Application of Firewalls in the Security Solution for Cloud Computing Networks
Introduction
A firewall is attached to a core switch of the cloud computing network in off-path mode. Virtual machine services on the network are isolated using virtual systems. Two firewalls are deployed in hot standby mode to improve service availability.
This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, USG6000E V600R006C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.
Solution Overview
Introduction to Cloud Computing Networks
The rapid development of cloud computing makes it easy for enterprises to access a cloud computing network to obtain server, storage, and application resources. This reduces the CapEx on the IT infrastructure and speeds up the development of information services.
As shown in Figure 1-1, an "industrial cloud" provides enterprise users with cloud computing services. Services on the network are as follows:
- Enterprise users access virtual machines to obtain custom resources.
- Enterprise users access the Portal system to apply for accounts and manage virtual machine spaces.
- The management component in the cloud computing network manages the virtual machines, Portal system, and network devices.
Application of Firewalls in the Security Solution for Cloud Computing Networks
As shown in Figure 1-2, a firewall is attached to a core switch of the cloud computing network. The addresses of the Portal system and virtual machines are advertised for access of enterprise users. Virtual machine services accessed by enterprise users are isolated.
The following firewall functions are used on the cloud computing network:
- Hot standby
Two firewalls are deployed in hot standby mode to improve service availability.
- NAT Server
The public addresses of the Portal system and virtual machines are advertised through the NAT server for access of enterprise users on the Internet.
- Virtual system
A virtual system is created on the firewall for each virtual machine to isolate the virtual machine services accessed by enterprise users. Security policies are also configured in each virtual system for access control.
Solution 1: Firewall Serving as Gateway
Typical Networking
On the cloud computing network, the core switches are the CE12800, the access switches are the CE6800, and the firewalls are the USG9500. The present case focuses on the configuration on the firewalls. Figure 1-3 shows the overall networking.
The cloud computing network requires that:
- Access of different extranet enterprise users to the virtual machines must be isolated, and the bandwidth available to each virtual machine service must be limited to a specific range so that no single service consumes a large share of resources.
- Private addresses are configured for the Portal system and virtual machines for intranet use, and their public addresses are advertised to the extranet to allow external enterprise users to access the Portal system and virtual machines.
- Access behavior of extranet enterprise users to the Portal system and virtual machines is controlled to permit only service access traffic.
- Device availability is improved to avoid service interruption caused by the failure of only one device.
The firewalls are attached to the CE12800 core switches in off-path mode. The above requirements are satisfied by the following features:
- Virtual system: Virtual systems are used to isolate virtual machine services accessed by external enterprise users. Each virtual machine belongs to one virtual system, and each virtual system has its maximum bandwidth.
- Subinterface: The firewall is connected to the CE12800 through subinterfaces. The subinterfaces are assigned to the virtual systems and the root system. The subinterfaces in the virtual systems carry virtual machine services, and the subinterface in the root system carries portal services.
- NAT server: The NAT servers advertise the public addresses of the Portal system and virtual machines to the extranet. A NAT server dedicated to a virtual machine is configured in each virtual system, and NAT servers dedicated to the Portal system are configured in the root system.
- Security policy: Security policies are applied to control access to the Portal system and virtual machines. Security policies used to control access to services of a virtual machine are configured in each virtual system, and security policies used to control access to services of the Portal system are configured in the root system.
- Hot standby: Two firewalls are deployed in hot standby mode to improve availability. When the active firewall fails, the standby firewall takes over without services interrupted.
Service Planning
As shown in Figure 1-4, the FW is attached to the CE12800 and works at Layer 3. Logically, the CE12800 has upstream interfaces and downstream interfaces. The upstream interfaces provide Layer-3 forwarding, and the downstream interfaces provide Layer-2 forwarding. OSPF runs between the FW and the upstream interfaces of the CE12800, and VRRP runs between the FW and the downstream interfaces of the CE12800. The virtual IP addresses of the VRRP groups on the FW serve as gateway addresses for the Portal system and virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the upstream interfaces of the CE12800 to the FW. After the FW has processed it, the traffic is forwarded by the downstream interfaces of the CE12800 to the Portal system or virtual machines. Return traffic is first forwarded by the downstream interfaces of the CE12800 to the FW and then, after processing by the FW, forwarded by the upstream interfaces of the CE12800.
The following describes the service planning in detail.
Interfaces and Security Zones
This section describes the connection between FW_A and CE12800_A.
As shown in Figure 1-5, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:
- Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each subinterface has an IP address. One subinterface belongs to the root system and is assigned to the Untrust zone of the root system; each of the other subinterfaces belongs to a different virtual system and is assigned to the Untrust zone of that virtual system.
- 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
As shown in Figure 1-6, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:
- Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
- 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of multiple VLANs.
- The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the Portal system and terminate VLAN services. CE12800_A transparently transmits L2 packets.
As shown in Figure 1-7, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:
- Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address. Each subinterface belongs to a different virtual system and is assigned to the Trust zone of the virtual system.
- 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs.
- The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the virtual machines and terminate VLAN services. CE12800_A transparently transmits L2 packets.
The connection between FW_B and CE12800_B is the same.
One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.
Table 1-1 describes the planning of interfaces and security zones on the FWs.
| FW_A | FW_B | Description |
|---|---|---|
| GE1/0/1; IP address: none; virtual system: public; security zone: Untrust | GE1/0/1; IP address: none; virtual system: public; security zone: Untrust | Connected to 10GE1/1/0/1 of the CE12800. |
| GE1/0/1.10; IP address: 172.16.10.252/24; virtual system: vfw1; security zone: Untrust | GE1/0/1.10; IP address: 172.16.10.253/24; virtual system: vfw1; security zone: Untrust | Subinterface of vfw1. |
| GE1/0/1.11; IP address: 172.16.11.252/24; virtual system: vfw2; security zone: Untrust | GE1/0/1.11; IP address: 172.16.11.253/24; virtual system: vfw2; security zone: Untrust | Subinterface of vfw2. |
| GE1/0/1.1000; IP address: 172.16.9.252/24; virtual system: public; security zone: Untrust | GE1/0/1.1000; IP address: 172.16.9.253/24; virtual system: public; security zone: Untrust | Subinterface of the root system. |
| GE1/0/2; IP address: none; virtual system: public; security zone: DMZ | GE1/0/2; IP address: none; virtual system: public; security zone: DMZ | Connected to 10GE1/1/0/2 of the CE12800. |
| GE1/0/2.1; IP address: 10.159.1.252/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: active | GE1/0/2.1; IP address: 10.159.1.253/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: standby | Subinterface of the root system. 10.159.1.254 serves as a gateway for the Portal system. |
| GE1/0/2.2; IP address: 10.159.2.252/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: active | GE1/0/2.2; IP address: 10.159.2.253/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: standby | Subinterface of the root system. 10.159.2.254 serves as a gateway for the Portal system. |
| GE1/0/3; IP address: none; virtual system: public; security zone: Trust | GE1/0/3; IP address: none; virtual system: public; security zone: Trust | Connected to 10GE1/1/0/3 of the CE12800. |
| GE1/0/3.10; IP address: 10.159.10.252/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: active | GE1/0/3.10; IP address: 10.159.10.253/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: standby | Subinterface of vfw1. 10.159.10.254 serves as the gateway for the virtual machine. |
| GE1/0/3.11; IP address: 10.159.11.252/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: active | GE1/0/3.11; IP address: 10.159.11.253/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: standby | Subinterface of vfw2. 10.159.11.254 serves as the gateway for the virtual machine. |
| Eth-Trunk1 (member interfaces: GE1/0/8 and GE2/0/8); IP address: 10.1.1.1/30; virtual system: public; security zone: hrpzone | Eth-Trunk1 (member interfaces: GE1/0/8 and GE2/0/8); IP address: 10.1.1.2/30; virtual system: public; security zone: hrpzone | HRP backup (heartbeat) interface. |
Virtual Systems
Virtual systems carry virtual machine services. Each virtual system corresponds to one virtual machine. The planning of interfaces for the virtual systems has been described in the above interfaces and security zones. In addition, to limit the bandwidth available for each virtual system, it is also necessary to configure resource classes for the virtual systems.
Table 1-2 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Resource classes | Name: vfw1_car; maximum bandwidth: 100 Mbit/s | Name: vfw1_car; maximum bandwidth: 100 Mbit/s | The maximum bandwidth for the virtual system vfw1 is 100 Mbit/s. |
| Resource classes | Name: vfw2_car; maximum bandwidth: 100 Mbit/s | Name: vfw2_car; maximum bandwidth: 100 Mbit/s | The maximum bandwidth for the virtual system vfw2 is 100 Mbit/s. |
| Virtual systems | Name: vfw1; resource class: vfw1_car | Name: vfw1; resource class: vfw1_car | - |
| Virtual systems | Name: vfw2; resource class: vfw2_car | Name: vfw2; resource class: vfw2_car | - |
Routes
Both the root system and the virtual systems have routes: a default route, black-hole routes, and OSPF routes. OSPF runs on the upstream subinterfaces connecting the FW to the CE12800, as shown in Figure 1-8.
Specifically:
- A default route is configured for the root system with the next hop being the related VLANIF IP address of CE12800_A. A default route is configured for each virtual system with the next hop being the related VLANIF IP address of CE12800_A.
- Black-hole routes with destination addresses being the public addresses of the Portal system are configured in the root system. These black-hole routes are advertised to CE12800_A by the root system through OSPF. A black-hole route with the destination address being the public address of the virtual machine is configured for each virtual system. This black-hole route is advertised to CE12800_A by the virtual system through OSPF.
- OSPF runs on both the root system and virtual systems. The VPN instance corresponding to a virtual system is bound in the root system to run OSPF in the virtual system.
OSPF also runs on CE12800_A to advertise the network segment of each VLANIF interface.
Table 1-3 describes the planning of routes on the FWs.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Routes in the root system | Default route; next hop: 172.16.9.251 | Default route; next hop: 172.16.9.251 | Default route of the root system; the next hop is the CE12800. |
| Routes in the root system | Black-hole routes; destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes; destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes to the public (global) addresses of the Portal system, to prevent routing loops. |
| Routes in the root system | OSPF; advertised network segment: 172.16.9.0/24; static routes are imported into OSPF | OSPF; advertised network segment: 172.16.9.0/24; static routes are imported into OSPF | The public addresses of the Portal system are imported into OSPF and advertised to the CE12800. |
| Routes in the virtual system vfw1 | Default route; next hop: 172.16.10.251 | Default route; next hop: 172.16.10.251 | Default route of vfw1; the next hop is the CE12800. |
| Routes in the virtual system vfw1 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole route; destination address: 118.1.1.1/32 | Black-hole route to the public (global) address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw1 | OSPF; bound VPN instance: vfw1; advertised network segment: 172.16.10.0/24; static routes are imported into OSPF | OSPF; bound VPN instance: vfw1; advertised network segment: 172.16.10.0/24; static routes are imported into OSPF | The public address of the virtual machine is imported into OSPF and advertised to the CE12800. |
| Routes in the virtual system vfw2 | Default route; next hop: 172.16.11.251 | Default route; next hop: 172.16.11.251 | Default route of vfw2; the next hop is the CE12800. |
| Routes in the virtual system vfw2 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole route; destination address: 118.1.1.2/32 | Black-hole route to the public (global) address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw2 | OSPF; bound VPN instance: vfw2; advertised network segment: 172.16.11.0/24; static routes are imported into OSPF | OSPF; bound VPN instance: vfw2; advertised network segment: 172.16.11.0/24; static routes are imported into OSPF | The public address of the virtual machine is imported into OSPF and advertised to the CE12800. |
Hot Standby
The hot standby networking is typical, where firewalls are connected to upstream Layer-3 devices and connected to downstream Layer-2 devices. Figure 1-9 shows the logical networking where extranet enterprise users access services of the virtual machines.
Figure 1-10 shows the logical networking where extranet enterprise users access services of the Portal system.
After hot standby is configured, FW_A serves as the active firewall, and FW_B serves as the standby firewall. As shown in Figure 1-11, when the network is normal, FW_A advertises routes normally, and the cost of routes advertised by FW_B increases by 65,500 (default value, configurable). When the CE12800 (the upstream Layer-3 device) forwards the traffic of extranet enterprise users to the Portal system or a virtual machine, it selects the path with the smaller cost. Therefore, the traffic is forwarded by FW_A.
For the return traffic, when the Portal system or virtual machine requests the MAC address of the gateway, only the active firewall FW_A responds and sends the virtual MAC address to the Portal system or virtual machine. The CE6800 records the mapping between the virtual MAC address and port and forwards the return traffic to FW_A.
When FW_A or the link of FW_A fails, an active/standby switchover takes place. Then, FW_B advertises routes normally, and the cost of routes advertised by FW_A increases by 65,500. After the routes converge again, all traffic is forwarded by FW_B, as shown in Figure 1-12.
For the return traffic, after the active/standby switchover, FW_B sends a gratuitous ARP packet to make the CE6800 update the mapping between the virtual MAC address and port. Then, the return traffic is forwarded by the CE6800 to FW_B.
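The following is an added example, not configuration from the original document, showing how the behaviour just described is configured on FW_A and FW_B with the interfaces, VRRP groups and heartbeat addresses from Table 1-1. It uses USG6000/USG9500 V500 hot standby (HRP) syntax. Two assumptions are made: `hrp adjust ospf-cost enable` is the setting behind the 65,500 cost increase and is shown explicitly although it is the default on these versions, and the upstream physical interface GE1/0/1 is tracked so that a failed link to the CE12800 also triggers a switchover. VLAN termination on each subinterface (`vlan-type dot1q <VLAN ID>`) is not shown on this page and is not shown here either; check that every subinterface terminates the VLAN the CE12800 trunk carries before relying on the VRRP groups.

```text
# FW_A: VRRP groups in the root system (DMZ side, gateways of the Portal system), active role
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A-GigabitEthernet1/0/2.2] quit
# FW_A: VRRP groups in the virtual systems (Trust side, gateways of the virtual machines)
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit
[FW_A] switch vsys vfw2
<FW_A-vfw2> system-view
[FW_A-vfw2] interface GigabitEthernet 1/0/3.11
[FW_A-vfw2-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active
[FW_A-vfw2-GigabitEthernet1/0/3.11] quit
[FW_A-vfw2] quit
<FW_A-vfw2> quit
# FW_A: track the upstream link (assumption: a GE1/0/1 failure must trigger a switchover),
# keep OSPF cost adjustment on (the standby adds 65,500 to the cost of routes it advertises),
# then enable HRP over the Eth-Trunk 1 heartbeat link toward FW_B (10.1.1.2).
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp adjust ospf-cost enable
[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW_A] hrp enable
# FW_B: the same VRRP groups with the standby role
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby
[FW_B-vfw1-GigabitEthernet1/0/3.10] quit
[FW_B-vfw1] quit
<FW_B-vfw1> quit
[FW_B] switch vsys vfw2
<FW_B-vfw2> system-view
[FW_B-vfw2] interface GigabitEthernet 1/0/3.11
[FW_B-vfw2-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby
[FW_B-vfw2-GigabitEthernet1/0/3.11] quit
[FW_B-vfw2] quit
<FW_B-vfw2> quit
# FW_B: HRP pointing at FW_A's heartbeat address (10.1.1.1)
[FW_B] hrp track interface GigabitEthernet 1/0/1
[FW_B] hrp adjust ospf-cost enable
[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW_B] hrp enable
# Check: after HRP comes up the prompts carry the role (HRP_M on the active, HRP_S on the standby);
# display hrp state shows the role and whether the heartbeat and configuration are in sync.
HRP_M[FW_A] display hrp state
HRP_S[FW_B] display hrp state
```

The VRRP roles on the two firewalls must be mirror images (every group active on FW_A and standby on FW_B); a group that is active on both, or standby on both, leaves either two gateways answering ARP or none. Once `hrp enable` is in place on both devices, security policies and NAT configuration entered on the active firewall are synchronized to the standby, so the remaining steps need to be typed only once.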
Security Policies
There are security policies in the root system and security policies in the virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system and permit OSPF packets exchanged between the root system and the CE12800. Security policies in a virtual system permit packets from extranet enterprise users to the virtual machine and permit OSPF packets exchanged between the virtual system and the CE12800. The policies planned in Table 1-4 restrict only the source and destination zones and the destination subnet and leave the service unrestricted; to meet the requirement that only service access traffic is permitted, narrow the destination to the server addresses and the service to the protocols the Portal system and virtual machines actually expose. Note that NAT server translation is applied before security policy matching, so the policy destination is the private (inside) address, not the public address.
In addition, antivirus and IPS profiles can be included in the security policies to defend against viruses, worms, Trojan horses, and botnet (zombie) traffic. Normally, the default antivirus and IPS profiles can be used.
Table 1-4 describes the planning of security policies on the FWs.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Security policies in the root system | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the Portal system. |
| Security policies in the root system | Name: sec_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Name: sec_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |
| Security policies in the virtual system vfw1 | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the virtual machine. |
| Security policies in the virtual system vfw1 | Name: sec_vm1_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Name: sec_vm1_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |
| Security policies in the virtual system vfw2 | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default | Permit packets from extranet enterprise users to the virtual machine. |
| Security policies in the virtual system vfw2 | Name: sec_vm2_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Name: sec_vm2_ospf; source security zones: Untrust and Local; destination security zones: Local and Untrust; service: ospf; action: permit | Permit OSPF packets exchanged between the FW and the CE12800. |
NAT Servers
There are NAT servers in the root system and NAT servers in the virtual systems. The NAT servers in the root system map the private addresses of the Portal system to public addresses for access by extranet enterprise users. The NAT server in each virtual system maps the private address of that virtual machine to a public address for access by extranet enterprise users.
In order that extranet enterprise users can access the Portal system and virtual machines, it is necessary to apply for public addresses for every Portal system and virtual machine. It is assumed that the public addresses for the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are 118.1.1.1 and 118.1.1.2. Table 1-5 describes the planning of NAT servers on the FWs.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| NAT servers in the root system | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.159.1.100 | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.159.1.100 | NAT server of the Portal system. |
| NAT servers in the root system | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.159.2.100 | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.159.2.100 | NAT server of the Portal system. |
| NAT server in the virtual system vfw1 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.159.10.100 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.159.10.100 | NAT server of the virtual machine. |
| NAT server in the virtual system vfw2 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.159.11.100 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.159.11.100 | NAT server of the virtual machine. |
Precautions
Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual systems, you must apply for a license.
OSPF
You cannot configure OSPF directly in a virtual system. You must bind the VPN instance corresponding to the virtual system when creating the OSPF process in the root system.
Black-hole Route
Configure black-hole routes to the public addresses of the Portal system in the root system and black-hole routes to the public addresses of virtual machines in the virtual systems to prevent routing loops. These black-hole routes can be advertised through OSPF.
Policy Backup-based Acceleration Function
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
Configuration Procedure
Prerequisites
The license file of virtual systems has been obtained and activated successfully on FW_A and FW_B.
Procedure
- Configure interfaces and security zones.
# Create subinterfaces on FW_A.
```
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] quit
```
# Create subinterfaces on FW_B.
```
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] quit
```
# Configure an Eth-trunk interface on FW_A.
```
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] ip address 10.1.1.1 30
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] eth-trunk 1
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] eth-trunk 1
[FW_A-GigabitEthernet2/0/8] quit
```
# Configure an Eth-trunk interface on FW_B.
```
[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] ip address 10.1.1.2 30
[FW_B-Eth-Trunk1] quit
[FW_B] interface GigabitEthernet 1/0/8
[FW_B-GigabitEthernet1/0/8] eth-trunk 1
[FW_B-GigabitEthernet1/0/8] quit
[FW_B] interface GigabitEthernet 2/0/8
[FW_B-GigabitEthernet2/0/8] eth-trunk 1
[FW_B-GigabitEthernet2/0/8] quit
```
# Configure IP addresses for root system interfaces on FW_A, and assign the interfaces to the security zones of the root system.
```
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit
```
# Configure IP addresses for root system interfaces on FW_B, and assign the interfaces to the security zones of the root system.
```
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_B-zone-dmz] quit
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 1
[FW_B-zone-hrpzone] quit
```
- Configure virtual systems.
# Enable the virtual system function on FW_A.
[FW_A] vsys enable
# Enable the virtual system function on FW_B.
[FW_B] vsys enable
# Configure resource classes on FW_A.
```
[FW_A] resource-class vfw1_car
[FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw1_car] quit
[FW_A] resource-class vfw2_car
[FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw2_car] quit
```
# Configure resource classes on FW_B.
```
[FW_B] resource-class vfw1_car
[FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw1_car] quit
[FW_B] resource-class vfw2_car
[FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw2_car] quit
```
# Create virtual systems on FW_A, and allocate resources to the virtual systems.
```
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit
```
# Create virtual systems on FW_B, and allocate resources to the virtual systems.
```
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit
```
# Configure IP addresses for interfaces in virtual system vfw1 on FW_A, and assign the interfaces to security zones.
```
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/1.10] quit
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] firewall zone untrust
[FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-zone-untrust] quit
[FW_A-vfw1] firewall zone trust
[FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-zone-trust] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit
```
Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A, and assign the interfaces to security zones.
# Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and assign the interfaces to security zones.
```
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/1.10] quit
[FW_B-vfw1] interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/3.10] quit
[FW_B-vfw1] firewall zone untrust
[FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-zone-untrust] quit
[FW_B-vfw1] firewall zone trust
[FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-zone-trust] quit
[FW_B-vfw1] quit
<FW_B-vfw1> quit
```
Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B, and assign the interfaces to security zones.
- Configure routes.
# Configure routes of the root system on FW_A.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_A] ip route-static 117.1.1.1 32 NULL 0
[FW_A] ip route-static 117.1.1.2 32 NULL 0
[FW_A] ospf 1000
[FW_A-ospf-1000] import-route static
[FW_A-ospf-1000] area 0
[FW_A-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW_A-ospf-1000-area-0.0.0.0] quit
[FW_A-ospf-1000] quit
```
# Configure routes of the root system on FW_B.
```
[FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_B] ip route-static 117.1.1.1 32 NULL 0
[FW_B] ip route-static 117.1.1.2 32 NULL 0
[FW_B] ospf 1000
[FW_B-ospf-1000] import-route static
[FW_B-ospf-1000] area 0
[FW_B-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255
[FW_B-ospf-1000-area-0.0.0.0] quit
[FW_B-ospf-1000] quit
```
# Configure routes of the virtual systems on FW_A.
[FW_A] ip vpn-instance vfw1
[FW_A-vpn-instance-vfw1] route-distinguisher 10:1
[FW_A-vpn-instance-vfw1] quit
[FW_A] ip vpn-instance vfw2
[FW_A-vpn-instance-vfw2] route-distinguisher 11:1
[FW_A-vpn-instance-vfw2] quit
[FW_A] ospf 1 vpn-instance vfw1
[FW_A-ospf-1] import-route static
[FW_A-ospf-1] area 0
[FW_A-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit
[FW_A] ospf 2 vpn-instance vfw2
[FW_A-ospf-2] import-route static
[FW_A-ospf-2] area 0
[FW_A-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
[FW_A-ospf-2-area-0.0.0.0] quit
[FW_A-ospf-2] quit
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_A-vfw1] quit
<FW_A-vfw1> quit
[FW_A] switch vsys vfw2
<FW_A-vfw2> system-view
[FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_A-vfw2] quit
<FW_A-vfw2> quit
# Configure routes of the virtual systems on FW_B.
[FW_B] ip vpn-instance vfw1
[FW_B-vpn-instance-vfw1] route-distinguisher 10:1
[FW_B-vpn-instance-vfw1] quit
[FW_B] ip vpn-instance vfw2
[FW_B-vpn-instance-vfw2] route-distinguisher 11:1
[FW_B-vpn-instance-vfw2] quit
[FW_B] ospf 1 vpn-instance vfw1
[FW_B-ospf-1] import-route static
[FW_B-ospf-1] area 0
[FW_B-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit
[FW_B] ospf 2 vpn-instance vfw2
[FW_B-ospf-2] import-route static
[FW_B-ospf-2] area 0
[FW_B-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255
[FW_B-ospf-2-area-0.0.0.0] quit
[FW_B-ospf-2] quit
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_B-vfw1] quit
<FW_B-vfw1> quit
[FW_B] switch vsys vfw2
<FW_B-vfw2> system-view
[FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_B-vfw2] quit
<FW_B-vfw2> quit
- Configure hot standby.
# Configure a VGMP group to track GE1/0/1 on FW_A.
[FW_A] hrp track interface GigabitEthernet 1/0/1
# Configure OSPF cost adjustment according to the VGMP status on FW_A.
[FW_A] hrp adjust ospf-cost enable
# Configure VRRP groups on FW_A, setting their states to Active.
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active
[FW_A-GigabitEthernet1/0/3.11] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A-GigabitEthernet1/0/2.2] quit
# Specify the heartbeat interface on FW_A and enable hot standby.
[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW_A] hrp enable
# Configure a VGMP group to track GE1/0/1 on FW_B.
[FW_B] hrp track interface GigabitEthernet 1/0/1
# Configure OSPF cost adjustment according to the VGMP status on FW_B.
[FW_B] hrp adjust ospf-cost enable
# Configure VRRP groups on FW_B, setting their states to Standby.
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby
[FW_B-GigabitEthernet1/0/3.11] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B-GigabitEthernet1/0/2.2] quit
# Specify the heartbeat interface on FW_B and enable hot standby.
[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW_B] hrp enable
- Configure security policies.
# Configure security policies in the root system on FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name sec_portal
HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.159.0.0 16
HRP_M[FW_A-policy-security-rule-sec_portal] action permit
HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
HRP_M[FW_A-policy-security-rule-sec_portal] quit
HRP_M[FW_A-policy-security] rule name sec_ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] source-zone untrust local
HRP_M[FW_A-policy-security-rule-sec_ospf] destination-zone local untrust
HRP_M[FW_A-policy-security-rule-sec_ospf] service ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] action permit
HRP_M[FW_A-policy-security-rule-sec_ospf] quit
HRP_M[FW_A-policy-security] quit
# Configure security policies in virtual system vfw1 on FW_A.
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] security-policy
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.159.10.0 24
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1_ospf
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] source-zone untrust local
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] destination-zone local untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] service ospf
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] quit
HRP_M[FW_A-vfw1-policy-security] quit
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit
Similarly, configure security policies in virtual system vfw2 on FW_A.
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure security policies manually on FW_B.
- Configure the policy backup-based acceleration function.
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
HRP_M[FW_A] policy accelerate standby enable
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure the policy backup-based acceleration function manually on FW_B.
- Configure NAT servers.
The NAT server configuration commands are only exemplary. In practice, NAT servers are configured on the management component, and the management component delivers the configuration to the FW.
# Configure NAT servers in the root system on FW_A.
HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.159.1.100
HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.159.2.100
# Configure a NAT server in virtual system vfw1 on FW_A.
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.159.10.100
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit
Similarly, configure a NAT server in virtual system vfw2 on FW_A.
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure NAT servers manually on FW_B.
- Configure other network devices.
The present case focuses on the configuration on the FW. For the configuration on other network devices, note that:
- You need to configure routes to the global addresses of the Portal system and virtual machines on the upstream router, and set the next hop of the routes to the CE12800.
- When configuring OSPF on the CE12800, you need to run the default-route-advertise always command in the OSPF process.
- The CE6800 transmits Layer-2 packets transparently, and you only need to configure Layer-2 forwarding on it.
Verification
- Run the display hrp state command on FW_A and FW_B. The current HRP state is normal.
- Enterprise users on the Internet can access virtual machine services normally.
- Enterprise users on the Internet can access the Portal system normally.
- Run the shutdown command on GE1/0/2.1 of FW_A to simulate a link fault. The active/standby switchover is normal without services interrupted.
Configuration Scripts
FW_A
#
 sysname FW_A
#
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.1.1.2
 hrp track interface GigabitEthernet 1/0/1
#
 vsys enable
 resource-class vfw1_car
  resource-item-limit bandwidth 100 entire
 resource-class vfw2_car
  resource-item-limit bandwidth 100 entire
#
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
ip vpn-instance vfw1
 ipv4-family
  route-distinguisher 10:1
 ipv6-family
#
ip vpn-instance vfw2
 ipv4-family
  route-distinguisher 11:1
 ipv6-family
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.252 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#
ospf 1000
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
 ip route-static 117.1.1.1 255.255.255.255 NULL 0
 ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
 ip route-static 118.1.1.1 255.255.255.255 NULL 0
#
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 active
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
 ip route-static 118.1.1.2 255.255.255.255 NULL 0
#
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100
#
return
FW_B
#
 sysname FW_B
#
 hrp enable
 hrp interface Eth-Trunk 1 remote 10.1.1.1
 hrp track interface GigabitEthernet 1/0/1
#
 vsys enable
 resource-class vfw1_car
  resource-item-limit bandwidth 100 entire
 resource-class vfw2_car
  resource-item-limit bandwidth 100 entire
#
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
ip vpn-instance vfw1
 ipv4-family
  route-distinguisher 10:1
 ipv6-family
#
ip vpn-instance vfw2
 ipv4-family
  route-distinguisher 11:1
 ipv6-family
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.253 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 standby
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
 import-route static
 area 0.0.0.0
  network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
 import-route static
 area 0.0.0.0
  network 172.16.11.0 0.0.0.255
#
ospf 1000
 import-route static
 area 0.0.0.0
  network 172.16.9.0 0.0.0.255
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
 ip route-static 117.1.1.1 255.255.255.255 NULL 0
 ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm1_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
 ip route-static 118.1.1.1 255.255.255.255 NULL 0
#
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 10.159.11.254 standby
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
 rule name sec_vm2_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
 ip route-static 118.1.1.2 255.255.255.255 NULL 0
#
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100
#
return
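The scripts above are mirrored by HRP, but the values that must agree between the two firewalls (VRRP vrid and virtual IP per interface, one active and one standby) and the pairing of every NAT server global address with its /32 black-hole route are easy to get wrong when a script is edited by hand. The following Python is an added example, not Huawei code or part of this document's configuration: it parses a constructed, abridged excerpt in the same line format as the scripts above (only the root-system DMZ interfaces, routes, NAT servers and policies are included) and checks those invariants, plus whether every permit rule from the Untrust zone carries a destination-address or service restriction. The function names `parse` and `check_pair` and the excerpts `FW_A`, `FW_B_GOOD` and `FW_B_BAD` are assumptions of this example.

```python
import re

# Constructed, abridged FW_A excerpt in the page's script format (not the full script).
FW_A = """\
interface GigabitEthernet1/0/2.1
 vrrp vrid 1 virtual-ip 10.159.1.254 active
interface GigabitEthernet1/0/2.2
 vrrp vrid 2 virtual-ip 10.159.2.254 active
 ip route-static 117.1.1.1 255.255.255.255 NULL 0
 ip route-static 117.1.1.2 255.255.255.255 NULL 0
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  service ospf
  action permit
"""

# Correct standby twin: identical groups, standby role.
FW_B_GOOD = FW_A.replace(" active", " standby")

# Constructed faulty twin: wrong vrid on GE1/0/2.2 and a missing black-hole route.
FW_B_BAD = (FW_B_GOOD
            .replace("vrid 2 virtual-ip", "vrid 1 virtual-ip")
            .replace(" ip route-static 117.1.1.2 255.255.255.255 NULL 0\n", ""))


def parse(script):
    """Extract VRRP groups, black-hole routes, NAT global addresses and policy rules."""
    cfg = {"vrrp": {}, "blackhole": set(), "nat_global": [], "rules": []}
    iface = rule = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if line.startswith("interface "):
            iface, rule = line.split(None, 1)[1], None
        elif (m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line)):
            cfg["vrrp"][iface] = (int(m[1]), m[2], m[3])
        elif (m := re.match(r"ip route-static (\S+) (?:32|255\.255\.255\.255) NULL 0", line)):
            cfg["blackhole"].add(m[1])          # /32 route to NULL 0 = black hole
        elif (m := re.match(r"nat server \S+ (?:\d+ )?global (\S+) inside", line)):
            cfg["nat_global"].append(m[1])
        elif (m := re.match(r"rule name (\S+)", line)):
            rule = {"name": m[1], "src": set(), "dst_addr": False,
                    "service": False, "action": None}
            cfg["rules"].append(rule)
        elif rule is not None:
            if line.startswith("source-zone "):
                rule["src"].update(line.split()[1:])
            elif line.startswith("destination-address "):
                rule["dst_addr"] = True
            elif line.startswith("service "):
                rule["service"] = True
            elif line.startswith("action "):
                rule["action"] = line.split()[1]
    return cfg


def check_pair(a_script, b_script):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(a_script), parse(b_script)
    findings = []
    for iface, (vrid, vip, role) in a["vrrp"].items():
        twin = b["vrrp"].get(iface)
        if twin is None:
            findings.append(f"{iface}: VRRP group on FW_A has no twin on FW_B")
        elif twin[:2] != (vrid, vip):
            findings.append(f"{iface}: VRRP mismatch, FW_A vrid {vrid}/{vip} "
                            f"vs FW_B vrid {twin[0]}/{twin[1]}")
        elif {role, twin[2]} != {"active", "standby"}:
            findings.append(f"{iface}: roles {role}/{twin[2]}, expected active/standby")
    for name, cfg in (("FW_A", a), ("FW_B", b)):
        for g in cfg["nat_global"]:
            if g not in cfg["blackhole"]:
                findings.append(f"{name}: nat server global {g} has no /32 black-hole route")
        for r in cfg["rules"]:
            if (r["action"] == "permit" and "untrust" in r["src"]
                    and not (r["dst_addr"] or r["service"])):
                findings.append(f"{name}: rule {r['name']} permits Untrust traffic "
                                "without destination-address or service restriction")
    return findings


if __name__ == "__main__":
    print("good pair:", check_pair(FW_A, FW_B_GOOD) or "no findings")
    for f in check_pair(FW_A, FW_B_BAD):
        print("bad pair:", f)
```

Run against the two exported scripts of a real pair, the same checks catch the mistakes that `display hrp state` does not: HRP reports the heartbeat as normal even when a vrid or virtual IP differs between the devices, and a NAT server whose global address lacks a black-hole route only shows up as a routing loop under load.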
Solution 2: Switch Serving as Gateway
Typical Networking
On the cloud computing network, the core switches are the CE12800, the access switches are the CE6800, and the firewalls are the USG9500. The present case focuses on the configuration on the firewalls. Figure 1-13 shows the overall networking.
The cloud computing network requires that:
- Access of different extranet enterprise users to the virtual machines must be isolated, and the bandwidth available to each virtual machine service must be limited to a specific range so that no single service consumes a large share of the resources.
- Private addresses are configured for the Portal system and virtual machines for intranet use, and their public addresses are advertised to the extranet to allow external enterprise users to access the Portal system and virtual machines.
- Access behavior of extranet enterprise users to the Portal system and virtual machines is controlled to permit only service access traffic.
- Device availability is improved to avoid service interruption caused by the failure of only one device.
The firewalls are attached to the CE12800 core switches in off-path mode. The above requirements are satisfied by the following features:
- Virtual system: Virtual systems are used to isolate virtual machine services accessed by external enterprise users. Each virtual machine belongs to one virtual system, and each virtual system has its maximum bandwidth.
- Subinterface: The firewall is connected to the CE12800 through subinterfaces. The subinterfaces are assigned to the virtual systems and the root system. The subinterfaces in the virtual systems carry virtual machine services, and the subinterface in the root system carries portal services.
- NAT server: The NAT servers advertise the public addresses of the Portal system and virtual machines to the extranet. A NAT server dedicated to a virtual machine is configured in each virtual system, and NAT servers dedicated to the Portal system are configured in the root system.
- Security policy: Security policies are applied to control access to the Portal system and virtual machines. Security policies used to control access to services of a virtual machine are configured in each virtual system, and security policies used to control access to services of the Portal system are configured in the root system.
- Hot standby: Two firewalls are deployed in hot standby mode to improve availability. When the active firewall fails, the standby firewall takes over without services interrupted.
Service Planning
As shown in Figure 1-14, the FW is attached to the CE12800 and works at Layer 3. VRF is configured on the CE12800 to virtualize it into an upstream switch (the root switch, Public) and downstream switches (multiple virtual switches, VRF). VRRP runs between the FW and both the root switch Public and the virtual switches VRF of the CE12800. The virtual IP addresses of the VRRP groups on the CE12800 serve as the gateway addresses for the Portal system and virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the root switch Public of the CE12800 to the FW; after the FW has processed it, the traffic is forwarded by the virtual switches VRF of the CE12800 to the Portal system or virtual machines. The return traffic is first forwarded by the virtual switch VRF of the CE12800 to the FW; after the FW has processed it, the traffic is forwarded by the root switch Public of the CE12800.
The following describes the service planning in detail.
Interfaces and Security Zones
This section describes the connection between FW_A and CE12800_A.
As shown in Figure 1-15, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:
- Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A, each with its own IP address. One subinterface belongs to the root system and is assigned to the Untrust zone of the root system; each of the others belongs to a different virtual system and is assigned to the Untrust zone of that virtual system.
- 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
As shown in Figure 1-16, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:
- Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
- 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of two VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
As shown in Figure 1-17, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:
- Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address. Each subinterface belongs to a different virtual system and is assigned to the Trust zone of the virtual system.
- 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
The connection between FW_B and CE12800_B is the same, the only difference being the IP addresses.
One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.
Table 1-6 describes the planning of interfaces and security zones on the FWs.
| FW_A | FW_B | Description |
|---|---|---|
| GE1/0/1; IP address: none; Virtual system: public; Security zone: Untrust | GE1/0/1; IP address: none; Virtual system: public; Security zone: Untrust | Connected to 10GE1/1/0/1 of the CE12800. |
| GE1/0/1.10; IP address: 172.16.10.252/24; Virtual system: vfw1; Security zone: Untrust; VRRP ID: 10; Virtual IP address: 172.16.10.254; State: active | GE1/0/1.10; IP address: 172.16.10.253/24; Virtual system: vfw1; Security zone: Untrust; VRRP ID: 10; Virtual IP address: 172.16.10.254; State: standby | Subinterface of vfw1. |
| GE1/0/1.11; IP address: 172.16.11.252/24; Virtual system: vfw2; Security zone: Untrust; VRRP ID: 11; Virtual IP address: 172.16.11.254; State: active | GE1/0/1.11; IP address: 172.16.11.253/24; Virtual system: vfw2; Security zone: Untrust; VRRP ID: 11; Virtual IP address: 172.16.11.254; State: standby | Subinterface of vfw2. |
| GE1/0/1.1000; IP address: 172.16.9.252/24; Virtual system: public; Security zone: Untrust; VRRP ID: 9; Virtual IP address: 172.16.9.254; State: active | GE1/0/1.1000; IP address: 172.16.9.253/24; Virtual system: public; Security zone: Untrust; VRRP ID: 9; Virtual IP address: 172.16.9.254; State: standby | Subinterface of the root system. |
| GE1/0/2; IP address: none; Virtual system: public; Security zone: DMZ | GE1/0/2; IP address: none; Virtual system: public; Security zone: DMZ | Connected to 10GE1/1/0/2 of the CE12800. |
| GE1/0/2.1; IP address: 10.159.1.252/24; Virtual system: public; Security zone: DMZ; VRRP ID: 1; Virtual IP address: 10.159.1.254; State: active | GE1/0/2.1; IP address: 10.159.1.253/24; Virtual system: public; Security zone: DMZ; VRRP ID: 1; Virtual IP address: 10.159.1.254; State: standby | Subinterface of the root system. |
| GE1/0/2.2; IP address: 10.159.2.252/24; Virtual system: public; Security zone: DMZ; VRRP ID: 2; Virtual IP address: 10.159.2.254; State: active | GE1/0/2.2; IP address: 10.159.2.253/24; Virtual system: public; Security zone: DMZ; VRRP ID: 2; Virtual IP address: 10.159.2.254; State: standby | Subinterface of the root system. |
| GE1/0/3; IP address: none; Virtual system: public; Security zone: Trust | GE1/0/3; IP address: none; Virtual system: public; Security zone: Trust | Connected to 10GE1/1/0/3 of the CE12800. |
| GE1/0/3.10; IP address: 10.159.10.252/24; Virtual system: vfw1; Security zone: Trust; VRRP ID: 110; Virtual IP address: 10.159.10.254; State: active | GE1/0/3.10; IP address: 10.159.10.253/24; Virtual system: vfw1; Security zone: Trust; VRRP ID: 110; Virtual IP address: 10.159.10.254; State: standby | Subinterface of vfw1. |
| GE1/0/3.11; IP address: 10.159.11.252/24; Virtual system: vfw2; Security zone: Trust; VRRP ID: 111; Virtual IP address: 10.159.11.254; State: active | GE1/0/3.11; IP address: 10.159.11.253/24; Virtual system: vfw2; Security zone: Trust; VRRP ID: 111; Virtual IP address: 10.159.11.254; State: standby | Subinterface of vfw2. |
| Eth-Trunk1; Member interfaces: GE1/0/8 and GE2/0/8; IP address: 10.1.1.1/30; Virtual system: public; Security zone: hrpzone | Eth-Trunk1; Member interfaces: GE1/0/8 and GE2/0/8; IP address: 10.1.1.2/30; Virtual system: public; Security zone: hrpzone | HRP backup interface. |
Virtual System
Virtual systems carry virtual machine services. Each virtual system corresponds to one virtual machine. The planning of interfaces for the virtual systems has been described in the above interfaces and security zones. In addition, to limit the bandwidth available for each virtual system, it is also necessary to configure resource classes for the virtual systems.
Table 1-7 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Resource class | Name: vfw1_car; Maximum bandwidth: 100M | Name: vfw1_car; Maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw1 is 100M. |
| Resource class | Name: vfw2_car; Maximum bandwidth: 100M | Name: vfw2_car; Maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw2 is 100M. |
| Virtual system | Name: vfw1; Resource class: vfw1_car | Name: vfw1; Resource class: vfw1_car | - |
| Virtual system | Name: vfw2; Resource class: vfw2_car | Name: vfw2; Resource class: vfw2_car | - |
Routes
Traffic is forwarded using static routes between the FW and CE12800.
- Static routes are configured in the root switch Public on the CE12800. The destination addresses of these static routes are the public addresses of the Portal system and virtual machines, and the next-hop addresses are the addresses of the subinterfaces on the FW. With these static routes, traffic from external enterprise users to the Portal system or virtual machines is forwarded to the FW.
- A default route is configured in each virtual switch VRF on the CE12800. The next-hop addresses of these default routes are the addresses of the subinterfaces on the FW. With these default routes, the return traffic from the Portal system or virtual machines can be forwarded to the FW.
- Static routes are configured on the FW. The destination addresses of these static routes are the private addresses of the Portal system and virtual machines, and the next-hop addresses are the VLANIF addresses of the virtual switches VRF of the CE12800. With these static routes, traffic from external enterprise users to the public addresses of the Portal system and virtual machines is forwarded by the FW, after processing, to the CE12800.
- Default routes are configured on the FW. The next-hop addresses of these default routes are the VLANIF address of the root switch Public on the CE12800. With these default routes, return traffic from the Portal system or virtual machines can be forwarded by the FW after processing to the CE12800.
Routes on the FW include routes in the root system and routes in the virtual systems. Table 1-8 describes the planning of routes.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Routes in the root system | Default route; Next hop: 172.16.9.251 | Default route; Next hop: 172.16.9.251 | Default route of the root system, the next hop being the CE12800. |
| Routes in the root system | Black-hole routes; Destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes; Destination addresses: 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes to the global addresses of the Portal system, to prevent a routing loop. |
| Routes in the root system | Static routes; Destination address: 10.160.1.0/24, next hop: 10.159.1.251; Destination address: 10.160.2.0/24, next hop: 10.159.2.251 | Static routes; Destination address: 10.160.1.0/24, next hop: 10.159.1.251; Destination address: 10.160.2.0/24, next hop: 10.159.2.251 | Static routes to the private addresses of the Portal system, the next hop being the CE12800. |
| Routes in the virtual system vfw1 | Default route; Next hop: 172.16.10.251 | Default route; Next hop: 172.16.10.251 | Default route of vfw1, the next hop being the CE12800. |
| Routes in the virtual system vfw1 | Black-hole route; Destination address: 118.1.1.1/32 | Black-hole route; Destination address: 118.1.1.1/32 | Black-hole route to the global address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw1 | Static route; Destination address: 10.160.10.0/24; Next hop: 10.159.10.251 | Static route; Destination address: 10.160.10.0/24; Next hop: 10.159.10.251 | Static route to the private address of the virtual machine, the next hop being the CE12800. |
| Routes in the virtual system vfw2 | Default route; Next hop: 172.16.11.251 | Default route; Next hop: 172.16.11.251 | Default route of vfw2, the next hop being the CE12800. |
| Routes in the virtual system vfw2 | Black-hole route; Destination address: 118.1.1.2/32 | Black-hole route; Destination address: 118.1.1.2/32 | Black-hole route to the global address of the virtual machine, to prevent a routing loop. |
| Routes in the virtual system vfw2 | Static route; Destination address: 10.160.11.0/24; Next hop: 10.159.11.251 | Static route; Destination address: 10.160.11.0/24; Next hop: 10.159.11.251 | Static route to the private address of the virtual machine, the next hop being the CE12800. |
Hot Standby
This is the typical hot standby networking in which the firewalls connect to Layer 2 devices both upstream and downstream. Figure 1-18 shows the logical networking where extranet enterprise users access services of the virtual machines. For ease of description, only one virtual machine is shown.
Figure 1-19 shows the logical networking where external enterprise users access services of the Portal system. For ease of description, only one Portal system is shown.
After hot standby is configured, FW_A serves as the active firewall, and FW_B serves as the standby firewall. As shown in Figure 1-20, when the network is normal, FW_A responds to the ARP request sent by the root switch Public of the CE12800 for the MAC address of the gateway, and traffic from external enterprise users to the Portal system or virtual machines is forwarded by FW_A. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_A.
When FW_A or the link connecting FW_A fails, an active/standby switchover takes place. Then, FW_B sends a gratuitous ARP packet to make the CE12800 update the mapping between the virtual MAC address and port. All traffic is forwarded by FW_B, as shown in Figure 1-21. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_B.
Security Policies
There are security policies in the root system and security policies in virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system. Security policies in a virtual system permit packets from external enterprise users to the virtual machine.
In addition, antivirus and IPS profiles can be included in the security policies to defend against attacks of viruses, worms, Trojan horses, and zombies. Normally, the default antivirus and IPS profiles can be used.
Table 1-9 describes the planning of security policies on the FWs.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| Security policies in the root system | Name: sec_portal. Source security zone: Untrust. Destination security zone: DMZ. Destination address: 10.160.0.0/16. Action: permit. Antivirus: default. IPS: default | Name: sec_portal. Source security zone: Untrust. Destination security zone: DMZ. Destination address: 10.160.0.0/16. Action: permit. Antivirus: default. IPS: default | Permit packets from external enterprise users to the Portal system. |
| Security policies in the virtual system vfw1 | Name: sec_vm1. Source security zone: Untrust. Destination security zone: Trust. Destination address: 10.160.10.0/24. Action: permit. Antivirus: default. IPS: default | Name: sec_vm1. Source security zone: Untrust. Destination security zone: Trust. Destination address: 10.160.10.0/24. Action: permit. Antivirus: default. IPS: default | Permit packets from external enterprise users to the virtual machine. |
| Security policies in the virtual system vfw2 | Name: sec_vm2. Source security zone: Untrust. Destination security zone: Trust. Destination address: 10.160.11.0/24. Action: permit. Antivirus: default. IPS: default | Name: sec_vm2. Source security zone: Untrust. Destination security zone: Trust. Destination address: 10.160.11.0/24. Action: permit. Antivirus: default. IPS: default | Permit packets from external enterprise users to the virtual machine. |
NAT Servers
There are NAT servers in the root system and NAT servers in the virtual systems. The NAT servers in the root system map the addresses of the Portal system to public addresses for access by extranet enterprise users. The NAT server in a virtual system maps the address of a virtual machine to a public address for access by extranet enterprise users.
For extranet enterprise users to reach the Portal system and virtual machines, a public address must be applied for every Portal system and virtual machine. It is assumed that the public addresses for the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are 118.1.1.1 and 118.1.1.2. Table 1-10 describes the planning of NAT servers on the FWs.
| Item | FW_A | FW_B | Description |
|---|---|---|---|
| NAT servers in the root system | Name: nat_server_portal1. Global address: 117.1.1.1. Inside address: 10.160.1.100 | Name: nat_server_portal1. Global address: 117.1.1.1. Inside address: 10.160.1.100 | NAT servers of the Portal system |
| | Name: nat_server_portal2. Global address: 117.1.1.2. Inside address: 10.160.2.100 | Name: nat_server_portal2. Global address: 117.1.1.2. Inside address: 10.160.2.100 | NAT servers of the Portal system |
| NAT server in the virtual system vfw1 | Name: nat_server_vm1. Global address: 118.1.1.1. Inside address: 10.160.10.100 | Name: nat_server_vm1. Global address: 118.1.1.1. Inside address: 10.160.10.100 | NAT server of the virtual machine |
| NAT server in the virtual system vfw2 | Name: nat_server_vm2. Global address: 118.1.1.2. Inside address: 10.160.11.100 | Name: nat_server_vm2. Global address: 118.1.1.2. Inside address: 10.160.11.100 | NAT server of the virtual machine |
Precautions
Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual systems, you must apply for a license.
Black-hole Route
Configure black-hole routes to the public addresses of the Portal systems in the root system and black-hole routes to the public addresses of virtual machines in the virtual systems to prevent routing loops.
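The planning in Tables 1-8 to 1-10 ties each NAT server to three other pieces of configuration in the same system: a black-hole route for its global address, a specific static route for its inside address, and a permit security policy covering that inside address. When such scripts are maintained by hand on two firewalls, those pieces drift apart easily. The following added consistency check (example code, not Huawei's or this document's own) parses a saved configuration in the style of the Configuration Scripts section, splits it by `switch vsys`, and reports any NAT server missing one of the three; the sample configuration is a constructed excerpt with two deliberate faults.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt in the style of the page's configuration scripts, with two
# deliberate faults: no black-hole route for 117.1.1.2, and a vfw1 policy whose
# destination (10.159.10.0/24) does not cover the NAT server's inside address.
SAMPLE_CONFIG = """\
#
sysname FW_A
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  action permit
#
return
#
switch vsys vfw1
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
"""

# Mask fields may be dotted (saved script) or prefix lengths (procedure); both parse.
ROUTE_RE = re.compile(r"^ip route-static (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat server (\S+)(?: \d+)? global (\S+) inside (\S+)")
DST_RE = re.compile(r"^destination-address (\S+) (\S+)")


@dataclass
class SystemView:
    """What one system (root or a vsys) declares about its NAT plumbing."""
    name: str
    blackholes: list = field(default_factory=list)     # networks routed to NULL 0
    static_routes: list = field(default_factory=list)  # networks with a real next hop
    nat_servers: list = field(default_factory=list)    # (name, global_ip, inside_ip)
    permitted: list = field(default_factory=list)      # destinations of permit rules


def parse_config(text):
    """Split a saved configuration into per-system views keyed by system name."""
    systems = {"root": SystemView("root")}
    cur = systems["root"]
    rule_dsts = []  # destinations of the security-policy rule currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("switch vsys "):
            name = line.split()[2]
            cur = systems.setdefault(name, SystemView(name))
        elif line.startswith("rule name "):
            rule_dsts = []
        elif m := DST_RE.match(line):
            rule_dsts.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif line == "action permit":
            cur.permitted.extend(rule_dsts)
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            (cur.blackholes if m[3].upper() == "NULL" else cur.static_routes).append(net)
        elif m := NAT_RE.match(line):
            cur.nat_servers.append(
                (m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
    return systems


def check_nat_plumbing(systems):
    """Return one finding per missing piece; empty means every NAT server is plumbed."""
    findings = []
    for sysname, v in systems.items():
        for name, glob, inside in v.nat_servers:
            if not any(glob in n for n in v.blackholes):
                findings.append(f"{sysname}/{name}: global {glob} has no black-hole route "
                                "(routing loop risk)")
            # The default route does not count: the private address needs a specific
            # static route toward the virtual switch VRF on the CE12800.
            if not any(n.prefixlen > 0 and inside in n for n in v.static_routes):
                findings.append(f"{sysname}/{name}: inside {inside} has no specific static route")
            if not any(inside in n for n in v.permitted):
                findings.append(f"{sysname}/{name}: inside {inside} is not covered by any permit rule")
    return findings


if __name__ == "__main__":
    for finding in check_nat_plumbing(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of `display current-configuration` saved from each firewall; because hot standby synchronizes policies and NAT servers but not interface addresses, differences between the FW_A and FW_B reports point at the non-synchronized parts.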
Policy Backup-based Acceleration Function
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.
Configuration Procedure
Prerequisites
The license file of virtual systems has been obtained and activated successfully on FW_A and FW_B.
Procedure
- Configure interfaces and security zones.
# Create subinterfaces on FW_A.
```
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] quit
```
# Create subinterfaces on FW_B.
```
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] quit
```
# Configure an Eth-Trunk interface on FW_A.
```
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] ip address 10.1.1.1 30
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] eth-trunk 1
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] eth-trunk 1
[FW_A-GigabitEthernet2/0/8] quit
```
# Configure an Eth-Trunk interface on FW_B.
```
[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] ip address 10.1.1.2 30
[FW_B-Eth-Trunk1] quit
[FW_B] interface GigabitEthernet 1/0/8
[FW_B-GigabitEthernet1/0/8] eth-trunk 1
[FW_B-GigabitEthernet1/0/8] quit
[FW_B] interface GigabitEthernet 2/0/8
[FW_B-GigabitEthernet2/0/8] eth-trunk 1
[FW_B-GigabitEthernet2/0/8] quit
```
# Configure IP addresses for root system interfaces on FW_A, and assign the interfaces to the security zones of the root system.
```
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit
```
# Configure IP addresses for root system interfaces on FW_B, and assign the interfaces to the security zones of the root system.
```
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_B-zone-dmz] quit
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 1
[FW_B-zone-hrpzone] quit
```
- Configure virtual systems.
# Enable the virtual system function on FW_A.
```
[FW_A] vsys enable
```
# Enable the virtual system function on FW_B.
```
[FW_B] vsys enable
```
# Configure resource classes on FW_A.
```
[FW_A] resource-class vfw1_car
[FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw1_car] quit
[FW_A] resource-class vfw2_car
[FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_A-resource-class-vfw2_car] quit
```
# Configure resource classes on FW_B.
```
[FW_B] resource-class vfw1_car
[FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw1_car] quit
[FW_B] resource-class vfw2_car
[FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire
[FW_B-resource-class-vfw2_car] quit
```
# Create virtual systems on FW_A, and allocate resources to the virtual systems.
```
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit
```
# Create virtual systems on FW_B, and allocate resources to the virtual systems.
```
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit
```
# Configure IP addresses for interfaces in the virtual system vfw1 on FW_A, and assign the interfaces to security zones.
```
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/1.10] quit
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] firewall zone untrust
[FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-zone-untrust] quit
[FW_A-vfw1] firewall zone trust
[FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-zone-trust] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit
```
Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A, and assign the interfaces to security zones.
# Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and assign the interfaces to security zones.
```
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/1.10] quit
[FW_B-vfw1] interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24
[FW_B-vfw1-GigabitEthernet1/0/3.10] quit
[FW_B-vfw1] firewall zone untrust
[FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_B-vfw1-zone-untrust] quit
[FW_B-vfw1] firewall zone trust
[FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_B-vfw1-zone-trust] quit
[FW_B-vfw1] quit
<FW_B-vfw1> quit
```
Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B, and assign the interfaces to security zones.
- Configure routes.
# Configure routes of the root system on FW_A.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_A] ip route-static 117.1.1.1 32 NULL 0
[FW_A] ip route-static 117.1.1.2 32 NULL 0
[FW_A] ip route-static 10.160.1.0 24 10.159.1.251
[FW_A] ip route-static 10.160.2.0 24 10.159.2.251
```
# Configure routes of the root system on FW_B.
```
[FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
[FW_B] ip route-static 117.1.1.1 32 NULL 0
[FW_B] ip route-static 117.1.1.2 32 NULL 0
[FW_B] ip route-static 10.160.1.0 24 10.159.1.251
[FW_B] ip route-static 10.160.2.0 24 10.159.2.251
```
# Configure routes of the virtual systems on FW_A.
```
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_A-vfw1] ip route-static 10.160.10.0 24 10.159.10.251
[FW_A-vfw1] quit
<FW_A-vfw1> quit
[FW_A] switch vsys vfw2
<FW_A-vfw2> system-view
[FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_A-vfw2] ip route-static 10.160.11.0 24 10.159.11.251
[FW_A-vfw2] quit
<FW_A-vfw2> quit
```
# Configure routes of the virtual systems on FW_B.
```
[FW_B] switch vsys vfw1
<FW_B-vfw1> system-view
[FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
[FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0
[FW_B-vfw1] ip route-static 10.160.10.0 24 10.159.10.251
[FW_B-vfw1] quit
<FW_B-vfw1> quit
[FW_B] switch vsys vfw2
<FW_B-vfw2> system-view
[FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
[FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0
[FW_B-vfw2] ip route-static 10.160.11.0 24 10.159.11.251
[FW_B-vfw2] quit
<FW_B-vfw2> quit
```
- Configure hot standby.
# Configure VRRP groups on FW_A, setting their states to Active.
```
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 active
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 active
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] vlan-type dot1q 9
[FW_A-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 active
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_A-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 active
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_A-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 active
[FW_A-GigabitEthernet1/0/3.11] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active
[FW_A-GigabitEthernet1/0/2.2] quit
```
# Specify the heartbeat interface on FW_A and enable hot standby.
```
[FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2
[FW_A] hrp enable
```
# Configure VRRP groups on FW_B, setting their states to Standby.
```
[FW_B] interface GigabitEthernet 1/0/1.10
[FW_B-GigabitEthernet1/0/1.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 standby
[FW_B-GigabitEthernet1/0/1.10] quit
[FW_B] interface GigabitEthernet 1/0/1.11
[FW_B-GigabitEthernet1/0/1.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 standby
[FW_B-GigabitEthernet1/0/1.11] quit
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] vlan-type dot1q 9
[FW_B-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 standby
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/3.10
[FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10
[FW_B-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 standby
[FW_B-GigabitEthernet1/0/3.10] quit
[FW_B] interface GigabitEthernet 1/0/3.11
[FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11
[FW_B-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 standby
[FW_B-GigabitEthernet1/0/3.11] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1
[FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2
[FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby
[FW_B-GigabitEthernet1/0/2.2] quit
```
# Specify the heartbeat interface on FW_B and enable hot standby.
```
[FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1
[FW_B] hrp enable
```
- Configure security policies.
# Configure security policies in the root system on FW_A.
```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name sec_portal
HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.160.0.0 16
HRP_M[FW_A-policy-security-rule-sec_portal] action permit
HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
HRP_M[FW_A-policy-security-rule-sec_portal] quit
HRP_M[FW_A-policy-security] quit
```
# Configure security policies in virtual system vfw1 on FW_A.
```
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] security-policy
HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.160.10.0 24
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit
HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit
HRP_M[FW_A-vfw1-policy-security] quit
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit
```
Similarly, configure security policies in virtual system vfw2 on FW_A.
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure security policies manually on FW_B.
- Configure the policy backup-based acceleration function.
When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, a newly configured policy takes effect only after the policy backup-based acceleration process completes.
```
HRP_M[FW_A] policy accelerate standby enable
```
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure policy backup-based acceleration function manually on FW_B.
- Configure NAT servers.
The NAT server configuration commands are only exemplary. In practice, NAT servers are configured on the management component, and the management component delivers the configuration to the FW.
# Configure NAT servers in the root system on FW_A.
```
HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.160.1.100
HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.160.2.100
```
# Configure a NAT server in virtual system vfw1 on FW_A.
```
HRP_M[FW_A] switch vsys vfw1
HRP_M<FW_A-vfw1> system-view
HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.160.10.100
HRP_M[FW_A-vfw1] quit
HRP_M<FW_A-vfw1> quit
```
Similarly, configure a NAT server in virtual system vfw2 on FW_A.
# After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure NAT servers manually on FW_B.
- Configure other network devices.
The present case focuses on the configuration on the FW. For the configuration on other network devices, note that:
- OSPF runs between the upstream router and the CE12800. The upstream router learns the routes to the public addresses of the Portal systems and virtual machines through OSPF, with the CE12800 as the next hop.
- You need to configure multiple virtual switch VRFs on the CE12800, bind the VLANIF interfaces to those VRFs, and then configure VRRP groups on the VLANIF interfaces. In addition, you need to configure static routes to the public addresses of the Portal systems and virtual machines on the root switch Public of the CE12800 and set their next hops to the virtual IP addresses of the VRRP groups on the FW; you also need to configure default routes in the virtual switch VRFs and set their next hops likewise to the virtual IP addresses of the VRRP groups on the FW.
- The CE6800 transmits Layer-2 packets transparently, and you only need to configure Layer-2 forwarding on it.
Verification
- Run the display hrp state command on FW_A and FW_B. The current HRP state is normal.
- Enterprise users on the Internet can access virtual machine services normally.
- Enterprise users on the Internet can access the Portal system normally.
- Run the shutdown command on GE1/0/1.10 of FW_A to simulate a link fault. The active/standby switchover completes normally without service interruption.
Configuration Scripts
FW_A:
```
#
sysname FW_A
#
hrp enable
hrp interface Eth-Trunk 1 remote 10.1.1.2
#
vsys enable
resource-class vfw1_car
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car
 resource-item-limit bandwidth 100 entire
#
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 active
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 active
#
interface GigabitEthernet1/0/1.1000
 vlan-type dot1q 9
 ip address 172.16.9.252 255.255.255.0
 vrrp vrid 9 virtual-ip 172.16.9.254 active
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 active
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  profile av default
  profile ips default
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 active
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.160.10.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 active
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.160.11.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
#
return
```
FW_B:
```
#
sysname FW_B
#
hrp enable
hrp interface Eth-Trunk 1 remote 10.1.1.1
#
vsys enable
resource-class vfw1_car
 resource-item-limit bandwidth 100 entire
resource-class vfw2_car
 resource-item-limit bandwidth 100 entire
#
#
vsys name vfw1 1
 assign interface GigabitEthernet1/0/1.10
 assign interface GigabitEthernet1/0/3.10
 assign resource-class vfw1_car
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign interface GigabitEthernet1/0/1.11
 assign interface GigabitEthernet1/0/3.11
 assign resource-class vfw2_car
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 standby
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 standby
#
interface GigabitEthernet1/0/1.1000
 vlan-type dot1q 9
 ip address 172.16.9.253 255.255.255.0
 vrrp vrid 9 virtual-ip 172.16.9.254 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/2.1
 vlan-type dot1q 1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 vlan-type dot1q 2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 standby
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 standby
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  profile av default
  profile ips default
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 standby
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 standby
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.160.10.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 standby
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.160.11.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
#
return
```
Conclusion and Suggestions
- The virtual system feature is configured on the FW. Each virtual system corresponds to one virtual machine, so the virtual machines are isolated from one another through the virtual systems. Security policies can also be configured in each virtual system to implement access control.
- The number of physical interfaces between the FW and the CE12800 is limited. Therefore, multiple subinterfaces are created and allocated to the root system and the virtual systems, which makes interface use flexible.
- In solution 1, when OSPF is configured on the FW, because OSPF cannot be configured in a virtual system directly, the VPN instance corresponding to the virtual system must be bound to the OSPF process in the root system.
- In solution 2, VRF is configured on the CE12800 to virtualize the CE12800 as an upstream switch (root switch Public) and downstream switches (multiple virtual switches VRF). VRRP runs between the FW and both Public and VRF switches of the CE12800.