Zte ZXR10 8900 Series User Manual

ZXR10 8900 Series
10G Routing Switch
User Manual (FW Volume)
Version 2.8.02.C
ZTE CORPORATION
ZTE Plaza, Keji Road South,
Hi-Tech Industrial Park,
Nanshan District, Shenzhen,
P. R. China
518057
Tel: (86) 755 26771900 800-9830-9830
Fax: (86) 755 26772236
URL: http://support.zte.com.cn
E-mail: doc@zte.com.cn


Summary of Contents for ZTE ZXR10 8900 Series

  • Page 2 The contents of this document are protected by copyright laws and international treaties. Any reproduction or distribution of this document or any portion of this document, in any form by any means, without the prior written consent of ZTE CORPORATION is prohibited.
  • Page 3: Table Of Contents

    Contents About This Manual..........i Firewall Overview ..........1 Function Overview ............1 Working Principle............2 Working Modes............4 Management Modes ............5 Logging into FW through Console Port ......5 Logging into FW through Telnet ........6 Logging into FW through Browser ......... 7 System Management Configuration ....9 System Management Overview.........
  • Page 4 Setting Host Resource ..........28 Setting Address Range Resource........31 Setting Subnet Resource ..........35 Setting Address Group ..........38 Configuring Area Resource ..........41 Area Resource Configuration Overview ......41 Configuring Area Resource ..........41 Configuring Time Resource ..........44 Time Resource Configuration Overview ......44 Configuring Week Cycle ..........45 Configuring Year Cycle ..........47 Configuring Service Resource ..........50 Service Resource Configuration Overview......50...
  • Page 5 Access Control Rule Overview........76 Configuring Access Control Rule........76 Access Control Rule Configuration Example ....82 Access Control Rule Configuration Example One .............82 Access Control Rule Configuration Example Two............84 Configuring IDS Interaction..........86 IDS Interaction Overview..........86 Configuring IDS Interaction.........86 NAT Configuration ........... 89 NAT Overview ...............89 Configuring NAT ............90 NAT Configuration Example ..........96...
  • Page 6 Viewing Log ............123 Alarms ..............124 Configuring Logs and Alarms......... 124 Configuring Log ............124 Viewing Log ............126 Configuring Alarms ..........127 Figures ............133 Tables ............135 Glossary ............137...
  • Page 7: About This Manual

    About This Manual This manual is the ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (FW Volume) and applies to the ZXR10 8902/8905/8908/8912 10G routing switches (V2.8.02.C). The ZXR10 8900 series 10G routing switch has the following related manuals: Summary Manual ZXR10 8900 Series (V2.8.02.C) 10G...
  • Page 8 ZXR10 8900 Series User Manual (FW Volume) Manual: ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (Routing Volume). Summary: This manual describes IPv4 static routing configuration, RIP configuration, OSPF configuration, IS-IS configuration, BGP configuration, load balancing configuration, multicast routing configuration, IP/LDP FRR configuration and BFD configuration.
  • Page 9 (Voice and Video Volume) in the ZXR10 8900 series 10G routing switch. Manual: ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch Command Manual (Multicast Volume). Summary: This manual describes multicast protocol-related commands in the ZXR10 8900 series 10G routing switch. Confidential and Proprietary Information of ZTE CORPORATION...
  • Page 10 ZXR10 8900 series 10G routing switch. Commands supported by ZXR10 8900 series (V2.8.02.C) 10G routing switch are based on uniform platform ZXROS V4.8.22. ZXR10 8900 Series (V2.8.02.C) 10G Routing Switch User Manual (FW Volume) contains the following chapters: Chapter Summary...
  • Page 11: Firewall Overview

    Firewall Overview Table of Contents: Function Overview .............. 1 Management Modes ............5 Function Overview The ZXR10 8900 Series Switch firewall (FW) service card has the following basic functions: • Supporting routing and hybrid working modes; • Supporting object-based network access control, including access control at the network layer, application layer and other layers;...
  • Page 12: Working Principle

    (such as the Internet) to internal trusted networks and mutual access among different areas within the internal network. The OS platform used by the ZXR10 8900 Series Switch FW is a modular OS. By loading a series of functional modules such as FW...
  • Page 13 If no corresponding access policy matches, the packet is passed on toward the destination interface, and the ZXR10 8900 Series Switch FW processes it according to the default property (permit or deny) of the area in which the destination interface is located.
  • Page 14: Working Modes

    The ZXR10 8900 Series Switch FW protects VLAN interfaces and supports two working modes: routing mode and hybrid mode. Route Mode: in this mode the ZXR10 8900 Series Switch FW protects L3 packets on the protected VLAN interface. All L3 packets passing through the protected VLAN are forwarded only after being processed by the FW module.
  • Page 15: Management Modes

    Command: ZXR10(fw-template-1)#session. Function: it accesses the FW card from the main board. 4. Log into the ZXR10 8900 Series Switch FW module by entering the system default username. After accessing the FW module, the user can perform configuration management through the command line; give the default account its own password through the system manager commands (see Configuring System Manager) before the card is put into service.
  • Page 16: Logging Into Fw Through Telnet

    Tip: Both username and password are case sensitive. END OF STEPS. Logging into FW through Telnet. Context: it is possible to log into the FW module through Telnet and perform some basic settings on the FW. Telnet carries the login credentials in cleartext; where the card's SSH service is enabled (sshd start, see Managing System Services), prefer SSH and stop the Telnet service with telnetd stop.
  • Page 17: Logging Into Fw Through Browser

    VLAN interface to the management IP of the managed FW card. Command: ZXR10(config-fw)#bind mng-ip <slot number> <ipaddress>. Function: in the example, the IP address of the vlan 1 interface is the management IP of the FW card in slot 2. Parameter Description:
  • Page 18 Parameter Description: <slot number>: the number of the slot where the FW card is located. <ipaddress>: the IP address, in the form A.B.C.D. 3. The administrator enters the FW management URL (such as https://<...
  • Page 19: System Management Configuration

    Configuring System Manager..........23 System Management Overview In the system command module, the user can configure basic information of the ZXR10 8900 Series Switch FW service card, such as version display, clock management and setting, system configuration management, system upgrade, authentication user management, administrator information, the FW reboot command and so on.
  • Page 20: Querying System Basic Information

    Querying System Basic Information: the user can query the model, software platform version, current system configuration and other information of the current device in the system command module. 1. Displaying system version information. Command: ZXR10_FW.system #version. Function: it displays the system...
  • Page 21: Configuring System Management

    Once the number of login failures of an administrator exceeds the threshold, the system locks the login to prevent illegal users from logging into the ZXR10 8900 Series Switch FW service card by brute-forcing the password. To access the authset command module, execute the following command...
  • Page 22 Command: ZXR10_FW.system authset #authfail set maxnum <number>. Function: sets the maximum authentication-failure parameter, which can prevent password brute force. Parameter Description: set maxnum: sets the maximum number of authentication failures. <number>: the maximum number, in the range 1-10.
  • Page 23 Command: ZXR10_FW.system authset #managermaxlogin show. Function: shows the maximum concurrent management site parameter. 7. Setting the maximum concurrent administrator number. Command: ZXR10_FW.system authset #maxonlineadm set maxnum <number>. Function: sets the maximum concurrent administrator number. Parameter Description:
  • Page 24 Parameter Description: set maxnum: sets the maximum concurrent administrator number. <number>: the maximum number, in the range 1-256. Example: To set the maximum concurrent administrator number to 16, execute the following command: ZXR10_FW.system .authset # maxonlineadm set maxnum 16...
  • Page 25: Managing System Services

    3. Enabling the SSH service. Command: ZXR10_FW.system#sshd start. Function: enables the SSH service. 4. Disabling the SSH service. Command: ZXR10_FW.system#sshd stop. Function: disables the SSH service. 5. Enabling the Telnet service. Command: ZXR10_FW.system#telnetd start. Function: enables the Telnet service.
  • Page 26: Setting Open Services

    6. Disabling the Telnet service. Command: ZXR10_FW.system#telnetd stop. Function: disables the Telnet service. 7. Enabling the HTTP service. Command: ZXR10_FW.system#httpd start. Function: enables the HTTP service. 8. Disabling the HTTP service. Command: ZXR10_FW.system#httpd stop. Function: disables the HTTP service.
  • Page 27 MONITOR service; ping: PING service; telnet: Telnet service; IDS service; auth: AUTH service; NTP service; update: upgrade service.
  • Page 28 Parameter Description: dhcp: DHCP service; RIP service; l2tp: L2TP service; pptp: PPTP service; webui: management of the GW through the WEBUI; ipsecvpn: the service opened when establishing an IPSEC tunnel.
  • Page 29 <number>: this deletes one open service rule. Parameter Description: delete: deletes one open service rule. <number>: selects the id of the service opened by the GW; it is a number. Command Illustration:
  • Page 30: Setting Webui Authentication

    To view the id needed for deleting one service, execute the command service show. Setting WEBUI Authentication: WEBUI authentication means the administrator can access the ZXR10 8900 Series Switch FW service card only after passing both certificate authentication and username/password authentication.
  • Page 31: Configuration Maintenance

    (that is, import and export all system configurations at one time) and others. The system also enables the administrator to restore the configuration to factory defaults for reconfiguration.
  • Page 32: Configuring Maintenance

    Configuring Maintenance 1. Validating the configurations newly added to the system. Command: ZXR10_FW.system #config implement. Function: validates the configurations newly added to the system. Command Illustration: with this command the newly added configurations take effect on the device immediately, but they are not saved, so they do not persist unless the configuration is saved separately.
  • Page 33: Restoring System

    ZXR10 8900 Series Switch FW service card. Configuring System Manager As for the ZXR10 8900 Series Switch FW service card, only the super manager can configure manager accounts and add another manager. 1. Adding device manager information: name, password and privilege information.
  • Page 34 Command: ZXR10_FW. system #admininfo add. The command prompts in turn: input manager’s name: <string1>; new password: <string2>; re_enter password: <string2>; choose manager’s privilege [audit|config|vs]: <audit|config|vs>; input the comment [y/n]: <y|n>; input the comment: <string3>. Function: adds device manager information: name, password and privilege information.
  • Page 35 5. Showing the names, login addresses and online time of online managers. Command: ZXR10_FW. system #admininfo showonline. Function: shows the names, login addresses and online time of online managers.
  • Page 36: System Manager Configuration Example

    System Manager Configuration Example 1. Adding the device configuration security management manager "test".
    # admininfo add
    input manager’s name:test
    new password:
    re_enter password:
    choose manager’s privilege[audit | config ]:config
    input the comment[y/n]:y
    input the comment:config_test_user
    It prompts that the manager has been added successfully.
  • Page 37: Resource Management Configuration

    8900 Series Switch FW service card. When a resource changes, the manager only needs to modify the properties of the resource and does not need to modify all policies and rules related to it. On the ZXR10 8900 Series Switch FW service card, the user can customize the following resource types: •...
  • Page 38: Configuring Address Resource

    "’", """, "\", ";", """, "$", "&", "@", "%", "|", "~", "<", ">", "#", "+", "!", "=", "^", "?", "‘" (the key under "~"). ZXR10 8900 Series SwitchIt is available to rename resource on FW service card. Configuring Address...
  • Page 39 <macaddress>] [session <number1>] [halfsession <number2>]. Parameter Description: modify: modifies one host. name: specifies the name of the host to be modified. <string1>: a string, the name of the host.
  • Page 40 Parameter Description: ipaddr: specifies a new IP address. <string2>: a string, the IP address. macaddr: specifies a new MAC address. <macaddress>: a string, the MAC address. session: specifies the new maximum number of sessions.
  • Page 41: Setting Address Range Resource

    ZXR10_FW.define#host show: views all hosts. Setting Address Range Resource 1. Adding an address range. Command: ZXR10_FW.define#range add name <string1> ip1 <string2> ip2 <string3> [except <string4>] [session <number1>]. Function: adds an address range. Parameter Description:
  • Page 42 The value of the except parameter must lie within the range between ip1 and ip2. The default range configuration of the ZXR10 8900 Series Switch FW service card is any, 0.0.0.0-255.255.255.255. At any moment, the number of connections of an individual address within the address range cannot exceed the maximum number of sessions.
  • Page 43 This specifies the new name of the address range. <string2>: a string, the new name of the address range. Example: To rename address range range1 to range2, execute the following command:
  • Page 44 ZXR10_FW.define# range rename oldname range1 newname range2. 4. Deleting one address range. Command: ZXR10_FW.define#range delete [id <number1>] [name <string>]. Function: deletes one address range. Parameter Description: delete: deletes an address range.
  • Page 45: Setting Subnet Resource

    255.255.255.0, execute the following command: ZXR10_FW.define# subnet add name subnet1 ipaddr 192.168.10.0 mask 255.255.255.0. 2. Modifying one subnet. Command: ZXR10_FW.define#subnet modify name <string1> [ipaddr <ipaddress>] [mask <netmask>] [except <string2>] [session <number1>]. Function: modifies one subnet. Parameter Description:
  • Page 46 Parameter Description: modify: modifies one subnet. name: specifies the name of the subnet to be modified. <string1>: a string, the name of the subnet. ipaddr: sets a new address for the subnet.
  • Page 47 5. Deleting all subnets not referenced by any policy. Command: ZXR10_FW.define#subnet clean. Function: deletes all subnets not referenced by any policy. 6. Showing all subnets. Command: ZXR10_FW.define#subnet show. Function: shows all subnets.
  • Page 48: Setting Address Group

    Setting Address Group Different address resources can be combined into one address group to define a policy destination or policy source. With address groups, resource management is more flexible. 1. Adding one address group.
  • Page 49 [id <number1>] [name <string>]. Function: deletes one address group. Parameter Description: delete: deletes one address group. id: specifies the ID of the address group to be deleted. <number1>: a number, the ID of the address group.
  • Page 50 Parameter Description: name: specifies the name of the address group to be deleted. <string>: a string, the name of the address group. Command Illustration: an address group can be deleted by address group name, by address group id, or by both.
  • Page 51: Configuring Area Resource

    Access control rules use areas for access control. If no access control rule matches, the ZXR10 8900 Series Switch FW service card processes the packet according to the privilege of the area in which the destination interface is located.
  • Page 52 Command Illustration: an area is a section of network space with similar security attributes. On the ZXR10 8900 Series Switch FW service card, access control rules use areas to control access. Example: To add area_gei_1/1 bound to attribute gei_1/1 and permit access to this area, execute the following command: ZXR10_FW.define# area add name area_gei_1/1...
  • Page 53 This is a string, the name of the area. Example: To delete area_gei_1/1, execute the following command: ZXR10_FW.define# area delete name area_gei_1/1. 4. Renaming one area. Command: ZXR10_FW.define#area rename oldname <string1> newname <string2>. Function: renames one area.
  • Page 54: Configuring Time Resource

    Parameter Description: rename: renames one area. oldname: specifies the name of the area to be renamed. <string1>: a string, the name of the area. newname: specifies the new area name.
  • Page 55: Configuring Week Cycle

    The 24-hour time format is used for the start time and end time of each day period; for example 10pm is written 22:00. Example: To add week1 with the period 10:00 to 18:00 each Wednesday, execute the following command:
  • Page 56 ZXR10_FW.define# schedule add name week1 cyctype weekcyc week 3 start 10:00 end 18:00. 2. Modifying one week cycle. Command: ZXR10_FW.define#schedule modify name <string1> [type <weekcyc>] [week <string2>] [start <string3>] [end <string4>]. Function: modifies one week cycle. A week cycle indicates that this...
  • Page 57: Configuring Year Cycle

    <string1> [cyctype <yearcyc>] [sdate <string2>] [stime <string3>] [edate <string4>] [etime <string5>]. Function: adds a year cycle, which contains only one period, such as from 00:00 on January 1, 2007 to 23:00 on December 12, 2007. Parameter Description:
  • Page 58 Parameter Description: add: adds one cycle. name: sets the name of the cycle. <string1>: a string, the name of the cycle. cyctype: sets the type of cycle, weekcyc or yearcyc; the former is a week cycle and the latter a year cycle.
  • Page 59 This specifies the new name of the cycle. <string2>: a string, the new name of the cycle. Example: To rename year1 to year2, execute the following command: ZXR10_FW.define# schedule rename oldname year1 newname year2. 4. Deleting one cycle.
  • Page 60: Configuring Service Resource

    ZXR10 8900 Series User Manual (FW Volume) Command Function ZXR10_FW.define#schedule delete [id This deletes one cycle. <number1>][name <string>] Parameter Description: Parameter Description delete This deletes one cycle. This specifies ID of the cycle to be deleted. <number1> This is one number, indicating ID of cycle.
  • Page 61: Configuring Customized Services

    Command Illustration: services are classified into default services provided by the system and user-customized services. Default services cannot be added, deleted, modified or otherwise changed by the user. Example:
  • Page 62 To add service http8080 with protocol number 6 and port 8080, and httpservice as the comment, execute the following command: ZXR10_FW.define# service add name http8080 protocol 6 port 8080 comment httpservice 2.
  • Page 63 This is a string, the name of the service. Command Illustration: a service can be deleted by service name, by id, or by both. If the two are inconsistent, the service name applies.
  • Page 64: Configuring Server Group

    When no parameter is given, the services not referenced by any policy are deleted. Example: To delete service http8000, execute the following command: ZXR10_FW.define# service delete name http8000. 5. Deleting all customized services not referenced by any policy.
  • Page 65 For details, refer to section Configuring Customized Services. 3. Renaming a service group. Command: ZXR10_FW.define#group_service rename oldname <string1> newname <string2>. Function: renames a service group. Parameter Description: rename: renames a service group.
  • Page 66 Parameter Description: oldname: specifies the name of the service group to be renamed. <string1>: a string, the name of the service group (an already defined service group name). newname: specifies the new name of the service group.
  • Page 67: Zxr10 Fw Function Management

    Configuring ZXR10 FW ............58 ZXR10 FW Function Management Overview Management of most functions of the ZXR10 8900 Series Switch FW service card is based on VLANs and is performed on the main board through the command line. The following FW-related configurations are available on the main board: •...
  • Page 68: Configuring Zxr10 Fw

    Configuring ZXR10 FW Accessing and Exiting FW Configuration Mode This topic describes how to enter and exit FW configuration mode. 1. Entering FW configuration mode (used in configure terminal mode). Command: ZXR10(config)#fw. Function: enters FW configuration mode.
  • Page 69: Binding Management Ip

    ZXR10(config)#fw: enters FW configuration mode. ZXR10(config-fw)#bind mng-ip <ipaddress>: binds a management IP to the FW. ZXR10(config-fw)#show mng-ip: shows the management IP of the FW. ZXR10(config-fw)#no bind mng-ip: deletes the management IP of the FW.
  • Page 70: Configuring Flow Recovery

    Example: To bind one management IP to the FW, execute the following commands:
    ZXR10(config)#fw
    ZXR10(config-fw)#fw-template 7
    ZXR10(config-fw-templete-7)#bind slot 8
    ZXR10(config)#interface vlan 10
    ZXR10(config-if-vlan10)#bind fw-template
    ZXR10(config-if-vlan10)#ip addr 1.2.3.4 255.255.255.0
    ZXR10(config-if-vlan10)#exit
    ZXR10(config)#inter gei_1/2
    ZXR10(config-gei_1/2)#switchport mode access...
  • Page 71: Configuring Nat Ip

    ZXR10(config-fw-template-1)#nat dip <ipaddr> <ipmask>: specifies one destination NAT address (used in fw-template configuration mode). ZXR10(config-fw-template-1)#nat sip <ipaddr> <ipmask>: specifies one source NAT address (used in fw-template configuration mode).
  • Page 72: Configuring Session

    Note: the masks used in steps 3 and 4 are inverse masks, in which a 1 bit marks an address bit that is ignored, the opposite of the subnet masks used for address resources; check the address range a NAT entry covers before committing it. Example: To specify the source NAT address of fw-template 7 as 10.1.1.1 255.255.0.0, execute the following commands:
    ZXR10(config)#fw
    ZXR10(config-fw)#fw-template 7
    ZXR10(config-fw-templete-7)#bind slot 8
    ZXR10(config-fw -templete-7)#nat sip 10.1.1.1...
  • Page 73: Viewing Management Configuration

    ZXR10(config)#show fw-template <template-id>: shows fw-template information (used in any mode of the main board). ZXR10(config)#show fw-vlan-binding: shows the binding between VLANs and fw-templates (used in any mode of the main board).
  • Page 74: Configuring Vlan

    Configuring VLAN This topic describes how to configure a VLAN. 1. Creating a specific VLAN and entering VLAN configuration mode (under the configure terminal node). Command: ZXR10(config)#vlan {<vlan-id>}. Function: when this VLAN does not exist, a VLAN whose id is <...
  • Page 75 Ethernet interface. Command Illustration: there are three VLAN link types for an Ethernet interface: Access mode, Trunk mode and Hybrid mode. Access mode is used by default. A port connected to an access link can only belong to •...
  • Page 76 Command: ZXR10(config)#interface {vlan <vlan-id>|<vlan-if>}. Function: creates a VLAN L3 interface. Command Illustration: to create a VLAN L3 interface, the VLAN must be created first. 9. Enabling/Disabling a VLAN L3 interface (used under the if-vlan node)
  • Page 77: Packet Filtering And Access Control Rule Configuration

    IP packets, filter illegal packets or those denied by rules, and provide protection in the case that the GW system has not joined the GW module. To access this command module, execute the following command:
  • Page 78 To exit from this command module, execute the following command: #exit. 1. Setting the default packet filtering rule. Command: ZXR10_FW.pf #rule set default action <accept|reject> log <yes|no>. Function: sets the default packet filtering rule.
  • Page 79 3. Adding one ARP/RARP/IPX packet filtering rule. Command: ZXR10_FW.pf #rule add action <accept|reject> l2protocol <arp|0806|rarp|8035|ipx|8137> [log <yes|no>] [area <string>] [smac <string2>] [dmac <string3>]. Function: adds one ARP/RARP/IPX packet filtering rule. Parameter Description:
  • Page 80 Parameter Description: add: adds one packet filtering rule. action accept|reject: the action applied to packets matching the rule, permit or deny. l2protocol arp|0806|rarp|8035...: the L2 protocol type of the packet.
  • Page 81 ip|0800: the L2 protocol type of the packet, IP protocol or IP protocol number. area: specifies an area resource. <string1>: a string, which must be a predefined area resource. log yes|no: specifies whether to record the packet in the log.
  • Page 82 Parameter Description: smac: sets the source MAC address. <string2>: a standard MAC address string. dmac: sets the destination MAC address. <string3>: a standard MAC address string. l3protocol: the L3 protocol type of the packet.
  • Page 83: Packet Filtering Policy Configuration Example

