Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches

Background

The IPS module is a card providing the intrusion defense function. It provides intrusion defense, antivirus, and anti-DDoS for IP networks.

The NGFW module functions as a next-generation firewall that provides the firewall, NAT, and VPN functions for IP networks.

There are many methods to deploy the IPS modules and IPS/NGFW modules. This section provides two typical methods, as described in Table 1-30.

Table 1-30 Deploying IPS modules and IPS/NGFW modules on switches

Method	Description
Deploying IPS modules and NGFW modules on a Layer 2 dual-node system and importing flows through redirection	The NGFW modules work in the interface pair mode, and the flows from switches are received by a Layer 2 Eth-Trunk. The IP address of the firewall subinterface is the gateway address for upstream and downstream networks.
Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing	The NGFW modules work in the routing mode, and the flows from switches are received by a Layer 3 Eth-Trunk subinterface. The VLANIF interface address on a switch is the gateway address for upstream and downstream networks.

Method

Description

Deploying IPS modules and NGFW modules on a Layer 2 dual-node system and importing flows through redirection

The NGFW modules work in the interface pair mode, and the flows from switches are received by a Layer 2 Eth-Trunk.

The IP address of the firewall subinterface is the gateway address for upstream and downstream networks.

Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing

The NGFW modules work in the routing mode, and the flows from switches are received by a Layer 3 Eth-Trunk subinterface.

The VLANIF interface address on a switch is the gateway address for upstream and downstream networks.

Table 1-31 lists the products and versions to which this configuration example is applicable.

Table 1-31 Applicable products and versions

Product Model	Software Version
S7700&S9700&S12700	V200R007 and later versions
IPS Module	V100R001C30
NGFW Module	V100R001C30

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Two S12700s are deployed on a network shown in Figure 1-30. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules and NGFW modules work at Layer 2. That is, they access the network transparently.

The customer has the following requirements:

The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 1-31 shows the flow directions.

imgDownload?uuid=3e05c5d0674f40b8868c338 NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

When the IPS module and NGFW module are connected to the switch, the internal Ethernet interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 1-30 Deploying IPS module and NGFW module on a Layer 2 dual-node system and importing flows through redirection
imgDownload?uuid=34ce5d800d2e45a0a724f94
Figure 1-31 Flow direction
imgDownload?uuid=6a08a1130cad4721968d7f3

imgDownload?uuid=62cb3ca542c14bdba3f51e1

imgDownload?uuid=79a8c848f623471b994ae68

imgDownload?uuid=2f61a0c458a941acbd7eb92

Data Plan

Table 1-32, Table 1-33, and Table 1-34 provide the data plan.Table 1-32 Data plan for link aggregation

Device	Interface Number	Interface Description	Member Interface
S12700 cluster	Eth-trunk100	Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet	XGE1/5/0/0
			XGE1/5/0/1
			XGE2/5/0/0
			XGE2/5/0/1
	Eth-trunk101	Connected to NGFW Module_A and NGFW Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet	XGE1/4/0/0
			XGE1/4/0/1
			XGE2/4/0/0
			XGE2/4/0/1
NGFW Module_A	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
NGFW Module_B	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
IPS Module_A	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
IPS Module_B	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2

Table 1-33 VLAN plan

Data	Remarks
100, 300	Server VLANs
101 to 126	Client VLANs
2001	Extranet VLAN

Table 1-34 IP address plan

Device	Data	Remarks
S12700 cluster	VLANIF 100: 10.55.0.1/24 VLANIF 300: 10.55.200.1/24	Server-side gateway
	VLANIF 101: 10.55.1.1/24 VLANIF 102: 10.55.2.1/24 ... VLANIF 126: 10.55.26.1/24	Client-side gateway
	VLANIF 2001: 10.54.1.253/29	Extranet gateway
IPS Module_A	Eth-trunk 0: 192.168.213.5/30	HRP interface
IPS Module_B	Eth-trunk 0: 192.168.213.6/30
NGFW Module_A	Eth-trunk 0: 192.168.213.1/30
NGFW Module_B	Eth-trunk 0: 192.168.213.2/30

Configuration Roadmap

Configure interfaces on NGFW Module_A and NGFW Module_B and set basic parameters.
Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby system working in load balancing mode.
Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
Configure the two S12700s as a cluster.
Implement connectivity between S12700 cluster, NGFW modules, and IPS modules.
Configure a traffic policy on the S12700 cluster and apply the policy to interfaces to implement redirection.

Procedure

Configure interfaces on NGFW modules and set basic parameters.

# Log in to the CLI of NGFW Module_A from Switch_A.

<sysname> connect slot 4

imgDownload?uuid=3e05c5d0674f40b8868c338

NOTE:

To return to the CLI of the switch, press Ctrl+D.

# Set the device name on NGFW Module_A.

<sysname> system-view [sysname] sysname NGFW Module_A

# Create VLANs on NGFW Module_A.

[NGFW Module_A] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from upstream and downstream VLANs to pass.

[NGFW Module_A] interface Eth-Trunk 1 [NGFW Module_A-Eth-Trunk1] description To-master-trunk101 [NGFW Module_A-Eth-Trunk1] portswitch [NGFW Module_A-Eth-Trunk1] port link-type trunk [NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1 [NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001 [NGFW Module_A-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

NOTE:

Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo lldp enable command on the interface before adding it to an Eth-Trunk.

[NGFW Module_A] interface GigabitEthernet 1/0/0 [NGFW Module_A-GigabitEthernet1/0/0] portswitch [NGFW Module_A-GigabitEthernet1/0/0] port link-type access [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1 [NGFW Module_A-GigabitEthernet1/0/0] quit [NGFW Module_A] interface GigabitEthernet 1/0/1 [NGFW Module_A-GigabitEthernet1/0/1] portswitch [NGFW Module_A-GigabitEthernet1/0/1] port link-type access [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1 [NGFW Module_A-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_A.

[NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

[NGFW Module_A] interface Eth-Trunk 0 [NGFW Module_A-Eth-Trunk0] description hrp-interface [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252 [NGFW Module_A-Eth-Trunk0] quit [NGFW Module_A] interface GigabitEthernet 0/0/1 [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0 [NGFW Module_A-GigabitEthernet0/0/1] quit [NGFW Module_A] interface GigabitEthernet 0/0/2 [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0 [NGFW Module_A-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_A to the security zone.

[NGFW Module_A] firewall zone trust [NGFW Module_A-zone-trust] set priority 85 [NGFW Module_A-zone-trust] add interface Eth-Trunk 1 [NGFW Module_A-zone-trust] quit [NGFW Module_A] firewall zone name hrp [NGFW Module_A-zone-hrp] set priority 75 [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0 [NGFW Module_A-zone-hrp] quit

# Log in to the CLI of NGFW Module_B from Switch_B.

<sysname> connect slot 4

# Set the device name on NGFW Module_B.

<sysname> system-view [sysname] sysname NGFW Module_B

# Create VLANs on NGFW Module_B.

[NGFW Module_B] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_B, switch to the interface pair mode, and allow the packets from upstream and downstream VLANs to pass.

[NGFW Module_B] interface Eth-Trunk 1 [NGFW Module_B-Eth-Trunk1] description To-master-trunk101 [NGFW Module_B-Eth-Trunk1] portswitch [NGFW Module_B-Eth-Trunk1] port link-type trunk [NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1 [NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001 [NGFW Module_B-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

[NGFW Module_B] interface GigabitEthernet 1/0/0 [NGFW Module_B-GigabitEthernet1/0/0] portswitch [NGFW Module_B-GigabitEthernet1/0/0] port link-type access [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1 [NGFW Module_B-GigabitEthernet1/0/0] quit [NGFW Module_B] interface GigabitEthernet 1/0/1 [NGFW Module_B-GigabitEthernet1/0/1] portswitch [NGFW Module_B-GigabitEthernet1/0/1] port link-type access [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1 [NGFW Module_B-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_B.

[NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

[NGFW Module_B] interface Eth-Trunk 0 [NGFW Module_B-Eth-Trunk0] description hrp-interface [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252 [NGFW Module_B-Eth-Trunk0] quit [NGFW Module_B] interface GigabitEthernet 0/0/1 [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0 [NGFW Module_B-GigabitEthernet0/0/1] quit [NGFW Module_B] interface GigabitEthernet 0/0/2 [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0 [NGFW Module_B-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_B to the security zone.

[NGFW Module_B] firewall zone trust [NGFW Module_B-zone-trust] set priority 85 [NGFW Module_B-zone-trust] add interface Eth-Trunk 1 [NGFW Module_B-zone-trust] quit [NGFW Module_B] firewall zone name hrp [NGFW Module_B-zone-hrp] set priority 75 [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0 [NGFW Module_B-zone-hrp] quit

Configure hot standby for NGFW modules.

