
Example for Configuring the Egress of a Large-Sized Campus (Firewalls Are Connected to Core Switches in Bypass Mode)

Configuration Notes

  • This example uses Huawei S series modular switches, USG firewalls, and NE routers to describe the configuration procedure.

  • The configuration procedure in this example involves only the enterprise network egress. For the internal network configuration, see "Large-Sized Campus Networks" in the Huawei S Series Campus Switch Quick Configuration Guide.

  • Only the connection configurations between firewalls and switches and the HRP configurations on firewalls are provided in the following procedure. For the security service plan on the firewalls and security policies, attack defense, bandwidth management, and IPSec on the campus network, see Firewall Configuration Examples.

  • This example describes only the routers and switches at the egress of campus network. For the Internet-side configurations on routers, see the NE Router Configuration Guide.

Networking Requirements

At the egress of a large-sized campus network, core switches connect to routers to access the Internet through upstream interfaces. Firewalls connect to the core switches in bypass mode to filter service traffic.

To simplify the network and improve reliability, a switch cluster (CSS) is deployed at the core layer.

HRP in active/standby mode is deployed on the firewalls. If one firewall fails, services are switched over to the other firewall.

Each of the core switches is dual homed to two egress routers, and VRRP is configured between routers to ensure reliability.

To improve link reliability, Eth-Trunks are configured between core switches and egress routers, core switches and firewalls, and two firewalls.

The networking diagram is as follows:

Figure 1 Campus egress (HRP firewalls in bypass mode)

In a Layer 3 forwarding environment, traffic between the inside and the outside of the campus network is forwarded directly by the switches and does not pass through FW1 and FW2. To force traffic through the FWs for filtering, the VRF function must be configured on the switches. The CSS is divided into a virtual switch VRF-A and the root switch Public, whose routing tables are separate from each other.

Public is connected to the egress routers, and forwards traffic from the Internet to FWs for filtering and traffic from FWs to the egress routers.

VRF-A is connected to the intranet, and forwards traffic from the FWs to the intranet and traffic from the intranet to the FWs for filtering.

The following logical network diagram shows the traffic forwarding paths.

Figure 2 Connections between physical interfaces of switches, routers, and firewalls

In this example, the core switches work in Layer 3 mode. The firewalls connect to Layer 3 switches through upstream and downstream interfaces. VRRP needs to be configured on both upstream and downstream service interfaces of firewalls, as shown below.

Figure 3 Connections between Layer 3 interfaces of switches, routers, and firewalls

The traffic (in blue) from the intranet to the Internet is forwarded as follows:
  1. When traffic from the intranet to the Internet reaches VRF-A, it is then forwarded to the firewalls based on the static route (next hop is the downstream VRRP virtual IP address of firewalls) configured on VRF-A.
  2. After filtering the traffic, the firewalls forward traffic to Public based on the static route (next hop is the CSS's VLANIF 20).
  3. Public forwards traffic to routers based on the static route (next hop is the router VRRP virtual IP address).
The traffic (in red) from the Internet to the intranet is forwarded as follows:
  1. The traffic from the Internet to the intranet reaches the routers, and is then forwarded to Public based on the OSPF routing table.
  2. Public forwards the traffic to firewalls based on the static route (next hop is the upstream VRRP virtual IP address of firewalls).
  3. After filtering the traffic, the firewalls forward traffic to VRF-A based on the static route (next hop is the CSS's VLANIF 30).
  4. VRF-A forwards the traffic to the aggregation switches based on the OSPF routing table, and the aggregation switches then forward the traffic to the service networks.
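The two forwarding paths above, and the VRF split that makes them possible, can be checked on paper with a small route-lookup model. The following Python script is an added example and is not part of the original Huawei page: it loads one routing table per forwarding instance built from this page's data plan and route configuration (the firewall entries for 10.10.100.0/24 and 10.10.200.0/24 via 10.10.3.1 are an assumption, because the page's firewall static-route section is cut off), resolves each next-hop IP address to the instance that owns it, and traces both directions with longest-prefix matching. A second, flat table models the same CSS without VRF separation, which is the bypass situation the text warns about: the default route hands intranet traffic straight to the routers and return traffic is delivered straight to the connected VLANIF, so neither direction crosses a firewall.

```python
import ipaddress

# Per-instance routing tables built from this page's data plan and route
# configuration. "FW" stands for the HRP active firewall (FW1/FW2 answer for
# the VRRP virtual IPs). The FW entries for 10.10.100.0/24 and 10.10.200.0/24
# are an assumption: the page's firewall static-route section is cut off.
TABLES = {
    "VRF-A": [
        ("10.10.100.0/24", "connected Vlanif100"),
        ("10.10.200.0/24", "connected Vlanif200"),
        ("10.10.3.0/24", "connected Vlanif30"),
        ("0.0.0.0/0", "10.10.3.5"),            # default route -> FW VRID2 (downstream)
    ],
    "FW": [
        ("10.10.2.0/24", "connected Eth-Trunk4"),
        ("10.10.3.0/24", "connected Eth-Trunk5"),
        ("10.10.100.0/24", "10.10.3.1"),       # assumed: service networks via CSS VLANIF 30
        ("10.10.200.0/24", "10.10.3.1"),
        ("0.0.0.0/0", "10.10.2.1"),            # default route -> CSS VLANIF 20 (Public)
    ],
    "Public": [
        ("10.10.2.0/24", "connected Vlanif20"),
        ("10.10.4.0/24", "connected Vlanif10"),
        ("10.10.100.0/24", "10.10.2.5"),       # static routes -> FW VRID1 (upstream)
        ("10.10.200.0/24", "10.10.2.5"),
        ("0.0.0.0/0", "10.10.4.100"),          # default route -> router VRRP virtual IP
    ],
    "Router": [
        ("10.10.4.0/24", "connected Eth-Trunk1.100"),
        ("10.10.100.0/24", "10.10.4.1"),       # learned from Public via OSPF (import-route static)
        ("10.10.200.0/24", "10.10.4.1"),
        ("0.0.0.0/0", "Internet"),
    ],
}

# Which forwarding instance answers for each next-hop address.
ADDRESS_OWNER = {
    "10.10.3.5": "FW", "10.10.2.5": "FW",
    "10.10.2.1": "Public", "10.10.4.1": "Public",
    "10.10.3.1": "VRF-A",
    "10.10.4.100": "Router",
}

# The same CSS with no VRF separation: one routing table holds every VLANIF.
FLAT_TABLES = {
    "CSS": [
        ("10.10.100.0/24", "connected Vlanif100"),
        ("10.10.200.0/24", "connected Vlanif200"),
        ("10.10.2.0/24", "connected Vlanif20"),
        ("10.10.3.0/24", "connected Vlanif30"),
        ("10.10.4.0/24", "connected Vlanif10"),
        ("0.0.0.0/0", "10.10.4.100"),
    ],
    "Router": TABLES["Router"],
}
FLAT_OWNER = {"10.10.4.100": "Router", "10.10.4.1": "CSS"}


def lookup(table, dst):
    """Longest-prefix match of dst against one routing table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(start, dst, tables, owners, max_hops=10):
    """Follow dst from one forwarding instance to the next until it is delivered on a
    connected interface, handed to the Internet, dropped (no route), or loops."""
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dst)
        if next_hop is None:
            path.append("DROP")
            return path
        if next_hop == "Internet" or next_hop.startswith("connected"):
            path.append(next_hop)
            return path
        current = owners[next_hop]
        path.append(current)
    path.append("LOOP")
    return path


def passes_firewall(path):
    """True when the traced path crosses the HRP firewall pair."""
    return "FW" in path


if __name__ == "__main__":
    print("intranet -> Internet (VRF):   ", trace("VRF-A", "8.8.8.8", TABLES, ADDRESS_OWNER))
    print("Internet -> intranet (VRF):   ", trace("Router", "10.10.100.7", TABLES, ADDRESS_OWNER))
    print("intranet -> Internet (no VRF):", trace("CSS", "8.8.8.8", FLAT_TABLES, FLAT_OWNER))
    print("Internet -> intranet (no VRF):", trace("Router", "10.10.100.7", FLAT_TABLES, FLAT_OWNER))
```

With the VRF tables both traces pass through FW; with the flat table neither does, which is the property to re-check whenever a VLANIF or a static route on the CSS is changed.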

Device Selection

This example applies to the following products and versions. If other products or versions are used, the configurations may vary. For details, see a related configuration manual.

| Device Type | Device Model | Device Version |
| --- | --- | --- |
| Access router | AR3600 series routers | V200R007C00 |
| Firewall | USG9500 series firewalls | V500R001C20 |
| Core switches | S12700 series switches | V200R008C00 |
| Aggregation switch | S5720-EI series switches | V200R008C00 |

Data Plan

Table 1 Link aggregation data plan

| Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number |
| --- | --- | --- | --- | --- | --- | --- |
| Router1 | Eth-trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.2/24 | Switch 1, Switch 2 | Eth-Trunk1 |
| Router2 | Eth-trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.3/24 | Switch 1, Switch 2 | Eth-Trunk2 |
| VRRP of Router 1 and Router 2 | - | - | - | 10.10.4.100/24 | - | - |
| CSS (Switch 1 and Switch 2) | Eth-trunk1 | 10GE1/4/0/0, 10GE2/4/0/0 | VLANIF10 | 10.10.4.1/24 | Router 1 | Eth-Trunk1 |
| CSS (Switch 1 and Switch 2) | Eth-trunk2 | 10GE1/4/0/1, 10GE2/4/0/1 | VLANIF10 | 10.10.4.1/24 | Router 2 | Eth-Trunk1 |
| CSS (Switch 1 and Switch 2) | Eth-trunk4 | GE1/1/0/7, GE2/1/0/7 | VLANIF20 | 10.10.2.1/24 | FW 1 | Eth-Trunk4 |
| CSS (Switch 1 and Switch 2) | Eth-trunk5 | GE1/1/0/8, GE2/1/0/8 | VLANIF30 | 10.10.3.1/24 | FW 1 | Eth-Trunk5 |
| CSS (Switch 1 and Switch 2) | Eth-trunk6 | GE1/2/0/7, GE2/2/0/7 | VLANIF20 | 10.10.2.1/24 | FW 2 | Eth-Trunk6 |
| CSS (Switch 1 and Switch 2) | Eth-trunk7 | GE1/2/0/8, GE2/2/0/8 | VLANIF30 | 10.10.3.1/24 | FW 2 | Eth-Trunk7 |
| CSS (Switch 1 and Switch 2) | Eth-trunk8 | GE1/3/0/1, GE2/3/0/1 | VLANIF100 | 10.10.100.1/24 | Service network 1 | - (omitted in this example) |
| CSS (Switch 1 and Switch 2) | Eth-trunk9 | GE1/3/0/2, GE2/3/0/2 | VLANIF200 | 10.10.200.1/24 | Service network 2 | - (omitted in this example) |
| FW1 | Eth-trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.1/24 | FW2 | Eth-Trunk1 |
| FW1 | Eth-Trunk4 | GE1/0/0, GE1/0/1 | - | 10.10.2.2/24 | Switch 1, Switch 2 | Eth-Trunk4 |
| FW1 | Eth-Trunk5 | GE1/1/0, GE1/1/1 | - | 10.10.3.2/24 | Switch 1, Switch 2 | Eth-Trunk5 |
| FW2 | Eth-trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.2/24 | FW1 | Eth-Trunk1 |
| FW2 | Eth-Trunk6 | GE1/0/0, GE1/0/1 | - | 10.10.2.3/24 | Switch 1, Switch 2 | Eth-Trunk6 |
| FW2 | Eth-Trunk7 | GE1/1/0, GE1/1/1 | - | 10.10.3.3/24 | Switch 1, Switch 2 | Eth-Trunk7 |
| VRRP1 of FW 1 and FW 2 (upstream) | - | - | - | 10.10.2.5/24 | - | - |
| VRRP2 of FW 1 and FW 2 (downstream) | - | - | - | 10.10.3.5/24 | - | - |

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the CSS for core switches.

  2. Assign IP addresses to the interfaces between switches, firewalls, and routers.

    To improve link reliability, configure inter-chassis Eth-Trunks between switches and firewalls and between switches and routers.

    Configure security zones on the firewalls' interfaces.

  3. Configure VRRP on egress routers.

    To ensure reliability between the core switches and two egress routers, deploy VRRP between the two egress routers so that VRRP heartbeat packets are exchanged through the core switches. Router1 functions as the master device, and Router2 functions as the backup device.

  4. Deploy routing.

    Configure the VRF function on switches to divide the CSS into a virtual switch VRF-A and a root switch Public, which separate the service network routes and public network routes.

    To steer the upstream traffic on each device, configure a default route on core switches, of which the next hop is the VRRP virtual IP address of the egress routers.

    To steer the return traffic of two egress routers, configure OSPF between the egress routers and core switches, and advertise all user network segment routes on the core switches into OSPF on egress routers.

    To forward the upstream traffic of the service networks to the firewalls, configure a default route in VRF-A on the switches, of which the next hop is the virtual IP address of VRRP VRID2 (downstream) on the firewalls.

    To forward the downstream traffic of service networks 1 and 2 to the firewalls, configure static routes to the two service network segments in Public on the switches, of which the next hop is the virtual IP address of VRRP VRID1 (upstream) on the firewalls.

    To forward the upstream traffic of the service networks to the switches, configure a default route on the firewalls, of which the next hop is the IP address of VLANIF 20 (Public) on the switches.

    To forward the downstream traffic of service networks 1 and 2 to the switches, configure static routes to the two service network segments on the firewalls, of which the next hop is the IP address of VLANIF 30 (VRF-A) on the switches.

  5. Configure HRP on firewalls.

Procedure

  1. On Switch 1 and Switch 2: Configure a CSS.
    1. Connect CSS cards through cables.

      In the following figure, the S12700 switches have the CSS cards EH1D2VS08000 installed. The number of MPUs, SFUs, and CSS cards that an S12700 can hold is limited by the chassis model. Each chassis must have at least one MPU and one SFU installed. You are advised to install two SFUs and two CSS cards in each chassis.

      Figure 4 CSS card connections

      • The two chassis are connected by at least one CSS cable.
      • A CSS card can only be connected to a CSS card in the other chassis, not to one in the local chassis.
      • An interface in group 1 of a CSS card can be connected only to an interface in group 1 of the CSS card on the other chassis. The same requirement applies to interfaces in group 2.
      • Connect the same number of cluster cables to each CSS card. (If the CSS cards have different numbers of cluster cables connected, the total cluster bandwidth is limited by the CSS card with the fewest cluster cables connected.) In addition, connect interfaces on CSS cards according to their interface numbers.

    2. Configure clustering on Switch 1.

      # Set the cluster mode to CSS card (the default value does not need to be configured). Retain the default cluster ID 1 (the default value does not need to be configured) and set the priority to 100.

      <HUAWEI> system-view
      [HUAWEI] set css mode css-card   //Default setting. You do not need to run this command. The step is used for reference.
      [HUAWEI] set css id 1   //Default setting. You do not need to run this command. The step is used for reference.
      [HUAWEI] set css priority 100   //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the backup switch.
      [HUAWEI] css enable
      Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the switch.

    3. Configure clustering on Switch 2.

      Set the cluster mode to CSS card (the default value does not need to be configured). Set the CSS ID to 2 and retain the default priority 1 (the default value does not need to be configured).

      <HUAWEI> system-view
      [HUAWEI] set css id 2   //The default CSS ID is 1. Change the CSS ID to 2.
      [HUAWEI] css enable
      Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the switch.

    4. Check the CSS status after the switches restart.

      • On Switch 1, the active switch of the CSS, the MASTER indicator on the active MPU is steady green. (Figure 1)
      • On Switch 1, the CSS ID indicators numbered 1 on both MPUs are steady green. On Switch 2, the CSS ID indicators numbered 2 on both MPUs are steady green. (Figure 1)
      • The LINK/ALM indicators of interfaces on all CSS cards connected to cluster cables are steady green. (Figure 2)
      • The MASTER indicators on all CSS cards in the active chassis are steady green, and the MASTER indicators on all CSS cards in the standby chassis are off. (Figure 2)
      Figure 5 Indicators of the MPU and CSS card

      • After the CSS is established, subsequent operations will be performed on the master switch (switch 1) and data will be automatically synchronized to the standby switch (switch 2).
      • The interface name in a CSS is in the format like 10GE1/4/0/0. The leftmost part indicates the CSS ID.

  2. Configure the inter-chassis Eth-Trunks between CSS and FWs and between CSS and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to them.
    1. Configure an inter-chassis Eth-Trunk between switches and routers. Configure VLANIF interfaces and assign IP addresses to them.

      # In the CSS, create Eth-Trunk1 to connect to Router1 and add member interfaces to Eth-Trunk1.

      <HUAWEI> system-view
      [HUAWEI] sysname CSS   //Rename the CSS.
      [CSS] interface Eth-Trunk 1
      [CSS-Eth-Trunk1] quit
      [CSS] interface XGigabitethernet 1/4/0/0   //Add an interface on the master switch to Eth-Trunk1.
      [CSS-XGigabitEthernet1/4/0/0] Eth-Trunk 1
      [CSS-XGigabitEthernet1/4/0/0] quit
      [CSS] interface XGigabitethernet 2/4/0/0   //Add an interface on the backup switch to Eth-Trunk1.
      [CSS-XGigabitEthernet2/4/0/0] Eth-Trunk 1
      [CSS-XGigabitEthernet2/4/0/0] quit

      # In the CSS, create Eth-Trunk2 to connect to Router2 and add member interfaces to Eth-Trunk2.

      [CSS] interface Eth-Trunk 2
      [CSS-Eth-Trunk2] quit
      [CSS] interface XGigabitethernet 1/4/0/1   //Add an interface on the master switch to Eth-Trunk2.
      [CSS-XGigabitEthernet1/4/0/1] Eth-Trunk 2
      [CSS-XGigabitEthernet1/4/0/1] quit
      [CSS] interface XGigabitethernet 2/4/0/1   //Add an interface on the backup switch to Eth-Trunk2.
      [CSS-XGigabitEthernet2/4/0/1] Eth-Trunk 2
      [CSS-XGigabitEthernet2/4/0/1] quit

      # Create VLANIF interfaces and assign IP addresses to them.

      [CSS] vlan batch 10
      [CSS] interface Eth-Trunk 1   //Add Eth-Trunk1 to VLAN 10.
      [CSS-Eth-Trunk1] port link-type trunk
      [CSS-Eth-Trunk1] port trunk allow-pass vlan 10
      [CSS-Eth-Trunk1] quit
      [CSS] interface Eth-Trunk 2   //Add Eth-Trunk2 to VLAN 10.
      [CSS-Eth-Trunk2] port link-type trunk
      [CSS-Eth-Trunk2] port trunk allow-pass vlan 10
      [CSS-Eth-Trunk2] quit
      [CSS] interface Vlanif 10   //Create VLANIF 10 for the CSS to communicate with Router1 and Router2.
      [CSS-Vlanif10] ip address 10.10.4.1 24
      [CSS-Vlanif10] quit

    2. Configure inter-chassis Eth-Trunks between the CSS and the FWs. Configure VLANIF interfaces on the CSS and assign IP addresses to them.

      # In the CSS, create Eth-Trunk4 to connect Public to FW1 and add member interfaces to Eth-Trunk4.

      [CSS] interface Eth-Trunk 4
      [CSS-Eth-Trunk4] quit
      [CSS] interface Gigabitethernet 1/1/0/7   //Add an interface on the master switch to Eth-Trunk4.
      [CSS-Gigabitethernet1/1/0/7] Eth-Trunk 4
      [CSS-Gigabitethernet1/1/0/7] quit
      [CSS] interface Gigabitethernet 2/1/0/7   //Add an interface on the backup switch to Eth-Trunk4.
      [CSS-Gigabitethernet2/1/0/7] Eth-Trunk 4
      [CSS-Gigabitethernet2/1/0/7] quit

      # In the CSS, create Eth-Trunk5 to connect VRF-A to FW1 and add member interfaces to Eth-Trunk5.

      [CSS] interface Eth-Trunk 5
      [CSS-Eth-Trunk5] quit
      [CSS] interface Gigabitethernet 1/1/0/8   //Add an interface on the master switch to Eth-Trunk5.
      [CSS-Gigabitethernet1/1/0/8] Eth-Trunk 5
      [CSS-Gigabitethernet1/1/0/8] quit
      [CSS] interface Gigabitethernet 2/1/0/8   //Add an interface on the backup switch to Eth-Trunk5.
      [CSS-Gigabitethernet2/1/0/8] Eth-Trunk 5
      [CSS-Gigabitethernet2/1/0/8] quit

      # In the CSS, create Eth-Trunk6 to connect Public to FW2 and add member interfaces to Eth-Trunk6.

      [CSS] interface Eth-Trunk 6
      [CSS-Eth-Trunk6] quit
      [CSS] interface Gigabitethernet 1/2/0/7   //Add an interface on the master switch to Eth-Trunk6.
      [CSS-Gigabitethernet1/2/0/7] Eth-Trunk 6
      [CSS-Gigabitethernet1/2/0/7] quit
      [CSS] interface Gigabitethernet 2/2/0/7   //Add an interface on the backup switch to Eth-Trunk6.
      [CSS-Gigabitethernet2/2/0/7] Eth-Trunk 6
      [CSS-Gigabitethernet2/2/0/7] quit

      # In the CSS, create Eth-Trunk7 to connect VRF-A to FW2 and add member interfaces to Eth-Trunk7.

      [CSS] interface Eth-Trunk 7
      [CSS-Eth-Trunk7] quit
      [CSS] interface Gigabitethernet 1/2/0/8   //Add an interface on the master switch to Eth-Trunk7.
      [CSS-Gigabitethernet1/2/0/8] Eth-Trunk 7
      [CSS-Gigabitethernet1/2/0/8] quit
      [CSS] interface Gigabitethernet 2/2/0/8   //Add an interface on the backup switch to Eth-Trunk7.
      [CSS-Gigabitethernet2/2/0/8] Eth-Trunk 7
      [CSS-Gigabitethernet2/2/0/8] quit

      # Create VLANIF interfaces and assign IP addresses to them.

      [CSS] vlan batch 20 30
      [CSS] interface Eth-Trunk 4   //Add Eth-Trunk4 to VLAN 20.
      [CSS-Eth-Trunk4] port link-type trunk
      [CSS-Eth-Trunk4] port trunk allow-pass vlan 20
      [CSS-Eth-Trunk4] quit
      [CSS] interface Eth-Trunk 6   //Add Eth-Trunk6 to VLAN 20.
      [CSS-Eth-Trunk6] port link-type trunk
      [CSS-Eth-Trunk6] port trunk allow-pass vlan 20
      [CSS-Eth-Trunk6] quit
      [CSS] interface Vlanif 20   //Create VLANIF 20 for Public to connect to FW1 and FW2.
      [CSS-Vlanif20] ip address 10.10.2.1 24
      [CSS-Vlanif20] quit
      [CSS] interface Eth-Trunk 5   //Add Eth-Trunk5 to VLAN 30.
      [CSS-Eth-Trunk5] port link-type trunk
      [CSS-Eth-Trunk5] port trunk allow-pass vlan 30
      [CSS-Eth-Trunk5] quit
      [CSS] interface Eth-Trunk 7   //Add Eth-Trunk7 to VLAN 30.
      [CSS-Eth-Trunk7] port link-type trunk
      [CSS-Eth-Trunk7] port trunk allow-pass vlan 30
      [CSS-Eth-Trunk7] quit
      [CSS] interface Vlanif 30   //Create VLANIF 30 for VRF-A to connect to FW1 and FW2.
      [CSS-Vlanif30] ip address 10.10.3.1 24
      [CSS-Vlanif30] quit

    3. Configure inter-chassis Eth-Trunks between switches and service networks. Configure VLANIF interfaces and assign IP addresses to them.

      # In the CSS, create Eth-Trunk8 to connect to service network 1 and add member interfaces to Eth-Trunk8.

      [CSS] interface Eth-Trunk 8
      [CSS-Eth-Trunk8] quit
      [CSS] interface Gigabitethernet 1/3/0/1   //Add an interface on the master switch to Eth-Trunk8.
      [CSS-Gigabitethernet1/3/0/1] Eth-Trunk 8
      [CSS-Gigabitethernet1/3/0/1] quit
      [CSS] interface Gigabitethernet 2/3/0/1   //Add an interface on the backup switch to Eth-Trunk8.
      [CSS-Gigabitethernet2/3/0/1] Eth-Trunk 8
      [CSS-Gigabitethernet2/3/0/1] quit

      # In the CSS, create Eth-Trunk9 to connect to service network 2 and add member interfaces to Eth-Trunk9.

      [CSS] interface Eth-Trunk 9
      [CSS-Eth-Trunk9] quit
      [CSS] interface Gigabitethernet 1/3/0/2   //Add an interface on the master switch to Eth-Trunk9.
      [CSS-Gigabitethernet1/3/0/2] Eth-Trunk 9
      [CSS-Gigabitethernet1/3/0/2] quit
      [CSS] interface Gigabitethernet 2/3/0/2   //Add an interface on the backup switch to Eth-Trunk9.
      [CSS-Gigabitethernet2/3/0/2] Eth-Trunk 9
      [CSS-Gigabitethernet2/3/0/2] quit

      # Create VLANIF interfaces and assign IP addresses to them.

      [CSS] vlan batch 100 200
      [CSS] interface Eth-Trunk 8   //Add Eth-Trunk8 to VLAN 100.
      [CSS-Eth-Trunk8] port link-type trunk
      [CSS-Eth-Trunk8] port trunk allow-pass vlan 100
      [CSS-Eth-Trunk8] quit
      [CSS] interface Vlanif 100   //Create VLANIF 100 for CSS to connect to service network 1.
      [CSS-Vlanif100] ip address 10.10.100.1 24
      [CSS-Vlanif100] quit
      [CSS] interface Eth-Trunk 9   //Add Eth-Trunk9 to VLAN 200.
      [CSS-Eth-Trunk9] port link-type trunk
      [CSS-Eth-Trunk9] port trunk allow-pass vlan 200
      [CSS-Eth-Trunk9] quit
      [CSS] interface Vlanif 200   //Create VLANIF 200 for CSS to connect to service network 2.
      [CSS-Vlanif200] ip address 10.10.200.1 24
      [CSS-Vlanif200] quit

  3. On routers: Configure the interfaces between routers and CSS.

    # Configure Router1, create Eth-Trunk1 on Router1, and add member interfaces to Eth-Trunk1.

    <Huawei> system-view
    [Huawei] sysname Router1
    [Router1] interface Eth-Trunk 1  
    [Router1-Eth-Trunk1] quit
    [Router1] interface XGigabitethernet 1/0/1  
    [Router1-XGigabitEthernet1/0/1] undo shutdown
    [Router1-XGigabitEthernet1/0/1] Eth-Trunk 1
    [Router1-XGigabitEthernet1/0/1] quit
    [Router1] interface XGigabitethernet 1/0/2  
    [Router1-XGigabitEthernet1/0/2] undo shutdown
    [Router1-XGigabitEthernet1/0/2] Eth-Trunk 1
    [Router1-XGigabitEthernet1/0/2] quit

    # Configure the Dot1q termination subinterface for VLAN 10 and assign an IP address to the subinterface.

    [Router1] interface Eth-Trunk 1.100
    [Router1-Eth-Trunk1.100] ip address 10.10.4.2 24
    [Router1-Eth-Trunk1.100] dot1q termination vid 10
    [Router1-Eth-Trunk1.100] quit

    # The configuration procedure on Router2 is the same as that on Router1 except that the interface addresses are different.

  4. On firewalls: Configure interfaces and zones.

    # Configure interfaces and zones on FW1.

    <USG> system-view
    [USG] sysname FW1
    [FW1] interface Eth-Trunk 4   //Configure the interface connected to CSS and assign an IP address to it.
    [FW1-Eth-Trunk4] ip address 10.10.2.2 24
    [FW1-Eth-Trunk4] quit
    [FW1] interface Gigabitethernet 1/0/0   //Add an interface to Eth-Trunk4.
    [FW1-GigabitEthernet1/0/0] Eth-Trunk 4
    [FW1-GigabitEthernet1/0/0] quit
    [FW1] interface Gigabitethernet 1/0/1   //Add an interface to Eth-Trunk4.
    [FW1-GigabitEthernet1/0/1] Eth-Trunk 4
    [FW1-GigabitEthernet1/0/1] quit
    
    [FW1] interface Eth-Trunk 5   //Configure the interface connected to CSS and assign an IP address to it.
    [FW1-Eth-Trunk5] ip address 10.10.3.2 24
    [FW1-Eth-Trunk5] quit
    [FW1] interface Gigabitethernet 1/1/0   //Add an interface to Eth-Trunk5.
    [FW1-GigabitEthernet1/1/0] Eth-Trunk 5
    [FW1-GigabitEthernet1/1/0] quit
    [FW1] interface Gigabitethernet 1/1/1   //Add an interface to Eth-Trunk5.
    [FW1-GigabitEthernet1/1/1] Eth-Trunk 5
    [FW1-GigabitEthernet1/1/1] quit
    
    [FW1] interface Eth-Trunk 1   //Configure the interface connecting FW1 to FW2.
    [FW1-Eth-Trunk1] ip address 10.1.1.1 24
    [FW1-Eth-Trunk1] quit
    [FW1] interface Gigabitethernet 2/0/0   //Add an interface to Eth-Trunk1.
    [FW1-GigabitEthernet2/0/0] Eth-Trunk 1
    [FW1-GigabitEthernet2/0/0] quit
    [FW1] interface Gigabitethernet 2/0/1   //Add an interface to Eth-Trunk1.
    [FW1-GigabitEthernet2/0/1] Eth-Trunk 1
    [FW1-GigabitEthernet2/0/1] quit
    
    [FW1] firewall zone trust
    [FW1-zone-trust] add interface Eth-Trunk 5   //Add Eth-Trunk5 connected to the intranet to a trusted zone.
    [FW1-zone-trust] quit
    [FW1] firewall zone untrust
    [FW1-zone-untrust] add interface Eth-Trunk 4   //Add Eth-Trunk4 connected to the extranet to an untrusted zone.
    [FW1-zone-untrust] quit
    [FW1] firewall zone dmz
    [FW1-zone-dmz] add interface Eth-Trunk 1   //Add the interface between FW1 and FW2 to the DMZ.
    [FW1-zone-dmz] quit

    # Configure interfaces and zones on FW2.

    <USG> system-view
    [USG] sysname FW2
    [FW2] interface Eth-Trunk 6   //Configure the interface connected to CSS and assign an IP address to it.
    [FW2-Eth-Trunk6] ip address 10.10.2.3 24
    [FW2-Eth-Trunk6] quit
    [FW2] interface Gigabitethernet 1/0/0   //Add an interface to Eth-Trunk6.
    [FW2-GigabitEthernet1/0/0] Eth-Trunk 6
    [FW2-GigabitEthernet1/0/0] quit
    [FW2] interface Gigabitethernet 1/0/1   //Add an interface to Eth-Trunk6.
    [FW2-GigabitEthernet1/0/1] Eth-Trunk 6
    [FW2-GigabitEthernet1/0/1] quit
    
    [FW2] interface Eth-Trunk 7   //Configure the interface connected to CSS and assign an IP address to it.
    [FW2-Eth-Trunk7] ip address 10.10.3.3 24
    [FW2-Eth-Trunk7] quit
    [FW2] interface Gigabitethernet 1/1/0   //Add an interface to Eth-Trunk7.
    [FW2-GigabitEthernet1/1/0] Eth-Trunk 7
    [FW2-GigabitEthernet1/1/0] quit
    [FW2] interface Gigabitethernet 1/1/1   //Add an interface to Eth-Trunk7.
    [FW2-GigabitEthernet1/1/1] Eth-Trunk 7
    [FW2-GigabitEthernet1/1/1] quit
    
    [FW2] interface Eth-Trunk 1   //Configure the interface between FW2 and FW1.
    [FW2-Eth-Trunk1] ip address 10.1.1.2 24
    [FW2-Eth-Trunk1] quit
    [FW2] interface Gigabitethernet 2/0/0   //Add an interface to Eth-Trunk1.
    [FW2-GigabitEthernet2/0/0] Eth-Trunk 1
    [FW2-GigabitEthernet2/0/0] quit
    [FW2] interface Gigabitethernet 2/0/1   //Add an interface to Eth-Trunk1.
    [FW2-GigabitEthernet2/0/1] Eth-Trunk 1
    [FW2-GigabitEthernet2/0/1] quit
    
    [FW2] firewall zone trust
    [FW2-zone-trust] add interface Eth-Trunk 7   //Add Eth-Trunk7 connected to the intranet to the trusted zone.
    [FW2-zone-trust] quit
    [FW2] firewall zone untrust
    [FW2-zone-untrust] add interface Eth-Trunk 6   //Add Eth-Trunk6 connected to the extranet to the untrusted zone.
    [FW2-zone-untrust] quit
    [FW2] firewall zone dmz
    [FW2-zone-dmz] add interface Eth-Trunk 1   //Add the interface between FW1 and FW2 to the DMZ.
    [FW2-zone-dmz] quit

  5. On routers: Configure VRRP. Configure Router1 as the VRRP master and Router2 as the VRRP backup.

    # Configure Router1.

    [Router1] interface Eth-Trunk 1.100
    [Router1-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100   //Configure the VRRP virtual IP address.
    [Router1-Eth-Trunk1.100] vrrp vrid 1 priority 120   //Increase the priority of Router1 to make Router1 become the Master.
    [Router1-Eth-Trunk1.100] quit

    # Configure Router2.

    [Router2] interface Eth-Trunk 1.100
    [Router2-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100   //Configure the VRRP virtual IP address.
    [Router2-Eth-Trunk1.100] quit

    After the configuration is complete, a VRRP group should have been set up between Router1 and Router2. You can run the display vrrp command to view the VRRP status of Router1 and Router2.

    # Check the VRRP status of Router1. The status is master.

    [Router1] display vrrp
      Eth-Trunk1.100 | Virtual Router 1
        State : Master
        Virtual IP : 10.10.4.100
        Master IP : 10.10.4.2
        PriorityRun : 120
        PriorityConfig : 120
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
        TimerRun : 1 s
        TimerConfig : 1 s
        Auth type : NONE
        Virtual MAC : 0000-5e00-0101
        Check TTL : YES
        Config type : normal-vrrp
        Create time : 2015-05-18 06:53:47 UTC-05:13
        Last change time : 2015-05-18 06:54:14 UTC-05:13

    # Check the VRRP status of Router2. The status is backup.

    [Router2] display vrrp
      Eth-Trunk1.100 | Virtual Router 1
        State : Backup
        Virtual IP : 10.10.4.100
        Master IP : 10.10.4.2
        PriorityRun : 100
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
        TimerRun : 1 s
        TimerConfig : 1 s
        Auth type : NONE
        Virtual MAC : 0000-5e00-0101
        Check TTL : YES
        Config type : normal-vrrp
        Create time : 2015-05-18 06:53:52 UTC-05:13
        Last change time : 2015-05-18 06:57:12 UTC-05:13
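A quick operational check for this step is to confirm, from both routers' display vrrp output, that exactly one router is Master for each VRID, that both advertise the same virtual IP address and agree on the Master IP, and that the Master holds the higher running priority. The Python script below is an added example and is not part of the Huawei page: the two sample outputs are trimmed copies of the display vrrp output shown above, and the split-brain case is constructed by flipping Router2's state to Master.

```python
import re

# Trimmed copies of the two "display vrrp" outputs shown on this page.
ROUTER1_OUTPUT = """\
  Eth-Trunk1.100 | Virtual Router 1
    State : Master
    Virtual IP : 10.10.4.100
    Master IP : 10.10.4.2
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0101
"""

ROUTER2_OUTPUT = """\
  Eth-Trunk1.100 | Virtual Router 1
    State : Backup
    Virtual IP : 10.10.4.100
    Master IP : 10.10.4.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    Virtual MAC : 0000-5e00-0101
"""

HEADER_RE = re.compile(r"^\s*(\S+)\s*\|\s*Virtual Router\s+(\d+)")
FIELD_RE = re.compile(r"^\s*(State|Virtual IP|Master IP|PriorityRun|Preempt)\s*:\s*(\S+)")


def parse_display_vrrp(text):
    """Parse one router's 'display vrrp' output into a list of per-VRID dicts."""
    instances = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            instances.append({"interface": header.group(1), "vrid": int(header.group(2))})
            continue
        field = FIELD_RE.match(line)
        if field and instances:
            instances[-1][field.group(1)] = field.group(2)
    return instances


def check_vrrp_pair(outputs):
    """outputs maps router name -> its 'display vrrp' text. Returns a list of
    findings; an empty list means the pair is in the expected state."""
    findings = []
    by_vrid = {}
    for router, text in outputs.items():
        for inst in parse_display_vrrp(text):
            by_vrid.setdefault(inst["vrid"], []).append((router, inst))
    for vrid, members in sorted(by_vrid.items()):
        masters = [r for r, i in members if i.get("State") == "Master"]
        if len(masters) != 1:
            findings.append(f"VRID {vrid}: expected exactly 1 Master, found {masters}")
        vips = {i.get("Virtual IP") for _, i in members}
        if len(vips) != 1:
            findings.append(f"VRID {vrid}: virtual IP mismatch {sorted(vips)}")
        master_ips = {i.get("Master IP") for _, i in members}
        if len(master_ips) != 1:
            findings.append(f"VRID {vrid}: routers disagree on Master IP {sorted(master_ips)}")
        for router, inst in members:
            if inst.get("State") != "Master":
                continue
            prio = int(inst.get("PriorityRun", 0))
            others = [int(j.get("PriorityRun", 0)) for r, j in members if r != router]
            if any(prio <= o for o in others):
                findings.append(f"VRID {vrid}: Master {router} priority {prio} is not the highest")
    return findings


if __name__ == "__main__":
    healthy = {"Router1": ROUTER1_OUTPUT, "Router2": ROUTER2_OUTPUT}
    print("healthy pair:", check_vrrp_pair(healthy) or "OK")
    # Constructed failure: both routers believe they are Master (heartbeats lost).
    split = {"Router1": ROUTER1_OUTPUT,
             "Router2": ROUTER2_OUTPUT.replace("State : Backup", "State : Master")}
    print("split brain:", check_vrrp_pair(split))
```

The split-brain case matters here because the VRRP heartbeats travel through the CSS (step 3 of the roadmap): an Eth-Trunk or VLAN 10 problem that cuts Router1 off from Router2 leaves both routers answering for 10.10.4.100.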
    

  6. Configure routes between CSS and FWs and between CSS and routers.
    1. Configure OSPF between switches and routers.

      # Create VPN instance Public on CSS and bind the interfaces connected to routers and firewalls to Public.

      [CSS] ip vpn-instance Public   //Create the VPN instance Public.
      [CSS-vpn-instance-Public] ipv4-family
      [CSS-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
      [CSS-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
      [CSS-vpn-instance-Public-af-ipv4] quit
      [CSS-vpn-instance-Public] quit
      [CSS] interface Vlanif 10
      [CSS-Vlanif10] ip binding vpn-instance Public   //Bind VLANIF 10, which connects the CSS to router, to Public.
      [CSS-Vlanif10] ip address 10.10.4.1 24    //Reconfigure an IP address for VLANIF 10, because the preceding operation has deleted the original IP address.
      [CSS-Vlanif10] quit
      [CSS] interface Vlanif 20
      [CSS-Vlanif20] ip binding vpn-instance Public   //Bind VLANIF 20, which connects the CSS to firewall's upstream interface, to Public.
      [CSS-Vlanif20] ip address 10.10.2.1 24    //Reconfigure an IP address for VLANIF 20, because the preceding operation has deleted the original IP address.
      [CSS-Vlanif20] quit

      # Configure a static route in Public to forward upstream traffic. Set the next hop of the route to the VRRP virtual IP address of routers.

      [CSS] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100    //Configure a default route for Public and set the next hop as the VRRP virtual IP address of the router.

      # Configure OSPF between CSS and routers to forward downstream traffic. Routers can learn the return routes to service networks using OSPF.

      [CSS] ospf 100 router-id 1.1.1.1 vpn-instance Public
      [CSS-ospf-100] area 0
      [CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the routes on the network segment connected to Router to OSPF.
      [CSS-ospf-100-area-0.0.0.0] quit
      [CSS-ospf-100] import-route static       //Import the static route to OSPF.
      [CSS-ospf-100] quit

      Configure OSPF on Router1 and Router2.

      # Configure Router1.

      [Router1] ospf 100 router-id 2.2.2.2
      [Router1-ospf-100] area 0
      [Router1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the routes on the network segment connected to CSS to OSPF.
      [Router1-ospf-100-area-0.0.0.0] quit
      [Router1-ospf-100] quit

      # Configure Router2.

      [Router2] ospf 100 router-id 3.3.3.3
      [Router2-ospf-100] area 0
      [Router2-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255    //Advertise the routes on the network segment connected to CSS to OSPF.
      [Router2-ospf-100-area-0.0.0.0] quit
      [Router2-ospf-100] quit

      # After the configurations are complete, CSS, Router1, and Router2 can set up neighbor relationships. For example, when you view OSPF neighbor information on the CSS, you can find that Router1 and Router2 have set up OSPF neighbor relationships with CSS and the neighbor status is Full.

      [CSS] display ospf peer
                 OSPF Process 100 with Router ID 1.1.1.1
                   Neighbors

             Area 0.0.0.0 interface 10.10.4.1(Vlanif10)'s neighbors
             Router ID: 2.2.2.2          Address: 10.10.4.2
               State: Full  Mode:Nbr is  Master  Priority: 1
               DR: 10.10.4.1  BDR: 10.10.4.2  MTU: 0
               Dead timer due in 31  sec
               Retrans timer interval: 5
               Neighbor is up for 00:13:23
               Authentication Sequence: [ 0 ]

             Router ID: 3.3.3.3          Address: 10.10.4.3
               State: Full  Mode:Nbr is  Master  Priority: 1
               DR: 10.10.4.1  BDR: 10.10.4.2  MTU: 0
               Dead timer due in 37  sec
               Retrans timer interval: 5
               Neighbor is up for 00:00:52
               Authentication Sequence: [ 0 ]

    2. Configure static routes between switches and FWs.

      # Create VRF-A on the CSS to forward upstream traffic, and bind the interfaces connected to service networks and downstream interfaces of firewalls to VRF-A. The default route of VRF-A is the downstream VRRP virtual IP address (VRID2) of firewalls.

      [CSS] ip vpn-instance VRF-A   //Create VRF-A.
      [CSS-vpn-instance-VRF-A] ipv4-family
      [CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
      [CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
      [CSS-vpn-instance-VRF-A-af-ipv4] quit
      [CSS-vpn-instance-VRF-A] quit
      [CSS] interface Vlanif 100
      [CSS-Vlanif100] ip binding vpn-instance VRF-A   //Bind VLANIF 100, which connects the CSS to service network 1, to VRF-A.
      [CSS-Vlanif100] ip address 10.10.100.1 24    //Reconfigure an IP address for VLANIF 100, because the preceding operation has deleted the original IP address.
      [CSS-Vlanif100] quit
      [CSS] interface Vlanif 200
      [CSS-Vlanif200] ip binding vpn-instance VRF-A   //Bind VLANIF 200, which connects the CSS to service network 2, to VRF-A.
      [CSS-Vlanif200] ip address 10.10.200.1 24    //Reconfigure an IP address for VLANIF 200, because the preceding operation has deleted the original IP address.
      [CSS-Vlanif200] quit
      [CSS] interface Vlanif 30
      [CSS-Vlanif30] ip binding vpn-instance VRF-A   //Bind VLANIF 30, which connects the CSS to the firewall's downstream interface, to VRF-A.
      [CSS-Vlanif30] ip address 10.10.3.1 24    //Reconfigure an IP address for VLANIF 30, because the preceding operation has deleted the original IP address.
      [CSS-Vlanif30] quit

      # Configure a default route in VRF-A. The next hop is the downstream VRRP 2 virtual IP address (VRID2) of firewalls.

      [CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5

      # Configure a static route in Public to forward downstream traffic. Set the next hop of the route to the upstream VRRP 1 virtual IP address (VRID1) of firewalls.

      [CSS] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5    //The destination address is on service network 1 and the next hop is the VRID1 virtual IP address (upstream) of the two FWs.
      [CSS] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5    //The destination address is on service network 2 and the next hop is the VRID1 virtual IP address (upstream) of the two FWs.

    3. Configure static routes on firewalls.

      # Configure a static route on FW1.

      [FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1   //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
      [FW1] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1   //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
      [FW1] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1   //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

      # Configure a static route on FW2.

      [FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1   //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
      [FW2] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1   //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
      [FW2] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1   //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

      # The OSPF neighbor relationships between the CSS, Router1, and Router2 were already verified with the display ospf peer command in step 1. The firewall static routes do not take part in OSPF; the routers learn the service networks because the CSS imports its static routes into OSPF (import-route static). The next step checks that the static routes are installed on the CSS as intended.

    4. Verify the configuration.

      # Check the routing table on CSS.

      [CSS] display ip routing-table vpn-instance VRF-A    
      Route Flags: R - relay, D - download to fib, T - to vpn-instance
      ------------------------------------------------------------------------------
      Routing Tables: VRF-A
               Destinations : 7        Routes : 7        
      
      Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      
              0.0.0.0/0   Static  60   0          RD   10.10.3.5       Vlanif30
            10.10.3.0/24  Direct  0    0           D   10.10.3.1       Vlanif30
            10.10.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
          10.10.100.0/24  Direct  0    0           D   10.10.100.1     Vlanif100
          10.10.100.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
          10.10.200.0/24  Direct  0    0           D   10.10.200.1     Vlanif200
          10.10.200.1/32  Direct  0    0           D   127.0.0.1       Vlanif200
      

      In the routing table on VRF-A, the first line indicates that the next hop for the traffic destined for the Internet is the VRRP VRID 2 virtual IP address (10.10.3.5) of firewalls. This indicates that upstream traffic is forcibly directed to firewalls for filtering.

      [CSS] display ip routing-table vpn-instance Public
      Route Flags: R - relay, D - download to fib, T - to vpn-instance
      ------------------------------------------------------------------------------
      Routing Tables: Public
               Destinations : 7        Routes : 7

      Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

              0.0.0.0/0   Static  60   0          RD   10.10.4.100     Vlanif10
            10.10.2.0/24  Direct  0    0           D   10.10.2.1       Vlanif20
            10.10.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
            10.10.4.0/24  Direct  0    0           D   10.10.4.1       Vlanif10
            10.10.4.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
          10.10.100.0/24  Static  60   0          RD   10.10.2.5       Vlanif20
          10.10.200.0/24  Static  60   0          RD   10.10.2.5       Vlanif20

      In the routing table on Public, the first line indicates that the next hop for the traffic destined for the Internet is the VRRP VRID 1 virtual IP address (10.10.4.100) of routers.

      The last two lines indicate that the next hop for the traffic destined for the service networks is the VRRP VRID 1 virtual IP address (10.10.2.5) of the firewalls. This indicates that downstream traffic is forcibly directed to the firewalls for filtering. If a service network ever appears in Public as a Direct route (for example, because its VLANIF was not bound to VRF-A), the Direct route wins over the static route because its preference value is lower, and downstream traffic to that network bypasses the firewalls.
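      The steering in steps 2 to 4 rests on a routing invariant rather than on any firewall feature: VRF-A's only way out is the firewall VRID 2 address, and Public's only way into the service networks is the firewall VRID 1 address. The following Python script is an added example and not part of the Huawei page. It parses the two routing tables shown above, adds a constructed firewall table built from the step 3 static routes (the page shows no firewall routing-table output), and walks a packet in both directions to confirm that the firewalls are on the path. It also reproduces the bypass that results if VLANIF 100 is left in Public. The device names, the OWNER map, and the sample destination addresses (203.0.113.10, 10.10.100.50) are assumptions for illustration.

```python
"""Walk the CSS and firewall routing tables of this example and confirm that
traffic in both directions crosses the firewall VRRP virtual addresses.
Added example (not Huawei code). The two display blocks are copied from the
verification step; the firewall table is constructed from the step 3 routes."""
import ipaddress
import re
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    proto: str      # Direct / Static / OSPF ...
    pre: int        # route preference: lower wins (Direct = 0, Static = 60)
    nexthop: str


# Constructed samples: the two tables shown in "4. Verify the configuration".
CSS_VRF_A = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   10.10.3.5       Vlanif30
      10.10.3.0/24  Direct  0    0           D   10.10.3.1       Vlanif30
      10.10.3.1/32  Direct  0    0           D   127.0.0.1       Vlanif30
    10.10.100.0/24  Direct  0    0           D   10.10.100.1     Vlanif100
    10.10.100.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
    10.10.200.0/24  Direct  0    0           D   10.10.200.1     Vlanif200
    10.10.200.1/32  Direct  0    0           D   127.0.0.1       Vlanif200
"""
CSS_PUBLIC = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   10.10.4.100     Vlanif10
      10.10.2.0/24  Direct  0    0           D   10.10.2.1       Vlanif20
      10.10.2.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
      10.10.4.0/24  Direct  0    0           D   10.10.4.1       Vlanif10
      10.10.4.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
    10.10.100.0/24  Static  60   0          RD   10.10.2.5       Vlanif20
    10.10.200.0/24  Static  60   0          RD   10.10.2.5       Vlanif20
"""

# Destination/Mask  Proto  Pre  Cost  Flags  NextHop  Interface
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+)\s+(\w+)\s+(\d+)\s+\d+\s+\w+\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s*$"
)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def parse_routing_table(text: str) -> list:
    """Parse 'display ip routing-table' rows into Route entries; headers are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            routes.append(Route(net(f"{m[1]}/{m[2]}"), m[3], int(m[4]), m[5]))
    return routes


# Constructed from the FW1/FW2 static routes in step 3 plus their connected subnets.
FW_ROUTES = [
    Route(net("0.0.0.0/0"), "Static", 60, "10.10.2.1"),
    Route(net("10.10.100.0/24"), "Static", 60, "10.10.3.1"),
    Route(net("10.10.200.0/24"), "Static", 60, "10.10.3.1"),
    Route(net("10.10.2.0/24"), "Direct", 0, "10.10.2.2"),
    Route(net("10.10.3.0/24"), "Direct", 0, "10.10.3.2"),
]

# Which device answers for each next-hop address in the example (assumed map).
OWNER = {
    "10.10.3.5": "FW",            # VRRP VRID 2 virtual IP (FW downstream)
    "10.10.2.5": "FW",            # VRRP VRID 1 virtual IP (FW upstream)
    "10.10.2.1": "CSS-Public",    # VLANIF 20
    "10.10.3.1": "CSS-VRF-A",     # VLANIF 30
    "10.10.4.100": "Routers",     # router VRRP VRID 1 virtual IP (Internet side)
}

TABLES = {
    "CSS-VRF-A": parse_routing_table(CSS_VRF_A),
    "CSS-Public": parse_routing_table(CSS_PUBLIC),
    "FW": FW_ROUTES,
}


def lookup(table: list, dst: str) -> Optional[Route]:
    """Longest-prefix match; equal prefixes are decided by preference, as the switch does."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return min(hits, key=lambda r: (-r.prefix.prefixlen, r.pre)) if hits else None


def trace(tables: dict, start: str, dst: str, max_hops: int = 8) -> list:
    """Hop through routing tables until the packet is delivered on a connected subnet,
    is handed to a device we hold no table for (the routers), or is dropped."""
    path, device = [start], start
    while device in tables and len(path) < max_hops:
        route = lookup(tables[device], dst)
        if route is None:
            path.append("DROP:no-route")
            break
        if route.proto == "Direct":
            break  # destination is on a connected subnet of this device
        device = OWNER.get(route.nexthop, f"?{route.nexthop}")
        path.append(device)
    return path


def check_steering(tables: dict) -> dict:
    """The invariant the design relies on: both directions cross the firewall."""
    return {
        "upstream": "FW" in trace(tables, "CSS-VRF-A", "203.0.113.10"),
        "downstream": "FW" in trace(tables, "CSS-Public", "10.10.100.50"),
    }


def bypass_tables() -> dict:
    """Misconfiguration: VLANIF 100 left unbound, so service network 1 is a Direct
    route in Public (preference 0 beats the static 60) and never reaches the firewall."""
    leaked = Route(net("10.10.100.0/24"), "Direct", 0, "10.10.100.1")
    return {**TABLES, "CSS-Public": TABLES["CSS-Public"] + [leaked]}


if __name__ == "__main__":
    print(trace(TABLES, "CSS-VRF-A", "203.0.113.10"))
    print(trace(TABLES, "CSS-Public", "10.10.100.50"))
    print(check_steering(TABLES), check_steering(bypass_tables()))
```

      Feed the script the captured output of display ip routing-table vpn-instance for VRF-A and Public after any change to VLANIF bindings or static routes; a False in check_steering means a path exists that no firewall inspects.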

  7. Configure HRP on firewalls.

    # Configure HRP on FW1 and set FW1 as master.

    [FW1] interface Eth-Trunk 4
    [FW1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master   //Configure VRRP group 1 on the upstream interface and set its status to master.
    [FW1-Eth-Trunk4] quit
    [FW1] interface Eth-Trunk 5
    [FW1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master   //Configure VRRP group 2 on the downstream interface and set its status to master.
    [FW1-Eth-Trunk5] quit
    [FW1] hrp interface Eth-Trunk 1 remote 10.1.1.2   //Specify the heartbeat interface and the heartbeat address of the peer firewall.
    [FW1] firewall packet-filter default permit interzone local dmz   //Eth-Trunk 1 is in the DMZ zone, so permit traffic between the Local and DMZ zones for HRP heartbeat packets.
    [FW1] hrp enable   //Enable HRP. The prompt changes to HRP_M on the master.
    HRP_M[FW1]

    # Configure HRP on FW2 and set FW2 as slave.

    [FW2] interface Eth-Trunk 6
    [FW2-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave   //Configure VRRP group 1 on the upstream interface and set its status to slave.
    [FW2-Eth-Trunk6] quit
    [FW2] interface Eth-Trunk 7
    [FW2-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave    //Configure VRRP group 2 on the downstream interface and set its status to slave.
    [FW2-Eth-Trunk7] quit
    [FW2] hrp interface Eth-Trunk 1 remote 10.1.1.1   //Specify the heartbeat interface and the heartbeat address of the peer firewall.
    [FW2] firewall packet-filter default permit interzone local dmz   //Eth-Trunk 1 is in the DMZ zone, so permit traffic between the Local and DMZ zones for HRP heartbeat packets.
    [FW2] hrp enable   //Enable HRP. The prompt changes to HRP_S on the slave.
    HRP_S[FW2]

    # Check VRRP status. FW1 is the master and FW2 is the slave.

    HRP_M[FW1] display vrrp
      Eth-Trunk4 | Virtual Router 1
         VRRP Group : Master
        State : Master
        Virtual IP : 10.10.2.5
        Virtual MAC : 0000-5e00-0101
        Primary IP : 10.10.2.2
        PriorityRun : 120
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
         Advertisement Timer : 1
        Auth type : NONE
        Check TTL : YES
        
    Eth-Trunk5 | Virtual Router 2
         VRRP Group : Master
        State : Master
        Virtual IP : 10.10.3.5
        Virtual MAC : 0000-5e00-0102
        Primary IP : 10.10.3.2
        PriorityRun : 120
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
         Advertisement Timer : 1
        Auth type : NONE
        Check TTL : YES
    
    HRP_S[FW2] display vrrp
      Eth-Trunk7 | Virtual Router 2
         VRRP Group : Slave
        State : Backup
        Virtual IP : 10.10.3.5
        Virtual MAC : 0000-5e00-0102
        Primary IP : 10.10.3.3
        PriorityRun : 100
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
         Advertisement Timer : 1
        Auth type : NONE
        Check TTL : YES

    Eth-Trunk6 | Virtual Router 1
         VRRP Group : Slave
        State : Backup
        Virtual IP : 10.10.2.5
        Virtual MAC : 0000-5e00-0101
        Primary IP : 10.10.2.3
        PriorityRun : 100
        PriorityConfig : 100
        MasterPriority : 120
        Preempt : YES   Delay Time : 0 s
         Advertisement Timer : 1
        Auth type : NONE
        Check TTL : YES
    
    # Check HRP status.

    HRP_M[FW1] display hrp state
     The firewall's config state is: MASTER
    
     Current state of virtual routers configured as master:
                           Eth-Trunk4    vrid   1 : master
               (gigabitEthernet1/0/0)             : up  
               (gigabitEthernet1/0/1)             : up  
                           Eth-Trunk5    vrid   2 : master
               (gigabitEthernet1/1/0)             : up  
               (gigabitEthernet1/1/1)             : up
    

    After HRP is configured, the configurations and sessions on the active firewall are synchronized to the standby firewall; therefore, you only need to perform the following configurations on the active firewall FW1.
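    Because the firewalls sit in bypass mode, the pair only works while the same firewall is master for both VRRP groups: if VRID 1 and VRID 2 end up on different boxes, the upstream and downstream packets of one session hit different firewalls and stateful inspection drops them. The following Python script is an added example, not Huawei code. It parses trimmed copies of the display vrrp output shown above from both firewalls and reports that split condition, duplicate or missing masters, virtual IP mismatches, and, as a warning, the Auth type : NONE that the output shows. The firewall names and the simulated fault are constructed for illustration.

```python
"""Audit 'display vrrp' from both HRP firewalls for the failure modes that
matter in bypass mode. Added example (not Huawei code); the samples are
trimmed copies of the display vrrp blocks in this step."""
import re

BLOCK_HEAD = re.compile(r"^\s*(\S+)\s*\|\s*Virtual Router\s+(\d+)\s*$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")

# Constructed samples (trimmed): FW1 is master for both groups, FW2 backup for both.
FW1_VRRP = """\
Eth-Trunk4 | Virtual Router 1
  State : Master
  Virtual IP : 10.10.2.5
  Primary IP : 10.10.2.2
  PriorityRun : 120
  Auth type : NONE

Eth-Trunk5 | Virtual Router 2
  State : Master
  Virtual IP : 10.10.3.5
  Primary IP : 10.10.3.2
  PriorityRun : 120
  Auth type : NONE
"""
FW2_VRRP = """\
Eth-Trunk7 | Virtual Router 2
  State : Backup
  Virtual IP : 10.10.3.5
  Primary IP : 10.10.3.3
  PriorityRun : 100
  Auth type : NONE

Eth-Trunk6 | Virtual Router 1
  State : Backup
  Virtual IP : 10.10.2.5
  Primary IP : 10.10.2.3
  PriorityRun : 100
  Auth type : NONE
"""


def parse_display_vrrp(text: str) -> list:
    """One dict per 'interface | Virtual Router N' block, keyed by the field names."""
    groups, cur = [], None
    for line in text.splitlines():
        head = BLOCK_HEAD.match(line)
        if head:
            cur = {"interface": head[1], "vrid": int(head[2])}
            groups.append(cur)
            continue
        kv = KEY_VALUE.match(line) if cur is not None else None
        if kv:
            cur[kv[1]] = kv[2]
    return groups


def audit(pair: dict) -> dict:
    """pair maps firewall name -> parsed groups. Returns 'fail' and 'warn' findings."""
    fail, warn, by_vrid = [], [], {}
    for fw, groups in pair.items():
        states = {g["State"] for g in groups}
        if len(states) > 1:
            fail.append(f"{fw}: mixed states {sorted(states)}: upstream and downstream "
                        "would use different firewalls (asymmetric path, sessions dropped)")
        for g in groups:
            by_vrid.setdefault(g["vrid"], []).append((fw, g))
            if g.get("Auth type", "").upper() == "NONE":
                warn.append(f"{fw} {g['interface']} VRID {g['vrid']}: VRRP authentication is NONE")
    for vrid, members in sorted(by_vrid.items()):
        masters = [fw for fw, g in members if g["State"] == "Master"]
        if len(masters) != 1:
            fail.append(f"VRID {vrid}: {len(masters)} master(s) {masters}, expected exactly one")
        vips = {g["Virtual IP"] for _, g in members}
        if len(vips) != 1:
            fail.append(f"VRID {vrid}: virtual IP mismatch {sorted(vips)}")
        if len(members) != len(pair):
            fail.append(f"VRID {vrid}: present on {len(members)} of {len(pair)} firewalls")
    return {"fail": fail, "warn": warn}


def healthy_pair() -> dict:
    return {"FW1": parse_display_vrrp(FW1_VRRP), "FW2": parse_display_vrrp(FW2_VRRP)}


def split_pair() -> dict:
    """Simulated fault: VRID 2 failed over to FW2 while VRID 1 stayed on FW1."""
    pair = healthy_pair()
    for fw, state in (("FW1", "Backup"), ("FW2", "Master")):
        for g in pair[fw]:
            if g["vrid"] == 2:
                g["State"] = state
    return pair


if __name__ == "__main__":
    for name, pair in (("healthy", healthy_pair()), ("split", split_pair())):
        print(name, audit(pair))
```

    Run it against display vrrp captured from both members after every failover test; an entry in fail means the pair is no longer a single inspection point, and the warnings point at VRRP running without authentication on the VLAN 20 and VLAN 30 segments.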

  8. Configure security policies on firewalls.

    Only the connection configurations between firewalls and switches and the HRP configurations on firewalls are provided in this example. For the security service plan on the firewalls and security policies, attack defense, bandwidth management, and IPSec on the campus network, see Firewall Configuration Examples.

  9. Verify the configuration.

    After the configurations are complete, check whether the CSS and routers can ping each other.

    # Ping Eth-Trunk1.100 of Router1 from the CSS to check the uplink connectivity. Because VLANIF 10 is bound to the VPN instance Public, specify that instance in the ping command.

    <CSS> ping -vpn-instance Public 10.10.4.2

    Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
        Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
        Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
        Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
        Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
        Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

    --- 10.10.4.2 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 140/184/266 ms

    You can find that the CSS and Router1 can ping each other.

    # Ping VLANIF 100 (in VRF-A) on the CSS from Router1 to check the downlink connectivity. Router1 learns 10.10.100.0/24 through OSPF because the CSS imports its static routes into OSPF (import-route static). Both the request (Router1 -> Public -> FW -> VRF-A) and the reply take the reverse path through a firewall, so a successful ping also shows that the firewall security policy permits this traffic.

    <Router1> ping 10.10.100.1
    
    Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
        Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
        Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
        Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
        Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
        Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms
    
    --- 10.10.100.1 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 63/109/235 ms

    You can find that Router1 and CSS VLANIF 100 can ping each other.

Configuration Files

  • Router1 configuration file

    #
    sysname Router1
    #
    interface Eth-Trunk1
    #
    interface Eth-Trunk1.100
     dot1q termination vid 10
     ip address 10.10.4.2 255.255.255.0 
     vrrp vrid 1 virtual-ip 10.10.4.100
     vrrp vrid 1 priority 120
    #
    interface XGigabitEthernet1/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet1/0/2
     eth-trunk 1
    #
    ospf 100 router-id 2.2.2.2 
     area 0.0.0.0 
      network 10.10.4.0 0.0.0.255 
    #
    return
  • Router2 configuration file

    #
    sysname Router2
    #
    interface Eth-Trunk1
    #
    interface Eth-Trunk1.100
     dot1q termination vid 10
     ip address 10.10.4.3 255.255.255.0 
     vrrp vrid 1 virtual-ip 10.10.4.100
    #
    interface XGigabitEthernet1/0/1
     eth-trunk 1
    #
    interface XGigabitEthernet1/0/2
     eth-trunk 1
    #
    ospf 100 router-id 3.3.3.3 
     area 0.0.0.0 
      network 10.10.4.0 0.0.0.255 
    #
    return
  • CSS configuration file

    #
     sysname CSS
    #
    vlan batch 10 20 30 100 200 
    #
    ip vpn-instance Public
     ipv4-family 
      route-distinguisher 100:2
      vpn-target 222:2 export-extcommunity
      vpn-target 222:2 import-extcommunity
    #
    ip vpn-instance VRF-A
     ipv4-family 
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    interface Vlanif1
    #
    interface Vlanif10
     ip binding vpn-instance Public
     ip address 10.10.4.1 255.255.255.0
    #
    interface Vlanif20
     ip binding vpn-instance Public
     ip address 10.10.2.1 255.255.255.0
    #
    interface Vlanif30
     ip binding vpn-instance VRF-A
     ip address 10.10.3.1 255.255.255.0
    #
    interface Vlanif100
     ip binding vpn-instance VRF-A
     ip address 10.10.100.1 255.255.255.0
    #
    interface Vlanif200
     ip binding vpn-instance VRF-A
     ip address 10.10.200.1 255.255.255.0
    #
    interface Eth-Trunk1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface Eth-Trunk2
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface Eth-Trunk4
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface Eth-Trunk5
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface Eth-Trunk6
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface Eth-Trunk7
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface Eth-Trunk8
     port link-type trunk
     port trunk allow-pass vlan 100
    #
    interface Eth-Trunk9
     port link-type trunk
     port trunk allow-pass vlan 200
    #
    interface GigabitEthernet1/1/0/7
      eth-trunk 4
    #
    interface GigabitEthernet1/1/0/8
      eth-trunk 5
    #
    interface GigabitEthernet1/2/0/7
      eth-trunk 6
    #
    interface GigabitEthernet1/2/0/8
      eth-trunk 7
    #
    interface GigabitEthernet1/3/0/1
      eth-trunk 8
    #
    interface GigabitEthernet1/3/0/2
      eth-trunk 9
    #
    interface GigabitEthernet2/1/0/7
      eth-trunk 4
    #
    interface GigabitEthernet2/1/0/8
      eth-trunk 5
    #
    interface GigabitEthernet2/2/0/7
      eth-trunk 6
    #
    interface GigabitEthernet2/2/0/8
      eth-trunk 7
    #
    interface GigabitEthernet2/3/0/1
      eth-trunk 8
    #
    interface GigabitEthernet2/3/0/2
      eth-trunk 9
    #
    interface XGigabitEthernet1/4/0/0
     eth-trunk 1
    #
    interface XGigabitEthernet1/4/0/1
     eth-trunk 2
    #
    interface XGigabitEthernet2/4/0/0
     eth-trunk 1
    #
    interface XGigabitEthernet2/4/0/1
     eth-trunk 2
    #
    ospf 100 router-id 1.1.1.1 vpn-instance Public
     import-route static
     area 0.0.0.0 
       network 10.10.4.0 0.0.0.255 
    #
    ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
    ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
    ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
    ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
    #
    return
  • FW1 configuration file

    #
    interface Eth-Trunk1
     alias Eth-Trunk1
     ip address 10.1.1.1 255.255.255.0 
    #
    interface Eth-Trunk4
     alias Eth-Trunk4
     ip address 10.10.2.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 master
    #
    interface Eth-Trunk5
     alias Eth-Trunk5
     ip address 10.10.3.2 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 master
    #
    interface GigabitEthernet0/0/0
     alias GE0/MGMT
     ip address 192.168.0.1 255.255.255.0 
     dhcp select interface
     dhcp server gateway-list 192.168.0.1
    #
    interface GigabitEthernet1/0/0
     undo enable snmp trap updown physic-status
     eth-trunk 4
    #
    interface GigabitEthernet1/0/1
     undo enable snmp trap updown physic-status
     eth-trunk 4
    #
    interface GigabitEthernet1/1/0
     undo enable snmp trap updown physic-status
     eth-trunk 5
    #
    interface GigabitEthernet1/1/1
     undo enable snmp trap updown physic-status
     eth-trunk 5
    #
    interface GigabitEthernet2/0/0
     undo enable snmp trap updown physic-status
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo enable snmp trap updown physic-status
     eth-trunk 1
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk5
     add interface GigabitEthernet0/0/0
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk4
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
     ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 
     ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 
     ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 
    #
     sysname FW1
    #
     hrp enable
     hrp interface Eth-Trunk1 remote 10.1.1.2
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction outbound
     firewall packet-filter default permit interzone local dmz direction inbound
     firewall packet-filter default permit interzone local dmz direction outbound
    #
    return
  • FW2 configuration file

    #
    interface Eth-Trunk1
     alias Eth-Trunk1
     ip address 10.1.1.2 255.255.255.0 
    #
    interface Eth-Trunk6
     alias Eth-Trunk6
     ip address 10.10.2.3 255.255.255.0
     vrrp vrid 1 virtual-ip 10.10.2.5 slave
    #
    interface Eth-Trunk7
     alias Eth-Trunk7
     ip address 10.10.3.3 255.255.255.0
     vrrp vrid 2 virtual-ip 10.10.3.5 slave
    #
    interface GigabitEthernet0/0/0
     alias GE0/MGMT
     ip address 192.168.0.1 255.255.255.0 
     dhcp select interface
     dhcp server gateway-list 192.168.0.1
    #
    interface GigabitEthernet1/0/0
     undo enable snmp trap updown physic-status
     eth-trunk 6
    #
    interface GigabitEthernet1/0/1
     undo enable snmp trap updown physic-status
     eth-trunk 6
    #
    interface GigabitEthernet1/1/0
     undo enable snmp trap updown physic-status
     eth-trunk 7
    #
    interface GigabitEthernet1/1/1
     undo enable snmp trap updown physic-status
     eth-trunk 7
    #
    interface GigabitEthernet2/0/0
     undo enable snmp trap updown physic-status
     eth-trunk 1
    #
    interface GigabitEthernet2/0/1
     undo enable snmp trap updown physic-status
     eth-trunk 1
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk7
     add interface GigabitEthernet0/0/0
    #
    firewall zone untrust
     set priority 5
     add interface Eth-Trunk6
    #
    firewall zone dmz
     set priority 50
     add interface Eth-Trunk1
    #
     ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 
     ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 
     ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 
    #
     sysname FW2
    #
     hrp enable
     hrp interface Eth-Trunk1 remote 10.1.1.1
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction outbound
     firewall packet-filter default permit interzone local dmz direction inbound
     firewall packet-filter default permit interzone local dmz direction outbound
    #
    return
Copyright © Huawei Technologies Co., Ltd.