Zte ZXR10 8900 Series User Manual page 13

10g routing switch

FW translates the source IP address (or port id) of the received packet to a preset IP address (or port id), and then forwards the packet with the modified source address.

Translating destination address
FW translates the destination IP address or port id of the received packet (the FW interface address in usual cases) to a preset IP address or port id (the actual IP address or port id), and then forwards the packet with the modified destination address.

Bi-directional NAT
FW translates the source address and destination address (or port id) of the packet at the same time.

Access control module. An access control rule defines whether FW permits the packets matching the rule to pass through. When receiving a packet, FW matches it against the rules in the access rule table one by one according to policy sequence number and processes the packet according to the operation (permit or deny) specified by the corresponding policy. If no corresponding access policy is matched, the packet will be forwarded to the destination interface. ZXR10 8900 Series SwitchFW will process this packet according to the default property (permit or deny) of the area where the destination interface is located.

4. Session Establishment
For a packet that matches no existing session, ZXR10 8900 Series SwitchFW creates a new record in the session table according to the packet processing information from steps 1-3, including the packet destination address, source address, route, address translation policy, access rule and other information. Packets of this session received after the new record is created are processed according to the record in the session table.

5. Processing before Routing
When a policy changes during the communication process, FW re-invokes the packet filtering module and the access control module to match the packet against the policy.

6. Route Querying
The ZXR10 8900 Series SwitchFW module selects the packet forwarding interface according to the routing table or the MAC address table learned on each interface. If the packet address has been translated, FW searches the NAT table to find the actual address for routing.

Matching Access Control Rules
Access control rules are a set of policies customized by the user. These rules can define which packets (meeting certain conditions) can pass FW and which packets (meeting some other conditions) will be denied by FW. The data contained in each access policy includes: the source address and destination address of the packet, the service (protocol type and port id) and the operation (forwarding or dropping) performed on the packets meeting the conditions.
In an access policy, the policy source defines the source of the packet, which can be one or multiple objects (such as host, subnet, scope and so on). When the source address of the packet belongs to the scope of the policy source, it is considered to meet the constraint conditions of the policy source.
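The rule matching and session handling described on this page, modelled in Python as an added example (not ZTE code or device configuration). The class, field and area names and the sample policy are assumptions constructed for illustration; the model also records denied flows in the session table, which the manual does not specify.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # one access policy; field names are assumptions
    seq: int                # policy sequence number
    src: str                # policy source, given as a subnet
    dst: str                # policy destination, given as a subnet
    proto: str              # service: protocol type ...
    port: int               # ... and port id (0 means any port)
    action: str             # "permit" or "deny"

class Firewall:
    def __init__(self, rules, area_default):
        self.rules = sorted(rules, key=lambda r: r.seq)
        self.area_default = area_default  # default property per destination area
        self.version = 0                  # bumped on every policy change
        self.sessions = {}                # flow tuple -> (action, policy version)

    def _match(self, pkt, dst_area):
        src, dst, proto, port = pkt
        for r in self.rules:              # one by one, in sequence-number order
            if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                    and r.proto == proto and r.port in (0, port)):
                return r.action           # first matching policy decides
        return self.area_default[dst_area]  # no policy matched

    def process(self, pkt, dst_area):
        """Return (action, source) with source 'session' or 'rules'."""
        hit = self.sessions.get(pkt)
        if hit and hit[1] == self.version:
            return hit[0], "session"      # later packets follow the session record
        action = self._match(pkt, dst_area)  # new flow, or policy has changed
        self.sessions[pkt] = (action, self.version)
        return action, "rules"

    def add_rule(self, rule):
        self.rules = sorted(self.rules + [rule], key=lambda r: r.seq)
        self.version += 1                 # stale records are re-matched

# Constructed sample policy and packets (documentation address ranges).
fw = Firewall(
    [Rule(10, "192.0.2.0/24", "198.51.100.10/32", "tcp", 443, "permit"),
     Rule(20, "192.0.2.0/24", "198.51.100.0/24", "tcp", 0, "deny")],
    area_default={"dmz": "deny", "trust": "permit"})
WEB = ("192.0.2.7", "198.51.100.10", "tcp", 443)
print(fw.process(WEB, "dmz"), fw.process(WEB, "dmz"))
```

Because the first matching sequence number decides, a broad rule given a lower number than a specific one shadows it; reviewing the table in sequence order is the check that catches this.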
Confidential and Proprietary Information of ZTE CORPORATION
Chapter 1 Firewall Overview