Working Principle - Zte ZXR10 8900 Series User Manual

10g routing switch

Hide thumbs Also See for ZXR10 8900 Series:

User manual (186 pages)

Command manual (177 pages)

Command reference manual (147 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

page of 147

/ 147
Contents
Table of Contents
Bookmarks

Table of Contents

ZXR10 8900 Series User Manual (FW Volume)

Data Flow

Processing Flow

Confidential and Proprietary Information of ZTE CORPORATION

Working Principle

Generally, FW is used to control access from external untrusted

networks (such as Internet) to internal trusted networks and mu-

tual accesses among different areas within internal network. OS

platform used by ZXR10 8900 Series Switch FW is the latest mod-

ular OS. By uploading a series of functional modules such as FW

module and packet filtering module, FW module can control data

flow traversing security device by setting access rules, packet fil-

tering rules, interface properties and other mechanisms. ZXR10

8900 Series Switch FW takes the following basic steps to process

packets:

1. Fast Forwarding

As for a newly received legal packet, FW firstly searches ses-

sion table to see if this packet has belonged to one existed ses-

sion. If so, FW processes this packet according to correspond-

ing session in the session table. When the packet matches

access rule and address translation policy of this session, FW

processes this packet fast. If the session is unavailable, it indi-

cates this packet belongs to one new session. FW will retrieve

routing table, address translation policy table and access rule

table to collect policies related to this packet, that is entering

"Receiving and Processing" flow.

2. Receiving and Processing

ZXR10 8900 Series Switch FW module invokes related func-

tional module and conducts initial processing to received pack-

ets. The following functional modules are invoked:

IDS Module, used to perform intrusion detection to pack-

�

ets. If the received packet matches IDS rule, it is regarded

illegal and dropped.

IP-MAC binding module. If

�

data contained in header of received packet break rules in

IP-MAC binding table, the packet will be dropped.

3. Rule Matching

At this step, FW matches the packet passing through receiving

and processing step with a series of rules. The following mod-

ules are invoked:

PF module. PF module not only conducts L2/L3 protocol

�

filtering to the packet, but also checks if the packet belongs

to the service that can pass through.

Address translation module.

�

gives processing method of received packet. ZXR10 8900

Series Switch FW module supports four address translation

policies:

–

Forwarding directly

FW doesn't process packet and the packet is forwarded

directly. This is default address translation policy of

ZXR10 8900 Series Switch FW.

–

Translating source address

address and

MAC

Address translation policy

address

Table of Contents

Working Principle - Zte ZXR10 8900 Series User Manual

Working Principle

Related Manuals for Zte ZXR10 8900 Series

Related Content for Zte ZXR10 8900 Series

Table of Contents