HUAWEI Firewall Comprehensive Configuration Examples
Issue 02
Date 2019-08-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: https://e.huawei.com
Related Version
The following table lists the product versions related to this document.
Unless otherwise specified, USG and Eudemon series listed in this table are
referred to as the FW hereinafter.
Intended Audience
This document describes the application scenarios and configuration methods in
typical projects of the FW. This document does not cover all scenarios. You can
adapt the examples to your conditions.
This document is intended for administrators who configure and manage FWs.
The administrators must have good Ethernet knowledge and network
management experience.
Content Conventions
The screenshots in this document are for reference only. The settings are subject to
the actual GUI.
● The features such as antivirus, IPS, file blocking, data filtering, application
behavior control, mail filtering, url session logs and URL filtering may involve
the collection of users' communication contents such as the browsed websites
and transmitted files. You are advised to clear unnecessary sensitive
information in a timely manner.
● Antivirus and IPS support attack evidence collection to analyze data packets
for viruses or intrusions. However, the attack evidence collection process may
involve the collection of user's communication content. The device provides
dedicated audit administrators to obtain collected attack evidence. Other
administrators do not have such permissions. Please keep the audit
administrator account safe and clear the attack evidence collection history in
time.
● The audit function is used to record online behaviors, including the collection
or storage of browsed web pages, BBS or microblog posts, HTTP/FTP file
transfer, email receiving and sending, and QQ login and logout. The device
provides dedicated audit administrators to configure audit policies and view
audit logs. Other administrators do not have such permissions. Please keep
the audit administrator account safe.
● Port mirroring and NetStream are vital to fault diagnosis and traffic statistics
and analysis, but may involve the collection of user's communication content.
The product provides permission control over such functions. You are advised
to clear traffic records after fault diagnosis and traffic analysis.
● The quintuple packet capture function can capture the whole packet content,
which may cause the disclosure of users' personal data. When using this
function, you must comply with related national laws and regulations and
take sufficient measures to protect users' personal data. For example, the
technical support personnel cannot perform packet capture without prior
consent of customers; in addition, they must delete captured packets
immediately after the fault locating is complete. Huawei will not bear any
legal obligations or liabilities for the security events (such as personal data
leaks) that are not caused by Huawei's misconduct.
● Data feedback function (user experience plan) may involve transferring or
processing users' communication contents or personal data. Huawei
Technologies Co., Ltd. alone is unable to transfer or process the content of
users' communications and personal data. It is suggested that you activate
the user data-related functions based on the applicable laws and regulations
in terms of purpose and scope of usage.
● The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS.
Using FTP, TFTP or SFTPv1 has potential security risks. SFTPv2 or FTPS is
recommended.
● Telnet and STelnetv1&v2 can be used to log in to the device. Using Telnet or
STelnetv1 has potential security risks. STelnetv2 is recommended.
● SNMPv1&v2c&v3 can be used to manage network elements. Using
SNMPv1&v2c has potential security risks. SNMPv3 is recommended.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Command Conventions
The command conventions that may be found in this document are defined as
follows.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Update History
Updates between document issues are cumulative. Therefore, the latest document
issue contains all updates made in previous issues.
1.1 Introduction
This section describes the application of firewalls in the campus egress security
solution. Based on the main issues faced by campus security and network access
management requirements of the campus, the section provides two typical
applications that meet most campus network security solution deployment
requirements.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.
The campus network is mainly used for learning and working. Therefore, in
addition to ensuring the security of intranet users and servers, the egress needs to
properly allocate bandwidth resources and implement load balancing for network
traffic to improve the access experience of intranet and extranet users. The main
requirements of the campus network are as follows:
● Load balancing
– The ISP links must be fully used to ensure the network access experience
of intranet users. The campus wants the traffic destined to a specific ISP
network to be preferentially forwarded by the outbound interface
corresponding to the ISP. For example, traffic destined for the education
network is preferentially forwarded by GE 1/0/1, and the traffic destined to
ISP2 network is preferentially forwarded by GE 1/0/5 or GE 1/0/6. The
links to the same ISP network can implement traffic load balancing by
link bandwidth or weight ratio. To improve the forwarding reliability and
prevent packet loss caused by an overburdened link, link backup is
required among the links.
– The ISP links have different transmission quality. The link to the
education network and the links to ISP2 network have high quality and
can forward service traffic that has high requirement on the delay, such
as the traffic of the distance education system. The links to ISP1 network
have poor quality and can forward bandwidth-consuming and small-value
service traffic, such as P2P traffic. Considering the cost, the traffic
destined to the servers of other campuses, network access traffic of users
in the library, and traffic matching default routes are forwarded over the
link to the education network.
– The users on the campus automatically obtain the same DNS server
address. Therefore, the traffic of the users is forwarded over the same ISP
link. The campus wants to make full use of other link resources and
requests to distribute some DNS request packets to other ISP links. Only
changing the outbound interface of packets cannot resolve the issue that
subsequent network access traffic is forwarded over one link. Therefore,
DNS request packets need to be forwarded to the DNS servers of
different ISP networks. Then the resolved addresses belong to different
ISP networks.
– A DNS server is deployed on the campus network to provide domain
name resolution services. When users on different ISP networks access
the campus network, they can use the resolved address that belongs to
the same ISP as the users for access, improving the access quality.
– The traffic destined to the server in the library is heavy, so two
servers are required for traffic load balancing.
● Address translation
– Users on the campus network require public IP addresses to access the
Internet.
– The servers, such as library servers, portal servers, and DNS servers, on
the campus network use public IP addresses to provide services for
intranet and extranet users.
● Security defense
– Assign network devices to different zones based on their locations,
implement security isolation for interzone traffic, and control the
permissions on mutual zone access. For example, allow users on the
campus to access extranet resources, and allow extranet users to access
only a specific port of an intranet server.
– Common DDoS attacks (such as SYN flood attacks) and single-packet
attacks (such as Land attacks) are effectively defended against.
– Network intrusion behaviors are blocked and alerted.
● Bandwidth management and control
Due to limited bandwidth resources, the campus requests to limit the
bandwidth percentage of P2P traffic as well as the bandwidth of each user's
P2P traffic. Common P2P traffic is generated by download software (Thunder,
eMule, BT, Ares, and Vuze), music software (Kugou Music, kugou, and
SoulSeek), or video websites or software (Baidu player, QiYi, and SHPlayer).
● Source tracing and auditing
– To prevent the improper online behavior of users on the campus from
harming the reputation of the campus, perform source tracing for the
improper behavior and reconstruct it. The online
behavior of users on the campus needs to be audited for subsequent
investigation and analysis. The behavior to be audited includes URL
access records, BBS posts and microblogs, HTTP upload and download,
and FTP upload and download.
– Log servers are deployed on the campus. Attack defense and intrusion
detection logs as well as pre-NAT and post-NAT IP addresses can be
viewed on the log servers.
Users on the campus network are in the Trust zone, which has the highest security level. The
users can proactively access all the zones. Servers are also in the Trust zone and
can access only extranets under the control of security policies, but not other
devices in the Trust zone. The security zone is created for each ISP to separately
control the policies between two zones. The devices on each ISP network can
access the server area. In addition, ASPF needs to be enabled to ensure normal
communication between zones through multi-channel protocols, such as FTP.
Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert or block the intrusion
of Botnets, Trojan horses, and worms. To better identify intrusion behavior, the FW
needs to periodically update the intrusion prevention signature database through the
security center (sec.huawei.com).
Link quality detection parameters for intelligent uplink selection:
– Detection interval: 3s
– Detection times: 5
– Quality detection parameters: packet loss ratio, delay, and jitter
– Outbound interfaces involved in intelligent uplink selection: GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
Smart DNS
When a private DNS server exists, the FW that has smart DNS enabled
intelligently replies to DNS requests from different ISPs, so that the server address
obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain
name (www.example.com) and the public IP address 1.1.15.15 assigned by the
education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped
address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user accesses the portal server address, as GE1/0/1
does not have the smart DNS function enabled, the user obtains the public IP
address 1.1.15.15 assigned by the education network as the portal server address.
When an ISP1 user accesses the portal server address, the DNS server replies with a
DNS response message to the user. After the FW's GE1/0/2 receives the message,
the FW replaces the original public IP address 1.1.15.15 assigned by the education
network with the ISP1-assigned address 2.2.15.15. After the user receives the
message, the user communicates with 2.2.15.15. Note that a NAT server mapping
must be configured on the FW to associate the private portal server address
10.1.10.20 with 2.2.15.15. In this manner, ISP1 users can use 2.2.15.15 to
communicate with the portal server.
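The smart DNS rewrite described above, as an added Python example that is not part of this document or of the FW software: it builds a constructed DNS A-record response for www.example.com, then rewrites the answer the way dns-smart group 1 and group 2 do for a given outbound interface, leaving it untouched on GE1/0/1, where no mapping exists. The DNS message, the interface names and the group table are constructed for this example.

```python
import ipaddress
import struct

# Smart DNS groups as configured on the page (dns-smart group 1 and 2): each
# real server address and the public address to substitute per outbound interface.
# The group table below is constructed for this example.
SMART_DNS_GROUPS = [
    {"real_server_ip": "1.1.15.15",
     "map": {"GigabitEthernet1/0/2": "2.2.15.15", "GigabitEthernet1/0/3": "2.2.16.16",
             "GigabitEthernet1/0/4": "2.2.17.17", "GigabitEthernet1/0/5": "3.3.15.15",
             "GigabitEthernet1/0/6": "3.3.16.16"}},
    {"real_server_ip": "1.1.101.101",
     "map": {"GigabitEthernet1/0/2": "2.2.102.102", "GigabitEthernet1/0/3": "2.2.103.103",
             "GigabitEthernet1/0/4": "2.2.104.104", "GigabitEthernet1/0/5": "3.3.102.102",
             "GigabitEthernet1/0/6": "3.3.103.103"}},
]


def build_response(qname: str, ip: str, flags: int = 0x8180, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS message with one A answer (test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer, A, IN, TTL, RDLENGTH
    return header + question + answer + ipaddress.IPv4Address(ip).packed


def _skip_name(msg, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + length


def _a_rdata_offsets(msg):
    """Yield the RDATA offset of every A record in the answer section of a response."""
    flags, qdcount, ancount = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000:
        return                           # a query carries nothing to rewrite
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(msg: bytes) -> list:
    """Addresses in the A answers, used to inspect a message before and after rewriting."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in _a_rdata_offsets(msg)]


def smart_dns_rewrite(msg: bytes, out_interface: str, groups=SMART_DNS_GROUPS):
    """Rewrite a DNS response the way smart DNS does on one outbound interface.

    Only an answer equal to a group's real-server-ip is replaced, and only when the
    interface has a mapping in that group; GE1/0/1 has none, so education-network
    users keep 1.1.15.15. Returns (message, list of (old, new) substitutions).
    """
    buf = bytearray(msg)
    changes = []
    for off in _a_rdata_offsets(buf):
        old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        for group in groups:
            if old == group["real_server_ip"] and out_interface in group["map"]:
                new = group["map"][out_interface]
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed  # same length, offsets stay valid
                changes.append((old, new))
                break
    return bytes(buf), changes


if __name__ == "__main__":
    reply = build_response("www.example.com", "1.1.15.15")
    for iface in ("GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/5"):
        rewritten, changes = smart_dns_rewrite(reply, iface)
        print(iface, answer_ips(rewritten), changes)
```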
NAT
● NAT Server
To ensure the users on each ISP network can access intranet servers, the NAT
server function is required on the FW to translate the private addresses of
servers into public IP addresses.
Portal server
– Private IP address: 10.1.10.20
– Public IP addresses:
– For the education network: 1.1.15.15
– For ISP1 network: 2.2.15.15, 2.2.16.16, and 2.2.17.17
– For ISP2 network: 3.3.15.15 and 3.3.16.16
The NAT server can map multiple public IP addresses to the same private IP
address based on the security zone.
● Source NAT
To enable a large number of intranet users to make full use of limited public
IP addresses for access, source NAT needs to be configured on the FW to
translate the private IP addresses in packets into public IP addresses.
● NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel
protocol, such as FTP, the NAT ALG function of the protocol needs to be
enabled to ensure correct address translation for the multichannel protocol
packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are
enabled.
Attack Defense
Attack defense can detect multiple types of network attacks, such as DDoS attack
and single-packet attacks. This function protects the intranet against malicious
attacks.
Anti-DDoS
● DDoS attack type: SYN Flood
● Interfaces: GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
● Alarm-threshold rate: 24000
For the above flood attacks, the recommended maximum packet rate for GE
interfaces is 16,000 pps. In this case, the interfaces are all GE interfaces. The
final interface threshold is 24000 pps, which is the test result. Configure a large
threshold and adjust it according to the test until it falls into the normal
range. A suitable threshold helps defend against attacks without affecting
normal services.
Audit Policy
The FW supports the audit function to record the Internet access behavior defined
in the audit policy for future audit and analysis.
Bandwidth Management
As P2P traffic uses a lot of bandwidth resources, the campus requests to limit the
bandwidth used by P2P traffic over each ISP1 link and implement bandwidth
limiting for P2P traffic per IP address. Bandwidth management can implement
global/per-IP/per-user traffic limiting for a specific type of traffic.
Log Server
The log server can collect, query, and display logs. After the FW is used together
with the log server, you can view the session logs (sent by the FW) on the log
server, including session logs before and after NAT. With these logs, you can view
NAT-related address information. On the log server, you can also view the IPS and
attack defense logs sent by the FW. With these logs, you can query attacks and
intrusions on the network.
NAT tracing
Enable Record Session Log for the following security policies:
● user_inside
● user_outside
NAT tracing allows you to view pre-NAT and post-NAT address information.
After the session log function is enabled in the security policy view, the FW
sends the logs on the sessions matching the security policy to the log host.
You can view the log information through the log server to which the log host
is connected. Some session logs include pre-NAT and post-NAT address
information.
1.3.3 Precautions
● Whether the ISP address set includes all required IP addresses affects the
implementation of intelligent uplink selection and smart DNS. Therefore,
update the ISP address database regularly from the security center platform
(isecurity.huawei.com).
● In a multi-egress scenario, PBR intelligent uplink selection cannot be used
together with the IP spoofing attack defense or Unicast Reverse Path
Forwarding (URPF) function. If the IP spoofing attack defense or URPF
function is enabled, the FW may discard packets.
● A license is required to use smart DNS. In addition, smart DNS is available
only after required components are loaded through the dynamic loading
function.
● The virtual server IP address used in server load balancing cannot be the
same as any of the following ones:
– Public IP address of the NAT server (global IP address)
– IP addresses in the NAT address pool
– Gateway IP address
– Interface IP addresses of the FW
● The real server IP address used in server load balancing cannot be the same
as any of the following ones:
– Virtual server IP address
– Public IP address of the NAT server (global IP address)
– Internal server IP address of the NAT server (inside IP)
● After you configure server load balancing, configure IP addresses for real
servers, but not the IP address of the virtual server, when configuring security
policies and the routing function.
● After you configure the NAT address pool and NAT server, configure
black-hole routes to addresses in the address pool and the public address of
the NAT server to prevent routing loops.
● Only the audit administrator can configure the audit function and view audit
logs.
● You can view and export audit logs on the web UI only from the device that
has an available disk installed.
● On networks with different forward and return packet paths, the audit log
contents may be incomplete.
1. A license is available for updating the signature database, and the license is
activated on the device.
2. The device can access the update server directly or through a proxy server. In
this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30
3. Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30
Step 3 Configure IP-link to detect whether the status of each ISP link is normal.
The IP-link configuration commands on the USG6000 and USG9500 are different. The
USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit
[FW] dns-transparent-policy
[FW-policy-dns] dns transparent-proxy enable
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/1 preferred 1.1.22.22 alternate 1.1.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/2 preferred 2.2.22.22 alternate 2.2.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/3 preferred 2.2.24.24 alternate 2.2.25.25
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/4 preferred 2.2.26.26 alternate 2.2.27.27
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/5 preferred 3.3.22.22 alternate 3.3.23.23
[FW-policy-dns] dns server bind interface GigabitEthernet 1/0/6 preferred 3.3.24.24 alternate 3.3.25.25
# Configure PBR intelligent uplink selection to load balance DNS request packets to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit
Ensure that the FW has the route configuration that guides the transmission of the traffic generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems sub-category Enterprise_Application
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.
Ensure that the FW has the route configuration that guides P2P traffic transmission even if PBR is unavailable.
[FW] policy-based-route
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit
2. Prefer ISP1 links to forward traffic destined for an address in the address set
of ISP1 network.
[FW-policy-pbr] rule name pbr_isp1
[FW-policy-pbr-rule-pbr_isp1] source-zone trust
[FW-policy-pbr-rule-pbr_isp1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp1] destination-address isp isp1_address
[FW-policy-pbr-rule-pbr_isp1] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp1-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/2 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/3 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/4 priority 8
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/5 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] add interface GigabitEthernet 1/0/6 priority 1
[FW-policy-pbr-rule-pbr_isp1-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp1] quit
3. Prefer ISP2 links to forward traffic destined for an address in the address set
of ISP2 network.
[FW-policy-pbr] rule name pbr_isp2
[FW-policy-pbr-rule-pbr_isp2] source-zone trust
[FW-policy-pbr-rule-pbr_isp2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_isp2] destination-address isp isp2_address
[FW-policy-pbr-rule-pbr_isp2] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_isp2-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/1 priority 5
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/2 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/3 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/4 priority 1
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/5 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] add interface GigabitEthernet 1/0/6 priority 8
[FW-policy-pbr-rule-pbr_isp2-multi-inter] quit
[FW-policy-pbr-rule-pbr_isp2] quit
# Select the link with the highest quality through PBR pbr_rest to forward the traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
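The three PBR rules above (pbr_isp1, pbr_isp2 and pbr_rest), as an added Python model that is not code from this document or from the FW: it matches a flow against the rules in order, then picks an egress interface by user-defined priority or by link quality, skipping interfaces whose IP-link detection reports them down, so the link backup the campus asks for falls out of the priority tiers. The ISP prefixes, link states and quality measurements are constructed assumptions, and the quality score (sum of loss, delay and jitter) is chosen for illustration, not the FW's algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ISP address sets: constructed sample prefixes standing in for the ISP address
# database the FW loads (isp1_address / isp2_address on the page).
ISP_ADDRESS_SETS = {
    "isp1_address": [ipaddress.ip_network("2.2.0.0/16")],
    "isp2_address": [ipaddress.ip_network("3.3.0.0/16")],
}

# Constructed IP-link results: True means the link's probe target answered.
LINK_UP = {f"GigabitEthernet1/0/{n}": True for n in range(1, 7)}

# Constructed probe results (loss %, delay ms, jitter ms), the three parameters
# that priority-of-link-quality measures on the page. Lower is better.
LINK_QUALITY = {
    "GigabitEthernet1/0/1": (0.0, 8.0, 1.0),
    "GigabitEthernet1/0/2": (2.0, 40.0, 9.0),
    "GigabitEthernet1/0/3": (3.0, 45.0, 10.0),
    "GigabitEthernet1/0/4": (1.5, 38.0, 8.0),
    "GigabitEthernet1/0/5": (0.0, 15.0, 2.0),
    "GigabitEthernet1/0/6": (0.1, 16.0, 2.5),
}


@dataclass
class PbrRule:
    name: str
    source_zone: str
    source_prefix: str                  # source-address on the page
    destination_isp: Optional[str]      # destination-address isp <set>, or None
    mode: str                           # multi-interface mode
    interfaces: Dict[str, int]          # interface -> priority (0 when the mode ignores it)


# The priorities are the ones configured on the page: a larger value is preferred.
RULES = [
    PbrRule("pbr_isp1", "trust", "10.1.0.0/16", "isp1_address", "priority-of-userdefine",
            {"GigabitEthernet1/0/1": 5, "GigabitEthernet1/0/2": 8, "GigabitEthernet1/0/3": 8,
             "GigabitEthernet1/0/4": 8, "GigabitEthernet1/0/5": 1, "GigabitEthernet1/0/6": 1}),
    PbrRule("pbr_isp2", "trust", "10.1.0.0/16", "isp2_address", "priority-of-userdefine",
            {"GigabitEthernet1/0/1": 5, "GigabitEthernet1/0/2": 1, "GigabitEthernet1/0/3": 1,
             "GigabitEthernet1/0/4": 1, "GigabitEthernet1/0/5": 8, "GigabitEthernet1/0/6": 8}),
    PbrRule("pbr_rest", "trust", "10.1.0.0/16", None, "priority-of-link-quality",
            {f"GigabitEthernet1/0/{n}": 0 for n in range(1, 7)}),
]


def rule_matches(rule: PbrRule, src_zone: str, src_ip: str, dst_ip: str) -> bool:
    """Match conditions the way a PBR rule does: zone, source prefix, ISP address set."""
    if src_zone != rule.source_zone:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source_prefix):
        return False
    if rule.destination_isp is None:
        return True
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in ISP_ADDRESS_SETS[rule.destination_isp])


def select_egress(rule: PbrRule, link_up: Dict[str, bool], quality: Dict[str, tuple],
                  flow_hash: int = 0) -> Optional[str]:
    """Pick an outbound interface among the rule's live links.

    priority-of-userdefine: the highest priority wins; links sharing that priority
    share the load (a flow hash picks among them). When every preferred link is
    down, the next priority tier takes over, which is the link backup the page asks for.
    priority-of-link-quality: the lowest combined loss/delay/jitter score wins.
    """
    live = [i for i in rule.interfaces if link_up.get(i, False)]
    if not live:
        return None                     # PBR yields to the routing table
    if rule.mode == "priority-of-userdefine":
        best = max(rule.interfaces[i] for i in live)
        tier = [i for i in live if rule.interfaces[i] == best]
        return tier[flow_hash % len(tier)]
    if rule.mode == "priority-of-link-quality":
        return min(live, key=lambda i: sum(quality[i]))   # constructed scoring
    raise ValueError(f"mode {rule.mode} is not modelled here")


def route(src_zone: str, src_ip: str, dst_ip: str, link_up=LINK_UP,
          quality=LINK_QUALITY, flow_hash: int = 0) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched rule name, egress interface); (None, None) means no PBR rule applied."""
    for rule in RULES:
        if rule_matches(rule, src_zone, src_ip, dst_ip):
            return rule.name, select_egress(rule, link_up, quality, flow_hash)
    return None, None


if __name__ == "__main__":
    print(route("trust", "10.1.20.7", "2.2.99.1"))                  # pbr_isp1 -> an ISP1 link
    isp1_down = {**LINK_UP, "GigabitEthernet1/0/2": False,
                 "GigabitEthernet1/0/3": False, "GigabitEthernet1/0/4": False}
    print(route("trust", "10.1.20.7", "2.2.99.1", link_up=isp1_down))  # backup: GE1/0/1
    print(route("trust", "10.1.20.7", "198.51.100.9"))              # pbr_rest -> best quality
```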
[FW] slb
[FW-slb] group 1 grp1
[FW-slb-group-1] metric roundrobin
# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/2 map 2.2.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/3 map 2.2.16.16
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/4 map 2.2.17.17
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/5 map 3.3.15.15
[FW-dns-smart-group-1] out-interface GigabitEthernet 1/0/6 map 3.3.16.16
[FW-dns-smart-group-1] quit
[FW] dns-smart group 2 type single
[FW-dns-smart-group-2] real-server-ip 1.1.101.101
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/2 map 2.2.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/3 map 2.2.103.103
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/4 map 2.2.104.104
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/5 map 3.3.102.102
[FW-dns-smart-group-2] out-interface GigabitEthernet 1/0/6 map 3.3.103.103
[FW-dns-smart-group-2] quit
Step 9 Configure the security zone-based NAT server function so that users on different ISP networks can use corresponding public IP addresses to access intranet servers.
# Configure a black-hole route to the public address of the NAT server to prevent routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0
# Configure the intrazone NAT, so that users can access the intranet server through the public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP1 network. The address in the address pool is the public address of ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP2 network. The address in the address pool is the public address of ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
[FW-address-group-isp2_nat_address_pool2] section 0 3.3.2.1 3.3.2.3
[FW-address-group-isp2_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy2
[FW-policy-nat-rule-isp2_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy2] destination-zone isp2_zone2
[FW-policy-nat-rule-isp2_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy2] action source-nat address-group isp2_nat_address_pool2
[FW-policy-nat-rule-isp2_nat_policy2] quit
[FW-policy-nat] quit
Step 11 Configure NAT ALG between the Trust zone and other security zones. In this example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-ip both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-ip both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-ip both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
[FW-policy-traffic-rule-isp1_p2p_03] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_03] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_03] action qos profile isp1_p2p_profile_03
[FW-policy-traffic-rule-isp1_p2p_03] quit
[FW-policy-traffic] quit
Step 15 Configure system log sending and NAT tracing to view logs on the eSight.
# Configure the function of sending system logs to a log host at 10.1.10.30 (in this
example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30
Step 16 Configure SNMP and ensure that the SNMP parameters on the eSight are
consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123
After completing the configuration on the eSight, choose Log Analysis > Session
Analysis > IPv4 Session Query to view session logs.
----End
1.3.5 Verification
1. When users on the campus access the extranet, the traffic destined to the
education network is forwarded by GE1/0/1, the traffic destined to ISP1
network is forwarded by GE1/0/2, and the traffic destined to ISP2 network is
forwarded by GE1/0/3.
2. The traffic destined to servers of other campuses and the network access
traffic of users in the library are forwarded by GE1/0/1.
3. Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update
information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 10:51:45 2015/05/20
Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
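The two verification outputs above (display update configuration and display version ips-sdb) can be checked by script rather than by eye. The following is an added example, not Huawei's code: it parses the output shown in the verification steps (copied here, abridged) and reports whether the Step 2 schedule (IPS-SDB and SA-SDB, daily at 02:30) is in place and whether the loaded IPS signature file is older than a limit; the reference date and the 30-day limit are constructed.

```python
"""Added example, not Huawei's code: parse 'display update configuration' and
'display version ips-sdb' output and turn it into findings, so the Step 2
schedule and the age of the loaded signature file can be checked by script.
The sample output is copied (abridged) from the page; the reference date
and the 30-day staleness limit are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

UPDATE_CONFIG_OUTPUT = """\
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
"""

IPS_SDB_OUTPUT = """\
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
"""

KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
TS_FMT = "%H:%M:%S %Y/%m/%d"


def parse_sections(output: str) -> Dict[str, Dict[str, str]]:
    """Group 'Key : Value' lines under the nearest preceding 'Header:' line.
    Lines before any header land in the '' section; ruler lines are ignored.
    A header has no ' :' in it, which separates 'IPS-SDB:' from an empty
    value such as 'Signature Database Version :'."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = sections[""]
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("-"):
            continue
        if stripped.endswith(":") and " :" not in stripped:
            current = sections.setdefault(stripped[:-1], {})
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return sections


def check_signature_updates(update_cfg: str, ips_sdb: str, now: datetime,
                            max_age_days: int = 30) -> List[str]:
    """Return findings; an empty list means the device matches Step 2 and the
    current IPS signature file is no older than max_age_days."""
    findings: List[str] = []
    cfg = parse_sections(update_cfg)
    for sdb in ("IPS-SDB", "SA-SDB"):                 # the two enabled in Step 2
        sec = cfg.get(sdb, {})
        if sec.get("Schedule Update") != "Enable":
            findings.append(f"{sdb}: scheduled update not enabled")
        elif (sec.get("Schedule Update Frequency"),
              sec.get("Schedule Update Time")) != ("Daily", "02:30"):
            findings.append(f"{sdb}: schedule differs from daily 02:30")
    current = parse_sections(ips_sdb).get("Current Version", {})
    if not current.get("Signature Database Version"):
        findings.append("IPS-SDB: no signature database loaded")
    else:
        issued = datetime.strptime(current["Issue Time of the Update File"], TS_FMT)
        age = (now - issued).days
        if age > max_age_days:
            findings.append(f"IPS-SDB: signature file issued {age} days ago")
    return findings


if __name__ == "__main__":
    # Constructed reference date, one day after the 'Update Time' in the output.
    for finding in check_signature_updates(UPDATE_CONFIG_OUTPUT, IPS_SDB_OUTPUT,
                                           datetime(2015, 5, 28, 18, 0)):
        print(finding)
```

With the page's own output the schedule check passes, but the signature file issued on 2015/04/15 is reported as stale against the constructed reference date, which is the kind of drift a scheduled update that silently fails would produce.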
access network resources through the BRAS, users must be authenticated by the
RADIUS server. According to the existing organization structure, the administrator
can create users/user groups or use a file to import users/user groups in batches
on the FW and then control the access behavior of the users/user groups through
policies. To improve the reliability of the network egress, the campus leases 1G
links from ISP1 and ISP2 and 10G links from the education network.
The campus network is mainly used for learning and working. Therefore, in
addition to ensuring the security of intranet users and servers, the egress needs to
properly allocate bandwidth resources and implement load balancing for network
traffic to improve the access experience of intranet and extranet users. The main
requirements of the campus network are as follows:
● User and authentication
– Users access the Internet through the BRAS after being authenticated by
the RADIUS server. Users do not need to be authenticated by the FW
after being authenticated by the RADIUS server.
– The Internet access users on the campus are classified into teachers, users
who access the Internet from the library, users who access the Internet
from the public area, users with monthly package of 20 Yuan, and users
Intrusion Prevention
Intrusion prevention needs to be enabled on the FW to alert on or block intrusions
by botnets, Trojan horses, and worms. To better identify intrusion behavior, the FW
needs to periodically update the intrusion prevention signature database through
the security center (sec.huawei.com).
– Outbound interfaces involved in intelligent uplink selection: GE1/0/1, GE1/0/2,
GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
Smart DNS
When a private DNS server exists, the FW that has smart DNS enabled
intelligently replies to DNS requests from different ISPs, so that the server address
obtained by a user is in the same ISP network as the user.
For example, a school has a DNS server, which stores the portal server domain
name (www.example.com) and the public IP address 1.1.15.15 assigned by the
education network. Smart DNS is enabled on the FW's GE1/0/2. The mapped
address is the ISP1-assigned public IP address 2.2.15.15.
When an education network user accesses the portal server address, as GE1/0/1
does not have the smart DNS function enabled, the user obtains the public IP
address 1.1.15.15 assigned by the education network as the portal server address.
When an ISP1 user accesses the portal server address, the DNS server replies with a
DNS response message to the user. After the FW's GE1/0/2 receives the message,
the FW replaces the original public IP address 1.1.15.15 assigned by the education
network with the ISP1-assigned address 2.2.15.15. After the user receives the
message, he or she communicates with 2.2.15.15. A NAT server mapping must also
be configured on the FW to associate the private portal server address
10.1.10.20 with 2.2.15.15, so that ISP1 users can use 2.2.15.15 to
communicate with the portal server.
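The rewrite described above, as an added example that is not Huawei's code: a DNS response carrying the education-network address 1.1.15.15 for www.example.com is rewritten to the ISP1 address 2.2.15.15 only when it is forwarded via GE1/0/2, where smart DNS is enabled, and passes GE1/0/1 unchanged. The packet is a constructed sample built and parsed with the standard library; the interface-to-mapping table is this model's own representation of the smart DNS group.

```python
"""Added example, not Huawei's code: a minimal model of the smart DNS rewrite.
Only A records in a response are touched, and only on the interface that has
smart DNS enabled. The DNS packet is a constructed sample."""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Smart DNS mapping per egress interface: real server address -> ISP address.
# Only GE1/0/2 is configured in the scenario, so GE1/0/1 is deliberately absent.
# The rewritten address must also have a NAT server entry (2.2.15.15 -> 10.1.10.20).
SMART_DNS_MAP: Dict[str, Dict[str, str]] = {
    "GigabitEthernet 1/0/2": {"1.1.15.15": "2.2.15.15"},
}


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_a_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS response with one A record for name -> ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE A, IN
    # Answer name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a label sequence or a compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def iter_answers(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rdata_offset, rtype, rclass, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """Addresses of all IN A records in the answer section."""
    return [socket.inet_ntoa(pkt[o:o + 4])
            for o, t, c, n in iter_answers(pkt) if (t, c, n) == (1, 1, 4)]


def smart_dns_rewrite(pkt: bytes, egress_if: str) -> bytes:
    """Apply the egress interface's smart DNS mapping to A records in a response.
    Queries, other interfaces and unmapped addresses are left untouched."""
    mapping = SMART_DNS_MAP.get(egress_if)
    flags = struct.unpack("!H", pkt[2:4])[0]
    if not mapping or not flags & 0x8000:
        return pkt
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in iter_answers(pkt):
        if (rtype, rclass, rdlen) == (1, 1, 4):
            real_ip = socket.inet_ntoa(pkt[off:off + 4])
            if real_ip in mapping:       # same length, so offsets stay valid
                out[off:off + 4] = socket.inet_aton(mapping[real_ip])
    return bytes(out)


if __name__ == "__main__":
    reply = build_a_response("www.example.com", "1.1.15.15")
    for ifname in ("GigabitEthernet 1/0/1", "GigabitEthernet 1/0/2"):
        print(ifname, "->", a_records(smart_dns_rewrite(reply, ifname)))
```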
NAT
● NAT Server
To ensure the users on each ISP network can access intranet servers, the NAT
server function is required on the FW to translate the private addresses of
servers into public IP addresses.
● Portal server
– Private IP address: 10.1.10.20
– Public IP address:
– For the education network: 1.1.15.15
– For ISP1 network: 2.2.15.15, 2.2.16.16, and 2.2.17.17
– For ISP2 network: 3.3.15.15 and 3.3.16.16
The NAT server can map multiple public IP addresses to the same private IP
address based on the security zone.
● Source NAT
To enable a large number of intranet users to make full use of limited public
IP addresses for access, source NAT needs to be configured on the FW to
translate the private IP addresses in packets into public IP addresses.
● NAT ALG
If the FW that has NAT enabled needs to forward packets of a multichannel
protocol, such as FTP, the NAT ALG function of the protocol needs to be
enabled to ensure correct address translation for the multichannel protocol
packets. In this case, the NAT ALG functions of FTP, QQ, and RTSP are
enabled.
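Why a multichannel protocol needs an ALG once source NAT is on, as an added example that is not Huawei's code: an intranet client behind PAT opens an active-mode FTP session and announces its private address in the PORT command, so without an ALG the server would try to connect back to a 10.1.x.x address. The model below rewrites the command to the translated address and records the expected data connection, the idea behind the FW's server-map; the public address is taken from isp1_nat_address_pool1, while the client endpoint and the port allocator are constructed.

```python
"""Added example, not Huawei's code: a minimal FTP ALG for the client-to-server
direction of a PAT'd session. Rewrites the PORT command and records a
server-map style entry for the server's inbound data connection."""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
Endpoint = Tuple[str, int]


def parse_port_cmd(line: str) -> Endpoint:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_cmd(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command wire format."""
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    """Tracks one PAT public address and the pinholes opened by PORT commands."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip            # from isp1_nat_address_pool1
        self.next_port = first_port           # constructed allocator
        self.server_map: Dict[Endpoint, Endpoint] = {}   # public -> private

    def translate_outbound(self, line: str) -> str:
        """Rewrite an outbound PORT command; other control lines pass through."""
        if not line.startswith("PORT "):
            return line
        private = parse_port_cmd(line)
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.server_map[public] = private     # pinhole for the data channel
        return format_port_cmd(*public)

    def inbound_data_target(self, dst: Endpoint) -> Optional[Endpoint]:
        """Where the server's inbound data connection is forwarded, or None
        (dropped) when no ALG entry exists for that public endpoint."""
        return self.server_map.get(dst)


if __name__ == "__main__":
    alg = FtpAlg("2.2.5.1")
    print(alg.translate_outbound("PORT 10,1,2,3,19,137\r\n").strip())
    print(alg.inbound_data_target(("2.2.5.1", 1024)))
```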
Attack Defense
Attack defense can detect multiple types of network attacks, such as DDoS attack
and single-packet attacks. This function protects the intranet against malicious
attacks.
● Anti-DDoS
– DDoS attack type: SYN Flood
– Interface: GE1/0/2, GE1/0/3, GE1/0/4, GE1/0/5, and GE1/0/6
– Alarm-threshold rate: 24000
For the above flood attacks, the recommended maximum packet rate for GE attacks
is 16,000 pps. In this case, the interfaces are all GE interfaces. The final
interface threshold is 24000 pps, which is the test result. Configure a large
threshold and adjust it according to the test until it falls into the normal
range. A suitable threshold helps defend against attacks without affecting
normal services.
Audit Policy
The FW supports the audit function to record the Internet access behavior defined
in the audit policy for future audit and analysis.
Bandwidth Management
As P2P traffic uses a lot of bandwidth resources, the campus requests to limit the
bandwidth used by P2P traffic over each ISP1 link and implement bandwidth
limiting for P2P traffic per IP address. Bandwidth management can implement
global/per-IP/per-user traffic limiting for a specific type of traffic.
● NAT tracing
– Enable Record Session Log for the following security policies:
– user_inside
– user_outside
NAT tracing allows you to view pre-NAT and post-NAT address information. After
the session log function is enabled in the security policy view, the NGFW sends
the logs on the sessions matching the security policy to the log host. You can
view the log information through the log server to which the log host is
connected. Some session logs include pre-NAT and post-NAT address information.
1.4.3 Precautions
● Whether the ISP address set includes all required IP addresses affects the
implementation of intelligent uplink selection and smart DNS. Therefore,
update the ISP address database regularly from the security center platform
(isecurity.huawei.com).
● In a multi-egress scenario, PBR intelligent uplink selection cannot be used
together with the IP spoofing attack defense or Unicast Reverse Path
Forwarding (URPF) function. If the IP spoofing attack defense or URPF
function is enabled, the FW may discard packets.
A license is available for updating the signature database, and the license is activated on
the device.
2. The device can access the update server directly or through a proxy server. In
this example, the device can directly access the update server.
[FW] dns resolve
[FW] dns server 10.1.10.30
3. Configure the scheduled update function and set the scheduled update time.
[FW] update schedule ips-sdb enable
[FW] update schedule sa-sdb enable
[FW] update schedule ips-sdb daily 02:30
[FW] update schedule sa-sdb daily 02:30
Step 3 Configure IP-link to detect whether the status of each ISP is normal.
The IP-link configuration commands on the USG6000 and USG9500 are different. The
USG6000 is used in this example for illustration.
[FW] ip-link check enable
[FW] ip-link name edu_ip_link
[FW-iplink-edu_ip_link] destination 1.1.1.2 interface GigabitEthernet 1/0/1 mode icmp
[FW-iplink-edu_ip_link] quit
[FW] ip-link name isp1_ip_link
[FW-iplink-isp1_ip_link] destination 2.2.2.2 interface GigabitEthernet 1/0/2 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.3.2 interface GigabitEthernet 1/0/3 mode icmp
[FW-iplink-isp1_ip_link] destination 2.2.4.2 interface GigabitEthernet 1/0/4 mode icmp
[FW-iplink-isp1_ip_link] quit
[FW] ip-link name isp2_ip_link
[FW-iplink-isp2_ip_link] destination 3.3.3.2 interface GigabitEthernet 1/0/5 mode icmp
[FW-iplink-isp2_ip_link] destination 3.3.4.2 interface GigabitEthernet 1/0/6 mode icmp
[FW-iplink-isp2_ip_link] quit
Contact the network administrator for routes other than those required in this
example.
# Configure a static route whose destination address belongs to the network
segment of the intranet and next-hop address is the address of the intranet switch
so that extranet traffic can reach the intranet.
[FW] ip route-static 10.1.0.0 255.255.0.0 10.2.0.2
# Configure PBR intelligent uplink selection to load balance DNS request packets
to each link.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_dns_trans
[FW-policy-pbr-rule-pbr_dns_trans] source-zone trust
[FW-policy-pbr-rule-pbr_dns_trans] service dns dns-tcp
[FW-policy-pbr-rule-pbr_dns_trans] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_dns_trans-multi-inter] quit
[FW-policy-pbr-rule-pbr_dns_trans] quit
[FW-policy-pbr] quit
Ensure that the FW has the route configuration that guides the transmission of the traffic
generated by the distance education system even if PBR is unavailable.
[FW] sa
[FW-sa] user-defined-application name UD_dis_edu_sys_app
[FW-sa-user-defined-app-UD_dis_edu_sys_app] category Business_Systems
[FW-sa-user-defined-app-UD_dis_edu_sys_app] data-model client-server
[FW-sa-user-defined-app-UD_dis_edu_sys_app] label Encrypted-Communications Business-Applications
[FW-sa-user-defined-app-UD_dis_edu_sys_app] rule name 1
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] ip-address 2.2.50.50 32
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] port 5000
[FW-sa-user-defined-app-UD_dis_edu_sys_app-rule-1] quit
[FW-sa-user-defined-app-UD_dis_edu_sys_app] quit
[FW-sa] quit
[FW] policy-based-route
[FW-policy-pbr] rule name dis_edu_sys
[FW-policy-pbr-rule-dis_edu_sys] source-zone trust
[FW-policy-pbr-rule-dis_edu_sys] application app UD_dis_edu_sys_app
[FW-policy-pbr-rule-dis_edu_sys] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-dis_edu_sys-multi-inter] quit
[FW-policy-pbr-rule-dis_edu_sys] quit
# Configure PBR intelligent uplink selection to forward P2P traffic over ISP1 links.
Ensure that the FW has the route configuration that guides P2P traffic transmission even if
PBR is unavailable.
[FW-policy-pbr] rule name p2p_traffic
[FW-policy-pbr-rule-p2p_traffic] source-zone trust
[FW-policy-pbr-rule-p2p_traffic] application category Entertainment sub-category PeerCasting
[FW-policy-pbr-rule-p2p_traffic] application category General_Internet sub-category FileShare_P2P
[FW-policy-pbr-rule-p2p_traffic] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-p2p_traffic-multi-inter] mode proportion-of-bandwidth
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-p2p_traffic-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-p2p_traffic-multi-inter] quit
[FW-policy-pbr-rule-p2p_traffic] quit
# Configure the traffic of users who access network resources from the public area
to be preferentially forwarded over the link to the education network.
[FW-policy-pbr] rule name pbr_public_user
[FW-policy-pbr-rule-pbr_public_user] source-zone trust
[FW-policy-pbr-rule-pbr_public_user] user user-group /default/public_user
[FW-policy-pbr-rule-pbr_public_user] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_public_user-multi-inter] mode priority-of-userdefine
[FW-policy-pbr-rule-pbr_public_user-multi-inter] add interface GigabitEthernet 1/0/1 priority 8
# Select the link with the highest quality through PBR pbr_rest to forward the
traffic that does not match any ISP address set.
[FW-policy-pbr] rule name pbr_rest
[FW-policy-pbr-rule-pbr_rest] source-zone trust
[FW-policy-pbr-rule-pbr_rest] source-address 10.1.0.0 16
[FW-policy-pbr-rule-pbr_rest] action pbr egress-interface multi-interface
[FW-policy-pbr-rule-pbr_rest-multi-inter] mode priority-of-link-quality
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/2
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/5
[FW-policy-pbr-rule-pbr_rest-multi-inter] add interface GigabitEthernet 1/0/6
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality protocol tcp-simple
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW-policy-pbr-rule-pbr_rest-multi-inter] priority-of-link-quality interval 3 times 5
[FW-policy-pbr-rule-pbr_rest-multi-inter] quit
[FW-policy-pbr-rule-pbr_rest] quit
[FW-policy-pbr] quit
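The two multi-interface modes used by the rules above, as an added example that is not Huawei's code: proportion-of-bandwidth (pbr_dns_trans) spreads new sessions across the six uplinks in proportion to their capacity, and priority-of-link-quality (pbr_rest) picks the interface with the best probe results from the configured 5 probes at 3-second intervals. Link capacities follow the requirements (10G education, 1G per ISP link); the probe results are constructed, and since the page does not say how the FW weighs delay, jitter and loss against each other, the ordering used here (loss first, then delay, then jitter) is an assumption of this model.

```python
"""Added example, not Huawei's code: a model of the two multi-interface egress
modes used by the PBR rules (proportion-of-bandwidth and
priority-of-link-quality) on constructed probe data."""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# From 'priority-of-link-quality interval 3 times 5': probe every 3 s, 5 times.
PROBE_INTERVAL_S = 3
PROBE_TIMES = 5

# Assumed uplink capacities in Mbit/s for the six interfaces of pbr_dns_trans.
BANDWIDTH_MBPS: Dict[str, int] = {
    "GigabitEthernet 1/0/1": 10000,   # education network
    "GigabitEthernet 1/0/2": 1000,    # ISP1
    "GigabitEthernet 1/0/3": 1000,    # ISP1
    "GigabitEthernet 1/0/4": 1000,    # ISP1
    "GigabitEthernet 1/0/5": 1000,    # ISP2
    "GigabitEthernet 1/0/6": 1000,    # ISP2
}

# Constructed tcp-simple probe results: one RTT in ms per probe, None = timeout.
PROBES: Dict[str, List[Optional[float]]] = {
    "GigabitEthernet 1/0/1": [2.0, None, 2.0, 2.2, 2.1],   # one probe lost
    "GigabitEthernet 1/0/2": [8.0, 9.0, 8.0, None, 8.0],
    "GigabitEthernet 1/0/3": [5.0, 5.5, 5.1, 5.2, 5.0],    # clean, low delay
    "GigabitEthernet 1/0/4": [4.0, 30.0, 4.0, 40.0, 4.0],  # high jitter
    "GigabitEthernet 1/0/5": [None] * PROBE_TIMES,         # IP-link down
    "GigabitEthernet 1/0/6": [6.0, 6.1, 6.0, 6.2, 6.0],
}


def link_quality(probes_ms: List[Optional[float]]) -> Tuple[float, float, float]:
    """Summarise one probe round as (loss, delay, jitter); lower is better."""
    if len(probes_ms) != PROBE_TIMES:
        raise ValueError(f"expected {PROBE_TIMES} probes, got {len(probes_ms)}")
    replies = [p for p in probes_ms if p is not None]
    loss = 1.0 - len(replies) / len(probes_ms)
    if not replies:                        # every probe timed out
        return (1.0, float("inf"), float("inf"))
    jitter = pstdev(replies) if len(replies) > 1 else 0.0
    return (loss, mean(replies), jitter)


def best_link_by_quality(probe_sets: Dict[str, List[Optional[float]]]) -> Optional[str]:
    """priority-of-link-quality: the interface with the best (loss, delay,
    jitter) tuple. Links that lost every probe are skipped, as IP-link would
    mark them down; ties keep the 'add interface' order of the rule."""
    ranked = [(link_quality(p), name) for name, p in probe_sets.items()]
    ranked = [(q, name) for q, name in ranked if q[0] < 1.0]
    if not ranked:
        return None
    ranked.sort(key=lambda item: item[0])  # stable sort keeps dict order on ties
    return ranked[0][1]


def distribute_by_bandwidth(session_count: int,
                            bandwidth_mbps: Dict[str, int]) -> Dict[str, int]:
    """proportion-of-bandwidth: each new session goes to the link with the
    lowest sessions/bandwidth ratio (first listed on a tie), so the share of
    sessions per link converges on its share of bandwidth (10:1:1:1:1:1)."""
    assigned = {name: 0 for name in bandwidth_mbps}
    for _ in range(session_count):
        target = min(assigned, key=lambda n: assigned[n] / bandwidth_mbps[n])
        assigned[target] += 1
    return assigned


if __name__ == "__main__":
    print("pbr_rest egress:", best_link_by_quality(PROBES))
    print("pbr_dns_trans spread over 30 DNS sessions:",
          distribute_by_bandwidth(30, BANDWIDTH_MBPS))
```

With the constructed probes the quality rule skips GE1/0/5 entirely and prefers GE1/0/3 over the faster but lossy GE1/0/1, which is the behaviour that makes the IP-link checks in Step 3 matter for pbr_rest.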
# Create a smart DNS group and configure smart DNS mappings in the group.
[FW] dns-smart group 1 type single
[FW-dns-smart-group-1] real-server-ip 1.1.15.15
Step 10 Configure the security zone-based NAT server function so that users on different
ISP networks can use corresponding public IP addresses to access intranet servers.
# Configure a black-hole route to the public address of the NAT server to prevent
routing loops.
[FW] ip route-static 1.1.15.15 32 NULL 0
[FW] ip route-static 2.2.15.15 32 NULL 0
[FW] ip route-static 2.2.16.16 32 NULL 0
[FW] ip route-static 2.2.17.17 32 NULL 0
[FW] ip route-static 3.3.15.15 32 NULL 0
[FW] ip route-static 3.3.16.16 32 NULL 0
[FW] ip route-static 1.1.101.101 32 NULL 0
[FW] ip route-static 2.2.102.102 32 NULL 0
[FW] ip route-static 2.2.103.103 32 NULL 0
[FW] ip route-static 2.2.104.104 32 NULL 0
[FW] ip route-static 3.3.102.102 32 NULL 0
[FW] ip route-static 3.3.103.103 32 NULL 0
# Configure source NAT for traffic destined for the education network. The
address in the address pool is the public address of the education network.
[FW] nat address-group edu_nat_address_pool
[FW-address-group-edu_nat_address_pool] mode pat
[FW-address-group-edu_nat_address_pool] section 0 1.1.30.31 1.1.30.33
[FW-address-group-edu_nat_address_pool] quit
[FW] nat-policy
[FW-policy-nat] rule name edu_nat_policy
[FW-policy-nat-rule-edu_nat_policy] source-zone trust
[FW-policy-nat-rule-edu_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-edu_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-edu_nat_policy] quit
[FW-policy-nat] quit
# Configure the intrazone NAT, so that users can access the intranet server
through the public address.
[FW] nat-policy
[FW-policy-nat] rule name inner_nat_policy
[FW-policy-nat-rule-inner_nat_policy] source-zone trust
[FW-policy-nat-rule-inner_nat_policy] destination-zone trust
[FW-policy-nat-rule-inner_nat_policy] source-address 10.1.0.0 16
[FW-policy-nat-rule-inner_nat_policy] action source-nat address-group edu_nat_address_pool
[FW-policy-nat-rule-inner_nat_policy] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP1 network. The address in the
address pool is the public address of ISP1 network.
[FW] nat address-group isp1_nat_address_pool1
[FW-address-group-isp1_nat_address_pool1] mode pat
[FW-address-group-isp1_nat_address_pool1] section 0 2.2.5.1 2.2.5.3
[FW-address-group-isp1_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy1
[FW-policy-nat-rule-isp1_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy1] destination-zone isp1_zone1
[FW-policy-nat-rule-isp1_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy1] action source-nat address-group isp1_nat_address_pool1
[FW-policy-nat-rule-isp1_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool2
[FW-address-group-isp1_nat_address_pool2] mode pat
[FW-address-group-isp1_nat_address_pool2] section 0 2.2.6.1 2.2.6.3
[FW-address-group-isp1_nat_address_pool2] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy2
[FW-policy-nat-rule-isp1_nat_policy2] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy2] destination-zone isp1_zone2
[FW-policy-nat-rule-isp1_nat_policy2] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy2] action source-nat address-group isp1_nat_address_pool2
[FW-policy-nat-rule-isp1_nat_policy2] quit
[FW-policy-nat] quit
[FW] nat address-group isp1_nat_address_pool3
[FW-address-group-isp1_nat_address_pool3] mode pat
[FW-address-group-isp1_nat_address_pool3] section 0 2.2.7.1 2.2.7.3
[FW-address-group-isp1_nat_address_pool3] quit
[FW] nat-policy
[FW-policy-nat] rule name isp1_nat_policy3
[FW-policy-nat-rule-isp1_nat_policy3] source-zone trust
[FW-policy-nat-rule-isp1_nat_policy3] destination-zone isp1_zone3
[FW-policy-nat-rule-isp1_nat_policy3] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp1_nat_policy3] action source-nat address-group isp1_nat_address_pool3
[FW-policy-nat-rule-isp1_nat_policy3] quit
[FW-policy-nat] quit
# Configure source NAT for traffic destined for ISP2 network. The address in the
address pool is the public address of ISP2 network.
[FW] nat address-group isp2_nat_address_pool1
[FW-address-group-isp2_nat_address_pool1] mode pat
[FW-address-group-isp2_nat_address_pool1] section 0 3.3.1.1 3.3.1.3
[FW-address-group-isp2_nat_address_pool1] quit
[FW] nat-policy
[FW-policy-nat] rule name isp2_nat_policy1
[FW-policy-nat-rule-isp2_nat_policy1] source-zone trust
[FW-policy-nat-rule-isp2_nat_policy1] destination-zone isp2_zone1
[FW-policy-nat-rule-isp2_nat_policy1] source-address 10.1.0.0 16
[FW-policy-nat-rule-isp2_nat_policy1] action source-nat address-group isp2_nat_address_pool1
[FW-policy-nat-rule-isp2_nat_policy1] quit
[FW-policy-nat] quit
[FW] nat address-group isp2_nat_address_pool2
[FW-address-group-isp2_nat_address_pool2] mode pat
Step 12 Configure NAT ALG between the Trust zone and other security zones. In this
example, NAT ALG is configured for FTP, QQ, and RTSP. Besides configuring NAT
ALG, enable ASPF.
[FW] firewall interzone trust edu_zone
[FW-interzone-trust-edu_zone] detect ftp
[FW-interzone-trust-edu_zone] detect qq
[FW-interzone-trust-edu_zone] detect rtsp
[FW-interzone-trust-edu_zone] quit
[FW] firewall interzone trust isp1_zone1
[FW-interzone-trust-isp1_zone1] detect ftp
[FW-interzone-trust-isp1_zone1] detect qq
[FW-interzone-trust-isp1_zone1] detect rtsp
[FW-interzone-trust-isp1_zone1] quit
[FW] firewall interzone trust isp1_zone2
[FW-interzone-trust-isp1_zone2] detect ftp
[FW-interzone-trust-isp1_zone2] detect qq
[FW-interzone-trust-isp1_zone2] detect rtsp
[FW-interzone-trust-isp1_zone2] quit
[FW] firewall interzone trust isp1_zone3
[FW-interzone-trust-isp1_zone3] detect ftp
[FW-interzone-trust-isp1_zone3] detect qq
[FW-interzone-trust-isp1_zone3] detect rtsp
[FW-interzone-trust-isp1_zone3] quit
[FW] firewall interzone trust isp2_zone1
[FW-interzone-trust-isp2_zone1] detect ftp
[FW-interzone-trust-isp2_zone1] detect qq
[FW-interzone-trust-isp2_zone1] detect rtsp
[FW-interzone-trust-isp2_zone1] quit
[FW] firewall interzone trust isp2_zone2
[FW-interzone-trust-isp2_zone2] detect ftp
[FW-interzone-trust-isp2_zone2] detect qq
[FW-interzone-trust-isp2_zone2] detect rtsp
[FW-interzone-trust-isp2_zone2] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/2 resides.
[FW] traffic-policy
[FW-policy-traffic] profile isp1_p2p_profile_01
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth whole both 100000
[FW-policy-traffic-profile-isp1_p2p_profile_01] bandwidth maximum-bandwidth per-user both 500
[FW-policy-traffic-profile-isp1_p2p_profile_01] quit
[FW-policy-traffic] rule name isp1_p2p_01
[FW-policy-traffic-rule-isp1_p2p_01] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_01] egress-interface GigabitEthernet 1/0/2
[FW-policy-traffic-rule-isp1_p2p_01] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_01] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_01] action qos profile isp1_p2p_profile_01
[FW-policy-traffic-rule-isp1_p2p_01] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/3 resides.
[FW-policy-traffic] profile isp1_p2p_profile_02
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth whole both 300000
[FW-policy-traffic-profile-isp1_p2p_profile_02] bandwidth maximum-bandwidth per-user both 1000
[FW-policy-traffic-profile-isp1_p2p_profile_02] quit
[FW-policy-traffic] rule name isp1_p2p_02
[FW-policy-traffic-rule-isp1_p2p_02] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_02] egress-interface GigabitEthernet 1/0/3
[FW-policy-traffic-rule-isp1_p2p_02] application category Entertainment sub-category PeerCasting
[FW-policy-traffic-rule-isp1_p2p_02] application category General_Internet sub-category FileShare_P2P
[FW-policy-traffic-rule-isp1_p2p_02] action qos profile isp1_p2p_profile_02
[FW-policy-traffic-rule-isp1_p2p_02] quit
# Configure traffic limiting for P2P traffic over the link where GE1/0/4 resides.
[FW-policy-traffic] profile isp1_p2p_profile_03
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth whole both 700000
[FW-policy-traffic-profile-isp1_p2p_profile_03] bandwidth maximum-bandwidth per-user both 2000
[FW-policy-traffic-profile-isp1_p2p_profile_03] quit
[FW-policy-traffic] rule name isp1_p2p_03
[FW-policy-traffic-rule-isp1_p2p_03] ingress-interface GigabitEthernet 1/0/7
[FW-policy-traffic-rule-isp1_p2p_03] egress-interface GigabitEthernet 1/0/4
Step 16 Configure system log and NAT tracing to view logs on the eSight.
# Configure the function of sending system logs to a log host at 10.1.10.30 (in this
example, IPS and attack defense logs are sent).
[FW] info-center enable
[FW] engine log ips enable
[FW] info-center source IPS channel loghost log level emergencies
[FW] info-center source ANTIATTACK channel loghost
[FW] info-center loghost 10.1.10.30
Step 17 Configure SNMP and ensure that the SNMP parameters on the eSight are
consistent with those on the FW.
[FW] snmp-agent sys-info version v3
[FW] snmp-agent group v3 inside_snmp privacy
[FW] snmp-agent usm-user v3 snmp_user group inside_snmp
[FW] snmp-agent usm-user v3 snmp_user authentication-mode sha cipher Test@123
[FW] snmp-agent usm-user v3 snmp_user privacy-mode aes256 cipher Test@123
After completing the configuration on the eSight, choose Log Analysis > Session
Analysis > IPv4 Session Query to view session logs.
----End
1.4.5 Verification
1. When teachers and users with monthly package of 50 Yuan access the
extranet, the traffic destined to the education network is forwarded by
GE1/0/1, the traffic destined to ISP1 network is forwarded by GE1/0/2,
GE1/0/3, or GE1/0/4, and the traffic destined to ISP2 network is forwarded by
GE1/0/5 or GE1/0/6.
2. The traffic of the distance education system is forwarded over the link to the
education network or ISP2 link, P2P traffic is forwarded over ISP1 link, and
the traffic of users with monthly package of 20 Yuan and users who access
network resources from the library is forwarded over the link to the education
network.
3. Check the configuration and update of the IPS signature database.
# Run the display update configuration command to check the update
information of the IPS signature database.
[sysname] display update configuration
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy State : disable
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
# Run the display version ips-sdb command to check the configuration of
the IPS signature database.
[sysname] display version ips-sdb
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2015041503
Signature Database Size(byte) : 2659606
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 16:06:30 2015/04/15
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 12:02:10 2015/05/27
Issue Time of the Update File : 10:51:45 2015/05/20
Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
4. Run the display firewall server-map command to check server-map entries
generated by server load balancing.
[sysname] display firewall server-map slb
Current Total Server-map : 3
Type: SLB, ANY -> 3.3.113.113[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 2.2.112.112[grp1/1], Zone:---, protocol:---
Vpn: public -> public
Type: SLB, ANY -> 1.1.111.111[grp1/1], Zone:---, protocol:---
Vpn: public -> public
5. Run the display firewall server-map command to check server-map entries
generated by the NAT server function.
[sysname] display firewall server-map nat-server
Current Total Server-map : 12
Type: Nat Server, ANY -> 1.1.15.15[10.1.10.20], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.15.15[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.16.16[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.17.17[10.1.10.20], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.15.15[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.16.16[10.1.10.20], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 1.1.101.101[10.1.10.30], Zone: edu_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.102.102[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.103.103[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 2.2.104.104[10.1.10.30], Zone: isp1_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.102.102[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 3.3.103.103[10.1.10.30], Zone: isp2_zone , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 10.1.10.20[3.3.16.16] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[3.3.15.15] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.17.17] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.16.16] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[2.2.15.15] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.20[1.1.15.15] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.103.103] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[3.3.102.102] -> ANY, Zone: isp2_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.104.104] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.103.103] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[2.2.102.102] -> ANY, Zone: isp1_zone , protocol:---
Vpn: public -> public, counter: 1
Type: Nat Server Reverse, 10.1.10.30[1.1.101.101] -> ANY, Zone: edu_zone , protocol:---
Vpn: public -> public, counter: 1
#
interface GigabitEthernet1/0/2
description connect_to_isp1
ip address 2.2.2.1 255.255.255.252
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 2.2.2.2
#
interface GigabitEthernet1/0/3
description connect_to_isp1
ip address 2.2.3.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 2.2.3.2
#
interface GigabitEthernet1/0/4
description connect_to_isp1
ip address 2.2.4.1 255.255.255.252
bandwidth ingress 200000 threshold 90
bandwidth egress 200000 threshold 90
redirect-reverse next-hop 2.2.4.2
#
interface GigabitEthernet1/0/5
description connect_to_isp2
ip address 3.3.3.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 3.3.3.2
#
interface GigabitEthernet1/0/6
description connect_to_isp2
ip address 3.3.4.1 255.255.255.252
bandwidth ingress 1000000 threshold 90
bandwidth egress 1000000 threshold 90
redirect-reverse next-hop 3.3.4.2
#
interface GigabitEthernet1/0/7
description connect_to_campus
ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet1/0/8
description connect_to_radius
ip address 10.2.1.1 255.255.255.252
#
firewall zone name edu_zone
set priority 20
add interface GigabitEthernet1/0/1
#
firewall zone name isp1_zone1
set priority 30
add interface GigabitEthernet1/0/2
#
firewall zone name isp1_zone2
set priority 40
add interface GigabitEthernet1/0/3
#
firewall zone name isp1_zone3
set priority 50
add interface GigabitEthernet1/0/4
#
firewall zone name isp2_zone1
set priority 60
add interface GigabitEthernet1/0/5
#
firewall zone name isp2_zone2
set priority 70
add interface GigabitEthernet1/0/6
#
firewall zone trust
vserver 1 vs1
vip 1 1.1.111.111
vip 2 2.2.112.112
vip 3 3.3.113.113
group grp1
#
security-policy
rule name user_inside
source-zone trust
profile ips default
action permit
rule name user_outside
source-zone edu_zone
source-zone isp1_zone1
source-zone isp1_zone2
source-zone isp1_zone3
source-zone isp2_zone1
source-zone isp2_zone2
destination-address 10.1.10.0 mask 255.255.255.0
profile ips default
action permit
rule name local_to_any
source-zone local
destination-zone any
action permit
#
traffic-policy
profile isp1_p2p_profile_01
bandwidth maximum-bandwidth whole both 100000
bandwidth maximum-bandwidth per-ip both 500
profile isp1_p2p_profile_02
bandwidth maximum-bandwidth whole both 300000
bandwidth maximum-bandwidth per-ip both 1000
profile isp1_p2p_profile_03
bandwidth maximum-bandwidth whole both 700000
bandwidth maximum-bandwidth per-ip both 2000
rule name isp1_p2p_01
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/2
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_01
rule name isp1_p2p_02
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/3
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_02
rule name isp1_p2p_03
ingress-interface GigabitEthernet 1/0/7
egress-interface GigabitEthernet 1/0/4
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action qos profile isp1_p2p_profile_03
#
policy-based-route
rule name pbr_dns_trans
source-zone trust
service dns
service dns-tcp
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name dis_edu_sys
source-zone trust
application app UD_dis_edu_sys_app
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name p2p_traffic
source-zone trust
application category Entertainment sub-category PeerCasting
application category General_Internet sub-category FileShare_P2P
action pbr egress-interface multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
rule name pbr_edu
source-zone trust
source-address 10.1.0.0 16
destination-address isp edu_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 8
add interface GigabitEthernet 1/0/2 priority 5
add interface GigabitEthernet 1/0/3 priority 5
add interface GigabitEthernet 1/0/4 priority 5
add interface GigabitEthernet 1/0/5 priority 1
add interface GigabitEthernet 1/0/6 priority 1
rule name pbr_isp1
source-zone trust
source-address 10.1.0.0 16
destination-address isp isp1_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 5
add interface GigabitEthernet 1/0/2 priority 8
add interface GigabitEthernet 1/0/3 priority 8
add interface GigabitEthernet 1/0/4 priority 8
add interface GigabitEthernet 1/0/5 priority 1
add interface GigabitEthernet 1/0/6 priority 1
rule name pbr_isp2
source-zone trust
source-address 10.1.0.0 16
destination-address isp isp2_address
action pbr egress-interface multi-interface
mode priority-of-userdefine
add interface GigabitEthernet 1/0/1 priority 5
add interface GigabitEthernet 1/0/2 priority 1
add interface GigabitEthernet 1/0/3 priority 1
add interface GigabitEthernet 1/0/4 priority 1
add interface GigabitEthernet 1/0/5 priority 8
add interface GigabitEthernet 1/0/6 priority 8
rule name pbr_rest
source-zone trust
source-address 10.1.0.0 16
action pbr egress-interface multi-interface
mode priority-of-link-quality
priority-of-link-quality parameter delay jitter loss
priority-of-link-quality protocol tcp-simple
priority-of-link-quality interval 3 times 5
add interface GigabitEthernet 1/0/1
add interface GigabitEthernet 1/0/2
add interface GigabitEthernet 1/0/3
add interface GigabitEthernet 1/0/4
add interface GigabitEthernet 1/0/5
add interface GigabitEthernet 1/0/6
rule name other_edu_server
source-zone trust
source-address 10.1.0.0 16
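The multi-interface PBR rules above (proportion-of-bandwidth for pbr_dns_trans, dis_edu_sys and p2p_traffic; priority-of-userdefine for pbr_edu, pbr_isp1 and pbr_isp2) decide which uplink a flow takes and where traffic moves when a link is unavailable. The following Python model is an added example, not Huawei code, and it simplifies the device's behaviour as an assumption: among the usable links of the highest configured priority, flows are shared in proportion to the configured egress bandwidth. It uses the bandwidth values from the interface configuration above, with GE1/0/1 set to an assumed 1000000 kbit/s because its configuration is not in this excerpt, and a flow_id counter stands in for the device's per-flow hash.

```python
"""Simplified model of multi-interface PBR egress selection (added example).

Assumption: links of the highest priority that are still up are used, and
links of equal priority share flows in proportion to egress bandwidth.
"""
from functools import reduce
from math import gcd

# Egress bandwidth (kbit/s) per interface, taken from the configuration above.
# GE1/0/1 is not shown in the excerpt; its value here is an assumption.
BANDWIDTH = {
    "GE1/0/1": 1000000,  # assumed
    "GE1/0/2": 200000,
    "GE1/0/3": 1000000,
    "GE1/0/4": 200000,
    "GE1/0/5": 1000000,
    "GE1/0/6": 1000000,
}

# Rule pbr_edu (priority-of-userdefine): interface -> priority (higher wins).
PBR_EDU = {"GE1/0/1": 8, "GE1/0/2": 5, "GE1/0/3": 5, "GE1/0/4": 5,
           "GE1/0/5": 1, "GE1/0/6": 1}
# Rule p2p_traffic (proportion-of-bandwidth): member interfaces.
P2P_TRAFFIC = ["GE1/0/2", "GE1/0/3", "GE1/0/4"]


def weighted_pick(candidates, flow_id):
    """Share flows across candidates in proportion to egress bandwidth.

    The bandwidths are reduced by their gcd to small bucket counts, and the
    flow_id selects a bucket deterministically so the split can be checked.
    """
    weights = [BANDWIDTH[i] for i in candidates]
    unit = reduce(gcd, weights)
    buckets = [w // unit for w in weights]
    slot = flow_id % sum(buckets)
    for iface, size in zip(candidates, buckets):
        if slot < size:
            return iface
        slot -= size
    raise AssertionError("unreachable: slot is always below sum(buckets)")


def select_proportion(members, link_up, flow_id):
    """proportion-of-bandwidth: all usable members share by bandwidth."""
    up = [i for i in members if link_up.get(i, True)]
    if not up:
        return None  # no usable egress: the rule cannot forward
    return weighted_pick(up, flow_id)


def select_priority(priorities, link_up, flow_id):
    """priority-of-userdefine: only the highest usable priority tier is used;
    when every link of that tier is down, the next tier takes over."""
    up = {i: p for i, p in priorities.items() if link_up.get(i, True)}
    if not up:
        return None
    best = max(up.values())
    return weighted_pick([i for i, p in up.items() if p == best], flow_id)


def distribution(select, flows):
    """Count how many of `flows` consecutive flow ids land on each interface."""
    counts = {}
    for flow_id in range(flows):
        iface = select(flow_id)
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    # GE1/0/1 failed (health check down): pbr_edu falls back to the ISP1 tier,
    # and the 200000/1000000/200000 bandwidths give a 1:5:1 split.
    down = {"GE1/0/1": False}
    print(distribution(lambda f: select_priority(PBR_EDU, down, f), 7000))
    print(distribution(lambda f: select_proportion(P2P_TRAFFIC, {}, f), 700))
```

A link marked down in link_up corresponds to an interface whose health check has failed; the model shows that a single link failure moves education-network traffic onto the ISP1 links with the 1:5:1 split implied by their configured bandwidth, which is the capacity you need to plan for.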
2.1 Introduction
This section describes the planning and deployment of firewalls at the egress of a
broadcast and television network. It also provides reference for tier-2 carriers.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.
Two firewalls are deployed at the Internet egress of the broadcast and television
network for hot standby (active/standby backup). The upstream interfaces of the
two firewalls are connected to the two ISPs through the egress aggregation
switches. The downstream interfaces of the two firewalls are connected to the
MAN through core routers and connected to the servers through the switch in the
server area.
Specifically, the broadcast and television network has the following requirements
on the egress firewalls:
Table 2-1 Device planning for the egress of a broadcast and television network (columns: Device, Recommended Plan 1, Recommended Plan 2)
then connect the two links to the upstream interfaces of the two firewalls. OSPF
runs between the firewalls and their downstream routers. Typical hot standby
networking is achieved with two firewalls connected to the upstream switches and
downstream routers. In such networking, a VRRP group is configured on the
upstream interface of a firewall, and a VGMP group is configured on the
downstream interface to monitor service interfaces.
Figure 2-3 shows the hot standby networking, where the interfaces of the active
and standby firewalls connected to one ISP access point are added to one VRRP
group.
● Address pool
Configure two address pools corresponding to different ISPs based on the
public IP addresses requested from the ISPs. Note that the public IP addresses
of VRRP groups and disclosed public IP addresses of servers should be
excluded from the address pools.
● Network Address and Port Translation (NAPT)
NAPT translates both IP addresses and ports. When a packet from an intranet
user to the Internet arrives at the firewall, NAPT translates its source
address into a public address and its source port into a randomly chosen port
outside the well-known range (0 to 1023). In this way one public address is
shared by many intranet users, so a large number of users can access the
Internet simultaneously through a small pool of public addresses.
● NAT ALG: When a NAT-enabled firewall forwards packets of multi-channel
protocols (protocols that negotiate additional data connections inside a
control channel, such as FTP, SIP, H.323, RTSP, and QQ), the corresponding
NAT ALG must be enabled so that the addresses and ports carried in the
protocol payload are translated as well.
If the DNS servers are deployed internally, smart DNS is needed to enable extranet
users to obtain the most appropriate resolved addresses of servers. In other words,
the address must belong to the serving ISP of the user.
The egress gateway enables the communication between the broadcast and
television network and the extranet. Therefore, it is necessary to configure security
functions, including intrusion prevention (IPS) and attack defense.
The default IPS profile, default, blocks detected intrusions. Alternatively,
apply the profile ids, which logs attacks without blocking, and then derive a
tailored IPS profile from those logs.
Data Planning
Data planning is based on the above service planning.
Interface: Eth-Trunk2.1
FW_A: IP address 2.2.2.2/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Active
FW_B: IP address 2.2.2.3/29; security zone isp2_1; gateway 2.2.2.6/29; VRRP backup group 2: 2.2.2.1/29; VGMP management group: Standby
Interface: Eth-Trunk1.2
FW_A: IP address 1.1.2.2/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Active
FW_B: IP address 1.1.2.3/29; security zone isp1_2; gateway 1.1.2.6/29; VRRP backup group 3: 1.1.2.1/29; VGMP management group: Standby
Interface: Eth-Trunk2.2
FW_A: IP address 2.2.3.2/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 4: 2.2.3.1/29; VGMP management group: Active
FW_B: IP address 2.2.3.3/29; security zone isp2_2; gateway 2.2.3.6/29; VRRP backup group 4: 2.2.3.1/29; VGMP management group: Standby
FTP server
Private IP address: 10.0.10.11
ISP1_1 public IP address: 1.1.1.16
ISP1_2 public IP address: 1.1.2.16
ISP2_1 public IP address: 2.2.2.16
ISP2_2 public IP address: 2.2.3.16
DNS server
Private IP address: 10.0.10.20
ISP1_1 public IP address: 1.1.1.17
ISP1_2 public IP address: 1.1.2.17
ISP2_1 public IP address: 2.2.2.17
ISP2_2 public IP address: 2.2.3.17
2.4 Precautions
● License
Licenses are required for IPS and smart DNS services. Smart DNS also requires
loading of a content security component.
● Hardware requirement
For the USG9500, IPS, application-based PBR, and smart DNS require that the
SPC-APPSEC-FW is in position. Otherwise, these functions are unavailable.
● Before using the IPS function, you are advised to update the IPS signature
database to the latest version.
● Networking
– To prevent communication failures between active and standby firewalls
due to heartbeat interface faults, using an Eth-Trunk interface as the
heartbeat interface is recommended. For devices on which multiple NICs
can be installed (for the support situation, see the hardware guide), an
inter-board Eth-Trunk interface is required. That is, the member interfaces
of the Eth-Trunk interface are on different LPUs. The inter-board Eth-
Trunk improves reliability and increases bandwidth. For devices that do
not support interface expansion or inter-board Eth-Trunk, it is possible
that a faulty LPU may cause all HRP backup channels to be unavailable
and compromise services.
– When hot standby and intelligent uplink selection are used together, if
the upstream switch runs VRRP, the upstream physical port of the firewall
must be a public IP address in the same network segment as the address
of the ISP router. Otherwise, the gateway of the port cannot be specified.
The gateway command is mandatory for intelligent uplink selection and
link health check.
If the upstream device of the firewall is a router, this restriction does not
apply.
● Intelligent uplink selection
– The gateway command makes the firewall generate equal-cost default
routes. Their protocol type is UNR and their preference value is 70, so
they rank below static routes (preference 60; on this platform a smaller
value means a higher priority). Once these routes take effect, you can no
longer configure multi-egress equal-cost static default routes manually.
– Intelligent uplink selection cannot be used together with IP address
spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP
address spoofing defense or URPF is enabled, the firewall may drop
packets.
● Black-hole route
The route enable command in a NAT address pool makes the firewall generate
a User Network Route (UNR) for the pool addresses. The UNR acts as a
black-hole route: it prevents routing loops between the firewall and the
ISP routers and can also be advertised by dynamic routing protocols such as
OSPF. For a NAT server mapping that specifies a protocol and port, you must
additionally configure a black-hole route whose destination is the public
address. Packets from external sources that are destined for the public
address but match no entry in the server-map table then hit the black-hole
route and are dropped instead of being bounced back to the ISP router,
which prevents a routing loop.
Procedure
Step 1 Configure IP addresses for the interfaces of FW_A.
<FW_A> system-view
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] description To-isp1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW_A-Eth-Trunk1] trunkport GigabitEthernet 1/0/6
[FW_A-Eth-Trunk1] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] description To-isp2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/2
[FW_A-Eth-Trunk2] trunkport GigabitEthernet 1/0/7
[FW_A-Eth-Trunk2] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] description To-isp1-1
[FW_A-Eth-Trunk1.1] vlan-type dot1q 11
[FW_A-Eth-Trunk1.1] ip address 1.1.1.2 29
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] description To-isp2-1
[FW_A-Eth-Trunk2.1] vlan-type dot1q 21
[FW_A-Eth-Trunk2.1] ip address 2.2.2.2 29
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] description To-isp1-2
[FW_A-Eth-Trunk1.2] vlan-type dot1q 12
[FW_A-Eth-Trunk1.2] ip address 1.1.2.2 29
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] description To-isp2-2
[FW_A-Eth-Trunk2.2] vlan-type dot1q 22
[FW_A-Eth-Trunk2.2] ip address 2.2.3.2 29
[FW_A-Eth-Trunk2.2] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] undo service-manage enable
[FW_A-GigabitEthernet1/0/3] description To-router
[FW_A-GigabitEthernet1/0/3] ip address 10.0.3.1 24
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] undo service-manage enable
[FW_A-GigabitEthernet1/0/4] description To-server
[FW_A-GigabitEthernet1/0/4] ip address 10.0.5.1 24
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] description Hrp-interface
[FW_A-Eth-Trunk0] ip address 10.0.7.1 24
[FW_A-Eth-Trunk0] quit
[FW_A] interface GigabitEthernet 2/0/0
[FW_A-GigabitEthernet2/0/0] undo service-manage enable
[FW_A-GigabitEthernet2/0/0] eth-trunk 0
[FW_A-GigabitEthernet2/0/0] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] undo service-manage enable
[FW_A-GigabitEthernet1/0/5] eth-trunk 0
[FW_A-GigabitEthernet1/0/5] quit
Step 3 Configure the IP addresses and security zones of FW_B interfaces according to the
above procedure. The difference lies in the IP addresses of the interfaces.
----End
Procedure
Step 1 Enable the health check function on FW_A and configure health checks for
the ISP 1 and ISP 2 links.
The probe destination must be a real, reachable IP address beyond the firewall.
Here each link's ISP gateway address is probed with ICMP and a DNS server
reachable through the link is probed with the DNS protocol; the DNS probe also
catches failures beyond the directly connected gateway, which an ICMP probe to
the gateway alone would miss.
[FW_A] healthcheck enable
[FW_A] healthcheck name isp1_health1
[FW_A-healthcheck-isp1_health1] destination 1.1.1.6 interface Eth-Trunk1.1 protocol icmp
[FW_A-healthcheck-isp1_health1] destination 1.1.1.222 interface Eth-Trunk1.1 protocol dns
[FW_A-healthcheck-isp1_health1] quit
[FW_A] healthcheck name isp1_health2
[FW_A-healthcheck-isp1_health2] destination 1.1.2.6 interface Eth-Trunk1.2 protocol icmp
[FW_A-healthcheck-isp1_health2] destination 1.1.1.222 interface Eth-Trunk1.2 protocol dns
[FW_A-healthcheck-isp1_health2] quit
[FW_A] healthcheck name isp2_health1
[FW_A-healthcheck-isp2_health1] destination 2.2.2.6 interface Eth-Trunk2.1 protocol icmp
[FW_A-healthcheck-isp2_health1] destination 2.2.2.222 interface Eth-Trunk2.1 protocol dns
[FW_A-healthcheck-isp2_health1] quit
[FW_A] healthcheck name isp2_health2
[FW_A-healthcheck-isp2_health2] destination 2.2.3.6 interface Eth-Trunk2.2 protocol icmp
[FW_A-healthcheck-isp2_health2] destination 2.2.2.222 interface Eth-Trunk2.2 protocol dns
[FW_A-healthcheck-isp2_health2] quit
Step 2 Configure the gateway addresses and bandwidths for interfaces, and apply
corresponding health check configurations.
Once a health check is bound to an interface, a failed check marks the link as
down and the route bound to that interface is withdrawn from use, so
intelligent uplink selection stops sending traffic over the failed link.
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] gateway 1.1.1.6
[FW_A-Eth-Trunk1.1] bandwidth ingress 800000
[FW_A-Eth-Trunk1.1] bandwidth egress 800000
[FW_A-Eth-Trunk1.1] healthcheck isp1_health1
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk1.2
[FW_A-Eth-Trunk1.2] gateway 1.1.2.6
[FW_A-Eth-Trunk1.2] bandwidth ingress 400000
[FW_A-Eth-Trunk1.2] bandwidth egress 400000
[FW_A-Eth-Trunk1.2] healthcheck isp1_health2
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk2.1
[FW_A-Eth-Trunk2.1] gateway 2.2.2.6
[FW_A-Eth-Trunk2.1] bandwidth ingress 900000
[FW_A-Eth-Trunk2.1] bandwidth egress 900000
[FW_A-Eth-Trunk2.1] healthcheck isp2_health1
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk2.2
[FW_A-Eth-Trunk2.2] gateway 2.2.3.6
[FW_A-Eth-Trunk2.2] bandwidth ingress 600000
[FW_A-Eth-Trunk2.2] bandwidth egress 600000
[FW_A-Eth-Trunk2.2] healthcheck isp2_health2
[FW_A-Eth-Trunk2.2] quit
----End
Procedure
Step 1 Configure a VRRP group on the upstream interface of FW_A, and set the VRRP
group to an active state.
<FW_A> system-view
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 2 virtual-ip 2.2.2.1 29 active
[FW_A-Eth-Trunk2.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] vrrp vrid 3 virtual-ip 1.1.2.1 29 active
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 2.2
[FW_A-Eth-Trunk2.2] vrrp vrid 4 virtual-ip 2.2.3.1 29 active
[FW_A-Eth-Trunk2.2] quit
Step 3 Enable on FW_A the function of adjusting OSPF costs according to the VGMP
status.
[FW_A] hrp adjust ospf-cost enable
Step 4 Enable the preemption function on FW_A and set the preemption delay to 300s.
[FW_A] hrp preempt delay 300
Step 5 Specify the heartbeat interface and enable hot standby on FW_A.
[FW_A] hrp interface Eth-Trunk0 remote 10.0.7.2
[FW_A] hrp enable
Step 6 Configure hot standby on FW_B with reference to the above procedure. The
difference is that the state of the VRRP group is set to standby and that the
remote address of hrp interface is set to 10.0.7.1.
Step 7 Configure routers and switches.
1. Configure OSPF and advertise the neighboring network segments on the
routers. For the specific configuration command, see the related router
documentation.
2. Add the three interfaces to one VLAN on each switch. For the specific
configuration commands, see the related switch documentation.
----End
Result
A hot-standby relationship has been established to back up most subsequent
configurations. Therefore, in the subsequent steps, you only need to make
configurations on the active FW_A (unless otherwise stated).
You can run the route enable command to generate a UNR for addresses in the NAT
address pool. The UNR functions the same as a black-hole route. It can prevent a routing
loop.
Step 2 Configure the NAT policy between the Trust and isp1_1 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp1_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group pool_isp1_1
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A-policy-nat] quit
Step 3 Configure NAT address pool pool_isp1_2 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp1_2
HRP_M[FW_A-address-group-pool_isp1_2] mode pat
Step 4 Configure the NAT policy between the Trust and isp1_2 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp1_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat2
HRP_M[FW_A-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat2] destination-zone isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] action source-nat address-group pool_isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat2] quit
HRP_M[FW_A-policy-nat] quit
Step 5 Configure NAT address pool pool_isp2_1 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp2_1
HRP_M[FW_A-address-group-pool_isp2_1] mode pat
HRP_M[FW_A-address-group-pool_isp2_1] section 2.2.2.10 2.2.2.12
HRP_M[FW_A-address-group-pool_isp2_1] route enable
HRP_M[FW_A-address-group-pool_isp2_1] quit
Step 6 Configure the NAT policy between the Trust and isp2_1 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp2_1.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat3
HRP_M[FW_A-policy-nat-rule-policy_nat3] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat3] destination-zone isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] action source-nat address-group pool_isp2_1
HRP_M[FW_A-policy-nat-rule-policy_nat3] quit
HRP_M[FW_A-policy-nat] quit
Step 7 Configure NAT address pool pool_isp2_2 and specify the address pool type to be
NAPT.
HRP_M[FW_A] nat address-group pool_isp2_2
HRP_M[FW_A-address-group-pool_isp2_2] mode pat
HRP_M[FW_A-address-group-pool_isp2_2] section 2.2.3.10 2.2.3.12
HRP_M[FW_A-address-group-pool_isp2_2] route enable
HRP_M[FW_A-address-group-pool_isp2_2] quit
Step 8 Configure the NAT policy between the Trust and isp2_2 zones to translate source
addresses of packets from the Trust zone to addresses in pool_isp2_2.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat4
HRP_M[FW_A-policy-nat-rule-policy_nat4] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat4] destination-zone isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] action source-nat address-group pool_isp2_2
HRP_M[FW_A-policy-nat-rule-policy_nat4] quit
HRP_M[FW_A-policy-nat] quit
HRP_M[FW_A] detect qq
----End
Smart DNS requires a content security group license. It also requires dynamic loading of the
corresponding component.
For the USG9500, smart DNS requires that the SPC-APPSEC-FW is in position. Otherwise,
the function is unavailable.
Procedure
Step 1 Configure the NAT server.
1. Configure the NAT server function, mapping the private addresses of web
servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside
10.0.10.10 www
HRP_M[FW_A] nat server policy_web2 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside
10.0.10.10 www
HRP_M[FW_A] nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside
10.0.10.10 www
HRP_M[FW_A] nat server policy_web4 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside
10.0.10.10 www
2. Configure the NAT server function, mapping the private addresses of FTP
servers to public addresses for access of users of ISP 1 and ISP 2.
HRP_M[FW_A] nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside
10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp2 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside
10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp3 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside
10.0.10.11 ftp
HRP_M[FW_A] nat server policy_ftp4 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside
10.0.10.11 ftp
3. Configure the NAT server function, mapping the private address of the DNS
server to public addresses for access by users of ISP 1 and ISP 2. The
mappings below cover only TCP port 53 (domain); standard DNS queries use UDP
port 53, so if extranet clients are to resolve names through this server, a
matching mapping with protocol udp is also required for each zone.
HRP_M[FW_A] nat server policy_dns1 zone isp1_1 protocol tcp global 1.1.1.17 domain inside
10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns2 zone isp1_2 protocol tcp global 1.1.2.17 domain inside
10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns3 zone isp2_1 protocol tcp global 2.2.2.17 domain inside
10.0.10.20 domain
HRP_M[FW_A] nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside
10.0.10.20 domain
Sticky load balancing (redirect-reverse) requires IP addresses and gateway
addresses on the interfaces; these were already configured in 2.5.1 Configuring
Interfaces and Security Zones and 2.5.2 Configuring Intelligent Uplink Selection
and Routes.
Interface configuration is not backed up by HRP. Therefore, configure sticky
load balancing on both FW_A and FW_B.
HRP_M[FW_A] interface Eth-Trunk 1.1
HRP_M[FW_A-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_M[FW_A-Eth-Trunk1.1] quit
HRP_M[FW_A] interface Eth-Trunk 2.1
HRP_M[FW_A-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_M[FW_A-Eth-Trunk2.1] quit
HRP_M[FW_A] interface Eth-Trunk 1.2
HRP_M[FW_A-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_M[FW_A-Eth-Trunk1.2] quit
HRP_M[FW_A] interface Eth-Trunk 2.2
HRP_M[FW_A-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_M[FW_A-Eth-Trunk2.2] quit
HRP_S[FW_B] interface Eth-Trunk 1.1
HRP_S[FW_B-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
HRP_S[FW_B-Eth-Trunk1.1] quit
HRP_S[FW_B] interface Eth-Trunk 2.1
HRP_S[FW_B-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
HRP_S[FW_B-Eth-Trunk2.1] quit
HRP_S[FW_B] interface Eth-Trunk 1.2
HRP_S[FW_B-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
HRP_S[FW_B-Eth-Trunk1.2] quit
HRP_S[FW_B] interface Eth-Trunk 2.2
HRP_S[FW_B-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
HRP_S[FW_B-Eth-Trunk2.2] quit
Step 4 Configure a black-hole route to the public address of the NAT server to prevent
routing loops between the firewall and ISP routers.
Route configuration is not backed up by HRP. Therefore, configure the
black-hole routes on both FW_A and FW_B.
HRP_M[FW_A] ip route-static 1.1.1.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.1.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.15 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.16 32 NULL 0
HRP_M[FW_A] ip route-static 1.1.2.17 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.16 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.3.17 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.15 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.16 32 NULL 0
HRP_S[FW_B] ip route-static 1.1.1.17 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.15 32 NULL 0
HRP_S[FW_B] ip route-static 2.2.2.16 32 NULL 0
----End
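The address pool exclusions described in the service planning (VRRP virtual addresses and published server addresses must not be in any NAT pool) and the black-hole routes for NAT server public addresses in Step 4 are easy to let drift as ISP links and servers are added. The following Python checker is an added example, not part of the configuration guide: it parses a constructed configuration excerpt built from this example's addresses (the section of pool_isp1_1, which the guide does not show, is assumed here and deliberately overlaps a VRRP address; route enable is deliberately omitted from pool_isp2_1 and the black-hole route for 1.1.1.17 is deliberately missing) and reports pool addresses that must be excluded, pools without a UNR, and NAT server globals lacking a NULL 0 route. It understands only the line formats shown in this document.

```python
"""Consistency checks for NAT address pools and NAT server black-hole routes.

Added example. Parses only the VRP-style line formats shown in this document:
nat address-group / section / route enable, vrrp ... virtual-ip,
nat server ... global, and ip route-static ... NULL 0.
"""
import ipaddress
import re

# Constructed sample input built from this example's addresses; it is not a
# captured device configuration. pool_isp1_1's section is assumed and
# deliberately includes the VRRP address 1.1.1.1, pool_isp2_1 deliberately
# lacks route enable, and the black-hole route for 1.1.1.17 is left out.
SAMPLE_CONFIG = """\
interface Eth-Trunk1.1
 ip address 1.1.1.2 29
 vrrp vrid 1 virtual-ip 1.1.1.1 29 active
interface Eth-Trunk2.1
 ip address 2.2.2.2 29
 vrrp vrid 2 virtual-ip 2.2.2.1 29 active
nat address-group pool_isp1_1
 mode pat
 section 1.1.1.1 1.1.1.12
 route enable
nat address-group pool_isp2_1
 mode pat
 section 2.2.2.10 2.2.2.12
nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_dns1 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
ip route-static 1.1.1.15 32 NULL 0
ip route-static 1.1.1.16 32 NULL 0
ip route-static 2.2.2.15 32 NULL 0
"""

_RE_POOL = re.compile(r"^nat address-group (\S+)")
_RE_SECTION = re.compile(r"^\s*section (\S+) (\S+)")
_RE_VIP = re.compile(r"vrrp vrid \d+ virtual-ip (\S+)")
_RE_NAT_SERVER = re.compile(r"^nat server (\S+) .*\bglobal (\d+\.\d+\.\d+\.\d+)")
_RE_BLACKHOLE = re.compile(r"^ip route-static (\S+) 32 NULL ?0\b")


def parse_config(text):
    """Extract pools, VRRP VIPs, NAT server globals and black-hole routes."""
    cfg = {"pools": {}, "pool_unr": set(), "vips": set(),
           "nat_servers": [], "blackholes": set()}
    pool = None  # name of the address-group view we are currently inside
    for line in text.splitlines():
        m = _RE_POOL.match(line)
        if m:
            pool = m.group(1)
            cfg["pools"].setdefault(pool, [])
            continue
        m = _RE_SECTION.match(line)
        if m and pool is not None:
            cfg["pools"][pool].append((ipaddress.IPv4Address(m.group(1)),
                                       ipaddress.IPv4Address(m.group(2))))
            continue
        if pool is not None and line.strip() == "route enable":
            cfg["pool_unr"].add(pool)
            continue
        if not line.startswith(" "):
            pool = None  # any top-level command leaves the address-group view
        m = _RE_VIP.search(line)
        if m:
            cfg["vips"].add(m.group(1))
            continue
        m = _RE_NAT_SERVER.match(line)
        if m:
            cfg["nat_servers"].append((m.group(1), m.group(2)))
            continue
        m = _RE_BLACKHOLE.match(line)
        if m:
            cfg["blackholes"].add(m.group(1))
    return cfg


def pool_overlaps(cfg):
    """Pool addresses that must be excluded: VRRP VIPs and NAT server globals."""
    reserved = {ip: "VRRP virtual IP" for ip in cfg["vips"]}
    for name, ip in cfg["nat_servers"]:
        reserved.setdefault(ip, "NAT server " + name)
    findings = []
    for pool, sections in cfg["pools"].items():
        for start, end in sections:
            for ip, reason in reserved.items():
                if start <= ipaddress.IPv4Address(ip) <= end:
                    findings.append((pool, ip, reason))
    return sorted(findings)


def pools_without_unr(cfg):
    """Pools lacking route enable, i.e. without the UNR black-hole route."""
    return sorted(p for p in cfg["pools"] if p not in cfg["pool_unr"])


def missing_blackholes(cfg):
    """NAT server globals with no ip route-static <ip> 32 NULL 0."""
    globals_ = {ip for _, ip in cfg["nat_servers"]}
    return sorted(globals_ - cfg["blackholes"], key=ipaddress.IPv4Address)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for pool, ip, reason in pool_overlaps(cfg):
        print("pool %s contains %s (%s): exclude it" % (pool, ip, reason))
    for pool in pools_without_unr(cfg):
        print("pool %s has no route enable" % pool)
    for ip in missing_blackholes(cfg):
        print("missing: ip route-static %s 32 NULL 0" % ip)
```

Run it against the output of display current-configuration from both FW_A and FW_B, since neither the routes nor the interface settings are synchronised by HRP and a finding on the standby unit only shows up after a failover.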
Step 5 Configure the Trust-to-DMZ security policy, allowing intranet users to
reach the web server, FTP server, and DNS server in the DMZ zone and enabling
intrusion prevention. Each rule uses a /32 destination so that it permits only
the named server and service; a /24 mask on these addresses would open the rule
to the whole 10.0.10.0/24 segment.
HRP_M[FW_A-policy-security] rule name trust_to_http
HRP_M[FW_A-policy-security-rule-trust_to_http] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_http] destination-address 10.0.10.10 32
HRP_M[FW_A-policy-security-rule-trust_to_http] service http
HRP_M[FW_A-policy-security-rule-trust_to_http] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_http] action permit
HRP_M[FW_A-policy-security-rule-trust_to_http] quit
HRP_M[FW_A-policy-security] rule name trust_to_ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_ftp] destination-address 10.0.10.11 32
HRP_M[FW_A-policy-security-rule-trust_to_ftp] service ftp
HRP_M[FW_A-policy-security-rule-trust_to_ftp] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_ftp] action permit
HRP_M[FW_A-policy-security-rule-trust_to_ftp] quit
HRP_M[FW_A-policy-security] rule name trust_to_dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-zone dmz
HRP_M[FW_A-policy-security-rule-trust_to_dns] destination-address 10.0.10.20 32
HRP_M[FW_A-policy-security-rule-trust_to_dns] service dns
HRP_M[FW_A-policy-security-rule-trust_to_dns] profile ips default
HRP_M[FW_A-policy-security-rule-trust_to_dns] action permit
HRP_M[FW_A-policy-security-rule-trust_to_dns] quit
Step 6 Configure the Local-to-DMZ security policy, allowing the firewall to send logs to
the log server.
HRP_M[FW_A-policy-security] rule name local_to_logcenter
HRP_M[FW_A-policy-security-rule-local_to_logcenter] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-zone dmz
HRP_M[FW_A-policy-security-rule-local_to_logcenter] destination-address 10.0.10.30 24
HRP_M[FW_A-policy-security-rule-local_to_logcenter] action permit
HRP_M[FW_A-policy-security-rule-local_to_logcenter] quit
Step 7 Configure the Local-to-isp1 and Local-to-isp2 security policy, allowing the FW to
connect to the security center and update its signature databases.
HRP_M[FW_A-policy-security] rule name local_to_isp
HRP_M[FW_A-policy-security-rule-local_to_isp] source-zone local
HRP_M[FW_A-policy-security-rule-local_to_isp] destination-zone isp1_1 isp1_2 isp2_1 isp2_2
For versions earlier than USG6000&USG9500 V500R001C80, you need to configure security
policies on the FW to allow the FW to send health check probe packets to the destination
device. For versions later than V500R001C80, health check probe packets are not subject to
security policies and are permitted by default, so no security policy is required for them.
Step 8 Update the IPS signature database and service awareness signature database
automatically.
1. Make sure that the firewall has activated the license that supports the IPS
signature database update server.
HRP_M[FW_A] display license
IPS : Enabled; service expire time: 2015/06/12
2. Configure the DNS server, allowing the firewall to access the security center
using a domain name.
HRP_M[FW_A] dns resolve
HRP_M[FW_A] dns server 1.1.1.222
----End
Procedure
Step 1 Configure a log host on FW_A.
HRP_M[FW_A] firewall log host 1 10.0.10.30 9002
HRP_M[FW_A] firewall log source 10.0.5.1 6000
Step 4 Configure the source IP and port that FW_B uses to send logs to the log host. This
configuration does not support backup.
HRP_S[FW_B] firewall log source 10.0.6.1 6000
Step 6 Configure SNMP V3 on FW_B. This configuration does not support backup.
HRP_S[FW_B] snmp-agent sys-info version v3
HRP_S[FW_B] snmp-agent group v3 NMS1 privacy
HRP_S[FW_B] snmp-agent usm-user v3 admin1 group NMS1
HRP_S[FW_B] snmp-agent usm-user v3 admin1 authentication-mode md5 cipher
Admin@123abcdefg1234567890abccba10
HRP_S[FW_B] snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher
Admin@123abcdefg1234567890abccba10
Step 7 After eLog configuration is complete, choose Log Analysis > Session Analysis >
IPv4 Session Log on the eLog to view session logs. Choose Log Analysis > Cyber
Security Analysis > IM to view IM logs.
----End
Step 3 For the USG6000, if a hard disk is installed, you can also choose Monitoring >
Report > Traffic Report to view traffic reports. You can query traffic histories by
address or application.
----End
2.5.9 Verification
● Intranet users can access the Internet normally.
● Extranet users can access intranet servers using public IP addresses.
● The eLog can obtain session logs of the firewalls.
● Run the shutdown command on GigabitEthernet 1/0/1 of the active firewall
to simulate a link fault. The active/standby switchover is normal without
services interrupted.
FW_A
description To-isp2
undo service-manage enable
#
interface Eth-Trunk 1.1
description To-isp1-1
ip address 1.1.1.2 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 active
healthcheck isp1_health1
gateway 1.1.1.6
vlan-type dot1q 11
bandwidth ingress 800000
bandwidth egress 800000
redirect-reverse next-hop 1.1.1.6
#
interface Eth-Trunk 2.1
description To-isp2-1
ip address 2.2.2.2 255.255.255.248
vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 active
healthcheck isp2_health1
gateway 2.2.2.6
vlan-type dot1q 21
bandwidth ingress 900000
bandwidth egress 900000
redirect-reverse next-hop 2.2.2.6
#
interface Eth-Trunk 1.2
description To-isp1-2
ip address 1.1.2.2 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 active
healthcheck isp1_health2
gateway 1.1.2.6
vlan-type dot1q 12
bandwidth ingress 400000
bandwidth egress 400000
redirect-reverse next-hop 1.1.2.6
#
interface Eth-Trunk 2.2
description To-isp2-2
ip address 2.2.3.2 255.255.255.248
vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 active
healthcheck isp2_health2
gateway 2.2.3.6
vlan-type dot1q 22
bandwidth ingress 600000
bandwidth egress 600000
redirect-reverse next-hop 2.2.3.6
#
interface GigabitEthernet 1/0/1
eth-trunk 1
undo service-manage enable
#
interface GigabitEthernet 1/0/2
eth-trunk 2
undo service-manage enable
#
interface GigabitEthernet 1/0/3
description To-router
ip address 10.0.3.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet 1/0/4
description To-server
ip address 10.0.5.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet 1/0/5
eth-trunk 0
undo service-manage enable
#
interface GigabitEthernet 1/0/6
eth-trunk 1
undo service-manage enable
#
interface GigabitEthernet 1/0/7
eth-trunk 2
undo service-manage enable
#
interface GigabitEthernet 2/0/0
eth-trunk 0
undo service-manage enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/3
#
firewall zone dmz
set priority 5
add interface GigabitEthernet 1/0/4
#
firewall zone name hrp id 4
set priority 75
add interface eth-trunk 0
#
firewall zone name isp1_1 id 5
set priority 10
add interface eth-trunk1.1
#
firewall zone name isp1_2 id 6
set priority 15
add interface eth-trunk1.2
#
firewall zone name isp2_1 id 7
set priority 20
add interface eth-trunk2.1
#
firewall zone name isp2_2 id 8
set priority 25
add interface eth-trunk2.2
#
detect ftp
detect sip
detect h323
detect rtsp
detect qq
#
ospf 1
area 0.0.0.0
network 10.0.3.0 0.0.0.255
network 10.0.5.0 0.0.0.255
#
ip route-static 1.1.1.15 255.255.255.255 NULL 0
ip route-static 1.1.1.16 255.255.255.255 NULL 0
ip route-static 1.1.1.17 255.255.255.255 NULL 0
ip route-static 2.2.2.15 255.255.255.255 NULL 0
ip route-static 2.2.2.16 255.255.255.255 NULL 0
ip route-static 2.2.2.17 255.255.255.255 NULL 0
ip route-static 1.1.2.15 255.255.255.255 NULL 0
ip route-static 1.1.2.16 255.255.255.255 NULL 0
ip route-static 1.1.2.17 255.255.255.255 NULL 0
ip route-static 2.2.3.15 255.255.255.255 NULL 0
ip route-static 2.2.3.16 255.255.255.255 NULL 0
ip route-static 2.2.3.17 255.255.255.255 NULL 0
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 NMS1 privacy
snmp-agent usm-user v3 admin1 group NMS1
snmp-agent usm-user v3 admin1 authentication-mode md5 cipher %^%#Hkf(QMzGN$biX-NUpE14:e,9Bu,0E"3TL$@gV<.V%^%#
snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher %^%#77$d.slqmEO)"('y<g6/,h5z<:#v~!jab]@M$58J%^%
#
nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web2 1 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
nat server policy_web3 2 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_web4 3 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 4 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp2 5 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp3 6 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp4 7 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
nat server policy_dns1 8 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
nat server policy_dns2 9 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
nat server policy_dns3 10 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
dns-smart enable
#
dns-smart group 1 type multi
out-interface eth-trunk1.1 map 1.1.1.15
out-interface eth-trunk2.1 map 2.2.2.15
out-interface eth-trunk1.2 map 1.1.2.15
out-interface eth-trunk2.2 map 2.2.3.15
#
dns-smart group 2 type multi
out-interface eth-trunk1.1 map 1.1.1.16
out-interface eth-trunk2.1 map 2.2.2.16
out-interface eth-trunk1.2 map 1.1.2.16
out-interface eth-trunk2.2 map 2.2.3.16
#
nat address-group pool_isp1_1 1
mode pat
route enable
section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp1_2 2
mode pat
route enable
section 0 1.1.2.10 1.1.2.12
#
nat address-group pool_isp2_1 3
mode pat
route enable
section 0 2.2.2.10 2.2.2.12
#
nat address-group pool_isp2_2 4
mode pat
route enable
section 0 2.2.3.10 2.2.3.12
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1_1
action source-nat address-group pool_isp1_1
rule name policy_nat2
source-zone trust
destination-zone isp1_2
action source-nat address-group pool_isp1_2
rule name policy_nat3
source-zone trust
destination-zone isp2_1
action source-nat address-group pool_isp2_1
rule name policy_nat4
source-zone trust
destination-zone isp2_2
action source-nat address-group pool_isp2_2
#
security-policy
rule name trust_to_isp1
session logging
source-zone trust
destination-zone isp1_1 isp1_2
action permit
profile ips default
rule name trust_to_isp2
session logging
source-zone trust
destination-zone isp2_1 isp2_2
action permit
profile ips default
rule name isp1_to_http
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name isp1_to_ftp
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name isp1_to_dns
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name isp2_to_http
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name isp2_to_ftp
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name isp2_to_dns
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name trust_to_http
source-zone trust
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name trust_to_ftp
source-zone trust
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name trust_to_dns
source-zone trust
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name local_to_logcenter
source-zone local
destination-zone dmz
destination-address 10.0.10.30 24
action permit
rule name local_to_isp
source-zone local
destination-zone isp1_1 isp1_2 isp2_1 isp2_2
service http ftp
action permit
#
policy-based-route
rule name dns_pbr
ingress-interface GigabitEthernet1/0/3
service dns
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk1.1 weight 2
add interface eth-trunk1.2 weight 1
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
rule name p2p_pbr
ingress-interface GigabitEthernet1/0/3
application app BT Thunder eDonkey_eMule
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
rule name isp1_pbr
ingress-interface GigabitEthernet1/0/3
destination-address isp isp1
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk1.1 weight 2
add interface eth-trunk1.2 weight 1
rule name isp2_pbr
ingress-interface GigabitEthernet1/0/3
destination-address isp isp2
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
#
dns-transparent-policy
dns transparent-proxy enable
dns server bind interface eth-trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
dns server bind interface eth-trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
dns server bind interface eth-trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
dns server bind interface eth-trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
#
rule name dns_proxy
source-address 10.3.0.0 24
action tpdns
#
return
FW_B
description To-isp2
undo service-manage enable
#
interface Eth-Trunk 1.1
description To-isp1-1
ip address 1.1.1.3 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.248 standby
healthcheck isp1_health1
gateway 1.1.1.6
vlan-type dot1q 11
bandwidth ingress 800000
bandwidth egress 800000
redirect-reverse next-hop 1.1.1.6
#
interface Eth-Trunk 2.1
description To-isp2-1
ip address 2.2.2.3 255.255.255.248
vrrp vrid 2 virtual-ip 2.2.2.1 255.255.255.248 standby
healthcheck isp2_health1
gateway 2.2.2.6
vlan-type dot1q 21
bandwidth ingress 900000
bandwidth egress 900000
redirect-reverse next-hop 2.2.2.6
#
interface Eth-Trunk 1.2
description To-isp1-2
ip address 1.1.2.3 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.2.1 255.255.255.248 standby
healthcheck isp1_health2
gateway 1.1.2.6
vlan-type dot1q 12
bandwidth ingress 400000
bandwidth egress 400000
redirect-reverse next-hop 1.1.2.6
#
interface Eth-Trunk 2.2
description To-isp2-2
ip address 2.2.3.3 255.255.255.248
vrrp vrid 4 virtual-ip 2.2.3.1 255.255.255.248 standby
healthcheck isp2_health2
gateway 2.2.3.6
vlan-type dot1q 22
bandwidth ingress 600000
bandwidth egress 600000
redirect-reverse next-hop 2.2.3.6
#
interface GigabitEthernet 1/0/1
eth-trunk 1
undo service-manage enable
#
interface GigabitEthernet 1/0/2
eth-trunk 2
undo service-manage enable
#
interface GigabitEthernet 1/0/3
description To-router
ip address 10.0.4.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet 1/0/4
description To-server
ip address 10.0.6.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet 1/0/5
eth-trunk 0
undo service-manage enable
#
interface GigabitEthernet 1/0/6
eth-trunk 1
undo service-manage enable
#
interface GigabitEthernet 1/0/7
eth-trunk 2
undo service-manage enable
#
interface GigabitEthernet 2/0/0
eth-trunk 0
undo service-manage enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet 1/0/3
#
firewall zone dmz
set priority 5
add interface GigabitEthernet 1/0/4
#
firewall zone name hrp id 4
set priority 75
add interface eth-trunk 0
#
firewall zone name isp1_1 id 5
set priority 10
add interface eth-trunk1.1
#
firewall zone name isp1_2 id 6
set priority 15
add interface eth-trunk1.2
#
firewall zone name isp2_1 id 7
set priority 20
add interface eth-trunk2.1
#
firewall zone name isp2_2 id 8
set priority 25
add interface eth-trunk2.2
#
detect ftp
detect sip
detect h323
detect rtsp
detect qq
#
ospf 1
area 0.0.0.0
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
#
ip route-static 1.1.1.15 255.255.255.255 NULL 0
ip route-static 1.1.1.16 255.255.255.255 NULL 0
ip route-static 1.1.1.17 255.255.255.255 NULL 0
ip route-static 2.2.2.15 255.255.255.255 NULL 0
ip route-static 2.2.2.16 255.255.255.255 NULL 0
ip route-static 2.2.2.17 255.255.255.255 NULL 0
ip route-static 1.1.2.15 255.255.255.255 NULL 0
ip route-static 1.1.2.16 255.255.255.255 NULL 0
ip route-static 1.1.2.17 255.255.255.255 NULL 0
ip route-static 2.2.3.15 255.255.255.255 NULL 0
ip route-static 2.2.3.16 255.255.255.255 NULL 0
ip route-static 2.2.3.17 255.255.255.255 NULL 0
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 NMS1 privacy
snmp-agent usm-user v3 admin1 group NMS1
snmp-agent usm-user v3 admin1 authentication-mode md5 cipher %^%#Hkf(QMzGN$biX-NUpE14:e,9Bu,0E"3TL$@gV<.V%^%#
snmp-agent usm-user v3 admin1 privacy-mode aes256 cipher %^%#77$d.slqmEO)"('y<g6/,h5z<:#v~!jab]@M$58J%^%
#
nat server policy_web1 0 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
nat server policy_web2 1 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
nat server policy_web3 2 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
nat server policy_web4 3 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
nat server policy_ftp1 4 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp2 5 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp3 6 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
nat server policy_ftp4 7 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
nat server policy_dns1 8 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
nat server policy_dns2 9 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
nat server policy_dns3 10 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
nat server policy_dns4 11 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
#
dns-smart enable
#
dns-smart group 1 type multi
out-interface eth-trunk1.1 map 1.1.1.15
out-interface eth-trunk2.1 map 2.2.2.15
out-interface eth-trunk1.2 map 1.1.2.15
out-interface eth-trunk2.2 map 2.2.3.15
#
dns-smart group 2 type multi
out-interface eth-trunk1.1 map 1.1.1.16
out-interface eth-trunk2.1 map 2.2.2.16
out-interface eth-trunk1.2 map 1.1.2.16
out-interface eth-trunk2.2 map 2.2.3.16
#
nat address-group pool_isp1_1 1
mode pat
route enable
section 0 1.1.1.10 1.1.1.12
#
nat address-group pool_isp1_2 2
mode pat
route enable
section 0 1.1.2.10 1.1.2.12
#
nat address-group pool_isp2_1 3
mode pat
route enable
section 0 2.2.2.10 2.2.2.12
#
nat address-group pool_isp2_2 4
mode pat
route enable
section 0 2.2.3.10 2.2.3.12
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1_1
action source-nat address-group pool_isp1_1
rule name policy_nat2
source-zone trust
destination-zone isp1_2
action source-nat address-group pool_isp1_2
rule name policy_nat3
source-zone trust
destination-zone isp2_1
action source-nat address-group pool_isp2_1
rule name policy_nat4
source-zone trust
destination-zone isp2_2
action source-nat address-group pool_isp2_2
#
security-policy
rule name trust_to_isp1
session logging
source-zone trust
destination-zone isp1_1 isp1_2
action permit
profile ips default
rule name trust_to_isp2
session logging
source-zone trust
destination-zone isp2_1 isp2_2
action permit
profile ips default
rule name isp1_to_http
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name isp1_to_ftp
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name isp1_to_dns
source-zone isp1_1 isp1_2
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name isp2_to_http
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name isp2_to_ftp
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name isp2_to_dns
source-zone isp2_1 isp2_2
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name trust_to_http
source-zone trust
destination-zone dmz
destination-address 10.0.10.10 24
service http
action permit
profile ips default
rule name trust_to_ftp
source-zone trust
destination-zone dmz
destination-address 10.0.10.11 24
service ftp
action permit
profile ips default
rule name trust_to_dns
source-zone trust
destination-zone dmz
destination-address 10.0.10.20 24
service dns
action permit
profile ips default
rule name local_to_logcenter
source-zone local
destination-zone dmz
destination-address 10.0.10.30 24
action permit
rule name local_to_isp
source-zone local
destination-zone isp1 isp2
service http ftp
action permit
#
policy-based-route
rule name dns_pbr
ingress-interface GigabitEthernet1/0/3
service dns
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk1.1 weight 2
add interface eth-trunk1.2 weight 1
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
rule name p2p_pbr
ingress-interface GigabitEthernet1/0/3
application app BT Thunder eDonkey_eMule
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
rule name isp1_pbr
ingress-interface GigabitEthernet1/0/3
destination-address isp isp1
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk1.1 weight 2
add interface eth-trunk1.2 weight 1
rule name isp2_pbr
ingress-interface GigabitEthernet1/0/3
destination-address isp isp2
action pbr egress-interface multi-interface
mode proportion-of-weight
add interface eth-trunk2.1 weight 3
add interface eth-trunk2.2 weight 2
#
dns-transparent-policy
dns transparent-proxy enable
dns server bind interface eth-trunk1.1 preferred 1.1.1.222 alternate 1.1.1.223
dns server bind interface eth-trunk1.2 preferred 1.1.1.222 alternate 1.1.1.223
dns server bind interface eth-trunk2.1 preferred 2.2.2.222 alternate 2.2.2.223
dns server bind interface eth-trunk2.2 preferred 2.2.2.222 alternate 2.2.2.223
dns transparent-proxy exclude domain www.example.com server preferred 1.1.1.222
#
rule name dns_proxy
source-address 10.3.0.0 24
action tpdns
#
return
For the USG9500, before configuring triplet NAT, you must make sure that the hash board
selection mode is source address-based hash. The configuration command is as follows:
[FW] firewall hash-mode source-only
After the configuration, you need to restart the device to make the configuration take
effect.
3.1 Introduction
This section describes the deployment and planning of firewalls in a financial data
center network. It can also serve as a reference for firewall deployment in the data
centers of other industries.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.
Item: Firewall in the intranet access area
Description: Serves as an SACG to work with the Agile Controller to authenticate users
who access the intranet locally or through private lines.
The following part describes the networking solutions and configuration methods
of the firewalls.
User-defined services
Security policies
default indicates the default security policy. If traffic does not match any configured
security policy, it matches the default security policy (all conditions are any, and the
action is deny). If only the PCs at specified IP addresses are allowed to access servers, keep
the default security policy and configure security policies that allow access only from
those IP addresses.
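To make the first-match and default-deny behaviour concrete, here is an added Python model of the zone-based security policy; it is example code, not Huawei's, and the service-to-port mapping and the flow representation are constructed for it. It is loaded with the rules from Steps 5 and 6 of section 2.5 (trust_to_http, trust_to_ftp, trust_to_dns, local_to_logcenter) plus the implicit default rule, and it also makes visible a detail of those rules worth checking before relying on them: `destination-address 10.0.10.10 24` describes the network 10.0.10.0/24 rather than the single host, so each rule permits its service to every host in that subnet (confirm against `display security-policy rule` output on the device).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed mapping of the predefined service names used in the rules
SERVICE_PORTS = {"http": ("tcp", 80), "ftp": ("tcp", 21), "dns": ("udp", 53)}


@dataclass
class Rule:
    name: str
    source_zone: Set[str]
    destination_zone: Set[str]
    action: str
    destination_address: List[ipaddress.IPv4Network] = field(default_factory=list)
    service: Set[str] = field(default_factory=set)      # empty set = any service
    profile_ips: Optional[str] = None


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


def addr(ip: str, mask_len: int) -> ipaddress.IPv4Network:
    """'destination-address 10.0.10.10 24' -> 10.0.10.0/24 (host bits masked off)."""
    return ipaddress.ip_network(f"{ip}/{mask_len}", strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if flow.src_zone not in rule.source_zone or flow.dst_zone not in rule.destination_zone:
        return False
    if rule.destination_address and not any(
        ipaddress.ip_address(flow.dst_ip) in net for net in rule.destination_address
    ):
        return False
    if rule.service and (flow.proto, flow.dport) not in {SERVICE_PORTS[s] for s in rule.service}:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str, Optional[str]]:
    """First matching rule wins; traffic matching no rule hits the default rule (deny)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name, rule.profile_ips
    return "deny", "default", None


# Rules from Steps 5 and 6 of section 2.5, in configuration order
POLICY = [
    Rule("trust_to_http", {"trust"}, {"dmz"}, "permit", [addr("10.0.10.10", 24)], {"http"}, "default"),
    Rule("trust_to_ftp", {"trust"}, {"dmz"}, "permit", [addr("10.0.10.11", 24)], {"ftp"}, "default"),
    Rule("trust_to_dns", {"trust"}, {"dmz"}, "permit", [addr("10.0.10.20", 24)], {"dns"}, "default"),
    Rule("local_to_logcenter", {"local"}, {"dmz"}, "permit", [addr("10.0.10.30", 24)]),
]

if __name__ == "__main__":
    samples = [
        Flow("trust", "dmz", "10.0.10.10", "tcp", 80),
        Flow("trust", "dmz", "10.0.10.10", "tcp", 22),   # no rule: default deny
        Flow("trust", "dmz", "10.0.10.11", "tcp", 80),   # /24 mask: matches trust_to_http
        Flow("local", "dmz", "10.0.10.30", "udp", 9002),
        Flow("dmz", "trust", "10.0.3.50", "tcp", 445),   # no rule: default deny
    ]
    for sample in samples:
        print(sample, "->", evaluate(POLICY, sample))
```

The third sample is the one to note: HTTP to the FTP server's address is permitted by trust_to_http because the rule's address covers the whole /24; a 32-bit mask would restrict each rule to the intended host.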
Hot standby heartbeat packets are not controlled by security policies. Do not configure
security policies for heartbeat packets.
Of the two methods, prolonging the session aging time of a protocol is easier to configure.
The persistent connection function lets you set specific match conditions so that only the
specified traffic is kept as persistent connections. The prolonged session aging time of a
protocol, by contrast, is a global setting that applies to every session of that protocol. As a
result, sessions that do not need to be persistent cannot be aged out either and continue to
occupy session entries. Once session entries are exhausted, no new sessions can be set up
and services fail.
Therefore, if you are sure that all sessions of a protocol require a long session aging time,
prolong the session aging time of the protocol. Otherwise, use the persistent connection
function.
The persistent connection function is valid only for TCP-based connections.
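The trade-off described here can be seen with a small session-table model. It is an added Python example and not Huawei code; the table capacity, the default aging values and the traffic pattern are constructed. Scenario `global-aging` prolongs the TCP aging time for every session, as the protocol-wide setting does; scenario `persistent-connection` applies the long timeout only to flows matching a condition (here TCP port 1414, the port the partner_to_server2 policy later uses), and, as the document states, only to TCP.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed defaults in seconds; the FW's real per-protocol aging times differ
DEFAULT_AGING = {"tcp": 600, "udp": 120}

FlowKey = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dst_port)


@dataclass
class Session:
    key: FlowKey
    last_seen: int
    timeout: int


class SessionTable:
    def __init__(self, capacity: int,
                 aging: Optional[Dict[str, int]] = None,
                 persistent: Optional[List[Tuple[Callable[[FlowKey], bool], int]]] = None):
        self.capacity = capacity
        self.aging = dict(DEFAULT_AGING, **(aging or {}))   # global per-protocol aging
        self.persistent = persistent or []                   # (condition, timeout) pairs
        self.sessions: Dict[FlowKey, Session] = {}

    def timeout_for(self, key: FlowKey) -> int:
        proto = key[0]
        if proto == "tcp":                  # persistent connection applies to TCP only
            for condition, timeout in self.persistent:
                if condition(key):
                    return timeout
        return self.aging[proto]

    def age_out(self, now: int) -> int:
        """Remove sessions idle for longer than their timeout; return how many."""
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > s.timeout]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def create(self, key: FlowKey, now: int) -> bool:
        """Create or refresh a session; False when the table is full."""
        self.age_out(now)
        if key in self.sessions:
            self.sessions[key].last_seen = now
            return True
        if len(self.sessions) >= self.capacity:
            return False
        self.sessions[key] = Session(key, now, self.timeout_for(key))
        return True


LONG_LIVED = ("tcp", "10.8.1.10", "10.1.1.10", 1414)   # constructed idle application connection
LONG_TIMEOUT = 4 * 3600


def scenario(method: str, capacity: int = 1000) -> Tuple[bool, bool]:
    """After two idle hours, return (long-lived session still alive, new session created)."""
    if method == "global-aging":
        table = SessionTable(capacity, aging={"tcp": LONG_TIMEOUT})
    elif method == "persistent-connection":
        table = SessionTable(capacity, persistent=[(lambda k: k[3] == 1414, LONG_TIMEOUT)])
    else:
        raise ValueError(method)
    table.create(LONG_LIVED, now=0)
    for i in range(capacity - 1):            # short-lived flows that then go idle
        table.create(("tcp", f"10.9.1.{i % 250}", "10.1.1.20", 8000 + i), now=1)
    now = 2 * 3600
    created = table.create(("tcp", "10.9.1.5", "10.1.1.30", 443), now)
    return LONG_LIVED in table.sessions, created


if __name__ == "__main__":
    for method in ("global-aging", "persistent-connection"):
        alive, created = scenario(method)
        print(f"{method:22s} long-lived alive={alive}  new session created={created}")
```

With the global setting every idle short-lived session survives as long as the long-lived one, so the table fills and the new session is refused; with the persistent connection condition only the port 1414 session is kept, the idle ones age out, and the new session is created.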
The IPS may be deployed on the firewalls or as an independent IPS device. To configure
IPS functions, you reference an IPS profile when defining security policies. In the present
case, the IPS profile is referenced in all the security policies planned above (except those
for the local zone), so IPS detection is performed on all traffic that the security policies
permit.
Generally, when the firewalls are first deployed, you can select the predefined IPS profile
default. After the firewalls have been in service for some time, the administrator can
define a profile based on the observed network status. The IPS also provides the predefined
profile ids, which generates alarms when intrusions are detected but does not block them.
If high security is required, you can select the ids profile to reduce the false positives
reported by the IPS.
3.3.3 Precautions
IPS
The IPS signature database must be the latest before the IPS function is
configured.
Attack Defense
The attack defense configuration is the recommended standard configuration.
# On FW-2, configure a static route to the data center service area and set the
next hop to the IP address of the aggregation switch.
[FW-2] ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
[FW-2] ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
# On FW-1, configure static routes to the SSL VPN access terminal, branch, and
partner network and set the next hop to the IP address of the core switch.
[FW-1] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-1] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
# On FW-2, configure static routes to the SSL VPN access terminal, branch, and
partner network and set the next hop to the IP address of the core switch.
[FW-2] ip route-static 172.168.3.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 172.168.4.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
[FW-2] ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
After hot standby is configured, you only need to configure security policies and attack
defense on the active device FW-1. The configuration on FW-1 is automatically backed up
on FW-2.
# Configure the security policy partner_to_server2 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name partner_to_server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-zone untrust
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-1-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-1-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-1-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-1-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-1-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-1-policy-security-rule-partner_to_server2] quit
# Configure the security policy branch1_to_server3 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name branch1_to_server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch1_to_server3] source-address address-set branch1
HRP_M[FW-1-policy-security-rule-branch1_to_server3] destination-address address-set server3
HRP_M[FW-1-policy-security-rule-branch1_to_server3] service tcp_8888_9000
HRP_M[FW-1-policy-security-rule-branch1_to_server3] action permit
HRP_M[FW-1-policy-security-rule-branch1_to_server3] profile ips default
HRP_M[FW-1-policy-security-rule-branch1_to_server3] quit
# Configure the security policy branch2_to_server4 on FW-1 and reference the IPS
profile.
HRP_M[FW-1-policy-security] rule name branch2_to_server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-zone untrust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-1-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-1-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-1-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-1-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-1-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-1-policy-security-rule-branch2_to_server4] quit
HRP_M[FW-1-policy-security] quit
----End
3.3.5 Verification
1. On FW-1 and FW-2, run the display hrp state verbose command to view the
hot standby status.
HRP_M<FW-1> display hrp state verbose
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state =
abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
Eth-Trunk1 vrrp vrid 1: active
Eth-Trunk2 vrrp vrid 2: active
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
HRP_S<FW-2> display hrp state verbose
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:18 HRP core state changed, old_state =
abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
Eth-Trunk1 vrrp vrid 1: standby
Eth-Trunk2 vrrp vrid 2: standby
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +65500
ospfv3-cost: +65500
bgp-cost: +100
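The two outputs above are normally compared by eye. The following added Python helper, which is not part of the Huawei document or product, parses `display hrp state verbose` output from both members and flags the inconsistencies a reviewer looks for: roles that are not one active and one standby, a peer view that disagrees with the peer's own role, a running priority that differs from the peer's, HRP configuration that differs between the members, VRRP groups whose state does not follow the device role, and monitored interfaces that are not up. The sample text is the FW-1 output shown above, with FW-2's output derived from it by substituting the fields in which the page's two outputs differ; the degraded variants in the checks are constructed.

```python
import re
from typing import Dict, List

# display hrp state verbose output of FW-1, as shown above
FW1_OUTPUT = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 3 hours, 8 minutes
Last state change information: 2016-05-14 11:18:13 HRP core state changed, old_state =
abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
Eth-Trunk1 vrrp vrid 1: active
Eth-Trunk2 vrrp vrid 2: active
GigabitEthernet1/0/1: up
GigabitEthernet1/0/2: up
GigabitEthernet1/0/3: up
GigabitEthernet1/0/4: up
ospf-cost: +0
ospfv3-cost: +0
bgp-cost: +0
"""

# FW-2's output differs from FW-1's only in the fields substituted here
FW2_OUTPUT = (FW1_OUTPUT
              .replace("Role: active, peer: standby", "Role: standby, peer: active")
              .replace("11:18:13", "11:18:18").replace("abnormal(active)", "abnormal(standby)")
              .replace("vrid 1: active", "vrid 1: standby").replace("vrid 2: active", "vrid 2: standby")
              .replace("ospf-cost: +0", "ospf-cost: +65500").replace("ospfv3-cost: +0", "ospfv3-cost: +65500")
              .replace("bgp-cost: +0", "bgp-cost: +100"))


def parse_hrp_state(text: str) -> Dict:
    """Extract role, priorities, the Configuration block, VRRP and interface states."""
    info = {"role": None, "peer": None, "priority": None, "peer_priority": None,
            "config": {}, "vrrp": {}, "interfaces": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Role: (\w+), peer: (\w+)", line)
        if m:
            info["role"], info["peer"] = m.groups()
            continue
        m = re.match(r"Running priority: (\d+), peer: (\d+)", line)
        if m:
            info["priority"], info["peer_priority"] = (int(x) for x in m.groups())
            continue
        if line in ("Configuration:", "Detail information:"):
            section = line
            continue
        if section == "Configuration:" and ":" in line:
            key, _, value = line.partition(":")
            info["config"][key.strip()] = value.strip()
        elif section == "Detail information:":
            m = re.match(r"(\S+) vrrp vrid (\d+): (\w+)", line)
            if m:
                info["vrrp"][f"{m[1]} vrid {m[2]}"] = m[3]
            m = re.match(r"(GigabitEthernet\S+): (\w+)", line)
            if m:
                info["interfaces"][m[1]] = m[2]
    return info


def check_hrp_pair(text_a: str, text_b: str) -> List[str]:
    """Return a list of human-readable inconsistencies; empty means the pair looks healthy."""
    a, b = parse_hrp_state(text_a), parse_hrp_state(text_b)
    issues = []
    if {a["role"], b["role"]} != {"active", "standby"}:
        issues.append(f"roles are {a['role']}/{b['role']}, expected one active and one standby")
    if a["peer"] != b["role"] or b["peer"] != a["role"]:
        issues.append("a member's view of its peer disagrees with the peer's own role")
    for name, info in (("A", a), ("B", b)):
        if info["priority"] != info["peer_priority"]:
            issues.append(f"{name}: running priority {info['priority']} != peer {info['peer_priority']}")
        for group, state in info["vrrp"].items():
            if state != info["role"]:
                issues.append(f"{name}: {group} is {state} but device role is {info['role']}")
        for ifname, state in info["interfaces"].items():
            if state != "up":
                issues.append(f"{name}: monitored interface {ifname} is {state}")
    if a["config"] != b["config"]:
        keys = sorted(k for k in a["config"].keys() | b["config"].keys()
                      if a["config"].get(k) != b["config"].get(k))
        issues.append("HRP configuration differs: " + ", ".join(keys))
    return issues
```

`check_hrp_pair(FW1_OUTPUT, FW2_OUTPUT)` returns an empty list for the outputs above; feeding it a copy in which an interface reads `down`, both members claim `active`, or `preempt` differs produces one line per finding, which is the form that is convenient to attach to a change record or a monitoring check.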
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
IP-REPUTATION:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
CNC:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:30
------------------------------------------------------------
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R002C00SPC060
IPS Engine Size(byte) : 3145728
Update Time : 02:30:00 2016/05/08
Issue Time of the Update File : 16:06:30 2016/05/07
Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
4. Verify the access permission of users in each security zone to the data center
network.
If the access control result conforms to the security policy planning in Service
Planning, the configuration is successful.
FW-1
vrrp vrid 1 virtual-ip 10.6.1.1 active
#
interface Eth-Trunk2
ip address 10.7.1.2 255.255.255.248
vrrp vrid 2 virtual-ip 10.7.1.1 active
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2
#
firewall zone untrust
add interface Eth-Trunk1
#
firewall zone dmz
add interface Eth-Trunk0
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone untrust
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone untrust
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch1_to_server3
source-zone untrust
destination-zone trust
source-address address-set branch1
destination-address address-set server3
service tcp_8888_9000
profile ips default
action permit
rule name branch2_to_server4
source-zone untrust
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
FW-2
vrrp vrid 1 virtual-ip 10.6.1.1 standby
#
interface Eth-Trunk2
ip address 10.7.1.3 255.255.255.248
vrrp vrid 2 virtual-ip 10.7.1.1 standby
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2
#
firewall zone untrust
add interface Eth-Trunk1
#
firewall zone dmz
add interface Eth-Trunk0
#
ip route-static 10.1.0.0 255.255.0.0 10.7.1.4
ip route-static 10.2.0.0 255.255.0.0 10.7.1.4
ip route-static 10.3.0.0 255.255.0.0 10.7.1.4
ip route-static 10.8.1.0 255.255.255.0 10.6.1.4
ip route-static 10.9.1.0 255.255.255.0 10.6.1.4
ip route-static 192.168.3.0 255.255.255.0 10.6.1.4
ip route-static 192.168.4.0 255.255.255.0 10.6.1.4
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone untrust
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone untrust
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch1_to_server3
source-zone untrust
destination-zone trust
source-address address-set branch1
destination-address address-set server3
service tcp_8888_9000
profile ips default
action permit
rule name branch2_to_server4
source-zone untrust
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
Isolation domain: Patch server 192.168.2.3; Antivirus server 192.168.2.5. Add the patch server and antivirus server to the isolation domain and apply user accounts in branch 1.
Pre-authentication domain: DNS server 192.168.3.3; Service Controller 1 192.168.1.2; Service Controller 2 192.168.1.3. Add the DNS server and Service Controllers to the pre-authentication domain.
Role ID 6, role name Permit_1: This role is allowed to access the service system.
Role ID 255, role name Last: This role is allowed to access the pre-authentication domain.
3.4.3 Precautions
The firewall stateful inspection function must be disabled.
<sysname> system-view
[sysname] sysname FW-4
[FW-4] interface GigabitEthernet 1/0/1
[FW-4-GigabitEthernet1/0/1] description SACG2_To_Coreswitch2_GE2/1/0/3
[FW-4-GigabitEthernet1/0/1] ip address 10.4.1.3 29
[FW-4-GigabitEthernet1/0/1] quit
[FW-4] interface GigabitEthernet 1/0/2
[FW-4-GigabitEthernet1/0/2] description SACG2_To_Coreswitch2_GE2/1/0/4
[FW-4-GigabitEthernet1/0/2] ip address 10.5.1.3 29
[FW-4-GigabitEthernet1/0/2] quit
[FW-4] interface GigabitEthernet 1/0/3
[FW-4-GigabitEthernet1/0/3] description hrp_interface
[FW-4-GigabitEthernet1/0/3] ip address 10.10.10.2 24
[FW-4-GigabitEthernet1/0/3] quit
# On FW-4, configure a static route to guide traffic back to the core switch.
[FW-4] ip route-static 0.0.0.0 0.0.0.0 10.4.1.4
# Designate GE1/0/3 as the heartbeat interface of FW-3, and enable hot standby.
[FW-3] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.2
[FW-3] hrp enable
# Designate GE1/0/3 as the heartbeat interface of FW-4, and enable hot standby.
[FW-4] hrp interface GigabitEthernet 1/0/3 remote 10.10.10.1
[FW-4] hrp enable
After hot standby is configured, you only need to configure security policies and SACG on
the active device FW-3. The configuration on FW-3 is automatically backed up on FW-4.
# Configure the policy for the Local-Untrust interzone. In this way, the FW can
push the web-based authentication page to the user.
HRP_M[FW-3-security-policy] rule name sacg_to_client
HRP_M[FW-3-security-policy-sacg_to_client] source-zone local
HRP_M[FW-3-security-policy-sacg_to_client] destination-zone untrust
HRP_M[FW-3-security-policy-sacg_to_client] action permit
HRP_M[FW-3-security-policy-sacg_to_client] quit
HRP_M[FW-3-security-policy] quit
# Enter the view of configuring the FW to interwork with the Agile Controller, and
specify the number of the default ACL rule group.
If ACLs 3099 to 3999 are in use, delete them before configuring the interworking with the
Agile Controller. Otherwise, conflicts occur when the FW generates ACL rules.
HRP_M[FW-3] right-manager server-group
HRP_M[FW-3-rightm] default acl 3099
# Add the Service Controller to the FW. Then the FW can interwork with the
Service Controller. Because two Service Controllers are deployed, you must run the
server ip command twice to add the two Service Controllers.
The port and shared key in the server ip command must be the same as those on the
Service Controller. Otherwise, the FW cannot interwork with the Service Controller, and the
SACG interworking function is unavailable.
HRP_M[FW-3-rightm] server ip 192.168.1.2 port 3288 shared-key TSM_Security
HRP_M[FW-3-rightm] server ip 192.168.1.3 port 3288 shared-key TSM_Security
# Configure the local IP address used by the FW for communicating with the
Service Controller.
The configuration cannot be backed up. You must configure it on both FWs. Set the IP
address of the standby FW to 10.4.1.3.
HRP_M[FW-3-rightm] local ip 10.4.1.2
# Enable the server group so that the FW connects to the Service Controller
immediately and sends the interworking request. After the connection succeeds,
the FW can receive the roles and rules delivered by the Agile Controller.
HRP_M[FW-3-rightm] right-manager server-group enable
Step 8 Configure the core switches. This part uses the CE12800 as an example to describe
the configuration for interworking between the switch and FW.
# Configure the interfaces and VLANs of core switches.
[~CSS] vlan batch 101 to 102
[*CSS] interface gigabitethernet 1/1/0/3
[*CSS-GigabitEthernet1/1/0/3] description To_SACG1_GE1/0/1
[*CSS-GigabitEthernet1/1/0/3] port link-type access
[*CSS-GigabitEthernet1/1/0/3] port default vlan 101
[*CSS-GigabitEthernet1/1/0/3] quit
[*CSS] interface gigabitethernet 1/1/0/4
[*CSS-GigabitEthernet1/1/0/4] description To_SACG1_GE1/0/2
[*CSS-GigabitEthernet1/1/0/4] port link-type access
[*CSS-GigabitEthernet1/1/0/4] port default vlan 102
[*CSS-GigabitEthernet1/1/0/4] quit
[*CSS] interface gigabitethernet 2/1/0/3
[*CSS-GigabitEthernet2/1/0/3] description To_SACG2_GE1/0/1
[*CSS-GigabitEthernet2/1/0/3] port link-type access
[*CSS-GigabitEthernet2/1/0/3] port default vlan 101
[*CSS-GigabitEthernet2/1/0/3] quit
[*CSS] interface gigabitethernet 2/1/0/4
[*CSS-GigabitEthernet2/1/0/4] description To_SACG2_GE1/0/2
[*CSS-GigabitEthernet2/1/0/4] port link-type access
[*CSS-GigabitEthernet2/1/0/4] port default vlan 102
[*CSS-GigabitEthernet2/1/0/4] quit
[*CSS] interface vlanif 101
[*CSS-Vlanif101] ip address 10.4.1.4 29
[*CSS-Vlanif101] quit
[*CSS] interface vlanif 102
[*CSS-Vlanif102] ip address 10.5.1.4 29
[*CSS-Vlanif102] quit
[*CSS] commit
# Configure PBR.
[~CSS] acl 3001
[*CSS-acl4-advance-3001] rule 5 permit ip source 10.8.1.0 24
[*CSS-acl4-advance-3001] quit
[~CSS] traffic classifier c1
[*CSS-classifier-c1] if-match acl 3001
[*CSS-classifier-c1] quit
[~CSS] traffic behavior b1
[*CSS-behavior-b1] redirect nexthop 10.5.1.1
[*CSS-behavior-b1] quit
[~CSS] traffic policy p1
[*CSS-trafficpolicy-p1] classifier c1 behavior b1 precedence 5
[*CSS-trafficpolicy-p1] quit
[~CSS] interface eth-trunk 2 //Eth-Trunk 2 connects the core switch to branch 1.
[*CSS-Eth-Trunk2] traffic-policy p1 inbound
[*CSS-Eth-Trunk2] quit
[*CSS] commit
If NAT is configured to translate addresses between end users and the SC, set the IP
address range (Start IP Address and End IP Address) to the translated IP addresses of
the end users, not the real IP addresses of the terminals. Otherwise, end users cannot
go online on the SACG.
2. Configure the pre-authentication domain, isolation domain, and post-
authentication domain.
a. Click Add on the Pre-Authentication Domain tab.
c. Click Add on the Isolation Domain tab to set the resource that end users
can access.
Add the resource that end users cannot access in non-working hours to
the post-authentication domain according to the preceding steps.
c. Click OK.
d. Configure an SACG policy group.
i. Choose Policy > Permission Control > Hardware SACG > Hardware
SACG Policy Group.
e. Click Add.
f. Click OK.
g. Apply the SACG policy group to an account/user group or IP address
segment. In this example, the SACG policy group is applied to a user
group.
The SACG policy group is applied to an account, user group, and IP address segment in
descending order of matched priorities.
Click next to SACG policy to apply the SACG policy to the specified user group.
----End
3.4.5 Verification
1. If a user successfully passes authentication and terminal security check, the
user can access the service system in working hours but not in non-working
hours.
2. If a severe violation occurs, the terminal host cannot access the network and a
message is displayed indicating that repair is required. The terminal host can
access the network again after the repair.
3. View the state of the Agile Controller.
# View the state of the Agile Controller on the active FW.
HRP_M<FW-3> display right-manager server-group
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N
active indicates that the status of the connection between the Agile
Controller and FW is normal.
# View the state of the Agile Controller on the standby FW.
HRP_S<FW-4> display right-manager server-group
Server group state : Enable
Server number : 2
Server ip address Port State Master
192.168.1.2 3288 active Y
192.168.1.3 3288 active N
4. After the branch user logs in, you can view the user login information on both
FWs. The following part shows the display right-manager online-users
command output on the active FW.
HRP_M<FW-3> display right-manager online-users
User name : lee
Ip address : 10.8.1.3
ServerIp : 192.168.1.2
Login time : 10:14:11 2016/05/06 ( Hour:Minute:Second Year/Month/Day)
-----------------------------------------
Role id Rolename
1 DefaultDeny
6 Permit_1
255 Last
-----------------------------------------
Run the display acl acl-number command to view ACLs 3100, 3105, and
3354.
HRP_M<FW-3> display acl 3100
Advanced ACL 3100, 1 rule //Default deny rule, used when Control mode in the isolation and post-authentication domains is selected as Permits access to only controlled domain resources in the list.
Acl's step is 1
rule 1 deny ip (0 times matched)
HRP_M<FW-3> display acl 3105
Advanced ACL 3105, 1 rule //Permit the access to the post-authentication domain.
Acl's step is 1
rule 1 permit ip destination 10.1.1.4 0 (0 times matched)
rule 2 permit ip destination 10.1.1.5 0 (0 times matched)
HRP_M<FW-3> display acl 3354
Advanced ACL 3354, 3 rules //Permit the access to the pre-authentication domain.
Acl's step is 1
rule 1 permit ip destination 192.168.1.2 0 (0 times matched)
rule 2 permit ip destination 192.168.1.3 0 (0 times matched)
rule 3 permit ip destination 192.168.3.3 0 (0 times matched)
From the previous information, account lee corresponds to roles 1, 6, and 255,
and the matching sequence is from top to bottom. The role-ACL relationship
indicates the ACL rules for the three roles.
FW-3
destination-zone untrust
action permit
FW-4
destination-zone untrust
action permit
User-defined services
Security policies
default indicates the default security policy. If the traffic does not match the security policy,
the traffic will match the default security policy (all conditions are any, and all actions are
deny). If only the PCs at specified IP addresses are allowed to access servers, keep the
default security policy and configure security policies to allow the access of such IP
addresses.
Hot standby heartbeat packets are not controlled by security policies. Do not configure
security policies for heartbeat packets.
Of the two methods, prolonging the session aging time of a protocol is easier to configure.
You can set specific conditions for the persistent connection function to keep persistent
connections for specified traffic. The prolonged session aging time of a protocol is a global
configuration and takes effect on all sessions of the protocol. As a result, sessions that do
not need persistent connections cannot be aged, occupying session entry resources. Once
session entry resources are exhausted, no services can be created.
Therefore, if you confirm that all sessions of a protocol require a long session aging time,
you can prolong the session aging time of the protocol for persistent connections.
Otherwise, use the persistent connection function.
The persistent connection function is valid only for TCP-based connections.
The IPS may be deployed on the firewalls or deployed as an independent IPS device.
To configure the IPS functions, you reference an IPS profile when defining security
policies. In the present case, the IPS profile is referenced in all the above planned
security policies (except those for the local zone). This means that IPS detection is
carried out for all traffic permitted by the security policies.
Generally, when the firewalls are initially deployed, you can select the default IPS
profile default. After the firewalls are active for some time, the administrator can
define a profile based on the network status. The IPS also supports the default
profile ids, which means alarms are generated upon the detection of intrusions
but the intrusions are not blocked. If high security is required, to reduce false
positives reported by the IPS, you can select the ids profile.
3.5.3 Precautions
IPS
The IPS signature database must be the latest before the IPS function is
configured.
Attack Defense
The attack defense configuration is the recommended standard configuration.
Procedure
Step 1 Configure IP addresses for the interfaces of FW-5.
<sysname> system-view
[sysname] sysname FW-5
[FW-5] interface Eth-trunk 1
[FW-5-Eth-Trunk1] description Link_To_SW5
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/1
[FW-5-Eth-Trunk1] trunkport GigabitEthernet 1/0/2
[FW-5-Eth-Trunk1] quit
[FW-5] interface Eth-trunk 1.1
[FW-5-Eth-Trunk1.1] vlan-type dot1q 10
[FW-5-Eth-Trunk1.1] ip address 172.6.1.2 29
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-trunk 1.2
[FW-5-Eth-Trunk1.2] vlan-type dot1q 20
[FW-5-Eth-Trunk1.2] ip address 172.6.2.2 29
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-trunk 1.3
[FW-5-Eth-Trunk1.3] vlan-type dot1q 30
[FW-5-Eth-Trunk1.3] ip address 172.6.3.2 29
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-trunk 1.4
[FW-5-Eth-Trunk1.4] vlan-type dot1q 40
[FW-5-Eth-Trunk1.4] ip address 172.6.4.2 29
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-trunk 2
# On FW-5, configure static routes to the SSL VPN access terminal, branch,
partner network, and Internet and set the next hop to the IP address of the ISP
router.
[FW-5] ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
[FW-5] ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
[FW-5] ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
[FW-5] ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
Step 4 Configure the IP addresses, security zones, and routes of FW-6 interfaces
according to the above procedure. The difference lies in the IP addresses of the
interfaces.
----End
Procedure
Step 1 Configure VRRP groups on the interfaces of FW-5 and set their state to active.
<FW-5> system-view
[FW-5] interface Eth-Trunk1.1
[FW-5-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 active
[FW-5-Eth-Trunk1.1] quit
[FW-5] interface Eth-Trunk1.2
[FW-5-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 active
[FW-5-Eth-Trunk1.2] quit
[FW-5] interface Eth-Trunk1.3
[FW-5-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 active
[FW-5-Eth-Trunk1.3] quit
[FW-5] interface Eth-Trunk1.4
[FW-5-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 active
[FW-5-Eth-Trunk1.4] quit
[FW-5] interface Eth-Trunk2.1
[FW-5-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 active
[FW-5-Eth-Trunk2.1] quit
[FW-5] interface Eth-Trunk2.2
[FW-5-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 active
[FW-5-Eth-Trunk2.2] quit
Step 2 Designate Eth-Trunk 0 as the heartbeat interface of FW-5, and enable hot standby.
[FW-5] hrp interface Eth-Trunk0 remote 12.12.12.2
[FW-5] hrp enable
Step 3 Configure VRRP groups on the interfaces of FW-6 and set their state to standby.
<FW-6> system-view
[FW-6] interface Eth-Trunk1.1
[FW-6-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 1.1.1.1 29 standby
[FW-6-Eth-Trunk1.1] quit
[FW-6] interface Eth-Trunk1.2
[FW-6-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 1.1.2.1 29 standby
[FW-6-Eth-Trunk1.2] quit
[FW-6] interface Eth-Trunk1.3
[FW-6-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 1.1.3.1 29 standby
[FW-6-Eth-Trunk1.3] quit
[FW-6] interface Eth-Trunk1.4
[FW-6-Eth-Trunk1.4] vrrp vrid 4 virtual-ip 1.1.4.1 29 standby
[FW-6-Eth-Trunk1.4] quit
[FW-6] interface Eth-Trunk2.1
[FW-6-Eth-Trunk2.1] vrrp vrid 5 virtual-ip 172.7.1.1 29 standby
[FW-6-Eth-Trunk2.1] quit
[FW-6] interface Eth-Trunk2.2
[FW-6-Eth-Trunk2.2] vrrp vrid 6 virtual-ip 172.7.2.1 29 standby
[FW-6-Eth-Trunk2.2] quit
Step 4 Designate Eth-Trunk 0 as the heartbeat interface of FW-6, and enable hot standby.
[FW-6] hrp interface Eth-Trunk0 remote 12.12.12.1
[FW-6] hrp enable
----End
Result
A hot-standby relationship has been established to back up most subsequent
configurations. Therefore, in the subsequent steps, you only need to make
configurations on the active FW-5 (unless otherwise stated).
Procedure
Step 1 Configure NAT Server to map the pre-service servers' private IP addresses to public
IP addresses.
HRP_M[FW-5] nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
HRP_M[FW-5] nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
HRP_M[FW-5] nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
HRP_M[FW-5] nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
Step 2 Configure a black-hole route to the public address of the NAT server to prevent
routing loops between the firewall and ISP routers.
Route configuration does not support backup. Therefore, you need to configure
black-hole routes on both FW-5 and FW-6.
HRP_M[FW-5] ip route-static 1.1.3.2 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.3 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.4 32 NULL 0
HRP_M[FW-5] ip route-static 1.1.3.5 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.2 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.3 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.4 32 NULL 0
HRP_S[FW-6] ip route-static 1.1.3.5 32 NULL 0
----End
Procedure
Step 1 Configure security policies and IPS functions.
# Configure an address group on FW-5.
HRP_M[FW-5] ip address-set remote_users type object
HRP_M[FW-5-object-address-set-remote_users] address 0 172.168.3.0 mask 24
HRP_M[FW-5-object-address-set-remote_users] description "for remote users"
HRP_M[FW-5-object-address-set-remote_users] quit
HRP_M[FW-5] ip address-set partner type object
HRP_M[FW-5-object-address-set-partner] address 0 172.168.4.0 mask 24
HRP_M[FW-5-object-address-set-partner] description "for partner"
HRP_M[FW-5-object-address-set-partner] quit
HRP_M[FW-5] ip address-set branch2 type object
HRP_M[FW-5-object-address-set-branch2] address 0 10.9.1.0 mask 24
HRP_M[FW-5-object-address-set-branch2] description "for branch2"
HRP_M[FW-5-object-address-set-branch2] quit
HRP_M[FW-5] ip address-set server1 type object
HRP_M[FW-5-object-address-set-server1] address 0 10.1.1.10 mask 32
HRP_M[FW-5-object-address-set-server1] address 1 10.1.1.11 mask 32
HRP_M[FW-5-object-address-set-server1] description "for server1"
HRP_M[FW-5-object-address-set-server1] quit
HRP_M[FW-5] ip address-set server2 type object
HRP_M[FW-5-object-address-set-server2] address 0 10.2.1.4 mask 32
HRP_M[FW-5-object-address-set-server2] address 1 10.2.1.5 mask 32
# Configure the security policy partner_to_server2 on FW-5 and reference the IPS
profile.
HRP_M[FW-5-policy-security] rule name partner_to_server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-zone zone4
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-zone trust
HRP_M[FW-5-policy-security-rule-partner_to_server2] source-address address-set partner
HRP_M[FW-5-policy-security-rule-partner_to_server2] destination-address address-set server2
HRP_M[FW-5-policy-security-rule-partner_to_server2] service tcp_1414
HRP_M[FW-5-policy-security-rule-partner_to_server2] action permit
HRP_M[FW-5-policy-security-rule-partner_to_server2] profile ips default
HRP_M[FW-5-policy-security-rule-partner_to_server2] quit
# Configure the security policy branch2_to_server4 on FW-5 and reference the IPS
profile.
HRP_M[FW-5-policy-security] rule name branch2_to_server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-zone zone2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-zone trust
HRP_M[FW-5-policy-security-rule-branch2_to_server4] source-address address-set branch2
HRP_M[FW-5-policy-security-rule-branch2_to_server4] destination-address address-set server4
HRP_M[FW-5-policy-security-rule-branch2_to_server4] service ftp
HRP_M[FW-5-policy-security-rule-branch2_to_server4] action permit
HRP_M[FW-5-policy-security-rule-branch2_to_server4] profile ips default
HRP_M[FW-5-policy-security-rule-branch2_to_server4] quit
# Configure the security policy internet_to_server5 on FW-5 and reference the IPS
profile.
----End
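Two points made in this section can be checked mechanically: black-hole routes for the NAT server addresses must exist on each unit separately, because route configuration is not backed up by hot standby, and every planned permit rule except those for the local zone is meant to reference an IPS profile. The following added audit script (not Huawei's code) checks saved configurations of the pair for both; the configuration text is a constructed sample built from the addresses and rule names used in this section.

```python
import re

# Constructed sample in the style of the FW-5 configuration shown in this
# section (NAT server mappings, black-hole routes, security-policy rules). The
# IPS profile on branch2_to_server4 is deliberately left out to trigger a finding.
FW5_CONFIG = """\
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
security-policy
 rule name partner_to_server2
  source-zone zone4
  destination-zone trust
  service tcp_1414
  action permit
  profile ips default
 rule name branch2_to_server4
  source-zone zone2
  destination-zone trust
  service ftp
  action permit
 rule name local_to_untrust
  source-zone local
  destination-zone untrust
  action permit
"""
# FW-6 receives NAT server and policy settings through HRP, but routes are not
# backed up; here one black-hole route is missing (constructed omission).
FW6_CONFIG = FW5_CONFIG.replace("ip route-static 1.1.3.5 32 NULL 0\n", "")

NAT_SERVER = re.compile(r"^nat server \S+ protocol \S+ global (\S+)")
BLACK_HOLE = re.compile(r"^ip route-static (\S+) 32 NULL ?0$")


def addresses(pattern, config):
    """Group 1 of every configuration line that matches `pattern`."""
    hits = (pattern.match(line.strip()) for line in config.splitlines())
    return {m.group(1) for m in hits if m}


def security_rules(config):
    """Rule blocks under `security-policy` as dicts of name, zones, action, ips."""
    rules, current, inside = [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "security-policy":
            inside = True
            continue
        if not inside or not line:
            continue
        if raw == line:                      # unindented line: the view has ended
            inside = False
            continue
        words = line.split()
        if words[:2] == ["rule", "name"]:
            current = {"name": words[2], "zones": set(), "action": None, "ips": None}
            rules.append(current)
        elif current is not None:
            if words[0] in ("source-zone", "destination-zone"):
                current["zones"].add(words[1])
            elif words[0] == "action":
                current["action"] = words[1]
            elif words[:2] == ["profile", "ips"]:
                current["ips"] = words[2]
    return rules


def audit(configs):
    """configs: {device: config_text}. Returns a sorted list of findings."""
    findings = []
    published = set().union(*(addresses(NAT_SERVER, c) for c in configs.values()))
    for device, cfg in configs.items():
        # 1. Routes are not synchronised by hot standby, so each unit needs its own
        #    black-hole route for every address the pair publishes with nat server.
        for addr in sorted(published - addresses(BLACK_HOLE, cfg)):
            findings.append(f"{device}: no black-hole route for NAT server address {addr}")
        # 2. Permitted traffic is to be inspected; only rules touching the local zone are exempt.
        for rule in security_rules(cfg):
            if rule["action"] == "permit" and "local" not in rule["zones"] and not rule["ips"]:
                findings.append(f"{device}: permit rule '{rule['name']}' has no IPS profile")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit({"FW-5": FW5_CONFIG, "FW-6": FW6_CONFIG}):
        print(finding)
```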
Procedure
Step 1 Configure an IPSec policy on FW-5 and apply the policy to the corresponding
interface.
1. Define data flows to be protected. Configure advanced ACL 3000 to permit
the users on network segment 10.1.1.0/24 to access network segment
10.9.1.0/24.
HRP_M<FW-5> system-view
HRP_M[FW-5] acl 3000
HRP_M[FW-5-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0
0.0.0.255
HRP_M[FW-5-acl-adv-3000] quit
2. Configure an IPSec proposal using the default parameters. You do not need to
set default parameters.
HRP_M[FW-5] ipsec proposal tran1
HRP_M[FW-5-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
HRP_M[FW-5-ipsec-proposal-tran1] esp encryption-algorithm aes-256
HRP_M[FW-5-ipsec-proposal-tran1] quit
3. Configure an IKE proposal using the default parameters. You do not need to
set default parameters.
HRP_M[FW-5] ike proposal 10
HRP_M[FW-5-ike-proposal-10] authentication-method pre-share
HRP_M[FW-5-ike-proposal-10] prf hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] encryption-algorithm aes-256
HRP_M[FW-5-ike-proposal-10] dh group2
HRP_M[FW-5-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW-5-ike-proposal-10] quit
4. Configure an IKE peer.
HRP_M[FW-5] ike peer b
HRP_M[FW-5-ike-peer-b] ike-proposal 10
HRP_M[FW-5-ike-peer-b] pre-shared-key Test!1234
HRP_M[FW-5-ike-peer-b] quit
5. Configure an IPSec policy.
HRP_M[FW-5] ipsec policy-template policy1 1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] security acl 3000
HRP_M[FW-5-ipsec-policy-templet-policy1-1] proposal tran1
HRP_M[FW-5-ipsec-policy-templet-policy1-1] ike-peer b
HRP_M[FW-5-ipsec-policy-templet-policy1-1] quit
HRP_M[FW-5] ipsec policy map1 10 isakmp template policy1
6. Apply IPSec policy map1 to Eth-Trunk1.2.
HRP_M[FW-5] interface Eth-Trunk1.2
HRP_M[FW-5-Eth-Trunk1.2] ipsec policy map1
HRP_M[FW-5-Eth-Trunk1.2] quit
Step 2 Configure an IPSec policy on the FW of branch and apply the policy to the
corresponding interface.
1. Configure advanced ACL 3000 to permit the users on network segment
10.9.1.0/24 to access network segment 10.1.1.0/24.
<FW-branch> system-view
[FW-branch] acl 3000
[FW-branch-acl-adv-3000] rule 5 permit ip source 10.9.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW-branch-acl-adv-3000] quit
6. Apply IPSec policy group map1 to the interface. In this example, the WAN
interface is GE1/0/1 for the branch.
[FW-branch] interface GigabitEthernet 1/0/1
[FW-branch-GigabitEthernet1/0/1] ipsec policy map1
[FW-branch-GigabitEthernet1/0/1] quit
----End
Procedure
Step 1 Set parameters for interconnection between the FW and AD server.
The parameter settings on the FW must be consistent with those on the AD server.
HRP_M[FW-5] ad-server template ad_server
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.4 88
HRP_M[FW-5-ad-ad_server] ad-server authentication 192.168.5.5 88 secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW-5-ad-ad_server] ad-server authentication manager cn=administrator,cn=users Admin@123
Admin@123
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server.cce.com
HRP_M[FW-5-ad-ad_server] ad-server authentication host-name info-server2.cce.com secondary
HRP_M[FW-5-ad-ad_server] ad-server authentication ldap-port 389
HRP_M[FW-5-ad-ad_server] ad-server user-filter sAMAccountName
HRP_M[FW-5-ad-ad_server] ad-server group-filter ou
If you are unfamiliar with the AD server and cannot provide the server name, Base
DN, or filter field values, you can use the AD Explorer or LDAP Browser software
to connect to the AD server to query the attribute values. The AD Explorer is used
as an example. The AD server attributes and mappings between the server
attributes and parameters on the FW are as follows.
The user name and password used for the test must be the same as those on the AD server.
When the FW uses AD or LDAP authentication, the authentication domain name configured
on the FW must be the same as that configured on the authentication server. In this
example, the domain name on the AD server is cce.com. Therefore, the authentication
domain name must be set to cce.com on the FW.
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] authentication-scheme ad
HRP_M[FW-5-aaa-authen-ad] authentication-mode ad
HRP_M[FW-5-aaa-authen-ad] quit
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] service-type ssl-vpn
HRP_M[FW-5-aaa-domain-cce.com] authentication-scheme ad
HRP_M[FW-5-aaa-domain-cce.com] ad-server ad_server
HRP_M[FW-5-aaa-domain-cce.com] reference user current-domain
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit
Step 3 Configure a policy to import user information from the AD server to the FW.
HRP_M[FW-5] user-manage import-policy ad_server from ad
HRP_M[FW-5-import-ad_server] server template ad_server
HRP_M[FW-5-import-ad_server] server basedn dc=cce,dc=com
HRP_M[FW-5-import-ad_server] server searchdn ou=remoteusers,dc=cce,dc=com
HRP_M[FW-5-import-ad_server] destination-group /cce.com
HRP_M[FW-5-import-ad_server] user-attribute sAMAccountName
● If you need to import user groups only, set import-type to group and set the new user
option in Step 5 to new-user add-temporary group /cce.com auto-import ad_server.
Authenticated users use the permissions of their owning groups.
● The user and user group filtering conditions in this example use the default values (&(|
(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!
(objectclass=computer))) and (|(objectclass=organizationalUnit)(ou=*)). To change
them, run the user-filter and group-filter commands.
After the import succeeds, you can run the display user-manage user verbose
command to view information about the imported users.
Step 5 Set the new user option for the authentication domain on the FW.
HRP_M[FW-5] aaa
HRP_M[FW-5-aaa] domain cce.com
HRP_M[FW-5-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import ad_server
HRP_M[FW-5-aaa-domain-cce.com] quit
HRP_M[FW-5-aaa] quit
If the virtual gateway is bound to an authentication domain, the user name entered for a
login should not carry the authentication domain information. If the user name carries an
authentication domain name, the gateway considers the string following the at sign (@) as
a part of the user name, not an authentication domain name. For example, if the virtual
gateway has been bound to the authentication domain cce.com, you should enter
user_0001, not [email protected], as the user name.
# Configure functions for the roles. Enable web proxy and network extension for
role remoteusers.
HRP_M[FW-5-example-role] role remoteusers web-proxy network-extension enable
----End
3.5.5 Verification
● Employees on the move and partners can establish SSL VPN tunnels with the
firewalls at the Internet egress and can access resource servers in the data
center.
● The firewalls at branch egresses and the firewalls at the Internet egress can
establish IPSec VPN tunnels. The branches can access resource servers in the
data center.
● Internet users can access the pre-service servers in the DMZ.
● Run the shutdown command on a service interface of the active firewall to
simulate a link fault. The active/standby switchover is performed without
interrupting services.
FW-5
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.2
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
ip address 12.12.12.1 255.255.255.0
#
interface Eth-Trunk1
description Link_To_SW5
#
interface Eth-trunk 2
description Link_To_SW1
#
interface Eth-Trunk1.1
vlan-type dot1q 10
ip address 172.6.1.2 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 active
#
interface Eth-Trunk1.2
vlan-type dot1q 20
ip address 172.6.2.2 255.255.255.248
vrrp vrid 2 virtual-ip 1.1.2.1 active
#
interface Eth-Trunk1.3
vlan-type dot1q 30
ip address 172.6.3.2 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.3.1 active
#
interface Eth-Trunk1.4
vlan-type dot1q 40
ip address 172.6.4.2 255.255.255.248
vrrp vrid 4 virtual-ip 1.1.4.1 active
#
interface Eth-Trunk2.1
vlan-type dot1q 103
ip address 172.7.1.2 255.255.255.248
vrrp vrid 5 virtual-ip 172.7.1.1 active
#
interface Eth-Trunk2.2
vlan-type dot1q 104
ip address 172.7.2.2 255.255.255.248
vrrp vrid 6 virtual-ip 172.7.2.1 active
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2.1
#
firewall zone dmz
add interface Eth-Trunk2.2
#
firewall zone hrp
set priority 85
add interface Eth-Trunk0
#
firewall zone name zone1
set priority 45
add interface Eth-Trunk1.1
#
firewall zone name zone2
set priority 40
add interface Eth-Trunk1.2
#
firewall zone name zone3
set priority 10
add interface Eth-Trunk1.3
#
firewall zone name zone4
set priority 30
add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
description "for remote users"
address 0 172.168.3.0 mask 24
#
ip address-set partner type object
description "for partner"
address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
description "for branch2"
address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
description "for server1"
address 0 10.1.1.10 mask 32
address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
description "for server2"
address 0 10.2.1.4 mask 32
address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
description "for server4"
address 0 10.1.1.4 mask 32
address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
description "for server5"
address 0 192.168.4.2 mask 32
address 1 192.168.4.3 mask 32
address 2 192.168.4.4 mask 32
address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
description "for ad_server"
address 0 192.168.5.4 mask 32
address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone zone1
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone zone4
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch2_to_server4
source-zone zone2
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
rule name internet_to_server5
source-zone zone3
destination-zone dmz
destination-address address-set server5
service http
service https
profile ips default
action permit
rule name ipsec
source-zone zone2
source-zone local
destination-zone zone2
destination-zone local
source-address 1.1.2.1 32
source-address 2.2.2.2 32
destination-address 1.1.2.1 32
destination-address 2.2.2.2 32
action permit
rule name ssl_vpn
source-zone zone1
source-zone zone4
destination-zone local
destination-address 1.1.1.1 32
destination-address 1.1.4.1 32
action permit
rule name to_ad_server
source-zone local
destination-zone dmz
destination-address address-set ad_server
action permit
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer b
pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
ike-proposal 10
remote-address 1.1.5.1
#
ipsec policy-template policy1 1
security acl 3000
ike-peer b
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
ip address 1.1.3.1 255.255.255.0
ipsec policy map1
#
ad-server template ad_server
ad-server authentication 192.168.5.4 88
ad-server authentication 192.168.5.5 88 secondary
ad-server authentication base-dn dc=cce,dc=com
ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
ad-server authentication host-name info-server2.cce.com secondary
ad-server authentication host-name info-server.cce.com
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou
#
user-manage import-policy ad_server from ad
server template ad_server
server basedn dc=cce,dc=com
server searchdn ou=remoteusers,dc=cce,dc=com
destination-group /cce.com
user-attribute sAMAccountName
user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
group-filter (|(objectclass=organizationalUnit)(ou=*))
import-type all
import-override enable
sync-mode incremental schedule interval 120
sync-mode full schedule daily 01:00
#
aaa
authentication-scheme ad
authentication-mode ad
#
domain cce.com
authentication-scheme ad
ad-server ad_server
service-type ssl-vpn
reference user current-domain
new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
service
web-proxy enable
web-proxy web-link enable
web-proxy proxy-resource resource1 http://10.1.1.10 show-link
web-proxy proxy-resource resource2 http://10.1.1.11 show-link
network-extension enable
network-extension keep-alive enable
network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
network-extension mode manual
network-extension manual-route 10.1.1.0 255.255.255.0
role
role remoteusers condition all
role remoteusers network-extension enable
role remoteusers web-proxy enable
role remoteusers web-proxy resource resource1
role remoteusers web-proxy resource resource2

FW-6
#
hrp enable
hrp interface Eth-Trunk0 remote 12.12.12.1
#
nat server https_server1 protocol tcp global 1.1.3.2 4433 inside 192.168.4.2 443
nat server https_server2 protocol tcp global 1.1.3.3 4433 inside 192.168.4.3 443
nat server http_server1 protocol tcp global 1.1.3.4 8000 inside 192.168.4.4 80
nat server http_server2 protocol tcp global 1.1.3.5 8000 inside 192.168.4.5 80
#
interface Eth-Trunk0
ip address 12.12.12.2 255.255.255.0
#
interface Eth-Trunk1
description Link_To_SW6
#
interface Eth-trunk 2
description Link_To_SW2
#
interface Eth-Trunk1.1
vlan-type dot1q 10
ip address 172.6.1.3 255.255.255.248
vrrp vrid 1 virtual-ip 1.1.1.1 standby
#
interface Eth-Trunk1.2
vlan-type dot1q 20
ip address 172.6.2.3 255.255.255.248
vrrp vrid 2 virtual-ip 1.1.2.1 standby
#
interface Eth-Trunk1.3
vlan-type dot1q 30
ip address 172.6.3.3 255.255.255.248
vrrp vrid 3 virtual-ip 1.1.3.1 standby
#
interface Eth-Trunk1.4
vlan-type dot1q 40
ip address 172.6.4.3 255.255.255.248
vrrp vrid 4 virtual-ip 1.1.4.1 standby
#
interface Eth-Trunk2.1
vlan-type dot1q 103
ip address 172.7.1.3 255.255.255.248
vrrp vrid 5 virtual-ip 172.7.1.1 standby
#
interface Eth-Trunk2.2
vlan-type dot1q 104
ip address 172.7.2.3 255.255.255.248
vrrp vrid 6 virtual-ip 172.7.2.1 standby
#
interface GigabitEthernet 1/0/1
eth-trunk 1
#
interface GigabitEthernet 1/0/2
eth-trunk 1
#
interface GigabitEthernet 1/0/3
eth-trunk 2
#
interface GigabitEthernet 1/0/4
eth-trunk 2
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
interface GigabitEthernet 1/0/5
eth-trunk 0
#
firewall zone trust
add interface Eth-Trunk2.1
#
firewall zone dmz
add interface Eth-Trunk2.2
#
firewall zone hrp
set priority 85
add interface Eth-Trunk0
#
firewall zone name zone1
set priority 45
add interface Eth-Trunk1.1
#
firewall zone name zone2
set priority 40
add interface Eth-Trunk1.2
#
firewall zone name zone3
set priority 10
add interface Eth-Trunk1.3
#
firewall zone name zone4
set priority 30
add interface Eth-Trunk1.4
#
ip route-static 10.1.0.0 255.255.0.0 172.7.1.4
ip route-static 10.2.0.0 255.255.0.0 172.7.1.4
ip route-static 10.3.0.0 255.255.0.0 172.7.1.4
ip route-static 0.0.0.0 0.0.0.0 1.1.3.2
ip route-static 10.9.1.0 255.255.255.0 1.1.2.2
ip route-static 172.168.3.0 255.255.255.0 1.1.1.2
ip route-static 172.168.4.0 255.255.255.0 1.1.4.2
ip route-static 1.1.3.2 32 NULL 0
ip route-static 1.1.3.3 32 NULL 0
ip route-static 1.1.3.4 32 NULL 0
ip route-static 1.1.3.5 32 NULL 0
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
ip address-set remote_users type object
description "for remote users"
address 0 172.168.3.0 mask 24
#
ip address-set partner type object
description "for partner"
address 0 172.168.4.0 mask 24
#
ip address-set branch2 type object
description "for branch2"
address 0 10.9.1.0 mask 24
#
ip address-set server1 type object
description "for server1"
address 0 10.1.1.10 mask 32
address 1 10.1.1.11 mask 32
#
ip address-set server2 type object
description "for server2"
address 0 10.2.1.4 mask 32
address 1 10.2.1.5 mask 32
#
ip address-set server4 type object
description "for server4"
address 0 10.1.1.4 mask 32
address 1 10.1.1.5 mask 32
#
ip address-set server5 type object
description "for server5"
address 0 192.168.4.2 mask 32
address 1 192.168.4.3 mask 32
address 2 192.168.4.4 mask 32
address 3 192.168.4.5 mask 32
#
ip address-set ad_server type object
description "for ad_server"
address 0 192.168.5.4 mask 32
address 1 192.168.5.5 mask 32
#
ip service-set tcp_1414 type object
service 0 protocol tcp destination-port 1414
#
firewall session aging-time service-set tcp_1414 40000
#
security-policy
rule name remote_users_to_server1
source-zone zone1
destination-zone trust
source-address address-set remote_users
destination-address address-set server1
service http
service ftp
profile ips default
action permit
rule name partner_to_server2
source-zone zone4
destination-zone trust
source-address address-set partner
destination-address address-set server2
service tcp_1414
profile ips default
action permit
rule name branch2_to_server4
source-zone zone2
destination-zone trust
source-address address-set branch2
destination-address address-set server4
service ftp
profile ips default
long-link enable
long-link aging-time 480
action permit
rule name internet_to_server5
source-zone zone3
destination-zone dmz
destination-address address-set server5
service http
service https
profile ips default
action permit
rule name ipsec
source-zone zone2
source-zone local
destination-zone zone2
destination-zone local
source-address 1.1.2.1 32
source-address 2.2.2.2 32
destination-address 1.1.2.1 32
destination-address 2.2.2.2 32
action permit
rule name ssl_vpn
source-zone zone1
source-zone zone4
destination-zone local
destination-address 1.1.1.1 32
destination-address 1.1.4.1 32
action permit
rule name to_ad_server
source-zone local
destination-zone dmz
destination-address address-set ad_server
action permit
#
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.9.1.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal 10
encryption-algorithm aes-256
dh group2
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer b
pre-shared-key %@%@'OMi3SPl%@TJdx5uDE(44*I^%@%@
ike-proposal 10
remote-address 1.1.5.1
#
ipsec policy-template policy1 1
security acl 3000
ike-peer b
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk1.2
ip address 1.1.3.1 255.255.255.0
ipsec policy map1
#
ad-server template ad_server
ad-server authentication 192.168.5.4 88
ad-server authentication 192.168.5.5 88 secondary
ad-server authentication base-dn dc=cce,dc=com
ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
ad-server authentication host-name info-server2.cce.com secondary
ad-server authentication host-name info-server.cce.com
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou
#
user-manage import-policy ad_server from ad
server template ad_server
server basedn dc=cce,dc=com
server searchdn ou=remoteusers,dc=cce,dc=com
destination-group /cce.com
user-attribute sAMAccountName
user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
group-filter (|(objectclass=organizationalUnit)(ou=*))
import-type all
import-override enable
sync-mode incremental schedule interval 120
sync-mode full schedule daily 01:00
#
aaa
authentication-scheme ad
authentication-mode ad
#
domain cce.com
authentication-scheme ad
ad-server ad_server
service-type ssl-vpn
reference user current-domain
new-user add-temporary group /cce.com auto-import ad_server
#
v-gateway example 1.1.1.1 private www.example.com
v-gateway example authentication-domain cce.com
v-gateway example max-user 150
v-gateway example cur-max-user 100
#
v-gateway example
service
web-proxy enable
web-proxy web-link enable
web-proxy proxy-resource resource1 http://10.1.1.10 show-link
web-proxy proxy-resource resource2 http://10.1.1.11 show-link
network-extension enable
network-extension keep-alive enable
network-extension netpool 172.168.3.2 172.168.3.254 255.255.255.0
network-extension mode manual
network-extension manual-route 10.1.1.0 255.255.255.0
role
role remoteusers condition all
role remoteusers network-extension enable
role remoteusers web-proxy enable
role remoteusers web-proxy resource resource1
role remoteusers web-proxy resource resource2
4.1 Introduction
A firewall is attached to a core switch of the cloud computing network in off-path
mode. Virtual machine services on the network are isolated using virtual systems.
Two firewalls are deployed in hot standby mode to improve service availability.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, Eudemon200E-
N&Eudemon1000E-N&Eudemon8000E-X V500R005C00, USG6000E V600R006C00,
Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document
content may vary according to version.
The following firewall functions are used on the cloud computing network:
● Hot standby
Two firewalls are deployed in hot standby mode to improve service
availability.
● NAT Server
The public addresses of the Portal system and virtual machines are advertised
through the NAT server for access of enterprise users on the Internet.
● Virtual system
A virtual system is built on each virtual machine to isolate virtual machine
services accessed by enterprise users. Security policies are also configured for
the virtual system for access control.
● Access behavior of extranet enterprise users to the Portal system and virtual
machines is controlled to permit only service access traffic.
● Device availability is improved to avoid service interruption caused by the
failure of only one device.
The firewalls are attached to the CE12800 core switches in off-path mode. The
above requirements are satisfied by the following features:
● Virtual system: Virtual systems are used to isolate virtual machine services
accessed by external enterprise users. Each virtual machine belongs to one
virtual system, and each virtual system has its maximum bandwidth.
● Subinterface: The firewall is connected to the CE12800 through subinterfaces.
The subinterfaces are assigned to the virtual systems and the root system. The
subinterfaces in the virtual systems carry virtual machine services, and the
subinterface in the root system carries portal services.
● NAT server: The NAT servers advertise the public addresses of the Portal
system and virtual machines to the extranet. A NAT server dedicated to a
virtual machine is configured in each virtual system, and NAT servers
dedicated to the Portal system are configured in the root system.
● Security policy: Security policies are applied to control access to the Portal
system and virtual machines. Security policies used to control access to
services of a virtual machine are configured in each virtual system, and
security policies used to control access to services of the Portal system are
configured in the root system.
● Hot standby: Two firewalls are deployed in hot standby mode to improve
availability. When the active firewall fails, the standby firewall takes over
without interrupting services.
One virtual machine can request to access the public address of another. The exchanged
packets are forwarded by the CE12800.
Table 4-1 describes the planning of interfaces and security zones on the FWs.
Virtual Systems
Virtual systems carry virtual machine services. Each virtual system corresponds to
one virtual machine. The interface planning for the virtual systems was described
above under interfaces and security zones. In addition, to limit the bandwidth
available to each virtual system, a resource class must be configured for each
virtual system.
Table 4-2 describes the planning of virtual systems on the FWs. Only two virtual
systems are listed. In practice, you can create multiple virtual systems as needed.
Routes
There are routes in the root system and routes in virtual systems, both including
the default route, black-hole route, and OSPF route. The OSPF routes run on the
upstream subinterface connecting the FW to the CE12800, as shown in Figure 4-8.
Specifically:
● A default route is configured for the root system with the next hop being the
related VLANIF IP address of CE12800_A. A default route is configured for
each virtual system with the next hop being the related VLANIF IP address of
CE12800_A.
● Black-hole routes with destination addresses being the public addresses of the
Portal system are configured in the root system. These black-hole routes are
advertised to CE12800_A by the root system through OSPF. A black-hole route
with the destination address being the public address of the virtual machine is
configured for each virtual system. This black-hole route is advertised to
CE12800_A by the virtual system through OSPF.
● OSPF runs on both the root system and virtual systems. The VPN instance
corresponding to a virtual system is bound in the root system to run OSPF in
the virtual system.
OSPF also runs on CE12800_A to advertise the network segment of each VLANIF
interface.
Table 4-3 describes the planning of routes on the FWs.
Hot Standby
The hot standby networking is typical, where firewalls are connected to upstream
Layer-3 devices and connected to downstream Layer-2 devices. Figure 4-9 shows
the logical networking where extranet enterprise users access services of the
virtual machines.
Figure 4-10 shows the logical networking where extranet enterprise users access
services of the Portal system.
After hot standby is configured, FW_A serves as the active firewall, and FW_B
serves as the standby firewall. As shown in Figure 4-11, when the network is
normal, FW_A advertises routes normally, and the cost of routes advertised by
FW_B increases by 65,500 (default value, configurable). When Router_A or
Router_B forwards the traffic of extranet enterprise users to a Portal system or
virtual machine, it selects a path with a smaller cost. Therefore, the traffic is
forwarded by FW_A.
For the return traffic, when the Portal system or virtual machine requests the MAC
address of the gateway, only the active firewall FW_A responds and sends the
virtual MAC address to the Portal system or virtual machine. The CE6800 records
the mapping between the virtual MAC address and port and forwards the return
traffic to FW_A.
When FW_A or the link of FW_A fails, an active/standby switchover takes place.
Then, FW_B advertises routes normally, and the cost of routes advertised by FW_A
increases by 65,500. After the routes converge again, all traffic is forwarded by
FW_B, as shown in Figure 4-12.
For the return traffic, after the active/standby switchover, FW_B sends a gratuitous
ARP packet to make the CE6800 update the mapping between the virtual MAC
address and port. Then, the return traffic is forwarded by the CE6800 to FW_B.
Security Policies
There are security policies in the root system and security policies in virtual
systems. Security policies in the root system permit packets from extranet
enterprise users to the Portal system and permit OSPF packets exchanged
between the root system and the CE12800. Security policies in a virtual system
permit packets from extranet enterprise users to the virtual machine and permit
OSPF packets exchanged between the virtual system and the CE12800.
In addition, antivirus and IPS profiles can be referenced in the security policies to
defend against viruses, worms, Trojan horses, and zombie (bot) activity. Normally,
the default antivirus and IPS profiles can be used.
Table 4-4 describes the planning of security policies on the FWs.
NAT Servers
There are NAT servers in the root system and NAT servers in the virtual systems. The
NAT servers in the root system map the private address of the Portal system to a
public address so that extranet enterprise users can access it. The NAT server in
each virtual system maps the private address of that virtual machine to a public
address for the same purpose.
In order that extranet enterprise users can access the Portal system and virtual
machines, it is necessary to apply for public addresses for every Portal system and
virtual machine. It is assumed that the public addresses for the Portal system are
117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are
118.1.1.1 and 118.1.1.2. Table 4-5 describes the planning of NAT servers on the
FWs.
4.3.3 Precautions
Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual
systems, you must apply for a license.
OSPF
You cannot configure OSPF directly in a virtual system. You must bind the VPN
instance corresponding to the virtual system when creating the OSPF process in
the root system.
Black-hole Route
Configure black-hole routes to the public addresses of the Portal system in the
root system and black-hole routes to the public addresses of virtual machines in
the virtual systems to prevent routing loops. These black-hole routes can be
advertised through OSPF.
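As an added example (not from this document and not a Huawei tool), a small Python checker that parses VRP-style configuration text and verifies two properties this chapter relies on: every NAT server public address has a /32 black-hole route (the precaution above), and every VRRP group is active on one firewall and standby on the other (the hot standby design in 4.1). The sample configurations inside it are constructed from this chapter's FW_A/FW_B values, with two faults planted on purpose so that the checks produce findings.

```python
import re

# Constructed sample configs in VRP style, trimmed from this chapter's FW_A/FW_B
# root-system scripts. Two faults are planted on purpose: FW_A has no black-hole
# route for 117.1.1.2, and FW_B's vrrp vrid 2 is "active" instead of "standby".
FW_A_CFG = """\
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 active
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.252 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
"""
FW_B_CFG = """\
interface GigabitEthernet1/0/2.1
 ip address 10.159.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 10.159.1.254 standby
#
interface GigabitEthernet1/0/2.2
 ip address 10.159.2.253 255.255.255.0
 vrrp vrid 2 virtual-ip 10.159.2.254 active
#
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
"""

IP = r"(\d+(?:\.\d+){3})"
# Matches "nat server NAME ID global IP ..." and "nat server NAME protocol tcp global IP PORT ...".
NAT_RE = re.compile(r"^nat server \S+ (?:\d+ )?(?:protocol \S+ )?global " + IP)
# A host black-hole route, written with either "32" or "255.255.255.255", to NULL 0.
BLACKHOLE_RE = re.compile(r"^ip route-static " + IP + r" (?:32|255\.255\.255\.255) NULL ?0$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip " + IP + r" (active|standby)$")


def parse_blocks(config):
    """Split a VRP-style config into blocks delimited by lines containing only '#'."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def nat_without_blackhole(config):
    """Public addresses advertised by NAT servers that lack a /32 black-hole route."""
    nat_ips, blackholes = [], set()
    for line in (l for block in parse_blocks(config) for l in block):
        m = NAT_RE.match(line)
        if m:
            nat_ips.append(m.group(1))
            continue
        m = BLACKHOLE_RE.match(line)
        if m:
            blackholes.add(m.group(1))
    return [ip for ip in nat_ips if ip not in blackholes]


def vrrp_groups(config):
    """Map each VRRP vrid to (interface, virtual IP, role) found under an interface block."""
    groups = {}
    for block in parse_blocks(config):
        if not block[0].startswith("interface "):
            continue
        ifname = block[0].split(None, 1)[1]
        for line in block[1:]:
            m = VRRP_RE.match(line)
            if m:
                groups[int(m.group(1))] = (ifname, m.group(2), m.group(3))
    return groups


def vrrp_mismatches(active_cfg, standby_cfg):
    """Findings for VRRP groups that are not a clean active/standby pair across the two FWs."""
    a, s = vrrp_groups(active_cfg), vrrp_groups(standby_cfg)
    findings = []
    for vrid in sorted(set(a) | set(s)):
        if vrid not in a or vrid not in s:
            findings.append(f"vrid {vrid}: configured on only one firewall")
            continue
        (if_a, vip_a, role_a), (if_s, vip_s, role_s) = a[vrid], s[vrid]
        if (if_a, vip_a) != (if_s, vip_s):
            findings.append(f"vrid {vrid}: interface/virtual-ip differ ({if_a} {vip_a} vs {if_s} {vip_s})")
        if (role_a, role_s) != ("active", "standby"):
            findings.append(f"vrid {vrid}: roles are {role_a}/{role_s}, expected active/standby")
    return findings


if __name__ == "__main__":
    for name, cfg in (("FW_A", FW_A_CFG), ("FW_B", FW_B_CFG)):
        print(name, "NAT public addresses without black-hole route:", nat_without_blackhole(cfg))
    print("VRRP findings:", vrrp_mismatches(FW_A_CFG, FW_B_CFG))
```

On a real device the same checks can be run against the output of display current-configuration; NAT servers inside a virtual system need the black-hole route in that virtual system's own routing table, so run the check per vsys.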
Procedure
Step 1 Configure interfaces and security zones.
# Configure IP addresses for root system interfaces on FW_A, and assign the
interfaces to the security zones of the root system.
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit
# Configure IP addresses for root system interfaces on FW_B, and assign the
interfaces to the security zones of the root system.
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
# Create virtual systems on FW_A, and allocate resources to the virtual systems.
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit
# Create virtual systems on FW_B, and allocate resources to the virtual systems.
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name sec_portal
HRP_M[FW_A-policy-security-rule-sec_portal] source-zone untrust
HRP_M[FW_A-policy-security-rule-sec_portal] destination-zone dmz
HRP_M[FW_A-policy-security-rule-sec_portal] destination-address 10.159.0.0 16
HRP_M[FW_A-policy-security-rule-sec_portal] action permit
HRP_M[FW_A-policy-security-rule-sec_portal] profile av default
HRP_M[FW_A-policy-security-rule-sec_portal] profile ips default
HRP_M[FW_A-policy-security-rule-sec_portal] quit
HRP_M[FW_A-policy-security] rule name sec_ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] source-zone untrust local
HRP_M[FW_A-policy-security-rule-sec_ospf] destination-zone local untrust
HRP_M[FW_A-policy-security-rule-sec_ospf] service ospf
HRP_M[FW_A-policy-security-rule-sec_ospf] action permit
HRP_M[FW_A-policy-security-rule-sec_ospf] quit
HRP_M[FW_A-policy-security] quit
The NAT server configuration commands are only exemplary. In practice, NAT servers are
configured on the management component, and the management component delivers the
configuration to the FW.
----End
4.3.5 Verification
1. Run the display hrp state command on FW_A and FW_B. The current HRP
state is normal.
2. Enterprise users on the Internet can access virtual machine services normally.
3. Enterprise users on the Internet can access the Portal system normally.
4. Run the shutdown command on GE1/0/2.1 of FW_A to simulate a link fault.
The active/standby switchover takes place without interrupting services.
FW_A
vlan-type dot1q 2
ip address 10.159.2.252 255.255.255.0
vrrp vrid 2 virtual-ip 10.159.2.254 active
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/3.10
vlan-type dot1q 10
ip binding vpn-instance vfw1
ip address 10.159.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface GigabitEthernet1/0/3.11
vlan-type dot1q 11
ip binding vpn-instance vfw2
ip address 10.159.11.252 255.255.255.0
vrrp vrid 11 virtual-ip 10.159.11.254 active
#
interface GigabitEthernet1/0/8
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/8
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/2.1
add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
set priority 65
add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
import-route static
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
import-route static
area 0.0.0.0
network 172.16.11.0 0.0.0.255
#
ospf 1000
import-route static
area 0.0.0.0
network 172.16.9.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
rule name sec_portal
source-zone untrust
destination-zone dmz
destination-address 10.159.0.0 16
profile av default
profile ips default
action permit
rule name sec_ospf
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
service ospf
action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
ip binding vpn-instance vfw1
ip address 172.16.10.252 255.255.255.0
#
interface GigabitEthernet1/0/3.10
vlan-type dot1q 10
ip binding vpn-instance vfw1
ip address 10.159.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 10.159.10.254 active
#
interface Virtual-if1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3.10
#
firewall zone untrust

FW_B
vrrp vrid 1 virtual-ip 10.159.2.254 standby
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/3.10
vlan-type dot1q 10
ip binding vpn-instance vfw1
ip address 10.159.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface GigabitEthernet1/0/3.11
vlan-type dot1q 11
ip binding vpn-instance vfw2
ip address 10.159.11.253 255.255.255.0
vrrp vrid 11 virtual-ip 10.159.11.254 standby
#
interface GigabitEthernet1/0/8
undo shutdown
eth-trunk 1
#
interface GigabitEthernet2/0/8
undo shutdown
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/2.1
add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
set priority 65
add interface Eth-Trunk1
#
ospf 1 vpn-instance vfw1
import-route static
area 0.0.0.0
network 172.16.10.0 0.0.0.255
#
ospf 2 vpn-instance vfw2
import-route static
area 0.0.0.0
network 172.16.11.0 0.0.0.255
#
ospf 1000
import-route static
area 0.0.0.0
network 172.16.9.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.159.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.159.2.100
#
security-policy
rule name sec_portal
source-zone untrust
destination-zone dmz
destination-address 10.159.0.0 16
profile av default
profile ips default
action permit
rule name sec_ospf
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
service ospf
action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
ip binding vpn-instance vfw1
ip address 172.16.10.253 255.255.255.0
#
interface GigabitEthernet1/0/3.10
vlan-type dot1q 10
ip binding vpn-instance vfw1
ip address 10.159.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 10.159.10.254 standby
#
interface Virtual-if1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1.10
set priority 5 #
add interface GigabitEthernet1/0/1.10 security-policy
# rule name sec_vm1
security-policy source-zone untrust
rule name sec_vm1 destination-zone trust
source-zone untrust destination-address 10.159.10.0 24
destination-zone trust profile av default
destination-address 10.159.10.0 24 profile ips default
profile av default action permit
profile ips default rule name sec_vm1_ospf
action permit source-zone local
rule name sec_vm1_ospf source-zone untrust
source-zone local destination-zone local
source-zone untrust destination-zone untrust
destination-zone local service ospf
destination-zone untrust action permit
service ospf #
action permit ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
# ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251 #
ip route-static 118.1.1.1 255.255.255.255 NULL 0 nat server nat_server_vm1 2 global 118.1.1.1
# inside 10.159.10.100
nat server nat_server_vm1 2 global 118.1.1.1 #
inside 10.159.10.100 return
# #
FW_A FW_B
return switch vsys vfw2
# #
switch vsys vfw2 interface GigabitEthernet1/0/1.11
# ip binding vpn-instance vfw2
interface GigabitEthernet1/0/1.11 ip address 172.16.11.253 255.255.255.0
ip binding vpn-instance vfw2 #
ip address 172.16.11.252 255.255.255.0 interface GigabitEthernet1/0/3.11
# vlan-type dot1q 11
interface GigabitEthernet1/0/3.11 ip binding vpn-instance vfw2
vlan-type dot1q 11 ip address 10.159.11.253 255.255.255.0
ip binding vpn-instance vfw2 vrrp vrid 11 virtual-ip 10.159.11.254 standby
ip address 10.159.11.252 255.255.255.0 #
vrrp vrid 11 virtual-ip 10.159.11.254 active interface Virtual-if2
# #
interface Virtual-if2 firewall zone trust
# set priority 85
firewall zone trust add interface GigabitEthernet1/0/3.11
set priority 85 #
add interface GigabitEthernet1/0/3.11 firewall zone untrust
# set priority 5
firewall zone untrust add interface GigabitEthernet1/0/1.11
set priority 5 #
add interface GigabitEthernet1/0/1.11 security-policy
# rule name sec_vm2
security-policy source-zone untrust
rule name sec_vm2 destination-zone trust
source-zone untrust destination-address 10.159.11.0 24
destination-zone trust profile av default
destination-address 10.159.11.0 24 profile ips default
profile av default action permit
profile ips default rule name sec_vm2_ospf
action permit source-zone local
rule name sec_vm2_ospf source-zone untrust
source-zone local destination-zone local
source-zone untrust destination-zone untrust
destination-zone local service ospf
destination-zone untrust action permit
service ospf #
action permit ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
# ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251 #
ip route-static 118.1.1.2 255.255.255.255 NULL 0 nat server nat_server_vm2 3 global 118.1.1.2
# inside 10.159.11.100
nat server nat_server_vm2 3 global 118.1.1.2 #
inside 10.159.11.100 return
#
return
The firewalls are attached to the CE12800 core switches in off-path mode. The
above requirements are satisfied by the following features:
● Virtual system: Virtual systems are used to isolate virtual machine services
accessed by external enterprise users. Each virtual machine belongs to one
virtual system, and each virtual system has its maximum bandwidth.
● Subinterface: The firewall is connected to the CE12800 through subinterfaces.
The subinterfaces are assigned to the virtual systems and the root system. The
subinterfaces in the virtual systems carry virtual machine services, and the
subinterface in the root system carries portal services.
● NAT server: The NAT servers advertise the public addresses of the Portal
system and virtual machines to the extranet. A NAT server dedicated to a
virtual machine is configured in each virtual system, and NAT servers
dedicated to the Portal system are configured in the root system.
● Security policy: Security policies are applied to control access to the Portal
system and virtual machines. Security policies used to control access to
services of a virtual machine are configured in each virtual system, and
security policies used to control access to services of the Portal system are
configured in the root system.
● Hot standby: Two firewalls are deployed in hot standby mode to improve
availability. When the active firewall fails, the standby firewall takes over
without interrupting services.
● Two (or more as required by the Portal system) subinterfaces are defined for
GE1/0/2 of FW_A. Each subinterface has an IP address and is assigned to the
DMZ of the root system.
● 10GE1/1/0/2 of CE12800_A is a trunk interface that permits packets of two
VLANs. Each VLANIF interface has an IP address and is logically connected to
the related subinterface of FW_A.
● Multiple (2 in this case) subinterfaces are defined for GE1/0/3 of FW_A. Each
subinterface has an IP address. Each subinterface belongs to a different virtual
system and is assigned to the Trust zone of the virtual system.
The connection between FW_B and CE12800_B is the same, the only difference
being the IP addresses.
One virtual machine can request to access the public address of another. The exchanged
packets are forwarded by the CE12800.
Table 4-6 describes the planning of interfaces and security zones on the FWs.
Virtual System
Virtual systems carry virtual machine services. Each virtual system corresponds to
one virtual machine. The planning of interfaces for the virtual systems has been
described above under interfaces and security zones. In addition, to limit the
bandwidth available to each virtual system, resource classes must also be
configured for the virtual systems.
Table 4-7 describes the planning of virtual systems on the FWs. Only two virtual
systems are listed. In practice, you can create multiple virtual systems as needed.
Routes
Traffic is forwarded using static routes between the FW and CE12800.
● Static routes are configured in the root switch Public on the CE12800. The
destination addresses of these static routes are public addresses of the Portal
system and virtual machines, and the next-hop addresses are the addresses of
the subinterfaces on the FW. With these static routes, traffic from external
enterprise users to the Portal system or virtual systems can be forwarded to
the FW.
● A default route is configured in each virtual switch VRF on the CE12800. The
next-hop addresses of these default routes are the addresses of the
subinterfaces on the FW. With these default routes, the return traffic from the
Portal system or virtual machines can be forwarded to the FW.
● Static routes are configured on the FW. The destination addresses of these
static routes are the private addresses of the Portal system and virtual machines,
and the next-hop addresses are the VLANIF addresses of the virtual switches
(VRFs) on the CE12800. With these static routes, traffic from external enterprise
users to the public addresses of the Portal system and virtual systems can be
forwarded by the FW to the CE12800 after processing.
● Default routes are configured on the FW. The next-hop address of these
default routes is the VLANIF address of the root switch Public on the
CE12800. With these default routes, return traffic from the Portal system or
virtual machines can be forwarded by the FW to the CE12800 after
processing.
Routes on the FW include routes in the root system and routes in the virtual
systems. Table 4-8 describes the planning of routes.
Hot Standby
This is the typical hot standby networking in which the firewalls are connected to
Layer 2 devices both upstream and downstream. Figure 4-18 shows the logical
networking where extranet enterprise users access services of the virtual
machines. For ease of description, only one virtual machine is described.
Figure 4-19 shows the logical networking where external enterprise users access
services of the Portal system. For ease of description, only one Portal system is
described.
After hot standby is configured, FW_A serves as the active firewall, and FW_B
serves as the standby firewall. As shown in Figure 4-20, when the network is
normal, FW_A responds to the ARP packet sent by the root switch Public of the
CE12800 to request the MAC address of the gateway, and traffic from external
enterprise users to the Portal system or virtual machines is forwarded by
FW_A. Likewise, the return traffic from the Portal system or virtual machines is
also forwarded to FW_A.
When FW_A or the link connecting FW_A fails, an active/standby switchover takes
place. Then, FW_B sends a gratuitous ARP packet to make the CE12800 update the
mapping between the virtual MAC address and port. All traffic is forwarded by
FW_B, as shown in Figure 4-21. Likewise, the return traffic from the Portal system
or virtual machines is also forwarded to FW_B.
Security Policies
There are security policies in the root system and security policies in virtual
systems. Security policies in the root system permit packets from extranet
enterprise users to the Portal system. Security policies in a virtual system permit
packets from external enterprise users to the virtual machine.
In addition, antivirus and IPS profiles can be included in the security policies to
defend against attacks of viruses, worms, Trojan horses, and zombies. Normally,
the default antivirus and IPS profiles can be used.
Table 4-9 describes the planning of security policies on the FWs.
NAT Servers
There are NAT servers in the root system and NAT servers in the virtual systems.
The NAT servers in the root system map the address of the Portal system to a
public address so that extranet enterprise users can access it. The NAT server in a
virtual system maps the address of a virtual machine to a public address so that
extranet enterprise users can access it.
In order that extranet enterprise users can access the Portal system and virtual
machines, it is necessary to apply for public addresses for every Portal system and
virtual machine. It is assumed that the public addresses for the Portal system are
117.1.1.1 and 117.1.1.2 and that the public addresses for the virtual machines are
118.1.1.1 and 118.1.1.2. Table 4-10 describes the planning of NAT servers on the
FWs.
4.4.3 Precautions
Virtual System
By default, the USG9500 supports 10 virtual systems. To have more virtual
systems, you must apply for a license.
Black-hole Route
Configure black-hole routes to the public addresses of the Portal systems in the
root system and black-hole routes to the public addresses of virtual machines in
the virtual systems to prevent routing loops.
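Two of the conditions this section relies on can be checked mechanically before a script is loaded: every NAT server public address in a system has a black-hole route in that same system, and the VRRP groups of the two HRP peers agree on VRID and virtual IP with one active and one standby member. The Python below is an added example (not part of this document or of any Huawei tool) that parses FW_A/FW_B listings in the format used in this section; the sample scripts, their addressing and the two planted defects are constructed for the example.

```python
"""Consistency checks over a pair of FW_A/FW_B configuration scripts written in
the listing format used in this document (constructed sample data below)."""
import re
from dataclasses import dataclass, field

# Line patterns of the VRP-style listing (leading indentation is stripped first).
RE_VSYS = re.compile(r"^switch vsys (\S+)$")
RE_IFACE = re.compile(r"^interface (\S+)$")
RE_ADDR = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) \S+$")
RE_VRRP = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$")
RE_BLACKHOLE = re.compile(r"^ip route-static (\S+) 255\.255\.255\.255 NULL 0$")
RE_NAT_SERVER = re.compile(r"^nat server \S+ \d+ global (\S+) inside \S+$")


@dataclass
class System:
    """Parsed state of one system: the root system or one virtual system."""
    interfaces: dict = field(default_factory=dict)  # name -> {ip, vrid, vip, role}
    nat_globals: set = field(default_factory=set)   # NAT server public addresses
    blackholes: set = field(default_factory=set)    # /32 routes to NULL 0


def parse_script(text):
    """Return {system_name: System}. 'switch vsys X' enters virtual system X,
    'return' goes back to the root system, '#' closes the current view."""
    systems = {"root": System()}
    ctx, iface = "root", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            iface = None
            continue
        if line == "return":
            ctx = "root"
            continue
        if m := RE_VSYS.match(line):
            ctx = m.group(1)
            systems.setdefault(ctx, System())
            continue
        sysobj = systems[ctx]
        if m := RE_IFACE.match(line):
            iface = m.group(1)
            sysobj.interfaces.setdefault(iface, {})
        elif (m := RE_ADDR.match(line)) and iface:
            sysobj.interfaces[iface]["ip"] = m.group(1)
        elif (m := RE_VRRP.match(line)) and iface:
            sysobj.interfaces[iface].update(vrid=int(m.group(1)), vip=m.group(2), role=m.group(3))
        elif m := RE_BLACKHOLE.match(line):
            sysobj.blackholes.add(m.group(1))
        elif m := RE_NAT_SERVER.match(line):
            sysobj.nat_globals.add(m.group(1))
    return systems


def missing_blackholes(systems):
    """NAT server public addresses with no /32 NULL 0 route in the same system,
    which the Precautions section requires to prevent routing loops."""
    return sorted((name, ip) for name, s in systems.items() for ip in s.nat_globals - s.blackholes)


def vrrp_findings(systems_a, systems_b):
    """Compare the VRRP groups of the two HRP peers interface by interface."""
    findings = []
    for name in sorted(set(systems_a) | set(systems_b)):
        ifs_a = systems_a.get(name, System()).interfaces
        ifs_b = systems_b.get(name, System()).interfaces
        for ifname in sorted(set(ifs_a) | set(ifs_b)):
            a, b = ifs_a.get(ifname, {}), ifs_b.get(ifname, {})
            if "vrid" not in a and "vrid" not in b:
                continue  # no VRRP group on this interface
            where = f"{name}/{ifname}"
            if a.get("vrid") != b.get("vrid"):
                findings.append(f"{where}: VRID mismatch {a.get('vrid')} vs {b.get('vrid')}")
            if a.get("vip") != b.get("vip"):
                findings.append(f"{where}: virtual-ip mismatch {a.get('vip')} vs {b.get('vip')}")
            if {a.get("role"), b.get("role")} != {"active", "standby"}:
                findings.append(f"{where}: expected one active and one standby peer")
            if a.get("ip") and a.get("ip") == b.get("ip"):
                findings.append(f"{where}: both peers use the real address {a['ip']}")
    return findings


# Constructed sample scripts (addressing follows this example; not the document's listing).
# FW_A lacks the black-hole route for 118.1.1.1 in vfw1; FW_B uses VRID 10 where FW_A uses 110.
FW_A_SCRIPT = """\
interface GigabitEthernet1/0/3.10
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
ip route-static 117.1.1.1 255.255.255.255 NULL 0
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 ip address 172.16.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 active
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
"""
FW_B_SCRIPT = FW_A_SCRIPT.replace(".252 ", ".253 ").replace("active", "standby") \
    .replace("vrrp vrid 110", "vrrp vrid 10") \
    .replace("nat server nat_server_vm1", "ip route-static 118.1.1.1 255.255.255.255 NULL 0\nnat server nat_server_vm1")

if __name__ == "__main__":
    a, b = parse_script(FW_A_SCRIPT), parse_script(FW_B_SCRIPT)
    for sysname, ip in missing_blackholes(a):
        print(f"FW_A {sysname}: NAT server global {ip} has no black-hole route")
    for finding in vrrp_findings(a, b):
        print(f"HRP peers: {finding}")
```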
Procedure
Step 1 Configure interfaces and security zones.
# Create subinterfaces on FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1.10
[FW_A-GigabitEthernet1/0/1.10] quit
[FW_A] interface GigabitEthernet 1/0/1.11
[FW_A-GigabitEthernet1/0/1.11] quit
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] interface GigabitEthernet 1/0/3.10
[FW_A-GigabitEthernet1/0/3.10] quit
[FW_A] interface GigabitEthernet 1/0/3.11
[FW_A-GigabitEthernet1/0/3.11] quit
# Configure IP addresses for root system interfaces on FW_A, and assign the
interfaces to the security zones of the root system.
[FW_A] interface GigabitEthernet 1/0/1.1000
[FW_A-GigabitEthernet1/0/1.1000] ip address 172.16.9.252 24
[FW_A-GigabitEthernet1/0/1.1000] quit
[FW_A] interface GigabitEthernet 1/0/2.1
[FW_A-GigabitEthernet1/0/2.1] ip address 10.159.1.252 24
[FW_A-GigabitEthernet1/0/2.1] quit
[FW_A] interface GigabitEthernet 1/0/2.2
[FW_A-GigabitEthernet1/0/2.2] ip address 10.159.2.252 24
[FW_A-GigabitEthernet1/0/2.2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_A-zone-dmz] quit
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 1
[FW_A-zone-hrpzone] quit
# Configure IP addresses for root system interfaces on FW_B, and assign the
interfaces to the security zones of the root system.
[FW_B] interface GigabitEthernet 1/0/1.1000
[FW_B-GigabitEthernet1/0/1.1000] ip address 172.16.9.253 24
[FW_B-GigabitEthernet1/0/1.1000] quit
[FW_B] interface GigabitEthernet 1/0/2.1
[FW_B-GigabitEthernet1/0/2.1] ip address 10.159.1.253 24
[FW_B-GigabitEthernet1/0/2.1] quit
[FW_B] interface GigabitEthernet 1/0/2.2
[FW_B-GigabitEthernet1/0/2.2] ip address 10.159.2.253 24
[FW_B-GigabitEthernet1/0/2.2] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 1/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_B-zone-untrust] add interface GigabitEthernet 1/0/1.1000
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.1
[FW_B-zone-dmz] add interface GigabitEthernet 1/0/2.2
[FW_B-zone-dmz] quit
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 1
[FW_B-zone-hrpzone] quit
# Create virtual systems on FW_A, and allocate resources to the virtual systems.
[FW_A] vsys name vfw1
[FW_A-vsys-vfw1] assign resource-class vfw1_car
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_A-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_A-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_A-vsys-vfw1] quit
[FW_A] vsys name vfw2
[FW_A-vsys-vfw2] assign resource-class vfw2_car
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_A-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_A-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_A-vsys-vfw2] quit
# Create virtual systems on FW_B, and allocate resources to the virtual systems.
[FW_B] vsys name vfw1
[FW_B-vsys-vfw1] assign resource-class vfw1_car
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/1.10
[FW_B-vsys-vfw1] assign interface GigabitEthernet 1/0/3.10
[FW_B-vsys-vfw1] assign global-ip 118.1.1.1 118.1.1.1 exclusive
[FW_B-vsys-vfw1] quit
[FW_B] vsys name vfw2
[FW_B-vsys-vfw2] assign resource-class vfw2_car
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/1.11
[FW_B-vsys-vfw2] assign interface GigabitEthernet 1/0/3.11
[FW_B-vsys-vfw2] assign global-ip 118.1.1.2 118.1.1.2 exclusive
[FW_B-vsys-vfw2] quit
# Configure IP addresses for interfaces in the virtual system vfw1 on FW_A, and
assign the interfaces to security zones.
[FW_A] switch vsys vfw1
<FW_A-vfw1> system-view
[FW_A-vfw1] interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-GigabitEthernet1/0/1.10] ip address 172.16.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/1.10] quit
[FW_A-vfw1] interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-GigabitEthernet1/0/3.10] ip address 10.159.10.252 24
[FW_A-vfw1-GigabitEthernet1/0/3.10] quit
[FW_A-vfw1] firewall zone untrust
[FW_A-vfw1-zone-untrust] add interface GigabitEthernet 1/0/1.10
[FW_A-vfw1-zone-untrust] quit
[FW_A-vfw1] firewall zone trust
[FW_A-vfw1-zone-trust] add interface GigabitEthernet 1/0/3.10
[FW_A-vfw1-zone-trust] quit
[FW_A-vfw1] quit
<FW_A-vfw1> quit
The NAT server configuration commands are only exemplary. In practice, NAT servers are
configured on the management component, and the management component delivers the
configuration to the FW.
● The CE6800 transmits Layer-2 packets transparently, and you only need to
configure Layer-2 forwarding on it.
----End
4.4.5 Verification
1. Run the display hrp state command on FW_A and FW_B. The current HRP
state is normal.
2. Enterprise users on the Internet can access virtual machine services normally.
3. Enterprise users on the Internet can access the Portal system normally.
4. Run the shutdown command on GE1/0/1.10 of FW_A to simulate a link fault.
The active/standby switchover is normal, and services are not interrupted.
FW_A
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 active
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  profile av default
  profile ips default
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 active
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.252 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 active
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.252 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 active
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.252 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 active
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
#
return

FW_B
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 standby
#
interface GigabitEthernet1/0/8
 undo shutdown
 eth-trunk 1
#
interface GigabitEthernet2/0/8
 undo shutdown
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/1.1000
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.1
 add interface GigabitEthernet1/0/2.2
#
firewall zone name hrpzone id 4
 set priority 65
 add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 172.16.9.251
ip route-static 117.1.1.1 255.255.255.255 NULL 0
ip route-static 117.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.1.0 255.255.255.0 10.159.1.251
ip route-static 10.160.2.0 255.255.255.0 10.159.2.251
#
nat server nat_server_portal1 0 global 117.1.1.1 inside 10.160.1.100
nat server nat_server_portal2 1 global 117.1.1.2 inside 10.160.2.100
#
security-policy
 rule name sec_portal
  source-zone untrust
  destination-zone dmz
  destination-address 10.160.0.0 16
  profile av default
  profile ips default
  action permit
#
return
#
switch vsys vfw1
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 172.16.10.253 255.255.255.0
 vrrp vrid 10 virtual-ip 172.16.10.254 standby
#
interface GigabitEthernet1/0/3.10
 vlan-type dot1q 10
 ip binding vpn-instance vfw1
 ip address 10.159.10.253 255.255.255.0
 vrrp vrid 110 virtual-ip 10.159.10.254 standby
#
interface Virtual-if1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.10
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.10
#
security-policy
 rule name sec_vm1
  source-zone untrust
  destination-zone trust
  destination-address 10.159.10.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.10.251
ip route-static 118.1.1.1 255.255.255.255 NULL 0
ip route-static 10.160.10.0 255.255.255.0 10.159.10.251
#
nat server nat_server_vm1 2 global 118.1.1.1 inside 10.160.10.100
#
return
#
switch vsys vfw2
#
interface GigabitEthernet1/0/1.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 172.16.11.253 255.255.255.0
 vrrp vrid 11 virtual-ip 172.16.11.254 standby
#
interface GigabitEthernet1/0/3.11
 vlan-type dot1q 11
 ip binding vpn-instance vfw2
 ip address 10.159.11.253 255.255.255.0
 vrrp vrid 111 virtual-ip 10.159.11.254 standby
#
interface Virtual-if2
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3.11
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1.11
#
security-policy
 rule name sec_vm2
  source-zone untrust
  destination-zone trust
  destination-address 10.159.11.0 24
  profile av default
  profile ips default
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 172.16.11.251
ip route-static 118.1.1.2 255.255.255.255 NULL 0
ip route-static 10.160.11.0 255.255.255.0 10.159.11.251
#
nat server nat_server_vm2 3 global 118.1.1.2 inside 10.160.11.100
#
return
5.1 Introduction
This section describes how to deploy the firewall as an egress gateway for a large-
or medium-sized enterprise network to protect the security of the enterprise
network. It describes the most common scenarios and features of the firewall and
provides reference for the administrator to plan and build the enterprise network.
This document is based on USG6000&USG9500 V500R005C00 and can be used as
a reference for USG6000&USG9500 V500R005C00, USG6000E V600R006C00, and
later versions. Document content may vary according to version.
secure from attacks. On this basis, Internet access privileges and traffic restrictions
must also be defined for different departments. In addition, branch and travelling
employees must be able to access the central network for business
communication and resource sharing.
● Access layer
The access layer is normally made up of Ethernet switches. It connects various
terminals to the campus network. For some terminals, it may be necessary to
add specific access devices, for example, APs for wireless access and IADs for
POTS access.
● Aggregation layer
Traffic of the access devices and users converges at the aggregation layer and
is then forwarded to the core layer. The aggregation layer increases the
quantity of users who can access the core layer.
● Core layer
The core layer is responsible for the high-speed interworking of the entire
campus network. Specific services are generally not deployed here. The core
network must ensure high bandwidth efficiency and quick failure
convergence.
● Enterprise campus egress
The enterprise campus egress is a border between the enterprise campus
network and the public extranet. Internal users of the campus network are
connected to the public network through an edge network. Extranet users
(including customers, partners, branches, and remote users) also access the
internal network through the edge network.
● Data center
The data center is the area where servers and application systems are
deployed. The data center provides data and application services for internal
and external users.
● Network management center
The network management center is the area where the network, servers, and
applications systems are managed. It provides fault management,
configuration management, performance management, and security
management.
● Hot standby
To improve network availability, two FWs can be deployed at the egress of the
enterprise campus network in hot standby mode. When the link of the active
FW fails, traffic on the network is switched to the standby FW to ensure
normal communication of the intranet and extranet.
● NAT
Because public IPv4 addresses are limited, private addresses are allocated for
intranet use, and public addresses are normally not allocated. Therefore, when
an internal user needs to access the Internet, address translation is required.
The FW is deployed at the egress of the intranet to the Internet to provide
NAT functions.
● Security defense
The FW provides attack defense to protect the enterprise network against
external attacks.
● Content security
The FW provides intrusion prevention, antivirus, and URL filtering functions to
keep the intranet environment clean.
● Bandwidth management
The FW provides bandwidth management. It identifies traffic based on the
application or user and applies traffic-based control.
An enterprise has many employees and business lines. The traffic on the enterprise
network is varied. When the intranet of the enterprise is connected to the Internet,
the following targets and challenges must be considered:
1. The egress gateway must be highly available. Two devices should be deployed
in hot standby mode to avoid a single point of failure. When one device fails,
the other takes over its work, ensuring that normal services are not interrupted.
2. The enterprise leases two links from two ISPs. Therefore, the gateway must be
able to identify traffic based on applications and distribute different types of
traffic to the appropriate links to improve link efficiency and avoid network
congestion.
3. Enterprise employees are in different business lines, including R&D, marketing,
production, and management. Therefore, access control policies are defined
for the egress gateways based on users/departments and applications
according to the business needs of the departments.
4. To enable a large number of intranet users to access the Internet using public
addresses, the egress gateway must be capable of translating private
addresses to public addresses.
5. User and department information is stored in the gateway to provide the
organizational structure of the enterprise for reference of policies. AD servers
are deployed in the server area to facilitate user-based network behavior
control and network permission planning.
6. Extranet users can access the web servers and FTP servers.
7. The enterprise intranet faces unauthorized access and all kinds of attacks and
intrusions from the Internet. Therefore, the egress gateway must be able to
defend against viruses, worms, Trojan horses, and zombies to protect the
security of the enterprise network. In addition, websites accessible by the
enterprise employees must be controlled by filtering, prohibiting access to all
adult and illegal websites.
8. The egress gateway must be able to defend against SYN flood, UDP flood,
and malformed packet attacks targeting the intranet.
9. The egress gateway must be capable of application-based traffic control to
restrict traffic that consumes a lot of network bandwidth (such as P2P traffic)
and ensure normal operation of critical services. In addition, the egress
gateway can provide differentiated bandwidth management based on users/
departments.
10. The network must ensure secure access to the ERP and email systems of the
enterprise for travelling and home-based R&D employees. It should also
ensure that travelling and home-based senior managers and marketing
employees can complete their office work as if they were on the intranet.
● GE1/0/1 is connected to the ISP1 link and assigned to the ISP1 zone. The ISP1
zone needs to be created, and its priority is 15.
● GE1/0/2 is connected to the ISP2 link and assigned to the ISP2 zone. The ISP2
zone needs to be created, and its priority is 20.
● GE1/0/3 and GE2/0/1 connected to the core router form Eth-Trunk1 and are
assigned to the Heart zone. The Heart zone needs to be created, and its
priority is 75.
● GE1/0/4 is connected to the server area and assigned to the Trust zone. The
Trust zone is a default security zone of the firewall. Its priority is 85.
● GE1/0/5 is a mirroring interface (Layer 2 interface) that receives the mirrored
AD authentication packets.
To save public IP addresses, private IP addresses are planned for the upstream
interfaces of the firewalls. However, the address of a VRRP group must be a public
address allocated by the ISP to enable the communication with the ISP.
3. Configure the server import policy on the FW to import the user information
in the AD server to the FW.
4. Configure the new user option of the authentication domain so that an
authenticated user who does not exist on the FW logs in as a temporary user.
5. Configure SSO parameters on the FW so that the FW monitors the
authentication result packets sent by the AD server to the user PCs.
In this case, the authentication packets do not pass through the FW.
Therefore, the authentication result packets sent by the AD server to the user
PCs must be mirrored to the FW.
6. Set the online user aging time to 480 minutes to avoid frequent sign-on
authentication due to the aging of online connections during business hours
(assuming 8 hours).
7. Configure port mirroring on the switch to mirror the authentication packets to
the FW.
In addition, antivirus, IPS, and URL filtering profiles can be included in the security
policies to defend against viruses, worms, Trojan horses, and botnets, and to
filter websites.
Normally, the default antivirus and IPS profiles can be used as they are. Create a URL
filtering profile and set its URL filtering control level to "medium", which
restricts access to all adult and illegal websites.
NAT Planning
The enterprise has 500 employees but limited public IP addresses. To enable a
large number of intranet users to access the Internet with the limited public
● Name: policy_nat_ipsec_02
● Source security zone: trust
● Destination security zone: ISP2
● Destination address: 192.168.1.0/24
● Action: no NAT

NAT policy
● Name: policy_nat_internet_02
● Source security zone: trust
● Destination security zone: ISP2
● Source address: addresses in the address pool
● Address pool: 1

Traffic policy restricting P2P traffic

Traffic policy
● Name: policy_bandwidth_p2p
● Source security zone: trust
● Destination security zone: ISP1, ISP2
● Application: P2P online video and P2P file sharing
● Action: limit
● Traffic profile: profile_p2p

Traffic profile
● Name: profile_p2p
● Restrict mode: upstream bandwidth and downstream bandwidth
● Maximum upstream bandwidth: 2000 Mbit/s
● Maximum downstream bandwidth: 6000 Mbit/s
● Whole maximum connections: 10,000

Description: The P2P online video and P2P file sharing applications are selected,
which are P2P media and P2P download.

Traffic profile
● Name: profile_email
● Restrict mode: upstream bandwidth and downstream bandwidth
● Guaranteed upstream bandwidth: 4000 Mbit/s
● Guaranteed downstream bandwidth: 4000 Mbit/s

Traffic profile
● Name: profile_management
● Restrict mode: upstream bandwidth and downstream bandwidth
● Guaranteed upstream bandwidth: 200 Mbit/s
● Guaranteed downstream bandwidth: 200 Mbit/s
● Maximum upstream bandwidth for one IP address: 2 Mbit/s
● Maximum downstream bandwidth for one IP address: 2 Mbit/s
Attack Defense
Attack defense should be enabled on the FW for security defense. The
recommended configuration is as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
IPSec Planning
For branch employees, IPSec VPN is needed to ensure secure communication with
headquarters employees and access to the headquarters servers. If there are not
many branches, point-to-point IPSec VPN in IKE mode is recommended. In the case
of many branches, point-to-multipoint IPSec VPN is recommended.
Item Data
Virtual-Template port
● Port number: Virtual-Template 1
● IP address: 10.11.1.1/24
L2TP configuration
● Authentication mode: CHAP and PAP
● Tunnel authentication: enable
● Tunnel peer name: client1
● Tunnel local name: lns
● Tunnel password: Password@123
IPSec configuration
● Use the LNS server's IP address: enable
● Encapsulation mode: tunnel
● Security protocol: ESP
● ESP authentication algorithm: SHA-1
● ESP encryption algorithm: AES-128
● NAT traversal: enable
User configuration
● Name for user authentication: vpdnuser
● Password for user authentication: Hello123
IPSec configuration
● Pre-shared key: Test!1234
● Peer address: 1.1.1.2
5.4 Precautions
Intelligent Uplink Selection
For versions earlier than V500R001C30SPC600, global intelligent uplink selection
and PBR intelligent uplink selection cannot be used together with IP address
spoofing defense or Unicast Reverse Path Forwarding (URPF). If IP address
spoofing defense or URPF is enabled, the FW may drop packets.
Hot Standby
● When hot standby runs together with IPSec, the upstream and downstream
tunneling interfaces of the active and standby devices must be Layer 3
interfaces.
● When hot standby runs together with IPSec, the hot standby configuration
and the IPSec configuration are the same as when each runs alone.
● IPSec policy configuration of the active firewall is automatically replicated to
the standby firewall, but the configuration on interfaces is not replicated.
domain name". For example, "user1@test" represents the user user1 in the
test authentication domain, and secgroup1 represents the security group
secgroup1 in the authentication domain test.
● User-related actions, including creating a user, moving a user, and importing a
user from the server, are all based on one authentication domain. Inter-
domain actions are not supported.
NAT Policies
● When configuring the two source NAT mechanisms, NAT No-PAT and triplet
NAT, do not set the address of a firewall interface to an address in the NAT
address pool to avoid impact on access to the firewall itself.
● When NAT and VPN functions work together, define precise matching
conditions for NAT policies to ensure that NAT is not performed for packets
requiring VPN encapsulation.
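The second precaution (and the no-NAT requirement repeated under IPSec VPN below) is only met if the no-NAT rule is actually reached: the FW evaluates NAT policy rules top-down and stops at the first match, so a no-pat rule listed after a broader source-nat rule for the same zones never sees the VPN traffic. The following Python script is an added example, not part of this document and not a Huawei tool. It parses nat-policy rules in the format this chapter prints, assumes that top-down first-match evaluation, and reports each no-pat rule that an earlier source-nat rule already covers. The sample configuration is constructed from the rule names and addresses of this chapter, in the order the rules appear in the configuration file at the end of the chapter; on the FW itself the order is corrected with the rule move command in the nat-policy view.

```python
"""Check the 'no NAT for VPN traffic' precaution against nat-policy rule order.

Added example, not part of this Huawei document and not a Huawei tool. It
parses nat-policy rules in the format printed in this chapter, assumes the
FW evaluates rules top-down and stops at the first match, and reports every
no-pat rule that an earlier source-nat rule with broader conditions would
already have matched (so the VPN traffic would be translated after all).
"""
import ipaddress
import re

# Constructed sample: the four nat-policy rules of this chapter, in the order
# they are listed in the configuration file at the end of the chapter.
SAMPLE_NAT_POLICY = """\
nat-policy
 rule name policy_nat_internet_01
  source-zone trust
  destination-zone ISP1
  action source-nat address-group nataddr
 rule name policy_nat_internet_02
  source-zone trust
  destination-zone ISP2
  action source-nat address-group nataddr
 rule name policy_nat_ipsec_01
  source-zone trust
  destination-zone ISP1
  destination-address 192.168.1.0 24
  action no-pat
 rule name policy_nat_ipsec_02
  source-zone trust
  destination-zone ISP2
  destination-address 192.168.1.0 24
  action no-pat
#
"""


def parse_nat_rules(config_text):
    """Return the nat-policy rules as dicts, in configuration (= match) order."""
    rules = []
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "nat-policy":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "#":            # '#' closes a section in a Huawei config file
            break
        match = re.match(r"rule name (\S+)$", line)
        if match:
            rules.append({"name": match.group(1), "src_zones": set(),
                          "dst_zones": set(), "src_nets": [], "dst_nets": [],
                          "action": None})
            continue
        rule = rules[-1]
        tokens = line.split()
        if tokens[0] == "source-zone":
            rule["src_zones"].add(tokens[1])
        elif tokens[0] == "destination-zone":
            rule["dst_zones"].add(tokens[1])
        elif tokens[0] in ("source-address", "destination-address") and len(tokens) == 3:
            # '<address> <mask-length>' form; the 'range a b' form is not needed here
            net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            key = "src_nets" if tokens[0] == "source-address" else "dst_nets"
            rule[key].append(net)
        elif tokens[0] == "action":
            rule["action"] = tokens[1]       # 'source-nat' or 'no-pat'
    return rules


def _zones_cover(outer, inner):
    """An empty zone set means 'any'; otherwise inner must be a subset of outer."""
    return not outer or (bool(inner) and inner <= outer)


def _nets_cover(outer, inner):
    """An empty network list means 'any'; otherwise every inner network must
    lie inside some outer network."""
    if not outer:
        return True
    return bool(inner) and all(
        any(i.version == o.version and i.subnet_of(o) for o in outer) for i in inner)


def find_shadowed_no_nat(rules):
    """Return (no-pat rule, earlier source-nat rule) name pairs where the
    earlier rule already matches everything the no-pat rule would match."""
    findings = []
    for index, later in enumerate(rules):
        if later["action"] != "no-pat":
            continue
        for earlier in rules[:index]:
            if earlier["action"] == "source-nat" and all((
                    _zones_cover(earlier["src_zones"], later["src_zones"]),
                    _zones_cover(earlier["dst_zones"], later["dst_zones"]),
                    _nets_cover(earlier["src_nets"], later["src_nets"]),
                    _nets_cover(earlier["dst_nets"], later["dst_nets"]))):
                findings.append((later["name"], earlier["name"]))
                break
    return findings


def no_nat_first(rules):
    """Rule order that satisfies the precaution: every no-pat rule ahead of
    the source-nat rules (what 'rule move' achieves on the FW)."""
    return ([r for r in rules if r["action"] == "no-pat"]
            + [r for r in rules if r["action"] != "no-pat"])


if __name__ == "__main__":
    parsed = parse_nat_rules(SAMPLE_NAT_POLICY)
    for shadowed, by in find_shadowed_no_nat(parsed):
        print(f"{shadowed} is never reached: {by} matches the same traffic first")
    print("order after fix:", [r["name"] for r in no_nat_first(parsed)])
```

Run against the constructed sample, the script reports both no-pat rules as shadowed by the internet rules for the same zone pair; after no_nat_first reorders them the report is empty. The same check is worth running after any later change to the NAT policy, since newly created rules are appended at the bottom.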
IPSec VPN
● When the IPSec proposal is configured, the security protocol, authentication
algorithm, encryption algorithm, and packet encapsulation must be exactly
the same at both ends of the IPSec tunnel.
● It is recommended that the MTU on the interface where an IPSec security
policy group is applied is not smaller than 256 bytes. The size of IP packets
increases after IPSec processing, and the increase varies with the
encapsulation mode, security protocol, authentication algorithm, and
encryption algorithm (at most a little over 100 bytes). If the MTU is too small,
large IP packets are fragmented, and when there are too many fragments the
peer device may have problems processing the received fragments.
● When both IPSec and NAT are configured, NAT cannot be performed for IPSec
traffic, and no-NAT is required.
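To make the size increase concrete for the settings planned in this chapter (ESP, tunnel mode, SHA-1, AES-128, NAT traversal enabled), the following Python script is an added example, not from the Huawei document. It works out the encapsulated packet size from the RFC field sizes of that cipher suite and the largest inner packet that still fits a given MTU; the packet lengths it is run on are constructed sample values. For this suite the overhead is between 58 and 73 bytes (66 to 81 with NAT traversal), so a 1500-byte packet from an intranet host no longer fits a 1500-byte MTU after encapsulation and is fragmented.

```python
"""Worked ESP overhead computation for the IPSec settings planned in this chapter.

Added example, not part of this Huawei document. It computes the size of an
IP packet after ESP tunnel-mode encapsulation with AES-128 (CBC) and SHA-1
(HMAC-SHA1-96), with or without NAT traversal (UDP encapsulation), and whether
the result exceeds the MTU and will be fragmented. Field sizes follow
RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 2404 (HMAC-SHA1-96) and RFC 3948
(UDP encapsulation); the packet lengths used below are constructed values.
"""

IPV4_HEADER = 20   # new outer IP header added in tunnel mode
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
AES_BLOCK = 16     # AES-CBC block size: the IV is one block, payload is padded to a block multiple
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
SHA1_96_ICV = 12   # truncated HMAC-SHA1 integrity check value
UDP_HEADER = 8     # added when NAT traversal wraps ESP in UDP (port 4500)


def esp_tunnel_size(inner_len, nat_traversal=False, block=AES_BLOCK, icv=SHA1_96_ICV):
    """Return (encapsulated_len, overhead) for an inner IP packet of inner_len bytes."""
    # Padding makes (inner packet + ESP trailer) a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    total = IPV4_HEADER + ESP_HEADER + block + inner_len + pad + ESP_TRAILER + icv
    if nat_traversal:
        total += UDP_HEADER
    return total, total - inner_len


def worst_case_overhead(nat_traversal=False, block=AES_BLOCK, icv=SHA1_96_ICV):
    """Largest possible overhead for this cipher suite (maximum padding)."""
    return max(esp_tunnel_size(n, nat_traversal, block, icv)[1] for n in range(block))


def needs_fragmentation(inner_len, mtu, nat_traversal=False):
    """True if the encapsulated packet is larger than the egress MTU."""
    return esp_tunnel_size(inner_len, nat_traversal)[0] > mtu


def max_inner_len(mtu, nat_traversal=False, block=AES_BLOCK, icv=SHA1_96_ICV):
    """Largest inner IP packet that still fits the MTU after encapsulation
    (subtract 40 bytes of IP+TCP headers to get the TCP MSS to advertise)."""
    inner = mtu
    while esp_tunnel_size(inner, nat_traversal, block, icv)[0] > mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for inner in (64, 576, 1400, 1500):
        for nat_t in (False, True):
            total, overhead = esp_tunnel_size(inner, nat_t)
            print(f"inner {inner:4d} B  NAT-T={nat_t!s:5}  encapsulated {total:4d} B "
                  f"(+{overhead})  fragmented at MTU 1500: {needs_fragmentation(inner, 1500, nat_t)}")
    print("worst-case overhead:", worst_case_overhead(), "bytes,",
          worst_case_overhead(True), "bytes with NAT traversal")
    print("largest inner packet for a 1500-byte MTU:", max_inner_len(1500),
          "/", max_inner_len(1500, nat_traversal=True), "with NAT traversal")
```

The block and icv parameters let the same computation be repeated for other proposals (for example a 16-byte ICV for SHA-256), which is the dependence on algorithm choice the precaution above refers to.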
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/4
[FW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 16
[FW_A-GigabitEthernet1/0/4] quit
[FW_A] interface GigabitEthernet 1/0/5
[FW_A-GigabitEthernet1/0/5] portswitch
[FW_A-GigabitEthernet1/0/5] quit
# Configure two default routes on FW_A, and set their next hops respectively to
the access points of the two ISPs.
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
[FW_A] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
[FW_A] multi-interface
[FW_A-multi-inter] mode priority-of-link-quality
[FW_A-multi-inter] add interface GigabitEthernet1/0/1
[FW_A-multi-inter] add interface GigabitEthernet1/0/2
[FW_A-multi-inter] priority-of-link-quality protocol tcp-simple
[FW_A-multi-inter] priority-of-link-quality parameter delay jitter loss
[FW_A-multi-inter] priority-of-link-quality interval 3 times 5
[FW_A-multi-inter] priority-of-link-quality table aging-time 60
[FW_A-multi-inter] quit
# Similarly, create the groups marketing, research, and onbusiness, and create all
users of every department/group according to the corporate organizational
structure.
# Configure the AD server.
The parameters set here must be consistent with those set on the AD server.
HRP_M[FW_A] ad-server template auth_server_ad
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication 10.3.0.251 88
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
HRP_M[FW_A-ad-auth_server_ad] ad-server authentication ldap-port 389
HRP_M[FW_A-ad-auth_server_ad] ad-server user-filter sAMAccountName
HRP_M[FW_A-ad-auth_server_ad] ad-server group-filter ou
HRP_M[FW_A-ad-auth_server_ad] quit
HRP_M[FW_A] aaa
HRP_M[FW_A-aaa] domain cce.com
HRP_M[FW_A-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
HRP_M[FW_A-aaa-domain-cce.com] quit
HRP_M[FW_A-aaa] quit
Step 9 Configure security policies. After hot standby is enabled, the security policies of
FW_A are automatically replicated to FW_B.
# Configure URL filtering profile profile_url and set the URL filtering control level
to medium.
HRP_M[FW_A] profile type url-filter name profile_url
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined control-level medium
HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined action allow
HRP_M[FW_A-profile-url-filter-profile_url] quit
# Configure the security policy that allows extranet users to access the intranet
servers.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec_server
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP1
HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP2
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.10 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.11 32
HRP_M[FW_A-policy-security-rule-policy_sec_server] action permit
HRP_M[FW_A-policy-security-rule-policy_sec_server] quit
HRP_M[FW_A-policy-security] quit
Step 10 Configure NAT. After hot standby is enabled, the NAT policies of FW_A are
automatically synchronized to FW_B.
# Configure NAT address pool nataddr.
HRP_M[FW_A] nat address-group nataddr
HRP_M[FW_A-nat-address-group-nataddr] mode pat
HRP_M[FW_A-nat-address-group-nataddr] section 0 1.1.1.1 1.1.1.4
HRP_M[FW_A-nat-address-group-nataddr] route enable
HRP_M[FW_A-nat-address-group-nataddr] quit
# Configure the NAT policy for traffic to the Internet, policy_nat_internet_01 and
policy_nat_internet_02.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_01
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] destination-zone ISP1
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] quit
HRP_M[FW_A-policy-nat] rule name policy_nat_internet_02
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] destination-zone ISP2
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] action source-nat address-group nataddr
HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] quit
Step 11 Configure attack defense. After hot standby is enabled, the attack defense
configuration of FW_A is automatically synchronized to FW_B.
HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable
Step 12 Configure traffic policies. After hot standby is enabled, the traffic policies of FW_A
are automatically replicated to FW_B.
# Configure the time range.
HRP_M[FW_A] time-range work_time
HRP_M[FW_A-time-range-work_time] period-range 09:00:00 to 18:00:00 working-day
HRP_M[FW_A-time-range-work_time] quit
# Configure the traffic profile that guarantees the bandwidth for email and ERP
applications.
HRP_M[FW_A] traffic-policy
HRP_M[FW_A-policy-traffic] profile profile_email
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole upstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole downstream 4000000
HRP_M[FW_A-policy-traffic-profile-profile_email] quit
# Configure the traffic policy that guarantees the bandwidth for email and ERP
applications.
HRP_M[FW_A-policy-traffic] rule name policy_email
HRP_M[FW_A-policy-traffic-rule-policy_email] source-zone trust
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP1
HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP2
HRP_M[FW_A-policy-traffic-rule-policy_email] application app LotusNotes OWA
HRP_M[FW_A-policy-traffic-rule-policy_email] time-range work_time
HRP_M[FW_A-policy-traffic-rule-policy_email] action qos profile profile_email
HRP_M[FW_A-policy-traffic-rule-policy_email] quit
Step 13 Configure IPSec VPN. After hot standby is enabled, the IPSec VPN configuration of
FW_A is automatically synchronized to FW_B.
# Configure IPSec on FW_A at the headquarters.
HRP_M[FW_A] acl 3000
HRP_M[FW_A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
HRP_M[FW_A-acl-adv-3000] quit
HRP_M[FW_A] ipsec proposal tran1
HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-128
HRP_M[FW_A-ipsec-proposal-tran1] quit
HRP_M[FW_A] ike proposal 10
HRP_M[FW_A-ike-proposal-10] authentication-method pre-share
HRP_M[FW_A-ike-proposal-10] prf hmac-sha1
HRP_M[FW_A-ike-proposal-10] encryption-algorithm 3des
HRP_M[FW_A-ike-proposal-10] dh group5
HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
HRP_M[FW_A-ike-proposal-10] quit
HRP_M[FW_A] ike peer headquarters
HRP_M[FW_A-ike-peer-headquarters] ike-proposal 10
HRP_M[FW_A-ike-peer-headquarters] pre-shared-key Admin@123
HRP_M[FW_A-ike-peer-headquarters] quit
HRP_M[FW_A] ipsec policy-template temp 1
HRP_M[FW_A-ipsec-policy-templet-temp-1] security acl 3000
HRP_M[FW_A-ipsec-policy-templet-temp-1] proposal tran1
HRP_M[FW_A-ipsec-policy-templet-temp-1] ike-peer headquarters
HRP_M[FW_A-ipsec-policy-templet-temp-1] quit
HRP_M[FW_A] ipsec policy policy1 1 isakmp template temp
HRP_M[FW_A] interface GigabitEthernet 1/0/1
# Enable L2TP.
HRP_M[FW_A] l2tp enable
The IP address of the virtual interface must not be an address in the configured address
pool or the address of any other interface. You can set any IP address except the mentioned
ones.
The service scheme for allocating the peer IP address must be consistent with that
configured in the AAA domain. Otherwise, the LNS cannot allocate an address to the client.
# Create an L2TP group, bind the virtual interface template, and configure tunnel
authentication.
HRP_M[FW_A] l2tp-group 1
HRP_M[FW_A-l2tp1] allow l2tp virtual-template 1 remote client1
HRP_M[FW_A-l2tp1] tunnel name lns
HRP_M[FW_A-l2tp1] tunnel authentication
HRP_M[FW_A-l2tp1] tunnel password cipher Password@123
HRP_M[FW_A-l2tp1] quit
This step should be performed when the VPN Client is disconnected from the dialup
connection.
If no connection exists, click New to create a connection following the instructions.
2. Configure the basic information in the Basic Settings tab and enable an IPSec
security protocol.
See Figure 5-4 for the parameter settings. Enable the IPSec security protocol,
and set the login password to "Hello123" and the identity authentication
word to "Test!1234".
The IPSec identity authentication word set on the VPN Client must be consistent with
the pre-shared key set on the LNS.
3. If the user needs to access the Internet, select Allow Internet Access in the
Basic Settings tab, and configure related routes in the Route Settings tab.
5. Set the basic information of IPSec in the IPSec Settings tab. See Figure 5-8
for the parameter settings.
When the VPN tunnel on the LNS side is L2TP over IPSec, the LNS does not perform
tunnel authentication for the VPN Client. Therefore, it is not necessary to configure the
L2TP Settings tab on the VPN Client.
6. Set the basic information of IKE in the IKE Settings tab. See Figure 5-9 for
the parameter settings.
----End
5.5.2 Verification
Procedure
Step 1 Run the display hrp state command on FW_A to view the current HRP state. The
following information indicates that HRP is successfully set up.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes
Step 2 Different users on the intranet and mobile employees can access the Internet as
planned.
Step 3 Run the shutdown command on GigabitEthernet1/0/1 of FW_A to simulate a link
fault. The active/standby switchover is normal without services interrupted.
----End
FW_A
 gateway 1.1.1.254
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
 ipsec policy policy1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.1.1.1 255.255.0.0
#
interface GigabitEthernet1/0/5
 portswitch
#
interface Eth-Trunk 1
 ip address 10.10.0.1 255.255.255.0
 trunkport GigabitEthernet 1/0/3
 trunkport GigabitEthernet 2/0/1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 set priority 5
 add interface Virtual-Template1
#
firewall zone ISP1
 set priority 15
 add interface GigabitEthernet1/0/1
#
firewall zone ISP2
 set priority 20
 add interface GigabitEthernet1/0/2
#
firewall zone Heart
 set priority 75
 add interface Eth-Trunk1
#
router id 1.1.1.2
#
ospf 100
 default-route-advertise
 area 0
  network 1.1.1.0 0.0.0.255
  network 10.1.0.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
 destination 1.1.1.254 interface GigabitEthernet1/0/1
ip-link name ip_link_2
 destination 2.2.2.254 interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
#
user-manage online-user aging-time 480
user-manage single-sign-on ad
 mode no-plug-in
 no-plug-in interface GigabitEthernet1/0/5
 no-plug-in traffic server-ip 10.3.0.251 port 88
 enable
#
user-manage user vpdnuser
 password Hello123
#
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group
 import-override enable
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authorization-scheme default
  authentication-mode local
 service-scheme l2tp
  ip-pool pool1
 domain net1
  service-type internetaccess l2tp
  authentication-scheme default
  service-scheme l2tp
#
profile type url-filter name profile_url
 category pre-defined control-level medium
 category pre-defined action allow
#
nat address-group nataddr
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.4
#
multi-interface
 mode priority-of-link-quality
 priority-of-link-quality parameter delay jitter loss
 priority-of-link-quality protocol tcp-simple
 priority-of-link-quality interval 3 times 5
 priority-of-link-quality table aging-time 60
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link ip_link_1
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment sub-category VoIP
  application category Entertainment sub-category PeerCasting
  track ip-link ip_link_2
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.254
#
security-policy
 rule name policy_sec_management
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/management
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  application category Entertainment sub-category Media_Sharing
  application category Entertainment sub-category Game
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  application category Entertainment
  action deny
 rule name policy_sec_research_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_manufacture
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/manufacture
  action deny
 rule name policy_sec_ipsec_1
  source-zone local
  source-zone ISP1
  source-zone ISP2
  destination-zone local
  destination-zone ISP1
  destination-zone ISP2
  source-address 1.1.1.2 32
  source-address 3.3.3.1 32
  destination-address 1.1.1.2 32
  destination-address 3.3.3.1 32
  action permit
 rule name policy_sec_ipsec_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.0.0 16
  destination-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_ipsec_3
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  source-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_l2tp_ipsec_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.1.1 16
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_sec_l2tp_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 10.1.1.1 16
  action permit
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust
  destination-address 10.3.0.251 32
  action permit
 rule name local_policy_ad_02
  source-zone trust
  destination-zone local
  source-address 10.3.0.251 32
  action permit
 rule name policy_sec_server
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  destination-address 10.2.0.10 32
  destination-address 10.2.0.11 32
  action permit
#
nat-policy
 rule name policy_nat_internet_01
  source-zone trust
  destination-zone ISP1
  action source-nat address-group nataddr
 rule name policy_nat_internet_02
  source-zone trust
  destination-zone ISP2
  action source-nat address-group nataddr
 rule name policy_nat_ipsec_01
  source-zone trust
  destination-zone ISP1
  destination-address 192.168.1.0 24
  action no-pat
 rule name policy_nat_ipsec_02
  source-zone trust
  destination-zone ISP2
  destination-address 192.168.1.0 24
  action no-pat
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole upstream 2000000
  bandwidth connection-limit whole downstream 6000000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole upstream 4000000
  bandwidth guaranteed-bandwidth whole downstream 4000000
 profile profile_management
  bandwidth guaranteed-bandwidth whole upstream 200000
  bandwidth guaranteed-bandwidth whole downstream 200000
  bandwidth maximum-bandwidth per-ip upstream 20000
  bandwidth maximum-bandwidth per-ip downstream 20000
 rule name policy_bandwidth_p2p
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application app LotusNotes
  application app OWA
  time-range work_time
  action qos profile profile_email
 rule name policy_bandwidth_management
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/management
  action qos profile profile_management
# The following configurations are used to create users/groups. These configurations are stored in the database and are not contained in the configuration file.
user-manage group /default/management
user-manage group /default/marketing
user-manage group /default/research
user-manage user user_0001
 alias Tom
 parent-group /default/management
 password *********
 undo multi-ip online enable

FW_B
 gateway 1.1.1.254
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
 ipsec policy policy1
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.1 255.255.255.0
 gateway 2.2.2.254
 vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 standby
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 10.2.1.1 255.255.0.0
#
interface GigabitEthernet1/0/5
 portswitch
#
interface Eth-Trunk 1
 ip address 10.10.0.2 255.255.255.0
 trunkport GigabitEthernet 1/0/3
 trunkport GigabitEthernet 2/0/1
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/4
 add interface GigabitEthernet1/0/5
#
firewall zone untrust
 set priority 5
 add interface Virtual-Template1
#
firewall zone ISP1
 set priority 15
 add interface GigabitEthernet1/0/1
#
firewall zone ISP2
 set priority 20
 add interface GigabitEthernet1/0/2
#
firewall zone Heart
 set priority 75
 add interface Eth-Trunk1
#
router id 2.2.2.3
#
ospf 100
 default-route-advertise
 area 0
  network 2.2.2.0 0.0.0.255
  network 10.2.0.0 0.0.0.255
#
ip-link check enable
ip-link name ip_link_1
 destination 1.1.1.254 interface GigabitEthernet1/0/1
ip-link name ip_link_2
 destination 2.2.2.254 interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2
#
user-manage online-user aging-time 480
user-manage single-sign-on ad
 mode no-plug-in
 no-plug-in interface GigabitEthernet1/0/5
 no-plug-in traffic server-ip 10.3.0.251 port 88
 enable
#
user-manage user vpdnuser
 password Hello123
#
ad-server template auth_server_ad
 ad-server authentication 10.3.0.251 88
 ad-server authentication base-dn dc=cce,dc=com
 ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$
 ad-server authentication host-name ad.cce.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#
user-manage import-policy policy_import from ad
 server template auth_server_ad
 server basedn dc=cce,dc=com
 destination-group /cce.com
 user-attribute sAMAccountName
 user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer)))
 group-filter (|(objectclass=organizationalUnit)(ou=*))
 import-type user-group
 import-override enable
#
ip pool pool1
 section 1 10.1.1.2 10.1.1.100
#
aaa
 authorization-scheme default
  authentication-mode local
 service-scheme l2tp
  ip-pool pool1
 domain net1
  service-type internetaccess l2tp
  authentication-scheme default
  service-scheme l2tp
#
profile type url-filter name profile_url
 category pre-defined control-level medium
 category pre-defined action allow
#
nat address-group nataddr
 mode pat
 route enable
 section 0 1.1.1.1 1.1.1.4
#
multi-interface
 mode priority-of-link-quality
 priority-of-link-quality parameter delay jitter loss
 priority-of-link-quality protocol tcp-simple
 priority-of-link-quality interval 3 times 5
 priority-of-link-quality table aging-time 60
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link ip_link_1
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment sub-category VoIP
  application category Entertainment sub-category PeerCasting
  track ip-link ip_link_2
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.254
#
security-policy
 rule name policy_sec_management
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/management
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_marketing_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  application category Entertainment sub-category Media_Sharing
  application category Entertainment sub-category Game
  action deny
 rule name policy_sec_marketing_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/marketing
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_research_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  application category Entertainment
  action deny
 rule name policy_sec_research_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/research
  profile av default
  profile ips default
  profile url-filter profile_url
  action permit
 rule name policy_sec_manufacture
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  user user-group /default/manufacture
  action deny
 rule name policy_sec_ipsec_1
  source-zone local
  source-zone ISP1
  source-zone ISP2
  destination-zone local
  destination-zone ISP1
  destination-zone ISP2
  source-address 1.1.1.2 32
  source-address 3.3.3.1 32
  destination-address 1.1.1.2 32
  destination-address 3.3.3.1 32
  action permit
 rule name policy_sec_ipsec_2
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.0.0 16
  destination-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_ipsec_3
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  source-address 192.168.1.0 24
  profile av default
  profile ips default
  action permit
 rule name policy_sec_l2tp_ipsec_1
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  source-address 10.1.1.1 16
  destination-address range 10.1.1.2 10.1.1.100
  action permit
 rule name policy_sec_l2tp_ipsec_2
  source-zone untrust
  destination-zone trust
  source-address range 10.1.1.2 10.1.1.100
  destination-address 10.1.1.1 16
  action permit
 rule name local_policy_ad_01
  source-zone local
  destination-zone trust
  destination-address 10.3.0.251 32
  action permit
 rule name local_policy_ad_02
  source-zone trust
  destination-zone local
  source-address 10.3.0.251 32
  action permit
 rule name policy_sec_server
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  destination-address 10.2.0.10 32
  destination-address 10.2.0.11 32
  action permit
#
nat-policy
 rule name policy_nat_internet_01
  source-zone trust
  destination-zone ISP1
  action source-nat address-group nataddr
 rule name policy_nat_internet_02
  source-zone trust
  destination-zone ISP2
  action source-nat address-group nataddr
 rule name policy_nat_ipsec_01
  source-zone trust
  destination-zone ISP1
  destination-address 192.168.1.0 24
  action no-pat
 rule name policy_nat_ipsec_02
  source-zone trust
  destination-zone ISP2
  destination-address 192.168.1.0 24
  action no-pat
#
traffic-policy
 profile profile_p2p
  bandwidth maximum-bandwidth whole upstream 2000000
  bandwidth connection-limit whole downstream 6000000
  bandwidth connection-limit whole both 10000
 profile profile_email
  bandwidth guaranteed-bandwidth whole upstream 4000000
  bandwidth guaranteed-bandwidth whole downstream 4000000
 profile profile_management
  bandwidth guaranteed-bandwidth whole upstream 200000
  bandwidth guaranteed-bandwidth whole downstream 200000
  bandwidth maximum-bandwidth per-ip upstream 20000
  bandwidth maximum-bandwidth per-ip downstream 20000
 rule name policy_bandwidth_p2p
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application category Entertainment sub-category PeerCasting
  application category General_Internet sub-category FileShare_P2P
  action qos profile profile_p2p
 rule name policy_email
  source-zone trust
  destination-zone ISP1
  destination-zone ISP2
  application app LotusNotes
  application app OWA
  time-range work_time
  action qos profile profile_email
 rule name policy_bandwidth_management
  source-zone ISP1
  source-zone ISP2
  destination-zone trust
  user user-group /default/management
  action qos profile profile_management
# The following configurations are used to create users/groups. These configurations are stored in the database and are not contained in the configuration file.
user-manage group /default/management
user-manage group /default/marketing
user-manage group /default/research
user-manage user user_0001
 alias Tom
 parent-group /default/management
 password *********
 undo multi-ip online enable
6.1 Introduction
This section describes the application of the firewall in the Service Control
Gateway (SCG) carrier scenario. By analyzing the security issues faced by the SCG,
this section provides a typical application solution of the firewall.
This document is based on Eudemon8000E-X V500R005C00 and can be used as a
reference for Eudemon8000E-X V500R005C00, V600R006C00, and later versions.
Document content may vary according to version.
The SCG works in explicit or transparent proxy mode based on WAP/HTTP service
awareness.
● Explicit proxy (WAPGW)
The SCG provides gateway services. In this mode, service access users must set the SCG
address as the gateway address on their clients. After receiving a user request, the SCG
translates the user address into the SCG address and connects to the Internet.
● Transparent proxy (Proxy)
The SCG behaves like a router and does not provide gateway services. In this mode,
service access users do not need to set gateway addresses on their clients. User requests
are routed to the SCG by the network devices. After receiving a user request, the SCG
uses the client IP address to connect to the web server. This prevents the denial of service
or verification code (CAPTCHA) prompts that occur in explicit proxy mode when many
users share the same post-NAT address and that address appears duplicated or overly active.
Traffic Models
The GGSN and uplink FW establish a GRE tunnel. The GGSN sends service traffic
through the GRE tunnel to the uplink FW to access the SCG. The SCG performs
WAP/HTTP service awareness and translation and sends the traffic to the
downlink FW. The downlink FW performs NAT and sends the traffic to the
Internet.
The FWs use both root systems and virtual systems. The root systems of the FWs are
configured as the uplink-side FWs and work in hot standby; the virtual systems of the FWs
are configured as the downlink-side FWs and also work in hot standby.
In this scenario, only hot standby in active/standby mode is supported.
Reliability Analysis
Figure 6-3 shows the active/standby switchovers when FW_A in the active state at
the uplink side and its link become faulty and recover. The active/standby
switchover processes are as follows:
● Switchover in case of a fault
When FW_A and its link fail, FW_B becomes the active firewall, and the route
is switched to FW_B.
● Switchover in case of fault recovery
After FW_A and its link recover, FW_A preempts to become the active firewall, and the
route and traffic are switched back to FW_A.
Figure 6-4 shows the active/standby switchovers when FW_C in the active state
and its link become faulty and recover. The active/standby switchover processes
are as follows:
● Switchover in case of a fault
When FW_C and its connected link fail, FW_D becomes the active firewall,
and the route is switched to FW_D.
● Switchover in case of fault recovery
After FW_C and its link recover, FW_C preempts to become the active firewall, and the
route and traffic are switched back to FW_C.
Table 6-1 Interface and security zone planning for FW_A and FW_B
FW_A FW_B Description
Table 6-2 Interface and security zone planning for FW_C and FW_D
FW_C FW_D Description
6.3.2.2 Availability
Hot standby in active/standby mode is carried out between FW_A and FW_B and
between FW_C and FW_D. When services at the uplink side are operating properly,
the traffic that enters the SCG is forwarded by FW_A. If FW_A fails, the traffic is
forwarded by FW_B. When services at the downlink side are operating properly,
the traffic that leaves the SCG is forwarded by FW_C. If FW_C fails, the traffic is
forwarded by FW_D. In this way, service continuity at both sides of the SCG is
ensured. Table 6-3 describes the availability planning for FW_A and FW_B, and
Table 6-4 describes the availability planning for FW_C and FW_D.
6.3.2.5 NAT
The GGSN sends user information to the RADIUS server for authentication. If the
authentication succeeds, the RADIUS server sends the user information to the FW.
The NAT Server function is configured at the SCG side to translate private
addresses of the SCG network into public addresses for the RADIUS server to
access, as listed in Table 6-8.
You are advised to set the number of public addresses of the downlink firewall to
[Maximum number of online users x 60%]/[2 x 60000].
The FW needs to perform NAT for traffic sent by users connected to the SCG so
that these users can use post-NAT addresses (public addresses) to access Internet
services. NAT saves public address resources and improves intranet security.
The FW usually uses NAT PAT. Table 6-9 describes the NAT address pool planning.
The active and standby firewalls must have the same NAT address pool planning.
6.3.2.6 Routes
As shown in Figure 6-5, the egress gateways of the SCG are the FWs at the uplink
and downlink sides of the GGSN. OSPF process 1 is planned on FW_A and FW_B to
connect to the GGSN, and OSPF process 2 is planned on FW_C and FW_D to
connect to the Internet.
Different costs are set for FW interfaces to advertise the routes from the firewalls to the
SCG to the GGSN and Internet so that return packets will be sent to the active firewalls.
The Holddown timer and Multipath parameter use their default values on the Layer-2
switch at the GGSN side and the router at the Internet.
Item FW_A FW_B
Process ID 1 1
Cost 10 1000
Item FW_C FW_D
Process ID 2 2
Cost 10 1000
6.3.2.7 Others
ASPF
If multi-channel protocols, such as FTP, RTSP, and PPTP, are used between zones,
run the detect command in the interzone view. Recommended detect commands
are as follows:
detect rtsp
detect ftp
detect pptp
The detect qq and detect msn commands are not recommended in the interzone view.
Attack Defense
Attack defense is configured on the FWs to provide security protection.
Recommended attack defense configuration commands are as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
NMS (SNMP)
The Simple Network Management Protocol (SNMP) is the most widely used
network management protocol on TCP/IP networks. Configure the SNMP agent on
the FW so that the NMS server can manage the FWs.
6.4 Precautions
Hot Standby
● In this scenario, only hot standby in active/standby mode is supported.
● The recommended HRP preemption delay is 300s.
● The traffic bandwidth of the heartbeat interface must not be less than 20% of
device traffic.
● The interfaces connecting the FWs at the uplink and downlink sides to the
intranet switches need to be added to link groups.
Routes
● Different costs are set for FW interfaces to advertise the routes from the
firewalls to the SCG to the GGSN and Internet so that return packets will be
sent to the active firewalls.
● The Holddown timer and Multipath parameter use their default values on the
Layer-2 switch at the GGSN side and the router at the Internet.
NAT
You are advised to set the number of public addresses of the downlink firewall to
[Maximum number of online users x 60%]/[2 x 60000].
ASPF
The detect qq and detect msn commands are not recommended in the interzone
view.
Attack Defense
You are advised to use the recommended attack defense configuration.
6.5.1 Procedure
Procedure
Step 1 Configure interfaces and security zones for FW_A.
# Create Eth-Trunk 0 and configure an IP address for it.
<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description To_FW_B
[FW_A-Eth-Trunk0] ip address 10.10.0.1 24
[FW_A-Eth-Trunk0] quit
[FW_B-GigabitEthernet1/0/2] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] eth-trunk 1
[FW_B-GigabitEthernet1/0/3] quit
[FW_D-GigabitEthernet1/0/0] quit
[FW_D] interface GigabitEthernet 2/0/1
[FW_D-GigabitEthernet2/0/1] eth-trunk 0
[FW_D-GigabitEthernet2/0/1] quit
----End
Procedure
Step 1 Configure the hot standby configuration on FW_A.
# Enable the HRP function.
[FW_A] hrp enable
# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_A] hrp ospf-cost adjust-enable
# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to active.
[FW_A] interface Eth-Trunk 2.1
[FW_A-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 active
[FW_A-Eth-Trunk2.1] quit
# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_B] hrp ospf-cost adjust-enable
# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to standby.
[FW_B] interface Eth-trunk 2.1
[FW_B-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[FW_B-Eth-Trunk2.1] quit
# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_C] hrp ospf-cost adjust-enable
# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to active.
[FW_C] interface Eth-trunk 2.1
[FW_C-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 active
[FW_C-Eth-Trunk2.1] quit
# Enable the function of adjusting the OSPF cost based on the VGMP group
status.
[FW_D] hrp ospf-cost adjust-enable
# Configure VRRP group 1 on the downstream service interface and set the status
of the VRRP group to standby (same virtual IP address as FW_C).
[FW_D] interface Eth-trunk 2.1
[FW_D-Eth-Trunk2.1] vrrp vrid 1 virtual-ip 10.3.1.3 standby
[FW_D-Eth-Trunk2.1] quit
----End
Procedure
Step 1 Configure GRE tunnels on FW_A and FW_B.
HRP_S[FW_B-loopback2] quit
HRP_S[FW_B] interface Tunnel 1
HRP_S[FW_B-Tunnel1] ip address 172.16.2.3 32
HRP_S[FW_B-Tunnel1] quit
HRP_S[FW_B] interface Tunnel 2
HRP_S[FW_B-Tunnel2] ip address 172.16.2.4 32
HRP_S[FW_B-Tunnel2] quit
HRP_S[FW_B] ospf 1
HRP_S[FW_B-ospf-1] area 1
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 172.16.2.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
HRP_S[FW_B-ospf-1] quit
HRP_S[FW_B] interface Tunnel 1
HRP_S[FW_B-Tunnel1] tunnel-protocol gre
HRP_S[FW_B-Tunnel1] source loopback1
HRP_S[FW_B-Tunnel1] destination 10.2.10.2    // IP address of the peer tunnel interface
HRP_S[FW_B-Tunnel1] gre key cipher 123456
HRP_S[FW_B-Tunnel1] ospf timer hello 30
HRP_S[FW_B-Tunnel1] quit
HRP_S[FW_B] interface Tunnel 2
HRP_S[FW_B-Tunnel2] tunnel-protocol gre
HRP_S[FW_B-Tunnel2] source loopback2
HRP_S[FW_B-Tunnel2] destination 10.2.11.2    // IP address of the peer tunnel interface
HRP_S[FW_B-Tunnel2] gre key cipher 123456
HRP_S[FW_B-Tunnel2] ospf timer hello 30
HRP_S[FW_B-Tunnel2] quit
----End
Procedure
Step 1 Configure security policies on FW_A and FW_B.
----End
Procedure
Step 1 Configure the NAT Server function on FW_A and FW_B.
After hot standby is implemented, the NAT configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.
Configure NAT Server based on the service requirements.
After hot standby is implemented, the NAT and ASPF configurations on FW_C are
automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.
# Configure a NAT policy. In this section, the source addresses of the packets from
network segment 10.3.1.0/24 at the SCG are translated. Add rules to the NAT
policy as required.
HRP_M[FW_C] nat-policy
HRP_M[FW_C-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] source-address 10.3.1.0 0.0.0.255
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addressgroup1
HRP_M[FW_C-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_C-policy-nat] quit
----End
Procedure
Step 1 Configure routes on FW_A.
HRP_M[FW_A] acl number 2000
HRP_M[FW_A-acl-basic-2000] description ospf1_import_ggsn
HRP_M[FW_A-acl-basic-2000] rule 5 permit source 221.180.0.0 0.0.0.255    // Network segment of the GGSN
HRP_M[FW_A-acl-basic-2000] rule 100 deny
HRP_M[FW_A-acl-basic-2000] quit
HRP_M[FW_A] interface Eth-Trunk 1
HRP_M[FW_A-Eth-Trunk1] ospf cost 10
HRP_M[FW_A-Eth-Trunk1] ospf network-type p2p
HRP_M[FW_A-Eth-Trunk1] quit
HRP_M[FW_A] ospf 1
HRP_M[FW_A-ospf-1] filter-policy 2000 import
HRP_M[FW_A-ospf-1] area 1
HRP_M[FW_A-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
HRP_M[FW_A-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
HRP_M[FW_A-ospf-1-area-0.0.0.1] quit
HRP_M[FW_A-ospf-1] quit
After hot standby is implemented, the ACL configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.
HRP_S[FW_B] interface Eth-Trunk 1
HRP_S[FW_B-Eth-Trunk1] ospf cost 1000
HRP_S[FW_B-Eth-Trunk1] ospf network-type p2p
HRP_S[FW_B-Eth-Trunk1] quit
HRP_S[FW_B] ospf 1
HRP_S[FW_B-ospf-1] filter-policy 2000 import
HRP_S[FW_B-ospf-1] area 1
HRP_S[FW_B-ospf-1-area-0.0.0.1] authentication-mode md5 1 cipher Huawei-123
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.2.0.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] network 10.3.0.0 0.0.0.255
HRP_S[FW_B-ospf-1-area-0.0.0.1] quit
HRP_S[FW_B-ospf-1] quit
After hot standby is implemented, the ACL configuration on FW_C is automatically backed
up to FW_D. You do not need to repeat the configuration on FW_D.
HRP_S[FW_D] interface Eth-Trunk 1
HRP_S[FW_D-Eth-Trunk1] ospf cost 10
HRP_S[FW_D-Eth-Trunk1] ospf network-type p2p
HRP_S[FW_D-Eth-Trunk1] quit
HRP_S[FW_D] ospf 2
HRP_S[FW_D-ospf-2] filter-policy 2100 import
HRP_S[FW_D-ospf-2] import-route static
HRP_S[FW_D-ospf-2] area 2
HRP_S[FW_D-ospf-2-area-0.0.0.2] authentication-mode md5 1 cipher Huawei-123
HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.2.1.0 0.0.0.255
HRP_S[FW_D-ospf-2-area-0.0.0.2] network 10.3.1.0 0.0.0.255
HRP_S[FW_D-ospf-2-area-0.0.0.2] quit
HRP_S[FW_D-ospf-2] quit
----End
6.5.1.7 Others
Procedure
Step 1 Configure ASPF.
After hot standby is implemented, the ASPF configuration on FW_A is automatically backed
up to FW_B. You do not need to repeat the configuration on FW_B.
After hot standby is implemented, the NAT and ASPF configurations on FW_C are
automatically backed up to FW_D. You do not need to repeat the configurations on FW_D.
Configure the SNMP version on the FW. This step is optional. By default, SNMPv3
is used. To change the SNMP version, perform this step.
HRP_M[FW_A] snmp-agent sys-info version v3
Configure the SNMP version on the FW. This step is optional. By default, SNMPv3
is used. To change the SNMP version, perform this step.
HRP_M[FW_C] snmp-agent sys-info version v3
Step 4 For basic network parameter settings and active/standby configurations of the
upstream and downstream switches and routers, see the product documentation
of the switches and routers.
----End
6.5.2 Verification
1. Run the display hrp state command on FW_A to check the HRP status. If the
following information is displayed, HRP is successfully configured.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes
4. Run the display nat-policy rule rule-name command on FW_C to check the
source NAT policy match count. If the value is 1 or greater, there are data
flows matching the source NAT policy.
5. Run the display firewall session table command on FW_C to search for an
entry whose source address is the private address of the SCG. If the entry
exists and the post-NAT IP address exists in the NAT address pool, the NAT
policy is successfully configured. Information in the square brackets ([]) is the
post-NAT IP address and port. Address 3.3.3.30 at the Internet side is used as
an example.
HRP_M<FW_C> display firewall session table
Current Total Sessions : 1
http VPN:public --> public 10.3.1.0:2474[1.1.1.10:3761]-->3.3.3.30:8080
6. If the RADIUS server can access intranet servers, server mappings are
successfully configured.
7. Users can access the Internet by using their mobile phones.
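The session-table check in step 5 can be automated. The following Python script is an added example and not part of the Huawei document: it parses output in the display firewall session table format shown above and reports, for every session from the SCG private segment, whether the post-NAT address (the value in square brackets) belongs to the NAT address pool. The pool addresses 1.1.1.10 and 1.1.1.11 and the second and third sample lines are constructed for this example.

```python
"""Verify source NAT from 'display firewall session table' output.

Added example (not Huawei's own tooling). It checks that sessions whose
source lies in the SCG segment carry a post-NAT address from the pool.
"""
import ipaddress
import re

# Constructed sample output in the format shown in the verification step.
# Line 1 is the document's example; lines 2 and 3 are made up to show an
# untranslated session and a session translated to an address outside the pool.
SAMPLE_OUTPUT = """\
Current Total Sessions : 3
http VPN:public --> public 10.3.1.0:2474[1.1.1.10:3761]-->3.3.3.30:8080
http VPN:public --> public 10.3.1.20:4101-->3.3.3.30:8080
dns VPN:public --> public 10.3.1.21:53001[9.9.9.9:20000]-->8.8.8.8:53
"""

# One session line: protocol, VPN instances, source, optional [post-NAT], destination.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)


def parse_sessions(output):
    """Return one dict per session line; header and unrelated lines are skipped."""
    sessions = []
    for line in output.splitlines():
        match = SESSION_RE.match(line.strip())
        if match:
            sessions.append(match.groupdict())
    return sessions


def check_source_nat(output, private_segment, nat_pool):
    """Classify sessions originating in private_segment.

    nat_pool is a list of public addresses or networks (strings). The result
    maps 'ok', 'untranslated' and 'outside_pool' to lists of source addresses,
    so a non-empty 'untranslated' or 'outside_pool' list means the NAT policy
    or address pool needs attention.
    """
    segment = ipaddress.ip_network(private_segment)
    pool = [ipaddress.ip_network(entry) for entry in nat_pool]
    result = {"ok": [], "untranslated": [], "outside_pool": []}
    for session in parse_sessions(output):
        src = ipaddress.ip_address(session["src_ip"])
        if src not in segment:
            continue  # not SCG traffic (for example management sessions)
        if session["nat_ip"] is None:
            result["untranslated"].append(session["src_ip"])
            continue
        post_nat = ipaddress.ip_address(session["nat_ip"])
        if any(post_nat in net for net in pool):
            result["ok"].append(session["src_ip"])
        else:
            result["outside_pool"].append(session["src_ip"])
    return result


if __name__ == "__main__":
    # Assumed pool for the example; on a real FW use the addresses of addressgroup1.
    report = check_source_nat(SAMPLE_OUTPUT, "10.3.1.0/24", ["1.1.1.10", "1.1.1.11"])
    for status, sources in report.items():
        print(f"{status}: {sources}")
```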
FW_A
 eth-trunk 1
 link-group 1
#
interface GigabitEthernet1/0/4
 eth-trunk 2
 link-group 1
#
interface GigabitEthernet1/0/5
 eth-trunk 2
 link-group 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2.1
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
 add interface Eth-Trunk1.2
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk0
#
firewall zone tunnelzone
 set priority 20
 add interface tunnel1
 add interface tunnel2
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
#
 rule name trust_tunnelzone_outbound
  source-zone trust
  destination-zone tunnelzone
  source-address 10.3.0.0 24
  action permit
#
 rule name trust_tunnelzone_inbound
  source-zone tunnelzone
  destination-zone trust
  destination-address 10.3.0.0 24
  action permit
#
 rule name local_dmz_outbound
  source-zone local
  destination-zone dmz
  source-address 10.10.0.0 24
  action permit
#
 rule name local_dmz_inbound
  source-zone dmz
  destination-zone local
  destination-address 10.10.0.0 24
  action permit
#
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 10.2.0.0 16
  action permit
#
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 10.2.0.0 16
  action permit
#
nat server for_server protocol tcp global 3.3.3.3 8080 inside 10.3.0.10 80
#
acl number 2000
 description ospf1_import_ggsn
 rule 5 permit source 221.180.0.0 0.0.0.255
 rule 100 deny
#
ospf 1
 filter-policy 2000 import
 area 0.0.0.1
  authentication-mode md5 1 cipher Huawei-123
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
#
interface Tunnel1
 ip address 172.16.2.1 32
 tunnel-protocol gre
 source loopback1
 destination 10.2.10.1
 gre key cipher 123456
 ospf timer hello 30
#
interface Tunnel2
 ip address 172.16.2.2 32
 tunnel-protocol gre
 source loopback2
 destination 10.2.11.1
 gre key cipher 123456
 ospf timer hello 30
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&k d[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return
FW_B
The FW_B configuration is identical to that of FW_A except for the tunnel interface addresses and destinations:
interface Tunnel1
 ip address 172.16.2.3 32
 destination 10.2.10.2
#
interface Tunnel2
 ip address 172.16.2.4 32
 destination 10.2.11.2
7.1 Introduction
This section describes the application of firewalls in the PS security solution. By
analyzing the security issues faced by the mobile core network, this section
provides a typical application solution of the firewall.
This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00
and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions.
Document content may vary according to version.
The 2G/3G mobile core network includes a Circuit Switched (CS) domain and a
Packet Switched (PS) domain. The CS domain deals with voice services (such as
telephony); the PS domain provides data services (such as Internet access).
Long Term Evolution (LTE) is the evolutionary technology of 3G. Currently, all
mainstream carriers are regarding LTE as the major 4G trend. The LTE network
includes the E-UTRAN (radio access subsystem) and SAE (core network
subsystem). The LTE architecture builds entirely on the PS domain and has no CS
domain of 2G/3G. The LTE core network is also referred to as the Evolved Packet
Core (EPC).
Traffic Model
Traffic on the FW comes mainly from the Gi/SGi interface. Some of the traffic is
directly routed to the Internet; other traffic is routed to the WAP gateway (and
then forwarded by the WAP gateway to the Internet). The traffic from the mobile
terminal directly to the Internet is referred to as Internet traffic; the traffic from
the mobile terminal to the WAP gateway is referred to as WAP traffic. Internet
traffic and WAP traffic are collectively referred to as Gi/SGi traffic.
In addition to the Gi/SGi traffic, Gn and Gp traffic sometimes also passes through
the firewall. Gn traffic is the traffic between the local GGSN (P-GW) and SGSN (S-
GW).
The paths for various types of service traffic are as follows:
● Internet traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone >
Internet
Packets of the mobile terminal pass through the access/aggregation network
and the core network and arrive at the Gi/SGi interface. Then the FW
performs NAT for the packets and forwards them to the Internet. In this case,
the FW processes the original TCP/UDP packets from the mobile terminal.
● WAP traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone >
WAP gateway
A GRE tunnel is set up directly between the GGSN (P-GW) and WAP gateway.
The traffic is sent to the WAP gateway which serves as a proxy to forward the
packets to the Internet. In this case, the FW processes GRE packets. The share of
such traffic is declining on 4G networks.
1. HRP is configured on the FWs so that the FWs work in active/standby mode,
improving network reliability and preventing single points of failure. A
heartbeat link is connected between the two FWs for active/standby
negotiation and status backup.
If a great deal of data needs to be backed up, multiple heartbeat links are
recommended. When a 10GE link serves as an HRP backup channel, it can
support a new-session rate of 50,000/s, 5 million concurrent sessions, or 5G of
service traffic. The number of required interfaces is assessed based on the
actual traffic volume. The N+1 backup mode is recommended for the
is recommended. For devices on which multiple NICs can be installed (for the
support situation, see the hardware guide), an inter-board Eth-Trunk interface is
required. That is, the member interfaces of the Eth-Trunk interface are on different
LPUs. The inter-board Eth-Trunk improves reliability and increases bandwidth. On
devices that do not support interface expansion or inter-board Eth-Trunk, a faulty
LPU may make all HRP backup channels unavailable and compromise services.
The upstream and downstream physical links must have the same bandwidth, and
that bandwidth must be greater than the peak traffic. Otherwise, traffic bursts
cause congestion and affect services.
Availability Analysis
Figure 7-3 shows the switchover upon failure of the active firewall FW_A. The
specific process is as follows:
● Switchover upon failure:
FW_A fails, and FW_B becomes active. The OSPF neighbor relationships
between the routers RouterA, RouterC, and FW_A no longer exist, and the
route is switched to FW_B.
● Recovery from failure:
After FW_A recovers from the failure, the OSPF neighbor relationships
between the routers RouterA, RouterC, and FW_A are restored, and FW_A
becomes active. The route is switched back to FW_A, and traffic is routed to
FW_A again.
Figure 7-4 shows the switchover upon failure of a link connected to the active
firewall FW_A (the link to the backbone or to the GGSN/P-GW). The specific process
is as follows:
● Recovery from failure:
After the link recovers from the failure, FW_A becomes active, and its
neighbor relationship with RouterA (RouterC) is restored. The route is
switched back to FW_A, and the traffic is switched back to the original link.
Table 7-1 describes the planning of interfaces and security zones on the FWs.
Security Policies
Table 7-2 describes the planning of security policies on the FW.
Local - Trust (source zone Local, destination zone Trust): the security policy for
access from the FW to the trust zone, which may be set to permit all packets. If a
fine-grained policy is required, note that OSPF packets must be permitted.
Routes
The route planning is as follows:
1. Black-hole routes are configured for NAT addresses, and static routes are
advertised to avoid routing loops.
2. The firewall learns the default route from the Internet-side device and
advertises the default route to the core network-side device in the way of
unforced delivery of OSPF routes. Routing policies also need to be configured.
When the firewall and Internet-side device import static routes, only the
routes to addresses in the NAT address pool are advertised, and the routes to
the other private addresses are not advertised.
3. The firewall learns the addresses of intranet servers and terminal IP addresses
from the core network side device and advertises the routes of the servers to
the Internet side device. Filtering policies are configured for the firewall and
the core network side device, and the firewall does not need to learn the
default route from the core network side device.
Table 7-3 describes the planning of routes on the FWs.
NAT
If the IP address obtained by a mobile terminal is a private address, NAT is
required on the FW. The public address obtained through NAT is used for Internet
access. NAT reduces the use of public addresses and improves the intranet
security.
The usual NAT mode for FWs is NAT PAT. Empirically, one NAT address supports
the NAT for 5000 to 10,000 private IP addresses. Table 7-4 describes the planning
of the NAT address pool. The configuration is the same for the active and standby
firewalls.
Item FW_A FW_B
ID 1 1
Match condition All packets from the 10.10.0.0/16 network segment All packets from the 10.10.0.0/16 network segment
NAT address pool ID 1 1
NAT is performed by the FW for FTP, RTSP, and PPTP traffic from mobile terminals
to the Internet. It is necessary to configure ASPF between the zone where the
Gi/SGi interface resides and the Untrust zone to ensure normal functioning of
these applications.
Attack Defense
Attack defense should be enabled on the FW for security defense. The
recommended configuration is as follows:
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
Log (eLog)
The eLog server is used to collect NAT session logs for source tracing. Configure
the FW to output session logs to the eLog server, including the log output format,
source address, and source port.
7.4 Precautions
Hot Standby
● The recommended preemption delay of a VGMP group is 300s.
● Hot standby supports only OSPF and BGP route adjustment, but not IS-IS
route adjustment. If OSPF or BGP route adjustment is configured, configure
an interzone policy to permit OSPF or BGP packets.
● In hot standby networking, if the upstream device runs BGP, the downstream
device runs OSPF, and OSPF uses default-route-advertise to generate a
default route, perform the following configurations to avoid loops:
– Change the BGP route priority to a value larger than 10 and smaller than
150.
The default priority of an intra-area route is 10 (highest priority). The
default route is an external route, and its default priority is 150. The
default priority of a BGP route is 255 (lowest priority). If the default
priority is used, the BGP route cannot take effect.
– Configure route filtering to prevent the learning of the default
downstream OSPF route.
If the upstream device learns the default downstream route, the traffic of
the upstream device cannot reach the extranet.
● HRP is associated with routing protocols for cost adjustment. Table 7-6
describes the support for routes.
Table 7-6 Routing protocols for cost adjustment associated with HRP
Item Supported or Not
Security Policies
Considering security, interzone security policies are designed based on the security
policy planning. Do not open all interzone security policies.
Attack Defense
The recommended configuration should be used.
NAT
● When planning the NAT address pool, keep the ratio of public addresses to
private addresses at about 1:5,000.
● If servers on the core network provide extranet access services, use port-based
mapping, but not one-to-one IP address mapping, when configuring the NAT
server.
● The recommended NAT mode is 5-tuple NAT. If customers require triplet NAT,
contact service or R&D engineers to reassess the solution.
● In load balancing scenarios, both devices process service traffic. If NAT is
configured, the devices may have conflicting public ports in the NAPT mode.
To prevent such conflicts, configure respective NAT port resources for the
devices. You can run the hrp nat resource primary-group command on the
active device. The standby device will automatically generate the hrp nat
resource secondary-group command.
● You are advised to configure blackhole routes for the NAT address pool to
prevent such issues as routing loops.
GRE
When the following conditions are met, you are advised to enable the function
of using GRE inner packets for SPU selection, so that traffic is distributed
evenly across multiple CPUs.
You can run the firewall gre inner hash enable command to enable the function
of selecting a CPU based on the hash value calculated according to GRE inner
packet information.
Performance
In load-balancing hot standby scenarios, ensure that the traffic does not exceed
70% of the interface bandwidth utilization and SPU CPU processing capability
after being switched to a device. You can run the display interface command to
check the interface bandwidth utilization and the display cpu-usage command to
check the SPU CPU processing capability.
[FW_A-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/5] quit
# Add Eth-Trunk0 to the hrpzone security zone.
[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 0
[FW_A-zone-hrpzone] quit
# Add Eth-Trunk1 to the untrust security zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1
[FW_A-zone-untrust] quit
# Add Eth-Trunk2 to the trust security zone.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 2
[FW_A-zone-trust] quit
2. Configure the interfaces and security zones of FW_B.
# Create Eth-Trunk0, setting its IP address.
<FW_B> system-view
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description To_FW_A
[FW_B-Eth-Trunk0] ip address 192.168.3.2 24
[FW_B-Eth-Trunk0] undo service-manage enable
[FW_B-Eth-Trunk0] quit
# Create Eth-Trunk1, setting its IP address.
[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] description To_Backbone
[FW_B-Eth-Trunk1] ip address 1.1.2.1 24
[FW_B-Eth-Trunk1] undo service-manage enable
[FW_B-Eth-Trunk1] quit
# Create Eth-Trunk 2, setting its IP address.
[FW_B] interface Eth-Trunk 2
[FW_B-Eth-Trunk2] description To_GI
[FW_B-Eth-Trunk2] ip address 10.14.2.1 24
[FW_B-Eth-Trunk2] undo service-manage enable
[FW_B-Eth-Trunk2] quit
# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 2/0/1
[FW_B-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet2/0/1] quit
# Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.
[FW_B] interface GigabitEthernet 2/0/2
[FW_B-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/2] quit
[FW_B] interface GigabitEthernet 2/0/3
[FW_B-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/3] quit
# Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk 2.
[FW_B] interface GigabitEthernet 2/0/4
[FW_B-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/4] quit
[FW_B] interface GigabitEthernet 2/0/5
[FW_B-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/5] quit
# Add Eth-Trunk0 to the hrpzone security zone.
[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 0
[FW_B-zone-hrpzone] quit
# Configure the security policy between the local and untrust zones.
[FW_A-policy-security] rule name local_untrust_outbound
[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_outbound] action permit
[FW_A-policy-security-rule-local_untrust_outbound] quit
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit
# Configure the security policy between the local and hrpzone zones.
[FW_A-policy-security] rule name local_hrpzone_outbound
[FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_outbound] action permit
[FW_A-policy-security-rule-local_hrpzone_outbound] quit
[FW_A-policy-security] rule name local_hrpzone_inbound
[FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_inbound] action permit
[FW_A-policy-security-rule-local_hrpzone_inbound] quit
# Configure the security policy between the trust and untrust zones,
permitting tunnel packets from mobile terminals to the WAP gateway. This rule
permits all traffic from trust to untrust; configure more refined security
policies based on site requirements.
[FW_A-policy-security] rule name trust_untrust_outbound1
[FW_A-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound1] action permit
[FW_A-policy-security-rule-trust_untrust_outbound1] quit
# Configure the security policy between the trust and untrust zones,
permitting packets from mobile terminals to the Internet. All packets from the
10.10.0.0/16 network segment are matched. In practice, you can add rules as
needed.
[FW_A-policy-security] rule name trust_untrust_outbound2
[FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_A-policy-security-rule-trust_untrust_outbound2] action permit
[FW_A-policy-security-rule-trust_untrust_outbound2] quit
# Configure the security policy between the local and untrust zones.
[FW_B-policy-security] rule name local_untrust_outbound
[FW_B-policy-security-rule-local_untrust_outbound] source-zone local
[FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_outbound] action permit
[FW_B-policy-security-rule-local_untrust_outbound] quit
[FW_B-policy-security] rule name local_untrust_inbound
[FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_inbound] action permit
[FW_B-policy-security-rule-local_untrust_inbound] quit
# Configure the security policy between the local and hrpzone zones.
[FW_B-policy-security] rule name local_hrpzone_outbound
[FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_outbound] action permit
[FW_B-policy-security-rule-local_hrpzone_outbound] quit
[FW_B-policy-security] rule name local_hrpzone_inbound
[FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_inbound] action permit
[FW_B-policy-security-rule-local_hrpzone_inbound] quit
# Configure the security policy between the trust and untrust zones,
permitting tunnel packets from mobile terminals to the WAP gateway. This rule
permits all traffic from trust to untrust; configure more refined security
policies based on site requirements.
[FW_B-policy-security] rule name trust_untrust_outbound1
[FW_B-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound1] action permit
[FW_B-policy-security-rule-trust_untrust_outbound1] quit
# Configure the security policy between the trust and untrust zones,
permitting packets from mobile terminals to the Internet. All packets from the
10.10.0.0/16 network segment are matched. In practice, you can add rules as
needed.
[FW_B-policy-security] rule name trust_untrust_outbound2
[FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_B-policy-security-rule-trust_untrust_outbound2] action permit
[FW_B-policy-security-rule-trust_untrust_outbound2] quit
Specify different router IDs for the OSPF processes on the active and standby firewalls
to prevent OSPF route flapping.
# On the side of FW_A that connects to the core network, configure a route
filtering policy so that the default route is not learned.
[FW_A] ip ip-prefix no-default deny 0.0.0.0 0
[FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_A] ospf 2 router-id 10.14.1.1
[FW_A-ospf-2] filter-policy ip-prefix no-default import
[FW_A-ospf-2] default-route-advertise
[FW_A-ospf-2] area 0.0.0.0
[FW_A-ospf-2-area-0.0.0.0] network 10.14.1.0 0.0.0.255
[FW_A-ospf-2-area-0.0.0.0] quit
[FW_A-ospf-2] quit
# On the side of FW_B that connects to the core network, configure a route
filtering policy so that the default route is not learned.
[FW_B] ip ip-prefix no-default deny 0.0.0.0 0
[FW_B] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_B] ospf 2 router-id 10.14.2.1
[FW_B-ospf-2] filter-policy ip-prefix no-default import
[FW_B-ospf-2] default-route-advertise
[FW_B-ospf-2] area 0
[FW_B-ospf-2-area-0.0.0.0] network 10.14.2.0 0.0.0.255
[FW_B-ospf-2-area-0.0.0.0] quit
[FW_B-ospf-2] quit
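The no-default prefix list above depends on two details that are easy to get wrong: the first entry matches only the exact prefix 0.0.0.0/0 (the default route), and the second entry's less-equal 32 is what lets every other prefix through; without it the list's implicit deny would filter all routes out of OSPF process 2. The following Python model is an added illustration, not code from the Huawei document. It assumes the ip-prefix matching rules as commonly documented for Huawei devices (an entry matches when the route's first mask-length bits equal the entry's and the route length falls in the entry's range; with only less-equal given the range is [mask-length, less-equal], with only greater-equal given it is [greater-equal, 32], and a route matching no entry is denied) and applies the page's two entries to constructed sample routes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrefixEntry:
    """One line of an `ip ip-prefix` list: action, prefix, mask length, optional range."""
    action: str                      # "permit" or "deny"
    prefix: str                      # e.g. "0.0.0.0"
    mask_len: int                    # e.g. 0
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def length_range(self):
        # Exact match by default; a single bound extends the range to one side (assumed semantics).
        lo = self.mask_len if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        elif self.greater_equal is not None:
            hi = 32
        else:
            hi = self.mask_len
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Bit test: the first mask_len bits of the route must equal the entry's prefix.
        entry_net = ipaddress.IPv4Network((self.prefix, self.mask_len), strict=False)
        if route.network_address not in entry_net:
            return False
        lo, hi = self.length_range()
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    """First matching entry decides; a route matching no entry is denied (implicit deny)."""
    net = ipaddress.IPv4Network(route)
    for entry in entries:
        if entry.matches(net):
            return entry.action == "permit"
    return False


# The two entries from the FW_A/FW_B configuration above.
NO_DEFAULT = [
    PrefixEntry("deny", "0.0.0.0", 0),                   # exactly 0.0.0.0/0: the default route
    PrefixEntry("permit", "0.0.0.0", 0, less_equal=32),  # any prefix of length 0..32: all other routes
]


def filter_routes(entries: List[PrefixEntry], routes: List[str]) -> Dict[str, bool]:
    """Apply the list to a batch of routes, returning {route: permitted?}."""
    return {r: prefix_list_permits(entries, r) for r in routes}


if __name__ == "__main__":
    # Constructed sample: a downstream default route plus two core-network prefixes.
    sample = ["0.0.0.0/0", "10.14.1.0/24", "10.20.0.0/16"]
    for route, ok in filter_routes(NO_DEFAULT, sample).items():
        print(f"{route:<14} {'imported' if ok else 'filtered'}")
    # With only the deny line configured, the implicit deny drops everything:
    print(filter_routes(NO_DEFAULT[:1], sample))
```

The second call shows the failure mode worth checking after configuration: if the permit line is missing, display ospf routing on the firewall shows no routes learned from the core side at all, not just the default route.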
# Enable HRP.
[FW_A] hrp enable
# Enable HRP.
[FW_B] hrp enable
After hot standby is enabled, the NAT and ASPF configuration of FW_A is automatically
synchronized to FW_B.
# Configure the NAT policy. The source addresses of all packets from the
10.10.0.0/16 network segment are translated. In practice, you can add rules as
needed.
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.10.0.0 0.0.255.255
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group
addressgroup1
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_A-policy-nat] quit
After hot standby is enabled, the attack defense configuration of FW_A is automatically
synchronized to FW_B.
For the configuration on the LogCenter log server, see the product manual of the
LogCenter. Only the configuration on the FW is described.
After hot standby is enabled, the LogCenter configuration of FW_A is automatically
synchronized to FW_B. However, the source address and source port for log export need to
be configured on FW_B.
1. Configure FW_A.
# Configure a log host. When the log format is syslog, the address of the log
host is 2.2.2.2, and the host port must be 514.
# Enable the session log function in the security policy as required. Configure
this function depending on the actual situation.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_untrust
HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
HRP_M[FW_A-policy-security-rule-trust_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_untrust] quit
HRP_M[FW_A-policy-security] quit
Configure the log output format, concurrent mode, and source address/port
(3.3.3.3/6000) of the logs.
HRP_M[FW_A] firewall log session log-type syslog
HRP_M[FW_A] firewall log session multi-host-mode concurrent
HRP_M[FW_A] firewall log source 3.3.3.3 6000
2. Configure FW_B.
Configure the source address and source port for log export (3.3.3.4/6000).
HRP_S[FW_B] firewall log source 3.3.3.4 6000
----End
7.5.2 Verification
1. Run the display hrp state command on FW_A to view the current HRP state.
The following information indicates that HRP is successfully set up.
HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes
2. Users can browse web pages and receive and send multimedia messages
using mobile terminals.
3. Users can roam normally with their mobile terminals.
4. Run the shutdown command on GigabitEthernet2/0/0 of FW_A to simulate a
link fault. The active/standby switchover completes normally and services are
not interrupted.
FW_A
 eth-trunk 2
#
interface GigabitEthernet2/0/5
 eth-trunk 2
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
 rule name local_trust_outbound
  source-zone local
  destination-zone trust
  source-address 10.14.1.0 24
  action permit
 rule name local_trust_inbound
  source-zone trust
  destination-zone local
  destination-address 10.14.1.0 24
  action permit
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 1.1.1.0 24
  action permit
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 24
  action permit
 rule name local_hrpzone_outbound
  source-zone local
  destination-zone hrpzone
  source-address 192.168.3.0 24
  action permit
 rule name local_hrpzone_inbound
  source-zone hrpzone
  destination-zone local
  destination-address 192.168.3.0 24
  action permit
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name trust_untrust_inbound1
  source-zone untrust
  destination-zone trust
  action permit
 rule name trust_untrust_outbound2
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action permit
 rule name trust_untrust
  session logging
  action permit
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.1
 import-route static route-policy PS_NAT
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
#
ospf 2 router-id 10.14.1.1
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0
  network 10.14.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

FW_B
 eth-trunk 2
#
interface GigabitEthernet2/0/5
 eth-trunk 2
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect rtsp
 detect ftp
 detect pptp
#
security-policy
 rule name local_trust_outbound
  source-zone local
  destination-zone trust
  source-address 10.14.2.0 24
  action permit
 rule name local_trust_inbound
  source-zone trust
  destination-zone local
  destination-address 10.14.2.0 24
  action permit
 rule name local_untrust_outbound
  source-zone local
  destination-zone untrust
  source-address 1.1.2.0 24
  action permit
 rule name local_untrust_inbound
  source-zone untrust
  destination-zone local
  destination-address 1.1.2.0 24
  action permit
 rule name local_hrpzone_outbound
  source-zone local
  destination-zone hrpzone
  source-address 192.168.3.0 24
  action permit
 rule name local_hrpzone_inbound
  source-zone hrpzone
  destination-zone local
  destination-address 192.168.3.0 24
  action permit
 rule name trust_untrust_outbound1
  source-zone trust
  destination-zone untrust
  action permit
 rule name trust_untrust_inbound1
  source-zone untrust
  destination-zone trust
  action permit
 rule name trust_untrust_outbound2
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action permit
 rule name trust_untrust
  session logging
  action permit
#
nat-policy
 rule name trust_untrust_outbound
  source-zone trust
  destination-zone untrust
  source-address 10.10.0.0 16
  action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.1.10 32
ip ip-prefix natAddress permit 1.1.1.11 32
ip ip-prefix natAddress permit 1.1.1.12 32
ip ip-prefix natAddress permit 1.1.1.13 32
ip ip-prefix natAddress permit 1.1.1.14 32
ip ip-prefix natAddress permit 1.1.1.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
 if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.3
 import-route static route-policy PS_NAT
 area 0.0.0.0
  network 1.1.2.0 0.0.0.255
#
ospf 2 router-id 10.14.1.3
 default-route-advertise
 filter-policy ip-prefix no-default import
 area 0.0.0.0
  network 10.15.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:BIj9Nv<&^W(>5,%$%$ v3 privacy private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REPvIW_tq`0DkZ\JN)tTE`ja\%$%$ privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return
Networking Diagram
As shown in Figure 7-5, the service interfaces of both firewalls work at Layer 3,
connecting to the backbone through routers and to the GGSN/P-GW through
Layer 2 switches. OSPF runs between the firewall and router, and VRRP is enabled
on the interface connecting the firewall to the switch.
Configuration Difference
Item: Interfaces
FW_A
#
interface Eth-Trunk0
 description TO-FW-B
 ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.1 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 active
#
FW_B
#
interface Eth-Trunk0
 description TO-FW-A
 ip address 192.168.3.2 255.255.255.240
#
interface Eth-Trunk1
 ip address 1.1.2.1 255.255.255.0
#
interface Eth-Trunk2
 description TO-GI
 ip address 10.14.1.2 255.255.255.0
 vrrp vrid 20 virtual-ip 10.14.1.3 standby
#
The two firewalls are expected to work in load balancing mode. Normally, FW_A
and FW_B forward traffic together. When one firewall fails, the other firewall
forwards all traffic. The services are not interrupted.
8.1 Introduction
The shortage of public IPv4 addresses drives the transition from IPv4 to IPv6, and
the CGN solution makes that transition smooth.
NAT44
NAT44 is the traditional IPv4 NAT function, used mainly to translate private IPv4
addresses into public IPv4 addresses. The public address assignment authority
reserves the following address ranges for private networks:
● 10.0.0.0 to 10.255.255.255
● 172.16.0.0 to 172.31.255.255
● 192.168.0.0 to 192.168.255.255
Addresses in these ranges are never allocated to Internet users and are not used
on the Internet; they are used only on private networks, so a host with a private
address cannot access the Internet directly. NAT translates private addresses into
public addresses so that hosts on the private network can access the Internet:
the NAT device assigns a host a temporary, valid public address for the duration
of its Internet access. Hosts therefore reach the Internet without owning public
IP addresses of their own, which conserves public address space.
As shown in Figure 8-1, to save even more IP addresses, carriers deploy two-level
NAT (NAT444): one level on the egress gateway at the user side, the customer
premises equipment (CPE), and one on the egress gateway at the carrier side, the
carrier grade NAT (CGN).
The NAT function on the CPE translates the user's private network addresses into
the carrier's private network addresses; the NAT function on the CGN then
translates the carrier's private network addresses into public network addresses.
With two-level NAT on the CPE and CGN, NAT444 therefore involves three kinds of
addresses: user private addresses, carrier private addresses, and public
addresses. User private addresses cannot conflict with the carrier's private
addresses, so private network segments are used effectively and the shortage of
private addresses is avoided.
Dual Stack
Dual stack is the basis of the transition from IPv4 to IPv6; all other transition
technologies build on it. When nodes on the network support both IPv4 and IPv6,
a source node selects the protocol stack according to the destination node, and
network devices process and forward each packet with the stack that matches
its protocol type. Dual stack can be implemented on a single network device or
on an entire dual-stack network. On a dual-stack network, every device must
support both the IPv4 and IPv6 protocol stacks, and the interfaces connecting to
the network must be configured with both IPv4 and IPv6 addresses. Figure 8-2
shows the schematic diagram of the dual stack.
The advantages of the dual stack technology used in the transition from the IPv4
network to the IPv6 network are as follows:
6RD Tunneling
6RD tunneling builds on the existing IPv4 network and lets users deploy IPv6
access services rapidly. It is an improvement on the original 6to4 solution; the
difference is that a 6to4 address uses the well-known 2002::/16 prefix, whereas
a 6RD prefix is carved out of the carrier's own IPv6 address space.
To let IPv6 users send packets across the carrier's IPv4 network and reach IPv6
services and resources, the 6RD solution automatically establishes and removes
tunnels between the CPEs and the CGN gateway. Automatic tunnel establishment
relies on the 6RD prefix being predefined.
A 6RD address consists of the 6RD prefix (an IPv6 prefix allocated by the carrier,
with a length of 0 to 32 bits), an IPv4 address, a subnet ID (allocated by the
carrier), and an interface identifier. Figure 8-3 shows the 6RD address format.
The 6RD delegated prefix contains the 6RD prefix and all or part of the IPv4
address, and is calculated from them. How many IPv4 address bits the delegated
prefix carries is determined by the IPv4 address length configured for the 6RD
tunnel.
1. The carrier allocates a 6RD prefix, an IPv4 address, and the IPv4 address of the
CGN (the 6RD border relay) to the user's CPE. The CPE generates its own 6RD
delegated prefix and delivers it to the IPv6 terminal.
2. On receiving a packet from the IPv6 terminal, the CPE encapsulates the IPv6
packet in an IPv4 tunnel and sends it to the CGN. The outer source address of
the tunnel packet is the CPE's IPv4 address and the outer destination address
is the CGN's IPv4 address.
3. The CGN decapsulates the received IPv4 tunnel packet and forwards the IPv6
packet.
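The delegated-prefix calculation described above (the 6RD prefix followed by the part of the IPv4 address that remains after the configured IPv4 address length is removed, as specified in RFC 5969), as an added Python example that is not from the Huawei document: the CPE-side computation in step 1, and the reverse lookup a CPE or BR performs to find the IPv4 tunnel endpoint for an IPv6 destination in step 2. The 6RD prefix 2001:db8::/32, the 8-bit IPv4 address length and all addresses are constructed sample values.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int, cpe_ipv4: str) -> ipaddress.IPv6Network:
    """CPE side: delegated prefix = 6RD prefix || IPv4 address minus its first ipv4_mask_len bits.

    ipv4_mask_len is the number of high-order IPv4 bits shared by every node of the 6RD
    domain; those bits are not carried in the IPv6 prefix, which keeps the prefix short.
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("ipv4_mask_len must be 0..32")
    keep_bits = 32 - ipv4_mask_len
    plen = net6.prefixlen + keep_bits
    if plen > 64:
        raise ValueError("delegated prefix longer than /64: shorten the 6RD prefix or raise ipv4_mask_len")
    v4_suffix = int(ipaddress.IPv4Address(cpe_ipv4)) & ((1 << keep_bits) - 1)
    delegated = int(net6.network_address) | (v4_suffix << (128 - plen))
    return ipaddress.IPv6Network((delegated, plen))


def sixrd_tunnel_endpoint(sixrd_prefix: str, ipv4_mask_len: int, local_ipv4: str,
                          dst_ipv6: str) -> ipaddress.IPv4Address:
    """CPE/BR side: recover the IPv4 tunnel destination embedded in a 6RD destination address.

    The IPv4 bits dropped at delegation time are restored from the local tunnel address,
    which shares them with every other node of the domain. A destination outside the 6RD
    prefix is not a domain member and must be sent to the BR instead.
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    dst = ipaddress.IPv6Address(dst_ipv6)
    if dst not in net6:
        raise ValueError(f"{dst} is outside the 6RD domain; forward it to the BR")
    keep_bits = 32 - ipv4_mask_len
    shift = 128 - net6.prefixlen - keep_bits
    v4_suffix = (int(dst) >> shift) & ((1 << keep_bits) - 1)
    common_high = int(ipaddress.IPv4Address(local_ipv4)) & (0xFFFFFFFF ^ ((1 << keep_bits) - 1))
    return ipaddress.IPv4Address(common_high | v4_suffix)


if __name__ == "__main__":
    # Constructed sample domain: 6RD prefix 2001:db8::/32; every node sits inside 10.0.0.0/8,
    # so the leading 8 IPv4 bits are omitted (ipv4_mask_len = 8) and each CPE gets a /56.
    print(sixrd_delegated_prefix("2001:db8::/32", 8, "10.1.2.100"))  # 2001:db8:102:6400::/56
    # The BR at 10.1.2.1 receives a packet for 2001:db8:102:6400::1 and finds the CPE:
    print(sixrd_tunnel_endpoint("2001:db8::/32", 8, "10.1.2.1", "2001:db8:102:6400::1"))  # 10.1.2.100
```

With ipv4_mask_len 0 the whole IPv4 address is embedded and the CPE receives a /64 (2001:db8:a01:264::/64 for the same CPE); raising the mask length is how a carrier with a /32 6RD prefix keeps /56 delegations.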
NAT64
NAT64 is mainly applied where a single-stack host on the IPv6 network accesses
resources on the IPv4 network. As shown in Figure 8-5, the CGN device is
deployed between the IPv6 network and the IPv4 network and translates addresses
between them in both directions. A DNS64 device, which resolves both IPv4 and
IPv6 domain name records, must also be deployed on the network.
The DNS64 device provides a mapping between domain names and IPv6 addresses,
generates IPv6 addresses by combining the NAT64 prefixes configured on the CGN device
and the IPv4 addresses on the IPv4 server, and generates corresponding AAAA records.
the IPv4 addresses in the NAT address pool as the source IP addresses of
the resulting IPv4 packets. A session table is generated in this process.
d. The CGN sends the resulting IPv4 packet to the server.
e. The CGN receives the response packet from the IPv4 server, translates the
IPv4 packet into an IPv6 packet according to the session table, and sends
the resulting IPv6 packet to the host.
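The DNS64/NAT64 exchange described above (AAAA synthesis from the NAT64 prefix and the server's IPv4 address, IPv6-to-IPv4 translation with a session table, and translation of the reply back to the host), as an added Python model that is not from the Huawei document. It assumes the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 (a carrier-specific /96 configured on the CGN works the same way), the constructed pool address 203.0.113.10 and constructed host and server addresses; real CGNs also rewrite headers, checksums and ICMP, which the model omits.

```python
import ipaddress
from itertools import count
from typing import Dict, List, Optional, Tuple

# Well-known NAT64 prefix (RFC 6052); any /96 configured on the CGN can be used instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """DNS64 step: embed the IPv4 A record in bits 96..127 of the prefix to form the AAAA answer."""
    if prefix.prefixlen != 96:
        raise ValueError("this example embeds IPv4 only under a /96 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv4Address:
    """CGN step: recover the real IPv4 destination from a synthesized destination address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the NAT64 prefix; not a NAT64 flow")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class Nat64Translator:
    """Stateful NAT64: an outbound IPv6 flow creates a session; replies are matched against it."""

    def __init__(self, pool: List[str], prefix: ipaddress.IPv6Network = NAT64_PREFIX):
        self.pool = [ipaddress.IPv4Address(p) for p in pool]   # public IPv4 NAT address pool
        self.prefix = prefix
        self.next_port = count(1024)
        # (v6 src, sport, v4 dst, dport) -> (pool v4, translated sport)
        self.sessions: Dict[Tuple, Tuple] = {}
        # (pool v4, translated sport, v4 dst, dport) -> (v6 src, sport)
        self.reverse: Dict[Tuple, Tuple] = {}

    def outbound(self, src6: str, sport: int, dst6: str, dport: int) -> Tuple:
        """IPv6 -> IPv4: returns (v4 src, v4 sport, v4 dst, dport) of the packet sent to the server."""
        src = ipaddress.IPv6Address(src6)
        dst4 = nat64_extract_ipv4(dst6, self.prefix)
        key = (src, sport, dst4, dport)
        if key not in self.sessions:                       # first packet: create the session entry
            pool_ip = self.pool[int(src) % len(self.pool)]  # deterministic spread over the pool
            tport = next(self.next_port)
            self.sessions[key] = (pool_ip, tport)
            self.reverse[(pool_ip, tport, dst4, dport)] = (src, sport)
        pool_ip, tport = self.sessions[key]
        return (pool_ip, tport, dst4, dport)

    def inbound(self, src4: str, sport: int, dst4: str, dport: int) -> Optional[Tuple]:
        """IPv4 -> IPv6 reply: returns (v6 src, sport, v6 dst, dport), or None when no session
        exists. Unsolicited inbound IPv4 traffic is dropped: the CGN only translates replies."""
        key = (ipaddress.IPv4Address(dst4), dport, ipaddress.IPv4Address(src4), sport)
        hit = self.reverse.get(key)
        if hit is None:
            return None
        host6, host_port = hit
        return (dns64_synthesize(src4, self.prefix), sport, host6, host_port)


if __name__ == "__main__":
    # Constructed sample: IPv6-only host 2001:db8::1 reaches IPv4 server 198.51.100.1 on port 80.
    aaaa = dns64_synthesize("198.51.100.1")                # DNS64 answer: 64:ff9b::c633:6401
    cgn = Nat64Translator(["203.0.113.10"])
    print("DNS64 AAAA:", aaaa)
    print("to server :", cgn.outbound("2001:db8::1", 40000, str(aaaa), 80))
    print("to host   :", cgn.inbound("198.51.100.1", 80, "203.0.113.10", 1024))
    print("unsolicited:", cgn.inbound("198.51.100.1", 80, "203.0.113.10", 5555))  # None
```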
DS-Lite
Dual stack is an effective technology during the transition from IPv4 to IPv6, but
it requires maintaining both an IPv4 and an IPv6 network. In the middle and late
phases of the transition, some carriers want to deploy an IPv6 MAN to simplify
network management and maintenance, and some emerging carriers want to
deploy an IPv6 MAN directly to provide large-scale IPv6 services and only a few
IPv4 services. In this scenario, certain IPv4 nodes need to traverse the IPv6
network to access the IPv4 network. DS-Lite was developed as an IPv6 transition
technology to meet this requirement.
The DS-Lite system consists of dual-stack hosts and IPv6 network. As shown in
Figure 8-6, only the CPE and CGN on the DS-Lite network support dual stack.
Other network nodes support only the IPv6 protocol.
The CGN must support IPv4 over IPv6 tunneling and NAT44 functions. The CPE
users can obtain IPv6 addresses and private IPv4 addresses so that IPv6 packets
directly traverse the CPE and access the IPv6 Internet. IPv4 packets are transmitted
to the CGN over the IPv4 over IPv6 tunnel and are decapsulated on the CGN. After
the private IPv4 addresses are translated into public network addresses, the
packets are transmitted to the IPv4 Internet. The packet traversing process from
the private IPv4 network to the IPv4 Internet over the IPv6 network is as follows:
1. The carrier supports only IPv6 service access. An IPv6 prefix is allocated to
the CPE, and the CPE allocates private IPv4 addresses to internal network users.
2. When a private IPv4 user accesses the IPv4 Internet, the IPv4 packet is sent
to the CPE. The CPE encapsulates the packet and sends it to the CGN over the
IPv4 over IPv6 tunnel.
3. After decapsulating the packet, the CGN translates it using NAT44. Once the
private IPv4 address has been translated into an IPv4 Internet address, the CGN
sends the packet to the IPv4 network.
● The CPE is used to connect terminal users and allocate addresses to the users.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates IPv6 addresses to IPv6 users. The IPv6 address prefix
indicates the 6RD delegated prefix calculated by the CPE.
In addition, the CPE translates addresses for the private IPv4 users and
establishes 6RD tunnels with the CGN.
● As an egress gateway on the MAN, the CGN translates addresses for private
IPv4 users to access the IPv4 Internet and provides 6RD tunnels for IPv6 users
to access the IPv6 Internet.
● As a device at the aggregation layer, the BRAS allocates IPv4 addresses for the
CPEs to connect to the MAN.
Two-level NAT (NAT444) is used to enable private IPv4 users to access the IPv4
Internet.
Without upgrading the live network to IPv6, the NAT444 function can be deployed
to resolve the IPv4 address shortage issue. IPv4-based NAT technology is mature
and widely applied on IPv4 networks. Therefore, the two-level NAT444 scheme is
a feasible transition scheme.
Deploy two-level NAT on the CPE and the CGN.
● Set the NAT mode of the CPE to Easy IP, that is, replacing the source IP
address in a packet with the address of the outbound interface.
● The CGN translates addresses using NAPT, which requires configuration of a
public address pool. On the CGN, a port is pre-allocated to the CPE to
facilitate the ease of user tracing.
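Port pre-allocation on the CGN, mentioned in the last bullet, is what makes user tracing cheap: the CGN hands each CPE address a fixed block of ports on a public address once, so a single allocation record (rather than one record per NAPT session) maps any public address and port seen in an abuse report back to the subscriber. The following allocator is an added illustration, not Huawei's implementation; it generalizes the single pre-allocated port of the text to a port block, and the public addresses 203.0.113.x, the carrier-private addresses 100.64.0.x and the block size are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PortBlock:
    public_ip: str
    first_port: int
    last_port: int


class PortBlockAllocator:
    """Pre-allocates a fixed port block on a public address to each CPE (carrier-private) address.

    One ALLOC record per CPE is enough to trace any later public (ip, port) back to the
    subscriber, instead of logging every NAPT session the CPE's users open."""

    def __init__(self, public_ips: List[str], block_size: int = 1024, first_port: int = 1024):
        if 65536 % block_size or first_port % block_size:
            raise ValueError("block_size must divide both the port space and first_port")
        self.block_size = block_size
        # Free blocks, lowest public address and lowest port range first.
        self.free: List[PortBlock] = [
            PortBlock(ip, start, start + block_size - 1)
            for ip in public_ips
            for start in range(first_port, 65536, block_size)
        ]
        self.by_cpe: Dict[str, PortBlock] = {}
        self.by_block: Dict[PortBlock, str] = {}
        self.log: List[str] = []   # what the CGN would export to the log server

    def allocate(self, cpe_ip: str) -> PortBlock:
        if cpe_ip in self.by_cpe:          # a CPE keeps its block while it stays online
            return self.by_cpe[cpe_ip]
        if not self.free:
            raise RuntimeError("public port blocks exhausted: add pool addresses or shrink block_size")
        block = self.free.pop(0)
        self.by_cpe[cpe_ip] = block
        self.by_block[block] = cpe_ip
        self.log.append(f"ALLOC cpe={cpe_ip} public={block.public_ip} "
                        f"ports={block.first_port}-{block.last_port}")
        return block

    def release(self, cpe_ip: str) -> None:
        """Return the block when the CPE goes offline; the FREE record closes the trace window."""
        block = self.by_cpe.pop(cpe_ip, None)
        if block is not None:
            del self.by_block[block]
            self.free.append(block)
            self.log.append(f"FREE cpe={cpe_ip} public={block.public_ip} "
                            f"ports={block.first_port}-{block.last_port}")

    def trace(self, public_ip: str, port: int) -> Optional[str]:
        """Abuse-report lookup: which CPE currently holds this public (ip, port)? None if nobody."""
        start = port - (port % self.block_size)
        return self.by_block.get(PortBlock(public_ip, start, start + self.block_size - 1))


if __name__ == "__main__":
    cgn = PortBlockAllocator(["203.0.113.1", "203.0.113.2"], block_size=1024)
    cgn.allocate("100.64.0.10")
    cgn.allocate("100.64.0.11")
    print(cgn.trace("203.0.113.1", 1500))   # 100.64.0.10
    print(cgn.trace("203.0.113.1", 2048))   # 100.64.0.11
    print(cgn.trace("203.0.113.2", 1500))   # None: no CPE holds that block yet
    print("\n".join(cgn.log))
```

For a real tracing workflow the log lines need timestamps, because a block returned by one CPE is reused by the next; the FREE record marks when the earlier mapping stopped being valid.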
Data Planning
Figure 8-8 shows the networking diagram with data to facilitate configurations
and understanding.
8.3.3 Precautions
When the Eudemon8000E-X serves as the CGN, if port pre-allocation is configured,
the hash-based CPU selection mode must be source address hash.
Item | Procedure | Operation | Description
(The body of this table did not survive extraction; only the following Description-column fragments and one row label are recoverable. "..." marks text lost at column breaks.)
...e actual interface and IP address planning.
...ace IP addresses to NAPT (Easy IP). The private IPv4 addresses of the users are translated into the private IPv4 addresses of the carrier.
...N is created to implement the interaction between IPv6 users.
...is ipv6-ipv4 6rd.
...rce interface of the 6RD tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface.
● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel.
...e carrier and serves as a part of the 6RD delegated prefix.
...the high-order bits of the length are deleted from the source IPv4 address of the tunnel and other bits form a part of the 6RD prefix.
...es specific 6RD BR IPv4 address, that is, the private IPv4 address (10.1.2.1/24) that connects the CGN to the internal MAN.
...el is configured based on the 6RD delegated prefix that includes the 6RD prefix and a part of or the entire IPv4 address.
4 | Configure routes. | Mandatory | Routes include the IPv4 service route and IPv6 service route. You can configure the route based on the route planning in 8.3.2 Service Planning.
...actual interface and IP address planning.
...private IPv4 addresses of the carrier to the public IPv4 address.
...f consecutive IP addresses. When a packet from the private network reaches the public network through NAT, an address in...
t
h
e
N
A
T
a
d
d
r
e
s
s
p
o
o
l
i
s
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
s
e
l
e
c
t
e
d
a
s
t
h
e
I
P
a
d
d
r
e
s
s
a
f
t
e
r
t
r
a
n
s
l
a
t
i
o
n
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
S
e
t
t
h
e
p
r
e
-
a
l
l
o
c
a
t
e
d
p
o
r
t
b
l
o
c
k
s
i
z
e
i
n
t
h
e
a
d
d
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
r
e
s
s
p
o
o
l
f
o
r
t
h
e
p
r
e
-
a
l
l
o
c
a
t
i
o
n
o
f
p
o
r
t
r
e
s
o
u
r
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
c
e
s
f
o
r
N
A
T
t
o
t
h
e
C
P
E
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
i
c
h
t
h
e
N
A
T
p
o
l
i
c
y
t
a
k
e
s
e
ff
e
c
t
a
n
d
t
h
e
N
A
T
a
d
d
r
e
s
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
s
p
o
o
l
r
e
f
e
r
e
n
c
e
d
i
n
t
h
e
N
A
T
p
o
l
i
c
y
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
E
i
s
c
r
e
a
t
e
d
t
o
i
m
p
l
e
m
e
n
t
t
h
e
i
n
t
e
r
a
c
t
i
o
n
b
e
t
w
e
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
e
n
I
P
v
6
u
s
e
r
s
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
i
s
i
p
v
6
-
i
p
v
4
6
r
d
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
r
c
e
i
n
t
e
r
f
a
c
e
o
f
t
h
e
6
R
D
t
u
n
n
e
l
.
Y
o
u
c
a
n
s
p
e
c
i
f
y
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
h
e
I
P
v
6
a
d
d
r
e
s
s
o
f
t
h
e
i
n
t
e
r
f
a
c
e
t
h
a
t
i
s
c
o
n
n
e
c
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
e
d
t
o
t
h
e
I
P
v
6
n
e
t
w
o
r
k
a
s
t
h
e
s
o
u
r
c
e
a
d
d
r
e
s
s
o
f
t
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
h
e
t
u
n
n
e
l
,
o
r
d
i
r
e
c
t
l
y
s
p
e
c
i
f
y
t
h
e
i
n
t
e
r
f
a
c
e
a
s
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
h
e
s
o
u
r
c
e
i
n
t
e
r
f
a
c
e
.
● Y
o
u
c
a
n
s
p
e
c
i
f
y
e
i
t
h
e
r
a
p
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
h
y
s
i
c
a
l
i
n
t
e
r
f
a
c
e
o
r
a
l
o
g
i
c
a
l
i
n
t
e
r
f
a
c
e
s
u
c
h
a
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
s
t
h
e
l
o
o
p
b
a
c
k
i
n
t
e
r
f
a
c
e
a
s
t
h
e
s
o
u
r
c
e
i
n
t
e
r
f
a
c
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
e
o
f
t
h
e
t
u
n
n
e
l
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
e
c
a
r
r
i
e
r
a
n
d
s
e
r
v
e
s
a
s
a
p
a
r
t
o
f
t
h
e
6
R
D
d
e
l
e
g
a
t
e
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
d
p
r
e
fi
x
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
h
e
h
i
g
h
-
o
r
d
e
r
b
i
t
s
o
f
t
h
e
l
e
n
g
t
h
i
s
d
e
l
e
t
e
d
f
r
o
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
m
t
h
e
s
o
u
r
c
e
I
P
v
4
a
d
d
r
e
s
s
o
f
t
h
e
t
u
n
n
e
l
a
n
d
o
t
h
e
r
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
b
i
t
s
f
o
r
m
a
p
a
r
t
o
f
t
h
e
6
R
D
p
r
e
fi
x
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
e
l
i
s
c
o
n
fi
g
u
r
e
d
b
a
s
e
d
o
n
t
h
e
6
R
D
d
e
l
e
g
a
t
e
d
p
r
e
fi
x
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
h
a
t
i
n
c
l
u
d
e
s
t
h
e
6
R
D
p
r
e
fi
x
a
n
d
a
p
a
r
t
o
f
o
r
t
h
e
e
n
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
t
i
r
e
I
P
v
4
a
d
d
r
e
s
s
.
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
4 Configure routes. M
a
n
d
a
t
o
r
y
R
o
u
t
e
s
i
n
c
l
u
d
e
t
h
e
I
P
v
4
s
e
r
v
i
c
e
r
o
u
t
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
e
a
n
d
I
P
v
6
s
e
r
v
i
c
e
r
o
u
t
e
.
Y
o
u
c
a
n
c
o
n
fi
g
u
r
e
t
h
e
r
o
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
u
t
e
b
a
s
e
d
o
n
t
h
e
r
o
u
t
e
p
l
a
n
n
i
n
g
i
n
8
.
3
.
2
S
e
r
v
i
c
e
Item Pr Operation D
oc e
ed s
ur c
e r
i
p
t
i
o
n
P
l
a
n
n
i
n
g
.
Enable the ASPF functions for the corresponding services. This section uses the
FTP protocol as an example.
[CPE] firewall interzone trust untrust
[CPE-interzone-trust-untrust] detect ftp
[CPE-interzone-trust-untrust] quit
e. Configure the 6RD tunnel.
# Configure the interface Tunnel1 of the 6RD tunnel.
[CPE] interface Tunnel 1
[CPE-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
[CPE-Tunnel1] ipv6 enable
[CPE-Tunnel1] source 10.1.1.1
[CPE-Tunnel1] ipv6-prefix 22::/32
[CPE-Tunnel1] ipv4-prefix length 8
[CPE-Tunnel1] border-relay address 10.1.2.1
[CPE-Tunnel1] quit
After the 6RD prefix and IPv4 prefix length are configured, the CPE automatically
calculates the 6RD delegated prefix. When you run the display interface Tunnel
1 command, the 6RD delegated prefix is displayed. You can configure the IPv6
address for the Tunnel interface based on this 6RD delegated prefix.
# View the calculated 6RD delegated prefix.
[CPE] display interface Tunnel 1
Tunnel1 current state : UP
Line protocol current state : UP
Description: Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.1.1.1(GigabitEthernet1/0/2), destination auto
Tunnel protocol/transport IPV6 over IPv4(6rd) ipv6 prefix 22::/32
ipv4 prefix length 8
6RD Operational, Delegated Prefix is 22:0:101:100::/56
# Configure the IPv6 address for the Tunnel1 interface based on the 6RD
delegated prefix.
[CPE-Tunnel1] ipv6 address 22:0:101:100::1 56
[CPE-Tunnel1] quit
f. Configure routes.
# Configure the static IPv4 route from the CPE to the MAN interface of the CGN. Assume that
the next hop address of the CPE to the MAN is 10.1.1.2.
[CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
# Configure the route from the CPE to the 6RD tunnel interface of the
CGN.
[CPE] ipv6 route-static 22:: 32 Tunnel 1
# Configure the static route from the CPE to the IPv6 network. Set the
next hop address to the IPv6 address of the Tunnel interface of the CGN.
[CPE] ipv6 route-static 3000:: 64 22:0:102:100::1
c. Configure NAT to translate the carrier's private IPv4 addresses into public
IPv4 addresses.
# Configure a NAT address pool. The pre-allocated port block size is 256
ports.
[CGN] nat address-group addressgroup1
[CGN-address-group-addressgroup1] mode pat
[CGN-address-group-addressgroup1] route enable
[CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
[CGN-address-group-addressgroup1] port-block-size 256
[CGN-address-group-addressgroup1] quit
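The following Python model, added here and not part of the Huawei document, shows why the CGN pre-allocates a port block to each CPE: one record per block, rather than one per session, is enough to trace a public address and port back to the CPE behind it. It uses the pool from this example (1.1.2.1 to 1.1.2.5, block size 256); the usable port range (1024-65535) and the lowest-first allocation order are assumptions of the model, not the FW's actual algorithm.

```python
"""NAT444 port-block pre-allocation on the CGN, modelled on the address
group in this example (section 1.1.2.1-1.1.2.5, port-block-size 256, mode pat).

Added illustration, not Huawei code. Assumptions of the model: dynamic
ports 1024-65535 are the allocatable range and blocks are handed out
lowest address / lowest port first.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

FIRST_PORT = 1024   # assumption: well-known ports are not handed out
LAST_PORT = 65535


@dataclass(frozen=True)
class PortBlock:
    """One pre-allocated block: public_ip with ports start..end (inclusive)."""
    public_ip: ipaddress.IPv4Address
    start: int
    end: int

    def contains(self, public_ip: ipaddress.IPv4Address, port: int) -> bool:
        return public_ip == self.public_ip and self.start <= port <= self.end


class PortBlockPool:
    """NAT address group in PAT mode with a fixed port block size.

    Each CPE (the inner NAT of NAT444) receives a whole block up front, so a
    single log line per block is enough to map a public (address, port) seen
    on the Internet back to the CPE's carrier-private address.
    """

    def __init__(self, first_ip: str, last_ip: str, block_size: int) -> None:
        if block_size <= 0:
            raise ValueError("block size must be positive")
        self.block_size = block_size
        self.blocks_per_ip = (LAST_PORT - FIRST_PORT + 1) // block_size
        self.addresses = [
            ipaddress.IPv4Address(a)
            for a in range(int(ipaddress.IPv4Address(first_ip)),
                           int(ipaddress.IPv4Address(last_ip)) + 1)
        ]
        # Free blocks in allocation order: address by address, port by port.
        self.free: List[PortBlock] = [
            PortBlock(ip, FIRST_PORT + i * block_size,
                      FIRST_PORT + (i + 1) * block_size - 1)
            for ip in self.addresses
            for i in range(self.blocks_per_ip)
        ]
        self.allocated: Dict[PortBlock, ipaddress.IPv4Address] = {}
        self.log: List[str] = []   # the user-tracing record

    def capacity(self) -> int:
        """Total number of blocks, i.e. how many CPEs the pool can serve."""
        return len(self.addresses) * self.blocks_per_ip

    def allocate(self, cpe_ip: str) -> PortBlock:
        """Pre-allocate the next free block to a CPE's carrier-private address."""
        if not self.free:
            raise RuntimeError("NAT address pool exhausted: no free port block")
        block = self.free.pop(0)
        cpe = ipaddress.IPv4Address(cpe_ip)
        self.allocated[block] = cpe
        self.log.append(f"ALLOC cpe={cpe} public={block.public_ip} "
                        f"ports={block.start}-{block.end}")
        return block

    def release(self, block: PortBlock) -> None:
        """Return a block to the pool when the CPE goes offline."""
        cpe = self.allocated.pop(block)
        self.log.append(f"FREE cpe={cpe} public={block.public_ip} "
                        f"ports={block.start}-{block.end}")
        self.free.append(block)

    def trace(self, public_ip: str, port: int) -> Optional[ipaddress.IPv4Address]:
        """User tracing: which CPE currently owns this public (address, port)?"""
        ip = ipaddress.IPv4Address(public_ip)
        for block, cpe in self.allocated.items():
            if block.contains(ip, port):
                return cpe
        return None


if __name__ == "__main__":
    pool = PortBlockPool("1.1.2.1", "1.1.2.5", 256)   # values from this example
    block = pool.allocate("10.1.1.1")                 # the CPE's MAN-side address
    print(pool.capacity(), "blocks available in total")
    print(pool.log[-1])
    print("1.1.2.1:1100 belongs to", pool.trace("1.1.2.1", 1100))
```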
After the 6RD prefix and IPv4 prefix length are configured, the CGN
automatically calculates the 6RD delegated prefix. When you run the display
interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can
configure the IPv6 address for the Tunnel interface based on this 6RD delegated
prefix.
# View the calculated 6RD delegated prefix.
[CGN] display interface Tunnel 1
Tunnel1 current state : UP
Line protocol current state : UP
Description: Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.1.2.1(GigabitEthernet1/0/2), destination auto
Tunnel protocol/transport IPV6 over IPv4(6rd)
# Configure the IPv6 address for the Tunnel interface based on the 6RD
delegated prefix.
[CGN-Tunnel1] ipv6 address 22:0:102:100::1 56
[CGN-Tunnel1] quit
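As an added illustration, not Huawei code, the following Python reproduces the 6RD delegated-prefix derivation that the CPE and the CGN perform from the 6RD prefix 22::/32, the IPv4 prefix length 8 and the tunnel source address, together with the reverse step a 6RD node uses to find the IPv4 tunnel endpoint behind an IPv6 destination. All addresses are those of this example; the function and parameter names are my own.

```python
"""6RD (RFC 5969) prefix arithmetic for the tunnel in this example.

Added illustration, not Huawei code. The values come from the page
(ipv6-prefix 22::/32, ipv4-prefix length 8, tunnel sources 10.1.1.1 and
10.1.2.1, border-relay address 10.1.2.1); the function names are my own.
"""
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_prefix_len: int,
                           tunnel_source: str) -> ipaddress.IPv6Network:
    """Delegated prefix = 6RD prefix followed by the low-order
    (32 - ipv4_prefix_len) bits of the tunnel's IPv4 source address.

    'ipv4-prefix length 8' means the top 8 bits of every IPv4 address in the
    6RD domain (the 10 of 10.x.x.x here) are common and are not embedded.
    """
    domain = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("ipv4 prefix length must be between 0 and 32")
    embedded_bits = 32 - ipv4_prefix_len
    delegated_len = domain.prefixlen + embedded_bits
    if delegated_len > 128:
        raise ValueError("6RD prefix leaves no room for the IPv4 bits")
    low_bits = int(ipaddress.IPv4Address(tunnel_source)) & ((1 << embedded_bits) - 1)
    # The embedded bits start right after the 6RD prefix; the rest stays zero.
    value = int(domain.network_address) | (low_bits << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


def sixrd_tunnel_endpoint(sixrd_prefix: str, ipv4_prefix_len: int,
                          domain_ipv4: str, ipv6_dest: str) -> ipaddress.IPv4Address:
    """Reverse step: recover the IPv4 tunnel endpoint embedded in an IPv6
    address of the 6RD domain. domain_ipv4 supplies the dropped high-order
    bits; any address of the domain (e.g. the BR address) will do."""
    domain = ipaddress.IPv6Network(sixrd_prefix)
    dest = ipaddress.IPv6Address(ipv6_dest)
    if dest not in domain:
        raise ValueError(f"{ipv6_dest} is outside the 6RD domain {sixrd_prefix}")
    embedded_bits = 32 - ipv4_prefix_len
    low_mask = (1 << embedded_bits) - 1
    shift = 128 - domain.prefixlen - embedded_bits
    low_bits = (int(dest) >> shift) & low_mask
    high_bits = int(ipaddress.IPv4Address(domain_ipv4)) & (0xFFFFFFFF ^ low_mask)
    return ipaddress.IPv4Address(high_bits | low_bits)


def sixrd_ipv4_next_hop(sixrd_prefix: str, ipv4_prefix_len: int,
                        br_address: str, ipv6_dest: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination the CPE encapsulates to. Inside the 6RD domain
    it is derived from the IPv6 destination itself (route 22::/32 -> Tunnel1);
    everything else (3000::/64 here) is sent to the border relay."""
    if ipaddress.IPv6Address(ipv6_dest) in ipaddress.IPv6Network(sixrd_prefix):
        return sixrd_tunnel_endpoint(sixrd_prefix, ipv4_prefix_len, br_address, ipv6_dest)
    return ipaddress.IPv4Address(br_address)


if __name__ == "__main__":
    for node, source in (("CPE", "10.1.1.1"), ("CGN", "10.1.2.1")):
        print(node, "delegated prefix:", sixrd_delegated_prefix("22::/32", 8, source))
    print("22:0:102:100::1 is reached via",
          sixrd_ipv4_next_hop("22::/32", 8, "10.1.2.1", "22:0:102:100::1"))
    print("3000::1 is reached via",
          sixrd_ipv4_next_hop("22::/32", 8, "10.1.2.1", "3000::1"))
```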
e. Configure routes.
Configure the static IPv4 route to the MAN interface of the CPE. Assume
that the next hop address of the CGN to the MAN is 10.1.2.2.
[CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2
Configure the static IPv4 route to the FTP server on the Internet. In this
example, the next-hop address of the CGN to the Internet is 1.1.1.2.
[CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2
# Configure the route to the 6RD tunnel interface and 6RD domain of the
CPE.
[CGN] ipv6 route-static 22:: 32 Tunnel 1
8.3.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, access the FTP Server on the Internet
using PC1 on the private IPv4 network.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
230 User logged in.
ftp>
b. Run the display firewall session table verbose command on the CPE to
check the address translation.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:03
Interface: GigabitEthernet1/0/2 NextHop: 10.1.1.2 MAC: 0018-8239-1e5c
<--packets:20 bytes:1168 -->packets:26 bytes:1150
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1
ftp-data VPN:public --> public ID: ab016391fa4c03558d54c16acd159
Zone: untrust--> trust TTL: 00:00:10 Left: 00:00:07
Interface: GigabitEthernet1/0/0 NextHop: 192.168.0.2 MAC: 0018-826f-b3f4
<--packets:3 bytes:124 -->packets:5 bytes:370
1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] PolicyName:policy_nat_1
#
ipv6
#
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 22:0:101:101::1/64
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
interface Tunnel1
ipv6 enable
ipv6 address 22:0:101:100::1/56
tunnel-protocol ipv6-ipv4 6rd
source 10.1.1.1
ipv6-prefix 22::/32
ipv4-prefix length 8
border-relay address 10.1.2.1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone dmz
set priority 50
#
firewall interzone trust untrust
detect ftp
#
ipv6 route-static 22:: 32 Tunnel 1
ipv6 route-static 3000:: 64 22:0:102:100::1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 22:0:101:101:: 64
action permit
rule name policy2
source-zone local
destination-zone untrust
source-address 22:0:101:100:: 56
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action source-nat easy-ip
#
return
#
sysname CGN
#
ipv6
#
firewall hash-mode source-only
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ipv6 enable
ipv6 address 3000::1/64
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
interface Tunnel1
ipv6 enable
ipv6 address 22:0:102:100::1/56
tunnel-protocol ipv6-ipv4 6rd
source 10.1.2.1
ipv6-prefix 22::/32
ipv4-prefix length 8
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
nat address-group addressgroup1
mode pat
port-block-size 256
route enable
section 1 1.1.2.1 1.1.2.5
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 1.1.1.0 24
source-address 3000:: 64
action permit
rule name policy2
source-zone trust
destination-zone local
source-address 22:0:102:100:: 56
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
action source-nat address-group addressgroup1
#
firewall interzone trust untrust
detect ftp
#
ipv6 route-static 22:: 32 Tunnel 1
#
return
● The CPE is used to connect terminal users and allocate addresses to the users.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates private IPv6 addresses to IPv6 users.
The CPE translates addresses for users on the IPv4 private network.
● As an egress gateway of the MAN, the CGN translates addresses for the IPv4
users to access the IPv4 Internet, provides channels for the IPv6 users to
access the IPv6 Internet, and translates IPv6 addresses into IPv4 addresses for
the IPv6 users to access the IPv4 network.
● As a device at the aggregation layer, the BRAS allocates IPv4 or IPv6
addresses for the CPEs to connect to the MAN.
CGN to enable access to the IPv4 Internet using private addresses through
two translations.
● Providing routing tunnels
The CPE and the CGN need to forward both IPv4 and IPv6 traffic. Therefore,
they must support both the IPv4 and IPv6 protocol stacks.
● Providing NAT from IPv6 addresses to IPv4 addresses
To enable the IPv6 users to access the IPv4 network, configure NAT64 on the
CGN.
The dual stack technology is used.
The dual stack technology is the basis for the transition from IPv4 to IPv6. All the other transition technologies are developed on the basis of the dual stack technology. The advantages of the dual stack technology used in the transition from the IPv4 network to the IPv6 network are as follows:
● On the dual-stack network, IPv6 and IPv4 service data is forwarded on respective forwarding planes. Logically, two forwarding planes are considered as two networks to facilitate network deployment. The dual stack technology supports smooth transition to the IPv6 network.
● The dual-stack network does not involve interconnection and access between IPv6 services and IPv4 services. Therefore, the implementation is simple.
● The dual-stack network is easy to maintain and manage.
The configuration of the dual stack function is simple. The configuration of dual stack on the CGN and CPE is as follows:
● Enable the IPv4 function at the IPv4 service interface. By default, the IPv4 function is enabled.
● Enable the IPv6 function at the IPv6 service interface. Enable the IPv6 function in the system view.

Two-level NAT (NAT444) function is used to enable private IPv4 users to access the IPv4 Internet.
On the live network, the IPv4 traffic still dominates the service traffic and the Internet IP addresses are insufficient. Therefore, the NAT444 function can be deployed to resolve the IPv4 address shortage issue. The IPv4-based NAT technology is mature and widely applied on IPv4 networks. Therefore, the two-level NAT444 scheme is a feasible transition scheme.
Deploy two-level NAT on the CPE and the CGN.
● Set the NAT mode of the CPE to Easy IP, that is, replacing the source IP address in a packet with the address of the outbound interface.
● The CGN translates addresses using NAPT, which requires a public address pool. On the CGN, a port block is pre-allocated to the CPE to facilitate user tracing.

The dynamic NAT64 function is used to implement the communication between IPv4 and IPv6 users.
The dynamic NAT64 uses the dynamic address mapping and upper-layer protocol mapping methods to translate a large number of IPv6 addresses with a few IPv4 addresses. The dynamic NAT64 function saves IPv4 public addresses and is applicable to large-scale deployment.
Configure the NAT64 function on the CGN.
● Configure the NAT64 prefix.
● Configure the address pool for the IPv4 Internet.
● Configure the NAT64 policy.
Data planning
Figure 8-10 shows the networking diagram with data to facilitate configurations
and understanding.
Generally, the NAT64 is deployed with the DNS64. The DNS64 performs domain
name translation. The prefix and length configured for the DNS64 are the same as
those of the NAT64 device. Figure 8-11 shows the NAT64 networking diagram.
After the MAN is upgraded to the dual-stack network, two networks exist: IPv4 and
IPv6. For the IPv4 network, the routing plan remains unchanged, and the route
between the CPE and the CGN uses static routing. For the IPv6 network, the OSPFv3
routing protocol is used, as shown in Figure 8-12.
8.4.3 Precautions
When the CGN is the Eudemon8000E-X, if triplet DS-Lite NAT is configured, the
hash-based CPU selection mode must be source address hash.
Item Procedure Action Description
e actual interface and IP address planning.
resses of the user's private network are translated into the carrier's IPv4 addresses.
3  Configure routes.  Mandatory  The routes configured for the CPE include:
● Static IPv4 route: forwards IPv4 service packets
● OSPFv3 configured at the interface to connect to the IPv6 network: forwards IPv6 service packets
actual interface and IP address planning.
IPv4 addresses of the carrier's private network to the IPv4 address of the IPv4 public addresses.
f consecutive IP addresses. When a packet from the private network reaches the public network through NAT, an address in the NAT address pool is selected as the IP address after translation.
Set the pre-allocated port block size in the address pool for the pre-allocation of port resources for NAT to the CPE.
ich the NAT policy takes effect and the NAT address pool referenced in the NAT policy.
3  Configure routes.  Mandatory  The routes configured include:
● Static route to the CPE and IPv4 Internet: forwards IPv4 service packets
● OSPFv3 configured at the interface to connect to the IPv6 network: forwards IPv6 service packets
sers to access the IPv4 network.
are used as the IPv4 addresses after the NAT64 translation.
lation on an IPv6 packet depends on whether the IPv6 packet contains a NAT64 prefix.
e NAT policy, and specify the NAT type as NAT64. When performing NAT64 translation, the CGN selects one IPv4 address randomly from the NAT address pool referenced in the NAT64 policy as the source address of a packet after translation.
d. Configure the NAT function to translate the IPv4 addresses of the user's
private network into the carrier's private IPv4 addresses.
[CPE] nat-policy
[CPE-policy-nat] rule name policy_nat_1
[CPE-policy-nat-rule-policy_nat_1] source-zone trust
[CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
[CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
[CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[CPE-policy-nat-rule-policy_nat_1] quit
[CPE-policy-nat] quit
# Configure the NAT ALG between the Trust zone and the Untrust zone
so that the server can provide FTP services externally.
[CPE] firewall interzone trust untrust
[CPE-interzone-trust-untrust] detect ftp
[CPE-interzone-trust-untrust] quit
b. Set the hash board selection mode to source address-based hash mode.
[CGN] firewall hash-mode source-only
# Introduce the blackhole route with the NAT64 prefix to the OSPFv3
protocol.
[CGN] ospfv3
[CGN-ospfv3-1] import-route static
[CGN-ospfv3-1] quit
8.4.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, PC1 on the private IPv4 network can
be used to access the FTP service provided by the server on the Internet.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
b. Run the display firewall session table verbose command on the CPE to
check the address translation.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
Interface: GigabitEthernet1/0/2 NextHop: 10.1.1.2 MAC: 0018-8239-1e5c
<--packets:20 bytes:1168 -->packets:26 bytes:1150
192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 PolicyName:policy_sec_1
The CGN can be successfully pinged and the IPv6 routes to the CPE and
CGN are configured. On the CPE and CGN, you can run the display
ospfv3 routing command to view the OSPFv3 routing tables.
[CPE] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
2000::/64 1
directly connected, GigabitEthernet1/0/1
3000::/64 1
directly connected, GigabitEthernet1/0/3
IA 4000::/64 2
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3
IA 5000::/64 3
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3
According to the OSPFv3 routing table, you can learn that the CPE learns
the routes from the CGN to the IPv6 MAN and IPv6 Internet.
[CGN] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 2000::/64 3
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3
IA 3000::/64 2
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3
4000::/64 1
directly connected, GigabitEthernet1/0/3
5000::/64 1
directly connected, GigabitEthernet1/0/1
According to the OSPFv3 routing table, you can learn that the CGN learns
the routes from the CPE to the IPv6 MAN and IPv6 users.
b. On PC2, ping PC3.
C:\> ping6 5000::2
from 2000::2 with 32 bytes of data:
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Ping statistics for 5000::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
router-id 1.1.1.1
area 0.0.0.0
area 0.0.0.1
#
ip route-static 10.1.2.0 255.255.255.0 10.1.1.2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 2000::2 64
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
action source-nat easy-ip
#
return
Networking
After the IPv4 and IPv6 services on carrier A's network are developed for a period,
the IPv4 public addresses are exhausted. Services are gradually migrated to the
IPv6 network. The IPv6 traffic dominates the service traffic. The carrier's MAN is
completely upgraded to the IPv6 network. To meet the network development
requirements, carrier A uses the DS-Lite+NAT64 solution, as shown in Figure 8-13.
● For the IPv6 users, the IPv6 users can directly access the IPv6 Internet over the
IPv6 routes because the IPv6 routes are reachable.
● For the IPv4 users, the DS-Lite function must be configured because the
access to the IPv4 Internet requires the IPv6 MAN. The configuration
procedure of the DS-Lite function is as follows:
a. Configure a DS-Lite tunnel between the CPE and the CGN.
● The CPE is used to connect terminal users and allocate addresses to the users.
– The CPE allocates private IPv4 addresses to IPv4 users.
– The CPE allocates private IPv6 addresses to IPv6 users.
The DS-Lite tunnel must be established between the CPE and the CGN.
● As an egress gateway of the MAN, the CGN provides DS-Lite tunnels for the
private IPv4 users to access the IPv4 Internet and translates their IPv4
addresses into IPv4 Internet addresses; the CGN provides routing channels for
the IPv6 users to access the IPv6 Internet, and translates IPv6 addresses into
IPv4 ones for the IPv6 users to access the IPv4 network.
● As a device at the aggregation layer, the BRAS allocates IPv6 addresses for the
CPEs to connect to the MAN.
Requirements Analysis
Data Planning
Figure 8-14 shows the networking diagram with data to facilitate configurations
and understanding.
Generally, the NAT64 is deployed with the DNS64. The DNS64 performs domain
name translation. The prefix and length configured for the DNS64 are the same as
those of the NAT64 device. Figure 8-15 shows the NAT64 networking diagram.
After the MAN is upgraded to the IPv6 network, the OSPFv3 protocol is still used
to plan IPv6 routing. Figure 8-16 shows the protocol planning.
8.5.3 Precautions
When the CGN is the Eudemon8000E-X, if the triplet DS-Lite NAT function is
required, the hash board selection mode must be source address hash.
Item Procedure Operation Description
he actual interface and IP address planning.
e IPv4 user to access the CGN by traversing the IPv6 MAN.
is ipv4-ipv6
rce interface of the IPv4 over IPv6 tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface.
● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel.
l indicates the address of the interface (4000::1/64) that connects the CGN to the MAN.
3  Configure routes.  Mandatory  The routes configured for the CPE include:
● DS-Lite tunnel route: forwards IPv4 service packets
● OSPFv3 configured at the interface to connect to the IPv6 network: forwards IPv6 service packets
e actual interface and IP address planning.
rs to traverse the IPv6 network and access the IPv4 Internet.
e IPv4 user to access the CGN by traversing the IPv6 MAN.
is ipv4-ipv6 ds-lite
rce interface of the IPv4 over IPv6 tunnel. You can specify the IPv6 address of the interface that is connected to the IPv6 network as the source address of the tunnel, or directly specify the interface as the source interface.
● You can specify either a physical interface or a logical interface such as the loopback interface as the source interface of the tunnel.
are used as the IPv4 addresses after the DS-Lite NAT translation.
Lite NAT policy, and DS-Lite NAT Server. You can configure the DS-Lite NAT policy based on actual network conditions.
3  Configure routes.  Mandatory  The routes configured include:
● Static route to the CPE and IPv4 Internet: forwards IPv4 service packets
● OSPFv3 configured at the int
r e
o s
c c
e r
d i
u p
r t
e i
o
n
e
r
f
a
c
e
t
o
c
o
n
n
e
c
t
t
o
t
h
e
I
P
v
6
n
e
t
w
o
r
k
:
f
o
r
w
a
r
d
s
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
I
P
v
6
s
e
r
v
i
c
e
p
a
c
k
e
t
s
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
I
P
v
6
u
s
e
r
s
t
o
a
c
c
e
s
s
t
h
e
I
P
v
4
n
e
t
w
o
r
k
.
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
a
r
e
u
s
e
d
a
s
t
h
e
I
P
v
4
a
d
d
r
e
s
s
e
s
a
f
t
e
r
t
h
e
N
A
T
6
4
t
r
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
a
n
s
l
a
t
i
o
n
.
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
l
a
t
i
o
n
o
n
a
n
I
P
v
6
p
a
c
k
e
t
d
e
p
e
n
d
s
o
n
w
h
e
t
h
e
r
t
h
e
I
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
P
v
6
p
a
c
k
e
t
c
o
n
t
a
i
n
s
a
N
A
T
6
4
p
r
e
fi
x
.
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
e
N
A
T
p
o
l
i
c
y
,
a
n
d
s
p
e
c
i
f
y
t
h
e
N
A
T
t
y
p
e
a
s
N
A
T
6
4
.
W
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
h
e
n
p
e
r
f
o
r
m
i
n
g
N
A
T
6
4
t
r
a
n
s
l
a
t
i
o
n
,
t
h
e
C
G
N
s
e
l
e
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
c
t
s
o
n
e
I
P
v
4
a
d
d
r
e
s
s
r
a
n
d
o
m
l
y
f
r
o
m
t
h
e
N
A
T
a
d
d
r
e
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
s
s
p
o
o
l
r
e
f
e
r
e
n
c
e
d
i
n
t
h
e
N
A
T
6
4
p
o
l
i
c
y
a
s
t
h
e
s
o
u
Item P Operation D
r e
o s
c c
e r
d i
u p
r t
e i
o
n
r
c
e
a
d
d
r
e
s
s
o
f
a
p
a
c
k
e
t
a
f
t
e
r
t
r
a
n
s
l
a
t
i
o
n
.
b. Set the hash board selection mode to source address-based hash mode.
[CGN] firewall hash-mode source-only
8.5.6 Verification
● Verify the IPv4 services.
a. After the configuration is complete, access the FTP service provided by
the server on the Internet using PC1 on the private IPv4 network.
C:\Documents and Settings\Administrator>ftp 1.1.3.1
Connected to 1.1.3.1.
220 FTP service ready.
User (1.1.3.1:(none)): admin
331 Password required for admin.
Password:
230 User logged in.
ftp>
b. Run the display firewall session table verbose command on the CPE to
check the session information.
[CPE] display firewall session table verbose
Current Total Sessions : 2
ftp VPN:public --> public ID: ab016391fa4c03558d54c16fac122
Zone: trust--> untrust TTL: 00:10:00 Left: 00:09:59
Interface: Tunnel1 NextHop: 1.1.3.1 MAC: 0000-0000-0000
<--packets:8 bytes:498 -->packets:12 bytes:541
192.168.0.2:1035+->1.1.3.1:21 PolicyName: ---
The output shows that the outbound interface is the Tunnel1 interface
and the tunnel is successfully established.
● Verify the IPv6 services.
a. Ping the interface address of the CGN that connects to the IPv6 network
from the CPE, that is, the address of the GigabitEthernet 1/0/2 interface.
<CPE> ping ipv6 4000::1
PING 4000::1 : 56 data bytes, press CTRL_C to break
Reply from 4000::1
bytes=56 Sequence=1 hop limit=64 time = 90 ms
Reply from 4000::1
bytes=56 Sequence=2 hop limit=64 time = 100 ms
Reply from 4000::1
bytes=56 Sequence=3 hop limit=64 time = 40 ms
Reply from 4000::1
bytes=56 Sequence=4 hop limit=64 time = 60 ms
Reply from 4000::1
bytes=56 Sequence=5 hop limit=64 time = 40 ms
If the CGN can be successfully pinged, the IPv6 routes to the CPE and
CGN are configured. On the CPE and CGN, you can run the display
ospfv3 routing command to view the OSPFv3 routing tables.
[CPE] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
2000::/64 1
directly connected, GigabitEthernet1/0/1
3000::/64 1
directly connected, GigabitEthernet1/0/2
IA 4000::/64 2
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2
IA 5000::/64 3
via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2
The OSPFv3 routing table shows that the CPE has learned the routes to the IPv6
MAN and the IPv6 Internet from the CGN.
[CGN] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 2000::/64 3
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2
IA 3000::/64 2
via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2
4000::/64 1
directly connected, GigabitEthernet1/0/2
5000::/64 1
directly connected, GigabitEthernet1/0/1
The OSPFv3 routing table shows that the CGN has learned the routes to the IPv6
MAN and the IPv6 users from the CPE.
b. On PC2, ping PC3.
C:\> ping6 5000::2
from 2000::2 with 32 bytes of data:
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Reply from 5000::2: time<1ms
Ping statistics for 5000::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
If PC3 can be pinged, the IPv6 routes on the entire network are configured
correctly.
● Enable an IPv6 user to access the IPv4 Internet.
a. Ping domain name www.example.com on PC2.
Pinging 6000::ca01:301 with 32 bytes of data:
#
interface Tunnel1
ip address 10.1.1.1 255.255.255.0
tunnel-protocol ipv4-ipv6
source 3000::1
destination 4000::1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
source-address 2000:: 64
action permit
rule name policy2
source-zone local
destination-zone untrust
source-address 10.1.1.0 24
action permit
#
firewall zone dmz
set priority 50
#
ospfv3 1
router-id 1.1.1.1
area 0.0.0.0
area 0.0.0.1
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel1
#
return
#
interface GigabitEthernet1/0/2
undo shutdown
ipv6 enable
ipv6 address 4000::1/64
ospfv3 1 area 0.0.0.0
#
interface Tunnel1
ip address 10.1.1.2 255.255.255.0
tunnel-protocol ipv4-ipv6 ds-lite
source 4000::1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Tunnel1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
destination-address 1.1.1.0 24
destination-address 5000:: 64
action permit
rule name policy2
source-zone trust
destination-zone local
destination-address 10.1.1.0 24
action permit
#
nat address-group addressgroup1
route enable
section 1 1.1.2.1 1.1.2.5
nat address-group addressgroup2
mode pat
route enable
section 1 1.1.2.11 1.1.2.15
#
nat-policy
rule name policy_nat_1
nat-type ds-lite
source-zone trust
destination-zone untrust
source-address 3000::1 64
action source-nat address-group addressgroup1
rule name policy_nat64
nat-type nat64
source-zone trust
destination-zone untrust
source-address 2000:: 64
action source-nat address-group addressgroup2
#
firewall interzone trust untrust
detect ftp
#
ospfv3 1
router-id 2.2.2.2
import-route static
#
ipv6 route-static 6000:: 96 NULL0
#
return
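As an added example (not Huawei code), the following Python model applies the classification that the CGN configuration above expresses: IPv4-in-IPv6 packets sent to the DS-Lite tunnel endpoint 4000::1 from the CPE's 3000::/64 fall under policy_nat_1, and IPv6 packets whose destination lies in the NAT64 prefix 6000::/96 (the ping to www.example.com resolves to 6000::ca01:301) fall under policy_nat64, with the embedded IPv4 address taken from the low 32 bits as RFC 6052 defines for a /96 prefix. The packet samples, the IPv6Packet structure and the function names are constructed for this illustration; the real CGN also matches zones, address pools and session state.

```python
"""Classify IPv6 packets arriving at the CGN in the DS-Lite/NAT64 scenario.

Added illustration, not Huawei code. Values mirror the CGN configuration:
  - DS-Lite tunnel: IPv4-in-IPv6 (next header 4) from the CPE tunnel source
    3000::1 to the CGN tunnel address 4000::1 (policy_nat_1, source 3000::/64)
  - NAT64: IPv6 destinations inside the NAT64 prefix 6000::/96 (policy_nat64,
    source 2000::/64); the embedded IPv4 address is the low 32 bits (RFC 6052)
Packet samples are constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAT64_PREFIX = ipaddress.IPv6Network("6000::/96")     # ipv6 route-static 6000:: 96 NULL0
DSLITE_TUNNEL_DST = ipaddress.IPv6Address("4000::1")  # CGN Tunnel1 source 4000::1
IPPROTO_IPIP = 4                                      # IPv4 encapsulated in IPv6

DS_LITE_SOURCES = ipaddress.IPv6Network("3000::/64")  # policy_nat_1 source-address 3000::1 64
NAT64_SOURCES = ipaddress.IPv6Network("2000::/64")    # policy_nat64 source-address 2000:: 64


@dataclass(frozen=True)
class IPv6Packet:
    """Minimal constructed view of an IPv6 header (hypothetical helper type)."""
    src: str
    dst: str
    next_header: int
    inner_ipv4_dst: Optional[str] = None  # set only for IPv4-in-IPv6 packets


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a NAT64 /96 address, else None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in NAT64_PREFIX:
        return None
    # With a /96 prefix the IPv4 address occupies bits 96..127 of the IPv6 address.
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def classify(pkt):
    """Return (policy_name, IPv4 destination after decapsulation/translation)
    or ("drop", reason) for packets no NAT policy should accept."""
    src = ipaddress.IPv6Address(pkt.src)
    dst = ipaddress.IPv6Address(pkt.dst)

    # DS-Lite: the tunnel carries IPv4 inside IPv6 towards the CGN's tunnel address.
    if pkt.next_header == IPPROTO_IPIP and dst == DSLITE_TUNNEL_DST:
        if src not in DS_LITE_SOURCES:
            return ("drop", "tunnel packet from a source outside 3000::/64")
        return ("policy_nat_1", pkt.inner_ipv4_dst)  # decapsulate, then DS-Lite NAT

    # NAT64: only packets whose destination carries the NAT64 prefix are translated.
    v4 = embedded_ipv4(dst)
    if v4 is not None:
        if src not in NAT64_SOURCES:
            return ("drop", "NAT64 source outside 2000::/64")
        return ("policy_nat64", str(v4))

    # Anything else is native IPv6 (e.g. PC2 to PC3) and is simply routed by OSPFv3.
    return ("native-ipv6", pkt.dst)


if __name__ == "__main__":
    samples = [
        IPv6Packet("2000::2", "6000::ca01:301", 6),          # IPv6 user to IPv4 Internet
        IPv6Packet("3000::1", "4000::1", 4, "1.1.3.1"),      # CPE tunnel, FTP to 1.1.3.1
        IPv6Packet("2000::2", "5000::2", 58),                # PC2 pinging PC3
        IPv6Packet("3000::9", "6000::ca01:301", 6),          # NAT64 from the wrong source
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, classify(pkt))
```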
9.1 Introduction
This section describes the applications of IPSec in LTE and the IPSec
configuration for a network in which hot standby devices are deployed in off-line
mode.
● User Equipment (UE): the general term for mobile terminals, such as mobile
phones, smart phones, and multimedia devices, used on the LTE network
● Evolved NodeB (eNodeB): wireless base station that provides wireless access
services for users
● IP-Radio Access Network (RAN): IP-based wireless access network. It is the
access network of the entire LTE network.
● Evolved Packet Core (EPC): the core network of LTE
– Mobility Management Entity (MME): responsible for the control function
of the core network. Traffic from the eNodeB to the EPC includes
signaling flows and service flows, and the MME processes signaling
traffic.
– Serving Gateway (S-GW): processes the service traffic from the eNodeB
to the EPC.
– Operation and Maintenance Center (OMC): includes the M2000, CME,
and LMT. The administrator manages the NEs on the LTE network in a
centralized manner through the OMC. For the ease of management,
some certificate servers, such as the CA server and RA server, are also
deployed in the OMC area.
● S1 interface
The S1 interface is between the MME/S-GW and the eNodeB. Based on the
service plane, the S1 interface is further split to the S1 user plane interface
and the S1 control plane interface.
– S1 user plane interface (S1-U)
The S1-U interface is between the eNodeB and the S-GW. It carries user
data, also called service data, between the eNodeB and the S-GW. The
S1-U works on the simple GTP over UDP/IP transport protocol. This
In the LTE IPSec solution, traffic on the eNodeB includes S1 traffic, X2 traffic, and
OM traffic and PKI traffic for communication with the NMS. Considering the
security and real-time performance, the carrier has different requirements for the
processing of different types of traffic:
● S1 traffic
The S1 traffic is classified into user plane (S1 UP) traffic for voices and control
plane (S1 CP) traffic for signaling. This traffic requires high security and
therefore is transmitted over the IPSec tunnel.
● X2 traffic
The X2 traffic is burst traffic and does not require high security. This traffic
can be either encrypted or not encrypted. In the present case, the X2 traffic is
not IPSec-encrypted because the IPSec tunnel encapsulation increases its
transmission delay.
● OM traffic
Network devices, including the eNodeB and the FW, are managed by the OM
server in a centralized manner. This management traffic does not require the
protection of the IPSec tunnel. For example, clock synchronization between the
NTP server of the OM and the eNodeB requires low jitter, so IPSec encryption is
inappropriate for it.
● PKI traffic
The PKI server issues certificates to the eNodeB and the IPSec gateway. When
the eNodeB and the IPSec gateway establish an IPSec tunnel, they exchange
certificates to verify the identity of each other. This traffic does not require
IPSec protection either. It is sent by the eNodeB directly to the PKI server.
Figure 9-3 shows the transmission paths of different traffic.
Figure 9-3 Transmission of different eNodeB traffic in the LTE IPSec solution
FW_A Eth-Trunk1.2, IP address 1.1.2.1/30, VLAN 200: processes decrypted service traffic sent by the eNodeB to the S-GW.
FW_A Eth-Trunk1.3, IP address 1.1.3.1/30, VLAN 300: processes decrypted signaling traffic sent by the eNodeB to the MME.
FW_A Eth-Trunk1.4, IP address 1.1.4.1/30, VLAN 400: processes the management traffic exchanged between FW_A and the OM server.
FW_B Eth-Trunk1.2, IP address 5.1.2.1/30, VLAN 200: processes decrypted service traffic sent by the eNodeB to the S-GW after the active/standby device switchover.
FW_B Eth-Trunk1.3, IP address 5.1.3.1/30, VLAN 300: processes decrypted signaling traffic sent by the eNodeB to the MME after the active/standby device switchover.
FW_B Eth-Trunk1.4, IP address 5.1.4.1/30, VLAN 400: processes the management traffic exchanged between FW_B and the OM server.
OM U2000 9.1.1.1/30 -
PKI CA 9.1.2.4/30 -
● Uplink traffic
The uplink traffic from the eNodeB to the EPC relies on the following route
exchange process. The process here is based on the line from eNodeB-1
through the IP-RAN, FW_A, and RSG-1 to the EPC.
a. FW_A advertises the IPSec gateway route to OSPF1.
b. RSG-1 imports the OSPF1 route to the BGP.
c. RSG-1 advertises the IPSec gateway route to the AGG through the IBGP.
d. The AGG receives the IPSec gateway route and advertises it on the IP-RAN.
When the eNodeB forwards IPSec traffic to the IP-RAN through a static
route, the IP-RAN learns the IPSec gateway route and routes the IPSec
traffic all the way to FW_A.
FW_A learns the route to the EPC through OSPF2. The uplink IPSec traffic
is decrypted and is forwarded to the EPC along the route learnt through
OSPF2.
● Downlink traffic
The downlink response traffic from the EPC to the eNodeB relies on the
following route exchange process. The process here is based on the line from
the EPC through RSG-1, FW_A, and the IP-RAN to eNodeB-1.
a. After importing direct routes from the AN, the IP-RAN can learn the IPSec
tunnel route to eNodeB-1.
b. RSG-1 learns the IPSec tunnel route to eNodeB-1 from the IP-RAN
through IBGP.
c. RSG-1 imports the IPSec tunnel route to eNodeB-1 learnt by the IBGP to
OSPF1. FW_A learns the IPSec tunnel route to eNodeB-1.
The response traffic from the EPC to eNodeB-1 is forwarded to FW_A
along the route learnt in OSPF2. The traffic enters the IPSec tunnel along
the route learnt during reverse route injection on FW_A. FW_A
forwards the encapsulated traffic to the IP-RAN along the route to
eNodeB-1 learnt in OSPF1. The IP-RAN then forwards the traffic all the
way to eNodeB-1.
In the hot standby scenario, the active IPSec gateway (FW_A) advertises the OSPF
route with its original, configurable cost, and the standby IPSec gateway (FW_B)
advertises the same route with a cost of 65500; the original cost is therefore
normally set smaller than 65500. When traffic from the eNodeB to the EPC arrives
at an RSG, the RSG selects the link with the smaller route cost and forwards the
traffic to FW_A. Because the Eth-Trunk sub-interface Trunk2.1 of RSG-1 and RSG-2
is added to OSPF1, OSPF1 costs are exchanged among FW_A, RSG-1, RSG-2, and
FW_B, so regardless of whether the traffic from the eNodeB arrives at RSG-1 or
RSG-2, the RSG selects the lower-cost link to FW_A. When FW_A fails, an
active/standby switchover takes place and the route costs are swapped at the
same time. The traffic is still forwarded over the lower-cost link; the only
difference is that it now reaches FW_B instead of FW_A.
9.4 Precautions
● IPSec configuration
– The tunnel address and service address of the eNodeB must be different.
– If remote disaster recovery is not implemented, when you configure the
tunnel route to the eNodeB for the FW, IPSec reverse route injection is no
longer mandatory, and static routes can be used.
● Networking
In the current LTE IPSec solution, most FWs are deployed in hot standby in
off-path mode while very few are deployed in in-path mode. This is because
off-path deployment has less impact on the original network topology.
● MTU
IPSec encryption increases the packet length. Therefore, you must adjust the
MTU of the entire path after the IPSec gateway is deployed. There are
specifically two MTU adjustment schemes:
– Reduce the MTU on the EPC side and the eNodeB side without changing
it on other nodes. The strength of this scheme is that it involves only a
small number of devices.
– Increase the MTU on the intermediate IP core, IP-RAN and transmission
nodes. The advantage of this scheme is higher transmission efficiency,
because the fixed IPSec header is a smaller share of each packet.
Transmission efficiency = 1 - IPSec header/packet length. The IPSec
header length is fixed. Therefore, a greater packet length indicates a
Procedure
Step 1 Configure IP addresses for the interfaces of FW_A.
<FW_A> system-view
[FW_A] sysname FW_A
[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] quit
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] description eth-trunk1
[FW_A-GigabitEthernet1/0/1] Eth-Trunk 1
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] description eth-trunk1
[FW_A-GigabitEthernet1/0/2] Eth-Trunk 1
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] quit
[FW_A] interface GigabitEthernet 1/0/8
[FW_A-GigabitEthernet1/0/8] description eth-trunk2
[FW_A-GigabitEthernet1/0/8] Eth-Trunk 2
[FW_A-GigabitEthernet1/0/8] quit
[FW_A] interface GigabitEthernet 2/0/8
[FW_A-GigabitEthernet2/0/8] description eth-trunk2
[FW_A-GigabitEthernet2/0/8] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/8] quit
[FW_A] interface Eth-Trunk 1.1
[FW_A-Eth-Trunk1.1] ip address 1.1.1.1 30
[FW_A-Eth-Trunk1.1] vlan-type dot1q 100
[FW_A-Eth-Trunk1.1] quit
[FW_A] interface Eth-Trunk 1.2
[FW_A-Eth-Trunk1.2] ip address 1.1.2.1 30
[FW_A-Eth-Trunk1.2] vlan-type dot1q 200
[FW_A-Eth-Trunk1.2] quit
[FW_A] interface Eth-Trunk 1.3
[FW_A-Eth-Trunk1.3] ip address 1.1.3.1 30
[FW_A-Eth-Trunk1.3] vlan-type dot1q 300
[FW_A-Eth-Trunk1.3] quit
[FW_A] interface Eth-Trunk 1.4
[FW_A-Eth-Trunk1.4] ip address 1.1.4.1 30
[FW_A-Eth-Trunk1.4] vlan-type dot1q 400
[FW_A-Eth-Trunk1.4] quit
[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] ip address 2.1.1.1 30
[FW_A-Eth-Trunk2] quit
[FW_A] interface Tunnel 1
Step 3 Configure the IP addresses and security zones of the interfaces of FW_B according
to the above procedure. Note that the IP addresses of the interfaces are different.
----End
Procedure
Step 1 Configure hot standby.
# Configure hot standby on FW_A.
1. Configure a VGMP group to monitor Eth-Trunk1.
[FW_A] hrp track interface Eth-Trunk 1
----End
The field order in the CA name must be the same as that in the CA certificate;
otherwise, the server considers the CA name invalid.
# Create a CMP session named ngfwa.
HRP_M[FW_A] pki cmp session ngfwa
# Specify the PKI entity name referenced by the CMP session.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request entity ngfwa
# Configure a CA name, for example, C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request ca-name
"C=cn,ST=jiangsu,L=SD,O=BB,OU=BB,CN=BB"
# Configure the URL for certificate application.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request server url http://9.1.2.4:8080
# Specify the RSA key pair used for certificate application and configure the device to update
the RSA key pair together with the certificate.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request rsa local-key-pair rsa_cmp regenerate
# When applying for a certificate for the first time, use the message authentication code for
authentication. Set the reference value and secret value of the message authentication code, for
example, 1234 and 123456.
HRP_M[FW_A-pki-cmp-session-ngfwa] cmp-request message-authentication-code 1234
123456
HRP_M[FW_A-pki-cmp-session-ngfwa] quit
# Submit an initial certificate request to the CMPv2 server based on the CMP session
configuration.
HRP_M[FW_A] pki cmp initial-request session ngfwa
HRP_M[FW_A]
Info: Initializing configuration.
Info: Creatting initial request packet.
Info: Connectting to CMPv2 server.
Info: Sending initial request packet.
Info: Waitting for initial response packet.
Info: Creatting confirm packet.
Info: Connectting to CMPv2 server.
Info: Sending confirm packet.
Info: Waitting for confirm packet from server.
Info: CMPv2 operation finish.
2. Configure an IPSec policy on FW_A, and apply the IPSec policy to the
interfaces.
a. Define the protected data streams.
After hot standby is enabled, all configuration information of FW_A except the route
configuration is synchronized to FW_B automatically.
Import the route generated during IPSec dynamic reverse route injection to OSPF2
to guide the forwarding of the response traffic of the EPC to the eNodeB. Set the
next hop of the route to the Tunnel interface of the IPSec tunnel.
HRP_M[FW_B] ospf 2
HRP_M[FW_B-ospf-2] import-route unr
HRP_M[FW_B-ospf-2] area 1.1.1.1
HRP_M[FW_B-ospf-2-area-1.1.1.1] network 5.1.2.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.1.1] quit
HRP_M[FW_B-ospf-2] area 1.1.2.1
HRP_M[FW_B-ospf-2-area-1.1.2.1] network 5.1.3.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.2.1] quit
HRP_M[FW_B-ospf-2] area 1.1.3.1
HRP_M[FW_B-ospf-2-area-1.1.3.1] network 5.1.4.0 0.0.0.3
HRP_M[FW_B-ospf-2-area-1.1.3.1] quit
HRP_M[FW_B-ospf-2] quit
----End
3. Configure a security policy between the Untrust and Trust zones, allowing
decapsulated IPSec traffic to pass through FW_A.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name 5
HRP_M[FW_A-policy-security-rule-5] source-zone untrust
HRP_M[FW_A-policy-security-rule-5] destination-zone trust
HRP_M[FW_A-policy-security-rule-5] source-address 6.1.0.0 16
HRP_M[FW_A-policy-security-rule-5] source-address 7.1.0.0 16
HRP_M[FW_A-policy-security-rule-5] destination-address 8.1.1.1 30
HRP_M[FW_A-policy-security-rule-5] action permit
HRP_M[FW_A-policy-security-rule-5] quit
HRP_M[FW_A-policy-security] rule name 6
HRP_M[FW_A-policy-security-rule-6] source-zone trust
HRP_M[FW_A-policy-security-rule-6] destination-zone untrust
HRP_M[FW_A-policy-security-rule-6] source-address 8.1.1.1 30
HRP_M[FW_A-policy-security-rule-6] destination-address 6.1.0.0 16
HRP_M[FW_A-policy-security-rule-6] destination-address 7.1.0.0 16
HRP_M[FW_A-policy-security-rule-6] action permit
HRP_M[FW_A-policy-security-rule-6] quit
----End
----End
9.5.6 Verification
1. After the configuration is complete, the IPSec tunnel between the eNodeB
and FW_A is successfully established, and the MME and S-GW can be
accessed.
2. Check the setup of the IKE SA on FW_A.
<FW_A> display ike sa
Spu board slot 1, cpu 0 ike sa information :
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
16792025 6.1.1.1 RD|ST|M v2:2
16792024 6.1.1.1 RD|ST|M v2:1
83887864 7.1.1.1 RD|ST|M v2:2
83887652 7.1.1.1 RD|ST|M v2:1
Number of SA entries : 4
Number of SA entries of all cpu : 4
-------------------------------------------------------------------------------
3.1.1.1 6.1.1.1 3923280450 ESP E:AES-256 A:SHA2-256-128
6.1.1.1 3.1.1.1 787858613 ESP E:AES-256 A:SHA2-256-128
3.1.1.1 7.1.1.1 3923280452 ESP E:AES-256 A:SHA2-256-128
7.1.1.1 3.1.1.1 787858611 ESP E:AES-256 A:SHA2-256-128
4. Run the display hrp state command on FW_A to check the current HRP state.
HRP_M[FW_A] display hrp state
Role: active, peer: active
Running priority: 49012, peer: 49012
Backup channel usage: 3%
Stable time: 0 days, 5 hours, 1 minutes
FW_A
proposal tran1
route inject dynamic
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk 1
#
interface GigabitEthernet 1/0/1
description eth-trunk1
Eth-Trunk 1
#
interface GigabitEthernet 1/0/2
description eth-trunk1
Eth-Trunk 1
#
interface Eth-Trunk 2
ip address 2.1.1.1 255.255.255.252
#
interface GigabitEthernet 1/0/8
description eth-trunk2
Eth-Trunk 2
#
interface GigabitEthernet 2/0/8
description eth-trunk2
Eth-Trunk 2
#
interface Eth-Trunk 1.1
vlan-type dot1q 100
ip address 1.1.1.1 255.255.255.252
#
interface Eth-Trunk 1.2
vlan-type dot1q 200
ip address 1.1.2.1 255.255.255.252
#
interface Eth-Trunk 1.3
vlan-type dot1q 300
ip address 1.1.3.1 255.255.255.252
#
interface Eth-Trunk 1.4
vlan-type dot1q 400
ip address 1.1.4.1 255.255.255.252
#
interface Tunnel 1
ip address 3.1.1.1 255.255.255.252
tunnel-protocol ipsec
ipsec policy map1
#
router id 1.1.1.1
#
ospf 1
area 1.1.1.1
network 1.1.1.0 0.0.0.3
network 3.1.1.0 0.0.0.3
#
ospf 2
import-route unr
area 1.1.1.1
network 1.1.2.0 0.0.0.3
area 1.1.2.1
network 1.1.3.0 0.0.0.3
area 1.1.3.1
network 1.1.4.0 0.0.0.3
#
ntp-service unicast-server 9.1.1.2
#
log type traffic enable
firewall log host 1 9.1.1.3 9002
#
info-center enable
snmp-agent
snmp-agent sys-info version v2c
snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
firewall zone trust
set priority 85
add interface Eth-Trunk1.2
add interface Eth-Trunk1.3
add interface Eth-Trunk1.4
#
firewall zone untrust
set priority 85
add interface Eth-Trunk1.1
add interface Tunnel1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk2
#
security-policy
rule name 1
source-zone trust
source-zone untrust
destination-zone local
service ospf
action permit
rule name 2
source-zone local
destination-zone trust
destination-zone untrust
service ospf
action permit
rule name 3
source-zone local
destination-zone untrust
source-address 3.1.1.1 32
destination-address 6.1.1.1 30
destination-address 7.1.1.1 30
action permit
rule name 4
source-zone untrust
destination-zone local
source-address 6.1.1.1 30
source-address 7.1.1.1 30
destination-address 3.1.1.1 32
action permit
rule name 5
source-zone untrust
destination-zone trust
source-address 6.1.0.0 16
source-address 7.1.0.0 16
destination-address 8.1.1.1 30
action permit
rule name 6
source-zone trust
destination-zone untrust
source-address 8.1.1.1 30
destination-address 6.1.0.0 16
destination-address 7.1.0.0 16
action permit
#
return
FW_B
proposal tran1
route inject dynamic
#
ipsec policy map1 10 isakmp template policy1
#
interface Eth-Trunk 1
#
interface GigabitEthernet 1/0/1
description eth-trunk1
Eth-Trunk 1
#
interface GigabitEthernet 1/0/2
description eth-trunk1
Eth-Trunk 1
#
interface Eth-Trunk 2
ip address 2.1.1.2 255.255.255.252
#
interface GigabitEthernet 1/0/8
description eth-trunk2
Eth-Trunk 2
#
interface GigabitEthernet 2/0/8
description eth-trunk2
Eth-Trunk 2
#
interface Eth-Trunk 1.1
vlan-type dot1q 1
ip address 5.1.1.1 255.255.255.252
#
interface Eth-Trunk 1.2
vlan-type dot1q 2
ip address 5.1.2.1 255.255.255.252
#
interface Eth-Trunk 1.3
vlan-type dot1q 3
ip address 5.1.3.1 255.255.255.252
#
interface Eth-Trunk 1.4
vlan-type dot1q 4
ip address 5.1.4.1 255.255.255.252
#
interface Tunnel 1
ip address 3.1.1.1 255.255.255.252
tunnel-protocol ipsec
ipsec policy map1
#
router id 5.1.1.1
#
ospf 1
area 1.1.1.1
network 5.1.1.0 0.0.0.3
network 3.1.1.0 0.0.0.3
#
ospf 2
import-route unr
area 1.1.1.1
network 5.1.2.0 0.0.0.3
area 1.1.2.1
network 5.1.3.0 0.0.0.3
area 1.1.3.1
network 5.1.4.0 0.0.0.3
#
ntp-service unicast-server 9.1.1.2
#
log type traffic enable
firewall log host 1 9.1.1.3 9002
#
info-center enable
snmp-agent
snmp-agent sys-info version v2c
snmp-agent target-host inform address udp-domain 9.1.1.1 params securityname private@123 v2c
#
firewall zone trust
set priority 85
add interface Eth-Trunk1.2
add interface Eth-Trunk1.3
add interface Eth-Trunk1.4
#
firewall zone untrust
set priority 85
add interface Eth-Trunk1.1
add interface Tunnel1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk2
#
security-policy
rule name 1
source-zone trust
source-zone untrust
destination-zone local
service ospf
action permit
rule name 2
source-zone local
destination-zone trust
destination-zone untrust
service ospf
action permit
rule name 3
source-zone local
destination-zone untrust
source-address 3.1.1.1 32
destination-address 6.1.1.1 30
destination-address 7.1.1.1 30
action permit
rule name 4
source-zone untrust
destination-zone local
source-address 6.1.1.1 30
source-address 7.1.1.1 30
destination-address 3.1.1.1 32
action permit
rule name 5
source-zone untrust
destination-zone trust
source-address 6.1.0.0 16
source-address 7.1.0.0 16
destination-address 8.1.1.1 30
action permit
rule name 6
source-zone trust
destination-zone untrust
source-address 8.1.1.1 30
destination-address 6.1.0.0 16
destination-address 7.1.0.0 16
action permit
#
return
Disaster Recovery for Link Failure Between the MME/S-GW and RSG
As shown in Figure 9-9, when the link between RSG-1 and the S-GW fails, traffic
from FW_A to the S-GW can no longer be carried on this link. Instead, the traffic
has to be routed to RSG-2 and then forwarded to the S-GW. Adding Eth-Trunk2.3
and Eth-Trunk2.2 to OSPF2 ensures that the OSPF2 route cost changes when
this link fails, so that decapsulated IPSec traffic is routed to RSG-2 for forwarding.
Figure 9-9 Disaster recovery for link failure between the MME/S-GW and RSG
Disaster Recovery for Link Failure Between the AGG and RSG
As shown in Figure 9-10, when the link between AGG-1 and RSG-1 fails, the cost
of the route in the IP-RAN area changes, and IPSec traffic from the eNodeB to
FW_A is no longer carried on this link. Instead, the traffic is routed to AGG-2 and
then forwarded to RSG-2. Because Eth-Trunk2.1 is added to OSPF1, when the IPSec
traffic arrives at RSG-2, RSG-2 forwards it to RSG-1, which then forwards it
to FW_A. The cost of the route from RSG-2 to FW_B (standby) is greater than the
cost of the route from RSG-2 to FW_A (active), so there is no need to worry that
RSG-2 forwards the IPSec traffic to FW_B.
Figure 9-10 Disaster recovery for link failure between the AGG and RSG
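The route-cost reasoning of the hot standby design (the active gateway advertises its original cost, the standby advertises 65500, and RSG-1 and RSG-2 exchange OSPF1 costs over Eth-Trunk2.1) and the AGG-RSG link-failure case of Figure 9-10 can be checked with a small shortest-path model. This is an added example, not Huawei code: the link cost of 10 on every core link and the direct AGG-1 to AGG-2 link are assumptions, and the node "ipsec-gw" stands for the 3.1.1.0/30 IPSec gateway route advertised by both firewalls.

```python
"""Shortest-path model of IPSec gateway selection in the LTE hot standby scenario.

Added illustration, not Huawei code. The document states only that the standby
gateway advertises the route with cost 65500 and the active one with a smaller,
configurable cost; all other link costs (10) and the AGG-1 to AGG-2 link are
assumptions made for this model.
"""
import heapq

STANDBY_COST = 65500   # cost advertised by the standby IPSec gateway (FW_B by default)
ACTIVE_COST = 1        # assumed original cost advertised by the active gateway
GATEWAY = "ipsec-gw"   # stands for the 3.1.1.0/30 IPSec gateway route


def build_topology(active="FW_A", link_failures=()):
    """Undirected OSPF1 link costs; the gateway route hangs off each firewall."""
    links = {
        ("AGG-1", "RSG-1"): 10, ("AGG-2", "RSG-2"): 10,
        ("AGG-1", "AGG-2"): 10,                          # assumed IP-RAN link
        ("RSG-1", "RSG-2"): 10,                          # Eth-Trunk2.1, added to OSPF1
        ("RSG-1", "FW_A"): 10, ("RSG-2", "FW_B"): 10,
    }
    # The active gateway keeps its original cost; the standby advertises 65500.
    for fw in ("FW_A", "FW_B"):
        links[(fw, GATEWAY)] = ACTIVE_COST if fw == active else STANDBY_COST
    graph = {}
    for (a, b), cost in links.items():
        if (a, b) in link_failures or (b, a) in link_failures:
            continue  # failed link: withdrawn from the topology
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra; returns (total_cost, [src, ..., dst]) or (None, []) if unreachable."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def gateway_used(entry, active="FW_A", link_failures=()):
    """Return (firewall that terminates IPSec traffic entering the core at
    `entry`, full path to the gateway route)."""
    graph = build_topology(active, link_failures)
    _cost, path = shortest_path(graph, entry, GATEWAY)
    return (path[-2] if path else None), path


if __name__ == "__main__":
    print("normal, via RSG-1:", gateway_used("RSG-1"))
    print("normal, via RSG-2:", gateway_used("RSG-2"))
    print("after switchover:", gateway_used("RSG-1", active="FW_B"))
    print("AGG-1 to RSG-1 link down (Figure 9-10):",
          gateway_used("AGG-1", link_failures=(("AGG-1", "RSG-1"),)))
```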