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

[NGFW Module_A] hrp mirror session enable [NGFW Module_A] hrp interface Eth-Trunk 0 [NGFW Module_A] hrp loadbalance-device [NGFW Module_A] hrp enable

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

[NGFW Module_B] hrp mirror session enable [NGFW Module_B] hrp interface Eth-Trunk 0 [NGFW Module_B] hrp loadbalance-device [NGFW Module_B] hrp enable

Configure the security service on the NGFW modules.

After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on NGFW Module_A.

# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

HRP_M[NGFW Module_A] security-policy HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] profile ips default HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] action permit HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] quit HRP_M[NGFW Module_A-policy-security] quit

Configure interfaces on IPS modules and set basic parameters.
1. Log in to the web UI through an Ethernet interface.
  1. Set up a physical connection between the management PC and an IPS module.
  2. Open the browser on the management PC and access https://192.168.0.1:8443.
  3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
  4. Change the password, click OK, and enter the web system.
2. Choose Network > Interface, click of interface GE1/0/0 and set the connection type of GE1/0/0 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
3. Click of interface GE1/0/1 and set the connection type of GE1/0/1 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
4. Click Add, and configure Eth-Trunk 1.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
5. Choose Network > Interface Pair, click Add, and configure an interface pair.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.
  NOTE:
  - The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
  - The Eth-Trunk member interfaces on the IPS Modules must be the same.
  Configure a heartbeat interface on one IPS Module.
  Configure a heartbeat interface on the other IPS Module.
7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
Configure the IPS security service, for example, antivirus.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.
1. Choose Object > Security Profiles > Anti-Virus.
2. Click Add and set the parameters as follows:
3. Click OK.
4. Repeat the previous steps to set the parameters of AV_ftp profile.
Configure a security policy for the outbound direction.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
1. Choose Policy > Security Policy.
2. Click Add.
3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:
  Name
  policy_av_1
  Description
  Intranet-User
  Interface Pair
  Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
  Action
  permit
  Content Security
  Anti-Virus
  AV_http_pop3
Configure the security policy in the direction from the external to internal servers.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.
Name
policy_av_2
Description
Intranet-Server
Interface Pair
Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action
permit
Content Security
Anti-Virus
AV_ftp
Configure the two S12700s as a cluster.
1. Connect cluster cables. For details, see Switch Cluster Setup Guide.
  Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.
  # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.
```
<HUAWEI> system-view [HUAWEI] sysname Switch_A [Switch_A] set css priority 100 
```
  # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
```
<HUAWEI> system-view [HUAWEI] sysname Switch_B [Switch_B] set css id 2 [Switch_B] set css priority 10
```
  # Check the cluster configuration.
  Run the display css status saved command to check whether the configurations are as expected.
  Check the cluster configuration on Switch_A.
```
[Switch_A] display css status saved  Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force       ------------------------------------------------------------------------------    1            1            Off          CSS card    100         Off                
```
  Check the cluster configuration on Switch_B.
```
[Switch_B] display css status saved  Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force       ------------------------------------------------------------------------------    1            2            Off          CSS card    10          Off               
```
2. Enable the cluster function.
  # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.
```
[Switch_A] css enable  Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
  # Enable the cluster function on Switch_B and restart Switch_B.
```
[Switch_B] css enable  Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
3. Check whether the cluster is set up successfully.
  # View the indicator status.
  The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.
  The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.
  # Log in to the cluster through the console port on any MPU to check the cluster status.
```
[Switch_A] display css status CSS Enable switch On                                                                                    Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force    ------------------------------------------------------------------------------    1            On           Master          CSS card    100         Off             2            On           Standby         CSS card    10          Off            
```
  The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.
  # Check whether cluster links work normally.
```
[Switch_A] display css channel
```
  The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.
4. Set the cluster system name to CSS.
```
[Switch_A] sysname CSS [CSS]
```

Name	policy_av_1
Description	Intranet-User
Interface Pair	Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_http_pop3

Name	policy_av_2
Description	Intranet-Server
Interface Pair	Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_ftp

Configure the interfaces and VLAN IDs on switches.

Create VLANs.

[CSS] vlan batch 100 to 126 128 300 2001

Configure upstream and downstream interfaces.

[CSS] interface GigabitEthernet 1/6/0/36  //Connected to server [CSS-GigabitEthernet1/6/0/36] port link-type trunk [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300 [CSS-GigabitEthernet1/6/0/36] quit [CSS] interface GigabitEthernet 2/3/0/0  //Connected to extranet [CSS-GigabitEthernet2/3/0/0] port link-type trunk [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001 [CSS-GigabitEthernet2/3/0/0] quit [CSS] interface GigabitEthernet 2/3/0/36  //Connected to client [CSS-GigabitEthernet2/3/0/36] port link-type trunk [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126 [CSS-GigabitEthernet2/3/0/36] quit

Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.

[CSS] interface vlanif 2001 [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248 [CSS-Vlanif2001] quit [CSS] interface vlanif 100 [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0 [CSS-Vlanif100] quit [CSS] interface vlanif 300 [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0 [CSS-Vlanif300] quit [CSS] interface vlanif 101 [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0 [CSS-Vlanif101] quit [CSS] interface vlanif 102 [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0 [CSS-Vlanif102] quit [CSS] interface vlanif 126 [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0 [CSS-Vlanif126] quit

Add the four interfaces connected to the NGFW module to Eth-Trunk 101 and the four interfaces connected to the IPS module to Eth-Trunk 100.

[CSS] interface eth-trunk 101 [CSS-Eth-Trunk101] description to-ngfw [CSS-Eth-Trunk101] port link-type trunk [CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1 [CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001 [CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1 [CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1 [CSS-Eth-Trunk101] mac-address learning disable [CSS-Eth-Trunk101] stp disable [CSS-Eth-Trunk101] quit [CSS] interface eth-trunk 100 [CSS-Eth-Trunk100] description to-ips [CSS-Eth-Trunk100] port link-type trunk [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1 [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001 [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1 [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1 [CSS-Eth-Trunk100] mac-address learning disable [CSS-Eth-Trunk100] stp disable [CSS-Eth-Trunk100] quit

Set the load balancing mode on Eth-Trunks.

[CSS] load-balance-profile sec [CSS-load-balance-profile-sec] ipv4 field sip dip [CSS-load-balance-profile-sec] quit [CSS] interface Eth-Trunk 101 [CSS-Eth-Trunk101] load-balance enhanced profile sec [CSS-Eth-Trunk101] quit [CSS] interface Eth-Trunk 100 [CSS-Eth-Trunk100] load-balance enhanced profile sec [CSS-Eth-Trunk100] quit

Configure port isolation on the interfaces between the NGFW/IPS module and switches.

[CSS] interface Eth-Trunk 101 [CSS-Eth-Trunk101] port-isolate enable group 1 [CSS-Eth-Trunk101] quit [CSS] interface Eth-Trunk 100 [CSS-Eth-Trunk100] port-isolate enable group 1 [CSS-Eth-Trunk100] quit

Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

[CSS] interface GigabitEthernet 1/6/0/36 [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100 [CSS-GigabitEthernet1/6/0/36] quit [CSS] interface GigabitEthernet 2/3/0/0 [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100 [CSS-GigabitEthernet2/3/0/0] quit [CSS] interface GigabitEthernet 2/3/0/36 [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100 [CSS-GigabitEthernet2/3/0/36] quit

Configure traffic policies and bind them to interfaces to implement redirection.

# Create ACLs.

[CSS] acl 3010  //Match the flows sent from clients [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255 [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255 [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255 [CSS-acl-adv-3010] quit [CSS] acl 3011  //Match the flows destined for clients [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255 [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255 [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255 [CSS-acl-adv-3011] quit [CSS] acl 3020  //Match the flows sent from servers [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255 [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255 [CSS-acl-adv-3020] quit [CSS] acl 3021  //Match the flows destined for servers [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255 [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255 [CSS-acl-adv-3021] quit [CSS] acl 3012  //Match inter-client flows within a subnet [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255 [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255 [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255 [CSS-acl-adv-3012] quit [CSS] acl 3022  //Match inter-server flows within a subnet [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255 [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255 [CSS-acl-adv-3022] quit

# Configure traffic classifiers.

[CSS] traffic classifier from-office operator or precedence 80 [CSS-classifier-from-office] if-match acl 3010 [CSS-classifier-from-office] quit [CSS] traffic classifier to-office operator or precedence 85 [CSS-classifier-to-office] if-match acl 3011 [CSS-classifier-to-office] quit [CSS] traffic classifier from-server operator or precedence 75 [CSS-classifier-from-server] if-match acl 3020 [CSS-classifier-from-server] quit [CSS] traffic classifier to-server operator or precedence 60 [CSS-classifier-to-server] if-match acl 3021 [CSS-classifier-to-server] quit [CSS] traffic classifier office-office operator or precedence 40 [CSS-classifier-office-office] if-match acl 3012 [CSS-classifier-office-office] quit [CSS] traffic classifier server-server operator or precedence 65 [CSS-classifier-server-server] if-match acl 3022 [CSS-classifier-server-server] quit

# Configure traffic behaviors.

[CSS] traffic behavior behavior1 [CSS-behavior-behavior1] permit [CSS-behavior-behavior1] quit [CSS] traffic behavior to-eth-trunk100 [CSS-behavior-to-eth-trunk100] permit [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100 [CSS-behavior-to-eth-trunk100] quit [CSS] traffic behavior to-eth-trunk101 [CSS-behavior-to-eth-trunk101] permit [CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101 [CSS-behavior-to-eth-trunk101] quit

# Bind traffic policies to interfaces.

[CSS] traffic policy ips-to-fw match-order config [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101 [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101 [CSS-trafficpolicy-ips-to-fw] quit [CSS] interface Eth-Trunk 100 [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS module to the NGFW module [CSS-Eth-Trunk100] quit [CSS] traffic policy internet-in match-order config [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1 [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101  //Redirect the flows from extranet to clients to the NGFW module [CSS-trafficpolicy-internet-in] quit [CSS] interface GigabitEthernet 2/3/0/0 [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound [CSS-GigabitEthernet2/3/0/0] quit [CSS] traffic policy office-out match-order config [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module [CSS-trafficpolicy-office-out] quit [CSS] interface GigabitEthernet 2/3/0/36 [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound [CSS-GigabitEthernet2/3/0/36] quit [CSS] traffic policy server-out match-order config [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module [CSS-trafficpolicy-server-out] quit [CSS] interface GigabitEthernet 1/6/0/36 [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound [CSS-GigabitEthernet1/6/0/36] quit

Verify the configuration.

# Check the configuration of S12700 cluster.

[CSS] display device Chassis 1 (Master Switch) S12708's Device status: Slot  Sub   Type            Online    Power      Register       Status     Role ----------  ------------   --------------------------------------------------------- 4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA 5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA 6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA 7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA 9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master 10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave 12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA       1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA PWR1  -     -               Present   PowerOn    Registered     Normal     NA CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master FAN1  -     -               Present   PowerOn    Registered     Normal     NA FAN2  -     -               Present   PowerOn    Registered     Normal     NA FAN3  -     -               Present   PowerOn    Registered     Normal     NA FAN4  -     -               Present   PowerOn    Registered     Normal     NA Chassis 2   (Standby Switch) S12712's D  evice status   : Slot  Sub   Type            Online    Power      Register       Status     Role ----------  ------------   --------------------------------------------------------- 3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA 4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA 5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA 7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA 13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master 14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave 18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA       1     EH1D2VS08000    Present   PowerOn    Registered     Normal     NA PWR1  -     -               Present   PowerOn    Registered     Normal     NA PWR2  -     -               Present   PowerOn    Registered     Normal     NA CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master FAN1  -     -               Present   PowerOn    Registered     Normal     NA FAN2  -     -               Present   PowerOn    Registered     Normal     NA FAN3  -     -               Present   PowerOn    Registered     Normal     NA FAN4  -     -               Present   PowerOn    Registered     Normal     NA FAN5  -     -               Present   PowerOn    Registered     Normal     NA

# Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.

[IPS Module] display interface brief | include up 2016/5/31 10:49 PHY: Physical *down: administratively down ^down: standby down (s): spoofing InUti/OutUti: input utility/output utility Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/2      up    up          0%     0%                 0                 0 Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0 NULL0                       up    up(s)       0%     0%                 0                 0

[NGFW Module_B] display interface brief | include up 10:56:34  2016/05/31 PHY: Physical *down: administratively down ^down: standby down (s): spoofing InUti/OutUti: input utility/output utility Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0 Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0 NULL0                       up    up(s)       0%     0%                 0                 0

# Check traffic statistics on interfaces.

The traffic statistics between clients and servers are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up        0.15%  0.15%          0          0   XGigabitEthernet1/5/0/0   up    up        0.60%     0%          0          0   XGigabitEthernet1/5/0/1   up    up           0%  0.60%          0          0   XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0 Eth-Trunk101                up    up        0.15%  0.15%          0          0   XGigabitEthernet1/4/0/0   up    up        0.60%     0%          0          0   XGigabitEthernet1/4/0/1   up    up           0%  0.60%          0          0   XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0 Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0 GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif128                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

The traffic statistics between clients and extranet are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up           0%     0%          0          0   XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0 Eth-Trunk101                up    up        0.12%  0.12%          0          0   XGigabitEthernet1/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/0   up    up           0%  0.33%          0          0   XGigabitEthernet2/4/0/1   up    up        0.50%  0.17%          0          0 Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0 GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

The traffic statistics between servers and extranet are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up        0.13%  0.13%          0          0   XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0   XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0 Eth-Trunk101                up    up        0.13%  0.13%          0          0   XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0   XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0 Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0 GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

Configuration Files

NGFW module configuration files

NGFW Module_A	NGFW Module_B
# sysname NGFW Module_A # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.1 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk101 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # return	# sysname NGFW Module_B # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.2 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk101 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # return

NGFW Module_A

NGFW Module_B

# sysname NGFW Module_A # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0  description hrp-interface  ip address 192.168.213.1 255.255.255.252 # interface Eth-Trunk 1  description To-master-trunk101  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # firewall zone trust  set priority 85  add interface Eth-Trunk1 # firewall zone name hrp  set priority 75  add interface Eth-Trunk 0 # security-policy  rule name policy_to_wan   source-address 10.55.0.0 16   source-address 10.54.1.248 29   profile ips default   action permit # return

# sysname NGFW Module_B # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0  description hrp-interface  ip address 192.168.213.2 255.255.255.252 # interface Eth-Trunk 1  description To-master-trunk101  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # firewall zone trust  set priority 85  add interface Eth-Trunk1 # firewall zone name hrp  set priority 75  add interface Eth-Trunk 0 # security-policy  rule name policy_to_wan   source-address 10.55.0.0 16   source-address 10.54.1.248 29   profile ips default   action permit # return

IPS module configuration files

IPS Module_A	IPS Module_B
# sysname IPS Module_A # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.5 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return	# sysname IPS Module_B # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.6 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return

IPS Module_A

IPS Module_B

# sysname IPS Module_A # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0  ip address 192.168.213.5 255.255.255.252 # interface Eth-Trunk 1  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # profile type av name AV_http_pop3     description http-pop3       http-detect direction download       undo ftp-detect        undo smtp-detect          pop3-detect action delete-attachment    undo imap-detect     undo nfs-detect   undo smb-detect    exception application name Netease_Webmail action allow     exception av-signature-id 1000   profile type av name AV_ftp    description ftp     undo http-detect    ftp-detect direction upload  undo smtp-detect    undo pop3-detect       undo imap-detect      undo nfs-detect    undo smb-detect   # security-policy  rule name policy_av_1   description Intranet-User   profile av AV_http_pop3   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit  rule name policy_av_2   description Intranet-Server   profile av AV_ftp   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit # return

# sysname IPS Module_B # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0  ip address 192.168.213.6 255.255.255.252 # interface Eth-Trunk 1  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # profile type av name AV_http_pop3     description http-pop3       http-detect direction download       undo ftp-detect        undo smtp-detect          pop3-detect action delete-attachment    undo imap-detect     undo nfs-detect   undo smb-detect    exception application name Netease_Webmail action allow     exception av-signature-id 1000   profile type av name AV_ftp    description ftp     undo http-detect    ftp-detect direction upload  undo smtp-detect    undo pop3-detect       undo imap-detect      undo nfs-detect    undo smb-detect   # security-policy  rule name policy_av_1   description Intranet-User   profile av AV_http_pop3   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit  rule name policy_av_2   description Intranet-Server   profile av AV_ftp   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit # return

