
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Requirements Analysis

Table 8-1  Scheme Implementation Analysis

Scheme 1: The 6RD tunneling technology is used to access IPv6 services.

Advantages: Compared with other IPv6 over IPv4 tunneling technologies, 6RD tunneling offers the following advantages:

  • 6RD is an improvement on 6to4 tunneling and inherits all of its advantages, for example, point-to-multipoint connection and automatic discovery of the remote end of a tunnel.
  • Unlike a 6to4 tunnel, a 6RD tunnel uses the carrier's own IPv6 prefix rather than the well-known 2002::/16 prefix. Different carriers can therefore deploy 6RD tunnels with different prefixes, which simplifies network planning.

Implementation: Implement the following configurations on the CGN and CPE:

  • CGN

    • Create a tunnel interface.
    • Set the tunnel encapsulation mode to 6RD.
    • Specify the source address or source interface of the 6RD tunnel.
    • Set the 6RD prefix and prefix length.
    • Set the IPv4 prefix length for the 6RD tunnel.
    • Configure the IPv6 address of the tunnel interface using the calculated delegated prefix.
  • CPE

    The CPE is configured in the same way as the CGN, except that the 6RD BR IPv4 address must also be configured on the CPE. In this case, that address is the private IPv4 address used by the CGN to connect to the internal MAN.

Scheme 2: Two-level NAT (NAT444) is used to enable private IPv4 users to access the IPv4 Internet.

Advantages: NAT444 can be deployed to resolve the IPv4 address shortage without upgrading the live network to IPv6. IPv4 NAT is mature and widely applied on IPv4 networks, so the two-level NAT444 scheme is a feasible transition scheme.

Implementation: Deploy two-level NAT on the CPE and CGN.

  • Set the NAT mode of the CPE to Easy IP, that is, replace the source IP address of a packet with the address of the outbound interface.
  • The CGN translates addresses using NAPT, which requires a public address pool. On the CGN, a port block is pre-allocated to each CPE so that users can be traced from a public address and port.
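The pre-allocated port block is what makes user tracing practical: the CGN records one allocation per CPE instead of one entry per session, and any public address and port observed on the Internet side can be mapped back to the CPE that owns that block. The following Python model is an added example, not Huawei code or firewall configuration. It uses the pool 1.1.2.1 to 1.1.2.5 and the block size of 256 from the data planning table; the NAPT port range 1024 to 65535 and the log line format are assumptions.

```python
"""NAT444 port-block pre-allocation and user tracing (added example, not Huawei code)."""
import ipaddress

# Values from the data planning table.
POOL_START = "1.1.2.1"
POOL_END = "1.1.2.5"
BLOCK_SIZE = 256
# Assumption: the CGN does not use ports below 1024 for NAPT.
PORT_RANGE = (1024, 65535)


class PortBlockPool:
    """Hands out fixed-size port blocks on public addresses, one block per CPE."""

    def __init__(self, start, end, block_size=BLOCK_SIZE, port_range=PORT_RANGE):
        self.block_size = block_size
        first, last = port_range
        blocks_per_addr = (last - first + 1) // block_size
        self.free = []  # (public_ip, first_port), lowest block at the end so pop() is cheap
        s = int(ipaddress.IPv4Address(start))
        e = int(ipaddress.IPv4Address(end))
        for ip_int in range(s, e + 1):
            ip = str(ipaddress.IPv4Address(ip_int))
            for i in range(blocks_per_addr):
                self.free.append((ip, first + i * block_size))
        self.free.reverse()
        self.assigned = {}  # cpe_private_ip -> (public_ip, first_port)
        self.log = []       # one allocation record per CPE; this is what tracing relies on

    def allocate(self, cpe_ip):
        """Return the block owned by cpe_ip, allocating one on first use."""
        if cpe_ip in self.assigned:
            return self.assigned[cpe_ip]
        if not self.free:
            raise RuntimeError("port-block pool exhausted")
        block = self.free.pop()
        self.assigned[cpe_ip] = block
        public_ip, first = block
        # Constructed log format (assumption); a real CGN emits its own record format.
        self.log.append(
            f"NAT444 alloc cpe={cpe_ip} public={public_ip} "
            f"ports={first}-{first + self.block_size - 1}"
        )
        return block

    def release(self, cpe_ip):
        """Give a CPE's block back to the pool, for example when the CPE goes offline."""
        block = self.assigned.pop(cpe_ip, None)
        if block is not None:
            self.free.append(block)
            self.log.append(f"NAT444 release cpe={cpe_ip} public={block[0]} first_port={block[1]}")

    def trace(self, public_ip, port):
        """Map a (public IP, port) observed on the Internet side back to the CPE's carrier-side address."""
        for cpe_ip, (ip, first) in self.assigned.items():
            if ip == public_ip and first <= port < first + self.block_size:
                return cpe_ip
        return None

    def blocks_free(self):
        return len(self.free)


if __name__ == "__main__":
    pool = PortBlockPool(POOL_START, POOL_END)
    pool.allocate("10.1.1.1")   # the CPE from the data planning table
    pool.allocate("10.1.1.3")   # a constructed second CPE
    print(pool.trace("1.1.2.1", 1500))  # which CPE sourced public 1.1.2.1:1500?
    for line in pool.log:
        print(line)
```

With a 256-port block and a 1024 to 65535 port range, each public address yields 252 blocks, so the five-address pool serves 1260 CPEs concurrently; the tracing lookup needs only the allocation log, not per-session NAT logs.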

Data Planning

Figure 8-8 shows the networking diagram with data to facilitate configurations and understanding.

Figure 8-8  NAT444+6RD networking diagram with data

Table 8-2 describes the general network data planning.

Table 8-2  Data planning

CPE

  • GE1/0/0 (Trust zone)

    IP address: IPv4 private address 192.168.0.1/24

    Description: GE1/0/0 (Trust zone) is used to connect to the private IPv4 user.

  • GE1/0/1 (Trust zone)

    IP address: The prefix is allocated from the calculated 6RD delegated prefix. In this case, the 6RD delegated prefix is 22:0:101:100::/56, and the address of the GE1/0/1 interface is set to 22:0:101:101::1/64.

    Description: IPv6 users on the CPE belong to the same 6RD domain.

  • GE1/0/2 (Untrust zone)

    IP address: Private IPv4 address of the carrier 10.1.1.1/24

    Description: GE1/0/2 (Untrust zone) is used to connect to the MAN of the carrier. Assume that the next hop address that connects to the MAN is 10.1.1.2.

  • Tunnel1 interface (Untrust zone)

    6RD prefix: 22::/32

    IPv4 prefix length: 8

    NOTE: The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length.

    IPv6 address: The IPv6 address is calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:101:100::/56, and the address of the Tunnel1 interface is set to 22:0:101:100::1/56.

    6RD BR IPv4 address: 10.1.2.1/24

    Description: The Tunnel1 interface (Untrust zone) is used to create a 6RD tunnel with the CGN.

  • Address pool

    IP address: The address of the GE1/0/2 interface is used as the translated address.

    Description: The address pool is used to translate the private IPv4 addresses of the users to the private IPv4 address of the carrier.

CGN

  • GE1/0/0 (Untrust zone)

    IP address: IPv4 Internet address 1.1.1.1/24

    Description: GE1/0/0 (Untrust zone) is used to connect to the IPv4 Internet. Assume that the next hop address is 1.1.1.2/24.

  • GE1/0/1 (Untrust zone)

    IP address: IPv6 address 3000::1/64

    Description: GE1/0/1 (Untrust zone) is used to connect to the IPv6 Internet.

  • GE1/0/2 (Trust zone)

    IP address: IPv4 private address 10.1.2.1/24

    Description: GE1/0/2 (Trust zone) is used to connect to the MAN of the carrier. Assume that the next hop address that connects to the MAN is 10.1.2.2.

  • Tunnel1 interface (Trust zone)

    6RD prefix: 22::/32

    IPv4 prefix length: 8

    NOTE: The IPv4 prefix length of the 6RD tunnel may differ from the mask length of the interface. The number of IPv4 address bits embedded in the IPv6 address equals 32 minus the IPv4 prefix length.

    IPv6 address: The IPv6 address is calculated from the 6RD delegated prefix and the source address of the 6RD tunnel. In this case, the 6RD delegated prefix is 22:0:102:100::/56, and the address of the Tunnel1 interface is set to 22:0:102:100::1/56.

    Description: The Tunnel1 interface (Trust zone) is used to create a 6RD tunnel with the CPE.

  • Address pool

    Addresses in the address pool: 1.1.2.1 to 1.1.2.5.

    The size of the pre-allocated port block is 256 bytes.

    Description: The address pool is used to translate the private IPv4 addresses of the carrier to public IPv4 addresses.

PC1

  • IPv4 private address: 192.168.0.2/24

PC2

  • IPv6 address: 22:0:101:100::2/64. The address prefix is the 6RD delegated prefix calculated by the CPE.

PC3

  • IPv6 address: 3000::2/64

FTP Server

  • IPv4 Internet address: 1.1.3.1/32
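The delegated prefixes and tunnel addresses in Table 8-2 follow directly from the 6RD prefix, the IPv4 prefix length and each endpoint's tunnel source address: the low-order 32 minus 8 = 24 bits of the IPv4 address are appended to 22::/32, giving a /56. The same embedding is what lets the CPE discover the remote tunnel endpoint for any destination inside the 6RD domain without per-peer configuration, while traffic for destinations outside the domain (such as 3000::2) must go to the configured 6RD BR. The following Python is an added example illustrating that derivation; it is not Huawei code, and it assumes the standard 6RD address layout (6RD prefix, then embedded IPv4 bits, then subnet ID), which the values on this page agree with.

```python
"""6RD delegated-prefix derivation for the CPE and CGN in Table 8-2 (added example, not Huawei code)."""
import ipaddress

# Values from the data planning table.
SIXRD_PREFIX = "22::/32"        # 6RD prefix shared by the whole 6RD domain
IPV4_PREFIX_LEN = 8             # high-order IPv4 bits common to the domain and therefore not embedded
CPE_TUNNEL_SOURCE = "10.1.1.1"  # CPE GE1/0/2, source address of the CPE's 6RD tunnel
CGN_TUNNEL_SOURCE = "10.1.2.1"  # CGN GE1/0/2, also the 6RD BR IPv4 address configured on the CPE


def delegated_prefix(sixrd_prefix, ipv4_prefix_len, tunnel_source):
    """Return the 6RD delegated prefix for one tunnel endpoint.

    The low-order (32 - ipv4_prefix_len) bits of the endpoint's IPv4 address
    are placed immediately after the 6RD prefix, so the delegated prefix
    length is sixrd_prefix_len + (32 - ipv4_prefix_len).
    """
    domain = ipaddress.IPv6Network(sixrd_prefix)
    embedded_bits = 32 - ipv4_prefix_len
    v4_low = int(ipaddress.IPv4Address(tunnel_source)) & ((1 << embedded_bits) - 1)
    plen = domain.prefixlen + embedded_bits
    v6 = int(domain.network_address) | (v4_low << (128 - plen))
    return ipaddress.IPv6Network((v6, plen))


def lan_prefix(delegated, subnet_id):
    """Carve one /64 for a customer LAN (such as CPE GE1/0/1) out of the delegated prefix."""
    subnet_bits = 64 - delegated.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError("subnet id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) | (subnet_id << 64), 64))


def remote_endpoint(sixrd_prefix, ipv4_prefix_len, local_tunnel_source, ipv6_dest):
    """Recover the IPv4 tunnel destination for an IPv6 destination address.

    Returns the embedded IPv4 address when ipv6_dest lies inside the 6RD
    domain (automatic discovery of the remote end), or None when it does
    not, in which case the packet must be sent to the configured 6RD BR.
    """
    domain = ipaddress.IPv6Network(sixrd_prefix)
    dest = ipaddress.IPv6Address(ipv6_dest)
    if dest not in domain:
        return None
    embedded_bits = 32 - ipv4_prefix_len
    plen = domain.prefixlen + embedded_bits
    v4_low = (int(dest) >> (128 - plen)) & ((1 << embedded_bits) - 1)
    # The non-embedded high-order bits are taken from the local tunnel source,
    # which by definition shares them with every endpoint in the domain.
    v4_high = (int(ipaddress.IPv4Address(local_tunnel_source)) >> embedded_bits) << embedded_bits
    return ipaddress.IPv4Address(v4_high | v4_low)


if __name__ == "__main__":
    cpe = delegated_prefix(SIXRD_PREFIX, IPV4_PREFIX_LEN, CPE_TUNNEL_SOURCE)
    cgn = delegated_prefix(SIXRD_PREFIX, IPV4_PREFIX_LEN, CGN_TUNNEL_SOURCE)
    print("CPE delegated prefix:", cpe, "LAN /64:", lan_prefix(cpe, 1))
    print("CGN delegated prefix:", cgn)
    # Where does the CGN tunnel a packet for PC2 (22:0:101:100::2)?
    print("Tunnel destination for PC2:", remote_endpoint(SIXRD_PREFIX, IPV4_PREFIX_LEN, CGN_TUNNEL_SOURCE, "22:0:101:100::2"))
    # PC3 is outside the 6RD domain, so the CPE must send it to the BR.
    print("Tunnel destination for PC3:", remote_endpoint(SIXRD_PREFIX, IPV4_PREFIX_LEN, CPE_TUNNEL_SOURCE, "3000::2"))
```

Running the script reproduces the table: 22:0:101:100::/56 for the CPE, 22:0:102:100::/56 for the CGN, 22:0:101:101::/64 for the CPE LAN, and 10.1.1.1 as the IPv4 destination the CGN encapsulates to for PC2. When planning a deployment, the check worth keeping from this is the one in remote_endpoint: the embedded IPv4 address of any 6RD destination is derived purely from the packet, so the tunnel interface should only accept encapsulated traffic whose outer IPv4 source is within the carrier's MAN range (here 10.0.0.0/8 as implied by the prefix length of 8).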

Table 8-3 shows the IPv4 route planning.

Table 8-3  IPv4 route planning

  • CPE: static IPv4 route, target network segment 10.1.2.0/24, next hop 10.1.1.2. Route connecting the CPE to the MAN interface of the CGN.
  • CGN: static IPv4 route, target network segment 10.1.1.0/24, next hop 10.1.2.2. Route connecting the CGN to the MAN interface of the CPE.
  • CGN: static IPv4 route, target network segment 1.1.3.1/32, next hop 1.1.1.2. Route connecting the CGN to the server on the IPv4 Internet.

Table 8-4 shows the IPv6 route planning.

Table 8-4  IPv6 route planning

  • CPE: static IPv6 route, destination network segment 22::/32, outbound interface Tunnel1. Route from the CPE to the 6RD tunnel interface of the CGN.
  • CPE: static IPv6 route, destination network segment 3000::/64, next hop 22:0:102:100::1. Route connecting the CPE to the IPv6 network interface of the CGN.
  • CGN: static IPv6 route, destination network segment 22::/32, outbound interface Tunnel1. Route connecting the CGN to the 6RD tunnel interface and 6RD domain of the CPE.
Updated: 2019-01-26

Document ID: EDOC1100062972