S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches

Background

The IPS module is a card providing the intrusion defense function. It provides intrusion defense, antivirus, and anti-DDoS for IP networks.

The NGFW module functions as a next-generation firewall that provides the firewall, NAT, and VPN functions for IP networks.

There are many ways to deploy IPS modules and NGFW modules. This section provides two typical methods, as described in Table 2-28.

Table 2-28  Deploying IPS modules and NGFW modules on switches

Method 1: Deploying IPS modules and NGFW modules on a Layer 2 dual-node system and importing flows through redirection
  • The NGFW modules work in the interface pair mode, and the flows from switches are received by a Layer 2 Eth-Trunk.
  • The IP address of the firewall subinterface is the gateway address for upstream and downstream networks.

Method 2: Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing
  • The NGFW modules work in the routing mode, and the flows from switches are received by a Layer 3 Eth-Trunk subinterface.
  • The VLANIF interface address on a switch is the gateway address for upstream and downstream networks.

Table 2-29 lists the products and versions to which this configuration example is applicable.

Table 2-29  Applicable products and versions

Product Model          Software Version
-------------------    ---------------------------
S7700&S9700&S12700     V200R007 and later versions
IPS Module             V100R001C30
NGFW Module            V100R001C30

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Two S12700s are deployed on the network shown in Figure 2-26. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules and NGFW modules work at Layer 2, that is, they are inserted into the network transparently.

The customer has the following requirements:

  • The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
  • The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
  • The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 2-27 shows the flow directions.

NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 2-26  Deploying IPS module and NGFW module on a Layer 2 dual-node system and importing flows through redirection

Figure 2-27  Flow direction

Data Plan

Table 2-30, Table 2-31, and Table 2-32 provide the data plan.

Table 2-30  Data plan for link aggregation

S12700 cluster
  Eth-trunk100: connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1
  Eth-trunk101: connected to NGFW Module_A and NGFW Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, XGE2/4/0/1

NGFW Module_A
  Eth-trunk0: connected to NGFW Module_B through the heartbeat line. Member interfaces: GE0/0/1, GE0/0/2
  Eth-trunk1: connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: GE1/0/1, GE1/0/2

NGFW Module_B
  Eth-trunk0: connected to NGFW Module_A through the heartbeat line. Member interfaces: GE0/0/1, GE0/0/2
  Eth-trunk1: connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: GE1/0/1, GE1/0/2

IPS Module_A
  Eth-trunk0: connected to IPS Module_B through the heartbeat line. Member interfaces: GE0/0/1, GE0/0/2
  Eth-trunk1: connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: GE1/0/1, GE1/0/2

IPS Module_B
  Eth-trunk0: connected to IPS Module_A through the heartbeat line. Member interfaces: GE0/0/1, GE0/0/2
  Eth-trunk1: connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet. Member interfaces: GE1/0/1, GE1/0/2

Table 2-31  VLAN plan

Data         Remarks
----------   -------------
100, 300     Server VLANs
101 to 126   Client VLANs
2001         Extranet VLAN

Table 2-32  IP address plan

S12700 cluster
  VLANIF 100: 10.55.0.1/24, VLANIF 300: 10.55.200.1/24 (server-side gateway)
  VLANIF 101: 10.55.1.1/24, VLANIF 102: 10.55.2.1/24, ..., VLANIF 126: 10.55.26.1/24 (client-side gateway)
  VLANIF 2001: 10.54.1.253/29 (extranet gateway)

IPS Module_A
  Eth-trunk 0: 192.168.213.5/30 (HRP interface)

IPS Module_B
  Eth-trunk 0: 192.168.213.6/30 (HRP interface)

NGFW Module_A
  Eth-trunk 0: 192.168.213.1/30 (HRP interface)

NGFW Module_B
  Eth-trunk 0: 192.168.213.2/30 (HRP interface)

Configuration Roadmap

  1. Configure interfaces on NGFW Module_A and NGFW Module_B and set basic parameters.
  2. Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby system working in load balancing mode.
  3. Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A are automatically backed up to NGFW Module_B.
  4. Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
  5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
  6. Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A are automatically backed up to IPS Module_B.
  7. Configure the two S12700s as a cluster.
  8. Implement connectivity between the S12700 cluster, NGFW modules, and IPS modules.
  9. Configure a traffic policy on the S12700 cluster and apply the policy to interfaces to implement redirection.

Procedure

  1. Configure interfaces on NGFW modules and set basic parameters.

    # Log in to the CLI of NGFW Module_A from Switch_A.

    <sysname> connect slot 4
    NOTE:

    To return to the CLI of the switch, press Ctrl+D.

    # Set the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname NGFW Module_A

    # Create VLANs on NGFW Module_A.

    [NGFW Module_A] vlan batch 100 to 126 300 2001
    

    # Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from upstream and downstream VLANs to pass.

    [NGFW Module_A] interface Eth-Trunk 1
    [NGFW Module_A-Eth-Trunk1] description To-master-trunk101
    [NGFW Module_A-Eth-Trunk1] portswitch
    [NGFW Module_A-Eth-Trunk1] port link-type trunk
    [NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1
    [NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
    [NGFW Module_A-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

    NOTE:

    Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

    [NGFW Module_A] interface GigabitEthernet 1/0/0
    [NGFW Module_A-GigabitEthernet1/0/0] portswitch
    [NGFW Module_A-GigabitEthernet1/0/0] port link-type access
    [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/0] quit
    [NGFW Module_A] interface GigabitEthernet 1/0/1
    [NGFW Module_A-GigabitEthernet1/0/1] portswitch
    [NGFW Module_A-GigabitEthernet1/0/1] port link-type access
    [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/1] quit

    # Create Eth-Trunk 1 interface pair on NGFW Module_A.

    [NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1
    

    # Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [NGFW Module_A] interface Eth-Trunk 0
    [NGFW Module_A-Eth-Trunk0] description hrp-interface
    [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
    [NGFW Module_A-Eth-Trunk0] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/1
    [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/1] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/2
    [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_A to the security zone.

    [NGFW Module_A] firewall zone trust
    [NGFW Module_A-zone-trust] set priority 85
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_A-zone-trust] quit
    [NGFW Module_A] firewall zone name hrp
    [NGFW Module_A-zone-hrp] set priority 75
    [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_A-zone-hrp] quit

    # Log in to the CLI of NGFW Module_B from Switch_B.

    <sysname> connect slot 4

    # Set the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname NGFW Module_B

    # Create VLANs on NGFW Module_B.

    [NGFW Module_B] vlan batch 100 to 126 300 2001
    

    # Create Layer 2 Eth-Trunk 1 on NGFW Module_B, switch to the interface pair mode, and allow the packets from upstream and downstream VLANs to pass.

    [NGFW Module_B] interface Eth-Trunk 1
    [NGFW Module_B-Eth-Trunk1] description To-master-trunk101
    [NGFW Module_B-Eth-Trunk1] portswitch
    [NGFW Module_B-Eth-Trunk1] port link-type trunk
    [NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1
    [NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
    [NGFW Module_B-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

    [NGFW Module_B] interface GigabitEthernet 1/0/0
    [NGFW Module_B-GigabitEthernet1/0/0] portswitch
    [NGFW Module_B-GigabitEthernet1/0/0] port link-type access
    [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/0] quit
    [NGFW Module_B] interface GigabitEthernet 1/0/1
    [NGFW Module_B-GigabitEthernet1/0/1] portswitch
    [NGFW Module_B-GigabitEthernet1/0/1] port link-type access
    [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/1] quit

    # Create Eth-Trunk 1 interface pair on NGFW Module_B.

    [NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1
    

    # Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [NGFW Module_B] interface Eth-Trunk 0
    [NGFW Module_B-Eth-Trunk0] description hrp-interface
    [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
    [NGFW Module_B-Eth-Trunk0] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/1
    [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/1] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/2
    [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_B to the security zone.

    [NGFW Module_B] firewall zone trust
    [NGFW Module_B-zone-trust] set priority 85
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_B-zone-trust] quit
    [NGFW Module_B] firewall zone name hrp
    [NGFW Module_B-zone-hrp] set priority 75
    [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_B-zone-hrp] quit

  2. Configure hot standby for NGFW modules.

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

    [NGFW Module_A] hrp mirror session enable
    [NGFW Module_A] hrp interface Eth-Trunk 0
    [NGFW Module_A] hrp loadbalance-device
    [NGFW Module_A] hrp enable

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

    [NGFW Module_B] hrp mirror session enable
    [NGFW Module_B] hrp interface Eth-Trunk 0
    [NGFW Module_B] hrp loadbalance-device
    [NGFW Module_B] hrp enable

  3. Configure the security service on the NGFW modules.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

    # Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

    HRP_M[NGFW Module_A] security-policy
    HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
    HRP_M[NGFW Module_A-policy-security] quit
    

  4. Configure interfaces on IPS modules and set basic parameters.
    1. Log in to the web UI through an Ethernet interface.

      1. Set up a physical connection between the management PC and an IPS module.
      2. Open the browser on the management PC and access https://192.168.0.1:8443.
      3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
      4. Change the password, click OK, and enter the web system.

    2. Choose Network > Interface, click the edit icon of interface GE1/0/0, and set the connection type of GE1/0/0 to access.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

    3. Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to access.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

    4. Click Add, and configure Eth-Trunk 1.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

    5. Choose Network > Interface Pair, click Add, and configure an interface pair.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

    6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.

      NOTE:
      • The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
      • The Eth-Trunk member interfaces on the IPS Modules must be the same.

      Configure a heartbeat interface on one IPS Module.

      Configure a heartbeat interface on the other IPS Module.

    7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

  5. Configure the IPS security service, for example, antivirus.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.

    1. Choose Object > Security Profiles > Anti-Virus.
    2. Click Add and set the parameters as follows:

    3. Click OK.
    4. Repeat the previous steps to set the parameters of the AV_ftp profile.

  6. Configure a security policy for the outbound direction.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    1. Choose Policy > Security Policy.
    2. Click Add.
    3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:

      Name: policy_av_1
      Description: Intranet-User
      Interface Pair: select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
      Action: permit
      Content Security > Anti-Virus: AV_http_pop3

  7. Configure the security policy in the direction from the external to internal servers.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.

    Name: policy_av_2
    Description: Intranet-Server
    Interface Pair: select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
    Action: permit
    Content Security > Anti-Virus: AV_ftp

  8. Configure the two S12700s as a cluster.

    1. Connect cluster cables. For details, see Switch Cluster Setup Guide.

      Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.

      # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_A
      [Switch_A] set css priority 100
      

      # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_B
      [Switch_B] set css id 2
      [Switch_B] set css priority 10

      # Check the cluster configuration.

      Run the display css status saved command to check whether the configurations are as expected.

      Check the cluster configuration on Switch_A.

      [Switch_A] display css status saved 
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
      ------------------------------------------------------------------------------   
      1            1            Off          CSS card    100         Off             
        

      Check the cluster configuration on Switch_B.

      [Switch_B] display css status saved 
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
      ------------------------------------------------------------------------------   
      1            2            Off          CSS card    10          Off              
      
    2. Enable the cluster function.

      # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.

      [Switch_A] css enable 
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable the cluster function on Switch_B and restart Switch_B.

      [Switch_B] css enable 
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    3. Check whether the cluster is set up successfully.

      # View the indicator status.

      The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.

      The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.

      # Log in to the cluster through the console port on any MPU to check the cluster status.

      [Switch_A] display css status
      CSS Enable switch On
                                                                                        
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force   
      ------------------------------------------------------------------------------   
      1            On           Master          CSS card    100         Off            
      2            On           Standby         CSS card    10          Off           
      

      The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.

      # Check whether cluster links work normally.

      [Switch_A] display css channel

      The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.

    4. Set the cluster system name to CSS.

      [Switch_A] sysname CSS
      [CSS]

  9. Configure the interfaces and VLAN IDs on switches.

    1. Create VLANs.

      [CSS] vlan batch 100 to 126 128 300 2001

    2. Configure upstream and downstream interfaces.

      [CSS] interface GigabitEthernet 1/6/0/36  //Connected to server
      [CSS-GigabitEthernet1/6/0/36] port link-type trunk
      [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0  //Connected to extranet
      [CSS-GigabitEthernet2/3/0/0] port link-type trunk
      [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36  //Connected to client
      [CSS-GigabitEthernet2/3/0/36] port link-type trunk
      [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
      [CSS-GigabitEthernet2/3/0/36] quit
      

    3. Configure VLANIF interfaces. In this example, the configuration is shown for client VLAN 101, VLAN 102, and VLAN 126 only.

      [CSS] interface vlanif 2001
      [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
      [CSS-Vlanif2001] quit
      [CSS] interface vlanif 100
      [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
      [CSS-Vlanif100] quit
      [CSS] interface vlanif 300
      [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
      [CSS-Vlanif300] quit
      [CSS] interface vlanif 101
      [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
      [CSS-Vlanif101] quit
      [CSS] interface vlanif 102
      [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
      [CSS-Vlanif102] quit
      [CSS] interface vlanif 126
      [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
      [CSS-Vlanif126] quit
      

    4. Add the four interfaces connected to the NGFW module to Eth-Trunk 101 and the four interfaces connected to the IPS module to Eth-Trunk 100.

      [CSS] interface eth-trunk 101
      [CSS-Eth-Trunk101] description to-ngfw
      [CSS-Eth-Trunk101] port link-type trunk
      [CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
      [CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
      [CSS-Eth-Trunk101] mac-address learning disable
      [CSS-Eth-Trunk101] stp disable
      [CSS-Eth-Trunk101] quit
      [CSS] interface eth-trunk 100
      [CSS-Eth-Trunk100] description to-ips
      [CSS-Eth-Trunk100] port link-type trunk
      [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
      [CSS-Eth-Trunk100] mac-address learning disable
      [CSS-Eth-Trunk100] stp disable
      [CSS-Eth-Trunk100] quit
      

    5. Set the load balancing mode on Eth-Trunks.

      [CSS] load-balance-profile sec
      [CSS-load-balance-profile-sec] ipv4 field sip dip
      [CSS-load-balance-profile-sec] quit
      [CSS] interface Eth-Trunk 101
      [CSS-Eth-Trunk101] load-balance enhanced profile sec
      [CSS-Eth-Trunk101] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] load-balance enhanced profile sec
      [CSS-Eth-Trunk100] quit

    6. Configure port isolation on the interfaces between the NGFW/IPS module and switches.

      [CSS] interface Eth-Trunk 101
      [CSS-Eth-Trunk101] port-isolate enable group 1
      [CSS-Eth-Trunk101] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] port-isolate enable group 1
      [CSS-Eth-Trunk100] quit
      

    7. Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/36] quit

    8. Configure traffic policies and bind them to interfaces to implement redirection.

      # Create ACLs.

      [CSS] acl 3010  //Match the flows sent from clients
      [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3010] quit
      [CSS] acl 3011  //Match the flows destined for clients
      [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3011] quit
      [CSS] acl 3020  //Match the flows sent from servers
      [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3020] quit
      [CSS] acl 3021  //Match the flows destined for servers
      [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3021] quit
      [CSS] acl 3012  //Match inter-client flows within a subnet
      [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3012] quit
      [CSS] acl 3022  //Match inter-server flows within a subnet
      [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3022] quit

      # Configure traffic classifiers.

      [CSS] traffic classifier from-office operator or precedence 80
      [CSS-classifier-from-office] if-match acl 3010
      [CSS-classifier-from-office] quit
      [CSS] traffic classifier to-office operator or precedence 85
      [CSS-classifier-to-office] if-match acl 3011
      [CSS-classifier-to-office] quit
      [CSS] traffic classifier from-server operator or precedence 75
      [CSS-classifier-from-server] if-match acl 3020
      [CSS-classifier-from-server] quit
      [CSS] traffic classifier to-server operator or precedence 60
      [CSS-classifier-to-server] if-match acl 3021
      [CSS-classifier-to-server] quit
      [CSS] traffic classifier office-office operator or precedence 40
      [CSS-classifier-office-office] if-match acl 3012
      [CSS-classifier-office-office] quit
      [CSS] traffic classifier server-server operator or precedence 65
      [CSS-classifier-server-server] if-match acl 3022
      [CSS-classifier-server-server] quit
      

      # Configure traffic behaviors.

      [CSS] traffic behavior behavior1
      [CSS-behavior-behavior1] permit
      [CSS-behavior-behavior1] quit
      [CSS] traffic behavior to-eth-trunk100
      [CSS-behavior-to-eth-trunk100] permit
      [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100
      [CSS-behavior-to-eth-trunk100] quit
      [CSS] traffic behavior to-eth-trunk101
      [CSS-behavior-to-eth-trunk101] permit
      [CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101
      [CSS-behavior-to-eth-trunk101] quit
      

      # Bind traffic policies to interfaces.

      [CSS] traffic policy ips-to-fw match-order config
      [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101
      [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101
      [CSS-trafficpolicy-ips-to-fw] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS module to the NGFW module
      [CSS-Eth-Trunk100] quit
      [CSS] traffic policy internet-in match-order config
      [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
      [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module
      [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101  //Redirect the flows from extranet to clients to the NGFW module
      [CSS-trafficpolicy-internet-in] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] traffic policy office-out match-order config
      [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet
      [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module
      [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
      [CSS-trafficpolicy-office-out] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
      [CSS-GigabitEthernet2/3/0/36] quit
      [CSS] traffic policy server-out match-order config
      [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet
      [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
      [CSS-trafficpolicy-server-out] quit
      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
      [CSS-GigabitEthernet1/6/0/36] quit
      

  10. Verify the configuration.

    # Check the configuration of the S12700 cluster.

    [CSS] display device
    Chassis 1 (Master Switch)
    S12708's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
          1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    Chassis 2 (Standby Switch)
    S12712's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
          1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    PWR2  -     -               Present   PowerOn    Registered     Normal     NA
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    FAN5  -     -               Present   PowerOn    Registered     Normal     NA
    

    # Check the status of the Eth-Trunks between the IPS/NGFW modules and the S12700 cluster.

    [IPS Module] display interface brief | include up
    2016/5/31 10:49
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%     0%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0
    
    [NGFW Module_B] display interface brief | include up
    10:56:34  2016/05/31
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0

    # Check traffic statistics on interfaces.

    • The traffic statistics between clients and servers are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.15%  0.15%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.60%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%  0.60%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.15%  0.15%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.60%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%  0.60%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
    • The traffic statistics between clients and extranet are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.12%  0.12%          0          0
        XGigabitEthernet1/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%  0.33%          0          0
        XGigabitEthernet2/4/0/1   up    up        0.50%  0.17%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
    • The traffic statistics between servers and extranet are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
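What "the traffic statistics are correct" means in practice is that Eth-Trunk100 (to the IPS modules) and Eth-Trunk101 (to the NGFW modules) carry load exactly for the flows that must pass through those modules. The following is an added example, not part of this document or of Huawei's software, that turns the three checks above into a test: it parses `display interface brief` output and compares each trunk's utilization with the customer requirements. The samples are constructed from the Eth-Trunk and access-port lines of the three outputs above.

```python
# Constructed samples: the Eth-Trunk and access-port lines from the three
# "display interface brief | include up" outputs shown above.
SAMPLES = {
    "clients-servers": """\
Eth-Trunk100                up    up        0.15%  0.15%          0          0
Eth-Trunk101                up    up        0.15%  0.15%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
""",
    "clients-extranet": """\
Eth-Trunk100                up    up           0%     0%          0          0
Eth-Trunk101                up    up        0.12%  0.12%          0          0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
""",
    "servers-extranet": """\
Eth-Trunk100                up    up        0.13%  0.13%          0          0
Eth-Trunk101                up    up        0.13%  0.13%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
""",
}

# Which modules each flow must traverse, taken from the customer requirements:
# (via the IPS modules on Eth-Trunk100, via the NGFW modules on Eth-Trunk101).
EXPECTED = {
    "clients-servers": (True, True),
    "clients-extranet": (False, True),
    "servers-extranet": (True, True),
}


def parse_brief(text):
    """Map interface name -> (InUti %, OutUti %, inErrors, outErrors)."""
    stats = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 7 or not tok[3].endswith("%"):
            continue  # legend, column header, or a Vlanif line ("--" utilization)
        stats[tok[0]] = (float(tok[3].rstrip("%")), float(tok[4].rstrip("%")),
                         int(tok[5]), int(tok[6]))
    return stats


def check_path(stats, via_ips, via_ngfw):
    """Findings for one flow test; an empty list means the observed path is as expected."""
    findings = []
    for trunk, expected, module in (("Eth-Trunk100", via_ips, "IPS"),
                                    ("Eth-Trunk101", via_ngfw, "NGFW")):
        util_in, util_out, err_in, err_out = stats[trunk]
        busy = util_in > 0 or util_out > 0
        if busy != expected:
            findings.append(f"{trunk} ({module}) {'carries' if busy else 'carries no'} "
                            f"traffic but {'should' if expected else 'should not'}")
        if err_in or err_out:  # errors on the inspection trunk deserve a look as well
            findings.append(f"{trunk}: {err_in} inErrors / {err_out} outErrors")
    return findings


def check_all(samples=SAMPLES, expected=EXPECTED):
    """Run every flow test; returns {flow: findings}."""
    return {flow: check_path(parse_brief(out), *expected[flow])
            for flow, out in samples.items()}
```

A trunk that stays at 0% while a test flow that should be inspected is running means the redirect is not taking effect and the flow bypasses that module.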

Configuration Files
  • NGFW module configuration files

    NGFW Module_A
    #
    sysname NGFW Module_A
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.1 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk101
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    return

    NGFW Module_B

    #
    sysname NGFW Module_B
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.2 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk101
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    return
    
  • IPS module configuration files

    IPS Module_A
    #
    sysname IPS Module_A
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.5 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3   
     description http-pop3     
     http-detect direction download     
     undo ftp-detect      
     undo smtp-detect        
     pop3-detect action delete-attachment  
     undo imap-detect   
     undo nfs-detect 
     undo smb-detect  
     exception application name Netease_Webmail action allow   
     exception av-signature-id 1000  
    profile type av name AV_ftp  
     description ftp   
     undo http-detect  
     ftp-detect direction upload
     undo smtp-detect  
     undo pop3-detect     
     undo imap-detect    
     undo nfs-detect  
     undo smb-detect  
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return

    IPS Module_B

    #
    sysname IPS Module_B
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.6 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3   
     description http-pop3     
     http-detect direction download     
     undo ftp-detect      
     undo smtp-detect        
     pop3-detect action delete-attachment  
     undo imap-detect   
     undo nfs-detect 
     undo smb-detect  
     exception application name Netease_Webmail action allow   
     exception av-signature-id 1000  
    profile type av name AV_ftp  
     description ftp   
     undo http-detect  
     ftp-detect direction upload
     undo smtp-detect  
     undo pop3-detect     
     undo imap-detect    
     undo nfs-detect  
     undo smb-detect  
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return
    
  • CSS configuration file

    #
    sysname CSS
    #
    vlan batch 100 to 126 128 300 2001
    #
    acl number 3010
     rule 5 permit ip source 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255
    acl number 3011
     rule 5 permit ip destination 10.55.1.0 0.0.0.255
     rule 10 permit ip destination 10.55.2.0 0.0.0.255
     rule 15 permit ip destination 10.55.26.0 0.0.0.255
    acl number 3012
     rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
    acl number 3020
     rule 5 permit ip source 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255
    acl number 3021
     rule 5 permit ip destination 10.55.0.0 0.0.0.255
     rule 10 permit ip destination 10.55.200.0 0.0.0.255
    acl number 3022
     rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
    #
    traffic classifier office-office operator or precedence 40
     if-match acl 3012
    traffic classifier from-office operator or precedence 80
     if-match acl 3010
    traffic classifier from-server operator or precedence 75
     if-match acl 3020
    traffic classifier server-server operator or precedence 65
     if-match acl 3022
    traffic classifier to-office operator or precedence 85
     if-match acl 3011
    traffic classifier to-server operator or precedence 60
     if-match acl 3021
    #
    traffic behavior behavior1
     permit
    traffic behavior to-eth-trunk100
     permit
     redirect interface Eth-Trunk100
    traffic behavior to-eth-trunk101
     permit
     redirect interface Eth-Trunk101
    #
    traffic policy office-out match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier from-office behavior to-eth-trunk101
    traffic policy internet-in match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier to-office behavior to-eth-trunk101
    traffic policy ips-to-fw match-order config
     classifier to-server behavior to-eth-trunk101
     classifier from-server behavior to-eth-trunk101
    traffic policy server-out match-order config
     classifier server-server behavior behavior1
     classifier from-server behavior to-eth-trunk100
    #
    interface Vlanif100
     ip address 10.55.0.1 255.255.255.0
    #
    interface Vlanif101
     ip address 10.55.1.1 255.255.255.0
    #
    interface Vlanif102
     ip address 10.55.2.1 255.255.255.0
    #
    interface Vlanif300
     ip address 10.55.200.1 255.255.255.0
    #
    interface Vlanif2001
     ip address 10.54.1.253 255.255.255.248
    #
    load-balance-profile sec
    #
    interface Eth-Trunk100
     description to-ips
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     traffic-policy ips-to-fw inbound
     load-balance enhanced profile sec
     port-isolate enable group 1
    #
    interface Eth-Trunk101
     description to-ngfw
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     load-balance enhanced profile sec
     port-isolate enable group 1
    #
    interface GigabitEthernet1/6/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 300
     traffic-policy server-out inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/0
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 2001
     traffic-policy internet-in inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 101 to 126
     traffic-policy office-out inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface XGigabitEthernet1/4/0/0
     eth-trunk 101
    #
    interface XGigabitEthernet1/4/0/1
     eth-trunk 101
    #
    interface XGigabitEthernet1/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet1/5/0/1
     eth-trunk 100
    #
    interface XGigabitEthernet2/4/0/0
     eth-trunk 101
    #
    interface XGigabitEthernet2/4/0/1
     eth-trunk 101
    #
    interface XGigabitEthernet2/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet2/5/0/1
     eth-trunk 100
    #
    return
    

Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements

Two S12700s are deployed on a network shown in Figure 2-28. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules work at Layer 2. That is, they access the network transparently. The NGFW modules work at Layer 3 (flows imported at Layer 3) in active/standby mode.

The customer has the following requirements:

  • The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
  • The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
  • The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 2-29 shows the flow directions.

NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 2-28  Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing

Figure 2-29  Flow direction

Data Plan
Table 2-33, Table 2-34, and Table 2-35 provide the data plan.
Table 2-33  Data plan for link aggregation

Device         | Interface Number | Interface Description | Member Interface
S12700 cluster | Eth-trunk100     | Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1
S12700 cluster | Eth-trunk105     | Connected to NGFW Module_A to transparently transmit the packets from VLAN 128 | XGE1/4/0/0, XGE1/4/0/1
S12700 cluster | Eth-trunk106     | Connected to NGFW Module_B to transparently transmit the packets from VLAN 128 | XGE2/4/0/0, XGE2/4/0/1
NGFW Module_A  | Eth-trunk0       | Connected to NGFW Module_B through the heartbeat line | GE0/0/1, GE0/0/2
NGFW Module_A  | Eth-trunk1       | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2
NGFW Module_B  | Eth-trunk0       | Connected to NGFW Module_A through the heartbeat line | GE0/0/1, GE0/0/2
NGFW Module_B  | Eth-trunk1       | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2
IPS Module_A   | Eth-trunk0       | Connected to IPS Module_B through the heartbeat line | GE0/0/1, GE0/0/2
IPS Module_A   | Eth-trunk1       | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2
IPS Module_B   | Eth-trunk0       | Connected to IPS Module_A through the heartbeat line | GE0/0/1, GE0/0/2
IPS Module_B   | Eth-trunk1       | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2

Table 2-34  VLAN plan

Data       | Remarks
100, 300   | Server VLANs
101 to 126 | Client VLANs
128        | Layer 3 interface between the NGFW module and switch
2001       | Extranet VLAN

Table 2-35  IP address plan

Device         | Data | Remarks
S12700 cluster | VLANIF 100: 10.55.0.1/24, VLANIF 300: 10.55.200.1/24 | Server-side gateway
S12700 cluster | VLANIF 101: 10.55.1.1/24, VLANIF 102: 10.55.2.1/24, ..., VLANIF 126: 10.55.26.1/24 | Client-side gateway
S12700 cluster | VLANIF 128: 10.54.28.4/24 | Layer 3 interface connected to the NGFW module
S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway
IPS Module_A   | Eth-trunk 0: 192.168.213.5/30 | HRP interface
IPS Module_B   | Eth-trunk 0: 192.168.213.6/30 | HRP interface
NGFW Module_A  | Eth-trunk 0: 192.168.213.1/30 | HRP interface
NGFW Module_A  | Eth-trunk 1.1: 10.55.28.2/24 | Master IP address of the VRRP group connected to the S12700 cluster
NGFW Module_A  | 10.55.28.1 | VRRP virtual IP address
NGFW Module_B  | Eth-trunk 0: 192.168.213.2/30 | HRP interface
NGFW Module_B  | Eth-trunk 1.1: 10.55.28.3/24 | Backup IP address of the VRRP group connected to the S12700 cluster
NGFW Module_B  | 10.55.28.1 | VRRP virtual IP address

Configuration Roadmap
  1. Configure interfaces and static routes on NGFW Module_A and NGFW Module_B and set basic parameters.
  2. Configure NGFW Module_A and NGFW Module_B as a Layer 3 VRRP group working in hot standby mode.
  3. Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
  4. Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
  5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
  6. Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
  7. Configure the two S12700s as a cluster.
  8. Implement connectivity between the S12700 cluster, the NGFW modules, and the IPS modules.
  9. Configure a routing policy on the S12700 cluster to implement redirection.

Procedure

  1. Configure interfaces on NGFW modules and set basic parameters.

    # Log in to the CLI of NGFW Module_A from Switch_A.

    <sysname> connect slot 4
    NOTE:

    To return to the CLI of the switch, press Ctrl+D.

    # Set the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname NGFW Module_A

    # Create VLANs on NGFW Module_A.

    [NGFW Module_A] vlan batch 100 to 126 300 2001
    

    # Create Layer 3 Eth-Trunk 1 on NGFW Module_A.

    [NGFW Module_A] interface Eth-Trunk 1
    [NGFW Module_A-Eth-Trunk1] description To-master-trunk105
    [NGFW Module_A-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

    NOTE:

    Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

    [NGFW Module_A] interface GigabitEthernet 1/0/0
    [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/0] quit
    [NGFW Module_A] interface GigabitEthernet 1/0/1
    [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/1] quit

    # Create a Layer 3 subinterface and configure a VRRP group.

    [NGFW Module_A] interface Eth-Trunk 1.1
    [NGFW Module_A-Eth-Trunk1.1] vlan-type dot1q 128
    [NGFW Module_A-Eth-Trunk1.1] ip address 10.55.28.2 255.255.255.0
    [NGFW Module_A-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
    [NGFW Module_A-Eth-Trunk1.1] service-manage ping permit
    [NGFW Module_A-Eth-Trunk1.1] quit
    

    # Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [NGFW Module_A] interface Eth-Trunk 0
    [NGFW Module_A-Eth-Trunk0] description hrp-interface
    [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
    [NGFW Module_A-Eth-Trunk0] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/1
    [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/1] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/2
    [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_A to the security zone.

    [NGFW Module_A] firewall zone trust
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1
    [NGFW Module_A-zone-trust] quit
    [NGFW Module_A] firewall zone name hrp
    [NGFW Module_A-zone-hrp] set priority 75
    [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_A-zone-hrp] quit

    # Configure static routes on NGFW Module_A.

    [NGFW Module_A] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet
    [NGFW Module_A] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside
    [NGFW Module_A] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    [NGFW Module_A] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    [NGFW Module_A] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside
    [NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    

    # Log in to the CLI of NGFW Module_B from Switch_B.

    <sysname> connect slot 4

    # Set the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname NGFW Module_B

    # Create VLANs on NGFW Module_B.

    [NGFW Module_B] vlan batch 100 to 126 300 2001
    

    # Create Layer 3 Eth-Trunk 1 on NGFW Module_B.

    [NGFW Module_B] interface Eth-Trunk 1
    [NGFW Module_B-Eth-Trunk1] description To-master-trunk105
    [NGFW Module_B-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

    [NGFW Module_B] interface GigabitEthernet 1/0/0
    [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/0] quit
    [NGFW Module_B] interface GigabitEthernet 1/0/1
    [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/1] quit

    # Create a Layer 3 subinterface and configure a VRRP group.

    [NGFW Module_B] interface Eth-Trunk 1.1
    [NGFW Module_B-Eth-Trunk1.1] vlan-type dot1q 128
    [NGFW Module_B-Eth-Trunk1.1] ip address 10.55.28.3 255.255.255.0
    [NGFW Module_B-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
    [NGFW Module_B-Eth-Trunk1.1] service-manage ping permit
    [NGFW Module_B-Eth-Trunk1.1] quit
    

    # Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [NGFW Module_B] interface Eth-Trunk 0
    [NGFW Module_B-Eth-Trunk0] description hrp-interface
    [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
    [NGFW Module_B-Eth-Trunk0] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/1
    [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/1] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/2
    [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_B to the security zones.

    [NGFW Module_B] firewall zone trust
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1.1
    [NGFW Module_B-zone-trust] quit
    [NGFW Module_B] firewall zone name hrp
    [NGFW Module_B-zone-hrp] set priority 75
    [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_B-zone-hrp] quit

    # Configure static routes on NGFW Module_B.

    [NGFW Module_B] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet
    [NGFW Module_B] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside
    [NGFW Module_B] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    [NGFW Module_B] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    [NGFW Module_B] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside
    [NGFW Module_B] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    

  2. Configure hot standby for NGFW modules.

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

    [NGFW Module_A] hrp mirror session enable
    [NGFW Module_A] hrp interface Eth-Trunk 0
    [NGFW Module_A] hrp loadbalance-device
    [NGFW Module_A] hrp enable

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

    [NGFW Module_B] hrp mirror session enable
    [NGFW Module_B] hrp interface Eth-Trunk 0
    [NGFW Module_B] hrp loadbalance-device
    [NGFW Module_B] hrp enable

  3. Configure the security service on the NGFW modules.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

    # Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

    HRP_M[NGFW Module_A] security-policy
    HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
    HRP_M[NGFW Module_A-policy-security] quit
    

  4. Configure interfaces on IPS modules and set basic parameters.
    1. Log in to the web UI through an Ethernet interface.

      1. Set up a physical connection between the management PC and an IPS module.
      2. Open the browser on the management PC and access https://192.168.0.1:8443.
      3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
      4. Change the password, click OK, and enter the web system.

    2. Choose Network > Interface, click the edit icon of interface GE1/0/0, and set its connection type to access.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

    3. Click the edit icon of interface GE1/0/1 and set its connection type to access.

    4. Click Add, and configure Eth-Trunk 1.

    5. Choose Network > Interface Pair, click Add, and configure an interface pair.

    6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.

      NOTE:
      • The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
      • The Eth-Trunk member interfaces on the IPS Modules must be the same.

      Configure a heartbeat interface on one IPS Module.

      Configure a heartbeat interface on the other IPS Module.

    7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.

  5. Configure the IPS security service, for example, antivirus.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.

    1. Choose Object > Security Profiles > Anti-Virus.
    2. Click Add and set the parameters as follows:

    3. Click OK.
    4. Repeat the previous steps to set the parameters of the AV_ftp profile.

  6. Configure a security policy for the outbound direction.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    1. Choose Policy > Security Policy.
    2. Click Add.
    3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:

      Name: policy_av_1
      Description: Intranet-User
      Interface Pair: Eth-Trunk1->Eth-Trunk1 (select from the drop-down list)
      Action: permit
      Content Security (Anti-Virus): AV_http_pop3

  7. Configure the security policy in the direction from the external to internal servers.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    Configure this policy in the same way as the policy in the direction from internal clients to external servers, with the following parameters:

    Name: policy_av_2
    Description: Intranet-Server
    Interface Pair: Eth-Trunk1<-Eth-Trunk1 (select from the drop-down list)
    Action: permit
    Content Security (Anti-Virus): AV_ftp

  8. Configure the two S12700s as a cluster.

    1. Connect cluster cables. For details, see Switch Cluster Setup Guide.

      Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.

      # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_A
      [Switch_A] set css priority 100
      

      # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_B
      [Switch_B] set css id 2
      [Switch_B] set css priority 10

      # Check the cluster configuration.

      Run the display css status saved command to check whether the configurations are as expected.

      Check the cluster configuration on Switch_A.

      [Switch_A] display css status saved 
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
      ------------------------------------------------------------------------------   
      1            1            Off          CSS card    100         Off             
        

      Check the cluster configuration on Switch_B.

      [Switch_B] display css status saved 
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
      ------------------------------------------------------------------------------   
      1            2            Off          CSS card    10          Off              
      
    2. Enable the cluster function.

      # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.

      [Switch_A] css enable 
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable the cluster function on Switch_B and restart Switch_B.

      [Switch_B] css enable 
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    3. Check whether the cluster is set up successfully.

      # View the indicator status.

      The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.

      The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.

      # Log in to the cluster through the console port on any MPU to check the cluster status.

      [Switch_A] display css status
      CSS Enable switch On
                                                                                       
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force   
      ------------------------------------------------------------------------------   
      1            On           Master          CSS card    100         Off            
      2            On           Standby         CSS card    10          Off           
      

      The output shows CSS enabled on both chassis, with chassis 1 (priority 100) as Master and chassis 2 (priority 10) as Standby, indicating that the cluster is successfully established.

      # Check whether cluster links work normally.

      [Switch_A] display css channel

      The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.

    4. Set the cluster system name to CSS.

      [Switch_A] sysname CSS
      [CSS]

  9. Configure the interfaces and VLAN IDs on switches.
    1. Create VLANs.

      [CSS] vlan batch 100 to 126 128 300 2001

    2. Configure upstream and downstream interfaces.

      [CSS] interface GigabitEthernet 1/6/0/36  //Connected to server
      [CSS-GigabitEthernet1/6/0/36] port link-type trunk
      [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0  //Connected to the extranet
      [CSS-GigabitEthernet2/3/0/0] port link-type trunk
      [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36  //Connected to client
      [CSS-GigabitEthernet2/3/0/36] port link-type trunk
      [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
      [CSS-GigabitEthernet2/3/0/36] quit
      

    3. Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.

      [CSS] interface vlanif 2001
      [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
      [CSS-Vlanif2001] quit
      [CSS] interface vlanif 100
      [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
      [CSS-Vlanif100] quit
      [CSS] interface vlanif 300
      [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
      [CSS-Vlanif300] quit
      [CSS] interface Vlanif 101
      [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
      [CSS-Vlanif101] quit
      [CSS] interface vlanif 102
      [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
      [CSS-Vlanif102] quit
      [CSS] interface vlanif 126
      [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
      [CSS-Vlanif126] quit
      [CSS] interface vlanif 128  //Layer 3 interface connected to the NGFW module
      [CSS-Vlanif128] ip address 10.55.28.4 255.255.255.0
      [CSS-Vlanif128] quit
      

    4. Add the eight interfaces between the switches and NGFW/IPS modules to Eth-Trunk 105, Eth-Trunk 106, and Eth-Trunk 100.

      [CSS] interface eth-trunk 105
      [CSS-Eth-Trunk105] description to-ngfw-a
      [CSS-Eth-Trunk105] port link-type trunk
      [CSS-Eth-Trunk105] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk105] port trunk allow-pass vlan 128
      [CSS-Eth-Trunk105] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
      [CSS-Eth-Trunk105] quit
      [CSS] interface eth-trunk 106
      [CSS-Eth-Trunk106] description to-ngfw-b
      [CSS-Eth-Trunk106] port link-type trunk
      [CSS-Eth-Trunk106] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk106] port trunk allow-pass vlan 128
      [CSS-Eth-Trunk106] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
      [CSS-Eth-Trunk106] quit
      [CSS] interface eth-trunk 100
      [CSS-Eth-Trunk100] description to-ips
      [CSS-Eth-Trunk100] port link-type trunk
      [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
      [CSS-Eth-Trunk100] mac-address learning disable
      [CSS-Eth-Trunk100] stp disable
      [CSS-Eth-Trunk100] quit
      

    5. Set the load balancing mode on Eth-Trunks.

      [CSS] load-balance-profile sec
      [CSS-load-balance-profile-sec] ipv4 field sip dip
      [CSS-load-balance-profile-sec] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] load-balance enhanced profile sec
      [CSS-Eth-Trunk100] quit
      [CSS] interface Eth-Trunk 105
      [CSS-Eth-Trunk105] load-balance enhanced profile sec
      [CSS-Eth-Trunk105] quit
      [CSS] interface Eth-Trunk 106
      [CSS-Eth-Trunk106] load-balance enhanced profile sec
      [CSS-Eth-Trunk106] quit

    6. Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk100
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/36] quit

    7. Configure traffic policies and bind them to interfaces to implement redirection.

      # Create ACLs.

      [CSS] acl 3010  //Match the flows sent from clients
      [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3010] quit
      [CSS] acl 3011  //Match the flows destined for clients
      [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3011] quit
      [CSS] acl 3020  //Match the flows sent from servers
      [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3020] quit
      [CSS] acl 3021  //Match the flows destined for servers
      [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3021] quit
      [CSS] acl 3012  //Match inter-client flows within a subnet
      [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3012] quit
      [CSS] acl 3022  //Match inter-server flows within a subnet
      [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3022] quit

      # Configure traffic classifiers.

      [CSS] traffic classifier from-office operator or precedence 80
      [CSS-classifier-from-office] if-match acl 3010
      [CSS-classifier-from-office] quit
      [CSS] traffic classifier to-office operator or precedence 85
      [CSS-classifier-to-office] if-match acl 3011
      [CSS-classifier-to-office] quit
      [CSS] traffic classifier from-server operator or precedence 75
      [CSS-classifier-from-server] if-match acl 3020
      [CSS-classifier-from-server] quit
      [CSS] traffic classifier to-server operator or precedence 60
      [CSS-classifier-to-server] if-match acl 3021
      [CSS-classifier-to-server] quit
      [CSS] traffic classifier office-office operator or precedence 40
      [CSS-classifier-office-office] if-match acl 3012
      [CSS-classifier-office-office] quit
      [CSS] traffic classifier server-server operator or precedence 65
      [CSS-classifier-server-server] if-match acl 3022
      [CSS-classifier-server-server] quit
      

      # Configure traffic behaviors.

      [CSS] traffic behavior behavior1
      [CSS-behavior-behavior1] permit  //Forward the flows normally without redirection
      [CSS-behavior-behavior1] quit
      [CSS] traffic behavior to-eth-trunk100
      [CSS-behavior-to-eth-trunk100] permit
      [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100  //Redirect flows to the IPS module
      [CSS-behavior-to-eth-trunk100] quit
      [CSS] traffic behavior to-eth-trunk105-6
      [CSS-behavior-to-eth-trunk105-6] permit
      [CSS-behavior-to-eth-trunk105-6] redirect ip-nexthop 10.55.28.1  //Redirect flows to the NGFW module (VRRP virtual IP address)
      [CSS-behavior-to-eth-trunk105-6] quit
      

      # Bind traffic policies to interfaces.

      [CSS] traffic policy ips-to-fw match-order config
      [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk105-6
      [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk105-6
      [CSS-trafficpolicy-ips-to-fw] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS Module to the NGFW module
      [CSS-Eth-Trunk100] quit
      [CSS] traffic policy internet-in match-order config
      [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
      [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module
      [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk105-6  //Redirect the flows from extranet to clients to the NGFW module
      [CSS-trafficpolicy-internet-in] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] traffic policy office-out match-order config
      [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet
      [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module
      [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk105-6  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
      [CSS-trafficpolicy-office-out] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
      [CSS-GigabitEthernet2/3/0/36] quit
      [CSS] traffic policy server-out match-order config
      [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet
      [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
      [CSS-trafficpolicy-server-out] quit
      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
      [CSS-GigabitEthernet1/6/0/36] quit
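    The redirection logic of step 7 is easier to reason about when the ACLs, classifiers, behaviors and policy bindings are laid out as data and evaluated against sample flows. The following Python model is an added example and is not part of the Huawei document or the switch software: it reproduces the step 7 configuration (ACL numbers, subnets, classifier and behavior names, and the per-interface bindings are the page's own), applies each policy in configuration order as match-order config does, and traces which modules a flow passes through, including the second hop from the IPS module to the NGFW module via the ips-to-fw policy on Eth-Trunk 100. The flows in the usage section are constructed samples.

```python
"""Model of the S12700 redirection policies configured in step 7.

Added example, not from the Huawei document. ACLs, classifiers, behaviors
and bindings are taken from the page; sample flows are constructed.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def acl_field_matches(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL wildcard masks: a set bit means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return ip_to_int(addr) & care == ip_to_int(network) & care


# acl number -> (source, source-wildcard, destination, destination-wildcard); None = any
ACLS = {
    3010: [("10.55.1.0", "0.0.0.255", None, None),
           ("10.55.2.0", "0.0.0.255", None, None),
           ("10.55.26.0", "0.0.0.255", None, None)],
    3011: [(None, None, "10.55.1.0", "0.0.0.255"),
           (None, None, "10.55.2.0", "0.0.0.255"),
           (None, None, "10.55.26.0", "0.0.0.255")],
    3020: [("10.55.0.0", "0.0.0.255", None, None),
           ("10.55.200.0", "0.0.0.255", None, None)],
    3021: [(None, None, "10.55.0.0", "0.0.0.255"),
           (None, None, "10.55.200.0", "0.0.0.255")],
    3012: [("10.55.1.0", "0.0.0.255", "10.55.1.0", "0.0.0.255"),
           ("10.55.2.0", "0.0.0.255", "10.55.2.0", "0.0.0.255"),
           ("10.55.26.0", "0.0.0.255", "10.55.26.0", "0.0.0.255")],
    3022: [("10.55.0.0", "0.0.0.255", "10.55.0.0", "0.0.0.255"),
           ("10.55.200.0", "0.0.0.255", "10.55.200.0", "0.0.0.255")],
}


def acl_permits(acl: int, src: str, dst: str) -> bool:
    """First permit rule whose source and destination both match wins."""
    for s_net, s_wc, d_net, d_wc in ACLS[acl]:
        if s_net and not acl_field_matches(src, s_net, s_wc):
            continue
        if d_net and not acl_field_matches(dst, d_net, d_wc):
            continue
        return True
    return False


# traffic classifier -> ACL it matches
CLASSIFIERS = {"from-office": 3010, "to-office": 3011, "from-server": 3020,
               "to-server": 3021, "office-office": 3012, "server-server": 3022}

# traffic behavior -> where the flow is sent (None = forwarded normally)
BEHAVIORS = {"behavior1": None,                # permit only
             "to-eth-trunk100": "IPS",         # redirect interface Eth-Trunk 100
             "to-eth-trunk105-6": "NGFW"}      # redirect ip-nexthop 10.55.28.1

# traffic policy -> (classifier, behavior) pairs in configuration order
POLICIES = {
    "ips-to-fw": [("to-server", "to-eth-trunk105-6"), ("from-server", "to-eth-trunk105-6")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk105-6")],
    "office-out": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                   ("from-office", "to-eth-trunk105-6")],
    "server-out": [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}

# inbound traffic-policy binding per interface
BINDINGS = {"Eth-Trunk 100": "ips-to-fw", "GigabitEthernet 2/3/0/0": "internet-in",
            "GigabitEthernet 2/3/0/36": "office-out", "GigabitEthernet 1/6/0/36": "server-out"}


def apply_policy(policy: str, src: str, dst: str):
    """match-order config: the first classifier whose ACL permits the flow decides."""
    for classifier, behavior in POLICIES[policy]:
        if acl_permits(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return None  # no classifier matched: forwarded normally


def trace_flow(ingress: str, src: str, dst: str) -> list:
    """Modules the flow traverses, in order, after arriving on `ingress`."""
    modules = []
    effect = apply_policy(BINDINGS[ingress], src, dst)
    if effect == "IPS":
        modules.append("IPS")
        # The IPS module hands the flow back on Eth-Trunk 100, where ips-to-fw applies.
        effect = apply_policy(BINDINGS["Eth-Trunk 100"], src, dst)
    if effect == "NGFW":
        modules.append("NGFW")
    return modules


if __name__ == "__main__":
    # constructed sample flows: client to server, extranet to client
    for ingress, src, dst in [("GigabitEthernet 2/3/0/36", "10.55.1.5", "10.55.0.10"),
                              ("GigabitEthernet 2/3/0/0", "203.0.113.7", "10.55.1.5")]:
        print(f"{src} -> {dst} via {ingress}: {trace_flow(ingress, src, dst) or ['none']}")
```

    Running the model confirms the comments in the policy bindings: intra-subnet client or server flows hit behavior1 and are never redirected, client-to-server and extranet-to-server flows go through the IPS module and then the NGFW module, and client-to-extranet or extranet-to-client flows go to the NGFW module only. Because every policy uses match-order config, the order of the classifier lines inside a policy is what decides, so moving the office-office line below to-server would change the result for intra-subnet flows.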
      

  10. Verify the configuration.

    # Check the configuration of the S12700 cluster.

    [CSS] display device
    Chassis 1 (Master Switch)
    S12708's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
    1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    Chassis 2   (Standby Switch)
    S12712's Device status   :
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
    1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    PWR2  -     -               Present   PowerOn    Registered     Normal     NA
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    FAN5  -     -               Present   PowerOn    Registered     Normal     NA
    

    # Check the status of the Eth-Trunks between the IPS/NGFW modules and the S12700 cluster.

    [IPS Module] display interface brief | include up
    2016/5/31 10:49
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%     0%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0
    
    [NGFW Module_B] display interface brief | include up 
    10:56:34  2016/05/31
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    Eth-Trunk1.1                up    up       0.01%     0%                 0                 0
    Eth-Trunk1.2                up    up       0.01%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0
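    A check like the one above is worth scripting, since a single member interface that is down or counting errors leaves the Eth-Trunk itself showing up. The following Python script is an added example, not part of the Huawei document: it parses the display interface brief format shown above and reports, for each Eth-Trunk, whether the trunk and every member interface are up with zero errors. SAMPLE_OUTPUT is a constructed excerpt in that format, captured without the `| include up` filter so that it contains an administratively down member and illustrates what the check catches.

```python
"""Eth-Trunk health check over 'display interface brief' output.

Added example, not part of the Huawei document. SAMPLE_OUTPUT is a
constructed excerpt in the format shown on this page (captured without
the '| include up' filter, so a down member interface is present).
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/1(XGE) *down down        0%     0%                 0                 3
Eth-Trunk1.1                up    up       0.01%     0%                 0                 0
NULL0                       up    up(s)       0%     0%                 0                 0
"""

# groups: indent, Interface, PHY, Protocol, InUti, OutUti, inErrors, outErrors
ROW = re.compile(r"^(\s*)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


@dataclass
class Row:
    name: str
    phy: str
    protocol: str
    in_errors: int
    out_errors: int
    parent: Optional[str]  # Eth-Trunk an indented member line belongs to

    def healthy(self) -> bool:
        # 'up(s)' (spoofing, e.g. NULL0) still counts as protocol up
        return (self.phy == "up" and self.protocol.startswith("up")
                and self.in_errors == 0 and self.out_errors == 0)


def parse_interface_brief(text: str) -> list:
    """Table rows of the output; legend and header lines are skipped."""
    rows, current_trunk = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        indent, name, phy, proto, _in, _out, ierr, oerr = m.groups()
        if not indent:
            # top-level line: remember it if it is an Eth-Trunk so that the
            # indented member lines that follow can be attached to it
            current_trunk = name if name.startswith("Eth-Trunk") else None
            parent = None
        else:
            parent = current_trunk
        rows.append(Row(name, phy, proto, int(ierr), int(oerr), parent))
    return rows


def eth_trunk_health(text: str) -> dict:
    """{trunk: {"ok": bool, "members": [...], "problems": [...]}} per Eth-Trunk."""
    report = {}
    for row in parse_interface_brief(text):
        # subinterfaces such as Eth-Trunk1.1 have no members and are not trunks here
        is_trunk = row.parent is None and row.name.startswith("Eth-Trunk") and "." not in row.name
        if is_trunk:
            report[row.name] = {"ok": row.healthy(), "members": [],
                                "problems": [] if row.healthy() else [row.name]}
        elif row.parent in report:
            entry = report[row.parent]
            entry["members"].append(row.name)
            if not row.healthy():
                entry["ok"] = False
                entry["problems"].append(row.name)
    return report


if __name__ == "__main__":
    for trunk, info in eth_trunk_health(SAMPLE_OUTPUT).items():
        print(trunk, "OK" if info["ok"] else "PROBLEM: " + ", ".join(info["problems"]))
```

    The parser keys on indentation, because that is how this output marks member interfaces under their Eth-Trunk; it treats `up(s)` as up so that spoofing interfaces such as NULL0 do not raise false alarms, and it flags a trunk as unhealthy whenever any member is not physically and protocol up or has non-zero error counters.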

    # Check traffic statistics on interfaces.

    • The traffic statistics between clients and servers are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.25%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%  0.25%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%  0.25%          0          0
        XGigabitEthernet2/5/0/1   up    up        0.25%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.25%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up        0.25%  0.50%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
    • The traffic statistics between clients and extranet are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up           0%  0.17%          0          0
        XGigabitEthernet1/4/0/1   up    up        0.50%  0.33%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.01%  0.01%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
    • The traffic statistics between servers and extranet are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.12%  0.12%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
      
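The three verification outputs above are checked by eye. The following Python script is an added example (not part of Huawei's documentation) that parses the `display interface brief` table the switch prints and confirms the steering path: the inspection trunks (IPS Eth-Trunk100, active NGFW Eth-Trunk105) and the edge ports must be up and carrying traffic with zero error counters, while the standby NGFW trunk stays idle. The sample text is constructed from the servers-to-extranet output shown above; the interface lists and the notion of "idle" are this example's own choices.

```python
"""Checker for 'display interface brief' output (added example, not Huawei code).

It parses the table printed by the switch and confirms that the interfaces on
the intended inspection path carry traffic without errors while the standby
path is idle. SAMPLE_OUTPUT is constructed from the verification output above.
"""

SAMPLE_OUTPUT = """\
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up        0.12%  0.12%          0          0
  XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
  XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
Eth-Trunk105                up    up        0.25%  0.25%          0          0
  XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
Eth-Trunk106                up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif128                   up    up           --     --          0          0
"""

# Interfaces that must carry server-to-extranet traffic, and the one that must not
# (NGFW Module_B is the VRRP standby, so Eth-Trunk106 should stay idle).
PATH_ACTIVE = ["Eth-Trunk100", "Eth-Trunk105", "GigabitEthernet1/6/0/36", "GigabitEthernet2/3/0/0"]
PATH_IDLE = ["Eth-Trunk106"]


def _util(token):
    """'0.25%' -> 0.25, '0%' -> 0.0, '--' (logical ports without counters) -> None."""
    return None if token == "--" else float(token.rstrip("%"))


def parse_interface_brief(text):
    """Return {interface: record} for every row after the 'Interface' header line.

    The legend lines printed before the table are skipped; member ports of an
    Eth-Trunk are indented in the output but parse like any other row.
    """
    rows, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Interface"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        name, phy, proto, in_u, out_u, in_err, out_err = line.split()
        rows[name] = {
            "phy": phy,
            "proto": proto.replace("(s)", ""),   # 'up(s)' on NULL0 means spoofing, still up
            "in": _util(in_u),
            "out": _util(out_u),
            "in_errors": int(in_err),
            "out_errors": int(out_err),
        }
    return rows


def check_steering(rows, active, idle):
    """Return a list of findings; an empty list means the steering looks right."""
    findings = []
    for name in active:
        r = rows.get(name)
        if r is None:
            findings.append(f"{name}: missing from output")
            continue
        if r["phy"] != "up" or r["proto"] != "up":
            findings.append(f"{name}: not up/up")
        if not (r["in"] or r["out"]):
            findings.append(f"{name}: no traffic, redirect may not be taking effect")
        if r["in_errors"] or r["out_errors"]:
            findings.append(f"{name}: error counters non-zero")
    for name in idle:
        r = rows.get(name)
        if r and (r["in"] or r["out"]):
            findings.append(f"{name}: carrying traffic, expected idle (standby path)")
    return findings


if __name__ == "__main__":
    table = parse_interface_brief(SAMPLE_OUTPUT)
    problems = check_steering(table, PATH_ACTIVE, PATH_IDLE)
    print("OK" if not problems else "\n".join(problems))
```

To use it on a live switch, paste the full command output (legend included) into `SAMPLE_OUTPUT` or read it from a file, and adjust `PATH_ACTIVE` for the flow being tested (for the clients-to-extranet check, Eth-Trunk100 is expected to be idle because office traffic is redirected straight to the NGFW next hop).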

Configuration Files
  • NGFW module configuration files

    NGFW Module_A
    #
    sysname NGFW Module_A
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.1 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk105
    #
    interface Eth-Trunk1.1
     vlan-type dot1q 128
     ip address 10.55.28.2 255.255.255.0
     vrrp vrid 10 virtual-ip 10.55.28.1 active
     service-manage ping permit
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
     add interface Eth-Trunk1.1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
    ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    return
    
    NGFW Module_B
    #
    sysname NGFW Module_B
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.2 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk106
    #
    interface Eth-Trunk1.1
     vlan-type dot1q 128
     ip address 10.55.28.3 255.255.255.0
     vrrp vrid 10 virtual-ip 10.55.28.1 standby
     service-manage ping permit
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
     add interface Eth-Trunk1.1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
    ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    return
    
  • IPS module configuration files

    IPS Module_A
    #
    sysname IPS Module_A
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.5 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return
    
    IPS Module_B
    #
    sysname IPS Module_B
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.6 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return
    
  • CSS configuration file

    #
    sysname CSS
    #
    vlan batch 100 to 126 128 300 2001
    #
    acl number 3010
     rule 5 permit ip source 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255
    acl number 3011
     rule 5 permit ip destination 10.55.1.0 0.0.0.255
     rule 10 permit ip destination 10.55.2.0 0.0.0.255
     rule 15 permit ip destination 10.55.26.0 0.0.0.255
    acl number 3012
     rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
    acl number 3020
     rule 5 permit ip source 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255
    acl number 3021
     rule 5 permit ip destination 10.55.0.0 0.0.0.255
     rule 10 permit ip destination 10.55.200.0 0.0.0.255
    acl number 3022
     rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
    #
    traffic classifier office-office operator or precedence 40
     if-match acl 3012
    traffic classifier from-office operator or precedence 80
     if-match acl 3010
    traffic classifier from-server operator or precedence 75
     if-match acl 3020
    traffic classifier server-server operator or precedence 65
     if-match acl 3022
    traffic classifier to-office operator or precedence 85
     if-match acl 3011
    traffic classifier to-server operator or precedence 60
     if-match acl 3021
    #
    traffic behavior behavior1
     permit
    traffic behavior to-eth-trunk100
     permit
     redirect interface Eth-Trunk100
    traffic behavior to-eth-trunk105-6
     permit
     redirect ip-nexthop 10.55.28.1
    #
    traffic policy office-out match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier from-office behavior to-eth-trunk105-6
    traffic policy internet-in match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier to-office behavior to-eth-trunk105-6
    traffic policy ips-to-fw match-order config
     classifier to-server behavior to-eth-trunk105-6
     classifier from-server behavior to-eth-trunk105-6
    traffic policy server-out match-order config
     classifier server-server behavior behavior1
     classifier from-server behavior to-eth-trunk100
    #
    interface Vlanif100
     ip address 10.55.0.1 255.255.255.0
    #
    interface Vlanif101
     ip address 10.55.1.1 255.255.255.0
    #
    interface Vlanif102
     ip address 10.55.2.1 255.255.255.0
    #
    interface Vlanif128
     ip address 10.55.28.4 255.255.255.0
    #
    interface Vlanif300
     ip address 10.55.200.1 255.255.255.0
    #
    interface Vlanif2001
     ip address 10.54.1.253 255.255.255.248
    #
    load-balance-profile sec
    #
    interface Eth-Trunk100
     description to-ips
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     traffic-policy ips-to-fw inbound
     load-balance enhanced profile sec
    #
    interface Eth-Trunk105
     description to-ngfw-a
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 128
     load-balance enhanced profile sec
    #
    interface Eth-Trunk106
     description to-ngfw-b
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 128
     load-balance enhanced profile sec
    #
    interface GigabitEthernet1/6/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 300
     traffic-policy server-out inbound
     am isolate Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/0
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 2001
     traffic-policy internet-in inbound
     am isolate Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 101 to 126
     traffic-policy office-out inbound
     am isolate Eth-Trunk100
    #
    interface XGigabitEthernet1/4/0/0
     eth-trunk 105
    #
    interface XGigabitEthernet1/4/0/1
     eth-trunk 105
    #
    interface XGigabitEthernet1/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet1/5/0/1
     eth-trunk 100
    #
    interface XGigabitEthernet2/4/0/0
     eth-trunk 106
    #
    interface XGigabitEthernet2/4/0/1
     eth-trunk 106
    #
    interface XGigabitEthernet2/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet2/5/0/1
     eth-trunk 100
    #
    return
    
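The CSS configuration above steers each flow with ACL-based classifiers, behaviors and per-port inbound traffic policies. Because every policy uses `match-order config`, the classifier/behavior pairs are tried in the order they were added to the policy and the first match wins, so the order decides whether a flow is forwarded normally, sent to the IPS pair through Eth-Trunk100, or sent to the NGFW VRRP address 10.55.28.1. The following Python script is an added example (not Huawei's code and not part of the configuration example) that transcribes the ACLs, classifiers, behaviors, policies and port bindings from the CSS configuration and replays that decision for a given source, destination and ingress port. The flow addresses used in the usage section, such as 203.0.113.5 for an extranet host, are constructed; the `trace()` helper additionally assumes that traffic redirected to Eth-Trunk100 returns from the IPS pair-interface on the same trunk, where policy `ips-to-fw` is bound inbound.

```python
"""Simulator for the CSS traffic-steering policy (added example, not Huawei code).

It re-creates the decision the switch makes when a traffic policy with
'match-order config' is applied inbound on a port: the first classifier whose
ACL permits the packet wins, and its behavior forwards the packet normally,
redirects it to the IPS Eth-Trunk, or redirects it to the NGFW VRRP next hop.
All tables below are transcribed from the CSS configuration file above.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei ACL semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def rule(source=None, destination=None):
    """One 'rule N permit ip ...' line; None means the field is not specified."""
    return {"source": source, "destination": destination}


OFFICE = [("10.55.1.0", "0.0.0.255"), ("10.55.2.0", "0.0.0.255"), ("10.55.26.0", "0.0.0.255")]
SERVER = [("10.55.0.0", "0.0.0.255"), ("10.55.200.0", "0.0.0.255")]

ACLS = {
    3010: [rule(source=n) for n in OFFICE],
    3011: [rule(destination=n) for n in OFFICE],
    3012: [rule(source=n, destination=n) for n in OFFICE],
    3020: [rule(source=n) for n in SERVER],
    3021: [rule(destination=n) for n in SERVER],
    3022: [rule(source=n, destination=n) for n in SERVER],
}
CLASSIFIERS = {"office-office": 3012, "from-office": 3010, "from-server": 3020,
               "server-server": 3022, "to-office": 3011, "to-server": 3021}
BEHAVIORS = {"behavior1": "permit",
             "to-eth-trunk100": "redirect interface Eth-Trunk100",
             "to-eth-trunk105-6": "redirect ip-nexthop 10.55.28.1"}
# Classifier/behavior pairs in configured order, which is the match order under 'match-order config'.
POLICIES = {
    "office-out":  [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"), ("from-office", "to-eth-trunk105-6")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"), ("to-office", "to-eth-trunk105-6")],
    "ips-to-fw":   [("to-server", "to-eth-trunk105-6"), ("from-server", "to-eth-trunk105-6")],
    "server-out":  [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}
INBOUND_POLICY = {"GigabitEthernet1/6/0/36": "server-out", "GigabitEthernet2/3/0/0": "internet-in",
                  "GigabitEthernet2/3/0/36": "office-out", "Eth-Trunk100": "ips-to-fw"}


def acl_permits(acl_number, src, dst):
    """True when any rule of the ACL matches (all rules in this configuration are 'permit')."""
    for r in ACLS[acl_number]:
        if r["source"] and not wildcard_match(src, *r["source"]):
            continue
        if r["destination"] and not wildcard_match(dst, *r["destination"]):
            continue
        return True
    return False


def steer(port, src, dst):
    """(classifier, action) chosen by the policy bound inbound on `port`.

    Returns (None, 'permit') when no policy is bound to the port or no classifier
    matches: the packet is then forwarded by the normal routing table.
    """
    policy = INBOUND_POLICY.get(port)
    if policy:
        for classifier, behavior in POLICIES[policy]:
            if acl_permits(CLASSIFIERS[classifier], src, dst):
                return classifier, BEHAVIORS[behavior]
    return None, "permit"


def trace(port, src, dst):
    """Follow a flow across successive inbound policies until it is permitted or sent to the NGFW.

    Modeled assumption: traffic redirected to Eth-Trunk100 comes back from the IPS
    pair-interface on the same Eth-Trunk, where policy ips-to-fw is applied inbound.
    """
    hops, seen = [], set()
    while port not in seen:
        seen.add(port)
        classifier, action = steer(port, src, dst)
        hops.append((port, classifier, action))
        if action != BEHAVIORS["to-eth-trunk100"]:
            break
        port = "Eth-Trunk100"
    return hops


if __name__ == "__main__":
    # Constructed flows; 203.0.113.5 stands in for an extranet host.
    for port, src, dst in [("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),
                           ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.10"),
                           ("GigabitEthernet2/3/0/36", "10.55.1.10", "203.0.113.5"),
                           ("GigabitEthernet2/3/0/0", "203.0.113.5", "10.55.200.10")]:
        print(src, "->", dst, "in on", port, ":", trace(port, src, dst))
```

Running the script shows, for instance, that office-to-server traffic arriving on GigabitEthernet2/3/0/36 is first redirected to the IPS (Eth-Trunk100) and then, by the `ips-to-fw` policy, to the NGFW next hop, while traffic between hosts of the same office subnet matches `office-office` first and is forwarded without inspection. Reordering the pairs inside a policy changes these answers, which is why the simulator is useful when a policy is edited.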
Updated: 2019-05-16

Document ID: EDOC1000069466