CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Firewall HSB

Networking Requirements

To ensure enterprise intranet security, Enterprise A deploys a firewall between the intranet and extranet. All traffic must pass through the firewall device, so a failure of that single device interrupts all traffic. To improve network reliability, Enterprise A deploys two firewall devices in HSB mode so that the network keeps running if one firewall device fails, as shown in Figure 6-26.

Figure 6-26  Networking diagram for configuring firewall HSB

Configuration Roadmap

In normal cases, hosts in Enterprise A use RouterA as the default gateway to access the Internet. When RouterA becomes faulty, RouterB takes over the services from RouterA. The configuration roadmap is as follows:

  1. Assign an IP address to each interface of the devices and configure a routing protocol on each device to ensure network connectivity.
  2. Configure the firewall function on RouterA and RouterB to implement security isolation between the enterprise intranet and extranet.
  3. Configure VRRP groups on RouterA and RouterB. Configure a high priority for RouterA so that it becomes the master device and forwards traffic, and a low priority for RouterB so that it becomes the backup device.
  4. Configure the HSB function on RouterA and RouterB so that service information on RouterA is backed up to RouterB, both in batch mode and in real time, ensuring a smooth service switchover from the master device to the backup device.
  5. Enable the firewall HSB function on RouterA and RouterB so that the backup firewall device RouterB starts the firewall function when RouterA fails, ensuring non-stop network operation.

Procedure

  1. Configure devices to ensure network connectivity.

    # Assign an IP address to each interface on RouterA. The configuration on RouterB is similar to that on RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip address 10.1.1.1 24
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] ip address 192.168.2.1 24
    [RouterA-GigabitEthernet3/0/0] quit

    # Configure Layer 2 transparent transmission on the Switch.

    <Huawei> system-view
    [Huawei] sysname Switch
    [Switch] vlan 100
    [Switch-vlan100] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
    [Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 100
    [Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 100
    [Switch-GigabitEthernet0/0/2] quit
    

  2. Configure the firewall function.

    # Configure the firewall function for RouterA. The configuration on RouterB is similar to that on RouterA.

    [RouterA] firewall zone trust
    [RouterA-zone-trust] priority 15
    [RouterA-zone-trust] quit
    [RouterA] firewall zone untrust
    [RouterA-zone-untrust] priority 1
    [RouterA-zone-untrust] quit
    [RouterA] firewall interzone trust untrust
    [RouterA-interzone-trust-untrust] firewall enable
    [RouterA-interzone-trust-untrust] quit
    

    # Add the interfaces on RouterA to their security zones. The configuration on RouterB is similar to that on RouterA.

    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] zone untrust
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] zone trust
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] zone untrust
    [RouterA-GigabitEthernet3/0/0] quit
    

  3. Configure VRRP groups.

    # Create VRRP group 1 on RouterA and set the VRRP priority to 120.

    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
    [RouterA-GigabitEthernet2/0/0] vrrp vrid 1 priority 120
    [RouterA-GigabitEthernet2/0/0] quit

    # Create VRRP group 1 on RouterB. RouterB keeps the default VRRP priority of 100, which is lower than the priority of RouterA, so no priority command is needed.

    [RouterB] interface gigabitethernet 2/0/0
    [RouterB-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
    [RouterB-GigabitEthernet2/0/0] quit

  4. Configure the HSB function and enable HSB for the firewall devices.

    # Create HSB service 0 on RouterA and configure the IP addresses and port numbers for the local and peer devices.

    [RouterA] hsb-service 0
    [RouterA-hsb-service-0] service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
    [RouterA-hsb-service-0] quit

    # Create HSB service 0 on RouterB and configure the IP addresses and port numbers for the local and peer devices.

    [RouterB] hsb-service 0
    [RouterB-hsb-service-0] service-ip-port local-ip 192.168.1.2 peer-ip 192.168.1.1 local-data-port 10241 peer-data-port 10241
    [RouterB-hsb-service-0] quit

    # Create HSB group 0 on RouterA, and bind HSB group 0 to VRRP group 1. The configuration on RouterB is similar to that on RouterA.

    [RouterA] hsb-group 0
    [RouterA-hsb-group-0] bind-service 0
    [RouterA-hsb-group-0] track vrrp vrid 1 interface gigabitethernet 2/0/0
    [RouterA-hsb-group-0] quit

    # Enable firewall HSB on RouterA by binding the firewall service type to HSB group 0. The configuration on RouterB is similar to that on RouterA.

    [RouterA] hsb-service-type firewall hsb-group 0

    # Enable HSB group 0 on RouterA to make it take effect. The configuration on RouterB is similar to that on RouterA.

    [RouterA] hsb-group 0
    [RouterA-hsb-group-0] hsb enable
    [RouterA-hsb-group-0] quit

  5. Verify the configuration.

    # Run the display hsb-group group-index command on RouterA and RouterB to check the HSB group running status. The command output on RouterA and RouterB is as follows:

    <RouterA> display hsb-group 0
    Hot Standby Group Configuration:
    ----------------------------------------------------------
      HSB-group ID                : 0
      Vrrp Group ID               : 1
      Vrrp Interface              : GigabitEthernet2/0/0
      Service Index               : 0
      Group Vrrp Status           : Master
      Group Status                : Active
      Group Backup Process        : Realtime
      Peer Group Device Name      : Router
      Peer Group Software Version : V200R010
      Group Backup Modules        : Firewall

    <RouterB> display hsb-group 0
    Hot Standby Group Configuration:
    ----------------------------------------------------------
      HSB-group ID                : 0
      Vrrp Group ID               : 1
      Vrrp Interface              : GigabitEthernet2/0/0
      Service Index               : 0
      Group Vrrp Status           : Backup
      Group Status                : Inactive
      Group Backup Process        : Realtime
      Peer Group Device Name      : Router
      Peer Group Software Version : V200R010
      Group Backup Modules        : Firewall

    # Run the shutdown command on interface GE2/0/0 of RouterA to simulate a fault on RouterA.

    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] shutdown
    [RouterA-GigabitEthernet2/0/0] quit

    # Run the display hsb-group group-index command on RouterB to check the HSB group status. The command output shows that RouterB has become the VRRP master (Group Vrrp Status is Master) and that its HSB group status has changed to Independent.

    <RouterB> display hsb-group 0
    Hot Standby Group Configuration:
    ----------------------------------------------------------
      Hsb-group ID                : 0
      Vrrp Group ID               : 1
      Vrrp Interface              : GigabitEthernet2/0/0
      Service Index               : 0
      Group Vrrp Status           : Master
      Group Status                : Independent
      Group Backup Process        : Realtime
      Peer Group Device Name      : Router
      Peer Group Software Version : V200R010
      Group Backup Modules        : Firewall


Configuration Files

  • RouterA configuration file

    #
    sysname RouterA
    #
    hsb-service-type firewall hsb-group 0
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.1 255.255.255.0
     zone untrust
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.1 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.111
     vrrp vrid 1 priority 120
     zone trust
    #
    interface GigabitEthernet3/0/0
     ip address 192.168.2.1 255.255.255.0
     zone untrust
    #
    hsb-service 0
     service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
    #
    firewall zone trust
     priority 15
    #
    firewall zone untrust
     priority 1
    #
    firewall interzone trust untrust
     firewall enable
    #
    hsb-group 0
     track vrrp vrid 1 interface GigabitEthernet2/0/0
     bind-service 0
     hsb enable
    #
    return
  • RouterB configuration file

    #
    sysname RouterB
    #
    hsb-service-type firewall hsb-group 0
    #
    interface GigabitEthernet1/0/0
     ip address 192.168.1.2 255.255.255.0
     zone untrust
    #
    interface GigabitEthernet2/0/0
     ip address 10.1.1.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.111
     zone trust
    #
    interface GigabitEthernet3/0/0
     ip address 192.168.2.2 255.255.255.0
     zone untrust
    #
    firewall zone trust
     priority 15
    #
    firewall zone untrust
     priority 1
    #
    firewall interzone trust untrust
     firewall enable
    #
    hsb-service 0
     service-ip-port local-ip 192.168.1.2 peer-ip 192.168.1.1 local-data-port 10241 peer-data-port 10241
    #
    hsb-group 0
     track vrrp vrid 1 interface GigabitEthernet2/0/0
     bind-service 0
     hsb enable
    #
    return
  • Configuration file of Switch

    #
    sysname Switch
    #
    vlan batch 100
    #
    interface GigabitEthernet0/0/1
     port hybrid pvid vlan 100
     port hybrid untagged vlan 100
    #
    interface GigabitEthernet0/0/2
     port hybrid pvid vlan 100
     port hybrid untagged vlan 100
    #
    return
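The following Python checker is an added example and is not part of the Huawei document or the VRP software. It reads the RouterA and RouterB configuration files above (constructed here, trimmed to the lines the checker inspects) and flags the pairing mistakes this setup is most prone to: local/peer addresses or ports that are not mirrored, a firewall service type bound to an hsb-group other than the one defined, a missing hsb enable, or identical VRRP priorities on both devices.

```python
import re

# Constructed from the RouterA/RouterB configuration files above, trimmed to the
# HSB-relevant lines (interface addresses, zones and the switch are left out).
ROUTER_A = """\
sysname RouterA
hsb-service-type firewall hsb-group 0
interface GigabitEthernet2/0/0
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
hsb-service 0
 service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
hsb-group 0
 hsb enable
"""
# RouterB mirrors RouterA except for swapped local/peer IPs and the default VRRP priority.
ROUTER_B = ROUTER_A.replace("RouterA", "RouterB").replace(" vrrp vrid 1 priority 120\n", "").replace(
    "local-ip 192.168.1.1 peer-ip 192.168.1.2", "local-ip 192.168.1.2 peer-ip 192.168.1.1")

def field(cfg, pattern, default=None):
    """First capture group of pattern in cfg (multi-line search), or default."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else default

def parse_hsb(cfg):
    """Extract the settings the HSB pairing depends on from one VRP config file."""
    return {
        "name": field(cfg, r"^sysname (\S+)"),
        "local_ip": field(cfg, r"local-ip (\S+)"),
        "peer_ip": field(cfg, r"peer-ip (\S+)"),
        "local_port": field(cfg, r"local-data-port (\d+)"),
        "peer_port": field(cfg, r"peer-data-port (\d+)"),
        "fw_group": field(cfg, r"^hsb-service-type firewall hsb-group (\d+)"),
        "group": field(cfg, r"^hsb-group (\d+)"),
        "enabled": field(cfg, r"^ (hsb enable)$") is not None,
        "priority": field(cfg, r"^ vrrp vrid \d+ priority (\d+)", "100"),  # VRRP default is 100
    }

def check_pair(cfg_a, cfg_b):
    """List HSB misconfigurations across the two peers; an empty list means consistent."""
    a, b = parse_hsb(cfg_a), parse_hsb(cfg_b)
    problems = []
    if (a["local_ip"], a["local_port"], b["local_ip"], b["local_port"]) != \
       (b["peer_ip"], b["peer_port"], a["peer_ip"], a["peer_port"]):
        problems.append("service-ip-port addresses/ports are not mirrored between the peers")
    if a["priority"] == b["priority"]:
        problems.append("identical VRRP priorities: the master is chosen by interface IP address, not by design")
    for d in (a, b):
        if d["fw_group"] is None or d["fw_group"] != d["group"]:
            problems.append(f"{d['name']}: firewall service type is not bound to the defined hsb-group")
        if not d["enabled"]:
            problems.append(f"{d['name']}: 'hsb enable' missing, the group never becomes active")
    return problems
```

Run check_pair on the two configuration files before enabling the HSB group; any entry it returns corresponds to a setting that would leave the backup firewall without session state or with an ambiguous master election.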
Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 128419

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next