FW-b

rd_trust

Default

Security zone corresponding to RD_VN, which needs to be customized

market_trust

Default

Security zone corresponding to Market_VN, which needs to be customized

guest_trust

Default

Security zone corresponding to Guest_VN, which needs to be customized

dmz

Default

Security zone corresponding to the network management zone, which is provided by the system

untrust

Default

Security zone corresponding to the external network, which is provided by the system
Table 4-12 Data plan for link aggregation

Device

Interface Name

Interface Type

Virtual System

Security Zone

Mode

Member Interfaces

Other Parameters

FW-a

Eth-Trunk1

Aggregation interface

public

-

Routing

XGE0/0/5 and XGE0/0/15

Default

FW-b

Eth-Trunk1

Aggregation interface

public

-

Routing

XGE0/0/6 and XGE0/0/16

Default
Table 4-13 Interface data plan 1

Device

Interface Name

Interface Type

Security Zone

VLAN Tag

IP Address

Default Gateway

Remarks

FW-a

XGE0/0/1

-

untrust

-

192.0.2.2/24

192.0.2.1

Interface on FW-a connected to ISP1

XGE0/0/2

-

untrust

-

198.51.100.2/24

198.51.100.1

Interface on FW-a connected to ISP2

XGE0/0/3

-

dmz

-

192.168.9.1/24

-

Interface for connecting the heartbeat link of the firewalls in hot standby mode

Eth-Trunk1.1

Sub-interface

rd_trust

3950

192.168.5.1/24

-

Interface on FW-a connected to RD_VN

Eth-Trunk1.2

Sub-interface

market_trust

3951

192.168.6.1/24

-

Interface on FW-a connected to Market_VN

Eth-Trunk1.3

Sub-interface

guest_trust

3952

192.168.7.1/24

-

Interface on FW-a connected to Guest_VN

Eth-Trunk1.4

Sub-interface

dmz

2953

192.168.8.1/24

-

Interface on FW-a connected to the network management zone

FW-b

XGE0/0/1

-

untrust

-

192.0.2.3/24

192.0.2.1

Interface on FW-b connected to ISP1

XGE0/0/2

-

untrust

-

198.51.100.3/24

198.51.100.1

Interface on FW-b connected to ISP2

XGE0/0/3

-

dmz

-

192.168.9.2/24

-

Interface for connecting the heartbeat link of the firewalls in hot standby mode

Eth-Trunk1.1

Sub-interface

rd_trust

3950

192.168.5.2/24

-

Interface on FW-b connected to RD_VN

Eth-Trunk1.2

Sub-interface

market_trust

3951

192.168.6.2/24

-

Interface on FW-b connected to Market_VN

Eth-Trunk1.3

Sub-interface

guest_trust

3952

192.168.7.2/24

-

Interface on FW-b connected to Guest_VN

Eth-Trunk1.4

Sub-interface

dmz

2953

192.168.8.2/24

-

Interface on FW-b connected to the network management zone
Table 4-14 Interface data plan 2

Virtual System

Mode

Connection Type

Other Parameters

public

Routing

Static IP

Default

Procedure

  1. Choose Network > Zone, and click Create to create a user-defined security zone based on the data plan. The following example creates the security zone rd_trust on FW-a.

  2. Choose Network > Interface, and click Create to create an Eth-Trunk interface based on the data plan. The following example creates the interface Eth-trunk1 on FW-a.

  3. Choose Network > Interface, and click Create to create an Eth-Trunk sub-interface based on the data plan. The following example creates the sub-interface Eth-trunk1.1 on FW-a.

  4. Choose Network > Interface, select a physical interface from the interface list, and click to configure the physical interface based on the data plan. The following example configures XGE0/0/1 on FW-a.

Translation
简体中文
Download
Updated: 2021-04-29

Document ID: EDOC1100141248

Views: 125285

Downloads: 509

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :