web configuration guide(v100r001c01_01).pdf

HUAWEI EGW2100

V100R001C01

Web Configuration Guide

Issue 01

Date 2010-02-20

Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For anyassistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are the property of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but the statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

http://www.huawei.com

mailto:[email protected]

Contents

About This Document.....................................................................................................................1

1 Configuration Example of Logging in to Web.....................................................................1-1

2 Configuration Example of Quick Config..............................................................................2-1

3 Configuration Example of the Basic Operation...................................................................3-1

4 Configuration Example of the Internetworking..................................................................4-14.1 Configuration Example of ADSL by Using PPPoE........................................................................................4-24.2 Configuration Example of SHDSL.................................................................................................................4-74.3 Configuration Example of DHCP Server......................................................................................................4-104.4 Configuration Example of RIP......................................................................................................................4-154.5 Configuration Example of OSPF..................................................................................................................4-184.6 Configuration Example of the 3G Interface for Dial-on-Demand................................................................4-214.7 Configuration Example of the 3G Interface for Automatic Dialup...............................................................4-304.8 Configuration Example of a WLAN (Crypto Service Class)........................................................................4-364.9 Configuration Example of a WLAN (Plain Service Class)...........................................................................4-404.10 Configuration Example of a WLAN (802.1X)............................................................................................4-43

5 Configuration Example of the ACL........................................................................................5-1

6 Configuration Example of NAT..............................................................................................6-1

7 Configuration Example of the Dual-System Hot Backup in Routing Mode..................7-1

8 Configuration Example of the VPN........................................................................................8-18.1 Configuration Example of GRE......................................................................................................................8-28.2 Configuration Example of L2TP IPSec..........................................................................................................8-6

A Acronyms and Abbreviations................................................................................................A-1

HUAWEI EGW2100Web Configuration Guide Contents

Issue 01 (2010-02-20) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

Figures

Figure 1-1 Networking diagram for logging in....................................................................................................1-1Figure 1-2 Login page..........................................................................................................................................1-1Figure 2-1 Networking diagram for the web-manager function..........................................................................2-1Figure 2-2 Configuring the ADSL.......................................................................................................................2-2Figure 2-3 Configuring the 3G.............................................................................................................................2-3Figure 2-4 Configuring the LAN..........................................................................................................................2-3Figure 2-5 Configuring the WLAN......................................................................................................................2-3Figure 2-6 Saving the configuration.....................................................................................................................2-4Figure 3-1 Configuring the VLAN.......................................................................................................................3-1Figure 3-2 Creating interface Dialer 0..................................................................................................................3-2Figure 3-3 Configuring interface Ethernet0/0/0...................................................................................................3-2Figure 3-4 Creating ACL 3001............................................................................................................................3-2Figure 3-5 Configuring a rule...............................................................................................................................3-3Figure 3-6 Configuring the interzone packet filtering rule..................................................................................3-3Figure 3-7 Saving the configuration.....................................................................................................................3-4Figure 4-1 Networking of the ADSL configuration example..............................................................................4-2Figure 4-2 Configuring the ADSL interface........................................................................................................4-2Figure 4-3 Configuring the PVC..........................................................................................................................4-3Figure 4-4 Obtaining the IP address in PPP negotiation mode............................................................................4-3Figure 4-5 Configuring the PPP user on the Dialer interface...............................................................................4-4Figure 4-6 Configuring the Dialer interface.........................................................................................................4-4Figure 4-7 Configuring the packet filtering rule between the Trust security zone and the Untrust security zone...............................................................................................................................................................................4-4Figure 4-8 Configuring the static route................................................................................................................4-5Figure 4-9 Configuring the NAT..........................................................................................................................4-5Figure 4-10 Enabling the DHCP function............................................................................................................4-6Figure 4-11 Configuring the processing mode for DHCP packets on the interface.............................................4-6Figure 4-12 Enabling the DNS proxy...................................................................................................................4-6Figure 4-13 Configuring the DNS server address................................................................................................4-7Figure 4-14 Saving the configuration...................................................................................................................4-7Figure 4-15 Networking of the ADSL configuration example............................................................................4-8Figure 4-16 Basic configuration of the SHDSL interface....................................................................................4-8Figure 4-17 Configuring the SHDSL interface....................................................................................................4-9

HUAWEI EGW2100Web Configuration Guide Figures


iii

Figure 4-18 Configuring the packet filtering rule between the Trust security zone and the Untrust security zone...............................................................................................................................................................................4-9Figure 4-19 Configuring the static route..............................................................................................................4-9Figure 4-20 Saving the configuration.................................................................................................................4-10Figure 4-21 Networking for configuring the DHCP client................................................................................4-11Figure 4-22 Setting the Vlanif20 interface process mode of DHCP packets.....................................................4-12Figure 4-23 Setting the Vlanif10 interface process mode of DHCP packets.....................................................4-12Figure 4-24 Configuring the forbidden IP addresses.........................................................................................4-13Figure 4-25 Configuring the forbidden IP addresses.........................................................................................4-13Figure 4-26 Configuring the forbidden IP addresses.........................................................................................4-13Figure 4-27 Configuring the forbidden IP addresses.........................................................................................4-13Figure 4-28 Configuring attributes of DHCP address pool 1 ............................................................................4-14Figure 4-29 Configuring attributes of DHCP address pool 2.............................................................................4-14Figure 4-30 Saving the configuration.................................................................................................................4-15Figure 4-31 Networking of the RIP configuration example...............................................................................4-16Figure 4-32 Configuring the packet receiving and packet sending functions....................................................4-17Figure 4-33 Enabling the RIP function..............................................................................................................4-17Figure 4-34 Configuring the IP address of the RIP network segment...............................................................4-17Figure 4-35 Enabling RIP on the Specified Network Segment..........................................................................4-18Figure 4-36 Saving the configuration.................................................................................................................4-18Figure 4-37 Networking diagram of OSPF configurations................................................................................4-19Figure 4-38 Configuring process 100.................................................................................................................4-20Figure 4-39 Configuring area 0..........................................................................................................................4-20Figure 4-40 Configuring area 1..........................................................................................................................4-21Figure 4-41 Saving the configuration.................................................................................................................4-21Figure 4-42 Networking diagram of dial-on-demand through the Dialer interface...........................................4-22Figure 4-43 Configuring the Modem.................................................................................................................4-22Figure 4-44 Configuring the dialer rule.............................................................................................................4-22Figure 4-45 Creating interface Dialer 0..............................................................................................................4-23Figure 4-46 Adding the Dialer0 interface to the Untrust zone...........................................................................4-23Figure 4-47 Obtaining the IP address in PPP negotiation mode........................................................................4-23Figure 4-48 Configuring the PPP user on the Dialer0 interface.........................................................................4-24Figure 4-49 Configuring circular DCC..............................................................................................................4-24Figure 4-50 Configuring the PPP user on the Cellular interface........................................................................4-25Figure 4-51 Adding the Cellular interface to the Dialer circular group.............................................................4-25Figure 4-52 Configuring the operator................................................................................................................4-25Figure 4-53 Configuring Ethernet 0/0/0 interface..............................................................................................4-26Figure 4-54 Creating ACL 3001........................................................................................................................4-26Figure 4-55 Configuring a rule...........................................................................................................................4-27Figure 4-56 Configuring the NAT......................................................................................................................4-27Figure 4-57 Configuring the interzone packet filtering rule..............................................................................4-28Figure 4-58 Configuring the static route............................................................................................................4-28Figure 4-59 Enabling the DHCP function..........................................................................................................4-28

FiguresHUAWEI EGW2100


iv Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

Figure 4-60 Configuring the processing mode for DHCP packets on the interface...........................................4-29Figure 4-61 Enabling the DNS proxy.................................................................................................................4-29Figure 4-62 Configuring the DNS server address..............................................................................................4-29Figure 4-63 Saving the configuration.................................................................................................................4-29Figure 4-64 Networking diagram of automatic dialup through the Dialer interface..........................................4-30Figure 4-65 Configuring the Modem.................................................................................................................4-30Figure 4-66 Configuring the dialer rule.............................................................................................................4-31Figure 4-67 Adding Cellular5/0/0 interface to the Untrust zone........................................................................4-31Figure 4-68 Obtaining the IP address in PPP negotiation mode........................................................................4-31Figure 4-69 Configuring the PPP user...............................................................................................................4-32Figure 4-70 Configuring circular DCC..............................................................................................................4-32Figure 4-71 Configuring the Ethernet 0/0/0 interface........................................................................................4-33Figure 4-72 Creating ACL 3001........................................................................................................................4-33Figure 4-73 Configuring a rule...........................................................................................................................4-34Figure 4-74 Configuring the NAT......................................................................................................................4-34Figure 4-75 Configuring the interzone packet filtering rule..............................................................................4-35Figure 4-76 Configuring the static route............................................................................................................4-35Figure 4-77 Enabling the DHCP function..........................................................................................................4-35Figure 4-78 Configuring the processing mode for DHCP packets on the interface...........................................4-36Figure 4-79 Enabling the DNS proxy.................................................................................................................4-36Figure 4-80 Saving the configuration.................................................................................................................4-36Figure 4-81 Networking diagram of configuring a WLAN (Crypto service class)...........................................4-37Figure 4-82 Creating a Service Class.................................................................................................................4-37Figure 4-83 Configuring the crypto service class...............................................................................................4-38Figure 4-84 Creating the WLAN-BSS interface................................................................................................4-38Figure 4-85 Configuring interface Wlan-Bss2...................................................................................................4-39Figure 4-86 Configuring the interzone packet filtering rule..............................................................................4-39Figure 4-87 Configuring the NAT......................................................................................................................4-39Figure 4-88 Configuring the static route............................................................................................................4-40Figure 4-89 Saving the configuration.................................................................................................................4-40Figure 4-90 Networking diagram of configuring a WLAN (Plain service class)..............................................4-41Figure 4-91 Enabling the DHCP function..........................................................................................................4-41Figure 4-92 Configuring the processing mode for DHCP packets on the interface...........................................4-42Figure 4-93 Configuring the plain service class.................................................................................................4-42Figure 4-94 Configuring interface Wlan-Bss0...................................................................................................4-43Figure 4-95 Saving the configuration.................................................................................................................4-43Figure 4-96 Networking diagram of configuring a WLAN (802.1X)................................................................4-44Figure 4-97 Creating a Service Class.................................................................................................................4-44Figure 4-98 Configuring the crypto service class...............................................................................................4-45Figure 4-99 Creating 802.1X domain abc..........................................................................................................4-45Figure 4-100 Creating the WLAN-BSS interface..............................................................................................4-45Figure 4-101 Configuring interface Wlan-Bss2.................................................................................................4-46



v

Figure 4-102 Configuring the RADIUS template..............................................................................................4-46Figure 4-103 Configuring the RADIUS authentication server...........................................................................4-47Figure 4-104 Configuring the RADIUS authentication scheme........................................................................4-47Figure 4-105 Configuring the domain................................................................................................................4-47Figure 4-106 Configuring the AAA domain policy...........................................................................................4-48Figure 4-107 Saving the configuration...............................................................................................................4-48Figure 5-1 Networking of the ACL configuration example.................................................................................5-2Figure 5-2 Creating VLAN 5............................................................................................................................... 5-2Figure 5-3 Creating Vlanif 5................................................................................................................................5-2Figure 5-4 Setting basic parameters of the Vlanif 5 interface .............................................................................5-3Figure 5-5 Configuring interface Ethernet0/0/0...................................................................................................5-3Figure 5-6 Configuring the static route................................................................................................................5-4Figure 5-7 Configuring ACL rule 1..................................................................................................................... 5-4Figure 5-8 Configuring ACL rule 2..................................................................................................................... 5-5Figure 5-9 Configuring ACL rule 3..................................................................................................................... 5-6Figure 5-10 Configuring packet filtering rule 1...................................................................................................5-6Figure 5-11 Configuring interzone ASPF............................................................................................................5-7Figure 5-12 Configuring ACL rule 4................................................................................................................... 5-7Figure 5-13 Configuring ACL rule 5................................................................................................................... 5-8Figure 5-14 Configuring packet filtering rule 2...................................................................................................5-8Figure 5-15 Saving the configuration...................................................................................................................5-9Figure 6-1 Networking of a NAT configuration example....................................................................................6-1Figure 6-2 Configuring the advanced ACL rule 0................................................................................................6-2Figure 6-3 Configuring advanced ACL rule 5 .................................................................................................... 6-3Figure 6-4 Configuring the packet filtering rule between the DMZ security zone and the Untrust security zone...............................................................................................................................................................................6-3Figure 6-5 Configuring the ASPF between the DMZ security zone and the Untrust security zone....................6-4Figure 6-6 Configuring the address mapping of the WWW server......................................................................6-4Figure 6-7 Configuring the address mapping of the FTP server..........................................................................6-4Figure 6-8 Saving the configuration.....................................................................................................................6-5Figure 7-1 Networking of the dual-system hot backup in routing mode ............................................................ 7-2Figure 7-2 Configuring VRRP backup group 1................................................................................................... 7-2Figure 7-3 Configuring VRRP backup group 2................................................................................................... 7-3Figure 7-4 Configuring VRRP backup group 3................................................................................................... 7-3Figure 7-5 Configuring VGMP............................................................................................................................7-4Figure 7-6 HRP two-node cluster hot backup in routing mode........................................................................... 7-4Figure 7-7 Saving the configuration.....................................................................................................................7-5Figure 8-1 GRE tunnel using static routes........................................................................................................... 8-2Figure 8-2 Creating an interface named Tunnel1.................................................................................................8-2Figure 8-3 Configuring the tunnel1 interface.......................................................................................................8-3Figure 8-4 Configuring the static route................................................................................................................8-3Figure 8-5 Configuring the static route................................................................................................................8-4Figure 8-6 Creating an interface named Tunnel1.................................................................................................8-4

FiguresHUAWEI EGW2100


vi Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

Figure 8-7 Configuring the tunnel1 interface.......................................................................................................8-5Figure 8-8 Configuring the static route................................................................................................................8-5Figure 8-9 Configuring the static route................................................................................................................8-6Figure 8-10 Networking diagram of L2TP IPSec................................................................................................8-7Figure 8-11 Configuring the Virtual-Template1 interface...................................................................................8-8Figure 8-12 Configuring PPP...............................................................................................................................8-8Figure 8-13 Disabling the fast forwarding function.............................................................................................8-9Figure 8-14 Configuring the local user................................................................................................................8-9Figure 8-15 Configuring the IP pool....................................................................................................................8-9Figure 8-16 Configuring the L2TP-group..........................................................................................................8-10Figure 8-17 Configuring the IKE proposal........................................................................................................8-10Figure 8-18 Configuring the IKE peer...............................................................................................................8-11Figure 8-19 Configuring the IPSec proposal......................................................................................................8-11Figure 8-20 Configuring the IPSec policy template...........................................................................................8-12Figure 8-21 Configuring the IPSec policy.........................................................................................................8-12Figure 8-22 Applying the policy........................................................................................................................8-12Figure 8-23 Saving the configuration.................................................................................................................8-13



vii

About This Document

PurposeThis document provides the methods for configuring the functions of the EGW2100.

Product VersionThe following table lists the product versions related to this document.

Product Name Version

HUAWEI EGW2100 V100R001C01

Intended AudienceThis document is intended for:

l Technical support engineer

l Maintenance engineer

l Network engineer

l Network administrator

l Network maintenance engineer

OrganizationThis document is organized as follows.

Chapter Description

1 Configuration Exampleof Logging in to Web

This chapter describes the configuration of logging in to web.

2 Configuration Exampleof Quick Config

This chapter describes the configuration of quick config.

HUAWEI EGW2100Web Configuration Guide About This Document


1

Chapter Description

3 Configuration Exampleof the Basic Operation

This chapter describes the configuration of the basic operation.

4 Configuration Exampleof the Internetworking

This chapter describes the internetworking configuration of theEGW2100.

5 Configuration Exampleof the ACL

This chapter describes the configuration of the ACL.

6 Configuration Exampleof NAT

This chapter describes the configuration of the NAT.

7 Configuration Exampleof the Dual-System HotBackup in Routing Mode

This chapter describes the configuration of the dual-system hotbackup in routing mode.

8 Configuration Exampleof the VPN

This chapter describes the configuration of the VPN.

A Acronyms andAbbreviations

This chapter describes the abbreviations in this document.

Conventions

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

DANGERIndicates a hazard with a high level of risk, which, if notavoided, could result in death or serious injury.

WARNINGIndicates a hazard with a medium or low level of risk, which,if not avoided, could result in minor or moderate injury.

CAUTIONIndicates a potentially hazardous situation, which if notavoided, could result in equipment damage, data loss,performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or savetime.

NOTE Provides additional information to emphasize or supplementimportant points of the main text.

About This DocumentHUAWEI EGW2100


2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

General ConventionsThe general conventions that may be found in this document are defined as follows.

Convention Description

Times New Roman Normal paragraphs are in Times New Roman.

Boldface Names of files, directories, folders, and users are inboldface. For example, log in as user root.

Italic Book titles are in italics.

Courier New Examples of information displayed on the screen are inCourier New.

Command ConventionsThe command conventions that may be found in this document are defined as follows.


Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[ ] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated byvertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated byvertical bars. One item is selected or no item is selected.

{ x | y | ... }* Optional items are grouped in braces and separated byvertical bars. A minimum of one item or a maximum of allitems can be selected.

[ x | y | ... ]* Optional items are grouped in brackets and separated byvertical bars. Several items or no item can be selected.

GUI ConventionsThe GUI conventions that may be found in this document are defined as follows.


Boldface Buttons, menus, parameters, tabs, windows, and dialog titlesare in boldface. For example, click OK.

> Multi-level menus are in boldface and separated by the ">"sign. For example, choose File > Create > Folder.

HUAWEI EGW2100Web Configuration Guide About This Document


3

Keyboard OperationsThe keyboard operations that may be found in this document are defined as follows.

Format Description

Key Press the key. For example, press Enter and press Tab.

Key 1+Key 2 Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.

Key 1, Key 2 Press the keys in turn. For example, pressing Alt, A meansthe two keys should be pressed in turn.

Mouse OperationsThe mouse operations that may be found in this document are defined as follows.

Action Description

Click Select and release the primary mouse button without movingthe pointer.

Double-click Press the primary mouse button twice continuously andquickly without moving the pointer.

Drag Press and hold the primary mouse button and move thepointer to a certain position.

Update HistoryUpdates between document issues are cumulative. Therefore, the latest document issue containsall updates made in previous issues.

Updates in Issue 01 (2010-02-20)Initial commercial release.

About This DocumentHUAWEI EGW2100


4 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

1 Configuration Example of Logging in to Web

Networking Requirements

As shown in Figure 1-1, the PC is connected to Ethernet1/0/0 of the EGW2100. You can controland manage the EGW2100 by accessing its IP address 192.168.0.1 through the Web browser onthe PC.

Figure 1-1 Networking diagram for logging in

EGW

Ethernet1/0/0Vlanif1

192.168.0.1/24

PC192.168.0.2/24

Procedure

Step 1 The PC is connected to Ethernet1/0/0 of the EGW2100.

Step 2 Configure the IP address of the PC.

The configuration details are not mentioned here.

Step 3 Access the EGW2100 through the Web browser of the PC.

Input http://192.168.0.1 in the Internet Explorer to enter the Web login page. Figure 1-2 showsthe login page.

Figure 1-2 Login page

HUAWEI EGW2100Web Configuration Guide 1 Configuration Example of Logging in to Web


1-1

Step 4 Input username admin and password Admin@123. The configuration interface is shown.

----End

1 Configuration Example of Logging in to WebHUAWEI EGW2100


1-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

2 Configuration Example of Quick Config

Networking RequirementsAs shown in Figure 2-1, the EGW2100 connects to a LAN through WLAN and LAN usersaccess the Internet through the ADSL and 3G. The ADSL is the master link, otherwise, the 3Gis the backup link.

Figure 2-1 Networking diagram for the web-manager function

PC

PC

ADSL WLAN

192.168.0.0/24 3G

Data PreparationItem EGW2100 Station

ADSL PVC 0/33 -

User Name adsl -

Password password -

3G User Name internet -

Password password -

Dialer Number *99# -

Access point name APN -

HUAWEI EGW2100Web Configuration Guide 2 Configuration Example of Quick Config


2-1

Item EGW2100 Station

WLAN Access Mode encrypted (WPA/WPA2-PSK mixed)

encrypted (WPA/WPA2-PSK mixed)

SSID WLAN100 WLAN100

Key Value abcdef123 abcdef123

NOTEObtain the parameters for ADSL or 3G dial-up, such as the user name and password from the operator ornetwork administrator.

Procedure

Step 1 Configure the Internet access.1. Choose Quick Config > Internet Access. The Internet Access page is displayed.2. In the ADSL Configuration group box, Figure 2-2 shows the parameter setting.

Figure 2-2 Configuring the ADSL

3. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayedto complete the configuration.

4. Click Refresh, ADSL IP disconnected (as shown in Figure 2-2) turns to the obtained IPaddress. This indicates the ADSL connection succeeds.

5. In the 3G configuration group box, Figure 2-3 shows the parameter setting.

2 Configuration Example of Quick ConfigHUAWEI EGW2100



Issue 01 (2010-02-20)

Figure 2-3 Configuring the 3G


7. Click Refresh, 3G IP (as shown in Figure 2-3) turns to the obtained IP address. Thisindicates the 3G connection succeeds.

Step 2 Configure the LAN and WLAN.

1. Choose Quick Config > LAN/WLAN. The LAN/WLAN page is displayed.

2. In the LAN configuration group box, Figure 2-4 shows the parameter setting.

Figure 2-4 Configuring the LAN


4. In the WLAN configuration group box, Figure 2-5 shows the parameter setting.

Figure 2-5 Configuring the WLAN


Step 3 Save the configuration.

1. Click Save on the upper right of the page to save the configuration. Figure 2-6 shows theparameter setting.

HUAWEI EGW2100Web Configuration Guide 2 Configuration Example of Quick Config


2-3

Figure 2-6 Saving the configuration

2. Click OK in the This will save current configuration, if you switch to other pages, youwill not get the operation result. Are you sure to save? dialog box that is displayed tocomplete the configuration.

Step 4 Save the Station.Change the TCP/IP setting of the Station to obtain its IP address automatically. For help, see theoperating system documentation for the Station.

----End

2 Configuration Example of Quick ConfigHUAWEI EGW2100



Issue 01 (2010-02-20)

3 Configuration Example of the BasicOperation

Networking RequirementsThis describes the basic procedure for configuring the device, including:l Configure the VLAN and add interfaces.

l Create an interface.

l Configure an interface.

l Configure the ACL.

l Configure the Packet-Filter.

l Save the configuration.

ProcedureStep 1 Create VLAN 5 and Add Ethernet 1/0/0 to VLAN 5.

1. Choose NetWork > VLAN. The VLAN page is displayed.2. Click New to enter the VLAN Config interface. Figure 3-1 shows the parameter setting.

Figure 3-1 Configuring the VLAN


Step 2 Create interface Dialer 0.1. Choose NetWork > Interface. The Interface page is displayed.2. Click New to enter the Create New Interface interface. Figure 3-2 shows the parameter

setting.

HUAWEI EGW2100Web Configuration Guide 3 Configuration Example of the Basic Operation


3-1

Figure 3-2 Creating interface Dialer 0


Step 3 Configure an IP address for Ethernet 0/0/0 and add Ethernet 0/0/0 to the Untrust zone.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Ethernet0/0/0 to enter the Interface Basic Config interface.

Figure 3-3 shows the parameter setting.

Figure 3-3 Configuring interface Ethernet0/0/0


Step 4 Create ACL 3001 and configure the rule for ACL 3001: The action of the packets whose sourceIP addresses are in network segment 10.1.1.0/24 is configured as Permit.1. Choose Resource > ACL. The ACL page is displayed.2. Click New to enter the ACL Basic Config interface. Figure 3-4 shows the parameter

setting.

Figure 3-4 Creating ACL 3001


4. Click New to enter the Rule Config interface. Figure 3-5 shows the parameter setting.

3 Configuration Example of the Basic OperationHUAWEI EGW2100



Issue 01 (2010-02-20)

Figure 3-5 Configuring a rule


Step 5 Configure the packet filtering rule between the Trust zone and Untrust zone as Permit.1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.2. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.


Figure 3-6 Configuring the interzone packet filtering rule


Step 6 Save the configuration.1. Click Save on the upper right of the page to save the configuration. Figure 3-7 shows the

parameter setting.

HUAWEI EGW2100Web Configuration Guide 3 Configuration Example of the Basic Operation


3-3



----End

3 Configuration Example of the Basic OperationHUAWEI EGW2100



Issue 01 (2010-02-20)

4 Configuration Example of theInternetworking

About This Chapter

4.1 Configuration Example of ADSL by Using PPPoE

4.2 Configuration Example of SHDSL

4.3 Configuration Example of DHCP ServerThe locations and number of terminals in the network change frequently, so you need to use theDynamic Host Configuration Protocol (DHCP) to allocate dynamic IP addresses to the terminals.The EGW2100 can serve as a DHCP server to offer IP addresses to the DHCP client.

4.4 Configuration Example of RIPRouting Information Protocol (RIP) is a type of protocol based on the distance-vector (D-V)algorithm. By using RIP, you can exchange routing information through UDP packets. Thisprotocol is widely used in simple small-/medium-sized networks.

4.5 Configuration Example of OSPFOSPF is an internal network gateway protocol based on the link status developed by the IETFand is also a dynamic routing protocol applied to the internal of the AS.

4.6 Configuration Example of the 3G Interface for Dial-on-Demand

4.7 Configuration Example of the 3G Interface for Automatic Dialup

4.8 Configuration Example of a WLAN (Crypto Service Class)

4.9 Configuration Example of a WLAN (Plain Service Class)

4.10 Configuration Example of a WLAN (802.1X)

HUAWEI EGW2100Web Configuration Guide 4 Configuration Example of the Internetworking


4-1

4.1 Configuration Example of ADSL by Using PPPoE


The EGW2100 connects to a LAN through Ethernet 0/0/0 and LAN users access the Internetthrough the ADSL interface (ATM 2/0/0).

Networking Diagram

Figure 4-1 shows the networking of the ADSL configuration example.

Figure 4-1 Networking of the ADSL configuration example

ATM 2/0/0

PPPoE ServerEGW DSLAM

Ethernet 0/0/0192.168.1.1/24

Procedure

Step 1 Configure an IP address for Ethernet 0/0/0 and add Ethernet 0/0/0 to the Trust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Create Virtual-Ethernet 1 (VE 1) interface and add VE 1 to the Untrust zone. Create Dialer 1interface and add Dialer 1 to the Untrust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 3 Configure the ADSL interface.

1. Choose NetWork > Interface. The Interface page is displayed.

2. Click MORE corresponding to Atm2/0/0 to enter the Interface Basic Config interface.Figure 4-2 shows the parameter setting.

Figure 4-2 Configuring the ADSL interface


4 Configuration Example of the InternetworkingHUAWEI EGW2100



Issue 01 (2010-02-20)

4. In the Interface Physical Config group box, select activate. Then click OK in the Areyou sure to submit? dialog box that is displayed to activate the interface.

5. In the PVC Configuration group box, select New. The PVC Configuration interface isdisplayed. Figure 4-3 shows the parameter setting.

Figure 4-3 Configuring the PVC

NOTEYou can obtain the PVC from the operator.


Step 4 Configure the PPPoE session.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Dialer1 to enter the Interface Basic Config interface.3. In the Interface Basic Config group box, click IP Address Detail Config. The IP Address

Config interface is displayed. Figure 4-4 shows the parameter setting.

Figure 4-4 Obtaining the IP address in PPP negotiation mode


5. Click back, then return to Interface interface.6. In the PPP User and Dialer group box, click PPP User and Dialer. The PPP User




4-3

Figure 4-5 Configuring the PPP user on the Dialer interface


8. Click back, then return to Interface interface.9. In the PPPOE Dialer interface Config group box, click Detail Config. The Dialer

interface detail Config interface is displayed. Figure 4-6 shows the parameter setting.

Figure 4-6 Configuring the Dialer interface


Step 5 Configure the interzone packet filtering rule.1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.2. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.


Figure 4-7 Configuring the packet filtering rule between the Trust security zone and theUntrust security zone


Step 6 Configure a specific route.




Issue 01 (2010-02-20)

1. Choose NetWork > Route Config. The Route Config page is displayed.

2. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Figure4-8 shows the parameter setting.

Figure 4-8 Configuring the static route


Step 7 Configure NAT.

1. Create ACL 3001 and configure the rule for ACL 3001: Match all IP packets.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

2. Choose Service > NAT > Nat-Policy. The Nat-Policy page is displayed.

3. Select NAT-Policy tab. Click New. The NAT-Policy page is displayed. Figure 4-9 showsthe parameter setting.

Figure 4-9 Configuring the NAT

NOTEWhen selecting the ACL, you can select basic ACL or advanced ACL from the drop-down list.Then select the proper ACL in the ACL classification table.


Step 8 Configure the DHCP function, which can dynamically assign IP addresses to intranet users.

1. Choose Service > DHCP > DHCP Basic. The DHCP Basic Config page is displayed.



4-5

2. In the DHCP Basic Config group box, select the DHCP Enable check box. Click OK inthe Are you sure to enable? dialog box to enable the DHCP function. Figure 4-10 showsthe parameter setting.

Figure 4-10 Enabling the DHCP function

3. In the Setting Interface Process Mode Of DHCP Packet group box, configure theprocessing mode for DHCP packets on Ethernet0/0/0. Figure 4-11 shows the parametersetting.

Figure 4-11 Configuring the processing mode for DHCP packets on the interface


Step 9 Configure the DNS.1. Choose NetWork > DNS Config. The DNS Config page is displayed.2. Click the Basic Configurations tab. Select the Enable DNS Proxy check box to enable

the DNS proxy function. Figure 4-12 shows the parameter setting.

Figure 4-12 Enabling the DNS proxy

3. Click the DNS Server Address tab. Choose the interface Dialer1, Figure 4-13 shows theparameter setting.




Issue 01 (2010-02-20)

Figure 4-13 Configuring the DNS server address

4. Click add. Then click OK in the Are you sure to submit? dialog box that is displayed tocomplete the configuration.


parameter setting.



----End

4.2 Configuration Example of SHDSL

Networking RequirementsThe EGW2100 connects to a LAN through Ethernet 0/0/0 and LAN users access the Internetthrough the SHDSL interface (ATM 2/0/0).

Networking DiagramFigure 4-15 shows the networking of the SHDSL configuration example.



