How to control mutual access between network segments


On AR routers, you can configure advanced ACLs and ACL-based traffic classifiers to control mutual access between users on different network segments.

Other related questions:
Configure NAT on the AR to permit Internet access and allow external users to access internal servers
Huawei AR routers support outbound NAT and NAT server to allow the intranet users to access the Internet and external users to access internal servers. The figure on the right page shows the networking diagram. Eth2/0/0 on the router connects to the internal network and its intranet IP address is GE3/0/0 on the router connects to the external network and its extranet IP address is The internal server has an internal IP address and an external IP address The internal host with the IP address wants to access the internal server. The configuration details are as follows:

1. Configure IP addresses for interfaces on the router.
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface vlanif 100
[Huawei-Vlanif100] ip address 24
[Huawei-Vlanif100] quit
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] port link-type access
[Huawei-Ethernet2/0/0] port default vlan 100
[Huawei-Ethernet2/0/0] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] ip address 24
[Huawei-GigabitEthernet3/0/0] quit

2. Configure a default route with next-hop address on the router.
[Huawei] ip route-static

3. Configure outbound NAT in Easy IP mode to allow internal users to access external networks.
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 permit source
[Huawei-acl-basic-2000] quit
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] nat outbound 2000

4. Configure the NAT server to allow external users to access the internal servers.
[Huawei] interface gigabitethernet 3/0/0
[Huawei-GigabitEthernet3/0/0] nat server protocol tcp global www inside 8080
[Huawei-GigabitEthernet3/0/0] quit

Note: The command that configures the NAT server function takes effect on Layer 3 interfaces, excluding Loopback and NULL interfaces.

How to identify mutual access between local VPNs
Mutual access between local VPNs is implemented by configuring VPN targets of VPN instances. If each VPN instance imports the VPN targets that the other exports, the local VPNs can access each other. For example:

#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1000:1
  vpn-target 1000:0 200:0 export-extcommunity
  vpn-target 1000:0 200:0 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 200:0 1000:0 export-extcommunity
  vpn-target 200:0 1000:0 import-extcommunity
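
To audit this on a saved configuration, the following added example (not from the original page or from Huawei) parses vpn-instance blocks in the layout shown above and reports which instances exchange routes, separating mutual access from one-way route import. The vpnc instance and its values are constructed for contrast, and the function names are hypothetical.

```python
import re

# Constructed sample: vpna and vpnb as in the text; vpnc is made up (one-way import).
SAMPLE_CONFIG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 1000:1
  vpn-target 1000:0 200:0 export-extcommunity
  vpn-target 1000:0 200:0 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 200:2
  vpn-target 200:0 1000:0 export-extcommunity
  vpn-target 200:0 1000:0 import-extcommunity
#
ip vpn-instance vpnc
 ipv4-family
  route-distinguisher 300:3
  vpn-target 300:0 export-extcommunity
  vpn-target 300:0 1000:0 import-extcommunity
"""

def parse_vpn_targets(config):
    """Return {instance: {"export": set, "import": set}} from display-style config."""
    instances, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ip", "vpn-instance"] and len(words) == 3:
            current = instances.setdefault(words[2], {"export": set(), "import": set()})
        elif words[:1] == ["#"]:
            current = None  # "#" closes the current configuration block
        elif current is not None and words[:1] == ["vpn-target"]:
            targets = {w for w in words[1:] if re.fullmatch(r"[\d.]+:\d+", w)}
            # No trailing keyword, or "both", applies the targets in both directions.
            for direction, other in (("export", "import"), ("import", "export")):
                if words[-1] != other + "-extcommunity":
                    current[direction] |= targets
    return instances

def route_flows(inst):
    """(src, dst) pairs where dst imports at least one target that src exports."""
    return {(s, d) for s in inst for d in inst
            if s != d and inst[s]["export"] & inst[d]["import"]}

def mutual_access(inst):
    """Pairs of instances whose routes flow in both directions."""
    flows = route_flows(inst)
    return sorted((a, b) for a, b in flows if a < b and (b, a) in flows)
```

A pair that appears in route_flows but not in mutual_access is a one-way import, which is worth reviewing when the instances are meant to be isolated.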
