HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Availability Solution

To prepare for possible failures, disaster recovery is deployed for key areas of the LTE network. The design principles for disaster recovery schemes in different positions are as follows:

Disaster Recovery for Link Failure Between the MME/S-GW and PE

As shown in Figure 9-9, when the link between RSG-1 and the S-GW fails, traffic from FW_A to the S-GW can no longer use this link. Instead, the traffic is routed to RSG-2 and then forwarded to the S-GW. Because Eth Trunk2.3 and Eth Trunk2.2 are added to OSPF2, the route cost in OSPF2 changes when this link fails, so that decapsulated IPSec traffic is routed to RSG-2 for forwarding.

Figure 9-9  Disaster recovery for link failure between the MME/S-GW and PE

Disaster Recovery for Link Failure Between the AGG and PE

As shown in Figure 9-10, when the link between AGG-1 and RSG-1 fails, the cost of the route in the IP-RAN area changes, and IPSec traffic from the eNodeB to FW_A is no longer carried on this link. Instead, the traffic is routed to AGG-2 and then forwarded to RSG-2. Because Eth Trunk2.1 is added to OSPF1, when the IPSec traffic arrives at RSG-2, RSG-2 forwards it to RSG-1, which then forwards it to FW_A. The cost of the route from RSG-2 to FW_B (standby) is greater than the cost of the route from RSG-2 to FW_A (active). Therefore, there is no need to worry that RSG-2 will forward the IPSec traffic to FW_B.

Figure 9-10  Disaster recovery for link failure between the AGG and PE
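The route selection described above can be checked with a small shortest-path model. This is an added example, not part of the Huawei guide: the link costs, the eNodeB's dual attachment to AGG-1 and AGG-2, and the `GW` node (standing for the IPSec tunnel address that both firewalls advertise) are assumptions chosen for illustration.

```python
import heapq

# Constructed topology: all link costs are assumed values, not from the guide.
# "GW" stands for the IPSec tunnel endpoint address advertised by both
# firewalls; the standby FW_B advertises it at a much higher cost.
LINKS = {
    ("eNodeB", "AGG-1"): 10,
    ("eNodeB", "AGG-2"): 20,
    ("AGG-1", "RSG-1"): 10,
    ("AGG-2", "RSG-2"): 10,
    ("RSG-1", "RSG-2"): 10,   # Eth Trunk2.1, enabled in OSPF1
    ("RSG-1", "FW_A"): 10,
    ("RSG-2", "FW_B"): 10,
    ("FW_A", "GW"): 1,        # active firewall
    ("FW_B", "GW"): 1000,     # standby firewall
}

def shortest_path(links, src, dst, failed=()):
    """Dijkstra SPF over undirected links, skipping links listed in `failed`."""
    down = {frozenset(link) for link in failed}
    adj = {}
    for (a, b), cost in links.items():
        if frozenset((a, b)) in down:
            continue
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    heap = [(0, src, [src])]
    done = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, c in adj.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None, []  # destination unreachable

if __name__ == "__main__":
    agg_pe, trunk = ("AGG-1", "RSG-1"), ("RSG-1", "RSG-2")
    cases = [("normal", []), ("AGG-1/RSG-1 down", [agg_pe]),
             ("AGG-1/RSG-1 down, no Eth Trunk2.1 in OSPF1", [agg_pe, trunk])]
    for label, failed in cases:
        cost, path = shortest_path(LINKS, "eNodeB", "GW", failed)
        print(f"{label}: cost {cost}: {' -> '.join(path)}")
```

The third case removes the RSG-1/RSG-2 adjacency from the model to show why Eth Trunk2.1 is added to OSPF1: without it, the only remaining path ends at the standby FW_B.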

Remote Disaster Recovery for the IPSec Gateway

Remote disaster recovery is considered in network planning to ensure normal operation of the communication network during large disasters, such as earthquakes, tsunamis, and hurricanes. As shown in Figure 9-11, the IPSec gateway in the remote site and the IPSec gateway in the local site serve as remote disaster recovery systems for each other. Assume that the local site is impacted by a disaster, that both local IPSec gateways, FW_A and FW_B, fail, and that the EPC area is not impacted. The IPSec traffic sent from the eNodeB then has to be forwarded to the remote IPSec gateway. The remote IPSec gateway decapsulates the traffic and forwards it through the PE to the MME and S-GW in the EPC of the local site. For the traffic to be forwarded along the expected route, the local IPSec gateway, the PE, and the remote IPSec gateway must be added to the specified route process so that their routes interwork. When the local IPSec gateway fails, the IPSec traffic can then be routed to the remote IPSec gateway. In addition, the routes in the local EPC must interwork with the routes of the remote IPSec gateway, so that the decrypted traffic can be forwarded to the local EPC.

Figure 9-11  Remote disaster recovery for the IPSec gateway
Updated: 2019-01-26

Document ID: EDOC1100062972
