Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring a Stack-based 2-Layer Data Center Network

Applicable Products and Versions

This example applies to all CE series switches running V100R001C00 or later. The CE12800E does not support the stack function after FD-X series cards are installed.

Networking Requirements

The data center network shown in Figure 1-4 consists of an access layer and a core layer. To simplify the network and improve reliability, the two CE12800 switches at the core layer form a CSS, and the CE6800 switches at the access layer form iStacks. The access-layer and core-layer devices are connected by inter-chassis Eth-Trunks, so that the redundant links act as one logical link and create no loops. The Eth-Trunks preferentially forward local traffic, which reduces the load on the inter-chassis stack links. VRF instances are created at the core layer to separate the service network routes from the public network routes, so that traffic between the service segment and the public network can only pass through the firewalls. Two firewalls are attached to the CE12800 switches in bypass mode and work in hot standby mode to improve reliability.

Figure 1-4 Diagram of a stack-based 2-Layer data center network
Table 1-3 Data Preparation

Device | Interface (member ports) | IP Address | Interconnected Device and Interface
Router | Eth-Trunk1: XGigabitEthernet1/0/1, XGigabitEthernet1/0/2 | 10.10.10.2/24 | CSS: Eth-Trunk1
CSS | Stack-Port1/1: 10GE1/1/0/1 to 10GE1/1/0/4, 10GE1/2/0/1 to 10GE1/2/0/4 | - | CSS: Stack-Port2/1
CSS | Stack-Port2/1: 10GE2/1/0/1 to 10GE2/1/0/4, 10GE2/2/0/1 to 10GE2/2/0/4 | - | CSS: Stack-Port1/1
CSS | 10GE1/1/0/10 | - | CSS: 10GE2/1/0/10
CSS | 10GE1/2/0/10 | - | CSS: 10GE2/2/0/10
CSS | Eth-Trunk1: 10GE1/1/0/11, 10GE2/1/0/11 | VLANIF 1001: 10.10.10.1/24 | Router: Eth-Trunk1
CSS | Eth-Trunk2: 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, 10GE2/2/0/5 | VLANIF 100: 10.10.1.1/24 | iStack-1: Eth-Trunk2
CSS | Eth-Trunk3: 10GE1/1/0/6, 10GE1/2/0/6, 10GE2/1/0/6, 10GE2/2/0/6 | VLANIF 100: 10.10.1.1/24 | iStack-2: Eth-Trunk3
CSS | Eth-Trunk4: 10GE1/1/0/7, 10GE2/1/0/7 | VLANIF 200: 10.10.2.1/24 | FW-1: Eth-Trunk4
CSS | Eth-Trunk6: 10GE1/2/0/7, 10GE2/2/0/7 | VLANIF 200: 10.10.2.1/24 | FW-2: Eth-Trunk4
CSS | Eth-Trunk5: 10GE1/1/0/8, 10GE2/1/0/8 | VLANIF 300: 10.10.3.1/24 | FW-1: Eth-Trunk5
CSS | Eth-Trunk7: 10GE1/2/0/8, 10GE2/2/0/8 | VLANIF 300: 10.10.3.1/24 | FW-2: Eth-Trunk5
iStack-1 | Stack-Port1/1: 10GE1/0/1 to 10GE1/0/4 | - | iStack-1: Stack-Port2/1
iStack-1 | Stack-Port2/1: 10GE2/0/1 to 10GE2/0/4 | - | iStack-1: Stack-Port1/1
iStack-1 | 10GE1/0/9 | - | iStack-1: 10GE2/0/9
iStack-1 | 10GE1/0/10 | - | iStack-1: 10GE2/0/10
iStack-1 | Eth-Trunk2: 10GE1/0/5 to 10GE1/0/6, 10GE2/0/5 to 10GE2/0/6 | - | CSS: Eth-Trunk2
iStack-2 | Stack-Port1/1: 10GE1/0/1 to 10GE1/0/4 | - | iStack-2: Stack-Port2/1
iStack-2 | Stack-Port2/1: 10GE2/0/1 to 10GE2/0/4 | - | iStack-2: Stack-Port1/1
iStack-2 | 10GE1/0/9 | - | iStack-2: 10GE2/0/9
iStack-2 | 10GE1/0/10 | - | iStack-2: 10GE2/0/10
iStack-2 | Eth-Trunk3: 10GE1/0/5 to 10GE1/0/6, 10GE2/0/5 to 10GE2/0/6 | - | CSS: Eth-Trunk3
FW-1 | Eth-Trunk1: GigabitEthernet2/0/0, GigabitEthernet2/0/1 | 10.1.1.1/24 | FW-2: Eth-Trunk1
FW-1 | Eth-Trunk4: GigabitEthernet1/0/0, GigabitEthernet1/0/1 | 10.10.2.2/24 | CSS: Eth-Trunk4
FW-1 | Eth-Trunk5: GigabitEthernet1/1/0, GigabitEthernet1/1/1 | 10.10.3.2/24 | CSS: Eth-Trunk5
FW-2 | Eth-Trunk1: GigabitEthernet2/0/0, GigabitEthernet2/0/1 | 10.1.1.2/24 | FW-1: Eth-Trunk1
FW-2 | Eth-Trunk4: GigabitEthernet1/0/0, GigabitEthernet1/0/1 | 10.10.2.3/24 | CSS: Eth-Trunk6
FW-2 | Eth-Trunk5: GigabitEthernet1/1/0, GigabitEthernet1/1/1 | 10.10.3.3/24 | CSS: Eth-Trunk7

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure CSS at the core layer and iStack at the access layer to implement device backup.
  2. Configure Eth-Trunks between core layer, upstream devices, downstream devices, and firewalls to form a reliable, loop-free network.
  3. Configure the routes between the CSS, firewalls, and router to implement Layer 3 connectivity. Run OSPF between the CSS and the router and configure static routes between the CSS and the firewalls. Create VRF-A on the CSS and bind the service-side interface (VLANIF100) and the firewall downstream interface (VLANIF200) to it, so that the service network routes are separated from the public network routes. The default route of VRF-A points to the firewalls.
  4. Configure the hot standby, security policy, attack defense, and intrusion protection functions on firewalls.

Procedure

  1. Configure the CSS function on core switches CE12800-1 and CE12800-2.

    1. Connect stack cables between CE12800-1 and CE12800-2 according to Figure 1-5.
      Figure 1-5 Physical connections of CSS
    2. Configure stack attributes for CE12800-1 and CE12800-2. (Set a higher priority for CE12800-1, so CE12800-1 will become the master switch.)

      # Set the stack ID of CE12800-1 to 1, priority to 150, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-1
      [*HUAWEI] commit
      [~CE12800-1] stack
      [~CE12800-1-stack] stack member 1         //Configure the stack member ID. The default value is 1.
      [*CE12800-1-stack] stack priority 150     //Configure the stack priority. The default value is 100.
      [*CE12800-1-stack] stack domain 10        //Configure the domain ID.
      [*CE12800-1-stack] stack link-type mainboard-direct     //Configure the connection mode. The default mode is mainboard-direct.
      [*CE12800-1-stack] quit
      [*CE12800-1] commit
      

      # Set the stack ID of CE12800-2 to 2, priority to 100, domain ID to 10, and connection mode to MPU connection.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE12800-2
      [*HUAWEI] commit
      [~CE12800-2] stack
      [~CE12800-2-stack] stack member 2
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE12800-2-stack] stack priority 100
      [*CE12800-2-stack] stack domain 10
      [*CE12800-2-stack] stack link-type mainboard-direct
      [*CE12800-2-stack] quit
      [*CE12800-2] commit
      
    3. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-1, add 10GE1/0/1-10GE1/0/4 and 10GE2/0/1-10GE2/0/4 to the stack port.

      [~CE12800-1] port-group group1       //Create a port group.
      [*CE12800-1-port-group-group1] group-member 10ge 1/0/1 to 10ge 1/0/4       //Add ports to a port group.
      [*CE12800-1-port-group-group1] group-member 10ge 2/0/1 to 10ge 2/0/4
      [*CE12800-1-port-group-group1] shutdown       //Shut down the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] interface stack-port 1
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 1/0/1 to 1/0/4       //Add physical ports to the stack port.
      [*CE12800-1-Stack-Port1] port member-group interface 10ge 2/0/1 to 2/0/4
      [*CE12800-1-Stack-Port1] quit
      [*CE12800-1] commit
      [~CE12800-1] port-group group1
      [~CE12800-1-port-group-group1] undo shutdown       //Enable the port.
      [*CE12800-1-port-group-group1] quit
      [*CE12800-1] commit
      [~CE12800-1] return
      

      # The configuration procedure on CE12800-2 is the same as the configuration procedure on CE12800-1, and is not mentioned here.

    4. Enable the stack function.

      # Enable the stack function on CE12800-1 and restart the device.

      <CE12800-1> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-1> system-view
      [~CE12800-1] stack
      [~CE12800-1-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      

      # Enable the stack function on CE12800-2 and restart the device.

      <CE12800-2> save
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y
      <CE12800-2> system-view
      [~CE12800-2] stack
      [~CE12800-2-stack] stack enable
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
      Current configuration will be converted to the next startup saved-configuration file of stack mode.
      System will reboot. Continue? [Y/N]: y
      
    5. Rename the stack system to CSS.

      <CE12800-1> system-view
      [~CE12800-1] sysname CSS
      [*CE12800-1] commit
      

  2. Configure the iStack function on the access layer switches. The configurations on CE6800-1 and CE6800-2 are used as an example here. The configurations on other switches are similar.

    1. Configure the stack attributes for CE6800-1 and CE6800-2. (Set a higher priority for CE6800-1, so CE6800-1 will become the master switch.)

      # On CE6800-1, set the stack ID to 1, priority to 150, and domain ID to 20. (By default, the stack member ID of a switch is 1. In this example, CE6800-1 retains the default stack member ID 1, and you do not configure this parameter.)

      <HUAWEI> system-view
      [~HUAWEI] sysname CE6800-1
      [*HUAWEI] commit
      [~CE6800-1] stack
      [~CE6800-1-stack] stack member 1 priority 150
      [*CE6800-1-stack] stack member 1 domain 20
      [*CE6800-1-stack] quit
      [*CE6800-1] commit
      

      # On CE6800-2, set the stack ID to 2 and domain ID to 20.

      <HUAWEI> system-view
      [~HUAWEI] sysname CE6800-2
      [*HUAWEI] commit
      [~CE6800-2] stack
      [~CE6800-2-stack] stack member 1 renumber 2 inherit-config
      Warning: The stack configuration of member ID 1 will be inherited to member ID 2 after the device resets. Continue? [Y/N]: y
      [*CE6800-2-stack] stack member 1 priority 100
      [*CE6800-2-stack] stack member 1 domain 20
      [*CE6800-2-stack] quit
      [*CE6800-2] commit
      
    2. Configure stack ports. Two switches are connected by four 10GE optical ports.

      # On CE6800-1, add 10GE1/0/1-10GE1/0/4 to stack port 1/1.

      [~CE6800-1] interface stack-port 1/1
      [*CE6800-1-Stack-Port1/1] port member-group interface 10ge 1/0/1 to 1/0/4
      Warning: The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode. [Y/N]: y
      [*CE6800-1-Stack-Port1/1] quit
      [*CE6800-1] commit
      

      # The configuration procedure on CE6800-2 is the same as that on CE6800-1, and is not mentioned here.

    3. Save the configurations of CE6800-1 and CE6800-2, power off the two switches, connect stack cables, and power on the switches.

    4. Rename the stack system to iStack-1. CE6800-1 functions as the master switch in this example.

      <CE6800-1> system-view
      [~CE6800-1] sysname iStack-1
      [*CE6800-1] commit
      
    5. Configure the stack consisting of CE6800-3 and CE6800-4 in the same way (the configuration file at the end of this example uses stack domain ID 30 for this stack). Rename the stack system to iStack-2. CE6800-3 functions as the master switch in this example.

  3. Configure dual-active detection (DAD) in direct mode in the CSS and in each iStack. If all stack links between two members fail, both members would otherwise become master with the same configuration and the same IP addresses; DAD over the directly connected detection links lets the members recognize this split and shut down the service ports on one side until the stack links recover. The following uses the configuration of DAD in direct mode in the CSS as an example.

    # Configure DAD in direct mode on the directly connected interfaces between the two chassis in the CSS.

    [~CSS] interface 10ge 1/1/0/10
    [~CSS-10GE1/1/0/10] dual-active detect mode direct          //10GE1/1/0/10 is directly connected to 10GE2/1/0/10.
    Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
    [*CSS-10GE1/1/0/10] quit
    [*CSS] interface 10ge 2/1/0/10
    [*CSS-10GE2/1/0/10] dual-active detect mode direct
    Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
    [*CSS-10GE2/1/0/10] quit
    [*CSS] interface 10ge 1/2/0/10
    [*CSS-10GE1/2/0/10] dual-active detect mode direct          //10GE1/2/0/10 is directly connected to 10GE2/2/0/10.
    Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
    [*CSS-10GE1/2/0/10] quit
    [*CSS] interface 10ge 2/2/0/10
    [*CSS-10GE2/2/0/10] dual-active detect mode direct
    Warning: The interface will block common data packets, except BPDU packets. Continue? [Y/N]: y
    [*CSS-10GE2/2/0/10] quit
    [*CSS] commit
    

    # Configure DAD in direct mode in the iStacks in the same way, on the directly connected ports listed in Table 1-3 (10GE1/0/9 to 10GE2/0/9 and 10GE1/0/10 to 10GE2/0/10 in each iStack). The configuration is not shown here.

  4. Connect the core layer, upstream device, downstream device, and firewalls through inter-chassis Eth-Trunks. The connection between CSS and iStack-1 is used as an example.

    # Create Eth-Trunk2 on the CSS, and add 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, and 10GE2/2/0/5 to Eth-Trunk2.

    [~CSS] interface eth-trunk 2
    [*CSS-Eth-Trunk2] description To_iStack-1
    [*CSS-Eth-Trunk2] trunkport 10ge 1/1/0/5 1/2/0/5 2/1/0/5 2/2/0/5
    [*CSS-Eth-Trunk2] quit
    [*CSS] commit
    

    # Create Eth-Trunk2 on iStack-1, and add 10GE1/0/5, 10GE1/0/6, 10GE2/0/5, and 10GE2/0/6 to Eth-Trunk2.

    [~iStack-1] interface eth-trunk 2
    [*iStack-1-Eth-Trunk2] description To_CSS
    [*iStack-1-Eth-Trunk2] trunkport 10ge 1/0/5 to 1/0/6
    [*iStack-1-Eth-Trunk2] trunkport 10ge 2/0/5 to 2/0/6
    [*iStack-1-Eth-Trunk2] quit
    [*iStack-1] commit
    

    # Configure the other Eth-Trunks listed in Table 1-3 in the same way. The details are not shown here.

  5. Create VLAN100 on the CSS and add the interface connected to the iStack to VLAN100 to implement Layer 2 connection.

    # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-1.

    [~CSS] vlan batch 100       //Create VLAN100 (it appears in the configuration file at the end of this example).
    [*CSS] interface eth-trunk 2
    [*CSS-Eth-Trunk2] port link-type trunk
    [*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1       //Do not carry the default VLAN on the trunk.
    [*CSS-Eth-Trunk2] port trunk allow-pass vlan 100
    [*CSS-Eth-Trunk2] quit
    [*CSS] commit
    

    # On iStack-1, allow VLAN100 on the Eth-Trunk interface connected to the CSS.

    [~iStack-1] vlan batch 100
    [*iStack-1] interface eth-trunk 2
    [*iStack-1-Eth-Trunk2] port link-type trunk
    [*iStack-1-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [*iStack-1-Eth-Trunk2] port trunk allow-pass vlan 100
    [*iStack-1-Eth-Trunk2] quit
    [*iStack-1] commit
    

    # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-2. The configuration is the same as the configuration in the preceding step.

  6. Assign an IP address to each interface.

    # Configure the IP addresses for the Layer 3 interfaces connecting CSS to firewalls and router. The IP address configuration of VLANIF200 is used as an example.

    [~CSS] vlan batch 200
    [*CSS] interface Vlanif 200
    [*CSS-Vlanif200] ip address 10.10.2.1 24
    [*CSS-Vlanif200] quit
    [*CSS] interface eth-trunk 4
    [*CSS-Eth-Trunk4] port link-type trunk
    [*CSS-Eth-Trunk4] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk4] port trunk allow-pass vlan 200
    [*CSS-Eth-Trunk4] port trunk pvid vlan 200
    [*CSS-Eth-Trunk4] quit
    [*CSS] interface eth-trunk 6
    [*CSS-Eth-Trunk6] port link-type trunk
    [*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
    [*CSS-Eth-Trunk6] port trunk allow-pass vlan 200
    [*CSS-Eth-Trunk6] port trunk pvid vlan 200
    [*CSS-Eth-Trunk6] quit
    [*CSS] commit
    

    # Configure IP addresses for other Layer 3 interfaces connected to firewalls and router in Table 1-3 according to the preceding method.

  7. Configure the routes between the CSS, firewalls, and router to implement Layer 3 connectivity. Run OSPF between the CSS and the router and configure static routes between the CSS and the firewalls. Create VRF-A on the CSS and bind the service-side interface (VLANIF100) and the firewall downstream interface (VLANIF200) to it, while VLANIF300 (firewall upstream) and VLANIF1001 (router) stay in the public routing table. Because the two routing tables share no routes, the CSS cannot forward directly between the service segment and the router: the only path is the default route of VRF-A to the firewalls' downstream VRRP virtual IP address in one direction and the public static route to their upstream VRRP virtual IP address in the other, so every packet between the servers and the outside passes through the active firewall.

    # Create VRF-A on the CSS, bind VLANIF100 and VLANIF200 to VRF-A, and set the destination address of the default route to the virtual IP address of firewalls.

    NOTE:

    When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.

    [~CSS] ip vpn-instance VRF-A     //Create VRF-A.
    [*CSS-vpn-instance-VRF-A] ipv4-family
    [*CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
    [*CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
    [*CSS-vpn-instance-VRF-A-af-ipv4] quit
    [*CSS-vpn-instance-VRF-A] quit
    [*CSS] interface Vlanif 100
    [*CSS-Vlanif100] ip binding vpn-instance VRF-A     //Bind VLANIF100 to VRF-A.
    [*CSS-Vlanif100] ip address 10.10.1.1 24
    [*CSS-Vlanif100] quit
    [*CSS] interface Vlanif 200
    [*CSS-Vlanif200] ip binding vpn-instance VRF-A     //Bind VLANIF200 to VRF-A.
    [*CSS-Vlanif200] ip address 10.10.2.1 24
    [*CSS-Vlanif200] quit
    [*CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5    //Add a default route destined for the downstream VRRP virtual IP address of firewalls to VRF-A.
    [*CSS] commit
    

    # Configure a static route from the CSS to service network segment with the firewalls as the next hop. Run OSPF between CSS and router, and import the static route to OSPF.

    [~CSS] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5     //Configure a static route destined for the service network segment. The next hop is the upstream VRRP virtual IP address of firewalls.
    [*CSS] ospf 100       //Run OSPF between CSS and router.
    [*CSS-ospf-100] area 0
    [*CSS-ospf-100-area-0.0.0.0] network 10.10.10.0 0.0.0.255
    [*CSS-ospf-100-area-0.0.0.0] quit
    [*CSS-ospf-100] import-route static      //Import the static route.
    [*CSS-ospf-100] quit
    [*CSS] commit
    

    # Run OSPF on the egress router (see the router configuration file at the end of this example). The configuration procedure is not shown here.

  8. Configure the firewalls.

    In this example, the firewalls are Huawei USG firewalls.

    # Perform the basic configurations on FW-1, including device name, interface, and security zone.

    <USG> system-view
    [USG] sysname FW-1
    [FW-1] interface Eth-Trunk 4
    [FW-1-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
    [FW-1-Eth-Trunk4] ip address 10.10.2.2 24
    [FW-1-Eth-Trunk4] quit
    [FW-1] interface Eth-Trunk 5
    [FW-1-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
    [FW-1-Eth-Trunk5] ip address 10.10.3.2 24
    [FW-1-Eth-Trunk5] quit
    [FW-1] interface Eth-Trunk 1
    [FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
    [FW-1-Eth-Trunk1] ip address 10.1.1.1 24
    [FW-1-Eth-Trunk1] quit
    [FW-1] firewall zone trust
    [FW-1-zone-trust] add interface Eth-Trunk 4
    [FW-1-zone-trust] quit
    [FW-1] firewall zone untrust
    [FW-1-zone-untrust] add interface Eth-Trunk 5
    [FW-1-zone-untrust] quit
    [FW-1] firewall zone dmz
    [FW-1-zone-dmz] add interface Eth-Trunk 1
    [FW-1-zone-dmz] quit

    # Perform the basic configurations on FW-2, including device name, interface, and security zone.

    <USG> system-view
    [USG] sysname FW-2
    [FW-2] interface Eth-Trunk 4
    [FW-2-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
    [FW-2-Eth-Trunk4] ip address 10.10.2.3 24
    [FW-2-Eth-Trunk4] quit
    [FW-2] interface Eth-Trunk 5
    [FW-2-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
    [FW-2-Eth-Trunk5] ip address 10.10.3.3 24
    [FW-2-Eth-Trunk5] quit
    [FW-2] interface Eth-Trunk 1
    [FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
    [FW-2-Eth-Trunk1] ip address 10.1.1.2 24
    [FW-2-Eth-Trunk1] quit
    [FW-2] firewall zone trust
    [FW-2-zone-trust] add interface Eth-Trunk 4
    [FW-2-zone-trust] quit
    [FW-2] firewall zone untrust
    [FW-2-zone-untrust] add interface Eth-Trunk 5
    [FW-2-zone-untrust] quit
    [FW-2] firewall zone dmz
    [FW-2-zone-dmz] add interface Eth-Trunk 1
    [FW-2-zone-dmz] quit

    # Configure the static route on FW-1.

    [FW-1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      //Configure a route from the internal network to the external network. The next hop is the IP address of VLANIF300 connected to the upstream interface of the firewall.
    [FW-1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      //Configure a route from the external network to the internal network. The destination address is the network segment where the internal server resides, and the next hop is the IP address of VLANIF200 connected to the downstream interface of the firewall.

    # Configure the static route on FW-2.

    [FW-2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      
    [FW-2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      
    

    # Configure hot standby on FW-1.

    [FW-1] interface Eth-Trunk 4
    [FW-1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master     //Configure the downstream VRRP virtual IP address.
    [FW-1-Eth-Trunk4] quit
    [FW-1] interface Eth-Trunk 5
    [FW-1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master     //Configure the upstream VRRP virtual IP address.
    [FW-1-Eth-Trunk5] quit
    [FW-1] hrp interface Eth-Trunk 1 remote 10.1.1.2     //Use the direct link to FW-2 as the HRP heartbeat and state-synchronization channel.
    [FW-1] firewall packet-filter default permit interzone local dmz     //Permit traffic between the local zone and the dmz zone, where the heartbeat interface resides, so that HRP packets are not blocked.
    [FW-1] hrp enable

    # Configure hot standby on FW-2.

    [FW-2] interface Eth-Trunk 4
    [FW-2-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
    [FW-2-Eth-Trunk4] quit
    [FW-2] interface Eth-Trunk 5
    [FW-2-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
    [FW-2-Eth-Trunk5] quit
    [FW-2] hrp interface Eth-Trunk 1 remote 10.1.1.1
    [FW-2] firewall packet-filter default permit interzone local dmz
    [FW-2] hrp enable
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active firewall FW-1.

    # Configure the security policy and intrusion protection.

    NOTE:

    Before configuring intrusion protection, ensure that the intrusion signature library is the latest version.

    This example uses the predefined IPS profile named default.

    HRP_M[FW-1] policy interzone trust untrust outbound
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24     //The source address is the network segment where the internal server resides.
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default       //The default file is used.
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
    HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
    HRP_M[FW-1] policy interzone trust untrust inbound
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24     //The destination address is the network segment where the internal server resides.
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http     //The FTP and HTTP protocols are used as an example here. If other applications are running on your network, specify them.
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
    HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
    HRP_M[FW-1] ips enable

    # Configure attack defense.

    NOTE:
    The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.
    HRP_M[FW-1] firewall defend syn-flood enable
    HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
    HRP_M[FW-1] firewall defend udp-flood enable
    HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
    HRP_M[FW-1] firewall defend icmp-flood enable
    HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
    HRP_M[FW-1] firewall blacklist enable
    HRP_M[FW-1] firewall defend ip-sweep enable
    HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
    HRP_M[FW-1] firewall defend port-scan enable
    HRP_M[FW-1] firewall defend port-scan max-rate 4000
    HRP_M[FW-1] firewall defend ip-fragment enable
    HRP_M[FW-1] firewall defend ip-spoofing enable

    # Configure ASPF.

    HRP_M[FW-1] firewall interzone trust untrust
    HRP_M[FW-1-interzone-trust-untrust] detect ftp        //The FTP protocol is used as an example here. If other applications are running on your network, enable the ASPF function for them.
    HRP_M[FW-1-interzone-trust-untrust] quit
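As an added example (not USG code and not part of the original page), the following Python model evaluates flows against the interzone policy just configured on FW-1. It transcribes the two policy interzone trust untrust rule sets and the local/dmz packet-filter default, uses the USG default zone priorities (local 100, trust 85, dmz 50, untrust 5) to derive the outbound/inbound direction from the zone pair, and assumes that the ftp and http service sets mean TCP/21 and TCP/80. The client and server addresses in the sample flows are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# USG default security-zone priorities. An interzone policy is "outbound"
# when traffic goes from the higher-priority zone to the lower-priority one.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Interface-to-zone mapping from the 'firewall zone' blocks on FW-1.
INTERFACE_ZONE = {"Eth-Trunk4": "trust", "Eth-Trunk5": "untrust", "Eth-Trunk1": "dmz"}

# Predefined service sets referenced by the policy (assumed: standard ports).
SERVICE_SET = {"ftp": ("tcp", 21), "http": ("tcp", 80)}


@dataclass(frozen=True)
class Rule:
    zones: frozenset                                # interzone pair, e.g. {"trust", "untrust"}
    direction: str                                  # "outbound" or "inbound"
    action: str                                     # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None     # None = any source
    dst: Optional[ipaddress.IPv4Network] = None     # None = any destination
    services: tuple = ()                            # () = any service
    ips_profile: Optional[str] = None               # IPS profile applied on permit


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Transcription of 'policy interzone trust untrust outbound/inbound' on FW-1.
FW1_POLICY = [
    Rule(frozenset({"trust", "untrust"}), "outbound", "permit",
         src=net("10.10.1.0/24"), ips_profile="default"),
    Rule(frozenset({"trust", "untrust"}), "inbound", "permit",
         dst=net("10.10.1.0/24"), services=("ftp", "http"), ips_profile="default"),
]
# 'firewall packet-filter default permit interzone local dmz' (HRP heartbeat path).
FW1_DEFAULT_PERMIT = {frozenset({"local", "dmz"})}


def direction(src_zone: str, dst_zone: str) -> str:
    """Outbound = from the higher-priority zone towards the lower-priority zone."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def evaluate(policy, default_permit, src_zone, dst_zone, src_ip, dst_ip, proto, dport):
    """First matching rule wins. With no match the interzone default applies,
    which is deny unless 'packet-filter default permit' was set for the pair.
    Intrazone traffic is not modelled. Returns (action, ips_profile)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    pair, dir_ = frozenset({src_zone, dst_zone}), direction(src_zone, dst_zone)
    for rule in policy:
        if rule.zones != pair or rule.direction != dir_:
            continue
        if rule.src is not None and src_ip not in rule.src:
            continue
        if rule.dst is not None and dst_ip not in rule.dst:
            continue
        if rule.services and (proto, dport) not in {SERVICE_SET[s] for s in rule.services}:
            continue
        return rule.action, rule.ips_profile
    return ("permit" if pair in default_permit else "deny"), None


def evaluate_on_interfaces(in_if, out_if, src_ip, dst_ip, proto, dport):
    """Same check, with the zones derived from the ingress and egress interfaces."""
    return evaluate(FW1_POLICY, FW1_DEFAULT_PERMIT, INTERFACE_ZONE[in_if],
                    INTERFACE_ZONE[out_if], src_ip, dst_ip, proto, dport)


if __name__ == "__main__":
    # Constructed sample flows: an Internet client (203.0.113.7) and a server (10.10.1.20).
    print(evaluate_on_interfaces("Eth-Trunk5", "Eth-Trunk4", "203.0.113.7", "10.10.1.20", "tcp", 80))
    print(evaluate_on_interfaces("Eth-Trunk5", "Eth-Trunk4", "203.0.113.7", "10.10.1.20", "tcp", 22))
    print(evaluate_on_interfaces("Eth-Trunk4", "Eth-Trunk5", "10.10.1.20", "203.0.113.7", "tcp", 443))
```

Running it shows the intent of the policy: an Internet client reaching the server segment on TCP/80 is permitted with the default IPS profile, the same client on TCP/22 falls through to the interzone default and is denied, and only hosts in 10.10.1.0/24 may initiate sessions towards the untrust zone. When you add applications beyond FTP and HTTP, extend the inbound rule's service list rather than loosening the destination.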
    

Verifying the Configuration

After the configurations are complete, check whether the servers and the router can ping each other. In this example, a server pings the router. The echo request leaves VRF-A through the firewalls' downstream VRRP address, is permitted by the trust-to-untrust outbound policy (which restricts the source to 10.10.1.0/24 but not the service), and reaches the router through the public routing table; the reply takes the same path in the opposite direction.

PC> ping 10.10.10.2

Ping 10.10.10.2: 32 data bytes, Press Ctrl_C to break
From 10.10.10.2: bytes=32 seq=1 ttl=251 time=63 ms
From 10.10.10.2: bytes=32 seq=2 ttl=251 time=94 ms
From 10.10.10.2: bytes=32 seq=3 ttl=251 time=63 ms
From 10.10.10.2: bytes=32 seq=4 ttl=251 time=62 ms
From 10.10.10.2: bytes=32 seq=5 ttl=251 time=47 ms

--- 10.10.10.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/65/94 ms
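The ping above proves reachability, not that the firewall was on the path. The following added example (not part of the original page) transcribes the routing tables from steps 6 to 8 into a small longest-prefix-match model, traces a packet from the server segment to the router and back, and checks that FW-1 appears in both directions. It also rebuilds the topology with VLANIF100 and VLANIF200 left in the public routing table, a hypothetical misconfiguration the page does not show, to demonstrate how the CSS would then route around the firewall. Assumptions: FW-1 is the active unit and answers for both VRRP virtual addresses, the server address 10.10.1.10 is constructed, and Huawei VRP default route preferences (direct 0, OSPF 10, static 60) decide between equal-length prefixes.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Huawei VRP default route preferences; lower wins among equal-length prefixes.
PREF_DIRECT, PREF_OSPF, PREF_STATIC = 0, 10, 60


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None = directly connected
    preference: int


@dataclass
class Node:
    """One routing instance: a routing table on the CSS, the active firewall, or the router."""
    name: str
    addresses: set = field(default_factory=set)   # interface and VRRP addresses this node answers for
    routes: list = field(default_factory=list)

    def add(self, prefix, next_hop=None, preference=PREF_DIRECT):
        self.routes.append(Route(ipaddress.ip_network(prefix),
                                 ipaddress.ip_address(next_hop) if next_hop else None,
                                 preference))
        return self

    def lookup(self, dst):
        """Longest-prefix match; ties are broken by route preference."""
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))


@dataclass
class Topology:
    nodes: dict           # name -> Node
    owner: dict           # address -> Node that answers for it
    server_gateway: str   # node holding the servers' gateway 10.10.1.1


def build_topology(vrf_separation=True):
    ip = ipaddress.ip_address
    css_pub = Node("CSS:public", {ip("10.10.3.1"), ip("10.10.10.1")})
    css_pub.add("10.10.3.0/24").add("10.10.10.0/24")
    css_pub.add("10.10.1.0/24", "10.10.3.5", PREF_STATIC)   # service segment via FW upstream VIP
    css_vrf = Node("CSS:VRF-A", {ip("10.10.1.1"), ip("10.10.2.1")})
    css_vrf.add("10.10.1.0/24").add("10.10.2.0/24")
    css_vrf.add("0.0.0.0/0", "10.10.2.5", PREF_STATIC)      # default via FW downstream VIP
    if not vrf_separation:
        # Hypothetical misconfiguration: VLANIF100/200 left in the public instance,
        # so the connected route to 10.10.1.0/24 beats the static route via the firewall.
        css_pub.addresses |= css_vrf.addresses
        css_pub.routes += css_vrf.routes
        css_vrf = css_pub
    fw = Node("FW-1", {ip("10.10.2.2"), ip("10.10.3.2"), ip("10.10.2.5"), ip("10.10.3.5")})
    fw.add("10.10.2.0/24").add("10.10.3.0/24")
    fw.add("0.0.0.0/0", "10.10.3.1", PREF_STATIC)
    fw.add("10.10.1.0/24", "10.10.2.1", PREF_STATIC)
    router = Node("Router", {ip("10.10.10.2")})
    router.add("10.10.10.0/24")
    router.add("10.10.1.0/24", "10.10.10.1", PREF_OSPF)     # CSS imports its static route into OSPF
    nodes = {n.name: n for n in (css_pub, css_vrf, fw, router)}
    owner = {addr: n for n in nodes.values() for addr in n.addresses}
    return Topology(nodes, owner, css_vrf.name)


def trace(topo, start, dst, max_hops=8):
    """Follow the route lookups hop by hop, starting in routing instance `start`."""
    dst = ipaddress.ip_address(dst)
    node, path = topo.nodes[start], [start]
    for _ in range(max_hops):
        route = node.lookup(dst)
        if route is None:
            return path + ["unroutable"]
        if route.next_hop is None:                 # connected: deliver on that subnet
            target = topo.owner.get(dst)
            return path + [target.name if target else f"attached:{route.prefix}"]
        node = topo.owner.get(route.next_hop)      # the box that answers for the next hop
        if node is None:
            return path + [f"next-hop {route.next_hop} unreachable"]
        path.append(node.name)
    return path + ["loop"]


def firewall_inspects(topo, server="10.10.1.10", external="10.10.10.2"):
    """True only if FW-1 is on the path in both directions."""
    outbound = trace(topo, topo.server_gateway, external)
    inbound = trace(topo, "Router", server)
    return "FW-1" in outbound and "FW-1" in inbound


if __name__ == "__main__":
    for label, topo in (("with VRF-A", build_topology()), ("without VRF-A", build_topology(False))):
        print(label, trace(topo, topo.server_gateway, "10.10.10.2"), trace(topo, "Router", "10.10.1.10"),
              "firewall on path:", firewall_inspects(topo))
```

With VRF-A the trace is CSS:VRF-A, FW-1, CSS:public, Router and back the same way. Without it the server segment is directly connected in the public table, the connected route outranks the static route towards 10.10.3.5, and both directions go CSS:public to Router with no firewall hop, which is exactly what the VRF binding in step 7 prevents.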

Configuration File

  • Configuration file of the router

    #
    sysname Router
    #
    interface Eth-Trunk1
     ip address 10.10.10.2 255.255.255.0
    #
    interface XGigabitEthernet1/0/1 
     eth-trunk 1
    #
    interface XGigabitEthernet1/0/2 
     eth-trunk 1
    #
    ospf 100
     area 0.0.0.0
      network 10.10.10.0 0.0.0.255
    #
    return
    
  • Configuration file of the CSS on the core layer

    #
    sysname CSS
    #
    vlan batch 100 200 300 1001
    #
    ip vpn-instance VRF-A 
     ipv4-family
      route-distinguisher 100:1        
      vpn-target 111:1 export-extcommunity 
      vpn-target 111:1 import-extcommunity
    # 
    stack
     #
     stack mode
     #
     stack member 1 domain 10
     stack member 1 priority 150
     #
     stack member 2 domain 10
    #
    interface Vlanif100
     ip binding vpn-instance VRF-A
     ip address 10.10.1.1 255.255.255.0
    #
    interface Vlanif200
     ip binding vpn-instance VRF-A
     ip address 10.10.2.1 255.255.255.0
    #
    interface Vlanif300
     ip address 10.10.3.1 255.255.255.0
    #
    interface Vlanif1001
     ip address 10.10.10.1 255.255.255.0
    #
    interface Eth-Trunk1
     description To_Router
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 1001
     port trunk pvid vlan 1001
    #
    interface Eth-Trunk2
     description To_iStack-1
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    interface Eth-Trunk3
     description To_iStack-2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    interface Eth-Trunk4
     description To_FW-1
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 200
     port trunk pvid vlan 200
    #
    interface Eth-Trunk5
     description To_FW-1
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 300
     port trunk pvid vlan 300
    #
    interface Eth-Trunk6
     description To_FW-2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 200
     port trunk pvid vlan 200
    #
    interface Eth-Trunk7
     description To_FW-2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 300
     port trunk pvid vlan 300
    #
    interface Stack-Port1/1
    #
    interface Stack-Port2/1
    #
    interface 10GE1/1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/1/0/5
     eth-trunk 2
    #
    interface 10GE1/1/0/6
     eth-trunk 3
    #
    interface 10GE1/1/0/7
     eth-trunk 4
    #
    interface 10GE1/1/0/8
     eth-trunk 5
    #
    interface 10GE1/1/0/10
     dual-active detect mode direct
    #
    interface 10GE1/1/0/11
     eth-trunk 1
    #
    interface 10GE1/2/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/2/0/5
     eth-trunk 2
    #
    interface 10GE1/2/0/6
     eth-trunk 3
    #
    interface 10GE1/2/0/7
     eth-trunk 6
    #
    interface 10GE1/2/0/8
     eth-trunk 7
    #
    interface 10GE1/2/0/10
     dual-active detect mode direct
    #
    interface 10GE2/1/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/1/0/5
     eth-trunk 2
    #
    interface 10GE2/1/0/6
     eth-trunk 3
    #
    interface 10GE2/1/0/7
     eth-trunk 4
    #
    interface 10GE2/1/0/8
     eth-trunk 5
    #
    interface 10GE2/1/0/10
     dual-active detect mode direct
    #
    interface 10GE2/1/0/11
     eth-trunk 1
    #
    interface 10GE2/2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/2/0/5
     eth-trunk 2
    #
    interface 10GE2/2/0/6
     eth-trunk 3
    #
    interface 10GE2/2/0/7
     eth-trunk 6
    #
    interface 10GE2/2/0/8
     eth-trunk 7
    #
    interface 10GE2/2/0/10
     dual-active detect mode direct
    #
    ospf 100
      import-route static
      area 0.0.0.0
      network 10.10.10.0 0.0.0.255
    #
    ip route-static 10.10.1.0 255.255.255.0 10.10.3.5 
    ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5 
    #
    port-group group1
     group-member 10GE1/1/0/1
     group-member 10GE1/1/0/2
     group-member 10GE1/1/0/3
     group-member 10GE1/1/0/4
     group-member 10GE1/2/0/1
     group-member 10GE1/2/0/2
     group-member 10GE1/2/0/3
     group-member 10GE1/2/0/4
    #
    return
    
  • Configuration file of iStack-1 on the access layer

    #
    sysname iStack-1
    #
    vlan batch 100
    #
    stack
     #
     stack member 1 domain 20
     stack member 1 priority 150
     #
     stack member 2 domain 20
    #
    interface Eth-Trunk2
     description To_CSS
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    interface Stack-Port1/1
    # 
    interface Stack-Port2/1
    # 
    interface 10GE1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/5
     eth-trunk 2
    #
    interface 10GE1/0/6
     eth-trunk 2
    #
    interface 10GE1/0/9
     dual-active detect mode direct
    #
    interface 10GE1/0/10
     dual-active detect mode direct
    #
    interface 10GE2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/5
     eth-trunk 2
    #
    interface 10GE2/0/6
     eth-trunk 2
    #
    interface 10GE2/0/9
     dual-active detect mode direct
    #
    interface 10GE2/0/10
     dual-active detect mode direct
    #
    return
  • Configuration file of iStack-2 on the access layer

    #
    sysname iStack-2
    #
    vlan batch 100
    #
    stack
     #
     stack member 1 domain 30
     stack member 1 priority 150
     #
     stack member 2 domain 30
    #
    interface Eth-Trunk3
     description To_CSS
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100
    #
    interface Stack-Port1/1
    # 
    interface Stack-Port2/1
    # 
    interface 10GE1/0/1
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/2
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/3
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/4
     port mode stack
     stack-port 1/1
    #
    interface 10GE1/0/5
     eth-trunk 3
    #
    interface 10GE1/0/6
     eth-trunk 3
    #
    interface 10GE1/0/9
     dual-active detect mode direct
    #
    interface 10GE1/0/10
     dual-active detect mode direct
    #
    interface 10GE2/0/1
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/2
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/3
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/4
     port mode stack
     stack-port 2/1
    #
    interface 10GE2/0/5
     eth-trunk 3
    #
    interface 10GE2/0/6
     eth-trunk 3
    #
    interface 10GE2/0/9
     dual-active detect mode direct
    #
    interface 10GE2/0/10
     dual-active detect mode direct
    #
    return
  • Configuration file of FW-1

    #
    sysname FW-1
    #
    firewall packet-filter default permit interzone local dmz direction inbound
    firewall packet-filter default permit interzone local dmz direction outbound
    #
    firewall defend port-scan enable
    firewall defend ip-sweep enable
    firewall defend ip-fragment enable
    firewall defend icmp-flood enable
    firewall defend udp-flood enable
    firewall defend syn-flood enable
    firewall defend ip-spoofing enable
    firewall defend action discard
    firewall defend icmp-flood zone untrust max-rate 20000
    firewall defend udp-flood zone untrust max-rate 1500
    firewall defend syn-flood zone untrust max-rate 20000
    #
    hrp enable
    hrp interface Eth-Trunk1 remote 10.1.1.2
    #
    ips enable
    #
    interface Eth-Trunk1
     ip address 10.1.1.1 255.255.255.0
    #
    interface Eth-Trunk4
     ip address 10.10.2.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 master
    #
    interface Eth-Trunk5
     ip address 10.10.3.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 master
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/1/0
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet1/1/1
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo shutdown
     eth-trunk 1
    #
    profile type ips name default
     signature-set name default
      os both
      target both
      severity low medium high
      protocol all
      category all
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk4
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk5
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
    firewall interzone trust untrust
     detect ftp
    #
    policy interzone trust untrust inbound
     policy 1
      action permit
      profile ips default
      policy service service-set ftp
      policy service service-set http
      policy destination 10.10.1.0 mask 24
    #
    policy interzone trust untrust outbound
     policy 1
      action permit
      profile ips default
      policy source 10.10.1.0 mask 24
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
    ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
    #
    return
  • Configuration file of FW-2

    #
    sysname FW-2
    #
    firewall packet-filter default permit interzone local dmz direction inbound
    firewall packet-filter default permit interzone local dmz direction outbound
    #
    firewall defend port-scan enable
    firewall defend ip-sweep enable
    firewall defend ip-fragment enable
    firewall defend icmp-flood enable
    firewall defend udp-flood enable
    firewall defend syn-flood enable
    firewall defend ip-spoofing enable
    firewall defend action discard
    firewall defend icmp-flood zone untrust max-rate 20000
    firewall defend udp-flood zone untrust max-rate 1500
    firewall defend syn-flood zone untrust max-rate 20000
    #
    hrp enable
    hrp interface Eth-Trunk1 remote 10.1.1.1
    #
    ips enable
    #
    interface Eth-Trunk1
     ip address 10.1.1.2 255.255.255.0
    #
    interface Eth-Trunk4
     ip address 10.10.2.3 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 slave
    #
    interface Eth-Trunk5
     ip address 10.10.3.3 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 slave
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     eth-trunk 4
    #
    interface GigabitEthernet1/1/0
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet1/1/1
     undo shutdown
     eth-trunk 5
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo shutdown
     eth-trunk 1
    #
    profile type ips name default
     signature-set name default
      os both
      target both
      severity low medium high
      protocol all
      category all
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk4
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk5
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
    firewall interzone trust untrust
     detect ftp
    #
    policy interzone trust untrust inbound
     policy 1
      action permit
      profile ips default
      policy service service-set ftp
      policy service service-set http
      policy destination 10.10.1.0 mask 24
    #
    policy interzone trust untrust outbound
     policy 1
      action permit
      profile ips default
      policy source 10.10.1.0 mask 24
    #
    ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
    ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
    #
    return
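The FW-1 and FW-2 files above form a hot-standby pair, and the statements that must agree between them (the HRP peer addresses, the VRRP virtual IPs and master/slave roles on Eth-Trunk4 and Eth-Trunk5) are easy to get wrong when the second unit is configured by hand. The following audit script is an added example, not Huawei tooling or part of this page's configuration: the two configuration texts it embeds are copied from the FW-1 and FW-2 files above and trimmed to the lines the checks use, while the parser, the check functions and their names (`parse`, `check_hrp_peers`, `check_vrrp`, `unscoped_permits`, `audit_pair`) are this example's own assumed design. Besides the pair-consistency checks, it flags any permit rule in the trust-untrust interzone policies that restricts neither source nor destination, which is the main thing to look for when reviewing these policies.

```python
"""Consistency audit over the FW-1 and FW-2 configuration files shown above.

Added example, not Huawei tooling: the two configuration texts below are copied
from this page's FW-1/FW-2 files and trimmed to the statements the checks use;
the parser and check functions are this example's own (assumed) design.
"""
import re

FW1 = """\
hrp interface Eth-Trunk1 remote 10.1.1.2
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
interface Eth-Trunk4
 ip address 10.10.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 master
interface Eth-Trunk5
 ip address 10.10.3.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 master
policy interzone trust untrust inbound
 policy 1
  action permit
  policy destination 10.10.1.0 mask 24
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.10.1.0 mask 24
"""
FW2 = """\
hrp interface Eth-Trunk1 remote 10.1.1.1
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0
interface Eth-Trunk4
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 slave
interface Eth-Trunk5
 ip address 10.10.3.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 slave
policy interzone trust untrust inbound
 policy 1
  action permit
  policy destination 10.10.1.0 mask 24
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 10.10.1.0 mask 24
"""

def parse(text):
    """Pull HRP peer, interface IPs, VRRP roles and interzone rules from a config.
    A line without leading space opens a top-level block; indented lines belong to it."""
    cfg = {"hrp_if": None, "hrp_remote": None, "ip": {}, "vrrp": {}, "policies": {}}
    block = ""
    for line in text.splitlines():
        s = line.strip()
        if not line.startswith(" "):                     # new top-level block
            block = s
            m = re.match(r"hrp interface (\S+) remote (\S+)", s)
            if m:
                cfg["hrp_if"], cfg["hrp_remote"] = m.groups()
            elif s.startswith("policy interzone "):
                cfg["policies"][s] = []
            continue
        if block.startswith("interface "):
            ifname = block.split()[1]
            if s.startswith("ip address "):
                cfg["ip"][ifname] = s.split()[2]
            elif s.startswith("vrrp vrid "):            # vrrp vrid N virtual-ip VIP ROLE
                _, _, vrid, _, vip, role = s.split()
                cfg["vrrp"][vrid] = (vip, role)
        elif block.startswith("policy interzone "):
            rules = cfg["policies"][block]
            if re.fullmatch(r"policy \d+", s):           # start of a numbered rule
                rules.append({"rule": s, "action": None, "scoped": False})
            elif s.startswith("action "):
                rules[-1]["action"] = s.split()[1]
            elif s.startswith(("policy source ", "policy destination ")):
                rules[-1]["scoped"] = True               # rule is not any-to-any
    return cfg

def check_hrp_peers(a, b):
    """Each unit's configured HRP remote must be the other unit's HRP interface IP."""
    return (a["hrp_remote"] == b["ip"].get(b["hrp_if"])
            and b["hrp_remote"] == a["ip"].get(a["hrp_if"]))

def check_vrrp(a, b):
    """Same VRIDs on both units, same virtual IP per VRID, exactly one master per VRID."""
    if a["vrrp"].keys() != b["vrrp"].keys():
        return False
    return all(a["vrrp"][v][0] == b["vrrp"][v][0]
               and {a["vrrp"][v][1], b["vrrp"][v][1]} == {"master", "slave"}
               for v in a["vrrp"])

def unscoped_permits(cfg):
    """Permit rules that restrict neither source nor destination (any-to-any)."""
    return [f"{blk}: {r['rule']}" for blk, rules in cfg["policies"].items()
            for r in rules if r["action"] == "permit" and not r["scoped"]]

def audit_pair(text_a, text_b):
    """Run all checks over a hot-standby pair; returns a dict of findings."""
    a, b = parse(text_a), parse(text_b)
    return {"hrp_peers_ok": check_hrp_peers(a, b), "vrrp_ok": check_vrrp(a, b),
            "unscoped_permits": unscoped_permits(a) + unscoped_permits(b)}
```

Run `audit_pair(FW1, FW2)` on the page's two files and all three findings come back clean. The same call on a copy of FW-2 whose VRRP role was changed to `master` reports `vrrp_ok: False` (two masters for one VRID), and a copy of FW-1 with the `policy source` line deleted lists the outbound rule as an unscoped permit. The parser relies on the indentation convention of the displayed configuration (top-level statements flush left, sub-statements indented), so it should be fed `display current-configuration` output, not hand-reformatted text.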
Updated: 2019-04-03

Document ID: EDOC1000039339