No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Typical Networking

Typical Networking

Networking Diagram

Figure 7-2 shows the typical networking of the FW at the Gi/SGi egress of a mobile core network. The service interface works at Layer 3, and the FW is connected to the backbone and GGSN/P-GW through routers.

Figure 7-2  Typical networking of the FW in a mobile core network

The following functions are deployed on the FW in the networking:

  1. HRP is configured on the FWs so that the FWs work in active/standby mode, improving network reliability and preventing single points of failure. A heartbeat link is connected between the two FWs for active/standby negotiation and status backup.

    If a great deal of data needs to be backed up, multiple heartbeat links are recommended. When a 10GE link serves as an HRP backup channel, it can support 50,000/s new session rate or 5 million concurrent sessions or carry 5G service traffic. The number of required interfaces is assessed based on the actual traffic volume. The N+1 backup mode is recommended for the interfaces. For example, if there are 10 million concurrent sessions, at least two 10GE links are required as HRP backup channels. During design, three 10GE interfaces are bundled for backup.

  2. OSPF is deployed between the FWs and their upstream and downstream devices. The FWs run in OSPF1 process with their upstream backbone network and in OSPF2 process with their downstream GGSN network.

    The hrp adjust ospf-cost enable command is run to enable the function of adjusting the OSPF cost based on the active/standby status for HRP-OSPF association. In normal cases, the cost of OSPF routes advertised by the standby firewall increases by 65,500 so that the traffic is routed to the active firewall in priority. When an interface of the FW or the FW itself fails, an active/standby switchover takes place, and the cost of OSPF routes is adjusted. The cost of the OSPF route over the primary link increases by 65,500, and the cost of the OSPF route over the backup link decreases, so that traffic is routed to the original standby firewall in priority, ensuring service continuity.

  3. The upstream and downstream interfaces of the FW are bound to the same link group, and the HRP track function is configured to monitor the upstream and downstream interfaces.

  4. Unforced delivery of default routes is configured in OSPF2 process to divert traffic to the backbone network from the firewall.

  5. The HRP track BFD function is configured to detect remote link faults, such as faults in the link between RouterC and the backbone network.

    The bfd cfg-name bind peer-ip peer-ip [ interface interface-type interface-number ] command is used to bind a BFD session with a peer IP address, and the link to be detected needs to be specified. The process-interface-status command is used to associate the BFD session with the bound interface.

    If the peer device does not support BFD, IP-link can be used to carry out an active/standby switchover in case of a fault.

  6. The link-group link-group-id binding spu-cpu-limit [ limit-number ] command is used to bind a link group to an SPU CPU. If the SPU CPU fails, the device will check the number of existing SPU CPUs. If the number of existing SPU CPUs is smaller than the limit-number value, the device will change the status of all valid interfaces in the link group to Down.

Availability Analysis

Figure 7-3 shows the switchover upon failure of the active firewall FW_A. The specific process is as follows:

  • Switchover upon failure:

    FW_A fails, and FW_B becomes active. The OSPF neighbor relationships between the routers RouterA and Router C and FW_A no longer exist, and the route is switched to FW_B.

  • Recovery from failure:

    After FW_A recovers from the failure, the OSPF neighbor relationships between the routers RouterA and Router C and FW_A are restored, and FW_A becomes active. The route is switched back to FW_A, and traffic is routed to FW_A again.

Figure 7-3  Firewall failure

Figure 7-4 shows the switchover upon failure of the link connecting the active firewall FW_A fails (the link to the backbone or GGSN/P-GW). The specific process is as follows:

  • Switchover upon failure:

    When the active link fails, FW_A becomes standby, and its neighbor relationship with RouterA (RouterC) is torn down. FW_B becomes active, and the cost of the OSPF routes is adjusted. The route on the right side is selected in priority, and traffic is switched over to the corresponding link.

  • Recovery from failure:

    After the links recovers from the failure, FW_A becomes active, and its neighbor relationship with RouterA (RouterC) is restored. The route is switched back to FW_A, and the traffic is switched back to the original link.

Figure 7-4  Link failure

Translation
Download
Updated: 2019-01-26

Document ID: EDOC1100062972

Views: 18905

Downloads: 780

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next