Got it

AR interzone policy

946 0 0 0 0

【ProblemDescription】


AR is able to ping the destination IP ieSNMP Server ( 10.2.9.11 & 10.1.9.11 ), but SNMPServer is not able to ping our router IP.

The customer wants the network to be reachable.

【ProblemAnalysis】

About this ticket, the issue is AR setting  Interzone Policy to block the traffic from Untrust (SNMP Server) toLocal (10.50.62.97 ).     

But the traffic from Local(10.50.62.97) to Untrust (SNMP Server ) is allowed, so AR is able to ping SNMP Server, and the server is not.

 IF you want the SNMP Server to be able to ping the AR, you can add an Advanced ACL to permit the traffic from SNMP Server(10.2.9.11 & 10.1.9.11) to AR.


Please refer to the below commands:


<Huawei>system-view


[Huawei]acl 3001


[Huawei-acl-adv-3001]rule 5 permit ip source 10.1.9.11  0 destination 10.50.62.97 0


[Huawei-acl-adv-3001]rule 10 permit ip source 10.2.9.11  0 destination 10.50.62.97 0


[Huawei]firewall interzone local untrus


[Huawei-interzone– local - untrust] packet-filter 3001 inbound


 Configure ACL and apply it, please refer to the below link:


http://support.huawei.com/hedex/pages/EDOC1000085855AEG05127/13/EDOC1000085855AEG05127/13/resources/dc/dc_cfg_acl_1032.html?ft=0&fe=10&hib=7.3.17.6.7.2.2&id=dc_cfg_acl_1032&text=Configuring an Advanced ACL&docid=EDOC1000085855


http://support.huawei.com/hedex/pages/EDOC1000085855AEG05127/13/EDOC1000085855AEG05127/13/resources/dc/dc_cfg_fw_0015.html?ft=0&fe=10&hib=7.3.17.7.7.2&id=dc_cfg_fw_0015&text=Configuring ACL-based Packet Filtering in an Interzone&docid=EDOC1000085855


 

P.s

About to tracert of the AR Router,  it’s default unreachable, if you need it to be able to tracers, you should configure it like below:



http://support.huawei.com/hedex/pages/EDOC1000085855AEG05127/13/EDOC1000085855AEG05127/13/resources/dc/dc_ar_troubleshooting_0069.html?ft=0&fe=10&hib=9.2.13.3&id=dc_ar_troubleshooting_0069&text=Ping and Tracert&docid=EDOC1000085855


【Root Cause】

The AR router has been enabled Firewall function, but not permit the traffic.


【SolutionDescription】

Remote to customer's AR router add ACL for permitting traffic, then solve the issue.

  • x
  • convention:

Comment

You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.