CLI example: Configuring the address object group whitelist

Network configuration

As shown in Figure-1, configure the address object group whitelist feature on the device to allow all packets from subnet 5.5.5.0/24 to pass through.

Figure-1 Network diagram

Software versions used

This configuration example was created and verified on R9900P25 of the M9000-X06 device.

Procedures

  1. Assign IP addresses to interfaces:

    # Assign an IP address to interface GigabitEthernet 1/0/1.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] ip address 192.168.1.1 255.255.0.0
    [Device-GigabitEthernet1/0/1] quit

    # Assign IP addresses to other interfaces in the same way. (Details not shown.)

  2. Add interfaces to security zones:

    [Device] security-zone name trust
    [Device-security-zone-Trust] import interface gigabitethernet 1/0/1
    [Device-security-zone-Trust] quit
    [Device] security-zone name untrust
    [Device-security-zone-Untrust] import interface gigabitethernet 1/0/2
    [Device-security-zone-Untrust] quit
    [Device] security-zone name dmz
    [Device-security-zone-DMZ] import interface gigabitethernet 1/0/3
    [Device-security-zone-DMZ] quit

  3. Configure a security policy:

    # Configure a rule named trust-untrust to allow hosts in security zone trust to access the Internet.
    [Device] security-policy ip
    [Device-security-policy-ip] rule name trust-untrust
    [Device-security-policy-ip-1-trust-untrust] source-zone trust
    [Device-security-policy-ip-1-trust-untrust] destination-zone untrust
    [Device-security-policy-ip-1-trust-untrust] source-ip-subnet 192.168.0.0 16
    [Device-security-policy-ip-1-trust-untrust] action pass
    [Device-security-policy-ip-1-trust-untrust] quit

    # Configure a rule named untrust-dmz to allow hosts on the Internet to access the server.
    [Device-security-policy-ip] rule name untrust-dmz
    [Device-security-policy-ip-2-untrust-dmz] source-zone untrust
    [Device-security-policy-ip-2-untrust-dmz] destination-zone dmz
    [Device-security-policy-ip-2-untrust-dmz] destination-ip-host 10.1.1.2
    [Device-security-policy-ip-2-untrust-dmz] action pass
    [Device-security-policy-ip-2-untrust-dmz] quit
    [Device-security-policy-ip] quit

  4. Configure the address object group whitelist:

    # Create IPv4 address object group obj1. Configure an IPv4 address object with subnet 5.5.5.0/24.
    [Device] object-group ip address obj1
    [Device-obj-grp-ip-obj1] network subnet 5.5.5.0 24
    [Device-obj-grp-ip-obj1] quit

    # Add IPv4 address object group obj1 to the whitelist.
    [Device] whitelist object-group ip obj1

    # Enable the global whitelist feature.
    [Device] whitelist global enable

Verifying the configuration

# Verify that the device allows all packets from subnet 5.5.5.0/24 to pass through, and that it stops doing so once you execute the undo whitelist object-group command on the device. (Details not shown.)

Configuration files

#
object-group ip address obj1
 0 network subnet 5.5.5.0 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 ip address 192.168.1.1 255.255.0.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 202.1.0.1 255.255.0.0
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
#
security-zone name DMZ
 import interface GigabitEthernet1/0/3
#
security-zone name Untrust
 import interface GigabitEthernet1/0/2
#
whitelist global enable
whitelist object-group ip obj1
#
security-policy ip
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 192.168.0.0 255.255.0.0
 rule 2 name untrust-dmz
  action pass
  source-zone untrust
  destination-zone dmz
  destination-ip-host 10.1.1.2
#
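Added example, not part of the H3C documentation: a small Python model of the forwarding decision this configuration relies on. It parses the whitelist and security-policy sections of the configuration file above and reports why a packet passes or is dropped; parse() and evaluate() are hypothetical helpers, and the whitelist-before-policy order, the default deny, and the effect of omitting whitelist global enable are assumptions made for illustration.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed excerpt of this page's configuration file; parse() is a minimal parser for it.
CONFIG = """\
object-group ip address obj1
 0 network subnet 5.5.5.0 255.255.255.0
whitelist global enable
whitelist object-group ip obj1
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 192.168.0.0 255.255.0.0
 rule 2 name untrust-dmz
  action pass
  source-zone untrust
  destination-zone dmz
  destination-ip-host 10.1.1.2
"""

def parse(cfg):
    p, members, rule = {"groups": {}, "whitelist": [], "enabled": False, "rules": []}, None, None
    for t in (line.split() or [""] for line in cfg.splitlines()):
        if t[:3] == ["object-group", "ip", "address"]:
            members = p["groups"].setdefault(t[3], [])
        elif t[1:3] == ["network", "subnet"]:            # "0 network subnet A.B.C.D MASK"
            members.append(ipaddress.ip_network("/".join(t[3:5])))
        elif t == ["whitelist", "global", "enable"]:
            p["enabled"] = True
        elif t[:3] == ["whitelist", "object-group", "ip"]:
            p["whitelist"].append(t[3])
        elif t[0] == "rule":                             # "rule N name NAME"
            p["rules"].append(rule := {"name": t[3]})
        elif t[0] in ("source-ip-subnet", "destination-ip-host"):
            rule[t[0].split("-")[0]] = ipaddress.ip_network("/".join(t[1:]))
        elif rule is not None and len(t) == 2:           # action, source-zone, destination-zone
            rule[t[0]] = t[1]
    return p

def evaluate(p, src_ip, src_zone, dst_ip, dst_zone):
    # Assumed semantics: an enabled whitelist is checked before the policy; unmatched packets are denied.
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if p["enabled"] and any(src in net for g in p["whitelist"] for net in p["groups"][g]):
        return "pass", "whitelist"
    for r in p["rules"]:
        if (r["source-zone"], r["destination-zone"]) == (src_zone, dst_zone) \
                and src in r.get("source", ANY) and dst in r.get("destination", ANY):
            return r["action"], f"rule {r['name']}"
    return "deny", "no matching rule"
```

Removing the whitelist global enable line from CONFIG shows that the object-group binding alone does not pass 5.5.5.0/24 traffic; only the security-policy rules then apply.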