Create an interzone on an AR router


Any two security zones constitute an interzone and have a separate interzone view. Most firewall functions are configured in the interzone view. After the firewall functions are configured, the router checks data flows occurring between the two security zones.
Data flows in an interzone have directions, inbound and outbound.
Inbound direction: Data is transmitted from a low-priority security zone to a high-priority security zone.
Outbound direction: Data is transmitted from a high-priority security zone to a low-priority security zone.
For details about the commands for creating a security zone and adding interfaces into the security zone as well as creating an interzone, see the URL:
The AR router creates a secure interzone.

Other related questions:
Enable the firewall functions on an AR router
All configured firewall functions take effect only after the firewall functions are enabled in the interzone. By default, the firewall functions of an interzone are not enabled.
If an interzone contains the Local zone, the firewall functions take effect in this interzone only after you run the ip soft-forward enhance enable command in the system view to enable the IP address enhanced forwarding function of the router.
1. Run the system-view command to access the system view.
2. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view. The zones zone-name1 and zone-name2 must already have been created by running the firewall zone command.
3. Run the firewall enable command to enable the firewall functions. To disable the firewall functions of the interzone, run the undo firewall enable command.
4. Run the display firewall interzone [ zone-name1 zone-name2 ] command to query information about the interzone.

Configure the ASPF firewall on an AR router
The application specific packet filter (ASPF) firewall can detect and filter FTP, HTTP, SIP, and RTSP packets on the application layer. The ASPF firewall filters packets on the application layer based on status. This firewall can detect application layer session information that attempts to pass the firewall, and prevent packets that do not match rules from passing the firewall.
After the ActiveX Blocking is configured, the ASPF will block the ActiveX that is transmitted over HTTP, preventing users from installing insecure or malicious controls.
After the Java Blocking is configured, the ASPF will block requests that are sent in order to obtain programs containing the Java Applet from web pages.
In the system view:
1. Run the firewall interzone zone-name1 zone-name2 command to access the interzone view.
2. In V200R006 and earlier versions, run the detect aspf { all | ftp | http [ activex-blocking | java-blocking ] | rtsp | sip } command to configure the ASPF firewall. In V200R007, run the detect aspf { ftp | rtsp | sip } command to configure the ASPF firewall. Most of the application layer protocols have bidirectional interaction processes. Therefore, during ASPF configuration, ignore directions, and the router automatically checks the status of inbound and outbound packets. By default, the ASPF firewall is not configured for the interzone.
3. Check the configuration result. Run the display firewall interzone [ zone-name1 zone-name2 ] command to query ASPF information about the interzone.

Create a security zone and add interfaces into the security zone on an AR router
A router treats data flows within a security zone as trusted, so no security policy needs to be implemented for them. If data flows occur between different security zones, the security check function of the firewall is triggered, and the corresponding policy is implemented.
To configure firewall services, create the relevant security zones and specify priorities for them, so that security services can be deployed according to the priorities between different security zones. The specified priorities cannot be modified; otherwise, other configuration cannot be performed. Different security zones have different priorities. The larger the value, the higher the priority of a zone.
After a security zone is created, interfaces must be added to the zone to activate the firewall. The specific configuration procedure is as follows:
1. Run the system-view command to access the system view.
2. Run the firewall zone zone-name command to create a security zone. By default, no security zone is created on the router.
3. Run the priority security-priority command to configure a priority for the security zone.
4. Run the quit command to return to the system view.
5. Run the interface interface-type interface-number command to access the interface view.
6. Run the zone zone-name command to add the interface to the security zone. Each security zone can contain multiple interfaces, but an interface can be added to one zone only.
Note: The router automatically creates a security zone named Local, which has the highest priority. This security zone cannot be deleted or contain any interface, and its priority cannot be modified. To apply the firewall functions to the control packets that are reported to this router, the Local security zone may be used.
For details about the commands for creating a security zone and adding interfaces into the security zone as well as creating an interzone, see the URL: The AR router creates a security domain and adds the interface to the security zone.
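The rules from the sections above (interzone direction, firewall disabled by default, the Local-zone forwarding requirement, and zones needing an interface) can be checked mechanically against a configuration before it is relied on. The following Python audit is an added example, not Huawei code; the configuration text, zone names, priority values and interface names are constructed, and the indented-sub-view layout is an assumption about how the commands are recorded.

```python
# Constructed sample built from the commands named on this page; zone names,
# priorities and interface names are made up. A leading space marks a sub-view.
SAMPLE = """\
firewall zone trust
 priority 14
firewall zone untrust
 priority 1
interface GigabitEthernet0/0/1
 zone trust
firewall interzone trust untrust
 detect aspf ftp
firewall interzone Local trust
 firewall enable
"""

def parse(text):
    # Local exists automatically with the highest priority, so it sorts above any value.
    prio, used, inter, soft, view = {"Local": float("inf")}, set(), {}, False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):              # top-level line opens a new view
            view = line.split()
            soft = soft or line == "ip soft-forward enhance enable"
            if view[:2] == ["firewall", "interzone"]:
                inter[tuple(view[2:4])] = False  # firewall is disabled by default
        elif view[:2] == ["firewall", "zone"] and line.startswith("priority "):
            prio[view[2]] = int(line.split()[1])
        elif view[:1] == ["interface"] and line.startswith("zone "):
            used.add(line.split()[1])
        elif view[:2] == ["firewall", "interzone"] and line == "firewall enable":
            inter[tuple(view[2:4])] = True
    return prio, used, inter, soft

def direction(prio, src, dst):
    # Low-priority zone to high-priority zone is inbound; the reverse is outbound.
    return "inbound" if prio[src] < prio[dst] else "outbound"

def audit(text):
    prio, used, inter, soft = parse(text)
    out = [f"zone {z}: no interface added" for z in prio if z != "Local" and z not in used]
    for (a, b), enabled in inter.items():
        if not enabled:
            out.append(f"interzone {a} {b}: firewall not enabled")
        if "Local" in (a, b) and not soft:
            out.append(f"interzone {a} {b}: ip soft-forward enhance enable is missing")
    return out
```

On the sample, audit(SAMPLE) reports the untrust zone without an interface, the trust/untrust interzone where ASPF is configured but the firewall was never enabled, and the Local interzone that lacks the enhanced forwarding command.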

Method of creating a VLAN through the web NMS on an AR router
The web NMS of the AR series routers does not support VLAN creation or adding of interfaces to a created VLAN. You can create a VLANIF interface, and add the interface to the VLAN.
1. Choose LAN Access > LAN > VLAN Interface to enter the VLAN interface configuration page.
2. In the VLAN Interface List area, click Create.
3. On the Create VLAN Inter page, select parameters or enter values according to requirements to configure a VLAN interface.
On the NMS page, only interfaces of the access and trunk types can be configured. Hybrid type interfaces cannot be configured.
Use command lines to create a VLAN. In the system view, run the vlan command or the vlan batch command.

How to create the virtual MAC address of the VRRP on the AR router
The virtual MAC address is generated based on the virtual router ID. The format is 00-00-5E-00-01-{VRID}(VRRP); 00-00-5E-00-02-{VRID}(VRRP6).
