Zte ZXR10 8900 Series User manual
ZXR108900Series
10GRoutingSwitch
UserManual(FWVolume)
Version2.8.02.C
ZTECORPORATION
ZTEPlaza,KejiRoadSouth,
Hi-TechIndustrialPark,
NanshanDistrict,Shenzhen,
P .R.China
518057
Tel:(86)75526771900800-9830-9830
Fax:(86)75526772236
URL:http://support.zte.com.cn
E-mail:[email protected]
LEGALINFORMATION
Copyright©2006ZTECORPORATION.
Thecontentsofthisdocumentareprotectedbycopyrightlawsandinternationaltreaties.Anyreproductionordistributionof
thisdocumentoranyportionofthisdocument,inanyformbyanymeans,withoutthepriorwrittenconsentofZTECORPO-
RATIONisprohibited.Additionally,thecontentsofthisdocumentareprotectedbycontractualcondentialityobligations.
Allcompany,brandandproductnamesaretradeorservicemarks,orregisteredtradeorservicemarks,ofZTECORPORATION
oroftheirrespectiveowners.
Thisdocumentisprovided“asis” ,andallexpress,implied,orstatutorywarranties,representationsorconditionsaredis-
claimed,includingwithoutlimitationanyimpliedwarrantyofmerchantability,tnessforaparticularpurpose,titleornon-in-
fringement.ZTECORPORATIONanditslicensorsshallnotbeliablefordamagesresultingfromtheuseoforrelianceonthe
informationcontainedherein.
ZTECORPORATIONoritslicensorsmayhavecurrentorpendingintellectualpropertyrightsorapplicationscoveringthesubject
matterofthisdocument.ExceptasexpresslyprovidedinanywrittenlicensebetweenZTECORPORATIONanditslicensee,
theuserofthisdocumentshallnotacquireanylicensetothesubjectmatterherein.
ZTECORPORATIONreservestherighttoupgradeormaketechnicalchangetothisproductwithoutfurthernotice.
UsersmayvisitZTEtechnicalsupportwebsitehttp://ensupport.zte.com.cntoinquirerelatedinformation.
TheultimaterighttointerpretthisproductresidesinZTECORPORATION.
RevisionHistory
RevisionNo.RevisionDateRevisionReason
R1.020090630FirstRelease
SerialNumber:sjzl20093843
Contents
AboutThisManual..............................................i
FirewallOverview.............................................1
FunctionOverview..........................................................1
WorkingPrinciple........................................................2
WorkingModes...........................................................4
ManagementModes........................................................5
LoggingintoFWthroughConsolePort...........................5
LoggingintoFWthroughTelnet....................................6
LoggingintoFWthroughBrowser.................................7
SystemManagementConguration...................9
SystemManagementOverview.........................................9
QueryingSystemBasicInformation.................................10
QueryingSystemRunningInformation.............................10
ConguringSystemManagement.....................................11
SettingSystemParameters.........................................11
ManagingSystemServices.........................................15
SettingOpenServices................................................16
SettingWEBUIAuthentication.....................................20
CongurationMaintenance..............................................21
CongurationMaintenanceOverview............................21
ConguringMaintenance............................................22
RestoringSystem......................................................23
RebootingSystem.....................................................23
ConguringSystemManager...........................................23
SystemManagerOverview..........................................23
ConguringSystemManager.......................................23
SystemManagerCongurationExample.......................26
ResourceManagementConguration..............27
ResourceManagementOverview.....................................27
ConguringAddressResource.........................................28
AddressResourceCongurationOverview.....................28
SettingHostResource................................................28
SettingAddressRangeResource..................................31
SettingSubnetResource............................................35
SettingAddressGroup...............................................38
ConguringAreaResource..............................................41
AreaResourceCongurationOverview.........................41
ConguringAreaResource..........................................41
ConguringTimeResource.............................................44
TimeResourceCongurationOverview.........................44
ConguringWeekCycle..............................................45
ConguringYearCycle...............................................47
ConguringServiceResource..........................................50
ServiceResourceCongurationOverview......................50
ShowingSystemDenedServices................................50
ConguringCustomizedServices.................................51
ConguringServerGroup...........................................54
ZXR10FWFunctionManagement....................57
ZXR10FWFunctionManagementOverview.......................57
ConguringZXR10FW...................................................58
AccessingandExitingFWCongurationMode................58
CreatingandDeletingFW-TemplateMode.....................58
BindingManagementIP..............................................59
ConguringFlowRecovery..........................................60
BindingSlotNumber..................................................60
ConguringNATIP....................................................61
ConguringSession...................................................62
BindingFWT emplateforSpecicVLAN.........................62
ViewingManagementConguration..............................63
ConguringVLAN......................................................64
PacketFilteringandAccessControlRule
Conguration............................................67
ConguringPacketFilteringPolicy....................................67
PacketFilteringOverview............................................67
ConguringPacketFilteringPolicy................................67
PacketFilteringPolicyCongurationExample................73
PacketFilteringPolicyCongurationExample
One.....................................................73
PacketFilteringPolicyCongurationExample
Two......................................................75
ConguringAccessControlRules.....................................76
AccessControlRuleOverview......................................76
ConguringAccessControlRule...................................76
AccessControlRuleCongurationExample...................82
AccessControlRuleCongurationExample
One.....................................................82
AccessControlRuleCongurationExample
Two......................................................84
ConguringIDSInteraction.............................................86
IDSInteractionOverview............................................86
ConguringIDSInteraction.........................................86
NATConguration...........................................89
NATOverview...............................................................89
ConguringNAT............................................................90
NATCongurationExample.............................................96
Address-BasedSourceAddressTranslation
CongurationExample.......................................96
IPAddress-BasedDestinationAddressTranslation
CongurationExample.......................................97
Port-BasedDestinationAddressTranslation
CongurationExample.......................................98
ProtocolFilteringConguration.....................101
ProtocolFilteringOverview...........................................101
ConguringApplicationPortBinding...............................101
ApplicationPortBindingOverview..............................101
ConguringApplicationPortBinding...........................102
ApplyingPortBindingCongurationExample...............104
ConguringSIPService................................................104
IntrusionPreventionConguration...............107
IntrusionPreventionOverview.......................................107
ConguringIntrusionDetectionRule..............................107
LoadBalancingConguration........................113
LoadBalancingOverview..............................................113
ConguringLoadBalancing...........................................113
ConguringLoadBalancingServer.............................113
ConguringLoadBalancingGroup.............................116
HighAvailabilityCongurationExample..........................119
LogandAlarmConguration.........................123
LogandAlarmOverview...............................................123
LogConguration....................................................123
ViewingLog............................................................123
Alarms...................................................................124
ConguringLogsandAlamrs.........................................124
ConguringLog.......................................................124
ViewingLog............................................................126
ConguringAlarms..................................................127
Figures..........................................................133
Tables...........................................................135
Glossary........................................................137
AboutThisManual
ThismanualisZXR108900Series(V2.8.02.C)10GRout-
ingSwitchUserManual(FWVolume)andappliestoZXR10
8902/8905/8908/891210Groutingswitch(V2.8.02.C).
ZXR108900series10Groutingswitchhasthefollowingrelated
manuals:
ManualSummary
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchHardwareInstallation
Manual
Thismanualdescribes
installationpreparation,
19-inchcabinetinstallation,
maindeviceinstallation,
powercableconnection,cable
connectionandhardware
inspection.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchHardwareManual
Thismanualdescribes
devicefunctions,technical
characteristicsand
parameters,workingprinciple,
hardwarestructure,MCS,LIC,
powermoduleandfanplug-in
box.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(Basic
ConfigurationVolume)
Thismanualdescribesusing
andoperationofdevice,
systemmanagement,
CLIprivilegeranking
configuration,port
configuration,network
protocolconfiguration,
DHCPconfiguration,
VRRPconfiguration,
ACLconfiguration,QoS
configuration,DOTIX
configuration,cluster
managementconfiguration,
networkmanagement
configuration,IPTV
configuration,VBAS
configuration,CPUguard,
URPFconfigurationandUDLD
configuration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(Ethernet
SwitchingVolume)
Thismanualdescribes
deviceVLANconfiguration,
STPconfiguration,MAC
addresstableoperation,link
aggregationconfiguration,
IGMPSnoopingconfiguration,
linkprotectionconfiguration,
EthernetOAMconfiguration
andEPONOLTconfiguration.
