Huawei Quidway S7700 Configuration Manual page 81

Smart routing switch

Quidway S7700 Smart Routing Switch
Configuration Guide - SPU
[SPU] acl 3102
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[SPU-acl-adv-3102] rule deny ip
[SPU-acl-adv-3102] quit
Step 5 Configure packet filtering on the SPU.
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 3102 inbound
[SPU-interzone-trust-untrust] quit
Step 6 Verify the configuration.
After the configuration, only the specified host (202.39.2.3) can access the server on the internal network.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
interzone trust untrust
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3102 inbound
----End
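
An offline check of the policy verified in Step 6, added here as an example and not taken from the Huawei manual: it parses the ACL 3102 rules as they appear in the SPU configuration file and evaluates test packets with first-match semantics. The function names, the ascending rule-ID evaluation order and the sample packets are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: ACL 3102 as printed in this page's SPU configuration file.
ACL_3102 = """\
rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
rule 20 deny ip
"""

RULE_RE = re.compile(
    r"\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<swc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dwc>\S+))?\s*$")

def to_int(addr):
    """Dotted quad, or a bare number such as the wildcard shorthand '0'."""
    return int(ipaddress.IPv4Address(addr if "." in addr else int(addr)))

def wild_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit means 'ignore', a 0 bit must match."""
    if base is None:          # rule has no source/destination clause: any
        return True
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_acl(text):
    rules = [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]
    # Assumption: default "config" match order, i.e. ascending rule ID.
    return sorted(rules, key=lambda r: int(r["id"]))

def evaluate(rules, proto, src, dst, default="deny"):
    """First match wins; 'default' models 'packet-filter default deny inbound'."""
    for r in rules:
        if r["proto"] in ("ip", proto) and wild_match(src, r["src"], r["swc"]) \
                and wild_match(dst, r["dst"], r["dwc"]):
            return r["action"], int(r["id"])
    return default, None

if __name__ == "__main__":
    acl = parse_acl(ACL_3102)
    for pkt in [("tcp", "202.39.2.3", "129.38.1.2"), ("tcp", "202.39.2.4", "129.38.1.2"),
                ("udp", "202.39.2.3", "129.38.1.3"), ("tcp", "202.39.2.3", "129.38.1.5")]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The rules carry no destination-port clause, so the permitted host matches on every TCP port of the three servers, while its UDP and ICMP traffic falls through to rule 20.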
Configuration Files
Issue 01 (2011-07-15)
- Configuration file of the SPU
#
sysname SPU
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Eth-trunk0
#
interface XGigabitEthernet 0/0/1
 Eth-trunk0
#
interface XGigabitEthernet 0/0/2
 Eth-trunk0
#
interface Eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 129.38.1.1 255.255.255.0
 zone trust

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration