Huawei Router Configuration: ACL, FTP Access, and Firewall Zones

This guide details a step‑by‑step Huawei router configuration that creates basic and advanced ACLs, defines time‑based FTP access, sets up firewall zones for internal and external networks, and verifies the resulting security policies using command‑line examples.


Configuration Approach

Create basic ACLs on the router to classify users, enable basic FTP functions, and apply the ACLs to control access for different users.

Data Preparation

Basic ACL number: 2001.
Time-range name for FTP access: ftp-access.
Time-range description: Saturday and Sunday from 14:00 to 18:00 between 2009-01-01 and 2011-12-31.

Operation Steps – Basic ACL and FTP

Configure time‑range:

system-view
sysname Router
[Router] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Router] time-range ftp-access 14:00 to 18:00 off-day

Configure basic ACL:

[Router] acl number 2001
[Router-acl-basic-2001] rule permit source 172.16.105.0 0.0.1.255
[Router-acl-basic-2001] rule permit source 172.16.107.0 0.0.1.255 time-range ftp-access
[Router-acl-basic-2001] quit

Enable FTP and bind ACL:

[Router] ftp acl 2001

Verification:

PC A (172.16.105.111) can FTP to 172.16.104.110.

PC B in subnet 2 (172.16.107.111) cannot FTP outside the defined time‑range, but can during allowed hours.

PC C (10.10.10.1) cannot FTP.

Advanced Security Zone Configuration

Define security zones for internal (company) and external networks, assign priorities, and bind interfaces:

system-view
sysname Router
[Router] firewall zone company
[Router-zone-company] priority 12
[Router-zone-company] quit
[Router] interface vlanif 100
[Router-Vlanif100] zone company
[Router-Vlanif100] quit
[Router] firewall zone external
[Router-zone-external] priority 5
[Router-zone-external] quit
[Router] interface gigabitEthernet 0/0/1
[Router-gigabitEthernet0/0/1] zone external
[Router-gigabitEthernet0/0/1] quit

Enable inter‑zone firewall and create advanced ACLs:

[Router] firewall interzone company external
[Router-interzone-company-external] firewall enable
[Router-interzone-company-external] quit

ACL 3001 – allow one specific external user (202.39.2.3) to reach the three internal servers (202.169.10.5, .6 and .7) over TCP; the final rule denies all other inbound traffic:

[Router] acl 3001
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
[Router-acl-adv-3001] rule permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit

ACL 3002 – allow only the three internal servers to reach the external network; the final rule denies traffic from all other internal hosts:

[Router] acl 3002
[Router-acl-adv-3002] rule permit ip source 202.169.10.5 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.6 0.0.0.0
[Router-acl-adv-3002] rule permit ip source 202.169.10.7 0.0.0.0
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit

Apply packet‑filters to the inter‑zone firewall:

[Router] firewall interzone company external
[Router-interzone-company-external] packet-filter 3001 inbound
[Router-interzone-company-external] packet-filter 3002 outbound
[Router-interzone-company-external] quit

Verification of inter-zone configuration:

[Router] display firewall interzone company external

The output shows the firewall enabled, default deny inbound, default permit outbound, and the two packet-filters applied.
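To check the intended effect of the basic ACL with its time-range (the PC A / PC B / PC C cases above) and of the two advanced ACLs bound to the inter-zone packet-filter, here is an added Python model of the page's rule set; it is illustration code written for this page, not Huawei software. It assumes Huawei wildcard-mask semantics (a 1 bit means "don't care"), first-match evaluation, an implicit deny when no rule matches, and that a time-range is active only when both its absolute and its periodic window hold; the hosts and timestamps are constructed for the example.

```python
import ipaddress
from datetime import datetime, time

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

# time-range ftp-access: absolute window AND periodic window (Sat/Sun 14:00-18:00)
# must both hold. Python weekday(): Saturday = 5, Sunday = 6 (Huawei 'off-day').
FTP_ACCESS = (datetime(2009, 1, 1, 0, 0), datetime(2011, 12, 31, 23, 59),
              time(14, 0), time(18, 0), {5, 6})

def time_range_active(tr, now):
    start, end, t0, t1, days = tr
    return start <= now <= end and now.weekday() in days and t0 <= now.time() <= t1
# Rule = (action, proto, src, src_wildcard, dst, dst_wildcard, time_range);
# None means "any". Rule order follows the page's configuration.
ACL = {
    2001: [("permit", "ip", "172.16.105.0", "0.0.1.255", None, None, None),
           ("permit", "ip", "172.16.107.0", "0.0.1.255", None, None, FTP_ACCESS)],
    3001: [("permit", "tcp", "202.39.2.3", "0.0.0.0", d, "0.0.0.0", None)
           for d in ("202.169.10.5", "202.169.10.6", "202.169.10.7")]
          + [("deny", "ip", None, None, None, None, None)],
    3002: [("permit", "ip", s, "0.0.0.0", None, None, None)
           for s in ("202.169.10.5", "202.169.10.6", "202.169.10.7")]
          + [("deny", "ip", None, None, None, None, None)],
}

def acl_action(acl_no, src, dst, proto="tcp", now=None):
    """First matching rule wins; with no match the ACL's implicit deny applies."""
    for action, p, s, swc, d, dwc, tr in ACL[acl_no]:
        if p != "ip" and p != proto:
            continue
        if s is not None and not wildcard_match(src, s, swc):
            continue
        if d is not None and not wildcard_match(dst, d, dwc):
            continue
        if tr is not None and (now is None or not time_range_active(tr, now)):
            continue
        return action
    return "deny"

# Inter-zone binding from the page: 3001 inbound (external -> company), 3002 outbound.
PACKET_FILTER = {"inbound": 3001, "outbound": 3002}

def interzone_action(direction, src, dst, proto="tcp"):
    return acl_action(PACKET_FILTER[direction], src, dst, proto)
```

Running the three PC cases through acl_action(2001, ...) reproduces the verification results above, and a non-TCP packet from 202.39.2.3 falls through ACL 3001's TCP rules to the final deny.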

Configuration File Extract

# Router configuration file
vlan batch 100
acl number 3001
rule 5 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.5 0.0.0.0
rule 10 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.6 0.0.0.0
rule 15 permit tcp source 202.39.2.3 0.0.0.0 destination 202.169.10.7 0.0.0.0
rule 20 deny ip
acl number 3002
rule 5 permit ip source 202.169.10.5 0.0.0.0
rule 10 permit ip source 202.169.10.6 0.0.0.0
rule 15 permit ip source 202.169.10.7 0.0.0.0
rule 20 deny ip
interface Vlanif100
ip address 202.169.10.1 255.255.255.0
zone company
firewall zone company
priority 12
firewall zone external
priority 5
firewall interzone company external
firewall enable
packet-filter 3001 inbound
packet-filter 3002 outbound
interface Ethernet0/0/0
port link-type access
port default vlan 100
interface GigabitEthernet0/0/1
ip address 129.39.10.8 255.255.255.0
zone external
return
Written by Practical DevOps Architecture