HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Requirements Analysis

Table 8-11  Scheme Implementation Analysis

Scheme: DS-Lite lets private IPv4 users reach the IPv4 Internet across the IPv6 network.

Advantage: DS-Lite, also called lightweight 4over6, consists of dual-stack hosts and an IPv6 network. On a DS-Lite network only the CPEs and the CGN need to run dual stack; every intermediate node needs only IPv6. All configuration and maintenance is therefore done on the CPEs and the CGN.

Implementation: configure the DS-Lite function as follows.

  • CPE

    • Configure the tunnel interface.
    • Set the tunnel encapsulation mode to IPv4 over IPv6.
    • Specify the source address or source interface of the tunnel.
    • Set the destination address of the tunnel (the CGN's tunnel address).
    • Set the IPv4 address of the tunnel interface.
  • CGN

    • Configure the tunnel interface.
    • Set the tunnel encapsulation mode to DS-Lite.
    • Specify the source address or source interface of the tunnel.
    • Configure the IPv4 address of the tunnel interface.
    • Configure the address pool.
    • Configure the DS-Lite NAT policy.

Scheme: Dynamic NAT64 enables communication between IPv4 and IPv6 users.

Advantage: Dynamic NAT64 uses dynamic address mapping together with upper-layer protocol (port) mapping, so a large number of IPv6 addresses can be translated using only a few IPv4 addresses. It conserves public IPv4 addresses and suits large-scale deployment.

Implementation: configure the NAT64 function on the CGN.

  • Configure the NAT64 prefix.
  • Configure the address pool for the IPv4 Internet.
  • Configure the NAT64 policy.
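To make the CPE and CGN steps above concrete, here is an added Python model of the DS-Lite data path; it is example code written for this page, not code from the page or from Huawei. The CPE (the B4 element in RFC 6333 terms) wraps each private IPv4 packet in an IPv6 header with Next Header 4 and sends it to the CGN's tunnel address; the CGN (the AFTR) checks that the outer packet is really IPv4-in-IPv6 addressed to it, decapsulates, and applies the DS-Lite NAT policy. The point worth seeing is that the NAT binding is keyed on the CPE's IPv6 tunnel source as well as the inner private address and port: two CPEs that both use 192.168.0.0/24 get distinct public bindings from address pool 1 instead of colliding. The addresses 3000::1, 4000::1, 192.168.0.2, 1.1.3.1 and the pool 1.1.2.1 to 1.1.2.5 come from Table 8-12; the second CPE at 3000::99, the UDP ports and the simple round-robin pool allocation are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

# Page data (Table 8-12): CGN tunnel address 4000::1, address pool 1.
# The second CPE 3000::99 used in demo() is a constructed assumption.
AFTR_ADDR = "4000::1"
POOL_1 = ["1.1.2.%d" % i for i in range(1, 6)]


def ipv4_udp_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4/UDP datagram (no payload) as a host on the private LAN sends it."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)            # length 8, checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp


def b4_encapsulate(b4_src: str, aftr_dst: str, inner: bytes) -> bytes:
    """CPE (B4) side: the IPv4 packet becomes the payload of an IPv6 header whose
    Next Header is 4 (IPv4-in-IPv6), sent from the tunnel source to the CGN."""
    ipv6 = struct.pack("!IHBB16s16s", 0x6 << 28, len(inner), 4, 64,
                       IPv6Address(b4_src).packed, IPv6Address(aftr_dst).packed)
    return ipv6 + inner


class Aftr:
    """CGN (AFTR) side: decapsulate, then NAT44 with state keyed on the B4's IPv6
    address plus the inner source address and port, so overlapping private
    address space behind different CPEs does not collide."""

    def __init__(self, tunnel_addr: str, pool: list):
        self.tunnel_addr = IPv6Address(tunnel_addr)
        self.pool = [IPv4Address(a) for a in pool]
        self.next_port = 1024
        # (B4 IPv6, inner src IPv4, src port) -> (public IPv4, public port)
        self.bindings = {}

    def decapsulate(self, pkt: bytes):
        ver_tc_fl, plen, nh, _hl = struct.unpack("!IHBB", pkt[:8])
        if ver_tc_fl >> 28 != 6 or nh != 4:
            raise ValueError("not an IPv4-in-IPv6 (DS-Lite) packet")
        b4, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
        if dst != self.tunnel_addr:
            raise ValueError("outer destination is not this AFTR")
        inner = pkt[40:40 + plen]
        if len(inner) != plen or inner[0] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 inner packet")
        return b4, inner

    def translate(self, pkt: bytes) -> dict:
        b4, inner = self.decapsulate(pkt)
        ihl = (inner[0] & 0x0F) * 4
        src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        key = (b4, src, sport)
        if key not in self.bindings:
            # Allocation policy is a simplification (round-robin over pool 1).
            pub = self.pool[len(self.bindings) % len(self.pool)]
            self.bindings[key] = (pub, self.next_port)
            self.next_port += 1
        pub, pport = self.bindings[key]
        return {"b4": str(b4), "private": "%s:%d" % (src, sport),
                "public": "%s:%d" % (pub, pport), "dest": "%s:%d" % (dst, dport)}


def demo() -> list:
    """Two CPEs send the identical inner packet (same 192.168.0.2:40000 -> 1.1.3.1:53)."""
    aftr = Aftr(AFTR_ADDR, POOL_1)
    inner = ipv4_udp_packet("192.168.0.2", "1.1.3.1", 40000, 53)
    return [aftr.translate(b4_encapsulate("3000::1", AFTR_ADDR, inner)),   # CPE from the page
            aftr.translate(b4_encapsulate("3000::99", AFTR_ADDR, inner)),  # constructed second CPE
            aftr.translate(b4_encapsulate("3000::1", AFTR_ADDR, inner))]   # repeat: same binding


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The first and third results share the binding 1.1.2.1:1024 because they come from the same tunnel source; the second CPE, sending a byte-identical inner packet, gets 1.1.2.2:1025. A plain IPv4 packet handed to the AFTR is rejected before any NAT state is created.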

Data Planning

Figure 8-14 shows the networking diagram with data to facilitate configurations and understanding.

Figure 8-14  DS-Lite+NAT64 networking diagram with data

NAT64 is generally deployed together with DNS64. The DNS64 synthesizes AAAA records for names that only have IPv4 addresses, so the NAT64 prefix and prefix length configured on the DNS64 must be the same as those configured on the NAT64 device. Figure 8-15 shows the NAT64 networking diagram.

Figure 8-15  NAT64 networking diagram

After the MAN is upgraded to IPv6, OSPFv3 is used to plan IPv6 routing. Figure 8-16 shows the protocol planning.

Figure 8-16  OSPFv3 protocol planning on the IPv6 network

Table 8-12 describes the general network data planning.

Table 8-12  Data planning

CPE

  • GE1/0/0 (Trust zone): IPv4 private address 192.168.0.1/24. Connects to the private IPv4 users.
  • GE1/0/1 (Trust zone): IPv6 address 2000::1/64. Connects to the IPv6 users.
  • GE1/0/2 (Untrust zone): IPv6 address 3000::1/64. Connects to the MAN.
  • Tunnel1 (Untrust zone): source address 3000::1, destination address 4000::1, IPv4 address of the tunnel interface 10.1.1.1/24. Creates the IPv4 over IPv6 tunnel to the CGN.

CGN

  • GE1/0/0 (Untrust zone): IPv4 Internet address 1.1.1.1/24. Connects to the IPv4 Internet; the next-hop address is assumed to be 1.1.1.2/24.
  • GE1/0/1 (Untrust zone): IPv6 address 5000::1/64. Connects to the IPv6 Internet.
  • GE1/0/2 (Trust zone): IPv6 address 4000::1/64. Connects to the MAN.
  • Tunnel1 (Trust zone): source address 4000::1, IPv4 address of the tunnel interface 10.1.1.2/24. Terminates the DS-Lite tunnel from the CPE (no destination address is configured on the CGN side).

Address pools

  • Address pool 1: 1.1.2.1 to 1.1.2.5. Used by the DS-Lite NAT policy to translate private IPv4 source addresses to public IPv4 addresses.
  • Address pool 2: 1.1.2.11 to 1.1.2.15. Used by the NAT64 policy to translate IPv6 source addresses to public IPv4 addresses.

NAT64 prefix: 6000::/96. The CGN decides whether to apply NAT64 to an IPv6 packet by checking whether the packet's destination address carries the NAT64 prefix.

DNS64

  • NAT64 prefix 6000::/96: must be the same as the prefix configured on the CGN.
  • Domain name www.example.com resolves to 6000::101:301: the NAT64 prefix with the server's IPv4 Internet address 1.1.3.1 (0x01010301) in the low 32 bits.

PC1: IPv4 private address 192.168.0.2/24
PC2: IPv6 address 2000::2/64
PC3: IPv6 address 5000::2/64
Server: IPv4 Internet address 1.1.3.1/32

Table 8-13 shows the IPv4 route planning.

Table 8-13  IPv4 route planning

  • CPE: default IPv4 route 0.0.0.0/0, outgoing interface Tunnel1. Sends all IPv4 traffic into the DS-Lite tunnel towards the CGN.
  • CGN: static IPv4 route 1.1.3.1/32, next hop 1.1.1.2. Reaches the server on the IPv4 Internet.

Table 8-14 shows the IPv6 route planning.

Table 8-14  IPv6 route planning

  • CPE: OSPFv3 advertises 2000::/64 in Area 1 (IPv6 user side) and 3000::/64 in Area 0 (MAN side).
  • CGN: OSPFv3 advertises 4000::/64 in Area 0 (MAN side) and 5000::/64 in Area 2 (IPv6 Internet side).
Updated: 2019-01-26

Document ID: EDOC1100062972