S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Typical NGFW Module Configuration


NGFW modules are service cards used on switches. An NGFW module connects to a switch through two 20GE Ethernet links; on each link, the port at one end is located on the switch and the port at the other end is located on the NGFW module. Services must be configured on both the switch side and the NGFW module side; otherwise, the NGFW module cannot work normally.

The earliest NGFW module card version that works with the switch is V100R001C10, and the switch must run V200R005C00 or later to support these cards.

Layer 2 Load-Balancing Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Redirection-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-30, two switches form a CSS, and two NGFW Modules, installed in slot 1 of the respective switches, implement hot standby. The NGFW Modules work at Layer 2 and are transparently connected to the network. They perform security checks on traffic sent by intranet users to the Internet. Traffic exchanged between different VLANs does not pass through the NGFW Modules; it is forwarded directly by the switches.

This example uses NGFW Modules running V100R001C30 and switches running V200R008C00. For configuration examples of NGFW Modules running other versions, see the Deployment Guide. You can search for "Deployment Guide" in the search bar.

Figure 2-30  Networking for Layer-2 dual-NGFW Module deployment and switch CSS
NOTE:

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Deployment Solution

The four interfaces connecting the switches to the NGFW Modules are bundled into one Eth-Trunk interface, and traffic is distributed between the two NGFW Modules. The two NGFW Modules implement hot standby in Layer-2 load balancing mode.

  1. Add the four interfaces on the switches to Eth-Trunk 10 and the four interfaces on the NGFW Modules to Eth-Trunk 1.
  2. Configure redirection on the switches to direct traffic exchanged between intranet users and the Internet to the NGFW Modules. On the NGFW Modules, configure Eth-Trunk 1 as an interface pair (packets entering the interface are sent back out of the same interface after being processed) so that traffic returns to the switches.
    NOTE:
    When the NGFW Module works in interface pair mode, loop detection must not be enabled on the switch. If loop detection is enabled, the switch sends broadcast packets out of the interface; because the NGFW Module in interface pair mode sends every packet it receives back out of the same interface, the switch detects a traffic loop and disables the interface.
  3. Because the NGFW Modules implement hot standby in Layer-2 load balancing mode, configure the VLANs to be tracked on the upstream and downstream interfaces.

    Figure 2-31 provides logical networking for easy understanding.

    Figure 2-31  Configuring hot standby on the NGFW Modules
    NOTE:

    Figure 2-31 shows only the interfaces related to the switches and NGFW Modules.

  4. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk0 interface, which functions as the heartbeat interface and backup channel, and enable hot standby.
  5. Configure security functions, such as security policies and IPS on NGFW Module_A. NGFW Module_A will automatically synchronize its configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname Module_A

    # Create VLANs on NGFW Module_A.

    [Module_A] vlan batch 200 301 to 302
    [Module_A-vlan-302] quit

    # Create Layer-2 Eth-Trunk 1 on NGFW Module_A and permit packets from the upstream and downstream VLANs.

    [Module_A] interface Eth-Trunk 1
    [Module_A-Eth-Trunk1] description To_SwitchA_trunk10
    [Module_A-Eth-Trunk1] portswitch
    [Module_A-Eth-Trunk1] port link-type trunk
    [Module_A-Eth-Trunk1] port trunk permit vlan 200 301 to 302
    [Module_A-Eth-Trunk1] quit

    # Add the interfaces connecting NGFW Module_A to its connected switch to Eth-Trunk 1.

    [Module_A] interface GigabitEthernet 1/0/0
    [Module_A-GigabitEthernet1/0/0] portswitch
    [Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/0] quit
    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] portswitch
    [Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 as an interface pair on NGFW Module_A.

    [Module_A] pair-interface Eth-Trunk 1 Eth-Trunk 1

    # Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] description hrp_interface
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] quit
    [Module_A] interface GigabitEthernet 0/0/1
    [Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/1] quit
    [Module_A] interface GigabitEthernet 0/0/2
    [Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-Trunk 1
    [Module_A-zone-trust] quit
    [Module_A] firewall zone name hrp
    [Module_A-zone-hrp] set priority 75
    [Module_A-zone-hrp] add interface Eth-Trunk 0
    [Module_A-zone-hrp] quit

    # Configure the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname Module_B

    # Create VLANs on NGFW Module_B.

    [Module_B] vlan batch 200 301 to 302
    [Module_B-vlan-302] quit

    # Create Layer-2 Eth-Trunk 1 on NGFW Module_B and permit packets from the upstream and downstream VLANs.

    [Module_B] interface Eth-Trunk 1
    [Module_B-Eth-Trunk1] description To_SwitchB_trunk10
    [Module_B-Eth-Trunk1] portswitch
    [Module_B-Eth-Trunk1] port link-type trunk
    [Module_B-Eth-Trunk1] port trunk permit vlan 200 301 to 302
    [Module_B-Eth-Trunk1] quit

    # Add the interfaces connecting NGFW Module_B to its connected switch to Eth-Trunk 1.

    [Module_B] interface GigabitEthernet 1/0/0
    [Module_B-GigabitEthernet1/0/0] portswitch
    [Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/0] quit
    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] portswitch
    [Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 as an interface pair on NGFW Module_B.

    [Module_B] pair-interface Eth-Trunk 1 Eth-Trunk 1
    

    # Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] description hrp_interface
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] quit
    [Module_B] interface GigabitEthernet 0/0/1
    [Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/1] quit
    [Module_B] interface GigabitEthernet 0/0/2
    [Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-Trunk 1
    [Module_B-zone-trust] quit
    [Module_B] firewall zone name hrp
    [Module_B-zone-hrp] set priority 75
    [Module_B-zone-hrp] add interface Eth-Trunk 0
    [Module_B-zone-hrp] quit

  2. Configure hot standby on NGFW Modules.

    # Enable quick session backup on NGFW Module_A.

    [Module_A] hrp mirror session enable

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0
    [Module_A] hrp enable
    [Module_A] hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.

    # Enable quick session backup on NGFW Module_B.

    [Module_B] hrp mirror session enable

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0
    [Module_B] hrp enable
    [Module_B] hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  3. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow intranet users to access the Internet and configure intrusion prevention.

    HRP_A[Module_A] security-policy
    HRP_A[Module_A-policy-security] rule name policy_to_wan
    HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
    HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.2.0.0 24
    HRP_A[Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_A[Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_A[Module_A-policy-security-rule-policy_to_wan] quit
    HRP_A[Module_A-policy-security] quit
    
    NOTE:

    In this example, the configured security policy allows intranet users to access the Internet. To allow the Internet to access the intranet, configure a rule whose destination address is an intranet address.

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_A[Module_A] firewall zone trust
    HRP_A[Module_A-zone-trust] detect ftp
    HRP_A[Module_A-zone-trust] quit
    

    # Save configurations on NGFW Module_A and NGFW Module_B.

    HRP_A<Module_A> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully
    HRP_S<Module_B> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully

  4. Configure the core switches to form a CSS.
    1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
    2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.

      # Configure the CSS on SwitchA. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.

      <Huawei> system-view
      [Huawei] sysname SwitchA
      [SwitchA] set css mode css-card                //Set the CSS connection mode. The default mode is CSS card connection mode.
      [SwitchA] set css id 1                          //Set the CSS ID. The default value is 1.
      [SwitchA] set css priority 100                 //Set the CSS priority. The default value is 1.
      

      # Configure the CSS on SwitchB. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.

      <Huawei> system-view
      [Huawei] sysname SwitchB
      [SwitchB] set css mode css-card
      [SwitchB] set css id 2
      [SwitchB] set css priority 10
      

    3. Enable the CSS function.

      # To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.

      [SwitchA] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable CSS on SwitchB and then restart SwitchB.

      [SwitchB] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    4. Check whether the CSS is established.

      # Log in to the CSS from the console port of any MPU and run the following command to view the CSS status.

      <SwitchA> display css status
      CSS Enable switch On                                                            
                                                                                      
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
      ------------------------------------------------------------------------------  
      1            On           Master          CSS card    100         Off           
      2            On           Standby         CSS card    10          Off           

      If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two member switches are displayed as shown in the preceding output, the CSS has been established.

      You are advised to configure MAD to minimize the impact of a CSS split on services. Detailed configurations will not be described here.

    5. Rename the cluster system to CSS.

      <SwitchA> system-view
      [SwitchA] sysname CSS
      [CSS]

  5. Configure switch interfaces and VLANs. This example describes how to configure interoperation between the switch and NGFW modules.
    1. Create VLANs.

      [CSS] vlan batch 200 301 to 302

    2. Configure the upstream and downstream interfaces and isolate them unidirectionally from Eth-Trunk 10. Adding member interfaces to these Eth-Trunk interfaces is not described here.

      [CSS] interface eth-trunk 2
      [CSS-Eth-Trunk2] port link-type trunk
      [CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk2] port trunk allow-pass vlan 301
      [CSS-Eth-Trunk2] am isolate Eth-Trunk 10
      [CSS-Eth-Trunk2] quit
      [CSS] interface eth-trunk 3
      [CSS-Eth-Trunk3] port link-type trunk
      [CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk3] port trunk allow-pass vlan 302
      [CSS-Eth-Trunk3] am isolate Eth-Trunk 10
      [CSS-Eth-Trunk3] quit
      [CSS] interface eth-trunk 5
      [CSS-Eth-Trunk5] port link-type access
      [CSS-Eth-Trunk5] port default vlan 200
      [CSS-Eth-Trunk5] am isolate Eth-Trunk 10
      [CSS-Eth-Trunk5] quit

    3. Configure VLANIF interfaces as upstream and downstream gateways.

      [CSS] interface vlanif301
      [CSS-Vlanif301] ip address 10.1.0.1 24
      [CSS-Vlanif301] quit
      [CSS] interface vlanif302
      [CSS-Vlanif302] ip address 10.2.0.1 24
      [CSS-Vlanif302] quit
      [CSS] interface vlanif200
      [CSS-Vlanif200] ip address 10.3.0.1 24
      [CSS-Vlanif200] quit

    4. Add the switch interfaces connected to NGFW Module to Eth-Trunk 10.

      [CSS] interface eth-trunk 10
      [CSS-Eth-Trunk10] description To_Module
      [CSS-Eth-Trunk10] port link-type trunk
      [CSS-Eth-Trunk10] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1
      [CSS-Eth-Trunk10] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1
      [CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302
      [CSS-Eth-Trunk10] mac-address learning disable
      [CSS-Eth-Trunk10] undo local-preference enable
      [CSS-Eth-Trunk10] stp disable
      [CSS-Eth-Trunk10] quit
      

    5. Set the load balancing mode of the Eth-Trunk interface.

      NOTE:

      When traffic is forwarded from the switches to the NGFW Modules, the cross-board Eth-Trunk distributes the traffic. To ensure that forward and return packets are forwarded by the same NGFW Module, set the enhanced load balancing mode. In the example, the source and destination IP addresses are used for illustration.

      [CSS] load-balance-profile module
      [CSS-load-balance-profile-module] ipv4 field sip dip
      [CSS-load-balance-profile-module] quit
      [CSS] interface Eth-Trunk 10
      [CSS-Eth-Trunk10] load-balance enhanced profile module
      [CSS-Eth-Trunk10] quit
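The note above relies on the trunk hash sending both directions of a flow to the same NGFW Module: a stateful firewall that sees only one direction of a session has no session entry for the other direction and cannot inspect it correctly. The following Python script is an added illustration of that property and is not part of the Huawei example, nor the switch's actual hash implementation. It models the ipv4 field sip dip profile as an order-independent hash over the two addresses and contrasts it with a direction-sensitive hash over constructed sample flows; the member count, the SHA-256-based bucketing and the 203.0.113.x addresses are assumptions of the model.

```python
"""Model of why the Eth-Trunk hash toward the NGFW Modules must use fields
that are identical in both directions of a flow. Added illustration of the
principle, not the switch's real hash algorithm."""
import hashlib
import ipaddress

N_MEMBERS = 2  # two NGFW Modules behind Eth-Trunk 10 (assumed member count)


def _bucket(key: bytes) -> int:
    """Map a key to an Eth-Trunk member index with a stable hash (assumed)."""
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % N_MEMBERS


def member_sip_dip(sip: str, dip: str) -> int:
    """Profile 'ipv4 field sip dip' modelled as an order-independent hash:
    10.1.0.10 -> 3.3.3.3 and its reply 3.3.3.3 -> 10.1.0.10 hash the same
    address pair, so both directions reach the same NGFW Module."""
    a, b = sorted((int(ipaddress.IPv4Address(sip)), int(ipaddress.IPv4Address(dip))))
    return _bucket(a.to_bytes(4, "big") + b.to_bytes(4, "big"))


def member_directional(sip: str, dip: str, sport: int, dport: int) -> int:
    """A direction-sensitive hash: the reply swaps source and destination, so
    it may be sent to the other module, which holds no session for it."""
    return _bucket(f"{sip}:{sport}>{dip}:{dport}".encode())


def symmetric_fraction(flows, hasher) -> float:
    """Fraction of flows whose forward and return packets pick the same member.
    hasher(sip, dip, sport, dport) -> member index."""
    same = 0
    for sip, dip, sport, dport in flows:
        forward = hasher(sip, dip, sport, dport)
        reply = hasher(dip, sip, dport, sport)
        same += forward == reply
    return same / len(flows)


# Constructed sample flows: hosts in the page's intranet subnets (10.1.0.0/24
# and 10.2.0.0/24) connecting to constructed Internet addresses.
SAMPLE_FLOWS = [
    (f"10.{1 + i % 2}.0.{10 + i}", f"203.0.113.{1 + i}", 20000 + i, 80 if i % 3 else 443)
    for i in range(200)
]

if __name__ == "__main__":
    print("sip/dip hash, same member in both directions:",
          symmetric_fraction(SAMPLE_FLOWS, lambda s, d, sp, dp: member_sip_dip(s, d)))
    print("directional hash, same member in both directions:",
          symmetric_fraction(SAMPLE_FLOWS, member_directional))
```

The first figure is always 1.0 because the key is built from the sorted address pair; the second drops toward one half with two members, which is the asymmetric-path condition the enhanced load balancing profile is configured to avoid.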

    6. Configure traffic policies to redirect traffic to the NGFW Modules.

      # Create ACLs.

      [CSS] acl 3001       //Match traffic exchanged between intranet users of different VLANs.
      [CSS-acl-adv-3001] rule permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
      [CSS-acl-adv-3001] rule permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
      [CSS-acl-adv-3001] quit
      [CSS] acl 3002  //Match traffic sent by intranet users to access the Internet.
      [CSS-acl-adv-3002] rule permit ip source 10.1.0.0 0.0.0.255
      [CSS-acl-adv-3002] rule permit ip source 10.2.0.0 0.0.0.255
      [CSS-acl-adv-3002] quit
      [CSS] acl 3004       //Match traffic from the Internet to the intranet.
      [CSS-acl-adv-3004] rule permit ip destination 10.1.0.0 0.0.0.255
      [CSS-acl-adv-3004] rule permit ip destination 10.2.0.0 0.0.0.255
      [CSS-acl-adv-3004] quit
      

      # Configure the switch to forward traffic exchanged between intranet users directly, and to redirect traffic sent from the intranet to the Internet to the NGFW Modules.

      [CSS] traffic classifier classifier1 precedence 5       
      [CSS-classifier-classifier1] if-match acl 3001
      [CSS-classifier-classifier1] quit
      [CSS] traffic behavior behavior1      //Permit traffic exchanged between intranet users.
      [CSS-behavior-behavior1] permit
      [CSS-behavior-behavior1] quit
      [CSS] traffic classifier classifier2 precedence 10       
      [CSS-classifier-classifier2] if-match acl 3002
      [CSS-classifier-classifier2] quit
      [CSS] traffic behavior behavior2      //Redirect the traffic from the intranet to the Internet to the interface connecting the switch to the NGFW Module.
      [CSS-behavior-behavior2] redirect interface Eth-Trunk 10
      [CSS-behavior-behavior2] quit
      [CSS] traffic policy policy1       //Configure a traffic policy.
      [CSS-trafficpolicy-policy1] classifier classifier1 behavior behavior1
      [CSS-trafficpolicy-policy1] classifier classifier2 behavior behavior2
      [CSS-trafficpolicy-policy1] quit
      [CSS] interface Eth-Trunk 2
      [CSS-Eth-Trunk2] traffic-policy policy1 inbound
      [CSS-Eth-Trunk2] quit
      [CSS] interface Eth-Trunk 3
      [CSS-Eth-Trunk3] traffic-policy policy1 inbound
      [CSS-Eth-Trunk3] quit
      

      # Configure the switch to redirect the traffic from the Internet to the intranet to the NGFW Module.

      [CSS] traffic classifier classifier4       
      [CSS-classifier-classifier4] if-match acl 3004
      [CSS-classifier-classifier4] quit
      [CSS] traffic behavior behavior4      //Redirect the traffic from the Internet to the intranet to the interface connecting the switch to the NGFW Module.
      [CSS-behavior-behavior4] redirect interface Eth-Trunk 10
      [CSS-behavior-behavior4] quit
      [CSS] traffic policy policy2       //Configure a traffic policy.
      [CSS-trafficpolicy-policy2] classifier classifier4 behavior behavior4
      [CSS-trafficpolicy-policy2] quit
      [CSS] interface Eth-Trunk 5
      [CSS-Eth-Trunk5] traffic-policy policy2 inbound
      [CSS-Eth-Trunk5] quit
      
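To confirm that the ACLs, classifiers and policy bindings above really leave intranet-to-intranet traffic with the switch while redirecting Internet-bound and Internet-originated traffic to Eth-Trunk 10, here is an added Python model of that decision (an illustration, not Huawei code). It parses the ACLs from the page's configuration script, applies the wildcard masks, and tries the classifier bindings of the policy applied to each inbound interface in configured order, which is what lets the permit for intranet traffic take effect before the redirect. The sample packets and the misordered policy variant are constructed for the illustration.

```python
"""Model of the switch's redirection decision: ACL wildcard matching,
first-match classifier order, and the behavior bound per inbound interface.
Added illustration, not Huawei code."""
import ipaddress
import re

# ACLs exactly as in the page's CSS configuration script.
CSS_ACL_SCRIPT = """
acl number 3001
 rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
 rule 10 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.1.0.0 0.0.0.255
 rule 10 permit ip source 10.2.0.0 0.0.0.255
acl number 3004
 rule 5 permit ip destination 10.1.0.0 0.0.0.255
 rule 10 permit ip destination 10.2.0.0 0.0.0.255
"""

ACL_HEADER_RE = re.compile(r"acl(?:\s+number)?\s+(\d+)")
RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?permit\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)


def parse_acls(text):
    """Return {acl_number: [(src_net, src_wild, dst_net, dst_wild), ...]}.
    A missing source or destination clause means 'any' (None)."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = ACL_HEADER_RE.match(line)
        if head:
            current = int(head.group(1))
            acls.setdefault(current, [])
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            acls[current].append(rule.groups())
    return acls


def wildcard_match(addr, net, wild):
    """Huawei ACL wildcard mask: a 1 bit means 'do not care'."""
    if net is None:
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_matches(rules, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in rules)


# Classifier -> ACL, behavior -> redirect target (None = switch forwards it),
# policy bindings and inbound policies, all taken from the page.
CLASSIFIER_ACL = {"classifier1": 3001, "classifier2": 3002, "classifier4": 3004}
BEHAVIOR_REDIRECT = {"behavior1": None, "behavior2": "Eth-Trunk10", "behavior4": "Eth-Trunk10"}
POLICIES = {
    "policy1": [("classifier1", "behavior1"), ("classifier2", "behavior2")],
    "policy2": [("classifier4", "behavior4")],
}
# Constructed variant: the intranet-to-intranet permit listed after the redirect.
MISORDERED_POLICIES = {
    "policy1": [("classifier2", "behavior2"), ("classifier1", "behavior1")],
    "policy2": POLICIES["policy2"],
}
INBOUND_POLICY = {"Eth-Trunk2": "policy1", "Eth-Trunk3": "policy1", "Eth-Trunk5": "policy2"}


def decide(acls, in_iface, src, dst, policies=POLICIES):
    """Return the redirect interface for a packet, or None when the switch
    forwards it itself. Bindings are tried in the order they appear in the
    policy (match-order config); the first matching classifier wins."""
    policy = INBOUND_POLICY.get(in_iface)
    if policy is None:
        return None
    for classifier, behavior in policies[policy]:
        if acl_matches(acls[CLASSIFIER_ACL[classifier]], src, dst):
            return BEHAVIOR_REDIRECT[behavior]
    return None


ACLS = parse_acls(CSS_ACL_SCRIPT)

if __name__ == "__main__":
    # Constructed sample packets: intranet-to-intranet, intranet-to-Internet,
    # Internet-to-intranet, and Internet traffic to a non-intranet address.
    for iface, src, dst in [("Eth-Trunk2", "10.1.0.10", "10.2.0.20"),
                            ("Eth-Trunk2", "10.1.0.10", "3.3.3.3"),
                            ("Eth-Trunk5", "3.3.3.3", "10.1.0.10"),
                            ("Eth-Trunk5", "3.3.3.3", "10.3.0.1")]:
        print(iface, src, "->", dst, ":", decide(ACLS, iface, src, dst) or "forwarded by switch")
```

With the page's ordering, 10.1.0.10 to 10.2.0.20 arriving on Eth-Trunk 2 hits classifier1 first and stays on the switch; with the misordered variant the same packet matches ACL 3002 (source 10.1.0.0/24, any destination) and would be redirected to the NGFW Modules, which is exactly the case the precedence values are there to prevent.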

    7. Configure a static route.

      NOTE:

      Even though redirection policies are configured, the switch still looks up the routing table and performs Layer-3 forwarding on received packets; the redirection policy only determines the outbound interface.

      In the example, when receiving a packet from the intranet to the Internet, the switch first looks up the routing table, changes the VLAN tag from 301 or 302 to 200 based on the default route, and then forwards the packet to the NGFW Module. After receiving a packet from the Internet to the intranet, the switch changes the VLAN tag from 200 to 301 or 302 based on the direct route and then forwards the packet to the NGFW Module.

      If no routing entry is matched, the switch forwards the packet based on the redirection policy without changing the VLAN tag.

      # Configure a default route to the Internet.

      [CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

Verification
  1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_A[Module_A] display hrp state
     The firewall's config state is: ACTIVE                                                                                             
                                                                                                                                        
     Backup channel usage: 0.01%                                                                                                        
     Time elapsed after the last switchover: 0 days, 0 hours, 36 minutes   
     Current state of interfaces tracked by active: 
               Eth-trunk1 (VLAN 200) : up
               Eth-trunk1 (VLAN 301) : up
               Eth-trunk1 (VLAN 302) : up
     Current state of interfaces tracked by standby: 
               Eth-trunk1 (VLAN 200) : up
               Eth-trunk1 (VLAN 301) : up
               Eth-trunk1 (VLAN 302) : up
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet, and a session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup is working after hot standby is configured.
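The comparison of the two session tables above can be automated. The following Python helper is an added example, not part of the Huawei document: it parses display firewall session table output in the format shown on the page and lists the sessions on the active module that have no Remote copy on the standby module, which are the sessions that would be lost on a switchover. The stale-standby output is constructed for the example.

```python
"""Check HRP session backup from 'display firewall session table' output of
both NGFW Modules. Added example; the line format is the one shown on the page."""
import re

SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)"
    r"\s+(?P<remote>Remote\s+)?(?P<src>\S+)\s*-->\s*(?P<dst>\S+)\s*$"
)


def parse_session_table(text):
    """Return a list of (proto, src, dst, is_remote) tuples. The prompt line
    and the 'Current Total Sessions : N' header do not match and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append((m["proto"], m["src"], m["dst"], m["remote"] is not None))
    return sessions


def unbacked_sessions(active_text, standby_text):
    """Sessions created locally on the active module that have no Remote copy
    on the standby module."""
    backed = {(p, s, d) for p, s, d, remote in parse_session_table(standby_text) if remote}
    return [(p, s, d) for p, s, d, remote in parse_session_table(active_text)
            if not remote and (p, s, d) not in backed]


# Output as shown on the page for the two modules.
MODULE_A_OUTPUT = """HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
"""
MODULE_B_OUTPUT = """HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
  http  VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80
"""
# Constructed output for a standby module whose backup channel has stalled.
MODULE_B_STALE = """HRP_S[Module_B] display firewall session table
Current Total Sessions : 0
"""

if __name__ == "__main__":
    print("missing backups (healthy):", unbacked_sessions(MODULE_A_OUTPUT, MODULE_B_OUTPUT))
    print("missing backups (stalled):", unbacked_sessions(MODULE_A_OUTPUT, MODULE_B_STALE))
```

An empty list for the healthy pair reproduces the conclusion drawn from the page's output; a non-empty list after hrp mirror session enable has been configured points at the backup channel (Eth-Trunk 0) or the HRP state rather than at the security policy.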

  3. Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes active and carries the services, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

    Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and check the status switchover of the NGFW Modules and the discarded ping packets again. If the switchover is normal, NGFW Module_A becomes active and starts to carry services after the preemption delay (60s by default) expires, and no or only a few ping packets (1 to 3, depending on the actual network environment) are discarded.

Configuration Scripts

Configuration scripts of the NGFW Modules:

NGFW Module_A:
#
 sysname Module_A
#
 hrp mirror session enable
 hrp enable
 hrp interface Eth-Trunk0
 hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.
#
vlan batch 200 301 to 302
#
pair-interface Eth-Trunk1 Eth-Trunk1
# 
vlan 200
 hrp track active
 hrp track standby
     Eth-Trunk1
#
vlan 301
 hrp track active
 hrp track standby
     Eth-Trunk1
#
vlan 302
 hrp track active
 hrp track standby
     Eth-Trunk1
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 description To_SwitchA_trunk10
 portswitch 
 port link-type trunk
 port trunk permit vlan 200 301 to 302  
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch 
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch  
 eth-trunk 1
#
firewall zone trust
 set priority 85
 detect ftp
 add interface Eth-Trunk1
# 
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
#   
security-policy  
 rule name policy_to_wan
  source-address 10.1.0.0 mask 255.255.255.0
  source-address 10.2.0.0 mask 255.255.255.0
  profile ips default
  action permit    
#
return

NGFW Module_B:

#
 sysname Module_B
#
 hrp mirror session enable
 hrp enable
 hrp interface Eth-Trunk0
 hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.
#
vlan batch 200 301 to 302
#
pair-interface Eth-Trunk1 Eth-Trunk1
# 
vlan 200
 hrp track active
 hrp track standby
     Eth-Trunk1
#
vlan 301
 hrp track active
 hrp track standby
     Eth-Trunk1
#
vlan 302
 hrp track active
 hrp track standby
     Eth-Trunk1
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 description To_SwitchB_trunk10
 portswitch 
 port link-type trunk
 port trunk permit vlan 200 301 to 302 
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch 
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch 
 eth-trunk 1
#
firewall zone trust
 set priority 85
 detect ftp
 add interface Eth-Trunk1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
#  
security-policy  
 rule name policy_to_wan
  source-address 10.1.0.0 mask 255.255.255.0
  source-address 10.2.0.0 mask 255.255.255.0
  profile ips default
  action permit 
# 
return

Configuration script of CSS:

# ----Traffic diversion configuration----
load-balance-profile module
#
vlan batch 200 301 to 302
#
acl number 3001
 rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
 rule 10 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 10.1.0.0 0.0.0.255
 rule 10 permit ip source 10.2.0.0 0.0.0.255
acl number 3004
 rule 5 permit ip destination 10.1.0.0 0.0.0.255
 rule 10 permit ip destination 10.2.0.0 0.0.0.255
#
traffic classifier classifier1 operator or precedence 5
 if-match acl 3001
traffic classifier classifier2 operator or precedence 10
 if-match acl 3002
traffic classifier classifier4 operator or precedence 15
 if-match acl 3004
#
traffic behavior behavior1
 permit
traffic behavior behavior2
 permit      
 redirect interface Eth-Trunk10
traffic behavior behavior4
 permit
 redirect interface Eth-Trunk10
#
traffic policy policy1 match-order config      
 classifier classifier1 behavior behavior1
 classifier classifier2 behavior behavior2
traffic policy policy2 match-order config       
 classifier classifier4 behavior behavior4
#
interface Vlanif200
 ip address 10.3.0.1 255.255.255.0
#
interface Vlanif301
 ip address 10.1.0.1 255.255.255.0
#
interface Vlanif302
 ip address 10.2.0.1 255.255.255.0
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 301
 am isolate Eth-Trunk 10
 traffic-policy policy1 inbound
#
interface Eth-Trunk3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 302
 am isolate Eth-Trunk 10
 traffic-policy policy1 inbound
#
interface Eth-Trunk5
 port default vlan 200
 am isolate Eth-Trunk 10
 traffic-policy policy2 inbound
#
interface Eth-Trunk10
 description To_Module
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
 mac-address learning disable
 stp disable
 load-balance enhanced profile module
 undo local-preference enable
#
interface XGigabitEthernet1/1/0/0
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface xgigabitethernet1/1/0/2
 eth-trunk 2
#
interface xgigabitethernet1/1/0/3
 eth-trunk 3
#
interface xgigabitethernet1/1/0/5
 eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 10
#
interface xgigabitethernet2/1/0/2
 eth-trunk 2
#
interface xgigabitethernet2/1/0/3
 eth-trunk 3
#
interface xgigabitethernet2/1/0/5
 eth-trunk 5
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#
return

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Static Route-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-32, two switches are deployed in a CSS and two NGFW Modules are installed in slot 1 of the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. The two NGFW Modules work in active/standby mode.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment Guide" in the search bar.

Figure 2-32  Networking for Layer-3 dual-NGFW Module deployment and switch CSS
NOTE:

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Data Planning

Item: Hot standby
  Data:
    NGFW Module_A: active
    NGFW Module_B: standby
  Description: -

Item: NAT
  Source NAT
    Data:
      NAT type: PAT
      Address pool: 1.1.1.1 to 1.1.1.2
    Description: The source address is automatically translated for Internet access from a specified private subnet.
  NAT Server
    Data:
      Global address: 1.1.1.3
      Inside address: 192.168.2.8
    Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy
  Policy 1: policy_sec1
    Data:
      Source security zone: Trust
      Destination security zone: Untrust
      Source IP address: 192.168.1.0
      Action: permit
    Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.
  Policy 2: policy_sec2
    Data:
      Source security zone: Untrust
      Destination security zone: DMZ
      Destination IP address: 192.168.2.0
      Action: permit
    Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution
  1. The two NGFW Modules form a hot standby pair. The switch diverts passing traffic to the NGFW Module through a static route; after performing a security check on the traffic, the NGFW Module sends it back to the switch through a static route.

    Configure VRF on the switches to virtualize them into virtual switch Public, which connects to the public network (no VPN instance needs to be configured), and virtual switches trust and dmz, which connect to the Trust zone and the DMZ respectively. Figure 2-33 shows the networking. Because the virtual switches are isolated from one another, traffic between them must pass through the NGFW Modules.

    Figure 2-33  Configuring VRF on switches
  2. Figure 2-33 can be abstracted as Figure 2-34. The NGFW Modules exchange traffic with the upstream and downstream devices through static routes, so the switches need a next hop that survives a failover. Therefore, configure VRRP groups on the NGFW Modules and point the static routes on the switches at the virtual IP addresses of these VRRP groups.

    Configure a default route to the Internet on the NGFW Module, and set the next-hop address to the IP address of VLANIF201. Configure a specific route to the intranet on the NGFW Module, and set the next-hop address to the IP address of VLANIF202. Figure 2-34 shows the networking. On the virtual switch Public, configure static routes to the Trust zone and DMZ and set the next-hop address to the IP address of VRRP group 1. On the virtual switch trust, configure a default route to the Internet and set the next-hop address to the IP address of VRRP group 2. On the virtual switch dmz, configure a default route to the Internet and set the next-hop address to the IP address of VRRP group 3.

    Figure 2-34  Configuring VRRP groups on the NGFW Modules and static routes on the switches
    NOTE:

    Figure 2-34 lists only the switch interfaces involved in the connection with the NGFW Modules.

  3. On each NGFW Module, bundle the panel interfaces GE0/0/1 and GE0/0/2 into Eth-Trunk0, which serves as the heartbeat interface and backup channel, and enable hot standby.
  4. Configure security functions, such as security policies, NAT policies, and IPS, on NGFW Module_A. NGFW Module_A automatically synchronizes these configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname Module_A

    # Configure IP addresses for the interfaces on NGFW Module_A.

    [Module_A] interface Eth-trunk 1
    [Module_A-Eth-Trunk1] quit
    [Module_A] interface GigabitEthernet 1/0/0
    [Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/0] quit
    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/1] quit
    [Module_A] interface Eth-trunk 1.1
    [Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
    [Module_A-Eth-Trunk1.1] vlan-type dot1q 201
    [Module_A-Eth-Trunk1.1] quit
    [Module_A] interface Eth-trunk 1.2
    [Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
    [Module_A-Eth-Trunk1.2] vlan-type dot1q 202
    [Module_A-Eth-Trunk1.2] quit
    [Module_A] interface Eth-trunk 1.3
    [Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
    [Module_A-Eth-Trunk1.3] vlan-type dot1q 203
    [Module_A-Eth-Trunk1.3] quit
    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] quit
    [Module_A] interface GigabitEthernet 0/0/1
    [Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/1] quit
    [Module_A] interface GigabitEthernet 0/0/2
    [Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface Eth-trunk 1.1
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-trunk 1.2
    [Module_A-zone-trust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-trunk 1.3
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone name hrpzone
    [Module_A-zone-hrpzone] set priority 65
    [Module_A-zone-hrpzone] add interface Eth-Trunk 0
    [Module_A-zone-hrpzone] quit

    # Configure device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname Module_B

    # Configure IP addresses for the interfaces on NGFW Module_B.

    [Module_B] interface Eth-Trunk 1
    [Module_B-Eth-Trunk1] quit
    [Module_B] interface GigabitEthernet 1/0/0
    [Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/0] quit
    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/1] quit
    [Module_B] interface Eth-trunk 1.1
    [Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
    [Module_B-Eth-Trunk1.1] vlan-type dot1q 201
    [Module_B-Eth-Trunk1.1] quit
    [Module_B] interface Eth-trunk 1.2
    [Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
    [Module_B-Eth-Trunk1.2] vlan-type dot1q 202
    [Module_B-Eth-Trunk1.2] quit
    [Module_B] interface Eth-trunk 1.3
    [Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
    [Module_B-Eth-Trunk1.3] vlan-type dot1q 203
    [Module_B-Eth-Trunk1.3] quit
    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] quit
    [Module_B] interface GigabitEthernet 0/0/1
    [Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/1] quit
    [Module_B] interface GigabitEthernet 0/0/2
    [Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface Eth-trunk 1.1
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-trunk 1.2
    [Module_B-zone-trust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-trunk 1.3
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone name hrpzone
    [Module_B-zone-hrpzone] set priority 65
    [Module_B-zone-hrpzone] add interface Eth-Trunk 0
    [Module_B-zone-hrpzone] quit

  2. Create static routes on NGFW Modules.

    # On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201.

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

    [Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

    # On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_B, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.

    [Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-trunk1.1
    [Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
    [Module_A-Eth-Trunk1.1] quit
    [Module_A] interface Eth-trunk1.2
    [Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
    [Module_A-Eth-Trunk1.2] quit
    [Module_A] interface Eth-trunk1.3
    [Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
    [Module_A-Eth-Trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-trunk1.1
    [Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
    [Module_B-Eth-Trunk1.1] quit
    [Module_B] interface Eth-trunk1.2
    [Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
    [Module_B-Eth-Trunk1.2] quit
    [Module_B] interface Eth-trunk1.3
    [Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
    [Module_B-Eth-Trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0
    [Module_B] hrp enable
    [Module_B] hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.

    HRP_A[Module_A] security-policy
    HRP_A[Module_A-policy-security] rule name policy_sec1
    HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust 
    HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
    HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
    HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
    HRP_A[Module_A-policy-security-rule-policy_sec1] quit

    # On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.

    HRP_A[Module_A-policy-security] rule name policy_sec2
    HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust 
    HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
    HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
    HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
    HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
    HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
    HRP_A[Module_A-policy-security-rule-policy_sec2] quit
    HRP_A[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example: FTP negotiates its data connection on dynamic ports, so ASPF is needed to open the data channel for the FTP sessions permitted by policy_sec2.

    HRP_A[Module_A] firewall interzone untrust dmz
    HRP_A[Module_A-interzone-dmz-untrust] detect ftp
    HRP_A[Module_A-interzone-dmz-untrust] quit
    

    # Configure a NAT address pool.

    HRP_A[Module_A] nat address-group addressgroup1
    HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
    HRP_A[Module_A-address-group-addressgroup1] quit

    # Configure a source NAT policy for Internet access from the specified private subnet.

    HRP_A[Module_A] nat-policy
    HRP_A[Module_A-policy-nat] rule name policy_nat1
    HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
    HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
    HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
    HRP_A[Module_A-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 
    HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
    HRP_A[Module_A-policy-nat] quit

    # Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server in the DMZ is translated into public address 1.1.1.3:8000.

    HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80

    # Save configurations on NGFW Module_A and NGFW Module_B.

    HRP_A<Module_A> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully
    HRP_S<Module_B> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully

  5. Configure the core switches to form a CSS.
    1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
    2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.

      # Configure the CSS on SwitchA. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.

      <Huawei> system-view
      [Huawei] sysname SwitchA
      [SwitchA] set css mode css-card                //Set the CSS connection mode. The default mode is CSS card connection mode.
      [SwitchA] set css id 1                          //Set the CSS ID. The default value is 1.
      [SwitchA] set css priority 100                 //Set the CSS priority. The default value is 1.
      

      # Configure the CSS on SwitchB. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.

      <Huawei> system-view
      [Huawei] sysname SwitchB
      [SwitchB] set css mode css-card
      [SwitchB] set css id 2
      [SwitchB] set css priority 10
      

    3. Enable the CSS function.

      # To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.

      [SwitchA] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable CSS on SwitchB and then restart SwitchB.

      [SwitchB] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    4. Check whether the CSS is established.

      # Log in to the CSS from the console port of any MPU and run the following command to view the CSS status.

      <SwitchA> display css status
      CSS Enable switch On                                                            
                                                                                      
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
      ------------------------------------------------------------------------------  
      1            On           Master          CSS card    100         Off           
      2            On           Standby         CSS card    10          Off           

      If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two member switches are displayed, as shown in the preceding information, the CSS has been established.

      You are advised to configure MAD (multi-active detection) to minimize the impact of a CSS split on services. The MAD configuration is not described here.

    5. Rename the cluster system to CSS.

      <SwitchA> system-view
      [SwitchA] sysname CSS
      [CSS]

  6. Configure interfaces and VLANs for core switches. This example describes how to configure interoperation between the switch and NGFW modules.

    [CSS] vlan batch 201 to 205          //Create VLANs.
    [CSS] interface eth-trunk 5                
    [CSS-Eth-Trunk5] description To_NGFW_Module_A
    [CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1    //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
    [CSS-Eth-Trunk5] port link-type trunk                      
    [CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 205  //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, 203, 204, and 205.
    [CSS-Eth-Trunk5] quit   
    [CSS] interface eth-trunk 6                
    [CSS-Eth-Trunk6] description To_NGFW_Module_B
    [CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1    //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
    [CSS-Eth-Trunk6] port link-type trunk                      
    [CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 205  //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, 203, 204, and 205.
    [CSS-Eth-Trunk6] quit  
    [CSS] interface eth-trunk 2                   //Configure Eth-Trunk2, the switch interface that connects to the Trust zone. Adding member interfaces to Eth-Trunk2 is not described here.
    [CSS-Eth-Trunk2] description To_TRUST
    [CSS-Eth-Trunk2] port link-type trunk                      
    [CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk2] port trunk allow-pass vlan 204  //Enable Eth-Trunk2 to permit traffic from VLAN204.
    [CSS-Eth-Trunk2] quit    
    [CSS] interface eth-trunk 3                   //Configure Eth-Trunk3, the switch interface that connects to the DMZ. Adding member interfaces to Eth-Trunk3 is not described here.
    [CSS-Eth-Trunk3] description To_DMZ
    [CSS-Eth-Trunk3] port link-type trunk                      
    [CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk3] port trunk allow-pass vlan 205  //Enable Eth-Trunk3 to permit traffic from VLAN205.
    [CSS-Eth-Trunk3] quit                  
    [CSS] ip vpn-instance trust     //Create VPN instance trust.
    [CSS-vpn-instance-trust] ipv4-family
    [CSS-vpn-instance-trust-af-ipv4] route-distinguisher 100:1
    [CSS-vpn-instance-trust-af-ipv4] vpn-target 111:1 both
    [CSS-vpn-instance-trust-af-ipv4] quit
    [CSS-vpn-instance-trust] quit
    [CSS] ip vpn-instance dmz     //Create VPN instance dmz.
    [CSS-vpn-instance-dmz] ipv4-family
    [CSS-vpn-instance-dmz-af-ipv4] route-distinguisher 200:1
    [CSS-vpn-instance-dmz-af-ipv4] vpn-target 211:1 both
    [CSS-vpn-instance-dmz-af-ipv4] quit
    [CSS-vpn-instance-dmz] quit
    [CSS] interface vlanif 201
    [CSS-Vlanif201] ip address 10.3.1.4 24          //Configure an IP address for VLANIF201.
    [CSS-Vlanif201] quit
    [CSS] interface vlanif 202
    [CSS-Vlanif202] ip binding vpn-instance trust      //Bind VLANIF202 to trust.
    [CSS-Vlanif202] ip address 10.3.2.4 24          //Configure an IP address for VLANIF202.
    [CSS-Vlanif202] quit
    [CSS] interface vlanif 203
    [CSS-Vlanif203] ip binding vpn-instance dmz     //Bind VLANIF203 to dmz.
    [CSS-Vlanif203] ip address 10.3.3.4 24          //Configure an IP address for VLANIF203.
    [CSS-Vlanif203] quit
    [CSS] interface vlanif 204
    [CSS-Vlanif204] ip binding vpn-instance trust      //Bind VLANIF204 to trust.
    [CSS-Vlanif204] ip address 10.1.1.2 24          //Configure an IP address for VLANIF204.
    [CSS-Vlanif204] quit    
    [CSS] interface vlanif 205
    [CSS-Vlanif205] ip binding vpn-instance dmz      //Bind VLANIF205 to dmz.
    [CSS-Vlanif205] ip address 10.1.2.2 24        //Configure an IP address for VLANIF205.
    [CSS-Vlanif205] quit    

  7. Configure traffic diversion on the core switch.

    [CSS] ip route-static 1.1.1.1 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group 1 on the NGFW Module. 
    [CSS] ip route-static 1.1.1.2 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group 1 on the NGFW Module.
    [CSS] ip route-static 1.1.1.3 32 10.3.1.1  //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group 1 on the NGFW Module.
    [CSS] ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1    //Configure a default route on the trust virtual switch and set the next hop to the virtual IP address of VRRP group 2.
    [CSS] ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1    //Configure a default route on the dmz virtual switch and set the next hop to the virtual IP address of VRRP group 3.
    [CSS] ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1    //Route from the Trust zone to the DMZ, forwarded across the VPN instances on the CSS without passing the NGFW Modules. 10.1.2.1 is the address of the access switch's interface in VLAN 205.
    [CSS] ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1    //Route from the DMZ to the Trust zone. 10.1.1.1 is the address of the access switch's interface in VLAN 204.
    NOTE:

    In the example, NAT is configured on the NGFW Modules. Therefore, configure static routes from the Public virtual switch to the Trust zone and DMZ, and the destination IP addresses in the routes should be post-NAT public IP addresses. If NAT is not configured on the NGFW Modules, the destination IP addresses in the routes must be private IP addresses respectively in the Trust zone and DMZ when you configure static routes from the Public virtual switch to the two zones.

    In the example, communication packets between the Trust zone and DMZ are not processed by the NGFW Modules. If the enterprise requires that the NGFW Modules process the communication packets between the Trust zone and DMZ, set the next hop to the IP address of the downlink VRRP group on the NGFW Modules when you configure the route for the communications between the Trust zone and DMZ.
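The black-hole routes configured in step 2 and the diversion routes configured here have to agree with each other and with the VRRP virtual addresses, and a mismatch shows up only as a routing loop or as return traffic that is silently lost after a failover. The following Python script is an added example and not part of the Huawei document: it parses the route, NAT and VRRP lines of the Module_A and CSS scripts from this example (copied below as constructed input) and checks that every public address the module answers for is black-holed on the module and diverted on the CSS to the virtual IP of VRRP group 1, and that each VRF default route on the CSS points at a virtual IP the modules actually own. The command forms it recognises are the ones used on this page; other commands are ignored.

```python
"""Consistency audit of the NGFW Module / CSS static-route plan.
Added example, not from the Huawei document. It parses route, NAT and VRRP
lines copied from the Module_A and CSS scripts of this example and checks the
properties that keep traffic from looping between the switch and the module.
"""
import ipaddress
import re

# Constructed input: NAT, VRRP and route lines of the Module_A script.
MODULE_CONFIG = """\
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
 vrrp vrid 1 virtual-ip 10.3.1.1 active
 vrrp vrid 2 virtual-ip 10.3.2.1 active
 vrrp vrid 3 virtual-ip 10.3.3.1 active
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 1.1.1.1 255.255.255.255 NULL0
 ip route-static 1.1.1.2 255.255.255.255 NULL0
 ip route-static 1.1.1.3 255.255.255.255 NULL0
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
"""
# Constructed input: the traffic-diversion routes of the CSS script.
CSS_CONFIG = """\
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1
ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1
"""

# Matches the "null 0" form typed in the procedure as well as the "NULL0" form
# of the saved script; the second optional vpn-instance is a cross-VRF next hop.
ROUTE_RE = re.compile(
    r"^\s*ip route-static(?: vpn-instance (\S+))? (\S+) (\S+)"
    r"(?: vpn-instance \S+)? (null ?0|\S+)\s*$", re.I | re.M)


def public_addresses(module_cfg):
    """Public addresses the module answers for: NAT pool ranges plus NAT server global IPs."""
    addrs = set()
    for lo, hi in re.findall(r"^\s*section \d+ (\S+) (\S+)", module_cfg, re.M):
        first, last = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        addrs.update(str(ipaddress.IPv4Address(i)) for i in range(first, last + 1))
    addrs.update(re.findall(r"^\s*nat server \S+ .*?\bglobal (\S+)", module_cfg, re.M))
    return addrs


def static_routes(cfg):
    """{(vpn-instance or None, 'prefix/len'): next hop}, with 'NULL0' for black-hole routes."""
    routes = {}
    for vpn, dest, mask, nh in ROUTE_RE.findall(cfg):
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        routes[(vpn or None, str(net))] = "NULL0" if re.fullmatch(r"null ?0", nh, re.I) else nh
    return routes


def vrrp_virtual_ips(module_cfg):
    """{vrid: virtual IP} for the VRRP groups configured on the module."""
    return {int(v): ip for v, ip in
            re.findall(r"^\s*vrrp vrid (\d+) virtual-ip (\S+)", module_cfg, re.M)}


def audit(module_cfg, css_cfg):
    """Return a list of findings; an empty list means the route plan is consistent."""
    findings = []
    mod_routes, css_routes = static_routes(module_cfg), static_routes(css_cfg)
    vips = vrrp_virtual_ips(module_cfg)
    upstream_vip = vips.get(1)  # VRRP group 1 sits on the module's upstream (Untrust) interface
    for addr in sorted(public_addresses(module_cfg), key=ipaddress.IPv4Address):
        key = (None, f"{addr}/32")
        # Without the black-hole route, a packet for an unused pool address (or for the
        # NAT server global IP with no matching session) would follow the module's default
        # route back to the CSS, which would divert it to the module again: a routing loop.
        if mod_routes.get(key) != "NULL0":
            findings.append(f"module: no NULL0 route for public address {addr}")
        # Return traffic for the public address must be diverted to the virtual IP of
        # VRRP group 1, not to the physical address of one module, or it is lost on failover.
        if css_routes.get(key) != upstream_vip:
            findings.append(f"css: route for {addr} must point at VRRP group 1 ({upstream_vip})")
    # The VRF default routes (trust, dmz) must likewise use a virtual IP the modules own.
    owned = set(vips.values())
    for (vpn, net), nh in css_routes.items():
        if vpn and net == "0.0.0.0/0" and nh not in owned:
            findings.append(f"css: default route in vpn-instance {vpn} uses non-VRRP next hop {nh}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(MODULE_CONFIG, CSS_CONFIG) or ["route plan is consistent"]))
```

Feed it the output of display current-configuration from the active module and from the CSS instead of the embedded excerpts; removing one of the NULL0 routes or pointing a CSS host route at 10.3.1.2 (the physical address of Module_A) produces a finding, which is exactly the kind of mistake that otherwise surfaces only during a failover test.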

Verification
  1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_A[Module_A] display hrp state
     The firewall's config state is: ACTIVE                                         
                                                                                    
     Backup channel usage: 0.01%                                                    
     Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes             
     Current state of virtual routers configured as active:                         
                         Eth-Trunk1.3    vrid   3 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                         Eth-Trunk1.2    vrid   2 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                         Eth-Trunk1.1    vrid   1 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up                               
    
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
  4. Configure a PC in the Trust zone to ping a public address continuously, and run the shutdown command on Eth-Trunk1 of NGFW Module_A. Then check whether the NGFW Modules switch over and how many ping packets are lost. If the switchover works, NGFW Module_B becomes active and carries the services: the command prompt of NGFW Module_B changes from HRP_S to HRP_A, and that of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the network), are lost.

    Run the undo shutdown command on Eth-Trunk1 of NGFW Module_A and check the switchover and ping loss again. If the switchback works, NGFW Module_A becomes active again and starts to carry services after the preemption delay (60s by default) expires: its command prompt changes from HRP_S to HRP_A, and that of NGFW Module_B changes from HRP_A to HRP_S. Again, no ping packets, or only a few (1 to 3, depending on the network), are lost.
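Verification steps 2 and 3 compare the session tables of the two modules by eye. The following Python script is an added example and not part of the Huawei document: it parses session lines in the layout shown above (the two outputs are copied as constructed input), lists active sessions that have no Remote copy on the standby (flows that would be dropped after a switchover), and flags sessions whose translated addresses fall outside the source NAT pool or disagree with the nat server mapping. It assumes the line layout printed in this example; other NGFW versions may print additional columns.

```python
"""Checks on `display firewall session table` output from both NGFW Modules.
Added example, not from the Huawei document. Parses the session line layout
shown in this example: protocol, VPN pair, optional "Remote" tag for a
backed-up session, src[post-NAT src] --> dst[pre-NAT dst].
"""
import ipaddress
import re

# Constructed input: the active module's table after both verification flows.
ACTIVE_OUTPUT = """\
Current Total Sessions : 2
  http  VPN: public --> public 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
  http  VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""
# Constructed input: the standby module's table; "Remote" marks backed-up sessions.
STANDBY_OUTPUT = """\
Current Total Sessions : 2
  http  VPN: public --> public Remote 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
  http  VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""

SESSION_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?(?P<src>[\d.]+:\d+)(?:\[(?P<src_nat>[\d.]+:\d+)\])?"
    r"\s*-->\s*(?P<dst>[\d.]+:\d+)(?:\[(?P<dst_nat>[\d.]+:\d+)\])?\s*$")


def parse_sessions(output):
    """Parse session lines into dicts; the header and unrecognised lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            s["remote"] = s["remote"] is not None
            sessions.append(s)
    return sessions


def session_key(s):
    """Identity used to match an active session with its backup copy on the standby."""
    return (s["proto"], s["src"], s["src_nat"], s["dst"], s["dst_nat"])


def unbacked_sessions(active_out, standby_out):
    """Active-side sessions with no 'Remote' copy on the standby.

    After a switchover these flows are dropped by the new active module,
    because it holds no state for them."""
    backed = {session_key(s) for s in parse_sessions(standby_out) if s["remote"]}
    return [session_key(s) for s in parse_sessions(active_out)
            if not s["remote"] and session_key(s) not in backed]


def nat_violations(active_out, pool, nat_servers):
    """Sessions whose translation disagrees with the NAT plan.

    pool: (first, last) address of the source NAT address group.
    nat_servers: {'global_ip:port': 'inside_ip:port'} taken from the nat server commands."""
    first, last = (ipaddress.IPv4Address(a) for a in pool)
    bad = []
    for s in parse_sessions(active_out):
        if s["src_nat"] and not first <= ipaddress.IPv4Address(s["src_nat"].split(":")[0]) <= last:
            bad.append(("source NAT address outside pool", s["src"], s["src_nat"]))
        if s["dst_nat"] and nat_servers.get(s["dst"]) != s["dst_nat"]:
            bad.append(("NAT server mapping mismatch", s["dst"], s["dst_nat"]))
    return bad


if __name__ == "__main__":
    print("unbacked sessions:", unbacked_sessions(ACTIVE_OUTPUT, STANDBY_OUTPUT))
    print("NAT violations:", nat_violations(ACTIVE_OUTPUT, ("1.1.1.1", "1.1.1.2"),
                                            {"1.1.1.3:8000": "192.168.2.8:80"}))
```

Capture the two tables at the same moment (for example with a screen log on each console) before running the comparison; a short-lived session that closes between the two captures would otherwise be reported as unbacked even though HRP is working.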

Configuration Scripts

Configuration scripts of the NGFW Modules:

NGFW Module_A:

#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
# 
 firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 1.1.1.1 255.255.255.255 NULL0
 ip route-static 1.1.1.2 255.255.255.255 NULL0
 ip route-static 1.1.1.3 255.255.255.255 NULL0
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2 
#   
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit    
# 
nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 mask 255.255.255.0   
    action nat address-group addressgroup1 
#
return

NGFW Module_B:

#
 sysname Module_B
#
 hrp enable
 hrp standby-device   //This command is required only in versions earlier than V100R001C30SPC300.
 hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
# 
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 1.1.1.1 255.255.255.255 NULL0
 ip route-static 1.1.1.2 255.255.255.255 NULL0
 ip route-static 1.1.1.3 255.255.255.255 NULL0
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
# 
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2 
#  
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0  
  service http
  service ftp
  profile ips default
  action permit   
#  
nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 mask 255.255.255.0   
    action nat address-group addressgroup1 
#
return

Configuration script of CSS:

# ----Traffic diversion configuration----
vlan batch 201 to 205
#
ip vpn-instance dmz
 ipv4-family
  route-distinguisher 200:1
  vpn-target 211:1 export-extcommunity
  vpn-target 211:1 import-extcommunity
#
ip vpn-instance trust
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif201
 ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
 ip binding vpn-instance trust 
 ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
  ip binding vpn-instance dmz
 ip address 10.3.3.4 255.255.255.0
#
interface Vlanif204
 ip binding vpn-instance trust 
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif205
  ip binding vpn-instance dmz
 ip address 10.1.2.2 255.255.255.0
#
interface Eth-Trunk2
 description To_TRUST
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 204
#
interface Eth-Trunk3
 description To_DMZ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 205
#
interface Eth-Trunk5
 description To_NGFW_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 205
#
interface Eth-Trunk6
 description To_NGFW_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 205
#
interface XGigabitEthernet1/1/0/0
  eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
  eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
  eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
  eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1 
ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1
ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1
ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1
#
return

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where PBR-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-35, two switches are deployed in a CSS and two NGFW Modules are installed in slot 1 on the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. Two NGFW Modules work in active/standby mode.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment Guide" in the search bar.

Figure 2-35  Networking for Layer-3 dual-NGFW Module deployment and switch CSS
NOTE:

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Data Planning

Item: Hot standby
  Data: NGFW Module_A: active; NGFW Module_B: standby
  Description: -

Item: NAT
  Data: Source NAT
        NAT type: PAT
        Address pool: 1.1.1.1 to 1.1.1.2
  Description: The source address is automatically translated for Internet access from a specified private subnet.
  Data: NAT Server
        Global address: 1.1.1.3
        Inside address: 192.168.2.8
  Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy
  Data: Policy 1: policy_sec1
        Source security zone: Trust
        Destination security zone: Untrust
        Source IP address: 192.168.1.0
        Action: permit
  Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.
  Data: Policy 2: policy_sec2
        Source security zone: Untrust
        Destination security zone: DMZ
        Destination IP address: 192.168.2.0
        Action: permit
  Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution
  1. Figure 2-35 can be abstracted as Figure 2-36. You can understand the mapping between the two figures based on interface numbers and actual traffic directions.

    As shown in Figure 2-36, a default route (next hop: VLANIF201) to the public network, a specific route (next hop: VLANIF202) to the Trust zone, and a specific route (next hop: VLANIF203) to the DMZ need to be configured on the NGFW modules. PBR needs to be configured on the switches to direct traffic to the firewalls.

    Figure 2-36  Configuring VRRP on the NGFW modules and PBR on the switches
    NOTE:

    Figure 2-36 lists only the switch interfaces involved in the connection with the NGFW Modules.

  2. Specify Eth-trunk0 as the heartbeat interface and enable hot standby on each NGFW Module.

  3. Configure security functions, such as security policies, NAT policies, and IPS, on NGFW Module_A. NGFW Module_A automatically synchronizes its configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname Module_A

    # Configure IP addresses for the interfaces on NGFW Module_A.

    [Module_A] interface Eth-trunk 1
    [Module_A-Eth-Trunk1] quit
    [Module_A] interface GigabitEthernet 1/0/0
    [Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/0] quit
    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/1] quit
    [Module_A] interface Eth-trunk 1.1
    [Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
    [Module_A-Eth-Trunk1.1] vlan-type dot1q 201
    [Module_A-Eth-Trunk1.1] quit
    [Module_A] interface Eth-trunk 1.2
    [Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
    [Module_A-Eth-Trunk1.2] vlan-type dot1q 202
    [Module_A-Eth-Trunk1.2] quit
    [Module_A] interface Eth-trunk 1.3
    [Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
    [Module_A-Eth-Trunk1.3] vlan-type dot1q 203
    [Module_A-Eth-Trunk1.3] quit
    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] quit
    [Module_A] interface GigabitEthernet 0/0/1
    [Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/1] quit
    [Module_A] interface GigabitEthernet 0/0/2
    [Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface Eth-trunk 1.1
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-trunk 1.2
    [Module_A-zone-trust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-trunk 1.3
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone name hrpzone
    [Module_A-zone-hrpzone] set priority 65
    [Module_A-zone-hrpzone] add interface Eth-Trunk 0
    [Module_A-zone-hrpzone] quit

    # Configure the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname Module_B

    # Configure IP addresses for the interfaces on NGFW Module_B.

    [Module_B] interface Eth-trunk 1
    [Module_B-Eth-Trunk1] quit
    [Module_B] interface GigabitEthernet 1/0/0
    [Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/0] quit
    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/1] quit
    [Module_B] interface Eth-trunk 1.1
    [Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
    [Module_B-Eth-Trunk1.1] vlan-type dot1q 201
    [Module_B-Eth-Trunk1.1] quit
    [Module_B] interface Eth-trunk 1.2
    [Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
    [Module_B-Eth-Trunk1.2] vlan-type dot1q 202
    [Module_B-Eth-Trunk1.2] quit
    [Module_B] interface Eth-trunk 1.3
    [Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
    [Module_B-Eth-Trunk1.3] vlan-type dot1q 203
    [Module_B-Eth-Trunk1.3] quit
    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] quit
    [Module_B] interface GigabitEthernet 0/0/1
    [Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/1] quit
    [Module_B] interface GigabitEthernet 0/0/2
    [Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface Eth-trunk 1.1
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-trunk 1.2
    [Module_B-zone-trust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-trunk 1.3
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone name hrpzone
    [Module_B-zone-hrpzone] set priority 65
    [Module_B-zone-hrpzone] add interface Eth-Trunk 0
    [Module_B-zone-hrpzone] quit

  2. Create static routes on NGFW Modules.

    # On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_A, configure black-hole routes to the addresses in the source NAT address pool to prevent routing loops. In this example, the source NAT address pool covers 1.1.1.1-1.1.1.2.

    [Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

    # On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

    # On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.

    [Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

    # On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.

    [Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

    # On NGFW Module_B, configure black-hole routes to the addresses in the source NAT address pool to prevent routing loops. In this example, the source NAT address pool covers 1.1.1.1-1.1.1.2.

    [Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
    [Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0

    # On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.

    [Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-trunk1.1
    [Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
    [Module_A-Eth-Trunk1.1] quit
    [Module_A] interface Eth-trunk1.2
    [Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
    [Module_A-Eth-Trunk1.2] quit
    [Module_A] interface Eth-trunk1.3
    [Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
    [Module_A-Eth-Trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-trunk1.1
    [Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
    [Module_B-Eth-Trunk1.1] quit
    [Module_B] interface Eth-trunk1.2
    [Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
    [Module_B-Eth-Trunk1.2] quit
    [Module_B] interface Eth-trunk1.3
    [Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
    [Module_B-Eth-Trunk1.3] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0
    [Module_B] hrp enable
    [Module_B] hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.

    HRP_A[Module_A] security-policy
    HRP_A[Module_A-policy-security] rule name policy_sec1
    HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust 
    HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
    HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
    HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
    HRP_A[Module_A-policy-security-rule-policy_sec1] quit

    # On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.

    HRP_A[Module_A-policy-security] rule name policy_sec2
    HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust 
    HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
    HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
    HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
    HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
    HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
    HRP_A[Module_A-policy-security-rule-policy_sec2] quit
    HRP_A[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_A[Module_A] firewall interzone untrust dmz
    HRP_A[Module_A-interzone-dmz-untrust] detect ftp
    HRP_A[Module_A-interzone-dmz-untrust] quit
    

    # Configure a NAT address pool.

    HRP_A[Module_A] nat address-group addressgroup1
    HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
    HRP_A[Module_A-address-group-addressgroup1] quit

    # Configure a source NAT policy for Internet access from the specified private subnet.

    HRP_A[Module_A] nat-policy
    HRP_A[Module_A-policy-nat] rule name policy_nat1
    HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
    HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
    HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
    HRP_A[Module_A-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 
    HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
    HRP_A[Module_A-policy-nat] quit

    # Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server in the DMZ is translated into public address 1.1.1.3:8000.

    HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80

    # Save configurations on NGFW Module_A and NGFW Module_B.

    HRP_A<Module_A> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully
    HRP_S<Module_B> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully

  5. Configure the core switches to form a CSS.
    1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
    2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.

      # Configure the CSS on SwitchA. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.

      <Huawei> system-view
      [Huawei] sysname SwitchA
      [SwitchA] set css mode css-card                //Set the CSS connection mode. The default mode is CSS card connection mode.
      [SwitchA] set css id 1                          //Set the CSS ID. The default value is 1.
      [SwitchA] set css priority 100                 //Set the CSS priority. The default value is 1.
      

      # Configure the CSS on SwitchB. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.

      <Huawei> system-view
      [Huawei] sysname SwitchB
      [SwitchB] set css mode css-card
      [SwitchB] set css id 2
      [SwitchB] set css priority 10
      

    3. Enable the CSS function.

      # To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.

      [SwitchA] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable CSS on SwitchB and then restart SwitchB.

      [SwitchB] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    4. Check whether the CSS is established.

      # Log in to the CSS from the console port of any MPU and run the following command to view the CSS status.

      <SwitchA> display css status
      CSS Enable switch On                                                            
                                                                                      
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
      ------------------------------------------------------------------------------  
      1            On           Master          CSS card    100         Off           
      2            On           Standby         CSS card    10          Off           

      If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two member switches are displayed, as shown in the preceding information, the CSS has been established.

      You are advised to configure MAD to minimize the impact of a CSS split on services. Detailed configurations will not be described here.

    5. Rename the cluster system to CSS.

      <SwitchA> system-view
      [SwitchA] sysname CSS
      [CSS]

  6. Configure interfaces and VLANs for switches. This example describes how to configure interoperation between the switch and NGFW modules.

    [CSS] vlan batch 201 to 203          //Create VLANs.
    [CSS] interface eth-trunk 5                
    [CSS-Eth-Trunk5] description To_NGFW_Module_A
    [CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1  //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
    [CSS-Eth-Trunk5] port link-type trunk                      
    [CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 203  //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, and 203.
    [CSS-Eth-Trunk5] quit   
    [CSS] interface eth-trunk 6                
    [CSS-Eth-Trunk6] description To_NGFW_Module_B
    [CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1  //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
    [CSS-Eth-Trunk6] port link-type trunk                      
    [CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
    [CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 203  //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, and 203.
    [CSS-Eth-Trunk6] quit                    
    [CSS] interface vlanif 201
    [CSS-Vlanif201] ip address 10.3.1.4 24
    [CSS-Vlanif201] quit                       //Configure an IP address for VLANIF201.
    [CSS] interface vlanif 202
    [CSS-Vlanif202] ip address 10.3.2.4 24
    [CSS-Vlanif202] quit                       //Configure an IP address for VLANIF202.
    [CSS] interface vlanif 203
    [CSS-Vlanif203] ip address 10.3.3.4 24
    [CSS-Vlanif203] quit                       //Configure an IP address for VLANIF203.
    

  7. Configure traffic diversion on the switch. This example describes how to configure interoperation between the switch and NGFW modules.

    [CSS] acl 3001  //Create ACL3001.
    [CSS-acl-adv-3001] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255  //Configure a rule for ACL3001: source network segment 192.168.1.0 and destination network segment 192.168.2.0.
    [CSS-acl-adv-3001] rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255  //Configure a rule for ACL3001: source network segment 192.168.2.0 and destination network segment 192.168.1.0.
    [CSS-acl-adv-3001] quit
    [CSS] traffic classifier c1 precedence 5  //Create traffic classifier c1.
    [CSS-classifier-c1] if-match acl 3001  //Match packets exchanged between the Trust zone and DMZ with the ACL3001 rule.
    [CSS-classifier-c1] quit
    [CSS] traffic behavior b1  //Create traffic behavior b1.
    [CSS-behavior-b1] permit  //Permit the matching packets.
    [CSS-behavior-b1] quit
    [CSS] acl 3002  //Create ACL3002.
    [CSS-acl-adv-3002] rule 5 permit ip source 192.168.1.0 0.0.0.255  //Configure a rule for ACL3002: source network segment 192.168.1.0.
    [CSS-acl-adv-3002] quit
    [CSS] traffic classifier c2 precedence 10  //Create traffic classifier c2.
    [CSS-classifier-c2] if-match acl 3002  //Match the packets from network segment 192.168.1.0, namely, packets from the Trust zone to the Internet, with ACL3002.
    [CSS-classifier-c2] quit
    [CSS] traffic behavior b2  //Create traffic behavior b2.
    [CSS-behavior-b2] redirect ip-nexthop 10.3.2.1  //Redirect the matching packets to address 10.3.2.1, namely, the connected NGFW Module.
    [CSS-behavior-b2] quit
    [CSS] traffic policy p1  //Create traffic policy p1.
    [CSS-trafficpolicy-p1] classifier c1 behavior b1  //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p1. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
    [CSS-trafficpolicy-p1] classifier c2 behavior b2  //Bind traffic classifier c2 and traffic behavior b2 with traffic policy p1. All packets from the Trust zone to the Internet are redirected to the NGFW Module.
    [CSS-trafficpolicy-p1] quit
    [CSS] interface eth-trunk 2  //Access the interface connecting the switch to the Trust zone.
    [CSS-Eth-Trunk2] traffic-policy p1 inbound  //Apply traffic policy P1 in the inbound direction of the interface connecting the switch to the Trust zone.
    [CSS-Eth-Trunk2] quit
    [CSS] acl 3003  //Create ACL3003.
    [CSS-acl-adv-3003] rule 5 permit ip source 192.168.2.0 0.0.0.255  //Configure a rule for ACL3003: source network segment 192.168.2.0.
    [CSS-acl-adv-3003] quit
    [CSS] traffic classifier c3 precedence 15  //Create traffic classifier c3.
    [CSS-classifier-c3] if-match acl 3003  //Match all packets from network segment 192.168.2.0, namely, all packets from the DMZ to the Internet, with the ACL3003 rule.
    [CSS-classifier-c3] quit
    [CSS] traffic behavior b3  //Create traffic behavior b3.
    [CSS-behavior-b3] redirect ip-nexthop 10.3.3.1  //Redirect the matching packets to address 10.3.3.1, namely the NGFW Module.
    [CSS-behavior-b3] quit
    [CSS] traffic policy p3  //Create traffic policy p3.
    [CSS-trafficpolicy-p3] classifier c1 behavior b1  //Bind traffic classifier c1 and traffic behavior b1 with traffic policy p3. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
    [CSS-trafficpolicy-p3] classifier c3 behavior b3   //Bind traffic classifier c3 and traffic behavior b3 with traffic policy p3. All traffic from the DMZ to the Internet is redirected to the NGFW Module.
    [CSS-trafficpolicy-p3] quit
    [CSS] interface eth-trunk 3  //Access the view of the interface connecting the switch to the DMZ.
    [CSS-Eth-Trunk3] traffic-policy p3 inbound  //Apply traffic policy p3 in the inbound direction of the interface connecting the switch to the DMZ.
    [CSS-Eth-Trunk3] quit
    [CSS] ip route-static 1.1.1.1 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
    [CSS] ip route-static 1.1.1.2 32 10.3.1.1  //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
    [CSS] ip route-static 1.1.1.3 32 10.3.1.1  //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
    
    NOTE:

    In this example, the source NAT and NAT server functions are configured on the NGFW Module. From the switch's point of view, the destination address of traffic sent from the public network to the private network is a post-NAT (public) address. Therefore, you can configure static routes on the switch to direct the traffic sent from the public network to these public addresses to the NGFW Module.

    If no source NAT or NAT server function is configured on the NGFW Module, from the switch's point of view, the destination address of traffic sent from the public network to the private network is still a private network address. In this case, you need to configure a traffic policy on the upstream interface of the switch to direct the traffic to the NGFW Module.

    [CSS] acl 3004  //Create ACL3004.
    [CSS-acl-adv-3004] rule 5 permit ip destination 192.168.1.0 0.0.0.255  //Configure a rule for ACL3004: destination network segment 192.168.1.0.
    [CSS-acl-adv-3004] rule 10 permit ip destination 192.168.2.0 0.0.0.255  //Configure a rule for ACL3004: destination network segment 192.168.2.0.
    [CSS-acl-adv-3004] quit
    [CSS] traffic classifier c4 precedence 20  //Create traffic classifier c4.
    [CSS-classifier-c4] if-match acl 3004   //Match the packets whose destination network segments are 192.168.1.0 and 192.168.2.0, namely, all packets from the Internet to the intranet, with the ACL3004 rule.
    [CSS-classifier-c4] quit
    [CSS] traffic behavior b4  //Create traffic behavior b4.
    [CSS-behavior-b4] redirect ip-nexthop 10.3.1.1  //Redirect the matching packets to address 10.3.1.1, namely, the NGFW Module.
    [CSS-behavior-b4] quit
    [CSS] traffic policy p4  //Create traffic policy p4.
    [CSS-trafficpolicy-p4] classifier c4 behavior b4 precedence 20  //Bind traffic classifier c4 and traffic behavior b4 with traffic policy p4. All traffic from the Internet to the intranet is directed to the NGFW Module.
    [CSS-trafficpolicy-p4] quit
    [CSS] interface eth-trunk 4  //Access the view of the interface connecting the switch to the Internet.
    [CSS-Eth-Trunk4] traffic-policy p4 inbound  //Apply traffic policy p4 in the inbound direction of the interface connecting the switch to the Internet.
    [CSS-Eth-Trunk4] quit
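The following Python model is an added example, not code from the Huawei document: it reproduces the switch's classification logic for the ACLs, traffic classifiers, behaviors and policies configured in this step (classifiers evaluated in ascending precedence, first match wins) together with the static routes that carry post-NAT traffic, so the diversion design can be checked offline against sample flows. Interface names, ACL numbers, next hops and routes are those of the configuration above; the sample flows are constructed.

```python
"""Offline model of the PBR-based traffic diversion configured on the CSS.

Added example, not part of the Huawei document. It re-implements the switch's
decision chain (ACL match -> traffic classifier -> traffic behavior, classifiers
evaluated in ascending precedence, first match wins) and the static routes used
for post-NAT addresses, so the diversion design can be checked before deployment.
Sample flows at the bottom are constructed.
"""
from ipaddress import ip_address, ip_network

# ACLs from step 7: each rule is (source network, destination network); None = any.
ACLS = {
    3001: [("192.168.1.0/24", "192.168.2.0/24"), ("192.168.2.0/24", "192.168.1.0/24")],
    3002: [("192.168.1.0/24", None)],
    3003: [("192.168.2.0/24", None)],
    3004: [(None, "192.168.1.0/24"), (None, "192.168.2.0/24")],
}

# Traffic classifiers: name -> (precedence, ACL). Lower precedence is evaluated first.
CLASSIFIERS = {"c1": (5, 3001), "c2": (10, 3002), "c3": (15, 3003), "c4": (20, 3004)}

# Traffic behaviors: "permit" keeps normal forwarding; "redirect" sends to a next hop.
BEHAVIORS = {
    "b1": ("permit", None),
    "b2": ("redirect", "10.3.2.1"),  # VRRP VIP on Eth-Trunk1.2 (Trust side of the NGFW)
    "b3": ("redirect", "10.3.3.1"),  # VRRP VIP on Eth-Trunk1.3 (DMZ side of the NGFW)
    "b4": ("redirect", "10.3.1.1"),  # VRRP VIP on Eth-Trunk1.1 (Untrust side of the NGFW)
}

# Traffic policies and the ingress interface each one is applied to (inbound).
POLICIES = {
    "p1": [("c1", "b1"), ("c2", "b2")],
    "p3": [("c1", "b1"), ("c3", "b3")],
    "p4": [("c4", "b4")],
}
INTERFACE_POLICY = {"Eth-Trunk2": "p1", "Eth-Trunk3": "p3", "Eth-Trunk4": "p4"}

# Static routes on the CSS: post-NAT addresses are routed to the upstream VRRP VIP
# because the ACL-based policies cannot match them (see the note above).
STATIC_ROUTES = {"1.1.1.1/32": "10.3.1.1", "1.1.1.2/32": "10.3.1.1", "1.1.1.3/32": "10.3.1.1"}


def acl_matches(acl_id, src, dst):
    """Return True if any rule of the ACL permits the (src, dst) pair."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst in ACLS[acl_id]:
        if rule_src is not None and s not in ip_network(rule_src):
            continue
        if rule_dst is not None and d not in ip_network(rule_dst):
            continue
        return True
    return False


def pbr_decision(ingress, src, dst):
    """Apply the traffic policy bound inbound to ``ingress``.

    Returns ("redirect", next_hop), ("permit", None) when the Trust<->DMZ bypass
    rule matches, or None when no classifier matches and ordinary forwarding applies.
    """
    policy = POLICIES[INTERFACE_POLICY[ingress]]
    for cls, beh in sorted(policy, key=lambda pair: CLASSIFIERS[pair[0]][0]):
        if acl_matches(CLASSIFIERS[cls][1], src, dst):
            return BEHAVIORS[beh]
    return None


def route_lookup(dst):
    """Longest-prefix match over the configured static routes (None = no route)."""
    d = ip_address(dst)
    best = None
    for prefix, nexthop in STATIC_ROUTES.items():
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def forwarding_decision(ingress, src, dst):
    """Combine PBR and routing the way the switch does: PBR first, then the route table."""
    decision = pbr_decision(ingress, src, dst)
    if decision is not None and decision[0] == "redirect":
        return "redirect", decision[1]
    nexthop = route_lookup(dst)
    return ("route", nexthop) if nexthop else ("forward", None)


if __name__ == "__main__":
    # Constructed sample flows covering each path in the design.
    flows = [
        ("Eth-Trunk2", "192.168.1.8", "192.168.2.8"),  # Trust -> DMZ: switch forwards directly
        ("Eth-Trunk2", "192.168.1.8", "3.3.3.3"),      # Trust -> Internet: diverted to the NGFW
        ("Eth-Trunk3", "192.168.2.8", "2.2.2.2"),      # DMZ -> Internet: diverted to the NGFW
        ("Eth-Trunk4", "2.2.2.2", "192.168.2.8"),      # Internet -> private address: PBR (no-NAT case)
        ("Eth-Trunk4", "2.2.2.2", "1.1.1.3"),          # Internet -> NAT server address: static route
    ]
    for ingress, src, dst in flows:
        print(f"{ingress:10} {src:>12} -> {dst:<12} {forwarding_decision(ingress, src, dst)}")
```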
    

Verification
  1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_A[Module_A] display hrp state
     The firewall's config state is: ACTIVE                                         
                                                                                    
     Backup channel usage: 0.01%                                                    
     Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes             
     Current state of virtual routers configured as active:                         
                         Eth-Trunk1.3    vrid   3 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                         Eth-Trunk1.2    vrid   2 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                         Eth-Trunk1.1    vrid   1 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up                               
    
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
  4. Configure a PC in the Trust zone to ping the public address continuously and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets or only a few (1 to 3 packets, depending on the actual network environment) are discarded.

    Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and check the status switchover of the NGFW Modules and the number of discarded ping packets. If the switchover is normal, NGFW Module_A becomes the active device again and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets or only a few (1 to 3 packets, depending on the actual network environment) are discarded.

Configuration Scripts

Configuration scripts of the NGFW Modules:

NGFW Module_A:
#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
# 
 firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 1.1.1.1 255.255.255.255 NULL0
 ip route-static 1.1.1.2 255.255.255.255 NULL0
 ip route-static 1.1.1.3 255.255.255.255 NULL0
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
# 
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2 
#    
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit    
#  
nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 mask 255.255.255.0
    action nat address-group addressgroup1 
#
return

NGFW Module_B:
#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0
 hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
# 
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.1
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
 ip route-static 1.1.1.1 255.255.255.255 NULL0
 ip route-static 1.1.1.2 255.255.255.255 NULL0
 ip route-static 1.1.1.3 255.255.255.255 NULL0
 ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
 ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
 nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2 
#     
security-policy  
 rule name policy_sec1
  source-zone trust  
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit    
 rule name policy_sec2
  source-zone untrust  
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit   
# 
 nat-policy  
  rule name policy_nat1 
    source-zone trust 
    destination-zone untrust  
    source-address 192.168.1.0 mask 255.255.255.0
    action nat address-group addressgroup1 
#
return

Configuration script of CSS:

# ----Traffic diversion configuration----
vlan batch 201 to 203
#
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3003
 rule 5 permit ip source 192.168.2.0 0.0.0.255
acl number 3004
 rule 5 permit ip destination 192.168.1.0 0.0.0.255
 rule 10 permit ip destination 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
 if-match acl 3001
traffic classifier c2 operator or precedence 10
 if-match acl 3002
traffic classifier c3 operator or precedence 15
 if-match acl 3003
traffic classifier c4 operator or precedence 20
 if-match acl 3004
#
traffic behavior b1
 permit
traffic behavior b2
 permit
 redirect ip-nexthop 10.3.2.1
traffic behavior b3
 permit
 redirect ip-nexthop 10.3.3.1
traffic behavior b4
 permit
 redirect ip-nexthop 10.3.1.1
#
traffic policy p1 match-order config
 classifier c1 behavior b1
 classifier c2 behavior b2
traffic policy p3 match-order config
 classifier c1 behavior b1
 classifier c3 behavior b3
traffic policy p4 match-order config
 classifier c4 behavior b4
#
interface Vlanif201
 ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
 ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
 ip address 10.3.3.4 255.255.255.0
#
interface Eth-Trunk2
  traffic-policy p1 inbound
#
interface Eth-Trunk3
  traffic-policy p3 inbound
#
interface Eth-Trunk4
 traffic-policy p4 inbound
#
interface Eth-Trunk5
 description To_NGFW_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface Eth-Trunk6
 description To_NGFW_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 203
#
interface XGigabitEthernet1/1/0/0
  eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
  eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
  eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
  eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
#
return
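
In the CSS script above, what the NGFW Modules inspect is decided by the ACLs and by the order in which the traffic policies evaluate their classifiers (match-order config), not by VLAN membership. The Python model below is an added example, not Huawei code or part of this guide: it reproduces the ACL, classifier and behavior logic of the script (interface names, ACL rules and VRRP virtual addresses are taken from the script; the flows fed to it are constructed) so the inspection coverage can be checked offline.

```python
"""Model of the CSS redirection policy above: which flows the switch hands to an NGFW VRRP
address and which it forwards itself. Added example, not Huawei code; it reproduces the
ACL/classifier/behavior logic of the script so the inspection coverage can be checked offline."""
import ipaddress
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP ACL wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

# Advanced ACLs from the script: each rule is (source, destination), None = any.
# All rules are permit, so a match means 'this flow belongs to the classifier'.
ACLS = {
    3001: [(("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
           (("192.168.2.0", "0.0.0.255"), ("192.168.1.0", "0.0.0.255"))],
    3002: [(("192.168.1.0", "0.0.0.255"), None)],
    3003: [(("192.168.2.0", "0.0.0.255"), None)],
    3004: [(None, ("192.168.1.0", "0.0.0.255")), (None, ("192.168.2.0", "0.0.0.255"))],
}

# Traffic policies bound inbound on the user, server and Internet trunks. With
# match-order config the first classifier whose ACL matches wins; a next hop of None
# is behavior b1: permit, and let the switch forward the packet normally.
POLICIES = {
    "Eth-Trunk2": [(3001, None), (3002, "10.3.2.1")],  # intranet users -> VLAN 202 VIP
    "Eth-Trunk3": [(3001, None), (3003, "10.3.3.1")],  # servers -> VLAN 203 VIP
    "Eth-Trunk4": [(3004, "10.3.1.1")],                # Internet -> VLAN 201 VIP
}

def acl_matches(acl_id: int, src: str, dst: str) -> bool:
    """True if any rule of the ACL matches the (src, dst) pair."""
    for rule_src, rule_dst in ACLS[acl_id]:
        if rule_src and not wildcard_match(src, *rule_src):
            continue
        if rule_dst and not wildcard_match(dst, *rule_dst):
            continue
        return True
    return False

def redirect_target(policy: list, src: str, dst: str) -> Optional[str]:
    """Next hop the policy redirects the flow to, or None when the switch forwards it."""
    for acl_id, next_hop in policy:
        if acl_matches(acl_id, src, dst):
            return next_hop
    return None

def divert_map(flows: list) -> dict:
    """Map each (ingress trunk, src, dst) triple to the NGFW VIP it is diverted to, or None."""
    return {f: redirect_target(POLICIES[f[0]], f[1], f[2]) for f in flows}
```

Because c1 (ACL 3001, permit without redirect) precedes c2 and c3, traffic between 192.168.1.0/24 and 192.168.2.0/24 is switched directly and never reaches the NGFW, which is the stated requirement; reversing the classifier order would divert it. Note also that traffic from the Internet to the NAT addresses 1.1.1.1 to 1.1.1.3 does not match ACL 3004 at all: it reaches the NGFW only through the host routes via 10.3.1.1 at the end of the script, so those routes are part of the security boundary, not just plumbing.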

Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where VLAN-based Traffic Diversion Is Implemented

Service Requirements

As shown in Figure 2-37, two switches form a CSS, and two NGFW Modules, installed in slot 1 of the respective switches, implement hot standby. The NGFW Modules implement security checks on traffic sent by intranet users to the server area or the Internet.

This example uses NGFW modules running V100R001C30 and switches running V200R008C00. For the configuration examples of NGFW Modules running other versions, see Deployment Guide. You can search for "Deployment Guide" in the search bar.

Figure 2-37  Switch CSS and NGFW Module hot standby networking
NOTE:

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.

Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Deployment Solution

The NGFW Modules work at Layer 3, and the upstream and downstream network gateways point to the NGFW Modules. The switches work at Layer 2.

  1. The interfaces connecting each NGFW Module and switch are bundled into an Eth-Trunk interface: Eth-Trunk 1 on each NGFW Module, Eth-Trunk 10 on SwitchA, and Eth-Trunk 11 on SwitchB.
  2. The Eth-Trunk at the switch side is configured to work in Trunk mode and allows packets from VLANs 301, 302, and 200 to pass. Configure three Eth-Trunk subinterfaces at the NGFW Module side to carry out dot1q termination for packets from VLANs 301, 302, and 200 respectively and perform Layer-3 forwarding.
  3. Two NGFW modules form hot standby in active/standby mode. Therefore, a VRRP group needs to be configured on the upstream and downstream subinterfaces of each NGFW Module. One NGFW Module is added to an active VGMP group, and the other NGFW Module is added to a standby VGMP group.

    The virtual gateway IP addresses of the VRRP group are the gateway addresses of the downstream and upstream networks.

    Figure 2-38 provides logical networking.

    Figure 2-38  Configuring Eth-Trunk subinterfaces and VRRP on the NGFW Modules
    NOTE:

    Figure 2-38 shows only the interfaces related to the switches and NGFW Modules.

  4. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module into an Eth-Trunk 0 interface, which functions as the heartbeat interface and backup channel, and enable hot standby on it.
  5. Configure security functions, such as security policies and IPS on NGFW Module_A. NGFW Module_A will automatically synchronize its configurations to NGFW Module_B.

Procedure

  1. Complete interface and basic network configurations on NGFW Modules.

    # Configure device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname Module_A

    # Add the interfaces connecting NGFW Module_A to its connected switch to Eth-Trunk 1.

    [Module_A] interface Eth-Trunk 1
    [Module_A-Eth-Trunk1] description To_SWITCHA_trunk10
    [Module_A-Eth-Trunk1] quit
    [Module_A] interface GigabitEthernet 1/0/0
    [Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/0] quit
    [Module_A] interface GigabitEthernet 1/0/1
    [Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_A-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_A and map them to VLANs 301, 302, and 200 respectively.

    NOTE:

    In actual networking, the number of required subinterfaces depends on the number of VLANs from which packets need to be terminated.

    [Module_A] interface Eth-Trunk 1.301
    [Module_A-Eth-Trunk1.301] vlan-type dot1q 301
    [Module_A-Eth-Trunk1.301] ip address 10.1.0.1 24
    [Module_A-Eth-Trunk1.301] quit
    [Module_A] interface Eth-Trunk 1.302
    [Module_A-Eth-Trunk1.302] vlan-type dot1q 302
    [Module_A-Eth-Trunk1.302] ip address 10.2.0.1 24
    [Module_A-Eth-Trunk1.302] quit
    [Module_A] interface Eth-Trunk 1.200
    [Module_A-Eth-Trunk1.200] vlan-type dot1q 200
    [Module_A-Eth-Trunk1.200] ip address 10.3.0.1 24
    [Module_A-Eth-Trunk1.200] quit
    

    # Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [Module_A] interface Eth-Trunk 0
    [Module_A-Eth-Trunk0] description hrp_interface
    [Module_A-Eth-Trunk0] ip address 10.10.0.1 24
    [Module_A-Eth-Trunk0] quit
    [Module_A] interface GigabitEthernet 0/0/1
    [Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/1] quit
    [Module_A] interface GigabitEthernet 0/0/2
    [Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_A-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_A to security zones.

    [Module_A] firewall zone untrust
    [Module_A-zone-untrust] add interface Eth-Trunk 1.200
    [Module_A-zone-untrust] quit
    [Module_A] firewall zone dmz
    [Module_A-zone-dmz] add interface Eth-Trunk 1.302
    [Module_A-zone-dmz] quit
    [Module_A] firewall zone trust
    [Module_A-zone-trust] add interface Eth-Trunk 1.301
    [Module_A-zone-trust] quit
    [Module_A] firewall zone name hrp
    [Module_A-zone-hrp] set priority 75
    [Module_A-zone-hrp] add interface Eth-Trunk 0
    [Module_A-zone-hrp] quit

    # Configure device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname Module_B

    # Add the interfaces connecting NGFW Module_B to its connected switch to Eth-Trunk 1.

    [Module_B] interface Eth-Trunk 1
    [Module_B-Eth-Trunk1] description To_SWITCHB_trunk11
    [Module_B-Eth-Trunk1] quit
    [Module_B] interface GigabitEthernet 1/0/0
    [Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/0] quit
    [Module_B] interface GigabitEthernet 1/0/1
    [Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [Module_B-GigabitEthernet1/0/1] quit

    # Configure Eth-Trunk 1 subinterfaces on NGFW Module_B and map them to VLANs 301, 302, and 200 respectively.

    [Module_B] interface Eth-Trunk 1.301
    [Module_B-Eth-Trunk1.301] vlan-type dot1q 301
    [Module_B-Eth-Trunk1.301] ip address 10.1.0.2 24
    [Module_B-Eth-Trunk1.301] quit
    [Module_B] interface Eth-Trunk 1.302
    [Module_B-Eth-Trunk1.302] vlan-type dot1q 302
    [Module_B-Eth-Trunk1.302] ip address 10.2.0.2 24
    [Module_B-Eth-Trunk1.302] quit
    [Module_B] interface Eth-Trunk 1.200
    [Module_B-Eth-Trunk1.200] vlan-type dot1q 200
    [Module_B-Eth-Trunk1.200] ip address 10.3.0.2 24
    [Module_B-Eth-Trunk1.200] quit
    

    # Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [Module_B] interface Eth-Trunk 0
    [Module_B-Eth-Trunk0] description hrp_interface
    [Module_B-Eth-Trunk0] ip address 10.10.0.2 24
    [Module_B-Eth-Trunk0] quit
    [Module_B] interface GigabitEthernet 0/0/1
    [Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/1] quit
    [Module_B] interface GigabitEthernet 0/0/2
    [Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
    [Module_B-GigabitEthernet0/0/2] quit

    # Assign the interfaces of NGFW Module_B to security zones.

    [Module_B] firewall zone untrust
    [Module_B-zone-untrust] add interface Eth-Trunk 1.200
    [Module_B-zone-untrust] quit
    [Module_B] firewall zone dmz
    [Module_B-zone-dmz] add interface Eth-Trunk 1.302
    [Module_B-zone-dmz] quit
    [Module_B] firewall zone trust
    [Module_B-zone-trust] add interface Eth-Trunk 1.301
    [Module_B-zone-trust] quit
    [Module_B] firewall zone name hrp
    [Module_B-zone-hrp] set priority 75
    [Module_B-zone-hrp] add interface Eth-Trunk 0
    [Module_B-zone-hrp] quit

  2. On each NGFW Module, configure a default route to the Internet.

    # Default route from NGFW Module_A to the Internet

    [Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

    # Default route from NGFW Module_B to the Internet

    [Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

  3. Configure hot standby on NGFW Modules.

    # Configure VRRP groups on NGFW Module_A.

    [Module_A] interface Eth-Trunk 1.301
    [Module_A-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 active
    [Module_A-Eth-Trunk1.301] quit
    [Module_A] interface Eth-Trunk 1.302
    [Module_A-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 active
    [Module_A-Eth-Trunk1.302] quit
    [Module_A] interface Eth-Trunk 1.200
    [Module_A-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 active
    [Module_A-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_A.

    [Module_A] hrp interface Eth-Trunk 0
    [Module_A] hrp enable

    # Configure VRRP groups on NGFW Module_B.

    [Module_B] interface Eth-Trunk 1.301
    [Module_B-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 standby
    [Module_B-Eth-Trunk1.301] quit
    [Module_B] interface Eth-Trunk 1.302
    [Module_B-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 standby
    [Module_B-Eth-Trunk1.302] quit
    [Module_B] interface Eth-Trunk 1.200
    [Module_B-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 standby
    [Module_B-Eth-Trunk1.200] quit

    # Specify the heartbeat interface and enable hot standby on NGFW Module_B.

    [Module_B] hrp interface Eth-Trunk 0
    [Module_B] hrp enable
    [Module_B] hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.

    Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.

    When configuring intrusion prevention, use the default intrusion prevention profile default.

  4. Configure security services on NGFW Modules.

    # On NGFW Module_A, configure a security policy to allow intranet users to access the server zone (network segment 10.2.0.0/24).

    HRP_A[Module_A] security-policy
    HRP_A[Module_A-policy-security] rule name policy_to_server
    HRP_A[Module_A-policy-security-rule-policy_to_server] source-zone trust 
    HRP_A[Module_A-policy-security-rule-policy_to_server] destination-zone dmz
    HRP_A[Module_A-policy-security-rule-policy_to_server] destination-address 10.2.0.0 24
    HRP_A[Module_A-policy-security-rule-policy_to_server] service http ftp
    HRP_A[Module_A-policy-security-rule-policy_to_server] action permit
    HRP_A[Module_A-policy-security-rule-policy_to_server] quit
    HRP_A[Module_A-policy-security] quit
    

    # On NGFW Module_A, configure a security policy to allow intranet users to access the Internet and configure intrusion prevention.

    HRP_A[Module_A] security-policy
    HRP_A[Module_A-policy-security] rule name policy_to_wan
    HRP_A[Module_A-policy-security-rule-policy_to_wan] source-zone trust 
    HRP_A[Module_A-policy-security-rule-policy_to_wan] destination-zone untrust
    HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
    HRP_A[Module_A-policy-security-rule-policy_to_wan] service http ftp
    HRP_A[Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_A[Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_A[Module_A-policy-security-rule-policy_to_wan] quit
    HRP_A[Module_A-policy-security] quit
    

    # Configure ASPF on NGFW Module_A. FTP is used as an example.

    HRP_A[Module_A] firewall interzone trust dmz
    HRP_A[Module_A-interzone-trust-dmz] detect ftp
    HRP_A[Module_A-interzone-trust-dmz] quit
    HRP_A[Module_A] firewall interzone trust untrust
    HRP_A[Module_A-interzone-trust-untrust] detect ftp
    HRP_A[Module_A-interzone-trust-untrust] quit
    

    # Save configurations on NGFW Module_A and NGFW Module_B.

    HRP_A<Module_A> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully
    HRP_S<Module_B> save
    The current configurations will be written to the device.
    Are you sure?[Y/N] y
    Now saving the current configuration to the device......
    Info:The Current Configuration was saved to the device successfully

  5. Configure the core switches to form a CSS.
    1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
    2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.

      # Configure the CSS on SwitchA. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.

      <Huawei> system-view
      [Huawei] sysname SwitchA
      [SwitchA] set css mode css-card                //Set the CSS connection mode. The default mode is CSS card connection mode.
      [SwitchA] set css id 1                          //Set the CSS ID. The default value is 1.
      [SwitchA] set css priority 100                 //Set the CSS priority. The default value is 1.
      

      # Configure the CSS on SwitchB. In the example, the CSS connection mode is CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.

      <Huawei> system-view
      [Huawei] sysname SwitchB
      [SwitchB] set css mode css-card
      [SwitchB] set css id 2
      [SwitchB] set css priority 10
      

    3. Enable the CSS function.

      # To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.

      [SwitchA] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable CSS on SwitchB and then restart SwitchB.

      [SwitchB] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    4. Check whether the CSS is established.

      # Log in to the CSS from the console port of any MPU and run the following command to view the CSS status.

      <SwitchA> display css status
      CSS Enable switch On                                                            
                                                                                      
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force  
      ------------------------------------------------------------------------------  
      1            On           Master          CSS card    100         Off           
      2            On           Standby         CSS card    10          Off           

      If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two member switches are displayed, as shown in the preceding information, the CSS has been established.

      You are advised to configure MAD to minimize the impact of a CSS split on services. Detailed configurations will not be described here.

    5. Rename the cluster system to CSS.

      <SwitchA> system-view
      [SwitchA] sysname CSS
      [CSS]

  6. Configure switch interfaces.
    1. Create VLANs.

      [CSS] vlan batch 200 301 to 302

    2. Add the switch interfaces connected to NGFW Module_A to Eth-Trunk 10.

      [CSS] interface eth-trunk 10
      [CSS-Eth-Trunk10] description To_Module_A
      [CSS-Eth-Trunk10] port link-type trunk
      [CSS-Eth-Trunk10] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1
      [CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302       //Direct traffic from different VLANs to the NGFW Module.
      [CSS-Eth-Trunk10] quit
      

    3. Add the switch interfaces connected to NGFW Module_B to Eth-Trunk 11.

      [CSS] interface eth-trunk 11
      [CSS-Eth-Trunk11] description To_Module_B
      [CSS-Eth-Trunk11] port link-type trunk
      [CSS-Eth-Trunk11] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1
      [CSS-Eth-Trunk11] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk11] port trunk allow-pass vlan 200 301 to 302      //Direct traffic from different VLANs to the NGFW Module.
      [CSS-Eth-Trunk11] quit
      

    4. Configure Eth-Trunk 2, which connects to the intranet user switch. Adding member interfaces to Eth-Trunk 2 is not described here.

      [CSS] interface eth-trunk 2
      [CSS-Eth-Trunk2] port link-type trunk
      [CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk2] port trunk allow-pass vlan 301      
      [CSS-Eth-Trunk2] quit

    5. Configure Eth-Trunk 3, which connects to the server switch. Adding member interfaces to Eth-Trunk 3 is not described here.

      [CSS] interface eth-trunk 3
      [CSS-Eth-Trunk3] port link-type trunk
      [CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk3] port trunk allow-pass vlan 302      
      [CSS-Eth-Trunk3] quit

    6. Configure Eth-Trunk 5, which connects to the egress router. Adding member interfaces to Eth-Trunk 5 is not described here.

      [CSS] interface eth-trunk 5
      [CSS-Eth-Trunk5] port link-type access
      [CSS-Eth-Trunk5] port default vlan 200
      [CSS-Eth-Trunk5] quit

  7. Configure upstream and downstream devices.
    1. Configure the upstream interface Eth-Trunk 2 on the intranet switch to work in trunk mode and allow traffic from VLAN 301 to pass.
    2. Configure the upstream interface Eth-Trunk 3 on the server switch to work in trunk mode and allow traffic from VLAN 302 to pass.
    3. Set the gateway address of intranet PCs to the virtual IP address (10.1.0.3) of the VRRP group to which Eth-Trunk 1.301 belongs.
    4. Set the gateway address of servers to the virtual IP address (10.2.0.3) of the VRRP group to which Eth-Trunk 1.302 belongs.
    5. The next-hop address of the route from the egress router to the intranet is the virtual IP address (10.3.0.3) of the VRRP group to which Eth-Trunk 1.200 belongs.
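
The procedure above spreads one design across three devices: the VLANs terminated on each module's Eth-Trunk 1 subinterfaces must be exactly the VLANs the CSS allows on Eth-Trunk 10 and Eth-Trunk 11, and every VRRP group must exist on both modules with the same vrid, virtual IP and VLAN but opposite roles. These are the settings the procedure configures separately on each module and on the switch, so nothing synchronizes them. The Python checker below is an added example, not Huawei code or part of this guide: it parses VRP-style configuration text and reports such mismatches. The embedded configurations are constructed, trimmed copies of the scripts in this example (two of the three subinterfaces are kept), and the trunk names default to the Eth-Trunk 10/11 used above.

```python
"""Consistency checks for an NGFW Module HRP pair and the CSS trunks feeding it. Added
example, not Huawei code: it parses VRP-style config text and flags mismatches."""
import re

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")

# Constructed configs trimmed to the lines the checks use; n=1 builds Module_A, n=2 Module_B.
MODULE_TMPL = """\
 hrp enable
 hrp interface Eth-Trunk0
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.{n} 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 {role}
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.{n} 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 {role}
#
"""
MODULE_A = MODULE_TMPL.format(n=1, role="active")
MODULE_B = MODULE_TMPL.format(n=2, role="standby")
CSS = """\
interface Eth-Trunk10
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
"""

def expand_vlans(spec: str) -> set:
    """'200 301 to 302' -> {200, 301, 302}."""
    out = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        out |= set(range(int(lo), int(hi or lo) + 1))
    return out

def parse_module(cfg: str) -> dict:
    """Collect the heartbeat interface and each subinterface's VLAN, IP, vrid, VIP and role."""
    info, cur = {"hrp": None, "subif": {}}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "#":
            cur = None
        elif line.startswith("hrp interface "):
            info["hrp"] = line.split()[2]
        elif line.startswith("interface "):
            cur = line.split()[1]; info["subif"][cur] = {}
        elif cur and line.startswith("vlan-type dot1q "):
            info["subif"][cur]["vlan"] = int(line.split()[2])
        elif cur and line.startswith("ip address "):
            info["subif"][cur]["ip"] = line.split()[2]
        elif cur and (m := VRRP_RE.match(line)):
            info["subif"][cur].update(vrid=int(m[1]), vip=m[2], role=m[3])
    return info

def parse_trunks(cfg: str) -> dict:
    """Switch Eth-Trunk -> allowed VLAN set and whether VLAN 1 still passes."""
    trunks, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface Eth-Trunk"):
            cur = line.split()[1]; trunks[cur] = {"vlans": set(), "vlan1": True}
        elif cur and line == "undo port trunk allow-pass vlan 1":
            trunks[cur]["vlan1"] = False
        elif cur and line.startswith("port trunk allow-pass vlan "):
            trunks[cur]["vlans"] |= expand_vlans(line.split(None, 4)[4])
    return trunks

def check_pair(cfg_a: str, cfg_b: str, css: str, trunk_a="Eth-Trunk10", trunk_b="Eth-Trunk11") -> list:
    """Return findings; an empty list means the two modules and the switch trunks agree."""
    a, b, trunks, out = parse_module(cfg_a), parse_module(cfg_b), parse_trunks(css), []
    if not a["hrp"] or a["hrp"] != b["hrp"]:
        out.append(f"heartbeat interface mismatch: {a['hrp']} vs {b['hrp']}")
    va, vb = ({k: v for k, v in m["subif"].items() if "vrid" in v} for m in (a, b))
    for name in sorted(set(va) | set(vb)):
        if name not in va or name not in vb:
            out.append(f"{name}: VRRP group exists on one module only"); continue
        x, y = va[name], vb[name]
        if (x["vlan"], x["vrid"], x["vip"]) != (y["vlan"], y["vrid"], y["vip"]):
            out.append(f"{name}: VLAN/vrid/virtual-ip differ between modules")
        if {x["role"], y["role"]} != {"active", "standby"}:
            out.append(f"{name}: roles {x['role']}/{y['role']}, need one active and one standby")
        if len({x["ip"], y["ip"], x["vip"]}) != 3:
            out.append(f"{name}: real addresses and virtual IP must be three distinct addresses")
    for label, info, trunk in (("Module_A", a, trunk_a), ("Module_B", b, trunk_b)):
        t = trunks.get(trunk)
        if t is None:
            out.append(f"{trunk} missing from CSS config"); continue
        missing = {v["vlan"] for v in info["subif"].values() if "vlan" in v} - t["vlans"]
        if missing:
            out.append(f"{label}: VLANs {sorted(missing)} terminated but not allowed on {trunk}")
        if t["vlan1"]:
            out.append(f"{trunk}: VLAN 1 still allowed toward {label}")
    return out
```

Run check_pair on the saved configuration of both modules and of the CSS; an empty list means the pair agrees. It deliberately does not inspect the security policy, which HRP copies from the active module; the point is the per-device settings (subinterface addresses, VRRP roles, switch trunk membership, and the removal of VLAN 1 from the trunks toward the modules) that a typo on one device silently breaks.
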

Verification

  1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.

    HRP_A[Module_A] display hrp state
     The firewall's config state is: ACTIVE                                         
                                                                                    
     Backup channel usage: 0.01%                                                    
     Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes             
     Current state of virtual routers configured as active:                         
                       Eth-Trunk1.200    vrid   3 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                       Eth-Trunk1.302    vrid   2 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up  
                       Eth-Trunk1.301    vrid   1 : active
               (GigabitEthernet1/0/0)             : up  
               (GigabitEthernet1/0/1)             : up
    
  2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

    According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.

  3. Check whether the access from users in the intranet to servers succeeds and check the session table of each NGFW Module.

    HRP_A[Module_A] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public 10.1.0.10:22048 --> 10.2.0.8:80
    HRP_S[Module_B] display firewall session table
    Current Total Sessions : 1
      http  VPN: public --> public Remote 10.1.0.10:22048 --> 10.2.0.8:80
    
  4. Configure a PC in the Trust zone to ping the public address continuously, and run the shutdown command on Eth-Trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of lost ping packets. If the switchover is normal, NGFW Module_B becomes the active device and carries services: the command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the network environment), are lost.

    Run the undo shutdown command on Eth-Trunk1 of NGFW Module_A and again check the status switchover and the lost ping packets. If the switchover is normal, NGFW Module_A becomes the active device and starts to carry services after the preemption delay (60s by default) expires: the command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the network environment), are lost.
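
The verification steps above rely on reading two command outputs by eye. The Python helpers below are an added example, not Huawei code or part of this guide: they parse display hrp state and display firewall session table output in the layout shown above and turn the checks into assertions (config state as expected, every VRRP group in the expected state with all member ports up, and every session owned by the active module present as a Remote entry on the standby). The embedded outputs are constructed in the page's format, not captured from a device; one member port is deliberately down and one session deliberately has no backup copy. The standby module's output is assumed to use the same layout with STANDBY/standby in place of ACTIVE/active.

```python
"""Checks on the 'display hrp state' and 'display firewall session table' output shown
above. Added example, not Huawei code: the sample outputs are constructed in the page's
format (not captured from a device) and the parsers assume that layout."""
import re

HRP_STATE_RE = re.compile(r"config state is:\s*(\w+)")
VRRP_LINE_RE = re.compile(r"^\s*(\S+)\s+vrid\s+(\d+)\s*:\s*(\w+)")
MEMBER_RE = re.compile(r"^\s*\((\S+)\)\s*:\s*(\w+)")
SESSION_RE = re.compile(
    r"^\s*(\S+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+(Remote\s+)?"
    r"(\S+?):(\d+)\s*-->\s*(\S+?):(\d+)(?:\[(\S+?):(\d+)\])?")

# Constructed samples: one member port is down and one session has no backup copy.
HRP_STATE_A = """\
 The firewall's config state is: ACTIVE
 Backup channel usage: 0.01%
 Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
 Current state of virtual routers configured as active:
                   Eth-Trunk1.200    vrid   3 : active
           (GigabitEthernet1/0/0)             : up
           (GigabitEthernet1/0/1)             : down
                   Eth-Trunk1.301    vrid   1 : active
           (GigabitEthernet1/0/0)             : up
           (GigabitEthernet1/0/1)             : up
"""
SESSIONS_A = """\
Current Total Sessions : 2
  http  VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
  ftp   VPN: public --> public 10.1.0.11:40001 --> 10.2.0.8:21
"""
SESSIONS_B = """\
Current Total Sessions : 1
  http  VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80
"""

def parse_hrp_state(text: str) -> dict:
    """Config state plus, per VRRP group, its state and the link state of each member port."""
    result, cur = {"config_state": None, "groups": {}}, None
    for line in text.splitlines():
        if (m := HRP_STATE_RE.search(line)):
            result["config_state"] = m[1].upper()
        elif (m := VRRP_LINE_RE.match(line)):
            cur = m[1]
            result["groups"][cur] = {"vrid": int(m[2]), "state": m[3].lower(), "members": {}}
        elif cur and (m := MEMBER_RE.match(line)):
            result["groups"][cur]["members"][m[1]] = m[2].lower()
    return result

def hrp_problems(text: str, expected: str) -> list:
    """Findings for a module expected to be 'ACTIVE' or 'STANDBY'; empty means healthy."""
    st, want, out = parse_hrp_state(text), expected.lower(), []
    if st["config_state"] != expected.upper():
        out.append(f"config state is {st['config_state']}, expected {expected.upper()}")
    for name, g in st["groups"].items():
        if g["state"] != want:
            out.append(f"{name} vrid {g['vrid']} is {g['state']}, expected {want}")
        out += [f"{name}: member {p} is {s}" for p, s in g["members"].items() if s != "up"]
    return out

def parse_sessions(text: str) -> list:
    """Session table lines as dicts; 'remote' marks entries backed up from the peer."""
    out = []
    for line in text.splitlines():
        if (m := SESSION_RE.match(line)):
            out.append({"proto": m[1], "remote": bool(m[4]),
                        "flow": (m[5], int(m[6]), m[7], int(m[8])),
                        "nat_inside": (m[9], int(m[10])) if m[9] else None})
    return out

def unsynced_sessions(active_text: str, standby_text: str) -> list:
    """Sessions the active module owns that the standby holds no Remote copy of."""
    backed_up = {s["flow"] for s in parse_sessions(standby_text) if s["remote"]}
    return [s for s in parse_sessions(active_text) if not s["remote"] and s["flow"] not in backed_up]
```

Run hrp_problems with "ACTIVE" against the output of NGFW Module_A and with "STANDBY" against NGFW Module_B. Before the shutdown test in step 4, unsynced_sessions should return an empty list; any flow it lists has no state on the standby and will be cut when NGFW Module_B takes over, which is exactly what the ping test would show as lost packets.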

Configuration Scripts

Configuration scripts of the NGFW Modules:

NGFW Module_A:
#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0 
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHA_trunk10
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 active
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5   
 add interface Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
# 
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
# 
 firewall interzone trust untrust
  detect ftp
# 
firewall interzone trust dmz
  detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit    
#
return

NGFW Module_B:
#
 sysname Module_B
#
 hrp enable
 hrp interface Eth-Trunk0 
 hrp standby-device  //This command is required only in versions earlier than V100R001C30SPC300.
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHB_trunk11
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 standby
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5 
 add interface Eth-Trunk1.200
#
firewall zone dmz  
 set priority 50   
 add interface Eth-Trunk1.302
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
# 
firewall interzone trust untrust
  detect ftp
#
firewall interzone trust dmz
 detect ftp
#
 ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#    
security-policy  
 rule name policy_to_server
  source-zone trust  
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit   
 rule name policy_to_wan
  source-zone trust  
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit   
# 
return

Configuration script of CSS:

# ----CSS configuration----
vlan batch 200 301 to 302
#
interface Eth-Trunk2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 301
#
interface Eth-Trunk3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 302
#
interface Eth-Trunk5
 port link-type access
 port default vlan 200
#
interface Eth-Trunk10
 description To_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
 description To_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200 301 to 302
#
interface XGigabitEthernet1/1/0/0
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/0
 eth-trunk 11
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 11
#
return

Updated: 2019-04-20

Document ID: EDOC1000069520