
Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Layer-3 Dual-NGFW Module Deployment, Switch Stack, and PBR-based Traffic Diversion

Networking Requirements

As shown in Figure 1-28, two CE12800 switches are deployed in a stack and two NGFW Modules are installed in slot 1 on the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. Two NGFW Modules work in active/standby mode.

Figure 1-28 Networking for Layer-3 dual-NGFW Module deployment and switch stack
NOTE:

The NGFW Module has four fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/3. The numbering of internal Ethernet interfaces on the CE12800 is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the CE12800, the internal Ethernet interfaces used by the CE12800 are 10GE1/0/0 to 10GE1/0/3.

Deployment Solution

  1. Figure 1-28 can be abstracted as Figure 1-29. You can understand the mapping between the two figures based on interface numbers and actual traffic directions.

    As shown in Figure 1-29, a default route (next hop: VLANIF201) to the public network, a specific route (next hop: VLANIF202) to the Trust zone, and a specific route (next hop: VLANIF203) to the DMZ need to be configured on the NGFW modules. PBR needs to be configured on the switches to direct traffic to the firewalls.

    Figure 1-29 Configuring VRRP on the NGFW modules and PBR on the switches
    NOTE:

    Figure 1-29 lists only the core switch interfaces involved in the connection with the NGFW Modules.

  2. Specify Eth-trunk0 as the heartbeat interface and enable hot standby on each NGFW Module.

  3. After configuring hot standby, configure security policies, NAT policies, IPS, and attack defense on NGFW Module_A. The configurations on NGFW Module_A will be automatically synchronized to NGFW Module_B. This example describes only how to configure security policies and NAT policies.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure device name on NGFW Module_A.

    <CE-FWA> system-view
    [CE-FWA] sysname Module_A

    # Configure IP addresses for the interfaces on NGFW Module_A.

    NOTE:

    Only Layer-3 physical interfaces with an empty configuration can be added to an Eth-Trunk interface. For example, if LLDP is enabled on a physical interface of an NGFW Module, run the undo lldp enable command to disable LLDP before adding the physical interface to the Eth-Trunk interface.

    [Module_A] interface Eth-trunk 1
    [Module_A-Eth-trunk1] trunkport Gigabitethernet 1/0/0 to 1/0/3 
    [Module_A-Eth-trunk1] quit
    [Module_A] interface Eth-trunk 1.1
    [Module_A-Eth-trunk1.1] ip address 10.3.1.2 24
    [Module_A-Eth-trunk1.1] vlan-type dot1q 201
    [Module_A-Eth-trunk1.1] quit
    [Module_A] interface Eth-trunk 1.2
    [Module_A-Eth-trunk1.2] ip address 10.3.2.2 24
    [Module_A-Eth-trunk1.2] vlan-type dot1q 202
    [Module_A-Eth-trunk1.2] quit
    [Module_A] interface Eth-trunk 1.3
    [Module_A-Eth-trunk1.3] ip address 10.3.3.2 24
    [Module_A-Eth-trunk1.3] vlan-type dot1q 203
    [Module_A-Eth-trunk1.3] quit
    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2
    [Module_A-Eth-Trunk0] quit
    

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface Eth-trunk 1.1
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-trunk 1.2
    [Module_A-zone-trust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-trunk 1.3
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone name hrpzone
    [Module_A-zone-hrpzone] set priority 65
    [Module_A-zone-hrpzone] add interface Eth-Trunk 0
    [Module_A-zone-hrpzone] quit

    # Configure device name on NGFW Module_B.

    <CE-FWA> system-view
    [CE-FWA] sysname Module_B

    # Configure IP addresses for the interfaces on NGFW Module_B.

    [Module_B] interface Eth-trunk 1
    [Module_B-Eth-trunk1] trunkport Gigabitethernet 1/0/0 to 1/0/3 
    [Module_B-Eth-trunk1] quit
    [Module_B] interface Eth-trunk 1.1
    [Module_B-Eth-trunk1.1] ip address 10.3.1.3 24
    [Module_B-Eth-trunk1.1] vlan-type dot1q 201
    [Module_B-Eth-trunk1.1] quit
    [Module_B] interface Eth-trunk 1.2
    [Module_B-Eth-trunk1.2] ip address 10.3.2.3 24
    [Module_B-Eth-trunk1.2] vlan-type dot1q 202
    [Module_B-Eth-trunk1.2] quit
    [Module_B] interface Eth-trunk 1.3
    [Module_B-Eth-trunk1.3] ip address 10.3.3.3 24
    [Module_B-Eth-trunk1.3] vlan-type dot1q 203
    [Module_B-Eth-trunk1.3] quit
    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] trunkport GigabitEthernet 0/0/1 to 0/0/2
    [Module_B-Eth-Trunk0] quit
    

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface Eth-trunk 1.1
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-trunk 1.2
    [Module_B-zone-trust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-trunk 1.3
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone name hrpzone
    [Module_B-zone-hrpzone] set priority 65
    [Module_B-zone-hrpzone] add interface Eth-Trunk 0
    [Module_B-zone-hrpzone] quit

  2. Create static routes on NGFW Modules.

    # On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

    [Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

    # On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_B, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

    [Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-trunk1.1
    [Module_A-Eth-trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
    [Module_A-Eth-trunk1.1] quit
    [Module_A] interface Eth-trunk1.2
    [Module_A-Eth-trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
    [Module_A-Eth-trunk1.2] quit
    [Module_A] interface Eth-trunk1.3
    [Module_A-Eth-trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
    [Module_A-Eth-trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0 remote 10.10.0.2
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-trunk1.1
    [Module_B-Eth-trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
    [Module_B-Eth-trunk1.1] quit
    [Module_B] interface Eth-trunk1.2
    [Module_B-Eth-trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
    [Module_B-Eth-trunk1.2] quit
    [Module_B] interface Eth-trunk1.3
    [Module_B-Eth-trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
    [Module_B-Eth-trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0 remote 10.10.0.1
    [Module_B] hrp enable
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.

    HRP_M[Module_A] security-policy
    HRP_M[Module_A-policy-security] rule name policy_sec1
    HRP_M[Module_A-policy-security-rule-policy_sec1] source-zone trust 
    HRP_M[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
    HRP_M[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
    HRP_M[Module_A-policy-security-rule-policy_sec1] action permit
    HRP_M[Module_A-policy-security-rule-policy_sec1] quit

    # On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.

    HRP_M[Module_A-policy-security] rule name policy_sec2
    HRP_M[Module_A-policy-security-rule-policy_sec2] source-zone untrust 
    HRP_M[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
    HRP_M[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
    HRP_M[Module_A-policy-security-rule-policy_sec2] service http ftp
    HRP_M[Module_A-policy-security-rule-policy_sec2] profile ips default
    HRP_M[Module_A-policy-security-rule-policy_sec2] action permit
    HRP_M[Module_A-policy-security-rule-policy_sec2] quit
    HRP_M[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_M[Module_A] firewall interzone untrust dmz
    HRP_M[Module_A-interzone-untrust-dmz] detect ftp
    HRP_M[Module_A-interzone-untrust-dmz] quit
    

    # Configure a NAT address pool and enable port address translation.

    HRP_M[Module_A] nat address-group addressgroup1
    HRP_M[Module_A-address-group-addressgroup1] mode pat
    HRP_M[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
    HRP_M[Module_A-address-group-addressgroup1] quit

    # Configure a source NAT policy for Internet access from the specified private subnet.

    HRP_M[Module_A] nat-policy
    HRP_M[Module_A-policy-nat] rule name policy_nat1
    HRP_M[Module_A-policy-nat-rule-policy_nat1] source-zone trust
    HRP_M[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
    HRP_M[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
    HRP_M[Module_A-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1 
    HRP_M[Module_A-policy-nat-rule-policy_nat1] quit
    HRP_M[Module_A-policy-nat] quit

    # Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server in the DMZ is translated into public address 1.1.1.3:8000.

    HRP_M[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80

  5. Configure the CSS function on core switches CE12800-1 and CE12800-2.

    1. Configure stack attributes for CE12800-1 and CE12800-2. (Set a higher priority for CE12800-1, so CE12800-1 will become the master switch.)

      # Set the stack ID of CE12800-1 to 1, priority to 150, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-1
      [*HUAWEI] commit
      [~CE12800-1] stack
      [~CE12800-1-stack] stack member 1         //Configure the stack member ID. The default value is 1.
      [~CE12800-1-stack] stack priority 150     //Configure the stack priority. The default value is 100.
      [*CE12800-1-stack] stack domain 10        //Configure the domain ID.
      [*CE12800-1-stack] stack link-type mainboard-direct     //Configure the connection mode. The default mode is mainboard-direct.
      [*CE12800-1-stack] quit
      [*CE12800-1] commit
      

      # Set the stack ID of CE12800-2 to 2, priority to 100, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-2
      [*HUAWEI] commit
      [~CE12800-2] stack
      [~CE12800-2-stack] stack member 2
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE12800-2-stack] stack priority 100
      [*CE12800-2-stack] stack domain 10
      [*CE12800-2-stack] stack link-type mainboard-direct
      [*CE12800-2-stack] quit
      [*CE12800-2] commit
      
    2. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-1, add 10GE3/0/1-10GE3/0/4 and 10GE4/0/1-10GE4/0/4 to the stack port.

      [~CE12800-1] port-group group1       //Create a port group.
      [*CE12800-1-port-group-group1] group-member 10ge 3/0/1 to 10ge 3/0/4       //Add ports to the port group.
      [*CE12800-1-port-group-group1] group-member 10ge 4/0/1 to 10ge 4/0/4
      [*CE12800-1-port-group-group1] shutdown       //Shut down the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] interface stack-port 1
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 3/0/1 to 3/0/4       //Add physical ports to the stack port.
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 4/0/1 to 4/0/4
      [*CE12800-1-Stack-Port1] quit
      [*CE12800-1] commit
      [~CE12800-1] port-group group1
      [~CE12800-1-port-group-group1] undo shutdown       //Enable the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] return
      

      # The configuration procedure on CE12800-2 is the same as that on CE12800-1 and is not repeated here.

    3. Enable the stack function.

      # Enable the stack function on CE12800-1 and restart the device.

      <CE12800-1> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-1> system-view
      [~CE12800-1] stack
      [~CE12800-1-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      

      # Enable the stack function on CE12800-2 and restart the device.

      <CE12800-2> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-2> system-view
      [~CE12800-2] stack
      [~CE12800-2-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      
    4. Rename the stack system to CSS.

      <CE12800-1> system-view
      [~CE12800-1] sysname CSS
      [*CE12800-1] commit
      

  6. Configure interfaces and VLANs for core switches. This example describes how to configure interconnection between the CE12800 and NGFW modules.

    [~CSS] vlan batch 201 to 203          //Create VLANs.
    [*CSS] interface eth-trunk 5                
    [*CSS-Eth-Trunk5] description To_NGFW_Module_A
    [*CSS-Eth-Trunk5] trunkport 10ge 1/1/0/0 to 1/1/0/3    //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
    [*CSS-Eth-Trunk5] port link-type trunk                      
    [*CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 203  //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, and 203.
    [*CSS-Eth-Trunk5] quit                      
    [*CSS] commit
    [*CSS] interface eth-trunk 6                
    [*CSS-Eth-Trunk6] description To_NGFW_Module_B
    [*CSS-Eth-Trunk6] trunkport 10ge 2/1/0/0 to 2/1/0/3    //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
    [*CSS-Eth-Trunk6] port link-type trunk                      
    [*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 203  //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, and 203.
    [*CSS-Eth-Trunk6] quit                      
    [*CSS] commit
    [~CSS] interface vlanif 201
    [*CSS-Vlanif201] ip address 10.3.1.4 24
    [*CSS-Vlanif201] quit                       //Configure an IP address for VLANIF201.
    [*CSS] commit
    [~CSS] interface vlanif 202
    [*CSS-Vlanif202] ip address 10.3.2.4 24
    [*CSS-Vlanif202] quit                       //Configure an IP address for VLANIF202.
    [*CSS] commit
    [~CSS] interface vlanif 203
    [*CSS-Vlanif203] ip address 10.3.3.4 24
    [*CSS-Vlanif203] quit                       //Configure an IP address for VLANIF203.
    [*CSS] commit

  7. Configure traffic diversion on the core switch. This example describes how to configure PBR on the CE12800 to redirect traffic to the NGFW Modules.

    [~CSS] acl 3001  //Create ACL3001.
    [*CSS-acl4-advance-3001] rule 5 permit ip source 192.168.1.0 24 destination 192.168.2.0 24  //Configure a rule for ACL3001: source network segment 192.168.1.0 and destination network segment 192.168.2.0.
    [*CSS-acl4-advance-3001] rule 10 permit ip source 192.168.2.0 24 destination 192.168.1.0 24  //Configure a rule for ACL3001: source network segment 192.168.2.0 and destination network segment 192.168.1.0.
    [*CSS-acl4-advance-3001] quit
    [*CSS] commit
    [~CSS] traffic classifier c1  //Create traffic classifier c1.
    [*CSS-classifier-c1] if-match acl 3001  //Match packets exchanged between the Trust zone and DMZ with the ACL3001 rule.
    [*CSS-classifier-c1] quit
    [*CSS] commit 
    [~CSS] traffic behavior b1  //Create traffic behavior b1.
    [*CSS-behavior-b1] permit  //Permit the matching packets.
    [*CSS-behavior-b1] quit
    [*CSS] commit 
    [~CSS] acl 3002  //Create ACL3002.
    [*CSS-acl4-advance-3002] rule 5 permit ip source 192.168.1.0 24  //Configure a rule for ACL3002: source network segment 192.168.1.0.
    [*CSS-acl4-advance-3002] quit
    [*CSS] commit
    [~CSS] traffic classifier c2  //Create traffic classifier c2.
    [*CSS-classifier-c2] if-match acl 3002  //Match the packets from network segment 192.168.1.0, namely, packets from the Trust zone to the Internet, with ACL3002.
    [*CSS-classifier-c2] quit
    [*CSS] commit 
    [~CSS] traffic behavior b2  //Create traffic behavior b2.
    [*CSS-behavior-b2] redirect nexthop 10.3.2.1  //Redirect the matching packets to address 10.3.2.1, namely, the connected NGFW Module.
    [*CSS-behavior-b2] quit
    [*CSS] commit 
    [~CSS] acl 3003  //Create ACL3003.
    [*CSS-acl4-advance-3003] rule 5 permit ip source 192.168.2.0 24  //Configure a rule for ACL3003: source network segment 192.168.2.0.
    [*CSS-acl4-advance-3003] quit
    [*CSS] commit
    [~CSS] traffic classifier c3  //Create traffic classifier c3.
    [*CSS-classifier-c3] if-match acl 3003  //Match all packets from network segment 192.168.2.0, namely, all packets from the DMZ to the Internet, with the ACL3003 rule.
    [*CSS-classifier-c3] quit
    [*CSS] commit 
    [~CSS] traffic behavior b3  //Create traffic behavior b3.
    [*CSS-behavior-b3] redirect nexthop 10.3.3.1  //Redirect the matching packets to address 10.3.3.1, namely the NGFW Module.
    [*CSS-behavior-b3] quit
    [*CSS] commit
    [~CSS] traffic policy p1  //Create traffic policy p1.
    [*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5  //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p1. All packets exchanged between the Trust zone and DMZ are directly forwarded by the CE12800, without being forwarded to the NGFW Module.
    [*CSS-trafficpolicy-p1] classifier c2 behavior b2 precedence 10  //Bind traffic classifier c2 and traffic behavior b2 with traffic policy p1. All packets from the Trust zone to the Internet are redirected to the NGFW Module.
    [*CSS-trafficpolicy-p1] quit
    [*CSS] commit
    [~CSS] traffic policy p2  //Create traffic policy p2.
    [*CSS-trafficpolicy-p2] classifier c1 behavior b1 precedence 5  //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p2. All packets exchanged between the Trust zone and DMZ are directly forwarded by the CE12800, without being forwarded to the NGFW Module.
    [*CSS-trafficpolicy-p2] classifier c3 behavior b3 precedence 15  //Bind traffic classifier c3 and traffic behavior b3 with traffic policy p2. All traffic from the DMZ to the Internet is directed to the NGFW Module.
    [*CSS-trafficpolicy-p2] quit
    [*CSS] commit 
    [~CSS] interface eth-trunk 2  //Access the interface connecting the CE12800 to the Trust zone.
    [*CSS-Eth-Trunk2] traffic-policy p1 inbound  //Apply traffic policy p1 in the inbound direction of the interface connecting the CE12800 to the Trust zone.
    [*CSS-Eth-Trunk2] quit 
    [*CSS] commit 
    [~CSS] interface eth-trunk 3  //Access the view of the interface connecting the CE12800 to the DMZ.
    [*CSS-Eth-Trunk3] traffic-policy p2 inbound  //Apply traffic policy p2 in the inbound direction of the interface connecting the CE12800 to the DMZ.
    [*CSS-Eth-Trunk3] quit
    [*CSS] commit  
    [~CSS] ip route-static 1.1.1.1 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module. 
    [*CSS] ip route-static 1.1.1.2 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
    [*CSS] ip route-static 1.1.1.3 32 10.3.1.1  //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
    [*CSS] commit
    NOTE:

    In this example, the source NAT and NAT server functions are configured on the NGFW Module. From the CE12800's point of view, the destination address of traffic sent from the public network to the private network is a post-NAT (public) address. Therefore, a static route on the CE12800 is enough to direct traffic sent from the public network to these public addresses to the NGFW Module.

    If no source NAT or NAT server function is configured on the NGFW Module, the destination address of traffic sent from the public network to the private network is still a private network address when it reaches the CE12800. In this case, you need to configure a traffic policy on the upstream interface of the CE12800 to direct the traffic to the NGFW Module.

    [~CSS] acl 3004  //Create ACL3004.
    [*CSS-acl4-advance-3004] rule 5 permit ip destination 192.168.1.0 24  //Configure a rule for ACL3004: destination network segment 192.168.1.0.
    [*CSS-acl4-advance-3004] rule 10 permit ip destination 192.168.2.0 24  //Configure a rule for ACL3004: destination network segment 192.168.2.0.
    [*CSS-acl4-advance-3004] quit
    [*CSS] commit
    [~CSS] traffic classifier c4  //Create traffic classifier c4.
    [*CSS-classifier-c4] if-match acl 3004   //Match the packets whose destination network segments are 192.168.1.0 and 192.168.2.0, namely, all packets from the Internet to the intranet, with the ACL3004 rule.
    [*CSS-classifier-c4] quit
    [*CSS] commit 
    [~CSS] traffic behavior b4  //Create traffic behavior b4.
    [*CSS-behavior-b4] redirect nexthop 10.3.1.1  //Redirect the matching packets to address 10.3.1.1, namely, the NGFW Module.
    [*CSS-behavior-b4] quit
    [*CSS] commit 
    [~CSS] traffic policy p4  //Create traffic policy p4.
    [*CSS-trafficpolicy-p4] classifier c4 behavior b4 precedence 20  //Bind traffic classifier c4 and traffic behavior b4 with traffic policy p4. All traffic from the Internet to the intranet is directed to the NGFW Module.
    [*CSS-trafficpolicy-p4] quit
    [*CSS] commit 
    [~CSS] interface eth-trunk 4  //Access the view of the interface connecting the CE12800 to the Internet.
    [*CSS-Eth-Trunk4] traffic-policy p4 inbound  //Apply traffic policy p4 in the inbound direction of the interface connecting the CE12800 to the Internet.
    [*CSS-Eth-Trunk4] quit
    [*CSS] commit
    [~CSS] interface eth-trunk 5  //Access the view of the interface connecting the CE12800 to the Internet.
    [*CSS-Eth-Trunk5] traffic-policy p4 inbound  //Apply traffic policy p4 in the inbound direction of the interface connecting the CE12800 to the Internet.
    [*CSS-Eth-Trunk5] quit
    [*CSS] commit
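    To see which flows the PBR configuration of step 7 actually sends to the NGFW Modules and which ones the CE12800 forwards on its own, the following Python simulation (an added example, not Huawei code) encodes the ACLs, classifiers, behaviors, policies and interface bindings above as data and evaluates constructed sample flows. It assumes that within a traffic policy the classifier with the smallest precedence value is matched first and that the first matching classifier decides the action.

```python
"""Simulate the PBR traffic diversion configured on the CSS in step 7.

Added example, not Huawei code. The ACLs, classifiers, behaviors, policies and
interface bindings are transcribed from the configuration above; the sample
flows are constructed. Assumed evaluation rule: within a traffic policy the
smallest precedence value is matched first and the first match wins.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def _in_prefix(prefix: Optional[str], addr: str) -> bool:
    # An ACL rule without a source/destination clause matches any address.
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


# ACL number -> list of (rule id, source prefix, destination prefix)
ACLS: Dict[int, List[Tuple[int, Optional[str], Optional[str]]]] = {
    3001: [(5, "192.168.1.0/24", "192.168.2.0/24"),
           (10, "192.168.2.0/24", "192.168.1.0/24")],   # Trust <-> DMZ
    3002: [(5, "192.168.1.0/24", None)],                # from the Trust zone
    3003: [(5, "192.168.2.0/24", None)],                # from the DMZ
    3004: [(5, None, "192.168.1.0/24"),
           (10, None, "192.168.2.0/24")],               # to the intranet
}
CLASSIFIERS = {"c1": 3001, "c2": 3002, "c3": 3003, "c4": 3004}
# behavior -> (action, next hop); the next hops are the NGFW VRRP virtual IPs
BEHAVIORS: Dict[str, Tuple[str, Optional[str]]] = {
    "b1": ("permit", None),
    "b2": ("redirect", "10.3.2.1"),
    "b3": ("redirect", "10.3.3.1"),
    "b4": ("redirect", "10.3.1.1"),
}
# policy -> [(precedence, classifier, behavior)]
POLICIES = {
    "p1": [(5, "c1", "b1"), (10, "c2", "b2")],
    "p2": [(5, "c1", "b1"), (15, "c3", "b3")],
    "p4": [(20, "c4", "b4")],
}
# inbound interface -> policy applied with "traffic-policy <p> inbound"
INTERFACE_POLICY = {"Eth-Trunk2": "p1",   # interface to the Trust zone
                    "Eth-Trunk3": "p2",   # interface to the DMZ
                    "Eth-Trunk4": "p4"}   # interface to the Internet


def acl_matches(acl_number: int, src: str, dst: str) -> bool:
    """True if any rule of the ACL permits the src/dst pair."""
    return any(_in_prefix(s, src) and _in_prefix(d, dst) for _, s, d in ACLS[acl_number])


def evaluate(in_interface: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (action, next hop) for a packet entering the CSS on in_interface.

    ("permit", None): the switch forwards it itself, with no NGFW inspection.
    ("redirect", vip): PBR sends it to the NGFW VRRP virtual address vip.
    ("forward", None): no classifier matched, ordinary routing applies.
    """
    policy = INTERFACE_POLICY.get(in_interface)
    if policy is None:
        return ("forward", None)
    for _, clf, beh in sorted(POLICIES[policy]):   # smallest precedence first
        if acl_matches(CLASSIFIERS[clf], src, dst):
            return BEHAVIORS[beh]
    return ("forward", None)


def not_redirected(flows):
    """Flows PBR does not divert. Trust <-> DMZ traffic (behavior b1) is forwarded
    by the CE12800 uninspected; an unmatched flow falls back to routing, which for
    the NAT addresses means the static routes toward 10.3.1.1."""
    return [f for f in flows if evaluate(*f)[0] != "redirect"]


if __name__ == "__main__":
    SAMPLE_FLOWS = [  # constructed (in_interface, src, dst) triples
        ("Eth-Trunk2", "192.168.1.8", "192.168.2.8"),  # Trust -> DMZ web server
        ("Eth-Trunk2", "192.168.1.8", "3.3.3.3"),      # Trust -> Internet
        ("Eth-Trunk3", "192.168.2.8", "2.2.2.2"),      # DMZ -> Internet
        ("Eth-Trunk4", "2.2.2.2", "1.1.1.3"),          # Internet -> NAT server global address
        ("Eth-Trunk4", "2.2.2.2", "192.168.2.8"),      # Internet -> DMZ private address
    ]
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print("not redirected by PBR:", not_redirected(SAMPLE_FLOWS))
```

The first sample flow shows the design decision worth remembering: traffic between the Trust zone and the DMZ never reaches the NGFW Modules, so any inspection of that traffic has to happen elsewhere.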

Verification

  1. Run the display hrp state verbose command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_M[Module_A] display hrp state verbose
     Role: active, peer: standby                                                     
     Running priority: 45000, peer: 45000                                           
     Backup channel usage: 10.00%                                                    
     Stable time: 0 days, 0 hours, 2 minutes                                        
     Last state change information: 2015-09-20 0:59:32 HRP link changes to up.      
                                                                                    
     Configuration:                                                                 
     hello interval:              1000ms                                            
     preempt:                     60s                                               
     mirror configuration:        off                                               
     mirror session:              off                                                
     track trunk member:          on                                                
     auto-sync configuration:     on                                                
     auto-sync connection-status: on                                                
     adjust ospf-cost:            on                                                
     adjust ospfv3-cost:          on                                                
     adjust bgp-cost:             on                                                
     nat resource:                off                                               
                                                                                    
     Detail information:                                                            
               Eth-trunk1.1 vrrp vrid 1: active                             
               Eth-trunk1.2 vrrp vrid 2: active                            
               Eth-trunk1.3 vrrp vrid 3: active                             
                   GigabitEthernet1/0/0: up
                   GigabitEthernet1/0/1: up
                   GigabitEthernet1/0/2: up
                   GigabitEthernet1/0/3: up
                              ospf-cost: +0            
                            ospfv3-cost: +0         
                               bgp-cost: +0
    
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_M[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.

    HRP_M[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
  4. Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the status switchover is normal, NGFW Module_B switches to the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_M, and the command prompt of NGFW Module_A changes from HRP_M to HRP_S. No ping packets, or only a few (1 to 3, depending on the actual network environment), are discarded.

    Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the status switchover is normal, NGFW Module_A switches back to the active device and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_M, and the command prompt of NGFW Module_B changes from HRP_M to HRP_S. No ping packets or only a few (1 to 3 packets, depending on the actual network environment) are discarded.
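The session tables in steps 2 and 3 can be compared mechanically rather than by eye. The following Python script is an added example and is not part of this document or of the NGFW Module software. It parses the text of display firewall session table taken from the HRP_M and HRP_S modules, reports sessions that the active module holds but the standby has not received through HRP, and flags standby sessions that lack the Remote tag. The two outputs embedded in it are constructed samples modelled on the outputs shown above; the second session is deliberately left out of the standby output so that the check has something to report.

```python
"""Compare NGFW Module session tables to confirm HRP session backup.

Added example (not from the Huawei document or the NGFW software).
Parses the text of 'display firewall session table' taken from the active
(HRP_M) and standby (HRP_S) modules and reports:
  * sessions present on the active module but absent from the standby, and
  * standby sessions that lack the Remote tag (the standby is terminating
    the flow itself rather than holding a backup copy).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample outputs, modelled on the verification steps above.
# The second session is intentionally missing from the standby so that the
# check below has something to report.
ACTIVE_OUTPUT = """\
Current Total Sessions : 2
  http  VPN: public -> public 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
  http  VPN: public -> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""
STANDBY_OUTPUT = """\
Current Total Sessions : 1
  http  VPN: public -> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
"""

# One session line: protocol, VPN instances, optional Remote tag, source
# (with optional post-NAT address in brackets), destination (likewise).
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s*->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?"
    r"(?P<src>[\d.]+:\d+)(?:\[(?P<src_nat>[\d.]+:\d+)\])?\s+-->\s+"
    r"(?P<dst>[\d.]+:\d+)(?:\[(?P<dst_nat>[\d.]+:\d+)\])?\s*$"
)


class Session(NamedTuple):
    proto: str
    src: str
    src_nat: Optional[str]
    dst: str
    dst_nat: Optional[str]
    remote: bool


FlowKey = Tuple[str, str, Optional[str], str, Optional[str]]


def parse_sessions(text: str) -> List[Session]:
    """Extract session entries; header and prompt lines are ignored."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(
                proto=m["proto"], src=m["src"], src_nat=m["src_nat"],
                dst=m["dst"], dst_nat=m["dst_nat"],
                remote=m["remote"] is not None))
    return sessions


def flow_key(s: Session) -> FlowKey:
    """Identity of a flow independent of which module reports it."""
    return (s.proto, s.src, s.src_nat, s.dst, s.dst_nat)


def check_backup(active_text: str, standby_text: str) -> Dict[str, List[FlowKey]]:
    """Return flows missing on the standby and standby flows not tagged Remote."""
    active = parse_sessions(active_text)
    standby = {flow_key(s): s for s in parse_sessions(standby_text)}
    return {
        "missing_on_standby": [flow_key(s) for s in active if flow_key(s) not in standby],
        "not_marked_remote": [k for k, s in standby.items() if not s.remote],
    }


if __name__ == "__main__":
    for name, keys in check_backup(ACTIVE_OUTPUT, STANDBY_OUTPUT).items():
        print(name, keys)
```

Paste the real outputs of both modules in place of the constructed samples. A flow listed under missing_on_standby after the backup interval has passed is one that a switchover would interrupt; a flow listed under not_marked_remote means the HRP_S module is processing it itself rather than holding a backup copy, which should not happen while it is the standby device.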

Configuration Scripts

Configuration script of the NGFW Modules:

NGFW Module_A:
#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.2
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
interface Eth-trunk1.1
 undo shutdown
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 vlan-type dot1q 201
#
interface Eth-trunk1.2
 undo shutdown
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 vlan-type dot1q 202
#
interface Eth-trunk1.3
 undo shutdown
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
 vlan-type dot1q 203
#
firewall zone trust
 set priority 85
 add interface Eth-trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-trunk0
#
firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
 ip route-static 1.1.1.1 255.255.255.255 null 0
 ip route-static 1.1.1.2 255.255.255.255 null 0
 ip route-static 1.1.1.3 255.255.255.255 null 0
#    
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 24
  service http
  service ftp
  profile ips default
  action permit    
# 
nat address-group addressgroup1 0
 mode pat
 section 0 1.1.1.1 1.1.1.2 
#  
nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 24   
    action source-nat address-group addressgroup1 
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80
#
return

NGFW Module_B:

#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.1
#
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
interface Eth-trunk1.1
 undo shutdown
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
 vlan-type dot1q 201
#
interface Eth-trunk1.2
 undo shutdown
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
 vlan-type dot1q 202
#
interface Eth-trunk1.3
 undo shutdown
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
 vlan-type dot1q 203
#
firewall zone trust
 set priority 85
 add interface Eth-trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-trunk0
#
firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
 ip route-static 1.1.1.1 255.255.255.255 null 0
 ip route-static 1.1.1.2 255.255.255.255 null 0
 ip route-static 1.1.1.3 255.255.255.255 null 0
#    
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 24
  service http
  service ftp
  profile ips default
  action permit   
# 
nat address-group addressgroup1 0
 mode pat
 section 0 1.1.1.1 1.1.1.2 
#  
nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 24   
    action source-nat address-group addressgroup1 
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80
# 
return

Configuration script of CE12800 CSS:

# ----CSS configuration----
sysname CSS
#
stack
 #
 stack mode
 #
 stack member 1 domain 10
 stack member 1 priority 150
 #
 stack member 2 domain 10
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/3/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE2/3/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/4
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/4
 port mode stack
 stack-port 2/1
#
port-group group1
 group-member 10GE1/3/0/1
 group-member 10GE1/3/0/2
 group-member 10GE1/3/0/3
 group-member 10GE1/3/0/4
 group-member 10GE1/4/0/1
 group-member 10GE1/4/0/2
 group-member 10GE1/4/0/3
 group-member 10GE1/4/0/4

# ----Traffic diversion configuration----
vlan batch 201 to 203
#
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 type or
 if-match acl 3001
#
traffic classifier c2 type or
 if-match acl 3002
#
traffic classifier c3 type or
 if-match acl 3003
#
traffic behavior b1
 permit
#
traffic behavior b2
 redirect nexthop 10.3.2.1
#
traffic behavior b3
 redirect nexthop 10.3.3.1
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
 classifier c2 behavior b2 precedence 10
#
traffic policy p2
 classifier c1 behavior b1 precedence 5
 classifier c3 behavior b3 precedence 15
#
interface Vlanif201
 ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
 ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
 ip address 10.3.3.4 255.255.255.0
#
interface Eth-Trunk2
 traffic-policy p1 inbound 
#
interface Eth-Trunk3
 traffic-policy p2 inbound 
#
interface Eth-Trunk5
 description To_NGFW_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface Eth-Trunk6
 description To_NGFW_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface 10GE1/1/0/0
  eth-trunk 5
#
interface 10GE1/1/0/1
  eth-trunk 5
#
interface 10GE1/1/0/2
  eth-trunk 5
#
interface 10GE1/1/0/3
  eth-trunk 5
#
interface 10GE2/1/0/0
  eth-trunk 6
#
interface 10GE2/1/0/1
  eth-trunk 6
#
interface 10GE2/1/0/2
  eth-trunk 6
#
interface 10GE2/1/0/3
  eth-trunk 6
#
ip route-static 1.1.1.1 32 10.3.1.1
ip route-static 1.1.1.2 32 10.3.1.1 
ip route-static 1.1.1.3 32 10.3.1.1
#
return
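To see which flows the traffic-diversion script actually sends to the NGFW Modules, the following Python script is an added example; it is not part of this document or of the CE12800 software. It transcribes the ACL, classifier, behavior, policy and interface bindings from the script above into Python tables and evaluates a flow the way the switch does: the entries of a traffic policy are tried in ascending order of precedence value, and the first classifier that matches decides the behavior. Two points are assumptions rather than statements of the document: that a lower precedence value is evaluated first (which is what makes the c1 permit entries at precedence 5 meaningful ahead of the redirects at 10 and 15), and that Eth-Trunk2 faces the Trust zone and Eth-Trunk3 the DMZ, inferred from the policies bound to them.

```python
"""Evaluate the CE12800 PBR traffic-diversion policy for a given flow.

Added example, not part of the Huawei document: the tables below are
transcribed from the "Traffic diversion configuration" script so that a
practitioner can check which flows are redirected to the NGFW VRRP
addresses and which are switched directly. Wildcard semantics follow
Huawei ACLs (a 1 bit in the wildcard means "don't care").
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

AclRule = Dict[str, Optional[Tuple[str, str]]]

# acl number 3001 / 3002 / 3003: (address, wildcard) for source and, where
# the rule has one, destination. All rules in the script are "permit ip".
ACLS: Dict[int, List[AclRule]] = {
    3001: [
        {"src": ("192.168.1.0", "0.0.0.255"), "dst": ("192.168.2.0", "0.0.0.255")},
        {"src": ("192.168.2.0", "0.0.0.255"), "dst": ("192.168.1.0", "0.0.0.255")},
    ],
    3002: [{"src": ("192.168.1.0", "0.0.0.255"), "dst": None}],
    3003: [{"src": ("192.168.2.0", "0.0.0.255"), "dst": None}],
}
# traffic classifier ... type or: a classifier matches if any listed ACL matches.
CLASSIFIERS: Dict[str, List[int]] = {"c1": [3001], "c2": [3002], "c3": [3003]}
BEHAVIORS: Dict[str, Tuple[str, Optional[str]]] = {
    "b1": ("permit", None),
    "b2": ("redirect", "10.3.2.1"),  # VRRP virtual IP on NGFW Eth-trunk1.2 (Trust side)
    "b3": ("redirect", "10.3.3.1"),  # VRRP virtual IP on NGFW Eth-trunk1.3 (DMZ side)
}
# traffic policy: (classifier, behavior, precedence)
POLICIES: Dict[str, List[Tuple[str, str, int]]] = {
    "p1": [("c1", "b1", 5), ("c2", "b2", 10)],
    "p2": [("c1", "b1", 5), ("c3", "b3", 15)],
}
# traffic-policy ... inbound bindings (Trust side / DMZ side, inferred)
INBOUND_POLICY: Dict[str, str] = {"Eth-Trunk2": "p1", "Eth-Trunk3": "p2"}


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: only bits that are 0 in the wildcard must match."""
    care_mask = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care_mask == 0


def acl_matches(acl_number: int, src: str, dst: str) -> bool:
    """First matching rule wins; a rule without a destination matches any."""
    for rule in ACLS[acl_number]:
        if not wildcard_match(src, *rule["src"]):
            continue
        if rule["dst"] is not None and not wildcard_match(dst, *rule["dst"]):
            continue
        return True
    return False


def evaluate(interface: str, src: str, dst: str,
             policies: Dict[str, List[Tuple[str, str, int]]] = POLICIES
             ) -> Tuple[str, Optional[str]]:
    """Return ("redirect", nexthop), ("permit", None) or ("forward", None).

    "forward" means no policy or no classifier applied, so the switch routes
    the packet by its own routing table without touching the NGFW Modules.
    """
    policy_name = INBOUND_POLICY.get(interface)
    if policy_name is None:
        return ("forward", None)
    # Assumption: a lower precedence value is evaluated first; first hit ends evaluation.
    for classifier, behavior, _prec in sorted(policies[policy_name], key=lambda e: e[2]):
        if any(acl_matches(n, src, dst) for n in CLASSIFIERS[classifier]):
            return BEHAVIORS[behavior]
    return ("forward", None)


def inspected_by_ngfw(interface: str, src: str, dst: str) -> bool:
    """True only when the flow is diverted to an NGFW VRRP address."""
    return evaluate(interface, src, dst)[0] == "redirect"


if __name__ == "__main__":
    for iface, s, d in [("Eth-Trunk2", "192.168.1.8", "3.3.3.3"),
                        ("Eth-Trunk2", "192.168.1.8", "192.168.2.8"),
                        ("Eth-Trunk3", "192.168.2.8", "2.2.2.2")]:
        print(iface, s, "->", d, evaluate(iface, s, d))
```

Running it shows that flows between 192.168.1.0/24 and 192.168.2.0/24 match c1 on both Eth-Trunk2 and Eth-Trunk3 and are forwarded by the switch without redirection, so they never reach the security policies or the IPS profile configured on the NGFW Modules; only traffic to and from the Internet is diverted. Passing a policy table with the precedence values of c1 and c2 reversed gives the opposite result for the same intranet-to-DMZ flow, which is why the precedence values in the script need to be kept as they are if that design is intended.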
Updated: 2019-04-03

Document ID: EDOC1000039339