ConfidentialandProprietaryInformationofZTECORPORATIONi
ZXR108900SeriesUserManual(FWVolume)
ManualSummary
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(IPv4
RoutingVolume)
Thismanualdescribes
staticroutingconfiguration,
RIPconfiguration,OSPF
configuration,IS-IS
configuration,BGP
configuration,loadbalancing
configuration,multicast
routingconfiguration,IP/LDP
FRRconfigurationandBFD
configuration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(MPLS
Volume)
Thismanualdescribesdevice
MPLSconfiguration,MPLS
L3VPNconfigurationandMPLS
L2VPNconfiguration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(IPv6
Volume)
Thismanualdescribesdevice
IPv6addressconfiguration,
IPv6neighbordiscovery
protocolconfiguration,IPv6
tunnelconfiguration,IPv6
staticroutingconfiguration,
RIPngconfiguration,OSPFv3
configuration,IS-ISv6
configurationandBGP+
configuration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(DPI
Volume)
Thismanualdescribes
devicesignaturesymbol
configuration,signature
entryconfiguration,
policyconfiguration,
subserviceconfiguration,
serviceconfigurationand
DPI-templateconfiguration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchUserManual(FW
Volume)
Thischapterdescribes
systemmanagement
configuration,resource
managementconfiguration,
FWfunctionmanagement,
packetfilteringandaccess
controlruleconfiguration,NAT
configuration,protocolfiltering
configuration,intrusion
preventionconfiguration,high
availabilityconfiguration,and
logandalarmconfiguration.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(CommandIndexVolume)
Thismanualdescribesvolume
andsectioncorrespondingto
eachcommandinZXR108900
series10Groutingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(IPv6Volume)
Thismanualdescribes
IPv6-relatedcommandsin
ZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual(IP
RoutingVolumeI)
ThismanualdescribesRIP,
OSPFandIS-IS-related
commandsinZXR108900
series10Groutingswitch.
iiConfidentialandProprietaryInformationofZTECORPORATION
AboutThisManual
ManualSummary
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual(IP
RoutingVolumeII)
ThismanualdescribesBGP,
routemapandrouting
policy-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(MPLSVolume)
Thismanualdescribes
MPLS-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(QoSVolume)
Thismanualdescribes
QoS-relatedcommandsin
ZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(SecurityVolume)
Thismanualdescribes
securityconfiguration-related
commandsinZXR108900
series10Groutingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(BasicConfigurationVolumeI)
Thismanualdescribes
systemmanagement,file
management,userinterface,
logstatistics,FTP/TFTPserver
andIPvr-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(BasicConfigurationVolumeII)
Thismanualdescribes
interfaceconfiguration,DHCP
andVRRP-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(BasicConfigurationVolumeIII)
ThismanualdescribesNAT,
TimeRange,stackand
DEBUG-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(NetworkManagementVolume)
Thismanualdescribes
networkmanagement-related
commandsinZXR108900
series10Groutingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(EthernetSwitchingVolume)
ThismanualdescribesMAC,
VLAN,SuperVLAN,STP,link
aggregation,VBAS,MACPING
andUDLD-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(VoiceandVideoVolume)
ThismanualdescribesVOIP
andIPTV-relatedcommands
inZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(MulticastVolume)
Thismanualdescribes
multicastprotocol-related
commandsinZXR108900
series10Groutingswitch.
ConfidentialandProprietaryInformationofZTECORPORATIONiii
ZXR108900SeriesUserManual(FWVolume)
ManualSummary
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(DPIVolume)
Thismanualdescribes
DPI-relatedcommandsin
ZXR108900series10G
routingswitch.
ZXR108900Series(V2.8.02.C)10G
RoutingSwitchCommandManual
(FWVolume)
Thismanualdescribes
FW-relatedcommandsin
ZXR108900series10G
routingswitch.
CommandssupportedbyZXR108900series(V2.8.02.C)10G
routingswitcharebasedonuniformplatformZXROSV4.8.22.
ZXR108900Series(V2.8.02.C)10GRoutingSwitchUserManual
(FWVolume)containsthefollowingchapters:
ChapterSummary
Chapter1FWOverviewThischapterdescribesFWfunctionalprinciple
andmanagementmode.
Chapter2System
Management
Configuration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWsystemmanagement.
Chapter3Resource
Management
Configuration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWresourcemanagement.
Chapter4ZXR10FW
FunctionManagement
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWfunctionmanagement.
