Huawei quidway s7700 Configuration Manual page 92
Quidway S7700 Smart Routing Switch
Configuration Guide - SPU
[SPU-Eth-Trunk1.2] zone untrust
[SPU-Eth-Trunk1.2] quit
Step 4 Configure the VLAN bridge instance on the SPU.
[SPU] inter-vlan-bridge instance 127
Step 5 Bind the VLAN bridge instance to the sub-interfaces of the SPU.
[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.2] quit
Step 6 Configure an ACL.
[SPU] acl 4100
[SPU-acl-L2-4100] rule 5 permit destination-mac ffff-ffff-ffff
[SPU-acl-L2-4100] rule 10 permit destination-mac 0100-5e00-0000 ffff-ff01-0000
[SPU-acl-L2-4100] rule 15 permit l2-protocol arp
[SPU-acl-L2-4100] rule 20 permit source-mac 000f-1f7e-fec5 l2-protocol ip
[SPU-acl-L2-4100] quit
[SPU] acl 3000
[SPU-acl-adv-3000] rule 5 permit ospf
[SPU-acl-adv-3000] quit
Step 7 Configure packet filtering.
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 4100 inbound
[SPU-interzone-trust-untrust] packet-filter 3000 inbound
[SPU-interzone-trust-untrust] quit
Step 8 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU. The result is as follows:
[SPU] display firewall interzone trust untrust
interzone trust untrust
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
packet-filter 3000 inbound
packet-filter 4100 inbound
----End
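As an added illustration (not code from the Huawei guide), the following Python simulates how the inbound packet filter applies ACL 4100 from Step 6 to sample Layer 2 frames, using Huawei's MAC-mask convention (a 1 bit in the mask means that bit must match) and the "packet-filter default deny inbound" behaviour shown in Step 8. The sample frames, helper names and the mapping of the l2-protocol keywords to EtherTypes are assumptions; ACL 3000 (OSPF) is not modelled.

```python
# Added example, not part of the Huawei configuration guide. Simulates the
# inbound verdict of the transparent firewall for ACL 4100 only: rules are
# tried in order, the first match wins, and anything unmatched is denied.
# Assumption: l2-protocol ip / arp correspond to EtherTypes 0x0800 / 0x0806.
ETHERTYPE = {"ip": 0x0800, "arp": 0x0806}


def mac_int(mac: str) -> int:
    """Parse 'ffff-ffff-ffff', 'FFFF.FFFF.FFFF' or 'ff:ff:...' into an int."""
    return int(mac.replace("-", "").replace(".", "").replace(":", ""), 16)


def mac_match(addr: str, base: str, mask: str = "ffff-ffff-ffff") -> bool:
    """Huawei-style MAC match: every bit set to 1 in mask must agree."""
    m = mac_int(mask)
    return (mac_int(addr) & m) == (mac_int(base) & m)


# ACL 4100 from Step 6 as (rule-id, predicate) pairs in rule order.
ACL_4100 = [
    (5, lambda f: mac_match(f["dst"], "ffff-ffff-ffff")),                 # broadcast
    (10, lambda f: mac_match(f["dst"], "0100-5e00-0000", "ffff-ff01-0000")),  # multicast
    (15, lambda f: f["type"] == ETHERTYPE["arp"]),                          # ARP
    (20, lambda f: mac_match(f["src"], "000f-1f7e-fec5")
     and f["type"] == ETHERTYPE["ip"]),                                     # one host, IP
]


def inbound_verdict(frame: dict) -> tuple:
    """Return ('permit', rule_id) for the first matching rule, else ('deny', None)."""
    for rule_id, pred in ACL_4100:
        if pred(frame):
            return ("permit", rule_id)
    return ("deny", None)  # packet-filter default deny inbound


def frame(src: str, dst: str, proto: str) -> dict:
    """Build a constructed sample frame; proto is 'ip' or 'arp'."""
    return {"src": src, "dst": dst, "type": ETHERTYPE[proto]}


if __name__ == "__main__":
    # Constructed sample frames, one per rule plus one that hits the default deny.
    for f in (
        frame("0000-0000-0001", "ffff-ffff-ffff", "ip"),
        frame("0000-0000-0001", "0100-5e00-000a", "ip"),
        frame("0000-0000-0001", "0000-0000-0002", "arp"),
        frame("000f-1f7e-fec5", "0000-0000-0002", "ip"),
        frame("000f-1f7e-fec6", "0000-0000-0002", "ip"),
    ):
        print(f, "->", inbound_verdict(f))
```

Note that with mask ffff-ff01-0000 the low bit of the fourth octet must match the base, so 0100-5e01-0000 is not covered by rule 10 even though it lies between 0100-5e00-0000 and 0100-5efe-ffff.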
NOTE
A transparent firewall discards all packets entering the inter-zone, including service packets and protocol packets. To permit Layer 2 protocol packets, configure a Layer 2 ACL:
- rule 5 permit destination-mac ffff-ffff-ffff: indicates that broadcast traffic with destination MAC address FFFF.FFFF.FFFF is allowed to pass the transparent firewall.
- rule 10 permit destination-mac 0100-5e00-0000 ffff-ff01-0000: indicates that multicast traffic with multicast addresses 0100.5E00.0000-0100.5EFE.FFFF is allowed to pass the transparent firewall.
- rule 15 permit l2-protocol arp: indicates that ARP protocol packets are allowed to pass the transparent firewall.
- rule 20 permit source-mac 000f-1f7e-fec5 l2-protocol ip: indicates that the host with MAC address 000f-1f7e-fec5 in the untrust zone is allowed to access resources in the trust zone.
Configuration Files
- Configuration file of the SPU
#
sysname SPU
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
81