No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples(V100 and V200)

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where VLAN-based Traffic Diversion Is Implemented

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where VLAN-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 3-315, two switches form a CSS, and two NGFW Modules are installed in slot 1 of the switches respective and implement hot standby. The NGFW modules implement security check on traffic sent by intranet users to access the server area or the Internet.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment Guide" in the search bar.

Figure 3-315 Switch CSS and NGFW Module hot standby networking

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Deployment Solution

The NGFW Modules work at Layer 3, and the upstream and downstream network gateways point to the NGFW Modules. The switches work at Layer 2.

  1. The interfaces connecting each NGFW Module and switch are bundled into an Eth-Trunk interface. The Eth-Trunk interface is Eth-Trunk 1 on each NGFW Module, Eth-Trunk 10 on the SwitchA, and Eth-Trunk 11 on the SwitchB.
  2. The Eth-Trunk at the switch side is configured to work in Trunk mode and allows packets from VLANs 301, 302, and 200 to pass. Configure three Eth-Trunk subinterfaces at the NGFW Module side to carry out dot1q termination for packets from VLANs 301, 302, and 200 respectively and perform Layer-3 forwarding.

  3. Two NGFW modules form hot standby in active/standby mode. Therefore, a VRRP group needs to be configured on the upstream and downstream subinterfaces of each NGFW Module. One NGFW Module is added to an active VGMP group, and the other NGFW Module is added to a standby VGMP group.

    The virtual gateway IP addresses of the VRRP group are the gateway addresses of the downstream and upstream networks.

    Figure 3-316 provides logical networking.

    Figure 3-316 Configuring Eth-Trunk subinterfaces and VRRP on the NGFW Modules

    Figure 3-316 provides information only interfaces related to the switches and NGFW Modules.

  4. Bundle GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk0 interface, which functions as the heartbeat interface and backup channel and enable hot standby.

  5. Configure security functions, such as security policies and IPS on NGFW Module_A. NGFW Module_A will automatically synchronize its configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure device name on NGFW Module_A.

    <sysname> system-view
[sysname] sysname Module_A

    # Add the interfaces connecting NGFW Module_A to its connected switch to Eth-Trunk 1.

    [Module_A] interface Eth-Trunk 1
[Module_A-Eth-Trunk1] description To_SWITCHA_trunk10
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_A and map them to VLANs 301, 302, and 200 respectively.

    In actual networking, the number of required subinterfaces depends on the number of VLANs from which packets need to be terminated. 

    [Module_A] interface Eth-Trunk 1.301
[Module_A-Eth-Trunk1.301] vlan-type dot1q 301
[Module_A-Eth-Trunk1.301] ip address 10.1.0.1 24
[Module_A-Eth-Trunk1.301] quit
[Module_A] interface Eth-Trunk 1.302
[Module_A-Eth-Trunk1.302] vlan-type dot1q 302
[Module_A-Eth-Trunk1.302] ip address 10.2.0.1 24
[Module_A-Eth-Trunk1.302] quit
[Module_A] interface Eth-Trunk 1.200
[Module_A-Eth-Trunk1.200] vlan-type dot1q 200
[Module_A-Eth-Trunk1.200] ip address 10.3.0.1 24
[Module_A-Eth-Trunk1.200] quit

    # Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] description hrp_interface
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-Trunk 1.200
[Module_A-zone-untrust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-Trunk 1.302
[Module_A-zone-dmz] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-Trunk 1.301
[Module_A-zone-trust] quit
[Module_A] firewall zone name hrp
[Module_A-zone-hrp] set priority 75
[Module_A-zone-hrp] add interface Eth-Trunk 0
[Module_A-zone-hrp] quit

    # Configure device name on NGFW Module_B.

    <sysname> system-view
[sysname] sysname Module_B

    # Add the interfaces connecting NGFW Module_B to its connected switch to Eth-Trunk 1.

    [Module_B] interface Eth-Trunk 1
[Module_B-Eth-Trunk1] description To_SWITCHB_trunk11
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_B and map them to VLANs 301, 302, and 200 respectively. 

    [Module_B] interface Eth-Trunk 1.301
[Module_B-Eth-Trunk1.301] vlan-type dot1q 301
[Module_B-Eth-Trunk1.301] ip address 10.1.0.2 24
[Module_B-Eth-Trunk1.301] quit
[Module_B] interface Eth-Trunk 1.302
[Module_B-Eth-Trunk1.302] vlan-type dot1q 302
[Module_B-Eth-Trunk1.302] ip address 10.2.0.2 24
[Module_B-Eth-Trunk1.302] quit
[Module_B] interface Eth-Trunk 1.200
[Module_B-Eth-Trunk1.200] vlan-type dot1q 200
[Module_B-Eth-Trunk1.200] ip address 10.3.0.2 24
[Module_B-Eth-Trunk1.200] quit

    # Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] description hrp_interface
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-Trunk 1.200
[Module_B-zone-untrust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-Trunk 1.302
[Module_B-zone-dmz] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-Trunk 1.301
[Module_B-zone-trust] quit
[Module_B] firewall zone name hrp
[Module_B-zone-hrp] set priority 75
[Module_B-zone-hrp] add interface Eth-Trunk 0
[Module_B-zone-hrp] quit

  2. On NGFW Module, configure a default route to the Internet.

    # Default route from NGFW Module_A to the Internet

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

    # Default route from NGFW Module_B to the Internet

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-Trunk 1.301
[Module_A-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 active
[Module_A-Eth-Trunk1.301] quit
[Module_A] interface Eth-Trunk 1.302
[Module_A-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 active
[Module_A-Eth-Trunk1.302] quit
[Module_A] interface Eth-Trunk 1.200
[Module_A-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 active
[Module_A-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-Trunk 1.301
[Module_B-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 standby
[Module_B-Eth-Trunk1.301] quit
[Module_B] interface Eth-Trunk 1.302
[Module_B-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[Module_B-Eth-Trunk1.302] quit
[Module_B] interface Eth-Trunk 1.200
[Module_B-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 standby
[Module_B-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow intranet users to access the server zone (network segment 10.2.0.0/24).

    HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_to_server
HRP_A[Module_A-policy-security-rule-policy_to_server] source-zone trust 
HRP_A[Module_A-policy-security-rule-policy_to_server] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_to_server] destination-address 10.2.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_server] service http ftp
HRP_A[Module_A-policy-security-rule-policy_to_server] action permit
HRP_A[Module_A-policy-security-rule-policy_to_server] quit
HRP_A[Module_A-policy-security] quit

    # On NGFW Module_A, configure a security policy to allow intranet users to access the Internet and configure intrusion prevention.

    HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_to_wan
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-zone trust 
HRP_A[Module_A-policy-security-rule-policy_to_wan] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_wan] service http ftp
HRP_A[Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_A[Module_A-policy-security-rule-policy_to_wan] action permit
HRP_A[Module_A-policy-security-rule-policy_to_wan] quit
HRP_A[Module_A-policy-security] quit

    # Configure ASPF on NGFW Module_A. FTP is used as an example. 

    HRP_A[Module_A] firewall interzone trust dmz
HRP_A[Module_A-interzone-trust-dmz] detect ftp
HRP_A[Module_A-interzone-trust-dmz] quit
HRP_A[Module_A] firewall interzone trust untrust
HRP_A[Module_A-interzone-trust-untrust] detect ftp
HRP_A[Module_A-interzone-trust-untrust] quit

    # Save configurations on NGFW Module_A and NGFW Module_B.

    HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
    HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

  5. Configure the core switches to form a CSS.
    1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
    2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.

      # Configure the CSS on SwitchA. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 1, and the CSS priority is 100. 

      <Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] set css mode css-card                //Set the CSS connection mode. The default mode is CSS card connection mode.
[SwitchA] set css id 1                          //Set the CSS ID. The default value is 1.
[SwitchA] set css priority 100                 //Set the CSS priority. The default value is 1.

      # Configure the CSS on SwitchB. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 2, and the CSS priority is 10. 

      <Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10

    3. Enable the CSS function.

      # To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.

      [SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable CSS on SwitchB and then restart SwitchB.

      [SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. T
he next CSS mode is CSS card. Reboot now? [Y/N]:y

    4. Check whether the CSS is established.

      # Log in to the CSS from the console port of any MPU and run the following command to view the CSS status.

      <SwitchA> display css status
CSS Enable switch On                                                            
                                                                                
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
------------------------------------------------------------------------------  
1            On           Master          CSS card    100         Off           
2            On           Standby         CSS card    10          Off

      If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two member switches are displayed, as shown in the preceding information, the CSS has been established.

      You are advised to configure MAD to minimize the impact of a CSS split on services. Detailed configurations will not be described here.

    5. Rename the cluster system to CSS. 

      <SwitchA> system-view
[SwitchA] sysname CSS
[CSS]

  6. Configure switch interfaces.
    1. Create VLANs. 

      [CSS] vlan batch 200 301 to 302

    2. Add the switch interfaces connected to NGFW Module_A to Eth-Trunk 10. 

      [CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] description To_Module_A
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302       //Direct traffic from different VLANs to the NGFW Module.
[CSS-Eth-Trunk10] quit

    3. Add the switch interfaces connected to NGFW Module_B to Eth-Trunk 11. 

      [CSS] interface eth-trunk 11
[CSS-Eth-Trunk11] description To_Module_B
[CSS-Eth-Trunk11] port link-type trunk
[CSS-Eth-Trunk11] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1
[CSS-Eth-Trunk11] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk11] port trunk allow-pass vlan 200 301 to 302      //Direct traffic from different VLANs to the NGFW Module.
[CSS-Eth-Trunk11] quit

    4. Configure Eth-Trunk 2 connected to intranet users. Adding the interfaces to Eth-Trunk 2 is not mentioned here. 

      [CSS] interface eth-trunk 2
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] port trunk allow-pass vlan 301      
[CSS-Eth-Trunk2] quit

    5. Configure Eth-Trunk 3 connected to intranet users. Adding the interfaces to Eth-Trunk 3 is not mentioned here. 

      [CSS] interface eth-trunk 3
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk3] port trunk allow-pass vlan 302      
[CSS-Eth-Trunk3] quit

    6. Configure Eth-Trunk 5 connected to the egress router. Adding the interfaces to Eth-Trunk 5 is not mentioned here. 

      [CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] port link-type access
[CSS-Eth-Trunk5] port default vlan 200
[CSS-Eth-Trunk5] quit

  7. Configure upstream and downstream devices.
    1. Configure the upstream interface Eth-Trunk 2 on the intranet switch to work in trunk mode and allow traffic from VLAN 301 to pass.
    2. Configure the upstream interface Eth-Trunk 3 on the server switch to work in trunk mode and allow traffic from VLAN 302 to pass.
    3. Set the gateway address of intranet PCs to the virtual IP address (10.1.0.3) of the VRRP group to which Eth-Trunk 1.301 belongs.
    4. Set the gateway address of servers to the virtual IP address (10.2.0.3) of the VRRP group to which Eth-Trunk 1.302 belongs.
    5. The next-hop address of the route from the egress router to the intranet is the virtual IP address (10.3.0.3) of the VRRP group to which Eth-Trunk 1.200 belongs.

Verification

  1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_A[Module_A] display hrp state
 The firewall's config state is: ACTIVE                                         
                                                                                
 Backup channel usage: 0.01%                                                    
 Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes             
 Current state of virtual routers configured as active:                         
                   Eth-Trunk1.200    vrid   3 : active
           (GigabitEthernet1/0/0)             : up  
           (GigabitEthernet1/0/1)             : up  
                   Eth-Trunk1.302    vrid   2 : active
           (GigabitEthernet1/0/0)             : up  
           (GigabitEthernet1/0/1)             : up  
                   Eth-Trunk1.301    vrid   1 : active
           (GigabitEthernet1/0/0)             : up  
           (GigabitEthernet1/0/1)             : up

  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module. 

    HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from users in the intranet to servers succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public 10.1.0.10:22048 --> 10.2.0.8:80
    HRP_S[Module_A] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public Remote 10.1.0.10:22048 --> 10.2.0.8:80

  4. Configure a PC in the Trust zone to constantly ping the public address and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Module and discarded ping packets. If the status switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B is changed from HRP_S to HRP_A, and the command prompt of NGFW Module_A is changed from HRP_A to HRP_S. No or several ping packets (1 to 3 packets, depending on actual network environments) are discarded.

    Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and check the status switchover of the NGFW Module and discarded ping packets. If the status switchover is normal, NGFW Module_A becomes the active device and starts to carry service after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A is changed from HRP_S to HRP_A, and the command prompt of NGFW Module_B is changed from HRP_A to HRP_S. No or several ping packets (1 to 3 packets, depending on actual network environments) are discarded.

Configuration Scripts

Configuration scripts of the NGFW Modules:

NGFW Module_A NGFW Module_B 
#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0 
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHA_trunk10
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 active
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
# 
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
# 
 firewall interzone trust untrust
  detect ftp
# 
firewall interzone trust dmz
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit    
#
return

#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0 
 hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHB_trunk11
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 standby
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 standby
#
interface GigabitEthernet0/0/1
  eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5 
 add Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
# 
firewall interzone trust untrust
  detect ftp
#
firewall interzone trust dmz
 detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit   
# 
return

Configuration script of CSS:

# ----CSS configuration----
vlan batch 200 301 to 302
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 301
#
interface Eth-Trunk3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 302
#
interface Eth-Trunk5
 port link-type access
 port default vlan 200
#
interface Eth-Trunk10
 description To_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
 description To_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface XGigabitEthernet1/1/0/0
 eth-Trunk 10
#
interface XGigabitEthernet1/1/0/1
 eth-Trunk 10
#
interface XGigabitEthernet2/1/0/0
 eth-Trunk 11
#
interface XGigabitEthernet2/1/0/1
 eth-Trunk 11
#
return
Translation
Español 日本語 Русский 简体中文
Download
Updated: 2023-07-29

Document ID: EDOC1000069520

Views: 1872222

Downloads: 41274

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :