
CLI: Example for Configuring Static IPv6 Addresses for Devices to Communicate

This section provides an example for configuring a firewall to connect intranet users to the Internet. A firewall is assigned a static IPv6 address to access the Internet and provides Internet access services for intranet users.

Networking Requirements

An enterprise deploys a firewall as a security gateway on the network border and purchases broadband services from a carrier to implement intranet users' Internet access using IPv6 addresses.

Figure 1 Networking diagram of accessing the Internet through an IPv6 address

Configuration Roadmap

  1. Configure IP addresses of interfaces and add the interfaces to security zones.
  2. Configure a security policy so that intranet hosts can access the Internet.
  3. Configure a default route on the FW, so that traffic from the intranet can be forwarded to the ISP router.
  4. Configure the default gateway on each host on the intranet, so that the hosts send traffic to the FW when they access the Internet.
  5. Configure static routes on the router, so that the router forwards return traffic from the Internet to the FW.

Procedure

  1. Enable the global IPv6 function to allow the firewall to forward IPv6 packets.

    <FW> system-view
    [FW] ipv6

  2. Configure the IPv6 address for GigabitEthernet 0/0/1.

    [FW] interface GigabitEthernet0/0/1
    [FW-GigabitEthernet0/0/1] ipv6 enable
    [FW-GigabitEthernet0/0/1] ipv6 address 2001:0DB8:0203::1234 48
    [FW-GigabitEthernet0/0/1] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet0/0/1
    [FW-zone-trust] quit

  3. Configure the IPv6 address for GigabitEthernet 0/0/2.

    [FW] interface GigabitEthernet0/0/2
    [FW-GigabitEthernet0/0/2] ipv6 enable
    [FW-GigabitEthernet0/0/2] ipv6 address 2001:0DB8:0506::1234 48
    [FW-GigabitEthernet0/0/2] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet0/0/2
    [FW-zone-untrust] quit

  4. Configure a security policy. In actual scenarios, more refined security policies can be configured to control Internet access of intranet users.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_1
    [FW-policy-security-rule-policy_sec_1] source-zone trust
    [FW-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW-policy-security-rule-policy_sec_1] action permit
    [FW-policy-security-rule-policy_sec_1] quit
    [FW-policy-security] quit

  5. Configure a default route on the FW, so that traffic from the intranet can be forwarded to the ISP router.

    [FW] ipv6 route-static 0:0::0:0 0 2001:0DB8:0506::5678

  6. Configure the default gateway on each host on the intranet, so that the hosts send traffic to the FW when they access the Internet.
  7. Configure static routes on the router, so that the router forwards return traffic from the Internet to the FW.

    Contact the ISP network administrator to perform this step.

Configuration Verification

  1. Check the status of GigabitEthernet 0/0/1. The following example uses GigabitEthernet 0/0/1 on FW. If the configuration is successful, the configured global unicast address is displayed, and both the physical status and the IPv6 protocol status of the interface are UP.

    [FW] display ipv6 interface GigabitEthernet 0/0/1
    GigabitEthernet0/0/1 current state : UP
    IPv6 protocol current state : UP
    IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE00:1708
      Global unicast address(es):
        2001:0DB8:0203::1234, subnet is 2001:0DB8:0203::/48
      Joined group address(es):
        FF02::1:FF00:1
        FF02::2
        FF02::1
        FF02::1:FF48:3EF
      MTU is 1500 bytes
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      ND retransmit interval is 1000 milliseconds
      ND stale time is 1200 seconds
      ND advertised reachable time is 0 milliseconds
      ND advertised retransmit interval is 0 milliseconds
      ND router advertisement max interval 600 seconds, min interval 200 seconds
      ND router advertisements live for 1800 seconds
      ND router advertisements hop-limit 64
      ND default router preference medium
      Hosts use stateless autoconfig for addresses

  2. Check whether intranet hosts can use domain names to access the Internet. If the hosts can access the Internet, the configurations are correct. If the hosts fail to access the Internet, modify the configuration and try again.
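The verification step above has three pass criteria: physical state UP, IPv6 protocol state UP, and the configured global unicast address present. The following Python script, added here as an example and not part of this Huawei page or its product, parses the `display ipv6 interface` output and applies those criteria so the check can be scripted rather than read by eye. The embedded `DISPLAY_OUTPUT` is the page's own output trimmed to the lines the check needs; `parse_display_ipv6_interface` and `verify_interface` are names chosen for this example, and the parser covers only the output format shown on this page.

```python
import ipaddress
import re

# Constructed sample (added example): the 'display ipv6 interface' output shown
# on this page for GigabitEthernet 0/0/1, trimmed to the lines the check needs.
DISPLAY_OUTPUT = """\
GigabitEthernet0/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE00:1708
  Global unicast address(es):
    2001:0DB8:0203::1234, subnet is 2001:0DB8:0203::/48
  Joined group address(es):
    FF02::1:FF00:1
    FF02::2
    FF02::1
  MTU is 1500 bytes
"""


def parse_display_ipv6_interface(output):
    """Return the physical state, IPv6 protocol state and global unicast
    addresses (as IPv6Interface objects) from 'display ipv6 interface' output."""
    info = {"phy_state": None, "ipv6_state": None, "global": []}
    in_global = False
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"(.+?) current state : (\S+)$", line)
        if m:
            key = "ipv6_state" if m.group(1) == "IPv6 protocol" else "phy_state"
            info[key] = m.group(2)
            continue
        if line.endswith(":"):                      # a new section header
            in_global = line.startswith("Global unicast address")
            continue
        m = re.match(r"(\S+), subnet is (\S+)/(\d+)$", line)
        if in_global and m:
            # Keep the prefix length so a wrong mask is detected, not just a wrong address.
            info["global"].append(ipaddress.IPv6Interface(f"{m.group(1)}/{m.group(3)}"))
    return info


def verify_interface(output, expected):
    """Apply the page's success criteria: both states UP and the configured
    global unicast address present with its prefix length. Returns findings."""
    info = parse_display_ipv6_interface(output)
    want = ipaddress.IPv6Interface(expected)       # IPv6Interface equality covers address and prefix
    findings = []
    if info["phy_state"] != "UP":
        findings.append(f"physical state is {info['phy_state']}, expected UP")
    if info["ipv6_state"] != "UP":
        findings.append(f"IPv6 protocol state is {info['ipv6_state']}, expected UP")
    if want not in info["global"]:
        findings.append(f"global unicast address {want} not present")
    return findings


if __name__ == "__main__":
    for f in verify_interface(DISPLAY_OUTPUT, "2001:0DB8:0203::1234/48") or ["interface OK"]:
        print(f)
```

Because the comparison uses `ipaddress.IPv6Interface`, the uppercase, zero-padded form in the output and the compressed lowercase form an operator might type compare equal, while a mismatched prefix length is still reported.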

Configuration Scripts

Configuration script for FW:

#
 sysname FW
#
 ipv6
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2001:0DB8:0203::1234 48
#
interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2001:0DB8:0506::1234 48
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
security-policy
  rule name policy_sec_1
    source-zone trust
    destination-zone untrust
    action permit
#
ipv6 route-static 0:0::0:0 0 2001:0DB8:0506::5678
#
return
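The procedure and the script above must agree on a few points for traffic to flow: global IPv6 forwarding is on, each addressed interface has `ipv6 enable` and sits in exactly one security zone, the default route's next hop (the ISP router) is on-link through an interface in zone untrust, and a security policy permits trust to untrust. The following Python script, added here as an example and not part of this Huawei page or its product, parses a configuration script in the VRP layout shown above and checks those conditions, so a mismatch such as an interface placed in the wrong zone is caught before the configuration is committed. The embedded `FW_CONFIG` is constructed from the page's values with GigabitEthernet0/0/1 in trust and GigabitEthernet0/0/2 in untrust as the procedure specifies; `parse_vrp_config` and `check_config` are names chosen for this example, and the parser covers only the command subset that appears on this page.

```python
import ipaddress

# Constructed input (added example): the FW script from this page, with each
# interface in the zone the procedure assigns it (GE0/0/1 trust, GE0/0/2 untrust).
FW_CONFIG = """\
#
 ipv6
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2001:0DB8:0203::1234 48
#
interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2001:0DB8:0506::1234 48
#
firewall zone untrust
 add interface GigabitEthernet0/0/2
#
firewall zone trust
 add interface GigabitEthernet0/0/1
#
security-policy
  rule name policy_sec_1
    source-zone trust
    destination-zone untrust
    action permit
#
ipv6 route-static 0:0::0:0 0 2001:0DB8:0506::5678
#
return
"""

def parse_vrp_config(text):
    """Parse the subset of VRP syntax used on this page: a block header opens a
    context (interface / zone / policy rule) and a '#' separator closes it."""
    cfg = {"ipv6": False, "interfaces": {}, "zones": {}, "rules": {}, "routes": []}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            ctx = None
            continue
        tok = line.split()
        if not tok:
            continue
        if ctx is None:
            if line == "ipv6":                           # global IPv6 forwarding
                cfg["ipv6"] = True
            elif tok[0] == "interface":
                ctx = ("interface", tok[1])
                cfg["interfaces"][tok[1]] = {"enabled": False, "address": None}
            elif tok[:2] == ["firewall", "zone"]:
                ctx = ("zone", tok[2])
                cfg["zones"].setdefault(tok[2], {"members": []})
            elif line == "security-policy":
                ctx = ("policy", None)
            elif tok[:2] == ["ipv6", "route-static"]:      # <dest> <prefix-len> <next-hop>
                cfg["routes"].append((ipaddress.IPv6Network(f"{tok[2]}/{tok[3]}", strict=False),
                                      ipaddress.IPv6Address(tok[4])))
            continue
        kind, name = ctx
        if kind == "interface" and line == "ipv6 enable":
            cfg["interfaces"][name]["enabled"] = True
        elif kind == "interface" and tok[:2] == ["ipv6", "address"]:
            cfg["interfaces"][name]["address"] = ipaddress.IPv6Interface(f"{tok[2]}/{tok[3]}")
        elif kind == "zone" and tok[:2] == ["add", "interface"]:
            cfg["zones"][name]["members"].append(tok[2])
        elif kind in ("policy", "rule") and tok[:2] == ["rule", "name"]:
            ctx = ("rule", tok[2])
            cfg["rules"][tok[2]] = {}
        elif kind == "rule":                             # source-zone / destination-zone / action
            cfg["rules"][name][tok[0]] = tok[1]
    return cfg

def check_config(text):
    """Return a list of findings; an empty list means the script matches the roadmap."""
    cfg = parse_vrp_config(text)
    findings = []
    if not cfg["ipv6"]:
        findings.append("global ipv6 is not enabled, so the FW will not forward IPv6 packets")
    for ifname, i in cfg["interfaces"].items():
        if i["address"] is not None and not i["enabled"]:
            findings.append(f"{ifname} has an IPv6 address but no 'ipv6 enable'")
        if sum(ifname in z["members"] for z in cfg["zones"].values()) != 1:
            findings.append(f"{ifname} must belong to exactly one security zone")
    # The default route's next hop (the ISP router) must be on-link via an untrust interface.
    untrust_nets = [cfg["interfaces"][m]["address"].network
                    for m in cfg["zones"].get("untrust", {"members": []})["members"]
                    if cfg["interfaces"].get(m, {}).get("address") is not None]
    for dst, nh in cfg["routes"]:
        if dst.prefixlen == 0 and not any(nh in net for net in untrust_nets):
            findings.append(f"default route next hop {nh} is not on-link to any untrust interface")
    if not any(r.get("source-zone") == "trust" and r.get("destination-zone") == "untrust"
               and r.get("action") == "permit" for r in cfg["rules"].values()):
        findings.append("no security-policy rule permits trust -> untrust")
    return findings
```

Run `check_config(FW_CONFIG)` to get an empty list for the consistent script; swapping the two `add interface` lines between the zones produces a single finding, because the next hop 2001:0DB8:0506::5678 then lies on a prefix that belongs to a trust interface rather than an untrust one, which is exactly the misconfiguration that would leave return traffic and the default route pointing into the wrong zone.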
Copyright © Huawei Technologies Co., Ltd.