
HDLC Principles and Configuration

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved


This section describes the principles and configuration of High-level Data Link Control (HDLC).

HDLC is an ISO-based data link layer protocol standard. It is used to encapsulate data over serial links.


Upon completion of this section, you should expect to:
Develop an understanding of the HDLC frame structure
Acquire the skills necessary to configure HDLC


Chapter 1 Protocol Overview and Data Encapsulation

Chapter 2 Configuration of HDLC


Overview of the HDLC Protocol

High-level Data Link Control, HDLC for short, is a bit-based line protocol.
All the protocols of the standard HDLC protocol suite run on the synchronous serial link.


Structure of the HDLC Frame

Flag (01111110) | Address | Control | Information | FCS | Flag (01111110)


Types of HDLC Frame

Information frame (I frame)
Supervisory frame (S frame)
Unnumbered frame (U frame)


Chapter 2 Configuration of HDLC


Basic Configuration of HDLC

[RTA]interface Serial 0/0/1
[RTA-Serial0/0/1]link-protocol hdlc
[RTA-Serial0/0/1]ip address 10.1.1.1 30

Topology: RTA S0/0/1 (10.1.1.1/30) --- HDLC --- S0/0/1 (10.1.1.2/30) RTB

[RTB]interface Serial 0/0/1
[RTB-Serial0/0/1]link-protocol hdlc
[RTB-Serial0/0/1]ip address 10.1.1.2 30


Validation

Topology: RTA S0/0/1 (10.1.1.1/30) --- HDLC --- S0/0/1 (10.1.1.2/30) RTB

[RTA]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=31 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/31/31 ms


Configuration of IP Address Borrowing

[RTA]interface LoopBack 0
[RTA-LoopBack0]ip address 10.1.1.1 32
[RTA-LoopBack0]quit
[RTA]interface Serial 0/0/1
[RTA-Serial0/0/1]link-protocol hdlc
[RTA-Serial0/0/1]ip address unnumbered interface LoopBack 0
[RTA-Serial0/0/1]quit
[RTA]ip route-static 10.1.1.0 24 Serial 0/0/1

Topology: RTA (Loop0 10.1.1.1/32) S0/0/1 --- HDLC --- S0/0/1 (10.1.1.2/24) RTB

[RTB]interface Serial 0/0/1
[RTB-Serial0/0/1]link-protocol hdlc
[RTB-Serial0/0/1]ip address 10.1.1.2 24


Validation
Topology: RTA (Loop0 10.1.1.1/32) S0/0/1 --- HDLC --- S0/0/1 (10.1.1.2/24) RTB

[RTA]display ip interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface      IP Address   Physical   Protocol   Description
LoopBack0      10.1.1.1     up         up(s)      HUAWEI, Quidway
Serial0/0/0    unassigned   up         up         HUAWEI, Quidway
Serial0/0/1    10.1.1.1     up         up         HUAWEI, Quidway


Validation

[RTA]ping 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=31 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/13/31 ms



Summary

What is HDLC?
The HDLC frame structure is comprised of which fields?


PPP Principle and Configuration


This section will introduce the principles and configuration of the Point-to-Point Protocol (PPP).

PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. It is a widely used point-to-point data link layer communication protocol.


Upon completion of this section, you should expect to:
Develop an understanding of the main PPP protocol principles
Acquire skills to support basic configuration of PPP


Chapter 1 Protocol Overview and Data Encapsulation

Chapter 2 Link Control Protocol

Chapter 3 PPP Authentication Protocol

Chapter 4 Network Control Protocol


The Position of PPP in TCP/IP Stack

Protocol stack, top to bottom:
HTTP, FTP, TFTP, SNMP
TCP, UDP
IP
Ethernet, FR, PPP
BIT


The Three Components of PPP

Name | Function
Datagram encapsulation method | Defines the method of encapsulating multi-protocol datagrams
Link Control Protocol | Defines the method of establishing, configuring, and testing the data-link connection
Network Control Protocol | Defines a set of protocols for establishing connections and negotiating parameters for different network-layer protocols


PPP Frame

Protocol (2 bytes) | Information | Padding (optional)
The maximal total length of the Information and Padding fields is the MRU.

Protocol examples:
0x0021 | IP datagram | Padding (optional)
0xc021 | LCP | Padding (optional)
0x8021 | IP control protocol (IPCP) | Padding (optional)


Transmit PPP Datagram over Serial Link

Flag (01111110) | Address (11111111) | Control (00000011) | PPP frame | FCS (16 bits) | Flag (01111110)
The Flag, Address, Control and FCS fields follow the HDLC standard.
PPP frame: Protocol (2 bytes) | Information | Padding (optional)
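
The framing above can be checked in code. The following is an added example, not part of the original slides: it builds and parses a PPP frame in HDLC-like framing and verifies the 16-bit FCS. It assumes the octets are seen after the serial hardware has removed bit stuffing, and that the FCS is the FCS-16 of RFC 1662; the function names and the sample LCP payload are constructed for illustration.

```python
import struct

FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03   # 01111110, 11111111, 00000011
PROTOCOLS = {0x0021: "IP datagram", 0xC021: "LCP", 0x8021: "IPCP"}  # from the slide


class FrameError(ValueError):
    """Raised when a received frame fails a structural or integrity check."""


def fcs16(data: bytes) -> int:
    """FCS-16 of HDLC-like framing (RFC 1662): reflected CRC-CCITT, init 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(protocol: int, information: bytes) -> bytes:
    """Flag | Address | Control | Protocol | Information | FCS | Flag."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + information
    # The FCS covers Address through Information and is sent low octet first.
    return bytes([FLAG]) + body + struct.pack("<H", fcs16(body)) + bytes([FLAG])


def parse_frame(frame: bytes, mru: int = 1500) -> dict:
    """Validate flags, FCS, Address/Control and MRU, then split out the fields."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise FrameError("frame is too short or not delimited by flags")
    body = frame[1:-3]
    (received_fcs,) = struct.unpack("<H", frame[-3:-1])
    # The FCS is an error-detection code for line noise. It is not keyed, so it
    # gives no protection against deliberate modification of the frame.
    if fcs16(body) != received_fcs:
        raise FrameError("FCS mismatch: frame was corrupted on the line")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise FrameError("unexpected Address/Control value for PPP")
    (protocol,) = struct.unpack("!H", body[2:4])
    information = body[4:]
    if len(information) > mru:
        raise FrameError("Information + Padding exceeds the MRU")
    return {
        "protocol": protocol,
        "name": PROTOCOLS.get(protocol, "unknown"),
        "information": information,
    }


if __name__ == "__main__":
    # Constructed sample: an LCP packet with code 1, identifier 1, length 4.
    sample = build_frame(0xC021, b"\x01\x01\x00\x04")
    print(sample.hex(), parse_frame(sample))
```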



Basic Configuration of PPP over Serial Link

[RTA]interface Serial 1/0
[RTA-Serial1/0]link-protocol ppp
[RTA-Serial1/0]ip address 10.1.1.1 30
[RTA-Serial1/0]quit
[RTA]

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

[RTB]interface Serial 1/0
[RTB-Serial1/0]link-protocol ppp
[RTB-Serial1/0]ip address 10.1.1.2 30
[RTB-Serial1/0]quit
[RTB]


Chapter 2 Link Control Protocol


Summary of Messages Used by LCP Negotiation

Message Type | Function
Configure-Request | Includes the parameters for link establishment and link configuration
Configure-Ack | Confirmation sent once all Configure-Request parameters have been validated
Configure-Nak | The parameters included in the Configure-Request are recognized but not all accepted
Configure-Reject | The parameters included in the Configure-Request from the peer are not all recognized


LCP Link Parameters Negotiation: Successful

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

Message sequence:
Configure-Request
Configure-Ack


LCP Link Parameters Negotiation: Unsuccessful

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

Message sequence:
Configure-Request
Configure-Nak
Configure-Request (modify parameter value)


LCP Link Parameters Negotiation: Parameters Can Not Be Identified

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

Message sequence:
Configure-Request
Configure-Reject
Configure-Request (delete some parameters)


Common Link Parameters of LCP Negotiation
Parameter | Function | Rule | Default
Maximum receiving unit (MRU) | The total length of the Information and Padding fields of the PPP frame | Use the smaller one of the two values set by the peers | 1500
Authentication protocol | Authentication protocol used by the peer | The authenticated device must support the authentication protocol used by the authenticator, otherwise the negotiation will be unsuccessful | No authentication
Magic-Number | The Magic-Number is generated randomly and used for link loop detection; if the Magic-Number in a received LCP packet is the same as the local Magic-Number, then a loop exists. | If one peer supports it but the other peer does not, then no loop exists and negotiation is successful; if the two peers both support it, then the loop detection mechanism will be used for loop detection. | Enable
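
How a peer chooses between Configure-Ack, Configure-Nak and Configure-Reject for the parameters in this table can be shown in code. The following is an added example, not part of the original slides: a responder for LCP Configure-Request packets. It assumes the packet and option layout of RFC 1661 (option types 1 = MRU, 3 = Authentication-Protocol, 5 = Magic-Number); the function names are hypothetical and option type 0x63 in the demo is a constructed unknown option.

```python
import secrets
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5
AUTH_PAP = b"\xc0\x23"            # PAP protocol number
AUTH_CHAP_MD5 = b"\xc2\x23\x05"   # CHAP protocol number + algorithm 5 (MD5)


def encode_options(options):
    """Encode (type, data) pairs as type | length | data."""
    return b"".join(bytes([t, len(d) + 2]) + d for t, d in options)


def decode_options(raw):
    """Decode options, refusing lengths that run past the packet."""
    options, i = [], 0
    while i < len(raw):
        if len(raw) - i < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = raw[i], raw[i + 1]
        if opt_len < 2 or i + opt_len > len(raw):
            raise ValueError("option length out of bounds")
        options.append((opt_type, raw[i + 2:i + opt_len]))
        i += opt_len
    return options


def build_packet(code, ident, options):
    body = encode_options(options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(packet):
    if len(packet) < 4:
        raise ValueError("packet shorter than the LCP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad LCP length field")
    return code, ident, decode_options(packet[4:length])


def fresh_magic(avoid):
    """Pick a random non-zero Magic-Number different from `avoid`."""
    while True:
        value = secrets.randbits(32)
        if value not in (0, avoid):
            return value


def respond(request, local_magic, supported_auth=(AUTH_PAP,)):
    """Answer a Configure-Request the way the message table describes."""
    code, ident, options = parse_packet(request)
    if code != CONF_REQ:
        raise ValueError("not a Configure-Request")
    rejected, nak = [], []
    for opt_type, data in options:
        if opt_type == OPT_MRU and len(data) == 2:
            continue                                  # acceptable as sent
        if opt_type == OPT_AUTH and len(data) >= 2 and supported_auth:
            if data not in supported_auth:            # recognized, not accepted
                nak.append((OPT_AUTH, supported_auth[0]))
            continue
        if opt_type == OPT_MAGIC and len(data) == 4:
            if struct.unpack("!I", data)[0] == local_magic:
                # Same Magic-Number as ours: the link may be looped back.
                nak.append((OPT_MAGIC, struct.pack("!I", fresh_magic(local_magic))))
            continue
        rejected.append((opt_type, data))             # not recognized (or malformed)
    if rejected:
        return build_packet(CONF_REJ, ident, rejected)
    if nak:
        return build_packet(CONF_NAK, ident, nak)
    return build_packet(CONF_ACK, ident, options)


if __name__ == "__main__":
    req = build_packet(CONF_REQ, 1, [(OPT_MRU, b"\x05\xdc"), (OPT_AUTH, AUTH_CHAP_MD5),
                                     (0x63, b"\x00")])
    print(parse_packet(respond(req, local_magic=0x22222222)))
```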



LCP Closes Connection

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

Message sequence:
Terminate-Request
Terminate-Ack


LCP Detects Link State

Topology: RTA S1/0 (10.1.1.1/30) --- PPP --- S1/0 (10.1.1.2/30) RTB

Message sequence:
Echo-Request
Echo-Reply


Chapter 3 PPP Authentication Protocol


PAP Authentication Mode---Configuration
[RTA]aaa
[RTA-aaa]local-user huawei password simple hello
[RTA-aaa]local-user huawei service-type ppp
[RTA]interface Serial 0
[RTA-Serial0]link-protocol ppp
[RTA-Serial0]ppp authentication-mode pap
[RTA-Serial0]ip address 10.1.1.1 30


Topology: RTA (authenticator) S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB (authenticated)
RTB credentials: Username = "huawei", Password = "hello"

[RTB]interface Serial 0
[RTB-Serial0]link-protocol ppp
[RTB-Serial0]ppp pap local-user huawei password simple hello
[RTB-Serial0]ip address 10.1.1.2 30


PAP Authentication Mode---Principle
Topology: RTA (authenticator) S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB (authenticated)
RTB credentials: Username = "huawei", Password = "hello"

Authenticate-Request: the authenticated device sends the user name and password in plain text.
The authenticator checks whether the user name and password are correct.
Authenticate-Ack/Authenticate-Nak: authentication was successful/unsuccessful.


CHAP Authentication Mode---Configuration
[RTA]aaa
[RTA-aaa]local-user huawei password cipher hello
[RTA-aaa]local-user huawei service-type ppp
[RTA]interface Serial 0
[RTA-Serial0]link-protocol ppp
[RTA-Serial0]ppp authentication-mode chap
[RTA-Serial0]ip address 10.1.1.1 30


Topology: RTA (authenticator) S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB (authenticated)
RTB credentials: Username = "huawei", Password = "hello"

[RTB]interface Serial 0
[RTB-Serial0]link-protocol ppp
[RTB-Serial0]ppp chap user huawei
[RTB-Serial0]ppp chap password cipher hello
[RTB-Serial0]ip address 10.1.1.2 30


CHAP Authentication Mode---Principle
Topology: RTA (authenticator) S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB (authenticated)
RTB credentials: Username = "huawei", Password = "hello"

Challenge: sent by the authenticator.
Response: the authenticated device uses the password and the MD5 algorithm to encrypt the challenge message, and sends the result.
Success/Failure: the authenticator uses the password and the MD5 algorithm to encrypt the challenge message, and compares it with the received encrypted message.
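
The difference between the two authentication modes is visible on the wire. The following is an added example, not part of the original slides: it builds a PAP Authenticate-Request and a CHAP Response for the slide's user "huawei" with password "hello", then verifies the CHAP value on the authenticator side. It assumes the packet layouts of RFC 1334 (PAP) and RFC 1994 (CHAP), where the response value is MD5 over identifier, secret and challenge; the function names and challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1
CHAP_RESPONSE = 2


def pap_authenticate_request(ident: int, username: bytes, password: bytes) -> bytes:
    """Code | Identifier | Length | user-length | user | password-length | password."""
    data = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def pap_fields(packet: bytes) -> tuple:
    """Decode an Authenticate-Request. No key is needed: the fields are plain text,
    so the authenticator and any capture of the link see the same values."""
    ulen = packet[4]
    username = packet[5:5 + ulen]
    plen = packet[5 + ulen]
    password = packet[6 + ulen:6 + ulen + plen]
    return username, password


def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(identifier || secret || challenge): the password itself is never sent."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(ident: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """Code | Identifier | Length | value-size | value | name."""
    value = chap_value(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(packet: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the value for the challenge it issued."""
    if len(packet) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        return False
    value = packet[5:5 + packet[4]]
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(value, chap_value(ident, secret, challenge))


if __name__ == "__main__":
    pap = pap_authenticate_request(1, b"huawei", b"hello")
    print("PAP on the wire :", pap_fields(pap))
    challenge = bytes(range(16))          # constructed; a real one must be random
    resp = chap_response(1, b"huawei", b"hello", challenge)
    print("CHAP accepted   :", chap_verify(resp, b"hello", challenge))
    print("replayed later  :", chap_verify(resp, b"hello", bytes(range(1, 17))))
```

Because the response depends on the challenge, a response recorded from one exchange fails against a fresh challenge, which is why the authenticator must issue unpredictable challenges.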



Chapter 4 Network Control Protocol


Common NCP Overview

Protocol | Function
IPCP | Used for negotiating IP parameters, and enables PPP to transmit IP packets.
IPXCP | Used for negotiating MPLS parameters, and enables PPP to transmit MPLS packets.


Use IPCP to Negotiate IP Address: Static Configuration

Topology: RTA S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB

Message sequence:
Configure-Request (10.1.1.1)
Configure-Ack
Configure-Request (10.1.1.2)
Configure-Ack


Use IPCP to Negotiate IP Address: Static Configuration

Topology: RTA S0 (10.1.1.1/30) --- PPP --- S0 (10.1.1.2/30) RTB

[RTB]display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask   Proto   Pre  Cost  NextHop     Interface
10.1.1.0/30        Direct  0    0     10.1.1.2    Serial0
10.1.1.1/32        Direct  0    0     10.1.1.1    Serial0
10.1.1.2/32        Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       Direct  0    0     127.0.0.1   InLoopBack0


Use IPCP to Negotiate IP Address: Dynamic Negotiation

Topology: RTA S0 (request for assignment) --- PPP --- S0 (10.1.1.2/30) RTB

Message sequence:
Configure-Request (0.0.0.0)
Configure-Nak (10.1.1.1)
Configure-Request (10.1.1.1)
Configure-Ack
Configure-Request (10.1.1.2)
Configure-Ack


Use IPCP to Negotiate IP Address: Dynamic Negotiation

[RTA]interface Serial 0
[RTA-Serial0]link-protocol ppp
[RTA-Serial0]ip address ppp-negotiate

[RTB]interface Serial 0
[RTB-Serial0]link-protocol ppp
[RTB-Serial0]ip address 10.1.1.2 30
[RTB-Serial0]remote address 10.1.1.1

Topology: RTA S0 (request for assignment) --- PPP --- S0 (10.1.1.2/30) RTB

[RTA]display ip routing-table
Routing Tables: Public
Destinations : 4 Routes : 4
Destination/Mask   Proto   Pre  Cost  NextHop     Interface
10.1.1.1/32        Direct  0    0     127.0.0.1   InLoopBack0
10.1.1.2/32        Direct  0    0     10.1.1.2    Serial0
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoopBack0
127.0.0.1/32       Direct  0    0     127.0.0.1   InLoopBack0


Summary

What are the components in PPP?
Which packets can be used to negotiate link parameters in LCP?
How many packet exchanges are necessary for CHAP?
What do the main IPCP parameters negotiate?


FR Principles and Configuration


Frame relay is a connection-oriented technology operating at the data link layer. It is used for LAN and WAN connection over public or private networks.

Frame relay is a simplified version of the X.25 WAN protocol.


Upon completion of this section, you should
expect to:
Understand FR protocol principles
Acquire sufficient knowledge to
configure Frame Relay



Chapter 1 FR Overview

Chapter 2 FR Configuration



Overview of Frame Relay

FR is a fast packet switching technology that transfers and switches data units in a simplified mode at the data link layer.

FR adopts virtual circuit technology.

Figure: several LANs interconnected through an FR network by virtual circuits.


FR Encapsulation Relative to OSI RM

FR is located at layer 2 of the OSI RM.

OSI RM layers: Application layer, Presentation layer, Session layer, Transport layer, Network layer, Data link layer, Physical layer
Network layer: IP, IPX
Data link layer: Frame Relay
Encapsulation: FR | IP Packet | FR


FR Features

Data is transmitted as frames.
Bandwidth multiplexing and dynamic bandwidth allocation.
As a simplified type of X.25 WAN protocol, it performs statistical multiplexing, transparent transmission of frames and error detection at the data link layer, but doesn't provide a retransmission function.
It provides a set of bandwidth management and congestion prevention mechanisms.
FR adopts connection-oriented switching technology, and provides SVC and PVC service.


FR Network

DTE: Data Terminal Equipment
DCE: Data Circuit-terminating Equipment
DLCI: Data Link Connection Identifier


FR Interface Types

DTE: Data Terminal Equipment
DCE: Data Circuit-terminating Equipment
NNI: Network-to-Network Interface


Virtual Circuit

PVC: Permanent Virtual Circuit
SVC: Switched Virtual Circuit


Allocation of FR DLCI

The DLCI is allocated by the FR network service provider
The DLCI is only applicable locally
Mapping of the peer's network address to the DLCI


LMI

LMI (Local Management Interface): the LMI is used to monitor the status of a PVC.

ANSI T1.617 Annex D
ITU-T Q.933 Annex A (CCITT)
Nonstandard


Topology of FR Network



FR Address Mapping

FR address mapping (MAP) associates the protocol address (IP or IPX address) with the local DLCI.
The Address Mapping table can either be manually configured or dynamically maintained through Inverse ARP.


Inverse ARP Protocol

Switch notifies DLCI 48
Switch notifies DLCI 66
RTA notifies IP 172.16.11.2 to DLCI 66
RTB notifies IP 172.16.11.3 to DLCI 48

Inverse ARP discovers the network address of a destination router dynamically.


Frame Relay & Split Horizon Issues

Router B forwards routing update information to Router C via serial0 of Router A.

Figure: Router A (S0) connected to Router B, Router C and Router D; label: DLCI 16 to C.


FR Sub-interface

Figure: Router A with sub-interfaces S0.1, S0.2 and S0.3, connected to Router B, Router C and Router D; label: Subnet2.


Chapter 2 FR Configuration


Configuration - Inverse ARP

[RTA-Serial0]link-protocol fr ietf
[RTA-Serial0]fr interface-type dce
[RTA-Serial0]fr dlci 100
[RTA-Serial0]ip address 10.1.1.1 30
[RTA-Serial0]fr inarp

Topology: RTA S0 (10.1.1.1/30) --- FR --- S0 (10.1.1.2/30) RTB

[RTB-Serial0]link-protocol fr ietf
[RTB-Serial0]fr interface-type dte
[RTB-Serial0]ip address 10.1.1.2 30
[RTB-Serial0]fr inarp


Validate the Result of Configuration
Topology: RTA S0 (10.1.1.1/30) --- FR --- S0 (10.1.1.2/30) RTB

[RTA]display fr interface
Serial0, DCE, physical up, protocol up

[RTB]display interface Serial 0
Serial0 current state : UP
Line protocol current state : UP
Description : HUAWEI, Quidway Series, Serial0 Interface
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.1.2/30
Link layer protocol is FR IETF
LMI DLCI is 0, LMI type is Q.933a, frame relay DCE


Basic Configuration Static Address Mapping

[RTA-Serial0]link-protocol fr ietf
[RTA-Serial0]fr interface-type dce
[RTA-Serial0]fr dlci 100
[RTA-Serial0]undo fr inarp
[RTA-Serial0]ip address 10.1.1.1 30
[RTA-Serial0]fr map ip 10.1.1.2 100

Topology: RTA S0 (10.1.1.1/30) --- FR --- S0 (10.1.1.2/30) RTB

[RTB-Serial0]link-protocol fr ietf
[RTB-Serial0]fr interface-type dte
[RTB-Serial0]ip address 10.1.1.2 30
[RTB-Serial0]undo fr inarp
[RTB-Serial0]fr map ip 10.1.1.1 100


Validate the Result of Configuration

Topology: RTA S0 (10.1.1.1/30) --- FR --- S0 (10.1.1.2/30) RTB

[RTB]display fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 100, IP 10.1.1.1, Serial0
create time = 2007/06/04 16:45:10, status = ACTIVE
encapsulation = ietf, vlink = 9


Validate the Result of Configuration
Topology: RTA (DCE) S0 (10.1.1.1/30) --- FR --- S0 (10.1.1.2/30) RTB (DTE)

[RTB-Serial0]ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=31 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=31 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=31 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=31 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss


Configuration of Switching Static Routing

[RTA]interface Serial0
[RTA-Serial0]link-protocol fr ietf
[RTA-Serial0]fr interface-type dte
[RTA-Serial0]ip address 10.1.1.1 30



Configuring FR Switching Route

Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTB]interface Serial0
[RTB-Serial0]link-protocol fr ietf
[RTB-Serial0]fr interface-type dce
[RTB-Serial0]fr dlci 100
[RTB]fr switching
[RTB-Serial0]fr dlci-switch 100 interface Serial 2 dlci 200
[RTB]interface serial2
[RTB-Serial2]link-protocol fr ietf
[RTB-Serial2]fr interface-type nni
[RTB-Serial2]fr dlci 200
[RTB-Serial2]fr dlci-switch 200 interface Serial 0 dlci 100



Configuring FR Switching Route
Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTC]interface Serial2
[RTC-Serial2]link-protocol fr ietf
[RTC-Serial2]fr interface-type nni
[RTC-Serial2]fr dlci 200
[RTC]fr switching
[RTC-Serial2]fr dlci-switch 200 interface Serial 0 dlci 300
[RTC]interface serial0
[RTC-Serial0]link-protocol fr ietf
[RTC-Serial0]fr interface-type dce
[RTC-Serial0]fr dlci 300
[RTC-Serial0]fr dlci-switch 300 interface Serial 2 dlci 200



Configuration of Switching Static Routing

[RTD]interface Serial0
[RTD-Serial0]link-protocol fr ietf
[RTD-Serial0]fr interface-type dte
[RTD-Serial0]ip address 10.1.1.2 30



Validate the Result of Configuration

[RTB]dis fr dlci-switch
Frame relay switch statistics
Status Interface(Dlci) ----------> Interface(Dlci)
Active Serial0(100) Serial2(200)
Active Serial2(200) Serial0(100)



Validate the Result of Configuration

Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTC]display fr dlci-switch
Frame relay switch statistics
Status Interface(Dlci) ----------> Interface(Dlci)
Active Serial0(300) Serial2(200)
Active Serial2(200) Serial0(300)



Validate the Result of Configuration

Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTA]dis fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 100, IP INARP 10.1.1.2, Serial0
create time = 2007/06/04 17:34:59, status = ACTIVE
encapsulation = ietf, vlink = 20, broadcast

[RTD]dis fr map-info
Map Statistics for interface Serial0 (DTE)
DLCI = 300, IP INARP 10.1.1.1, Serial0
create time = 2007/06/04 17:34:59, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast



Configuring the PVC Used for FR Switching

Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTB]fr switching
[RTB]fr switch 1 interface Serial0 dlci 100 interface Serial2 dlci 200

[RTC]fr switching
[RTC]fr switch 2 interface Serial2 dlci 200 interface Serial0 dlci 300


Validate the Result of Configuration

Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTB]display fr switch-table all
Total PVC switch records:1
PVC-Name Status Interface(Dlci) <---> Interface(Dlci)
1 Active Serial0(100) Serial2(200)

<RTC>display fr switch-table all
Total PVC switch records:1
PVC-Name Status Interface(Dlci) <-----> Interface(Dlci)
2 Active Serial2(200) Serial0(300)


Validate the Result of Configuration
Topology: RTA S0 (dte, 10.1.1.1/30) --- DLCI 100 --- S0 (dce) RTB S2 (nni) --- DLCI 200 --- S2 (nni) RTC S0 (dce) --- DLCI 300 --- S0 (dte, 10.1.1.2/30) RTD

[RTB]display fr pvc-info
PVC statistics for interface Serial0 (DCE, physical UP)
DLCI = 100, USAGE = SWITCH (1010), Serial0
create time = 2007/03/23 15:51:01, status = ACTIVE
in BECN = 0, in FECN = 0
in packets = 1309, in bytes = 43330
out packets = 1306, out bytes = 43240
PVC statistics for interface Serial2 (NNI, physical UP)
DLCI = 200, USAGE = SWITCH (1010), Serial2
create time = 2007/03/23 15:51:01, status = ACTIVE
in BECN = 0, in FECN = 0
in packets = 468, in bytes = 16708
out packets = 468, out bytes = 16708



Summary

How many modes does the FR interface have?
What's the meaning of FR DLCI?
How is a virtual circuit established?


Firewall Product Basics



This section mainly introduces the development history of firewall technology and the Eudemon series firewall products.


Upon completion of this section, you should expect to:
Gain knowledge of the development history of firewall technology
Acquire knowledge of the capability and features, architecture and performance of the Eudemon series firewall


Chapter 1 Development of Firewall Technology

Chapter 2 Eudemon Series Product


The Firewall
A firewall is a device located between two networks with different trust degrees (for example, the enterprise internal network and the Internet). It polices the communication flow between the two networks by implementing uniform security policies. It prevents illegal use of and unauthorized access to important resources in order to ensure that network integrity is maintained.

Firewall = hardware + software + control policy

Loose control policy: permits all, selective restriction
Strict control policy: restricts all, selective permission


Firewall Technology: Firewall Classification

Firewalls can be classified into several kinds according to the implementation method:

Packet Filtering firewall
Proxy firewall
State detection firewall


Packet Filtering Firewall

Figure: a packet filtering firewall at the headquarters of the company applies an ACL rule between the Internet and the internal network. The packet from 192.110.10.0/24 (local office) is permitted; the packet from 202.110.10.0/24 (unauthorized user) is rejected.


Proxy Firewall

Figure: the client sends a request to the WWW, FTP or Email proxy, which forwards the request to the Internet; the response to the request comes back to the proxy, which forwards the response to the client. The proxy applies security policy, audit supervision and alarm.


State Firewall

User A, in the protected network, initiates a Telnet session to the target server in the external network.
The firewall creates a session item.
The Telnet session reply packet of User A is permitted: the firewall matches the packet against the session item.
Other Telnet packets, from other users, are blocked.
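
The session-item behaviour on this slide can be modelled in a few lines. The following is an added example, not part of the original slides and not Eudemon code: a session table keyed on the 5-tuple, with idle aging. It assumes the protected side is identified by source prefix (a real firewall uses the ingress interface or zone and also tracks TCP state); the class name, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Permit traffic initiated from the protected network, and only replies to it."""

    def __init__(self, protected_net: str, idle_timeout: float = 60.0):
        self.protected = ipaddress.ip_network(protected_net)
        self.idle_timeout = idle_timeout
        self.sessions = {}            # session item (5-tuple) -> time last seen

    def _expire(self, now: float) -> None:
        """Age out session items that have been idle longer than the timeout."""
        stale = [key for key, seen in self.sessions.items()
                 if now - seen > self.idle_timeout]
        for key in stale:
            del self.sessions[key]

    def handle(self, pkt: Packet, now: float) -> str:
        self._expire(now)
        if ipaddress.ip_address(pkt.src) in self.protected:
            # Initiated from the protected network: create or refresh the item.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions[key] = now
            return "permit"
        # From the external network: permit only the exact reverse of an
        # existing session item, i.e. a reply to a session we have seen start.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            self.sessions[reverse] = now
            return "permit"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall("10.110.1.0/24", idle_timeout=60)
    user_a = Packet("10.110.1.10", 40000, "202.10.0.5", 23)      # Telnet out
    reply = Packet("202.10.0.5", 23, "10.110.1.10", 40000)       # server reply
    other = Packet("202.10.0.99", 23, "10.110.1.10", 40000)      # other user
    print(fw.handle(user_a, now=0))    # session item created
    print(fw.handle(reply, now=1))     # matches the session item
    print(fw.handle(other, now=2))     # no session item
    print(fw.handle(reply, now=100))   # item aged out after 60 s idle
```

A packet filtering firewall with a static rule permitting source port 23 would have passed the third packet; the session table is what ties a reply to a session that was actually initiated from inside.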



The Function of a Firewall in a Security System
Analogy with the security of a house:
Door: Firewall
Monitor: Intrusion detection system
Reinforced house: System reinforce, immunity
Security transmission: Encryption, VPN
Forbidden system: Identity authentication, access control
Guard: Scanner, security hole detection
Monitor: Security management center


Firewall Limitations
A firewall is not a total security solution and cannot solve all the problems of network security; it is only one part of a network security policy.

Defends from external threats, not internal ones.
A balance should be ensured between depth of detection and forwarding performance.
When end-to-end encryption is used, such as with VPN, firewalls are unable to analyze the inbound traffic.
The firewall itself creates a performance bottleneck, through various means, for example: anti-attack ability, session limitation.


Chapter 2 Eudemon Series Product


Eudemon Series Firewall

Eudemon 300/500/1000

Eudemon 200

Eudemon 100



Eudemon Series Firewall Performance
Technology parameter and performance index

Item | Eudemon 100 | Eudemon 200 | Eudemon 300 | Eudemon 500 | Eudemon 1000
Total throughput rate | 100Mbps | 400Mbps | 1Gbps | 2Gbps | 3Gbps
Subsequent connection | 200 thousand | 500 thousand | 500 thousand | 800 thousand | 1000 thousand
New created connection | 5000 item/s | 20000 item/s | 100000 item/s | 100000 item/s | 100000 item/s
Interface | 2 fixed FE, 2 slots, 1 support 1FE LPU | 2 fixed FE, 2 slots support FE/2FE/1GE optical/electrical/1 155M ATM/4E1 LPU | 4 slots support 1GE/2GE optical/electrical/8FE/4FE/2FE optical/electrical LPU | 4 slots support 1GE/2GE optical/electrical/8FE/4FE/2FE optical/electrical LPU | 4 slots support 1GE/2GE optical/electrical/8FE/4FE/2FE optical/electrical LPU


Eudemon 200: Dual-bus System Structure
Double-channel design
Dual-bus: collision decreases, bandwidth increases
Double-channel: receive/send independently

Figure: block diagram with the CPU, system bridge and memory, two PCI buses (PCI 1 and PCI 2), PCI cards with PCI card shields, and two FE interfaces.


Eudemon 300/500/1000: Logical Structure Based on NP

Figure: block diagram of the main board (CPU, system bridge, memory, PCI 1 and PCI 2 buses, PCI cards with PCI card shields, two FE interfaces), the NP card (FPGA, NP), the high speed boards T1, T2 and T3, the monitor, fan groups 1 and 2, and power 1 and 2.


Summary

How many variations of firewall are there, and what features do they support?
Which models make up the Eudemon firewall series?


Eudemon Basic Function and Configuration


This section will introduce the modes of operation of the Eudemon firewall, as well as security area concepts, Access Control Lists, Network Address Translation, etc., used to enhance the defense capability of the firewall.


Upon completion of this section, you should expect to:
Build an understanding of security areas
Understand the operational modes of a firewall
Acquire the knowledge to explain and configure ACL & NAT


Chapter 1 Security Zones

Chapter 2 Modes of Operation

Chapter 3 Access Control Lists

Chapter 4 Network Address Translation



Firewall Security Zone

Security zones and their priorities:
Local Zone: 100
Trust Zone: 85
DMZ Zone: 50
UnTrust Zone: 5
Zone defined by user

Figure also shows Interface 1, Interface 2, Interface 3 and Interface 4.


Security Zone Data Flow ---Inter-zone
Figure: the Eudemon (Local zone) connects the internal network (Trust), the external network (Untrust) and the servers (DMZ) through interfaces E1/0/0, E1/0/2 and Eth1/0/1; each inter-zone flow is labelled inbound or outbound.

Security Zone Configuration
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60
[Eudemon-zone-userzone] add interface Ethernet 0/0/1

[Eudemon]display zone userzone
userzone
priority is 60
interface of the zone is (1):
Ethernet0/0/1

Interzone policy configuration

[Eudemon]acl 3000
[Eudemon-acl-adv-3000] rule permit ip
[Eudemon]firewall interzone trust untrust
[Eudemon-interzone-trust-untrust]packet-filter 3000 inbound

[Figure: PCs and servers in the Trust zone (internal network) and the Untrust zone (external network), with the Eudemon between them]

Chapter 2 Modes of Operation

Route Mode

[Figure: Trust zone (internal network, 10.110.1.0/24) and Untrust zone (external network, 202.10.0.0/24) joined by the Eudemon, whose interfaces are addressed 10.110.1.254 and 202.10.0.1]

Transparent Mode

[Figure: Trust (internal network) and Untrust (external network) on either side of the Eudemon, sharing the single subnet 202.10.0.0/24]

Composite Mode

[Figure: an active Eudemon and a standby Eudemon running VRRP between Trust (internal network, 202.10.0.0/24) and Untrust (external network, 202.10.0.0/24)]

Mode Configuration

[Eudemon]firewall mode composite


[Eudemon]quit

<Eudemon>reboot

[Eudemon]display firewall mode


firewall mode composite

Chapter 3 Access Control Lists

ACL Application
What is ACL?
[Figure: an ACL sorting traffic into Permit and Deny]

Packet filtering
    Determines whether to discard or forward a packet according to the ACL rules
NAT
    Determines which packets NAT is applied to according to the ACL
IPSec
    Determines which packets are protected according to the ACL
QoS
    Classifies flows according to the ACL
Routing policy
    Filters routes according to the ACL

ACL Classification

Basic ACL range: 2000-2999
    Uses the source address to define the data flow.

Advanced ACL range: 3000-3999
    Uses the source address, destination address, source port number, destination port number and protocol number, combined, to define the data flow.

Firewall ACL range: 5000-5499
    Uses the source address, destination address and destination port number to define the data flow.

ACL Classification
acl [ number ] acl-number

rule [ rule-id ] { permit | deny } [ source { source-address source-wildcard | any } ] [ time-range time-name ]

rule [ rule-id ] { permit | deny } protocol [ source { source-address source-wildcard | any } ] [ destination { dest-address dest-mask | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]

[Slide labels: Firewall ACL, Advanced ACL, Basic ACL]

Match the route to an acl-number
Match the route to a rule-id

ACL Application Example

[Figure: network topology]
FTP Server: 129.38.1.1
Telnet Server: 129.38.1.2
www Server: 129.38.1.3
Special PC in internal network: 129.38.1.4
Eudemon interfaces: E0/0/0 129.38.1.5, E1/0/0 202.38.160.1
Special PC in external network: 202.39.2.3, reached across the WAN

ACL Application Example: Configuration
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.1 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.2 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.3 0
[Eudemon-acl-adv-3101] rule deny ip
[Eudemon-acl-adv-3101] quit
[Eudemon] acl number 3102
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
[Eudemon-acl-adv-3102] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 3101 outbound
[Eudemon-interzone-trust-untrust] packet-filter 3102 inbound
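
How acl 3101 and acl 3102 classify individual packets, as an added example that is not part of the original slides: a small Python evaluator that applies the rules in configuration order with wildcard matching. The function names are hypothetical, and two things are assumptions: rules are matched in the order configured, and a packet that matches no rule falls to a default action of deny.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit whose wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def parse_rule(line):
    """Parse 'rule permit|deny <protocol> [source A W] [destination A W]'."""
    tok = line.split()
    rule = {"action": tok[1], "protocol": tok[2]}
    for i in range(3, len(tok), 3):
        # A wildcard written as 0 is shorthand for 0.0.0.0 (one exact host).
        wildcard = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
        rule[tok[i]] = (tok[i + 1], wildcard)
    return rule

def evaluate(acl, protocol, src, dst, default="deny"):
    """Return the action of the first matching rule; 'ip' matches any protocol."""
    for rule in acl:
        if rule["protocol"] not in ("ip", protocol):
            continue
        if "source" in rule and not wildcard_match(src, *rule["source"]):
            continue
        if "destination" in rule and not wildcard_match(dst, *rule["destination"]):
            continue
        return rule["action"]
    return default  # assumption: no match means the packet is denied

# Rules copied from acl 3101 (applied outbound) and acl 3102 (applied inbound).
ACL_3101 = [parse_rule(r) for r in (
    "rule permit ip source 129.38.1.4 0",
    "rule permit ip source 129.38.1.1 0",
    "rule permit ip source 129.38.1.2 0",
    "rule permit ip source 129.38.1.3 0",
    "rule deny ip",
)]
ACL_3102 = [parse_rule(r) for r in (
    "rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0",
    "rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0",
    "rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0",
)]
```

Calling `evaluate(ACL_3102, "udp", "202.39.2.3", "129.38.1.2")` returns `deny` because acl 3102 only permits TCP, which shows that the result for unmatched traffic depends entirely on the default action.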

Chapter 4 Network Address Translation

NAT (Network Address Translation)

NAT is used to translate IP addresses in the IP data packet header to alternative IP addresses.

NAT can solve the following problems:

IP address shortage
    Helps conserve public IP addresses
Security element
    Shields private networks
Enterprise combination
    Makes it easy to merge networks

Public and Private Addressing

[Figure: LAN1, LAN2 and LAN3 attached to the Internet; hosts 192.168.0.1 and 192.168.0.2 appear in the LANs, and 192.168.0.1 is used in more than one LAN]

Private address range:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255

Eudemon NAT
[Figure: PC A (192.168.1.3) and PC B (192.168.1.2) in the Trust zone; Eudemon with E0/0/0 192.168.1.1 on the Trust side and E0/0/0 202.169.10.1 on the Untrust side; Server B (202.120.10.2) and PC C (202.130.10.3) on the Internet]

Packet          Side      Source         Destination
Data packet 1   Trust     192.168.1.3    202.120.10.2
Data packet 1   Untrust   202.169.10.1   202.120.10.2
Data packet 2   Untrust   202.120.10.2   202.169.10.1
Data packet 2   Trust     202.120.10.2   192.168.1.3

Eudemon NAPT
[Figure: PC A (192.168.1.3) and PC B (192.168.1.2) in the Trust zone; Eudemon with E0/0/0 192.168.1.1 on the Trust side and E0/0/0 202.169.10.1 on the Untrust side; Server B (202.120.10.2) and PC C (202.130.10.3) on the Internet]

Packet          Trust side (source, source port)   Untrust side (source, source port)
Data packet 1   192.168.1.3, port 1357             202.169.10.1, port 1357
Data packet 2   192.168.1.3, port 2468             202.169.10.1, port 2468
Data packet 3   192.168.1.1, port 11111            202.169.10.1, port 11111
Data packet 4   192.168.1.2, port 11111            202.169.10.1, port 22222
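
The port handling in the NAPT slide, as an added example that is not part of the original slides: a minimal translation table in Python that keeps the source port when it is free on the public address and substitutes another when two inside hosts use the same port, as data packets 3 and 4 do. The class and function names are hypothetical, and the replacement-port policy (spare ports handed out from 22222 upward) is an assumption chosen so the result matches the slide.

```python
class Napt:
    """Minimal NAPT table: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, first_spare_port=22222):
        self.public_ip = public_ip
        self.spare = first_spare_port   # assumption: where replacement ports start
        self.out = {}                   # (private ip, private port) -> public port
        self.back = {}                  # public port -> (private ip, private port)

    def translate_out(self, src_ip, src_port):
        """Translate an outbound packet's source; reuse the mapping if one exists."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = src_port
            while port in self.back:    # port already owned by another inside host
                if self.spare > 65535:
                    raise RuntimeError("public port pool exhausted")
                port, self.spare = self.spare, self.spare + 1
            self.out[key] = port
            self.back[port] = key
        return self.public_ip, self.out[key]

    def translate_in(self, dst_port):
        """Private endpoint for a reply, or None when no session was opened."""
        return self.back.get(dst_port)

def slide_flows():
    """Replay data packets 1 to 4 from the slide through one table."""
    nat = Napt("202.169.10.1")
    flows = [("192.168.1.3", 1357), ("192.168.1.3", 2468),
             ("192.168.1.1", 11111), ("192.168.1.2", 11111)]
    return nat, [nat.translate_out(ip, port) for ip, port in flows]
```

`translate_in` returning `None` for a port with no mapping is the "shield private networks" property: an outside host cannot reach an inside address unless an inside host opened the session first.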

Eudemon Internal Server NAT

[Figure: Internet in the Untrust zone behind E0/0/1 (202.168.0.1/26); DMZ behind E1/0/0 (192.168.1.1/24) containing Mail Server 192.168.1.100/24, Web Server 192.168.1.101/24 and FTP Server 192.168.1.102/24; ALG function; mapping 202.168.0.11-192.168.1.101]

Packet          Side      Source          Destination
Data packet 1   Untrust   202.168.0.2     202.168.0.11
Data packet 1   DMZ       202.168.0.2     192.168.0.101
Data packet 2   DMZ       192.168.0.101   202.168.0.2
Data packet 2   Untrust   202.168.0.11    202.168.0.2

Eudemon NAT Implementation

[Figure: inside the Eudemon: Private address -> ACL -> Public address]

Internal Server NAT Network

[Figure: network topology]
Untrust (Internet): E0/0/1 202.168.0.1/24
Trust (internal network 192.168.0.0/24): E0/0/0 192.168.0.1/24
DMZ: E1/0/0 192.168.1.1/24
    Mail Server 192.168.1.100/24
    Web Server 192.168.1.101/24
    FTP Server 192.168.1.102/24

Address mappings:
202.168.0.10 - 192.168.1.100
202.168.0.11:80 - 192.168.1.101:8080
202.168.0.12:1021 - 192.168.1.102:ftp

Egress Network NAT Typical Configuration

[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
Configure address pool

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 2000 outbound
[Eudemon-interzone-trust-untrust] nat outbound 3000 address-group 1
Enable NAT function, bind address pool and ACL

NAT Server Typical Configuration

[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
Configure mapping information between global address and internal server address

[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip destination 192.168.1.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone DMZ untrust
[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
[Eudemon-interzone-DMZ-untrust] detect ftp

NAT Configuration Verification

[Eudemon] display nat all

NAT address-group information:
  1: from 202.168.0.10 to 202.168.0.20, reference 1 times
  Total 1 address-groups
NAT outbound information:
  interzone-trust-untrust: acl(2000) --- NAT address-group( 1)
  Total 1 nat outbounds
Server in private network information:
  zone  GlobalAddr    GlobalPort  InsideAddr     InsidePort  Pro     VPN
  ----  202.168.0.10  ----        192.168.1.100  ----        ---     public
  ----  202.168.0.11  8080        192.168.1.101  8080        6(tcp)  public
  ----  202.168.0.12  1021        192.168.1.102  21(ftp)     6(tcp)  public
  Total 3 NAT servers

Slide note: If the address pool is imported, it cannot be deleted directly.
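
A verification step for the NAT server mappings, as an added example that is not part of the original slides: Python that parses the `nat server` commands and the server table printed by `display nat all`, then reports any global address whose ports differ between the two. The function names are hypothetical and the inputs are copied from the slides; run on them, it reports 202.168.0.11, which is configured with global port 80 but listed with GlobalPort 8080.

```python
import re

SERVICE_PORTS = {"ftp": 21}  # port keyword used on the slides

def port(tok):
    # '80' -> 80, 'ftp' -> 21, '21(ftp)' -> 21, '----' or missing -> None (any)
    if tok is None or set(tok) == {"-"}:
        return None
    tok = tok.split("(")[0]
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]

def parse_config(lines):
    # Map global address -> (global port, inside address, inside port).
    pat = re.compile(r"nat server (?:protocol \w+ )?global (\S+)(?: (\S+))?"
                     r" inside (\S+)(?: (\S+))?$")
    out = {}
    for line in lines:
        m = pat.search(line.strip())
        if m:
            g_addr, g_port, i_addr, i_port = m.groups()
            out[g_addr] = (port(g_port), i_addr, port(i_port))
    return out

def parse_display(text):
    # Rows have 7 columns; the second one is the dotted global address.
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[1].count(".") == 3:
            rows[f[1]] = (port(f[2]), f[3], port(f[4]))
    return rows

def mismatches(config_lines, display_text):
    # (global address, configured mapping, displayed mapping) for each difference.
    want, have = parse_config(config_lines), parse_display(display_text)
    return sorted((g, want[g], have.get(g)) for g in want if want[g] != have.get(g))

CONFIG = [
    "nat server global 202.168.0.10 inside 192.168.1.100",
    "nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080",
    "nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp",
]
DISPLAY = """\
zone GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN
---- 202.168.0.10 ---- 192.168.1.100 ---- --- public
---- 202.168.0.11 8080 192.168.1.101 8080 6(tcp) public
---- 202.168.0.12 1021 192.168.1.102 21(ftp) 6(tcp) public
"""
```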

Summary

Which operational modes does Eudemon support?
What are the default Eudemon security zones?
What is the difference between a basic ACL and an advanced ACL?
Which forms of NAT does Eudemon support?
