[All About Switches - Configuration Examples]Example for Configuring NGFW Module

Created Jun 11, 2015 19:39:34Latest reply Aug 24, 2016 03:51:48 4029 2 2 0

1.1 Overview

After installing the NGFW Module on a switch, you can redirect specified traffic to the NGFW Module for processing based on service requirements. Figure 1 shows an example. Traffic from the enterprise office and Internet to the enterprise servers is redirected to the NGFW Module for security protection.

Figure 1 Adjusting the service traffic path based on service requirements

 The NGFW Module provides the powerful CLI and easy-to-use web UI. In addition, the NGFW Module can use SNMP to communicate with the standard NMS for centralized management.

1.1.1 Appearance

 NGFW Module is a next generation firewall (NGFW) module that applies to Huawei S7700, S9700, and S12700 switch series to provide firewall, NAT, VPN, and content security functions for IP networks.

Figure 2 Appearance of NGFW Module

Ports

Description

MGMT port

Out-of-band 10/100/1000M autosensing Ethernet management port. The interface number is GigabitEthernet 0/0/0 and the default IP address of the interface is 192.168.0.1.

You can connect this port to a PC through a network cable. Then, you can use Telnet, or sTelnet to access the CLI or use a web browser to access the web UI to configure, manage, and maintain the NGFW Module.

NOTE:

The MGMT port cannot be used as a service port. The service ports (GigabitEthernet 1/0/0 to GigabitEthernet 1/0/1) of the NGFW Module are used to connect to the switch on which the module is installed.

Console port

Console port allows you to locally connect to the NGFW Module. You can use a console cable to connect the console port on the NGFW Module to the COM port on your PC and use a serial port terminal program on your PC to access, configure, and manage the NGFW Module.

GE1-GE3 ports

Three 10/100/1000M autosensing Ethernet electrical ports, numbered from GigabitEthernet 0/0/1 to GigabitEthernet 0/0/3.

You can use one of the GE ports as the heartbeat interface during hot standby deployment or to connect a third-party log host.

NOTE:

The three ports cannot be used as service ports.

USB port

USB port allows you to insert USB devices for system software upgrades. For details on upgrades through USB devices, refer to the Upgrade Guide delivered with the device.

1.1.2 Functions

Table 1 lists the main functions of the NGFW Module.

Table 1 NGFW Module functions

Category

Function

Description

Content security

Application identification

·        Identifies common applications based on the predefined signature database.

·        Supports the constant update of the predefined signature database and the user-defined applications.

·        Parses the packets of tens of protocols and identifies the contents during the protocol negotiation and supports common multi-channel protocols.

Antivirus

·        Employs the advanced Intelligent Awareness Engine (IAE) and constantly updated virus signature database to detect and remove viruses.

·        Updates the signature database constantly.

Intrusion prevention

·        Detects and defends against thousands of common intrusion behaviors, worms, Trojan horses, and Botnets.

·        Updates the predefined signature database constantly and supports user-defined signatures.

URL filtering

·        Blocks connections to HTTP and HTTPS URLs as required.

·        Adds URLs and URL categories on the local and supports the query of the latest URLs and URL categories from the remote URL category server.

·        Updates URL categories constantly.

Data filtering

·        Supports common file transfer protocols, including HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP, RTMPT, and FLASH.

·        Filters contents in the files transferred over the previous protocols based on keywords.

·        Filters contents in the HTTP and FTP files based on keywords.

File blocking

·        Supports common file transfer protocols, including HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP, RTMPT, and FLASH.

·        Identifies common documents, code files, executable files, multimedia files, real types of the compressed files, and file name extensions over the previous protocols.

·        Identifies common files transferred over the previous protocols based the real types and file name extensions.

Application behavior control

·        Controls HTTP behaviors, including the file upload and download, POST, web page browsing, and HTTP proxy.

·        Controls FTP behaviors, including FTP file upload and download.

Mail filtering

·        Supports the mail server whitelist and blacklist on the local to block the spam.

·        Works with the RBL server to remotely query whether a received or sent mail is spam in real time.

·        Filters mails based on the sender addresses, receiver addresses, and the size and number of mail attachments.

Network-layer security protection

Packet filtering

Supports packet filtering based on policies.

NAT

·        Translates the source IP addresses, destination IP addresses, and ports of packets.

·        Maps private IP addresses and ports to public IP addresses and ports, so that the internal server can provide services for external users.

·        Automatically translates the IP addresses and ports negotiated in the packets of multi-channel protocols.

DDoS attack defense

Defends against various DoS and DDoS attacks:

·        Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP flood

·        Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP flood

Single-packet attack defense

Implements packet validity checking to defend against various single-packet attacks, including IP spoofing attacks, LAND attacks, Smurf attacks, Fraggle attacks, Winnuke attacks, Ping of Death attacks, Teardrop attacks, address scanning attacks, port scanning attacks, IP option control attacks, IP fragment control attacks, TCP label validity check attacks, ICMP packet control attacks, ICMP redirect packet attacks, ICMP unreachable packet attacks, and TRACERT packet attacks.

Blacklist and whitelist

Rapidly filters packets based on the whitelist and blacklist of IP addresses.

IP-MAC address binding

Supports IP-MAC address binding to prevent IP spoofing.

 

1.1.3 Interface Application

The NGFW Module and switch are interconnected through two 20GE internal Ethernet links. The NGFW Module is considered a firewall device directly connected to the switch through internal Ethernet interfaces.

The NGFW Module has two internal Ethernet interfaces: GE 1/0/0 and GE 1/0/1.

The numbering rule of internal Ethernet interfaces on the switch is determined by the slot in which the NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 of the switch, as shown in Figure 3, the internal Ethernet interfaces used by the switch are XGE 1/0/0 and XGE 1/0/1.

Figure 3 Internal Ethernet interface numbering  

    

1.2 Configuration Example

This example shows how to configure the connections on interfaces between NGFW Module and switch and how to redirect traffic to the NGFW Module. For more information about security policy configuration, see the HUAWEI USG6000 Series & NGFW Module V100R001 Administrator Guide.

Configuration Notes

Table 2 Version support

S7700&S9700&S12700 Version Required

NGFW Module Version Required

V200R005C00 and later versions

V100R001C10 and later versions

 

Networking Requirements

Generally, a core switch on a campus network connects to the external network through an upstream router, and an NGFW board is deployed to control access of external network.

The NGFW Module is installed on the core switch to protect traffic between VLAN 301 and VLAN 302.

Two NGFW Modules are deployed on the core switch to work in hot standby mode (load balancing) and improve device reliability. Two NGFW Modules forward traffic at the same time. When an NGFW Module fails, services can be smoothly transferred to another NGFW Module.

Figure 4 PBR-based traffic diversion with load balanced NGFW Modules working in routing mode

  

As shown in the right part of Figure 4, to improve bandwidth and link reliability, bundle the internal Ethernet interfaces between the switch and NGFW Modules. The switch forwards traffic to the NGFW Module through the Eth-Trunk.

Two NGFW Modules are installed in slot 1 and slot 2 of the switch. To understand the traffic forwarding direction, see Figure 5.

Figure 5 Logical networking for load balancing in routed mode (PBR-based traffic diversion)

 

Configuration Roadmap

The configuration roadmap is as follows:

1.       Configure interfaces on the switch connected to the NGFW Modules and links used to transmit traffic to the NGFW Modules.

2.       Configure redirection (PBR) on the switch to forward traffic to the NGFW Modules.

3.       Configure interfaces on the NGFW Modules connected to the switch and links used to transmit traffic to the switch.

4.       Configure hot standby on NGFW Modules.

5.       Create a security policy on NGFW Modules.

 

  • x
  • convention:

All_About_Switch     Created Jun 11, 2015 19:39:58 Helpful(1) Helpful(1)

Procedure

                          Step 1     On the switch: Create VLANs, configure VLANIF interfaces, and assign IP addresses to VLANIF interfaces.

<HUAWEI> system-view

[HUAWEI] vlan batch 301 302 303 304

[HUAWEI] interface GigabitEthernet 3/0/1  //Configure GE3/0/1 as the interface connected to service network 1.

[HUAWEI-GigabitEthernet3/0/1] port link-type trunk

[HUAWEI-GigabitEthernet3/0/1] port trunk allow-pass vlan 301

[HUAWEI-GigabitEthernet3/0/1] quit

[HUAWEI] interface vlanif301  //Configure VLANIF301 as the downstream gateway to connect to network segment 10.10.10.0.

[HUAWEI-vlanif301] ip address 10.10.10.1 24

[HUAWEI-vlanif301] quit

[HUAWEI] interface GigabitEthernet 3/0/0  //Configure GE3/0/0 as the interface connected to service network 2.

