Application of Firewalls in the SCG Carrier Scenario


Application of the Firewalls in the SCG Carrier Scenario

Introduction

This section describes the application of the firewall in the Service Control Gateway (SCG) carrier scenario. By analyzing the security issues faced by the SCG, this section provides a typical application solution of the firewall.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00 and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

SCG Overview

The Service Control Gateway (SCG) is a wireless comprehensive gateway product developed by Huawei. The SCG provides not only service-based charging and bandwidth control but also WAP/HTTP service awareness and conversion, access control, Ad insertion, and malicious URL filtering. Figure 1-1 shows the position of the SCG on the network. Terminal users access the SCG over the bearer network of a carrier, and the SP/CP provides services for terminal users through the SCG. The FWs are deployed on the uplink and downlink sides of the SCG and provide NAT, interzone isolation, and border protection functions.

Figure 1-1 Application of the firewall in the SCG scenario

NOTE:

The SCG works in explicit or transparent proxy mode based on WAP/HTTP service awareness.

  • Explicit proxy (WAPGW)

    The SCG provides gateway services. In this mode, service access users must set the SCG address as the gateway address on their clients. After receiving a user request, the SCG translates the user address into the SCG address and connects to the Internet.

  • Transparent proxy (Proxy)

    The SCG is similar to a router and does not provide gateway services. In this mode, service access users do not need to set gateway addresses on their clients. User requests are routed to the SCG through network devices. After receiving a user request, the SCG uses the client IP address to connect to the web server. This prevents the service denial or verification-code prompts that web servers impose when many users share the same post-NAT address, as happens in explicit proxy mode.

Traffic Models

The GGSN and uplink FW establish a GRE tunnel. The GGSN sends service traffic through the GRE tunnel to the uplink FW to access the SCG. The SCG performs WAP/HTTP service awareness and translation and sends the traffic to the downlink FW. The downlink FW performs NAT and sends the traffic to the Internet.

NOTE:

The GGSN sends user information to the RADIUS server for authentication. If the authentication succeeds, the RADIUS server sends the user information to the FW at the uplink side.

Solution Design

Typical Networking

Networking diagram

As shown in Figure 1-2, the FWs are deployed at the uplink and downlink sides of the SCG respectively, and the service interfaces of the FWs work at Layer 3. The FW at the uplink side connects to the GGSN via a switch, and the FW at the downlink side connects to the Internet via a router.

Service traffic, such as mobile phone traffic, at the GGSN side reaches the SCG through FW_A and then is forwarded by FW_C to the Internet. OSPF is enabled on the upstream interface of the FW, and VRRP is enabled on the downstream interface of the FW.

Hot standby in active/standby mode is carried out between FW_A and FW_B and between FW_C and FW_D. When services at the uplink side are operating properly, the traffic that enters the SCG is forwarded by FW_A. If FW_A fails, the traffic is forwarded by FW_B. When services at the downlink side are operating properly, the traffic that leaves the SCG is forwarded by FW_C. If FW_C fails, the traffic is forwarded by FW_D. In this way, service continuity at both sides of the SCG is ensured.

NOTE:

Root systems and virtual systems are designed for the FWs. The root systems of the FWs are configured as the FWs at the uplink side and carry out hot standby. The virtual systems of the FWs are configured as the FWs at the downlink side and carry out hot standby.

In this scenario, only hot standby in active/standby mode is supported.

Figure 1-2 Application of the FWs in the SCG networking

Reliability Analysis

Figure 1-3 shows the active/standby switchovers when FW_A in the active state at the uplink side and its link become faulty and recover. The active/standby switchover processes are as follows:

  • Switchover in case of a fault

    When FW_A and its link fail, FW_B becomes the active firewall, and the route is switched to FW_B.

  • Switchover in case of fault recovery

    After FW_A and its link recover, FW_A preempts to become the active firewall, and the route and traffic are switched back to FW_A.

Figure 1-3 Switchover in case of a fault at the uplink side

Figure 1-4 shows the active/standby switchovers when FW_C in the active state and its link become faulty and recover. The active/standby switchover processes are as follows:

  • Switchover in case of a fault

    When FW_C and its connected link fail, FW_D becomes the active firewall, and the route is switched to FW_D.

  • Switchover in case of fault recovery

    After FW_C and its link recover, FW_C preempts to become the active firewall, and the route and traffic are switched back to FW_C.

Figure 1-4 Switchover in case of a fault at the downlink side

Service Planning

Interfaces and Security Zones

To prevent communication failures between the active and standby firewalls caused by a heartbeat interface fault, an Eth-Trunk interface is recommended as the heartbeat interface. On devices that accept multiple NICs (see the hardware guide for the supported models), use an inter-board Eth-Trunk, that is, place the member interfaces of the Eth-Trunk on different LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. On devices that do not support interface expansion or inter-board Eth-Trunks, a faulty LPU may make all HRP backup channels unavailable and compromise services.

The upstream and downstream physical links must have the same bandwidth, and that bandwidth must exceed the peak traffic. Otherwise, traffic bursts cause congestion and affect services.

Table 1-1 describes the planning of interfaces and security zones on FW_A and FW_B, and Table 1-2 describes the planning of interfaces and security zones on FW_C and FW_D.

Table 1-1 Interface and security zone planning for FW_A and FW_B

Heartbeat interface

  • FW_A: Eth-Trunk0, member interfaces GE1/0/0 and GE1/0/1, IP address 10.10.0.1/24, security zone DMZ
  • FW_B: Eth-Trunk0, member interfaces GE1/0/0 and GE1/0/1, IP address 10.10.0.2/24, security zone DMZ

Service interface connected to the GGSN

  • FW_A: Eth-Trunk1, member interfaces GE1/0/2 and GE1/0/3
    • Subinterface Eth-Trunk1.1: associated VLAN ID 11, IP address 10.2.0.1/24, security zone Untrust
    • Subinterface Eth-Trunk1.2: associated VLAN ID 12, IP address 10.2.2.1/24, security zone Untrust
  • FW_B: Eth-Trunk1, member interfaces GE1/0/2 and GE1/0/3
    • Subinterface Eth-Trunk1.1: associated VLAN ID 11, IP address 10.2.0.2/24, security zone Untrust
    • Subinterface Eth-Trunk1.2: associated VLAN ID 12, IP address 10.2.2.2/24, security zone Untrust

Service interface connected to the SCG

  • FW_A: Eth-Trunk2, member interfaces GE1/0/4 and GE1/0/5
    • Subinterface Eth-Trunk2.1: associated VLAN ID 21, IP address 10.3.0.1/24, security zone Trust
  • FW_B: Eth-Trunk2, member interfaces GE1/0/4 and GE1/0/5
    • Subinterface Eth-Trunk2.1: associated VLAN ID 21, IP address 10.3.0.2/24, security zone Trust

Table 1-2 Interface and security zone planning for FW_C and FW_D

Heartbeat interface

  • FW_C: Eth-Trunk0, member interfaces GE1/0/0 and GE1/0/1, IP address 10.10.0.3/24, security zone DMZ
  • FW_D: Eth-Trunk0, member interfaces GE1/0/0 and GE1/0/1, IP address 10.10.0.4/24, security zone DMZ

Interface connected to the Internet

  • FW_C: Eth-Trunk1, member interfaces GE1/0/2 and GE1/0/3
    • Subinterface Eth-Trunk1.1: associated VLAN ID 11, IP address 10.2.1.1/24, security zone Untrust
  • FW_D: Eth-Trunk1, member interfaces GE1/0/2 and GE1/0/3
    • Subinterface Eth-Trunk1.1: associated VLAN ID 11, IP address 10.2.1.2/24, security zone Untrust

Service interface connected to the SCG

  • FW_C: Eth-Trunk2, member interfaces GE1/0/4 and GE1/0/5
    • Subinterface Eth-Trunk2.1: associated VLAN ID 21, IP address 10.3.1.1/24, security zone Trust
  • FW_D: Eth-Trunk2, member interfaces GE1/0/4 and GE1/0/5
    • Subinterface Eth-Trunk2.1: associated VLAN ID 21, IP address 10.3.1.2/24, security zone Trust

Availability

Hot standby in active/standby mode is carried out between FW_A and FW_B and between FW_C and FW_D. When services at the uplink side are operating properly, the traffic that enters the SCG is forwarded by FW_A. If FW_A fails, the traffic is forwarded by FW_B. When services at the downlink side are operating properly, the traffic that leaves the SCG is forwarded by FW_C. If FW_C fails, the traffic is forwarded by FW_D. In this way, service continuity at both sides of the SCG is ensured. Table 1-3 describes the availability planning for FW_A and FW_B, and Table 1-4 describes the availability planning for FW_C and FW_D.

Table 1-3 Availability planning for FW_A and FW_B

| Item                                         | FW_A                  | FW_B                  |
|----------------------------------------------|-----------------------|-----------------------|
| Backup mode                                  | Active/standby backup | Active/standby backup |
| Heartbeat interface                          | Eth-Trunk0            | Eth-Trunk0            |
| Preemption delay                             | 300s                  | 300s                  |
| Monitoring interface                         | Eth-Trunk1            | Eth-Trunk1            |
| Function of automatically adjusting the cost | Enabled               | Enabled               |

Table 1-4 Availability planning for FW_C and FW_D

| Item                                         | FW_C                  | FW_D                  |
|----------------------------------------------|-----------------------|-----------------------|
| Backup mode                                  | Active/standby backup | Active/standby backup |
| Heartbeat interface                          | Eth-Trunk0            | Eth-Trunk0            |
| Preemption delay                             | 300s                  | 300s                  |
| Monitoring interface                         | Eth-Trunk1            | Eth-Trunk1            |
| Function of automatically adjusting the cost | Enabled               | Enabled               |

GRE Tunnels

GRE tunnels are established between the GGSN and two private networks connected to the uplink FW so that the two network segments can communicate. In this way, service traffic, such as mobile phone traffic, can reach the FW over the GRE tunnels. In this section, two GRE tunnels are planned. Table 1-5 describes the GRE tunnel planning.

NOTE:

Plan the number of GRE tunnels based on actual service requirements.

Table 1-5 GRE tunnel planning

Loopback interfaces

  • FW_A: Loopback1 address 10.2.0.10/32; Loopback2 address 10.2.0.11/32
  • FW_B: Loopback1 address 10.2.0.12/32; Loopback2 address 10.2.0.13/32

Tunnel interface 1 (same encapsulation parameters on FW_A and FW_B)

  • Encapsulation protocol: GRE
  • MTU: 1476
  • Source address: Loopback1
  • Key: 123456
  • Security zone: tunnelzone

Tunnel interface 2 (same encapsulation parameters on FW_A and FW_B)

  • Encapsulation protocol: GRE
  • MTU: 1476
  • Source address: Loopback2
  • Key: 123456
  • Security zone: tunnelzone

Route (FW_A and FW_B)

OSPF is used to advertise routes that direct traffic to a specific GRE tunnel.

  • network 172.16.2.0 0.0.0.255 (tunnel interface network segment)

Security policy (FW_A and FW_B)

Permit GRE packets.

  • Configure a security policy to permit pre-encapsulated GRE packets.
  • Configure a security policy to permit encapsulated GRE packets.
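GRE encapsulation with the key planned in Table 1-5, as an added example and not Huawei code: it builds and parses the RFC 2784/2890 header with key 123456 and drops packets whose key does not match, and it works out from the header sizes which inner packet length still fits the physical link. The 1500-byte link MTU and the packet contents are assumptions made for the example.

```python
import struct
from typing import Optional

# GRE header bits (RFC 2784, RFC 2890). Tunnel values are the ones planned in Table 1-5.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
GRE_PROTO_IPV4 = 0x0800

OUTER_IPV4_HEADER = 20   # outer IPv4 header added by the tunnel, no options
GRE_BASE_HEADER = 4      # flags/version + protocol type
GRE_OPTIONAL_FIELD = 4   # checksum, key and sequence number each add 4 bytes
LINK_MTU = 1500          # assumed Ethernet MTU of the Eth-Trunk links
TUNNEL_MTU = 1476        # MTU planned for the tunnel interfaces
TUNNEL_KEY = 123456      # GRE key planned for both tunnels


def gre_encapsulate(inner_packet: bytes, key: int = TUNNEL_KEY) -> bytes:
    """Prepend a keyed GRE header (K flag set) to an inner IPv4 packet.

    The result is the GRE payload of the outer IPv4 packet sent from the
    loopback source address towards the GGSN.
    """
    header = struct.pack("!HHI", GRE_FLAG_KEY, GRE_PROTO_IPV4, key)
    return header + inner_packet


def gre_decapsulate(gre_payload: bytes, expected_key: int = TUNNEL_KEY) -> Optional[bytes]:
    """Strip the GRE header and return the inner packet, or None when the
    packet must be dropped: missing or wrong key, or non-IPv4 payload."""
    if len(gre_payload) < GRE_BASE_HEADER:
        return None
    flags, proto = struct.unpack("!HH", gre_payload[:GRE_BASE_HEADER])
    offset = GRE_BASE_HEADER
    if flags & GRE_FLAG_CHECKSUM:          # checksum + reserved1 field
        offset += GRE_OPTIONAL_FIELD
    key = None
    if flags & GRE_FLAG_KEY:
        if len(gre_payload) < offset + GRE_OPTIONAL_FIELD:
            return None
        (key,) = struct.unpack("!I", gre_payload[offset:offset + GRE_OPTIONAL_FIELD])
        offset += GRE_OPTIONAL_FIELD
    if flags & GRE_FLAG_SEQUENCE:
        offset += GRE_OPTIONAL_FIELD
    if key != expected_key or proto != GRE_PROTO_IPV4 or len(gre_payload) < offset:
        return None
    return gre_payload[offset:]


def outer_length(inner_length: int, keyed: bool = True) -> int:
    """Size of the encapsulated packet on the wire for a given inner packet size."""
    return OUTER_IPV4_HEADER + GRE_BASE_HEADER + (GRE_OPTIONAL_FIELD if keyed else 0) + inner_length


def max_inner_length(link_mtu: int = LINK_MTU, keyed: bool = True) -> int:
    """Largest inner packet whose outer packet needs no fragmentation on the link."""
    return link_mtu - OUTER_IPV4_HEADER - GRE_BASE_HEADER - (GRE_OPTIONAL_FIELD if keyed else 0)


def fits_link(inner_length: int, keyed: bool = True, link_mtu: int = LINK_MTU) -> bool:
    return outer_length(inner_length, keyed) <= link_mtu


if __name__ == "__main__":
    # Constructed 40-byte inner IPv4 packet: a version/IHL byte plus padding.
    inner = bytes([0x45]) + bytes(39)
    wire = gre_encapsulate(inner)
    print("GRE payload bytes:", len(wire))
    print("inner recovered with right key:", gre_decapsulate(wire) == inner)
    print("wrong key dropped:", gre_decapsulate(wire, 654321) is None)
    print("1476-byte inner with key fits the link:", fits_link(TUNNEL_MTU))
    print("largest keyed inner packet:", max_inner_length())
```

Note that the 4-byte key field makes a full 1476-byte inner packet 1504 bytes on the wire, so on a 1500-byte link the outer packet is fragmented; lowering the tunnel MTU to 1472 avoids that.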

Security Policies

This section describes how to configure security policies to permit packet exchanges between security zones. Table 1-6 describes the security policy planning of FW_A and FW_B, and Table 1-7 describes the security policy planning of FW_C and FW_D.

Table 1-6 Security policy planning for FW_A and FW_B

| Item               | Data Flow Direction | Description                                                                    |
|--------------------|---------------------|--------------------------------------------------------------------------------|
| trust - tunnelzone | Outbound            | Security policy for pre-encapsulated GRE packets                               |
| trust - tunnelzone | Inbound             | Security policy for pre-encapsulated GRE packets                               |
| local - dmz        | Outbound            | Security policy for the backup interfaces of the active and standby firewalls  |
| local - dmz        | Inbound             | Security policy for the backup interfaces of the active and standby firewalls  |
| local - untrust    | Outbound            | Security policy for encapsulated GRE packets                                   |
| local - untrust    | Inbound             | Security policy for encapsulated GRE packets                                   |

Table 1-7 Security policy planning for FW_C and FW_D

| Item            | Data Flow Direction | Description                                                                    |
|-----------------|---------------------|--------------------------------------------------------------------------------|
| local - dmz     | Outbound            | Security policy for the backup interfaces of the active and standby firewalls  |
| local - dmz     | Inbound             | Security policy for the backup interfaces of the active and standby firewalls  |
| trust - untrust | Outbound            | Security policy for implementing source NAT for private addresses              |
| trust - untrust | Inbound             | Security policy for implementing source NAT for private addresses              |

NAT

The GGSN sends user information to the RADIUS server for authentication. If the authentication succeeds, the RADIUS server sends the user information to the FW. The NAT Server function is configured at the SCG side to translate private addresses of the SCG network into public addresses for the RADIUS server to access, as listed in Table 1-8.

NOTE:

You are advised to set the number of public addresses of the downlink firewall to [Maximum number of online users x 60%]/[2 x 60000].

Table 1-8 NAT Server planning

| Item               | FW_A      | FW_B      |
|--------------------|-----------|-----------|
| Public IP address  | 3.3.3.3   | 3.3.3.3   |
| Private IP address | 10.3.0.10 | 10.3.0.10 |

The FW needs to perform NAT for traffic sent by users connected to the SCG so that these users can use post-NAT addresses (public addresses) to access Internet services. NAT saves public address resources and improves intranet security.

The FW usually uses NAT PAT. Table 1-9 describes the NAT address pool planning. The active and standby firewalls must have the same NAT address pool planning.

Table 1-9 NAT address pool planning

| Item                          | FW_C               | FW_D               |
|-------------------------------|--------------------|--------------------|
| Security zone                 | Trust - Untrust    | Trust - Untrust    |
| Direction                     | Outbound           | Outbound           |
| Action                        | source-nat         | source-nat         |
| Addresses in the address pool | 1.1.1.6 to 1.1.1.10 | 1.1.1.6 to 1.1.1.10 |

Routes

As shown in Figure 1-5, the egress gateways of the SCG are the FWs at its uplink and downlink sides. OSPF process 1 is planned on FW_A and FW_B to connect to the GGSN, and OSPF process 2 is planned on FW_C and FW_D to connect to the Internet.

The route planning is as follows:

  • The FW advertises routes through OSPF.
  • A black-hole route is configured on FW_C and FW_D.
  • The firewalls work in active/standby mode. Therefore, the recommended interface cost is 10 on the active firewall and 1000 on the standby firewall. The firewall adjusts the OSPF cost based on the HRP status so that service traffic follows the active firewall.

NOTE:

Different costs are set on the FW interfaces that advertise the routes from the firewalls to the SCG towards the GGSN and the Internet, so that return packets are sent to the active firewalls.

The Holddown timer and Multipath parameter use their default values on the Layer 2 switch at the GGSN side and the router at the Internet side.
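The switchover, cost adjustment and delayed preemption described under Reliability Analysis and in the route planning, as an added simulation that is not Huawei code: the OSPF neighbour picks the lower-cost firewall, the cost follows the HRP state (10 active, 1000 standby), and a recovered FW_A waits out the 300-second preemption delay. The event timeline is constructed; the same model applies to FW_C/FW_D.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIVE_COST = 10          # recommended cost on the active firewall (Table 1-10)
STANDBY_COST = 1000       # recommended cost on the standby firewall
PREEMPT_DELAY = 300       # hrp preempt delay 300 (seconds)


@dataclass
class Firewall:
    name: str
    preferred: bool                  # the device meant to be active when healthy
    link_up: bool = True             # state of the monitored upstream interface
    active: bool = False

    @property
    def ospf_cost(self) -> int:
        # hrp ospf-cost adjust-enable: the advertised cost follows the HRP state
        return ACTIVE_COST if self.active else STANDBY_COST


class HrpPair:
    """Active/standby pair such as FW_A/FW_B with preemption after a delay."""

    def __init__(self, preferred: str, other: str) -> None:
        self.fw = {preferred: Firewall(preferred, True, active=True),
                   other: Firewall(other, False)}
        self.preempt_at: Optional[int] = None

    def active_name(self) -> str:
        return next(f.name for f in self.fw.values() if f.active)

    def _switch_to(self, name: str) -> None:
        for f in self.fw.values():
            f.active = (f.name == name)

    def link_fault(self, name: str, now: int) -> None:
        fw = self.fw[name]
        fw.link_up = False
        self.preempt_at = None            # a new fault cancels any pending preemption
        if fw.active:
            # monitored interface down: the peer takes over immediately
            other = next(f for f in self.fw.values() if f.name != name)
            if other.link_up:
                self._switch_to(other.name)

    def link_recovery(self, name: str, now: int) -> None:
        fw = self.fw[name]
        fw.link_up = True
        if fw.preferred and not fw.active:
            self.preempt_at = now + PREEMPT_DELAY   # start the preemption timer

    def tick(self, now: int) -> None:
        """Advance time; preemption happens once the delay has elapsed."""
        if self.preempt_at is not None and now >= self.preempt_at:
            preferred = next(f for f in self.fw.values() if f.preferred)
            if preferred.link_up:
                self._switch_to(preferred.name)
            self.preempt_at = None

    def neighbour_next_hop(self) -> str:
        """The device the GGSN-side OSPF neighbour forwards to: the lowest cost."""
        return min(self.fw.values(), key=lambda f: f.ospf_cost).name


def run_timeline(events: List[Tuple[int, str, str]], until: int, step: int = 10) -> Dict[int, str]:
    """Replay (time, 'fault' | 'recovery', device) events and record which
    firewall carries the traffic at every step."""
    pair = HrpPair("FW_A", "FW_B")
    history: Dict[int, str] = {}
    pending = sorted(events)
    for now in range(0, until + 1, step):
        while pending and pending[0][0] <= now:
            _, kind, dev = pending.pop(0)
            (pair.link_fault if kind == "fault" else pair.link_recovery)(dev, now)
        pair.tick(now)
        history[now] = pair.neighbour_next_hop()
    return history


if __name__ == "__main__":
    # Constructed timeline: FW_A's upstream link fails at t=100s and recovers at t=200s.
    for t, fw in run_timeline([(100, "fault", "FW_A"), (200, "recovery", "FW_A")], until=600, step=100).items():
        print(f"t={t:>3}s forwarding firewall: {fw}")
```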

Figure 1-5 Route Planning

Table 1-10 describes route planning for FW_A and FW_B.

Table 1-10 Route planning for FW_A and FW_B

| Item                     | FW_A                                   | FW_B                                   |
|--------------------------|----------------------------------------|----------------------------------------|
| Protocol type            | OSPF                                   | OSPF                                   |
| Area ID                  | 0.0.0.0                                | 0.0.0.0                                |
| Process ID               | 1                                      | 1                                      |
| Authentication mode      | MD5                                    | MD5                                    |
| Authentication password  | Huawei-123                             | Huawei-123                             |
| Cost                     | 10                                     | 1000                                   |
| Hello interval           | 30s                                    | 30s                                    |
| OSPF interface mode      | P2P                                    | P2P                                    |
| SPF calculation interval | Default value                          | Default value                          |
| Network segment          | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255 | 10.2.0.0 0.0.0.255; 10.3.0.0 0.0.0.255 |

NOTE:

You can set an authentication password as required.

Table 1-11 describes route planning for FW_C and FW_D.

Table 1-11 Route planning for FW_C and FW_D

| Item                     | FW_C                                   | FW_D                                   |
|--------------------------|----------------------------------------|----------------------------------------|
| Protocol type            | OSPF                                   | OSPF                                   |
| Area ID                  | 0.0.0.0                                | 0.0.0.0                                |
| Process ID               | 2                                      | 2                                      |
| Authentication mode      | MD5                                    | MD5                                    |
| Authentication password  | Huawei-123                             | Huawei-123                             |
| Cost                     | 10                                     | 1000                                   |
| Hello interval           | 30s                                    | 30s                                    |
| OSPF interface mode      | P2P                                    | P2P                                    |
| SPF calculation interval | Default value                          | Default value                          |
| Network segment          | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255 | 10.2.1.0 0.0.0.255; 10.3.1.0 0.0.0.255 |

NOTE:

You can set an authentication password as required.

Configure a black-hole route on both FW_C and FW_D to avoid routing loops.

  • Destination addresses: 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10
  • Next-hop address: NULL0
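Why the black-hole routes for the NAT pool in Table 1-9 matter, as an added model of FW_C that is not Huawei code: a return packet from the Internet is first matched against the source-NAT session table; without a session, the /32 NULL0 routes drop it, whereas without them the default route sends it back to the Internet router, which returns it, until the TTL expires. The router address 10.2.1.254, the session entries and the assumption that the router routes the pool towards the firewall are constructed for the example; the sizing helpers apply the page's formula [Maximum number of online users x 60%]/[2 x 60000].

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Planned values from Table 1-9 and Table 1-11.
NAT_POOL = [ipaddress.ip_address(f"1.1.1.{i}") for i in range(6, 11)]
SCG_SEGMENT = ipaddress.ip_network("10.3.1.0/24")
INTERNET_ROUTER = "10.2.1.254"   # assumed address of the Internet router (not on the page)
PORTS_PER_ADDRESS = 2 * 60000    # denominator of the page's sizing formula

Route = Tuple[ipaddress.IPv4Network, str]


class DownlinkFirewall:
    """Minimal model of FW_C: longest-prefix-match routing table plus a
    source-NAT session table keyed by (public address, public port)."""

    def __init__(self, blackhole: bool) -> None:
        self.routes: List[Route] = [
            (ipaddress.ip_network("0.0.0.0/0"), INTERNET_ROUTER),  # learned via OSPF process 2
            (SCG_SEGMENT, "Eth-Trunk2.1"),                          # directly connected
        ]
        if blackhole:
            self.routes += [(ipaddress.ip_network(f"{a}/32"), "NULL0") for a in NAT_POOL]
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_session(self, private: Tuple[str, int], public: Tuple[str, int]) -> None:
        """Record a source-NAT (PAT) translation created by outbound traffic."""
        self.sessions[public] = private

    def lookup(self, dst: str) -> str:
        best: Optional[Route] = None
        addr = ipaddress.ip_address(dst)
        for net, nexthop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else "no-route"

    def handle_return_packet(self, dst: str, dport: int) -> str:
        """Return traffic from the Internet: session match first, then routing."""
        private = self.sessions.get((dst, dport))
        if private:
            return f"translate-to:{private[0]}:{private[1]}"
        nexthop = self.lookup(dst)
        return "drop:NULL0" if nexthop == "NULL0" else f"forward:{nexthop}"


def trace_return_packet(fw: DownlinkFirewall, dst: str, dport: int, ttl: int = 64) -> Tuple[str, int]:
    """Bounce a packet between the Internet router and the firewall until it is
    delivered, dropped, or its TTL expires; the router always sends pool
    addresses back to the firewall. Returns (outcome, hops consumed)."""
    hops = 0
    while ttl > 0:
        ttl -= 1
        hops += 1
        result = fw.handle_return_packet(dst, dport)
        if result.startswith("translate-to") or result == "drop:NULL0":
            return result, hops
        ttl -= 1          # one more hop through the router, which hands it back
        hops += 1
    return "ttl-expired", hops


def users_supported(pool_size: int) -> int:
    """Invert the sizing rule: how many online users a pool of this size covers."""
    return pool_size * PORTS_PER_ADDRESS * 10 // 6


def pool_addresses_needed(max_online_users: int) -> int:
    """Apply the sizing rule, rounding up to whole public addresses."""
    denominator = 10 * PORTS_PER_ADDRESS
    return (max_online_users * 6 + denominator - 1) // denominator


if __name__ == "__main__":
    with_bh, without_bh = DownlinkFirewall(blackhole=True), DownlinkFirewall(blackhole=False)
    for fw in (with_bh, without_bh):
        fw.add_session(("10.3.1.20", 40000), ("1.1.1.6", 10001))   # constructed session
    print("known session:", with_bh.handle_return_packet("1.1.1.6", 10001))
    print("unused pool address, black hole:", trace_return_packet(with_bh, "1.1.1.8", 5555))
    print("unused pool address, no black hole:", trace_return_packet(without_bh, "1.1.1.8", 5555))
    print("users covered by 5 addresses:", users_supported(len(NAT_POOL)))
```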

Others

ASPF

If multi-channel protocols, such as FTP, RTSP, and PPTP, are used between zones, run the detect command in the interzone view. Recommended detect commands are as follows:

detect rtsp

detect ftp

detect pptp

NOTE:

The detect qq and detect msn commands are not recommended in the interzone view.

Attack Defense

Attack defense is configured on the FWs to provide security protection. Recommended attack defense configuration commands are as follows:

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable
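Detection logic for the attack classes named in the commands above, as an added example and not Huawei's implementation: each check is the textbook signature of the attack (land, smurf, fraggle, winnuke, tcp-flag, ping-of-death, ip-fragment, teardrop, and the source-route, route-record and time-stamp IP options), applied to constructed packet records rather than live traffic.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# IPv4 option type codes (RFC 791) behind the source-route, route-record and time-stamp defenses.
IP_OPT_RECORD_ROUTE = 7
IP_OPT_TIMESTAMP = 68
IP_OPT_LOOSE_SOURCE_ROUTE = 131
IP_OPT_STRICT_SOURCE_ROUTE = 137
NETBIOS_PORTS = (137, 138, 139)
ECHO_PORT, CHARGEN_PORT = 7, 19
ICMP_ECHO_REQUEST = 8
MAX_IP_PAYLOAD = 65535 - 20      # largest reassembled payload behind a 20-byte IPv4 header
ALL_TCP_FLAGS = frozenset({"URG", "ACK", "PSH", "RST", "SYN", "FIN"})


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; a real sensor would fill it from a parsed frame."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None
    ip_options: Tuple[int, ...] = ()
    frag_offset: int = 0             # in bytes (header field x 8)
    payload_len: int = 0             # bytes after the IP header
    more_fragments: bool = False
    dst_is_broadcast: bool = False


def _invalid_tcp_flags(flags: FrozenSet[str]) -> bool:
    """Flag combinations that never occur in a legitimate TCP segment."""
    if not flags or flags == ALL_TCP_FLAGS:
        return True
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return True
    if {"FIN", "URG", "PSH"} <= flags and "ACK" not in flags:   # Xmas-scan pattern
        return True
    return False


def classify_packet(p: Packet) -> List[str]:
    """Names of the defenses (as in 'firewall defend <name> enable') that one packet triggers."""
    hits: List[str] = []
    if p.proto == "tcp" and p.src == p.dst and "SYN" in p.tcp_flags:
        hits.append("land")
    if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST and p.dst_is_broadcast:
        hits.append("smurf")
    if p.proto == "udp" and p.dst_is_broadcast and p.dport in (ECHO_PORT, CHARGEN_PORT):
        hits.append("fraggle")
    if p.proto == "tcp" and "URG" in p.tcp_flags and p.dport in NETBIOS_PORTS:
        hits.append("winnuke")
    if p.proto == "tcp" and _invalid_tcp_flags(p.tcp_flags):
        hits.append("tcp-flag")
    if p.frag_offset + p.payload_len > MAX_IP_PAYLOAD:
        hits.append("ping-of-death" if p.proto == "icmp" else "ip-fragment")
    if IP_OPT_LOOSE_SOURCE_ROUTE in p.ip_options or IP_OPT_STRICT_SOURCE_ROUTE in p.ip_options:
        hits.append("source-route")
    if IP_OPT_RECORD_ROUTE in p.ip_options:
        hits.append("route-record")
    if IP_OPT_TIMESTAMP in p.ip_options:
        hits.append("time-stamp")
    return hits


def classify_fragments(frags: Sequence[Packet]) -> List[str]:
    """Check one reassembly group (same src/dst/protocol/ID) for teardrop-style
    overlapping fragments and for a reassembled size over the IPv4 limit."""
    ordered = sorted(frags, key=lambda f: f.frag_offset)
    hits: List[str] = []
    end = 0
    for f in ordered:
        if f.frag_offset < end:          # this fragment overlaps the previous one
            hits.append("teardrop")
            break
        end = f.frag_offset + f.payload_len
    total = max(f.frag_offset + f.payload_len for f in ordered)
    if total > MAX_IP_PAYLOAD:
        hits.append("ping-of-death" if ordered[0].proto == "icmp" else "ip-fragment")
    return hits


if __name__ == "__main__":
    samples = [
        Packet("10.3.0.9", "10.3.0.9", "tcp", 80, 80, frozenset({"SYN"})),
        Packet("1.2.3.4", "10.3.0.255", "icmp", icmp_type=8, dst_is_broadcast=True),
        Packet("1.2.3.4", "10.3.0.9", "tcp", 40000, 80, frozenset({"SYN", "FIN"})),
        Packet("1.2.3.4", "10.3.0.9", "tcp", 40000, 80, frozenset({"SYN"})),   # benign
    ]
    for pkt in samples:
        print(pkt.proto, pkt.src, "->", pkt.dst, sorted(pkt.tcp_flags), classify_packet(pkt) or "clean")
```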

NMS (SNMP)

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol on TCP/IP networks. Configure the SNMP agent on the FW so that the NMS server can manage the FWs.

Precautions

Hot Standby

  • In this scenario, only hot standby in active/standby mode is supported.
  • The recommended HRP preemption delay is 300s.
  • The traffic bandwidth of the heartbeat interface must not be less than 20% of device traffic.
  • The interfaces connecting the FWs at the uplink and downlink sides to the intranet switches need to be added to link groups.

Routes

  • Different costs are set for FW interfaces to advertise the routes from the firewalls to the SCG to the GGSN and Internet so that return packets will be sent to the active firewalls.
  • The Holddown timer and Multipath parameter use their default values on the Layer 2 switch at the GGSN side and the router at the Internet side.

NAT

You are advised to set the number of public addresses of the downlink firewall to [Maximum number of online users x 60%]/[2 x 60000].

ASPF

The detect qq and detect msn commands are not recommended in the interzone view.

Attack Defense

You are advised to use the recommended attack defense configuration.

Solution Configuration

Procedure

Configuring Interfaces and Security Zones

Procedure
  1. Configure interfaces and security zones for FW_A.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_A> system-view 
    [FW_A] interface Eth-Trunk 0 
    [FW_A-Eth-Trunk0] description To_FW_B 
    [FW_A-Eth-Trunk0] ip address 10.10.0.1 24 
    [FW_A-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 1 
    [FW_A-Eth-Trunk1] quit 
    [FW_A] interface Eth-Trunk 1.1 
    [FW_A-Eth-Trunk1.1] description To_GGSN1 
    [FW_A-Eth-Trunk1.1] ip address 10.2.0.1 24 
    [FW_A-Eth-Trunk1.1] vlan-type dot1q 11 
    [FW_A-Eth-Trunk1.1] quit

    # Create Eth-Trunk 1.2 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 1.2 
    [FW_A-Eth-Trunk1.2] description To_GGSN2 
    [FW_A-Eth-Trunk1.2] ip address 10.2.2.1 24 
    [FW_A-Eth-Trunk1.2] vlan-type dot1q 12 
    [FW_A-Eth-Trunk1.2] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_A] interface Eth-Trunk 2 
    [FW_A-Eth-Trunk2] quit 
    [FW_A] interface Eth-Trunk 2.1 
    [FW_A-Eth-Trunk2.1] description To_SCG 
    [FW_A-Eth-Trunk2.1] ip address 10.3.0.1 24 
    [FW_A-Eth-Trunk2.1] vlan-type dot1q 21 
    [FW_A-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_A] interface GigabitEthernet 1/0/0 
    [FW_A-GigabitEthernet1/0/0] eth-trunk 0 
    [FW_A-GigabitEthernet1/0/0] quit 
    [FW_A] interface GigabitEthernet 1/0/1 
    [FW_A-GigabitEthernet1/0/1] eth-trunk 0 
    [FW_A-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_A] interface GigabitEthernet 1/0/2 
    [FW_A-GigabitEthernet1/0/2] eth-trunk 1 
    [FW_A-GigabitEthernet1/0/2] quit 
    [FW_A] interface GigabitEthernet 1/0/3 
    [FW_A-GigabitEthernet1/0/3] eth-trunk 1 
    [FW_A-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_A] interface GigabitEthernet 1/0/4 
    [FW_A-GigabitEthernet1/0/4] eth-trunk 2 
    [FW_A-GigabitEthernet1/0/4] quit 
    [FW_A] interface GigabitEthernet 1/0/5 
    [FW_A-GigabitEthernet1/0/5] eth-trunk 2 
    [FW_A-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_A] firewall zone name dmz 
    [FW_A-zone-dmz] add interface Eth-Trunk 0 
    [FW_A-zone-dmz] quit

    # Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.

    [FW_A] firewall zone untrust 
    [FW_A-zone-untrust] add interface Eth-Trunk 1.1 
    [FW_A-zone-untrust] add interface Eth-Trunk 1.2 
    [FW_A-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_A] firewall zone trust 
    [FW_A-zone-trust] add interface Eth-Trunk 2.1 
    [FW_A-zone-trust] quit

  2. Configure interfaces and security zones for FW_B.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_B> system-view 
    [FW_B] interface Eth-Trunk 0 
    [FW_B-Eth-Trunk0] description To_FW_A 
    [FW_B-Eth-Trunk0] ip address 10.10.0.2 24 
    [FW_B-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 1 
    [FW_B-Eth-Trunk1] quit 
    [FW_B] interface Eth-Trunk 1.1 
    [FW_B-Eth-Trunk1.1] description To_GGSN1 
    [FW_B-Eth-Trunk1.1] ip address 10.2.0.2 24 
    [FW_B-Eth-Trunk1.1] vlan-type dot1q 11 
    [FW_B-Eth-Trunk1.1] quit

    # Create Eth-Trunk 1.2 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 1.2 
    [FW_B-Eth-Trunk1.2] description To_GGSN2 
    [FW_B-Eth-Trunk1.2] ip address 10.2.2.2 24 
    [FW_B-Eth-Trunk1.2] vlan-type dot1q 12 
    [FW_B-Eth-Trunk1.2] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_B] interface Eth-Trunk 2 
    [FW_B-Eth-Trunk2] quit 
    [FW_B] interface Eth-Trunk 2.1 
    [FW_B-Eth-Trunk2.1] description To_SCG 
    [FW_B-Eth-Trunk2.1] ip address 10.3.0.2 24 
    [FW_B-Eth-Trunk2.1] vlan-type dot1q 21 
    [FW_B-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_B] interface GigabitEthernet 1/0/0 
    [FW_B-GigabitEthernet1/0/0] eth-trunk 0 
    [FW_B-GigabitEthernet1/0/0] quit 
    [FW_B] interface GigabitEthernet 1/0/1 
    [FW_B-GigabitEthernet1/0/1] eth-trunk 0 
    [FW_B-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_B] interface GigabitEthernet 1/0/2 
    [FW_B-GigabitEthernet1/0/2] eth-trunk 1 
    [FW_B-GigabitEthernet1/0/2] quit 
    [FW_B] interface GigabitEthernet 1/0/3 
    [FW_B-GigabitEthernet1/0/3] eth-trunk 1 
    [FW_B-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_B] interface GigabitEthernet 1/0/4 
    [FW_B-GigabitEthernet1/0/4] eth-trunk 2 
    [FW_B-GigabitEthernet1/0/4] quit 
    [FW_B] interface GigabitEthernet 1/0/5 
    [FW_B-GigabitEthernet1/0/5] eth-trunk 2 
    [FW_B-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_B] firewall zone name dmz 
    [FW_B-zone-dmz] add interface Eth-Trunk 0 
    [FW_B-zone-dmz] quit

    # Assign Eth-Trunk 1.1 and Eth-Trunk 1.2 to the untrust zone.

    [FW_B] firewall zone untrust 
    [FW_B-zone-untrust] add interface Eth-Trunk 1.1 
    [FW_B-zone-untrust] add interface Eth-Trunk 1.2 
    [FW_B-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_B] firewall zone trust 
    [FW_B-zone-trust] add interface Eth-Trunk 2.1 
    [FW_B-zone-trust] quit

  3. Configure interfaces and security zones for FW_C.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_C> system-view 
    [FW_C] interface Eth-Trunk 0 
    [FW_C-Eth-Trunk0] description To_FW_D 
    [FW_C-Eth-Trunk0] ip address 10.10.0.3 24 
    [FW_C-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_C] interface Eth-Trunk 1 
    [FW_C-Eth-Trunk1] quit 
    [FW_C] interface Eth-Trunk 1.1 
    [FW_C-Eth-Trunk1.1] description To_Internet 
    [FW_C-Eth-Trunk1.1] ip address 10.2.1.1 24 
    [FW_C-Eth-Trunk1.1] vlan-type dot1q 11 
    [FW_C-Eth-Trunk1.1] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_C] interface Eth-Trunk 2 
    [FW_C-Eth-Trunk2] quit 
    [FW_C] interface Eth-Trunk 2.1 
    [FW_C-Eth-Trunk2.1] description To_SCG 
    [FW_C-Eth-Trunk2.1] ip address 10.3.1.1 24 
    [FW_C-Eth-Trunk2.1] vlan-type dot1q 21 
    [FW_C-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_C] interface GigabitEthernet 1/0/0 
    [FW_C-GigabitEthernet1/0/0] eth-trunk 0 
    [FW_C-GigabitEthernet1/0/0] quit 
    [FW_C] interface GigabitEthernet 1/0/1 
    [FW_C-GigabitEthernet1/0/1] eth-trunk 0 
    [FW_C-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_C] interface GigabitEthernet 1/0/2 
    [FW_C-GigabitEthernet1/0/2] eth-trunk 1 
    [FW_C-GigabitEthernet1/0/2] quit 
    [FW_C] interface GigabitEthernet 1/0/3 
    [FW_C-GigabitEthernet1/0/3] eth-trunk 1 
    [FW_C-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_C] interface GigabitEthernet 1/0/4 
    [FW_C-GigabitEthernet1/0/4] eth-trunk 2 
    [FW_C-GigabitEthernet1/0/4] quit 
    [FW_C] interface GigabitEthernet 1/0/5 
    [FW_C-GigabitEthernet1/0/5] eth-trunk 2 
    [FW_C-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_C] firewall zone name dmz 
    [FW_C-zone-dmz] add interface Eth-Trunk 0 
    [FW_C-zone-dmz] quit

    # Assign Eth-Trunk 1.1 to the untrust zone.

    [FW_C] firewall zone untrust 
    [FW_C-zone-untrust] add interface Eth-Trunk 1.1 
    [FW_C-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_C] firewall zone trust 
    [FW_C-zone-trust] add interface Eth-Trunk 2.1 
    [FW_C-zone-trust] quit

  4. Configure interfaces and security zones for FW_D.

    # Create Eth-Trunk 0 and configure an IP address for it.

    <FW_D> system-view 
    [FW_D] interface Eth-Trunk 0 
    [FW_D-Eth-Trunk0] description To_FW_C 
    [FW_D-Eth-Trunk0] ip address 10.10.0.4 24 
    [FW_D-Eth-Trunk0] quit

    # Create Eth-Trunk 1.1 and configure an IP address for it.

    [FW_D] interface Eth-Trunk 1 
    [FW_D-Eth-Trunk1] quit 
    [FW_D] interface Eth-Trunk 1.1 
    [FW_D-Eth-Trunk1.1] description To_Internet 
    [FW_D-Eth-Trunk1.1] ip address 10.2.1.2 24 
    [FW_D-Eth-Trunk1.1] vlan-type dot1q 11 
    [FW_D-Eth-Trunk1.1] quit

    # Create Eth-Trunk 2.1 and configure an IP address for it.

    [FW_D] interface Eth-Trunk 2 
    [FW_D-Eth-Trunk2] quit 
    [FW_D] interface Eth-Trunk 2.1 
    [FW_D-Eth-Trunk2.1] description To_SCG 
    [FW_D-Eth-Trunk2.1] ip address 10.3.1.2 24 
    [FW_D-Eth-Trunk2.1] vlan-type dot1q 21 
    [FW_D-Eth-Trunk2.1] quit

    # Add GigabitEthernet1/0/0 and GigabitEthernet1/0/1 to Eth-Trunk 0.

    [FW_D] interface GigabitEthernet 1/0/0 
    [FW_D-GigabitEthernet1/0/0] eth-trunk 0 
    [FW_D-GigabitEthernet1/0/0] quit 
    [FW_D] interface GigabitEthernet 1/0/1 
    [FW_D-GigabitEthernet1/0/1] eth-trunk 0 
    [FW_D-GigabitEthernet1/0/1] quit

    # Add GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to Eth-Trunk 1.

    [FW_D] interface GigabitEthernet 1/0/2 
    [FW_D-GigabitEthernet1/0/2] eth-trunk 1 
    [FW_D-GigabitEthernet1/0/2] quit 
    [FW_D] interface GigabitEthernet 1/0/3 
    [FW_D-GigabitEthernet1/0/3] eth-trunk 1 
    [FW_D-GigabitEthernet1/0/3] quit

    # Add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to Eth-Trunk 2.

    [FW_D] interface GigabitEthernet 1/0/4 
    [FW_D-GigabitEthernet1/0/4] eth-trunk 2 
    [FW_D-GigabitEthernet1/0/4] quit 
    [FW_D] interface GigabitEthernet 1/0/5 
    [FW_D-GigabitEthernet1/0/5] eth-trunk 2 
    [FW_D-GigabitEthernet1/0/5] quit

    # Assign Eth-Trunk 0 to the dmz zone.

    [FW_D] firewall zone name dmz 
    [FW_D-zone-dmz] add interface Eth-Trunk 0 
    [FW_D-zone-dmz] quit

    # Assign Eth-Trunk 1.1 to the untrust zone.

    [FW_D] firewall zone untrust 
    [FW_D-zone-untrust] add interface Eth-Trunk 1.1 
    [FW_D-zone-untrust] quit

    # Assign Eth-Trunk 2.1 to the trust zone.

    [FW_D] firewall zone trust 
    [FW_D-zone-trust] add interface Eth-Trunk 2.1 
    [FW_D-zone-trust] quit

Configuring Availability

Procedure
  1. Configure the hot standby configuration on FW_A.

    # Enable the HRP function.

    [FW_A] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_A] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_A] hrp preempt delay 300
    NOTE:

    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_A] hrp interface Eth-Trunk 0 remote 10.10.0.2

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_A] hrp track interface Eth-Trunk 1.1 
    [FW_A] hrp track interface Eth-Trunk 1.2

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to active.

    [FW_A] interface Eth-Trunk 2.1 
    [FW_A-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 active 
    [FW_A-Eth-Trunk2.1] quit

    # Add the interfaces connected to the intranet switch to a link group.

    [FW_A] interface GigabitEthernet 1/0/2 
    [FW_A-GigabitEthernet1/0/2] link-group 1 
    [FW_A-GigabitEthernet1/0/2] quit 
    [FW_A] interface GigabitEthernet 1/0/3 
    [FW_A-GigabitEthernet1/0/3] link-group 1 
    [FW_A-GigabitEthernet1/0/3] quit 
    [FW_A] interface GigabitEthernet 1/0/4 
    [FW_A-GigabitEthernet1/0/4] link-group 1 
    [FW_A-GigabitEthernet1/0/4] quit 
    [FW_A] interface GigabitEthernet 1/0/5 
    [FW_A-GigabitEthernet1/0/5] link-group 1 
    [FW_A-GigabitEthernet1/0/5] quit

  2. Configure the hot standby configuration on FW_B.

    # Enable the HRP function.

    [FW_B] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_B] hrp ospf-cost adjust-enable

    # Set the preemption delay of the VGMP group.

    [FW_B] hrp preempt delay 300
    NOTE:

    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_B] hrp interface Eth-Trunk 0 remote 10.10.0.1

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_B] hrp track interface Eth-Trunk 1.1 
    [FW_B] hrp track interface Eth-Trunk 1.2

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to standby.

    [FW_B] interface Eth-Trunk 2.1 
    [FW_B-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 standby 
    [FW_B-Eth-Trunk2.1] quit

  3. Configure the hot standby configuration on FW_C.

    # Enable the HRP function.

    [FW_C] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_C] hrp adjust ospf-cost enable

    # Set the preemption delay of the VGMP group.

    [FW_C] hrp preempt delay 300
    NOTE:

    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_C] hrp interface Eth-Trunk 0 remote 10.10.0.4

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_C] hrp track interface Eth-Trunk 1.1

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to active.

    [FW_C] interface Eth-Trunk 2.1 
    [FW_C-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 active 
    [FW_C-Eth-Trunk2.1] quit

    # Add the interfaces connected to the intranet switch to a link group.

    [FW_C] interface GigabitEthernet 1/0/2  
    [FW_C-GigabitEthernet 1/0/2] link-group 1 
    [FW_C] interface GigabitEthernet 1/0/3  
    [FW_C-GigabitEthernet 1/0/3] link-group 1 
    [FW_C] interface GigabitEthernet 1/0/4  
    [FW_C-GigabitEthernet 1/0/4] link-group 1 
    [FW_C] interface GigabitEthernet 1/0/5  
    [FW_C-GigabitEthernet 1/0/5] link-group 1

  4. Configure the hot standby configuration on FW_D.

    # Enable the HRP function.

    [FW_D] hrp enable

    # Enable the function of adjusting the OSPF cost based on the VGMP group status.

    [FW_D] hrp adjust ospf-cost enable

    # Set the preemption delay of the VGMP group.

    [FW_D] hrp preempt delay 300
    NOTE:

    The recommended preemption delay is 300s.

    # Configure a heartbeat interface.

    [FW_D] hrp interface Eth-Trunk 0 remote 10.10.0.3

    # Configure the VGMP group to monitor upstream service interfaces.

    [FW_D] hrp track interface Eth-Trunk 1.1

    # Configure VRRP group 1 on the downstream service interface and set the status of the VRRP group to standby.

    [FW_D] interface Eth-Trunk 2.1 
    [FW_D-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 standby 
    [FW_D-Eth-Trunk2.1] quit
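
Before a switchover is trusted, the two members of each pair should be checked against each other, since a heartbeat `remote` address, a tracked interface or a VRRP role that differs between members only shows up when the failover actually happens. The following Python script is an added example, not code from this page or from Huawei: it parses the `hrp`, `interface`, `ip address` and `vrrp vrid` lines of both members exactly as they are typed in steps 1 to 4 above (and as they appear in the saved configuration scripts at the end of this document) and verifies that the heartbeat interfaces point at each other, that both members track the same upstream interfaces, that the preempt delay matches, and that every VRRP group has one virtual IP with exactly one active and one standby member. The FW_A and FW_B fragments are constructed from the commands in this section; function names and finding texts are this example's own.

```python
"""Cross-check the hot-standby settings of a firewall pair (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the hrp/vrrp/interface lines of FW_A and FW_B from this section.
FW_A = """
hrp enable
hrp interface Eth-Trunk 0 remote 10.10.0.2
hrp preempt delay 300
hrp track interface Eth-Trunk 1.1
hrp track interface Eth-Trunk 1.2
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
interface Eth-Trunk2.1
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 24 active
"""
FW_B = """
hrp enable
hrp interface Eth-Trunk 0 remote 10.10.0.1
hrp preempt delay 300
hrp track interface Eth-Trunk 1.1
hrp track interface Eth-Trunk 1.2
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
interface Eth-Trunk2.1
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 24 standby
"""


@dataclass
class HaConfig:
    name: str
    heartbeat_if: str = ""
    heartbeat_remote: str = ""
    preempt_delay: int = -1
    tracked: set[str] = field(default_factory=set)
    addresses: dict[str, str] = field(default_factory=dict)         # interface -> own IP
    vrrp: dict[str, tuple[str, str]] = field(default_factory=dict)  # vrid -> (virtual IP, role)

    @property
    def heartbeat_local(self) -> str:
        return self.addresses.get(self.heartbeat_if, "")


def _ifname(raw: str) -> str:
    """'Eth-Trunk 1.1' (as typed) and 'Eth-Trunk1.1' (as saved) are the same interface."""
    return raw.replace(" ", "")


def parse_ha(name: str, text: str) -> HaConfig:
    cfg = HaConfig(name)
    current = ""  # interface view we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"hrp interface (.+?) remote (\S+)$", line):
            cfg.heartbeat_if, cfg.heartbeat_remote = _ifname(m[1]), m[2]
        elif m := re.match(r"hrp track interface (.+)$", line):
            cfg.tracked.add(_ifname(m[1]))
        elif m := re.match(r"hrp preempt delay (\d+)$", line):
            cfg.preempt_delay = int(m[1])
        elif m := re.match(r"interface (.+)$", line):
            current = _ifname(m[1])
        elif (m := re.match(r"ip address (\S+) ", line)) and current:
            cfg.addresses[current] = m[1]
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)(?: \d+)? (active|standby)$", line):
            cfg.vrrp[m[1]] = (m[2], m[3])
    return cfg


def check_pair(a: HaConfig, b: HaConfig) -> list[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings: list[str] = []
    if a.heartbeat_if != b.heartbeat_if:
        findings.append(f"heartbeat interface differs: {a.heartbeat_if} vs {b.heartbeat_if}")
    # Each member's 'remote' must be the address the other member owns on the heartbeat link.
    if a.heartbeat_remote != b.heartbeat_local or b.heartbeat_remote != a.heartbeat_local:
        findings.append(f"heartbeat peers do not point at each other: {a.name} remote "
                        f"{a.heartbeat_remote} vs {b.name} local {b.heartbeat_local}; "
                        f"{b.name} remote {b.heartbeat_remote} vs {a.name} local {a.heartbeat_local}")
    if a.tracked != b.tracked:
        findings.append(f"tracked interfaces differ: {sorted(a.tracked)} vs {sorted(b.tracked)}")
    if a.preempt_delay != b.preempt_delay:
        findings.append(f"preempt delay differs: {a.preempt_delay} vs {b.preempt_delay}")
    if a.vrrp.keys() != b.vrrp.keys():
        findings.append(f"VRRP group IDs differ: {sorted(a.vrrp)} vs {sorted(b.vrrp)}")
    for vrid in a.vrrp.keys() & b.vrrp.keys():
        (vip_a, role_a), (vip_b, role_b) = a.vrrp[vrid], b.vrrp[vrid]
        if vip_a != vip_b:
            findings.append(f"VRRP {vrid}: virtual IP differs ({vip_a} vs {vip_b})")
        if {role_a, role_b} != {"active", "standby"}:
            findings.append(f"VRRP {vrid}: need one active and one standby, got {role_a}/{role_b}")
    return findings


def audit_pair(a_text: str, b_text: str, a_name: str = "FW_A", b_name: str = "FW_B") -> list[str]:
    return check_pair(parse_ha(a_name, a_text), parse_ha(b_name, b_text))


if __name__ == "__main__":
    for line in audit_pair(FW_A, FW_B) or ["hot-standby settings of FW_A and FW_B are consistent"]:
        print(line)
```

Run it against the saved configuration of both members (`display current-configuration` output pasted into the two strings); the same check applies unchanged to FW_C and FW_D, whose VRRP group uses virtual IP 10.3.1.3 and a single tracked interface.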

Configuring GRE Tunnels

Procedure
  1. Configure GRE tunnels on FW_A and FW_B.

    NOTE:

    Set the required parameters on the devices at both ends of a GRE tunnel.

    The gre key configured below is a 32-bit tunnel identifier (the GRE Key field of RFC 2890), not an authentication or encryption mechanism. GRE carries the inner packets in cleartext, so protection of the tunneled traffic rests on the security policies and on the trust placed in the underlying network.

    For details on security policy configuration, see the related section.

    Configure GRE tunnels on FW_A.

    HRP_M[FW_A] interface loopback 1 
    HRP_M[FW_A-loopback1] ospf cost 10 
    HRP_M[FW_A-loopback1] ip address 10.2.0.10 32 
    HRP_M[FW_A-loopback1] quit 
    HRP_M[FW_A] interface loopback 2 
    HRP_M[FW_A-loopback2] ospf cost 10 
    HRP_M[FW_A-loopback2] ip address 10.2.0.11 32 
    HRP_M[FW_A-loopback2] quit 
    HRP_M[FW_A] interface Tunnel 1 
    HRP_M[FW_A-Tunnel1] ip address 172.16.2.1 32 
    HRP_M[FW_A-Tunnel1] quit 
    HRP_M[FW_A] interface Tunnel 2 
    HRP_M[FW_A-Tunnel2] ip address 172.16.2.2 32 
    HRP_M[FW_A-Tunnel2] quit 
    HRP_M[FW_A] firewall zone name tunnelzone 
    HRP_M[FW_A-zone-tunnelzone] set priority 20 
    HRP_M[FW_A-zone-tunnelzone] add interface tunnel 1 
    HRP_M[FW_A-zone-tunnelzone] add interface tunnel 2 
    HRP_M[FW_A-zone-tunnelzone] quit 
    HRP_M[FW_A] ospf 1 
    HRP_M[FW_A-ospf-1] area 1 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] quit 
    HRP_M[FW_A-ospf-1] quit 
    HRP_M[FW_A] interface Tunnel 1 
    HRP_M[FW_A-Tunnel1] tunnel-protocol gre 
    HRP_M[FW_A-Tunnel1] source loopback1 
    HRP_M[FW_A-Tunnel1] destination 10.2.10.1    // IP address of the peer tunnel interface 
    HRP_M[FW_A-Tunnel1] gre key cipher 123456 
    HRP_M[FW_A-Tunnel1] ospf timer hello 30 
    HRP_M[FW_A-Tunnel1] quit  
    HRP_M[FW_A] interface Tunnel 2 
    HRP_M[FW_A-Tunnel2] tunnel-protocol gre 
    HRP_M[FW_A-Tunnel2] source loopback2 
    HRP_M[FW_A-Tunnel2] destination 10.2.11.1    // IP address of the peer tunnel interface 
    HRP_M[FW_A-Tunnel2] gre key cipher 123456 
    HRP_M[FW_A-Tunnel2] ospf timer hello 30 
    HRP_M[FW_A-Tunnel2] quit

    Configure GRE tunnels on FW_B.

    HRP_S[FW_B] interface loopback 1 
    HRP_S[FW_B-loopback1] ospf cost 1000 
    HRP_S[FW_B-loopback1] ip address 10.2.0.12 32 
    HRP_S[FW_B-loopback1] quit 
    HRP_S[FW_B] interface loopback 2 
    HRP_S[FW_B-loopback2] ospf cost 1000 
    HRP_S[FW_B-loopback2] ip address 10.2.0.13 32 
    HRP_S[FW_B-loopback2] quit 
    HRP_S[FW_B] interface Tunnel 1 
    HRP_S[FW_B-Tunnel1] ip address 172.16.2.3 32 
    HRP_S[FW_B-Tunnel1] quit 
    HRP_S[FW_B] interface Tunnel 2 
    HRP_S[FW_B-Tunnel2] ip address 172.16.2.4 32 
    HRP_S[FW_B-Tunnel2] quit 
    HRP_S[FW_B] ospf 1 
    HRP_S[FW_B-ospf-1] area 1 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] quit 
    HRP_S[FW_B-ospf-1] quit 
    HRP_S[FW_B] interface Tunnel 1 
    HRP_S[FW_B-Tunnel1] tunnel-protocol gre 
    HRP_S[FW_B-Tunnel1] source loopback1 
    HRP_S[FW_B-Tunnel1] destination 10.2.10.2    // IP address of the peer tunnel interface 
    HRP_S[FW_B-Tunnel1] gre key cipher 123456 
    HRP_S[FW_B-Tunnel1] ospf timer hello 30 
    HRP_S[FW_B-Tunnel1] quit 
    HRP_S[FW_B] interface Tunnel 2 
    HRP_S[FW_B-Tunnel2] tunnel-protocol gre 
    HRP_S[FW_B-Tunnel2] source loopback2 
    HRP_S[FW_B-Tunnel2] destination 10.2.11.2    // IP address of the peer tunnel interface 
    HRP_S[FW_B-Tunnel2] gre key cipher 123456 
    HRP_S[FW_B-Tunnel2] ospf timer hello 30 
    HRP_S[FW_B-Tunnel2] quit

Configuring Security Policies

Procedure
  1. Configure security policies on FW_A and FW_B.

    NOTE:

    After hot standby is implemented, the security policy configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    # Configure a Trust-tunnelzone interzone security policy to permit pre-encapsulated packets.

    HRP_M[FW_A] security-policy 
    HRP_M[FW_A-policy-security] rule name trust_tunnelzone_outbound 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-zone trust 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] destination-zone tunnelzone 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] source-address 10.3.0.0 24 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] action permit 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_outbound] quit 
    HRP_M[FW_A-policy-security] rule name trust_tunnelzone_inbound 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] source-zone tunnelzone 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-zone trust 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] destination-address 10.3.0.0 24 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] action permit 
    HRP_M[FW_A-policy-security-rule-trust_tunnelzone_inbound] quit

    # Configure a Local-DMZ interzone security policy to permit heartbeat packets.

    HRP_M[FW_A-policy-security] rule name local_dmz_outbound 
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-zone local 
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] destination-zone dmz 
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24 
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] action permit 
    HRP_M[FW_A-policy-security-rule-local_dmz_outbound] quit 
    HRP_M[FW_A-policy-security] rule name local_dmz_inbound 
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] source-zone dmz 
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-zone local 
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24 
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] action permit 
    HRP_M[FW_A-policy-security-rule-local_dmz_inbound] quit

    # Configure a Local-Untrust interzone security policy to permit encapsulated GRE packets. The outbound rule is from the Local zone to the Untrust zone; the inbound rule is the reverse direction.

    HRP_M[FW_A-policy-security] rule name local_untrust_outbound 
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-zone local 
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust 
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] source-address 10.2.0.0 16 
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] action permit 
    HRP_M[FW_A-policy-security-rule-local_untrust_outbound] quit 
    HRP_M[FW_A-policy-security] rule name local_untrust_inbound 
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust 
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local 
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] destination-address 10.2.0.0 16 
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] action permit 
    HRP_M[FW_A-policy-security-rule-local_untrust_inbound] quit 
    HRP_M[FW_A-policy-security] quit
    NOTE:

    As written, the Local-Untrust rules permit any service between 10.2.0.0/16 and the firewall itself. In a production deployment, narrow the inbound rule to the tunnel source and destination addresses and to the GRE protocol (IP protocol 47), so that the management and control-plane services of the FW are not reachable from the whole segment.

  2. Configure security policies on FW_C and FW_D.

    NOTE:

    After hot standby is implemented, the security policy configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    # Configure a Local-DMZ interzone security policy to permit heartbeat packets.

    HRP_M[FW_C] security-policy 
    HRP_M[FW_C-policy-security] rule name local_dmz_outbound 
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-zone local 
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] destination-zone dmz 
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] source-address 10.10.0.0 24 
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] action permit 
    HRP_M[FW_C-policy-security-rule-local_dmz_outbound] quit 
    HRP_M[FW_C-policy-security] rule name local_dmz_inbound 
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] source-zone dmz 
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-zone local 
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] destination-address 10.10.0.0 24 
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] action permit 
    HRP_M[FW_C-policy-security-rule-local_dmz_inbound] quit

    # Configure a Trust-Untrust interzone security policy. The outbound rule is from the Trust zone to the Untrust zone; the inbound rule is the reverse direction.

    HRP_M[FW_C-policy-security] rule name trust_untrust_outbound 
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] source-zone trust 
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-zone untrust 
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] destination-address 10.2.1.0 24 
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] action permit 
    HRP_M[FW_C-policy-security-rule-trust_untrust_outbound] quit 
    HRP_M[FW_C-policy-security] rule name trust_untrust_inbound 
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-zone untrust 
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] destination-zone trust 
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] source-address 10.2.1.0 24 
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] action permit 
    HRP_M[FW_C-policy-security-rule-trust_untrust_inbound] quit 
    HRP_M[FW_C-policy-security] quit
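
The rule pairs in steps 1 and 2 follow a `<source>_<destination>_outbound` / `<source>_<destination>_inbound` naming convention, and a rule whose zones contradict its own name is the kind of slip that silently permits the wrong direction while the configuration still reads correctly at a glance. The lint below is an added example in Python, not code from this page or from Huawei: it parses rules in the configuration-script form used at the end of this document and flags zone/name mismatches, duplicate rule names, and permit rules that carry no address or service constraint. The sample policy is constructed; it reuses rule shapes from this section and adds deliberately wrong rules to show what is caught.

```python
"""Lint for Huawei-style security-policy rules (added example)."""
from __future__ import annotations

import re

# Constructed sample: rule shapes from this section, two rules whose zones contradict
# their *_outbound / *_inbound names, and one permit rule with no constraint at all.
SAMPLE_POLICY = """
security-policy
 rule name trust_tunnelzone_outbound
  source-zone trust
  destination-zone tunnelzone
  source-address 10.3.0.0 24
  action permit
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  destination-address 10.10.0.0 24
  action permit
 rule name local_untrust_outbound
  source-zone untrust
  destination-zone local
  source-address 10.2.0.0 16
  action permit
 rule name trust_untrust_inbound
  source-zone trust
  destination-zone untrust
  source-address 10.2.1.0 24
  action permit
 rule name permit_all
  source-zone trust
  destination-zone untrust
  action permit
"""

FIELDS = ("source-zone", "destination-zone", "source-address",
          "destination-address", "service", "action")


def parse_rules(text: str) -> list[dict[str, list[str]]]:
    """One dict per 'rule name' block; every matcher keyword maps to its list of values."""
    rules: list[dict[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"rule name (\S+)$", line):
            rules.append({"name": [m[1]]})
        elif rules:
            for key in FIELDS:
                if line.startswith(key + " "):
                    rules[-1].setdefault(key, []).append(line[len(key) + 1:])
    return rules


def expected_zones(rule_name: str) -> tuple[str, str] | None:
    """Zones implied by the <src>_<dst>_outbound / <src>_<dst>_inbound naming used here."""
    m = re.fullmatch(r"([a-z0-9]+)_([a-z0-9]+)_(outbound|inbound)", rule_name)
    if not m:
        return None
    a, b, direction = m.groups()
    return (a, b) if direction == "outbound" else (b, a)


def lint(text: str) -> list[tuple[str, str]]:
    """Return (rule name, problem) pairs; an empty list means nothing was flagged."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for rule in parse_rules(text):
        name = rule["name"][0]
        if name in seen:
            findings.append((name, "duplicate rule name"))
        seen.add(name)
        actual = (rule.get("source-zone", [""])[0].lower(),
                  rule.get("destination-zone", [""])[0].lower())
        expected = expected_zones(name)
        if expected and actual != expected:
            findings.append((name, f"zones {actual[0]}->{actual[1]} contradict the name "
                                   f"(expected {expected[0]}->{expected[1]})"))
        constrained = any(k in rule for k in ("source-address", "destination-address", "service"))
        if rule.get("action") == ["permit"] and not constrained:
            findings.append((name, "permit with no address or service constraint"))
    return findings


if __name__ == "__main__":
    for name, problem in lint(SAMPLE_POLICY):
        print(f"{name}: {problem}")
```

Paste the `security-policy` section of `display current-configuration` into the string to lint a live device; because hot standby copies the policy from the active member to the standby, one run per pair is enough.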

Configuring NAT

Procedure
  1. Configure the NAT Server function on FW_A and FW_B.

    NOTE:

    After hot standby is implemented, the NAT configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    Configure NAT Server based on the service requirements.

    Configure the NAT Server function on FW_A.

    HRP_M[FW_A] nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80

  2. Configure source NAT on FW_C and FW_D.

    NOTE:

    After hot standby is implemented, the NAT and ASPF configurations on FW_C are automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

    # Create a NAT address pool on FW_C.

    HRP_M[FW_C] nat address-group addressgroup1 
    HRP_M[FW_C-address-group-addressgroup1] section 1.1.1.6 1.1.1.10 
    HRP_M[FW_C-address-group-addressgroup1] mode pat 
    HRP_M[FW_C-address-group-addressgroup1] quit

    # Configure a NAT policy. In this section, the source addresses of the packets from network segment 10.3.1.0/24 at the SCG are translated. Add rules to the NAT policy as required.

    HRP_M[FW_C] nat-policy 
    HRP_M[FW_C-policy-nat] rule name trust_untrust_outbound 
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-zone trust 
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] destination-zone untrust 
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-address 10.3.1.0 0.0.0.255 
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1  
    HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] quit 
    HRP_M[FW_C-policy-nat] quit

Configuring Routes

Procedure
  1. Configure routes on FW_A.

    HRP_M[FW_A] acl number 2000 
    HRP_M[FW_A-acl-basic-2000] description ospf1_import_ggsn 
    HRP_M[FW_A-acl-basic-2000] rule 5 permit source 221.180.0.0 0.0.0.255    // Network segment of the GGSN 
    HRP_M[FW_A-acl-basic-2000] rule 100 deny 
    HRP_M[FW_A-acl-basic-2000] quit 
    HRP_M[FW_A] interface Eth-Trunk 1.1 
    HRP_M[FW_A-Eth-Trunk1.1] ospf cost 10 
    HRP_M[FW_A-Eth-Trunk1.1] ospf network-type p2p 
    HRP_M[FW_A-Eth-Trunk1.1] quit 
    HRP_M[FW_A] interface Eth-Trunk 1.2 
    HRP_M[FW_A-Eth-Trunk1.2] ospf cost 10 
    HRP_M[FW_A-Eth-Trunk1.2] ospf network-type p2p 
    HRP_M[FW_A-Eth-Trunk1.2] quit 
    HRP_M[FW_A] ospf 1 
    HRP_M[FW_A-ospf-1] filter-policy 2000 import  
    HRP_M[FW_A-ospf-1] area 1 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255 
    HRP_M[FW_A-ospf-1-area-0.0.0.1] quit 
    HRP_M[FW_A-ospf-1] quit

  2. Configure routes on FW_B.

    NOTE:

    After hot standby is implemented, the ACL configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    HRP_S[FW_B] interface Eth-Trunk 1.1 
    HRP_S[FW_B-Eth-Trunk1.1] ospf cost 1000 
    HRP_S[FW_B-Eth-Trunk1.1] ospf network-type p2p 
    HRP_S[FW_B-Eth-Trunk1.1] quit 
    HRP_S[FW_B] interface Eth-Trunk 1.2 
    HRP_S[FW_B-Eth-Trunk1.2] ospf cost 1000 
    HRP_S[FW_B-Eth-Trunk1.2] ospf network-type p2p 
    HRP_S[FW_B-Eth-Trunk1.2] quit 
    HRP_S[FW_B] ospf 1 
    HRP_S[FW_B-ospf-1] filter-policy 2000 import 
    HRP_S[FW_B-ospf-1] area 1 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255 
    HRP_S[FW_B-ospf-1-area-0.0.0.1] quit 
    HRP_S[FW_B-ospf-1] quit

  3. Configure routes on FW_C.

    HRP_M[FW_C] acl number 2100 
    HRP_M[FW_C-acl-basic-2100] description ospf1_import_ggsn 
    HRP_M[FW_C-acl-basic-2100] rule 5 permit source 0.0.0.0 0 
    HRP_M[FW_C-acl-basic-2100] rule 1000 deny 
    HRP_M[FW_C-acl-basic-2100] quit 
    HRP_M[FW_C] interface Eth-Trunk 1.1 
    HRP_M[FW_C-Eth-Trunk1.1] ospf cost 10 
    HRP_M[FW_C-Eth-Trunk1.1] ospf network-type p2p 
    HRP_M[FW_C-Eth-Trunk1.1] quit 
    HRP_M[FW_C] ospf 2 
    HRP_M[FW_C-ospf-2] filter-policy 2100 import 
    HRP_M[FW_C-ospf-2] import-route static 
    HRP_M[FW_C-ospf-2] area 2 
    HRP_M[FW_C-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123 
    HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255 
    HRP_M[FW_C-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255 
    HRP_M[FW_C-ospf-2-area-0.0.0.2] quit 
    HRP_M[FW_C-ospf-2] quit

    # Configure black-hole routes.

    HRP_M[FW_C] ip route-static 1.1.1.6 32 NULL 0 
    HRP_M[FW_C] ip route-static 1.1.1.7 32 NULL 0 
    HRP_M[FW_C] ip route-static 1.1.1.8 32 NULL 0 
    HRP_M[FW_C] ip route-static 1.1.1.9 32 NULL 0 
    HRP_M[FW_C] ip route-static 1.1.1.10 32 NULL 0

  4. Configure routes on FW_D.

    NOTE:

    After hot standby is implemented, the ACL configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    HRP_S[FW_D] interface Eth-Trunk 1.1 
    HRP_S[FW_D-Eth-Trunk1.1] ospf cost 10 
    HRP_S[FW_D-Eth-Trunk1.1] ospf network-type p2p 
    HRP_S[FW_D-Eth-Trunk1.1] quit 
    HRP_S[FW_D] ospf 2 
    HRP_S[FW_D-ospf-2] filter-policy 2100 import 
    HRP_S[FW_D-ospf-2] import-route static 
    HRP_S[FW_D-ospf-2] area 2 
    HRP_S[FW_D-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123 
    HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255 
    HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255 
    HRP_S[FW_D-ospf-2-area-0.0.0.2] quit 
    HRP_S[FW_D-ospf-2] quit

    # Configure black-hole routes.

    HRP_S[FW_D] ip route-static 1.1.1.6 32 NULL 0 
    HRP_S[FW_D] ip route-static 1.1.1.7 32 NULL 0 
    HRP_S[FW_D] ip route-static 1.1.1.8 32 NULL 0 
    HRP_S[FW_D] ip route-static 1.1.1.9 32 NULL 0 
    HRP_S[FW_D] ip route-static 1.1.1.10 32 NULL 0

Others

Procedure
  1. Configure ASPF.

    NOTE:

    After hot standby is implemented, the ASPF configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    # Configure ASPF on FW_A.

    HRP_M[FW_A] firewall interzone trust untrust 
    HRP_M[FW_A-interzone-trust-untrust] detect rtsp 
    HRP_M[FW_A-interzone-trust-untrust] detect ftp 
    HRP_M[FW_A-interzone-trust-untrust] detect pptp 
    HRP_M[FW_A-interzone-trust-untrust] quit
    NOTE:

    After hot standby is implemented, the NAT and ASPF configurations on FW_C are automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.

    # Configure ASPF on FW_C.

    HRP_M[FW_C] firewall interzone trust untrust 
    HRP_M[FW_C-interzone-trust-untrust] detect rtsp 
    HRP_M[FW_C-interzone-trust-untrust] detect ftp 
    HRP_M[FW_C-interzone-trust-untrust] detect pptp 
    HRP_M[FW_C-interzone-trust-untrust] quit

  2. Configure attack defense.

    NOTE:

    After hot standby is implemented, the attack defense configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    Configure attack defense on FW_A.

    HRP_M[FW_A] firewall defend land enable 
    HRP_M[FW_A] firewall defend smurf enable 
    HRP_M[FW_A] firewall defend fraggle enable 
    HRP_M[FW_A] firewall defend ip-fragment enable 
    HRP_M[FW_A] firewall defend tcp-flag enable 
    HRP_M[FW_A] firewall defend winnuke enable 
    HRP_M[FW_A] firewall defend source-route enable 
    HRP_M[FW_A] firewall defend teardrop enable 
    HRP_M[FW_A] firewall defend route-record enable 
    HRP_M[FW_A] firewall defend time-stamp enable 
    HRP_M[FW_A] firewall defend ping-of-death enable
    NOTE:

    After hot standby is implemented, the attack defense configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    Configure attack defense on FW_C.

    HRP_M[FW_C] firewall defend land enable 
    HRP_M[FW_C] firewall defend smurf enable 
    HRP_M[FW_C] firewall defend fraggle enable 
    HRP_M[FW_C] firewall defend ip-fragment enable 
    HRP_M[FW_C] firewall defend tcp-flag enable 
    HRP_M[FW_C] firewall defend winnuke enable 
    HRP_M[FW_C] firewall defend source-route enable 
    HRP_M[FW_C] firewall defend teardrop enable 
    HRP_M[FW_C] firewall defend route-record enable 
    HRP_M[FW_C] firewall defend time-stamp enable 
    HRP_M[FW_C] firewall defend ping-of-death enable

  3. Configure the NMS (SNMP).

    NOTE:

    After hot standby is implemented, the SNMP configuration on FW_A is automatically backed up to FW_B. You do not need to repeat the configuration on FW_B.

    You need to refer to the configuration guide of the NMS that is deployed. Make sure the authentication parameters configured on the NMS are consistent with those on the FWs; otherwise, the NMS cannot manage the FWs. In this example, the FWs and the NMS communicate over SNMPv3 with both authentication and privacy enabled. MD5 authentication is shown here to match the NMS; SHA is the stronger choice and should be preferred wherever the NMS supports it.

    Configure the SNMP version on the FW. This step is optional. By default, SNMPv3 is used. To change the SNMP version, perform this step.

    HRP_M[FW_A] snmp-agent sys-info version v3

    # Configure an SNMPv3 user group.

    HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

    # Configure an SNMPv3 user.

    HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

    # Configure contact information.

    HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

    # Configure location information.

    HRP_M[FW_A] snmp-agent sys-info location Beijing

    # Configure the SNMP alarm function on the FW.

    HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy 
    HRP_M[FW_A] snmp-agent trap enable  
    Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    NOTE:

    After hot standby is implemented, the SNMP configuration on FW_C is automatically backed up to FW_D. You do not need to repeat the configuration on FW_D.

    You need to refer to the configuration guide of the NMS that is deployed. Make sure the configuration of authentication parameters on the NMS is consistent with the configuration on the FWs. Otherwise, the NMS cannot manage the FWs. In this example, SNMPv3 is used by the FWs and NMS to communicate.

    Configure the SNMP version on the FW. This step is optional. By default, SNMPv3 is used. To change the SNMP version, perform this step.

    HRP_M[FW_C] snmp-agent sys-info version v3

    # Configure an SNMPv3 user group.

    HRP_M[FW_C] snmp-agent group v3 NMS1 privacy

    # Configure an SNMPv3 user.

    HRP_M[FW_C] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 privacy-mode aes256 Admin@456

    # Configure contact information.

    HRP_M[FW_C] snmp-agent sys-info contact Mr.zhang

    # Configure location information.

    HRP_M[FW_C] snmp-agent sys-info location Beijing

    # Configure the SNMP alarm function on the FW.

    HRP_M[FW_C] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname Admin123 v3 privacy 
    HRP_M[FW_C] snmp-agent trap enable  
    Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

  4. For basic network parameter settings and active/standby configurations of the upstream and downstream switches and routers, see the product documentation of the switches and routers.

Verification

  1. Run the display hrp state command on FW_A to check the HRP status. If the following information is displayed, HRP is successfully configured.
    HRP_M[FW_A] display hrp state 
    Role: active, peer: standby  
     Running priority: 46002, peer: 46002 
     Backup channel usage: 7% 
     Stable time: 0 days, 0 hours, 12 minutes
  2. Run the shutdown command on GigabitEthernet 1/0/2 or GigabitEthernet 1/0/3 of FW_A or FW_C to simulate a link failure. The active/standby switchover is properly performed, and services are not interrupted.
  3. Run the display firewall session table command on FW_A to view address translation information. RADIUS server address 3.3.3.4 is used as an example.
    HRP_M<FW_A> display firewall session table 
    Current Total Sessions : 1 
      http  VPN:public --> public  3.3.3.4:8080-->3.3.3.3:8080[10.3.0.10:80]
  4. Run the display nat-policy rule rule-name command on FW_C to check the source NAT policy match count. If the value is 1 or greater, there are data flows matching the source NAT policy.
  5. Run the display firewall session table command on FW_C to search for an entry whose source address is the private address of the SCG. If the entry exists and the post-NAT IP address exists in the NAT address pool, the NAT policy is successfully configured. Information in the square brackets ([]) is the post-NAT IP address and port. Address 3.3.3.30 at the Internet side is used as an example.
    HRP_M<FW_C> display firewall session table 
    Current Total Sessions : 1 
     http  VPN:public --> public  10.3.1.0:2474[1.1.1.10:3761]-->3.3.3.30:8080
  6. If the RADIUS server can access intranet servers, server mappings are successfully configured.
  7. Users can access the Internet by using their mobile phones.
  8. The SCG can implement service-based charging and bandwidth control.
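
Verification steps 3 and 5 read the translation results off the session table by eye. The Python script below is an added example, not code from this page or from Huawei: it parses the `nat address-group`, `nat server` and `ip route-static ... NULL 0` lines from the NAT and route procedures, checks that every address in the source NAT pool has a black-hole route (the check behind the "Configure black-hole routes" step on FW_C and FW_D), and classifies `display firewall session table` lines as source NAT within the pool, a NAT server mapping that matches the configured `nat server`, or an untranslated session. The sample configuration and session lines are constructed from the values used in this document (pool 1.1.1.6 to 1.1.1.10, NAT server 3.3.3.3:8080 to 10.3.0.10:80); function names and result labels are this example's own.

```python
"""Check NAT pool, black-hole routes and session-table translations (added example)."""
from __future__ import annotations

import ipaddress
import re

# Constructed sample input, taken from the values used in this document.
FW_C_NAT = """
nat address-group addressgroup1
 section 1.1.1.6 1.1.1.10
 mode pat
"""
FW_C_ROUTES = """
ip route-static 1.1.1.6 32 NULL 0
ip route-static 1.1.1.7 32 NULL 0
ip route-static 1.1.1.8 32 NULL 0
ip route-static 1.1.1.9 32 NULL 0
ip route-static 1.1.1.10 32 NULL 0
"""
FW_A_NAT = "nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80"
SESSION_SOURCE_NAT = "http  VPN:public --> public  10.3.1.0:2474[1.1.1.10:3761]-->3.3.3.30:8080"
SESSION_NAT_SERVER = "http  VPN:public --> public  3.3.3.4:8080-->3.3.3.3:8080[10.3.0.10:80]"

# One session-table line: the bracketed ip:port after a side is that side's post-NAT address.
SESSION = re.compile(
    r"(?P<proto>\S+)\s+VPN:(?P<vpn_in>\S+) --> (?P<vpn_out>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<ndst>[\d.]+):(?P<ndport>\d+)\])?"
)


def parse_pool(text: str) -> set[str]:
    """Expand every 'section <first> <last>' line of a NAT address group."""
    pool: set[str] = set()
    for first, last in re.findall(r"section (\S+) (\S+)", text):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        pool.update(str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1))
    return pool


def parse_blackholes(text: str) -> set[str]:
    return set(re.findall(r"ip route-static (\S+) 32 NULL ?0", text))


def parse_nat_servers(text: str) -> dict[tuple[str, int], tuple[str, int]]:
    """global ip:port -> inside ip:port, from 'nat server ... global G GP inside I IP' lines."""
    servers: dict[tuple[str, int], tuple[str, int]] = {}
    for g, gp, i, ip_ in re.findall(r"nat server \S+ protocol \S+ global (\S+) (\d+) inside (\S+) (\d+)", text):
        servers[(g, int(gp))] = (i, int(ip_))
    return servers


def missing_blackholes(pool: set[str], blackholes: set[str]) -> list[str]:
    """Pool addresses without a NULL0 route. A packet for such an address that matches
    no session follows the default route back to the upstream router, which forwards it
    to the firewall again: a loop that only ends when the TTL expires."""
    return sorted(pool - blackholes, key=ipaddress.IPv4Address)


def classify_session(line: str, pool: set[str], servers: dict) -> str:
    """Classify one 'display firewall session table' line against the NAT configuration."""
    m = SESSION.search(line)
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    s = m.groupdict()
    if s["nsrc"]:   # source NAT: the translated source must come from the configured pool
        return "source-nat-ok" if s["nsrc"] in pool else f"source-nat-outside-pool:{s['nsrc']}"
    if s["ndst"]:   # NAT server: global ip:port must map to the configured inside ip:port
        key, inside = (s["dst"], int(s["dport"])), (s["ndst"], int(s["ndport"]))
        return "nat-server-ok" if servers.get(key) == inside else f"nat-server-mismatch:{key}->{inside}"
    return "untranslated"


if __name__ == "__main__":
    pool = parse_pool(FW_C_NAT)
    print("pool addresses without black-hole route:", missing_blackholes(pool, parse_blackholes(FW_C_ROUTES)))
    servers = parse_nat_servers(FW_A_NAT)
    for line in (SESSION_SOURCE_NAT, SESSION_NAT_SERVER):
        print(classify_session(line, pool, servers), "<-", line)
```

When the pool is enlarged later, re-running `missing_blackholes` on the saved configuration catches the black-hole route that was forgotten for the new section; `classify_session` can be run over the whole `display firewall session table` output to find translations that use an address outside the pool or a NAT server mapping that no longer matches the configuration.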

Configuration Scripts

FW_A

#

hrp enable

hrp interface Eth-Trunk 0 remote 10.10.0.2

hrp adjust ospf-cost enable

hrp preempt delay 300

hrp track interface Eth-Trunk 1.1

hrp track interface Eth-Trunk 1.2

#

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable

#

interface Eth-Trunk0

description To_FW_B

ip address 10.10.0.1 255.255.255.0

#

interface Eth-Trunk1.1

description To_GGSN1

ip address 10.2.0.1 255.255.255.0

vlan-type dot1q 11

ospf cost 10

ospf network-type p2p

#

interface Eth-Trunk1.2

description To_GGSN2

ip address 10.2.2.1 255.255.255.0

vlan-type dot1q 12

ospf cost 10

ospf network-type p2p

#

interface Eth-Trunk2.1

description To_SCG

ip address 10.3.0.1 255.255.255.0

vlan-type dot1q 21

vrrp vrid 1 virtual-ip 10.3.0.3 24 active

#

interface loopback 1

ip address 10.2.0.10 32

ospf cost 10

#

interface loopback 2

ip address 10.2.0.11 32

ospf cost 10

#

interface GigabitEthernet1/0/0

eth-trunk 0

#

interface GigabitEthernet1/0/1

eth-trunk 0

#

interface GigabitEthernet1/0/2

eth-trunk 1

link-group 1

#

interface GigabitEthernet1/0/3

eth-trunk 1

link-group 1

#

interface GigabitEthernet1/0/4

eth-trunk 2

link-group 1

#

interface GigabitEthernet1/0/5

eth-trunk 2

link-group 1

#

firewall zone trust

set priority 85

add interface Eth-Trunk2.1

#

firewall zone untrust

set priority 5

add interface Eth-Trunk1.1

add interface Eth-Trunk1.2

#

firewall zone dmz

set priority 50

add interface Eth-Trunk0

#

firewall zone tunnelzone

set priority 20

add interface tunnel1

add interface tunnel2

#

firewall interzone trust untrust

detect rtsp

detect ftp

detect pptp

#

security-policy

#

rule name trust_tunnelzone_outbound

source-zone trust

destination-zone tunnelzone

source-address 10.3.0.0 24

action permit

#

rule name trust_tunnelzone_inbound

source-zone tunnelzone

destination-zone trust

destination-address 10.3.0.0 24

action permit

#

rule name local_dmz_outbound

source-zone local

destination-zone dmz

source-address 10.10.0.0 24

action permit

#

rule name local_dmz_inbound

source-zone dmz

destination-zone local

destination-address 10.10.0.0 24

action permit

#

rule name local_untrust_outbound

source-zone local

destination-zone untrust

source-address 10.2.0.0 16

action permit

#

rule name local_untrust_inbound

source-zone untrust

destination-zone local

destination-address 10.2.0.0 16

action permit

#

nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80

#

acl number 2000

description ospf1_import_ggsn

rule 5 permit source 221.180.0.0 0.0.0.255

rule 100 deny

#

ospf 1

filter-policy 2000 import

area 0.0.0.1

authentication-mode md5 1 cipher Huawei-123

network 10.2.0.0 0.0.0.255

network 10.3.0.0 0.0.0.255

network 172.16.2.0 0.0.0.255

#

interface Tunnel1

ip address 172.16.2.1 32

tunnel-protocol gre

source loopback1

destination 10.2.10.1

gre key cipher 123456

ospf timer hello 30

#

interface Tunnel2

ip address 172.16.2.2 32

tunnel-protocol gre

source loopback2

destination 10.2.11.1

gre key cipher 123456

ospf timer hello 30

#

snmp-agent

snmp-agent local-engineid 000007DB7FFFFFFF000077D0

snmp-agent sys-info version v3

snmp-agent sys-info contact Mr.zhang

snmp-agent sys-info location Beijing

snmp-agent group v3 NMS1 privacy

snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager

snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4

#

return

FW_B

#

hrp enable

hrp interface Eth-Trunk 0 remote 10.10.0.1

hrp adjust ospf-cost enable

hrp preempt delay 300

hrp track interface Eth-Trunk 1.1

hrp track interface Eth-Trunk 1.2

#

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable

#

interface Eth-Trunk0

description To_FW_A

ip address 10.10.0.2 255.255.255.0

#

interface Eth-Trunk1.1

description To_GGSN1

ip address 10.2.0.2 255.255.255.0

vlan-type dot1q 11

ospf cost 1000

ospf network-type p2p

#

interface Eth-Trunk1.2

description To_GGSN2

ip address 10.2.2.2 255.255.255.0

vlan-type dot1q 12

ospf cost 1000

ospf network-type p2p

#

interface Eth-Trunk2.1

description To_SCG

ip address 10.3.0.2 255.255.255.0

vlan-type dot1q 21

vrrp vrid 1 virtual-ip 10.3.0.3 24 standby

#

interface loopback 1

ip address 10.2.0.12 32

ospf cost 1000

#

interface loopback 2

ip address 10.2.0.13 32

ospf cost 1000

#

interface GigabitEthernet1/0/0

eth-trunk 0

#

interface GigabitEthernet1/0/1

eth-trunk 0

#

interface GigabitEthernet1/0/2

eth-trunk 1

#

interface GigabitEthernet1/0/3

eth-trunk 1

#

interface GigabitEthernet1/0/4

eth-trunk 2

#

interface GigabitEthernet1/0/5

eth-trunk 2

#

firewall zone trust

set priority 85

add interface Eth-Trunk2.1

#

firewall zone untrust

set priority 5

add interface Eth-Trunk1.1

add interface Eth-Trunk1.2

#

firewall zone dmz

set priority 50

add interface Eth-Trunk0

#

firewall zone tunnelzone

set priority 20

add interface tunnel1

add interface tunnel2

#

firewall interzone trust untrust

detect rtsp

detect ftp

detect pptp

#

security-policy

#

rule name trust_tunnelzone_outbound

source-zone trust

destination-zone tunnelzone

source-address 10.3.0.0 24

action permit

#

rule name trust_tunnelzone_inbound

source-zone tunnelzone

destination-zone trust

destination-address 10.3.0.0 24

action permit

#

rule name local_dmz_outbound

source-zone local

destination-zone dmz

source-address 10.10.0.0 24

action permit

#

rule name local_dmz_inbound

source-zone dmz

destination-zone local

destination-address 10.10.0.0 24

action permit

#

rule name local_untrust_outbound

source-zone local

destination-zone untrust

source-address 10.2.0.0 16

action permit

#

rule name local_untrust_inbound

source-zone untrust

destination-zone local

destination-address 10.2.0.0 16

action permit

#

nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80

#

acl number 2000

description ospf1_import_ggsn

rule 5 permit source 221.180.0.0 0.0.0.255

rule 100 deny

#

ospf 1

filter-policy 2000 import

area 0.0.0.1

authentication-mode md5 1 cipher Huawei-123

network 10.2.0.0 0.0.0.255

network 10.3.0.0 0.0.0.255

network 172.16.2.0 0.0.0.255

#

interface Tunnel1

ip address 172.16.2.3 32

tunnel-protocol gre

source loopback1

destination 10.2.10.2

gre key cipher 123456

ospf timer hello 30

#

interface Tunnel2

ip address 172.16.2.4 32

tunnel-protocol gre

source loopback2

destination 10.2.11.2

gre key cipher 123456

ospf timer hello 30

#

snmp-agent

snmp-agent local-engineid 000007DB7FFFFFFF000077D0

snmp-agent sys-info version v3

snmp-agent sys-info contact Mr.zhang

snmp-agent sys-info location Beijing

snmp-agent group v3 NMS1 privacy

snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager

snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4

#

return

FW_C

#

hrp enable

hrp interface Eth-Trunk 0 remote 10.10.0.4

hrp adjust ospf-cost enable

hrp preempt delay 300

hrp track interface Eth-Trunk 1.1

#

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable

#

interface Eth-Trunk0

description To_FW_D

ip address 10.10.0.3 255.255.255.0

#

interface Eth-Trunk1.1

description To_Internet

ip address 10.2.1.1 255.255.255.0

vlan-type dot1q 11

ospf cost 10

ospf network-type p2p

ospf timer hello 30

#

interface Eth-Trunk2.1

description To_SCG

ip address 10.3.1.1 255.255.255.0

vlan-type dot1q 21

vrrp vrid 1 virtual-ip 10.3.1.3 24 active

#

interface GigabitEthernet1/0/0

eth-trunk 0

#

interface GigabitEthernet1/0/1

eth-trunk 0

#

interface GigabitEthernet1/0/2

eth-trunk 1

link-group 1

#

interface GigabitEthernet1/0/3

eth-trunk 1

link-group 1

#

interface GigabitEthernet1/0/4

eth-trunk 2

link-group 1

#

interface GigabitEthernet1/0/5

eth-trunk 2

link-group 1

#

firewall zone trust

set priority 85

add interface Eth-Trunk2.1

#

firewall zone untrust

set priority 5

add interface Eth-Trunk1.1

#

firewall zone dmz

set priority 50

add interface Eth-Trunk0

#

firewall interzone trust untrust

detect rtsp

detect ftp

detect pptp

#

security-policy

rule name local_dmz_outbound

source-zone local

destination-zone dmz

destination-address 10.10.0.0 24

action permit

rule name local_dmz_inbound

source-zone dmz

destination-zone local

source-address 10.10.0.0 24

action permit

rule name trust_untrust_outbound

source-zone trust

destination-zone untrust

destination-address 10.2.1.0 24

action permit

rule name trust_untrust_inbound

source-zone untrust

destination-zone trust

source-address 10.2.1.0 24

action permit

#

nat address-group addressgroup1

mode pat

section 0 1.1.1.6 1.1.1.10

#

nat-policy

rule name trust_untrust_outbound

source-zone trust

destination-zone untrust

source-address 10.3.1.0 24

action source-nat address-group addressgroup1

#

acl number 2100

description ospf2_import_default

rule 5 permit source 0.0.0.0 0

rule 1000 deny

#

ospf 2

filter-policy 2100 import

import-route static

area 0.0.0.2

authentication-mode md5 1 cipher Huawei-123

network 10.2.1.0 0.0.0.255

network 10.3.1.0 0.0.0.255

#

ip route-static 1.1.1.6 255.255.255.255 NULL0

ip route-static 1.1.1.7 255.255.255.255 NULL0

ip route-static 1.1.1.8 255.255.255.255 NULL0

ip route-static 1.1.1.9 255.255.255.255 NULL0

ip route-static 1.1.1.10 255.255.255.255 NULL0

#

snmp-agent

snmp-agent local-engineid 000007DB7FFFFFFF000077D0

snmp-agent sys-info version v3

snmp-agent sys-info contact Mr.zhang

snmp-agent sys-info location Beijing

snmp-agent group v3 NMS1 privacy

snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager

snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4

#

return

FW_D

#

hrp enable

hrp interface Eth-Trunk 0 remote 10.10.0.3

hrp adjust ospf-cost enable

hrp preempt delay 300

hrp track interface Eth-Trunk 1.1

#

firewall defend land enable

firewall defend smurf enable

firewall defend fraggle enable

firewall defend ip-fragment enable

firewall defend tcp-flag enable

firewall defend winnuke enable

firewall defend source-route enable

firewall defend teardrop enable

firewall defend route-record enable

firewall defend time-stamp enable

firewall defend ping-of-death enable

#

interface Eth-Trunk0

description To_FW_C

ip address 10.10.0.4 255.255.255.0

#

interface Eth-Trunk1.1

description To_Internet

ip address 10.2.1.2 255.255.255.0

vlan-type dot1q 11

ospf cost 1000

ospf network-type p2p

ospf timer hello 30

#

interface Eth-Trunk2.1

description To_SCG

ip address 10.3.1.2 255.255.255.0

vlan-type dot1q 21

vrrp vrid 1 virtual-ip 10.3.1.3 24 standby

#

interface GigabitEthernet1/0/0

eth-trunk 0

#

interface GigabitEthernet1/0/1

eth-trunk 0

#

interface GigabitEthernet1/0/2

eth-trunk 1

#

interface GigabitEthernet1/0/3

eth-trunk 1

#

interface GigabitEthernet1/0/4

eth-trunk 2

#

interface GigabitEthernet1/0/5

eth-trunk 2

#

firewall zone trust

set priority 85

add interface Eth-Trunk2.1

#

firewall zone untrust

set priority 5

add interface Eth-Trunk1.1

#

firewall zone dmz

set priority 50

add interface Eth-Trunk0

#

firewall interzone trust untrust

detect rtsp

detect ftp

detect pptp

#

security-policy

rule name local_dmz_outbound

source-zone local

destination-zone dmz

destination-address 10.10.0.0 24

action permit

rule name local_dmz_inbound

source-zone dmz

destination-zone local

source-address 10.10.0.0 24

action permit

rule name trust_untrust_outbound

source-zone trust

destination-zone untrust

destination-address 10.2.1.0 24

action permit

rule name trust_untrust_inbound

source-zone untrust

destination-zone trust

source-address 10.2.1.0 24

action permit

#

nat address-group addressgroup1

mode pat

section 0 1.1.1.6 1.1.1.10

#

nat-policy

rule name trust_untrust_outbound

source-zone trust

destination-zone untrust

source-address 10.3.1.0 24

action source-nat address-group addressgroup1

#

acl number 2100

description ospf2_import_default

rule 5 permit source 0.0.0.0 0

rule 1000 deny

#

ospf 2

filter-policy 2100 import

import-route static

area 0.0.0.2

authentication-mode md5 1 cipher Huawei-123

network 10.2.1.0 0.0.0.255

network 10.3.1.0 0.0.0.255

#

ip route-static 1.1.1.6 255.255.255.255 NULL0

ip route-static 1.1.1.7 255.255.255.255 NULL0

ip route-static 1.1.1.8 255.255.255.255 NULL0

ip route-static 1.1.1.9 255.255.255.255 NULL0

ip route-static 1.1.1.10 255.255.255.255 NULL0

#

snmp-agent

snmp-agent local-engineid 000007DB7FFFFFFF000077D0

snmp-agent sys-info version v3

snmp-agent sys-info contact Mr.zhang

snmp-agent sys-info location Beijing

snmp-agent group v3 NMS1 privacy

snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager

snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4

#

return
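Configuration listings of this length, with four firewalls carrying near-identical security-policy and nat-policy sections, invite copy-and-paste slips that are hard to spot by eye: a rule whose name says inbound but whose source zone belongs to a different pair, a misspelled rule name that no longer follows the naming scheme, a nat-policy action that references an address group under a different name than the one declared, or a permit rule with no address scoping at all. The Python script below is an added example and is not part of the Huawei document or of the Eudemon software. It parses the security-policy, nat-policy and nat address-group lines of a configuration in the display format used above and reports such inconsistencies. The rule-naming convention it checks (zoneA_zoneB_outbound for zoneA to zoneB, zoneA_zoneB_inbound for the reverse) is taken from this page's own rule names and is an assumption, not a Huawei requirement; the sample configuration embedded in the script is constructed for the example and deliberately contains four defects.

```python
"""Consistency audit for Huawei-style security-policy / nat-policy text.
Added example, not part of the Huawei document; line based and limited to
the keywords used on this page, not a full parser for the Huawei CLI."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    source_zone: str | None = None
    destination_zone: str | None = None
    source_address: list[str] = field(default_factory=list)
    destination_address: list[str] = field(default_factory=list)
    action: str | None = None  # "permit", "deny" or "source-nat address-group X"

@dataclass
class Config:
    nat_address_groups: set[str] = field(default_factory=set)
    security_rules: list[Rule] = field(default_factory=list)
    nat_rules: list[Rule] = field(default_factory=list)

def parse_config(text: str) -> Config:
    cfg, section, rule = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                                  # '#' closes the block
            section = rule = None
        elif line in ("security-policy", "nat-policy"):
            section, rule = line, None
        elif m := re.match(r"nat address-group (\S+)", line):
            cfg.nat_address_groups.add(m.group(1))
        elif section and (m := re.match(r"rule name (\S+)$", line)):
            rule = Rule(m.group(1))
            (cfg.security_rules if section == "security-policy" else cfg.nat_rules).append(rule)
        elif rule:                                       # attribute of the current rule
            key, _, value = line.partition(" ")
            if key in ("source-zone", "destination-zone", "action"):
                setattr(rule, key.replace("-", "_"), value)
            elif key in ("source-address", "destination-address"):
                getattr(rule, key.replace("-", "_")).append(value)
    return cfg

# Naming convention taken from this page: "<A>_<B>_outbound" means A -> B and
# "<A>_<B>_inbound" means B -> A (an assumption about the document's names).
NAME_RE = re.compile(r"^([a-z0-9]+)_([a-z0-9]+)_([a-z]+)$")

def audit(cfg: Config) -> list[str]:
    findings = []
    for r in cfg.security_rules:
        if m := NAME_RE.match(r.name):
            a, b, d = m.groups()
            expect = {"outbound": (a, b), "inbound": (b, a)}.get(d)
            if expect is None:
                findings.append(f"{r.name}: unrecognised direction suffix '{d}'")
            elif (r.source_zone, r.destination_zone) != expect:
                findings.append(f"{r.name}: name implies {expect[0]}->{expect[1]} "
                                f"but zones are {r.source_zone}->{r.destination_zone}")
        if r.action == "permit" and not (r.source_address or r.destination_address):
            findings.append(f"{r.name}: permit with no address scoping")
    for r in cfg.nat_rules:                               # the referenced group must exist
        if m := re.match(r"source-nat address-group (\S+)", r.action or ""):
            if m.group(1) not in cfg.nat_address_groups:
                findings.append(f"{r.name}: nat address-group '{m.group(1)}' is not declared")
    return findings

# Constructed sample modelled on the FW_B / FW_C fragments above, with four
# defects planted deliberately; it is not the document's configuration.
SAMPLE_CONFIG = """\
security-policy
 rule name local_untrust_inbound
  source-zone dmz
  destination-zone local
  destination-address 10.2.0.0 16
  action permit
 rule name local_dmz_intbound
  source-zone dmz
  destination-zone local
  source-address 10.10.0.0 24
  action permit
 rule name mgmt-access
  source-zone untrust
  destination-zone local
  action permit
#
nat address-group 1
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action source-nat address-group addressgroup1
#
"""
```

Calling audit(parse_config(SAMPLE_CONFIG)) on the embedded sample returns four findings: the inbound rule whose zones are dmz to local instead of untrust to local, the rule name with the unrecognised suffix intbound, the permit rule with no address scoping, and the nat-policy reference to an address group that is never declared. Feeding the script the text of a real display current-configuration is the intended use; a rule that carries a zone or address keyword this parser does not know is simply skipped, so the output is a list of things to look at, not proof that the remainder is correct.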

Updated: 2019-06-17

Document ID: EDOC1100087922