CSS configuration file

# sysname CSS # vlan batch 100 to 126 128 300 2001 # acl number 3010  rule 5 permit ip source 10.55.1.0 0.0.0.255  rule 10 permit ip source 10.55.2.0 0.0.0.255  rule 15 permit ip source 10.55.26.0 0.0.0.255 acl number 3011  rule 5 permit ip destination 10.55.1.0 0.0.0.255  rule 10 permit ip destination 10.55.2.0 0.0.0.255  rule 15 permit ip destination 10.55.26.0 0.0.0.255 acl number 3012  rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255  rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255  rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255 acl number 3020  rule 5 permit ip source 10.55.0.0 0.0.0.255  rule 10 permit ip source 10.55.200.0 0.0.0.255 acl number 3021  rule 5 permit ip destination 10.55.0.0 0.0.0.255  rule 10 permit ip destination 10.55.200.0 0.0.0.255 acl number 3022  rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255  rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255 # traffic classifier office-office operator or precedence 40  if-match acl 3012 traffic classifier from-office operator or precedence 80  if-match acl 3010 traffic classifier from-server operator or precedence 75  if-match acl 3020 traffic classifier server-server operator or precedence 65 if-match acl 3022 traffic classifier to-office operator or precedence 85  if-match acl 3011 traffic classifier to-server operator or precedence 60  if-match acl 3021 # traffic behavior behavior1  permit traffic behavior to-eth-trunk100  permit  redirect interface Eth-Trunk100 traffic behavior to-eth-trunk101  permit  redirect interface Eth-Trunk101 # traffic policy office-out match-order config  classifier office-office behavior behavior1  classifier to-server behavior to-eth-trunk100  classifier from-office behavior to-eth-trunk101 traffic policy internet-in match-order config  classifier office-office behavior behavior1  classifier to-server behavior to-eth-trunk100  classifier to-office behavior to-eth-trunk101 traffic policy ips-to-fw match-order config  classifier to-server behavior to-eth-trunk101  classifier from-server behavior to-eth-trunk101 traffic policy server-out match-order config  classifier server-server behavior behavior1  classifier from-server behavior to-eth-trunk100 # interface Vlanif100  ip address 10.55.0.1 255.255.255.0 # interface Vlanif101  ip address 10.55.1.1 255.255.255.0 # interface Vlanif102  ip address 10.55.2.1 255.255.255.0 # interface Vlanif300  ip address 10.55.200.1 255.255.255.0 # interface Vlanif2001  ip address 10.54.1.253 255.255.255.248 # load-balance-profile sec # interface Eth-Trunk100  description to-ips  port link-type trunk  mac-address learning disable  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 100 to 126 300 2001  stp disable  traffic-policy ips-to-fw inbound  load-balance enhanced profile sec  port-isolate enable group 1 # interface Eth-Trunk101  description to-ngfw  port link-type trunk  mac-address learning disable  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 100 to 126 300 2001  stp disable  load-balance enhanced profile sec  port-isolate enable group 1 # interface GigabitEthernet1/6/0/36  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 100 300  traffic-policy server-out inbound  am isolate Eth-Trunk101 Eth-Trunk100 # interface GigabitEthernet2/3/0/0  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 2001  traffic-policy internet-in inbound  am isolate Eth-Trunk101 Eth-Trunk100 # interface GigabitEthernet2/3/0/36  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 101 to 126  traffic-policy office-out inbound  am isolate Eth-Trunk101 Eth-Trunk100 # interface XGigabitEthernet1/4/0/0  eth-trunk 101 # interface XGigabitEthernet1/4/0/1  eth-trunk 101 # interface XGigabitEthernet1/5/0/0  eth-trunk 100 # interface XGigabitEthernet1/5/0/1  eth-trunk 100 # interface XGigabitEthernet2/4/0/0  eth-trunk 101 # interface XGigabitEthernet2/4/0/1  eth-trunk 101 # interface XGigabitEthernet2/5/0/0  eth-trunk 100 # interface XGigabitEthernet2/5/0/1  eth-trunk 100 # return

Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements

Two S12700s are deployed on a network shown in Figure 1-32. An NGFW module and an IPS module are installed in slot 4 and slot 5 respectively on each S12700. The two S12700s set up a cluster and work in hot standby mode. The IPS modules work at Layer 2. That is, they access the network transparently. The NGFW modules work at Layer 3 (flows imported at Layer 3) in active/standby mode.

The customer has the following requirements:

The inter-client flows and inter-server flows within a subnet are directly forwarded by the switches.
The inter-client flows on different subnets and the flows between clients and the extranet are checked by the NGFW modules.
The flows between clients/extranet and servers and the inter-server flows on different subnets are filtered by the IPS modules and then checked by the NGFW modules.

Figure 1-33 shows the flow directions.

imgDownload?uuid=3e05c5d0674f40b8868c338 NOTE:

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.

Figure 1-32 Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3 dual-node system, and importing flows based on policy routing
imgDownload?uuid=34ce5d800d2e45a0a724f94
Figure 1-33 Flow direction
imgDownload?uuid=6a08a1130cad4721968d7f3

imgDownload?uuid=62cb3ca542c14bdba3f51e1

imgDownload?uuid=79a8c848f623471b994ae68

imgDownload?uuid=2f61a0c458a941acbd7eb92

Data Plan

Table 1-35, Table 1-36, and Table 1-37 provide the data plan.Table 1-35 Data plan for link aggregation

Device	Interface Number	Interface Description	Member Interface
S12700 cluster	Eth-trunk100	Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet	XGE1/5/0/0
			XGE1/5/0/1
			XGE2/5/0/0
			XGE2/5/0/1
	Eth-trunk105	Connected to NGFW Module_A to transparently transmit the packets from VLAN 128	XGE1/4/0/0
	Eth-trunk105		XGE1/4/0/1
	Eth-trunk106	Connected to NGFW Module_B to transparently transmit the packets from VLAN 128	XGE2/4/0/0
	Eth-trunk106		XGE2/4/0/1
NGFW Module_A	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Layer 3 interface connected to the S12700 cluster	GE1/0/1
	Eth-trunk1	Layer 3 interface connected to the S12700 cluster	GE1/0/2
NGFW Module_B	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to NGFW Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Layer 3 interface connected to the S12700 cluster	GE1/0/1
	Eth-trunk1	Layer 3 interface connected to the S12700 cluster	GE1/0/2
IPS Module_A	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_B through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2
IPS Module_B	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/1
	Eth-trunk0	Connected to IPS Module_A through the heartbeat line	GE0/0/2
	Eth-trunk1	Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet	GE1/0/1
	Eth-trunk1		GE1/0/2

Table 1-36 VLAN plan

Data	Remarks
100, 300	Server VLANs
101 to 126	Client VLANs
128	Layer 3 interface between the NGFW module and switch
2001	Extranet VLAN

Table 1-37 IP address plan

Device	Data	Remarks
S12700 cluster	VLANIF 100: 10.55.0.1/24 VLANIF 300: 10.55.200.1/24	Server-side gateway
	VLANIF 101: 10.55.1.1/24 VLANIF 102: 10.55.2.1/24 ... VLANIF 126: 10.55.26.1/24	Client-side gateway
	VLANIF 128: 10.54.28.4/24	Layer 3 interface connected to the NGFW module
	VLANIF 2001: 10.54.1.253/29	Extranet gateway
IPS Module_A	Eth-trunk 0: 192.168.213.5/30	HRP interface
IPS Module_B	Eth-trunk 0: 192.168.213.6/30	HRP interface
NGFW Module_A	Eth-trunk 0: 192.168.213.1/30	HRP interface
	Eth-trunk 1.1: 10.55.28.2/24	Master IP address of the VRRP group connected to the S12700 cluster
	10.55.28.1	VRRP virtual IP address
NGFW Module_B	Eth-trunk 0: 192.168.213.2/30	HRP interface
	Eth-trunk 1.1: 10.55.28.3/24	Backup IP address of the VRRP group connected to the S12700 cluster
	10.55.28.1	VRRP virtual IP address

Configuration Roadmap

Configure interfaces and static routes on NGFW Module_A and NGFW Module_B and set basic parameters.
Configure NGFW Module_A and NGFW Module_B as a Layer 3 VRRP group working in hot standby mode.
Configure the security service on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion. The configurations on NGFW Module_A can be automatically backed up to NGFW Module_B.
Configure interfaces on IPS Module_A and IPS Module_B and set basic parameters.
Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system working in load balancing mode.
Configure the security service on IPS Module_A, for example, antivirus. The configurations on IPS Module_A can be automatically backed up to IPS Module_B.
Configure the two S12700s as a cluster.
Implement connectivity between S12700 cluster, NGFW modules, and IPS modules.
Configure a routing policy on the S12700 cluster to implement redirection.

Procedure

Configure interfaces on NGFW modules and set basic parameters.

# Log in to the CLI of NGFW Module_A from Switch_A.

<sysname> connect slot 4

NOTE:

To return to the CLI of the switch, press Ctrl+D.

# Set the device name on NGFW Module_A.

<sysname> system-view [sysname] sysname NGFW Module_A

# Create VLANs on NGFW Module_A.

[NGFW Module_A] vlan batch 100 to 126 300 2001

# Create Layer 3 Eth-Trunk 1 on NGFW Module_A.

[NGFW Module_A] interface Eth-Trunk 1 [NGFW Module_A-Eth-Trunk1] description To-master-trunk105 [NGFW Module_A-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

NOTE:

[NGFW Module_A] interface GigabitEthernet 1/0/0 [NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1 [NGFW Module_A-GigabitEthernet1/0/0] quit [NGFW Module_A] interface GigabitEthernet 1/0/1 [NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1 [NGFW Module_A-GigabitEthernet1/0/1] quit

# Create a Layer 3 subinterface and configure a VRRP group.

[NGFW Module_A] interface Eth-Trunk 1.1 [NGFW Module_A-Eth-Trunk1.1] vlan-type dot1q 128 [NGFW Module_A-Eth-Trunk1.1] ip address 10.55.28.2 255.255.255.0 [NGFW Module_A-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active [NGFW Module_A-Eth-Trunk1.1] service-manage ping permit [NGFW Module_A-Eth-Trunk1.1] quit

# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.

