No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
S300, S500, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides campus networks typical configuration examples and feature typical configuration examples. "Campus Networks Typical Configuration Examples" provides typical campus network networking modes and a variety of deployment examples."Feature Typical Configuration Examples" provides typical configuration examples of a single feature on a switch. You can configure required features after deploying a campus network.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Deploying Firewalls in Off-Path Mode

Deploying Firewalls in Off-Path Mode

Networking Requirements

At the egress of a large campus network, core switches connect to routers to access the Internet through uplink interfaces. Firewalls connect to the core switches in off-path mode to filter service traffic. Core switches function as user gateways to allocate IP addresses to users. The networking requirements are as follows:

  • Core switches typically set up a CSS to simplify network and improve reliability.
  • HRP is deployed on firewalls, which are then working in active/standby mode. If one firewall fails, services are switched to the other firewall.
  • Each of the core switches is dual homed to two egress routers, and VRRP is deployed on the two routers to ensure reliability.
  • To improve link reliability, Eth-Trunk interfaces are used to connect core switches and egress routers, connect core switches and firewalls, and connect two firewalls.

In this example, two aggregation switches (AGG1 and AGG2) connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.

Figure 2-16 Deploying firewalls in off-path mode

In Layer 3 forwarding, internal and external traffic of a campus network is directly forwarded by switches without passing through FWA and FWB. When traffic needs to be forwarded between core switches and firewalls for filtering, the VPN routing and forwarding (VRF) function must be configured on core switches to divide the switches into a virtual switch VRF-A and a root switch Public, which are separated from each other.

In Figure 2-17, Public connects to egress routers. Public forwards traffic from the Internet to firewalls for filtering and traffic from firewalls to egress routers.

VRF-A connects to the internal network. VRF-A forwards traffic from firewalls to the internal network and traffic from the internal network to firewalls for filtering.

Figure 2-17 Physical interface connections of the campus egress where firewalls are deployed in off-path mode

Device Requirements and Versions

Location

Device Used in This Example

Version Used in This Example

Egress

AR6300

V300R019C10

USG6300E

V600R007C00

Core layer

S12700E

V200R019C10

Aggregation layer

S5731-H

V200R019C10

Deployment Roadmap

Step

Deployment Roadmap

Devices Involved

1

Configure CSS and MAD to improve device reliability.

Core switches

2

Configure Eth-Trunk interfaces to improve link reliability and configure IP addresses for interfaces.

Core switches, aggregation switches, egress routers, and firewalls

3

Configure DHCP to allocate IP addresses to users.

Core switches

4

Configure VRRP to ensure reliability between core switches and egress routers.

Egress routers

5

Configure routing to enable network connectivity.

  • Configure the VRF function on core switches to divide the switches into a virtual switch VRF-A and a root switch Public, which separate service network routes and public network routes.
  • To steer the uplink traffic on each device, configure a default route on core switches, of which the next hop is the VRRP virtual IP address of two egress routers.
  • To steer the return traffic of two egress routers, configure OSPF between the egress routers and core switches, and advertise all user network segments on the core switches into OSPF on the egress routers.
  • To steer the uplink traffic of service networks to firewalls, configure a default route on core switches, of which the next hop is the virtual IP address of the VRRP group with VRID 2 of firewalls.
  • To steer the downlink traffic of service networks 1 and 2 to firewalls, configure a default route on core switches, of which the next hop is the virtual IP address of the VRRP group with VRID 1 of firewalls.
  • To steer the uplink traffic of service networks to core switches, configure a default route on firewalls, of which the next hop is the IP address of VLANIF 20 on core switches.
  • To steer the downlink traffic of service networks 1 and 2 to core switches, configure a default route on firewalls, of which the next hop is the IP address of VLANIF 30 on core switches.

Core switches, egress routers, and firewalls

6

Configure HRP to improve device reliability.

Firewalls

7

Configure security policies to allow services to pass through firewalls.

