Configuring M-LAG and Transparent Firewalls
Applicable Products and Versions
This example applies to CE12800, CE7800, CE6800, and CE5800 series switches running V100R005C10 or later versions, CE8800 series switches running V100R006C00 or later versions, CE9800 series switches running V200R020C00 or later versions, CloudEngine 16800 series switches running V200R005C20 or later versions, and CE12800E series switches running V200R005C00 or later versions.
For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Networking Requirements
On the data center network shown in Figure 1-16:
- Two core switches are connected through 10GE link aggregation.
- Firewalls at the aggregation layer connect to upstream and downstream devices through GE interfaces.
- Aggregation switches connect to upstream and downstream devices through 10GE interfaces.
- Multiple devices are deployed at the access layer and access devices connect to devices at the aggregation layer through 10GE interfaces.
| Device Name | Interface | IP Address | Virtual MAC Address |
|---|---|---|---|
| SwitchA | Management interface | 10.1.1.1/24 | - |
| SwitchB | Management interface | 10.1.1.2/24 | - |
| SwitchC | Management interface | 10.2.1.1/24 | - |
| SwitchC | VLANIF 11 | 10.3.1.1/24 | 0000-5e00-0101 |
| SwitchC | VLANIF 200 | 10.4.1.1/24 | - |
| SwitchC | VLANIF 300 | 10.6.1.1/24 | - |
| SwitchD | Management interface | 10.2.1.2/24 | - |
| SwitchD | VLANIF 11 | 10.3.1.1/24 | 0000-5e00-0101 |
| SwitchD | VLANIF 200 | 10.5.1.1/24 | - |
| SwitchD | VLANIF 300 | 10.6.1.2/24 | - |
| SwitchE | VLANIF 200 | 10.4.1.2/24 | - |
| SwitchE | VLANIF 400 | 10.7.1.1/24 | - |
| SwitchF | VLANIF 200 | 10.5.1.2/24 | - |
| SwitchF | VLANIF 400 | 10.7.1.2/24 | - |
| SeGW A | GigabitEthernet 3/0/0 | 10.10.0.1/24 | - |
| SeGW B | GigabitEthernet 3/0/0 | 10.10.0.2/24 | - |
Requirement Analysis
Devices at the core and aggregation layers constitute a square-shaped network so that traffic from gateways is sent and received along the same path.
Security gateways at the aggregation layer use the transparent mode, are enabled with the Hot Redundancy Protocol (HRP), and work in load balance mode to enhance network robustness.
M-LAG is deployed at the aggregation and access layers to form a loop-free topology.
Figure 1-17 shows the logical networking after M-LAG and transparent firewalls are deployed.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure M-LAG between SwitchA and SwitchB and between SwitchC and SwitchD to implement dual-homing access. When the access and aggregation switches work normally, traffic is load-balanced across the links, and a failure of either aggregation switch does not affect services, so service reliability is ensured.
- Configure SwitchC and SwitchD as root bridges and enable root protection on downstream interfaces to ensure that the interfaces can forward traffic normally. Configure the interfaces on SwitchA and SwitchB that connect to user terminals as edge interfaces to accelerate route convergence, and enable BPDU protection on them to enhance network stability.
- Create VLANIF interfaces on SwitchC and SwitchD and configure the same IP address and MAC address on the VLANIF interfaces of both switches to provide dual-active gateways.
- Configure the security gateways at the aggregation layer to use the transparent mode, enable HRP, and configure them to work in load balance mode to enhance network robustness.
- Enable OSPF on SwitchC, SwitchD, SwitchE, and SwitchF to implement Layer 3 connectivity.
Procedure
- Configure M-LAG.
- Configure SeGWA and SeGWB to work in transparent mode and enable HRP.
- Enable OSPF on SwitchC, SwitchD, SwitchE, and SwitchF.
- Verify the configuration.
Run the display dfs-group command to check M-LAG information.
# Check information about the M-LAG with DFS group 1.
```text
[~SwitchA] display dfs-group 1 m-lag
*                       : Local node
Heart beat state        : OK
Node 1 *
  Dfs-Group ID          : 1
  Priority              : 150
  Address               : ip address 10.1.1.1
  State                 : Master
  Causation             : -
  System ID             : 0025-9e95-7c01
  SysName               : SwitchA
  Version               : V100R006C00
  Device Type           : CE12800
Node 2
  Dfs-Group ID          : 1
  Priority              : 120
  Address               : ip address 10.1.1.2
  State                 : Backup
  Causation             : -
  System ID             : 0025-9e95-7c11
  SysName               : SwitchB
  Version               : V100R006C00
  Device Type           : CE12800

[~SwitchC] display dfs-group 1 m-lag
*                       : Local node
Heart beat state        : OK
Node 1 *
  Dfs-Group ID          : 1
  Priority              : 150
  Address               : ip address 10.2.1.1
  State                 : Master
  Causation             : -
  System ID             : 200b-c739-1300
  SysName               : SwitchC
  Version               : V100R006C00
  Device Type           : CE12800
Node 2
  Dfs-Group ID          : 1
  Priority              : 120
  Address               : ip address 10.2.1.2
  State                 : Backup
  Causation             : -
  System ID             : 200b-c739-1311
  SysName               : SwitchD
  Version               : V100R006C00
  Device Type           : CE12800
```
# Check M-LAG information on SwitchA.
```text
[~SwitchA] display dfs-group 1 node 1 m-lag brief
* - Local node
M-Lag ID    Interface       Port State    Status
1           Eth-Trunk 10    Up            active(*)-active
2           Eth-Trunk 20    Up            active(*)-active
3           Eth-Trunk 30    Up            active(*)-active
4           Eth-Trunk 40    Up            active(*)-active
```
# Check M-LAG information on SwitchC.
```text
[~SwitchC] display dfs-group 1 node 2 m-lag brief
* - Local node
M-Lag ID    Interface       Port State    Status
1           Eth-Trunk 30    Up            active-active(*)
```
In the preceding output, Heart beat state is OK, indicating that dual-active detection is working normally. SwitchA and SwitchC are Node 1, with priority 150 and State Master; SwitchB and SwitchD are Node 2, with priority 120 and State Backup. Causation is -, Port State is Up on both Node 1 and Node 2, and the M-LAG status of both nodes is active, indicating that the M-LAG configuration is correct.
Run the display hrp state command on SeGW A to check the HRP status. The following information indicates that the HRP is set up successfully.
```text
HRP_M[SeGWA] display hrp state
Role: active, peer: active
Running priority: 51008, peer: 51008
Core state: normal, peer: normal
Backup channel usage: 0%
Stable time: 0 days, 18 hours, 41 minutes
```
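The acceptance criteria above (heartbeat OK, one Master and one Backup with no Causation, and active/active HRP with equal priorities) are easy to check by eye once but tedious to re-check after every change window. The following script is an added example, not part of this page or of Huawei's tooling: it parses the `display dfs-group 1 m-lag` and `display hrp state` outputs shown above (re-flowed into the device's multi-line layout) and returns a list of findings, empty when the pair is healthy. The fixed-column layout of the output and the function names are assumptions of this example.

```python
"""Health checks over the verification outputs shown on this page (added
example, not Huawei tooling). The two samples below are the page's own
'display dfs-group 1 m-lag' output for SwitchA/SwitchB and its
'display hrp state' output for SeGW A, re-flowed into multi-line form."""
import re

DFS_GROUP_OUTPUT = """\
*                       : Local node
Heart beat state        : OK
Node 1 *
  Dfs-Group ID          : 1
  Priority              : 150
  Address               : ip address 10.1.1.1
  State                 : Master
  Causation             : -
  System ID             : 0025-9e95-7c01
  SysName               : SwitchA
  Version               : V100R006C00
  Device Type           : CE12800
Node 2
  Dfs-Group ID          : 1
  Priority              : 120
  Address               : ip address 10.1.1.2
  State                 : Backup
  Causation             : -
  System ID             : 0025-9e95-7c11
  SysName               : SwitchB
  Version               : V100R006C00
  Device Type           : CE12800
"""

HRP_OUTPUT = """\
Role: active, peer: active
Running priority: 51008, peer: 51008
Core state: normal, peer: normal
Backup channel usage: 0%
Stable time: 0 days, 18 hours, 41 minutes
"""

# "Key   : value" lines of the dfs-group output (assumed layout, as shown above)
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")
# "Key: local, peer: remote" lines of the hrp output; the peer part is optional
HRP_LINE = re.compile(r"^(.+?): (.*?)(?:, peer: (.*))?$")


def parse_dfs_group(text):
    """Return (heartbeat_state, [per-node dicts]) from 'display dfs-group ... m-lag'."""
    heartbeat, nodes = None, []
    for line in text.splitlines():
        node = re.match(r"^Node (\d+)", line)
        if node:
            nodes.append({"node": int(node.group(1)), "local": line.rstrip().endswith("*")})
            continue
        field = FIELD.match(line)
        if not field:
            continue  # the '* : Local node' legend and blank lines
        key, value = field.groups()
        if key == "Heart beat state":
            heartbeat = value
        elif nodes:
            nodes[-1][key] = value
    return heartbeat, nodes


def check_mlag(text):
    """Apply the page's criteria: heartbeat OK, two nodes in one DFS group with
    no Causation, one Master and one Backup, Master holding the higher priority."""
    heartbeat, nodes = parse_dfs_group(text)
    findings = []
    if heartbeat != "OK":
        findings.append(f"heart beat state is {heartbeat!r}: dual-active detection is not normal")
    if len(nodes) != 2:
        findings.append(f"expected 2 nodes, found {len(nodes)}")
        return findings
    if len({n.get("Dfs-Group ID") for n in nodes}) != 1:
        findings.append("nodes report different DFS group IDs")
    for n in nodes:
        if n.get("Causation", "-") != "-":
            findings.append(f"node {n['node']} reports causation {n['Causation']!r}")
    by_state = {n.get("State"): n for n in nodes}
    if set(by_state) != {"Master", "Backup"}:
        findings.append(f"node states {sorted(map(str, by_state))} are not one Master and one Backup")
    elif int(by_state["Master"]["Priority"]) <= int(by_state["Backup"]["Priority"]):
        findings.append("Master does not hold the higher DFS-group priority")
    return findings


def parse_hrp(text):
    """Return {field: (local, peer)} from 'display hrp state'; peer is None when absent."""
    fields = {}
    for line in text.splitlines():
        m = HRP_LINE.match(line)
        if m:
            key, local, peer = m.groups()
            fields[key] = (local, peer)
    return fields


def check_hrp(text):
    """Load-balance HRP as on this page: both active, both cores normal, equal priorities."""
    h = parse_hrp(text)
    findings = []
    if h.get("Role") != ("active", "active"):
        findings.append(f"HRP roles are {h.get('Role')}, expected active/active in load balance mode")
    if h.get("Core state") != ("normal", "normal"):
        findings.append(f"core state is {h.get('Core state')}")
    prio = h.get("Running priority", (None, None))
    if prio[0] != prio[1]:
        findings.append(f"running priorities differ: {prio}")
    return findings


if __name__ == "__main__":
    print("M-LAG findings:", check_mlag(DFS_GROUP_OUTPUT))
    print("HRP findings:", check_hrp(HRP_OUTPUT))
```

Both checkers return findings rather than printing, so they can be run against captured output on a schedule and any non-empty result raised as an alert; a second Master after a peer-link or heartbeat failure, or an HRP peer that has dropped to standby, shows up as a finding on the next run.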
Configuration Files
SwitchA configuration file
```text
#
sysname SwitchA
#
dfs-group 1
 priority 150
 source ip 10.1.1.1 vpn-instance VRF-A
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
stp bpdu-protection
stp flush disable
#
lacp m-lag system-id 00e0-fc00-0000
lacp m-lag priority 10
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface MEth0/0/0
 ip binding vpn-instance VRF-A
 ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1
#
interface Eth-Trunk10
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk20
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 2
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk30
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 3
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 mode lacp-static
 dfs-group 1 m-lag 4
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/2
 eth-trunk 20
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/4
 eth-trunk 0
#
interface 10GE1/0/6
 eth-trunk 40
#
interface 10GE1/0/7
 eth-trunk 40
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/5
 eth-trunk 0
#
return
```
SwitchB configuration file
```text
#
sysname SwitchB
#
dfs-group 1
 priority 120
 source ip 10.1.1.2 vpn-instance VRF-A
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
stp bpdu-protection
stp flush disable
#
lacp m-lag system-id 00e0-fc00-0000
lacp m-lag priority 10
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface MEth0/0/0
 ip binding vpn-instance VRF-A
 ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1
#
interface Eth-Trunk10
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk20
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 2
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk30
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 3
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 mode lacp-static
 dfs-group 1 m-lag 4
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/2
 eth-trunk 20
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/4
 eth-trunk 0
#
interface 10GE1/0/6
 eth-trunk 40
#
interface 10GE1/0/7
 eth-trunk 40
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/5
 eth-trunk 0
#
return
```
SwitchC configuration file
```text
#
sysname SwitchC
#
dfs-group 1
 priority 150
 source ip 10.2.1.1 vpn-instance VRF-B
#
vlan batch 11 200 300
#
stp bridge-address 200b-c739-1300
stp mode rstp
stp v-stp enable
stp instance 0 root primary
stp flush disable
#
lacp m-lag system-id 00e0-fc00-0001
lacp m-lag priority 10
#
ip vpn-instance VRF-B
 ipv4-family
  route-distinguisher 101:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif11
 ip address 10.3.1.1 255.255.255.0
 mac-address 0000-5e00-0101
#
interface Vlanif200
 ip address 10.4.1.1 255.255.255.0
 ospf network-type p2p
#
interface Vlanif300
 ip address 10.6.1.1 255.255.255.0
 ospf network-type p2p
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.2.1.1 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1 200
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 stp root-protection
 mode lacp-static
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 30
#
interface 10GE1/0/2
 eth-trunk 30
#
interface 10GE1/0/3
 eth-trunk 0
#
interface 10GE1/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/4
 eth-trunk 0
#
ospf 1
 import-route direct
 area 0.0.0.0
  network 10.4.1.0 0.0.0.255
  network 10.6.1.0 0.0.0.255
#
return
```
SwitchD configuration file
```text
#
sysname SwitchD
#
dfs-group 1
 priority 120
 source ip 10.2.1.2 vpn-instance VRF-B
#
vlan batch 11 200 300
#
stp bridge-address 200b-c739-1300
stp mode rstp
stp v-stp enable
stp instance 0 root primary
stp flush disable
#
lacp m-lag system-id 00e0-fc00-0001
lacp m-lag priority 10
#
ip vpn-instance VRF-B
 ipv4-family
  route-distinguisher 101:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif11
 ip address 10.3.1.1 255.255.255.0
 mac-address 0000-5e00-0101
#
interface Vlanif200
 ip address 10.5.1.1 255.255.255.0
 ospf network-type p2p
#
interface Vlanif300
 ip address 10.6.1.2 255.255.255.0
 ospf network-type p2p
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.2.1.2 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1 200
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 stp root-protection
 mode lacp-static
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 30
#
interface 10GE1/0/2
 eth-trunk 30
#
interface 10GE1/0/3
 eth-trunk 0
#
interface 10GE1/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/4
 eth-trunk 0
#
ospf 1
 import-route direct
 area 0.0.0.0
  network 10.5.1.0 0.0.0.255
  network 10.6.1.0 0.0.0.255
#
return
```
SwitchE configuration file
```text
#
sysname SwitchE
#
vlan batch 200 400
#
interface Vlanif200
 ip address 10.4.1.2 255.255.255.0
 ospf network-type p2p
#
interface Vlanif400
 ip address 10.7.1.1 255.255.255.0
 ospf network-type p2p
#
interface 10GE1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
ospf 1
 area 0.0.0.0
  network 10.4.1.0 0.0.0.255
  network 10.7.1.0 0.0.0.255
#
return
```
SwitchF configuration file
```text
#
sysname SwitchF
#
vlan batch 200 400
#
interface Vlanif200
 ip address 10.5.1.2 255.255.255.0
 ospf network-type p2p
#
interface Vlanif400
 ip address 10.7.1.2 255.255.255.0
 ospf network-type p2p
#
interface 10GE1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
ospf 1
 area 0.0.0.0
  network 10.5.1.0 0.0.0.255
  network 10.7.1.0 0.0.0.255
#
return
```
SeGW A configuration file
```text
#
sysname SeGWA
#
hrp enable
hrp track vlan 200
hrp mirror session enable
hrp interface GigabitEthernet 3/0/0 remote 10.10.0.2
#
vlan 200
 port GigabitEthernet 1/0/0
 port GigabitEthernet 2/0/0
#
interface GigabitEthernet 1/0/0
 portswitch
#
interface GigabitEthernet 2/0/0
 portswitch
#
interface GigabitEthernet3/0/0
 ip address 10.10.0.1 24
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 3/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 2/0/0
#
return
```
SeGW B configuration file
```text
#
sysname SeGWB
#
hrp enable
hrp track vlan 200
hrp mirror session enable
hrp interface GigabitEthernet 3/0/0 remote 10.10.0.1
#
vlan 200
 port GigabitEthernet 1/0/0
 port GigabitEthernet 2/0/0
#
interface GigabitEthernet 1/0/0
 portswitch
#
interface GigabitEthernet 2/0/0
 portswitch
#
interface GigabitEthernet3/0/0
 ip address 10.10.0.2 24
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 3/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 2/0/0
#
return
```
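The SwitchC and SwitchD files above work as an M-LAG pair only because a handful of values are deliberately identical (LACP M-LAG system ID and priority, the VLANIF 11 gateway IP and MAC) while others are deliberately different (DFS-group priority and source IP), and because the downstream M-LAG member interface carries `stp root-protection` as the roadmap requires. A drift in any of these during later maintenance is silent until a failover. The script below is an added example, not part of this page or of Huawei's tooling: it parses trimmed, constructed excerpts of the two configuration files (the VRP layout of `#`-separated sections with one-space indentation is assumed) and reports any of those pair invariants that no longer hold. Function names and the set of checks are this example's own.

```python
"""Cross-check a pair of aggregation-layer M-LAG member configurations for the
invariants this example depends on (added example, not Huawei tooling).
SWITCH_C is a trimmed, constructed excerpt of the page's SwitchC file; SWITCH_D
is derived from it by changing only the values that differ on SwitchD."""

SWITCH_C = """\
#
sysname SwitchC
#
dfs-group 1
 priority 150
 source ip 10.2.1.1 vpn-instance VRF-B
#
lacp m-lag system-id 00e0-fc00-0001
lacp m-lag priority 10
#
interface Vlanif11
 ip address 10.3.1.1 255.255.255.0
 mac-address 0000-5e00-0101
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1 200
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 stp root-protection
 mode lacp-static
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
return
"""
# SwitchD: own name, lower DFS-group priority (Backup) and own DFS source IP;
# everything else, including the VLANIF 11 gateway IP/MAC, is identical.
SWITCH_D = (SWITCH_C.replace("SwitchC", "SwitchD")
            .replace(" priority 150", " priority 120")
            .replace("10.2.1.1", "10.2.1.2"))


def parse_config(config):
    """Map each top-level VRP command to the indented commands beneath it."""
    ctx, tree = "", {}
    for line in config.splitlines():
        if not line.strip() or line.strip() in ("#", "return"):
            continue
        if line.startswith(" "):
            tree.setdefault(ctx, []).append(line.strip())
        else:
            ctx = line.strip()
            tree.setdefault(ctx, [])
    return tree


def first_top(tree, prefix):
    """Return the first top-level command that starts with prefix (or None)."""
    return next((k for k in tree if k.startswith(prefix)), None)


def summarize(config):
    """Pull out the fields the pair checks compare."""
    tree = parse_config(config)
    dfs = tree.get(first_top(tree, "dfs-group "), [])
    vlanif = tree.get("interface Vlanif11", [])
    return {
        "sysname": (first_top(tree, "sysname ") or "sysname ?").split()[1],
        "dfs_priority": next((int(c.split()[1]) for c in dfs if c.startswith("priority ")), None),
        "dfs_source": next((c.split()[2] for c in dfs if c.startswith("source ip ")), None),
        "lacp_sysid": (first_top(tree, "lacp m-lag system-id ") or "").split()[-1:],
        "lacp_priority": (first_top(tree, "lacp m-lag priority ") or "").split()[-1:],
        "gw_ip": next((c.split()[2] for c in vlanif if c.startswith("ip address ")), None),
        "gw_mac": next((c.split()[1] for c in vlanif if c.startswith("mac-address ")), None),
        "peer_links": [k for k, v in tree.items() if k.startswith("interface ") and "peer-link 1" in v],
        # interfaces bound to an M-LAG: "dfs-group <n> m-lag <id>" under the interface
        "mlag_ifaces": {k: v for k, v in tree.items() if k.startswith("interface ")
                        and any(c.startswith("dfs-group ") and " m-lag " in c for c in v)},
    }


def check_pair(cfg_a, cfg_b):
    """Return a list of findings for the two M-LAG members; empty means consistent."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    findings = []
    if (a["lacp_sysid"], a["lacp_priority"]) != (b["lacp_sysid"], b["lacp_priority"]):
        findings.append("LACP M-LAG system-id/priority differ: the dual-homed device would see two LACP partners")
    if a["dfs_priority"] == b["dfs_priority"]:
        findings.append("equal DFS-group priorities: Master election is left to tie-breaking")
    if a["dfs_source"] == b["dfs_source"]:
        findings.append("DFS-group source IPs collide")
    if (a["gw_ip"], a["gw_mac"]) != (b["gw_ip"], b["gw_mac"]):
        findings.append("VLANIF 11 gateway IP/MAC differ: the gateway is not dual-active")
    for s in (a, b):
        if len(s["peer_links"]) != 1:
            findings.append(f"{s['sysname']}: expected exactly one peer-link, found {s['peer_links']}")
        for name, cmds in s["mlag_ifaces"].items():
            if "stp root-protection" not in cmds:
                findings.append(f"{s['sysname']}: {name} is an M-LAG member without stp root-protection")
    return findings


if __name__ == "__main__":
    print(check_pair(SWITCH_C, SWITCH_D))
```

Running `check_pair` on the two files from this page returns an empty list; feeding it two copies of the same file, or a SwitchD file that lost its `stp root-protection` line, returns the corresponding findings, which is the kind of drift a pre-change review or a nightly configuration audit should catch before it matters.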