[NGFW Module_A] interface Eth-Trunk 0 [NGFW Module_A-Eth-Trunk0] description hrp-interface [NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252 [NGFW Module_A-Eth-Trunk0] quit [NGFW Module_A] interface GigabitEthernet 0/0/1 [NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0 [NGFW Module_A-GigabitEthernet0/0/1] quit [NGFW Module_A] interface GigabitEthernet 0/0/2 [NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0 [NGFW Module_A-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_A to the security zone.

[NGFW Module_A] firewall zone trust [NGFW Module_A-zone-trust] add interface Eth-Trunk 1 [NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1 [NGFW Module_A-zone-trust] quit [NGFW Module_A] firewall zone name hrp [NGFW Module_A-zone-hrp] set priority 75 [NGFW Module_A-zone-hrp] add interface Eth-Trunk 0 [NGFW Module_A-zone-hrp] quit

# Configure static routes on NGFW Module_A.

[NGFW Module_A] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet [NGFW Module_A] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside [NGFW Module_A] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 [NGFW Module_A] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 [NGFW Module_A] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside [NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

# Log in to the CLI of NGFW Module_B from Switch_B.

<sysname> connect slot 4

# Set the device name on NGFW Module_B.

<sysname> system-view [sysname] sysname NGFW Module_B

# Create VLANs on NGFW Module_B.

[NGFW Module_B] vlan batch 100 to 126 300 2001

# Create Layer 3 Eth-Trunk 1 on NGFW Module_B.

[NGFW Module_B] interface Eth-Trunk 1 [NGFW Module_B-Eth-Trunk1] description To-master-trunk105 [NGFW Module_B-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.

[NGFW Module_B] interface GigabitEthernet 1/0/0 [NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1 [NGFW Module_B-GigabitEthernet1/0/0] quit [NGFW Module_B] interface GigabitEthernet 1/0/1 [NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1 [NGFW Module_B-GigabitEthernet1/0/1] quit

# Create a Layer 3 subinterface and configure a VRRP group.

[NGFW Module_B] interface Eth-Trunk 1.1 [NGFW Module_B-Eth-Trunk1.1] vlan-type dot1q 128 [NGFW Module_B-Eth-Trunk1.1] ip address 10.55.28.3 255.255.255.0 [NGFW Module_B-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active [NGFW Module_B-Eth-Trunk1.1] service-manage ping permit [NGFW Module_B-Eth-Trunk1.1] quit

# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.

[NGFW Module_B] interface Eth-Trunk 0 [NGFW Module_B-Eth-Trunk0] description hrp-interface [NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252 [NGFW Module_B-Eth-Trunk0] quit [NGFW Module_B] interface GigabitEthernet 0/0/1 [NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0 [NGFW Module_B-GigabitEthernet0/0/1] quit [NGFW Module_B] interface GigabitEthernet 0/0/2 [NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0 [NGFW Module_B-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_B to the security zone.

[NGFW Module_B] firewall zone trust [NGFW Module_B-zone-trust] add interface Eth-Trunk 1 [NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1 [NGFW Module_B-zone-trust] quit [NGFW Module_B] firewall zone name hrp [NGFW Module_B-zone-hrp] set priority 75 [NGFW Module_B-zone-hrp] add interface Eth-Trunk 0 [NGFW Module_B-zone-hrp] quit

# Configure static routes on NGFW Module_B.

[NGFW Module_B] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4  //The destination address is on the external subnet [NGFW Module_B] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where clients reside [NGFW Module_B] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 [NGFW Module_B] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 [NGFW Module_B] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4  //The destination address is on the subnet where servers reside [NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

Configure hot standby for NGFW modules.

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.

[NGFW Module_A] hrp mirror session enable [NGFW Module_A] hrp interface Eth-Trunk 0 [NGFW Module_A] hrp loadbalance-device [NGFW Module_A] hrp enable

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.

[NGFW Module_B] hrp mirror session enable [NGFW Module_B] hrp interface Eth-Trunk 0 [NGFW Module_B] hrp loadbalance-device [NGFW Module_B] hrp enable

Configure the security service on the NGFW modules.

# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and extranet to pass and prevent intrusion.

HRP_M[NGFW Module_A] security-policy HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.55.0.0 16  //Subnet where clients and servers reside HRP_M[NGFW Module_A-policy-security-rule_policy-policy_to_wan] source-address 10.54.1.248 29  //Subnet of the extranet HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] profile ips default HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] action permit HRP_M[NGFW Module_A-policy-security-rule-policy_policy_to_wan] quit HRP_M[NGFW Module_A-policy-security] quit

