Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Static Route-based Traffic Diversion Is Implemented
Service Requirements
As shown in Figure 3-311, two switches are deployed in a CSS and two NGFW Modules are installed in slot 1 on the two switches. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches. Two NGFW Modules work in active/standby mode.
This example uses NGFW modules running V100R001C30 and switches running V200R008C00.
The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The numbering of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.
Data Planning
| Item | | Data | Description |
|---|---|---|---|
| Hot standby | | NGFW Module_A: active; NGFW Module_B: standby | - |
| NAT | Source NAT | NAT type: PAT; address pool: 1.1.1.1 to 1.1.1.2 | The source address is automatically translated for Internet access from the specified private subnet. |
| | NAT Server | Global address: 1.1.1.3; inside address: 192.168.2.8 | The private address of a specified server is translated to a public address so that Internet users can access it. |
| Security policy | Policy 1: policy_sec1 | Source security zone: Trust; destination security zone: Untrust; source IP address: 192.168.1.0/24; action: permit | Users in the Trust zone (192.168.1.0/24) are allowed to access the Internet. |
| | Policy 2: policy_sec2 | Source security zone: Untrust; destination security zone: DMZ; destination IP address: 192.168.2.0/24; action: permit | Internet users are allowed to access the DMZ (192.168.2.0/24), with intrusion prevention applied. |
Deployment Solution
The two NGFW Modules form a hot standby pair. The switch diverts passing traffic to the NGFW Module through a static route. After checking the traffic, the NGFW Module sends it back to the switch through a static route.
Configure VPN instances (VRFs) on the switches so that each switch is split into a virtual switch Public that connects to the public network (this one needs no VPN instance) and virtual switches trust and dmz that connect to the Trust zone and the DMZ respectively. Figure 3-312 shows the networking. Because the virtual switches keep separate routing tables, traffic between them cannot be switched directly and has to be forwarded through the NGFW Modules.
Figure 3-312 can be abstracted as Figure 3-313. The NGFW Modules use static routes with their upstream and downstream devices, so VRRP groups are configured on the NGFW Modules and the switches use the virtual IP addresses of those VRRP groups as next hops; the next hop stays valid whichever NGFW Module is active.
On the NGFW Modules, configure a default route to the Internet with the next hop set to the IP address of VLANIF201, and specific routes to the Trust zone and DMZ with the next hops set to the IP addresses of VLANIF202 and VLANIF203 respectively. On the virtual switch Public, configure static routes to the Trust zone and DMZ with the next hop set to the virtual IP address of VRRP group 1. On the virtual switch trust, configure a default route to the Internet with the next hop set to the virtual IP address of VRRP group 2. On the virtual switch dmz, configure a default route to the Internet with the next hop set to the virtual IP address of VRRP group 3.
- Bundle GE0/0/1 and GE0/0/2 on the panel of each NGFW Module into Eth-Trunk0, which serves as the heartbeat interface and backup channel, and enable hot standby.
- Configure security functions such as security policies, NAT policies, and IPS on NGFW Module_A. NGFW Module_A automatically synchronizes these configurations to NGFW Module_B.
Procedure
- Complete interface and basic network configurations on NGFW Modules.
# Configure device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname Module_A
# Configure IP addresses for the interfaces on NGFW Module_A.
[Module_A] interface Eth-Trunk 1
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] eth-trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] eth-trunk 1
[Module_A-GigabitEthernet1/0/1] quit
[Module_A] interface Eth-Trunk 1.1
[Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
[Module_A-Eth-Trunk1.1] vlan-type dot1q 201
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-Trunk 1.2
[Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
[Module_A-Eth-Trunk1.2] vlan-type dot1q 202
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-Trunk 1.3
[Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
[Module_A-Eth-Trunk1.3] vlan-type dot1q 203
[Module_A-Eth-Trunk1.3] quit
[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] eth-trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] eth-trunk 0
[Module_A-GigabitEthernet0/0/2] quit
# Assign the interfaces of NGFW Module_A to security zones.
[Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-Trunk 1.1
[Module_A-zone-untrust] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-Trunk 1.2
[Module_A-zone-trust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-Trunk 1.3
[Module_A-zone-dmz] quit
[Module_A] firewall zone name hrpzone
[Module_A-zone-hrpzone] set priority 65
[Module_A-zone-hrpzone] add interface Eth-Trunk 0
[Module_A-zone-hrpzone] quit
# Configure device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname Module_B
# Configure IP addresses for the interfaces on NGFW Module_B.
[Module_B] interface Eth-Trunk 1
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] eth-trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] eth-trunk 1
[Module_B-GigabitEthernet1/0/1] quit
[Module_B] interface Eth-Trunk 1.1
[Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
[Module_B-Eth-Trunk1.1] vlan-type dot1q 201
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-Trunk 1.2
[Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
[Module_B-Eth-Trunk1.2] vlan-type dot1q 202
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-Trunk 1.3
[Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
[Module_B-Eth-Trunk1.3] vlan-type dot1q 203
[Module_B-Eth-Trunk1.3] quit
[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] eth-trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] eth-trunk 0
[Module_B-GigabitEthernet0/0/2] quit
# Assign the interfaces of NGFW Module_B to security zones.
[Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-Trunk 1.1
[Module_B-zone-untrust] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-Trunk 1.2
[Module_B-zone-trust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-Trunk 1.3
[Module_B-zone-dmz] quit
[Module_B] firewall zone name hrpzone
[Module_B-zone-hrpzone] set priority 65
[Module_B-zone-hrpzone] add interface Eth-Trunk 0
[Module_B-zone-hrpzone] quit
- Create static routes on NGFW Modules.
# On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201.
[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
# On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.
[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
# On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.
[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
# On NGFW Module_A, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.
[Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0
# On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0
# On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.
[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
# On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and next-hop address being the address of VLANIF202 on the connected switch.
[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
# On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and next-hop address being the address of VLANIF203 on the connected switch.
[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
# On NGFW Module_B, configure a black-hole route to an address in the source NAT address pool to prevent routing loops. In this example, the address range is 1.1.1.1-1.1.1.2 in the source NAT address pool.
[Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0
# On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
[Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0
- Configure hot standby on NGFW Modules.
# Configure VRRP groups on NGFW Module_A.
[Module_A] interface Eth-Trunk 1.1
[Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-Trunk 1.2
[Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-Trunk 1.3
[Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
[Module_A-Eth-Trunk1.3] quit
# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable
# Configure VRRP groups on NGFW Module_B.
[Module_B] interface Eth-Trunk 1.1
[Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-Trunk 1.2
[Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-Trunk 1.3
[Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
[Module_B-Eth-Trunk1.3] quit
# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.
- Configure security services on NGFW Modules.
# On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_sec1
HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
HRP_A[Module_A-policy-security-rule-policy_sec1] quit
# On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.
HRP_A[Module_A-policy-security] rule name policy_sec2
HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
HRP_A[Module_A-policy-security-rule-policy_sec2] quit
HRP_A[Module_A-policy-security] quit
# Configure ASPF on NGFW Module_A. FTP is used as an example.
HRP_A[Module_A] firewall interzone untrust dmz
HRP_A[Module_A-interzone-dmz-untrust] detect ftp
HRP_A[Module_A-interzone-dmz-untrust] quit
# Configure a NAT address pool.
HRP_A[Module_A] nat address-group addressgroup1
HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
HRP_A[Module_A-address-group-addressgroup1] quit
# Configure a source NAT policy for Internet access from the specified private subnet.
HRP_A[Module_A] nat-policy
HRP_A[Module_A-policy-nat] rule name policy_nat1
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
HRP_A[Module_A-policy-nat] quit
# Configure the NAT server function to translate the private address of a specific server in the DMZ into a public address for user access. In this example, private address 192.168.2.8:80 of the web server in the DMZ is translated into public address 1.1.1.3:8000.
HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80
# Save configurations on NGFW Module_A and NGFW Module_B.
HRP_A<Module_A> save
 The current configurations will be written to the device.
 Are you sure?[Y/N] y
 Now saving the current configuration to the device......
 Info:The Current Configuration was saved to the device successfully
HRP_S<Module_B> save
 The current configurations will be written to the device.
 Are you sure?[Y/N] y
 Now saving the current configuration to the device......
 Info:The Current Configuration was saved to the device successfully
- Configure the core switches to form a CSS.
- Configure interfaces and VLANs on the core switches. This example covers only the configuration needed for interoperation between the CSS and the NGFW Modules.
[CSS] vlan batch 201 to 205 //Create VLANs.
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] description To_NGFW_Module_A
[CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1 //Create Eth-Trunk5 on the CSS and add the internal Ethernet interfaces to NGFW Module_A to it.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 205 //Configure Eth-Trunk5 to permit traffic from VLANs 201 to 205.
[CSS-Eth-Trunk5] quit
[CSS] interface eth-trunk 6
[CSS-Eth-Trunk6] description To_NGFW_Module_B
[CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1 //Create Eth-Trunk6 on the CSS and add the internal Ethernet interfaces to NGFW Module_B to it.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 205 //Configure Eth-Trunk6 to permit traffic from VLANs 201 to 205.
[CSS-Eth-Trunk6] quit
[CSS] interface eth-trunk 2 //Eth-Trunk2 connects the switch to the Trust zone. Adding member interfaces to Eth-Trunk2 is not described here.
[CSS-Eth-Trunk2] description To_TRUST
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] port trunk allow-pass vlan 204 //Configure Eth-Trunk2 to permit traffic from VLAN 204.
[CSS-Eth-Trunk2] quit
[CSS] interface eth-trunk 3 //Eth-Trunk3 connects the switch to the DMZ. Adding member interfaces to Eth-Trunk3 is not described here.
[CSS-Eth-Trunk3] description To_DMZ
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk3] port trunk allow-pass vlan 205 //Configure Eth-Trunk3 to permit traffic from VLAN 205.
[CSS-Eth-Trunk3] quit
[CSS] ip vpn-instance trust //Create VPN instance trust.
[CSS-vpn-instance-trust] ipv4-family
[CSS-vpn-instance-trust-af-ipv4] route-distinguisher 100:1
[CSS-vpn-instance-trust-af-ipv4] vpn-target 111:1 both
[CSS-vpn-instance-trust-af-ipv4] quit
[CSS-vpn-instance-trust] quit
[CSS] ip vpn-instance dmz //Create VPN instance dmz.
[CSS-vpn-instance-dmz] ipv4-family
[CSS-vpn-instance-dmz-af-ipv4] route-distinguisher 200:1
[CSS-vpn-instance-dmz-af-ipv4] vpn-target 211:1 both
[CSS-vpn-instance-dmz-af-ipv4] quit
[CSS-vpn-instance-dmz] quit
[CSS] interface vlanif 201
[CSS-Vlanif201] ip address 10.3.1.4 24 //Configure an IP address for VLANIF201. It is not bound to a VPN instance and belongs to the virtual switch Public.
[CSS-Vlanif201] quit
[CSS] interface vlanif 202
[CSS-Vlanif202] ip binding vpn-instance trust //Bind VLANIF202 to trust.
[CSS-Vlanif202] ip address 10.3.2.4 24 //Configure an IP address for VLANIF202.
[CSS-Vlanif202] quit
[CSS] interface vlanif 203
[CSS-Vlanif203] ip binding vpn-instance dmz //Bind VLANIF203 to dmz.
[CSS-Vlanif203] ip address 10.3.3.4 24 //Configure an IP address for VLANIF203.
[CSS-Vlanif203] quit
[CSS] interface vlanif 204
[CSS-Vlanif204] ip binding vpn-instance trust //Bind VLANIF204 to trust.
[CSS-Vlanif204] ip address 10.1.1.2 24 //Configure an IP address for VLANIF204.
[CSS-Vlanif204] quit
[CSS] interface vlanif 205
[CSS-Vlanif205] ip binding vpn-instance dmz //Bind VLANIF205 to dmz.
[CSS-Vlanif205] ip address 10.1.2.2 24 //Configure an IP address for VLANIF205.
[CSS-Vlanif205] quit
- Configure traffic diversion on the core switch.
[CSS] ip route-static 1.1.1.1 32 10.3.1.1 //Static route to an address in the NAT address pool of the NGFW Modules; the next hop is the virtual IP address of upstream VRRP group 1.
[CSS] ip route-static 1.1.1.2 32 10.3.1.1 //Static route to the second address in the NAT address pool; same next hop.
[CSS] ip route-static 1.1.1.3 32 10.3.1.1 //Static route to the global address of the NAT server configured on the NGFW Modules; the next hop is the virtual IP address of upstream VRRP group 1.
[CSS] ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1 //Default route on the virtual switch trust; the next hop is the virtual IP address of VRRP group 2.
[CSS] ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1 //Default route on the virtual switch dmz; the next hop is the virtual IP address of VRRP group 3.
[CSS] ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1 //Route from the Trust zone to the DMZ. 10.1.2.1 is the IP address of the VLANIF205 peer on the DMZ access switch.
[CSS] ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1 //Route from the DMZ to the Trust zone. 10.1.1.1 is the IP address of the VLANIF204 peer on the Trust access switch.
In the example, NAT is configured on the NGFW Modules. Therefore, configure static routes from the Public virtual switch to the Trust zone and DMZ, and the destination IP addresses in the routes should be post-NAT public IP addresses. If NAT is not configured on the NGFW Modules, the destination IP addresses in the routes must be private IP addresses respectively in the Trust zone and DMZ when you configure static routes from the Public virtual switch to the two zones.
In the example, communication packets between the Trust zone and DMZ are not processed by the NGFW Modules. If the enterprise requires that the NGFW Modules process the communication packets between the Trust zone and DMZ, set the next hop to the IP address of the downlink VRRP group on the NGFW Modules when you configure the route for the communications between the Trust zone and DMZ.
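The Deployment Solution describes the routing design in words; the model below walks a packet through it hop by hop so that the two properties that matter for security can be checked offline: every Trust-to-Internet and Internet-to-DMZ path must cross the NGFW Module, and a packet to a NAT pool address with no matching session must be swallowed by the black-hole route rather than bounce between the switch and the firewall. This is an added example written for this page, not Huawei code or command output. The route tables are the static routes configured above (the 10.3.x.1 next hops are the VRRP virtual IP addresses, so they resolve to the active module, modelled as one node "ngfw"); the default route of the virtual switch Public toward the ISP and the routes of the trust and dmz virtual switches toward their access switches are not shown on this page and are marked ASSUMED.

```python
# Added example (not Huawei code): a hop-by-hop model of the static-route
# traffic diversion on this page. Each node holds (prefix, next hop) pairs;
# next hops that are not modelled nodes (the uplink, the access switches)
# end the trace, "NULL0" is a black-hole route.
import ipaddress

ROUTES = {
    "css-public": [                        # global routing table of the CSS
        ("1.1.1.1/32", "10.3.1.1"), ("1.1.1.2/32", "10.3.1.1"),
        ("1.1.1.3/32", "10.3.1.1"),
        ("0.0.0.0/0", "uplink"),           # ASSUMED: default route to the ISP
    ],
    "css-trust": [                         # VPN instance trust
        ("0.0.0.0/0", "10.3.2.1"),
        ("192.168.2.0/24", "10.1.2.1"),    # inter-VRF route to the DMZ access switch
        ("192.168.1.0/24", "10.1.1.1"),    # ASSUMED: route to the Trust access switch
    ],
    "css-dmz": [                           # VPN instance dmz
        ("0.0.0.0/0", "10.3.3.1"),
        ("192.168.1.0/24", "10.1.1.1"),
        ("192.168.2.0/24", "10.1.2.1"),    # ASSUMED: route to the DMZ access switch
    ],
    "ngfw": [
        ("0.0.0.0/0", "10.3.1.4"),
        ("192.168.1.0/24", "10.3.2.4"), ("192.168.2.0/24", "10.3.3.4"),
        ("1.1.1.1/32", "NULL0"), ("1.1.1.2/32", "NULL0"), ("1.1.1.3/32", "NULL0"),
    ],
}
# Which node answers for each next-hop address.
OWNER = {"10.3.1.1": "ngfw", "10.3.2.1": "ngfw", "10.3.3.1": "ngfw",            # VRRP VIPs
         "10.3.1.4": "css-public", "10.3.2.4": "css-trust", "10.3.3.4": "css-dmz",  # VLANIF201-203
         "10.1.1.1": "trust-access", "10.1.2.1": "dmz-access"}                   # VLANIF204/205 peers
NAT_SERVER = {"1.1.1.3": "192.168.2.8"}   # destination NAT performed on the firewall


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns the next hop or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(node, dst, session=None, routes=ROUTES, max_hops=16):
    """Forward a packet from `node` toward `dst` and return (verdict, path).
    `session` is the reverse translation (public -> private) of an existing
    source-NAT session, which the firewall applies like its NAT server entry."""
    nat = {**NAT_SERVER, **(session or {})}
    path, seen = [node], set()
    for _ in range(max_hops):
        if node == "ngfw":
            dst = nat.get(dst, dst)            # DNAT or session match on the firewall
        if (node, dst) in seen:
            return "LOOP", path
        seen.add((node, dst))
        nh = lookup(routes[node], dst)
        if nh is None or nh == "NULL0":
            return "DROPPED", path
        nxt = OWNER.get(nh, nh)
        path.append(nxt)
        if nxt not in routes:
            return "DELIVERED", path
        node = nxt
    return "LOOP", path


def without_blackholes(routes=ROUTES):
    """The same topology with the NGFW Module's NULL0 routes removed."""
    return {n: [r for r in t if r[1] != "NULL0"] for n, t in routes.items()}


if __name__ == "__main__":
    cases = [("Trust -> Internet", "css-trust", "3.3.3.3", None, ROUTES),
             ("Internet reply to a pool address", "css-public", "1.1.1.2",
              {"1.1.1.2": "192.168.1.8"}, ROUTES),
             ("Internet -> NAT server", "css-public", "1.1.1.3", None, ROUTES),
             ("Trust -> DMZ (bypasses the firewall)", "css-trust", "192.168.2.8", None, ROUTES),
             ("Idle pool address, black hole present", "css-public", "1.1.1.1", None, ROUTES),
             ("Idle pool address, black hole removed", "css-public", "1.1.1.1", None,
              without_blackholes())]
    for label, start, dst, sess, rt in cases:
        verdict, path = trace(start, dst, sess, rt)
        print(f"{label}: {verdict} via {' -> '.join(path)}")
```

The last two cases show why the NULL0 routes on the NGFW Modules are not optional: a packet to 1.1.1.1 with no session (an Internet scan of an idle pool address, for instance) would otherwise follow the firewall's default route back to the virtual switch Public, whose /32 route sends it straight back to the firewall. The Trust-to-DMZ case never visits "ngfw", which is the behaviour described in the note above; pointing that inter-VRF route at the downlink VRRP addresses instead is what puts the firewall in that path.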
Verification
Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.
HRP_A[Module_A] display hrp state
 The firewall's config state is: ACTIVE
 Backup channel usage: 0.01%
 Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
 Current state of virtual routers configured as active:
   Eth-Trunk1.3 vrid 3 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
   Eth-Trunk1.2 vrid 2 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
   Eth-Trunk1.1 vrid 1 : active
     (GigabitEthernet1/0/0) : up
     (GigabitEthernet1/0/1) : up
Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
 Current Total Sessions : 1
 http  VPN: public --> public  192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
HRP_S[Module_B] display firewall session table
 Current Total Sessions : 1
 http  VPN: public --> public  Remote  192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.
Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
 Current Total Sessions : 1
 http  VPN: public --> public  2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
HRP_S[Module_B] display firewall session table
 Current Total Sessions : 1
 http  VPN: public --> public  Remote  2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
Configure a PC in the Trust zone to ping a public address continuously and run the shutdown command on Eth-Trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the number of lost ping packets. If the switchover works, NGFW Module_B becomes active and carries the services: the command prompt of NGFW Module_B changes from HRP_S to HRP_A and that of NGFW Module_A from HRP_A to HRP_S. No ping packets, or only a few (1 to 3, depending on the network), are lost.
Run the undo shutdown command on Eth-Trunk1 of NGFW Module_A and check the status switchover and lost ping packets again. If the switchover works, NGFW Module_A becomes active and takes the services back after the preemption delay (60s by default) expires: the command prompt of NGFW Module_A changes from HRP_S to HRP_A and that of NGFW Module_B from HRP_A to HRP_S. Again no ping packets, or only a few (1 to 3, depending on the network), are lost.
Configuration Scripts
Configuration scripts of the NGFW Modules:
NGFW Module_A:

#
 sysname Module_A
#
 hrp enable
 hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group addressgroup1
#
return

NGFW Module_B:

#
 sysname Module_B
#
 hrp enable
 hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
 hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group addressgroup1
#
return
Configuration script of CSS:
# ----Traffic diversion configuration----
vlan batch 201 to 205
#
ip vpn-instance dmz
 ipv4-family
  route-distinguisher 200:1
  vpn-target 211:1 export-extcommunity
  vpn-target 211:1 import-extcommunity
#
ip vpn-instance trust
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
interface Vlanif201
 ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
 ip binding vpn-instance trust
 ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
 ip binding vpn-instance dmz
 ip address 10.3.3.4 255.255.255.0
#
interface Vlanif204
 ip binding vpn-instance trust
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif205
 ip binding vpn-instance dmz
 ip address 10.1.2.2 255.255.255.0
#
interface Eth-Trunk2
 description To_TRUST
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 204
#
interface Eth-Trunk3
 description To_DMZ
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 205
#
interface Eth-Trunk5
 description To_NGFW_Module_A
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 205
#
interface Eth-Trunk6
 description To_NGFW_Module_B
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 201 to 205
#
interface XGigabitEthernet1/1/0/0
 eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
 eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
 eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
 eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1
ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1
ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1
ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1
#
return
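display hrp state shows whether the pair came up; the script below shows, before the configuration is loaded, whether it can. It parses the parts of the two NGFW Module scripts above that hot standby depends on and reports a VRRP group that exists on only one module, virtual IP addresses that differ, two modules that both claim the active role, a VRRP or heartbeat interface that is in no security zone, and a NAT pool or NAT server address that has no black-hole route. This is an added example written for this page, not Huawei code. The fixture is an excerpt of the Module_A script (the "#" separators, sysname, vlan-type, zone priority, policy and downstream route lines are left out; a complete script parses the same way), and the Module_B text is derived from it by the substitutions that distinguish the two scripts on this page.

```python
# Added example (not Huawei code): an offline consistency check for the two
# NGFW Module scripts of a hot-standby pair, to run before loading them.
import ipaddress, re

# Excerpt of NGFW Module_A's script from this page (constructed fixture; the
# lines that do not affect HRP, VRRP, zones or NAT routing are omitted).
MODULE_A = """\
 hrp enable
 hrp interface Eth-Trunk0
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
interface Eth-Trunk1.1
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
interface Eth-Trunk1.2
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
interface Eth-Trunk1.3
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
firewall zone trust
 add interface Eth-Trunk1.2
firewall zone untrust
 add interface Eth-Trunk1.1
firewall zone dmz
 add interface Eth-Trunk1.3
firewall zone hrpzone
 add interface Eth-Trunk0
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
"""
# Module_B's script on the page differs only in its real addresses and VRRP role.
MODULE_B = (MODULE_A.replace("10.10.0.1", "10.10.0.2").replace(" active", " standby")
            .replace("10.3.1.2 ", "10.3.1.3 ").replace("10.3.2.2 ", "10.3.2.3 ")
            .replace("10.3.3.2 ", "10.3.3.3 "))

def parse_vrp(text):
    """Extract HRP, interface, zone, NAT and black-hole facts from VRP-style config."""
    cfg = {"hrp": False, "hb": None, "ifaces": {}, "zoned": set(),
           "nat_ips": set(), "blackholes": set()}
    ctx = None  # the interface / zone / address-group block being read
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#" or not line:
            ctx = None
        elif line == "hrp enable":
            cfg["hrp"] = True
        elif m := re.match(r"hrp interface (\S+)", line):
            cfg["hb"] = m.group(1)
        elif m := re.match(r"interface (\S+)", line):
            ctx = cfg["ifaces"].setdefault(m.group(1), {"ip": None, "vrrp": {}})
        elif line.startswith("firewall zone "):
            ctx = cfg["zoned"]
        elif line.startswith("nat address-group "):
            ctx = cfg["nat_ips"]
        elif m := re.match(r"nat server .* global (\S+)", line):
            cfg["nat_ips"].add(m.group(1))
        elif m := re.match(r"ip route-static (\S+) 255\.255\.255\.255 NULL0", line):
            cfg["blackholes"].add(m.group(1))
        elif isinstance(ctx, dict) and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ctx["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif isinstance(ctx, dict) and (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (\w+)", line)):
            ctx["vrrp"][int(m.group(1))] = (m.group(2), m.group(3))
        elif ctx is cfg["zoned"] and (m := re.match(r"add interface (\S+)", line)):
            ctx.add(m.group(1))
        elif ctx is cfg["nat_ips"] and (m := re.match(r"section \d+ (\S+) (\S+)", line)):
            lo, hi = (int(ipaddress.ip_address(x)) for x in m.groups())
            ctx.update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
    return cfg

def check_pair(a, b):
    """Return findings for the pair; an empty list means it is consistent."""
    out = []
    for tag, c in (("A", a), ("B", b)):
        if not c["hrp"]:
            out.append(f"{tag}: hrp enable missing")
        if c["hb"] not in c["ifaces"] or c["ifaces"][c["hb"]]["ip"] is None:
            out.append(f"{tag}: heartbeat interface missing or unaddressed")
        for name, i in c["ifaces"].items():
            if (i["vrrp"] or name == c["hb"]) and name not in c["zoned"]:
                out.append(f"{tag}: {name} is in no security zone")
        for ip in sorted(c["nat_ips"] - c["blackholes"]):
            out.append(f"{tag}: NAT address {ip} has no NULL0 route (loop risk)")
    va = {(n, v): g for n, i in a["ifaces"].items() for v, g in i["vrrp"].items()}
    vb = {(n, v): g for n, i in b["ifaces"].items() for v, g in i["vrrp"].items()}
    for n, v in sorted(va.keys() | vb.keys()):
        if (n, v) not in va or (n, v) not in vb:
            out.append(f"VRRP vrid {v} on {n} exists on only one module")
        elif va[n, v][0] != vb[n, v][0]:
            out.append(f"VRRP vrid {v}: virtual IPs differ ({va[n, v][0]} vs {vb[n, v][0]})")
        elif {va[n, v][1], vb[n, v][1]} != {"active", "standby"}:
            out.append(f"VRRP vrid {v}: roles are not active/standby")
    for n in a["ifaces"].keys() & b["ifaces"].keys():
        ia, ib = a["ifaces"][n]["ip"], b["ifaces"][n]["ip"]
        if ia and ib and (ia.ip == ib.ip or ia.network != ib.network):
            out.append(f"{n}: {ia} and {ib} are not distinct addresses in one subnet")
    return out

if __name__ == "__main__":
    print(check_pair(parse_vrp(MODULE_A), parse_vrp(MODULE_B)) or "no findings")
```

The pair on this page produces no findings. To see the check work, change one side: a different virtual IP address on one module's vrid 2, a missing NULL0 route for 1.1.1.3, or "standby" replaced by "active" on Module_B each yield a finding that names the problem. The last check matters for the heartbeat as much as for the service interfaces: the two modules must hold distinct real addresses in the same subnet on every Eth-Trunk, or HRP and VRRP will never see each other.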