Zte ZXR10 8900 Series User Manual page 95

Chapter 5 Packet Filtering and Access Control Rule Configuration
Configuration Points:
Defining area and address resources
Defining service resource
Defining service group resource
1. Defining area resources: To join gei_2/1, gei_2/2 and gei_2/3 to
vlan1, vlan2 and vlan3 respectively in access mode, execute the
following commands:
ZXR10_FW #define area add name area_vlan1 access on attribute gei_2/1
ZXR10_FW #define area add name area_vlan2 access on attribute gei_2/2
ZXR10_FW #define area add name area_vlan3 access on attribute gei_2/3
2. Defining host and subnet address resources: To define the host
address resource "192.168.100.140" and the subnet address resource
(intranet resource) inner_web, execute the following commands:
ZXR10_FW #define host add name 192.168.100.140 ipaddr 192.168.100.140
ZXR10_FW #define subnet add name inner_web ipaddr 192.168.101.0 mask 255.255.255.0
3. Defining a customized service: To define a service named Web_port
on port 8080, execute the following command:
ZXR10_FW #define service add name Web_port protocol tcp port 8080
4. Setting service group resource: To name the service group
inner_web_srv (intranet access service) and include the services
Web_port, FTP, TELNET and SSH in this group, execute the following
command:
ZXR10_FW #define group_service add name inner_web_srv member Web_port,FTP,TELNET,SSH
5. Setting access control rules:
Permit the subnet object (intranet) inner_web (192.168.101.0/24) in
area_vlan3 to access the Web_port, FTP, TELNET and SSH services
(bound in the customized service group inner_web_srv) on the server
in area_vlan2 with IP address 192.168.100.140:
ZXR10_FW #firewall policy add action accept srcarea area_vlan3 dstarea area_vlan2 src inner_web dst 192.168.100.140 service inner_web_srv enable yes
Set a service access control rule that only permits extranet users
(area_vlan1) to access the service on port 8080 of server
192.168.100.140:
ZXR10_FW #firewall policy add action accept srcarea area_vlan1 dstarea area_vlan2 dst 192.168.100.140 service Web_port enable yes
Notes:
To permit access to only some services and deny all others, set the
default access privilege of the destination area to "deny". After
matching the access control rules, the system automatically applies
the default access privilege of the area.
Confidential and Proprietary Information of ZTE CORPORATION
85
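The following added example (written for this page, not ZTE code or the ZXR10 firewall's own implementation) models how the resource and policy commands above fit together: it parses a constructed copy of the page's define and firewall policy commands, resolves the host, subnet, service and service group names, and evaluates flows against the policies in order, falling back to the destination area's default access privilege when no rule matches, as the Notes describe. The port numbers behind the predefined FTP, TELNET and SSH service names, the set_area_default method (the page does not show the command that sets an area's default privilege) and the "accept" fallback for an area with no explicit default are assumptions.

```python
"""Policy-matching model of the ZXR10_FW commands shown on this page.

Added example, not ZTE code. Parses a constructed copy of the page's
define / firewall policy commands and evaluates flows against them.
"""
import ipaddress

# Assumption: port numbers behind the predefined FTP/TELNET/SSH service names.
BUILTIN_SERVICES = {"FTP": ("tcp", 21), "TELNET": ("tcp", 23), "SSH": ("tcp", 22)}

# Constructed config: the page's commands, one per line, without the prompt.
CONFIG = """\
define area add name area_vlan1 access on attribute gei_2/1
define area add name area_vlan2 access on attribute gei_2/2
define area add name area_vlan3 access on attribute gei_2/3
define host add name 192.168.100.140 ipaddr 192.168.100.140
define subnet add name inner_web ipaddr 192.168.101.0 mask 255.255.255.0
define service add name Web_port protocol tcp port 8080
define group_service add name inner_web_srv member Web_port,FTP,TELNET,SSH
firewall policy add action accept srcarea area_vlan3 dstarea area_vlan2 src inner_web dst 192.168.100.140 service inner_web_srv enable yes
firewall policy add action accept srcarea area_vlan1 dstarea area_vlan2 dst 192.168.100.140 service Web_port enable yes
"""


class Firewall:
    def __init__(self):
        self.areas = {}         # area name -> interface attribute
        self.addresses = {}     # host/subnet name -> ip_network
        self.services = {}      # service or group name -> set of (proto, port)
        self.policies = []      # ordered list of parsed policy dicts
        self.area_default = {}  # dst area -> action used when no policy matches

    def load(self, text):
        for line in text.splitlines():
            tokens = line.split()
            if not tokens:
                continue
            if tokens[0] == "define":
                kind, params = tokens[1], tokens[3:]      # skip the "add" verb
            elif tokens[:2] == ["firewall", "policy"]:
                kind, params = "policy", tokens[3:]
            else:
                raise ValueError(f"unsupported command: {line}")
            # Every command on the page is "keyword value" pairs after the verb.
            kv = dict(zip(params[0::2], params[1::2]))
            getattr(self, f"_add_{kind}")(kv)

    def _add_area(self, kv):
        self.areas[kv["name"]] = kv["attribute"]

    def _add_host(self, kv):
        self.addresses[kv["name"]] = ipaddress.ip_network(kv["ipaddr"])

    def _add_subnet(self, kv):
        self.addresses[kv["name"]] = ipaddress.ip_network(
            f"{kv['ipaddr']}/{kv['mask']}", strict=False)

    def _add_service(self, kv):
        self.services[kv["name"]] = {(kv["protocol"], int(kv["port"]))}

    def _add_group_service(self, kv):
        members = set()
        for name in kv["member"].split(","):
            if name in self.services:
                members |= self.services[name]
            else:
                members.add(BUILTIN_SERVICES[name])
        self.services[kv["name"]] = members

    def _add_policy(self, kv):
        self.policies.append(kv)

    def set_area_default(self, area, action):
        """Stand-in (assumed) for setting an area's default access privilege."""
        self.area_default[area] = action

    def evaluate(self, srcarea, dstarea, src_ip, dst_ip, proto, port):
        """Return "accept" or "deny": first matching enabled policy wins,
        otherwise the destination area's default privilege applies."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for p in self.policies:
            if p.get("enable") != "yes":
                continue
            if p["srcarea"] != srcarea or p["dstarea"] != dstarea:
                continue
            if "src" in p and src_ip not in self.addresses[p["src"]]:
                continue
            if "dst" in p and dst_ip not in self.addresses[p["dst"]]:
                continue
            if "service" in p and (proto, port) not in self.services[p["service"]]:
                continue
            return p["action"]
        # Assumption: an area with no explicit default privilege permits traffic,
        # which is why the Notes tell you to set the destination area to deny.
        return self.area_default.get(dstarea, "accept")


def build_example():
    """Load the page's config and apply the Notes: default deny on area_vlan2."""
    fw = Firewall()
    fw.load(CONFIG)
    fw.set_area_default("area_vlan2", "deny")
    return fw


if __name__ == "__main__":
    fw = build_example()
    for flow in [("area_vlan3", "area_vlan2", "192.168.101.7", "192.168.100.140", "tcp", 22),
                 ("area_vlan1", "area_vlan2", "10.0.0.9", "192.168.100.140", "tcp", 8080),
                 ("area_vlan1", "area_vlan2", "10.0.0.9", "192.168.100.140", "tcp", 22)]:
        print(flow, "->", fw.evaluate(*flow))
```

Running it shows the effect of the Notes: an area_vlan1 host reaching port 8080 on 192.168.100.140 is accepted by the second rule, while the same host on port 22 matches no rule and is decided by area_vlan2's default privilege, so the rule set only restricts services if that default is deny.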
