No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Typical Configuration Examples (V100 and V200)
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring M-LAG and Transparent Firewalls

Configuring M-LAG and Transparent Firewalls

Applicable Products and Versions

This example applies to CE12800, CE7800, CE6800, and CE5800 series switches running V100R005C10 or later versions, CE8800 series switches running V100R006C00 or later versions, CE9800 series switches running V200R020C00 or later versions, CloudEngine 16800 series switches running V200R005C20 or later versions, and CE12800E series switches running V200R005C00 or later versions.

For details about the mapping between software versions and switch models, see the Hardware Query Tool.

Networking Requirements

On the data center network shown in Figure 1-14:

  • Two core switches are connected through 10GE link aggregation.
  • Firewalls at the aggregation layer connect to upstream and downstream devices through GE interfaces.
  • Aggregation switches connect to upstream and downstream devices through 10GE interfaces.
  • Multiple devices are deployed at the access layer and access devices connect to devices at the aggregation layer through 10GE interfaces.
This example uses the CE12804 switch and USG9520 gateway.
Figure 1-14 Networking for configuring M-LAG and transparent firewalls

Table 1-14 Data plan

Device Name

Interface

IP Address

Virtual MAC Address

SwitchA

Management interface

10.1.1.1/24

-

SwitchB

Management interface

10.1.1.2/24

-

SwitchC

Management interface

10.2.1.1/24

-

VLANIF 11

10.3.1.1/24

0000-5e00-0101

VLANIF 200

10.4.1.1/24

-

VLANIF 300

10.6.1.1/24

-

SwitchD

Management interface

10.2.1.2/24

-

VLANIF 11

10.3.1.1/24

0000-5e00-0101

VLANIF 200

10.5.1.1/24

-

VLANIF 300

10.6.1.2/24

-

SwitchE

VLANIF 200

10.4.1.2/24

-

VLANIF 400

10.7.1.1/24

-

SwitchF

VLANIF 200

10.5.1.2/24

-

VLANIF 400

10.7.1.2/24

-

SeGW A

GigabitEthernet 3/0/0

10.10.0.1/24

-

SeGW B

GigabitEthernet 3/0/0

10.10.0.2/24

-

Requirement Analysis

The customer wants to build a stable large Layer 2 network where the dual-homing mode is used to ensure reliability and links load balance traffic to improve the link use efficiency. To ensure the server service security, switches connect to transparent firewalls (SeGWs) in inline mode to provide security defense.

  • Devices at the core and aggregation layers constitute a square-shaped network so that traffic from gateways is sent and received along the same path.

  • Security gateways at the aggregation layer use the transparent mode, are enabled with the Hot Redundancy Protocol (HRP), and work in load balance mode to enhance network robustness.

  • M-LAG is deployed at the aggregation and access layers to form a loop-free topology.

Figure 1-15 shows the logical networking after M-LAG and transparent firewalls are deployed.

Figure 1-15 Networking for configuring M-LAG and transparent firewalls

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure M-LAG between SwitchA and SwitchB and between SwitchC and SwitchD to implement dual-homing access. When access and aggregation switches work normally, links load balance traffic and a fault of any aggregation switch does not affect services. High service reliability is therefore ensured.

    • Configure SwitchC and SwitchD as root bridges and enable root protection on downstream interfaces to ensure that the interfaces can forward traffic normally. Configure interfaces on SwitchA and SwitchB connected to user terminals as edge interfaces to accelerate route convergence and enable BPDU protection to enhance network stability.

    • Create VLANIF interfaces on SwitchC and SwitchD and configure the same IP addresses and MAC address for the VLANIF interfaces to provide dual-active gateways.

  2. Configure security gateways at the aggregation layer to use the transparent mode, enable HRP, and configure them to work in load balance mode to enhance network robustness.

  3. Enable OSPF on SwitchC, SwitchD, SwitchE, and SwitchF to implement Layer 3 connectivity.

Procedure

  1. Configure M-LAG.
    1. Configure dual-active detection links, V-STP, DFS groups, peer-links, and M-LAG member interfaces on SwitchA, SwitchB, SwitchC, and SwitchD.

      The dual-active detection links are connected to management interfaces to implement interworking, DFS groups must be bound to IP addresses of management interfaces to ensure communication, and management interfaces are bound to VPN instances to implement isolation.

      It is recommended that Eth-Trunk member interfaces of the peer-link be deployed on different cards to prevent the peer-link fault caused by a single-point failure.

      # Configure SwitchA.

      Configure the Eth-Trunk on SwitchA connected to servers as the edge interface and enable BPDU protection on the Eth-Trunk. The Eth-Trunk on the access switch connected to Server 1 is used as an example.

      The uplink interface of the server connected to the switch needs to be bound to an aggregated link, and the link aggregation modes on the server and switch must be consistent.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp mode rstp
[*SwitchA] stp v-stp enable
[*SwitchA] stp flush disable
[*SwitchA] ip vpn-instance VRF-A     //Create VRF-A.
[*SwitchA-vpn-instance-VRF-A] ipv4-family
[*SwitchA-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[*SwitchA-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[*SwitchA-vpn-instance-VRF-A-af-ipv4] quit
[*SwitchA-vpn-instance-VRF-A] quit
[*SwitchA] interface meth 0/0/0
[*SwitchA-MEth0/0/0] ip binding vpn-instance VRF-A     //Bind the management interface to VRF-A.
[*SwitchA-MEth0/0/0] ip address 10.1.1.1 24
[*SwitchA-MEth0/0/0] quit
[*SwitchA] dfs-group 1
[*SwitchA-dfs-group-1] source ip 10.1.1.1 vpn-instance VRF-A     //Configure the IPv4 address and VPN instance bound to the DFS group.
[*SwitchA-dfs-group-1] priority 150
[*SwitchA-dfs-group-1] quit
[*SwitchA] interface eth-trunk 0
[*SwitchA-Eth-Trunk0] trunkport 10ge 1/0/4
[*SwitchA-Eth-Trunk0] trunkport 10ge 4/0/5     //Configure interfaces on different cards as Eth-Trunk member interfaces of the peer-link.
[*SwitchA-Eth-Trunk0] mode lacp-static
[*SwitchA-Eth-Trunk0] peer-link 1
[*SwitchA-Eth-Trunk0] port vlan exclude 1
[*SwitchA-Eth-Trunk0] quit
[*SwitchA] vlan batch 11
[*SwitchA] interface eth-trunk 10     
[*SwitchA-Eth-Trunk10] mode lacp-dynamic
[*SwitchA-Eth-Trunk10] port link-type access
[*SwitchA-Eth-Trunk10] port default vlan 11
[*SwitchA-Eth-Trunk10] trunkport 10ge 1/0/1
[*SwitchA-Eth-Trunk10] dfs-group 1 m-lag 1
[*SwitchA-Eth-Trunk10] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchA-Eth-Trunk10] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (For CE8800, CE7800, CE6800 except the CE6870EI and CE6875EI, and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view).
[*SwitchA-Eth-Trunk10] quit
[*SwitchA] interface eth-trunk 20     
[*SwitchA-Eth-Trunk20] mode lacp-dynamic
[*SwitchA-Eth-Trunk20] port link-type access
[*SwitchA-Eth-Trunk20] port default vlan 11
[*SwitchA-Eth-Trunk20] trunkport 10ge 1/0/2
[*SwitchA-Eth-Trunk20] dfs-group 1 m-lag 2
[*SwitchA-Eth-Trunk20] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchA-Eth-Trunk20] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (For CE8800, CE7800, CE6800 except the CE6870EI and CE6875EI, and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view).
[*SwitchA-Eth-Trunk20] quit
[*SwitchA] interface eth-trunk 30     
[*SwitchA-Eth-Trunk30] mode lacp-dynamic
[*SwitchA-Eth-Trunk30] port link-type access
[*SwitchA-Eth-Trunk30] port default vlan 11
[*SwitchA-Eth-Trunk30] trunkport 10ge 1/0/3
[*SwitchA-Eth-Trunk30] dfs-group 1 m-lag 3
[*SwitchA-Eth-Trunk30] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchA-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchA-Eth-Trunk30] quit
[*SwitchA] stp bpdu-protection     //Enable BPDU protection on the edge interface.
[*SwitchA] interface eth-trunk 40
[*SwitchA-Eth-Trunk40] mode lacp-static
[*SwitchA-Eth-Trunk40] port link-type trunk
[*SwitchA-Eth-Trunk40] undo port trunk allow-pass vlan 1
[*SwitchA-Eth-Trunk40] port trunk allow-pass vlan 11
[*SwitchA-Eth-Trunk40] trunkport 10ge 1/0/6 to 1/0/7
[*SwitchA-Eth-Trunk40] dfs-group 1 m-lag 4
[*SwitchA-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchA-Eth-Trunk40] quit
[*SwitchA] lacp m-lag priority 10
[*SwitchA] lacp m-lag system-id 00e0-fc12-3456
[*SwitchA] interface 10ge 1/0/9
[*SwitchA-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchA-10GE1/0/9] quit
[*SwitchA] commit

      # Configure SwitchB.

      Configure the Eth-Trunk on SwitchB connected to servers as the edge interface and enable BPDU protection on the Eth-Trunk. The Eth-Trunk on the access switch connected to Server 1 is used as an example.

      The uplink interface of the server connected to the switch needs to be bound to an aggregated link, and the link aggregation modes on the server and switch must be consistent.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp mode rstp
[*SwitchB] stp v-stp enable
[*SwitchB] stp flush disable
[*SwitchB] ip vpn-instance VRF-A     //Create VRF-A.
[*SwitchB-vpn-instance-VRF-A] ipv4-family
[*SwitchB-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:2
[*SwitchB-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[*SwitchB-vpn-instance-VRF-A-af-ipv4] quit
[*SwitchB-vpn-instance-VRF-A] quit
[*SwitchB] interface meth 0/0/0
[*SwitchB-MEth0/0/0] ip binding vpn-instance VRF-A     //Bind the management interface to VRF-A.
[*SwitchB-MEth0/0/0] ip address 10.1.1.2 24
[*SwitchB-MEth0/0/0] quit
[*SwitchB] dfs-group 1
[*SwitchB-dfs-group-1] source ip 10.1.1.2 vpn-instance VRF-A     //Configure the IPv4 address and VPN instance bound to the DFS group.
[*SwitchB-dfs-group-1] priority 120
[*SwitchB-dfs-group-1] quit
[*SwitchB] interface eth-trunk 0
[*SwitchB-Eth-Trunk0] trunkport 10ge 1/0/4 
[*SwitchB-Eth-Trunk0] trunkport 10ge 4/0/5     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
[*SwitchB-Eth-Trunk0] mode lacp-static
[*SwitchB-Eth-Trunk0] peer-link 1
[*SwitchB-Eth-Trunk0] port vlan exclude 1
[*SwitchB-Eth-Trunk0] quit
[*SwitchB] vlan batch 11
[*SwitchB] interface eth-trunk 10
[*SwitchB-Eth-Trunk10] mode lacp-dynamic
[*SwitchB-Eth-Trunk10] port link-type access
[*SwitchB-Eth-Trunk10] port default vlan 11
[*SwitchB-Eth-Trunk10] trunkport 10ge 1/0/1
[*SwitchB-Eth-Trunk10] dfs-group 1 m-lag 1
[*SwitchB-Eth-Trunk10] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchB-Eth-Trunk10] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchB-Eth-Trunk10] quit
[*SwitchB] interface eth-trunk 20
[*SwitchB-Eth-Trunk20] mode lacp-dynamic
[*SwitchB-Eth-Trunk20] port link-type access
[*SwitchB-Eth-Trunk20] port default vlan 11
[*SwitchB-Eth-Trunk20] trunkport 10ge 1/0/2
[*SwitchB-Eth-Trunk20] dfs-group 1 m-lag 2
[*SwitchB-Eth-Trunk20] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchB-Eth-Trunk20] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchB-Eth-Trunk20] quit
[*SwitchB] interface eth-trunk 30
[*SwitchB-Eth-Trunk30] mode lacp-dynamic
[*SwitchB-Eth-Trunk30] port link-type access
[*SwitchB-Eth-Trunk30] port default vlan 11
[*SwitchB-Eth-Trunk30] trunkport 10ge 1/0/3
[*SwitchB-Eth-Trunk30] dfs-group 1 m-lag 3
[*SwitchB-Eth-Trunk30] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
[*SwitchB-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchB-Eth-Trunk30] quit
[*SwitchB] stp bpdu-protection     //Enable BPDU protection on the edge interface.
[*SwitchB] interface eth-trunk 40
[*SwitchB-Eth-Trunk40] mode lacp-static
[*SwitchB-Eth-Trunk40] port link-type trunk
[*SwitchB-Eth-Trunk40] undo port trunk allow-pass vlan 1
[*SwitchB-Eth-Trunk40] port trunk allow-pass vlan 11
[*SwitchB-Eth-Trunk40] trunkport 10ge 1/0/6 to 1/0/7
[*SwitchB-Eth-Trunk40] dfs-group 1 m-lag 4
[*SwitchB-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchB-Eth-Trunk40] quit
[*SwitchB] lacp m-lag priority 10
[*SwitchB] lacp m-lag system-id 00e0-fc12-3456
[*SwitchB] interface 10ge 1/0/9
[*SwitchB-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchB-10GE1/0/9] quit
[*SwitchB] commit

      # Configure SwitchC.

      Configure SwitchC as the root bridge of the STP network, and enable root protection on the Eth-Trunk of SwitchC connected to the access switch so that the Eth-Trunk can forward traffic normally.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] stp mode rstp
[*SwitchC] stp root primary     //Configure the aggregation device as the root bridge of the STP network.
[*SwitchC] stp bridge-address 00e0-fc39-1300     //Configure the MAC address of the root bridge (MAC address of the master device).
[*SwitchC] stp v-stp enable
[*SwitchC] stp flush disable
[*SwitchC] ip vpn-instance VRF-B     //Create VRF-B.
[*SwitchC-vpn-instance-VRF-B] ipv4-family
[*SwitchC-vpn-instance-VRF-B-af-ipv4] route-distinguisher 101:1
[*SwitchC-vpn-instance-VRF-B-af-ipv4] vpn-target 111:1 both
[*SwitchC-vpn-instance-VRF-B-af-ipv4] quit
[*SwitchC-vpn-instance-VRF-B] quit
[*SwitchC] interface meth 0/0/0
[*SwitchC-MEth0/0/0] ip binding vpn-instance VRF-B     //Bind the management interface to VRF-B.
[*SwitchC-MEth0/0/0] ip address 10.2.1.1 24
[*SwitchC-MEth0/0/0] quit
[*SwitchC] dfs-group 1
[*SwitchC-dfs-group-1] source ip 10.2.1.1 vpn-instance VRF-B     //Configure the IPv4 address and VPN instance bound to the DFS group.
[*SwitchC-dfs-group-1] priority 150
[*SwitchC-dfs-group-1] quit
[*SwitchC] interface eth-trunk 0
[*SwitchC-Eth-Trunk0] trunkport 10ge 1/0/3
[*SwitchC-Eth-Trunk0] trunkport 10ge 4/0/4     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
[*SwitchC-Eth-Trunk0] mode lacp-static
[*SwitchC-Eth-Trunk0] peer-link 1
[*SwitchC-Eth-Trunk0] port vlan exclude 1
[*SwitchC-Eth-Trunk0] quit
[*SwitchC] vlan batch 11
[*SwitchC] interface eth-trunk 30
[*SwitchC-Eth-Trunk30] mode lacp-static
[*SwitchC-Eth-Trunk30] port link-type trunk
[*SwitchC-Eth-Trunk30] undo port trunk allow-pass vlan 1
[*SwitchC-Eth-Trunk30] port trunk allow-pass vlan 11
[*SwitchC-Eth-Trunk30] trunkport 10ge 1/0/1 to 1/0/2
[*SwitchC-Eth-Trunk30] dfs-group 1 m-lag 1
[*SwitchC-Eth-Trunk30] stp root-protection //Enable root protection.
[*SwitchC-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchC-Eth-Trunk30] quit
[*SwitchC] lacp m-lag priority 10
[*SwitchC] lacp m-lag system-id 00e0-fc12-3451
[*SwitchC] commit

