Deploying Firewalls in Off-Path Mode
Networking Requirements
At the egress of a large campus network, core switches connect to routers to access the Internet through uplink interfaces. Firewalls connect to the core switches in off-path mode to filter service traffic. Core switches function as user gateways to allocate IP addresses to users. The networking requirements are as follows:
- Core switches typically set up a CSS to simplify the network and improve reliability.
- HRP is deployed on the firewalls so that they work in active/standby mode. If one firewall fails, services are switched to the other firewall.
- Each of the core switches is dual homed to two egress routers, and VRRP is deployed on the two routers to ensure reliability.
- To improve link reliability, Eth-Trunk interfaces are used to connect core switches and egress routers, connect core switches and firewalls, and connect two firewalls.
In this example, two aggregation switches (AGG1 and AGG2) connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.
With plain Layer 3 forwarding, traffic between the campus network and the Internet is forwarded directly by the core switches and never passes through FWA or FWB. To force traffic between the core switches and the firewalls for filtering, configure the VPN routing and forwarding (VRF) function on the core switches so that each switch is divided into a virtual switch, VRF-A, and a root switch, Public, that are isolated from each other.
In Figure 2-17, Public connects to egress routers. Public forwards traffic from the Internet to firewalls for filtering and traffic from firewalls to egress routers.
VRF-A connects to the internal network. VRF-A forwards traffic from firewalls to the internal network and traffic from the internal network to firewalls for filtering.
Device Requirements and Versions
| Location | Device Used in This Example | Version Used in This Example |
|---|---|---|
| Egress | AR6300 | V300R019C10 |
| Egress | USG6300E | V600R007C00 |
| Core layer | S12700E | V200R019C10 |
| Aggregation layer | S5731-H | V200R019C10 |
Deployment Roadmap
| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Configure CSS and MAD to improve device reliability. | Core switches |
| 2 | Configure Eth-Trunk interfaces to improve link reliability and configure IP addresses for interfaces. | Core switches, aggregation switches, egress routers, and firewalls |
| 3 | Configure DHCP to allocate IP addresses to users. | Core switches |
| 4 | Configure VRRP to ensure reliability between core switches and egress routers. | Egress routers |
| 5 | Configure routing to enable network connectivity. | Core switches, egress routers, and firewalls |
| 6 | Configure HRP to improve device reliability. | Firewalls |
| 7 | Configure security policies to allow services to pass through firewalls. | Firewalls |
Data Plan
| Device | Interface Number | Member Interface | VLANIF Interface | IP Address |
|---|---|---|---|---|
| RouterA | Eth-Trunk 1.100 | XGE1/0/1, XGE1/0/2 | - | 10.10.4.2/24 |
| RouterB | Eth-Trunk 1.100 | XGE1/0/1, XGE1/0/2 | - | 10.10.4.3/24 |
| VRRP of RouterA and RouterB | - | - | - | 10.10.4.100/24 |
| CORE | Eth-Trunk 1 | XGE1/4/0/0, XGE2/4/0/0 | VLANIF 10 | 10.10.4.1/24 |
| CORE | Eth-Trunk 2 | XGE1/4/0/1, XGE2/4/0/1 | VLANIF 10 | 10.10.4.1/24 |
| CORE | Eth-Trunk 4 | GE1/3/0/7, GE2/3/0/7 | VLANIF 20 | 10.10.2.1/24 |
| CORE | Eth-Trunk 5 | GE1/3/0/8, GE2/3/0/8 | VLANIF 30 | 10.10.3.1/24 |
| CORE | Eth-Trunk 6 | GE1/5/0/7, GE2/5/0/7 | VLANIF 20 | 10.10.2.1/24 |
| CORE | Eth-Trunk 7 | GE1/5/0/8, GE2/5/0/8 | VLANIF 30 | 10.10.3.1/24 |
| CORE | Eth-Trunk 10 | XGE1/1/0/1, XGE2/1/0/2 | VLANIF 50 | 10.10.50.1/24 (gateway for users connected to AGG1) |
| CORE | Eth-Trunk 20 | XGE1/1/0/2, XGE2/1/0/1 | VLANIF 60 | 10.10.60.1/24 (gateway for users connected to AGG2) |
| AGG1 | Eth-Trunk 10 | XGE0/0/1, XGE1/0/1 | - | - |
| AGG2 | Eth-Trunk 20 | XGE0/0/1, XGE1/0/1 | - | - |
| FWA | Eth-Trunk 1 | GE2/0/0, GE2/0/1 | - | 10.1.1.1/24 |
| FWA | Eth-Trunk 4 | GE1/0/0, GE1/0/1 | - | 10.10.2.2/24 |
| FWA | Eth-Trunk 5 | GE1/1/0, GE1/1/1 | - | 10.10.3.2/24 |
| FWB | Eth-Trunk 1 | GE2/0/0, GE2/0/1 | - | 10.1.1.2/24 |
| FWB | Eth-Trunk 6 | GE1/0/0, GE1/0/1 | - | 10.10.2.3/24 |
| FWB | Eth-Trunk 7 | GE1/1/0, GE1/1/1 | - | 10.10.3.3/24 |
| VRRP1 of FWA and FWB (uplink direction) | - | - | - | 10.10.2.5/24 |
| VRRP2 of FWA and FWB (downlink direction) | - | - | - | 10.10.3.5/24 |
Deployment Procedure
- Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
- Configure Eth-Trunk interfaces and configure IP addresses for interfaces.
- Configure RouterA. The configuration of RouterB is similar to that of RouterA.
# Create Eth-Trunk 1 and add member interfaces to Eth-Trunk 1.
```
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface Eth-Trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface XGigabitethernet 1/0/1
[RouterA-XGigabitEthernet1/0/1] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/1] quit
[RouterA] interface XGigabitethernet 1/0/2
[RouterA-XGigabitEthernet1/0/2] Eth-Trunk 1
[RouterA-XGigabitEthernet1/0/2] quit
```
# Configure a sub-interface for dot1q VLAN tag termination, configure an IP address for the sub-interface, and configure the sub-interface to terminate VLAN 10.
```
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.4.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 10
[RouterA-Eth-Trunk1.100] quit
```
- Configure CORE.
# Create Eth-Trunk 1 to connect CORE to RouterA, and add member interfaces to Eth-Trunk 1.
```
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface Eth-Trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface XGigabitethernet 1/4/0/0
[CORE-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet1/4/0/0] quit
[CORE] interface XGigabitethernet 2/4/0/0
[CORE-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CORE-XGigabitEthernet2/4/0/0] quit
```
# Create Eth-Trunk 2 to connect CORE to RouterB, and add member interfaces to Eth-Trunk 2.
```
[CORE] interface Eth-Trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface XGigabitethernet 1/4/0/1
[CORE-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet1/4/0/1] quit
[CORE] interface XGigabitethernet 2/4/0/1
[CORE-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CORE-XGigabitEthernet2/4/0/1] quit
```
# Create Eth-Trunk 4 to connect Public to FWA, and add member interfaces to Eth-Trunk 4.
```
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface Gigabitethernet 1/3/0/7
[CORE-Gigabitethernet1/3/0/7] Eth-Trunk 4
[CORE-Gigabitethernet1/3/0/7] quit
[CORE] interface Gigabitethernet 2/3/0/7
[CORE-Gigabitethernet2/3/0/7] Eth-Trunk 4
[CORE-Gigabitethernet2/3/0/7] quit
```
# Create Eth-Trunk 5 to connect VRF-A to FWA, and add member interfaces to Eth-Trunk 5.
```
[CORE] interface Eth-Trunk 5
[CORE-Eth-Trunk5] mode lacp
[CORE-Eth-Trunk5] quit
[CORE] interface Gigabitethernet 1/3/0/8
[CORE-Gigabitethernet1/3/0/8] Eth-Trunk 5
[CORE-Gigabitethernet1/3/0/8] quit
[CORE] interface Gigabitethernet 2/3/0/8
[CORE-Gigabitethernet2/3/0/8] Eth-Trunk 5
[CORE-Gigabitethernet2/3/0/8] quit
```
# Create Eth-Trunk 6 to connect Public to FWB, and add member interfaces to Eth-Trunk 6.
```
[CORE] interface Eth-Trunk 6
[CORE-Eth-Trunk6] mode lacp
[CORE-Eth-Trunk6] quit
[CORE] interface Gigabitethernet 1/5/0/7
[CORE-Gigabitethernet1/5/0/7] Eth-Trunk 6
[CORE-Gigabitethernet1/5/0/7] quit
[CORE] interface Gigabitethernet 2/5/0/7
[CORE-Gigabitethernet2/5/0/7] Eth-Trunk 6
[CORE-Gigabitethernet2/5/0/7] quit
```
# Create Eth-Trunk 7 to connect VRF-A to FWB, and add member interfaces to Eth-Trunk 7.
```
[CORE] interface Eth-Trunk 7
[CORE-Eth-Trunk7] mode lacp
[CORE-Eth-Trunk7] quit
[CORE] interface Gigabitethernet 1/5/0/8
[CORE-Gigabitethernet1/5/0/8] Eth-Trunk 7
[CORE-Gigabitethernet1/5/0/8] quit
[CORE] interface Gigabitethernet 2/5/0/8
[CORE-Gigabitethernet2/5/0/8] Eth-Trunk 7
[CORE-Gigabitethernet2/5/0/8] quit
```
# Create Eth-Trunk 10 to connect CORE to AGG1, and add member interfaces to Eth-Trunk 10.
```
[CORE] interface Eth-Trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface xgigabitethernet 1/1/0/1
[CORE-XGigabitethernet1/1/0/1] Eth-Trunk 10
[CORE-XGigabitethernet1/1/0/1] quit
[CORE] interface xgigabitethernet 2/1/0/2
[CORE-XGigabitethernet2/1/0/2] Eth-Trunk 10
[CORE-XGigabitethernet2/1/0/2] quit
```
# Create Eth-Trunk 20 to connect CORE to AGG2, and add member interfaces to Eth-Trunk 20.
```
[CORE] interface Eth-Trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface xgigabitethernet 1/1/0/2
[CORE-XGigabitethernet1/1/0/2] Eth-Trunk 20
[CORE-XGigabitethernet1/1/0/2] quit
[CORE] interface xgigabitethernet 2/1/0/1
[CORE-XGigabitethernet2/1/0/1] Eth-Trunk 20
[CORE-XGigabitethernet2/1/0/1] quit
```
# Create VLANIF interfaces and assign IP addresses to them.
```
[CORE] vlan batch 10 20 30 50 60
[CORE] interface Eth-Trunk 1 //Add Eth-Trunk 1 to VLAN 10.
[CORE-Eth-Trunk1] port link-type trunk
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10
[CORE-Eth-Trunk1] quit
[CORE] interface Eth-Trunk 2 //Add Eth-Trunk 2 to VLAN 10.
[CORE-Eth-Trunk2] port link-type trunk
[CORE-Eth-Trunk2] port trunk allow-pass vlan 10
[CORE-Eth-Trunk2] quit
[CORE] interface Vlanif 10 //Create VLANIF 10 to enable CORE to communicate with RouterA and RouterB.
[CORE-Vlanif10] ip address 10.10.4.1 24
[CORE-Vlanif10] quit
[CORE] interface Eth-Trunk 4 //Add Eth-Trunk 4 to VLAN 20.
[CORE-Eth-Trunk4] port link-type access
[CORE-Eth-Trunk4] port default vlan 20
[CORE-Eth-Trunk4] quit
[CORE] interface Eth-Trunk 6 //Add Eth-Trunk 6 to VLAN 20.
[CORE-Eth-Trunk6] port link-type access
[CORE-Eth-Trunk6] port default vlan 20
[CORE-Eth-Trunk6] quit
[CORE] interface Vlanif 20 //Create VLANIF 20 to connect Public to FWA and FWB.
[CORE-Vlanif20] ip address 10.10.2.1 24
[CORE-Vlanif20] quit
[CORE] interface Eth-Trunk 5 //Add Eth-Trunk 5 to VLAN 30.
[CORE-Eth-Trunk5] port link-type access
[CORE-Eth-Trunk5] port default vlan 30
[CORE-Eth-Trunk5] quit
[CORE] interface Eth-Trunk 7 //Add Eth-Trunk 7 to VLAN 30.
[CORE-Eth-Trunk7] port link-type access
[CORE-Eth-Trunk7] port default vlan 30
[CORE-Eth-Trunk7] quit
[CORE] interface Vlanif 30 //Create VLANIF 30 to connect VRF-A to FWA and FWB.
[CORE-Vlanif30] ip address 10.10.3.1 24
[CORE-Vlanif30] quit
[CORE] interface Eth-Trunk 10 //Add Eth-Trunk 10 to VLAN 50.
[CORE-Eth-Trunk10] port link-type trunk
[CORE-Eth-Trunk10] port trunk allow-pass vlan 50
[CORE-Eth-Trunk10] quit
[CORE] interface Vlanif 50 //Create VLANIF 50 to connect CORE to AGG1.
[CORE-Vlanif50] ip address 10.10.50.1 24
[CORE-Vlanif50] quit
[CORE] interface Eth-Trunk 20 //Add Eth-Trunk 20 to VLAN 60.
[CORE-Eth-Trunk20] port link-type trunk
[CORE-Eth-Trunk20] port trunk allow-pass vlan 60
[CORE-Eth-Trunk20] quit
[CORE] interface Vlanif 60 //Create VLANIF 60 to connect CORE to AGG2.
[CORE-Vlanif60] ip address 10.10.60.1 24
[CORE-Vlanif60] quit
```
- Configure the aggregation switches.
# On AGG1, create Eth-Trunk 10 to connect AGG1 to CORE, and add member interfaces to Eth-Trunk 10. The configuration of AGG2 is similar to that of AGG1 and is not described here.
```
<HUAWEI> system-view
[HUAWEI] sysname AGG1
[AGG1] vlan batch 50
[AGG1] interface eth-trunk 10
[AGG1-Eth-Trunk10] description connect to CORE
[AGG1-Eth-Trunk10] mode lacp
[AGG1-Eth-Trunk10] port link-type trunk
[AGG1-Eth-Trunk10] undo port trunk allow-pass vlan 1
[AGG1-Eth-Trunk10] port trunk allow-pass vlan 50
[AGG1-Eth-Trunk10] quit
[AGG1] interface xgigabitethernet 0/0/1
[AGG1-XGigabitEthernet0/0/1] eth-trunk 10
[AGG1-XGigabitEthernet0/0/1] quit
[AGG1] interface xgigabitethernet 1/0/1
[AGG1-XGigabitEthernet1/0/1] eth-trunk 10
[AGG1-XGigabitEthernet1/0/1] quit
```
- Configure the firewalls.
# Configure interfaces and add interfaces to security zones on FWA.
```
<sysname> system-view
[sysname] sysname FWA
[FWA] interface Eth-Trunk 4 //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWA-Eth-Trunk4] ip address 10.10.2.2 24
[FWA-Eth-Trunk4] mode lacp-static
[FWA-Eth-Trunk4] quit
[FWA] interface Gigabitethernet 1/0/0 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/0] Eth-Trunk 4
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface Gigabitethernet 1/0/1 //Add a member interface to Eth-Trunk 4.
[FWA-GigabitEthernet1/0/1] Eth-Trunk 4
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface Eth-Trunk 5 //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWA-Eth-Trunk5] ip address 10.10.3.2 24
[FWA-Eth-Trunk5] mode lacp-static
[FWA-Eth-Trunk5] quit
[FWA] interface Gigabitethernet 1/1/0 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/0] Eth-Trunk 5
[FWA-GigabitEthernet1/1/0] quit
[FWA] interface Gigabitethernet 1/1/1 //Add a member interface to Eth-Trunk 5.
[FWA-GigabitEthernet1/1/1] Eth-Trunk 5
[FWA-GigabitEthernet1/1/1] quit
[FWA] interface Eth-Trunk 1 //Configure the interface connecting FWA to FWB.
[FWA-Eth-Trunk1] ip address 10.1.1.1 24
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface Gigabitethernet 2/0/0 //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/0] Eth-Trunk 1
[FWA-GigabitEthernet2/0/0] quit
[FWA] interface Gigabitethernet 2/0/1 //Add a member interface to Eth-Trunk 1.
[FWA-GigabitEthernet2/0/1] Eth-Trunk 1
[FWA-GigabitEthernet2/0/1] quit
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 5 //Add Eth-Trunk 5 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface Eth-Trunk 4 //Add Eth-Trunk 4 connected to the external network to the untrusted zone.
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface Eth-Trunk 1 //Add the interface connected to FWB to the DMZ.
[FWA-zone-dmz] quit
```
# Configure interfaces and add interfaces to security zones on FWB.
```
<sysname> system-view
[sysname] sysname FWB
[FWB] interface Eth-Trunk 6 //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWB-Eth-Trunk6] ip address 10.10.2.3 24
[FWB-Eth-Trunk6] mode lacp-static
[FWB-Eth-Trunk6] quit
[FWB] interface Gigabitethernet 1/0/0 //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/0] Eth-Trunk 6
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface Gigabitethernet 1/0/1 //Add a member interface to Eth-Trunk 6.
[FWB-GigabitEthernet1/0/1] Eth-Trunk 6
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface Eth-Trunk 7 //Configure the interface connected to CORE and allocate an IP address to the interface.
[FWB-Eth-Trunk7] ip address 10.10.3.3 24
[FWB-Eth-Trunk7] mode lacp-static
[FWB-Eth-Trunk7] quit
[FWB] interface Gigabitethernet 1/1/0 //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/0] Eth-Trunk 7
[FWB-GigabitEthernet1/1/0] quit
[FWB] interface Gigabitethernet 1/1/1 //Add a member interface to Eth-Trunk 7.
[FWB-GigabitEthernet1/1/1] Eth-Trunk 7
[FWB-GigabitEthernet1/1/1] quit
[FWB] interface Eth-Trunk 1 //Configure the interface connecting FWB to FWA.
[FWB-Eth-Trunk1] ip address 10.1.1.2 24
[FWB-Eth-Trunk1] mode lacp-static
[FWB-Eth-Trunk1] quit
[FWB] interface Gigabitethernet 2/0/0 //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/0] Eth-Trunk 1
[FWB-GigabitEthernet2/0/0] quit
[FWB] interface Gigabitethernet 2/0/1 //Add a member interface to Eth-Trunk 1.
[FWB-GigabitEthernet2/0/1] Eth-Trunk 1
[FWB-GigabitEthernet2/0/1] quit
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 7 //Add Eth-Trunk 7 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface Eth-Trunk 6 //Add Eth-Trunk 6 connected to the external network to the untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface Eth-Trunk 1 //Add the interface connected to FWA to the DMZ.
[FWB-zone-dmz] quit
```
- Configure DHCP on CORE.
```
[CORE] dhcp enable
[CORE] interface vlanif 50
[CORE-Vlanif50] dhcp select interface
[CORE-Vlanif50] quit
[CORE] interface vlanif 60
[CORE-Vlanif60] dhcp select interface
[CORE-Vlanif60] quit
```
- Configure VRRP. Configure RouterA as the VRRP master and RouterB as the VRRP backup.
# Configure RouterA.
```
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Increase the priority of RouterA so that it becomes the master router.
[RouterA-Eth-Trunk1.100] quit
```
# Configure RouterB.
```
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure a VRRP virtual IP address.
[RouterB-Eth-Trunk1.100] quit
```
- Configure routing.
- Configure CORE.
# On CORE, create a VPN instance Public, and bind the interfaces connected to routers and firewalls to Public.
```
[CORE] ip vpn-instance Public //Create the VPN instance Public.
[CORE-vpn-instance-Public] ipv4-family
[CORE-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CORE-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CORE-vpn-instance-Public-af-ipv4] quit
[CORE-vpn-instance-Public] quit
[CORE] interface Vlanif 10
[CORE-Vlanif10] ip binding vpn-instance Public //Bind VLANIF 10 connecting CORE to RouterA to Public.
[CORE-Vlanif10] ip address 10.10.4.1 24 //Reconfigure an IP address for VLANIF 10. When VLANIF 10 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20
[CORE-Vlanif20] ip binding vpn-instance Public //Bind VLANIF 20 that connects CORE to the uplink interface of FWA to Public.
[CORE-Vlanif20] ip address 10.10.2.1 24 //Reconfigure an IP address for VLANIF 20. When VLANIF 20 is bound to Public, the IP address of the interface is deleted.
[CORE-Vlanif20] quit
```
# Configure a static route in Public to forward uplink traffic, and set the next hop of the route to the VRRP virtual IP address of the routers.
```
[CORE] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
```
# Configure static routes in Public to forward downlink traffic, and set the next hops of the routes to the virtual IP address of the VRRP group with VRID 1 of firewalls.
```
[CORE] ip route-static vpn-instance Public 10.10.50.0 255.255.255.0 10.10.2.5
[CORE] ip route-static vpn-instance Public 10.10.60.0 255.255.255.0 10.10.2.5
```
# Configure OSPF between CORE and routers to forward downlink traffic. Routers can learn the return routes to service networks using OSPF.
```
[CORE] ospf 100 router-id 1.1.1.1 vpn-instance Public
[CORE-ospf-100] area 0
[CORE-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment connected to the routers into OSPF.
[CORE-ospf-100-area-0.0.0.0] quit
[CORE-ospf-100] import-route static //Import static routes into OSPF.
[CORE-ospf-100] quit
```
# Create the VPN instance VRF-A on CORE to forward uplink traffic, and bind the interfaces connected to the service networks and the interfaces connected to the firewalls to VRF-A. The default route in VRF-A, with the next hop set to the virtual IP address of the VRRP group with VRID 2 of the firewalls, is configured in the next step.
```
[CORE] ip vpn-instance VRF-A //Create the VPN instance VRF-A.
[CORE-vpn-instance-VRF-A] ipv4-family
[CORE-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CORE-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CORE-vpn-instance-VRF-A-af-ipv4] quit
[CORE-vpn-instance-VRF-A] quit
[CORE] interface Vlanif 50
[CORE-Vlanif50] ip binding vpn-instance VRF-A //Bind VLANIF 50 connecting CORE to service network 1 to VRF-A.
[CORE-Vlanif50] ip address 10.10.50.1 24 //Reconfigure an IP address for VLANIF 50. When VLANIF 50 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif50] quit
[CORE] interface Vlanif 60
[CORE-Vlanif60] ip binding vpn-instance VRF-A //Bind VLANIF 60 connecting CORE to service network 2 to VRF-A.
[CORE-Vlanif60] ip address 10.10.60.1 24 //Reconfigure an IP address for VLANIF 60. When VLANIF 60 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif60] quit
[CORE] interface Vlanif 30
[CORE-Vlanif30] ip binding vpn-instance VRF-A //Bind VLANIF 30 connecting CORE to the firewalls to VRF-A.
[CORE-Vlanif30] ip address 10.10.3.1 24 //Reconfigure an IP address for VLANIF 30. When VLANIF 30 is bound to VRF-A, the IP address of the interface is deleted.
[CORE-Vlanif30] quit
```
# Configure a default route in VRF-A, and set the next hop to the virtual IP address of the VRRP group with VRID 2 of firewalls.
```
[CORE] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
```
- Configure routers.
# Configure OSPF on RouterA.
```
[RouterA] ospf 100 router-id 2.2.2.2
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment connected to CORE into OSPF.
[RouterA-ospf-100-area-0.0.0.0] quit
[RouterA-ospf-100] quit
```
# Configure OSPF on RouterB.
```
[RouterB] ospf 100 router-id 3.3.3.3
[RouterB-ospf-100] area 0
[RouterB-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the network segment connected to CORE into OSPF.
[RouterB-ospf-100-area-0.0.0.0] quit
[RouterB-ospf-100] quit
```
- Configure the firewalls.
# Configure static routes on FWA. The configuration of FWB is similar to that of FWA and is not described here.
```
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //Configure a default route to forward uplink traffic, and set the next hop to the IP address of VLANIF 20 on CORE.
[FWA] ip route-static 10.10.50.0 255.255.255.0 10.10.3.1 //Configure a static route to forward downlink traffic to service network 1, with the next hop set to the IP address of VLANIF 30 on CORE.
[FWA] ip route-static 10.10.60.0 255.255.255.0 10.10.3.1 //Configure a static route to forward downlink traffic to service network 2, with the next hop set to the IP address of VLANIF 30 on CORE.
```
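The point of the routing design above is that VRF-A has no route to the Internet except through the firewall virtual address 10.10.3.5, and Public has no route to the user subnets except through 10.10.2.5, so every packet crosses the firewall in both directions. The following Python model, added here and not part of the original page or the product, rebuilds the routing tables configured on CORE (VPN instances Public and VRF-A), on the active firewall FWA and on RouterA as plain longest-prefix-match tables and traces a packet through them. The node labels such as CORE:VRF-A and the INTERNET placeholder for the routers' upstream are the model's own; it assumes FWA and RouterA currently hold the VRRP virtual addresses, as the HRP and VRRP settings in this example make them. It also shows what happens when the two downlink static routes in Public are left out: return traffic follows the default route back towards the routers and loops instead of reaching VRF-A.

```python
"""Trace forwarding through the off-path firewall design.

Added example, not code from the Huawei page: a minimal longest-prefix-match
model of the routing tables configured on CORE (VPN instances Public and
VRF-A), on the active firewall FWA and on the egress router RouterA.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop); a next hop of None means the prefix is directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]
Net = ipaddress.ip_network

# Routing tables rebuilt from the page's configuration (constructed model).
# RouterA learns 10.10.50.0/24 and 10.10.60.0/24 through OSPF because CORE
# imports its static routes in Public with "import-route static".
TABLES: Dict[str, List[Route]] = {
    "CORE:VRF-A": [
        (Net("10.10.50.0/24"), None),            # VLANIF 50, users behind AGG1
        (Net("10.10.60.0/24"), None),            # VLANIF 60, users behind AGG2
        (Net("10.10.3.0/24"), None),             # VLANIF 30, towards firewalls
        (Net("0.0.0.0/0"), "10.10.3.5"),         # default via firewall VRRP2
    ],
    "CORE:Public": [
        (Net("10.10.4.0/24"), None),             # VLANIF 10, towards routers
        (Net("10.10.2.0/24"), None),             # VLANIF 20, towards firewalls
        (Net("0.0.0.0/0"), "10.10.4.100"),       # default via router VRRP
        (Net("10.10.50.0/24"), "10.10.2.5"),     # downlink via firewall VRRP1
        (Net("10.10.60.0/24"), "10.10.2.5"),
    ],
    "FWA": [
        (Net("10.10.2.0/24"), None),             # Eth-Trunk 4, untrust
        (Net("10.10.3.0/24"), None),             # Eth-Trunk 5, trust
        (Net("10.1.1.0/24"), None),              # Eth-Trunk 1, heartbeat
        (Net("0.0.0.0/0"), "10.10.2.1"),         # default to VLANIF 20 in Public
        (Net("10.10.50.0/24"), "10.10.3.1"),     # downlink to VLANIF 30 in VRF-A
        (Net("10.10.60.0/24"), "10.10.3.1"),
    ],
    "RouterA": [
        (Net("10.10.4.0/24"), None),             # Eth-Trunk 1.100
        (Net("10.10.50.0/24"), "10.10.4.1"),     # learned via OSPF from Public
        (Net("10.10.60.0/24"), "10.10.4.1"),
        (Net("0.0.0.0/0"), "INTERNET"),          # upstream, outside the model
    ],
}

# Which forwarding domain answers for each next-hop address (model assumption:
# the VRRP virtual IPs belong to the current masters, FWA and RouterA).
OWNER = {
    "10.10.3.5": "FWA", "10.10.2.5": "FWA",
    "10.10.3.1": "CORE:VRF-A",
    "10.10.2.1": "CORE:Public", "10.10.4.1": "CORE:Public",
    "10.10.4.100": "RouterA",
}


def lookup(node: str, dst: str, tables=TABLES) -> Optional[Route]:
    """Longest-prefix match of dst in one forwarding domain's table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in tables[node]:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def trace(start: str, dst: str, tables=TABLES, max_hops: int = 10) -> List[str]:
    """List the forwarding domains a packet to dst crosses, starting at start."""
    path, node = [start], start
    for _ in range(max_hops):
        match = lookup(node, dst, tables)
        if match is None:
            return path + ["DROP: no route"]
        prefix, nh = match
        if nh is None:
            return path + [f"delivered on {prefix}"]
        if nh == "INTERNET":
            return path + ["INTERNET"]
        node = OWNER[nh]
        path.append(node)
    return path + ["LOOP"]


def vrfs_isolated(tables=TABLES) -> bool:
    """True when Public and VRF-A share no directly connected subnet."""
    public = [p for p, nh in tables["CORE:Public"] if nh is None]
    vrf_a = [p for p, nh in tables["CORE:VRF-A"] if nh is None]
    return not any(a.overlaps(b) for a in public for b in vrf_a)


def without_public_downlink_routes() -> Dict[str, List[Route]]:
    """The same model with the 10.10.2.5 static routes in Public left out."""
    return {n: [r for r in rs if not (n == "CORE:Public" and r[1] == "10.10.2.5")]
            for n, rs in TABLES.items()}


if __name__ == "__main__":
    print("uplink  :", " -> ".join(trace("CORE:VRF-A", "203.0.113.10")))
    print("downlink:", " -> ".join(trace("RouterA", "10.10.50.7")))
    print("isolated:", vrfs_isolated())
    print("no downlink routes in Public:",
          " -> ".join(trace("RouterA", "10.10.50.7", without_public_downlink_routes())))
```

Running the script prints the uplink path CORE:VRF-A -> FWA -> CORE:Public -> RouterA -> INTERNET, the downlink path RouterA -> CORE:Public -> FWA -> CORE:VRF-A -> delivered on 10.10.50.0/24, and, without the downlink routes in Public, a path that bounces between CORE:Public and RouterA until the hop limit. The same table-driven check can be re-run after any change to the static routes to confirm the hairpin is still intact.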
- Configure HRP.
# Configure HRP on FWA and set FWA as the active firewall.
```
[FWA] interface Eth-Trunk 4
[FWA-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 active
[FWA-Eth-Trunk4] quit
[FWA] interface Eth-Trunk 5
[FWA-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 active
[FWA-Eth-Trunk5] quit
[FWA] hrp interface Eth-Trunk 1 remote 10.1.1.2 //Configure the heartbeat interface and enable HRP.
[FWA] hrp enable
```
# Configure HRP on FWB and set FWB as the standby firewall.
```
[FWB] interface Eth-Trunk 6
[FWB-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 standby
[FWB-Eth-Trunk6] quit
[FWB] interface Eth-Trunk 7
[FWB-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 standby
[FWB-Eth-Trunk7] quit
[FWB] hrp interface Eth-Trunk 1 remote 10.1.1.1 //Configure the heartbeat interface and enable HRP.
[FWB] hrp enable
```
After a hot standby group is successfully established between the active and standby firewalls, the configurations and sessions on the active firewall are automatically synchronized to the standby firewall. Therefore, you only need to perform the following configurations on the active firewall FWA.
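Until the hot standby group is up, the two firewalls are configured by hand, and a mismatch between FWA and FWB (a VRID that is active on both, a heartbeat remote address that is not the peer's, VRRP interfaces placed in different zones) only shows up at failover time. The script below is an added example, not code from the page or the product: it parses constructed excerpts of the FWA and FWB configuration files that follow the data plan in this example and reports such mismatches. The check names are the script's own; the expectation that the heartbeat interface is assigned to a security zone follows the example above, which adds Eth-Trunk 1 to the DMZ on both firewalls.

```python
"""Audit an HRP firewall pair for consistent failover settings.

Added example, not code from the Huawei page. It parses the lines that matter
from constructed excerpts of the FWA and FWB configuration files and checks
what an active/standby pair needs for a clean switchover.
"""
import re
from typing import Dict, List

# Constructed excerpts following the page's data plan; only the lines the audit reads are kept.
FWA_CFG = """
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
interface Eth-Trunk4
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 active
interface Eth-Trunk5
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 active
firewall zone trust
 add interface Eth-Trunk5
firewall zone untrust
 add interface Eth-Trunk4
firewall zone dmz
 add interface Eth-Trunk1
"""
FWB_CFG = """
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0
interface Eth-Trunk6
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 standby
interface Eth-Trunk7
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 standby
firewall zone trust
 add interface Eth-Trunk7
firewall zone untrust
 add interface Eth-Trunk6
firewall zone dmz
 add interface Eth-Trunk1
"""
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) \S+ (active|standby)")
HRP_RE = re.compile(r"hrp interface (\S+) remote (\S+)")


def parse(cfg: str) -> Dict:
    """Extract HRP, interface address, VRRP and zone facts from a config excerpt."""
    fw = {"hrp": False, "hb_if": None, "remote": None,
          "if_ip": {}, "vrrp": {}, "zone_of": {}}
    ctx = None  # the interface or zone block the current line belongs to
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if line.startswith("interface "):
            ctx = ("if", line.split()[1])
        elif line.startswith("firewall zone "):
            ctx = ("zone", line.split()[2])
        elif line == "hrp enable":
            fw["hrp"] = True
        elif m := HRP_RE.match(line):
            fw["hb_if"], fw["remote"] = m.group(1), m.group(2)
        elif ctx and ctx[0] == "if":
            if m := re.match(r"ip address (\S+) \S+", line):
                fw["if_ip"][ctx[1]] = m.group(1)
            elif m := VRRP_RE.match(line):
                fw["vrrp"][int(m.group(1))] = {"vip": m.group(2), "role": m.group(3), "if": ctx[1]}
        elif ctx and ctx[0] == "zone":
            if m := re.match(r"add interface (\S+)", line):
                fw["zone_of"][m.group(1)] = ctx[1]
    return fw


def audit(a: Dict, b: Dict) -> List[str]:
    """Return findings for the pair; an empty list means the settings are consistent."""
    findings = []
    if not (a["hrp"] and b["hrp"]):
        findings.append("hrp enable is missing on one firewall")
    for me, peer, name in ((a, b, "FWA"), (b, a, "FWB")):
        if me["remote"] != peer["if_ip"].get(peer["hb_if"]):
            findings.append(f"{name}: heartbeat remote {me['remote']} is not the peer's heartbeat address")
        if me["hb_if"] not in me["zone_of"]:
            findings.append(f"{name}: heartbeat interface is not in a security zone")
    if set(a["vrrp"]) != set(b["vrrp"]):
        findings.append("VRID sets differ between the two firewalls")
    for vrid in sorted(set(a["vrrp"]) & set(b["vrrp"])):
        va, vb = a["vrrp"][vrid], b["vrrp"][vrid]
        if va["vip"] != vb["vip"]:
            findings.append(f"VRID {vrid}: virtual IPs differ ({va['vip']} vs {vb['vip']})")
        if {va["role"], vb["role"]} != {"active", "standby"}:
            findings.append(f"VRID {vrid}: roles are not one active and one standby")
        za, zb = a["zone_of"].get(va["if"]), b["zone_of"].get(vb["if"])
        if za is None or za != zb:
            findings.append(f"VRID {vrid}: VRRP interfaces are in different zones ({za} vs {zb})")
    return findings


if __name__ == "__main__":
    print("pair as configured:", audit(parse(FWA_CFG), parse(FWB_CFG)) or "consistent")
    broken = FWB_CFG.replace("10.10.3.5 255.255.255.0 standby", "10.10.3.5 255.255.255.0 active")
    print("FWB VRID 2 also active:", audit(parse(FWA_CFG), parse(broken)))
```

The pair as shown in this example produces no findings; flipping VRID 2 on FWB to active reports exactly that VRID, which is the kind of drift worth catching before relying on the synchronized configuration.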
- Configure security policies.
This example describes only the configurations for connections between firewalls and switches and the HRP configurations on firewalls. For details about the security service plan and campus security policies on firewalls, see Deploying Firewalls as Egress Devices.
Verifying the Deployment
After the configurations are complete, check whether CORE and routers can ping each other successfully.
# Ping Eth-Trunk 1.100 of RouterA from CORE. The ping result shows that the uplink between CORE and RouterA is reachable.
```
<CORE> ping -vpn-instance Public 10.10.4.2
  Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
    Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
    Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
    Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

  --- 10.10.4.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 140/184/266 ms
```
# Ping VLANIF 50 bound to VRF-A on CORE from RouterA to verify that the downlink between RouterA and VLANIF 50 is reachable.
```
<RouterA> ping 10.10.50.1
  Ping 10.10.50.1: 32 data bytes, Press Ctrl_C to break
    Reply From 10.10.50.1: bytes=32 seq=1 ttl=253 time=235 ms
    Reply From 10.10.50.1: bytes=32 seq=2 ttl=253 time=109 ms
    Reply From 10.10.50.1: bytes=32 seq=3 ttl=253 time=79 ms
    Reply From 10.10.50.1: bytes=32 seq=4 ttl=253 time=63 ms
    Reply From 10.10.50.1: bytes=32 seq=5 ttl=253 time=63 ms

  --- 10.10.50.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 63/109/235 ms
```
Configuration Files
RouterA configuration file
```
#
 sysname RouterA
#
interface Eth-Trunk1
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk1.100
 dot1q termination vid 10
 ip address 10.10.4.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.4.100
 vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet1/0/2
 eth-trunk 1
#
ospf 100 router-id 2.2.2.2
 area 0.0.0.0
  network 10.10.4.0 0.0.0.255
#
return
```
RouterB configuration file
```
#
 sysname RouterB
#
interface Eth-Trunk1
 undo portswitch
 mode lacp-static
#
interface Eth-Trunk1.100
 dot1q termination vid 10
 ip address 10.10.4.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
 eth-trunk 1
#
interface XGigabitEthernet1/0/2
 eth-trunk 1
#
ospf 100 router-id 3.3.3.3
 area 0.0.0.0
  network 10.10.4.0 0.0.0.255
#
return
```
CORE configuration file
```
#
 sysname CORE
#
vlan batch 10 20 30 50 60
#
ip vpn-instance Public
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif10
 ip binding vpn-instance Public
 ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
 ip binding vpn-instance Public
 ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
 ip binding vpn-instance VRF-A
 ip address 10.10.3.1 255.255.255.0
#
interface Vlanif50
 ip binding vpn-instance VRF-A
 ip address 10.10.50.1 255.255.255.0
 dhcp select interface
#
interface Vlanif60
 ip binding vpn-instance VRF-A
 ip address 10.10.60.1 255.255.255.0
 dhcp select interface
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp
#
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 10
 mode lacp
#
interface Eth-Trunk4
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk5
 port link-type access
 port default vlan 30
 mode lacp
#
interface Eth-Trunk6
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk7
 port link-type access
 port default vlan 30
 mode lacp
#
interface Eth-Trunk10
 port link-type trunk
 port trunk allow-pass vlan 50
 mode lacp
#
interface Eth-Trunk20
 port link-type trunk
 port trunk allow-pass vlan 60
 mode lacp
#
interface GigabitEthernet1/3/0/7
 eth-trunk 4
#
interface GigabitEthernet1/3/0/8
 eth-trunk 5
#
interface GigabitEthernet1/5/0/7
 eth-trunk 6
#
interface GigabitEthernet1/5/0/8
 eth-trunk 7
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet1/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/4/0/0
 eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
 eth-trunk 2
#
interface GigabitEthernet2/3/0/7
 eth-trunk 4
#
interface GigabitEthernet2/3/0/8
 eth-trunk 5
#
interface GigabitEthernet2/5/0/7
 eth-trunk 6
#
interface GigabitEthernet2/5/0/8
 eth-trunk 7
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 10
#
interface XGigabitEthernet2/1/0/2
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface XGigabitEthernet2/4/0/0
 eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
 eth-trunk 2
#
ospf 100 router-id 1.1.1.1 vpn-instance Public
 import-route static
 area 0.0.0.0
  network 10.10.4.0 0.0.0.255
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.50.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.60.0 255.255.255.0 10.10.2.5
#
return
```
AGG1 configuration file
```
#
 sysname AGG1
#
vlan batch 50
#
interface Eth-Trunk10
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 50
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 10
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
return
```
AGG2 configuration file
```
#
 sysname AGG2
#
vlan batch 60
#
interface Eth-Trunk20
 description connect to CORE
 port link-type trunk
 port trunk allow-pass vlan 60
 mode lacp
#
interface XGigabitEthernet0/0/1
 eth-trunk 20
#
interface GigabitEthernet0/0/10
 mad detect mode direct
#
interface XGigabitEthernet1/0/1
 eth-trunk 20
#
interface GigabitEthernet1/0/10
 mad detect mode direct
#
return
```
FWA configuration file
```
#
 sysname FWA
#
 hrp enable
 hrp interface Eth-Trunk1 remote 10.1.1.2
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
 mode lacp-static
#
interface Eth-Trunk4
 ip address 10.10.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 active
 mode lacp-static
#
interface Eth-Trunk5
 ip address 10.10.3.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 active
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/1/0
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet1/1/1
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet2/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk5
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk4
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.50.0 255.255.255.0 10.10.3.1
ip route-static 10.10.60.0 255.255.255.0 10.10.3.1
#
return
```
FWB configuration file
```
#
 sysname FWB
#
 hrp enable
 hrp interface Eth-Trunk1 remote 10.1.1.1
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0
 mode lacp-static
#
interface Eth-Trunk6
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 255.255.255.0 standby
 mode lacp-static
#
interface Eth-Trunk7
 ip address 10.10.3.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 standby
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 6
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 6
#
interface GigabitEthernet1/1/0
 undo shutdown
 eth-trunk 7
#
interface GigabitEthernet1/1/1
 undo shutdown
 eth-trunk 7
#
interface GigabitEthernet2/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk7
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk6
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.50.0 255.255.255.0 10.10.3.1
ip route-static 10.10.60.0 255.255.255.0 10.10.3.1
#
return
```