Background
The IPS module is a service card that provides intrusion prevention, antivirus, and anti-DDoS functions for IP networks.
The NGFW module is a service card that functions as a next-generation firewall, providing firewall, NAT, and VPN functions for IP networks.
IPS modules and NGFW modules can be deployed in many ways. This section describes two typical methods, summarized in Table 1-30.
Table 1-30 Deploying IPS modules and IPS/NGFW modules on switches
Method | Description |
---|---|
Deploying IPS modules and NGFW modules on a Layer 2 dual-node system and importing flows through redirection | The NGFW modules work in interface pair mode (transparent, Layer 2) and receive the flows from the switches on a Layer 2 Eth-Trunk. The switches steer traffic to the modules with traffic-policy redirection, and the VLANIF addresses on the switch cluster remain the gateway addresses for the upstream and downstream networks (see the data plan below). |
Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing | The NGFW modules work in the routing mode, and the flows from switches are received by a Layer 3 Eth-Trunk subinterface. The VLANIF interface address on a switch is the gateway address for upstream and downstream networks. |
Table 1-31 lists the products and versions to which this configuration example is applicable.
Table 1-31 Applicable products and versions
Product Model | Software Version |
---|---|
S7700&S9700&S12700 | V200R007 and later versions |
IPS Module | V100R001C30 |
NGFW Module | V100R001C30 |
- Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection
- Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing
Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection
Networking Requirements
Two S12700s are deployed on the network shown in Figure 1-30. On each S12700, an NGFW module is installed in slot 4 and an IPS module in slot 5. The two S12700s form a cluster (CSS) and work in hot standby mode. The IPS modules and NGFW modules work at Layer 2, that is, they are inserted into the network transparently.
The customer has the following requirements:
- The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
- The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
- The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.
Figure 1-31 shows the flow directions.
NOTE:
Each IPS/NGFW module is connected to its switch through two internal 10GE Ethernet links; one end of each link is on the switch and the other on the IPS or NGFW module.
On the IPS module and the NGFW module, the internal Ethernet interfaces are fixed as GE1/0/0 and GE1/0/1 (they run at 10GE and appear as GigabitEthernet1/0/0(XGE) in display output). On the switch, the internal interfaces are numbered by the slot of the module: a module in slot 1 is reached through XGE1/0/0 and XGE1/0/1. In a cluster the chassis ID is prepended, so the IPS module in slot 5 of chassis 1 is reached through XGE1/5/0/0 and XGE1/5/0/1 (see Table 1-32).
Figure 1-30 Deploying IPS module and NGFW module on a Layer 2 dual-node system and importing flows through redirection
Figure 1-31 Flow direction
Data Plan
Table 1-32, Table 1-33, and Table 1-34 provide the data plan.
Table 1-32 Data plan for link aggregation
Device | Interface Number | Interface Description | Member Interfaces |
---|---|---|---|
S12700 cluster | Eth-Trunk 100 | Connected to IPS Module_A and IPS Module_B; transparently carries the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1 |
S12700 cluster | Eth-Trunk 101 | Connected to NGFW Module_A and NGFW Module_B; transparently carries the VLANs of clients, servers, and extranet | XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, XGE2/4/0/1 |
NGFW Module_A | Eth-Trunk 0 | Heartbeat link to NGFW Module_B | GE0/0/1, GE0/0/2 |
NGFW Module_A | Eth-Trunk 1 | Connected to the S12700 cluster (Eth-Trunk 101); transparently carries the VLANs of clients, servers, and extranet | GE1/0/0, GE1/0/1 |
NGFW Module_B | Eth-Trunk 0 | Heartbeat link to NGFW Module_A | GE0/0/1, GE0/0/2 |
NGFW Module_B | Eth-Trunk 1 | Connected to the S12700 cluster (Eth-Trunk 101); transparently carries the VLANs of clients, servers, and extranet | GE1/0/0, GE1/0/1 |
IPS Module_A | Eth-Trunk 0 | Heartbeat link to IPS Module_B | GE0/0/1, GE0/0/2 |
IPS Module_A | Eth-Trunk 1 | Connected to the S12700 cluster (Eth-Trunk 100); transparently carries the VLANs of clients, servers, and extranet | GE1/0/0, GE1/0/1 |
IPS Module_B | Eth-Trunk 0 | Heartbeat link to IPS Module_A | GE0/0/1, GE0/0/2 |
IPS Module_B | Eth-Trunk 1 | Connected to the S12700 cluster (Eth-Trunk 100); transparently carries the VLANs of clients, servers, and extranet | GE1/0/0, GE1/0/1 |
The module-side members of Eth-Trunk 1 are the fixed internal interfaces GE1/0/0 and GE1/0/1 described in the note above; the panel interfaces GE0/0/1 and GE0/0/2 carry only the heartbeat.
Table 1-33 Data plan for VLANs
Data | Remarks |
---|---|
100, 300 | Server VLANs |
101 to 126 | Client VLANs |
2001 | Extranet VLAN |
Table 1-34 Data plan for IP addresses
Device | Data | Remarks |
---|---|---|
S12700 cluster | VLANIF 100: 10.55.0.1/24, VLANIF 300: 10.55.200.1/24 | Server-side gateway |
S12700 cluster | VLANIF 101: 10.55.1.1/24, VLANIF 102: 10.55.2.1/24, ..., VLANIF 126: 10.55.26.1/24 | Client-side gateway |
S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway |
IPS Module_A | Eth-Trunk 0: 192.168.213.5/30 | HRP (heartbeat) interface |
IPS Module_B | Eth-Trunk 0: 192.168.213.6/30 | HRP (heartbeat) interface |
NGFW Module_A | Eth-Trunk 0: 192.168.213.1/30 | HRP (heartbeat) interface |
NGFW Module_B | Eth-Trunk 0: 192.168.213.2/30 | HRP (heartbeat) interface |
Configuration Roadmap
- Configure interfaces on NGFW Module_A and NGFW Module_B and set basic parameters.
- Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby system working in load balancing mode.
- Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
- Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
- Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
- Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
- Configure the two S12700s as a cluster.
- Implement connectivity between S12700 cluster, NGFW modules, and IPS modules.
- Configure a traffic policy on the S12700 cluster and apply the policy to interfaces to implement redirection.
Procedure
- Configure interfaces on NGFW modules and set basic parameters.
# Log in to the CLI of NGFW Module_A from Switch_A.
<sysname> connect slot 4
NOTE:
To return to the CLI of the switch, press Ctrl+D.
# Set the device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname NGFW Module_A
# Create VLANs on NGFW Module_A.
[NGFW Module_A] vlan batch 100 to 126 300 2001
# Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from upstream and downstream VLANs to pass.
[NGFW Module_A] interface Eth-Trunk 1
[NGFW Module_A-Eth-Trunk1] description To-master-trunk101
[NGFW Module_A-Eth-Trunk1] portswitch
[NGFW Module_A-Eth-Trunk1] port link-type trunk
[NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_A-Eth-Trunk1] quit
# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.
NOTE:
A physical interface can be added to an Eth-Trunk only when it is in its default state (a Layer 3 interface with no configuration). For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to the Eth-Trunk.
[NGFW Module_A] interface GigabitEthernet 1/0/0
[NGFW Module_A-GigabitEthernet1/0/0] portswitch
[NGFW Module_A-GigabitEthernet1/0/0] port link-type access
[NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/0] quit
[NGFW Module_A] interface GigabitEthernet 1/0/1
[NGFW Module_A-GigabitEthernet1/0/1] portswitch
[NGFW Module_A-GigabitEthernet1/0/1] port link-type access
[NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/1] quit
# Create an interface pair on NGFW Module_A with Eth-Trunk 1 as both the inbound and the outbound interface. The switch redirects traffic into the module and receives it back on the same Eth-Trunk, so one pair is enough.
[NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1
# Create Eth-Trunk 0 as the heartbeat interface on NGFW Module_A, assign its IP address, and add the two panel interfaces GE0/0/1 and GE0/0/2 to it.
[NGFW Module_A] interface Eth-Trunk 0
[NGFW Module_A-Eth-Trunk0] description hrp-interface
[NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
[NGFW Module_A-Eth-Trunk0] quit
[NGFW Module_A] interface GigabitEthernet 0/0/1
[NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/1] quit
[NGFW Module_A] interface GigabitEthernet 0/0/2
[NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/2] quit
# Add the interfaces on NGFW Module_A to security zones: Eth-Trunk 1 to the trust zone and Eth-Trunk 0 to a dedicated hrp zone, so that heartbeat traffic is kept apart from the data path.
[NGFW Module_A] firewall zone trust
[NGFW Module_A-zone-trust] set priority 85
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1
[NGFW Module_A-zone-trust] quit
[NGFW Module_A] firewall zone name hrp
[NGFW Module_A-zone-hrp] set priority 75
[NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_A-zone-hrp] quit
# Log in to the CLI of NGFW Module_B from Switch_B.
<sysname> connect slot 4
# Set the device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname NGFW Module_B
# Create VLANs on NGFW Module_B.
[NGFW Module_B] vlan batch 100 to 126 300 2001
# Create Layer 2 Eth-Trunk 1 on NGFW Module_B and allow the packets from upstream and downstream VLANs to pass.
[NGFW Module_B] interface Eth-Trunk 1
[NGFW Module_B-Eth-Trunk1] description To-master-trunk101
[NGFW Module_B-Eth-Trunk1] portswitch
[NGFW Module_B-Eth-Trunk1] port link-type trunk
[NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_B-Eth-Trunk1] quit
# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.
[NGFW Module_B] interface GigabitEthernet 1/0/0
[NGFW Module_B-GigabitEthernet1/0/0] portswitch
[NGFW Module_B-GigabitEthernet1/0/0] port link-type access
[NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/0] quit
[NGFW Module_B] interface GigabitEthernet 1/0/1
[NGFW Module_B-GigabitEthernet1/0/1] portswitch
[NGFW Module_B-GigabitEthernet1/0/1] port link-type access
[NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/1] quit
# Create the interface pair on NGFW Module_B with Eth-Trunk 1 as both interfaces, as on NGFW Module_A.
[NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1
# Create Eth-Trunk 0 as the heartbeat interface on NGFW Module_B, assign its IP address, and add the two panel interfaces GE0/0/1 and GE0/0/2 to it.
[NGFW Module_B] interface Eth-Trunk 0
[NGFW Module_B-Eth-Trunk0] description hrp-interface
[NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
[NGFW Module_B-Eth-Trunk0] quit
[NGFW Module_B] interface GigabitEthernet 0/0/1
[NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/1] quit
[NGFW Module_B] interface GigabitEthernet 0/0/2
[NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/2] quit
# Add the interfaces on NGFW Module_B to security zones: Eth-Trunk 1 to the trust zone and Eth-Trunk 0 to the hrp zone.
[NGFW Module_B] firewall zone trust
[NGFW Module_B-zone-trust] set priority 85
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1
[NGFW Module_B-zone-trust] quit
[NGFW Module_B] firewall zone name hrp
[NGFW Module_B-zone-hrp] set priority 75
[NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_B-zone-hrp] quit
- Configure hot standby for NGFW modules.
# On NGFW Module_A, enable session fast backup, specify the heartbeat interface, set load balancing mode, and enable hot standby.
[NGFW Module_A] hrp mirror session enable
[NGFW Module_A] hrp interface Eth-Trunk 0
[NGFW Module_A] hrp loadbalance-device
[NGFW Module_A] hrp enable
# Configure NGFW Module_B in the same way.
[NGFW Module_B] hrp mirror session enable
[NGFW Module_B] hrp interface Eth-Trunk 0
[NGFW Module_B] hrp loadbalance-device
[NGFW Module_B] hrp enable
In load balancing mode both modules forward traffic, and the Eth-Trunk hash on the switch decides which module a given flow reaches. Session fast backup (hrp mirror session enable) copies each session to the peer as soon as it is created, so a flow whose return direction is hashed to the other module still matches an existing session instead of failing the stateful check.
- Configure the security service on the NGFW modules.
After hot standby is configured, the configuration and sessions on the HRP master are automatically synchronized to the peer (the HRP_M prompt shows that commands are issued on the master), so the security service only needs to be configured on NGFW Module_A.
# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and to apply the default IPS profile to them.
HRP_M[NGFW Module_A] security-policy
HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16 //Subnet where clients and servers reside
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29 //Subnet of the extranet
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
HRP_M[NGFW Module_A-policy-security] quit
This single rule permits any destination and any service from the listed source subnets and relies on the default IPS profile alone; it is the minimum needed to bring the data path up. In a deployment, split it into rules with explicit destination addresses and services per flow class (client to server, client to extranet, extranet to server) so that the firewall enforces the intended segmentation rather than only inspecting.
- Configure interfaces on IPS modules and set basic parameters.
The IPS modules are configured through the web UI. Apart from the heartbeat interface address, the configuration of the two IPS modules is identical, so only one module is shown below.
- Log in to the web UI through an Ethernet interface.
- Set up a physical connection between the management PC and the IPS module.
- Open the browser on the management PC and access https://192.168.0.1:8443.
- Enter the default user name admin and password Admin@123 of the system administrator and click Login.
- Change the password, click OK, and enter the web system. Do not keep the default credentials on a security module: its management interface is a high-value target.
- Choose Network > Interface, open interface GE1/0/0 for editing, and set its connection type to access.
- Open interface GE1/0/1 for editing and set its connection type to access.
- Click Add and configure Eth-Trunk 1 with GE1/0/0 and GE1/0/1 as member interfaces. This Eth-Trunk faces Eth-Trunk 100 on the switch cluster.
- Choose Network > Interface Pair, click Add, and configure an interface pair with Eth-Trunk 1 as both the inbound and the outbound interface, matching the pair-interface configuration on the NGFW modules.
- Choose Network > Interface, click Add, and bundle GE0/0/1 and GE0/0/2 into Eth-Trunk 0 as the heartbeat interface and backup channel. Assign 192.168.213.5/30 on IPS Module_A and 192.168.213.6/30 on IPS Module_B (Table 1-34).
NOTE:
- The IP addresses of the heartbeat interfaces on the two IPS modules must be in the same network segment.
- The Eth-Trunk member interfaces on the two IPS modules must be the same.
- Choose System > Dual-System Hot Backup, click Edit, and configure hot standby with Eth-Trunk 0 as the heartbeat interface in load balancing mode, matching the NGFW modules.
- Configure the IPS security service, for example, antivirus.
After hot standby is configured, the configuration and sessions on the active device are automatically synchronized to the standby device, so the antivirus profiles and the security policies below only need to be configured on IPS Module_A.
- Choose Object > Security Profiles > Anti-Virus.
- Click Add and set the parameters as follows:
- Click OK.
- Repeat the previous steps to create the AV_ftp profile.
- Configure a security policy for the outbound direction (from internal clients to external servers).
- Configure the security policy in the direction from the external network to the internal servers, using the same method as for the outbound policy, with the following parameters:

Item | Value |
---|---|
Name | policy_av_2 |
Description | Intranet-Server |
Interface Pair | Eth-Trunk1<-Eth-Trunk1 (select from the drop-down list) |
Action | permit |
Content Security: Anti-Virus | AV_ftp |
- Configure the two S12700s as a cluster.
Connect cluster cables. For details, see Switch Cluster Setup Guide.
Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.
# Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] set css priority 100
# Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] set css id 2
[Switch_B] set css priority 10
# Check the cluster configuration.
Run the display css status saved command to check whether the configurations are as expected.
Check the cluster configuration on Switch_A.
[Switch_A] display css status saved
 Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
 ------------------------------------------------------------------------------
 1            1          Off          CSS card   100        Off
Check the cluster configuration on Switch_B.
[Switch_B] display css status saved
 Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
 ------------------------------------------------------------------------------
 1            2          Off          CSS card   10         Off
Enable the cluster function.
# Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.
[Switch_A] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
# Enable the cluster function on Switch_B and restart Switch_B.
[Switch_B] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
Check whether the cluster is set up successfully.
# View the indicator status.
The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.
The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.
# Log in to the cluster through the console port on any MPU to check the cluster status.
[Switch_A] display css status
CSS Enable switch On
 Chassis Id   CSS Enable   CSS Status   CSS Mode   Priority   Master Force
 ------------------------------------------------------------------------------
 1            On           Master       CSS card   100        Off
 2            On           Standby      CSS card   10         Off
The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.
# Check whether cluster links work normally.
[Switch_A] display css channel
The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.
Set the cluster system name to CSS.
[Switch_A] sysname CSS
[CSS]
- Configure the interfaces and VLAN IDs on switches.
- Create VLANs.
[CSS] vlan batch 100 to 126 128 300 2001
- Configure upstream and downstream interfaces.
[CSS] interface GigabitEthernet 1/6/0/36 //Connected to servers
[CSS-GigabitEthernet1/6/0/36] port link-type trunk
[CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0 //Connected to extranet
[CSS-GigabitEthernet2/3/0/0] port link-type trunk
[CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36 //Connected to clients
[CSS-GigabitEthernet2/3/0/36] port link-type trunk
[CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
[CSS-GigabitEthernet2/3/0/36] quit
- Configure VLANIF interfaces. Only three representative client VLANs (101, 102, and 126) are shown; configure VLANIF 103 to 125 in the same way, following the address plan in Table 1-34.
[CSS] interface vlanif 2001
[CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
[CSS-Vlanif2001] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
[CSS-Vlanif100] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
[CSS-Vlanif300] quit
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
[CSS-Vlanif102] quit
[CSS] interface vlanif 126
[CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
[CSS-Vlanif126] quit
- Add the four interfaces connected to the NGFW modules to Eth-Trunk 101 and the four interfaces connected to the IPS modules to Eth-Trunk 100. The modules are transparent and hand each packet back on the same Eth-Trunk with its source MAC address unchanged, so MAC address learning is disabled on both Eth-Trunks (otherwise host MAC addresses would flap between the access ports and the module trunks) and STP is disabled on them (otherwise the switch's own BPDUs would return through the interface pair and STP would block the trunk).
[CSS] interface eth-trunk 101
[CSS-Eth-Trunk101] description to-ngfw
[CSS-Eth-Trunk101] port link-type trunk
[CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
[CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
[CSS-Eth-Trunk101] mac-address learning disable
[CSS-Eth-Trunk101] stp disable
[CSS-Eth-Trunk101] quit
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] description to-ips
[CSS-Eth-Trunk100] port link-type trunk
[CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
[CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
[CSS-Eth-Trunk100] mac-address learning disable
[CSS-Eth-Trunk100] stp disable
[CSS-Eth-Trunk100] quit
- Set the load balancing mode on the Eth-Trunks. The profile hashes on source and destination IP address only, so every packet with the same address pair takes the same member link and therefore reaches the same module; the return direction of a flow may hash to the other module, which is why session fast backup was enabled on the modules.
[CSS] load-balance-profile sec
[CSS-load-balance-profile-sec] ipv4 field sip dip
[CSS-load-balance-profile-sec] quit
[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] load-balance enhanced profile sec
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] load-balance enhanced profile sec
[CSS-Eth-Trunk100] quit
- Configure port isolation between the two module-facing Eth-Trunks. Both trunks are placed in the same isolation group, so a frame received from one module is never switched directly to the other module at Layer 2.
[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] port-isolate enable group 1
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] port-isolate enable group 1
[CSS-Eth-Trunk100] quit
- Configure unidirectional isolation from the upstream and downstream interfaces to the Eth-Trunks. Frames received on the server, extranet, and client ports are isolated from Eth-Trunk 101 and Eth-Trunk 100, so they can reach the modules only through the explicit redirection of the traffic policies below, never through ordinary Layer 2 forwarding or flooding.
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/36] quit
- Configure traffic policies and bind them to interfaces to implement redirection.
# Create ACLs. Only the three representative client subnets (VLANs 101, 102, and 126) are listed. In a deployment, add a rule for every client subnet to ACLs 3010, 3011, and 3012: a flow that matches no ACL is not redirected and is forwarded without passing through the modules.
[CSS] acl 3010 //Match the flows sent from clients
[CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
[CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
[CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
[CSS-acl-adv-3010] quit
[CSS] acl 3011 //Match the flows destined for clients
[CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3011] quit
[CSS] acl 3020 //Match the flows sent from servers
[CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
[CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
[CSS-acl-adv-3020] quit
[CSS] acl 3021 //Match the flows destined for servers
[CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3021] quit
[CSS] acl 3012 //Match inter-client flows within a subnet
[CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3012] quit
[CSS] acl 3022 //Match inter-server flows within a subnet
[CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3022] quit
# Configure traffic classifiers. Because the traffic policies below use match-order config, the precedence values set here do not decide the matching order; the order in which the classifiers are bound in each policy does.
[CSS] traffic classifier from-office operator or precedence 80
[CSS-classifier-from-office] if-match acl 3010
[CSS-classifier-from-office] quit
[CSS] traffic classifier to-office operator or precedence 85
[CSS-classifier-to-office] if-match acl 3011
[CSS-classifier-to-office] quit
[CSS] traffic classifier from-server operator or precedence 75
[CSS-classifier-from-server] if-match acl 3020
[CSS-classifier-from-server] quit
[CSS] traffic classifier to-server operator or precedence 60
[CSS-classifier-to-server] if-match acl 3021
[CSS-classifier-to-server] quit
[CSS] traffic classifier office-office operator or precedence 40
[CSS-classifier-office-office] if-match acl 3012
[CSS-classifier-office-office] quit
[CSS] traffic classifier server-server operator or precedence 65
[CSS-classifier-server-server] if-match acl 3022
[CSS-classifier-server-server] quit
# Configure traffic behaviors.
[CSS] traffic behavior behavior1
[CSS-behavior-behavior1] permit
[CSS-behavior-behavior1] quit
[CSS] traffic behavior to-eth-trunk100
[CSS-behavior-to-eth-trunk100] permit
[CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100
[CSS-behavior-to-eth-trunk100] quit
[CSS] traffic behavior to-eth-trunk101
[CSS-behavior-to-eth-trunk101] permit
[CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101
[CSS-behavior-to-eth-trunk101] quit
# Create traffic policies and bind them to interfaces. With match-order config, the first classifier bound in a policy that matches a packet wins, so the intra-subnet classifiers (office-office, server-server) are bound first to let those flows through without redirection. Packets returned by the IPS module arrive on Eth-Trunk 100 and are redirected to the NGFW module by the policy bound there; packets returned by the NGFW module arrive on Eth-Trunk 101, which has no policy, and are forwarded normally.
[CSS] traffic policy ips-to-fw match-order config
[CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound //Redirect the flows returned by the IPS module to the NGFW module
[CSS-Eth-Trunk100] quit
[CSS] traffic policy internet-in match-order config
[CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
[CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100 //Redirect the flows from extranet to servers to the IPS module
[CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101 //Redirect the flows from extranet to clients to the NGFW module
[CSS-trafficpolicy-internet-in] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] traffic policy office-out match-order config
[CSS-trafficpolicy-office-out] classifier office-office behavior behavior1 //Do not redirect the inter-client flows within a subnet
[CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100 //Redirect the flows from clients to servers to the IPS module
[CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101 //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
[CSS-trafficpolicy-office-out] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
[CSS-GigabitEthernet2/3/0/36] quit
[CSS] traffic policy server-out match-order config
[CSS-trafficpolicy-server-out] classifier server-server behavior behavior1 //Do not redirect the inter-server flows within a subnet
[CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100 //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
[CSS-trafficpolicy-server-out] quit
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
[CSS-GigabitEthernet1/6/0/36] quit
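The decision logic of the four traffic policies is easy to get subtly wrong (a classifier bound in the wrong order, a client subnet missing from an ACL) and it cannot be unit-tested on the chassis. The following Python script is an added illustration written for this page; it is not Huawei code and does not talk to the switch. It models the ACLs, classifiers, behaviors, inbound bindings and match-order config semantics exactly as configured above, traces which modules a packet traverses (a module hands the packet back on the same Eth-Trunk through its interface pair, where that trunk's inbound policy applies next), and checks the three customer requirements. Host addresses such as 10.55.1.10 and 10.54.1.250 are constructed for the demonstration. It also exposes the coverage gap of the sample ACLs: they list only the three representative client subnets (VLANs 101, 102 and 126), so a client in any other client VLAN that talks to a different client subnet or to the extranet is forwarded without passing the NGFW.

```python
import ipaddress

# ACLs exactly as configured on the CSS: (source prefix, destination prefix); None means "any".
ACLS = {
    3010: [("10.55.1.0/24", None), ("10.55.2.0/24", None), ("10.55.26.0/24", None)],   # from clients
    3011: [(None, "10.55.1.0/24"), (None, "10.55.2.0/24"), (None, "10.55.26.0/24")],   # to clients
    3020: [("10.55.0.0/24", None), ("10.55.200.0/24", None)],                           # from servers
    3021: [(None, "10.55.0.0/24"), (None, "10.55.200.0/24")],                           # to servers
    3012: [("10.55.1.0/24", "10.55.1.0/24"), ("10.55.2.0/24", "10.55.2.0/24"),
           ("10.55.26.0/24", "10.55.26.0/24")],                                         # intra-subnet client flows
    3022: [("10.55.0.0/24", "10.55.0.0/24"), ("10.55.200.0/24", "10.55.200.0/24")],     # intra-subnet server flows
}
CLASSIFIERS = {"from-office": 3010, "to-office": 3011, "from-server": 3020,
               "to-server": 3021, "office-office": 3012, "server-server": 3022}
# Traffic behaviors: the Eth-Trunk a matching packet is redirected to, or None for a plain permit.
BEHAVIORS = {"behavior1": None, "to-eth-trunk100": "Eth-Trunk100", "to-eth-trunk101": "Eth-Trunk101"}
# Traffic policies (match-order config): classifier/behavior pairs in the order they were bound.
POLICIES = {
    "ips-to-fw":   [("to-server", "to-eth-trunk101"), ("from-server", "to-eth-trunk101")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk101")],
    "office-out":  [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("from-office", "to-eth-trunk101")],
    "server-out":  [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}
# Inbound policy bindings. Eth-Trunk101 has none: packets coming back from the NGFW are forwarded normally.
INBOUND = {"GigabitEthernet2/3/0/0": "internet-in",   # extranet port
           "GigabitEthernet2/3/0/36": "office-out",   # client port
           "GigabitEthernet1/6/0/36": "server-out",   # server port
           "Eth-Trunk100": "ips-to-fw"}               # packets handed back by the IPS
MODULE_ON = {"Eth-Trunk100": "IPS", "Eth-Trunk101": "NGFW"}


def _in(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def acl_permits(acl_id, src, dst):
    """True if any rule of the ACL matches the source/destination pair."""
    return any(_in(src, s) and _in(dst, d) for s, d in ACLS[acl_id])


def apply_policy(policy, src, dst):
    """Redirect target of the first matching classifier (match-order config), or None."""
    for classifier, behavior in POLICIES[policy]:
        if acl_permits(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return None


def trace(ingress, src, dst):
    """Modules a packet traverses, following each redirect. The transparent module hands the
    packet back on the same Eth-Trunk, so that trunk's inbound policy is evaluated next."""
    path, port = [], ingress
    while port in INBOUND:
        target = apply_policy(INBOUND[port], src, dst)
        if target is None:
            break
        path.append(MODULE_ON[target])
        port = target
    return path


def uncovered_client_subnets():
    """Client subnets of the data plan (VLAN 101 to 126) that ACL 3010 never matches."""
    return [f"10.55.{n}.0/24" for n in range(1, 27)
            if not acl_permits(3010, f"10.55.{n}.10", "10.55.0.1")]


if __name__ == "__main__":
    # Host addresses below are constructed for the demonstration.
    for ingress, src, dst in [("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.10"),
                              ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.54.1.250"),
                              ("GigabitEthernet2/3/0/36", "10.55.3.10", "10.55.2.10")]:
        print(f"{src} -> {dst}: {trace(ingress, src, dst) or ['forwarded without inspection']}")
    print("client subnets never matched by ACL 3010:", uncovered_client_subnets())
```

Run the script directly to print a few traces and the list of client subnets the ACLs miss. Before applying the policies on a real cluster, extend ACLs 3010, 3011 and 3012 with one rule per client subnet (or a summary route that excludes the server subnets) and re-run the trace for every flow class the customer requirements name.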
- Verify the configuration.
# Check the configuration of S12700 cluster.
[CSS] display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub  Type          Online   Power    Register    Status   Role
----------------------------------------------------------------------
4     -    ET1D2FW00S00  Present  PowerOn  Registered  Normal   NA
5     -    ET1D2IPS0S00  Present  PowerOn  Registered  Normal   NA
6     -    ET1D2G48SX1E  Present  PowerOn  Registered  Normal   NA
7     -    ET1D2X48SEC0  Present  PowerOn  Registered  Normal   NA
9     -    ET1D2MPUA000  Present  PowerOn  Registered  Normal   Master
10    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal   Slave
12    -    ET1D2SFUD000  Present  PowerOn  Registered  Normal   NA
      1    EH1D2VS08000  Present  PowerOn  Registered  Normal   NA
PWR1  -    -             Present  PowerOn  Registered  Normal   NA
CMU1  -    EH1D200CMU00  Present  PowerOn  Registered  Normal   Slave
CMU2  -    EH1D200CMU00  Present  PowerOn  Registered  Normal   Master
FAN1  -    -             Present  PowerOn  Registered  Normal   NA
FAN2  -    -             Present  PowerOn  Registered  Normal   NA
FAN3  -    -             Present  PowerOn  Registered  Normal   NA
FAN4  -    -             Present  PowerOn  Registered  Normal   NA
Chassis 2 (Standby Switch)
S12712's Device status:
Slot  Sub  Type          Online   Power    Register    Status   Role
----------------------------------------------------------------------
3     -    ET1D2G48SX1E  Present  PowerOn  Registered  Normal   NA
4     -    ET1D2FW00S00  Present  PowerOn  Registered  Normal   NA
5     -    ET1D2IPS0S00  Present  PowerOn  Registered  Normal   NA
7     -    ET1D2X48SEC0  Present  PowerOn  Registered  Normal   NA
13    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal   Master
14    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal   Slave
18    -    ET1D2SFUD000  Present  PowerOn  Registered  Normal   NA
      1    EH1D2VS08000  Present  PowerOn  Registered  Normal   NA
PWR1  -    -             Present  PowerOn  Registered  Normal   NA
PWR2  -    -             Present  PowerOn  Registered  Normal   NA
CMU2  -    EH1D200CMU00  Present  PowerOn  Registered  Normal   Master
FAN1  -    -             Present  PowerOn  Registered  Normal   NA
FAN2  -    -             Present  PowerOn  Registered  Normal   NA
FAN3  -    -             Present  PowerOn  Registered  Normal   NA
FAN4  -    -             Present  PowerOn  Registered  Normal   NA
FAN5  -    -             Present  PowerOn  Registered  Normal   NA
In each chassis, slot 4 (ET1D2FW00S00) is the NGFW module and slot 5 (ET1D2IPS0S00) is the IPS module; both are Registered and Normal.
# Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.
[IPS Module] display interface brief | include up
2016/5/31 10:49
PHY: Physical
*down: administratively down
^down: standby
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY  Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  up   up        0.01%  0.01%   0         0
GigabitEthernet0/0/1        up   up        0.01%  0.01%   0         0
GigabitEthernet0/0/2        up   up        0%     0%      0         0
Eth-Trunk1                  up   up        0.01%  0.01%   0         0
GigabitEthernet1/0/0(XGE)   up   up        0.01%  0.01%   0         0
GigabitEthernet1/0/1(XGE)   up   up        0%     0%      0         0
NULL0                       up   up(s)     0%     0%      0         0
[NGFW Module_B] display interface brief | include up
10:56:34 2016/05/31
PHY: Physical
*down: administratively down
^down: standby
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY  Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  up   up        0.01%  0.01%   0         0
GigabitEthernet0/0/1        up   up        0.01%  0.01%   0         0
GigabitEthernet0/0/2        up   up        0%     0.01%   0         0
Eth-Trunk1                  up   up        0.01%  0.01%   0         0
GigabitEthernet1/0/0(XGE)   up   up        0.01%  0.01%   0         0
GigabitEthernet1/0/1(XGE)   up   up        0%     0%      0         0
NULL0                       up   up(s)     0%     0%      0         0
# Check traffic statistics on interfaces.
- The traffic statistics between clients and servers are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up       0.15%  0.15%          0          0
XGigabitEthernet1/5/0/0     up    up       0.60%     0%          0          0
XGigabitEthernet1/5/0/1     up    up          0%  0.60%          0          0
XGigabitEthernet2/5/0/0     up    up          0%     0%          0          0
XGigabitEthernet2/5/0/1     up    up          0%     0%          0          0
Eth-Trunk101                up    up       0.15%  0.15%          0          0
XGigabitEthernet1/4/0/0     up    up       0.60%     0%          0          0
XGigabitEthernet1/4/0/1     up    up          0%  0.60%          0          0
XGigabitEthernet2/4/0/0     up    up          0%     0%          0          0
XGigabitEthernet2/4/0/1     up    up          0%     0%          0          0
Ethernet0/0/0/0             up    up       0.02%  0.01%          0          0
GigabitEthernet1/6/0/36     up    up       5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up       5.00%  5.00%          0          0
NULL0                       up    up(s)       0%     0%          0          0
Vlanif100                   up    up          --     --          0          0
Vlanif101                   up    up          --     --          0          0
Vlanif102                   up    up          --     --          0          0
Vlanif126                   up    up          --     --          0          0
Vlanif128                   up    up          --     --          0          0
Vlanif300                   up    up          --     --          0          0
Vlanif2001                  up    up          --     --          0          0
```
- The traffic statistics between clients and the extranet are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up          0%     0%          0          0
XGigabitEthernet1/5/0/0     up    up          0%     0%          0          0
XGigabitEthernet1/5/0/1     up    up          0%     0%          0          0
XGigabitEthernet2/5/0/0     up    up          0%     0%          0          0
XGigabitEthernet2/5/0/1     up    up          0%     0%          0          0
Eth-Trunk101                up    up       0.12%  0.12%          0          0
XGigabitEthernet1/4/0/0     up    up          0%     0%          0          0
XGigabitEthernet1/4/0/1     up    up          0%     0%          0          0
XGigabitEthernet2/4/0/0     up    up          0%  0.33%          0          0
XGigabitEthernet2/4/0/1     up    up       0.50%  0.17%          0          0
Ethernet0/0/0/0             up    up       0.02%  0.01%          0          0
GigabitEthernet2/3/0/0      up    up       5.00%  5.00%          0          0
GigabitEthernet2/3/0/36     up    up       5.00%  5.00%          0          0
NULL0                       up    up(s)       0%     0%          0          0
Vlanif100                   up    up          --     --          0          0
Vlanif101                   up    up          --     --          0          0
Vlanif102                   up    up          --     --          0          0
Vlanif126                   up    up          --     --          0          0
Vlanif300                   up    up          --     --          0          0
Vlanif2001                  up    up          --     --          0          0
```
- The traffic statistics between servers and the extranet are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk100                up    up       0.13%  0.13%          0          0
XGigabitEthernet1/5/0/0     up    up       0.50%  0.50%          0          0
XGigabitEthernet1/5/0/1     up    up          0%     0%          0          0
XGigabitEthernet2/5/0/0     up    up          0%     0%          0          0
XGigabitEthernet2/5/0/1     up    up          0%     0%          0          0
Eth-Trunk101                up    up       0.13%  0.13%          0          0
XGigabitEthernet1/4/0/0     up    up       0.50%  0.50%          0          0
XGigabitEthernet1/4/0/1     up    up          0%     0%          0          0
XGigabitEthernet2/4/0/0     up    up          0%     0%          0          0
XGigabitEthernet2/4/0/1     up    up          0%     0%          0          0
Ethernet0/0/0/0             up    up       0.02%  0.01%          0          0
GigabitEthernet1/6/0/36     up    up       5.00%  5.00%          0          0
GigabitEthernet2/3/0/0      up    up       5.00%  5.00%          0          0
NULL0                       up    up(s)       0%     0%          0          0
Vlanif100                   up    up          --     --          0          0
Vlanif101                   up    up          --     --          0          0
Vlanif102                   up    up          --     --          0          0
Vlanif126                   up    up          --     --          0          0
Vlanif300                   up    up          --     --          0          0
Vlanif2001                  up    up          --     --          0          0
```
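The Eth-Trunk check and the traffic-statistics check above both rely on reading the `display interface brief` table by eye. The following Python script is an added example written for this page (it is not Huawei code and not part of the original documentation): it parses the table shape shown in the outputs above and reports any Eth-Trunk or member interface that is not up/up or that carries error counters. The sample output is constructed to mimic the IPS module output; the protocol-down state and the outErrors value on GigabitEthernet1/0/1 are made up so the check has something to report. The Eth-Trunk membership is taken from the module configuration files in this example.

```python
import re

# Constructed sample modelled on "display interface brief | include up" as shown
# on an IPS/NGFW module. The down protocol state and the 12 outErrors on
# GigabitEthernet1/0/1 are invented to demonstrate a failing check.
SAMPLE_BRIEF = """\
[IPS Module] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
Eth-Trunk0                  up    up       0.01%  0.01%          0          0
GigabitEthernet0/0/1        up    up       0.01%  0.01%          0          0
GigabitEthernet0/0/2        up    up          0%     0%          0          0
Eth-Trunk1                  up    up       0.01%  0.01%          0          0
GigabitEthernet1/0/0(XGE)   up    up       0.01%  0.01%          0          0
GigabitEthernet1/0/1(XGE)   up    down        0%     0%          0         12
NULL0                       up    up(s)       0%     0%          0          0
"""

# Eth-Trunk membership as configured on the IPS and NGFW modules in this example
# (GE0/0/1 + GE0/0/2 form the heartbeat trunk, GE1/0/0 + GE1/0/1 the service trunk).
MODULE_TRUNKS = {
    "Eth-Trunk0": ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"],
    "Eth-Trunk1": ["GigabitEthernet1/0/0", "GigabitEthernet1/0/1"],
}

# One table row: name, PHY, protocol, InUti, OutUti, inErrors, outErrors.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_interface_brief(text):
    """Return {interface name: {phy, protocol, in_errors, out_errors}}."""
    records = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Interface"):      # header row starts the table
            in_table = True
            continue
        if not in_table:
            continue                          # legend lines and the prompt
        m = ROW.match(line)
        if not m:
            continue
        name = re.sub(r"\(.*\)$", "", m.group(1))   # drop a "(XGE)" style suffix
        records[name] = {
            "phy": m.group(2),
            "protocol": m.group(3),
            "in_errors": int(m.group(6)),
            "out_errors": int(m.group(7)),
        }
    return records


def check_eth_trunks(records, trunks):
    """List every trunk or member that is not up/up or shows error counters."""
    problems = []
    for trunk, members in trunks.items():
        for name in [trunk] + members:
            rec = records.get(name)
            if rec is None:
                # With "| include up" a down interface is filtered out entirely.
                problems.append(f"{name}: missing from output (down or filtered out)")
                continue
            if rec["phy"] != "up" or not rec["protocol"].startswith("up"):
                problems.append(f"{name}: PHY {rec['phy']}, protocol {rec['protocol']}")
            if rec["in_errors"] or rec["out_errors"]:
                problems.append(
                    f"{name}: inErrors={rec['in_errors']} outErrors={rec['out_errors']}")
    return problems


if __name__ == "__main__":
    for problem in check_eth_trunks(parse_interface_brief(SAMPLE_BRIEF), MODULE_TRUNKS):
        print(problem)
```

Paste real output in place of the constructed sample; because the page's commands use `| include up`, a member that has gone down disappears from the output rather than showing `down`, which is why the script treats a missing member as a problem instead of silently passing.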
Configuration Files
NGFW module configuration files
NGFW Module_A
```
#
sysname NGFW Module_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.1 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk101
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
return
```
NGFW Module_B
```
#
sysname NGFW Module_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.2 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk101
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
return
```
IPS module configuration files
IPS Module_A
```
#
sysname IPS Module_A
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3
 description http-pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Netease_Webmail action allow
 exception av-signature-id 1000
profile type av name AV_ftp
 description ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return
```
IPS Module_B
```
#
sysname IPS Module_B
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.6 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3
 description http-pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Netease_Webmail action allow
 exception av-signature-id 1000
profile type av name AV_ftp
 description ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return
```
CSS configuration file
```
#
sysname CSS
#
vlan batch 100 to 126 128 300 2001
#
acl number 3010
 rule 5 permit ip source 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3011
 rule 5 permit ip destination 10.55.1.0 0.0.0.255
 rule 10 permit ip destination 10.55.2.0 0.0.0.255
 rule 15 permit ip destination 10.55.26.0 0.0.0.255
acl number 3012
 rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3020
 rule 5 permit ip source 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255
acl number 3021
 rule 5 permit ip destination 10.55.0.0 0.0.0.255
 rule 10 permit ip destination 10.55.200.0 0.0.0.255
acl number 3022
 rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
#
traffic classifier office-office operator or precedence 40
 if-match acl 3012
traffic classifier from-office operator or precedence 80
 if-match acl 3010
traffic classifier from-server operator or precedence 75
 if-match acl 3020
traffic classifier server-server operator or precedence 65
 if-match acl 3022
traffic classifier to-office operator or precedence 85
 if-match acl 3011
traffic classifier to-server operator or precedence 60
 if-match acl 3021
#
traffic behavior behavior1
 permit
traffic behavior to-eth-trunk100
 permit
 redirect interface Eth-Trunk100
traffic behavior to-eth-trunk101
 permit
 redirect interface Eth-Trunk101
#
traffic policy office-out match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier from-office behavior to-eth-trunk101
traffic policy internet-in match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier to-office behavior to-eth-trunk101
traffic policy ips-to-fw match-order config
 classifier to-server behavior to-eth-trunk101
 classifier from-server behavior to-eth-trunk101
traffic policy server-out match-order config
 classifier server-server behavior behavior1
 classifier from-server behavior to-eth-trunk100
#
interface Vlanif100
 ip address 10.55.0.1 255.255.255.0
#
interface Vlanif101
 ip address 10.55.1.1 255.255.255.0
#
interface Vlanif102
 ip address 10.55.2.1 255.255.255.0
#
interface Vlanif300
 ip address 10.55.200.1 255.255.255.0
#
interface Vlanif2001
 ip address 10.54.1.253 255.255.255.248
#
load-balance-profile sec
#
interface Eth-Trunk100
 description to-ips
 port link-type trunk
 mac-address learning disable
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 126 300 2001
 stp disable
 traffic-policy ips-to-fw inbound
 load-balance enhanced profile sec
 port-isolate enable group 1
#
interface Eth-Trunk101
 description to-ngfw
 port link-type trunk
 mac-address learning disable
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 126 300 2001
 stp disable
 load-balance enhanced profile sec
 port-isolate enable group 1
#
interface GigabitEthernet1/6/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 300
 traffic-policy server-out inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2001
 traffic-policy internet-in inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 126
 traffic-policy office-out inbound
 am isolate Eth-Trunk101 Eth-Trunk100
#
interface XGigabitEthernet1/4/0/0
 eth-trunk 101
#
interface XGigabitEthernet1/4/0/1
 eth-trunk 101
#
interface XGigabitEthernet1/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet1/5/0/1
 eth-trunk 100
#
interface XGigabitEthernet2/4/0/0
 eth-trunk 101
#
interface XGigabitEthernet2/4/0/1
 eth-trunk 101
#
interface XGigabitEthernet2/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet2/5/0/1
 eth-trunk 100
#
return
```
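The redirection scheme in the CSS configuration file is easy to misread because a single flow is classified more than once: first on the ingress port, then again when it comes back from the IPS module on Eth-Trunk100. The Python model below is an added example written for this page (not Huawei code and not part of the original documentation). It reproduces the ACLs, traffic classifiers, behaviors, traffic policies and per-interface policy bindings from the configuration file above and traces which modules a given flow passes through before normal forwarding. The switch semantics it assumes are: with `match-order config` the classifiers of a policy are tried in the listed order and the first match decides; a module returns packets on the same Eth-Trunk it received them on; and Eth-Trunk101 has no inbound policy, so traffic returning from the NGFW is forwarded normally.

```python
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for an unspecified source or destination in an ACL rule

# ACL rules from the CSS configuration file: (source network, destination network).
ACLS = {
    3010: [("10.55.1.0/24", ANY), ("10.55.2.0/24", ANY), ("10.55.26.0/24", ANY)],
    3011: [(ANY, "10.55.1.0/24"), (ANY, "10.55.2.0/24"), (ANY, "10.55.26.0/24")],
    3012: [("10.55.1.0/24", "10.55.1.0/24"), ("10.55.2.0/24", "10.55.2.0/24"),
           ("10.55.26.0/24", "10.55.26.0/24")],
    3020: [("10.55.0.0/24", ANY), ("10.55.200.0/24", ANY)],
    3021: [(ANY, "10.55.0.0/24"), (ANY, "10.55.200.0/24")],
    3022: [("10.55.0.0/24", "10.55.0.0/24"), ("10.55.200.0/24", "10.55.200.0/24")],
}

# traffic classifier <name> -> if-match acl <number>
CLASSIFIERS = {"office-office": 3012, "from-office": 3010, "from-server": 3020,
               "server-server": 3022, "to-office": 3011, "to-server": 3021}

# traffic behavior <name> -> what happens to the packet
BEHAVIORS = {"behavior1": "forward",            # permit, normal forwarding
             "to-eth-trunk100": "Eth-Trunk100",  # redirect to the IPS trunk
             "to-eth-trunk101": "Eth-Trunk101"}  # redirect to the NGFW trunk

# traffic policy <name> match-order config: (classifier, behavior) in listed order
POLICIES = {
    "office-out": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                   ("from-office", "to-eth-trunk101")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk101")],
    "ips-to-fw": [("to-server", "to-eth-trunk101"), ("from-server", "to-eth-trunk101")],
    "server-out": [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}

# traffic-policy <name> inbound, per interface on the CSS
INBOUND_POLICY = {
    "GigabitEthernet2/3/0/36": "office-out",   # client-facing port
    "GigabitEthernet2/3/0/0": "internet-in",   # extranet-facing port
    "GigabitEthernet1/6/0/36": "server-out",   # server-facing port
    "Eth-Trunk100": "ips-to-fw",               # traffic returning from the IPS
    "Eth-Trunk101": None,                      # traffic returning from the NGFW: no policy
}

MODULE_ON = {"Eth-Trunk100": "IPS", "Eth-Trunk101": "NGFW"}


def acl_matches(acl_number, src, dst):
    """True if any rule of the ACL permits this source/destination pair."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in ACLS[acl_number]:
        if (src_net is ANY or s in ip_network(src_net)) and \
           (dst_net is ANY or d in ip_network(dst_net)):
            return True
    return False


def apply_policy(policy_name, src, dst):
    """Result of the first matching classifier; unmatched traffic is forwarded."""
    for classifier, behavior in POLICIES[policy_name]:
        if acl_matches(CLASSIFIERS[classifier], src, dst):
            return BEHAVIORS[behavior]
    return "forward"


def trace_flow(ingress, src, dst, max_hops=4):
    """Modules a flow traverses, in order, ending with 'forward'."""
    path, iface = [], ingress
    for _ in range(max_hops):
        policy = INBOUND_POLICY.get(iface)
        result = apply_policy(policy, src, dst) if policy else "forward"
        if result == "forward":
            path.append("forward")
            return path
        path.append(MODULE_ON[result])
        iface = result  # the module hands the packet back on the same Eth-Trunk
    raise RuntimeError("redirection loop: " + " -> ".join(path))


if __name__ == "__main__":
    print(trace_flow("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.20"))   # client -> server
    print(trace_flow("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.11"))   # same client VLAN
    print(trace_flow("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.2.5"))    # client -> other client VLAN
```

Running the three sample flows shows the three behaviours the design intends: client-to-server traffic goes through the IPS and then the NGFW, intra-subnet client traffic is switched directly, and inter-subnet client traffic goes through the NGFW only. The ordering inside `office-out` matters: `to-server` is listed before `from-office`, so a client-to-server packet (which matches both) is sent to the IPS rather than straight to the NGFW; swapping those two lines would silently bypass the IPS for the whole client side.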
Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing
Networking Requirements
Two S12700s are deployed on a network shown in Figure 1-32. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules work at Layer 2. That is, they access the network transparently. The NGFW modules work at Layer 3 (flows imported at Layer 3) in active/standby mode.
The customer has the following requirements:
- The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
- The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
- The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.
Figure 1-33 shows the flow directions.
NOTE:
Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.
When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.
Figure 1-32 Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing
Figure 1-33 Flow direction
Data Plan
Table 1-35, Table 1-36, and Table 1-37 provide the data plan.
Table 1-35 Data plan for link aggregation
Device | Interface Number | Interface Description | Member Interfaces |
---|---|---|---|
S12700 cluster | Eth-trunk100 | Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1 |
S12700 cluster | Eth-trunk105 | Connected to NGFW Module_A to transparently transmit the packets from VLAN 128 | XGE1/4/0/0, XGE1/4/0/1 |
S12700 cluster | Eth-trunk106 | Connected to NGFW Module_B to transparently transmit the packets from VLAN 128 | XGE2/4/0/0, XGE2/4/0/1 |
NGFW Module_A | Eth-trunk0 | Connected to NGFW Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
NGFW Module_A | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2 |
NGFW Module_B | Eth-trunk0 | Connected to NGFW Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
NGFW Module_B | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2 |
IPS Module_A | Eth-trunk0 | Connected to IPS Module_B through the heartbeat line | GE0/0/1, GE0/0/2 |
IPS Module_A | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
IPS Module_B | Eth-trunk0 | Connected to IPS Module_A through the heartbeat line | GE0/0/1, GE0/0/2 |
IPS Module_B | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2 |
Table 1-36 Data plan for VLANs
VLAN | Remarks |
---|---|
100, 300 | Server VLANs |
101 to 126 | Client VLANs |
128 | Layer 3 interface between the NGFW module and switch |
2001 | Extranet VLAN |
Table 1-37 Data plan for IP addresses
Device | Data | Remarks |
---|---|---|
S12700 cluster | VLANIF 100: 10.55.0.1/24; VLANIF 300: 10.55.200.1/24 | Server-side gateway |
S12700 cluster | VLANIF 101: 10.55.1.1/24; VLANIF 102: 10.55.2.1/24; ...; VLANIF 126: 10.55.26.1/24 | Client-side gateway |
S12700 cluster | VLANIF 128: 10.54.28.4/24 | Layer 3 interface connected to the NGFW module |
S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway |
IPS Module_A | Eth-trunk 0: 192.168.213.5/30 | HRP interface |
IPS Module_B | Eth-trunk 0: 192.168.213.6/30 | HRP interface |
NGFW Module_A | Eth-trunk 0: 192.168.213.1/30 | HRP interface |
NGFW Module_A | Eth-trunk 1.1: 10.55.28.2/24 | Master IP address of the VRRP group connected to the S12700 cluster |
NGFW Module_A | 10.55.28.1 | VRRP virtual IP address |
NGFW Module_B | Eth-trunk 0: 192.168.213.2/30 | HRP interface |
NGFW Module_B | Eth-trunk 1.1: 10.55.28.3/24 | Backup IP address of the VRRP group connected to the S12700 cluster |
NGFW Module_B | 10.55.28.1 | VRRP virtual IP address |
Configuration Roadmap
- Configure interfaces and static routes on NGFW Module_A and NGFW Module_B and set basic parameters.
- Configure NGFW Module_A and NGFW Module_B as a Layer 3 VRRP group working in hot standby mode.
- Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
- Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
- Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
- Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
- Configure the two S12700s as a cluster.
- Implement connectivity between the S12700 cluster, NGFW modules, and IPS modules.
- Configure a routing policy on the S12700 cluster to implement redirection.
Procedure
- Configure interfaces on NGFW modules and set basic parameters.
# Log in to the CLI of NGFW Module_A from Switch_A.
<sysname> connect slot 4
NOTE:
To return to the CLI of the switch, press Ctrl+D.
# Set the device name on NGFW Module_A.
```
<sysname> system-view
[sysname] sysname NGFW Module_A
```
# Create VLANs on NGFW Module_A.
[NGFW Module_A] vlan batch 100 to 126 300 2001
# Create Layer 3 Eth-Trunk 1 on NGFW Module_A.
```
[NGFW Module_A] interface Eth-Trunk 1
[NGFW Module_A-Eth-Trunk1] description To-master-trunk105
[NGFW Module_A-Eth-Trunk1] quit
```
# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.
NOTE:
Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.
```
[NGFW Module_A] interface GigabitEthernet 1/0/0
[NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/0] quit
[NGFW Module_A] interface GigabitEthernet 1/0/1
[NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/1] quit
```
# Create a Layer 3 subinterface and configure a VRRP group.
```
[NGFW Module_A] interface Eth-Trunk 1.1
[NGFW Module_A-Eth-Trunk1.1] vlan-type dot1q 128
[NGFW Module_A-Eth-Trunk1.1] ip address 10.55.28.2 255.255.255.0
[NGFW Module_A-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
[NGFW Module_A-Eth-Trunk1.1] service-manage ping permit
[NGFW Module_A-Eth-Trunk1.1] quit
```
# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.
```
[NGFW Module_A] interface Eth-Trunk 0
[NGFW Module_A-Eth-Trunk0] description hrp-interface
[NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
[NGFW Module_A-Eth-Trunk0] quit
[NGFW Module_A] interface GigabitEthernet 0/0/1
[NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/1] quit
[NGFW Module_A] interface GigabitEthernet 0/0/2
[NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/2] quit
```
# Add the interfaces on NGFW Module_A to the security zone.
```
[NGFW Module_A] firewall zone trust
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1
[NGFW Module_A-zone-trust] quit
[NGFW Module_A] firewall zone name hrp
[NGFW Module_A-zone-hrp] set priority 75
[NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_A-zone-hrp] quit
```
# Configure static routes on NGFW Module_A.
```
[NGFW Module_A] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4   //The destination address is on the external subnet
[NGFW Module_A] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4       //The destination address is on the subnet where clients reside
[NGFW Module_A] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
[NGFW Module_A] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
[NGFW Module_A] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4       //The destination address is on the subnet where servers reside
[NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
```
# Log in to the CLI of NGFW Module_B from Switch_B.
<sysname> connect slot 4
# Set the device name on NGFW Module_B.
```
<sysname> system-view
[sysname] sysname NGFW Module_B
```
# Create VLANs on NGFW Module_B.
[NGFW Module_B] vlan batch 100 to 126 300 2001
# Create Layer 3 Eth-Trunk 1 on NGFW Module_B.
```
[NGFW Module_B] interface Eth-Trunk 1
[NGFW Module_B-Eth-Trunk1] description To-master-trunk105
[NGFW Module_B-Eth-Trunk1] quit
```
# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.
```
[NGFW Module_B] interface GigabitEthernet 1/0/0
[NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/0] quit
[NGFW Module_B] interface GigabitEthernet 1/0/1
[NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/1] quit
```
# Create a Layer 3 subinterface and configure a VRRP group.
```
[NGFW Module_B] interface Eth-Trunk 1.1
[NGFW Module_B-Eth-Trunk1.1] vlan-type dot1q 128
[NGFW Module_B-Eth-Trunk1.1] ip address 10.55.28.3 255.255.255.0
[NGFW Module_B-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
[NGFW Module_B-Eth-Trunk1.1] service-manage ping permit
[NGFW Module_B-Eth-Trunk1.1] quit
```
# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.
```
[NGFW Module_B] interface Eth-Trunk 0
[NGFW Module_B-Eth-Trunk0] description hrp-interface
[NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
[NGFW Module_B-Eth-Trunk0] quit
[NGFW Module_B] interface GigabitEthernet 0/0/1
[NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/1] quit
[NGFW Module_B] interface GigabitEthernet 0/0/2
[NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/2] quit
```
# Add the interfaces on NGFW Module_B to the security zone.
```
[NGFW Module_B] firewall zone trust
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1.1
[NGFW Module_B-zone-trust] quit
[NGFW Module_B] firewall zone name hrp
[NGFW Module_B-zone-hrp] set priority 75
[NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_B-zone-hrp] quit
```
# Configure static routes on NGFW Module_B.
```
[NGFW Module_B] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4   //The destination address is on the external subnet
[NGFW Module_B] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4       //The destination address is on the subnet where clients reside
[NGFW Module_B] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
[NGFW Module_B] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
[NGFW Module_B] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4       //The destination address is on the subnet where servers reside
[NGFW Module_B] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
```
- Configure hot standby for NGFW modules.
# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.
```
[NGFW Module_A] hrp mirror session enable
[NGFW Module_A] hrp interface Eth-Trunk 0
[NGFW Module_A] hrp loadbalance-device
[NGFW Module_A] hrp enable
```
# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.
```
[NGFW Module_B] hrp mirror session enable
[NGFW Module_B] hrp interface Eth-Trunk 0
[NGFW Module_B] hrp loadbalance-device
[NGFW Module_B] hrp enable
```
- Configure the security service on the NGFW modules.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.
# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.
```
HRP_M[NGFW Module_A] security-policy
HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16      //Subnet where clients and servers reside
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29    //Subnet of the extranet
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
HRP_M[NGFW Module_A-policy-security] quit
```
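The Layer 3 part of this procedure hangs together only if a handful of addresses agree with each other: both NGFW modules' Eth-Trunk 1.1 addresses and the VRRP virtual IP must sit in the same subnet as the switch's VLANIF 128 address, every static route's next hop must be that on-link switch address, and the two heartbeat (HRP) addresses must share one segment. A typo in any of them produces a black-holed route or a VRRP group that never forms, and nothing in the CLI rejects it. The Python check below is an added example written for this page (not Huawei code and not part of the original documentation); the address values are the ones from the data plan and the procedure above, and the `check_l3_plan` function and its argument layout are this example's own.

```python
from ipaddress import ip_address, ip_interface

# Values from the data plan and the NGFW procedure above.
NGFW_A = {"hrp": "192.168.213.1/30", "l3": "10.55.28.2/24"}   # Eth-Trunk 0, Eth-Trunk 1.1
NGFW_B = {"hrp": "192.168.213.2/30", "l3": "10.55.28.3/24"}
VRRP_VIP = "10.55.28.1"
CSS_VLANIF128 = "10.55.28.4"          # switch side of the Layer 3 link (VLAN 128)
STATIC_ROUTES = [                     # (destination, next hop) as configured on the NGFW
    ("10.54.1.248/29", "10.55.28.4"),  # extranet
    ("10.55.1.0/24", "10.55.28.4"),    # client subnets
    ("10.55.2.0/24", "10.55.28.4"),
    ("10.55.26.0/24", "10.55.28.4"),
    ("10.55.0.0/24", "10.55.28.4"),    # server subnets
    ("10.55.200.0/24", "10.55.28.4"),
]


def check_l3_plan(ngfw_a, ngfw_b, vip, switch_addr, routes):
    """Return a list of plan inconsistencies; an empty list means the plan is consistent."""
    problems = []

    # Heartbeat interfaces must be in one segment and must not share an address.
    hrp_a, hrp_b = ip_interface(ngfw_a["hrp"]), ip_interface(ngfw_b["hrp"])
    if hrp_a.network != hrp_b.network:
        problems.append(f"heartbeat addresses {hrp_a} and {hrp_b} are not in one segment")
    elif hrp_a.ip == hrp_b.ip:
        problems.append(f"heartbeat addresses are identical ({hrp_a.ip})")

    # Both Eth-Trunk 1.1 addresses must be in the same subnet, which is the VRRP link.
    l3_a, l3_b = ip_interface(ngfw_a["l3"]), ip_interface(ngfw_b["l3"])
    if l3_a.network != l3_b.network:
        problems.append(f"Eth-Trunk 1.1 addresses {l3_a} and {l3_b} are in different subnets")
    link = l3_a.network

    # The virtual IP must be on the link and must not collide with a real address.
    vip_ip, sw_ip = ip_address(vip), ip_address(switch_addr)
    if vip_ip not in link:
        problems.append(f"VRRP virtual IP {vip} is outside {link}")
    if vip_ip in (l3_a.ip, l3_b.ip, sw_ip):
        problems.append(f"VRRP virtual IP {vip} collides with a real interface address")

    # The switch's VLANIF address must be on the same link.
    if sw_ip not in link:
        problems.append(f"switch address {switch_addr} is outside {link}")

    # Every static route must point at the on-link switch address.
    for dest, next_hop in routes:
        nh = ip_address(next_hop)
        if nh not in link:
            problems.append(f"route to {dest}: next hop {next_hop} is not on-link for {link}")
        elif nh != sw_ip:
            problems.append(f"route to {dest}: next hop {next_hop} is not the switch's VLANIF address")
    return problems


if __name__ == "__main__":
    for problem in check_l3_plan(NGFW_A, NGFW_B, VRRP_VIP, CSS_VLANIF128, STATIC_ROUTES) or ["plan is consistent"]:
        print(problem)
```

The same function applied to the IPS modules' heartbeat pair (192.168.213.5/30 and 192.168.213.6/30) covers the same-segment requirement this page states for IPS heartbeat interfaces; pass a deliberately mistyped next hop such as `10.54.28.4` to see how a single wrong octet is reported as an off-link route.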
- Configure interfaces on IPS modules and set basic parameters.
- Log in to the web UI through an Ethernet interface.
- Set up a physical connection between the management PC and an IPS module.
- Open the browser on the management PC and access https://192.168.0.1:8443.
- Enter the default user name admin and password Admin@123 of the system administrator and click Login.
- Change the password, click OK, and enter the web system.
- Choose Network > Interface, click the edit icon of interface GE1/0/0 and set the connection type of GE1/0/0 to access.
The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
- Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to access.
- Click Add, and configure Eth-Trunk 1.
- Choose Network > Interface Pair, click Add, and configure an interface pair.
- Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.
NOTE:
- The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
- The Eth-Trunk member interfaces on the IPS Modules must be the same.
Configure a heartbeat interface on one IPS Module.
Configure a heartbeat interface on the other IPS Module.
- Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.
- Log in to the web UI through an Ethernet interface.
- Configure the IPS security service, for example, antivirus.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.
- Choose Object > Security Profiles > Anti-Virus.
- Click Add and set the parameters as follows:
- Click OK.
- Repeat the previous steps to set the parameters of AV_ftp profile.
- Configure a security policy for the outbound direction.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
- Configure the security policy in the direction from the external to internal servers.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.
Parameter | Value |
---|---|
Name | policy_av_2 |
Description | Intranet-Server |
Interface Pair | Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list. |
Action | permit |
Content Security | Anti-Virus: AV_ftp |
- Configure the two S12700s as a cluster.
Connect cluster cables. For details, see Switch Cluster Setup Guide.
Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.
# Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.
```
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] set css priority 100
```
# Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
```
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] set css id 2
[Switch_B] set css priority 10
```
# Check the cluster configuration.
Run the display css status saved command to check whether the configurations are as expected.
Check the cluster configuration on Switch_A.
```
[Switch_A] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off
```
Check the cluster configuration on Switch_B.
```
[Switch_B] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off
```
Enable the cluster function.
# Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.
```
[Switch_A] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
# Enable the cluster function on Switch_B and restart Switch_B.
```
[Switch_B] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
Check whether the cluster is set up successfully.
# View the indicator status.
The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.
The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.
# Log in to the cluster through the console port on any MPU to check the cluster status.
```
[Switch_A] display css status
CSS Enable switch On
Chassis Id   CSS Enable   CSS Status   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            On           Master       CSS card   100        Off
2            On           Standby      CSS card   10         Off
```
The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.
# Check whether cluster links work normally.
[Switch_A] display css channel
The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.
Set the cluster system name to CSS.
```
[Switch_A] sysname CSS
[CSS]
```
- Configure the interfaces and VLAN IDs on switches.
- Create VLANs.
[CSS] vlan batch 100 to 126 128 300 2001
- Configure upstream and downstream interfaces.
```
[CSS] interface GigabitEthernet 1/6/0/36   //Connected to the servers
[CSS-GigabitEthernet1/6/0/36] port link-type trunk
[CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0    //Connected to the extranet
[CSS-GigabitEthernet2/3/0/0] port link-type trunk
[CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36   //Connected to the clients
[CSS-GigabitEthernet2/3/0/36] port link-type trunk
[CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
[CSS-GigabitEthernet2/3/0/36] quit
```
- Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.
```
[CSS] interface vlanif 2001
[CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
[CSS-Vlanif2001] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
[CSS-Vlanif100] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
[CSS-Vlanif300] quit
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
[CSS-Vlanif102] quit
[CSS] interface vlanif 126
[CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
[CSS-Vlanif126] quit
[CSS] interface vlanif 128 //Layer 3 interface connected to the NGFW module
[CSS-Vlanif128] ip address 10.55.28.4 255.255.255.0
[CSS-Vlanif128] quit
```
- Add the eight interfaces between the switches and NGFW/IPS modules to Eth-Trunk 105, Eth-Trunk 106, and Eth-Trunk 100.
```
[CSS] interface eth-trunk 105
[CSS-Eth-Trunk105] description to-ngfw-a
[CSS-Eth-Trunk105] port link-type trunk
[CSS-Eth-Trunk105] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk105] port trunk allow-pass vlan 128
[CSS-Eth-Trunk105] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
[CSS-Eth-Trunk105] quit
[CSS] interface eth-trunk 106
[CSS-Eth-Trunk106] description to-ngfw-b
[CSS-Eth-Trunk106] port link-type trunk
[CSS-Eth-Trunk106] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk106] port trunk allow-pass vlan 128
[CSS-Eth-Trunk106] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
[CSS-Eth-Trunk106] quit
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] description to-ips
[CSS-Eth-Trunk100] port link-type trunk
[CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
[CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
[CSS-Eth-Trunk100] mac-address learning disable
[CSS-Eth-Trunk100] stp disable
[CSS-Eth-Trunk100] quit
```
- Set the load balancing mode on Eth-Trunks.
```
[CSS] load-balance-profile sec
[CSS-load-balance-profile-sec] ipv4 field sip dip
[CSS-load-balance-profile-sec] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] load-balance enhanced profile sec
[CSS-Eth-Trunk100] quit
[CSS] interface Eth-Trunk 105
[CSS-Eth-Trunk105] load-balance enhanced profile sec
[CSS-Eth-Trunk105] quit
[CSS] interface Eth-Trunk 106
[CSS-Eth-Trunk106] load-balance enhanced profile sec
[CSS-Eth-Trunk106] quit
```
- Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.
```
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk100
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk100
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk100
[CSS-GigabitEthernet2/3/0/36] quit
```
- Configure traffic policies and bind them to interfaces to implement redirection.
# Create ACLs.
```
[CSS] acl 3010 //Match the flows sent from clients
[CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
[CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
[CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
[CSS-acl-adv-3010] quit
[CSS] acl 3011 //Match the flows destined for clients
[CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3011] quit
[CSS] acl 3020 //Match the flows sent from servers
[CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
[CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
[CSS-acl-adv-3020] quit
[CSS] acl 3021 //Match the flows destined for servers
[CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3021] quit
[CSS] acl 3012 //Match inter-client flows within a subnet
[CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3012] quit
[CSS] acl 3022 //Match inter-server flows within a subnet
[CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3022] quit
```
# Configure traffic classifiers.
```
[CSS] traffic classifier from-office operator or precedence 80
[CSS-classifier-from-office] if-match acl 3010
[CSS-classifier-from-office] quit
[CSS] traffic classifier to-office operator or precedence 85
[CSS-classifier-to-office] if-match acl 3011
[CSS-classifier-to-office] quit
[CSS] traffic classifier from-server operator or precedence 75
[CSS-classifier-from-server] if-match acl 3020
[CSS-classifier-from-server] quit
[CSS] traffic classifier to-server operator or precedence 60
[CSS-classifier-to-server] if-match acl 3021
[CSS-classifier-to-server] quit
[CSS] traffic classifier office-office operator or precedence 40
[CSS-classifier-office-office] if-match acl 3012
[CSS-classifier-office-office] quit
[CSS] traffic classifier server-server operator or precedence 65
[CSS-classifier-server-server] if-match acl 3022
[CSS-classifier-server-server] quit
```
# Configure traffic behaviors.
```
[CSS] traffic behavior behavior1
[CSS-behavior-behavior1] permit
[CSS-behavior-behavior1] quit
[CSS] traffic behavior to-eth-trunk100
[CSS-behavior-to-eth-trunk100] permit
[CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100 //Do not redirect flows
[CSS-behavior-to-eth-trunk100] quit
[CSS] traffic behavior to-eth-trunk105-6
[CSS-behavior-to-eth-trunk105-6] permit
[CSS-behavior-to-eth-trunk105-6] redirect ip-nexthop 10.55.28.1 //Redirect flows to the NGFW module
[CSS-behavior-to-eth-trunk105-6] quit
```
# Bind traffic policies to interfaces.
```
[CSS] traffic policy ips-to-fw match-order config
[CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk105-6
[CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk105-6
[CSS-trafficpolicy-ips-to-fw] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound //Redirect the flows filtered by the IPS module to the NGFW module
[CSS-Eth-Trunk100] quit
[CSS] traffic policy internet-in match-order config
[CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
[CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100 //Redirect the flows from the extranet to servers to the IPS module
[CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk105-6 //Redirect the flows from the extranet to clients to the NGFW module
[CSS-trafficpolicy-internet-in] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] traffic policy office-out match-order config
[CSS-trafficpolicy-office-out] classifier office-office behavior behavior1 //Do not redirect the inter-client flows within a subnet
[CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100 //Redirect the flows from clients to servers to the IPS module
[CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk105-6 //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
[CSS-trafficpolicy-office-out] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
[CSS-GigabitEthernet2/3/0/36] quit
[CSS] traffic policy server-out match-order config
[CSS-trafficpolicy-server-out] classifier server-server behavior behavior1 //Do not redirect the inter-server flows within a subnet
[CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100 //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
[CSS-trafficpolicy-server-out] quit
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
[CSS-GigabitEthernet1/6/0/36] quit
```
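The redirection chain configured in the steps above (ACL, traffic classifier, traffic behavior, traffic policy bound inbound on an interface) decides, per ingress interface, whether a flow goes straight through, to the IPS module on Eth-Trunk 100, or to the NGFW modules via the VRRP next hop 10.55.28.1. The following Python model is an added example, not Huawei code and not part of the original configuration: it reproduces the ACL wildcard matching, the `operator or` classifier semantics and the `match-order config` first-match evaluation, and follows a flow through the whole chain (a flow the IPS hands back on Eth-Trunk 100 is evaluated again against `ips-to-fw`). The ACLs, classifiers, behaviors, policies and bindings are copied from the configuration; the sample flows and the extranet address 203.0.113.10 (TEST-NET-3) are constructed for illustration.

```python
"""Model of the S12700 redirection chain above: ACL -> traffic classifier ->
traffic behavior -> traffic policy bound inbound on an interface.
Added example, not Huawei code. Rules, classifiers, behaviors, policies and
bindings come from the configuration steps; sample flows and the extranet
address 203.0.113.10 (TEST-NET-3) are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Spec = Tuple[str, str]  # (network, wildcard mask) as written in an ACL rule


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclRule:
    """One 'rule N permit ip [source NET WILD] [destination NET WILD]' line."""
    source: Optional[Spec] = None
    destination: Optional[Spec] = None

    @staticmethod
    def _field_matches(addr: str, spec: Optional[Spec]) -> bool:
        if spec is None:                  # omitted field matches any address
            return True
        net, wild = spec
        care = 0xFFFFFFFF ^ _ip(wild)    # wildcard bit 1 means "don't care"
        return (_ip(addr) & care) == (_ip(net) & care)

    def matches(self, sip: str, dip: str) -> bool:
        return (self._field_matches(sip, self.source)
                and self._field_matches(dip, self.destination))


CLIENT_NETS: List[Spec] = [("10.55.1.0", "0.0.0.255"), ("10.55.2.0", "0.0.0.255"),
                           ("10.55.26.0", "0.0.0.255")]
SERVER_NETS: List[Spec] = [("10.55.0.0", "0.0.0.255"), ("10.55.200.0", "0.0.0.255")]

ACLS: Dict[int, List[AclRule]] = {
    3010: [AclRule(source=n) for n in CLIENT_NETS],                 # from clients
    3011: [AclRule(destination=n) for n in CLIENT_NETS],            # to clients
    3012: [AclRule(source=n, destination=n) for n in CLIENT_NETS],  # client<->client, same subnet
    3020: [AclRule(source=n) for n in SERVER_NETS],                 # from servers
    3021: [AclRule(destination=n) for n in SERVER_NETS],            # to servers
    3022: [AclRule(source=n, destination=n) for n in SERVER_NETS],  # server<->server, same subnet
}

# traffic classifier NAME operator or / if-match acl N
CLASSIFIERS: Dict[str, int] = {
    "from-office": 3010, "to-office": 3011, "office-office": 3012,
    "from-server": 3020, "to-server": 3021, "server-server": 3022,
}

# traffic behavior NAME: what happens to a matching flow
BEHAVIORS: Dict[str, str] = {
    "behavior1": "permit, forwarded normally",
    "to-eth-trunk100": "redirect interface Eth-Trunk 100 (IPS module)",
    "to-eth-trunk105-6": "redirect ip-nexthop 10.55.28.1 (NGFW VRRP address)",
}

# traffic policy NAME match-order config: (classifier, behavior) in configured order
POLICIES: Dict[str, List[Tuple[str, str]]] = {
    "ips-to-fw": [("to-server", "to-eth-trunk105-6"), ("from-server", "to-eth-trunk105-6")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk105-6")],
    "office-out": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                   ("from-office", "to-eth-trunk105-6")],
    "server-out": [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}

# interface ... / traffic-policy NAME inbound
BINDINGS: Dict[str, str] = {
    "Eth-Trunk100": "ips-to-fw",              # flows handed back by the IPS module
    "GigabitEthernet2/3/0/0": "internet-in",  # extranet
    "GigabitEthernet2/3/0/36": "office-out",  # clients
    "GigabitEthernet1/6/0/36": "server-out",  # servers
}


def classifier_matches(name: str, sip: str, dip: str) -> bool:
    """'operator or': the classifier matches when any rule of its ACL matches."""
    return any(rule.matches(sip, dip) for rule in ACLS[CLASSIFIERS[name]])


def steer(ingress: str, sip: str, dip: str) -> Optional[str]:
    """Behavior applied to a flow arriving on `ingress`. With match-order config the
    first classifier in configured order wins; None means nothing matched and the
    flow is forwarded without redirection."""
    policy = BINDINGS.get(ingress)
    if policy is None:
        return None
    for classifier, behavior in POLICIES[policy]:
        if classifier_matches(classifier, sip, dip):
            return behavior
    return None


def path(ingress: str, sip: str, dip: str) -> List[str]:
    """Behaviors applied along the whole chain. The IPS module works in interface pair
    mode and hands every flow back on Eth-Trunk 100, so a flow redirected there is
    evaluated again against the policy bound inbound on Eth-Trunk 100 (ips-to-fw)."""
    hops: List[str] = []
    iface = ingress
    while True:
        behavior = steer(iface, sip, dip)
        hops.append(behavior or "no-match")
        if behavior == "to-eth-trunk100" and iface != "Eth-Trunk100":
            iface = "Eth-Trunk100"
            continue
        return hops


if __name__ == "__main__":
    samples = [  # constructed flows: (ingress interface, source, destination)
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),    # client, same subnet
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.5"),     # client to server
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "203.0.113.10"),  # client to extranet
        ("GigabitEthernet2/3/0/0", "203.0.113.10", "10.55.0.5"),    # extranet to server
        ("GigabitEthernet1/6/0/36", "10.55.0.5", "10.55.1.10"),     # server to client
    ]
    for ingress, sip, dip in samples:
        chain = " -> ".join(BEHAVIORS.get(b, b) for b in path(ingress, sip, dip))
        print(f"{ingress:24} {sip:>13} -> {dip:<13}: {chain}")
```

Two things the model makes visible that the CLI listing does not: a client-to-server flow is inspected by the IPS first and then by the NGFW (two hops), whereas client-to-extranet and extranet-to-client flows bypass the IPS and go to the NGFW only; and a destination inside 10.55.0.0/16 that is not covered by any ACL (for example a subnet added later without updating ACLs 3011 and 3021) matches no classifier and is forwarded without inspection, which is the check to make whenever a VLAN is added.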
- Verify the configuration.
# Check the configuration of the S12700 cluster.
```
[CSS] display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot  Sub  Type          Online   Power    Register    Status  Role
-------------------------------------------------------------------
4     -    ET1D2FW00S00  Present  PowerOn  Registered  Normal  NA
5     -    ET1D2IPS0S00  Present  PowerOn  Registered  Normal  NA
6     -    ET1D2G48SX1E  Present  PowerOn  Registered  Normal  NA
7     -    ET1D2X48SEC0  Present  PowerOn  Registered  Normal  NA
9     -    ET1D2MPUA000  Present  PowerOn  Registered  Normal  Master
10    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal  Slave
12    -    ET1D2SFUD000  Present  PowerOn  Registered  Normal  NA
      1    EH1D2VS08000  Present  PowerOn  Registered  Normal  NA
PWR1  -    -             Present  PowerOn  Registered  Normal  NA
CMU1  -    EH1D200CMU00  Present  PowerOn  Registered  Normal  Slave
CMU2  -    EH1D200CMU00  Present  PowerOn  Registered  Normal  Master
FAN1  -    -             Present  PowerOn  Registered  Normal  NA
FAN2  -    -             Present  PowerOn  Registered  Normal  NA
FAN3  -    -             Present  PowerOn  Registered  Normal  NA
FAN4  -    -             Present  PowerOn  Registered  Normal  NA
Chassis 2 (Standby Switch)
S12712's Device status:
Slot  Sub  Type          Online   Power    Register    Status  Role
-------------------------------------------------------------------
3     -    ET1D2G48SX1E  Present  PowerOn  Registered  Normal  NA
4     -    ET1D2FW00S00  Present  PowerOn  Registered  Normal  NA
5     -    ET1D2IPS0S00  Present  PowerOn  Registered  Normal  NA
7     -    ET1D2X48SEC0  Present  PowerOn  Registered  Normal  NA
13    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal  Master
14    -    ET1D2MPUA000  Present  PowerOn  Registered  Normal  Slave
18    -    ET1D2SFUD000  Present  PowerOn  Registered  Normal  NA
      1    EH1D2VS08000  Present  PowerOn  Registered  Normal  NA
PWR1  -    -             Present  PowerOn  Registered  Normal  NA
PWR2  -    -             Present  PowerOn  Registered  Normal  NA
CMU2  -    EH1D200CMU00  Present  PowerOn  Registered  Normal  Master
FAN1  -    -             Present  PowerOn  Registered  Normal  NA
FAN2  -    -             Present  PowerOn  Registered  Normal  NA
FAN3  -    -             Present  PowerOn  Registered  Normal  NA
FAN4  -    -             Present  PowerOn  Registered  Normal  NA
FAN5  -    -             Present  PowerOn  Registered  Normal  NA
```
# Check the status of the Eth-Trunks between the IPS/NGFW modules and the S12700 cluster.
```
[IPS Module] display interface brief | include up
2016/5/31 10:49
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  up    up        0.01%  0.01%   0         0
GigabitEthernet0/0/1        up    up        0.01%  0.01%   0         0
GigabitEthernet0/0/2        up    up        0%     0%      0         0
Eth-Trunk1                  up    up        0.01%  0.01%   0         0
GigabitEthernet1/0/0(XGE)   up    up        0.01%  0.01%   0         0
GigabitEthernet1/0/1(XGE)   up    up        0%     0%      0         0
NULL0                       up    up(s)     0%     0%      0         0
```
```
[NGFW Module_B] display interface brief | include up
10:56:34 2016/05/31
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk0                  up    up        0.01%  0.01%   0         0
GigabitEthernet0/0/1        up    up        0.01%  0.01%   0         0
GigabitEthernet0/0/2        up    up        0%     0.01%   0         0
Eth-Trunk1                  up    up        0.01%  0.01%   0         0
GigabitEthernet1/0/0(XGE)   up    up        0.01%  0.01%   0         0
GigabitEthernet1/0/1(XGE)   up    up        0%     0%      0         0
Eth-Trunk1.1                up    up        0.01%  0%      0         0
Eth-Trunk1.2                up    up        0.01%  0%      0         0
NULL0                       up    up(s)     0%     0%      0         0
```
# Check traffic statistics on interfaces.
- The traffic statistics between clients and servers are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk100                up    up        0.13%  0.13%   0         0
  XGigabitEthernet1/5/0/0   up    up        0.25%  0%      0         0
  XGigabitEthernet1/5/0/1   up    up        0%     0.25%   0         0
  XGigabitEthernet2/5/0/0   up    up        0%     0.25%   0         0
  XGigabitEthernet2/5/0/1   up    up        0.25%  0%      0         0
Eth-Trunk105                up    up        0.25%  0.25%   0         0
  XGigabitEthernet1/4/0/0   up    up        0.25%  0%      0         0
  XGigabitEthernet1/4/0/1   up    up        0.25%  0.50%   0         0
Eth-Trunk106                up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/0   up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/1   up    up        0%     0%      0         0
Ethernet0/0/0/0             up    up        0.02%  0.01%   0         0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%   0         0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%   0         0
NULL0                       up    up(s)     0%     0%      0         0
Vlanif100                   up    up        --     --      0         0
Vlanif101                   up    up        --     --      0         0
Vlanif102                   up    up        --     --      0         0
Vlanif126                   up    up        --     --      0         0
Vlanif128                   up    up        --     --      0         0
Vlanif300                   up    up        --     --      0         0
Vlanif2001                  up    up        --     --      0         0
```
- The traffic statistics between clients and extranet are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk100                up    up        0%     0%      0         0
  XGigabitEthernet1/5/0/0   up    up        0%     0%      0         0
  XGigabitEthernet1/5/0/1   up    up        0%     0%      0         0
  XGigabitEthernet2/5/0/0   up    up        0%     0%      0         0
  XGigabitEthernet2/5/0/1   up    up        0%     0%      0         0
Eth-Trunk105                up    up        0.25%  0.25%   0         0
  XGigabitEthernet1/4/0/0   up    up        0%     0.17%   0         0
  XGigabitEthernet1/4/0/1   up    up        0.50%  0.33%   0         0
Eth-Trunk106                up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/0   up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/1   up    up        0%     0%      0         0
Ethernet0/0/0/0             up    up        0.01%  0.01%   0         0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%   0         0
GigabitEthernet2/3/0/36     up    up        5.00%  5.00%   0         0
NULL0                       up    up(s)     0%     0%      0         0
Vlanif100                   up    up        --     --      0         0
Vlanif101                   up    up        --     --      0         0
Vlanif102                   up    up        --     --      0         0
Vlanif126                   up    up        --     --      0         0
Vlanif128                   up    up        --     --      0         0
Vlanif300                   up    up        --     --      0         0
Vlanif2001                  up    up        --     --      0         0
```
- The traffic statistics between servers and extranet are correct.
```
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk100                up    up        0.12%  0.12%   0         0
  XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%   0         0
  XGigabitEthernet1/5/0/1   up    up        0%     0%      0         0
  XGigabitEthernet2/5/0/0   up    up        0%     0%      0         0
  XGigabitEthernet2/5/0/1   up    up        0%     0%      0         0
Eth-Trunk105                up    up        0.25%  0.25%   0         0
  XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%   0         0
  XGigabitEthernet1/4/0/1   up    up        0%     0%      0         0
Eth-Trunk106                up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/0   up    up        0%     0%      0         0
  XGigabitEthernet2/4/0/1   up    up        0%     0%      0         0
Ethernet0/0/0/0             up    up        0.02%  0.01%   0         0
GigabitEthernet1/6/0/36     up    up        5.00%  5.00%   0         0
GigabitEthernet2/3/0/0      up    up        5.00%  5.00%   0         0
NULL0                       up    up(s)     0%     0%      0         0
Vlanif100                   up    up        --     --      0         0
Vlanif101                   up    up        --     --      0         0
Vlanif102                   up    up        --     --      0         0
Vlanif126                   up    up        --     --      0         0
Vlanif128                   up    up        --     --      0         0
Vlanif300                   up    up        --     --      0         0
Vlanif2001                  up    up        --     --      0         0
```
Configuration Files
NGFW module configuration files
NGFW Module_A
```
#
 sysname NGFW Module_A
#
 hrp mirror session enable
 hrp enable
 hrp loadbalance-device
 hrp interface Eth-Trunk 0
#
 vlan batch 100 to 126 300 2001
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.1 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk105
#
interface Eth-Trunk1.1
 vlan-type dot1q 128
 ip address 10.55.28.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.55.28.1 active
 service-manage ping permit
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
 add interface Eth-Trunk1.1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
 ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
return
```
NGFW Module_B
```
#
 sysname NGFW Module_B
#
 hrp mirror session enable
 hrp enable
 hrp loadbalance-device
 hrp interface Eth-Trunk 0
#
 vlan batch 100 to 126 300 2001
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.2 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk106
#
interface Eth-Trunk1.1
 vlan-type dot1q 128
 ip address 10.55.28.3 255.255.255.0
 vrrp vrid 10 virtual-ip 10.55.28.1 standby
 service-manage ping permit
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
 add interface Eth-Trunk1.1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
 ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
return
```
IPS module configuration files
IPS Module_A
```
#
 sysname IPS Module_A
#
 hrp enable
 hrp loadbalance-device
 hrp interface Eth-Trunk 0
#
 vlan batch 100 to 126 300 2001
#
 pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3
 description http-pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Netease_Webmail action allow
 exception av-signature-id 1000
profile type av name AV_ftp
 description ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return
```
IPS Module_B
```
#
 sysname IPS Module_B
#
 hrp enable
 hrp loadbalance-device
 hrp interface Eth-Trunk 0
#
 vlan batch 100 to 126 300 2001
#
 pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
 ip address 192.168.213.6 255.255.255.252
#
interface Eth-Trunk 1
 portswitch
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
profile type av name AV_http_pop3
 description http-pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Netease_Webmail action allow
 exception av-signature-id 1000
profile type av name AV_ftp
 description ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  description Intranet-User
  profile av AV_http_pop3
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
 rule name policy_av_2
  description Intranet-Server
  profile av AV_ftp
  pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
  action permit
#
return
```
CSS configuration file
```
#
 sysname CSS
#
 vlan batch 100 to 126 128 300 2001
#
acl number 3010
 rule 5 permit ip source 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3011
 rule 5 permit ip destination 10.55.1.0 0.0.0.255
 rule 10 permit ip destination 10.55.2.0 0.0.0.255
 rule 15 permit ip destination 10.55.26.0 0.0.0.255
acl number 3012
 rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
 rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
 rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3020
 rule 5 permit ip source 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255
acl number 3021
 rule 5 permit ip destination 10.55.0.0 0.0.0.255
 rule 10 permit ip destination 10.55.200.0 0.0.0.255
acl number 3022
 rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
 rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
#
traffic classifier office-office operator or precedence 40
 if-match acl 3012
traffic classifier from-office operator or precedence 80
 if-match acl 3010
traffic classifier from-server operator or precedence 75
 if-match acl 3020
traffic classifier server-server operator or precedence 65
 if-match acl 3022
traffic classifier to-office operator or precedence 85
 if-match acl 3011
traffic classifier to-server operator or precedence 60
 if-match acl 3021
#
traffic behavior behavior1
 permit
traffic behavior to-eth-trunk100
 permit
 redirect interface Eth-Trunk100
traffic behavior to-eth-trunk105-6
 permit
 redirect ip-nexthop 10.55.28.1
#
traffic policy office-out match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier from-office behavior to-eth-trunk105-6
traffic policy internet-in match-order config
 classifier office-office behavior behavior1
 classifier to-server behavior to-eth-trunk100
 classifier to-office behavior to-eth-trunk105-6
traffic policy ips-to-fw match-order config
 classifier to-server behavior to-eth-trunk105-6
 classifier from-server behavior to-eth-trunk105-6
traffic policy server-out match-order config
 classifier server-server behavior behavior1
 classifier from-server behavior to-eth-trunk100
#
interface Vlanif100
 ip address 10.55.0.1 255.255.255.0
#
interface Vlanif101
 ip address 10.55.1.1 255.255.255.0
#
interface Vlanif102
 ip address 10.55.2.1 255.255.255.0
#
interface Vlanif128
 ip address 10.55.28.4 255.255.255.0
#
interface Vlanif300
 ip address 10.55.200.1 255.255.255.0
#
interface Vlanif2001
 ip address 10.54.1.253 255.255.255.248
#
load-balance-profile sec
#
interface Eth-Trunk100
 description to-ips
 port link-type trunk
 mac-address learning disable
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 126 300 2001
 stp disable
 traffic-policy ips-to-fw inbound
 load-balance enhanced profile sec
#
interface Eth-Trunk105
 description to-ngfw-a
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 128
 load-balance enhanced profile sec
#
interface Eth-Trunk106
 description to-ngfw-b
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 128
 load-balance enhanced profile sec
#
interface GigabitEthernet1/6/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 300
 traffic-policy server-out inbound
 am isolate Eth-Trunk100
#
interface GigabitEthernet2/3/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2001
 traffic-policy internet-in inbound
 am isolate Eth-Trunk100
#
interface GigabitEthernet2/3/0/36
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 101 to 126
 traffic-policy office-out inbound
 am isolate Eth-Trunk100
#
interface XGigabitEthernet1/4/0/0
 eth-trunk 105
#
interface XGigabitEthernet1/4/0/1
 eth-trunk 105
#
interface XGigabitEthernet1/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet1/5/0/1
 eth-trunk 100
#
interface XGigabitEthernet2/4/0/0
 eth-trunk 106
#
interface XGigabitEthernet2/4/0/1
 eth-trunk 106
#
interface XGigabitEthernet2/5/0/0
 eth-trunk 100
#
interface XGigabitEthernet2/5/0/1
 eth-trunk 100
#
return
```