    With MAC address filtering, only authorized MAC addresses can access network resources. In Figure 1, the aim is only to forbid the host in Area_Vlan2 whose MAC address is 00:50:04:C3:B0:31 from accessing the document server (port 8000 on 192.168.83.234/24) in Area_Vlan1.
  • Page 84: Figure 1 Packet Filtering Configuration Example

    Figure 1 Packet Filtering Configuration Example. Configuration points: • specifying the server host address; • configuring the default packet block policy; • configuring the packet block policy. 1. To configure the default packet block policy (permit any packet to pass through the FW), execute the following command:...
  • Page 85: Two

    ZXR10_FW #define subnet add name market ipaddr 10.10.10.0 mask 255.255.255.0. 4. Adding a packet block policy forbidding market from accessing port 8000 of the document server: ZXR10_FW #pf rule add sip market dip doc_server dport 8000 action reject
  • Page 86: Configuring Access Control Rules

    Configuring Access Control Rules Access Control Rule Overview With access control rules, the FW card permits or denies packets that match a rule. After receiving a packet, the FW checks it against all rules in the ACL in sequence.
  • Page 87 Multiple address names can be entered, separated by spaces, with the whole list in single quotes, such as ’aa ll’. This is the destination address.
  • Page 88 Parameter Description: <string6>: a string, a preset address name. Multiple address names can be entered, separated by spaces, with the whole list in single quotes, such as ’aa ll’.
  • Page 89 This is a string. It must be one or more preset area names. Multiple area names are separated by spaces and the whole list is quoted with single quotes, such as ’area_gei_5/1’.
  • Page 90 Parameter Description: srcvlan: sets the source VLAN. <string3>: a string, a preset VLAN number. dstvlan: sets the destination VLAN. <string4>: a string, a preset VLAN number. This is the source address.
  • Page 91 Description: <number1>: a number, the ID of a predefined rule. Example: To delete the access control rule whose id is 8503, execute the following command: ZXR10_FW.firewall #policy delete id 8503
  • Page 92: Access Control Rule Configuration Example

    Access Control Rule Configuration Example Access Control Rule Configuration Example One As shown in the network structure diagram of an enterprise, the FW card works in hybrid mode. Interface gei_2/1 belongs to the intranet area area_gei_2/1; it is a switch trunk port belonging to both VLAN 0001 and VLAN 0002, where the IP address of VLAN 0001 is 10.10.10.1...
  • Page 93 (192.168.100.143 is the published extranet address used to reach the web server). ZXR10_FW #nat policy add orig_dst 192.168.100.143 orig_service HTTP trans_dst 172.16.1.3. 6. Defining access control rules.
  • Page 94: Access Control Rule Configuration Example

    To permit intranet users to access web server, execute the following command: ZXR10_FW #firewall policy add action accept srcarea area_gei_2/1 dst 172.16.1.3 service HTTP To permit leaders of project team to access extranet and deny...
  • Page 95 To permit only partial services to be accessed and deny others, set the default access privilege of destination area to "deny". System will match default access privilege of area automatically after matching access control rule.
  • Page 96: Configuring Ids Interaction

    Configuring IDS Interaction IDS Interaction Overview It is hard for one security system to integrate all security technologies. Including IDS, anti-virus, content auditing and other functions in FW is convenient for management and maintenance, but it can also degrade performance of FW, so it is inappropriate for FW which acts as GW to integrate all security technologies.
  • Page 97 4. Clearing all IDS interaction servers. Command Function ZXR10_FW.pf #idsserver clean This clears all IDS interaction servers. 5. Showing all IDS interaction rules. Command Function ZXR10_FW.pf #idsserver show This shows all IDS interaction rules.
  • Page 99: Nat Configuration

    Translation Rule work planning and function demands. When user defines address translation rules on FW card, firstly he needs to define source and destination of this rule, that is source address range and destination
  • Page 100: Configuring Nat

    address range of packet applicable to address translation rule, then define corresponding services, and the last one is translation control mode. FW card provides the following translation control modes: •...
  • Page 101 VLAN names and all VLAN names are quoted with single quotes, such as ’1 2’. b) When adding destination address translation policy, this parameter mustn’t be set. orig_src This sets source object of original packet.
  • Page 102 Parameter Description <src_addr1> This is one string and source object name of original packet is input here. Tips: a) This parameter must be one predefined address object name. b) Multiple address objects can be input at the same time, in format of ’test1 test2’.
  • Page 103 Yes is the default value. enable This sets address translation policy switch. yes|no Yes means enabling this address translation policy and no means forbidding this address translation policy temporarily. Tips: Yes is the default value.
  • Page 104 Parameter Description before This places this address translation policy before one policy. <number> This is one number, which shall be ID of the next address translation policy after inputting this address translation policy.
  • Page 105 Values of parameters before and after cannot be set at the same time. <number3> This is one number, which is the ID of policy. Tips: Values of parameters before and after cannot be set at the same time.
  • Page 106: Nat Configuration Example