4-7

Figure 4-15 Networking of the ADSL configuration example

EGW

ATM 2/0/0VE 1192.168.2.1/24

BAS

DSLAM

192.168.2.2/24

Eth 0/0/010.1.1.1/24

Trust Untrust

Procedure

Step 1 Configure an IP address for Ethernet 0/0/0 and add Ethernet 0/0/0 to the Trust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Configure an IP address for Virtual-Ethernet 1 (VE 1) interface and add VE 1 to the Untrustzone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 3 Configure the SHDSL interface.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Atm2/0/0 to enter the Interface Basic Config interface.


Figure 4-16 Basic configuration of the SHDSL interface

3. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayedto complete the configuration.Completing the operations on the EGW2100 takes a while (about 10 seconds). Wait withpatience. The progress bar at the bottom of the Web page shows the progress.

4. In the PVC Configuration group box, click New. The GSHDSL Port Configurationinterface is displayed. Figure 4-17 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 4-17 Configuring the SHDSL interface

NOTEYou can obtain the PVC from the operator.


Step 4 Configure the interzone packet filtering rule.

1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.

2. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.Figure 4-18 shows the parameter setting.

Figure 4-18 Configuring the packet filtering rule between the Trust security zone and theUntrust security zone


Step 5 Configure a specific route.


2. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Figure4-19 shows the parameter setting.




4-9



parameter setting.



----End

4.3 Configuration Example of DHCP ServerThe locations and number of terminals in the network change frequently, so you need to use theDynamic Host Configuration Protocol (DHCP) to allocate dynamic IP addresses to the terminals.The EGW2100 can serve as a DHCP server to offer IP addresses to the DHCP client.

Networking RequirementsA DHCP server dynamically assigns the IP addresses to a client in the same network segment.The address pool segment 10.1.1.0/24 is divided into two segments: 10.1.1.0/25 and10.1.1.128/25. The two network segments are in the Trust zone.

The IP addresses of the two Ethernet interfaces on the DHCP server are 10.1.1.1/25 and10.1.1.129/25.

The IP lease of the segment 10.1.1.0/25 is 10 days and 12 hours, with domain name asdhcpserver.com, DNS address as 10.1.1.2, egress device address as 10.1.1.126 and without theNetBIOS address.

The IP lease of the segment 10.1.1.128/25 is 5 days, with DNS address as 10.1.1.2, egress deviceaddress as 10.1.1.254, and NetBIOS address as 10.1.1.4.

Networking DiagramFigure 4-21 shows the networking for configuring the DHCP server.




Issue 01 (2010-02-20)

Figure 4-21 Networking for configuring the DHCP client

DHCP client

DHCP server

NetBIOS server

DHCP client

DNS server

DHCP client

DHCP client

DHCP client

DHCP client

Ethernet1/0/1Vlan20

10.1.1.1/25

Ethernet1/0/0Vlan1010.1.1.129/25

Network: 10.1.1.0/25 Network: 10.1.1.128/25

EGW

Procedure

Step 1 Configure the VLANs that Vlanif interfaces belong to, set the IP addresses of the Vlanifinterfaces, and add the Vlanif interfaces to the specified zones.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Configure the packet filtering rule between the Trust security zone and the Untrust security zone.1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.2. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.

Select the permit option button respectively next to Inbound Default Packet-filter andOutbound Default Packet-filter.


CAUTIONThe default packet filtering rule that allows all the packets to pass may cause securitytroubles. Therefore, it is recommended to apply the ACL rule in interzones.

Step 3 Enable DHCP and set the interface process mode of DHCP packets.1. Select Service > DHCP > DHCP Basic. The DHCP Basic page is displayed.2. Click the Select button next to the Main Interface text box to select Vlanif20. Set the

parameters based on Figure 4-22.



4-11

Figure 4-22 Setting the Vlanif20 interface process mode of DHCP packets


4. Click the Select button next to the Main Interface text box to select Vlanif10. Set theparameters based on Figure 4-23.

Figure 4-23 Setting the Vlanif10 interface process mode of DHCP packets


Step 4 Configure the IP addresses that do not participate in auto-allocation, including addresses of theDNS server, the NetBIOS server and the egress gateway.1. Select Service > DHCP > DHCP Server. The DHCP Server page is displayed.2. Select Forbidden Ip tab. Click New. The Forbidden IP Config page is displayed. Set the

parameters based on Figure 4-24.




Issue 01 (2010-02-20)

Figure 4-24 Configuring the forbidden IP addresses


4. Select Forbidden Ip tab. Click New. The Forbidden IP Config page is displayed. Set theparameters based on Figure 4-25.











4-13

Step 5 Configure related attributes for the DHCP address pool.1. Select Service > DHCP > DHCP Server. The DHCP Server page is displayed.2. Select Global Ip-pool tab. Click New. The Global Ip Pool Config page is displayed. Set

the parameters based on Figure 4-28.

Figure 4-28 Configuring attributes of DHCP address pool 1


4. Select Global Ip-pool tab. Click New. The Global Ip Pool Config page is displayed. Setthe parameters based on Figure 4-29.

Figure 4-29 Configuring attributes of DHCP address pool 2



parameter setting.




Issue 01 (2010-02-20)



----End

4.4 Configuration Example of RIPRouting Information Protocol (RIP) is a type of protocol based on the distance-vector (D-V)algorithm. By using RIP, you can exchange routing information through UDP packets. Thisprotocol is widely used in simple small-/medium-sized networks.

Networking RequirementsThree subnetworks (192.1.2.0/24, 192.1.3.0/24, and 192.1.4.0/24) in a Local Area Network(LAN) cooperate with each other through the EGW2100 and two routers. Routing InformationProtocol (RIP) works on both the EGW2100 and routers. After the configuration, theEGW2100, Router B, and Router C can learn routing information from each other.

The EGW2100, Router B, and Router C respectively serve as the default gateways of the192.1.2.0/24, 192.1.3.0/24, and 192.1.4.0/24 network segments. The EGW2100 connects to theEthernet interfaces of Router B and Router C through Ethernet interfaces. The EGW2100(192.1.1.1) receives RIP packets broadcasted by Router B (192.1.1.2) and Router C (192.1.1.3).The EGW2100 sends RIP broadcast packets to Router B and Router C at the same time.

Networking DiagramFigure 4-31 shows the networking of the RIP configuration example.



4-15

Figure 4-31 Networking of the RIP configuration example

Eth0/0/0192.1.1.1

Eth2/0/0192.1.1.3

Eth2/0/0192.1.1.2

RouterBRouterC

EGW

192.1.2.0/24

192.1.4.0/24 192.1.3.0/24

Untrust

Trust

Procedure

Step 1 Configure the EGW2100.1. Set the IP address of the interface, and then add the interface to the specified zone.

For the configuration procedure, see 3 Configuration Example of the Basic Operation.2. Configure the Packet-Filter.

For the configuration procedure, see 3 Configuration Example of the Basic Operation.3. Choose NetWork > RIP. The RIP page is displayed.4. Click the Interface Configuration tab.5. Click New. The Interface Configuration page is displayed. Set the parameters of the

interface on this page, as shown in Figure 4-32.




Issue 01 (2010-02-20)

Figure 4-32 Configuring the packet receiving and packet sending functions


7. Click the RIP Config tab. Select the RIP Enable check box to enable the RIP function, asshown in Figure 4-33.

Figure 4-33 Enabling the RIP function

8. Click MORE. The RIP Config page is displayed. Set the parameters based on Figure4-34.

Figure 4-34 Configuring the IP address of the RIP network segment



4-17

9. Click Add.10. Enabling RIP on the Specified Network Segment. Set the parameters based on Figure

4-35.

Figure 4-35 Enabling RIP on the Specified Network Segment

11. Click Add.12. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayed

to complete the configuration.


parameter setting.



Step 3 Configure Router B and Router C.For the configuration procedure, see the configurations of the EGW2100.

----End

4.5 Configuration Example of OSPFOSPF is an internal network gateway protocol based on the link status developed by the IETFand is also a dynamic routing protocol applied to the internal of the AS.


Start OSPF process 100 on the Ethernet0/0/0 interface of the EGW2100 and the interface is inarea 0. Start OSPF process 100 on the Vlanif 5 interface and the interface is in area 1.




Issue 01 (2010-02-20)

Respectively set up the neighbor relationship between Router A and the EGW2100 and betweenRouter B and the EGW2100.

Start OSPF process 100 on the Ethernet1/0/0 interface of Router A and the interface is in area0.

Start OSPF process 100 on the Ethernet2/0/0 interface of Router B and the interface is in area1.

Networking DiagramFigure 4-37 shows the networking diagram of OSPF configurations.

Figure 4-37 Networking diagram of OSPF configurations

Eth1/0/0172.10.1.2/16

EGW

Router A

Router B

Eth0/0/0172.10.1.1/16

Eth1/0/0Vlan5131.108.1.3/16Process 100

Area 1Ethernet2/0/0131.108.1.1/16

Process 100Area 0

Untrust

Trust

Procedure

Step 1 Configure the EGW2100.1. Configure the VLANs that Vlanif interfaces belong to, set the IP addresses of the Vlanif

interfaces, and add the Vlanif interfaces to the specified zones.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

2. Choose Security > Packet-Filter. The Packet-Filter page is displayed.3. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.

Select the permit option button respectively next to Inbound Default Packet-filter andOutbound Default Packet-filter.




4-19

CAUTIONThe default packet filtering rule that allows all the packets to pass may cause securitytroubles. Therefore, it is recommended to apply the ACL rule in interzones.

5. Choose NetWork > OSPF to enter the OSPF interface.

6. Click the Process Config tab.

7. Click New to enter the Process Config interface. Figure 4-38 shows the parameter setting.

Figure 4-38 Configuring process 100

NOTE

Router ID in the diagram is the router ID that uniquely identifies a router in the OSPF protocol.


9. Click MORE corresponding to 100 and choose the Area Config tab.

10. Click New to enter the Area Config interface. Figure 4-39 shows the parameter setting.

Figure 4-39 Configuring area 0

11. Click Add to add the 172.10.0.0/16 network segment to area 0.


13. Click New to enter the Area Config interface. Figure 4-40 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 4-40 Configuring area 1

14. Click Add to add the 131.108.0.0/16 network segment to area 1.15. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayed



parameter setting.



Step 3 Configure Router A and Router B.For the configuration procedure, see the configurations of the EGW2100.

----End

4.6 Configuration Example of the 3G Interface for Dial-on-Demand


The EGW2100 connects to the enterprise intranet through Ethernet 0/0/0 and to the Internetthrough USB WCDMA 3G card. The networking requirements are as follows:

l The intranet of the enterprise is in network segment 192.168.1.0/24.

l Dialer interface is used for dial-on-demand.

l The IP address of the 3G interface is allocated by the radio network through negotiation.

Networking Diagram

Figure 4-42 shows the networking diagram of dial-on-demand through the Dialer interface.



4-21

Figure 4-42 Networking diagram of dial-on-demand through the Dialer interface

192.168.1.0/24

Ethernet 0/0/0192.168.1.1/24 3G interface

EGW

Procedure

Step 1 Configure the Modem.1. Choose NetWork > Modem. The Modem Config page is displayed. Figure 4-43 shows

the parameter setting.

Figure 4-43 Configuring the Modem


Step 2 Configure the dialer rule.1. Choose NetWork > Dial Rule. The Dial Rule page is displayed.2. Click New to enter the Dialer Rule Config interface. Figure 4-44 shows the parameter

setting.

Figure 4-44 Configuring the dialer rule


Step 3 Configure the Dialer interface and associate dialup access group 1 with the interface. Enablecircular DCC and configure the dialing string.1. Choose NetWork > Interface. The Interface page is displayed.2. Click New to enter the Create New Interface interface. Figure 4-45 shows the parameter

setting.




Issue 01 (2010-02-20)

Figure 4-45 Creating interface Dialer 0


4. Click MORE corresponding to Dialer0 to enter the Interface Dialer0 Config interface.Figure 4-46 shows the parameter setting.

Figure 4-46 Adding the Dialer0 interface to the Untrust zone


6. In the Interface Basic Config group box, click IP Address Detail Config. The IP AddressConfig interface is displayed. Figure 4-47 shows the parameter setting.



8. Click back. Then return to the Interface Dialer0 Config interface.

9. In the PPP User and Dialer group box, click PPP User and Dialer. The PPP UserConfig interface is displayed. Figure 4-48 shows the parameter setting.

CAUTIONl Configure access authentication (according to the actual networking).

l The corresponding authentication configuration on the physical interface (Cellular) isrequired.



4-23

Figure 4-48 Configuring the PPP user on the Dialer0 interface


11. Click back. Then return to the Interface Dialer0 Config interface.12. In the Dial Control Center group box, click DCC Configuration. The DCC

Configuration interface is displayed. Figure 4-49 shows the parameter setting.

CAUTIONYou can obtain the Peer Number from the operator.

Figure 4-49 Configuring circular DCC


Step 4 Configure the Cellular5/0/0 interface.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Cellular5/0/0 to enter the Cellular5/0/0 Interface

Config interface.3. In the PPP User and Dialer group box, click PPP User and Dialer. The PPP User





Issue 01 (2010-02-20)

CAUTIONIf the authentication is configured on the Dialer interface, the corresponding configurationon the Cellular interface is also required.

Figure 4-50 Configuring the PPP user on the Cellular interface


5. Click back. Then return to the Cellular5/0/0 Interface Config interface.6. In the Dial Control Center group box, click DCC Configuration. The DCC


Figure 4-51 Adding the Cellular interface to the Dialer circular group


8. In the Data Card Config group box, click Data Card Config. Then click the OperatorManage tab. The Operator Config interface is displayed. Figure 4-52 shows theparameter setting.

Figure 4-52 Configuring the operator



4-25

CAUTIONl For WCDMA data cards, you should set the Access Point Name (APN).

l You can obtain the APN from the operator.


Step 5 Configure Ethernet 0/0/0 interface.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Ethernet0/0/0 to enter the Ethernet0/0/0 Interface

Config interface. Figure 4-53 shows the parameter setting.

Figure 4-53 Configuring Ethernet 0/0/0 interface


Step 6 Configure the NAT rule, the routing rule, and the packet filtering rule.1. Choose Resource > ACL. The ACL page is displayed.2. Click New to enter the ACL Basic Config interface. Figure 4-54 shows the parameter

setting.







Issue 01 (2010-02-20)



6. Choose Service > NAT > Nat-Policy. The Nat-Policy page is displayed.7. Click new to enter the NAT-Policy interface. Figure 4-56 shows the parameter setting.


8. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayed

to complete the configuration.9. Choose Security > Packet-Filter. The Packet-Filter page is displayed.10. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.




4-27



12. Choose NetWork > Route Config. The Route Config page is displayed.13. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Figure

4-58 shows the parameter setting.



Step 7 Configure the DHCP function, which can dynamically assign IP addresses to intranet users.1. Choose Service > DHCP > DHCP Basic. The DHCP Basic Config page is displayed.2. In the DHCP Basic Config group box, select the DHCP Enable check box. Click OK in

the Are you sure to enable? dialog box to enable the DHCP function. Figure 4-59 showsthe parameter setting.






Issue 01 (2010-02-20)






3. Click the DNS Server Address tab. Choose the interface Dialer0, Figure 4-62 shows theparameter setting.

Figure 4-62 Configuring the DNS server address

4. Click add. Then click OK in the Are you sure to submit? dialog box that is displayed tocomplete the configuration.


parameter setting.



----End



4-29

4.7 Configuration Example of the 3G Interface forAutomatic Dialup

Networking RequirementsThe EGW2100 connects to the enterprise intranet through Ethernet 0/0/0 and to the Internetthrough USB 3G card. The networking requirements are as follows:

l The intranet of the enterprise is in network segment 192.168.1.0/24.

l Cellular interface is used for automatic dialup.

l The IP address of the 3G interface is allocated by the radio network through negotiation.

Networking DiagramFigure 4-64 shows the networking diagram of automatic dialup through the Dialer interface.

Figure 4-64 Networking diagram of automatic dialup through the Dialer interface

192.168.1.0/24

Ethernet 0/0/0192.168.1.1/24 3G interface

EGW

ProcedureStep 1 Configure the Modem.

1. Choose NetWork > Modem. The Modem Config page is displayed. Figure 4-65 showsthe parameter setting.

Figure 4-65 Configuring the Modem


Step 2 Configure the dialer rule.1. Choose NetWork > Dial Rule. The Dial Rule page is displayed.2. Click New to enter the Dialer Rule Config interface. Figure 4-66 shows the parameter

setting.




Issue 01 (2010-02-20)

Figure 4-66 Configuring the dialer rule


Step 3 Configure the Cellular interface, enable the circular DCC, and configure the dialup route.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Cellular5/0/0 to enter the Interface Cellular5/0/0


Figure 4-67 Adding Cellular5/0/0 interface to the Untrust zone


4. In the Interface Basic Config group box, click IP Address Detail Config. The IP AddressConfig interface is displayed. Figure 4-68 shows the parameter setting.



6. Click back. Then return to the Interface Cellular5/0/0 Config interface.7. In the PPP User and Dialer group box, click PPP User and Dialer. The PPP User




4-31

CAUTIONl Configure access authentication (according to the actual networking).

l Generally, the user names and passwords of TD-SCDMA users are free and those ofCDMA (EVDO) users are card.

Figure 4-69 Configuring the PPP user


9. Click back. Then return to the Interface Cellular5/0/0 Config interface.10. In the Dial Control Center group box, click DCC Configuration. The DCC


CAUTIONYou can obtain the Peer Number from the operator.

Figure 4-70 Configuring circular DCC




Issue 01 (2010-02-20)


Step 4 Configure the Ethernet 0/0/0 interface.1. Choose NetWork > Interface. The Interface page is displayed.2. Click MORE corresponding to Ethernet0/0/0 to enter the Ethernet0/0/0 Interface


Figure 4-71 Configuring the Ethernet 0/0/0 interface.


Step 5 Configure the NAT rule, the routing rule, and the packet filtering rule.1. Choose Resource > ACL. The ACL page is displayed.2. Click New to enter the ACL Basic Config interface. Figure 4-72 shows the parameter

setting.






4-33



6. Choose Service > NAT > Nat-Policy. The Nat-Policy page is displayed.7. Click new to enter the NAT-Policy interface. Figure 4-74 shows the parameter setting.



to complete the configuration.9. Choose Security > Packet-Filter. The Packet-Filter page is displayed.10. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.





Issue 01 (2010-02-20)



12. Choose NetWork > Route Config. The Route Config page is displayed.13. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Figure

4-76 shows the parameter setting.



Step 6 Configure the DHCP function, which can dynamically assign IP addresses to intranet users.1. Choose Service > DHCP > DHCP Basic. The DHCP Basic Config page is displayed.2. In the DHCP Basic Config group box, select the DHCP Enable check box. Click OK in

the Are you sure to enable? dialog box to enable the DHCP function. Figure 4-77 showsthe parameter setting.





4-35







parameter setting.



----End

4.8 Configuration Example of a WLAN (Crypto ServiceClass)

Networking Requirementsl The EGW2100 (AP) is connected to the Router through Ethernet 0/0/0 (already added to

the Untrust zone).l The fixed IP address of Ethernet 0/0/0 is 202.169.10.1/24 and the IP address of Ethernet

1/0/0 on the Router is 202.169.10.2/24.l The IP addresses of the two stations are 192.168.1.2/24 and 192.168.1.3/24.

l The stations use wireless network cards to connect to the AP, with the SSID of WLAN100.




Issue 01 (2010-02-20)

l The authentication mode is WPA-WPA2-PSK, the pre-shared key is abcdefgh, and theCCMP and TKIP encryption suite is adopted.

The stations can access the Internet in wireless mode through the configuration of a WLAN.

Networking DiagramFigure 4-81 shows the networking diagram of configuring a WLAN (Crypto service class).

Figure 4-81 Networking diagram of configuring a WLAN (Crypto service class)

EGW

Station

Station

WLAN100

Eth0/0/0Eth1/0/0

Procedure

Step 1 Set the IP address of Ethernet 0/0/0 of the EGW2100, and add the interface to the Untrust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Create VLAN 2. Set the IP address of interface Vlanif 2 to 192.168.1.1/24, and add the interfaceto the Trust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 3 Configure the service class.

NOTE

By default, Service Class 0 is enabled. If Service Class 0 is not needed, it is recommended to disable theService Class.

1. Choose NetWork > Wlan > Service Class. The Service Class page is displayed.2. Click New to enter the Create a Service Class interface. Figure 4-82 shows the parameter

setting.

Figure 4-82 Creating a Service Class


4. Click MORE corresponding to Service Class Number 2 to enter the Service ClassConfig interface. Figure 4-83 shows the parameter setting.



4-37

Figure 4-83 Configuring the crypto service class

NOTEThe Pre-shared Key is abcdefgh.


6. Click ENABLE corresponding to service class number 2. Click OK in the Are you sureto enalbe? dialog box that is displayed, and click OK in the Info: Service-class 2 is enabledsuccessfully! dialog box that is displayed to complete the configuration.

Step 4 Configure the binding between the service class and the WLAN-BSS interface.1. Choose NetWork > Wlan > Radio Setting. The Radio Setting page is displayed.2. Click New Bss in the Wlan Bss group box to access the Interface Basic Config interface.


Figure 4-84 Creating the WLAN-BSS interface


4. Click MORE corresponding to Wlan-Bss2 in the Wlan Bss group box. The configurationinterface of interface Wlan-Bss2 is displayed. Figure 4-85 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 4-85 Configuring interface Wlan-Bss2


Step 5 Configure the packet filtering rule.1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.2. Click MORE corresponding to trust-untrust. The Packet-Filter Config page is displayed.




Step 6 Configure the NAT.1. Create ACL 3001 and configure the rule for ACL 3001: Match all IP packets.

For the configuration procedure, see 3 Configuration Example of the Basic Operation.2. Choose Service > NAT > Nat-Policy. The Nat-Policy page is displayed.3. Click new to enter the NAT-Policy interface. Figure 4-87 shows the parameter setting.




4-39


Step 7 Configure the static route.


2. Click the Route-Static tab. Click New. The Route-Static page is displayed. Figure 4-88shows the parameter setting.







Step 9 Configure the wireless network cards on the client.

l Manually set the IP addresses of the wireless network cards to 192.168.1.2/24 and192.168.1.3/24.

l The SSID, encryption mode, authentication mode, and pre-shared key on the wirelessnetwork cards should be consistent with those on the EGW2100.

----End

4.9 Configuration Example of a WLAN (Plain Service Class)


the Untrust zone).




Issue 01 (2010-02-20)

l The fixed IP address of Ethernet 0/0/0 is 202.169.10.1/24 and the IP address of Ethernet1/0/0 on the Router is 202.169.10.2/24.

l The two stations automatically obtain IP addresses through DHCP.

l The stations use wireless network cards to connect to the AP, with the SSID of WLAN100.


Networking Diagram

Figure 4-90 shows the networking diagram of configuring a WLAN (Plain service class).

Figure 4-90 Networking diagram of configuring a WLAN (Plain service class)

EGW

Station

Station

Eth0/0/0Eth1/0/0

WLAN100

Procedure



Step 3 Configure the DHCP function.

1. Choose Service > DHCP > DHCP Basic. The DHCP Basic Config page is displayed.

2. In the DHCP Basic Config group box, select the DHCP Enable check box. Click OK inthe Are you sure to enable? dialog box to enable the DHCP function. Figure 4-91 showsthe parameter setting.


3. In the Setting Interface Process Mode Of DHCP Packet group box, configure theprocessing mode for DHCP packets on Vlanif2. Figure 4-92 shows the parameter setting.



4-41



Step 4 Configure the service class.1. Choose NetWork > Wlan > Service Class. The Service Class page is displayed.

NOTEBy default, the number of the plain service class of the EGW2100 is 0.

2. Click DISABLE corresponding to service class number 0. Click OK in the Are you sureto disable? dialog box that is displayed, and click OK in the Info: Service class 0 isdisabled successfully, and the status of BSS 0 changes to down! dialog box that isdisplayed to disable service class number 0.

3. Click MORE corresponding to service class number 0 to enter the Service Class Configinterface. Figure 4-93 shows the parameter setting.

Figure 4-93 Configuring the plain service class


5. Click ENABLE corresponding to service class number 0. Click OK in the Are you sureto enalbe? dialog box that is displayed, and click OK in the Info: Service-class 0 is enabledsuccessfully, and the status of BSS 0 changes to up! dialog box that is displayed tocomplete the configuration.

Step 5 Configure the binding between the service class and the WLAN-BSS interface.1. Choose NetWork > Wlan > Radio Setting. The Radio Setting page is displayed.2. Click MORE corresponding to Wlan-Bss0 in the Wlan Bss group box. The configuration

interface of interface Wlan-Bss0 is displayed. Figure 4-94 shows the parameter setting.




Issue 01 (2010-02-20)



Step 6 Configuring the NAT, packet filtering, and default route.The configuration procedure is similar to that for the WLAN of the crypto service class, see 4.8Configuration Example of a WLAN (Crypto Service Class).


parameter setting.



Step 8 Configure the wireless network cards on the client.l Configure the wireless network cards to automatically obtain IP addresses.

l The SSID, encryption mode, and authentication mode on the wireless network cards shouldbe consistent with those on the EGW2100.

----End

4.10 Configuration Example of a WLAN (802.1X)


the Untrust zone).l The fixed IP address of Ethernet 0/0/0 is 202.169.10.1/24 and the IP address of Ethernet

1/0/0 on the Router is 202.169.10.2/24.l The two stations automatically obtain IP addresses through DHCP.

l The stations use wireless network cards to connect to the AP , with the SSID of WLAN100.

l 802.1X authentication is enabled. The IP address of the RADIUS server is202.169.10.100/24 and the key is hello.




4-43

Networking Diagram

Figure 4-96 shows the networking diagram of configuring a WLAN (802.1X).

Figure 4-96 Networking diagram of configuring a WLAN (802.1X)

EGW

Station

Station

WLAN100

Eth0/0/0

Eth1/0/0

RADIUS Server

Precautions

Select WPA, WPA2 or WPA-WPA2 for the authentication mode when configuring 802.1X.

Procedure



Step 3 Configure the service class.

NOTE

By default, Service Class 0 is enabled. If Service Class 0 is not needed, it is recommended to disable theService Class.

1. Choose NetWork > Wlan > Service Class. The Service Class page is displayed.2. Click New to enter the Create a Service Class interface. Figure 4-97 shows the parameter

setting.

Figure 4-97 Creating a Service Class


4. Click MORE corresponding to Service Class Number 2 to enter the Service ClassConfig interface. Figure 4-98 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 4-98 Configuring the crypto service class

5. Select the check box to the left of Advanced Config. The advanced configuration interfaceis displayed. Figure 4-99 shows the parameter setting.

Figure 4-99 Creating 802.1X domain abc


7. Click ENABLE corresponding to service class number 2. Click OK in the Are you sureto enalbe? dialog box that is displayed, and click OK in the Info: Service-class 2 is enabledsuccessfully! dialog box that is displayed to complete the configuration.

Step 4 Configure the binding between the service class and the WLAN-BSS interface.1. Choose NetWork > Wlan > Radio Setting. The Radio Setting page is displayed.2. Click New Bss in the Wlan Bss group box to access the Interface Basic Config interface.


Figure 4-100 Creating the WLAN-BSS interface



4-45


4. Click MORE corresponding to Wlan-Bss2 in the Wlan Bss group box. The configurationinterface of interface Wlan-Bss2 is displayed. Figure 4-101 shows the parameter setting.



Step 5 Configuring the NAT, packet filtering, and default route.The configuration procedure is similar to that for the WLAN of the crypto service class, see 4.8Configuration Example of a WLAN (Crypto Service Class).

Step 6 Configuring the DHCP.The configuration procedure is similar to that for the WLAN of the plain service class, see 4.9Configuration Example of a WLAN (Plain Service Class).

Step 7 Configure the RADIUS.

1. Choose Resource > AAA > Radius. The Radius interface is displayed.

2. Click new. The Radius Template Config interface is displayed. Figure 4-102 shows theparameter setting.

Figure 4-102 Configuring the RADIUS template


4. Click MORE corresponding to template name test, and click the Server Info tab. TheRadius Server Config interface is displayed. Figure 4-103 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 4-103 Configuring the RADIUS authentication server


Step 8 Configure AAA.

1. Choose Resource > AAA > Scheme. The Scheme interface is displayed.

2. Click the Authentication Scheme tab, and click new. The Authentication SchemeConfig interface is displayed. Figure 4-104 shows the parameter setting.

Figure 4-104 Configuring the RADIUS authentication scheme


4. Choose Resource > AAA > Domain. The Domain interface is displayed.

5. Click new. The Domain Basic Config interface is displayed. Figure 4-105 shows theparameter setting.

Figure 4-105 Configuring the domain



4-47


7. Click MORE corresponding to domain name abc, and click the AAA Policy tab. TheDomain AAA Policy Config interface is displayed. Figure 4-106 shows the parametersetting.

Figure 4-106 Configuring the AAA domain policy


Step 9 Save the configuration.1. Click Save on the upper right of the page to save the configuration. Figure 4-107 shows

the parameter setting.



Step 10 Configure the wireless network cards on the client.l Configure the wireless network cards to automatically obtain IP addresses.

l The SSID and authentication mode on the wireless network cards should be consistent withthose on the AP.

l The user name, password and certificate for 802.1X authentication should be consistent withthose on the RADIUS server.

----End




Issue 01 (2010-02-20)

5 Configuration Example of the ACL

When planning the network, you need to use different policies to manage different users. In theexternal network, only a specific user can access the internal server. In the internal network,only a specific host can access the external network.

Networking RequirementsA EGW2100 is deployed at the network egress of the company.

l The Ethernet1/0/0 interface is connected to the internal network of the company.

l The Ethernet0/0/0 interface is connected to the Internet.

l The company provides WWW, FTP, and Telnet services for external users. The networksegment of the internal network is 10.100.20.0/24.

l The IP address of a specific external user is 202.39.2.3.

Configuration requirement:

l In the external network, only host 202.39.2.3 can access the internal FTP server, Telnetserver, WWW server.

l In the internal network, only host 10.100.20.3 and host 10.100.20.4 can access the externalnetwork.

Networking DiagramFigure 5-1 shows the networking of the ACL configuration example.

HUAWEI EGW2100Web Configuration Guide 5 Configuration Example of the ACL


5-1

Figure 5-1 Networking of the ACL configuration example

Ethernet0/0/0202.38.10.2/24

Ethernet1/0/0Vlanif510.100.20.2/24

EGW

WWW Server10.100.20.5/24

Telnet Server10.100.20.4/24

FTP Server10.100.20.3/24

PC202.39.2.3/16

202.38.10.6/24

ProcedureStep 1 Configure the IP addresses of interfaces of the EGW2100 and add the interfaces to related

security zones.1. Choose NetWork > VLAN. The VLAN page is displayed.2. Click New to enter the VLAN Config interface. Enter 5 in VLAN ID.3. Click Select Select Ethernet1/0/0 in the interface list. Click choose to return to the VLAN

Config interface. Click Add to add Ethernet1/0/0 to VLAN 5. As shown in Figure 5-2.

Figure 5-2 Creating VLAN 5

4. Choose NetWork > Interface. The Interface page is displayed.5. Click New to enter the Create New Interface interface. Figure 5-3 shows the parameter

setting.

Figure 5-3 Creating Vlanif 5

5 Configuration Example of the ACLHUAWEI EGW2100



Issue 01 (2010-02-20)


to complete the configuration.7. Click MORE corresponding to Vlanif5 to enter the Interface Basic Config interface.


Figure 5-4 Setting basic parameters of the Vlanif 5 interface


to complete the configuration.9. Choose NetWork > Interface. The Interface page is displayed.10. Click MORE corresponding to Ethernet0/0/0 to enter the Ethernet0/0/0 Interface


Figure 5-5 Configuring interface Ethernet0/0/0


Step 2 Configure a specific route to the external network.1. Choose NetWork > Route Config. The Route Config page is displayed.2. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Set




5-3




Step 3 Configuration requirement 1: In the external network, only host 202.39.2.3 can access theinternal FTP server, Telnet server, WWW server.1. Choose Resource > ACL. The ACL page is displayed.2. Click New. The ACL Basic Configuration page is displayed.3. In ACL Number, enter 3102.4. Click apply to create an ACL rule.5. In the ACL Rule Configuration area, click New. The Rule Configuration page is

displayed. Set the parameters based on Figure 5-7.

Figure 5-7 Configuring ACL rule 1




Issue 01 (2010-02-20)


7. In the ACL Rule Configuration area, click New. The Rule Configuration page isdisplayed. Set the parameters based on Figure 5-8.



to complete the configuration.9. In the ACL Rule Configuration area, click New. The Rule Configuration page is




5-5



11. Choose Security > Packet-Filter. The Packet-Filter page is displayed.

12. Click MORE corresponding to dmz-untrust. The Packet-Filter Config page is displayed.Set the parameters based on Figure 5-10.

Figure 5-10 Configuring packet filtering rule 1


14. Choose Security > ASPF. The ASPF Config page is displayed.

15. Click the InterZone ASPF tab. In the InterZone, select DMZ and Untrust.

16. Click confirm. Set the parameters based on Figure 5-11.




Issue 01 (2010-02-20)

Figure 5-11 Configuring interzone ASPF



Step 4 Configuration requirement 2: In the internal network, only host 10.100.20.3 and host 10.100.20.4can access the external network.1. Choose Resource > ACL. The ACL page is displayed.2. Click New. The ACL Basic Configuration page is displayed.3. In ACL Number, enter 3103.4. Click apply to create an ACL rule.5. In the ACL Rule Configuration area, click New. The Rule Configuration page is







5-7

7. In the ACL Rule Configuration area, click New. The Rule Configuration page isdisplayed. Set the parameters based on Figure 5-13.



to complete the configuration.9. Choose Security > Packet-Filter. The Packet-Filter page is displayed.10. Click MORE corresponding to dmz-untrust. The Packet-Filter Config page is displayed.

Set the parameters based on Figure 5-14.

Figure 5-14 Configuring packet filtering rule 2







Issue 01 (2010-02-20)




----End



5-9

6 Configuration Example of NAT

In practice, you can configure an internal server through the NAT process so that the internalserver can be accessed by the external network.


The company networks with different service are in the EGW2100 security zones with differentsecurity levels. The mappings are described as follows:

l The WWW server and the FTP server are in the DMZ security zone, and the networksegment is 10.100.20.0/24. Internal employees and external users can access the servers.

l The external network is in the Untrust security zone.

Requirement: Two internal servers are provide to external users. The internal IP address of theWWW server is 10.100.20.1/24, and the port is 8080. The internal IP address of the FTP serveris 10.100.20.3/24. For both severs, the external IP address is 202.38.10.2 and the external portnumbers are the default numbers.

Networking Diagram

Figure 6-1 shows the networking of a NAT configuration example.

Figure 6-1 Networking of a NAT configuration example

PC

WWW Server10.100.20.1/24

EGW

Ethernet1/0/0Vlanif5

10.100.20.2/24

Untrust

FTP Server10.100.20.3/24

DMZ

Ethernet0/0/0202.38.10.2/24

HUAWEI EGW2100Web Configuration Guide 6 Configuration Example of NAT


6-1

Procedure

Step 1 Configure the VLANs that Vlanif interfaces belong to, set the IP addresses of the Vlanifinterfaces, and add the Vlanif interfaces to the specified zones.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Create an ACL rule.1. Choose Resource > ACL. The ACL page is displayed.2. Click New. The ACL Basic Configuration page is displayed.3. In ACL Number, enter 3100.4. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayed

to complete the configuration.5. Click New. The Rule Configuration page is displayed. Set the parameters based on Figure

6-2.

Figure 6-2 Configuring the advanced ACL rule 0


to complete the configuration.7. Click New. The Rule Configuration page is displayed. Set the parameters based on Figure

6-3.

6 Configuration Example of NATHUAWEI EGW2100



Issue 01 (2010-02-20)

Figure 6-3 Configuring advanced ACL rule 5



Step 3 Configure the interzone packet filtering rule.1. Choose Security > Packet-Filter. The Packet-Filter page is displayed.2. Click MORE corresponding to dmz-untrust. The Packet-Filter Config page is displayed.

Set the parameters based on Figure 6-4.

Figure 6-4 Configuring the packet filtering rule between the DMZ security zone and theUntrust security zone



Step 4 Configure the function of filtering application layer-based FTP packets on the EGW2100.1. Choose Security > ASPF and then click InterZone ASPF. The ASPF Config page is




6-3

Figure 6-5 Configuring the ASPF between the DMZ security zone and the Untrust securityzone


Step 5 Configure the address mapping function of the EGW2100.

1. Choose Service > NAT > Address-Map. The Address-Map page is displayed.

2. Click New. The Configuraition of Address Mapping page is displayed. Set the parametersbased on Figure 6-6.

Figure 6-6 Configuring the address mapping of the WWW server


4. Click New. The Configuraition of Address Mapping page is displayed. Set the parametersbased on Figure 6-7.

Figure 6-7 Configuring the address mapping of the FTP server

6 Configuration Example of NATHUAWEI EGW2100



Issue 01 (2010-02-20)



parameter setting.



----End



6-5

7 Configuration Example of the Dual-SystemHot Backup in Routing Mode

As a security device, the EGW2100 is deployed between a protected network and other networks.In order to maintain the stability of devices, two EGW2100s are used in master/backup mode.

PrerequisiteThe operating mode of two EGW2100s have been configured in routing mode.

Networking RequirementsThe network is planned as follows:l The network to be protected is deployed in the Trust security zone with the network segment

of 10.100.10.0/24.l Interfaces Ethernet 0/0/0 on both EGW2100s are configured to connect to a heartbeat line.

The network segment is 10.100.20.0/24. The DMZ zone connects to the interfaces Ethernet0/0/0.

l The external networks are classified into the Untrust zone, and the Untrust zone connectsto the interfaces Ethernet 1/0/1 (Vlanif 6) of the EGW2100s.

l Two EGW2100s are connected to each zone through a LAN switch.

The mappings between the virtual IP addresses of the backup groups and the security zones areas follows:l Trust: 10.100.10.1

l DMZ: 10.100.20.1

l Untrust: 202.38.10.1

HUAWEI EGW2100Web Configuration Guide

7 Configuration Example of the Dual-System Hot Backup inRouting Mode


7-1

Network topology diagram

Figure 7-1 Networking of the dual-system hot backup in routing mode

EGW AMaster

EGW BBackup

Backup group 1

Backup group 2

Backup group 3

UntrustTrust

10.100.10.0/24

10.100.10.1/24Virtual IP Address

10.100.20.1/24Virtual IP Address

10.100.20.3/24

Vlanif5:10.100.10.3/24 Vlanif6:202.38.10.3/24202.38.10.1/24

Virtual IP Address

Vlanif6:202.38.10.2/24

Eth0/0/010.100.20.2/24

Vlanif5:10.100.10.2/24

Heartbeat line

Eth0/0/0

Eth1/0/0

Eth1/0/0

Eth1/0/1

Eth1/0/1

DMZ

Procedure

Step 1 Configure the IP addresses of interfaces of the EGW2100 A and add the interfaces to relatedsecurity zones.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 2 Configure the Packet-Filtering between the Trust security zone, DMZ security zone, and Untrustsecurity zone of the EGW2100 A.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

Step 3 Create the VRRP backup groups of the EGW2100 A.1. Click Reliability > VRRP. The VRRP page is displayed.2. Click New. The Basic Configuration of the VRRP Vrid page is displayed. Figure 7-2

shows the parameter setting.

Figure 7-2 Configuring VRRP backup group 1




Issue 01 (2010-02-20)


4. Click New. The Basic Configuration of the VRRP Vrid page is displayed. Figure 7-3shows the parameter setting.



6. Click New. The Basic Configuration of the VRRP Vrid page is displayed. Figure 7-4shows the parameter setting.



Step 4 Enable the HRP function of the EGW2100 A.

1. Choose Reliability > HRP. The HRP page is displayed.

2. Click the VGMP Config tab. The VGMP Config page is displayed.

3. Click New. The VGMP Config page is displayed. Figure 7-5 shows the parameter setting.




7-3

Figure 7-5 Configuring VGMP


5. Click the HRP Config tab. The HRP Config page is displayed.

6. Select the Enable HRP check box. Figure 7-6 shows the parameter setting.

Figure 7-6 HRP two-node cluster hot backup in routing mode


Step 5 Configure EGW2100 B.

The procedure for configuring the EGW2100 B is the same as that for configuring theEGW2100 A. The following parameters, however, are different:

l The interface IP addresses of EGW2100 B are different from those of the EGW2100 A.

l The default priority of the VRRP management group on EGW2100 B is 100.






Issue 01 (2010-02-20)



----End




7-5

8 Configuration Example of the VPN

About This Chapter

8.1 Configuration Example of GRE

8.2 Configuration Example of L2TP IPSec

HUAWEI EGW2100Web Configuration Guide 8 Configuration Example of the VPN


8-1

8.1 Configuration Example of GRE

Networking RequirementsAs show in Figure 8-1, network A and network B connect to the Internet through EGW2100Aand EGW2100B respectively. The GRE tunnel is required to be configured to use static routes,so that network A and network B can interwork using GRE.

Network topology diagram

Figure 8-1 GRE tunnel using static routes

Netwrok A

EGW A

Netwrok B

GRE tunnel

Eth1/0/0Vlan5

10.100.20.2/24Eth0/0/0

202.38.10.2/24

Eth1/0/0Vlan5

10.1.3.1/24Eth0/0/0131.108.5.2/24

EGW B202.38.10.3/24 131.108.5.1/24Trust Trust

Untrust Untrust

Procedure

Step 1 Configure the EGW2100 A.1. Configure the VLANs that Vlanif interfaces belong to, set the IP addresses of the Vlanif

interfaces, and add the Vlanif interfaces to the specified zones.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

2. Choose NetWork > Interface. The Interface page is displayed.3. Click New. The Create New Interface page is displayed. Configure the parameters as

shown in Figure 8-2.

Figure 8-2 Creating an interface named Tunnel1


to complete the configuration.5. Click MORE in the Tunnel1 row. The page for configure the Tunnel interface is displayed.

Configure the parameters as shown in Figure 8-3.

8 Configuration Example of the VPNHUAWEI EGW2100



Issue 01 (2010-02-20)

Figure 8-3 Configuring the tunnel1 interface


to complete the configuration.7. Choose NetWork > Route Config.8. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Set




to complete the configuration.10. Click New. The Route-Static Config page is displayed. Set the parameters based on Figure

8-5.



8-3



to complete the configuration.12. Choose Security > Packet-Filter. The Packet-Filter page is displayed.13. Click MORE in the trust-untrust row. The Packet-Filter Config page is displayed. Select

the permit option button respectively next to Inbound Default Packet-filter andOutbound Default Packet-filter.


NOTEThe default Packet-Filtering rule that allows all the packets to pass may cause security troubles.Therefore, it is recommended to apply the ACL rule between security zones.

15. Click Save on the upper right of the page to save the configuration.

Step 2 Configure the IP addresses of interfaces of the EGW2100 B and add the interfaces to relatedsecurity zones.1. Choose NetWork > Interface. The Interface page is displayed.2. Click New. The Create New Interface page is displayed. Configure the parameters as

shown in Figure 8-6.

Figure 8-6 Creating an interface named Tunnel1


to complete the configuration.4. Click MORE in the Tunnel1 row. The Interface Configuration page is displayed.

Configure the parameters as shown in Figure 8-7.




Issue 01 (2010-02-20)

Figure 8-7 Configuring the tunnel1 interface


to complete the configuration.6. Choose NetWork > Route Config.7. Click the Route-Static tab. Click New. The Route-Static Config page is displayed. Set




to complete the configuration.9. Click New. The Route-Static Config page is displayed. Set the parameters based on Figure

8-9.



8-5



to complete the configuration.11. Choose Security > Packet-Filter. The Packet-Filter page is displayed.12. Click MORE in the trust-untrust row. The Packet-Filter Config page is displayed. Select

the permit option button respectively next to Inbound Default Packet-filter andOutbound Default Packet-filter.


NOTEThe default Packet-Filtering rule that allows all the packets to pass may cause security troubles.Therefore, it is recommended to apply the ACL rule between security zones.

14. Click Save on the upper right of the page to save the configuration.

----End

8.2 Configuration Example of L2TP IPSec

Networking RequirementsThe company headquarters access the Internet through the EGW2100. The VPN Client isinstalled on the PC of the employees on business trip; the employee sends a connection requestto the EGW2100 and an L2TP+IPSec VPN tunnel is then established, through which theemployee can communicate with other internal users of the company.

Networking DiagramFigure 8-10 shows the networking diagram of L2TP IPSec.




Issue 01 (2010-02-20)

Figure 8-10 Networking diagram of L2TP IPSec

EGW

Remote userVPN client

L2TP tunnel

Eth0/0/0202.1.1.1/24Eth1/0/1

Vlanif 1:10.1.1.1/24

Data PreparationItem EGW2100 VPN client

L2TP Remote-Name client LNS

Tunnel Local Name LNS client

Authentication-Mode

CHAP CHAP

Tunnel-Authentication

123456 123456

IPSec Encapsulation-Mode

Tunnel Tunnel

Transform ESP ESP

ESPAuthentication-Algorithm

MD5 MD5

ESP Encryption-Algorithm

DES DES

Nat-Traversal Enable Enable

IKE Pre-Shared-Key abcde abcde

Exchange-Mode aggressive aggressive

Local-Id-Type Name Name

IKE Local-Name server client

Remote-Name client server

Authentication-Algorithm

MD5 MD5



8-7

Procedure

Step 1 Configure interfaces.1. Set the IP address of the Vlanif 1 interface to 10.1.1.1/24 and add the Vlanif 1 interface to

the Trust zone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

2. Set the IP address of Ethernet 0/0/0 to 202.1.1.1/24, and add Ethernet 0/0/0 to the Untrustzone.For the configuration procedure, see 3 Configuration Example of the Basic Operation.

3. Create the Virtual-Template1 interface (VT 1).For the configuration procedure, see 3 Configuration Example of the Basic Operation.

4. Choose NetWork > Interface. The Interface page is displayed.5. Click MORE corresponding to Virtual-Template1 to enter the Virtual-Template1

Interface Config interface.6. In the Interface Basic Config group box, Figure 8-11 shows the parameter setting.

Figure 8-11 Configuring the Virtual-Template1 interface


8. Click PPP Config to enter the PPP Config interface. Figure 8-12 shows the parametersetting.

Figure 8-12 Configuring PPP

NOTEThe specified address pool number should be the same as that in the AAA page.


Step 2 Disable the fast forwarding function on Ethernet 0/0/0.1. Choose NetWork > Interface. The Interface page is displayed.




Issue 01 (2010-02-20)

2. Click MORE corresponding to Ethernet0/0/0 to enter the Ethernet0/0/0 InterfaceConfig interface.

3. In the Fast Forwarding Config group box, Figure 8-13 shows the parameter setting.

Figure 8-13 Disabling the fast forwarding function


Step 3 Configure the local user.1. Choose Resource > AAA > Local User. The Local User page is displayed.2. Click new. The Local User Configuration page is displayed. Figure 8-14 shows the

parameter setting.

Figure 8-14 Configuring the local user


Step 4 Configure the IP Address Pool.1. Choose Resource > AAA > IP Pool. The IP Pool page is displayed.2. Click new. The IP Pool Config page is displayed. Figure 8-15 shows the parameter setting.

Figure 8-15 Configuring the IP pool




8-9

Step 5 Configure the L2TP.

1. Choose VPN > L2TP > L2TP-Group. The L2TP-Group page is displayed.

2. Select the L2TP Enable check box. Then click OK in the Are you sure to enalbe? dialogbox that is displayed to complete the configuration.

3. Click new. The L2TP-Group Config page is displayed. Figure 8-16 shows the parametersetting.

Figure 8-16 Configuring the L2TP-group


Step 6 Configure the IKE.

1. Choose VPN > IPSec > IKE. The IKE page is displayed.

2. Choose IKE Proposal tab, then click new. The IKE Proposal Config page is displayed.Figure 8-17 shows the parameter setting.

Figure 8-17 Configuring the IKE proposal


4. Choose IKE Peer tab, then click new. The IKE Peer Config page is displayed. Figure8-18 shows the parameter setting.




Issue 01 (2010-02-20)

Figure 8-18 Configuring the IKE peer


Step 7 Configure the IPSec.1. Choose VPN > IPSec > IPSec. The IPSec page is displayed.2. Choose IPSec Proposal tab, then click new. The IPSec Proposal Config page is displayed.


Figure 8-19 Configuring the IPSec proposal


4. Choose IPSec Policy Template tab, then click new. The IPSec Policy Template page isdisplayed. Figure 8-20 shows the parameter setting.



8-11

Figure 8-20 Configuring the IPSec policy template


6. Choose IPSec Policy tab, then click new. The IPSec Policy page is displayed. Figure8-21 shows the parameter setting.

Figure 8-21 Configuring the IPSec policy

7. Click Apply. Then click OK in the Are you sure to submit? dialog box that is displayedto complete the configuration. Apply the policy on Ethernet 0/0/0, Figure 8-22 shows theparameter setting.

Figure 8-22 Applying the policy

NOTEThe policy should be applied on the upstream interface of the obtained IP address. For example, whenthe 3G uplink is adopted, the policy should be applied on the Dialer interface.






Issue 01 (2010-02-20)



Step 9 Configure the VPN Client.l Install the VPN Client on the PC of the remote user.

l Create the dial-up program (the parameters should be consistent with those on theEGW2100).

l Click the connection to start communications with the headquarters.

----End



8-13

A Acronyms and Abbreviations

A

AAA Authorization, Authentication and Accounting

ACL Access Control List

ASPF Application Specific Packet Filter

D

DHCP Dynamic Host Configuration Protocol

DMZ DeMilitarized Zone

F

FTP File Transfer Protocol

H

HTTP Hypertext Transfer Protocol

I

ICMP Internet Control Message Protocol

IP Internet Protocol

M

MAC Media Access Control

HUAWEI EGW2100Web Configuration Guide A Acronyms and Abbreviations


A-1

N

NAPT Network Address Port Translation

NAT Network Address Translation

P

PC Personal Computer

R

RADIUS Remote Authentication Dial in User Service

RIP Routing Information Protocol

T

TFTP Trivial File Transfer Protocol

V

VLAN Virtual Local Area Network

W

WWW World Wide Web

A Acronyms and AbbreviationsHUAWEI EGW2100


A-2 Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

Issue 01 (2010-02-20)

web configuration guide(v100r001c01_01).pdf

Documents

huawei trademarks

huawei proprietary

configuration example

configuration example

configuration example

configuration example

huawei industrial basebantian

thepurchase scope