Deploying VRRP on a Data Center Network with 3-Layer Architecture

CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Typical Configuration Examples (V100 and V200)

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Applicable Products and Versions

CloudEngine series switches running V100R001C00 or later versions
USG5500 series products running V300R001
For details about the mapping between software versions and switch models, see the Hardware Query Tool.

Networking Requirements

The data center uses the access, aggregation, and core layers. The requirements are as follows:

To ensure service reliability, deploy link redundancy between access and aggregation layers. When one uplink is disconnected, traffic can be switched to another uplink.
Loops caused by link redundancy between access and aggregation layers are eliminated.
Connect the core device to the firewall to filter service traffic.
Deploy OSPF at aggregation and core layers to implement Layer 3 connectivity.

Figure 1-1 Networking for deploying VRRP on a data center network with 3-layer architecture

Table 1-1 Data preparation (SwitchA, SwitchB, SwitchC, and SwitchD are used as examples)

Device	VLAN and IP Address	Interface Number	Description
SwitchA	VLAN: 2 IP Address: 10.1.2.102/24 Virtual IP Address: 10.1.2.100	10GE1/0/1	TO-CE6800-SWITCHC
		10GE1/0/3	TO-CE12800-SWITCHB
	VLAN: 3 IP Address: 10.1.3.102/24 Virtual IP Address: 10.1.3.100	10GE1/0/2	TO-CE6800-SWITCHD
		10GE1/0/3	TO-CE12800-SWITCHB
	VLAN: 6 IP Address: 10.1.6.102/24	10GE1/0/4	TO-CE12800-SWITCHI
	VLAN: 7 IP Address: 10.1.7.102/24	10GE1/0/5	TO-CE12800-SWITCHJ
SwitchB	VLAN: 2 IP Address: 10.1.2.103/24 Virtual IP Address: 10.1.2.100	10GE1/0/2	TO-CE6800-SWITCHC
		10GE1/0/3	TO-CE12800-SWITCHA
	VLAN: 3 IP Address: 10.1.3.103/24 Virtual IP Address: 10.1.3.100	10GE1/0/1	TO-CE6800-SWITCHD
		10GE1/0/3	TO-CE12800-SWITCHA
	VLAN: 6 IP Address: 10.1.6.103/24	10GE1/0/4	TO-CE12800-SWITCHI
	VLAN: 7 IP Address: 10.1.7.103/24	10GE1/0/5	TO-CE12800-SWITCHJ
SwitchC	VLAN: 2	10GE1/0/1	TO-CE12800-SWITCHA
		10GE1/0/2	TO-CE12800-SWITCHB
		10GE1/0/3	TO-HOSTA
SwitchD	VLAN: 3	10GE1/0/1	TO-CE12800-SWITCHB
		10GE1/0/2	TO-CE12800-SWITCHA
		10GE1/0/3	TO-HOSTB
SwitchI	VLAN: 6 IP Address: 10.1.6.104/24	10GE1/0/1	TO-CE12800-SWITCHA
		10GE1/0/2	TO-CE12800-SWITCHB
		10GE1/0/3	TO-CE12800-SWITCHE
		10GE1/0/4	TO-CE12800-SWITCHF
	VLAN: 8 IP Address: 10.1.8.104/24	10GE1/0/5	TO-ROUTERA
	VLAN: 9 IP Address: 172.16.1.2/24	10GE1/0/6	TO-FW-1
	VLAN: 10 IP Address: 172.16.2.2/24	10GE1/0/7	TO-FW-1
	VLAN: 11 IP Address: 172.16.3.2/24	10GE1/0/8	TO-FW-2
	VLAN: 12 IP Address: 172.16.4.2/24	10GE1/0/9	TO-FW-2
	VLAN: 13 IP Address: 10.1.13.102/24	10GE1/0/14	TO-CE12800-SWITCHJ
SwitchJ	VLAN: 7 IP Address: 10.1.7.104/24	10GE1/0/1	TO-CE12800-SWITCHA
		10GE1/0/2	TO-CE12800-SWITCHB
		10GE1/0/3	TO-CE12800-SWITCHE
		10GE1/0/4	TO-CE12800-SWITCHF
	VLAN: 8 IP Address: 10.1.8.105/24	10GE1/0/5	TO-ROUTERB
	VLAN: 9 IP Address: 172.16.6.2/24	10GE1/0/6	TO-FW-1
	VLAN: 10 IP Address: 172.16.7.2/24	10GE1/0/7	TO-FW-1
	VLAN: 11 IP Address: 172.16.8.2/24	10GE1/0/8	TO-FW-2
	VLAN: 12 IP Address: 172.16.9.2/24	10GE1/0/9	TO-FW-2
	VLAN: 13 IP Address: 10.1.13.103/24	10GE1/0/14	TO-CE12800-SWITCHI
FW-1	172.16.1.1/24	GE1/0/1	TO-SWITCHI-Upstream
	172.16.2.1/24	GE1/0/2	TO-SWITCHI-Downstream
	172.16.3.1/24	GE1/0/3	TO-SWITCHJ-Upstream
	172.16.4.1/24	GE1/0/4	TO-SWITCHJ-Downstream
	172.16.5.1/24	Eth-Trunk1: GE2/0/0	TO-FW-2-HRP
		Eth-Trunk1: GE2/0/1
		Eth-Trunk1: GE2/0/2
		Eth-Trunk1: GE2/0/3
	172.16.100.1/24	Loopback1	NA
	172.16.100.2/24	Loopback2	NA
	172.16.100.3/24	Loopback3	NA
	172.16.100.4/24	Loopback4	NA
FW-2	172.16.6.1/24	GE1/0/1	TO-SWITCHJ-Upstream
	172.16.7.1/24	GE1/0/2	TO-SWITCHJ-Downstream
	172.16.8.1/24	GE1/0/3	TO-SWITCHI-Upstream
	172.16.9.1/24	GE1/0/4	TO-SWITCHI-Downstream
	172.16.10.1/24	Eth-Trunk1: GE2/0/0	TO-FW-1-HRP
		Eth-Trunk1: GE2/0/1
		Eth-Trunk1: GE2/0/2
		Eth-Trunk1: GE2/0/3
	172.16.100.1/24	Loopback1	NA
	172.16.100.2/24	Loopback2	NA
	172.16.100.3/24	Loopback3	NA
	172.16.100.4/24	Loopback4	NA

