Configuring a Stack-based 3-Layer Data Center Network
Networking Requirements
On a 3-Layer network as shown in Figure 4-4, the core layer contains two CE12800 switches. The two switches are connected through an Eth-Trunk with two 10GE member links for link backup. The aggregation layer has a CE12800 stack. The stack connects to upstream and downstream devices through inter-chassis Eth-Trunk interfaces. The Eth-Trunks are configured to preferentially forward local traffic so that loads on inter-chassis links are reduced. VRF instances are created on the aggregation layer to separate service network routes and public network routes. Two firewalls are connected to CE12800 switches in bypass mode, and work in hot standby mode to improve reliability.
Device Name | Interface Number | IP Address | Interconnected Device and Interface Number
---|---|---|---
Router | XGigabitEthernet1/0/1 | 10.10.7.2/24 | CE12800-1: 10GE1/0/1
Router | XGigabitEthernet1/0/2 | 10.10.8.2/24 | CE12800-2: 10GE1/0/1
CE12800-1 | 10GE1/0/1 | 10.10.7.1/24 | Router: XGigabitEthernet1/0/1
CE12800-1 | Eth-Trunk1 | 10.10.6.1/24 | CE12800-2: Eth-Trunk1
CE12800-1 | Eth-Trunk8 | 10.10.4.2/24 | CSS: Eth-Trunk8
CE12800-2 | 10GE1/0/1 | 10.10.8.1/24 | Router: XGigabitEthernet1/0/2
CE12800-2 | Eth-Trunk1 | 10.10.6.2/24 | CE12800-1: Eth-Trunk1
CE12800-2 | Eth-Trunk9 | 10.10.5.2/24 | CSS: Eth-Trunk9
CSS | Stack-Port1/1 | - | CSS: Stack-Port2/1
CSS | Stack-Port2/1 | - | CSS: Stack-Port1/1
CSS | Eth-Trunk2 | VLANIF 100: 10.10.1.1/24 | iStack-1: Eth-Trunk2
CSS | Eth-Trunk3 | VLANIF 100: 10.10.1.1/24 | iStack-2: Eth-Trunk3
CSS | Eth-Trunk4 | VLANIF 200: 10.10.2.1/24 | FW-1: Eth-Trunk4
CSS | Eth-Trunk6 | VLANIF 200: 10.10.2.1/24 | FW-2: Eth-Trunk4
CSS | Eth-Trunk5 | VLANIF 300: 10.10.3.1/24 | FW-1: Eth-Trunk5
CSS | Eth-Trunk7 | VLANIF 300: 10.10.3.1/24 | FW-2: Eth-Trunk5
CSS | Eth-Trunk8 | 10.10.4.1/24 | CE12800-1: Eth-Trunk8
CSS | Eth-Trunk9 | 10.10.5.1/24 | CE12800-2: Eth-Trunk9
iStack-1 | Stack-Port1/1 | - | iStack-1: Stack-Port2/1
iStack-1 | Stack-Port2/1 | - | iStack-1: Stack-Port1/1
iStack-1 | Eth-Trunk2 | - | CSS: Eth-Trunk2
iStack-2 | Stack-Port1/1 | - | iStack-2: Stack-Port2/1
iStack-2 | Stack-Port2/1 | - | iStack-2: Stack-Port1/1
iStack-2 | Eth-Trunk3 | - | CSS: Eth-Trunk3
FW-1 | Eth-Trunk1 | 10.1.1.1/24 | FW-2: Eth-Trunk1
FW-1 | Eth-Trunk4 | 10.10.2.2/24 | CSS: Eth-Trunk4
FW-1 | Eth-Trunk5 | 10.10.3.2/24 | CSS: Eth-Trunk5
FW-2 | Eth-Trunk1 | 10.1.1.2/24 | FW-1: Eth-Trunk1
FW-2 | Eth-Trunk4 | 10.10.2.3/24 | CSS: Eth-Trunk6
FW-2 | Eth-Trunk5 | 10.10.3.3/24 | CSS: Eth-Trunk7
Configuration Roadmap
The configuration roadmap is as follows:
- Configure stacks at the aggregation and access layers to implement device backup.
- Configure Eth-Trunks between the aggregation/access switches and their upstream/downstream devices and firewalls to form a reliable, loop-free network.
- Create VLANs and add interfaces to VLANs so that the servers in the same VLAN can communicate with each other.
- Configure routes between the aggregation and core layers to implement Layer 3 connectivity. Run OSPF between the aggregation layer, core layer, and router, and configure static routes between the CSS and the firewalls. Create VRF-A on the CSS, and bind the service interfaces and the downstream interfaces connected to the firewalls to VRF-A to separate service network segment routes from public network routes. The default route of VRF-A points to the firewalls.
- Configure the hot standby, security policy, attack defense, and intrusion protection functions on firewalls.
Procedure
- Configure the stack function on aggregation switches CE12800-3 and CE12800-4.
- Connect stack cables between CE12800-3 and CE12800-4.
- Configure stack attributes for CE12800-3 and CE12800-4. (Set a higher priority for CE12800-3, so CE12800-3 will become the master switch.)
# On CE12800-3, set the stack priority to 150 and stack domain ID to 10. In this example, CE12800-3 retains the default stack member ID 1 and default stack connection mode MPU connection, and you do not need to configure the two parameters.
```
<HUAWEI> system-view
[~HUAWEI] sysname CE12800-3
[*HUAWEI] commit
[~CE12800-3] stack
[~CE12800-3-stack] stack priority 150   //Configure the stack priority. The default value is 100.
[*CE12800-3-stack] stack domain 10   //Configure the domain ID.
[*CE12800-3-stack] quit
[*CE12800-3] commit
```
# On CE12800-4, set the stack member ID to 2 and stack domain ID to 10. In this example, CE12800-4 retains the default stack priority 100 and default stack connection mode MPU connection, and you do not need to configure the two parameters.
```
<HUAWEI> system-view
[~HUAWEI] sysname CE12800-4
[*HUAWEI] commit
[~CE12800-4] stack
[~CE12800-4-stack] stack member 2
Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y
[*CE12800-4-stack] stack domain 10
[*CE12800-4-stack] quit
[*CE12800-4] commit
```
- Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.
# On CE12800-3, add 10GE1/0/1-10GE1/0/4 and 10GE2/0/1-10GE2/0/4 to the stack port.
```
[~CE12800-3] port-group group1   //Create a port group.
[*CE12800-3-port-group-group1] group-member 10ge 1/0/1 to 10ge 1/0/4   //Add ports to the port group.
[*CE12800-3-port-group-group1] group-member 10ge 2/0/1 to 10ge 2/0/4
[*CE12800-3-port-group-group1] shutdown   //Shut down the ports.
[*CE12800-3-port-group-group1] quit
[*CE12800-3] commit
[~CE12800-3] interface stack-port 1
[*CE12800-3-Stack-Port1] port member-group interface 10ge 1/0/1 to 1/0/4   //Add physical ports to the stack port.
Warning: After the configuration is complete,
1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.
Continue? [Y/N]: y
[*CE12800-3-Stack-Port1] port member-group interface 10ge 2/0/1 to 2/0/4
Warning: After the configuration is complete,
1.The interface(s) (10GE2/0/1-2/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.
Continue? [Y/N]: y
[*CE12800-3-Stack-Port1] quit
[*CE12800-3] commit
[~CE12800-3] port-group group1
[~CE12800-3-port-group-group1] undo shutdown   //Enable the ports.
[*CE12800-3-port-group-group1] quit
[*CE12800-3] return
```
# The configuration procedure on CE12800-4 is the same as the configuration procedure on CE12800-3, and is not mentioned here.
- Enable the stack function.
# Enable the stack function on CE12800-3 and restart the device.
```
<CE12800-3> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
<CE12800-3> system-view
[~CE12800-3] stack
[~CE12800-3-stack] stack enable
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
Switches working in different forward modes cannot set up a CSS.
Current configuration will be converted to the next startup saved-configuration file of stack mode.
System will reboot. Continue? [Y/N]: y
```
# Enable the stack function on CE12800-4 and restart the device.
```
<CE12800-4> save
Warning: The current configuration will be written to the device. Continue? [Y/N]: y
<CE12800-4> system-view
[~CE12800-4] stack
[~CE12800-4-stack] stack enable
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode.
Switches working in different forward modes cannot set up a CSS.
Current configuration will be converted to the next startup saved-configuration file of stack mode.
System will reboot. Continue? [Y/N]: y
```
- Rename the stack system CSS.
```
<CE12800-3> system-view
[~CE12800-3] sysname CSS
[*CE12800-3] commit
```
- Configure stack member ports to report the Down state after a delay.
You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.
```
[~CSS] port-group group-member 10ge 1/1/0/1 to 10ge 1/1/0/4 10ge 1/2/0/1 to 10ge 1/2/0/4 10ge 2/1/0/1 to 10ge 2/1/0/4 10ge 2/2/0/1 to 10ge 2/2/0/4
[~CSS-port-group] carrier down-hold-time 2000
[*CSS-port-group] commit
```
- Configure the stack function on the access switches. The configurations on CE6800-1 and CE6800-2 are used as an example here. The configurations on other switches are similar.
- Configure the stack attributes for CE6800-1 and CE6800-2. (Set a higher priority for CE6800-1, so CE6800-1 will become the master switch.)
# On CE6800-1, set the stack priority to 150 and stack domain ID to 20. In this example, CE6800-1 retains the default stack member ID 1, and you do not configure this parameter.
```
<HUAWEI> system-view
[~HUAWEI] sysname CE6800-1
[*HUAWEI] commit
[~CE6800-1] stack
[~CE6800-1-stack] stack member 1 priority 150
[*CE6800-1-stack] stack member 1 domain 20
[*CE6800-1-stack] quit
[*CE6800-1] commit
```
# On CE6800-2, set the stack member ID to 2 and domain ID to 20. In this example, CE6800-2 retains the default stack priority 100, and you do not configure this parameter.
```
<HUAWEI> system-view
[~HUAWEI] sysname CE6800-2
[*HUAWEI] commit
[~CE6800-2] stack
[~CE6800-2-stack] stack member 1 renumber 2 inherit-config
Warning: The stack configuration of member ID 1 will be inherited to member ID 2 after the device resets. Continue? [Y/N]: y
[*CE6800-2-stack] stack member 1 domain 20
[*CE6800-2-stack] quit
[*CE6800-2] commit
```
- Configure stack ports. The two switches are connected by four 10GE optical ports.
# On CE6800-1, add 10GE1/0/1-10GE1/0/4 to stack port 1/1.
```
[~CE6800-1] interface stack-port 1/1
[*CE6800-1-Stack-Port1/1] port member-group interface 10ge 1/0/1 to 1/0/4
Warning: After the configuration is complete,
1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.
Continue? [Y/N]: y
[*CE6800-1-Stack-Port1/1] commit
[~CE6800-1-Stack-Port1/1] return
```
# The configuration procedure on CE6800-2 is the same as that on CE6800-1, and is not mentioned here.
- Save the configurations of CE6800-1 and CE6800-2, power off the two switches, connect stack cables, and power on the switches.
- Rename the stack system iStack-1. CE6800-1 functions as the master switch in this example.
```
<CE6800-1> system-view
[~CE6800-1] sysname iStack-1
[*CE6800-1] commit
```
- Configure stack member ports to report the Down state after a delay.
You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.
```
[~iStack-1] port-group group-member 10ge 1/0/1 to 10ge 1/0/4 10ge 2/0/1 to 10ge 2/0/4
[~iStack-1-port-group] carrier down-hold-time 2000
[*iStack-1-port-group] commit
```
- Configure the stack consisting of CE6800-3 and CE6800-4 according to the preceding configurations. Rename the stack system iStack-2. CE6800-3 functions as the master switch in this example.
- Connect the CSS and iStack systems to their upstream and downstream devices and to the firewalls through Eth-Trunks. The connection between the CSS and iStack-1 is used as an example.
# Create Eth-Trunk2 on the CSS, and add 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, and 10GE2/2/0/5 to Eth-Trunk2.
```
[~CSS] interface eth-trunk 2
[*CSS-Eth-Trunk2] description To_iStack-1
[*CSS-Eth-Trunk2] trunkport 10ge 1/1/0/5 1/2/0/5 2/1/0/5 2/2/0/5
[*CSS-Eth-Trunk2] quit
[*CSS] commit
```
# Create Eth-Trunk2 on iStack-1, and add 10GE1/0/5, 10GE1/0/6, 10GE2/0/5, and 10GE2/0/6 to Eth-Trunk2.
```
[~iStack-1] interface eth-trunk 2
[*iStack-1-Eth-Trunk2] description To_CSS
[*iStack-1-Eth-Trunk2] trunkport 10ge 1/0/5 to 1/0/6
[*iStack-1-Eth-Trunk2] trunkport 10ge 2/0/5 to 2/0/6
[*iStack-1-Eth-Trunk2] quit
[*iStack-1] commit
```
# The other Eth-Trunks in Table 4-3 are configured in the same way, and their configuration is not described here.
- Configure DAD in relay mode in the CSS and iStacks to ensure high reliability. The following uses the configuration of DAD in relay mode in the CSS as an example.
# In the CSS, configure DAD in relay mode on the Eth-Trunks that connect to CE12800-1 and CE12800-2.
```
[~CSS] interface eth-trunk 8
[~CSS-Eth-Trunk8] dual-active detect mode relay
[*CSS-Eth-Trunk8] quit
[*CSS] interface eth-trunk 9
[*CSS-Eth-Trunk9] dual-active detect mode relay
[*CSS-Eth-Trunk9] quit
[*CSS] commit
```
# Configure the proxy function on the Eth-Trunks that connect CE12800-1 and CE12800-2 to the CSS.
```
<HUAWEI> system-view
[~HUAWEI] sysname CE12800-1
[*HUAWEI] commit
[~CE12800-1] interface eth-trunk 8
[~CE12800-1-Eth-Trunk8] dual-active proxy
[*CE12800-1-Eth-Trunk8] quit
[*CE12800-1] commit

<HUAWEI> system-view
[~HUAWEI] sysname CE12800-2
[*HUAWEI] commit
[~CE12800-2] interface eth-trunk 9
[~CE12800-2-Eth-Trunk9] dual-active proxy
[*CE12800-2-Eth-Trunk9] quit
[*CE12800-2] commit
```
# Configure DAD in relay mode in iStacks according to the preceding method. The configuration is not mentioned here.
- Create VLAN100 on the CSS and add the ports connected to the iStacks to VLAN100 to implement Layer 2 connectivity.
# On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-1.
```
[~CSS] interface eth-trunk 2
[*CSS-Eth-Trunk2] port link-type trunk
[*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[*CSS-Eth-Trunk2] port trunk allow-pass vlan 100
[*CSS-Eth-Trunk2] quit
[*CSS] commit
```
# On iStack-1, allow VLAN100 on the Eth-Trunk interface connected to the CSS.
```
[~iStack-1] interface eth-trunk 2
[*iStack-1-Eth-Trunk2] port link-type trunk
[*iStack-1-Eth-Trunk2] undo port trunk allow-pass vlan 1
[*iStack-1-Eth-Trunk2] port trunk allow-pass vlan 100
[*iStack-1-Eth-Trunk2] quit
[*iStack-1] commit
```
# On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-2. The configuration is the same as the configuration in the preceding step.
- Assign an IP address to each interface.
# Configure the IP address for the VLANIF interface connected to the firewall. The IP address configuration of VLANIF200 is used as an example.
```
[~CSS] vlan batch 200
[*CSS] interface Vlanif 200
[*CSS-Vlanif200] ip address 10.10.2.1 24
[*CSS-Vlanif200] quit
[*CSS] interface eth-trunk 4
[*CSS-Eth-Trunk4] port link-type trunk
[*CSS-Eth-Trunk4] undo port trunk allow-pass vlan 1
[*CSS-Eth-Trunk4] port trunk allow-pass vlan 200
[*CSS-Eth-Trunk4] port trunk pvid vlan 200
[*CSS-Eth-Trunk4] quit
[*CSS] interface eth-trunk 6
[*CSS-Eth-Trunk6] port link-type trunk
[*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
[*CSS-Eth-Trunk6] port trunk allow-pass vlan 200
[*CSS-Eth-Trunk6] port trunk pvid vlan 200
[*CSS-Eth-Trunk6] quit
[*CSS] commit
```
# Configure IP addresses for other VLANIF interfaces connected to firewalls in Table 4-3 according to the preceding method.
# Configure IP addresses for the interfaces connecting CE12800-1 and CE12800-2 to CSS and router. Configure the Ethernet interfaces as Layer 3 interfaces. The configuration on Eth-Trunk1 between CE12800-1 and CE12800-2 is used as an example.
```
[~CE12800-1] interface eth-trunk 1
[*CE12800-1-Eth-Trunk1] undo portswitch
[*CE12800-1-Eth-Trunk1] ip address 10.10.6.1 24

[*CE12800-2] interface eth-trunk 1
[*CE12800-2-Eth-Trunk1] undo portswitch
[*CE12800-2-Eth-Trunk1] ip address 10.10.6.2 24
```
# Configure IP addresses for other Layer 3 Ethernet interfaces in Table 4-3 according to the preceding step.
- Configure the routes between the firewalls, CSS, CE12800-1, CE12800-2, and router to implement Layer 3 connectivity. Run OSPF between the CSS, CE12800-1, CE12800-2, and router. Configure static routes between the firewalls and the CSS. Create VRF-A on the CSS, and bind the service interfaces and the downstream interfaces connected to the firewalls to VRF-A. The default route of VRF-A points to the downstream VRRP virtual IP address of the firewalls.
# Create VRF-A on the CSS, bind VLANIF100 and VLANIF200 to VRF-A, and set the destination address of the default route to the virtual IP address of firewalls.
NOTE:
When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.
```
[~CSS] ip vpn-instance VRF-A   //Create VRF-A.
[*CSS-vpn-instance-VRF-A] ipv4-family
[*CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[*CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[*CSS-vpn-instance-VRF-A-af-ipv4] quit
[*CSS-vpn-instance-VRF-A] quit
[*CSS] interface Vlanif 100
[*CSS-Vlanif100] ip binding vpn-instance VRF-A   //Bind VLANIF100 to VRF-A.
[*CSS-Vlanif100] ip address 10.10.1.1 24
[*CSS-Vlanif100] quit
[*CSS] interface Vlanif 200
[*CSS-Vlanif200] ip binding vpn-instance VRF-A   //Bind VLANIF200 to VRF-A.
[*CSS-Vlanif200] ip address 10.10.2.1 24
[*CSS-Vlanif200] quit
[*CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5   //Add a default route destined for the downstream VRRP virtual IP address of the firewalls to VRF-A.
[*CSS] commit
```
# Configure a static route from the CSS to service network segment with the firewalls as the next hop. Run OSPF between CSS, CE12800-1, and CE12800-2 and import the static route to OSPF.
```
[~CSS] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5   //Configure a static route destined for the service network segment. The next hop is the upstream VRRP virtual IP address of the firewalls.
[*CSS] ospf 100   //Run OSPF between the CSS and the router.
[*CSS-ospf-100] area 0
[*CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
[*CSS-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255
[*CSS-ospf-100-area-0.0.0.0] quit
[*CSS-ospf-100] import-route static   //Import the static route.
[*CSS-ospf-100] quit
[*CSS] commit
```
# Configure OSPF on CE12800-1, CE12800-2, and router. The configuration on CE12800-1 is used as an example.
```
[~CE12800-1] ospf 100
[*CE12800-1-ospf-100] area 0
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.6.0 0.0.0.255
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.7.0 0.0.0.255
[*CE12800-1-ospf-100-area-0.0.0.0] quit
[*CE12800-1-ospf-100] quit
[*CE12800-1] commit
```
# The configurations on CE12800-2 and router are similar to the configuration on CE12800-1, and are not mentioned here.
- Configure the firewalls.
In this example, the firewalls are Huawei USG firewalls.
# Perform the basic configurations on FW-1, including device name, interface, and security zone.
```
<USG> system-view
[USG] sysname FW-1
[FW-1] interface Eth-Trunk 4
[FW-1-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
[FW-1-Eth-Trunk4] ip address 10.10.2.2 24
[FW-1-Eth-Trunk4] quit
[FW-1] interface Eth-Trunk 5
[FW-1-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
[FW-1-Eth-Trunk5] ip address 10.10.3.2 24
[FW-1-Eth-Trunk5] quit
[FW-1] interface Eth-Trunk 1
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
[FW-1-Eth-Trunk1] ip address 10.1.1.1 24
[FW-1-Eth-Trunk1] quit
[FW-1] firewall zone trust
[FW-1-zone-trust] add interface Eth-Trunk 4
[FW-1-zone-trust] quit
[FW-1] firewall zone untrust
[FW-1-zone-untrust] add interface Eth-Trunk 5
[FW-1-zone-untrust] quit
[FW-1] firewall zone dmz
[FW-1-zone-dmz] add interface Eth-Trunk 1
[FW-1-zone-dmz] quit
```
# Perform the basic configurations on FW-2, including device name, interface, and security zone.
```
<USG> system-view
[USG] sysname FW-2
[FW-2] interface Eth-Trunk 4
[FW-2-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1
[FW-2-Eth-Trunk4] ip address 10.10.2.3 24
[FW-2-Eth-Trunk4] quit
[FW-2] interface Eth-Trunk 5
[FW-2-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1
[FW-2-Eth-Trunk5] ip address 10.10.3.3 24
[FW-2-Eth-Trunk5] quit
[FW-2] interface Eth-Trunk 1
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1
[FW-2-Eth-Trunk1] ip address 10.1.1.2 24
[FW-2-Eth-Trunk1] quit
[FW-2] firewall zone trust
[FW-2-zone-trust] add interface Eth-Trunk 4
[FW-2-zone-trust] quit
[FW-2] firewall zone untrust
[FW-2-zone-untrust] add interface Eth-Trunk 5
[FW-2-zone-untrust] quit
[FW-2] firewall zone dmz
[FW-2-zone-dmz] add interface Eth-Trunk 1
[FW-2-zone-dmz] quit
```
# Configure the static route on FW-1.
```
[FW-1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1   //Configure a route from the internal network to the external network. The next hop is the IP address of VLANIF300, which connects to the upstream interface of the firewall.
[FW-1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1   //Configure a route from the external network to the internal network. The destination is the network segment where the internal servers reside, and the next hop is the IP address of VLANIF200, which connects to the downstream interface of the firewall.
```
# Configure the static route on FW-2.
```
[FW-2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
[FW-2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
```
# Configure hot standby on FW-1.
```
[FW-1] interface Eth-Trunk 4
[FW-1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master   //Configure the downstream VRRP virtual IP address.
[FW-1-Eth-Trunk4] quit
[FW-1] interface Eth-Trunk 5
[FW-1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master   //Configure the upstream VRRP virtual IP address.
[FW-1-Eth-Trunk5] quit
[FW-1] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW-1] firewall packet-filter default permit interzone local dmz
[FW-1] hrp enable
```
# Configure hot standby on FW-2.
```
[FW-2] interface Eth-Trunk 4
[FW-2-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave
[FW-2-Eth-Trunk4] quit
[FW-2] interface Eth-Trunk 5
[FW-2-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave
[FW-2-Eth-Trunk5] quit
[FW-2] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW-2] firewall packet-filter default permit interzone local dmz
[FW-2] hrp enable
```
NOTE:
After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active firewall FW-1.
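The routing configured so far is what actually enforces the firewall as a choke point: VRF-A on the CSS holds only its connected prefixes plus a default route to the firewalls' downstream VRRP address (10.10.2.5), and the public table reaches the server segment 10.10.1.0/24 only through the firewalls' upstream VRRP address (10.10.3.5), so no table can forward server traffic around the firewalls. The following Python model is an added example and is not part of the Huawei guide: it transcribes the page's connected interfaces, static routes and OSPF prefixes into per-table route lists, resolves each next hop to the device that owns it (the VRRP addresses to the active FW-1), and traces the path in both directions. Where OSPF would install two equal-cost next hops, only the one through CE12800-1 is kept; that choice is an assumption.

```python
"""Trace the forwarding path through the CSS's two routing tables and the
active firewall, to show that server traffic cannot bypass the firewall.
Added example, not part of the Huawei guide. Entries are transcribed from the
page's connected interfaces, static routes and OSPF network statements; where
OSPF would install two equal-cost next hops, only the one through CE12800-1 is
kept (an assumption that keeps the trace deterministic)."""
import ipaddress

# Tables keyed by (device, table); entries are (prefix, next_hop, egress
# interface) and next_hop None means the prefix is directly connected.
TABLES = {
    ("CSS", "VRF-A"): [
        ("10.10.1.0/24", None, "Vlanif100"),
        ("10.10.2.0/24", None, "Vlanif200"),
        ("0.0.0.0/0", "10.10.2.5", "Vlanif200"),       # default: FW downstream VIP
    ],
    ("CSS", "public"): [
        ("10.10.3.0/24", None, "Vlanif300"),
        ("10.10.4.0/24", None, "Eth-Trunk8"),
        ("10.10.5.0/24", None, "Eth-Trunk9"),
        ("10.10.1.0/24", "10.10.3.5", "Vlanif300"),    # static: servers via FW upstream VIP
        ("10.10.6.0/24", "10.10.4.2", "Eth-Trunk8"),   # OSPF-learned
        ("10.10.7.0/24", "10.10.4.2", "Eth-Trunk8"),   # OSPF-learned
    ],
    ("FW-1", "main"): [
        ("10.10.2.0/24", None, "Eth-Trunk4"),
        ("10.10.3.0/24", None, "Eth-Trunk5"),
        ("0.0.0.0/0", "10.10.3.1", "Eth-Trunk5"),      # out to VLANIF300 (public table)
        ("10.10.1.0/24", "10.10.2.1", "Eth-Trunk4"),   # back to VLANIF200 (VRF-A)
    ],
    ("CE12800-1", "main"): [
        ("10.10.4.0/24", None, "Eth-Trunk8"),
        ("10.10.6.0/24", None, "Eth-Trunk1"),
        ("10.10.7.0/24", None, "10GE1/0/1"),
        ("10.10.1.0/24", "10.10.4.1", "Eth-Trunk8"),   # OSPF: the static the CSS imports
    ],
    ("Router", "main"): [
        ("10.10.7.0/24", None, "XGigabitEthernet1/0/1"),
        ("10.10.1.0/24", "10.10.7.1", "XGigabitEthernet1/0/1"),  # OSPF-learned
        ("10.10.4.0/24", "10.10.7.1", "XGigabitEthernet1/0/1"),  # OSPF-learned
    ],
}
# Which (device, table) answers a next-hop address; the VRRP virtual addresses
# 10.10.2.5 and 10.10.3.5 belong to the active firewall FW-1.
OWNERS = {
    "10.10.2.5": ("FW-1", "main"), "10.10.3.5": ("FW-1", "main"),
    "10.10.2.1": ("CSS", "VRF-A"), "10.10.3.1": ("CSS", "public"),
    "10.10.4.1": ("CSS", "public"), "10.10.4.2": ("CE12800-1", "main"),
    "10.10.7.1": ("CE12800-1", "main"),
}

def lookup(table, dst):
    """Longest-prefix match of dst in one table; (net, next_hop, iface) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop, iface in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def trace(start, dst, max_hops=10):
    """Follow next hops from the (device, table) `start` towards dst.

    Returns the (device, table, egress_interface) hops visited; the last one
    delivers the packet onto a connected segment. Raises LookupError when a
    table has no route and RuntimeError if the hop limit is hit (a loop)."""
    hops, current = [], start
    for _ in range(max_hops):
        entry = lookup(current, dst)
        if entry is None:
            raise LookupError(f"{current[0]} table {current[1]} has no route to {dst}")
        _, next_hop, iface = entry
        hops.append((current[0], current[1], iface))
        if next_hop is None:                 # directly connected: delivered here
            return hops
        current = OWNERS[next_hop]
    raise RuntimeError("hop limit exceeded, probable routing loop")

def passes_firewall(hops):
    """True if the path is forwarded by the firewall at least once."""
    return any(device == "FW-1" for device, _, _ in hops)

if __name__ == "__main__":
    for start, dst in ((("CSS", "VRF-A"), "10.10.7.2"),    # server VLAN -> router
                       (("Router", "main"), "10.10.1.10"),  # router -> server
                       (("CSS", "public"), "10.10.1.10")):  # public table -> server
        path = trace(start, dst)
        print(dst, "->", " > ".join(f"{d}[{t}]/{i}" for d, t, i in path),
              "| firewall:", passes_firewall(path))
```

The server-to-router trace visits CSS (VRF-A), FW-1, CSS (public) and CE12800-1 in that order, and the reverse trace ends on Vlanif100 in VRF-A after passing FW-1; a lookup of the firewall's own downstream address 10.10.2.2 from the public table fails, which is the intended effect of keeping VLANIF200 inside VRF-A. Router-to-CSS traffic on the public prefixes (for example to 10.10.4.1) never touches the firewall, which matches the design: only the service segment is forced through it.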
# Configure the security policy and intrusion protection.
NOTE:
Before configuring intrusion protection, ensure that the intrusion signature library is the latest version.
When configuring intrusion protection, use the default intrusion file default.
```
HRP_M[FW-1] policy interzone trust untrust outbound
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24   //The source address is the network segment where the internal servers reside.
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default   //The default file is used.
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit
HRP_M[FW-1] policy interzone trust untrust inbound
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24   //The destination address is the network segment where the internal servers reside.
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http   //FTP and HTTP are used as an example here. If other applications are running on your network, specify them.
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit
HRP_M[FW-1] ips enable
```
# Configure attack defense.
NOTE:
The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.
```
HRP_M[FW-1] firewall defend syn-flood enable
HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall defend udp-flood enable
HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW-1] firewall defend icmp-flood enable
HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW-1] firewall blacklist enable
HRP_M[FW-1] firewall defend ip-sweep enable
HRP_M[FW-1] firewall defend ip-sweep max-rate 4000
HRP_M[FW-1] firewall defend port-scan enable
HRP_M[FW-1] firewall defend port-scan max-rate 4000
HRP_M[FW-1] firewall defend ip-fragment enable
HRP_M[FW-1] firewall defend ip-spoofing enable
```
# Configure ASPF.
```
HRP_M[FW-1] firewall interzone trust untrust
HRP_M[FW-1-interzone-trust-untrust] detect ftp   //FTP is used as an example here. If other applications are running on your network, enable the ASPF function for them.
HRP_M[FW-1-interzone-trust-untrust] quit
```
Verifying the Configuration
After the configurations are complete, check whether the servers and router can ping each other. In this example, the servers ping the router.
```
PC> ping 10.10.7.2
Ping 10.10.7.2: 32 data bytes, Press Ctrl_C to break
From 10.10.7.2: bytes=32 seq=1 ttl=251 time=63 ms
From 10.10.7.2: bytes=32 seq=2 ttl=251 time=94 ms
From 10.10.7.2: bytes=32 seq=3 ttl=251 time=63 ms
From 10.10.7.2: bytes=32 seq=4 ttl=251 time=62 ms
From 10.10.7.2: bytes=32 seq=5 ttl=251 time=47 ms

--- 10.10.7.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/65/94 ms
```
Configuration File
- Configuration file of the router
```
#
sysname Router
#
interface XGigabitEthernet1/0/1
 ip address 10.10.7.2 255.255.255.0
#
interface XGigabitEthernet1/0/2
 ip address 10.10.8.2 255.255.255.0
#
ospf 100
 area 0.0.0.0
  network 10.10.7.0 0.0.0.255
  network 10.10.8.0 0.0.0.255
#
return
```
- Configuration file of CE12800-1 at the aggregation layer
```
#
sysname CE12800-1
#
interface Eth-Trunk1
 description To_CE12800-2
 undo portswitch
 ip address 10.10.6.1 255.255.255.0
#
interface Eth-Trunk8
 description To_CSS
 undo portswitch
 ip address 10.10.4.2 255.255.255.0
 dual-active proxy
#
interface 10GE1/0/1
 description To_Router
 undo portswitch
 ip address 10.10.7.1 255.255.255.0
#
interface 10GE1/0/2
 eth-trunk 1
#
interface 10GE1/0/3
 eth-trunk 8
#
interface 10GE2/0/2
 eth-trunk 1
#
interface 10GE2/0/3
 eth-trunk 8
#
ospf 100
 area 0.0.0.0
  network 10.10.4.0 0.0.0.255
  network 10.10.6.0 0.0.0.255
  network 10.10.7.0 0.0.0.255
#
return
```
- Configuration file of CE12800-2 at the aggregation layer
```
#
sysname CE12800-2
#
interface Eth-Trunk1
 description To_CE12800-1
 undo portswitch
 ip address 10.10.6.2 255.255.255.0
#
interface Eth-Trunk9
 description To_CSS
 undo portswitch
 ip address 10.10.5.2 255.255.255.0
 dual-active proxy
#
interface 10GE1/0/1
 description To_Router
 undo portswitch
 ip address 10.10.8.1 255.255.255.0
#
interface 10GE1/0/2
 eth-trunk 1
#
interface 10GE1/0/3
 eth-trunk 9
#
interface 10GE2/0/2
 eth-trunk 1
#
interface 10GE2/0/3
 eth-trunk 9
#
ospf 100
 area 0.0.0.0
  network 10.10.5.0 0.0.0.255
  network 10.10.6.0 0.0.0.255
  network 10.10.8.0 0.0.0.255
#
return
```
- Configuration file of the CSS at the core layer
```
#
sysname CSS
#
vlan batch 100 200 300
#
ip vpn-instance VRF-A
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
stack
 #
 stack mode
 #
 stack member 1 domain 10
 stack member 1 priority 150
 #
 stack member 2 domain 10
#
interface Vlanif100
 ip binding vpn-instance VRF-A
 ip address 10.10.1.1 255.255.255.0
#
interface Vlanif200
 ip binding vpn-instance VRF-A
 ip address 10.10.2.1 255.255.255.0
#
interface Vlanif300
 ip address 10.10.3.1 255.255.255.0
#
interface Eth-Trunk2
 description To_iStack-1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 dual-active proxy
#
interface Eth-Trunk3
 description To_iStack-2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 dual-active proxy
#
interface Eth-Trunk4
 description To_FW-1
 port link-type trunk
 port trunk pvid vlan 200
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
#
interface Eth-Trunk5
 description To_FW-1
 port link-type trunk
 port trunk pvid vlan 300
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 300
#
interface Eth-Trunk6
 description To_FW-2
 port link-type trunk
 port trunk pvid vlan 200
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
#
interface Eth-Trunk7
 description To_FW-2
 port link-type trunk
 port trunk pvid vlan 300
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 300
#
interface Eth-Trunk8
 description To_CE12800-1
 undo portswitch
 ip address 10.10.4.1 255.255.255.0
 dual-active detect mode relay
#
interface Eth-Trunk9
 description To_CE12800-2
 undo portswitch
 ip address 10.10.5.1 255.255.255.0
 dual-active detect mode relay
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/1/0/1
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/1/0/2
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/1/0/3
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/1/0/4
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/1/0/5
 eth-trunk 2
#
interface 10GE1/1/0/6
 eth-trunk 3
#
interface 10GE1/1/0/7
 eth-trunk 4
#
interface 10GE1/1/0/8
 eth-trunk 5
#
interface 10GE1/1/0/9
 eth-trunk 8
#
interface 10GE1/2/0/1
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/2/0/2
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/2/0/3
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/2/0/4
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/2/0/5
 eth-trunk 2
#
interface 10GE1/2/0/6
 eth-trunk 3
#
interface 10GE1/2/0/7
 eth-trunk 6
#
interface 10GE1/2/0/8
 eth-trunk 7
#
interface 10GE1/2/0/9
 eth-trunk 9
#
interface 10GE2/1/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/1/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/1/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/1/0/4
 port mode stack
 stack-port 2/1
#
interface 10GE2/1/0/5
 eth-trunk 2
#
interface 10GE2/1/0/6
 eth-trunk 3
#
interface 10GE2/1/0/7
 eth-trunk 4
#
interface 10GE2/1/0/8
 eth-trunk 5
#
interface 10GE2/1/0/9
 eth-trunk 8
#
interface 10GE2/2/0/1
 port mode stack
 stack-port 2/1
#
interface 10GE2/2/0/2
 port mode stack
 stack-port 2/1
#
interface 10GE2/2/0/3
 port mode stack
 stack-port 2/1
#
interface 10GE2/2/0/4
 port mode stack
 stack-port 2/1
#
interface 10GE2/2/0/5
 eth-trunk 2
#
interface 10GE2/2/0/6
 eth-trunk 3
#
interface 10GE2/2/0/7
 eth-trunk 6
#
interface 10GE2/2/0/8
 eth-trunk 7
#
interface 10GE2/2/0/9
 eth-trunk 9
#
ospf 100
 import-route static
 area 0.0.0.0
  network 10.10.4.0 0.0.0.255
  network 10.10.5.0 0.0.0.255
#
ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
#
port-group group1
 group-member 10GE1/1/0/1
 group-member 10GE1/1/0/2
 group-member 10GE1/1/0/3
 group-member 10GE1/1/0/4
 group-member 10GE1/2/0/1
 group-member 10GE1/2/0/2
 group-member 10GE1/2/0/3
 group-member 10GE1/2/0/4
#
return
```
- Configuration file of iStack-1 at the access layer
```
#
sysname iStack-1
#
vlan batch 100
#
stack
 #
 stack member 1 domain 20
 stack member 1 priority 150
 #
 stack member 2 domain 20
#
interface Eth-Trunk2
 description To_CSS
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 dual-active detect mode relay
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/0/1
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/2
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/3
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/4
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/5
 eth-trunk 2
#
interface 10GE1/0/6
 eth-trunk 2
#
interface 10GE2/0/1
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/2
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/3
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/4
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/5
 eth-trunk 2
#
interface 10GE2/0/6
 eth-trunk 2
#
return
```
- Configuration file of iStack-2 at the access layer
#
sysname iStack-2
#
vlan batch 100
#
stack
#
stack member 1 domain 30
stack member 1 priority 150
#
stack member 2 domain 30
#
interface Eth-Trunk3
 description To_CSS
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 dual-active detect mode relay
#
interface Stack-Port1/1
#
interface Stack-Port2/1
#
interface 10GE1/0/1
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/2
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/3
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/4
 port mode stack
 stack-port 1/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE1/0/5
 eth-trunk 3
#
interface 10GE1/0/6
 eth-trunk 3
#
interface 10GE2/0/1
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/2
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/3
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/4
 port mode stack
 stack-port 2/1
 port crc-statistics trigger error-down
 carrier down-hold-time 2000
#
interface 10GE2/0/5
 eth-trunk 3
#
interface 10GE2/0/6
 eth-trunk 3
#
return
- Configuration file of FW-1
#
sysname FW-1
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
ips enable
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk4
 ip address 10.10.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 master
#
interface Eth-Trunk5
 ip address 10.10.3.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 master
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/1/0
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet1/1/1
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet2/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown
 eth-trunk 1
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk4
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk5
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.10.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.10.1.0 mask 24
#
ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
#
return
- Configuration file of FW-2
#
sysname FW-2
#
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall defend port-scan enable
firewall defend ip-sweep enable
firewall defend ip-fragment enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend syn-flood enable
firewall defend ip-spoofing enable
firewall defend action discard
firewall defend icmp-flood zone untrust max-rate 20000
firewall defend udp-flood zone untrust max-rate 1500
firewall defend syn-flood zone untrust max-rate 20000
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
ips enable
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk4
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk5
 ip address 10.10.3.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 slave
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/0/1
 undo shutdown
 eth-trunk 4
#
interface GigabitEthernet1/1/0
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet1/1/1
 undo shutdown
 eth-trunk 5
#
interface GigabitEthernet2/0/0
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/1
 undo shutdown
 eth-trunk 1
#
profile type ips name default
 signature-set name default
  os both
  target both
  severity low medium high
  protocol all
  category all
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk4
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk5
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
#
firewall interzone trust untrust
 detect ftp
#
policy interzone trust untrust inbound
 policy 1
  action permit
  profile ips default
  policy service service-set ftp
  policy service service-set http
  policy destination 10.10.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 1
  action permit
  profile ips default
  policy source 10.10.1.0 mask 24
#
ip route-static 0.0.0.0 0.0.0.0 10.10.3.1
ip route-static 10.10.1.0 255.255.255.0 10.10.2.1
#
return
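The CSS and firewall files above only work as a hot-standby firewall insertion if they agree with each other: the static next hops on the CSS (10.10.3.5 for the public route, 10.10.2.5 for the VRF-A default) must be the VRRP virtual IPs that FW-1 and FW-2 share, each VRRP group must exist on both units with one master and one slave, and the inbound trust-untrust rule must stay scoped to a destination and a service. The script below is an added example written for this page (not Huawei's code and not part of the configuration files); it parses constructed excerpts of the CSS, FW-1 and FW-2 files, cut down to the lines the checks read, and runs those three checks. The function names and the block parser are the example's own.

```python
# Added example (not Huawei's code and not part of the page's configuration):
# consistency checks over the CSS and FW-1/FW-2 files above. The config strings
# are constructed excerpts of those files, cut down to the lines the checks read.
import re
CSS_CFG = """\
ip route-static 10.10.1.0 255.255.255.0 10.10.3.5
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5
"""

FW1_CFG = """\
interface Eth-Trunk4
 ip address 10.10.2.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 master
#
interface Eth-Trunk5
 ip address 10.10.3.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 master
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy service service-set http
  policy destination 10.10.1.0 mask 24
"""

FW2_CFG = """\
interface Eth-Trunk4
 ip address 10.10.2.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk5
 ip address 10.10.3.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.10.3.5 slave
"""

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (master|slave)")

def parse_blocks(text):
    """One (header, [sub-commands]) per block; '#' separates blocks, indent nests."""
    blocks = []
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def vrrp_groups(blocks):
    """(interface, vrid) -> (virtual-ip, role) for every VRRP group found."""
    groups = {}
    for header, subs in blocks:
        if header.startswith("interface "):
            for m in filter(None, map(VRRP_RE.match, subs)):
                groups[(header.split()[1], int(m[1]))] = (m[2], m[3])
    return groups

def check_hot_standby(fw1, fw2):
    """Both firewalls must carry the same groups with the same virtual IP and
    one master plus one slave per group; anything else breaks failover."""
    g1, g2 = vrrp_groups(fw1), vrrp_groups(fw2)
    findings = []
    for key in sorted(set(g1) | set(g2)):
        if key not in g1 or key not in g2:
            findings.append(f"{key}: configured on only one firewall")
        elif g1[key][0] != g2[key][0]:
            findings.append(f"{key}: virtual-ip mismatch {g1[key][0]}/{g2[key][0]}")
        elif {g1[key][1], g2[key][1]} != {"master", "slave"}:
            findings.append(f"{key}: needs one master and one slave")
    return findings

def check_next_hops(css, fw):
    """CSS next hops that are not a firewall VIP (pinned to one box, no failover)."""
    hops = {h.split()[-1] for h, _ in css if h.startswith("ip route-static")}
    return sorted(hops - {vip for vip, _ in vrrp_groups(fw).values()})

def check_inbound_policy(blocks):
    """Inbound (untrust -> trust) rules need both a destination and a service scope."""
    findings = []
    for h, subs in blocks:
        if h == "policy interzone trust untrust inbound":
            for kind in ("destination", "service"):
                if not any(s.startswith(f"policy {kind}") for s in subs):
                    findings.append(f"inbound rule lacks a {kind} restriction")
    return findings

def audit(css_text=CSS_CFG, fw1_text=FW1_CFG, fw2_text=FW2_CFG):
    css, fw1, fw2 = map(parse_blocks, (css_text, fw1_text, fw2_text))
    return {"hot_standby": check_hot_standby(fw1, fw2),
            "next_hops": check_next_hops(css, fw1),
            "inbound_policy": check_inbound_policy(fw1)}

if __name__ == "__main__":
    print(audit())
```

On the page's values every check returns an empty list. The checks are written for the failure modes that matter in this design: a CSS route whose next hop is a firewall's real interface address (10.10.3.2) instead of the virtual IP keeps working until HRP fails over and then blackholes; a group that is master on both units, or that carries different virtual IPs, splits the pair; an inbound rule that drops its `policy destination` or `policy service` lines opens the service VLAN to everything the untrust side sends. To run it against the full files, paste the complete CSS, FW-1 and FW-2 text in place of the excerpts; the parser only needs the column-0/indented layout the files already use.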