Networking Requirements

On a 3-Layer network as shown in Figure 4-4, the core layer contains two CE12800 switches. The two switches are connected through an Eth-Trunk with two 10GE member links for link backup. The aggregation layer has a CE12800 stack. The stack connects to upstream and downstream devices through inter-chassis Eth-Trunk interfaces. The Eth-Trunks are configured to preferentially forward local traffic so that loads on inter-chassis links are reduced. VRF instances are created on the aggregation layer to separate service network routes and public network routes. Two firewalls are connected to CE12800 switches in bypass mode, and work in hot standby mode to improve reliability.

Figure 4-4 Diagram of a stack-based 3-Layer data center network

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure stack at the aggregation layer and access layer to implement device backup.
2. Configure Eth-Trunks between the aggregation/access switches and their upstream/downstream devices, and firewalls to form a reliable, loop-free network.
3. Create VLANs and add interfaces to VLANs so that the servers in the same VLAN can communicate with each other.
4. Configure routes between aggregation layer and core layer to implement Layer 3 connection. Run OSPF between the aggregation layer, core layer, and router, and configure static routes between CSS and firewall. Create VRF-A on the CSS, and bind the service interfaces and downstream interfaces connected to firewalls to VRF-A to separate service network segment routes and public network routes. The default route of VRF-A is destined for the firewalls.
5. Configure the hot standby, security policy, attack defense, and intrusion protection functions on firewalls.

Procedure

1. Configure the stack function on aggregation switches CE12800-3 and CE12800-4.
   1. Connect stack cables between CE12800-3 and CE12800-4
   2. Configure stack attributes for CE12800-3 and CE12800-4. (Set a higher priority for CE12800-3, so CE12800-3 will become the master switch.)

      # On CE12800-3, set the stack priority to 150 and stack domain ID to 10. In this example, CE12800-3 retains the default stack member ID 1 and default stack connection mode MPU connection, and you do not need to configure the two parameters.

      <HUAWEI> system-view 
      [~HUAWEI] sysname CE12800-3 
      [*HUAWEI] commit 
      [~CE12800-3] stack 
      [~CE12800-3-stack] stack priority 150     //Configure the stack priority. The default value is 100.
      [*CE12800-3-stack] stack domain 10        //Configure the domain ID.
      [*CE12800-3-stack] quit 
      [*CE12800-3] commit

      # On CE12800-4, set the stack member ID to 2 and stack domain ID to 10. In this example, CE12800-4 retains the default stack priority 100 and default stack connection mode MPU connection, and you do not need to configure the two parameters.

      <HUAWEI> system-view 
      [~HUAWEI] sysname CE12800-4 
      [*HUAWEI] commit 
      [~CE12800-4] stack 
      [~CE12800-4-stack] stack member 2 
      Warning: The device will use the configuration of member ID 2 after the device resets. Continue? [Y/N]: y 
      [*CE12800-4-stack] stack domain 10 
      [*CE12800-4-stack] quit 
      [*CE12800-4] commit

   3. Configure stack ports. The two switches are connected by eight 10GE optical ports on different LPUs.

      # On CE12800-3, add 10GE1/0/1-10GE1/0/4 and 10GE2/0/1-10GE2/0/4 to the stack port.

      [~CE12800-3] port-group group1       //Create a port group.
      [*CE12800-3-port-group-group1] group-member 10ge 1/0/1 to 10ge 1/0/4       //Add ports to the port group. 
      [*CE12800-3-port-group-group1] group-member 10ge 2/0/1 to 10ge 2/0/4 
      [*CE12800-3-port-group-group1] shutdown       //Shut down the port. 
      [*CE12800-3-port-group-group1] quit 
      [*CE12800-3] commit 
      [~CE12800-3] interface stack-port 1 
      [*CE12800-3-Stack-Port1] port member-group interface 10ge 1/0/1 to 1/0/4       //Add physical ports to the stack port. 
      Warning: After the configuration is complete,  
      1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.  
      2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
      [*CE12800-3-Stack-Port1] port member-group interface 10ge 2/0/1 to 2/0/4 
      Warning: After the configuration is complete,  
      1.The interface(s) (10GE2/0/1-2/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist.  
      2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
      [*CE12800-3-Stack-Port1] quit 
      [*CE12800-3] commit 
      [~CE12800-3] port-group group1 
      [~CE12800-3-port-group-group1] undo shutdown       //Enable the port. 
      [*CE12800-3-port-group-group1] quit 
      [*CE12800-3] return

      # The configuration procedure on CE12800-4 is the same as the configuration procedure on CE12800-3, and is not mentioned here.

   4. Enable the stack function.

      # Enable the stack function on CE12800-3 and restart the device.

      <CE12800-3> save 
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y 
      <CE12800-3> system-view 
      [~CE12800-3] stack 
      [~CE12800-3-stack] stack enable 
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode. Switches working in different forward modes cannot set up a CSS. 
      Current configuration will be converted to the next startup saved-configuration file of stack mode. 
      System will reboot. Continue? [Y/N]: y

      # Enable the stack function on CE12800-4 and restart the device.

      <CE12800-4> save 
      Warning: The current configuration will be written to the device. Continue? [Y/N]: y 
      <CE12800-4> system-view 
      [~CE12800-4] stack 
      [~CE12800-4-stack] stack enable 
      Warning: Make sure that one or more dual-active detection methods are configured once the conversion is complete and the device enters the stack mode. Switches working in different forward modes cannot set up a CSS. 
      Current configuration will be converted to the next startup saved-configuration file of stack mode. 
      System will reboot. Continue? [Y/N]: y

   5. Rename the stack system CSS.

      <CE12800-3> system-view 
      [~CE12800-3] sysname CSS 
      [*CE12800-3] commit

   6. Configure stack member ports to report the Down state after a delay.

      You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.

      [~CSS] port-group group-member 10ge 1/1/0/1 to 10ge 1/1/0/4 10ge 1/2/0/1 to 10ge 1/2/0/4 10ge 2/1/0/1 to 10ge 2/1/0/4 10ge 2/2/0/1 to 10ge 2/2/0/4 
      [~CSS-port-group] carrier down-hold-time 2000 
      [*CSS-port-group] commit

2. Configure the stack function on the access switches. The configurations on CE6800-1 and CE6800-2 are used as an example here. The configurations on other switches are similar.
   1. Configure the stack attributes for CE6800-1 and CE6800-2. (Set a higher priority for CE6800-1, so CE6800-1 will become the master switch.)

      # On CE6800-1, set the stack priority to 150 and stack domain ID to 20. In this example, CE6800-1 retains the default stack member ID 1, and you do not configure this parameter.

      <HUAWEI> system-view 
      [~HUAWEI] sysname CE6800-1 
      [*HUAWEI] commit 
      [~CE6800-1] stack 
      [~CE6800-1-stack] stack member 1 priority 150 
      [*CE6800-1-stack] stack member 1 domain 20 
      [*CE6800-1-stack] quit 
      [*CE6800-1] commit

      # On CE6800-2, set the stack member ID to 2 and domain ID to 20. In this example, CE6800-2 retains the default stack priority 100, and you do not configure this parameter.

      <HUAWEI> system-view 
      [~HUAWEI] sysname CE6800-2 
      [*HUAWEI] commit 
      [~CE6800-2] stack 
      [~CE6800-2-stack] stack member 1 renumber 2 inherit-config 
      Warning: The stack configuration of member ID 1 will be inherited to member ID 2 after the device resets. Continue? [Y/N]: y 
      [*CE6800-2-stack] stack member 1 domain 20 
      [*CE6800-2-stack] quit 
      [*CE6800-2] commit

   2. Configure stack ports. Two switches are connected by four 10GE optical ports.

      # On CE6800-1, add 10GE1/0/1-10GE1/0/4 to stack port 1/1.

      [~CE6800-1] interface stack-port 1/1 
      [*CE6800-1-Stack-Port1/1] port member-group interface 10ge 1/0/1 to 1/0/4 
      Warning: After the configuration is complete,  
      1.The interface(s) (10GE1/0/1-1/0/4) will be converted to stack mode and be configured with the port crc-statistics trigger error-down command if the configuration does not exist. 
      2.The interface(s) may go Error-Down (crc-statistics) because there is no shutdown configuration on the interfaces.Continue? [Y/N]: y 
      [*CE6800-1-Stack-Port1/1] commit 
      [~CE6800-1-Stack-Port1/1] return

      # The configuration procedure on CE6800-2 is the same as that on CE6800-1, and is not mentioned here.

   3. Save the configurations of CE6800-1 and CE6800-2, power off the two switches, connect stack cables, and power on the switches.
   4. Rename the stack system iStack-1. CE6800-1 functions as the master switch in this example.

      <CE6800-1> system-view 
      [~CE6800-1] sysname iStack-1 
      [*CE6800-1] commit

   5. Configure stack member ports to report the Down state after a delay.

      You are advised to set the delay in reporting a port Down event to prevent unstable stack status caused by intermittent port disconnection.

      [~iStack-1] port-group group-member 10ge 1/0/1 to 10ge 1/0/4 10ge 2/0/1 to 10ge 2/0/4 
      [~iStack-1-port-group] carrier down-hold-time 2000 
      [*iStack-1-port-group] commit

   6. Configure the stack consisting of CE6800-3 and CE6800-4 according to the preceding configurations. Rename the stack system iStack-2. CE6800-3 functions as the master switch in this example.

3. Connect the CSS and iStack systems to upstream and downstream devices, and firewalls through Eth-Trunks. The connection between CSS and iStack-1 is used as an example.

   # Create Eth-Trunk2 on the CSS, and add 10GE1/1/0/5, 10GE1/2/0/5, 10GE2/1/0/5, and 10GE2/2/0/5 to Eth-Trunk2.

   [~CSS] interface eth-trunk 2 
   [*CSS-Eth-Trunk2] description To_iStack-1 
   [*CSS-Eth-Trunk2] trunkport 10ge 1/1/0/5 1/2/0/5 2/1/0/5 2/2/0/5 
   [*CSS-Eth-Trunk2] quit 
   [*CSS] commit

   # Create Eth-Trunk2 on iStack-1, and add 10GE1/0/5, 10GE1/0/6, 10GE2/0/5, and 10GE2/0/6 to Eth-Trunk2.

   [~iStack-1] interface eth-trunk 2 
   [*iStack-1-Eth-Trunk2] description To_CSS 
   [*iStack-1-Eth-Trunk2] trunkport 10ge 1/0/5 to 1/0/6 
   [*iStack-1-Eth-Trunk2] trunkport 10ge 2/0/5 to 2/0/6 
   [*iStack-1-Eth-Trunk2] quit 
   [*iStack-1] commit

   # The configuration is the same as the configurations on other Eth-Trunks in Table 4-3, and is not mentioned here.

4. Configure DAD in relay mode in the CSS and iStacks to ensure high reliability. The following uses the configuration of DAD in relay mode in the CSS as an example.

