CLI: Example for Configuring Dual Stack

Context

As shown in Figure 1, a FW that supports the IPv4/IPv6 dual stack can forward both IPv4 and IPv6 packets through the same interface once it is connected to the IPv4 and IPv6 networks.

Figure 1 Dual-stack networking

Procedure

  1. Perform the following operations on FW_A:

    # Enable the IPv6 function.

    <FW_A> system-view
    [FW_A] ipv6

    # Configure an IPv4 address for GigabitEthernet 0/0/1.

    [FW_A] interface GigabitEthernet0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 192.168.0.1 24
    [FW_A-GigabitEthernet0/0/1] quit

    # Configure an IPv6 address for GigabitEthernet 0/0/2.

    [FW_A] interface GigabitEthernet0/0/2
    [FW_A-GigabitEthernet0/0/2] ipv6 enable
    [FW_A-GigabitEthernet0/0/2] ipv6 address 2001:db8:1::1 64
    [FW_A-GigabitEthernet0/0/2] quit

    # Add GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to the Trust zone.

    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet0/0/1
    [FW_A-zone-trust] add interface GigabitEthernet0/0/2
    [FW_A-zone-trust] quit

    # Configure an IPv4 address and an IPv6 address for GigabitEthernet 0/0/3.

    [FW_A] interface GigabitEthernet0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 2.2.2.1 24
    [FW_A-GigabitEthernet0/0/3] ipv6 enable
    [FW_A-GigabitEthernet0/0/3] ipv6 address 2001:db8:3::1 64
    [FW_A-GigabitEthernet0/0/3] quit

    # Add GigabitEthernet 0/0/3 to the Untrust zone.

    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet0/0/3
    [FW_A-zone-untrust] quit

    # Configure a security policy on FW_A.

    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec_1
    [FW_A-policy-security-rule-policy_sec_1] source-address 192.168.0.1 24
    [FW_A-policy-security-rule-policy_sec_1] source-address 2001:db8:1::1 64
    [FW_A-policy-security-rule-policy_sec_1] source-zone trust
    [FW_A-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW_A-policy-security-rule-policy_sec_1] action permit
    [FW_A-policy-security-rule-policy_sec_1] quit

    # Configure a static route.

    [FW_A] ip route-static 192.168.1.0 24 2.2.2.2
    [FW_A] ipv6 route-static 2001:db8:2:: 64 2001:db8:3::2

  2. Perform the following operations on FW_B:

    # Enable the IPv6 function.

    <FW_B> system-view
    [FW_B] ipv6

    # Configure an IPv4 address for GigabitEthernet 0/0/1.

    [FW_B] interface GigabitEthernet0/0/1
    [FW_B-GigabitEthernet0/0/1] ip address 192.168.1.1 24
    [FW_B-GigabitEthernet0/0/1] quit

    # Configure an IPv6 address for GigabitEthernet 0/0/2.

    [FW_B] interface GigabitEthernet0/0/2
    [FW_B-GigabitEthernet0/0/2] ipv6 enable
    [FW_B-GigabitEthernet0/0/2] ipv6 address 2001:db8:2::1 64
    [FW_B-GigabitEthernet0/0/2] quit

    # Add GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 to the Trust zone.

    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet0/0/1
    [FW_B-zone-trust] add interface GigabitEthernet0/0/2
    [FW_B-zone-trust] quit

    # Configure an IPv4 address and an IPv6 address for GigabitEthernet 0/0/3.

    [FW_B] interface GigabitEthernet0/0/3
    [FW_B-GigabitEthernet0/0/3] ip address 2.2.2.2 24
    [FW_B-GigabitEthernet0/0/3] ipv6 enable
    [FW_B-GigabitEthernet0/0/3] ipv6 address 2001:db8:3::2 64
    [FW_B-GigabitEthernet0/0/3] quit

    # Add GigabitEthernet 0/0/3 to the Untrust zone.

    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet0/0/3
    [FW_B-zone-untrust] quit

    # Configure a security policy on FW_B.

    [FW_B] security-policy
    [FW_B-policy-security] rule name policy_sec_1
    [FW_B-policy-security-rule-policy_sec_1] source-address 192.168.1.1 24
    [FW_B-policy-security-rule-policy_sec_1] source-address 2001:db8:2::1 64
    [FW_B-policy-security-rule-policy_sec_1] source-zone trust
    [FW_B-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW_B-policy-security-rule-policy_sec_1] action permit
    [FW_B-policy-security-rule-policy_sec_1] quit

    # Configure a static route.

    [FW_B] ip route-static 192.168.0.0 24 2.2.2.1
    [FW_B] ipv6 route-static 2001:db8:1:: 64 2001:db8:3::1

Verifying the Configuration

# After you complete the preceding configurations, configure PC1 to ping the IP address of PC3.

C:\Documents and Settings\Administrator>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time=9ms TTL=253
Reply from 192.168.1.2: bytes=32 time<1ms TTL=253
Reply from 192.168.1.2: bytes=32 time<1ms TTL=253
Reply from 192.168.1.2: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms

# Configure PC2 to ping the IP address of PC4.

C:\Documents and Settings\Administrator>ping 2001:db8:2::2

Pinging 2001:db8:2::2 with 32 bytes of data:

Reply from 2001:db8:2::2: bytes=32 time=9ms TTL=253
Reply from 2001:db8:2::2: bytes=32 time<1ms TTL=253
Reply from 2001:db8:2::2: bytes=32 time<1ms TTL=253
Reply from 2001:db8:2::2: bytes=32 time<1ms TTL=253

Ping statistics for 2001:db8:2::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms

Configuration Scripts

FW_A

#
  sysname FW_A
#
  interface GigabitEthernet0/0/1
    ip address 192.168.0.1 24
#
  interface GigabitEthernet0/0/2
    ipv6 enable
    ipv6 address 2001:db8:1::1 64
#
  interface GigabitEthernet0/0/3
    ip address 2.2.2.1 24
    ipv6 enable
    ipv6 address 2001:db8:3::1 64
#
  firewall zone trust
    set priority 85
    add interface GigabitEthernet0/0/1
    add interface GigabitEthernet0/0/2
#
  firewall zone untrust
    set priority 5
    add interface GigabitEthernet0/0/3
#
  security-policy
    rule name policy_sec_1
      source-address 192.168.0.1 24
      source-address 2001:db8:1::1 64
      source-zone trust
      destination-zone untrust
      action permit
#
  ip route-static 192.168.1.0 24 2.2.2.2
  ipv6 route-static 2001:db8:2:: 64 2001:db8:3::2
#

FW_B

#
  sysname FW_B
#
  interface GigabitEthernet0/0/1
    ip address 192.168.1.1 24
#
  interface GigabitEthernet0/0/2
    ipv6 enable
    ipv6 address 2001:db8:2::1 64
#
  interface GigabitEthernet0/0/3
    ip address 2.2.2.2 24
    ipv6 enable
    ipv6 address 2001:db8:3::2 64
#
  firewall zone trust
    set priority 85
    add interface GigabitEthernet0/0/1
    add interface GigabitEthernet0/0/2
#
  firewall zone untrust
    set priority 5
    add interface GigabitEthernet0/0/3
#
  security-policy  
    rule name policy_sec_1 
      source-address 192.168.1.1 24
      source-address 2001:db8:2::1 64
      source-zone trust
      destination-zone untrust
      action permit
#
  ip route-static 192.168.0.0 24 2.2.2.1
  ipv6 route-static 2001:db8:1:: 64 2001:db8:3::1
#
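
The following is an added example, not part of the original page or of any Huawei tooling: a small Python audit of a saved script in the layout used above. It reports a zone declared with conflicting priorities, a security-policy rule that references a zone with no interfaces, and a rule whose source-address conditions cover only one address family on a dual-stack device. The names `audit` and `SAMPLE` are introduced here, and the sample input is constructed.

```python
import ipaddress

# Constructed sample (page's script layout): zone mislabelled, IPv4-only rule.
SAMPLE = """\
#
  firewall zone trust
    set priority 85
    add interface GigabitEthernet0/0/1
#
  firewall zone trust
    set priority 5
    add interface GigabitEthernet0/0/3
#
  security-policy
    rule name policy_sec_1
      source-address 192.168.0.1 24
      source-zone trust
      destination-zone untrust
      action permit
#
"""

def audit(config):
    """Return findings about zones and address families in a script."""
    zones, rules, zone, rule = {}, {}, None, None
    for words in (line.split() for line in config.splitlines()):
        if not words or words[0] == "#":        # '#' closes the open block
            zone = rule = None
        elif words[:2] == ["firewall", "zone"]:
            zone = zones.setdefault(words[2], {"prio": set(), "ifs": set()})
        elif zone is not None and words[:2] == ["set", "priority"]:
            zone["prio"].add(int(words[2]))
        elif zone is not None and words[:2] == ["add", "interface"]:
            zone["ifs"].add(words[2])
        elif words[:2] == ["rule", "name"]:
            rule = rules.setdefault(words[2], {"zones": set(), "fams": set()})
        elif rule is not None and words[0] in ("source-zone", "destination-zone"):
            rule["zones"].add(words[1])
        elif rule is not None and words[0] == "source-address":
            rule["fams"].add(ipaddress.ip_address(words[1]).version)
    out = [f"zone {n}: priorities {sorted(z['prio'])}"
           for n, z in zones.items() if len(z["prio"]) > 1]
    for n, r in rules.items():
        out += [f"rule {n}: zone {z} has no interfaces"
                for z in sorted(r["zones"]) if z not in zones or not zones[z]["ifs"]]
        if r["fams"] and r["fams"] != {4, 6}:
            out.append(f"rule {n}: source-address is IPv{min(r['fams'])} only")
    return out

print("\n".join(audit(SAMPLE)))
```

A script that declares the outer zone as `untrust` and lists both an IPv4 and an IPv6 `source-address` in the rule produces no findings.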
Copyright © Huawei Technologies Co., Ltd.