Tuesday, March 25, 2014

How to configure single arm routing for Huawei USG2130 firewall

Have you faced this requirement: VLANs are partitioned on the switch and single-arm routing is configured on the Huawei USG2130, and VLAN30 must be able to access VLAN10 and VLAN20, while VLAN10 and VLAN20 must not be able to access VLAN30.

Cause analysis: the USG2130 has only one Layer 3 interface, the WAN port (E0/0/0), which supports sub-interfaces. Given the current requirement, that port is used as the LAN-side interface, and a VLAN is created whose VLAN interface serves as the Internet-facing interface. If all the VLAN sub-interfaces sit in the same security zone, access control between the VLANs is complicated; if each VLAN interface is placed in its own zone, the control can be done with interzone packet filtering, which is simple and reliable.

Process:
1 Enter each sub-interface, configure its IP address and set 802.1Q encapsulation.
[USG2130]int e0/0/0.1
[USG2130-Ethernet0/0/0.1]description VLAN10
[USG2130-Ethernet0/0/0.1]ip address 192.168.1.1 24
[USG2130-Ethernet0/0/0.1]vlan-type dot1q 10

[USG2130]int e0/0/0.2
[USG2130-Ethernet0/0/0.2]description VLAN20
[USG2130-Ethernet0/0/0.2]ip add 192.168.2.1 24
[USG2130-Ethernet0/0/0.2]vlan-type dot1q 20

[USG2130]int e0/0/0.3
[USG2130-Ethernet0/0/0.3]description VLAN30
[USG2130-Ethernet0/0/0.3]ip add 192.168.3.1 24
[USG2130-Ethernet0/0/0.3]vlan-type dot1q 30

2 Create a VLAN for the Internet connection and configure its IP address.
[USG2130]vlan 3
[USG2130-vlan3]description WAN
[USG2130]int e1/0/0
[USG2130-Ethernet1/0/0]port access VLAN 3
[USG2130]int VLAN 3
[USG2130-Vlanif3]description TO-INTERNET
[USG2130-Vlanif3]ip add 100.100.100.1 30

3 Define three custom zones, assign the VLAN sub-interfaces to them, and put Vlanif 3 into the untrust zone.
[USG2130]firewall zone name lan1
[USG2130-zone-lan1]set priority 60
[USG2130-zone-lan1]add interface e0/0/0.1

[USG2130]firewall zone name lan2
[USG2130-zone-lan2]set priority 65
[USG2130-zone-lan2]add interface e0/0/0.2

[USG2130]firewall zone name lan3
[USG2130-zone-lan3]set priority 70
[USG2130-zone-lan3]add interface e0/0/0.3

[USG2130]firewall zone untrust
[USG2130-zone-untrust]add interface vlan3

4 Create ACLs for access control between the VLANs and apply them to the interzones.
[USG2130]acl 3001
[USG2130-acl-adv-3001]rule permit IP source 192.168.3.0 0.0.0.255
[USG2130]acl 3002
[USG2130-acl-adv-3002]rule deny IP source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[USG2130-acl-adv-3002]rule deny IP source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[USG2130-acl-adv-3002]rule permit IP

[USG2130]firewall interzone lan1 lan3
[USG2130-interzone-lan3-lan1]packet-filter 3001 outbound
[USG2130-interzone-lan3-lan1]packet-filter 3001 inbound

[USG2130]firewall interzone lan2 lan3
[USG2130-interzone-lan3-lan2]packet-filter 3001 outbound
[USG2130-interzone-lan3-lan2]packet-filter 3002 inbound

5 (Optional) Change the zone of interface Ethernet0/0/0.
[USG2130]firewall zone untrust
[USG2130-zone-untrust]undo add interface e0/0/0
[USG2130-zone-untrust]firewall zone trust
[USG2130-zone-trust]add interface e0/0/0

6 Complete the NAT configuration.
[USG2130-zone-trust]acl 2000
[USG2130-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.3
[USG2130]firewall interzone trust untrust
[USG2130-interzone-trust-untrust]nat outbound 2000 interface VLAN 3
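To sanity-check the zone and ACL design of steps 3 and 4 before pushing it to the box, here is an added Python model (not from this post or from Huawei) of how the interzone packet filters resolve: a packet is "outbound" when it leaves the higher-priority zone for the lower one, ACL rules match first-hit using wildcard masks, and a flow that no ACL rule or interzone permits falls to the default interzone action, which the model assumes is deny. The host addresses used to exercise it are constructed.

```python
from ipaddress import ip_address, ip_network
# Zone priorities from step 3 (higher = more trusted) and the subnet behind each zone.
ZONES = {"lan1": 60, "lan2": 65, "lan3": 70}
SUBNETS = {"lan1": "192.168.1.0/24", "lan2": "192.168.2.0/24", "lan3": "192.168.3.0/24"}

# ACL rules from step 4 as (action, src, src_wildcard, dst, dst_wildcard); None = any.
ACLS = {
    3001: [("permit", "192.168.3.0", "0.0.0.255", None, None)],
    3002: [("deny", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
           ("deny", "192.168.2.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
           ("permit", None, None, None, None)],
}
# Interzone packet-filters from step 4: zone pair -> ACL applied in each direction.
INTERZONE = {frozenset({"lan1", "lan3"}): {"outbound": 3001, "inbound": 3001},
             frozenset({"lan2", "lan3"}): {"outbound": 3001, "inbound": 3002}}

def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 1 bit means 'don't care' (the inverse of a netmask)."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_decision(acl_id, src, dst):
    """First matching rule wins; no match falls through to the interzone default
    action, assumed here to be deny (the USG default for user-defined zones)."""
    for action, s, sw, d, dw in ACLS[acl_id]:
        if (s is None or wildcard_match(src, s, sw)) and \
           (d is None or wildcard_match(dst, d, dw)):
            return action
    return "deny"

def direction(src_zone, dst_zone):
    """Huawei semantics: outbound = from the higher-priority zone to the lower one."""
    return "outbound" if ZONES[src_zone] > ZONES[dst_zone] else "inbound"

def zone_of(addr):
    for zone, net in SUBNETS.items():
        if ip_address(addr) in ip_network(net):
            return zone
    raise ValueError(f"{addr} is not in any LAN zone")

def is_permitted(src, dst):
    """Would the first packet of a flow from src to dst pass the policy above?"""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True   # same zone: the interzone packet filter does not apply
    filters = INTERZONE.get(frozenset({sz, dz}))
    if filters is None:
        return False  # no interzone configured (e.g. lan1-lan2): default deny
    return acl_decision(filters[direction(sz, dz)], src, dst) == "permit"
```

Calling is_permitted("192.168.1.10", "192.168.2.10") returns False, which shows that under this configuration VLAN10 and VLAN20 cannot reach each other either, because no lan1-lan2 interzone filter is defined.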

Summary: because the capabilities of the network device are limited, meeting this special requirement meant departing from the normal configuration procedure and planning, and making use of the USG2130's custom-zone interzone packet filtering together with its VLAN function.

Huawei firewalls including the USG2220, USG2250 and USG5310 are more than 30% off on Huanetwork.com, at competitive prices.

