Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Two S12700s are deployed on a network shown in Figure 3-318. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules and NGFW modules work at Layer 2. That is, they access the network transparently.

The customer has the following requirements:

The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 3-319 shows the flow directions.

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 3-318 Deploying IPS module and NGFW module on a Layer 2 dual-node system and importing flows through redirection

Figure 3-319 Flow direction

Data Plan

Table 3-208, Table 3-209, and Table 3-210 provide the data plan.

Table 3-208 Data plan for link aggregation

Device	Interface Number	Interface Description	Member Interface
S12700 cluster	Eth-trunk100	Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet	XGE1/5/0/0
			XGE1/5/0/1
			XGE2/5/0/0
			XGE2/5/0/1
	Eth-trunk101	Connected to NGFW Module_A and NGFW Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet	XGE1/4/0/0
			XGE1/4/0/1
			XGE2/4/0/0
			XGE2/4/0/1
NGFW Module_A	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
NGFW Module_B	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
IPS Module_A	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
IPS Module_B	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2

Table 3-209 VLAN plan

Data	Remarks
100, 300	Server VLANs
101 to 126	Client VLANs
2001	Extranet VLAN

Table 3-210 IP address plan

Device	Data	Remarks
S12700 cluster	VLANIF 100: 10.55.0.1/24 VLANIF 300: 10.55.200.1/24	Server-side gateway
	VLANIF 101: 10.55.1.1/24 VLANIF 102: 10.55.2.1/24 ... VLANIF 126: 10.55.26.1/24	Client-side gateway
	VLANIF 2001: 10.54.1.253/29	Extranet gateway
IPS Module_A	Eth-trunk 0: 192.168.213.5/30	HRP interface
IPS Module_B	Eth-trunk 0: 192.168.213.6/30
NGFW Module_A	Eth-trunk 0: 192.168.213.1/30
NGFW Module_B	Eth-trunk 0: 192.168.213.2/30

Configuration Roadmap

Configure interfaces on NGFW Module_A and NGFW Module_B and set basic parameters.
Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby system working in load balancing mode.
Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
Configure the two S12700s as a cluster.
Implement connectivity between S12700 cluster, NGFW modules, and IPS modules.
Configure a traffic policy on the S12700 cluster and apply the policy to interfaces to implement redirection.

Procedure

Configure interfaces on NGFW modules and set basic parameters.

# Log in to the CLI of NGFW Module_A from Switch_A.

<sysname> connect slot 4

To return to the CLI of the switch, press Ctrl+D.

# Set the device name on NGFW Module_A.

<sysname> system-view
[sysname] sysname NGFW Module_A

# Create VLANs on NGFW Module_A.

[NGFW Module_A] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from upstream and downstream VLANs to pass.

[NGFW Module_A] interface Eth-Trunk 1
[NGFW Module_A-Eth-Trunk1] description To-master-trunk101
[NGFW Module_A-Eth-Trunk1] portswitch
[NGFW Module_A-Eth-Trunk1] port link-type trunk
[NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_A-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

[NGFW Module_A] interface GigabitEthernet 1/0/0
[NGFW Module_A-GigabitEthernet1/0/0] portswitch
[NGFW Module_A-GigabitEthernet1/0/0] port link-type access
[NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/0] quit
[NGFW Module_A] interface GigabitEthernet 1/0/1
[NGFW Module_A-GigabitEthernet1/0/1] portswitch
[NGFW Module_A-GigabitEthernet1/0/1] port link-type access
[NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_A.

[NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

[NGFW Module_A] interface Eth-Trunk 0
[NGFW Module_A-Eth-Trunk0] description hrp-interface
[NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
[NGFW Module_A-Eth-Trunk0] quit
[NGFW Module_A] interface GigabitEthernet 0/0/1
[NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/1] quit
[NGFW Module_A] interface GigabitEthernet 0/0/2
[NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_A to the security zone.

