
Configuring a PCP Policy

This section describes how to configure a PCP policy.

Prerequisites

Configuring a NAT Address Pool has been completed.

Procedure

  1. Access the system view.

    system-view

  2. Access the PCP policy view.

    pcp-policy

  3. Create a PCP policy rule and access the PCP policy rule view.

    rule name rule-name

    If multiple PCP policy rules are configured, the rules are matched from top to bottom. Once traffic matches a PCP policy rule, the remaining rules are ignored.

    After creating the PCP policy rule, you can use the description description command to describe the rule in a way that makes it easy to remember.

  4. Configure matching conditions in the policy rule.

    All matching conditions are optional, and each defaults to any. If a matching condition is configured, traffic that meets the condition is matched. If a condition is not configured, traffic is not checked against it.

    • To match traffic with the policy rule by source address, set the source IP address in the rule to the CPE address.

      source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range ipv4-start-address ipv4-end-address [ description description ] | any }

      source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

    • To match traffic with the policy rule by source zone, set the zone to the one where the intranet resides.

      source-zone { zone-name &<1-6> | any }

  5. Configure an action for the PCP policy rule.

    action { nat address-group address-group-name | no-nat }

  6. Optional: Enable the endpoint-independent filtering function.

    firewall endpoint-independent filter enable

    By default, the endpoint-independent filtering function is enabled.

    When the endpoint-independent filtering function is enabled, the FW directly forwards the packet sent by the Internet user to communicate with the private network user if the packet matches a PCP MAP IN mapping entry. If the endpoint-independent filtering function is disabled, the FW will search for a matching interzone security policy rule to determine whether to forward the packet.

    Decide whether to enable the endpoint-independent filtering function or to configure an interzone security policy rule, as required.

Follow-up Procedure

After configuring the PCP policy rule, you can perform the following operations in the PCP policy view for the rule.

  • Run the rule rename old-name new-name command to rename the PCP policy rule.

  • Run the rule move rule-name1 { { after | before } rule-name2 | up | down | top | bottom } command to change the position of the PCP policy rule in the matching order.

  • Run the rule copy rule-name new-rule-name command to copy the PCP policy rule.

  • Run the enable or disable command to enable or disable the PCP policy rule.
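
The top-down, first-match behaviour from step 3 and the effect of the rule move command above can be checked offline before a change. The following Python model is an added example, not Huawei code or part of the original procedure; the rule names, the address group pool_a, the addresses and the probe flows are constructed, and it assumes that source-address-exclude takes precedence over source-address and that disabled rules are skipped.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                   # "no-nat" or "nat address-group <name>"
    sources: list = field(default_factory=list)   # empty list models "any"
    excludes: list = field(default_factory=list)  # models source-address-exclude
    zones: list = field(default_factory=list)     # empty list models "any"
    enabled: bool = True                          # models enable / disable

def _covers(nets, addr):
    return any(addr in ipaddress.ip_network(n) for n in nets)

def matches(rule, src, zone):
    addr = ipaddress.ip_address(src)
    if not rule.enabled:                          # assumption: disabled rules are skipped
        return False
    if rule.sources and not _covers(rule.sources, addr):
        return False
    if _covers(rule.excludes, addr):              # assumption: exclude wins over include
        return False
    return not rule.zones or zone in rule.zones

def evaluate(rules, src, zone):
    """Top-down, first match wins; None means no rule matched."""
    for rule in rules:
        if matches(rule, src, zone):
            return rule.name
    return None

def never_hit(rules, probes):
    """Enabled rules that win for none of the probe flows in the current order."""
    hit = {evaluate(rules, s, z) for s, z in probes}
    return [r.name for r in rules if r.enabled and r.name not in hit]

def move_before(rules, name, ref):
    """Model of 'rule move name before ref'; returns a new ordered list."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    i = next(i for i, r in enumerate(rest) if r.name == ref)
    return rest[:i] + [moved] + rest[i:]

# Constructed policy: a broad rule sits above a more specific one.
POLICY = [
    Rule("all_trust", "nat address-group pool_a", zones=["trust"]),
    Rule("cpe_lab", "no-nat", sources=["10.1.1.0/24"], excludes=["10.1.1.254/32"]),
]
PROBES = [("10.1.1.10", "trust"), ("10.1.1.254", "trust"), ("10.2.0.5", "trust")]
```

In the constructed order, never_hit(POLICY, PROBES) reports cpe_lab as shadowed by all_trust; move_before(POLICY, "cpe_lab", "all_trust") gives the order in which the specific rule takes effect.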

Copyright © Huawei Technologies Co., Ltd.