   # In the CSS, configure DAD in relay mode on the Eth-Trunks that connect to CE12800-1 and CE12800-2.

   [~CSS] interface eth-trunk 8 
   [~CSS-Eth-Trunk8] dual-active detect mode relay 
   [*CSS-Eth-Trunk8] quit 
   [*CSS] interface eth-trunk 9 
   [*CSS-Eth-Trunk9] dual-active detect mode relay 
   [*CSS-Eth-Trunk9] quit 
   [*CSS] commit

   # Configure the proxy function on the Eth-Trunks that connect CE12800-1 and CE12800-2 to the CSS.

   <HUAWEI> system-view 
   [~HUAWEI] sysname CE12800-1 
   [*HUAWEI] commit 
   [~CE12800-1] interface eth-trunk 8 
   [~CE12800-1-Eth-Trunk8] dual-active proxy 
   [*CE12800-1-Eth-Trunk8] quit 
   [*CE12800-1] commit
   <HUAWEI> system-view 
   [~HUAWEI] sysname CE12800-2 
   [*HUAWEI] commit 
   [~CE12800-2] interface eth-trunk 9 
   [~CE12800-2-Eth-Trunk9] dual-active proxy 
   [*CE12800-2-Eth-Trunk9] quit 
   [*CE12800-2] commit

   # Configure DAD in relay mode in iStacks according to the preceding method. The configuration is not mentioned here.

5. Create VLAN100 on the CSS and add the port connected to the iStack to VLAN100 to implement Layer 2 connection.

   # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-1.

   [~CSS] interface eth-trunk 2 
   [*CSS-Eth-Trunk2] port link-type trunk 
   [*CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1 
   [*CSS-Eth-Trunk2] port trunk allow-pass vlan 100 
   [*CSS-Eth-Trunk2] quit 
   [*CSS] commit

   # On iStack-1, allow VLAN100 on the Eth-Trunk interface connected to the CSS.

   [~iStack-1] interface eth-trunk 2 
   [*iStack-1-Eth-Trunk2] port link-type trunk 
   [*iStack-1-Eth-Trunk2] undo port trunk allow-pass vlan 1 
   [*iStack-1-Eth-Trunk2] port trunk allow-pass vlan 100 
   [*iStack-1-Eth-Trunk2] quit 
   [*iStack-1] commit

   # On the CSS, allow VLAN100 on the Eth-Trunk interface connected to iStack-2. The configuration is the same as the configuration in the preceding step.

6. Assign an IP address to each interface.

   # Configure the IP address for the VLANIF interface connected to the firewall. The IP address configuration of VLANIF200 is used as an example.

   [~CSS] vlan batch 200 
   [*CSS] interface Vlanif 200 
   [*CSS-Vlanif200] ip address 10.10.2.1 24 
   [*CSS-Vlanif200] quit 
   [*CSS] interface eth-trunk 4 
   [*CSS-Eth-Trunk4] port link-type trunk 
   [*CSS-Eth-Trunk4] undo port trunk allow-pass vlan 1 
   [*CSS-Eth-Trunk4] port trunk allow-pass vlan 200 
   [*CSS-Eth-Trunk4] port trunk pvid vlan 200 
   [*CSS-Eth-Trunk4] quit 
   [*CSS] interface eth-trunk 6 
   [*CSS-Eth-Trunk6] port link-type trunk 
   [*CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1 
   [*CSS-Eth-Trunk6] port trunk allow-pass vlan 200 
   [*CSS-Eth-Trunk6] port trunk pvid vlan 200 
   [*CSS-Eth-Trunk6] quit 
   [*CSS] commit

   # Configure IP addresses for other VLANIF interfaces connected to firewalls in Table 4-3 according to the preceding method.

   # Configure IP addresses for the interfaces connecting CE12800-1 and CE12800-2 to CSS and router. Configure the Ethernet interfaces as Layer 3 interfaces. The configuration on Eth-Trunk1 between CE12800-1 and CE12800-2 is used as an example.

   [~CE12800-1] interface eth-trunk 1 
   [*CE12800-1-Eth-Trunk1] undo portswitch 
   [*CE12800-1-Eth-Trunk1] ip address 10.10.6.1 24
   [*CE12800-2] interface eth-trunk 1 
   [*CE12800-2-Eth-Trunk1] undo portswitch 
   [*CE12800-2-Eth-Trunk1] ip address 10.10.6.2 24

   # Configure IP addresses for other Layer 3 Ethernet interfaces in Table 4-3 according to the preceding step.

7. Configure the routes between firewalls, CSS, CE12800-1, CE12800-2, and router to implement Layer 3 connection. Run OSPF between CSS, CE12800-1, CE12800-2, and router. Configure a static route between firewalls and CSS. Create VRF-A on the CSS, bind the service interfaces and downstream interfaces connected to firewalls to VRF-A. The default route of VRF-A is destined for the downstream VRRP virtual IP address of firewalls.