[NGFW Module_A] firewall zone trust
[NGFW Module_A-zone-trust] set priority 85
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1
[NGFW Module_A-zone-trust] quit
[NGFW Module_A] firewall zone name hrp
[NGFW Module_A-zone-hrp] set priority 75
[NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_A-zone-hrp] quit

# Log in to the CLI of NGFW Module_B from Switch_B.

<sysname> connect slot 4

# Set the device name on NGFW Module_B.

<sysname> system-view
[sysname] sysname NGFW Module_B

# Create VLANs on NGFW Module_B.

[NGFW Module_B] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_B, switch to the interface pair mode, and allow the packets from upstream and downstream VLANs to pass.

[NGFW Module_B] interface Eth-Trunk 1
[NGFW Module_B-Eth-Trunk1] description To-master-trunk101
[NGFW Module_B-Eth-Trunk1] portswitch
[NGFW Module_B-Eth-Trunk1] port link-type trunk
[NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_B-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

[NGFW Module_B] interface GigabitEthernet 1/0/0
[NGFW Module_B-GigabitEthernet1/0/0] portswitch
[NGFW Module_B-GigabitEthernet1/0/0] port link-type access
[NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/0] quit
[NGFW Module_B] interface GigabitEthernet 1/0/1
[NGFW Module_B-GigabitEthernet1/0/1] portswitch
[NGFW Module_B-GigabitEthernet1/0/1] port link-type access
[NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_B.

[NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

[NGFW Module_B] interface Eth-Trunk 0
[NGFW Module_B-Eth-Trunk0] description hrp-interface
[NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
[NGFW Module_B-Eth-Trunk0] quit
[NGFW Module_B] interface GigabitEthernet 0/0/1
[NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/1] quit
[NGFW Module_B] interface GigabitEthernet 0/0/2
[NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_B to the security zone.

[NGFW Module_B] firewall zone trust
[NGFW Module_B-zone-trust] set priority 85
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1
[NGFW Module_B-zone-trust] quit
[NGFW Module_B] firewall zone name hrp
[NGFW Module_B-zone-hrp] set priority 75
[NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_B-zone-hrp] quit

Configure hot standby for NGFW modules.

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

[NGFW Module_A] hrp mirror session enable
[NGFW Module_A] hrp interface Eth-Trunk 0
[NGFW Module_A] hrp loadbalance-device
[NGFW Module_A] hrp enable

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

[NGFW Module_B] hrp mirror session enable
[NGFW Module_B] hrp interface Eth-Trunk 0
[NGFW Module_B] hrp loadbalance-device
[NGFW Module_B] hrp enable

Configure the security service on the NGFW modules.

After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

HRP_M[NGFW Module_A] security-policy
HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside
HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet
HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] profile ips default
HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] action permit
HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] quit
HRP_M[NGFW Module_A-policy-security] quit

Configure interfaces on IPS modules and set basic parameters.
1. Log in to the web UI through an Ethernet interface.
  1. Set up a physical connection between the management PC and an IPS module.
  2. Open the browser on the management PC and access https://192.168.0.1:8443.
  3. Enter the default username and password of the system administrator and click Login.
    The default username and password are available in HUAWEI Security Products Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
  4. Change the password, click OK, and enter the web system.
2. Choose Network > Interface, click of interface GE1/0/0 and set the connection type of GE1/0/0 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
3. Click of interface GE1/0/1 and set the connection type of GE1/0/1 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
4. Click Add, and configure Eth-Trunk 1.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
5. Choose Network > Interface Pair, click Add, and configure an interface pair.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.
  - The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
  - The Eth-Trunk member interfaces on the IPS Modules must be the same.
  Configure a heartbeat interface on one IPS Module.
  
  Configure a heartbeat interface on the other IPS Module.
7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
Configure the IPS security service, for example, antivirus.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.
1. Choose Object > Security Profiles > Anti-Virus.
2. Click Add and set the parameters as follows:
3. Click OK.
4. Repeat the previous steps to set the parameters of AV_ftp profile.
Configure a security policy for the outbound direction.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
1. Choose Policy > Security Policy.
2. Click Add.
3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:
  
  Name
  
  policy_av_1
  
  Description
  
  Intranet-User
  
  Interface Pair
  
  Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
  
  Action
  
  permit
  
  Content Security
  
  Anti-Virus
  
  AV_http_pop3
Configure the security policy in the direction from the external to internal servers.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.

