HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Service Planning

Requirement Analysis

Table 8-6  Scheme Implementation Analysis

Scheme 1: The dual stack technology is used.

Advantage:
The dual stack technology is the basis for the transition from IPv4 to IPv6; all other transition technologies are built on it. Its advantages for the transition from the IPv4 network to the IPv6 network are as follows:

  • On the dual-stack network, IPv6 and IPv4 service data is forwarded on separate forwarding planes. Logically, the two forwarding planes are two networks, which simplifies network deployment. The dual stack technology supports a smooth transition to the IPv6 network.
  • The dual-stack network does not involve interconnection or access between IPv6 services and IPv4 services. Therefore, the implementation is simple.
  • The dual-stack network is easy to maintain and manage.

Implementation:
The configuration of the dual stack function is simple. Dual stack is configured on the CGN and the CPE as follows:

  • Enable the IPv4 function on the IPv4 service interface. By default, the IPv4 function is enabled.
  • Enable the IPv6 function on the IPv6 service interface. The IPv6 function is enabled in the system view.

Scheme 2: The two-level NAT (NAT444) function is used to enable private IPv4 users to access the IPv4 Internet.

Advantage:
On the live network, IPv4 traffic still dominates the service traffic and Internet IPv4 addresses are insufficient. Therefore, the NAT444 function can be deployed to resolve the IPv4 address shortage. IPv4-based NAT is a mature technology that is widely applied on the IPv4 network, so the two-level NAT444 scheme is feasible for the transition.

Implementation:
Deploy two-level NAT on the CPE and the CGN.

  • Set the NAT mode of the CPE to Easy IP, that is, replace the source IP address in a packet with the address of the outbound interface.
  • The CGN translates addresses using NAPT, which requires a public address pool. On the CGN, ports are pre-allocated to each CPE to facilitate user tracing.

Scheme 3: The dynamic NAT64 function is used to implement interaction between IPv4 and IPv6 users.

Advantage:
Dynamic NAT64 uses dynamic address mapping and upper-layer protocol (port) mapping to translate a large number of IPv6 addresses with a few IPv4 addresses. It saves IPv4 public addresses and is applicable to large-scale deployment.

Implementation:
Configure the NAT64 function on the CGN.

  • Configure the NAT64 prefix.
  • Configure the address pool for the IPv4 Internet.
  • Configure the NAT64 policy.
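The port pre-allocation mentioned for the CGN above, as an added illustration of the idea (not Huawei's implementation or configuration): each CPE's carrier-side address receives a fixed block of ports on one pool address, so a single (public IP, port) record from an abuse report traces back to exactly one CPE without per-session logging. The pool range and CPE address are taken from this document's data plan; the block size, starting port and the allocator itself are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from this document's data plan: CGN address pool 1 is 1.1.2.1 to 1.1.2.5.
POOL1 = [str(ipaddress.IPv4Address("1.1.2.1") + i) for i in range(5)]
BLOCK_SIZE = 1024   # assumed port-block size (hypothetical, not a product default)
FIRST_PORT = 1024   # assumed: ports below 1024 are never handed out


@dataclass(frozen=True)
class PortBlock:
    public_ip: str
    first_port: int
    last_port: int


class Nat444Allocator:
    """Pre-allocates one fixed port block per CPE address, so a single
    (public IP, port) observed on the Internet identifies exactly one CPE."""

    def __init__(self, pool, block_size=BLOCK_SIZE, first_port=FIRST_PORT):
        self.pool = list(pool)
        self.block_size = block_size
        self.first_port = first_port
        self.blocks_per_ip = (65536 - first_port) // block_size
        self.capacity = len(self.pool) * self.blocks_per_ip   # CPEs this pool can serve
        self.assigned = {}                                    # CPE address -> PortBlock
        self.next_index = 0

    def allocate(self, cpe_ip: str) -> PortBlock:
        """Return the CPE's block, assigning the next free one on first use."""
        if cpe_ip in self.assigned:
            return self.assigned[cpe_ip]
        if self.next_index >= self.capacity:
            raise RuntimeError("address pool exhausted: enlarge pool or shrink block size")
        ip = self.pool[self.next_index // self.blocks_per_ip]
        start = self.first_port + (self.next_index % self.blocks_per_ip) * self.block_size
        block = PortBlock(ip, start, start + self.block_size - 1)
        self.assigned[cpe_ip] = block
        self.next_index += 1
        return block

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """User tracing: map a public (ip, port) seen in an abuse report back to the CPE."""
        for cpe_ip, block in self.assigned.items():
            if block.public_ip == public_ip and block.first_port <= port <= block.last_port:
                return cpe_ip
        return None
```

With 1024-port blocks, each pool address serves 63 CPEs, so the five-address pool above covers 315 CPEs; the capacity check makes pool exhaustion an explicit error rather than a silent reuse.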

Data Planning

Figure 8-10 shows the networking diagram, annotated with the planned data, to facilitate configuration and understanding.

Figure 8-10  Dual stack+NAT444+NAT64 networking diagram with data

Generally, NAT64 is deployed together with DNS64, which performs the domain name translation. The prefix and prefix length configured on the DNS64 must be the same as those on the NAT64 device. Figure 8-11 shows the NAT64 networking diagram.

Figure 8-11  NAT64 networking diagram

After the MAN is upgraded to the dual-stack network, two networks exist: IPv4 and IPv6. For the IPv4 network, the routing plan remains unchanged, and the route between the CPE and the CGN is a static route. For the IPv6 network, the OSPFv3 routing protocol is used, as shown in Figure 8-12.

Figure 8-12  OSPFv3 protocol planning on the IPv6 network

Table 8-7 describes the general network data planning.

Table 8-7  Data planning

CPE
  GE1/0/0 (Trust zone)    IPv4 private address: 192.168.0.1/24
                          Connects to the private IPv4 user.
  GE1/0/1 (Trust zone)    IPv6 address: 2000::1/64
                          Connects to the IPv6 user.
  GE1/0/2 (Untrust zone)  Private IPv4 address of the carrier: 10.1.1.1/24
                          The MAN is upgraded to the dual-stack network, so this interface connects to the IPv4 MAN. Assume that the next hop address to the IPv4 MAN is 10.1.2.2.
  GE1/0/3 (Untrust zone)  IPv6 address: 3000::1/64
                          The MAN is upgraded to the dual-stack network, so this interface connects to the IPv6 MAN.
  Address pool            The address of GE1/0/2 is used as the translated address.
                          The address pool is used to translate IPv4 addresses of the user's private network to the IPv4 address of the carrier's private network.

CGN
  GE1/0/0 (Untrust zone)  IPv4 Internet address: 1.1.1.1/24
                          Connects to the IPv4 Internet. Assume that the next hop address is 1.1.1.2/24.
  GE1/0/1 (Untrust zone)  IPv6 address: 5000::1/64
                          Connects to the IPv6 Internet.
  GE1/0/2 (Trust zone)    Private IPv4 address of the carrier: 10.1.2.1/24
                          The MAN is upgraded to the dual-stack network, so this interface connects to the IPv4 MAN. Assume that the next hop address to the IPv4 MAN is 10.1.2.2.
  GE1/0/3 (Trust zone)    IPv6 address: 4000::1/64
                          The MAN is upgraded to the dual-stack network, so this interface connects to the IPv6 MAN.
  Address pool            Address pool 1: 1.1.2.1 to 1.1.2.5
                          Address pool 2: 1.1.2.11 to 1.1.2.15
                          • Address pool 1 is used to translate IPv4 addresses of the carrier's private network to public IPv4 addresses.
                          • Address pool 2 is used to translate IPv6 addresses to public IPv4 addresses.
  NAT64 prefix            6000::/96
                          The CGN determines whether to perform NAT64 on an IPv6 packet by checking whether the packet contains the NAT64 prefix.

DNS64
  NAT64 prefix            6000::/96
                          The NAT64 prefix configured on the DNS64 must be the same as that configured on the CGN.
  Domain name             www.example.com
                          Address that corresponds to the domain name: 6000::0101:301
                          The address is calculated from the NAT64 prefix and the IPv4 Internet address of the server on the IPv4 Internet.

PC1      IPv4 private address: 192.168.0.2/24
PC2      IPv6 address: 2000::2/64
PC3      IPv6 address: 5000::2/64
Server   IPv4 Internet address: 1.1.3.1/32

Table 8-8 shows the IPv4 route planning.

Table 8-8  IPv4 route planning

Item  Routing Protocol   Target Network Segment  Next Hop Address  Description
CPE   Static IPv4 route  10.1.2.0/24             10.1.1.2          Route connecting the CPE to the IPv4 MAN interface of the CGN
CGN   Static IPv4 route  10.1.1.0/24             10.1.2.2          Route connecting the CGN to the IPv4 MAN interface of the CPE
CGN   Static IPv4 route  1.1.3.1/32              1.1.1.2           Route connecting the CGN to the server on the IPv4 Internet

Table 8-9 shows the IPv6 route planning.

Table 8-9  IPv6 route planning

Item  Routing Protocol  Advertised Network Segment  Area    Description
CPE   OSPFv3            2000::/64                   Area 1  Route connecting the CPE to the IPv6 user interface
CPE   OSPFv3            3000::/64                   Area 0  Route connecting the CPE to the IPv6 MAN
CGN   OSPFv3            4000::/64                   Area 0  Route connecting the CGN to the IPv6 MAN
CGN   OSPFv3            5000::/64                   Area 2  Route connecting the CGN to the IPv6 Internet
Updated: 2019-01-26

Document ID: EDOC1100062972