      # Configure SwitchD.

      Configure SwitchD as the root bridge of the STP network, and enable root protection on the Eth-Trunk of SwitchD connected to the access switch so that the Eth-Trunk can forward traffic normally.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] stp mode rstp
[*SwitchD] stp root primary     //Configure the aggregation device as the root bridge of the STP network.
[*SwitchD] stp bridge-address 00e0-fc39-1300     //Configure the MAC address of the root bridge (MAC address of the master device).
[*SwitchD] stp v-stp enable
[*SwitchD] stp flush disable
[*SwitchD] ip vpn-instance VRF-B     //Create VRF-B.
[*SwitchD-vpn-instance-VRF-B] ipv4-family
[*SwitchD-vpn-instance-VRF-B-af-ipv4] route-distinguisher 101:2
[*SwitchD-vpn-instance-VRF-B-af-ipv4] vpn-target 111:1 both
[*SwitchD-vpn-instance-VRF-B-af-ipv4] quit
[*SwitchD-vpn-instance-VRF-B] quit
[*SwitchD] interface meth 0/0/0
[*SwitchD-MEth0/0/0] ip binding vpn-instance VRF-B     //Bind the management interface to VRF-B.
[*SwitchD-MEth0/0/0] ip address 10.2.1.2 24
[*SwitchD-MEth0/0/0] quit
[*SwitchD] dfs-group 1
[*SwitchD-dfs-group-1] source ip 10.2.1.2 vpn-instance VRF-B     //Configure the IPv4 address and VPN instance bound to the DFS group.
[*SwitchD-dfs-group-1] priority 120
[*SwitchD-dfs-group-1] quit
[*SwitchD] interface eth-trunk 0
[*SwitchD-Eth-Trunk0] trunkport 10ge 1/0/3
[*SwitchD-Eth-Trunk0] trunkport 10ge 4/0/4     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
[*SwitchD-Eth-Trunk0] mode lacp-static
[*SwitchD-Eth-Trunk0] peer-link 1
[*SwitchD-Eth-Trunk0] port vlan exclude 1
[*SwitchD-Eth-Trunk0] quit
[*SwitchD] vlan batch 11
[*SwitchD] interface eth-trunk 30
[*SwitchD-Eth-Trunk30] mode lacp-static
[*SwitchD-Eth-Trunk30] port link-type trunk
[*SwitchD-Eth-Trunk30] undo port trunk allow-pass vlan 1
[*SwitchD-Eth-Trunk30] port trunk allow-pass vlan 11
[*SwitchD-Eth-Trunk30] trunkport 10ge 1/0/1 to 1/0/2
[*SwitchD-Eth-Trunk30] dfs-group 1 m-lag 1
[*SwitchD-Eth-Trunk30] stp root-protection //Enable root protection.
[*SwitchD-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (On the CE8800, CE7800, CE6800 (except the CE6870EI and CE6875EI), and CE5800 series switches, this command can be run only in the GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, and port group view.)
[*SwitchD-Eth-Trunk30] quit
[*SwitchD] lacp m-lag priority 10
[*SwitchD] lacp m-lag system-id 00e0-fc12-3451
[*SwitchD] commit

    2. Create VLANIF interfaces on SwitchC and SwitchD and configure IP addresses and virtual MAC addresses for the VLANIF interfaces to configure active-active gateways.

      # Configure SwitchC.

      [~SwitchC] interface vlanif 11
[*SwitchC-Vlanif11] ip address 10.3.1.1 24
[*SwitchC-Vlanif11] mac-address 0000-5e00-0101
[*SwitchC-Vlanif11] quit
[*SwitchC] commit

      # Configure SwitchD.

      [~SwitchD] interface vlanif 11
[*SwitchD-Vlanif11] ip address 10.3.1.1 24
[*SwitchD-Vlanif11] mac-address 0000-5e00-0101
[*SwitchD-Vlanif11] quit
[*SwitchD] commit

  2. Configure SeGWA and SeGWB to work in transparent mode and enable HRP.
    1. Switch service interfaces of SeGWA and SeGWB to Layer 2 interfaces and add them to the same VLAN.

      # Configure SeGWA.

      <USG9000> system-view
[USG9000] sysname SeGWA
[SeGWA] interface GigabitEthernet 1/0/0
[SeGWA-GigabitEthernet1/0/0] portswitch
[SeGWA-GigabitEthernet1/0/0] quit
[SeGWA] interface GigabitEthernet 2/0/0
[SeGWA-GigabitEthernet2/0/0] portswitch
[SeGWA-GigabitEthernet2/0/0] quit
[SeGWA] vlan 200
[SeGWA-vlan200] port GigabitEthernet 1/0/0
[SeGWA-vlan200] port GigabitEthernet 2/0/0
[SeGWA-vlan200] quit

      # Configure SeGWB.

      <USG9000> system-view
[USG9000] sysname SeGWB
[SeGWB] interface GigabitEthernet 1/0/0
[SeGWB-GigabitEthernet1/0/0] portswitch
[SeGWB-GigabitEthernet1/0/0] quit
[SeGWB] interface GigabitEthernet 2/0/0
[SeGWB-GigabitEthernet2/0/0] portswitch
[SeGWB-GigabitEthernet2/0/0] quit
[SeGWB] vlan 200
[SeGWB-vlan200] port GigabitEthernet 1/0/0
[SeGWB-vlan200] port GigabitEthernet 2/0/0
[SeGWB-vlan200] quit

    2. Configure IP addresses for heartbeat interfaces of SeGWA and SeGWB.

      # Configure SeGWA.

      [SeGWA] interface GigabitEthernet 3/0/0
[SeGWA-GigabitEthernet3/0/0] ip address 10.10.0.1 24
[SeGWA-GigabitEthernet3/0/0] quit

      # Configure SeGWB.

      [SeGWB] interface GigabitEthernet 3/0/0
[SeGWB-GigabitEthernet3/0/0] ip address 10.10.0.2 24
[SeGWB-GigabitEthernet3/0/0] quit

    3. Add uplink interfaces of SeGWA and SeGWB to the untrusted zone, downlink interfaces to the trusted zone, and heartbeat interfaces to the DMZ.

      # Configure SeGWA.

      [SeGWA] firewall zone untrust
[SeGWA-zone-untrust] add interface GigabitEthernet 2/0/0
[SeGWA-zone-untrust] quit
[SeGWA] firewall zone trust
[SeGWA-zone-trust] add interface GigabitEthernet 1/0/0
[SeGWA-zone-trust] quit
[SeGWA] firewall zone dmz
[SeGWA-zone-dmz] add interface GigabitEthernet 3/0/0
[SeGWA-zone-dmz] quit

      # Configure SeGWB.

      [SeGWB] firewall zone untrust
[SeGWB-zone-untrust] add interface GigabitEthernet 2/0/0
[SeGWB-zone-untrust] quit
[SeGWB] firewall zone trust
[SeGWB-zone-trust] add interface GigabitEthernet 1/0/0
[SeGWB-zone-trust] quit
[SeGWB] firewall zone dmz
[SeGWB-zone-dmz] add interface GigabitEthernet 3/0/0
[SeGWB-zone-dmz] quit

    4. Configure the VLAN for the service interface associated with the VGMP group, specify the heartbeat interface, and enable HRP.

      # Configure SeGWA.

      [SeGWA] hrp track vlan 200
[SeGWA] hrp interface GigabitEthernet 3/0/0 remote 10.10.0.2
[SeGWA] hrp enable
[SeGWA] hrp mirror session enable

      # Configure SeGWB.

      [SeGWB] hrp track vlan 200
[SeGWB] hrp interface GigabitEthernet 3/0/0 remote 10.10.0.1
[SeGWB] hrp enable
[SeGWB] hrp mirror session enable

    5. Configure security functions such as the security policy, IPS, and attack defense on SeGWA. The configuration of SeGWA is automatically backed up to SeGWB. For details, see the security gateway documentation.
  3. Enable OSPF on SwitchC, SwitchD, SwitchE, and SwitchF.
    1. Add interfaces on SwitchC, SwitchD, SwitchE, and SwitchF to VLANs and configure IP addresses for VLANIF interfaces.

      # Configure SwitchC.

      [~SwitchC] vlan batch 200 300
[*SwitchC] interface 10ge 1/0/5
[*SwitchC-10GE1/0/5] port link-type trunk
[*SwitchC-10GE1/0/5] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/5] port trunk allow-pass vlan 200
[*SwitchC-10GE1/0/5] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchC-10GE1/0/5] quit
[*SwitchC] interface eth-trunk 0
[*SwitchC-Eth-Trunk0] port vlan exclude 200     //Configure the peer-link interface not to allow packets from  VLAN 200.
[*SwitchC-Eth-Trunk0] quit     
[*SwitchC] interface vlanif 200
[*SwitchC-Vlanif200] ospf network-type p2p
[*SwitchC-Vlanif200] ip address 10.4.1.1 24
[*SwitchC-Vlanif200] quit
[*SwitchC] interface vlanif 300
[*SwitchC-Vlanif300] ospf network-type p2p
[*SwitchC-Vlanif300] ip address 10.6.1.1 24
[*SwitchC-Vlanif300] quit
[*SwitchC] interface 10ge 1/0/9
[*SwitchC-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchC-10GE1/0/9] quit
[*SwitchC] commit

      # Configure SwitchD.

      [~SwitchD] vlan batch 200 300
[*SwitchD] interface 10ge 1/0/5
[*SwitchD-10GE1/0/5] port link-type trunk
[*SwitchD-10GE1/0/5] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/5] port trunk allow-pass vlan 200
[*SwitchD-10GE1/0/5] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchD-10GE1/0/5] quit
[*SwitchD] interface eth-trunk 0
[*SwitchD-Eth-Trunk0] port vlan exclude 200     //Configure the peer-link interface not to allow packets from  VLAN 200.
[*SwitchD-Eth-Trunk0] quit     
[*SwitchD] interface vlanif 200
[*SwitchD-Vlanif200] ospf network-type p2p
[*SwitchD-Vlanif200] ip address 10.5.1.1 24
[*SwitchD-Vlanif200] quit
[*SwitchD] interface vlanif 300
[*SwitchD-Vlanif300] ospf network-type p2p
[*SwitchD-Vlanif300] ip address 10.6.1.2 24
[*SwitchD-Vlanif300] quit
[*SwitchD] interface 10ge 1/0/9
[*SwitchD-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchD-10GE1/0/9] quit
[*SwitchD] commit

      # Configure SwitchE.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchE
[*HUAWEI] commit
[~SwitchE] vlan batch 200 400
[*SwitchE] interface 10ge 1/0/1
[*SwitchE-10GE1/0/1] port link-type trunk
[*SwitchE-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchE-10GE1/0/1] port trunk allow-pass vlan 200
[*SwitchE-10GE1/0/1] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchE-10GE1/0/1] quit
[*SwitchE] interface 10ge 1/0/2
[*SwitchE-10GE1/0/2] port link-type trunk
[*SwitchE-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchE-10GE1/0/2] port trunk allow-pass vlan 400
[*SwitchE-10GE1/0/2] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchE-10GE1/0/2] quit
[*SwitchE] interface vlanif 200
[*SwitchE-Vlanif200] ospf network-type p2p
[*SwitchE-Vlanif200] ip address 10.4.1.2 24
[*SwitchE-Vlanif200] quit
[*SwitchE] interface vlanif 400
[*SwitchE-Vlanif400] ospf network-type p2p
[*SwitchE-Vlanif400] ip address 10.7.1.1 24
[*SwitchE-Vlanif400] quit
[*SwitchE] interface 10ge 1/0/9
[*SwitchE-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchE-10GE1/0/9] quit
[*SwitchE] commit

      # Configure SwitchF.

      <HUAWEI> system-view
[~HUAWEI] sysname SwitchF
[*HUAWEI] commit
[~SwitchF] vlan batch 200 400
[*SwitchF] interface 10ge 1/0/1
[*SwitchF-10GE1/0/1] port link-type trunk
[*SwitchF-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchF-10GE1/0/1] port trunk allow-pass vlan 200
[*SwitchF-10GE1/0/1] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchF-10GE1/0/1] quit
[*SwitchF] interface 10ge 1/0/2
[*SwitchF-10GE1/0/2] port link-type trunk
[*SwitchF-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchF-10GE1/0/2] port trunk allow-pass vlan 400
[*SwitchF-10GE1/0/2] storm suppression broadcast 1       //Configure the percentage of bandwidth occupied by broadcast packets on the interface, and the percentage rate limit is 1%.
[*SwitchF-10GE1/0/2] quit
[*SwitchF] interface vlanif 200
[*SwitchF-Vlanif200] ospf network-type p2p
[*SwitchF-Vlanif200] ip address 10.5.1.2 24
[*SwitchF-Vlanif200] quit
[*SwitchF] interface vlanif 400
[*SwitchF-Vlanif400] ospf network-type p2p
[*SwitchF-Vlanif400] ip address 10.7.1.2 24
[*SwitchF-Vlanif400] quit
[*SwitchF] interface 10ge 1/0/9
[*SwitchF-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
[*SwitchF-10GE1/0/9] quit
[*SwitchF] commit

    2. Configure OSPF on SwitchC, SwitchD, SwitchE, and SwitchF to ensure Layer 3 connectivity.

      # Configure SwitchC.

      [~SwitchC] ospf 1
[~SwitchC-ospf-1] import-route direct      //Configure the switch to import direct routes. You can configure a routing policy to filter unnecessary routes.
[*SwitchC-ospf-1] area 0
[*SwitchC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[*SwitchC-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[*SwitchC-ospf-1-area-0.0.0.0] quit
[*SwitchC-ospf-1] quit
[*SwitchC] commit

      # Configure SwitchD.

      [~SwitchD] ospf 1
[~SwitchD-ospf-1] import-route direct      //Configure the switch to import direct routes. You can configure a routing policy to filter unnecessary routes.
[*SwitchD-ospf-1] area 0
[*SwitchD-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[*SwitchD-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[*SwitchD-ospf-1-area-0.0.0.0] quit
[*SwitchD-ospf-1] quit
[*SwitchD] commit

      # Configure SwitchE.

      [~SwitchE] ospf 1
[*SwitchE-ospf-1] area 0
[*SwitchE-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[*SwitchE-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
[*SwitchE-ospf-1-area-0.0.0.0] quit
[*SwitchE-ospf-1] quit
[*SwitchE] commit

      # Configure SwitchF.

      [~SwitchF] ospf 1
[*SwitchF-ospf-1] area 0
[*SwitchF-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[*SwitchF-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
[*SwitchF-ospf-1-area-0.0.0.0] quit
[*SwitchF-ospf-1] quit
[*SwitchF] commit

  4. Verify the configuration.

    • Run the display dfs-group command to check M-LAG information.