Name

policy_av_2

Description

Intranet-Server

Interface Pair

Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.

Action

permit

Content Security

Anti-Virus

AV_ftp
Configure the two S12700s as a cluster.
1. Connect cluster cables. For details, see Switch Cluster Setup Guide.
  
  Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.
  
  # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.
```
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] set css priority 100
```
  # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
```
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] set css id 2
[Switch_B] set css priority 10
```
  # Check the cluster configuration.
  
  Run the display css status saved command to check whether the configurations are as expected.
  
  Check the cluster configuration on Switch_A.
```
[Switch_A] display css status saved 
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
------------------------------------------------------------------------------   
1            1            Off          CSS card    100         Off             
  
```
  Check the cluster configuration on Switch_B.
```
[Switch_B] display css status saved 
Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force      
------------------------------------------------------------------------------   
1            2            Off          CSS card    10          Off              
```
2. Enable the cluster function.
  
  # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.
```
[Switch_A] css enable 
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
  # Enable the cluster function on Switch_B and restart Switch_B.
```
[Switch_B] css enable 
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
3. Check whether the cluster is set up successfully.
  
  # View the indicator status.
  
  The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.
  
  The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.
  
  # Log in to the cluster through the console port on any MPU to check the cluster status.
```
[Switch_A] display css status
CSS Enable switch On
                                                                                  
Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force   
------------------------------------------------------------------------------   
1            On           Master          CSS card    100         Off            
2            On           Standby         CSS card    10          Off           
```
  The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.
  
  # Check whether cluster links work normally.
```
[Switch_A] display css channel
```
  The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.
4. Set the cluster system name to CSS.
```
[Switch_A] sysname CSS
[CSS]
```

Name	policy_av_1
Description	Intranet-User
Interface Pair	Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_http_pop3

Name	policy_av_2
Description	Intranet-Server
Interface Pair	Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_ftp

Configure the interfaces and VLAN IDs on switches.

Create VLANs.

[CSS] vlan batch 100 to 126 128 300 2001

Configure upstream and downstream interfaces.

[CSS] interface GigabitEthernet 1/6/0/36  //Connected to server
[CSS-GigabitEthernet1/6/0/36] port link-type trunk
[CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0  //Connected to extranet
[CSS-GigabitEthernet2/3/0/0] port link-type trunk
[CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36  //Connected to client
[CSS-GigabitEthernet2/3/0/36] port link-type trunk
[CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
[CSS-GigabitEthernet2/3/0/36] quit

Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.

[CSS] interface vlanif 2001
[CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
[CSS-Vlanif2001] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
[CSS-Vlanif100] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
[CSS-Vlanif300] quit
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
[CSS-Vlanif102] quit
[CSS] interface vlanif 126
[CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
[CSS-Vlanif126] quit

Add the four interfaces connected to the NGFW module to Eth-Trunk 101 and the four interfaces connected to the IPS module to Eth-Trunk 100.

[CSS] interface eth-trunk 101
[CSS-Eth-Trunk101] description to-ngfw
[CSS-Eth-Trunk101] port link-type trunk
[CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
[CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
[CSS-Eth-Trunk101] mac-address learning disable
[CSS-Eth-Trunk101] stp disable
[CSS-Eth-Trunk101] quit
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] description to-ips
[CSS-Eth-Trunk100] port link-type trunk
[CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
[CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
[CSS-Eth-Trunk100] mac-address learning disable
[CSS-Eth-Trunk100] stp disable
[CSS-Eth-Trunk100] quit

Set the load balancing mode on Eth-Trunks.

[CSS] load-balance-profile sec
[CSS-load-balance-profile-sec] ipv4 field sip dip
[CSS-load-balance-profile-sec] quit
[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] load-balance enhanced profile sec
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] load-balance enhanced profile sec
[CSS-Eth-Trunk100] quit

Configure port isolation on the interfaces between the NGFW/IPS module and switches.