[HUAWEI-GigabitEthernet3/0/0] port link-type trunk

[HUAWEI-GigabitEthernet3/0/0] port trunk allow-pass vlan 302

[HUAWEI-GigabitEthernet3/0/0] quit

[HUAWEI] interface vlanif302  //Configure VLANIF302 as the downstream gateway to connect to network segment 10.10.20.0.

[HUAWEI-vlanif302] ip address 10.10.20.1 24

[HUAWEI-vlanif302] quit

[HUAWEI] interface vlanif303  //Configure VLANIF303 as the VRRP virtual interface for communication between the switch and an NGFW Module.

[HUAWEI-vlanif303] ip address 10.10.1.5 24

[HUAWEI-vlanif303] quit

[HUAWEI] interface vlanif304  //Configure VLANIF304 as the VRRP virtual interface for communication between the switch and NGFW Module.

[HUAWEI-vlanif304] ip address 10.10.2.5 24

[HUAWEI-vlanif304] quit

 

                          Step 2     On the switch: Configure the internal Eth-Trunk between the switch and NGFW Modules.

[HUAWEI] interface Eth-Trunk 1  //Add XGE1/0/0 and XGE1/0/1 connected to NGFW Module 1 to Eth-Trunk1.

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 1/0/0

[HUAWEI-Eth-Trunk1] trunkport XGigabitEthernet 1/0/1

[HUAWEI-Eth-Trunk1] port link-type trunk

[HUAWEI-Eth-Trunk1] port trunk allow-pass vlan 301 302 303 304  //Configure Eth-Trunk1 to transparently transmit traffic from VLAN301-304.

[HUAWEI-Eth-Trunk1] quit

[HUAWEI] interface Eth-Trunk 2  //Add XGE2/0/0 and XGE2/0/1 connected to NGFW Module 2 to Eth-Trunk2.

[HUAWEI-Eth-Trunk2] trunkport XGigabitEthernet 2/0/0

[HUAWEI-Eth-Trunk2] trunkport XGigabitEthernet 2/0/1

[HUAWEI-Eth-Trunk2] port link-type trunk

[HUAWEI-Eth-Trunk2] port trunk allow-pass vlan 301 302 303 304  //Configure Eth-Trunk2 to transparently transmit traffic from VLAN301-304.

[HUAWEI-Eth-Trunk2] quit

                          Step 3     On the switch: Configure traffic policies to redirect traffic transmitted between VLAN 301 and VLAN 302 to the NGFW Modules.

# Create ACLs.

[HUAWEI] acl 3001  //ACL3001 matches traffic from service network 1 to service network 2.

[HUAWEI-acl-adv-3001] rule permit ip source 10.10.10.0 0.0.0.255 destination 10.10.20.0 0.0.0.255

[HUAWEI-acl-adv-3001] quit

[HUAWEI] acl 3002  //ACL3002 matches traffic from service network 2 to service network 1.

[HUAWEI-acl-adv-3002] rule permit ip source 10.10.20.0 0.0.0.255 destination 10.10.10.0 0.0.0.255

[HUAWEI-acl-adv-3002] quit

# Configure traffic classifiers.

[HUAWEI] traffic classifier classifier1

[HUAWEI-classifier-classifier1] if-match acl 3001

[HUAWEI-classifier-classifier1] quit

[HUAWEI] traffic classifier classifier2

[HUAWEI-classifier-classifier2] if-match acl 3002

[HUAWEI-classifier-classifier2] quit

# Configure traffic behaviors to redirect traffic to the virtual IP addresses of the VRRP groups on the NGFW Modules.

[HUAWEI] traffic behavior behavior1 //Redirect traffic to two virtual IP addresses 10.10.1.1 (NGFW Module1) and 10.10.1.2 (NGFW Module2) in hot standby mode.

[HUAWEI-behavior-behavior1] redirect ip-multihop nexthop 10.10.1.1 nexthop 10.10.1.2

[HUAWEI-behavior-behavior1] quit

[HUAWEI] traffic behavior behavior2  //Redirect traffic to two virtual IP addresses 10.10.2.1 (NGFW Module1) and 10.10.2.2 (NGFW Module2) in hot standby mode.

