HiSecEngine USG6000F Typical Configuration Examples

Web: Example for Configuring Load Balancing Based on Link Bandwidth

Networking Requirements

As shown in Figure 5-7, an enterprise has a 100 Mbit/s link to ISP1 and a 50 Mbit/s link to ISP2.

  • The enterprise requires that outbound traffic be distributed across the ISP1 and ISP2 links in proportion to their bandwidth, so that both links are fully used.

  • When one ISP link goes down, subsequent traffic must be forwarded over the other ISP link so that Internet access remains available.

In this example, interface 1, interface 2, and interface 3 represent GE 0/0/1, GE 0/0/2, and GE 0/0/3, respectively.

Figure 5-7 Networking diagram of load balancing based on link bandwidth

Configuration Roadmap

The enterprise requires traffic distribution based on the bandwidth ratio, so set the intelligent uplink selection mode to load balancing based on link bandwidth. To let DeviceA move traffic to the remaining link when one link fails, configure the health check function and reference it from the uplink selection policy; without a health check the device cannot detect an ISP-side failure that leaves the local interface up.

  1. Set interface IP addresses, security zones, gateway addresses, and bandwidth.
  2. Configure the health check function and create a health check probe for ISP1 and ISP2, respectively. This step is optional for load balancing alone but required for the failover requirement above.
  3. Configure a global route selection policy. Set the intelligent uplink selection mode to load balancing based on link bandwidth, add the outbound interfaces on DeviceA connecting to ISP1 and ISP2 as intelligent uplink selection member interfaces, and reference the health check.

  4. Configure a basic security policy to allow intranet users to access the Internet.

This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.

Procedure

  1. Set IP addresses for interfaces on the firewall and add the interfaces to security zones.
    1. Choose Network > Interface.
    2. In Interface List, click GE 0/0/1 and set the parameters as follows.

       Security Zone: untrust
       Mode: Routing
       IPv4 Connection Type: Static IP address
       IP Address: 1.1.1.1/255.255.255.0
       Default Gateway: 1.1.1.254
       Inbound Bandwidth: 100 Mbit/s
       Outbound Bandwidth: 100 Mbit/s

    3. Repeat the preceding steps to set the parameters for GE 0/0/2.

       Security Zone: untrust
       Mode: Routing
       IPv4 Connection Type: Static IP address
       IP Address: 2.2.2.2/255.255.255.0
       Default Gateway: 2.2.2.254
       Inbound Bandwidth: 50 Mbit/s
       Outbound Bandwidth: 50 Mbit/s

    4. Repeat the preceding steps to set the parameters for GE 0/0/3, the intranet-facing interface. It belongs to the trust zone (not untrust), as the configuration script confirms, and needs no gateway or bandwidth settings because it is not an uplink member interface.

       Security Zone: trust
       Mode: Routing
       IPv4 Connection Type: Static IP address
       IP Address: 10.3.0.1/255.255.255.0

  2. Enable the health check function and create a health check with one probe for the ISP1 link and one for the ISP2 link. Assume that the destination network segment is 192.0.2.0/24 for ISP1 and 198.51.100.0/24 for ISP2.
    1. Choose Object > Health Check.
    2. In Health Check List, click Create and configure a health check named isp_health with one probe item per ISP link, matching the configuration script at the end of this example:

       ISP1 probe: destination 192.0.2.1, outbound interface GE 0/0/1, next hop 1.1.1.254 (the GE 0/0/1 gateway), protocol TCP, destination port 10001
       ISP2 probe: destination 198.51.100.1, outbound interface GE 0/0/2, next hop 2.2.2.254 (the GE 0/0/2 gateway), protocol TCP, destination port 10003

       Assume that 192.0.2.1 and 198.51.100.1 are known device addresses on the ISP1 and ISP2 networks, respectively, and that they accept TCP connections on the probed ports; a TCP probe against a closed or filtered port reports the link as Down even when the link itself is healthy.

       If the state remains Down after the health check configuration is complete, check the destination addresses, outbound interfaces, next hops, and ports in the health check configuration.

       Probe packets for health check are not controlled by security policies and are permitted by default. No security policy needs to be configured for them.

  3. Configure a global route selection policy to load balance traffic by link bandwidth and reference the health check.
    1. Choose Network > Route > Intelligent Uplink Selection. On the Intelligent Uplink Selection Policy tab page, click Edit in Global Routing Policy.

      In multi-egress intelligent uplink selection, the availability of each link is determined based on each detection node in the health check instead of the status of the health check object.

    2. Configure the global route selection policy: set the mode to load balancing based on link bandwidth, add GE 0/0/1 and GE 0/0/2 as member interfaces, and select isp_health as the referenced health check. The bandwidth configured on each member interface in step 1 determines its share of the traffic.

  4. Configure a Trust-to-Untrust interzone security policy to allow enterprise intranet users to access Internet resources. Assume that the intranet user network segment is 10.3.0.0/24.
    1. Choose Policy > Security Policy > Security Policy.
    2. In Security Policy List, click Add Security Policy and configure a security policy based on the following parameter values.

       Name: policy_sec_trust_untrust
       Source Security Zone: trust
       Destination Security Zone: untrust
       Source Address: 10.3.0.0/24
       Action: Permit

Verifying the Configuration

  • After the network has been running for a period of time, run the display interface brief command and compare the OutUti field (average outbound bandwidth usage over the last 300 seconds) of interface 1 (GE 0/0/1) and interface 2 (GE 0/0/2). The OutUti values should be close, because traffic is distributed in the same 2:1 ratio as the configured bandwidth, so each link is loaded to a similar percentage.
  • Run the display firewall session table interface ge 0/0/1 and display firewall session table interface ge 0/0/2 commands to count the sessions on the two interfaces and verify that the ratio is close to 2:1.
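The following model illustrates the behaviour the roadmap and the verification steps describe: new sessions spread across the member links in proportion to configured bandwidth (2:1 here), and a link whose probe is Down is dropped from the candidate set so that all traffic moves to the survivor. This is an added example for this page, not USG6000F firmware code, and it does not reproduce the device's actual hashing; weighted random assignment by egress bandwidth and the per-probe availability rule are the assumptions it makes.

```python
"""Model of load balancing based on link bandwidth with health-check failover.

Added illustration for this page; it is not USG6000F firmware code and does
not reproduce the device's actual hashing. Assumptions: each new session is
assigned to one available member link with probability proportional to that
link's configured egress bandwidth, and a link whose health-check probe is
Down is dropped from the candidate set (per probe, as the page notes, not per
health-check object).
"""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass
class Link:
    name: str
    egress_kbps: int        # "bandwidth egress" value configured on the interface
    probe_up: bool = True   # current result of this link's health-check probe


# Member interfaces from the example: GE0/0/1 at 100 Mbit/s, GE0/0/2 at 50 Mbit/s.
MEMBERS = [Link("GE0/0/1", 100_000), Link("GE0/0/2", 50_000)]


def available(members):
    """Candidate links: only those whose own probe is Up."""
    return [m for m in members if m.probe_up]


def expected_share(members):
    """Expected fraction of new sessions per available link (the bandwidth ratio)."""
    cands = available(members)
    total = sum(c.egress_kbps for c in cands)
    return {c.name: c.egress_kbps / total for c in cands}


def select_link(members, rng):
    """Pick the outbound link for one new session, weighted by egress bandwidth."""
    cands = available(members)
    if not cands:
        raise RuntimeError("all ISP links are Down: no outbound path")
    return rng.choices(cands, weights=[c.egress_kbps for c in cands], k=1)[0]


def distribute_sessions(members, n_sessions, seed=1):
    """Assign n_sessions new sessions; return {interface: session count}."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    counts = Counter()
    for _ in range(n_sessions):
        counts[select_link(members, rng).name] += 1
    return dict(counts)


def session_ratio(counts, a="GE0/0/1", b="GE0/0/2"):
    """Ratio the verification step compares against 2:1."""
    return counts.get(a, 0) / counts[b] if counts.get(b) else float("inf")


def failover(members, failed):
    """Copy of the member list with the named link's probe marked Down."""
    return [Link(m.name, m.egress_kbps, m.probe_up and m.name != failed)
            for m in members]


if __name__ == "__main__":
    normal = distribute_sessions(MEMBERS, 30_000)
    print("both links up:", normal, "ratio %.2f" % session_ratio(normal))
    isp2_down = distribute_sessions(failover(MEMBERS, "GE0/0/2"), 30_000)
    print("ISP2 probe down:", isp2_down)
```

The session ratio converges to 2:1 only over many sessions; a handful of long-lived, high-volume flows can skew the OutUti comparison in the short term, which is why the verification step waits until the network has run for a while.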

Configuration Scripts

#
sysname DeviceA
#
healthcheck enable
#
healthcheck name isp_health
 destination 192.0.2.1 interface GE0/0/1 next-hop 1.1.1.254 protocol tcp destination-port 10001
 destination 198.51.100.1 interface GE0/0/2 next-hop 2.2.2.254 protocol tcp destination-port 10003
#
interface GE0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 100000
 bandwidth egress 100000
#
interface GE0/0/2
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 50000
 bandwidth egress 50000
#
interface GE0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GE0/0/3
#
firewall zone untrust
 set priority 5
 add interface GE0/0/1
 add interface GE0/0/2
#
multi-interface
 add interface GE0/0/1
 add interface GE0/0/2
 healthcheck isp_health
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
return
Update Date: 2024-07-17
Document ID: EDOC1100387632