Single arm routing configuration for Huawei USG2130 firewall

Upload: huanetwork

Post on 15-May-2015

Category:

Technology


DESCRIPTION

Leading Huawei networking products distributor-huanetwork.com Single Arm Routing Configuration for Huawei USG2130 Firewall

TRANSCRIPT

Page 1: Single Arm Routing Configuration for Huawei USG2130 Firewall

Single arm routing configuration for Huawei USG2130 firewall

Have you run into this requirement: VLANs are partitioned on the switch and single arm routing is set up on the Huawei USG2130, so that VLAN30 can access VLAN10 and VLAN20, but VLAN10 and VLAN20 are unable to access VLAN30?

Cause analysis: the USG2130 has only one Layer 3 interface, the WAN port (E0/0/0), and this is the port that supports sub-interfaces. For the current requirement we therefore use this port as the interface for the internal VLANs, and create a VLAN whose VLAN interface serves as the Internet interface. If the VLANs are placed in the same zone, VLAN access control is more complex to implement. If the VLAN interfaces are divided into different zones, access control can be implemented with interzone packet filtering, which is simple and reliable.

How to configure single arm routing for Huawei USG2130 firewall

Process:

1 Enter each sub-interface, configure its IP address, and set 802.1Q encapsulation.

[USG2130]int e0/0/0.1

[USG2130-Ethernet0/0/0.1]description VLAN10

[USG2130-Ethernet0/0/0.1]ip address 192.168.1.1 24

[USG2130-Ethernet0/0/0.1]vlan-type dot1q 10

[USG2130]int e0/0/0.2

[USG2130-Ethernet0/0/0.2]description VLAN20

[USG2130-Ethernet0/0/0.2]ip add 192.168.2.1 24

[USG2130-Ethernet0/0/0.2]vlan-type dot1q 20

[USG2130]int e0/0/0.3

[USG2130-Ethernet0/0/0.3]description VLAN30

[USG2130-Ethernet0/0/0.3]ip add 192.168.3.1 24

[USG2130-Ethernet0/0/0.3]vlan-type dot1q 30

2 Create a VLAN for the Internet connection and configure its IP address.

[USG2130]vlan 3

[USG2130-vlan3]description WAN

[USG2130]int e1/0/0

[USG2130-Ethernet1/0/0]port access VLAN 3

[USG2130]int VLAN 3

[USG2130-Vlanif3]description TO-INTERNET

[USG2130-Vlanif3]ip add 100.100.100.1 30

3 Create three custom zones, add the VLAN sub-interfaces to them, and add Vlan 3 to the untrust zone.

[USG2130]firewall zone name lan1

[USG2130-zone-lan1]set priority 60

[USG2130-zone-lan1]add interface e0/0/0.1

[USG2130]firewall zone name lan2

[USG2130-zone-lan2]set priority 65

[USG2130-zone-lan2]add interface e0/0/0.2

[USG2130]firewall zone name lan3

[USG2130-zone-lan3]set priority 70

[USG2130-zone-lan3]add interface e0/0/0.3

[USG2130]firewall zone untrust

[USG2130-zone-untrust]add interface vlan3

4 Create the ACLs for access control between the VLANs and apply them between the VLAN zones.

[USG2130]acl 3001

[USG2130-acl-adv-3001]rule permit IP source 192.168.3.0 0.0.0.255

[USG2130]acl 3002

[USG2130-acl-adv-3002]rule deny IP source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[USG2130-acl-adv-3002]rule deny IP source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[USG2130-acl-adv-3002]rule permit IP

[USG2130]firewall interzone lan1 lan3

[USG2130-interzone-lan3-lan1]packet-filter 3001 outbound

[USG2130-interzone-lan3-lan1]packet-filter 3001 inbound

[USG2130]firewall interzone lan2 lan3

[USG2130-interzone-lan3-lan2]packet-filter 3001 outbound

[USG2130-interzone-lan3-lan2]packet-filter 3002 inbound

5 (Optional) Change the zone of interface Ethernet0/0/0.

[USG2130-Vlanif3]fire zone untrust

[USG2130-zone-untrust]undo add interface e0/0/0

[USG2130-zone-untrust]firewall Zone Trust

[USG2130-zone-trust]add interface e0/0/0

6 Complete the NAT configuration.

[USG2130-zone-trust]acl 2000

[USG2130-acl-basic-2000]rule permit source 192.168.0.0 0.0.3.255

[USG2130]firewall interzone trust untrust

[USG2130-interzone-trust-untrust]nat outbound 2000 interface VLAN 3
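
The zone and ACL policy from steps 3 and 4 can be checked offline with a small model. The Python below is an added example, not part of the original document or of any Huawei tool; it reports, for each pair of zones, whether the first packet of a new flow is permitted and which ACL (or the default action) decided it. Assumptions: outbound means from the higher-priority zone to the lower-priority one, traffic that matches no rule or has no interzone policy falls to a default deny, return traffic of established sessions is not modeled, and the host addresses are constructed.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# Zone priorities (step 3) and sub-interface subnets (step 1).
ZONE_PRIORITY = {"lan1": 60, "lan2": 65, "lan3": 70}
ZONE_OF_SUBNET = {"192.168.1.": "lan1", "192.168.2.": "lan2", "192.168.3.": "lan3"}
# ACL rules and packet-filter bindings as entered in step 4.
ACLS = {
    3001: [("permit", ("192.168.3.0", "0.0.0.255"), ANY)],
    3002: [("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.3.0", "0.0.0.255")),
           ("deny", ("192.168.2.0", "0.0.0.255"), ("192.168.3.0", "0.0.0.255")),
           ("permit", ANY, ANY)],
}
INTERZONE = {
    frozenset(("lan1", "lan3")): {"outbound": 3001, "inbound": 3001},
    frozenset(("lan2", "lan3")): {"outbound": 3001, "inbound": 3002},
}
DEFAULT = ("deny", "default")  # assumption: unmatched traffic is dropped

def zone_of(addr):
    return next(z for prefix, z in ZONE_OF_SUBNET.items() if addr.startswith(prefix))

def evaluate(src, dst):
    """Return (action, decided_by) for the first packet of a flow src -> dst."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    binding = INTERZONE.get(frozenset((src_zone, dst_zone)))
    if binding is None:
        return DEFAULT
    higher_to_lower = ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone]
    acl = binding["outbound" if higher_to_lower else "inbound"]
    for action, (s_base, s_wc), (d_base, d_wc) in ACLS[acl]:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return (action, f"acl {acl}")
    return DEFAULT

def access_matrix():
    hosts = {"lan1": "192.168.1.10", "lan2": "192.168.2.10", "lan3": "192.168.3.10"}  # constructed
    return {(a, b): evaluate(hosts[a], hosts[b]) for a in hosts for b in hosts if a != b}

if __name__ == "__main__":
    for (a, b), verdict in access_matrix().items():
        print(f"{a} -> {b}: {verdict}")
```

Under these assumptions the lan2 to lan3 block comes from an explicit deny in ACL 3002, while the lan1 to lan3 block and all lan1/lan2 traffic depend on the default action, so the device's default interzone packet-filter setting is worth confirming.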

Summary: because the network device is limited, meeting this special requirement means departing from the normal setup and planning procedure and using the USG2130 firewall's custom zones, interzone packet filtering and VLAN functions.
