F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100

259

# Configure the IP address of interface GigabitEthernet 0/1.

[Firewall] interface gigabitethernet 0/1

[Firewall-GigabitEthernet0/1] ip address 192.168.20.99 255.255.255.0

# Enable proxy ARP on interface GigabitEthernet 0/1.

[Firewall-GigabitEthernet0/1] proxy-arp enable

[Firewall-GigabitEthernet0/1] quit

After completing preceding configurations, use the ping command to verify the connectivity between

Host A and Host D.

579BLocal proxy ARP configuration example in case of port isolation

1298BNetwork requirements

As shown in 2482HFigure 173, Host A and Host B belong to the same VLAN, and connect to the switch through

GigabitEthernet 0/3 and GigabitEthernet 0/1 respectively. The switch connects to the firewall through

GigabitEthernet 0/2.

Configure port isolation on GigabitEthernet 0/3 and GigabitEthernet 0/1 of the switch to isolate Host A

from Host B at Layer 2. Enable local proxy ARP on the firewall to allow communication between Host A

and Host B at Layer 3.

In this configuration example, suppose all traffic between the hosts is blocked, so you need to configure

local proxy ARP on GigabitEthernet 0/2 of the firewall to enable communication between Host A and

Host B. If the two ports (GigabitEthernet 0/3 and GigabitEthernet 0/1) on the switch are isolated only at

Layer 2, you can enable communication between the two hosts by configuring local proxy ARP on

VLAN-interface 2 of the switch.

Figure 173 Network diagram

1299BConfiguration procedure

1. Configure the switch:

# Add GigabitEthernet 0/3, GigabitEthernet 0/1 and GigabitEthernet 0/2 to VLAN 2. Configure

port isolation for Host A and Host B.

<Switch> system-view

[Switch] port-isolate group 2

[Switch] vlan 2

[Switch-vlan2] port gigabitethernet 0/3