Configure interfaces on IPS modules and set basic parameters.
1. Log in to the web UI through an Ethernet interface.
  1. Set up a physical connection between the management PC and an IPS module.
  2. Open the browser on the management PC and access https://192.168.0.1:8443.
  3. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
  4. Change the password, click OK, and enter the web system.
2. Choose Network > Interface, click of interface GE1/0/0 and set the connection type of GE1/0/0 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
3. Click of interface GE1/0/1 and set the connection type of GE1/0/1 to access.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
4. Click Add, and configure Eth-Trunk 1.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
5. Choose Network > Interface Pair, click Add, and configure an interface pair.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.
  NOTE:
  - The IP addresses of heartbeat interfaces on the IPS Modules must be in the same network segment.
  - The Eth-Trunk member interfaces on the IPS Modules must be the same.
  Configure a heartbeat interface on one IPS Module.
  Configure a heartbeat interface on the other IPS Module.
7. Choose System > Dual-System Hot Backup, click Edit, and configure hot standby.
  The configurations on the two IPS Modules are the same. The following part provides the configuration on one IPS Module.
Configure the IPS security service, for example, antivirus.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security service on IPS Module_A.
1. Choose Object > Security Profiles > Anti-Virus.
2. Click Add and set the parameters as follows:
3. Click OK.
4. Repeat the previous steps to set the parameters of AV_ftp profile.
Configure a security policy for the outbound direction.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
1. Choose Policy > Security Policy.
2. Click Add.
3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:
  Name
  policy_av_1
  Description
  Intranet-User
  Interface Pair
  Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
  Action
  permit
  Content Security
  Anti-Virus
  AV_http_pop3
Configure the security policy in the direction from the external to internal servers.
After hot standby is configured, the configurations and sessions on the active device are automatically synchronized to the standby device; therefore, you only need to configure the security policy on IPS Module_A.
Refer to the method of configuring the security policy in the direction from internal clients to external servers. The parameters are as follows.
Name
policy_av_2
Description
Intranet-Server
Interface Pair
Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action
permit
Content Security
Anti-Virus
AV_ftp
Configure the two S12700s as a cluster.
1. Connect cluster cables. For details, see Switch Cluster Setup Guide.
  Set the cluster connection mode (for example, cluster card mode), cluster IDs, and priorities.
  # Configure the cluster on Switch_A. Retain the default cluster connection mode (cluster card mode) and the default cluster ID 1, and set the priority to 100.
```
<HUAWEI> system-view [HUAWEI] sysname Switch_A [Switch_A] set css priority 100 
```
  # Configure the cluster on Switch_B. Retain the default cluster connection mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
```
<HUAWEI> system-view [HUAWEI] sysname Switch_B [Switch_B] set css id 2 [Switch_B] set css priority 10
```
  # Check the cluster configuration.
  Run the display css status saved command to check whether the configurations are as expected.
  Check the cluster configuration on Switch_A.
```
[Switch_A] display css status saved  Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force       ------------------------------------------------------------------------------    1            1            Off          CSS card    100         Off                
```
  Check the cluster configuration on Switch_B.
```
[Switch_B] display css status saved  Current Id   Saved Id     CSS Enable   CSS Mode    Priority    Master Force       ------------------------------------------------------------------------------    1            2            Off          CSS card    10          Off               
```
2. Enable the cluster function.
  # Enable the cluster function on Switch_A and restart Switch_A. Switch_A becomes the active switch.
```
[Switch_A] css enable  Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
  # Enable the cluster function on Switch_B and restart Switch_B.
```
[Switch_B] css enable  Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
```
3. Check whether the cluster is set up successfully.
  # View the indicator status.
  The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating that the MPU is the active MPU of the cluster and Switch_A is the master switch.
  The CSS MASTER indicator on an MPU of Switch_B is off, indicating that Switch_B is the standby switch.
  # Log in to the cluster through the console port on any MPU to check the cluster status.
```
[Switch_A] display css status CSS Enable switch On                                                                                   Chassis Id   CSS Enable   CSS Status      CSS Mode    Priority    Master Force    ------------------------------------------------------------------------------    1            On           Master          CSS card    100         Off             2            On           Standby         CSS card    10          Off            
```
  The preceding information includes the cluster IDs, priorities, cluster enablement status, and cluster status, indicating that the cluster is successfully established.
  # Check whether cluster links work normally.
```
[Switch_A] display css channel
```
  The command output shows that all the cluster links are working normally, indicating that the cluster is established successfully.
4. Set the cluster system name to CSS.
```
[Switch_A] sysname CSS [CSS]
```

Name	policy_av_1
Description	Intranet-User
Interface Pair	Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_http_pop3

Name	policy_av_2
Description	Intranet-Server
Interface Pair	Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action	permit
Content Security
Anti-Virus	AV_ftp

Configure the interfaces and VLAN IDs on switches.

Create VLANs.

[CSS] vlan batch 100 to 126 128 300 2001

Configure upstream and downstream interfaces.

[CSS] interface GigabitEthernet 1/6/0/36  //Connected to server [CSS-GigabitEthernet1/6/0/36] port link-type trunk [CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300 [CSS-GigabitEthernet1/6/0/36] quit [CSS] interface GigabitEthernet 2/3/0/0  //Connected to the extranet [CSS-GigabitEthernet2/3/0/0] port link-type trunk [CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001 [CSS-GigabitEthernet2/3/0/0] quit [CSS] interface GigabitEthernet 2/3/0/36  //Connected to client [CSS-GigabitEthernet2/3/0/36] port link-type trunk [CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1 [CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126 [CSS-GigabitEthernet2/3/0/36] quit

Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN 101, VLAN 102, and VLAN 126.

[CSS] interface vlanif 2001 [CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248 [CSS-Vlanif2001] quit [CSS] interface vlanif 100 [CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0 [CSS-Vlanif100] quit [CSS] interface vlanif 300 [CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0 [CSS-Vlanif300] quit [CSS] interface Vlanif 101 [CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0 [CSS-Vlanif101] quit [CSS] interface vlanif 102 [CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0 [CSS-Vlanif102] quit [CSS] interface vlanif 126 [CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0 [CSS-Vlanif126] quit [CSS] interface vlanif 128  //Layer 3 interface connected to the NGFW module [CSS-Vlanif128] ip address 10.55.28.4 255.255.255.0 [CSS-Vlanif128] quit

Add the eight interfaces between the switches and NGFW/IPS modules to Eth-Trunk 105, Eth-Trunk 106, and Eth-Trunk 100.

[CSS] interface eth-trunk 105 [CSS-Eth-Trunk105] description to-ngfw-a [CSS-Eth-Trunk105] port link-type trunk [CSS-Eth-Trunk105] undo port trunk allow-pass vlan 1 [CSS-Eth-Trunk105] port trunk allow-pass vlan 128 [CSS-Eth-Trunk105] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1 [CSS-Eth-Trunk105] quit [CSS] interface eth-trunk 106 [CSS-Eth-Trunk106] description to-ngfw-b [CSS-Eth-Trunk106] port link-type trunk [CSS-Eth-Trunk106] undo port trunk allow-pass vlan 1 [CSS-Eth-Trunk106] port trunk allow-pass vlan 128 [CSS-Eth-Trunk106] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1 [CSS-Eth-Trunk106] quit [CSS] interface eth-trunk 100 [CSS-Eth-Trunk100] description to-ips [CSS-Eth-Trunk100] port link-type trunk [CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1 [CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001 [CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1 [CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1 [CSS-Eth-Trunk100] mac-address learning disable [CSS-Eth-Trunk100] stp disable [CSS-Eth-Trunk100] quit

Set the load balancing mode on Eth-Trunks.

[CSS] load-balance-profile sec [CSS-load-balance-profile-sec] ipv4 field sip dip [CSS-load-balance-profile-sec] quit [CSS] interface Eth-Trunk 100 [CSS-Eth-Trunk100] load-balance enhanced profile sec [CSS-Eth-Trunk100] quit [CSS] interface Eth-Trunk 105 [CSS-Eth-Trunk105] load-balance enhanced profile sec [CSS-Eth-Trunk105] quit [CSS] interface Eth-Trunk 106 [CSS-Eth-Trunk106] load-balance enhanced profile sec [CSS-Eth-Trunk106] quit

Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.

[CSS] interface GigabitEthernet 1/6/0/36 [CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk100 [CSS-GigabitEthernet1/6/0/36] quit [CSS] interface GigabitEthernet 2/3/0/0 [CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk100 [CSS-GigabitEthernet2/3/0/0] quit [CSS] interface GigabitEthernet 2/3/0/36 [CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk100 [CSS-GigabitEthernet2/3/0/36] quit

Configure traffic policies and bind them to interfaces to implement redirection.

# Create ACLs.

[CSS] acl 3010  //Match the flows sent from clients [CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255 [CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255 [CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255 [CSS-acl-adv-3010] quit [CSS] acl 3011  //Match the flows destined for clients [CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255 [CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255 [CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255 [CSS-acl-adv-3011] quit [CSS] acl 3020  //Match the flows sent from servers [CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255 [CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255 [CSS-acl-adv-3020] quit [CSS] acl 3021  //Match the flows destined for servers [CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255 [CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255 [CSS-acl-adv-3021] quit [CSS] acl 3012  //Match inter-client flows within a subnet [CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255 [CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255 [CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255 [CSS-acl-adv-3012] quit [CSS] acl 3022  //Match inter-server flows within a subnet [CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255 [CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255 [CSS-acl-adv-3022] quit

# Configure traffic classifiers.

[CSS] traffic classifier from-office operator or precedence 80 [CSS-classifier-from-office] if-match acl 3010 [CSS-classifier-from-office] quit [CSS] traffic classifier to-office operator or precedence 85 [CSS-classifier-to-office] if-match acl 3011 [CSS-classifier-to-office] quit [CSS] traffic classifier from-server operator or precedence 75 [CSS-classifier-from-server] if-match acl 3020 [CSS-classifier-from-server] quit [CSS] traffic classifier to-server operator or precedence 60 [CSS-classifier-to-server] if-match acl 3021 [CSS-classifier-to-server] quit [CSS] traffic classifier office-office operator or precedence 40 [CSS-classifier-office-office] if-match acl 3012 [CSS-classifier-office-office] quit [CSS] traffic classifier server-server operator or precedence 65 [CSS-classifier-server-server] if-match acl 3022 [CSS-classifier-server-server] quit

# Configure traffic behaviors.

[CSS] traffic behavior behavior1 [CSS-behavior-behavior1] permit [CSS-behavior-behavior1] quit [CSS] traffic behavior to-eth-trunk100 [CSS-behavior-to-eth-trunk100] permit [CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100  //Do not redirect flows [CSS-behavior-to-eth-trunk100] quit [CSS] traffic behavior to-eth-trunk105-6 [CSS-behavior-to-eth-trunk105-6] permit [CSS-behavior-to-eth-trunk105-6] redirect ip-nexthop 10.55.28.1  //Redirect flows to the NGFW module [CSS-behavior-to-eth-trunk105-6] quit

# Bind traffic policies to interfaces.

[CSS] traffic policy ips-to-fw match-order config [CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk105-6 [CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk105-6 [CSS-trafficpolicy-ips-to-fw] quit [CSS] interface Eth-Trunk 100 [CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound  //Redirect the flows filtered by the IPS Module to the NGFW module [CSS-Eth-Trunk100] quit [CSS] traffic policy internet-in match-order config [CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1 [CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100  //Redirect the flows from extranet to servers to the IPS module [CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk105-6  //Redirect the flows from extranet to clients to the NGFW module [CSS-trafficpolicy-internet-in] quit [CSS] interface GigabitEthernet 2/3/0/0 [CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound [CSS-GigabitEthernet2/3/0/0] quit [CSS] traffic policy office-out match-order config [CSS-trafficpolicy-office-out] classifier office-office behavior behavior1  //Do not redirect the inter-client flows within a subnet [CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100  //Redirect the flows from clients to servers to the IPS module [CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk105-6  //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module [CSS-trafficpolicy-office-out] quit [CSS] interface GigabitEthernet 2/3/0/36 [CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound [CSS-GigabitEthernet2/3/0/36] quit [CSS] traffic policy server-out match-order config [CSS-trafficpolicy-server-out] classifier server-server behavior behavior1  //Do not redirect the inter-server flows within a subnet [CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100  //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module [CSS-trafficpolicy-server-out] quit [CSS] interface GigabitEthernet 1/6/0/36 [CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound [CSS-GigabitEthernet1/6/0/36] quit

Verify the configuration.

# Check the configuration of S12700 cluster.

[CSS] display device Chassis 1 (Master Switch) S12708's Device status: Slot  Sub   Type            Online    Power      Register       Status     Role ----------  ------------   --------------------------------------------------------- 4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA 5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA 6     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA 7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA 9     -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master 10    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave 12    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA 1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA PWR1  -     -               Present   PowerOn    Registered     Normal     NA CMU1  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Slave CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master FAN1  -     -               Present   PowerOn    Registered     Normal     NA FAN2  -     -               Present   PowerOn    Registered     Normal     NA FAN3  -     -               Present   PowerOn    Registered     Normal     NA FAN4  -     -               Present   PowerOn    Registered     Normal     NA Chassis 2   (Standby Switch) S12712's Device status   : Slot  Sub   Type            Online    Power      Register       Status     Role ----------  ------------   --------------------------------------------------------- 3     -     ET1D2G48SX1E    Present   PowerOn    Registered     Normal     NA 4     -     ET1D2FW00S00    Present   PowerOn    Registered     Normal     NA 5     -     ET1D2IPS0S00    Present   PowerOn    Registered     Normal     NA 7     -     ET1D2X48SEC0    Present   PowerOn    Registered     Normal     NA 13    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Master 14    -     ET1D2MPUA000    Present   PowerOn    Registered     Normal     Slave 18    -     ET1D2SFUD000    Present   PowerOn    Registered     Normal     NA 1           EH1D2VS08000    Present   PowerOn    Registered     Normal     NA PWR1  -     -               Present   PowerOn    Registered     Normal     NA PWR2  -     -               Present   PowerOn    Registered     Normal     NA CMU2  -     EH1D200CMU00    Present   PowerOn    Registered     Normal     Master FAN1  -     -               Present   PowerOn    Registered     Normal     NA FAN2  -     -               Present   PowerOn    Registered     Normal     NA FAN3  -     -               Present   PowerOn    Registered     Normal     NA FAN4  -     -               Present   PowerOn    Registered     Normal     NA FAN5  -     -               Present   PowerOn    Registered     Normal     NA

# Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.

[IPS Module] display interface brief | include up 2016/5/31 10:49 PHY: Physical *down: administratively down ^down: standby down (s): spoofing InUti/OutUti: input utility/output utility Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/2      up    up          0%     0%                 0                 0 Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0 NULL0                       up    up(s)       0%     0%                 0                 0

[NGFW Module_B] display interface brief | include up  10:56:34  2016/05/31 PHY: Physical *down: administratively down ^down: standby down (s): spoofing InUti/OutUti: input utility/output utility Interface                   PHY   Protocol InUti OutUti          inErrors         outErrors Eth-Trunk0                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/1      up    up       0.01%  0.01%                 0                 0   GigabitEthernet0/0/2      up    up          0%  0.01%                 0                 0 Eth-Trunk1                  up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/0(XGE) up    up       0.01%  0.01%                 0                 0   GigabitEthernet1/0/1(XGE) up    up          0%     0%                 0                 0 Eth-Trunk1.1                up    up       0.01%     0%                 0                 0 Eth-Trunk1.2                up    up       0.01%     0%                 0                 0 NULL0                       up    up(s)       0%     0%                 0                 0

# Check traffic statistics on interfaces.

The traffic statistics between clients and servers are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up        0.13%  0.13%          0          0   XGigabitEthernet1/5/0/0   up    up        0.25%     0%          0          0   XGigabitEthernet1/5/0/1   up    up           0%  0.25%          0          0   XGigabitEthernet2/5/0/0   up    up           0%  0.25%          0          0   XGigabitEthernet2/5/0/1   up    up        0.25%     0%          0          0 Eth-Trunk105                up    up        0.25%  0.25%          0          0   XGigabitEthernet1/4/0/0   up    up        0.25%     0%          0          0   XGigabitEthernet1/4/0/1   up    up        0.25%  0.50%          0          0 Eth-Trunk106                up    up           0%     0%          0          0   XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0 Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0 GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif128                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

The traffic statistics between clients and extranet are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up           0%     0%          0          0   XGigabitEthernet1/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0 Eth-Trunk105                up    up        0.25%  0.25%          0          0   XGigabitEthernet1/4/0/0   up    up           0%  0.17%          0          0   XGigabitEthernet1/4/0/1   up    up        0.50%  0.33%          0          0 Eth-Trunk106                up    up           0%     0%          0          0   XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0 Ethernet0/0/0/0             up    up        0.01%  0.01%          0          0 GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/36     up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif128                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

The traffic statistics between servers and extranet are correct.

[CSS] display interface brief | include up PHY: Physical *down: administratively down ^down: standby ~down: LDT down #down: LBDT down (l): loopback (s): spoofing (E): E-Trunk down (b): BFD down (e): ETHOAM down (dl): DLDP down (d): Dampening Suppressed (ld): LDT block (lb): LBDT block InUti/OutUti: input utility/output utility Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors Eth-Trunk100                up    up        0.12%  0.12%          0          0   XGigabitEthernet1/5/0/0   up    up        0.50%  0.50%          0          0   XGigabitEthernet1/5/0/1   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/5/0/1   up    up           0%     0%          0          0 Eth-Trunk105                up    up        0.25%  0.25%          0          0   XGigabitEthernet1/4/0/0   up    up        0.50%  0.50%          0          0   XGigabitEthernet1/4/0/1   up    up           0%     0%          0          0 Eth-Trunk106                up    up           0%     0%          0          0   XGigabitEthernet2/4/0/0   up    up           0%     0%          0          0   XGigabitEthernet2/4/0/1   up    up           0%     0%          0          0 Ethernet0/0/0/0             up    up        0.02%  0.01%          0          0 GigabitEthernet1/6/0/36     up    up        5.00%  5.00%          0          0 GigabitEthernet2/3/0/0      up    up        5.00%  5.00%          0          0 NULL0                       up    up(s)        0%     0%          0          0 Vlanif100                   up    up           --     --          0          0 Vlanif101                   up    up           --     --          0          0 Vlanif102                   up    up           --     --          0          0 Vlanif126                   up    up           --     --          0          0 Vlanif128                   up    up           --     --          0          0 Vlanif300                   up    up           --     --          0          0 Vlanif2001                  up    up           --     --          0          0

Configuration Files

NGFW module configuration files

NGFW Module_A	NGFW Module_B
# sysname NGFW Module_A # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.1 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk105 # interface Eth-Trunk1.1 vlan-type dot1q 128 ip address 10.55.28.2 255.255.255.0 vrrp vrid 10 virtual-ip 10.55.28.1 active service-manage ping permit # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 eth-trunk 1 # interface GigabitEthernet 1/0/1 eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 add interface Eth-Trunk1.1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4 return	# sysname NGFW Module_B # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # interface Eth-Trunk 0 description hrp-interface ip address 192.168.213.2 255.255.255.252 # interface Eth-Trunk 1 description To-master-trunk106 # interface Eth-Trunk1.1 vlan-type dot1q 128 ip address 10.55.28.3 255.255.255.0 vrrp vrid 10 virtual-ip 10.55.28.1 standby service-manage ping permit # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 eth-trunk 1 # interface GigabitEthernet 1/0/1 eth-trunk 1 # firewall zone trust set priority 85 add interface Eth-Trunk1 add interface Eth-Trunk1.1 # firewall zone name hrp set priority 75 add interface Eth-Trunk 0 # security-policy rule name policy_to_wan source-address 10.55.0.0 16 source-address 10.54.1.248 29 profile ips default action permit # ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4 return

NGFW Module_A

NGFW Module_B

# sysname NGFW Module_A # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # interface Eth-Trunk 0  description hrp-interface  ip address 192.168.213.1 255.255.255.252 # interface Eth-Trunk 1  description To-master-trunk105 # interface Eth-Trunk1.1  vlan-type dot1q 128  ip address 10.55.28.2 255.255.255.0  vrrp vrid 10 virtual-ip 10.55.28.1 active  service-manage ping permit # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  eth-trunk 1 # interface GigabitEthernet 1/0/1  eth-trunk 1 # firewall zone trust  set priority 85  add interface Eth-Trunk1  add interface Eth-Trunk1.1 # firewall zone name hrp  set priority 75  add interface Eth-Trunk 0 # security-policy  rule name policy_to_wan   source-address 10.55.0.0 16   source-address 10.54.1.248 29   profile ips default   action permit # ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4 return

# sysname NGFW Module_B # hrp mirror session enable hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # interface Eth-Trunk 0  description hrp-interface  ip address 192.168.213.2 255.255.255.252 # interface Eth-Trunk 1  description To-master-trunk106 # interface Eth-Trunk1.1  vlan-type dot1q 128  ip address 10.55.28.3 255.255.255.0  vrrp vrid 10 virtual-ip 10.55.28.1 standby  service-manage ping permit # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  eth-trunk 1 # interface GigabitEthernet 1/0/1  eth-trunk 1 # firewall zone trust  set priority 85  add interface Eth-Trunk1  add interface Eth-Trunk1.1 # firewall zone name hrp  set priority 75  add interface Eth-Trunk 0 # security-policy  rule name policy_to_wan   source-address 10.55.0.0 16   source-address 10.54.1.248 29   profile ips default   action permit # ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 ip route-static 10.55.2.0 255.255.255.0 10.55.28.4 ip route-static 10.55.26.0 255.255.255.0 10.55.28.4 ip route-static 10.55.200.0 255.255.255.0 10.55.28.4 return

IPS module configuration files

IPS Module_A	IPS Module_B
# sysname IPS Module_A # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.5 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return	# sysname IPS Module_B # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0 ip address 192.168.213.6 255.255.255.252 # interface Eth-Trunk 1 portswitch port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1 eth-trunk 0 # interface GigabitEthernet 0/0/2 eth-trunk 0 # interface GigabitEthernet 1/0/0 portswitch port link-type access eth-trunk 1 # interface GigabitEthernet 1/0/1 portswitch port link-type access eth-trunk 1 # profile type av name AV_http_pop3 description http-pop3 http-detect direction download undo ftp-detect undo smtp-detect pop3-detect action delete-attachment undo imap-detect undo nfs-detect undo smb-detect exception application name Netease_Webmail action allow exception av-signature-id 1000 profile type av name AV_ftp description ftp undo http-detect ftp-detect direction upload undo smtp-detect undo pop3-detect undo imap-detect undo nfs-detect undo smb-detect # security-policy rule name policy_av_1 description Intranet-User profile av AV_http_pop3 pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit rule name policy_av_2 description Intranet-Server profile av AV_ftp pair-interface 1 Eth-Trunk 1 Eth-Trunk 1 action permit # return

IPS Module_A

IPS Module_B

# sysname IPS Module_A # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0   ip address 192.168.213.5 255.255.255.252 # interface Eth-Trunk 1  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # profile type av name AV_http_pop3     description http-pop3       http-detect direction download       undo ftp-detect        undo smtp-detect          pop3-detect action delete-attachment    undo imap-detect     undo nfs-detect   undo smb-detect    exception application name Netease_Webmail action allow     exception av-signature-id 1000   profile type av name AV_ftp    description ftp     undo http-detect    ftp-detect direction upload  undo smtp-detect    undo pop3-detect       undo imap-detect      undo nfs-detect    undo smb-detect   # security-policy  rule name policy_av_1   description Intranet-User   profile av AV_http_pop3   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit  rule name policy_av_2   description Intranet-Server   profile av AV_ftp   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit # return

# sysname IPS Module_B # hrp enable hrp loadbalance-device hrp interface Eth-Trunk 0 # vlan batch 100 to 126 300 2001 # pair-interface 1 Eth-Trunk1 Eth-Trunk1 # interface Eth-Trunk 0   ip address 192.168.213.6 255.255.255.252 # interface Eth-Trunk 1  portswitch  port link-type trunk  undo port trunk permit vlan 1  port trunk permit vlan 100 to 126 300 2001 # interface GigabitEthernet 0/0/1  eth-trunk 0 # interface GigabitEthernet 0/0/2  eth-trunk 0 # interface GigabitEthernet 1/0/0  portswitch  port link-type access  eth-trunk 1 # interface GigabitEthernet 1/0/1  portswitch  port link-type access  eth-trunk 1 # profile type av name AV_http_pop3     description http-pop3       http-detect direction download       undo ftp-detect        undo smtp-detect          pop3-detect action delete-attachment    undo imap-detect     undo nfs-detect   undo smb-detect    exception application name Netease_Webmail action allow     exception av-signature-id 1000   profile type av name AV_ftp    description ftp     undo http-detect    ftp-detect direction upload  undo smtp-detect    undo pop3-detect       undo imap-detect      undo nfs-detect    undo smb-detect   # security-policy  rule name policy_av_1   description Intranet-User   profile av AV_http_pop3   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit  rule name policy_av_2   description Intranet-Server   profile av AV_ftp   pair-interface 1 Eth-Trunk 1 Eth-Trunk 1   action permit # return

CSS configuration file

# sysname CSS # vlan batch 100 to 126 128 300 2001 # acl number 3010  rule 5 permit ip source 10.55.1.0 0.0.0.255  rule 10 permit ip source 10.55.2.0 0.0.0.255  rule 15 permit ip source 10.55.26.0 0.0.0.255 acl number 3011  rule 5 permit ip destination 10.55.1.0 0.0.0.255  rule 10 permit ip destination 10.55.2.0 0.0.0.255  rule 15 permit ip destination 10.55.26.0 0.0.0.255 acl number 3012  rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255  rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255  rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255 acl number 3020  rule 5 permit ip source 10.55.0.0 0.0.0.255  rule 10 permit ip source 10.55.200.0 0.0.0.255 acl number 3021  rule 5 permit ip destination 10.55.0.0 0.0.0.255  rule 10 permit ip destination 10.55.200.0 0.0.0.255 acl number 3022  rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255  rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255 # traffic classifier office-office operator or precedence 40  if-match acl 3012 traffic classifier from-office operator or precedence 80  if-match acl 3010 traffic classifier from-server operator or precedence 75  if-match acl 3020 traffic classifier server-server operator or precedence 65 if-match acl 3022 traffic classifier to-office operator or precedence 85  if-match acl 3011 traffic classifier to-server operator or precedence 60  if-match acl 3021 # traffic behavior behavior1  permit traffic behavior to-eth-trunk100  permit  redirect interface Eth-Trunk100 traffic behavior to-eth-trunk105-6  permit  redirect ip-nexthop 10.55.28.1 # traffic policy office-out match-order config  classifier office-office behavior behavior1  classifier to-server behavior to-eth-trunk100  classifier from-office behavior to-eth-trunk105-6 traffic policy internet-in match-order config  classifier office-office behavior behavior1  classifier to-server behavior to-eth-trunk100  classifier to-office behavior to-eth-trunk105-6 traffic policy ips-to-fw match-order config  classifier to-server behavior to-eth-trunk105-6  classifier from-server behavior to-eth-trunk105-6 traffic policy server-out match-order config  classifier server-server behavior behavior1  classifier from-server behavior to-eth-trunk100 # interface Vlanif100  ip address 10.55.0.1 255.255.255.0 # interface Vlanif101  ip address 10.55.1.1 255.255.255.0 # interface Vlanif102  ip address 10.55.2.1 255.255.255.0 # interface Vlanif128  ip address 10.55.28.4 255.255.255.0  # interface Vlanif300  ip address 10.55.200.1 255.255.255.0 # interface Vlanif2001  ip address 10.54.1.253 255.255.255.248 # load-balance-profile sec # interface Eth-Trunk100  description to-ips  port link-type trunk  mac-address learning disable  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 100 to 126 300 2001  stp disable  traffic-policy ips-to-fw inbound  load-balance enhanced profile sec # interface Eth-Trunk105  description to-ngfw-a  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 128  load-balance enhanced profile sec # interface Eth-Trunk106  description to-ngfw-b  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 128  load-balance enhanced profile sec # interface GigabitEthernet1/6/0/36  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 100 300  traffic-policy server-out inbound  am isolate Eth-Trunk100 # interface GigabitEthernet2/3/0/0  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 2001  traffic-policy internet-in inbound  am isolate Eth-Trunk100 # interface GigabitEthernet2/3/0/36  port link-type trunk  undo port trunk allow-pass vlan 1  port trunk allow-pass vlan 101 to 126  traffic-policy office-out inbound  am isolate Eth-Trunk100 # interface XGigabitEthernet1/4/0/0  eth-trunk 105 # interface XGigabitEthernet1/4/0/1  eth-trunk 105 # interface XGigabitEthernet1/5/0/0  eth-trunk 100 # interface XGigabitEthernet1/5/0/1  eth-trunk 100 # interface XGigabitEthernet2/4/0/0  eth-trunk 106 # interface XGigabitEthernet2/4/0/1  eth-trunk 106 # interface XGigabitEthernet2/5/0/0  eth-trunk 100 # interface XGigabitEthernet2/5/0/1  eth-trunk 100 # return

See more please click

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches

Background

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Data Plan

Configuration Roadmap

Procedure

Configuration Files

Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements

Data Plan

Configuration Roadmap

Procedure

Configuration Files

Third Party’s Trade Secret

`@trans`drinking_poetry`~trans`

`@trans`universal_genius`~trans`

`@trans`full_of_learning`~trans`

Enterprise

Consumer

Corporate

Carriers

Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches

Background

Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements

Data Plan

Configuration Roadmap

Procedure

Configuration Files

Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements

Data Plan

Configuration Roadmap

Procedure

Configuration Files

Third Party’s Trade Secret

`@trans`drinking_poetry`~trans`

`@trans`universal_genius`~trans`

`@trans`full_of_learning`~trans`