Requirement Analysis

Deploy VRRP between SwitchA and SwitchB to implement link redundancy at the aggregation layer.
Deploy MSTP between SwitchA, SwitchB, and SwitchC to eliminate loops at the access and aggregation layers.
Configure HSB for FW-1 and FW-2 so that traffic forwarded by SwitchI or SwitchJ is filtered by the firewall and then reaches the data center or Internet.
Deploy OSPF between SwitchA, SwitchB, SwitchI, and SwitchJ to implement Layer 3 connectivity. SwitchA and SwitchB are aggregation devices. SwitchI and SwitchJ are core devices.

Procedure

Configure basic MSTP functions.

Two devices belong to the same MST region when the following parameters on the two devices are the same:

Name of the MST region
Mapping between VLANs and MSTIs
Revision level of the MST region

Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create MSTI 1 and MSTI 2.

# Configure an MST region on SwitchA.

<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] stp region-configuration
[~SwitchA-mst-region] region-name RG1
[*SwitchA-mst-region] instance 1 vlan 2
[*SwitchA-mst-region] instance 2 vlan 3
[*SwitchA-mst-region] commit
[~SwitchA-mst-region] quit

# Configure an MST region on SwitchB.

<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] stp region-configuration
[~SwitchB-mst-region] region-name RG1
[*SwitchB-mst-region] instance 1 vlan 2
[*SwitchB-mst-region] instance 2 vlan 3
[*SwitchB-mst-region] commit
[~SwitchB-mst-region] quit

# Configure an MST region on SwitchC.

<HUAWEI> system-view
[~HUAWEI] sysname SwitchC
[*HUAWEI] commit
[~SwitchC] stp region-configuration
[~SwitchC-mst-region] region-name RG1
[*SwitchC-mst-region] instance 1 vlan 2
[*SwitchC-mst-region] instance 2 vlan 3
[*SwitchC-mst-region] commit
[~SwitchC-mst-region] quit

# Configure an MST region on SwitchD.

<HUAWEI> system-view
[~HUAWEI] sysname SwitchD
[*HUAWEI] commit
[~SwitchD] stp region-configuration
[~SwitchD-mst-region] region-name RG1
[*SwitchD-mst-region] instance 1 vlan 2
[*SwitchD-mst-region] instance 2 vlan 3
[*SwitchD-mst-region] commit
[~SwitchD-mst-region] quit

Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in the MST region RG1.
- Configure the root bridge and secondary root bridge of MSTI 1.
  
  # Configure SwitchA as the root bridge in MSTI 1.
```
[~SwitchA] stp instance 1 root primary
[*SwitchA] commit
```
  # Configure SwitchB as the secondary root bridge in MSTI 1.
```
[~SwitchB] stp instance 1 root secondary
[*SwitchB] commit
```
- Configure the root bridge and secondary root bridge of MSTI 2.
  
  # Configure SwitchB as the root bridge in MSTI 2.
```
[~SwitchB] stp instance 2 root primary
[*SwitchB] commit
```
  # Configure SwitchA as the secondary root bridge in MSTI 2.
```
[~SwitchA] stp instance 2 root secondary
[*SwitchA] commit
```
Set the path costs of the interfaces to be blocked in MSTI 1 and MSTI 2 to be greater than the default value.
- The path cost range depends on the algorithm. Huawei proprietary algorithm is used as an example. Set the path costs of the interfaces to be blocked in MSTI 1 and MSTI 2 to 20000.
- Switching devices on the same network must use the same algorithm to calculate the path cost of interfaces.
# Configure SwitchA to use Huawei proprietary algorithm to calculate the path cost.
```
[~SwitchA] stp pathcost-standard legacy
[*SwitchA] commit
```
# Configure SwitchB to use Huawei proprietary algorithm to calculate the path cost.
```
[~SwitchB] stp pathcost-standard legacy
[*SwitchB] commit
```
# Configure SwitchC to use Huawei proprietary algorithm to calculate the path cost and set the path cost of 10GE1/0/2 to 20000 in MSTI 1.
```
[~SwitchC] stp pathcost-standard legacy
[*SwitchC] interface 10ge 1/0/2
[*SwitchC-10GE1/0/2] description TO-CE12800-SWITCHB
[*SwitchC-10GE1/0/2] stp instance 1 cost 20000
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit
```
# Configure SwitchD to use Huawei proprietary algorithm to calculate the path cost and set the path cost of 10GE1/0/2 to 20000 in MSTI 2.
```
[~SwitchD] stp pathcost-standard legacy
[*SwitchD] interface 10ge 1/0/2
[*SwitchD-10GE1/0/2] description TO-CE12800-SWITCHA
[*SwitchD-10GE1/0/2] stp instance 2 cost 20000
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit
```

Enable MSTP to eliminate loops.

MSTP is enabled by default.

Enable MSTP globally.

# Enable MSTP on SwitchA.

[~SwitchA] stp enable
[*SwitchA] commit

# Enable MSTP on SwitchB.

[~SwitchB] stp enable
[*SwitchB] commit

# Enable MSTP on SwitchC.

[~SwitchC] stp enable
[*SwitchC] commit

# Enable MSTP on SwitchD.

[~SwitchD] stp enable
[*SwitchD] commit

Configure ports connected to hosts as edge ports.

# Configure 10GE1/0/3 of SwitchC as an edge port.

[~SwitchC] interface 10ge 1/0/3
[*SwitchC-10GE1/0/3] description TO-HOSTA
[*SwitchC-10GE1/0/3] stp edged-port enable
[*SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit

# Configure 10GE1/0/3 of SwitchD as an edge port.

[~SwitchD] interface 10ge 1/0/3
[*SwitchD-10GE1/0/3] description TO-HOSTB
[*SwitchD-10GE1/0/3] stp edged-port enable
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Enable protection functions on the designated port of each root bridge in each MSTI. Here, root protection is used.

