06-11-2021 10:48 AM
Security zone configuration
Hi,
I have an HPE MSR 954 JH296A and I did a firmware upgrade to CMW710-R0707P12. The issue is that I want to learn how to configure the security zone and to add an interface to the security zone DMZ. Because the Configuration Guide is older, the names of the interfaces are different. I have only VLAN1 and the interfaces are untagged.
I followed the guide, and after import interface GE0/1 I received the message: please specify a VLAN list for the layer 2 interface. What do I have to do? Add a VLAN to GE0/1?
Thank you!
06-14-2021 12:44 AM
Re: Security zone configuration
Hello,
Can you please share the software version and config which you are configuring?
Thanks!
06-14-2021 01:12 AM
Re: Security zone configuration
Hi,
MSR954 – JH296A, S/N: CN7BHB106P, Firmware 7.10.R0809P27
06-14-2021 01:26 AM
Re: Security zone configuration
```
#
 version 7.1.064, Release 0809P27
#
 sysname HPE
#
 clock timezone Bucharest add 02:00:00
 clock protocol none
#
 dialer-group 1 rule ip permit
 dialer-group 2 rule ip permit
#
 dhcp enable
 dhcp server always-broadcast
#
 dns proxy enable
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
dhcp server ip-pool lan1
 gateway-list 192.168.0.1
 network 192.168.0.0 mask 255.255.254.0
 address range 192.168.1.100 192.168.1.200
 dns-list 193.231.252.1 213.154.124.1
#
controller Cellular0/0
 description Multiple_Line_Other
 serial-set 0
#
controller Cellular0/1
#
interface Dialer0
 bandwidth 1000000
 ppp chap password cipher $c$3$oR4YtxoF7TjdoJhYO/yk64QBY/beUMCsxleuy5I=
 ppp chap user CRPBB253005505
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user CRPBB253005505 password cipher $c$3$dOnRFmZ2zaFLn4n8xJO8MFzOnl2NN7azhNHbubo=
 dialer bundle enable
 dialer-group 2
 dialer timer idle 0
 dialer timer autodial 5
 ip address ppp-negotiate
 qos car inbound any cir 1000000 cbs 62500000 ebs 0 green pass red discard yellow pass
 qos car outbound any cir 1000000 cbs 62500000 ebs 0 green pass red discard yellow pass
 nat outbound
 nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
 nat server protocol tcp global current-interface 9988 inside 192.168.1.2 9988
 nat server protocol udp global current-interface 9989 inside 192.168.1.2 9989
 nat server protocol udp global current-interface 10001 inside 192.168.1.2 10001
 nat static enable
#
interface Serial0/0:0
 shutdown
 ppp ipcp dns admit-any
 ppp ipcp dns request
 dialer circular enable
 dialer-group 1
 dialer timer autodial 5
 dialer number *99# autodial
 ip address ppp-negotiate
 qos car inbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
 qos car outbound any cir 100000 cbs 6250000 ebs 0 green pass red discard yellow pass
 nat outbound
 nat static enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.1 255.255.254.0
 tcp mss 1280
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlan-interface20
#
interface GigabitEthernet0/0
 port link-mode route
 description Multiple_Line
 pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/5
 port link-mode route
 shutdown
 nat static enable
#
interface GigabitEthernet0/1
 port link-mode bridge
 port access vlan 10
#
interface GigabitEthernet0/2
 port link-mode bridge
#
interface GigabitEthernet0/3
 port link-mode bridge
#
interface GigabitEthernet0/4
 port link-mode bridge
 port access vlan 20
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
 import interface Vlan-interface10
#
security-zone name Untrust
#
security-zone name Management
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line tty 1
 user-role network-operator
 modem enable both
#
line vty 0 63
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 Serial0/0:0
 ip route-static 0.0.0.0 0 Dialer0
#
 password-control enable
 undo password-control aging enable
 undo password-control history enable
 password-control length 6
 password-control login-attempt 3 exceed lock-time 10
 password-control update-interval 0
 password-control login idle-time 0
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 service-type telnet http
 authorization-attribute user-role network-admin
#
cwmp
 cwmp enable
#
 ip http enable
#
 ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
#
return
```
06-14-2021 11:54 PM
Re: Security zone configuration
Hello,
Are you getting the message when you are importing interface gi0/1 into 'security-zone name DMZ'?
Can you try to make interface gi0/1 a route port and import it into the zone?
Adding HPE FlexNetwork MSR Router Series configuration file link for your reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101876en_us
Thanks!
06-15-2021 12:59 AM
Re: Security zone configuration
Hi,
In the Web Manager, under Edit Security Zone DMZ, I have in the list of available interfaces only GE0/0, GE0/5 and all VLANs.
I am a beginner and I am trying to understand the way the HPE router works. On a cheap router I solved this server issue by entering the IP of the server into the DMZ zone. On the HPE router I need to do some pair links based on traffic and the DMZ zone is isolated logically and physically. My server uses 2 ports on TCP (80 and 9988) and UDP (10001 and 9989).
Please give me a recommendation about how to do it on this router.
Best regards,
Sabian
06-16-2021 09:45 AM
Re: Security zone configuration
Hi,
I partially solved this, in case you have one server, with this port forwarding mechanism:
```
 nat outbound
 nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
 nat server protocol tcp global current-interface 9988 inside 192.168.1.2 9988
 nat server protocol udp global current-interface 9989 inside 192.168.1.2 9989
 nat server protocol udp global current-interface 10001 inside 192.168.1.2 10001
 nat static enable
```
I did this after I set up a new VLAN for this server, but on the VLAN the internet access is affected.
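
Added example (not part of any post in this thread, and not HPE code): a small Python audit that maps each `nat server` rule in a Comware configuration to the Layer 3 interface and security zone its inside host sits behind. Run on a constructed excerpt of the configuration posted above, it shows the published server 192.168.1.2 falling in the Vlan-interface1 subnet, not behind the Vlan-interface10 that was imported into the DMZ zone; the function names and the one-space indentation of sub-commands are assumptions.

```python
import ipaddress
import re

# Constructed excerpt, trimmed from the configuration posted in this thread.
SAMPLE = """\
interface Dialer0
 nat server protocol tcp global current-interface 80 inside 192.168.1.2 80
 nat server protocol udp global current-interface 9989 inside 192.168.1.2 9989
#
interface Vlan-interface1
 ip address 192.168.0.1 255.255.254.0
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
#
security-zone name DMZ
 import interface Vlan-interface10
#
"""

def parse(config):
    """Return (interface -> network, interface -> zone, list of NAT server rules)."""
    nets, zones, forwards, ctx = {}, {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line opens a new section
            ctx = line.split()
        elif m := re.match(r"ip address (\S+) (\d\S+)$", line):
            nets[ctx[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"import interface (\S+)", line):
            zones[m[1]] = ctx[2]             # ctx is: security-zone name <zone>
        elif m := re.match(r"nat server protocol (\w+) global \S+ (\d+) inside (\S+) (\d+)", line):
            forwards.append((ctx[1], m[1], int(m[2]), ipaddress.ip_address(m[3])))
    return nets, zones, forwards

def audit(config):
    """For each published port, name the L3 interface and zone of the inside host."""
    nets, zones, forwards = parse(config)
    report = []
    for _wan, proto, port, host in forwards:
        iface = next((i for i, n in nets.items() if host in n), None)
        report.append((proto, port, str(host), iface, zones.get(iface, "no zone")))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
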
07-06-2021 06:24 AM
Re: Security zone configuration
Hello,
Case closed! MSR954 is not on the hardware compatibility for security zones and objects! This is the correct answer! But I learned a lot trying to work with security zones! So at this moment I will search for another way to do DMZ for servers.
Best regards,
Sabian