Application of Firewalls in the Security Solution for Cloud Computing Networks

Introduction

A firewall is attached to a core switch of the cloud computing network in off-line mode. Virtual machine services on the network are isolated using virtual systems. Two firewalls are deployed in hot standby mode to improve service availability.

This document is based on USG6000&USG9500 V500R005C00 and can be used as a reference for USG6000&USG9500 V500R005C00, Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, USG6000E V600R006C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

Introduction to Cloud Computing Networks

The rapid development of cloud computing makes it easy for enterprises to access a cloud computing network to obtain server, storage, and application resources. This reduces the CapEx on the IT infrastructure and speeds up the development of information services.

As shown in Figure 1-1, an "industrial cloud" provides enterprise users with cloud computing services. Services on the network are as follows:

  • Enterprise users access virtual machines to obtain custom resources.
  • Enterprise users access the Portal system to apply for accounts and manage virtual machine spaces.
  • The management component in the cloud computing network manages the virtual machines, Portal system, and network devices.
Figure 1-1 Cloud computing network

Application of Firewalls in the Security Solution for Cloud Computing Networks

As shown in Figure 1-2, a firewall is attached to a core switch of the cloud computing network. The public addresses of the Portal system and virtual machines are advertised so that enterprise users can access them. The virtual machine services accessed by enterprise users are isolated from one another.

Figure 1-2 Application of firewalls in a cloud computing network

The following firewall functions are used on the cloud computing network:

  • Hot standby

    Two firewalls are deployed in hot standby mode to improve service availability.

  • NAT Server

    The public addresses of the Portal system and virtual machines are advertised through the NAT server so that enterprise users on the Internet can access them.

  • Virtual system

    A virtual system is created for each virtual machine to isolate the virtual machine services accessed by enterprise users. Security policies are also configured in each virtual system for access control.

Solution 1: Firewall Serving as Gateway

Typical Networking

On the cloud computing network, the core switches are the CE12800, the access switches are the CE6800, and the firewalls are the USG9500. The present case focuses on the configuration on the firewalls. Figure 1-3 shows the overall networking.

Figure 1-3 Cloud computing network

The cloud computing network requires that:

  • Access of different extranet enterprise users to the virtual machines must be isolated, and the bandwidth available for each virtual machine service must be limited to a specific range so that no single service consumes a large share of resources.
  • Private addresses are configured for the Portal system and virtual machines for intranet use, and their public addresses are advertised to the extranet to allow external enterprise users to access the Portal system and virtual machines.
  • Access behavior of extranet enterprise users to the Portal system and virtual machines is controlled to permit only service access traffic.
  • Device availability is improved to avoid service interruption caused by the failure of only one device.

The firewalls are attached to the CE12800 core switches in off-path mode. The above requirements are satisfied by the following features:

  • Virtual system: Virtual systems are used to isolate virtual machine services accessed by external enterprise users. Each virtual machine belongs to one virtual system, and each virtual system has its maximum bandwidth.
  • Subinterface: The firewall is connected to the CE12800 through subinterfaces. The subinterfaces are assigned to the virtual systems and the root system. The subinterfaces in the virtual systems carry virtual machine services, and the subinterface in the root system carries portal services.
  • NAT server: The NAT servers advertise the public addresses of the Portal system and virtual machines to the extranet. A NAT server dedicated to a virtual machine is configured in each virtual system, and NAT servers dedicated to the Portal system are configured in the root system.
  • Security policy: Security policies are applied to control access to the Portal system and virtual machines. Security policies used to control access to services of a virtual machine are configured in each virtual system, and security policies used to control access to services of the Portal system are configured in the root system.
  • Hot standby: Two firewalls are deployed in hot standby mode to improve availability. When the active firewall fails, the standby firewall takes over without service interruption.

Service Planning

As shown in Figure 1-4, the FW is attached to the CE12800 and works at Layer 3. Logically, the CE12800 has upstream interfaces and downstream interfaces. The upstream interfaces provide Layer-3 forwarding, and the downstream interfaces provide Layer-2 forwarding. OSPF runs between the FW and the upstream interfaces of the CE12800, and VRRP runs between the FW and the downstream interfaces of the CE12800. The virtual IP addresses of the VRRP groups on the FW serve as gateway addresses for the Portal system and virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the upstream interfaces of the CE12800 to the FW. After the FW has processed it, the traffic is forwarded by the downstream interfaces of the CE12800 to the Portal system or virtual machines. The return traffic is first forwarded by the downstream interfaces of the CE12800 to the FW. After the FW has processed it, the traffic is forwarded by the upstream interfaces of the CE12800 towards the extranet.

Figure 1-4 Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones

This section describes the connection between FW_A and CE12800_A.

As shown in Figure 1-5, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:

  • Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each subinterface has an IP address. One subinterface belongs to the root system and is assigned to the Untrust zone of the root system; each of the other subinterfaces belongs to a different virtual system and is assigned to the Untrust zone of that virtual system.
  • 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.
Figure 1-5 GE1/0/1 connection of FW_A

As shown in Figure 1-6, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:

  • Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
  • 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of multiple VLANs.
  • The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the Portal system and terminate VLAN services. CE12800_A transparently transmits L2 packets.
Figure 1-6 GE1/0/2 connection of FW_A

As shown in Figure 1-7, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:

  • Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address. Each subinterface belongs to a different virtual system and is assigned to the Trust zone of the virtual system.
  • 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs.
  • The virtual IP addresses of the VRRP groups on the subinterfaces of FW_A serve as gateway addresses for the virtual machines and terminate VLAN services. CE12800_A transparently transmits L2 packets.
Figure 1-7 GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same.

NOTE:

One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.

Table 1-1 describes the planning of interfaces and security zones on the FWs.

Table 1-1 Planning of interfaces and security zones

  • GE1/0/1
    FW_A: IP address: none; virtual system: public; security zone: Untrust.
    FW_B: IP address: none; virtual system: public; security zone: Untrust.
    Description: Connected to 10GE1/1/0/1 of the CE12800.
  • GE1/0/1.10
    FW_A: IP address: 172.16.10.252/24; virtual system: vfw1; security zone: Untrust.
    FW_B: IP address: 172.16.10.253/24; virtual system: vfw1; security zone: Untrust.
    Description: Subinterface of vfw1.
  • GE1/0/1.11
    FW_A: IP address: 172.16.11.252/24; virtual system: vfw2; security zone: Untrust.
    FW_B: IP address: 172.16.11.253/24; virtual system: vfw2; security zone: Untrust.
    Description: Subinterface of vfw2.
  • GE1/0/1.1000
    FW_A: IP address: 172.16.9.252/24; virtual system: public; security zone: Untrust.
    FW_B: IP address: 172.16.9.253/24; virtual system: public; security zone: Untrust.
    Description: Subinterface of the root system.
  • GE1/0/2
    FW_A: IP address: none; virtual system: public; security zone: DMZ.
    FW_B: IP address: none; virtual system: public; security zone: DMZ.
    Description: Connected to 10GE1/1/0/2 of the CE12800.
  • GE1/0/2.1
    FW_A: IP address: 10.159.1.252/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: active.
    FW_B: IP address: 10.159.1.253/24; virtual system: public; security zone: DMZ; VRRP ID: 1; virtual IP address: 10.159.1.254; state: standby.
    Description: Subinterface of the root system. 10.159.1.254 serves as a gateway for the Portal system.
  • GE1/0/2.2
    FW_A: IP address: 10.159.2.252/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: active.
    FW_B: IP address: 10.159.2.253/24; virtual system: public; security zone: DMZ; VRRP ID: 2; virtual IP address: 10.159.2.254; state: standby.
    Description: Subinterface of the root system. 10.159.2.254 serves as a gateway for the Portal system.
  • GE1/0/3
    FW_A: IP address: none; virtual system: public; security zone: Trust.
    FW_B: IP address: none; virtual system: public; security zone: Trust.
    Description: Connected to 10GE1/1/0/3 of the CE12800.
  • GE1/0/3.10
    FW_A: IP address: 10.159.10.252/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: active.
    FW_B: IP address: 10.159.10.253/24; virtual system: vfw1; security zone: Trust; VRRP ID: 10; virtual IP address: 10.159.10.254; state: standby.
    Description: Subinterface of vfw1. 10.159.10.254 serves as a gateway for the virtual machine.
  • GE1/0/3.11
    FW_A: IP address: 10.159.11.252/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: active.
    FW_B: IP address: 10.159.11.253/24; virtual system: vfw2; security zone: Trust; VRRP ID: 11; virtual IP address: 10.159.11.254; state: standby.
    Description: Subinterface of vfw2. 10.159.11.254 serves as a gateway for the virtual machine.
  • Eth-Trunk1
    FW_A: member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.1/30; virtual system: public; security zone: hrpzone.
    FW_B: member interfaces: GE2/0/1 and GE2/0/2; IP address: 10.1.1.2/30; virtual system: public; security zone: hrpzone.
    Description: HRP backup interface.

Virtual Systems

Virtual systems carry virtual machine services. Each virtual system corresponds to one virtual machine. The planning of interfaces for the virtual systems has been described in the above interfaces and security zones. In addition, to limit the bandwidth available for each virtual system, it is also necessary to configure resource classes for the virtual systems.

Table 1-2 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.

Table 1-2 Planning of virtual systems

  • Resource class vfw1_car
    FW_A and FW_B: name: vfw1_car; maximum bandwidth: 100M.
    Description: The maximum bandwidth for the virtual system vfw1 is 100M.
  • Resource class vfw2_car
    FW_A and FW_B: name: vfw2_car; maximum bandwidth: 100M.
    Description: The maximum bandwidth for the virtual system vfw2 is 100M.
  • Virtual system vfw1
    FW_A and FW_B: name: vfw1; resource class: vfw1_car.
    Description: -
  • Virtual system vfw2
    FW_A and FW_B: name: vfw2; resource class: vfw2_car.
    Description: -

Routes

There are routes in the root system and routes in the virtual systems; each set includes a default route, black-hole routes, and OSPF routes. OSPF runs on the upstream subinterfaces connecting the FW to the CE12800, as shown in Figure 1-8.

Figure 1-8 OSPF routes on FW_A

Specifically:

  • A default route is configured for the root system with the next hop being the related VLANIF IP address of CE12800_A. A default route is configured for each virtual system with the next hop being the related VLANIF IP address of CE12800_A.
  • Black-hole routes with destination addresses being the public addresses of the Portal system are configured in the root system. These black-hole routes are advertised to CE12800_A by the root system through OSPF. A black-hole route with the destination address being the public address of the virtual machine is configured for each virtual system. This black-hole route is advertised to CE12800_A by the virtual system through OSPF.
  • OSPF runs on both the root system and virtual systems. The VPN instance corresponding to a virtual system is bound in the root system to run OSPF in the virtual system.

OSPF also runs on CE12800_A to advertise the network segment of each VLANIF interface.

Table 1-3 describes the planning of routes on the FWs.

Table 1-3 Planning of routes

  • Routes in the root system: default route
    FW_A and FW_B: next hop: 172.16.9.251.
    Description: Default route of the root system; the next-hop address is the CE12800.
  • Routes in the root system: black-hole routes
    FW_A and FW_B: destination addresses: 117.1.1.1/32 and 117.1.1.2/32.
    Description: Black-hole routes to the global addresses of the Portal system, to prevent a routing loop.
  • Routes in the root system: OSPF
    FW_A and FW_B: advertised network segment: 172.16.9.0/24; static routes are imported.
    Description: The global addresses of the Portal system are introduced to OSPF and advertised to the CE12800.
  • Routes in the virtual system vfw1: default route
    FW_A and FW_B: next hop: 172.16.10.251.
    Description: Default route of vfw1; the next-hop address is the CE12800.
  • Routes in the virtual system vfw1: black-hole route
    FW_A and FW_B: destination address: 118.1.1.1/32.
    Description: Black-hole route to the global address of the virtual machine, to prevent a routing loop.
  • Routes in the virtual system vfw1: OSPF
    FW_A and FW_B: bound VPN instance: vfw1; advertised network segment: 172.16.10.0/24; static routes are imported.
    Description: The global address of the virtual machine is introduced to OSPF and advertised to the CE12800.
  • Routes in the virtual system vfw2: default route
    FW_A and FW_B: next hop: 172.16.11.251.
    Description: Default route of vfw2; the next-hop address is the CE12800.
  • Routes in the virtual system vfw2: black-hole route
    FW_A and FW_B: destination address: 118.1.1.2/32.
    Description: Black-hole route to the global address of the virtual machine, to prevent a routing loop.
  • Routes in the virtual system vfw2: OSPF
    FW_A and FW_B: bound VPN instance: vfw2; advertised network segment: 172.16.11.0/24; static routes are imported.
    Description: The global address of the virtual machine is introduced to OSPF and advertised to the CE12800.

Hot Standby

This is the typical hot standby networking: the firewalls connect to Layer-3 devices upstream and to Layer-2 devices downstream. Figure 1-9 shows the logical networking where extranet enterprise users access services of the virtual machines.

Figure 1-9 Logical networking of virtual machine services

Figure 1-10 shows the logical networking where extranet enterprise users access services of the Portal system.

Figure 1-10 Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall and FW_B as the standby firewall. As shown in Figure 1-11, when the network is normal, FW_A advertises routes normally, and the cost of the routes advertised by FW_B is increased by 65,500 (the default value, which is configurable). When Router_A or Router_B forwards traffic from extranet enterprise users to the Portal system or a virtual machine, it selects the path with the smaller cost, so the traffic is forwarded by FW_A.

For the return traffic, when the Portal system or virtual machine requests the MAC address of the gateway, only the active firewall FW_A responds and sends the virtual MAC address to the Portal system or virtual machine. The CE6800 records the mapping between the virtual MAC address and port and forwards the return traffic to FW_A.

Figure 1-11 Normal traffic flow

When FW_A or the link of FW_A fails, an active/standby switchover takes place. Then, FW_B advertises routes normally, and the cost of routes advertised by FW_A increases by 65,500. After the routes converge again, all traffic is forwarded by FW_B, as shown in Figure 1-12.

For the return traffic, after the active/standby switchover, FW_B sends a gratuitous ARP packet to make the CE6800 update the mapping between the virtual MAC address and port. Then, the return traffic is forwarded by the CE6800 to FW_B.

Figure 1-12 Traffic flow when the active link fails

Security Policies

There are security policies in the root system and security policies in virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system and permit OSPF packets exchanged between the root system and the CE12800. Security policies in a virtual system permit packets from extranet enterprise users to the virtual machine and permit OSPF packets exchanged between the virtual system and the CE12800.

In addition, antivirus and IPS profiles can be included in the security policies to defend against attacks of viruses, worms, Trojan horses, and zombies. Normally, the default antivirus and IPS profiles can be used.

Table 1-4 describes the planning of security policies on the FWs.

Table 1-4 Planning of security policies

  • Security policy sec_portal in the root system
    FW_A and FW_B: source security zone: Untrust; destination security zone: DMZ; destination address: 10.159.0.0/16; action: permit; antivirus: default; IPS: default.
    Description: Permit packets from extranet enterprise users to the Portal system.
  • Security policy sec_ospf in the root system
    FW_A and FW_B: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit.
    Description: Permit OSPF packets exchanged between the FW and CE12800.
  • Security policy sec_vm1 in the virtual system vfw1
    FW_A and FW_B: source security zone: Untrust; destination security zone: Trust; destination address: 10.159.10.0/24; action: permit; antivirus: default; IPS: default.
    Description: Permit packets from extranet enterprise users to the virtual machine.
  • Security policy sec_vm1_ospf in the virtual system vfw1
    FW_A and FW_B: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit.
    Description: Permit OSPF packets exchanged between the FW and CE12800.
  • Security policy sec_vm2 in the virtual system vfw2
    FW_A and FW_B: source security zone: Untrust; destination security zone: Trust; destination address: 10.159.11.0/24; action: permit; antivirus: default; IPS: default.
    Description: Permit packets from extranet enterprise users to the virtual machine.
  • Security policy sec_vm2_ospf in the virtual system vfw2
    FW_A and FW_B: source security zone: Untrust and Local; destination security zone: Local and Untrust; service: ospf; action: permit.
    Description: Permit OSPF packets exchanged between the FW and CE12800.
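To check the planned rule set against sample flows before it is typed into the firewalls, the following added example (not Huawei code) models zone-based first-match policy evaluation with an implicit final deny, using the policies of Table 1-4; the sample flows, their destination addresses (the planned inside addresses after NAT server translation) and the profile labels are constructed for the example.

```python
"""First-match evaluation of the planned security policies (Table 1-4).

Added example, not Huawei code. A flow is matched against the policies of
one system (root or virtual) in order; the first policy whose zone pair,
destination address and service all cover the flow decides, and a flow that
matches nothing falls to the default deny. Content-security profiles are
carried along so the result shows whether antivirus/IPS inspection applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src_zones: frozenset               # source security zones
    dst_zones: frozenset               # destination security zones
    dst_nets: tuple = ()               # destination addresses; empty means any
    services: frozenset = frozenset()  # services; empty means any
    action: str = "permit"
    profiles: tuple = ()               # antivirus / IPS profiles applied on permit


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    service: str


def matches(policy, flow):
    """True when every condition of the policy covers the flow."""
    if flow.src_zone not in policy.src_zones or flow.dst_zone not in policy.dst_zones:
        return False
    if policy.dst_nets and not any(ip_address(flow.dst_ip) in ip_network(n) for n in policy.dst_nets):
        return False
    if policy.services and flow.service not in policy.services:
        return False
    return True


def evaluate(policies, flow):
    """Return (action, matched policy name, profiles); no match is the default deny."""
    for policy in policies:
        if matches(policy, flow):
            return policy.action, policy.name, policy.profiles
    return "deny", "default", ()


DEFAULT_PROFILES = ("antivirus:default", "ips:default")  # constructed labels for the default profiles


def ospf_policy(name):
    """The planned OSPF policy permits OSPF between Local and Untrust in both directions."""
    return Policy(name, frozenset({"Untrust", "Local"}), frozenset({"Local", "Untrust"}),
                  services=frozenset({"ospf"}))


ROOT_POLICIES = [
    Policy("sec_portal", frozenset({"Untrust"}), frozenset({"DMZ"}), ("10.159.0.0/16",), profiles=DEFAULT_PROFILES),
    ospf_policy("sec_ospf"),
]
VFW1_POLICIES = [
    Policy("sec_vm1", frozenset({"Untrust"}), frozenset({"Trust"}), ("10.159.10.0/24",), profiles=DEFAULT_PROFILES),
    ospf_policy("sec_vm1_ospf"),
]
VFW2_POLICIES = [
    Policy("sec_vm2", frozenset({"Untrust"}), frozenset({"Trust"}), ("10.159.11.0/24",), profiles=DEFAULT_PROFILES),
    ospf_policy("sec_vm2_ospf"),
]

# Constructed sample flows; destination addresses are the planned inside addresses after NAT server translation.
SAMPLE_FLOWS = {
    "user to Portal (root)": (ROOT_POLICIES, Flow("Untrust", "DMZ", "10.159.1.100", "http")),
    "user to FW management (root)": (ROOT_POLICIES, Flow("Untrust", "Local", "172.16.9.252", "ssh")),
    "OSPF from FW to CE12800 (root)": (ROOT_POLICIES, Flow("Local", "Untrust", "172.16.9.251", "ospf")),
    "user to VM1 (vfw1)": (VFW1_POLICIES, Flow("Untrust", "Trust", "10.159.10.100", "http")),
    "user to VM2 address via vfw1": (VFW1_POLICIES, Flow("Untrust", "Trust", "10.159.11.100", "http")),
}


def evaluate_samples():
    """Evaluate every sample flow in the system it arrives in."""
    return {label: evaluate(policies, flow) for label, (policies, flow) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{label}: {result}")
```

Because sec_portal restricts only the destination address, the model permits any service from Untrust to 10.159.0.0/16; add a service condition if the Portal system exposes only specific ports.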

NAT Servers

There are NAT servers in the root system and NAT servers in the virtual systems. The NAT servers in the root system map the private address of the Portal system to a public address so that extranet enterprise users can access it. The NAT server in each virtual system maps the private address of the virtual machine to a public address so that extranet enterprise users can access it.

Extranet enterprise users can reach the Portal system and virtual machines only through public addresses, so public addresses must be obtained for every Portal system and virtual machine. It is assumed that the public addresses for the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are 118.1.1.1 and 118.1.1.2. Table 1-5 describes the planning of NAT servers on the FWs.

Table 1-5 Planning of NAT servers

  • NAT server nat_server_portal1 in the root system
    FW_A and FW_B: global address: 117.1.1.1; inside address: 10.159.1.100.
    Description: NAT server of the Portal system.
  • NAT server nat_server_portal2 in the root system
    FW_A and FW_B: global address: 117.1.1.2; inside address: 10.159.2.100.
    Description: NAT server of the Portal system.
  • NAT server nat_server_vm1 in the virtual system vfw1
    FW_A and FW_B: global address: 118.1.1.1; inside address: 10.159.10.100.
    Description: NAT server of the virtual machine.
  • NAT server nat_server_vm2 in the virtual system vfw2
    FW_A and FW_B: global address: 118.1.1.2; inside address: 10.159.11.100.
    Description: NAT server of the virtual machine.

Precautions

Virtual System

By default, the USG9500 supports 10 virtual systems. To have more virtual systems, you must apply for a license.

OSPF

You cannot configure OSPF directly in a virtual system. You must bind the VPN instance corresponding to the virtual system when creating the OSPF process in the root system.

Black-hole Route

Configure black-hole routes to the public addresses of the Portal system in the root system and black-hole routes to the public addresses of virtual machines in the virtual systems to prevent routing loops. These black-hole routes can be advertised through OSPF.
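The relations between the route plan (Table 1-3), the NAT server plan (Table 1-5) and the interface plan (Table 1-1) can be checked mechanically before configuration. The following added example (not Huawei code) encodes the FW_A plan from those tables and verifies, per system, that every NAT server global address has a black-hole route in the same system, lies in the global-ip range assigned to the virtual system, and maps to an inside address on one of that system's downstream subnets, that the default-route next hop is on the upstream subnet, that VRRP virtual addresses are on a downstream subnet, and that no global address is claimed by two systems; the deliberately broken variant is constructed for the example.

```python
"""Consistency checks over the route, NAT server and interface plan of FW_A.

Added example, not Huawei code. FW_B differs only in interface addresses, so
the same checks apply to it with its own addresses substituted.
"""
import copy
from ipaddress import ip_address, ip_interface, ip_network

PLAN = {
    "public": {
        "upstream": "172.16.9.252/24",                         # GE1/0/1.1000, Untrust
        "downstream": ["10.159.1.252/24", "10.159.2.252/24"],  # GE1/0/2.1 and GE1/0/2.2, DMZ
        "vrrp_vips": ["10.159.1.254", "10.159.2.254"],
        "default_next_hop": "172.16.9.251",
        "blackhole": ["117.1.1.1/32", "117.1.1.2/32"],
        "global_ip_range": None,                               # root system: no assign global-ip
        "nat_servers": {"nat_server_portal1": ("117.1.1.1", "10.159.1.100"),
                        "nat_server_portal2": ("117.1.1.2", "10.159.2.100")},
    },
    "vfw1": {
        "upstream": "172.16.10.252/24",                        # GE1/0/1.10, Untrust
        "downstream": ["10.159.10.252/24"],                    # GE1/0/3.10, Trust
        "vrrp_vips": ["10.159.10.254"],
        "default_next_hop": "172.16.10.251",
        "blackhole": ["118.1.1.1/32"],
        "global_ip_range": ("118.1.1.1", "118.1.1.1"),         # assign global-ip ... exclusive
        "nat_servers": {"nat_server_vm1": ("118.1.1.1", "10.159.10.100")},
    },
    "vfw2": {
        "upstream": "172.16.11.252/24",                        # GE1/0/1.11, Untrust
        "downstream": ["10.159.11.252/24"],                    # GE1/0/3.11, Trust
        "vrrp_vips": ["10.159.11.254"],
        "default_next_hop": "172.16.11.251",
        "blackhole": ["118.1.1.2/32"],
        "global_ip_range": ("118.1.1.2", "118.1.1.2"),
        "nat_servers": {"nat_server_vm2": ("118.1.1.2", "10.159.11.100")},
    },
}


def on_subnets(addr, interfaces):
    """True if addr falls inside the subnet of any of the given interface addresses."""
    return any(ip_address(addr) in ip_interface(i).network for i in interfaces)


def check_system(name, system):
    """Return a list of problems found in one system's plan (empty when consistent)."""
    problems = []
    if not on_subnets(system["default_next_hop"], [system["upstream"]]):
        problems.append(f"{name}: default next hop {system['default_next_hop']} is not on the upstream subnet")
    for vip in system["vrrp_vips"]:
        if not on_subnets(vip, system["downstream"]):
            problems.append(f"{name}: VRRP virtual address {vip} is not on a downstream subnet")
    holes = {ip_network(h) for h in system["blackhole"]}
    rng = system["global_ip_range"]
    for nat_name, (global_ip, inside_ip) in system["nat_servers"].items():
        # A NAT server global address without a black-hole route risks a routing loop.
        if ip_network(global_ip + "/32") not in holes:
            problems.append(f"{name}: {nat_name} global address {global_ip} has no black-hole route (routing loop risk)")
        if rng and not (ip_address(rng[0]) <= ip_address(global_ip) <= ip_address(rng[1])):
            problems.append(f"{name}: {nat_name} global address {global_ip} is outside the assigned global-ip range")
        if not on_subnets(inside_ip, system["downstream"]):
            problems.append(f"{name}: {nat_name} inside address {inside_ip} is not on a downstream subnet")
    return problems


def check_plan(plan):
    """Check every system and ensure no global address is claimed by two systems."""
    problems, owners = [], {}
    for name, system in plan.items():
        problems += check_system(name, system)
        for global_ip, _ in system["nat_servers"].values():
            owner = owners.setdefault(global_ip, name)
            if owner != name:
                problems.append(f"{name}: global address {global_ip} is already used by {owner}")
    return problems


def broken_plan():
    """Constructed variant: vfw2 without its black-hole route, a misconfiguration the check catches."""
    plan = copy.deepcopy(PLAN)
    plan["vfw2"]["blackhole"] = []
    return plan


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
    for line in check_plan(broken_plan()):
        print("broken plan:", line)
```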

Policy Backup-based Acceleration Function

When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

Configuration Procedure

Prerequisites

The license file of virtual systems has been obtained and activated successfully on FW_A and FW_B.

Procedure

  1. Configure interfaces and security zones.

    # Create subinterfaces on FW_A.

    <FW_A> system-view 
    [FW_A] interface GigabitEthernet 1/0/1.10 
    [FW_A-GigabitEthernet1/0/1.10] quit 
    [FW_A] interface GigabitEthernet 1/0/1.11 
    [FW_A-GigabitEthernet1/0/1.11] quit 
    [FW_A] interface GigabitEthernet 1/0/1.1000 
    [FW_A-GigabitEthernet1/0/1.1000] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] quit 
    [FW_A] interface GigabitEthernet 1/0/3.10 
    [FW_A-GigabitEthernet1/0/3.10] quit 
    [FW_A] interface GigabitEthernet 1/0/3.11 
    [FW_A-GigabitEthernet1/0/3.11] quit

    # Create subinterfaces on FW_B.

    <FW_B> system-view 
    [FW_B] interface GigabitEthernet 1/0/1.10 
    [FW_B-GigabitEthernet1/0/1.10] quit 
    [FW_B] interface GigabitEthernet 1/0/1.11 
    [FW_B-GigabitEthernet1/0/1.11] quit 
    [FW_B] interface GigabitEthernet 1/0/1.1000 
    [FW_B-GigabitEthernet1/0/1.1000] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] quit 
    [FW_B] interface GigabitEthernet 1/0/3.10 
    [FW_B-GigabitEthernet1/0/3.10] quit 
    [FW_B] interface GigabitEthernet 1/0/3.11 
    [FW_B-GigabitEthernet1/0/3.11] quit

    # Configure an Eth-trunk interface on FW_A.

    [FW_A] interface Eth-Trunk 1 
    [FW_A-Eth-Trunk1] ip address 10.1.1.1 30 
    [FW_A-Eth-Trunk1] quit 
    [FW_A] interface GigabitEthernet 2/0/1 
    [FW_A-GigabitEthernet2/0/1] eth-trunk 1 
    [FW_A-GigabitEthernet2/0/1] quit 
    [FW_A] interface GigabitEthernet 2/0/2 
    [FW_A-GigabitEthernet2/0/2] eth-trunk 1 
    [FW_A-GigabitEthernet2/0/2] quit

    # Configure an Eth-trunk interface on FW_B.

    [FW_B] interface Eth-Trunk 1 
    [FW_B-Eth-Trunk1] ip address 10.1.1.2 30 
    [FW_B-Eth-Trunk1] quit 
    [FW_B] interface GigabitEthernet 2/0/1 
    [FW_B-GigabitEthernet2/0/1] eth-trunk 1 
    [FW_B-GigabitEthernet2/0/1] quit 
    [FW_B] interface GigabitEthernet 2/0/2 
    [FW_B-GigabitEthernet2/0/2] eth-trunk 1 
    [FW_B-GigabitEthernet2/0/2] quit

    # Configure IP addresses for root system interfaces on FW_A, and assign the interfaces to the security zones of the root system.

    [FW_A] interface GigabitEthernet 1/0/1.1000 
    [FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24 
    [FW_A-GigabitEthernet1/0/1.1000] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24 
    [FW_A-GigabitEthernet1/0/2.2] quit 
    [FW_A] firewall zone trust 
    [FW_A-zone-trust] add interface GigabitEthernet 1/0/3 
    [FW_A-zone-trust] quit 
    [FW_A] firewall zone untrust 
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1 
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000 
    [FW_A-zone-untrust] quit 
    [FW_A] firewall zone dmz 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2 
    [FW_A-zone-dmz] quit 
    [FW_A] firewall zone name hrpzone 
    [FW_A-zone-hrpzone] set priority 65 
    [FW_A-zone-hrpzone] add interface Eth-Trunk 1 
    [FW_A-zone-hrpzone] quit

    # Configure IP addresses for root system interfaces on FW_B, and assign the interfaces to the security zones of the root system.

    [FW_B] interface GigabitEthernet 1/0/1.1000 
    [FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24 
    [FW_B-GigabitEthernet1/0/1.1000] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24 
    [FW_B-GigabitEthernet1/0/2.2] quit 
    [FW_B] firewall zone trust 
    [FW_B-zone-trust] add interface GigabitEthernet 1/0/3 
    [FW_B-zone-trust] quit 
    [FW_B] firewall zone untrust 
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1 
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000 
    [FW_B-zone-untrust] quit 
    [FW_B] firewall zone dmz 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2 
    [FW_B-zone-dmz] quit 
    [FW_B] firewall zone name hrpzone 
    [FW_B-zone-hrpzone] set priority 65 
    [FW_B-zone-hrpzone] add interface Eth-Trunk 1 
    [FW_B-zone-hrpzone] quit

  2. Configure virtual systems.

    # Enable the virtual system function on FW_A.

    [FW_A] vsys enable

    # Enable the virtual system function on FW_B.

    [FW_B] vsys enable

    # Configure resource classes on FW_A.

    [FW_A] resource-class vfw1_car 
    [FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire 
    [FW_A-resource-class-vfw1_car] quit 
    [FW_A] resource-class vfw2_car 
    [FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire 
    [FW_A-resource-class-vfw2_car] quit

    # Configure resource classes on FW_B.

    [FW_B] resource-class vfw1_car 
    [FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire 
    [FW_B-resource-class-vfw1_car] quit 
    [FW_B] resource-class vfw2_car 
    [FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire 
    [FW_B-resource-class-vfw2_car] quit

    # Create virtual systems on FW_A, and allocate resources to the virtual systems.

    [FW_A] vsys name vfw1 
    [FW_A-vsys-vfw1] assign resource-class vfw1_car 
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10 
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10 
    [FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive 
    [FW_A-vsys-vfw1] quit 
    [FW_A] vsys name vfw2 
    [FW_A-vsys-vfw2] assign resource-class vfw2_car 
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11 
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11 
    [FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive 
    [FW_A-vsys-vfw2] quit

    # Create virtual systems on FW_B, and allocate resources to the virtual systems.

    [FW_B] vsys name vfw1 
    [FW_B-vsys-vfw1] assign resource-class vfw1_car 
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10 
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10 
    [FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive 
    [FW_B-vsys-vfw1] quit 
    [FW_B] vsys name vfw2 
    [FW_B-vsys-vfw2] assign resource-class vfw2_car 
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11 
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11 
    [FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive 
    [FW_B-vsys-vfw2] quit

    # Configure IP addresses for interfaces in virtual system vfw1 on FW_A, and assign the interfaces to security zones.

    [FW_A] switch vsys vfw1 
    <FW_A-vfw1> system-view 
    [FW_A-vfw1] interface GigabitEthernet 1/0/1.10 
    [FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24 
    [FW_A-vfw1-GigabitEthernet1/0/1.10] quit 
    [FW_A-vfw1] interface GigabitEthernet 1/0/3.10 
    [FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24 
    [FW_A-vfw1-GigabitEthernet1/0/3.10] quit 
    [FW_A-vfw1] firewall zone untrust 
    [FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10 
    [FW_A-vfw1-zone-untrust] quit 
    [FW_A-vfw1] firewall zone trust 
    [FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10 
    [FW_A-vfw1-zone-trust] quit 
    [FW_A-vfw1] quit 
    <FW_A-vfw1> quit

    Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_A, and assign the interfaces to security zones.

    # Configure IP addresses for interfaces in virtual system vfw1 on FW_B, and assign the interfaces to security zones.

    [FW_B] switch vsys vfw1 
    <FW_B-vfw1> system-view 
    [FW_B-vfw1] interface GigabitEthernet 1/0/1.10 
    [FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24 
    [FW_B-vfw1-GigabitEthernet1/0/1.10] quit 
    [FW_B-vfw1] interface GigabitEthernet 1/0/3.10 
    [FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24 
    [FW_B-vfw1-GigabitEthernet1/0/3.10] quit 
    [FW_B-vfw1] firewall zone untrust 
    [FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10 
    [FW_B-vfw1-zone-untrust] quit 
    [FW_B-vfw1] firewall zone trust 
    [FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10 
    [FW_B-vfw1-zone-trust] quit 
    [FW_B-vfw1] quit 
    <FW_B-vfw1> quit

    Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B, and assign the interfaces to security zones.

  3. Configure routes.

    # Configure routes of the root system on FW_A.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251 
    [FW_A] ip route-static 117.1.1.1 32 NULL 0 
    [FW_A] ip route-static 117.1.1.2 32 NULL 0 
    [FW_A] ospf 1000 
    [FW_A-ospf-1000] import-route static 
    [FW_A-ospf-1000] area 0 
    [FW_A-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255 
    [FW_A-ospf-1000-area-0.0.0.0] quit 
    [FW_A-ospf-1000] quit

    # Configure routes of the root system on FW_B.

    [FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251 
    [FW_B] ip route-static 117.1.1.1 32 NULL 0 
    [FW_B] ip route-static 117.1.1.2 32 NULL 0 
    [FW_B] ospf 1000 
    [FW_B-ospf-1000] import-route static 
    [FW_B-ospf-1000] area 0 
    [FW_B-ospf-1000-area-0.0.0.0] network 172.16.9.0 0.0.0.255 
    [FW_B-ospf-1000-area-0.0.0.0] quit 
    [FW_B-ospf-1000] quit

    # Configure routes of the virtual systems on FW_A.

    [FW_A] ip vpn-instance vfw1 
    [FW_A-vpn-instance-vfw1] route-distinguisher 10:1 
    [FW_A-vpn-instance-vfw1] quit 
    [FW_A] ip vpn-instance vfw2 
    [FW_A-vpn-instance-vfw2] route-distinguisher 11:1 
    [FW_A-vpn-instance-vfw2] quit 
    [FW_A] ospf 1 vpn-instance vfw1 
    [FW_A-ospf-1] import-route static 
    [FW_A-ospf-1] area 0 
    [FW_A-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 
    [FW_A-ospf-1-area-0.0.0.0] quit 
    [FW_A-ospf-1] quit 
    [FW_A] ospf 2 vpn-instance vfw2 
    [FW_A-ospf-2] import-route static 
    [FW_A-ospf-2] area 0 
    [FW_A-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255 
    [FW_A-ospf-2-area-0.0.0.0] quit 
    [FW_A-ospf-2] quit 
    [FW_A] switch vsys vfw1 
    <FW_A-vfw1> system-view 
    [FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
    [FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0 
    [FW_A-vfw1] quit 
    <FW_A-vfw1> quit 
    [FW_A] switch vsys vfw2 
    <FW_A-vfw2> system-view 
    [FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
    [FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0 
    [FW_A-vfw2] quit 
    <FW_A-vfw2> quit

    # Configure routes of the virtual systems on FW_B.

    [FW_B] ip vpn-instance vfw1 
    [FW_B-vpn-instance-vfw1] route-distinguisher 10:1 
    [FW_B-vpn-instance-vfw1] quit 
    [FW_B] ip vpn-instance vfw2 
    [FW_B-vpn-instance-vfw2] route-distinguisher 11:1 
    [FW_B-vpn-instance-vfw2] quit 
    [FW_B] ospf 1 vpn-instance vfw1 
    [FW_B-ospf-1] import-route static 
    [FW_B-ospf-1] area 0 
    [FW_B-ospf-1-area-0.0.0.0] network 172.16.10.0 0.0.0.255 
    [FW_B-ospf-1-area-0.0.0.0] quit 
    [FW_B-ospf-1] quit 
    [FW_B] ospf 2 vpn-instance vfw2 
    [FW_B-ospf-2] import-route static 
    [FW_B-ospf-2] area 0 
    [FW_B-ospf-2-area-0.0.0.0] network 172.16.11.0 0.0.0.255 
    [FW_B-ospf-2-area-0.0.0.0] quit 
    [FW_B-ospf-2] quit 
    [FW_B] switch vsys vfw1 
    <FW_B-vfw1> system-view 
    [FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
    [FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0 
    [FW_B-vfw1] quit 
    <FW_B-vfw1> quit 
    [FW_B] switch vsys vfw2 
    <FW_B-vfw2> system-view 
    [FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
    [FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0 
    [FW_B-vfw2] quit 
    <FW_B-vfw2> quit

  4. Configure hot standby.

    # Configure a VGMP group to track GE1/0/1 on FW_A.

    [FW_A] hrp track interface GigabitEthernet 1/0/1

    # Configure OSPF cost adjustment according to the VGMP status on FW_A.

    [FW_A] hrp adjust ospf-cost enable

    # Configure VRRP groups on FW_A, setting their states to Active.

    [FW_A] interface GigabitEthernet 1/0/3.10 
    [FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10 
    [FW_A-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 active 
    [FW_A-GigabitEthernet1/0/3.10] quit 
    [FW_A] interface GigabitEthernet 1/0/3.11 
    [FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11 
    [FW_A-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 active 
    [FW_A-GigabitEthernet1/0/3.11] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1 
    [FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2 
    [FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active 
    [FW_A-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_A and enable hot standby.

    [FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2 
    [FW_A] hrp enable

    # Configure a VGMP group to track GE1/0/1 on FW_B.

    [FW_B] hrp track interface GigabitEthernet 1/0/1

    # Configure OSPF cost adjustment according to the VGMP status on FW_B.

    [FW_B] hrp adjust ospf-cost enable

    # Configure VRRP groups on FW_B, setting their states to Standby.

    [FW_B] interface GigabitEthernet 1/0/3.10 
    [FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10 
    [FW_B-GigabitEthernet1/0/3.10] vrrp vrid 10 virtual-ip 10.159.10.254 standby 
    [FW_B-GigabitEthernet1/0/3.10] quit 
    [FW_B] interface GigabitEthernet 1/0/3.11 
    [FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11 
    [FW_B-GigabitEthernet1/0/3.11] vrrp vrid 11 virtual-ip 10.159.11.254 standby 
    [FW_B-GigabitEthernet1/0/3.11] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1 
    [FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2 
    [FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby 
    [FW_B-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_B and enable hot standby.

    [FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1 
    [FW_B] hrp enable

  5. Configure security policies.

    # Configure security policies in the root system on FW_A.

    HRP_M[FW_A] security-policy 
    HRP_M[FW_A-policy-security] rule name sec_portal 
    HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust 
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz 
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.159.0.0 16 
    HRP_M[FW_A-policy-security-rule-sec_portal] action permit 
    HRP_M[FW_A-policy-security-rule-sec_portal] profile av default 
    HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default 
    HRP_M[FW_A-policy-security-rule-sec_portal] quit 
    HRP_M[FW_A-policy-security] rule name sec_ospf 
    HRP_M[FW_A-policy-security-rule-sec_ospf] source-zone untrust local 
    HRP_M[FW_A-policy-security-rule-sec_ospf] destination-zone local untrust 
    HRP_M[FW_A-policy-security-rule-sec_ospf] service ospf 
    HRP_M[FW_A-policy-security-rule-sec_ospf] action permit 
    HRP_M[FW_A-policy-security-rule-sec_ospf] quit 
    HRP_M[FW_A-policy-security] quit

    # Configure security policies in virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1 
    HRP_M<FW_A-vfw1> system-view 
    HRP_M[FW_A-vfw1] security-policy 
    HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.159.10.0 24 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit 
    HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1_ospf 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] source-zone untrust local 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] destination-zone local untrust 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] service ospf 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] action permit 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1_ospf] quit 
    HRP_M[FW_A-vfw1-policy-security] quit 
    HRP_M[FW_A-vfw1] quit 
    HRP_M<FW_A-vfw1> quit

    Similarly, configure security policies in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure security policies manually on FW_B.
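    The rules above follow one pattern: inbound traffic from untrust is permitted only to an explicit destination subnet and only with the AV and IPS profiles attached, and traffic to the local zone (the firewall itself) is limited to a named service. The following Python script is an added example, not part of this case or of the USG software: it parses a security-policy stanza in the layout of the configuration scripts at the end of this case and flags permit rules that are looser than that pattern. The rules sec_vm_any and sec_mgmt_any in the embedded sample, and the function names parse_policy and audit_policy, are hypothetical.

```python
# Constructed excerpt in the layout of the security-policy stanza of the
# configuration scripts in this case. sec_portal and sec_ospf mirror the page's
# rules; sec_vm_any and sec_mgmt_any are hypothetical sloppy rules added so the
# audit has something to flag.
CONFIG = """\
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.159.0.0 16
  profile av default
  profile ips default
  action permit
 rule name sec_ospf
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service ospf
  action permit
 rule name sec_vm_any
  source-zone untrust
  destination-zone trust
  action permit
 rule name sec_mgmt_any
  source-zone untrust
  destination-zone local
  action permit
#
"""

# Content-security profiles this case attaches to every inbound permit rule.
REQUIRED_PROFILES = {"av", "ips"}


def parse_policy(text):
    """Collect the rules of the security-policy stanza as dicts, in order."""
    rules, rule, inside = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "security-policy":
            inside = True
            continue
        if line == "#":
            inside = False
            continue
        parts = line.split()
        if not inside or not parts:
            continue
        if parts[:2] == ["rule", "name"]:
            rule = {"name": parts[2], "source-zone": [], "destination-zone": [],
                    "destination-address": [], "service": [], "profiles": set(),
                    "action": None}
            rules.append(rule)
        elif rule is not None:
            key = parts[0]
            if key in ("source-zone", "destination-zone", "service"):
                rule[key].extend(parts[1:])  # the CLI form may list several zones per line
            elif key == "destination-address":
                rule[key].append(" ".join(parts[1:]))
            elif key == "profile":
                rule["profiles"].add(parts[1])
            elif key == "action":
                rule["action"] = parts[1]
    return rules


def audit_policy(text):
    """Return findings for permit rules looser than the pattern used in this case."""
    findings = []
    for r in parse_policy(text):
        if r["action"] != "permit":
            continue
        name, src, dst = r["name"], r["source-zone"], r["destination-zone"]
        if not src or not dst:
            findings.append(f"{name}: permit rule without both source-zone and "
                            f"destination-zone matches any zone")
        if "local" in dst and not r["service"]:
            findings.append(f"{name}: permits traffic to the local zone (the firewall "
                            f"itself) without a service restriction")
        # Inbound means from untrust into a protected zone, not to local and
        # not back out to untrust (the OSPF rule is therefore not inbound).
        inbound = "untrust" in src and any(z not in ("local", "untrust") for z in dst)
        if inbound:
            if not r["destination-address"]:
                findings.append(f"{name}: inbound permit from untrust has no destination-address")
            missing = REQUIRED_PROFILES - r["profiles"]
            if missing:
                findings.append(f"{name}: inbound permit from untrust lacks profile(s): "
                                f"{', '.join(sorted(missing))}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(CONFIG):
        print(finding)
```

    Run against the sample, the script reports nothing for sec_portal and sec_ospf and flags the two hypothetical rules: sec_vm_any for the missing destination-address and the missing av/ips profiles, sec_mgmt_any for permitting traffic to the local zone without a service. Because the configuration is synchronized from FW_A to FW_B, auditing FW_A's script is sufficient for both peers.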

  6. Configure the policy backup-based acceleration function.

    When a large number of policies exist (for example, more than 500 policies), the policy backup-based acceleration function must be enabled to keep policy matching efficient while policies are being modified. Note, however, that when this function is enabled, a newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW_A] policy accelerate standby enable

    # After hot standby is configured, the configuration on FW_A is automatically synchronized to FW_B. Therefore, the policy backup-based acceleration function does not need to be configured manually on FW_B.

  7. Configure NAT servers.

    NOTE:

    The NAT server configuration commands shown here are examples only. In practice, NAT servers are configured on the management component, which delivers the configuration to the FW.

    # Configure NAT servers in the root system on FW_A.

    HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.159.1.100 
    HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.159.2.100

    # Configure a NAT server in virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1 
    HRP_M<FW_A-vfw1> system-view 
    HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.159.10.100 
    HRP_M[FW_A-vfw1] quit 
    HRP_M<FW_A-vfw1> quit

    Similarly, configure a NAT server in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure NAT servers manually on FW_B.
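    Each NAT server in this case is paired with two other settings: a blackhole route (ip route-static ... NULL 0) for its global address in the same system, and, for a virtual system, a global-ip range assigned to that vsys in the root system that contains the address. The following Python script is an added example, not part of this case or of the USG software: it reads a configuration script in the layout of the scripts at the end of this case and reports every NAT server whose global address lacks a blackhole route in its own context, lies outside the range assigned to its vsys, or is already mapped in another context. The embedded sample, in which vfw2 deliberately lacks its blackhole route, and the function names parse_script and audit_nat are constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt laid out like the FW_A configuration script at the end of
# this case. The vfw2 context deliberately lacks the blackhole route for
# 118.1.1.2 so that the audit has something to report.
CONFIG = """\
#
vsys name vfw1 1
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
#
vsys name vfw2 2
 assign global-ip 118.1.1.2 118.1.1.2 exclusive
#
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
switch vsys vfw1
#
ip route-static 118.1.1.1 255.255.255.255 NULL 0
#
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100
#
switch vsys vfw2
#
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100
#
"""

SWITCH_RE = re.compile(r"switch vsys (\S+)")
VSYS_RE = re.compile(r"vsys name (\S+)")
GLOBAL_IP_RE = re.compile(r"assign global-ip (\S+) (\S+)")
# The script form carries an index after the name ("nat server x 0 global ...");
# the CLI form does not, so the index is optional.
NAT_RE = re.compile(r"nat server (\S+)(?: \d+)? global (\S+) inside (\S+)")
# Mask may be a dotted netmask (script form) or a prefix length (CLI form).
BLACKHOLE_RE = re.compile(r"ip route-static (\S+) (\S+) NULL 0")


def parse_script(text):
    """Group NAT servers and blackhole routes by context ('root' or a vsys name)
    and collect the global-ip ranges the root system assigns to each vsys."""
    contexts = {"root": {"nat": [], "blackhole": set()}}
    assigned = {}
    ctx, defining = "root", None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            defining = None  # end of a 'vsys name' stanza
        elif m := SWITCH_RE.match(line):
            ctx = m.group(1)
            contexts.setdefault(ctx, {"nat": [], "blackhole": set()})
        elif m := VSYS_RE.match(line):
            defining = m.group(1)
            assigned.setdefault(defining, [])
        elif (m := GLOBAL_IP_RE.match(line)) and defining:
            assigned[defining].append((ipaddress.ip_address(m.group(1)),
                                       ipaddress.ip_address(m.group(2))))
        elif m := NAT_RE.match(line):
            contexts[ctx]["nat"].append((m.group(1), ipaddress.ip_address(m.group(2)),
                                         m.group(3)))
        elif m := BLACKHOLE_RE.match(line):
            contexts[ctx]["blackhole"].add(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return contexts, assigned


def audit_nat(text):
    """Return findings; an empty list means every NAT mapping is consistent."""
    findings = []
    contexts, assigned = parse_script(text)
    owner = {}  # global address -> context that first mapped it
    for ctx, data in contexts.items():
        for name, gip, inside in data["nat"]:
            if ipaddress.ip_network(f"{gip}/32") not in data["blackhole"]:
                findings.append(f"{ctx}/{name}: no blackhole route for global address {gip}")
            if ctx != "root" and not any(lo <= gip <= hi for lo, hi in assigned.get(ctx, [])):
                findings.append(f"{ctx}/{name}: global address {gip} is outside the "
                                f"global-ip range assigned to {ctx}")
            if gip in owner and owner[gip] != ctx:
                findings.append(f"{ctx}/{name}: global address {gip} is already mapped in {owner[gip]}")
            owner.setdefault(gip, ctx)
    return findings


if __name__ == "__main__":
    for finding in audit_nat(CONFIG):
        print(finding)
```

    The blackhole check matters for the reason the case configures those NULL 0 routes: a public NAT address with no local route would otherwise follow the default route back toward the upstream router, so packets for an unmapped or temporarily unreachable address could loop between the two devices. The range check enforces what the exclusive keyword on assign global-ip expresses, that a public address belongs to exactly one virtual system.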

  8. Configure other network devices.

    This case focuses on the configuration of the FW. For the other network devices, note the following:

    • You need to configure routes to the global addresses of the Portal system and virtual machines on the upstream router, and set the next hop of the routes to the CE12800.
    • When configuring OSPF on the CE12800, you need to run the default-route-advertise always command in the OSPF process.
    • The CE6800 transmits Layer-2 packets transparently, and you only need to configure Layer-2 forwarding on it.

Verification

  1. Run the display hrp state command on FW_A and FW_B. The HRP state is normal.
  2. Enterprise users on the Internet can access virtual machine services normally.
  3. Enterprise users on the Internet can access the Portal system normally.
  4. Run the shutdown command on GE1/0/2.1 of FW_A to simulate a link fault. The active/standby switchover completes normally and services are not interrupted.
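The verification above checks what the two firewalls do; the hot-standby configuration in step 4 is only correct when both peers were told the same thing, that is, each VRRP group exists on both devices with the same vrid and virtual IP address, one side is active and the other standby, and each side's hrp interface remote address is the peer's Eth-Trunk address. The following Python script is an added example, not part of this case or of the USG software: it parses excerpts in the layout of the configuration scripts below and cross-checks the two peers before the configuration is loaded. In the embedded sample, FW_B's GigabitEthernet1/0/2.2 deliberately carries vrid 1 instead of 2 so that the audit has a real mismatch to report; the function names parse_config, trunk_ip and audit_hot_standby are constructed for the example.

```python
import re

# Constructed excerpts laid out like the FW_A and FW_B configuration scripts
# at the end of this case. FW_B's GigabitEthernet1/0/2.2 deliberately carries
# vrid 1 instead of 2 so that the audit has a real mismatch to report.
FW_A_CONFIG = """\
 hrp interface Eth-Trunk 1 remote 10.1.1.2
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
"""

FW_B_CONFIG = """\
 hrp interface Eth-Trunk 1 remote 10.1.1.1
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.2.254 standby
#
"""

HRP_RE = re.compile(r"hrp interface .+ remote (\S+)")
IP_RE = re.compile(r"ip address (\S+) \S+")
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)")


def parse_config(text):
    """Return (heartbeat_remote, {interface: {"ip": ..., "vrrp": (vrid, vip, role)}}).

    A '#' line closes the current stanza; an 'interface' line opens one and the
    indented lines that follow belong to it."""
    heartbeat_remote, ifaces, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif m := HRP_RE.match(line):
            heartbeat_remote = m.group(1)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {}
        elif current is not None:
            if m := IP_RE.match(line):
                ifaces[current]["ip"] = m.group(1)
            elif m := VRRP_RE.match(line):
                ifaces[current]["vrrp"] = (int(m.group(1)), m.group(2), m.group(3))
    return heartbeat_remote, ifaces


def trunk_ip(ifaces):
    """Address of the first Eth-Trunk interface; in this case it carries the heartbeat."""
    for name, data in ifaces.items():
        if name.startswith("Eth-Trunk"):
            return data.get("ip")
    return None


def audit_hot_standby(cfg_a, cfg_b):
    """Cross-check the two peers; an empty list means they are consistent."""
    findings = []
    remote_a, if_a = parse_config(cfg_a)
    remote_b, if_b = parse_config(cfg_b)

    # Each side's 'hrp interface ... remote' must name the peer's trunk address.
    if remote_a != trunk_ip(if_b):
        findings.append(f"FW_A heartbeat remote {remote_a} is not FW_B's trunk address {trunk_ip(if_b)}")
    if remote_b != trunk_ip(if_a):
        findings.append(f"FW_B heartbeat remote {remote_b} is not FW_A's trunk address {trunk_ip(if_a)}")

    # Every VRRP group must exist on both peers with the same vrid and virtual
    # IP address, and exactly one side must be active.
    for name in sorted(set(if_a) | set(if_b)):
        va = if_a.get(name, {}).get("vrrp")
        vb = if_b.get(name, {}).get("vrrp")
        if va is None and vb is None:
            continue
        if va is None or vb is None:
            findings.append(f"{name}: VRRP group configured on only one peer")
            continue
        if va[0] != vb[0]:
            findings.append(f"{name}: vrid mismatch (FW_A {va[0]}, FW_B {vb[0]})")
        if va[1] != vb[1]:
            findings.append(f"{name}: virtual-ip mismatch (FW_A {va[1]}, FW_B {vb[1]})")
        if {va[2], vb[2]} != {"active", "standby"}:
            findings.append(f"{name}: roles {va[2]}/{vb[2]}, expected one active and one standby")
    return findings
```

On the sample the audit reports a single line, the vrid mismatch on GigabitEthernet1/0/2.2, and reports nothing once FW_B's vrid is corrected to 2. Running the same device's script against itself produces four findings (both heartbeat addresses wrong, both groups active/active), which is the shape of the mistake made when one script is copied to the peer without editing. The parser is tuned to the stanza layout of the scripts in this case; display hrp state, from the verification steps, remains the check that the running devices actually formed the pair.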

Configuration Scripts

Configuration script for FW_A:

#                                                                                
sysname FW_A 
#                                                                                
 hrp enable                                                                      
 hrp interface Eth-Trunk 1 remote 10.1.1.2                             
 hrp track interface GigabitEthernet 1/0/1 
#                                                                                
vsys enable                                                                      
resource-class vfw1_car                                                          
 resource-item-limit bandwidth 100 entire 
resource-class vfw2_car                                                          
 resource-item-limit bandwidth 100 entire 
#                                                                                
#                                                                                
vsys name vfw1 1                                                                 
 assign interface GigabitEthernet1/0/1.10                                       
 assign interface GigabitEthernet1/0/3.10 
 assign resource-class vfw1_car                                                  
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                  
#                                                                                
vsys name vfw2 2                                                                 
 assign interface GigabitEthernet1/0/1.11                                       
 assign interface GigabitEthernet1/0/3.11 
 assign resource-class vfw2_car                                                  
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                  
#                                                                                
ip vpn-instance vfw1                                                             
 ipv4-family                                                                     
  route-distinguisher 10:1                                                      
 ipv6-family 
#                                                                                
ip vpn-instance vfw2                                                             
 ipv4-family                                                                     
  route-distinguisher 11:1                                                      
 ipv6-family 
#                                                                                
interface Eth-Trunk1                                                             
 ip address 10.1.1.1 255.255.255.252                                             
#                                                                                
interface GigabitEthernet1/0/1                                                   
 undo shutdown                                                                   
#                                                                                 
interface GigabitEthernet1/0/1.10                                               
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.252 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.252 255.255.255.0 
#                                                                                
interface GigabitEthernet1/0/1.1000                                            
 ip address 172.16.9.252 255.255.255.0 
#                                                                                
interface GigabitEthernet1/0/2                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/2.1                                              
 vlan-type dot1q 1 
 ip address 10.159.1.252 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.1.254 active 
#                                                                                
interface GigabitEthernet1/0/2.2                                              
 vlan-type dot1q 2 
 ip address 10.159.2.252 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.159.2.254 active 
#                                                                                
interface GigabitEthernet1/0/3                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.252 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 10.159.10.254 active 
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.252 255.255.255.0                                           
 vrrp vrid 11 virtual-ip 10.159.11.254 active 
#                                                                                
interface GigabitEthernet2/0/1                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
interface GigabitEthernet2/0/2                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3                                             
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1                                              
 add interface GigabitEthernet1/0/1.1000 
#                                                                                
firewall zone dmz                                                                
 set priority 50                                                                 
 add interface GigabitEthernet1/0/2                                              
 add interface GigabitEthernet1/0/2.1 
 add interface GigabitEthernet1/0/2.2 
#                                                                                
firewall zone name hrpzone id 4                                                  
 set priority 65                                                                 
 add interface Eth-Trunk1                                                        
#                                                                                
ospf 1 vpn-instance vfw1                                                     
 import-route static 
 area 0.0.0.0 
  network 172.16.10.0 0.0.0.255 
#                                                                                
ospf 2 vpn-instance vfw2                                                     
 import-route static 
 area 0.0.0.0 
  network 172.16.11.0 0.0.0.255 
#                                                                                
ospf 1000                                                    
 import-route static 
 area 0.0.0.0 
  network 172.16.9.0 0.0.0.255 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                     
ip route-static 117.1.1.1 255.255.255.255 NULL 0 
ip route-static 117.1.1.2 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100 
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100 
#                                                                                
security-policy                                                                  
 rule name sec_portal                                                          
  source-zone untrust                                                            
  destination-zone dmz 
  destination-address 10.159.0.0 16 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
# 
return                                                                           
#                                                                                
switch vsys vfw1                                                                 
#                                                                                
interface GigabitEthernet1/0/1.10                                               
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.252 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.252 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 10.159.10.254 active 
#                                                                                
interface Virtual-if1                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.10 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.10 
#                                                                                
security-policy                                                                  
 rule name sec_vm1                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.10.0 24 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_vm1_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
ip route-static 118.1.1.1 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100                
#                                                                                
return 
#                                                                                
switch vsys vfw2                                                                 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.252 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.252 255.255.255.0                                           
 vrrp vrid 11 virtual-ip 10.159.11.254 active 
#                                                                                
interface Virtual-if2                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.11 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.11 
#                                                                                
security-policy                                                                  
 rule name sec_vm2                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.11.0 24 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_vm2_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
ip route-static 118.1.1.2 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100                
#                                                                                
return

Configuration script for FW_B:

#                                                                                
sysname FW_B 
#                                                                                
 hrp enable                                                                      
 hrp interface Eth-Trunk 1 remote 10.1.1.1                             
 hrp track interface GigabitEthernet 1/0/1 
#                                                                                
vsys enable                                                                      
resource-class vfw1_car                                                          
 resource-item-limit bandwidth 100 entire 
resource-class vfw2_car                                                          
 resource-item-limit bandwidth 100 entire 
#                                                                                
#                                                                                
vsys name vfw1 1                                                                 
 assign interface GigabitEthernet1/0/1.10                                       
 assign interface GigabitEthernet1/0/3.10 
 assign resource-class vfw1_car                                                  
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                  
#                                                                                
vsys name vfw2 2                                                                 
 assign interface GigabitEthernet1/0/1.11                                       
 assign interface GigabitEthernet1/0/3.11 
 assign resource-class vfw2_car                                                  
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                  
#                                                                                
ip vpn-instance vfw1                                                             
 ipv4-family                                                                     
  route-distinguisher 10:1                                                      
 ipv6-family 
#                                                                                
ip vpn-instance vfw2                                                             
 ipv4-family                                                                     
  route-distinguisher 11:1                                                      
 ipv6-family 
#                                                                                
interface Eth-Trunk1                                                             
 ip address 10.1.1.2 255.255.255.252                                             
#                                                                                
interface GigabitEthernet1/0/1                                                   
 undo shutdown                                                                   
#                                                                                 
interface GigabitEthernet1/0/1.10                                               
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.253 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.253 255.255.255.0 
#                                                                                
interface GigabitEthernet1/0/1.1000                                            
 ip address 172.16.9.253 255.255.255.0 
#                                                                                
interface GigabitEthernet1/0/2                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/2.1                                              
 vlan-type dot1q 1 
 ip address 10.159.1.253 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.1.254 standby 
#                                                                                
interface GigabitEthernet1/0/2.2                                              
 vlan-type dot1q 2 
 ip address 10.159.2.253 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.2.254 standby 
#                                                                                
interface GigabitEthernet1/0/3                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.253 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 10.159.10.254 standby 
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.253 255.255.255.0                                           
 vrrp vrid 11 virtual-ip 10.159.11.254 standby 
#                                                                                
interface GigabitEthernet2/0/1                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
interface GigabitEthernet2/0/2                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3                                             
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1                                              
 add interface GigabitEthernet1/0/1.1000 
#                                                                                
firewall zone dmz                                                                
 set priority 50                                                                 
 add interface GigabitEthernet1/0/2                                              
 add interface GigabitEthernet1/0/2.1 
 add interface GigabitEthernet1/0/2.2 
#                                                                                
firewall zone name hrpzone id 4                                                  
 set priority 65                                                                 
 add interface Eth-Trunk1                                                        
#                                                                                
ospf 1 vpn-instance vfw1                                                     
 import-route static 
 area 0.0.0.0 
  network 172.16.10.0 0.0.0.255 
#                                                                                
ospf 2 vpn-instance vfw2                                                     
 import-route static 
 area 0.0.0.0 
  network 172.16.11.0 0.0.0.255 
#                                                                                
ospf 1000                                                    
 import-route static 
 area 0.0.0.0 
  network 172.16.9.0 0.0.0.255 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                     
ip route-static 117.1.1.1 255.255.255.255 NULL 0 
ip route-static 117.1.1.2 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100 
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100 
#                                                                                
security-policy                                                                  
 rule name sec_portal                                                          
  source-zone untrust                                                            
  destination-zone dmz 
  destination-address 10.159.0.0 16 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
# 
return                                                                           
#                                                                                
switch vsys vfw1                                                                 
#                                                                                
interface GigabitEthernet1/0/1.10                                               
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.253 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.253 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 10.159.10.254 standby 
#                                                                                
interface Virtual-if1                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.10 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.10 
#                                                                                
security-policy                                                                  
 rule name sec_vm1                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.10.0 24 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_vm1_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
ip route-static 118.1.1.1 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.159.10.100                
#                                                                                
return 
#                                                                                
switch vsys vfw2                                                                 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.253 255.255.255.0                                           
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.253 255.255.255.0                                           
 vrrp vrid 11 virtual-ip 10.159.11.254 standby 
#                                                                                
interface Virtual-if2                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.11 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.11 
#                                                                                
security-policy                                                                  
 rule name sec_vm2                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.11.0 24 
  profile av default 
  profile ips default 
  action permit 
 rule name sec_vm2_ospf                                                              
  source-zone local                                                              
  source-zone untrust                                                            
  destination-zone local                                                         
  destination-zone untrust                                                       
  service ospf                                                                   
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
ip route-static 118.1.1.2 255.255.255.255 NULL 0 
#                                                                                
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.159.11.100                
#                                                                                
return

Solution 2: Switch Serving as Gateway

Typical Networking

On the cloud computing network, the core switches are the CE12800, the access switches are the CE6800, and the firewalls are the USG9500. The present case focuses on the configuration on the firewalls. Figure 1-13 shows the overall networking.

Figure 1-13 Cloud computing network

The cloud computing network requires that:

  • Access of different extranet enterprise users to the virtual machines must be isolated, and the bandwidth resources available for each virtual machine service are limited to a specific range so that no single service consumes large quantities of resources.
  • Private addresses are configured for the Portal system and virtual machines for intranet use, and their public addresses are advertised to the extranet to allow external enterprise users to access the Portal system and virtual machines.
  • Access behavior of extranet enterprise users to the Portal system and virtual machines is controlled to permit only service access traffic.
  • Device availability is improved to avoid service interruption caused by the failure of a single device.

The firewalls are attached to the CE12800 core switches in off-path mode. The above requirements are satisfied by the following features:

  • Virtual system: Virtual systems are used to isolate virtual machine services accessed by external enterprise users. Each virtual machine belongs to one virtual system, and each virtual system has its maximum bandwidth.
  • Subinterface: The firewall is connected to the CE12800 through subinterfaces. The subinterfaces are assigned to the virtual systems and the root system. The subinterfaces in the virtual systems carry virtual machine services, and the subinterface in the root system carries portal services.
  • NAT server: The NAT servers advertise the public addresses of the Portal system and virtual machines to the extranet. A NAT server dedicated to a virtual machine is configured in each virtual system, and NAT servers dedicated to the Portal system are configured in the root system.
  • Security policy: Security policies are applied to control access to the Portal system and virtual machines. Security policies used to control access to services of a virtual machine are configured in each virtual system, and security policies used to control access to services of the Portal system are configured in the root system.
  • Hot standby: Two firewalls are deployed in hot standby mode to improve availability. When the active firewall fails, the standby firewall takes over without interrupting services.

Service Planning

As shown in Figure 1-14, the FW is attached to the CE12800 and works at Layer 3. VRF is configured on the CE12800 to virtualize it into an upstream switch (the root switch, Public) and downstream switches (multiple virtual switches, VRF). VRRP runs between the FW and both the root switch Public and the virtual switches VRF of the CE12800. The virtual IP addresses of the VRRP groups on the CE12800 serve as the gateway addresses of the Portal system and virtual machines. Traffic from extranet enterprise users to the Portal system or virtual machines is forwarded by the root switch Public of the CE12800 to the FW; after being processed by the FW, it is forwarded by the virtual switches VRF of the CE12800 to the Portal system or virtual machines. Return traffic is first forwarded by the virtual switch VRF of the CE12800 to the FW; after being processed by the FW, it is forwarded by the root switch Public of the CE12800.

Figure 1-14 Off-line deployment of FWs

The following describes the service planning in detail.

Interfaces and Security Zones

This section describes the connection between FW_A and CE12800_A.

As shown in Figure 1-15, GE1/0/1 of FW_A is connected to 10GE1/1/0/1 of CE12800_A. Details are as follows:

  • Multiple (3 in this case) subinterfaces are defined for GE1/0/1 of FW_A. Each subinterface has an IP address. All but one of the subinterfaces belong to different virtual systems and are assigned to the Untrust zone of their virtual systems. The remaining subinterface belongs to the root system and is assigned to the Untrust zone of the root system.
  • 10GE1/1/0/1 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.

Figure 1-15 GE1/0/1 connection of FW_A

As shown in Figure 1-16, GE1/0/2 of FW_A is connected to 10GE1/1/0/2 of CE12800_A. Details are as follows:

  • Two (or more as required by the Portal system) subinterfaces are defined for GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the DMZ of the root system.
  • 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of two VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.

Figure 1-16 GE1/0/2 connection of FW_A

As shown in Figure 1-17, GE1/0/3 of FW_A is connected to 10GE1/1/0/3 of CE12800_A. Details are as follows:

  • Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each subinterface has an IP address. Each subinterface belongs to a different virtual system and is assigned to the Trust zone of the virtual system.
  • 10GE1/1/0/3 of CE12800_A is a trunk interface that permits packets of multiple VLANs. Each VLANIF interface has an IP address and is logically connected to the related subinterface of FW_A.

Figure 1-17 GE1/0/3 connection of FW_A

The connection between FW_B and CE12800_B is the same, the only difference being the IP addresses.

NOTE:

One virtual machine can request to access the public address of another. The exchanged packets are forwarded by the CE12800.

Table 1-6 describes the planning of interfaces and security zones on the FWs.

Table 1-6 Planning of interfaces and security zones

FW_A | FW_B | Description
--- | --- | ---
GE1/0/1: IP address none; virtual system public; security zone Untrust | GE1/0/1: IP address none; virtual system public; security zone Untrust | Connected to 10GE1/1/0/1 of the CE12800.
GE1/0/1.10: IP address 172.16.10.252/24; virtual system vfw1; security zone Untrust; VRRP ID 10; virtual IP address 172.16.10.254; state active | GE1/0/1.10: IP address 172.16.10.253/24; virtual system vfw1; security zone Untrust; VRRP ID 10; virtual IP address 172.16.10.254; state standby | Subinterface of vfw1.
GE1/0/1.11: IP address 172.16.11.252/24; virtual system vfw2; security zone Untrust; VRRP ID 11; virtual IP address 172.16.11.254; state active | GE1/0/1.11: IP address 172.16.11.253/24; virtual system vfw2; security zone Untrust; VRRP ID 11; virtual IP address 172.16.11.254; state standby | Subinterface of vfw2.
GE1/0/1.1000: IP address 172.16.9.252/24; virtual system public; security zone Untrust; VRRP ID 9; virtual IP address 172.16.9.254; state active | GE1/0/1.1000: IP address 172.16.9.253/24; virtual system public; security zone Untrust; VRRP ID 9; virtual IP address 172.16.9.254; state standby | Subinterface of the root system.
GE1/0/2: IP address none; virtual system public; security zone DMZ | GE1/0/2: IP address none; virtual system public; security zone DMZ | Connected to 10GE1/1/0/2 of the CE12800.
GE1/0/2.1: IP address 10.159.1.252/24; virtual system public; security zone DMZ; VRRP ID 1; virtual IP address 10.159.1.254; state active | GE1/0/2.1: IP address 10.159.1.253/24; virtual system public; security zone DMZ; VRRP ID 1; virtual IP address 10.159.1.254; state standby | Subinterface of the root system.
GE1/0/2.2: IP address 10.159.2.252/24; virtual system public; security zone DMZ; VRRP ID 2; virtual IP address 10.159.2.254; state active | GE1/0/2.2: IP address 10.159.2.253/24; virtual system public; security zone DMZ; VRRP ID 2; virtual IP address 10.159.2.254; state standby | Subinterface of the root system.
GE1/0/3: IP address none; virtual system public; security zone Trust | GE1/0/3: IP address none; virtual system public; security zone Trust | Connected to 10GE1/1/0/3 of the CE12800.
GE1/0/3.10: IP address 10.159.10.252/24; virtual system vfw1; security zone Trust; VRRP ID 110; virtual IP address 10.159.10.254; state active | GE1/0/3.10: IP address 10.159.10.253/24; virtual system vfw1; security zone Trust; VRRP ID 110; virtual IP address 10.159.10.254; state standby | Subinterface of vfw1.
GE1/0/3.11: IP address 10.159.11.252/24; virtual system vfw2; security zone Trust; VRRP ID 111; virtual IP address 10.159.11.254; state active | GE1/0/3.11: IP address 10.159.11.253/24; virtual system vfw2; security zone Trust; VRRP ID 111; virtual IP address 10.159.11.254; state standby | Subinterface of vfw2.
Eth-Trunk1: member interfaces GE2/0/1 and GE2/0/2; IP address 10.1.1.1/30; virtual system public; security zone hrpzone | Eth-Trunk1: member interfaces GE2/0/1 and GE2/0/2; IP address 10.1.1.2/30; virtual system public; security zone hrpzone | HRP backup interface.

Virtual System

Virtual systems carry virtual machine services. Each virtual system corresponds to one virtual machine. The planning of interfaces for the virtual systems has been described under Interfaces and Security Zones above. In addition, to limit the bandwidth available to each virtual system, a resource class must be configured for each virtual system.

Table 1-7 describes the planning of virtual systems on the FWs. Only two virtual systems are listed. In practice, you can create multiple virtual systems as needed.

Table 1-7 Planning of virtual systems

Item | FW_A | FW_B | Description
--- | --- | --- | ---
Resource class | Name: vfw1_car; maximum bandwidth: 100M | Name: vfw1_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw1 is 100M.
Resource class | Name: vfw2_car; maximum bandwidth: 100M | Name: vfw2_car; maximum bandwidth: 100M | The maximum bandwidth for the virtual system vfw2 is 100M.
Virtual system | Name: vfw1; resource class: vfw1_car | Name: vfw1; resource class: vfw1_car | -
Virtual system | Name: vfw2; resource class: vfw2_car | Name: vfw2; resource class: vfw2_car | -

Routes

Traffic is forwarded using static routes between the FW and CE12800.

  • Static routes are configured in the root switch Public on the CE12800. The destination addresses of these static routes are public addresses of the Portal system and virtual machines, and the next-hop addresses are the addresses of the subinterfaces on the FW. With these static routes, traffic from external enterprise users to the Portal system or virtual systems can be forwarded to the FW.
  • A default route is configured in each virtual switch VRF on the CE12800. The next-hop addresses of these default routes are the addresses of the subinterfaces on the FW. With these default routes, the return traffic from the Portal system or virtual machines can be forwarded to the FW.
  • Static routes are configured on the FW. The destination addresses of these static routes are private addresses of the Portal system and virtual machines, and the next-hop addresses are the VLANIF addresses of the virtual switches VRF of the CE12800. With these static routes, traffic from external enterprise users to the public addresses of the Portal system and virtual systems can be forwarded by the FW after processing to the CE12800.
  • Default routes are configured on the FW. The next-hop addresses of these default routes are the VLANIF address of the root switch Public on the CE12800. With these default routes, return traffic from the Portal system or virtual machines can be forwarded by the FW after processing to the CE12800.

Routes on the FW include routes in the root system and routes in the virtual systems. Table 1-8 describes the planning of routes.

Table 1-8 Planning of routes

Item | FW_A | FW_B | Description
--- | --- | --- | ---
Routes in the root system | Default route: next hop 172.16.9.251 | Default route: next hop 172.16.9.251 | Default routes of the root system, the next-hop address being the CE12800.
Routes in the root system | Black-hole routes: destination addresses 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes: destination addresses 117.1.1.1/32 and 117.1.1.2/32 | Black-hole routes to the global addresses of the Portal system to prevent a routing loop.
Routes in the root system | Static routes: destination address 10.160.1.0/24, next hop 10.159.1.251; destination address 10.160.2.0/24, next hop 10.159.2.251 | Static routes: destination address 10.160.1.0/24, next hop 10.159.1.251; destination address 10.160.2.0/24, next hop 10.159.2.251 | Static routes to the private addresses of the Portal system, the next-hop address being the CE12800.
Routes in the virtual system vfw1 | Default route: next hop 172.16.10.251 | Default route: next hop 172.16.10.251 | Default routes of vfw1, the next-hop address being the CE12800.
Routes in the virtual system vfw1 | Black-hole route: destination address 118.1.1.1/32 | Black-hole route: destination address 118.1.1.1/32 | Black-hole routes to the global address of the virtual machine to prevent a routing loop.
Routes in the virtual system vfw1 | Static route: destination address 10.160.10.0/24, next hop 10.159.10.251 | Static route: destination address 10.160.10.0/24, next hop 10.159.10.251 | Static routes to the private address of the virtual machine, the next-hop address being the CE12800.
Routes in the virtual system vfw2 | Default route: next hop 172.16.11.251 | Default route: next hop 172.16.11.251 | Default routes of vfw2, the next-hop address being the CE12800.
Routes in the virtual system vfw2 | Black-hole route: destination address 118.1.1.2/32 | Black-hole route: destination address 118.1.1.2/32 | Black-hole routes to the global address of the virtual machine to prevent a routing loop.
Routes in the virtual system vfw2 | Static route: destination address 10.160.11.0/24, next hop 10.159.11.251 | Static route: destination address 10.160.11.0/24, next hop 10.159.11.251 | Static routes to the private address of the virtual machine, the next-hop address being the CE12800.

Hot Standby

This is the typical hot standby networking in which the firewalls connect to Layer-2 devices both upstream and downstream. Figure 1-18 shows the logical networking where extranet enterprise users access services of the virtual machines. For ease of description, only one virtual machine is shown.

Figure 1-18 Logical networking of virtual machine services

Figure 1-19 shows the logical networking where external enterprise users access services of the Portal system. For the ease of description, only one Portal system is described.

Figure 1-19 Logical networking of Portal systems

After hot standby is configured, FW_A serves as the active firewall and FW_B as the standby firewall. As shown in Figure 1-20, when the network is normal, FW_A responds to the ARP request sent by the root switch Public of the CE12800 for the MAC address of the gateway, so traffic from external enterprise users to the Portal system or virtual machines is forwarded by FW_A. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_A.

Figure 1-20 Normal traffic flow

When FW_A or the link connecting FW_A fails, an active/standby switchover takes place. Then, FW_B sends a gratuitous ARP packet to make the CE12800 update the mapping between the virtual MAC address and port. All traffic is forwarded by FW_B, as shown in Figure 1-21. Likewise, the return traffic from the Portal system or virtual machines is also forwarded to FW_B.

Figure 1-21 Traffic flow when the active link fails

Security Policies

There are security policies in the root system and security policies in virtual systems. Security policies in the root system permit packets from extranet enterprise users to the Portal system. Security policies in a virtual system permit packets from external enterprise users to the virtual machine.

In addition, antivirus and IPS profiles can be included in the security policies to defend against attacks by viruses, worms, Trojan horses, and zombies. Normally, the default antivirus and IPS profiles can be used.

Table 1-9 describes the planning of security policies on the FWs.

Table 1-9 Planning of security policies

Item | FW_A | FW_B | Description
--- | --- | --- | ---
Security policies in the root system | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.160.0.0/16; action: permit; antivirus: default; IPS: default | Name: sec_portal; source security zone: Untrust; destination security zone: DMZ; destination address: 10.160.0.0/16; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the Portal system.
Security policies in the virtual system vfw1 | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.10.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm1; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.10.0/24; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the virtual machine.
Security policies in the virtual system vfw2 | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.11.0/24; action: permit; antivirus: default; IPS: default | Name: sec_vm2; source security zone: Untrust; destination security zone: Trust; destination address: 10.160.11.0/24; action: permit; antivirus: default; IPS: default | Permit packets from external enterprise users to the virtual machine.

NAT Servers

There are NAT servers in the root system and NAT servers in the virtual systems. The NAT servers in the root system map the private address of the Portal system to a public address so that extranet enterprise users can access it. The NAT server in a virtual system maps the private address of a virtual machine to a public address so that extranet enterprise users can access it.

In order that extranet enterprise users can access the Portal system and virtual machines, it is necessary to apply for public addresses for every Portal system and virtual machine. It is assumed that the public addresses for the Portal system are 117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are 118.1.1.1 and 118.1.1.2. Table 1-10 describes the planning of NAT servers on the FWs.

Table 1-10 Planning of NAT servers

Item | FW_A | FW_B | Description
--- | --- | --- | ---
NAT servers in the root system | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.160.1.100 | Name: nat_server_portal1; global address: 117.1.1.1; inside address: 10.160.1.100 | NAT servers of the Portal system
NAT servers in the root system | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.160.2.100 | Name: nat_server_portal2; global address: 117.1.1.2; inside address: 10.160.2.100 | NAT servers of the Portal system
NAT server in the virtual system vfw1 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.160.10.100 | Name: nat_server_vm1; global address: 118.1.1.1; inside address: 10.160.10.100 | NAT server of the virtual machine
NAT server in the virtual system vfw2 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.160.11.100 | Name: nat_server_vm2; global address: 118.1.1.2; inside address: 10.160.11.100 | NAT server of the virtual machine

Precautions

Virtual System

By default, the USG9500 supports 10 virtual systems. To have more virtual systems, you must apply for a license.

Black-hole Route

Configure black-hole routes to the public addresses of the Portal systems in the root system, and black-hole routes to the public addresses of the virtual machines in the virtual systems, to prevent routing loops.
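As an added example (not part of this document or of the FW's own tooling), the Python script below parses a configuration script in the format shown under Configuration Scripts and checks the two planning rules stated in this document: every NAT server's global address has a /32 black-hole route in the same system (root or virtual), and its inside address is covered by a permit rule of that system's security policy. The embedded configuration is a constructed, shortened sample modelled on the FW_A script, with two deliberate defects in vfw2 (a missing black-hole route and a rule that covers the wrong subnet) so that the checker has something to report; the function names are the example's own.

```python
"""Added example: check NAT server planning against black-hole routes and permit rules.

Parses a Huawei-style configuration script (root system, then `switch vsys` sections)
and verifies, per system, that every `nat server ... global G inside I` has a /32
black-hole route for G and that I is covered by a permit rule's destination-address.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the FW_A script (not the page's own script). vfw2
# deliberately lacks the black-hole route for 118.1.1.2, and its rule covers
# 10.159.11.0/24 instead of the virtual machine subnet 10.160.11.0/24.
SAMPLE_CONFIG = """\
ip route-static 117.1.1.1 255.255.255.255 NULL 0
#
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-address 10.160.0.0 16
  action permit
#
switch vsys vfw1
#
security-policy
 rule name sec_vm1
  destination-address 10.160.10.0 24
  action permit
#
ip route-static 118.1.1.1 32 NULL 0
#
 nat server nat_server_vm1 global 118.1.1.1 inside 10.160.10.100
#
switch vsys vfw2
#
security-policy
 rule name sec_vm2
  destination-address 10.159.11.0 24
  action permit
#
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
#
"""

VSYS_RE = re.compile(r"^switch vsys (\S+)$")
NAT_RE = re.compile(r"^nat server (\S+)(?: \d+)? global (\S+) inside (\S+)")
BLACKHOLE_RE = re.compile(r"^ip route-static (\S+) (\S+) NULL 0$")
RULE_RE = re.compile(r"^rule name (\S+)$")
DST_RE = re.compile(r"^destination-address (\S+) (\S+)$")
ACTION_RE = re.compile(r"^action (permit|deny)$")


def parse_config(text):
    """Return {system: {"nat": [(name, global, inside)], "blackholes": {net}, "rules": [...]}}."""
    systems = defaultdict(lambda: {"nat": [], "blackholes": set(), "rules": []})
    current, rule = "root", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            rule = None                      # '#' closes the current configuration block
            continue
        if m := VSYS_RE.match(line):         # everything after this line belongs to the vsys
            current, rule = m.group(1), None
            continue
        info = systems[current]
        if m := NAT_RE.match(line):
            info["nat"].append(m.groups())
        elif m := BLACKHOLE_RE.match(line):  # accepts both "255.255.255.255" and "32" forms
            info["blackholes"].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := RULE_RE.match(line):
            rule = {"name": m.group(1), "dst": [], "action": None}
            info["rules"].append(rule)
        elif rule is not None and (m := DST_RE.match(line)):
            rule["dst"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif rule is not None and (m := ACTION_RE.match(line)):
            rule["action"] = m.group(1)
    return systems


def check_nat_servers(systems):
    """Return a list of findings; an empty list means every NAT server is consistently planned."""
    findings = []
    for system, info in systems.items():
        for nat_name, global_ip, inside_ip in info["nat"]:
            g, i = ipaddress.ip_address(global_ip), ipaddress.ip_address(inside_ip)
            if not any(net.prefixlen == 32 and g in net for net in info["blackholes"]):
                findings.append(f"{system}: {nat_name}: no /32 black-hole route for {global_ip}")
            if not any(r["action"] == "permit" and any(i in n for n in r["dst"])
                       for r in info["rules"]):
                findings.append(f"{system}: {nat_name}: inside address {inside_ip} "
                                "is not covered by any permit rule")
    return findings


if __name__ == "__main__":
    for finding in check_nat_servers(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the FW_A script of this document, the checker is a quick way to catch a NAT server whose public address was added without its black-hole route, or a virtual system whose permit rule does not actually cover the virtual machine subnet behind the NAT server.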

Policy Backup-based Acceleration Function

When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

Configuration Procedure

Prerequisites

The license file of virtual systems has been obtained and activated successfully on FW_A and FW_B.

Procedure

  1. Configure interfaces and security zones.

    # Create subinterfaces on FW_A.

    <FW_A> system-view 
    [FW_A] interface GigabitEthernet 1/0/1.10 
    [FW_A-GigabitEthernet1/0/1.10] quit 
    [FW_A] interface GigabitEthernet 1/0/1.11 
    [FW_A-GigabitEthernet1/0/1.11] quit 
    [FW_A] interface GigabitEthernet 1/0/1.1000 
    [FW_A-GigabitEthernet1/0/1.1000] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] quit 
    [FW_A] interface GigabitEthernet 1/0/3.10 
    [FW_A-GigabitEthernet1/0/3.10] quit 
    [FW_A] interface GigabitEthernet 1/0/3.11 
    [FW_A-GigabitEthernet1/0/3.11] quit

    # Create subinterfaces on FW_B.

    <FW_B> system-view 
    [FW_B] interface GigabitEthernet 1/0/1.10 
    [FW_B-GigabitEthernet1/0/1.10] quit 
    [FW_B] interface GigabitEthernet 1/0/1.11 
    [FW_B-GigabitEthernet1/0/1.11] quit 
    [FW_B] interface GigabitEthernet 1/0/1.1000 
    [FW_B-GigabitEthernet1/0/1.1000] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] quit 
    [FW_B] interface GigabitEthernet 1/0/3.10 
    [FW_B-GigabitEthernet1/0/3.10] quit 
    [FW_B] interface GigabitEthernet 1/0/3.11 
    [FW_B-GigabitEthernet1/0/3.11] quit

    # Configure an Eth-trunk interface on FW_A.

    [FW_A] interface Eth-Trunk 1 
    [FW_A-Eth-Trunk1] ip address 10.1.1.1 30 
    [FW_A-Eth-Trunk1] quit 
    [FW_A] interface GigabitEthernet 2/0/1 
    [FW_A-GigabitEthernet2/0/1] eth-trunk 1 
    [FW_A-GigabitEthernet2/0/1] quit 
    [FW_A] interface GigabitEthernet 2/0/2 
    [FW_A-GigabitEthernet2/0/2] eth-trunk 1 
    [FW_A-GigabitEthernet2/0/2] quit

    # Configure an Eth-trunk interface on FW_B.

    [FW_B] interface Eth-Trunk 1 
    [FW_B-Eth-Trunk1] ip address 10.1.1.2 30 
    [FW_B-Eth-Trunk1] quit 
    [FW_B] interface GigabitEthernet 2/0/1 
    [FW_B-GigabitEthernet2/0/1] eth-trunk 1 
    [FW_B-GigabitEthernet2/0/1] quit 
    [FW_B] interface GigabitEthernet 2/0/2 
    [FW_B-GigabitEthernet2/0/2] eth-trunk 1 
    [FW_B-GigabitEthernet2/0/2] quit

    # Configure IP addresses for root system interfaces on FW_A, and assign the interfaces to the security zones of the root system.

    [FW_A] interface GigabitEthernet 1/0/1.1000 
    [FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24 
    [FW_A-GigabitEthernet1/0/1.1000] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24 
    [FW_A-GigabitEthernet1/0/2.2] quit 
    [FW_A] firewall zone trust 
    [FW_A-zone-trust] add interface GigabitEthernet 1/0/3 
    [FW_A-zone-trust] quit 
    [FW_A] firewall zone untrust 
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1 
    [FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000 
    [FW_A-zone-untrust] quit 
    [FW_A] firewall zone dmz 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1 
    [FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2 
    [FW_A-zone-dmz] quit 
    [FW_A] firewall zone name hrpzone 
    [FW_A-zone-hrpzone] set priority 65 
    [FW_A-zone-hrpzone] add interface Eth-Trunk 1 
    [FW_A-zone-hrpzone] quit

    # Configure IP addresses for root system interfaces on FW_B, and assign the interfaces to the security zones of the root system.

    [FW_B] interface GigabitEthernet 1/0/1.1000 
    [FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24 
    [FW_B-GigabitEthernet1/0/1.1000] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24 
    [FW_B-GigabitEthernet1/0/2.2] quit 
    [FW_B] firewall zone trust 
    [FW_B-zone-trust] add interface GigabitEthernet 1/0/3 
    [FW_B-zone-trust] quit 
    [FW_B] firewall zone untrust 
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1 
    [FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000 
    [FW_B-zone-untrust] quit 
    [FW_B] firewall zone dmz 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1 
    [FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2 
    [FW_B-zone-dmz] quit 
    [FW_B] firewall zone name hrpzone 
    [FW_B-zone-hrpzone] set priority 65 
    [FW_B-zone-hrpzone] add interface Eth-Trunk 1 
    [FW_B-zone-hrpzone] quit

  2. Configure virtual systems.

    # Enable the virtual system function on FW_A.

    [FW_A] vsys enable

    # Enable the virtual system function on FW_B.

    [FW_B] vsys enable

    # Configure resource classes on FW_A.

    [FW_A] resource-class vfw1_car 
    [FW_A-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire 
    [FW_A-resource-class-vfw1_car] quit 
    [FW_A] resource-class vfw2_car 
    [FW_A-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire 
    [FW_A-resource-class-vfw2_car] quit

    # Configure resource classes on FW_B.

    [FW_B] resource-class vfw1_car 
    [FW_B-resource-class-vfw1_car] resource-item-limit bandwidth 100 entire 
    [FW_B-resource-class-vfw1_car] quit 
    [FW_B] resource-class vfw2_car 
    [FW_B-resource-class-vfw2_car] resource-item-limit bandwidth 100 entire 
    [FW_B-resource-class-vfw2_car] quit

    # Create virtual systems on FW_A, and allocate resources to the virtual systems.

    [FW_A] vsys name vfw1 
    [FW_A-vsys-vfw1] assign resource-class vfw1_car 
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10 
    [FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10 
    [FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive 
    [FW_A-vsys-vfw1] quit 
    [FW_A] vsys name vfw2 
    [FW_A-vsys-vfw2] assign resource-class vfw2_car 
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11 
    [FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11 
    [FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive 
    [FW_A-vsys-vfw2] quit

    # Create virtual systems on FW_B, and allocate resources to the virtual systems.

    [FW_B] vsys name vfw1 
    [FW_B-vsys-vfw1] assign resource-class vfw1_car 
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10 
    [FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10 
    [FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive 
    [FW_B-vsys-vfw1] quit 
    [FW_B] vsys name vfw2 
    [FW_B-vsys-vfw2] assign resource-class vfw2_car 
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11 
    [FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11 
    [FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive 
    [FW_B-vsys-vfw2] quit

    # Configure IP addresses for interfaces in the virtual system vfw1 on FW_A, and assign the interfaces to security zones.

    [FW_A] switch vsys vfw1 
    <FW_A-vfw1> system-view 
    [FW_A-vfw1] interface GigabitEthernet 1/0/1.10 
    [FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24 
    [FW_A-vfw1-GigabitEthernet1/0/1.10] quit 
    [FW_A-vfw1] interface GigabitEthernet 1/0/3.10 
    [FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24 
    [FW_A-vfw1-GigabitEthernet1/0/3.10] quit 
    [FW_A-vfw1] firewall zone untrust 
    [FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10 
    [FW_A-vfw1-zone-untrust] quit 
    [FW_A-vfw1] firewall zone trust 
    [FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10 
    [FW_A-vfw1-zone-trust] quit 
    [FW_A-vfw1] quit 
    <FW_A-vfw1> quit

    Similarly, configure IP addresses for interfaces in the virtual system vfw2 on FW_A, and assign the interfaces to security zones.

    # Configure IP addresses for interfaces in the virtual system vfw1 on FW_B, and assign the interfaces to security zones.

    [FW_B] switch vsys vfw1 
    <FW_B-vfw1> system-view 
    [FW_B-vfw1] interface GigabitEthernet 1/0/1.10 
    [FW_B-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.253 24 
    [FW_B-vfw1-GigabitEthernet1/0/1.10] quit 
    [FW_B-vfw1] interface GigabitEthernet 1/0/3.10 
    [FW_B-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.253 24 
    [FW_B-vfw1-GigabitEthernet1/0/3.10] quit 
    [FW_B-vfw1] firewall zone untrust 
    [FW_B-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10 
    [FW_B-vfw1-zone-untrust] quit 
    [FW_B-vfw1] firewall zone trust 
    [FW_B-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10 
    [FW_B-vfw1-zone-trust] quit 
    [FW_B-vfw1] quit 
    <FW_B-vfw1> quit

    Similarly, configure IP addresses for interfaces in virtual system vfw2 on FW_B, and assign the interfaces to security zones.

  3. Configure routes.

    # Configure routes of the root system on FW_A.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251 
    [FW_A] ip route-static 117.1.1.1 32 NULL 0 
    [FW_A] ip route-static 117.1.1.2 32 NULL 0 
    [FW_A] ip route-static 10.160.1.0 24 10.159.1.251 
    [FW_A] ip route-static 10.160.2.0 24 10.159.2.251

    # Configure routes of the root system on FW_B.

    [FW_B] ip route-static 0.0.0.0 0.0.0.0 172.16.9.251 
    [FW_B] ip route-static 117.1.1.1 32 NULL 0 
    [FW_B] ip route-static 117.1.1.2 32 NULL 0 
    [FW_B] ip route-static 10.160.1.0 24 10.159.1.251 
    [FW_B] ip route-static 10.160.2.0 24 10.159.2.251

    # Configure routes of the virtual systems on FW_A.

    [FW_A] switch vsys vfw1 
    <FW_A-vfw1> system-view 
    [FW_A-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
    [FW_A-vfw1] ip route-static 118.1.1.1 32 NULL 0 
    [FW_A-vfw1] ip route-static 10.160.10.0 24 10.159.10.251 
    [FW_A-vfw1] quit 
    <FW_A-vfw1> quit 
    [FW_A] switch vsys vfw2 
    <FW_A-vfw2> system-view 
    [FW_A-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
    [FW_A-vfw2] ip route-static 118.1.1.2 32 NULL 0 
    [FW_A-vfw2] ip route-static 10.160.11.0 24 10.159.11.251 
    [FW_A-vfw2] quit 
    <FW_A-vfw2> quit

    # Configure routes of the virtual systems on FW_B.

    [FW_B] switch vsys vfw1 
    <FW_B-vfw1> system-view 
    [FW_B-vfw1] ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
    [FW_B-vfw1] ip route-static 118.1.1.1 32 NULL 0 
    [FW_B-vfw1] ip route-static 10.160.10.0 24 10.159.10.251 
    [FW_B-vfw1] quit 
    <FW_B-vfw1> quit 
    [FW_B] switch vsys vfw2 
    <FW_B-vfw2> system-view 
    [FW_B-vfw2] ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
    [FW_B-vfw2] ip route-static 118.1.1.2 32 NULL 0 
    [FW_B-vfw2] ip route-static 10.160.11.0 24 10.159.11.251 
    [FW_B-vfw2] quit 
    <FW_B-vfw2> quit

  4. Configure hot standby.

    # Configure VRRP groups on FW_A, setting their states to Active.

    [FW_A] interface GigabitEthernet 1/0/1.10 
    [FW_A-GigabitEthernet1/0/1.10] vlan-type dot1q 10 
    [FW_A-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 active 
    [FW_A-GigabitEthernet1/0/1.10] quit 
    [FW_A] interface GigabitEthernet 1/0/1.11 
    [FW_A-GigabitEthernet1/0/1.11] vlan-type dot1q 11 
    [FW_A-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 active 
    [FW_A-GigabitEthernet1/0/1.11] quit 
    [FW_A] interface GigabitEthernet 1/0/1.1000 
    [FW_A-GigabitEthernet1/0/1.1000] vlan-type dot1q 9 
    [FW_A-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 active 
    [FW_A-GigabitEthernet1/0/1.1000] quit 
    [FW_A] interface GigabitEthernet 1/0/3.10 
    [FW_A-GigabitEthernet1/0/3.10] vlan-type dot1q 10 
    [FW_A-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 active 
    [FW_A-GigabitEthernet1/0/3.10] quit 
    [FW_A] interface GigabitEthernet 1/0/3.11 
    [FW_A-GigabitEthernet1/0/3.11] vlan-type dot1q 11 
    [FW_A-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 active 
    [FW_A-GigabitEthernet1/0/3.11] quit 
    [FW_A] interface GigabitEthernet 1/0/2.1 
    [FW_A-GigabitEthernet1/0/2.1] vlan-type dot1q 1 
    [FW_A-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 active 
    [FW_A-GigabitEthernet1/0/2.1] quit 
    [FW_A] interface GigabitEthernet 1/0/2.2 
    [FW_A-GigabitEthernet1/0/2.2] vlan-type dot1q 2 
    [FW_A-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 active 
    [FW_A-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_A and enable hot standby.

    [FW_A] hrp interface Eth-Trunk 1 remote 10.1.1.2 
    [FW_A] hrp enable

    # Configure VRRP groups on FW_B, setting their states to Standby.

    [FW_B] interface GigabitEthernet 1/0/1.10 
    [FW_B-GigabitEthernet1/0/1.10] vlan-type dot1q 10 
    [FW_B-GigabitEthernet1/0/1.10] vrrp vrid 10 virtual-ip 172.16.10.254 standby 
    [FW_B-GigabitEthernet1/0/1.10] quit 
    [FW_B] interface GigabitEthernet 1/0/1.11 
    [FW_B-GigabitEthernet1/0/1.11] vlan-type dot1q 11 
    [FW_B-GigabitEthernet1/0/1.11] vrrp vrid 11 virtual-ip 172.16.11.254 standby 
    [FW_B-GigabitEthernet1/0/1.11] quit 
    [FW_B] interface GigabitEthernet 1/0/1.1000 
    [FW_B-GigabitEthernet1/0/1.1000] vlan-type dot1q 9 
    [FW_B-GigabitEthernet1/0/1.1000] vrrp vrid 9 virtual-ip 172.16.9.254 standby 
    [FW_B-GigabitEthernet1/0/1.1000] quit 
    [FW_B] interface GigabitEthernet 1/0/3.10 
    [FW_B-GigabitEthernet1/0/3.10] vlan-type dot1q 10 
    [FW_B-GigabitEthernet1/0/3.10] vrrp vrid 110 virtual-ip 10.159.10.254 standby 
    [FW_B-GigabitEthernet1/0/3.10] quit 
    [FW_B] interface GigabitEthernet 1/0/3.11 
    [FW_B-GigabitEthernet1/0/3.11] vlan-type dot1q 11 
    [FW_B-GigabitEthernet1/0/3.11] vrrp vrid 111 virtual-ip 10.159.11.254 standby 
    [FW_B-GigabitEthernet1/0/3.11] quit 
    [FW_B] interface GigabitEthernet 1/0/2.1 
    [FW_B-GigabitEthernet1/0/2.1] vlan-type dot1q 1 
    [FW_B-GigabitEthernet1/0/2.1] vrrp vrid 1 virtual-ip 10.159.1.254 standby 
    [FW_B-GigabitEthernet1/0/2.1] quit 
    [FW_B] interface GigabitEthernet 1/0/2.2 
    [FW_B-GigabitEthernet1/0/2.2] vlan-type dot1q 2 
    [FW_B-GigabitEthernet1/0/2.2] vrrp vrid 2 virtual-ip 10.159.2.254 standby 
    [FW_B-GigabitEthernet1/0/2.2] quit

    # Specify the heartbeat interface on FW_B and enable hot standby.

    [FW_B] hrp interface Eth-Trunk 1 remote 10.1.1.1 
    [FW_B] hrp enable

  5. Configure security policies.

    # Configure security policies in the root system on FW_A.

    HRP_M[FW_A] security-policy 
    HRP_M[FW_A-policy-security] rule name sec_portal 
    HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust 
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz 
    HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.160.0.0 16 
    HRP_M[FW_A-policy-security-rule-sec_portal] action permit 
    HRP_M[FW_A-policy-security-rule-sec_portal] profile av default 
    HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default 
    HRP_M[FW_A-policy-security-rule-sec_portal] quit 
    HRP_M[FW_A-policy-security] quit

    # Configure security policies in virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1 
    HRP_M<FW_A-vfw1> system-view 
    HRP_M[FW_A-vfw1] security-policy 
    HRP_M[FW_A-vfw1-policy-security] rule name sec_vm1 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] source-zone untrust 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-zone trust 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] destination-address 10.160.10.0 24 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile av default 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] profile ips default 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] action permit 
    HRP_M[FW_A-vfw1-policy-security-rule-sec_vm1] quit 
    HRP_M[FW_A-vfw1-policy-security] quit 
    HRP_M[FW_A-vfw1] quit 
    HRP_M<FW_A-vfw1> quit

    Similarly, configure security policies in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure security policies manually on FW_B.

  6. Configure the policy backup-based acceleration function.

    When a large number of policies exist (such as over 500 policies), the policy backup-based acceleration function must be enabled to improve policy matching efficiency during policy modification. If this function is enabled, however, the newly configured policy takes effect only after the policy backup-based acceleration process completes.

    HRP_M[FW_A] policy accelerate standby enable

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure policy backup-based acceleration function manually on FW_B.

  7. Configure NAT servers.

    NOTE:

    The NAT server configuration commands are only exemplary. In practice, NAT servers are configured on the management component, and the management component delivers the configuration to the FW.

    # Configure NAT servers in the root system on FW_A.

    HRP_M[FW_A] nat server nat_server_portal1 global 117.1.1.1 inside 10.160.1.100 
    HRP_M[FW_A] nat server nat_server_portal2 global 117.1.1.2 inside 10.160.2.100

    # Configure a NAT server in the virtual system vfw1 on FW_A.

    HRP_M[FW_A] switch vsys vfw1 
    HRP_M<FW_A-vfw1> system-view 
    HRP_M[FW_A-vfw1] nat server nat_server_vm1 global 118.1.1.1 inside 10.160.10.100 
    HRP_M[FW_A-vfw1] quit 
    HRP_M<FW_A-vfw1> quit

    Similarly, configure a NAT server in virtual system vfw2 on FW_A.

    # After hot standby is configured, the configuration on FW_A will be automatically synchronized to FW_B. Therefore, it is not necessary to configure NAT servers manually on FW_B.

  8. Configure other network devices.

    The present case focuses on the configuration on the FW. For the configuration on other network devices, note that:

    • OSPF runs between the upstream router and the CE12800. The upstream router learns the routes to the public addresses of the Portal systems and virtual machines through OSPF, with the CE12800 as the next hop.
    • Configure multiple VRF instances (virtual switches) on the CE12800, bind the VRF instances to VLANIF interfaces, and configure VRRP groups on the VLANIF interfaces. In addition, on the root switch (Public) of the CE12800, configure static routes to the public addresses of the Portal systems and virtual machines with the next hops set to the virtual IP addresses of the VRRP groups on the FW; on the virtual machine VRF instances, configure default routes whose next hops are also the virtual IP addresses of the VRRP groups on the FW.
    • The CE6800 transparently transmits Layer 2 packets, so only Layer 2 forwarding needs to be configured on it.
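As an added example, not part of this document or of the FW software, the Python script below parses the configuration scripts of both FWs (in the format shown under Configuration Scripts) and cross-checks what steps 1 and 4 of the procedure set up: every VRRP group must have the same VRID and virtual IP on both FWs, be active on FW_A and standby on FW_B, and have each FW's real address in the virtual IP's subnet; and each FW's hrp remote address must be the address of the peer's heartbeat interface. The two embedded scripts are constructed, shortened samples modelled on FW_A and FW_B, with a deliberate VRID mismatch on GE1/0/3.10 so that the check reports something; the function names are the example's own.

```python
"""Added example: cross-check the VRRP and HRP settings of a hot-standby FW pair."""
import ipaddress
import re

# Constructed, shortened scripts modelled on the FW_A/FW_B configuration in this
# document (not the page's own scripts). FW_B's GE1/0/3.10 deliberately uses
# VRID 10 where FW_A uses 110, so the checker has something to report.
FW_A_CONFIG = """\
 hrp interface Eth-Trunk 1 remote 10.1.1.2
#
interface Eth-Trunk1
 ip address 10.1.1.1 255.255.255.252
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.252 255.255.255.0
 vrrp vrid 9 virtual-ip 172.16.9.254 active
#
interface GigabitEthernet1/0/3.10
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
"""
FW_B_CONFIG = """\
 hrp interface Eth-Trunk 1 remote 10.1.1.1
#
interface Eth-Trunk1
 ip address 10.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1.1000
 ip address 172.16.9.253 255.255.255.0
 vrrp vrid 9 virtual-ip 172.16.9.254 standby
#
interface GigabitEthernet1/0/3.10
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
"""

IFACE_RE = re.compile(r"^interface (.+)$")
IP_RE = re.compile(r"^ip address (\S+) (\S+)$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
HRP_RE = re.compile(r"^hrp interface (.+?) remote (\S+)$")


def parse_hrp_config(text):
    """Return ({interface: {"ip": IPv4Interface or None, "vrrp": (vrid, vip, role) or None}}, (hrp_if, remote))."""
    ifaces, hrp, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes the current interface block
            cur = None
        elif m := IFACE_RE.match(line):      # "Eth-Trunk 1" and "Eth-Trunk1" are the same interface
            cur = ifaces.setdefault(m.group(1).replace(" ", ""), {"ip": None, "vrrp": None})
        elif m := HRP_RE.match(line):
            hrp = (m.group(1).replace(" ", ""), m.group(2))
        elif cur is not None and (m := IP_RE.match(line)):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur is not None and (m := VRRP_RE.match(line)):
            cur["vrrp"] = (int(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3))
    return ifaces, hrp


def check_hot_standby(config_a, config_b):
    """Return a list of findings; an empty list means the pair is consistently configured."""
    ifaces_a, hrp_a = parse_hrp_config(config_a)
    ifaces_b, hrp_b = parse_hrp_config(config_b)
    findings = []
    for name, a in ifaces_a.items():
        if a["vrrp"] is None:
            continue
        b = ifaces_b.get(name)
        if b is None or b["vrrp"] is None:
            findings.append(f"{name}: VRRP group on FW_A has no counterpart on FW_B")
            continue
        (vrid_a, vip_a, role_a), (vrid_b, vip_b, role_b) = a["vrrp"], b["vrrp"]
        if vrid_a != vrid_b:
            findings.append(f"{name}: VRID mismatch (FW_A {vrid_a}, FW_B {vrid_b})")
        if vip_a != vip_b:
            findings.append(f"{name}: virtual IP mismatch (FW_A {vip_a}, FW_B {vip_b})")
        if (role_a, role_b) != ("active", "standby"):
            findings.append(f"{name}: expected active/standby, got {role_a}/{role_b}")
        for fw, entry in (("FW_A", a), ("FW_B", b)):
            if entry["ip"] is None or vip_a not in entry["ip"].network:
                findings.append(f"{name}: {fw} address {entry['ip']} is outside the virtual IP's subnet")
    # Each FW's heartbeat "remote" must be the address of the peer's heartbeat interface.
    for this, other, hrp, peer_ifaces in (("FW_A", "FW_B", hrp_a, ifaces_b),
                                          ("FW_B", "FW_A", hrp_b, ifaces_a)):
        peer = peer_ifaces.get(hrp[0]) if hrp else None
        if hrp is None or peer is None or peer["ip"] is None or str(peer["ip"].ip) != hrp[1]:
            findings.append(f"{this}: hrp remote does not match {other}'s heartbeat interface address")
    return findings


if __name__ == "__main__":
    for finding in check_hot_standby(FW_A_CONFIG, FW_B_CONFIG):
        print("FINDING:", finding)
```

Because the hot standby configuration is synchronized from FW_A to FW_B only after hrp enable, the interface, VRRP and heartbeat settings configured separately on each FW in steps 1 and 4 are exactly the ones this check compares; a mismatch there shows up as a VRRP group that does not fail over rather than as a configuration error.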

Verification

  1. Run the display hrp state command on FW_A and FW_B. The current HRP state is normal.
  2. Enterprise users on the Internet can access virtual machine services normally.
  3. Enterprise users on the Internet can access the Portal system normally.
  4. Run the shutdown command on GE1/0/1.10 of FW_A to simulate a link fault. The active/standby switchover is normal, and services are not interrupted.

Configuration Scripts

Configuration script for FW_A:

#                                                                                
sysname FW_A 
#                                                                                
 hrp enable                                                                      
 hrp interface Eth-Trunk 1 remote 10.1.1.2                             
#                                                                                
vsys enable                                                                      
resource-class vfw1_car                                                          
 resource-item-limit bandwidth 100 entire 
resource-class vfw2_car                                                          
 resource-item-limit bandwidth 100 entire 
#                                                                                
#                                                                                
vsys name vfw1 1                                                                 
 assign interface GigabitEthernet1/0/1.10                                       
 assign interface GigabitEthernet1/0/3.10 
 assign resource-class vfw1_car                                                  
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                  
#                                                                                
vsys name vfw2 2                                                                 
 assign interface GigabitEthernet1/0/1.11                                       
 assign interface GigabitEthernet1/0/3.11 
 assign resource-class vfw2_car                                                  
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                  
#                                                                                
interface Eth-Trunk1                                                             
 ip address 10.1.1.1 255.255.255.252                                             
#                                                                                
interface GigabitEthernet1/0/1                                                   
 undo shutdown                                                                   
#                                                                                 
interface GigabitEthernet1/0/1.10                                               
 vlan-type dot1q 10 
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.252 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 172.16.10.254 active 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 vlan-type dot1q 11 
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.252 255.255.255.0 
 vrrp vrid 11 virtual-ip 172.16.11.254 active 
#                                                                                
interface GigabitEthernet1/0/1.1000                                            
 vlan-type dot1q 9 
 ip address 172.16.9.252 255.255.255.0 
 vrrp vrid 9 virtual-ip 172.16.9.254 active 
#                                                                                
interface GigabitEthernet1/0/2                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/2.1                                              
 vlan-type dot1q 1 
 ip address 10.159.1.252 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.1.254 active 
#                                                                                
interface GigabitEthernet1/0/2.2                                              
 vlan-type dot1q 2 
 ip address 10.159.2.252 255.255.255.0 
 vrrp vrid 2 virtual-ip 10.159.2.254 active 
#                                                                                
interface GigabitEthernet1/0/3                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.252 255.255.255.0                                           
 vrrp vrid 111 virtual-ip 10.159.11.254 active 
#                                                                                
interface GigabitEthernet2/0/1                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
interface GigabitEthernet2/0/2                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3                                             
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1                                              
 add interface GigabitEthernet1/0/1.1000 
#                                                                                
firewall zone dmz                                                                
 set priority 50                                                                 
 add interface GigabitEthernet1/0/2                                              
 add interface GigabitEthernet1/0/2.1 
 add interface GigabitEthernet1/0/2.2 
#                                                                                
firewall zone name hrpzone id 4                                                  
 set priority 65                                                                 
 add interface Eth-Trunk1                                                        
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                     
ip route-static 117.1.1.1 255.255.255.255 NULL 0 
ip route-static 117.1.1.2 255.255.255.255 NULL 0 
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251 
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251 
#                                                                                
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100 
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100 
#                                                                                
security-policy                                                                  
 rule name sec_portal                                                          
  source-zone untrust                                                            
  destination-zone dmz 
  destination-address 10.160.0.0 16 
  profile av default 
  profile ips default 
  action permit 
# 
return                                                                           
#                                                                                
switch vsys vfw1                                                                 
#                                                                                
interface GigabitEthernet1/0/1.10                                               
 vlan-type dot1q 10 
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.252 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 172.16.10.254 active 
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.252 255.255.255.0                                           
 vrrp vrid 110 virtual-ip 10.159.10.254 active 
#                                                                                
interface Virtual-if1                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.10 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.10 
#                                                                                
security-policy                                                                  
 rule name sec_vm1                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.160.10.0 24
  profile av default 
  profile ips default 
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
ip route-static 118.1.1.1 255.255.255.255 NULL 0 
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251 
#                                                                                
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100                
#                                                                                
return 
#                                                                                
switch vsys vfw2                                                                 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 vlan-type dot1q 11 
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.252 255.255.255.0 
 vrrp vrid 11 virtual-ip 172.16.11.254 active 
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.252 255.255.255.0                                           
 vrrp vrid 111 virtual-ip 10.159.11.254 active 
#                                                                                
interface Virtual-if2                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.11 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.11 
#                                                                                
security-policy                                                                  
 rule name sec_vm2                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.11.0 24 
  profile av default 
  profile ips default 
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
ip route-static 118.1.1.2 255.255.255.255 NULL 0 
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251 
#                                                                                
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100                
#                                                                                
return

Configuration script for FW_B:

#                                                                                
sysname FW_B 
#                                                                                
 hrp enable                                                                      
 hrp interface Eth-Trunk 1 remote 10.1.1.1                             
#                                                                                
vsys enable                                                                      
resource-class vfw1_car                                                          
 resource-item-limit bandwidth 100 entire 
resource-class vfw2_car                                                          
 resource-item-limit bandwidth 100 entire 
#                                                                                
#                                                                                
vsys name vfw1 1                                                                 
 assign interface GigabitEthernet1/0/1.10                                       
 assign interface GigabitEthernet1/0/3.10 
 assign resource-class vfw1_car                                                  
 assign global-ip 118.1.1.1 118.1.1.1 exclusive                                  
#                                                                                
vsys name vfw2 2                                                                 
 assign interface GigabitEthernet1/0/1.11                                       
 assign interface GigabitEthernet1/0/3.11 
 assign resource-class vfw2_car                                                  
 assign global-ip 118.1.1.2 118.1.1.2 exclusive                                  
#                                                                                
interface Eth-Trunk1                                                             
 ip address 10.1.1.2 255.255.255.252                                             
#                                                                                
interface GigabitEthernet1/0/1                                                   
 undo shutdown                                                                   
#                                                                                 
interface GigabitEthernet1/0/1.10                                               
 vlan-type dot1q 10 
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.253 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 172.16.10.254 standby 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 vlan-type dot1q 11 
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.253 255.255.255.0 
 vrrp vrid 11 virtual-ip 172.16.11.254 standby 
#                                                                                
interface GigabitEthernet1/0/1.1000                                            
 vlan-type dot1q 9 
 ip address 172.16.9.253 255.255.255.0 
 vrrp vrid 9 virtual-ip 172.16.9.254 standby 
#                                                                                
interface GigabitEthernet1/0/2                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/2.1                                              
 vlan-type dot1q 1 
 ip address 10.159.1.253 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.1.254 standby 
#                                                                                
interface GigabitEthernet1/0/2.2                                              
 vlan-type dot1q 2 
 ip address 10.159.2.253 255.255.255.0 
 vrrp vrid 1 virtual-ip 10.159.2.254 standby 
#                                                                                
interface GigabitEthernet1/0/3                                                   
 undo shutdown                                                                   
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.253 255.255.255.0                                           
 vrrp vrid 110 virtual-ip 10.159.10.254 standby 
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.253 255.255.255.0                                           
 vrrp vrid 111 virtual-ip 10.159.11.254 standby 
#                                                                                
interface GigabitEthernet2/0/1                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
interface GigabitEthernet2/0/2                                               
 undo shutdown 
 eth-trunk 1 
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3                                             
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1                                              
 add interface GigabitEthernet1/0/1.1000 
#                                                                                
firewall zone dmz                                                                
 set priority 50                                                                 
 add interface GigabitEthernet1/0/2                                              
 add interface GigabitEthernet1/0/2.1 
 add interface GigabitEthernet1/0/2.2 
#                                                                                
firewall zone name hrpzone id 4                                                  
 set priority 65                                                                 
 add interface Eth-Trunk1                                                        
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251                                     
ip route-static 117.1.1.1 255.255.255.255 NULL 0 
ip route-static 117.1.1.2 255.255.255.255 NULL 0 
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251 
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251 
#                                                                                
 nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100 
 nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100 
#                                                                                
security-policy                                                                  
 rule name sec_portal                                                          
  source-zone untrust                                                            
  destination-zone dmz 
  destination-address 10.159.0.0 16 
  profile av default 
  profile ips default 
  action permit 
# 
return                                                                           
#                                                                                
switch vsys vfw1                                                                 
#                                                                                
interface GigabitEthernet1/0/1.10                                               
 vlan-type dot1q 10 
 ip binding vpn-instance vfw1                                                    
 ip address 172.16.10.253 255.255.255.0                                           
 vrrp vrid 10 virtual-ip 172.16.10.254 standby 
#                                                                                
interface GigabitEthernet1/0/3.10                                               
 vlan-type dot1q 10                                                              
 ip binding vpn-instance vfw1                                                    
 ip address 10.159.10.253 255.255.255.0                                           
 vrrp vrid 110 virtual-ip 10.159.10.254 standby 
#                                                                                
interface Virtual-if1                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.10 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.10 
#                                                                                
security-policy                                                                  
 rule name sec_vm1                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.10.0 24 
  profile av default 
  profile ips default 
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 
ip route-static 118.1.1.1 255.255.255.255 NULL 0 
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251 
#                                                                                
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100                
#                                                                                
return 
#                                                                                
switch vsys vfw2                                                                 
#                                                                                
interface GigabitEthernet1/0/1.11                                               
 vlan-type dot1q 11 
 ip binding vpn-instance vfw2                                                    
 ip address 172.16.11.253 255.255.255.0 
 vrrp vrid 11 virtual-ip 172.16.11.254 standby 
#                                                                                
interface GigabitEthernet1/0/3.11                                               
 vlan-type dot1q 11                                                              
 ip binding vpn-instance vfw2                                                    
 ip address 10.159.11.253 255.255.255.0                                           
 vrrp vrid 111 virtual-ip 10.159.11.254 standby 
#                                                                                
interface Virtual-if2                                                            
#                                                                                
firewall zone trust                                                              
 set priority 85                                                                 
 add interface GigabitEthernet1/0/3.11 
#                                                                                
firewall zone untrust                                                            
 set priority 5                                                                  
 add interface GigabitEthernet1/0/1.11 
#                                                                                
security-policy                                                                  
 rule name sec_vm2                                                              
  source-zone untrust                                             
  destination-zone trust                                                   
  destination-address 10.159.11.0 24 
  profile av default 
  profile ips default 
  action permit 
#                                                                                
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 
ip route-static 118.1.1.2 255.255.255.255 NULL 0 
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251 
#                                                                                
 nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100                
#                                                                                
return

Conclusion and Suggestions

  • The virtual system feature is configured on the FW, and each virtual system corresponds to one virtual machine. The virtual machines are isolated from each other by the virtual systems, and security policies can be configured inside each virtual system to control access.
  • The number of interfaces between the FW and the CE12800 is limited, so multiple subinterfaces are created and allocated to the root system and the virtual systems. This allows the available interfaces to be used flexibly.
  • In solution 1, when OSPF is configured on the FW, OSPF cannot be configured directly in a virtual system, so the VPN instance corresponding to the virtual system must be bound to the OSPF process in the root system.
  • In solution 2, VRF is configured on the CE12800 to virtualize it into an upstream switch (the root switch, Public) and downstream switches (multiple virtual switches, VRFs). VRRP runs between the FW and both the Public and VRF switches of the CE12800.
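The FW_A and FW_B scripts above depend on two things staying consistent: each virtual system's NAT server must use a global address that was assigned to that vsys (and have the matching blackhole route inside the vsys), and every VRRP group must carry the same virtual IP on both firewalls with one active and one standby peer. The following Python audit is an added example, not part of this document or of the USG software; it parses a constructed excerpt modelled on the scripts above (function names and the excerpt are mine) and reports any of those inconsistencies:

```python
import ipaddress
import re

# Constructed excerpts modelled on the FW_A/FW_B scripts above: root-system vsys definition, then vsys vfw1.
FW_A = """\
vsys name vfw1 1
 assign global-ip 118.1.1.1 118.1.1.1 exclusive
switch vsys vfw1
interface GigabitEthernet1/0/1.10
 vrrp vrid 10 virtual-ip 172.16.10.254 active
ip route-static 118.1.1.1 255.255.255.255 NULL 0
 nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
return
"""
FW_B = FW_A.replace("active", "standby")  # the standby peer carries the same groups in the standby role

def parse(config):
    """Split a USG config into root and per-vsys contexts and pull out what audit() checks."""
    ctx = {"root": {"nat": [], "blackhole": set(), "vrrp": {}, "global_ip": {}}}
    cur, vsys, iface = ctx["root"], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"switch vsys (\S+)$", line):
            cur = ctx.setdefault(m[1], {"nat": [], "blackhole": set(), "vrrp": {}})
        elif m := re.match(r"vsys name (\S+)", line):
            vsys = m[1]
        elif m := re.match(r"assign global-ip (\S+) (\S+)", line):
            ctx["root"]["global_ip"][vsys] = (m[1], m[2])  # public range this vsys may use for NAT
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line):
            cur["vrrp"][(iface, int(m[1]))] = (m[2], m[3])
        elif m := re.match(r"ip route-static (\S+) 255\.255\.255\.255 NULL 0", line):
            cur["blackhole"].add(m[1])  # blackhole route for a NAT global address
        elif m := re.match(r"nat server \S+ \d+ global (\S+) inside", line):
            cur["nat"].append(m[1])
    return ctx

def audit(cfg_a, cfg_b):
    """Return findings for the pair; an empty list means cfg_a is consistent with itself and its peer."""
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for name, c in a.items():
        if name != "root":  # NAT global must lie in the vsys's assigned range and be blackholed there
            lo, hi = (ipaddress.ip_address(x) for x in a["root"]["global_ip"].get(name, ("0.0.0.0", "0.0.0.0")))
            for g in c["nat"]:
                if not lo <= ipaddress.ip_address(g) <= hi:
                    findings.append(f"{name}: NAT global {g} outside assigned global-ip range")
                if g not in c["blackhole"]:
                    findings.append(f"{name}: no blackhole route for NAT global {g}")
        vb = b.get(name, {}).get("vrrp", {})
        for key, (vip, role) in c["vrrp"].items():  # same VIP on both peers, one active and one standby
            vip_b, role_b = vb.get(key, ("", ""))
            if vip_b != vip or {role, role_b} != {"active", "standby"}:
                findings.append(f"{name}: VRRP vrid {key[1]} on {key[0]} inconsistent between peers")
    return findings
```

The NAT and blackhole checks run against the first argument, so call both `audit(FW_A, FW_B)` and `audit(FW_B, FW_A)` to cover each member of the pair.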
Updated: 2019-06-17

Document ID: EDOC1100087920