[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] port-isolate enable group 1
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] port-isolate enable group 1
[CSS-Eth-Trunk100] quit

Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/36] quit

Configure traffic policies and bind them to interfaces to implement redirection.

# Create ACLs.

[CSS] acl 3010  //Match the flows sent from clients
[CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
[CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
[CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
[CSS-acl-adv-3010] quit
[CSS] acl 3011  //Match the flows destined for clients
[CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3011] quit
[CSS] acl 3020  //Match the flows sent from servers
[CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
[CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
[CSS-acl-adv-3020] quit
[CSS] acl 3021  //Match the flows destined for servers
[CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3021] quit
[CSS] acl 3012  //Match inter-client flows within a subnet
[CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3012] quit
[CSS] acl 3022  //Match inter-server flows within a subnet
[CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3022] quit

# Configure traffic classifiers.

[CSS] traffic classifier from-office operator or precedence 80
[CSS-classifier-from-office] if-match acl 3010
[CSS-classifier-from-office] quit
[CSS] traffic classifier to-office operator or precedence 85
[CSS-classifier-to-office] if-match acl 3011
[CSS-classifier-to-office] quit
[CSS] traffic classifier from-server operator or precedence 75
[CSS-classifier-from-server] if-match acl 3020
[CSS-classifier-from-server] quit
[CSS] traffic classifier to-server operator or precedence 60
[CSS-classifier-to-server] if-match acl 3021
[CSS-classifier-to-server] quit
[CSS] traffic classifier office-office operator or precedence 40
[CSS-classifier-office-office] if-match acl 3012
[CSS-classifier-office-office] quit
[CSS] traffic classifier server-server operator or precedence 65
[CSS-classifier-server-server] if-match acl 3022
[CSS-classifier-server-server] quit

# Configure traffic behaviors.

[CSS] traffic behavior behavior1
[CSS-behavior-behavior1] permit
[CSS-behavior-behavior1] quit
[CSS] traffic behavior to-eth-trunk100
[CSS-behavior-to-eth-trunk100] permit
[CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100
[CSS-behavior-to-eth-trunk100] quit
[CSS] traffic behavior to-eth-trunk101
[CSS-behavior-to-eth-trunk101] permit
[CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101
[CSS-behavior-to-eth-trunk101] quit

# Bind traffic policies to interfaces.

[CSS] traffic policy ips-to-fw match-order config
[CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS module to the NGFW module
[CSS-Eth-Trunk100] quit
[CSS] traffic policy internet-in match-order config
[CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
[CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module
[CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101  //Redirect the flows from extranet to clients to the NGFW module
[CSS-trafficpolicy-internet-in] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] traffic policy office-out match-order config
[CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet
[CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module
[CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
[CSS-trafficpolicy-office-out] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
[CSS-GigabitEthernet2/3/0/36] quit
[CSS] traffic policy server-out match-order config
[CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet
[CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
[CSS-trafficpolicy-server-out] quit
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
[CSS-GigabitEthernet1/6/0/36] quit

Verify the configuration.

# Check the configuration of S12700 cluster.

[CSS] display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub   Type            Online    Power      Register       Status     Role
----------  ------------   ---------------------------------------------------------
4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
      1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
PWR1  -     -               Present   PowerOn    Registered     Normal     NA
CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave
CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
FAN1  -     -               Present   PowerOn    Registered     Normal     NA
FAN2  -     -               Present   PowerOn    Registered     Normal     NA
FAN3  -     -               Present   PowerOn    Registered     Normal     NA
FAN4  -     -               Present   PowerOn    Registered     Normal     NA
Chassis 2   (Standby Switch)
S12712's D  evice status   :
Slot  Sub   Type            Online    Power      Register       Status     Role
----------  ------------   ---------------------------------------------------------
3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
      1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
PWR1  -     -               Present   PowerOn    Registered     Normal     NA
PWR2  -     -               Present   PowerOn    Registered     Normal     NA
CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
FAN1  -     -               Present   PowerOn    Registered     Normal     NA
FAN2  -     -               Present   PowerOn    Registered     Normal     NA
FAN3  -     -               Present   PowerOn    Registered     Normal     NA
FAN4  -     -               Present   PowerOn    Registered     Normal     NA
FAN5  -     -               Present   PowerOn    Registered     Normal     NA

# Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.

