Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Layer-3 Dual-NGFW Module Deployment, Switch Stack, and VLAN-based Traffic Diversion

Networking Requirements

As shown in Figure 1-30, two CE12800s form a stack, and an NGFW Module is installed in slot 1 of each switch; the two NGFW Modules implement hot standby. The NGFW Modules perform security checks on traffic sent by intranet users to access the server area or the Internet.

Figure 1-30 Switch stack and NGFW Module hot standby networking
NOTE:

The NGFW Module has four fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/3. The numbering of internal Ethernet interfaces on the CE12800 is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the CE12800, the internal Ethernet interfaces used by the CE12800 are 10GE1/0/0 to 10GE1/0/3.

Deployment Solution

The NGFW Modules work at Layer 3 and are connected to upstream and downstream gateways. The switches are deployed at Layer 2.

  1. The interfaces connecting each NGFW Module and switch are bundled into an Eth-Trunk interface. The Eth-Trunk interface is Eth-Trunk 1 on each NGFW Module, Eth-Trunk 10 on the CE12800-1, and Eth-Trunk 11 on the CE12800-2.
  2. The Eth-Trunk at the switch side is configured to work in Trunk mode and allows packets from VLANs 301, 302, and 200 to pass. Configure three Eth-Trunk subinterfaces at the NGFW Module side to carry out dot1q termination for packets from VLANs 301, 302, and 200 respectively and perform Layer-3 forwarding.
  3. Two NGFW modules form hot standby in active/standby mode. Therefore, a VRRP group needs to be configured on the upstream and downstream subinterfaces of each NGFW Module. One NGFW Module is added to an active VGMP group, and the other NGFW Module is added to a standby VGMP group.

    The virtual gateway IP addresses of the VRRP group are the gateway addresses of the downstream and upstream networks.

    Figure 1-31 provides logical networking.

    Figure 1-31 Configuring Eth-Trunk subinterfaces and VRRP on the NGFW Modules
    NOTE:

    Figure 1-31 shows only the interfaces related to the switches and NGFW Modules.

  4. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk interface, which functions as the heartbeat interface and backup channel, and enable hot standby.
  5. Configure security functions, such as security policies and IPS, on NGFW Module_A. NGFW Module_A automatically synchronizes its configuration to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure the device name on NGFW Module_A.

    <CE-FWA> system-view
    [CE-FWA] sysname Module_A

    # Add the interfaces connecting NGFW Module_A to its connected switch to Eth-Trunk 1.

    NOTE:

    Only Layer 3 physical interfaces with no configuration can be added to an Eth-Trunk interface. For example, if LLDP is enabled on a physical interface of an NGFW Module, run the undo lldp enable command to disable LLDP before adding the physical interface to the Eth-Trunk interface.

    [Module_A] interface Eth-Trunk 1
    [Module_A-Eth-Trunk1] description To_CE12800-1_trunk10
    [Module_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/0
    [Module_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
    [Module_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
    [Module_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/3
    [Module_A-Eth-Trunk1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_A and map them to VLANs 301, 302, and 200 respectively.

    NOTE:

    In actual networking, the number of required subinterfaces depends on the number of VLANs from which packets need to be terminated.

    [Module_A] interface Eth-Trunk 1.301
    [Module_A-Eth-Trunk1.301] vlan-type dot1q 301
    [Module_A-Eth-Trunk1.301] ip address 10.1.0.1 24
    [Module_A-Eth-Trunk1.301] quit
    [Module_A] interface Eth-Trunk 1.302
    [Module_A-Eth-Trunk1.302] vlan-type dot1q 302
    [Module_A-Eth-Trunk1.302] ip address 10.2.0.1 24
    [Module_A-Eth-Trunk1.302] quit
    [Module_A] interface Eth-Trunk 1.200
    [Module_A-Eth-Trunk1.200] vlan-type dot1q 200
    [Module_A-Eth-Trunk1.200] ip address 10.3.0.1 24
    [Module_A-Eth-Trunk1.200] quit
    

    # Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] description hrp_interface
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] trunkport GigabitEthernet 0/0/1
    [Module_A-Eth-Trunk0] trunkport GigabitEthernet 0/0/2
    [Module_A-Eth-Trunk0] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface Eth-Trunk 1.200
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-Trunk 1.302
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-Trunk 1.301
    [Module_A-zone-trust] quit
    [Module_A] firewall zone name hrp
    [Module_A-zone-hrp] set priority 75
    [Module_A-zone-hrp] add interface Eth-Trunk 0
    [Module_A-zone-hrp] quit

    # Configure the device name on NGFW Module_B.

    <CE-FWA> system-view
    [CE-FWA] sysname Module_B

    # Add the interfaces connecting NGFW Module_B to its connected switch to Eth-Trunk 1.

    [Module_B] interface Eth-Trunk 1
    [Module_B-Eth-Trunk1] description To_CE12800-2_trunk11
    [Module_B-Eth-Trunk1] trunkport GigabitEthernet 1/0/0
    [Module_B-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
    [Module_B-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
    [Module_B-Eth-Trunk1] trunkport GigabitEthernet 1/0/3
    [Module_B-Eth-Trunk1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_B and map them to VLANs 301, 302, and 200 respectively.

    [Module_B] interface Eth-Trunk 1.301
    [Module_B-Eth-Trunk1.301] vlan-type dot1q 301
    [Module_B-Eth-Trunk1.301] ip address 10.1.0.2 24
    [Module_B-Eth-Trunk1.301] quit
    [Module_B] interface Eth-Trunk 1.302
    [Module_B-Eth-Trunk1.302] vlan-type dot1q 302
    [Module_B-Eth-Trunk1.302] ip address 10.2.0.2 24
    [Module_B-Eth-Trunk1.302] quit
    [Module_B] interface Eth-Trunk 1.200
    [Module_B-Eth-Trunk1.200] vlan-type dot1q 200
    [Module_B-Eth-Trunk1.200] ip address 10.3.0.2 24
    [Module_B-Eth-Trunk1.200] quit
    

    # Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] description hrp_interface
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] trunkport GigabitEthernet 0/0/1
    [Module_B-Eth-Trunk0] trunkport GigabitEthernet 0/0/2
    [Module_B-Eth-Trunk0] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface Eth-Trunk 1.200
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-Trunk 1.302
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-Trunk 1.301
    [Module_B-zone-trust] quit
    [Module_B] firewall zone name hrp
    [Module_B-zone-hrp] set priority 75
    [Module_B-zone-hrp] add interface Eth-Trunk 0
    [Module_B-zone-hrp] quit

  2. On NGFW Module_A, configure a default route to the Internet.

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-Trunk 1.301
    [Module_A-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 active
    [Module_A-Eth-Trunk1.301] quit
    [Module_A] interface Eth-Trunk 1.302
    [Module_A-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 active
    [Module_A-Eth-Trunk1.302] quit
    [Module_A] interface Eth-Trunk 1.200
    [Module_A-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 active
    [Module_A-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0 remote 10.10.0.2
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-Trunk 1.301
    [Module_B-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 standby
    [Module_B-Eth-Trunk1.301] quit
    [Module_B] interface Eth-Trunk 1.302
    [Module_B-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 standby
    [Module_B-Eth-Trunk1.302] quit
    [Module_B] interface Eth-Trunk 1.200
    [Module_B-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 standby
    [Module_B-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0 remote 10.10.0.1
    [Module_B] hrp enable

    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow intranet users to access the server zone (network segment 10.2.0.0/24).

    HRP_M[Module_A] security-policy
    HRP_M[Module_A-policy-security] rule name policy_to_server
    HRP_M[Module_A-policy-security-rule-policy_to_server] source-zone trust 
    HRP_M[Module_A-policy-security-rule-policy_to_server] destination-zone dmz
    HRP_M[Module_A-policy-security-rule-policy_to_server] destination-address 10.2.0.0 24
    HRP_M[Module_A-policy-security-rule-policy_to_server] service http ftp
    HRP_M[Module_A-policy-security-rule-policy_to_server] action permit
    HRP_M[Module_A-policy-security-rule-policy_to_server] quit
    HRP_M[Module_A-policy-security] quit
    

    # On NGFW Module_A, configure a security policy to allow intranet users to access the Internet and configure intrusion prevention.

    HRP_M[Module_A] security-policy
    HRP_M[Module_A-policy-security] rule name policy_to_wan
    HRP_M[Module_A-policy-security-rule-policy_to_wan] source-zone trust
    HRP_M[Module_A-policy-security-rule-policy_to_wan] destination-zone untrust
    HRP_M[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
    HRP_M[Module_A-policy-security-rule-policy_to_wan] service http ftp
    HRP_M[Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_M[Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_M[Module_A-policy-security-rule-policy_to_wan] quit
    HRP_M[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_M[Module_A] firewall interzone trust dmz
    HRP_M[Module_A-interzone-trust-dmz] detect ftp
    HRP_M[Module_A-interzone-trust-dmz] quit
    HRP_M[Module_A] firewall interzone trust untrust
    HRP_M[Module_A-interzone-trust-untrust] detect ftp
    HRP_M[Module_A-interzone-trust-untrust] quit
    

  5. Configure the CSS function on core switches CE12800-1 and CE12800-2.

    1. Configure stack attributes for CE12800-1 and CE12800-2. (Set a higher priority for CE12800-1 so that it becomes the master switch.)

      # Set the stack ID of CE12800-1 to 1, priority to 150, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-1
      [*HUAWEI] commit
      [~CE12800-1] stack
      [~CE12800-1-stack] stack member 1         //Configure the stack member ID. The default value is 1.
      [~CE12800-1-stack] stack priority 150     //Configure the stack priority. The default value is 100.
      [*CE12800-1-stack] stack domain 10        //Configure the domain ID.
      [*CE12800-1-stack] stack link-type mainboard-direct     //Configure the connection mode. The default mode is mainboard-direct.
      [*CE12800-1-stack] quit
      [*CE12800-1] commit
      

      # Set the stack ID of CE12800-2 to 2, priority to 100, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-2
      [*HUAWEI] commit
      [~CE12800-2] stack
      [~CE12800-2-stack] stack member 2
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE12800-2-stack] stack priority 100
      [*CE12800-2-stack] stack domain 10
      [*CE12800-2-stack] stack link-type mainboard-direct
      [*CE12800-2-stack] quit
      [*CE12800-2] commit
      
    2. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-1, add 10GE3/0/1-10GE3/0/4 and 10GE4/0/1-10GE4/0/4 to the stack port.

      [~CE12800-1] port-group group1       //Create a port group.
      [*CE12800-1-port-group-group1] group-member 10ge 3/0/1 to 10ge 3/0/4       //Add ports to the port group.
      [*CE12800-1-port-group-group1] group-member 10ge 4/0/1 to 10ge 4/0/4
      [*CE12800-1-port-group-group1] shutdown       //Shut down the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] interface stack-port 1
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 3/0/1 to 3/0/4       //Add physical ports to the stack port.
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 4/0/1 to 4/0/4
      [*CE12800-1-Stack-Port1] quit
      [*CE12800-1] commit
      [~CE12800-1] port-group group1
      [~CE12800-1-port-group-group1] undo shutdown       //Enable the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] return
      

      # The configuration procedure on CE12800-2 is the same as that on CE12800-1 and is not repeated here.

    3. Enable the stack function.

      # Enable the stack function on CE12800-1 and restart the device.

      <CE12800-1> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-1> system-view
      [~CE12800-1] stack
      [~CE12800-1-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      

      # Enable the stack function on CE12800-2 and restart the device.

      <CE12800-2> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-2> system-view
      [~CE12800-2] stack
      [~CE12800-2-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      
    4. Rename the stack system CSS.

      <CE12800-1> system-view
      [~CE12800-1] sysname CSS
      [*CE12800-1] commit
      

  6. Configure switch interfaces.
    1. Create VLANs.

      [~CSS] vlan batch 200 301 to 302
      [*CSS] commit

    2. Add the switch interfaces connected to NGFW Module_A to Eth-Trunk 10.

      [~CSS] interface eth-trunk 10
      [*CSS-Eth-Trunk10] description To_Module_A
      [*CSS-Eth-Trunk10] port link-type trunk
      [*CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302      //Direct traffic from different VLANs to the NGFW Module.
      [*CSS-Eth-Trunk10] quit
      [*CSS] commit
      [~CSS] interface 10ge 1/1/0/0
      [*CSS-10GE1/1/0/0] eth-trunk 10
      [*CSS-10GE1/1/0/0] quit
      [*CSS] interface 10ge 1/1/0/1
      [*CSS-10GE1/1/0/1] eth-trunk 10
      [*CSS-10GE1/1/0/1] quit
      [*CSS] interface 10ge 1/1/0/2
      [*CSS-10GE1/1/0/2] eth-trunk 10
      [*CSS-10GE1/1/0/2] quit
      [*CSS] interface 10ge 1/1/0/3
      [*CSS-10GE1/1/0/3] eth-trunk 10
      [*CSS-10GE1/1/0/3] quit
      [*CSS] commit

    3. Add the switch interfaces connected to NGFW Module_B to Eth-Trunk 11.

      [~CSS] interface eth-trunk 11
      [*CSS-Eth-Trunk11] description To_Module_B
      [*CSS-Eth-Trunk11] port link-type trunk
      [*CSS-Eth-Trunk11] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk11] port trunk allow-pass vlan 200 301 to 302      //Direct traffic from different VLANs to the NGFW Module.
      [*CSS-Eth-Trunk11] quit
      [*CSS] commit
      [~CSS] interface 10ge 2/1/0/0
      [*CSS-10GE2/1/0/0] eth-trunk 11
      [*CSS-10GE2/1/0/0] quit
      [*CSS] interface 10ge 2/1/0/1
      [*CSS-10GE2/1/0/1] eth-trunk 11
      [*CSS-10GE2/1/0/1] quit
      [*CSS] interface 10ge 2/1/0/2
      [*CSS-10GE2/1/0/2] eth-trunk 11
      [*CSS-10GE2/1/0/2] quit
      [*CSS] interface 10ge 2/1/0/3
      [*CSS-10GE2/1/0/3] eth-trunk 11
      [*CSS-10GE2/1/0/3] quit
      [*CSS] commit

    4. Configure Eth-Trunk 2, which connects to intranet users. Adding interfaces to Eth-Trunk 2 is not described here.

      [~CSS] interface eth-trunk 2
      [*CSS-Eth-Trunk2] port link-type trunk
      [*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk2] port trunk allow-pass vlan 301      
      [*CSS-Eth-Trunk2] quit
      [*CSS] commit

    5. Configure Eth-Trunk 3, which connects to the server switch. Adding interfaces to Eth-Trunk 3 is not described here.

      [~CSS] interface eth-trunk 3
      [*CSS-Eth-Trunk3] port link-type trunk
      [*CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
      [*CSS-Eth-Trunk3] port trunk allow-pass vlan 302      
      [*CSS-Eth-Trunk3] quit
      [*CSS] commit

    6. Configure Eth-Trunk 5, which connects to the egress router. Adding interfaces to Eth-Trunk 5 is not described here.

      [~CSS] interface eth-trunk 5
      [*CSS-Eth-Trunk5] port link-type access
      [*CSS-Eth-Trunk5] port default vlan 200
      [*CSS-Eth-Trunk5] quit
      [*CSS] commit

  7. Configure upstream and downstream devices.
    1. Configure the upstream interface Eth-Trunk 2 on the intranet switch to work in trunk mode and allow traffic from VLAN 301 to pass.
    2. Configure the upstream interface Eth-Trunk 3 on the server switch to work in trunk mode and allow traffic from VLAN 302 to pass.
    3. Set the gateway address of intranet PCs to the virtual IP address (10.1.0.3) of the VRRP group to which Eth-Trunk 1.301 belongs.
    4. Set the gateway address of servers to the virtual IP address (10.2.0.3) of the VRRP group to which Eth-Trunk 1.302 belongs.
    5. The next-hop address of the route from the egress router to the intranet is the virtual IP address (10.3.0.3) of the VRRP group to which Eth-Trunk 1.200 belongs.

Verification

  1. Run the display hrp state verbose command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_M[Module_A] display hrp state verbose
     Role: active, peer: standby                                                     
     Running priority: 45000, peer: 45000                                           
     Backup channel usage: 10.00%                                                    
     Stable time: 0 days, 0 hours, 2 minutes                                        
     Last state change information: 2001-02-20 0:59:32 HRP link changes to up.      
                                                                                    
     Configuration:                                                                 
     hello interval:              1000ms                                            
     preempt:                     60s                                               
     mirror configuration:        off                                               
     mirror session:              off                                                
     track trunk member:          on                                                
     auto-sync configuration:     on                                                
     auto-sync connection-status: on                                                
     adjust ospf-cost:            on                                                
     adjust ospfv3-cost:          on                                                
     adjust bgp-cost:             on                                                
     nat resource:                off                                               
                                                                                    
     Detail information:                                                            
                   Eth-Trunk1.301 vrrp vrid 1: active                             
                   Eth-Trunk1.302 vrrp vrid 2: active                            
                   Eth-Trunk1.200 vrrp vrid 3: active
                          GigabitEthernet1/0/0: up
                          GigabitEthernet1/0/1: up
                          GigabitEthernet1/0/2: up
                          GigabitEthernet1/0/3: up
                                     ospf-cost: +0           
                                   ospfv3-cost: +0            
                                      bgp-cost: +0
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_M[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public 10.1.0.10:22048 --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from users in the intranet to servers succeeds and check the session table of each NGFW Module.

    HRP_M[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public 10.1.0.10:22048 --> 10.2.0.8:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public -> public Remote 10.1.0.10:22048 --> 10.2.0.8:80
    
  4. Configure a PC in the Trust zone to continuously ping a public address, and run the shutdown command on Eth-Trunk 1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services: the command prompt of NGFW Module_B changes from HRP_S to HRP_M, and the command prompt of NGFW Module_A changes from HRP_M to HRP_S. No or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

    Run the undo shutdown command on Eth-Trunk 1 of NGFW Module_A and again check the status switchover and the discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of NGFW Module_A changes from HRP_S to HRP_M, and the command prompt of NGFW Module_B changes from HRP_M to HRP_S. No or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

Configuration Scripts

Configuration script of the NGFW Modules:

NGFW Module_A:

#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.2
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 description To_CE12800-1_trunk10
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 active
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 active
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
# 
firewall zone name hrp id 4
 set priority 75
 add interface Eth-Trunk0
# 
firewall interzone trust untrust
 detect ftp
#
firewall interzone trust dmz
 detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 24
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 24
  service http
  service ftp
  profile ips default
  action permit    
#
return

NGFW Module_B:

#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0 remote 10.10.0.1
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 description To_CE12800-2_trunk11
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 standby
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 standby
#
interface GigabitEthernet0/0/1
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 undo shutdown
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5 
 add interface Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
#
firewall zone name hrp id 4
 set priority 75
 add interface Eth-Trunk0
# 
firewall interzone trust untrust
 detect ftp
#
firewall interzone trust dmz
 detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 24
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 24
  service http
  service ftp
  profile ips default
  action permit   
# 
return

Configuration script of CE12800 CSS:

# ----CSS configuration----
sysname CSS
#
stack
 #
 stack mode
 #
 stack member 1 domain 10
 stack member 1 priority 150
 #
 stack member 2 domain 10
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/3/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/3/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/1
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/2
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/3
 port mode stack
 stack-port 1/1
#
interface 10GE1/4/0/4
 port mode stack
 stack-port 1/1
#
interface 10GE2/3/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/3/0/4
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/4/0/4
 port mode stack
 stack-port 2/1
#
port-group group1
 group-member 10GE1/3/0/1
 group-member 10GE1/3/0/2
 group-member 10GE1/3/0/3
 group-member 10GE1/3/0/4
 group-member 10GE1/4/0/1
 group-member 10GE1/4/0/2
 group-member 10GE1/4/0/3
 group-member 10GE1/4/0/4

# ----Traffic diversion configuration----
vlan batch 200 301 to 302
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 301
#
interface Eth-Trunk3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 302
#
interface Eth-Trunk5
 port default vlan 200
#
interface Eth-Trunk10
 description To_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
 description To_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface 10GE1/1/0/0
 eth-trunk 10
#
interface 10GE1/1/0/1
 eth-trunk 10
#
interface 10GE1/1/0/2
 eth-trunk 10
#
interface 10GE1/1/0/3
 eth-trunk 10
#
interface 10GE2/1/0/0
 eth-trunk 11
#
interface 10GE2/1/0/1
 eth-trunk 11
#
interface 10GE2/1/0/2
 eth-trunk 11
#
interface 10GE2/1/0/3
 eth-trunk 11
#
return
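The two things that silently break this design are a hot-standby pair whose VRRP groups or HRP heartbeat addresses do not mirror each other (step 3) and a switch trunk that does not carry every VLAN the NGFW Modules terminate (step 6). The checker below, an added example that is not part of Huawei's documentation or software, parses configuration text in the '#'-delimited form of the scripts above and reports both kinds of mismatch; the excerpts it reads are constructed from the page's values and trimmed to the lines the checks need.

```python
# Constructed excerpt of NGFW Module_A (page values, only lines the checks read).
MODULE_A = """\
 hrp interface Eth-Trunk0 remote 10.10.0.2
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 vrrp vrid 3 virtual-ip 10.3.0.3 active
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 vrrp vrid 1 virtual-ip 10.1.0.3 active
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 vrrp vrid 2 virtual-ip 10.2.0.3 active
"""
# Module_B mirrors Module_A; only peer address, own address and VRRP role differ.
MODULE_B = (MODULE_A.replace("remote 10.10.0.2", "remote 10.10.0.1")
            .replace("10.10.0.1 255", "10.10.0.2 255").replace(" active", " standby"))
# Constructed excerpt of the CSS trunks that divert VLAN traffic to the modules.
CSS = """\
interface Eth-Trunk10
 port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
 port trunk allow-pass vlan 200 301 to 302
"""

def parse_blocks(text):
    """Split '#'-delimited Huawei config into {header: [commands]} ('' = global)."""
    blocks, header = {}, ""
    for line in text.splitlines():
        if line.strip() == "#":
            header = ""
        elif line.startswith(" "):
            blocks.setdefault(header, []).append(line.strip())
        elif line.strip():
            header = line.strip()
    return blocks

def first(lines, prefix):
    return next((l for l in lines if l.startswith(prefix)), None)

def vrrp_groups(blocks):
    """Map vrid -> (interface, virtual-ip, role) over all interface blocks."""
    return {int(t[2]): (h, t[4], t[5]) for h, lines in blocks.items()
            for t in map(str.split, lines) if t[:2] == ["vrrp", "vrid"]}

def dot1q_vlans(blocks):
    """VLAN IDs terminated by 'vlan-type dot1q <id>' subinterfaces."""
    return {int(l.split()[-1]) for lines in blocks.values() for l in lines
            if l.startswith("vlan-type dot1q ")}

def allowed_vlans(lines):
    """Expand 'port trunk allow-pass vlan 200 301 to 302' into a set of IDs."""
    spec = (first(lines, "port trunk allow-pass vlan ") or "").split()[4:]
    vlans = set()
    for i, tok in enumerate(spec):
        if tok == "to":
            vlans.update(range(int(spec[i - 1]), int(spec[i + 1]) + 1))
        elif tok.isdigit():
            vlans.add(int(tok))
    return vlans

def check_ha_pair(a_text, b_text):
    """Findings for the Module_A/Module_B hot-standby pair; empty when consistent."""
    a, b, findings = parse_blocks(a_text), parse_blocks(b_text), []
    for name, own, peer in (("Module_A", a, b), ("Module_B", b, a)):
        # The hrp remote address must be the peer's Eth-Trunk0 heartbeat address.
        remote = (first(own.get("", []), "hrp interface ") or "hrp ?").split()[-1]
        peer_ip = (first(peer.get("interface Eth-Trunk0", []), "ip address ")
                   or "ip address ?").split()[2]
        if remote != peer_ip:
            findings.append(f"{name}: hrp remote {remote} is not the peer's Eth-Trunk0 {peer_ip}")
    ga, gb = vrrp_groups(a), vrrp_groups(b)
    for vrid in sorted(set(ga) | set(gb)):
        if vrid not in ga or vrid not in gb:
            findings.append(f"vrid {vrid}: configured on one module only")
        elif ga[vrid][:2] != gb[vrid][:2]:
            findings.append(f"vrid {vrid}: interface or virtual-ip differs between modules")
        elif {ga[vrid][2], gb[vrid][2]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {ga[vrid][2]}/{gb[vrid][2]} are not active/standby")
    return findings

def check_diversion(css_text, fw_text, trunks=("Eth-Trunk10", "Eth-Trunk11")):
    """Every VLAN the firewall terminates must be allowed on each diverting trunk."""
    css, needed = parse_blocks(css_text), dot1q_vlans(parse_blocks(fw_text))
    missing = {t: needed - allowed_vlans(css.get("interface " + t, [])) for t in trunks}
    return [f"{t}: VLANs {sorted(m)} not allowed on the trunk" for t, m in missing.items() if m]

if __name__ == "__main__":
    print(check_ha_pair(MODULE_A, MODULE_B) or "HA pair consistent")
    print(check_diversion(CSS, MODULE_A) or "trunks carry every terminated VLAN")
```

Run it against the full scripts exported from both modules and the CSS to catch a typo in one virtual IP or a forgotten VLAN on Eth-Trunk 10 or 11 before a failover test exposes it.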
Updated: 2019-04-03

Document ID: EDOC1000039339
