Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches


Background

The IPS module is a card providing the intrusion defense function. It provides intrusion defense, antivirus, and anti-DDoS for IP networks.

The NGFW module functions as a next-generation firewall that provides the firewall, NAT, and VPN functions for IP networks.

There are many ways to deploy IPS modules and NGFW modules. This section describes two typical methods, as listed in Table 1-30.

Table 1-30  Deploying IPS modules and NGFW modules on switches

| Method | Description |
| --- | --- |
| Deploying IPS modules and NGFW modules on a Layer 2 dual-node system and importing flows through redirection | The NGFW modules work in the interface pair mode, and the flows from switches are received by a Layer 2 Eth-Trunk. The IP address of the firewall subinterface is the gateway address for upstream and downstream networks. |
| Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing | The NGFW modules work in the routing mode, and the flows from switches are received by a Layer 3 Eth-Trunk subinterface. The VLANIF interface address on a switch is the gateway address for upstream and downstream networks. |

Table 1-31 lists the products and versions to which this configuration example is applicable.

Table 1-31  Applicable products and versions

| Product Model | Software Version |
| --- | --- |
| S7700&S9700&S12700 | V200R007 and later versions |
| IPS Module | V100R001C30 |
| NGFW Module | V100R001C30 |

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Two S12700s are deployed on a network shown in Figure 1-30. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules and NGFW modules work at Layer 2. That is, they access the network transparently.

The customer has the following requirements:

  • The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
  • The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
  • The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 1-31 shows the flow directions.

NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 1-30  Deploying IPS module and NGFW module on a Layer 2 dual-node system and importing flows through redirection

Figure 1-31  Flow direction

Data Plan

Table 1-32, Table 1-33, and Table 1-34 provide the data plan.

Table 1-32  Data plan for link aggregation

| Device | Interface Number | Interface Description | Member Interface |
| --- | --- | --- | --- |
| S12700 cluster | Eth-trunk100 | Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1 |
| S12700 cluster | Eth-trunk101 | Connected to NGFW Module_A and NGFW Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, XGE2/4/0/1 |
| NGFW Module_A | Eth-trunk0 | Connected to NGFW Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
| NGFW Module_A | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
| NGFW Module_B | Eth-trunk0 | Connected to NGFW Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
| NGFW Module_B | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
| IPS Module_A | Eth-trunk0 | Connected to IPS Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
| IPS Module_A | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
| IPS Module_B | Eth-trunk0 | Connected to IPS Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
| IPS Module_B | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |

Table 1-33  VLAN plan

| Data | Remarks |
| --- | --- |
| 100, 300 | Server VLANs |
| 101 to 126 | Client VLANs |
| 2001 | Extranet VLAN |

Table 1-34  IP address plan

| Device | Data | Remarks |
| --- | --- | --- |
| S12700 cluster | VLANIF 100: 10.55.0.1/24; VLANIF 300: 10.55.200.1/24 | Server-side gateway |
| S12700 cluster | VLANIF 101: 10.55.1.1/24; VLANIF 102: 10.55.2.1/24; ...; VLANIF 126: 10.55.26.1/24 | Client-side gateway |
| S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway |
| IPS Module_A | Eth-trunk 0: 192.168.213.5/30 | HRP interface |
| IPS Module_B | Eth-trunk 0: 192.168.213.6/30 | HRP interface |
| NGFW Module_A | Eth-trunk 0: 192.168.213.1/30 | HRP interface |
| NGFW Module_B | Eth-trunk 0: 192.168.213.2/30 | HRP interface |

Configuration Roadmap
  1. Configure interfaces on NGFW Module_A and NGFW Module_B and set basic parameters.
  2. Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby system working in load balancing mode.
  3. Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
  4. Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
  5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
  6. Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
  7. Configure the two S12700s as a cluster.
  8. Implement connectivity between the S12700 cluster, the NGFW modules, and the IPS modules.
  9. Configure a traffic policy on the S12700 cluster and apply the policy to interfaces to implement redirection.

Procedure

  1. Configure interfaces on NGFW modules and set basic parameters.

    # Log in to the CLI of NGFW Module_A from Switch_A.

    <sysname> connect slot 4
    NOTE:

    To return to the CLI of the switch, press Ctrl+D.

    # Set the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname NGFW Module_A

    # Create VLANs on NGFW Module_A.

    [NGFW Module_A] vlan batch 100 to 126 300 2001 

    # Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from upstream and downstream VLANs to pass.

    [NGFW Module_A] interface Eth-Trunk 1
    [NGFW Module_A-Eth-Trunk1] description To-master-trunk101
    [NGFW Module_A-Eth-Trunk1] portswitch
    [NGFW Module_A-Eth-Trunk1] port link-type trunk
    [NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1
    [NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
    [NGFW Module_A-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

    NOTE:

    Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

    [NGFW Module_A] interface GigabitEthernet 1/0/0
    [NGFW Module_A-GigabitEthernet1/0/0] portswitch
    [NGFW Module_A-GigabitEthernet1/0/0] port link-type access
    [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/0] quit
    [NGFW Module_A] interface GigabitEthernet 1/0/1
    [NGFW Module_A-GigabitEthernet1/0/1] portswitch
    [NGFW Module_A-GigabitEthernet1/0/1] port link-type access
    [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/1] quit

    # Create Eth-Trunk 1 interface pair on NGFW Module_A.

    [NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1 

    # Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [NGFW Module_A] interface Eth-Trunk 0
    [NGFW Module_A-Eth-Trunk0] description hrp-interface
    [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
    [NGFW Module_A-Eth-Trunk0] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/1
    [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/1] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/2
    [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_A to the security zone.

    [NGFW Module_A] firewall zone trust
    [NGFW Module_A-zone-trust] set priority 85
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_A-zone-trust] quit
    [NGFW Module_A] firewall zone name hrp
    [NGFW Module_A-zone-hrp] set priority 75
    [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_A-zone-hrp] quit

    # Log in to the CLI of NGFW Module_B from Switch_B.

    <sysname> connect slot 4

    # Set the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname NGFW Module_B

    # Create VLANs on NGFW Module_B.

    [NGFW Module_B] vlan batch 100 to 126 300 2001 

    # Create Layer 2 Eth-Trunk 1 on NGFW Module_B, switch to the interface pair mode, and allow the packets from upstream and downstream VLANs to pass.

    [NGFW Module_B] interface Eth-Trunk 1
    [NGFW Module_B-Eth-Trunk1] description To-master-trunk101
    [NGFW Module_B-Eth-Trunk1] portswitch
    [NGFW Module_B-Eth-Trunk1] port link-type trunk
    [NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1
    [NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
    [NGFW Module_B-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

    [NGFW Module_B] interface GigabitEthernet 1/0/0
    [NGFW Module_B-GigabitEthernet1/0/0] portswitch
    [NGFW Module_B-GigabitEthernet1/0/0] port link-type access
    [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/0] quit
    [NGFW Module_B] interface GigabitEthernet 1/0/1
    [NGFW Module_B-GigabitEthernet1/0/1] portswitch
    [NGFW Module_B-GigabitEthernet1/0/1] port link-type access
    [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/1] quit

    # Create Eth-Trunk 1 interface pair on NGFW Module_B.

    [NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1 

    # Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [NGFW Module_B] interface Eth-Trunk 0
    [NGFW Module_B-Eth-Trunk0] description hrp-interface
    [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
    [NGFW Module_B-Eth-Trunk0] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/1
    [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/1] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/2
    [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_B to the security zone.

    [NGFW Module_B] firewall zone trust
    [NGFW Module_B-zone-trust] set priority 85
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_B-zone-trust] quit
    [NGFW Module_B] firewall zone name hrp
    [NGFW Module_B-zone-hrp] set priority 75
    [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_B-zone-hrp] quit

  2. Configure hot standby for NGFW modules.

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

    [NGFW Module_A] hrp mirror session enable
    [NGFW Module_A] hrp interface Eth-Trunk 0
    [NGFW Module_A] hrp loadbalance-device
    [NGFW Module_A] hrp enable

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

    [NGFW Module_B] hrp mirror session enable
    [NGFW Module_B] hrp interface Eth-Trunk 0
    [NGFW Module_B] hrp loadbalance-device
    [NGFW Module_B] hrp enable

  3. Configure the security service on the NGFW modules.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

    # Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

    HRP_M[NGFW Module_A] security-policy
    HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
    HRP_M[NGFW Module_A-policy-security] quit

  4. Configure interfaces on IPS modules and set basic parameters.
    1. Log in to the web UI through an Ethernet interface.

      1. Set up a physical connection between the management PC and an IPS module.
      2. Open the browser on the management PC and access https://192.168.0.1:8443.
      3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
      4. Change the password, click OK, and enter the web system.

    2. Choose Network > Interface, click the edit icon of interface GE1/0/0, and set the connection type of GE1/0/0 to access.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

      [Figure omitted]

    3. Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to access.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

      [Figure omitted]

    4. Click Add, and configure Eth-Trunk 1.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

      [Figure omitted]

    5. Choose Network > Interface Pair, click Add, and configure an interface pair.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

      [Figure omitted]

    6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.

      NOTE:
      • The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
      • The Eth-Trunk member interfaces on the IPS Modules must be the same.

      Configure a heartbeat interface on one IPS Module.

      [Figure omitted]

      Configure a heartbeat interface on the other IPS Module.

      [Figure omitted]

    7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.

      The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.

      [Figure omitted]

  5. Configure the IPS security service, for example, antivirus.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.

    1. Choose Object > Security Profiles > Anti-Virus.
    2. Click Add and set the parameters as follows:

      [Figure omitted]

    3. Click OK.
    4. Repeat the previous steps to set the parameters of the AV_ftp profile.

      [Figure omitted]

  6. Configure a security policy for the outbound direction.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    1. Choose Policy > Security Policy.
    2. Click Add.
    3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:

      | Parameter | Value |
      | --- | --- |
      | Name | policy_av_1 |
      | Description | Intranet-User |
      | Interface Pair | Select Eth-Trunk1->Eth-Trunk1 from the drop-down list. |
      | Action | permit |
      | Content Security: Anti-Virus | AV_http_pop3 |

  7. Configure the security policy in the direction from the external to internal servers.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.

    | Parameter | Value |
    | --- | --- |
    | Name | policy_av_2 |
    | Description | Intranet-Server |
    | Interface Pair | Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list. |
    | Action | permit |
    | Content Security: Anti-Virus | AV_ftp |

  8. Configure the two S12700s as a cluster.

    1. Connect cluster cables. For details, see Switch Cluster Setup Guide.

      Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.

      # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_A
      [Switch_A] set css priority 100

      # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_B
      [Switch_B] set css id 2
      [Switch_B] set css priority 10

      # Check the cluster configuration.

      Run the display css status saved command to check whether the configurations are as expected.

      Check the cluster configuration on Switch_A.

      [Switch_A] display css status saved
        Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
        1            1            Off          CSS card    100         Off

      Check the cluster configuration on Switch_B.

      [Switch_B] display css status saved
        Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
        1            2            Off          CSS card    10          Off
    2. Enable the cluster function.

      # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.

      [Switch_A] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable the cluster function on Switch_B and restart Switch_B.

      [Switch_B] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
    3. Check whether the cluster is set up successfully.

      # View the indicator status.

      The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.

      The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.

      # Log in to the cluster through the console port on any MPU to check the cluster status.

      [Switch_A] display css status
      CSS Enable switch On
        Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
        1            On           Master          CSS card    100         Off
        2            On           Standby         CSS card    10          Off

      The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.

      # Check whether cluster links work normally.

      [Switch_A] display css channel

      The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.

    4. Set the cluster system name to CSS.

      [Switch_A] sysname CSS
      [CSS]

  9. Configure the interfaces and VLAN IDs on switches.
    1. Create VLANs.

      [CSS] vlan batch 100 to 126 128 300 2001

    2. Configure upstream and downstream interfaces.

      [CSS] interface GigabitEthernet 1/6/0/36  //Connected to server
      [CSS-GigabitEthernet1/6/0/36] port link-type trunk
      [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0  //Connected to extranet
      [CSS-GigabitEthernet2/3/0/0] port link-type trunk
      [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36  //Connected to client
      [CSS-GigabitEthernet2/3/0/36] port link-type trunk
      [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
      [CSS-GigabitEthernet2/3/0/36] quit

    3. Configure VLANIF interfaces. Of the client VLANs, only VLAN 101, VLAN 102, and VLAN 126 are shown in this example.

      [CSS] interface vlanif 2001
      [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
      [CSS-Vlanif2001] quit
      [CSS] interface vlanif 100
      [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
      [CSS-Vlanif100] quit
      [CSS] interface vlanif 300
      [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
      [CSS-Vlanif300] quit
      [CSS] interface vlanif 101
      [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
      [CSS-Vlanif101] quit
      [CSS] interface vlanif 102
      [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
      [CSS-Vlanif102] quit
      [CSS] interface vlanif 126
      [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
      [CSS-Vlanif126] quit

    4. Add the four interfaces connected to the NGFW module to Eth-Trunk 101 and the four interfaces connected to the IPS module to Eth-Trunk 100.

      [CSS] interface eth-trunk 101
      [CSS-Eth-Trunk101] description to-ngfw
      [CSS-Eth-Trunk101] port link-type trunk
      [CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
      [CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
      [CSS-Eth-Trunk101] mac-address learning disable
      [CSS-Eth-Trunk101] stp disable
      [CSS-Eth-Trunk101] quit
      [CSS] interface eth-trunk 100
      [CSS-Eth-Trunk100] description to-ips
      [CSS-Eth-Trunk100] port link-type trunk
      [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
      [CSS-Eth-Trunk100] mac-address learning disable
      [CSS-Eth-Trunk100] stp disable
      [CSS-Eth-Trunk100] quit

    5. Set the load balancing mode on Eth-Trunks.

      [CSS] load-balance-profile sec
      [CSS-load-balance-profile-sec] ipv4 field sip dip
      [CSS-load-balance-profile-sec] quit
      [CSS] interface Eth-Trunk 101
      [CSS-Eth-Trunk101] load-balance enhanced profile sec
      [CSS-Eth-Trunk101] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] load-balance enhanced profile sec
      [CSS-Eth-Trunk100] quit

    6. Configure port isolation on the interfaces between the NGFW/IPS module and switches.

      [CSS] interface Eth-Trunk 101
      [CSS-Eth-Trunk101] port-isolate enable group 1
      [CSS-Eth-Trunk101] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] port-isolate enable group 1
      [CSS-Eth-Trunk100] quit

    7. Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/36] quit

    8. Configure traffic policies and bind them to interfaces to implement redirection.

      # Create ACLs.

      [CSS] acl 3010  //Match the flows sent from clients
      [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3010] quit
      [CSS] acl 3011  //Match the flows destined for clients
      [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3011] quit
      [CSS] acl 3020  //Match the flows sent from servers
      [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3020] quit
      [CSS] acl 3021  //Match the flows destined for servers
      [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3021] quit
      [CSS] acl 3012  //Match inter-client flows within a subnet
      [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3012] quit
      [CSS] acl 3022  //Match inter-server flows within a subnet
      [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3022] quit

      # Configure traffic classifiers.

      [CSS] traffic classifier from-office operator or precedence 80
      [CSS-classifier-from-office] if-match acl 3010
      [CSS-classifier-from-office] quit
      [CSS] traffic classifier to-office operator or precedence 85
      [CSS-classifier-to-office] if-match acl 3011
      [CSS-classifier-to-office] quit
      [CSS] traffic classifier from-server operator or precedence 75
      [CSS-classifier-from-server] if-match acl 3020
      [CSS-classifier-from-server] quit
      [CSS] traffic classifier to-server operator or precedence 60
      [CSS-classifier-to-server] if-match acl 3021
      [CSS-classifier-to-server] quit
      [CSS] traffic classifier office-office operator or precedence 40
      [CSS-classifier-office-office] if-match acl 3012
      [CSS-classifier-office-office] quit
      [CSS] traffic classifier server-server operator or precedence 65
      [CSS-classifier-server-server] if-match acl 3022
      [CSS-classifier-server-server] quit

      # Configure traffic behaviors.

      [CSS] traffic behavior behavior1
      [CSS-behavior-behavior1] permit
      [CSS-behavior-behavior1] quit
      [CSS] traffic behavior to-eth-trunk100
      [CSS-behavior-to-eth-trunk100] permit
      [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100
      [CSS-behavior-to-eth-trunk100] quit
      [CSS] traffic behavior to-eth-trunk101
      [CSS-behavior-to-eth-trunk101] permit
      [CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101
      [CSS-behavior-to-eth-trunk101] quit

      # Bind traffic policies to interfaces.

      [CSS] traffic policy ips-to-fw match-order config
      [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101
      [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101
      [CSS-trafficpolicy-ips-to-fw] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS module to the NGFW module
      [CSS-Eth-Trunk100] quit
      [CSS] traffic policy internet-in match-order config
      [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
      [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module
      [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101  //Redirect the flows from extranet to clients to the NGFW module
      [CSS-trafficpolicy-internet-in] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] traffic policy office-out match-order config
      [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet
      [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module
      [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
      [CSS-trafficpolicy-office-out] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
      [CSS-GigabitEthernet2/3/0/36] quit
      [CSS] traffic policy server-out match-order config
      [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet
      [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
      [CSS-trafficpolicy-server-out] quit
      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
      [CSS-GigabitEthernet1/6/0/36] quit
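The redirection above is easy to get subtly wrong: the policies use match-order config, so the order of the classifier statements decides whether a packet is switched directly, sent to the IPS module, or sent to the NGFW module, and a packet that comes back from the IPS module on Eth-Trunk 100 is classified a second time by ips-to-fw. The following Python model is an added illustration, not Huawei code and not part of the original example; it reproduces the ACLs, classifiers, behaviors and inbound bindings from the configuration above and walks sample flows through the cluster so the resulting path can be compared with the customer requirements. It assumes (not stated as such on the page) that each module is transparent and hands a packet back inbound on the same Eth-Trunk it was redirected to, and that a packet matching no classifier is forwarded normally. The host addresses in the sample flows are constructed values.

```python
from ipaddress import IPv4Address

ANY = None  # no source or destination constraint in an ACL rule


def _wildcard_match(ip, net, wildcard):
    """Huawei ACL semantics: a 1 bit in the wildcard mask means 'do not care'."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(net)) & care)


def _src(net): return (net, "0.0.0.255", ANY, ANY)            # rule N permit ip source net 0.0.0.255
def _dst(net): return (ANY, ANY, net, "0.0.0.255")            # rule N permit ip destination net 0.0.0.255
def _pair(net): return (net, "0.0.0.255", net, "0.0.0.255")   # source and destination in the same /24


CLIENT_NETS = ["10.55.1.0", "10.55.2.0", "10.55.26.0"]   # the client VLANs shown in the example
SERVER_NETS = ["10.55.0.0", "10.55.200.0"]

# ACL number -> permit rules as (src net, src wildcard, dst net, dst wildcard), in rule order
ACLS = {
    3010: [_src(n) for n in CLIENT_NETS],   # flows sent from clients
    3011: [_dst(n) for n in CLIENT_NETS],   # flows destined for clients
    3020: [_src(n) for n in SERVER_NETS],   # flows sent from servers
    3021: [_dst(n) for n in SERVER_NETS],   # flows destined for servers
    3012: [_pair(n) for n in CLIENT_NETS],  # inter-client flows within a subnet
    3022: [_pair(n) for n in SERVER_NETS],  # inter-server flows within a subnet
}

CLASSIFIERS = {"from-office": 3010, "to-office": 3011, "from-server": 3020,
               "to-server": 3021, "office-office": 3012, "server-server": 3022}

# behavior -> redirect target; None is a plain permit, i.e. the switch forwards the packet itself
BEHAVIORS = {"behavior1": None,
             "to-eth-trunk100": "Eth-Trunk100", "to-eth-trunk101": "Eth-Trunk101"}

# traffic policy -> (classifier, behavior) in configuration order; match-order config = first hit wins
POLICIES = {
    "ips-to-fw": [("to-server", "to-eth-trunk101"), ("from-server", "to-eth-trunk101")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk101")],
    "office-out": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                   ("from-office", "to-eth-trunk101")],
    "server-out": [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}

# inbound bindings from the configuration; Eth-Trunk 101 has none, so packets coming
# back from the NGFW module are switched normally
BINDINGS = {
    "Eth-Trunk100": "ips-to-fw",              # packets coming back from the IPS module
    "GigabitEthernet2/3/0/0": "internet-in",  # extranet-facing port
    "GigabitEthernet2/3/0/36": "office-out",  # client-facing port
    "GigabitEthernet1/6/0/36": "server-out",  # server-facing port
}
MODULE = {"Eth-Trunk100": "IPS", "Eth-Trunk101": "NGFW"}


def acl_permits(acl, src, dst):
    """True if any rule of the ACL matches the (src, dst) pair."""
    for snet, swild, dnet, dwild in ACLS[acl]:
        if snet is not ANY and not _wildcard_match(src, snet, swild):
            continue
        if dnet is not ANY and not _wildcard_match(dst, dnet, dwild):
            continue
        return True
    return False


def inbound_redirect(port, src, dst):
    """Redirect target chosen by the policy bound inbound on port, or None."""
    policy = BINDINGS.get(port)
    if policy is None:
        return None
    for classifier, behavior in POLICIES[policy]:
        if acl_permits(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return None  # no classifier matched: implicit permit, normal forwarding


def inspection_path(ingress, src, dst):
    """Modules the packet passes through, in order, before the cluster forwards it."""
    path, port = [], ingress
    while True:
        target = inbound_redirect(port, src, dst)
        if target is None or target in path:  # no redirect, or a loop (not expected here)
            return [MODULE[t] for t in path]
        path.append(target)
        # assumption: the module is transparent and hands the packet back inbound on the same Eth-Trunk
        port = target


if __name__ == "__main__":
    cases = [  # constructed sample flows, one per customer requirement
        ("client -> client, same subnet", "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),
        ("client -> client, other subnet", "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.2.20"),
        ("client -> server", "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.5"),
        ("server -> server, other subnet", "GigabitEthernet1/6/0/36", "10.55.0.5", "10.55.200.6"),
        ("extranet -> client", "GigabitEthernet2/3/0/0", "198.51.100.7", "10.55.1.10"),
        ("extranet -> server", "GigabitEthernet2/3/0/0", "198.51.100.7", "10.55.0.5"),
    ]
    for label, port, src, dst in cases:
        print(f"{label:32} {' -> '.join(inspection_path(port, src, dst)) or 'switched directly'}")
```

Running the script lists, for each sample flow, the chain of modules it traverses; a flow that prints "switched directly" never leaves the cluster. Reordering the classifier statements in POLICIES (for example putting from-office before to-server in office-out) immediately shows client-to-server traffic skipping the IPS module, which is the kind of ordering mistake this model is meant to catch before the configuration is committed.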

  10. Verify the configuration.

    # Check the configuration of S12700 cluster.

    [CSS] display device
    Chassis 1 (Master Switch) S12708's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
          1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    Chassis 2 (Standby Switch) S12712's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
          1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    PWR2  -     -               Present   PowerOn    Registered     Normal     NA
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    FAN5  -     -               Present   PowerOn    Registered     Normal     NA

    # Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.

    [IPS Module] display interface brief | include up
    2016/5/31 10:49
    PHY: Physical
    *down: administratively down
    ^down: standby
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%     0%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0

    [NGFW Module_B] display interface brief | include up
    10:56:34  2016/05/31
    PHY: Physical
    *down: administratively down
    ^down: standby
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0

    # Check traffic statistics on interfaces.

    • The traffic statistics between clients and servers are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.15%  0.15%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.60%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%  0.60%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.15%  0.15%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.60%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%  0.60%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0

    • The traffic statistics between clients and extranet are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.12%  0.12%          0          0
        XGigabitEthernet1/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%  0.33%          0          0
        XGigabitEthernet2/4/0/1   up    up        0.50%  0.17%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0

    • The traffic statistics between servers and extranet are correct.

      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk101                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0

Configuration Files
  • NGFW module configuration files

    NGFW Module_A:

    #
    sysname NGFW Module_A
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.1 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk101
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    return

    NGFW Module_B:

    #
    sysname NGFW Module_B
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.2 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk101
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    return
  • IPS module configuration files

    IPS Module_A:

    #
    sysname IPS Module_A
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.5 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return

    IPS Module_B:

    #
    sysname IPS Module_B
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.6 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return
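    The two IPS module files above differ only in sysname and in the heartbeat address, and the hot-standby pairing relies on exactly that: heartbeat addresses in one network segment and identical Eth-Trunk membership on both modules. The following Python script is an added example (not part of this Huawei guide) that checks a pair of VRP-style configuration files for those properties. The IPS_A excerpt is constructed from the IPS Module_A file above; IPS_B_BAD is a deliberately inconsistent peer built for the demonstration, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the IPS Module_A configuration file (the blocks the
# hot-standby pairing depends on). IPS Module_B differs only in sysname and
# heartbeat address, as the page's own files do.
IPS_A = """\
#
sysname IPS Module_A
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
interface Eth-Trunk 0
 ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
return
"""
IPS_B = IPS_A.replace("IPS Module_A", "IPS Module_B").replace("192.168.213.5 ", "192.168.213.6 ")
# Deliberately broken peer: heartbeat in another segment, GE0/0/2 missing from Eth-Trunk 0.
IPS_B_BAD = (IPS_B.replace("192.168.213.6 ", "192.168.214.6 ")
                  .replace("interface GigabitEthernet 0/0/2\n eth-trunk 0", "interface GigabitEthernet 0/0/2"))


def parse_sections(config):
    """Split a VRP-style file into blocks delimited by '#' lines: {first line: sub-lines}."""
    sections = {}
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.rstrip() for l in block.splitlines() if l.strip()]
        if lines:
            sections[lines[0]] = lines[1:]
    return sections


def interface_address(lines):
    """IPv4 interface from an 'ip address A M' sub-line, or None if the block has none."""
    for line in lines:
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def trunk_members(sections):
    """{Eth-Trunk number: set of physical interfaces bundled into it}."""
    members = {}
    for head, lines in sections.items():
        if head.startswith("interface GigabitEthernet"):
            for line in lines:
                m = re.match(r"\s*eth-trunk (\d+)$", line)
                if m:
                    members.setdefault(int(m.group(1)), set()).add(head.split(" ", 1)[1])
    return members


def compare_hrp_pair(cfg_a, cfg_b):
    """Findings that would break the hot-standby pair; an empty list means the pair is consistent."""
    a, b = parse_sections(cfg_a), parse_sections(cfg_b)
    findings, hb_key = [], None
    hb_a = re.search(r"(?m)^hrp interface (.+)$", cfg_a)
    hb_b = re.search(r"(?m)^hrp interface (.+)$", cfg_b)
    if not hb_a or not hb_b or hb_a.group(1) != hb_b.group(1):
        findings.append("hrp interface missing or not the same on both modules")
    else:
        hb_key = f"interface {hb_a.group(1)}"
        ip_a, ip_b = interface_address(a.get(hb_key, [])), interface_address(b.get(hb_key, []))
        if ip_a is None or ip_b is None:
            findings.append(f"{hb_key}: heartbeat address missing")
        elif ip_a.network != ip_b.network:
            findings.append(f"{hb_key}: {ip_a} and {ip_b} are not in the same network segment")
        elif ip_a.ip == ip_b.ip:
            findings.append(f"{hb_key}: both modules use heartbeat address {ip_a.ip}")
    if trunk_members(a) != trunk_members(b):
        findings.append(f"Eth-Trunk members differ: {trunk_members(a)} vs {trunk_members(b)}")
    no_ip = lambda ls: [l for l in ls if not l.strip().startswith("ip address")]
    for head in sorted(set(a) | set(b)):
        if head.startswith("sysname"):          # the only block allowed to differ entirely
            continue
        la, lb = a.get(head), b.get(head)
        if head == hb_key:                      # heartbeat block may differ only in its address
            la, lb = no_ip(la or []), no_ip(lb or [])
        if la != lb:
            findings.append(f"section '{head}' differs")
    return findings


if __name__ == "__main__":
    print("A vs B:", compare_hrp_pair(IPS_A, IPS_B) or "consistent")
    print("A vs broken B:", compare_hrp_pair(IPS_A, IPS_B_BAD))
```

    Running the script on real exports is a matter of reading two `display current-configuration` outputs into `cfg_a` and `cfg_b`; the `sysname` exemption and the heartbeat-address rule are the only differences the check tolerates, which is what the NOTE in the IPS hot-standby step below requires.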
  • CSS configuration file

    #
    sysname CSS
    #
    vlan batch 100 to 126 128 300 2001
    #
    acl number 3010
     rule 5 permit ip source 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255
    acl number 3011
     rule 5 permit ip destination 10.55.1.0 0.0.0.255
     rule 10 permit ip destination 10.55.2.0 0.0.0.255
     rule 15 permit ip destination 10.55.26.0 0.0.0.255
    acl number 3012
     rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
    acl number 3020
     rule 5 permit ip source 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255
    acl number 3021
     rule 5 permit ip destination 10.55.0.0 0.0.0.255
     rule 10 permit ip destination 10.55.200.0 0.0.0.255
    acl number 3022
     rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
    #
    traffic classifier office-office operator or precedence 40
     if-match acl 3012
    traffic classifier from-office operator or precedence 80
     if-match acl 3010
    traffic classifier from-server operator or precedence 75
     if-match acl 3020
    traffic classifier server-server operator or precedence 65
     if-match acl 3022
    traffic classifier to-office operator or precedence 85
     if-match acl 3011
    traffic classifier to-server operator or precedence 60
     if-match acl 3021
    #
    traffic behavior behavior1
     permit
    traffic behavior to-eth-trunk100
     permit
     redirect interface Eth-Trunk100
    traffic behavior to-eth-trunk101
     permit
     redirect interface Eth-Trunk101
    #
    traffic policy office-out match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier from-office behavior to-eth-trunk101
    traffic policy internet-in match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier to-office behavior to-eth-trunk101
    traffic policy ips-to-fw match-order config
     classifier to-server behavior to-eth-trunk101
     classifier from-server behavior to-eth-trunk101
    traffic policy server-out match-order config
     classifier server-server behavior behavior1
     classifier from-server behavior to-eth-trunk100
    #
    interface Vlanif100
     ip address 10.55.0.1 255.255.255.0
    #
    interface Vlanif101
     ip address 10.55.1.1 255.255.255.0
    #
    interface Vlanif102
     ip address 10.55.2.1 255.255.255.0
    #
    interface Vlanif300
     ip address 10.55.200.1 255.255.255.0
    #
    interface Vlanif2001
     ip address 10.54.1.253 255.255.255.248
    #
    load-balance-profile sec
    #
    interface Eth-Trunk100
     description to-ips
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     traffic-policy ips-to-fw inbound
     load-balance enhanced profile sec
     port-isolate enable group 1
    #
    interface Eth-Trunk101
     description to-ngfw
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     load-balance enhanced profile sec
     port-isolate enable group 1
    #
    interface GigabitEthernet1/6/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 300
     traffic-policy server-out inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/0
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 2001
     traffic-policy internet-in inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 101 to 126
     traffic-policy office-out inbound
     am isolate Eth-Trunk101 Eth-Trunk100
    #
    interface XGigabitEthernet1/4/0/0
     eth-trunk 101
    #
    interface XGigabitEthernet1/4/0/1
     eth-trunk 101
    #
    interface XGigabitEthernet1/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet1/5/0/1
     eth-trunk 100
    #
    interface XGigabitEthernet2/4/0/0
     eth-trunk 101
    #
    interface XGigabitEthernet2/4/0/1
     eth-trunk 101
    #
    interface XGigabitEthernet2/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet2/5/0/1
     eth-trunk 100
    #
    return
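    The redirection logic in the CSS file above is spread over ACLs, classifiers, behaviors and per-interface inbound policies, so it is worth checking as a whole which path each kind of flow actually takes. The following Python script is an added example, not part of this Huawei guide: it models those four layers of the CSS configuration and traces constructed sample flows through successive redirections (a transparent module returns the frame on the Eth-Trunk it arrived on, so each redirect target becomes the next ingress interface). The ingress-interface mapping is taken from the `traffic-policy ... inbound` lines, the sample hosts and the expected paths are assumptions derived from the customer requirements, and the function names are the example's own. Wildcard masks of 0.0.0.255 are written as /24 networks.

```python
import ipaddress

# Constructed model of the CSS configuration file: each ACL rule is
# (source network, destination network); None means "any address".
ACLS = {
    3010: [("10.55.1.0/24", None), ("10.55.2.0/24", None), ("10.55.26.0/24", None)],
    3011: [(None, "10.55.1.0/24"), (None, "10.55.2.0/24"), (None, "10.55.26.0/24")],
    3012: [("10.55.1.0/24", "10.55.1.0/24"), ("10.55.2.0/24", "10.55.2.0/24"),
           ("10.55.26.0/24", "10.55.26.0/24")],
    3020: [("10.55.0.0/24", None), ("10.55.200.0/24", None)],
    3021: [(None, "10.55.0.0/24"), (None, "10.55.200.0/24")],
    3022: [("10.55.0.0/24", "10.55.0.0/24"), ("10.55.200.0/24", "10.55.200.0/24")],
}
CLASSIFIERS = {  # traffic classifier -> ACL it matches
    "office-office": 3012, "from-office": 3010, "from-server": 3020,
    "server-server": 3022, "to-office": 3011, "to-server": 3021,
}
BEHAVIORS = {  # traffic behavior -> redirect target; None is a plain permit
    "behavior1": None,
    "to-eth-trunk100": "Eth-Trunk100",   # towards the IPS modules
    "to-eth-trunk101": "Eth-Trunk101",   # towards the NGFW modules
}
POLICIES = {  # match-order config: classifiers are tried in the configured order
    "office-out":  [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("from-office", "to-eth-trunk101")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk101")],
    "ips-to-fw":   [("to-server", "to-eth-trunk101"), ("from-server", "to-eth-trunk101")],
    "server-out":  [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}
INBOUND = {  # traffic-policy ... inbound per ingress interface; None = no policy
    "GigabitEthernet2/3/0/36": "office-out",    # client VLANs 101 to 126
    "GigabitEthernet1/6/0/36": "server-out",    # server VLANs 100 and 300
    "GigabitEthernet2/3/0/0":  "internet-in",   # extranet VLAN 2001
    "Eth-Trunk100":            "ips-to-fw",     # frames coming back from the IPS modules
    "Eth-Trunk101":            None,            # frames coming back from the NGFW modules
}


def acl_matches(acl, src, dst):
    """True if any rule of the ACL permits the (src, dst) pair."""
    for src_net, dst_net in ACLS[acl]:
        if src_net is not None and src not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and dst not in ipaddress.ip_network(dst_net):
            continue
        return True
    return False


def apply_policy(policy, src, dst):
    """Redirect target of the first matching classifier, or None for normal forwarding."""
    if policy is None:
        return None
    for classifier, behavior in POLICIES[policy]:
        if acl_matches(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return None


def trace_path(ingress, src, dst):
    """Ordered list of Eth-Trunks a flow is redirected through before normal forwarding."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path, iface = [], ingress
    for _ in range(len(INBOUND)):           # bounded: a redirect loop is a config error
        target = apply_policy(INBOUND[iface], src, dst)
        if target is None:
            return path
        path.append(target)
        iface = target
    raise RuntimeError(f"redirect loop for {src} -> {dst}: {path}")


# Constructed sample flows with the path each customer requirement calls for;
# 10.54.1.250 stands for an extranet host in VLAN 2001.
REQUIREMENTS = [
    ("client to client, same subnet",  "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20", []),
    ("client to client, other subnet", "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.2.10", ["Eth-Trunk101"]),
    ("client to extranet",             "GigabitEthernet2/3/0/36", "10.55.1.10", "10.54.1.250", ["Eth-Trunk101"]),
    ("client to server",               "GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.10", ["Eth-Trunk100", "Eth-Trunk101"]),
    ("extranet to server",             "GigabitEthernet2/3/0/0", "10.54.1.250", "10.55.0.10", ["Eth-Trunk100", "Eth-Trunk101"]),
    ("server to server, same subnet",  "GigabitEthernet1/6/0/36", "10.55.0.10", "10.55.0.20", []),
    ("server to server, other subnet", "GigabitEthernet1/6/0/36", "10.55.0.10", "10.55.200.10", ["Eth-Trunk100", "Eth-Trunk101"]),
]


def verify_requirements():
    """Checks whose traced path differs from the expected one; empty means all pass."""
    return [(name, expected, trace_path(ingress, src, dst))
            for name, ingress, src, dst, expected in REQUIREMENTS
            if trace_path(ingress, src, dst) != expected]


if __name__ == "__main__":
    for name, ingress, src, dst, _ in REQUIREMENTS:
        print(f"{name:32} {src:>12} -> {dst:<12} via {trace_path(ingress, src, dst) or 'direct'}")
    print("all requirements met" if not verify_requirements() else verify_requirements())
```

    The trace makes the division of labour visible: flows that stay inside one client or server subnet match `office-office` or `server-server` first and are forwarded directly, flows to or from a server are sent to Eth-Trunk100 and then, by the `ips-to-fw` policy on that trunk, on to Eth-Trunk101, and everything else that involves a client or the extranet goes to the NGFW modules only. Changing the order of classifiers in a policy and re-running `verify_requirements()` shows why `match-order config` matters.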

Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements

Two S12700s are deployed on a network shown in Figure 1-32. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules work at Layer 2. That is, they access the network transparently. The NGFW modules work at Layer 3 (flows imported at Layer 3) in active/standby mode.

The customer has the following requirements:

  • The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
  • The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
  • The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 1-33 shows the flow directions.

NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 1-32  Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing 
Figure 1-33  Flow direction 

Data Plan

Table 1-35, Table 1-36, and Table 1-37 provide the data plan.

Table 1-35  Data plan for link aggregation

| Device | Interface Number | Interface Description | Member Interface |
|---|---|---|---|
| S12700 cluster | Eth-trunk100 | Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1 |
| S12700 cluster | Eth-trunk105 | Connected to NGFW Module_A to transparently transmit the packets from VLAN 128 | XGE1/4/0/0, XGE1/4/0/1 |
| S12700 cluster | Eth-trunk106 | Connected to NGFW Module_B to transparently transmit the packets from VLAN 128 | XGE2/4/0/0, XGE2/4/0/1 |
| NGFW Module_A | Eth-trunk0 | Connected to NGFW Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
| NGFW Module_A | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2 |
| NGFW Module_B | Eth-trunk0 | Connected to NGFW Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
| NGFW Module_B | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2 |
| IPS Module_A | Eth-trunk0 | Connected to IPS Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
| IPS Module_A | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
| IPS Module_B | Eth-trunk0 | Connected to IPS Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
| IPS Module_B | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |

Table 1-36  VLAN plan

| Data | Remarks |
|---|---|
| 100, 300 | Server VLANs |
| 101 to 126 | Client VLANs |
| 128 | Layer 3 interface between the NGFW module and switch |
| 2001 | Extranet VLAN |

Table 1-37  IP address plan

| Device | Data | Remarks |
|---|---|---|
| S12700 cluster | VLANIF 100: 10.55.0.1/24; VLANIF 300: 10.55.200.1/24 | Server-side gateway |
| S12700 cluster | VLANIF 101: 10.55.1.1/24; VLANIF 102: 10.55.2.1/24; ...; VLANIF 126: 10.55.26.1/24 | Client-side gateway |
| S12700 cluster | VLANIF 128: 10.54.28.4/24 | Layer 3 interface connected to the NGFW module |
| S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway |
| IPS Module_A | Eth-trunk 0: 192.168.213.5/30 | HRP interface |
| IPS Module_B | Eth-trunk 0: 192.168.213.6/30 | HRP interface |
| NGFW Module_A | Eth-trunk 0: 192.168.213.1/30 | HRP interface |
| NGFW Module_A | Eth-trunk 1.1: 10.55.28.2/24 | Master IP address of the VRRP group connected to the S12700 cluster |
| NGFW Module_A | 10.55.28.1 | VRRP virtual IP address |
| NGFW Module_B | Eth-trunk 0: 192.168.213.2/30 | HRP interface |
| NGFW Module_B | Eth-trunk 1.1: 10.55.28.3/24 | Backup IP address of the VRRP group connected to the S12700 cluster |
| NGFW Module_B | 10.55.28.1 | VRRP virtual IP address |

Configuration Roadmap
  1. Configure interfaces and static routes on NGFW Module_A and NGFW Module_B and set basic parameters.
  2. Configure NGFW Module_A and NGFW Module_B as a Layer 3 VRRP group working in hot standby mode.
  3. Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
  4. Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
  5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
  6. Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
  7. Configure the two S12700s as a cluster.
  8. Implement connectivity between the S12700 cluster, the NGFW modules, and the IPS modules.
  9. Configure a routing policy on the S12700 cluster to implement redirection.

Procedure

  1. Configure interfaces on NGFW modules and set basic parameters.

    # Log in to the CLI of NGFW Module_A from Switch_A.

    <sysname> connect slot 4
    NOTE:

    To return to the CLI of the switch, press Ctrl+D.

    # Set the device name on NGFW Module_A.

    <sysname> system-view
    [sysname] sysname NGFW Module_A

    # Create VLANs on NGFW Module_A.

    [NGFW Module_A] vlan batch 100 to 126 300 2001 

    # Create Layer 3 Eth-Trunk 1 on NGFW Module_A.

    [NGFW Module_A] interface Eth-Trunk 1
    [NGFW Module_A-Eth-Trunk1] description To-master-trunk105
    [NGFW Module_A-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

    NOTE:

    Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

    [NGFW Module_A] interface GigabitEthernet 1/0/0
    [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/0] quit
    [NGFW Module_A] interface GigabitEthernet 1/0/1
    [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_A-GigabitEthernet1/0/1] quit

    # Create a Layer 3 subinterface and configure a VRRP group.

    [NGFW Module_A] interface Eth-Trunk 1.1
    [NGFW Module_A-Eth-Trunk1.1] vlan-type dot1q 128
    [NGFW Module_A-Eth-Trunk1.1] ip address 10.55.28.2 255.255.255.0
    [NGFW Module_A-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
    [NGFW Module_A-Eth-Trunk1.1] service-manage ping permit
    [NGFW Module_A-Eth-Trunk1.1] quit

    # Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

    [NGFW Module_A] interface Eth-Trunk 0
    [NGFW Module_A-Eth-Trunk0] description hrp-interface
    [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
    [NGFW Module_A-Eth-Trunk0] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/1
    [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/1] quit
    [NGFW Module_A] interface GigabitEthernet 0/0/2
    [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_A-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_A to the security zone.

    [NGFW Module_A] firewall zone trust
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1
    [NGFW Module_A-zone-trust] quit
    [NGFW Module_A] firewall zone name hrp
    [NGFW Module_A-zone-hrp] set priority 75
    [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_A-zone-hrp] quit

    # Configure static routes on NGFW Module_A.

    [NGFW Module_A] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet
    [NGFW Module_A] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside
    [NGFW Module_A] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    [NGFW Module_A] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    [NGFW Module_A] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside
    [NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

    # Log in to the CLI of NGFW Module_B from Switch_B.

    <sysname> connect slot 4

    # Set the device name on NGFW Module_B.

    <sysname> system-view
    [sysname] sysname NGFW Module_B

    # Create VLANs on NGFW Module_B.

    [NGFW Module_B] vlan batch 100 to 126 300 2001 

    # Create Layer 3 Eth-Trunk 1 on NGFW Module_B.

    [NGFW Module_B] interface Eth-Trunk 1
    [NGFW Module_B-Eth-Trunk1] description To-master-trunk105
    [NGFW Module_B-Eth-Trunk1] quit

    # Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

    [NGFW Module_B] interface GigabitEthernet 1/0/0
    [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/0] quit
    [NGFW Module_B] interface GigabitEthernet 1/0/1
    [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
    [NGFW Module_B-GigabitEthernet1/0/1] quit

    # Create a Layer 3 subinterface and configure a VRRP group.

    [NGFW Module_B] interface Eth-Trunk 1.1
    [NGFW Module_B-Eth-Trunk1.1] vlan-type dot1q 128
    [NGFW Module_B-Eth-Trunk1.1] ip address 10.55.28.3 255.255.255.0
    [NGFW Module_B-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
    [NGFW Module_B-Eth-Trunk1.1] service-manage ping permit
    [NGFW Module_B-Eth-Trunk1.1] quit

    # Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

    [NGFW Module_B] interface Eth-Trunk 0
    [NGFW Module_B-Eth-Trunk0] description hrp-interface
    [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
    [NGFW Module_B-Eth-Trunk0] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/1
    [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/1] quit
    [NGFW Module_B] interface GigabitEthernet 0/0/2
    [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
    [NGFW Module_B-GigabitEthernet0/0/2] quit

    # Add the interfaces on NGFW Module_B to the security zone.

    [NGFW Module_B] firewall zone trust
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1
    [NGFW Module_B-zone-trust] add interface Eth-Trunk 1.1
    [NGFW Module_B-zone-trust] quit
    [NGFW Module_B] firewall zone name hrp
    [NGFW Module_B-zone-hrp] set priority 75
    [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
    [NGFW Module_B-zone-hrp] quit

    # Configure static routes on NGFW Module_B.

    [NGFW Module_B] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet
    [NGFW Module_B] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside
    [NGFW Module_B] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    [NGFW Module_B] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    [NGFW Module_B] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside
    [NGFW Module_B] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

  2. Configure hot standby for NGFW modules.

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

    [NGFW Module_A] hrp mirror session enable
    [NGFW Module_A] hrp interface Eth-Trunk 0
    [NGFW Module_A] hrp loadbalance-device
    [NGFW Module_A] hrp enable

    # Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

    [NGFW Module_B] hrp mirror session enable
    [NGFW Module_B] hrp interface Eth-Trunk 0
    [NGFW Module_B] hrp loadbalance-device
    [NGFW Module_B] hrp enable

  3. Configure the security service on the NGFW modules.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

    # Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

    HRP_M[NGFW Module_A] security-policy
    HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
    HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
    HRP_M[NGFW Module_A-policy-security] quit

  4. Configure interfaces on IPS modules and set basic parameters.
    1. Log in to the web UI through an Ethernet interface.

      1. Set up a physical connection between the management PC and an IPS module.
      2. Open the browser on the management PC and access https://192.168.0.1:8443.
      3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
      4. Change the password, click OK, and enter the web system.

    2. Choose Network > Interface, click the edit icon of interface GE1/0/0, and set the connection type of GE1/0/0 to access.

      Except for the heartbeat interface addresses in step 6, the configurations on the two IPS Modules are the same; the following steps show the configuration on one IPS Module.

    3. Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to access.

    4. Click Add, and configure Eth-Trunk 1 (a Layer 2 trunk interface containing GE1/0/0 and GE1/0/1 that permits VLANs 100 to 126, 300, and 2001, as the IPS module configuration files show).

    5. Choose Network > Interface Pair, click Add, and configure an interface pair that pairs Eth-Trunk 1 with itself.

    6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.

      NOTE:
      • The IP addresses of the heartbeat interfaces on the two IPS Modules must be in the same network segment.
      • The Eth-Trunk member interfaces on the two IPS Modules must be the same.

      Configure the heartbeat interface on one IPS Module (Eth-Trunk 0 with IP address 192.168.213.5/30 in the configuration files at the end of this example).

      Configure the heartbeat interface on the other IPS Module (Eth-Trunk 0 with IP address 192.168.213.6/30 in the configuration files at the end of this example).

    7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby. In this example, hot standby is enabled in load-balancing mode with Eth-Trunk 0 as the heartbeat interface, as the IPS module configuration files show.

      The configurations on the two IPS Modules are the same.

  5. Configure the IPS security service, for example, antivirus.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.

    1. Choose Object > Security Profiles > Anti-Virus.
    2. Click Add and set the parameters of the AV_http_pop3 profile. In this example, the profile detects HTTP downloads and deletes infected POP3 attachments, as the IPS module configuration files show.

    3. Click OK.
    4. Repeat the previous steps to set the parameters of the AV_ftp profile (FTP upload detection in this example).

  6. Configure a security policy for the outbound direction.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    1. Choose Policy > Security Policy.
    2. Click Add.
    3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:

      Name: policy_av_1
      Description: Intranet-User
      Interface Pair: select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
      Action: permit
      Content Security > Anti-Virus: AV_http_pop3

  7. Configure the security policy in the direction from the external to internal servers.

    After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.

    Configure this policy in the same way as the outbound policy in step 6, with the following parameters:

    Name: policy_av_2
    Description: Intranet-Server
    Interface Pair: select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
    Action: permit
    Content Security > Anti-Virus: AV_ftp

  8. Configure the two S12700s as a cluster.

    1. Connect cluster cables. For details, see Switch Cluster Setup Guide.

      Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.

      # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_A
      [Switch_A] set css priority 100

      # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.

      <HUAWEI> system-view
      [HUAWEI] sysname Switch_B
      [Switch_B] set css id 2
      [Switch_B] set css priority 10

      # Check the cluster configuration.

      Run the display css status saved command to check whether the configurations are as expected.

      Check the cluster configuration on Switch_A.

      [Switch_A] display css status saved
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
      1            1            Off          CSS card    100         Off

      Check the cluster configuration on Switch_B.

      [Switch_B] display css status saved
      Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
      1            2            Off          CSS card    10          Off

    2. Enable the cluster function.

      # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.

      [Switch_A] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

      # Enable the cluster function on Switch_B and restart Switch_B.

      [Switch_B] css enable
      Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

    3. Check whether the cluster is set up successfully.

      # View the indicator status.

      The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.

      The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.

      # Log in to the cluster through the console port on any MPU to check the cluster status.

      [Switch_A] display css status
      CSS Enable switch On
      Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force
      ------------------------------------------------------------------------------
      1            On           Master          CSS card    100         Off
      2            On           Standby         CSS card    10          Off

      The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.

      # Check whether cluster links work normally.

      [Switch_A] display css channel

      The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.

    4. Set the cluster system name to CSS.

      [Switch_A] sysname CSS
      [CSS]

  9. Configure the interfaces and VLAN IDs on switches.
    1. Create VLANs.

      [CSS] vlan batch 100 to 126 128 300 2001

    2. Configure upstream and downstream interfaces.

      [CSS] interface GigabitEthernet 1/6/0/36  //Connected to the servers
      [CSS-GigabitEthernet1/6/0/36] port link-type trunk
      [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0  //Connected to the extranet
      [CSS-GigabitEthernet2/3/0/0] port link-type trunk
      [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36  //Connected to the clients
      [CSS-GigabitEthernet2/3/0/36] port link-type trunk
      [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
      [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
      [CSS-GigabitEthernet2/3/0/36] quit

    3. Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.

      [CSS] interface vlanif 2001
      [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
      [CSS-Vlanif2001] quit
      [CSS] interface vlanif 100
      [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
      [CSS-Vlanif100] quit
      [CSS] interface vlanif 300
      [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
      [CSS-Vlanif300] quit
      [CSS] interface vlanif 101
      [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
      [CSS-Vlanif101] quit
      [CSS] interface vlanif 102
      [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
      [CSS-Vlanif102] quit
      [CSS] interface vlanif 126
      [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
      [CSS-Vlanif126] quit
      [CSS] interface vlanif 128  //Layer 3 interface connected to the NGFW modules
      [CSS-Vlanif128] ip address 10.55.28.4 255.255.255.0
      [CSS-Vlanif128] quit

    4. Add the eight interfaces between the switches and NGFW/IPS modules to Eth-Trunk 105, Eth-Trunk 106, and Eth-Trunk 100.

      [CSS] interface eth-trunk 105
      [CSS-Eth-Trunk105] description to-ngfw-a
      [CSS-Eth-Trunk105] port link-type trunk
      [CSS-Eth-Trunk105] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk105] port trunk allow-pass vlan 128
      [CSS-Eth-Trunk105] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
      [CSS-Eth-Trunk105] quit
      [CSS] interface eth-trunk 106
      [CSS-Eth-Trunk106] description to-ngfw-b
      [CSS-Eth-Trunk106] port link-type trunk
      [CSS-Eth-Trunk106] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk106] port trunk allow-pass vlan 128
      [CSS-Eth-Trunk106] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
      [CSS-Eth-Trunk106] quit
      [CSS] interface eth-trunk 100
      [CSS-Eth-Trunk100] description to-ips
      [CSS-Eth-Trunk100] port link-type trunk
      [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
      [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
      [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
      [CSS-Eth-Trunk100] mac-address learning disable
      [CSS-Eth-Trunk100] stp disable
      [CSS-Eth-Trunk100] quit

    5. Set the load balancing mode on Eth-Trunks.

      [CSS] load-balance-profile sec
      [CSS-load-balance-profile-sec] ipv4 field sip dip
      [CSS-load-balance-profile-sec] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] load-balance enhanced profile sec
      [CSS-Eth-Trunk100] quit
      [CSS] interface Eth-Trunk 105
      [CSS-Eth-Trunk105] load-balance enhanced profile sec
      [CSS-Eth-Trunk105] quit
      [CSS] interface Eth-Trunk 106
      [CSS-Eth-Trunk106] load-balance enhanced profile sec
      [CSS-Eth-Trunk106] quit

    6. Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk100
      [CSS-GigabitEthernet1/6/0/36] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk100
      [CSS-GigabitEthernet2/3/0/36] quit

    7. Configure traffic policies and bind them to interfaces to implement redirection.

      # Create ACLs.

      [CSS] acl 3010  //Match the flows sent from clients
      [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3010] quit
      [CSS] acl 3011  //Match the flows destined for clients
      [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3011] quit
      [CSS] acl 3020  //Match the flows sent from servers
      [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3020] quit
      [CSS] acl 3021  //Match the flows destined for servers
      [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3021] quit
      [CSS] acl 3012  //Match inter-client flows within a subnet
      [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
      [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
      [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
      [CSS-acl-adv-3012] quit
      [CSS] acl 3022  //Match inter-server flows within a subnet
      [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
      [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
      [CSS-acl-adv-3022] quit

      # Configure traffic classifiers.

      [CSS] traffic classifier from-office operator or precedence 80
      [CSS-classifier-from-office] if-match acl 3010
      [CSS-classifier-from-office] quit
      [CSS] traffic classifier to-office operator or precedence 85
      [CSS-classifier-to-office] if-match acl 3011
      [CSS-classifier-to-office] quit
      [CSS] traffic classifier from-server operator or precedence 75
      [CSS-classifier-from-server] if-match acl 3020
      [CSS-classifier-from-server] quit
      [CSS] traffic classifier to-server operator or precedence 60
      [CSS-classifier-to-server] if-match acl 3021
      [CSS-classifier-to-server] quit
      [CSS] traffic classifier office-office operator or precedence 40
      [CSS-classifier-office-office] if-match acl 3012
      [CSS-classifier-office-office] quit
      [CSS] traffic classifier server-server operator or precedence 65
      [CSS-classifier-server-server] if-match acl 3022
      [CSS-classifier-server-server] quit

      # Configure traffic behaviors.

      [CSS] traffic behavior behavior1  //Permit flows without redirecting them
      [CSS-behavior-behavior1] permit
      [CSS-behavior-behavior1] quit
      [CSS] traffic behavior to-eth-trunk100
      [CSS-behavior-to-eth-trunk100] permit
      [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100  //Redirect flows to the IPS module
      [CSS-behavior-to-eth-trunk100] quit
      [CSS] traffic behavior to-eth-trunk105-6
      [CSS-behavior-to-eth-trunk105-6] permit
      [CSS-behavior-to-eth-trunk105-6] redirect ip-nexthop 10.55.28.1  //Redirect flows to the NGFW module
      [CSS-behavior-to-eth-trunk105-6] quit

      # Bind traffic policies to interfaces.

      [CSS] traffic policy ips-to-fw match-order config
      [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk105-6
      [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk105-6
      [CSS-trafficpolicy-ips-to-fw] quit
      [CSS] interface Eth-Trunk 100
      [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS module to the NGFW module
      [CSS-Eth-Trunk100] quit
      [CSS] traffic policy internet-in match-order config
      [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
      [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from the extranet to servers to the IPS module
      [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk105-6  //Redirect the flows from the extranet to clients to the NGFW module
      [CSS-trafficpolicy-internet-in] quit
      [CSS] interface GigabitEthernet 2/3/0/0
      [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
      [CSS-GigabitEthernet2/3/0/0] quit
      [CSS] traffic policy office-out match-order config
      [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet
      [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module
      [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk105-6  //Redirect the inter-client flows between different subnets and the flows from clients to the extranet to the NGFW module
      [CSS-trafficpolicy-office-out] quit
      [CSS] interface GigabitEthernet 2/3/0/36
      [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
      [CSS-GigabitEthernet2/3/0/36] quit
      [CSS] traffic policy server-out match-order config
      [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet
      [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows between different subnets, and the flows from servers to the extranet to the IPS module
      [CSS-trafficpolicy-server-out] quit
      [CSS] interface GigabitEthernet 1/6/0/36
      [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
      [CSS-GigabitEthernet1/6/0/36] quit
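      To make the redirection logic of the preceding step easier to reason about, the following is an added Python model (not Huawei code and not part of the original example) of the ACLs, traffic classifiers, traffic behaviors, traffic policies and interface bindings configured above. It assumes simplified semantics: an ACL matches when any of its permit rules matches under its wildcard mask, and a match-order config policy applies the first classifier in configured order whose ACL matches. The extranet address 203.0.113.7 used in the sample flows is constructed.

```python
"""Model of the CSS redirection policies (added example, not Huawei code).

Reproduces the ACLs, classifiers, behaviors and policies from the
configuration above so that, for a given ingress interface and IP pair,
you can see which behavior the switch applies. Semantics are simplified:
an ACL matches if any permit rule matches (wildcard comparison), and a
`match-order config` policy applies the first matching classifier.
"""
from typing import Optional


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 text to integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL semantics: wildcard bits set to 1 are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


# Advanced ACLs as configured on the CSS: (source, destination) per rule,
# None meaning "any side". Every rule on the page uses a 0.0.0.255 wildcard.
WILDCARD = "0.0.0.255"
ACLS = {
    3010: [("10.55.1.0", None), ("10.55.2.0", None), ("10.55.26.0", None)],
    3011: [(None, "10.55.1.0"), (None, "10.55.2.0"), (None, "10.55.26.0")],
    3012: [("10.55.1.0", "10.55.1.0"), ("10.55.2.0", "10.55.2.0"),
           ("10.55.26.0", "10.55.26.0")],
    3020: [("10.55.0.0", None), ("10.55.200.0", None)],
    3021: [(None, "10.55.0.0"), (None, "10.55.200.0")],
    3022: [("10.55.0.0", "10.55.0.0"), ("10.55.200.0", "10.55.200.0")],
}


def acl_matches(acl: int, src: str, dst: str) -> bool:
    for rule_src, rule_dst in ACLS[acl]:
        if rule_src and not in_wildcard(src, rule_src, WILDCARD):
            continue
        if rule_dst and not in_wildcard(dst, rule_dst, WILDCARD):
            continue
        return True
    return False


# Classifier -> ACL (each classifier has a single if-match).
CLASSIFIERS = {
    "from-office": 3010, "to-office": 3011, "office-office": 3012,
    "from-server": 3020, "to-server": 3021, "server-server": 3022,
}
BEHAVIORS = {
    "behavior1": "permit, no redirect",
    "to-eth-trunk100": "redirect to Eth-Trunk100 (IPS module)",
    "to-eth-trunk105-6": "redirect to next hop 10.55.28.1 (NGFW VRRP address)",
}
# Policies in configured (match-order config) order and their inbound bindings.
POLICIES = {
    "ips-to-fw": [("to-server", "to-eth-trunk105-6"),
                  ("from-server", "to-eth-trunk105-6")],
    "internet-in": [("office-office", "behavior1"),
                    ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk105-6")],
    "office-out": [("office-office", "behavior1"),
                   ("to-server", "to-eth-trunk100"),
                   ("from-office", "to-eth-trunk105-6")],
    "server-out": [("server-server", "behavior1"),
                   ("from-server", "to-eth-trunk100")],
}
BINDINGS = {
    "Eth-Trunk100": "ips-to-fw",                # back from the IPS module
    "GigabitEthernet2/3/0/0": "internet-in",    # extranet
    "GigabitEthernet2/3/0/36": "office-out",    # clients
    "GigabitEthernet1/6/0/36": "server-out",    # servers
}


def apply_policy(ingress: str, src: str, dst: str) -> Optional[str]:
    """Behavior name the CSS applies, or None when no classifier matches
    (the packet is then forwarded by the normal L2/L3 lookup, uninspected)."""
    for classifier, behavior in POLICIES[BINDINGS[ingress]]:
        if acl_matches(CLASSIFIERS[classifier], src, dst):
            return behavior
    return None


if __name__ == "__main__":
    # Constructed sample flows covering every path described in the step.
    samples = [
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),   # same client subnet
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.2.10"),   # two client subnets
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.5"),    # client -> server
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "203.0.113.7"),  # client -> extranet
        ("GigabitEthernet2/3/0/0", "203.0.113.7", "10.55.0.5"),    # extranet -> server
        ("GigabitEthernet2/3/0/0", "203.0.113.7", "10.55.1.10"),   # extranet -> client
        ("GigabitEthernet1/6/0/36", "10.55.0.5", "10.55.1.10"),    # server -> client
        ("Eth-Trunk100", "10.55.0.5", "10.55.1.10"),               # same flow after the IPS
    ]
    for ingress, src, dst in samples:
        b = apply_policy(ingress, src, dst)
        print(f"{ingress:24} {src:>12} -> {dst:<12} {BEHAVIORS.get(b, 'normal forwarding')}")
```

      Running the model shows, for instance, that a flow between two clients on the same subnet is permitted without redirection (classifier office-office), while a client-to-server flow first enters the IPS module through Eth-Trunk100 and, when it comes back in on Eth-Trunk100, is then sent to the NGFW VRRP address. Any (ingress, source, destination) combination for which apply_policy returns None bypasses both modules, so the model is a quick way to confirm that the classifier order leaves no unintended gap when a client or server subnet is added to the ACLs.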

  10. Verify the configuration.

    # Check the configuration of the S12700 cluster.

    [CSS] display device
    Chassis 1 (Master Switch)
    S12708's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
    1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    Chassis 2 (Standby Switch)
    S12712's Device status:
    Slot  Sub   Type            Online    Power      Register       Status     Role
    ----------  ------------   ---------------------------------------------------------
    3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA
    4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA
    5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA
    7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA
    13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master
    14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave
    18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA
    1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA
    PWR1  -     -               Present   PowerOn    Registered     Normal     NA
    PWR2  -     -               Present   PowerOn    Registered     Normal     NA
    CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master
    FAN1  -     -               Present   PowerOn    Registered     Normal     NA
    FAN2  -     -               Present   PowerOn    Registered     Normal     NA
    FAN3  -     -               Present   PowerOn    Registered     Normal     NA
    FAN4  -     -               Present   PowerOn    Registered     Normal     NA
    FAN5  -     -               Present   PowerOn    Registered     Normal     NA

    # Check the status of the Eth-Trunks between the IPS/NGFW modules and the S12700 cluster.

    [IPS Module] display interface brief | include up
    2016/5/31 10:49
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%     0%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0

    [NGFW Module_B] display interface brief | include up
    10:56:34  2016/05/31
    PHY: Physical
    *down: administratively down
    ^down: standby down
    (s): spoofing
    InUti/OutUti: input utility/output utility
    Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors
    Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0
      GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0
    Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0
      GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0
    Eth-Trunk1.1                up    up       0.01%     0%                 0                 0
    Eth-Trunk1.2                up    up       0.01%     0%                 0                 0
    NULL0                       up    up(s)       0%     0%                 0                 0

    # Check traffic statistics on interfaces.

    • The traffic statistics between clients and servers are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.13%  0.13%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.25%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%  0.25%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%  0.25%          0          0
        XGigabitEthernet2/5/0/1   up    up        0.25%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.25%     0%          0          0
        XGigabitEthernet1/4/0/1   up    up        0.25%  0.50%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
    • The traffic statistics between clients and extranet are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up           0%  0.17%          0          0
        XGigabitEthernet1/4/0/1   up    up        0.50%  0.33%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.01%  0.01%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
    • The traffic statistics between servers and extranet are correct.
      [CSS] display interface brief | include up
      PHY: Physical
      *down: administratively down
      ^down: standby
      ~down: LDT down
      #down: LBDT down
      (l): loopback
      (s): spoofing
      (E): E-Trunk down
      (b): BFD down
      (e): ETHOAM down
      (dl): DLDP down
      (d): Dampening Suppressed
      (ld): LDT block
      (lb): LBDT block
      InUti/OutUti: input utility/output utility
      Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
      Eth-Trunk100                up    up        0.12%  0.12%          0          0
        XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0
      Eth-Trunk105                up    up        0.25%  0.25%          0          0
        XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0
        XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0
      Eth-Trunk106                up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
        XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
      Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0
      GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
      GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0
      NULL0                       up    up(s)        0%     0%          0          0
      Vlanif100                   up    up           --     --          0          0
      Vlanif101                   up    up           --     --          0          0
      Vlanif102                   up    up           --     --          0          0
      Vlanif126                   up    up           --     --          0          0
      Vlanif128                   up    up           --     --          0          0
      Vlanif300                   up    up           --     --          0          0
      Vlanif2001                  up    up           --     --          0          0
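    The three checks above are done by eye; the following added Python parser (not Huawei code and not part of the original example) turns display interface brief output into per-interface utilisation and error counters so that the same checks can be scripted. The embedded sample is constructed from the rows shown for the client-to-server test, with most Vlanif rows omitted.

```python
"""Parser for `display interface brief` output (added example, not Huawei code).

Extracts InUti/OutUti and error counters per interface so that a test run
can be checked automatically: which Eth-Trunks actually carried the
redirected flows, and whether any interface counted errors.
"""
from typing import Dict, List, Optional

# Constructed sample: the rows from the client-to-server test above.
SAMPLE_OUTPUT = """\
PHY: Physical
*down: administratively down
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up        0.13%  0.13%          0          0
  XGigabitEthernet1/5/0/0   up    up        0.25%     0%          0          0
  XGigabitEthernet1/5/0/1   up    up           0%  0.25%          0          0
  XGigabitEthernet2/5/0/0   up    up           0%  0.25%          0          0
  XGigabitEthernet2/5/0/1   up    up        0.25%     0%          0          0
Eth-Trunk105                up    up        0.25%  0.25%          0          0
  XGigabitEthernet1/4/0/0   up    up        0.25%     0%          0          0
  XGigabitEthernet1/4/0/1   up    up        0.25%  0.50%          0          0
Eth-Trunk106                up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0
  XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif128                   up    up           --     --          0          0
"""


def _pct(token: str) -> Optional[float]:
    """'0.25%' -> 0.25; '--' (no utilisation reported) -> None."""
    return None if token == "--" else float(token.rstrip("%"))


def parse_utilisation(text: str) -> Dict[str, dict]:
    """Map interface name -> {in, out, in_err, out_err, member}.

    Legend lines and the header are skipped because only data rows have
    exactly seven whitespace-separated fields. Eth-Trunk member ports are
    the indented rows.
    """
    rows: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Interface":
            continue
        name, _phy, _proto, in_u, out_u, in_err, out_err = fields
        rows[name] = {
            "in": _pct(in_u), "out": _pct(out_u),
            "in_err": int(in_err), "out_err": int(out_err),
            "member": line.startswith(" "),
        }
    return rows


def active_trunks(rows: Dict[str, dict]) -> List[str]:
    """Eth-Trunks (not their member ports) that carried traffic."""
    return sorted(n for n, r in rows.items()
                  if n.startswith("Eth-Trunk") and (r["in"] or r["out"]))


def interfaces_with_errors(rows: Dict[str, dict]) -> List[str]:
    return sorted(n for n, r in rows.items() if r["in_err"] or r["out_err"])


if __name__ == "__main__":
    parsed = parse_utilisation(SAMPLE_OUTPUT)
    print("trunks carrying traffic:", active_trunks(parsed))
    print("interfaces with errors:", interfaces_with_errors(parsed))
```

    For the client-to-server sample, active_trunks returns Eth-Trunk100 and Eth-Trunk105 only: the flows went through the IPS module and then to NGFW Module_A, which holds the active VRRP address 10.55.28.1, while Eth-Trunk106 to the standby NGFW Module_B stayed idle. A non-empty result from interfaces_with_errors would point at a link worth inspecting before trusting the traffic statistics.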

Configuration Files
  • NGFW module configuration files

    NGFW Module_A:

    #
    sysname NGFW Module_A
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.1 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk105
    #
    interface Eth-Trunk1.1
     vlan-type dot1q 128
     ip address 10.55.28.2 255.255.255.0
     vrrp vrid 10 virtual-ip 10.55.28.1 active
     service-manage ping permit
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
     add interface Eth-Trunk1.1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
    ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    return

    NGFW Module_B:

    #
    sysname NGFW Module_B
    #
    hrp mirror session enable
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    interface Eth-Trunk 0
     description hrp-interface
     ip address 192.168.213.2 255.255.255.252
    #
    interface Eth-Trunk 1
     description To-master-trunk106
    #
    interface Eth-Trunk1.1
     vlan-type dot1q 128
     ip address 10.55.28.3 255.255.255.0
     vrrp vrid 10 virtual-ip 10.55.28.1 standby
     service-manage ping permit
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     eth-trunk 1
    #
    firewall zone trust
     set priority 85
     add interface Eth-Trunk1
     add interface Eth-Trunk1.1
    #
    firewall zone name hrp
     set priority 75
     add interface Eth-Trunk 0
    #
    security-policy
     rule name policy_to_wan
      source-address 10.55.0.0 16
      source-address 10.54.1.248 29
      profile ips default
      action permit
    #
    ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
    ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
    ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
    return
  • IPS module configuration files

    IPS Module_A:

    #
    sysname IPS Module_A
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.5 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return

    IPS Module_B:

    #
    sysname IPS Module_B
    #
    hrp enable
    hrp loadbalance-device
    hrp interface Eth-Trunk 0
    #
    vlan batch 100 to 126 300 2001
    #
    pair-interface 1 Eth-Trunk1 Eth-Trunk1
    #
    interface Eth-Trunk 0
     ip address 192.168.213.6 255.255.255.252
    #
    interface Eth-Trunk 1
     portswitch
     port link-type trunk
     undo port trunk permit vlan 1
     port trunk permit vlan 100 to 126 300 2001
    #
    interface GigabitEthernet 0/0/1
     eth-trunk 0
    #
    interface GigabitEthernet 0/0/2
     eth-trunk 0
    #
    interface GigabitEthernet 1/0/0
     portswitch
     port link-type access
     eth-trunk 1
    #
    interface GigabitEthernet 1/0/1
     portswitch
     port link-type access
     eth-trunk 1
    #
    profile type av name AV_http_pop3
     description http-pop3
     http-detect direction download
     undo ftp-detect
     undo smtp-detect
     pop3-detect action delete-attachment
     undo imap-detect
     undo nfs-detect
     undo smb-detect
     exception application name Netease_Webmail action allow
     exception av-signature-id 1000
    profile type av name AV_ftp
     description ftp
     undo http-detect
     ftp-detect direction upload
     undo smtp-detect
     undo pop3-detect
     undo imap-detect
     undo nfs-detect
     undo smb-detect
    #
    security-policy
     rule name policy_av_1
      description Intranet-User
      profile av AV_http_pop3
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
     rule name policy_av_2
      description Intranet-Server
      profile av AV_ftp
      pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
      action permit
    #
    return
  • CSS configuration file

    #
    sysname CSS
    #
    vlan batch 100 to 126 128 300 2001
    #
    acl number 3010
     rule 5 permit ip source 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255
    acl number 3011
     rule 5 permit ip destination 10.55.1.0 0.0.0.255
     rule 10 permit ip destination 10.55.2.0 0.0.0.255
     rule 15 permit ip destination 10.55.26.0 0.0.0.255
    acl number 3012
     rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
     rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
     rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
    acl number 3020
     rule 5 permit ip source 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255
    acl number 3021
     rule 5 permit ip destination 10.55.0.0 0.0.0.255
     rule 10 permit ip destination 10.55.200.0 0.0.0.255
    acl number 3022
     rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
     rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
    #
    traffic classifier office-office operator or precedence 40
     if-match acl 3012
    traffic classifier from-office operator or precedence 80
     if-match acl 3010
    traffic classifier from-server operator or precedence 75
     if-match acl 3020
    traffic classifier server-server operator or precedence 65
     if-match acl 3022
    traffic classifier to-office operator or precedence 85
     if-match acl 3011
    traffic classifier to-server operator or precedence 60
     if-match acl 3021
    #
    traffic behavior behavior1
     permit
    traffic behavior to-eth-trunk100
     permit
     redirect interface Eth-Trunk100
    traffic behavior to-eth-trunk105-6
     permit
     redirect ip-nexthop 10.55.28.1
    #
    traffic policy office-out match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier from-office behavior to-eth-trunk105-6
    traffic policy internet-in match-order config
     classifier office-office behavior behavior1
     classifier to-server behavior to-eth-trunk100
     classifier to-office behavior to-eth-trunk105-6
    traffic policy ips-to-fw match-order config
     classifier to-server behavior to-eth-trunk105-6
     classifier from-server behavior to-eth-trunk105-6
    traffic policy server-out match-order config
     classifier server-server behavior behavior1
     classifier from-server behavior to-eth-trunk100
    #
    interface Vlanif100
     ip address 10.55.0.1 255.255.255.0
    #
    interface Vlanif101
     ip address 10.55.1.1 255.255.255.0
    #
    interface Vlanif102
     ip address 10.55.2.1 255.255.255.0
    #
    interface Vlanif128
     ip address 10.55.28.4 255.255.255.0
    #
    interface Vlanif300
     ip address 10.55.200.1 255.255.255.0
    #
    interface Vlanif2001
     ip address 10.54.1.253 255.255.255.248
    #
    load-balance-profile sec
    #
    interface Eth-Trunk100
     description to-ips
     port link-type trunk
     mac-address learning disable
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 to 126 300 2001
     stp disable
     traffic-policy ips-to-fw inbound
     load-balance enhanced profile sec
    #
    interface Eth-Trunk105
     description to-ngfw-a
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 128
     load-balance enhanced profile sec
    #
    interface Eth-Trunk106
     description to-ngfw-b
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 128
     load-balance enhanced profile sec
    #
    interface GigabitEthernet1/6/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 100 300
     traffic-policy server-out inbound
     am isolate Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/0
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 2001
     traffic-policy internet-in inbound
     am isolate Eth-Trunk100
    #
    interface GigabitEthernet2/3/0/36
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 101 to 126
     traffic-policy office-out inbound
     am isolate Eth-Trunk100
    #
    interface XGigabitEthernet1/4/0/0
     eth-trunk 105
    #
    interface XGigabitEthernet1/4/0/1
     eth-trunk 105
    #
    interface XGigabitEthernet1/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet1/5/0/1
     eth-trunk 100
    #
    interface XGigabitEthernet2/4/0/0
     eth-trunk 106
    #
    interface XGigabitEthernet2/4/0/1
     eth-trunk 106
    #
    interface XGigabitEthernet2/5/0/0
     eth-trunk 100
    #
    interface XGigabitEthernet2/5/0/1
     eth-trunk 100
    #
    return
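In this design the CSS itself decides which flows ever reach the IPS module (redirect to Eth-Trunk100) or the NGFW module (redirect to the VRRP virtual IP 10.55.28.1): a flow that matches none of the classifiers bound on its ingress port is simply forwarded by the switch and is inspected by neither module. The script below is an added example, not code from the page or from Huawei. It resolves the ACL, classifier, behavior and policy chain from a transcribed excerpt of the CSS configuration above (the office-out policy and the ACLs it uses; the other three policies have the same shape and can be pasted into the same string) and reports, for constructed sample flows entering GigabitEthernet2/3/0/36, which path each one takes. It assumes that classifiers in a `match-order config` policy are evaluated in their configured order with the first match winning, and it implements only the `rule N permit ip source|destination A W` form that this configuration uses.

```python
"""Which inspection path does a flow take under the CSS redirection policy?

Added example, not code from the page or from Huawei. It re-implements a subset
of Huawei ACL/traffic-policy semantics: wildcard matching for 'rule N permit ip
source|destination A W', single-ACL classifiers, and (assumed) first-match-wins
order for the classifiers bound in a 'match-order config' policy. The excerpt is
transcribed from the page's CSS configuration; the flows are constructed."""
import ipaddress
import re

CSS_EXCERPT = """\
acl number 3010
 rule 5 permit ip source 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3012
 rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3021
 rule 5 permit ip destination 10.55.0.0 0.0.0.255
 rule 10 permit ip destination 10.55.200.0 0.0.0.255
traffic classifier office-office operator or precedence 40
 if-match acl 3012
traffic classifier from-office operator or precedence 80
 if-match acl 3010
traffic classifier to-server operator or precedence 60
 if-match acl 3021
traffic behavior behavior1
 permit
traffic behavior to-eth-trunk100
 permit
 redirect interface Eth-Trunk100
traffic behavior to-eth-trunk105-6
 permit
 redirect ip-nexthop 10.55.28.1
traffic policy office-out match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier from-office behavior to-eth-trunk105-6
"""
SECTIONS = {"classifier": "classifiers", "behavior": "behaviors", "policy": "policies"}


def ip(s):
    """Dotted quad -> int, used for both addresses and wildcard masks."""
    return int(ipaddress.IPv4Address(s))


def parse_config(text):
    """Return {'acls', 'classifiers', 'behaviors', 'policies'}, each keyed by name."""
    cfg = {"acls": {}, "classifiers": {}, "behaviors": {}, "policies": {}}
    ctx = []  # list owned by the section header most recently seen
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"acl number (\d+)", line):
            ctx = cfg["acls"].setdefault(m[1], [])
        elif m := re.match(r"traffic (classifier|behavior|policy) (\S+)", line):
            ctx = cfg[SECTIONS[m[1]]].setdefault(m[2], [])
        elif m := re.match(r"rule \d+ permit ip (.*)", line):
            t = m[1].split()  # 'source A W [destination A W]'; absent key = any
            ctx.append({t[i]: (ip(t[i + 1]), ip(t[i + 2])) for i in range(0, len(t), 3)})
        elif m := re.match(r"if-match acl (\d+)", line):
            ctx.append(m[1])
        elif m := re.match(r"classifier (\S+) behavior (\S+)", line):
            ctx.append((m[1], m[2]))
        elif line.startswith(("permit", "redirect")):
            ctx.append(line)
    return cfg


def rule_matches(rule, src, dst):
    """Wildcard semantics: bits set in the wildcard are don't-care bits."""
    for key, addr in (("source", src), ("destination", dst)):
        if key in rule:
            base, wild = rule[key]
            if (ip(addr) | wild) != (base | wild):
                return False
    return True


def classify(cfg, policy, src, dst):
    """(classifier, behavior, action) for the first matching classifier, or None.
    None means no redirect applies: the CSS forwards the flow itself and neither
    the IPS module nor the NGFW module ever sees it."""
    for cls, beh in cfg["policies"][policy]:
        if any(rule_matches(r, src, dst)
               for acl in cfg["classifiers"][cls] for r in cfg["acls"][acl]):
            acts = [a for a in cfg["behaviors"][beh] if a.startswith("redirect")]
            return cls, beh, acts[0] if acts else "permit"
    return None


CFG = parse_config(CSS_EXCERPT)
# Constructed flows entering GE2/3/0/36, where the page binds office-out inbound.
SAMPLE_FLOWS = [
    ("10.55.1.20", "10.55.0.10"),    # office host -> server VLAN 100
    ("10.55.1.20", "10.55.1.30"),    # office host -> same office VLAN
    ("10.55.1.20", "198.51.100.9"),  # office host -> Internet
    ("10.55.3.7", "198.51.100.9"),   # source covered by no ACL rule
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        hit = classify(CFG, "office-out", src, dst)
        print(f"{src:<12} -> {dst:<13} "
              f"{hit[2] if hit else 'no classifier matched: forwarded uninspected'}")
```

The fourth sample is the case worth keeping an eye on when this configuration is maintained: GigabitEthernet2/3/0/36 allows VLANs 101 to 126 through, but ACLs 3010, 3011 and 3012 only name the 10.55.1.0/24, 10.55.2.0/24 and 10.55.26.0/24 subnets, so a host on any other subnet carried over that trunk is forwarded by the CSS without passing through the IPS or NGFW module until the ACLs are extended to cover it.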

For more information, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