# Enable root protection on 10GE1/0/1 of SwitchA.

[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] description TO-CE6800-SWITCHC
[*SwitchA-10GE1/0/1] stp root-protection
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit

# Enable root protection on 10GE1/0/1 of SwitchB.

[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] description TO-CE6800-SWITCHD
[*SwitchB-10GE1/0/1] stp root-protection
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit

Configure Layer 2 forwarding on switches on the ring network.

Create VLAN 2 and VLAN 3 on SwitchA, SwitchB, and SwitchC.

# Create VLAN 2 and VLAN 3 on SwitchA.
```
[~SwitchA] vlan batch 2 to 3
```
# Create VLAN 2 and VLAN 3 on SwitchB.
```
[~SwitchB] vlan batch 2 to 3
```
# Create VLAN 2 on SwitchC.
```
[~SwitchC] vlan batch 2
```
# Create VLAN 3 on SwitchC.
```
[~SwitchD] vlan batch 3
```

Add interfaces connecting to the ring to VLANs.

# Add 10GE1/0/1 on SwitchA to VLAN 2.

[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 2
[*SwitchA-10GE1/0/1] commit
[~SwitchA-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchA to VLAN 3.

[~SwitchA] interface 10ge 1/0/2
[~SwitchA-10GE1/0/2] description TO-CE6800-SWITCHD
[*SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 3
[*SwitchA-10GE1/0/2] commit
[~SwitchA-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchA to VLAN 2 and VLAN 3.

[~SwitchA] interface 10ge 1/0/3
[~SwitchA-10GE1/0/3] description TO-CE12800-SWITCHB
[*SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 2 to 3
[*SwitchA-10GE1/0/3] commit
[~SwitchA-10GE1/0/3] quit

# Add 10GE1/0/1 on SwitchB to VLAN 3.

[~SwitchB] interface 10ge 1/0/1
[~SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 3
[*SwitchB-10GE1/0/1] commit
[~SwitchB-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchB to VLAN 2.

[~SwitchB] interface 10ge 1/0/2
[~SwitchB-10GE1/0/2] description TO-CE6800-SWITCHC
[*SwitchB-10GE1/0/2] port link-type trunk
[*SwitchB-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchB-10GE1/0/2] commit
[~SwitchB-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchB to VLAN 2 and VLAN 3.

[~SwitchB] interface 10ge 1/0/3
[~SwitchB-10GE1/0/3] description TO-CE12800-SWITCHA
[*SwitchB-10GE1/0/3] port link-type trunk
[*SwitchB-10GE1/0/3] undo port trunk allow-pass vlan 1
[*SwitchB-10GE1/0/3] port trunk allow-pass vlan 2 to 3
[*SwitchB-10GE1/0/3] commit
[~SwitchB-10GE1/0/3] quit

# Add 10GE1/0/1 on SwitchC to VLAN 2.

[~SwitchC] interface 10ge 1/0/1
[~SwitchC-10GE1/0/1] description TO-CE12800-SWITCHA
[*SwitchC-10GE1/0/1] port link-type trunk
[*SwitchC-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/1] port trunk allow-pass vlan 2
[*SwitchC-10GE1/0/1] commit
[~SwitchC-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchC to VLAN 2.

[~SwitchC] interface 10ge 1/0/2
[~SwitchC-10GE1/0/2] port link-type trunk
[*SwitchC-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchC-10GE1/0/2] port trunk allow-pass vlan 2
[*SwitchC-10GE1/0/2] commit
[~SwitchC-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchC to VLAN 2.

[~SwitchC] interface 10ge 1/0/3
[~SwitchC-10GE1/0/3] port link-type access
[*SwitchC-10GE1/0/3] port default vlan 2
[*SwitchC-10GE1/0/3] commit
[~SwitchC-10GE1/0/3] quit

# Add 10GE1/0/1 on SwitchD to VLAN 3.

[~SwitchD] interface 10ge 1/0/1
[~SwitchD-10GE1/0/1] description TO-CE12800-SWITCHB
[*SwitchD-10GE1/0/1] port link-type trunk
[*SwitchD-10GE1/0/1] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/1] port trunk allow-pass vlan 3
[*SwitchD-10GE1/0/1] commit
[~SwitchD-10GE1/0/1] quit

# Add 10GE1/0/2 on SwitchD to VLAN 3.

[~SwitchD] interface 10ge 1/0/2
[~SwitchD-10GE1/0/2] port link-type trunk
[*SwitchD-10GE1/0/2] undo port trunk allow-pass vlan 1
[*SwitchD-10GE1/0/2] port trunk allow-pass vlan 3
[*SwitchD-10GE1/0/2] commit
[~SwitchD-10GE1/0/2] quit

# Add 10GE1/0/3 on SwitchD to VLAN 3.

[~SwitchD] interface 10ge 1/0/3
[~SwitchD-10GE1/0/3] port link-type access
[*SwitchD-10GE1/0/3] port default vlan 3
[*SwitchD-10GE1/0/3] commit
[~SwitchD-10GE1/0/3] quit

Configure VRRP groups.

# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and the preemption delay to 20s, and set the default priority for SwitchB.

[~SwitchA] interface vlanif 2
[*SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*SwitchA-Vlanif2] vrrp vrid 1 priority 120
[*SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20
[*SwitchA-Vlanif2] commit
[~SwitchA-Vlanif2] quit
[~SwitchB] interface vlanif 2
[*SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[*SwitchB-Vlanif2] commit
[~SwitchB-Vlanif2] quit

# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and the preemption delay to 20s, and set the default priority for SwitchA.

[~SwitchB] interface vlanif 3
[*SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*SwitchB-Vlanif3] vrrp vrid 2 priority 120
[*SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[*SwitchB-Vlanif3] commit
[~SwitchB-Vlanif3] quit
[~SwitchA] interface vlanif 3
[*SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[*SwitchA-Vlanif3] commit
[~SwitchA-Vlanif3] quit

# Set virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of HostA, and virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of HostB.

