3Com 10014299 Configure Firewall

554 CHAPTER 39: CONFIGURING FIREWALL

The “depth-first” principle means matching the access rules with the smallest

definition range of data packets. It can be achieved by comparing the wildcards of

address. The smaller the wildcards are, the smaller the range specified by the host

is. For example, 129.102.1.1.0.0.0.0 specifies a host (the address is 129.102.1.1),

while 129.102.1.1.0.0.255.255 specifies a network segment (the range of the

address is from 129.102.1.1 to 129.102.255.255), obviously the former is

arranged in the front of access control rule.

The special standard is the following:

■For the statement of standard access control rules, compare the wildcards of

the source addresses directly, and arrange according configuration sequence if

the wildcards are the same.

■For the access control rules based on interface filtering, the rules configured

with “any”are arranged last, and the rest will be arranged according to the

configuration sequence.

■For extended access control rules, compare the wildcards of source addresses.

If they are the same, then compare the wildcards of the destination address. If

they are still the same, compare the range of port numbers, and the rule with

smaller range will be arranged first. If the port numbers are the same, then

match the rules according to the user's configuration sequence.

The display acl acl-number command can be used to view the executive

sequence of the system access rules, and the rules listed ahead will be selected

first.

Configure Firewall Firewall configuration includes:

■Enabling and Disabling a Firewall

■Configuring Standard Access Control List

■Configuring Extended Access Control List

■Setting the Default Firewall Filtering Mode

■Configuring Special Timerange

■Configuring Rules for Applying Access Control List on Interface

■Specifying Logging Host

Enabling and Disabling a

Firewall A firewall should be enabled for filtering messages to set other configurations into

effect.

Perform the following configurations in system view.

Tabl e 621 Enable/Disable Firewall

Firewalls are disabled by default.

Operation Command

Enable firewall firewall enable

Disable firewall firewall disable

Contents

Main 3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Page Page ABOUT THIS GUIDE This guide describes 3Com routers and how to configure them. Tabl e 2 Text Conventions Conventions Tabl e 1 Notice Icons Page Page Page 1 Overview of the 3Com Router System Architecture of the 3Com Router Figure 1 Schematic diagram of the 3Com Router architecture Features of the 3Com Router Version 1.10 Tabl e 3 List of the 3Com Router 1.x features Page Page Page New Features of the 3Com Router 1.x Page Page 2 Establish Configuration Environment Page Page Page Page Page Command Line Interface (CLI) View Figure 14 Hierarchical view structure of the 3Com Router Page Command Line Online Help helps: Page Page User Identity Management Page Page Page Page 3 Storage Media and File Types Supported by the System Upgrade Boot ROM Software Page Page Upgrade the 3Com Router Main Program Software Page Page Page Page Page Page Page Page Page Page Configure On-Line Upgrading of the Card Page Configuration File Management Page Page Page Page Configure FTP Page Page Page Page 4 Terminal Service Overview Terminal Message Service Page Dumb Terminal Service Page Terminal Service of Telnet Connection Page Page Page Rlogin Terminal Service Page X.25 PAD Remote Access Service Page Page Page Page 5 M SNMP Overview Page Page Page Page Page Tabl e 61 Configure the maximum size of SNMP packets that the agent can send/receive Tabl e 62 Display and debug SNMP Display and Debug SNMP Perform the following commands in all views. Page RMON Overview Page Page Page 6 Display Command Set Debugging Command Set Test Tool of Network Connection Page Page Log Function Page Page Page Page Page 7 POS Access Service Overview Page POS Access Service Configuration POS access service configuration includes: Page Page Display and Debug POS Access T Example of POS Access Service Page Page Page Page Page 8 O Interface Configuration Overview Configure Interface Page Display and Debug Interface Page 9 Ethernet Interface Overview Configure Ethernet Interface Page Display and Debug Ethernet Interface Typical Ethernet Interface Configuration Troubleshooting Page Page 10 WAN Interface Introduction Asynchronous Serial Interface Page Page Page Page AUX Interface Synchronous Serial Interface Page Page Page Page ISDN BRI Interface Page CE1/PRI Interface Page Page Page Page CT1/PRI Interface Page Page Page E1-F Interface Page Page Page T1-F Interface Page Page CE3 Interface Page Page CT3 Interface Page Page Page Page Page 11 Logical Interface Introduction Dialer Interface Loopback Interface Configure Loopback Interface Null Interface Sub-Interface Page Page Standby Center Logic Channel Virtual-Template and Virtual Interface Page Page IV Page 12 PPP Overview Page MP Overview Configure PPP Page Page Page Configure MP Page Page Page Display and Debug PPP Typical PPP Configuration Typi cal MP Configuration Page Fault Diagnosis and Troubleshooting of PPP 13 PPoE Overview Configure PPPoE Client Page Display and Debug PPPoE Client Typical PPPoE Configuration Page Page 14 SLIP Overview Configure SLIP Display and Debug SLIP Typical SLIP Configuration Page Page 15 ISDN Overview Configure ISDN Page Page Display and Debug ISDN Typical Configuration Fault Diagnosis and Troubleshooting of ISDN 16 X.25 and LAPB Protocols Overview PSN Page Configure LAPB Configure X.25 Configure X.25 Interface Page Page Page Page Page Tabl e 245 Set/Cancel the default upper layer protocol borne on X.25 By default, the upper protocol carried by X.25 is IP protocol. Page Page Page Tabl e 250 Specify/Cancel packet pre-acknowledgement Tabl e 251 Configure X.25 user facility Page Page Page Page Page Page Page Tabl e 263 Add/Delete X.25 switching route whose forwarding address is hunt group 5Configure other X.25 switching routes Tabl e 264 Add/delete other X.25 switching routes Configure X.25 over Other Protocols Figure 66 XOT typical application diagram Page Page Page Page Display and Debug LAPB and X.25 Typ ica l L AP B Configuration Typi cal X. 25 Configuration Page Page Page Page Figure 72 Diagram of X.25 sub-interface configuration III. Configuration Procedure aCreate sub-interface serial 0.1 bCreate sub-interface serial 0.2 Page Page Page Page Page Page Page Page Page Page Page Fault Diagnosis and Troubleshooting of LAPB Fault Diagnosis and Troubleshooting of X.25 Page Page Page 17 Frame Relay Protocol Overview Configure Frame Relay Page Page Page Page Page Page Page Page Page Page Page Configure Frame Relay QoS Page Page DE Discarded Transmit Page Page Page Page Page Page Page Configure Frame Relay over Other Protocols Page Page Page Page Display and debug Frame Relay Page T Configuration Page Page Page Page Page Page Page Page Fault Diagnosis and Troubleshooting of Frame Relay Page 18 Configure HDLC Display and Debug HDLC Page 19 Bridge Overview Page Bridge Overview 291 Figure 102 Bridge learns that Workstation A is connected with Port 1 Figure 103 Bridge learns that Workstation B is connected with the port 1 too. 292 CHAPTER 19: CONFIGURING BRIDGE Figure 104 Final bridging address table Figure 105 Forward Page Page Page Multi-Protocol Router Configure Bridges Routing Function Page Page Page Page Page Page Page Page Page Tabl e 349 Configure bridge on VLAN Display and Debug Bridge Tabl e 350 Display and debug bridge Typical Bridge Figure 111 Networking of building transparent bridges between multiple Ethernet segments III. Configuration Procedure 1 2 Page Page Page Page Page Page V Page 20 IP Address Overview Page Page Page Page Page PSTN Troubleshooting IP Address Configuration Map between WAN Interface IP Address and Link Layer Protocol Address Page 21 Configure Address Resolution Protocol (ARP) Configure Domain Name Resolution (DNS) VLAN Configuration Page Page Page DHCP Server Configuration Page Page Page Page Page Page Page Page Page Page Configure DHCP Relay Page Page Page Page Configure Network Address Translation (NAT) Page Page Page Page Page Page Page Page Page 22 Configure IP Performance Configure TCP Performance Page Configure Fast Forwarding Display and Debug IP Performance Troubleshooting IP Performance Configuration 23 IP Count Introduction IP Count Configuration Page Display and Debug IP Count Typical Configuration Example Troubleshooting Page 24 IPX Protocol Overview Page Configure IPX Page Page Page Page Page Page Page Page Page 25 DLSw Protocol Overview Configuration of DLSw Page Page Page Page Page Page Page Page Page Page Page Tabl e 463 Configure acknowledgement wait time T2 of SDLC secondary station By default, the acknowledgement wait time T2 of SDLC secondary station is configured to be 500 ms. Display and Debug DLSw Typi ca l DL Sw Configuration Page Page Figure 141 Networking Diagram of SDLC-LAN III. Configuration Procedure: 1Router A Configuration: 2Router B Configuration: Diagnosis and Troubleshooting of DLSw Fault Page Page VI Page 26 IP Routing Protocol Overview Page Routing Management Strategy Page 27 Static Route Overview Configuring a Static Route Displaying and Debugging the Routing Table Static Route Configuration Example Troubleshooting a Static Route 28 RIP Overview Configure RIP Begin all configuration tasks by first enabling the RIP routing process and Page Page Page Page Page Page Configure filtering the routing information being advertised Tabl e 484 Filter the Routing Information Being Advertised by RIP Tabl e 485 Reset RIP Displaying and Debugging RIP RIP - Unicast Configuration Troubleshooting RIP 29 OSPF Overview Configuring OSPF Page Page Page Page Page Page Page Page Page Page Page Page Page Displaying and Debugging OSPF OSPF Configuration Example Page Page Figure 148 Networking diagram of configuring DR selection of OSPF preference III. Configuration procedure BDR E0 192.1.1.1/24 E0 192.1.1.4/24 E0 10.1.2.3/24 E0 192.1.1.2/24 DR 1.1.1.1 4.4.4.4 2.2.2.2 Page Figure 149 Networking diagram of configuring OSPF virtual link To configure an OSPF virtual link: Page Page Page Page 30 BGP Overview Configuring BGP Page Page Tabl e 515 Configure to Send Community Attribute to the Peer Tabl e 519 Create a Routing Policy for the Peer Tabl e 516 Configure the Peer to be the Client of the Route Reflector 7Configure to distribute default route to the peer. Tabl e 517 Configure to Distribute Default Router to the Peer Tabl e 518 Set the Own IP Address as the Next Hop When the Peer Distributes Route Page Page Page Page Page Page Page Page Page Page Page Page Page Page Tabl e 553 Define a Routing Policy Define a match rule Perform the following configurations in BGP Routing policy view. Tabl e 555 Define An Apply Clause Tabl e 554 Define a Match Rules Page Configure Filtering Route Information being Advertised by BGP Tabl e 557 Filter Routing Information Being Advertised by BGP By default, BGP does not filter any route information that is received or advertised. connections and reset BGP connections to make the new configuration effective. Displaying and Debugging BGP BGP Configuration Example 1003, which are configured with EBGP, confederation EBGP and IBGP. Disable BGP packet debugging Page Figure 155 Networking diagram of configuring route reflector aConfigure BGP peers bEnable OSPF cConfigure Serial 0 dConfigure Serial 1 aConfigure BGP peers and route reflector clients Page Figure 156 Networking diagram of configuring BGP path selection aStart BGP bSpecify BGP transmission network cConfigure peer dConfigure MED attribute of Router A routing diagram is network 1.0.0.0. The MED attribute is 50, and the second MED attribute is 100. Set the local preference attribute of Router C. A). Page Page 31 IP Routing Policy Overview Page Configure IP Routing Policy Tabl e 561 Configure a Matching Rules AND operations in the matching process so the routing information cannot Page Page D C Displaying and Debugging IP Routing Policy Configuring IP Routing Policy Page Troubleshooting IP Routing Policy Page 32 IP Policy Routing Overview Configuring IP Policy Routing Page Displaying and Debugging IP Policy Routing IP Policy Routing Configuration Page Page Page Page 33 IP Multicast Overview IP Multicast Addresses IP Multicast Features IP Multicast Routing Protocols Page IP Multicast Packet Forwarding IP Multicast Application Page 34 IGMP Overview Configuring IGMP Page Displaying and Debugging IGMP IGMP Configuration Example Page Page 35 PIM-DM Overview PIM-DM Configuration Displaying and Debugging PIM-DM PIM-DM Configuration Example 36 PIM-SM Overview PIM-SM Configuration Page Page Displaying and Debugging PIM-SM PIM-SM Configuration Example Troubleshooting PIM-SM Page Page Page 37 S Terminal Access Security Overview Configuring Terminal Access Security EXEC Configuration Example Page Page 38 P AAA Overview RADIUS Overview Page Page Page Configuring AAA and RADIUS Page Page Page Page Page Page Page Page Displaying and Debugging AAA and RADIUS AAA and RADIUS Configuration Examples Page Troubleshooting AAA and RADIUS Page Page 39 Firewall Overview Page Page Page Tabl e 619 Mnemonic Symbol of the Port Number Page Page Configure Firewall Page Page Page Displaying and Debugging Firewall Firewall Configuration Example Page Page 40 IPSec Protocol Overview Page Configuring IPSec Page Page Page Page Creating a Security Policy Page Page Tabl e 643 Configure SPI Parameters of Security Policy Association Tabl e 644 Configure Key Used by Security Policy Association By default, no key is used by any security policy. Page Page Page Displaying and Debugging IPSec Tabl e 653 Display and Debug IPSec Displaying and Debugging the NDEC Card Tabl e 654 Reset crypto card Displaying and Debugging the crypto card Use the debugging, reset and display command in all views. Tabl e 655 Display and Debug NDEC Card IPSec Configuration Example Page Page Page Page Page Page Troubleshooting IPSec Page Page 41 IKE Protocol Overview Configuring IKE Page Page Page Displaying and Debugging IKE IKE Configuration Example Troubleshooting IKE Page Page Page 42 VPN Overview Basic Networking Applications of VPN Page Page 43 VPDN and L2TP Overview Page Page Page Page Basic Configuration at LAC Page Basic Configuration at LNS Page Advanced Configuration at LAC or LNS Configure the Local Name Page Page Page Page Page Display and Debug L2TP L2TP Configuration Page Page Page Page Page Page Page Page Page Page Page Page Page Page Troubleshooting L2TP Page Page 44 GRE Protocol Overview Page Page Configuring GRE Interface Page GRE Configuration Page Page Troubleshooting GRE Page Page 45 Standby Center Overview Configuring the Standby Center Standby center configuration includes: Page Page Displaying and Debugging the Standby Center Configuration Page Page 46 VRRP Overview Configuring VRRP Page Page Displaying and Debugging VRRP VRRP Configuration Examples Internet Troubleshooting VRRP Page Page Page 47 What Is QoS? Three Types of QoS Services Benefits of QoS for the Network Service Page Page 48 AND LINE RATE Traffic Classification Overview Traffic Policing Overview Page Committed Access Rate (CAR) Page Page Page Page Traffic Shaping Page Page Physical Interface Line Rate Displaying and Debugging LR 49 What is Congestion? Congestion Management Policy Overview Selecting Congestion Management Policies Tabl e 719 Comparison of Several Congestion Management Policies Operating Principle of the Congestion Management Policies Page Page Page Configuring Congestion Management Page Page Page Page Page Page Congestion Management Configuration Figure 222 Networking diagram of CQ typical configuration 1 aConfigure the CQ queue bConfigure Serial0 master/slave addresses cApply the CQ queue 1 to Serial0 dConfigure Tunnel0 Page Page 50 Congestion Avoidance Overview Page WRED Configuration Page Page Page Page Page 51 DCC Overview Page Page Page Configuring DCC Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Displaying and Debugging DCC DCC Configuration 3Configure RouterC: 4Configure RouterB: 5Configure RouterC: 3 Page Figure 234 Network for the DCC application providing MP binding Page Page Page Page Page Page Page Page Figure 240 Network for the DCC application providing logic interface standby through dialer route Troubleshooting DCC Use the DCC Debugging Information to Locate Problems Tabl e 774 DCC Fault Messages Page 52 Modem Function Provided by 3Com Routers Page Configuring a Modem Page Page Displaying and Debugging a Modem Modem Configuration Examples Page Troubleshooting