    NAT Configuration Example Address-Based Source Address Translation Configuration Example Source address translation policy of FW card supports address resource-based source address translation. Address resources that can be translated include single host, host address range and subnet.
  • Page 107: Ip Address-Based Destination Address Translation

    ZXR10_FW #define area add name area_vlan2 access on attribute interface vlan2 To set area_vlan1 and define default attribute to deny accessing, execute the following command: ZXR10_FW #define area add name area_vlan1 access off attribute interface vlan1
  • Page 108: Port-Based Destination Address Translation

    2. To specify actual address of WEB server, execute the following command: ZXR10_FW #define host add name WEB_server ipaddr 172.16.1.2 3. To specify public network address of WEB server, execute the following command: ZXR10_FW #define host add name MAP_IP ipaddr 202.99.27.201...
  • Page 109 80 and the port for web server providing services is port 8080. Therefore, destination address NAT is necessary. • When defining destination address NAT, note not to define destination AREA and destination VLAN.
  • Page 111: Protocol Filtering Configuration

    2200 is used to provide FTP service for intranet users. In case application port binding is unavailable, FW will not process packets of this connection. Customize application protocol port binding policy. System has the following default standard ports:
  • Page 112: Configuring Application Port Binding

    Application Default Port Protocol Type Used Protocol Protocol Number Name SMTP TFTP HTTP IMAP Telnet POP3 Configuring Application Port Binding This topic describes configuration commands of application protocol filtering. Commands in this module are used for application protocol filtering-related configurations.
  • Page 113 3. Deleting one application protocol port binding policy. Command Function ZXR10_FW.dpi #policy delete id <number> This deletes one application protocol port binding policy. Parameter Description: Parameter Description <number> This is one number, which is the ID of policy.
  • Page 114: Applying Port Binding Configuration Example

    Command Illustration: Command policy show can be used to view ID of policy. 4. Clearing all application protocol port binding policies. Command Function ZXR10_FW.dpi #policy clean This clears all application protocol port binding policies.
  • Page 115 To exit from this command module, execute the following command: ZXR10_FW #end 1. Enabling SIP service. Command Function ZXR10_FW.dpi #sip start This enables SIP service. 2. Disabling SIP service. Command Function ZXR10_FW.dpi #sip stop This disables SIP service.
  • Page 117: Intrusion Prevention Configuration

    This topic describes commands of configuring intrusion detection rule. To access this command module, execute the following command: ZXR10_FW #ips To exit from this command module, execute the following command: ZXR10_FW #end
  • Page 118 1. Adding protected object (host, subnet, range or address group). Command Function ZXR10_FW.ips #dos rule add protect_name <string> icmpflood <number1> ipsweep <number2> This adds the host or subnet to be protected from intrusion.
  • Page 119 mpflood|portscan|ipsweep This is the statistics type. User can give choice according to demands. threshold This sets threshold of statistics type. <number> This is one number, which is the threshold. 3. Moving intrusion detection rule.
  • Page 120 Command Function ZXR10_FW.ips #dos rule move id <number1> before <number2> This moves intrusion detection rule. Parameter Description: Parameter Description <number1> This is one number, indicating ID of the rule to be modified. <number2>...
  • Page 121 10. Deleting prevention type. Command Function ZXR10_FW.ips #dos type delete [abntype <land|smurf|pingofdeath|winnuke|tcp_sscan|ip_option|teardrop|targa3|ipspoof>]|[stattype <synflood|udpflood|icmpflood|portscan|ipsweep>] This deletes prevention type. Parameter Description: Parameter Description delete This deletes prevention type.
  • Page 123: Load Balancing Configuration

    ZXR10 8900 Series Switch FW supports session-based load balancing. There are three ways to realize ZXR10 8900 Series Switch FW server load balancing function: 1. Defining server 2. Defining load balancing group 3.
  • Page 124 User can add, modify and delete server in FW server management. Server here is mainly used for FW load balancing function. To access this command module, execute the following command: ZXR10_FW #define...
  • Page 125 <number>][name <string>] This deletes one server. Parameter Description: Parameter Description delete This deletes one server. This specifies ID of the server to be deleted. <number> This is one number, indicating ID of server.
  • Page 126: Configuring Load Balancing Group

    Parameter Description name This specifies the name of server to be deleted. <string> This is one string, indicating name of the server. Command Illustration: A server can be deleted by server name, server id or both.
  • Page 127 For details, please refer to section Configuring High Availability. 2. Modifying one load balancing group. Command Function ZXR10_FW.define #virtual_server modify name <string1> [server <string2>] [balance <rr|wrr|lc|wlc|sh|dh>] [backup <number>] This modifies one load balancing group.
  • Page 128 Parameter Description: Parameter Description modify This modifies one load balancing group. 3. Renaming load balancing group. Command Function ZXR10_FW.define #virtual_server rename oldname <string1> newname <string2> This renames load balancing group. Parameter Description: Parameter...
  • Page 129: High Availability Configuration Example

    (IP: 192.168.83.240) of FW. FW is connected with extranet through vlan interface (IP: 10.1.1.1). HTTP connection request coming from extranet is scheduled by way of polling. [Figure 7: High Availability Configuration Example] Configuration Points:
  • Page 130 • Adding routes on two web servers • Configuring IP and GW on client host; • Configuring FW interface attributes (IP addresses of areas that eth0 and eth1 belong to) • Configuring host •...
  • Page 131: Figure 8 Backing Up And Restoring User Information

    Server1 (IP: 192.168.83.234) page, as shown in the following figure. [Figure 8: Backing Up and Restoring User Information] Due to setting of polling mechanism, when refreshing the page, it turns to WebServer2 (IP: 192.168.83.235) page, as shown in Figure
  • Page 132: Figure 9 Document Group Server

    [Figure 9: Document Group Server] Notes: • During configuration process, make sure that no NAT policy and block policy conflict with this rule. • In communication, if one server is deleted from the balancing group, connections on this server will not be disconnected and configuration can get effective only after re-connection.
  • Page 133: Log And Alarm Configuration

    Configuring Logs and Alarms..........124 Log and Alarm Overview To debug, monitor and manage ZXR10 8900 Series Switch FW service card FW module conveniently, ZXR10 8900 Series Switch FW service card FW module provides log management and alarm function for user.
  • Page 134: Alarms

    Alarms ZXR10 8900 Series Switch FW service card FW module has comprehensive alarm prompt function, supports mail alarming, voice alarming, console alarming and other alarming modes. Firstly, administrator needs to add alarm rules and set alarm objects and parameters.
  • Page 135 Description <string> This is one string, indicating log type, including: mgmt, system, pf, conn, ac, secure, dpi, vpn, avse, sslvpn_conn, sslvpn_admin, sslvpn_system, all or none. 4. Deleting log type transmitted to log server.
  • Page 136: Viewing Log

    Command Function ZXR10_FW.log #log type_set delete <string> This deletes log type transmitted to log server. Example 1. To set log server to 192.168.1.25, protocol and port to TCP:524, log transmission type to syslog, and permit log transmission, execute the following command: ZXR10_FW.log # log set ipaddr 192.168.1.25 port tcp:524...
  • Page 137: Configuring Alarms

    |hardware|recover|n indicates policy alarm, communication oticetest|all> indicates communication alarm, hardware indicates hardware alarm, recover indicates recover alarm, noticetest indicates test alarm and all indicates alarm of all events. Confidential and Proprietary Information of ZTE CORPORATION...
  • Page 138 ZXR10 8900 Series User Manual (FW Volume) Parameter Description noticeid This sets id of alarming mode. <number> This is one number, indicating ID of alarming mode. noticename This sets name of alarming mode. <string> This is one string, indicating name of alarming mode.
  • Page 139 This specifies the name of alarm to be modified. <string1> This is a string, indicating the name of alarm. auth This specifies if the mail server of mail alarm needs authentication. Confidential and Proprietary Information of ZTE CORPORATION...
  • Page 140 ZXR10 8900 Series User Manual (FW Volume) Parameter Description on|off Off indicates authentication is not needed and when selecting this option, it doesn’t need to set the following parameters; on indicates authentication is needed. username This is the username of authentication on mail server.
  • Page 141 User can verify effectiveness of alarm rules through testing after successfully adding alarming mode and setting alarm- triggered security event. To add alarm mail1 sent to user@zte.com.cn and set ip address Example of SMTP mail server to 192.168.1.2, port id to 25 and subject of alarm mail to "Mail Alarm", execute the following command:...
  • Page 142 ZXR10 8900 Series User Manual (FW Volume) This page is intentionally blank. Confidential and Proprietary Information of ZTE CORPORATION...
  • Page 143: Figures

    Figure 6 Port-Based Destination Address Translation Configuration Example ........98 Figure 7 High Availability Configuration Example ....119 Figure 8 Backing up and Restoring User Information .... 121 Figure 9 Document Group Server........122
  • Page 145: Tables

    Tables
  • Page 147: Glossary

    PPTP - PPP Tunnel Protocol RSTP - Rapid Spanning Tree Protocol TELNET - Telecommunication Network Protocol TFTP - Trivial File Transfer Protocol VLAN - Virtual Local Area Network VPN - Virtual Private Network