Working Modes - Zte ZXR10 8900 Series User Manual

10g routing switch

ZXR10 8900 Series User Manual (FW Volume)
Policy destination defines the scope of the destination address. Like policy source, policy destination can contain one or multiple hosts, subnets, scopes and multiple areas (or VLANs).

Policy service defines the network protocol used by the packet and the specific port id.

Access control defines the FW operations applied to packets that meet the policies, including permit (permit the packet to pass through) and deny (drop this packet).

When a packet matches an access policy, it means that the source address of the packet is within the scope defined by policy source, the destination address of the packet is within the scope defined by policy destination, the port id corresponding to the packet is contained in policy service, and the packet receiving time meets the requirement of policy access time (if access time is defined). A policy matches a packet only when the packet meets all conditions required by the policy.

Note that one content filtering policy and one application identity policy shall be defined for each access rule to filter and inspect data at the application layer. FW searches for the access policy matching a packet according to the following steps:

1. ZXR10 8900 Series Switch FW module retrieves the access control rule table according to the sequence of access policies and matches the policies against the packet one by one. Once an access policy is found to match the packet, FW stops checking further access policies and processes the packet (permit or deny) according to the rules defined in the first matched access policy. If no access policy is found to match this packet, FW processes the packet according to the default access control properties on the packet sending interface.

2. If the packet is forbidden to be forwarded, it is dropped; if the packet is permitted to be forwarded, FW checks whether this policy defines a DPI policy or an application identity policy.

3. If an application identity policy is defined in the policy, FW checks whether any protocol of the application identity policy is used in the application layer of the packet. If a corresponding protocol is used, FW processes the packet according to the operations defined by this application identity policy.
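
The first-match lookup and the interface default described above can be modelled offline to audit rule order. The following is an added example, not ZTE code or CLI syntax: the field names, the sample rule table and the `shadowed` helper are assumptions made for illustration. It shows a deny policy that never takes effect because an earlier, broader permit policy always matches first.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:              # field names are illustrative, not ZTE CLI syntax
    name: str
    src: str               # policy source (CIDR)
    dst: str               # policy destination (CIDR)
    proto: str             # policy service: protocol
    ports: range           # policy service: port ids
    action: str            # access control: "permit" or "deny"
    window: tuple = ()     # access time (start, end); empty = not defined

    def matches(self, pkt):
        # A policy matches only when every condition holds.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and pkt["proto"] == self.proto and pkt["port"] in self.ports
                and (not self.window or self.window[0] <= pkt["at"] <= self.window[1]))

    def covers(self, other):
        # True when every packet matching `other` also matches this policy.
        return (not self.window and self.proto == other.proto
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports.start <= other.ports.start
                and other.ports.stop <= self.ports.stop)

def evaluate(policies, pkt, if_default):
    for p in policies:     # table order; the first match decides
        if p.matches(pkt):
            return p.action, p.name
    # No match: default access control of the sending interface applies.
    return if_default[pkt["out_if"]], "default:" + pkt["out_if"]

def shadowed(policies):
    # Policies that can never be the first match: an earlier one covers them.
    return [p.name for i, p in enumerate(policies)
            if any(q.covers(p) for q in policies[:i])]

# Constructed sample rule table and interface defaults.
RULES = [
    Policy("web-in", "0.0.0.0/0", "10.1.20.0/24", "tcp", range(80, 81), "permit"),
    Policy("mgmt-day", "10.1.10.0/24", "10.1.20.0/24", "tcp", range(22, 23),
           "permit", (time(8), time(18))),
    Policy("kiosk-deny", "10.1.30.0/24", "10.1.20.0/24", "tcp", range(80, 81), "deny"),
]
DEFAULTS = {"vlan20": "deny"}
```

Moving `kiosk-deny` ahead of `web-in` in the table makes the deny take effect, which is why the sequence of access policies needs review whenever a rule is added.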

Working Modes

ZXR10 8900 Series Switch FW protects VLAN interfaces and supports two working modes: routing mode and hybrid mode.

Route Mode
In this mode, ZXR10 8900 Series Switch FW protects L3 packets on the protected VLAN interface. All L3 packets passing through the protected VLAN are forwarded only after being processed by the FW module. This mode is applicable to the case where each area is in a separate network segment. As on a router, an IP address shall be configured for each VLAN interface in routing mode or hybrid mode according to area planning.

Hybrid Mode
In this mode, ZXR10 8900 Series Switch FW protects L2 and L3 packets on the protected VLAN interface. Both internal L2 packets of the protected VLAN and L3 packets crossing VLANs are forwarded after being processed by the FW module.
Confidential and Proprietary Information of ZTE CORPORATION