   # Create VRF-A on the CSS, bind VLANIF100 and VLANIF200 to VRF-A, and set the destination address of the default route to the virtual IP address of firewalls.

   NOTE:

   When an interface is bound to VRF-A, the IP address of the interface will be deleted; therefore, you need to reconfigure the IP address.

   [~CSS] ip vpn-instance VRF-A     //Create VRF-A.
   [*CSS-vpn-instance-VRF-A] ipv4-family 
   [*CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1 
   [*CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both 
   [*CSS-vpn-instance-VRF-A-af-ipv4] quit 
   [*CSS-vpn-instance-VRF-A] quit 
   [*CSS] interface Vlanif 100 
   [*CSS-Vlanif100] ip binding vpn-instance VRF-A     //Bind VLANIF100 to VRF-A.
   [*CSS-Vlanif100] ip address 10.10.1.1 24 
   [*CSS-Vlanif100] quit 
   [*CSS] interface Vlanif 200 
   [*CSS-Vlanif200] ip binding vpn-instance VRF-A     //Bind VLANIF200 to VRF-A.
   [*CSS-Vlanif200] ip address 10.10.2.1 24 
   [*CSS-Vlanif200] quit 
   [*CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5  //Add a default route destined for the downstream VRRP virtual IP address of firewalls to VRF-A.
   [*CSS] commit

   # Configure a static route from the CSS to service network segment with the firewalls as the next hop. Run OSPF between CSS, CE12800-1, and CE12800-2 and import the static route to OSPF.

   [~CSS] ip route-static 10.10.1.0 255.255.255.0 10.10.3.5     //Configure a static route destined for the service network segment. The next hop is the upstream VRRP virtual IP address of firewalls.
   [*CSS] ospf 100       //Run OSPF between CSS and router.
   [*CSS-ospf-100] area 0 
   [*CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 
   [*CSS-ospf-100-area-0.0.0.0] network 10.10.5.0 0.0.0.255 
   [*CSS-ospf-100-area-0.0.0.0] quit 
   [*CSS-ospf-100] import-route static      //Import the static route. 
   [*CSS-ospf-100] quit 
   [*CSS] commit

   # Configure OSPF on CE12800-1, CE12800-2, and router. The configuration on CE12800-1 is used as an example.

   [~CE12800-1] ospf 100 
   [*CE12800-1-ospf-100] area 0 
   [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 
   [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.6.0 0.0.0.255 
   [*CE12800-1-ospf-100-area-0.0.0.0] network 10.10.7.0 0.0.0.255 
   [*CE12800-1-ospf-100-area-0.0.0.0] quit 
   [*CE12800-1-ospf-100] quit 
   [*CE12800-1] commit

   # The configurations on CE12800-2 and router are similar to the configuration on CE12800-1, and are not mentioned here.

8. Configure the firewalls.

   In this example, the firewalls are Huawei USG firewalls.

   # Perform the basic configurations on FW-1, including device name, interface, and security zone.

   <USG> system-view 
   [USG] sysname FW-1 
   [FW-1] interface Eth-Trunk 4 
   [FW-1-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1 
   [FW-1-Eth-Trunk4] ip address 10.10.2.2 24 
   [FW-1-Eth-Trunk4] quit 
   [FW-1] interface Eth-Trunk 5 
   [FW-1-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1 
   [FW-1-Eth-Trunk5] ip address 10.10.3.2 24 
   [FW-1-Eth-Trunk5] quit 
   [FW-1] interface Eth-Trunk 1 
   [FW-1-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 
   [FW-1-Eth-Trunk1] ip address 10.1.1.1 24 
   [FW-1-Eth-Trunk1] quit 
   [FW-1] firewall zone trust 
   [FW-1-zone-trust] add interface Eth-Trunk 4 
   [FW-1-zone-trust] quit 
   [FW-1] firewall zone untrust 
   [FW-1-zone-untrust] add interface Eth-Trunk 5 
   [FW-1-zone-untrust] quit 
   [FW-1] firewall zone dmz 
   [FW-1-zone-dmz] add interface Eth-Trunk 1 
   [FW-1-zone-dmz] quit

   # Perform the basic configurations on FW-2, including device name, interface, and security zone.

   <USG> system-view 
   [USG] sysname FW-2 
   [FW-2] interface Eth-Trunk 4 
   [FW-2-Eth-Trunk4] trunkport GigabitEthernet 1/0/0 1/0/1 
   [FW-2-Eth-Trunk4] ip address 10.10.2.3 24 
   [FW-2-Eth-Trunk4] quit 
   [FW-2] interface Eth-Trunk 5 
   [FW-2-Eth-Trunk5] trunkport GigabitEthernet 1/1/0 1/1/1 
   [FW-2-Eth-Trunk5] ip address 10.10.3.3 24 
   [FW-2-Eth-Trunk5] quit 
   [FW-2] interface Eth-Trunk 1 
   [FW-2-Eth-Trunk1] trunkport GigabitEthernet 2/0/0 2/0/1 
   [FW-2-Eth-Trunk1] ip address 10.1.1.2 24 
   [FW-2-Eth-Trunk1] quit 
   [FW-2] firewall zone trust 
   [FW-2-zone-trust] add interface Eth-Trunk 4 
   [FW-2-zone-trust] quit 
   [FW-2] firewall zone untrust 
   [FW-2-zone-untrust] add interface Eth-Trunk 5 
   [FW-2-zone-untrust] quit 
   [FW-2] firewall zone dmz 
   [FW-2-zone-dmz] add interface Eth-Trunk 1 
   [FW-2-zone-dmz] quit

   # Configure the static route on FW-1.

   [FW-1] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1      //Configure a route from the internal network to the external network. The next hop is the IP address of VLANIF300 connected to the upstream interface of the firewall.
   [FW-1] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1      //Configure a route from the external network to the internal network. The destination address is the network segment where the internal server resides, and the next hop is the IP address of VLANIF200 connected to the downstream interface of the firewall.

   # Configure the static route on FW-2.

   [FW-2] ip route-static 0.0.0.0 0.0.0.0 10.10.3.1  
   [FW-2] ip route-static 10.10.1.0 255.255.255.0 10.10.2.1

   # Configure hot standby on FW-1.

   [FW-1] interface Eth-Trunk 4 
   [FW-1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master     //Configure the downstream VRRP virtual IP address.
   [FW-1-Eth-Trunk4] quit 
   [FW-1] interface Eth-Trunk 5 
   [FW-1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master     //Configure the upstream VRRP virtual IP address.
   [FW-1-Eth-Trunk5] quit 
   [FW-1] hrp interface Eth-Trunk 1 remote 10.1.1.2 
   [FW-1] firewall packet-filter default permit interzone local dmz 
   [FW-1] hrp enable

   # Configure hot standby on FW-2.

   [FW-2] interface Eth-Trunk 4 
   [FW-2-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave 
   [FW-2-Eth-Trunk4] quit 
   [FW-2] interface Eth-Trunk 5 
   [FW-2-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave 
   [FW-2-Eth-Trunk5] quit 
   [FW-2] hrp interface Eth-Trunk 1 remote 10.1.1.1 
   [FW-2] firewall packet-filter default permit interzone local dmz 
   [FW-2] hrp enable 

   NOTE:

   After hot standby is configured, the configurations and sessions on the active device are synchronized to the standby device; therefore, you only need to perform the following configurations on the active firewall FW-1.

   # Configure the security policy and intrusion protection.

   NOTE:

   Before configuring intrusion protection, ensure that the intrusion signature library is the latest version.

   When configuring intrusion protection, use the default intrusion file default.

   HRP_M[FW-1] policy interzone trust untrust outbound 
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound] policy 1 
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] policy source 10.10.1.0 mask 24     //The source address is the network segment where the internal server resides.
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] action permit 
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] profile ips default       //The default file is used. 
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound-1] quit 
   HRP_M[FW-1-policy-interzone-trust-untrust-outbound] quit 
   HRP_M[FW-1] policy interzone trust untrust inbound 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound] policy 1 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy destination 10.10.1.0 mask 24     //The destination address is the network segment where the internal server resides. 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] policy service service-set ftp http     //The FTP and HTTP protocols are used as an example here. If other applications are running on your network, specify them. 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] action permit 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] profile ips default 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound-1] quit 
   HRP_M[FW-1-policy-interzone-trust-untrust-inbound] quit 
   HRP_M[FW-1] ips enable

   # Configure attack defense.

   NOTE:

   The attack defense thresholds in this example are only for reference. Configure the thresholds according to the traffic volume on your network.

   HRP_M[FW-1] firewall defend syn-flood enable 
   HRP_M[FW-1] firewall defend syn-flood zone untrust max-rate 20000 
   HRP_M[FW-1] firewall defend udp-flood enable 
   HRP_M[FW-1] firewall defend udp-flood zone untrust max-rate 1500 
   HRP_M[FW-1] firewall defend icmp-flood enable 
   HRP_M[FW-1] firewall defend icmp-flood zone untrust max-rate 20000 
   HRP_M[FW-1] firewall blacklist enable 
   HRP_M[FW-1] firewall defend ip-sweep enable 
   HRP_M[FW-1] firewall defend ip-sweep max-rate 4000 
   HRP_M[FW-1] firewall defend port-scan enable 
   HRP_M[FW-1] firewall defend port-scan max-rate 4000 
   HRP_M[FW-1] firewall defend ip-fragment enable 
   HRP_M[FW-1] firewall defend ip-spoofing enable

   # Configure ASPF.

   HRP_M[FW-1] firewall interzone trust untrust 
   HRP_M[FW-1-interzone-trust-untrust] detect ftp        //The FTP protocol is used as an example here. If other applications are running on your network, enable the ASPF function for them. 
   HRP_M[FW-1-interzone-trust-untrust] quit

Verifying the Configuration

After the configurations are complete, check whether the servers and router can ping each other. In this example, the servers ping the router.

PC> ping 10.10.7.2

Ping 10.10.7.2: 32 data bytes, Press Ctrl_C to break 
From 10.10.7.2: bytes=32 seq=1 ttl=251 time=63 ms 
From 10.10.7.2: bytes=32 seq=2 ttl=251 time=94 ms 
From 10.10.7.2: bytes=32 seq=3 ttl=251 time=63 ms 
From 10.10.7.2: bytes=32 seq=4 ttl=251 time=62 ms 
From 10.10.7.2: bytes=32 seq=5 ttl=251 time=47 ms 

--- 10.10.7.2 ping statistics --- 
  5 packet(s) transmitted 
  5 packet(s) received 
  0.00% packet loss 
  round-trip min/avg/max = 47/65/94 ms

Configuration File

• •Configuration file of the router

  # 
  sysname Router 
  # 
  interface XGigabitEthernet1/0/1 
   ip address 10.10.7.2 255.255.255.0 
  # 
  interface XGigabitEthernet1/0/2 
   ip address 10.10.8.2 255.255.255.0 
  # 
  ospf 100 
   area 0.0.0.0 
    network 10.10.7.0 0.0.0.255 
    network 10.10.8.0 0.0.0.255 
  # 
  return

• Configuration file of CE12800-1 at the aggregation layer

  # 
  sysname CE12800-1 
  # 
  interface Eth-Trunk1 
   description To_CE12800-2 
   undo portswitch 
   ip address 10.10.6.1 255.255.255.0 
  # 
  interface Eth-Trunk8 
   description To_CSS 
   undo portswitch 
   ip address 10.10.4.2 255.255.255.0 
   dual-active proxy 
  # 
  interface 10GE1/0/1 
   description To_Router 
   undo portswitch 
   ip address 10.10.7.1 255.255.255.0 
  # 
  interface 10GE1/0/2 
   eth-trunk 1 
  # 
  interface 10GE1/0/3 
   eth-trunk 8 
  # 
  interface 10GE2/0/2 
   eth-trunk 1 
  # 
  interface 10GE2/0/3 
   eth-trunk 8 
  # 
  ospf 100 
   area 0.0.0.0 
    network 10.10.4.0 0.0.0.255 
    network 10.10.6.0 0.0.0.255 
    network 10.10.7.0 0.0.0.255 
  # 
  return

• Configuration file of CE12800-2 at the aggregation layer

  # 
  sysname CE12800-2 
  # 
  interface Eth-Trunk1 
   description To_CE12800-1 
   undo portswitch 
   ip address 10.10.6.2 255.255.255.0 
  # 
  interface Eth-Trunk9 
   description To_CSS 
   undo portswitch 
   ip address 10.10.5.2 255.255.255.0 
   dual-active proxy 
  # 
  interface 10GE1/0/1 
   description To_Router 
   undo portswitch 
   ip address 10.10.8.1 255.255.255.0 
  # 
  interface 10GE1/0/2 
   eth-trunk 1 
  # 
  interface 10GE1/0/3 
   eth-trunk 9 
  # 
  interface 10GE2/0/2 
   eth-trunk 1 
  # 
  interface 10GE2/0/3 
   eth-trunk 9 
  # 
  ospf 100 
   area 0.0.0.0 
    network 10.10.5.0 0.0.0.255 
    network 10.10.6.0 0.0.0.255 
    network 10.10.8.0 0.0.0.255 
  # 
  return

• Configuration file of the CSS at the core layer

  # 
  sysname CSS 
  # 
  vlan batch 100 200 300 
  # 
  ip vpn-instance VRF-A 
   ipv4-family 
    route-distinguisher 100:1 
    vpn-target 111:1 export-extcommunity 
    vpn-target 111:1 import-extcommunity 
  # 
  stack 
   # 
   stack mode 
   # 
   stack member 1 domain 10 
   stack member 1 priority 150 
   # 
   stack member 2 domain 10 
  # 
  interface Vlanif100 
   ip binding vpn-instance VRF-A 
   ip address 10.10.1.1 255.255.255.0 
  # 
  interface Vlanif200 
   ip binding vpn-instance VRF-A 
   ip address 10.10.2.1 255.255.255.0 
  # 
  interface Vlanif300 
   ip address 10.10.3.1 255.255.255.0 
  # 
  interface Eth-Trunk2 
   description To_iStack-1 
   port link-type trunk 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 100 
   dual-active proxy 
  # 
  interface Eth-Trunk3 
   description To_iStack-2 
   port link-type trunk 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 100 
   dual-active proxy 
  # 
  interface Eth-Trunk4 
   description To_FW-1 
   port link-type trunk 
   port trunk pvid vlan 200 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 200 
   # 
  interface Eth-Trunk5 
   description To_FW-1 
   port link-type trunk 
   port trunk pvid vlan 300 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 300 
  # 
  interface Eth-Trunk6 
   description To_FW-2 
   port link-type trunk 
   port trunk pvid vlan 200 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 200 
  # 
  interface Eth-Trunk7 
   description To_FW-2 
   port link-type trunk 
   port trunk pvid vlan 300 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 300 
  # 
  interface Eth-Trunk8 
   description To_CE12800-1 
   undo portswitch 
   ip address 10.10.4.1 255.255.255.0 
   dual-active detect mode relay 
  # 
  interface Eth-Trunk9 
   description To_CE12800-2 
   undo portswitch 
   ip address 10.10.5.1 255.255.255.0 
   dual-active detect mode relay 
  # 
  interface Stack-Port1/1 
  # 
  interface Stack-Port2/1 
  # 
  interface 10GE1/1/0/1 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/1/0/2 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/1/0/3 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/1/0/4 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/1/0/5 
   eth-trunk 2 
  # 
  interface 10GE1/1/0/6 
   eth-trunk 3 
  # 
  interface 10GE1/1/0/7 
   eth-trunk 4 
  # 
  interface 10GE1/1/0/8 
   eth-trunk 5 
  # 
  interface 10GE1/1/0/9 
   eth-trunk 8 
  # 
  interface 10GE1/2/0/1 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/2/0/2 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/2/0/3 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/2/0/4 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/2/0/5 
   eth-trunk 2 
  # 
  interface 10GE1/2/0/6 
   eth-trunk 3 
  # 
  interface 10GE1/2/0/7 
   eth-trunk 6 
  # 
  interface 10GE1/2/0/8 
   eth-trunk 7 
  # 
  interface 10GE1/2/0/9 
   eth-trunk 9 
  # 
  interface 10GE2/1/0/1 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/1/0/2 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/1/0/3 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/1/0/4 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/1/0/5 
   eth-trunk 2 
  # 
  interface 10GE2/1/0/6 
   eth-trunk 3 
  # 
  interface 10GE2/1/0/7 
   eth-trunk 4 
  # 
  interface 10GE2/1/0/8 
   eth-trunk 5 
  # 
  interface 10GE2/1/0/9 
   eth-trunk 8 
  # 
  interface 10GE2/2/0/1 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/2/0/2 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/2/0/3 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/2/0/4 
   port mode stack 
   stack-port 2/1 
  # 
  interface 10GE2/2/0/5 
   eth-trunk 2 
  # 
  interface 10GE2/2/0/6 
   eth-trunk 3 
  # 
  interface 10GE2/2/0/7 
   eth-trunk 6 
  # 
  interface 10GE2/2/0/8 
   eth-trunk 7 
  # 
  interface 10GE2/2/0/9 
   eth-trunk 9 
  # 
  ospf 100 
   import-route static 
   area 0.0.0.0 
    network 10.10.4.0 0.0.0.255 
    network 10.10.5.0 0.0.0.255 
  # 
  ip route-static 10.10.1.0 255.255.255.0 10.10.3.5 
  ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.2.5 
  # 
  port-group group1 
   group-member 10GE1/1/0/1 
   group-member 10GE1/1/0/2 
   group-member 10GE1/1/0/3 
   group-member 10GE1/1/0/4 
   group-member 10GE1/2/0/1 
   group-member 10GE1/2/0/2 
   group-member 10GE1/2/0/3 
   group-member 10GE1/2/0/4 
  # 
  return

• Configuration file of iStack-1 at the access layer

  # 
  sysname iStack-1 
  # 
  vlan batch 100 
  # 
   stack 
   # 
   stack member 1 domain 20 
   stack member 1 priority 150 
   # 
   stack member 2 domain 20 
  # 
  interface Eth-Trunk2 
   description To_CSS 
   port link-type trunk 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 100 
   dual-active detect mode relay 
  # 
  interface Stack-Port1/1 
  #  
  interface Stack-Port2/1 
  #  
  interface 10GE1/0/1 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/2 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/3 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/4 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/5 
   eth-trunk 2 
  # 
  interface 10GE1/0/6 
   eth-trunk 2 
  # 
  interface 10GE2/0/1 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/2 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/3 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/4 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/5 
   eth-trunk 2 
  # 
  interface 10GE2/0/6 
   eth-trunk 2 
  # 
  return

• Configuration file of iStack-2 at the access layer

  # 
  sysname iStack-2 
  # 
  vlan batch 100 
  # 
  stack 
   # 
   stack member 1 domain 30 
   stack member 1 priority 150 
   # 
   stack member 2 domain 30 
  # 
  interface Eth-Trunk3 
   description To_CSS 
   port link-type trunk 
   undo port trunk allow-pass vlan 1 
   port trunk allow-pass vlan 100 
   dual-active detect mode relay 
  # 
  interface Stack-Port1/1 
  #  
  interface Stack-Port2/1 
  #  
  interface 10GE1/0/1 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/2 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/3 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/4 
   port mode stack 
   stack-port 1/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE1/0/5 
   eth-trunk 3 
  # 
  interface 10GE1/0/6 
   eth-trunk 3 
  # 
  interface 10GE2/0/1 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/2 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/3 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/4 
   port mode stack 
   stack-port 2/1 
   port crc-statistics trigger error-down 
   carrier down-hold-time 2000 
  # 
  interface 10GE2/0/5 
   eth-trunk 3 
  # 
  interface 10GE2/0/6 
   eth-trunk 3 
  # 
  return

• Configuration file of FW-1

  # 
  sysname FW-1 
  # 
  firewall packet-filter default permit interzone local dmz direction inbound 
  firewall packet-filter default permit interzone local dmz direction outbound 
  # 
  firewall defend port-scan enable 
  firewall defend ip-sweep enable 
  firewall defend ip-fragment enable 
  firewall defend icmp-flood enable 
  firewall defend udp-flood enable 
  firewall defend syn-flood enable 
  firewall defend ip-spoofing enable 
  firewall defend action discard 
  firewall defend icmp-flood zone untrust max-rate 20000 
  firewall defend udp-flood zone untrust max-rate 1500 
  firewall defend syn-flood zone untrust max-rate 20000 
  # 
  hrp enable 
  hrp interface Eth-Trunk1 remote 10.1.1.2 
  # 
  ips enable 
  # 
  interface Eth-Trunk1 
   ip address 10.1.1.1 255.255.255.0 
  # 
  interface Eth-Trunk4 
   ip address 10.10.2.2 255.255.255.0 
   vrrp vrid 1 virtual-ip 10.10.2.5 master 
  # 
  interface Eth-Trunk5 
   ip address 10.10.3.2 255.255.255.0 
   vrrp vrid 2 virtual-ip 10.10.3.5 master 
  # 
  interface GigabitEthernet1/0/0 
   undo shutdown 
   eth-trunk 4 
  # 
  interface GigabitEthernet1/0/1 
   undo shutdown 
   eth-trunk 4 
  # 
  interface GigabitEthernet1/1/0 
   undo shutdown 
   eth-trunk 5 
  # 
  interface GigabitEthernet1/1/1 
   undo shutdown 
   eth-trunk 5 
  # 
  interface GigabitEthernet2/0/0 
   undo shutdown 
   eth-trunk 1 
  # 
  interface GigabitEthernet2/0/1 
   undo shutdown 
   eth-trunk 1 
  # 
  profile type ips name default 
   signature-set name default 
    os both 
    target both 
    severity low medium high 
    protocol all 
    category all 
  # 
  firewall zone trust 
   set priority 85 
   add interface Eth-Trunk4 
  # 
  firewall zone untrust 
   set priority 5 
   add interface Eth-Trunk5 
  # 
  firewall zone dmz 
   set priority 50 
   add interface Eth-Trunk1 
  # 
  firewall interzone trust untrust 
   detect ftp 
  # 
  policy interzone trust untrust inbound 
   policy 1 
    action permit 
    profile ips default 
    policy service service-set ftp 
    policy service service-set http 
    policy destination 10.10.1.0 mask 24 
  # 
  policy interzone trust untrust outbound 
   policy 1 
    action permit 
    profile ips default 
    policy source 10.10.1.0 mask 24 
  # 
  ip route-static 0.0.0.0 0.0.0.0 10.10.3.1 
  ip route-static 10.10.1.0 255.255.255.0 10.10.2.1 
  # 
  return

• Configuration file of FW-2

  # 
  sysname FW-2 
  # 
  firewall packet-filter default permit interzone local dmz direction inbound 
  firewall packet-filter default permit interzone local dmz direction outbound 
  # 
  firewall defend port-scan enable 
  firewall defend ip-sweep enable 
  firewall defend ip-fragment enable 
  firewall defend icmp-flood enable 
  firewall defend udp-flood enable 
  firewall defend syn-flood enable 
  firewall defend ip-spoofing enable 
  firewall defend action discard 
  firewall defend icmp-flood zone untrust max-rate 20000 
  firewall defend udp-flood zone untrust max-rate 1500 
  firewall defend syn-flood zone untrust max-rate 20000 
  # 
  hrp enable 
  hrp interface Eth-Trunk1 remote 10.1.1.1 
  # 
  ips enable 
  # 
  interface Eth-Trunk1 
   ip address 10.1.1.2 255.255.255.0 
  # 
  interface Eth-Trunk4 
   ip address 10.10.2.3 255.255.255.0 
   vrrp vrid 1 virtual-ip 10.10.2.5 slave 
  # 
  interface Eth-Trunk5 
   ip address 10.10.3.3 255.255.255.0 
   vrrp vrid 2 virtual-ip 10.10.3.5 slave 
  # 
  interface GigabitEthernet1/0/0 
   undo shutdown 
   eth-trunk 4 
  # 
  interface GigabitEthernet1/0/1 
   undo shutdown 
   eth-trunk 4 
  # 
  interface GigabitEthernet1/1/0 
   undo shutdown 
   eth-trunk 5 
  # 
  interface GigabitEthernet1/1/1 
   undo shutdown 
   eth-trunk 5 
  # 
  interface GigabitEthernet2/0/0 
   undo shutdown 
   eth-trunk 1 
  # 
  interface GigabitEthernet2/0/1 
   undo shutdown 
   eth-trunk 1 
  # 
  profile type ips name default 
   signature-set name default 
    os both 
    target both 
    severity low medium high 
    protocol all 
    category all 
  # 
  firewall zone trust 
   set priority 85 
   add interface Eth-Trunk4 
  # 
  firewall zone untrust 
   set priority 5 
   add interface Eth-Trunk5 
  # 
  firewall zone dmz 
   set priority 50 
   add interface Eth-Trunk1 
  # 
  firewall interzone trust untrust 
   detect ftp 
  # 
  policy interzone trust untrust inbound 
   policy 1 
    action permit 
    profile ips default 
    policy service service-set ftp 
    policy service service-set http 
    policy destination 10.10.1.0 mask 24 
  # 
  policy interzone trust untrust outbound 
   policy 1 
    action permit 
    profile ips default 
    policy source 10.10.1.0 mask 24 
  # 
  ip route-static 0.0.0.0 0.0.0.0 10.10.3.1 
  ip route-static 10.10.1.0 255.255.255.0 10.10.2.1 
  # 
  return