Deploying Firewalls as Egress Devices
Networking Requirements
Two firewalls at the campus egress form a hot standby group that acts as the egress gateway of the campus network and filters the service traffic entering and leaving the campus. Two core switches form a cluster switch system (CSS) that acts as the core of the campus network and as the user gateway, allocating IP addresses to users. The service requirements are as follows:
- Service traffic can be automatically distributed to different ISP networks at the network egress, preventing the waste of link resources.
- Internal network users can access Internet resources but cannot play online games or watch online videos during working hours.
- External network users can access the HTTP server on the internal network.
In this example, two aggregation switches set up a stack named AGG and connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.
Device Requirements and Versions
| Location | Device Used in This Example | Version Used in This Example |
|---|---|---|
| Egress | USG6300E | V600R007C00 |
| Core layer | S12700E | V200R019C10 |
Deployment Roadmap
| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Configure CSS, stacking, and multi-active detection (MAD) to improve device reliability. | Core switches |
| 2 | Configure Eth-Trunk interfaces to improve link reliability. | Core switches and egress firewalls |
| 3 | Configure interfaces, IP addresses, and routing to enable network connectivity. | Core switches and egress firewalls |
| 4 | Enable the intelligent uplink selection function to dynamically select outbound interfaces based on the egress link bandwidth, improving link resource efficiency and user experience. | Egress firewalls |
| 5 | Configure HRP to improve device reliability. | Egress firewalls |
| 6 | Configure security policies to allow services to pass through firewalls. | Egress firewalls |
| 7 | Configure NAT policies to enable internal network users to access external networks. | Egress firewalls |
| 8 | Configure NAT Server to enable external network users to access the HTTP server on the internal network. | Egress firewalls |
| 9 | Enable the smart domain name service (DNS) function to ensure that users from different ISPs can obtain addresses on their own ISP networks. | Egress firewalls |
| 10 | Configure attack defense and application behavior control to ensure network security and prevent internal network users from playing online games or watching online videos during working hours. | Egress firewalls |
Data Plan
| Device | Interface Number | Member Interface | VLANIF Interface | IP Address |
|---|---|---|---|---|
| FWA | GE1/0/1 | - | - | 192.0.2.1/24 |
| FWA | GE1/0/5 | - | - | 198.51.100.2/24 |
| FWA | GE1/0/2 | - | - | 172.16.111.1/24 |
| FWA | Eth-Trunk30 | GE1/0/3, GE1/0/4 | - | 172.16.10.1/24 |
| FWB | GE1/0/1 | - | - | 192.0.2.2/24 |
| FWB | GE1/0/5 | - | - | 198.51.100.1/24 |
| FWB | GE1/0/2 | - | - | 172.16.111.2/24 |
| FWB | Eth-Trunk40 | GE1/0/3, GE1/0/4 | - | 172.16.10.2/24 |
| CORE | XGE1/2/0/20 | - | VLANIF 50 | 172.16.50.1/24 |
| CORE | Eth-Trunk30 | GE1/3/0/0, GE2/3/0/0 | VLANIF 10 | 172.16.10.3/24 |
| CORE | Eth-Trunk40 | GE1/3/0/1, GE2/3/0/1 | VLANIF 10 | 172.16.10.3/24 |
| HTTP server | Ethernet interface | - | - | 172.16.50.10/24 |

On each firewall, GE1/0/1 connects to the ISPA network (192.0.2.0/24), GE1/0/5 connects to the ISPB network (198.51.100.0/24), and GE1/0/2 is the HRP heartbeat link between the two firewalls.
Deployment Procedure
- Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
- Configure Eth-Trunk interfaces.
# On FWA, create Eth-Trunk 30 to connect FWA to CORE, and add member interfaces to Eth-Trunk 30.
```
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 30
[FWA-Eth-Trunk30] mode lacp-static
[FWA-Eth-Trunk30] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] eth-trunk 30
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface gigabitethernet 1/0/4
[FWA-GigabitEthernet1/0/4] eth-trunk 30
[FWA-GigabitEthernet1/0/4] quit
```
# On FWB, create Eth-Trunk 40 to connect FWB to CORE, and add member interfaces to Eth-Trunk 40.
```
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 40
[FWB-Eth-Trunk40] mode lacp-static
[FWB-Eth-Trunk40] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] eth-trunk 40
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface gigabitethernet 1/0/4
[FWB-GigabitEthernet1/0/4] eth-trunk 40
[FWB-GigabitEthernet1/0/4] quit
```
# On CORE, create Eth-Trunk 30 and Eth-Trunk 40 to connect CORE to FWA and FWB respectively, and add member interfaces to the two Eth-Trunks.
```
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] mode lacp
[CORE-Eth-Trunk30] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 30
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 30
[CORE-GigabitEthernet2/3/0/0] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] mode lacp
[CORE-Eth-Trunk40] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 40
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 40
[CORE-GigabitEthernet2/3/0/1] quit
```
- Configure interfaces, IP addresses, and routing.
- Configure interfaces, and configure IP addresses for interfaces.
# Configure IP addresses for interfaces of FWA, and add the interfaces to security zones.
```
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32  //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 192.0.2.1 24  //Configure an IP address for the interface connected to the ISPA network.
[FWA-GigabitEthernet1/0/1] gateway 192.0.2.254
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/5
[FWA-GigabitEthernet1/0/5] ip address 198.51.100.2 24  //Configure an IP address for the interface connected to the ISPB network.
[FWA-GigabitEthernet1/0/5] gateway 198.51.100.254
[FWA-GigabitEthernet1/0/5] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] ip address 172.16.111.1 24  //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/2] quit
[FWA] interface eth-trunk 30
[FWA-Eth-Trunk30] ip address 172.16.10.1 24  //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk30] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 30  //Add Eth-Trunk 30 connected to the internal network to the Trust zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1  //Add the interface connected to the ISPA network to the security zone isp1.
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/1
[FWA-zone-isp1] quit
[FWA] firewall zone name isp2  //Add the interface connected to the ISPB network to the security zone isp2.
[FWA-zone-isp2] set priority 15
[FWA-zone-isp2] add interface gigabitethernet 1/0/5
[FWA-zone-isp2] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/2  //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
```
# Configure IP addresses for interfaces of FWB, and add the interfaces to security zones.
```
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32  //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 192.0.2.2 24  //Configure an IP address for the interface connected to the ISPA network.
[FWB-GigabitEthernet1/0/1] gateway 192.0.2.254
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/5
[FWB-GigabitEthernet1/0/5] ip address 198.51.100.1 24  //Configure an IP address for the interface connected to the ISPB network.
[FWB-GigabitEthernet1/0/5] gateway 198.51.100.254
[FWB-GigabitEthernet1/0/5] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] ip address 172.16.111.2 24  //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/2] quit
[FWB] interface eth-trunk 40
[FWB-Eth-Trunk40] ip address 172.16.10.2 24  //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk40] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 40  //Add Eth-Trunk 40 connected to the internal network to the Trust zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1  //Add the interface connected to the ISPA network to the security zone isp1.
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/1
[FWB-zone-isp1] quit
[FWB] firewall zone name isp2  //Add the interface connected to the ISPB network to the security zone isp2.
[FWB-zone-isp2] set priority 15
[FWB-zone-isp2] add interface gigabitethernet 1/0/5
[FWB-zone-isp2] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/2  //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
```
# Configure IP addresses for interfaces on CORE.
```
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32  //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 10 50
[CORE] interface eth-trunk 30
[CORE-Eth-Trunk30] port link-type access
[CORE-Eth-Trunk30] port default vlan 10
[CORE-Eth-Trunk30] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type access
[CORE-Eth-Trunk40] port default vlan 10
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 10
[CORE-Vlanif10] ip address 172.16.10.3 24  //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif10] quit
[CORE] interface xgigabitethernet 1/2/0/20
[CORE-XGigabitEthernet1/2/0/20] port link-type access
[CORE-XGigabitEthernet1/2/0/20] port default vlan 50
[CORE-XGigabitEthernet1/2/0/20] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 172.16.50.1 24
[CORE-Vlanif50] quit
```
- Configure routing.
# Configure OSPF on FWA to advertise the network segments where downlink interfaces belong.
```
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
```
# Configure OSPF on FWB to advertise the network segments where downlink interfaces belong.
```
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
```
# On CORE, configure OSPF to advertise the network segments where uplink interfaces belong.
```
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255  //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 172.16.50.0 0.0.0.255  //Advertise the network segment connected to the HTTP server.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
```
# On CORE, configure two default routes with the next hops being the Eth-Trunk addresses of the firewalls. The routes have equal cost, so CORE can hash flows to either firewall; the quick session backup enabled in the HRP step keeps the session tables of FWA and FWB synchronized so that packets of the same flow can be processed by either device.
```
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
```
- Configure intelligent uplink selection on egress firewalls.
# Enable the IP-link function on FWA to detect whether ISP links are working properly.
```
[FWA] ip-link check enable
[FWA] ip-link name ip_link_1
[FWA-iplink-ip_link_1] destination 192.0.2.254 interface gigabitethernet 1/0/1
[FWA-iplink-ip_link_1] quit
[FWA] ip-link name ip_link_2
[FWA-iplink-ip_link_2] destination 198.51.100.254 interface gigabitethernet 1/0/5
[FWA-iplink-ip_link_2] quit
```
# Enable the IP-link function on FWB to detect whether the ISP links are working properly. As on FWA, IP-link must be enabled globally before the link probes are defined.
```
[FWB] ip-link check enable
[FWB] ip-link name ip_link_1
[FWB-iplink-ip_link_1] destination 192.0.2.254 interface gigabitethernet 1/0/1
[FWB-iplink-ip_link_1] quit
[FWB] ip-link name ip_link_2
[FWB-iplink-ip_link_2] destination 198.51.100.254 interface gigabitethernet 1/0/5
[FWB-iplink-ip_link_2] quit
```
# Configure two default routes on FWA, with the next hops pointing to the access gateways of the two ISP networks. Each route tracks its IP-link probe, so when the probed gateway stops responding the route is withdrawn and all outbound traffic moves to the remaining ISP link.
```
[FWA] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
[FWA] ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
```
# Configure two default routes on FWB, with the next hops pointing to the access points of the two ISP networks respectively.
```
[FWB] ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
[FWB] ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
```
# Configure intelligent uplink selection on FWA. The two ISP interfaces are grouped in the multi-interface view, new outbound flows are distributed across them in proportion to the bandwidth configured on each interface, and the threshold is the percentage of that bandwidth beyond which the link is treated as congested and no longer chosen for new flows.
```
[FWA] multi-interface
[FWA-multi-inter] mode proportion-of-bandwidth
[FWA-multi-inter] add interface GigabitEthernet1/0/1
[FWA-multi-inter] add interface GigabitEthernet1/0/5
[FWA-multi-inter] quit
[FWA] interface GigabitEthernet 1/0/1
[FWA-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface GigabitEthernet 1/0/5
[FWA-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWA-GigabitEthernet1/0/5] quit
```
# Configure intelligent uplink selection on FWB to implement load balancing based on link bandwidth.
```
[FWB] multi-interface
[FWB-multi-inter] mode proportion-of-bandwidth
[FWB-multi-inter] add interface GigabitEthernet1/0/1
[FWB-multi-inter] add interface GigabitEthernet1/0/5
[FWB-multi-inter] quit
[FWB] interface GigabitEthernet 1/0/1
[FWB-GigabitEthernet1/0/1] bandwidth ingress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] bandwidth egress 800000 threshold 95
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface GigabitEthernet 1/0/5
[FWB-GigabitEthernet1/0/5] bandwidth ingress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] bandwidth egress 200000 threshold 90
[FWB-GigabitEthernet1/0/5] quit
```
- Configure HRP on egress firewalls.
# On FWA, have the VRRP Group Management Protocol (VGMP) group track the downlink service interface. If Eth-Trunk 30 goes down, the VGMP priority of FWA drops and the hot standby group fails over to FWB.
```
[FWA] hrp track interface eth-trunk 30
```
# Configure a VGMP group on FWB to monitor downlink service interfaces.
```
[FWB] hrp track interface eth-trunk 40
```
# On FWA, enable quick session backup, specify the heartbeat interface together with the peer's heartbeat address, and enable HRP.
```
[FWA] hrp mirror session enable
[FWA] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
[FWA] hrp enable
```
# On FWB, configure quick session backup, specify the heartbeat interface, and enable HRP.
```
[FWB] hrp mirror session enable
[FWB] hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
[FWB] hrp enable
```
- Configure security policies.
# After the hot standby group is established, FWA is the active device (prompt HRP_M) and the security policies configured on it are automatically synchronized to FWB (prompt HRP_S). Note that untrust_to_trust permits any service from both ISP zones to the whole 172.16.50.0/24 segment; only TCP port 80 on 172.16.50.10, the post-NAT Server destination, needs to be reachable, so narrowing the rule to that address and service follows least privilege.
```
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz  //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust  //Allow internal network users to access external networks.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp2
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 172.16.40.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust  //Allow external network users to access the HTTP server.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp2
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-address 172.16.50.0 24
HRP_M[FWA-policy-security-rule-untrust_to_trust] action permit
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
```
- Configure NAT policies.
# On FWA, create the NAT address pools addressgroup1 (4.4.4.1 to 4.4.4.5) and addressgroup2 (5.5.5.1 to 5.5.5.5) in PAT mode. route enable makes the firewall generate routes (UNR) for the pool addresses, so packets destined for a pool address terminate on the firewall instead of being forwarded along the default route and looping back to the ISP. The NAT address pools configured on FWA are automatically synchronized to FWB.
```
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 4.4.4.1 4.4.4.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
HRP_M[FWA] nat address-group addressgroup2
HRP_M[FWA-nat-address-group-addressgroup2] section 1 5.5.5.1 5.5.5.5
HRP_M[FWA-nat-address-group-addressgroup2] mode pat
HRP_M[FWA-nat-address-group-addressgroup2] route enable
HRP_M[FWA-nat-address-group-addressgroup2] quit
```
# Configure source NAT policies so that internal users reach external networks with post-NAT public addresses: hosts 172.16.40.1 to 172.16.40.127 use addressgroup1 and hosts 172.16.40.128 to 172.16.40.254 use addressgroup2. The destination zones are the ISP zones isp1 and isp2 created earlier (this deployment has no untrust zone). Because the pool is chosen by source subnet rather than by outbound ISP, a flow that intelligent uplink selection steers to ISPB can leave with an addressgroup1 address; both ISPs must therefore route and accept both pools, which is what the route request below asks for. Alternatively, key the NAT rules on destination-zone so that each ISP link uses its own pool.
```
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 172.16.40.1 172.16.40.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] rule name policy_nat_2
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-address range 172.16.40.128 172.16.40.254
HRP_M[FWA-policy-nat-rule-policy_nat_2] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp1
HRP_M[FWA-policy-nat-rule-policy_nat_2] destination-zone isp2
HRP_M[FWA-policy-nat-rule-policy_nat_2] action source-nat address-group addressgroup2
HRP_M[FWA-policy-nat-rule-policy_nat_2] quit
HRP_M[FWA-policy-nat] quit
```
# Contact ISP network administrators to configure routes with the destination addresses in addressgroup1 and addressgroup2 and with the next hops being the interface addresses of the firewalls.
- Configure NAT Server.
# Assume that the HTTP server on the internal network has obtained a public IP address from each ISP (4.4.4.10 from ISPA and 5.5.5.10 from ISPB), so that external users of ISPA and ISPB each reach the HTTP server through the public address of their own ISP.
# Configure static server mappings. Only TCP port 8080 of each public address is mapped, to port 80 of the server. no-reverse makes each mapping one-way (it is used only for inbound connections to the public address), which is what allows two public addresses to map to the same internal address.
```
HRP_M[FWA] nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
HRP_M[FWA] nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
```
# Contact ISP network administrators to configure routes with the destination addresses being the public IP addresses of the HTTP server and with the next hops being the interface addresses of the firewalls.
# Configure blackhole routes on FWA. Only TCP port 8080 of 4.4.4.10 and 5.5.5.10 is mapped by NAT Server; a packet to any other port of these addresses has no mapping and, without the blackhole routes, would follow the default route back to the ISP, which routes it to the firewall again, producing a routing loop. Routing the two host addresses to NULL 0 drops such packets on the firewall.
```
HRP_M[FWA] ip route-static 4.4.4.10 32 NULL 0
HRP_M[FWA] ip route-static 5.5.5.10 32 NULL 0
```
# Configure blackhole routes on FWB.
```
HRP_S[FWB] ip route-static 4.4.4.10 32 NULL 0
HRP_S[FWB] ip route-static 5.5.5.10 32 NULL 0
```
# On FWA, make reply packets leave through the interface on which the session arrived. Without this, the reply to a connection that came in from ISPB could be forwarded according to the default routes and uplink selection, possibly out of the ISPA interface with a source address that belongs to ISPB, which the ISP is likely to drop as spoofed. redirect-reverse forces the reverse direction of each session to the gateway of the receiving interface.
```
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] redirect-reverse next-hop 192.0.2.254
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] redirect-reverse next-hop 198.51.100.254
HRP_M[FWA-GigabitEthernet1/0/5] quit
```
# On FWB, configure the same interface to receive and send packets.
```
HRP_S[FWB] interface GigabitEthernet 1/0/1
HRP_S[FWB-GigabitEthernet1/0/1] redirect-reverse next-hop 192.0.2.254
HRP_S[FWB-GigabitE
thernet1/0/1] quit
HRP_S[FWB] interface GigabitEthernet 1/0/5
HRP_S[FWB-GigabitEthernet1/0/5] redirect-reverse next-hop 198.51.100.254
HRP_S[FWB-GigabitEthernet1/0/5] quit
```
- Configure smart DNS.
This function requires a license and dynamic installation of the corresponding component package.
# Create a smart DNS group of type multi that maps each ISP interface to the public address of the HTTP server on that ISP. A DNS reply for the server that is returned through GE1/0/1 (ISPA) is rewritten to 4.4.4.10, and one returned through GE1/0/5 (ISPB) to 5.5.5.10, so the users of each ISP reach the server over their own ISP link.
```
HRP_M[FWA] dns-smart enable
HRP_M[FWA] dns-smart group 1 type multi
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/1 map 4.4.4.10
HRP_M[FWA-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 5.5.5.10
HRP_M[FWA-dns-smart-group-1] quit
```
- Configure attack defense and application behavior control.
# Configure attack defense: enable single-packet attack defense (Land, Smurf, Fraggle, WinNuke, IP-option and Ping of Death attacks), collect flow statistics on both ISP interfaces, and enable flood defense. anti-ddos baseline-learn apply applies whatever baseline has been learned so far; on a production network, let the learning run over a representative period that includes peak hours before applying it, otherwise thresholds derived from an unrepresentative baseline may treat normal traffic peaks as floods.
```
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/1
HRP_M[FWA-GigabitEthernet1/0/1] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/1] quit
HRP_M[FWA] interface GigabitEthernet 1/0/5
HRP_M[FWA-GigabitEthernet1/0/5] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/5] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
```
# Configure application behavior control.
This function requires a license and dynamic installation of the corresponding component package.
Create an application behavior control profile that denies HTTP and FTP operations during working hours. As configured, it also denies HTTP web browsing (http-control web-browse) and HTTP proxy surfing, so it blocks ordinary web access during working hours, which is broader than the requirement of blocking only online games and videos; drop those two lines if general Internet access must stay available and keep the remaining controls.
```
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
```
Create an application behavior control profile for break time that permits HTTP web browsing, HTTP proxy surfing, and HTTP file download, while still denying HTTP POST, HTTP file upload, and all FTP file operations.
```
HRP_M[FWA] profile type app-control name profile_app_rest
HRP_M[FWA-profile-app-control-profile_app_rest] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_rest] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_rest] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_rest] quit
```
Create a time range named working_hours, which indicates working hours.
```
HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range 09:00:00 to 17:30:00 working-day
HRP_M[FWA-time-range-working_hours] quit
```
Create a time range named off_hours, which indicates non-working hours.
```
HRP_M[FWA] time-range off_hours
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 23:59:59 off-day
HRP_M[FWA-time-range-off_hours] period-range 00:00:00 to 08:59:59 working-day
HRP_M[FWA-time-range-off_hours] period-range 17:30:01 to 23:59:59 working-day
HRP_M[FWA-time-range-off_hours] quit
```
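The two time ranges are meant to split the week between policy_sec_work and policy_sec_rest. A gap between them (for example an off_hours period starting at 17:31:00 instead of 17:30:01) leaves seconds that neither time-bound rule matches, and an overlap lets whichever rule comes first in the configuration win for both. The following Python script is an added example, not part of this page or of Huawei's software: a hypothetical checker that parses period-range lines in the syntax shown above and counts, for every second of the week, how many of the named time-ranges cover it. It assumes that working-day means Monday to Friday, off-day means Saturday and Sunday, and that both ends of a period-range are inclusive, as 00:00:00 to 23:59:59 covering a whole day implies.

```python
"""Added check that two USG time-ranges partition the week, so that every second
falls under exactly one of the two time-bound security policies.  Hypothetical
helper for this page, not a Huawei tool.  Assumptions: working-day is Monday to
Friday, off-day is Saturday and Sunday, and both ends of a period-range are
inclusive (00:00:00 to 23:59:59 covers a whole day)."""
from typing import Dict, List, Tuple

DAY = 86400
DAY_SETS = {"working-day": range(0, 5), "off-day": range(5, 7)}  # Mon=0 .. Sun=6

# Constructed sample: the two time-ranges exactly as configured on this page.
SAMPLE_TIME_RANGES = """\
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
"""


def _secs(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_time_ranges(config: str) -> Dict[str, List[Tuple[int, int, int]]]:
    """Return {name: [(weekday, start_sec, end_sec), ...]} with inclusive ends."""
    ranges: Dict[str, List[Tuple[int, int, int]]] = {}
    name = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[0] == "time-range":
            name = tok[1]
            ranges[name] = []
        elif name and tok[0] == "period-range":  # period-range HH:MM:SS to HH:MM:SS <days>
            for day in DAY_SETS[tok[4]]:
                ranges[name].append((day, _secs(tok[1]), _secs(tok[3])))
    return ranges


def week_coverage(ranges: Dict[str, List[Tuple[int, int, int]]], names: List[str]) -> bytearray:
    """One counter per second of the week: how many of the named ranges cover it."""
    week = bytearray(7 * DAY)
    for n in names:
        for day, start, end in ranges[n]:
            for t in range(day * DAY + start, day * DAY + end + 1):
                week[t] += 1
    return week


def _fmt(t: int) -> str:
    day, s = divmod(t, DAY)
    return f"day{day} {s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def check_partition(config: str, names: List[str]) -> Dict[str, List[str]]:
    """Seconds no named range covers (gaps: neither time-bound policy matches and
    the packet falls through to later rules or the default action) and seconds two
    ranges cover (overlaps: the policy that comes first in the configuration wins)."""
    week = week_coverage(parse_time_ranges(config), names)
    return {"gaps": [_fmt(t) for t, c in enumerate(week) if c == 0],
            "overlaps": [_fmt(t) for t, c in enumerate(week) if c > 1]}


if __name__ == "__main__":
    result = check_partition(SAMPLE_TIME_RANGES, ["working_hours", "off_hours"])
    print(f"{len(result['gaps'])} uncovered seconds, {len(result['overlaps'])} double-covered seconds")
```

For the page's two time ranges the result is empty on both counts: the working_hours period ends at 17:30:00 and the weekday off_hours period starts at 17:30:01, so the week is covered exactly once. Changing the start to 17:31:00 reports 59 uncovered seconds on each of the five working days, starting at day0 17:30:01.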
Configure the security policy policy_sec_work and reference the time range working_hours and application behavior control file profile_app_work to control the application behavior of users during working hours.
```
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
```
Configure the security policy policy_sec_rest and reference the time range off_hours and the application behavior control profile profile_app_rest to control the application behavior of users during non-working hours. Security policies are matched in configuration order and the first match wins: trust_to_untrust, created earlier, already permits all traffic from 172.16.40.0/24 to isp1 and isp2 without any application control, so it pre-empts both policy_sec_work and policy_sec_rest for those users. Move the two time-bound rules above it (for example with `rule move policy_sec_work before trust_to_untrust` in the security-policy view) or remove trust_to_untrust so that the profiles take effect.
```
HRP_M[FWA-policy-security] rule name policy_sec_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_rest] destination-zone isp2
HRP_M[FWA-policy-security-rule-policy_sec_rest] user any
HRP_M[FWA-policy-security-rule-policy_sec_rest] time-range off_hours
HRP_M[FWA-policy-security-rule-policy_sec_rest] profile app-control profile_app_rest
HRP_M[FWA-policy-security-rule-policy_sec_rest] action permit
HRP_M[FWA-policy-security-rule-policy_sec_rest] quit
```
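The rule-order problem in the security policy (trust_to_untrust permitting all traffic from 172.16.40.0/24 to isp1 and isp2 before the time-bound rules are reached) and an overlap between the source ranges of policy_nat_1 and policy_nat_2 in the NAT policy are both cases of an earlier rule claiming traffic meant for a later one. The following Python script is an added example, not part of this page or of Huawei's software: a small, hypothetical auditor that parses a security-policy or nat-policy block in the configuration-file syntax shown on this page and reports every later rule whose zones and source addresses an earlier rule of the same section already matches. The sample configuration embedded in it is constructed from the page's rules, trimmed to the attributes the auditor reads, with policy_nat_2 deliberately starting at 172.16.40.127 so that the NAT check has something to find. A rule with no source-address is treated as matching any address; services and users, which these rules do not specify, are ignored.

```python
"""Added audit of Huawei USG-style security-policy / nat-policy rule order: a
hypothetical helper for this page, not a Huawei tool.  It reads only zones,
source addresses and time-range, the attributes these rules use."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Range = Tuple[int, int]  # inclusive IPv4 range as integers
# Constructed sample: the page's rules trimmed to what the audit reads; policy_nat_2 starts at .127.
SAMPLE_CONFIG = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 172.16.40.0 mask 255.255.255.0
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  source-address range 172.16.40.127 172.16.40.254
  action source-nat address-group addressgroup2
"""

@dataclass
class Rule:
    section: str
    name: str
    src_zones: Set[str] = field(default_factory=set)      # empty means "any"
    dst_zones: Set[str] = field(default_factory=set)
    src_addrs: List[Range] = field(default_factory=list)  # empty means "any"
    time_range: str = ""                                  # empty means "always"

def _to_range(tok: List[str]) -> Range:
    """'range A B', 'A mask M' and 'A <prefix-length>' -> inclusive int range."""
    if tok[0] == "range":
        return int(ipaddress.IPv4Address(tok[1])), int(ipaddress.IPv4Address(tok[2]))
    net = ipaddress.IPv4Network(f"{tok[0]}/{tok[2] if tok[1] == 'mask' else tok[1]}", strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_rules(config: str) -> List[Rule]:
    """Walk the configuration in order; the rule order is what the audit is about."""
    rules, section, rule = [], None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw.startswith(" "):          # top-level view keyword
            section, rule = (tok[0] if tok[0] in ("security-policy", "nat-policy") else None), None
        elif section and tok[:2] == ["rule", "name"]:
            rule = Rule(section, tok[2])
            rules.append(rule)
        elif rule and tok[0] in ("source-zone", "destination-zone"):
            (rule.src_zones if tok[0] == "source-zone" else rule.dst_zones).add(tok[1])
        elif rule and tok[0] == "source-address":
            rule.src_addrs.append(_to_range(tok[1:]))
        elif rule and tok[0] == "time-range":
            rule.time_range = tok[1]
    return rules

def _intersect(a: List[Range], b: List[Range]) -> List[Range]:
    """Address-set intersection, treating an empty list as 'any'."""
    if not a or not b:
        return a or b or [(0, 0xFFFFFFFF)]
    return [(max(l1, l2), min(h1, h2)) for l1, h1 in a for l2, h2 in b
            if max(l1, l2) <= min(h1, h2)]

def find_overlaps(rules: List[Rule]) -> List[Tuple[str, str, str, List[Range]]]:
    """Policies match top-down and the first hit wins: report each later rule whose
    zones and source addresses an earlier rule of the same section already claims.
    An earlier time-bound rule pre-empts only inside its window and is skipped."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.time_range or b.section != a.section:
                continue
            zones_meet = all(not x or not y or x & y for x, y in
                             ((a.src_zones, b.src_zones), (a.dst_zones, b.dst_zones)))
            hit = _intersect(a.src_addrs, b.src_addrs) if zones_meet else []
            if hit:
                found.append((a.section, a.name, b.name, hit))
    return found

def audit(config: str) -> List[str]:
    """One line per finding, with the pre-empted address ranges spelled out."""
    return [f"{sec}: '{a}' pre-empts '{b}' for "
            + ", ".join(f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}" for lo, hi in hit)
            for sec, a, b, hit in find_overlaps(parse_rules(config))]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the sample it prints one finding per section: trust_to_untrust pre-empts policy_sec_work for 172.16.40.0-172.16.40.255, and policy_nat_1 pre-empts policy_nat_2 for the single address 172.16.40.127. Starting policy_nat_2 at 172.16.40.128 clears the second finding; the first clears only when the time-bound rules are moved above trust_to_untrust or that rule is removed.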
Verifying the Deployment
# Verify connectivity and policy behavior. From an internal host, access an Internet resource; from external hosts on ISPA and ISPB, open the HTTP server through 4.4.4.10:8080 and 5.5.5.10:8080 respectively; during working hours, confirm that the operations denied by profile_app_work are blocked (a ping test only proves reachability and says nothing about application control). On the firewalls, `display hrp state` shows the HRP role of each device and the state of the tracked interface, `display ip-link` shows whether both ISP gateways answer the IP-link probes, and `display firewall session table verbose` shows the zone pair, outbound interface and post-NAT address of each session.
# Verify that new sessions are steered to the ISPB link when the ISPA link exceeds its bandwidth threshold, and that the default route through ISPA is withdrawn, so that all traffic uses ISPB, when ip_link_1 can no longer reach 192.0.2.254.
Configuration Files
- FWA configuration file
```
#
sysname FWA
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 172.16.111.2
hrp track interface Eth-Trunk 30
hrp mirror session enable
#
interface Eth-Trunk 30
 ip address 172.16.10.1 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.0.2.1 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 192.0.2.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.111.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 30
#
interface GigabitEthernet1/0/4
 undo shutdown
 eth-trunk 30
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 198.51.100.2 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 198.51.100.254
 bandwidth egress 200000 threshold 90
 bandwidth ingress 200000 threshold 90
 redirect-reverse next-hop 198.51.100.254
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk30
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2
 set priority 15
 add interface GigabitEthernet1/0/5
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
 destination 192.0.2.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
 destination 198.51.100.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
ip route-static 4.4.4.10 255.255.255.255 NULL 0
ip route-static 5.5.5.10 255.255.255.255 NULL 0
#
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address 172.16.40.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 172.16.50.0 mask 255.255.255.0
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 4.4.4.1 4.4.4.5
#
nat address-group addressgroup2
 mode pat
 route enable
 section 1 5.5.5.1 5.5.5.5
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.128 172.16.40.254
  action source-nat address-group addressgroup2
#
nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
#
dns-smart enable
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 4.4.4.10
 out-interface GigabitEthernet 1/0/5 map 5.5.5.10
#
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend winnuke enable
firewall defend fraggle enable
firewall defend ping-of-death enable
firewall defend smurf enable
firewall defend land enable
#
anti-ddos baseline-learn start
anti-ddos baseline-learn tolerance-value 100
anti-ddos baseline-learn apply
anti-ddos syn-flood source-detect
anti-ddos udp-flood dynamic-fingerprint-learn
anti-ddos udp-frag-flood dynamic-fingerprint-learn
anti-ddos http-flood defend alert-rate 2000
anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
#
return
```
- FWB configuration file
- FWB configuration file

```
#
 sysname FWB
#
 hrp enable
 hrp interface GigabitEthernet 1/0/2 remote 172.16.111.1
 hrp track interface Eth-Trunk 40
 hrp mirror session enable
#
interface Eth-Trunk 40
 ip address 172.16.10.2 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.2 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 192.0.2.254
 bandwidth ingress 800000 threshold 95
 bandwidth egress 800000 threshold 95
 redirect-reverse next-hop 192.0.2.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.111.2 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 40
#
interface GigabitEthernet1/0/4
 undo shutdown
 eth-trunk 40
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 198.51.100.1 255.255.255.0
 anti-ddos flow-statistic enable
 gateway 198.51.100.254
 bandwidth egress 200000 threshold 90
 bandwidth ingress 200000 threshold 90
 redirect-reverse next-hop 198.51.100.254
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk40
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2
 set priority 15
 add interface GigabitEthernet1/0/5
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
 ip-link check enable
ip-link name ip_link_1
 destination 192.0.2.254 interface GigabitEthernet1/0/1
#
ip-link name ip_link_2
 destination 198.51.100.254 interface GigabitEthernet1/0/5
#
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 198.51.100.254 track ip-link ip_link_2
ip route-static 4.4.4.10 255.255.255.255 NULL 0
ip route-static 5.5.5.10 255.255.255.255 NULL 0
#
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
 rule name policy_sec_rest
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range off_hours
  profile app-control profile_app_rest
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address 172.16.40.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  source-zone isp2
  destination-zone trust
  destination-address 172.16.50.0 mask 255.255.255.0
  action permit
#
nat address-group addressgroup1
 mode pat
 route enable
 section 0 4.4.4.1 4.4.4.5
#
nat address-group addressgroup2
 mode pat
 route enable
 section 1 5.5.5.1 5.5.5.5
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address range 172.16.40.128 172.16.40.254
  action source-nat address-group addressgroup2
#
 nat server web_for_isp1 zone isp1 protocol tcp global 4.4.4.10 8080 inside 172.16.50.10 80 no-reverse
 nat server web_for_isp2 zone isp2 protocol tcp global 5.5.5.10 8080 inside 172.16.50.10 80 no-reverse
#
 dns-smart enable
dns-smart group 1 type multi
 out-interface GigabitEthernet 1/0/1 map 4.4.4.10
 out-interface GigabitEthernet 1/0/5 map 5.5.5.10
#
 firewall defend time-stamp enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend winnuke enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend smurf enable
 firewall defend land enable
#
 anti-ddos baseline-learn start
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn apply
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
profile type app-control name profile_app_rest
 http-control post action deny
 http-control file direction upload action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range 09:00:00 to 17:30:00 working-day
#
time-range off_hours
 period-range 00:00:00 to 23:59:59 off-day
 period-range 00:00:00 to 08:59:59 working-day
 period-range 17:30:01 to 23:59:59 working-day
#
return
```

Security policy rules are matched from the top down. The two time-range rules that carry app-control profiles (policy_sec_work and policy_sec_rest) are therefore listed before the blanket trust_to_untrust permit; if the blanket permit came first, traffic from 172.16.40.0/24 would match it and the profiles would never be applied. The two source-NAT rules split 172.16.40.0/24 at 172.16.40.127 and 172.16.40.128 so that no address falls into both ranges.
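Because security-policy and nat-policy rules are matched from the top down, a broad rule listed early can hide a later, more specific one. The following Python script is an added example, not part of this page or of the firewall's software: it parses the indented rule blocks of a policy section, reports a later rule that an earlier rule fully shadows, and, for security policy, reports an earlier profile-less permit that lets traffic through without the app-control profile of a later rule. It also reads the `source-address range A B` form, so the same functions tell whether two nat-policy source ranges overlap. The two listings embedded in it are constructed, abridged excerpts modelled on the FWB rules, with the blanket trust_to_untrust permit deliberately placed before policy_sec_work, which is the ordering the check is meant to catch. Named time ranges are not evaluated, so two rules with different time ranges are treated as possibly overlapping; all function and variable names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = None  # a match field that is not set on a rule matches anything
ZONE_KEYS = ("source-zone", "destination-zone")
ADDR_KEYS = ("source-address", "destination-address")

@dataclass
class Rule:
    name: str
    match: dict = field(default_factory=lambda: {k: [] for k in ZONE_KEYS + ADDR_KEYS})
    time_range: str = ANY
    profile: str = ANY
    action: str = ANY

def _nets(tokens):  # "A mask M" or "range A B" -> list of IPv4Network
    if tokens[0] == "range":
        lo, hi = ipaddress.ip_address(tokens[1]), ipaddress.ip_address(tokens[2])
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}")]

def parse_rules(text):  # the "rule name ..." blocks of one policy section, in listing order
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["rule", "name"]:
            rules.append(Rule(t[2]))
        elif rules and t:
            r, key = rules[-1], t[0]
            if key in ZONE_KEYS:
                r.match[key].append(t[1])
            elif key in ADDR_KEYS:
                r.match[key] += _nets(t[1:])
            elif key == "time-range":
                r.time_range = t[1]
            elif key in ("profile", "action"):
                setattr(r, key, " ".join(t[1:]))
    return rules

def _hit(x, y):  # zone names compare by equality, networks by overlap
    return x == y if isinstance(x, str) else x.overlaps(y)

def _inside(y, x):  # is element y of the later rule contained in element x of the earlier one
    return y == x if isinstance(x, str) else y.subnet_of(x)

def overlaps(a, b):  # some packet could match both rules (named time ranges are not compared)
    return all(not a.match[k] or not b.match[k]
               or any(_hit(x, y) for x in a.match[k] for y in b.match[k]) for k in a.match)

def covers(a, b):  # everything b matches is already matched by a, so b is dead after a
    return a.time_range in (ANY, b.time_range) and all(
        not a.match[k] or (b.match[k] and all(any(_inside(y, x) for x in a.match[k])
                                             for y in b.match[k]))
        for k in a.match)

def check(rules):  # findings as (kind, earlier_rule, later_rule) over every ordered pair
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not overlaps(earlier, later):
                continue
            if covers(earlier, later):
                findings.append(("shadowed", earlier.name, later.name))
            elif later.profile and not earlier.profile and earlier.action == "permit":
                # the earlier plain permit passes the shared traffic without inspection
                findings.append(("profile-bypass", earlier.name, later.name))
    return findings

# Constructed excerpt modelled on the FWB rules, blanket permit ahead of the app-control rule
SECURITY_SAMPLE = """\
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address 172.16.40.0 mask 255.255.255.0
  action permit
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  time-range working_hours
  profile app-control profile_app_work
  action permit
"""

# Constructed excerpt of the two source-NAT rules; both ranges contain 172.16.40.127
NAT_SAMPLE = """\
nat-policy
 rule name policy_nat_1
  source-address range 172.16.40.1 172.16.40.127
  action source-nat address-group addressgroup1
 rule name policy_nat_2
  source-address range 172.16.40.127 172.16.40.254
  action source-nat address-group addressgroup2
"""
```

`check(parse_rules(SECURITY_SAMPLE))` reports a profile-bypass of policy_sec_work by trust_to_untrust; feeding the same two rules in the opposite order reports nothing. `overlaps()` on the two rules of `NAT_SAMPLE` is true until the second range is made to start at 172.16.40.128. The check is pairwise, so a later rule that is only covered by the union of several earlier rules is not reported.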
- CORE configuration file
```
#
 sysname CORE
#
 router id 3.3.3.3
#
vlan batch 10 50
#
interface Vlanif10
 ip address 172.16.10.3 255.255.255.0
#
interface Vlanif50
 ip address 172.16.50.1 255.255.255.0
#
interface Eth-Trunk30
 port link-type access
 port default vlan 10
 mode lacp
#
interface Eth-Trunk40
 port link-type access
 port default vlan 10
 mode lacp
#
interface GigabitEthernet1/3/0/0
 eth-trunk 30
#
interface GigabitEthernet1/3/0/1
 eth-trunk 40
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/2/0/20
 port link-type access
 port default vlan 50
#
interface GigabitEthernet2/3/0/0
 eth-trunk 30
#
interface GigabitEthernet2/3/0/1
 eth-trunk 40
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
  network 172.16.50.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.1
ip route-static 0.0.0.0 0.0.0.0 172.16.10.2
#
return
```