CLI: Configuring IPv6 Users to Access the Internet Through Virtual Systems

Procedure

1. The public system administrator creates virtual systems vsysa, and vsysb, and assigns resources to them.

   # Use the account of the public system administrator to log in to the FW.

   # Enable the virtual system function.

   <FW> system-view
   [FW] vsys enable

   # Configure a resource class.

   [FW] resource-class r1
   [FW-resource-class-r1] resource-item-limit ipv6 session reserved-number 10000 maximum 50000
   [FW-resource-class-r1] resource-item-limit policy reserved-number 300
   [FW-resource-class-r1] resource-item-limit user reserved-number 300
   [FW-resource-class-r1] resource-item-limit user-group reserved-number 10
   [FW-resource-class-r1] resource-item-limit bandwidth 20 outbound
   [FW-resource-class-r1] quit

   # Create virtual systems and allocate resources to them.

   [FW] vsys name vsysa
   [FW-vsys-vsysa] assign resource-class r1
   [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
   [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/3
   [FW-vsys-vsysa] quit
   [FW] vsys name vsysb
   [FW-vsys-vsysb] assign resource-class r1
   [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/2
   [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/4
   [FW-vsys-vsysb] quit

2. The public system administrator configures IP addresses, routes, and security policies for vsysa.

   # Enable IPv6.

   [FW] ipv6

   # Set interface IPv6 addresses for vsysa.

   [FW] interface GigabitEthernet 0/0/1
   [FW-GigabitEthernet0/0/1] set public-interface
   [FW-GigabitEthernet0/0/1] ipv6 enable
   [FW-GigabitEthernet0/0/1] ipv6 address 1::1 64
   [FW-GigabitEthernet0/0/1] quit
   [FW] interface GigabitEthernet 0/0/3
   [FW-GigabitEthernet0/0/3] ipv6 enable
   [FW-GigabitEthernet0/0/3] ipv6 address 3::1 64
   [FW-GigabitEthernet0/0/3] quit

   # The public system administrator configures a default route for vsysa.

   [FW] ipv6 route-static vpn-instance vsysa :: 0 1::2

   # Assign interfaces of vsysa to security zones.

   [FW] switch vsys vsysa
   <FW-vsysa> system-view
   [FW-vsysa] firewall zone trust
   [FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/3
   [FW-vsysa-zone-trust] quit
   [FW-vsysa] firewall zone untrust
   [FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
   [FW-vsysa-zone-untrust] quit

   # The public system administrator configures an address set for vsysa.

   [FW-vsysa] ip address-set ipaddress1 type object
   [FW-vsysa-object-address-set-ipaddress1] address range 3::2 3::200
   [FW-vsysa-object-address-set-ipaddress1] quit

   # Configure a security policy for vsysa. This security policy allows intranet users of a specific network segment to access the Internet. Packets from employees on other network segments to the Internet will match the default security policy and are denied.

   [FW-vsysa] security-policy                 
   [FW-vsysa-policy-security] rule name to_internet            
   [FW-vsysa-policy-security-rule-to_internet] source-zone trust
   [FW-vsysa-policy-security-rule-to_internet] destination-zone untrust 
   [FW-vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
   [FW-vsysa-policy-security-rule-to_internet] action permit          
   [FW-vsysa-policy-security-rule-to_internet] quit

3. The public system administrator configures IP addresses, routes, and security policies for vsysb.

   The configuration is similar to that of the R&D department except the following:

   • The IP address of the inside interface is different.
   • The public interface of vsysb is set to GE0/0/2.
   • You do not need to create an IP address range for the non-R&D department. You only need to configure a security policy to allow all IP addresses to access the Internet.