Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 1
4.1 Network Requirements ........ 1
4.2 Networking Diagram ........ 2
4.3 Configuration Procedure ........
4.4 Complete Configuration ........
www.h3c.com
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (versions R2126 and newer do not support this feature).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, assume that the firewall board is seated in slot 4 of the S9500 switch. The internal host and the external host reside in the Trust zone and the Untrust zone of the firewall respectively. Now it is required that all the packets sourced from the external host be filtered within 100 minutes. The IP address of the external network host is 202.0.0.1.
Page 1 of 5
# Configure a route, setting the next hop of the external network packets to the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Enter SecBlade view, configure the interconnecting sub-interface and external network sub-interface of the SecBlade (by default, the username and password are SecBlade, case sensitive).
Copyright 2007 Hangzhou H3C Technologies Co., Ltd.
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes: the next hop for internal network packets is the S9500, and the next hop for external network packets is the router.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
#
interface Ethernet3/1/1
 port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
 secblade-interface vlan-interface 30
 security-vlan 50
 map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system
Table of Contents
1 Versions Applicable ........ 1
2 Precautions ........ 1
3 Configuration Examples ........ 1
3.1 Network Requirements ........ 1
3.2 Networking Diagram ........ 2
3.3 Configuration Procedure ........ 2
3.4 Complete Configuration ........ 3
2 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.
3 Configuration Examples
3.1 Network Requirements
In the network shown in Figure 3-1, assume that the firewall is seated in slot 4 of the S9500 switch and operates in route mode. The gateways of both the internal host and the external host are on the firewall. In this case, no Layer 3 interfaces need to be configured on the S9500 switch, which can act as a Layer 2-only device; all Layer 3 forwarding is carried out by the firewall.
# Configure the SecBlade module, and configure the internal VLAN 50 and the external VLAN 60 as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 50 60
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the sub-interface and add it to the corresponding zone (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view
# In SecBlade view, set the firewall mode to route mode, configure the IP addresses of the sub-interfaces, and add the sub-interfaces to the corresponding zones.
[SecBlade_FW] firewall mode route
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] ip address 60.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.60
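The consistency checks an operator would run over a SecBlade sub-interface and zone procedure like the two on this page (the slot-4 example earlier and the route-mode one just above), as an added Python example that is not part of H3C's documentation. The sample configuration is constructed from the page's own commands, and the audit rules (VID equal to the sub-interface number, every sub-interface in exactly one zone, the default permit from the Precautions section present) are assumptions about what a correct configuration looks like:

```python
import re
# Constructed sample (one command per line, prompts kept): this page's route-mode
# SecBlade procedure, without the "firewall packet-filter default permit" command
# that the Precautions section says is required before any packet is forwarded.
SAMPLE_CONFIG = """
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] ip address 60.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.60
"""
PROMPT = re.compile(r"^\[[^\]]+\]\s*")  # strips the "[SecBlade_FW-...] " prompt
IFACE = re.compile(r"(?:GigabitEthernet\s*|g)(\d+/\d+)\.(\d+)", re.I)  # g0/0.50 or GigabitEthernet 0/0.50

def canon(words):
    # Normalise both interface spellings used on the page to "GigabitEthernet0/0.50".
    m = IFACE.search(" ".join(words))
    return f"GigabitEthernet{m.group(1)}.{m.group(2)}" if m else None

def audit(config):
    """Findings: sub-interface without IP or VID, VID not equal to the sub-interface number,
    interface in zero or several zones, zone naming an unconfigured interface, no default permit."""
    ifaces, zones, cur_if, cur_zone, permit = {}, {}, None, None, False
    for raw in config.splitlines():
        words = PROMPT.sub("", raw).split()  # an empty line gives [] and matches nothing below
        if words[:1] == ["interface"]: cur_if = canon(words); ifaces.setdefault(cur_if, {})
        elif words[:2] == ["ip", "address"] and cur_if:
            ifaces[cur_if]["ip"] = words[2]
        elif words[:3] == ["vlan-type", "dot1q", "vid"] and cur_if:
            ifaces[cur_if]["vid"] = words[3]
        elif words[:2] == ["firewall", "zone"]: cur_zone = words[2]; zones.setdefault(cur_zone, set())
        elif words[:2] == ["add", "interface"] and cur_zone:
            zones[cur_zone].add(canon(words))
        elif words == ["firewall", "packet-filter", "default", "permit"]: permit = True
    findings = []
    for name, attrs in ifaces.items():
        sub = name.rsplit(".", 1)[1]  # sub-interface number, expected to equal the dot1q VID
        if "ip" not in attrs: findings.append(f"{name}: no IP address")
        if "vid" not in attrs: findings.append(f"{name}: no dot1q VID")
        elif attrs["vid"] != sub: findings.append(f"{name}: VID {attrs['vid']} != sub-interface {sub}")
        n = sum(name in members for members in zones.values())
        if n != 1: findings.append(f"{name}: in {n} zones, expected exactly 1")
    for zone, members in zones.items():
        for m in members - set(ifaces): findings.append(f"zone {zone}: unconfigured interface {m}")
    if not permit: findings.append("firewall packet-filter default permit not set: nothing is forwarded")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the missing default permit; appending that command to the sample yields an empty findings list.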
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system
Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 1
4.1 Network Requirements ........ 1
4.2 Networking Diagram ........ 2
4.3 Configuration Procedure ........ 2
4.4 Complete Configuration ........ 3
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (versions R2126 and newer do not support this feature).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions