Huawei 8

HDLC Principles and
Configuration
www.huawei.com
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

This section describes the principles and
configuration for High-level Data Link Control.
HDLC is an ISO based Data link layer

protocol standard. It is used to encapsulate
data on over serial links.
HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 2

Upon completion of this section, you should
expect to:
Develop an understanding of the
HDLC frame structure
Acquire the skills necessary to
configure HDLC

Chapter 1 Protocol Overview and Data
Encapsulation
Chapter 2 Configuration of HDLC

Overview of the HDLC Protocol
High-level Data Link Control, HDLC for short, is a bit-based line

protocol.
All the protocols of the standard HDLC protocol suite run on the
synchronous serial link.

Structure of the HDLC Frame
Flag Flag
Address Control Information FCS
01111110 01111110

Types of HDLC Frame
Information frame (I frame)
Supervisory (S frame)
Unnumbered frame (U frame)

Encapsulation
Chapter 2 Configuration of HDLC

Basic Configuration of HDLC
[RTA]interface Serial 0/0/1

[RTA-Serial0/0/1]link-protocol hdlc
[RTA-Serial0/0/1]ip address 10.1.1.1 30
S0/0/1 S0/0/1
HDLC
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB]interface Serial 0/0/1

[RTB-Serial0/0/1]link-protocol hdlc
[RTB-Serial0/0/1]ip address 10.1.1.2 30

Validation
S0/0/1 S0/0/1
HDLC
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTA]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
--- 10.1.1.2 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/31/31 ms

Configuration of IP Address Borrowing
[RTA-LoopBack0]ip address 10.1.1.1 32

[RTA]interface Serial 0/0/1
[RTA-Serial0/0/1]link-protocol hdlc
[RTA-Serial0/0/1]ip address unnumbered interface LoopBack 0
[RTA]ip route-static 10.1.1.0 24 Serial 0/0/1
10.1.1.1/32
Loop0
S0/0/1 HDLC S0/0/1

RTA RTB
10.1.1.2/24
[RTB]interface Serial 0/0/1

[RTB-Serial0/0/1]link-protocol hdlc
[RTB-Serial0/0/1]ip address 10.1.1.2 24

Validation
10.1.1.1/32
Loop0
S0/0/1 HDLC S0/0/1

RTA RTB
10.1.1.2/24
[RTA]display ip interface brief

*down: administratively down
(l): loopback
(s): spoofing
Interface IP Address Physical Protocol Description
LoopBack0 10.1.1.1 up up(s) HUAWEI, Quidway
Serial0/0/0 unassigned up up HUAWEI, Quidway
Serial0/0/1 10.1.1.1 up up HUAWEI, Quidway

Validation
[RTA]ping 10.1.1.2
0.00% packet loss
round-trip min/avg/max = 1/13/31 ms

Summary
What is HDLC?
The HDLC frame structure is
comprised of which fields?

PPP Principle and
Configuration
www.huawei.com

This section will introduce the principles
and configuration surrounding the Point-
to-Point Protocol.
PPP provides a standard method for

transporting multi-protocol datagrams
over point-to-point links. It is a widely
used point-to-point data link layer based
communication protocol.

expect to:
Develop an understanding main PPP
protocol principles
Acquire skills to support basic
configuration of PPP

Encapsulation
Chapter 2 Link Control Protocol
Chapter 3 PPP Authentication Protocol
Chapter 4 Network Control Protocol

The Position of PPP in TCP/IP Stack
HTTP FTP TFTP SNMP
TCP UDP
IP
Ethernet FR PPP
BIT

The Three Components of PPP
Name Function
Datagram encapsulation Define the method of encapsulating multi-

method protocol datagram
Link Control Protocol Define the method of establishing,

configuring, and testing the data-link
connection
Network Control Protocol Define a set of protocols for establishing
connection and negotiating parameters for

different network-layer protocols

PPP Frame
Protocol2 Bytes Information Padding (optional)
maximal total length

maximal total length
MRU
MRU
Protocol example
0x0021 IP datagram Padding (optional)
0xc021 LCP Padding (optional)
0x8021 IP control protocol Padding (optional)

IPCP

Transmit PPP Datagram over Serial Link
Follow HDLC Follow HDLC

standard standard
Flag Address Control FCS Flag

PPP frame
01111110 11111111 00000011 16 bits 01111110
Protocol2 Bytes Information Padding (optional)

Basic Configuration of PPP over Serial Link
[RTA]interface Serial 1/0

[RTA-Serial1/0]link-protocol ppp
[RTA-Serial1/0]ip address 10.1.1.1 30
[RTA-Serial1/0]quit
[RTA]
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB]interface Serial 1/0

[RTB-Serial1/0]link-protocol ppp
[RTB-Serial1/0]ip address 10.1.1.2 30
[RTB-Serial1/0]quit
[RTB]

Encapsulation

Summary of Messages Used by LCP Negotiation
Message Type Function
Configure-Request Include the parameters for link establishment

and link configuration
Configure-Ack Confirmation sent once all Configure-Request
parameters have been validated
Configure-Nak The parameters included in Configure-
Request are recognized but not all accepted
Configure-Reject The parameters included in Configure-
Request from the peer are not all recognized

LCP Link Parameters NegotiationSuccessful
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
Configure-Request
Configure-Ack

LCP Link Parameters Negotiation
Unsuccessful
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
Configure-Request
Configure-Nak
Configure-Request (modify
parameter value)

LCP Link Parameters Negotiation
Parameters Can Not Be Identified
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
Configure-Request
Configure-Reject
Configure-Request (delete some
parameters)

Common Link Parameters of LCP Negotiation
Parameter Function Rule Default
Maximum Use the smaller one of
The total length of Information the two values set by
receiving unit and Padding field PPP frame 1500
MRU peers
The authenticated device
must support the
Authentication Authentication protocol used by authentication protocol No
protocol the peer used by the authenticator, authentication
otherwise the negotiation
will be unsuccessful
One peer supports, but
the other peer does not
Magic-Number is generated support, then no loop
randomly, used for link loop
detection, if the Magic-Number exists and negotiation is
successful; the two peers
Magic-Number in LCP packet received is the Enable
same with the local Magic- both support it, then loop
Number, then loop exists. detection mechanism will
be used for loop
detection.

LCP Closes Connection
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
Terminate-Request
Terminate-Ack

LCP Detects Link State
S1/0 PPP S1/0

RTA 10.1.1.1/30 10.1.1.2/30 RTB
Echo-Request
Echo-Reply

Encapsulation

PAP Authentication Mode---Configuration
[RTA]aaa
[RTA-aaa]local-user huawei password simple hello
[RTA-aaa]local-user huawei service-type ppp
[RTA]interface Serial 0
[RTA-Serial0]link-protocol ppp
[RTA-Serial0]ppp authentication-mode pap
[RTA-Serial0]ip address 10.1.1.1 30
Authenticator Authenticated
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
Username = "huawei"
Password="hello"
[RTB]interface Serial 0
[RTB-Serial0]link-protocol ppp
[RTB-Serial0]ppp pap local-user huawei password simple hello
[RTB-Serial0]ip address 10.1.1.2 30

PAP Authentication Mode---Principle
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
Username = "huawei"
Password="hello"
Authenticate-Request
Check whether Send user name and password by plain text
the user name
and password are Authenticate-Ack/Authenticate/Nak
correct or not Authenticate successfully/ unsuccessfully

CHAP Authentication Mode---Configuration
[RTA]aaa
[RTA-aaa]local-user huawei password cipher hello
[RTA-aaa]local-user huawei service-type ppp
[RTA]interface Serial 0
[RTA-Serial0]link-protocol ppp
[RTA-Serial0]ppp authentication-mode chap
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
Username = "huawei"
Password="hello"
[RTB-Serial0]link-protocol ppp
[RTB-Serial0]ppp chap user huawei
[RTB-Serial0]ppp chap password cipher hello

CHAP Authentication Mode---Principle
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
Username = "huawei"
Password="hello"
Challenge Use the password

Use the password and and MD5 algorithm to
MDS algorithm to encrypt the challenge
encrypt the challenge Response
message
message, and compare
it with the received Sucess/Failure
encrypted message

Encapsulation

Common NCP Overview
Protocol Function
IPCP Used for negotiating IP

parameters, and makes PPP can
transmit IP packets.
IPXCP Used for negotiating MPLS
parameters, and makes PPP
transmit MPLS packets.

Use IPCP to Negotiate IP AddressStatic
Configuration
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
Configure-Request10.1.1.1
Configure-Ack
Configure-Ack

Use IPCP to Negotiate IP AddressStatic
Configuration
S0 PPP S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB]display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface

10.1.1.0/30 Direct 0 0 10.1.1.2 Serial0
10.1.1.1/32 Direct 0 0 10.1.1.1 Serial0
10.1.1.2/32 Direct 0 0 127.0.0.1 InLoopBack0

Use IPCP to Negotiate IP Address Dynamic
Negotiation
S0 PPP S0
RTA Request for 10.1.1.2/30 RTB
assignment
Configure-Nak10.1.1.1
Configure-Ack
Configure-Ack

Use IPCP to Negotiate IP AddressDynamic
Negotiation
[RTA]interface Serial 0 [RTB-Serial0]link-protocol ppp
[RTA-Serial0]link-protocol ppp [RTB-Serial0]ip address 10.1.1.2 30
[RTA-Serial0]ip address ppp-negotiate [RTB-Serial0]remote address 10.1.1.1
S0 PPP S0
RTA Request for 10.1.1.2/30 RTB
assignment
[RTA]display ip routing-table
Routing Tables: Public
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.2/32 Direct 0 0 10.1.1.2 Serial0

Summary
What are the components in PPP?

Which packets can be used to negotiate link
parameters in LCP?
How many packet exchanges are necessary for
CHAP?
What do the main IPCP parameters negotiate?

FR Principles and
Configuration
www.huawei.com

Frame relay is a connection-oriented
technology operating at the data link
layer. It is used for LAN and WAN
connection over public or private
networks.
Frame relay is a simplified version of

the X.25 WAN protocol.

expect to:
Understand FR protocol principles
Acquire sufficient knowledge to
configure Frame Relay

Chapter 1 FR Overview
Chapter 2 FR Configuration

Overview of Frame Relay
FR is a fast packet switching technology that transfers and

switches data unit with simplified mode at data link layer.
FR adopts virtual circuit technology.
LAN
FR LAN
LAN
LAN
Virtual circuit

FR Encapsulation Relative to OSI RM
FR is allocated at layer 2 of OSI RM.
Application layer
Representation layer
Session layer IP, IPX
Transport layer
Frame Relay
Network layer
Data link layer
FR IP Packet FR
Physical layer

FR Features
Data is transmitted as frames.
Bandwidth multiplexing and dynamic bandwidth allocation
As a type of simplified x.25 WAN protocol, it completes statistical
multiplexing, transparent transmission of frames and error detection at
data link layer, but doesnt provide retransmission function.
It provides a set of bandwidth management and congestion
prevention mechanisms
FR adopts the connection-oriented switching technology, and
provides SVC and PVC service.

FR Network
DTE Data Terminal Equipment

DCE Data Circuit-terminating Equipment
DLCI Data Link Connection Identifier

FR Interface Types
DTE Data Terminal Equipment
DCE Data Circuit-terminating Equipment
NNI Network-to-Network Interface

Virtual Circuit
PVC Permanent Virtual Circuit

SVC Switched Virtual Circuit

Allocation of FR DLCI
DLCI is allocated by FR network service provider

The DLCI is only applicable locally
Mapping of peers network address to DLCI

LMI
LMI - Local Management Interface The LMI is used to monitor the

status of a PVC.
ANSI T1.617 Annex D
ITU-T Q.933 Annex A

(CCITT)
Nonstandard

Topology of FR Network

FR Address Mapping
FR address mapping (MAP) associates the protocol address (IP or IPX

address) with the local DLCI.
The Address Mapping table can either be manually configured or
dynamically maintained through Inverse ARP.

Inverse ARP Protocol
Switch notify DLCI 48
Switch notify DLCI 66
RTA notify IP 172.16.11.2 to DCLI 66
RTB notify IP 172.16.11.3 to DLCI 48
Inverse ARP discovers network address of a destination router

dynamically.

Frame Relay & Split Horizon Issues
Router B
Router B forwards routing
update information to
Router C via serial0 of
Router A
DLCI 16 to C
S0
Router C Router A
Router D

FR Sub-interface
Router B
Subnet2 S0.1
S0.2
S0.3
Router C Router A
Router D

Chapter 1 FR Overview
Chapter 2 FR Configuration

Configuration - Inverse ARP
[RTA-Serial0]link-protocol fr ietf
[RTA-Serial0]fr interface-type dce
[RTA-Serial0]fr dlci 100
[RTA-Serial0]fr inarp
S0 FR S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB-Serial0]fr interface-type dte
[RTB-Serial0]fr inarp

Validate the Result of Configuration
S0 FR S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTA]display fr interface
Serial0, DCE, physical up, protocol up
[RTB]display interface Serial 0

Serial0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Quidway Series, Serial0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.1.2/30
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE


Basic Configuration Static Address Mapping
[RTA-Serial0]fr interface-type dce
[RTA-Serial0]fr dlci 100
[RTA-Serial0]undo fr inarp
[RTA-Serial0]fr map ip 10.1.1.2 100
S0 FR S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB-Serial0]link-protocol fr ietf
[RTB-Serial0]fr interface-type dte
[RTB-Serial0]undo fr inarp
[RTB-Serial0]fr map ip 10.1.1.1 100

S0 FR S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
[RTB]display fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 100, IP 10.1.1.1, Serial0
create time = 2007/06/04 16:45:10, status = ACTIVE
encapsulation = ietf, vlink = 9

FR
S0 S0
RTA 10.1.1.1/30 10.1.1.2/30 RTB
DCE DTE
[RTB-Serial0]ping 10.1.1.1
0.00% packet loss

Configuration of Switching Static Routing
[RTA]interface Serial0
[RTA-Serial0]fr interface-type dte

Configuring FR Switching Route
RTA FR RTC
S0 S0 RTB
S2 S2 S0 S0 RTD
10.1.1.1/30 10.1.1.2/30
DLCI 100 DLCI 200 DLCI 300
dte dce nni nni dce dte
[RTB]interface Serial0
[RTB-Serial0]fr interface-type dce
[RTB-Serial0]fr dlci 100
[RTB]fr switching
[RTB-Serial0]fr dlci-switch 100 interface Serial 2 dlci 200
[RTB]interface serial2
[RTB-Serial2]fr interface-type nni
[RTB-Serial2]fr dlci 200
[RTB-Serial2]fr dlci-switch 200 interface Serial 0 dlci 100

Configuring FR Switching Route
RTA FR RTC
S0 S0 RTB
S2 S2 S0 S0 RTD
10.1.1.1/30 10.1.1.2/30
[RTC]interface Serial2
[RTC-Serial2]link-protocol fr ietf
[RTC-Serial2]fr interface-type nni
[RTC-Serial2]fr dlci 200
[RTC]fr switching
[RTC-Serial2]fr dlci-switch 200 interface Serial 0 dlci 300
[RTC]interface serial0
[RTC-Serial0]link-protocol fr ietf
[RTC-Serial0]fr interface-type dce
[RTC-Serial0]fr dlci 300
[RTC-Serial0]fr dlci-switch 300 interface Serial 2 dlci 200

Configuration of Switching Static Routing
[RTD]interface Serial0
[RTD-Serial0]link-protocol fr ietf
[RTD-Serial0]fr interface-type dte
[RTD-Serial0]ip address 10.1.1.2 30

[RTB]dis fr dlci-switch
Frame relay switch statistics
Status Interface(Dlci) ----------> Interface(Dlci)
Active Serial0(100) Serial2(200)

RTA RTB FR RTC

S0 S0 S2 S2 S0 S0 RTD
10.1.1.1/30 10.1.1.2/30
[RTC]display fr dlci-switch
Frame relay switch statistics
Status Interface(Dlci) ----------> Interface(Dlci)

RTA RTB FR RTC

10.1.1.1/30 10.1.1.2/30
[RTA]dis fr map-info
DLCI = 100, IP INARP 10.1.1.2, Serial0
encapsulation = ietf, vlink = 20, broadcast
[RTD]dis fr map-info
DLCI = 300, IP INARP 10.1.1.1, Serial0
encapsulation = ietf, vlink = 1, broadcast

Configuring the PVC Used for FR Switching
RTA FR RTC
S0 S0 RTB
S2 S2 S0 S0 RTD
10.1.1.1/30 10.1.1.2/30
[RTB]fr switching
[RTB]fr switch 1 interface Serial0 dlci 100
interface Serial2 dlci 200
[RTC]fr switching
[RTC]fr switch 2 interface Serial2 dlci 200
interface Serial0 dlci 300

RTA FR RTC
S0 S0 RTB
S2 S2 S0 S0 RTD
10.1.1.1/30 10.1.1.2/30
[RTB]display fr switch-table all

Total PVC switch records:1
PVC-Name Status Interface(Dlci) <---> Interface(Dlci)
1 Active Serial0(100) Serial2(200)
<RTC>display fr switch-table all

Total PVC switch records:1
PVC-Name Status Interface(Dlci) <-----> Interface(Dlci)
2 Active Serial2(200) Serial0(300)

RTA RTB FR RTC
10.1.1.1/30 10.1.1.2/30
dte nni nni dce dte
dce
[RTB]display fr pvc-info
PVC statistics for interface Serial0 (DCE, physical UP)
DLCI = 100, USAGE = SWITCH (1010), Serial0
in BECN = 0, in FECN = 0
in packets = 1309, in bytes = 43330
out packets = 1306, out bytes = 43240
PVC statistics for interface Serial2 (NNI, physical UP)
DLCI = 200, USAGE = SWITCH (1010), Serial2
in BECN = 0, in FECN = 0
in packets = 468, in bytes = 16708
out packets = 468, out bytes = 16708

Summary
How many modes does the FR

interface have?
Whats the meaning of FR DLCI?
How is a virtual circuit established?

Firewall Product Basics
www.huawei.com

This section mainly introduces the
development history of firewall technology
of the Eudemon series firewall products.

expect to:
Gain knowledge of the development
history of firewall technology
Acquire knowledge of the capability and
features, architecture and performance
of the Eudemon series firewall

Chapter 1 Development of Firewall
Technology
Chapter 2 Eudemon Series Product

The Firewall
A firewall is a device located between two networks with different
trust degrees (enterprise internal network and Internet), that will
police the communication flow between the two networks; with the
help of implementing uniform security policies. It avoids illegal use
and unauthorized access to important resources in order to
ensure network integrity is maintained.
Firewall = hardware+software+control policy

Loose control policy
permits all, selective restriction
Strict control policy
restricts all, selective permission

Firewall Technology Firewall Classification
Firewall can be classified into several kinds according to the

implement methods:
Packet Filtering firewall

Proxy firewall
State detection firewall

Packet Filtering Firewall
The packet from

192.110.10.0/24
permitted
Internal network
Internet
Local office
Packet from
202.110.10.0/24
ACL rule rejected
Headquarters of company Unauthorized user

Proxy Firewall
WWW, FTP,
Emailpr oxy
Send r equest For war d r equest

Internet
For war d r esponse Request r esponse
Client
Security policy,
audit supervise,
alarm

State Firewall
User A initiates Telnet session
Firewall creates Session Other Telnet packet is blocked

item
Other users
Protected External
User A network network
The Telnet session reply packet of

user A is permitted target server
Firewall matches Session
item packet

The Function of a Firewall in a Security System
reinforced house
Door Monitor Intrusion System reinforce, Security transmission
Firewall detection system immunity Encryption, VPN
Forbidden system Guard

Monitor
Identity authentication Scanner,
Security management center
access control Security hole detection

Firewall Limitations
A firewall is not a total security solution, and cannot solve all the problems
of network security, it is only one part of a network security policy.
Defends from external threats, not internal

Balance should be ensured between depth detection and forwarding
performance
When using end-to-end encryption, such as with VPN, firewalls are

unable to analyze the inbound traffic;
The firewall itself creates a performance bottleneck, through various

means, for example: anti-attack ability, session limitation.

Chapter 1 Development of Firewall
Technology
Chapter 2 Eudemon Series Product

Eudemon Series Firewall
Eudemon 300/500/1000
Eudemon 200
Eudemon 100

Eudemon Series Firewall Performance
Item Technology parameter and performance index
Eudemon Eudemon Eudemon Eudemon Eudemon

100 200 300 500 1000
Total 100Mbps 400Mbps 1Gbps 2Gbps 3Gbps
throughput
rate
Subsequent 200 500 500 800 1000
connection thousand thousand
thousand thousand thousand
New created 5000item/s 20000item/s 100000item/s 100000item/s 100000item/s

connection
Interface 2 fixed FE 2 fixed FE, 2 4slotssupport 4slotssupport 4slotssupport
2slots slots support 1GE/2GE 1GE/2GEoptical 1GE/2GEoptical
FE/2FE/1GEopti optical/electrical /eletrical/8FE/4F /electrical/8FE/4
1 support cal /electrical/1 /8FE/4FE/2FEo E/2FEoptical/ele FE/2FEoptical/e
1FE LPU 155MATM/4E1 ptical/electrical ctrical lectrical
LPU LPU LPU LPU

Eudemon 200Dual-bus System Structure
Double- channel design
Dual- bus collision decreases, bandwidth increases
Double- channel receive/send independently
PCI card
PCI CPU
PCI card 1
shield System
bridge
PCI card PCI

2 Memory
PCI card
shield
FE FE
i nt er f ace i nt er f ace

Eudemon 300/500/1000Logical Structure Based
on NP
PCI card CPU Main board
PCI
1 NP card High speed board
PCI card
shield System
FPGA High speed board
bridge NP
PCI card
shield PCI T1 T2
High speed board
2 Memory T3
Monitor
PCI card
Shield
FE FE
interface interface
Fan group1
Power 2
Power 1 Fan group2

Summary
How many variations of firewall are there,

and what features do they support?
Which models make up the Eudemon
firewall series?

Eudemon Basic Function
and Configuration
www.huawei.com

This section will introduce the modes of
operation for the Eudemon firewall, as
well as security area concepts, Access
Control Lists, Network Address
Translation etc, used to enhance the
defense capability of the firewall

expect to :
Build an understanding of security areas

Understand the operational modes of a
firewall
Acquire the knowledge to explain and
configure ACL & NAT

Chapter 1 Security Zones
Chapter 2 Modes of Operation
Chapter 3 Access Control Lists
Chapter 4 Network Address Translation

Firewall Security Zone
Interface 2
Local Zone Trust Zone
100 85
Zone defined
by user
DMZ Zone
50 UnTrust Zone Interface 3
5
Interface 1 Interface 4

Security Zone Data Flow ---Inter-zone
inbound
Internal network
outbound
Eudemon
Local
Trust
E1/0/0 E1/0/2 External network
Eth1/0/1 Untrust
outbound
outbound
inbound
inbound
Server
Server
DMZ
HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page

100
Security Zone Configuration
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60
[Eudemon-zone-userzone] add interface Ethernet 0/0/1
[Eudemon]display zone username

username
priority is 60
interface of the zone is (1):
Ethernet0/0/1

101
Interzone policy configuration
[Eudemon]acl 3000
[Eudemon-acl-adv-3000] rule permit ip
[Eudemon]firewall interzone trust untrust
[Eudemon-interzone-trust-untrust]packet-filter 3000 inbound
PC PC PC
Trust Zone
Untrust Zone
Eudemon
Server Server
Internal network External network

102

103
Route Mode
10.110.1.254 202.10.0.1
PC PC PC
Trust Zone Untrust Zone
Eudemon
Server Server
Internal network External network

10.110.1.0/24 202.10.0.0/24

104
Transparent Mode
PC PC PC
Trust
Untrust
Eudemon
Server Server
Internal network 202.10.0.0/24 External network

105
Composite Mode
Eudemonactive
PC PC PC
Trust
VRRP Untrust
Server Server
Internal network Eudemonstandby External network
202.10.0.0/24 202.10.0.0/24

106
Mode Configuration
[Eudemon]firewall mode composite

[Eudemon]quit
<Eudemon>reboot
[Eudemon]display firewall mode

firewall mode composite

107

108
ACL Application
Packet filtering
Determine whether to discard or forward packet according to ACL
rule
NAT
Determine whether to implement NAT to which packet According
to ACL
IPSec
Determine whether to protect which packet according to ACL
QoS
What is ACL?
Classify flow according to ACL
Permit
Routing policy
Deny
Filter routes according to ACL

109
ACL Classification
Basic ACL range: 20002999
Use of source address to define the data flow
Advanced ACL range: 30003999
Use of source address, destination address, source port number,

destination port number and protocol number, combined to define
the data flow.
Firewall ACL range:50005499
Use of source address, destination address, destination port number

to define the data flow

110
ACL Classification
acl [ number ] acl-number
rule [ rule-id ] { permit | deny } [ source { source-address
source-wildcard | any } ] [ time-range time-name ]
rule [ rule-id ] { permit | deny } protocol [ source { source-
address source-wildcard | any } ] [ destination { dest-address
dest-mask | any } ] [ source-port operator port1 [ port2 ] ]
[ destination-port operator port1 [ port2 ] ] [ icmp-type
{ icmp-type icmp-code | icmp-message } ] [ precedence
precedence ] [ tos tos ] [ time-range time-name ]
Firewall ACL Advanced ACL Basic ACL
Match the route to an acl-number
Match the route to a rule-id

111
ACL Application Example
FTP Server Telnet Server www Server

129.38.1.1 129.38.1.2 129.38.1.3
E0/0/0 129.38.1.5
Special PC in external network
Special PC in internal network Eudemon
202.39.2.3
129.38.1.4 E1/0/0
202.38.160.1
WAN

112
ACL Application ExampleConfiguration
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
[Eudemon-acl-adv-3101] rule deny ip
[Eudemon-acl-adv-3101] quit
[Eudemon] acl number 3102
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0

[Eudemon-Interzone-trust-untrust] packet-filter 3101 outbound
[Eudemon-Interzone-trust-untrust] packet-filter 3102 inbound

113

114
NAT (Network Address Translation)
NAT is used to translate IP addresses in IP data packet header

to alternative IP addresses.
NAT can solve the following problems:

IP address shortage
Helps reserve public IP addresses
Security element
Shield private networks
Enterprise combination
Easy to merge networks

115
Public and Private Addressing
192.168.0.2
192.168.0.1
LAN2
LAN1
Internet
192.168.0.1
Private address range:
10.0.0.0-10.255.255.255
LAN3
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

116
Eudemon NAT
Data packet 1
Source 192.168.1.3
destination 202.120.10.2 Data packet 1 Server B
PC A source 202.169.10.1 202.120.10.2
Destination 202.120.10.2
192.168.1.3
Trust Eudemon Untrust

E0/0/0 E0/0/0
Internet
192.168.1.1 202.169.10.1
Data packet 2 Data packet 2

source 202.120.10.2
Source 202.120.10.2 destination 202.169.10.1
PC B
destination192.168.1.3
192.168.1.2 PC C
202.130.10.3

117
Eudemon NAPT
source 192.168.1.3 source 202.169.10.1
Source port 1357 Source port 1357
Server B
Data packet 2 Data packet2
PC A source 192.168.1.3 source 202.169.10.1 202.120.10.2
192.168.1.3 Source port 2468 Source port 2468
Trust Eudemon Untrust

E0/0/0 E0/0/0
Internet
192.168.1.1 202.169.10.1
Data packet3 Data packet3
source 192.168.1.1 source 202.169.10.1
PC B
192.168.1.2 PC C
Data packet4 Data packet4 202.130.10.3
source 192.168.1.2 source 202.169.10.1

118
Eudemon Internal Server NAT
Internet
Untrust Data packet 1
Data packet 2
source 202.168.0,2
source 202.168.0.11
E0/0/1 202.168.0.1/26 Destination destination 202.168.0.2
202.168.0.11
source 202.168.0,2 source 192.168.0.101
E1/0/0 192.168.1.1/24
ALG function destination destination 202.168.0.2
192.168.0.101
202.168.0.11-192.168.1.101 DMZ
Mail Server Web Server FTP Server

192.168.1.100/24 192.168.1.101/24 192.168.1.102/24

119
Eudemon NAT Implementation
Eudemon
Private ACL Public address

address

120
Internal Server NAT Network
Internet
Untrust
202.168.0.1/24 E0/0/1
202.168.0.10-192.168.1.100
Internal network E0/0/0
192.168.0.0/24 202.168.0.11:80-192.168.1.101:8080
192.168.0.1/24
202.168.0.12:1021-192.168.1.102:ftp
192.168.1.1/24 E1/0/0
Trust
DMZ
Mail Server Web Server FTP Server

192.168.1.100/24 192.168.1.101/24 192.168.1.102/24

121
Egress Network NAT Typical Configuration
[Eudemon] acl 2000

[Eudemon-acl-basic-2000]rule permit
[Eudemon-acl-basic-2000]quit
[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
Configure address pool

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip source-address
192.168.0.0 0.0.0.255
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 2000
outbound
[Eudemon-interzone-trust-untrust] nat outbound 3000
address-group 1
Enable NAT function, bind address pool and ACL

122
NAT Server Typical Configuration
[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100

[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside
192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside
192.168.1.102 ftp
Configure mapping information between global
address and internal server address
[Eudemon] acl 3000
[Eudemon] rule permit ip destination-address 192.168.1.0
0.0.0.255
[Eudemon] firewall interzone DMZ untrust
[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
[Eudemon-interzone-DMZ-untrust] detect ftp

123
NAT Configuration Verification
[Eudemon] display nat all
NAT address-group information:

1: from 202.168.0.10 to 202.168.0.20, reference 1 times
Total 1 address-groups If address pool is imported, it
NAT outbound information: can not be deleted directly.
interzone-trust-untrust: acl(2000) --- NAT address-group( 1)
Total 1 nat outbounds
Server in private network information:
zone GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN
---- 202.168.0.10 ---- 192.168.1.100 ---- --- public
---- 202.168.0.11 8080 192.168.1.101 8080 6(tcp) public
---- 202.168.0.12 1021 192.168.1.102 21(ftp) 6(tcp) public
Total 3 NAT servers

124
Summary
Which operational modes does Eudemon

support?
What are the default Eudemon security zones?
What is the difference between a basic ACL
and an advanced ACL?
Which forms of NAT does Eudemon support?

125
Thank you
www.huawei.com

Huawei 8

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Huawei 8

Transféré par

Droits d'auteur :

Formats disponibles

HDLC Principles and

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

HDLC is an ISO based Data link layer

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 2

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 3

Chapter 2 Configuration of HDLC

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 4

High-level Data Link Control, HDLC for short, is a bit-based line

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 5

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 6

Information frame (I frame)

Unnumbered frame (U frame)

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 7

Chapter 2 Configuration of HDLC

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 8

[RTA]interface Serial 0/0/1

[RTB]interface Serial 0/0/1

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 9

--- 10.1.1.2 ping statistics ---

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 10

[RTA-LoopBack0]ip address 10.1.1.1 32

S0/0/1 HDLC S0/0/1

[RTB]interface Serial 0/0/1

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 11

S0/0/1 HDLC S0/0/1

[RTA]display ip interface brief

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 12

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 13

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 14

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

PPP provides a standard method for

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 16

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 17

Chapter 2 Link Control Protocol

Chapter 3 PPP Authentication Protocol

Chapter 4 Network Control Protocol

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 18

HTTP FTP TFTP SNMP

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 19

Datagram encapsulation Define the method of encapsulating multi-

Link Control Protocol Define the method of establishing,

connection and negotiating parameters for

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 20

Protocol2 Bytes Information Padding (optional)

maximal total length

0x0021 IP datagram Padding (optional)

0xc021 LCP Padding (optional)

0x8021 IP control protocol Padding (optional)

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 21

Follow HDLC Follow HDLC

Flag Address Control FCS Flag

Protocol2 Bytes Information Padding (optional)

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 22

[RTA]interface Serial 1/0

S1/0 PPP S1/0

[RTB]interface Serial 1/0

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 23

Chapter 2 Link Control Protocol

Chapter 3 PPP Authentication Protocol

Chapter 4 Network Control Protocol

HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved Page 24

Message Type Function

Configure-Request Include the parameters for link establishment