
In this issue I share a practical tip for network deployment.

1. Scenario Background
In environments such as residential communities and schools, the office network, video surveillance, access control and other equipment are usually placed in different IP segments, for example:

Office network: 192.168.1.0/24
Surveillance: 192.168.2.0/24
Access control: 192.168.3.0/24

If the switch ports that each kind of device connects to were not labelled in advance, dividing them into VLANs means tracing every cable first. In that case a Layer 3 switch with a "single VLAN + multiple IP addresses" configuration achieves intercommunication between the segments without touching the physical wiring.


2. Core Principle
Configure multiple IP addresses (one primary address plus one or more secondary addresses) on the same VLAN interface of the core switch. Each address is the gateway of one segment, and the switch's Layer 3 routing function forwards traffic between the segments. Because every segment sits on the same interface, the routing table gains one direct route per segment, and a host reaches another segment by sending to its own gateway, which routes the packet back out of the same VLAN interface.

3. Huawei configuration instructions
Scenario example: set up three segment gateways on VLAN 10 (192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24, matching the segments in section 1).

1. Enter the configuration mode of the VLAN interface (the Vlanif interface of VLAN 10).

2. Configure the primary IP address (it must exist before any secondary address can be added):

    ip address 192.168.1.1 24

3. Add the secondary IP addresses with the sub keyword, one per remaining segment:

    ip address 192.168.2.1 24 sub
    ip address 192.168.3.1 24 sub

4. Verify the routing table:

    display ip routing-table

Expected result: the routing table contains a Direct route for each of the three segments (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24), with the NextHop column showing the corresponding gateway address and the Interface column showing Vlanif10. If a sub address is rejected, check that its subnet does not overlap an address already configured on another interface of the switch.
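The four steps above as one console session, written as an added example for this article rather than configuration taken from the author's device. It assumes a Huawei S-series switch running VRP, a hostname of CoreSW, that VLAN 10 exists (it is created here for completeness) and carries the access ports, and that no other interface already owns any of the three subnets. Lines beginning with # are explanatory comments, not commands; the prompts are shown for orientation.

```text
# Core switch, Huawei VRP (S-series). Hostname CoreSW is an assumption.
<CoreSW> system-view
[CoreSW] vlan 10
[CoreSW-vlan10] quit
# Step 1: enter the VLAN interface (Vlanif) that will carry all three gateways
[CoreSW] interface Vlanif 10
# Step 2: primary address first; VRP requires it before any "sub" address
[CoreSW-Vlanif10] ip address 192.168.1.1 24
# Step 3: secondary addresses, one per additional segment
[CoreSW-Vlanif10] ip address 192.168.2.1 24 sub
[CoreSW-Vlanif10] ip address 192.168.3.1 24 sub
[CoreSW-Vlanif10] quit
# Step 4: verify. Expect three Direct routes via Vlanif10, NextHop = the gateway address itself.
[CoreSW] display ip routing-table
# Also confirm the interface lists one Primary and two Sub addresses
[CoreSW] display ip interface Vlanif 10
```

If the three segments do not all appear as Direct routes, the usual cause is that the Vlanif interface is down because no port in VLAN 10 is up; bring up an access port in the VLAN and check again.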

4. Terminal device configuration
Each device points its default gateway at the address of its own segment on the Vlanif interface, for example:
Devices in 192.168.1.0/24 use gateway 192.168.1.1
Devices in 192.168.2.0/24 use gateway 192.168.2.1
Devices in 192.168.3.0/24 use gateway 192.168.3.1
A device whose gateway lies outside its own segment (for example a 192.168.2.x address with gateway 192.168.1.1) cannot resolve the gateway by ARP and loses cross-segment connectivity, so check the pairing on every device.

Test result: hosts in 192.168.1.0/24 can reach the surveillance equipment in 192.168.2.0/24 and the access control equipment in 192.168.3.0/24.

5. Notes
Broadcast domain and security: all devices remain in one broadcast domain, so the segmentation is purely logical. Any host can set its own address to one in another segment and talk to that segment's devices directly at Layer 2, bypassing the gateway, and an ACL applied to the Vlanif interface only filters routed traffic and never sees it. It is recommended to enable the port isolation function on the access switches (Huawei: port-isolate enable); this blocks direct Layer 2 traffic between isolated ports of the same switch, but not between devices attached to different access switches.
Loop protection: enable a spanning tree protocol (STP/RSTP/MSTP) on all switches, Huawei devices included, to avoid network loops.
Scale limitation: this solution suits small and medium-sized networks. For large networks, or wherever the segments must genuinely be isolated from one another, VLAN division (with routing and ACLs between the VLANs) remains the recommended way to achieve security isolation.
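The access-switch side of the two mitigations above (port isolation and spanning tree), as an added example rather than configuration from the article. It assumes a Huawei S-series access switch with hostname AccessSW whose device-facing ports are GigabitEthernet0/0/1 to 0/0/24 and whose uplink to the core is GigabitEthernet0/0/25; the hostname and port names are assumptions. Port isolation here only stops direct traffic between ports of this one switch, so treat it as a nuisance barrier, not a security boundary.

```text
# Access switch, Huawei VRP (S-series). Hostname and port numbers are assumptions.
<AccessSW> system-view
# Loop protection: run RSTP switch-wide and shut down edge ports that ever receive a BPDU
[AccessSW] stp mode rstp
[AccessSW] stp enable
[AccessSW] stp bpdu-protection
# Device-facing ports: access ports in VLAN 10, isolated from each other at Layer 2,
# and marked as edge ports so they forward immediately instead of waiting for STP
[AccessSW] port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/24
[AccessSW-port-group] port link-type access
[AccessSW-port-group] port default vlan 10
[AccessSW-port-group] port-isolate enable
[AccessSW-port-group] stp edged-port enable
[AccessSW-port-group] quit
# Uplink to the core: trunk carrying VLAN 10, deliberately NOT isolated so every
# device can still reach the gateways on the core's Vlanif 10
[AccessSW] interface GigabitEthernet 0/0/25
[AccessSW-GigabitEthernet0/0/25] port link-type trunk
[AccessSW-GigabitEthernet0/0/25] port trunk allow-pass vlan 10
[AccessSW-GigabitEthernet0/0/25] quit
# Checks: isolated ports should be listed; the uplink should be the root port or designated
[AccessSW] display port-isolate group all
[AccessSW] display stp brief
```

After this, two devices on the same access switch can still reach each other, but only through the core's Layer 3 gateway, which is where an ACL on Vlanif 10 can then be applied to that traffic; devices on different access switches are unaffected by this isolation.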