Connecting an Egress Router in a Branch to the Headquarters Through a Private Line
Networking Requirements
Two firewalls at a campus branch form a hot standby group that serves as the egress gateway of the campus network to the Internet, filtering the service traffic that enters and leaves the campus network to keep the network secure. In addition, a router serves as an egress gateway of the campus network and connects to the headquarters over a private line. Two core switches form a CSS that serves as the core of the campus network and as the user gateway, allocating IP addresses to users. The specific service requirements are as follows:
- Internal network users can access Internet resources but cannot play online games or watch online videos.
- External network users are prohibited from accessing the internal network.
In this example, two aggregation switches set up a stack named AGG and connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.
Device Requirements and Versions
| Location | Device Used in This Example | Version Used in This Example |
|---|---|---|
| Egress | USG6300E | V600R007C00 |
| Egress | AR6300 | V300R019C10 |
| Core layer | S12700E | V200R019C10 |
Deployment Roadmap
| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Configure CSS, stacking, and MAD to improve device reliability. | Core switches |
| 2 | Configure Eth-Trunk interfaces to improve link reliability. | Core switches and egress firewalls |
| 3 | Configure IP addresses and routing to enable network connectivity. | Core switches and egress firewalls |
| 5 | Configure VRRP and HRP to improve device reliability. | Egress firewalls |
| 6 | Configure security policies to allow services to pass through firewalls. | Egress firewalls |
| 7 | Configure NAT policies to enable internal network users to access the Internet. | Egress firewalls |
| 8 | Configure attack defense and application behavior control to ensure network security. | Egress firewalls |
| 9 | Configure IPSec VPN to implement secure communication between the branch and headquarters. | Egress router |
Data Plan
| Device | Interface Number | Member Interface | VLANIF Interface | IP Address |
|---|---|---|---|---|
| FWA | GE1/0/0 | - | - | 203.0.113.1/24 |
| FWA | GE1/0/3 | - | - | 10.4.0.1/24 |
| FWA | Eth-Trunk 1 | GE1/0/1, GE1/0/2 | - | 10.3.0.1/24 |
| FWB | GE1/0/0 | - | - | 203.0.113.2/24 |
| FWB | GE1/0/3 | - | - | 10.4.0.2/24 |
| FWB | Eth-Trunk 2 | GE1/0/1, GE1/0/2 | - | 10.3.0.2/24 |
| Router | GE3/0/0 | - | - | 10.7.0.1/24 |
| Router | Eth-Trunk 40 | GE1/0/0, GE2/0/0 | - | 10.8.0.254/24 |
| CORE | Eth-Trunk 1 | GE1/3/0/0, GE2/3/0/1 | VLANIF 20 | 10.3.0.254/24 |
| CORE | Eth-Trunk 2 | GE2/3/0/0, GE1/3/0/1 | VLANIF 20 | 10.3.0.254/24 |
| CORE | Eth-Trunk 40 | GE1/6/0/1, GE2/6/0/1 | VLANIF 50 | 10.8.0.1/24 |
Procedure
- Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
- Configure Eth-Trunk interfaces.
- Configure the firewalls.
# On FWA, create Eth-Trunk 1 to connect FWA to CORE, and add member interfaces to Eth-Trunk 1.
```
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] mode lacp-static
[FWA-Eth-Trunk1] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] eth-trunk 1
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/2
[FWA-GigabitEthernet1/0/2] eth-trunk 1
[FWA-GigabitEthernet1/0/2] quit
```
# On FWB, create Eth-Trunk 2 to connect FWB to CORE, and add member interfaces to Eth-Trunk 2.
```
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] mode lacp-static
[FWB-Eth-Trunk2] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] eth-trunk 2
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/2
[FWB-GigabitEthernet1/0/2] eth-trunk 2
[FWB-GigabitEthernet1/0/2] quit
```
- Configure the egress router.
# On the router, create Eth-Trunk 40 to connect the router to CORE, and add member interfaces to Eth-Trunk 40.
```
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] mode lacp-static
[Router-Eth-Trunk40] quit
[Router] interface Gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] eth-trunk 40
[Router-GigabitEthernet1/0/0] quit
[Router] interface Gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] eth-trunk 40
[Router-GigabitEthernet2/0/0] quit
```
- Configure CORE.
# On CORE, create Eth-Trunk 1 to connect CORE to FWA, and add member interfaces to Eth-Trunk 1.
```
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] mode lacp
[CORE-Eth-Trunk1] quit
[CORE] interface gigabitethernet 1/3/0/0
[CORE-GigabitEthernet1/3/0/0] eth-trunk 1
[CORE-GigabitEthernet1/3/0/0] quit
[CORE] interface gigabitethernet 2/3/0/1
[CORE-GigabitEthernet2/3/0/1] eth-trunk 1
[CORE-GigabitEthernet2/3/0/1] quit
```
# On CORE, create Eth-Trunk 2 to connect CORE to FWB, and add member interfaces to Eth-Trunk 2.
```
[CORE] interface eth-trunk 2
[CORE-Eth-Trunk2] mode lacp
[CORE-Eth-Trunk2] quit
[CORE] interface gigabitethernet 1/3/0/1
[CORE-GigabitEthernet1/3/0/1] eth-trunk 2
[CORE-GigabitEthernet1/3/0/1] quit
[CORE] interface gigabitethernet 2/3/0/0
[CORE-GigabitEthernet2/3/0/0] eth-trunk 2
[CORE-GigabitEthernet2/3/0/0] quit
```
# On CORE, create Eth-Trunk 40 to connect CORE to the router, and add member interfaces to Eth-Trunk 40.
```
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] mode lacp
[CORE-Eth-Trunk40] quit
[CORE] interface gigabitethernet 1/6/0/1
[CORE-GigabitEthernet1/6/0/1] eth-trunk 40
[CORE-GigabitEthernet1/6/0/1] quit
[CORE] interface gigabitethernet 2/6/0/1
[CORE-GigabitEthernet2/6/0/1] eth-trunk 40
[CORE-GigabitEthernet2/6/0/1] quit
```
- Configure IP addresses and routing.
- Configure IP addresses for interfaces.
# Configure IP addresses for interfaces of FWA, and add the interfaces to security zones.
```
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/0
[FWA-GigabitEthernet1/0/0] ip address 203.0.113.1 24 //Configure an IP address for the interface connected to the Internet.
[FWA-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface gigabitethernet 1/0/3
[FWA-GigabitEthernet1/0/3] ip address 10.4.0.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/3] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] ip address 10.3.0.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk1] quit
[FWA] firewall zone trust
[FWA-zone-trust] set priority 85
[FWA-zone-trust] add interface eth-trunk 1 //Add Eth-Trunk 1 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone name isp1
[FWA-zone-isp1] set priority 10
[FWA-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWA-zone-isp1] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] set priority 50
[FWA-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
```
# Configure IP addresses for interfaces of FWB, and add the interfaces to security zones.
```
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/0
[FWB-GigabitEthernet1/0/0] ip address 203.0.113.2 24 //Configure an IP address for the interface connected to the Internet.
[FWB-GigabitEthernet1/0/0] gateway 203.0.113.254
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface gigabitethernet 1/0/3
[FWB-GigabitEthernet1/0/3] ip address 10.4.0.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/3] quit
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] ip address 10.3.0.2 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk2] quit
[FWB] firewall zone trust
[FWB-zone-trust] set priority 85
[FWB-zone-trust] add interface eth-trunk 2 //Add Eth-Trunk 2 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone name isp1
[FWB-zone-isp1] set priority 10
[FWB-zone-isp1] add interface gigabitethernet 1/0/0 //Add the interface connected to the Internet to the security zone isp1.
[FWB-zone-isp1] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] set priority 50
[FWB-zone-dmz] add interface gigabitethernet 1/0/3 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
```
# Configure IP addresses for interfaces on the router.
```
[Router] interface loopback 0
[Router-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the router ID of the router.
[Router-LoopBack0] quit
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.7.0.1 24 //Configure an IP address for the uplink interface connected to the private line to the headquarters.
[Router-GigabitEthernet3/0/0] quit
[Router] interface Eth-Trunk 40
[Router-Eth-Trunk40] ip address 10.8.0.254 24 //Configure an IP address for the interface connected to CORE.
[Router-Eth-Trunk40] quit
```
# Configure IP addresses for interfaces on CORE.
```
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] vlan batch 20 50
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] port link-type access
[CORE-Eth-Trunk1] port default vlan 20
[CORE-Eth-Trunk1] quit
[CORE] interface eth-trunk 2
[CORE-Eth-Trunk2] port link-type access
[CORE-Eth-Trunk2] port default vlan 20
[CORE-Eth-Trunk2] quit
[CORE] interface eth-trunk 40
[CORE-Eth-Trunk40] port link-type trunk
[CORE-Eth-Trunk40] port trunk pvid vlan 50
[CORE-Eth-Trunk40] port trunk allow-pass vlan 50
[CORE-Eth-Trunk40] quit
[CORE] interface vlanif 20
[CORE-Vlanif20] ip address 10.3.0.254 24 //Configure an IP address for the VLANIF interface connected to the firewalls.
[CORE-Vlanif20] quit
[CORE] interface vlanif 50
[CORE-Vlanif50] ip address 10.8.0.1 24 //Configure an IP address for the VLANIF interface connected to the router.
[CORE-Vlanif50] quit
```
- Configure routing.
# Configure OSPF on FWA to advertise the network segments where downlink interfaces belong.
```
[FWA] ospf 1 router-id 1.1.1.1
[FWA-ospf-1] area 0.0.0.0
[FWA-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
```
# Configure a default route on FWA and set the next hop to a public IP address.
```
[FWA] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
```
# Configure OSPF on FWB to advertise the network segments where downlink interfaces belong.
```
[FWB] ospf 1 router-id 2.2.2.2
[FWB-ospf-1] area 0.0.0.0
[FWB-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
```
# Configure a default route on FWB and set the next hop to a public IP address.
```
[FWB] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
```
# Configure OSPF on the router to advertise the network segments where uplink and downlink interfaces belong.
```
[Router] ospf 1 router-id 4.4.4.4
[Router-ospf-1] area 0.0.0.0
[Router-ospf-1-area-0.0.0.0] network 10.7.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
```
# On CORE, configure OSPF to advertise the network segments where uplink interfaces belong.
```
[CORE] router id 3.3.3.3
[CORE] ospf 1
[CORE-ospf-1] area 0.0.0.0
[CORE-ospf-1-area-0.0.0.0] network 10.3.0.0 0.0.0.255 //Advertise the network segment connected to the firewalls.
[CORE-ospf-1-area-0.0.0.0] network 10.8.0.0 0.0.0.255 //Advertise the network segment connected to the router.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
```
# On CORE, configure a default route with the next hop being the VRRP virtual IP address of the firewalls.
```
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
```
- Configure VRRP and HRP on the firewalls.
- Configure VRRP groups.
# On FWA, configure VRRP group 1 on the uplink service interface GE1/0/0, and set the VRRP group status to active. Configure VRRP group 2 on the downlink service interface Eth-Trunk 1, and set the VRRP group status to active.
```
[FWA] interface GigabitEthernet 1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 active
[FWA-GigabitEthernet1/0/0] quit
[FWA] interface eth-trunk 1
[FWA-Eth-Trunk1] vrrp vrid 2 virtual-ip 10.3.0.3 24 active
[FWA-Eth-Trunk1] quit
```
# On FWB, configure VRRP group 1 on the uplink service interface GE1/0/0, and set the VRRP group status to standby. Configure VRRP group 2 on the downlink service interface Eth-Trunk 2, and set the VRRP group status to standby.
```
[FWB] interface GigabitEthernet 1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 203.0.113.3 24 standby
[FWB-GigabitEthernet1/0/0] quit
[FWB] interface eth-trunk 2
[FWB-Eth-Trunk2] vrrp vrid 2 virtual-ip 10.3.0.3 24 standby
[FWB-Eth-Trunk2] quit
```
- Configure HRP.
# On FWA, specify a heartbeat interface and enable HRP.
```
[FWA] hrp interface gigabitethernet 1/0/3 remote 10.4.0.2
[FWA] hrp enable
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.
```
# On FWB, specify a heartbeat interface and enable HRP.
```
[FWB] hrp interface gigabitethernet 1/0/3 remote 10.4.0.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable
```
- Configure security policies.
# After a hot standby group is successfully established between the active and standby firewalls, the security policies configured on FWA will be automatically synchronized to FWB.
```
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] source-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone local
HRP_M[FWA-policy-security-rule-policy_dmz] destination-zone dmz
HRP_M[FWA-policy-security-rule-policy_dmz] action permit
HRP_M[FWA-policy-security-rule-policy_dmz] quit
HRP_M[FWA-policy-security] rule name trust_to_untrust //Allow internal network users to access the Internet.
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FWA-policy-security-rule-trust_to_untrust] destination-zone isp1
HRP_M[FWA-policy-security-rule-trust_to_untrust] source-address 10.6.0.0 24
HRP_M[FWA-policy-security-rule-trust_to_untrust] action permit
HRP_M[FWA-policy-security-rule-trust_to_untrust] quit
HRP_M[FWA-policy-security] rule name untrust_to_trust //Prohibit external network users from accessing the internal network.
HRP_M[FWA-policy-security-rule-untrust_to_trust] source-zone isp1
HRP_M[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
HRP_M[FWA-policy-security-rule-untrust_to_trust] action deny
HRP_M[FWA-policy-security-rule-untrust_to_trust] quit
HRP_M[FWA-policy-security] quit
```
- Configure NAT policies.
# On FWA, create a NAT address pool addressgroup1 (192.0.2.1 to 192.0.2.5). The NAT address pool configured on FWA will be automatically synchronized to FWB.
```
HRP_M[FWA] nat address-group addressgroup1
HRP_M[FWA-nat-address-group-addressgroup1] section 0 192.0.2.1 192.0.2.5
HRP_M[FWA-nat-address-group-addressgroup1] mode pat
HRP_M[FWA-nat-address-group-addressgroup1] route enable
HRP_M[FWA-nat-address-group-addressgroup1] quit
```
# Configure source NAT policies to allow internal network users using the IP address 10.6.0.0/24 to access the Internet through post-NAT public IP addresses.
```
HRP_M[FWA] nat-policy
HRP_M[FWA-policy-nat] rule name policy_nat_1
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-address range 10.6.0.1 10.6.0.127
HRP_M[FWA-policy-nat-rule-policy_nat_1] source-zone trust
HRP_M[FWA-policy-nat-rule-policy_nat_1] destination-zone isp1 //The Internet-facing interface GE1/0/0 belongs to zone isp1; a rule that references the empty default zone untrust would never match this traffic.
HRP_M[FWA-policy-nat-rule-policy_nat_1] action nat address-group addressgroup1
HRP_M[FWA-policy-nat-rule-policy_nat_1] quit
HRP_M[FWA-policy-nat] quit
```
# Ask the ISP network administrators to configure routes to the addresses in addressgroup1 with the next hops being the interface addresses of the firewalls.
- Configure attack defense and application behavior control.
# Configure attack defense.
```
HRP_M[FWA] firewall defend land enable
HRP_M[FWA] firewall defend smurf enable
HRP_M[FWA] firewall defend fraggle enable
HRP_M[FWA] firewall defend winnuke enable
HRP_M[FWA] firewall defend source-route enable
HRP_M[FWA] firewall defend route-record enable
HRP_M[FWA] firewall defend time-stamp enable
HRP_M[FWA] firewall defend ping-of-death enable
HRP_M[FWA] interface GigabitEthernet 1/0/0
HRP_M[FWA-GigabitEthernet1/0/0] anti-ddos flow-statistic enable
HRP_M[FWA-GigabitEthernet1/0/0] quit
HRP_M[FWA] anti-ddos baseline-learn start
HRP_M[FWA] anti-ddos baseline-learn tolerance-value 100
HRP_M[FWA] anti-ddos baseline-learn apply
HRP_M[FWA] anti-ddos syn-flood source-detect
HRP_M[FWA] anti-ddos udp-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos udp-frag-flood dynamic-fingerprint-learn
HRP_M[FWA] anti-ddos http-flood defend alert-rate 2000
HRP_M[FWA] anti-ddos http-flood source-detect mode basic
```
# Configure application behavior control.
This function requires a license and dynamic installation of the corresponding component package.
# Create an application behavior control file to prohibit HTTP and FTP operations during working hours.
```
HRP_M[FWA] profile type app-control name profile_app_work
HRP_M[FWA-profile-app-control-profile_app_work] http-control post action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control proxy action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control web-browse action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] http-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file delete action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction upload action deny
HRP_M[FWA-profile-app-control-profile_app_work] ftp-control file direction download action deny
HRP_M[FWA-profile-app-control-profile_app_work] quit
```
# Create a time range named working_hours.
```
HRP_M[FWA] time-range working_hours
HRP_M[FWA-time-range-working_hours] period-range all
HRP_M[FWA-time-range-working_hours] quit
```
# Configure the security policy policy_sec_work, referencing the time range working_hours and the application behavior control file profile_app_work, to prohibit HTTP and FTP operations during working hours.
```
HRP_M[FWA] security-policy
HRP_M[FWA-policy-security] rule name policy_sec_work
HRP_M[FWA-policy-security-rule-policy_sec_work] source-zone trust
HRP_M[FWA-policy-security-rule-policy_sec_work] destination-zone isp1
HRP_M[FWA-policy-security-rule-policy_sec_work] user any
HRP_M[FWA-policy-security-rule-policy_sec_work] time-range working_hours
HRP_M[FWA-policy-security-rule-policy_sec_work] profile app-control profile_app_work
HRP_M[FWA-policy-security-rule-policy_sec_work] action permit
HRP_M[FWA-policy-security-rule-policy_sec_work] quit
```
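Security policies are matched from top to bottom and the first matching rule decides, so the order in which the rules above were created matters: trust_to_untrust already permits all 10.6.0.0/24 traffic to isp1 without an application-control profile, and policy_sec_work, created after it, is never reached for those users. The following added example (not part of the original page and not the firewall's own matching engine) models first-match evaluation over the four rules from this procedure, first in the page's creation order and then with policy_sec_work moved ahead of trust_to_untrust. The time-range condition is assumed to be satisfied, and the sample flows, including the 198.51.100.7 address, are constructed.

```python
"""First-match walk through the security-policy rule set built on this page.

Added example: a simplified model of first-match rule evaluation (every
configured condition must match, rules are tried in creation order, and the
implicit default action is deny), not the firewall's own matching engine.
The time-range condition of policy_sec_work is assumed to be satisfied.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                                               # "permit" or "deny"
    source_zones: Set[str] = field(default_factory=set)       # empty = any
    destination_zones: Set[str] = field(default_factory=set)  # empty = any
    source_networks: list = field(default_factory=list)       # empty = any
    profile: Optional[str] = None                             # app-control profile on permit

    def matches(self, src_zone: str, dst_zone: str, src_ip: str) -> bool:
        if self.source_zones and src_zone not in self.source_zones:
            return False
        if self.destination_zones and dst_zone not in self.destination_zones:
            return False
        if self.source_networks and not any(
                ip_address(src_ip) in net for net in self.source_networks):
            return False
        return True


# The four rules from the procedure, in the order the page creates them.
PAGE_RULES: List[Rule] = [
    Rule("policy_dmz", "permit", {"local", "dmz"}, {"local", "dmz"}),
    Rule("trust_to_untrust", "permit", {"trust"}, {"isp1"},
         [ip_network("10.6.0.0/24")]),
    Rule("untrust_to_trust", "deny", {"isp1"}, {"trust"}),
    Rule("policy_sec_work", "permit", {"trust"}, {"isp1"},
         profile="profile_app_work"),
]


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str) -> Tuple[str, str, Optional[str]]:
    """Return (matching rule name or 'default', action, app-control profile)."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip):
            return rule.name, rule.action, rule.profile
    return "default", "deny", None


def move_before(rules: List[Rule], name: str, anchor: str) -> List[Rule]:
    """Return a copy of the ordered rule list with `name` placed just before
    `anchor`, which is what reordering a rule on the firewall does."""
    moving = next(r for r in rules if r.name == name)
    reordered = [r for r in rules if r.name != name]
    position = next(i for i, r in enumerate(reordered) if r.name == anchor)
    reordered.insert(position, moving)
    return reordered


if __name__ == "__main__":
    # Constructed sample flows: (source zone, destination zone, source IP).
    flows = [("trust", "isp1", "10.6.0.5"),      # internal user to the Internet
             ("isp1", "trust", "198.51.100.7"),  # Internet host to the internal network
             ("isp1", "dmz", "198.51.100.7"),    # Internet host to the heartbeat segment
             ("dmz", "local", "10.4.0.2")]       # peer firewall heartbeat traffic
    fixed = move_before(PAGE_RULES, "policy_sec_work", "trust_to_untrust")
    for order, label in ((PAGE_RULES, "page order"), (fixed, "policy_sec_work moved up")):
        print(label)
        for flow in flows:
            print("  ", flow, "->", evaluate(order, *flow))
```

In the page's order the 10.6.0.5 flow is permitted by trust_to_untrust with no profile attached, so the application behavior control never applies to exactly the users it was written for; after moving policy_sec_work before trust_to_untrust (on the firewall, with rule move in the security-policy view) the same flow hits policy_sec_work and the profile_app_work profile takes effect. Whichever order is used, the isp1-to-trust and isp1-to-dmz flows end in a deny, the former by untrust_to_trust and the latter by the implicit default.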
Verifying the Deployment
# Perform ping tests to verify that devices on the private networks of the headquarters and branch can ping each other successfully. Then verify that external network users cannot access the internal network, and that internal network users can access the Internet but cannot play online games or watch online videos.
Configuration Files
- FWA configuration file
```
#
 sysname FWA
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
 hrp mirror session enable
#
interface Eth-Trunk1
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.1 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 active
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
 add interface Eth-Trunk1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
 firewall defend time-stamp enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend winnuke enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend smurf enable
 firewall defend land enable
#
 anti-ddos baseline-learn start
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn apply
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 192.0.2.1 192.0.2.5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action nat address-group addressgroup1
#
return
```
- FWB configuration file
```
#
 sysname FWB
#
 hrp enable
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
 hrp mirror session enable
#
interface Eth-Trunk2
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
 mode lacp-static
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 standby
 anti-ddos flow-statistic enable
 gateway 203.0.113.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 2
#
interface GigabitEthernet1/0/2
 undo shutdown
 eth-trunk 2
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.4.0.2 255.255.255.0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
 add interface Eth-Trunk2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
#
firewall zone name isp1
 set priority 10
 add interface GigabitEthernet1/0/0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.4.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
#
 firewall defend time-stamp enable
 firewall defend route-record enable
 firewall defend source-route enable
 firewall defend winnuke enable
 firewall defend fraggle enable
 firewall defend ping-of-death enable
 firewall defend smurf enable
 firewall defend land enable
#
 anti-ddos baseline-learn start
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn apply
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
#
profile type app-control name profile_app_work
 http-control post action deny
 http-control proxy action deny
 http-control web-browse action deny
 http-control file direction upload action deny
 http-control file direction download action deny
 ftp-control file delete action deny
 ftp-control file direction upload action deny
 ftp-control file direction download action deny
#
time-range working_hours
 period-range all
#
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 192.0.2.1 192.0.2.5
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone isp1
  source-address 10.6.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone isp1
  destination-zone trust
  action deny
 rule name policy_sec_work
  source-zone trust
  destination-zone isp1
  time-range working_hours
  profile app-control profile_app_work
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  source-address range 10.6.0.1 10.6.0.127
  action nat address-group addressgroup1
#
return
```
- Router configuration file
```
#
 sysname Router
#
interface Eth-Trunk40
 undo portswitch
 ip address 10.8.0.254 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/0
 eth-trunk 40
#
interface GigabitEthernet2/0/0
 eth-trunk 40
#
interface GigabitEthernet3/0/0
 ip address 10.7.0.1 255.255.255.0
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 10.7.0.0 0.0.0.255
  network 10.8.0.0 0.0.0.255
#
return
```
- CORE configuration file
```
#
 sysname CORE
#
 router id 3.3.3.3
#
vlan batch 20 50
#
interface Vlanif20
 ip address 10.3.0.254 255.255.255.0
#
interface Vlanif50
 ip address 10.8.0.1 255.255.255.0
#
interface Eth-Trunk1
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk2
 port link-type access
 port default vlan 20
 mode lacp
#
interface Eth-Trunk40
 port link-type trunk
 port trunk pvid vlan 50
 port trunk allow-pass vlan 50
 mode lacp
#
interface GigabitEthernet1/3/0/0
 eth-trunk 1
#
interface GigabitEthernet1/3/0/1
 eth-trunk 2
#
interface GigabitEthernet1/6/0/1
 eth-trunk 40
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface GigabitEthernet2/3/0/0
 eth-trunk 2
#
interface GigabitEthernet2/3/0/1
 eth-trunk 1
#
interface GigabitEthernet2/6/0/1
 eth-trunk 40
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.3.0.0 0.0.0.255
  network 10.8.0.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.3
#
return
```
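These configuration files have to agree with each other in several places that no single device checks for you: both firewalls must carry the same VRRP groups with the same virtual IP addresses, one active and one standby; the remote address in each firewall's hrp interface command must be the other firewall's heartbeat interface address; CORE's default route must point at a VRRP virtual IP rather than at one firewall's own interface address; and a NAT rule's destination zone must actually contain an interface, or the rule never matches. The following added example (not part of the page and not a vendor tool) parses constructed excerpts in the page's configuration-file format and reports any of those mismatches. FWA_BAD_CFG is a constructed variant whose NAT rule references the empty default zone untrust, included so that the last check has something to report.

```python
"""Consistency checks for the hot-standby egress design on this page.

Added example, not a vendor tool. Abbreviated configuration text in the
page's file format (constructed excerpts, not the complete files) is parsed
into small dictionaries; each check returns a list of findings, so an empty
list means that aspect of the design is consistent.
"""
from collections import defaultdict

FWA_CFG = """\
 sysname FWA
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.2
interface Eth-Trunk1
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 active
interface GigabitEthernet1/0/0
 ip address 203.0.113.1 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 active
interface GigabitEthernet1/0/3
 ip address 10.4.0.1 255.255.255.0
firewall zone name isp1
 add interface GigabitEthernet1/0/0
nat-policy
 rule name policy_nat_1
  destination-zone isp1
"""
FWB_CFG = """\
 sysname FWB
 hrp interface GigabitEthernet1/0/3 remote 10.4.0.1
interface Eth-Trunk2
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 255.255.255.0 standby
interface GigabitEthernet1/0/0
 ip address 203.0.113.2 255.255.255.0
 vrrp vrid 1 virtual-ip 203.0.113.3 255.255.255.0 standby
interface GigabitEthernet1/0/3
 ip address 10.4.0.2 255.255.255.0
"""
CORE_CFG = " sysname CORE\nip route-static 0.0.0.0 0.0.0.0 10.3.0.3\n"
# Constructed defect: a NAT rule pointing at a zone that holds no interface.
FWA_BAD_CFG = FWA_CFG.replace("destination-zone isp1", "destination-zone untrust")


def parse(cfg):
    """Pull out the handful of facts the checks below need."""
    d = {"name": None, "hrp_if": None, "hrp_remote": None, "addr": {},
         "vrrp": {}, "zones": defaultdict(list), "nat_dst": [], "default_nh": None}
    ctx = ("", "")                                   # (view kind, view name)
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "sysname":
            d["name"] = w[1]
        elif w[0] == "interface":
            ctx = ("if", w[1])
        elif w[:2] == ["firewall", "zone"]:
            ctx = ("zone", w[-1])                    # "zone trust" or "zone name isp1"
        elif w[0] in ("nat-policy", "security-policy"):
            ctx = (w[0], "")
        elif w[:2] == ["hrp", "interface"]:
            d["hrp_if"], d["hrp_remote"] = w[2], w[4]
        elif w[:2] == ["ip", "address"] and ctx[0] == "if":
            d["addr"][ctx[1]] = w[2]
        elif w[0] == "vrrp" and ctx[0] == "if":
            d["vrrp"][int(w[2])] = (ctx[1], w[4], w[-1])   # (interface, VIP, role)
        elif w[:2] == ["add", "interface"] and ctx[0] == "zone":
            d["zones"][ctx[1]].append(w[2])
        elif w[0] == "destination-zone" and ctx[0] == "nat-policy":
            d["nat_dst"].append(w[1])
        elif w[:3] == ["ip", "route-static", "0.0.0.0"]:
            d["default_nh"] = w[4]
    return d


def check_vrrp_pairs(a, b):
    out = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        if vrid not in a["vrrp"] or vrid not in b["vrrp"]:
            out.append(f"VRRP group {vrid} exists on only one firewall")
            continue
        (_, vip_a, role_a), (_, vip_b, role_b) = a["vrrp"][vrid], b["vrrp"][vrid]
        if vip_a != vip_b:
            out.append(f"VRRP group {vrid}: virtual IP differs ({vip_a} vs {vip_b})")
        if {role_a, role_b} != {"active", "standby"}:
            out.append(f"VRRP group {vrid}: roles {role_a}/{role_b} are not active/standby")
    return out


def check_hrp_peers(a, b):
    out = []
    for local, peer in ((a, b), (b, a)):
        expected = peer["addr"].get(peer["hrp_if"])
        if local["hrp_remote"] != expected:
            out.append(f"{local['name']}: hrp remote {local['hrp_remote']} is not "
                       f"{peer['name']}'s heartbeat address {expected}")
    return out


def check_core_default_route(core, fw):
    vips = {vip for _, vip, _ in fw["vrrp"].values()}
    nh = core["default_nh"]
    return [] if nh in vips else [f"CORE default route next hop {nh} is not a firewall VRRP VIP"]


def check_nat_zones(fw):
    return [f"{fw['name']}: NAT rule destination-zone {z} holds no interface, so it never matches"
            for z in fw["nat_dst"] if not fw["zones"].get(z)]


if __name__ == "__main__":
    fwa, fwb, core = parse(FWA_CFG), parse(FWB_CFG), parse(CORE_CFG)
    for finding in (check_vrrp_pairs(fwa, fwb) + check_hrp_peers(fwa, fwb)
                    + check_core_default_route(core, fwa) + check_nat_zones(parse(FWA_BAD_CFG))):
        print("FINDING:", finding)
```

Run against the excerpts from this page the VRRP, HRP and default-route checks return nothing, while the constructed FWA_BAD_CFG produces a single finding for the NAT rule. The same parser can be pointed at the full configuration files, since it ignores every line it does not recognise.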