HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Solution Overview

Introduction to Enterprise Campus Networks

An enterprise campus network is an intranet of an enterprise or organization. Its routing structure is managed by the enterprise or organization. The network interworks with the WAN and the data center. Partners, mobile employees, and guests access the enterprise intranet through the VPN, WAN or Internet.

An enterprise campus network is generally a non-profit network with a high user density, where large numbers of terminals and users are concentrated in a limited space. The major concerns of an enterprise campus network are availability, ease of use, ease of deployment, and ease of maintenance. Therefore, the topology of enterprise campus networks is mostly a star structure. The ring structure is not often used (ring structures are usually used in the MAN and backbone networks of carriers to save fiber resources).

Figure 5-1 shows the architecture of an enterprise network. For traffic originating from intranet users to arrive at the Internet, the traffic needs to pass through the Layer-3 aggregation switch, Layer-3 core switch, and gateway.

Enterprise employees are in different departments based on their business lines. The network must ensure normal Internet access for internal users and keep them secure from attacks. On this basis, Internet access privileges and traffic restrictions must also be defined for the different departments. In addition, branch and travelling employees must be able to access the central network for business communication and resource sharing.

Figure 5-1  Networking of an enterprise network

  • Access layer

    The access layer is normally made up of Ethernet switches. It connects various terminals to the campus network. For some terminals, it may be necessary to add specific access devices, for example, APs for wireless access and IADs for POTS access.

  • Aggregation layer

    Traffic of the access devices and users converges at the aggregation layer and is then forwarded to the core layer. The aggregation layer increases the quantity of users who can access the core layer.

  • Core layer

    The core layer is responsible for the high-speed interworking of the entire campus network. Specific services are generally not deployed here. The core network must ensure high bandwidth efficiency and quick failure convergence.

  • Enterprise campus egress

    The enterprise campus egress is a border between the enterprise campus network and the public extranet. Internal users of the campus network are connected to the public network through an edge network. Extranet users (including customers, partners, branches, and remote users) also access the internal network through the edge network.

  • Data center

    The data center is the area where servers and application systems are deployed. The data center provides data and application services for internal and external users.

  • Network management center

    The network management center is the area where the network, servers, and application systems are managed. It provides fault management, configuration management, performance management, and security management.

Application of FWs at the Egress of an Enterprise Campus Network

The FW generally serves as an egress gateway of an enterprise campus network. It provides the following features:

  • Hot standby

    To improve network availability, two FWs can be deployed at the egress of the enterprise campus network in hot standby mode. When the link of the active FW fails, traffic on the network is switched to the standby FW to ensure normal communication of the intranet and extranet.

  • NAT

    Because public IPv4 addresses are limited, private addresses are allocated for intranet use, and public addresses are normally not allocated. Therefore, when an internal user needs to access the Internet, address translation is required. The FW is deployed at the egress of the intranet to the Internet to provide NAT functions.

  • Security defense

    The FW provides attack defense to protect the enterprise network against external attacks.

  • Content security

    The FW provides intrusion prevention, antivirus, and URL filtering functions to ensure a green environment for the intranet.

  • Bandwidth management

    The FW provides bandwidth management. It identifies traffic based on the application or user and applies traffic-based control.

Updated: 2019-01-26

Document ID: EDOC1100062972
