Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where PBR-based Traffic Diversion Is Implemented
Service Requirements
As shown in Figure 3-313, two switches are deployed in a CSS and two NGFW Modules are installed in slot 1 on the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. Two NGFW Modules work in active/standby mode.
This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment Guide" in the search bar.
The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.
Data Planning
Item | Sub-item | Data | Description
---|---|---|---
Hot standby | - | NGFW Module_A: active; NGFW Module_B: standby | -
NAT | Source NAT | NAT type: PAT; Address pool: 1.1.1.1 to 1.1.1.2 | The source address is automatically translated for Internet access from a specified private subnet.
NAT | NAT Server | Global address: 1.1.1.3; Inside address: 192.168.2.8 | A specified server address is translated from a private address to a public address for Internet users to access.
Security policy | Policy 1: policy_sec1 | Source security zone: Trust; Destination security zone: Untrust; Source IP address: 192.168.1.0; Action: permit | Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.
Security policy | Policy 2: policy_sec2 | Source security zone: Untrust; Destination security zone: DMZ; Destination IP address: 192.168.2.0; Action: permit | Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.
Deployment Solution
Figure 3-313 can be abstracted as Figure 3-314. You can understand the mapping between the two figures based on interface numbers and actual traffic directions.
As shown in Figure 3-314, a default route (next hop: VLANIF201) to the public network, a specific route (next hop: VLANIF202) to the Trust zone, and a specific route (next hop: VLANIF203) to the DMZ need to be configured on the NGFW modules. PBR needs to be configured on the switches to direct traffic to the firewalls.
Specify Eth-trunk0 as the heartbeat interface and enable hot standby on each NGFW Module.
Configure security functions, such as security policies, NAT policies, and IPS, on NGFW Module_A. NGFW Module_A automatically synchronizes its configurations to NGFW Module_B.
Procedure
- Complete interface and basic network configurations on NGFW Modules.
# Configure device name on NGFW Module_A.
```
<sysname> system-view
[sysname] sysname Module_A
```
# Configure IP addresses for the interfaces on NGFW Module_A.
```
[Module_A] interface Eth-trunk 1
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit
[Module_A] interface Eth-trunk 1.1
[Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
[Module_A-Eth-Trunk1.1] vlan-type dot1q 201
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk 1.2
[Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
[Module_A-Eth-Trunk1.2] vlan-type dot1q 202
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk 1.3
[Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
[Module_A-Eth-Trunk1.3] vlan-type dot1q 203
[Module_A-Eth-Trunk1.3] quit
[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit
```
# Assign the interfaces of NGFW Module_A to security zones.
```
[Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-trunk 1.1
[Module_A-zone-untrust] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-trunk 1.2
[Module_A-zone-trust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-trunk 1.3
[Module_A-zone-dmz] quit
[Module_A] firewall zone name hrpzone
[Module_A-zone-hrpzone] set priority 65
[Module_A-zone-hrpzone] add interface Eth-Trunk 0
[Module_A-zone-hrpzone] quit
```
# Configure device name on NGFW Module_B.
```
<sysname> system-view
[sysname] sysname Module_B
```
# Configure IP addresses for the interfaces on NGFW Module_B.
```
[Module_B] interface Eth-trunk 1
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit
[Module_B] interface Eth-trunk 1.1
[Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
[Module_B-Eth-Trunk1.1] vlan-type dot1q 201
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk 1.2
[Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
[Module_B-Eth-Trunk1.2] vlan-type dot1q 202
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk 1.3
[Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
[Module_B-Eth-Trunk1.3] vlan-type dot1q 203
[Module_B-Eth-Trunk1.3] quit
[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit
```
# Assign the interfaces of NGFW Module_B to security zones.
```
[Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-trunk 1.1
[Module_B-zone-untrust] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-trunk 1.2
[Module_B-zone-trust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-trunk 1.3
[Module_B-zone-dmz] quit
[Module_B] firewall zone name hrpzone
[Module_B-zone-hrpzone] set priority 65
[Module_B-zone-hrpzone] add interface Eth-Trunk 0
[Module_B-zone-hrpzone] quit
```
- Create static routes on NGFW Modules.
# On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201.
```
[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
```
# On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.
```
[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
```
# On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.
```
[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
```
# On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.
```
[Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0
```
# On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
```
[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0
```
# On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.
```
[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
```
# On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.
```
[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
```
# On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.
```
[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
```
# On NGFW Module_B, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.
```
[Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0
```
# On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
```
[Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0
```
- Configure hot standby on NGFW Modules.
# Configure VRRP groups on NGFW Module_A.
```
[Module_A] interface Eth-trunk1.1
[Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk1.2
[Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk1.3
[Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
[Module_A-Eth-Trunk1.3] quit
```
# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
```
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable
```
# Configure VRRP groups on NGFW Module_B.
```
[Module_B] interface Eth-trunk1.1
[Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk1.2
[Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk1.3
[Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
[Module_B-Eth-Trunk1.3] quit
```
# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
```
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
```
After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.
- Configure security services on NGFW Modules.
# On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.
```
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_sec1
HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
HRP_A[Module_A-policy-security-rule-policy_sec1] quit
```
# On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.
```
HRP_A[Module_A-policy-security] rule name policy_sec2
HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
HRP_A[Module_A-policy-security-rule-policy_sec2] quit
HRP_A[Module_A-policy-security] quit
```
# Configure ASPF on NGFW Module_A. FTP is used as an example.
```
HRP_A[Module_A] firewall interzone untrust dmz
HRP_A[Module_A-interzone-dmz-untrust] detect ftp
HRP_A[Module_A-interzone-dmz-untrust] quit
```
# Configure a NAT address pool.
```
HRP_A[Module_A] nat address-group addressgroup1
HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
HRP_A[Module_A-address-group-addressgroup1] quit
```
# Configure a source NAT policy for Internet access from the specified private subnet.
```
HRP_A[Module_A] nat-policy
HRP_A[Module_A-policy-nat] rule name policy_nat1
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
HRP_A[Module_A-policy-nat] quit
```
# Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server in the DMZ is translated into public address 1.1.1.3:8000.
```
HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80
```
# Save configurations on NGFW Module_A and NGFW Module_B.
```
HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
```

```
HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
```
- Configure the core switches to form a CSS.
- Configure interfaces and VLANs for switches. This example describes how to configure interoperation between the switch and NGFW modules.
```
[CSS] vlan batch 201 to 203 //Create VLANs.
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] description To_NGFW_Module_A
[CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1 //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 203 //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, and 203.
[CSS-Eth-Trunk5] quit
[CSS] interface eth-trunk 6
[CSS-Eth-Trunk6] description To_NGFW_Module_B
[CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1 //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 203 //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, and 203.
[CSS-Eth-Trunk6] quit
[CSS] interface vlanif 201
[CSS-Vlanif201] ip address 10.3.1.4 24 //Configure an IP address for VLANIF201.
[CSS-Vlanif201] quit
[CSS] interface vlanif 202
[CSS-Vlanif202] ip address 10.3.2.4 24 //Configure an IP address for VLANIF202.
[CSS-Vlanif202] quit
[CSS] interface vlanif 203
[CSS-Vlanif203] ip address 10.3.3.4 24 //Configure an IP address for VLANIF203.
[CSS-Vlanif203] quit
```
- Configure traffic diversion on the switch. This example describes how to configure interoperation between the switch and NGFW modules.
```
[CSS] acl 3001 //Create ACL3001.
[CSS-acl-adv-3001] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 //Configure a rule for ACL3001: source network segment 192.168.1.0 and destination network segment 192.168.2.0.
[CSS-acl-adv-3001] rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //Configure a rule for ACL3001: source network segment 192.168.2.0 and destination network segment 192.168.1.0.
[CSS-acl-adv-3001] quit
[CSS] traffic classifier c1 precedence 5 //Create traffic classifier c1.
[CSS-classifier-c1] if-match acl 3001 //Match packets exchanged between the Trust zone and DMZ with the ACL3001 rule.
[CSS-classifier-c1] quit
[CSS] traffic behavior b1 //Create traffic behavior b1.
[CSS-behavior-b1] permit //Permit the matching packets.
[CSS-behavior-b1] quit
[CSS] acl 3002 //Create ACL3002.
[CSS-acl-adv-3002] rule 5 permit ip source 192.168.1.0 0.0.0.255 //Configure a rule for ACL3002: source network segment 192.168.1.0.
[CSS-acl-adv-3002] quit
[CSS] traffic classifier c2 precedence 10 //Create traffic classifier c2.
[CSS-classifier-c2] if-match acl 3002 //Match the packets from network segment 192.168.1.0, namely, packets from the Trust zone to the Internet, with ACL3002.
[CSS-classifier-c2] quit
[CSS] traffic behavior b2 //Create traffic behavior b2.
[CSS-behavior-b2] redirect ip-nexthop 10.3.2.1 //Redirect the matching packets to address 10.3.2.1, namely, the connected NGFW Module.
[CSS-behavior-b2] quit
[CSS] traffic policy p1 //Create traffic policy p1.
[CSS-trafficpolicy-p1] classifier c1 behavior b1 //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p1. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
[CSS-trafficpolicy-p1] classifier c2 behavior b2 //Bind traffic classifier c2 and traffic behavior b2 with traffic policy p1. All packets from the Trust zone to the Internet are redirected to the NGFW Module.
[CSS-trafficpolicy-p1] quit
[CSS] interface eth-trunk 2 //Access the view of the interface connecting the switch to the Trust zone.
[CSS-Eth-Trunk2] traffic-policy p1 inbound //Apply traffic policy p1 in the inbound direction of the interface connecting the switch to the Trust zone.
[CSS-Eth-Trunk2] quit
[CSS] acl 3003 //Create ACL3003.
[CSS-acl-adv-3003] rule 5 permit ip source 192.168.2.0 0.0.0.255 //Configure a rule for ACL3003: source network segment 192.168.2.0.
[CSS-acl-adv-3003] quit
[CSS] traffic classifier c3 precedence 15 //Create traffic classifier c3.
[CSS-classifier-c3] if-match acl 3003 //Match all packets from network segment 192.168.2.0, namely, all packets from the DMZ to the Internet, with the ACL3003 rule.
[CSS-classifier-c3] quit
[CSS] traffic behavior b3 //Create traffic behavior b3.
[CSS-behavior-b3] redirect ip-nexthop 10.3.3.1 //Redirect the matching packets to address 10.3.3.1, namely, the NGFW Module.
[CSS-behavior-b3] quit
[CSS] traffic policy p3 //Create traffic policy p3.
[CSS-trafficpolicy-p3] classifier c1 behavior b1 //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p3. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
[CSS-trafficpolicy-p3] classifier c3 behavior b3 //Bind traffic classifier c3 and traffic behavior b3 with traffic policy p3. All traffic from the DMZ to the Internet is directed to the NGFW Module.
[CSS-trafficpolicy-p3] quit
[CSS] interface eth-trunk 3 //Access the view of the interface connecting the switch to the DMZ.
[CSS-Eth-Trunk3] traffic-policy p3 inbound //Apply traffic policy p3 in the inbound direction of the interface connecting the switch to the DMZ.
[CSS-Eth-Trunk3] quit
[CSS] ip route-static 1.1.1.1 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
[CSS] ip route-static 1.1.1.2 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
[CSS] ip route-static 1.1.1.3 32 10.3.1.1 //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
```
In this example, the source NAT and NAT server functions are configured on the NGFW Module. From the switch's point of view, the destination address of traffic sent from the public network to the private network is therefore a post-NAT (public) address, so a static route on the switch is enough to direct traffic sent from the public network to the private network to the NGFW Module.
If no source NAT or NAT server function is configured on the NGFW Module, the destination address of traffic sent from the public network to the private network is, as seen by the switch, still a private address. In this case, you need to configure a traffic policy on the upstream interface of the switch to direct the traffic to the NGFW Module.
```
[CSS] acl 3004 //Create ACL3004.
[CSS-acl-adv-3004] rule 5 permit ip destination 192.168.1.0 0.0.0.255 //Configure a rule for ACL3004: destination network segment 192.168.1.0.
[CSS-acl-adv-3004] rule 10 permit ip destination 192.168.2.0 0.0.0.255 //Configure a rule for ACL3004: destination network segment 192.168.2.0.
[CSS-acl-adv-3004] quit
[CSS] traffic classifier c4 precedence 20 //Create traffic classifier c4.
[CSS-classifier-c4] if-match acl 3004 //Match the packets whose destination network segments are 192.168.1.0 and 192.168.2.0, namely, all packets from the Internet to the intranet, with the ACL3004 rule.
[CSS-classifier-c4] quit
[CSS] traffic behavior b4 //Create traffic behavior b4.
[CSS-behavior-b4] redirect ip-nexthop 10.3.1.1 //Redirect the matching packets to address 10.3.1.1, namely, the NGFW Module.
[CSS-behavior-b4] quit
[CSS] traffic policy p4 //Create traffic policy p4.
[CSS-trafficpolicy-p4] classifier c4 behavior b4 precedence 20 //Bind traffic classifier c4 and traffic behavior b4 with traffic policy p4. All traffic from the Internet to the intranet is directed to the NGFW Module.
[CSS-trafficpolicy-p4] quit
[CSS] interface eth-trunk 4 //Access the view of the interface connecting the switch to the Internet.
[CSS-Eth-Trunk4] traffic-policy p4 inbound //Apply traffic policy p4 in the inbound direction of the interface connecting the switch to the Internet.
[CSS-Eth-Trunk4] quit
```
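The diversion logic above is easy to get subtly wrong: each traffic policy is evaluated in configured order with the first matching classifier winning, and anything no classifier redirects falls back to the switch's routing table. The following Python model, added here as an example and not Huawei code, re-implements that evaluation (ACL wildcard matching, first-match redirect, longest-prefix static route lookup) over the ACLs, policies, next hops and host routes shown on this page, then runs constructed sample flows through it to confirm which flows reach an NGFW VRRP address and which the switch forwards on its own. The connected and default routes in `ROUTES` and the sample flows are assumptions made for the example.

```python
"""Offline model of the CSS traffic-diversion policy from this example.

Added example (not Huawei code): re-implements the matching the switch
performs -- ACL wildcard masks, traffic policies evaluated in configured
order (match-order config) with a first-match redirect, and a longest-prefix
route lookup for anything the policies leave alone -- so the diversion plan
can be checked against sample flows before deployment. ACLs, policies, next
hops and the three host routes are from the page; the connected/default
routes and the sample flows are constructed assumptions.
"""
from ipaddress import IPv4Address, ip_network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is a don't-care."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


# ACL rules as (source, destination) pairs of (base, wildcard); None = any.
ACLS = {
    3001: [(("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
           (("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"))],
    3002: [(("192.168.1.0", "0.0.0.255"), None)],
    3003: [(("192.168.2.0", "0.0.0.255"), None)],
    3004: [(None, ("192.168.1.0", "0.0.0.255")),
           (None, ("192.168.2.0", "0.0.0.255"))],
}


def acl_permits(acl: int, src: str, dst: str) -> bool:
    """True if any rule of the ACL matches the (src, dst) pair."""
    for rule_src, rule_dst in ACLS[acl]:
        if rule_src and not wildcard_match(src, *rule_src):
            continue
        if rule_dst and not wildcard_match(dst, *rule_dst):
            continue
        return True
    return False


# Traffic policies: (acl, redirect next hop) in the order the classifiers were
# bound; None means the behavior is a plain permit with no redirect.
POLICIES = {
    "p1": [(3001, None), (3002, "10.3.2.1")],
    "p3": [(3001, None), (3003, "10.3.3.1")],
    "p4": [(3004, "10.3.1.1")],
}
INBOUND_POLICY = {"Eth-Trunk2": "p1", "Eth-Trunk3": "p3", "Eth-Trunk4": "p4"}

# Switch routing table. The three host routes are from the page; the connected
# and default entries are assumptions standing in for the CSS's other routes.
ROUTES = {
    "1.1.1.1/32": "10.3.1.1",
    "1.1.1.2/32": "10.3.1.1",
    "1.1.1.3/32": "10.3.1.1",
    "192.168.1.0/24": "connected:Eth-Trunk2",  # assumed
    "192.168.2.0/24": "connected:Eth-Trunk3",  # assumed
    "0.0.0.0/0": "upstream:Eth-Trunk4",        # assumed
}
NGFW_VIPS = {"10.3.1.1", "10.3.2.1", "10.3.3.1"}  # VRRP virtual addresses on the NGFW


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = IPv4Address(dst)
    best = max((ip_network(p) for p in ROUTES if addr in ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def resolve(ingress: str, src: str, dst: str) -> tuple:
    """('pbr', next_hop) if the inbound traffic policy redirects the packet,
    otherwise ('route', next_hop) from the routing table."""
    for acl, next_hop in POLICIES[INBOUND_POLICY[ingress]]:
        if acl_permits(acl, src, dst):
            if next_hop:
                return ("pbr", next_hop)
            break  # first match is a plain permit: normal forwarding
    return ("route", route_lookup(dst))


def inspected(ingress: str, src: str, dst: str) -> bool:
    """True if the packet is handed to an NGFW VRRP virtual address."""
    return resolve(ingress, src, dst)[1] in NGFW_VIPS


# Constructed sample flows: (ingress interface, src, dst).
SAMPLE_FLOWS = [
    ("Eth-Trunk2", "192.168.1.8", "3.3.3.3"),      # Trust -> Internet
    ("Eth-Trunk2", "192.168.1.8", "192.168.2.8"),  # Trust -> DMZ
    ("Eth-Trunk3", "192.168.2.8", "3.3.3.3"),      # DMZ -> Internet
    ("Eth-Trunk4", "2.2.2.2", "1.1.1.3"),          # Internet -> NAT server global address
    ("Eth-Trunk4", "3.3.3.3", "1.1.1.1"),          # return traffic to the NAT pool
    ("Eth-Trunk4", "2.2.2.2", "192.168.2.8"),      # Internet -> private DMZ address (no-NAT case)
]


def uninspected_flows(flows=SAMPLE_FLOWS) -> list:
    """Flows the switch forwards without handing them to the NGFW."""
    return [f for f in flows if not inspected(*f)]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", resolve(*flow))
    print("bypassing the NGFW:", uninspected_flows())
```

Running it shows the Trust-to-DMZ flow as the only one the switch forwards without inspection, which is exactly what binding c1/b1 ahead of the redirect classifiers in p1 and p3 is meant to achieve; reordering those bindings, or dropping the host routes for 1.1.1.1 to 1.1.1.3, changes the answer, which is the kind of regression this check is for.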
Verification
Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.
```
HRP_A[Module_A] display hrp state
 The firewall's config state is: ACTIVE
 Backup channel usage: 0.01%
 Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
 Current state of virtual routers configured as active:
   Eth-Trunk1.3 vrid 3 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
   Eth-Trunk1.2 vrid 2 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
   Eth-Trunk1.1 vrid 1 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
```
Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.
```
HRP_A[Module_A] display firewall session table
 Current Total Sessions : 1
  http  VPN: public --> public  192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
```

```
HRP_S[Module_B] display firewall session table
 Current Total Sessions : 1
  http  VPN: public --> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
```
According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.
Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.
```
HRP_A[Module_A] display firewall session table
 Current Total Sessions : 1
  http  VPN: public --> public  2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
```

```
HRP_S[Module_B] display firewall session table
 Current Total Sessions : 1
  http  VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
```
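The two session-table checks above are done by eye; in an environment with more than a handful of sessions it is worth scripting them. The following Python script is an added example, not Huawei code: it parses the text of `display firewall session table` from both modules in the format shown on this page, pairs each locally created session on the active module with its Remote copy on the standby, and reports sessions that have no backup as well as sessions the standby created on its own (which, while the standby carries no traffic, would point at traffic reaching it directly or at an HRP problem). The two outputs embedded in it are constructed from the page's verification output, with a second session deliberately missing on the standby so the check has something to report.

```python
"""Check that sessions on the active NGFW Module are backed up on the standby.

Added example (not Huawei code): parses the text of `display firewall session
table` as shown on this page from both modules and reports sessions that lack
a Remote copy on the standby, plus any session the standby created itself.
The two outputs below are constructed from the page's verification output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One session line: proto, VPN pair, optional Remote tag, src[post-NAT] --> dst[pre-NAT].
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?"
    r"(?P<src>\S+?)(?:\[(?P<snat>[^\]]+)\])?\s*-->\s*"
    r"(?P<dst>\S+?)(?:\[(?P<dnat>[^\]]+)\])?\s*$"
)


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    dst: str
    snat: Optional[str]  # translated source address (source NAT)
    dnat: Optional[str]  # real server address (NAT server)


def parse_sessions(output: str) -> dict:
    """Map each Session to True when it carries the Remote tag (backed up from
    the peer) and False when the module created it locally."""
    sessions = {}
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            s = Session(m["proto"], m["src"], m["dst"], m["snat"], m["dnat"])
            sessions[s] = m["remote"] is not None
    return sessions


def check_backup(active_output: str, standby_output: str) -> dict:
    """Locally created active sessions with no Remote copy on the standby, and
    sessions the standby created locally rather than received via HRP."""
    active = parse_sessions(active_output)
    standby = parse_sessions(standby_output)
    not_backed_up = [s for s, remote in active.items()
                     if not remote and not standby.get(s, False)]
    local_on_standby = [s for s, remote in standby.items() if not remote]
    return {"not_backed_up": not_backed_up, "local_on_standby": local_on_standby}


# Constructed from the page's output: Module_A holds two sessions, Module_B
# holds a Remote copy of only the first one.
ACTIVE_OUTPUT = """\
HRP_A[Module_A] display firewall session table
 Current Total Sessions : 2
  http  VPN: public --> public  192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
  http  VPN: public --> public  2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""
STANDBY_OUTPUT = """\
HRP_S[Module_B] display firewall session table
 Current Total Sessions : 1
  http  VPN: public --> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
"""

if __name__ == "__main__":
    result = check_backup(ACTIVE_OUTPUT, STANDBY_OUTPUT)
    for s in result["not_backed_up"]:
        print("not backed up on standby:", s)
    for s in result["local_on_standby"]:
        print("standby created its own session:", s)
```

The session key deliberately includes the bracketed NAT addresses, so a backup entry whose translated address differs from the active one is reported as missing rather than silently accepted.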
Configure a PC in the Trust zone to ping the public address continuously and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of ping packets discarded. If the switchover is normal, NGFW Module_B becomes the active device and carries services: the command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the actual network environment), are discarded.
Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and again check the status switchover of the NGFW Modules and the number of ping packets discarded. If the switchover is normal, NGFW Module_A becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the actual network environment), are discarded.
Configuration Scripts
Configuration scripts of the NGFW Modules:
NGFW Module_A:

```
#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0
#
 nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action nat address-group addressgroup1
#
return
```

NGFW Module_B:

```
#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0
 hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
#
 nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action nat address-group addressgroup1
#
return
```
Configuration script of CSS:
```
# ----Traffic diversion configuration----
vlan batch 201 to 203
#
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 192.168.2.0 0.0.0.255
acl number 3004
 rule 5 permit ip destination 192.168.1.0 0.0.0.255
 rule 10 permit ip destination 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
traffic classifier c2 operator or precedence 10
 if-match acl 3002
traffic classifier c3 operator or precedence 15
 if-match acl 3003
traffic classifier c4 operator or precedence 20
 if-match acl 3004
#
traffic behavior b1
 permit
traffic behavior b2
 permit
 redirect ip-nexthop 10.3.2.1
traffic behavior b3
 permit
 redirect ip-nexthop 10.3.3.1
traffic behavior b4
 permit
 redirect ip-nexthop 10.3.1.1
#
traffic policy p1 match-order config
 classifier c1 behavior b1
 classifier c2 behavior b2
traffic policy p3 match-order config
 classifier c1 behavior b1
 classifier c3 behavior b3
traffic policy p4 match-order config
 classifier c4 behavior b4
#
interface Vlanif201
 ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
 ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
 ip address 10.3.3.4 255.255.255.0
#
interface Eth-Trunk2
 traffic-policy p1 inbound
#
interface Eth-Trunk3
 traffic-policy p3 inbound
#
interface Eth-Trunk4
 traffic-policy p4 inbound
#
interface Eth-Trunk5
 description To_NGFW_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface Eth-Trunk6
 description To_NGFW_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface XGigabitEthernet1/1/0/0
 eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
 eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
#
return
```