Configure devices to ensure network connectivity.

# Assign an IP address to each interface. SwitchA is used as an example. The configurations of SwitchB, SwitchI, and SwitchJ are similar to the configuration of SwitchA.

[~SwitchA] vlan batch 6 7
[*SwitchA] interface 10ge 1/0/4
[*SwitchA-10GE1/0/4] description TO-CE12800-SWITCHI
[*SwitchA-10GE1/0/4] port link-type trunk
[*SwitchA-10GE1/0/4] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/4] port trunk allow-pass vlan 6
[*SwitchA-10GE1/0/4] quit
[*SwitchA] interface 10ge 1/0/5
[*SwitchA-10GE1/0/5] description TO-CE12800-SWITCHJ
[*SwitchA-10GE1/0/5] port link-type trunk
[*SwitchA-10GE1/0/5] undo port trunk allow-pass vlan 1
[*SwitchA-10GE1/0/5] port trunk allow-pass vlan 7
[*SwitchA-10GE1/0/5] quit
[*SwitchA] interface vlanif 2
[*SwitchA-Vlanif2] ip address 10.1.2.102 24
[*SwitchA-Vlanif2] quit
[*SwitchA] interface vlanif 3
[*SwitchA-Vlanif3] ip address 10.1.3.102 24
[*SwitchA-Vlanif3] quit
[*SwitchA] interface vlanif 6
[*SwitchA-Vlanif6] ip address 10.1.6.102 24
[*SwitchA-Vlanif6] quit
[*SwitchA] interface vlanif 7
[*SwitchA-Vlanif7] ip address 10.1.7.102 24
[*SwitchA-Vlanif7] quit
[*SwitchA] commit

# Configure OSPF between SwitchA, SwitchB, SwitchI, SwitchJ, and router.

[~SwitchA] ospf 1
[*SwitchA-ospf-1] area 0
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.6.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 10.1.7.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] quit
[*SwitchA-ospf-1] quit
[*SwitchA] commit

Configure firewalls.

Configure hot standby on FW-1 and FW-2. Packets from SwitchI and SwitchJ are processed by FW-1 and FW-2, and then are forwarded to the data center or Internet.

FW-1 and FW-2 work in load balancing mode. If a firewall fails, service packets are switched to another firewall.

In this example, FW-1 and FW-2 are Huawei USG security gateways.

Perform basic configurations including the device name, interface, and security zone on FW-1.

<USG> system-view
[USG] sysname FW-1
[FW-1] interface GigabitEthernet 1/0/1
[FW-1-GigabitEthernet1/0/1] ip address 172.16.1.1 24
[FW-1-GigabitEthernet1/0/1] quit
[FW-1] interface GigabitEthernet 1/0/2
[FW-1-GigabitEthernet1/0/2] ip address 172.16.2.1 24
[FW-1-GigabitEthernet1/0/2] quit
[FW-1] interface GigabitEthernet 1/0/3
[FW-1-GigabitEthernet1/0/3] ip address 172.16.3.1 24
[FW-1-GigabitEthernet1/0/3] quit
[FW-1] interface GigabitEthernet 1/0/4
[FW-1-GigabitEthernet1/0/4] ip address 172.16.4.1 24
[FW-1-GigabitEthernet1/0/4] quit

[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-1-Eth-Trunk1] ip address 172.16.5.1 24
[FW-1-Eth-Trunk1] quit

[FW-1] firewall zone trust
[FW-1-zone-trust] add interface GigabitEthernet 1/0/1
[FW-1-zone-trust] add interface GigabitEthernet 1/0/3
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-1-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 1
[FW-1-zone-dmz] quit

[FW-1] interface LoopBack 1
[FW-1-LoopBack1] ip address 172.16.100.1 32
[FW-1-LoopBack1] quit
[FW-1] interface LoopBack 2
[FW-1-LoopBack2] ip address 172.16.100.2 32
[FW-1-LoopBack2] quit
[FW-1] interface LoopBack 3
[FW-1-LoopBack3] ip address 172.16.100.3 32
[FW-1-LoopBack3] quit
[FW-1] interface LoopBack 4
[FW-1-LoopBack4] ip address 172.16.100.4 32
[FW-1-LoopBack4] quit

Perform basic configurations including the device name, interface, and security zone on FW-2.

<USG> system-view
[USG] sysname FW-2
[FW-2] interface GigabitEthernet 1/0/1
[FW-2-GigabitEthernet1/0/1] ip address 172.16.6.1 24
[FW-2-GigabitEthernet1/0/1] quit
[FW-2] interface GigabitEthernet 1/0/2
[FW-2-GigabitEthernet1/0/2] ip address 172.16.7.1 24
[FW-2-GigabitEthernet1/0/2] quit
[FW-2] interface GigabitEthernet 1/0/3
[FW-2-GigabitEthernet1/0/3] ip address 172.16.8.1 24
[FW-2-GigabitEthernet1/0/3] quit
[FW-2] interface GigabitEthernet 1/0/4
[FW-2-GigabitEthernet1/0/4] ip address 172.16.9.1 24
[FW-2-GigabitEthernet1/0/4] quit

[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 2/0/2 2/0/3
[FW-2-Eth-Trunk1] ip address 172.16.10.1 24
[FW-2-Eth-Trunk1] quit

[FW-2] firewall zone trust
[FW-2-zone-trust] add interface GigabitEthernet 1/0/1
[FW-2-zone-trust] add interface GigabitEthernet 1/0/3
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/2
[FW-2-zone-untrust] add interface GigabitEthernet 1/0/4
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 1
[FW-2-zone-dmz] quit

[FW-2] interface LoopBack 1
[FW-2-LoopBack1] ip address 172.16.100.1 32
[FW-2-LoopBack1] quit
[FW-2] interface LoopBack 2
[FW-2-LoopBack2] ip address 172.16.100.2 32
[FW-2-LoopBack2] quit
[FW-2] interface LoopBack 3
[FW-2-LoopBack3] ip address 172.16.100.3 32
[FW-2-LoopBack3] quit
[FW-2] interface LoopBack 4
[FW-2-LoopBack4] ip address 172.16.100.4 32
[FW-2-LoopBack4] quit

Configure OSPF on FW-1 and FW-2. Specify a unique router ID for each process. In addition, the router IDs of OSPF processes on active and standby firewalls must be different to prevent OSPF flapping.

[FW-1] ospf 1 router-id 172.16.100.1
[FW-1-ospf-1] area 0
[FW-1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[FW-1-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-1-ospf-1-area-0.0.0.0] quit
[FW-1-ospf-1] quit
[FW-1] ospf 2 router-id 172.16.100.2
[FW-1-ospf-2] area 0
[FW-1-ospf-2-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[FW-1-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-1-ospf-2-area-0.0.0.0] quit
[FW-1-ospf-2] quit
[FW-1] ospf 3 router-id 172.16.100.3
[FW-1-ospf-3] area 0
[FW-1-ospf-3-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[FW-1-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-1-ospf-3-area-0.0.0.0] quit
[FW-1-ospf-3] quit
[FW-1] ospf 4 router-id 172.16.100.4
[FW-1-ospf-4] area 0
[FW-1-ospf-4-area-0.0.0.0] network 172.16.4.0 0.0.0.255
[FW-1-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-1-ospf-4-area-0.0.0.0] quit
[FW-1-ospf-4] quit

[FW-2] ospf 1 router-id 172.16.100.6
[FW-2-ospf-1] area 0
[FW-2-ospf-1-area-0.0.0.0] network 172.16.6.0 0.0.0.255
[FW-2-ospf-1-area-0.0.0.0] network 172.16.100.1 0.0.0.0
[FW-2-ospf-1-area-0.0.0.0] quit
[FW-2-ospf-1] quit
[FW-2] ospf 2 router-id 172.16.100.7
[FW-2-ospf-2] area 0
[FW-2-ospf-2-area-0.0.0.0] network 172.16.7.0 0.0.0.255
[FW-2-ospf-2-area-0.0.0.0] network 172.16.100.2 0.0.0.0
[FW-2-ospf-2-area-0.0.0.0] quit
[FW-2-ospf-2] quit
[FW-2] ospf 3 router-id 172.16.100.8
[FW-2-ospf-3] area 0
[FW-2-ospf-3-area-0.0.0.0] network 172.16.8.0 0.0.0.255
[FW-2-ospf-3-area-0.0.0.0] network 172.16.100.3 0.0.0.0
[FW-2-ospf-3-area-0.0.0.0] quit
[FW-2-ospf-3] quit
[FW-2] ospf 4 router-id 172.16.100.9
[FW-2-ospf-4] area 0
[FW-2-ospf-4-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW-2-ospf-4-area-0.0.0.0] network 172.16.100.4 0.0.0.0
[FW-2-ospf-4-area-0.0.0.0] quit
[FW-2-ospf-4] quit

Configure HSB on FW-1 and FW-2.

Configure HSB on FW-1.

[FW-1] hrp track interface GigabitEthernet 1/0/1
[FW-1] hrp track interface GigabitEthernet 1/0/2
[FW-1] hrp track interface GigabitEthernet 1/0/3
[FW-1] hrp track interface GigabitEthernet 1/0/4
[FW-1] hrp adjust ospf-cost enable
[FW-1] hrp interface Eth-Trunk 1 remote 172.16.10.1
[FW-1] hrp enable
[FW-1] hrp mirror session enable

Configure HSB on FW-2.

[FW-2] hrp track interface GigabitEthernet 1/0/1
[FW-2] hrp track interface GigabitEthernet 1/0/2
[FW-2] hrp track interface GigabitEthernet 1/0/3
[FW-2] hrp track interface GigabitEthernet 1/0/4
[FW-2] hrp adjust ospf-cost enable
[FW-2] hrp interface Eth-Trunk 1 remote 172.16.5.1
[FW-2] hrp enable
[FW-2] hrp mirror session enable

Configure security policies and intrusion prevention.

HRP_M[FW-1] policy interzone trust untrust outbound
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW-1] policy interzone trust untrust inbound
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.2.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.3.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.4.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.1.5.0 mask 24
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW-1] ips enable

Configure attack defense.

The attack defense threshold is used for reference. Set this value according to actual network traffic.

HRP_M[FW-1] firewall defend syn-flood enable
HRP_M[FW-1] firewall defend syn-flood enable
HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall defend udp-flood enable
HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW-1] firewall defend icmp-flood enable
HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall blacklist enable
HRP_M[FW-1] firewall defend ip-sweep enable
HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
HRP_M[FW-1] firewall defend port-scan enable
HRP_M[FW-1] firewall defend port-scan max-rate 4000
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend ip-spoofing enable

Configure Policy-Based Routing (PBR) so that traffic passing through SwitchI and SwitchJ are redirected to the firewall for filtering.

# SwitchI is used as an example. The configuration of SwitchJ is similar to the configuration of SwitchI.

[~SwitchI] acl 3001
[*SwitchI-acl4-advance-3001] rule 5 permit ip source 10.1.2.0 24
[*SwitchI-acl4-advance-3001] rule 10 permit ip source 10.1.3.0 24
[*SwitchI-acl4-advance-3001] rule 15 permit ip source 10.1.4.0 24
[*SwitchI-acl4-advance-3001] rule 20 permit ip source 10.1.5.0 24
[*SwitchI-acl4-advance-3001] commit 
[~SwitchI-acl4-advance-3001] quit
[~SwitchI] traffic classifier c1
[*SwitchI-classifier-c1] if-match acl 3001
[*SwitchI-classifier-c1] quit
[*SwitchI] commit 
[~SwitchI] traffic behavior b1
[*SwitchI-behavior-b1] redirect load-balance nexthop 172.16.100.1 172.16.100.3 
[*SwitchI-behavior-b1] quit
[*SwitchI] commit 
[~SwitchI] traffic policy p1
[*SwitchI-trafficpolicy-p1] classifier c1 behavior b1
[*SwitchI-trafficpolicy-p1] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/1
[~SwitchI-10GE1/0/1] traffic-policy p1 inbound 
[*SwitchI-10GE1/0/1] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/2
[~SwitchI-10GE1/0/2] traffic-policy p1 inbound 
[*SwitchI-10GE1/0/2] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/3
[~SwitchI-10GE1/0/3] traffic-policy p1 inbound 
[*SwitchI-10GE1/0/3] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/4
[~SwitchI-10GE1/0/4] traffic-policy p1 inbound 
[*SwitchI-10GE1/0/4] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/14
[~SwitchI-10GE1/0/14] traffic-policy p1 inbound 
[*SwitchI-10GE1/0/14] quit
[*SwitchI] commit 
[~SwitchI] acl 3003
[*SwitchI-acl4-advance-3003] rule 5 permit ip destination 10.1.2.0 24
[*SwitchI-acl4-advance-3003] rule 10 permit ip destination 10.1.3.0 24
[*SwitchI-acl4-advance-3003] rule 15 permit ip destination 10.1.4.0 24
[*SwitchI-acl4-advance-3003] rule 10 permit ip destination 10.1.5.0 24
[*SwitchI-acl4-advance-3003] commit 
[~SwitchI-acl4-advance-3003] quit
[~SwitchI] traffic classifier c3
[*SwitchI-classifier-c3] if-match acl 3003
[*SwitchI-classifier-c3] quit
[*SwitchI] commit 
[~SwitchI] traffic behavior b3
[*SwitchI-behavior-b3] redirect load-balance nexthop 172.16.100.2 172.16.100.4
[*SwitchI-behavior-b3] quit
[*SwitchI] commit 
[~SwitchI] traffic policy p2
[*SwitchI-trafficpolicy-p2] classifier c3 behavior b3
[*SwitchI-trafficpolicy-p2] quit
[*SwitchI] commit 
[~SwitchI] interface 10ge 1/0/5
[~SwitchI-10GE1/0/5] traffic-policy p2 inbound
[*SwitchI-10GE1/0/5] quit
[*SwitchI] commit

Verifying the Configuration

# After the configuration is complete, run the display vrrp command on SwitchA. You can see that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.

<SwitchA> display vrrp verbose
  Vlanif2 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 120
    PriorityConfig : 120                                                        
    MasterPriority : 120                                                        
    Preempt : YES   Delay Time : 20 s   Remain : --
    TimerRun : 1 s                                                              
    TimerConfig : 1 s                                                           
    Auth Type : NONE                                                            
    Virtual MAC : 0000-5e00-0101                                                
    Check TTL : YES                                                             
    Config Type : normal-vrrp                                                   
    Create Time : 2013-05-11 11:39:18                                          
    Last Change Time : 2013-05-26 11:38:58

  Vlanif3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 100
    PriorityConfig : 100                                                        
    MasterPriority : 120                                                        
    Preempt : YES   Delay Time : 0 s   Remain : --
    TimerRun : 1 s                                                              
    TimerConfig : 1 s                                                           
    Auth type : NONE                                                            
    Virtual MAC : 0000-5e00-0102                                                
    Check TTL : YES                                                             
    Config Type : normal-vrrp                                                   
    Create Time : 2013-05-11 11:40:18                                           
    Last Change Time : 2013-05-26 11:48:58

Run the display vrrp command on SwitchB. You can see that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.

<SwitchB> display vrrp verbose
  Vlanif2 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 100
    PriorityConfig : 100                                                        
    MasterPriority : 120                                                        
    Preempt : YES   Delay Time : 0 s   Remain : --
    TimerRun : 1 s                                                              
    TimerConfig : 1 s                                                           
    Auth Type : NONE                                                            
    Virtual MAC : 0000-5e00-0101                                                
    Check TTL : YES                                                             
    Config Type : normal-vrrp                                                   
    Create Time : 2012-05-11 11:39:18                                           
    Last Change Time : 2012-05-26 11:38:58

  Vlanif3 | Virtual Router 2
    State : Master
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 120
    PriorityConfig : 120                                                        
    MasterPriority : 120                                                        
    Preempt : YES   Delay Time : 20 s   Remain : --
    TimerRun : 1 s                                                              
    TimerConfig : 1 s                                                           
    Auth type : NONE                                                            
    Virtual MAC : 0000-5e00-0102                                                
    Check TTL : YES                                                             
    Config Type : normal-vrrp                                                   
    Create Time : 2012-05-11 11:40:18                                           
    Last Change Time : 2012-05-26 11:48:58

Configuration Files

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 2 to 3 6 to 7
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
#
interface Vlanif2
 ip address 10.1.2.102 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.2.100
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt timer delay 20
#
interface Vlanif3
 ip address 10.1.3.102 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif6
 ip address 10.1.6.102 255.255.255.0
#
interface Vlanif7
 ip address 10.1.7.102 255.255.255.0
#
interface 10GE1/0/1
 description TO-CE6800-SWITCHC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2
 stp root-protection
#
interface 10GE1/0/2
 description TO-CE6800-SWITCHD
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3
#
interface 10GE1/0/3
 description TO-CE12800-SWITCHB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/4
 description TO-CE12800-SWITCHI
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
#
interface 10GE1/0/5
 description TO-CE12800-SWITCHJ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
  network 10.1.3.0 0.0.0.255
  network 10.1.6.0 0.0.0.255
  network 10.1.7.0 0.0.0.255
#
return

Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 2 to 3 6 to 7
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
#
interface Vlanif2
 ip address 10.1.2.103 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
 ip address 10.1.3.103 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.3.100
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt timer delay 20
#
interface Vlanif6
 ip address 10.1.6.103 255.255.255.0
#
interface Vlanif7
 ip address 10.1.7.103 255.255.255.0
#
interface 10GE1/0/1
 description TO-CE6800-SWITCHD
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3
 stp root-protection
#
interface 10GE1/0/2
 description TO-CE6800-SWITCHC
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2
#
interface 10GE1/0/3
 description TO-CE12800-SWITCHA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 3
#
interface 10GE1/0/4
 description TO-CE12800-SWITCHI
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
#
interface 10GE1/0/5
 description TO-CE12800-SWITCHJ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
  network 10.1.3.0 0.0.0.255
  network 10.1.6.0 0.0.0.255
  network 10.1.7.0 0.0.0.255
#
return

Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 2
#
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
#
interface 10GE1/0/1
 description TO-CE12800-SWITCHA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2
#
interface 10GE1/0/2
 description TO-CE12800-SWITCHB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2
 stp instance 1 cost 20000
#
interface 10GE1/0/3
 description TO-HOSTA
 port default vlan 2
 stp disable
#
return

Configuration file of SwitchD

#
sysname SwitchD
#
vlan batch 3
#
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
#
interface 10GE1/0/1
 description TO-CE12800-SWITCHB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3
#
interface 10GE1/0/2
 description TO-CE12800-SWITCHA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 3
 stp instance 2 cost 20000
#
interface 10GE1/0/3
 description TO-HOSTB
 port default vlan 3
 stp disable
#
return

Configuration file of SwitchI

#
sysname SwitchI
#
vlan batch 6 8 to 13
#
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255
 rule 15 permit ip source 10.1.4.0 0.0.0.255
 rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
 rule 15 permit ip destination 10.1.4.0 0.0.0.255
 rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
 if-match acl 3001
#
traffic classifier c3 type or
 if-match acl 3003
#
traffic behavior b1
 redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
 redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
traffic policy p2
 classifier c3 behavior b3 precedence 5
#
interface Vlanif6
 ip address 10.1.6.104 255.255.255.0
#
interface Vlanif8
 ip address 10.1.8.104 255.255.255.0
#
interface Vlanif9
 ip address 172.16.1.2 255.255.255.0
#
interface Vlanif10
 ip address 172.16.2.2 255.255.255.0
#
interface Vlanif11
 ip address 172.16.3.2 255.255.255.0
#
interface Vlanif12
 ip address 172.16.4.2 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.102 255.255.255.0
#
interface 10GE1/0/1
 description TO-CE12800-SWITCHA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound 
#
interface 10GE1/0/2
 description TO-CE12800-SWITCHB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound 
#
interface 10GE1/0/3
 description TO-CE12800-SWITCHE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound 
#
interface 10GE1/0/4
 description TO-CE12800-SWITCHF
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 6
 traffic-policy p1 inbound 
#
interface 10GE1/0/5
 description TO-ROUTERA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 8
 traffic-policy p2 inbound 
#
interface 10GE1/0/6
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 9
#
interface 10GE1/0/7
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface 10GE1/0/8
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
#
interface 10GE1/0/9
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 12
#
interface 10GE1/0/14
 description TO-CE12800-SWITCHJ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 13
 traffic-policy p1 inbound 
#
ospf 1
 area 0.0.0.0
  network 10.1.6.0 0.0.0.255
  network 10.1.8.0 0.0.0.255
  network 10.1.13.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
  network 172.16.4.0 0.0.0.255
#
return

Configuration file of SwitchJ

#
sysname SwitchJ
#
vlan batch 7 to 13
#
acl number 3001
 rule 5 permit ip source 10.1.2.0 0.0.0.255
 rule 10 permit ip source 10.1.3.0 0.0.0.255
 rule 15 permit ip source 10.1.4.0 0.0.0.255
 rule 20 permit ip source 10.1.5.0 0.0.0.255
#
acl number 3003
 rule 5 permit ip destination 10.1.2.0 0.0.0.255
 rule 10 permit ip destination 10.1.3.0 0.0.0.255
 rule 15 permit ip destination 10.1.4.0 0.0.0.255
 rule 20 permit ip destination 10.1.5.0 0.0.0.255
#
traffic classifier c1 type or
 if-match acl 3001
#
traffic classifier c3 type or
 if-match acl 3003
#
traffic behavior b1
 redirect load-balance nexthop 172.16.100.1 172.16.100.3
#
traffic behavior b3
 redirect load-balance nexthop 172.16.100.2 172.16.100.4
#
traffic policy p1
 classifier c1 behavior b1 precedence 5
#
traffic policy p2
 classifier c3 behavior b3 precedence 5
#
interface Vlanif7
 ip address 10.1.7.105 255.255.255.0
#
interface Vlanif8
 ip address 10.1.8.105 255.255.255.0
#
interface Vlanif9
 ip address 172.16.6.2 255.255.255.0
#
interface Vlanif10
 ip address 172.16.7.2 255.255.255.0
#
interface Vlanif11
 ip address 172.16.8.2 255.255.255.0
#
interface Vlanif12
 ip address 172.16.9.2 255.255.255.0
#
interface Vlanif13
 ip address 10.1.13.103 255.255.255.0
#
interface 10GE1/0/1
 description TO-CE12800-SWITCHA
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound 
#
interface 10GE1/0/2
 description TO-CE12800-SWITCHB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound 
#
interface 10GE1/0/3
 description TO-CE12800-SWITCHE
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound 
#
interface 10GE1/0/4
 description TO-CE12800-SWITCHF
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 7
 traffic-policy p1 inbound 
#
interface 10GE1/0/5
 description TO-ROUTERB
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 8
 traffic-policy p2 inbound 
#
interface 10GE1/0/6
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 9
#
interface 10GE1/0/7
 description TO-FW-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
interface 10GE1/0/8
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 11
#
interface 10GE1/0/9
 description TO-FW-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 12
#
interface 10GE1/0/14
 description TO-CE12800-SWITCHI
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 13
 traffic-policy p1 inbound 
#
ospf 1
 area 0.0.0.0
  network 10.1.7.0 0.0.0.255
  network 10.1.8.0 0.0.0.255
  network 10.1.11.0 0.0.0.255
  network 172.16.6.0 0.0.0.255
  network 172.16.7.0 0.0.0.255
  network 172.16.8.0 0.0.0.255
  network 172.16.9.0 0.0.0.255
#
return

Configuration file of FW-1

#
 sysname FW-1
#
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 firewall defend port-scan enable
 firewall defend ip-sweep enable
 firewall defend ip-fragment enable
 firewall defend icmp-flood enable
 firewall defend udp-flood enable
 firewall defend syn-flood enable
 firewall defend ip-spoofing enable
 firewall defend action discard
 firewall defend icmp-flood zone untrust max-rate 20000
 firewall defend udp-flood zone untrust max-rate 1500
 firewall defend syn-flood zone untrust max-rate 20000
#
 hrp enable
 hrp adjust ospf-cost enable
 hrp interface Eth-Trunk1 remote 172.16.10.1
 hrp mirror session enable
 hrp track interface GigabitEthernet 1/0/1
 hrp track interface GigabitEthernet 1/0/2
 hrp track interface GigabitEthernet 1/0/3
 hrp track interface GigabitEthernet 1/0/4
#
 ips enable
#
interface Eth-Trunk1
 ip address 172.16.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 description TO-CE12800-SwitchI-Upstream
 ip address 172.16.1.1 255.255.255.0
 undo shutdown 
#
interface GigabitEthernet1/0/2
 description TO-CE12800-SwitchI-Downstream
 ip address 172.16.2.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet1/0/3
 description TO-CE12800-SwitchJ-Upstream
 ip address 172.16.3.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet1/0/4
 description TO-CE12800-SwitchJ-Downstream
 ip address 172.16.4.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet2/0/0
 description TO-FW-2-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 description TO-FW-2-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/2
 description TO-FW-2-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 description TO-FW-2-HRP
 undo shutdown
 eth-trunk 1
#
interface LoopBack 1
 ip address 172.16.100.1 32
#
interface LoopBack 2
 ip address 172.16.100.2 32
#
interface LoopBack 3
 ip address 172.16.100.3 32
#
interface LoopBack 4
 ip address 172.16.100.4 32
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/1
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.1.2.0 mask 24
  policy destination 10.1.3.0 mask 24
  policy destination 10.1.4.0 mask 24
  policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.1.2.0 mask 24
  policy source 10.1.3.0 mask 24
  policy source 10.1.4.0 mask 24
  policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.1
 area 0.0.0.0                                                                   
  network 172.16.1.0 0.0.0.255
  network 172.16.100.1 0.0.0.0  
#
ospf 2 router-id 172.16.100.2
 area 0.0.0.0                                                                   
  network 172.16.2.0 0.0.0.255
  network 172.16.100.2 0.0.0.0  
#
ospf 3 router-id 172.16.100.3
 area 0.0.0.0                                                                   
  network 172.16.3.0 0.0.0.255
  network 172.16.100.3 0.0.0.0  
#
ospf 4 router-id 172.16.100.4
 area 0.0.0.0                                                                   
  network 172.16.4.0 0.0.0.255
  network 172.16.100.4 0.0.0.0  
#
return

Configuration file of FW-2

#
 sysname FW-2
#
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
#
 firewall defend port-scan enable
 firewall defend ip-sweep enable
 firewall defend ip-fragment enable
 firewall defend icmp-flood enable
 firewall defend udp-flood enable
 firewall defend syn-flood enable
 firewall defend ip-spoofing enable
 firewall defend action discard
 firewall defend icmp-flood zone untrust max-rate 20000
 firewall defend udp-flood zone untrust max-rate 1500
 firewall defend syn-flood zone untrust max-rate 20000
#
 hrp enable
 hrp adjust ospf-cost enable
 hrp interface Eth-Trunk1 remote 172.16.5.1
 hrp mirror session enable
 hrp track interface GigabitEthernet 1/0/1
 hrp track interface GigabitEthernet 1/0/2
 hrp track interface GigabitEthernet 1/0/3
 hrp track interface GigabitEthernet 1/0/4
#
 ips enable
#
interface Eth-Trunk1
 ip address 172.16.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 description TO-CE12800-SwitchI-Upstream
 ip address 172.16.6.1 255.255.255.0
 undo shutdown 
#
interface GigabitEthernet1/0/2
 description TO-CE12800-SwitchI-Downstream
 ip address 172.16.7.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet1/0/3
 description TO-CE12800-SwitchJ-Upstream
 ip address 172.16.8.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet1/0/4
 description TO-CE12800-SwitchJ-Downstream
 ip address 172.16.9.1 255.255.255.0
 undo shutdown
#
interface GigabitEthernet2/0/0
 description TO-FW-1-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 description TO-FW-1-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/2
 description TO-FW-1-HRP
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/3
 description TO-FW-1-HRP
 undo shutdown
 eth-trunk 1
#
interface LoopBack 1
 ip address 172.16.100.1 32
#
interface LoopBack 2
 ip address 172.16.100.2 32
#
interface LoopBack 3
 ip address 172.16.100.3 32
#
interface LoopBack 4
 ip address 172.16.100.4 32
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/1
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/2
 add interface GigabitEthernet 1/0/4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.1.2.0 mask 24
  policy destination 10.1.3.0 mask 24
  policy destination 10.1.4.0 mask 24
  policy destination 10.1.5.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.1.2.0 mask 24
  policy source 10.1.3.0 mask 24
  policy source 10.1.4.0 mask 24
  policy source 10.1.5.0 mask 24
#
ospf 1 router-id 172.16.100.6
 area 0.0.0.0                                                                   
  network 172.16.6.0 0.0.0.255
  network 172.16.100.1 0.0.0.0  
#
ospf 2 router-id 172.16.100.7
 area 0.0.0.0                                                                   
  network 172.16.7.0 0.0.0.255
  network 172.16.100.2 0.0.0.0  
#
ospf 3 router-id 172.16.100.8
 area 0.0.0.0                                                                   
  network 172.16.8.0 0.0.0.255
  network 172.16.100.3 0.0.0.0  
#
ospf 4 router-id 172.16.100.9
 area 0.0.0.0                                                                   
  network 172.16.9.0 0.0.0.255
  network 172.16.100.4 0.0.0.0  
#
return

Translation

Español Français 日本語 Русский 简体中文

Download

Updated: 2021-10-21

Document ID: EDOC1000039339

Downloads: 10373

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode