< Home

Web: Configuring IPv6 Users to Access the Internet Through Virtual Systems

This section describes how to configure virtual systems based on IPv6 forwarding.

Networking Requirements

As shown in Figure 1, area A in a large campus network deploys an IPv6 network and uses a FW as the access gateway. The network of area A comprises the R&D and non-R&D departments, and the two departments have different network access permissions. Requirements are as follows:

  • Some employees in the R&D department can access the Internet, and all employees in the non-R&D department can access the Internet.
  • The R&D and non-R&D departments are isolated from each other and cannot communicate.
  • The service volumes of the R&D and non-R&D departments are nearly the same. Therefore, the same virtual system resources are allocated to them.
Figure 1 Networking diagram for configuring IPv6 virtual systems

Data Planning

Item

Data

Description

vsysa
  • Virtual system name: vsysa
  • Outside interface: GE0/0/1
  • Outside interface IP address: 1::1/64
  • Security zone to which the outside interface belongs: untrust
  • Inside interface: GE0/0/3
  • Inside interface IP address: 3::1/64
  • Private IP address range: 3::/64
  • Security zone to which the inside interface belongs: trust
  • IP addresses allowed to access the Internet: 3::2-3::200

-

vsysb
  • Virtual system name: vsysb
  • Outside interface: GE0/0/2
  • Outside interface IP address: 2::1/64
  • Security zone to which the outside interface belongs: untrust
  • Inside interface: GE0/0/4
  • Inside interface IP address: 4::1/64
  • Private IP address range: 4::/64
  • Security zone to which the inside interface belongs: trust

-

Resource class
  • Name: r1
  • Reserved Number for session: 10000
  • Maximum Number for session: 50000
  • User: 300
  • User Group: 10
  • Policy: 300
  • Outbound Reserved Bandwidth: 20 Mbps

-

Configuration Roadmap

  1. The public system administrator creates two virtual systems vsysa, and vsysb, assigns resources.
  2. The public system administrator configures IP addresses, routes, and security policies for vsysa.
  3. The public system administrator configures IP addresses, routes, and security policies for vsysb.

Procedure

  1. Enable the virtual system function.
    1. Click Dashboard on the main menu. In the Device Information area, click Configure on the line of Virtual System to enable the virtual system function.

    2. Click Configure on the line of IPv6 to enable the IPv6 function.

  2. Configure a resource class.
    1. Choose System > Virtual System > Resource Class.

    2. Click Add and set the following parameters.

  3. In the root system, create virtual systems vsysa and vsysb and allocate resources to them.
    1. Choose System > Virtual System > Virtual System.

    2. Click Add and then the Basic Configuration tab and set the following parameters.

    3. Click the Interface Settings tab and allocate interfaces to the virtual system.

    4. Set GE0/0/1 as the public interface.

      Bandwidth resource configurations in resource classes take effect only after the public interface is configured.

      In this example, the bandwidth should be limited for intranet users to access the Internet. Set WAN interface GE0/0/1 as the public interface. Then all traffic from intranet users to the Internet is forwarded through GE0/0/1, which is called the outgoing direction. This function can work with Uplink Bandwidth configured in 2.b to limit the bandwidth for intranet users to access the Internet.

    5. Repeat these steps to create vsysb and allocate the resource class r1 and interfaces GE0/0/2 and GE0/0/4 to it.
  4. Configure interface IPv6 addresses and security zones.
    1. Choose Network > Interface.
    2. Click the interface name and set the following parameters.

    3. Repeat the preceding steps to configure GE0/0/2, GE0/0/3, and GE0/0/4.

      Interface

      GE0/0/2

      GE0/0/3

      GE0/0/4

      Security Zone

      untrust

      trust

      trust

      IPv6

      IPv6 Address

      2::1/64

      3::1/64

      4::1/64

  5. Configure default routes.
    1. Choose Network > Route > Static Route.

    2. Click Add and configure the following static route for vsysa.

    3. Click Add and configure the following static route for vsysb.

  6. Configure security policies in vsysa.
    1. Select vsysa from the Virtual System drop-down list in the upper right corner to access vsysa.

    2. Choose Object > Address > Address.

    3. Click Add and set the following IP address range.

    4. Choose Policy > Security Policy > Security Policy.
    5. Choose Add Security Policy and configure the following security policy for vsysa to allow R&D employees on a specific network segment to access the Internet. Packets from employees on other network segments to the Internet will match the default security policy and are denied.

  7. The public system administrator configures IP addresses, routes, and security policies for vsysb.

    The configuration is similar to that of the R&D department except the following:

    • The IP address of the inside interface is different.
    • The public interface of vsysb is set to GE0/0/2.
    • You do not need to create an IP address range for the non-R&D department. You only need to configure a security policy to allow all IP addresses to access the Internet.

Verification

  1. In the root system, view the routing table of the virtual system.

  2. The public IP address can be pinged from the PC. Session entries can be queried on the FW.

Configuration Scripts

Configuration script of the public system

#
sysname FW
# 
ipv6
# 
vsys enable 
# 
resource-class r1    
 resource-item-limit ipv6 session reserved-number 10000 maximum 50000
 resource-item-limit policy reserved-number 300      
 resource-item-limit user reserved-number 300     
 resource-item-limit bandwidth 20 outbound
 resource-item-limit user-group reserved-number 10
# 
vsys name vsysa 1    
 assign resource-class r1      
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/3 
#                    
vsys name vsysb 2    
 assign resource-class r1        
 assign interface GigabitEthernet0/0/2
 assign interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/1
 set public-interface
 ip binding vpn-instance vsysa
 ipv6 enable
 ipv6 address 1::1 64
#
interface GigabitEthernet0/0/2
 set public-interface
 ip binding vpn-instance vsysb
 ipv6 enable
 ipv6 address 2::1 64
# 
interface GigabitEthernet0/0/3
 ip binding vpn-instance vsysa
 ipv6 enable
 ipv6 address 3::1 64
# 
interface GigabitEthernet0/0/4
 ip binding vpn-instance vsysb
 ipv6 enable
 ipv6 address 4::1 64
#  
ipv6 route-static vpn-instance vsysa :: 0 1::2
ipv6 route-static vpn-instance vsysb :: 0 2::2
#  
return

Configuration script of vsysa

#                    
firewall zone trust  
 set priority 85     
 add interface GigabitEthernet0/0/3
#                    
firewall zone untrust
 set priority 5      
 add interface GigabitEthernet0/0/1
#
ip address-set ipaddress1 type object 
 address 0 range 3::2 3::200   
#                    
security-policy      
 rule name to_internet
  source-zone trust  
  destination-zone untrust
  source-address address-set ipaddress1 
  action permit      
#    
return

Configuration script of vsysb

#                    
firewall zone trust  
 set priority 85     
 add interface GigabitEthernet0/0/4
#                    
firewall zone untrust
 set priority 5      
 add interface GigabitEthernet0/0/2
#                    
security-policy      
 rule name to_internet
  source-zone trust  
  destination-zone untrust
  action permit
#    
return
Parent Topic: Virtual System
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >