No relevant resource is found in the selected language.
MENU
Support Documentation
Stack Best Practices
CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Stack-based 3-Layer Data Center Network

Configuring a Stack-based 3-Layer Data Center Network

Networking Requirements

On a 3-Layer network as shown in Figure 4-4, the core layer contains two CE12800 switches. The two switches are connected through an Eth-Trunk with two 10GE member links for link backup. The aggregation layer has a CE12800 stack. The stack connects to upstream and downstream devices through inter-chassis Eth-Trunk interfaces. The Eth-Trunks are configured to preferentially forward local traffic so that loads on inter-chassis links are reduced. VRF instances are created on the aggregation layer to separate service network routes and public network routes. Two firewalls are connected to CE12800 switches in bypass mode, and work in hot standby mode to improve reliability.

Figure 4-4 Diagram of a stack-based 3-Layer data center network

Table 4-3 Data preparation

Device Name

Interface Number

IP Address

Interconnected Device and Interface Number

Router

XGigabitEthernet1/0/1

10.10.7.2/24

CE12800-1: 10GE1/0/1

XGigabitEthernet1/0/2

10.10.8.2/24

CE12800-2: 10GE1/0/1

CE12800-1

10GE1/0/1

10.10.7.1/24

Router: XGigabitEthernet1/0/1

Eth-Trunk1

  • 10GE1/0/2
  • 10GE2/0/2

10.10.6.1/24

CE12800-2: Eth-Trunk1

Eth-Trunk8

  • 10GE1/0/3
  • 10GE2/0/3

10.10.4.2/24

CSS: Eth-Trunk8

CE12800-2

10GE1/0/1

10.10.8.1/24

Router: XGigabitEthernet1/0/2

Eth-Trunk1

  • 10GE1/0/2
  • 10GE2/0/2

10.10.6.2/24

CE12800-1: Eth-Trunk1

Eth-Trunk9

  • 10GE1/0/3
  • 10GE2/0/3

10.10.5.2/24

CSS: Eth-Trunk9

CSS

Stack-Port1/1

  • 10GE1/1/0/1 to 10GE1/1/0/4
  • 10GE1/2/0/1 to 10GE1/2/0/4

-

CSS: Stack-Port2/1

Stack-Port2/1

  • 10GE2/1/0/1 to 10GE2/1/0/4
  • 10GE2/2/0/1 to 10GE2/2/0/4

-

CSS: Stack-Port1/1

Eth-Trunk2

  • 10GE1/1/0/5
  • 10GE1/2/0/5
  • 10GE2/1/0/5
  • 10GE2/2/0/5

VLANIF 100: 10.10.1.1/24

iStack-1: Eth-Trunk2

Eth-Trunk3

  • 10GE1/1/0/6
  • 10GE1/2/0/6
  • 10GE2/1/0/6
  • 10GE2/2/0/6

iStack-2: Eth-Trunk3

Eth-Trunk4

  • 10GE1/1/0/7
  • 10GE2/1/0/7

VLANIF 200: 10.10.2.1/24

FW-1: Eth-Trunk4

Eth-Trunk6

  • 10GE1/2/0/7
  • 10GE2/2/0/7

FW-2: Eth-Trunk4

Eth-Trunk5

  • 10GE1/1/0/8
  • 10GE2/1/0/8

VLANIF 300: 10.10.3.1/24

FW-1: Eth-Trunk5

Eth-Trunk7

  • 10GE1/2/0/8
  • 10GE2/2/0/8

FW-2: Eth-Trunk5

Eth-Trunk8

  • 10GE1/1/0/9
  • 10GE2/1/0/9

10.10.4.1/24

CE12800-1: Eth-Trunk8

Eth-Trunk9

  • 10GE1/2/0/9
  • 10GE2/2/0/9

10.10.5.1/24

CE12800-2: Eth-Trunk9

iStack-1

Stack-Port1/1

  • 10GE1/0/1 to 10GE1/0/4

-

iStack-1: Stack-Port2/1

Stack-Port2/1

  • 10GE2/0/1 to 10GE2/0/4

-

iStack-1: Stack-Port1/1

Eth-Trunk2

  • 10GE1/0/5 to 10GE1/0/6
  • 10GE2/0/5 to 10GE2/0/6

-

CSS: Eth-Trunk2

iStack-2

Stack-Port1/1

  • 10GE1/0/1 to 10GE1/0/4

-

iStack-2: Stack-Port2/1

Stack-Port2/1

  • 10GE2/0/1 to 10GE2/0/4

-

iStack-2: Stack-Port1/1

Eth-Trunk3

  • 10GE1/0/5 to 10GE1/0/6
  • 10GE2/0/5 to 10GE2/0/6

-

CSS: Eth-Trunk3

FW-1

Eth-Trunk1

  • GigabitEthernet2/0/0
  • GigabitEthernet2/0/1

10.1.1.1/24

FW-2: Eth-Trunk1

Eth-Trunk4

  • GigabitEthernet1/0/0
  • GigabitEthernet1/0/1

10.10.2.2/24

CSS: Eth-Trunk4

Eth-Trunk5

  • GigabitEthernet1/1/0
  • GigabitEthernet1/1/1

10.10.3.2/24

CSS: Eth-Trunk5

FW-2

Eth-Trunk1

  • GigabitEthernet2/0/0
  • GigabitEthernet2/0/1

10.1.1.2/24

FW-1: Eth-Trunk1

Eth-Trunk4

  • GigabitEthernet1/0/0
  • GigabitEthernet1/0/1

10.10.2.3/24

CSS: Eth-Trunk6

Eth-Trunk5

  • GigabitEthernet1/1/0
  • GigabitEthernet1/1/1

10.10.3.3/24

CSS: Eth-Trunk7

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure stack at the aggregation layer and access layer to implement device backup.
  2. Configure Eth-Trunks between the aggregation/access switches and their upstream/downstream devices, and firewalls to form a reliable, loop-free network.
  3. Create VLANs and add interfaces to VLANs so that the servers in the same VLAN can communicate with each other.
  4. Configure routes between aggregation layer and core layer to implement Layer 3 connection. Run OSPF between the aggregation layer, core layer, and router, and configure static routes between CSS and firewall. Create VRF-A on the CSS, and bind the service interfaces and downstream interfaces connected to firewalls to VRF-A to separate service network segment routes and public network routes. The default route of VRF-A is destined for the firewalls.
  5. Configure the hot standby, security policy, attack defense, and intrusion protection functions on firewalls.

Procedure

  1. Configure the stack function on aggregation switches CE12800-3 and CE12800-4.

    1. Connect stack cables between CE12800-3 and CE12800-4
    2. Configure stack attributes for CE12800-3 and CE12800-4. (Set a higher priority for CE12800-3, so CE12800-3 will become the master switch.)

      # On CE12800-3, set the stack priority to 150 and stack domain ID to 10. In this example, CE12800-3 retains the default stack member ID 1 and default stack connection mode MPU connection, and you do not need to configure the two parameters.

      <HUAWEI> system-view 
[~HUAWEI] sysname CE12800-3 
[*HUAWEI] commit 
[~CE12800-3] stack 
[~CE12800-3-stack] stack priority 150     //Configure the stack priority. The default value is 100.
[*CE12800-3-stack] stack domain 10        //Configure the domain ID.
[*CE12800-3-stack] quit 
[*CE12800-3] commit

      # On CE12800-4, set the stack member ID to 2 and stack domain ID to 10. In this example, CE12800-4 retains the default stack priority 100 and default stack connection mode MPU connection, and you do not need to configure the two parameters.

      <HUAWEI> system-view 
[~HUAWEI] sysname CE12800-4 
[*HUAWEI] commit 
[~CE12800-4] stack 
[~CE12800-4-stack] stack member 2 
Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y 
[*CE12800-4-stack] stack domain 10 
[*CE12800-4-stack] quit 
[*CE12800-4] commit
    3. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-3, add 10GE1/0/1-10GE1/0/4 and 10GE2/0/1-10GE2/0/4 to the stack port.

      [~CE12800-3] port-group group1       //Create a port group.
[*CE12800-3-port-group-group1] group-member 10ge 1/0/1 to 10ge 1/0/4       //Add ports to the port group. 
[*CE12800-3-port-group-group1] group-member 10ge 2/0/1 to 10ge 2/0/4 
[*CE12800-3-port-group-group1] shutdown       //Shut down the port. 
[*CE12800-3-port-group-group1] quit 
[*CE12800-3] commit 
[~CE12800-3] interface stack-port 1 
[*CE12800-3-Stack-Port1] port member-group interface 10ge 1/0/1 to 1/0/4       //Add physical ports to the stack port. 
Warning: After the configuration is complete,  
1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.  
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
[*CE12800-3-Stack-Port1] port member-group interface 10ge 2/0/1 to 2/0/4 
Warning: After the configuration is complete,  
1.The interface(s) (10GE2/0/1-2/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.  
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
[*CE12800-3-Stack-Port1] quit 
[*CE12800-3] commit 
[~CE12800-3] port-group group1 
[~CE12800-3-port-group-group1] undo shutdown       //Enable the port. 
[*CE12800-3-port-group-group1] quit 
[*CE12800-3] return

      # The configuration procedure on CE12800-4 is the same as the configuration procedure on CE12800-3, and is not mentioned here.

    4. Enable the stack function.

      # Enable the stack function on CE12800-3 and restart the device.

      <CE12800-3> save 
Warning: The current configuration will be written to the device. Continue? [Y/N]: y 
<CE12800-3> system-view 
[~CE12800-3] stack 
[~CE12800-3-stack] stack enable 
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode. Switches working in different forward modes cannot set up a CSS. 
Current configuration will be converted to the next startup saved-configuration file of stack mode. 
System will reboot. Continue? [Y/N]: y

      # Enable the stack function on CE12800-4 and restart the device.

      <CE12800-4> save 
Warning: The current configuration will be written to the device. Continue? [Y/N]: y 
<CE12800-4> system-view 
[~CE12800-4] stack 
[~CE12800-4-stack] stack enable 
Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode. Switches working in different forward modes cannot set up a CSS. 
Current configuration will be converted to the next startup saved-configuration file of stack mode. 
System will reboot. Continue? [Y/N]: y
    5. Rename the stack system CSS.
      <CE12800-3> system-view 
[~CE12800-3] sysname CSS 
[*CE12800-3] commit
    6. Configure stack member ports to report the Down state after a delay.

      You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.

      [~CSS] port-group group-member 10ge 1/1/0/1 to 10ge 1/1/0/4 10ge 1/2/0/1 to 10ge 1/2/0/4 10ge 2/1/0/1 to 10ge 2/1/0/4 10ge 2/2/0/1 to 10ge 2/2/0/4 
[~CSS-port-group] carrier down-hold-time 2000 
[*CSS-port-group] commit

  2. Configure the stack function on the access switches. The configurations on CE6800-1 and CE6800-2 are used as an example here. The configurations on other switches are similar.

    1. Configure the stack attributes for CE6800-1 and CE6800-2. (Set a higher priority for CE6800-1, so CE6800-1 will become the master switch.)

      # On CE6800-1, set the stack priority to 150 and stack domain ID to 20. In this example, CE6800-1 retains the default stack member ID 1, and you do not configure this parameter.

      <HUAWEI> system-view 
[~HUAWEI] sysname CE6800-1 
[*HUAWEI] commit 
[~CE6800-1] stack 
[~CE6800-1-stack] stack member 1 priority 150 
[*CE6800-1-stack] stack member 1 domain 20 
[*CE6800-1-stack] quit 
[*CE6800-1] commit

      # On CE6800-2, set the stack member ID to 2 and domain ID to 20. In this example, CE6800-2 retains the default stack priority 100, and you do not configure this parameter.

      <HUAWEI> system-view 
[~HUAWEI] sysname CE6800-2 
[*HUAWEI] commit 
[~CE6800-2] stack 
[~CE6800-2-stack] stack member 1 renumber 2 inherit-config 
Warning: The stack configuration of member ID 1 will be inherited to member ID 2 after the device resets. Continue? [Y/N]: y 
[*CE6800-2-stack] stack member 1 domain 20 
[*CE6800-2-stack] quit 
[*CE6800-2] commit
    2. Configure stack ports. Two switches are connected by four 10GE optical ports.

      # On CE6800-1, add 10GE1/0/1-10GE1/0/4 to stack port 1/1.

      [~CE6800-1] interface stack-port 1/1 
[*CE6800-1-Stack-Port1/1] port member-group interface 10ge 1/0/1 to 1/0/4 
Warning: After the configuration is complete,  
1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist. 
2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
[*CE6800-1-Stack-Port1/1] commit 
[~CE6800-1-Stack-Port1/1] return

      # The configuration procedure on CE6800-2 is the same as that on CE6800-1, and is not mentioned here.

    3. Save the configurations of CE6800-1 and CE6800-2, power off the two switches, connect stack cables, and power on the switches.
    4. Rename the stack system iStack-1. CE6800-1 functions as the master switch in this example.
      <CE6800-1> system-view 
[~CE6800-1] sysname iStack-1 
[*CE6800-1] commit
    5. Configure stack member ports to report the Down state after a delay.

      You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.

      [~iStack-1] port-group group-member 10ge 1/0/1 to 10ge 1/0/4 10ge 2/0/1 to 10ge 2/0/4 
[~iStack-1-port-group] carrier down-hold-time 2000 
[*iStack-1-port-group] commit
    6. Configure the stack consisting of CE6800-3 and CE6800-4 according to the preceding configurations. Rename the stack system iStack-2. CE6800-3 functions as the master switch in this example.

  3. Connect the CSS and iStack systems to upstream and downstream devices, and firewalls through Eth-Trunks. The connection between CSS and iStack-1 is used as an example.

    # Create Eth-Trunk2 on the CSS, and add 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, and 10GE2/2/0/5 to Eth-Trunk2.

    [~CSS] interface eth-trunk 2 
[*CSS-Eth-Trunk2] description To_iStack-1 
[*CSS-Eth-Trunk2] trunkport 10ge 1/1/0/5 1/2/0/5 2/1/0/5 2/2/0/5 
[*CSS-Eth-Trunk2] quit 
[*CSS] commit

    # Create Eth-Trunk2 on iStack-1, and add 10GE1/0/5, 10GE1/0/6, 10GE2/0/5, and 10GE2/0/6 to Eth-Trunk2.

    [~iStack-1] interface eth-trunk 2 
[*iStack-1-Eth-Trunk2] description To_CSS 
[*iStack-1-Eth-Trunk2] trunkport 10ge 1/0/5 to 1/0/6 
[*iStack-1-Eth-Trunk2] trunkport 10ge 2/0/5 to 2/0/6 
[*iStack-1-Eth-Trunk2] quit 
[*iStack-1] commit

    # The configuration is the same as the configurations on other Eth-Trunks in Table 4-3, and is not mentioned here.

  4. Configure DAD in relay mode in the CSS and iStacks to ensure high reliability. The following uses the configuration of DAD in relay mode in the CSS as an example.

    # In the CSS, configure DAD in relay mode on the Eth-Trunks that connect to CE12800-1 and CE12800-2.

    [~CSS] interface eth-trunk 8 
[~CSS-Eth-Trunk8] dual-active detect mode relay 
[*CSS-Eth-Trunk8] quit 
[*CSS] interface eth-trunk 9 
[*CSS-Eth-Trunk9] dual-active detect mode relay 
[*CSS-Eth-Trunk9] quit 
[*CSS] commit

    # Configure the proxy function on the Eth-Trunks that connect CE12800-1 and CE12800-2 to the CSS.

    <HUAWEI> system-view 
[~HUAWEI] sysname CE12800-1 
[*HUAWEI] commit 
[~CE12800-1] interface eth-trunk 8 
[~CE12800-1-Eth-Trunk8] dual-active proxy 
[*CE12800-1-Eth-Trunk8] quit 
[*CE12800-1] commit
<HUAWEI> system-view 
[~HUAWEI] sysname CE12800-2 
[*HUAWEI] commit 
[~CE12800-2] interface eth-trunk 9 
[~CE12800-2-Eth-Trunk9] dual-active proxy 
[*CE12800-2-Eth-Trunk9] quit 
[*CE12800-2] commit

    # Configure DAD in relay mode in iStacks according to the preceding method. The configuration is not mentioned here.

  5. Create VLAN100 on the CSS and add the port connected to the iStack to VLAN100 to implement Layer 2 connection.

    # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-1.

    [~CSS] interface eth-trunk 2 
[*CSS-Eth-Trunk2] port link-type trunk 
[*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1 
[*CSS-Eth-Trunk2] port trunk allow-pass vlan 100 
[*CSS-Eth-Trunk2] quit 
[*CSS] commit

    # On iStack-1, allow VLAN100 on the Eth-Trunk interface connected to the CSS.

    [~iStack-1] interface eth-trunk 2 
[*iStack-1-Eth-Trunk2] port link-type trunk 
[*iStack-1-Eth-Trunk2] undo port trunk allow-pass vlan 1 
[*iStack-1-Eth-Trunk2] port trunk allow-pass vlan 100 
[*iStack-1-Eth-Trunk2] quit 
[*iStack-1] commit

    # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-2. The configuration is the same as the configuration in the preceding step.

  6. Assign an IP address to each interface.

    # Configure the IP address for the VLANIF interface connected to the firewall. The IP address configuration of VLANIF200 is used as an example.

    [~CSS] vlan batch 200 
[*CSS] interface Vlanif 200 
[*CSS-Vlanif200] ip address 10.10.2.1 24 
[*CSS-Vlanif200] quit 
[*CSS] interface eth-trunk 4 
[*CSS-Eth-Trunk4] port link-type trunk 
[*CSS-Eth-Trunk4] undo port trunk allow-pass vlan 1 
[*CSS-Eth-Trunk4] port trunk allow-pass vlan 200 
[*CSS-Eth-Trunk4] port trunk pvid vlan 200 
[*CSS-Eth-Trunk4] quit 
[*CSS] interface eth-trunk 6 
[*CSS-Eth-Trunk6] port link-type trunk 
[*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1 
[*CSS-Eth-Trunk6] port trunk allow-pass vlan 200 
[*CSS-Eth-Trunk6] port trunk pvid vlan 200 
[*CSS-Eth-Trunk6] quit 
[*CSS] commit

    # Configure IP addresses for other VLANIF interfaces connected to firewalls in Table 4-3 according to the preceding method.

    # Configure IP addresses for the interfaces connecting CE12800-1 and CE12800-2 to CSS and router. Configure the Ethernet interfaces as Layer 3 interfaces. The configuration on Eth-Trunk1 between CE12800-1 and CE12800-2 is used as an example.

    [~CE12800-1] interface eth-trunk 1 
[*CE12800-1-Eth-Trunk1] undo portswitch 
[*CE12800-1-Eth-Trunk1] ip address 10.10.6.1 24
[*CE12800-2] interface eth-trunk 1 
[*CE12800-2-Eth-Trunk1] undo portswitch 
[*CE12800-2-Eth-Trunk1] ip address 10.10.6.2 24

    # Configure IP addresses for other Layer 3 Ethernet interfaces in Table 4-3 according to the preceding step.

  7. Configure the routes between firewalls, CSS, CE12800-1, CE12800-2, and router to implement Layer 3 connection. Run OSPF between CSS, CE12800-1, CE12800-2, and router. Configure a static route between firewalls and CSS. Create VRF-A on the CSS, bind the service interfaces and downstream interfaces connected to firewalls to VRF-A. The default route of VRF-A is destined for the downstream VRRP virtual IP address of firewalls.

    # Create VRF-A on the CSS, bind VLANIF100 and VLANIF200 to VRF-A, and set the destination address of the default route to the virtual IP address of firewalls.

    NOTE:

    When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.

    [~CSS] ip vpn-instance VRF-A     //Create VRF-A.
[*CSS-vpn-instance-VRF-A] ipv4-family 
[*CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1 
[*CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both 
[*CSS-vpn-instance-VRF-A-af-ipv4] quit 
[*CSS-vpn-instance-VRF-A] quit 
[*CSS] interface Vlanif 100 
[*CSS-Vlanif100] ip binding vpn-instance VRF-A     //Bind VLANIF100 to VRF-A.
[*CSS-Vlanif100] ip address 10.10.1.1 24 
[*CSS-Vlanif100] quit 
[*CSS] interface Vlanif 200 
[*CSS-Vlanif200] ip binding vpn-instance VRF-A     //Bind VLANIF200 to VRF-A.
[*CSS-Vlanif200] ip address 10.10.2.1 24 
[*CSS-Vlanif200] quit 
[*CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5  //Add a default route destined for the downstream VRRP virtual IP address of firewalls to VRF-A.
[*CSS] commit

    # Configure a static route from the CSS to service network segment with the firewalls as the next hop. Run OSPF between CSS, CE12800-1, and CE12800-2 and import the static route to OSPF.

    [~CSS] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5     //Configure a static route destined for the service network segment. The next hop is the upstream VRRP virtual IP address of firewalls.
[*CSS] ospf 100       //Run OSPF between CSS and router.
[*CSS-ospf-100] area 0 
[*CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 
[*CSS-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255 
[*CSS-ospf-100-area-0.0.0.0] quit 
[*CSS-ospf-100] import-route static      //Import the static route. 
[*CSS-ospf-100] quit 
[*CSS] commit

    # Configure OSPF on CE12800-1, CE12800-2, and router. The configuration on CE12800-1 is used as an example.

    [~CE12800-1] ospf 100 
[*CE12800-1-ospf-100] area 0 
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.6.0 0.0.0.255 
[*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.7.0 0.0.0.255 
[*CE12800-1-ospf-100-area-0.0.0.0] quit 
[*CE12800-1-ospf-100] quit 
[*CE12800-1] commit

    # The configurations on CE12800-2 and router are similar to the configuration on CE12800-1, and are not mentioned here.

  8. Configure the firewalls.

    In this example, the firewalls are Huawei USG firewalls.

    # Perform the basic configurations on FW-1, including device name, interface, and security zone.

    <USG> system-view 
[USG] sysname FW-1 
[FW-1] interface Eth-Trunk 4 
[FW-1-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1 
[FW-1-Eth-Trunk4] ip address 10.10.2.2 24 
[FW-1-Eth-Trunk4] quit 
[FW-1] interface Eth-Trunk 5 
[FW-1-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1 
[FW-1-Eth-Trunk5] ip address 10.10.3.2 24 
[FW-1-Eth-Trunk5] quit 
[FW-1] interface Eth-Trunk 1 
[FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 
[FW-1-Eth-Trunk1] ip address 10.1.1.1 24 
[FW-1-Eth-Trunk1] quit 
[FW-1] firewall zone trust 
[FW-1-zone-trust] add interface Eth-Trunk 4 
[FW-1-zone-trust] quit 
[FW-1] firewall zone untrust 
[FW-1-zone-untrust] add interface Eth-Trunk 5 
[FW-1-zone-untrust] quit 
[FW-1] firewall zone dmz 
[FW-1-zone-dmz] add interface Eth-Trunk 1 
[FW-1-zone-dmz] quit

    # Perform the basic configurations on FW-2, including device name, interface, and security zone.

    <USG> system-view 
[USG] sysname FW-2 
[FW-2] interface Eth-Trunk 4 
[FW-2-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1 
[FW-2-Eth-Trunk4] ip address 10.10.2.3 24 
[FW-2-Eth-Trunk4] quit 
[FW-2] interface Eth-Trunk 5 
[FW-2-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1 
[FW-2-Eth-Trunk5] ip address 10.10.3.3 24 
[FW-2-Eth-Trunk5] quit 
[FW-2] interface Eth-Trunk 1 
[FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 
[FW-2-Eth-Trunk1] ip address 10.1.1.2 24 
[FW-2-Eth-Trunk1] quit 
[FW-2] firewall zone trust 
[FW-2-zone-trust] add interface Eth-Trunk 4 
[FW-2-zone-trust] quit 
[FW-2] firewall zone untrust 
[FW-2-zone-untrust] add interface Eth-Trunk 5 
[FW-2-zone-untrust] quit 
[FW-2] firewall zone dmz 
[FW-2-zone-dmz] add interface Eth-Trunk 1 
[FW-2-zone-dmz] quit

    # Configure the static route on FW-1.

    [FW-1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      //Configure a route from the internal network to the external network. The next hop is the IP address of VLANIF300 connected to the upstream interface of the firewall.
[FW-1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      //Configure a route from the external network to the internal network. The destination address is the network segment where the internal server resides, and the next hop is the IP address of VLANIF200 connected to the downstream interface of the firewall.

    # Configure the static route on FW-2.

    [FW-2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1  
[FW-2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1

    # Configure hot standby on FW-1.

    [FW-1] interface Eth-Trunk 4 
[FW-1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master     //Configure the downstream VRRP virtual IP address.
[FW-1-Eth-Trunk4] quit 
[FW-1] interface Eth-Trunk 5 
[FW-1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master     //Configure the upstream VRRP virtual IP address.
[FW-1-Eth-Trunk5] quit 
[FW-1] hrp interface Eth-Trunk 1 remote 10.1.1.2 
[FW-1] firewall packet-filter default permit interzone local dmz 
[FW-1] hrp enable

    # Configure hot standby on FW-2.

    [FW-2] interface Eth-Trunk 4 
[FW-2-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave 
[FW-2-Eth-Trunk4] quit 
[FW-2] interface Eth-Trunk 5 
[FW-2-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave 
[FW-2-Eth-Trunk5] quit 
[FW-2] hrp interface Eth-Trunk 1 remote 10.1.1.1 
[FW-2] firewall packet-filter default permit interzone local dmz 
[FW-2] hrp enable
    NOTE:

    After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active firewall FW-1.

    # Configure the security policy and intrusion protection.

    NOTE:

    Before configuring intrusion protection, ensure that the intrusion signature library is the latest version.

    When configuring intrusion protection, use the default intrusion file default.

    HRP_M[FW-1] policy interzone trust untrust outbound 
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1 
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24     //The source address is the network segment where the internal server resides.
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit 
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default       //The default file is used. 
HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit 
HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit 
HRP_M[FW-1] policy interzone trust untrust inbound 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24     //The destination address is the network segment where the internal server resides. 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http     //The FTP and HTTP protocols are used as an example here. If other applications are running on your network, specify them. 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit 
HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit 
HRP_M[FW-1] ips enable

    # Configure attack defense.

    NOTE:

    The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.

    HRP_M[FW-1] firewall defend syn-flood enable 
HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000 
HRP_M[FW-1] firewall defend udp-flood enable 
HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500 
HRP_M[FW-1] firewall defend icmp-flood enable 
HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000 
HRP_M[FW-1] firewall blacklist enable 
HRP_M[FW-1] firewall defend ip-sweep enable 
HRP_M[FW-1] firewall defend ip-sweep max-rate 4000 
HRP_M[FW-1] firewall defend port-scan enable 
HRP_M[FW-1] firewall defend port-scan max-rate 4000 
HRP_M[FW-1] firewall defend ip-fragment enable 
HRP_M[FW-1] firewall defend ip-spoofing enable

    # Configure ASPF.

    HRP_M[FW-1] firewall interzone trust untrust 
HRP_M[FW-1-interzone-trust-untrust] detect ftp        //The FTP protocol is used as an example here. If other applications are running on your network, enable the ASPF function for them. 
HRP_M[FW-1-interzone-trust-untrust] quit

Verifying the Configuration

After the configurations are complete, check whether the servers and router can ping each other. In this example, the servers ping the router.

PC> ping 10.10.7.2

Ping 10.10.7.2: 32 data bytes, Press Ctrl_C to break 
From 10.10.7.2: bytes=32 seq=1 ttl=251 time=63 ms 
From 10.10.7.2: bytes=32 seq=2 ttl=251 time=94 ms 
From 10.10.7.2: bytes=32 seq=3 ttl=251 time=63 ms 
From 10.10.7.2: bytes=32 seq=4 ttl=251 time=62 ms 
From 10.10.7.2: bytes=32 seq=5 ttl=251 time=47 ms 

--- 10.10.7.2 ping statistics --- 
  5 packet(s) transmitted 
  5 packet(s) received 
  0.00% packet loss 
  round-trip min/avg/max = 47/65/94 ms

Configuration File

  • •Configuration file of the router
    # 
sysname Router 
# 
interface XGigabitEthernet1/0/1 
 ip address 10.10.7.2 255.255.255.0 
# 
interface XGigabitEthernet1/0/2 
 ip address 10.10.8.2 255.255.255.0 
# 
ospf 100 
 area 0.0.0.0 
  network 10.10.7.0 0.0.0.255 
  network 10.10.8.0 0.0.0.255 
# 
return
  • Configuration file of CE12800-1 at the aggregation layer
    # 
sysname CE12800-1 
# 
interface Eth-Trunk1 
 description To_CE12800-2 
 undo portswitch 
 ip address 10.10.6.1 255.255.255.0 
# 
interface Eth-Trunk8 
 description To_CSS 
 undo portswitch 
 ip address 10.10.4.2 255.255.255.0 
 dual-active proxy 
# 
interface 10GE1/0/1 
 description To_Router 
 undo portswitch 
 ip address 10.10.7.1 255.255.255.0 
# 
interface 10GE1/0/2 
 eth-trunk 1 
# 
interface 10GE1/0/3 
 eth-trunk 8 
# 
interface 10GE2/0/2 
 eth-trunk 1 
# 
interface 10GE2/0/3 
 eth-trunk 8 
# 
ospf 100 
 area 0.0.0.0 
  network 10.10.4.0 0.0.0.255 
  network 10.10.6.0 0.0.0.255 
  network 10.10.7.0 0.0.0.255 
# 
return
  • Configuration file of CE12800-2 at the aggregation layer
    # 
sysname CE12800-2 
# 
interface Eth-Trunk1 
 description To_CE12800-1 
 undo portswitch 
 ip address 10.10.6.2 255.255.255.0 
# 
interface Eth-Trunk9 
 description To_CSS 
 undo portswitch 
 ip address 10.10.5.2 255.255.255.0 
 dual-active proxy 
# 
interface 10GE1/0/1 
 description To_Router 
 undo portswitch 
 ip address 10.10.8.1 255.255.255.0 
# 
interface 10GE1/0/2 
 eth-trunk 1 
# 
interface 10GE1/0/3 
 eth-trunk 9 
# 
interface 10GE2/0/2 
 eth-trunk 1 
# 
interface 10GE2/0/3 
 eth-trunk 9 
# 
ospf 100 
 area 0.0.0.0 
  network 10.10.5.0 0.0.0.255 
  network 10.10.6.0 0.0.0.255 
  network 10.10.8.0 0.0.0.255 
# 
return
  • Configuration file of the CSS at the core layer
    # 
sysname CSS 
# 
vlan batch 100 200 300 
# 
ip vpn-instance VRF-A 
 ipv4-family 
  route-distinguisher 100:1 
  vpn-target 111:1 export-extcommunity 
  vpn-target 111:1 import-extcommunity 
# 
stack 
 # 
 stack mode 
 # 
 stack member 1 domain 10 
 stack member 1 priority 150 
 # 
 stack member 2 domain 10 
# 
interface Vlanif100 
 ip binding vpn-instance VRF-A 
 ip address 10.10.1.1 255.255.255.0 
# 
interface Vlanif200 
 ip binding vpn-instance VRF-A 
 ip address 10.10.2.1 255.255.255.0 
# 
interface Vlanif300 
 ip address 10.10.3.1 255.255.255.0 
# 
interface Eth-Trunk2 
 description To_iStack-1 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
 dual-active proxy 
# 
interface Eth-Trunk3 
 description To_iStack-2 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
 dual-active proxy 
# 
interface Eth-Trunk4 
 description To_FW-1 
 port link-type trunk 
 port trunk pvid vlan 200 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 200 
 # 
interface Eth-Trunk5 
 description To_FW-1 
 port link-type trunk 
 port trunk pvid vlan 300 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 300 
# 
interface Eth-Trunk6 
 description To_FW-2 
 port link-type trunk 
 port trunk pvid vlan 200 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 200 
# 
interface Eth-Trunk7 
 description To_FW-2 
 port link-type trunk 
 port trunk pvid vlan 300 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 300 
# 
interface Eth-Trunk8 
 description To_CE12800-1 
 undo portswitch 
 ip address 10.10.4.1 255.255.255.0 
 dual-active detect mode relay 
# 
interface Eth-Trunk9 
 description To_CE12800-2 
 undo portswitch 
 ip address 10.10.5.1 255.255.255.0 
 dual-active detect mode relay 
# 
interface Stack-Port1/1 
# 
interface Stack-Port2/1 
# 
interface 10GE1/1/0/1 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/1/0/2 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/1/0/3 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/1/0/4 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/1/0/5 
 eth-trunk 2 
# 
interface 10GE1/1/0/6 
 eth-trunk 3 
# 
interface 10GE1/1/0/7 
 eth-trunk 4 
# 
interface 10GE1/1/0/8 
 eth-trunk 5 
# 
interface 10GE1/1/0/9 
 eth-trunk 8 
# 
interface 10GE1/2/0/1 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/2/0/2 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/2/0/3 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/2/0/4 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/2/0/5 
 eth-trunk 2 
# 
interface 10GE1/2/0/6 
 eth-trunk 3 
# 
interface 10GE1/2/0/7 
 eth-trunk 6 
# 
interface 10GE1/2/0/8 
 eth-trunk 7 
# 
interface 10GE1/2/0/9 
 eth-trunk 9 
# 
interface 10GE2/1/0/1 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/1/0/2 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/1/0/3 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/1/0/4 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/1/0/5 
 eth-trunk 2 
# 
interface 10GE2/1/0/6 
 eth-trunk 3 
# 
interface 10GE2/1/0/7 
 eth-trunk 4 
# 
interface 10GE2/1/0/8 
 eth-trunk 5 
# 
interface 10GE2/1/0/9 
 eth-trunk 8 
# 
interface 10GE2/2/0/1 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/2/0/2 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/2/0/3 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/2/0/4 
 port mode stack 
 stack-port 2/1 
# 
interface 10GE2/2/0/5 
 eth-trunk 2 
# 
interface 10GE2/2/0/6 
 eth-trunk 3 
# 
interface 10GE2/2/0/7 
 eth-trunk 6 
# 
interface 10GE2/2/0/8 
 eth-trunk 7 
# 
interface 10GE2/2/0/9 
 eth-trunk 9 
# 
ospf 100 
 import-route static 
 area 0.0.0.0 
  network 10.10.4.0 0.0.0.255 
  network 10.10.5.0 0.0.0.255 
# 
ip route-static 10.10.1.0 255.255.255.0 10.10.3.5 
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5 
# 
port-group group1 
 group-member 10GE1/1/0/1 
 group-member 10GE1/1/0/2 
 group-member 10GE1/1/0/3 
 group-member 10GE1/1/0/4 
 group-member 10GE1/2/0/1 
 group-member 10GE1/2/0/2 
 group-member 10GE1/2/0/3 
 group-member 10GE1/2/0/4 
# 
return
  • Configuration file of iStack-1 at the access layer
    # 
sysname iStack-1 
# 
vlan batch 100 
# 
 stack 
 # 
 stack member 1 domain 20 
 stack member 1 priority 150 
 # 
 stack member 2 domain 20 
# 
interface Eth-Trunk2 
 description To_CSS 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
 dual-active detect mode relay 
# 
interface Stack-Port1/1 
#  
interface Stack-Port2/1 
#  
interface 10GE1/0/1 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/2 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/3 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/4 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/5 
 eth-trunk 2 
# 
interface 10GE1/0/6 
 eth-trunk 2 
# 
interface 10GE2/0/1 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/2 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/3 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/4 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/5 
 eth-trunk 2 
# 
interface 10GE2/0/6 
 eth-trunk 2 
# 
return
  • Configuration file of iStack-2 at the access layer
    # 
sysname iStack-2 
# 
vlan batch 100 
# 
stack 
 # 
 stack member 1 domain 30 
 stack member 1 priority 150 
 # 
 stack member 2 domain 30 
# 
interface Eth-Trunk3 
 description To_CSS 
 port link-type trunk 
 undo port trunk allow-pass vlan 1 
 port trunk allow-pass vlan 100 
 dual-active detect mode relay 
# 
interface Stack-Port1/1 
#  
interface Stack-Port2/1 
#  
interface 10GE1/0/1 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/2 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/3 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/4 
 port mode stack 
 stack-port 1/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE1/0/5 
 eth-trunk 3 
# 
interface 10GE1/0/6 
 eth-trunk 3 
# 
interface 10GE2/0/1 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/2 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/3 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/4 
 port mode stack 
 stack-port 2/1 
 port crc-statistics trigger error-down 
 carrier down-hold-time 2000 
# 
interface 10GE2/0/5 
 eth-trunk 3 
# 
interface 10GE2/0/6 
 eth-trunk 3 
# 
return
  • Configuration file of FW-1
    # 
sysname FW-1 
# 
firewall packet-filter default permit interzone local dmz direction inbound 
firewall packet-filter default permit interzone local dmz direction outbound 
# 
firewall defend port-scan enable 
firewall defend ip-sweep enable 
firewall defend ip-fragment enable 
firewall defend icmp-flood enable 
firewall defend udp-flood enable 
firewall defend syn-flood enable 
firewall defend ip-spoofing enable 
firewall defend action discard 
firewall defend icmp-flood zone untrust max-rate 20000 
firewall defend udp-flood zone untrust max-rate 1500 
firewall defend syn-flood zone untrust max-rate 20000 
# 
hrp enable 
hrp interface Eth-Trunk1 remote 10.1.1.2 
# 
ips enable 
# 
interface Eth-Trunk1 
 ip address 10.1.1.1 255.255.255.0 
# 
interface Eth-Trunk4 
 ip address 10.10.2.2 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.2.5 master 
# 
interface Eth-Trunk5 
 ip address 10.10.3.2 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.10.3.5 master 
# 
interface GigabitEthernet1/0/0 
 undo shutdown 
 eth-trunk 4 
# 
interface GigabitEthernet1/0/1 
 undo shutdown 
 eth-trunk 4 
# 
interface GigabitEthernet1/1/0 
 undo shutdown 
 eth-trunk 5 
# 
interface GigabitEthernet1/1/1 
 undo shutdown 
 eth-trunk 5 
# 
interface GigabitEthernet2/0/0 
 undo shutdown 
 eth-trunk 1 
# 
interface GigabitEthernet2/0/1 
 undo shutdown 
 eth-trunk 1 
# 
profile type ips name default 
 signature-set name default 
  os both 
  target both 
  severity low medium high 
  protocol all 
  category all 
# 
firewall zone trust 
 set priority 85 
 add interface Eth-Trunk4 
# 
firewall zone untrust 
 set priority 5 
 add interface Eth-Trunk5 
# 
firewall zone dmz 
 set priority 50 
 add interface Eth-Trunk1 
# 
firewall interzone trust untrust 
 detect ftp 
# 
policy interzone trust untrust inbound 
 policy 1 
  action permit 
  profile ips default 
  policy service service-set ftp 
  policy service service-set http 
  policy destination 10.10.1.0 mask 24 
# 
policy interzone trust untrust outbound 
 policy 1 
  action permit 
  profile ips default 
  policy source 10.10.1.0 mask 24 
# 
ip route-static 0.0.0.0 0.0.0.0 10.10.3.1 
ip route-static 10.10.1.0 255.255.255.0 10.10.2.1 
# 
return
  • Configuration file of FW-2
    # 
sysname FW-2 
# 
firewall packet-filter default permit interzone local dmz direction inbound 
firewall packet-filter default permit interzone local dmz direction outbound 
# 
firewall defend port-scan enable 
firewall defend ip-sweep enable 
firewall defend ip-fragment enable 
firewall defend icmp-flood enable 
firewall defend udp-flood enable 
firewall defend syn-flood enable 
firewall defend ip-spoofing enable 
firewall defend action discard 
firewall defend icmp-flood zone untrust max-rate 20000 
firewall defend udp-flood zone untrust max-rate 1500 
firewall defend syn-flood zone untrust max-rate 20000 
# 
hrp enable 
hrp interface Eth-Trunk1 remote 10.1.1.1 
# 
ips enable 
# 
interface Eth-Trunk1 
 ip address 10.1.1.2 255.255.255.0 
# 
interface Eth-Trunk4 
 ip address 10.10.2.3 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.10.2.5 slave 
# 
interface Eth-Trunk5 
 ip address 10.10.3.3 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.10.3.5 slave 
# 
interface GigabitEthernet1/0/0 
 undo shutdown 
 eth-trunk 4 
# 
interface GigabitEthernet1/0/1 
 undo shutdown 
 eth-trunk 4 
# 
interface GigabitEthernet1/1/0 
 undo shutdown 
 eth-trunk 5 
# 
interface GigabitEthernet1/1/1 
 undo shutdown 
 eth-trunk 5 
# 
interface GigabitEthernet2/0/0 
 undo shutdown 
 eth-trunk 1 
# 
interface GigabitEthernet2/0/1 
 undo shutdown 
 eth-trunk 1 
# 
profile type ips name default 
 signature-set name default 
  os both 
  target both 
  severity low medium high 
  protocol all 
  category all 
# 
firewall zone trust 
 set priority 85 
 add interface Eth-Trunk4 
# 
firewall zone untrust 
 set priority 5 
 add interface Eth-Trunk5 
# 
firewall zone dmz 
 set priority 50 
 add interface Eth-Trunk1 
# 
firewall interzone trust untrust 
 detect ftp 
# 
policy interzone trust untrust inbound 
 policy 1 
  action permit 
  profile ips default 
  policy service service-set ftp 
  policy service service-set http 
  policy destination 10.10.1.0 mask 24 
# 
policy interzone trust untrust outbound 
 policy 1 
  action permit 
  profile ips default 
  policy source 10.10.1.0 mask 24 
# 
ip route-static 0.0.0.0 0.0.0.0 10.10.3.1 
ip route-static 10.10.1.0 255.255.255.0 10.10.2.1 
# 
return
Translation
简体中文
Download
Updated: 2018-07-02

Document ID: EDOC1000177342

Views: 24495

Downloads: 939

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :