Chapter 2 - Network Basics
Foreword
⚫ With the development of the Internet, network attacks keep emerging and network security
becomes all the more important. The application of security technologies to data
communication is an extension of data communication technologies. Before learning
security technologies, knowing basic concepts of networks, such as basic network
communication principles, network infrastructure, and common network protocols, can help
you better understand the working principles and application scenarios of various security
technologies.
⚫ This chapter describes the typical enterprise network architecture, common network devices
and their working principles, as well as the CLI-based and GUI-based firewall configuration
modes.
2 Huawei Confidential
Objectives
⚫ On completion of this course, you will be able to:
Understand the data definition and transmission process.
Describe the working principles of the TCP/IP protocol stack.
Describe the working principles of common protocols.
Describe common network devices and their working principles.
Contents
▫ Application Layer
▫ Transport Layer
▫ Network Layer
Application and Data
⚫ Applications are developed to meet users' various requirements, such as web page access, online gaming, and online video play.
Information is generated along with applications, which is presented in different modes, such as texts, pictures, and videos.
⚫ For network engineers, applications can generate data. Data is the carrier of all kinds of information and the physical symbol or the
combination of various physical symbols recording the nature, status, and relationships of objects. Data can be symbols, texts, digits,
voice, images, and videos.
⚫ Data generated by most applications needs to be transmitted between devices. Network engineers need to pay more attention to the
end-to-end data transmission process.
• A computer can only identify digital data consisting of 0s and 1s. It is incapable
of reading other types of information, so the information needs to be translated
into data by certain rules.
• However, people do not have the capability of reading electronic data. Therefore,
data needs to be converted into information that can be understood by people.
OSI Reference Model
⚫ The open systems interconnection (OSI) reference model was proposed by the International Organization for
Standardization (ISO) in 1984 for network interconnection. The OSI reference model has a seven-layer architecture.
Layer: Function
Presentation layer: Translates data formats to ensure that the application-layer data of one system can be identified and understood by the application layer of another system.
Session layer: Establishes, manages, and terminates sessions between communicating parties.
Transport layer: Establishes, maintains, and cancels an end-to-end data transmission process. Controls transmission speeds and adjusts data sequences.
Network layer: Defines logical addresses and transfers data from sources to destinations.
Data link layer: Encapsulates packets into frames, transmits frames in point-to-point or point-to-multipoint mode, and implements error detection.
Physical layer: Transmits bitstreams over transmission media and defines electrical and physical specifications.
• The OSI reference model was included in the ISO 7489 standards and released in
1984.
• The OSI reference model is also called the seven-layer model. The seven layers
from top to bottom are as follows:
▫ Application layer: provides network services for applications and is closest to
users.
▫ Presentation layer: provides data encoding and conversion functions so that
data sent by the application layer of one system can be identified by the
application layer of another system.
▫ Session layer: establishes, manages, and terminates communication sessions
between entities at the presentation layer. Communication at this layer is
implemented through service requests and responses transmitted between
applications on different devices.
▫ Transport layer: implements connection-oriented and non-connection-oriented
data transmission, as well as error detection.
▫ Network layer: defines logical addresses for routers to determine paths and
transmits data from source networks to destination networks.
▫ Data link layer: encapsulates bits into bytes and bytes into frames, uses link-
layer addresses (MAC addresses in Ethernet) to access media, and implements
error detection.
▫ Physical layer: transmits bitstreams between devices and defines physical
specifications such as electrical levels, speeds, and cable pins.
TCP/IP Reference Model
⚫ The OSI reference model is complex, while the TCP and IP protocols are widely used in the industry.
Therefore, the TCP/IP reference model has become the de facto reference model of the Internet.
[Figure: the seven-layer OSI reference model shown beside the four-layer TCP/IP reference model.]
• The TCP/IP model is similar to the OSI model in structure and adopts a
hierarchical architecture. Adjacent layers in the TCP/IP model are closely related.
The difference between the TCP/IP model and the OSI model is that in TCP/IP
model, the presentation layer and the session layer are combined into the
application layer. Therefore, the TCP/IP model has four layers from bottom to
top: network interface layer, network layer, transport layer, and application layer.
• The TCP/IP standard model combines the data link layer and the physical layer in
the OSI model into the network interface layer. However, in practice, data is
separately processed at the data link layer and physical layer. Therefore, the
TCP/IP equivalent model that integrates the TCP/IP standard model and the OSI
reference model is proposed. Contents in the following slides are based on the
TCP/IP equivalent model.
Common Protocols of the TCP/IP Protocol Stack
⚫ The TCP/IP protocol stack defines a series of standard protocols.
Application Layer
⚫ The application layer provides interfaces for application software so that applications can use network
services. Based on a transport-layer protocol, applications define the port number used at the transport
layer.
FTP
⚫ File Transfer Protocol (FTP) transfers files from one host to another to implement file download and upload. This
protocol adopts the client/server (C/S) structure. When FTP is used to transmit data, the control connection and
data connection are established between the server and client.
⚫ The FTP connection can be set up in either proactive or passive mode. The difference between the two modes lies in
whether the data connection is initiated by the server or client. By default, the proactive mode is used. Users can
switch to the passive mode through commands.
Telnet
⚫ Telnet is a standard protocol that provides remote login services on a network.
⚫ It helps users to operate remote devices through local PCs.
⚫ Users log in to a Telnet server through a Telnet client program. The commands entered on the Telnet
client are executed on the Telnet server, as if the commands were entered on the console of the server.
[Figure: a Telnet client on a PC reaches a Telnet server across the Internet through an access point, a switch, and a router.]
STelnet
⚫ Secure Telnet (STelnet) is a secure Telnet service enabling users to remotely and securely log in to devices. Through
STelnet, all exchanged data is encrypted, thus implementing secure sessions. Telnet transmits data in plaintext,
which is not secure. Network security can be greatly improved using STelnet.
⚫ STelnet is implemented based on SSH and the destination port number is 22 by default. Negotiations between an
STelnet server and an STelnet client include the following phases:
▫ Version negotiation
▫ Algorithm negotiation
▫ Key exchange
▫ User authentication
▫ Session interaction
[Figure: an STelnet client connects through an access point and a firewall to the STelnet server.]
• Version negotiation phase: SSH is available in SSHv1 and SSHv2. The server and
client determine which SSH version to be used through version negotiation.
• Key exchange phase: A session key is generated using a key exchange algorithm.
After that, sessions between the server and client are encrypted through session
keys.
• User authentication phase: The SSH client sends an authentication request to the
SSH server and the server authenticates the client.
• Session interaction phase: After the authentication succeeds, the server and client
exchange data.
HTTP
⚫ Hypertext Transfer Protocol (HTTP) is one of the most widely used network protocols on the Internet.
HTTP was originally designed to provide a method for publishing and receiving hypertext markup
language (HTML) pages.
[Figure: a client visits www.huawei.com over the Internet.]
• WWW is short for World Wide Web, also known as 3W or Web. As a next-
generation user interface on the Internet, WWW replaces the traditional plaintext
mode in which information is exchanged in plain text. Hypertext is a holistic
information architecture, which establishes links for different parts of a
document through keywords so that information can be transmitted in
interactive mode. With the emergence and development of multimedia
technologies, the coverage of hypertext technologies has been extended from
plain text to multimedia. The concept of hypermedia was therefore developed.
• On the Internet, hypermedia and hypertext modes are combined and information
links are extended to the entire Internet. Web is a kind of hypertext information
system, enabling texts to be switched from one position to another instead of
being fixed at a certain position. Web is unique for its multiple links.
HTTPS
⚫ Hypertext Transfer Protocol Secure (HTTPS): provides secure HTTP channels.
⚫ The Transport Layer Security (TLS) protocol is added to HTTPS based on HTTP to enable identity authentication,
data encryption, and integrity verification for data transmissions. The destination port number of HTTPS is 443 and
the destination port number of HTTP is 80 by default. Currently, most websites use HTTPS to provide secure data
transmission.
[Figure: plaintext communication between an HTTP client and an HTTP server (HTTP over TCP over IP) beside ciphertext communication between an HTTPS client and an HTTPS server (HTTP over TLS over TCP over IP). TLS provides identity authentication, data encryption, and integrity verification.]
DNS
⚫ To visit a website, users need to enter the character string of the website address. However, a computer needs to
know the IP address corresponding to the domain name of the website for access. In this case, a domain name
system (DNS) is required.
⚫ DNS is classified into dynamic and static domain name resolution. Static domain name resolution is first used to
resolve a domain name. If the resolution fails, dynamic domain name resolution is used.
[Figure: a client queries the local DNS server and then accesses the resolved address X.X.X.X over the Internet.]
• IPv4 static domain name resolution requires a static domain name resolution
table, which lists the mapping created manually between domain names and
IPv4 addresses. This table is similar to the hosts file in a Windows operating
system. The table contains commonly used domain names. After searching for a
specified domain name in the resolution table, the client can obtain the IP
address mapped to the domain name. This process improves domain name
resolution efficiency.
• Dynamic domain name resolution requires a dedicated DNS server. This server
runs the domain name resolution program, maps domain names to IP addresses,
and receives DNS requests from clients.
Transport Layer
⚫ A transport-layer protocol receives data from an application-layer protocol, encapsulates the data with
the corresponding transport-layer protocol header, and helps establish an end-to-end connection.
[Figure: protocol stack with the transport layer, whose PDU is the segment, highlighted.]
Transport-layer protocols:
• TCP: a connection-oriented, reliable transport-layer communication protocol defined by the IETF in RFC 793.
• UDP: a simple connectionless transport-layer protocol defined by the IETF in RFC 768.
TCP and UDP – Packet Formats
▫ Source port: The field identifies the application that sends the packet and is 16
bits long.
▫ Destination port: The field identifies the application that receives the packet
and is 16 bits long.
▫ Length: The field specifies the total length of a UDP packet header and data.
The possible minimum length of the field is 8 bytes, as a UDP packet header
has used 8 bytes. Due to this field, the total length of a UDP packet cannot
exceed 65535 bytes, including an 8-byte header and 65527 bytes of data.
▫ Checksum: The field indicates the checksum of a UDP packet header and UDP
data and is 16 bits long.
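The UDP header described above, built and checked in Python as an added example (not course material): the fixed 8-byte header, the 65535-byte limit imposed by the 16-bit Length field, and the 16-bit checksum, which UDP computes over an IPv4 pseudo-header (source and destination addresses, protocol 17, UDP length) plus the datagram; that pseudo-header is standard UDP behaviour rather than something the slide shows. Addresses, ports, and the payload are constructed sample values.

```python
import ipaddress
import struct

UDP_HEADER_LEN = 8       # the UDP header is always 8 bytes (four 16-bit fields)
UDP_MAX_LENGTH = 65535   # largest value the 16-bit Length field can carry
UDP_PROTOCOL = 17        # IPv4 protocol number of UDP, used in the pseudo-header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, the arithmetic behind the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              payload: bytes) -> bytes:
    """Encapsulate payload in a UDP datagram carrying a correct checksum."""
    length = UDP_HEADER_LEN + len(payload)
    if length > UDP_MAX_LENGTH:
        raise ValueError("UDP datagram exceeds 65535 bytes (16-bit Length field)")
    # The checksum is computed with the Checksum field itself set to zero.
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src_ip, dst_ip, length)
                                        + header + payload)
    csum = csum or 0xFFFF   # a computed 0 is sent as 0xFFFF; 0 means "no checksum"
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip: str, dst_ip: str, datagram: bytes) -> dict:
    """Decode the four header fields and verify the checksum."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(datagram):
        raise ValueError("invalid UDP Length field: %d" % length)
    if csum == 0:
        checksum_ok = None   # sender disabled the checksum (allowed over IPv4)
    else:
        # With the Checksum field included, a valid datagram sums to 0xFFFF.
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length)
                                    + datagram[:length])
        checksum_ok = total == 0xFFFF
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum_ok": checksum_ok, "data": datagram[UDP_HEADER_LEN:length]}


if __name__ == "__main__":
    # Constructed sample: a client on an ephemeral port queries DNS (port 53).
    dgram = build_udp("10.0.0.1", "10.0.0.2", 1024, 53, b"hello")
    print(parse_udp("10.0.0.1", "10.0.0.2", dgram))
    corrupted = dgram[:-1] + b"\x00"       # damage the last payload byte in transit
    print(parse_udp("10.0.0.1", "10.0.0.2", corrupted)["checksum_ok"])
```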
TCP and UDP – Port Numbers
⚫ TCP and UDP distinguish different services using different port numbers. Generally, the source port used by a client is randomly
allocated, and the destination port is specified by the application on the server. The source port number is usually greater than 1023
and not already in use. The destination port number is the listening port number of the application (service) enabled on the
server. For example, the default port number for HTTP is 80.
[Figure: a client at IP address 1.1.1.1 uses source TCP ports 1024 and 1231 to reach a server at 2.2.2.2 listening on TCP ports 80 and 23; the IP address is compared to a house number.]
Network Layer
⚫ The transport layer establishes connections between processes on different hosts, and the network
layer transmits data from one host to another.
[Figure: protocol stack with the network layer highlighted; the network layer sends packets from a source host to a destination host.]
IP Packet Header
[Figure: an Ethernet frame carrying an IP packet (Ethernet header, IP header, TCP header, user data, Ethernet trailer), and the IP packet header laid out in 32-bit words (bits 0 to 31), ending with the destination IP address and the variable-length IP options field.]
IP Packet Forwarding
⚫ The network-layer header of a packet sent by a source device carries the network-layer addresses of the source and
destination devices. Each network device (such as a router) with routing functions maintains a routing table. After
receiving a packet, the network device reads the network-layer destination address of the packet, searches the
address in the routing table for the matching entry, and forwards the packet according to the instruction of the
matching entry.
[Figure: PC1 on the router's GE0/0/0 side encapsulates the IP header, including the source and destination IP addresses. The router's routing table maps Network A to outbound interface GE0/0/1, behind which PC2 sits in Network A.]
▫ When receiving data from an upper layer (such as the transport layer), the
network layer encapsulates an IP packet header and adds the source and
destination IP addresses to the header.
▫ Each passing network device, such as a router, maintains a routing table that
guides IP packet forwarding like a map. After receiving an IP packet, the
router forwards the packet by searching its IP routing table based on the
destination IP address.
▫ When the IP packet reaches the destination host, the destination host
determines whether to accept the packet based on the destination IP address
and then processes the packet accordingly.
• The IP protocol works together with routing protocols such as OSPF, IS-IS, and
BGP to help routers establish routing tables and to conduct network control and
network status diagnosis.
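As an added example (not from the course), a small Python model of the three steps above: the routing table maps destination networks to outbound interfaces, a router forwards each packet by its most specific matching entry (longest-prefix match, which is how real routing tables resolve overlapping entries) or reports that it has no route, and the destination host accepts only packets addressed to itself. Interface names, prefixes, and addresses are constructed sample values.

```python
import ipaddress


class RoutingTable:
    """Destination network -> outbound interface (and optional next hop)."""

    def __init__(self):
        self.entries = []   # list of (network, outbound_interface, next_hop)

    def add(self, prefix, out_iface, next_hop=None):
        """A directly connected network has no next hop; a remote one does."""
        self.entries.append((ipaddress.ip_network(prefix), out_iface, next_hop))

    def lookup(self, dst_ip):
        """Longest-prefix match: the most specific entry containing dst_ip wins."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, iface, nh in self.entries:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface, nh)
        return best


def forward_packet(table, packet):
    """What a router does on receipt: read the destination address, search the
    routing table, and forward by the matching entry or report no route."""
    match = table.lookup(packet["dst"])
    if match is None:
        return {"action": "drop", "reason": "destination network unreachable"}
    net, iface, nh = match
    return {"action": "forward", "via": iface, "matched": str(net),
            # directly connected: deliver to the destination itself
            "next_hop": nh if nh is not None else packet["dst"]}


def host_receive(host_ips, packet):
    """The destination host accepts only packets addressed to one of its own IPs."""
    return packet["dst"] in host_ips


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("192.168.1.0/24", "GE0/0/1")               # Network A, directly connected
    rt.add("192.168.0.0/16", "GE0/0/2", "10.0.0.2")   # less specific, via a next hop
    rt.add("0.0.0.0/0", "GE0/0/3", "10.0.1.1")        # default route
    for dst in ("192.168.1.10", "192.168.2.10", "8.8.8.8"):
        print(dst, forward_packet(rt, {"src": "10.0.0.5", "dst": dst}))
```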
ICMP
⚫ The Internet Control Message Protocol (ICMP) is an auxiliary IP protocol.
⚫ ICMP is used to transmit error and control information between network devices. It plays an important role in
collecting network information as well as diagnosing and rectifying network faults.
• ICMP works at the network layer to ensure correct forwarding of IP packets and
successful data packet exchange. ICMP allows hosts or devices to report errors or
exceptions during packet transmission.
▫ The format of an ICMP message depends on the Type and Code fields. The
Type field indicates the message type, and the Code field indicates specific
parameters of the message type.
▫ An ICMP message contains a 32-bit variable field. Generally, this field is not
used and is set to 0.
▪ An Echo Request message contains the identifier and sequence number. The
source device associates a received Echo Reply message with an Echo
Request message it sends based on the two parameters. Especially when
the source sends multiple Echo Request messages to the destination, the
Echo Request and Echo Reply messages must be matched based on the
identifiers and sequence numbers.
ICMP Error Check
⚫ The ICMP Echo Request message and ICMP Echo Reply message are usually used to check network connectivity
between source and destination addresses, and to provide other information, such as the round-trip time of packets.
⚫ A typical ICMP application is the ping command. Ping is a common tool for checking network connectivity and
collecting related information. In the ping command, users can assign different parameters, such as the length and
number of ICMP packets, and the timeout period for waiting for a reply. Devices construct and send ICMP packets
based on the parameters to perform ping tests.
[Figure: RTA (10.0.0.1) and a second router (10.0.0.2) on network 10.0.0.0/24; the second router (20.0.0.1) and Server A (20.0.0.2) on network 20.0.0.0/24. Echo Requests travel from RTA to Server A and Echo Replies travel back.]
[RTA] ping 20.0.0.2
PING 20.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 20.0.0.2: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 20.0.0.2: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 20.0.0.2: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 20.0.0.2: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 20.0.0.2: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 20.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/40/70 ms
ICMP Error Report
⚫ ICMP defines various error messages for diagnosing network connectivity faults. Based on the error messages, the
source device can determine the cause of a data transmission failure. For example, when a network device cannot
reach a target network, it automatically sends an ICMP destination unreachable message to the sending device.
⚫ Tracert traces the packet forwarding path hop by hop based on the time to live (TTL) value in the packet header. It
is an effective method to check packet loss and delay and to help administrators find routing loops on a
network.
• ICMP defines various error messages for diagnosing network connectivity faults.
Based on the error messages, the source can determine the cause of a data
transmission failure.
▫ If a loop occurs on a network, packets are looped and the TTL times out. In
this case, the device sends a TTL timeout message to the sender.
▫ If the destination is unreachable, the intermediate device sends a destination
unreachable message to the sender. Destinations are unreachable due to
various causes. If the device cannot find the destination network, it sends a
destination network unreachable message. If the device cannot find the
destination host on the destination network, it sends a message indicating the
destination host is unreachable.
• Tracert is another typical application of ICMP. Tracert traces the packet
forwarding path hop by hop based on the TTL value in the packet header. To
trace the path to a specific destination address, the source end first sets the TTL
value of the packet to 1. After the packet reaches the first node, the TTL times
out. Therefore, this node sends a TTL timeout message carrying the timestamp to
the source end. Then, the source end sets the TTL value of the packet to 2. After
the packet reaches the second node, the TTL times out. This node also returns a
TTL timeout message. The process repeats until the packet reaches the
destination. In this way, the source end can trace each node through which the
packet passes according to the returned messages. This allows the source end to
calculate the round-trip time according to the timestamp information.
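The ping and tracert behaviour just described, simulated in Python as an added example (not course code): Echo Requests carry the identifier and sequence number in the 32-bit field so that replies can be matched, every simulated router decrements the TTL and returns a TTL timeout (Time Exceeded) message when it reaches 0, a router with no route returns a destination unreachable message, and tracert probes with TTL 1, 2, 3, ... until the destination answers. The router and server addresses follow the slide's topology; the initial TTL, identifiers, and payload are constructed values.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
INITIAL_TTL = 255   # constructed: TTL the simulated source puts in its IP header


def icmp_checksum(msg: bytes) -> int:
    """16-bit one's-complement checksum over the whole ICMP message."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return 0xFFFF - total


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Type (1) | Code (1) | Checksum (2) | 4-byte 'rest of header' | payload."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def echo_request(identifier: int, sequence: int, payload: bytes = b"\x00" * 56) -> bytes:
    return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", identifier, sequence), payload)


def parse_icmp(msg: bytes) -> dict:
    msg_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": msg_type, "code": code, "payload": msg[8:],
            "checksum_ok": icmp_checksum(msg) == 0}   # a valid message sums to 0xFFFF
    if msg_type in (ECHO_REQUEST, ECHO_REPLY):       # the 32-bit field holds id + sequence
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
    return info


class SimulatedPath:
    """Routers between source and destination. Each router decrements the TTL;
    when it reaches 0 the router returns a Time Exceeded message to the source."""

    def __init__(self, routers, destination):
        self.routers = routers          # router addresses, nearest to the source first
        self.destination = destination  # the only host that answers Echo Requests

    def send(self, dst_ip: str, ttl: int, request: bytes):
        """Returns (address that replied, ICMP reply bytes)."""
        for hop in self.routers:
            ttl -= 1
            if ttl == 0:                # TTL timeout: quote the first 8 bytes of the original
                return hop, build_icmp(TIME_EXCEEDED, 0, b"\x00" * 4, request[:8])
        if dst_ip != self.destination:  # no route: last router reports network unreachable
            return self.routers[-1], build_icmp(DEST_UNREACH, 0, b"\x00" * 4, request[:8])
        req = parse_icmp(request)       # destination answers with the same id and sequence
        rest = struct.pack("!HH", req["identifier"], req["sequence"])
        return dst_ip, build_icmp(ECHO_REPLY, 0, rest, req["payload"])


def ping(path: SimulatedPath, dst_ip: str, count: int = 5, identifier: int = 0x1234) -> dict:
    """Like the ping command: send count Echo Requests, match each reply by (id, seq)."""
    received = 0
    for seq in range(1, count + 1):
        _, reply = path.send(dst_ip, INITIAL_TTL, echo_request(identifier, seq))
        r = parse_icmp(reply)
        if (r["type"] == ECHO_REPLY and r["checksum_ok"]
                and (r["identifier"], r["sequence"]) == (identifier, seq)):
            received += 1
    return {"transmitted": count, "received": received,
            "loss_pct": 100.0 * (count - received) / count}


def tracert(path: SimulatedPath, dst_ip: str, max_hops: int = 30) -> dict:
    """Like tracert: probe with TTL 1, 2, 3, ... and record who answered each time."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, reply = path.send(dst_ip, ttl, echo_request(0x5678, ttl))
        hops.append(who)
        reply_type = parse_icmp(reply)["type"]
        if reply_type == ECHO_REPLY:
            return {"reached": True, "hops": hops}
        if reply_type == DEST_UNREACH:
            return {"reached": False, "hops": hops}
    return {"reached": False, "hops": hops}


if __name__ == "__main__":
    # Constructed topology from the slide: RTA -> router (10.0.0.2) -> Server A (20.0.0.2)
    path = SimulatedPath(["10.0.0.2"], "20.0.0.2")
    print(ping(path, "20.0.0.2"))
    print(tracert(path, "20.0.0.2"))
    print(tracert(path, "30.0.0.2"))   # no such host: ends with destination unreachable
```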
OSPF
⚫ Communications between different networks are implemented through routes. There are three types of
routes: direct routes, static routes, and dynamic routes. Dynamic routes have been widely used on
networks for high flexibility, reliability, and scalability.
⚫ OSPF is the most widely used dynamic routing protocol on enterprise networks.
[Figure: routers running OSPF synchronize the LSDB of each router; switches and hosts attach below them.]
• Link State Database (LSDB): indicates the database for saving the link status
information synchronized by OSPF devices for route calculation.
OSPF Area
⚫ An OSPF area ID is used to identify an OSPF area.
⚫ An OSPF area is regarded as a logical group of devices.
⚫ Single-area or multi-area networking can be deployed in enterprises based on scales and requirements.
[Figure: a campus network with the firewall and server cluster above core switches in Area 0, and aggregation switches in the areas below.]
• OSPF areas are classified as either a backbone area (with area ID 0) or non-
backbone areas.
Data Link Layer
⚫ The data link layer is located between the network layer and the physical layer, providing services for
protocols such as IP and IPv6 at the network layer.
⚫ Ethernet is the most common data link layer protocol.
[Figure: protocol stack with the data link layer, whose PDU is the frame, between the network layer and the physical layer.]
• The data link layer provides intra-segment communication for the network layer.
• The functions of the data link layer include framing, physical addressing, and error control.
• Common data link layer protocols include Ethernet, PPPoE, and PPP.
Ethernet Frame Structure
⚫ The frames used by Ethernet technology are referred to as Ethernet frames. Ethernet frames are in two
formats, namely, Ethernet II and IEEE 802.3.
⚫ A medium access control (MAC) address uniquely identifies a network interface card (NIC). MAC
addresses are used for intra-segment communication, with 48 bits in length, such as 00-1E-10-DD-DD-
02.
Total length of a data frame: 64–1518 bytes
Ethernet_II format: DMAC (6B) | SMAC (6B) | Type (2B) | User data (46–1500B) | FCS (4B)
IEEE 802.3 format: DMAC (6B) | SMAC (6B) | Length (2B) | LLC (3B) | SNAP (5B: Org Code 3B + Type 2B) | User data (38–1492B) | FCS (4B)
• Ethernet II frame:
▫ DMAC: indicates the destination MAC address, with 6 bytes in length,
identifying the MAC address of the receiver.
▫ SMAC: indicates the source MAC address, with 6 bytes in length, identifying
the MAC address of the sender.
▫ Type: indicates the protocol type, with 2 bytes in length. Common values
are as follows:
▪ 0x0800: Internet Protocol Version 4 (IPv4)
▪ 0x0806: Address Resolution Protocol (ARP)
• IEEE 802.3 LLC frame:
▫ SNAP: Sub-network Access Protocol, consisting of the Org Code field and
the Type field.
▫ FCS: Frame Check Sequence, a 32-bit cyclic redundancy check (CRC) code
used to detect whether any error occurred during frame transmission.
▫ Logical link control (LLC) consists of the destination service access point
(DSAP), source service access point (SSAP), and Ctrl field.
▪ DSAP: indicates the destination service access point, with 1 byte in
length. If the subsequent type is IP frame, the value is set to 0x06. The
function of a service access point is similar to the Type field in an
Ethernet II frame or the port number in TCP/UDP.
▪ SSAP: indicates the source service access point, with 1 byte in length.
If the subsequent type is IP frame, the value is set to 0x06.
▪ Ctrl: indicates unnumbered IEEE 802.2 information of a connectionless
service, with 1 byte in length, usually set to 0x03.
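The two frame formats above, parsed in Python as an added example (not course code). The parser tells them apart by the third field: a value of 0x0600 or more is an Ethernet II Type, a value of 1500 or less is an IEEE 802.3 Length (that rule is standard Ethernet behaviour, not stated on the slide). For 802.3 it reads the LLC DSAP/SSAP/Ctrl bytes and, when DSAP and SSAP are 0xAA (the value that announces a SNAP header), the SNAP Org Code and Type; it also recomputes the FCS, which is CRC-32 sent least-significant byte first. The build_frame helper and the MAC addresses are constructed for the demonstration.

```python
import struct
import zlib

MIN_FRAME, MAX_FRAME = 64, 1518      # including the 4-byte FCS, as on the slide
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
LLC_SNAP_SAP = 0xAA                  # DSAP/SSAP value that announces a SNAP header


def mac_to_str(raw: bytes) -> str:
    return "-".join("%02X" % b for b in raw)


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over DMAC..data, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dmac: bytes, smac: bytes, payload: bytes,
                ethertype: int = None, snap_type: int = None) -> bytes:
    """Constructed helper: ethertype given -> Ethernet II; otherwise IEEE 802.3 with
    LLC + SNAP carrying snap_type in the SNAP Type field."""
    if ethertype is not None:
        body = payload
        head = struct.pack("!6s6sH", dmac, smac, ethertype)
    else:
        body = (struct.pack("!BBB", LLC_SNAP_SAP, LLC_SNAP_SAP, 0x03)   # LLC: DSAP, SSAP, Ctrl
                + b"\x00\x00\x00" + struct.pack("!H", snap_type)        # SNAP: Org Code, Type
                + payload)
        head = struct.pack("!6s6sH", dmac, smac, len(body))             # Length field
    body = body.ljust(46, b"\x00")             # pad so the frame reaches 64 bytes
    frame = head + body
    if len(frame) + 4 > MAX_FRAME:
        raise ValueError("payload too large for one frame")
    return frame + fcs(frame)


def parse_frame(frame: bytes) -> dict:
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("frame length %d outside 64-1518 bytes" % len(frame))
    dmac, smac, type_or_len = struct.unpack("!6s6sH", frame[:14])
    body, trailer = frame[14:-4], frame[-4:]
    info = {"dmac": mac_to_str(dmac), "smac": mac_to_str(smac),
            "fcs_ok": fcs(frame[:-4]) == trailer}
    if type_or_len >= 0x0600:              # Type values start at 1536; lengths end at 1500
        info.update(format="Ethernet_II", ethertype=type_or_len, data=body)
    else:
        length = type_or_len
        if length > len(body):
            raise ValueError("802.3 Length field exceeds frame")
        dsap, ssap, ctrl = struct.unpack("!BBB", body[:3])
        info.update(format="IEEE_802.3", length=length, dsap=dsap, ssap=ssap, ctrl=ctrl)
        if dsap == ssap == LLC_SNAP_SAP:   # SNAP follows the 3-byte LLC header
            snap_type = struct.unpack("!H", body[6:8])[0]
            info.update(org_code=body[3:6].hex(), ethertype=snap_type, data=body[8:length])
        else:
            info.update(data=body[3:length])
    return info


if __name__ == "__main__":
    dst, src = bytes.fromhex("001E10DDDD02"), bytes.fromhex("001E10DDDD01")
    ip_payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header
    print(parse_frame(build_frame(dst, src, ip_payload, ethertype=ETHERTYPE_IPV4)))
    print(parse_frame(build_frame(dst, src, ip_payload, snap_type=ETHERTYPE_IPV4)))
```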
ARP
⚫ To enable normal packet forwarding, the MAC address of the destination host or of the gateway must be
obtained. For this purpose, Address Resolution Protocol (ARP) is used to obtain the MAC address that corresponds to
a known IP address.
• ARP is a TCP/IP protocol that obtains the data link layer address associated with
a given IP address.
▫ Maintaining the ARP entry used to store the mapping between a MAC
address and a destination IPv4 address.
[Figure: a PC accessing www.huawei.com; the application-layer data is encapsulated layer by layer down the protocol stack.]
• Assume that you are accessing Huawei's official website through the IE browser.
After you enter the website address in the address box and press Enter, the
following things occur on your computer:
▫ The IE browser (the application) uses HTTP (the application layer protocol)
to encapsulate the application-layer data. (As shown in the above figure,
data should also include an HTTP header, which is not shown here.)
▫ The TCP module adds the corresponding TCP header information (such as
the source and destination port numbers) to the data transmitted from the
application layer. In this case, the protocol data unit (PDU) is called a
segment.
▫ After receiving the segment from the TCP module, the IPv4 module
encapsulates the IPv4 header. In this case, the PDU is called a packet.
▫ As the data link layer uses the Ethernet protocol, after the IPv4 module
completes encapsulation, the packet is sent to the Ethernet module (such
as the Ethernet NIC).
▫ After receiving the packet from the IPv4 module, the Ethernet module adds
the corresponding Ethernet header and FCS frame trailer to the packet. In
this case, the PDU is called a frame.
▫ After the Ethernet module encapsulates the packet, it sends the data to the
physical layer.
▫ Based on the physical media, the physical layer converts digital signals into
electrical signals, optical signals, or electromagnetic (wireless) signals.
• The data finally reaches the destination server after being transmitted over the
network. Based on the information of different protocol headers, the data is
decapsulated layer by layer, processed, transmitted, and finally sent to
applications deployed on the web server for data processing.
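The encapsulation sequence just described, worked in Python as an added example (not course code): HTTP data becomes a TCP segment, then an IPv4 packet, then an Ethernet II frame with FCS, and the receiving side strips the headers in reverse order, with each layer checking its own header (FCS, IP header checksum, TCP checksum) before handing the rest up. The MAC and IP addresses, the client port 1024, and the IP identification value are constructed sample values.

```python
import ipaddress
import struct
import zlib

ETHERTYPE_IPV4, IP_PROTO_TCP = 0x0800, 6


def inet_checksum(data: bytes) -> int:
    """Internet checksum: complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)   # second fold absorbs the first fold's carry
    return ~total & 0xFFFF


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def tcp_segment(src_ip, dst_ip, src_port, dst_port, data: bytes) -> bytes:
    """Transport layer: 20-byte TCP header (PSH+ACK, no options) + data = segment."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = packed(src_ip) + packed(dst_ip) + struct.pack("!BBH", 0, IP_PROTO_TCP, 20 + len(data))
    csum = inet_checksum(pseudo + hdr + data)     # computed with the Checksum field zeroed
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def ipv4_packet(src_ip, dst_ip, segment: bytes, ttl: int = 64) -> bytes:
    """Network layer: 20-byte IPv4 header (identification 0x1234 and DF are constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, IP_PROTO_TCP, 0, packed(src_ip), packed(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + segment


def ethernet_frame(dmac: bytes, smac: bytes, packet: bytes) -> bytes:
    """Data link layer: Ethernet II header + packet (padded to 46 bytes) + FCS = frame."""
    frame = struct.pack("!6s6sH", dmac, smac, ETHERTYPE_IPV4) + packet.ljust(46, b"\x00")
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def encapsulate(http_request: bytes, client: dict, server: dict) -> dict:
    """Walk the stack downwards and keep each PDU: segment, packet, frame."""
    seg = tcp_segment(client["ip"], server["ip"], client["port"], server["port"], http_request)
    pkt = ipv4_packet(client["ip"], server["ip"], seg)
    frm = ethernet_frame(server["mac"], client["mac"], pkt)   # next-hop MAC on this segment
    return {"segment": seg, "packet": pkt, "frame": frm}


def decapsulate(frame: bytes) -> dict:
    """Receiver side: each layer checks its own header and hands the rest upwards."""
    pdus = []
    if struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) != frame[-4:]:
        raise ValueError("FCS mismatch: frame discarded at the data link layer")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    pdus.append("frame")
    packet = frame[14:-4]
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:          # a correct header verifies to zero
        raise ValueError("IP header checksum mismatch")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    pdus.append("packet")
    segment = packet[ihl:total_len]               # Total Length drops the Ethernet padding
    if proto != IP_PROTO_TCP:
        raise ValueError("not a TCP segment")
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    if inet_checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    pdus.append("segment")
    return {"pdus": pdus, "src_port": src_port, "dst_port": dst_port,
            "data": segment[data_offset:]}


if __name__ == "__main__":
    client = {"mac": bytes.fromhex("001E10DDDD01"), "ip": "192.168.1.10", "port": 1024}
    server = {"mac": bytes.fromhex("001E10DDDD02"), "ip": "10.1.1.80", "port": 80}
    out = encapsulate(b"GET / HTTP/1.1\r\nHost: www.huawei.com\r\n\r\n", client, server)
    print({k: len(v) for k, v in out.items()})
    print(decapsulate(out["frame"]))
```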
Typical Enterprise Campus Network Architecture
⚫ A typical enterprise campus network consists of switches, routers, firewalls, and servers.
[Figure: a layered campus network with an egress layer, a core layer, an aggregation layer, and an access layer.]
[Figure: a switch connecting Host A on GE 0/0/1 and Host B on GE 0/0/2.]
• Layer 2 switches work at the data link layer and forward frames based on MAC
addresses. The switch ports used to send data are independent of the switch
ports used to receive data. Each port belongs to a different collision domain,
which effectively isolates collision domains on the network.
• Layer 2 switches maintain the mapping between MAC addresses and ports by
learning the source MAC addresses of Ethernet frames. The table that stores the
mapping between MAC addresses and ports is called a MAC address table. Layer
2 switches look up the MAC address table to determine the port to which frames
are forwarded based on the destination MAC address.
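A minimal Python model of the Layer 2 forwarding described above, added here as an example (not course code): the switch learns the source MAC address of every frame against the port it arrived on, floods unknown unicast and broadcast frames out of every other port, filters (drops) a frame whose destination is already known to be on the ingress port, and ages out stale entries. The 300-second aging time, the port names, the MAC addresses, and the make_frame helper (a bare 14-byte Ethernet header, no FCS) are constructed for the demonstration.

```python
BROADCAST = bytes.fromhex("FFFFFFFFFFFF")


def mac_str(raw: bytes) -> str:
    return "-".join("%02X" % b for b in raw)


def make_frame(dmac: bytes, smac: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed helper: DMAC | SMAC | Type | payload (no FCS)."""
    return dmac + smac + ethertype.to_bytes(2, "big") + payload


class Layer2Switch:
    """Forwards frames by destination MAC using a MAC address table it learns
    from the source MAC addresses of received frames."""

    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.mac_table = {}        # MAC (bytes) -> (port, time last seen)
        self.aging_time = aging_time

    def age_out(self, now):
        """Forget entries whose owner has been silent longer than aging_time."""
        stale = [m for m, (_, seen) in self.mac_table.items() if now - seen > self.aging_time]
        for m in stale:
            del self.mac_table[m]

    def receive(self, in_port, frame: bytes, now=0):
        """Returns the list of ports the frame is sent out of (empty = filtered)."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        dmac, smac = frame[:6], frame[6:12]
        self.age_out(now)
        if not smac[0] & 1:                           # learn unicast sources only
            self.mac_table[smac] = (in_port, now)     # also tracks a host that moved ports
        flood = [p for p in self.ports if p != in_port]
        if dmac == BROADCAST or dmac[0] & 1:          # broadcast / multicast: flood
            return flood
        entry = self.mac_table.get(dmac)
        if entry is None:                             # unknown unicast: flood
            return flood
        out_port, _ = entry
        if out_port == in_port:                       # destination shares the ingress port
            return []
        return [out_port]

    def table(self):
        return {mac_str(m): port for m, (port, _) in self.mac_table.items()}


if __name__ == "__main__":
    host_a, host_b = bytes.fromhex("001E10DDDD01"), bytes.fromhex("001E10DDDD02")
    sw = Layer2Switch(["GE0/0/1", "GE0/0/2", "GE0/0/3"])
    print(sw.receive("GE0/0/1", make_frame(host_b, host_a)))   # B unknown: flooded
    print(sw.receive("GE0/0/2", make_frame(host_a, host_b)))   # A known: one port
    print(sw.table())
```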
Router
⚫ Routers work at the network layer to ensure that packets can be forwarded between different
networks.
[Figure: Host A and Host B connected through Router A, Router B, and Router C; each router processes the network, data link, and physical layers of every packet it forwards.]
[Table: firewall security zones, such as the DMZ, and their default security priorities.]
• The earliest firewalls were developed in the 1980s. Over the two decades, the
development history of firewalls can be divided into the following three phases:
▫ First phase (from 1989 to 1994): Packet filtering firewalls, also known as
first-generation firewalls, were developed in 1989 for simple access control.
Then, proxy firewalls, also known as second-generation firewalls, were
developed, acting as a proxy for communication between the intranet and
extranet at the application layer. After that, firewalls based on the stateful
inspection technology were developed by Check Point in 1994. The firewalls
determine the actions to be taken on packets by dynamically analyzing
packet status. They are also known as third-generation firewalls due to fast
processing speed and high security as they do not need to proxy each
application.
▫ Second phase (from 1995 to 2004): Other functions, such as VPN, were
added to firewalls. In addition, web application firewalls (WAFs) were
developed for web server security protection. In 2004, the industry proposed
the concept of Unified Threat Management (UTM). With UTM, a firewall
can implement all-round network security protection with the integration of
various functions, including traditional firewall functions, intrusion
detection, antivirus, URL filtering, application control, and mail filtering.
▫ Third phase (from 2005 until now): The rapid development of the UTM
market since 2004 led to the proliferation of UTM products, causing new
challenges. First, the application-layer information detection is limited and
a more advanced detection method is required, facilitating the wide
application of the deep packet inspection (DPI) technology. Second,
performance is affected. When multiple functions are running at the same
time, the processing performance of UTM devices deteriorates greatly. To
solve the performance deterioration issue, the next-generation firewall was
released in the industry in 2008. The firewall can perform management and
control based on users, applications, and content. In 2009, the industry
specified the functions and features of the next-generation firewall.
Subsequently, multiple security vendors launched their next-generation
firewall products, leading to a new era of firewalls.
Firewall Functions
⚫ Firewalls protect a network against attacks and intrusions from another network. With isolation and defense attributes, firewalls can be deployed at enterprise network egresses, subnet borders of large-scale networks, and data center (DC) borders.
⚫ The functions of firewalls are as follows:
▫ Isolating networks of different security levels
▫ Implementing access control (using security policies) between networks of different security levels
▫ Implementing user identity authentication
▫ Implementing remote access
▫ Implementing data encryption and VPN services
▫ Implementing network address translation
▫ Implementing other security functions
[Figure: Internet egress firewalls with a DMZ separate the enterprise from Internet users, partners, employees on the move, and Branch 1 and Branch 2 (reached over the Internet or a private line); firewalls at the core switch and DC egress firewalls protect the data center, whose service areas 1 to 3 sit beside the RADIUS, Controller, eSight, LogCenter, and Sandbox systems.]
Comparison Between Firewalls, Switches and Routers
⚫ The main functions of switches, routers, and firewalls differ: switches construct LANs, routers connect
different networks, and firewalls are deployed at network borders.
⚫ The core feature of routers and switches is packet forwarding, while that of firewalls is network access
control.
▫ Firewall: packet forwarding control, attack defense, as well as virus and Trojan horse prevention; handles external network access traffic.
▫ Router: addressing and data forwarding, as well as network interconnection assurance.
▫ Switch: LAN construction and Layer 2 and Layer 3 fast packet forwarding; handles internal network access traffic from hosts.
▫ The core feature of routers and switches is packet forwarding, while that of
firewalls is network access control.
▫ Switches are usually used to construct LANs as important hubs for LAN
communication and forward packets quickly through Layer 2 or Layer 3
switching.
Username: admin
Password: Admin@123
Info: The max number of VTY users is 21, the number of
current VTY users online is 0, and total number of terminal
users online is 1.
<FW> display this
#
sysname FW
#
command-privilege level 0 view system interface
#
Return
• Web login
⚫ The ip address command is used to configure an IP address for a physical or logical interface on a device.
⚫ View current configurations.
<FW> display current-configuration
• Users can run the ip address ip-address { mask | mask-length } [ sub ] command
to configure an IP address for an interface. In this command, the mask field
indicates the subnet mask, such as 255.255.255.0, and the mask-length field
indicates the mask length, such as 24. Users can either configure the subnet
mask or mask length.
• When configuring an IP address for a physical interface, check the physical status
of the interface. By default, an interface of a Huawei router or switch is in the Up
state. If the interface has been manually disabled, run the undo shutdown
command to enable the interface.
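As an added example (not Huawei course code), the following Python parses the ip address ip-address { mask | mask-length } [ sub ] syntax described in this note, accepting either mask form, rejecting non-contiguous or hostmask-style masks, and flagging the sub keyword. The rejection of a network or broadcast address as an interface address is a sanity check chosen for this example, not a statement of VRP behaviour.

```python
import ipaddress

# Added example for this note (not Huawei course code): parse the VRP
# "ip address ip-address { mask | mask-length } [ sub ]" syntax and
# normalise either mask form to an IPv4Interface.


def parse_ip_address_command(line: str) -> tuple[ipaddress.IPv4Interface, bool]:
    """Return (interface, is_secondary) for one 'ip address' command line.

    The mask may be dotted (255.255.255.0) or a length (24); the optional
    trailing 'sub' keyword marks a secondary address. Anything malformed,
    including a non-contiguous mask such as 255.0.255.0, raises ValueError.
    """
    tokens = line.strip().split()
    if len(tokens) < 4 or tokens[:2] != ["ip", "address"]:
        raise ValueError(f"not an 'ip address' command: {line!r}")
    addr, mask, rest = tokens[2], tokens[3], tokens[4:]
    if rest not in ([], ["sub"]):
        raise ValueError(f"unexpected trailing tokens: {rest}")
    if mask.isdigit() and not 0 <= int(mask) <= 32:
        raise ValueError(f"mask length out of range: {mask}")
    # ipaddress accepts "a.b.c.d/24" and "a.b.c.d/255.255.255.0" and rejects
    # non-contiguous dotted masks with a ValueError-derived error.
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    # ipaddress also accepts hostmasks such as 0.0.0.255; VRP syntax wants
    # a subnet mask, so require the dotted form to round-trip unchanged.
    if not mask.isdigit() and str(iface.netmask) != mask:
        raise ValueError(f"not a subnet mask: {mask}")
    # Sanity check added in this example (not a statement of VRP behaviour):
    # an interface address should not be the network or broadcast address.
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return iface, rest == ["sub"]


def mask_to_length(mask: str) -> int:
    """Convert a dotted subnet mask to its length, e.g. 255.255.255.0 -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def is_valid_ip_address_command(line: str) -> bool:
    """True if the line is a well-formed 'ip address' command."""
    try:
        parse_ip_address_command(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample lines, as they might appear in "display this" output.
    for sample in ("ip address 192.168.1.1 255.255.255.0",
                   "ip address 10.0.0.2 24 sub",
                   "ip address 10.0.0.2 255.0.255.0"):
        print(sample, "->", is_valid_ip_address_command(sample))
```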
Basic Configuration Commands (2/2)
⚫ Clear saved configuration data.
<FW> reset saved-configuration
⚫ Specify the configuration file that the device loads for next startup, for example during an upgrade.
⚫ Restart the device.
<FW> reboot
• The display startup command is used to display related system software, backup
system software, configuration files, license files, patch files, and voice files for
current and next startup.
• The reboot command is used to restart a device and prompt users to confirm
whether to save current configurations before the device restarts.
GUI (1/2)
⚫ Firewall GUIs include the function tab, menu navigation tree, operation area, common operation button area, and CLI console.
[Figure: firewall web UI layout with the menu navigation tree, operation area, and CLI console labeled]
GUI (2/2)
⚫ The function tab on the GUI displays firewall functions based on types and is commonly used during firewall configurations on the web UI.
Dashboard: Allows you to quickly view device status and monitor the system running status.
Monitor: Provides comprehensive O&M methods, allowing you to view logs and statistics as well as diagnose device faults.
Policy: Allows you to configure service policies such as security policies and bandwidth policies to control traffic forwarding and defend against network threats.
Object: Allows you to configure common elements such as addresses and services that are referenced by various service policies, simplifying service configuration.
Network: Allows you to configure network communication functions, such as interfaces, routes, and VPNs, which are the basis for devices to access the network.
System: Allows you to configure device management functions, such as administrator, clock, SNMP, and system upgrade, providing a basis for normal system running.
Configuration File Management
⚫ Choose System > Configuration File Management to view the current configuration file and specify a
configuration file for next startup.
Version Upgrade
⚫ Choose System > System Upgrade to upgrade the system software, patch files, and feature package
files.
Quiz
A. HTTP
B. DNS
C. FTP
D. OSPF
2. (True or False) Data connection is initiated by the client in active FTP mode. ( )
A. True
B. False
Answers: 1. ABC; 2. B
Summary
⚫ This course describes the TCP/IP reference model, which consists of five layers: the application layer, transport layer, network layer, data link layer, and physical layer. Each layer provides services for the layer above it and uses its own set of protocols. The course also introduces some common protocols, such as ARP, ICMP, FTP, and HTTPS.
⚫ This course describes the typical enterprise network architecture, common network devices,
such as switches, routers, and firewalls, as well as the CLI-based and GUI-based firewall
configuration modes.
Recommendations
⚫ Visit Huawei official websites:
Enterprise service: https://e.huawei.com/en/
Technical support: https://support.huawei.com/enterprise/en/index.html
Online learning: https://learning.huawei.com/en/
Acronyms and Abbreviations (1/3)
Acronym and Abbreviation Full Name
ACK Acknowledge
ARP Address Resolution Protocol
C/S Client/Server
CLI Command Line Interface
FIN Finish
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICMP Internet Control Message Protocol
IGMP Internet Group Management Protocol
IP Internet Protocol
Acronyms and Abbreviations (2/3)
Acronym and Abbreviation Full Name
IS-IS Intermediate System to Intermediate System
MAC Media Access Control
OSI Open Systems Interconnection
PPP Point-to-Point Protocol
PPPoE Point-to-Point Protocol over Ethernet
SFTP Secure File Transfer Protocol
SMTP Simple Mail Transfer Protocol
SSH Secure Shell Protocol
STelnet Secure Telnet
SYN Synchronize Sequence Numbers
TCP Transmission Control Protocol
Acronyms and Abbreviations (3/3)
Acronym and Abbreviation Full Name
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security
TTL Time To Live
UDP User Datagram Protocol
URL Universal Resource Locator
UTM Unified Threat Management
VPN Virtual Private Network
WAF Web Application Firewall
WWW World Wide Web
OSPF Open Shortest Path First
LSDB Link State Database
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.