Chapter5Packet
Filteringand
AccessControlRule
Configuration
Thischapterdescribesbasicconcepts,
configurationsandconfigurationexamplesof
FWpacketfilteringandaccesscontrolrule.
Chapter6NAT
Configuration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWNAT.
Chapter7Protocol
FilteringConfiguration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWprotocolfiltering.
Chapter8Intrusion
Prevension
Configuration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWintrusionprevention.
Chapter9HighAvailab
ilityConfiguration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
FWhighavailability.
Chapter10Logand
AlarmConfiguration
Thischapterdescribesbasicconcept,
configurationandconfigurationexampleof
logandalarm.
GlossaryThispartlistsglossariesusedinthismanual.
ivConfidentialandProprietaryInformationofZTECORPORATION
Chapter1
FirewallOverview
TableofContents:
FunctionOverview..............................................................1
ManagementModes............................................................5
FunctionOverview
ZXR108900SeriesSwitchrewall(FW)servicecardhasthefol-
lowingbasicfunctions:
�Supportingroutingandhybridworkingmodes;
�Supportingobject-basednetworkaccesscontrol,includingac-
cesscontrolofnetworklayer ,applicationlayerandotherlay-
ers;
�SupportingNATofmultipletypesofnetworkaddresses;
�Supportingbuilt-inIDSmodule,whichpreventsLand,Smurf,
TearOfDrop,PingofDeath,SynFlood,T arga3,IpSweepand
anotherfewattacksandhasthefunctionofanti-DOS/DDOS.
�SupportinghotstandbybetweenFWcards;
�SupportingFTP,TFTP,MMS,H.323,SIP ,RSTP,SQLNET ,and
PPTPprotocols.
ZXR108900SeriesSwitchFWhasthefollowingfeatures:
�Adoptingthedesignofmulti-interfaces,providingsoundnet-
workapplicationscalability.
�Providinghigh-efciencyapplicationlayeraccesscontrol.
Proxytechnologyisusedfortraditionalaccesscontrolon
applicationlayer .Systemneedstoswitchamongcorelayer ,
applicationlayerandprocessesfrequently,whichconsumesa
lotsystemresourcesandinuencesperformance.
�Showingexiblemanagement.Networkadministratorcanac-
cessFWthroughvariousinterfacesforcentralmanagement.
�Usingabrandnewmanagementportprotocol.Withthispro-
tocol,multiplemanagementservicescanbeenabledonthe
uniqueserviceinterfaceofFW.
�Providinghigh-performancecontentltering.Corelayerof
systemprovidesrestoreandsecurityinspectiontotransmit-
tedpacketsandimplementshigh-performancecontentsecu-
rityprotocol.
ConfidentialandProprietaryInformationofZTECORPORATION1
ZXR108900SeriesUserManual(FWVolume)
WorkingPrinciple
DataFlow
ProcessingFlow
Generally,FWisusedtocontrolaccessfromexternaluntrusted
networks(suchasInternet)tointernaltrustednetworksandmu-
tualaccessesamongdifferentareaswithininternalnetwork.OS
platformusedbyZXR108900SeriesSwitchFWisthelatestmod-
ularOS.ByuploadingaseriesoffunctionalmodulessuchasFW
moduleandpacketlteringmodule,FWmodulecancontroldata
owtraversingsecuritydevicebysettingaccessrules,packetl-
teringrules,interfacepropertiesandothermechanisms.ZXR10
8900SeriesSwitchFWtakesthefollowingbasicstepstoprocess
packets:
1.FastForwarding
Asforanewlyreceivedlegalpacket,FWrstlysearchesses-
siontabletoseeifthispackethasbelongedtooneexistedses-
sion.Ifso,FWprocessesthispacketaccordingtocorrespond-
ingsessioninthesessiontable.Whenthepacketmatches
accessruleandaddresstranslationpolicyofthissession,FW
processesthispacketfast.Ifthesessionisunavailable,itindi-
catesthispacketbelongstoonenewsession.FWwillretrieve
routingtable,addresstranslationpolicytableandaccessrule
tabletocollectpoliciesrelatedtothispacket,thatisentering
"ReceivingandProcessing"ow.
2.ReceivingandProcessing
ZXR108900SeriesSwitchFWmoduleinvokesrelatedfunc-
tionalmoduleandconductsinitialprocessingtoreceivedpack-
ets.Thefollowingfunctionalmodulesareinvoked:
�IDSModule,usedtoperformintrusiondetectiontopack-
ets.IfthereceivedpacketmatchesIDSrule,itisregarded
illegalanddropped.
�IP-MACbindingmodule.IfIPaddressandMACaddress
datacontainedinheaderofreceivedpacketbreakrulesin
IP-MACbindingtable,thepacketwillbedropped.
3.RuleMatching
Atthisstep,FWmatchesthepacketpassingthroughreceiving
andprocessingstepwithaseriesofrules.Thefollowingmod-
ulesareinvoked:
�PFmodule.PFmodulenotonlyconductsL2/L3protocol
lteringtothepacket,butalsochecksifthepacketbelongs
totheservicethatcanpassthrough.
�Addresstranslationmodule.Addresstranslationpolicy
givesprocessingmethodofreceivedpacket.ZXR108900
SeriesSwitchFWmodulesupportsfouraddresstranslation
policies:
–Forwardingdirectly
FWdoesn’tprocesspacketandthepacketisforwarded
directly.Thisisdefaultaddresstranslationpolicyof
ZXR108900SeriesSwitchFW .
–Translatingsourceaddress
2ConfidentialandProprietaryInformationofZTECORPORATION
Chapter1FirewallOverview
FWtranslatessourceIPaddress(orportid)ofthere-
ceivedpackettopresetIPaddress(orportid),andthen
forwardsthepacketwhosesourceaddressismodied.
–Translatingdestinationaddress
FWtranslatesdestinationIPaddressorportidofthe
receivedpacket(FWinterfaceaddressinusualcases)
topresetIPaddressorportid(actualIPaddressorport
id),andthenforwardsthepacketwhosedestination
addressismodied.
–Bi-directionalNAT
FWtranslatessourceaddressanddestinationaddress
(orportid)ofthepacketatthesametime.
�Accesscontrolmodule.AccesscontrolruledenesifFW
permitsthepacketsmatchingrulestopassthrough.When
receivingonepacket,FWmatchesitwithrulesinaccess
ruletableonebyoneaccordingtopolicysequencenum-
berandprocessesthepacketaccordingtooperation(per-
mitordeny)speciedbycorrespondingpolicy.Ifcorre-
spondingaccesspolicyfailstobematched,thepacketwill
beforwardedtodestinationinterface.ZXR108900Series
SwitchFWwillprocesthispacketaccordingtodefaultprop-
erty(permitordeny)oftheareawheredestinationinter-
facelocates.
4.SessionEstablishment
Asforthepacketwithnosessionformatching,ZXR108900
SeriesSwitchFWwillcreateonenewrecordinsessiontableac-
cordingtopacketprocessinginformationinsteps1-3,includ-
ingpacketdestinationaddress,sourceaddress,route,address
translationpolicy,accessruleandotherinformation.Packets
ofthissessionreceivedafterthisnewrecordwillbeprocessed
accordingtorecordinthesessiontable.
5.ProcessingbeforeRouting
Whenpolicychangesduringcommunicationprocess,FWwill
re-invokepacketlteringmoduleandaccesscontrolmodule
tomatchthepacketwithpolicy.
6.RouteQuerying
ZXR108900SeriesSwitchFWmoduleselectspacketforward-
inginterfaceaccordingtoroutingtableorMACaddresstable
learnedoneachinterface.Ifpacketaddressistranslated,FW
willsearchNATtabletondtheactualaddressforrouting.
MatchingAccess
ControlRules
Accesscontrolrulesareasetofpoliciescustomizedbyuser .These
rulescandenewhatpackets(meetingcertainconditions)can
passFWandwhatpackets(meetingsomeotherconditions)willbe
deniedbyFW.Datacontainedineachaccesspolicyinclude:source
addressanddestinationaddressofthepacket,service(protocol
typeandportid)andoperations(forwardingordropping)per-
formedtothepacketsmeetingconditions.
Inaccesspolicy,policysourcedenesthesourceofpacket,which
canbeoneormultipleobjects(suchashost,subnet,scopeandso
on).Whensourceaddressofthepacketbelongstothescopeof
policysource,itisbelievedtomeetconstraintconditionsofpolicy
source.
ConfidentialandProprietaryInformationofZTECORPORATION3
ZXR108900SeriesUserManual(FWVolume)
Policydestinationdenesthescopeofdestinationaddress.The
sameaspolicysource,policydestinationcancontainoneormul-
tiplehosts,subnet,scopeandmultipleareas(orVLAN).
Policyservicedenesnetworkprotocolusedbypacketandspecic
portid.
AccesscontroldenesFWoperationstothepacketmeetingpoli-
cies,includingpermit(permitthepackettopassthrough)and
deny(dropthispacket).
Inthecasethatapacketmatchesoneaccesspolicy,itindicates
sourceaddressofthepacketiswithinthescopedenedbypol-
icysource,destinationaddressofthepacketiswithinthescope
denedbypolicydestination,portidcorrespondingtothepacket
iscontainedinpolicyservice,andpacketreceivingtimemeetthe
requirementofpolicyaccesstime(ifaccesstimeisdened).Only
whenonepacketmeetsallconditionsrequiredbythepolicy,this
policymatchesthispacket.
Itshallbenotedthatonecontentlteringpolicyandoneappli-
cationidentitypolicyshallbedenedforeachaccessruletolter
andinspectdataatapplicationlayer .FWsearchestheaccesspol-
icymatchingapacketaccordingatthefollowingsteps:
ZXR108900SeriesSwitchFWmoduleretrievesaccesscontrolrule
tableaccordingtosequenceofaccesspoliciesandmatchespoli-
cieswithpacketonebyone.Onceanaccesspolicyisfoundto
matchthepacket,FWstopscheckingmatchedaccesspolicyand
processesthepacket(permitordeny)accordingtorulesdened
intherstmatchedaccesspolicy.Ifnoaccesspolicyisfoundto
matchthispacket,FWwillprocessthispacketaccordingtodefault
accesscontrolpropertiesonpacketsendinginterface.
Ifthepacketisforbiddentobeforwarded,itwillbedropped;ifthe
packetispermittedtobeforwarded,checkifthispolicydenesDPI
policyorapplicationidentitypolicy.
Ifapplicationidentitypolicyisdenedinthepolicy,checktoseeif
anyprotocoloftheapplicationidentitypolicyisusedinapplication
layerofthepacket.Ifcorrespondingprotocolisused,processthis
packetaccordingtooperationsdenedbythisapplicationidentity
policy.
WorkingModes
ZXR108900SeriesSwitchFWprotectsVLANinterfacesandsup-
portstwoworkingmodes:routingmodeandhybridmode.
RouteModeInthismode,ZXR108900SeriesSwitchFWprotectsL3packetson
protectedvlaninterface.AllL3packetspassingthroughprotected
vlanareforwardedonlyafterbeingprocessedbyFWmodule.This
modeisapplicabletothecasewheneachareaisinaseparate
networksegment.Similartorouter ,IPaddressshallbecongured
foreachvlaninterfaceinroutingmodeorhybridmodeaccording
toareaplanning.
HybridModeInthismode,ZXR108900SeriesSwitchFWprotectsL2andL3
packetsonprotectedvlaninterface.NomatterinternalL2packets
oftheprotectedvlanorL3packetscross-vlansareforwardedafter
beingprocessedbyFWmodule.
4ConfidentialandProprietaryInformationofZTECORPORATION
Chapter1FirewallOverview
ManagementModes
NetworkadministratorcanmanageZXR108900SeriesSwitchFW
moduleinmanyways,including:
�ThroughCONSOLE(performlocalmanagementthroughCON-
SOLEport)
�ThroughTELNET(performremotemanagementbylogginginto
FWthroughT elnet)
�ThroughWEBUI(performremotemanagementbylogginginto
FWthroughbrowser)
LoggingintoFWthroughConsole
Port
ContextItisavailabletologintoFWmodulethroughCONSOLEportand
conductsomebasicsettingsonFW .
Steps1.Usingoneserialconsolecable(includedinfactoryaccessories)
toconnectserialportofPC(assumethatcom1isavailable)and
consoleportofFW.
2.Settingpropertiesofserialportaccordingtothefollowingpa-
rameters:
ParameterDescription
BitsperSecond
(baudrate):
9600
DataBits:8
ParityCheck:Null
StopBits:1
3.Loggingintoswitchmainboard,accessingFWtemplatecon-
gurationnodeundercongnode,andinputtingthefollowing
commandtoaccessFWcard.
CommandFunction
ZXR10(fw-template-1)#sessionItaccessesFWcard
frommainboard.
4.LoggingintoZXR108900SeriesSwitchFWmoduleby
inputtingsystemdefaultusername.Usercanperformcong-
urationmanagementthroughcommandlineafteraccessing
FWmodule.
ConfidentialandProprietaryInformationofZTECORPORATION5
ZXR108900SeriesUserManual(FWVolume)
Tip:
Bothusernameandpasswordarecasesensitive.
ENDOFSTEPS.
LoggingintoFWthroughTelnet
ContextItisavailabletologintoFWmodulethroughT elnetandconduct
somebasicsettingsonFW.
Steps1.Selectingtheinterfaceofvlanwhereadministratorlocatesand
conguringIPaddressfortheinterface.
CommandFunction
ZXR10(config-if-vlan1)#ipaddress<
ipaddress><maskaddress>
ItconfiguresIP
addressandsubnet
maskforL3vlan1.
ParameterDescription:
ParameterDescription
<ipaddress>ItisIPaddress,informofA.B.C.D.
<maskaddress
>
Itissubnetmask,suchas255.255.255.0.
2.AccessingFWcongurationnodeandconguringIPaddressof
VLANinterfacetomanagementIPofmanagedFWcard.
CommandFunction
ZXR10(config-fw)#bindmng-ip<slot
number><ipaddress>
Itconfigures
IPaddressof
VLANinterfaceto
managementIPof
managedFWcard.
ParameterDescription:
ParameterDescription
<slotnumber>ItisthenumberofslotwhereFWcardlocates.
<ipaddress>ItcorrespondstoaboveIPaddressofL3vlan
interface,informofA.B.C.D.
3.Runningtelnet<ipaddress>,thatisIPaddressconguredin
step2,onadministratorPCtoaccesscongurationinterface
ofFWcard.
ENDOFSTEPS.
6ConfidentialandProprietaryInformationofZTECORPORATION
Chapter1FirewallOverview
ExampleThefollowingstepsshowhowtologintoFWthroughTelnet:
1.Bindingfw-template1withslotnumber .
ZXR10(config)#fwZXR10(config-fw)#fw-template1
ZXR10(config-fw-template-1)#bindslot2
ZXR10(config-fw-template-1)#exitZXR10(config-fw)#exit
2.ConguringIPaddressforL3vlaninterface.
ZXR10(config)#vlan2ZXR10(config-vlan2)#exit
ZXR10(config)#intvlan2
ZXR10(config-if-vlan2)ipaddr10.2.2.1255.255.255.0
3.AccessingFWcongurationnodeandconguringIPaddressof
VLANinterfacetomanagementIPofmanagedFWcard.
ZXR10(config-if-vlan2)exitZXR10(config)fw
ZXR10(config-fw)bindmng-ip210.2.2.1
4.AccessingFWcardthroughterminaltelnet.
telnet10.2.2.1
LoggingintoFWthroughBrowser
ContextItisavailabletologintoFWmodulethroughbrowserandconduct
somebasicsettingsonFW.
Steps1.Selectingtheinterfaceofvlanwhereadministratorlocatesand
conguringIPaddressfortheinterface.
CommandFunction
ZXR10(config-if-vlan1)#ipaddress<
ipaddress><maskaddress>
ItconfiguresIP
addressandsubnet
maskforL3vlan1.
ParameterDescription:
ParameterDescription
<ipaddress>ItisIPaddress,informofA.B.C.D.
<maskaddress
>
Itissubnetmask,suchas255.255.255.0.
2.AccessingFWcongurationnodeandconguringIPaddressof
VLANinterfacetomanagementIPofmanagedFWcard.
CommandFunction
ZXR10(config-fw)#bindmng-ip<slot
number><ipaddress>
IPaddressof
vlan1interfaceis
managementIPofFW
cardinslot2.
ParameterDescription:
ConfidentialandProprietaryInformationofZTECORPORATION7
ZXR108900SeriesUserManual(FWVolume)
ParameterDescription
<slotnumber>ItisthenumberofslotwhereFWcardlocates.
<ipaddress>ItisIPaddress,informofA.B.C.D.
3.AdministratorinputsFWmanagementURL(suchashttps://<
ipaddress>)onbrowserofmanagementhostandlogininter-
facepopsup.
ENDOFSTEPS.
ExampleThefollowingstepsshowhowtologinFWthroughbrowserhttps.
1.Bindingfw-template1withslotnumber .
ZXR10(config)#fwZXR10(config-fw)#fw-template1
ZXR10(config-fw-template1)#bindslot2
2.ConguringIPaddressforL3vlaninterface.
ZXR10(config)#vlan2ZXR10(config-vlan2)#exit
ZXR10(config)#intvlan2ZXR10(config-if-vlan2)ipaddr
10.2.2.1255.255.255.0
3.AccessingFWcongurationnodeandconguringIPaddressof
VLANinterfacetomanagementIPofmanagedFWcard.
ZXR10(config-if-vlan2)exitZXR10(config)fw
ZXR10(config-fw)bindmng-ip210.2.2.1
4.LogginginFWcardthroughhttps.
https://10.2.2.1
8ConfidentialandProprietaryInformationofZTECORPORATION
Chapter2
SystemManagement
Configuration
TableofContents:
SystemManagementOverview.............................................9
QueryingSystemBasicInformation.....................................10
QueryingSystemRunningInformation.................................10
ConguringSystemManagement.........................................11
CongurationMaintenance..................................................21
ConguringSystemManager...............................................23
SystemManagement
Overview
Insystemcommandmodule,usercancongurebasicinforma-
tionofZXR108900SeriesSwitchFWservicecard,suchasver-
siondisplay,clockmanagement,NTPsetting,systemconguration
management,systemupgrade,authenticationusermanagement,
administratorinformation,FWrebootcommandandsoon.
Toaccesscommandmodule,executethefollowingcommand:
#system
Toexitfromthiscommandmodule,executethefollowingcom-
mand:
#exit
AfterloggingintoFWandaccessingthiscommandmodule,CLI
administratorcanexecutecorrespondingcomponentmanagement
commands.Thefollowingpartswillintroduceallcomponentman-
agementcommandsunderthiscommandmodule.Theformatof
commandintheexampleisthatafteraccessingthiscommand
module.
ConfidentialandProprietaryInformationofZTECORPORATION9
ZXR108900SeriesUserManual(FWVolume)
QueryingSystemBasic
Information
Usercansearchmodel,softwareplatformversion,systemcurrent
congurationandotherinformationofcurrentdeviceinsystem
commandmodule.
1.Displayingsystemversioninformation
CommandFunction
ZXR10_FW.system#versionItdisplayssystem
versioninformation.
2.Displayingrunningstatusesofsystemservices
CommandFunction
ZXR10_FW.system#servicestatusItdisplaysrunning
statusesofsystem
services(suchas
serverstateandif
variousservicesare
enabled).
3.Displayingsystemname
CommandFunction
ZXR10_FW.system#devnameshowItdisplayssystem
name.
4.Displayingcurrentcongurationofsystem
CommandFunction
ZXR10_FW.system#configshow_runn
ing
Itdisplayscurrent
configurationof
system.
QueryingSystemRunning
Information
RunninginformationindicatescurrentsystemCPU,memory,other
occupationinformationofsystemresources,andconnectioninfor-
mationestablishedthroughFW .
1.Viewingcurrentrunningstatusofdevice.
10ConfidentialandProprietaryInformationofZTECORPORATION
Other manuals for ZXR10 8900 Series
18
Table of contents
Other Zte Switch manuals
Zte
Zte ZXR10 3928A Assembly instructions
Zte
Zte ZXR10 8900 Series Installation manual
Zte
Zte ZXR10 2920 User manual
Zte
Zte ZXR10 8900 Series User manual
Zte
Zte ZXR10 8900 Series Installation manual
Zte
Zte ZXR10 8900 Series Assembly instructions
Zte
Zte ZXR10 8900 Series User manual
Zte
Zte ZXR10 1150-5T Manual
Zte
Zte ZXR10 5250-28TC Technical specifications
Zte
Zte ZXR10 5900E Series User manual
Zte
Zte ZXR10 8900 Series Installation manual
Zte
Zte ZXR10 5900 Series User manual
Zte
Zte ZXR10 8900 Series Installation manual
Zte
Zte ZXR10 5900E Series User manual
Zte
Zte ZXR10 8900 Series User manual
Zte
Zte ZXR10 2900E Series Installation manual
Zte
Zte ZXR10 5900E Series User manual
Zte
Zte ZXR10 8900 Series User manual
Zte
Zte ZXR10 8900 Series User manual
Zte
Zte ZXR10 8900 Series User manual