[HUAWEI-behavior-behavior1] redirect ip-multihop nexthop 10.10.2.1 nexthop 10.10.2.2

[HUAWEI-behavior-behavior1] quit

# Apply the traffic policies to the inbound direction of the interfaces.

[HUAWEI] traffic policy policy1  //Redirect traffic from service network 1 to two virtual IP addresses 10.10.1.1 (NGFW Module1) and 10.10.1.2 (NGFW Module2) in hot standby mode.

[HUAWEI-trafficpolicy-policy1] classifier classifier1 behavior behavior1

[HUAWEI-trafficpolicy-policy1] quit

[HUAWEI] traffic policy policy2  //Redirect traffic from service network 2 to two virtual IP addresses 10.10.2.1 (NGFW Module1) and 10.10.2.2 (NGFW Module2) in hot standby mode.

[HUAWEI-trafficpolicy-policy2] classifier classifier2 behavior behavior2

[HUAWEI-trafficpolicy-policy2] quit

[HUAWEI] interface GigabitEthernet 3/0/1  //Apply policy1 to the inbound direction on the interface connected to service network 1.

[HUAWEI-GigabitEthernet3/0/1] traffic-policy policy1 inbound

[HUAWEI-GigabitEthernet3/0/1] quit

[HUAWEI] interface GigabitEthernet 3/0/0  //Apply policy2 to the inbound direction on the interface connected to service network 2.

[HUAWEI-GigabitEthernet3/0/0] traffic-policy policy2 inbound

[HUAWEI-GigabitEthernet3/0/0] quit

                          Step 4     Log in to the CLI of the NGFW Module from the switch.

# In any view, run the connect slot slot-num command.

[HUAWEI] connect slot 1

******************************************************

*              Slot  1 output to mainboard           *

******************************************************

Press Ctrl+D to quit

Press Enter. You are redirected to the NGFW Module CLI.

 

                          Step 5     On each NGFW Module: Bundle the internal Ethernet interfaces into an Eth-Trunk. Create two Layer 3 sub-interfaces to separately terminate VLAN 303 and VLAN 304. Add the sub-interfaces to security zones.

# The configurations on the two NGFW Modules are the same, except the IP addresses. The following part provides the configuration on one NGFW Module.

# Create an Eth-Trunk.

<sysname> system-view

[sysname] interface Eth-Trunk 1  //Add GE1/0/0 and GE1/0/1 connected to the switch to Eth-Trunk1.

[sysname-Eth-Trunk1] quit

[sysname] interface GigabitEthernet 1/0/0

[sysname-GigabitEthernet1/0/0] Eth-Trunk 1

[sysname-GigabitEthernet1/0/0] quit

[sysname] interface GigabitEthernet 1/0/1

[sysname-GigabitEthernet1/0/1] Eth-Trunk 1

[sysname-GigabitEthernet1/0/1] quit

# Configure Eth-Trunk sub-interfaces.

NOTE:

After receiving a packet from VLAN 301, the switch searches the routing table, changes the VLAN ID to 303, and forwards the packet to an NGFW Module. The NGFW Module processes the packet, searches the routing table, and sends the packet back to the switch. To be specific, Eth-Trunk 1.1 terminates VLAN 303; Eth-Trunk 1.2 terminates VLAN 304.

[sysname] interface Eth-Trunk 1.1  //Connect Eth-Trunk1.1 to the VLANIF303 of the switch and terminate VLAN303.

[sysname-Eth-Trunk1.1] vlan-type dot1q 303

[sysname-Eth-Trunk1.1] ip address 10.10.1.3 24

[sysname-Eth-Trunk1.1] quit

[sysname] interface Eth-Trunk 1.2  //Connect Eth-Trunk1.2 to the VLANIF304 of the switch and terminate VLAN304.

[sysname-Eth-Trunk1.2] vlan-type dot1q 304

[sysname-Eth-Trunk1.2] ip address 10.10.2.3 24

[sysname-Eth-Trunk1.2] quit

# Add Eth-Trunk sub-interfaces to Trust and Untrust zones separately.

[sysname] firewall zone Trust  //Add Eth-Trunk1.1 to the Trust zone.

[sysname-zone-trust] add interface Eth-Trunk 1.1

[sysname-zone-trust] quit

[sysname] firewall zone Untrust  //Add Eth-Trunk1.2 to the Untrust zone.

[sysname-zone-untrust] add interface Eth-Trunk 1.2

[sysname-zone-untrust] quit

                          Step 6     On each NGFW Module: Configure static routes.

# Configure two static routes on each NGFW Module to forward traffic back to the switch.

[sysname] ip route-static 10.10.10.0 24 10.10.1.5  //Configure VLANIF303 of the switch as the next hop for packets with destination IP address 10.10.10.0.

[sysname] ip route-static 10.10.20.0 24 10.10.2.5  //Configure VLANIF304 of the switch as the next hop for packets with destination IP address 10.10.20.0.

                          Step 7     On NGFW Modules: Configure VRRP groups working in load balancing mode.

# On one NGFW Module, configure two VRRP groups and add downstream interface Eth-Trunk 1.1 to the two VRRP groups.

NGFW Module 1 is the active in VRRP group VRID1 and standby in VRRP group VRID2.

[sysname] interface Eth-Trunk 1.1 

[sysname-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.10.1.1 active

[sysname-Eth-Trunk1.1] vrrp vrid 2 virtual-ip 10.10.1.2 standby

[sysname-Eth-Trunk1.1] quit

# On one NGFW Module, configure two VRRP groups and add upstream interface Eth-Trunk 1.2 to the two VRRP groups.

NGFW Module 1 is the active in VRRP group VRID3 and standby in VRRP group VRID4.

[sysname] interface Eth-Trunk 1.2

[sysname-Eth-Trunk1.1] vrrp vrid 3 virtual-ip 10.10.2.1 active

[sysname-Eth-Trunk1.1] vrrp vrid 4 virtual-ip 10.10.2.2 standby

[sysname-Eth-Trunk1.1] quit

# On the other NGFW Module, configure two VRRP groups and add downstream interface Eth-Trunk 1.1 to the two VRRP groups.

NGFW Module 2 is the standby in VRRP group VRID1 and active in VRRP group VRID2.

[sysname] interface Eth-Trunk 1.1

[sysname-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.10.1.1 standby

[sysname-Eth-Trunk1.1] vrrp vrid 2 virtual-ip 10.10.1.2 active

[sysname-Eth-Trunk1.1] quit

# On the other NGFW Module, configure two VRRP groups and add upstream interface Eth-Trunk 1.2 to the two VRRP groups.

NGFW Module 2 is the standby in VRRP group VRID3 and active in VRRP group VRID4.

[sysname] interface Eth-Trunk 1.2

[sysname-Eth-Trunk1.1] vrrp vrid 3 virtual-ip 10.10.2.1 standby

[sysname-Eth-Trunk1.1] vrrp vrid 4 virtual-ip 10.10.2.2 active

[sysname-Eth-Trunk1.1] quit

                          Step 8     On NGFW Modules: Configure heartbeat interfaces.

NOTE:

        The IP addresses of heartbeat interfaces on the NGFW Modules must be in the same network segment.

        The Eth-Trunk member interfaces on the NGFW Modules must be the same.

# Configure a heartbeat interface on one NGFW Module. In this example, two GE interfaces are bundled into an Eth-Trunk.

[sysname] interface Eth-Trunk 0  //Bundle GE0/0/1 and GE0/0/2 on the panel of NGFW Module1 into an Eth-Trunk, which functions as the heartbeat interface and backup channel.

[sysname-Eth-Trunk0] ip address 192.168.10.1 24

[sysname-Eth-Trunk0] quit

[sysname] interface GigabitEthernet 0/0/1

[sysname-GigabitEthernet0/0/1] Eth-Trunk 0

[sysname-GigabitEthernet0/0/1] quit

[sysname] interface GigabitEthernet 0/0/2

[sysname-GigabitEthernet0/0/2] Eth-Trunk 0

[sysname-GigabitEthernet0/0/2] quit

# # Configure a heartbeat interface on the other NGFW Module.

[sysname] interface Eth-Trunk 0  //Bundle GE0/0/1 and GE0/0/2 on the panel of NGFW Module2 into an Eth-Trunk, which functions as the heartbeat interface and backup channel.

[sysname-Eth-Trunk0] ip address 192.168.10.2 24

[sysname-Eth-Trunk0] quit

[sysname] interface GigabitEthernet 0/0/1

[sysname-GigabitEthernet0/0/1] Eth-Trunk 0

[sysname-GigabitEthernet0/0/1] quit

[sysname] interface GigabitEthernet 0/0/2

[sysname-GigabitEthernet0/0/2] Eth-Trunk 0

[sysname-GigabitEthernet0/0/2] quit

# Add the heartbeat interfaces to the DMZ.

[sysname] firewall zone DMZ

[sysname-zone-dmz] add interface Eth-Trunk 0

[sysname-zone-dmz] quit

# Specify the heartbeat interface in the system view.

[sysname] hrp interface Eth-Trunk 0

                          Step 9     On NGFW Modules: Enable hot standby in load balancing mode.

[sysname] hrp loadbalance-device

[sysname] hrp enable

NOTE:

If NAT is enabled on the NGFW Module, run the hrp nat ports-segment primary and hrp nat ports-segment secondary commands separately on two NGFW Modules to prevent port conflicts.

                       Step 10     On one NGFW Module: Configure security zones.

NOTE:

        After hot standby is enabled, the configuration on one NGFW Module is automatically backed up to the other. Therefore, configure security policies only on one NGFW Module.

        To verify the deployment effect, configure the security policies to allow all traffic of VLAN 301 and VLAN 302 to pass. After the verification is complete, configure more refined security policies.

[sysname] security-policy

[sysname-policy-security] rule name policy1

[sysname-policy-security-rule-policy1] source-zone trust

[sysname-policy-security-rule-policy1] destination-zone untrust

[sysname-policy-security-rule-policy1] action permit

[sysname-policy-security-rule-policy1] quit

[sysname-policy-security] rule name policy2

[sysname-policy-security-rule-policy2] source-zone untrust

[sysname-policy-security-rule-policy2] destination-zone trust

[sysname-policy-security-rule-policy2] action permit

[sysname-policy-security-rule-policy2] quit

[sysname-policy-security] quit

----END

Follow-up Procedure

1.      Perform the ping operation to verify network connectivity. If the ping operation fails, check configurations.

2.      Run the shutdown command on one NGFW Module to disable one Eth-Trunk and check the hot standby status and service status. Then, restart the Eth-Trunk.

3.      Configure refined security policies and services based on service requirements.

1.3 Summary

Each NGFW Module deployment solution involves three elements: traffic diversion on the switch, interfaces used by the NGFW Module to communicate with the switch, and NGFW Module working mode.

Switch Traffic Diversion Modes

To use the NGFW Module for security functions, divert traffic from the switch to the NGFW Module, so that the switch can exchange data with the NGFW Module.

l   VLAN-based traffic diversion: VLANs are configured on the switch and NGFW Module. Interfaces that need to communicate with each other are added to the same VLAN for Layer 2 interconnection.

l   Redirection traffic diversion: Traffic policies are configured on the switch to redirect traffic to be checked to the NGFW Module. After security detection on the NGFW Module, the traffic is injected back to the switch through an interface pair.

l   PBR-based traffic diversion: PBR is configured on the switch to divert traffic to be checked to the NGFW Module. After security detection on the NGFW Module, the traffic is injected back to the switch through a static route.

Interface Selection

You can use interfaces and sub-interfaces on the NGFW Module to communicate with the switch. The NGFW Module can send and receive packets through the same interface.

To improve interface bandwidth and link reliability, you are advised to bundle internal Ethernet interfaces into an Eth-Trunk and use the Eth-Trunk or its sub-interfaces to communicate with the switch.

NGFW Module Working Modes

The NGFW Module works in either of the following modes:

l   Routed mode: Interfaces work at Layer 3.

l   Interface pair mode: Interfaces work at Layer 2 and form interface pairs. Packets enter the NGFW Module through one interface and are sent through the other in the pair. In this mode, the NGFW Module forwards packets without searching the MAC table.

 

For more information about NGFW Module deployment, see the HUAWEI NGFW Module V100R001 Deployment Guide.

★★★Summary★★★ All About Huawei Switch Features and Configurations

This article contains more resources

You need to log in to download or view. No account?Register

x
  • x
  • convention:

johnston78     Created Jun 23, 2015 15:54:39 Helpful(1) Helpful(1)


Yes, i was also facing the same problem with this but i have used Acronis from long time but nowadays i am actually using a new software that is "Ahsay software" i am basically using this software from last month only. But trust me i am really satisfied with this software. So you can also try using this software. Just Google it if you get some issues with reaching this software.

  • x
  • convention:

Responses

Reply
You need to log in to reply to the post Login | Register

Notice:To ensure the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but not limited to politically sensitive content, content concerning pornography, gambling, drug abuse and trafficking, content that may disclose or infringe upon others' intellectual properties, including commercial secrets, trade marks, copyrights, and patents, and personal privacy. Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see“ Privacy Policy.”
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Fast reply Scroll to top