Connecting Firewalls to Egress Routers Directly
Networking Requirements
At the egress of a large campus network, the core switches connect directly to the upstream firewalls and reach the egress gateways through them. Two routers act as egress gateways and connect directly to the Internet. Two firewalls form a hot standby group and filter the service traffic entering and leaving the campus network. Two core switches form a CSS, which is the core of the campus network and also serves as the user gateway that allocates IP addresses to users. The service requirements are as follows:
- Users in department A can access the Internet, whereas users in department B cannot.
- Users on internal and external networks can access the HTTP server.
In this example, every two of four aggregation switches set up a stack (a total of two stacks, AGG1 and AGG2) and connect to core switches, which set up a CSS named CORE. For details about the networking below the core layer, see Campus Network Connectivity Deployment.
Device Requirements and Versions
| Location | Device Used in This Example | Version Used in This Example |
|---|---|---|
| Egress | AR6300 | V300R019C10 |
| Egress | USG6300E | V600R007C00 |
| Core layer | S12700E | V200R019C10 |
Deployment Roadmap
| Step | Deployment Roadmap | Devices Involved |
|---|---|---|
| 1 | Configure CSS, stacking, and MAD to improve device reliability. | Core switches |
| 2 | Configure Eth-Trunk interfaces to improve link reliability. | Core switches and firewalls |
| 3 | Configure IP addresses for interfaces. | Egress routers, firewalls, and core switches |
| 4 | Configure routing to enable network connectivity. | Egress routers, firewalls, and core switches |
| 5 | Configure security zones and security policies for interfaces so that service traffic can pass through firewalls. | Firewalls |
| 6 | Configure HRP on firewalls to implement load balancing. | Firewalls |
| 7 | Configure NAT to enable users in department A to access the Internet and external network users to access the HTTP server on the internal network. | Egress routers |
Data Plan
| Device | Interface Number | Member Interface | VLANIF Interface | IP Address |
|---|---|---|---|---|
| RouterA | GE0/0/1 | - | - | 10.1.1.1/24 |
| RouterA | GE0/0/2 | - | - | 8.8.8.1/24 |
| RouterB | GE0/0/1 | - | - | 10.2.1.1/24 |
| RouterB | GE0/0/2 | - | - | 9.9.9.1/24 |
| FWA | GE1/0/1 | - | - | 10.1.1.2/24 |
| FWA | GE1/0/7 | - | - | 10.10.1.1/24 |
| FWA | Eth-Trunk 10 | GE2/0/3, GE2/0/4 | - | 10.3.1.1/24 |
| FWB | GE1/0/1 | - | - | 10.2.1.2/24 |
| FWB | GE1/0/7 | - | - | 10.10.1.2/24 |
| FWB | Eth-Trunk 20 | GE2/0/3, GE2/0/4 | - | 10.4.1.1/24 |
| CORE | XGE1/1/0/5 | - | VLANIF 300 | 10.100.1.1/24 |
| CORE | Eth-Trunk 10 | GE1/3/0/3, GE2/3/0/3 | - | 10.3.1.2/24 |
| CORE | Eth-Trunk 20 | GE1/3/0/4, GE2/3/0/4 | - | 10.4.1.2/24 |
| HTTP server | Ethernet interface | - | - | 10.100.1.10/24 |
Deployment Procedure
- Configure the CSS and MAD functions on core switches. For details, see Typical CSS and Stack Deployment.
- Configure Eth-Trunk interfaces.
- Configure the firewalls.
# On FWA, create Eth-Trunk 10 to connect FWA to CORE, and add member interfaces to Eth-Trunk 10.
```
<sysname> system-view
[sysname] sysname FWA
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] mode lacp-static
[FWA-Eth-Trunk10] quit
[FWA] interface gigabitethernet 2/0/3
[FWA-GigabitEthernet2/0/3] eth-trunk 10
[FWA-GigabitEthernet2/0/3] quit
[FWA] interface gigabitethernet 2/0/4
[FWA-GigabitEthernet2/0/4] eth-trunk 10
[FWA-GigabitEthernet2/0/4] quit
```
# On FWB, create Eth-Trunk 20 to connect FWB to CORE, and add member interfaces to Eth-Trunk 20.
```
<sysname> system-view
[sysname] sysname FWB
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] mode lacp-static
[FWB-Eth-Trunk20] quit
[FWB] interface gigabitethernet 2/0/3
[FWB-GigabitEthernet2/0/3] eth-trunk 20
[FWB-GigabitEthernet2/0/3] quit
[FWB] interface gigabitethernet 2/0/4
[FWB-GigabitEthernet2/0/4] eth-trunk 20
[FWB-GigabitEthernet2/0/4] quit
```
- Configure CORE.
# On CORE, create Eth-Trunk 10 to connect CORE to FWA, and add member interfaces to Eth-Trunk 10.
```
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] mode lacp
[CORE-Eth-Trunk10] quit
[CORE] interface gigabitethernet 1/3/0/3
[CORE-GigabitEthernet1/3/0/3] eth-trunk 10
[CORE-GigabitEthernet1/3/0/3] quit
[CORE] interface gigabitethernet 2/3/0/3
[CORE-GigabitEthernet2/3/0/3] eth-trunk 10
[CORE-GigabitEthernet2/3/0/3] quit
```
# On CORE, create Eth-Trunk 20 to connect CORE to FWB, and add member interfaces to Eth-Trunk 20.
```
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] mode lacp
[CORE-Eth-Trunk20] quit
[CORE] interface gigabitethernet 1/3/0/4
[CORE-GigabitEthernet1/3/0/4] eth-trunk 20
[CORE-GigabitEthernet1/3/0/4] quit
[CORE] interface gigabitethernet 2/3/0/4
[CORE-GigabitEthernet2/3/0/4] eth-trunk 20
[CORE-GigabitEthernet2/3/0/4] quit
```
- Configure IP addresses for interfaces.
# Configure RouterA.
```
<HUAWEI> system-view
[HUAWEI] sysname RouterA
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 1.1.1.1 32 //Configure an IP address for loopback 0, which is also used as the router ID of RouterA.
[RouterA-LoopBack0] quit
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //Configure an IP address for the interface connected to FWA.
[RouterA-GigabitEthernet0/0/1] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] ip address 8.8.8.1 24 //Configure an IP address for the interface connected to the Internet.
[RouterA-GigabitEthernet0/0/2] quit
```
# Configure RouterB.
```
<HUAWEI> system-view
[HUAWEI] sysname RouterB
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 2.2.2.2 32 //Configure an IP address for loopback 0, which is also used as the router ID of RouterB.
[RouterB-LoopBack0] quit
[RouterB] interface gigabitethernet 0/0/1
[RouterB-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address for the interface connected to FWB.
[RouterB-GigabitEthernet0/0/1] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] ip address 9.9.9.1 24 //Configure an IP address for the interface connected to the Internet.
[RouterB-GigabitEthernet0/0/2] quit
```
# Configure FWA.
```
[FWA] interface loopback 0
[FWA-LoopBack0] ip address 3.3.3.3 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWA.
[FWA-LoopBack0] quit
[FWA] interface gigabitethernet 1/0/1
[FWA-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for the interface connected to RouterA.
[FWA-GigabitEthernet1/0/1] quit
[FWA] interface gigabitethernet 1/0/7
[FWA-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address for the heartbeat interface.
[FWA-GigabitEthernet1/0/7] quit
[FWA] interface eth-trunk 10
[FWA-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWA-Eth-Trunk10] quit
```
# Configure FWB.
```
[FWB] interface loopback 0
[FWB-LoopBack0] ip address 4.4.4.4 32 //Configure an IP address for loopback 0, which is also used as the router ID of FWB.
[FWB-LoopBack0] quit
[FWB] interface gigabitethernet 1/0/1
[FWB-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for the interface connected to RouterB.
[FWB-GigabitEthernet1/0/1] quit
[FWB] interface gigabitethernet 1/0/7
[FWB-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address for the heartbeat interface.
[FWB-GigabitEthernet1/0/7] quit
[FWB] interface eth-trunk 20
[FWB-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-Trunk interface connected to CORE.
[FWB-Eth-Trunk20] quit
```
# Configure CORE.
```
[CORE] interface loopback 0
[CORE-LoopBack0] ip address 5.5.5.5 32 //Configure an IP address for loopback 0, which is also used as the router ID of CORE.
[CORE-LoopBack0] quit
[CORE] interface eth-trunk 10
[CORE-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk interface works in Layer 2 mode. Run undo portswitch to switch it to Layer 3 mode so that it can carry an IP address.
[CORE-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for Eth-Trunk 10 connected to FWA.
[CORE-Eth-Trunk10] quit
[CORE] interface eth-trunk 20
[CORE-Eth-Trunk20] undo portswitch
[CORE-Eth-Trunk20] ip address 10.4.1.2 24 //Configure an IP address for Eth-Trunk 20 connected to FWB.
[CORE-Eth-Trunk20] quit
[CORE] vlan batch 300
[CORE] interface xgigabitethernet 1/1/0/5
[CORE-XGigabitEthernet1/1/0/5] port link-type access
[CORE-XGigabitEthernet1/1/0/5] port default vlan 300
[CORE-XGigabitEthernet1/1/0/5] quit
[CORE] interface vlanif 300
[CORE-Vlanif300] ip address 10.100.1.1 24 //Configure the gateway address of the network segment where the HTTP server resides.
[CORE-Vlanif300] quit
```
- Configure routing.
- Place the interfaces connecting the routers to the firewalls and the firewalls to the core switches in the OSPF backbone area, Area 0.
# Configure RouterA.
```
[RouterA] router id 1.1.1.1
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Advertise the network segment connected to FWA into the OSPF backbone area.
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
```
# Configure RouterB.
```
[RouterB] router id 2.2.2.2
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Advertise the network segment connected to FWB into the OSPF backbone area.
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
```
# Configure FWA.
```
[FWA] router id 3.3.3.3
[FWA] ospf 1
[FWA-ospf-1] area 0
[FWA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Advertise the network segment connected to RouterA into the OSPF backbone area.
[FWA-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Advertise the network segment connected to CORE into the OSPF backbone area.
[FWA-ospf-1-area-0.0.0.0] quit
[FWA-ospf-1] quit
```
# Configure FWB.
```
[FWB] router id 4.4.4.4
[FWB] ospf 1
[FWB-ospf-1] area 0
[FWB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Advertise the network segment connected to RouterB into the OSPF backbone area.
[FWB-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Advertise the network segment connected to CORE into the OSPF backbone area.
[FWB-ospf-1-area-0.0.0.0] quit
[FWB-ospf-1] quit
```
# Configure CORE.
```
[CORE] router id 5.5.5.5
[CORE] ospf 1
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Advertise the network segment connected to FWA into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Advertise the network segment connected to FWB into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] network 10.100.1.0 0.0.0.255 //Advertise the network segment connected to the HTTP server into the OSPF backbone area.
[CORE-ospf-1-area-0.0.0.0] quit
[CORE-ospf-1] quit
```
- Configure default routes.
# On CORE, configure two default routes with the next hops pointing to the firewalls.
```
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
```
# On FWA, configure a default route with the next hop pointing to RouterA.
```
[FWA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
```
# On FWB, configure a default route with the next hop pointing to RouterB.
```
[FWB] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
```
# On RouterA, configure a default route with the next hop being the IP address of the connected carrier network device (public network gateway).
```
[RouterA] ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
```
# On RouterB, configure a default route with the next hop being the IP address of the connected carrier network device (public network gateway).
```
[RouterB] ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
```
- Configure security zones, add interfaces to security zones, and configure security policies on firewalls.
# Configure FWA.
```
[FWA] firewall zone trust
[FWA-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the internal network to the trusted zone.
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the Internet to the untrusted zone.
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface gigabitethernet 1/0/7 //Add the heartbeat interface to the DMZ.
[FWA-zone-dmz] quit
[FWA] security-policy
[FWA-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
[FWA-policy-security-rule-policy_dmz] source-zone local
[FWA-policy-security-rule-policy_dmz] source-zone dmz
[FWA-policy-security-rule-policy_dmz] destination-zone local
[FWA-policy-security-rule-policy_dmz] destination-zone dmz
[FWA-policy-security-rule-policy_dmz] action permit
[FWA-policy-security-rule-policy_dmz] quit
[FWA-policy-security] rule name trust_to_untrust //Allow internal network users in department A to access the Internet.
[FWA-policy-security-rule-trust_to_untrust] source-zone trust
[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[FWA-policy-security-rule-trust_to_untrust] action permit
[FWA-policy-security-rule-trust_to_untrust] quit
[FWA-policy-security] rule name trust_to_untrust1 //Prohibit internal network users in department B from accessing the Internet.
[FWA-policy-security-rule-trust_to_untrust1] source-zone trust
[FWA-policy-security-rule-trust_to_untrust1] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust1] source-address 192.168.2.0 24
[FWA-policy-security-rule-trust_to_untrust1] action deny
[FWA-policy-security-rule-trust_to_untrust1] quit
[FWA-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
[FWA-policy-security-rule-untrust_to_trust] source-zone untrust
[FWA-policy-security-rule-untrust_to_trust] destination-zone trust
[FWA-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWA-policy-security-rule-untrust_to_trust] action permit
[FWA-policy-security-rule-untrust_to_trust] quit
[FWA-policy-security] quit
```
# Configure FWB.
```
[FWB] firewall zone trust
[FWB-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the internal network to the trusted zone.
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the Internet to the untrusted zone.
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface gigabitethernet 1/0/7 //Add the heartbeat interface to the DMZ.
[FWB-zone-dmz] quit
[FWB] security-policy
[FWB-policy-security] rule name policy_dmz //Allow mutual access between the local zone and DMZ.
[FWB-policy-security-rule-policy_dmz] source-zone local
[FWB-policy-security-rule-policy_dmz] source-zone dmz
[FWB-policy-security-rule-policy_dmz] destination-zone local
[FWB-policy-security-rule-policy_dmz] destination-zone dmz
[FWB-policy-security-rule-policy_dmz] action permit
[FWB-policy-security-rule-policy_dmz] quit
[FWB-policy-security] rule name trust_to_untrust //Allow internal network users in department A to access the Internet.
[FWB-policy-security-rule-trust_to_untrust] source-zone trust
[FWB-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[FWB-policy-security-rule-trust_to_untrust] action permit
[FWB-policy-security-rule-trust_to_untrust] quit
[FWB-policy-security] rule name trust_to_untrust1 //Prohibit internal network users in department B from accessing the Internet.
[FWB-policy-security-rule-trust_to_untrust1] source-zone trust
[FWB-policy-security-rule-trust_to_untrust1] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust1] source-address 192.168.2.0 24
[FWB-policy-security-rule-trust_to_untrust1] action deny
[FWB-policy-security-rule-trust_to_untrust1] quit
[FWB-policy-security] rule name untrust_to_trust //Allow external network users to access the HTTP server.
[FWB-policy-security-rule-untrust_to_trust] source-zone untrust
[FWB-policy-security-rule-untrust_to_trust] destination-zone trust
[FWB-policy-security-rule-untrust_to_trust] destination-address 10.100.1.0 24
[FWB-policy-security-rule-untrust_to_trust] action permit
[FWB-policy-security-rule-untrust_to_trust] quit
[FWB-policy-security] quit
```
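The four rules above are evaluated from top to bottom, and a flow that matches none of them falls through to the firewall's implicit default deny. The following Python script is an added example, not part of the Huawei documentation: it parses the security-policy section of the FWA configuration file as printed later on this page (embedded inline as constructed sample input) and evaluates sample flows against it. Zone names, rule names and addresses are the page's own; the `Rule` class, the parser and the sample flows are ours, and the first-match/default-deny semantics are a model of the platform's behaviour, not its implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample input: the security-policy section of the FWA
# configuration file shown on this page, one command per line.
FWA_SECURITY_POLICY = """\
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name trust_to_untrust1
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action deny
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.100.1.0 mask 255.255.255.0
  action permit
"""


@dataclass
class Rule:
    name: str
    src_zones: set = field(default_factory=set)
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)
    dst_nets: list = field(default_factory=list)
    action: str = "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        # A clause that is absent from a rule matches anything.
        if self.src_zones and src_zone not in self.src_zones:
            return False
        if self.dst_zones and dst_zone not in self.dst_zones:
            return False
        if self.src_nets and not any(src_ip in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(dst_ip in n for n in self.dst_nets):
            return False
        return True


def _network(words):
    # Accepts both "192.168.1.0 mask 255.255.255.0" (configuration file form)
    # and "192.168.1.0 24" (command-line form).
    mask = words[2] if words[1] == "mask" else words[1]
    return ipaddress.ip_network(f"{words[0]}/{mask}", strict=False)


def parse_security_policy(text):
    """Parse the rules of a security-policy section, in configured order."""
    rules, current = [], None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["rule", "name"]:
            current = Rule(name=words[2])
            rules.append(current)
        elif current is None:
            continue
        elif words[0] == "source-zone":
            current.src_zones.add(words[1])
        elif words[0] == "destination-zone":
            current.dst_zones.add(words[1])
        elif words[0] == "source-address":
            current.src_nets.append(_network(words[1:]))
        elif words[0] == "destination-address":
            current.dst_nets.append(_network(words[1:]))
        elif words[0] == "action":
            current.action = words[1]
    return rules


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First-match evaluation; the implicit final rule denies everything."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src, dst):
            return rule.action, rule.name
    return "deny", "default"


if __name__ == "__main__":
    rules = parse_security_policy(FWA_SECURITY_POLICY)
    for flow in [("trust", "untrust", "192.168.1.10", "203.0.113.5"),
                 ("trust", "untrust", "192.168.2.10", "203.0.113.5"),
                 ("untrust", "trust", "203.0.113.5", "10.100.1.10"),
                 ("untrust", "trust", "203.0.113.5", "192.168.1.10")]:
        print(flow, "->", evaluate(rules, *flow))
```

Running it shows that department B is denied by its explicit rule, while a host in any other trusted subnet (192.168.3.10, say) is denied by the default rule; the explicit deny therefore records intent and gives the denial a named rule in hit counters rather than changing the outcome. It also shows that untrust_to_trust permits any service from any Internet source to the whole 10.100.1.0/24, not only HTTP to 10.100.1.10; a tighter rule would name the server host as the destination address and restrict the service to HTTP.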
- Configure HRP on firewalls.
# Configure a VGMP group on FWA to monitor uplink and downlink service interfaces.
```
[FWA] hrp track interface gigabitethernet 1/0/1 //Configure a VGMP group to monitor the uplink interface.
[FWA] hrp track interface eth-trunk 10 //Configure a VGMP group to monitor the downlink interface.
```
# On FWA, adjust the OSPF cost based on the HRP status.
```
[FWA] hrp adjust ospf-cost enable
```
# Configure a VGMP group on FWB to monitor uplink and downlink service interfaces.
```
[FWB] hrp track interface gigabitethernet 1/0/1
[FWB] hrp track interface eth-trunk 20
```
# On FWB, adjust the OSPF cost based on the HRP status.
```
[FWB] hrp adjust ospf-cost enable
```
# On FWA, specify a heartbeat interface and enable HRP.
```
[FWA] hrp interface gigabitethernet 1/0/7 remote 10.10.1.2 //Specify the heartbeat interface and the peer's heartbeat address.
[FWA] hrp enable //Enable HRP.
HRP_M[FWA] hrp mirror session enable //Enable quick session backup.
```
After a hot standby group is successfully established between the active and standby firewalls, the configurations and sessions on the active firewall are automatically synchronized to the standby firewall.
# On FWB, specify a heartbeat interface and enable HRP.
```
[FWB] hrp interface gigabitethernet 1/0/7 remote 10.10.1.1
[FWB] hrp enable
HRP_B[FWB] hrp mirror session enable
```
- Configure NAT on egress routers.
Assume that the carrier allocates the following public IP addresses to enterprise users: 8.8.8.2 to 8.8.8.10 and 9.9.9.2 to 9.9.9.10. IP addresses 8.8.8.2 and 9.9.9.2 are used by RouterA and RouterB respectively to connect to the Internet. IP addresses 8.8.8.10 and 9.9.9.10 are the public IP addresses used by external network users to access the HTTP server. Internal network users use the remaining public IP addresses to access the Internet.
# Configure outbound NAT on RouterA to translate private IP addresses of users in department A into public IP addresses so that the users can access the Internet.
```
[RouterA] nat address-group 1 8.8.8.3 8.8.8.9 //Configure a NAT address pool, which includes the public IP addresses allocated by the carrier.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure an IP address segment for users to access the Internet.
[RouterA-acl-basic-2000] quit
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Apply NAT to the interface connected to the Internet.
[RouterA-GigabitEthernet0/0/2] quit
```
# Configure outbound NAT on RouterB to translate the private IP addresses of users in department A into public IP addresses.
```
[RouterB] nat address-group 1 9.9.9.3 9.9.9.9 //Configure a NAT address pool, which includes the public IP addresses allocated by the carrier. 9.9.9.10 is reserved for the HTTP server and is kept out of the pool.
[RouterB] acl number 2000
[RouterB-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure an IP address segment for users to access the Internet.
[RouterB-acl-basic-2000] quit
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Apply NAT to the interface connected to the Internet.
[RouterB-GigabitEthernet0/0/2] quit
```
# Configure NAT Server on RouterA and RouterB so that external network users can access the HTTP server on the internal network.
```
[RouterA] interface gigabitethernet 0/0/2
[RouterA-GigabitEthernet0/0/2] nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
[RouterA-GigabitEthernet0/0/2] quit
```
```
[RouterB] interface gigabitethernet 0/0/2
[RouterB-GigabitEthernet0/0/2] nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
[RouterB-GigabitEthernet0/0/2] quit
```
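The two NAT features above behave quite differently: `nat outbound` translates only the flows selected by ACL 2000 and draws public addresses from the address group, whereas `nat server protocol tcp global ... inside ...` with no port maps every TCP port of the public address to the server. The following Python model is an added example, not Huawei's code and not the AR router's implementation: `acl_permits` applies the wildcard-mask semantics of a basic ACL rule, and `EgressNat` models the two features with RouterA's values from this page (pool 8.8.8.3 to 8.8.8.9, ACL 2000, NAT Server 8.8.8.10 to 10.100.1.10). The port allocation scheme, the session tables and the sample flows are ours.

```python
import ipaddress
import itertools


def acl_permits(ip, base, wildcard):
    """Match a basic ACL 'rule permit source <base> <wildcard>'. A 1 bit in
    the wildcard means that address bit is ignored, so 0.0.0.255 selects a
    whole /24 (the wildcard is the inverse of a netmask, not a netmask)."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(base)) & care)


class EgressNat:
    """Model of the two NAT features configured on RouterA (our abstraction
    for illustration, not the router's implementation):
    - nat outbound <acl> address-group: ACL-selected dynamic source NAT with
      port translation, drawing public addresses from the address group;
    - nat server protocol tcp global G inside I: a static mapping of every
      TCP port of G to the same port of I (no port is given on the page)."""

    def __init__(self, pool_first, pool_last, acl, server_global, server_inside):
        first, last = (int(ipaddress.ip_address(a)) for a in (pool_first, pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.acl = acl                        # list of (base, wildcard) permit rules
        self.server_global, self.server_inside = server_global, server_inside
        self.next_port = itertools.count(1024)
        self.by_public = {}                   # (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.by_private = {}                  # reverse index for existing sessions

    def outbound(self, src_ip, src_port):
        """Translate the source of a packet leaving toward the Internet.
        Returns (public_ip, public_port), or None when the ACL does not
        select the flow: such packets would be forwarded with their private
        source untouched, which is why department B is stopped by the
        firewall policy rather than by the NAT ACL."""
        if not any(acl_permits(src_ip, base, wc) for base, wc in self.acl):
            return None
        key = (src_ip, src_port)
        if key not in self.by_private:
            port = next(self.next_port)
            public = (self.pool[port % len(self.pool)], port)
            self.by_private[key] = public
            self.by_public[public] = key
        return self.by_private[key]

    def inbound(self, dst_ip, dst_port):
        """Map the destination of a TCP packet arriving from the Internet to
        the inside host; None when no static or dynamic mapping exists."""
        if dst_ip == self.server_global:
            return self.server_inside, dst_port
        return self.by_public.get((dst_ip, dst_port))


def router_a():
    """RouterA as configured on this page: pool 8.8.8.3-8.8.8.9, ACL 2000
    selecting department A, NAT Server 8.8.8.10 -> 10.100.1.10."""
    return EgressNat("8.8.8.3", "8.8.8.9", [("192.168.1.0", "0.0.0.255")],
                     "8.8.8.10", "10.100.1.10")


if __name__ == "__main__":
    nat = router_a()
    print(nat.outbound("192.168.1.10", 40000))   # department A: translated
    print(nat.outbound("192.168.2.10", 40000))   # department B: None
    print(nat.inbound("8.8.8.10", 80))           # HTTP server
    print(nat.inbound("8.8.8.10", 22))           # every TCP port reaches the server
```

The last call is the point a defender should notice: with no port in the NAT Server command, and with the firewall's untrust_to_trust rule permitting any service to 10.100.1.0/24, every TCP service listening on 10.100.1.10 is reachable from the Internet. Restricting the NAT Server mapping to the HTTP port and the security policy to the HTTP service keeps the exposure to what the requirement actually asks for.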
Verifying the Deployment
- Users in department A can access the Internet, whereas users in department B cannot.
- Users in departments A and B and external network users can ping the HTTP server.
Configuration Files
- RouterA configuration file
```
#
 sysname RouterA
#
 router id 1.1.1.1
#
acl number 2000
 rule permit source 192.168.1.0 0.0.0.255
#
 nat address-group 1 8.8.8.3 8.8.8.9
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 8.8.8.1 255.255.255.0
 nat outbound 2000 address-group 1
 nat server protocol tcp global 8.8.8.10 inside 10.100.1.10
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 8.8.8.2
#
return
```
- RouterB configuration file
```
#
 sysname RouterB
#
 router id 2.2.2.2
#
acl number 2000
 rule permit source 192.168.1.0 0.0.0.255
#
 nat address-group 1 9.9.9.3 9.9.9.9
#
interface GigabitEthernet0/0/1
 ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 9.9.9.1 255.255.255.0
 nat outbound 2000 address-group 1
 nat server protocol tcp global 9.9.9.10 inside 10.100.1.10
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 9.9.9.2
#
return
```
- FWA configuration file
```
#
 sysname FWA
#
 router id 3.3.3.3
#
 hrp mirror session enable
 hrp adjust ospf-cost enable
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
 hrp track interface GigabitEthernet1/0/1
 hrp track interface Eth-Trunk 10
#
interface Eth-Trunk10
 ip address 10.3.1.1 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
 undo shutdown
 ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/3
 undo shutdown
 eth-trunk 10
#
interface GigabitEthernet2/0/4
 undo shutdown
 eth-trunk 10
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk10
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name trust_to_untrust1
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action deny
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.100.1.0 mask 255.255.255.0
  action permit
#
return
```
- FWB configuration file
```
#
 sysname FWB
#
 router id 4.4.4.4
#
 hrp mirror session enable
 hrp adjust ospf-cost enable
 hrp enable
 hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
 hrp track interface GigabitEthernet1/0/1
 hrp track interface Eth-Trunk 20
#
interface Eth-Trunk20
 ip address 10.4.1.1 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/7
 undo shutdown
 ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet2/0/3
 undo shutdown
 eth-trunk 20
#
interface GigabitEthernet2/0/4
 undo shutdown
 eth-trunk 20
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk20
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
ospf 1
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
security-policy
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name trust_to_untrust1
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 mask 255.255.255.0
  action deny
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.100.1.0 mask 255.255.255.0
  action permit
#
return
```
- CORE configuration file
```
#
 sysname CORE
#
 router id 5.5.5.5
#
vlan batch 300
#
ip pool poola
 gateway-list 192.168.1.1
 network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
 gateway-list 192.168.2.1
 network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif300
 ip address 10.100.1.1 255.255.255.0
#
interface Eth-Trunk10
 undo portswitch
 ip address 10.3.1.2 255.255.255.0
 mode lacp-static
#
interface Eth-Trunk20
 undo portswitch
 ip address 10.4.1.2 255.255.255.0
 mode lacp-static
#
interface GigabitEthernet1/3/0/3
 eth-trunk 10
#
interface GigabitEthernet1/3/0/4
 eth-trunk 20
#
interface XGigabitEthernet1/1/0/5
 port link-type access
 port default vlan 300
#
interface XGigabitEthernet1/1/0/10
 mad detect mode direct
#
interface GigabitEthernet2/3/0/3
 eth-trunk 10
#
interface GigabitEthernet2/3/0/4
 eth-trunk 20
#
interface XGigabitEthernet2/1/0/10
 mad detect mode direct
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.3.1.0 0.0.0.255
  network 10.4.1.0 0.0.0.255
  network 10.100.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return
```