Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring a Stack-based 3-Layer Data Center Network

Applicable Products and Versions

  • CloudEngine series switches running V100R001C00 or later versions
  • The CE12800E does not support the stack function after FD-X series cards are installed.

Networking Requirements

On a 3-Layer network as shown in Figure 1-1, the core layer contains two CE12800 switches. The two switches are connected through an Eth-Trunk with two 10GE member links for link backup. The aggregation layer has a CE12800 stack. The stack connects to upstream and downstream devices through inter-chassis Eth-Trunk interfaces. The Eth-Trunks are configured to preferentially forward local traffic so that loads on inter-chassis links are reduced. VRF instances are created on the aggregation layer to separate service network routes and public network routes. Two firewalls are connected to CE12800 switches in bypass mode, and work in hot standby mode to improve reliability.

Figure 1-1 Diagram of a stack-based 3-Layer data center network
Table 1-1 Data preparation

| Device Name | Interface Number | IP Address | Interconnected Device and Interface Number |
|---|---|---|---|
| Router | XGigabitEthernet1/0/1 | 10.10.7.2/24 | CE12800-1: 10GE1/0/1 |
| Router | XGigabitEthernet1/0/2 | 10.10.8.2/24 | CE12800-2: 10GE1/0/1 |
| CE12800-1 | 10GE1/0/1 | 10.10.7.1/24 | Router: XGigabitEthernet1/0/1 |
| CE12800-1 | Eth-Trunk1 (10GE1/0/2, 10GE2/0/2) | 10.10.6.1/24 | CE12800-2: Eth-Trunk1 |
| CE12800-1 | Eth-Trunk8 (10GE1/0/3, 10GE2/0/3) | 10.10.4.2/24 | CSS: Eth-Trunk8 |
| CE12800-2 | 10GE1/0/1 | 10.10.8.1/24 | Router: XGigabitEthernet1/0/2 |
| CE12800-2 | Eth-Trunk1 (10GE1/0/2, 10GE2/0/2) | 10.10.6.2/24 | CE12800-1: Eth-Trunk1 |
| CE12800-2 | Eth-Trunk9 (10GE1/0/3, 10GE2/0/3) | 10.10.5.2/24 | CSS: Eth-Trunk9 |
| CSS | Stack-Port1/1 (10GE1/1/0/1 to 10GE1/1/0/4, 10GE1/2/0/1 to 10GE1/2/0/4) | - | CSS: Stack-Port2/1 |
| CSS | Stack-Port2/1 (10GE2/1/0/1 to 10GE2/1/0/4, 10GE2/2/0/1 to 10GE2/2/0/4) | - | CSS: Stack-Port1/1 |
| CSS | Eth-Trunk2 (10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, 10GE2/2/0/5) | VLANIF 100: 10.10.1.1/24 | iStack-1: Eth-Trunk2 |
| CSS | Eth-Trunk3 (10GE1/1/0/6, 10GE1/2/0/6, 10GE2/1/0/6, 10GE2/2/0/6) | VLANIF 100: 10.10.1.1/24 | iStack-2: Eth-Trunk3 |
| CSS | Eth-Trunk4 (10GE1/1/0/7, 10GE2/1/0/7) | VLANIF 200: 10.10.2.1/24 | FW-1: Eth-Trunk4 |
| CSS | Eth-Trunk6 (10GE1/2/0/7, 10GE2/2/0/7) | VLANIF 200: 10.10.2.1/24 | FW-2: Eth-Trunk4 |
| CSS | Eth-Trunk5 (10GE1/1/0/8, 10GE2/1/0/8) | VLANIF 300: 10.10.3.1/24 | FW-1: Eth-Trunk5 |
| CSS | Eth-Trunk7 (10GE1/2/0/8, 10GE2/2/0/8) | VLANIF 300: 10.10.3.1/24 | FW-2: Eth-Trunk5 |
| CSS | Eth-Trunk8 (10GE1/1/0/9, 10GE2/1/0/9) | 10.10.4.1/24 | CE12800-1: Eth-Trunk8 |
| CSS | Eth-Trunk9 (10GE1/2/0/9, 10GE2/2/0/9) | 10.10.5.1/24 | CE12800-2: Eth-Trunk9 |
| iStack-1 | Stack-Port1/1 (10GE1/0/1 to 10GE1/0/4) | - | iStack-1: Stack-Port2/1 |
| iStack-1 | Stack-Port2/1 (10GE2/0/1 to 10GE2/0/4) | - | iStack-1: Stack-Port1/1 |
| iStack-1 | Eth-Trunk2 (10GE1/0/5 to 10GE1/0/6, 10GE2/0/5 to 10GE2/0/6) | - | CSS: Eth-Trunk2 |
| iStack-2 | Stack-Port1/1 (10GE1/0/1 to 10GE1/0/4) | - | iStack-2: Stack-Port2/1 |
| iStack-2 | Stack-Port2/1 (10GE2/0/1 to 10GE2/0/4) | - | iStack-2: Stack-Port1/1 |
| iStack-2 | Eth-Trunk3 (10GE1/0/5 to 10GE1/0/6, 10GE2/0/5 to 10GE2/0/6) | - | CSS: Eth-Trunk3 |
| FW-1 | Eth-Trunk1 (GigabitEthernet2/0/0, GigabitEthernet2/0/1) | 10.1.1.1/24 | FW-2: Eth-Trunk1 |
| FW-1 | Eth-Trunk4 (GigabitEthernet1/0/0, GigabitEthernet1/0/1) | 10.10.2.2/24 | CSS: Eth-Trunk4 |
| FW-1 | Eth-Trunk5 (GigabitEthernet1/1/0, GigabitEthernet1/1/1) | 10.10.3.2/24 | CSS: Eth-Trunk5 |
| FW-2 | Eth-Trunk1 (GigabitEthernet2/0/0, GigabitEthernet2/0/1) | 10.1.1.2/24 | FW-1: Eth-Trunk1 |
| FW-2 | Eth-Trunk4 (GigabitEthernet1/0/0, GigabitEthernet1/0/1) | 10.10.2.3/24 | CSS: Eth-Trunk6 |
| FW-2 | Eth-Trunk5 (GigabitEthernet1/1/0, GigabitEthernet1/1/1) | 10.10.3.3/24 | CSS: Eth-Trunk7 |

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure CSS at the aggregation layer and iStack at the access layer to implement device backup.
  2. Configure Eth-Trunks between the aggregation/access switches and their upstream/downstream devices, and firewalls to form a reliable, loop-free network.
  3. Create VLANs and add interfaces to VLANs so that the servers in the same VLAN can communicate with each other.
  4. Configure routes between aggregation layer and core layer to implement Layer 3 connection. Run OSPF between the aggregation layer, core layer, and router, and configure static routes between CSS and firewall. Create VRF-A on the CSS, and bind the service interfaces and downstream interfaces connected to firewalls to VRF-A to separate service network segment routes and public network routes. The default route of VRF-A is destined for the firewalls.
  5. Configure the hot standby, security policy, attack defense, and intrusion protection functions on firewalls.

Procedure

  1. Configure the CSS function on aggregation switches CE12800-3 and CE12800-4.

    1. Connect stack cables between CE12800-3 and CE12800-4 according to Figure 1-2.
      Figure 1-2 Physical connections of CSS
    2. Configure stack attributes for CE12800-3 and CE12800-4. (Set a higher priority for CE12800-3, so CE12800-3 will become the master switch.)

      # Set the stack ID of CE12800-3 to 1, priority to 150, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-3
      [*HUAWEI] commit
      [~CE12800-3] stack
      [~CE12800-3-stack] stack member 1         
      [*CE12800-3-stack] stack priority 150     
      [*CE12800-3-stack] stack domain 10        
      [*CE12800-3-stack] stack link-type mainboard-direct     
      [*CE12800-3-stack] quit
      [*CE12800-3] commit

      # Set the stack ID of CE12800-4 to 2, priority to 100, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-4
      [*HUAWEI] commit
      [~CE12800-4] stack
      [~CE12800-4-stack] stack member 2
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE12800-4-stack] stack priority 100
      [*CE12800-4-stack] stack domain 10
      [*CE12800-4-stack] stack link-type mainboard-direct
      [*CE12800-4-stack] quit
      [*CE12800-4] commit
    3. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-3, add 10GE1/0/1-10GE1/0/4 and 10GE2/0/1-10GE2/0/4 to the stack port.

      [~CE12800-3] port-group group1       
      [*CE12800-3-port-group-group1] group-member 10ge 1/0/1 to 10ge 1/0/4       
      [*CE12800-3-port-group-group1] group-member 10ge 2/0/1 to 10ge 2/0/4
      [*CE12800-3-port-group-group1] shutdown       
      [*CE12800-3-port-group-group1] quit
      [*CE12800-3] commit
      [~CE12800-3] interface stack-port 1
      [*CE12800-3-Stack-Port1] port member-group interface 10ge 1/0/1 to 1/0/4       
      [*CE12800-3-Stack-Port1] port member-group interface 10ge 2/0/1 to 2/0/4
      [*CE12800-3-Stack-Port1] quit
      [*CE12800-3] commit
      [~CE12800-3] port-group group1
      [~CE12800-3-port-group-group1] undo shutdown       
      [*CE12800-3-port-group-group1] quit
      [*CE12800-3] return

      # The configuration procedure on CE12800-4 is the same as the configuration procedure on CE12800-3, and is not mentioned here.

    4. Enable the stack function.

      # Enable the stack function on CE12800-3 and restart the device.

      <CE12800-3> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-3> system-view
      [~CE12800-3] stack
      [~CE12800-3-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y

      # Enable the stack function on CE12800-4 and restart the device.

      <CE12800-4> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-4> system-view
      [~CE12800-4] stack
      [~CE12800-4-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
    5. Rename the stack system CSS.

      <CE12800-3> system-view
      [~CE12800-3] sysname CSS
      [*CE12800-3] commit

  2. Configure the iStack function on the access switches. The configurations on CE6800-1 and CE6800-2 are used as an example here. The configurations on other switches are similar.

    1. Configure the stack attributes for CE6800-1 and CE6800-2. (Set a higher priority for CE6800-1, so CE6800-1 will become the master switch.)

      # On CE6800-1, set the stack ID to 1, priority to 150, and domain ID to 20. (The default stack member ID of a switch is 1. In this example, CE6800-1 keeps the default stack member ID 1, so this parameter does not need to be configured.)

      <HUAWEI> system-view
      [~HUAWEI] sysname CE6800-1
      [*HUAWEI] commit
      [~CE6800-1] stack
      [~CE6800-1-stack] stack member 1 priority 150
      [*CE6800-1-stack] stack member 1 domain 20
      [*CE6800-1-stack] quit
      [*CE6800-1] commit

      # On CE6800-2, set the stack ID to 2 and domain ID to 20.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE6800-2
      [*HUAWEI] commit
      [~CE6800-2] stack
      [~CE6800-2-stack] stack member 1 renumber 2 inherit-config
      Warning: The stack configuration of member ID 1 will be inherited to member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE6800-2-stack] stack member 1 priority 100
      [*CE6800-2-stack] stack member 1 domain 20
      [*CE6800-2-stack] quit
      [*CE6800-2] commit
    2. Configure stack ports. The two switches are connected by four 10GE optical ports.

      # On CE6800-1, add 10GE1/0/1-10GE1/0/4 to stack port 1/1.

      [~CE6800-1] interface stack-port 1/1
      [*CE6800-1-Stack-Port1/1] port member-group interface 10ge 1/0/1 to 1/0/4
      Warning: The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode. [Y/N]: y
      [*CE6800-1-Stack-Port1/1] quit
      [*CE6800-1] commit

      # The configuration procedure on CE6800-2 is the same as that on CE6800-1, and is not mentioned here.

    3. Save the configurations of CE6800-1 and CE6800-2, power off the two switches, connect stack cables, and power on the switches.

    4. Rename the stack system iStack-1. CE6800-1 functions as the master switch in this example.

      <CE6800-1> system-view
      [~CE6800-1] sysname iStack-1
      [*CE6800-1] commit
    5. Configure the stack consisting of CE6800-3 and CE6800-4 according to the preceding configurations. Rename the stack system iStack-2. CE6800-3 functions as the master switch in this example.

  3. Connect the CSS and iStack systems to upstream and downstream devices, and firewalls through Eth-Trunks. The connection between CSS and iStack-1 is used as an example.

    # Create Eth-Trunk2 on the CSS, and add 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, and 10GE2/2/0/5 to Eth-Trunk2.

    [~CSS] interface eth-trunk 2
    [*CSS-Eth-Trunk2] description To_iStack-1
    [*CSS-Eth-Trunk2] trunkport 10ge 1/1/0/5 1/2/0/5 2/1/0/5 2/2/0/5
    [*CSS-Eth-Trunk2] quit
    [*CSS] commit

    # Create Eth-Trunk2 on iStack-1, and add 10GE1/0/5, 10GE1/0/6, 10GE2/0/5, and 10GE2/0/6 to Eth-Trunk2.

    [~iStack-1] interface eth-trunk 2
    [*iStack-1-Eth-Trunk2] description To_CSS
    [*iStack-1-Eth-Trunk2] trunkport 10ge 1/0/5 to 1/0/6
    [*iStack-1-Eth-Trunk2] trunkport 10ge 2/0/5 to 2/0/6
    [*iStack-1-Eth-Trunk2] quit
    [*iStack-1] commit

    # The other Eth-Trunks in Table 1-1 are configured in the same way, and their configuration is not repeated here.

  4. Configure dual-active detection (DAD) in relay mode in the CSS and iStacks so that a stack split caused by a stack link failure is detected and resolved. The following uses the configuration of DAD in relay mode in the CSS as an example.

    # In the CSS, configure DAD in relay mode on the Eth-Trunks that connect to CE12800-1 and CE12800-2.

    [~CSS] interface eth-trunk 8
    [~CSS-Eth-Trunk8] dual-active detect mode relay
    [*CSS-Eth-Trunk8] quit
    [*CSS] interface eth-trunk 9
    [*CSS-Eth-Trunk9] dual-active detect mode relay
    [*CSS-Eth-Trunk9] quit
    [*CSS] commit

    # Configure the proxy function on the Eth-Trunks that connect CE12800-1 and CE12800-2 to the CSS.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE12800-1
    [*HUAWEI] commit
    [~CE12800-1] interface eth-trunk 8
    [~CE12800-1-Eth-Trunk8] dual-active proxy
    [*CE12800-1-Eth-Trunk8] quit
    [*CE12800-1] commit
    <HUAWEI> system-view
    [~HUAWEI] sysname CE12800-2
    [*HUAWEI] commit
    [~CE12800-2] interface eth-trunk 9
    [~CE12800-2-Eth-Trunk9] dual-active proxy
    [*CE12800-2-Eth-Trunk9] quit
    [*CE12800-2] commit

    # Configure DAD in relay mode in iStacks according to the preceding method. The configuration is not mentioned here.

  5. Create VLAN100 on the CSS and add the port connected to the iStack to VLAN100 to implement Layer 2 connection.

    # On the CSS, create VLAN100 and allow it on the Eth-Trunk interface connected to iStack-1.

    [~CSS] vlan batch 100
    [*CSS] interface eth-trunk 2
    [*CSS-Eth-Trunk2] port link-type trunk
    [*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk2] port trunk allow-pass vlan 100
    [*CSS-Eth-Trunk2] quit
    [*CSS] commit

    # On iStack-1, create VLAN100 and allow it on the Eth-Trunk interface connected to the CSS.

    [~iStack-1] vlan batch 100
    [*iStack-1] interface eth-trunk 2
    [*iStack-1-Eth-Trunk2] port link-type trunk
    [*iStack-1-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [*iStack-1-Eth-Trunk2] port trunk allow-pass vlan 100
    [*iStack-1-Eth-Trunk2] quit
    [*iStack-1] commit

    # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-2. The configuration is the same as the configuration in the preceding step.

  6. Assign an IP address to each interface.

    # Configure the IP address for the VLANIF interface connected to the firewall. The IP address configuration of VLANIF200 is used as an example.

    [~CSS] vlan batch 200
    [*CSS] interface Vlanif 200
    [*CSS-Vlanif200] ip address 10.10.2.1 24
    [*CSS-Vlanif200] quit
    [*CSS] interface eth-trunk 4
    [*CSS-Eth-Trunk4] port link-type trunk
    [*CSS-Eth-Trunk4] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk4] port trunk allow-pass vlan 200
    [*CSS-Eth-Trunk4] port trunk pvid vlan 200
    [*CSS-Eth-Trunk4] quit
    [*CSS] interface eth-trunk 6
    [*CSS-Eth-Trunk6] port link-type trunk
    [*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk6] port trunk allow-pass vlan 200
    [*CSS-Eth-Trunk6] port trunk pvid vlan 200
    [*CSS-Eth-Trunk6] quit
    [*CSS] commit

    # Configure IP addresses for other VLANIF interfaces connected to firewalls in Table 1-1 according to the preceding method. The configuration is not mentioned here.

    # Configure IP addresses for the interfaces connecting CE12800-1 and CE12800-2 to the CSS and the router. Configure the Ethernet interfaces as Layer 3 interfaces. The configuration on Eth-Trunk1 between CE12800-1 and CE12800-2 is used as an example.

    NOTE:

    For V100R002 and later versions, an Ethernet interface can be configured as a Layer 3 interface by using the undo portswitch command. If your CE switch does not support this function, use a VLANIF interface.

    [~CE12800-1] interface eth-trunk 1
    [*CE12800-1-Eth-Trunk1] undo portswitch
    [*CE12800-1-Eth-Trunk1] ip address 10.10.6.1 24
    [*CE12800-1-Eth-Trunk1] quit
    [*CE12800-1] commit
    [~CE12800-2] interface eth-trunk 1
    [*CE12800-2-Eth-Trunk1] undo portswitch
    [*CE12800-2-Eth-Trunk1] ip address 10.10.6.2 24
    [*CE12800-2-Eth-Trunk1] quit
    [*CE12800-2] commit

    # Configure IP addresses for other Layer 3 Ethernet interfaces in Table 1-1 according to the preceding step. The configuration is not mentioned here.

  7. Configure the routes between the firewalls, CSS, CE12800-1, CE12800-2, and router to implement Layer 3 connection. Run OSPF between the CSS, CE12800-1, CE12800-2, and router. Configure static routes between the firewalls and the CSS. Create VRF-A on the CSS, and bind the service interfaces and the downstream interfaces connected to the firewalls to VRF-A. The default route of VRF-A points to the downstream VRRP virtual IP address of the firewalls.

    # Create VRF-A on the CSS, bind VLANIF100 and VLANIF200 to VRF-A, and configure a default route in VRF-A whose next hop is the downstream VRRP virtual IP address of the firewalls.

    NOTE:

    When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.

    [~CSS] ip vpn-instance VRF-A     
    [*CSS-vpn-instance-VRF-A] ipv4-family
    [*CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
    [*CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
    [*CSS-vpn-instance-VRF-A-af-ipv4] quit
    [*CSS-vpn-instance-VRF-A] quit
    [*CSS] interface Vlanif 100
    [*CSS-Vlanif100] ip binding vpn-instance VRF-A     
    [*CSS-Vlanif100] ip address 10.10.1.1 24
    [*CSS-Vlanif100] quit
    [*CSS] interface Vlanif 200
    [*CSS-Vlanif200] ip binding vpn-instance VRF-A     
    [*CSS-Vlanif200] ip address 10.10.2.1 24
    [*CSS-Vlanif200] quit
    [*CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5    
    [*CSS] commit

    # Configure a static route from the CSS to service network segment with the firewalls as the next hop. Run OSPF between CSS, CE12800-1, and CE12800-2 and import the static route to OSPF.

    [~CSS] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5     
    [*CSS] ospf 100       
    [*CSS-ospf-100] area 0
    [*CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
    [*CSS-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255
    [*CSS-ospf-100-area-0.0.0.0] quit
    [*CSS-ospf-100] import-route static      
    [*CSS-ospf-100] quit
    [*CSS] commit

    # Configure OSPF on CE12800-1, CE12800-2, and router. The configuration on CE12800-1 is used as an example.

    [~CE12800-1] ospf 100
    [*CE12800-1-ospf-100] area 0
    [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
    [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.6.0 0.0.0.255
    [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.7.0 0.0.0.255
    [*CE12800-1-ospf-100-area-0.0.0.0] quit
    [*CE12800-1-ospf-100] quit
    [*CE12800-1] commit

    # The configurations on CE12800-2 and router are similar to the configuration on CE12800-1, and are not mentioned here.

  8. Configure the firewalls.

    In this example, the firewalls are Huawei USG firewalls.

    # Perform the basic configurations on FW-1, including device name, interface, and security zone.

    <USG> system-view
    [USG] sysname FW-1
    [FW-1] interface Eth-Trunk 4
    [FW-1-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
    [FW-1-Eth-Trunk4] ip address 10.10.2.2 24
    [FW-1-Eth-Trunk4] quit
    [FW-1] interface Eth-Trunk 5
    [FW-1-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
    [FW-1-Eth-Trunk5] ip address 10.10.3.2 24
    [FW-1-Eth-Trunk5] quit
    [FW-1] interface Eth-Trunk 1
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
    [FW-1-Eth-Trunk1] ip address 10.1.1.1 24
    [FW-1-Eth-Trunk1] quit
    [FW-1] firewall zone trust
    [FW-1-zone-trust] add interface Eth-Trunk 4
    [FW-1-zone-trust] quit
    [FW-1] firewall zone untrust
    [FW-1-zone-untrust] add interface Eth-Trunk 5
    [FW-1-zone-untrust] quit
    [FW-1] firewall zone dmz
    [FW-1-zone-dmz] add interface Eth-Trunk 1
    [FW-1-zone-dmz] quit

    # Perform the basic configurations on FW-2, including device name, interface, and security zone.

    <USG> system-view
    [USG] sysname FW-2
    [FW-2] interface Eth-Trunk 4
    [FW-2-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
    [FW-2-Eth-Trunk4] ip address 10.10.2.3 24
    [FW-2-Eth-Trunk4] quit
    [FW-2] interface Eth-Trunk 5
    [FW-2-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
    [FW-2-Eth-Trunk5] ip address 10.10.3.3 24
    [FW-2-Eth-Trunk5] quit
    [FW-2] interface Eth-Trunk 1
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
    [FW-2-Eth-Trunk1] ip address 10.1.1.2 24
    [FW-2-Eth-Trunk1] quit
    [FW-2] firewall zone trust
    [FW-2-zone-trust] add interface Eth-Trunk 4
    [FW-2-zone-trust] quit
    [FW-2] firewall zone untrust
    [FW-2-zone-untrust] add interface Eth-Trunk 5
    [FW-2-zone-untrust] quit
    [FW-2] firewall zone dmz
    [FW-2-zone-dmz] add interface Eth-Trunk 1
    [FW-2-zone-dmz] quit

    # Configure the static route on FW-1.

    [FW-1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      
    [FW-1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      

    # Configure the static route on FW-2.

    [FW-2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      
    [FW-2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      
    

    # Configure hot standby on FW-1.

    [FW-1] interface Eth-Trunk 4
    [FW-1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master     
    [FW-1-Eth-Trunk4] quit
    [FW-1] interface Eth-Trunk 5
    [FW-1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master     
    [FW-1-Eth-Trunk5] quit
    [FW-1] hrp interface Eth-Trunk 1 remote 10.1.1.2
    [FW-1] firewall packet-filter default permit interzone local dmz
    [FW-1] hrp enable

    # Configure hot standby on FW-2.

    [FW-2] interface Eth-Trunk 4
    [FW-2-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
    [FW-2-Eth-Trunk4] quit
    [FW-2] interface Eth-Trunk 5
    [FW-2-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
    [FW-2-Eth-Trunk5] quit
    [FW-2] hrp interface Eth-Trunk 1 remote 10.1.1.1
    [FW-2] firewall packet-filter default permit interzone local dmz
    [FW-2] hrp enable

    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active firewall FW-1.

    # Configure the security policy and intrusion protection.

    NOTE:

    Before configuring intrusion protection, ensure that the intrusion signature library is the latest version.

    When configuring intrusion protection, use the default intrusion file default.

    HRP_M[FW-1] policy interzone trust untrust outbound
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24     
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default       
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
    HRP_M[FW-1] policy interzone trust untrust inbound
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24     
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http     
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
    HRP_M[FW-1] ips enable

    # Configure attack defense.

    NOTE:

    The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.

    HRP_M[FW-1] firewall defend syn-flood enable
    HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
    HRP_M[FW-1] firewall defend udp-flood enable
    HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
    HRP_M[FW-1] firewall defend icmp-flood enable
    HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
    HRP_M[FW-1] firewall blacklist enable
    HRP_M[FW-1] firewall defend ip-sweep enable
    HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
    HRP_M[FW-1] firewall defend port-scan enable
    HRP_M[FW-1] firewall defend port-scan max-rate 4000
    HRP_M[FW-1] firewall defend ip-fragment enable
    HRP_M[FW-1] firewall defend ip-spoofing enable

    # Configure ASPF.

    HRP_M[FW-1] firewall interzone trust untrust
    HRP_M[FW-1-interzone-trust-untrust] detect ftp        
    HRP_M[FW-1-interzone-trust-untrust] quit

Verifying the Configuration

After the configurations are complete, check whether the servers and router can ping each other. In this example, the servers ping the router.

PC> ping 10.10.7.2

Ping 10.10.7.2: 32 data bytes, Press Ctrl_C to break
From 10.10.7.2: bytes=32 seq=1 ttl=251 time=63 ms
From 10.10.7.2: bytes=32 seq=2 ttl=251 time=94 ms
From 10.10.7.2: bytes=32 seq=3 ttl=251 time=63 ms
From 10.10.7.2: bytes=32 seq=4 ttl=251 time=62 ms
From 10.10.7.2: bytes=32 seq=5 ttl=251 time=47 ms

--- 10.10.7.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/65/94 ms
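The ttl=251 in this output is itself a check on the routing design of step 7: the router's echo reply starts with a TTL of 255 and is decremented four times, in CE12800-1, in the public routing instance of the CSS, in FW-1, and in VRF-A on the CSS, because VRF-A and the public instance exchange traffic only through the firewalls. The following Python model is an added example (not part of Huawei's document) that reconstructs the routing tables from steps 6 to 8 and the configuration files and traces both directions; the server address 10.10.1.10 and the choice of the CE12800-1 path (CE12800-2 is an equal-cost alternative) are assumptions.

```python
import ipaddress

INITIAL_TTL = 255  # TTL the router's echo reply starts with (VRP default)


class Node:
    """One forwarding instance: a router, a firewall, a VRF or a host."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # (prefix, next hop); next hop None means directly connected
        self.routes = [(ipaddress.ip_network(p),
                        None if nh is None else ipaddress.ip_address(nh))
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next hop) or None."""
        dst = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


class Topology:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def owner(self, ip):
        """Node owning an interface address or a VRRP virtual address."""
        return next((n for n in self.nodes.values() if ip in n.addresses), None)

    def trace(self, src, dst_ip):
        """Transit nodes (each decrements TTL once) from src to dst_ip's owner.
        Raises LookupError on a black hole and RuntimeError on a loop."""
        dst = ipaddress.ip_address(dst_ip)
        node, transit = self.nodes[src], []
        while True:
            route = node.lookup(dst)
            if route is None:
                raise LookupError(f"{node.name} has no route to {dst}")
            prefix, nexthop = route
            target = dst if nexthop is None else nexthop
            nxt = self.owner(target)
            if nxt is None:
                raise LookupError(f"{node.name}: {target} via {prefix} unreachable")
            if target == dst:
                return transit  # delivered to the destination's owner
            if nxt.name == src or nxt.name in transit:
                raise RuntimeError(f"forwarding loop at {nxt.name} for {dst}")
            transit.append(nxt.name)
            node = nxt


def build_topology(fw_service_route=True):
    """Reconstruct the example network. The CSS is two nodes because VRF-A and
    the public instance are separate routing tables joined only through FW-1.
    fw_service_route=False drops FW-1's route back to the service segment."""
    fw_routes = [("10.10.2.0/24", None), ("10.10.3.0/24", None),
                 ("10.1.1.0/24", None),
                 ("0.0.0.0/0", "10.10.3.1")]             # default to CSS Vlanif300
    if fw_service_route:
        fw_routes.append(("10.10.1.0/24", "10.10.2.1"))  # back into VRF-A
    return Topology([
        Node("Server", ["10.10.1.10"],                  # assumed host address
             [("10.10.1.0/24", None), ("0.0.0.0/0", "10.10.1.1")]),
        Node("CSS (VRF-A)", ["10.10.1.1", "10.10.2.1"],
             [("10.10.1.0/24", None), ("10.10.2.0/24", None),
              ("0.0.0.0/0", "10.10.2.5")]),             # only exit: firewall VIP
        # FW-1 is VRRP master on both trunks, so it owns both virtual IPs.
        Node("FW-1", ["10.10.2.2", "10.10.3.2", "10.1.1.1",
                      "10.10.2.5", "10.10.3.5"], fw_routes),
        Node("CSS (public)", ["10.10.3.1", "10.10.4.1", "10.10.5.1"],
             [("10.10.3.0/24", None), ("10.10.4.0/24", None),
              ("10.10.5.0/24", None),
              ("10.10.1.0/24", "10.10.3.5"),            # static, imported to OSPF
              ("10.10.7.0/24", "10.10.4.2")]),          # learned via OSPF
        Node("CE12800-1", ["10.10.4.2", "10.10.6.1", "10.10.7.1"],
             [("10.10.4.0/24", None), ("10.10.6.0/24", None),
              ("10.10.7.0/24", None),
              ("10.10.1.0/24", "10.10.4.1")]),          # OSPF external from CSS
        Node("Router", ["10.10.7.2", "10.10.8.2"],
             [("10.10.7.0/24", None), ("10.10.8.0/24", None),
              ("10.10.1.0/24", "10.10.7.1")]),          # one of two ECMP paths
    ])


def reply_ttl(topo, src, dst_ip):
    """TTL seen at the destination for a packet src sends with INITIAL_TTL."""
    return INITIAL_TTL - len(topo.trace(src, dst_ip))


if __name__ == "__main__":
    topo = build_topology()
    print(" -> ".join(topo.trace("Server", "10.10.7.2")))
    print(" -> ".join(topo.trace("Router", "10.10.1.10")))
    print(reply_ttl(topo, "Router", "10.10.1.10"))  # 251, as in the ping output
```

Building the topology with fw_service_route=False makes the return path loop between FW-1 and the public instance of the CSS, which shows why both static routes on the firewalls in step 8 are required.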

Configuration File

  • Configuration file of the router

    #
    sysname Router
    #
    interface XGigabitEthernet1/0/1 
     ip address 10.10.7.2 255.255.255.0
    #
    interface XGigabitEthernet1/0/2 
     ip address 10.10.8.2 255.255.255.0
    #
    ospf 100
     area 0.0.0.0
      network 10.10.7.0 0.0.0.255
      network 10.10.8.0 0.0.0.255
    #
    return
    
  • Configuration file of CE12800-1 at the core layer

    #
    sysname CE12800-1
    #
    interface Eth-Trunk1
     description To_CE12800-2
     undo portswitch
     ip address 10.10.6.1 255.255.255.0
    #
    interface Eth-Trunk8
     description To_CSS
     undo portswitch
     ip address 10.10.4.2 255.255.255.0
     dual-active proxy
    #
    interface 10GE1/0/1
     description To_Router
     undo portswitch
     ip address 10.10.7.1 255.255.255.0
    #
    interface 10GE1/0/2
     eth-trunk 1
    #
    interface 10GE1/0/3
     eth-trunk 8
    #
    interface 10GE2/0/2
     eth-trunk 1
    #
    interface 10GE2/0/3
     eth-trunk 8
    #
    ospf 100
     area 0.0.0.0
      network 10.10.4.0 0.0.0.255
      network 10.10.6.0 0.0.0.255
      network 10.10.7.0 0.0.0.255
    #
    return
  • Configuration file of CE12800-2 at the core layer

    #
    sysname CE12800-2
    #
    interface Eth-Trunk1
     description To_CE12800-1
     undo portswitch
     ip address 10.10.6.2 255.255.255.0
    #
    interface Eth-Trunk9
     description To_CSS
     undo portswitch
     ip address 10.10.5.2 255.255.255.0
     dual-active proxy
    #
    interface 10GE1/0/1
     description To_Router
     undo portswitch
     ip address 10.10.8.1 255.255.255.0
    #
    interface 10GE1/0/2
     eth-trunk 1
    #
    interface 10GE1/0/3
     eth-trunk 9
    #
    interface 10GE2/0/2
     eth-trunk 1
    #
    interface 10GE2/0/3
     eth-trunk 9
    #
    ospf 100
     area 0.0.0.0
      network 10.10.5.0 0.0.0.255
      network 10.10.6.0 0.0.0.255
      network 10.10.8.0 0.0.0.255
    #
    return
  • Configuration file of the CSS at the aggregation layer

    #
    sysname CSS
    #
    vlan batch 100 200 300
    #
    ip vpn-instance VRF-A 
     ipv4-family
      route-distinguisher 100:1        
      vpn-target 111:1 export-extcommunity 
      vpn-target 111:1 import-extcommunity
    #
    stack
     #
     stack mode
     #
     stack member 1 domain 10
     stack member 1 priority 150
     #
     stack member 2 domain 10
    #
    interface Vlanif100
     ip binding vpn-instance VRF-A
     ip address 10.10.1.1 255.255.255.0
    #
    interface Vlanif200
     ip binding vpn-instance VRF-A
     ip address 10.10.2.1 255.255.255.0
    #
    interface Vlanif300
     ip address 10.10.3.1 255.255.255.0
    #
    interface Eth-Trunk2
     description To_iStack-1
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     dual-active proxy
    #
    interface Eth-Trunk3
     description To_iStack-2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     dual-active proxy
    #
    interface Eth-Trunk4
     description To_FW-1
     port link-type trunk
     port trunk pvid vlan 200
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 200
    #
    interface Eth-Trunk5
     description To_FW-1
     port link-type trunk
     port trunk pvid vlan 300
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 300
    #
    interface Eth-Trunk6
     description To_FW-2
     port link-type trunk
     port trunk pvid vlan 200
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 200
    #
    interface Eth-Trunk7
     description To_FW-2
     port link-type trunk
     port trunk pvid vlan 300
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 300
    #
    interface Eth-Trunk8
     description To_CE12800-1
     undo portswitch
     ip address 10.10.4.1 255.255.255.0
     dual-active detect mode relay
    #
    interface Eth-Trunk9
     description To_CE12800-2
     undo portswitch
     ip address 10.10.5.1 255.255.255.0
     dual-active detect mode relay
    #
    interface Stack-Port1/1
    #
    interface Stack-Port2/1
    #
    interface 10GE1/1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/5
     eth-trunk 2
    #
    interface 10GE1/1/0/6
     eth-trunk 3
    #
    interface 10GE1/1/0/7
     eth-trunk 4
    #
    interface 10GE1/1/0/8
     eth-trunk 5
    #
    interface 10GE1/1/0/9
     eth-trunk 8
    #
    interface 10GE1/2/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/5
     eth-trunk 2
    #
    interface 10GE1/2/0/6
     eth-trunk 3
    #
    interface 10GE1/2/0/7
     eth-trunk 6
    #
    interface 10GE1/2/0/8
     eth-trunk 7
    #
    interface 10GE1/2/0/9
     eth-trunk 9
    #
    interface 10GE2/1/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/5
     eth-trunk 2
    #
    interface 10GE2/1/0/6
     eth-trunk 3
    #
    interface 10GE2/1/0/7
     eth-trunk 4
    #
    interface 10GE2/1/0/8
     eth-trunk 5
    #
    interface 10GE2/1/0/9
     eth-trunk 8
    #
    interface 10GE2/2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/5
     eth-trunk 2
    #
    interface 10GE2/2/0/6
     eth-trunk 3
    #
    interface 10GE2/2/0/7
     eth-trunk 6
    #
    interface 10GE2/2/0/8
     eth-trunk 7
    #
    interface 10GE2/2/0/9
     eth-trunk 9
    #
     ospf 100
      import-route static
      area 0.0.0.0
       network 10.10.4.0 0.0.0.255
       network 10.10.5.0 0.0.0.255
     #
     ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
     ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
    #
    port-group group1
     group-member 10GE1/1/0/1
     group-member 10GE1/1/0/2
     group-member 10GE1/1/0/3
     group-member 10GE1/1/0/4
     group-member 10GE1/2/0/1
     group-member 10GE1/2/0/2
     group-member 10GE1/2/0/3
     group-member 10GE1/2/0/4
    #
    return
    
  • Configuration file of iStack-1 at the access layer

    #
    sysname iStack-1
    #
    vlan batch 100
    #
    stack
     #
     stack member 1 domain 20
     stack member 1 priority 150
     #
     stack member 2 domain 20
    #
    interface Eth-Trunk2
     description To_CSS
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     dual-active detect mode relay
    #
     interface Stack-Port1/1
     #
     interface Stack-Port2/1
     #
    interface 10GE1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/5
     eth-trunk 2
    #
    interface 10GE1/0/6
     eth-trunk 2
    #
    interface 10GE2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/5
     eth-trunk 2
    #
    interface 10GE2/0/6
     eth-trunk 2
    #
    return
    
  • Configuration file of iStack-2 at the access layer

    #
    sysname iStack-2
    #
    vlan batch 100
    #
    stack
     #
     stack member 1 domain 30
     stack member 1 priority 150
     #
     stack member 2 domain 30
    #
    interface Eth-Trunk3
     description To_CSS
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
     dual-active detect mode relay
    #
     interface Stack-Port1/1
     #
     interface Stack-Port2/1
     #
    interface 10GE1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/5
     eth-trunk 3
    #
    interface 10GE1/0/6
     eth-trunk 3
    #
    interface 10GE2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/5
     eth-trunk 3
    #
    interface 10GE2/0/6
     eth-trunk 3
    #
    return
    
  • Configuration file of FW-1

    #
    sysname FW-1
    #
    firewall packet-filter default permit interzone local dmz direction inbound
    firewall packet-filter default permit interzone local dmz direction outbound
    #
    firewall defend port-scan enable
    firewall defend ip-sweep enable
    firewall defend ip-fragment enable
    firewall defend icmp-flood enable
    firewall defend udp-flood enable
    firewall defend syn-flood enable
    firewall defend ip-spoofing enable
    firewall defend action discard
    firewall defend icmp-flood zone untrust max-rate 20000
    firewall defend udp-flood zone untrust max-rate 1500
    firewall defend syn-flood zone untrust max-rate 20000
    #
    hrp enable
    hrp interface Eth-Trunk1 remote 10.1.1.2
    #
     ips enable
    #
    interface Eth-Trunk1
     ip address 10.1.1.1 255.255.255.0
    #
    interface Eth-Trunk4
     ip address 10.10.2.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 master
    #
    interface Eth-Trunk5
     ip address 10.10.3.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 master
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/1/0
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet1/1/1
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo shutdown
     eth-trunk 1
    #
    profile type ips name default
     signature-set name default
      os both
      target both
      severity low medium high
      protocol all
      category all
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk4
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk5
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
    firewall interzone trust untrust
     detect ftp
    #
    policy interzone trust untrust inbound
     policy 1
      action permit
      profile ips default
      policy service service-set ftp
      policy service service-set http
      policy destination 10.10.1.0 mask 24
    #
    policy interzone trust untrust outbound
     policy 1
      action permit
      profile ips default
      policy source 10.10.1.0 mask 24
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
    ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
    #
     return

   • Configuration file of FW-2

    #
    sysname FW-2
    #
    firewall packet-filter default permit interzone local dmz direction inbound
    firewall packet-filter default permit interzone local dmz direction outbound
    #
    firewall defend port-scan enable
    firewall defend ip-sweep enable
    firewall defend ip-fragment enable
    firewall defend icmp-flood enable
    firewall defend udp-flood enable
    firewall defend syn-flood enable
    firewall defend ip-spoofing enable
    firewall defend action discard
    firewall defend icmp-flood zone untrust max-rate 20000
    firewall defend udp-flood zone untrust max-rate 1500
    firewall defend syn-flood zone untrust max-rate 20000
    #
    hrp enable
    hrp interface Eth-Trunk1 remote 10.1.1.1
    #
    ips enable
    #
    interface Eth-Trunk1
     ip address 10.1.1.2 255.255.255.0
    #
    interface Eth-Trunk4
     ip address 10.10.2.3 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 slave
    #
    interface Eth-Trunk5
     ip address 10.10.3.3 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 slave
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/1/0
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet1/1/1
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo shutdown
     eth-trunk 1
    #
    profile type ips name default
     signature-set name default
      os both
      target both
      severity low medium high
      protocol all
      category all
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk4
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk5
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
    firewall interzone trust untrust
     detect ftp
    #
    policy interzone trust untrust inbound
     policy 1
      action permit
      profile ips default
      policy service service-set ftp
      policy service service-set http
      policy destination 10.10.1.0 mask 24
    #
    policy interzone trust untrust outbound
     policy 1
      action permit
      profile ips default
      policy source 10.10.1.0 mask 24
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
    ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
    #
    return
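FW-1 and FW-2 form an HRP hot-standby pair, so a mismatch between the two files (a wrong hrp remote address, a VRRP group present on only one peer, or two masters for one vrid) silently breaks failover. The following Python check is an added example, not part of the Huawei configuration guide; it parses only the HRP, interface-address and VRRP line forms that appear above, and the two config excerpts are constructed from the FW-1 and FW-2 files shown on this page.

```python
import re
# Constructed excerpts of the FW-1 and FW-2 files shown above, reduced to the
# HRP, interface-address and VRRP lines this check needs.
FW1 = """hrp interface Eth-Trunk1 remote 10.1.1.2
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
interface Eth-Trunk4
 vrrp vrid 1 virtual-ip 10.10.2.5 master
interface Eth-Trunk5
 vrrp vrid 2 virtual-ip 10.10.3.5 master"""
FW2 = """hrp interface Eth-Trunk1 remote 10.1.1.1
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0
interface Eth-Trunk4
 vrrp vrid 1 virtual-ip 10.10.2.5 slave
interface Eth-Trunk5
 vrrp vrid 2 virtual-ip 10.10.3.5 slave"""

def parse(cfg):
    # Returns ((hrp_if, hrp_remote), {interface: ip}, {vrid: (vip, role)}).
    hrp, ips, vrrp, cur = (None, None), {}, {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"hrp interface (\S+) remote (\S+)$", s):
            hrp = (m[1], m[2])
        elif m := re.match(r"interface (\S+)$", s):
            cur = m[1]
        elif m := re.match(r"ip address (\S+) \S+$", s):
            ips[cur] = m[1]
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (master|slave)$", s):
            vrrp[int(m[1])] = (m[2], m[3])
    return hrp, ips, vrrp

def check_ha_pair(cfg_a, cfg_b):
    """Return findings for an HRP pair; an empty list means it is consistent."""
    (if_a, rem_a), ips_a, vr_a = parse(cfg_a)
    (if_b, rem_b), ips_b, vr_b = parse(cfg_b)
    findings = []
    # Each peer's hrp remote must be the other peer's address on its HRP interface.
    if rem_a != ips_b.get(if_b):
        findings.append(f"A hrp remote {rem_a} != B address on {if_b}")
    if rem_b != ips_a.get(if_a):
        findings.append(f"B hrp remote {rem_b} != A address on {if_a}")
    # Every VRRP group must exist on both peers with the same VIP and one master, one slave.
    for vrid in sorted(set(vr_a) | set(vr_b)):
        if vrid not in vr_a or vrid not in vr_b:
            findings.append(f"vrid {vrid} configured on only one peer")
        elif vr_a[vrid][0] != vr_b[vrid][0]:
            findings.append(f"vrid {vrid} virtual-ip differs: {vr_a[vrid][0]} vs {vr_b[vrid][0]}")
        elif {vr_a[vrid][1], vr_b[vrid][1]} != {"master", "slave"}:
            findings.append(f"vrid {vrid} needs one master and one slave")
    return findings
```

Run against the two excerpts the check returns no findings; feeding it a peer file with a wrong hrp remote or two VRRP masters returns one finding per defect.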
Updated: 2019-10-14

Document ID: EDOC1000039339
