Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring M-LAG, VSs, and Firewalls in Bypass Mode

Applicable Products and Versions

This example applies to the CE12800/CE7800/CE6800/CE5800 running V100R005C10 or later and the CE8800 running V100R006C00 or later. The CE12800E does not support the VS function after FD-X series cards are installed.

Networking Requirements

On the data center network shown in Figure 1-21:

  • Core switches are connected to aggregation switches through 10GE interfaces.
  • Firewalls at the aggregation layer connect to upstream and downstream devices through GE interfaces.
  • Aggregation switches connect to upstream and downstream devices through 10GE interfaces.
  • Multiple devices are deployed at the access layer and access devices connect to devices at the aggregation layer through 10GE interfaces.
This example uses the CE12804 switch and USG9520 gateway.
Figure 1-21 Networking for configuring M-LAG, VSs, and firewalls in bypass mode

Table 1-13 Data preparation

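| Device Name | Interface | IP Address | Virtual MAC Address |
|---|---|---|---|
| SwitchA | Management interface | 10.1.1.1/24 | - |
| SwitchB | Management interface | 10.1.1.2/24 | - |
| SwitchC (Admin-VS) | Management interface | 10.2.1.1/24 | - |
| SwitchC (Admin-VS) | VLANIF 11 | 10.4.1.1/24 | 0000-5e00-0102 |
| SwitchC (Admin-VS) | VLANIF 20 | 10.5.1.1/24 | 0000-5e00-0103 |
| SwitchC (VS1) | Management interface | 10.3.1.1/24 | - |
| SwitchC (VS1) | VLANIF 30 | 10.6.1.1/24 | 0000-5e00-0104 |
| SwitchC (VS1) | VLANIF 40 | 10.7.2.1/24 | - |
| SwitchC (VS1) | 10GE1/0/29 | 10.7.1.1/24 | - |
| SwitchC (VS1) | 10GE1/0/30 | 10.8.1.1/24 | - |
| SwitchC (VS1) | 10GE1/0/31 | 10.8.2.1/24 | - |
| SwitchD (Admin-VS) | Management interface | 10.2.1.2/24 | - |
| SwitchD (Admin-VS) | VLANIF 11 | 10.4.1.1/24 | 0000-5e00-0102 |
| SwitchD (Admin-VS) | VLANIF 20 | 10.5.1.1/24 | 0000-5e00-0103 |
| SwitchD (VS1) | Management interface | 10.3.1.2/24 | - |
| SwitchD (VS1) | VLANIF 30 | 10.6.1.1/24 | 0000-5e00-0104 |
| SwitchD (VS1) | VLANIF 40 | 10.7.2.2/24 | - |
| SwitchD (VS1) | 10GE1/0/29 | 10.7.1.2/24 | - |
| SwitchD (VS1) | 10GE1/0/30 | 10.9.1.1/24 | - |
| SwitchD (VS1) | 10GE1/0/31 | 10.9.2.1/24 | - |
| SwitchE | 10GE1/0/1 | 10.8.1.2/24 | - |
| SwitchE | 10GE1/0/2 | 10.9.2.2/24 | - |
| SwitchF | 10GE1/0/1 | 10.9.1.2/24 | - |
| SwitchF | 10GE1/0/2 | 10.8.2.2/24 | - |
| SeGW A | GigabitEthernet 3/0/0 | 10.10.0.1/24 | - |
| SeGW A | Uplink interface | Floating IP address: 10.6.1.3/24 | - |
| SeGW A | Downlink interface | Floating IP address: 10.5.1.3/24 | - |
| SeGW B | GigabitEthernet 3/0/0 | 10.10.0.2/24 | - |
| SeGW B | Uplink interface | Floating IP address: 10.6.1.3/24 | - |
| SeGW B | Downlink interface | Floating IP address: 10.5.1.3/24 | - |
| Network segment where servers are located | - | 10.4.1.0/24 | - |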

Requirement Analysis

The customer wants to build a stable, large Layer 2 network in which dual-homing ensures reliability and traffic is load balanced between links to improve link efficiency. VSs are deployed at the aggregation layer to improve cabinet usage. To protect server services, the SeGWs are connected in bypass mode at the aggregation layer to provide security defense.
  • Devices at the core and aggregation layers establish cross connections to load balance traffic based on ECMP (preferential forwarding of local traffic is used with M-LAG at the aggregation layer).

  • VSs are assigned at the aggregation layer and Layer 3 firewalls are deployed to improve the cabinet use efficiency.

  • Security gateways at the aggregation layer use the routing mode (static route), are enabled with the Hot Redundancy Protocol (HRP), and work in active/standby mode to enhance network robustness.

  • M-LAG is deployed at the aggregation and access layers to form a loop-free topology.

Figure 1-22 shows the logical networking after M-LAG, VSs, and firewalls are deployed.

Figure 1-22 Networking for configuring M-LAG, VSs, and firewalls in bypass mode

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure VSs on SwitchC and SwitchD.

  2. Configure M-LAG between SwitchA and SwitchB, between Admin-VS (SwitchC) and Admin-VS (SwitchD), and between SwitchC-VS1 and SwitchD-VS1 to implement dual-homing access. When access and aggregation switches work normally, links load balance traffic and a fault of any aggregation switch does not affect services. High service reliability is therefore ensured.

    • Configure SwitchC and SwitchD as root bridges and enable root protection on downstream interfaces to ensure that the interfaces can forward traffic normally. Configure interfaces on SwitchA and SwitchB connected to user terminals as edge interfaces to accelerate route convergence and enable BPDU protection to enhance network stability.

    • Create VLANIF interfaces on Admin-VS (SwitchC), Admin-VS (SwitchD), SwitchC-VS1, and SwitchD-VS1 and configure IP addresses and MAC addresses for the VLANIF interfaces as the user-side gateway and next hop of the firewall.
  3. Configure security gateways at the aggregation layer to use the routing mode, enable HRP, and configure them to work in active/standby mode to enhance network robustness.

  4. Enable OSPF on aggregation and core switches.
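
A check for the switch-side settings in this roadmap, as an added example (not Huawei's code and not part of the original page): the Python below parses a pasted CLI session in the prompt format used in the Procedure and reports Eth-Trunks that still carry VLAN 1 or lack storm suppression, edge ports without global BPDU protection, a management interface outside a VPN instance, and M-LAG peers whose `lacp m-lag` values or M-LAG ID bindings differ. The hostnames LeafA/LeafB, the sample sessions and the function names are constructed for illustration, and treating the peer values as required to match is an assumption taken from how every pair on this page is configured.

```python
import re
from collections import defaultdict

# Prompt as printed on this page: optional '*' or '~' flag, then hostname[-view].
PROMPT = re.compile(r"^\s*\[[*~]?(?P<ctx>[^\]]+)\]\s*(?P<cmd>.*)$")
MLAG_BIND = re.compile(r"^dfs-group \d+ m-lag (\d+)$")

def parse_session(text, hostname):
    """Group the commands of a pasted CLI session by view ('' = system view)."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # warnings, display output, blank lines
        ctx = m.group("ctx")
        if ctx != hostname and not ctx.startswith(hostname + "-"):
            continue  # prompt of another device
        cmd = m.group("cmd").split("//", 1)[0].strip()  # drop trailing //comment
        if cmd and cmd not in ("quit", "commit"):
            views[ctx[len(hostname) + 1:]].append(cmd)
    return dict(views)

def _first(cmds, prefix):
    """Remainder of the first command starting with prefix, else None."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), None)

def audit_device(views):
    """Findings for the Layer 2 and management settings this page configures."""
    findings, system = [], views.get("", [])
    edge_seen = root_guard_seen = False
    for name in sorted(v for v in views if v.startswith("Eth-Trunk")):
        cmds = views[name]
        if _first(cmds, "peer-link") is not None:
            if "port vlan exclude 1" not in cmds:
                findings.append(f"{name}: peer-link does not exclude VLAN 1")
            continue
        if not any(MLAG_BIND.match(c) for c in cmds):
            continue  # not an M-LAG member interface
        if "port link-type trunk" in cmds and "undo port trunk allow-pass vlan 1" not in cmds:
            findings.append(f"{name}: trunk still allows VLAN 1")
        if _first(cmds, "storm suppression broadcast") is None:
            findings.append(f"{name}: no broadcast storm suppression")
        edge_seen |= "stp edged-port enable" in cmds
        root_guard_seen |= "stp root-protection" in cmds
    if edge_seen and "stp bpdu-protection" not in system:
        findings.append("edge ports configured without global 'stp bpdu-protection'")
    if "stp root primary" in system and not root_guard_seen:
        findings.append("root bridge has no 'stp root-protection' on any M-LAG trunk")
    # Management isolation: MEth bound to a VPN instance, DFS source in the same one.
    in_view = lambda p: [c for v in views if v.startswith(p) for c in views[v]]
    vrf = _first(in_view("MEth"), "ip binding vpn-instance")
    src = _first(in_view("dfs-group-"), "source ip")
    if vrf is None:
        findings.append("management interface is not bound to a VPN instance")
    elif src is None or not src.endswith(f"vpn-instance {vrf}"):
        findings.append(f"DFS group source is not in VPN instance {vrf}")
    return findings

def audit_pair(a, b):
    """Compare the values this page sets identically on both M-LAG peers."""
    findings = []
    for key in ("lacp m-lag system-id", "lacp m-lag priority"):
        va, vb = _first(a.get("", []), key), _first(b.get("", []), key)
        if va != vb:
            findings.append(f"{key} differs: {va} vs {vb}")
    ids = [{n: m.group(1) for n, cmds in v.items()
            for m in map(MLAG_BIND.match, cmds) if m} for v in (a, b)]
    if ids[0] != ids[1]:
        findings.append("M-LAG ID bindings differ between the peers")
    return findings

# Constructed sessions for two hypothetical peers (LeafA, LeafB), cut down from
# the command forms on this page. LeafB is derived with three deliberate gaps.
LEAF_A = """\
[*LeafA-MEth0/0/0] ip binding vpn-instance VRF-A     //Bind the management interface.
[*LeafA-dfs-group-1] source ip 192.0.2.1 vpn-instance VRF-A
[*LeafA-Eth-Trunk0] peer-link 1
[*LeafA-Eth-Trunk0] port vlan exclude 1
[*LeafA-Eth-Trunk10] dfs-group 1 m-lag 1
[*LeafA-Eth-Trunk10] stp edged-port enable
[*LeafA-Eth-Trunk10] storm suppression broadcast cir 10 mbps
[*LeafA] stp bpdu-protection
[*LeafA-Eth-Trunk40] port link-type trunk
[*LeafA-Eth-Trunk40] undo port trunk allow-pass vlan 1
[*LeafA-Eth-Trunk40] dfs-group 1 m-lag 4
[*LeafA-Eth-Trunk40] storm suppression broadcast cir 10 mbps
[*LeafA] lacp m-lag priority 10
[*LeafA] lacp m-lag system-id 00e0-fc00-0000
"""
LEAF_B = (LEAF_A.replace("LeafA", "LeafB").replace("192.0.2.1", "192.0.2.2")
          .replace("[*LeafB] stp bpdu-protection\n", "")
          .replace("[*LeafB-Eth-Trunk40] undo port trunk allow-pass vlan 1\n", "")
          .replace("system-id 00e0-fc00-0000", "system-id 00e0-fc00-0009"))

if __name__ == "__main__":
    a, b = parse_session(LEAF_A, "LeafA"), parse_session(LEAF_B, "LeafB")
    print(audit_device(a), audit_device(b), audit_pair(a, b), sep="\n")
```

To audit a virtual system, pass its full prompt name as the hostname (for example `SwitchC-vs1`), since its prompts carry that prefix.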

Procedure

  1. Configure VS assignment.

    SwitchC is used as an example. The configuration of SwitchD is similar and is not described here.

    1. Create VS1 in port group mode and configure VS1 to use the default logical resource specifications. Allocate 10GE1/0/24 to 10GE1/0/47 and 10GE2/0/24 to 10GE2/0/47 to VS1.

      <HUAWEI> system-view
      [~HUAWEI] sysname SwitchC
      [*HUAWEI] commit
      [~SwitchC] admin
      [~SwitchC-admin] virtual-system vs1
      [*SwitchC-admin-vs:vs1] port-mode group
      [*SwitchC-admin-vs:vs1] assign interface 10GE 1/0/24
      Warning: All configurations of the interfaces will be deleted. Interfaces 10GE1/0/24-47 of the same group will be assigned. Continue?
       [Y/N]: y
      [*SwitchC-admin-vs:vs1] assign interface 10GE 2/0/24
      Warning: All configurations of the interfaces will be deleted. Interfaces 10GE2/0/24-47 of the same group will be assigned. Continue?
       [Y/N]: y
      [*SwitchC-admin-vs:vs1] quit
      [*SwitchC-admin] commit

    2. Verify the configuration.

      # Check VS1 information.

      [~SwitchC-admin] display virtual-system name vs1 verbose
      Name         : vs1
      Status       : running
      Description  :
      Create time  : 2016-10-13 09:34:22
      Port mode    : group
      System MAC   : 000a-0b0c-0d05
      Assigned slot(s)
      pvmb         : 5
      pvmb         : 6
      CPU(s)
      slot 5       : 0%
      slot 6       : 0%
      Memory(s)
      slot 5       : 5%, 202632/3884636 (Used Kbytes/Max Kbytes)
      slot 6       : 2%, 201272/8021592 (Used Kbytes/Max Kbytes)
      Assigned interface(s)
        10GE1/0/24, slot 1
        10GE1/0/25, slot 1
        10GE1/0/26, slot 1
        10GE1/0/27, slot 1
        10GE1/0/28, slot 1
        10GE1/0/29, slot 1
        10GE1/0/30, slot 1
        10GE1/0/31, slot 1
        10GE1/0/32, slot 1
        10GE1/0/33, slot 1
        10GE1/0/34, slot 1
        10GE1/0/35, slot 1
        10GE1/0/36, slot 1
        10GE1/0/37, slot 1
        10GE1/0/38, slot 1
        10GE1/0/39, slot 1
        10GE1/0/40, slot 1
        10GE1/0/41, slot 1
        10GE1/0/42, slot 1
        10GE1/0/43, slot 1
        10GE1/0/44, slot 1
        10GE1/0/45, slot 1
        10GE1/0/46, slot 1
        10GE1/0/47, slot 1
        10GE2/0/24, slot 2
        10GE2/0/25, slot 2
        10GE2/0/26, slot 2
        10GE2/0/27, slot 2
        10GE2/0/28, slot 2
        10GE2/0/29, slot 2
        10GE2/0/30, slot 2
        10GE2/0/31, slot 2
        10GE2/0/32, slot 2
        10GE2/0/33, slot 2
        10GE2/0/34, slot 2
        10GE2/0/35, slot 2
        10GE2/0/36, slot 2
        10GE2/0/37, slot 2
        10GE2/0/38, slot 2
        10GE2/0/39, slot 2
        10GE2/0/40, slot 2
        10GE2/0/41, slot 2
        10GE2/0/42, slot 2
        10GE2/0/43, slot 2
        10GE2/0/44, slot 2
        10GE2/0/45, slot 2
        10GE2/0/46, slot 2
        10GE2/0/47, slot 2
      Assigned resource(s)
      u4route      : 60000(Max)
      m4route      : 1000(Max)
      u6route      : 16000(Max)
      m6route      : 100(Max)
      vlan         : 4063(Max)
      vpn-instance : 4096(Max)
      cpu          : 5(weight)
      memory       : 100(ratio-threshold)
      mpls         : enable
      trill        : enable
      mcast        : enable
      

  2. Configure M-LAG.
    1. Configure V-STP, dual-active detection links, DFS groups, peer-links, and M-LAG member interfaces on SwitchA, SwitchB, Admin-VS (SwitchC), Admin-VS (SwitchD), SwitchC-VS1, and SwitchD-VS1.

      The dual-active detection links are connected to management interfaces to implement interworking, DFS groups must be bound to IP addresses of management interfaces to ensure communication, and management interfaces are bound to VPN instances to implement isolation.

      It is recommended that the Eth-Trunk member interfaces of the peer-link be deployed on different cards to prevent a peer-link fault caused by a single point of failure.

      # Configure SwitchA.

      Configure the Eth-Trunk on SwitchA connected to servers as the edge interface and enable BPDU protection on the Eth-Trunk. The Eth-Trunk on the access switch connected to Server 1 is used as an example.

      The uplink interface of the server connected to the switch needs to be bound to an aggregated link, and the link aggregation modes on the server and switch must be consistent.

      <HUAWEI> system-view
      [~HUAWEI] sysname SwitchA
      [*HUAWEI] commit
      [~SwitchA] stp mode rstp
      [*SwitchA] stp v-stp enable
      [*SwitchA] stp flush disable
      [*SwitchA] ip vpn-instance VRF-A     //Create VRF-A.
      [*SwitchA-vpn-instance-VRF-A] ipv4-family
      [*SwitchA-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
      [*SwitchA-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
      [*SwitchA-vpn-instance-VRF-A-af-ipv4] quit
      [*SwitchA-vpn-instance-VRF-A] quit
      [*SwitchA] interface meth 0/0/0
      [*SwitchA-MEth0/0/0] ip binding vpn-instance VRF-A     //Bind the management interface to VRF-A.
      [*SwitchA-MEth0/0/0] ip address 10.1.1.1 24
      [*SwitchA-MEth0/0/0] quit
      [*SwitchA] dfs-group 1
      [*SwitchA-dfs-group-1] source ip 10.1.1.1 vpn-instance VRF-A     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchA-dfs-group-1] priority 150
      [*SwitchA-dfs-group-1] quit
      [*SwitchA] interface eth-trunk 0
      [*SwitchA-Eth-Trunk0] trunkport 10ge 1/0/4
      [*SwitchA-Eth-Trunk0] trunkport 10ge 2/0/4     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
      [*SwitchA-Eth-Trunk0] mode lacp-static
      [*SwitchA-Eth-Trunk0] peer-link 1
      [*SwitchA-Eth-Trunk0] port vlan exclude 1
      [*SwitchA-Eth-Trunk0] quit
      [*SwitchA] vlan batch 11
      [*SwitchA] interface eth-trunk 10
      [*SwitchA-Eth-Trunk10] mode lacp-dynamic
      [*SwitchA-Eth-Trunk10] port link-type access
      [*SwitchA-Eth-Trunk10] port default vlan 11
      [*SwitchA-Eth-Trunk10] trunkport 10ge 1/0/1
      [*SwitchA-Eth-Trunk10] dfs-group 1 m-lag 1
      [*SwitchA-Eth-Trunk10] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchA-Eth-Trunk10] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchA-Eth-Trunk10] quit
      [*SwitchA] interface eth-trunk 20
      [*SwitchA-Eth-Trunk20] mode lacp-dynamic
      [*SwitchA-Eth-Trunk20] port link-type access
      [*SwitchA-Eth-Trunk20] port default vlan 11
      [*SwitchA-Eth-Trunk20] trunkport 10ge 1/0/2
      [*SwitchA-Eth-Trunk20] dfs-group 1 m-lag 2
      [*SwitchA-Eth-Trunk20] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchA-Eth-Trunk20] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchA-Eth-Trunk20] quit
      [*SwitchA] interface eth-trunk 30
      [*SwitchA-Eth-Trunk30] mode lacp-dynamic
      [*SwitchA-Eth-Trunk30] port link-type access
      [*SwitchA-Eth-Trunk30] port default vlan 11
      [*SwitchA-Eth-Trunk30] trunkport 10ge 1/0/3
      [*SwitchA-Eth-Trunk30] dfs-group 1 m-lag 3
      [*SwitchA-Eth-Trunk30] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchA-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchA-Eth-Trunk30] quit
      [*SwitchA] stp bpdu-protection     //Enable BPDU protection on the edge interface.
      [*SwitchA] interface eth-trunk 40
      [*SwitchA-Eth-Trunk40] mode lacp-static
      [*SwitchA-Eth-Trunk40] port link-type trunk
      [*SwitchA-Eth-Trunk40] undo port trunk allow-pass vlan 1
      [*SwitchA-Eth-Trunk40] port trunk allow-pass vlan 11
      [*SwitchA-Eth-Trunk40] trunkport 10ge 1/0/6 to 1/0/7
      [*SwitchA-Eth-Trunk40] dfs-group 1 m-lag 4
      [*SwitchA-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchA-Eth-Trunk40] quit
      [*SwitchA] lacp m-lag priority 10
      [*SwitchA] lacp m-lag system-id 00e0-fc00-0000
      [*SwitchA] interface 10ge 1/0/9
      [*SwitchA-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
      [*SwitchA-10GE1/0/9] quit
      [*SwitchA] commit

      # Configure SwitchB.

      Configure the Eth-Trunk on SwitchB connected to servers as the edge interface and enable BPDU protection on the Eth-Trunk. The Eth-Trunk on the access switch connected to Server 1 is used as an example.

      The uplink interface of the server connected to the switch needs to be bound to an aggregated link, and the link aggregation modes on the server and switch must be consistent.

      <HUAWEI> system-view
      [~HUAWEI] sysname SwitchB
      [*HUAWEI] commit
      [~SwitchB] stp mode rstp
      [*SwitchB] stp v-stp enable
      [*SwitchB] stp flush disable
      [*SwitchB] ip vpn-instance VRF-A     //Create VRF-A.
      [*SwitchB-vpn-instance-VRF-A] ipv4-family
      [*SwitchB-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:2
      [*SwitchB-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
      [*SwitchB-vpn-instance-VRF-A-af-ipv4] quit
      [*SwitchB-vpn-instance-VRF-A] quit
      [*SwitchB] interface meth 0/0/0
      [*SwitchB-MEth0/0/0] ip binding vpn-instance VRF-A     //Bind the management interface to VRF-A.
      [*SwitchB-MEth0/0/0] ip address 10.1.1.2 24
      [*SwitchB-MEth0/0/0] quit
      [*SwitchB] dfs-group 1
      [*SwitchB-dfs-group-1] source ip 10.1.1.2 vpn-instance VRF-A     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchB-dfs-group-1] priority 120
      [*SwitchB-dfs-group-1] quit
      [*SwitchB] interface eth-trunk 0
      [*SwitchB-Eth-Trunk0] trunkport 10ge 1/0/4
      [*SwitchB-Eth-Trunk0] trunkport 10ge 2/0/4
      [*SwitchB-Eth-Trunk0] mode lacp-static
      [*SwitchB-Eth-Trunk0] peer-link 1
      [*SwitchB-Eth-Trunk0] port vlan exclude 1
      [*SwitchB-Eth-Trunk0] quit
      [*SwitchB] vlan batch 11
      [*SwitchB] interface eth-trunk 10
      [*SwitchB-Eth-Trunk10] mode lacp-dynamic
      [*SwitchB-Eth-Trunk10] port link-type access
      [*SwitchB-Eth-Trunk10] port default vlan 11
      [*SwitchB-Eth-Trunk10] trunkport 10ge 1/0/1
      [*SwitchB-Eth-Trunk10] dfs-group 1 m-lag 1
      [*SwitchB-Eth-Trunk10] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchB-Eth-Trunk10] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchB-Eth-Trunk10] quit
      [*SwitchB] interface eth-trunk 20
      [*SwitchB-Eth-Trunk20] mode lacp-dynamic
      [*SwitchB-Eth-Trunk20] port link-type access
      [*SwitchB-Eth-Trunk20] port default vlan 11
      [*SwitchB-Eth-Trunk20] trunkport 10ge 1/0/2
      [*SwitchB-Eth-Trunk20] dfs-group 1 m-lag 2
      [*SwitchB-Eth-Trunk20] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchB-Eth-Trunk20] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchB-Eth-Trunk20] quit
      [*SwitchB] interface eth-trunk 30
      [*SwitchB-Eth-Trunk30] mode lacp-dynamic
      [*SwitchB-Eth-Trunk30] port link-type access
      [*SwitchB-Eth-Trunk30] port default vlan 11
      [*SwitchB-Eth-Trunk30] trunkport 10ge 1/0/3
      [*SwitchB-Eth-Trunk30] dfs-group 1 m-lag 3
      [*SwitchB-Eth-Trunk30] stp edged-port enable     //Configure the Eth-Trunk as the edge interface.
      [*SwitchB-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchB-Eth-Trunk30] quit
      [*SwitchB] stp bpdu-protection     //Enable BPDU protection on the edge interface.
      [*SwitchB] interface eth-trunk 40
      [*SwitchB-Eth-Trunk40] mode lacp-static
      [*SwitchB-Eth-Trunk40] port link-type trunk
      [*SwitchB-Eth-Trunk40] undo port trunk allow-pass vlan 1
      [*SwitchB-Eth-Trunk40] port trunk allow-pass vlan 11
      [*SwitchB-Eth-Trunk40] trunkport 10ge 1/0/6 to 1/0/7
      [*SwitchB-Eth-Trunk40] dfs-group 1 m-lag 4
      [*SwitchB-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchB-Eth-Trunk40] quit
      [*SwitchB] lacp m-lag priority 10
      [*SwitchB] lacp m-lag system-id 00e0-fc00-0000
      [*SwitchB] interface 10ge 1/0/9
      [*SwitchB-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
      [*SwitchB-10GE1/0/9] quit
      [*SwitchB] commit

      # Configure Admin-VS (SwitchC).

      Configure Admin-VS (SwitchC) and Admin-VS (SwitchD) as the root bridges of the STP network, and enable root protection on Eth-Trunks of aggregation switches connected to access switches so that the Eth-Trunks can forward traffic normally.

      <SwitchC> system-view
      [~SwitchC] stp mode rstp
      [*SwitchC] stp root primary     //Configure the aggregation device as the root bridge of the STP network.
      [*SwitchC] stp bridge-address 200b-c739-1300     //Configure the MAC address of the root bridge (MAC address of the master device).
      [*SwitchC] stp v-stp enable
      [*SwitchC] stp flush disable
      [*SwitchC] ip vpn-instance VRF-B     //Create VRF-B.
      [*SwitchC-vpn-instance-VRF-B] ipv4-family
      [*SwitchC-vpn-instance-VRF-B-af-ipv4] route-distinguisher 101:1
      [*SwitchC-vpn-instance-VRF-B-af-ipv4] vpn-target 111:1 both
      [*SwitchC-vpn-instance-VRF-B-af-ipv4] quit
      [*SwitchC-vpn-instance-VRF-B] quit
      [*SwitchC] interface meth 0/0/0
      [*SwitchC-MEth0/0/0] ip binding vpn-instance VRF-B     //Bind the management interface to VRF-B.
      [*SwitchC-MEth0/0/0] ip address 10.2.1.1 24
      [*SwitchC-MEth0/0/0] quit
      [*SwitchC] dfs-group 1
      [*SwitchC-dfs-group-1] source ip 10.2.1.1 vpn-instance VRF-B     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchC-dfs-group-1] priority 150
      [*SwitchC-dfs-group-1] quit
      [*SwitchC] interface eth-trunk 0
      [*SwitchC-Eth-Trunk0] trunkport 10ge 1/0/3
      [*SwitchC-Eth-Trunk0] trunkport 10ge 2/0/3     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
      [*SwitchC-Eth-Trunk0] mode lacp-static
      [*SwitchC-Eth-Trunk0] peer-link 1
      [*SwitchC-Eth-Trunk0] port vlan exclude 1
      [*SwitchC-Eth-Trunk0] quit
      [*SwitchC] vlan batch 11 20
      [*SwitchC] interface eth-trunk 30
      [*SwitchC-Eth-Trunk30] mode lacp-static
      [*SwitchC-Eth-Trunk30] port link-type trunk
      [*SwitchC-Eth-Trunk30] undo port trunk allow-pass vlan 1
      [*SwitchC-Eth-Trunk30] port trunk allow-pass vlan 11
      [*SwitchC-Eth-Trunk30] trunkport 10ge 1/0/1 to 1/0/2
      [*SwitchC-Eth-Trunk30] dfs-group 1 m-lag 1
      [*SwitchC-Eth-Trunk30] stp root-protection     //Enable root protection.
      [*SwitchC-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchC-Eth-Trunk30] quit
      [*SwitchC] interface eth-trunk 40
      [*SwitchC-Eth-Trunk40] mode lacp-static
      [*SwitchC-Eth-Trunk40] port link-type trunk
      [*SwitchC-Eth-Trunk40] undo port trunk allow-pass vlan 1
      [*SwitchC-Eth-Trunk40] port trunk allow-pass vlan 20
      [*SwitchC-Eth-Trunk40] trunkport 10ge 1/0/5
      [*SwitchC-Eth-Trunk40] dfs-group 1 m-lag 2
      [*SwitchC-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchC-Eth-Trunk40] quit
      [*SwitchC] interface eth-trunk 50
      [*SwitchC-Eth-Trunk50] mode lacp-static
      [*SwitchC-Eth-Trunk50] port link-type trunk
      [*SwitchC-Eth-Trunk50] undo port trunk allow-pass vlan 1
      [*SwitchC-Eth-Trunk50] port trunk allow-pass vlan 20
      [*SwitchC-Eth-Trunk50] trunkport 10ge 1/0/6
      [*SwitchC-Eth-Trunk50] dfs-group 1 m-lag 3
      [*SwitchC-Eth-Trunk50] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchC-Eth-Trunk50] quit
      [*SwitchC] lacp m-lag priority 10
      [*SwitchC] lacp m-lag system-id 00e0-fc00-0001
      [*SwitchC] interface 10ge 1/0/9
      [*SwitchC-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
      [*SwitchC-10GE1/0/9] quit
      [*SwitchC] commit
      [~SwitchC] quit

      # Configure SwitchC-VS1.

      <SwitchC> switch virtual-system vs1
      <SwitchC-vs1> system-view
      [~SwitchC-vs1] stp mode rstp
      [*SwitchC-vs1] stp v-stp enable
      [*SwitchC-vs1] stp flush disable
      [*SwitchC-vs1] ip vpn-instance VRF-C     //Create VRF-C.
      [*SwitchC-vs1-vpn-instance-VRF-C] ipv4-family
      [*SwitchC-vs1-vpn-instance-VRF-C-af-ipv4] route-distinguisher 102:1
      [*SwitchC-vs1-vpn-instance-VRF-C-af-ipv4] vpn-target 111:1 both
      [*SwitchC-vs1-vpn-instance-VRF-C-af-ipv4] quit
      [*SwitchC-vs1-vpn-instance-VRF-C] quit
      [*SwitchC-vs1] interface meth 0/0/0
      [*SwitchC-vs1-MEth0/0/0] ip binding vpn-instance VRF-C     //Bind the management interface to VRF-C.
      [*SwitchC-vs1-MEth0/0/0] ip address 10.3.1.1 24
      [*SwitchC-vs1-MEth0/0/0] quit
      [*SwitchC-vs1] dfs-group 1
      [*SwitchC-vs1-dfs-group-1] source ip 10.3.1.1 vpn-instance VRF-C     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchC-vs1-dfs-group-1] priority 150
      [*SwitchC-vs1-dfs-group-1] quit
      [*SwitchC-vs1] interface eth-trunk 0
      [*SwitchC-vs1-Eth-Trunk0] trunkport 10ge 1/0/32
      [*SwitchC-vs1-Eth-Trunk0] trunkport 10ge 2/0/32
      [*SwitchC-vs1-Eth-Trunk0] mode lacp-static
      [*SwitchC-vs1-Eth-Trunk0] peer-link 1
      [*SwitchC-vs1-Eth-Trunk0] port vlan exclude 1
      [*SwitchC-vs1-Eth-Trunk0] quit
      [*SwitchC-vs1] vlan batch 30
      [*SwitchC-vs1] interface eth-trunk 60
      [*SwitchC-vs1-Eth-Trunk60] mode lacp-static
      [*SwitchC-vs1-Eth-Trunk60] port link-type trunk
      [*SwitchC-vs1-Eth-Trunk60] undo port trunk allow-pass vlan 1
      [*SwitchC-vs1-Eth-Trunk60] port trunk allow-pass vlan 30
      [*SwitchC-vs1-Eth-Trunk60] trunkport 10ge 1/0/34
      [*SwitchC-vs1-Eth-Trunk60] dfs-group 1 m-lag 2
      [*SwitchC-vs1-Eth-Trunk60] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchC-vs1-Eth-Trunk60] quit
      [*SwitchC-vs1] interface eth-trunk 70
      [*SwitchC-vs1-Eth-Trunk70] mode lacp-static
      [*SwitchC-vs1-Eth-Trunk70] port link-type trunk
      [*SwitchC-vs1-Eth-Trunk70] undo port trunk allow-pass vlan 1
      [*SwitchC-vs1-Eth-Trunk70] port trunk allow-pass vlan 30
      [*SwitchC-vs1-Eth-Trunk70] trunkport 10ge 1/0/35
      [*SwitchC-vs1-Eth-Trunk70] dfs-group 1 m-lag 3
      [*SwitchC-vs1-Eth-Trunk70] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchC-vs1-Eth-Trunk70] quit
      [*SwitchC-vs1] lacp m-lag priority 10
      [*SwitchC-vs1] lacp m-lag system-id 00e0-fc00-0002
      [*SwitchC-vs1] interface 10ge 1/0/39
      [*SwitchC-vs1-10GE1/0/39] shutdown     //Shut down the interface not in use. 10GE 1/0/39 is used as an example.
      [*SwitchC-vs1-10GE1/0/39] quit
      [*SwitchC-vs1] commit
      [~SwitchC-vs1] quit

      # Configure Admin-VS (SwitchD).

      Configure Admin-VS (SwitchC) and Admin-VS (SwitchD) as the root bridges of the STP network, and enable root protection on Eth-Trunks of aggregation switches connected to access switches so that the Eth-Trunks can forward traffic normally.

      <SwitchD> system-view
      [~SwitchD] stp mode rstp
      [*SwitchD] stp root primary     //Configure the aggregation device as the root bridge of the STP network.
      [*SwitchD] stp bridge-address 200b-c739-1300     //Configure the MAC address of the root bridge (MAC address of the master device).
      [*SwitchD] stp v-stp enable
      [*SwitchD] stp flush disable
      [*SwitchD] ip vpn-instance VRF-B     //Create VRF-B.
      [*SwitchD-vpn-instance-VRF-B] ipv4-family
      [*SwitchD-vpn-instance-VRF-B-af-ipv4] route-distinguisher 101:2
      [*SwitchD-vpn-instance-VRF-B-af-ipv4] vpn-target 111:1 both
      [*SwitchD-vpn-instance-VRF-B-af-ipv4] quit
      [*SwitchD-vpn-instance-VRF-B] quit
      [*SwitchD] interface meth 0/0/0
      [*SwitchD-MEth0/0/0] ip binding vpn-instance VRF-B     //Bind the management interface to VRF-B.
      [*SwitchD-MEth0/0/0] ip address 10.2.1.2 24
      [*SwitchD-MEth0/0/0] quit
      [*SwitchD] dfs-group 1
      [*SwitchD-dfs-group-1] source ip 10.2.1.2 vpn-instance VRF-B     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchD-dfs-group-1] priority 120
      [*SwitchD-dfs-group-1] quit
      [*SwitchD] interface eth-trunk 0
      [*SwitchD-Eth-Trunk0] trunkport 10ge 1/0/3
      [*SwitchD-Eth-Trunk0] trunkport 10ge 2/0/3     //Configure inter-card member interfaces of the Eth-Trunk of the peer-link.
      [*SwitchD-Eth-Trunk0] mode lacp-static
      [*SwitchD-Eth-Trunk0] peer-link 1
      [*SwitchD-Eth-Trunk0] port vlan exclude 1
      [*SwitchD-Eth-Trunk0] quit
      [*SwitchD] vlan batch 11 20
      [*SwitchD] interface eth-trunk 30
      [*SwitchD-Eth-Trunk30] mode lacp-static
      [*SwitchD-Eth-Trunk30] port link-type trunk
      [*SwitchD-Eth-Trunk30] undo port trunk allow-pass vlan 1
      [*SwitchD-Eth-Trunk30] port trunk allow-pass vlan 11
      [*SwitchD-Eth-Trunk30] trunkport 10ge 1/0/1 to 1/0/2
      [*SwitchD-Eth-Trunk30] dfs-group 1 m-lag 1
      [*SwitchD-Eth-Trunk30] stp root-protection     //Enable root protection.
      [*SwitchD-Eth-Trunk30] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchD-Eth-Trunk30] quit
      [*SwitchD] interface eth-trunk 40
      [*SwitchD-Eth-Trunk40] mode lacp-static
      [*SwitchD-Eth-Trunk40] port link-type trunk
      [*SwitchD-Eth-Trunk40] undo port trunk allow-pass vlan 1
      [*SwitchD-Eth-Trunk40] port trunk allow-pass vlan 20
      [*SwitchD-Eth-Trunk40] trunkport 10ge 1/0/5
      [*SwitchD-Eth-Trunk40] dfs-group 1 m-lag 2
      [*SwitchD-Eth-Trunk40] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchD-Eth-Trunk40] quit
      [*SwitchD] interface eth-trunk 50
      [*SwitchD-Eth-Trunk50] mode lacp-static
      [*SwitchD-Eth-Trunk50] port link-type trunk
      [*SwitchD-Eth-Trunk50] undo port trunk allow-pass vlan 1
      [*SwitchD-Eth-Trunk50] port trunk allow-pass vlan 20
      [*SwitchD-Eth-Trunk50] trunkport 10ge 1/0/6
      [*SwitchD-Eth-Trunk50] dfs-group 1 m-lag 3
      [*SwitchD-Eth-Trunk50] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface(The CE8800/CE7800/CE6800/CE5800 Series except CE6870EI and CE6875EI only support GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view and port group view).
      [*SwitchD-Eth-Trunk50] quit
      [*SwitchD] lacp m-lag priority 10
      [*SwitchD] lacp m-lag system-id 00e0-fc00-0001
      [*SwitchD] interface 10ge 1/0/9
      [*SwitchD-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
      [*SwitchD-10GE1/0/9] quit
      [*SwitchD] commit
      [~SwitchD] quit

      # Configure SwitchD-VS1.

      <SwitchD> switch virtual-system vs1
      <SwitchD-vs1> system-view
      [~SwitchD-vs1] stp mode rstp
      [*SwitchD-vs1] stp v-stp enable
      [*SwitchD-vs1] stp flush disable
      [*SwitchD-vs1] ip vpn-instance VRF-C     //Create VRF-C.
      [*SwitchD-vs1-vpn-instance-VRF-C] ipv4-family
      [*SwitchD-vs1-vpn-instance-VRF-C-af-ipv4] route-distinguisher 102:2
      [*SwitchD-vs1-vpn-instance-VRF-C-af-ipv4] vpn-target 111:1 both
      [*SwitchD-vs1-vpn-instance-VRF-C-af-ipv4] quit
      [*SwitchD-vs1-vpn-instance-VRF-C] quit
      [*SwitchD-vs1] interface meth 0/0/0
      [*SwitchD-vs1-MEth0/0/0] ip binding vpn-instance VRF-C     //Bind the management interface to VRF-C.
      [*SwitchD-vs1-MEth0/0/0] ip address 10.3.1.2 24
      [*SwitchD-vs1-MEth0/0/0] quit
      [*SwitchD-vs1] dfs-group 1
      [*SwitchD-vs1-dfs-group-1] source ip 10.3.1.2 vpn-instance VRF-C     //Configure the IPv4 address and VPN instance bound to the DFS group.
      [*SwitchD-vs1-dfs-group-1] priority 120
      [*SwitchD-vs1-dfs-group-1] quit
      [*SwitchD-vs1] interface eth-trunk 0
      [*SwitchD-vs1-Eth-Trunk0] trunkport 10ge 1/0/32
      [*SwitchD-vs1-Eth-Trunk0] trunkport 10ge 2/0/32
      [*SwitchD-vs1-Eth-Trunk0] mode lacp-static
      [*SwitchD-vs1-Eth-Trunk0] peer-link 1
      [*SwitchD-vs1-Eth-Trunk0] port vlan exclude 1
      [*SwitchD-vs1-Eth-Trunk0] quit
      [*SwitchD-vs1] vlan batch 30
      [*SwitchD-vs1] interface eth-trunk 60
      [*SwitchD-vs1-Eth-Trunk60] mode lacp-static
      [*SwitchD-vs1-Eth-Trunk60] port link-type trunk
      [*SwitchD-vs1-Eth-Trunk60] undo port trunk allow-pass vlan 1
      [*SwitchD-vs1-Eth-Trunk60] port trunk allow-pass vlan 30
      [*SwitchD-vs1-Eth-Trunk60] trunkport 10ge 1/0/34
      [*SwitchD-vs1-Eth-Trunk60] dfs-group 1 m-lag 2
      [*SwitchD-vs1-Eth-Trunk60] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (The CE8800/CE7800/CE6800/CE5800 series, except the CE6870EI and CE6875EI, support this command only in the GE, 10GE, 25GE, 40GE, and 100GE interface views and the port group view.)
      [*SwitchD-vs1-Eth-Trunk60] quit
      [*SwitchD-vs1] interface eth-trunk 70
      [*SwitchD-vs1-Eth-Trunk70] mode lacp-static
      [*SwitchD-vs1-Eth-Trunk70] port link-type trunk
      [*SwitchD-vs1-Eth-Trunk70] undo port trunk allow-pass vlan 1
      [*SwitchD-vs1-Eth-Trunk70] port trunk allow-pass vlan 30
      [*SwitchD-vs1-Eth-Trunk70] trunkport 10ge 1/0/35
      [*SwitchD-vs1-Eth-Trunk70] dfs-group 1 m-lag 3
      [*SwitchD-vs1-Eth-Trunk70] storm suppression broadcast cir 10 mbps     //Set the CIR of broadcast packets to 10 Mbit/s on this interface. (The CE8800/CE7800/CE6800/CE5800 series, except the CE6870EI and CE6875EI, support this command only in the GE, 10GE, 25GE, 40GE, and 100GE interface views and the port group view.)
      [*SwitchD-vs1-Eth-Trunk70] quit
      [*SwitchD-vs1] commit
      [~SwitchD-vs1] lacp m-lag priority 10
      [*SwitchD-vs1] lacp m-lag system-id 00e0-fc00-0002
      [*SwitchD-vs1] interface 10ge 1/0/39
      [*SwitchD-vs1-10GE1/0/39] shutdown     //Shut down the interface not in use. 10GE 1/0/39 is used as an example.
      [*SwitchD-vs1-10GE1/0/39] quit
      [*SwitchD-vs1] commit
      [~SwitchD-vs1] quit

    2. On Admin-VS (SwitchC), Admin-VS (SwitchD), SwitchC-VS1, and SwitchD-VS1, create VLANIF interfaces and configure IP addresses and MAC addresses for them. Create a dual-active gateway on VLANIF 11 as the user-side gateway, on VLANIF 20 as the downlink next hop of the firewall, and on VLANIF 30 as the uplink next hop of the firewall. Then configure static routes pointing to the firewalls on Admin-VS (SwitchC) and Admin-VS (SwitchD), and on SwitchC-VS1 and SwitchD-VS1.

      # Configure Admin-VS (SwitchC).

      <SwitchC> system-view
      [~SwitchC] interface vlanif 11
      [*SwitchC-Vlanif11] ip address 10.4.1.1 24
      [*SwitchC-Vlanif11] mac-address 0000-5e00-0102
      [*SwitchC-Vlanif11] quit
      [*SwitchC] interface vlanif 20
      [*SwitchC-Vlanif20] ip address 10.5.1.1 24
      [*SwitchC-Vlanif20] mac-address 0000-5e00-0103
      [*SwitchC-Vlanif20] quit
      [*SwitchC] ip route-static 0.0.0.0 0 10.5.1.3
      [*SwitchC] commit
      [~SwitchC] quit

      # Configure SwitchC-VS1.

      <SwitchC> switch virtual-system vs1
      <SwitchC-vs1> system-view
      [~SwitchC-vs1] interface vlanif 30
      [*SwitchC-vs1-Vlanif30] ip address 10.6.1.1 24
      [*SwitchC-vs1-Vlanif30] mac-address 0000-5e00-0104
      [*SwitchC-vs1-Vlanif30] quit
      [*SwitchC-vs1] ip route-static 10.4.1.0 24 10.6.1.3
      [*SwitchC-vs1] commit
      [~SwitchC-vs1] quit

      # Configure Admin-VS (SwitchD).

      <SwitchD> system-view
      [~SwitchD] interface vlanif 11
      [*SwitchD-Vlanif11] ip address 10.4.1.1 24
      [*SwitchD-Vlanif11] mac-address 0000-5e00-0102
      [*SwitchD-Vlanif11] quit
      [*SwitchD] interface vlanif 20
      [*SwitchD-Vlanif20] ip address 10.5.1.1 24
      [*SwitchD-Vlanif20] mac-address 0000-5e00-0103
      [*SwitchD-Vlanif20] quit
      [*SwitchD] ip route-static 0.0.0.0 0 10.5.1.3
      [*SwitchD] commit
      [~SwitchD] quit

      # Configure SwitchD-VS1.

      <SwitchD> switch virtual-system vs1
      <SwitchD-vs1> system-view
      [~SwitchD-vs1] interface vlanif 30
      [*SwitchD-vs1-Vlanif30] ip address 10.6.1.1 24
      [*SwitchD-vs1-Vlanif30] mac-address 0000-5e00-0104
      [*SwitchD-vs1-Vlanif30] quit
      [*SwitchD-vs1] ip route-static 10.4.1.0 24 10.6.1.3
      [*SwitchD-vs1] commit
      [~SwitchD-vs1] quit

  3. Configure SeGW A and SeGW B to work in routing mode and enable HRP.
    1. Configure uplink and downlink interfaces of SeGW A and SeGW B.

      # Configure SeGW A.

      <USG9000> system-view
      [USG9000] sysname SeGWA
      [SeGWA] interface eth-trunk 1
      [SeGWA-Eth-Trunk1] mode lacp-static
      [SeGWA-Eth-Trunk1] trunkport GigabitEthernet 1/0/0 to 1/0/1
      [SeGWA-Eth-Trunk1] ip address 10.5.1.3 24 float master
      [SeGWA-Eth-Trunk1] quit
      [SeGWA] interface eth-trunk 2
      [SeGWA-Eth-Trunk2] mode lacp-static
      [SeGWA-Eth-Trunk2] trunkport GigabitEthernet 2/0/0 to 2/0/1
      [SeGWA-Eth-Trunk2] ip address 10.6.1.3 24 float master
      [SeGWA-Eth-Trunk2] quit

      # Configure SeGW B.

      <USG9000> system-view
      [USG9000] sysname SeGWB
      [SeGWB] interface eth-trunk 1
      [SeGWB-Eth-Trunk1] mode lacp-static
      [SeGWB-Eth-Trunk1] trunkport GigabitEthernet 1/0/0 to 1/0/1
      [SeGWB-Eth-Trunk1] ip address 10.5.1.3 24 float slave
      [SeGWB-Eth-Trunk1] quit
      [SeGWB] interface eth-trunk 2
      [SeGWB-Eth-Trunk2] mode lacp-static
      [SeGWB-Eth-Trunk2] trunkport GigabitEthernet 2/0/0 to 2/0/1
      [SeGWB-Eth-Trunk2] ip address 10.6.1.3 24 float slave
      [SeGWB-Eth-Trunk2] quit

    2. Configure IP addresses for heartbeat interfaces of SeGW A and SeGW B.

      # Configure SeGW A.

      [SeGWA] interface GigabitEthernet 3/0/0
      [SeGWA-GigabitEthernet3/0/0] ip address 10.10.0.1 24
      [SeGWA-GigabitEthernet3/0/0] quit

      # Configure SeGW B.

      [SeGWB] interface GigabitEthernet 3/0/0
      [SeGWB-GigabitEthernet3/0/0] ip address 10.10.0.2 24
      [SeGWB-GigabitEthernet3/0/0] quit

    3. Add uplink interfaces of SeGW A and SeGW B to the untrusted zone, downlink interfaces to the trusted zone, and heartbeat interfaces to the DMZ.

      # Configure SeGW A.

      [SeGWA] firewall zone untrust
      [SeGWA-zone-untrust] add interface eth-trunk 2
      [SeGWA-zone-untrust] quit
      [SeGWA] firewall zone trust
      [SeGWA-zone-trust] add interface eth-trunk 1
      [SeGWA-zone-trust] quit
      [SeGWA] firewall zone dmz
      [SeGWA-zone-dmz] add interface GigabitEthernet 3/0/0
      [SeGWA-zone-dmz] quit

      # Configure SeGW B.

      [SeGWB] firewall zone untrust
      [SeGWB-zone-untrust] add interface eth-trunk 2
      [SeGWB-zone-untrust] quit
      [SeGWB] firewall zone trust
      [SeGWB-zone-trust] add interface eth-trunk 1
      [SeGWB-zone-trust] quit
      [SeGWB] firewall zone dmz
      [SeGWB-zone-dmz] add interface GigabitEthernet 3/0/0
      [SeGWB-zone-dmz] quit

    4. Specify the heartbeat interface and enable HRP.

      # Configure SeGW A.

      [SeGWA] hrp interface GigabitEthernet 3/0/0 remote 10.10.0.2
      [SeGWA] hrp enable

      # Configure SeGW B.

      [SeGWB] hrp interface GigabitEthernet 3/0/0 remote 10.10.0.1
      [SeGWB] hrp enable

    5. Configure static routes, and specify next hops of uplink and downlink traffic of firewalls.

      # Configure SeGW A.

      [SeGWA] ip route-static 0.0.0.0 0 10.6.1.111
      [SeGWA] ip route-static 10.4.1.0 24 10.5.1.111

      # Configure SeGW B.

      [SeGWB] ip route-static 0.0.0.0 0 10.6.1.111
      [SeGWB] ip route-static 10.4.1.0 24 10.5.1.111

    6. Configure security functions such as the security policy, IPS, and attack defense on SeGW A. The configuration of SeGW A is automatically backed up to SeGW B. For details, see the security gateway documentation.
  4. Enable OSPF on SwitchC-VS1, SwitchD-VS1, SwitchE, and SwitchF and use the main interface to establish the neighbor relationship.

    # Configure SwitchC-VS1.

    <SwitchC> switch virtual-system vs1
    <SwitchC-vs1> system-view
    [~SwitchC-vs1] interface 10ge 1/0/29
    [*SwitchC-vs1-10GE1/0/29] undo portswitch
    [*SwitchC-vs1-10GE1/0/29] ip address 10.7.1.1 24
    [*SwitchC-vs1-10GE1/0/29] ospf enable 1 area 0
    [*SwitchC-vs1-10GE1/0/29] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchC-vs1-10GE1/0/29] ospf cost 10     //Set the OSPF cost of the interface to 10.
    [*SwitchC-vs1-10GE1/0/29] quit
    [*SwitchC-vs1] interface 10ge 1/0/30
    [*SwitchC-vs1-10GE1/0/30] undo portswitch
    [*SwitchC-vs1-10GE1/0/30] ip address 10.8.1.1 24
    [*SwitchC-vs1-10GE1/0/30] ospf enable 1 area 0
    [*SwitchC-vs1-10GE1/0/30] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchC-vs1-10GE1/0/30] quit
    [*SwitchC-vs1] interface 10ge 1/0/31
    [*SwitchC-vs1-10GE1/0/31] undo portswitch
    [*SwitchC-vs1-10GE1/0/31] ip address 10.8.2.1 24
    [*SwitchC-vs1-10GE1/0/31] ospf enable 1 area 0
    [*SwitchC-vs1-10GE1/0/31] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchC-vs1-10GE1/0/31] quit
    [*SwitchC-vs1] vlan batch 40
    [*SwitchC-vs1] interface vlanif 40
    [*SwitchC-vs1-Vlanif40] ip address 10.7.2.1 24
    [*SwitchC-vs1-Vlanif40] ospf network-type p2p
    [*SwitchC-vs1-Vlanif40] ospf cost 100
    [*SwitchC-vs1-Vlanif40] quit
    [*SwitchC-vs1] ospf 1
    [*SwitchC-vs1-ospf-1] area 0
    [*SwitchC-vs1-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
    [*SwitchC-vs1-ospf-1-area-0.0.0.0] network 10.7.2.0 0.0.0.255
    [*SwitchC-vs1-ospf-1-area-0.0.0.0] network 10.8.1.0 0.0.0.255
    [*SwitchC-vs1-ospf-1-area-0.0.0.0] network 10.8.2.0 0.0.0.255
    [*SwitchC-vs1-ospf-1-area-0.0.0.0] quit
    [*SwitchC-vs1-ospf-1] import-route static
    [*SwitchC-vs1-ospf-1] quit
    [*SwitchC-vs1] commit
    [~SwitchC-vs1] quit

    # Configure SwitchD-VS1.

    <SwitchD> switch virtual-system vs1
    <SwitchD-vs1> system-view
    [~SwitchD-vs1] interface 10ge 1/0/29
    [*SwitchD-vs1-10GE1/0/29] undo portswitch
    [*SwitchD-vs1-10GE1/0/29] ip address 10.7.1.2 24
    [*SwitchD-vs1-10GE1/0/29] ospf enable 1 area 0
    [*SwitchD-vs1-10GE1/0/29] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchD-vs1-10GE1/0/29] ospf cost 10     //Set the OSPF cost of the interface to 10.
    [*SwitchD-vs1-10GE1/0/29] quit
    [*SwitchD-vs1] interface 10ge 1/0/30
    [*SwitchD-vs1-10GE1/0/30] undo portswitch
    [*SwitchD-vs1-10GE1/0/30] ip address 10.9.1.1 24
    [*SwitchD-vs1-10GE1/0/30] ospf enable 1 area 0
    [*SwitchD-vs1-10GE1/0/30] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchD-vs1-10GE1/0/30] quit
    [*SwitchD-vs1] interface 10ge 1/0/31
    [*SwitchD-vs1-10GE1/0/31] undo portswitch
    [*SwitchD-vs1-10GE1/0/31] ip address 10.9.2.1 24
    [*SwitchD-vs1-10GE1/0/31] ospf enable 1 area 0
    [*SwitchD-vs1-10GE1/0/31] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchD-vs1-10GE1/0/31] quit
    [*SwitchD-vs1] vlan batch 40
    [*SwitchD-vs1] interface vlanif 40
    [*SwitchD-vs1-Vlanif40] ip address 10.7.2.9 24
    [*SwitchD-vs1-Vlanif40] ospf network-type p2p
    [*SwitchD-vs1-Vlanif40] ospf cost 100
    [*SwitchD-vs1-Vlanif40] quit
    [*SwitchD-vs1] ospf 1
    [*SwitchD-vs1-ospf-1] area 0
    [*SwitchD-vs1-ospf-1-area-0.0.0.0] network 10.7.1.0 0.0.0.255
    [*SwitchD-vs1-ospf-1-area-0.0.0.0] network 10.7.2.0 0.0.0.255
    [*SwitchD-vs1-ospf-1-area-0.0.0.0] network 10.9.1.0 0.0.0.255
    [*SwitchD-vs1-ospf-1-area-0.0.0.0] network 10.9.2.0 0.0.0.255
    [*SwitchD-vs1-ospf-1-area-0.0.0.0] quit
    [*SwitchD-vs1-ospf-1] import-route static
    [*SwitchD-vs1-ospf-1] quit
    [*SwitchD-vs1] commit
    [~SwitchD-vs1] quit

    # Configure SwitchE.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchE
    [*HUAWEI] commit
    [~SwitchE] interface 10ge 1/0/1
    [~SwitchE-10GE1/0/1] undo portswitch
    [*SwitchE-10GE1/0/1] ip address 10.8.1.2 24
    [*SwitchE-10GE1/0/1] ospf enable 1 area 0
    [*SwitchE-10GE1/0/1] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchE-10GE1/0/1] quit
    [*SwitchE] interface 10ge 1/0/2
    [*SwitchE-10GE1/0/2] undo portswitch
    [*SwitchE-10GE1/0/2] ip address 10.9.2.2 24
    [*SwitchE-10GE1/0/2] ospf enable 1 area 0
    [*SwitchE-10GE1/0/2] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchE-10GE1/0/2] quit
    [*SwitchE] interface 10ge 1/0/9
    [*SwitchE-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
    [*SwitchE-10GE1/0/9] quit
    [*SwitchE] ospf 1
    [*SwitchE-ospf-1] area 0
    [*SwitchE-ospf-1-area-0.0.0.0] network 10.8.1.0 0.0.0.255
    [*SwitchE-ospf-1-area-0.0.0.0] network 10.9.2.0 0.0.0.255
    [*SwitchE-ospf-1-area-0.0.0.0] quit
    [*SwitchE-ospf-1] quit
    [*SwitchE] commit

    # Configure SwitchF.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchF
    [*HUAWEI] commit
    [~SwitchF] interface 10ge 1/0/1
    [~SwitchF-10GE1/0/1] undo portswitch
    [*SwitchF-10GE1/0/1] ip address 10.9.1.2 24
    [*SwitchF-10GE1/0/1] ospf enable 1 area 0
    [*SwitchF-10GE1/0/1] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchF-10GE1/0/1] quit
    [*SwitchF] interface 10ge 1/0/2
    [*SwitchF-10GE1/0/2] undo portswitch
    [*SwitchF-10GE1/0/2] ip address 10.8.2.2 24
    [*SwitchF-10GE1/0/2] ospf enable 1 area 0
    [*SwitchF-10GE1/0/2] ospf network-type p2p     //Set the network type of the interface to P2P.
    [*SwitchF-10GE1/0/2] quit
    [*SwitchF] interface 10ge 1/0/9
    [*SwitchF-10GE1/0/9] shutdown     //Shut down the interface not in use. 10GE 1/0/9 is used as an example.
    [*SwitchF-10GE1/0/9] quit
    [*SwitchF] ospf 1
    [*SwitchF-ospf-1] area 0
    [*SwitchF-ospf-1-area-0.0.0.0] network 10.8.2.0 0.0.0.255
    [*SwitchF-ospf-1-area-0.0.0.0] network 10.9.1.0 0.0.0.255
    [*SwitchF-ospf-1-area-0.0.0.0] quit
    [*SwitchF-ospf-1] quit
    [*SwitchF] commit

  5. Verify the configuration.

    • Run the display dfs-group command to check M-LAG information.

      # Check information about the M-LAG with DFS group 1. The M-LAG composed of SwitchA and SwitchB is used as an example. The information for the M-LAG composed of Admin-VS (SwitchC) and Admin-VS (SwitchD) and for the M-LAG composed of SwitchC-VS1 and SwitchD-VS1 is similar.

      [~SwitchA] display dfs-group 1 m-lag
      *                : Local node                                                                                                       
      Heart beat state : OK                                                                                                           
      Node 1 *                                                                                                                            
        Dfs-Group ID   : 1                                                                                                                
        Priority       : 150                                                                                                              
        Address        : ip address 10.1.1.1  vpn-instance VRF-A                                                                          
        State          : Master                                                                                                       
        Causation      : -                                                                                                                
        System ID      : 0025-9e95-7c01                                                                                                   
        SysName        : SwitchA                                                                                                              
        Version        : V100R006C00                                
        Device Type    : CE12800                                                                                                          
      Node 2                                                                                                                              
        Dfs-Group ID   : 1                                                                                                                
        Priority       : 120                                                                                                              
        Address        : ip address 10.1.1.2  vpn-instance VRF-A                                                                                   
        State          : Backup                                                                                                       
        Causation      : -                                                                                                                
        System ID      : 0025-9e95-7c11                                                                                                   
        SysName        : SwitchB                                                                                                              
        Version        : V100R006C00
        Device Type    : CE12800    

      # Check M-LAG information on SwitchA.

      [~SwitchA] display dfs-group 1 node 1 m-lag brief
      * - Local node
      
      M-Lag ID     Interface      Port State    Status                                                                                     
             1     Eth-Trunk 10   Up            active(*)-active  
             2     Eth-Trunk 20   Up            active(*)-active  
             3     Eth-Trunk 30   Up            active(*)-active  
             4     Eth-Trunk 40   Up            active(*)-active  

      In the preceding information, the value of Heart beat state is OK, indicating that the dual-active detection status is normal. SwitchA is Node 1, with priority 150 and state Master. SwitchB is Node 2, with priority 120 and state Backup. The value of Causation is -, the Port State of both Node 1 and Node 2 is Up, and the M-LAG status of both nodes is active, indicating that the M-LAG configuration is correct.

    • Run the display vrrp verbose command on SwitchC-VS1 and SwitchD-VS1.

      <SwitchC> switch virtual-system vs1
      <SwitchC-vs1> display vrrp verbose
      Vlanif30 | Virtual Router 1
      State        : Master
      Virtual IP     : 10.6.1.111
      Master IP      : 10.6.1.1
      PriorityRun    : 100
      PriorityConfig : 100                                                        
      MasterPriority : 100                                                        
      Preempt        : YES   Delay Time : 0s    Remain : --    
      Hold Multiplier: 3     
      TimerRun       : 1s                                                              
      TimerConfig    : 1s                                                           
      Auth Type      : NONE                                                            
      Virtual MAC    : 0000-5e00-0102                                                
      Check TTL      : YES                                                             
      Config Type    : Normal                                                   
      Create Time       : 2015-03-20 11:39:18                                           
      Last Change Time  : 2015-03-25 11:38:58 
      <SwitchD> switch virtual-system vs1
      <SwitchD-vs1> display vrrp verbose
      Vlanif30 | Virtual Router 1
      State        : Master
      Virtual IP     : 10.6.1.111
      Master IP      : 10.6.1.2
      PriorityRun    : 100
      PriorityConfig : 100                                                        
      MasterPriority : 100                                                        
      Preempt        : YES   Delay Time : 0s   Remain : --     
      Hold Multiplier: 3     
      TimerRun       : 1s                                                        
      TimerConfig    : 1s                                                        
      Auth Type      : NONE                                                       
      Virtual MAC    : 0000-5e00-0102                                             
      Check TTL      : YES                                                        
      Config Type    : Normal                                                
      Create Time      : 2015-03-20 11:39:18                                      
      Last Change Time : 2015-03-25 11:38:58 
    • Run the display hrp state command on SeGW A to check the HRP status. The following information indicates that HRP has been set up successfully.

      HRP_M[SeGWA] display hrp state
       Role: active, peer: standby                                                    
       Running priority: 51008, peer: 51008                                           
       Core state: normal, peer: normal                                   
       Backup channel usage: 0%                                                       
       Stable time: 0 days, 18 hours, 41 minutes
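
An offline cross-check that complements the display commands above, added here as an example and not part of the Huawei documentation: it parses the saved configurations of two M-LAG peers and flags trunks that still carry VLAN 1 or lack broadcast storm suppression, interfaces bound to an undefined VPN instance, and dual-active gateway or LACP M-LAG settings that differ between the peers. The function names and both embedded configurations are constructed for illustration, and the peer rules assume, as in the CLI steps of this example, that both peers carry identical VLANIF IP/MAC addresses and LACP M-LAG system IDs.

```python
import re

# Constructed sample in the style of this page's configuration files (not from a real device).
PEER_C = """\
sysname SwitchC
#
dfs-group 1
 priority 150
 source ip 10.2.1.1 vpn-instance VRF-B
#
lacp m-lag system-id 00e0-fc00-0001
#
ip vpn-instance VRF-B
 ipv4-family
#
interface Vlanif20
 ip address 10.5.1.1 255.255.255.0
 mac-address 0000-5e00-0103
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.2.1.1 255.255.255.0
#
interface Eth-Trunk40
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
 mode lacp-static
 dfs-group 1 m-lag 2
 storm suppression broadcast cir 10 mbps
#
return
"""

# Constructed peer with four deliberate deviations for the checks to find.
PEER_D = (PEER_C.replace("sysname SwitchC", "sysname SwitchD")
          .replace("10.2.1.1", "10.2.1.2").replace("priority 150", "priority 120")
          .replace("ip binding vpn-instance VRF-B", "ip binding vpn-instance VRF-C")
          .replace("0000-5e00-0103", "0000-5e00-0104")
          .replace(" undo port trunk allow-pass vlan 1\n", "")
          .replace(" storm suppression broadcast cir 10 mbps\n", ""))

def parse_sections(cfg):
    """Return {top-level line: [indented sub-commands]} for a saved config."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def audit_device(name, sec):
    """Per-device checks derived from the hardening steps in this example."""
    findings = []
    vrfs = {h.split()[-1] for h in sec if h.startswith("ip vpn-instance ")}
    for header, body in sec.items():
        for cmd in body:
            m = re.search(r"vpn-instance (\S+)", cmd)
            if m and m.group(1) not in vrfs:
                findings.append(f"{name}: {header}: vpn-instance {m.group(1)} is not defined")
        if not header.startswith("interface Eth-Trunk"):
            continue
        if "port link-type trunk" in body and "undo port trunk allow-pass vlan 1" not in body:
            findings.append(f"{name}: {header}: VLAN 1 is still allowed on the trunk")
        mlag = any(re.fullmatch(r"dfs-group \d+ m-lag \d+", c) for c in body)
        if mlag and not any(c.startswith("storm suppression broadcast") for c in body):
            findings.append(f"{name}: {header}: no broadcast storm suppression")
    return findings

def audit_pair(a, b):
    """Settings that the CLI steps configure identically on both M-LAG peers."""
    findings = []
    sysid = lambda sec: [h for h in sec if h.startswith("lacp m-lag system-id ")]
    if sysid(a) != sysid(b):
        findings.append("lacp m-lag system-id differs between peers")
    pick = lambda body, key: sorted(c for c in body if key in c)
    for header in sorted(set(a) | set(b)):
        body_a, body_b = a.get(header, []), b.get(header, [])
        # A VLANIF with a configured MAC is treated as a dual-active gateway.
        if header.startswith("interface Vlanif") and pick(body_a + body_b, "mac-address"):
            for key in ("ip address", "mac-address"):
                if pick(body_a, key) != pick(body_b, key):
                    findings.append(f"{header}: {key} differs between peers")
        if header.startswith("interface Eth-Trunk") and pick(body_a, " m-lag ") != pick(body_b, " m-lag "):
            findings.append(f"{header}: M-LAG binding differs between peers")
    return findings

if __name__ == "__main__":
    c, d = parse_sections(PEER_C), parse_sections(PEER_D)
    for finding in audit_device("SwitchC", c) + audit_device("SwitchD", d) + audit_pair(c, d):
        print(finding)
```
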

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    dfs-group 1
     priority 150
     source ip 10.1.1.1 vpn-instance VRF-A
    #
    vlan batch 11
    #
    stp mode rstp
    stp v-stp enable
    stp bpdu-protection
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0000
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-A
     ipv4-family
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-A
     ip address 10.1.1.1 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk10
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 1
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk20
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk30
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk40
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 11
     mode lacp-static
     dfs-group 1 m-lag 4
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/1
     eth-trunk 10
    #
    interface 10GE1/0/2
     eth-trunk 20
    #
    interface 10GE1/0/3
     eth-trunk 30
    #
    interface 10GE1/0/4
     eth-trunk 0
    #
    interface 10GE1/0/6
     eth-trunk 40
    #
    interface 10GE1/0/7
     eth-trunk 40
    #
    interface 10GE1/0/9
     shutdown
    #
    interface 10GE2/0/4
     eth-trunk 0
    #
    return
    
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    dfs-group 1
     priority 120
     source ip 10.1.1.2 vpn-instance VRF-A
    #
    vlan batch 11
    #
    stp mode rstp
    stp v-stp enable
    stp bpdu-protection
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0000
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-A
     ipv4-family
      route-distinguisher 100:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-A
     ip address 10.1.1.2 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk10
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 1
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk20
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk30
     port default vlan 11
     stp edged-port enable
     mode lacp-dynamic
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk40
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 11
     mode lacp-static
     dfs-group 1 m-lag 4
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/1
     eth-trunk 10
    #
    interface 10GE1/0/2
     eth-trunk 20
    #
    interface 10GE1/0/3
     eth-trunk 30
    #
    interface 10GE1/0/4
     eth-trunk 0
    #
    interface 10GE1/0/6
     eth-trunk 40
    #
    interface 10GE1/0/7
     eth-trunk 40
    #
    interface 10GE1/0/9
     shutdown
    #
    interface 10GE2/0/4
     eth-trunk 0
    #
    return
    
  • Admin-VS (SwitchC) configuration file

    #
    sysname SwitchC
    #
    dfs-group 1
     priority 150
     source ip 10.2.1.1 vpn-instance VRF-B
    #
    vlan batch 11 20
    #
    stp bridge-address 200b-c739-1300 
    stp mode rstp
    stp v-stp enable
    stp instance 0 root primary
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0001
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-B
     ipv4-family
      route-distinguisher 101:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface Vlanif11
     ip address 10.4.1.1 255.255.255.0
     mac-address 0000-5e00-0102
    #
    interface Vlanif20
     ip address 10.5.1.1 255.255.255.0
     mac-address 0000-5e00-0103
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-B
     ip address 10.2.1.1 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk30
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 11
     stp root-protection
     mode lacp-static
     dfs-group 1 m-lag 1
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk40
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 20
     mode lacp-static
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk50
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 20
     mode lacp-static
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/1
     eth-trunk 30
    #
    interface 10GE1/0/2
     eth-trunk 30
    #
    interface 10GE1/0/3
     eth-trunk 0
    #
    interface 10GE1/0/5
     eth-trunk 40
    #
    interface 10GE1/0/6
     eth-trunk 50
    #
    interface 10GE1/0/9
     shutdown
    #
    interface 10GE2/0/3
     eth-trunk 0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.5.1.3
    #
    admin
     virtual-system vs1 
      port-mode group
      resource u4route upper-limit 60000
      resource m4route upper-limit 1000
      resource u6route upper-limit 16000
      resource m6route upper-limit 100
      resource vlan upper-limit 4063
      resource mpls enable
      resource trill enable
      resource mcast enable
      resource vpn-instance upper-limit 4096
      resource cpu weight 5
      resource memory ratio-threshold 100
      assign interface 10GE1/0/24
      assign interface 10GE1/0/25
      assign interface 10GE1/0/26
      assign interface 10GE1/0/27
      assign interface 10GE1/0/28
      assign interface 10GE1/0/29
      assign interface 10GE1/0/30
      assign interface 10GE1/0/31
      assign interface 10GE1/0/32
      assign interface 10GE1/0/33
      assign interface 10GE1/0/34
      assign interface 10GE1/0/35
      assign interface 10GE1/0/36
      assign interface 10GE1/0/37
      assign interface 10GE1/0/38
      assign interface 10GE1/0/39
      assign interface 10GE1/0/40
      assign interface 10GE1/0/41
      assign interface 10GE1/0/42
      assign interface 10GE1/0/43
      assign interface 10GE1/0/44
      assign interface 10GE1/0/45
      assign interface 10GE1/0/46
      assign interface 10GE1/0/47
      assign interface 10GE2/0/24
      assign interface 10GE2/0/25
      assign interface 10GE2/0/26
      assign interface 10GE2/0/27
      assign interface 10GE2/0/28
      assign interface 10GE2/0/29
      assign interface 10GE2/0/30
      assign interface 10GE2/0/31
      assign interface 10GE2/0/32
      assign interface 10GE2/0/33
      assign interface 10GE2/0/34
      assign interface 10GE2/0/35
      assign interface 10GE2/0/36
      assign interface 10GE2/0/37
      assign interface 10GE2/0/38
      assign interface 10GE2/0/39
      assign interface 10GE2/0/40
      assign interface 10GE2/0/41
      assign interface 10GE2/0/42
      assign interface 10GE2/0/43
      assign interface 10GE2/0/44
      assign interface 10GE2/0/45
      assign interface 10GE2/0/46
      assign interface 10GE2/0/47
    #
    return
    
  • SwitchC-VS1 configuration file

    #
    sysname vs1
    #
    dfs-group 1
     priority 150
     source ip 10.3.1.1  vpn-instance VRF-C
    #
    vlan batch 30 40
    #
    stp mode rstp
    stp v-stp enable
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0002
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-C
     ipv4-family
      route-distinguisher 102:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface Vlanif30
     ip address 10.6.1.1 255.255.255.0
     mac-address 0000-5e00-0104
    #
    interface Vlanif40
     ip address 10.7.2.1 255.255.255.0
     ospf cost 100
     ospf network-type p2p
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-C
     ip address 10.3.1.1 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk60
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 30
     mode lacp-static
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk70
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 30
     mode lacp-static
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/29
     undo portswitch
     ip address 10.7.1.1 255.255.255.0
     ospf cost 10
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/30
     undo portswitch
     ip address 10.8.1.1 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/31
     undo portswitch
     ip address 10.8.2.1 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/32
     eth-trunk 0
    #
    interface 10GE1/0/34
     eth-trunk 60
    #
    interface 10GE1/0/35
     eth-trunk 70
    #
    interface 10GE1/0/39
     shutdown
    #
    interface 10GE2/0/32
     eth-trunk 0
    #
    ip route-static 10.4.1.0 255.255.255.0 10.6.1.3
    #
    ospf 1
     import-route static
     area 0.0.0.0
      network 10.7.1.0 0.0.0.255
      network 10.7.2.0 0.0.0.255
      network 10.8.1.0 0.0.0.255
      network 10.8.2.0 0.0.0.255
    #
    return
    
  • Admin-VS (SwitchD) configuration file

    #
    sysname SwitchD
    #
    dfs-group 1
     priority 120
     source ip 10.2.1.2 vpn-instance VRF-B
    #
    vlan batch 11 20
    #
    stp bridge-address 200b-c739-1300 
    stp mode rstp
    stp v-stp enable
    stp instance 0 root primary
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0001
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-B
     ipv4-family
      route-distinguisher 101:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface Vlanif11
     ip address 10.4.1.2 255.255.255.0
     mac-address 0000-5e00-0102
    #
    interface Vlanif20
     ip address 10.5.1.2 255.255.255.0
     mac-address 0000-5e00-0103
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-B
     ip address 10.2.1.2 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk30
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 11
     stp root-protection
     mode lacp-static
     dfs-group 1 m-lag 1
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk40
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 20
     mode lacp-static
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk50
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 20
     mode lacp-static
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/1
     eth-trunk 30
    #
    interface 10GE1/0/2
     eth-trunk 30
    #
    interface 10GE1/0/3
     eth-trunk 0
    #
    interface 10GE1/0/5
     eth-trunk 40
    #
    interface 10GE1/0/6
     eth-trunk 50
    #
    interface 10GE1/0/9
     shutdown
    #
    interface 10GE2/0/3
     eth-trunk 0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.5.1.3
    #
    admin
     virtual-system vs1 
      port-mode group
      resource u4route upper-limit 60000
      resource m4route upper-limit 1000
      resource u6route upper-limit 16000
      resource m6route upper-limit 100
      resource vlan upper-limit 4063
      resource mpls enable
      resource trill enable
      resource mcast enable
      resource vpn-instance upper-limit 4096
      resource cpu weight 5
      resource memory ratio-threshold 100
      assign interface 10GE1/0/24
      assign interface 10GE1/0/25
      assign interface 10GE1/0/26
      assign interface 10GE1/0/27
      assign interface 10GE1/0/28
      assign interface 10GE1/0/29
      assign interface 10GE1/0/30
      assign interface 10GE1/0/31
      assign interface 10GE1/0/32
      assign interface 10GE1/0/33
      assign interface 10GE1/0/34
      assign interface 10GE1/0/35
      assign interface 10GE1/0/36
      assign interface 10GE1/0/37
      assign interface 10GE1/0/38
      assign interface 10GE1/0/39
      assign interface 10GE1/0/40
      assign interface 10GE1/0/41
      assign interface 10GE1/0/42
      assign interface 10GE1/0/43
      assign interface 10GE1/0/44
      assign interface 10GE1/0/45
      assign interface 10GE1/0/46
      assign interface 10GE1/0/47
      assign interface 10GE2/0/24
      assign interface 10GE2/0/25
      assign interface 10GE2/0/26
      assign interface 10GE2/0/27
      assign interface 10GE2/0/28
      assign interface 10GE2/0/29
      assign interface 10GE2/0/30
      assign interface 10GE2/0/31
      assign interface 10GE2/0/32
      assign interface 10GE2/0/33
      assign interface 10GE2/0/34
      assign interface 10GE2/0/35
      assign interface 10GE2/0/36
      assign interface 10GE2/0/37
      assign interface 10GE2/0/38
      assign interface 10GE2/0/39
      assign interface 10GE2/0/40
      assign interface 10GE2/0/41
      assign interface 10GE2/0/42
      assign interface 10GE2/0/43
      assign interface 10GE2/0/44
      assign interface 10GE2/0/45
      assign interface 10GE2/0/46
      assign interface 10GE2/0/47
    #
    return
    
  • SwitchD-VS1 configuration file

    #
    sysname vs1
    #
    dfs-group 1
     priority 120
     source ip 10.3.1.2 vpn-instance VRF-C
    #
    vlan batch 30 40
    #
    stp mode rstp
    stp v-stp enable
    stp flush disable
    #
    lacp m-lag system-id 00e0-fc00-0002
    lacp m-lag priority 10
    #
    ip vpn-instance VRF-C
     ipv4-family
      route-distinguisher 102:2
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface Vlanif30
     ip address 10.6.1.1 255.255.255.0
     mac-address 0000-5e00-0104
    #
    interface Vlanif40
     ip address 10.7.2.2 255.255.255.0
     ospf cost 100
     ospf network-type p2p
    #
    interface MEth0/0/0
     ip binding vpn-instance VRF-C
     ip address 10.3.1.2 255.255.255.0
    #
    interface Eth-Trunk0
     mode lacp-static
     peer-link 1
     port vlan exclude 1
    #
    interface Eth-Trunk60
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 30
     mode lacp-static
     dfs-group 1 m-lag 2
     storm suppression broadcast cir 10 mbps
    #
    interface Eth-Trunk70
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 30
     mode lacp-static
     dfs-group 1 m-lag 3
     storm suppression broadcast cir 10 mbps
    #
    interface 10GE1/0/29
     undo portswitch
     ip address 10.7.1.2 255.255.255.0
     ospf cost 10
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/30
     undo portswitch
     ip address 10.9.1.1 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/31
     undo portswitch
     ip address 10.9.2.1 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/32
     eth-trunk 0
    #
    interface 10GE1/0/34
     eth-trunk 60
    #
    interface 10GE1/0/35
     eth-trunk 70
    #
    interface 10GE1/0/39
     shutdown
    #
    interface 10GE2/0/32
     eth-trunk 0
    #
    ip route-static 10.4.1.0 255.255.255.0 10.6.1.3
    #
    ospf 1
     import-route static
     area 0.0.0.0
      network 10.7.1.0 0.0.0.255
      network 10.7.2.0 0.0.0.255
      network 10.9.1.0 0.0.0.255
      network 10.9.2.0 0.0.0.255
    #
    return
    
  • SwitchE configuration file

    #
    sysname SwitchE
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 10.8.1.2 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/2
     undo portswitch
     ip address 10.9.2.2 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/9
     shutdown
    #
    ospf 1
     area 0.0.0.0
      network 10.8.1.0 0.0.0.255
      network 10.9.2.0 0.0.0.255
    #
    return
    
  • SwitchF configuration file

    #
    sysname SwitchF
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 10.9.1.2 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/2
     undo portswitch
     ip address 10.8.2.2 255.255.255.0
     ospf network-type p2p
     ospf enable 1 area 0.0.0.0
    #
    interface 10GE1/0/9
     shutdown
    #
    ospf 1
     area 0.0.0.0
      network 10.8.2.0 0.0.0.255
      network 10.9.1.0 0.0.0.255
    #
    return
    
  • SeGW A configuration file

    #
    sysname SeGW A
    #
     hrp enable
     hrp interface GigabitEthernet 3/0/0 remote 10.10.0.2
    #
    interface Eth-Trunk1
     mode lacp-static
     trunkport GigabitEthernet 1/0/0 to 1/0/1
     ip address 10.5.1.3 24 float master
    #
    interface Eth-Trunk2
     mode lacp-static
     trunkport GigabitEthernet 2/0/0 to 2/0/1
     ip address 10.6.1.3 24 float master
    #
    interface GigabitEthernet3/0/0
     ip address 10.10.0.1 24
    #
    firewall zone trust
     set priority 85
     add interface eth-trunk 1
    #
    firewall zone dmz
     set priority 50
     add interface GigabitEthernet 3/0/0
    #
    firewall zone untrust
     set priority 5
     add interface eth-trunk 2
    #
     ip route-static 0.0.0.0 0 10.6.1.111
     ip route-static 10.4.1.0 24 10.5.1.111
    #
    return
    
  • SeGW B configuration file

    #
    sysname SeGW B
    #
     hrp enable
     hrp interface GigabitEthernet 3/0/0 remote 10.10.0.1
    #
    interface Eth-Trunk1
     mode lacp-static
     trunkport GigabitEthernet 1/0/0 to 1/0/1
     ip address 10.5.1.3 24 float slave
    #
    interface Eth-Trunk2
     mode lacp-static
     trunkport GigabitEthernet 2/0/0 to 2/0/1
     ip address 10.6.1.3 24 float slave
    #
    interface GigabitEthernet3/0/0
     ip address 10.10.0.2 24
    #
    firewall zone trust
     set priority 85
     add interface eth-trunk 1
    #
    firewall zone dmz
     set priority 50
     add interface GigabitEthernet 3/0/0
    #
    firewall zone untrust
     set priority 5
     add interface eth-trunk 2
    #
     ip route-static 0.0.0.0 0 10.6.1.111
     ip route-static 10.4.1.0 24 10.5.1.111
    #
    return
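
A pre-deployment consistency check for configuration files like the ones above, as an added example that is not part of the Huawei document. The function names (`stanzas`, `lint`, `pair_lint`) are hypothetical, and the rules are assumptions read off the patterns in these files: VRF references resolve within the same file, M-LAG member trunks remove VLAN 1, and the two peers share the LACP M-LAG system ID while using different DFS source IPs.

```python
import re, textwrap

# Constructed sample modelled on the VS1 files above (trimmed); MEth0/0/0 is
# bound to a VRF the file never defines, so lint() has something to report.
PEER_C = """\
#
dfs-group 1
 source ip 10.3.1.1 vpn-instance VRF-C
#
lacp m-lag system-id 00e0-fc00-0002
#
ip vpn-instance VRF-C
#
interface MEth0/0/0
 ip binding vpn-instance VRF-B
 ip address 10.3.1.1 255.255.255.0
#
interface Eth-Trunk60
 undo port trunk allow-pass vlan 1
 dfs-group 1 m-lag 2
#
"""
PEER_D = PEER_C.replace("10.3.1.1", "10.3.1.2")  # constructed M-LAG peer

def stanzas(cfg):
    """Split a '#'-delimited configuration file into stanzas (lists of lines)."""
    parts = re.split(r"(?m)^[ \t]*#[ \t]*$", textwrap.dedent(cfg))
    return [p.strip("\n").splitlines() for p in parts if p.strip()]

def lint(cfg):
    """Per-device checks: VRF references resolve; M-LAG trunks remove VLAN 1."""
    out, blocks = [], stanzas(cfg)
    defined = {b[0].split()[-1] for b in blocks if b[0].startswith("ip vpn-instance ")}
    for b in blocks:
        for line in b:
            m = re.search(r"vpn-instance (\S+)", line)
            if m and not line.startswith("ip vpn-instance ") and m.group(1) not in defined:
                out.append(f"{b[0]}: undefined vpn-instance {m.group(1)}")
        if any(re.match(r"\s*dfs-group \d+ m-lag \d+", l) for l in b[1:]):
            if not any(l.strip() == "undo port trunk allow-pass vlan 1" for l in b):
                out.append(f"{b[0]}: VLAN 1 not removed from M-LAG trunk")
    return out

def pair_lint(cfg_a, cfg_b):
    """Cross-peer checks: same LACP M-LAG system ID, distinct DFS source IPs."""
    get = lambda cfg, key: (re.search(rf"^[ \t]*{key} (\S+)", cfg, re.M) or [None, None])[1]
    same_id = get(cfg_a, "lacp m-lag system-id") == get(cfg_b, "lacp m-lag system-id")
    same_src = get(cfg_a, "source ip") == get(cfg_b, "source ip")
    return (["lacp m-lag system-id differs between peers"] if not same_id else []) + \
           (["dfs-group source ip is identical on both peers"] if same_src else [])
```

Run `lint()` on each exported file and `pair_lint()` on each M-LAG pair (for example the two VS1 files) before loading them onto the devices.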
Updated: 2019-04-03

Document ID: EDOC1000039339
