What is an internal network


Subnets in a VPC are on the Layer 3 network. An internal network is a Layer 2 network that can manage the network plane on an ECS and provide IP address management and DNS services. All IP addresses of ECSs on a subnet of an internal network belong to this subnet. By default, all ECSs on the subnets of the same internal network can communicate with each other over Layer 2. However, the ECSs cannot perform Layer 3 communication with each other through the internal network. A subnet in an internal network can be any network segment.

Other related questions:
E9000 networking assistant
The E9000 Server Mezz Card-Switch Module Networking Assistant rapidly determines the mapping between mezzanine card ports and switch module ports of an E9000 server, increasing networking efficiency. You can obtain the tool at: E9000 networking assistant

E6000 network port mapping
The on-board NICs of an E6000 are connected to switching planes A1 and A2. The E6000 provides two mezzanine slots (MEZZ 1 and MEZZ 2) for port expansion. The card in MEZZ 1 communicates with B1 and B2 switch modules, and the card in MEZZ 2 communicates with C1 and C2 switch modules.

Configure NAT on the AR router to allow internal hosts to access internal servers using an external IP address
All models of Huawei AR routers in V200R003C01 and later versions allow internal and external users to access internal servers by configuring static NAT.

In this example, GE1/0/0 on the router connects to the internal network and its IP address is 192.168.1.1/24. GE2/0/0 on the router connects to the external network and its IP address is 11.11.11.1/8. The internal server has the internal IP address 192.168.1.2/24 and the external IP address 11.11.11.6. The internal host at 192.168.1.3/24 wants to access the internal server. The configuration details on the AR router are as follows:

1. Assign IP addresses to interfaces on the router.

    [Huawei] interface GigabitEthernet1/0/0
    [Huawei-GigabitEthernet1/0/0] ip address 192.168.1.1 24
    [Huawei-GigabitEthernet1/0/0] quit
    [Huawei] interface GigabitEthernet2/0/0
    [Huawei-GigabitEthernet2/0/0] ip address 11.11.11.1 8
    [Huawei-GigabitEthernet2/0/0] quit

2. Configure a default route to ensure interconnection between internal users and the external network.

    [Huawei] ip route-static 0.0.0.0 0.0.0.0 11.11.11.2

3. Configure internal users to access internal servers. The internal host uses 11.11.11.6 to access servers. NAT is implemented through GE1/0/0, and one-to-one NAT is configured on the internal network service only when service requests are initiated from the internal network.

    [Huawei] acl number 2000
    [Huawei-acl-basic-2000] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 11.11.11.6 0
    [Huawei-acl-basic-2000] quit
    [Huawei] interface GigabitEthernet1/0/0
    [Huawei-GigabitEthernet1/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
    [Huawei-GigabitEthernet1/0/0] nat outbound 2000
    [Huawei-GigabitEthernet1/0/0] quit

4. Configure external users to access internal servers, so that external users use 11.11.11.6 to access internal servers.

    [Huawei] interface GigabitEthernet2/0/0
    [Huawei-GigabitEthernet2/0/0] nat static global 11.11.11.6 inside 192.168.1.2 netmask 255.255.255.255
    [Huawei-GigabitEthernet2/0/0] quit

Display IP addresses of clients connected to S series switch
When an S series switch (except the S1700) works at Layer 2, only the MAC address of the interface is displayed; the IP address is not displayed. When an S series switch (except the S1700) works at Layer 3 and you know the MAC address of a connected client, you can run the display arp all command to check the IP address of the client. If you do not know the MAC address of the client, run the ipconfig/all command on your PC. For example:

    display arp all
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE
                                              VLAN/CEVLAN
    10.137.217.202  00e0-0987-7890            I -   Eth0/0/0
    10.137.216.1    0000-5e00-0149  20        D-0   Eth0/0/0
    Total:2         Dynamic:1       Static:0  Interface:1

(1) The IP address of the PC with MAC address 00e0-0987-7890 is 10.137.217.202.
(2) The total number of dynamic and static ARP entries is the number of access users.

How do I take measures to prevent internal network attacks
Internal network attacks are attacks that use Layer 2 protocol packets. Attackers often use ARP to attack network devices. The following ARP attack defense measures are commonly used:
  • Strict ARP learning: The device learns only the ARP Reply packets in response to the ARP Request packets sent by itself. Run the arp learning strict command to enable strict ARP learning.
  • ARP gateway anti-collision: If an attacker sends an ARP packet with the source IP address as the gateway address, ARP entries are modified incorrectly. ARP gateway anti-collision can solve this problem. Run the arp anti-attack gateway-duplicate enable command to enable the ARP gateway anti-collision function.
  • Sending gratuitous ARP packets: To ensure that packets sent by hosts on the internal network are forwarded to the gateway or prevent malicious users from intercepting these packets, the device sends gratuitous ARP packets at intervals to update the gateway address in ARP entries of the hosts. Run the arp gratuitous-arp send enable command to enable the device to send gratuitous ARP packets. By default, the device sends gratuitous ARP packets every 90s.
NOTE: If too many security measures are used, device performance may deteriorate.
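The first two measures above can be expressed as decision logic on the gateway's ARP table. The following is an added example, not Huawei's implementation or code from this page: a simplified Python model that replays a constructed ARP trace. The class name, MAC addresses and trace are assumptions; the gateway address 192.168.1.1 is borrowed from the NAT example on this page.

```python
from dataclasses import dataclass, field

@dataclass
class ArpGuard:
    """Simplified model of a gateway's ARP table (not Huawei's implementation)."""
    gateway_ip: str
    gateway_mac: str
    table: dict = field(default_factory=dict)    # learned ip -> mac
    pending: set = field(default_factory=set)    # IPs with an outstanding ARP Request
    alerts: list = field(default_factory=list)   # (reason, ip, mac) tuples

    def send_request(self, target_ip):
        self.pending.add(target_ip)

    def receive(self, op, sender_ip, sender_mac):
        # Gateway anti-collision: another MAC claims the gateway's own IP.
        if sender_ip == self.gateway_ip and sender_mac != self.gateway_mac:
            self.alerts.append(("gateway-duplicate", sender_ip, sender_mac))
            return "dropped"
        # Strict learning: learn only from a Reply that answers our own Request.
        if op != "reply" or sender_ip not in self.pending:
            return "ignored"
        self.pending.discard(sender_ip)
        self.table[sender_ip] = sender_mac
        return "learned"


def replay_constructed_trace():
    """Feed constructed ARP events to the model and return (verdicts, guard)."""
    guard = ArpGuard("192.168.1.1", "00e0-fc00-0001")   # constructed gateway MAC
    guard.send_request("192.168.1.2")
    events = [
        ("reply",   "192.168.1.2", "00e0-fc00-0002"),  # answers our request
        ("reply",   "192.168.1.3", "00e0-fc00-0003"),  # unsolicited reply
        ("request", "192.168.1.3", "00e0-fc00-0003"),  # request from a host
        ("reply",   "192.168.1.1", "00e0-fc00-0bad"),  # claims the gateway IP
        ("reply",   "192.168.1.2", "00e0-fc00-0bad"),  # late reply, no request pending
    ]
    verdicts = [guard.receive(*e) for e in events]
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = replay_constructed_trace()
    print(verdicts)
    print(guard.table, guard.alerts)
```

Only the solicited reply changes the table; the entry for 192.168.1.2 survives the later conflicting reply, and the packet claiming the gateway address is the only one that raises an alert.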