      # Check information about the M-LAG with DFS group 1.

      [~SwitchA] display dfs-group 1 m-lag
*                : Local node                                                                                                       
Heart beat state : OK                                                                                                           
Node 1 *                                                                                                                            
  Dfs-Group ID   : 1                                                                                                                
  Priority       : 150                                                                                                              
  Address        : ip address 10.1.1.1                                                                                              
  State          : Master                                                                                                       
  Causation      : -                                                                                                                
  System ID      : 00e0-fc95-7c01                                                                                                   
  SysName        : SwitchA                                                                                                              
  Version        : V100R006C00                                     
  Device Type    : CE12800                                                                                                          
Node 2                                                                                                                              
  Dfs-Group ID   : 1                                                                                                                
  Priority       : 120                                                                                                              
  Address        : ip address 10.1.1.2                                                                                              
  State          : Backup                                                                                                       
  Causation      : -                                                                                                                
  System ID      : 00e0-fc95-7c11                                                                                                   
  SysName        : SwitchB                                                                                                              
  Version        : V100R006C00                                    
  Device Type    : CE12800    
      [~SwitchC] display dfs-group 1 m-lag
*                : Local node                                                                                                       
Heart beat state : OK                                                                                                           
Node 1 *                                                                                                                            
  Dfs-Group ID   : 1                                                                                                                
  Priority       : 150                                                                                                              
  Address        : ip address 10.2.1.1                                                                                              
  State          : Master                                                                                                       
  Causation      : -                                                                                                                
  System ID      : 00e0-fc39-1300                                                                                                   
  SysName        : SwitchC                                                                                                              
  Version        : V100R006C00                                    
  Device Type    : CE12800                                                                                                          
Node 2                                                                                                                              
  Dfs-Group ID   : 1                                                                                                                
  Priority       : 120                                                                                                              
  Address        : ip address 10.2.1.2                                                                                              
  State          : Backup                                                                                                       
  Causation      : -                                                                                                                
  System ID      : 00e0-fc39-1311                                                                                                   
  SysName        : SwitchD                                                                                                              
  Version        : V100R006C00                                    
  Device Type    : CE12800

      # Check M-LAG information on SwitchA.

      [~SwitchA] display dfs-group 1 node 1 m-lag brief
* - Local node

M-Lag ID     Interface      Port State    Status                                                                                     
       1     Eth-Trunk 10   Up            active(*)-active  
       2     Eth-Trunk 20   Up            active(*)-active  
       3     Eth-Trunk 30   Up            active(*)-active  
       4     Eth-Trunk 40   Up            active(*)-active

      # Check M-LAG information on SwitchC.

      [~SwitchC] display dfs-group 1 node 2 m-lag brief
* - Local node

M-Lag ID     Interface      Port State    Status                                                                                     
       1     Eth-Trunk 30   Up            active-active(*)

      In the preceding information, the value of Heart beat state is OK, indicating that the dual-active detection status is normal. SwitchA and SwitchC are used as Node 1, the priority is 150, and the value of State is Master. SwitchB and SwitchD are used as Node 2, the priority is 120, and the value of State is Backup. The value of Causation is -, the values of Port State of Node 1 and Node 2 are both Up, and the M-LAG status of both Node 1 and Node 2 is active, indicating that the M-LAG configuration is correct.

    • Run the display hrp state command on SeGW A to check the HRP status. The following information indicates that the HRP is set up successfully.

      HRP_M[SeGWA] display hrp state
 Role: active, peer: active                                                    
 Running priority: 51008, peer: 51008                                           
 Core state: normal, peer: normal                                   
 Backup channel usage: 0%                                                       
 Stable time: 0 days, 18 hours, 41 minutes

Configuration Files

  • SwitchA configuration file

    #
sysname SwitchA
#
dfs-group 1
 priority 150
 source ip 10.1.1.1 vpn-instance VRF-A
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
stp bpdu-protection
stp flush disable
#
lacp m-lag system-id 00e0-fc12-3456
lacp m-lag priority 10
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface MEth0/0/0
 ip binding vpn-instance VRF-A
 ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1
#
interface Eth-Trunk10
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk20
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 2
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk30
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 3
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 mode lacp-static
 dfs-group 1 m-lag 4
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/2
 eth-trunk 20
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/4
 eth-trunk 0
#
interface 10GE1/0/6
 eth-trunk 40
#
interface 10GE1/0/7
 eth-trunk 40
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/5
 eth-trunk 0
#
return

  • SwitchB configuration file

    #
sysname SwitchB
#
dfs-group 1
 priority 120
 source ip 10.1.1.2 vpn-instance VRF-A
#
vlan batch 11
#
stp mode rstp
stp v-stp enable
stp bpdu-protection
stp flush disable
#
lacp m-lag system-id 00e0-fc12-3456
lacp m-lag priority 10
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface MEth0/0/0
 ip binding vpn-instance VRF-A
 ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1
#
interface Eth-Trunk10
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk20
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 2
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk30
 port default vlan 11
 stp edged-port enable
 mode lacp-dynamic
 dfs-group 1 m-lag 3
 storm suppression broadcast cir 10 mbps
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 mode lacp-static
 dfs-group 1 m-lag 4
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 10
#
interface 10GE1/0/2
 eth-trunk 20
#
interface 10GE1/0/3
 eth-trunk 30
#
interface 10GE1/0/4
 eth-trunk 0
#
interface 10GE1/0/6
 eth-trunk 40
#
interface 10GE1/0/7
 eth-trunk 40
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/5
 eth-trunk 0
#
return

  • SwitchC configuration file

    #
sysname SwitchC
#
dfs-group 1
 priority 150
 source ip 10.2.1.1 vpn-instance VRF-B
#
vlan batch 11 200 300
#
stp bridge-address 00e0-fc39-1300 
stp mode rstp
stp v-stp enable
stp instance 0 root primary
stp flush disable
#
lacp m-lag system-id 00e0-fc12-3451
lacp m-lag priority 10
#
ip vpn-instance VRF-B
 ipv4-family
  route-distinguisher 101:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif11
 ip address 10.3.1.1 255.255.255.0
 mac-address 0000-5e00-0101  
#
interface Vlanif200
 ip address 10.4.1.1 255.255.255.0
 ospf network-type p2p
#
interface Vlanif300
 ip address 10.6.1.1 255.255.255.0
 ospf network-type p2p
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.2.1.1 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1 200     
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 stp root-protection
 mode lacp-static
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 30
#
interface 10GE1/0/2
 eth-trunk 30
#
interface 10GE1/0/3
 eth-trunk 0
#
interface 10GE1/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/4
 eth-trunk 0
#
ospf 1
 import-route direct
 area 0.0.0.0
  network 10.4.1.0 0.0.0.255
  network 10.6.1.0 0.0.0.255
#
return

  • SwitchD configuration file

    #
sysname SwitchD
#
dfs-group 1
 priority 120
 source ip 10.2.1.2 vpn-instance VRF-B
#
vlan batch 11 200 300
#
stp bridge-address 00e0-fc39-1300 
stp mode rstp
stp v-stp enable
stp instance 0 root primary
stp flush disable
#
lacp m-lag system-id 00e0-fc12-3451
lacp m-lag priority 10
#
ip vpn-instance VRF-B
 ipv4-family
  route-distinguisher 101:2
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif11
 ip address 10.3.1.1 255.255.255.0
 mac-address 0000-5e00-0101 
#
interface Vlanif200
 ip address 10.5.1.1 255.255.255.0
 ospf network-type p2p
#
interface Vlanif300
 ip address 10.6.1.2 255.255.255.0
 ospf network-type p2p
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.2.1.2 255.255.255.0
#
interface Eth-Trunk0
 mode lacp-static
 peer-link 1
 port vlan exclude 1 200     
#
interface Eth-Trunk30
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
 stp root-protection
 mode lacp-static
 dfs-group 1 m-lag 1
 storm suppression broadcast cir 10 mbps
#
interface 10GE1/0/1
 eth-trunk 30
#
interface 10GE1/0/2
 eth-trunk 30
#
interface 10GE1/0/3
 eth-trunk 0
#
interface 10GE1/0/5
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
interface 10GE4/0/4
 eth-trunk 0
#
ospf 1
 import-route direct
 area 0.0.0.0
  network 10.5.1.0 0.0.0.255
  network 10.6.1.0 0.0.0.255
#
return

  • SwitchE configuration file

    #
sysname SwitchE
#
vlan batch 200 400
#
interface Vlanif200
 ip address 10.4.1.2 255.255.255.0
 ospf network-type p2p
#
interface Vlanif400
 ip address 10.7.1.1 255.255.255.0
 ospf network-type p2p
#
interface 10GE1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
ospf 1
 area 0.0.0.0
  network 10.4.1.0 0.0.0.255
  network 10.7.1.0 0.0.0.255
#
return

  • SwitchF configuration file

    #
sysname SwitchF
#
vlan batch 200 400
#
interface Vlanif200
 ip address 10.5.1.2 255.255.255.0
 ospf network-type p2p
#
interface Vlanif400
 ip address 10.7.1.2 255.255.255.0
 ospf network-type p2p
#
interface 10GE1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
 storm suppression broadcast 1
#
interface 10GE1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
 storm suppression broadcast 1
#
interface 10GE1/0/9
 shutdown
#
ospf 1
 area 0.0.0.0
  network 10.5.1.0 0.0.0.255
  network 10.7.1.0 0.0.0.255
#
return

  • SeGW A configuration file

    #
sysname SeGWA
#
 hrp enable
 hrp track vlan 200
 hrp mirror session enable
 hrp interface GigabitEthernet 3/0/0 remote 10.10.0.2
#
vlan 200
 port GigabitEthernet 1/0/0
 port GigabitEthernet 2/0/0
#
interface GigabitEthernet 1/0/0
 portswitch
#
interface GigabitEthernet 2/0/0
 portswitch
#
interface GigabitEthernet3/0/0
 ip address 10.10.0.1 24
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/0
#
firewall zone dmz
 set priority 50  
 add interface GigabitEthernet 3/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 2/0/0
#
return

  • SeGW B configuration file

    #
sysname SeGWB
#
 hrp enable
 hrp track vlan 200
 hrp mirror session enable
 hrp interface GigabitEthernet 3/0/0 remote 10.10.0.1
#
vlan 200
 port GigabitEthernet 1/0/0
 port GigabitEthernet 2/0/0
#
interface GigabitEthernet 1/0/0
 portswitch
#
interface GigabitEthernet 2/0/0
 portswitch
#
interface GigabitEthernet3/0/0
 ip address 10.10.0.2 24
#
firewall zone trust
 set priority 85  
 add interface GigabitEthernet 1/0/0
#
firewall zone dmz
 set priority 50  
 add interface GigabitEthernet 3/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 2/0/0
#
return
Translation
Español Français 日本語 Русский 简体中文
Download
Updated: 2021-10-21

Document ID: EDOC1000039339

Views: 471212

Downloads: 10364

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :