Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches


Layer-3 Dual-NGFW Module Deployment, Switch Stack, and Static Route Traffic Diversion

Networking Requirements

As shown in Figure 1-25, two CE12800 switches are deployed in a stack and two NGFW Modules are installed in slot 1 on the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. The two NGFW Modules work in load balancing mode.

Figure 1-25 Switch stack and NGFW Module hot standby networking
NOTE:

The NGFW Module has four fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/3. The numbering of internal Ethernet interfaces on the CE12800 is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the CE12800, the internal Ethernet interfaces used by the CE12800 are 10GE1/0/0 to 10GE1/0/3.

Deployment Solution

  1. Two NGFW Modules form hot standby networking. The switch diverts the passing traffic to the NGFW Module through a static route. After performing security checks on the traffic, the NGFW Module injects the traffic back to the switch through a static route.

    However, the core switches and upstream devices run OSPF. Therefore, traffic cannot be diverted to the NGFW Modules after reaching the core switches. Instead, the traffic is directly forwarded to the upstream devices. You need to configure virtual routing and forwarding (VRF) on the core switches as shown in Figure 1-26. That is, virtualize each core switch into a Public switch for connecting upstream switches and a VRF switch for connecting downstream switches. The two virtual switches are isolated, and therefore traffic can be diverted to the NGFW Modules using static routes.

    Figure 1-26 Configuring VRF on core switches
  2. Figure 1-26 can be abstracted as Figure 1-27. The NGFW Modules run static routes with upstream and downstream devices. Therefore, you need to configure VRRP groups on the NGFW Modules, so that the core switches communicate with the virtual IP addresses of VRRP groups on the NGFW Modules.

    As shown in Figure 1-27, you need to configure a default route to the Internet with the next hop set to the IP address of VLANIF3 and detailed routes to the server area with the next hop set to the IP address of VLANIF2 on the NGFW Module. Configure equal-cost routes on the Public switch with the next hops set to the IP addresses of VRRP groups 1 and 2. Then, configure equal-cost routes on the VRF switch with the next hops set to the IP addresses of VRRP groups 3 and 4.

    Figure 1-27 Configuring VRRP groups on the NGFW Modules and static routes on the switches
    NOTE:

    Figure 1-27 lists only the core switch interfaces involved in the connection with the NGFW Modules.

  3. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk interface, which functions as the heartbeat interface and backup channel, and enable hot standby.
  4. Configure security functions, such as security policies and IPS on NGFW Module_A. NGFW Module_A will automatically synchronize its configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure IP addresses for the interfaces on NGFW Module_A.

    <Module_A> system-view
    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
    [Module_A-GigabitEthernet1/0/1] quit
    [Module_A] interface GigabitEthernet 1/0/3
    [Module_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [Module_A-GigabitEthernet1/0/3] quit
    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] trunkport GigabitEthernet 0/0/1
    [Module_A-Eth-Trunk0] trunkport GigabitEthernet 0/0/2
    [Module_A-Eth-Trunk0] quit
    

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface GigabitEthernet 1/0/1
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-Trunk 0
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface GigabitEthernet 1/0/3
    [Module_A-zone-trust] quit

    # Set the IP addresses for the interfaces on NGFW Module_B.

    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
    [Module_B-GigabitEthernet1/0/1] quit
    [Module_B] interface GigabitEthernet 1/0/3
    [Module_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
    [Module_B-GigabitEthernet1/0/3] quit
    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] trunkport GigabitEthernet 0/0/1
    [Module_B-Eth-Trunk0] trunkport GigabitEthernet 0/0/2
    [Module_B-Eth-Trunk0] quit
    

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface GigabitEthernet 1/0/1
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-Trunk 0
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface GigabitEthernet 1/0/3
    [Module_B-zone-trust] quit

  2. Create static routes on NGFW Modules.

    # Configure an upstream static route (default route) on NGFW Module_A with the next hop set to the IP address of VLANIF3.

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.2.0.5

    # Configure a downstream static route on NGFW Module_A with the destination set to the IP address of the server area and the next hop set to the IP address of VLANIF2.

    [Module_A] ip route-static 192.168.0.0 255.255.0.0 10.3.0.5

    # Configure an upstream static route (default route) on NGFW Module_B with the next hop set to the IP address of VLANIF3.

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.2.0.5

    # Configure a downstream static route on NGFW Module_B with the destination set to the IP address of the server area and the next hop set to the IP address of VLANIF2.

    [Module_B] ip route-static 192.168.0.0 255.255.0.0 10.3.0.5

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.2.0.3 active
    [Module_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.4 standby
    [Module_A-GigabitEthernet1/0/1] quit
    [Module_A] interface GigabitEthernet 1/0/3
    [Module_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active
    [Module_A-GigabitEthernet1/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby
    [Module_A-GigabitEthernet1/0/3] quit

    # Enable quick session backup on NGFW Module_A.

    [Module_A] hrp mirror session enable

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0 remote 10.10.0.2
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.2.0.3 standby
    [Module_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.4 active
    [Module_B-GigabitEthernet1/0/1] quit
    [Module_B] interface GigabitEthernet 1/0/3
    [Module_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby
    [Module_B-GigabitEthernet1/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active
    [Module_B-GigabitEthernet1/0/3] quit

    # Enable quick session backup on NGFW Module_B.

    [Module_B] hrp mirror session enable

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0 remote 10.10.0.1
    [Module_B] hrp enable
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    If NAT is enabled on the NGFW Module, run the hrp nat resource primary-group and hrp nat resource secondary-group commands separately on two NGFW Modules to prevent port conflicts.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # Configure a security policy on NGFW Module_A to allow Internet users to access the server area (subnet: 192.168.0.0/16) in the data center and enable intrusion prevention.

    HRP_M[Module_A] security-policy
    HRP_M[Module_A-policy-security] rule name policy_sec
    HRP_M[Module_A-policy-security-rule-policy_sec] source-zone untrust 
    HRP_M[Module_A-policy-security-rule-policy_sec] destination-zone trust
    HRP_M[Module_A-policy-security-rule-policy_sec] destination-address 192.168.0.0 16
    HRP_M[Module_A-policy-security-rule-policy_sec] service http ftp
    HRP_M[Module_A-policy-security-rule-policy_sec] profile ips default
    HRP_M[Module_A-policy-security-rule-policy_sec] action permit
    HRP_M[Module_A-policy-security-rule-policy_sec] quit
    HRP_M[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_M[Module_A] firewall interzone trust untrust
    HRP_M[Module_A-interzone-trust-untrust] detect ftp
    HRP_M[Module_A-interzone-trust-untrust] quit
    

  5. Configure the CSS function on core switches CE12800-1 and CE12800-2.

    1. Configure stack attributes for CE12800-1 and CE12800-2. (Set a higher priority for CE12800-1, so CE12800-1 will become the master switch.)

      # Set the stack ID of CE12800-1 to 1, priority to 150, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-1
      [*HUAWEI] commit
      [~CE12800-1] stack
      [~CE12800-1-stack] stack member 1         //Configure the stack member ID. The default value is 1.
      [~CE12800-1-stack] stack priority 150     //Configure the stack priority. The default value is 100.
      [*CE12800-1-stack] stack domain 10        //Configure the domain ID.
      [*CE12800-1-stack] stack link-type mainboard-direct     //Configure the connection mode. The default mode is mainboard-direct.
      [*CE12800-1-stack] quit
      [*CE12800-1] commit
      

      # Set the stack ID of CE12800-2 to 2, priority to 100, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-2
      [*HUAWEI] commit
      [~CE12800-2] stack
      [~CE12800-2-stack] stack member 2
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE12800-2-stack] stack priority 100
      [*CE12800-2-stack] stack domain 10
      [*CE12800-2-stack] stack link-type mainboard-direct
      [*CE12800-2-stack] quit
      [*CE12800-2] commit
      
    2. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-1, add 10GE3/0/1-10GE3/0/4 and 10GE4/0/1-10GE4/0/4 to the stack port.

      [~CE12800-1] port-group group1       //Create a port group.
      [*CE12800-1-port-group-group1] group-member 10ge 3/0/1 to 10ge 3/0/4       //Add ports to the port group.
      [*CE12800-1-port-group-group1] group-member 10ge 4/0/1 to 10ge 4/0/4
      [*CE12800-1-port-group-group1] shutdown       //Shut down the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] interface stack-port 1
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 3/0/1 to 3/0/4       //Add physical ports to the stack port.
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 4/0/1 to 4/0/4
      [*CE12800-1-Stack-Port1] quit
      [*CE12800-1] commit
      [~CE12800-1] port-group group1
      [~CE12800-1-port-group-group1] undo shutdown       //Enable the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] return
      

      # The configuration procedure on CE12800-2 is the same as the configuration procedure on CE12800-1, and is not mentioned here.

    3. Enable the stack function.

      # Enable the stack function on CE12800-1 and restart the device.

      <CE12800-1> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-1> system-view
      [~CE12800-1] stack
      [~CE12800-1-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      

      # Enable the stack function on CE12800-2 and restart the device.

      <CE12800-2> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-2> system-view
      [~CE12800-2] stack
      [~CE12800-2-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      
    4. Rename the stack system to CSS.

      <CE12800-1> system-view
      [~CE12800-1] sysname CSS
      [*CE12800-1] commit
      

  6. Configure the core switch to divert traffic.
    1. Create a VRF and bind it to downstream VLANIF interfaces.

      [~CSS] vlan batch 2
      [*CSS] interface 10ge 1/1/0/3
      [*CSS-10GE1/1/0/3] port link-type access
      [*CSS-10GE1/1/0/3] port default vlan 2
      [*CSS-10GE1/1/0/3] quit
      [*CSS] interface 10ge 2/1/0/3
      [*CSS-10GE2/1/0/3] port link-type access
      [*CSS-10GE2/1/0/3] port default vlan 2
      [*CSS-10GE2/1/0/3] quit         //Set the interface type to Access and add the interface to the VLAN2.
      [*CSS] commit
      [~CSS] vlan batch 3
      [*CSS] interface 10ge 1/1/0/1
      [*CSS-10GE1/1/0/1] port link-type access
      [*CSS-10GE1/1/0/1] port default vlan 3
      [*CSS-10GE1/1/0/1] quit
      [*CSS] interface 10ge 2/1/0/1
      [*CSS-10GE2/1/0/1] port link-type access
      [*CSS-10GE2/1/0/1] port default vlan 3
      [*CSS-10GE2/1/0/1] quit         //Set the interface type to Access and add the interface to the VLAN3.
      [*CSS] commit
      [~CSS] vlan batch 20  
      [*CSS] interface eth-trunk 2
      [*CSS-Eth-Trunk2] port link-type trunk
      [*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk2] port trunk allow-pass vlan 20
      [*CSS-Eth-Trunk2] quit         //Add the downstream switch interface to VLAN20.
      [*CSS] interface eth-trunk 3
      [*CSS-Eth-Trunk3] port link-type trunk
      [*CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk3] port trunk allow-pass vlan 20
      [*CSS-Eth-Trunk3] quit        //Add the downstream switch interface to VLAN20.
      [*CSS] commit
      [~CSS] ip vpn-instance VRF    //Create a VRF.
      [*CSS-vpn-instance-VRF] ipv4-family
      [*CSS-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
      [*CSS-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
      [*CSS-vpn-instance-VRF-af-ipv4] quit
      [*CSS-vpn-instance-VRF] quit
      [*CSS] commit
      [~CSS] interface vlanif 2
      [*CSS-Vlanif2] ip binding vpn-instance VRF     //Bind VLANIF2 to the VRF.
      [*CSS-Vlanif2] ip address 10.3.0.5 24
      [*CSS-Vlanif2] quit
      [*CSS] commit
      [~CSS] interface vlanif 20
      [*CSS-Vlanif20] ip binding vpn-instance VRF    //Bind VLANIF20 to the VRF.
      [*CSS-Vlanif20] ip address 10.4.0.5 24
      [*CSS-Vlanif20] quit
      [*CSS] commit
      [~CSS] interface vlanif 3
      [*CSS-Vlanif3] ip address 10.2.0.5 24
      [*CSS-Vlanif3] quit
      [*CSS] commit
      

    2. Configure static routes.

      [~CSS] ip route-static 192.168.0.0 255.255.0.0 10.2.0.3
      [*CSS] ip route-static 192.168.0.0 255.255.0.0 10.2.0.4           // Configure equal-cost routes on the Public switch with the next hop set to the virtual IP addresses of VRRP groups 1 and 2.
      [*CSS] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.3   
      [*CSS] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.4    // Configure equal-cost routes on the VRF switch with the next hop set to the virtual IP addresses of VRRP groups 3 and 4.
      [*CSS] commit

Verification

  1. Run the display hrp state verbose command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_M[Module_A] display hrp state verbose
     Role: active, peer: active                                                     
     Running priority: 45000, peer: 45000                                           
     Backup channel usage: 0.00%                                                    
     Stable time: 0 days, 0 hours, 2 minutes                                        
     Last state change information: 2001-02-20 0:59:32 HRP link changes to up.      
                                                                                    
     Configuration:                                                                 
     hello interval:              1000ms                                            
     preempt:                     60s                                               
     mirror configuration:        off                                               
     mirror session:              on                                                
     track trunk member:          on                                                
     auto-sync configuration:     on                                                
     auto-sync connection-status: on                                                
     adjust ospf-cost:            on                                                
     adjust ospfv3-cost:          on                                                
     adjust bgp-cost:             on                                                
     nat resource:                off                                               
                                                                                    
     Detail information:                                                            
               GigabitEthernet1/0/1 vrrp vrid 1: active                             
               GigabitEthernet1/0/1 vrrp vrid 2: standby                            
               GigabitEthernet1/0/3 vrrp vrid 3: active                             
               GigabitEthernet1/0/3 vrrp vrid 4: standby                            
                                      ospf-cost: +0            
                                    ospfv3-cost: +0           
                                       bgp-cost: +0
  2. Check whether the servers in the server area of the data center are accessible from external networks, and check the session table of the NGFW Module.

    HRP_M[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public 3.3.3.3:22048 --> 192.168.1.2:80
    

    The preceding command output shows that the NGFW Module has established a connection.

Configuration Scripts

Configuration script of the NGFW Modules:

NGFW Module_A, followed by NGFW Module_B:
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.2
 hrp mirror session enable
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 active
 vrrp vrid 2 virtual-ip 10.2.0.4 standby
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5   
 add interface GigabitEthernet1/0/1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk0
# 
 firewall interzone trust untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.2.0.5
 ip route-static 192.168.0.0 255.255.0.0 10.3.0.5
#    
security-policy  
 rule name policy_sec
  source-zone untrust  
  destination-zone trust
  destination-address 192.168.0.0 16
  service http
  service ftp
  profile ips default
  action permit    
#
return

NGFW Module_B:
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.1
 hrp mirror session enable
#
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 standby
 vrrp vrid 2 virtual-ip 10.2.0.4 active
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5 
 add interface GigabitEthernet1/0/1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk0
#
firewall interzone trust untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.2.0.5
 ip route-static 192.168.0.0 255.255.0.0 10.3.0.5
#    
security-policy  
 rule name policy_sec
  source-zone untrust  
  destination-zone trust
  destination-address 192.168.0.0 16
  service http
  service ftp
  profile ips default
  action permit   
# 
return

Configuration script of CE12800 CSS:

# ----CSS configuration----
sysname CSS
#
stack
 #
 stack mode
 #
 stack member 1 domain 10
 stack member 1 priority 150
 #
 stack member 2 domain 10
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/3/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE2/3/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/4
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/4
 port mode stack
 stack-port 2/1
#
port-group group1
 group-member 10GE1/3/0/1
 group-member 10GE1/3/0/2
 group-member 10GE1/3/0/3
 group-member 10GE1/3/0/4
 group-member 10GE1/4/0/1
 group-member 10GE1/4/0/2
 group-member 10GE1/4/0/3
 group-member 10GE1/4/0/4

# ----Traffic diversion configuration----
vlan batch 2 to 3 20
#
ip vpn-instance VRF
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif2
 ip binding vpn-instance VRF
 ip address 10.3.0.5 255.255.255.0
#
interface Vlanif3
 ip address 10.2.0.5 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance VRF
 ip address 10.4.0.5 255.255.255.0
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface Eth-Trunk3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface 10GE1/1/0/1
 port default vlan 3
#
interface 10GE1/1/0/3
 port default vlan 2
#
interface 10GE2/1/0/1
 port default vlan 3
#
interface 10GE2/1/0/3
 port default vlan 2
#
ip route-static 192.168.0.0 255.255.0.0 10.2.0.3
ip route-static 192.168.0.0 255.255.0.0 10.2.0.4 
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.3 
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.4 
#
return
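
An offline consistency check for the configuration scripts above, as an added example that is not part of the Huawei document: it parses excerpts of the two NGFW Module scripts and the CSS static routes and reports heartbeat, VRRP-role and next-hop mismatches that would break hot standby or traffic diversion. The function names `parse_module` and `audit` and the excerpt layout are this example's own.

```python
from ipaddress import ip_address, ip_interface

# Excerpts of the page's scripts ("#" separators and unrelated stanzas omitted).
MODULE_A = """\
hrp interface Eth-Trunk0 remote 10.10.0.2
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 active
 vrrp vrid 2 virtual-ip 10.2.0.4 standby
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
"""
MODULE_B = """\
hrp interface Eth-Trunk0 remote 10.10.0.1
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.2.0.3 standby
 vrrp vrid 2 virtual-ip 10.2.0.4 active
interface GigabitEthernet1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
"""
CSS = """\
ip route-static 192.168.0.0 255.255.0.0 10.2.0.3
ip route-static 192.168.0.0 255.255.0.0 10.2.0.4
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.3
ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.3.0.4
"""


def parse_module(text):
    """Extract the HRP peer address and, per interface, its address and VRRP groups."""
    cfg, cur = {"hrp_remote": None, "ifaces": {}}, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[:2] == ["hrp", "interface"] and "remote" in words:
            cfg["hrp_remote"] = ip_address(words[words.index("remote") + 1])
        elif words[0] == "interface":
            cur = cfg["ifaces"].setdefault(words[1], {"addr": None, "vrrp": {}})
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["addr"] = ip_interface(f"{words[2]}/{words[3]}")
        elif cur is not None and words[:2] == ["vrrp", "vrid"]:
            cur["vrrp"][int(words[2])] = (ip_address(words[4]), words[5])
    return cfg


def audit(a_text, b_text, css):
    """Return a list of findings; an empty list means the three scripts agree."""
    a, b, findings, healthy = parse_module(a_text), parse_module(b_text), [], set()
    # Heartbeat: each module's "hrp ... remote" must be the peer's Eth-Trunk0 address.
    for name, me, peer in (("A", a, b), ("B", b, a)):
        hb = peer["ifaces"].get("Eth-Trunk0", {}).get("addr")
        if hb is None or me["hrp_remote"] != hb.ip:
            findings.append(f"Module_{name}: hrp remote is not the peer's Eth-Trunk0 address")
    # VRRP: same groups and virtual IPs on both modules, one active and one standby.
    for ifname in sorted(set(a["ifaces"]) | set(b["ifaces"])):
        ia, ib = (c["ifaces"].get(ifname, {"vrrp": {}}) for c in (a, b))
        for vrid in sorted(set(ia["vrrp"]) | set(ib["vrrp"])):
            ga, gb = ia["vrrp"].get(vrid), ib["vrrp"].get(vrid)
            if ga is None or gb is None or ga[0] != gb[0]:
                findings.append(f"vrid {vrid}: missing on one module or virtual IP differs")
            elif {ga[1], gb[1]} != {"active", "standby"}:
                findings.append(f"vrid {vrid}: roles {ga[1]}/{gb[1]}, need one active and one standby")
            else:
                healthy.add(ga[0])
    # Diversion: switch routes must point at consistent virtual IPs, not physical addresses.
    hops = {ip_address(r.split()[-1]) for r in css.splitlines() if r.startswith("ip route-static")}
    findings += [f"route next hop {h} is not a consistent VRRP virtual IP" for h in sorted(hops - healthy)]
    findings += [f"virtual IP {v} is not used by any switch route" for v in sorted(healthy - hops)]
    return findings


print(audit(MODULE_A, MODULE_B, CSS) or "consistent")
```

A next hop that names a module's physical address, or a VRRP group that is standby on both modules, is reported because either one leaves traffic without an inspecting path after a failover.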
Updated: 2019-04-03

Document ID: EDOC1000039339