[IPS Module] display interface brief | include up
2016/5/31 10:49
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/2      up    up          0%     0%                 0                 0
Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
NULL0                       up    up(s)       0%     0%                 0                 0

[NGFW Module_B] display interface brief | include up
10:56:34  2016/05/31
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
  GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
  GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
NULL0                       up    up(s)       0%     0%                 0                 0

# Check traffic statistics on interfaces.

The traffic statistics between clients and servers are correct.

[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up        0.15%  0.15%          0          0
  XGigabitEthernet1/5/0/0   up    up        0.60%     0%          0          0
  XGigabitEthernet1/5/0/1   up    up           0%  0.60%          0          0
  XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
Eth-Trunk101                up    up        0.15%  0.15%          0          0
  XGigabitEthernet1/4/0/0   up    up        0.60%     0%          0          0
  XGigabitEthernet1/4/0/1   up    up           0%  0.60%          0          0
  XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif100                   up    up           --     --          0          0
Vlanif101                   up    up           --     --          0          0
Vlanif102                   up    up           --     --          0          0
Vlanif126                   up    up           --     --          0          0
Vlanif128                   up    up           --     --          0          0
Vlanif300                   up    up           --     --          0          0
Vlanif2001                  up    up           --     --          0          0

The traffic statistics between clients and extranet are correct.

[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up           0%     0%          0          0
  XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0
  XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
  XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
Eth-Trunk101                up    up        0.12%  0.12%          0          0
  XGigabitEthernet1/4/0/0   up    up           0%     0%          0          0
  XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/0   up    up           0%  0.33%          0          0
  XGigabitEthernet2/4/0/1   up    up        0.50%  0.17%          0          0
Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif100                   up    up           --     --          0          0
Vlanif101                   up    up           --     --          0          0
Vlanif102                   up    up           --     --          0          0
Vlanif126                   up    up           --     --          0          0
Vlanif300                   up    up           --     --          0          0
Vlanif2001                  up    up           --     --          0          0

The traffic statistics between servers and extranet are correct.

[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up        0.13%  0.13%          0          0
  XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
  XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
  XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
Eth-Trunk101                up    up        0.13%  0.13%          0          0
  XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
  XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif100                   up    up           --     --          0          0
Vlanif101                   up    up           --     --          0          0
Vlanif102                   up    up           --     --          0          0
Vlanif126                   up    up           --     --          0          0
Vlanif300                   up    up           --     --          0          0
Vlanif2001                  up    up           --     --          0          0

Configuration Files

NGFW module configuration files

NGFW Module_A	NGFW Module_B
# sysname NGFW Module_A # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.1 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk101 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # return	# sysname NGFW Module_B # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.2 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk101 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # return

NGFW Module_A

NGFW Module_B

#
sysname NGFW Module_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.1 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk101
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
return

#
sysname NGFW Module_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.2 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk101
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
return

IPS module configuration files

IPS Module_A	IPS Module_B
# sysname IPS Module_A # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.5 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return	# sysname IPS Module_B # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.6 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return

IPS Module_A

IPS Module_B

#
sysname IPS Module_A
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3   
 description http-pop3     
 http-detect direction download     
 undo ftp-detect      
 undo smtp-detect        
 pop3-detect action delete-attachment  
 undo imap-detect   
 undo nfs-detect 
 undo smb-detect  
 exception application name Netease_Webmail action allow   
 exception av-signature-id 1000  
profile type av name AV_ftp  
 description ftp   
 undo http-detect  
 ftp-detect direction upload
 undo smtp-detect  
 undo pop3-detect     
 undo imap-detect    
 undo nfs-detect  
 undo smb-detect  
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return

#
sysname IPS Module_B
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.6 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3   
 description http-pop3     
 http-detect direction download     
 undo ftp-detect      
 undo smtp-detect        
 pop3-detect action delete-attachment  
 undo imap-detect   
 undo nfs-detect 
 undo smb-detect  
 exception application name Netease_Webmail action allow   
 exception av-signature-id 1000  
profile type av name AV_ftp  
 description ftp   
 undo http-detect  
 ftp-detect direction upload
 undo smtp-detect  
 undo pop3-detect     
 undo imap-detect    
 undo nfs-detect  
 undo smb-detect  
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return

CSS configuration file

#
sysname CSS
#
vlan batch 100 to 126 128 300 2001
#
acl number 3010
 rule 5 permit ip source 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3011
 rule 5 permit ip destination 10.55.1.0 0.0.0.255
 rule 10 permit ip destination 10.55.2.0 0.0.0.255
 rule 15 permit ip destination 10.55.26.0 0.0.0.255
acl number 3012
 rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3020
 rule 5 permit ip source 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255
acl number 3021
 rule 5 permit ip destination 10.55.0.0 0.0.0.255
 rule 10 permit ip destination 10.55.200.0 0.0.0.255
acl number 3022
 rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
#
traffic classifier office-office operator or precedence 40
 if-match acl 3012
traffic classifier from-office operator or precedence 80
 if-match acl 3010
traffic classifier from-server operator or precedence 75
 if-match acl 3020
traffic classifier server-server operator or precedence 65
if-match acl 3022
traffic classifier to-office operator or precedence 85
 if-match acl 3011
traffic classifier to-server operator or precedence 60
 if-match acl 3021
#
traffic behavior behavior1
 permit
traffic behavior to-eth-trunk100
 permit
 redirect interface Eth-Trunk100
traffic behavior to-eth-trunk101
 permit
 redirect interface Eth-Trunk101
#
traffic policy office-out match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier from-office behavior to-eth-trunk101
traffic policy internet-in match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier to-office behavior to-eth-trunk101
traffic policy ips-to-fw match-order config
 classifier to-server behavior to-eth-trunk101
 classifier from-server behavior to-eth-trunk101
traffic policy server-out match-order config
 classifier server-server behavior behavior1
 classifier from-server behavior to-eth-trunk100
#
interface Vlanif100
 ip address 10.55.0.1 255.255.255.0
#
interface Vlanif101
 ip address 10.55.1.1 255.255.255.0
#
interface Vlanif102
 ip address 10.55.2.1 255.255.255.0
#
interface Vlanif300
 ip address 10.55.200.1 255.255.255.0
#
interface Vlanif2001
 ip address 10.54.1.253 255.255.255.248
#
load-balance-profile sec
#
interface Eth-Trunk100
 description to-ips
 port link-type trunk
 mac-address learning disable
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 126 300 2001
 stp disable
 traffic-policy ips-to-fw inbound
 load-balance enhanced profile sec
 port-isolate enable group 1
#
interface Eth-Trunk101
 description to-ngfw
 port link-type trunk
 mac-address learning disable
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 126 300 2001
 stp disable
 load-balance enhanced profile sec
 port-isolate enable group 1
#
interface GigabitEthernet1/6/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 300
 traffic-policy server-out inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2001
 traffic-policy internet-in inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 126
 traffic-policy office-out inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface XGigabitEthernet1/4/0/0
 eth-trunk 101
#
interface XGigabitEthernet1/4/0/1
 eth-trunk 101
#
interface XGigabitEthernet1/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet1/5/0/1
 eth-trunk 100
#
interface XGigabitEthernet2/4/0/0
 eth-trunk 101
#
interface XGigabitEthernet2/4/0/1
 eth-trunk 101
#
interface XGigabitEthernet2/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet2/5/0/1
 eth-trunk 100
#
return

Networking Requirements
Data Plan
Configuration Roadmap

Translation

Español 日本語 Русский 简体中文

Download

Updated: 2023-10-27

Document ID: EDOC1000069520

Downloads: 41843

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate