HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Typical Networking

After carrier A had run IPv4 and IPv6 services on its network for a period, its IPv4 public addresses were exhausted. Services are gradually being migrated to the IPv6 network, IPv6 traffic dominates the service traffic, and the carrier's MAN has been completely upgraded to IPv6. To meet these network development requirements, carrier A uses the DS-Lite+NAT64 solution, as shown in Figure 8-13.

  • IPv6 users can directly access the IPv6 Internet because the IPv6 routes are reachable.

  • For the IPv4 users, the DS-Lite function must be configured because their access to the IPv4 Internet has to cross the IPv6 MAN. The configuration procedure of the DS-Lite function is as follows:

    1. Configure a DS-Lite tunnel between the CPE and the CGN.
    2. Configure the DS-Lite NAT policy on the CGN.
  • If the IPv6 users need to access the IPv4 Internet, the NAT64 function is configured on the CGN so that the IPv6 addresses are translated into IPv4 public addresses.

Figure 8-13  DS-Lite+NAT64

CPE: Customer Premises Equipment
CGN: Carrier Grade NAT
BRAS: Broadband Remote Access Server

  • The CPE is used to connect terminal users and allocate addresses to the users.

    • The CPE allocates private IPv4 addresses to IPv4 users.
    • The CPE allocates private IPv6 addresses to IPv6 users.

    The DS-Lite tunnel must be established between the CPE and the CGN.

  • As an egress gateway of the MAN, the CGN provides DS-Lite tunnels for the IPv4 users to access the IPv4 Internet and translates their IPv4 addresses into IPv4 Internet addresses. The CGN also provides routing channels for the IPv6 users to access the IPv4 network and translates IPv6 addresses into IPv4 ones.
  • As a device at the convergence layer, the BRAS allocates IPv6 addresses for the CPEs to connect to the MAN.

Application of the FW in the Networking

The FW serves the CPE and the CGN in the scenario and provides the following functions:

  • Providing the DS-Lite function

    To enable private IPv4 users to access the IPv4 Internet using the IPv6 MAN of a carrier, it is necessary to configure the DS-Lite tunnel on the CPE and the CGN. It is also necessary to configure the DS-Lite NAT policy on the CGN.

  • Providing routing tunnels

    The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore, they must support both the IPv4 and IPv6 protocol stacks.

  • Providing NAT from IPv6 addresses to IPv4 addresses

    To enable the IPv6 users to access the IPv4 network, configure NAT64 on the CGN.
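
The two translation paths on the CGN described above, modelled as an added Python example (not part of the Huawei document and not FW code). It shows why a DS-Lite binding must be keyed on the CPE's tunnel IPv6 address as well as the private IPv4 flow, and how a NAT64 destination carries its IPv4 target. Assumptions: the RFC 6052 well-known prefix 64:ff9b::/96, sequential port allocation, the hypothetical names `Cgn`, `dslite_outbound`, `nat64_outbound` and `attribute`, and constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumption: the RFC 6052 well-known prefix; the page names no NAT64 prefix.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

def nat64_embedded_ipv4(dst6):
    """Return the IPv4 destination embedded in a NAT64 address, else None."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in NAT64_PREFIX:
        return None  # native IPv6 destination: routed, not translated
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

@dataclass
class Cgn:  # hypothetical model of the CGN binding table
    public_ip: str
    next_port: int = 1024
    out: dict = field(default_factory=dict)   # subscriber flow -> public port
    back: dict = field(default_factory=dict)  # public port -> subscriber flow

    def _bind(self, key):
        if key not in self.out:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def dslite_outbound(self, cpe_ipv6, inner_src4, inner_sport):
        # Private IPv4 ranges overlap between subscribers, so the tunnel
        # source (CPE IPv6 address) has to be part of the binding key.
        cpe = str(ipaddress.IPv6Address(cpe_ipv6))
        return self._bind(("dslite", cpe, inner_src4, inner_sport))

    def nat64_outbound(self, src6, sport, dst6):
        dst4 = nat64_embedded_ipv4(dst6)
        if dst4 is None:
            return None
        src = str(ipaddress.IPv6Address(src6))
        return (*self._bind(("nat64", src, sport)), dst4)

    def attribute(self, public_port):
        """Map a public port back to the subscriber flow (logging, abuse handling)."""
        return self.back.get(public_port)

if __name__ == "__main__":
    cgn = Cgn("203.0.113.1")  # constructed documentation addresses
    print(cgn.dslite_outbound("2001:db8:a::1", "192.168.1.10", 5000))
    print(cgn.dslite_outbound("2001:db8:b::1", "192.168.1.10", 5000))
```

Two CPEs that both hand out 192.168.1.10 receive distinct public ports, and `attribute` recovers which tunnel endpoint owns a given port.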

Updated: 2019-01-26

Document ID: EDOC1100062972
