Configure VPN instances on an AR router to configure virtual firewalls


A virtual firewall is implemented by configuring a VPN instance; each VPN instance corresponds to one virtual firewall. To configure a virtual firewall, first create a VPN instance and then bind interfaces to it. Interfaces bound to the same VPN instance belong to the same virtual firewall, and security policies can be deployed separately for each virtual firewall.
Operation procedure
Run the system-view command to access the system view.
Run the ip vpn-instance vpn-instance-name command to create a VPN instance and enter the VPN instance view.
(Optional) Run the description description-information command to record the descriptive information of the VPN instance.
Run the route-distinguisher route-distinguisher command to configure a route distinguisher (RD) for the VPN instance.
The RD must be configured immediately after the VPN instance is created; until it is, no further configuration of the VPN instance (including binding interfaces to it) can be performed.
Run the interface interface-type interface-number command to access the interface view.
Run the ip binding vpn-instance vpn-instance-name command to bind the interface to the VPN instance.
Bind the interface to the VPN instance before configuring its IP address. Binding deletes any IP address already configured on the interface, so an address configured beforehand has to be configured again afterwards.
Run the ip address ip-address { mask | mask-length } command to configure an IP address for the interface.
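As an added worked example (not from the original page), the procedure above as it would be typed on an AR router. The VPN instance name vfw1, the RD 100:1, the interface numbers and the IP addresses are assumed for illustration. Two interfaces are bound to the same VPN instance and therefore belong to the same virtual firewall; the display commands at the end confirm the RD, the bound interfaces and the instance's own routing table.

```text
<Huawei> system-view
[Huawei] ip vpn-instance vfw1                                   // assumed instance name
[Huawei-vpn-instance-vfw1] description virtual firewall 1
[Huawei-vpn-instance-vfw1] route-distinguisher 100:1            // assumed RD; required before anything else on the instance
[Huawei-vpn-instance-vfw1] quit
[Huawei] interface GigabitEthernet0/0/1                         // assumed interface
[Huawei-GigabitEthernet0/0/1] ip binding vpn-instance vfw1      // bind first ...
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 24            // ... then address; binding clears any address already set
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] interface GigabitEthernet0/0/2                         // assumed interface, same virtual firewall
[Huawei-GigabitEthernet0/0/2] ip binding vpn-instance vfw1
[Huawei-GigabitEthernet0/0/2] ip address 10.1.2.1 24
[Huawei-GigabitEthernet0/0/2] quit
[Huawei] display ip vpn-instance verbose                        // check: RD and the list of bound interfaces
[Huawei] display ip routing-table vpn-instance vfw1             // check: interface routes live in the instance's table, not the public one
```

If `display ip vpn-instance verbose` lists an interface without an address, the `ip address` command was run before `ip binding vpn-instance` and was wiped by the binding; rerun it on the interface.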

Other related questions:
Configure security features of a virtual firewall on an AR router
Security features are configured for a virtual firewall in the same way as for a common firewall, but each virtual firewall is deployed separately to meet its own service requirements. The security features that can be configured include packet filtering, ASPF, port mapping, session table aging time, and attack defense. For the following features a VPN instance must be specified in the command: manually adding blacklist/whitelist entries, and configuring ICMP/SYN/UDP flood defense. These features take effect only in the specified VPN instance, that is, only in that virtual firewall. For the commands used to configure security features of a virtual firewall, see the related page: The AR router configures the security features of the virtual firewall.

Configuring virtual routers on the firewall
A virtual router isolates the routes of different VPNs. To configure a virtual router on the firewall: 1. Choose Network > Route > Virtual Route. 2. In Virtual Router List, click Add. 3. Enter the name of the virtual router to be created. 4. Click OK. If the new virtual router entry is displayed in the list, the operation succeeded.

Configuring an SSL VPN virtual gateway on the firewall
Configuring virtual gateways on the USG
1. system-view
2. v-gateway v-gateway-name { ip-address | interface interface-type interface-number } [ port port-number ] { private [ domain-name ] | public domain-name } //Create a virtual gateway. A private gateway is in exclusive mode, and a public gateway is in shared mode.
3. quit
4. v-gateway v-gateway-name ip address ip-address [ port port-number ] //Assign an IP address and a port number to the virtual gateway.
Exclusive virtual gateway: If the entered IP address is already an IP address of the virtual gateway, this command changes the virtual gateway port number. If the entered IP address is not an IP address of the virtual gateway, this command adds it as a virtual gateway IP address. The undo v-gateway v-gateway-name ip address ip-address command deletes an IP address of the virtual gateway. The v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ] command changes an IP address of the virtual gateway.
Shared virtual gateway: If the entered IP address is the existing IP address of the virtual gateway, this command changes the virtual gateway port number. If the entered IP address is not the IP address of the virtual gateway, this command changes the virtual gateway IP address. You cannot run the undo v-gateway ip address command to delete the IP address of a shared virtual gateway. The v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ] command changes the IP address of the virtual gateway.
If the port to be bound to the virtual gateway IP address is already used for another purpose (such as web management or SSH login), it cannot be configured as the virtual gateway port.
5. v-gateway v-gateway-name interface interface-type interface-number [ port port-number ] //Modify the virtual gateway interface.
6. v-gateway v-gateway-name domain domain-name //Modify the virtual gateway domain name.
7. v-gateway v-gateway-name http-redirect enable //Enable HTTP redirection on the virtual gateway.
8. v-gateway v-gateway-name max-user max-user //Modify the maximum number of virtual gateway users. The default value is 1.
9. v-gateway v-gateway-name cur-max-user cur-max-user //Modify the maximum number of concurrent users of the virtual gateway.
10. v-gateway v-gateway-name max-resource max-resource //Modify the maximum number of resources on the virtual gateway. The default value is 1.
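As an added worked example (not from the original page), the steps above combined into one exclusive (private) virtual gateway on a USG. The gateway name sslgw, the addresses 203.0.113.10 and 203.0.113.11, the port 443 and the user and resource limits are assumed for illustration; every command form is the one listed in the steps above, and each line is run from the system view unless noted.

```text
system-view
v-gateway sslgw 203.0.113.10 port 443 private        //step 2: exclusive gateway on an assumed address; 443 must not already be in use by web management or SSH
quit                                                  //step 3: back to the system view
v-gateway sslgw ip address 203.0.113.10 port 8443    //step 4, same IP: only the port is changed
v-gateway sslgw ip address 203.0.113.11 port 443     //step 4, new IP: exclusive mode adds a second gateway address
undo v-gateway sslgw ip address 203.0.113.11         //step 4: exclusive mode allows deleting an address again
v-gateway sslgw http-redirect enable                 //step 7: redirect plain HTTP requests to the gateway
v-gateway sslgw max-user 200                         //step 8: default is 1, so raise it before users are onboarded
v-gateway sslgw cur-max-user 100                     //step 9: concurrent-user ceiling
v-gateway sslgw max-resource 50                      //step 10: default is 1, so raise it before resources are published
```

In shared (public) mode the same `ip address` command with a new address would replace the gateway address instead of adding one, and the `undo` form is not available, so the add/delete lines in the middle apply to exclusive gateways only.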

VPN instance configuration on S series switch
For the configuration of BGP/MPLS IP VPN: On the S12700, see Example for Configuring BGP/MPLS IP VPN in the S12700 Typical Configuration Examples. On the S1720&S2700&S3700&S5700&S6700&S7700&S9700, see Example for Configuring BGP/MPLS IP VPN in the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples. On the S9300, see Example for Configuring BGP/MPLS IP VPN in the Sx300 Series Switches Typical Configuration Examples.

How to delete the configuration of SSL VPN on an AR
1. Log in to the web system and choose VPN > SSL VPN. The Virtual Gateway Management page is displayed. Click Delete for the virtual gateway, and then click Yes in the displayed dialog box. The virtual gateway is removed from the virtual gateway list. 2. Alternatively, delete the virtual gateway with commands: system-view, then [Huawei]undo sslvpn gateway huawei //huawei is the name of the virtual gateway being deleted.