Firewalls

Data Plan

Device

Interface Number

Member Interface

VLANIF Interface

IP Address

RouterA

Eth-Trunk 1.100

XGE1/0/1

XGE1/0/2

-

10.10.4.2/24

RouterB

Eth-Trunk 1.100

XGE1/0/1

XGE1/0/2

-

10.10.4.3/24

VRRP of RouterA and RouterB

-

-

-

10.10.4.100/24

CORE

Eth-Trunk 1

XGE1/4/0/0

XGE2/4/0/0

VLANIF 10

10.10.4.1/24

Eth-Trunk 2

XGE1/4/0/1

XGE2/4/0/1

VLANIF 10

10.10.4.1/24

Eth-Trunk 4

GE1/3/0/7

GE2/3/0/7

VLANIF 20

10.10.2.1/24

Eth-Trunk 5

GE1/3/0/8

GE2/3/0/8

VLANIF 30

10.10.3.1/24

Eth-Trunk 6

GE1/5/0/7

GE2/5/0/7

VLANIF 20

10.10.2.1/24

Eth-Trunk 7

GE1/5/0/8

GE2/5/0/8

VLANIF 30

10.10.3.1/24

Eth-Trunk10

XGE1/1/0/1

XGE2/1/0/2

VLANIF50

10.10.50.1/24 (gateway for users connected to AGG1)

Eth-Trunk20

XGE1/1/0/2

XGE2/1/0/1

VLANIF60

10.10.60.1/24 (gateway for users connected to AGG2)

AGG1

Eth-Trunk10

XGE0/0/1

XGE1/0/1

-

-

AGG2

Eth-Trunk20

XGE0/0/1

XGE1/0/1

-

-

FWA

Eth-Trunk 1

GE2/0/0

GE2/0/1

-

10.1.1.1/24

Eth-Trunk 4

GE1/0/0

GE1/0/1

-

10.10.2.2/24

Eth-Trunk 5

GE1/1/0

GE1/1/1

-

10.10.3.2/24

FWB

Eth-Trunk 1

GE2/0/0

GE2/0/1

-

10.1.1.2/24

Eth-Trunk 6

GE1/0/0

GE1/0/1

-

10.10.2.3/24

Eth-Trunk 7

GE1/1/0

GE1/1/1

-

10.10.3.3/24

VRRP1 of FWA and FWB (in uplink direction)

-

-

-

10.10.2.5/24

VRRP2 of FWA and FWB (in downlink direction)

-

-

-

10.10.3.5/24

Deployment Procedure

  1. Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
  2. Configure Eth-Trunk interfaces and configure IP addresses for interfaces.

    1. Configure RouterA. The configuration of RouterB is similar to that of RouterA.

      # Create Eth-Trunk 1 and add member interfaces to Eth-Trunk 1.

      <HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Eth-Trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface XGigabitethernet 1/0/1  
[RouterA-XGigabitEthernet1/0/1] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/1] quit
[RouterA] interface XGigabitethernet 1/0/2  
[RouterA-XGigabitEthernet1/0/2] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/2] quit

      # Configure a sub-interface for dot1q VLAN tag termination, configure an IP address for the sub-interface, and configure the sub-interface to terminate VLAN 10.

      [RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.4.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 10
[RouterA-Eth-Trunk1.100] quit
    2. Configure CORE.

      # Create Eth-Trunk 1 to connect CORE to RouterA, and add member interfaces to Eth-Trunk 1.

      <HUAWEI> system-view
[HUAWEI] sysname CORE  
[CORE] interface Eth-Trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface XGigabitethernet 1/4/0/0
[CORE-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet1/4/0/0] quit
[CORE] interface XGigabitethernet 2/4/0/0 
[CORE-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet2/4/0/0] quit

      # Create Eth-Trunk 2 to connect CORE to RouterB, and add member interfaces to Eth-Trunk 2.

      [CORE] interface Eth-Trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface XGigabitethernet 1/4/0/1 
[CORE-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet1/4/0/1] quit
[CORE] interface XGigabitethernet 2/4/0/1 
[CORE-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet2/4/0/1] quit

      # Create Eth-Trunk 4 to connect Public to FWA, and add member interfaces to Eth-Trunk 4.

      [CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface Gigabitethernet 1/3/0/7  
[CORE-Gigabitethernet1/3/0/7] Eth-Trunk 4
[CORE-Gigabitethernet1/3/0/7] quit
[CORE] interface Gigabitethernet 2/3/0/7 
[CORE-Gigabitethernet2/3/0/7] Eth-Trunk 4
[CORE-Gigabitethernet2/3/0/7] quit

      # Create Eth-Trunk 5 to connect VRF-A to FWA, and add member interfaces to Eth-Trunk 5.

      [CORE] interface Eth-Trunk 5
[CORE-Eth-Trunk5] mode lacp
[CORE-Eth-Trunk5] quit
[CORE] interface Gigabitethernet 1/3/0/8  
[CORE-Gigabitethernet1/3/0/8] Eth-Trunk 5
[CORE-Gigabitethernet1/3/0/8] quit
[CORE] interface Gigabitethernet 2/3/0/8  
[CORE-Gigabitethernet2/3/0/8] Eth-Trunk 5
[CORE-Gigabitethernet2/3/0/8] quit

      # Create Eth-Trunk 6 to connect Public to FWB, and add member interfaces to Eth-Trunk 6.

      [CORE] interface Eth-Trunk 6
[CORE-Eth-Trunk6] mode lacp
[CORE-Eth-Trunk6] quit
[CORE] interface Gigabitethernet 1/5/0/7 
[CORE-Gigabitethernet1/5/0/7] Eth-Trunk 6
[CORE-Gigabitethernet1/5/0/7] quit
[CORE] interface Gigabitethernet 2/5/0/7 
[CORE-Gigabitethernet2/5/0/7] Eth-Trunk 6
[CORE-Gigabitethernet2/5/0/7] quit

      # Create Eth-Trunk 7 to connect VRF-A to FWB, and add member interfaces to Eth-Trunk 7.

      [CORE] interface Eth-Trunk 7
[CORE-Eth-Trunk7] mode lacp
[CORE-Eth-Trunk7] quit
[CORE] interface Gigabitethernet 1/5/0/8 
[CORE-Gigabitethernet1/5/0/8] Eth-Trunk 7
[CORE-Gigabitethernet1/5/0/8] quit
[CORE] interface Gigabitethernet 2/5/0/8 
[CORE-Gigabitethernet2/5/0/8] Eth-Trunk 7
[CORE-Gigabitethernet2/5/0/8] quit

      # Create Eth-Trunk 10 to connect CORE to AGG1, and add member interfaces to Eth-Trunk 10.

      [CORE] interface Eth-Trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1 
[CORE-XGigabitethernet1/1/0/1] Eth-Trunk 10
[CORE-XGigabitethernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2 
[CORE-XGigabitethernet2/1/0/2] Eth-Trunk 10
[CORE-XGigabitethernet2/1/0/2] quit

      # Create Eth-Trunk 20 to connect CORE to AGG2, and add member interfaces to Eth-Trunk 20.

      [CORE] interface Eth-Trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 1/1/0/2 
[CORE-XGigabitethernet1/1/0/2] Eth-Trunk 20
[CORE-XGigabitethernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1 
[CORE-XGigabitethernet2/1/0/1] Eth-Trunk 20
[CORE-XGigabitethernet2/1/0/1] quit

      # Create VLANIF interfaces and configure IP addresses to them.

      [CORE] vlan batch 10 20 30 50 60
[CORE] interface Eth-Trunk 1    //Add Eth-Trunk 1 to VLAN 10.
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10
[CORE-Eth-Trunk1] quit
[CORE] interface Eth-Trunk 2   //Add Eth-Trunk 2 to VLAN 10.
[CORE-Eth-Trunk2] port link-type trunk
[CORE-Eth-Trunk2] port trunk allow-pass vlan 10
[CORE-Eth-Trunk2] quit
[CORE] interface Vlanif 10   //Create VLANIF 10 to enable CORE to communicate with RouterA and RouterB.
[CORE-Vlanif10] ip address 10.10.4.1 24
[CORE-Vlanif10] quit
[CORE] interface Eth-Trunk 4   //Add Eth-Trunk 4 to VLAN 20.
[CORE-Eth-Trunk4] port link-type access
[CORE-Eth-Trunk4] port default vlan 20
[CORE-Eth-Trunk4] quit
[CORE] interface Eth-Trunk 6   //Add Eth-Trunk 6 to VLAN 20.
[CORE-Eth-Trunk6] port link-type access
[CORE-Eth-Trunk6] port default vlan 20
[CORE-Eth-Trunk6] quit
[CORE] interface Vlanif 20   //Create VLANIF 20 to connect Public to FWA and FWB.
[CORE-Vlanif20] ip address 10.10.2.1 24
[CORE-Vlanif20] quit
[CORE] interface Eth-Trunk 5   //Add Eth-Trunk 5 to VLAN 30.
[CORE-Eth-Trunk5] port link-type access
[CORE-Eth-Trunk5] port default vlan 30
[CORE-Eth-Trunk5] quit
[CORE] interface Eth-Trunk 7   //Add Eth-Trunk 7 to VLAN 30.
[CORE-Eth-Trunk7] port link-type access
[CORE-Eth-Trunk7] port default vlan 30
[CORE-Eth-Trunk7] quit
[CORE] interface Vlanif 30   //Create VLANIF 30 to connect VRF-A to FWA and FWB.
[CORE-Vlanif30] ip address 10.10.3.1 24
[CORE-Vlanif30] quit
[CORE] interface Eth-Trunk 10   //Add Eth-Trunk 10 to VLAN 50.
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 50
[CORE-Eth-Trunk10] quit
[CORE] interface Vlanif 50   //Create VLANIF 50 to connect CORE to AGG1.
[CORE-Vlanif50] ip address 10.10.50.1 24
[CORE-Vlanif50] quit
[CORE] interface Eth-Trunk 20   //Add Eth-Trunk 20 to VLAN 60.
[CORE-Eth-Trunk20] port link-type trunk
[CORE-Eth-Trunk20] port trunk allow-pass vlan 60
[CORE-Eth-Trunk20] quit
[CORE] interface Vlanif 60   //Create VLANIF 60 to connect CORE to AGG2.
[CORE-Vlanif60] ip address 10.10.60.1 24
[CORE-Vlanif60] quit
    3. Configuring the AGGs.

      # On AGG1, create Eth-Trunk 10 to connect AGG1 to CORE, and add member interfaces to Eth-Trunk 10. The configuration of AGG2 is similar to the configuration of AGG1, and is not mentioned here.

      <HUAWEI> system-view
[HUAWEI] sysname AGG1
[AGG1] vlan batch 50
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 50
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitethernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitethernet 1/0/1
[AGG1-XGigabitEthernet1/0/2] eth-trunk 10
[AGG1-XGigabitEthernet1/0/2] quit
    4. Configure the firewalls.

      # Configure interfaces and add interfaces to security zones on FWA.

      <sysname> system-view
[sysname] sysname FWA
[FWA] interface Eth-Trunk 4   //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWA-Eth-Trunk4] ip address 10.10.2.2 24
[FWA-Eth-Trunk4] mode lacp-static
[FWA-Eth-Trunk4] quit
[FWA] interface Gigabitethernet 1/0/0   //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/0] Eth-Trunk 4
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface Gigabitethernet 1/0/1   //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/1] Eth-Trunk 4
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface Eth-Trunk 5   //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWA-Eth-Trunk5] ip address 10.10.3.2 24
[FWA-Eth-Trunk5] mode lacp-static
[FWA-Eth-Trunk5] quit
[FWA] interface Gigabitethernet 1/1/0   //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/0] Eth-Trunk 5
[FWA-GigabitEthernet1/1/0] quit
[FWA] interface Gigabitethernet 1/1/1   //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/1] Eth-Trunk 5
[FWA-GigabitEthernet1/1/1] quit
[FWA] interface Eth-Trunk 1   //Configure the interface connecting FWA to FWB.
[FWA-Eth-Trunk1] ip address 10.1.1.1 24
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface Gigabitethernet 2/0/0   //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/0] Eth-Trunk 1
[FWA-GigabitEthernet2/0/0] quit
[FWA] interface Gigabitethernet 2/0/1   //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/1] Eth-Trunk 1
[FWA-GigabitEthernet2/0/1] quit
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 5   //Add Eth-Trunk 5 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface Eth-Trunk 4   //Add Eth-Trunk 4 connected to the external network to the untrusted zone.
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface Eth-Trunk 1   //Add the interface connected to FWB to the DMZ.
[FWA-zone-dmz] quit

      # Configure interfaces and add interfaces to security zones on FWB.

      <sysname> system-view
[sysname] sysname FWB
[FWB] interface Eth-Trunk 6   //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWB-Eth-Trunk6] ip address 10.10.2.3 24
[FWB-Eth-Trunk6] mode lacp-static
[FWB-Eth-Trunk6] quit
[FWB] interface Gigabitethernet 1/0/0   //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/0] Eth-Trunk 6
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface Gigabitethernet 1/0/1   //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/1] Eth-Trunk 6
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface Eth-Trunk 7   //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWB-Eth-Trunk7] ip address 10.10.3.3 24
[FWB-Eth-Trunk7] mode lacp-static
[FWB-Eth-Trunk7] quit
[FWB] interface Gigabitethernet 1/1/0   //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/0] Eth-Trunk 7
[FWB-GigabitEthernet1/1/0] quit
[FWB] interface Gigabitethernet 1/1/1   //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/1] Eth-Trunk 7
[FWB-GigabitEthernet1/1/1] quit
[FWB] interface Eth-Trunk 1   //Configure the interface connecting FWB to FWA.
[FWB-Eth-Trunk1] ip address 10.1.1.2 24
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface Gigabitethernet 2/0/0   //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/0] Eth-Trunk 1
[FWB-GigabitEthernet2/0/0] quit
[FWB] interface Gigabitethernet 2/0/1   //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/1] Eth-Trunk 1
[FWB-GigabitEthernet2/0/1] quit
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 7   //Add Eth-Trunk 7 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface Eth-Trunk 6   //Add Eth-Trunk 6 connected to the external network to the untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface Eth-Trunk 1   //Add the interface connected to FWA to the DMZ.
[FWB-zone-dmz] quit

  3. Configure DHCP on CORE.

    [CORE] dhcp enable
[CORE] interface vlanif 50
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] quit

  4. Configure VRRP. Configure RouterA as the VRRP master and RouterB as the VRRP backup.

    # Configure RouterA.

    [RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100   //Configure a VRRP virtual IP address.
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120   //Increase the priority of RouterA to make it become the master router.
[RouterA-Eth-Trunk1.100] quit

    # Configure RouterB.

    [RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100   //Configure a VRRP virtual IP address.
[RouterB-Eth-Trunk1.100] quit

  5. Configure routing.

    1. Configure CORE.

      # On CORE, create a VPN instance Public, and bind the interfaces connected to routers and firewalls to Public.

      [CORE] ip vpn-instance Public   //Create the VPN instance Public.
[CORE-vpn-instance-Public] ipv4-family
[CORE-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CORE-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CORE-vpn-instance-Public-af-ipv4] quit
[CORE-vpn-instance-Public] quit
[CORE] interface Vlanif 10
[CORE-Vlanif10] ip binding vpn-instance Public   //Bind VLANIF 10 connecting CORE to RouterA to Public.
[CORE-Vlanif10] ip address 10.10.4.1 24    //Reconfigure an IP address for VLANIF 10. When VLANIF 10 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20
[CORE-Vlanif20] ip binding vpn-instance Public   //Bind VLANIF 20 that connects CORE to the uplink interface of FWA to Public.
[CORE-Vlanif20] ip address 10.10.2.1 24    //Reconfigure an IP address for VLANIF 20. When VLANIF 20 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif20] quit

      # Configure a static route in Public to forward uplink traffic, and set the next hop of the route to the VRRP virtual IP address of routers.

      [CORE] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100

      # Configure static routes in Public to forward downlink traffic, and set the next hops of the routes to the virtual IP address of the VRRP group with VRID 1 of firewalls.

      [CORE] ip route-static vpn-instance Public 10.10.50.0 255.255.255.0 10.10.2.5   
[CORE] ip route-static vpn-instance Public 10.10.60.0 255.255.255.0 10.10.2.5

      # Configure OSPF between CORE and routers to forward downlink traffic. Routers can learn the return routes to service networks using OSPF.

      [CORE] ospf 100 router-id 1.1.1.1 vpn-instance Public 
[CORE-ospf-100] area 0
[CORE-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the network segment connected to routers into OSPF.
[CORE-ospf-100-area-0.0.0.0] quit
[CORE-ospf-100] import-route static       //Import static routes into OSPF.
[CORE-ospf-100] quit

      # Create the VPN instance VRF-A on CORE to forward uplink traffic, and bind the interfaces connected to service networks and interfaces connected to firewalls to VRF-A. Besides, configure a default route in VRF-A, with the next hop being the virtual IP address of the VRRP group with VRID 2 of firewalls.

      [CORE] ip vpn-instance VRF-A   //Create the VPN instance VRF-A.
[CORE-vpn-instance-VRF-A] ipv4-family
[CORE-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CORE-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CORE-vpn-instance-VRF-A-af-ipv4] quit
[CORE-vpn-instance-VRF-A] quit
[CORE] interface Vlanif 50
[CORE-Vlanif50] ip binding vpn-instance VRF-A   //Bind VLANIF 50 connecting CORE to service network 1 to VRF-A.
[CORE-Vlanif50] ip address 10.10.50.1 24   //Reconfigure an IP address for VLANIF 50. When VLANIF 50 is bound to VRF-A, the IP address of the interface is deleted. 
[CORE-Vlanif50] quit
[CORE] interface Vlanif 60
[CORE-Vlanif60] ip binding vpn-instance VRF-A  //Bind VLANIF 60 connecting CORE to service network 2 to VRF-A.
[CORE-Vlanif60] ip address 10.10.60.1 24    //Reconfigure an IP address for VLANIF 60. When VLANIF 60 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif60] quit
[CORE] interface Vlanif 30
[CORE-Vlanif30] ip binding vpn-instance VRF-A   //Bind VLANIF 30 connecting CORE to firewalls to VRF-A.
[CORE-Vlanif30] ip address 10.10.3.1 24    //Reconfigure an IP address for VLANIF 30. When VLANIF 30 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif30] quit

      # Configure a default route in VRF-A, and set the next hop to the virtual IP address of the VRRP group with VRID 2 of firewalls.

      [CORE] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
    2. Configure routers.

      # Configure OSPF on RouterA.

      [RouterA] ospf 100 router-id 2.2.2.2
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the network segment connected to CORE into OSPF.
[RouterA-ospf-100-area-0.0.0.0] quit
[RouterA-ospf-100] quit

      # Configure OSPF on RouterB.

      [RouterB] ospf 100 router-id 3.3.3.3
[RouterB-ospf-100] area 0
[RouterB-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the network segment connected to CORE into OSPF.
[RouterB-ospf-100-area-0.0.0.0] quit
[RouterB-ospf-100] quit
    3. Configure the firewalls.

      # Configure a static route on FWA. The configuration of FWB is similar to that of FWA, and is not mentioned here.

      [FWA] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1   //Configure a default route to forward uplink traffic, and set the next hop to the IP address of VLANIF 20 on CORE.
[FWA] ip route-static 10.10.50.0 255.255.255.0 10.10.3.1   //Configure a static route to forward downlink traffic, and set the destination address to service network 1 and the next hop to the IP address of VLANIF 30 on CORE.
[FWA] ip route-static 10.10.60.0 255.255.255.0 10.10.3.1   //Configure a static route to forward downlink traffic, and set the destination address to service network 2 and the next hop to the IP address of VLANIF 30 on CORE.

  6. Configure HRP.

    # Configure HRP on FWA and set FWA as the active.

    [FWA] interface Eth-Trunk 4
[FWA-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 active  
[FWA-Eth-Trunk4] quit
[FWA] interface Eth-Trunk 5
[FWA-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 active  
[FWA-Eth-Trunk5] quit
[FWA] hrp interface Eth-Trunk 1 remote 10.1.1.2  //Configure the heartbeat interface and enable HRP.
[FWA] hrp enable

    # Configure HRP on FWB and set FWB as the standby.

    [FWB] interface Eth-Trunk 6
[FWB-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 standby  
[FWB-Eth-Trunk6] quit
[FWB] interface Eth-Trunk 7
[FWB-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 standby    
[FWB-Eth-Trunk7] quit
[FWB] hrp interface Eth-Trunk 1 remote 10.1.1.1   //Configure the heartbeat interface and enable HRP.
[FWB] hrp enable

    After a hot standby group is successfully established between the active and standby firewalls, the configurations and sessions on the active firewall are automatically synchronized to the standby firewall. Therefore, you only need to perform the following configurations on the active firewall FWA.

  7. Configure security policies.

    This example describes only the configurations for connections between firewalls and switches and the HRP configurations on firewalls. For details about the security service plan and campus security policies on firewalls, see Deploying Firewalls as Egress Devices.

Verifying the Deployment

After the configurations are complete, check whether CORE and routers can ping each other successfully.

# Ping Eth-Trunk 1.100 of RouterA from CORE. The ping result shows that the uplink between CORE and RouterA is reachable.

<CORE> ping -vpn-instance Public 10.10.4.2
Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
    Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
    Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.4.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 140/184/266 ms

# Ping VLANIF 50 bound to VRF-A on CORE from RouterA to verify that the downlink between RouterA and VLANIF 50 is reachable.

<RouterA> Ping 10.10.50.1
Ping 10.10.50.1: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.50.1: bytes=32 seq=1 ttl=253 time=235 ms
    Reply From 10.10.50.1: bytes=32 seq=2 ttl=253 time=109 ms
    Reply From 10.10.50.1: bytes=32 seq=3 ttl=253 time=79 ms
    Reply From 10.10.50.1: bytes=32 seq=4 ttl=253 time=63 ms
    Reply From 10.10.50.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 10.10.50.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 63/109/235 ms

Configuration Files

  • RouterA configuration file

    #
sysname RouterA
#
interface Eth-Trunk1
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk1.100
 dot1q termination vid 10
 ip address 10.10.4.2 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.4.100
 vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet1/0/2
 eth-trunk 1
#
ospf 100 router-id 2.2.2.2 
 area 0.0.0.0 
  network 10.10.4.0 0.0.0.255 
#
return

  • RouterB configuration file

    #
sysname RouterB
#
interface Eth-Trunk1
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk1.100
 dot1q termination vid 10
 ip address 10.10.4.3 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet1/0/2
 eth-trunk 1
#
ospf 100 router-id 3.3.3.3 
 area 0.0.0.0 
  network 10.10.4.0 0.0.0.255 
#
return

  • CORE configuration file

    #
sysname CORE
#
vlan batch 10 20 30 50 60 
#
ip vpn-instance Public
 ipv4-family 
  route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
ip vpn-instance VRF-A
 ipv4-family 
  route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
#
interface Vlanif10
 ip binding vpn-instance Public
 ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance Public
 ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
 ip binding vpn-instance VRF-A
 ip address 10.10.3.1 255.255.255.0
#
interface Vlanif50
 ip binding vpn-instance VRF-A
 ip address 10.10.50.1 255.255.255.0
 dhcp select interface 
#
interface Vlanif60
 ip binding vpn-instance VRF-A
 ip address 10.10.60.1 255.255.255.0
 dhcp select interface 
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp
#
interface Eth-Trunk4
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk5
 port link-type access
 port default vlan 30
 mode lacp
#
interface Eth-Trunk6
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk7
 port link-type access
 port default vlan 30
 mode lacp
#
interface Eth-Trunk10
 port link-type trunk
 port trunk allow-pass vlan 50
 mode lacp
#
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan 60
 mode lacp
#
interface GigabitEthernet1/3/0/7
 eth-trunk 4
#
interface GigabitEthernet1/3/0/8
 eth-trunk 5
#
interface GigabitEthernet1/5/0/7
 eth-trunk 6
#
interface GigabitEthernet1/5/0/8
 eth-trunk 7
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10 
 mad detect mode direct 
# 
interface XGigabitEthernet1/4/0/0
 eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
 eth-trunk 2
#
interface GigabitEthernet2/3/0/7
 eth-trunk 4
#
interface GigabitEthernet2/3/0/8
 eth-trunk 5
#
interface GigabitEthernet2/5/0/7
 eth-trunk 6
#
interface GigabitEthernet2/5/0/8
 eth-trunk 7
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/10 
 mad detect mode direct 
# 
interface XGigabitEthernet2/4/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
 eth-trunk 2
#
ospf 100 router-id 1.1.1.1 vpn-instance Public
 import-route static
 area 0.0.0.0 
  network 10.10.4.0 0.0.0.255 
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.50.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.60.0 255.255.255.0 10.10.2.5
#
return
  • AGG1 configuration file
    #
sysname AGG1
#
vlan batch 50
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 50
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface GigabitEthernet0/0/10 
 mad detect mode direct 
# 
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/10 
 mad detect mode direct 
#
return
  • AGG2 configuration file
    #
sysname AGG2
#
vlan batch 60
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 60
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface GigabitEthernet0/0/10 
 mad detect mode direct 
# 
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
interface GigabitEthernet1/0/10 
 mad detect mode direct 
# 
return

  • FWA configuration file

    #
sysname FWA
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
 mode lacp-static
#
interface Eth-Trunk4
 ip address 10.10.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 active
 mode lacp-static
#
interface Eth-Trunk5
 ip address 10.10.3.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 active
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/0/1
 undo shutdown 
 eth-trunk 4
#
interface GigabitEthernet1/1/0
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet1/1/1
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet2/0/0
 undo shutdown 
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown 
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk5
#
firewall zone untrust
 set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
 ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 
 ip route-static 10.10.50.0 255.255.255.0 10.10.3.1 
 ip route-static 10.10.60.0 255.255.255.0 10.10.3.1 
#
return

  • FWB configuration file

    #
sysname FWB
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0 
 mode lacp-static
#
interface Eth-Trunk6
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 standby
 mode lacp-static
#
interface Eth-Trunk7
 ip address 10.10.3.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 standby
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown 
 eth-trunk 6
#
interface GigabitEthernet1/0/1
 undo shutdown 
 eth-trunk 6
#
interface GigabitEthernet1/1/0
 undo shutdown 
 eth-trunk 7
#
interface GigabitEthernet1/1/1
 undo shutdown 
 eth-trunk 7
#
interface GigabitEthernet2/0/0
 undo shutdown 
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown 
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk7
#
firewall zone untrust
 set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
 ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 
 ip route-static 10.10.50.0 255.255.255.0 10.10.3.1 
 ip route-static 10.10.60.0 255.255.255.0 10.10.3.1 
#
return
Translation
Español 日本語 Русский 简体中文
Download
Updated: 2022-06-28

Document ID: EDOC1000069520

Views: 1501349

Downloads: 38158

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :