S2700, S3700, S5700, S6700, S7700, and S9700

Series Switches
Typical Configuration Examples 2 Comprehensive Configuration Examples

2 Comprehensive Configuration Examples

NOTICE

The solution that uses VXLAN to build virtual networks on campus networks is a
large- and medium-sized campus network solution (virtualization scenario). For
details about the solution, see the CloudCampus Solution.

2.1 Typical Configuration for Interoperation Between Switches and Firewalls
2.2 Typical Configuration for Interoperation Between Switches and Routers
2.3 Example for Configuring Egress Devices on Small- and Medium-Sized Campus or Branch Networks
2.4 Example for Configuring the Egress of a Large-Sized Campus (Firewalls Are Connected to Core Switches in In-line Mode)
2.5 Example for Configuring the Egress of a Large-Sized Campus (Firewalls Are Connected to Core Switches in Bypass Mode)
2.6 Example for Configuring an Agile Campus Network
2.7 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network
2.8 Example for Deploying the ACU2, NGFW Module, and IPS Module on a Switch

2.1 Typical Configuration for Interoperation Between Switches and Firewalls

Issue 26 (2020-02-07) Copyright © Huawei Technologies Co., Ltd. 74



2.1.1 Example for Configuring a Layer 2 Switch to Work with a Firewall for Internet Access
Layer 2 Switch
Layer 2 switches perform only Layer 2 forwarding, not Layer 3 forwarding. That is,
Layer 2 switches support only Layer 2 features and do not support Layer 3 features
such as routing.
Layer 2 switches are typically deployed at the access layer and cannot function as
gateways of users.

Configuration Notes
Switch configurations used in this example apply to all versions of all S series
switches.
This example uses firewall configurations of USG6650 V500R001C60. For other
firewall configurations, see the corresponding documentation.

Networking Requirements
In Figure 2-1, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 2 switch and firewall and
that the firewall function as the gateway of users.

Figure 2-1 Configuring a Layer 2 switch to work with a firewall for Internet access

[Figure 2-1 topology: Internet (public IP 200.0.0.1/24) -- GE1/0/2 (IP 200.0.0.2/24) Firewall (functions as the gateway of PCs) GE1/0/1 -- GE0/0/1 Switch; Switch GE0/0/2 (VLAN 2) -- PC1 (IP 192.168.1.2/24); Switch GE0/0/3 (VLAN 3) -- PC2 (IP 192.168.2.2/24)]


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment on the switch for Layer 2
forwarding.
2. Configure the firewall as the gateway of users to implement Layer 3
forwarding across network segments through sub-interfaces or VLANIF
interfaces.
3. Configure the firewall as the DHCP server to assign IP addresses to users.
4. Configure a security interzone policy for the firewall so that packets of
different zones can be forwarded.
5. Configure the PAT function on the firewall to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.
# Configure the interfaces connected to users.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet0/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit

# Configure the interface connected to the firewall.


[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3 //Configure the interface as a trunk interface to transparently transmit packets from VLAN 2 and VLAN 3.
[Switch-GigabitEthernet0/0/1] quit

Step 2 Configure the firewall.

Two methods are available to configure a firewall: one is to configure sub-interfaces and the other is to configure VLANIF interfaces.
● Configure the firewall to terminate VLAN tags through sub-interfaces to
implement Layer 3 forwarding across network segments.
# Configure sub-interfaces for VLAN tag termination.
<USG6600> system-view
[USG6600] interface gigabitethernet 1/0/1.1
[USG6600-GigabitEthernet1/0/1.1] vlan-type dot1q 2
[USG6600-GigabitEthernet1/0/1.1] ip address 192.168.1.1 24
[USG6600-GigabitEthernet1/0/1.1] quit
[USG6600] interface gigabitethernet 1/0/1.2
[USG6600-GigabitEthernet1/0/1.2] vlan-type dot1q 3
[USG6600-GigabitEthernet1/0/1.2] ip address 192.168.2.1 24
[USG6600-GigabitEthernet1/0/1.2] quit

# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.


[USG6600] dhcp enable
[USG6600] interface gigabitethernet 1/0/1.1
[USG6600-GigabitEthernet1/0/1.1] dhcp select interface //Enable the DHCP server function on the interface and configure it to use an interface address pool.
[USG6600-GigabitEthernet1/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 is a public DNS server address that does not depend on the carrier. In practice, configure the DNS-list based on the DNS server addresses assigned by the carrier.
[USG6600-GigabitEthernet1/0/1.1] quit
[USG6600] interface gigabitethernet 1/0/1.2
[USG6600-GigabitEthernet1/0/1.2] dhcp select interface
[USG6600-GigabitEthernet1/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600-GigabitEthernet1/0/1.2] quit
# Configure a public network interface IP address and a static route.
[USG6600] interface gigabitethernet 1/0/2
[USG6600-GigabitEthernet1/0/2] ip address 200.0.0.2 255.255.255.0 //Configure the IP address 200.0.0.2 for GE1/0/2, which is connected to the public network.
[USG6600-GigabitEthernet1/0/2] quit
[USG6600] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
# Configure security zones.
[USG6600] firewall zone trust //Configure a trust zone.
[USG6600-zone-trust] add interface gigabitethernet 1/0/1
[USG6600-zone-trust] add interface gigabitethernet 1/0/1.1
[USG6600-zone-trust] add interface gigabitethernet 1/0/1.2
[USG6600-zone-trust] quit
[USG6600] firewall zone untrust //Configure an untrust zone.
[USG6600-zone-untrust] add interface gigabitethernet 1/0/2
[USG6600-zone-untrust] quit
# Configure a security policy to allow inter-zone access.
[USG6600] security-policy
[USG6600-policy-security] rule name policy1
[USG6600-policy-security-rule-policy1] source-zone trust
[USG6600-policy-security-rule-policy1] destination-zone untrust
[USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600-policy-security-rule-policy1] action permit
[USG6600-policy-security-rule-policy1] quit
[USG6600-policy-security] quit
# Configure a PAT address pool to allow interface address translation.
[USG6600] nat address-group addressgroup1
[USG6600-address-group-addressgroup1] mode pat
[USG6600-address-group-addressgroup1] route enable
[USG6600-address-group-addressgroup1] section 0 200.0.0.2 200.0.0.2 //Translated public IP address
[USG6600-address-group-addressgroup1] quit
# Configure a PAT policy so that source IP addresses are automatically
translated when devices on a specified network segment of an internal
network access the Internet.
[USG6600] nat-policy
[USG6600-policy-nat] rule name policy_nat1
[USG6600-policy-nat-rule-policy_nat1] source-zone trust
[USG6600-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //Source IP addresses that can be translated using PAT
[USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
[USG6600-policy-nat-rule-policy_nat1] quit
[USG6600-policy-nat] quit
[USG6600] quit
● Configure VLANIF interfaces on the firewall to implement Layer 3 forwarding
across network segments.
# Configure VLANIF interfaces.
<USG6600> system-view
[USG6600] vlan batch 2 3
[USG6600] interface gigabitethernet 1/0/1


[USG6600-GigabitEthernet1/0/1] portswitch //Change the Ethernet interface from Layer 3 mode to Layer 2 mode. If it already works in Layer 2 mode, skip this step.
[USG6600-GigabitEthernet1/0/1] port link-type hybrid
[USG6600-GigabitEthernet1/0/1] port hybrid tagged vlan 2 to 3
[USG6600-GigabitEthernet1/0/1] quit
[USG6600] interface vlanif 2
[USG6600-Vlanif2] ip address 192.168.1.1 24 //Configure the IP address of VLANIF 2 as the gateway address of PC1.
[USG6600-Vlanif2] quit
[USG6600] interface vlanif 3
[USG6600-Vlanif3] ip address 192.168.2.1 24 //Configure the IP address of VLANIF 3 as the gateway address of PC2.
[USG6600-Vlanif3] quit
# Configure the DHCP and DNS functions.
[USG6600] dhcp enable
[USG6600] interface vlanif 2
[USG6600-Vlanif2] dhcp select interface
[USG6600-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 is a public DNS server address that does not depend on the carrier. In practice, configure the DNS-list based on the DNS server addresses assigned by the carrier.
[USG6600-Vlanif2] quit
[USG6600] interface vlanif 3
[USG6600-Vlanif3] dhcp select interface
[USG6600-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[USG6600-Vlanif3] quit
# Configure a public network interface IP address and a static route.
[USG6600] interface gigabitethernet 1/0/2
[USG6600-GigabitEthernet1/0/2] ip address 200.0.0.2 255.255.255.0
[USG6600-GigabitEthernet1/0/2] quit
[USG6600] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
# Configure security zones.
[USG6600] firewall zone trust
[USG6600-zone-trust] add interface gigabitethernet 1/0/1
[USG6600-zone-trust] add interface vlanif 2
[USG6600-zone-trust] add interface vlanif 3
[USG6600-zone-trust] quit
[USG6600] firewall zone untrust
[USG6600-zone-untrust] add interface gigabitethernet 1/0/2
[USG6600-zone-untrust] quit
# Configure a security policy to allow inter-zone access.
[USG6600] security-policy
[USG6600-policy-security] rule name policy1
[USG6600-policy-security-rule-policy1] source-zone trust
[USG6600-policy-security-rule-policy1] destination-zone untrust
[USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG6600-policy-security-rule-policy1] action permit
[USG6600-policy-security-rule-policy1] quit
[USG6600-policy-security] quit
# Configure a PAT address pool to allow interface address translation.
[USG6600] nat address-group addressgroup1
[USG6600-address-group-addressgroup1] mode pat
[USG6600-address-group-addressgroup1] route enable
[USG6600-address-group-addressgroup1] section 0 200.0.0.2 200.0.0.2 //Translated public IP address
[USG6600-address-group-addressgroup1] quit
# Configure a PAT policy so that source IP addresses are automatically
translated when devices on a specified network segment of an internal
network access the Internet.
[USG6600] nat-policy
[USG6600-policy-nat] rule name policy_nat1
[USG6600-policy-nat-rule-policy_nat1] source-zone trust
[USG6600-policy-nat-rule-policy_nat1] destination-zone untrust
[USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //Source IP addresses that can be translated using PAT

[USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1


[USG6600-policy-nat-rule-policy_nat1] quit
[USG6600-policy-nat] quit
[USG6600] quit

Step 3 Check the configuration.


Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for
PC1, and configure an IP address 192.168.2.2/24 and a gateway address
192.168.2.1 for PC2.
Configure an IP address 200.0.0.1/24 and a gateway address 200.0.0.2 for the external
network.
After the configurations are complete, PC1 and PC2 can ping the external network
IP address 200.0.0.1/24 and access the Internet.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
return

● USG configuration file (used when the firewall performs Layer 3 forwarding through sub-interfaces)
#
dhcp enable
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet1/0/1.2
vlan-type dot1q 3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet1/0/2
ip address 200.0.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/1.1
add interface GigabitEthernet1/0/1.2
#


firewall zone untrust


set priority 5
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 200.0.0.2 200.0.0.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action nat address-group addressgroup1
#
return
● USG configuration file (used when the firewall performs Layer 3 forwarding through VLANIF interfaces)
#
vlan batch 2 to 3
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet1/0/1
portswitch
port link-type hybrid
port hybrid tagged vlan 2 to 3
#
interface GigabitEthernet1/0/2
ip address 200.0.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Vlanif2
add interface Vlanif3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 200.0.0.2 200.0.0.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0


action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action nat address-group addressgroup1
#
return

Related Content
Videos
Connecting an S Series Switch Acting as a Layer 2 Switch to a Firewall

2.1.2 Example for Configuring a Layer 3 Switch to Work with a Firewall for Internet Access
Layer 3 Switch
Layer 3 switches provide the routing function, which is a network-layer (Layer 3)
function in the OSI model.
Layer 3 switches can work at Layer 2 and Layer 3 and be deployed at the access
layer or aggregation layer as user gateways.

Configuration Notes
● This example uses firewall configurations of USG6650 V500R001C60. For
other firewall configurations, see the corresponding documentation.
● For the products and versions applicable when a switch functions as a DHCP
server, see Examples for Applicable Products and Versions.

Networking Requirements
In Figure 2-2, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 3 switch and firewall and
that the Layer 3 switch function as the gateway of users.


Figure 2-2 Configuring a Layer 3 switch to work with a firewall for Internet access

[Figure 2-2 topology: Internet (public IP 200.0.0.1/24) -- GE1/0/2 (IP 200.0.0.2/24) Firewall GE1/0/1 (IP 192.168.100.1/24) -- GE0/0/1 Switch, VLANIF 100 (IP 192.168.100.2/24); the switch functions as the gateway of PCs; Switch GE0/0/2 (VLAN 2, IP 192.168.1.1/24) -- PC1 (IP 192.168.1.2/24); Switch GE0/0/3 (VLAN 3, IP 192.168.2.1/24) -- PC2 (IP 192.168.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switch as the gateway of users to allow users to communicate
across network segments through VLANIF interfaces.
2. Configure the switch as the DHCP server to assign IP addresses to users.
3. Configure an interzone security policy for the firewall so that packets of
different zones can be forwarded.
4. Configure the PAT function on the firewall to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.
# Configure the interfaces connected to users and corresponding VLANIF
interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet0/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3


[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 2
[Switch-Vlanif2] ip address 192.168.1.1 24
[Switch-Vlanif2] quit
[Switch] interface vlanif 3
[Switch-Vlanif3] ip address 192.168.2.1 24
[Switch-Vlanif3] quit

# Configure the interface connected to the firewall and the corresponding VLANIF interface.
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 192.168.100.2 24
[Switch-Vlanif100] quit

# Configure the default route.
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //The next hop of the default route is the IP address 192.168.100.1 of the firewall interface.

# Configure the DHCP server.
[Switch] dhcp enable
[Switch] interface vlanif 2
[Switch-Vlanif2] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 is a public DNS server address that does not depend on the carrier. In practice, configure the DNS-list based on the DNS server addresses assigned by the carrier.
[Switch-Vlanif2] quit
[Switch] interface vlanif 3
[Switch-Vlanif3] dhcp select interface
[Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif3] quit

Step 2 Configure the firewall.

# Configure an IP address for the interface connected to the switch.


<USG> system-view
[USG] interface gigabitethernet 1/0/1
[USG-GigabitEthernet1/0/1] ip address 192.168.100.1 255.255.255.0
[USG-GigabitEthernet1/0/1] quit

# Configure an IP address for the interface connected to the Internet.


[USG] interface gigabitethernet 1/0/2
[USG-GigabitEthernet1/0/2] ip address 200.0.0.2 255.255.255.0 //The IP address of the interface connected to the Internet is on the same network segment as the public IP address.
[USG-GigabitEthernet1/0/2] quit

# Configure a default route and a return route.


[USG] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
[USG] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //Configure a return route with the next hop pointing to the IP address 192.168.100.2 of the switch's uplink interface.

# Configure security zones.


[USG] firewall zone trust //Configure a trust zone.
[USG-zone-trust] add interface gigabitethernet 1/0/1
[USG-zone-trust] quit
[USG] firewall zone untrust //Configure an untrust zone.


[USG-zone-untrust] add interface gigabitethernet 1/0/2


[USG-zone-untrust] quit

# Configure a security policy to allow inter-zone access.


[USG] security-policy
[USG-policy-security] rule name policy1
[USG-policy-security-rule-policy1] source-zone trust
[USG-policy-security-rule-policy1] destination-zone untrust
[USG-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0
[USG-policy-security-rule-policy1] action permit
[USG-policy-security-rule-policy1] quit
[USG-policy-security] quit

# Configure a PAT address pool to allow interface address translation.


[USG] nat address-group addressgroup1
[USG-address-group-addressgroup1] mode pat
[USG-address-group-addressgroup1] route enable
[USG-address-group-addressgroup1] section 0 200.0.0.2 200.0.0.2 //Translated public IP address
[USG-address-group-addressgroup1] quit

# Configure a PAT policy so that source IP addresses are automatically translated when devices on a specified network segment of an internal network access the Internet.
[USG] nat-policy
[USG-policy-nat] rule name policy_nat1
[USG-policy-nat-rule-policy_nat1] source-zone trust
[USG-policy-nat-rule-policy_nat1] destination-zone untrust
[USG-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //Source IP addresses that can be translated using PAT
[USG-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
[USG-policy-nat-rule-policy_nat1] quit
[USG-policy-nat] quit
[USG] quit

Step 3 Check the configuration.


Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for
PC1, and configure an IP address 192.168.2.2/24 and a gateway address
192.168.2.1 for PC2.
Configure an IP address 200.0.0.1/24 and a gateway address 200.0.0.2 for the external
network.
After the configurations are complete, PC1 and PC2 can ping the external network
IP address 200.0.0.1/24 and access the Internet.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3 100
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface


dhcp server dns-list 114.114.114.114 223.5.5.5


#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
return

● USG configuration file
#
interface GigabitEthernet1/0/1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 200.0.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 200.0.0.2 200.0.0.2
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action nat address-group addressgroup1
#
return
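The USG configuration files in 2.1.1 and 2.1.2 share one pattern that is easy to get wrong when the file is edited by hand: zone membership, the security-policy rule and the nat-policy rule must agree with each other. The following Python script is an added example, not part of this guide and not a Huawei tool; it parses a saved configuration file in the '#'-delimited format shown above and reports Layer 3 interfaces outside any zone, trust subnets not covered by the permit rule, a rule source wider than the configured subnets (as information, for a least-privilege review), and a nat-policy that points at an address-group that does not exist. The sample file embedded in it is constructed from the VLANIF variant in 2.1.1.

```python
# Added example (not from the guide): consistency audit for a Huawei USG
# configuration file in the '#'-delimited block format shown above.
import ipaddress
import re

# Sample constructed from the VLANIF variant in 2.1.1 (not the guide's own file).
SAMPLE_USG_CONFIG = """\
#
interface Vlanif2
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif3
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 200.0.0.2 255.255.255.0
#
firewall zone trust
 add interface Vlanif2
 add interface Vlanif3
#
firewall zone untrust
 add interface GigabitEthernet1/0/2
#
nat address-group addressgroup1 0
 section 0 200.0.0.2 200.0.0.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.0.0
  action permit
#
nat-policy
 rule name policy_nat1
  source-address 192.168.0.0 mask 255.255.0.0
  action nat address-group addressgroup1
#
"""

def parse_blocks(text):
    """Split the file into (header, [sub-commands]) pairs at '#' separators."""
    blocks, cur = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("#", "return"):
            if cur:
                blocks.append((cur[0], cur[1:]))
            cur = []
        elif line:
            cur.append(line)
    return blocks

def parse_rules(cmds):
    """Group a policy block's sub-commands under their 'rule name X' line."""
    rules, name = {}, None
    for c in cmds:
        if c.startswith("rule name "):
            name = c.split()[2]
            rules[name] = []
        elif name is not None:
            rules[name].append(c)
    return rules

def audit_usg_config(text):
    """Return (severity, message) findings for a config file; [] means clean."""
    findings, ifaces, zones, groups, sec, nat = [], {}, {}, set(), {}, {}
    for header, cmds in parse_blocks(text):
        w = header.split()
        if w[0] == "interface":
            for c in cmds:
                m = re.match(r"ip address (\S+) (\S+)$", c)  # <addr> <dotted mask>
                if m:
                    ifaces[w[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif w[:2] == ["firewall", "zone"]:
            zones[w[2]] = {c.split()[2] for c in cmds if c.startswith("add interface ")}
        elif w[:2] == ["nat", "address-group"]:
            groups.add(w[2])
        elif w[0] == "security-policy":
            sec = parse_rules(cmds)
        elif w[0] == "nat-policy":
            nat = parse_rules(cmds)
    # 1. A USG does not forward traffic on an interface that belongs to no zone.
    findings += [("error", f"{n} has an IP address but no security zone")
                 for n in ifaces if not any(n in z for z in zones.values())]
    # 2. Every trust subnet must fall inside a rule's source-address; a wider source is reported for review.
    trust_nets = [ifaces[i].network for i in zones.get("trust", ()) if i in ifaces]
    for rname, rcmds in sec.items():
        srcs = [ipaddress.ip_network(f"{m[1]}/{m[2]}") for c in rcmds
                if (m := re.match(r"source-address (\S+) mask (\S+)$", c))]
        findings += [("error", f"rule {rname} does not cover trust subnet {net}")
                     for net in trust_nets if not any(net.subnet_of(s) for s in srcs)]
        findings += [("info", f"rule {rname} source {s} is wider than any trust subnet")
                     for s in srcs if s not in trust_nets]
    # 3. The nat-policy action must name an address-group that actually exists.
    findings += [("error", f"nat rule {r} uses missing address-group {m[1]}")
                 for r, rcmds in nat.items() for c in rcmds
                 if (m := re.match(r"action nat address-group (\S+)$", c)) and m[1] not in groups]
    return findings
```

Run against a file saved with display current-configuration, the script reports nothing for the configurations in this section except the informational note that policy1 permits all of 192.168.0.0/16 while only two /24 subnets exist behind the trust zone.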


Examples for Applicable Products and Versions

Table 2-1 Applicable product models and versions

Series | Product Model | Software Version
S2700 | S2720-EI | V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S2700 | S2750-EI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S3700 | S3700-SI, S3700-EI | V100R006C05
S3700 | S3700-HI | V200R001C00
S5700 | S5700-LI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5700S-LI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5700-SI | V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700 | S5700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5700 | S5700-HI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5710-EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)
S5700 | S5710-HI | V200R003C00, V200R005(C00&C02&C03)
S5700 | S5720-LI, S5720S-LI | V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-SI, S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720I-SI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730-SI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730S-EI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5731-H | V200R013C02, V200R019C00, V200R019C10
S5700 | S5731-S, S5731S-S | V200R019C00, V200R019C10
S5700 | S5731S-H | V200R019C00, V200R019C10
S5700 | S5732-H | V200R019C00, V200R019C10
S5700 | S5735-L, S5735S-L | V200R019C00, V200R019C10
S5700 | S5735S-L-M | V200R019C00, V200R019C10
S5700 | S5735-S, S5735S-S | V200R019C00, V200R019C10
S6700 | S6700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6700 | S6720-LI, S6720S-LI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-SI, S6720S-SI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6730-H | V200R013C02, V200R019C00, V200R019C10
S6700 | S6730-S, S6730S-S | V200R019C00, V200R019C10
S6700 | S6730S-H | V200R019C10
S7700 | S7703, S7706, S7712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R013C02, V200R019C00, V200R019C10
S7700 | S7703 PoE | V200R013C00, V200R019C00, V200R019C10
S7700 | S7706 PoE | V200R013C00, V200R019C00, V200R019C10
S9700 | S9703, S9706, S9712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00

2.2 Typical Configuration for Interoperation Between Switches and Routers

2.2.1 Example for Configuring a Layer 2 Switch to Work with a Router for Internet Access

Layer 2 Switch
Layer 2 switches perform only Layer 2 forwarding, not Layer 3 forwarding. That is,
Layer 2 switches support only Layer 2 features and do not support Layer 3 features
such as routing.

Layer 2 switches are typically deployed at the access layer and cannot function as
gateways of users.

Configuration Notes
Switch configurations used in this example apply to all versions of all S series
switches.

This example uses router configurations of AR3600 V200R007C00SPCc00. For other router configurations, see the corresponding documentation.


Networking Requirements
In Figure 2-3, a company has multiple departments that belong to different
network segments, and each department needs to access the Internet. It is
required that users access the Internet through the Layer 2 switch and router and
that the router function as the gateway of users.

Figure 2-3 Configuring a Layer 2 switch to work with a router for Internet access

[Figure 2-3 topology: Internet (public IP 200.0.0.1/24) -- GE0/0/2 (IP 200.0.0.2/24) Router (functions as the gateway of PCs) GE0/0/1 -- GE0/0/1 Switch; Switch GE0/0/2 (VLAN 2) -- PC1 (IP 192.168.1.2/24); Switch GE0/0/3 (VLAN 3) -- PC2 (IP 192.168.2.2/24)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface-based VLAN assignment on the switch for Layer 2
forwarding.
2. Configure the router as the gateway of users to implement Layer 3
forwarding across network segments through sub-interfaces or VLANIF
interfaces.
3. Configure the router as the DHCP server to assign IP addresses to users.
4. Configure the NAT function on the router to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.

# Configure the interfaces connected to users.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet0/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit

# Configure the interface connected to the router.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3 //Configure the interface as a trunk
interface to transparently transmit packets from VLAN 2 and VLAN 3.
[Switch-GigabitEthernet0/0/1] quit

Step 2 Configure the router.

Two methods are available to configure a router: one is to configure sub-
interfaces and the other is to configure VLANIF interfaces.
● Configure the router to terminate VLAN tags through sub-interfaces to
implement Layer 3 forwarding across network segments.
# Configure sub-interfaces for VLAN tag termination.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 3
[Router] interface gigabitethernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dot1q termination vid 2
[Router-GigabitEthernet0/0/1.1] ip address 192.168.1.1 24
[Router-GigabitEthernet0/0/1.1] arp broadcast enable //By default, ARP broadcast on a VLAN tag
termination sub-interface is disabled on AR routers in a version earlier than V200R003C01 and
enabled in V200R003C01 and later versions.
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface gigabitethernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dot1q termination vid 3
[Router-GigabitEthernet0/0/1.2] ip address 192.168.2.1 24
[Router-GigabitEthernet0/0/1.2] arp broadcast enable
[Router-GigabitEthernet0/0/1.2] quit
# Configure the DHCP function to assign IP addresses to intranet users and
specify the DNS server address.
[Router] dhcp enable
[Router] interface gigabitethernet 0/0/1.1
[Router-GigabitEthernet0/0/1.1] dhcp select interface //DHCP uses an interface address pool to
assign IP addresses to intranet users.
[Router-GigabitEthernet0/0/1.1] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses used here as an example. In practice, configure the DNS server addresses assigned by your carrier.
[Router-GigabitEthernet0/0/1.1] quit
[Router] interface gigabitethernet 0/0/1.2
[Router-GigabitEthernet0/0/1.2] dhcp select interface
[Router-GigabitEthernet0/0/1.2] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-GigabitEthernet0/0/1.2] quit
# Configure a public network interface IP address and a static route.
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0 //Configure an IP address
200.0.0.2 for GE0/0/2 connected to the public network.
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next
hop pointing to the public IP address 200.0.0.1.
# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for packets whose source IP address is on the network segment 192.168.0.0/16 (0.0.255.255 is a wildcard mask: the 0 bits must match) and translates only source IP addresses of packets leaving GE0/0/2. In production, narrow the rule to the intranet segments actually in use (here 192.168.1.0/24 and 192.168.2.0/24) so that no other source address can be translated.
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit

● Configure VLANIF interfaces on the router to implement Layer 3 forwarding across network segments.
# Configure VLANIF interfaces.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 2 3
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] portswitch //Change the Ethernet interface from Layer 3 mode to Layer 2 mode. If it already works in Layer 2 mode, skip this step.
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 3
[Router-GigabitEthernet0/0/1] quit
[Router] interface vlanif 2
[Router-Vlanif2] ip address 192.168.1.1 24 //Configure the IP address of VLANIF 2 as the gateway address of PC1.
[Router-Vlanif2] quit
[Router] interface vlanif 3
[Router-Vlanif3] ip address 192.168.2.1 24 //Configure the IP address of VLANIF 3 as the gateway address of PC2.
[Router-Vlanif3] quit

# Configure the DHCP function to assign IP addresses to intranet users and specify the DNS server address.
[Router] dhcp enable
[Router] interface vlanif 2
[Router-Vlanif2] dhcp select interface
[Router-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses used here as an example. In practice, configure the DNS server addresses assigned by your carrier.
[Router-Vlanif2] quit
[Router] interface vlanif 3
[Router-Vlanif3] dhcp select interface
[Router-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Router-Vlanif3] quit

# Configure a public network interface IP address and a static route.
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next
hop pointing to the public IP address 200.0.0.1.

# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for packets whose source IP address is on the network segment 192.168.0.0/16 and translates only source IP addresses of packets leaving GE0/0/2. In production, narrow the rule to the intranet segments actually in use (here 192.168.1.0/24 and 192.168.2.0/24).
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit

Step 3 Check the configuration.

Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for PC1, and configure an IP address 192.168.2.2/24 and a gateway address 192.168.2.1 for PC2 (alternatively, let the PCs obtain these settings from the router's DHCP server).

On the host that represents the external network, configure an IP address 200.0.0.1/24 and a gateway address 200.0.0.2.

After the configurations are complete, PC1 and PC2 can ping the external network address 200.0.0.1 and access the Internet.
----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
return
● Router configuration file (used when the router performs Layer 3 forwarding
through sub-interfaces)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 2
ip address 192.168.1.1 255.255.255.0
arp broadcast enable
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 3
ip address 192.168.2.1 255.255.255.0
arp broadcast enable
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/2
ip address 200.0.0.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
return
● Router configuration file (used when the router performs Layer 3 forwarding through VLANIF interfaces)
#
sysname Router
#
vlan batch 2 to 3
#
dhcp enable
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface GigabitEthernet0/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/2
ip address 200.0.0.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
#
return

Related Content
Videos
Connecting an S Series Switch Acting as a Layer 2 Switch to a Router

2.2.2 Example for Configuring a Layer 3 Switch to Work with a Router for Internet Access
Layer 3 Switch
Layer 3 switches provide the routing function, a network-layer (Layer 3) function in the OSI model.
Layer 3 switches can work at both Layer 2 and Layer 3 and can be deployed at the access layer or aggregation layer as user gateways.

Configuration Notes
● This example uses router configurations of AR3600 V200R007C00SPCc00. For
other router configurations, see the corresponding documentation.
● For the products and versions applicable when a switch functions as a DHCP
server, see Examples for Applicable Products and Versions.

Networking Requirements
In Figure 2-4, a company has multiple departments that belong to different network segments, and each department needs to access the Internet. It is required that users access the Internet through the Layer 3 switch and router and that the Layer 3 switch function as the gateway of users.

Figure 2-4 Configuring a Layer 3 switch to work with a router for Internet access

[Figure: the Internet (public IP 200.0.0.1/24) connects to Router GE0/0/2 (200.0.0.2/24). Router GE0/0/1 (192.168.100.1/24) connects to Switch GE0/0/1 (VLANIF 100, 192.168.100.2/24); the switch functions as the gateway of the PCs. Switch GE0/0/2 (VLAN 2, VLANIF address 192.168.1.1/24) connects to PC1 (192.168.1.2/24); Switch GE0/0/3 (VLAN 3, VLANIF address 192.168.2.1/24) connects to PC2 (192.168.2.2/24).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switch as the gateway of users to allow users to communicate
across network segments through VLANIF interfaces.
2. Configure the switch as the DHCP server to assign IP addresses to users.
3. Configure the NAT function on the router to enable intranet users to access
the Internet.

Procedure
Step 1 Configure the switch.
# Configure the interfaces connected to users and corresponding VLANIF interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 3
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet0/0/2] port default vlan 2 //Add the interface to VLAN 2.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access

[Switch-GigabitEthernet0/0/3] port default vlan 3
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 2
[Switch-Vlanif2] ip address 192.168.1.1 24
[Switch-Vlanif2] quit
[Switch] interface vlanif 3
[Switch-Vlanif3] ip address 192.168.2.1 24
[Switch-Vlanif3] quit

# Configure the interface connected to the router and corresponding VLANIF interface.
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 192.168.100.2 24
[Switch-Vlanif100] quit

# Configure the default route.
[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //The next hop of the default route is the IP address 192.168.100.1 of the router interface.

# Configure the DHCP server.
[Switch] dhcp enable
[Switch] interface vlanif 2
[Switch-Vlanif2] dhcp select interface //DHCP uses an interface address pool to assign IP addresses to intranet users.
[Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //114.114.114.114 and 223.5.5.5 are public DNS server addresses used here as an example. In practice, configure the DNS server addresses assigned by your carrier.
[Switch-Vlanif2] quit
[Switch] interface vlanif 3
[Switch-Vlanif3] dhcp select interface
[Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5
[Switch-Vlanif3] quit

Step 2 Configure the router.

# Configure an IP address for the interface connected to the switch.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 192.168.100.1 255.255.255.0 //Configure the IP address
192.168.100.1 as the next-hop IP address of the switch's default route.
[Router-GigabitEthernet0/0/1] quit

# Configure an IP address for the interface connected to the Internet.
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 200.0.0.2 255.255.255.0 //The IP address of the interface
connected to the Internet is on the same network segment as the public IP address.
[Router-GigabitEthernet0/0/2] quit

# Configure a default route and a return route.
[Router] ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //Configure a static default route with the next hop pointing to the public IP address 200.0.0.1.
[Router] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //Configure a return route with the next hop pointing to the IP address 192.168.100.2 of the switch's uplink interface (VLANIF 100).

# Configure the NAT function to enable intranet users to access the Internet.
[Router] acl number 2001
[Router-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255 //NAT takes effect only for packets whose source IP address is on the network segment 192.168.0.0/16 and translates only source IP addresses of packets leaving GE0/0/2. The rule matches the scope of the return route 192.168.0.0/16; in production, narrow it to the user segments actually reached through the switch (here 192.168.1.0/24 and 192.168.2.0/24).
[Router-acl-basic-2001] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 2001
[Router-GigabitEthernet0/0/2] quit

Step 3 Check the configuration.

Configure an IP address 192.168.1.2/24 and a gateway address 192.168.1.1 for PC1, and configure an IP address 192.168.2.2/24 and a gateway address 192.168.2.1 for PC2 (alternatively, let the PCs obtain these settings from the switch's DHCP server).

On the host that represents the external network, configure an IP address 200.0.0.1/24 and a gateway address 200.0.0.2.

After the configurations are complete, PC1 and PC2 can ping the external network address 200.0.0.1 and access the Internet.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 2 to 3 100
#
dhcp enable
#
interface Vlanif2
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif3
ip address 192.168.2.1 255.255.255.0
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
#
interface Vlanif100
ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
return

● Router configuration file
#
sysname Router
#
acl number 2001
rule 5 permit source 192.168.0.0 0.0.255.255
#

interface GigabitEthernet0/0/1
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 200.0.0.2 255.255.255.0
nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2
#
return
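Both router configuration files above bind nat outbound 2001 to an ACL that permits 192.168.0.0/16, although the router in 2.2.1 serves only 192.168.1.0/24 and 192.168.2.0/24, and the router in 2.2.2 reaches 192.168.0.0/16 only through its static return route. The following Python script is an added example, not part of the original document and not a Huawei tool: it parses a VRP-style router configuration file such as those shown in 2.2.1 and 2.2.2, converts each basic ACL rule's wildcard mask into a prefix, derives the intranet prefixes the router actually serves (private networks on interfaces without nat outbound plus private static routes), and reports the address space the ACL would translate without any intranet behind it, any intranet left without NAT, and a tightened rule set. SAMPLE_CONFIG is a constructed copy of the 2.2.1 sub-interface configuration file; every function name is this example's own.

```python
"""Audit the scope of `nat outbound` in a Huawei VRP-style router configuration.
Added example, not from the original page and not a Huawei tool: it parses the
router configuration files of sections 2.2.1 and 2.2.2, derives the intranet
prefixes the router really serves (private networks on non-NAT interfaces plus
private static routes) and compares them with the ACL bound by `nat outbound`.
SAMPLE_CONFIG is copied from the 2.2.1 file; all function names are my own."""
import ipaddress
import re

SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 2
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 3
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 200.0.0.2 255.255.255.0
 nat outbound 2001
#
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1
"""

def wildcard_to_network(addr, wildcard):
    """Basic ACL wildcard (inverse) mask -> CIDR prefix; the 0 bits must match.
    A non-contiguous wildcard is rejected rather than silently approximated."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = (wc + 1).bit_length() - 1
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_config(text):
    """acls: number -> [(action, net)]; interfaces: name -> {net, nat_acl}; routes: [(dest, nh)]."""
    acls, interfaces, routes, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            section = None  # a lone '#' closes the current view in a VRP config file
            continue
        if m := re.match(r"acl number (\d+)$", line):
            section = ("acl", m[1])
            acls.setdefault(m[1], [])
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m[1])
            interfaces[m[1]] = {"net": None, "nat_acl": None}
        elif m := re.match(r"ip route-static (\S+) (\S+) (\S+)$", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif section and section[0] == "acl":
            if m := re.match(r"rule \d+ (permit|deny) source (\S+) (\S+)$", line):
                acls[section[1]].append((m[1], wildcard_to_network(m[2], m[3])))
        elif section and section[0] == "if":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[section[1]]["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"nat outbound (\d+)$", line):
                interfaces[section[1]]["nat_acl"] = m[1]
    return acls, interfaces, routes

def served_prefixes(interfaces, routes):
    """Intranet the router forwards for: private nets on non-NAT interfaces + private static routes."""
    nets = {d["net"] for d in interfaces.values()
            if d["net"] and d["net"].is_private and d["nat_acl"] is None}
    nets |= {dst for dst, _ in routes if dst.prefixlen and dst.is_private}
    return sorted(nets)

def subtract(nets, covering):
    """Return the parts of `nets` that lie outside every prefix in `covering`."""
    remaining = list(nets)
    for c in covering:
        pieces = []
        for p in remaining:
            if c.supernet_of(p):
                continue  # p is fully covered, drop it
            pieces.extend(p.address_exclude(c) if c.subnet_of(p) else [p])
        remaining = pieces
    return sorted(remaining)

def audit_nat_scope(text):
    acls, interfaces, routes = parse_config(text)
    served = served_prefixes(interfaces, routes)
    permits = [net for d in interfaces.values() if d["nat_acl"] is not None
               for action, net in acls.get(d["nat_acl"], []) if action == "permit"]
    return {
        "served": served,
        "excess": subtract(permits, served),     # translated although no intranet user sits there
        "uncovered": subtract(served, permits),  # intranet that could never reach the Internet
        "tightened": [f"rule {5 * (i + 1)} permit source {n.network_address} {n.hostmask}"
                      for i, n in enumerate(served)],
    }

if __name__ == "__main__":
    for key, value in audit_nat_scope(SAMPLE_CONFIG).items():
        print(key, [str(x) for x in value])
```

Run against the 2.2.1 file, the audit lists eight excess prefixes (everything in 192.168.0.0/16 other than the two user segments) and emits a two-rule ACL that covers exactly 192.168.1.0/24 and 192.168.2.0/24 with the wildcard 0.0.0.255. Fed the 2.2.2 router file instead, it reports no excess, because the 192.168.0.0/16 static return route makes the /16 permit consistent with what that router forwards; whether a /16 return route is itself wider than the campus needs remains a design decision the script does not make.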

Examples for Applicable Products and Versions

Table 2-2 Applicable product models and versions

Series | Product Model | Software Version
S2700 | S2720-EI | V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S2700 | S2750-EI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S3700 | S3700-SI, S3700-EI | V100R006C05
S3700 | S3700-HI | V200R001C00
S5700 | S5700-LI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5700S-LI | V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5700-SI | V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700 | S5700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5700 | S5700-HI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700 | S5710-EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)
S5700 | S5710-HI | V200R003C00, V200R005(C00&C02&C03)
S5700 | S5720-LI, S5720S-LI | V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-SI, S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720I-SI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5720-HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730-SI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5730S-EI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700 | S5731-H | V200R013C02, V200R019C00, V200R019C10
S5700 | S5731-S, S5731S-S | V200R019C00, V200R019C10
S5700 | S5731S-H | V200R019C00, V200R019C10
S5700 | S5732-H | V200R019C00, V200R019C10
S5700 | S5735-L, S5735S-L | V200R019C00, V200R019C10
S5700 | S5735S-L-M | V200R019C00, V200R019C10
S5700 | S5735-S, S5735S-S | V200R019C00, V200R019C10
S6700 | S6700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6700 | S6720-LI, S6720S-LI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-SI, S6720S-SI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6720-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6700 | S6730-H | V200R013C02, V200R019C00, V200R019C10
S6700 | S6730-S, S6730S-S | V200R019C00, V200R019C10
S6700 | S6730S-H | V200R019C10
S7700 | S7703, S7706, S7712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R013C02, V200R019C00, V200R019C10
S7700 | S7703 PoE | V200R013C00, V200R019C00, V200R019C10
S7700 | S7706 PoE | V200R013C00, V200R019C00, V200R019C10
S9700 | S9703, S9706, S9712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00

2.3 Example for Configuring Egress Devices on Small- and Medium-Sized Campus or Branch Networks
Overview
A campus network egress sits between an enterprise's internal network and the external network and provides the only ingress and egress for data traffic between them. Small- and medium-scale enterprises want to deploy multiple types of services on the same device to reduce the initial investment in enterprise network construction and the long-term O&M cost. Enterprise network users require access to the Internet and to virtual private networks (VPNs). To reduce network construction and maintenance costs, small- and medium-scale enterprises often lease carrier Internet links to build VPNs. Campus networks requiring high reliability often deploy two egress routers to implement device-level reliability and use reliability techniques such as link aggregation, Virtual Router Redundancy Protocol (VRRP), and active and standby routes to ensure campus network egress reliability. Huawei AR series routers can be used as egress devices and work with Huawei S series switches to provide a cost-effective network solution for small- and medium-scale campus networks. Campus network egress devices must provide the following functions:

● Provide the network address translation (NAT) outbound and NAT server
functions to translate between private and public network addresses, so that
internal users can access the Internet and Internet users can access internal
servers.
● Support the construction of VPNs through the Internet so that branches of the
enterprise can communicate over VPNs.
● Encrypt data to protect data integrity and confidentiality, ensuring service
transmission security.
● Egress devices of small- and medium-scale campus networks must be reliable,
secure, low-cost, and easy to maintain.

Configuration Notes
This configuration example:

● Applies to small- and medium-sized enterprise campus/branch egress solutions.
● Provides only the enterprise network egress configuration. For the internal network configuration, see "Small- and Mid-Sized Campus Networks" in the HUAWEI S Series Campus Switches Quick Configuration.
● Uses S series switches running V200R008 and AR series routers running V200R003.

Networking Requirements
The headquarters and branch of an enterprise are located in different cities and
far from each other. The headquarters has two departments (A and B), and the
branch has only one department. A cross-regional enterprise campus network
needs to be constructed to meet the following requirements:

● Users in both the headquarters and the branch need Internet access, with one restriction: in the headquarters, users in Department A can access the Internet, but users in Department B are not allowed to; in the branch, all users can access the Internet.
● The headquarters has a web server to provide WWW service so that external
users can access the internal server.
● The headquarters and branch need to communicate through VPNs over the
Internet and communication contents must be protected.
● The headquarters' campus network egress requires link-level reliability and
device-level reliability.
● The branch does not need high reliability.

A comprehensive configuration solution, as shown in Figure 2-5, is provided to meet the preceding requirements. The solution adopts a multi-layer, modular, redundant, and secure design and applies to small- and medium-scale enterprise or branch campus networks.

Figure 2-5 Configuring egress devices for small- and medium-sized campus networks or branch networks

[Figure: topology recovered from the drawing. Enterprise branch: PC5, PC6, and Printer 3 connect to SwitchA (Eth0/0/2); SwitchA GE0/0/1 connects to RouterC GE2/0/0; RouterC GE1/0/0 connects to the Internet. Internet: RouterD and RouterE on the carrier side; IPSec tunnels run across the Internet between the branch egress router RouterC and the headquarters egress routers (tunnel endpoints marked A, B, and C). Enterprise headquarters: RouterA and RouterB (GE1/0/0 toward the Internet, Eth-Trunk1 toward the CORE) run VRRP VRID1 and OSPF Area 0 with the CORE; CORE Eth-Trunk3 and Eth-Trunk4 connect to RouterA and RouterB, CORE Eth-Trunk1 and Eth-Trunk2 connect to ACC1 and ACC2, and CORE GE0/0/5 connects to the web server; ACC1 serves Department A (VLAN 10: PC1, PC2, and Printer 1 on Eth0/0/2) and ACC2 serves Department B (VLAN 20: PC3, PC4, and Printer 2 on Eth0/0/2).]


Solution Overview
● Deploy Huawei S2700 and S3700 switches (ACC1, ACC2, and SwitchA) at the access layer, Huawei S5700 switches (CORE) at the core layer, and Huawei AR3200 routers (RouterA, RouterB, and RouterC) at the campus network egress.
● In the headquarters, use redundancy between two AR egress routers (RouterA
and RouterB) to ensure device-level reliability. In the branch, deploy one AR
router as the egress router.
● In the headquarters, set up a stack (CORE) between two S5700 core switches
to ensure device-level reliability.
● In the headquarters, deploy Eth-Trunks between access switches, the CORE,
and egress routers to ensure link-level reliability.
● In the headquarters, assign a VLAN to each department and transmit services
between departments at Layer 3 through VLANIF interfaces of the CORE.
● Use the CORE of the headquarters as the gateway for users and servers, and
deploy a DHCP server to assign IP addresses to users.
● Deploy the gateway for branch users on the egress router.
● Deploy VRRP between the two egress routers of the headquarters to ensure
reliability.
● Construct an Internet Protocol Security (IPSec) VPN between the
headquarters and branch over the Internet to enable communication while
ensuring data transmission security.
● Deploy Open Shortest Path First (OSPF) between the two egress routers and
CORE of the headquarters to advertise user routes for future capacity
expansion and maintenance.

Configuration Roadmap
The configuration roadmap is as follows:

1. Deploy the headquarters and branch campus networks.
In the headquarters, deploy a stack and link aggregation, configure VLANs
and IP addresses for interfaces, and deploy a DHCP server to allow users in
the headquarters campus network to communicate. Users within a
department communicate at Layer 2 through access switches, and users in
different departments communicate at Layer 3 through the VLANIF interfaces
of the CORE.
In the branch, configure VLANs and IP addresses for interfaces on access
switches and egress routers, and deploy a DHCP server to allow users in the
branch campus network to communicate.
2. Deploy VRRP.
To ensure reliability between the CORE and two egress routers of the
headquarters, deploy VRRP between the two egress routers so that VRRP
heartbeat packets are exchanged through the CORE. Configure RouterA as the
master device and RouterB as the backup device.
To prevent service interruption in the case of an uplink failure on RouterA,
associate the VRRP status with the uplink interface of RouterA. The
association ensures a fast VRRP switchover when the uplink fails.

3. Deploy routes.
To steer uplink traffic of devices, configure a default route with the VRRP
virtual address as the next hop on the CORE of the headquarters, and
configure a default route on each egress router of the headquarters and
branch, with the next hop pointing to the IP address of the connected carrier
network device (public network gateway address).
To steer the return traffic of two egress routers of the headquarters, configure
OSPF between the two egress routers and CORE, and advertise all user
network segments on the CORE into OSPF and then to the two egress routers.
On RouterD, to steer traffic generated by access to the web server from
external networks, configure two static routes of which the destination
address is the public network address of the web server and next-hop
addresses are uplink interface addresses of the two egress routers. To ensure
simultaneous route switchover and VRRP switchover, set the route with next
hop pointing to RouterA as the preferred one. When this route fails, the route
with next hop pointing to RouterB takes effect.
4. Configure NAT outbound.
To enable internal users to access the Internet, configure NAT on the uplink
interfaces of the two egress routers for translation between private network
addresses and public network addresses. Use an ACL to permit the source IP
address of packets from Department A so that users in Department A can
access the Internet while users in Department B cannot.
5. Configure a NAT server.
To enable external users to access the internal web server, configure a NAT
server on the uplink interfaces of the two egress routers to translate between
the public and private network addresses of the server.
6. Deploy IPSec VPN.
To enable users in the headquarters and branch to communicate through a
VPN, configure IPSec VPN between the egress routers of the headquarters
and branch for secure communication.

For the enterprise internal network configuration, see "Small- and Mid-Sized Campus
Networks" in the HUAWEI S Series Campus Switches Quick Configuration.

Data Plan
Table 2-3, Table 2-4, and Table 2-5 provide the data plan.

Table 2-3 Data plan for link aggregation of interfaces

Device | LAG Interface | Physical Interfaces
RouterA | Eth-Trunk1 | GE2/0/0, GE2/0/1
RouterB | Eth-Trunk1 | GE2/0/0, GE2/0/1
CORE | Eth-Trunk1 | GE0/0/1, GE1/0/1
CORE | Eth-Trunk2 | GE0/0/2, GE1/0/2
CORE | Eth-Trunk3 | GE0/0/3, GE1/0/3
CORE | Eth-Trunk4 | GE0/0/4, GE1/0/4
ACC1 | Eth-Trunk1 | GE0/0/1, GE0/0/2
ACC2 | Eth-Trunk1 | GE0/0/1, GE0/0/2

All Eth-Trunk interfaces work in Link Aggregation Control Protocol (LACP) mode.

Table 2-4 VLAN plan

Device | Data | Remarks
RouterA | Eth-Trunk1.100: dot1q termination sub-interface that terminates packets of VLAN 100 | Connects to the CORE of the headquarters
RouterB | Eth-Trunk1.100: dot1q termination sub-interface that terminates packets of VLAN 100 | Connects to the CORE of the headquarters
CORE | Eth-Trunk1: trunk interface that transparently transmits packets of VLAN 10 | Connects to Department A of the headquarters
CORE | Eth-Trunk2: trunk interface that transparently transmits packets of VLAN 20 | Connects to Department B of the headquarters
CORE | GE0/0/5: access interface with VLAN 30 as the default VLAN | Connects to the web server of the headquarters
CORE | Eth-Trunk3: trunk interface that transparently transmits packets of VLAN 100 | Connects to RouterA of the headquarters
CORE | Eth-Trunk4: trunk interface that transparently transmits packets of VLAN 100 | Connects to RouterB of the headquarters
ACC1 | Eth-Trunk1: trunk interface that transparently transmits packets of VLAN 10 | Connects to the CORE of the headquarters
ACC1 | Ethernet0/0/2: access interface with VLAN 10 as the default VLAN | Connects to PC1 in Department A
ACC2 | Eth-Trunk1: trunk interface that transparently transmits packets of VLAN 20 | Connects to the CORE of the headquarters
ACC2 | Ethernet0/0/2: access interface with VLAN 20 as the default VLAN | Connects to PC3 in Department B
RouterC | GE2/0/0.200: dot1q termination sub-interface that terminates packets of VLAN 200 | Connects to SwitchA (access switch) of the branch
SwitchA | GE0/0/1: trunk interface that transparently transmits packets of VLAN 200 | Connects to RouterC (egress router) of the branch
SwitchA | Ethernet0/0/2: access interface with VLAN 200 as the default VLAN | Connects to PC5 in the branch


Table 2-5 IP address plan

Device     | Data | Remarks
-----------|------|--------
RouterA    | GE1/0/0: 202.10.1.2/24 | GE1/0/0 connects to the carrier network.
RouterA    | Eth-Trunk1.100: 10.10.100.2/24 | Eth-Trunk1.100 connects to the CORE of the headquarters.
RouterB    | GE1/0/0: 202.10.2.2/24 | -
RouterB    | Eth-Trunk1.100: 10.10.100.3/24 | -
CORE       | VLANIF 10: 10.10.10.1/24 | VLANIF 10 functions as the user gateway of department A.
CORE       | VLANIF 20: 10.10.20.1/24 | VLANIF 20 functions as the user gateway of department B.
CORE       | VLANIF 30: 10.10.30.1/24 | VLANIF 30 functions as the gateway of the web server.
CORE       | VLANIF 100: 10.10.100.4/24 | VLANIF 100 connects to the egress routers.
Web server | IP address: 10.10.30.2/24; default gateway: 10.10.30.1 | Public network IP address translated by the NAT server: 202.10.100.3
PC1        | IP address: 10.10.10.2/24; default gateway: 10.10.10.1 | IP address 10.10.10.2/24 is allocated to the PC through DHCP in this example.
PC3        | IP address: 10.10.20.2/24; default gateway: 10.10.20.1 | IP address 10.10.20.2/24 is allocated to the PC through DHCP in this example.
RouterD    | InterfaceB: interface number GigabitEthernet1/0/0 and IP address 202.10.1.1/24; InterfaceC: interface number GigabitEthernet2/0/0 and IP address 202.10.2.1/24 | RouterD is a carrier network device. The interface numbers used here are examples. When configuring a device, use the actual interface number.
RouterE    | InterfaceA: interface number GigabitEthernet1/0/0 and IP address 203.10.1.1/24 | RouterE is a carrier network device. The interface number used here is an example. When configuring a device, use the actual interface number.
RouterC    | GE1/0/0: 203.10.1.2/24 | -
RouterC    | GE2/0/0.200: 10.10.200.1/24 | -
PC5        | IP address: 10.10.200.2/24; default gateway: 10.10.200.1 | IP address 10.10.200.2/24 is allocated to the PC through DHCP in this example.

Procedure
Step 1 Configure Eth-Trunks between the CORE and two egress routers of the
headquarters.
# Configure the CORE.
<HUAWEI> system-view
[HUAWEI] sysname CORE
[CORE] interface eth-trunk 3
[CORE-Eth-Trunk3] mode lacp
[CORE-Eth-Trunk3] quit
[CORE] interface eth-trunk 4
[CORE-Eth-Trunk4] mode lacp
[CORE-Eth-Trunk4] quit
[CORE] interface gigabitethernet 0/0/3
[CORE-GigabitEthernet0/0/3] eth-trunk 3
[CORE-GigabitEthernet0/0/3] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] eth-trunk 3
[CORE-GigabitEthernet1/0/3] quit
[CORE] interface gigabitethernet 0/0/4
[CORE-GigabitEthernet0/0/4] eth-trunk 4
[CORE-GigabitEthernet0/0/4] quit
[CORE] interface gigabitethernet 1/0/4
[CORE-GigabitEthernet1/0/4] eth-trunk 4
[CORE-GigabitEthernet1/0/4] quit

# Configure RouterA (egress router) of the headquarters. The configuration of RouterB is similar to that of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] eth-trunk 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 2/0/1

[RouterA-GigabitEthernet2/0/1] eth-trunk 1
[RouterA-GigabitEthernet2/0/1] quit

Step 2 Configure VLANs and IP addresses for interfaces.

# Configure the CORE.
[CORE] vlan 100
[CORE-vlan100] quit
[CORE] interface Eth-Trunk 3
[CORE-Eth-Trunk3] port link-type trunk
[CORE-Eth-Trunk3] port trunk allow-pass vlan 100
[CORE-Eth-Trunk3] quit
[CORE] interface Eth-Trunk 4
[CORE-Eth-Trunk4] port link-type trunk
[CORE-Eth-Trunk4] port trunk allow-pass vlan 100
[CORE-Eth-Trunk4] quit
[CORE] interface vlanif 100
[CORE-Vlanif100] ip address 10.10.100.4 24
[CORE-Vlanif100] quit

# Configure RouterA (egress router) of the headquarters. The configuration of RouterB is similar to that of RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] ip address 10.10.100.2 24
[RouterA-Eth-Trunk1.100] dot1q termination vid 100
[RouterA-Eth-Trunk1.100] arp broadcast enable //Enable the interface to process ARP broadcast packets. This function has been enabled on AR3200 series routers running V200R003C01 and later versions by default.
[RouterA-Eth-Trunk1.100] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 202.10.1.2 24
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterC (egress router) of the branch.
<Huawei> system-view
[Huawei] sysname RouterC
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 203.10.1.2 24
[RouterC-GigabitEthernet1/0/0] quit

Step 3 Deploy VRRP. Configure VRRP between RouterA and RouterB of the headquarters,
and configure RouterA as the master device and RouterB as the backup device.

# Configure RouterA.
[RouterA] interface Eth-Trunk 1.100
[RouterA-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterA-Eth-Trunk1.100] vrrp vrid 1 priority 120
[RouterA-Eth-Trunk1.100] vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
[RouterA-Eth-Trunk1.100] quit
//To prevent service interruption in the case of an uplink failure on RouterA, associate the VRRP status with the uplink interface of RouterA. The association ensures a fast VRRP switchover when the uplink fails.

# Configure RouterB.
[RouterB] interface Eth-Trunk 1.100
[RouterB-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.100.1
[RouterB-Eth-Trunk1.100] quit

After the configuration is complete, a VRRP group should have been set up
between RouterA and RouterB. You can run the display vrrp command to view
the VRRP status of the two egress routers.

# Check that the VRRP status of RouterA is Master.

[RouterA] display vrrp


Eth-Trunk1.100 | Virtual Router 1
State : Master
Virtual IP : 10.10.100.1
Master IP : 10.10.100.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/0 Priority reduced : 40
IF state : UP
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13

# Check that the VRRP status of RouterB is Backup.
[RouterB] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Backup
Virtual IP : 10.10.100.1
Master IP : 10.10.100.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2015-05-18 06:53:52 UTC-05:13
Last change time : 2015-05-18 06:57:12 UTC-05:13

Step 4 Deploy routes.
1. Configure default routes to steer uplink traffic of devices.
# Configure a default route with the VRRP virtual address as the next hop on the CORE.
[CORE] ip route-static 0.0.0.0 0.0.0.0 10.10.100.1

# Configure a default route on each egress router of the headquarters and branch, with the next hop pointing to the IP address of the connected carrier network device (public network gateway address).
[RouterA] ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
[RouterB] ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
[RouterC] ip route-static 0.0.0.0 0.0.0.0 203.10.1.1

2. Deploy OSPF. Configure OSPF between two egress routers (RouterA and
RouterB) and CORE of the headquarters so that the two egress routers can
learn return routes from user network segments.
# Configure RouterA (egress router) of the headquarters.
[RouterA] ospf 1 router-id 10.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit

# Configure RouterB (egress router) of the headquarters.
[RouterB] ospf 1 router-id 10.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit

# Configure the CORE.
[CORE] ospf 1 router-id 10.3.3.3
[CORE-ospf-1] area 0
[CORE-ospf-1-area-0.0.0.0] network 10.10.100.0 0.0.0.255
[CORE-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255 //Advertise the user network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255 //Advertise the user network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255 //Advertise the web server network segment into OSPF.
[CORE-ospf-1-area-0.0.0.0] quit

# After the configuration is complete, an OSPF neighbor relationship should have been established between the CORE, RouterA and RouterB. You can run the display ospf peer command to view the OSPF neighbor status. The following uses the display on the CORE as an example. You can see that the OSPF neighbor status is Full.
[CORE] display ospf peer

OSPF Process 1 with Router ID 10.3.3.3
Neighbors

Area 0.0.0.0 interface 10.10.100.4(Vlanif100)'s neighbors
Router ID: 10.1.1.1 Address: 10.10.100.2
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.10.100.4 BDR: 10.10.100.3 MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 5
Neighbor is up for 00:26:37
Authentication Sequence: [ 0 ]

Router ID: 10.2.2.2 Address: 10.10.100.3
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.10.100.4 BDR: 10.10.100.3 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:26:37
Authentication Sequence: [ 0 ]
3. Configure static routes (return routes) from external networks to the public
network address of the internal server.
# On RouterD, configure two static routes of which the destination address is
the public network address of the internal server and next-hop addresses are
uplink interface addresses of RouterA and RouterB. To ensure simultaneous
route switchover and VRRP switchover, set the route with next hop pointing to
RouterA as the preferred one. When this route fails, the route with next hop
pointing to RouterB takes effect.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.1.2 preference 40 //Set the route with next hop pointing to RouterA as the preferred route.
[RouterD] ip route-static 202.10.100.0 255.255.255.0 202.10.2.2

When the uplink of RouterA is interrupted, the following actions are triggered:
a. VRRP master/backup switchover between two egress routers (RouterA
and RouterB) is implemented through association between the VRRP
status and uplink interface status of the two egress routers.

b. Active/standby switchover between routes from the carrier router RouterD to the internal server is implemented through the configuration of active and standby routes on RouterD.
The two actions ensure that the VRRP master/backup switchover and active/
standby route switchover occur simultaneously when the uplink of RouterA is
interrupted and ensure reliability of the incoming and outgoing paths.
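The interlock between the VRRP track reduction on RouterA and the route preferences on RouterD can be checked with a small model. The following Python script is an added example and is not part of the Huawei guide. The router names, addresses, priorities and preferences are those of the data plan; the EgressRouter and StaticRoute types and the simulate function are this example's own, and it assumes the VRP defaults of 100 for an unconfigured VRRP priority and 60 for a static route preference. It also goes one step beyond the text: passing a smaller track_reduce shows the split-path condition that would arise if the reduction did not push RouterA's running priority below RouterB's.

```python
"""Model of the coordinated VRRP / static-route failover between RouterA and
RouterB (added example, not the guide's own code).  Names, addresses and
priorities come from the data plan; the modelling types are this example's."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

VRRP_DEFAULT_PRIORITY = 100      # VRP default when no priority is configured (assumption)
STATIC_DEFAULT_PREFERENCE = 60   # VRP default static route preference (assumption)


@dataclass
class EgressRouter:
    name: str
    vrrp_ip: str          # Eth-Trunk1.100 address used for VRRP
    uplink_ip: str        # GE1/0/0 address, the next hop RouterD points at
    priority: int         # configured VRRP priority
    track_reduce: int = 0 # "vrrp vrid 1 track interface ... reduced N"
    uplink_up: bool = True

    def running_priority(self) -> int:
        """PriorityRun as 'display vrrp' would show it once tracking applies."""
        if self.uplink_up:
            return self.priority
        return max(self.priority - self.track_reduce, 1)


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int = STATIC_DEFAULT_PREFERENCE


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def vrrp_master(routers: List[EgressRouter]) -> EgressRouter:
    """Highest running priority wins; ties go to the higher interface address."""
    return max(routers, key=lambda r: (r.running_priority(), _ip_key(r.vrrp_ip)))


def active_route(routes: List[StaticRoute], reachable: set) -> Optional[StaticRoute]:
    """Among routes whose next hop is still reachable, the lowest preference is active."""
    candidates = [r for r in routes if r.next_hop in reachable]
    return min(candidates, key=lambda r: r.preference) if candidates else None


def paths_consistent(routers: List[EgressRouter],
                     routes: List[StaticRoute]) -> Tuple[str, Optional[str], bool]:
    """Return (outbound master, inbound router chosen by RouterD, same router?)."""
    master = vrrp_master(routers)
    reachable = {r.uplink_ip for r in routers if r.uplink_up}
    inbound = active_route(routes, reachable)
    inbound_name = None
    if inbound is not None:
        inbound_name = next(r.name for r in routers if r.uplink_ip == inbound.next_hop)
    return master.name, inbound_name, master.name == inbound_name


def build_topology(track_reduce: int = 40):
    router_a = EgressRouter("RouterA", "10.10.100.2", "202.10.1.2", 120, track_reduce)
    router_b = EgressRouter("RouterB", "10.10.100.3", "202.10.2.2", VRRP_DEFAULT_PRIORITY)
    routes = [
        StaticRoute("202.10.100.0/24", "202.10.1.2", preference=40),  # preferred, via RouterA
        StaticRoute("202.10.100.0/24", "202.10.2.2"),                 # backup, via RouterB
    ]
    return [router_a, router_b], routes


def simulate(uplink_a_up: bool, track_reduce: int = 40) -> Tuple[str, Optional[str], bool]:
    """State of both directions with RouterA's uplink up or down."""
    routers, routes = build_topology(track_reduce)
    routers[0].uplink_up = uplink_a_up
    return paths_consistent(routers, routes)


if __name__ == "__main__":
    print("uplink up      :", simulate(True))       # ('RouterA', 'RouterA', True)
    print("uplink down    :", simulate(False))      # ('RouterB', 'RouterB', True)
    print("reduced 10 only:", simulate(False, 10))  # ('RouterA', 'RouterB', False)
```

With the configured reduction of 40, RouterA drops to 80 when GE1/0/0 fails, RouterB (100) preempts, and RouterD's backup route via 202.10.2.2 becomes active at the same time, so both directions use RouterB. A reduction of 10 would leave RouterA at 110, still master for outbound traffic while inbound traffic already arrives via RouterB.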
Step 5 Configure NAT outbound.
1. Define data flows for NAT translation on the egress routers of the
headquarters and branch.
In the headquarters, only users in Department A can access the Internet using
source IP address 10.10.10.0/24. In the branch, all users can access the
Internet using source IP address 10.10.200.0/24.
# Configure RouterA (egress router) of the headquarters. The configuration of
RouterB is similar to that of RouterA.
[RouterA] acl 3000
[RouterA-acl-adv-3000] rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to deny the data flow to be protected by IPSec.
[RouterA-acl-adv-3000] rule 15 permit ip source 10.10.10.0 0.0.0.255 //Configure an ACL to permit the data flow for NAT translation.
[RouterA-acl-adv-3000] quit
//On Huawei AR3200 series routers, if IPSec and NAT are configured on the same interface, NAT translation is performed first. To avoid performing NAT translation on the data flows to be protected by IPSec, configure ACLs to be referenced by NAT to deny the data flows to be protected by IPSec.

# Configure RouterC (egress router) of the branch.
[RouterC] acl 3000
[RouterC-acl-adv-3000] rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterC-acl-adv-3000] rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[RouterC-acl-adv-3000] rule 15 permit ip source 10.10.200.0 0.0.0.255
[RouterC-acl-adv-3000] quit
//Configure ACLs to be referenced by NAT to deny the data flows to be protected by IPSec.
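To see why ACL 3000 must deny the VPN flows before it permits department A, the following Python script is an added example (not the guide's code) that evaluates ACL 3000 and the IPSec ACL 3001 from Step 7 with first-match wildcard semantics and applies them in the order the note gives: NAT outbound first, then the IPSec policy on the same interface. The addresses and rules are copied from this configuration example; the Rule and Flow types, the egress_action function and the assumption that easy IP rewrites the source address to the GE1/0/0 address 202.10.1.2 are this example's own. ACL_3000_WITHOUT_DENY is a constructed variant that shows the effect of omitting rules 5 and 10.

```python
"""First-match ACL evaluation with wildcard masks, then NAT-before-IPSec on the
egress interface (added example, not the guide's code).  Addresses are from the
data plan; types, helper functions and the easy-IP source address assumption
(202.10.1.2, the GE1/0/0 address of RouterA) are this example's own."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # an omitted source/destination matches everything


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "permit" or "deny"
    source: Tuple[str, str]           # (address, wildcard)
    destination: Tuple[str, str] = ANY


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def _matches(addr: str, spec: Tuple[str, str]) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(spec[0]))
    wild = int(ipaddress.IPv4Address(spec[1]))
    care = ~wild & 0xFFFFFFFF
    return (a & care) == (base & care)


def acl_lookup(rules: List[Rule], flow: Flow) -> Optional[str]:
    """The first matching rule (by rule number) decides; None when nothing
    matches, which means the flow is neither translated nor protected."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if _matches(flow.src, rule.source) and _matches(flow.dst, rule.destination):
            return rule.action
    return None


def egress_action(flow: Flow, nat_acl: List[Rule], ipsec_acl: List[Rule],
                  outbound_ip: str = "202.10.1.2") -> Tuple[bool, bool, str]:
    """NAT is applied first; the IPSec ACL then sees the translated packet.
    Returns (translated, protected_by_ipsec, source address on the wire)."""
    translated = acl_lookup(nat_acl, flow) == "permit"
    on_wire = Flow(outbound_ip, flow.dst) if translated else flow
    protected = acl_lookup(ipsec_acl, on_wire) == "permit"
    return translated, protected, on_wire.src


HQ_A = ("10.10.10.0", "0.0.0.255")
HQ_B = ("10.10.20.0", "0.0.0.255")
BRANCH = ("10.10.200.0", "0.0.0.255")

# ACL 3000 as configured on RouterA above
ACL_3000 = [
    Rule(5, "deny", HQ_A, BRANCH),
    Rule(10, "deny", HQ_B, BRANCH),
    Rule(15, "permit", HQ_A),
]
# ACL 3001 as configured on RouterA in Step 7
ACL_3001 = [
    Rule(5, "permit", HQ_A, BRANCH),
    Rule(10, "permit", HQ_B, BRANCH),
]
# Constructed variant: the same NAT ACL without the two deny rules
ACL_3000_WITHOUT_DENY = [Rule(15, "permit", HQ_A)]


def demo(nat_acl: List[Rule] = ACL_3000) -> dict:
    """Classify the four flows the verification step exercises."""
    flows = {
        "PC1 -> PC5 (branch)": Flow("10.10.10.2", "10.10.200.2"),
        "PC3 -> PC5 (branch)": Flow("10.10.20.2", "10.10.200.2"),
        "PC1 -> Internet":     Flow("10.10.10.2", "202.10.1.1"),
        "PC3 -> Internet":     Flow("10.10.20.2", "202.10.1.1"),
    }
    return {name: egress_action(f, nat_acl, ACL_3001) for name, f in flows.items()}


if __name__ == "__main__":
    for label, acl in (("as configured", ACL_3000), ("without deny rules", ACL_3000_WITHOUT_DENY)):
        print(label)
        for name, (nat, sec, src) in demo(acl).items():
            print(f"  {name:22s} translated={nat!s:5} ipsec={sec!s:5} src={src}")
```

With the ACL as configured, the two branch-bound flows are left untranslated and match ACL 3001, PC1's Internet flow is translated and is not protected, and PC3's Internet flow matches nothing and is dropped at the carrier side as the ping timeouts in Step 8 show. Without rules 5 and 10, PC1's branch-bound flow would be translated first, leave with source 202.10.1.2, and no longer match ACL 3001, so it would bypass the tunnel.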

2. Configure NAT on the uplink interfaces of the egress routers of the headquarters and branch.
# Configure RouterA. The configurations of RouterB and RouterC are similar to that of RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat outbound 3000
[RouterA-GigabitEthernet1/0/0] quit

3. Verify the configuration.
# After the configuration is complete, run the display nat outbound command to view the NAT configuration. The following uses the display on RouterA as an example.
[RouterA] display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
GigabitEthernet1/0/0 3000 202.10.1.2 easyip
--------------------------------------------------------------------------
Total : 1

Step 6 Deploy a NAT server.


The headquarters has a web server. You need to configure a NAT server on the
two egress routers (RouterA and RouterB) to allow external users to access the
internal web server.
# Configure RouterA.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
[RouterA-GigabitEthernet1/0/0] quit

# Configure RouterB.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
[RouterB-GigabitEthernet1/0/0] quit

# After the configuration is complete, run the display nat server command to
view NAT server configuration. The following uses the display on RouterA as an
example.
[RouterA] display nat server

Nat Server Information:
Interface : GigabitEthernet1/0/0
Global IP/Port : 202.10.100.3/80(www)
Inside IP/Port : 10.10.30.2/8080
Protocol : 6(tcp)
VPN instance-name : ----
Acl number : ----
Description : ----

Total : 1

Step 7 Deploy IPSec VPN so that the headquarters and branch can communicate through
the VPN over the Internet and data communication can be protected.
1. Configure ACLs to permit the data flows to be protected by IPSec.
# Configure RouterA (egress router) of the headquarters.
[RouterA] acl 3001
[RouterA-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255 //Configure an ACL to permit the data flow to be protected by IPSec.
[RouterA-acl-adv-3001] quit

# Configure RouterB (egress router) of the headquarters.
[RouterB] acl 3001
[RouterB-acl-adv-3001] rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
[RouterB-acl-adv-3001] quit

# Configure RouterC (egress router) of the branch.
[RouterC] acl 3001
[RouterC-acl-adv-3001] rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
[RouterC-acl-adv-3001] rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
[RouterC-acl-adv-3001] quit

2. Configure an IPSec proposal.


# Configure RouterA (egress router) of the headquarters. The configurations of RouterB and RouterC are similar to that of RouterA.
[RouterA] ipsec proposal tran1
[RouterA-ipsec-proposal-tran1] esp authentication-algorithm sha2-256 //Configure the authentication algorithm used by ESP.
[RouterA-ipsec-proposal-tran1] esp encryption-algorithm aes 128 //Configure the encryption algorithm used by ESP.
[RouterA-ipsec-proposal-tran1] quit

3. Configure an IKE proposal.

# Configure RouterA (egress router) of the headquarters. The configurations of RouterB and RouterC are similar to that of RouterA.
[RouterA] ike proposal 5
[RouterA-ike-proposal-5] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-5] quit

4. Configure an IKE peer.

# Configure RouterA (egress router) of the headquarters.
[RouterA] ike peer vpn v1
[RouterA-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterA-ike-peer-vpn] ike-proposal 5
[RouterA-ike-peer-vpn] dpd type periodic //Configure periodic dead peer detection (DPD).
[RouterA-ike-peer-vpn] dpd idle-time 10 //Set the DPD idle time to 10 seconds.
[RouterA-ike-peer-vpn] remote-address 203.10.1.2
[RouterA-ike-peer-vpn] quit

# Configure RouterB (egress router) of the headquarters.
[RouterB] ike peer vpn v1
[RouterB-ike-peer-vpn] pre-shared-key cipher huawei123
[RouterB-ike-peer-vpn] ike-proposal 5
[RouterB-ike-peer-vpn] dpd type periodic
[RouterB-ike-peer-vpn] dpd idle-time 10
[RouterB-ike-peer-vpn] remote-address 203.10.1.2
[RouterB-ike-peer-vpn] quit

# Configure RouterC (egress router) of the branch.
[RouterC] ike peer vpnr1 v1
[RouterC-ike-peer-vpnr1] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr1] ike-proposal 5
[RouterC-ike-peer-vpnr1] dpd type periodic
[RouterC-ike-peer-vpnr1] dpd idle-time 10
[RouterC-ike-peer-vpnr1] remote-address 202.10.1.2
[RouterC-ike-peer-vpnr1] quit
[RouterC] ike peer vpnr2 v1
[RouterC-ike-peer-vpnr2] pre-shared-key cipher huawei123
[RouterC-ike-peer-vpnr2] ike-proposal 5
[RouterC-ike-peer-vpnr2] dpd type periodic
[RouterC-ike-peer-vpnr2] dpd idle-time 10
[RouterC-ike-peer-vpnr2] remote-address 202.10.2.2
[RouterC-ike-peer-vpnr2] quit

5. Configure a security policy.

# Configure RouterA (egress router) of the headquarters.
[RouterA] ipsec policy ipsec_vpn 10 isakmp
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterA-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterB (egress router) of the headquarters.

[RouterB] ipsec policy ipsec_vpn 10 isakmp
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpn
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterB-ipsec-policy-isakmp-ipsec_vpn-10] quit

# Configure RouterC (egress router) of the branch.
[RouterC] ipsec policy ipsec_vpn 10 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] ike-peer vpnr1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-10] quit
[RouterC] ipsec policy ipsec_vpn 20 isakmp
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] security acl 3001
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] ike-peer vpnr2
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] proposal tran1
[RouterC-ipsec-policy-isakmp-ipsec_vpn-20] quit

6. Apply an IPSec policy group to an interface.


# Apply an IPSec policy group to GE1/0/0 that connects RouterA to RouterD.
[RouterA] interface GigabitEthernet1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterA-GigabitEthernet1/0/0] quit

# Apply an IPSec policy group to GE1/0/0 that connects RouterB to RouterD.
[RouterB] interface GigabitEthernet1/0/0
[RouterB-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterB-GigabitEthernet1/0/0] quit

# Apply an IPSec policy group to GE1/0/0 that connects RouterC to RouterE.
[RouterC] interface GigabitEthernet1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy ipsec_vpn
[RouterC-GigabitEthernet1/0/0] quit

7. Verify the configuration.
# After the configuration is complete, run the display ike sa command to view information about the security association (SA) established through IKE negotiation.
[RouterC] display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
7 202.10.2.2 0 RD|ST 2
4 202.10.2.2 0 RD 2
2 202.10.2.2 0 RD 1
6 202.10.1.2 0 RD|ST 2
5 202.10.1.2 0 RD 2
3 202.10.1.2 0 RD 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

# After the configuration is complete, run the display ipsec sa command to view SA information. The following uses the display on RouterC as an example.
[RouterC] display ipsec sa

===============================
Interface: GigabitEthernet1/0/0
Path MTU: 1500
===============================


-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule :5
Mode : ISAKMP
-----------------------------
Connection ID :5
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 969156085 (0x39c425f5)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887313920/1521
Max sent sequence-number: 8
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 1258341975 (0x4b00c657)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436080/1521
Max received sequence-number: 10
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 10
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID :6
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.1.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 4217384908 (0xfb602fcc)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887283200/1522
Max sent sequence-number: 10
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 654720480 (0x27063de0)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436080/1522
Max received sequence-number: 10
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule :5
Mode : ISAKMP
-----------------------------
Connection ID :4


Encapsulation mode: Tunnel


Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.10.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 240759500 (0xe59b2cc)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1521
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 3888073495 (0xe7bf4b17)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1521
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "ipsec_vpn"
Sequence number : 20
Acl Group : 3001
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID :7
Encapsulation mode: Tunnel
Tunnel local : 203.10.1.2
Tunnel remote : 202.10.2.2
Flow source : 10.10.200.0/255.255.255.0 0/0
Flow destination : 10.10.20.0/255.255.255.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2751917383 (0xa406ed47)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1522
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 739146604 (0x2c0e7b6c)
Proposal: ESP-ENCRYPT-AES-128 SHA2-256-128
SA remaining key duration (bytes/sec): 1887436800/1522
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

Step 8 Verify the configuration.

# Run the ping command to test the connectivity between the headquarters and
branch.
PC1>ping 10.10.200.2

Ping 10.10.200.2: 32 data bytes, Press Ctrl_C to break


From 10.10.200.2: bytes=32 seq=1 ttl=126 time=140 ms
From 10.10.200.2: bytes=32 seq=2 ttl=126 time=235 ms
From 10.10.200.2: bytes=32 seq=3 ttl=126 time=266 ms
From 10.10.200.2: bytes=32 seq=4 ttl=126 time=140 ms
From 10.10.200.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.200.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/184/266 ms
PC3>ping 10.10.200.2

Ping 10.10.200.2: 32 data bytes, Press Ctrl_C to break


From 10.10.200.2: bytes=32 seq=1 ttl=126 time=156 ms
From 10.10.200.2: bytes=32 seq=2 ttl=126 time=297 ms
From 10.10.200.2: bytes=32 seq=3 ttl=126 time=156 ms
From 10.10.200.2: bytes=32 seq=4 ttl=126 time=141 ms
From 10.10.200.2: bytes=32 seq=5 ttl=126 time=109 ms

--- 10.10.200.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 109/171/297 ms

The preceding command output shows that PC1 and PC5, and PC3 and PC5 can
communicate with each other, and the headquarters and branch can communicate
through the VPN over the Internet.
# Verify the connectivity between departments of the headquarters and the
Internet. In the following example, ping the public network gateway 202.10.1.1 of
the headquarters from PC1 and PC3.
PC1>ping 202.10.1.1

Ping 202.10.1.1: 32 data bytes, Press Ctrl_C to break


From 202.10.1.1: bytes=32 seq=1 ttl=253 time=235 ms
From 202.10.1.1: bytes=32 seq=2 ttl=253 time=109 ms
From 202.10.1.1: bytes=32 seq=3 ttl=253 time=79 ms
From 202.10.1.1: bytes=32 seq=4 ttl=253 time=63 ms
From 202.10.1.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 202.10.1.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/109/235 ms
PC3>ping 202.10.1.1

Ping 202.10.1.1: 32 data bytes, Press Ctrl_C to break


Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 202.10.1.1 ping statistics ---


5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

The preceding command output shows that users (such as PC1) in Department A
can access the public network but users (such as PC3) in Department B cannot.

----End

Configuration Files
● Core switch configuration file
#
sysname CORE
#
vlan batch 100
#
interface Vlanif100
ip address 10.10.100.4 255.255.255.0
#
interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 100
mode lacp

#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 100
mode lacp

#
interface GigabitEthernet0/0/3
eth-trunk 3
#
interface GigabitEthernet0/0/4
eth-trunk 4
#
interface GigabitEthernet1/0/3
eth-trunk 3
#
interface GigabitEthernet1/0/4
eth-trunk 4
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 10.10.100.0 0.0.0.255
network 10.10.10.0 0.0.0.255
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
#
return
● RouterA configuration file
#
sysname RouterA
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpn v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
vrrp vrid 1 priority 120
vrrp vrid 1 track interface GigabitEthernet1/0/0 reduced 40
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 202.10.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
#
return
● RouterB configuration file
#
sysname RouterB
#
acl number 3000
rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpn v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 203.10.1.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpn
proposal tran1
#
interface Eth-Trunk1
undo portswitch
mode lacp-static
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/0/0
ip address 202.10.2.2 255.255.255.0
ipsec policy ipsec_vpn
nat server protocol tcp global 202.10.100.3 www inside 10.10.30.2 8080
nat outbound 3000
#
interface GigabitEthernet2/0/0
eth-trunk 1
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.10.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.2.1
#
return
● Configuration file of the branch egress router RouterC
#
sysname RouterC
#
acl number 3000
rule 5 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 deny ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
rule 15 permit ip source 10.10.200.0 0.0.0.255
acl number 3001
rule 5 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
rule 10 permit ip source 10.10.200.0 0.0.0.255 destination 10.10.20.0 0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes 128
#
ike proposal 5
encryption-algorithm aes-cbc-128
#
ike peer vpnr1 v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.10.1.2
#
ike peer vpnr2 v1
pre-shared-key cipher "@J*U2S*(7F,YWX*NZ55OA!!
ike-proposal 5
dpd type periodic
dpd idle-time 10
remote-address 202.10.2.2
#
ipsec policy ipsec_vpn 10 isakmp
security acl 3001
ike-peer vpnr1
proposal tran1
#
ipsec policy ipsec_vpn 20 isakmp
security acl 3001
ike-peer vpnr2
proposal tran1
#
interface GigabitEthernet1/0/0
ip address 203.10.1.2 255.255.255.0
ipsec policy ipsec_vpn
nat outbound 3000
#
ip route-static 0.0.0.0 0.0.0.0 203.10.1.1
#
return
● Configuration file of the headquarters carrier router RouterD
#
sysname RouterD
#
interface GigabitEthernet1/0/0
ip address 202.10.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 202.10.2.1 255.255.255.0
#
ip route-static 202.10.100.0 255.255.255.0 202.10.1.2 preference 40
ip route-static 202.10.100.0 255.255.255.0 202.10.2.2
#
return
● Configuration file of the branch carrier router RouterE
#
sysname RouterE
#
interface GigabitEthernet1/0/0
ip address 203.10.1.1 255.255.255.0
#
return
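In the RouterA, RouterB and RouterC configuration files above, ACL 3000 drives nat outbound and ACL 3001 selects the traffic that the IPsec policy protects; the deny rules at the top of ACL 3000 exempt headquarters-to-branch traffic from NAT so that it still matches ACL 3001, and the single permit rule covers only Department A (10.10.10.0/24). The following Python, an added example rather than part of the original document, parses RouterA's two ACLs and classifies constructed sample flows (hosts 10.10.10.5, 10.10.20.5 and 10.10.200.7, with 203.0.113.10 standing in for an Internet host) the way the WAN interface treats them, including what happens when the deny rules are missing.

```python
"""Evaluate RouterA's NAT ACL (3000) and IPsec security ACL (3001) against sample flows."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL definitions copied from the RouterA configuration file above.
ROUTER_A_ACLS = """
acl number 3000
 rule 5 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 deny ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 15 permit ip source 10.10.10.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
 rule 10 permit ip source 10.10.20.0 0.0.0.255 destination 10.10.200.0 0.0.0.255
#
"""

Match = Tuple[str, str]  # (address, wildcard mask) as written in the ACL rule


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                   # "permit" or "deny"
    source: Optional[Match]       # None: any source
    destination: Optional[Match]  # None: any destination


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard masks use 1 bits for 'do not care', so 0.0.0.255 covers a whole /24."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acls(config: str) -> Dict[int, List[Rule]]:
    """Collect the 'acl number N' blocks of a VRP configuration into {N: [Rule, ...]}."""
    acls: Dict[int, List[Rule]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "#":              # '#' closes the current configuration block
            current = None
        elif tokens[:2] == ["acl", "number"]:
            current = int(tokens[2])
            acls[current] = []
        elif tokens[0] == "rule" and current is not None:
            src = dst = None
            i = 4                         # tokens[3] is the protocol keyword ("ip")
            while i < len(tokens):
                key = tokens[i]
                if tokens[i + 1] == "any":
                    value, i = ("0.0.0.0", "255.255.255.255"), i + 2
                else:
                    value, i = (tokens[i + 1], tokens[i + 2]), i + 3
                if key == "source":
                    src = value
                elif key == "destination":
                    dst = value
            acls[current].append(Rule(int(tokens[1]), tokens[2], src, dst))
    return acls


def first_match(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Config-order matching: the lowest rule ID that matches decides; None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.source and not wildcard_match(src_ip, *rule.source):
            continue
        if rule.destination and not wildcard_match(dst_ip, *rule.destination):
            continue
        return rule.action
    return None


def classify_egress(acls: Dict[int, List[Rule]], src_ip: str, dst_ip: str,
                    nat_acl: int = 3000, ipsec_acl: int = 3001) -> str:
    """Outcome for a flow leaving the interface carrying 'nat outbound 3000' and 'ipsec policy ipsec_vpn'.

    ipsec    - permitted by the security ACL; the deny rules in the NAT ACL keep its private source intact
    nat      - permitted by the NAT ACL only: translated and sent to the Internet
    forward  - matched by neither ACL: leaves with its private source and gets no usable Internet access
    conflict - permitted by both: NAT rewrites the source before IPsec sees the packet, so it no longer
               matches the security ACL and is sent in clear instead of through the tunnel
    """
    nat = first_match(acls[nat_acl], src_ip, dst_ip) == "permit"
    ipsec = first_match(acls[ipsec_acl], src_ip, dst_ip) == "permit"
    if nat and ipsec:
        return "conflict"
    return "ipsec" if ipsec else "nat" if nat else "forward"


if __name__ == "__main__":
    acls = parse_acls(ROUTER_A_ACLS)
    # Constructed sample flows; 203.0.113.10 stands in for an Internet host.
    for src, dst in [("10.10.10.5", "10.10.200.7"), ("10.10.10.5", "203.0.113.10"),
                     ("10.10.20.5", "10.10.200.7"), ("10.10.20.5", "203.0.113.10")]:
        print(f"{src} -> {dst}: {classify_egress(acls, src, dst)}")
```

RouterC's ACLs are the mirror image (source 10.10.200.0/24, destinations 10.10.10.0/24 and 10.10.20.0/24), so the same parser and classifier apply to its configuration file unchanged.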

2.4 Example for Configuring the Egress of a Large-Sized Campus (Firewalls Are Connected to Core Switches in In-line Mode)

Networking Requirements
As shown in Figure 2-6, at the egress of a large-sized campus, core switches are
directly connected to firewalls and connected to egress gateways through the
firewalls. The firewalls filter incoming and outgoing traffic of the campus to
ensure network security. The network requirements are as follows:
● Users on the internal network use private IP addresses and user IP addresses
are allocated using DHCP.
● Users in department A can access the Internet, and users in department B
cannot access the Internet.
● Users on internal and external networks can access the HTTP server.
● Each node uses the redundancy design to ensure network reliability.


Figure 2-6 Configuring the egress of a large-sized campus (firewalls are connected to core switches in in-line mode)
[Figure: two access points toward the Internet; Router1 and Router2 (GE0/0/2 uplink, GE0/0/1 downlink) connect to FW1 and FW2 (GE1/0/1 uplink, GE1/0/7 heartbeat link between the firewalls, GE2/0/3 and GE2/0/4 bundled as Eth-Trunk 10 and Eth-Trunk 20); the firewalls connect to the CSS formed by Switch1 (master) and Switch2 (standby), to which the HTTP server is attached. Routers, firewalls and the CSS are in OSPF area 0. Eth-Trunk 100 leads to AGG1 (Switch3 master, Switch4 standby) serving Department A in OSPF area 1; Eth-Trunk 200 leads to AGG2 (Switch5 master, Switch6 standby) serving Department B in OSPF area 2.]


Device Selection
This example applies to the following products and versions. If other products or
versions are used, the configurations may vary. For details, see a related
configuration manual.

Device Type        | Device Model             | Device Version
Access router      | AR3600 series routers    | V200R007C00
Firewall           | USG9500 series firewalls | V500R001C20
Core switches      | S12700 series switches   | V200R008C00
Aggregation switch | S5720-EI series switches | V200R008C00

Deployment Overview
● Routing deployment
– Configure a loopback interface address as the router ID on each device.
– Add egress routers, firewalls, and core switches to OSPF area 0. Configure
egress routers as Autonomous System Border Routers (ASBRs) and core
switches as Area Border Routers (ABRs).
– Configure Open Shortest Path First (OSPF) areas 1 and 2 for departments
A and B, respectively, and configure the two OSPF areas as Not-So-
Stubby Areas (NSSAs) to reduce the number of LSAs transmitted between
OSPF areas.
– To guide uplink traffic on each device, configure a default route pointing
to the firewall on the core switch, configure a default route pointing to
the egress router on the firewall, and configure a default route pointing
to the address of the interconnected interface (public gateway address)
of the carrier's device.
● Reliability deployment
You are advised to use CSS+iStack+Eth-Trunk to build a loop-free
Ethernet.
– Deploy cluster switch system (CSS) on core switches and intelligent Stack
(iStack) on aggregation switches to ensure device-level reliability.
– To improve link reliability, use Eth-Trunks between core switches and
firewalls, between core switches and aggregation switches, and between
aggregation switches and access switches.
– Deploy the Huawei Redundancy Protocol (HRP) on firewalls to
implement load balancing.
● Dynamic Host Configuration Protocol (DHCP) deployment
– Configure the core switch as the DHCP server to allocate IP addresses to
users.
– Configure the DHCP relay function on the aggregation switch to ensure
that the DHCP server can allocate IP addresses to users.
● Network Address Translation (NAT) deployment

– To ensure that users on the internal network can access the Internet,
configure NAT on uplink interfaces of the two egress routers to translate
private addresses into public addresses. Configure an access control list
(ACL) to match the source IP address of department A so that users of
department A can access the Internet and users of department B cannot
access the Internet.
– To ensure that users on the external network can access the HTTP server,
configure the NAT server on two egress routers.
● Security deployment
Configure security policies on firewalls to filter traffic and ensure network
security.

Data Plan
Device      | Interface Number   | Member Interface      | VLANIF Interface Number | IP Address      | Remote Device | Remote Interface
Router1     | GE0/0/1            | -                     | -                       | 10.1.1.1/24     | FW1           | GE1/0/1
Router1     | GE0/0/2            | -                     | -                       | 202.10.1.1/24   | Assume that the interface is connected to an interface of a carrier's device and the IP address is a public one allocated by the carrier.
Router2     | GE0/0/1            | -                     | -                       | 10.2.1.1/24     | FW2           | GE1/0/1
Router2     | GE0/0/2            | -                     | -                       | 202.10.2.1/24   | Assume that the interface is connected to an interface of a carrier's device and the IP address is a public one allocated by the carrier.
FW1         | GE1/0/1            | -                     | -                       | 10.1.1.2/24     | Router1       | GE0/0/1
FW1         | GE1/0/7            | -                     | -                       | 10.10.1.1/24    | FW2           | GE1/0/7
FW1         | Eth-Trunk 10       | GE2/0/3, GE2/0/4      | -                       | 10.3.1.1/24     | CSS           | Eth-Trunk 10
FW2         | GE1/0/1            | -                     | -                       | 10.2.1.2/24     | Router2       | GE0/0/1
FW2         | GE1/0/7            | -                     | -                       | 10.10.1.2/24    | FW1           | GE1/0/7
FW2         | Eth-Trunk 20       | GE2/0/3, GE2/0/4      | -                       | 10.4.1.1/24     | CSS           | Eth-Trunk 20
CSS         | GE1/1/0/10         | -                     | VLANIF 300              | 10.100.1.1/24   | HTTP server   | Ethernet interface
CSS         | Eth-Trunk 10       | GE1/1/0/3, GE2/1/0/3  | -                       | 10.3.1.2/24     | FW1           | Eth-Trunk 10
CSS         | Eth-Trunk 20       | GE1/1/0/4, GE2/1/0/4  | -                       | 10.4.1.2/24     | FW2           | Eth-Trunk 20
CSS         | Eth-Trunk 100      | GE1/2/0/3, GE2/2/0/3  | VLANIF 100              | 10.5.1.1/24     | AGG1          | Eth-Trunk 100
CSS         | Eth-Trunk 200      | GE1/2/0/4, GE2/2/0/4  | VLANIF 200              | 10.6.1.1/24     | AGG2          | Eth-Trunk 200
AGG1        | Eth-Trunk 100      | GE1/0/1, GE2/0/1      | VLANIF 100              | 10.5.1.2/24     | CSS           | Eth-Trunk 100
AGG1        | Eth-Trunk 500      | GE1/0/5, GE2/0/5      | VLANIF 500              | 192.168.1.1/24  | Assume that the interface is used to connect to department A and its IP address is the gateway address of department A.
AGG2        | Eth-Trunk 200      | GE1/0/1, GE2/0/1      | VLANIF 200              | 10.6.1.2/24     | CSS           | Eth-Trunk 200
AGG2        | Eth-Trunk 600      | GE1/0/5, GE2/0/5      | VLANIF 600              | 192.168.2.1/24  | Assume that the interface is used to connect to department B and its IP address is the gateway address of department B.
HTTP server | Ethernet interface | -                     | -                       | 10.100.1.10/24  | CSS           | GE1/1/0/10
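Before the addresses in this data plan are configured on seven devices, the plan itself can be checked for the mistakes that are hardest to find afterwards: the two ends of a link placed in different subnets, an address assigned twice, or two segments sharing one subnet. The Python script below, an added example that is not part of the original document, encodes the links and edge interfaces from the table above (device and interface names as given there) and runs those checks.

```python
"""Consistency checks for the data plan of this example before it is configured on the devices."""
import ipaddress
from collections import Counter
from typing import List, Tuple

End = Tuple[str, str, str]  # (device, interface, address/prefix length)

# Point-to-point links from the data plan table, both ends as (device, interface, address).
LINKS: List[Tuple[End, End]] = [
    (("Router1", "GE0/0/1", "10.1.1.1/24"), ("FW1", "GE1/0/1", "10.1.1.2/24")),
    (("Router2", "GE0/0/1", "10.2.1.1/24"), ("FW2", "GE1/0/1", "10.2.1.2/24")),
    (("FW1", "GE1/0/7", "10.10.1.1/24"), ("FW2", "GE1/0/7", "10.10.1.2/24")),  # HRP heartbeat link
    (("FW1", "Eth-Trunk 10", "10.3.1.1/24"), ("CSS", "Eth-Trunk 10", "10.3.1.2/24")),
    (("FW2", "Eth-Trunk 20", "10.4.1.1/24"), ("CSS", "Eth-Trunk 20", "10.4.1.2/24")),
    (("CSS", "VLANIF 100", "10.5.1.1/24"), ("AGG1", "VLANIF 100", "10.5.1.2/24")),
    (("CSS", "VLANIF 200", "10.6.1.1/24"), ("AGG2", "VLANIF 200", "10.6.1.2/24")),
    (("CSS", "VLANIF 300", "10.100.1.1/24"), ("HTTP server", "Ethernet", "10.100.1.10/24")),
]
# Interfaces whose peer (carrier device or department hosts) lies outside the plan.
EDGES: List[End] = [
    ("Router1", "GE0/0/2", "202.10.1.1/24"),
    ("Router2", "GE0/0/2", "202.10.2.1/24"),
    ("AGG1", "VLANIF 500", "192.168.1.1/24"),
    ("AGG2", "VLANIF 600", "192.168.2.1/24"),
]


def check_link(a: End, b: End) -> List[str]:
    """Both ends must share one subnet and use distinct, usable host addresses."""
    problems: List[str] = []
    ia, ib = ipaddress.ip_interface(a[2]), ipaddress.ip_interface(b[2])
    label = f"{a[0]} {a[1]} <-> {b[0]} {b[1]}"
    if ia.network != ib.network:
        problems.append(f"{label}: ends are in different subnets ({ia.network} vs {ib.network})")
    if ia.ip == ib.ip:
        problems.append(f"{label}: both ends use {ia.ip}")
    for device, interface, iface in ((a[0], a[1], ia), (b[0], b[1], ib)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{device} {interface}: {iface.ip} is the network or broadcast address")
    return problems


def check_plan(links: List[Tuple[End, End]], edges: List[End]) -> List[str]:
    """Per-link checks, then plan-wide checks: no address used twice, no subnet shared by two segments."""
    problems: List[str] = []
    for a, b in links:
        problems += check_link(a, b)
    ends = [end for link in links for end in link] + list(edges)
    usage = Counter(ipaddress.ip_interface(end[2]).ip for end in ends)
    problems += [f"address {ip} is assigned {n} times" for ip, n in usage.items() if n > 1]
    # Every link and every edge interface is its own Layer 3 segment and needs a subnet of its own.
    segments = [ipaddress.ip_interface(a[2]).network for a, _ in links]
    segments += [ipaddress.ip_interface(edge[2]).network for edge in edges]
    for i, first in enumerate(segments):
        for second in segments[i + 1:]:
            if first.overlaps(second):
                problems.append(f"subnet {first} overlaps {second}")
    return problems


if __name__ == "__main__":
    issues = check_plan(LINKS, EDGES)
    print("data plan is consistent" if not issues else "\n".join(issues))
```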

Configuration Roadmap
The configuration roadmap is as follows:
Step | Configuration Roadmap | Involved Product
1 | (1) Configure CSS on core switches. (2) Configure iStack on aggregation switches. | Core switches (Switch1 and Switch2) and aggregation switches (Switch3, Switch4, Switch5, and Switch6)
2 | Configure Eth-Trunks to improve the link reliability. (1) Configure Eth-Trunks between core switches (CSS) and firewalls. (2) Configure Eth-Trunks between core switches (CSS) and aggregation switches (AGG). (3) Configure Eth-Trunks between aggregation switches and access switches. | Core switches (CSS), firewalls (FW1 and FW2), and aggregation switches (AGG1 and AGG2)
3 | Assign an IP address to each interface. (1) Configure IP addresses for uplink and downlink interfaces of routers. (2) Configure IP addresses for uplink and downlink interfaces of firewalls. (3) Configure IP addresses for uplink and downlink interfaces of core switches. (4) Configure IP addresses for uplink and downlink interfaces of aggregation switches. | Routers (Router1 and Router2), firewalls (FW1 and FW2), core switches (CSS), and aggregation switches (AGG1 and AGG2)
4 | Configure a routing protocol. Configure OSPF on the internal network. (1) Configure OSPF area 0 on uplink interfaces of routers, firewalls, and core switches. (2) Configure OSPF areas 1 and 2 on core and aggregation switches, configure the two OSPF areas as NSSAs, and add downlink interfaces of core switches to NSSAs. (3) Configure a default route pointing to the firewall on the core switch, configure a default route pointing to the egress router on the firewall, and configure a default route pointing to the address of the interconnected interface (public gateway address) of the carrier's device. | Routers (Router1 and Router2), firewalls (FW1 and FW2), and core switches (CSS)
5 | Configure zones that interfaces belong to. (1) Add the interface connected to the external network to the untrusted zone. (2) Add the interface connected to the internal network to the trusted zone. (3) Add the heartbeat interface enabled with HRP to the DMZ. | Firewalls (FW1 and FW2)
6 | Configure HRP. (1) Associate VRRP Group Management Protocol (VGMP) groups with uplink and downlink interfaces. (2) Specify heartbeat interfaces and enable HRP. (3) Enable quick session backup to implement load balancing between two firewalls. | Firewalls (FW1 and FW2)
7 | Configure DHCP. (1) Configure the DHCP server on core switches and specify the address pool and gateway address. (2) Configure the DHCP relay function on aggregation switches. | Core switches (CSS) and aggregation switches (AGG1 and AGG2)
8 | Configure NAT. (1) Configure NAT on two egress routers so that users of department A can access the Internet and users of department B cannot access the Internet. (2) Configure the NAT server on two egress routers so that users on the external network can access the HTTP server. | Egress routers (Router1 and Router2)
9 | Configure attack defense and enable defense against SYN Flood attacks and HTTP Flood attacks on firewalls to protect internal servers against attacks. | Firewalls

Procedure
Step 1 Configure CSS on core switches.
1. Connect cables of CSS cards. CSS card EH1D2VS08000 is used as an example.

Figure 2-7 CSS cabling


– One CSS card can only be connected to one CSS card in the other chassis but not
the local chassis.
– An interface in group 1 of a CSS card can be connected to any interface in group 1
of the CSS card on the other chassis. The requirements for interfaces in group 2 are
the same.
– CSS cards have the same number of cluster cables connected. (If the CSS cards
have different numbers of cluster cables connected, the total cluster bandwidth is
limited to the cluster with the least cluster cables connected.) In addition,
interfaces on CSS cards are connected sequentially based on the interface number.
2. Configure the CSS function on Switch1 and use CSS card connection (the
default value does not need to be configured). Use the default CSS ID 1 (the
default value does not need to be configured) and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] set css mode css-card //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css id 1 //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css priority 100 //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the standby switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.

3. Configure the CSS function on Switch2. Use CSS card connection (the default
value does not need to be configured). Set the CSS ID to 2 and use default
CSS priority 1 (the default value does not need to be configured).
<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-Card. Reboot now? [Y/N]:Y //Restart the switch.

4. Check the CSS status after the switches restart.
– The MASTER indicator on the MPU is steady green, as shown in Figure 2-8.
– On Switch1, the CSS ID indicators numbered 1 on both MPUs are steady
green. On Switch2, the CSS ID indicators numbered 2 on both MPUs are
steady green.
– The LINK/ALM indicators of interfaces on all CSS cards connected to
cluster cables are steady green.
– The MASTER indicators on all CSS cards in the active chassis are steady
green, and the MASTER indicators on all CSS cards in the standby chassis
are off.


Figure 2-8 Indicators of the MPU and CSS card

After the CSS is established, subsequent operations will be performed on the master
switch and data will be automatically synchronized to the standby switch. In a CSS,
the physical interface number is in the format of interface type chassis ID/slot ID/
interface card ID/interface sequence number, for example, 10GE1/1/0/9.

Step 2 Configure iStack on aggregation switches. S5720-EI series switches are used as an
example. Service interface stacking is used.

Switch3 and Switch4 are used as an example. The configurations of Switch5 and Switch6
are similar, and are not mentioned here.
Connect cables after the iStack configuration is complete.
1. Configure logical stack interfaces and add physical member interfaces to
them.

Physical member interfaces of logical stack interface stack-port n/1 on one switch can
only be connected to the interfaces of stack-port n/2 on a neighboring switch.

# Configure service interface GE0/0/28 on Switch3 as the physical member interface and add it to the corresponding logical stack interface.
[Switch3] interface stack-port 0/1
[Switch3-stack-port0/1] port interface gigabitethernet 0/0/28 enable
Warning: Enabling stack function may cause configuration loss on the interface, continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment.......
[Switch3-stack-port0/1] quit

# Configure service interface GE0/0/28 on Switch4 as the physical member interface and add it to the corresponding logical stack interface.
[Switch4] interface stack-port 0/2
[Switch4-stack-port0/2] port interface gigabitethernet 0/0/28 enable
Warning: Enabling stack function may cause configuration loss on the interface, continue?[Y/N]:Y
Info: This operation may take a few seconds. Please wait for a moment.......
[Switch4-stack-port0/2] quit

2. Configure stack IDs and stack priorities.
# Set the stack priority of Switch3 to 200.
[Switch3] stack slot 0 priority 200
Warning: Please do not frequently modify Priority, it will make the stack split, continue?[Y/N]:Y

# Set the stack ID of Switch3 to 1.
[Switch3] stack slot 0 renumber 1
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified. Please do not frequently modify slot ID, it will make the stack split. Continue?[Y/N]:Y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.

# Set the stack ID of Switch4 to 2.
[Switch4] stack slot 0 renumber 2
Warning: All the configurations related to the slot ID will be lost after the slot ID is modified. Please do not frequently modify slot ID, it will make the stack split. Continue?[Y/N]:Y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration effective.

3. Power off Switch3 and Switch4 and connect GE0/0/28 interfaces using the SFP+ stack cable.

Run the save command to save the configurations before you power off the switches.
Stack-port 0/1 of one switch must be connected to stack-port 0/2 of another switch.
Otherwise, the stack cannot be set up.

Figure 2-9 Stack networking (GE0/0/28 on Switch3 connected to GE0/0/28 on Switch4 over the iStack link)

4. Power on the switches.
To specify a member switch as the master switch, power on this switch first.
For example, if Switch3 needs to be used as the master switch, power on
Switch3 and then Switch4.
5. Check whether the stack is set up successfully.
[Switch3] display stack
Stack topology type: Link
Stack system MAC: 0018-82b1-6eb4
MAC switch delay time: 2 min
Stack reserved vlan: 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type
-------------------------------------------------------------
1 Master 0018-82b1-6eb4 200 S5720-36C-EI-AC
2 Standby 0018-82b1-6eba 150 S5720-36C-EI-AC

The output lists a master switch and a standby switch, which means that the stack is set up successfully.
Step 3 Configure inter-chassis Eth-Trunks between the CSS and firewalls and between the
CSS and aggregation switches.
1. On firewalls, configure Eth-Trunks between the CSS and firewalls.
# On FW1, create Eth-Trunk 10 to connect to the CSS and add member
interfaces to Eth-Trunk 10.
[FW1] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to the CSS.
[FW1-Eth-Trunk10] quit
[FW1] interface gigabitethernet 2/0/3
[FW1-GigabitEthernet2/0/3] eth-trunk 10
[FW1-GigabitEthernet2/0/3] quit
[FW1] interface gigabitethernet 2/0/4
[FW1-GigabitEthernet2/0/4] eth-trunk 10
[FW1-GigabitEthernet2/0/4] quit

# On FW2, create Eth-Trunk 20 to connect to the CSS and add member interfaces to Eth-Trunk 20.
[FW2] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to the CSS.
[FW2-Eth-Trunk20] quit
[FW2] interface gigabitethernet 2/0/3
[FW2-GigabitEthernet2/0/3] eth-trunk 20
[FW2-GigabitEthernet2/0/3] quit
[FW2] interface gigabitethernet 2/0/4
[FW2-GigabitEthernet2/0/4] eth-trunk 20
[FW2-GigabitEthernet2/0/4] quit
2. In the CSS, configure inter-chassis Eth-Trunks between the CSS and firewalls
and between the CSS and aggregation switches.
# In the CSS, create Eth-Trunk 10 to connect to FW1 and add member
interfaces to Eth-Trunk 10.
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 to connect to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 10
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 10
[CSS-GigabitEthernet2/1/0/3] quit

# In the CSS, create Eth-Trunk 20 to connect to FW2 and add member interfaces to Eth-Trunk 20.
[CSS] interface eth-trunk 20 //Create Eth-Trunk 20 to connect to FW2.
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 20
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 20
[CSS-GigabitEthernet2/1/0/4] quit

# In the CSS, create Eth-Trunk 100 to connect to AGG1 and add member
interfaces to Eth-Trunk 100.
[CSS] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to AGG1.
[CSS-Eth-Trunk100] quit
[CSS] interface gigabitethernet 1/2/0/3
[CSS-GigabitEthernet1/2/0/3] eth-trunk 100
[CSS-GigabitEthernet1/2/0/3] quit
[CSS] interface gigabitethernet 2/2/0/3
[CSS-GigabitEthernet2/2/0/3] eth-trunk 100
[CSS-GigabitEthernet2/2/0/3] quit

# In the CSS, create Eth-Trunk 200 to connect to AGG2 and add member
interfaces to Eth-Trunk 200.
[CSS] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to AGG2.
[CSS-Eth-Trunk200] quit
[CSS] interface gigabitethernet 1/2/0/4
[CSS-GigabitEthernet1/2/0/4] eth-trunk 200
[CSS-GigabitEthernet1/2/0/4] quit
[CSS] interface gigabitethernet 2/2/0/4
[CSS-GigabitEthernet2/2/0/4] eth-trunk 200
[CSS-GigabitEthernet2/2/0/4] quit
3. On aggregation switches, configure Eth-Trunks between the AGG and CSS and
between aggregation switches and access switches.
# Configure AGG1.
[AGG1] interface eth-trunk 100 //Create Eth-Trunk 100 to connect to the CSS.
[AGG1-Eth-Trunk100] quit
[AGG1] interface gigabitethernet 1/0/1
[AGG1-GigabitEthernet1/0/1] eth-trunk 100
[AGG1-GigabitEthernet1/0/1] quit
[AGG1] interface gigabitethernet 2/0/1
[AGG1-GigabitEthernet2/0/1] eth-trunk 100
[AGG1-GigabitEthernet2/0/1] quit
[AGG1] interface eth-trunk 500 //Create Eth-Trunk 500 to connect to the access switch.
[AGG1-Eth-Trunk500] quit
[AGG1] interface gigabitethernet 1/0/5
[AGG1-GigabitEthernet1/0/5] eth-trunk 500
[AGG1-GigabitEthernet1/0/5] quit
[AGG1] interface gigabitethernet 2/0/5
[AGG1-GigabitEthernet2/0/5] eth-trunk 500
[AGG1-GigabitEthernet2/0/5] quit

# Configure AGG2.
[AGG2] interface eth-trunk 200 //Create Eth-Trunk 200 to connect to the CSS.
[AGG2-Eth-Trunk200] quit
[AGG2] interface gigabitethernet 1/0/1
[AGG2-GigabitEthernet1/0/1] eth-trunk 200
[AGG2-GigabitEthernet1/0/1] quit
[AGG2] interface gigabitethernet 2/0/1
[AGG2-GigabitEthernet2/0/1] eth-trunk 200
[AGG2-GigabitEthernet2/0/1] quit
[AGG2] interface eth-trunk 600 //Create Eth-Trunk 600 to connect to the access switch.
[AGG2-Eth-Trunk600] quit
[AGG2] interface gigabitethernet 1/0/5
[AGG2-GigabitEthernet1/0/5] eth-trunk 600
[AGG2-GigabitEthernet1/0/5] quit
[AGG2] interface gigabitethernet 2/0/5
[AGG2-GigabitEthernet2/0/5] eth-trunk 600
[AGG2-GigabitEthernet2/0/5] quit

Step 4 Assign an IP address to each interface.
# Configure Router1.
[Router1] interface loopback 0
[Router1-LoopBack0] ip address 1.1.1.1 32 //Configure the IP address as the router ID.
[Router1-LoopBack0] quit
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] ip address 202.10.1.1 24 //Configure an IP address for the interface connected to the external network.
[Router1-GigabitEthernet0/0/2] quit
[Router1] interface gigabitethernet 0/0/1
[Router1-GigabitEthernet0/0/1] ip address 10.1.1.1 24 //Configure an IP address for the interface connected to FW1.
[Router1-GigabitEthernet0/0/1] quit

# Configure Router2.
[Router2] interface loopback 0
[Router2-LoopBack0] ip address 2.2.2.2 32 //Configure the IP address as the router ID.
[Router2-LoopBack0] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] ip address 202.10.2.1 24 //Configure an IP address for the interface connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/1
[Router2-GigabitEthernet0/0/1] ip address 10.2.1.1 24 //Configure an IP address for the interface connected to FW2.
[Router2-GigabitEthernet0/0/1] quit

# Configure FW1.
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 3.3.3.3 32 //Configure the IP address as the router ID.
[FW1-LoopBack0] quit
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 10.1.1.2 24 //Configure an IP address for the interface connected to Router1.
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/7
[FW1-GigabitEthernet1/0/7] ip address 10.10.1.1 24 //Configure an IP address for the heartbeat interface enabled with HSB.
[FW1-GigabitEthernet1/0/7] quit
[FW1] interface eth-trunk 10
[FW1-Eth-Trunk10] ip address 10.3.1.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk10] quit

# Configure FW2.
[FW2] interface loopback 0
[FW2-LoopBack0] ip address 4.4.4.4 32 //Configure the IP address as the router ID.
[FW2-LoopBack0] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 10.2.1.2 24 //Configure an IP address for the interface connected to Router2.
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/7
[FW2-GigabitEthernet1/0/7] ip address 10.10.1.2 24 //Configure an IP address for the heartbeat interface enabled with HSB.
[FW2-GigabitEthernet1/0/7] quit
[FW2] interface eth-trunk 20
[FW2-Eth-Trunk20] ip address 10.4.1.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW2-Eth-Trunk20] quit

# Configure CSS.
[CSS] interface loopback 0
[CSS-LoopBack0] ip address 5.5.5.5 32 //Configure the IP address as the router ID.
[CSS-LoopBack0] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] undo portswitch //By default, an Eth-Trunk works in Layer 2 mode. To use an Eth-Trunk as a Layer 3 interface, run the undo portswitch command to switch the Eth-Trunk to Layer 3 mode.
[CSS-Eth-Trunk10] ip address 10.3.1.2 24 //Configure an IP address for the Eth-Trunk connected to FW1.
[CSS-Eth-Trunk10] quit
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] undo portswitch //By default, an Eth-Trunk works in Layer 2 mode. To use an Eth-Trunk as a Layer 3 interface, run the undo portswitch command to switch the Eth-Trunk to Layer 3 mode.
[CSS-Eth-Trunk20] ip address 10.4.1.2 24 //Configure an IP address for the Eth-Trunk connected to FW2.
[CSS-Eth-Trunk20] quit
[CSS] vlan batch 100 200 300 //Create VLANs in a batch.
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] port link-type hybrid
[CSS-Eth-Trunk100] port hybrid pvid vlan 100
[CSS-Eth-Trunk100] port hybrid untagged vlan 100
[CSS-Eth-Trunk100] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.5.1.1 24 //Configure an IP address for the interface connected to aggregation switch AGG1.
[CSS-Vlanif100] quit
[CSS] interface eth-trunk 200
[CSS-Eth-Trunk200] port link-type hybrid
[CSS-Eth-Trunk200] port hybrid pvid vlan 200
[CSS-Eth-Trunk200] port hybrid untagged vlan 200
[CSS-Eth-Trunk200] quit
[CSS] interface vlanif 200
[CSS-Vlanif200] ip address 10.6.1.1 24 //Configure an IP address for the interface connected to aggregation switch AGG2.
[CSS-Vlanif200] quit
[CSS] interface gigabitethernet 1/1/0/10 //Enter the view of the interface connected to the HTTP server.
[CSS-GigabitEthernet1/1/0/10] port link-type access
[CSS-GigabitEthernet1/1/0/10] port default vlan 300 //Add the access interface to VLAN 300.
[CSS-GigabitEthernet1/1/0/10] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.100.1.1 24 //Configure an IP address for the interface connected to the HTTP server.
[CSS-Vlanif300] quit

# Configure AGG1.
[AGG1] interface loopback 0
[AGG1-LoopBack0] ip address 6.6.6.6 32 //Configure the IP address as the router ID.
[AGG1-LoopBack0] quit
[AGG1] vlan batch 100 500
[AGG1] interface eth-trunk 100
[AGG1-Eth-Trunk100] port link-type hybrid
[AGG1-Eth-Trunk100] port hybrid pvid vlan 100
[AGG1-Eth-Trunk100] port hybrid untagged vlan 100
[AGG1-Eth-Trunk100] quit
[AGG1] interface vlanif 100
[AGG1-Vlanif100] ip address 10.5.1.2 24 //Configure an IP address for the interface connected to the CSS.
[AGG1-Vlanif100] quit
[AGG1] interface eth-trunk 500
[AGG1-Eth-Trunk500] port link-type hybrid
[AGG1-Eth-Trunk500] port hybrid pvid vlan 500
[AGG1-Eth-Trunk500] port hybrid untagged vlan 500
[AGG1-Eth-Trunk500] quit
[AGG1] interface vlanif 500
[AGG1-Vlanif500] ip address 192.168.1.1 24 //Configure an IP address for the interface connected to the
access switch and configure it as the gateway address of department A.
[AGG1-Vlanif500] quit

# Configure AGG2.
[AGG2] interface loopback 0
[AGG2-LoopBack0] ip address 7.7.7.7 32 //Configure the IP address as the router ID.
[AGG2-LoopBack0] quit
[AGG2] vlan batch 200 600
[AGG2] interface eth-trunk 200
[AGG2-Eth-Trunk200] port link-type hybrid
[AGG2-Eth-Trunk200] port hybrid pvid vlan 200
[AGG2-Eth-Trunk200] port hybrid untagged vlan 200
[AGG2-Eth-Trunk200] quit
[AGG2] interface vlanif 200
[AGG2-Vlanif200] ip address 10.6.1.2 24 //Configure an IP address for the interface connected to the CSS.
[AGG2-Vlanif200] quit
[AGG2] interface eth-trunk 600
[AGG2-Eth-Trunk600] port link-type hybrid
[AGG2-Eth-Trunk600] port hybrid pvid vlan 600
[AGG2-Eth-Trunk600] port hybrid untagged vlan 600
[AGG2-Eth-Trunk600] quit
[AGG2] interface vlanif 600
[AGG2-Vlanif600] ip address 192.168.2.1 24 //Configure an IP address for the interface connected to the
access switch and configure it as the gateway address of department B.
[AGG2-Vlanif600] quit

Step 5 On the firewalls, add interfaces to security zones and configure security policies.

# Add interfaces to zones.


[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 10 //Add Eth-Trunk 10 connected to the internal network to a
trusted zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the external
network to an untrusted zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW1-zone-dmz] quit
[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 20 //Add Eth-Trunk 20 connected to the internal network to a trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface gigabitethernet 1/0/1 //Add GE1/0/1 connected to the external
network to an untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface gigabitethernet 1/0/7 //Add GE1/0/7 to the DMZ.
[FW2-zone-dmz] quit

# Configure security policies on FW1.


[FW1] policy interzone local untrust inbound
[FW1-policy-interzone-local-untrust-inbound] policy 2
[FW1-policy-interzone-local-untrust-inbound-2] policy source 10.1.1.0 mask 24 //Configure a policy to permit the router in the untrusted zone (10.1.1.0/24) to access the firewall.
[FW1-policy-interzone-local-untrust-inbound-2] action permit
[FW1-policy-interzone-local-untrust-inbound-2] quit
[FW1-policy-interzone-local-untrust-inbound] quit
[FW1] policy interzone local trust outbound
[FW1-policy-interzone-local-trust-outbound] policy 1
[FW1-policy-interzone-local-trust-outbound-1] policy source 10.3.1.0 mask 24 //Configure a policy to permit the CSS interface connected to FW1 (10.3.1.0/24) to access the firewall.
[FW1-policy-interzone-local-trust-outbound-1] policy source 10.5.1.0 mask 24 //Permit the CSS-AGG1 interconnection segment to access the firewall.
[FW1-policy-interzone-local-trust-outbound-1] policy source 192.168.1.0 mask 24 //Permit the user segment of department A to access the firewall.
[FW1-policy-interzone-local-trust-outbound-1] action permit
[FW1-policy-interzone-local-trust-outbound-1] quit
[FW1-policy-interzone-local-trust-outbound] quit
[FW1] policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound] policy 4
[FW1-policy-interzone-trust-untrust-outbound-4] policy source 192.168.1.0 mask 24 //Allow devices on network segment 192.168.1.0/24 (department A) to access the external network.
[FW1-policy-interzone-trust-untrust-outbound-4] action permit
[FW1-policy-interzone-trust-untrust-outbound-4] quit
[FW1-policy-interzone-trust-untrust-outbound] quit
[FW1] policy interzone trust untrust inbound
[FW1-policy-interzone-trust-untrust-inbound] policy 3
[FW1-policy-interzone-trust-untrust-inbound-3] policy source 10.1.1.0 mask 24 //Allow the device at 10.1.1.1 (Router1) to access the internal network.
[FW1-policy-interzone-trust-untrust-inbound-3] action permit
[FW1-policy-interzone-trust-untrust-inbound-3] quit
[FW1-policy-interzone-trust-untrust-inbound] quit

# Configure security policies on FW2.


[FW2] policy interzone local untrust inbound
[FW2-policy-interzone-local-untrust-inbound] policy 2
[FW2-policy-interzone-local-untrust-inbound-2] policy source 10.2.1.0 mask 24 //Configure a policy to permit the router in the untrusted zone (10.2.1.0/24) to access the firewall.
[FW2-policy-interzone-local-untrust-inbound-2] action permit
[FW2-policy-interzone-local-untrust-inbound-2] quit
[FW2-policy-interzone-local-untrust-inbound] quit
[FW2] policy interzone local trust outbound
[FW2-policy-interzone-local-trust-outbound] policy 1
[FW2-policy-interzone-local-trust-outbound-1] policy source 10.4.1.0 mask 24 //Configure a policy to permit the CSS interface connected to FW2 (10.4.1.0/24) to access the firewall.
[FW2-policy-interzone-local-trust-outbound-1] policy source 10.6.1.0 mask 24 //Permit the CSS-AGG2 interconnection segment to access the firewall.
[FW2-policy-interzone-local-trust-outbound-1] policy source 192.168.2.0 mask 24 //Permit the user segment of department B to access the firewall.
[FW2-policy-interzone-local-trust-outbound-1] action permit
[FW2-policy-interzone-local-trust-outbound-1] quit
[FW2-policy-interzone-local-trust-outbound] quit
[FW2] policy interzone trust untrust inbound
[FW2-policy-interzone-trust-untrust-inbound] policy 3
[FW2-policy-interzone-trust-untrust-inbound-3] policy source 10.2.1.0 mask 24 //Allow the device at 10.2.1.1 (Router2) to access the internal network.
[FW2-policy-interzone-trust-untrust-inbound-3] action permit
[FW2-policy-interzone-trust-untrust-inbound-3] quit
[FW2-policy-interzone-trust-untrust-inbound] quit
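The two firewalls run as an active/active pair behind an equal-cost default route on the CSS, so a session from department A may traverse either FW1 or FW2, and a policy that exists on only one of them gives path-dependent results: the configuration files at the end of this example show the trust-untrust outbound permit (policy 4) on FW1 only, and traffic that hashes to a firewall without a matching permit falls to the interzone default action (deny). The Python script below is an added example, not part of the original configuration example or of any Huawei tool. It parses the policy interzone blocks of both firewalls (the sample input is copied from this page's FW1 and FW2 configuration files, with the device's "#" block terminators), reports policies present on one side only, and lists permit policies that carry no source condition. The function names and the FW1/FW2 labels are this example's own.

```python
import re

# Constructed sample input: the "policy interzone" sections of the FW1 and FW2
# configuration files on this page ("#" ends a block, as in the device output).
FW1_POLICIES = """\
policy interzone local trust outbound
 policy 1
  action permit
  policy source 10.3.1.0 mask 24
  policy source 10.5.1.0 mask 24
  policy source 192.168.1.0 mask 24
#
policy interzone local untrust inbound
 policy 2
  action permit
  policy source 10.1.1.0 mask 24
#
policy interzone trust untrust inbound
 policy 3
  action permit
  policy source 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
 policy 4
  action permit
  policy source 192.168.1.0 mask 24
#
"""
FW2_POLICIES = """\
policy interzone local trust outbound
 policy 1
  action permit
  policy source 10.4.1.0 mask 24
  policy source 10.6.1.0 mask 24
  policy source 192.168.2.0 mask 24
#
policy interzone local untrust inbound
 policy 2
  action permit
  policy source 10.2.1.0 mask 24
#
policy interzone trust untrust inbound
 policy 3
  action permit
  policy source 10.2.1.0 mask 24
#
"""

INTERZONE_RE = re.compile(r"^policy interzone (\S+) (\S+) (inbound|outbound)$")
POLICY_ID_RE = re.compile(r"^policy (\d+)$")
ACTION_RE = re.compile(r"^action (permit|deny)$")
SOURCE_RE = re.compile(r"^policy source (\S+) mask (\d+)$")


def parse_interzone_policies(config_text):
    """Return {(zone_a, zone_b, direction): {policy_id: {"action": str, "sources": [cidr]}}}.
    An empty source list means the policy has no source condition (it matches any source)."""
    policies, pair, policy = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := INTERZONE_RE.match(line):
            pair = (m[1], m[2], m[3])
            policies.setdefault(pair, {})
            policy = None
        elif m := POLICY_ID_RE.match(line):
            if pair is None:
                raise ValueError(f"policy outside an interzone block: {line!r}")
            policy = policies[pair].setdefault(int(m[1]), {"action": None, "sources": []})
        elif (m := ACTION_RE.match(line)) and policy is not None:
            policy["action"] = m[1]
        elif (m := SOURCE_RE.match(line)) and policy is not None:
            policy["sources"].append(f"{m[1]}/{m[2]}")
        elif line == "#":            # block terminator in the saved configuration
            pair = policy = None
    return policies


def find_asymmetric_policies(policies_a, policies_b, name_a="FW1", name_b="FW2"):
    """Return [(zone_pair, policy_id, side)] for every policy present on one firewall only."""
    gaps = []
    for pair in sorted(set(policies_a) | set(policies_b)):
        ids_a, ids_b = set(policies_a.get(pair, {})), set(policies_b.get(pair, {}))
        gaps += [(pair, pid, name_a) for pid in sorted(ids_a - ids_b)]
        gaps += [(pair, pid, name_b) for pid in sorted(ids_b - ids_a)]
    return gaps


def find_unrestricted_permits(policies):
    """[(zone_pair, policy_id)] for permit policies with no source condition or an any-source one."""
    return [(pair, pid) for pair, entries in sorted(policies.items())
            for pid, e in sorted(entries.items())
            if e["action"] == "permit" and (not e["sources"] or "0.0.0.0/0" in e["sources"])]


if __name__ == "__main__":
    fw1, fw2 = parse_interzone_policies(FW1_POLICIES), parse_interzone_policies(FW2_POLICIES)
    for pair, pid, side in find_asymmetric_policies(fw1, fw2):
        print(f"{side} only: policy interzone {' '.join(pair)} policy {pid}")
    for pair, pid in find_unrestricted_permits(fw1) + find_unrestricted_permits(fw2):
        print(f"unrestricted permit: policy interzone {' '.join(pair)} policy {pid}")
```

Run against the two saved configurations (display current-configuration on each firewall) after HRP has synchronized; the expected output for the files on this page is a single line reporting that the trust-untrust outbound policy 4 exists on FW1 only.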

Step 6 Deploy routing.


1. Configure OSPF area 0 on uplink interfaces of routers, firewalls, and core
switches.

# Configure Router1.
[Router1] router id 1.1.1.1
[Router1] ospf 1 //Configure OSPF.
[Router1-ospf-1] area 0 //Configure a backbone area.
[Router1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to FW1 to the OSPF backbone area.
[Router1-ospf-1-area-0.0.0.0] quit
[Router1-ospf-1] quit

# Configure Router2.
[Router2] router id 2.2.2.2
[Router2] ospf 1 //Configure OSPF.
[Router2-ospf-1] area 0 //Configure a backbone area.
[Router2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to FW2 to the OSPF backbone area.
[Router2-ospf-1-area-0.0.0.0] quit
[Router2-ospf-1] quit

# Configure FW1.
[FW1] router id 3.3.3.3
[FW1] ospf 1 //Configure OSPF.
[FW1-ospf-1] area 0 //Configure a backbone area.
[FW1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to Router1 to the OSPF backbone area.
[FW1-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to the CSS to the OSPF backbone area.
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit

# Configure FW2.
[FW2] router id 4.4.4.4
[FW2] ospf 1 //Configure OSPF.
[FW2-ospf-1] area 0 //Configure a backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 //Configure the device to advertise the network segment connected to Router2 to the OSPF backbone area.
[FW2-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to the CSS to the OSPF backbone area.
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit

# Configure the CSS.


[CSS] router id 5.5.5.5
[CSS] ospf 1 //Configure OSPF.
[CSS-ospf-1] area 0 //Configure a backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to FW1 to the OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to FW2 to the OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] network 10.100.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to the HTTP server to the OSPF backbone area.
[CSS-ospf-1-area-0.0.0.0] quit
[CSS-ospf-1] quit

2. Configure OSPF areas 1 and 2 on the core and aggregation switches, configure the two areas as NSSAs, and add the downlink interfaces of the core switch to the NSSAs.

# Configure the CSS.


[CSS] ospf 1 //Configure OSPF.
[CSS-ospf-1] area 1 //Configure OSPF area 1.
[CSS-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to AGG1 to OSPF area 1.
[CSS-ospf-1-area-0.0.0.1] nssa //Configure OSPF area 1 as an NSSA.

[CSS-ospf-1-area-0.0.0.1] quit
[CSS-ospf-1] area 2 //Configure OSPF area 2.
[CSS-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to AGG2 to OSPF area 2.
[CSS-ospf-1-area-0.0.0.2] nssa //Configure OSPF area 2 as an NSSA.
[CSS-ospf-1-area-0.0.0.2] quit
[CSS-ospf-1] quit

# Configure AGG1.
[AGG1] ospf 1 //Configure OSPF.
[AGG1-ospf-1] area 1 //Configure OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 10.5.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to the CSS to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Configure the device to advertise the
user network segment to OSPF area 1.
[AGG1-ospf-1-area-0.0.0.1] nssa //Configure OSPF area 1 as an NSSA.
[AGG1-ospf-1-area-0.0.0.1] quit
[AGG1-ospf-1] quit

# Configure AGG2.
[AGG2] ospf 1 //Configure OSPF.
[AGG2-ospf-1] area 2 //Configure OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] network 10.6.1.0 0.0.0.255 //Configure the device to advertise the
network segment connected to the CSS to OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255 //Configure the device to advertise the user network segment to OSPF area 2.
[AGG2-ospf-1-area-0.0.0.2] nssa //Configure OSPF area 2 as an NSSA.
[AGG2-ospf-1-area-0.0.0.2] quit
[AGG2-ospf-1] quit

3. Configure default routes: on the core switch, default routes pointing to both firewalls; on each firewall, a default route pointing to its egress router; and on each egress router, a default route pointing to the interconnected interface address (public gateway address) of the carrier's device.
[Router1] ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
[Router2] ip route-static 0.0.0.0 0.0.0.0 202.10.2.2
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
[CSS] ip route-static 0.0.0.0 0.0.0.0 10.4.1.1

4. Verify the configuration.

Check the routing table on an aggregation switch. AGG1 is used as an example. Routes to the internal network segments have been learned, and a single default route (O_NSSA) is generated for traffic leaving the NSSA.
[AGG1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 O_NSSA 150 1 D 10.5.1.1 Vlanif100
6.6.6.6/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.1.1.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100
10.2.1.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100
10.3.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
10.4.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
10.5.1.0/24 Direct 0 0 D 10.5.1.2 Vlanif100
10.5.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.6.1.0/24 OSPF 10 2 D 10.5.1.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif500

Issue 26 (2020-02-07) Copyright © Huawei Technologies Co., Ltd. 139


S2700, S3700, S5700, S6700, S7700, and S9700
Series Switches
Typical Configuration Examples 2 Comprehensive Configuration Examples

192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif500


192.168.2.0/24 OSPF 10 3 D 10.5.1.1 Vlanif100

# Check the routing table on the CSS. Routes to the internal network segments have been learned, and the two default routes to the firewalls have the same preference and cost, so Internet-bound traffic is load-balanced across FW1 and FW2.
[CSS] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 19

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.3.1.1 Eth-Trunk10
Static 60 0 RD 10.4.1.1 Eth-Trunk20
5.5.5.5/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.1.1.0/24 OSPF 10 2 D 10.3.1.1 Eth-Trunk10
10.2.1.0/24 OSPF 10 2 D 10.4.1.1 Eth-Trunk20
10.3.1.0/24 Direct 0 0 D 10.3.1.2 Eth-Trunk10
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Eth-Trunk10
10.4.1.0/24 Direct 0 0 D 10.4.1.2 Eth-Trunk20
10.4.1.2/32 Direct 0 0 D 127.0.0.1 Eth-Trunk20
10.5.1.0/24 Direct 0 0 D 10.5.1.1 Vlanif100
10.5.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.6.1.0/24 Direct 0 0 D 10.6.1.1 Vlanif200
10.6.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
10.100.1.0/24 Direct 0 0 D 10.100.1.1 Vlanif300
10.100.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 OSPF 10 2 D 10.5.1.2 Vlanif100
192.168.2.0/24 OSPF 10 2 D 10.6.1.2 Vlanif200
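A scripted version of the routing check above, added here as an example that is not part of the original page or of any Huawei tool. It parses display ip routing-table output, treating a line without a Destination/Mask column as an additional (equal-cost) next hop of the preceding prefix, and then verifies what the text asks the reader to confirm by eye: the output is complete (header counts match), the default route is load-balanced across exactly the firewalls' trust-side addresses (so no default route bypasses the firewalls), and the user segments are learned via OSPF. The sample input is the CSS table from this page, re-spaced; the function names and the expected next-hop set are this example's assumptions.

```python
import re

# Constructed sample input: the CSS routing table from this page's Step 6
# verification, re-spaced so that it can be embedded here.
CSS_ROUTING_TABLE = """\
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 18       Routes : 19

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.3.1.1        Eth-Trunk10
                    Static  60   0          RD   10.4.1.1        Eth-Trunk20
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.1.1.0/24  OSPF    10   2           D   10.3.1.1        Eth-Trunk10
       10.2.1.0/24  OSPF    10   2           D   10.4.1.1        Eth-Trunk20
       10.3.1.0/24  Direct  0    0           D   10.3.1.2        Eth-Trunk10
       10.3.1.2/32  Direct  0    0           D   127.0.0.1       Eth-Trunk10
       10.4.1.0/24  Direct  0    0           D   10.4.1.2        Eth-Trunk20
       10.4.1.2/32  Direct  0    0           D   127.0.0.1       Eth-Trunk20
       10.5.1.0/24  Direct  0    0           D   10.5.1.1        Vlanif100
       10.5.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
       10.6.1.0/24  Direct  0    0           D   10.6.1.1        Vlanif200
       10.6.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif200
     10.100.1.0/24  Direct  0    0           D   10.100.1.1      Vlanif300
     10.100.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif300
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  OSPF    10   2           D   10.5.1.2        Vlanif100
    192.168.2.0/24  OSPF    10   2           D   10.6.1.2        Vlanif200
"""

COUNT_RE = re.compile(r"Destinations\s*:\s*(\d+)\s+Routes\s*:\s*(\d+)")
# The Destination/Mask column is optional: an ECMP next hop is printed without it.
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\S+/\d+)?\s*(?P<proto>\S+)\s+(?P<pre>\d+)\s+(?P<cost>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<nexthop>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_routing_table(output):
    """Return (routes, declared): routes maps prefix -> [route dict, ...], declared is the
    (Destinations, Routes) pair from the header, or None if the header is missing."""
    routes, declared, last = {}, None, None
    for line in output.splitlines():
        if m := COUNT_RE.search(line):
            declared = (int(m[1]), int(m[2]))
            continue
        if not (m := ROUTE_RE.match(line)):
            continue
        prefix = m["dest"] or last           # continuation line: reuse previous prefix
        if prefix is None:
            raise ValueError(f"next-hop continuation before any prefix: {line!r}")
        routes.setdefault(prefix, []).append({
            "proto": m["proto"], "pre": int(m["pre"]), "cost": int(m["cost"]),
            "flags": m["flags"], "nexthop": m["nexthop"], "iface": m["iface"]})
        last = prefix
    return routes, declared


def next_hops(routes, prefix):
    return sorted(r["nexthop"] for r in routes.get(prefix, []))


def audit_core_routes(routes, declared, firewall_hops, user_prefixes):
    """Findings for the core switch: complete output, default route equal-cost across exactly
    the firewalls' trust-side addresses, user segments learned via OSPF. Empty list = all good."""
    findings = []
    parsed = (len(routes), sum(len(v) for v in routes.values()))
    if declared is not None and declared != parsed:
        findings.append(f"header says {declared} but parsed {parsed}: incomplete output?")
    default = routes.get("0.0.0.0/0", [])
    if set(next_hops(routes, "0.0.0.0/0")) != set(firewall_hops):
        findings.append(f"default next hops {next_hops(routes, '0.0.0.0/0')} != {sorted(firewall_hops)}")
    if len(default) < 2 or len({(r["pre"], r["cost"]) for r in default}) != 1:
        findings.append("default route is not equal-cost across the firewalls")
    for prefix in user_prefixes:
        protos = {r["proto"] for r in routes.get(prefix, [])}
        if protos != {"OSPF"}:
            findings.append(f"user segment {prefix} learned via {sorted(protos) or 'nothing'}")
    return findings


if __name__ == "__main__":
    table, counts = parse_routing_table(CSS_ROUTING_TABLE)
    problems = audit_core_routes(table, counts, {"10.3.1.1", "10.4.1.1"},
                                 ["192.168.1.0/24", "192.168.2.0/24"])
    print("\n".join(problems) or "routing table matches expectations")
```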

Step 7 Configure DHCP in the CSS and AGG.

# Configure the DHCP server in the CSS to allocate IP addresses to users.


[CSS] dhcp enable //Enable DHCP.
[CSS] interface vlanif 100 //Configure the device to allocate IP addresses to department A through
VLANIF 100.
[CSS-Vlanif100] dhcp select global //Configure the device to use the global address pool.
[CSS-Vlanif100] quit
[CSS] interface vlanif 200 //Configure the device to allocate IP addresses to department B through
VLANIF 200.
[CSS-Vlanif200] dhcp select global //Configure the device to use the global address pool.
[CSS-Vlanif200] quit
[CSS] ip pool poola //Configure the address pool poola from which IP addresses are allocated to
department A.
[CSS-ip-pool-poola] network 192.168.1.0 mask 24 //Configure a network segment assigned to
department A.
[CSS-ip-pool-poola] gateway-list 192.168.1.1 //Configure a gateway address for department A.
[CSS-ip-pool-poola] quit
[CSS] ip pool poolb //Configure the address pool poolb from which IP addresses are allocated to
department B.
[CSS-ip-pool-poolb] network 192.168.2.0 mask 24 //Configure a network segment assigned to
department B.
[CSS-ip-pool-poolb] gateway-list 192.168.2.1 //Configure a gateway address for department B.
[CSS-ip-pool-poolb] quit

# Configure the DHCP relay function on AGG1.


[AGG1] dhcp enable //Enable DHCP.
[AGG1] interface vlanif 500
[AGG1-Vlanif500] dhcp select relay //Configure the DHCP relay function.
[AGG1-Vlanif500] dhcp relay server-ip 10.5.1.1 //Specify the DHCP server's IP address.
[AGG1-Vlanif500] quit

# Configure the DHCP relay function on AGG2.

[AGG2] dhcp enable //Enable DHCP.
[AGG2] interface vlanif 600
[AGG2-Vlanif600] dhcp select relay //Configure the DHCP relay function.
[AGG2-Vlanif600] dhcp relay server-ip 10.6.1.1 //Specify the DHCP server's IP address.
[AGG2-Vlanif600] quit

# Verify the configuration.

Configure clients to obtain IP addresses through the DHCP server and check the
address pool in the CSS. You can see that two IP addresses (Used: 2) have been
allocated and there are 503 remaining IP addresses (Idle: 503). That is, IP
addresses are allocated successfully.
[CSS] display ip pool
-----------------------------------------------------------------------
Pool-name : poola
Pool-No :0
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.1
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------
Pool-name : poolb
Pool-No :1
Position : Local Status : Unlocked
Gateway-0 : 192.168.2.1
Mask : 255.255.255.0
VPN instance : --

IP address Statistic
Total :506
Used :2 Idle :503
Expired :0 Conflict :1 Disable :0

Step 8 Configure NAT on egress routers.

Users on the internal network use private IP addresses. To meet the requirements,
perform NAT configurations:
● To allow users of department A to access the Internet, configure NAT on
egress routers to translate private IP addresses into public IP addresses.
● To allow users on the external network to access the HTTP server, configure
the NAT server on egress routers.

Assume that the carrier allocates the following public IP addresses to the enterprise: 202.10.1.2 to 202.10.1.10 and 202.10.2.2 to 202.10.2.10. The addresses 202.10.1.2 and 202.10.2.2 are the carrier-side gateway addresses that Router1 and Router2 use as the next hop of their default routes (the Internet-facing interfaces of Router1 and Router2 are configured with 202.10.1.1 and 202.10.2.1, as shown in the configuration files). The addresses 202.10.1.10 and 202.10.2.10 are used by users on the external network to access the HTTP server. Users on the internal network use the remaining public IP addresses (202.10.1.3 to 202.10.1.9 and 202.10.2.3 to 202.10.2.9) to access the Internet.

# Configure NAT on Router1 to translate the IP addresses of users in department A into public IP addresses so that users in department A can access the Internet.
[Router1] nat address-group 1 202.10.1.3 202.10.1.9 //Configure a NAT address pool, including public IP
addresses allocated by the carrier.
[Router1] acl number 2000
[Router1-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure the address segment (department A) that is allowed to access the external network through NAT.
[Router1-acl-basic-2000] quit
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Configure NAT on the interface connected to the external network.
[Router1-GigabitEthernet0/0/2] quit

# Configure NAT on Router2 to translate the IP addresses of users in department A into public IP addresses.
[Router2] nat address-group 1 202.10.2.3 202.10.2.9 //Configure a NAT address pool, including public IP
addresses allocated by the carrier.
[Router2] acl number 2000
[Router2-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 //Configure an address segment which
can be used to access the external network.
[Router2-acl-basic-2000] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat outbound 2000 address-group 1 //Configure NAT on the interface
connected to the external network.
[Router2-GigabitEthernet0/0/2] quit
# Verify the configuration.
[Router2] display nat outbound
NAT Outbound Information:
-------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
-------------------------------------------------------------------------
GigabitEthernet0/0/2 2000 1 pat
-------------------------------------------------------------------------
Total : 1

# Configure the NAT server on Router1 and Router2 so that users on the external
network can access the HTTP server.
[Router1] interface gigabitethernet 0/0/2
[Router1-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10
http //Configure the device to allow Internet users to access the HTTP server of the company.
[Router1-GigabitEthernet0/0/2] quit
[Router2] interface gigabitethernet 0/0/2
[Router2-GigabitEthernet0/0/2] nat server protocol tcp global 202.10.2.10 http inside 10.100.1.10
http //Configure the device to allow Internet users to access the HTTP server of the company.
[Router2-GigabitEthernet0/0/2] quit

Step 9 Configure HRP on firewalls.


# On FW1, associate VGMP groups with uplink and downlink interfaces.
[FW1] hrp track interface gigabitethernet 1/0/1 //Associate a VGMP group with an uplink interface.
[FW1] hrp track interface eth-trunk 10 //Associate a VGMP group with a downlink interface.

# On FW1, adjust the OSPF cost based on the HRP status.


[FW1] hrp adjust ospf-cost enable

# On FW2, associate VGMP groups with uplink and downlink interfaces.


[FW2] hrp track interface gigabitethernet 1/0/1 //Associate a VGMP group with an uplink interface.
[FW2] hrp track interface eth-trunk 20 //Associate a VGMP group with a downlink interface.

# On FW2, adjust the OSPF cost based on the HRP status.


[FW2] hrp adjust ospf-cost enable

# On FW1, specify a heartbeat interface and enable HRP.


[FW1] hrp interface gigabitethernet 1/0/7 remote 10.10.1.2 //Configure a heartbeat interface and
enable HRP.
[FW1] hrp enable //Enable HRP.
HRP_M[FW1] hrp mirror session enable //Enable quick session backup. In HRP networking, if packets
are received and sent along different paths, the quick session backup function ensures that session
information on the active firewall is immediately synchronized to the standby firewall. When the active
firewall fails, packets can be forwarded by the standby firewall. This function ensures nonstop sessions of
internal and external users.

After HRP is configured, the configuration and session of the active device are automatically
backed up to the standby device.

# On FW2, specify a heartbeat interface and enable HRP.

[FW2] hrp interface gigabitethernet 1/0/7 remote 10.10.1.1 //Configure a heartbeat interface and
enable HRP.
[FW2] hrp enable //Enable HRP.
HRP_B[FW2] hrp mirror session enable //Enable quick session backup. In HRP networking, if packets are
received and sent along different paths, the quick session backup function ensures that session information
on the active firewall is immediately synchronized to the standby firewall. When the active firewall fails,
packets can be forwarded by the standby firewall. This function ensures nonstop sessions of internal and
external users.

# Verify the configuration.


HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 49012, peer: 49012
Core state: normal, peer: normal
Backup channel usage: 3%
Stable time: 0 days, 5 hours, 1 minutes

The local and remote firewalls have the same priority and are both in active state,
indicating that the two firewalls are in load balancing state.
Step 10 Configure attack defense on firewalls.
To protect internal servers, enable defense against SYN flood, UDP flood, and ICMP flood attacks, IP address sweeps, port scans, IP fragment attacks, and IP spoofing on the firewalls, and enable the blacklist function so that sources identified by the scan defense can be blocked.

The attack defense thresholds below are reference values only. Set them according to the actual traffic on your network: a threshold below normal peak traffic drops legitimate connections, and one far above it never triggers.
HRP_M[FW1] firewall defend syn-flood enable
HRP_M[FW1] firewall defend syn-flood zone untrust max-rate 20000
HRP_M[FW1] firewall defend udp-flood enable
HRP_M[FW1] firewall defend udp-flood zone untrust max-rate 1500
HRP_M[FW1] firewall defend icmp-flood enable
HRP_M[FW1] firewall defend icmp-flood zone untrust max-rate 20000
HRP_M[FW1] firewall blacklist enable
HRP_M[FW1] firewall defend ip-sweep enable
HRP_M[FW1] firewall defend ip-sweep max-rate 4000
HRP_M[FW1] firewall defend port-scan enable
HRP_M[FW1] firewall defend port-scan max-rate 4000
HRP_M[FW1] firewall defend ip-fragment enable
HRP_M[FW1] firewall defend ip-spoofing enable
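The max-rate values above are packets-per-second thresholds, and the page says they must be sized from real traffic. The Python below is an added example, not part of the original page or of any Huawei software, that shows what such a threshold measures and how to derive one: it counts SYN packets per second (the quantity the syn-flood max-rate limits) and distinct destination ports per source per second (a simplified stand-in for the port-scan detector, which the firewall rates in packets per second) over constructed packet records, flags the seconds and sources that exceed a threshold, and computes a threshold from a clean baseline with a safety margin. The record format, the scaled-down thresholds (150 pps and 50 ports instead of the page's 20000 and 4000) and the sample traffic are this example's own assumptions.

```python
import math
from collections import defaultdict


def build_sample_traffic():
    """Constructed packet records (second, src_ip, dst_ip, dst_port, is_syn) toward the
    HTTP server: 10 s of baseline, a 2 s SYN burst from many sources, then a port probe."""
    records = []
    for t in range(10):                                      # baseline: 50 SYN/s
        for i in range(50):
            records.append((t, f"203.0.113.{i % 200 + 1}", "10.100.1.10", 80, True))
    for t in (10, 11):                                       # flood: 600 SYN/s, spoofed sources
        for i in range(600):
            records.append((t, f"198.51.100.{i % 250 + 1}", "10.100.1.10", 80, True))
    for port in range(1, 121):                               # scan: 120 ports in one second
        records.append((12, "192.0.2.7", "10.100.1.10", port, True))
    return records


def syn_rate_per_second(records):
    """SYN packets per second, keyed by second."""
    counts = defaultdict(int)
    for t, _, _, _, is_syn in records:
        if is_syn:
            counts[t] += 1
    return dict(counts)


def detect_syn_flood(records, max_rate):
    """Seconds in which the SYN rate exceeds max_rate (packets per second)."""
    return sorted(t for t, n in syn_rate_per_second(records).items() if n > max_rate)


def detect_port_scans(records, max_ports):
    """Sources that hit more than max_ports distinct destination ports within one second."""
    seen = defaultdict(set)
    for t, src, _, dport, _ in records:
        seen[(t, src)].add(dport)
    return sorted({src for (_, src), ports in seen.items() if len(ports) > max_ports})


def suggest_max_rate(baseline_rates, margin=3.0):
    """Size a max-rate from a clean baseline: the observed per-second peak times a margin.
    Measure the baseline during normal operation, never from a window that contains an attack."""
    return math.ceil(max(baseline_rates.values()) * margin)


if __name__ == "__main__":
    records = build_sample_traffic()
    rates = syn_rate_per_second(records)
    threshold = suggest_max_rate({t: n for t, n in rates.items() if t < 10})
    print(f"suggested syn-flood max-rate: {threshold} pps")
    print(f"seconds over threshold: {detect_syn_flood(records, threshold)}")
    print(f"scanning sources: {detect_port_scans(records, 50)}")
```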

----End

Configuration Files
● Router1 configuration file
#
sysname Router1
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.1.3 202.10.1.9
#
interface GigabitEthernet 0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
ip address 202.10.1.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 202.10.1.10 http inside 10.100.1.10 http
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.1.2
#
return

● Router2 configuration file


#
sysname Router2
#
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
#
nat address-group 1 202.10.2.3 202.10.2.9
#
interface GigabitEthernet 0/0/1
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
ip address 202.10.2.1 255.255.255.0
nat outbound 2000 address-group 1
nat server protocol tcp global 202.10.2.10 http inside 10.100.1.10 http
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.2.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.10.2.2
#
return

● FW1 configuration file


#
sysname FW1
#
router id 3.3.3.3
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.2
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 10
#
interface Eth-Trunk 10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 10
#
interface GigabitEthernet 2/0/4
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.3.1.0 mask 24
policy source 10.5.1.0 mask 24
policy source 192.168.1.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.1.1.0 mask 24
#
policy interzone trust untrust outbound
policy 4
action permit
policy source 192.168.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return

● FW2 configuration file


#
sysname FW2
#
router id 4.4.4.4
#
hrp mirror session enable
hrp adjust ospf-cost enable
hrp enable
hrp interface GigabitEthernet 1/0/7 remote 10.10.1.1
hrp track interface GigabitEthernet1/0/1
hrp track interface Eth-Trunk 20
#
interface Eth-Trunk 20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/7
ip address 10.10.1.2 255.255.255.0
#
interface GigabitEthernet 2/0/3
eth-trunk 20
#
interface GigabitEthernet 2/0/4
eth-trunk 20
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk20
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/7
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
ospf 1
area 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.2.1.1
#
policy interzone local trust outbound
policy 1
action permit
policy source 10.4.1.0 mask 24
policy source 10.6.1.0 mask 24
policy source 192.168.2.0 mask 24
#
policy interzone local untrust inbound
policy 2
action permit
policy source 10.2.1.0 mask 24
#
policy interzone trust untrust inbound
policy 3
action permit
policy source 10.2.1.0 mask 24
#
firewall defend syn-flood enable
firewall defend syn-flood zone untrust max-rate 20000
firewall defend udp-flood enable
firewall defend udp-flood zone untrust max-rate 1500
firewall defend icmp-flood enable
firewall defend icmp-flood zone untrust max-rate 20000
firewall blacklist enable
firewall defend ip-sweep enable
firewall defend ip-sweep max-rate 4000
firewall defend port-scan enable
firewall defend port-scan max-rate 4000
firewall defend ip-fragment enable
firewall defend ip-spoofing enable
#
return

● CSS configuration file

#
sysname CSS
#
vlan batch 100 200 300
#
dhcp enable
#
ip pool poola
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
#
ip pool poolb
gateway-list 192.168.2.1
network 192.168.2.0 mask 255.255.255.0
#
interface Vlanif 100
ip address 10.5.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 200
ip address 10.6.1.1 255.255.255.0
dhcp select global
#
interface Vlanif 300
ip address 10.100.1.1 255.255.255.0
#
interface Eth-Trunk 10
undo portswitch
ip address 10.3.1.2 255.255.255.0
#
interface Eth-Trunk 20
undo portswitch
ip address 10.4.1.2 255.255.255.0
#
interface Eth-Trunk 100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Eth-Trunk 200
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet 1/1/0/10
port link-type access
port default vlan 300
#
interface GigabitEthernet 1/1/0/3
eth-trunk 10
#
interface GigabitEthernet 1/1/0/4
eth-trunk 20
#
interface GigabitEthernet 1/2/0/3
eth-trunk 100
#
interface GigabitEthernet 1/2/0/4
eth-trunk 200
#
interface GigabitEthernet 2/1/0/3
eth-trunk 10
#
interface GigabitEthernet 2/1/0/4
eth-trunk 20
#
interface GigabitEthernet 2/2/0/3
eth-trunk 100
#

interface GigabitEthernet 2/2/0/4
eth-trunk 200
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
network 10.100.1.0 0.0.0.255
area 0.0.0.1
network 10.5.1.0 0.0.0.255
area 0.0.0.2
network 10.6.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.1
ip route-static 0.0.0.0 0.0.0.0 10.4.1.1
#
return

● AGG1 configuration file


#
sysname AGG1
#
vlan batch 100 500
#
interface Vlanif 100
ip address 10.5.1.2 255.255.255.0
#
interface Vlanif 500
ip address 192.168.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.5.1.1
#
interface Eth-Trunk 100
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface Eth-Trunk 500
port link-type hybrid
port hybrid pvid vlan 500
port hybrid untagged vlan 500
#
interface GigabitEthernet 1/0/1
eth-trunk 100
#
interface GigabitEthernet 2/0/1
eth-trunk 100
#
interface GigabitEthernet 1/0/5
eth-trunk 500
#
interface GigabitEthernet 2/0/5
eth-trunk 500
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
ospf 1 router-id 6.6.6.6
area 0.0.0.1
network 10.5.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
nssa
#
return

● AGG2 configuration file

#
sysname AGG2
#
vlan batch 200 600
#
interface Vlanif 200
ip address 10.6.1.2 255.255.255.0
#
interface Vlanif 600
ip address 192.168.2.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.6.1.1
#
interface Eth-Trunk 200
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface Eth-Trunk 600
port link-type hybrid
port hybrid pvid vlan 600
port hybrid untagged vlan 600
#
interface GigabitEthernet 1/0/1
eth-trunk 200
#
interface GigabitEthernet 2/0/1
eth-trunk 200
#
interface GigabitEthernet 1/0/5
eth-trunk 600
#
interface GigabitEthernet 2/0/5
eth-trunk 600
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
ospf 1 router-id 7.7.7.7
area 0.0.0.2
network 10.6.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
nssa
#
return

2.5 Example for Configuring the Egress of a Large-Sized Campus (Firewalls Are Connected to Core Switches in Bypass Mode)

Configuration Notes
● This example uses Huawei S series modular switches, USG firewalls, and NE
routers to describe the configuration procedure.
● The configuration procedure in this example involves only the enterprise
network egress. For the internal network configuration, see "Large-Sized
Campus Networks" in the Huawei S Series Campus Switch Quick
Configuration Guide.
● Only the connection configurations between firewalls and switches and the
HRP configurations on firewalls are provided in the following procedure. For
the security service plan on the firewalls and security policies, attack defense,
bandwidth management, and IPSec on the campus network, see Firewall
Configuration Examples.
● This example describes only the routers and switches at the egress of the campus
network. For the Internet-side configurations on routers, see the NE Router
Configuration Guide.

Networking Requirements
At the egress of a large-sized campus network, core switches connect to routers to
access the Internet through upstream interfaces. Firewalls connect to the core
switches in bypass mode to filter service traffic.
To simplify the network and improve reliability, a switch cluster (CSS) is deployed at
the core layer.
HRP (active/standby mode) is deployed on the firewalls. If one firewall fails, services
are switched to the other firewall.
Each of the core switches is dual-homed to the two egress routers, and VRRP is
configured between the routers to ensure reliability.
To improve link reliability, Eth-Trunks are configured between the core switches and
egress routers, between the core switches and firewalls, and between the two firewalls.
The networking diagram is as follows:

Figure 2-10 Campus egress (HRP firewalls in bypass mode)
[Figure: the Internet at the top; Router 1 and Router 2 (VRRP VRID 1) at the campus egress; below them the CSS, with FW 1 and FW 2 (HRP) attached in bypass mode; below the CSS, two aggregation switches leading to service network 1 and service network 2. Arrows mark traffic from the intranet to the Internet and traffic from the Internet to the intranet.]
In a Layer 3 forwarding environment, traffic between the intranet and the Internet
is forwarded directly by the switches and does not pass through FW1 and FW2. To
have this traffic filtered by the FWs, the VRF function must be configured on the
switches: the CSS is divided into a virtual switch VRF-A and a root switch Public,
which are isolated from each other.
Public is connected to the egress routers. It forwards traffic from the Internet to the
FWs for filtering and traffic from the FWs to the egress routers.
VRF-A is connected to the intranet. It forwards traffic from the FWs to the intranet
and traffic from the intranet to the FWs for filtering.
The following logical network diagram shows the traffic forwarding paths.

Figure 2-11 Connections between physical interfaces of switches, routers, and firewalls
[Figure: physical cabling. Router 1 and Router 2 each bundle 10GE1/0/1 and 10GE1/0/2 into Eth-Trunk1. The CSS (Switch 1 master, Switch 2 backup) is split into an Internet-side Public and an intranet-side VRF-A. Public: Eth-Trunk1 (10GE1/4/0/0, 10GE2/4/0/0) to Router 1; Eth-Trunk2 (10GE1/4/0/1, 10GE2/4/0/1) to Router 2; Eth-Trunk4 (GE1/1/0/7, GE2/1/0/7) to FW 1; Eth-Trunk6 (GE1/2/0/7, GE2/2/0/7) to FW 2. FW 1: Eth-Trunk4 (GE1/0/0, GE1/0/1) upstream, Eth-Trunk5 (GE1/1/0, GE1/1/1) downstream, Eth-Trunk1 (GE2/0/0, GE2/0/1) to FW 2; FW 2 mirrors this with Eth-Trunk6, Eth-Trunk7 and Eth-Trunk1. VRF-A: Eth-Trunk5 (GE1/1/0/8, GE2/1/0/8) to FW 1; Eth-Trunk7 (GE1/2/0/8, GE2/2/0/8) to FW 2; Eth-Trunk8 (GE1/3/0/1, GE2/3/0/1) and Eth-Trunk9 (GE1/3/0/2, GE2/3/0/2) to the aggregation switches of service network 1 and service network 2.]
In this example, the core switches work in Layer 3 mode. The firewalls connect to
Layer 3 switches through upstream and downstream interfaces. VRRP needs to be
configured on both upstream and downstream service interfaces of firewalls, as
shown below.

Figure 2-12 Connections between Layer 3 interfaces of switches, routers, and firewalls
[Figure: Layer 3 addressing. Router 1 Eth-Trunk1 10.10.4.2/24 and Router 2 Eth-Trunk1 10.10.4.3/24 form VRRP VRID 1 with virtual IP 10.10.4.100/24; OSPF Area 0 runs between the routers and Public (VLANIF10 10.10.4.1/24 on Eth-Trunk1 and Eth-Trunk2). Public reaches the firewalls through Eth-Trunk4 and Eth-Trunk6 via VLANIF20 10.10.2.1/24; FW 1 Untrust Eth-Trunk4 10.10.2.2/24 and FW 2 Untrust Eth-Trunk6 10.10.2.3/24 form the upstream VRRP VRID 1 with virtual IP 10.10.2.5/24. The firewalls are linked by Eth-Trunk1 (10.1.1.1/24 and 10.1.1.2/24). FW 1 Trust Eth-Trunk5 10.10.3.2/24 and FW 2 Trust Eth-Trunk7 10.10.3.3/24 form the downstream VRRP VRID 2 with virtual IP 10.10.3.5/24, facing VRF-A VLANIF30 10.10.3.1/24 on Eth-Trunk5 and Eth-Trunk7. VRF-A connects to the aggregation switches through Eth-Trunk8 (VLANIF100 10.10.100.1/24) and Eth-Trunk9 (VLANIF200 10.10.200.1/24). Numbered labels (1 to 3) mark the static-route and OSPF hops of the two traffic paths described below.]
The traffic (in blue) from the intranet to the Internet is forwarded as follows:
1. When traffic from the intranet to the Internet reaches VRF-A, it is then
forwarded to the firewalls based on the static route (next hop is the
downstream VRRP virtual IP address of firewalls) configured on VRF-A.
2. After filtering the traffic, the firewalls forward traffic to Public based on the
static route (next hop is the CSS's VLANIF 20).
3. Public forwards traffic to routers based on the static route (next hop is the
router VRRP virtual IP address).
The traffic (in red) from the Internet to the intranet is forwarded as follows:
1. The traffic from the Internet to the intranet reaches the routers, and is then
forwarded to Public based on the OSPF routing table.
2. Public forwards the traffic to firewalls based on the static route (next hop is
the upstream VRRP virtual IP address of firewalls).
3. After filtering the traffic, the firewalls forward traffic to VRF-A based on the
static route (next hop is the CSS's VLANIF 30).
4. VRF-A forwards the traffic to the aggregation switches based on the OSPF routing
table, and the aggregation switches then forward the traffic to the service
networks.
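The two forwarding paths above can be walked mechanically. The Python script below is an added example and is not part of the Huawei document: it models VRF-A, the active firewall, Public and Router1 as longest-prefix-match route tables built only from the addresses in this example's data plan, then traces a packet hop by hop. For contrast it also traces through a single flat CSS table with no VRF separation, which reaches the routers without ever touching a firewall, which is the point made above about why the VRF function is needed. The host addresses 10.10.100.50 and 203.0.113.10 are constructed, and representing the page's static routes to the service segments as /24 prefixes is an assumption of the example.

```python
"""Forwarding-path walk-through for the bypass-mode firewall design (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Route tables: prefix -> next hop (None means directly connected, deliver locally).
# Next hops follow the roadmap: VRF-A -> FW downstream VIP (VRID 2), FW -> Public VLANIF 20,
# Public -> router VRRP VIP (VRID 1); in reverse Router -> VLANIF 10 (OSPF), Public -> FW upstream
# VIP (VRID 1), FW -> VLANIF 30, VRF-A -> connected service VLAN. Expressing the page's
# "static route" to the service segments as /24 prefixes is an assumption of this example.
TABLES: Dict[str, Dict[str, Optional[str]]] = {
    "VRF-A": {
        "10.10.3.0/24": None, "10.10.100.0/24": None, "10.10.200.0/24": None,
        "0.0.0.0/0": "10.10.3.5",
    },
    "FW1": {
        "10.10.2.0/24": None, "10.10.3.0/24": None,
        "10.10.100.0/24": "10.10.3.1", "10.10.200.0/24": "10.10.3.1",
        "0.0.0.0/0": "10.10.2.1",
    },
    "Public": {
        "10.10.2.0/24": None, "10.10.4.0/24": None,
        "10.10.100.0/24": "10.10.2.5", "10.10.200.0/24": "10.10.2.5",
        "0.0.0.0/0": "10.10.4.100",
    },
    "Router1": {
        "10.10.4.0/24": None,
        "10.10.100.0/24": "10.10.4.1", "10.10.200.0/24": "10.10.4.1",
        "0.0.0.0/0": "INTERNET",
    },
    # Counter-example: one flat table on the CSS with no VRF separation.
    "CSS-flat": {
        "10.10.2.0/24": None, "10.10.3.0/24": None, "10.10.4.0/24": None,
        "10.10.100.0/24": None, "10.10.200.0/24": None,
        "0.0.0.0/0": "10.10.4.100",
    },
}

# Which routing instance owns each next-hop address (VRRP VIPs resolve to the master).
OWNER: Dict[str, str] = {
    "10.10.3.5": "FW1", "10.10.2.5": "FW1",          # FW VRRP VIPs (FW1 is the HRP active device)
    "10.10.2.1": "Public", "10.10.4.1": "Public",    # CSS VLANIF 20 / VLANIF 10
    "10.10.3.1": "VRF-A",                            # CSS VLANIF 30
    "10.10.4.100": "Router1",                        # router VRRP VIP (Router1 is master)
}


def lookup(table: str, dst: str) -> Tuple[Net, Optional[str]]:
    """Longest-prefix match of dst in the named table; returns (prefix, next hop)."""
    addr = IPv4(dst)
    best: Optional[Tuple[Net, Optional[str]]] = None
    for prefix, nh in TABLES[table].items():
        net = Net(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{table}: no route to {dst}")
    return best


def trace(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Walk dst through the tables starting at `start`; return the list of hops."""
    path = [start]
    node = start
    for _ in range(max_hops):
        _, nh = lookup(node, dst)
        if nh is None:                      # connected: delivered on this instance
            path.append(f"deliver {dst}")
            return path
        if nh == "INTERNET":                # router's default route leaves the campus
            path.append("Internet")
            return path
        node = OWNER[nh]
        path.append(node)
    raise RuntimeError("routing loop: " + " -> ".join(path))


def inspected(path: List[str]) -> bool:
    """True if the path crosses a firewall instance."""
    return any(hop.startswith("FW") for hop in path)


if __name__ == "__main__":
    # 10.10.100.50 (intranet host) and 203.0.113.10 (Internet host) are constructed samples.
    for start, dst in (("VRF-A", "203.0.113.10"), ("Router1", "10.10.100.50"),
                       ("CSS-flat", "203.0.113.10")):
        p = trace(start, dst)
        print(f"{start} -> {dst}: {' -> '.join(p)}  (firewall inspected: {inspected(p)})")
```

Run stand-alone, the script prints the three paths; the first two match steps 1 to 3 and 1 to 4 above, and the flat-table case shows the traffic leaving through Router1 with no firewall on the path.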

Device Selection
This example applies to the following products and versions. If other products or
versions are used, the configurations may vary. For details, see a related
configuration manual.

Device Type | Device Model | Device Version
Access router | AR3600 series routers | V200R007C00
Firewall | USG9500 series firewalls | V500R001C20
Core switches | S12700 series switches | V200R008C00
Aggregation switch | S5720-EI series switches | V200R008C00

Data Plan

Table 2-6 Link aggregation data plan

Device | Interface Number | Member Interface | VLANIF Number | IP Address | Remote Device | Remote Interface
Router1 | Eth-Trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.2/24 | Switch 1, Switch 2 | Eth-Trunk1
Router2 | Eth-Trunk1.100 | 10GE1/0/1, 10GE1/0/2 | - | 10.10.4.3/24 | Switch 1, Switch 2 | Eth-Trunk2
VRRP of Router 1 and Router 2 | - | - | - | 10.10.4.100/24 | - | -
CSS (Switch 1 and Switch 2) | Eth-Trunk1 | 10GE1/4/0/0, 10GE2/4/0/0 | VLANIF10 | 10.10.4.1/24 | Router 1 | Eth-Trunk1
CSS (Switch 1 and Switch 2) | Eth-Trunk2 | 10GE1/4/0/1, 10GE2/4/0/1 | VLANIF10 | 10.10.4.1/24 | Router 2 | Eth-Trunk1
CSS (Switch 1 and Switch 2) | Eth-Trunk4 | GE1/1/0/7, GE2/1/0/7 | VLANIF20 | 10.10.2.1/24 | FW 1 | Eth-Trunk4
CSS (Switch 1 and Switch 2) | Eth-Trunk5 | GE1/1/0/8, GE2/1/0/8 | VLANIF30 | 10.10.3.1/24 | FW 1 | Eth-Trunk5
CSS (Switch 1 and Switch 2) | Eth-Trunk6 | GE1/2/0/7, GE2/2/0/7 | VLANIF20 | 10.10.2.1/24 | FW 2 | Eth-Trunk6
CSS (Switch 1 and Switch 2) | Eth-Trunk7 | GE1/2/0/8, GE2/2/0/8 | VLANIF30 | 10.10.3.1/24 | FW 2 | Eth-Trunk7
CSS (Switch 1 and Switch 2) | Eth-Trunk8 | GE1/3/0/1, GE2/3/0/1 | VLANIF100 | 10.10.100.1/24 | Service network 1 | - (omitted in this example)
CSS (Switch 1 and Switch 2) | Eth-Trunk9 | GE1/3/0/2, GE2/3/0/2 | VLANIF200 | 10.10.200.1/24 | Service network 2 | - (omitted in this example)
FW1 | Eth-Trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.1/24 | FW2 | Eth-Trunk1
FW1 | Eth-Trunk4 | GE1/0/0, GE1/0/1 | - | 10.10.2.2/24 | Switch 1, Switch 2 | Eth-Trunk4
FW1 | Eth-Trunk5 | GE1/1/0, GE1/1/1 | - | 10.10.3.2/24 | Switch 1, Switch 2 | Eth-Trunk5
FW2 | Eth-Trunk1 | GE2/0/0, GE2/0/1 | - | 10.1.1.2/24 | FW1 | Eth-Trunk1
FW2 | Eth-Trunk6 | GE1/0/0, GE1/0/1 | - | 10.10.2.3/24 | Switch 1, Switch 2 | Eth-Trunk6
FW2 | Eth-Trunk7 | GE1/1/0, GE1/1/1 | - | 10.10.3.3/24 | Switch 1, Switch 2 | Eth-Trunk7
VRRP1 of FW 1 and FW 2 (upstream) | - | - | - | 10.10.2.5/24 | - | -
VRRP2 of FW 1 and FW 2 (downstream) | - | - | - | 10.10.3.5/24 | - | -
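Before the addresses in Table 2-6 are typed into the devices, the plan can be checked for the mistakes that most often break a design like this: an IP address reused on two interfaces, a link whose two ends sit in different subnets, and a VRRP virtual IP outside its members' subnet or colliding with a real interface address. The Python check below is an added example, not part of the Huawei document; it carries only the addresses from the table (VLANIF addresses listed once each), and the same routine would flag these defects in any plan laid out as device/interface/address records.

```python
"""Consistency checks over the Table 2-6 address plan (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Key = Tuple[str, str]  # (device, interface)

# Interface addresses from Table 2-6; each CSS VLANIF appears once.
ADDRESSES: List[Tuple[str, str, str]] = [
    ("Router1", "Eth-Trunk1.100", "10.10.4.2/24"),
    ("Router2", "Eth-Trunk1.100", "10.10.4.3/24"),
    ("CSS", "VLANIF10", "10.10.4.1/24"),
    ("CSS", "VLANIF20", "10.10.2.1/24"),
    ("CSS", "VLANIF30", "10.10.3.1/24"),
    ("CSS", "VLANIF100", "10.10.100.1/24"),
    ("CSS", "VLANIF200", "10.10.200.1/24"),
    ("FW1", "Eth-Trunk1", "10.1.1.1/24"),
    ("FW1", "Eth-Trunk4", "10.10.2.2/24"),
    ("FW1", "Eth-Trunk5", "10.10.3.2/24"),
    ("FW2", "Eth-Trunk1", "10.1.1.2/24"),
    ("FW2", "Eth-Trunk6", "10.10.2.3/24"),
    ("FW2", "Eth-Trunk7", "10.10.3.3/24"),
]

# Adjacencies whose two ends must share one subnet (Layer 3 view of Figure 2-12).
LINKS: List[Tuple[Key, Key]] = [
    (("Router1", "Eth-Trunk1.100"), ("CSS", "VLANIF10")),
    (("Router2", "Eth-Trunk1.100"), ("CSS", "VLANIF10")),
    (("FW1", "Eth-Trunk4"), ("CSS", "VLANIF20")),
    (("FW2", "Eth-Trunk6"), ("CSS", "VLANIF20")),
    (("FW1", "Eth-Trunk5"), ("CSS", "VLANIF30")),
    (("FW2", "Eth-Trunk7"), ("CSS", "VLANIF30")),
    (("FW1", "Eth-Trunk1"), ("FW2", "Eth-Trunk1")),
]

# VRRP groups: (name, virtual IP, member interfaces that must share the VIP's subnet).
VRRP: List[Tuple[str, str, List[Key]]] = [
    ("Router VRID 1", "10.10.4.100", [("Router1", "Eth-Trunk1.100"), ("Router2", "Eth-Trunk1.100")]),
    ("FW VRID 1 (upstream)", "10.10.2.5", [("FW1", "Eth-Trunk4"), ("FW2", "Eth-Trunk6")]),
    ("FW VRID 2 (downstream)", "10.10.3.5", [("FW1", "Eth-Trunk5"), ("FW2", "Eth-Trunk7")]),
]


def validate(addresses: Sequence[Tuple[str, str, str]],
             links: Sequence[Tuple[Key, Key]],
             vrrp: Sequence[Tuple[str, str, List[Key]]]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    ifaces: Dict[Key, ipaddress.IPv4Interface] = {
        (dev, itf): ipaddress.ip_interface(addr) for dev, itf, addr in addresses
    }

    # 1. The same address on more than one interface.
    owners = defaultdict(list)
    for key, itf in ifaces.items():
        owners[itf.ip].append(key)
    for ip, keys in owners.items():
        if len(keys) > 1:
            findings.append(f"duplicate address {ip} on {keys}")

    # 2. Both ends of each link in one subnet.
    for a, b in links:
        if ifaces[a].network != ifaces[b].network:
            findings.append(f"{a} {ifaces[a]} and {b} {ifaces[b]} are not in one subnet")

    # 3. Each VIP inside its members' subnet and distinct from every real interface address.
    for name, vip, members in vrrp:
        vip_addr = ipaddress.ip_address(vip)
        nets = {ifaces[m].network for m in members}
        if len(nets) != 1:
            findings.append(f"{name}: members span several subnets {sorted(map(str, nets))}")
            continue
        net = nets.pop()
        if vip_addr not in net:
            findings.append(f"{name}: VIP {vip} is outside {net}")
        if vip_addr in owners:
            findings.append(f"{name}: VIP {vip} collides with {owners[vip_addr]}")
    return findings


if __name__ == "__main__":
    problems = validate(ADDRESSES, LINKS, VRRP)
    print("plan OK" if not problems else "\n".join(problems))
```

The page's plan passes cleanly; reusing 10.10.2.2/24 on another interface, or moving a VIP to 10.10.5.100, produces one finding each, which is the kind of error that otherwise only shows up as a VRRP group that never forms or a static route whose next hop is unreachable.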

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the CSS for core switches.
2. Assign IP addresses to the interfaces between switches, firewalls, and routers.
To improve link reliability, configure inter-chassis Eth-Trunks between switches
and firewalls and between switches and routers.
Configure security zones on the firewalls' interfaces.
3. Configure VRRP on egress routers.
To ensure reliability between the core switches and two egress routers, deploy
VRRP between the two egress routers so that VRRP heartbeat packets are
exchanged through the core switches. Router1 functions as the master device,
and Router2 functions as the backup device.
4. Deploy routing.
Configure the VRF function on switches to divide the CSS into a virtual switch
VRF-A and a root switch Public, which separate the service network routes
and public network routes.
To steer the upstream traffic on each device, configure a default route on core
switches, of which the next hop is the VRRP virtual IP address of the egress
routers.
To steer the return traffic of two egress routers, configure OSPF between the
egress routers and core switches, and advertise all user network segment
routes on the core switches into OSPF on egress routers.
To forward the upstream traffic of service networks to firewalls, configure a
default route on switches, of which the next hop is the virtual IP address of
VRRP VRID2 on firewalls.
To forward the downstream traffic of service network 1 to firewalls, configure
a default route on switches, of which the next hop is the virtual IP address of
VRRP VRID1 on firewalls.
To forward the downstream traffic of service network 2 to firewalls, configure
a default route on switches, of which the next hop is the virtual IP address of
VRRP VRID1 on firewalls.
To forward the upstream traffic of service networks to switches, configure a
default route on firewalls, of which the next hop is the IP address of VLANIF
20 on switches.
To forward the downstream traffic of service network 1 to switches, configure
a default route on firewalls, of which the next hop is the IP address of VLANIF
30 on switches.
To forward the downstream traffic of service network 2 to switches, configure
a default route on firewalls, of which the next hop is the IP address of VLANIF
30 on switches.
5. Configure HRP on firewalls.

Procedure
Step 1 On switch 1 and switch 2: Configure CSSs.
1. Connect CSS cards through cables.
In the following figure, the S12700 switches have the CSS cards
EH1D2VS08000 installed. An S12700 has a maximum number of MPUs, SFUs,
and CSS cards installed. Each chassis must have at least one MPU and one
SFU installed. You are advised to install two SFUs and two CSS cards in each
chassis.

Figure 2-13 CSS card connections

– The two chassis are connected by at least one CSS cable.
– One CSS card can only be connected to one CSS card in the other chassis but not
the local chassis.
– An interface in group 1 of a CSS card can only be connected to any interface in
group 1 of the CSS card on the other chassis. The requirements for interfaces in
group 2 are the same.
– CSS cards have the same number of cluster cables connected. (If the CSS cards
have different numbers of cluster cables connected, the total cluster bandwidth
depends on the cluster with the least cluster cables connected.) In addition,
interfaces on CSS cards are connected based on interface numbers.
2. Configure clustering on Switch 1.
# Set the cluster mode to CSS card (the default value does not need to be
configured). Retain the default cluster ID 1 (the default value does not need
to be configured) and set the priority to 100.
<HUAWEI> system-view
[HUAWEI] set css mode css-card //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css id 1 //Default setting. You do not need to run this command. The step is used for reference.
[HUAWEI] set css priority 100 //The default CSS priority is 1. Change the priority of the master switch to be higher than that of the backup switch.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the switch.

3. Configure clustering on Switch 2.
Set the cluster mode to CSS card (the default value does not need to be
configured). Set the CSS ID to 2 and retain the default priority 1 (the default
value does not need to be configured).
<HUAWEI> system-view
[HUAWEI] set css id 2 //The default CSS ID is 1. Change the CSS ID to 2.
[HUAWEI] css enable
Warning: The CSS configuration takes effect only after the system is rebooted. The next CSS mode is CSS-card. Reboot now? [Y/N]:y //Restart the switch.

4. Check the CSS status after the switches restart.
– On Switch 1, the active switch of the CSS, the MASTER indicator on the
active MPU is steady green. (Figure 1)
– On Switch 1, the CSS ID indicators numbered 1 on both MPUs are steady
green. On Switch 2, the CSS ID indicators numbered 2 on both MPUs are
steady green. (Figure 1)
– The LINK/ALM indicators of interfaces on all CSS cards connected to
cluster cables are steady green. (Figure 2)
– The MASTER indicators on all CSS cards in the active chassis are steady
green, and the MASTER indicators on all CSS cards in the standby chassis
are off. (Figure 2)

Figure 2-14 Indicators of the MPU and CSS card

– After the CSS is established, subsequent operations will be performed on the
master switch (switch 1) and data will be automatically synchronized to the
standby switch (switch 2).
– The interface name in a CSS is in the format like 10GE1/4/0/0. The leftmost part
indicates the CSS ID.

Step 2 Configure the inter-chassis Eth-Trunks between CSS and FWs and between CSS
and routers. Configure VLANIF interfaces on the CSS and assign IP addresses to
them.
1. Configure an inter-chassis Eth-Trunk between switches and routers. Configure
VLANIF interfaces and assign IP addresses to them.
# In the CSS, create Eth-Trunk1 to connect to Router1 and add member
interfaces to Eth-Trunk1.
<HUAWEI> system-view
[HUAWEI] sysname CSS //Rename the CSS.
[CSS] interface Eth-Trunk 1
[CSS-Eth-Trunk1] quit
[CSS] interface XGigabitethernet 1/4/0/0 //Add an interface on the master switch to Eth-Trunk1.
[CSS-XGigabitEthernet1/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet1/4/0/0] quit
[CSS] interface XGigabitethernet 2/4/0/0 //Add an interface on the backup switch to Eth-Trunk1.
[CSS-XGigabitEthernet2/4/0/0] Eth-Trunk 1
[CSS-XGigabitEthernet2/4/0/0] quit

# In the CSS, create Eth-Trunk2 to connect to Router2 and add member
interfaces to Eth-Trunk2.
[CSS] interface Eth-Trunk 2
[CSS-Eth-Trunk2] quit
[CSS] interface XGigabitethernet 1/4/0/1 //Add an interface on the master switch to Eth-Trunk2.
[CSS-XGigabitEthernet1/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet1/4/0/1] quit
[CSS] interface XGigabitethernet 2/4/0/1 //Add an interface on the backup switch to Eth-Trunk2.
[CSS-XGigabitEthernet2/4/0/1] Eth-Trunk 2
[CSS-XGigabitEthernet2/4/0/1] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 10
[CSS] interface Eth-Trunk 1 //Add Eth-Trunk1 to VLAN 10.
[CSS-Eth-Trunk1] port link-type trunk
[CSS-Eth-Trunk1] port trunk allow-pass vlan 10
[CSS-Eth-Trunk1] quit
[CSS] interface Eth-Trunk 2 //Add Eth-Trunk2 to VLAN 10.
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] port trunk allow-pass vlan 10
[CSS-Eth-Trunk2] quit
[CSS] interface Vlanif 10 //Create VLANIF 10 for the CSS to communicate with Router1 and Router2.
[CSS-Vlanif10] ip address 10.10.4.1 24
[CSS-Vlanif10] quit

2. Configure the inter-chassis Eth-Trunks between switches and FWs and
between CSS and routers. Configure VLANIF interfaces on the CSS and assign
IP addresses to them.
# In the CSS, create Eth-Trunk4 to connect Public to FW1 and add member
interfaces to Eth-Trunk4.
[CSS] interface Eth-Trunk 4
[CSS-Eth-Trunk4] quit
[CSS] interface Gigabitethernet 1/1/0/7 //Add an interface on the master switch to Eth-Trunk4.
[CSS-Gigabitethernet1/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet1/1/0/7] quit
[CSS] interface Gigabitethernet 2/1/0/7 //Add an interface on the backup switch to Eth-Trunk4.
[CSS-Gigabitethernet2/1/0/7] Eth-Trunk 4
[CSS-Gigabitethernet2/1/0/7] quit

# In the CSS, create Eth-Trunk5 to connect VRF-A to FW1 and add member
interfaces to Eth-Trunk5.
[CSS] interface Eth-Trunk 5
[CSS-Eth-Trunk5] quit
[CSS] interface Gigabitethernet 1/1/0/8 //Add an interface on the master switch to Eth-Trunk5.
[CSS-Gigabitethernet1/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet1/1/0/8] quit
[CSS] interface Gigabitethernet 2/1/0/8 //Add an interface on the backup switch to Eth-Trunk5.
[CSS-Gigabitethernet2/1/0/8] Eth-Trunk 5
[CSS-Gigabitethernet2/1/0/8] quit

# In the CSS, create Eth-Trunk6 to connect Public to FW2 and add member
interfaces to Eth-Trunk6.
[CSS] interface Eth-Trunk 6
[CSS-Eth-Trunk6] quit
[CSS] interface Gigabitethernet 1/2/0/7 //Add an interface on the master switch to Eth-Trunk6.
[CSS-Gigabitethernet1/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet1/2/0/7] quit
[CSS] interface Gigabitethernet 2/2/0/7 //Add an interface on the backup switch to Eth-Trunk6.
[CSS-Gigabitethernet2/2/0/7] Eth-Trunk 6
[CSS-Gigabitethernet2/2/0/7] quit

# In the CSS, create Eth-Trunk7 to connect VRF-A to FW2 and add member
interfaces to Eth-Trunk7.
[CSS] interface Eth-Trunk 7
[CSS-Eth-Trunk7] quit
[CSS] interface Gigabitethernet 1/2/0/8 //Add an interface on the master switch to Eth-Trunk7.
[CSS-Gigabitethernet1/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet1/2/0/8] quit
[CSS] interface Gigabitethernet 2/2/0/8 //Add an interface on the backup switch to Eth-Trunk7.
[CSS-Gigabitethernet2/2/0/8] Eth-Trunk 7
[CSS-Gigabitethernet2/2/0/8] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 20 30
[CSS] interface Eth-Trunk 4 //Add Eth-Trunk4 to VLAN 20.
[CSS-Eth-Trunk4] port link-type trunk
[CSS-Eth-Trunk4] port trunk allow-pass vlan 20
[CSS-Eth-Trunk4] quit
[CSS] interface Eth-Trunk 6 //Add Eth-Trunk6 to VLAN 20.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] port trunk allow-pass vlan 20
[CSS-Eth-Trunk6] quit
[CSS] interface Vlanif 20 //Create VLANIF 20 for Public to connect to FW1 and FW2.
[CSS-Vlanif20] ip address 10.10.2.1 24
[CSS-Vlanif20] quit
[CSS] interface Eth-Trunk 5 //Add Eth-Trunk5 to VLAN 30.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] port trunk allow-pass vlan 30
[CSS-Eth-Trunk5] quit
[CSS] interface Eth-Trunk 7 //Add Eth-Trunk7 to VLAN 30.
[CSS-Eth-Trunk7] port link-type trunk
[CSS-Eth-Trunk7] port trunk allow-pass vlan 30
[CSS-Eth-Trunk7] quit
[CSS] interface Vlanif 30 //Create VLANIF 30 for VRF-A to connect to FW1 and FW2.
[CSS-Vlanif30] ip address 10.10.3.1 24
[CSS-Vlanif30] quit

3. Configure inter-chassis Eth-Trunks between switches and service networks.
Configure VLANIF interfaces and assign IP addresses to them.
# In the CSS, create Eth-Trunk8 to connect to service network 1 and add
member interfaces to Eth-Trunk8.
[CSS] interface Eth-Trunk 8
[CSS-Eth-Trunk8] quit
[CSS] interface Gigabitethernet 1/3/0/1 //Add an interface on the master switch to Eth-Trunk8.
[CSS-Gigabitethernet1/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet1/3/0/1] quit
[CSS] interface Gigabitethernet 2/3/0/1 //Add an interface on the backup switch to Eth-Trunk8.
[CSS-Gigabitethernet2/3/0/1] Eth-Trunk 8
[CSS-Gigabitethernet2/3/0/1] quit

# In the CSS, create Eth-Trunk9 to connect to service network 2 and add
member interfaces to Eth-Trunk9.
[CSS] interface Eth-Trunk 9
[CSS-Eth-Trunk9] quit
[CSS] interface Gigabitethernet 1/3/0/2 //Add an interface on the master switch to Eth-Trunk9.
[CSS-Gigabitethernet1/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet1/3/0/2] quit
[CSS] interface Gigabitethernet 2/3/0/2 //Add an interface on the backup switch to Eth-Trunk9.
[CSS-Gigabitethernet2/3/0/2] Eth-Trunk 9
[CSS-Gigabitethernet2/3/0/2] quit

# Create VLANIF interfaces and assign IP addresses to them.
[CSS] vlan batch 100 200
[CSS] interface Eth-Trunk 8 //Add Eth-Trunk8 to VLAN 100.
[CSS-Eth-Trunk8] port link-type trunk
[CSS-Eth-Trunk8] port trunk allow-pass vlan 100
[CSS-Eth-Trunk8] quit
[CSS] interface Vlanif 100 //Create VLANIF 100 for CSS to connect to service network 1.
[CSS-Vlanif100] ip address 10.10.100.1 24
[CSS-Vlanif100] quit
[CSS] interface Eth-Trunk 9 //Add Eth-Trunk9 to VLAN 200.
[CSS-Eth-Trunk9] port link-type trunk
[CSS-Eth-Trunk9] port trunk allow-pass vlan 200
[CSS-Eth-Trunk9] quit
[CSS] interface Vlanif 200 //Create VLANIF 200 for CSS to connect to service network 2.
[CSS-Vlanif200] ip address 10.10.200.1 24
[CSS-Vlanif200] quit

Step 3 On routers: Configure the interfaces between routers and CSS.
# Configure Router1, create Eth-Trunk1 on Router1, and add member interfaces to
Eth-Trunk1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] interface Eth-Trunk 1
[Router1-Eth-Trunk1] quit
[Router1] interface XGigabitethernet 1/0/1
[Router1-XGigabitEthernet1/0/1] undo shutdown
[Router1-XGigabitEthernet1/0/1] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/1] quit
[Router1] interface XGigabitethernet 1/0/2
[Router1-XGigabitEthernet1/0/2] undo shutdown
[Router1-XGigabitEthernet1/0/2] Eth-Trunk 1
[Router1-XGigabitEthernet1/0/2] quit

# Configure the Dot1q termination subinterface for VLAN 10 and assign an IP
address to the subinterface.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] ip address 10.10.4.2 24
[Router1-Eth-Trunk1.100] dot1q termination vid 10
[Router1-Eth-Trunk1.100] quit

# The configuration procedure on Router2 is the same as that on Router1 except
that the interface addresses are different.
Step 4 On firewalls: Configure interfaces and zones.
# Configure interfaces and zones on FW1.
<USG> system-view
[USG] sysname FW1
[FW1] interface Eth-Trunk 4 //Configure the interface connected to CSS and assign an IP address to it.
[FW1-Eth-Trunk4] ip address 10.10.2.2 24
[FW1-Eth-Trunk4] quit
[FW1] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/0] Eth-Trunk 4
[FW1-GigabitEthernet1/0/0] quit
[FW1] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk4.
[FW1-GigabitEthernet1/0/1] Eth-Trunk 4
[FW1-GigabitEthernet1/0/1] quit

[FW1] interface Eth-Trunk 5 //Configure the interface connected to CSS and assign an IP address to it.
[FW1-Eth-Trunk5] ip address 10.10.3.2 24
[FW1-Eth-Trunk5] quit
[FW1] interface Gigabitethernet 1/1/0 //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/0] Eth-Trunk 5
[FW1-GigabitEthernet1/1/0] quit
[FW1] interface Gigabitethernet 1/1/1 //Add an interface to Eth-Trunk5.
[FW1-GigabitEthernet1/1/1] Eth-Trunk 5
[FW1-GigabitEthernet1/1/1] quit

[FW1] interface Eth-Trunk 1 //Configure the interface connecting FW1 to FW2.
[FW1-Eth-Trunk1] ip address 10.1.1.1 24
[FW1-Eth-Trunk1] quit
[FW1] interface Gigabitethernet 2/0/0 //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/0] Eth-Trunk 1
[FW1-GigabitEthernet2/0/0] quit
[FW1] interface Gigabitethernet 2/0/1 //Add an interface to Eth-Trunk1.
[FW1-GigabitEthernet2/0/1] Eth-Trunk 1
[FW1-GigabitEthernet2/0/1] quit

[FW1] firewall zone trust
[FW1-zone-trust] add interface Eth-Trunk 5 //Add Eth-Trunk5 connected to the intranet to a trusted zone.
[FW1-zone-trust] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface Eth-Trunk 4 //Add Eth-Trunk4 connected to the extranet to an untrusted zone.
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface Eth-Trunk 1 //Add the interface between FW1 and FW2 to the DMZ.
[FW1-zone-dmz] quit

# Configure interfaces and zones on FW2.
<USG> system-view
[USG] sysname FW2
[FW2] interface Eth-Trunk 6 //Configure the interface connected to CSS and assign an IP address to it.
[FW2-Eth-Trunk6] ip address 10.10.2.3 24
[FW2-Eth-Trunk6] quit
[FW2] interface Gigabitethernet 1/0/0 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/0] Eth-Trunk 6
[FW2-GigabitEthernet1/0/0] quit
[FW2] interface Gigabitethernet 1/0/1 //Add an interface to Eth-Trunk6.
[FW2-GigabitEthernet1/0/1] Eth-Trunk 6
[FW2-GigabitEthernet1/0/1] quit

[FW2] interface Eth-Trunk 7 //Configure the interface connected to CSS and assign an IP address to it.
[FW2-Eth-Trunk7] ip address 10.10.3.3 24
[FW2-Eth-Trunk7] quit
[FW2] interface Gigabitethernet 1/1/0 //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/0] Eth-Trunk 7
[FW2-GigabitEthernet1/1/0] quit
[FW2] interface Gigabitethernet 1/1/1 //Add an interface to Eth-Trunk7.
[FW2-GigabitEthernet1/1/1] Eth-Trunk 7
[FW2-GigabitEthernet1/1/1] quit

[FW2] interface Eth-Trunk 1 //Configure the interface between FW2 and FW1.
[FW2-Eth-Trunk1] ip address 10.1.1.2 24
[FW2-Eth-Trunk1] quit
[FW2] interface Gigabitethernet 2/0/0 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/0] Eth-Trunk 1
[FW2-GigabitEthernet2/0/0] quit
[FW2] interface Gigabitethernet 2/0/1 //Add an interface to Eth-Trunk1.
[FW2-GigabitEthernet2/0/1] Eth-Trunk 1
[FW2-GigabitEthernet2/0/1] quit

[FW2] firewall zone trust
[FW2-zone-trust] add interface Eth-Trunk 7 //Add Eth-Trunk7 connected to the intranet to the trusted zone.
[FW2-zone-trust] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface Eth-Trunk 6 //Add Eth-Trunk6 connected to the extranet to the untrusted zone.
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface Eth-Trunk 1 //Add the interface between FW1 and FW2 to the DMZ.
[FW2-zone-dmz] quit

Step 5 On routers: Configure VRRP. Configure Router1 as the VRRP master and Router2
as the VRRP backup.
# Configure Router1.
[Router1] interface Eth-Trunk 1.100
[Router1-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the VRRP virtual IP address.
[Router1-Eth-Trunk1.100] vrrp vrid 1 priority 120 //Increase the priority of Router1 to make Router1 become the Master.
[Router1-Eth-Trunk1.100] quit

# Configure Router2.
[Router2] interface Eth-Trunk 1.100
[Router2-Eth-Trunk1.100] vrrp vrid 1 virtual-ip 10.10.4.100 //Configure the VRRP virtual IP address.
[Router2-Eth-Trunk1.100] quit

After the configuration is complete, a VRRP group should have been set up
between Router1 and Router2. You can run the display vrrp command to view the
VRRP status of Router1 and Router2.
# Check the VRRP status of Router1. The status is master.
[Router1] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Master
Virtual IP : 10.10.4.100
Master IP : 10.10.4.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2015-05-18 06:53:47 UTC-05:13
Last change time : 2015-05-18 06:54:14 UTC-05:13

# Check the VRRP status of Router2. The status is backup.
[Router2] display vrrp
Eth-Trunk1.100 | Virtual Router 1
State : Backup
Virtual IP : 10.10.4.100
Master IP : 10.10.4.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2015-05-18 06:53:52 UTC-05:13
Last change time : 2015-05-18 06:57:12 UTC-05:13

Step 6 Configure routes between CSS and FWs and between CSS and routers.
1. Configure OSPF between switches and routers.
# Create VPN instance Public on CSS and bind the interfaces connected to
routers and firewalls to Public.
[CSS] ip vpn-instance Public //Create the VPN instance Public.
[CSS-vpn-instance-Public] ipv4-family
[CSS-vpn-instance-Public-af-ipv4] route-distinguisher 100:2
[CSS-vpn-instance-Public-af-ipv4] vpn-target 222:2 both
[CSS-vpn-instance-Public-af-ipv4] quit
[CSS-vpn-instance-Public] quit
[CSS] interface Vlanif 10
[CSS-Vlanif10] ip binding vpn-instance Public //Bind VLANIF 10, which connects the CSS to the router, to Public.
[CSS-Vlanif10] ip address 10.10.4.1 24 //Reconfigure an IP address for VLANIF 10, because the preceding operation has deleted the original IP address.
[CSS-Vlanif10] quit
[CSS] interface Vlanif 20
[CSS-Vlanif20] ip binding vpn-instance Public //Bind VLANIF 20, which connects the CSS to the firewall's upstream interface, to Public.
[CSS-Vlanif20] ip address 10.10.2.1 24 //Reconfigure an IP address for VLANIF 20, because the preceding operation has deleted the original IP address.
[CSS-Vlanif20] quit

# Configure a static route in Public to forward upstream traffic. Set the next
hop of the route to the VRRP virtual IP address of routers.
[CSS] ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100 //Configure a default route for Public and set the next hop as the VRRP virtual IP address of the router.

# Configure OSPF between CSS and routers to forward downstream traffic. Routers can learn the return routes to service networks using OSPF.
[CSS] ospf 100 router-id 1.1.1.1 vpn-instance Public
[CSS-ospf-100] area 0
[CSS-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the routes on the network segment connected to Router to OSPF.
[CSS-ospf-100-area-0.0.0.0] quit
[CSS-ospf-100] import-route static //Import the static route to OSPF.
[CSS-ospf-100] quit

Configure OSPF on Router1 and Router2.
# Configure Router1.
[Router1] ospf 100 router-id 2.2.2.2
[Router1-ospf-100] area 0
[Router1-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the routes on the network segment connected to CSS to OSPF.
[Router1-ospf-100-area-0.0.0.0] quit
[Router1-ospf-100] quit

# Configure Router2.
[Router2] ospf 100 router-id 3.3.3.3
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 10.10.4.0 0.0.0.255 //Advertise the routes on the network segment connected to CSS to OSPF.
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit

# After the configurations are complete, CSS, Router1, and Router2 can set up
neighbor relationships. For example, when you view OSPF neighbor
information on the CSS, you can find that Router1 and Router2 have set up
OSPF neighbor relationships with CSS and the neighbor status is Full.
[CSS] display ospf peer
OSPF Process 100 with Router ID 1.1.1.1
Neighbors

Area 0.0.0.0 interface 10.10.4.1(Vlanif10)'s neighbors
Router ID: 2.2.2.2 Address: 10.10.4.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.10.4.1 BDR: 10.10.4.2 MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 5
Neighbor is up for 00:13:23
Authentication Sequence: [ 0 ]

Router ID: 3.3.3.3 Address: 10.10.4.3
State: Full Mode:Nbr is Master Priority: 1
DR: 10.10.4.1 BDR: 10.10.4.2 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:00:52
Authentication Sequence: [ 0 ]
2. Configure static routes between switches and FWs.
# Create VRF-A on the CSS to forward upstream traffic, and bind the
interfaces connected to service networks and downstream interfaces of
firewalls to VRF-A. The default route of VRF-A is the downstream VRRP virtual
IP address (VRID2) of firewalls.
[CSS] ip vpn-instance VRF-A //Create VRF-A.
[CSS-vpn-instance-VRF-A] ipv4-family
[CSS-vpn-instance-VRF-A-af-ipv4] route-distinguisher 100:1
[CSS-vpn-instance-VRF-A-af-ipv4] vpn-target 111:1 both
[CSS-vpn-instance-VRF-A-af-ipv4] quit
[CSS-vpn-instance-VRF-A] quit
[CSS] interface Vlanif 100
[CSS-Vlanif100] ip binding vpn-instance VRF-A //Bind VLANIF 100, which connects the CSS to service network 1, to VRF-A.
[CSS-Vlanif100] ip address 10.10.100.1 24 //Reconfigure an IP address for VLANIF 100, because the preceding operation has deleted the original IP address.
[CSS-Vlanif100] quit
[CSS] interface Vlanif 200
[CSS-Vlanif200] ip binding vpn-instance VRF-A //Bind VLANIF 200, which connects the CSS to service network 2, to VRF-A.
[CSS-Vlanif200] ip address 10.10.200.1 24 //Reconfigure an IP address for VLANIF 200, because the preceding operation has deleted the original IP address.
[CSS-Vlanif200] quit
[CSS] interface Vlanif 30
[CSS-Vlanif30] ip binding vpn-instance VRF-A //Bind VLANIF 30, which connects the CSS to the firewall's downstream interface, to VRF-A.
[CSS-Vlanif30] ip address 10.10.3.1 24 //Reconfigure an IP address for VLANIF 30, because the preceding operation has deleted the original IP address.
[CSS-Vlanif30] quit

# Configure a default route in VRF-A. The next hop is the downstream VRRP 2
virtual IP address (VRID2) of firewalls.
[CSS] ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5

# Configure a static route in Public to forward downstream traffic. Set the next hop of the route to the upstream VRRP 1 virtual IP address (VRID1) of firewalls.
[CSS] ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5 //The destination address is on service network 1 and the next hop is the VRID1 virtual IP address of the two FWs.
[CSS] ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5 //The destination address is on service network 2 and the next hop is the VRID1 virtual IP address of the two FWs.
3. Configure static routes on firewalls.
# Configure a static route on FW1.
[FW1] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
[FW1] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
[FW1] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

# Configure a static route on FW2.
[FW2] ip route-static 0.0.0.0 0.0.0.0 10.10.2.1 //For upstream traffic, the next hop of the default route is the IP address of VLANIF 20 on Public.
[FW2] ip route-static 10.10.100.0 255.255.255.0 10.10.3.1 //For downstream traffic, the destination address is on service network 1 and the next hop is the IP address of VLANIF 30 on VRF-A.
[FW2] ip route-static 10.10.200.0 255.255.255.0 10.10.3.1 //For downstream traffic, the destination address is on service network 2 and the next hop is the IP address of VLANIF 30 on VRF-A.

# After the configuration is complete, an OSPF neighbor relationship should have been established between Router1 and Router2. You can run the display ospf peer command to view the OSPF neighbor status. The following uses the display on CSS switches as an example. You can see that the OSPF neighbor status is Full.
4. Verify the configuration.
# Check the routing table on CSS.
[CSS] display ip routing-table vpn-instance VRF-A
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: VRF-A
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.3.5 Vlanif30
10.10.3.0/24 Direct 0 0 D 10.10.3.1 Vlanif30
10.10.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.10.100.0/24 Direct 0 0 D 10.10.100.1 Vlanif100
10.10.100.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.10.200.0/24 Direct 0 0 D 10.10.200.1 Vlanif200
10.10.200.1/32 Direct 0 0 D 127.0.0.1 Vlanif200

In the routing table on VRF-A, the first line indicates that the next hop for the
traffic destined for the Internet is the VRRP VRID 2 virtual IP address
(10.10.3.5) of firewalls. This indicates that upstream traffic is forcibly directed
to firewalls for filtering.
[CSS] display ip routing-table vpn-instance Public
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.4.100 Vlanif10
10.10.2.0/24 Direct 0 0 D 10.10.2.1 Vlanif20
10.10.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.10.4.0/24 Direct 0 0 D 10.10.4.1 Vlanif10
10.10.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.10.100.0/24 Static 60 0 RD 10.10.2.5 Vlanif20
10.10.200.0/24 Static 60 0 RD 10.10.2.5 Vlanif20

In the routing table on Public, the first line indicates that the next hop for the traffic destined for the Internet is the VRRP VRID 1 virtual IP address (10.10.4.100) of routers.
The fifth and sixth lines indicate that the next hop for the traffic destined for service networks is the VRRP VRID 1 virtual IP address (10.10.2.5) of firewalls. This indicates that downstream traffic is forcibly directed to firewalls for filtering.
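The two routing tables above, as an added example that is not part of the Huawei document: a Python check that parses the display ip routing-table output and performs longest-prefix-match lookups to confirm that upstream and downstream traffic is steered to the firewall VIPs (10.10.3.5 and 10.10.2.5 from the example). It also shows what the document does not state explicitly, namely that traffic between the two service networks stays inside VRF-A (both are directly connected there) and never reaches the firewalls. The sample output is constructed from the displays above, and the probe addresses (203.0.113.10, 198.51.100.1) are constructed documentation addresses.

```python
"""Added example (not from the Huawei document): verify from the CSS routing
tables that the VRF split really forces traffic through the firewall VIPs.

Assumptions: the sample outputs below are constructed from the two
`display ip routing-table vpn-instance` displays shown above; the VIPs
10.10.3.5 (VRID 2, FW downstream) and 10.10.2.5 (VRID 1, FW upstream) are
taken from the same example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: routing table of VRF-A as printed by the CSS.
VRF_A_OUTPUT = """\
Routing Tables: VRF-A
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.3.5 Vlanif30
10.10.3.0/24 Direct 0 0 D 10.10.3.1 Vlanif30
10.10.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.10.100.0/24 Direct 0 0 D 10.10.100.1 Vlanif100
10.10.100.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.10.200.0/24 Direct 0 0 D 10.10.200.1 Vlanif200
10.10.200.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
"""

# Constructed sample: routing table of VPN instance Public.
PUBLIC_OUTPUT = """\
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.10.4.100 Vlanif10
10.10.2.0/24 Direct 0 0 D 10.10.2.1 Vlanif20
10.10.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.10.4.0/24 Direct 0 0 D 10.10.4.1 Vlanif10
10.10.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.10.100.0/24 Static 60 0 RD 10.10.2.5 Vlanif20
10.10.200.0/24 Static 60 0 RD 10.10.2.5 Vlanif20
"""

# One route line: Destination/Mask Proto Pre Cost Flags NextHop Interface
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+\d+\s+\d+\s+\S+\s+"
    r"(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)$"
)

Route = Tuple[ipaddress.IPv4Network, str, str, str]  # prefix, proto, next hop, interface


def parse_routing_table(text: str) -> List[Route]:
    """Extract (prefix, protocol, next hop, interface) tuples; header lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["dest"]), m["proto"], m["nexthop"], m["iface"]))
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, as the forwarding plane of the VRF would do it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
            best = r
    return best[2] if best else None


def audit_steering(vrf_a: List[Route], public: List[Route], service_nets: List[str],
                   fw_down_vip: str, fw_up_vip: str,
                   internet_probe: str = "203.0.113.10") -> Dict[str, bool]:
    """Report whether each traffic direction is forced through the firewall pair."""
    # One constructed probe host (.10) in each service network.
    hosts = [str(ipaddress.ip_network(n)[10]) for n in service_nets]
    return {
        # Upstream: Internet-bound traffic leaving VRF-A must go to the FW downstream VIP.
        "upstream_inspected": next_hop(vrf_a, internet_probe) == fw_down_vip,
        # Downstream: return traffic in Public must go to the FW upstream VIP for every service network.
        "downstream_inspected": all(next_hop(public, h) == fw_up_vip for h in hosts),
        # East-west: the service networks are directly connected inside VRF-A, so traffic
        # between them is switched locally and never reaches the firewalls.
        "east_west_uninspected": any(next_hop(vrf_a, h) != fw_down_vip for h in hosts),
    }


if __name__ == "__main__":
    vrf_a = parse_routing_table(VRF_A_OUTPUT)
    public = parse_routing_table(PUBLIC_OUTPUT)
    print(audit_steering(vrf_a, public, ["10.10.100.0/24", "10.10.200.0/24"],
                         "10.10.3.5", "10.10.2.5"))
```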
Step 7 Configure HRP on firewalls.
# Configure HRP on FW1 and set FW1 as master.
[FW1] interface Eth-Trunk 4
[FW1-Eth-Trunk4] vrrp vrid 1 virtual-ip 10.10.2.5 24 master //Configure VRRP group 1 on the upstream interface and set its status to master.
[FW1-Eth-Trunk4] quit
[FW1] interface Eth-Trunk 5
[FW1-Eth-Trunk5] vrrp vrid 2 virtual-ip 10.10.3.5 24 master //Configure VRRP group 2 on the downstream interface and set its status to master.
[FW1-Eth-Trunk5] quit
[FW1] hrp interface Eth-Trunk 1 remote 10.1.1.2 //Configure the heartbeat interface and enable HRP.
[FW1] firewall packet-filter default permit interzone local dmz
[FW1] hrp enable
HRP_M[FW1]

# Configure HRP on FW2 and set FW2 as slave.
[FW2] interface Eth-Trunk 6
[FW2-Eth-Trunk6] vrrp vrid 1 virtual-ip 10.10.2.5 24 slave //Configure VRRP group 1 on the upstream interface and set its status to slave.
[FW2-Eth-Trunk6] quit
[FW2] interface Eth-Trunk 7
[FW2-Eth-Trunk7] vrrp vrid 2 virtual-ip 10.10.3.5 24 slave //Configure VRRP group 2 on the downstream interface and set its status to slave.
[FW2-Eth-Trunk7] quit
[FW2] hrp interface Eth-Trunk 1 remote 10.1.1.1 //Configure the heartbeat interface and enable HRP.
[FW2] firewall packet-filter default permit interzone local dmz
[FW2] hrp enable
HRP_M[FW2]

# Check VRRP status. FW1 is the master and FW2 is the slave.
HRP_M[FW1] display vrrp
Eth-Trunk4 | Virtual Router 1
VRRP Group : Master
State : Master
Virtual IP : 10.10.2.5
Virtual MAC : 0000-5e00-0101
Primary IP : 10.10.2.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

Eth-Trunk5 | Virtual Router 2
VRRP Group : Master
State : Master
Virtual IP : 10.10.3.5
Virtual MAC : 0000-5e00-0102
Primary IP : 10.10.3.2
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES
HRP_M[FW2] display vrrp
Eth-Trunk7 | Virtual Router 2
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.3.5
Virtual MAC : 0000-5e00-0102
Primary IP : 10.10.3.3
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

Eth-Trunk6 | Virtual Router 1
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.2.5
Virtual MAC : 0000-5e00-0101
Primary IP : 10.10.2.3
PriorityRun : 120
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
Advertisement Timer : 1
Auth type : NONE
Check TTL : YES

# Check HRP status.
HRP_M[FW1] display hrp state
The firewall's config state is: MASTER

Current state of virtual routers configured as master:
Eth-Trunk4 vrid 1 : master
(gigabitEthernet1/0/0) : up
(gigabitEthernet1/0/1) : up
Eth-Trunk5 vrid 2 : master
(gigabitEthernet1/1/0) : up
(gigabitEthernet1/1/1) : up

After HRP is configured, the configurations and sessions on the active firewall are
synchronized to the standby firewall; therefore, you only need to perform the following
configurations on the active firewall FW1.
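The VRRP and HRP checks above, as an added example that is not from the Huawei document: a Python parser for display vrrp output from the two firewalls that confirms every VRID has exactly one Master, that the upstream and downstream VIPs of a firewall sit on the same box (otherwise return traffic arrives at the firewall that holds no session for it), and counts groups whose Auth type is NONE. The sample displays are constructed from the FW1 and FW2 output above, reduced to the fields the check reads.

```python
"""Added example (not from the Huawei document): consistency check over
`display vrrp` output from the HRP firewall pair FW1/FW2.

Assumptions: the sample displays below are constructed from the FW1 and FW2
output shown above, reduced to the fields the check uses.
"""
import re
from typing import Dict, List

# Constructed sample: both VRRP groups on FW1 are Master.
FW1_VRRP = """\
Eth-Trunk4 | Virtual Router 1
VRRP Group : Master
State : Master
Virtual IP : 10.10.2.5
Primary IP : 10.10.2.2
PriorityRun : 120
Preempt : YES Delay Time : 0 s
Auth type : NONE

Eth-Trunk5 | Virtual Router 2
VRRP Group : Master
State : Master
Virtual IP : 10.10.3.5
Primary IP : 10.10.3.2
PriorityRun : 120
Preempt : YES Delay Time : 0 s
Auth type : NONE
"""

# Constructed sample: both VRRP groups on FW2 are Backup.
FW2_VRRP = """\
Eth-Trunk7 | Virtual Router 2
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.3.5
Primary IP : 10.10.3.3
PriorityRun : 100
Preempt : YES Delay Time : 0 s
Auth type : NONE

Eth-Trunk6 | Virtual Router 1
VRRP Group : Slave
State : Backup
Virtual IP : 10.10.2.5
Primary IP : 10.10.2.3
PriorityRun : 120
Preempt : YES Delay Time : 0 s
Auth type : NONE
"""

# "Eth-Trunk4 | Virtual Router 1" opens a group; "Key : value" lines belong to it.
HEADER_RE = re.compile(r"^(?P<iface>\S+)\s*\|\s*Virtual Router\s+(?P<vrid>\d+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>\S+)")


def parse_vrrp(text: str) -> List[Dict[str, str]]:
    """Split the display into one dict per VRRP group, keyed by the printed field names."""
    groups: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"interface": header["iface"], "vrid": header["vrid"]}
            groups.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current:
            current[field["key"].strip()] = field["val"]
    return groups


def audit_pair(displays: Dict[str, str], expected_master: str) -> Dict[str, object]:
    """Check one Master per VRID, both VIPs of a firewall on the same box (a stateful
    firewall that owns only one VIP sees only one direction of each flow), and count
    groups running without VRRP authentication."""
    parsed = {name: parse_vrrp(text) for name, text in displays.items()}
    masters: Dict[str, List[str]] = {}  # vrid -> firewalls reporting State Master
    for name, groups in parsed.items():
        for g in groups:
            if g["State"] == "Master":
                masters.setdefault(g["vrid"], []).append(name)
    vrids = {g["vrid"] for groups in parsed.values() for g in groups}
    return {
        # Zero or two Masters for a VRID: the pair disagrees about who owns the VIP.
        "split_brain_vrids": sorted(v for v in vrids if len(masters.get(v, [])) != 1),
        # Every Master must be on the firewall the design expects (FW1 in the example).
        "master_is_expected": bool(masters) and all(m == [expected_master] for m in masters.values()),
        # Mixed Master/Backup on one firewall: upstream and downstream VIPs are split.
        "split_path_firewalls": sorted(n for n, groups in parsed.items()
                                       if len({g["State"] for g in groups}) > 1),
        "unauthenticated_groups": sum(1 for groups in parsed.values()
                                      for g in groups if g.get("Auth type") == "NONE"),
    }


if __name__ == "__main__":
    print(audit_pair({"FW1": FW1_VRRP, "FW2": FW2_VRRP}, "FW1"))
```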

Step 8 Configure security policies on firewalls.
Only the connection configurations between firewalls and switches and the HRP
configurations on firewalls are provided in the following procedure. For the
security service plan on the firewalls and security policies, attack defense,
bandwidth management, and IPSec on the campus network, see Firewall
Configuration Examples.
Step 9 Verify the configuration.
After the configurations are complete, check whether the CSS and routers can
ping each other.
# Ping Eth-Trunk1.100 of Router1 from the CSS to check the uplink connectivity.
<CSS> ping 10.10.4.2

Ping 10.10.4.2: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.4.2: bytes=32 seq=1 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=2 ttl=126 time=235 ms
Reply From 10.10.4.2: bytes=32 seq=3 ttl=126 time=266 ms
Reply From 10.10.4.2: bytes=32 seq=4 ttl=126 time=140 ms
Reply From 10.10.4.2: bytes=32 seq=5 ttl=126 time=141 ms

--- 10.10.200.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 140/184/266 ms

You can find that the CSS and Router1 can ping each other.
# Ping the VRF-A VLANIF 100 on the CSS from Router1 to check the downlink connectivity.
<Router1> Ping 10.10.100.1

Ping 10.10.100.1: 32 data bytes, Press Ctrl_C to break
Reply From 10.10.100.1: bytes=32 seq=1 ttl=253 time=235 ms
Reply From 10.10.100.1: bytes=32 seq=2 ttl=253 time=109 ms
Reply From 10.10.100.1: bytes=32 seq=3 ttl=253 time=79 ms
Reply From 10.10.100.1: bytes=32 seq=4 ttl=253 time=63 ms
Reply From 10.10.100.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 10.10.100.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/109/235 ms

You can find that Router1 and CSS VLANIF 100 can ping each other.

----End

Configuration Files
● Router1 configuration file
#
sysname Router1
#
interface Eth-Trunk1
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
vrrp vrid 1 priority 120
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 2.2.2.2
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return

● Router2 configuration file
#
sysname Router2
#
interface Eth-Trunk1
#
interface Eth-Trunk1.100
dot1q termination vid 10
ip address 10.10.4.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.4.100
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 1
#
ospf 100 router-id 3.3.3.3
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
return

● CSS configuration file
#
sysname CSS
#
vlan batch 10 20 30 100 200
#
ip vpn-instance Public
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
ip vpn-instance VRF-A
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity

#
interface Vlanif1
#
interface Vlanif10
ip binding vpn-instance Public
ip address 10.10.4.1 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance Public
ip address 10.10.2.1 255.255.255.0
#
interface Vlanif30
ip binding vpn-instance VRF-A
ip address 10.10.3.1 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance VRF-A
ip address 10.10.100.1 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance VRF-A
ip address 10.10.200.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk5
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk6
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk7
port link-type trunk
port trunk allow-pass vlan 30
#
interface Eth-Trunk8
port link-type trunk
port trunk allow-pass vlan 100
#
interface Eth-Trunk9
port link-type trunk
port trunk allow-pass vlan 200
#
interface Eth-Trunk1.100
dot1q termination vid 100
ip address 10.10.100.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.100.1
arp broadcast enable
#
interface GigabitEthernet1/1/0/7
eth-trunk 4
#
interface GigabitEthernet1/1/0/8
eth-trunk 5
#
interface GigabitEthernet1/2/0/7
eth-trunk 6
#
interface GigabitEthernet1/2/0/8
eth-trunk 7
#
interface GigabitEthernet1/3/0/1
eth-trunk 8
#
interface GigabitEthernet1/3/0/2
eth-trunk 9
#
interface GigabitEthernet2/1/0/7
eth-trunk 4
#
interface GigabitEthernet2/1/0/8
eth-trunk 5
#
interface GigabitEthernet2/2/0/7
eth-trunk 6
#
interface GigabitEthernet2/2/0/8
eth-trunk 7
#
interface GigabitEthernet2/3/0/1
eth-trunk 8
#
interface GigabitEthernet2/3/0/2
eth-trunk 9
#
interface XGigabitEthernet1/4/0/0
eth-trunk 1
#
interface XGigabitEthernet1/4/0/1
eth-trunk 2
#
interface XGigabitEthernet2/4/0/0
eth-trunk 1
#
interface XGigabitEthernet2/4/0/1
eth-trunk 2
#
ospf 100 router-id 1.1.1.1 vpn-instance Public
import-route static
area 0.0.0.0
network 10.10.4.0 0.0.0.255
#
ip route-static vpn-instance VRF-A 0.0.0.0 0.0.0.0 10.10.3.5
ip route-static vpn-instance Public 0.0.0.0 0.0.0.0 10.10.4.100
ip route-static vpn-instance Public 10.10.100.0 255.255.255.0 10.10.2.5
ip route-static vpn-instance Public 10.10.200.0 255.255.255.0 10.10.2.5
#
return

● FW1 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.1 255.255.255.0
#
interface Eth-Trunk4
alias Eth-Trunk4
ip address 10.10.2.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 master
#
interface Eth-Trunk5
alias Eth-Trunk5
ip address 10.10.3.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 master
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 4
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 5
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk5
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk4
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW1
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.2
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
return
● FW2 configuration file
#
interface Eth-Trunk1
alias Eth-Trunk1
ip address 10.1.1.2 255.255.255.0
#
interface Eth-Trunk6
alias Eth-Trunk6
ip address 10.10.2.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.2.5 slave
#
interface Eth-Trunk7
alias Eth-Trunk7
ip address 10.10.3.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.10.3.5 255.255.255.0 slave
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet1/0/0
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/0/1
undo enable snmp trap updown physic-status
eth-trunk 6
#
interface GigabitEthernet1/1/0
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet1/1/1
undo enable snmp trap updown physic-status
eth-trunk 7
#
interface GigabitEthernet2/0/0
undo enable snmp trap updown physic-status
eth-trunk 1
#
interface GigabitEthernet2/0/1
undo enable snmp trap updown physic-status
eth-trunk 1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Eth-Trunk7
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
add interface Eth-Trunk6
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0.0.0.0 10.10.2.1
ip route-static 10.10.100.0 255.255.255.0 10.10.3.1
ip route-static 10.10.200.0 255.255.255.0 10.10.3.1
#
sysname FW2
#
hrp enable
hrp interface Eth-Trunk1 remote 10.1.1.1
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
#
return

2.6 Example for Configuring an Agile Campus Network

2.6.1 Solution Overview

Campus networks are developing quickly and carry increasingly diversified services. As smart mobile terminals become popular on campuses, users need to access campus networks while moving, and wireless data traffic is growing rapidly. The development of cloud computing requires real-time service monitoring and service virtualization. Campus networks also need to carry high definition (HD) video services and social networking services (SNSs). These service requirements pose challenges to current network deployments. To meet these challenges, Huawei introduces the agility concept to campus networks based on the software-defined networking (SDN) architecture. Huawei agile campus network solutions help build high-performance core networks and highly efficient wireless access networks, and make networks more agile for services.

On agile networks, flexible and fast agile switches replace traditional switches. For example, administrators can configure, manage, and maintain devices flexibly and quickly. They do not need to modify configurations on devices one by one to change a service, or spend a long time locating a network fault. Users can access an agile network flexibly and quickly, and enjoy the same network experience at any location using any access mode.

An agile campus network for a university is taken as an example in the following sections to describe how agile networks improve network services for campus users.

2.6.2 Networking Requirements

Figure 2-15 shows the original network in the university's main campus. Core
switches manage wired users, and independent ACs manage wireless users.

● Users in different areas of the main campus can access the campus network
and connect to the Internet through the campus network. Wired users use
802.1X authentication and wireless users use Web authentication to access
the network.
The following figure shows only the network deployment for teaching and office areas. The network deployment for other areas is similar and is not shown in the figure.
● The network provides the Voice over Internet Protocol (VoIP), network printer,
and multimedia services.
● Users in branch campuses can access the main campus network through the
Intranet.
● Users outside the campuses can access the main campus network through the
Internet.

Figure 2-15 Campus networking diagram for the main campus (with no agile
network deployed)

[Figure 2-15: the Intranet and Internet connect to an S7700 core switch; an independent AC manages the APs; S5700LI switches serve wired users and wireless users in the teaching area and office area.]

The service deployment on the current campus network faces the following
problems:

● As the university's population grows, a large number of wireless users demand wireless services. The wired and wireless networks are deployed separately and are difficult to manage. The university wants wired and wireless convergence to simplify network management and improve network operation and maintenance (O&M) efficiency.
● As various network services develop on the campus and users need to access the network while moving, network information security becomes more important. The university wants access users classified by role, so that service policies and the network experience are consistent wherever users go.
● The university has a large number of network devices and needs to adjust network services frequently. Network administrators have to modify configurations or upgrade versions on devices one by one to change a service, which is a heavy and tedious workload. The university wants centralized configuration, management, and maintenance of network access devices.
● When a network fault occurs, network administrators cannot detect or troubleshoot it quickly, which affects user experience. The university needs a real-time network quality monitoring mechanism to reduce the impact of network faults.
The university intends to deploy an agile network to simplify network deployment and configuration, improve user experience, and improve O&M efficiency.

2.6.3 Network Planning

Figure 2-16 shows the agile campus networking. Two S12708 agile switches are
deployed to set up a cluster switch system (CSS) at the core layer. The S5700-LI
switches at the aggregation and access layers are enabled with only Layer 2
forwarding (the S7700 core switches in the original networking are used at the
aggregation layer). Some APs are deployed in the campus as needed. The S5700-
LI switches are deployed at the access layer to connect to and manage wired users
and APs, providing wired and wireless coverage for the campus.

Figure 2-16 Agile campus networking diagram

[Figure 2-16: the Intranet and Internet connect to an S12708 core switch, with eSight, the Agile Controller in the data center, an agile network on a branch campus, remote access users, and an external website server; S5700LI switches and APs serve the teaching area, office area, library, canteen, stadium (public areas), and residential community. Callouts show teacher Lee in the office area at 8:00 a.m., in the teaching area at 10:00 a.m., in the canteen at 12:00 a.m., in the library at 4:00 p.m., and in the residential community at 8:00 p.m.]

The requirements for NEs shown in Figure 2-16 are as follows:

● Core switch
Agile switches are used at the core layer. If modular switches are used as agile switches, X series cards need to be installed on the switches to implement wired and wireless convergence.
● Aggregation and access switches
To support the agile feature Super Virtual Fabric (SVF), see "SVF hardware
and software requirements" in SVF Technical Characteristics.
● Agile Controller
The Agile Controller integrates functions of the RADIUS server, Portal server,
and free mobility controller, facilitating service adjustment. When a user
connects to the network from different locations, the free mobility controller
uniformly delivers network access rights to ensure that the user can have the
same network access rights at different locations.
● eSight network management system (NMS)
eSight provides a graphical user interface (GUI) to help manage network
devices, perform configurations, and facilitate convenient and visual
management.

2.6.4 Feature Planning


After the S12708 agile switches are deployed on the campus network, the
following agile features can be applied to solve the service deployment problems
described in 2.6.2 Networking Requirements, and to enable the network to fast
and flexibly adapt to service requirements.

● Wired and wireless convergence: Wired and wireless networks are uniformly
managed and maintained.
Agile switches at the core layer provide native capabilities on their line cards,
so no independent AC devices or AC cards (such as ACU2) are required.
Administrators do not need to configure and deploy user access services on
the wired and wireless networks respectively and can manage wired and
wireless networks simply as managing one device. The high switching
capability and scalability of agile switches eliminate bottlenecks in centralized
traffic forwarding when independent ACs or AC cards are used.
● Free mobility: Service control policies can be migrated with users, delivering
consistent experience for users.
For example, in 2.6.2 Networking Requirements, teacher Lee connects to the
campus network from the office area, teaching area, library, and residential
community every day. He may be granted different access rights on a
traditional network. For example, he can access the essay database only in
the office area, teaching area, and library, but not in public areas in the
campus.
The free mobility solution gives a user the same network access rights regardless
of location. Network access policies are configured centrally on the Agile
Controller and delivered to all associated access devices. Because a policy is
bound to the user's security group rather than to an IP address or VLAN, the user
obtains the same network access policy and a consistent network access experience
at any location and from any IP address.
Table 2-7 lists the access policies that are configured on the Agile Controller
and delivered to three user groups: guest, student, and teacher.


Table 2-7 Free mobility policy configuration

User (Source Security Group)   Resource (Destination Security Group)                               Access Control Policy
Guest                          Public resources (IP address: 10.10.1.1/32)                         Permit
                               Education management system (IP address: 10.10.2.1/32)              Forbid
                               File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)   Forbid
Student                        Public resources (IP address: 10.10.1.1/32)                         Permit
                               Education management system (IP address: 10.10.2.1/32)              Forbid
                               File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)   Permit
Teacher                        Public resources (IP address: 10.10.1.1/32)                         Permit
                               Education management system (IP address: 10.10.2.1/32)              Permit
                               File Transfer Protocol (FTP) resources (IP address: 10.10.3.1/32)   Permit

After the preceding policies are configured, users have the same network
access rights and network experience after passing authentication.
● Super Virtual Fabric (SVF): Agile switches deliver configurations to devices at
the aggregation and access layers.
The SVF solution virtualizes core, aggregation, and access switches on a
network into one switch. The core switch manages the aggregation and
access switches, and uses configuration templates to complete batch
configuration of aggregation and access switches. In this way, administrators
do not need to configure switches one by one.
Table 2-8 describes the roles in an SVF system. The agile switch functions as a
parent to manage all access switches (ASs) and APs. In the SVF system, wired
and wireless users are all managed on the parent.

Table 2-8 SVF deployment

Role                            Device
Parent                          Two S12708 switches in a CSS
Client   Level-1 AS             Switches directly connected to the parent, providing wired connections to
                                access switches or terminals
         Level-2 AS             Switches directly connected to level-1 ASs, providing wired connections to
                                terminals
         Wireless access device APs on a WLAN, providing wireless connections to terminals. If APs are
                                deployed in an SVF system, the parent functions as a wireless access
                                controller (AC) to control and manage all APs.

Services on ASs are configured on the parent, and the key states of ASs and
APs are maintained on the parent. Administrators can complete service
configurations for aggregation and access switches by simply connecting
unconfigured aggregation and access switches to the parent. The aggregation
and access layers realize zero-touch configuration, automatic upgrade, and
plug-and-play deployment, simplifying network configuration, management,
and maintenance.

An SVF system supports at most two levels of ASs and one level of APs. When eSight is
deployed to manage the SVF system, SVF can better simplify device management.
● Packet Conservation Algorithm for Internet (iPCA): iPCA allows an agile
network to be aware of the service quality and to locate network failures.
An agile switch with iPCA configured can monitor packet loss in real time.
Table 2-9 lists the packet loss measurement modes. If a link fails, an iPCA-
capable switch can quickly detect the fault and send an alarm to
administrators immediately. iPCA allows the network to be aware of the
service quality, reducing the impact of network failures. eSight can display packet
loss measurement results on a GUI, so administrators can easily monitor the
network quality.

Table 2-9 iPCA deployment

Packet Loss Measurement Mode            Deployment Scenario
Network-level packet loss measurement   Monitor packet loss on the links between the main campus and branch
                                        campuses. iPCA needs to be configured on local and remote core switches.
Device-level packet loss measurement    Monitor packet loss on core switches. iPCA only needs to be configured
                                        on local core switches.


Table 2-10 lists the minimum versions supporting agile features and precautions
for configuring these features.

Table 2-10 Applicable versions and precautions

Agile Feature                    Minimum Version                           Precaution
SVF                              V200R007 (V200R007C20 is not included)    A license is required to enable the SVF function on a parent.
                                                                           When enabling the SVF function, ensure that the current and next
                                                                           startup network admission control (NAC) configuration modes are
                                                                           the unified mode.
Free mobility                    V200R006                                  The Agile Controller needs to be deployed to enable the free
                                                                           mobility function. Free mobility is supported only in the unified
                                                                           NAC mode.
iPCA                             V200R006                                  If modular switches are used, X series cards need to be installed.
Wired and wireless convergence   V200R005 (V200R007C20 is not included)    If modular switches are used, X series cards need to be installed.
                                                                           For details about the applicable AP models and versions, see the
                                                                           product documents.

This case uses S series switches in V200R009C00 as an example. The configuration may
slightly vary depending on the product and version. Refer to the configuration manual
accordingly.

2.6.5 Data Planning


Basic Agile Campus Networking
This section uses simplified networking to replace the preceding agile campus
networking to describe the deployment of agile features. Figure 2-17 shows the
networking for teaching area 1 and library.


Figure 2-17 Basic agile campus networking diagram

[Figure not reproduced. Two S12708 core switches in the main campus, Parent_1 and Parent_2, form the parent; the Agile Controller attaches to them, and a WAN link leads to the branch campus core switch (S9706). Parent_1 connects to AS_1 on GE1/1/0/1 and to AS_2 on GE1/1/0/2; Parent_2 connects to AS_1 on GE2/1/0/1 and to AS_2 on GE2/1/0/2. AS_1 (S5700LI, teaching area 1) and AS_2 (S5700LI, library) are level-1 ASs. AS_3 (S5700LI) is a level-2 AS below AS_1 and connects PC_1 on GE0/0/23 and AP_1 (AP5010DN) on GE0/0/24, which serves STA_1. AS_2 connects PC_2 and AP_2 (AP5010DN), which serves STA_2.]

Table 2-11 and Table 2-12 describe the data planning based on the preceding
networking diagram.

Table 2-11 Device data planning

Role                        Device                                         Data
Parent                      Two S12708 switches in a CSS                   /
Level-1 AS                  Aggregation switch in teaching area 1          MAC address: 0200-0000-0011
                            AS_1: S5700-52X-PWR-LI-AC                      IP address: 192.168.11.254/24
                            Access switch in the library                   MAC address: 0200-0000-0022
                            AS_2: S5700-52X-PWR-LI-AC                      IP address: 192.168.11.253/24
Level-2 AS                  Access switch in teaching area 1               MAC address: 0200-0000-0033
                            AS_3: S5700-28X-PWR-LI-AC                      IP address: 192.168.11.252/24
AP                          Wireless access device in teaching area 1      MAC address: 00e0-0001-0005
                            AP_1: AP5010DN-AGN
                            Wireless access device in the library          MAC address: 00e0-0002-0008
                            AP_2: AP5010DN-AGN
Free mobility controller    Agile Controller                               IP address: 192.168.2.31
                                                                           Interoperation key: Huawei@123
RADIUS server               Agile Controller                               IP address: 192.168.2.31
                                                                           Interoperation key: Huawei@123
                                                                           Authentication port number: 1812
Portal server               Agile Controller                               IP address: 192.168.2.31
                                                                           Interoperation key: Huawei@123
                                                                           Port number: 50200
Public resource server      File server 1                                  IP address: 10.10.1.1/32
Education management        File server 2                                  IP address: 10.10.2.1/32
system server
FTP resource server         File server 3                                  IP address: 10.10.3.1/32
Core switch on branch       S9706                                          /
campus network

NOTE: The Agile Controller integrates the functions of the RADIUS server and Portal server.
On the Agile Controller, the fixed RADIUS authentication port number is 1812, and the fixed
Portal server port number is 50200.


Table 2-12 VLAN data planning

Data                                     Description
ID: 11                                   ● SVF management VLAN on which a parent can set up Control and
IP address: 192.168.11.1/24                Provisioning of Wireless Access Points (CAPWAP) tunnels with ASs and APs
                                         ● Service VLAN accessed by AP_1 in teaching area 1 and AP_2 in the library
                                         ● VLAN on which a parent can communicate with the Agile Controller
ID: 101                                  Service set VLAN
ID: 100                                  VLAN that wired users in teaching area 1 belong to: the service VLAN
IP address: 192.168.100.1/24             accessed by wired users in teaching area 1, such as the VLAN that PC_1
                                         belongs to.
ID: 200                                  VLAN that wired users in the library belong to: the service VLAN accessed
IP address: 192.168.200.1/24             by wired users in the library, such as the VLAN that PC_2 belongs to.
ID: 202                                  VLAN that mobile terminals in teaching area 1 belong to: the service VLAN
IP address: 192.168.202.1/24             accessed by STAs in teaching area 1, such as the VLAN that STA_1 belongs to.
ID: 204                                  VLAN that mobile terminals in the library belong to: the service VLAN
IP address: 192.168.204.1/24             accessed by STAs in the library, such as the VLAN that STA_2 belongs to.

2.6.6 Configuration Procedure


This section only describes how to configure agile features, and does not describe
other basic configurations, such as routing connectivity.

SVF Configuration Procedure


Configure ASs to connect to the parent.
1. Configure the two switches in the parent to set up a CSS. For details, see the
product documents.
2. Log in to the CSS and enable the SVF function.
<HUAWEI> system-view
[HUAWEI] vlan batch 11
[HUAWEI] dhcp enable //Enable the DHCP server function to allow an AS to obtain an IP address
from the parent.


[HUAWEI] interface vlanif 11


[HUAWEI-Vlanif11] ip address 192.168.11.1 24
[HUAWEI-Vlanif11] dhcp select interface
[HUAWEI-Vlanif11] dhcp server option 43 ip-address 192.168.11.1 //Configure the parent to send
the IP address to an AS so that the AS can set up a CAPWAP link with the specified IP address.
[HUAWEI-Vlanif11] quit
[HUAWEI] capwap source interface vlanif 11 //Set up a CAPWAP link between the parent and the
AS.
[HUAWEI] authentication unified-mode //Change the network admission control (NAC)
configuration mode to the unified mode.
[HUAWEI] stp mode rstp //Set the working mode to STP or RSTP when enabling the SVF function.
[HUAWEI] uni-mng //Enable the SVF function and enter the uni-mng view.
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may
be triggered and service traffic will be affected. Continue?[Y/N]: y

When enabling the SVF function, ensure that the current and next startup NAC
configuration modes are the unified mode.
You can run the display authentication mode command to check whether the current
and next startup NAC configuration modes are the unified mode. If not, set the modes to
the unified mode.
After switching between the traditional and unified modes, restart the device to make the
configuration take effect. By default, the NAC configuration mode is the unified mode.
3. Configure access parameters for ASs.
# Configure ASs' names, and specify the device models and management
MAC addresses for the ASs.
[HUAWEI-um] as name as1 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0011
[HUAWEI-um-as-as1] quit
[HUAWEI-um] as name as2 model S5700-52X-PWR-LI-AC mac-address 0200-0000-0022
[HUAWEI-um-as-as2] quit
[HUAWEI-um] as name as3 model S5700-28X-PWR-LI-AC mac-address 0200-0000-0033
[HUAWEI-um-as-as3] quit

# Configure the fabric ports that connect the parent to level-1 ASs (AS_1 and
AS_2). The following example configures the fabric port that connects the
parent to AS_1. The configuration of the fabric port that connects the parent
to AS_2 is similar and is not mentioned here.
[HUAWEI-um] interface fabric-port 1
[HUAWEI-um-fabric-port-1] port member-group interface eth-trunk 1
[HUAWEI-um-fabric-port-1] quit
[HUAWEI-um] quit
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet1/1/0/1] quit
[HUAWEI] interface gigabitethernet 2/1/0/1
[HUAWEI-GigabitEthernet2/1/0/1] eth-trunk 1
[HUAWEI-GigabitEthernet2/1/0/1] quit

# Configure the fabric port that connects level-1 AS (AS_1) to level-2 AS (AS_3).
[HUAWEI] uni-mng
[HUAWEI-um] as name as1
[HUAWEI-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[HUAWEI-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[HUAWEI-um-as-as1] quit
[HUAWEI-um] quit

# Configure ASs to be authenticated using a whitelist when they connect to
an SVF system. The whitelist is keyed on the management MAC address of each AS,
which is an identity the device asserts itself and can be spoofed, so keep the
fabric ports physically controlled and check the output of display as all for
entries that are not in the plan.
[HUAWEI] as-auth
[HUAWEI-as-auth] undo auth-mode
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0011
[HUAWEI-as-auth] whitelist mac-address 0200-0000-0022


[HUAWEI-as-auth] whitelist mac-address 0200-0000-0033
[HUAWEI-as-auth] quit
[HUAWEI] quit

4. Clear the configurations of ASs, restart the ASs, and then connect the ASs to
the parent using cables. Subsequently, an SVF system is set up.

Before connecting an AS to the parent, ensure that the AS has no configuration file or
input on the console port.
# Clear the configurations of ASs and restart the ASs. (This process takes 5
minutes. During the process, ensure that the AS has no input on the console
port. If the ASs are unconfigured, you can directly connect the ASs to the
parent with no need to restart the ASs.)
<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y

# After connecting the cables, run the display as all command to check
whether all ASs have connected to the SVF system successfully.
<HUAWEI> display as all
------------------------------------------------------------------------------
No. Type Mac IP State Name
------------------------------------------------------------------------------
0 S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254 normal as1
1 S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253 normal as2
2 S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252 normal as3
------------------------------------------------------------------------------
Total: 3

Configure an AP to connect to an AS. The following example describes how to
connect AP_1 to AS_3; the procedure for connecting AP_2 to AS_2 is similar and is not
mentioned here.

1. Create a network basic profile, and specify a pass-VLAN for mobile terminals
connected to AP_1.
<HUAWEI> system-view
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_ap
[HUAWEI-um-net-basic-profile_ap] pass-vlan 202
[HUAWEI-um-net-basic-profile_ap] quit

2. Add the port connecting AS_3 to AP_1 to an AP port group.
[HUAWEI-um] port-group connect-ap name group_ap
[HUAWEI-um-portgroup-group_ap] network-basic-profile profile_ap
[HUAWEI-um-portgroup-group_ap] as name as3 interface gigabitethernet 0/0/24
[HUAWEI-um-portgroup-group_ap] quit
[HUAWEI-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]:y
[HUAWEI-um] quit

3. Configure access parameters for AP_1.
# Configure the AP ID.
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-id 1 ap-type ap5010dn-agn ap-mac 00e0-0001-0005
[HUAWEI-wlan-ap-1] quit

# Configure non-authentication for AP_1 to connect to the SVF system. With
no-auth, any AP that can reach the CAPWAP source address on VLANIF 11 goes online
without being checked. In production, use MAC or SN authentication (ap auth-mode
mac-auth or ap auth-mode sn-auth) together with an AP whitelist, as is done for the
ASs above.
[HUAWEI-wlan-view] ap auth-mode no-auth
[HUAWEI-wlan-view] quit

4. Power on AP_1 and connect AP_1 to AS_3 using cables.


# After connecting the cables, run the display ap all command to check
whether AP_1 has connected to the SVF system successfully.
[HUAWEI] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
1 00e0-0001-0005 00e0-0001-0005 default 192.168.11.254 AP5010DN-AGN nor 0 6H:3M:40S
-------------------------------------------------------------------------------------------------
Total: 1
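The two checks above (display as all for the ASs and display ap all for the APs) can be scripted so that every device that joined the fabric is compared with the plan. The following Python is an added example and not part of the Huawei guide: it parses both outputs as printed above and compares them with the planned inventory in Table 2-11, reporting an unplanned device that made it onto the fabric, a model that differs from the plan, a device that is not in the normal state, and a planned device that is missing. The sample outputs are constructed from the guide's output; the AP with MAC 00e0-00ab-cdef is made up to show the unplanned case.

```python
"""Audit the devices that have joined an SVF fabric against the planned inventory.

Added example, not part of the Huawei guide: parses the text the parent prints
for `display as all` and `display ap all` and flags any AS or AP that is not in
the planned whitelist, reports a different model than planned, is not in the
normal state, or is planned but missing.
"""
import re

# Planned inventory (MAC -> model) from Table 2-11. Assumption: the MAC
# whitelist configured under as-auth is the source of truth for ASs.
PLANNED_AS = {
    "0200-0000-0011": "S5700-52X-PWR-LI-AC",
    "0200-0000-0022": "S5700-52X-PWR-LI-AC",
    "0200-0000-0033": "S5700-28X-PWR-LI-AC",
}
PLANNED_AP = {
    "00e0-0001-0005": "AP5010DN-AGN",
    "00e0-0002-0008": "AP5010DN-AGN",
}

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")

# Constructed sample of `display as all` (the three ASs from the guide).
SAMPLE_AS_OUTPUT = """\
------------------------------------------------------------------------------
No. Type                Mac            IP             State  Name
------------------------------------------------------------------------------
0   S5700-52X-PWR-LI-AC 0200-0000-0011 192.168.11.254 normal as1
1   S5700-52X-PWR-LI-AC 0200-0000-0022 192.168.11.253 normal as2
2   S5700-28X-PWR-LI-AC 0200-0000-0033 192.168.11.252 normal as3
------------------------------------------------------------------------------
Total: 3
"""

# Constructed sample of `display ap all`: AP_1 plus an AP that was never
# planned (MAC 00e0-00ab-cdef is made up); AP_2 has not connected yet.
SAMPLE_AP_OUTPUT = """\
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name           Group   IP             Type         State STA Uptime
-------------------------------------------------------------------------------------
1  00e0-0001-0005 00e0-0001-0005 default 192.168.11.254 AP5010DN-AGN nor   0   6H:3M:40S
2  00e0-00ab-cdef 00e0-00ab-cdef default 192.168.11.250 AP5010DN-AGN nor   0   2M:10S
-------------------------------------------------------------------------------------
Total: 2
"""


def parse_as_table(text):
    """Rows of `display as all`; columns are No. Type Mac IP State Name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].isdigit() and MAC_RE.match(parts[2]):
            rows.append({"mac": parts[2], "model": parts[1], "ip": parts[3],
                         "state": parts[4], "name": parts[5]})
    return rows


def parse_ap_table(text):
    """Rows of `display ap all`; columns are ID MAC Name Group IP Type State STA Uptime."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].isdigit() and MAC_RE.match(parts[1]):
            rows.append({"mac": parts[1], "model": parts[5], "ip": parts[4],
                         "state": parts[6], "name": parts[2]})
    return rows


def audit(rows, planned):
    """Compare parsed rows with the planned inventory and return a list of findings."""
    findings = []
    seen = set()
    for r in rows:
        seen.add(r["mac"])
        if r["mac"] not in planned:
            findings.append(f"UNPLANNED {r['mac']} ({r['model']}) at {r['ip']}")
        elif planned[r["mac"]] != r["model"]:
            findings.append(f"MODEL MISMATCH {r['mac']}: planned {planned[r['mac']]}, "
                            f"got {r['model']}")
        if r["state"] not in ("normal", "nor"):  # ASs print 'normal', APs print 'nor'
            findings.append(f"NOT NORMAL {r['mac']} state={r['state']}")
    for mac in planned:
        if mac not in seen:
            findings.append(f"MISSING planned device {mac}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_as_table(SAMPLE_AS_OUTPUT), PLANNED_AS):
        print("AS:", finding)
    for finding in audit(parse_ap_table(SAMPLE_AP_OUTPUT), PLANNED_AP):
        print("AP:", finding)
```

Feed it the saved output of the two display commands after every fabric change. Because the AS whitelist and the planned AP list are keyed on MAC addresses that a device can spoof, comparing the live tables against the plan is a cheap control that catches a device that was whitelisted by mistake or that impersonates a planned one with a different model.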

Configure a PC to connect to an AS. The following example describes how to
connect PC_1 to AS_3; the procedure for connecting PC_2 to AS_2 is similar and is not
mentioned here.
1. Create a network basic profile.
[HUAWEI] uni-mng
[HUAWEI-um] network-basic-profile name profile_1
[HUAWEI-um-net-basic-profile_1] user-vlan 100
[HUAWEI-um-net-basic-profile_1] quit
[HUAWEI-um] quit

2. Create a user access profile.
[HUAWEI] dot1x-access-profile name 1
[HUAWEI-dot1x-access-profile-1] quit
[HUAWEI] authentication-profile name dot1x_auth
[HUAWEI-authen-profile-dot1x_auth] dot1x-access-profile 1
[HUAWEI-authen-profile-dot1x_auth] quit
[HUAWEI] uni-mng
[HUAWEI-um] user-access-profile name pro1
[HUAWEI-um-user-access-pro1] authentication-profile dot1x_auth
[HUAWEI-um-user-access-pro1] quit

3. Create a group, and bind the network basic profile and user access profile to
the group.
[HUAWEI-um] port-group name group1
[HUAWEI-um-portgroup-group1] network-basic-profile profile_1
[HUAWEI-um-portgroup-group1] user-access-profile pro1
[HUAWEI-um-portgroup-group1] as name as3 interface GigabitEthernet 0/0/23
[HUAWEI-um-portgroup-group1] quit
[HUAWEI-um] commit as name as3
[HUAWEI-um] quit

4. Configure PC_1 to connect to AS_3.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme sch1
[HUAWEI-aaa-authen-sch1] authentication-mode none
[HUAWEI-aaa-authen-sch1] quit
[HUAWEI-aaa] domain pc
[HUAWEI-aaa-domain-pc] authentication-scheme sch1
[HUAWEI-aaa-domain-pc] quit
[HUAWEI-aaa] quit

The authentication-mode none setting admits PC_1 without checking any credentials
and is used here only to verify that the wired port works end to end. In production,
authenticate users against the Agile Controller through the RADIUS scheme described in
Free Mobility Configuration Procedure.

5. Check whether the user has connected to the SVF system.
If the user's access configuration was delivered dynamically while the user was
already connected, perform shutdown and undo shutdown on the AS port to reconnect
the wired user to the SVF system. Then run the display access-user command to check
whether the user has connected to the SVF system.
[HUAWEI] uni-mng
[HUAWEI-um] as name as3
[HUAWEI-um-as-as3] shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] undo shutdown interface gigabitethernet 0/0/23
[HUAWEI-um-as-as3] quit
[HUAWEI-um] quit


Free Mobility Configuration Procedure


1. Create and configure a RADIUS server template, an AAA authentication
scheme, and an authentication domain.
# Create and configure a RADIUS server template rd1.
[HUAWEI] radius-server template rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.2.31 1812
[HUAWEI-radius-rd1] radius-server shared-key cipher Huawei@123
[HUAWEI-radius-rd1] quit

# Create an AAA authentication scheme abc, and set the authentication mode to RADIUS.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme abc
[HUAWEI-aaa-authen-abc] authentication-mode radius
[HUAWEI-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA authentication scheme abc
and RADIUS server template rd1 to the domain.
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme abc
[HUAWEI-aaa-domain-isp1] radius-server rd1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit

# Configure a global default domain isp1. If a user name does not contain a
domain name or contains an invalid domain name, the user is authenticated
in the default domain.
[HUAWEI] domain isp1

2. Configure 802.1X authentication and web authentication.
# Create and configure a Portal server template abc.
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-ip 192.168.2.31
[HUAWEI-web-auth-server-abc] url http://192.168.2.31:50200/webagent
[HUAWEI-web-auth-server-abc] shared-key cipher Huawei@123
[HUAWEI-web-auth-server-abc] quit

# Enable 802.1X authentication and web authentication on GE1/1/0/1.
[HUAWEI] interface gigabitethernet 1/1/0/1
[HUAWEI-GigabitEthernet1/1/0/1] authentication dot1x portal
[HUAWEI-GigabitEthernet1/1/0/1] web-auth-server abc direct //Bind the Portal server template to
GE1/1/0/1.
[HUAWEI-GigabitEthernet1/1/0/1] quit

# Enable the free mobility function, and configure an IP address for the Agile
Controller server and a password used for communicating with the Agile
Controller.
[HUAWEI] group-policy controller 192.168.2.31 password Huawei@123

3. Perform the following configurations on the Agile Controller.
Screenshots on the Agile Controller are not provided here. For details, see the
Agile Controller product documents.
a. Create user accounts in source security groups. For example, you can
configure user names, passwords, and departments for common guests,
undergraduates, postgraduates, and teachers.
b. Configure RADIUS, Portal, and XMPP parameters, and add the core switch
to ensure that the S series switches can communicate with the Agile
Controller.


c. Configure source security groups and destination security groups to
indicate users and resources respectively. For example, the IP address of
the public resource server is 10.10.1.1/32.
d. Use fast authorization to authorize a source security group to the
corresponding department. Users are mapped to the source security
group after being authenticated.
e. Configure access control policies and specify whether users in a source
security group are permitted to access a destination security group.
Deploy the access control policies on all devices on the network. For
example, common guests can only access the public resources, and
cannot access the education management system and internal FTP
resources.

Table 2-13 Security groups and access control policies configured on the Agile
Controller

Source Security Group (User)    Destination Security Group (Resource)                          Access Control Policy
Common guest                    Public resources (bound IP address: 10.10.1.1/32)              Permit
                                Education management system (bound IP address: 10.10.2.1/32)   Forbid
                                FTP resources (bound IP address: 10.10.3.1/32)                 Forbid
Undergraduate or postgraduate   Public resources (bound IP address: 10.10.1.1/32)              Permit
                                Education management system (bound IP address: 10.10.2.1/32)   Forbid
                                FTP resources (bound IP address: 10.10.3.1/32)                 Permit
Teacher                         Public resources (bound IP address: 10.10.1.1/32)              Permit
                                Education management system (bound IP address: 10.10.2.1/32)   Permit
                                FTP resources (bound IP address: 10.10.3.1/32)                 Permit

Wired and Wireless Convergence Configuration Procedure
After wired and wireless convergence is configured on an agile switch, you do not
need to individually configure the switch and independent AC or ACU2; you can
perform configurations on the switch directly.

1. Configure the S12708 to function as a DHCP server to assign IP addresses to
PCs and STAs. The S12708 assigns IP addresses to APs through SVF, so you do
not need to configure the S12708 to assign IP addresses to APs. The following
example describes how the S12708 assigns IP addresses to the PCs and STAs
in teaching area 1.
# Configure the S12708 to assign an IP address to PC_1 from the global
address pool.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] vlan batch 100 202
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 192.168.100.1 24
[HUAWEI-Vlanif100] dhcp select global
[HUAWEI-Vlanif100] quit
[HUAWEI] ip pool 100
[HUAWEI-ip-pool-100] gateway-list 192.168.100.1
[HUAWEI-ip-pool-100] network 192.168.100.0 mask 24
[HUAWEI-ip-pool-100] quit
# Configure the S12708 to assign IP addresses to STAs from the global
address pool. The IP addresses in the address pool 202 are assigned to the
STAs connected to AP_1, and the IP addresses in the address pool 204 are
assigned to the STAs connected to AP_2.
The following example describes how the S12708 assigns IP addresses to the
STAs connected to AP_1.
[HUAWEI] interface vlanif 202
[HUAWEI-Vlanif202] ip address 192.168.202.1 24
[HUAWEI-Vlanif202] dhcp select global
[HUAWEI-Vlanif202] quit
[HUAWEI] ip pool 202
[HUAWEI-ip-pool-202] gateway-list 192.168.202.1
[HUAWEI-ip-pool-202] network 192.168.202.0 mask 24
[HUAWEI-ip-pool-202] quit
2. Configure an AP to go online.
# Create an AP group to which the APs with the same configuration can be
added.
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the
profile, and apply the profile to the AP group.
[HUAWEI-wlan-view] regulatory-domain-profile name domain1
[HUAWEI-wlan-regulate-domain-domain1] country-code cn
[HUAWEI-wlan-regulate-domain-domain1] quit
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue?[Y/N]:y
[HUAWEI-wlan-ap-group-ap-group1] quit
[HUAWEI-wlan-view] quit
# Configure the AC's source interface.
[HUAWEI] capwap source interface vlanif 11
# Add an AP to the AP group ap-group1. In this example, the AP's MAC
address is 00e0-0001-0005.
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-id 1 ap-mac 00e0-0001-0005
[HUAWEI-wlan-ap-1] ap-name area_1
[HUAWEI-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[HUAWEI-wlan-ap-1] quit


# After the AP is powered on, run the display ap all command to check the
AP state. If the State field displays nor, the AP has gone online.
[HUAWEI-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
1 00e0-0001-0005 area_1 ap-group1 192.168.11.254 AP5010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters.

# Create the security profile security and set the security policy in the profile.

In this example, the security policy is set to WPA2+PSK+AES and the password to
huawei123. In actual situations, the security policy must be configured according to
service requirements; a short dictionary-style pre-shared key such as huawei123 can be
recovered offline from a captured WPA2 four-way handshake, so use a long random
passphrase in production.
[HUAWEI-wlan-view] security-profile name security
[HUAWEI-wlan-sec-prof-security] security wpa2 psk pass-phrase huawei123 aes
[HUAWEI-wlan-sec-prof-security] quit

# Create the SSID profile area1 and set the SSID name to area1.
[HUAWEI-wlan-view] ssid-profile name area1
[HUAWEI-wlan-ssid-prof-area1] ssid area1
Warning: This action may cause service interruption. Continue?[Y/N]y
[HUAWEI-wlan-ssid-prof-area1] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[HUAWEI-wlan-view] vap-profile name wlan-vap
[HUAWEI-wlan-vap-prof-wlan-vap] forward-mode direct-forward
Warning: This action may cause service interruption. Continue?[Y/N]y
[HUAWEI-wlan-vap-prof-wlan-vap] service-vlan vlan-id 202
[HUAWEI-wlan-vap-prof-wlan-vap] security-profile security
[HUAWEI-wlan-vap-prof-wlan-vap] ssid-profile area1
[HUAWEI-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to radio 0 and radio 1 of the AP group.
[HUAWEI-wlan-view] ap-group name ap-group1
[HUAWEI-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[HUAWEI-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[HUAWEI-wlan-ap-group-ap-group1] quit

4. Commit the configuration.


[HUAWEI-wlan-view] commit all //From V200R011C10, WLAN configurations are automatically
delivered, without the need of running the commit all command.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

iPCA Configuration Procedure

iPCA can be performed to detect packet loss on agile switches and between agile switches. If
you want to detect packet loss between the main campus and branch campus networks, agile
switches need to be deployed on both networks.

Configure the packet loss measurement function for a device.

1. Enable iPCA on each device to implement packet loss measurement so that
you can know about packet loss in a timely manner. Configure the packet loss alarm
on each device.


[HUAWEI] iplpm global loss-measure alarm enable //Enable the packet loss alarm and clear
alarm on a device.
[HUAWEI] iplpm global loss-measure enable //Enable the packet loss measurement
2. Run the display iplpm loss-measure statistics global command to check the
packet loss measurement results on a device. You can check the values of
Loss Packets and LossRatio to know whether packet loss occurs on a device.
[HUAWEI] display iplpm loss-measure statistics global
Latest global loss statistics:
--------------------------------------------------------------------------------
StartTime(DST) Loss Packets LossRatio ErrorInfo
--------------------------------------------------------------------------------
2015-06-12 18:47:30 344127 4.513519% OK
2015-06-12 18:47:20 381085 4.513196% OK
2015-06-12 18:47:10 381192 4.513290% OK
2015-06-12 18:47:00 381339 4.513341% OK
2015-06-12 18:46:50 381465 4.513392% OK
2015-06-12 18:46:40 381444 4.513487% OK
2015-06-12 18:46:30 381129 4.513309% OK
--------------------------------------------------------------------------------

Configure the end-to-end packet loss measurement function.


1. Configure the core switches in the main campus.
[HUAWEI] nqa ipfpm dcp //Enable the DCP function globally.
[HUAWEI-nqa-ipfpm-dcp] dcp id 1.1.1.1 //Configure the DCP ID.
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2 //Specify the MCP that collects the statistics of this instance.
[HUAWEI-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24 //Set the target flow to a bidirectional symmetrical flow.
[HUAWEI-nqa-ipfpm-dcp-instance-1] tlp 1 in-point ingress //Color the target flows that enter the network.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit
[HUAWEI] interface gigabitethernet 3/1/0/1 //Specify the interface connecting to the core switch in the branch campus.
[HUAWEI-GigabitEthernet3/1/0/1] ipfpm tlp 1 //Bind a Target Logical Port (TLP) to the interface.
[HUAWEI-GigabitEthernet3/1/0/1] quit
[HUAWEI] interface gigabitethernet 3/1/0/2 //Specify the interface connecting to the core switch in the branch campus.
[HUAWEI-GigabitEthernet3/1/0/2] ipfpm tlp 1 //Bind a TLP to the interface.
[HUAWEI-GigabitEthernet3/1/0/2] quit
[HUAWEI] nqa ipfpm dcp
[HUAWEI-nqa-ipfpm-dcp] instance 1
[HUAWEI-nqa-ipfpm-dcp-instance-1] loss-measure enable continual //Enable the continual packet loss measurement function for the DCP instance.
[HUAWEI-nqa-ipfpm-dcp-instance-1] quit
[HUAWEI-nqa-ipfpm-dcp] quit
2. Configure the core switches in the branch campus.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] dcp id 2.2.2.2
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] mcp 2.2.2.2
[Switch-nqa-ipfpm-dcp-instance-1] flow bidirectional source 10.1.1.0 24 destination 10.2.1.0 24
[Switch-nqa-ipfpm-dcp-instance-1] tlp 2 out-point egress
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] ipfpm tlp 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] nqa ipfpm dcp
[Switch-nqa-ipfpm-dcp] instance 1
[Switch-nqa-ipfpm-dcp-instance-1] loss-measure enable continual
[Switch-nqa-ipfpm-dcp-instance-1] quit
[Switch-nqa-ipfpm-dcp] quit
[Switch] nqa ipfpm mcp //Enable the MCP function globally.

[Switch-nqa-ipfpm-mcp] mcp id 2.2.2.2 //Create an MCP.
[Switch-nqa-ipfpm-mcp] instance 1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 1.1.1.1
[Switch-nqa-ipfpm-mcp-instance-1] dcp 2.2.2.2
[Switch-nqa-ipfpm-mcp-instance-1] loss-measure ratio-threshold upper-limit 7 lower-limit 5 //Set the packet loss alarm threshold to 7% and the clear alarm threshold to 5% for the MCP instance.
[Switch-nqa-ipfpm-mcp-instance-1] quit
[Switch-nqa-ipfpm-mcp] quit
[Switch] quit

3. Verify the configurations.


# Run the display ipfpm statistic-type loss instance 1 command on the core
switches in the branch campus to view the packet loss measurement results.
<Switch> display ipfpm statistic-type loss instance 1

Latest loss statistics of forward flow:


Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period Loss(p) LossRatio(p) Loss(b) LossRatio(b)
------------------------------------------------------------------------------------------
127636768 381549 4.514649% 40444194 4.514649%
127636767 381528 4.514620% 40441968 4.514620%
127636766 381318 4.514996% 40419708 4.514996%
127636765 381192 4.514686% 40406352 4.514686%
127636764 381381 4.514679% 40426386 4.514679%
127636763 381402 4.514748% 40428612 4.514748%
127636762 381081 4.514797% 40394586 4.514797%
127636761 381324 4.514702% 40420344 4.514702%
127636760 381549 4.514870% 40444194 4.514870%
127636759 381066 4.514638% 40392996 4.514638%
127636758 381570 4.514836% 40446420 4.514836%
127636757 382452 4.514757% 40539912 4.514757%

Latest loss statistics of backward flow:


Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period Loss(p) LossRatio(p) Loss(b) LossRatio(b)
------------------------------------------------------------------------------------------
127636768 381087 4.513306% 40395222 4.513306%
127636767 381129 4.513384% 40399674 4.513384%
127636766 381465 4.513444% 40435290 4.513444%
127636765 381087 4.513222% 40395222 4.513222%
127636764 381045 4.513272% 40390770 4.513272%
127636763 381381 4.513364% 40426386 4.513364%
127636762 381276 4.513435% 40415256 4.513435%
127636761 380961 4.513280% 40381866 4.513280%
127636760 381339 4.513574% 40421934 4.513574%
127636759 381045 4.513270% 40390770 4.513270%
127636758 381088 4.513226% 40395328 4.513226%
127636757 382409 4.513464% 40535354 4.513464%
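As an added example (not code from the Huawei guide), the following Python script parses the text of display ipfpm statistic-type loss instance 1 and replays the raise/clear hysteresis that the upper-limit 7 / lower-limit 5 thresholds on the MCP instance express; SAMPLE_OUTPUT is constructed in the page's output format, with the backward flow pushed over the alarm threshold.

```python
"""Replay iPCA loss-ratio alarms from 'display ipfpm statistic-type loss' output.

Added example, not code from the Huawei guide. It parses the per-period rows
printed for the forward and backward flows and applies the same raise/clear
hysteresis that the MCP instance expresses with
'loss-measure ratio-threshold upper-limit 7 lower-limit 5'.
"""
import re
from typing import Dict, List, Tuple

UPPER_LIMIT = 7.0  # percent: raise the alarm once the loss ratio exceeds this
LOWER_LIMIT = 5.0  # percent: clear the alarm once the ratio drops below this

# Constructed sample in the page's output format (not a real capture): the
# forward flow stays healthy, the backward flow crosses the alarm threshold,
# lingers in the hysteresis band, and then falls below the clear threshold.
SAMPLE_OUTPUT = """\
Latest loss statistics of forward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)    LossRatio(p)    Loss(b)      LossRatio(b)
------------------------------------------------------------------------------------------
127636762       381081     4.514797%       40394586     4.514797%
127636761       381324     4.514702%       40420344     4.514702%

Latest loss statistics of backward flow:

Unit: p - packet, b - byte
------------------------------------------------------------------------------------------
Period          Loss(p)    LossRatio(p)    Loss(b)      LossRatio(b)
------------------------------------------------------------------------------------------
127636763       390000     4.620000%       41340000     4.620000%
127636762       510000     6.040000%       54060000     6.040000%
127636761       620000     7.340000%       65720000     7.340000%
127636760       381339     4.513574%       40421934     4.513574%
"""

FLOW_RE = re.compile(r"^Latest loss statistics of (\w+) flow:")
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)%")

Row = Tuple[int, int, float]  # (period, lost packets, packet loss ratio in %)


def parse_loss_output(text: str) -> Dict[str, List[Row]]:
    """Return {flow name: rows sorted by period}; the switch prints newest first."""
    flows: Dict[str, List[Row]] = {}
    current = None
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            current = m.group(1)
            flows[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            flows[current].append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
    for rows in flows.values():
        rows.sort()
    return flows


def replay_alarms(rows: List[Row], upper: float = UPPER_LIMIT,
                  lower: float = LOWER_LIMIT) -> List[Tuple[int, str]]:
    """Walk the periods in time order and return [(period, 'raise'|'clear')].

    Hysteresis: raise only when the ratio exceeds `upper`; once raised, clear
    only when it drops below `lower`, so a ratio between the two limits keeps
    the current state and does not flap."""
    events: List[Tuple[int, str]] = []
    alarmed = False
    for period, _lost, ratio in rows:
        if not alarmed and ratio > upper:
            alarmed = True
            events.append((period, "raise"))
        elif alarmed and ratio < lower:
            alarmed = False
            events.append((period, "clear"))
    return events


def evaluate(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Alarm transitions for each flow direction in one display output."""
    return {flow: replay_alarms(rows) for flow, rows in parse_loss_output(text).items()}


if __name__ == "__main__":
    for flow, events in evaluate(SAMPLE_OUTPUT).items():
        print(f"{flow} flow: {events or 'no alarm'}")
```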

2.6.7 Summary and Recommendations


In this document, the application of S series agile switches on the agile network in
the education industry is taken as an example to describe the application and key
configurations of agile features of agile switches.
● Wired and wireless convergence
Agile switches have native AC cards installed to converge wired and wireless
networks into one network, simplifying the configuration and maintenance of
wired and wireless networks. The high switching capability and scalability of
agile switches eliminate bottlenecks in centralized traffic forwarding when
independent ACs or AC cards are used.
● Free mobility

Free mobility enables the unified management of users' identity information on the entire network. It ensures that a user can have the same network access rights and enjoy the same service experience when using different IP addresses to access the network from different locations.
● SVF
The SVF technology virtualizes core, aggregation, and access switches on a
network into one super switch. The core switch uniformly delivers
configurations to and manages aggregation and access switches.
● iPCA
iPCA collects statistics on the packets that each device sends and forwards on one or multiple paths. If a packet is lost, eSight immediately detects the packet loss and locates where the packet was lost. iPCA enables real-time monitoring of real service traffic.
The agile features of S series switches are being developed and optimized. In the
future, S series switches will be more widely used on agile networks.

2.7 Example for Configuring High-Speed Self Recovery on a Subway Bearer Network

2.7.1 Service Requirements and Solution Description


Service Requirements
Traveling by subway has become a major way to avoid traffic congestion in cities.
The subway public transportation system must therefore be highly secure and
reliable given the more diverse range of IP services and increasing data traffic.
However, the legacy subway bearer network can no longer meet these
requirements. A more robust, reliable bearer network is required by a digital
subway system and needs to meet the following requirements:
● Ensures high reliability and security: Subways belong to the public
transportation system, requiring the subway bearer network to be reliable and
secure.
● Provides sufficient data capacity: The subway system has high passenger
traffic and an increasing number of data terminals, requiring the subway
bearer network to provide sufficient data capacity and data switching
capacity.
● Supports a diverse range of service types: The subway system involves different service types such as the control system, advertising media, and daily office work, requiring the subway bearer network to support a diverse range of service types.
The IP data communication network is the mainstream data communication
network. It supports various access modes and can scale to a large size. Therefore,
the trend in constructing subway bearer networks has shifted towards IP.
Huawei offers the HoVPN-based HSR solution to implement secure and reliable subway system operation and support a diverse range of service types for the subway system. The HSR solution uses Huawei agile switches to construct a hierarchical network based on MPLS L3VPN technology, provides powerful service supporting capabilities and simple as well as flexible networking modes, and is suitable for large-scale subway bearer networks. This solution adopts multiple protection technologies, including hardware bidirectional forwarding detection (BFD), TE hot standby (HSB), VPN fast reroute (FRR), and traffic forwarding on the Virtual Router Redundancy Protocol (VRRP) backup device, and provides protection switchovers within milliseconds to complete an end-to-end link switchover without being noticed by users.

Overview
The Hierarchy of VPN (HoVPN)-based High-Speed Self Recovery (HSR) solution is
designed to ensure network reliability, scalability, maintainability, and multi-
service supporting capability, provide a hierarchical network structure, and reduce
networking costs. Figure 2-18 shows the network topology in the HSR solution.

Figure 2-18 Network topology (figure not reproduced in text: Core_SPE1, Core_SPE2, and Core_SPE3 form the core ring; the data center site holds Site1_UPE1, Site1_UPE2, and CE1 in vpna; metro site 1 holds Site2_UPE3, Site2_UPE4, and CE2 in vpna; metro site 2 holds Site3_UPE5, Site3_UPE6, and CE3 in vpna; BFD for VRRP, TE HSB, and VPN FRR are marked at each site)

In Figure 2-18,
● Three S9700 switches are fully connected on the core layer to form a core
ring, while the data center site and two subway sites exchange data across
the core ring.
● Two S5720-HIs are deployed as aggregation switches in each subway site and form square networking with two S9700s on the core ring. Alternatively, S5720-HIs in multiple sites are connected in serial networking and then form square networking with two S9700s on the core ring. S5720-HIs have VRRP configured to function as user gateways of each subway site. The data center site uses two S9700s as aggregation switches and has the same services deployed as the S5720-HIs.
● Layer 2 switches are deployed on the access layer in each site to form an access ring and are dual-homed to two S5720-HIs in subway sites or two S9700s in the data center site.
This network transmits all service traffic of the subway system, including traffic of
daily work, advertising media, and train control management.

Service Deployment

Table 2-14 Service deployment

● IGP: Use OSPF as the IGP and run OSPF between aggregation and core switches to ensure that these switches can be reached through routes, and set up Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) and MPLS Traffic Engineering (TE) over OSPF routes.
● BGP: Deploy Multiprotocol Border Gateway Protocol (MP-BGP) to set up L3VPN tunnels over MP-BGP routes. Establish Internal BGP (IBGP) neighbor relationships between aggregation and core switches, and between core switches, and advertise VPN routes.
● Routing policy: Use routing policies to set the preferred value and community attribute to filter, select, and back up routes.
● MPLS LDP: Run LDP between aggregation and core switches to transmit L3VPN data on links for label switching. Configure BFD for label switched paths (LSPs) to implement fast link switchovers.
● MPLS TE: Deploy MPLS TE tunnels to transmit L3VPN traffic. That is, establish the primary and backup TE tunnels between each S5720-HI and its directly connected S9700, and establish the primary and backup tunnels between each S9700 and its directly connected S5720-HI. Enable TE HSB and configure BFD for TE HSB to allow traffic to be switched from the faulty primary TE tunnel to the backup TE tunnel within 50 ms.
● L3VPN: Configure different VPNs for services such as daily office, advertising media, and train control management to isolate these services. In this scenario, one VPN is configured as an example.
● BFD: Use BFD on each node to detect faults and implement fast traffic switchovers in case of faults. In this example, you need to deploy multiple services, including BFD for VRRP, BFD for LSP, and BFD for TE, to complete end-to-end switchovers within 50 ms.
● TE HSB: Establish bidirectional TE tunnels between S5720-HI aggregation switches and S9700 core switches, and deploy HSB for MPLS TE tunnels to provide the primary and backup constraint-based routed label switched paths (CR-LSPs) for each TE tunnel. Configure BFD for CR-LSP to fast detect CR-LSP faults. When a fault occurs on the primary CR-LSP, L3VPN traffic can be fast switched to the backup CR-LSP, providing end-to-end traffic protection.
● Hybrid fast reroute (FRR): Enable IP+VPN hybrid FRR on S5720-HIs. When a fault occurs on the downlink access link, the connected interface on one S5720-HI will detect the fault and fast switch traffic to the peer S5720-HI, which then forwards traffic to access devices.
● VRRP: Deploy VRRP between two S5720-HIs to implement gateway backup for access users. Configure BFD for VRRP to speed up fault detection, VRRP convergence, and traffic switchovers. To prevent traffic loss caused by aggregation switch faults and shorten service interruptions, you also need to configure the VRRP backup device to forward service traffic.

Device Selection and Restrictions

Table 2-15 Device selection and restrictions

● Core nodes and data center aggregation nodes: Use S9706s or S9712s as core nodes and data center aggregation nodes, and install SRUDs and X series cards on these switches. To provide high reliability, ensure that Eth-Trunk member interfaces reside on the same LPU, and that on the same device any two interfaces connected to other devices reside on different LPUs.
● Aggregation nodes in subway sites: Use S5720-HIs as aggregation switches.

Version Mapping

Table 2-16 Version mapping

● V200R009C00 and later versions: Use S12700s, S9700s, or S7700s as core switches and S5720-HIs as aggregation switches.
NOTE: This configuration example uses S series switches running V200R009C00.

2.7.2 Basic Configuration

2.7.2.1 Data Plan

Network Topology
Construct a network based on the topology shown in Figure 2-19, name network
devices, and configure IP addresses for network devices, service interfaces, and
user interfaces on the devices.

Figure 2-19 Network topology (figure not reproduced in text; it shows the same devices as Figure 2-18 together with the interconnecting Eth-Trunks and XGE interfaces and the CE-facing subinterfaces XGE1/0/4.200, XGE0/0/2.150, and XGE0/0/2.100, all of which are listed in Table 2-17 and Table 2-18)
Interface data plan


Table 2-17 and Table 2-18 list Eth-Trunks, local interfaces, and IP addresses of
local interfaces on devices.

Table 2-17 Eth-Trunks

Device role, then each Eth-Trunk interface number with its member interfaces:

Core_SPE1
Eth-Trunk4: XGigabitEthernet5/0/4, XGigabitEthernet5/0/5, XGigabitEthernet5/0/6, XGigabitEthernet5/0/7
Eth-Trunk5: XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Eth-Trunk17: XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3

Core_SPE2
Eth-Trunk4: XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7
Eth-Trunk2: XGigabitEthernet3/0/4, XGigabitEthernet3/0/5, XGigabitEthernet3/0/6, XGigabitEthernet3/0/7
Eth-Trunk17: XGigabitEthernet5/0/0, XGigabitEthernet5/0/1, XGigabitEthernet5/0/2, XGigabitEthernet5/0/3

Core_SPE3
Eth-Trunk5: XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Eth-Trunk2: XGigabitEthernet2/0/4, XGigabitEthernet2/0/5, XGigabitEthernet2/0/6, XGigabitEthernet2/0/7

Site1_UPE1
Eth-Trunk17: XGigabitEthernet1/0/0, XGigabitEthernet1/0/1, XGigabitEthernet1/0/2, XGigabitEthernet1/0/3
Eth-Trunk7: XGigabitEthernet4/0/4, XGigabitEthernet4/0/5, XGigabitEthernet4/0/6, XGigabitEthernet4/0/7

Site1_UPE2
Eth-Trunk17: XGigabitEthernet6/0/0, XGigabitEthernet6/0/1, XGigabitEthernet6/0/2, XGigabitEthernet6/0/3
Eth-Trunk7: XGigabitEthernet6/0/4, XGigabitEthernet6/0/5, XGigabitEthernet6/0/6, XGigabitEthernet6/0/7

Table 2-18 Local interfaces and IP addresses

Device role, then each local interface with its IP address and interface description:

Core_SPE1
LoopBack1: 172.16.0.5/32
Eth-Trunk4: 172.17.4.8/31 (Core_SPE1 to Core_SPE2)
Eth-Trunk5: 172.17.4.2/31 (Core_SPE1 to Core_SPE3)
Eth-Trunk17: 172.17.4.10/31 (Core_SPE1 to Site1_UPE1)
XGigabitEthernet6/0/4: 172.17.10.2/31 (Core_SPE1 to Site3_UPE6)

Core_SPE2
LoopBack1: 172.16.0.3/32
Eth-Trunk4: 172.17.4.9/31 (Core_SPE2 to Core_SPE1)
Eth-Trunk2: 172.17.4.0/31 (Core_SPE2 to Core_SPE3)
Eth-Trunk17: 172.17.4.12/31 (Core_SPE2 to Site1_UPE2)
XGigabitEthernet5/0/5: 172.16.8.178/31 (Core_SPE2 to Site2_UPE3)

Core_SPE3
LoopBack1: 172.16.0.4/32
Eth-Trunk5: 172.17.4.3/31 (Core_SPE3 to Core_SPE1)
Eth-Trunk2: 172.17.4.1/31 (Core_SPE3 to Core_SPE2)
XGigabitEthernet6/0/1: 172.16.8.213/31 (Core_SPE3 to Site3_UPE5)
XGigabitEthernet6/0/3: 172.16.8.183/31 (Core_SPE3 to Site2_UPE4)

Site1_UPE1
LoopBack1: 172.16.2.51/32
Eth-Trunk17: 172.17.4.11/31 (Site1_UPE1 to Core_SPE1)
Eth-Trunk7: 172.17.4.14/31 (Site1_UPE1 to Site1_UPE2)
XGigabitEthernet1/0/4.200: 172.18.200.66/26 (Site1_UPE1 to CE1)

Site1_UPE2
LoopBack1: 172.16.2.50/32
Eth-Trunk17: 172.17.4.13/31 (Site1_UPE2 to Core_SPE2)
Eth-Trunk7: 172.17.4.15/31 (Site1_UPE2 to Site1_UPE1)
XGigabitEthernet1/0/4.200: 172.18.200.67/26 (Site1_UPE2 to CE1)

Site2_UPE3
LoopBack1: 172.16.2.75/32
XGigabitEthernet0/0/1: 172.16.8.179/31 (Site2_UPE3 to Core_SPE2)
XGigabitEthernet0/0/4: 172.16.8.180/31 (Site2_UPE3 to Site2_UPE4)
XGigabitEthernet0/0/2.150: 172.18.150.2/26 (Site2_UPE3 to CE2)

Site2_UPE4
LoopBack1: 172.16.2.76/32
XGigabitEthernet0/0/1: 172.16.8.182/31 (Site2_UPE4 to Core_SPE3)
XGigabitEthernet0/0/4: 172.16.8.181/31 (Site2_UPE4 to Site2_UPE3)
XGigabitEthernet0/0/2.150: 172.18.150.3/26 (Site2_UPE4 to CE2)

Site3_UPE5
LoopBack1: 172.16.2.87/32
XGigabitEthernet0/0/4: 172.16.8.212/31 (Site3_UPE5 to Core_SPE3)
XGigabitEthernet0/0/1: 172.17.10.0/31 (Site3_UPE5 to Site3_UPE6)
XGigabitEthernet0/0/2.100: 172.18.100.2/26 (Site3_UPE5 to CE3)

Site3_UPE6
LoopBack1: 172.16.2.86/32
XGigabitEthernet0/0/4: 172.17.10.3/31 (Site3_UPE6 to Core_SPE1)
XGigabitEthernet0/0/1: 172.17.10.1/31 (Site3_UPE6 to Site3_UPE5)
XGigabitEthernet0/0/2.100: 172.18.100.3/26 (Site3_UPE6 to CE3)
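As an added check (not code from the Huawei guide), the following Python script transcribes Table 2-18 and verifies that the plan is internally consistent before it is pushed to the switches: every device-to-device link is a /31 whose two ends fall in the same /31, every loopback is a unique /32, and the two UPEs in front of each CE share one gateway subnet. The PLAN tuples and the check_plan function are this example's own.

```python
"""Consistency check for the HSR interface data plan (Table 2-18).

Added example, not code from the Huawei guide. It verifies that every
device-to-device link is a /31 whose two ends fall in the same /31, that every
loopback is a unique /32, and that the two UPEs facing one CE share a single
gateway subnet. PLAN is transcribed from the page's Table 2-18.
"""
import ipaddress
from collections import defaultdict

# (device, interface, address/prefix, peer); peer None marks a loopback.
PLAN = [
    ("Core_SPE1", "LoopBack1", "172.16.0.5/32", None),
    ("Core_SPE1", "Eth-Trunk4", "172.17.4.8/31", "Core_SPE2"),
    ("Core_SPE1", "Eth-Trunk5", "172.17.4.2/31", "Core_SPE3"),
    ("Core_SPE1", "Eth-Trunk17", "172.17.4.10/31", "Site1_UPE1"),
    ("Core_SPE1", "XGigabitEthernet6/0/4", "172.17.10.2/31", "Site3_UPE6"),
    ("Core_SPE2", "LoopBack1", "172.16.0.3/32", None),
    ("Core_SPE2", "Eth-Trunk4", "172.17.4.9/31", "Core_SPE1"),
    ("Core_SPE2", "Eth-Trunk2", "172.17.4.0/31", "Core_SPE3"),
    ("Core_SPE2", "Eth-Trunk17", "172.17.4.12/31", "Site1_UPE2"),
    ("Core_SPE2", "XGigabitEthernet5/0/5", "172.16.8.178/31", "Site2_UPE3"),
    ("Core_SPE3", "LoopBack1", "172.16.0.4/32", None),
    ("Core_SPE3", "Eth-Trunk5", "172.17.4.3/31", "Core_SPE1"),
    ("Core_SPE3", "Eth-Trunk2", "172.17.4.1/31", "Core_SPE2"),
    ("Core_SPE3", "XGigabitEthernet6/0/1", "172.16.8.213/31", "Site3_UPE5"),
    ("Core_SPE3", "XGigabitEthernet6/0/3", "172.16.8.183/31", "Site2_UPE4"),
    ("Site1_UPE1", "LoopBack1", "172.16.2.51/32", None),
    ("Site1_UPE1", "Eth-Trunk17", "172.17.4.11/31", "Core_SPE1"),
    ("Site1_UPE1", "Eth-Trunk7", "172.17.4.14/31", "Site1_UPE2"),
    ("Site1_UPE1", "XGigabitEthernet1/0/4.200", "172.18.200.66/26", "CE1"),
    ("Site1_UPE2", "LoopBack1", "172.16.2.50/32", None),
    ("Site1_UPE2", "Eth-Trunk17", "172.17.4.13/31", "Core_SPE2"),
    ("Site1_UPE2", "Eth-Trunk7", "172.17.4.15/31", "Site1_UPE1"),
    ("Site1_UPE2", "XGigabitEthernet1/0/4.200", "172.18.200.67/26", "CE1"),
    ("Site2_UPE3", "LoopBack1", "172.16.2.75/32", None),
    ("Site2_UPE3", "XGigabitEthernet0/0/1", "172.16.8.179/31", "Core_SPE2"),
    ("Site2_UPE3", "XGigabitEthernet0/0/4", "172.16.8.180/31", "Site2_UPE4"),
    ("Site2_UPE3", "XGigabitEthernet0/0/2.150", "172.18.150.2/26", "CE2"),
    ("Site2_UPE4", "LoopBack1", "172.16.2.76/32", None),
    ("Site2_UPE4", "XGigabitEthernet0/0/1", "172.16.8.182/31", "Core_SPE3"),
    ("Site2_UPE4", "XGigabitEthernet0/0/4", "172.16.8.181/31", "Site2_UPE3"),
    ("Site2_UPE4", "XGigabitEthernet0/0/2.150", "172.18.150.3/26", "CE2"),
    ("Site3_UPE5", "LoopBack1", "172.16.2.87/32", None),
    ("Site3_UPE5", "XGigabitEthernet0/0/4", "172.16.8.212/31", "Core_SPE3"),
    ("Site3_UPE5", "XGigabitEthernet0/0/1", "172.17.10.0/31", "Site3_UPE6"),
    ("Site3_UPE5", "XGigabitEthernet0/0/2.100", "172.18.100.2/26", "CE3"),
    ("Site3_UPE6", "LoopBack1", "172.16.2.86/32", None),
    ("Site3_UPE6", "XGigabitEthernet0/0/4", "172.17.10.3/31", "Core_SPE1"),
    ("Site3_UPE6", "XGigabitEthernet0/0/1", "172.17.10.1/31", "Site3_UPE5"),
    ("Site3_UPE6", "XGigabitEthernet0/0/2.100", "172.18.100.3/26", "CE3"),
]


def check_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    errors, seen = [], {}
    links = defaultdict(list)   # frozenset({dev, peer}) -> ends of that link
    access = defaultdict(list)  # CE name -> gateway ports facing it
    for dev, iface, cidr, peer in plan:
        ip = ipaddress.ip_interface(cidr)
        if ip.ip in seen:
            errors.append(f"{dev} {iface}: {ip.ip} already used by {seen[ip.ip]}")
        seen[ip.ip] = f"{dev} {iface}"
        if peer is None:
            if ip.network.prefixlen != 32:
                errors.append(f"{dev} {iface}: loopback must be a /32")
        elif peer.startswith("CE"):
            access[peer].append(ip)
        else:
            links[frozenset((dev, peer))].append(ip)
    for pair, ends in links.items():
        name = " <-> ".join(sorted(pair))
        if len(ends) != 2:
            errors.append(f"{name}: expected 2 ends, plan has {len(ends)}")
        elif any(e.network.prefixlen != 31 for e in ends):
            errors.append(f"{name}: point-to-point links must use /31")
        elif ends[0].network != ends[1].network:
            errors.append(f"{name}: {ends[0]} and {ends[1]} are not in the same /31")
    for ce, ports in access.items():
        nets = {p.network for p in ports}
        if len(ports) < 2 or len(nets) != 1:
            errors.append(f"{ce}: gateway ports must share one subnet, got {sorted(map(str, nets))}")
    return errors


if __name__ == "__main__":
    problems = check_plan(PLAN)
    print("plan OK" if not problems else "\n".join(problems))
```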

2.7.2.2 Configuring Device Information

Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Configure device information on all devices based on the network topology.

Device information includes the site name, device role, and device number. Each
device is named in the format of AA_BBX.

● AA: indicates the site name, such as Core and Site1.
● BB: indicates the device role, such as SPE, UPE, and CE.

● X: indicates the device number, starting from 1.


For example, Site1_UPE1 indicates a UPE numbered 1 at site 1. The following table
describes the data plan.

Parameter   Value        Description
sysname     Site1_UPE1   Device name.

Procedure
● Configure the device name.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of other devices are similar to the configuration of Site1_UPE1,
and are not mentioned here.
sysname Site1_UPE1

----End

2.7.2.3 Configuring Interfaces

Procedure
Step 1 Add physical interfaces to Eth-Trunks.
The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to the configuration of Core_SPE1, and
are not mentioned here.
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17

#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#

Step 2 Configure descriptions and IP addresses for interfaces.


The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to the configuration of Core_SPE1, and
are not mentioned here.
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#

Step 3 Configure Eth-Trunks to function as 40GE interfaces.


Run the least active-linknumber 4 command on the Eth-Trunks of all S9700 switches so that each four-member Eth-Trunk behaves as a single 40GE interface: if any member interface of an Eth-Trunk goes Down, the Eth-Trunk goes Down as a whole. The following uses the configuration of Core_SPE1 as an example. The configurations of other devices are similar to the configuration of Core_SPE1, and are not mentioned here.
#
interface Eth-Trunk4
least active-linknumber 4
#
interface Eth-Trunk5
least active-linknumber 4
#
interface Eth-Trunk17
least active-linknumber 4
#

Step 4 Create Eth-Trunk load balancing profiles and apply the profiles to Eth-Trunks.
Configure load balancing based on the source and destination port numbers. The
following uses the configuration of Core_SPE1 as an example. The configurations
of other devices are similar to the configuration of Core_SPE1, and are not
mentioned here.
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
load-balance enhanced profile CUSTOM
#

Step 5 Disable STP globally.


All devices on the entire network are connected through Layer 3 interfaces, and
Layer 2 loop prevention protocols are not required. Therefore, disable STP globally.
The following uses the configuration of Core_SPE1 as an example. The
configurations of other devices are similar to the configuration of Core_SPE1, and
are not mentioned here.
#
stp disable
#

----End

2.7.2.4 Enabling BFD

Context
To implement protection switching within 50 ms, set the minimum interval at which BFD packets are sent and received to 3.3 ms. The restrictions on switches are as follows:
● For the S12700, the MPU must be an ET1D2MPUA000/ET1D2MPUDC00 card.
● For the S12700E, the MPU must be an LST7MPUE0000 card.
● For the S9700, the MPU must be an EH1D2SRUDC00/EH1D2SRUDC01 card.
● For the S7700, the MPU must have an ES0D00FSUA00 card installed or be an
EH1D2SRUDC00/EH1D2SRUDC01 card.
● For the S7706/S7706 PoE or S7712, the assign system-resource-mode static
command must be run to set the resource allocation mode to static so that
the BFD detection duration can be controlled within 50 ms.
● For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, and
S6720-HI, the set service-mode command must be run to configure the
switch to work in enhanced mode.
● For the S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, the set service-mode command must be run to configure the switch to work in enhanced-bfd mode.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.

#
bfd
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
#
bfd
#

----End

2.7.3 Deploying OSPF

2.7.3.1 Configuration Roadmap

Figure 2-20 OSPF neighbor relationship diagram (figure not reproduced in text: it marks OSPF on each link among Core_SPE1, Core_SPE2, Core_SPE3, Site1_UPE1, Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6; CE1, CE2, and CE3 sit in vpna)

Configuration Roadmap
Use OSPF as an IGP to ensure that network-wide devices can be reached through
routes and set up MPLS LDP and MPLS TE over OSPF routes. The configuration
roadmap is as follows:
1. Add all devices to area 0 and advertise the directly connected network
segment and the address of loopback interface 1.
2. Configure all interfaces that do not run OSPF as OSPF silent interfaces to disable the interfaces from sending or receiving OSPF packets. This configuration makes the OSPF network more adaptive and saves network resources.
3. Considering the impact of 31-bit subnet masks, configure the OSPF network
type to point-to-point on the main interoperation interface.
4. Configure synchronization between OSPF and LDP to prevent traffic loss
caused by switchovers of the primary and backup LSPs.

2.7.3.2 Deploying OSPF

Context
Configuring OSPF ensures that user-end provider edges (UPEs) and superstratum
provider edges (SPEs) can be reached through public network routes.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
router id 172.16.0.5 //Configure a router ID.
#
interface Eth-Trunk4
ospf network-type p2p //Set the OSPF network type to P2P on the interfaces using IP addresses with 31-bit subnet masks.
#
interface Eth-Trunk5
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
interface XGigabitEthernet6/0/4
ospf network-type p2p
#
ospf 1
silent-interface all //Prohibit all interfaces from receiving and sending OSPF packets.
undo silent-interface Eth-Trunk4 //Allow interfaces to receive and send OSPF packets.
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10 //Set the route calculation interval to 10 ms to speed up route convergence.
lsa-originate-interval 0 //Set the LSA update interval to 0.
lsa-arrival-interval 0 //Set the interval for receiving LSAs to 0 so that topology or route changes can be immediately detected to speed up route convergence.
graceful-restart period 600 //Enable OSPF GR.
flooding-control //Enable flooding-control to stabilize neighbor relationships.
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%# //Set the authentication mode and password for the OSPF area.
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
#
● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not mentioned here.
router id 172.16.2.51
#
interface Eth-Trunk7
ospf network-type p2p
#
interface Eth-Trunk17
ospf network-type p2p
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
graceful-restart period 600
bandwidth-reference 100000 //Set the bandwidth reference value used by the system to calculate the interface cost.
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
#

----End

Checking the Configuration


● Run the display ospf peer command to check OSPF neighbor information. Using Core_SPE1 as an example, if the value of State is Full, the OSPF neighbor relationships have been set up successfully.
[Core_SPE1]display ospf peer

OSPF Process 1 with Router ID 172.16.0.5


Neighbors

Area 0.0.0.0 interface 172.17.4.8(Eth-Trunk4)'s neighbors


Router ID: 172.16.0.3 Address: 172.17.4.9 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 40 sec
Retrans timer interval: 4
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.2(Eth-Trunk5)'s neighbors


Router ID: 172.16.0.4 Address: 172.17.4.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 4
Neighbor is up for 00:53:22
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.4.10(Eth-Trunk17)'s neighbors


Router ID: 172.16.2.51 Address: 172.17.4.11 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 31 sec
Retrans timer interval: 4
Neighbor is up for 00:53:34
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 172.17.10.2(XGigabitEthernet6/0/4)'s neighbors


Router ID: 172.16.2.86 Address: 172.17.10.3 GR State: Normal
State: Full Mode:Nbr is Master Priority: 1
DR: None BDR: None MTU: 0
Dead timer due in 32 sec
Retrans timer interval: 5
Neighbor is up for 00:53:42
Authentication Sequence: [ 0 ]

2.7.4 Deploying MPLS LDP

2.7.4.1 Configuration Roadmap

Figure 2-21 MPLS LDP topology
[Figure: CE1, CE2 and CE3 (VPN instance vpna) attach to Site1_UPE1/Site1_UPE2, Site2_UPE3/Site2_UPE4 and Site3_UPE5/Site3_UPE6 respectively; the UPEs connect to the core ring formed by Core_SPE1, Core_SPE2 and Core_SPE3, with LDP LSPs numbered 1 to 12 between the nodes.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an LSR ID and enable MPLS LDP globally and on each interface.
2. Configure synchronization between LDP and OSPF to prevent traffic loss
caused by switchovers of the primary and backup LSPs.
3. Configure LDP GR so that traffic forwarding is not interrupted upon primary/
backup switchovers and protocol restarts.
4. Configure BFD for LSP to quickly detect LDP LSP faults on the core ring.


2.7.4.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Plan data before configuring MPLS LDP.

Table 2-19 MPLS parameters

Parameter: mpls lsr-id
  Value: IP address of loopback interface 1
  Remarks: Configure LSR IDs before running MPLS commands.

Parameter: label advertise
  Value: non-null
  Remarks: Disable penultimate hop popping (PHP) because it affects switchover performance.

Parameter: bfd bind ldp-lsp
  Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
  Remarks: Configure static BFD for LDP LSPs. Set the local discriminator of the local system to be the same as the remote discriminator of the remote system, and adjust the local detection multiplier of BFD. Set the minimum interval at which BFD packets are sent and received to 3.3 ms. Allow BFD sessions to change the port status table (PST) to speed up switchovers.

2.7.4.3 Enabling MPLS LDP

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
mpls lsr-id 172.16.0.5 //Configure an MPLS LSR ID. The IP address of a loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk4
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk5
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface XGigabitEthernet6/0/4
mpls
mpls ldp //Enable MPLS LDP on an interface.
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
mpls lsr-id 172.16.2.51 //Configure an MPLS LSR ID. The IP address of a loopback interface is recommended.
mpls //Enable MPLS globally.
label advertise non-null //Disable PHP so that the egress node assigns labels to the penultimate hop properly.
#
mpls ldp //Enable MPLS LDP globally.
#
interface Eth-Trunk7
mpls
mpls ldp //Enable MPLS LDP on an interface.
#
interface Eth-Trunk17
mpls
mpls ldp //Enable MPLS LDP on an interface.
#

----End

Checking the Configuration


● Run the display mpls ldp session all command to view the MPLS LDP session
status. Using Core_SPE1 as an example, if the value of Status is Operational,
an MPLS LDP session has been set up successfully.
[Core_SPE1]display mpls ldp session all

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
172.16.0.3:0 Operational DU Passive 0000:00:56 226/226
172.16.0.4:0 Operational DU Active 0000:00:56 226/226
172.16.2.51:0 Operational DU Passive 0000:00:55 223/223
172.16.2.86:0 Operational DU Passive 0000:00:55 223/223
------------------------------------------------------------------------------
TOTAL: 4 session(s) Found.


2.7.4.4 Configuring Synchronization Between LDP and OSPF

Context
LDP LSRs set up LSPs using OSPF. When an LDP session fault (non-link fault)
occurs on the primary LSP or the primary LSP recovers from a fault,
synchronization between LDP and OSPF can prevent traffic loss caused by
switchovers of the primary and backup LSPs.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
interface Eth-Trunk4
ospf ldp-sync //Enable synchronization between LDP and OSPF on the protected interface.
ospf timer ldp-sync hold-down 20 //Set a Hold-down time that an interface uses to delay setting up an OSPF neighbor relationship until an LDP session is set up.
#
interface Eth-Trunk5
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface XGigabitEthernet6/0/4
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
interface Eth-Trunk7
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#
interface Eth-Trunk17
ospf ldp-sync
ospf timer ldp-sync hold-down 20
#

----End

2.7.4.5 Configuring LDP GR

Context
LDP GR can be configured so that traffic forwarding is not interrupted upon
primary/backup switchovers and protocol restarts.


Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
mpls ldp
graceful-restart //Enable LDP GR.
#
● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
mpls ldp
graceful-restart
#

----End

2.7.4.6 Configuring BFD for LSP

Context
To ensure reliability of LDP LSPs between SPEs on the core ring, configure BFD to
detect LDP LSPs quickly.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4 //Enable static BFD to detect the LDP LSP between SPE1 and SPE2.
discriminator local 317 //Set the local discriminator. The local discriminator of the local system must be the same as the remote discriminator of the remote system.
discriminator remote 137 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5 //Enable static BFD to detect the LDP LSP between SPE1 and SPE3.
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End


Checking the Configuration


● Run the display bfd session all for-lsp command to check the BFD for LSP
session status. Using Core_SPE1 as an example, if BFD sessions with the
tunnel type being S_LDP_LSP are all in Up state, BFD for LSP sessions have
been set up successfully.
[Core_SPE1]display bfd session all for-lsp
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
32 23 172.16.0.4 Up S_LDP_LSP Eth-Trunk4
317 137 172.16.0.3 Up S_LDP_LSP Eth-Trunk5
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0

2.7.5 Deploying MPLS TE

2.7.5.1 Configuration Roadmap

Figure 2-22 MPLS TE topology
[Figure: Core_SPE2, Core_SPE3, Site2_UPE3 and Site2_UPE4, with primary TE tunnels TE1 and TE3, backup TE tunnels TE2 and TE4, and CR-LSP paths numbered 1 to 8.]
Legend: primary path of a TE tunnel; backup path of a TE tunnel. Dashed lines in the same color indicate the primary and backup paths of a TE tunnel. Pipes indicate primary and backup TE tunnels of L3VPN services.

The configuration roadmap is as follows:
1. Enable MPLS TE.
2. Globally enable MPLS, MPLS TE and MPLS TE CSPF on each node along TE
tunnels, and deploy MPLS and MPLS TE on each interface along the TE
tunnels.
3. Configure tunnel paths, enable each node to use primary and backup TE
tunnels, and configure primary and backup CR-LSPs using the affinity
attribute.
4. Create L3VPN service tunnels.
a. Create primary tunnels.
▪ Create primary tunnel TE1 between Site2_UPE3 and Core_SPE2. Specify path 1 as the primary CR-LSP and path 2 as the backup CR-LSP.
▪ Create primary tunnel TE3 between Site2_UPE4 and Core_SPE3. Specify path 5 as the primary CR-LSP and path 6 as the backup CR-LSP.
b. Create backup tunnels.
▪ Create backup tunnel TE2 between Site2_UPE3 and Core_SPE3, which is the backup tunnel of primary tunnel TE1. Specify path 3 as the primary CR-LSP and path 4 as the backup CR-LSP.
▪ Create backup tunnel TE4 between Site2_UPE4 and Core_SPE2, which is the backup tunnel of primary tunnel TE3. Specify path 7 as the primary CR-LSP and path 8 as the backup CR-LSP.
c. Configure RSVP GR.
Enable RSVP GR on all devices to prevent network disconnection and recover dynamic CR-LSPs upon switchovers on RSVP nodes.
d. Configure BFD for CR-LSP.
Configure static BFD for CR-LSP on all devices to speed up switchovers of the primary and backup CR-LSPs.
5. Create a tunnel policy.
Configure TE tunnels to be preferentially selected.

2.7.5.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Table 2-20 MPLS parameters

Parameter: mpls te
  Value: -
  Remarks: Enable MPLS TE.

Parameter: mpls rsvp-te
  Value: -
  Remarks: Enable MPLS RSVP-TE.

Parameter: mpls rsvp-te hello
  Value: -
  Remarks: Enable the RSVP Hello extension mechanism.

Parameter: mpls rsvp-te hello full-gr
  Value: -
  Remarks: Enable the RSVP GR and RSVP GR Helper capabilities of the GR node.

Parameter: mpls te cspf
  Value: -
  Remarks: Enable the MPLS TE CSPF algorithm.

Table 2-21 MPLS TE tunnel parameters

Parameter: interface Tunnel
  Value: Number of a tunnel interface
  Remarks: It is recommended that tunnel IDs be associated with device names and descriptions be added for tunnel interfaces.

Parameter: ip address unnumbered
  Value: interface LoopBack1
  Remarks: Configure a tunnel interface to borrow an IP address from loopback interface 1.

Parameter: tunnel-protocol
  Value: mpls te
  Remarks: Enable the TE tunnel function.

Parameter: destination
  Value: IP address of remote loopback interface 1
  Remarks: Specify the destination IP address.

Parameter: mpls te tunnel-id
  Value: Tunnel ID
  Remarks: Set a tunnel ID.

Parameter: mpls te affinity property
  Value: Configure the affinity attribute for the primary and backup CR-LSPs based on link management group attributes.
  Remarks: -

Parameter: mpls te backup
  Value: hot-standby
  Remarks: Configure the hot standby mode of the tunnel.

Parameter: bfd bind mpls-te interface Tunnel te-lsp
  Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
  Remarks: Configure static BFD to detect the backup CR-LSP of a TE tunnel. Set the local discriminator of the local system to be the same as the remote discriminator of the remote system, and adjust the local detection multiplier of BFD. Set the minimum interval at which BFD packets are sent and received to 3.3 ms. Allow BFD sessions to change the PST to speed up switchovers.

Parameter: bfd bind mpls-te interface Tunnel
  Value: discriminator local, discriminator remote, detect-multiplier, min-tx-interval, min-rx-interval, process-pst
  Remarks: Configure static BFD to detect the primary CR-LSP of a TE tunnel. Set the local discriminator of the local system to be the same as the remote discriminator of the remote system, and adjust the local detection multiplier of BFD. Set the minimum interval at which BFD packets are sent and received to 3.3 ms. Allow BFD sessions to change the PST to speed up switchovers.

Parameter: tunnel-policy
  Value: Tunnel policy name: TSel; tunnel select-seq cr-lsp lsp load-balance-number 1. Tunnel policy on the core device: TE; tunnel select-seq cr-lsp load-balance-number 1
  Remarks: Configure tunnel policies for preferentially selecting CR-LSPs.

Table 2-22 MPLS TE tunnel list

Tunnel | Tunnel Interface | Tunnel ID
Core_SPE1 to Site1_UPE1 / Site1_UPE1 to Core_SPE1 | Tunnel611 | 71
Core_SPE1 to Site1_UPE2 / Site1_UPE2 to Core_SPE1 | Tunnel622 | 82
Core_SPE1 to Site3_UPE5 / Site3_UPE5 to Core_SPE1 | Tunnel721 | 312
Core_SPE1 to Site3_UPE6 / Site3_UPE6 to Core_SPE1 | Tunnel711 | 311
Core_SPE2 to Site2_UPE3 / Site2_UPE3 to Core_SPE2 | Tunnel111 | 111
Core_SPE2 to Site2_UPE4 / Site2_UPE4 to Core_SPE2 | Tunnel121 | 121
Core_SPE2 to Site1_UPE1 / Site1_UPE1 to Core_SPE2 | Tunnel612 | 72
Core_SPE2 to Site1_UPE2 / Site1_UPE2 to Core_SPE2 | Tunnel621 | 81
Core_SPE3 to Site2_UPE3 / Site2_UPE3 to Core_SPE3 | Tunnel112 | 112
Core_SPE3 to Site2_UPE4 / Site2_UPE4 to Core_SPE3 | Tunnel122 | 122
Core_SPE3 to Site3_UPE5 / Site3_UPE5 to Core_SPE3 | Tunnel722 | 322
Core_SPE3 to Site3_UPE6 / Site3_UPE6 to Core_SPE3 | Tunnel712 | 321

2.7.5.3 Configuring MPLS TE Tunnels and Hot Standby

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk4
mpls te //Enable MPLS TE on an interface.
mpls te link administrative group c //Configure the link management group attribute for the TE tunnel to select primary and backup paths.
mpls rsvp-te //Enable RSVP-TE on an interface.
#
interface Eth-Trunk5
mpls te
mpls te link administrative group 30
mpls rsvp-te
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
interface XGigabitEthernet6/0/4
mpls te
mpls te link administrative group 20
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque capability of OSPF.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the OSPF area.
#
interface Tunnel611 //Specify the tunnel from Core_SPE1 to Site1_UPE1.
description Core_SPE1 to Site1_UPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface to borrow the IP address of a loopback interface.
tunnel-protocol mpls te //Set the tunnel protocol to MPLS TE.
destination 172.16.2.51 //Configure the IP address of Site1_UPE1 as the tunnel destination IP address.
mpls te tunnel-id 71 //Configure a tunnel ID, which must be valid and unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity attribute of the backup CR-LSP.
mpls te backup hot-standby //Configure the hot standby mode of tunnels.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for the configuration to take effect.
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure the CR-LSP to be preferentially selected.
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
mpls
mpls te //Enable MPLS TE globally.
mpls rsvp-te //Enable RSVP-TE.
mpls te cspf //Enable the CSPF algorithm.
#
interface Eth-Trunk7
mpls te //Enable MPLS TE on an interface.
mpls te link administrative group c //Configure the link management group attribute for the TE tunnel to select primary and backup paths.
mpls rsvp-te //Enable RSVP-TE on an interface.
#
interface Eth-Trunk17
mpls te
mpls te link administrative group 4
mpls rsvp-te
#
ospf 1
opaque-capability enable //Enable the Opaque capability of OSPF.
area 0.0.0.0
mpls-te enable //Enable MPLS TE in the OSPF area.
#
interface Tunnel611 //Specify the tunnel from Site1_UPE1 to Core_SPE1.
description Site1_UPE1 to Core_SPE1 //Configure the interface description.
ip address unnumbered interface LoopBack1 //Configure a tunnel interface to borrow the IP address of a loopback interface.
tunnel-protocol mpls te //Set the tunnel protocol to MPLS TE.
destination 172.16.0.5 //Configure the IP address of Core_SPE1 as the tunnel destination IP address.
mpls te tunnel-id 71 //Configure a tunnel ID, which must be valid and unique on the local device.
mpls te record-route //Configure the tunnel to record detailed route information for maintenance.
mpls te affinity property 4 mask 4 //Configure the affinity attribute of the primary CR-LSP for selecting the optimal forwarding path.
mpls te affinity property 8 mask 8 secondary //Configure the affinity attribute of the backup CR-LSP.
mpls te backup hot-standby //Configure the hot standby mode of tunnels.
mpls te commit //Commit all the MPLS TE configuration of the tunnel for the configuration to take effect.
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
tunnel-policy TSel //Configure a tunnel policy.
tunnel select-seq cr-lsp lsp load-balance-number 1 //Configure the CR-LSP to be preferentially selected.
#

----End
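The affinity lines above decide, per link, whether a CR-LSP may use it at all; a mistyped mask leaves a tunnel with no eligible first hop and CSPF simply never brings the CR-LSP up. The following Python script is an added example, not part of this document or of the switch software: it takes the link administrative groups and tunnel affinity lines exactly as shown for Core_SPE1 (constructed into a string, values unchanged) and lists which local links each primary and secondary CR-LSP may leave on. The matching rule it applies is an assumption stated in the code (the rule Huawei documents for MPLS TE affinity: among the bits selected by the mask, at least one bit set in the affinity must be set in the link's administrative group, and every bit clear in the affinity must be clear in the group); values are read as hexadecimal, as the CLI takes them.

```python
import re

# Constructed sample: link administrative groups and tunnel affinity lines copied
# from the Core_SPE1 configuration in this section (hexadecimal, as the CLI takes them).
CORE_SPE1_CFG = """\
interface Eth-Trunk4
 mpls te link administrative group c
#
interface Eth-Trunk5
 mpls te link administrative group 30
#
interface Eth-Trunk17
 mpls te link administrative group 4
#
interface XGigabitEthernet6/0/4
 mpls te link administrative group 20
#
interface Tunnel611
 mpls te affinity property 4 mask 4
 mpls te affinity property 8 mask 8 secondary
#
interface Tunnel622
 mpls te affinity property 8 mask 8
 mpls te affinity property 4 mask 4 secondary
#
interface Tunnel711
 mpls te affinity property 20 mask 20
 mpls te affinity property 10 mask 10 secondary
#
interface Tunnel721
 mpls te affinity property 10 mask 10
 mpls te affinity property 20 mask 20 secondary
#
"""


def link_eligible(admin_group, affinity, mask):
    """Affinity matching rule assumed here (Huawei MPLS TE semantics): of the bits
    selected by the mask, at least one bit that is 1 in the affinity must be 1 in
    the link's administrative group, and every bit that is 0 in the affinity must
    be 0 in the administrative group. Bits outside the mask are ignored."""
    if admin_group & (mask & ~affinity):
        return False
    want_one = mask & affinity
    return want_one == 0 or (admin_group & want_one) != 0


def parse(cfg):
    """Return ({link: admin_group}, {tunnel: {role: (affinity, mask)}})."""
    links, tunnels, cur = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith("mpls te link administrative group "):
            links[cur] = int(line.split()[-1], 16)
        else:
            m = re.match(r"mpls te affinity property (\S+) mask (\S+)( secondary)?$", line)
            if m:
                role = "secondary" if m.group(3) else "primary"
                tunnels.setdefault(cur, {})[role] = (int(m.group(1), 16), int(m.group(2), 16))
    return links, tunnels


def eligible_links(cfg):
    """Map (tunnel, role) to the sorted list of local links that CR-LSP may leave on."""
    links, tunnels = parse(cfg)
    return {(tun, role): sorted(name for name, grp in links.items() if link_eligible(grp, aff, mask))
            for tun, roles in tunnels.items() for role, (aff, mask) in roles.items()}


def unroutable(cfg):
    """(tunnel, role) pairs whose affinity excludes every local link: CSPF has no
    first hop, so that CR-LSP never comes up."""
    return sorted(k for k, v in eligible_links(cfg).items() if not v)


if __name__ == "__main__":
    for (tun, role), links in sorted(eligible_links(CORE_SPE1_CFG).items()):
        print(f"{tun} {role:9s} -> {', '.join(links) or 'NO ELIGIBLE LINK'}")
    print("unroutable:", unroutable(CORE_SPE1_CFG))
```

For Tunnel611 the secondary affinity (8/8) admits only Eth-Trunk4 at the headend, while the primary (4/4) admits Eth-Trunk4 and Eth-Trunk17; CSPF picks the shortest eligible path, which is the direct Eth-Trunk17 link to Site1_UPE1. That matches the tracert output in "Checking the Configuration", where the hot-standby LSP enters the core through 172.17.4.9 on Eth-Trunk4 and the primary LSP reaches Site1_UPE1 in one hop.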

Checking the Configuration


● Run the display mpls te tunnel-interface Tunnel command to check local
tunnel interface information.
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, if both the
primary and backup LSPs of tunnel 611 are in UP state, the primary and
backup LSPs have been set up successfully.
[Core_SPE1]display mpls te tunnel-interface Tunnel611
----------------------------------------------------------------
Tunnel611
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 71
Ingress LSR ID : 172.16.0.5 Egress LSR ID: 172.16.2.51
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 1
Hot-Standby LSP State : UP
Main LSP State : READY LSP ID : 32772

● Run the display mpls te hot-standby state all command to view status of all
HSB tunnels.
Using Core_SPE1 as an example, if all HSB tunnels of Core_SPE1 are in
Primary LSP state, traffic has been switched to primary CR-LSPs.
[Core_SPE1]display mpls te hot-standby state all
---------------------------------------------------------------------
No. tunnel name session id switch result
---------------------------------------------------------------------
1 Tunnel611 71 Primary LSP
2 Tunnel622 82 Primary LSP
3 Tunnel711 311 Primary LSP
4 Tunnel721 312 Primary LSP

● Run the ping lsp te tunnel command to check bidirectional connectivity of
the master and backup TE tunnels of each device.
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, run the
following ping commands on both ends of the TE tunnel:
[Core_SPE1] ping lsp te Tunnel611
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes, press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=5 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
[Core_SPE1] ping lsp te Tunnel611 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 : 100 data bytes, press CTRL_C to break
Reply from 172.16.2.51: bytes=100 Sequence=1 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=2 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=3 time=3 ms
Reply from 172.16.2.51: bytes=100 Sequence=4 time=2 ms
Reply from 172.16.2.51: bytes=100 Sequence=5 time=3 ms

--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

● Run the tracert lsp te Tunnel command to detect LSPs.
Using tunnel 611 from Core_SPE1 to Site1_UPE1 as an example, ensure that
the primary and backup tunnel paths are different.
[Core_SPE1]tracert lsp te Tunnel611
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.11/[1078 ]
1 172.16.2.51 3 ms Egress
[Core_SPE1]tracert lsp te Tunnel611 hot-standby
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel611 , press CTRL_C to break.
TTL Replier Time Type Downstream
0 Ingress 172.17.4.9/[1391 ]
1 172.17.4.9 3 ms Transit 172.17.4.13/[1169 ]
2 172.17.4.13 7 ms Transit 172.17.4.14/[1109 ]
3 172.16.2.51 4 ms Egress

2.7.5.4 Configuring RSVP GR

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper capabilities.
#
interface Eth-Trunk4
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an interface.
#
interface Eth-Trunk5
mpls rsvp-te hello
#
interface Eth-Trunk17
mpls rsvp-te hello
#
interface XGigabitEthernet6/0/4
mpls rsvp-te hello
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
mpls
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism globally.
mpls rsvp-te hello full-gr //Enable the RSVP GR and RSVP GR Helper capabilities.
#
interface Eth-Trunk7
mpls rsvp-te hello //Enable the RSVP Hello extension mechanism on an interface.
#
interface Eth-Trunk17
mpls rsvp-te hello
#

----End


2.7.5.5 Configuring BFD for CR-LSP

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup //Enable static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6116 //Set the local discriminator. The local discriminator of the local system must be the same as the remote discriminator of the remote system.
discriminator remote 6115 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup //Enable static BFD to detect the backup CR-LSP of TE tunnel 622.
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp //Enable static BFD to detect the primary CR-LSP of TE tunnel 622.
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup //Enable static BFD to detect the backup CR-LSP of TE tunnel 721.
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp //Enable static BFD to detect the primary CR-LSP of TE tunnel 721.
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup //Enable static BFD to detect the backup CR-LSP of TE tunnel 711.
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp //Enable static BFD to detect the primary CR-LSP of TE tunnel 711.
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup //Enable static BFD to detect the backup CR-LSP of TE tunnel 611.
discriminator local 6115 //Set the local discriminator. The local discriminator of the local system must be the same as the remote discriminator of the remote system.
discriminator remote 6116 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
process-pst //Allow BFD sessions to change the PST to speed up switchovers.
commit //Commit the BFD session configuration.
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp //Enable static BFD to detect the primary CR-LSP of TE tunnel 611.
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup //Enable static BFD to detect the
backup CR-LSP of TE tunnel 612.
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp //Enable static BFD to detect the
primary CR-LSP of TE tunnel 612.
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#

----End

Checking the Configuration

● Run the display bfd session all for-te command to view the BFD session status.
Using Core_SPE1 as an example, if all BFD sessions whose Type is S_TE_LSP are in the Up state, the BFD sessions have been set up successfully.
[Core_SPE1]display bfd session all for-te
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
7112 7111 172.16.2.86 Up S_TE_LSP Tunnel711
7212 7211 172.16.2.87 Up S_TE_LSP Tunnel721
7216 7215 172.16.2.87 Up S_TE_LSP Tunnel721
7116 7115 172.16.2.86 Up S_TE_LSP Tunnel711
6226 6225 172.16.2.50 Up S_TE_LSP Tunnel622
6116 6115 172.16.2.51 Up S_TE_LSP Tunnel611
6112 6111 172.16.2.51 Up S_TE_LSP Tunnel611
6222 6221 172.16.2.50 Up S_TE_LSP Tunnel622
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 8/0
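The discriminator rule stated in the comments above (the local discriminator of one end must equal the remote discriminator of the other end, on the same TE tunnel) is easy to get wrong across dozens of static sessions, and a session that is merely Up does not prove it is paired with the intended tunnel. The following Python script is an added example and is not part of this guide or of the switch software. It parses the Site1_UPE1 BFD session blocks and the Core_SPE1 display bfd session all for-te output shown above (both copied here as constructed sample text) and reports every local session whose discriminators, tunnel binding or state do not mirror the peer's table. The row regular expression assumes the six-column layout of the output above.

```python
"""Cross-check static BFD-for-TE sessions against the peer's session table."""
import re

# Constructed sample: the Site1_UPE1 sessions toward Core_SPE1 shown above.
UPE1_BFD_CONFIG = """\
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6115
discriminator remote 6116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
"""

# Constructed sample: the Core_SPE1 'display bfd session all for-te' output shown above.
SPE1_BFD_DISPLAY = """\
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
7112 7111 172.16.2.86 Up S_TE_LSP Tunnel711
7212 7211 172.16.2.87 Up S_TE_LSP Tunnel721
7216 7215 172.16.2.87 Up S_TE_LSP Tunnel721
7116 7115 172.16.2.86 Up S_TE_LSP Tunnel711
6226 6225 172.16.2.50 Up S_TE_LSP Tunnel622
6116 6115 172.16.2.51 Up S_TE_LSP Tunnel611
6112 6111 172.16.2.51 Up S_TE_LSP Tunnel611
6222 6221 172.16.2.50 Up S_TE_LSP Tunnel622
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 8/0
"""

HEADER_RE = re.compile(r"^bfd (\S+) bind mpls-te interface (\S+) te-lsp( backup)?$")
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_bfd_config(text):
    """Return {session name: {tunnel, backup, local, remote}} for each BFD block."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"tunnel": m.group(2), "backup": m.group(3) is not None}
            sessions[m.group(1)] = cur
        elif cur is not None and line.startswith("discriminator "):
            _, side, value = line.split()       # 'discriminator local 6115'
            cur[side] = int(value)
        elif line == "#":
            cur = None                          # end of the block
    return sessions


def parse_bfd_display(text):
    """Return one dict per session row of 'display bfd session all for-te'."""
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            local, remote, peer, state, typ, ifname = m.groups()
            rows.append({"local": int(local), "remote": int(remote), "peer": peer,
                         "state": state, "type": typ, "interface": ifname})
    return rows


def check_pairing(local_cfg, peer_rows):
    """Map each local session name to a problem string, or None when consistent.

    Consistent means: the peer has a session whose local discriminator is our
    remote one, whose remote discriminator is our local one, which is bound to
    the same TE tunnel, and which is Up.
    """
    by_local = {r["local"]: r for r in peer_rows if r["type"] == "S_TE_LSP"}
    report = {}
    for name, s in local_cfg.items():
        peer = by_local.get(s["remote"])
        if peer is None:
            report[name] = "no peer session with local discriminator %d" % s["remote"]
        elif peer["remote"] != s["local"]:
            report[name] = "peer remote %d != local %d" % (peer["remote"], s["local"])
        elif peer["interface"] != s["tunnel"]:
            report[name] = "peer bound to %s, local bound to %s" % (peer["interface"], s["tunnel"])
        elif peer["state"] != "Up":
            report[name] = "peer session state is %s" % peer["state"]
        else:
            report[name] = None
    return report


def all_sessions_up(rows):
    """True when there is at least one session row and every row reports Up."""
    return bool(rows) and all(r["state"] == "Up" for r in rows)


if __name__ == "__main__":
    pairing = check_pairing(parse_bfd_config(UPE1_BFD_CONFIG),
                            parse_bfd_display(SPE1_BFD_DISPLAY))
    for name, problem in pairing.items():
        print(name, "OK" if problem is None else problem)
```

Run it against the UPE's running configuration and the SPE's session table after each change; a session that is Up but paired with the wrong tunnel, or whose discriminators were transposed, is reported even though the Total UP/DOWN counter looks healthy.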

2.7.6 Deploying L3VPN Services and Protection (HoVPN)

2.7.6.1 Configuration Roadmap


On a rail transit bearer network, L3VPN tunnels must be set up between nodes to carry IP services. For example, set up a hierarchical L3VPN (HoVPN) from Site1_UPE1 to Site2_UPE3 to transmit IP data services between Site1 and Site2, as shown in Figure 2-23.

Figure 2-23 Hierarchical L3VPN
[Figure not reproduced. It shows CE1, CE2 and CE3 (all in vpna) dual-homed to Site1_UPE1/Site1_UPE2, Site2_UPE3/Site2_UPE4 and Site3_UPE5/Site3_UPE6 respectively; the UPEs connect over L3VPN to the core ring formed by Core_SPE1, Core_SPE2 and Core_SPE3. VPN FRR is marked at the UPEs and at the SPEs, and IP+VPN hybrid FRR between Site2_UPE3 and Site2_UPE4. UPEs reach the SPEs through a default route and SPEs reach the UPEs through specific routes. The primary path for traffic of vpna is drawn from Site1_UPE1 through Core_SPE1.]

The configuration roadmap is as follows:

1. Deploy MP-BGP.
– Set up MP-IBGP peer relationships between UPEs and SPEs and between
SPEs.
– Configure routing policies so that traffic from UPEs to SPEs is forwarded through the default route and traffic from SPEs to UPEs is forwarded through specific routes.
– Configure route priority policies to enable UPEs to forward traffic to other
sites preferentially through SPEs directly connected to the UPEs.
– Configure route priority policies to enable SPEs to forward traffic to other
sites preferentially through UPEs directly connected to the SPEs.
– Configure route filtering policies to disable SPEs from advertising ARP
Vlink direct routes at the local sites to UPEs at other sites.
– Configure route filtering policies to disable SPEs from receiving route
information about sites directly connected to them from other SPEs,
preventing route loops. For example, disable Core_SPE2 from receiving
routes of Site1 from Core_SPE1 and routes of Site2 from Core_SPE3.
2. Deploy VPN services.
– Deploy VPN instances on UPEs and SPEs, and bind interfaces to the VPN instances on UPEs, but not on SPEs.
– Preferentially use TE tunnels to bear VPN services on UPEs. In hybrid FRR mode, LSP tunnels can be used to bear VPN services.
– Configure a tunnel policy selector on an SPE to enable the SPE to select
any tunnel policy when the next-hop address of a VPNv4 route has the
prefix of another SPE and to select a TE tunnel in other scenarios.
– Deploy VRRP on two UPEs at a site, and send information about ARP
Vlink direct routes to the neighboring SPEs so that the SPEs select the
optimal route to send packets to the CE.
3. Configure reliability protection.
– Deploy VRRP on two UPEs at a site to implement gateway backup and
ensure reliability of uplink traffic on CEs. Configure backup devices to
forward service traffic, minimizing the impact of VRRP switchovers on
services.
– Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and an SPE
is faulty, traffic is automatically switched to the TE tunnel between the
UPE and another SPE at the same site, minimizing the impact on VPN
services.
– Deploy VPN FRR on an SPE, for example Core_SPE1. If Core_SPE2 connected to Core_SPE1 is faulty, Core_SPE1 switches VPN services to Core_SPE3, implementing fast E2E switchovers of VPN services.
– Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE
is faulty, traffic is automatically switched to the TE tunnel between the
SPE and another UPE at the same site, minimizing the impact on VPN
services.
– Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a
fault on the link between the UPE and its connected CE, the UPE quickly
switches traffic to its peer UPE, and the peer UPE then forwards the
traffic to the CE.
– Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic
forwarding during a master/backup switchover on the device transmitting
VPN services.

2.7.6.2 Data Plan

The data provided in this section is used as an example, which may vary depending on the
network scale and topology.

Table 2-23 Service interfaces

NE           Role        Value                                        Remarks
Site1_UPE1   interface   XGigabitEthernet1/0/4.200: 172.18.200.66/26  -
Site1_UPE2   interface   XGigabitEthernet1/0/4.200: 172.18.200.67/26  -
Site2_UPE3   interface   XGigabitEthernet0/0/2.150: 172.18.150.2/26   -
Site2_UPE4   interface   XGigabitEthernet0/0/2.150: 172.18.150.3/26   -
Site3_UPE5   interface   XGigabitEthernet0/0/2.100: 172.18.100.2/26   -
Site3_UPE6   interface   XGigabitEthernet0/0/2.100: 172.18.100.3/26   -

Table 2-24 MPLS VPN parameters

Parameter           Value            Remarks
VPN instance name   vpna             -
RD value            UPE: 1:1         It is recommended that the same RD value be set on UPEs and SPEs. If different RD values are set, to make VPN FRR take effect, you need to run the vpn-route cross multipath command to add multiple VPNv4 routes to a VPN instance with a different RD value from these routes' RD values.
                    Core_SPE1: 5:1
                    Core_SPE2: 3:1
                    Core_SPE3: 4:1
RT                  0:1              Plan the same RT on the entire network.

Table 2-25 BGP parameters

All nine devices use BGP process ID 65000 and enable policy vpn-target. A tunnel policy selector is deployed only on Core_SPE1, Core_SPE2 and Core_SPE3. The Preferred SPE column gives, for each UPE, the SPE whose peer priority is raised so that the UPE preferentially selects routes advertised by that SPE; it does not apply to SPEs.

Device       Router ID     Peer group devCore        Peer group devHost                                    Preferred SPE
Core_SPE1    172.16.0.5    172.16.0.3, 172.16.0.4    172.16.2.50, 172.16.2.51, 172.16.2.86, 172.16.2.87    -
Core_SPE2    172.16.0.3    172.16.0.4, 172.16.0.5    172.16.2.50, 172.16.2.51, 172.16.2.75, 172.16.2.76    -
Core_SPE3    172.16.0.4    172.16.0.3, 172.16.0.5    172.16.2.75, 172.16.2.76, 172.16.2.86, 172.16.2.87    -
Site1_UPE1   172.16.2.51   172.16.0.3, 172.16.0.5    172.16.2.50                                           Core_SPE1
Site1_UPE2   172.16.2.50   172.16.0.3, 172.16.0.5    172.16.2.51                                           Core_SPE2
Site2_UPE3   172.16.2.75   172.16.0.3, 172.16.0.4    172.16.2.76                                           Core_SPE2
Site2_UPE4   172.16.2.76   172.16.0.3, 172.16.0.4    172.16.2.75                                           Core_SPE3
Site3_UPE5   172.16.2.87   172.16.0.4, 172.16.0.5    172.16.2.86                                           Core_SPE3
Site3_UPE6   172.16.2.86   172.16.0.4, 172.16.0.5    172.16.2.87                                           Core_SPE1

2.7.6.3 Configuring MP-BGP

BGP Connection Diagram

[Diagram not reproduced. Legend: BGP peers; n = preferred-value; community attribute. It shows the IBGP sessions of AS 65000: each UPE peers with the two SPEs that serve its site and with the other UPE at the same site, and the three SPEs peer with one another. Routes of Site1 carry the communities 100:100, 5720:5720 and 12:12; routes of Site2 carry 200:200, 5720:5720 and 23:23; routes of Site3 carry 300:300, 5720:5720 and 13:13. Each UPE assigns preferred-value 300 to the SPE it prefers and 200 to the other SPE.]
Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp //Configure a tunnel policy selector so that Core_SPE1 can select any tunnel for iteration when the next-hop address of a VPNv4 route matches the prefix of another SPE.
#
tunnel-selector TSel permit node 10 //Iterate a route received from an IBGP peer to a TE tunnel when the route is forwarded to another IBGP peer and Core_SPE1 modifies the next hop of the route to itself.
apply tunnel-policy TE
#
bgp 65000
group devCore internal //Create an IBGP peer group.
peer devCore connect-interface LoopBack1 //Use loopback interface 1 and its address as the source interface and address of BGP packets.
peer 172.16.0.3 as-number 65000 //Set up a peer relationship between SPEs.
peer 172.16.0.3 group devCore //Add SPEs to the IBGP peer group.
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
tunnel-selector TSel //An SPE advertises the default route to UPEs, modifies the next hop of UPEs' routes to itself and forwards the routes to other SPEs. Therefore, configure a tunnel policy selector so that BGP VPNv4 routes sent to UPEs are iterated to TE tunnels and BGP VPNv4 routes sent to other SPEs are iterated to LSPs.
peer devCore enable
peer devCore route-policy core-import import //Filter out all routes of the sites directly connected to Core_SPE1 when Core_SPE1 receives routes from other SPEs.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import //Filter out host routes received from UPEs; set the preferred value of routes from the UPEs directly connected to Core_SPE1 to 300 and the preferred value of routes from other UPEs to 200.
peer devHost advertise-community //Advertise community attributes to the IBGP peer group.
peer devHost upe //Configure the peers in devHost as UPEs.
peer devHost default-originate vpn-instance vpna //Send the default route of VPN instance vpna to UPEs.
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
#
route-policy p_iBGP_RR_in deny node 5 //Filter out the host routes of all sites (both if-match clauses of the node must match).
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11 //Set the preferred value of routes from the UPEs directly connected to Core_SPE1 to 300.
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12 //Set the preferred value of routes from other UPEs to 200.
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13 //Set the preferred value of routes from other UPEs to 200.
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20 //Permit all the other routes.
#
route-policy core-import deny node 5 //Deny all routes of sites directly connected to Core_SPE1.
if-match community-filter site12
#
route-policy core-import deny node 6 //Deny all routes of sites directly connected to Core_SPE1.
if-match community-filter site13
#
route-policy core-import permit node 10 //Permit all the other routes.
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32 //Match all 32-bit host routes and no other routes.
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32 //Match 172.16.0.3/32 and 172.16.0.4/32 (the loopback addresses of the other SPEs) and no other routes.
#
ip community-filter basic site1 permit 100:100 //Create the community attribute filter site1, which matches community 100:100.
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#

● Configure UPEs.

The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not mentioned here.
bgp 65000
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export //Set the community attributes of the routes that Site1_UPE1 sends to SPEs.
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200 //Set the preferred value of routes received from Core_SPE2 to 200.
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300 //Set the preferred value of routes received from Core_SPE1 to 300 so that Site1_UPE1 preferentially selects routes advertised by Core_SPE1.
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
#
route-policy p_iBGP_host_ex permit node 0 //Add the community attribute for the route.
apply community 100:100 5720:5720 12:12
#

----End
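The community-driven policies above (p_iBGP_host_ex on the UPE, p_iBGP_RR_in and core-import on the SPEs) decide which routes each SPE accepts and with what preferred value, and a wrong community or node order silently changes the forwarding path or opens a route loop. The following Python model is an added example and is not part of this guide or of the switch software. It implements the route-policy semantics the configuration relies on (nodes evaluated in index order, every if-match clause of a node must match, the first matching node decides, and a route matching no node is denied) and runs constructed Site1 routes through the UPE1 export policy, the Core_SPE1 import policy and the core-import policies of the three SPEs. The Core_SPE1 policies are taken from the configuration above; the community sets denied by Core_SPE2 and Core_SPE3, and the 23:23 tag for Site2, are assumptions derived from the roadmap and the BGP connection diagram.

```python
"""Simulate the BGP import/export policies of the HoVPN example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str                     # e.g. "172.18.200.64/26"
    communities: frozenset          # community values such as "100:100"
    preferred_value: int = 0        # local preferred-value, 0 by default

    @property
    def length(self):
        return int(self.prefix.split("/")[1])


@dataclass(frozen=True)
class Node:
    """One 'route-policy ... permit|deny node N' with its if-match and apply clauses."""
    action: str                                 # "permit" or "deny"
    communities: frozenset = frozenset()        # if-match community-filter (single-value filters)
    length_range: tuple = None                  # if-match ip-prefix: (greater-equal, less-equal)
    apply_preferred: int = None                 # apply preferred-value
    apply_communities: frozenset = frozenset()  # apply community


def evaluate(policy, route):
    """VRP route-policy semantics: nodes in order, every if-match clause of a
    node must match, the first matching node decides, no match means deny.
    Returns the (possibly modified) route, or None when denied."""
    for node in policy:
        if node.communities and not (node.communities & route.communities):
            continue
        if node.length_range and not (node.length_range[0] <= route.length <= node.length_range[1]):
            continue
        if node.action == "deny":
            return None
        if node.apply_preferred is not None:
            route = replace(route, preferred_value=node.apply_preferred)
        if node.apply_communities:
            route = replace(route, communities=route.communities | node.apply_communities)
        return route
    return None


# route-policy p_iBGP_host_ex on Site1_UPE1: tag exported routes with the site,
# all-site and SPE-pair communities (values taken from the configuration above).
UPE1_EXPORT = [Node("permit", apply_communities=frozenset({"100:100", "5720:5720", "12:12"}))]

# route-policy p_iBGP_RR_in on Core_SPE1, as configured above.
SPE1_RR_IN = [
    Node("deny", communities=frozenset({"5720:5720"}), length_range=(32, 32)),  # node 5
    Node("permit", communities=frozenset({"100:100"}), apply_preferred=300),     # node 11
    Node("permit", communities=frozenset({"200:200"}), apply_preferred=200),     # node 12
    Node("permit", communities=frozenset({"300:300"}), apply_preferred=200),     # node 13
    Node("permit"),                                                              # node 20
]


def core_import(*pair_tags):
    """route-policy core-import: deny the SPE-pair tags of the sites this SPE
    already learns directly, permit everything else."""
    return [Node("deny", communities=frozenset({t})) for t in pair_tags] + [Node("permit")]


# Core_SPE1 follows the configuration above; the tag sets for Core_SPE2 and
# Core_SPE3 are an assumption derived from the roadmap (Site2 tagged 23:23).
CORE_IMPORT = {
    "Core_SPE1": core_import("12:12", "13:13"),
    "Core_SPE2": core_import("12:12", "23:23"),
    "Core_SPE3": core_import("13:13", "23:23"),
}


def propagate_from_site1(route):
    """Follow a route from Site1_UPE1: UPE1 export policy, Core_SPE1 import
    policy, then Core_SPE1's re-advertisement to the other two SPEs."""
    result = {}
    tagged = evaluate(UPE1_EXPORT, route)
    at_spe1 = evaluate(SPE1_RR_IN, tagged) if tagged is not None else None
    result["Core_SPE1"] = at_spe1
    for spe in ("Core_SPE2", "Core_SPE3"):
        if at_spe1 is None:
            result[spe] = None
            continue
        # preferred-value is local to the router and is not carried in the UPDATE.
        result[spe] = evaluate(CORE_IMPORT[spe], replace(at_spe1, preferred_value=0))
    return result


if __name__ == "__main__":
    for prefix in ("172.18.200.64/26", "172.18.200.68/32"):
        print(prefix, propagate_from_site1(Route(prefix, frozenset())))
```

Running the model shows the two effects the roadmap asks for: the Site1 subnet reaches Core_SPE1 with preferred value 300 and is re-advertised to Core_SPE3 but dropped by Core_SPE2, which already learns Site1 directly, and the /32 host route generated by the ARP Vlink import is dropped at Core_SPE1 by node 5 because it carries 5720:5720 and has a 32-bit mask. Reordering node 20 ahead of node 5 in the model, as a mistake in the real configuration would, makes the host routes leak into the core.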

Checking the Configuration

● Run the display bgp vpnv4 all peer command to check the BGP VPNv4 peer status.
Using Core_SPE1 as an example, if the value of State is Established for every peer, the BGP peer relationships have been set up successfully.
[Core_SPE1]display bgp vpnv4 all peer

BGP local router ID : 172.16.0.5
Local AS number : 65000
Total number of peers : 4 Peers in established state : 4

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
172.16.2.51 4 65000 2102 1859 0 20:55:17 Established 550
172.16.2.86 4 65000 3673 2989 0 0026h03m Established 550
172.16.0.3 4 65000 1659 1462 0 20:57:05 Established 200
172.16.0.4 4 65000 3421 2494 0 0026h03m Established 200

2.7.6.4 Configuring an L3VPN

Context
VPN instances need to be configured to advertise VPNv4 routes and forward data so that sites can communicate over an L3VPN.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an
example. The configurations of Core_SPE2 and Core_SPE3 are similar to the
configuration of Core_SPE1, and are not mentioned here.
ip vpn-instance vpna //Create a VPN instance.
ipv4-family
route-distinguisher 5:1 //Configure an RD.
tnl-policy TSel //Apply tunnel policy TSel to the VPN instance so that its traffic is carried over TE tunnels.
vpn-target 0:1 export-extcommunity //Configure the VPN target extended community attribute.
vpn-target 0:1 import-extcommunity
#
bgp 65000
#
ipv4-family vpnv4
nexthop recursive-lookup delay 10 //Set the next-hop iteration delay to 10s.
route-select delay 120 //Set the route selection delay to 120s to prevent traffic interruption caused by a fast route switchback.
#
ipv4-family vpn-instance vpna
default-route imported //Allow the default route to be imported into VPN instance vpna.
nexthop recursive-lookup route-policy delay_policy //Perform BGP next-hop iteration according to routing policy delay_policy.
nexthop recursive-lookup delay 10
route-select delay 120
#
route-policy delay_policy permit node 0 //Permit routes of all sites.
if-match community-filter all_site
#
● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The
configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and
Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not
mentioned here.
arp vlink-direct-route advertise //Advertise IPv4 ARP Vlink direct routes.
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna //Bind the VPN instance to the corresponding service interface.
arp direct-route enable //Configure the ARP module to report ARP Vlink direct routes to the RM module.
ip address 172.18.200.66 255.255.255.192
arp broadcast enable //Enable ARP broadcast of a VLAN tag termination sub-interface.
#
bgp 65000
#
ipv4-family vpnv4
route-select delay 120
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex //Import direct routes into VPN instance vpna and add the community attributes.
route-select delay 120
#
#
route-policy p_iBGP_RR_ex permit node 0 //Add the community attribute for the route.
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640 //Set the aging time of dynamic ARP entries.
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200 //Configure a static ARP entry.
#

Since V200R010C00, dynamic ARP is supported to meet the reliability requirements in this scenario. Perform the following operations to implement dynamic ARP:
● Run the arp learning passive enable command in the system view to enable passive ARP.
● Run the arp auto-scan enable command in the sub-interface view to enable ARP automatic scanning on the sub-interface.
After the preceding configuration is complete, you do not need to configure the aging time of dynamic ARP entries or static ARP entries.

----End

2.7.6.5 Configuring Reliability Protection

Configuration Roadmap
The configuration roadmap is as follows:

1. Deploy VRRP on two UPEs at a site to ensure reliability of uplink traffic on CEs. Site1 is used as an example, as shown in Figure 2-24.
– Configure Site1_UPE1 as the master node and Site1_UPE2 as the backup
node in a VRRP group. If Site1_UPE1 is faulty, uplink traffic on CE1 will be
quickly switched to Site1_UPE2.
– Configure BFD for VRRP so that hardware-based BFD can detect faults quickly. When a fault is detected, hardware notifies the backup device in the VRRP group to become the master. In addition, hardware directly sends gratuitous ARP packets to instruct access-layer devices to forward traffic to the new master device.
– Configure backup devices to forward service traffic. When the VRRP
status of a device is Backup, the device can forward traffic as long as it
receives traffic. This prevents service traffic loss and shortens service
interruption time if the aggregation device is faulty.

If the number of VRRP groups exceeds the device default value, run the set vrrp max-
group-number max-group-number command on the UPEs to set the maximum
number of allowed VRRP groups.

Figure 2-24 VRRP between two UPEs
[Figure not reproduced: CE1 (vpna) is dual-homed to Site1_UPE1 (Master) and Site1_UPE2 (Backup). VRRP between the two UPEs is tracked by BFD, the backup device is configured to forward service traffic, and both UPEs connect upstream.]

2. Deploy VPN FRR on a UPE. If the TE tunnel between the UPE and an SPE is
faulty, traffic is automatically switched to the TE tunnel between the UPE and
another SPE at the same site. Site1_UPE1 is used as an example, as shown in
Figure 2-25.
Site1_UPE1 has two TE tunnels, to Core_SPE1 and Core_SPE2 respectively. Deploying VPN FRR on Site1_UPE1 ensures that traffic is quickly switched to Core_SPE2 if Core_SPE1 is faulty.

Figure 2-25 VPN FRR from an aggregation device to a core device
[Figure not reproduced: Site1_UPE1 (VPN FRR) reaches the upstream core over an L3VPN primary path to Core_SPE1 and an L3VPN backup path to Core_SPE2; CE1 (vpna) and Site1_UPE2 are also shown.]

3. Deploy VPN FRR on an SPE, for example Core_SPE1. If Core_SPE2 connected to Core_SPE1 is faulty, Core_SPE1 switches VPN services to Core_SPE3, implementing fast E2E switchovers of VPN services, as shown in Figure 2-26.

Figure 2-26 VPN FRR between core devices
[Figure not reproduced: Core_SPE1 (VPN FRR) has an L3VPN primary path to Core_SPE2 and an L3VPN backup path to Core_SPE3 toward the downstream site.]

4. Deploy VPN FRR on an SPE. If the TE tunnel between the SPE and a UPE is
faulty, traffic is automatically switched to the TE tunnel between the SPE and
another UPE at the same site. Core_SPE2 is used as an example, as shown in
Figure 2-27.
Core_SPE2 has two TE tunnels, to Site2_UPE3 and Site2_UPE4 respectively. Deploying VPN FRR on Core_SPE2 ensures that traffic is quickly switched to Site2_UPE4 if Site2_UPE3 is faulty.

Figure 2-27 VPN FRR from a core device to an aggregation device
[Figure not reproduced: Core_SPE2 (VPN FRR) has an L3VPN primary path to Site2_UPE3 and an L3VPN backup path to Site2_UPE4; both UPEs connect downstream to CE2 (vpna). Core_SPE3 is also shown.]

5. Deploy IP+VPN hybrid FRR on UPEs. If the interface of a UPE detects a fault
on the link between the UPE and its connected CE, the UPE quickly switches
traffic to its peer UPE, and the peer UPE then forwards the traffic to the CE.
Site2 is used as an example, as shown in Figure 2-28.
If the link from Site2_UPE3 to CE2 is faulty, traffic is forwarded to Site2_UPE4
through an LSP and then to CE2 using a private IP address, improving
network reliability.

Figure 2-28 Deployment of IP+VPN hybrid FRR on UPEs
[Figure not reproduced: Site2_UPE3 and Site2_UPE4 are connected by an MPLS LDP LSP. IP+VPN hybrid FRR on Site2_UPE3 uses the direct link to CE2 (vpna) as the primary path and the LSP to Site2_UPE4 as the backup path toward the downstream CE.]

6. Deploy VPN GR on all UPEs and SPEs to ensure uninterrupted VPN traffic forwarding during a master/backup switchover on the device transmitting VPN services.

Procedure
● Configure SPEs.
The following uses the configuration of Core_SPE1 on the core ring as an example. The configurations of Core_SPE2 and Core_SPE3 are similar to the configuration of Core_SPE1, and are not mentioned here.
bgp 65000
graceful-restart //Enable BGP GR.
#
ipv4-family vpnv4
auto-frr //Enable VPNv4 FRR.
bestroute nexthop-resolved tunnel //Select a VPNv4 route only when its next hop is iterated to a tunnel, preventing packet loss during a revertive switchover.
#
ipv4-family vpn-instance vpna
auto-frr //Enable VPN auto FRR.
vpn-route cross multipath //Add multiple VPNv4 routes to a VPN instance whose RD differs from these routes' RDs so that VPN FRR takes effect.

● Configure UPEs.
The following uses the configuration of Site1_UPE1 as an example. The configurations of Site1_UPE2, Site2_UPE3, Site2_UPE4, Site3_UPE5, and Site3_UPE6 are similar to the configuration of Site1_UPE1, and are not mentioned here.
ip vpn-instance vpna
ipv4-family
ip frr route-policy mixfrr //Enable IP FRR in the VPN instance according to routing policy mixfrr.
#
interface XGigabitEthernet1/0/4.200
vrrp vrid 1 virtual-ip 172.18.200.65 //Configure VRRP.
vrrp vrid 1 preempt-mode timer delay 250 //Set the preemption delay of the VRRP group.
vrrp vrid 1 track bfd-session 2200 peer //Track the BFD session so that BFD for VRRP triggers master/backup switchovers.
vrrp vrid 1 backup-forward //Enable the backup device to forward service traffic.
vrrp track bfd gratuitous-arp send enable //Send gratuitous ARP packets immediately when BFD for VRRP triggers a master/backup switchover.
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66 //Configure static BFD for VRRP.
discriminator local 2200 //Set the local discriminator. The local discriminator of the local system must be the same as the remote discriminator of the remote system.
discriminator remote 1200 //Set the remote discriminator.
detect-multiplier 8 //Set the local detection multiplier of BFD.
min-tx-interval 3 //Set the minimum interval at which the local device sends BFD packets to 3.3 ms.
min-rx-interval 3 //Set the minimum interval at which the local device receives BFD packets to 3.3 ms.
commit //Commit the BFD session configuration.
#
bgp 65000
graceful-restart
#
ipv4-family vpn-instance vpna
auto-frr
#
#
route-policy mixfrr permit node 0 //Set the backup next hop to loopback interface 1 of the other UPE at the same site.
apply backup-nexthop 172.16.2.50
#

----End

Checking the Configuration

● Run the display ip routing-table vpn-instance command on SPEs to check the VPN FRR status from SPEs to UPEs.
The command output on Core_SPE2 is used as an example. The BkNextHop, BkLabel and BkInterface fields (highlighted in the original output) indicate the backup next hop, backup label and backup tunnel. The command output shows that the VPN FRR entry from Core_SPE2 to a UPE has been generated.
[Core_SPE2]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 1

Destination: 172.18.150.0/26
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.75 Neighbour: 172.16.2.75
State: Active Adv Relied Age: 21h55m50s
Tag: 0 Priority: low
Label: 1025 QoSInfo: 0x0
IndirectID: 0x185
RelayNextHop: 0.0.0.0 Interface: Tunnel111
TunnelID: 0x2 Flags: RD
BkNextHop: 172.16.2.76 BkInterface: Tunnel121
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x3 BkPESecTunnelID: 0x0
BkIndirectID: 0xd

● Run the display ip routing-table vpn-instance command on UPEs to check the IP+VPN hybrid FRR status.
The command output on Site2_UPE3 is used as an example. The BkNextHop, BkLabel and BkInterface fields (highlighted in the original output) indicate the backup next hop, backup label and backup outbound interface. The command output shows that the hybrid FRR entry has been generated: the primary route points to the local sub-interface, and the backup route points to the UPE with IP address 172.16.2.76 at the same site.
[Site2_UPE3]display ip routing-table vpn-instance vpna 172.18.150.4 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 2

Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Tag: 0 Priority: high
Label: NULL QoSInfo: 0x0
IndirectID: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0
BkIndirectID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Tag: 0 Priority: low
Label: 1024 QoSInfo: 0x0
IndirectID: 0xcd
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
● Run the display vrrp interface command to check the VRRP status.
The command output on Site2_UPE3 is used as an example. The State field shows
that the VRRP status of Site2_UPE3 is Master, the Backup-forward field shows
that the backup device has been configured to forward service traffic, and the
Track BFD and BFD-session state fields show that BFD for VRRP has been
configured.
[Site2_UPE3]display vrrp interface XGigabitEthernet0/0/2.150
XGigabitEthernet0/0/2.150 | Virtual Router 1
State : Master
Virtual IP : 172.18.150.1
Master IP : 172.18.150.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 250 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : enabled
Track BFD : 1150 type: peer
BFD-session state : UP
Create time : 2016-05-21 11:02:27
Last change time : 2016-05-21 11:02:55
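As an added check that is not part of the original document, the following Python parses the two verification outputs shown above (the verbose routing-table entries and the display vrrp interface output) and confirms the points the text makes: the hybrid FRR route carries a backup next hop, label and tunnel ID, and the VRRP instance is Master with backup forwarding and BFD tracking up. The field names are those visible in the outputs above; the embedded sample text is copied (abridged) from the Site2_UPE3 output.

```python
"""Verify hybrid FRR and VRRP state from VRP 'display' output (added example)."""
import re

# Field names seen in 'display ip routing-table vpn-instance ... verbose' output.
_ROUTE_KEYS = (
    "Destination", "Protocol", "Process ID", "Preference", "Cost", "NextHop",
    "Neighbour", "State", "Age", "Tag", "Priority", "Label", "QoSInfo",
    "IndirectID", "RelayNextHop", "Interface", "TunnelID", "Flags", "BkNextHop",
    "BkInterface", "BkLabel", "SecTunnelID", "BkPETunnelID", "BkPESecTunnelID",
    "BkIndirectID",
)
_KEY_ALT = "|".join(sorted(_ROUTE_KEYS, key=len, reverse=True))
# A known key at a word start; its value runs to the next known key or end of line,
# so multi-word values such as "Active Adv Relied" survive intact.
_ROUTE_FIELD = re.compile(
    rf"(?<!\S)(?P<key>{_KEY_ALT}):\s*(?P<val>.*?)(?=\s+(?:{_KEY_ALT}):|$)"
)
_VRRP_LINE = re.compile(r"^([A-Za-z][\w -]*?)\s*:\s*(.*)$")


def parse_routes(text):
    """Return one dict per route entry; header lines before the first entry are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Destination:"):
            routes.append({})
        if routes:
            for m in _ROUTE_FIELD.finditer(line):
                routes[-1][m.group("key")] = m.group("val")
    return routes


def hybrid_frr_backup(route):
    """Return (BkNextHop, BkLabel, BkPETunnelID) when the entry carries a usable
    hybrid FRR backup path, otherwise None."""
    nexthop = route.get("BkNextHop", "0.0.0.0")
    label = route.get("BkLabel", "NULL")
    if nexthop == "0.0.0.0" or label == "NULL" or not route.get("BkInterface"):
        return None
    return nexthop, label, route.get("BkPETunnelID", "0x0")


def parse_vrrp(text):
    """Return the 'name : value' fields of 'display vrrp interface' output."""
    fields = {}
    for line in text.splitlines():
        m = _VRRP_LINE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def vrrp_checks(fields):
    """The three conditions the text reads off the VRRP output."""
    return {
        "master": fields.get("State") == "Master",
        "backup_forward": fields.get("Backup-forward") == "enabled",
        "bfd_tracked_up": "Track BFD" in fields and fields.get("BFD-session state") == "UP",
    }


# Sample input copied (abridged) from the Site2_UPE3 command output on this page.
UPE3_ROUTES = """\
Summary Count : 2

Destination: 172.18.150.4/32
Protocol: Direct Process ID: 0
NextHop: 172.18.150.4 Neighbour: 0.0.0.0
State: Active Adv Age: 1d02h36m21s
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: XGigabitEthernet0/0/2.150
TunnelID: 0x0 Flags: D
BkNextHop: 172.16.2.76 BkInterface: XGigabitEthernet0/0/4
BkLabel: 1024 SecTunnelID: 0x0
BkPETunnelID: 0x4800001b BkPESecTunnelID: 0x0

Destination: 172.18.150.4/32
Protocol: IBGP Process ID: 0
NextHop: 172.16.2.76 Neighbour: 172.16.2.76
State: Inactive Adv Relied Age: 1d02h36m21s
Label: 1024 QoSInfo: 0x0
RelayNextHop: 172.16.8.181 Interface: XGigabitEthernet0/0/4
TunnelID: 0x4800001b Flags: R
"""
UPE3_VRRP = """\
XGigabitEthernet0/0/2.150 | Virtual Router 1
State : Master
Virtual IP : 172.18.150.1
Preempt : YES Delay Time : 250 s
Backup-forward : enabled
Track BFD : 1150 type: peer
BFD-session state : UP
"""

if __name__ == "__main__":
    for r in parse_routes(UPE3_ROUTES):
        print(r["Protocol"], r["State"], "backup:", hybrid_frr_backup(r))
    print(vrrp_checks(parse_vrrp(UPE3_VRRP)))
```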

2.7.7 Configuration Files

2.7.7.1 Core_SPE1 Configuration File


sysname Core_SPE1
#
router id 172.16.0.5
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 5:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.5
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk4
undo portswitch
description Core_SPE1 to Core_SPE2
ip address 172.17.4.8 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE1 to Core_SPE3
ip address 172.17.4.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE1 to Site1_UPE1
ip address 172.17.4.10 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet5/0/4
eth-trunk 4
#
interface XGigabitEthernet5/0/5
eth-trunk 4
#
interface XGigabitEthernet5/0/6
eth-trunk 4
#
interface XGigabitEthernet5/0/7
eth-trunk 4
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
undo portswitch
description Core_SPE1 to Site3_UPE6
ip address 172.17.10.2 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 20
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.5 255.255.255.255
#
interface Tunnel611
description Core_SPE1 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Core_SPE1 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel711
description Core_SPE1 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 20 mask 20
mpls te affinity property 10 mask 10 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel721
description Core_SPE1 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet6/0/4
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#NInJJ<oF9VXb:BS~~9+JT'suROXkVHNG@8+*3FyB%^%#
network 172.16.0.5 0.0.0.0
network 172.17.4.2 0.0.0.0
network 172.17.4.8 0.0.0.0
network 172.17.4.10 0.0.0.0
network 172.17.10.2 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site13
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.4 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site12 permit 12:12
ip community-filter basic site13 permit 13:13
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE1toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.9 interface Eth-Trunk4
discriminator local 317
discriminator remote 137
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.3 interface Eth-Trunk5
discriminator local 32
discriminator remote 23
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6116
discriminator remote 6115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6112
discriminator remote 6111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6226
discriminator remote 6225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE2_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6222
discriminator remote 6221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7216
discriminator remote 7215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE5_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7212
discriminator remote 7211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7116
discriminator remote 7115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE1toUPE6_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7112
discriminator remote 7111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.2 Core_SPE2 Configuration File


sysname Core_SPE2
#
router id 172.16.0.3
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 3:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.3
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE2 to Core_SPE3
ip address 172.17.4.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk4
undo portswitch
description Core_SPE2 to Core_SPE1
ip address 172.17.4.9 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk17
undo portswitch
description Core_SPE2 to Site1_UPE2
ip address 172.17.4.12 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet3/0/4
eth-trunk 2
#
interface XGigabitEthernet3/0/5
eth-trunk 2
#
interface XGigabitEthernet3/0/6
eth-trunk 2
#
interface XGigabitEthernet3/0/7
eth-trunk 2
#
interface XGigabitEthernet5/0/0
eth-trunk 17
#
interface XGigabitEthernet5/0/1
eth-trunk 17
#
interface XGigabitEthernet5/0/2
eth-trunk 17
#
interface XGigabitEthernet5/0/3
eth-trunk 17
#
interface XGigabitEthernet5/0/5
undo portswitch
description Core_SPE2 to Site2_UPE3
ip address 172.16.8.178 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/4
eth-trunk 4
#
interface XGigabitEthernet6/0/5
eth-trunk 4
#
interface XGigabitEthernet6/0/6
eth-trunk 4
#
interface XGigabitEthernet6/0/7
eth-trunk 4
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.3 255.255.255.255
#
interface Tunnel111
description Core_SPE2 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel121
description Core_SPE2 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Core_SPE2 to Site1_UPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.51
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel621
description Core_SPE2 to Site1_UPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.50
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.2.51 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk2
undo silent-interface Eth-Trunk4
undo silent-interface Eth-Trunk17
undo silent-interface XGigabitEthernet5/0/5
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#8|'*QyJCZ<@"H2,\pm@FUK3R3uSfFGaaJr39=1%^%#
network 172.16.0.3 0.0.0.0
network 172.16.8.178 0.0.0.0
network 172.17.4.0 0.0.0.0
network 172.17.4.9 0.0.0.0
network 172.17.4.12 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
if-match community-filter all_site
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site12
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.4 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic site12 permit 12:12
ip community-filter basic site23 permit 23:23
ip community-filter basic all_site permit 5720:5720
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE2toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.8 interface Eth-Trunk4
discriminator local 137
discriminator remote 317
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toSPE3 bind ldp-lsp peer-ip 172.16.0.4 nexthop 172.17.4.1 interface Eth-Trunk2
discriminator local 127
discriminator remote 217
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6126
discriminator remote 6125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE1_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6122
discriminator remote 6121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6216
discriminator remote 6215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6212
discriminator remote 6211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1116
discriminator remote 1115
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE3_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1112
discriminator remote 1111
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1216
discriminator remote 1215
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE2toUPE4_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1212
discriminator remote 1211
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.3 Core_SPE3 Configuration File


sysname Core_SPE3
#
router id 172.16.0.4
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 4:1
tnl-policy TSel
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
tunnel-selector TSel permit node 9
if-match ip next-hop ip-prefix core_nhp
#
tunnel-selector TSel permit node 10
apply tunnel-policy TE
#
bfd
#
mpls lsr-id 172.16.0.4
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
load-balance-profile CUSTOM
ipv6 field l4-sport l4-dport
ipv4 field l4-sport l4-dport
#
interface Eth-Trunk2
undo portswitch
description Core_SPE3 to Core_SPE2
ip address 172.17.4.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface Eth-Trunk5
undo portswitch
description Core_SPE3 to Core_SPE1
ip address 172.17.4.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 30
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
load-balance enhanced profile CUSTOM
#
interface XGigabitEthernet1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/0/1
eth-trunk 5
#
interface XGigabitEthernet1/0/2
eth-trunk 5
#
interface XGigabitEthernet1/0/3
eth-trunk 5
#
interface XGigabitEthernet2/0/4
eth-trunk 2
#
interface XGigabitEthernet2/0/5
eth-trunk 2
#
interface XGigabitEthernet2/0/6
eth-trunk 2
#
interface XGigabitEthernet2/0/7
eth-trunk 2
#
interface XGigabitEthernet6/0/1
undo portswitch
description Core_SPE3 to Site3_UPE5
ip address 172.16.8.213 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 10
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet6/0/3
undo portswitch
description Core_SPE3 to Site2_UPE4
ip address 172.16.8.183 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.0.4 255.255.255.255
#
interface Tunnel112
description Core_SPE3 to Site2_UPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.75
mpls te tunnel-id 112
mpls te bfd enable
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Core_SPE3 to Site2_UPE4
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.76
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Core_SPE3 to Site3_UPE6
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.86
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Core_SPE3 to Site3_UPE5
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.2.87
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 10 mask 10
mpls te affinity property 20 mask 20 secondary
mpls te backup hot-standby
mpls te commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.75 enable
undo peer 172.16.2.76 enable
undo peer 172.16.2.86 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
auto-frr
nexthop recursive-lookup delay 10
tunnel-selector TSel
bestroute nexthop-resolved tunnel
route-select delay 120
peer devCore enable
peer devCore route-policy core-import import
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer devHost enable
peer devHost route-policy p_iBGP_RR_in import
peer devHost advertise-community
peer devHost upe
peer devHost default-originate vpn-instance vpna
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
auto-frr
nexthop recursive-lookup route-policy delay_policy
nexthop recursive-lookup delay 10
vpn-route cross multipath
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk5
undo silent-interface Eth-Trunk2
undo silent-interface XGigabitEthernet6/0/1
undo silent-interface XGigabitEthernet6/0/3
spf-schedule-interval millisecond 10
lsa-originate-interval 0
lsa-arrival-interval 0
opaque-capability enable
graceful-restart period 600
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#N@WU@i600:_5W!%F!L~9%7ui(!x:VP5<mJ:z>zJX%^%#
network 172.16.0.4 0.0.0.0
network 172.16.8.183 0.0.0.0
network 172.16.8.213 0.0.0.0
network 172.17.4.1 0.0.0.0
network 172.17.4.3 0.0.0.0
mpls-te enable
#
route-policy delay_policy permit node 0
#
route-policy p_iBGP_RR_in deny node 5
if-match ip-prefix deny_host
if-match community-filter all_site
#
route-policy p_iBGP_RR_in permit node 11
if-match community-filter site1
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 12
if-match community-filter site2
apply preferred-value 200
#
route-policy p_iBGP_RR_in permit node 13
if-match community-filter site3
apply preferred-value 300
#
route-policy p_iBGP_RR_in permit node 20
#
route-policy core-import deny node 5
if-match community-filter site13
#
route-policy core-import deny node 6
if-match community-filter site23
#
route-policy core-import permit node 10
#
ip ip-prefix deny_host index 10 permit 0.0.0.0 0 greater-equal 32 less-equal 32
ip ip-prefix core_nhp index 10 permit 172.16.0.3 32
ip ip-prefix core_nhp index 20 permit 172.16.0.5 32
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site13 permit 13:13
ip community-filter basic site23 permit 23:23
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
tunnel-policy TE
tunnel select-seq cr-lsp load-balance-number 1
#
bfd SPE3toSPE1 bind ldp-lsp peer-ip 172.16.0.5 nexthop 172.17.4.2 interface Eth-Trunk5
discriminator local 23
discriminator remote 32
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toSPE2 bind ldp-lsp peer-ip 172.16.0.3 nexthop 172.17.4.0 interface Eth-Trunk2
discriminator local 217
discriminator remote 127
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1126
discriminator remote 1125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1122
discriminator remote 1121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1226
discriminator remote 1225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE4_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1222
discriminator remote 1221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7226
discriminator remote 7225
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE5_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7222
discriminator remote 7221
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7126
discriminator remote 7125
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd SPE3toUPE6_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7122
discriminator remote 7121
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
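The route-policy and community-filter entries in the configuration file that closes above decide which site routes the core-import policy accepts. The following is an added example, not code from the document or from Huawei: it parses only the route-policy syntax that appears on this page (`route-policy NAME {permit|deny} node N`, `if-match community-filter NAME`, `ip community-filter basic NAME permit COMMUNITY...`) and evaluates the core-import policy against the community sets that the p_iBGP_host_ex export policies of the UPEs on this page apply. The match semantics it implements (nodes tried in ascending order, a basic filter entry matching when the route carries every community it lists, a route matching no node being denied) are stated as assumptions about VRP behaviour.

```python
"""Evaluate a VRP-style route-policy against a route's BGP communities.

Added example; not code from the document or from Huawei. Models only the
route-policy syntax shown in the configuration file above. Nodes are tried
in ascending order; the first node whose if-match clauses all hold decides,
and a route that matches no node is denied (assumed implicit deny).
"""
import re
from dataclasses import dataclass, field

NODE_RE = re.compile(r"^route-policy (\S+) (permit|deny) node (\d+)$")
FILTER_RE = re.compile(r"^\s*ip community-filter basic (\S+) permit (.+)$", re.M)


@dataclass
class Node:
    action: str                                  # "permit" or "deny"
    filters: list = field(default_factory=list)  # community-filter names to match


def parse_policy(config: str, name: str) -> list:
    """Return [(node_number, Node), ...] for route-policy `name`, in node order."""
    nodes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            current = None
            if m.group(1) == name:
                current = nodes[int(m.group(3))] = Node(action=m.group(2))
        elif line == "#":
            current = None
        elif current is not None and line.startswith("if-match community-filter "):
            current.filters.append(line.split()[-1])
    return sorted(nodes.items())


def parse_community_filters(config: str) -> dict:
    """name -> list of community sets, one per 'permit' entry of the filter."""
    filters = {}
    for m in FILTER_RE.finditer(config):
        filters.setdefault(m.group(1), []).append(set(m.group(2).split()))
    return filters


def filter_matches(entries: list, communities: set) -> bool:
    # A basic community-filter entry matches when the route carries every
    # community listed in that entry; any matching entry is enough (assumption).
    return any(entry <= communities for entry in entries)


def evaluate(config: str, policy: str, communities) -> tuple:
    """Return (action, node_number) of the first matching node, or ('deny', None)."""
    filters = parse_community_filters(config)
    communities = set(communities)
    for number, node in parse_policy(config, policy):
        if all(filter_matches(filters.get(f, []), communities) for f in node.filters):
            return node.action, number
    return "deny", None


# Constructed excerpt of the core-import policy and community-filters shown
# in the configuration file above; not the complete configuration.
SAMPLE_CONFIG = """\
route-policy core-import deny node 5
 if-match community-filter site13
#
route-policy core-import deny node 6
 if-match community-filter site23
#
route-policy core-import permit node 10
#
ip community-filter basic site1 permit 100:100
ip community-filter basic site2 permit 200:200
ip community-filter basic site3 permit 300:300
ip community-filter basic all_site permit 5720:5720
ip community-filter basic site13 permit 13:13
ip community-filter basic site23 permit 23:23
"""

# Community sets as applied by the p_iBGP_host_ex policies of Site1_UPE1,
# Site2_UPE3 and Site3_UPE5 on this page.
SITE1_ROUTE = ["100:100", "5720:5720", "12:12"]
SITE2_ROUTE = ["200:200", "5720:5720", "23:23"]
SITE3_ROUTE = ["300:300", "5720:5720", "13:13"]

if __name__ == "__main__":
    for label, comms in (("site1", SITE1_ROUTE), ("site2", SITE2_ROUTE), ("site3", SITE3_ROUTE)):
        print(label, evaluate(SAMPLE_CONFIG, "core-import", comms))
```

With the excerpt above, a route tagged 13:13 is stopped at node 5, one tagged 23:23 at node 6, and a Site1 route falls through to the unconditional permit at node 10; the same evaluator can be pointed at any of the other route-policies on this page by changing the policy name.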

2.7.7.4 Site1_UPE1 Configuration File


sysname Site1_UPE1
#
router id 172.16.2.51
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.51
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE1 TO Site1_UPE2
ip address 172.17.4.14 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE1 to Core_SPE1
ip address 172.17.4.11 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 4
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface XGigabitEthernet1/0/0
eth-trunk 17
#
interface XGigabitEthernet1/0/1
eth-trunk 17
#
interface XGigabitEthernet1/0/2
eth-trunk 17
#
interface XGigabitEthernet1/0/3
eth-trunk 17
#
interface XGigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.66 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet4/0/4
eth-trunk 7
#
interface XGigabitEthernet4/0/5
eth-trunk 7
#
interface XGigabitEthernet4/0/6
eth-trunk 7
#
interface XGigabitEthernet4/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.51 255.255.255.255
#
interface Tunnel611
description Site1_UPE1 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 71
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel612
description Site1_UPE1 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 72
mpls te record-route
mpls te affinity property 4 mask 4
mpls te affinity property 8 mask 8 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.67 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.66
discriminator local 2200
discriminator remote 1200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.50 as-number 65000
peer 172.16.2.50 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.50 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.50 enable
peer 172.16.2.50 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#nU!dUe#c'J!;/%*WtZxQ<gP:'zx_E2OQnML]q;s#%^%#
network 172.16.2.51 0.0.0.0
network 172.17.4.11 0.0.0.0
network 172.17.4.14 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.50
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE1toSPE1_m_b bind mpls-te interface Tunnel611 te-lsp backup
discriminator local 6115
discriminator remote 6116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE1_m bind mpls-te interface Tunnel611 te-lsp
discriminator local 6111
discriminator remote 6112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_b bind mpls-te interface Tunnel612 te-lsp backup
discriminator local 6125
discriminator remote 6126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE1toSPE2_m bind mpls-te interface Tunnel612 te-lsp
discriminator local 6121
discriminator remote 6122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.5 Site1_UPE2 Configuration File


sysname Site1_UPE2
#
router id 172.16.2.50
#
arp vlink-direct-route advertise
#
stp disable
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.50
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
#
interface Eth-Trunk7
undo portswitch
description Site1_UPE2 to Site1_UPE1
ip address 172.17.4.15 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group c
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface Eth-Trunk17
undo portswitch
description Site1_UPE2 to Core_SPE2
ip address 172.17.4.13 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 8
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
least active-linknumber 4
#
interface XGigabitEthernet1/0/4
port link-type trunk
#
interface XGigabitEthernet1/0/4.200
dot1q termination vid 200
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.200.67 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.200.65
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1200 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet6/0/0
eth-trunk 17
#
interface XGigabitEthernet6/0/1
eth-trunk 17
#
interface XGigabitEthernet6/0/2
eth-trunk 17
#
interface XGigabitEthernet6/0/3
eth-trunk 17
#
interface XGigabitEthernet6/0/4
eth-trunk 7
#
interface XGigabitEthernet6/0/5
eth-trunk 7
#
interface XGigabitEthernet6/0/6
eth-trunk 7
#
interface XGigabitEthernet6/0/7
eth-trunk 7
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.50 255.255.255.255
#
interface Tunnel621
description Site1_UPE2 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 81
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel622
description Site1_UPE2 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 82
mpls te record-route
mpls te affinity property 8 mask 8
mpls te affinity property 4 mask 4 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.200.66 vpn-instance vpna interface XGigabitEthernet1/0/4.200 source-ip 172.18.200.67
discriminator local 1200
discriminator remote 2200
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.51 as-number 65000
peer 172.16.2.51 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.2.51 enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.5 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.51 enable
peer 172.16.2.51 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
#
ospf 1
silent-interface all
undo silent-interface Eth-Trunk7
undo silent-interface Eth-Trunk17
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#GUPhWw-[LH2O6#NMxtJAl!Io8W~iF'![mQF[\9GI%^%#
network 172.16.2.50 0.0.0.0
network 172.16.2.92 0.0.0.0
network 172.17.4.13 0.0.0.0
network 172.17.4.15 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.51
#
route-policy p_iBGP_host_ex permit node 0
apply community 200:200 5720:5720 12:12
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 12:12
#
arp expire-time 62640
arp static 172.18.200.68 0001-0002-0003 vid 200 interface XGigabitEthernet1/0/4.200
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE2toSPE1_b bind mpls-te interface Tunnel622 te-lsp backup
discriminator local 6225
discriminator remote 6226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE1_m bind mpls-te interface Tunnel622 te-lsp
discriminator local 6221
discriminator remote 6222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_b bind mpls-te interface Tunnel621 te-lsp backup
discriminator local 6215
discriminator remote 6216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE2toSPE2_m bind mpls-te interface Tunnel621 te-lsp
discriminator local 6211
discriminator remote 6212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.6 Site2_UPE3 Configuration File


sysname Site2_UPE3
#
router id 172.16.2.75
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.75
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE3 to Core_SPE2
ip address 172.16.8.179 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE3 to Site2_UPE4
ip address 172.16.8.180 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.75 255.255.255.255
#
interface Tunnel111
description Site2_UPE3 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 111
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel112
description Site2_UPE3 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 112
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.3 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.2
discriminator local 2150
discriminator remote 1150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.76 as-number 65000
peer 172.16.2.76 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.76 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 300
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.76 enable
peer 172.16.2.76 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#zJm-P{(FiMrB0bLa^ST'z[!(UezNNTx\CQ6@N\,K%^%#
network 172.16.2.75 0.0.0.0
network 172.16.8.179 0.0.0.0
network 172.16.8.180 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.76
#
route-policy p_iBGP_host_ex permit node 10
apply community 200:200 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 200:200 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE3toSPE2_b bind mpls-te interface Tunnel111 te-lsp backup
discriminator local 1115
discriminator remote 1116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE2_m bind mpls-te interface Tunnel111 te-lsp
discriminator local 1111
discriminator remote 1112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_b bind mpls-te interface Tunnel112 te-lsp backup
discriminator local 1125
discriminator remote 1126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE3toSPE3_m bind mpls-te interface Tunnel112 te-lsp
discriminator local 1121
discriminator remote 1122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.7 Site2_UPE4 Configuration File


sysname Site2_UPE4
#
router id 172.16.2.76
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.76
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site2_UPE4 to Core_SPE3
ip address 172.16.8.182 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.150
dot1q termination vid 150
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.150.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.150.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 1150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site2_UPE4 to Site2_UPE3
ip address 172.16.8.181 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.76 255.255.255.255
#
interface Tunnel121
description Site2_UPE4 to Core_SPE2
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.3
mpls te tunnel-id 121
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel122
description Site2_UPE4 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 122
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.150.2 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.3
discriminator local 1150
discriminator remote 2150
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.3 as-number 65000
peer 172.16.0.3 group devCore
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.75 as-number 65000
peer 172.16.2.75 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.3 enable
undo peer 172.16.0.4 enable
undo peer 172.16.2.75 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.3 enable
peer 172.16.0.3 group devCore
peer 172.16.0.3 preferred-value 200
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.75 enable
peer 172.16.2.75 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %^%#"sZy-UeQ88(kmb#.o"Y8*@/_9D[_<-3ET`+!1no4%^%#
network 172.16.2.76 0.0.0.0
network 172.16.8.181 0.0.0.0
network 172.16.8.182 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.75
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 23:23
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 23:23
#
arp expire-time 62640
arp static 172.18.150.4 0000-0001-0003 vid 150 interface XGigabitEthernet0/0/2.150
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE4toSPE2_b bind mpls-te interface Tunnel121 te-lsp backup
discriminator local 1215
discriminator remote 1216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE2_m bind mpls-te interface Tunnel121 te-lsp
discriminator local 1211
discriminator remote 1212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_b bind mpls-te interface Tunnel122 te-lsp backup
discriminator local 1225
discriminator remote 1226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE4toSPE3_m bind mpls-te interface Tunnel122 te-lsp
discriminator local 1221
discriminator remote 1222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return
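The BFD sessions in the Site2_UPE3 and Site2_UPE4 files above only come up if each device's local discriminator equals its peer's remote discriminator (UPE3toSPE3_m uses local 1121/remote 1122 while SPE3toUPE3_m uses local 1122/remote 1121), and `vrrp vrid 1 track bfd-session` only works if the tracked id is the local discriminator of a session on the same device. The following added example, not code from the document or from Huawei, cross-checks both conditions over a set of configuration files. It parses only the syntax shown on this page (`bfd NAME bind ...` blocks with `discriminator local/remote N`, and `vrrp vrid N track bfd-session ID`); the sample input is a constructed excerpt reduced from the Site2_UPE3, Site2_UPE4 and Core_SPE3 files, with the wrapped `bind` lines joined, and the treatment of sessions ending in `auto` as having negotiated discriminators is an assumption.

```python
"""Cross-check BFD discriminator pairing and VRRP BFD tracking across device
configuration files.

Added example; not code from the document or from Huawei. Parses only the
subset of VRP syntax shown on this page. A session whose bind line ends in
'auto' is assumed to negotiate its discriminators and is skipped by the
pairing check.
"""
import re
from dataclasses import dataclass
from typing import Optional

BFD_HEADER = re.compile(r"^bfd (\S+) bind ")
TRACK_RE = re.compile(r"vrrp vrid \d+ track bfd-session (\d+)")


@dataclass
class BfdSession:
    name: str
    local: Optional[int] = None
    remote: Optional[int] = None
    auto: bool = False


def parse_bfd_sessions(config: str) -> dict:
    """name -> BfdSession for every 'bfd NAME bind ...' block in one config."""
    sessions, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = BFD_HEADER.match(line)
        if m:
            current = sessions[m.group(1)] = BfdSession(m.group(1), auto=line.endswith(" auto"))
        elif line == "#":
            current = None
        elif current is not None and line.startswith("discriminator local "):
            current.local = int(line.split()[-1])
        elif current is not None and line.startswith("discriminator remote "):
            current.remote = int(line.split()[-1])
    return sessions


def check_bfd_pairing(configs: dict) -> list:
    """A static session on device X with local=a/remote=b needs a session on
    another device with local=b/remote=a. Returns one finding per violation."""
    parsed = {dev: parse_bfd_sessions(cfg) for dev, cfg in configs.items()}
    by_local = {}
    for dev, sessions in parsed.items():
        for s in sessions.values():
            if s.local is not None:
                by_local.setdefault(s.local, []).append((dev, s))
    findings = []
    for dev, sessions in parsed.items():
        for s in sessions.values():
            if s.auto:
                continue
            if s.local is None or s.remote is None:
                findings.append(f"{dev}/{s.name}: static session without both discriminators")
            elif not any(d != dev and p.remote == s.local for d, p in by_local.get(s.remote, [])):
                findings.append(f"{dev}/{s.name}: no peer session with local {s.remote} and remote {s.local}")
    return findings


def check_vrrp_tracking(device: str, config: str) -> list:
    """Each tracked bfd-session ID must be the local discriminator of a static
    BFD session on the same device (an 'auto' session provides none)."""
    static_locals = {s.local for s in parse_bfd_sessions(config).values() if s.local is not None}
    return [f"{device}: vrrp tracks bfd-session {d} but no static local discriminator {d}"
            for d in (int(m.group(1)) for m in TRACK_RE.finditer(config)) if d not in static_locals]


def run_checks(configs: dict) -> list:
    findings = check_bfd_pairing(configs)
    for dev, cfg in configs.items():
        findings += check_vrrp_tracking(dev, cfg)
    return findings


# Constructed excerpts reduced from the Site2_UPE3, Site2_UPE4 and Core_SPE3
# files on this page (wrapped bind lines joined); not complete configurations.
SAMPLE_CONFIGS = {
    "Site2_UPE3": """\
interface XGigabitEthernet0/0/2.150
 vrrp vrid 1 track bfd-session 2150 peer
#
bfd vrrp-1 bind peer-ip 172.18.150.3 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.2
 discriminator local 2150
 discriminator remote 1150
#
bfd UPE3toSPE3_m bind mpls-te interface Tunnel112 te-lsp
 discriminator local 1121
 discriminator remote 1122
#
""",
    "Site2_UPE4": """\
interface XGigabitEthernet0/0/2.150
 vrrp vrid 1 track bfd-session 1150 peer
#
bfd vrrp-1 bind peer-ip 172.18.150.2 vpn-instance vpna interface XGigabitEthernet0/0/2.150 source-ip 172.18.150.3
 discriminator local 1150
 discriminator remote 2150
#
""",
    "Core_SPE3": """\
bfd SPE3toUPE3_m bind mpls-te interface Tunnel112 te-lsp
 discriminator local 1122
 discriminator remote 1121
#
""",
}

if __name__ == "__main__":
    for line in run_checks(SAMPLE_CONFIGS) or ["all BFD sessions paired and tracked sessions resolved"]:
        print(line)
```

Feed it every configuration file of the network at once, since a session's counterpart may sit on any device; a single mistyped discriminator produces two findings, one from each end. Run on the Site3_UPE5 file below, the tracking check reports bfd-session 2150 because that device's VRRP session is configured with `auto` and has no static local discriminator; whether that binding resolves on the target software is worth confirming on the device.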

2.7.7.8 Site3_UPE5 Configuration File


sysname Site3_UPE5
#
router id 172.16.2.87
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.87
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.2 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE5 to Site3_UPE6
ip address 172.17.10.0 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE5 to Core_SPE3
ip address 172.16.8.212 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 2
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.87 255.255.255.255
#
interface Tunnel721
description Site3_UPE5 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 312
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel722
description Site3_UPE5 to Core_SPE3
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 322
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-2000 bind peer-ip 172.18.100.3 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip 172.18.100.2 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.86 as-number 65000
peer 172.16.2.86 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.86 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 300
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 200
peer devHost enable
peer devHost advertise-community
peer 172.16.2.86 enable
peer 172.16.2.86 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#^tB:@vm8r%4Z0),RRem7dU.A3.}(a&*/IhJ70>y9%#%#
network 172.16.2.87 0.0.0.0
network 172.16.8.212 0.0.0.0
network 172.17.10.0 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.86
#
route-policy p_iBGP_host_ex permit node 0
apply community 300:300 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 300:300 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE5toSPE1_b bind mpls-te interface Tunnel721 te-lsp backup
discriminator local 7215
discriminator remote 7216
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE1_m bind mpls-te interface Tunnel721 te-lsp
discriminator local 7211
discriminator remote 7212
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_b bind mpls-te interface Tunnel722 te-lsp backup
discriminator local 7225
discriminator remote 7226
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE5toSPE3_m bind mpls-te interface Tunnel722 te-lsp
discriminator local 7221
discriminator remote 7222
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.7.7.9 Site3_UPE6 Configuration File


sysname Site3_UPE6
#
router id 172.16.2.86
#
arp vlink-direct-route advertise
#
stp disable
#
set service-mode enhanced
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 1:1
ip frr route-policy mixfrr
tnl-policy TSel
arp vlink-direct-route advertise
vpn-target 0:1 export-extcommunity
vpn-target 0:1 import-extcommunity
#
bfd
#
mpls lsr-id 172.16.2.86
mpls
mpls te
label advertise non-null
mpls rsvp-te
mpls rsvp-te hello
mpls rsvp-te hello full-gr
mpls te cspf
#
mpls ldp
graceful-restart
#
interface XGigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
#
interface XGigabitEthernet0/0/2.100
dot1q termination vid 100
ip binding vpn-instance vpna
arp direct-route enable
ip address 172.18.100.3 255.255.255.192
vrrp vrid 1 virtual-ip 172.18.100.1
vrrp vrid 1 priority 90
vrrp vrid 1 preempt-mode timer delay 250
vrrp vrid 1 track bfd-session 2150 peer
vrrp vrid 1 backup-forward
arp broadcast enable
vrrp track bfd gratuitous-arp send enable
#
interface XGigabitEthernet0/0/1
undo portswitch
description Site3_UPE6 to Site3_UPE5
ip address 172.17.10.1 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 3
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface XGigabitEthernet0/0/4
undo portswitch
description Site3_UPE6 to Core_SPE1
ip address 172.17.10.3 255.255.255.254
ospf network-type p2p
ospf ldp-sync
ospf timer ldp-sync hold-down 20
mpls
mpls te
mpls te link administrative group 1
mpls rsvp-te
mpls rsvp-te hello
mpls ldp
#
interface LoopBack1
description ** GRT Management Loopback **
ip address 172.16.2.86 255.255.255.255
#
interface Tunnel711
description Site3_UPE6 to Core_SPE1
ip address unnumbered interface LoopBack1
tunnel-protocol mpls te
destination 172.16.0.5
mpls te tunnel-id 311
mpls te record-route
mpls te affinity property 1 mask 1
mpls te affinity property 2 mask 2 secondary
mpls te backup hot-standby
mpls te commit
#
interface Tunnel712
description Site3_UPE6 to Core_SPE3
ip address unnumbered interface LoopBack1

tunnel-protocol mpls te
destination 172.16.0.4
mpls te tunnel-id 321
mpls te record-route
mpls te affinity property 2 mask 2
mpls te affinity property 1 mask 1 secondary
mpls te backup hot-standby
mpls te commit
#
bfd vrrp-1 bind peer-ip 172.18.100.2 vpn-instance vpna interface XGigabitEthernet0/0/2.100 source-ip
172.18.100.3 auto
min-tx-interval 3
min-rx-interval 3
commit
#
bgp 65000
graceful-restart
group devCore internal
peer devCore connect-interface LoopBack1
peer 172.16.0.4 as-number 65000
peer 172.16.0.4 group devCore
peer 172.16.0.5 as-number 65000
peer 172.16.0.5 group devCore
group devHost internal
peer devHost connect-interface LoopBack1
peer 172.16.2.87 as-number 65000
peer 172.16.2.87 group devHost
#
ipv4-family unicast
undo synchronization
undo peer devCore enable
undo peer devHost enable
undo peer 172.16.0.4 enable
undo peer 172.16.0.5 enable
undo peer 172.16.2.87 enable
#
ipv4-family vpnv4
policy vpn-target
route-select delay 120
peer devCore enable
peer devCore route-policy p_iBGP_host_ex export
peer devCore advertise-community
peer 172.16.0.4 enable
peer 172.16.0.4 group devCore
peer 172.16.0.4 preferred-value 200
peer 172.16.0.5 enable
peer 172.16.0.5 group devCore
peer 172.16.0.5 preferred-value 300
peer devHost enable
peer devHost advertise-community
peer 172.16.2.87 enable
peer 172.16.2.87 group devHost
#
ipv4-family vpn-instance vpna
default-route imported
import-route direct route-policy p_iBGP_RR_ex
auto-frr
route-select delay 120
#
ospf 1
silent-interface all
undo silent-interface XGigabitEthernet0/0/1
undo silent-interface XGigabitEthernet0/0/4
opaque-capability enable
graceful-restart period 600
bandwidth-reference 100000
flooding-control
area 0.0.0.0
authentication-mode md5 1 cipher %#%#<3.TS63Ml*_Gn]2$}@O/G8llX)VNvDY\kT;4E9-A%#%#

network 172.16.2.86 0.0.0.0
network 172.17.10.1 0.0.0.0
network 172.17.10.3 0.0.0.0
mpls-te enable
#
route-policy mixfrr permit node 0
apply backup-nexthop 172.16.2.87
#
route-policy p_iBGP_host_ex permit node 0
apply community 100:100 5720:5720 13:13
#
route-policy p_iBGP_RR_ex permit node 0
apply community 100:100 5720:5720 13:13
#
arp expire-time 62640
arp static 172.18.100.4 0000-0002-0003 vid 100 interface XGigabitEthernet0/0/2.100
#
tunnel-policy TSel
tunnel select-seq cr-lsp lsp load-balance-number 1
#
bfd UPE6toSPE1_b bind mpls-te interface Tunnel711 te-lsp backup
discriminator local 7115
discriminator remote 7116
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE1_m bind mpls-te interface Tunnel711 te-lsp
discriminator local 7111
discriminator remote 7112
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_b bind mpls-te interface Tunnel712 te-lsp backup
discriminator local 7125
discriminator remote 7126
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
bfd UPE6toSPE3_m bind mpls-te interface Tunnel712 te-lsp
discriminator local 7121
discriminator remote 7122
detect-multiplier 8
min-tx-interval 3
min-rx-interval 3
process-pst
commit
#
return

2.8 Example for Deploying the ACU2, NGFW Module, and IPS Module on a Switch


2.8.1 Example for Configuring ACU2 and NGFW on Switches


Background
When a switch on the live network has both an ACU2 and an NGFW module installed,
redirection must be configured so that the upstream and downstream traffic of
STAs is forwarded correctly. In addition, the wireless traffic entering and
leaving the switch must be processed according to the security policies
configured on the NGFW module.

Configuration Notes
On the NGFW side, two fixed internal Ethernet interfaces are GE1/0/0 and
GE1/0/1. On the switch side, the internal Ethernet interface numbers depend on
the slot ID of the NGFW module. For example, when the NGFW module is
installed in slot 1, the interface numbers are XGE1/0/0 and XGE1/0/1.
On the ACU2 side, two fixed internal Ethernet interfaces are XGE0/0/1 and
XGE0/0/2. On the switch side, the internal Ethernet interface numbers depend on
the slot ID of the ACU2. For example, when the ACU2 is installed in slot 2, the
interface numbers are XGE2/0/0 and XGE2/0/1.
Table 2-26 lists the products and versions to which this configuration example is
applicable.

Table 2-26 Applicable products and versions

Product Model   Software Version
-------------   ------------------------------
S7700&S9700     V200R007 and V200R008
ACU2            V200R005C10 and V200R005C20
NGFW module     V100R001C10 and later versions

Networking Requirements
Two switches are deployed as shown in Figure 2-29. Switch_1 has an NGFW module
and an ACU2 installed, and traffic policies are configured on the NGFW module.
The customer wants to use the ACU2 to manage the wireless network and provide
stable wireless services to STAs, with all STA traffic passing through the NGFW.


Figure 2-29 Configuring ACU2 and NGFW on switches

[Figure: the upper-layer network connects to XGE3/0/1 of Switch_1. NGFW_1
GE1/0/0 and GE1/0/1 connect to Switch_1 XGE1/0/0 and XGE1/0/1. ACU2_1 Eth-trunk1
connects to Switch_1 Eth-trunk1. Switch_1 Eth-trunk0 connects to Switch_2
Eth-trunk0. Switch_2 GE0/0/1 connects to the AP.]

Data Plan
Table 2-27, Table 2-28, and Table 2-29 provide the data plan.

Table 2-27 Eth-Trunk

Device     Interface Number   Member Interfaces
--------   ----------------   -------------------
Switch_2   Eth-trunk0         XGE0/0/1, XGE0/0/2
Switch_1   Eth-trunk0         XGE3/0/2, XGE3/0/3
Switch_1   Eth-trunk1         XGE2/0/0, XGE2/0/1
ACU2_1     Eth-trunk1         XGE0/0/1, XGE0/0/2


Table 2-28 VLAN

Device     Data                                                      Remarks
--------   -------------------------------------------------------   -----------------------------------
Switch_2   Eth-trunk0: transparently transmits packets from VLAN 42  Connected to Switch_1.
           GE0/0/1: VLAN 42                                          Connected to the AP.
Switch_1   Eth-trunk0: transparently transmits packets from VLAN 42  Connected to Switch_2.
           Eth-trunk1: transparently transmits packets from VLAN 42  Connected to ACU2_1.
           and VLAN 428
           XGE1/0/0: transparently transmits packets from VLAN 428   Connected to NGFW_1.
           XGE1/0/1: transparently transmits packets from VLAN 428   Connected to NGFW_1.
           XGE3/0/1: transparently transmits packets from VLAN 428   Connected to an upper-layer device.
ACU2_1     Eth-trunk1: transparently transmits packets from VLAN 42  Connected to Switch_1.
           and VLAN 428
NGFW_1     GE1/0/0: transparently transmits packets from VLAN 428    Connected to Switch_1 (XGE1/0/0).
           GE1/0/1: transparently transmits packets from VLAN 428    Connected to Switch_1 (XGE1/0/1).

Table 2-29 IP Addresses

Device   Data                          Remarks
------   ---------------------------   ----------------------------------------------------
ACU2_1   VLANIF428: 172.16.29.1/24     Configure VLANIF 428 to assign IP addresses to STAs.
         VLANIF42: 172.18.255.240/24   Configure VLANIF 42 as the CAPWAP source address.


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Eth-Trunks on the switches and add interfaces to VLANs. Configure
the interface connecting Switch_2 to the AP so that the AP can reach ACU2_1.
2. Connect ACU2_1 to Switch_1.
3. Connect NGFW_1 to Switch_1.
4. Configure wireless services on ACU2_1. Wireless service traffic is forwarded
in tunnel mode, and ACU2_1 functions as the DHCP server that assigns IP
addresses to APs and STAs.
5. Configure traffic policies on the interfaces of Switch_1 so that STA traffic
passes through NGFW_1 in both directions and STAs can go online:
– Apply a redirection policy to the inbound traffic on Eth-Trunk 1, the
internal interface between the switch and ACU2_1, to redirect upstream wireless
traffic to XGE1/0/1, the internal interface between the switch and NGFW_1. When
NGFW_1 forwards the traffic back to XGE1/0/0, it matches the inbound redirection
policy on that interface and is redirected to the upstream interface XGE3/0/1.
– Apply a redirection policy to the inbound traffic on XGE3/0/1 to redirect
downstream wireless traffic to XGE1/0/0, the internal interface between the
switch and NGFW_1. When NGFW_1 forwards the traffic back to XGE1/0/1, it matches
the inbound redirection policy on that interface and is redirected to Eth-Trunk
1, the internal interface between the switch and ACU2_1.

Procedure
Step 1 Configure Eth-Trunks between Switch_1 and Switch_2.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 42 428
[Switch_1] interface Eth-Trunk 0
[Switch_1-Eth-Trunk0] port link-type trunk
[Switch_1-Eth-Trunk0] port trunk allow-pass vlan 42
[Switch_1-Eth-Trunk0] quit
[Switch_1] interface XGigabitEthernet 3/0/2
[Switch_1-XGigabitEthernet3/0/2] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/2] quit
[Switch_1] interface XGigabitEthernet 3/0/3
[Switch_1-XGigabitEthernet3/0/3] eth-trunk 0
[Switch_1-XGigabitEthernet3/0/3] quit

# Configure the connection between Switch_1 and upper-layer device.


[Switch_1] interface XGigabitEthernet 3/0/1
[Switch_1-XGigabitEthernet3/0/1] port link-type trunk
[Switch_1-XGigabitEthernet3/0/1] port trunk allow-pass vlan 428
[Switch_1-XGigabitEthernet3/0/1] quit

# Configure Eth-trunk0 between Switch_2 and Switch_1.


<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 42 428
[Switch_2] interface Eth-Trunk 0
[Switch_2-Eth-Trunk0] port link-type trunk
[Switch_2-Eth-Trunk0] port trunk allow-pass vlan 42
[Switch_2-Eth-Trunk0] quit
[Switch_2] interface XGigabitEthernet 0/0/1
[Switch_2-XGigabitEthernet0/0/1] eth-trunk 0
[Switch_2-XGigabitEthernet0/0/1] quit
[Switch_2] interface XGigabitEthernet 0/0/2
[Switch_2-XGigabitEthernet0/0/2] eth-trunk 0
[Switch_2-XGigabitEthernet0/0/2] quit

# Configure the interfaces between Switch_2 and AP.


[Switch_2] interface GigabitEthernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 42
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 42
[Switch_2-GigabitEthernet0/0/1] quit

Step 2 Configure Eth-Trunks between Switch_1 and ACU2.


# Configure Switch_1.
[Switch_1] interface Eth-Trunk 1
[Switch_1-Eth-Trunk1] port link-type trunk
[Switch_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
[Switch_1-Eth-Trunk1] quit
[Switch_1] interface XGigabitEthernet 2/0/0 //Switch_1 connects to ACU2 through XGE2/0/0 and
XGE2/0/1. The first digit 2 indicates that ACU2 is installed in slot 2 on Switch_1.
[Switch_1-XGigabitEthernet2/0/0] eth-trunk 1
[Switch_1-XGigabitEthernet2/0/0] quit
[Switch_1] interface XGigabitEthernet 2/0/1
[Switch_1-XGigabitEthernet2/0/1] eth-trunk 1
[Switch_1-XGigabitEthernet2/0/1] quit

# Configure ACU2_1, the ACU2 installed in slot 2 of Switch_1.


<HUAWEI> system-view
[HUAWEI] sysname ACU2_1
[ACU2_1] vlan batch 42 428
[ACU2_1] interface eth-trunk 1
[ACU2_1-Eth-Trunk1] port link-type trunk
[ACU2_1-Eth-Trunk1] port trunk allow-pass vlan 42 428
[ACU2_1-Eth-Trunk1] quit
[ACU2_1] interface XGigabitEthernet0/0/1
[ACU2_1-XGigabitEthernet0/0/1] eth-trunk 1
[ACU2_1-XGigabitEthernet0/0/1] quit
[ACU2_1] interface XGigabitEthernet0/0/2
[ACU2_1-XGigabitEthernet0/0/2] eth-trunk 1
[ACU2_1-XGigabitEthernet0/0/2] quit

Step 3 Configure the interfaces connecting Switch_1 to NGFW.


# Configure Switch_1. The two NGFW-facing ports carry the same VLAN and are
bridged by the NGFW interface pair, so MAC address learning and STP are disabled
on them and they are isolated from each other. Otherwise the switch would learn
the same MAC addresses on both ports and could forward frames directly between
them, forming a loop through the NGFW.
[Switch_1] interface XGigabitEthernet 1/0/0
[Switch_1-XGigabitEthernet1/0/0] port link-type trunk
[Switch_1-XGigabitEthernet1/0/0] mac-address learning disable
[Switch_1-XGigabitEthernet1/0/0] port trunk allow-pass vlan 428
[Switch_1-XGigabitEthernet1/0/0] stp disable
[Switch_1-XGigabitEthernet1/0/0] carrier up-hold-time 10000
[Switch_1-XGigabitEthernet1/0/0] am isolate XGigabitEthernet1/0/1
[Switch_1-XGigabitEthernet1/0/0] quit
[Switch_1] interface XGigabitEthernet 1/0/1
[Switch_1-XGigabitEthernet1/0/1] port link-type trunk
[Switch_1-XGigabitEthernet1/0/1] mac-address learning disable
[Switch_1-XGigabitEthernet1/0/1] port trunk allow-pass vlan 428


[Switch_1-XGigabitEthernet1/0/1] stp disable
[Switch_1-XGigabitEthernet1/0/1] carrier up-hold-time 10000
[Switch_1-XGigabitEthernet1/0/1] am isolate XGigabitEthernet1/0/0
[Switch_1-XGigabitEthernet1/0/1] quit

# Configure NGFW_1, the NGFW module installed in slot 1 of Switch_1.


<HUAWEI> system-view
[HUAWEI] sysname NGFW_1
[NGFW_1] vlan batch 428
[NGFW_1] interface GigabitEthernet1/0/0
[NGFW_1-GigabitEthernet1/0/0] portswitch
[NGFW_1-GigabitEthernet1/0/0] port link-type trunk
[NGFW_1-GigabitEthernet1/0/0] undo port trunk permit vlan 1
[NGFW_1-GigabitEthernet1/0/0] port trunk permit vlan 428
[NGFW_1-GigabitEthernet1/0/0] quit
[NGFW_1] interface GigabitEthernet1/0/1
[NGFW_1-GigabitEthernet1/0/1] portswitch
[NGFW_1-GigabitEthernet1/0/1] port link-type trunk
[NGFW_1-GigabitEthernet1/0/1] undo port trunk permit vlan 1
[NGFW_1-GigabitEthernet1/0/1] port trunk permit vlan 428
[NGFW_1-GigabitEthernet1/0/1] quit
[NGFW_1] pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1 //Add the two interfaces into an
interface group. Traffic entering an interface is sent out through a fixed interface, without the need of
looking up the routing or MAC address table.

# Add the interfaces on NGFW_1 to the security zone.


[NGFW_1] firewall zone trust
[NGFW_1-zone-trust] add interface GigabitEthernet1/0/1
[NGFW_1-zone-trust] quit
[NGFW_1] firewall zone untrust
[NGFW_1-zone-untrust] add interface GigabitEthernet1/0/0
[NGFW_1-zone-untrust] quit

# Configure a security policy.

To simplify verification, this example permits all traffic between the trust
and untrust zones, so NGFW_1 passes all VLAN 428 traffic and blocks nothing.
After verification, replace these permit-any rules with rules restricted to the
STA subnet and the services that are actually required.
[NGFW_1] security-policy
[NGFW_1-policy-security] rule name policy1
[NGFW_1-policy-security-rule-policy1] source-zone trust
[NGFW_1-policy-security-rule-policy1] destination-zone untrust
[NGFW_1-policy-security-rule-policy1] action permit
[NGFW_1-policy-security-rule-policy1] quit
[NGFW_1-policy-security] rule name policy2
[NGFW_1-policy-security-rule-policy2] source-zone untrust
[NGFW_1-policy-security-rule-policy2] destination-zone trust
[NGFW_1-policy-security-rule-policy2] action permit
[NGFW_1-policy-security-rule-policy2] quit
[NGFW_1-policy-security] quit

Step 4 Configure wireless service on ACU2.


# Configure ACU2_1 to assign IP addresses to APs and STAs.
[ACU2_1] dhcp enable
[ACU2_1] interface Vlanif42
[ACU2_1-Vlanif42] ip address 172.18.255.240 255.255.255.0
[ACU2_1-Vlanif42] dhcp select interface
[ACU2_1-Vlanif42] quit
[ACU2_1] interface Vlanif428
[ACU2_1-Vlanif428] ip address 172.16.29.1 255.255.255.0
[ACU2_1-Vlanif428] dhcp select interface
[ACU2_1-Vlanif428] quit

# Configure the country code.


[ACU2_1] wlan ac-global country-code cn
Warning: Modifying the country code will clear channel configurations of the AP radio using the country
code and reset the AP. If the new country code does not support the radio, all configurations of the radio
are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[ACU2_1] wlan ac-global ac id 1 carrier id other
Warning: Modify the carrier ID or AC ID may cause all of the AP offline, continue?[Y/N]:y

# Configure the source interface on ACU2_1.


[ACU2_1] capwap source interface vlanif42

# Configure basic WLAN services.


[ACU2_1] wlan
[ACU2_1-wlan-view] ap-auth-mode mac-auth
[ACU2_1-wlan-view] ap id 1 type-id 19 mac 9c37-f48c-0c40
[ACU2_1-wlan-ap-1] quit
[ACU2_1-wlan-view] ap-region id 0
[ACU2_1-wlan-ap-region-0] quit
[ACU2_1-wlan-view] ap id 1
[ACU2_1-wlan-ap-1] region-id 0
[ACU2_1-wlan-ap-1] quit
[ACU2_1-wlan-view] wmm-profile name wmm id 1
[ACU2_1-wlan-wmm-prof-wmm] quit
[ACU2_1-wlan-view] radio-profile name radio id 1
[ACU2_1-wlan-radio-prof-radio] wmm-profile name wmm
[ACU2_1-wlan-radio-prof-radio] quit
[ACU2_1-wlan-view] quit
[ACU2_1] interface wlan-ess 1
[ACU2_1-Wlan-Ess1] port hybrid pvid vlan 428
[ACU2_1-Wlan-Ess1] port hybrid untagged vlan 428
[ACU2_1-Wlan-Ess1] quit
[ACU2_1] wlan
[ACU2_1-wlan-view] security-profile name security id 1
[ACU2_1-wlan-sec-prof-security] quit
[ACU2_1-wlan-view] traffic-profile name traffic id 1
[ACU2_1-wlan-traffic-prof-traffic] quit
[ACU2_1-wlan-view] service-set name huawei id 1
[ACU2_1-wlan-service-set-huawei] ssid huawei
[ACU2_1-wlan-service-set-huawei] wlan-ess 1
[ACU2_1-wlan-service-set-huawei] security-profile name security
[ACU2_1-wlan-service-set-huawei] traffic-profile name traffic
[ACU2_1-wlan-service-set-huawei] service-vlan 428
[ACU2_1-wlan-service-set-huawei] forward-mode tunnel
[ACU2_1-wlan-service-set-huawei] quit
[ACU2_1-wlan-view] ap 1 radio 0
[ACU2_1-wlan-radio-0/0] radio-profile name radio
[ACU2_1-wlan-radio-0/0] service-set name huawei
[ACU2_1-wlan-radio-0/0] quit
[ACU2_1-wlan-view] commit ap 1
[ACU2_1-wlan-view] quit

Step 5 Configure traffic policies on each interface of Switch_1.


# Configure a traffic classifier.
[Switch_1] traffic classifier service_vlan operator or precedence 50
[Switch_1-classifier-service_vlan] if-match vlan-id 428 //Configure a traffic classifier to match wireless
service VLAN.
[Switch_1-classifier-service_vlan] quit

# Configure a traffic behavior.


[Switch_1] traffic behavior Redirect_to_XGE3/0/1
[Switch_1-behavior-Redirect_to_XGE3/0/1] permit
[Switch_1-behavior-Redirect_to_XGE3/0/1] redirect interface XGigabitEthernet3/0/1
[Switch_1-behavior-Redirect_to_XGE3/0/1] quit


[Switch_1] traffic behavior Redirect_to_ETH1
[Switch_1-behavior-Redirect_to_ETH1] permit
[Switch_1-behavior-Redirect_to_ETH1] redirect interface Eth-Trunk1
[Switch_1-behavior-Redirect_to_ETH1] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] permit
[Switch_1-behavior-Redirect_to_XGE1/0/0] redirect interface XGigabitEthernet1/0/0
[Switch_1-behavior-Redirect_to_XGE1/0/0] quit
[Switch_1] traffic behavior Redirect_to_XGE1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] permit
[Switch_1-behavior-Redirect_to_XGE1/0/1] redirect interface XGigabitEthernet1/0/1
[Switch_1-behavior-Redirect_to_XGE1/0/1] quit

# Configure traffic policies.


[Switch_1] traffic policy Redirect_to_XGE3/0/1 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] classifier service_vlan behavior Redirect_to_XGE3/0/1
[Switch_1-trafficpolicy-Redirect_to_XGE3/0/1] quit
[Switch_1]traffic policy Redirect_to_ETH1 match-order config
[Switch_1-trafficpolicy-Redirect_to_ETH1] classifier service_vlan behavior Redirect_to_ETH1
[Switch_1-trafficpolicy-Redirect_to_ETH1] quit
[Switch_1] traffic policy Redirect_to_XGE1/0/0 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] classifier service_vlan behavior Redirect_to_XGE1/0/0
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/0] quit
[Switch_1]traffic policy Redirect_to_XGE1/0/1 match-order config
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] classifier service_vlan behavior Redirect_to_XGE1/0/1
[Switch_1-trafficpolicy-Redirect_to_XGE1/0/1] quit

# Apply a traffic policy to Eth-Trunk 1.


[Switch_1] interface Eth-Trunk1
[Switch_1-Eth-Trunk1] traffic-policy Redirect_to_XGE1/0/1 inbound //Redirect wireless service traffic
forwarded by ACU2 to XGE1/0/1 of Switch_1. This interface connects to GE1/0/1 of NGFW_1.
[Switch_1-Eth-Trunk1] quit

# Apply a traffic policy to XGE1/0/0.


[Switch_1] interface XGigabitEthernet 1/0/0
[Switch_1-XGigabitEthernet1/0/0] traffic-policy Redirect_to_XGE3/0/1 inbound //Redirect the wireless
traffic forwarded by NGFW to XGE3/0/1.
[Switch_1-XGigabitEthernet1/0/0] quit

# Apply a traffic policy to XGE3/0/1.


[Switch_1] interface XGigabitEthernet 3/0/1
[Switch_1-XGigabitEthernet3/0/1] traffic-policy Redirect_to_XGE1/0/0 inbound //Redirect downstream wireless
traffic to XGE1/0/0 of Switch_1. This interface connects to GE1/0/0 of NGFW_1.
[Switch_1-XGigabitEthernet3/0/1] quit

# Apply a traffic policy to XGE1/0/1.


[Switch_1] interface XGigabitEthernet 1/0/1
[Switch_1-XGigabitEthernet1/0/1] traffic-policy Redirect_to_ETH1 inbound //Redirect wireless service
traffic forwarded by NGFW to Eth-Trunk1 of Switch_1. This interface connects to Eth-Trunk1 of ACU2_1.
[Switch_1-XGigabitEthernet1/0/1] quit
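
The redirection chain in Step 5 is the part of this example that is easiest to get subtly wrong: an inbound policy on the wrong port, a redirect target that does not carry VLAN 428, or a missing am isolate leaves STA traffic stranded on an NGFW-facing port or lets it loop around the NGFW. The Python script below is an added example, not code from the Huawei documentation or from any Huawei tool. It parses a VRP-style configuration excerpt (a constructed sample copied from the Switch_1 configuration file of this example), follows the inbound traffic-policy redirects for the service VLAN through the switch and across the NGFW interface pair, and reports the upstream and downstream paths together with any NGFW-facing port that is not isolated from its peer. The NGFW pair mapping (XGE1/0/0 to XGE1/0/1) is an assumption taken from the pair-interface configuration in Step 3, and the parser understands only the commands used in this example.

```python
# Added example (not Huawei code). Constructed sample: the Switch_1 commands from
# the example that this audit needs, in the one-space block style VRP prints.
SWITCH_1_CONFIG = """\
traffic classifier service_vlan operator or precedence 50
 if-match vlan-id 428
traffic behavior Redirect_to_XGE3/0/1
 redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
 redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
 redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
 redirect interface XGigabitEthernet1/0/1
traffic policy Redirect_to_XGE3/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
 classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
 classifier service_vlan behavior Redirect_to_XGE1/0/1
interface Eth-Trunk1
 port trunk allow-pass vlan 42 428
 traffic-policy Redirect_to_XGE1/0/1 inbound
interface XGigabitEthernet1/0/0
 port trunk allow-pass vlan 428
 traffic-policy Redirect_to_XGE3/0/1 inbound
 am isolate XGigabitEthernet1/0/1
interface XGigabitEthernet1/0/1
 port trunk allow-pass vlan 428
 traffic-policy Redirect_to_ETH1 inbound
 am isolate XGigabitEthernet1/0/0
interface XGigabitEthernet3/0/1
 port trunk allow-pass vlan 428
 traffic-policy Redirect_to_XGE1/0/0 inbound
"""
# NGFW interface pair as seen by the switch (assumption from the example: module
# GE1/0/0 and GE1/0/1 appear as XGE1/0/0 and XGE1/0/1; out of one, back in the other).
NGFW_PAIR = {"XGigabitEthernet1/0/0": "XGigabitEthernet1/0/1",
             "XGigabitEthernet1/0/1": "XGigabitEthernet1/0/0"}

def parse_config(text):
    """Keyword-based parse of the commands used in the example (indentation optional)."""
    tables = {"traffic classifier": {}, "traffic behavior": {}, "traffic policy": {}, "interface": {}}
    block = None
    for line in text.splitlines():
        w = line.split()
        head = " ".join(w[:2])
        key = head if head in tables else (w[0] if w else None)
        if key in tables:                                   # a new top-level block
            name = w[2] if key.startswith("traffic") else w[1]
            block = tables[key].setdefault(name, {"vlans": set(), "isolate": set()})
        elif block is None or not w:
            continue
        elif head == "if-match vlan-id" or w[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            block["vlans"].update(int(v) for v in w if v.isdigit())
        elif head == "redirect interface":
            block["redirect"] = w[2]
        elif len(w) > 3 and w[0] == "classifier" and w[2] == "behavior":
            block["classifier"], block["behavior"] = w[1], w[3]
        elif w[0] == "traffic-policy" and w[-1] == "inbound":
            block["inbound"] = w[1]
        elif head == "am isolate":
            block["isolate"].update(w[2:])
    return tables

def trace_path(cfg, ingress, vlan, max_hops=8):
    """Follow inbound redirects; a redirect onto an NGFW port re-enters on its pair."""
    ifs, path, current = cfg["interface"], [ingress], ingress
    for _ in range(max_hops):
        policy = cfg["traffic policy"].get(ifs.get(current, {}).get("inbound"))
        if not policy or vlan not in cfg["traffic classifier"][policy["classifier"]]["vlans"]:
            return path                                     # no redirect: normal forwarding
        target = cfg["traffic behavior"][policy["behavior"]]["redirect"]
        if vlan not in ifs.get(target, {}).get("vlans", ()):
            raise ValueError(f"{target} does not allow VLAN {vlan}")
        path.append(target)
        if target not in NGFW_PAIR:
            return path                                     # real egress interface
        current = NGFW_PAIR[target]                         # frame comes back from the NGFW
        path.append(current)
    raise ValueError(f"redirect loop starting at {ingress}")

def ngfw_port_problems(cfg):
    """Each NGFW-facing port must be isolated from its pair, or the switch could
    bridge the two ports directly and form a loop through the NGFW."""
    problems = []
    for port, peer in NGFW_PAIR.items():
        if peer not in cfg["interface"].get(port, {}).get("isolate", ()):
            problems.append(f"{port}: not isolated from {peer}")
    return problems

if __name__ == "__main__":
    CFG = parse_config(SWITCH_1_CONFIG)
    print("upstream:", trace_path(CFG, "Eth-Trunk1", 428))
    print("downstream:", trace_path(CFG, "XGigabitEthernet3/0/1", 428))
    print("problems:", ngfw_port_problems(CFG))
```

For the configuration as shown, the script reports the upstream path Eth-Trunk1, XGE1/0/1, XGE1/0/0, XGE3/0/1 and the reverse path downstream, and no problems. A path whose last element is one of the NGFW ports means the traffic reaches the NGFW but is never redirected onward, which is exactly what happens if the inbound policy on XGE1/0/0 is forgotten; VLAN 42 CAPWAP traffic entering Eth-Trunk1 is left alone because the classifier matches only VLAN 428. Feeding the script the output of display current-configuration from a real Switch_1 lets you check a deployment before cutting over.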

Step 6 Verify the configuration.


# Check the configurations on Switch_1.
<Switch_1> display device
S7703's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2FW00S00 Present PowerOn Registered Normal NA
2 - ACU2 Present PowerOn Registered Normal NA
3 - ES0D0X4UXA00 Present PowerOn Registered Normal NA
4 - ES0D00MCUA00 Present PowerOn Registered Normal Master
PWR1 - - Present PowerOn Registered Normal NA
FAN1 - - Present PowerOn Registered Normal NA


# Check that the Eth-Trunk 1 status between ACU2 and Switch_1 is normal.
<ACU2_1> display interface brief | include up
PHY: Physical
*down: administratively down
(l): loopback
(s): spoofing
(b): BFD down
(e): ETHOAM down
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
XGigabitEthernet0/0/2 up up 0% 0% 0 0

# After an AP is powered on, check that the AP status is normal.


<ACU2_1> display ap all
All AP information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 9c37-f48c-0c40 0/0 normal ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1

# Check that the STAs are online.


<ACU2_1> display access-user
-----------------------------------------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------------------------------------
68 986cf56f7e20 172.16.29.254 986c-f56f-7e20 Success
-----------------------------------------------------------------------------------------------
Total: 1, printed: 1

# Check that traffic statistics on each interface of Switch_1 are correct.


<Switch_1> display interface Eth-Trunk0
Eth-Trunk0 current state : UP
Line protocol current state : UP
Description: to Core
Switch Port, Link-type : trunk(configured),
PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current BW: 40G, The Maximum
Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
Current system time: 2016-03-12 17:16:08
Last 300 seconds input rate 5128 bits/sec, 5 packets/sec
Last 300 seconds output rate 7184 bits/sec, 6 packets/sec
Input: 996134 packets, 122502357 bytes
Unicast: 871023, Multicast: 17723
Broadcast: 107988, Jumbo: 0
Discard: 0, Pause: 0
Frames: 0

Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 1085606 packets, 134379838 bytes
Unicast: 309565, Multicast: 343925
Broadcast: 432116, Jumbo: 0
Discard: 0, Pause: 0


Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
XGigabitEthernet3/0/2 UP 1
XGigabitEthernet3/0/3 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
<Switch_1> display interface Eth-Trunk1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description: to ACU_1 Slot2
Switch Port, Link-type : trunk(configured),
PVID : 1, Hash arithmetic : According to SIP-XOR-DIP,Maximal BW:40G, Current BW: 40G, The Maximum
Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is d4b1-10b3-2bde
Current system time: 2016-03-12 17:16:09
Last 300 seconds input rate 5608 bits/sec, 4 packets/sec
Last 300 seconds output rate 6480 bits/sec, 4 packets/sec
Input: 1046610 packets, 131462045 bytes
Unicast: 568448, Multicast: 41189
Broadcast: 433973, Jumbo: 333
Discard: 0, Pause: 0
Frames: 0

Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Fragments: 0
Runts: 0, DropEvents: 0
Alignments: 0, Symbols: 0
Ignoreds: 0, Frames: 0

Output: 1603637 packets, 226275601 bytes
Unicast: 1114078, Multicast: 381346
Broadcast: 108213, Jumbo: 0
Discard: 0, Pause: 0

Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0

Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
XGigabitEthernet2/0/0 UP 1
XGigabitEthernet2/0/1 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2

----End

Configuration Files
● Switch_1 configuration file


sysname Switch_1
#
vlan batch 42 428
#
traffic classifier service_vlan operator or precedence 50
if-match vlan-id 428
#
traffic behavior Redirect_to_XGE3/0/1
permit
redirect interface XGigabitEthernet3/0/1
traffic behavior Redirect_to_ETH1
permit
redirect interface Eth-Trunk1
traffic behavior Redirect_to_XGE1/0/0
permit
redirect interface XGigabitEthernet1/0/0
traffic behavior Redirect_to_XGE1/0/1
permit
redirect interface XGigabitEthernet1/0/1
#
traffic policy Redirect_to_XGE3/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE3/0/1
traffic policy Redirect_to_ETH1 match-order config
classifier service_vlan behavior Redirect_to_ETH1
traffic policy Redirect_to_XGE1/0/0 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/0
traffic policy Redirect_to_XGE1/0/1 match-order config
classifier service_vlan behavior Redirect_to_XGE1/0/1
#
interface Eth-Trunk0
description to Core
port link-type trunk
port trunk allow-pass vlan 42
#
interface Eth-Trunk1
description to ACU_1 Slot2
port link-type trunk
port trunk allow-pass vlan 42 428
traffic-policy Redirect_to_XGE1/0/1 inbound
#
interface XGigabitEthernet1/0/0
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_XGE3/0/1 inbound
carrier up-hold-time 10000
am isolate XGigabitEthernet1/0/1
#
interface XGigabitEthernet1/0/1
port link-type trunk
mac-address learning disable
port trunk allow-pass vlan 428
stp disable
traffic-policy Redirect_to_ETH1 inbound
carrier up-hold-time 10000
am isolate XGigabitEthernet1/0/0
#
interface XGigabitEthernet2/0/0
eth-trunk 1
#
interface XGigabitEthernet2/0/1
eth-trunk 1
#
interface XGigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 428
traffic-policy Redirect_to_XGE1/0/0 inbound


#
interface XGigabitEthernet3/0/2
eth-trunk 0
#
interface XGigabitEthernet3/0/3
eth-trunk 0
#
return
● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 42
#
interface Eth-Trunk0
port link-type trunk
port trunk allow-pass vlan 42
#
interface XGigabitEthernet0/0/1
eth-trunk 0
#
interface XGigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 42
port trunk allow-pass vlan 42
#
return
● ACU2_1 configuration file
#
sysname ACU2_1
#
vlan batch 42 428
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif42
ip address 172.18.255.240 255.255.255.0
dhcp select interface
#
interface Vlanif428
ip address 172.16.29.1 255.255.255.0
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 42 428
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 1
#
interface Wlan-Ess1
port hybrid pvid vlan 428
port hybrid untagged vlan 428
#
capwap source interface vlanif42
#
wlan
ap-region id 0
ap-auth-mode mac-auth
ap id 1 type-id 19 mac 9c37-f48c-0c40 sn 21023585619WF6000564
region-id 0


wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name huawei id 1
forward-mode tunnel
wlan-ess 1
ssid huawei
traffic-profile id 1
security-profile id 1
service-vlan 428
radio-profile name radio id 1
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

● NGFW_1 configuration file
#
sysname NGFW_1
#
vlan batch 428
#
pair-interface 1 GigabitEthernet1/0/0 GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/0
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 428
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 428
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
action permit
rule name policy2
source-zone untrust
destination-zone trust
action permit
#
return

2.8.2 Example for Configuring IPS Modules and NGFW Modules on a Cluster of Modular Switches

Background
The IPS module is a card providing the intrusion defense function. It provides
intrusion defense, antivirus, and anti-DDoS for IP networks.
The NGFW module functions as a next-generation firewall that provides the
firewall, NAT, and VPN functions for IP networks.
There are many methods to deploy the IPS modules and NGFW modules. This
section describes two typical methods, as summarized in Table 2-30.

Table 2-30 Deploying IPS modules and IPS/NGFW modules on switches

Method: Deploying IPS modules and NGFW modules on a Layer 2 dual-node system
and importing flows through redirection
Description: The NGFW modules work in the interface pair mode, and the flows
from switches are received by a Layer 2 Eth-Trunk. The IP address of the
firewall subinterface is the gateway address for upstream and downstream
networks.

Method: Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3
dual-node system, and importing flows based on policy routing
Description: The NGFW modules work in the routing mode, and the flows from
switches are received by a Layer 3 Eth-Trunk subinterface. The VLANIF interface
address on a switch is the gateway address for upstream and downstream
networks.

Table 2-31 lists the products and versions to which this configuration example is
applicable.

Table 2-31 Applicable products and versions

Product Model          Software Version
S7700&S9700&S12700     V200R007 and later versions
IPS Module             V100R001C30
NGFW Module            V100R001C30

2.8.2.1 Deploying IPS Modules and NGFW Modules on a Layer 2 Dual-Node System and Importing Flows Through Redirection

Networking Requirements
Two S12700s are deployed on a network shown in Figure 2-30. An NGFW module
and an IPS module are installed in slot 4 and slot 5 respectively on each S12700.
The two S12700s set up a cluster and work in hot standby mode. The IPS modules
and NGFW modules work at Layer 2. That is, they access the network
transparently.
The customer has the following requirements:
● The inter-client flows and inter-server flows within a subnet are directly
forwarded by the switches.
● The inter-client flows on different subnets and the flows between clients and
the extranet are checked by the NGFW modules.
● The flows between clients/extranet and servers and the inter-server flows on
different subnets are filtered by the IPS modules and then checked by the
NGFW modules.

Figure 2-31 shows the flow directions.

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. The ports on
the two ends of each internal Ethernet link are on the switch and IPS or NGFW module.
When the IPS module and NGFW module are connected to the switch, the internal Ethernet
interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet
interfaces on the switch depend on the slot IDs of the IPS module and NGFW module. For
example, when the IPS module is installed in slot 1, the numbers of interfaces connected to the
IPS module on the switch are XGE1/0/0 and XGE1/0/1.

Figure 2-30 Deploying IPS module and NGFW module on a Layer 2 dual-node
system and importing flows through redirection

[Figure: Switch_A and Switch_B form a CSS. IPS Module_A and IPS Module_B are
connected to the CSS through the internal interfaces XGE1/5/0/0, XGE1/5/0/1,
XGE2/5/0/0, and XGE2/5/0/1 (GE1/0/0 and GE1/0/1 on the module side), and to
each other through a heartbeat line (Eth-Trunk0, 192.168.213.5/30 and
192.168.213.6/30). NGFW Module_A and NGFW Module_B are connected to the CSS
through XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, and XGE2/4/0/1, and to each other
through a heartbeat line (Eth-Trunk0, 192.168.213.1/30 and 192.168.213.2/30).
The extranet is in VLAN 2001, clients are in VLAN 101, 102, 103 ... 126, and
servers are in VLAN 100 and 300.]

Figure 2-31 Flow direction

[Figure: extranet 10.54.1.251/29; clients 10.55.1.10/24, 10.55.1.20/24, and
10.55.2.10/24; servers 10.55.0.10/24, 10.55.0.20/24, and 10.55.200.10/24. The
panels show the following flows through the CSS, the IPS module, and the NGFW
module.]
● Inter-client flow within a subnet: directly forwarded by the switch
● Inter-client flow between subnets: checked by the NGFW module
● Flow between clients and extranet: checked by the NGFW module
● Flow between clients and servers: filtered by the IPS module first, and then
checked by the NGFW module
● Inter-server flow within a subnet: directly forwarded by the switch
● Inter-server flow between subnets: filtered by the IPS module first, and then
checked by the NGFW module
● Flow between extranet and servers: filtered by the IPS module first, and then
checked by the NGFW module
Note: To avoid intersecting lines, the locations of the IPS module and NGFW
module in the right-hand figures are exchanged.

Data Plan
Table 2-32, Table 2-33, and Table 2-34 provide the data plan.

Table 2-32 Data plan for link aggregation

Device: S12700 cluster
  Interface Number: Eth-trunk100
  Interface Description: Connected to IPS Module_A and IPS Module_B to
  transparently transmit the packets from the VLANs of clients, servers, and
  extranet
  Member Interfaces: XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1

Device: S12700 cluster
  Interface Number: Eth-trunk101
  Interface Description: Connected to NGFW Module_A and NGFW Module_B to
  transparently transmit the packets from the VLANs of clients, servers, and
  extranet
  Member Interfaces: XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0, XGE2/4/0/1

Device: NGFW Module_A
  Interface Number: Eth-trunk0
  Interface Description: Connected to NGFW Module_B through the heartbeat line
  Member Interfaces: GE0/0/1, GE0/0/2

Device: NGFW Module_A
  Interface Number: Eth-trunk1
  Interface Description: Connected to the S12700 cluster to transparently
  transmit the packets from the VLANs of clients, servers, and extranet
  Member Interfaces: GE1/0/1, GE1/0/2

Device: NGFW Module_B
  Interface Number: Eth-trunk0
  Interface Description: Connected to NGFW Module_A through the heartbeat line
  Member Interfaces: GE0/0/1, GE0/0/2

Device: NGFW Module_B
  Interface Number: Eth-trunk1
  Interface Description: Connected to the S12700 cluster to transparently
  transmit the packets from the VLANs of clients, servers, and extranet
  Member Interfaces: GE1/0/1, GE1/0/2

Device: IPS Module_A
  Interface Number: Eth-trunk0
  Interface Description: Connected to IPS Module_B through the heartbeat line
  Member Interfaces: GE0/0/1, GE0/0/2

Device: IPS Module_A
  Interface Number: Eth-trunk1
  Interface Description: Connected to the S12700 cluster to transparently
  transmit the packets from the VLANs of clients, servers, and extranet
  Member Interfaces: GE1/0/1, GE1/0/2

Device: IPS Module_B
  Interface Number: Eth-trunk0
  Interface Description: Connected to IPS Module_A through the heartbeat line
  Member Interfaces: GE0/0/1, GE0/0/2

Device: IPS Module_B
  Interface Number: Eth-trunk1
  Interface Description: Connected to the S12700 cluster to transparently
  transmit the packets from the VLANs of clients, servers, and extranet
  Member Interfaces: GE1/0/1, GE1/0/2

Table 2-33 VLAN plan

Data Remarks

100, 300 Server VLANs

101 to 126 Client VLANs

2001 Extranet VLAN

Table 2-34 IP address plan

Device          Data                             Remarks
S12700 cluster  VLANIF 100: 10.55.0.1/24         Server-side gateway
                VLANIF 300: 10.55.200.1/24
                VLANIF 101: 10.55.1.1/24         Client-side gateway
                VLANIF 102: 10.55.2.1/24
                ...
                VLANIF 126: 10.55.26.1/24
                VLANIF 2001: 10.54.1.253/29      Extranet gateway
IPS Module_A    Eth-trunk 0: 192.168.213.5/30    HRP interface
IPS Module_B    Eth-trunk 0: 192.168.213.6/30    HRP interface
NGFW Module_A   Eth-trunk 0: 192.168.213.1/30    HRP interface
NGFW Module_B   Eth-trunk 0: 192.168.213.2/30    HRP interface

Configuration Roadmap
1. Configure interfaces on NGFW Module_A and NGFW Module_B and set basic
parameters.
2. Configure NGFW Module_A and NGFW Module_B as a Layer 2 hot standby
system working in load balancing mode.
3. Configure the security service on NGFW Module_A to allow the flows from
clients, servers, and extranet to pass and prevent intrusion. The configurations
on NGFW Module_A can be automatically backed up to NGFW Module_B.
4. Configure interfaces on IPS Module_A and IPS Module_B and set basic
parameters.
5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system
working in load balancing mode.
6. Configure the security service on IPS Module_A, for example, antivirus. The
configurations on IPS Module_A can be automatically backed up to IPS
Module_B.
7. Configure the two S12700s as a cluster.
8. Implement connectivity between the S12700 cluster, the NGFW modules, and the
IPS modules.
9. Configure a traffic policy on the S12700 cluster and apply the policy to
interfaces to implement redirection.

Procedure
Step 1 Configure interfaces on NGFW modules and set basic parameters.
# Log in to the CLI of NGFW Module_A from Switch_A.
<sysname> connect slot 4

To return to the CLI of the switch, press Ctrl+D.

# Set the device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname NGFW Module_A

# Create VLANs on NGFW Module_A.
[NGFW Module_A] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_A and allow the packets from
upstream and downstream VLANs to pass.
[NGFW Module_A] interface Eth-Trunk 1
[NGFW Module_A-Eth-Trunk1] description To-master-trunk101
[NGFW Module_A-Eth-Trunk1] portswitch
[NGFW Module_A-Eth-Trunk1] port link-type trunk
[NGFW Module_A-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_A-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_A-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For
example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo
lldp enable command on the interface before adding it to an Eth-Trunk.
[NGFW Module_A] interface GigabitEthernet 1/0/0
[NGFW Module_A-GigabitEthernet1/0/0] portswitch
[NGFW Module_A-GigabitEthernet1/0/0] port link-type access
[NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/0] quit
[NGFW Module_A] interface GigabitEthernet 1/0/1
[NGFW Module_A-GigabitEthernet1/0/1] portswitch
[NGFW Module_A-GigabitEthernet1/0/1] port link-type access
[NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_A.
[NGFW Module_A] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.
[NGFW Module_A] interface Eth-Trunk 0
[NGFW Module_A-Eth-Trunk0] description hrp-interface
[NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
[NGFW Module_A-Eth-Trunk0] quit
[NGFW Module_A] interface GigabitEthernet 0/0/1
[NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/1] quit
[NGFW Module_A] interface GigabitEthernet 0/0/2
[NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_A to the security zones.
[NGFW Module_A] firewall zone trust
[NGFW Module_A-zone-trust] set priority 85
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1
[NGFW Module_A-zone-trust] quit
[NGFW Module_A] firewall zone name hrp
[NGFW Module_A-zone-hrp] set priority 75
[NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_A-zone-hrp] quit

# Log in to the CLI of NGFW Module_B from Switch_B.
<sysname> connect slot 4

# Set the device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname NGFW Module_B

# Create VLANs on NGFW Module_B.
[NGFW Module_B] vlan batch 100 to 126 300 2001

# Create Layer 2 Eth-Trunk 1 on NGFW Module_B, switch to the interface pair
mode, and allow the packets from upstream and downstream VLANs to pass.
[NGFW Module_B] interface Eth-Trunk 1
[NGFW Module_B-Eth-Trunk1] description To-master-trunk101
[NGFW Module_B-Eth-Trunk1] portswitch
[NGFW Module_B-Eth-Trunk1] port link-type trunk
[NGFW Module_B-Eth-Trunk1] undo port trunk permit vlan 1
[NGFW Module_B-Eth-Trunk1] port trunk permit vlan 100 to 126 300 2001
[NGFW Module_B-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.
[NGFW Module_B] interface GigabitEthernet 1/0/0
[NGFW Module_B-GigabitEthernet1/0/0] portswitch
[NGFW Module_B-GigabitEthernet1/0/0] port link-type access
[NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/0] quit
[NGFW Module_B] interface GigabitEthernet 1/0/1
[NGFW Module_B-GigabitEthernet1/0/1] portswitch
[NGFW Module_B-GigabitEthernet1/0/1] port link-type access
[NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/1] quit

# Create Eth-Trunk 1 interface pair on NGFW Module_B.
[NGFW Module_B] pair-interface 1 Eth-Trunk1 Eth-Trunk1

# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.
[NGFW Module_B] interface Eth-Trunk 0
[NGFW Module_B-Eth-Trunk0] description hrp-interface
[NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252
[NGFW Module_B-Eth-Trunk0] quit
[NGFW Module_B] interface GigabitEthernet 0/0/1
[NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/1] quit
[NGFW Module_B] interface GigabitEthernet 0/0/2
[NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_B to the security zones.
[NGFW Module_B] firewall zone trust
[NGFW Module_B-zone-trust] set priority 85
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1
[NGFW Module_B-zone-trust] quit
[NGFW Module_B] firewall zone name hrp
[NGFW Module_B-zone-hrp] set priority 75
[NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_B-zone-hrp] quit

Step 2 Configure hot standby for NGFW modules.

# Enable session fast backup, specify the heartbeat interface, and enable hot standby
on NGFW Module_A.
[NGFW Module_A] hrp mirror session enable
[NGFW Module_A] hrp interface Eth-Trunk 0
[NGFW Module_A] hrp loadbalance-device
[NGFW Module_A] hrp enable
# Enable session fast backup, specify heartbeat interfaces, and enable hot standby
on NGFW Module_B.
[NGFW Module_B] hrp mirror session enable
[NGFW Module_B] hrp interface Eth-Trunk 0
[NGFW Module_B] hrp loadbalance-device
[NGFW Module_B] hrp enable

Step 3 Configure the security service on the NGFW modules.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security service on NGFW Module_A.
# Configure the security policy on NGFW Module_A to allow the flows from
clients, servers, and extranet to pass and prevent intrusion.
HRP_M[NGFW Module_A] security-policy
HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16 //Subnet where clients and servers reside
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29 //Subnet of the extranet
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
HRP_M[NGFW Module_A-policy-security] quit

Step 4 Configure interfaces on IPS modules and set basic parameters.

1. Log in to the web UI through an Ethernet interface.
a. Set up a physical connection between the management PC and an IPS
module.
b. Open the browser on the management PC and access https://192.168.0.1:8443.
c. Enter the default user name admin and password Admin@123 of the
system administrator and click Login.
d. Change the password, click OK, and enter the web system.
2. Choose Network > Interface, click the edit icon of interface GE1/0/0, and set the
connection type of GE1/0/0 to access.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.
3. Click the edit icon of interface GE1/0/1 and set the connection type of GE1/0/1 to
access.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

Issue 26 (2020-02-07) Copyright © Huawei Technologies Co., Ltd. 306


S2700, S3700, S5700, S6700, S7700, and S9700
Series Switches
Typical Configuration Examples 2 Comprehensive Configuration Examples

4. Click Add, and configure Eth-Trunk 1.


The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

5. Choose Network > Interface Pair, click Add, and configure an interface pair.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as
the heartbeat interface and backup channel.

– The IP addresses of heartbeat interfaces on the IPS Modules must be in the same
network segment.
– The Eth-Trunk member interfaces on the IPS Modules must be the same.

Configure a heartbeat interface on one IPS Module.

Configure a heartbeat interface on the other IPS Module.

7. Choose System > Dual-System Hot Backup, click Edit, and configure hot
standby.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

Step 5 Configure the IPS security service, for example, antivirus.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security service on IPS Module_A.

1. Choose Object > Security Profiles > Anti-Virus.
2. Click Add and set the parameters as follows:
3. Click OK.
4. Repeat the previous steps to set the parameters of the AV_ftp profile.

Step 6 Configure a security policy for the outbound direction.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security policy on IPS Module_A.

1. Choose Policy > Security Policy.
2. Click Add.
3. Reference the antivirus profile in Add Security Policy, and set the parameters
as follows:

Name              policy_av_1
Description       Intranet-User
Interface Pair    Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.
Action            permit
Content Security  Anti-Virus: AV_http_pop3

Step 7 Configure the security policy in the direction from the external to internal servers.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security policy on IPS Module_A.

Refer to the method of configuring the security policy in the direction from
internal clients to external servers. The parameters are as follows.

Name              policy_av_2
Description       Intranet-Server
Interface Pair    Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.
Action            permit
Content Security  Anti-Virus: AV_ftp

Step 8 Configure the two S12700s as a cluster.

1. Connect cluster cables. For details, see Switch Cluster Setup Guide.
Set the cluster connection mode (for example, cluster card mode), cluster IDs,
and priorities.
# Configure the cluster on Switch_A. Retain the default cluster connection
mode (cluster card mode) and the default cluster ID 1, and set the priority to
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] set css priority 100
# Configure the cluster on Switch_B. Retain the default cluster connection
mode (cluster card mode), and set the cluster ID to 2 and the priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] set css id 2
[Switch_B] set css priority 10
# Check the cluster configuration.
Run the display css status saved command to check whether the
configurations are as expected.
Check the cluster configuration on Switch_A.
[Switch_A] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

Check the cluster configuration on Switch_B.
[Switch_B] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off
2. Enable the cluster function.
# Enable the cluster function on Switch_A and restart Switch_A. Switch_A
becomes the active switch.
[Switch_A] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
# Enable the cluster function on Switch_B and restart Switch_B.
[Switch_B] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode
is CSS card. Reboot now? [Y/N]:y
3. Check whether the cluster is set up successfully.
# View the indicator status.
The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating
that the MPU is the active MPU of the cluster and Switch_A is the master
switch.
The CSS MASTER indicator on an MPU of Switch_B is off, indicating that
Switch_B is the standby switch.
# Log in to the cluster through the console port on any MPU to check the
cluster status.
[Switch_A] display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The preceding information includes the cluster IDs, priorities, cluster
enablement status, and cluster status, indicating that the cluster is
successfully established.
# Check whether cluster links work normally.
[Switch_A] display css channel
The command output shows that all the cluster links are working normally,
indicating that the cluster is established successfully.

4. Set the cluster system name to CSS.
[Switch_A] sysname CSS
[CSS]

Step 9 Configure the interfaces and VLAN IDs on switches.

1. Create VLANs.
[CSS] vlan batch 100 to 126 128 300 2001
2. Configure upstream and downstream interfaces.
[CSS] interface GigabitEthernet 1/6/0/36 //Connected to server
[CSS-GigabitEthernet1/6/0/36] port link-type trunk
[CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0 //Connected to extranet
[CSS-GigabitEthernet2/3/0/0] port link-type trunk
[CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36 //Connected to client
[CSS-GigabitEthernet2/3/0/36] port link-type trunk
[CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
[CSS-GigabitEthernet2/3/0/36] quit
3. Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN
101, VLAN 102, and VLAN 126.
[CSS] interface vlanif 2001
[CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
[CSS-Vlanif2001] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
[CSS-Vlanif100] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
[CSS-Vlanif300] quit
[CSS] interface vlanif 101
[CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
[CSS-Vlanif102] quit
[CSS] interface vlanif 126
[CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
[CSS-Vlanif126] quit
4. Add the four interfaces connected to the NGFW module to Eth-Trunk 101 and
the four interfaces connected to the IPS module to Eth-Trunk 100.
[CSS] interface eth-trunk 101
[CSS-Eth-Trunk101] description to-ngfw
[CSS-Eth-Trunk101] port link-type trunk
[CSS-Eth-Trunk101] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk101] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk101] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
[CSS-Eth-Trunk101] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
[CSS-Eth-Trunk101] mac-address learning disable
[CSS-Eth-Trunk101] stp disable
[CSS-Eth-Trunk101] quit
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] description to-ips
[CSS-Eth-Trunk100] port link-type trunk
[CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
[CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
[CSS-Eth-Trunk100] mac-address learning disable
[CSS-Eth-Trunk100] stp disable
[CSS-Eth-Trunk100] quit

5. Set the load balancing mode on Eth-Trunks.
[CSS] load-balance-profile sec
[CSS-load-balance-profile-sec] ipv4 field sip dip
[CSS-load-balance-profile-sec] quit
[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] load-balance enhanced profile sec
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] load-balance enhanced profile sec
[CSS-Eth-Trunk100] quit
6. Configure port isolation on the interfaces between the NGFW/IPS module and
switches.
[CSS] interface Eth-Trunk 101
[CSS-Eth-Trunk101] port-isolate enable group 1
[CSS-Eth-Trunk101] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] port-isolate enable group 1
[CSS-Eth-Trunk100] quit
7. Configure unidirectional isolation between the upstream and downstream
interfaces and Eth-Trunks.
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk101 Eth-Trunk100
[CSS-GigabitEthernet2/3/0/36] quit
8. Configure traffic policies and bind them to interfaces to implement
redirection.
# Create ACLs.
[CSS] acl 3010 //Match the flows sent from clients
[CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
[CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
[CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
[CSS-acl-adv-3010] quit
[CSS] acl 3011 //Match the flows destined for clients
[CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3011] quit
[CSS] acl 3020 //Match the flows sent from servers
[CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
[CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
[CSS-acl-adv-3020] quit
[CSS] acl 3021 //Match the flows destined for servers
[CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3021] quit
[CSS] acl 3012 //Match inter-client flows within a subnet
[CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3012] quit
[CSS] acl 3022 //Match inter-server flows within a subnet
[CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3022] quit

# Configure traffic classifiers.
[CSS] traffic classifier from-office operator or precedence 80
[CSS-classifier-from-office] if-match acl 3010
[CSS-classifier-from-office] quit
[CSS] traffic classifier to-office operator or precedence 85
[CSS-classifier-to-office] if-match acl 3011
[CSS-classifier-to-office] quit
[CSS] traffic classifier from-server operator or precedence 75
[CSS-classifier-from-server] if-match acl 3020
[CSS-classifier-from-server] quit
[CSS] traffic classifier to-server operator or precedence 60
[CSS-classifier-to-server] if-match acl 3021
[CSS-classifier-to-server] quit
[CSS] traffic classifier office-office operator or precedence 40
[CSS-classifier-office-office] if-match acl 3012
[CSS-classifier-office-office] quit
[CSS] traffic classifier server-server operator or precedence 65
[CSS-classifier-server-server] if-match acl 3022
[CSS-classifier-server-server] quit

# Configure traffic behaviors.


[CSS] traffic behavior behavior1
[CSS-behavior-behavior1] permit
[CSS-behavior-behavior1] quit
[CSS] traffic behavior to-eth-trunk100
[CSS-behavior-to-eth-trunk100] permit
[CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100
[CSS-behavior-to-eth-trunk100] quit
[CSS] traffic behavior to-eth-trunk101
[CSS-behavior-to-eth-trunk101] permit
[CSS-behavior-to-eth-trunk101] redirect interface Eth-Trunk 101
[CSS-behavior-to-eth-trunk101] quit

# Bind traffic policies to interfaces.


[CSS] traffic policy ips-to-fw match-order config
[CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk101
[CSS-trafficpolicy-ips-to-fw] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound //Redirect the flows filtered by the IPS module to the NGFW module
[CSS-Eth-Trunk100] quit
[CSS] traffic policy internet-in match-order config
[CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
[CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100 //Redirect the flows from the extranet to servers to the IPS module
[CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk101 //Redirect the flows from the extranet to clients to the NGFW module
[CSS-trafficpolicy-internet-in] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] traffic policy office-out match-order config
[CSS-trafficpolicy-office-out] classifier office-office behavior behavior1 //Do not redirect the inter-client flows within a subnet
[CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100 //Redirect the flows from clients to servers to the IPS module
[CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk101 //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
[CSS-trafficpolicy-office-out] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
[CSS-GigabitEthernet2/3/0/36] quit
[CSS] traffic policy server-out match-order config
[CSS-trafficpolicy-server-out] classifier server-server behavior behavior1 //Do not redirect the inter-server flows within a subnet
[CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100 //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
[CSS-trafficpolicy-server-out] quit
[CSS] interface GigabitEthernet 1/6/0/36

[CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
[CSS-GigabitEthernet1/6/0/36] quit
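Before binding the policies it is worth checking, flow by flow, which module chain each policy actually produces, because a classifier bound in the wrong order under match-order config silently changes the path. The following Python model is an added example, not part of this Huawei document or of the switch software: the ACL numbers, classifier, behavior and policy names and the interface bindings are copied from step 8 above, while the trace helper and the sample addresses are constructed for illustration. A flow enters at its access port, may be redirected to Eth-Trunk 100 (IPS modules), and what the IPS modules hand back on Eth-Trunk 100 is matched by the ips-to-fw policy and redirected to Eth-Trunk 101 (NGFW modules), which carries no inbound policy.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Subnets used by the ACLs in step 8: client VLANs 101, 102 and 126 are shown
# explicitly in the example; 10.55.0.0/24 and 10.55.200.0/24 are the server VLANs.
CLIENT_SUBNETS = ["10.55.1.0/24", "10.55.2.0/24", "10.55.26.0/24"]
SERVER_SUBNETS = ["10.55.0.0/24", "10.55.200.0/24"]


def _in_any(ip: str, subnets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in subnets)


def _same_subnet(src: str, dst: str, subnets: List[str]) -> bool:
    # Mirrors the "permit ip source X destination X" rules of ACL 3012/3022:
    # both addresses must fall into the same listed /24.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(n) and d in ipaddress.ip_network(n)
               for n in subnets)


# ACL number -> predicate over (src, dst). Every rule is "permit", so a hit is a match.
ACLS: Dict[int, Callable[[str, str], bool]] = {
    3010: lambda s, d: _in_any(s, CLIENT_SUBNETS),          # flows sent from clients
    3011: lambda s, d: _in_any(d, CLIENT_SUBNETS),          # flows destined for clients
    3012: lambda s, d: _same_subnet(s, d, CLIENT_SUBNETS),  # inter-client, same subnet
    3020: lambda s, d: _in_any(s, SERVER_SUBNETS),          # flows sent from servers
    3021: lambda s, d: _in_any(d, SERVER_SUBNETS),          # flows destined for servers
    3022: lambda s, d: _same_subnet(s, d, SERVER_SUBNETS),  # inter-server, same subnet
}

CLASSIFIERS = {
    "from-office": 3010, "to-office": 3011, "office-office": 3012,
    "from-server": 3020, "to-server": 3021, "server-server": 3022,
}

# behavior -> redirect target (None = permit without redirection)
BEHAVIORS = {"behavior1": None,
             "to-eth-trunk100": "Eth-Trunk100",
             "to-eth-trunk101": "Eth-Trunk101"}

# All policies use "match-order config": the classifier bound first wins, so the
# precedence values given on the classifiers play no role in this model.
POLICIES = {
    "ips-to-fw":   [("to-server", "to-eth-trunk101"), ("from-server", "to-eth-trunk101")],
    "internet-in": [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("to-office", "to-eth-trunk101")],
    "office-out":  [("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
                    ("from-office", "to-eth-trunk101")],
    "server-out":  [("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
}

# Interface -> inbound policy, as bound in step 8.
INBOUND_POLICY = {
    "Eth-Trunk100": "ips-to-fw",
    "GigabitEthernet2/3/0/0": "internet-in",    # extranet
    "GigabitEthernet2/3/0/36": "office-out",    # clients
    "GigabitEthernet1/6/0/36": "server-out",    # servers
}


def apply_policy(policy: str, src: str, dst: str) -> Optional[str]:
    """Redirect target of the first matching classifier; None when the flow is
    permitted without redirection or no classifier matches."""
    for classifier, behavior in POLICIES[policy]:
        if ACLS[CLASSIFIERS[classifier]](src, dst):
            return BEHAVIORS[behavior]
    return None


def trace(ingress: str, src: str, dst: str) -> List[str]:
    """Ordered list of redirect trunks a flow passes through from its ingress port."""
    path, port, visited = [], ingress, set()
    while port in INBOUND_POLICY and port not in visited:
        visited.add(port)
        target = apply_policy(INBOUND_POLICY[port], src, dst)
        if target is None:
            break
        path.append(target)
        port = target          # the redirected flow re-enters on the trunk
    return path


if __name__ == "__main__":
    # Constructed sample flows covering the customer requirements of this example.
    for ingress, src, dst in [
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),    # client, same subnet
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.2.10"),    # client, other subnet
        ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.10"),    # client -> server
        ("GigabitEthernet1/6/0/36", "10.55.0.10", "10.55.200.10"),  # server, other subnet
        ("GigabitEthernet2/3/0/0", "10.54.1.251", "10.55.0.10"),    # extranet -> server
    ]:
        print(f"{ingress} {src} -> {dst}: {trace(ingress, src, dst) or ['forwarded directly']}")
```

The check a practitioner wants from this is the one the requirements state: flows within one client or server subnet return an empty path, inter-subnet client flows and client/extranet flows touch only Eth-Trunk101, and everything involving a server passes Eth-Trunk100 and then Eth-Trunk101. Swapping the order of the office-office and from-office lines in office-out makes the first case disappear, which is exactly the failure this model is meant to expose before traffic is cut over.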

Step 10 Verify the configuration.

# Check the configuration of the S12700 cluster.
[CSS] display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
---------- ------------ ---------------------------------------------------------
4 - ET1D2FW00S00 Present PowerOn Registered Normal NA
5 - ET1D2IPS0S00 Present PowerOn Registered Normal NA
6 - ET1D2G48SX1E Present PowerOn Registered Normal NA
7 - ET1D2X48SEC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Master
10 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Slave
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12712's Device status:
Slot Sub Type Online Power Register Status Role
---------- ------------ ---------------------------------------------------------
3 - ET1D2G48SX1E Present PowerOn Registered Normal NA
4 - ET1D2FW00S00 Present PowerOn Registered Normal NA
5 - ET1D2IPS0S00 Present PowerOn Registered Normal NA
7 - ET1D2X48SEC0 Present PowerOn Registered Normal NA
13 - ET1D2MPUA000 Present PowerOn Registered Normal Master
14 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
18 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
FAN5 - - Present PowerOn Registered Normal NA

# Check the status of the Eth-Trunks between the IPS/NGFW modules and the S12700 cluster.
[IPS Module] display interface brief | include up
2016/5/31 10:49
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk0 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
Eth-Trunk1 up up 0.01% 0.01% 0 0
GigabitEthernet1/0/0(XGE) up up 0.01% 0.01% 0 0
GigabitEthernet1/0/1(XGE) up up 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0
[NGFW Module_B] display interface brief | include up
10:56:34 2016/05/31
PHY: Physical
*down: administratively down
^down: standby down

(s): spoofing
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk0 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/2 up up 0% 0.01% 0 0
Eth-Trunk1 up up 0.01% 0.01% 0 0
GigabitEthernet1/0/0(XGE) up up 0.01% 0.01% 0 0
GigabitEthernet1/0/1(XGE) up up 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0

# Check traffic statistics on interfaces.


● The traffic statistics between clients and servers are correct.
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0.15% 0.15% 0 0
XGigabitEthernet1/5/0/0 up up 0.60% 0% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0.60% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0% 0 0
XGigabitEthernet2/5/0/1 up up 0% 0% 0 0
Eth-Trunk101 up up 0.15% 0.15% 0 0
XGigabitEthernet1/4/0/0 up up 0.60% 0% 0 0
XGigabitEthernet1/4/0/1 up up 0% 0.60% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0% 0 0
XGigabitEthernet2/4/0/1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet1/6/0/36 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/36 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif128 up up -- -- 0 0
Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0

● The traffic statistics between clients and extranet are correct.


[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block

InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0% 0% 0 0
XGigabitEthernet1/5/0/0 up up 0% 0% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0% 0 0
XGigabitEthernet2/5/0/1 up up 0% 0% 0 0
Eth-Trunk101 up up 0.12% 0.12% 0 0
XGigabitEthernet1/4/0/0 up up 0% 0% 0 0
XGigabitEthernet1/4/0/1 up up 0% 0% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0.33% 0 0
XGigabitEthernet2/4/0/1 up up 0.50% 0.17% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet2/3/0/0 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/36 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0

● The traffic statistics between servers and extranet are correct.


[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0.13% 0.13% 0 0
XGigabitEthernet1/5/0/0 up up 0.50% 0.50% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0% 0 0
XGigabitEthernet2/5/0/1 up up 0% 0% 0 0
Eth-Trunk101 up up 0.13% 0.13% 0 0
XGigabitEthernet1/4/0/0 up up 0.50% 0.50% 0 0
XGigabitEthernet1/4/0/1 up up 0% 0% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0% 0 0
XGigabitEthernet2/4/0/1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet1/6/0/36 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/0 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0
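The three checks above rely on reading the InUti/OutUti columns by eye: the IPS trunk (Eth-Trunk100) must be idle when only clients talk to the extranet and must carry traffic whenever a server is involved. The script below is an added example, not part of this Huawei document: it parses the output format of display interface brief as printed above and compares the activity of the two redirect trunks with the expected pattern, also flagging any interface with error counters. The sample output embedded in it is constructed from the client-to-extranet check above; the regular expression and the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One data row of "display interface brief": name, PHY, Protocol, InUti, OutUti,
# inErrors, outErrors. Legend lines ("*down: administratively down", "(s): spoofing")
# and the column header do not match because their second field is not up/down.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<phy>\S*(?:up|down))\s+(?P<proto>\S*(?:up|down)(?:\(s\))?)\s+"
    r"(?P<in_uti>\S+)\s+(?P<out_uti>\S+)\s+(?P<in_err>\d+)\s+(?P<out_err>\d+)$"
)


@dataclass
class IfStat:
    phy: str
    proto: str
    in_uti: Optional[float]     # percent; None where the switch prints "--"
    out_uti: Optional[float]
    in_errors: int
    out_errors: int


def _pct(field: str) -> Optional[float]:
    return None if field == "--" else float(field.rstrip("%"))


def parse_brief(text: str) -> Dict[str, IfStat]:
    """Turn display interface brief output into a per-interface table."""
    stats: Dict[str, IfStat] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            stats[m["name"]] = IfStat(m["phy"], m["proto"], _pct(m["in_uti"]),
                                      _pct(m["out_uti"]), int(m["in_err"]), int(m["out_err"]))
    return stats


# Which redirect trunk must carry traffic in each of the three checks
# (Eth-Trunk100 leads to the IPS modules, Eth-Trunk101 to the NGFW modules).
EXPECTED_ACTIVITY = {
    "clients-servers":  {"Eth-Trunk100": True,  "Eth-Trunk101": True},
    "clients-extranet": {"Eth-Trunk100": False, "Eth-Trunk101": True},
    "servers-extranet": {"Eth-Trunk100": True,  "Eth-Trunk101": True},
}


def verify_path(stats: Dict[str, IfStat], expect_active: Dict[str, bool]) -> List[str]:
    """Return a list of findings; an empty list means the statistics match."""
    problems = []
    for trunk, expected in expect_active.items():
        s = stats.get(trunk)
        if s is None:
            problems.append(f"{trunk}: not in the list of up interfaces")
            continue
        active = (s.in_uti or 0) > 0 or (s.out_uti or 0) > 0
        if active != expected:
            problems.append(f"{trunk}: {'carrying' if active else 'idle'}, "
                            f"expected {'carrying' if expected else 'idle'}")
    for name, s in stats.items():
        if s.in_errors or s.out_errors:
            problems.append(f"{name}: inErrors={s.in_errors} outErrors={s.out_errors}")
    return problems


# Constructed sample, modelled on the client-to-extranet output shown above.
SAMPLE_CLIENT_TO_EXTRANET = """\
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
(s): spoofing
InUti/OutUti: input utility/output utility
Interface                 PHY   Protocol  InUti  OutUti  inErrors  outErrors
Eth-Trunk100              up    up        0%     0%      0         0
XGigabitEthernet1/5/0/0   up    up        0%     0%      0         0
Eth-Trunk101              up    up        0.12%  0.12%   0         0
XGigabitEthernet2/4/0/1   up    up        0.50%  0.17%   0         0
GigabitEthernet2/3/0/0    up    up        5.00%  5.00%   0         0
GigabitEthernet2/3/0/36   up    up        5.00%  5.00%   0         0
NULL0                     up    up(s)     0%     0%      0         0
Vlanif101                 up    up        --     --      0         0
"""

if __name__ == "__main__":
    table = parse_brief(SAMPLE_CLIENT_TO_EXTRANET)
    print(verify_path(table, EXPECTED_ACTIVITY["clients-extranet"]) or "OK")
```

Run against a live capture, the useful signal is a non-empty list: an idle Eth-Trunk100 during the client-to-server check means the to-server classifier is not redirecting, and a busy Eth-Trunk100 during the client-to-extranet check means client traffic is reaching the IPS modules that the requirements exempt it from.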

----End

Configuration Files
● NGFW module configuration files

NGFW Module_A

#
sysname NGFW Module_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
description hrp-interface
ip address 192.168.213.1 255.255.255.252
#
interface Eth-Trunk 1
description To-master-trunk101
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone name hrp
set priority 75
add interface Eth-Trunk 0
#
security-policy
rule name policy_to_wan
source-address 10.55.0.0 16
source-address 10.54.1.248 29
profile ips default
action permit
#
return

NGFW Module_B

#
sysname NGFW Module_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
description hrp-interface
ip address 192.168.213.2 255.255.255.252
#
interface Eth-Trunk 1
description To-master-trunk101
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
#
firewall zone name hrp
set priority 75
add interface Eth-Trunk 0
#
security-policy
rule name policy_to_wan
source-address 10.55.0.0 16
source-address 10.54.1.248 29
profile ips default
action permit
#
return

● IPS module configuration files

IPS Module_A

#
sysname IPS Module_A
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
profile type av name AV_http_pop3
description http-pop3
http-detect direction download
undo ftp-detect
undo smtp-detect
pop3-detect action delete-attachment
undo imap-detect
undo nfs-detect
undo smb-detect
exception application name Netease_Webmail action allow
exception av-signature-id 1000
profile type av name AV_ftp
description ftp
undo http-detect
ftp-detect direction upload
undo smtp-detect
undo pop3-detect
undo imap-detect
undo nfs-detect
undo smb-detect
#
security-policy
rule name policy_av_1
description Intranet-User
profile av AV_http_pop3
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
rule name policy_av_2
description Intranet-Server
profile av AV_ftp
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
#
return

IPS Module_B

#
sysname IPS Module_B
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
ip address 192.168.213.6 255.255.255.252
#
interface Eth-Trunk 1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
profile type av name AV_http_pop3
description http-pop3
http-detect direction download
undo ftp-detect
undo smtp-detect
pop3-detect action delete-attachment
undo imap-detect
undo nfs-detect
undo smb-detect
exception application name Netease_Webmail action allow
exception av-signature-id 1000
profile type av name AV_ftp
description ftp
undo http-detect
ftp-detect direction upload
undo smtp-detect
undo pop3-detect
undo imap-detect
undo nfs-detect
undo smb-detect
#
security-policy
rule name policy_av_1
description Intranet-User
profile av AV_http_pop3
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
rule name policy_av_2
description Intranet-Server
profile av AV_ftp
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
#
return

● CSS configuration file


#
sysname CSS
#
vlan batch 100 to 126 128 300 2001
#
acl number 3010
rule 5 permit ip source 10.55.1.0 0.0.0.255
rule 10 permit ip source 10.55.2.0 0.0.0.255
rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3011
rule 5 permit ip destination 10.55.1.0 0.0.0.255
rule 10 permit ip destination 10.55.2.0 0.0.0.255
rule 15 permit ip destination 10.55.26.0 0.0.0.255
acl number 3012
rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3020
rule 5 permit ip source 10.55.0.0 0.0.0.255
rule 10 permit ip source 10.55.200.0 0.0.0.255
acl number 3021
rule 5 permit ip destination 10.55.0.0 0.0.0.255
rule 10 permit ip destination 10.55.200.0 0.0.0.255
acl number 3022
rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
#
traffic classifier office-office operator or precedence 40
if-match acl 3012
traffic classifier from-office operator or precedence 80
if-match acl 3010
traffic classifier from-server operator or precedence 75
if-match acl 3020
traffic classifier server-server operator or precedence 65
if-match acl 3022
traffic classifier to-office operator or precedence 85
if-match acl 3011
traffic classifier to-server operator or precedence 60
if-match acl 3021
#
traffic behavior behavior1
permit
traffic behavior to-eth-trunk100
permit
redirect interface Eth-Trunk100
traffic behavior to-eth-trunk101
permit
redirect interface Eth-Trunk101
#
traffic policy office-out match-order config
classifier office-office behavior behavior1
classifier to-server behavior to-eth-trunk100
classifier from-office behavior to-eth-trunk101
traffic policy internet-in match-order config
classifier office-office behavior behavior1
classifier to-server behavior to-eth-trunk100
classifier to-office behavior to-eth-trunk101
traffic policy ips-to-fw match-order config

classifier to-server behavior to-eth-trunk101
classifier from-server behavior to-eth-trunk101
traffic policy server-out match-order config
classifier server-server behavior behavior1
classifier from-server behavior to-eth-trunk100
#
interface Vlanif100
ip address 10.55.0.1 255.255.255.0
#
interface Vlanif101
ip address 10.55.1.1 255.255.255.0
#
interface Vlanif102
ip address 10.55.2.1 255.255.255.0
#
interface Vlanif300
ip address 10.55.200.1 255.255.255.0
#
interface Vlanif2001
ip address 10.54.1.253 255.255.255.248
#
load-balance-profile sec
#
interface Eth-Trunk100
description to-ips
port link-type trunk
mac-address learning disable
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 126 300 2001
stp disable
traffic-policy ips-to-fw inbound
load-balance enhanced profile sec
port-isolate enable group 1
#
interface Eth-Trunk101
description to-ngfw
port link-type trunk
mac-address learning disable
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 126 300 2001
stp disable
load-balance enhanced profile sec
port-isolate enable group 1
#
interface GigabitEthernet1/6/0/36
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 300
traffic-policy server-out inbound
am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2001
traffic-policy internet-in inbound
am isolate Eth-Trunk101 Eth-Trunk100
#
interface GigabitEthernet2/3/0/36
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 126
traffic-policy office-out inbound
am isolate Eth-Trunk101 Eth-Trunk100
#
interface XGigabitEthernet1/4/0/0
eth-trunk 101
#
interface XGigabitEthernet1/4/0/1

eth-trunk 101
#
interface XGigabitEthernet1/5/0/0
eth-trunk 100
#
interface XGigabitEthernet1/5/0/1
eth-trunk 100
#
interface XGigabitEthernet2/4/0/0
eth-trunk 101
#
interface XGigabitEthernet2/4/0/1
eth-trunk 101
#
interface XGigabitEthernet2/5/0/0
eth-trunk 100
#
interface XGigabitEthernet2/5/0/1
eth-trunk 100
#
return

2.8.2.2 Deploying IPS Modules at Layer 2 and NGFW Modules on a Layer 3 Dual-Node System, and Importing Flows Based on Policy Routing

Networking Requirements
Two S12700s are deployed on the network shown in Figure 2-32. An NGFW module
and an IPS module are installed in slot 4 and slot 5 respectively on each S12700.
The two S12700s set up a cluster and work in hot standby mode. The IPS modules
work at Layer 2, that is, they access the network transparently. The NGFW
modules work at Layer 3 (flows are imported at Layer 3) in active/standby mode.
The customer has the following requirements:
● The inter-client flows and inter-server flows within a subnet are directly
forwarded by the switches.
● The inter-client flows on different subnets and the flows between clients and
the extranet are checked by the NGFW modules.
● The flows between clients/extranet and servers and the inter-server flows on
different subnets are filtered by the IPS modules and then checked by the
NGFW modules.
Figure 2-33 shows the flow directions.

Each IPS/NGFW module is connected to a switch through two 20GE Ethernet links. Each internal
Ethernet link has one end on the switch and the other end on the IPS or NGFW module.
When the IPS module and NGFW module are connected to the switch, the internal Ethernet
interfaces used by the two modules are fixed as GE1/0/0 and GE1/0/1. The internal Ethernet
interface numbers on the switch depend on the slot IDs of the IPS module and NGFW module. For
example, when the IPS module is installed in slot 1, the switch interfaces connected to the
IPS module are XGE1/0/0 and XGE1/0/1.

Figure 2-32 Deploying IPS modules at Layer 2 and NGFW modules on a Layer 3
dual-node system, and importing flows based on policy routing

[Figure: the extranet (VLAN 2001) sits above the CSS formed by Switch_A and Switch_B; clients (VLAN 101, 102, 103 ... 126) and servers (VLAN 100, 300) sit below it. IPS Module_A and IPS Module_B attach to the CSS through its XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0 and XGE2/5/0/1 interfaces (module side GE1/0/0 and GE1/0/1) and are joined by a heartbeat line between their Eth-Trunk0 interfaces, 192.168.213.5/30 and 192.168.213.6/30. NGFW Module_A and NGFW Module_B attach through XGE1/4/0/0, XGE1/4/0/1, XGE2/4/0/0 and XGE2/4/0/1 and are joined by a heartbeat line between their Eth-Trunk0 interfaces, 192.168.213.1/30 and 192.168.213.2/30.]

Figure 2-33 Flow direction

[Figure: seven panels, each showing the CSS with an IPS module and an NGFW module, the extranet at 10.54.1.251/29, clients at 10.55.1.10/24, 10.55.1.20/24 and 10.55.2.10/24, and servers at 10.55.0.10/24, 10.55.0.20/24 and 10.55.200.10/24. The panels show:
● Inter-client flow within a subnet: directly forwarded by the switch
● Inter-client flow between subnets: checked by the NGFW module
● Flow between clients and the extranet: checked by the NGFW module
● Flow between clients and servers: filtered by the IPS module first, and then checked by the NGFW module
● Inter-server flow within a subnet: directly forwarded by the switch
● Inter-server flow between subnets: filtered by the IPS module first, and then checked by the NGFW module
● Flow between the extranet and servers: filtered by the IPS module first, and then checked by the NGFW module
Note: To avoid intersecting lines, the locations of the IPS module and NGFW module in the right-hand panels are exchanged.]

Data Plan
Table 2-35, Table 2-36, and Table 2-37 provide the data plan.

Table 2-35 Data plan for link aggregation

Device | Interface Number | Interface Description | Member Interface
------ | ---------------- | --------------------- | ----------------
S12700 cluster | Eth-trunk100 | Connected to IPS Module_A and IPS Module_B to transparently transmit the packets from the VLANs of clients, servers, and extranet | XGE1/5/0/0, XGE1/5/0/1, XGE2/5/0/0, XGE2/5/0/1
S12700 cluster | Eth-trunk105 | Connected to NGFW Module_A to transparently transmit the packets from VLAN 128 | XGE1/4/0/0, XGE1/4/0/1
S12700 cluster | Eth-trunk106 | Connected to NGFW Module_B to transparently transmit the packets from VLAN 128 | XGE2/4/0/0, XGE2/4/0/1
NGFW Module_A | Eth-trunk0 | Connected to NGFW Module_B through the heartbeat line | GE0/0/1, GE0/0/2
NGFW Module_A | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2
NGFW Module_B | Eth-trunk0 | Connected to NGFW Module_A through the heartbeat line | GE0/0/1, GE0/0/2
NGFW Module_B | Eth-trunk1 | Layer 3 interface connected to the S12700 cluster | GE1/0/1, GE1/0/2
IPS Module_A | Eth-trunk0 | Connected to IPS Module_B through the heartbeat line | GE0/0/1, GE0/0/2
IPS Module_A | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2
IPS Module_B | Eth-trunk0 | Connected to IPS Module_A through the heartbeat line | GE0/0/1, GE0/0/2
IPS Module_B | Eth-trunk1 | Connected to the S12700 cluster to transparently transmit the packets from the VLANs of clients, servers, and extranet | GE1/0/1, GE1/0/2

Table 2-36 VLAN plan

Data | Remarks
---- | -------
100, 300 | Server VLANs
101 to 126 | Client VLANs
128 | Layer 3 interface between the NGFW module and switch
2001 | Extranet VLAN

Table 2-37 IP address plan

Device | Data | Remarks
------ | ---- | -------
S12700 cluster | VLANIF 100: 10.55.0.1/24; VLANIF 300: 10.55.200.1/24 | Server-side gateway
S12700 cluster | VLANIF 101: 10.55.1.1/24; VLANIF 102: 10.55.2.1/24; ... ; VLANIF 126: 10.55.26.1/24 | Client-side gateway
S12700 cluster | VLANIF 128: 10.54.28.4/24 | Layer 3 interface connected to the NGFW module
S12700 cluster | VLANIF 2001: 10.54.1.253/29 | Extranet gateway
IPS Module_A | Eth-trunk 0: 192.168.213.5/30 | HRP interface
IPS Module_B | Eth-trunk 0: 192.168.213.6/30 | HRP interface
NGFW Module_A | Eth-trunk 0: 192.168.213.1/30 | HRP interface
NGFW Module_A | Eth-trunk 1.1: 10.55.28.2/24 | Master IP address of the VRRP group connected to the S12700 cluster
NGFW Module_A | 10.55.28.1 | VRRP virtual IP address
NGFW Module_B | Eth-trunk 0: 192.168.213.2/30 | HRP interface
NGFW Module_B | Eth-trunk 1.1: 10.55.28.3/24 | Backup IP address of the VRRP group connected to the S12700 cluster
NGFW Module_B | 10.55.28.1 | VRRP virtual IP address

Configuration Roadmap
1. Configure interfaces and static routes on NGFW Module_A and NGFW
Module_B and set basic parameters.
2. Configure NGFW Module_A and NGFW Module_B as a Layer 3 VRRP group
working in hot standby mode.
3. Configure the security service on NGFW Module_A to allow the flows from
clients, servers, and extranet to pass and prevent intrusion. The configurations
on NGFW Module_A can be automatically backed up to NGFW Module_B.
4. Configure interfaces on IPS Module_A and IPS Module_B and set basic
parameters.
5. Configure IPS Module_A and IPS Module_B as a Layer 2 hot standby system
working in load balancing mode.

6. Configure the security service on IPS Module_A, for example, antivirus. The
configurations on IPS Module_A can be automatically backed up to IPS
Module_B.
7. Configure the two S12700s as a cluster.
8. Implement connectivity between the S12700 cluster, the NGFW modules, and the IPS
modules.
9. Configure a routing policy on the S12700 cluster to implement redirection.

Procedure
Step 1 Configure interfaces on NGFW modules and set basic parameters.
# Log in to the CLI of NGFW Module_A from Switch_A.
<sysname> connect slot 4

To return to the CLI of the switch, press Ctrl+D.

# Set the device name on NGFW Module_A.


<sysname> system-view
[sysname] sysname NGFW Module_A

# Create VLANs on NGFW Module_A.


[NGFW Module_A] vlan batch 100 to 126 300 2001

# Create Layer 3 Eth-Trunk 1 on NGFW Module_A.


[NGFW Module_A] interface Eth-Trunk 1
[NGFW Module_A-Eth-Trunk1] description To-master-trunk105
[NGFW Module_A-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_A to Eth-Trunk 1.

Only the Layer 3 physical interfaces with empty configuration can be added to Eth-Trunks. For
example, if LLDP has been enabled on a physical interface of the NGFW module, run the undo
lldp enable command on the interface before adding it to an Eth-Trunk.
[NGFW Module_A] interface GigabitEthernet 1/0/0
[NGFW Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/0] quit
[NGFW Module_A] interface GigabitEthernet 1/0/1
[NGFW Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_A-GigabitEthernet1/0/1] quit

# Create a Layer 3 subinterface and configure a VRRP group.


[NGFW Module_A] interface Eth-Trunk 1.1
[NGFW Module_A-Eth-Trunk1.1] vlan-type dot1q 128
[NGFW Module_A-Eth-Trunk1.1] ip address 10.55.28.2 255.255.255.0
[NGFW Module_A-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 active
[NGFW Module_A-Eth-Trunk1.1] service-manage ping permit
[NGFW Module_A-Eth-Trunk1.1] quit

# Add two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.


[NGFW Module_A] interface Eth-Trunk 0
[NGFW Module_A-Eth-Trunk0] description hrp-interface
[NGFW Module_A-Eth-Trunk0] ip address 192.168.213.1 255.255.255.252
[NGFW Module_A-Eth-Trunk0] quit

[NGFW Module_A] interface GigabitEthernet 0/0/1
[NGFW Module_A-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/1] quit
[NGFW Module_A] interface GigabitEthernet 0/0/2
[NGFW Module_A-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_A-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_A to the security zone.


[NGFW Module_A] firewall zone trust
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1
[NGFW Module_A-zone-trust] add interface Eth-Trunk 1.1
[NGFW Module_A-zone-trust] quit
[NGFW Module_A] firewall zone name hrp
[NGFW Module_A-zone-hrp] set priority 75
[NGFW Module_A-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_A-zone-hrp] quit

# Configure static routes on NGFW Module_A.


[NGFW Module_A] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 //The destination address is on the external subnet
[NGFW Module_A] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 //The destination address is on the subnet where clients reside
[NGFW Module_A] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
[NGFW Module_A] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
[NGFW Module_A] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 //The destination address is on the subnet where servers reside
[NGFW Module_A] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

# Log in to the CLI of NGFW Module_B from Switch_B.


<sysname> connect slot 4

# Set the device name on NGFW Module_B.


<sysname> system-view
[sysname] sysname NGFW Module_B

# Create VLANs on NGFW Module_B.


[NGFW Module_B] vlan batch 100 to 126 300 2001

# Create Layer 3 Eth-Trunk 1 on NGFW Module_B.


[NGFW Module_B] interface Eth-Trunk 1
[NGFW Module_B-Eth-Trunk1] description To-master-trunk106
[NGFW Module_B-Eth-Trunk1] quit

# Add the internal physical interfaces on NGFW Module_B to Eth-Trunk 1.


[NGFW Module_B] interface GigabitEthernet 1/0/0
[NGFW Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/0] quit
[NGFW Module_B] interface GigabitEthernet 1/0/1
[NGFW Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[NGFW Module_B-GigabitEthernet1/0/1] quit

# Create a Layer 3 subinterface and configure a VRRP group.


[NGFW Module_B] interface Eth-Trunk 1.1
[NGFW Module_B-Eth-Trunk1.1] vlan-type dot1q 128
[NGFW Module_B-Eth-Trunk1.1] ip address 10.55.28.3 255.255.255.0
[NGFW Module_B-Eth-Trunk1.1] vrrp vrid 10 virtual-ip 10.55.28.1 standby //NGFW Module_A is the active VRRP member for this group
[NGFW Module_B-Eth-Trunk1.1] service-manage ping permit
[NGFW Module_B-Eth-Trunk1.1] quit

# Add two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.


[NGFW Module_B] interface Eth-Trunk 0
[NGFW Module_B-Eth-Trunk0] description hrp-interface


[NGFW Module_B-Eth-Trunk0] ip address 192.168.213.2 255.255.255.252


[NGFW Module_B-Eth-Trunk0] quit
[NGFW Module_B] interface GigabitEthernet 0/0/1
[NGFW Module_B-GigabitEthernet0/0/1] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/1] quit
[NGFW Module_B] interface GigabitEthernet 0/0/2
[NGFW Module_B-GigabitEthernet0/0/2] eth-trunk 0
[NGFW Module_B-GigabitEthernet0/0/2] quit

# Add the interfaces on NGFW Module_B to the security zone.


[NGFW Module_B] firewall zone trust
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1
[NGFW Module_B-zone-trust] add interface Eth-Trunk 1.1
[NGFW Module_B-zone-trust] quit
[NGFW Module_B] firewall zone name hrp
[NGFW Module_B-zone-hrp] set priority 75
[NGFW Module_B-zone-hrp] add interface Eth-Trunk 0
[NGFW Module_B-zone-hrp] quit

# Configure static routes on NGFW Module_B.


[NGFW Module_B] ip route-static 10.54.1.248 255.255.255.248 10.55.28.4 //The destination address is on the external subnet
[NGFW Module_B] ip route-static 10.55.1.0 255.255.255.0 10.55.28.4 //The destination address is on the subnet where clients reside
[NGFW Module_B] ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
[NGFW Module_B] ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
[NGFW Module_B] ip route-static 10.55.0.0 255.255.255.0 10.55.28.4 //The destination address is on the subnet where servers reside
[NGFW Module_B] ip route-static 10.55.200.0 255.255.255.0 10.55.28.4

Step 2 Configure hot standby for NGFW modules.


# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_A.
[NGFW Module_A] hrp mirror session enable
[NGFW Module_A] hrp interface Eth-Trunk 0
[NGFW Module_A] hrp loadbalance-device
[NGFW Module_A] hrp enable

# Enable session fast backup, specify heartbeat interfaces, and enable hot standby on NGFW Module_B.
[NGFW Module_B] hrp mirror session enable
[NGFW Module_B] hrp interface Eth-Trunk 0
[NGFW Module_B] hrp loadbalance-device
[NGFW Module_B] hrp enable

Step 3 Configure the security service on the NGFW modules.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security service on NGFW Module_A.

# Configure the security policy on NGFW Module_A to allow the flows from clients, servers, and the extranet to pass and to prevent intrusion.
HRP_M[NGFW Module_A] security-policy
HRP_M[NGFW Module_A-policy-security] rule name policy_to_wan
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.55.0.0 16 //Subnet where clients and servers reside
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] source-address 10.54.1.248 29 //Subnet of the extranet
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] action permit
HRP_M[NGFW Module_A-policy-security-rule-policy_to_wan] quit
HRP_M[NGFW Module_A-policy-security] quit


Step 4 Configure interfaces on IPS modules and set basic parameters.


1. Log in to the web UI through an Ethernet interface.
a. Set up a physical connection between the management PC and an IPS module.
b. Open the browser on the management PC and access https://192.168.0.1:8443.
c. Enter the default user name admin and password Admin@123 of the system administrator and click Login.
d. Change the password, click OK, and enter the web system.

2. Choose Network > Interface, click of interface GE1/0/0 and set the
connection type of GE1/0/0 to access.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

3. Click of interface GE1/0/1 and set the connection type of GE1/0/1 to access.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

4. Click Add, and configure Eth-Trunk 1.


The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.


5. Choose Network > Interface Pair, click Add, and configure an interface pair.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.

6. Click Add and bundle GE 0/0/1 and GE 0/0/2 into an Eth-Trunk interface as the heartbeat interface and backup channel.

– The IP addresses of the heartbeat interfaces on the IPS Modules must be in the same network segment.
– The Eth-Trunk member interfaces on the IPS Modules must be the same.

Configure a heartbeat interface on one IPS Module.


Configure a heartbeat interface on the other IPS Module.

7. Choose System > Dual-System Hot Backup, click Edit, and configure hot
standby.
The configurations on the two IPS Modules are the same. The following part
provides the configuration on one IPS Module.


Step 5 Configure the IPS security service, for example, antivirus.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security service on IPS Module_A.

1. Choose Object > Security Profiles > Anti-Virus.


2. Click Add and set the parameters as follows:

3. Click OK.
4. Repeat the previous steps to set the parameters of the AV_ftp profile.

Step 6 Configure a security policy for the outbound direction.


After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security policy on IPS Module_A.

1. Choose Policy > Security Policy.


2. Click Add.
3. Reference the antivirus profile in Add Security Policy, and set the parameters
as follows:

Name policy_av_1

Description Intranet-User

Interface Pair Select Eth-Trunk1->Eth-Trunk1 from the drop-down list.

Action permit

Content Security

Anti-Virus AV_http_pop3

Step 7 Configure the security policy in the direction from the external to internal servers.

After hot standby is configured, the configurations and sessions on the active
device are automatically synchronized to the standby device; therefore, you only
need to configure the security policy on IPS Module_A.

Refer to the method of configuring the security policy in the direction from
internal clients to external servers. The parameters are as follows.

Name policy_av_2

Description Intranet-Server

Interface Pair Select Eth-Trunk1<-Eth-Trunk1 from the drop-down list.

Action permit

Content Security

Anti-Virus AV_ftp

Step 8 Configure the two S12700s as a cluster.


1. Connect cluster cables. For details, see Switch Cluster Setup Guide.
Set the cluster connection mode (for example, cluster card mode), cluster IDs,
and priorities.
# Configure the cluster on Switch_A. Retain the default cluster connection
mode (cluster card mode) and the default cluster ID 1, and set the priority to
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] set css priority 100


# Configure the cluster on Switch_B. Retain the default cluster connection
mode (cluster card mode), and set the cluster ID to 2 and priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] set css id 2
[Switch_B] set css priority 10
# Check the cluster configuration.
Run the display css status saved command to check whether the
configurations are as expected.
Check the cluster configuration on Switch_A.
[Switch_A] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off

Check the cluster configuration on Switch_B.


[Switch_B] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off
2. Enable the cluster function.
# Enable the cluster function on Switch_A and restart Switch_A. Switch_A
becomes the active switch.
[Switch_A] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
# Enable the cluster function on Switch_B and restart Switch_B.
[Switch_B] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
3. Check whether the cluster is set up successfully.
# View the indicator status.
The CSS MASTER indicator on an MPU of Switch_A is steady on, indicating
that the MPU is the active MPU of the cluster and Switch_A is the master
switch.
The CSS MASTER indicator on an MPU of Switch_B is off, indicating that
Switch_B is the standby switch.
# Log in to the cluster through the console port on any MPU to check the
cluster status.
[Switch_A] display css status
CSS Enable switch On

Chassis Id   CSS Enable   CSS Status   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            On           Master       CSS card   100        Off
2            On           Standby      CSS card   10         Off
The preceding information includes the cluster IDs, priorities, cluster
enablement status, and cluster status, indicating that the cluster is
successfully established.
# Check whether cluster links work normally.
[Switch_A] display css channel
The command output shows that all the cluster links are working normally,
indicating that the cluster is established successfully.


4. Set the cluster system name to CSS.


[Switch_A] sysname CSS
[CSS]

Step 9 Configure the interfaces and VLAN IDs on switches.


1. Create VLANs.
[CSS] vlan batch 100 to 126 128 300 2001

2. Configure upstream and downstream interfaces.


[CSS] interface GigabitEthernet 1/6/0/36 //Connected to server
[CSS-GigabitEthernet1/6/0/36] port link-type trunk
[CSS-GigabitEthernet1/6/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/6/0/36] port trunk allow-pass vlan 100 300
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0 //Connected to the extranet
[CSS-GigabitEthernet2/3/0/0] port link-type trunk
[CSS-GigabitEthernet2/3/0/0] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/0] port trunk allow-pass vlan 2001
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36 //Connected to client
[CSS-GigabitEthernet2/3/0/36] port link-type trunk
[CSS-GigabitEthernet2/3/0/36] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/3/0/36] port trunk allow-pass vlan 101 to 126
[CSS-GigabitEthernet2/3/0/36] quit

3. Configure VLANIF interfaces. In this example, the VLANs of clients are VLAN
101, VLAN 102, and VLAN 126.
[CSS] interface vlanif 2001
[CSS-Vlanif2001] ip address 10.54.1.253 255.255.255.248
[CSS-Vlanif2001] quit
[CSS] interface vlanif 100
[CSS-Vlanif100] ip address 10.55.0.1 255.255.255.0
[CSS-Vlanif100] quit
[CSS] interface vlanif 300
[CSS-Vlanif300] ip address 10.55.200.1 255.255.255.0
[CSS-Vlanif300] quit
[CSS] interface Vlanif 101
[CSS-Vlanif101] ip address 10.55.1.1 255.255.255.0
[CSS-Vlanif101] quit
[CSS] interface vlanif 102
[CSS-Vlanif102] ip address 10.55.2.1 255.255.255.0
[CSS-Vlanif102] quit
[CSS] interface vlanif 126
[CSS-Vlanif126] ip address 10.55.26.1 255.255.255.0
[CSS-Vlanif126] quit
[CSS] interface vlanif 128 //Layer 3 interface connected to the NGFW module
[CSS-Vlanif128] ip address 10.55.28.4 255.255.255.0
[CSS-Vlanif128] quit

4. Add the eight interfaces between the switches and NGFW/IPS modules to
Eth-Trunk 105, Eth-Trunk 106, and Eth-Trunk 100.
[CSS] interface eth-trunk 105
[CSS-Eth-Trunk105] description to-ngfw-a
[CSS-Eth-Trunk105] port link-type trunk
[CSS-Eth-Trunk105] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk105] port trunk allow-pass vlan 128
[CSS-Eth-Trunk105] trunkport xgigabitethernet 1/4/0/0 to 1/4/0/1
[CSS-Eth-Trunk105] quit
[CSS] interface eth-trunk 106
[CSS-Eth-Trunk106] description to-ngfw-b
[CSS-Eth-Trunk106] port link-type trunk
[CSS-Eth-Trunk106] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk106] port trunk allow-pass vlan 128
[CSS-Eth-Trunk106] trunkport xgigabitethernet 2/4/0/0 to 2/4/0/1
[CSS-Eth-Trunk106] quit
[CSS] interface eth-trunk 100
[CSS-Eth-Trunk100] description to-ips


[CSS-Eth-Trunk100] port link-type trunk


[CSS-Eth-Trunk100] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk100] port trunk allow-pass vlan 100 to 126 300 2001
[CSS-Eth-Trunk100] trunkport xgigabitethernet 1/5/0/0 to 1/5/0/1
[CSS-Eth-Trunk100] trunkport xgigabitethernet 2/5/0/0 to 2/5/0/1
[CSS-Eth-Trunk100] mac-address learning disable
[CSS-Eth-Trunk100] stp disable
[CSS-Eth-Trunk100] quit

5. Set the load balancing mode on Eth-Trunks.


[CSS] load-balance-profile sec
[CSS-load-balance-profile-sec] ipv4 field sip dip
[CSS-load-balance-profile-sec] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] load-balance enhanced profile sec
[CSS-Eth-Trunk100] quit
[CSS] interface Eth-Trunk 105
[CSS-Eth-Trunk105] load-balance enhanced profile sec
[CSS-Eth-Trunk105] quit
[CSS] interface Eth-Trunk 106
[CSS-Eth-Trunk106] load-balance enhanced profile sec
[CSS-Eth-Trunk106] quit

6. Configure unidirectional isolation between the upstream and downstream interfaces and Eth-Trunks.
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] am isolate Eth-Trunk100
[CSS-GigabitEthernet1/6/0/36] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] am isolate Eth-Trunk100
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] am isolate Eth-Trunk100
[CSS-GigabitEthernet2/3/0/36] quit

7. Configure traffic policies and bind them to interfaces to implement redirection.

# Create ACLs.
[CSS] acl 3010 //Match the flows sent from clients
[CSS-acl-adv-3010] rule 5 permit ip source 10.55.1.0 0.0.0.255
[CSS-acl-adv-3010] rule 10 permit ip source 10.55.2.0 0.0.0.255
[CSS-acl-adv-3010] rule 15 permit ip source 10.55.26.0 0.0.0.255
[CSS-acl-adv-3010] quit
[CSS] acl 3011 //Match the flows destined for clients
[CSS-acl-adv-3011] rule 5 permit ip destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3011] rule 10 permit ip destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3011] rule 15 permit ip destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3011] quit
[CSS] acl 3020 //Match the flows sent from servers
[CSS-acl-adv-3020] rule 5 permit ip source 10.55.0.0 0.0.0.255
[CSS-acl-adv-3020] rule 10 permit ip source 10.55.200.0 0.0.0.255
[CSS-acl-adv-3020] quit
[CSS] acl 3021 //Match the flows destined for servers
[CSS-acl-adv-3021] rule 5 permit ip destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3021] rule 10 permit ip destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3021] quit
[CSS] acl 3012 //Match inter-client flows within a subnet
[CSS-acl-adv-3012] rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
[CSS-acl-adv-3012] rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
[CSS-acl-adv-3012] rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
[CSS-acl-adv-3012] quit
[CSS] acl 3022 //Match inter-server flows within a subnet
[CSS-acl-adv-3022] rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
[CSS-acl-adv-3022] rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
[CSS-acl-adv-3022] quit

# Configure traffic classifiers.


[CSS] traffic classifier from-office operator or precedence 80


[CSS-classifier-from-office] if-match acl 3010
[CSS-classifier-from-office] quit
[CSS] traffic classifier to-office operator or precedence 85
[CSS-classifier-to-office] if-match acl 3011
[CSS-classifier-to-office] quit
[CSS] traffic classifier from-server operator or precedence 75
[CSS-classifier-from-server] if-match acl 3020
[CSS-classifier-from-server] quit
[CSS] traffic classifier to-server operator or precedence 60
[CSS-classifier-to-server] if-match acl 3021
[CSS-classifier-to-server] quit
[CSS] traffic classifier office-office operator or precedence 40
[CSS-classifier-office-office] if-match acl 3012
[CSS-classifier-office-office] quit
[CSS] traffic classifier server-server operator or precedence 65
[CSS-classifier-server-server] if-match acl 3022
[CSS-classifier-server-server] quit

# Configure traffic behaviors.


[CSS] traffic behavior behavior1
[CSS-behavior-behavior1] permit //Do not redirect flows
[CSS-behavior-behavior1] quit
[CSS] traffic behavior to-eth-trunk100
[CSS-behavior-to-eth-trunk100] permit
[CSS-behavior-to-eth-trunk100] redirect interface Eth-Trunk 100 //Redirect flows to the IPS module
[CSS-behavior-to-eth-trunk100] quit
[CSS] traffic behavior to-eth-trunk105-6
[CSS-behavior-to-eth-trunk105-6] permit
[CSS-behavior-to-eth-trunk105-6] redirect ip-nexthop 10.55.28.1 //Redirect flows to the NGFW module (VRRP virtual IP address)
[CSS-behavior-to-eth-trunk105-6] quit

# Bind traffic policies to interfaces.


[CSS] traffic policy ips-to-fw match-order config
[CSS-trafficpolicy-ips-to-fw] classifier to-server behavior to-eth-trunk105-6
[CSS-trafficpolicy-ips-to-fw] classifier from-server behavior to-eth-trunk105-6
[CSS-trafficpolicy-ips-to-fw] quit
[CSS] interface Eth-Trunk 100
[CSS-Eth-Trunk100] traffic-policy ips-to-fw inbound //Redirect the flows filtered by the IPS module to the NGFW module
[CSS-Eth-Trunk100] quit
[CSS] traffic policy internet-in match-order config
[CSS-trafficpolicy-internet-in] classifier office-office behavior behavior1
[CSS-trafficpolicy-internet-in] classifier to-server behavior to-eth-trunk100 //Redirect the flows from the extranet to servers to the IPS module
[CSS-trafficpolicy-internet-in] classifier to-office behavior to-eth-trunk105-6 //Redirect the flows from the extranet to clients to the NGFW module
[CSS-trafficpolicy-internet-in] quit
[CSS] interface GigabitEthernet 2/3/0/0
[CSS-GigabitEthernet2/3/0/0] traffic-policy internet-in inbound
[CSS-GigabitEthernet2/3/0/0] quit
[CSS] traffic policy office-out match-order config
[CSS-trafficpolicy-office-out] classifier office-office behavior behavior1 //Do not redirect the inter-client flows within a subnet
[CSS-trafficpolicy-office-out] classifier to-server behavior to-eth-trunk100 //Redirect the flows from clients to servers to the IPS module
[CSS-trafficpolicy-office-out] classifier from-office behavior to-eth-trunk105-6 //Redirect the inter-client flows on different subnets and the flows from clients to the extranet to the NGFW module
[CSS-trafficpolicy-office-out] quit
[CSS] interface GigabitEthernet 2/3/0/36
[CSS-GigabitEthernet2/3/0/36] traffic-policy office-out inbound
[CSS-GigabitEthernet2/3/0/36] quit
[CSS] traffic policy server-out match-order config
[CSS-trafficpolicy-server-out] classifier server-server behavior behavior1 //Do not redirect the inter-server flows within a subnet
[CSS-trafficpolicy-server-out] classifier from-server behavior to-eth-trunk100 //Redirect the flows from servers to clients, the inter-server flows on different subnets, and the flows from servers to the extranet to the IPS module
[CSS-trafficpolicy-server-out] quit
[CSS] interface GigabitEthernet 1/6/0/36
[CSS-GigabitEthernet1/6/0/36] traffic-policy server-out inbound
[CSS-GigabitEthernet1/6/0/36] quit
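Because the steering in item 7 is the result of ACL wildcards, first-match classifier order (match-order config) and a second policy on the trunk the IPS hands traffic back on, it is easy to misjudge which module a flow actually passes through. The following added Python model (not Huawei code) reproduces the ACLs, classifiers, behaviors and interface bindings from the configuration above and follows a flow through the CSS; the interface names, subnets and next hop are taken from this example, while the sample flows and the extranet address are constructed.

```python
"""Offline model of the CSS traffic-steering policy configured in Step 9, item 7."""
import ipaddress
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def acl_net(addr: str, wildcard: str) -> IPv4Net:
    """Turn a Huawei ACL 'address wildcard' pair into a network (0.0.0.255 -> /24)."""
    return ipaddress.ip_network(f"{addr}/{wildcard}")


CLIENT_NETS = [acl_net("10.55.1.0", "0.0.0.255"), acl_net("10.55.2.0", "0.0.0.255"),
               acl_net("10.55.26.0", "0.0.0.255")]
SERVER_NETS = [acl_net("10.55.0.0", "0.0.0.255"), acl_net("10.55.200.0", "0.0.0.255")]

# ACLs 3010-3022 as created on the CSS. Each rule is (source, destination);
# None means the rule does not constrain that field.
ACLS = {
    3010: [(n, None) for n in CLIENT_NETS],   # flows sent from clients
    3011: [(None, n) for n in CLIENT_NETS],   # flows destined for clients
    3020: [(n, None) for n in SERVER_NETS],   # flows sent from servers
    3021: [(None, n) for n in SERVER_NETS],   # flows destined for servers
    3012: [(n, n) for n in CLIENT_NETS],      # inter-client flows within one subnet
    3022: [(n, n) for n in SERVER_NETS],      # inter-server flows within one subnet
}

# Each classifier carries one if-match acl (operator or).
CLASSIFIERS = {"from-office": 3010, "to-office": 3011, "from-server": 3020,
               "to-server": 3021, "office-office": 3012, "server-server": 3022}

BEHAVIORS = {
    "behavior1": ("permit", None),                           # forward normally
    "to-eth-trunk100": ("redirect-interface", "Eth-Trunk100"),  # IPS module
    "to-eth-trunk105-6": ("redirect-nexthop", "10.55.28.1"),    # NGFW VRRP virtual IP
}

# Traffic policies (match-order config) bound inbound: ordered classifier/behavior pairs.
POLICIES = {
    "GigabitEthernet2/3/0/0": [  # internet-in
        ("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
        ("to-office", "to-eth-trunk105-6")],
    "GigabitEthernet2/3/0/36": [  # office-out
        ("office-office", "behavior1"), ("to-server", "to-eth-trunk100"),
        ("from-office", "to-eth-trunk105-6")],
    "GigabitEthernet1/6/0/36": [  # server-out
        ("server-server", "behavior1"), ("from-server", "to-eth-trunk100")],
    "Eth-Trunk100": [  # ips-to-fw: traffic returning from the transparent IPS
        ("to-server", "to-eth-trunk105-6"), ("from-server", "to-eth-trunk105-6")],
}


def acl_permits(acl_id: int, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """A rule matches when every field it specifies matches; rules are ORed."""
    for rule_src, rule_dst in ACLS[acl_id]:
        if (rule_src is None or src in rule_src) and (rule_dst is None or dst in rule_dst):
            return True
    return False


def classify(ingress: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """First matching (classifier, behavior) of the policy bound to the ingress interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for classifier, behavior in POLICIES.get(ingress, []):
        if acl_permits(CLASSIFIERS[classifier], s, d):
            return classifier, behavior
    return None  # no classifier matched: the flow is forwarded without redirection


def service_chain(ingress: str, src: str, dst: str) -> List[str]:
    """Follow a flow through the CSS and list the security modules it traverses, in order."""
    chain: List[str] = []
    while True:
        hit = classify(ingress, src, dst)
        if hit is None:
            return chain
        action, target = BEHAVIORS[hit[1]]
        if action == "permit":
            return chain
        if action == "redirect-interface":
            # The IPS is transparent (Eth-Trunk1 -> Eth-Trunk1 interface pair), so the
            # inspected flow re-enters the CSS on Eth-Trunk100, where ips-to-fw applies.
            chain.append("IPS")
            ingress = target
            continue
        # Redirected to the NGFW VRRP address; the NGFW routes it back via VLANIF 128
        # over Eth-Trunk 105/106, which carry no traffic policy.
        chain.append("NGFW")
        return chain


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.7 stands in for an extranet host.
    for ingress, src, dst in [("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.0.20"),
                              ("GigabitEthernet2/3/0/36", "10.55.1.10", "10.55.1.20"),
                              ("GigabitEthernet2/3/0/0", "198.51.100.7", "10.55.1.10"),
                              ("GigabitEthernet1/6/0/36", "10.55.0.20", "198.51.100.7")]:
        print(f"{ingress}: {src} -> {dst}: {service_chain(ingress, src, dst) or ['direct']}")
```

A client-to-server flow is inspected by the IPS first and then by the NGFW, while same-subnet flows never leave the switch.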

Step 10 Verify the configuration.


# Check the configuration of S12700 cluster.
[CSS] display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
---------- ------------ ---------------------------------------------------------
4 - ET1D2FW00S00 Present PowerOn Registered Normal NA
5 - ET1D2IPS0S00 Present PowerOn Registered Normal NA
6 - ET1D2G48SX1E Present PowerOn Registered Normal NA
7 - ET1D2X48SEC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Master
10 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Slave
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12712's Device status :
Slot Sub Type Online Power Register Status Role
---------- ------------ ---------------------------------------------------------
3 - ET1D2G48SX1E Present PowerOn Registered Normal NA
4 - ET1D2FW00S00 Present PowerOn Registered Normal NA
5 - ET1D2IPS0S00 Present PowerOn Registered Normal NA
7 - ET1D2X48SEC0 Present PowerOn Registered Normal NA
13 - ET1D2MPUA000 Present PowerOn Registered Normal Master
14 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
18 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
FAN5 - - Present PowerOn Registered Normal NA

# Check the status of Eth-Trunks between IPS/NGFW modules and S12700 cluster.
[IPS Module] display interface brief | include up
2016/5/31 10:49
PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk0 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
Eth-Trunk1 up up 0.01% 0.01% 0 0
GigabitEthernet1/0/0(XGE) up up 0.01% 0.01% 0 0
GigabitEthernet1/0/1(XGE) up up 0% 0% 0 0
NULL0 up up(s) 0% 0% 0 0
[NGFW Module_B] display interface brief | include up
10:56:34 2016/05/31


PHY: Physical
*down: administratively down
^down: standby down
(s): spoofing
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk0 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/1 up up 0.01% 0.01% 0 0
GigabitEthernet0/0/2 up up 0% 0.01% 0 0
Eth-Trunk1 up up 0.01% 0.01% 0 0
GigabitEthernet1/0/0(XGE) up up 0.01% 0.01% 0 0
GigabitEthernet1/0/1(XGE) up up 0% 0% 0 0
Eth-Trunk1.1 up up 0.01% 0% 0 0
Eth-Trunk1.2 up up 0.01% 0% 0 0
NULL0 up up(s) 0% 0% 0 0

# Check traffic statistics on interfaces.


● The traffic statistics between clients and servers are correct.
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0.13% 0.13% 0 0
XGigabitEthernet1/5/0/0 up up 0.25% 0% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0.25% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0.25% 0 0
XGigabitEthernet2/5/0/1 up up 0.25% 0% 0 0
Eth-Trunk105 up up 0.25% 0.25% 0 0
XGigabitEthernet1/4/0/0 up up 0.25% 0% 0 0
XGigabitEthernet1/4/0/1 up up 0.25% 0.50% 0 0
Eth-Trunk106 up up 0% 0% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0% 0 0
XGigabitEthernet2/4/0/1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet1/6/0/36 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/36 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif128 up up -- -- 0 0
Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0
● The traffic statistics between clients and extranet are correct.
[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down


(e): ETHOAM down


(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0% 0% 0 0
XGigabitEthernet1/5/0/0 up up 0% 0% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0% 0 0
XGigabitEthernet2/5/0/1 up up 0% 0% 0 0
Eth-Trunk105 up up 0.25% 0.25% 0 0
XGigabitEthernet1/4/0/0 up up 0% 0.17% 0 0
XGigabitEthernet1/4/0/1 up up 0.50% 0.33% 0 0
Eth-Trunk106 up up 0% 0% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0% 0 0
XGigabitEthernet2/4/0/1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.01% 0.01% 0 0
GigabitEthernet2/3/0/0 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/36 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif128 up up -- -- 0 0
Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0

● The traffic statistics between servers and extranet are correct.


[CSS] display interface brief | include up
PHY: Physical
*down: administratively down
^down: standby
~down: LDT down
#down: LBDT down
(l): loopback
(s): spoofing
(E): E-Trunk down
(b): BFD down
(e): ETHOAM down
(dl): DLDP down
(d): Dampening Suppressed
(ld): LDT block
(lb): LBDT block
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
Eth-Trunk100 up up 0.12% 0.12% 0 0
XGigabitEthernet1/5/0/0 up up 0.50% 0.50% 0 0
XGigabitEthernet1/5/0/1 up up 0% 0% 0 0
XGigabitEthernet2/5/0/0 up up 0% 0% 0 0
XGigabitEthernet2/5/0/1 up up 0% 0% 0 0
Eth-Trunk105 up up 0.25% 0.25% 0 0
XGigabitEthernet1/4/0/0 up up 0.50% 0.50% 0 0
XGigabitEthernet1/4/0/1 up up 0% 0% 0 0
Eth-Trunk106 up up 0% 0% 0 0
XGigabitEthernet2/4/0/0 up up 0% 0% 0 0
XGigabitEthernet2/4/0/1 up up 0% 0% 0 0
Ethernet0/0/0/0 up up 0.02% 0.01% 0 0
GigabitEthernet1/6/0/36 up up 5.00% 5.00% 0 0
GigabitEthernet2/3/0/0 up up 5.00% 5.00% 0 0
NULL0 up up(s) 0% 0% 0 0
Vlanif100 up up -- -- 0 0
Vlanif101 up up -- -- 0 0
Vlanif102 up up -- -- 0 0
Vlanif126 up up -- -- 0 0
Vlanif128 up up -- -- 0 0


Vlanif300 up up -- -- 0 0
Vlanif2001 up up -- -- 0 0

----End

Configuration Files
● NGFW module configuration files


NGFW Module_A

#
sysname NGFW Module_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.1 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk105
#
interface Eth-Trunk1.1
 vlan-type dot1q 128
 ip address 10.55.28.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.55.28.1 active
 service-manage ping permit
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
 add interface Eth-Trunk1.1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
return

NGFW Module_B

#
sysname NGFW Module_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
interface Eth-Trunk 0
 description hrp-interface
 ip address 192.168.213.2 255.255.255.252
#
interface Eth-Trunk 1
 description To-master-trunk106
#
interface Eth-Trunk1.1
 vlan-type dot1q 128
 ip address 10.55.28.3 255.255.255.0
 vrrp vrid 10 virtual-ip 10.55.28.1 standby
 service-manage ping permit
#
interface GigabitEthernet 0/0/1
 eth-trunk 0
#
interface GigabitEthernet 0/0/2
 eth-trunk 0
#
interface GigabitEthernet 1/0/0
 eth-trunk 1
#
interface GigabitEthernet 1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
 add interface Eth-Trunk1.1
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk 0
#
security-policy
 rule name policy_to_wan
  source-address 10.55.0.0 16
  source-address 10.54.1.248 29
  profile ips default
  action permit
#
ip route-static 10.54.1.248 255.255.255.248 10.55.28.4
ip route-static 10.55.0.0 255.255.255.0 10.55.28.4
ip route-static 10.55.1.0 255.255.255.0 10.55.28.4
ip route-static 10.55.2.0 255.255.255.0 10.55.28.4
ip route-static 10.55.26.0 255.255.255.0 10.55.28.4
ip route-static 10.55.200.0 255.255.255.0 10.55.28.4
return

● IPS module configuration files

IPS Module_A

#
sysname IPS Module_A
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
ip address 192.168.213.5 255.255.255.252
#
interface Eth-Trunk 1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
profile type av name AV_http_pop3
description http-pop3
http-detect direction download
undo ftp-detect
undo smtp-detect
pop3-detect action delete-attachment
undo imap-detect
undo nfs-detect
undo smb-detect
exception application name Netease_Webmail action allow
exception av-signature-id 1000
profile type av name AV_ftp
description ftp
undo http-detect
ftp-detect direction upload
undo smtp-detect
undo pop3-detect
undo imap-detect
undo nfs-detect
undo smb-detect
#
security-policy
rule name policy_av_1
description Intranet-User
profile av AV_http_pop3
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
rule name policy_av_2
description Intranet-Server
profile av AV_ftp
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
#
return

IPS Module_B

#
sysname IPS Module_B
#
hrp enable
hrp loadbalance-device
hrp interface Eth-Trunk 0
#
vlan batch 100 to 126 300 2001
#
pair-interface 1 Eth-Trunk1 Eth-Trunk1
#
interface Eth-Trunk 0
ip address 192.168.213.6 255.255.255.252
#
interface Eth-Trunk 1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 100 to 126 300 2001
#
interface GigabitEthernet 0/0/1
eth-trunk 0
#
interface GigabitEthernet 0/0/2
eth-trunk 0
#
interface GigabitEthernet 1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet 1/0/1
portswitch
port link-type access
eth-trunk 1
#
profile type av name AV_http_pop3
description http-pop3
http-detect direction download
undo ftp-detect
undo smtp-detect
pop3-detect action delete-attachment
undo imap-detect
undo nfs-detect
undo smb-detect
exception application name Netease_Webmail action allow
exception av-signature-id 1000
profile type av name AV_ftp
description ftp
undo http-detect
ftp-detect direction upload
undo smtp-detect
undo pop3-detect
undo imap-detect
undo nfs-detect
undo smb-detect
#
security-policy
rule name policy_av_1
description Intranet-User
profile av AV_http_pop3
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
rule name policy_av_2
description Intranet-Server
profile av AV_ftp
pair-interface 1 Eth-Trunk 1 Eth-Trunk 1
action permit
#
return

● CSS configuration file


#
sysname CSS
#
vlan batch 100 to 126 128 300 2001
#
acl number 3010
rule 5 permit ip source 10.55.1.0 0.0.0.255
rule 10 permit ip source 10.55.2.0 0.0.0.255
rule 15 permit ip source 10.55.26.0 0.0.0.255
acl number 3011
rule 5 permit ip destination 10.55.1.0 0.0.0.255
rule 10 permit ip destination 10.55.2.0 0.0.0.255
rule 15 permit ip destination 10.55.26.0 0.0.0.255
acl number 3012
rule 5 permit ip source 10.55.1.0 0.0.0.255 destination 10.55.1.0 0.0.0.255
rule 10 permit ip source 10.55.2.0 0.0.0.255 destination 10.55.2.0 0.0.0.255
rule 15 permit ip source 10.55.26.0 0.0.0.255 destination 10.55.26.0 0.0.0.255
acl number 3020
rule 5 permit ip source 10.55.0.0 0.0.0.255
rule 10 permit ip source 10.55.200.0 0.0.0.255
acl number 3021
rule 5 permit ip destination 10.55.0.0 0.0.0.255
rule 10 permit ip destination 10.55.200.0 0.0.0.255
acl number 3022
rule 5 permit ip source 10.55.0.0 0.0.0.255 destination 10.55.0.0 0.0.0.255
rule 10 permit ip source 10.55.200.0 0.0.0.255 destination 10.55.200.0 0.0.0.255
#
traffic classifier office-office operator or precedence 40
if-match acl 3012
traffic classifier from-office operator or precedence 80
if-match acl 3010
traffic classifier from-server operator or precedence 75
if-match acl 3020
traffic classifier server-server operator or precedence 65
if-match acl 3022
traffic classifier to-office operator or precedence 85
if-match acl 3011
traffic classifier to-server operator or precedence 60
if-match acl 3021
#
traffic behavior behavior1
permit
traffic behavior to-eth-trunk100
permit
redirect interface Eth-Trunk100
traffic behavior to-eth-trunk105-6
permit
redirect ip-nexthop 10.55.28.1
#
traffic policy office-out match-order config
classifier office-office behavior behavior1
classifier to-server behavior to-eth-trunk100
classifier from-office behavior to-eth-trunk105-6
traffic policy internet-in match-order config
classifier office-office behavior behavior1
classifier to-server behavior to-eth-trunk100
classifier to-office behavior to-eth-trunk105-6
traffic policy ips-to-fw match-order config

classifier to-server behavior to-eth-trunk105-6


classifier from-server behavior to-eth-trunk105-6
traffic policy server-out match-order config
classifier server-server behavior behavior1
classifier from-server behavior to-eth-trunk100
#
interface Vlanif100
ip address 10.55.0.1 255.255.255.0
#
interface Vlanif101
ip address 10.55.1.1 255.255.255.0
#
interface Vlanif102
ip address 10.55.2.1 255.255.255.0
#
interface Vlanif128
ip address 10.55.28.4 255.255.255.0
#
interface Vlanif300
ip address 10.55.200.1 255.255.255.0
#
interface Vlanif2001
ip address 10.54.1.253 255.255.255.248
#
load-balance-profile sec
#
interface Eth-Trunk100
description to-ips
port link-type trunk
mac-address learning disable
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 126 300 2001
stp disable
traffic-policy ips-to-fw inbound
load-balance enhanced profile sec
#
interface Eth-Trunk105
description to-ngfw-a
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 128
load-balance enhanced profile sec
#
interface Eth-Trunk106
description to-ngfw-b
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 128
load-balance enhanced profile sec
#
interface GigabitEthernet1/6/0/36
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 300
traffic-policy server-out inbound
am isolate Eth-Trunk100
#
interface GigabitEthernet2/3/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2001
traffic-policy internet-in inbound
am isolate Eth-Trunk100
#
interface GigabitEthernet2/3/0/36
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 126
traffic-policy office-out inbound

am isolate Eth-Trunk100
#
interface XGigabitEthernet1/4/0/0
eth-trunk 105
#
interface XGigabitEthernet1/4/0/1
eth-trunk 105
#
interface XGigabitEthernet1/5/0/0
eth-trunk 100
#
interface XGigabitEthernet1/5/0/1
eth-trunk 100
#
interface XGigabitEthernet2/4/0/0
eth-trunk 106
#
interface XGigabitEthernet2/4/0/1
eth-trunk 106
#
interface XGigabitEthernet2/5/0/0
eth-trunk 100
#
interface XGigabitEthernet2/5/0/1
eth-trunk 100
#
return

2.8.3 Typical NGFW Module Configuration


NGFW modules are service cards used on switches. An NGFW module connects to
a switch through two 20GE Ethernet links. On these two links, the ports on one
end are located on the switch and the ports on the other end on the NGFW
module. Services must be configured on both the switch side and the NGFW
module side; otherwise, the NGFW module cannot work properly.
The minimum NGFW module card version that matches the switch is V100R001C10.
These NGFW module cards are supported on switches running V200R005C00 or
later.

2.8.3.1 Layer 2 Load-Balancing Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Redirection-based Traffic Diversion Is Implemented

Service Requirements
As shown in Figure 2-34, two switches form a CSS, and two NGFW Modules,
installed in slot 1 of the respective switches, implement hot standby. The
NGFW Modules work at Layer 2 and are transparently connected to the network.
They perform security checks on traffic sent by intranet users to the Internet.
Traffic exchanged between different VLANs does not pass through the NGFW
Modules; it is forwarded directly by the switches.
This example uses NGFW modules running V100R001C30 and switches running
V200R008C00. For configuration examples of NGFW Modules running other
versions, see the Deployment Guide (search for "Deployment Guide" in the
search bar).

Figure 2-34 Networking for Layer-2 dual-NGFW Module deployment and switch CSS
[Figure: SwitchA and SwitchB form a CSS. NGFW Module_A (GE1/0/0, GE1/0/1 to XGE1/1/0/0, XGE1/1/0/1) and NGFW Module_B (GE1/0/0, GE1/0/1 to XGE2/1/0/0, XGE2/1/0/1) are joined by a heartbeat link on Eth-Trunk0 (10.10.0.1/24 and 10.10.0.2/24). Eth-Trunk5 in VLAN 200 leads to the Internet/WAN (10.3.0.5/24); Eth-Trunk 2 serves intranet users (10.1.0.0/24, VLAN 301) and Eth-Trunk 3 the server area (10.2.0.0/24, VLAN 302).]

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The
numbering of internal Ethernet interfaces on the switch is determined by the slot in which the
NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the
switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Deployment Solution
The four interfaces connecting the switches to the NGFW modules are bundled
into an Eth-Trunk interface, and traffic is distributed between the two NGFW
Modules. The two NGFW Modules implement hot standby in Layer-2 load
balancing mode.
1. Add the four interfaces on the switches to Eth-Trunk 10 and the four
interfaces on the NGFW Modules to Eth-Trunk 1.
2. Configure redirection on the switches to direct traffic exchanged between
intranet users and the Internet to the NGFW Modules. On the NGFW Modules,
configure Eth-Trunk 1 as an interface pair (packets entering the interface are
sent back out of the same interface after being processed) so that traffic is
returned to the switches.

When the NGFW Module works in interface pair mode, loop detection must not be
enabled on the switch. If loop detection is enabled, the switch sends broadcast
packets out of the interface; because the NGFW Module works in interface pair
mode, every packet received on the interface is sent back out of the same
interface, so the switch detects a loop and shuts down the interface.
3. The NGFW Modules implement hot standby in Layer-2 load balancing mode.
Therefore, configure the VLANs of the upstream and downstream interfaces to
be tracked by hot standby.
Figure 2-35 provides the logical networking for easy understanding.
Figure 2-35 provides logical networking for easy understanding.

Figure 2-35 Configuring hot standby on the NGFW Modules
[Figure: logical view. VLANIF 200 (10.3.0.1) faces the Internet; VLANIF 301 (10.1.0.1) faces intranet users (10.1.0.0/24, VLAN 301) and VLANIF 302 (10.2.0.1) faces the server area (10.2.0.0/24, VLAN 302). Each NGFW Module attaches to the CSS through Eth-Trunk10 (switch side) and Eth-Trunk1 (module side); Eth-Trunk0 (10.10.0.1/24 and 10.10.0.2/24) is the heartbeat link between the two modules.]

Figure 2-35 shows only the interfaces related to the switches and NGFW Modules.
4. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module
into an Eth-Trunk0 interface, which functions as the heartbeat interface and
backup channel, and enable hot standby.

5. Configure security functions, such as security policies and IPS, on NGFW
Module_A. NGFW Module_A automatically synchronizes its configurations to
NGFW Module_B.

Procedure
Step 1 Complete interface and basic network configurations on NGFW Modules.
# Configure the device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname Module_A

# Create VLANs on NGFW Module_A.


[Module_A] vlan batch 200 301 to 302
[Module_A-vlan-302] quit

# Create Layer-2 Eth-Trunk 1 on NGFW Module_A and permit packets from the
upstream and downstream VLANs.
[Module_A] interface Eth-Trunk 1
[Module_A-Eth-Trunk1] description To_SwitchA_trunk10
[Module_A-Eth-Trunk1] portswitch
[Module_A-Eth-Trunk1] port link-type trunk
[Module_A-Eth-Trunk1] port trunk permit vlan 200 301 to 302
[Module_A-Eth-Trunk1] quit

# Add the interfaces connecting NGFW Module_A to its connected switch to Eth-
Trunk 1.
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] portswitch
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] portswitch
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit

# Configure Eth-Trunk 1 as an interface pair on NGFW Module_A.


[Module_A] pair-interface Eth-Trunk 1 Eth-Trunk 1

# Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.


[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] description hrp_interface
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_A to security zones.


[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-Trunk 1
[Module_A-zone-trust] quit
[Module_A] firewall zone name hrp
[Module_A-zone-hrp] set priority 75
[Module_A-zone-hrp] add interface Eth-Trunk 0
[Module_A-zone-hrp] quit

# Configure the device name on NGFW Module_B.

<sysname> system-view
[sysname] sysname Module_B

# Create VLANs on NGFW Module_B.


[Module_B] vlan batch 200 301 to 302
[Module_B-vlan-302] quit

# Create Layer-2 Eth-Trunk 1 on NGFW Module_B and permit packets from the
upstream and downstream VLANs.
[Module_B] interface Eth-Trunk 1
[Module_B-Eth-Trunk1] description To_SwitchB_trunk10
[Module_B-Eth-Trunk1] portswitch
[Module_B-Eth-Trunk1] port link-type trunk
[Module_B-Eth-Trunk1] port trunk permit vlan 200 301 to 302
[Module_B-Eth-Trunk1] quit

# Add the interfaces connecting NGFW Module_B to its connected switch to Eth-
Trunk 1.
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] portswitch
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] portswitch
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit

# Configure Eth-Trunk 1 as an interface pair on NGFW Module_B.


[Module_B] pair-interface Eth-Trunk 1 Eth-Trunk 1

# Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.


[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] description hrp_interface
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_B to security zones.


[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-Trunk 1
[Module_B-zone-trust] quit
[Module_B] firewall zone name hrp
[Module_B-zone-hrp] set priority 75
[Module_B-zone-hrp] add interface Eth-Trunk 0
[Module_B-zone-hrp] quit

Step 2 Configure hot standby on NGFW Modules.


# Enable quick session backup on NGFW Module_A.
[Module_A] hrp mirror session enable

# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable
[Module_A] hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.

# Enable quick session backup on NGFW Module_B.


[Module_B] hrp mirror session enable

# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.

After hot standby is configured, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the
intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.

Step 3 Configure security services on NGFW Modules.

# On NGFW Module_A, configure a security policy to allow intranet users to
access the Internet and configure intrusion prevention.
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_to_wan
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.2.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_A[Module_A-policy-security-rule-policy_to_wan] action permit
HRP_A[Module_A-policy-security-rule-policy_to_wan] quit
HRP_A[Module_A-policy-security] quit

In this example, the configured security policy allows intranet users to access the Internet.
To allow the Internet to access the intranet, configure a rule whose destination
address is an intranet address.

# Configure ASPF on NGFW Module_A. FTP is used as an example.


HRP_A[Module_A] firewall zone trust
HRP_A[Module_A-zone-trust] detect ftp
HRP_A[Module_A-zone-trust] quit

# Save configurations on NGFW Module_A and NGFW Module_B.


HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Step 4 Configure the core switches to form a CSS.


1. Install the hardware and connect the cables. For details, see the CSS
Installation Guide.
2. Set the CSS connection mode (such as the CSS card connection mode), CSS
ID, and CSS priority.

# Configure the CSS on SwitchA. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] set css mode css-card //Set the CSS connection mode. The default mode is CSS card connection mode.
[SwitchA] set css id 1 //Set the CSS ID. The default value is 1.
[SwitchA] set css priority 100 //Set the CSS priority. The default value is 1.

# Configure the CSS on SwitchB. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
3. Enable the CSS function.
# To use SwitchA as the active switch, enable CSS on SwitchA and then restart
SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable CSS on SwitchB and then restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
4. Check whether the CSS is established.
# Log in to the CSS from the console port of any MPU and run the following
command to view the CSS status.
<SwitchA> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two
member switches are displayed, as shown in the preceding information, the
CSS has been established.
You are advised to configure MAD to minimize the impact of a CSS split on
services. Detailed configurations will not be described here.
5. Rename the cluster system to CSS.
<SwitchA> system-view
[SwitchA] sysname CSS
[CSS]

Step 5 Configure switch interfaces and VLANs. This example describes how to configure
interoperation between the switch and NGFW modules.
1. Create VLANs.
[CSS] vlan batch 200 301 to 302
2. Configure the upstream and downstream interfaces and isolate them
unidirectionally from Eth-Trunk 10. Adding the member interfaces to the
Eth-Trunk interfaces is not described here.

[CSS] interface eth-trunk 2


[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] port trunk allow-pass vlan 301
[CSS-Eth-Trunk2] am isolate Eth-Trunk 10
[CSS-Eth-Trunk2] quit
[CSS] interface eth-trunk 3
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk3] port trunk allow-pass vlan 302
[CSS-Eth-Trunk3] am isolate Eth-Trunk 10
[CSS-Eth-Trunk3] quit
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] port link-type access
[CSS-Eth-Trunk5] port default vlan 200
[CSS-Eth-Trunk5] am isolate Eth-Trunk 10
[CSS-Eth-Trunk5] quit

3. Configure VLANIF interfaces as upstream and downstream gateways.


[CSS] interface vlanif301
[CSS-Vlanif301] ip address 10.1.0.1 24
[CSS-Vlanif301] quit
[CSS] interface vlanif302
[CSS-Vlanif302] ip address 10.2.0.1 24
[CSS-Vlanif302] quit
[CSS] interface vlanif200
[CSS-Vlanif200] ip address 10.3.0.1 24
[CSS-Vlanif200] quit

4. Add the switch interfaces connected to NGFW Module to Eth-Trunk 10.


[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] description To_Module
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1
[CSS-Eth-Trunk10] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302
[CSS-Eth-Trunk10] mac-address learning disable
[CSS-Eth-Trunk10] undo local-preference enable
[CSS-Eth-Trunk10] stp disable
[CSS-Eth-Trunk10] quit

5. Set the load balancing mode of the Eth-Trunk interface.

When traffic is forwarded from the switches to the NGFW Modules, the cross-board Eth-
Trunk distributes the traffic. To ensure that forward and return packets are forwarded by
the same NGFW Module, set the enhanced load balancing mode. In the example, the
source and destination IP addresses are used for illustration.
[CSS] load-balance-profile module
[CSS-load-balance-profile-module] ipv4 field sip dip
[CSS-load-balance-profile-module] quit
[CSS] interface Eth-Trunk 10
[CSS-Eth-Trunk10] load-balance enhanced profile module
[CSS-Eth-Trunk10] quit

6. Configure traffic policies to redirect traffic to the NGFW Modules.

# Create ACLs.
[CSS] acl 3001 //Match traffic exchanged between intranet users of different VLANs.
[CSS-acl-adv-3001] rule permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
[CSS-acl-adv-3001] rule permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
[CSS-acl-adv-3001] quit
[CSS] acl 3002 //Match traffic sent by intranet users to access the Internet.
[CSS-acl-adv-3002] rule permit ip source 10.1.0.0 0.0.0.255
[CSS-acl-adv-3002] rule permit ip source 10.2.0.0 0.0.0.255
[CSS-acl-adv-3002] quit

[CSS] acl 3004 //Match traffic from the Internet to the intranet.
[CSS-acl-adv-3004] rule permit ip destination 10.1.0.0 0.0.0.255
[CSS-acl-adv-3004] rule permit ip destination 10.2.0.0 0.0.0.255
[CSS-acl-adv-3004] quit

# Configure the switch to forward traffic exchanged between intranet users
directly, without redirecting it, and to redirect traffic sent by the intranet
to the Internet to the NGFW Modules.
[CSS] traffic classifier classifier1 precedence 5
[CSS-classifier-classifier1] if-match acl 3001
[CSS-classifier-classifier1] quit
[CSS] traffic behavior behavior1 //Permit traffic exchanged between intranet users.
[CSS-behavior-behavior1] permit
[CSS-behavior-behavior1] quit
[CSS] traffic classifier classifier2 precedence 10
[CSS-classifier-classifier2] if-match acl 3002
[CSS-classifier-classifier2] quit
[CSS] traffic behavior behavior2 //Redirect the traffic from the intranet to the Internet to the interface connecting the switch to the NGFW Module.
[CSS-behavior-behavior2] redirect interface Eth-Trunk 10
[CSS-behavior-behavior2] quit
[CSS] traffic policy policy1 //Configure a traffic policy.
[CSS-trafficpolicy-policy1] classifier classifier1 behavior behavior1
[CSS-trafficpolicy-policy1] classifier classifier2 behavior behavior2
[CSS-trafficpolicy-policy1] quit
[CSS] interface Eth-Trunk 2
[CSS-Eth-Trunk2] traffic-policy policy1 inbound
[CSS-Eth-Trunk2] quit
[CSS] interface Eth-Trunk 3
[CSS-Eth-Trunk3] traffic-policy policy1 inbound
[CSS-Eth-Trunk3] quit

# Configure the switch to redirect the traffic from the Internet to the intranet
to the NGFW Module.
[CSS] traffic classifier classifier4
[CSS-classifier-classifier4] if-match acl 3004
[CSS-classifier-classifier4] quit
[CSS] traffic behavior behavior4 //Redirect the traffic from the Internet to the intranet to the interface connecting the switch to the NGFW Module.
[CSS-behavior-behavior4] redirect interface Eth-Trunk 10
[CSS-behavior-behavior4] quit
[CSS] traffic policy policy2 //Configure a traffic policy.
[CSS-trafficpolicy-policy2] classifier classifier4 behavior behavior4
[CSS-trafficpolicy-policy2] quit
[CSS] interface Eth-Trunk 5
[CSS-Eth-Trunk5] traffic-policy policy2 inbound
[CSS-Eth-Trunk5] quit

7. Configure a static route.

Although redirection policies are configured, the switch still looks up the routing table to
complete Layer-3 forwarding after receiving packets. The outbound interface of the packets,
however, is determined by the redirection policy.
In this example, when the switch receives a packet from the intranet to the Internet, it first
looks up the routing table, changes the VLAN tag from 301 or 302 to 200 based on the
default route, and then forwards the packet to the NGFW Module. When it receives a packet
from the Internet to the intranet, it changes the VLAN tag from 200 to 301 or 302 based on
the direct route and then forwards the packet to the NGFW Module.
If no routing entry is matched, the switch forwards the packet based on the redirection
policy without changing the VLAN tag.

# Configure a default route to the Internet.

[CSS] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

----End
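To check which flows the redirection policies of Step 5 actually send to the NGFW Modules, and which ones (such as traffic between VLAN 301 and VLAN 302) stay on the switch and are therefore never inspected by the IPS profile, the following Python model is added here; it is not part of this guide or of Huawei's software. It reproduces ACLs 3001, 3002 and 3004 and the policy bindings above, and assumes that within a traffic policy the classifier with the lower precedence value is evaluated first.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (network, wildcard mask) exactly as written in a Huawei advanced ACL rule.
Match = Tuple[str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class AclRule:
    """One 'rule permit ip [source ...] [destination ...]' line; None means any."""
    source: Optional[Match] = None
    destination: Optional[Match] = None

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.source is None or wildcard_match(src, *self.source)
        dst_ok = self.destination is None or wildcard_match(dst, *self.destination)
        return src_ok and dst_ok


USERS = ("10.1.0.0", "0.0.0.255")    # VLAN 301, intranet users
SERVERS = ("10.2.0.0", "0.0.0.255")  # VLAN 302, server area

# ACLs 3001, 3002 and 3004 as created in Step 5, sub-step 6.
ACLS: Dict[int, List[AclRule]] = {
    3001: [AclRule(USERS, SERVERS), AclRule(SERVERS, USERS)],         # intranet <-> intranet
    3002: [AclRule(source=USERS), AclRule(source=SERVERS)],            # intranet -> Internet
    3004: [AclRule(destination=USERS), AclRule(destination=SERVERS)],  # Internet -> intranet
}

REDIRECT = "redirect Eth-Trunk 10"   # behavior2 / behavior4: handed to the NGFW Modules
PERMIT = "permit"                    # behavior1: forwarded by the switch itself

# Traffic policies as (classifier precedence, ACL number, behavior).  Assumption
# (not stated on the page): within a policy the classifier with the lower
# precedence value is evaluated first, which is what classifier1 (5) being matched
# before classifier2 (10) relies on.  classifier4 has no precedence on the page;
# 0 is a placeholder, as it is the only classifier in policy2.
POLICIES: Dict[str, List[Tuple[int, int, str]]] = {
    "policy1": [(5, 3001, PERMIT), (10, 3002, REDIRECT)],
    "policy2": [(0, 3004, REDIRECT)],
}

# Inbound policy bindings from Step 5, sub-step 6.
INTERFACE_POLICY = {"Eth-Trunk 2": "policy1", "Eth-Trunk 3": "policy1",
                    "Eth-Trunk 5": "policy2"}


def evaluate_policy(policy_name: str, src: str, dst: str) -> str:
    """First matching classifier wins; with no match the switch forwards normally."""
    for _, acl, behavior in sorted(POLICIES[policy_name], key=lambda c: c[0]):
        if any(rule.matches(src, dst) for rule in ACLS[acl]):
            return behavior
    return "forward"


def forwarding_decision(ingress: str, src: str, dst: str) -> str:
    """Decision for a packet entering the CSS on `ingress` with the given addresses."""
    return evaluate_policy(INTERFACE_POLICY[ingress], src, dst)


def flows_bypassing_ngfw(flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Audit helper: flows (ingress, src, dst) that never reach the NGFW Modules and
    so are not inspected by the IPS profile attached to policy_to_wan."""
    return [f for f in flows if forwarding_decision(*f) != REDIRECT]


if __name__ == "__main__":
    # Constructed sample flows using the addresses from this example.
    sample = [
        ("Eth-Trunk 2", "10.1.0.10", "3.3.3.3"),    # user -> Internet: inspected
        ("Eth-Trunk 2", "10.1.0.10", "10.2.0.20"),  # user -> server: switched directly
        ("Eth-Trunk 5", "3.3.3.3", "10.1.0.10"),    # Internet -> user: inspected
    ]
    for flow in sample:
        print(flow, "->", forwarding_decision(*flow))
    print("bypassing NGFW:", flows_bypassing_ngfw(sample))
```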

Verification
1. Run the display hrp state command on NGFW Module_A to check the
current HRP status. If the following output is displayed, an HRP relationship is
successfully established.
HRP_A[Module_A] display hrp state
The firewall's config state is: ACTIVE

Backup channel usage: 0.01%


Time elapsed after the last switchover: 0 days, 0 hours, 36 minutes
Current state of interfaces tracked by active:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up
Current state of interfaces tracked by standby:
Eth-trunk1 (VLAN 200) : up
Eth-trunk1 (VLAN 301) : up
Eth-trunk1 (VLAN 302) : up

2. Check whether the access from the intranet to the Internet succeeds and
check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

According to the preceding output, NGFW Module_A has created a session
entry for the access from the intranet to the Internet. A session entry with the
Remote tag exists on NGFW Module_B, which indicates that session backup
succeeds after you configure hot standby.
3. Configure a PC in the Trust zone to ping the public address continuously and run
the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the
status switchover of the NGFW Modules and the number of discarded ping packets. If the
switchover is normal, NGFW Module_B becomes active and carries the
services. No or only a few ping packets (1 to 3, depending on the actual
network environment) are discarded.
Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and
check the status switchover of the NGFW Modules and the discarded ping packets again.
If the switchover is normal, NGFW Module_A becomes active and
starts to carry services after the preemption delay (60s by default) expires. No
or only a few ping packets (1 to 3, depending on the actual network
environment) are discarded.

Configuration Scripts
Configuration scripts of the NGFW Modules:

NGFW Module_A:

#
sysname Module_A
#
hrp mirror session enable
hrp enable
hrp interface Eth-Trunk0
hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.
#
vlan batch 200 301 to 302
#
pair-interface Eth-Trunk1 Eth-Trunk1
#
vlan 200
hrp track active
hrp track standby
Eth-Trunk1
#
vlan 301
hrp track active
hrp track standby
Eth-Trunk1
#
vlan 302
hrp track active
hrp track standby
Eth-Trunk1
#
interface Eth-Trunk0
description hrp_interface
ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
description To_SwitchA_trunk10
portswitch
port link-type trunk
port trunk permit vlan 200 301 to 302
#
interface GigabitEthernet0/0/1
eth-trunk 0
#
interface GigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet1/0/0
portswitch
eth-trunk 1
#
interface GigabitEthernet1/0/1
portswitch
eth-trunk 1
#
firewall zone trust
set priority 85
detect ftp
add interface Eth-Trunk1
#
firewall zone name hrp
set priority 75
add interface Eth-Trunk0
#
security-policy
rule name policy_to_wan
source-address 10.1.0.0 mask 255.255.255.0
source-address 10.2.0.0 mask 255.255.255.0
profile ips default
action permit
#
return

NGFW Module_B:

#
sysname Module_B
#
hrp mirror session enable
hrp enable
hrp interface Eth-Trunk0
hrp loadbalance-device //This command is required only in versions earlier than V100R001C30SPC300.
#
vlan batch 200 301 to 302
#
pair-interface Eth-Trunk1 Eth-Trunk1
#
vlan 200
hrp track active
hrp track standby
Eth-Trunk1
#
vlan 301
hrp track active
hrp track standby
Eth-Trunk1
#
vlan 302
hrp track active
hrp track standby
Eth-Trunk1
#
interface Eth-Trunk0
description hrp_interface
ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
description To_SwitchB_trunk10
portswitch
port link-type trunk
port trunk permit vlan 200 301 to 302
#
interface GigabitEthernet0/0/1
eth-trunk 0
#
interface GigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet1/0/0
portswitch
eth-trunk 1
#
interface GigabitEthernet1/0/1
portswitch
eth-trunk 1
#
firewall zone trust
set priority 85
detect ftp
add interface Eth-Trunk1
#
firewall zone name hrp
set priority 75
add interface Eth-Trunk0
#
security-policy
rule name policy_to_wan
source-address 10.1.0.0 mask 255.255.255.0
source-address 10.2.0.0 mask 255.255.255.0
profile ips default
action permit
#
return

Configuration script of CSS:


# ----Traffic diversion configuration----
load-balance-profile module
#
vlan batch 200 301 to 302
#
acl number 3001
rule 5 permit ip source 10.1.0.0 0.0.0.255 destination 10.2.0.0 0.0.0.255
rule 10 permit ip source 10.2.0.0 0.0.0.255 destination 10.1.0.0 0.0.0.255
acl number 3002
rule 5 permit ip source 10.1.0.0 0.0.0.255
rule 10 permit ip source 10.2.0.0 0.0.0.255
acl number 3004
rule 5 permit ip destination 10.1.0.0 0.0.0.255
rule 10 permit ip destination 10.2.0.0 0.0.0.255
#
traffic classifier classifier1 operator or precedence 5
if-match acl 3001
traffic classifier classifier2 operator or precedence 10
if-match acl 3002
traffic classifier classifier4 operator or precedence 15
if-match acl 3004
#
traffic behavior behavior1
permit
traffic behavior behavior2
permit
redirect interface Eth-Trunk10
traffic behavior behavior4
permit
redirect interface Eth-Trunk10
#
traffic policy policy1 match-order config
classifier classifier1 behavior behavior1
classifier classifier2 behavior behavior2
traffic policy policy2 match-order config
classifier classifier4 behavior behavior4
#
interface Vlanif200
ip address 10.3.0.1 255.255.255.0
#
interface Vlanif301
ip address 10.1.0.1 255.255.255.0
#
interface Vlanif302
ip address 10.2.0.1 255.255.255.0
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301
am isolate Eth-Trunk 10
traffic-policy policy1 inbound
#
interface Eth-Trunk3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 302
am isolate Eth-Trunk 10
traffic-policy policy1 inbound
#
interface Eth-Trunk5
port default vlan 200
am isolate Eth-Trunk 10
traffic-policy policy2 inbound
#
interface Eth-Trunk10
description To_Module
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200 301 to 302
mac-address learning disable
stp disable
load-balance enhanced profile module
undo local-preference enable
#
interface XGigabitEthernet1/1/0/0
eth-trunk 10
#
interface XGigabitEthernet1/1/0/1
eth-trunk 10
#
interface xgigabitethernet1/1/0/2
eth-trunk 2
#
interface xgigabitethernet1/1/0/3
eth-trunk 3
#
interface xgigabitethernet1/1/0/5
eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
eth-trunk 10
#
interface XGigabitEthernet2/1/0/1
eth-trunk 10
#
interface xgigabitethernet2/1/0/2
eth-trunk 2
#
interface xgigabitethernet2/1/0/3
eth-trunk 3
#
interface xgigabitethernet2/1/0/5
eth-trunk 5
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#
return

2.8.3.2 Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where Static Route-based Traffic Diversion Is Implemented

Service Requirements
As shown in Figure 2-36, two switches are deployed in a CSS and an NGFW
Module is installed in slot 1 of each switch. The two NGFW Modules are
required to implement hot standby and perform security detection on traffic
passing through the switches. The two NGFW Modules work in active/standby mode.
This example uses NGFW Modules running V100R001C30 and switches running
V200R008C00. For the configuration examples of NGFW Modules running other
versions, see the Deployment Guide. You can search for "Deployment Guide" in the
search bar.

Figure 2-36 Networking for Layer-3 dual-NGFW Module deployment and switch CSS
[Figure: SwitchA and SwitchB form a CSS with an uplink to the Internet/WAN. NGFW Module_A connects to the CSS through Eth-Trunk 5 and NGFW Module_B through Eth-Trunk 6, each using the subinterfaces Eth-Trunk1.1 (untrust), Eth-Trunk1.2 (trust), and Eth-Trunk1.3 (dmz). Eth-Trunk0 on Module_A (10.10.0.1/24) and on Module_B (10.10.0.2/24) form the heartbeat link, labelled Eth-Trunk 4. Eth-Trunk 2 connects to the trust network 192.168.1.0/24 and Eth-Trunk 3 to the dmz network 192.168.2.0/24.]

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The
numbering of internal Ethernet interfaces on the switch is determined by the slot in which the
NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the
switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Data Planning
Item: Hot standby
Data: NGFW Module_A: active; NGFW Module_B: standby
Description: -

Item: NAT
Data: Source NAT type: PAT; NAT address pool: 1.1.1.1 to 1.1.1.2
Description: The source address is automatically translated for Internet access from a specified private subnet.

Item: NAT Server
Data: Global address: 1.1.1.3; Inside address: 192.168.2.8
Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy
Data: Policy 1: policy_sec1; Source security zone: Trust; Destination security zone: Untrust; Source IP address: 192.168.1.0; Action: permit
Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.

Item: Security policy
Data: Policy 2: policy_sec2; Source security zone: Untrust; Destination security zone: DMZ; Destination IP address: 192.168.2.0; Action: permit
Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution
1. The two NGFW Modules form a hot standby pair. The switch diverts the
passing traffic to the NGFW Module through a static route. After performing
a security check on the traffic, the NGFW Module returns the traffic to the
switch through a static route.
Configure VRF on the switches to virtualize them as virtual switch
Public, which connects to the public network (no VPN instance needs to be
configured), and virtual switches trust and dmz, which connect to the
Trust zone and DMZ respectively. Figure 2-37 shows the networking. The virtual
switches are isolated from each other, so traffic leaving a virtual switch is
forwarded to the NGFW Modules.

Figure 2-37 Configuring VRF on switches
[Figure: the virtual switches Public, trust, and dmz on SwitchA and SwitchB, with NGFW Module_A and NGFW Module_B connecting them.]

2. Figure 2-37 can be abstracted as Figure 2-38. The NGFW Modules use static
routes to reach the upstream and downstream devices. Therefore, configure
VRRP groups on the NGFW Modules so that the switches communicate with the
virtual IP addresses of the VRRP groups on the NGFW Modules.
On the NGFW Module, configure a default route to the Internet with the
next-hop address set to the IP address of VLANIF201, and configure a specific route
to the intranet with the next-hop address set to the IP address of VLANIF202.
Figure 2-38 shows the networking. On the virtual
switch Public, configure static routes to the Trust zone and DMZ and set the
next-hop address to the virtual IP address of VRRP group 1. On the virtual switch
trust, configure a default route to the Internet and set the next-hop address
to the virtual IP address of VRRP group 2. On the virtual switch dmz, configure a
default route to the Internet and set the next-hop address to the virtual IP address of
VRRP group 3.

Figure 2-38 Configuring VRRP groups on the NGFW Modules and static routes on the switches
[Figure: On the Public virtual switch, VLANIF 201 (10.3.1.4/24, VLAN 201) reaches VRRP group 1 (virtual IP 10.3.1.1/24) on Eth-Trunk1.1 of NGFW Module_A (10.3.1.2/24, active) and NGFW Module_B (10.3.1.3/24, standby) over Eth-Trunk5 and Eth-Trunk6. On the trust virtual switch, VLANIF 202 (10.3.2.4/24, VLAN 202) reaches VRRP group 2 (10.3.2.1/24) on Eth-Trunk1.2 (10.3.2.2/24 active, 10.3.2.3/24 standby). On the dmz virtual switch, VLANIF 203 (10.3.3.4/24, VLAN 203) reaches VRRP group 3 (10.3.3.1/24) on Eth-Trunk1.3 (10.3.3.2/24 active, 10.3.3.3/24 standby). Eth-Trunk0 (10.10.0.1/24 on Module_A, 10.10.0.2/24 on Module_B) is the heartbeat link. Legend: static route, trust zone traffic, dmz zone traffic.]

Figure 2-38 lists only the switch interfaces involved in the connection with the NGFW
Modules.
3. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module
into an Eth-Trunk0 interface, which functions as the heartbeat interface and
backup channel, and enable hot standby.
4. Configure security functions, such as security policies, NAT policies, and IPS, on
NGFW Module_A. NGFW Module_A automatically synchronizes its
configurations to NGFW Module_B.

Procedure
Step 1 Complete interface and basic network configurations on NGFW Modules.
# Configure the device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname Module_A

# Configure IP addresses for the interfaces on NGFW Module_A.
[Module_A] interface Eth-trunk 1
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit
[Module_A] interface Eth-trunk 1.1
[Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
[Module_A-Eth-Trunk1.1] vlan-type dot1q 201
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk 1.2
[Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
[Module_A-Eth-Trunk1.2] vlan-type dot1q 202
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk 1.3
[Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
[Module_A-Eth-Trunk1.3] vlan-type dot1q 203
[Module_A-Eth-Trunk1.3] quit
[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_A to security zones.
[Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-trunk 1.1
[Module_A-zone-untrust] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-trunk 1.2
[Module_A-zone-trust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-trunk 1.3
[Module_A-zone-dmz] quit
[Module_A] firewall zone name hrpzone
[Module_A-zone-hrpzone] set priority 65
[Module_A-zone-hrpzone] add interface Eth-Trunk 0
[Module_A-zone-hrpzone] quit

# Configure the device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname Module_B

# Configure IP addresses for the interfaces on NGFW Module_B.
[Module_B] interface Eth-Trunk 1
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit
[Module_B] interface Eth-trunk 1.1
[Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
[Module_B-Eth-Trunk1.1] vlan-type dot1q 201
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk 1.2
[Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
[Module_B-Eth-Trunk1.2] vlan-type dot1q 202
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk 1.3
[Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
[Module_B-Eth-Trunk1.3] vlan-type dot1q 203
[Module_B-Eth-Trunk1.3] quit
[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_B to security zones.
[Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-trunk 1.1
[Module_B-zone-untrust] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-trunk 1.2
[Module_B-zone-trust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-trunk 1.3
[Module_B-zone-dmz] quit
[Module_B] firewall zone name hrpzone
[Module_B-zone-hrpzone] set priority 65
[Module_B-zone-hrpzone] add interface Eth-Trunk 0
[Module_B-zone-hrpzone] quit

Step 2 Create static routes on NGFW Modules.

# On NGFW Module_A, configure an upstream static route (default route) with
the next-hop address set to the IP address of VLANIF201.
[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_A, configure a downstream static route to the Trust zone,
with the destination address being the address of the Trust zone and next-hop
address being the address of VLANIF202 on the connected switch.
[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_A, configure a downstream static route to the DMZ, with the
destination address being the address of the DMZ and next-hop address being the
address of VLANIF203 on the connected switch.
[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_A, configure a black-hole route to an address in the source
NAT address pool to prevent routing loops. In this example, the address range is
1.1.1.1-1.1.1.2 in the source NAT address pool.
[Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0

# On NGFW Module_A, configure a black-hole route to the global address of the
NAT server to prevent routing loops. In this example, the global address of the
NAT server is 1.1.1.3.
[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

# On NGFW Module_B, configure an upstream static route (default route) with
the next-hop address set to the IP address of VLANIF201 on the connected switch.
[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_B, configure a downstream static route to the Trust zone,
with the destination address being the address of the Trust zone and next-hop
address being the address of VLANIF202 on the connected switch.
[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_B, configure a downstream static route to the DMZ, with the
destination address being the address of the DMZ and next-hop address being the
address of VLANIF203 on the connected switch.
[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_B, configure a black-hole route to an address in the source
NAT address pool to prevent routing loops. In this example, the address range is
1.1.1.1-1.1.1.2 in the source NAT address pool.
[Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0

# On NGFW Module_B, configure a black-hole route to the global address of the
NAT server to prevent routing loops. In this example, the global address of the
NAT server is 1.1.1.3.
[Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0

Step 3 Configure hot standby on NGFW Modules.

# Configure VRRP groups on NGFW Module_A.
[Module_A] interface Eth-trunk1.1
[Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk1.2
[Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk1.3
[Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
[Module_A-Eth-Trunk1.3] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable

# Configure VRRP groups on NGFW Module_B.
[Module_B] interface Eth-trunk1.1
[Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk1.2
[Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk1.3
[Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
[Module_B-Eth-Trunk1.3] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.

After hot standby is configured, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the
intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.

Step 4 Configure security services on NGFW Modules.

# On NGFW Module_A, configure a security policy to allow users in the Trust zone
(network segment 192.168.1.0/24) to access the Internet.
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_sec1
HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
HRP_A[Module_A-policy-security-rule-policy_sec1] quit

# On NGFW Module_A, configure a security policy to allow extranet users to
access the DMZ (network segment 192.168.2.0/24) and configure intrusion
prevention.
HRP_A[Module_A-policy-security] rule name policy_sec2
HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
HRP_A[Module_A-policy-security-rule-policy_sec2] quit
HRP_A[Module_A-policy-security] quit

# Configure ASPF on NGFW Module_A. FTP is used as an example.
HRP_A[Module_A] firewall interzone untrust dmz
HRP_A[Module_A-interzone-dmz-untrust] detect ftp
HRP_A[Module_A-interzone-dmz-untrust] quit

# Configure a NAT address pool.
HRP_A[Module_A] nat address-group addressgroup1
HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
HRP_A[Module_A-address-group-addressgroup1] quit

# Configure a source NAT policy for Internet access from the specified private
subnet.
HRP_A[Module_A] nat-policy
HRP_A[Module_A-policy-nat] rule name policy_nat1
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
HRP_A[Module_A-policy-nat] quit

# Configure the NAT server function to translate the private address of a specific
server in the DMZ into a public address for user access. In this example, private
address 192.168.2.8:80 of the web server in the DMZ is translated into public
address 1.1.1.3:8000.
HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80

# Save configurations on NGFW Module_A and NGFW Module_B.
HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully

Step 5 Configure the core switches to form a CSS.
1. Install the hardware and connect the cables. For details, see the CSS
Installation Guide.
2. Set the CSS connection mode (such as the CSS card connection mode), CSS
ID, and CSS priority.
# Configure the CSS on SwitchA. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] set css mode css-card //Set the CSS connection mode. The default mode is CSS card connection mode.
[SwitchA] set css id 1 //Set the CSS ID. The default value is 1.
[SwitchA] set css priority 100 //Set the CSS priority. The default value is 1.

# Configure the CSS on SwitchB. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
3. Enable the CSS function.
# To use SwitchA as the active switch, enable CSS on SwitchA and then restart
SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable CSS on SwitchB and then restart SwitchB.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
4. Check whether the CSS is established.
# Log in to the CSS from the console port of any MPU and run the following
command to view the CSS status.
<SwitchA> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two
member switches are displayed, as shown in the preceding information, the
CSS has been established.
You are advised to configure MAD to minimize the impact of a CSS split on
services. Detailed configurations will not be described here.
5. Rename the cluster system to CSS.
<SwitchA> system-view
[SwitchA] sysname CSS
[CSS]

Step 6 Configure interfaces and VLANs for core switches. This example describes how to
configure interoperation between the switch and NGFW modules.
[CSS] vlan batch 201 to 205 //Create VLANs.
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] description To_NGFW_Module_A
[CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1 //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 205 //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, 203, 204, and 205.
[CSS-Eth-Trunk5] quit
[CSS] interface eth-trunk 6
[CSS-Eth-Trunk6] description To_NGFW_Module_B
[CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1 //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 205 //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, 203, 204, and 205.
[CSS-Eth-Trunk6] quit
[CSS] interface eth-trunk 2 //Configure the switch interface Eth-Trunk2 that connects to the Trust zone. Adding member interfaces to Eth-Trunk2 is not described here.
[CSS-Eth-Trunk2] description To_TRUST
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] port trunk allow-pass vlan 204 //Enable Eth-Trunk2 to permit traffic from VLAN 204.
[CSS-Eth-Trunk2] quit
[CSS] interface eth-trunk 3 //Configure the switch interface Eth-Trunk3 that connects to the DMZ. Adding member interfaces to Eth-Trunk3 is not described here.
[CSS-Eth-Trunk3] description To_DMZ
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk3] port trunk allow-pass vlan 205 //Enable Eth-Trunk3 to permit traffic from VLAN 205.
[CSS-Eth-Trunk3] quit
[CSS] ip vpn-instance trust //Create VPN instance trust.
[CSS-vpn-instance-trust] ipv4-family
[CSS-vpn-instance-trust-af-ipv4] route-distinguisher 100:1
[CSS-vpn-instance-trust-af-ipv4] vpn-target 111:1 both
[CSS-vpn-instance-trust-af-ipv4] quit
[CSS-vpn-instance-trust] quit
[CSS] ip vpn-instance dmz //Create VPN instance dmz.
[CSS-vpn-instance-dmz] ipv4-family
[CSS-vpn-instance-dmz-af-ipv4] route-distinguisher 200:1
[CSS-vpn-instance-dmz-af-ipv4] vpn-target 211:1 both
[CSS-vpn-instance-dmz-af-ipv4] quit
[CSS-vpn-instance-dmz] quit
[CSS] interface vlanif 201
[CSS-Vlanif201] ip address 10.3.1.4 24 //Configure an IP address for VLANIF201.
[CSS-Vlanif201] quit
[CSS] interface vlanif 202
[CSS-Vlanif202] ip binding vpn-instance trust //Bind VLANIF202 to trust.
[CSS-Vlanif202] ip address 10.3.2.4 24 //Configure an IP address for VLANIF202.
[CSS-Vlanif202] quit
[CSS] interface vlanif 203
[CSS-Vlanif203] ip binding vpn-instance dmz //Bind VLANIF203 to dmz.
[CSS-Vlanif203] ip address 10.3.3.4 24 //Configure an IP address for VLANIF203.
[CSS-Vlanif203] quit
[CSS] interface vlanif 204
[CSS-Vlanif204] ip binding vpn-instance trust //Bind VLANIF204 to trust.
[CSS-Vlanif204] ip address 10.1.1.2 24 //Configure an IP address for VLANIF204.
[CSS-Vlanif204] quit
[CSS] interface vlanif 205
[CSS-Vlanif205] ip binding vpn-instance dmz //Bind VLANIF205 to dmz.
[CSS-Vlanif205] ip address 10.1.2.2 24 //Configure an IP address for VLANIF205.
[CSS-Vlanif205] quit

Step 7 Configure traffic diversion on the core switch.
[CSS] ip route-static 1.1.1.1 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW Module and set the next-hop address of the route to the IP address of upstream VRRP group 1 on the NGFW Module.
[CSS] ip route-static 1.1.1.2 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW Module and set the next-hop address of the route to the IP address of upstream VRRP group 1 on the NGFW Module.
[CSS] ip route-static 1.1.1.3 32 10.3.1.1 //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of upstream VRRP group 1 on the NGFW Module.
[CSS] ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1 //Configure a default route on the trust virtual switch and set the next hop to the virtual IP address of VRRP group 2.
[CSS] ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1 //Configure a default route on the dmz virtual switch and set the next hop to the virtual IP address of VRRP group 3.
[CSS] ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1 //Route from the Trust zone to the DMZ. 10.1.2.1 is the IP address of the VLANIF 205 interface of the access switch.
[CSS] ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1 //Route from the DMZ to the Trust zone. 10.1.1.1 is the IP address of the VLANIF 204 interface of the access switch.

In the example, NAT is configured on the NGFW Modules. Therefore, the static routes from the Public virtual switch to the Trust zone and DMZ use the post-NAT public IP addresses as their destinations. If NAT is not configured on the NGFW Modules, the destination IP addresses of the routes from the Public virtual switch to the two zones must be the private IP addresses used in the Trust zone and DMZ.
In the example, packets exchanged between the Trust zone and DMZ are not processed by the NGFW Modules. If the enterprise requires that the NGFW Modules inspect this traffic, set the next hop of the routes between the Trust zone and DMZ to the IP addresses of the downlink VRRP groups on the NGFW Modules.
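
To make the effect of these routes concrete, the following Python model is added here; it is not part of the original example or of any Huawei tool. It loads the static routes from Step 7 into one routing table per VPN instance, resolves a destination with longest-prefix matching, and reports whether the selected next hop is one of the NGFW VRRP virtual IPs. This lets the note above be checked directly: Trust-to-DMZ traffic is forwarded between the VPN instances on the CSS and never reaches the NGFW Modules, and the variant that points the inter-zone routes at the downlink VRRP addresses sends it through the firewalls. The name "public" for the non-VPN routing table and the function names are assumptions of the example.

```python
import ipaddress

# Static routes from Step 7 as (routing table, destination, next-hop table,
# next hop). "public" labels the non-VPN routing table; that label is an
# assumption of this example, not a CSS keyword.
CSS_ROUTES = [
    ("public", "1.1.1.1/32", "public", "10.3.1.1"),
    ("public", "1.1.1.2/32", "public", "10.3.1.1"),
    ("public", "1.1.1.3/32", "public", "10.3.1.1"),
    ("trust", "0.0.0.0/0", "trust", "10.3.2.1"),
    ("dmz", "0.0.0.0/0", "dmz", "10.3.3.1"),
    ("trust", "192.168.2.0/24", "dmz", "10.1.2.1"),
    ("dmz", "192.168.1.0/24", "trust", "10.1.1.1"),
]

# VRRP virtual IPs of the NGFW Modules (groups 1, 2 and 3). A route whose
# next hop is one of these hands the packet to the firewalls.
NGFW_VIRTUAL_IPS = {"10.3.1.1", "10.3.2.1", "10.3.3.1"}


def build_tables(routes):
    """Group routes by routing table, parsing each prefix once."""
    tables = {}
    for table, prefix, nh_table, nh in routes:
        tables.setdefault(table, []).append(
            (ipaddress.ip_network(prefix), nh_table, nh))
    return tables


def lookup(tables, table, dst):
    """Longest-prefix match of dst in the given table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh_table, nh in tables.get(table, []):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh_table, nh)
    if best is None:
        return None
    return {
        "prefix": str(best[0]),
        "next_hop_table": best[1],
        "next_hop": best[2],
        "inspected": best[2] in NGFW_VIRTUAL_IPS,
    }


def inspect_interzone_traffic(routes):
    """Variant from the note: point the Trust<->DMZ routes at the downlink
    VRRP virtual IPs so the NGFW Modules inspect that traffic as well."""
    alt = []
    for table, prefix, nh_table, nh in routes:
        if table == "trust" and prefix == "192.168.2.0/24":
            alt.append((table, prefix, "trust", "10.3.2.1"))
        elif table == "dmz" and prefix == "192.168.1.0/24":
            alt.append((table, prefix, "dmz", "10.3.3.1"))
        else:
            alt.append((table, prefix, nh_table, nh))
    return alt


if __name__ == "__main__":
    tables = build_tables(CSS_ROUTES)
    for table, dst in [("trust", "3.3.3.3"), ("trust", "192.168.2.8"),
                       ("dmz", "192.168.1.8"), ("public", "1.1.1.3"),
                       ("public", "192.168.1.8")]:
        print(table, dst, lookup(tables, table, dst))
```

The lookup of 192.168.1.8 in the public table returns no route, which is the point of the first note: with NAT on the NGFW Modules, the public side only ever sees the post-NAT addresses 1.1.1.1 to 1.1.1.3.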

----End

Verification
1. Run the display hrp state command on NGFW Module_A to check the current HRP status. If the following output is displayed, an HRP relationship is successfully established.
HRP_A[Module_A] display hrp state
The firewall's config state is: ACTIVE

Backup channel usage: 0.01%

Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
Current state of virtual routers configured as active:
Eth-Trunk1.3 vrid 3 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.2 vrid 2 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.1 vrid 1 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up

2. Check whether the access from the intranet to the Internet succeeds and check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80

According to the preceding output, NGFW Module_A has created a session entry for the access from the intranet to the Internet. A session entry with the Remote tag exists on NGFW Module_B, which indicates that session backup succeeds after you configure hot standby.
3. Check whether the access from the Internet to servers in the DMZ succeeds and check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]

4. Configure a PC in the Trust zone to constantly ping the public address and run the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the status switchover of the NGFW Modules and the discarded ping packets. If the status switchover is normal, NGFW Module_B becomes the active device and carries services. The command prompt of NGFW Module_B changes from HRP_S to HRP_A, and the command prompt of NGFW Module_A changes from HRP_A to HRP_S. No ping packets or only a few (1 to 3 packets, depending on the actual network environment) are discarded.
Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and check the status switchover of the NGFW Modules and the discarded ping packets. If the status switchover is normal, NGFW Module_A becomes the active device and starts to carry services after the preemption delay (60s by default) expires. The command prompt of NGFW Module_A changes from HRP_S to HRP_A, and the command prompt of NGFW Module_B changes from HRP_A to HRP_S. No ping packets or only a few (1 to 3 packets, depending on the actual network environment) are discarded.
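
A practitioner repeating this verification on many firewall pairs would script the comparison. The following Python is an added example, not from the original document, that parses the display hrp state and display firewall session table output shown above and flags any VRRP group that is not active on the active unit and any session on the active unit that has no matching Remote entry on the standby. The sample text is constructed from the output in this section; the parser assumes exactly that output format, which other NGFW versions may not follow.

```python
import re

# Constructed sample output, taken from the verification steps in this
# section (the HRP_A/HRP_S command prompts are omitted).
HRP_STATE_A = """\
The firewall's config state is: ACTIVE

Backup channel usage: 0.01%

Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
Current state of virtual routers configured as active:
Eth-Trunk1.3 vrid 3 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.2 vrid 2 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.1 vrid 1 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
"""

SESSIONS_A = """\
Current Total Sessions : 1
http VPN: public --> public 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
"""

SESSIONS_B = """\
Current Total Sessions : 1
http VPN: public --> public Remote 192.168.1.8:22048[1.1.1.2:2106] --> 3.3.3.3:80
"""

# "<interface> vrid <n> : <state>" lines of display hrp state.
VRRP_RE = re.compile(r"^\s*(\S+)\s+vrid\s+(\d+)\s*:\s*(\w+)", re.M)
# "<proto> VPN: <src zone> --> <dst zone> [Remote] <flow>" session lines.
SESSION_RE = re.compile(
    r"^(\w+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+(Remote\s+)?(.*\S)\s*$", re.M)


def parse_hrp_state(text):
    """Return the config state and a {"<iface> vrid <n>": state} map."""
    m = re.search(r"config state is:\s*(\w+)", text)
    vrrp = {f"{iface} vrid {vrid}": state
            for iface, vrid, state in VRRP_RE.findall(text)}
    return {"state": m.group(1) if m else None, "vrrp": vrrp}


def parse_sessions(text):
    """One dict per session line; 'remote' marks entries backed up from the peer."""
    return [{"proto": proto, "zones": (src_zone, dst_zone),
             "remote": bool(remote), "flow": flow}
            for proto, src_zone, dst_zone, remote, flow in SESSION_RE.findall(text)]


def check_ha_pair(active_state, active_sessions, standby_sessions):
    """List of problems found; an empty list means the pair looks healthy."""
    problems = []
    state = parse_hrp_state(active_state)
    if state["state"] != "ACTIVE":
        problems.append(f"active unit reports config state {state['state']}")
    for group, status in state["vrrp"].items():
        if status != "active":
            problems.append(f"{group} is {status} on the active unit")
    active_flows = {s["flow"] for s in parse_sessions(active_sessions)}
    backed_up = {s["flow"] for s in parse_sessions(standby_sessions) if s["remote"]}
    for flow in sorted(active_flows - backed_up):
        problems.append(f"session not backed up on standby: {flow}")
    return problems


if __name__ == "__main__":
    print(check_ha_pair(HRP_STATE_A, SESSIONS_A, SESSIONS_B))
```

Sessions are compared by their flow text (addresses, ports and NAT mapping), so a session that the standby holds without the Remote tag, meaning it created it itself rather than receiving it as a backup, is reported as missing.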

Configuration Scripts
Configuration scripts of the NGFW Modules:

NGFW Module_A:

#
sysname Module_A
#
hrp enable
hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
portswitch
port link-type access
#
interface Eth-Trunk1.1
vlan-type dot1q 201
ip address 10.3.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
vlan-type dot1q 202
ip address 10.3.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
vlan-type dot1q 203
ip address 10.3.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
eth-trunk 0
#
interface GigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk1.2
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1.1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1.3
#
firewall zone hrpzone
set priority 65
add interface Eth-Trunk0
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
section 0 1.1.1.1 1.1.1.2
#
security-policy
rule name policy_sec1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name policy_sec2
source-zone untrust
destination-zone dmz
destination-address 192.168.2.0 mask 255.255.255.0
service http
service ftp
profile ips default
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action nat address-group addressgroup1
#
return

NGFW Module_B:

#
sysname Module_B
#
hrp enable
hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
portswitch
port link-type access
#
interface Eth-Trunk1.1
vlan-type dot1q 201
ip address 10.3.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
vlan-type dot1q 202
ip address 10.3.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
vlan-type dot1q 203
ip address 10.3.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
eth-trunk 0
#
interface GigabitEthernet0/0/2
eth-trunk 0
#
interface GigabitEthernet1/0/0
portswitch
port link-type access
eth-trunk 1
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface Eth-Trunk1.2
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1.1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk1.3
#
firewall zone hrpzone
set priority 65
add interface Eth-Trunk0
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
section 0 1.1.1.1 1.1.1.2
#
security-policy
rule name policy_sec1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name policy_sec2
source-zone untrust
destination-zone dmz
destination-address 192.168.2.0 mask 255.255.255.0
service http
service ftp
profile ips default
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action nat address-group addressgroup1
#
return

Configuration script of CSS:


# ----Traffic diversion configuration----
vlan batch 201 to 205
#
ip vpn-instance dmz
ipv4-family
route-distinguisher 200:1
vpn-target 211:1 export-extcommunity
vpn-target 211:1 import-extcommunity
#
ip vpn-instance trust
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
interface Vlanif201
ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
ip binding vpn-instance trust
ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
ip binding vpn-instance dmz
ip address 10.3.3.4 255.255.255.0
#
interface Vlanif204
ip binding vpn-instance trust
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif205
ip binding vpn-instance dmz
ip address 10.1.2.2 255.255.255.0
#
interface Eth-Trunk2
description To_TRUST
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 204
#
interface Eth-Trunk3
description To_DMZ
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 205
#
interface Eth-Trunk5
description To_NGFW_Module_A
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 205
#
interface Eth-Trunk6
description To_NGFW_Module_B
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 205
#
interface XGigabitEthernet1/1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
ip route-static vpn-instance trust 0.0.0.0 0.0.0.0 10.3.2.1
ip route-static vpn-instance trust 192.168.2.0 255.255.255.0 vpn-instance dmz 10.1.2.1
ip route-static vpn-instance dmz 0.0.0.0 0.0.0.0 10.3.3.1
ip route-static vpn-instance dmz 192.168.1.0 255.255.255.0 vpn-instance trust 10.1.1.1
#
return

2.8.3.3 Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where PBR-based Traffic Diversion Is Implemented

Service Requirements
As shown in Figure 2-39, two switches are deployed in a CSS and an NGFW Module is installed in slot 1 of each switch. The two NGFW Modules are required to implement hot standby and perform security detection on traffic passing through the switches, and they work in active/standby mode.

This example uses NGFW modules running V100R001C30 and switches running
V200R008C00. For the configuration examples of NGFW Modules running other
versions, see Deployment Guide. You can search for "Deployment Guide" in the
search bar.

Figure 2-39 Networking for Layer-3 dual-NGFW Module deployment and switch CSS

[Figure 2-39: SwitchA and SwitchB form a CSS that connects to the Internet/WAN. NGFW Module_A (in SwitchA) and NGFW Module_B (in SwitchB) each connect to the CSS through Eth-Trunk1.1 (untrust), Eth-Trunk1.2 (trust) and Eth-Trunk1.3 (dmz), via Eth-Trunk 5 and Eth-Trunk 6 of the CSS respectively. The heartbeat link runs over Eth-Trunk 4 between Eth-Trunk0 10.10.0.1/24 on NGFW Module_A and Eth-Trunk0 10.10.0.2/24 on NGFW Module_B. Eth-Trunk 2 of the CSS leads to the trust network 192.168.1.0/24 and Eth-Trunk 3 to the dmz network 192.168.2.0/24.]
The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The
numbering of internal Ethernet interfaces on the switch is determined by the slot in which the
NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the
switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Data Planning

Item: Hot standby
Data: NGFW Module_A: active; NGFW Module_B: standby
Description: -

Item: NAT
Data: Source NAT type: PAT; NAT address pool: 1.1.1.1 to 1.1.1.2
Description: The source address is automatically translated for Internet access from a specified private subnet.

Item: NAT Server
Data: Global address: 1.1.1.3; Inside address: 192.168.2.8
Description: A specified server address is translated from a private address to a public address for Internet users to access.

Item: Security policy
Data: Policy 1: policy_sec1; Source security zone: Trust; Destination security zone: Untrust; Source IP address: 192.168.1.0; Action: permit
Description: Users in the Trust zone (residing on 192.168.1.0/24) are allowed to access the Internet.

Item: Security policy
Data: Policy 2: policy_sec2; Source security zone: Untrust; Destination security zone: DMZ; Destination IP address: 192.168.2.0; Action: permit
Description: Extranet users are allowed to access the DMZ (residing on 192.168.2.0/24), and intrusion prevention is implemented.

Deployment Solution
1. Figure 2-39 can be abstracted as Figure 2-40. You can understand the
mapping between the two figures based on interface numbers and actual
traffic directions.
As shown in Figure 2-40, a default route (next hop: VLANIF201) to the public
network, a specific route (next hop: VLANIF202) to the Trust zone, and a
specific route (next hop: VLANIF203) to the DMZ need to be configured on
the NGFW modules. PBR needs to be configured on the switches to direct
traffic to the firewalls.

Figure 2-40 Configuring VRRP on the NGFW modules and PBR on the switches

[Figure 2-40: On each NGFW Module, Eth-Trunk1.1 (10.3.1.2/24 on Module_A, 10.3.1.3/24 on Module_B) joins VRRP group 1 with virtual IP 10.3.1.1/24 and faces VLANIF 201 (10.3.1.4/24) of the switch over VLAN 201 on Eth-Trunk5 and Eth-Trunk6; Eth-Trunk1.2 (10.3.2.2/24, 10.3.2.3/24) joins VRRP group 2 with virtual IP 10.3.2.1/24 and faces VLANIF 202 (10.3.2.4/24) over VLAN 202; Eth-Trunk1.3 (10.3.3.2/24, 10.3.3.3/24) joins VRRP group 3 with virtual IP 10.3.3.1/24 and faces VLANIF 203 (10.3.3.4/24) over VLAN 203. Module_A is Active and Module_B is Standby in every group, and Eth-Trunk0 (10.10.0.1/24 and 10.10.0.2/24) carries the heartbeat. The legend distinguishes static routes, trust zone traffic and dmz zone traffic.]

Figure 2-40 lists only the switch interfaces involved in the connection with the NGFW Modules.
2. Specify Eth-Trunk0 as the heartbeat interface and enable hot standby on each NGFW Module.
3. Configure security functions, such as security policies, NAT policies, and IPS, on NGFW Module_A. NGFW Module_A automatically synchronizes its configurations to NGFW Module_B.

Procedure
Step 1 Complete interface and basic network configurations on NGFW Modules.

# Configure the device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname Module_A

# Configure IP addresses for the interfaces on NGFW Module_A.
[Module_A] interface Eth-trunk 1
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit
[Module_A] interface Eth-trunk 1.1
[Module_A-Eth-Trunk1.1] ip address 10.3.1.2 24
[Module_A-Eth-Trunk1.1] vlan-type dot1q 201
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk 1.2
[Module_A-Eth-Trunk1.2] ip address 10.3.2.2 24
[Module_A-Eth-Trunk1.2] vlan-type dot1q 202
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk 1.3
[Module_A-Eth-Trunk1.3] ip address 10.3.3.2 24
[Module_A-Eth-Trunk1.3] vlan-type dot1q 203
[Module_A-Eth-Trunk1.3] quit
[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_A to security zones.
[Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-trunk 1.1
[Module_A-zone-untrust] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-trunk 1.2
[Module_A-zone-trust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-trunk 1.3
[Module_A-zone-dmz] quit
[Module_A] firewall zone name hrpzone
[Module_A-zone-hrpzone] set priority 65
[Module_A-zone-hrpzone] add interface Eth-Trunk 0
[Module_A-zone-hrpzone] quit

# Configure the device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname Module_B

# Configure IP addresses for the interfaces on NGFW Module_B.
[Module_B] interface Eth-trunk 1
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit
[Module_B] interface Eth-trunk 1.1
[Module_B-Eth-Trunk1.1] ip address 10.3.1.3 24
[Module_B-Eth-Trunk1.1] vlan-type dot1q 201
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk 1.2
[Module_B-Eth-Trunk1.2] ip address 10.3.2.3 24
[Module_B-Eth-Trunk1.2] vlan-type dot1q 202
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk 1.3
[Module_B-Eth-Trunk1.3] ip address 10.3.3.3 24
[Module_B-Eth-Trunk1.3] vlan-type dot1q 203
[Module_B-Eth-Trunk1.3] quit
[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_B to security zones.
[Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-trunk 1.1
[Module_B-zone-untrust] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-trunk 1.2
[Module_B-zone-trust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-trunk 1.3
[Module_B-zone-dmz] quit
[Module_B] firewall zone name hrpzone
[Module_B-zone-hrpzone] set priority 65
[Module_B-zone-hrpzone] add interface Eth-Trunk 0
[Module_B-zone-hrpzone] quit

Step 2 Create static routes on NGFW Modules.

# On NGFW Module_A, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.
[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_A, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and the next-hop address being the address of VLANIF202 on the connected switch.
[Module_A] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_A, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and the next-hop address being the address of VLANIF203 on the connected switch.
[Module_A] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_A, configure black-hole routes to the addresses in the source NAT address pool to prevent routing loops. In this example, the source NAT address pool is 1.1.1.1-1.1.1.2.
[Module_A] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_A] ip route-static 1.1.1.2 255.255.255.255 null 0

# On NGFW Module_A, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
[Module_A] ip route-static 1.1.1.3 255.255.255.255 null 0

# On NGFW Module_B, configure an upstream static route (default route) with the next-hop address set to the IP address of VLANIF201 on the connected switch.
[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.1.4

# On NGFW Module_B, configure a downstream static route to the Trust zone, with the destination address being the address of the Trust zone and the next-hop address being the address of VLANIF202 on the connected switch.
[Module_B] ip route-static 192.168.1.0 255.255.255.0 10.3.2.4

# On NGFW Module_B, configure a downstream static route to the DMZ, with the destination address being the address of the DMZ and the next-hop address being the address of VLANIF203 on the connected switch.
[Module_B] ip route-static 192.168.2.0 255.255.255.0 10.3.3.4

# On NGFW Module_B, configure black-hole routes to the addresses in the source NAT address pool to prevent routing loops. In this example, the source NAT address pool is 1.1.1.1-1.1.1.2.
[Module_B] ip route-static 1.1.1.1 255.255.255.255 null 0
[Module_B] ip route-static 1.1.1.2 255.255.255.255 null 0

# On NGFW Module_B, configure a black-hole route to the global address of the NAT server to prevent routing loops. In this example, the global address of the NAT server is 1.1.1.3.
[Module_B] ip route-static 1.1.1.3 255.255.255.255 null 0

Step 3 Configure hot standby on NGFW Modules.

# Configure VRRP groups on NGFW Module_A.
[Module_A] interface Eth-trunk1.1
[Module_A-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 active
[Module_A-Eth-Trunk1.1] quit
[Module_A] interface Eth-trunk1.2
[Module_A-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 active
[Module_A-Eth-Trunk1.2] quit
[Module_A] interface Eth-trunk1.3
[Module_A-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 active
[Module_A-Eth-Trunk1.3] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable

# Configure VRRP groups on NGFW Module_B.
[Module_B] interface Eth-trunk1.1
[Module_B-Eth-Trunk1.1] vrrp vrid 1 virtual-ip 10.3.1.1 standby
[Module_B-Eth-Trunk1.1] quit
[Module_B] interface Eth-trunk1.2
[Module_B-Eth-Trunk1.2] vrrp vrid 2 virtual-ip 10.3.2.1 standby
[Module_B-Eth-Trunk1.2] quit
[Module_B] interface Eth-trunk1.3
[Module_B-Eth-Trunk1.3] vrrp vrid 3 virtual-ip 10.3.3.1 standby
[Module_B-Eth-Trunk1.3] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device //This command is required only in versions earlier than
V100R001C30SPC300.

After hot standby is configured, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the
intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.

Step 4 Configure security services on NGFW Modules.

# On NGFW Module_A, configure a security policy to allow users in the Trust zone (network segment 192.168.1.0/24) to access the Internet.
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_sec1
HRP_A[Module_A-policy-security-rule-policy_sec1] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-security-rule-policy_sec1] action permit
HRP_A[Module_A-policy-security-rule-policy_sec1] quit

# On NGFW Module_A, configure a security policy to allow extranet users to access the DMZ (network segment 192.168.2.0/24) and configure intrusion prevention.
HRP_A[Module_A-policy-security] rule name policy_sec2
HRP_A[Module_A-policy-security-rule-policy_sec2] source-zone untrust
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_sec2] destination-address 192.168.2.0 24
HRP_A[Module_A-policy-security-rule-policy_sec2] service http ftp
HRP_A[Module_A-policy-security-rule-policy_sec2] profile ips default
HRP_A[Module_A-policy-security-rule-policy_sec2] action permit
HRP_A[Module_A-policy-security-rule-policy_sec2] quit
HRP_A[Module_A-policy-security] quit

# Configure ASPF on NGFW Module_A. FTP is used as an example.
HRP_A[Module_A] firewall interzone untrust dmz
HRP_A[Module_A-interzone-dmz-untrust] detect ftp
HRP_A[Module_A-interzone-dmz-untrust] quit

# Configure a NAT address pool.
HRP_A[Module_A] nat address-group addressgroup1
HRP_A[Module_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.2
HRP_A[Module_A-address-group-addressgroup1] quit

# Configure a source NAT policy for Internet access from the specified private
subnet.
HRP_A[Module_A] nat-policy
HRP_A[Module_A-policy-nat] rule name policy_nat1
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_A[Module_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_A[Module_A-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
HRP_A[Module_A-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_A[Module_A-policy-nat-rule-policy_nat1] quit
HRP_A[Module_A-policy-nat] quit

# Configure the NAT server function to translate the private address of a specific
server in the DMZ into a public address for user access. In this example, private
address 192.168.2.8:80 of the web server in the DMZ is translated into public
address 1.1.1.3:8000.
HRP_A[Module_A] nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 80

# Save configurations on NGFW Module_A and NGFW Module_B.
HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
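
The security policy, the NAT server and the source NAT policy configured in this step act on a new flow in a fixed order, which is why policy_sec2 is written against the private server address 192.168.2.0/24 rather than the public address 1.1.1.3. The following Python model is added here to show that order; it is not part of the original example and not code from the NGFW software. It applies the NAT server mapping first, then a top-down first-match lookup in the security policy with an implicit deny for anything unmatched, and finally source NAT for Trust-to-Untrust traffic. It assumes that the service objects http and ftp stand for TCP ports 80 and 21, that the destination zone passed in is the zone of the post-NAT destination (the NGFW derives it from the route to that address), and it picks the pool address by source port as a stand-in for the device's own allocation.

```python
import ipaddress

# Security policy from Step 4 in configuration order. Rules are evaluated
# top down and traffic that matches no rule is denied. None means "any";
# services are (protocol, port) pairs, with http and ftp taken to mean
# TCP/80 and TCP/21 (an assumption of this example).
SECURITY_POLICY = [
    {"name": "policy_sec1", "src_zone": "trust", "dst_zone": "untrust",
     "src_net": "192.168.1.0/24", "dst_net": None, "services": None,
     "ips": None, "action": "permit"},
    {"name": "policy_sec2", "src_zone": "untrust", "dst_zone": "dmz",
     "src_net": None, "dst_net": "192.168.2.0/24",
     "services": {("tcp", 80), ("tcp", 21)}, "ips": "default", "action": "permit"},
]

# NAT server policy_web: public 1.1.1.3:8000/tcp maps to 192.168.2.8:80.
NAT_SERVER = {("tcp", "1.1.1.3", 8000): ("192.168.2.8", 80)}

# Source NAT rule policy_nat1 using address pool addressgroup1.
NAT_POLICY = {"src_zone": "trust", "dst_zone": "untrust",
              "src_net": "192.168.1.0/24", "pool": ["1.1.1.1", "1.1.1.2"]}


def _in_net(net, addr):
    """True when net is 'any' (None) or addr lies inside it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def destination_nat(proto, dst, dport):
    """NAT server translation runs before the policy lookup, so the policy
    matches the private server address, as configured in this step."""
    return NAT_SERVER.get((proto, dst, dport), (dst, dport))


def match_rule(src_zone, dst_zone, src, dst, proto, dport):
    """First matching rule in configuration order, or None."""
    for rule in SECURITY_POLICY:
        if (rule["src_zone"], rule["dst_zone"]) != (src_zone, dst_zone):
            continue
        if not _in_net(rule["src_net"], src) or not _in_net(rule["dst_net"], dst):
            continue
        if rule["services"] is not None and (proto, dport) not in rule["services"]:
            continue
        return rule
    return None


def evaluate(src_zone, dst_zone, src, sport, dst, dport, proto="tcp"):
    """Verdict for one new flow. dst_zone is the zone of the post-NAT
    destination (an assumption of this model; the NGFW derives it from
    the route to that address)."""
    real_dst, real_dport = destination_nat(proto, dst, dport)
    rule = match_rule(src_zone, dst_zone, src, real_dst, proto, real_dport)
    if rule is None or rule["action"] != "permit":
        return {"action": "deny", "rule": None}
    verdict = {"action": "permit", "rule": rule["name"], "ips": rule["ips"],
               "src": (src, sport), "dst": (real_dst, real_dport)}
    nat = NAT_POLICY
    if (src_zone, dst_zone) == (nat["src_zone"], nat["dst_zone"]) \
            and _in_net(nat["src_net"], src):
        # Source NAT is applied after the policy decision. The device chooses
        # the pool address and port itself; this example picks by source port.
        verdict["translated_src"] = nat["pool"][sport % len(nat["pool"])]
    return verdict


if __name__ == "__main__":
    # The two flows from the verification section and one that no rule permits.
    print(evaluate("trust", "untrust", "192.168.1.8", 22048, "3.3.3.3", 80))
    print(evaluate("untrust", "dmz", "2.2.2.2", 11447, "1.1.1.3", 8000))
    print(evaluate("untrust", "dmz", "2.2.2.2", 11447, "192.168.2.8", 22))
```

The third call shows the implicit deny at work: an inbound connection to the DMZ server on a port other than the published http and ftp services matches no rule and is dropped, and the same holds for any Untrust-to-Trust attempt, for which no rule exists at all.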

Step 5 Configure the core switches to form a CSS.

1. Install the hardware and connect the cables. For details, see the CSS Installation Guide.
2. Set the CSS connection mode (such as the CSS card connection mode), CSS ID, and CSS priority.
# Configure the CSS on SwitchA. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] set css mode css-card //Set the CSS connection mode. The default mode is CSS
card connection mode.
[SwitchA] set css id 1 //Set the CSS ID. The default value is 1.
[SwitchA] set css priority 100 //Set the CSS priority. The default value is 1.

# Configure the CSS on SwitchB. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10
3. Enable the CSS function.
# To use SwitchA as the active switch, enable CSS on SwitchA and then restart SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable CSS on SwitchB and then restart SwitchB.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
4. Check whether the CSS is established.
# Log in to the CSS from the console port of any MPU and run the following
command to view the CSS status.
<SwitchA> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two
member switches are displayed, as shown in the preceding information, the
CSS has been established.
You are advised to configure MAD to minimize the impact of a CSS split on
services. Detailed configurations will not be described here.
5. Rename the cluster system to CSS.
<SwitchA> system-view
[SwitchA] sysname CSS
[CSS]

Step 6 Configure interfaces and VLANs for switches. This example describes how to
configure interoperation between the switch and NGFW modules.
[CSS] vlan batch 201 to 203 //Create VLANs.
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] description To_NGFW_Module_A
[CSS-Eth-Trunk5] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1 //Create Eth-Trunk5 on the CSS and add internal Ethernet interfaces to Eth-Trunk5.
[CSS-Eth-Trunk5] port link-type trunk
[CSS-Eth-Trunk5] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk5] port trunk allow-pass vlan 201 to 203 //Configure Eth-Trunk5 to permit traffic from VLANs 201, 202, and 203.
[CSS-Eth-Trunk5] quit
[CSS] interface eth-trunk 6
[CSS-Eth-Trunk6] description To_NGFW_Module_B
[CSS-Eth-Trunk6] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1 //Create Eth-Trunk6 on the CSS and add internal Ethernet interfaces to Eth-Trunk6.
[CSS-Eth-Trunk6] port link-type trunk
[CSS-Eth-Trunk6] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk6] port trunk allow-pass vlan 201 to 203 //Configure Eth-Trunk6 to permit traffic from VLANs 201, 202, and 203.
[CSS-Eth-Trunk6] quit
[CSS] interface vlanif 201
[CSS-Vlanif201] ip address 10.3.1.4 24 //Configure an IP address for VLANIF201.
[CSS-Vlanif201] quit
[CSS] interface vlanif 202
[CSS-Vlanif202] ip address 10.3.2.4 24 //Configure an IP address for VLANIF202.
[CSS-Vlanif202] quit
[CSS] interface vlanif 203
[CSS-Vlanif203] ip address 10.3.3.4 24 //Configure an IP address for VLANIF203.
[CSS-Vlanif203] quit

Step 7 Configure traffic diversion on the switch. This example describes how to configure
interoperation between the switch and NGFW modules.
[CSS] acl 3001 //Create ACL3001.
[CSS-acl-adv-3001] rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 //Configure a rule for ACL3001: source network segment 192.168.1.0 and destination network segment 192.168.2.0.
[CSS-acl-adv-3001] rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 //Configure a rule for ACL3001: source network segment 192.168.2.0 and destination network segment 192.168.1.0.
[CSS-acl-adv-3001] quit
[CSS] traffic classifier c1 precedence 5 //Create traffic classifier c1.
[CSS-classifier-c1] if-match acl 3001 //Match packets exchanged between the Trust zone and DMZ with the ACL3001 rule.
[CSS-classifier-c1] quit
[CSS] traffic behavior b1 //Create traffic behavior b1.
[CSS-behavior-b1] permit //Permit the matching packets.
[CSS-behavior-b1] quit
[CSS] acl 3002 //Create ACL3002.
[CSS-acl-adv-3002] rule 5 permit ip source 192.168.1.0 0.0.0.255 //Configure a rule for ACL3002: source network segment 192.168.1.0.
[CSS-acl-adv-3002] quit
[CSS] traffic classifier c2 precedence 10 //Create traffic classifier c2.
[CSS-classifier-c2] if-match acl 3002 //Match the packets from network segment 192.168.1.0, namely, packets from the Trust zone to the Internet, with ACL3002.
[CSS-classifier-c2] quit
[CSS] traffic behavior b2 //Create traffic behavior b2.
[CSS-behavior-b2] redirect ip-nexthop 10.3.2.1 //Redirect the matching packets to address 10.3.2.1, namely, the connected NGFW Module.
[CSS-behavior-b2] quit
[CSS] traffic policy p1 //Create traffic policy p1.
[CSS-trafficpolicy-p1] classifier c1 behavior b1 //Bind traffic classifier c1 and traffic behavior b1 to traffic policy p1. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
[CSS-trafficpolicy-p1] classifier c2 behavior b2 //Bind traffic classifier c2 and traffic behavior b2 to traffic policy p1. All packets from the Trust zone to the Internet are redirected to the NGFW Module.
[CSS-trafficpolicy-p1] quit
[CSS] interface eth-trunk 2 //Access the view of the interface connecting the switch to the Trust zone.
[CSS-Eth-Trunk2] traffic-policy p1 inbound //Apply traffic policy p1 in the inbound direction of the interface connecting the switch to the Trust zone.
[CSS-Eth-Trunk2] quit
[CSS] acl 3003 //Create ACL3003.
[CSS-acl-adv-3003] rule 5 permit ip source 192.168.2.0 0.0.0.255 //Configure a rule for ACL3003: source network segment 192.168.2.0.
[CSS-acl-adv-3003] quit
[CSS] traffic classifier c3 precedence 15 //Create traffic classifier c3.
[CSS-classifier-c3] if-match acl 3003 //Match all packets from network segment 192.168.2.0, namely, all packets from the DMZ to the Internet, with the ACL3003 rule.
[CSS-classifier-c3] quit
[CSS] traffic behavior b3 //Create traffic behavior b3.
[CSS-behavior-b3] redirect ip-nexthop 10.3.3.1 //Redirect the matching packets to address 10.3.3.1, namely, the NGFW Module.
[CSS-behavior-b3] quit
[CSS] traffic policy p3 //Create traffic policy p3.
[CSS-trafficpolicy-p3] classifier c1 behavior b1 //Bind traffic classifier c1 and traffic behavior b1 to traffic policy p3. All packets exchanged between the Trust zone and DMZ are directly forwarded by the switch, without being forwarded to the NGFW Module.
[CSS-trafficpolicy-p3] classifier c3 behavior b3 //Bind traffic classifier c3 and traffic behavior b3 to traffic policy p3. All traffic from the DMZ to the Internet is redirected to the NGFW Module.
[CSS-trafficpolicy-p3] quit
[CSS] interface eth-trunk 3 //Access the view of the interface connecting the switch to the DMZ.
[CSS-Eth-Trunk3] traffic-policy p3 inbound //Apply traffic policy p3 in the inbound direction of the interface connecting the switch to the DMZ.
[CSS-Eth-Trunk3] quit
[CSS] ip route-static 1.1.1.1 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
[CSS] ip route-static 1.1.1.2 32 10.3.1.1 //Configure a static route to an address in the NAT address pool of the NGFW and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.
[CSS] ip route-static 1.1.1.3 32 10.3.1.1 //Configure a static route to the global address of the NAT server configured on the NGFW Module and set the next-hop address of the route to the IP address of the upstream VRRP group on the NGFW Module.

In this example, the source NAT and NAT server functions are configured on the NGFW Module.
For the switch, the destination address of traffic sent from the public network to the private
network is a post-NAT address. Therefore, you can configure a static route on the switch to
direct the traffic sent from the public network to the private network to the NGFW Module.
If no source NAT or NAT server function is configured on the NGFW Module, for the switch, the
destination address of traffic sent from the public network to the private network is still a
private network address. In this case, you need to configure a traffic policy on the upstream
interface of the switch to direct the traffic to the NGFW Module.
[CSS] acl 3004 //Create ACL3004.
[CSS-acl-adv-3004] rule 5 permit ip destination 192.168.1.0 0.0.0.255 //Configure a rule for ACL3004: destination network segment 192.168.1.0.
[CSS-acl-adv-3004] rule 10 permit ip destination 192.168.2.0 0.0.0.255 //Configure a rule for ACL3004: destination network segment 192.168.2.0.
[CSS-acl-adv-3004] quit
[CSS] traffic classifier c4 precedence 20 //Create traffic classifier c4.
[CSS-classifier-c4] if-match acl 3004 //Match the packets whose destination network segments are 192.168.1.0 and 192.168.2.0, namely, all packets from the Internet to the intranet, with the ACL3004 rule.
[CSS-classifier-c4] quit
[CSS] traffic behavior b4 //Create traffic behavior b4.
[CSS-behavior-b4] redirect ip-nexthop 10.3.1.1 //Redirect the matching packets to address 10.3.1.1, namely, the NGFW Module.
[CSS-behavior-b4] quit
[CSS] traffic policy p4 //Create traffic policy p4.
[CSS-trafficpolicy-p4] classifier c4 behavior b4 precedence 20 //Bind traffic classifier c4 and traffic behavior b4 to traffic policy p4. All traffic from the Internet to the intranet is redirected to the NGFW Module.
[CSS-trafficpolicy-p4] quit
[CSS] interface eth-trunk 4 //Access the view of the interface connecting the switch to the Internet.
[CSS-Eth-Trunk4] traffic-policy p4 inbound //Apply traffic policy p4 in the inbound direction of the interface connecting the switch to the Internet.
[CSS-Eth-Trunk4] quit
----End
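The traffic policies in Step 7 decide which flows the NGFW Modules inspect and which the CSS forwards on its own, so the resulting flow matrix is worth checking before the policies go live. The following Python model is an added example and is not part of the Huawei guide or of the switch software: it encodes the ACLs, classifiers, behaviors, interface bindings and static routes configured above with the page's own values (the wildcard 0.0.0.255 is written as a /24 prefix), assumes match-order config with the first matching classifier deciding, and evaluates constructed sample packets.

```python
"""Flow-path model for the CSS traffic-diversion policies in Step 7.

Added example (not from the Huawei guide or the switch software). ACL numbers,
next hops, interface names and static routes are the page's own values; the
sample packets in main() are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One 'rule N permit ip ...' line; None means 'any' for that field."""
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return True


# Wildcard 0.0.0.255 on the page is written as a /24 prefix here.
ACLS = {
    3001: (AclRule("192.168.1.0/24", "192.168.2.0/24"),
           AclRule("192.168.2.0/24", "192.168.1.0/24")),
    3002: (AclRule(src="192.168.1.0/24"),),
    3003: (AclRule(src="192.168.2.0/24"),),
    3004: (AclRule(dst="192.168.1.0/24"), AclRule(dst="192.168.2.0/24")),
}

# Traffic behaviors: None is a plain permit (the CSS forwards the packet itself);
# an address is the 'redirect ip-nexthop' target, i.e. an NGFW VRRP address.
BEHAVIORS = {"b1": None, "b2": "10.3.2.1", "b3": "10.3.3.1", "b4": "10.3.1.1"}

# Traffic policies, match-order config: classifiers are tried in order of
# precedence and the first one that matches decides.
POLICIES = {
    "p1": [(3001, "b1"), (3002, "b2")],
    "p3": [(3001, "b1"), (3003, "b3")],
    "p4": [(3004, "b4")],
}

# Policy applied inbound on each CSS interface.
INBOUND = {"Eth-Trunk2": "p1", "Eth-Trunk3": "p3", "Eth-Trunk4": "p4"}

# Host routes on the CSS to the NGFW NAT pool and NAT server addresses.
STATIC_ROUTES = {"1.1.1.1/32": "10.3.1.1", "1.1.1.2/32": "10.3.1.1", "1.1.1.3/32": "10.3.1.1"}

NGFW_VRRP_IPS = {nh for nh in BEHAVIORS.values() if nh is not None}


def policy_next_hop(ingress: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Next hop selected by the inbound traffic policy, or None for plain forwarding."""
    for acl_no, behavior in POLICIES.get(INBOUND.get(ingress, ""), []):
        if any(rule.matches(src_ip, dst_ip) for rule in ACLS[acl_no]):
            return BEHAVIORS[behavior]
    return None


def route_next_hop(dst_ip: str) -> Optional[str]:
    """Longest-prefix lookup in the static routes; None when nothing matches."""
    best = None
    for prefix, nh in STATIC_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None


def path(ingress: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Return (how, next_hop): 'redirect' by traffic policy, 'static-route' by a
    CSS route, or 'switch' when the CSS forwards the packet by its own routing."""
    nh = policy_next_hop(ingress, src_ip, dst_ip)
    if nh is not None:
        return "redirect", nh
    nh = route_next_hop(dst_ip)
    if nh is not None:
        return "static-route", nh
    return "switch", None


def inspected(ingress: str, src_ip: str, dst_ip: str) -> bool:
    """True when the flow is handed to an NGFW Module, i.e. security-checked."""
    return path(ingress, src_ip, dst_ip)[1] in NGFW_VRRP_IPS


if __name__ == "__main__":
    # Constructed sample flows in the order the page discusses them.
    for ingress, s, d in [
        ("Eth-Trunk2", "192.168.1.8", "192.168.2.8"),  # Trust -> DMZ
        ("Eth-Trunk2", "192.168.1.8", "3.3.3.3"),      # Trust -> Internet
        ("Eth-Trunk3", "192.168.2.8", "3.3.3.3"),      # DMZ -> Internet
        ("Eth-Trunk4", "2.2.2.2", "1.1.1.3"),          # Internet -> NAT server address
        ("Eth-Trunk4", "2.2.2.2", "192.168.2.8"),      # Internet -> private address
    ]:
        print(f"{ingress} {s} -> {d}: {path(ingress, s, d)}",
              "inspected" if inspected(ingress, s, d) else "not inspected")
```

Running it shows that Trust-to-DMZ traffic in either direction never reaches an NGFW Module (p1 and p3 hit c1 first), that each outbound direction lands on its own VRRP address, and that an Internet packet for 1.1.1.3 is carried to the firewall by the host route rather than by p4. A packet for a private address arriving on Eth-Trunk4 is the case p4 exists for, which is the distinction the note on NAT above draws.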


Verification
1. Run the display hrp state command on NGFW Module_A to check the
current HRP status. If the following output is displayed, an HRP relationship is
successfully established.
HRP_A[Module_A] display hrp state
The firewall's config state is: ACTIVE

Backup channel usage: 0.01%


Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
Current state of virtual routers configured as active:
Eth-Trunk1.3 vrid 3 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.2 vrid 2 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.1 vrid 1 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up

2. Check whether the access from the intranet to the Internet succeeds and
check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80

According to the preceding output, NGFW Module_A has created a session
entry for the access from the intranet to the Internet. A session entry with the
Remote tag exists on NGFW Module_B, which indicates that session backup
succeeds after you configure hot standby.
3. Check whether the access from the Internet to servers in the DMZ succeeds
and check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]

4. Configure a PC in the Trust zone to constantly ping the public address and run
the shutdown command on Eth-Trunk1 of NGFW Module_A. Then check the
status switchover of the NGFW Modules and the number of discarded ping packets. If
the switchover is normal, NGFW Module_B becomes active and carries the
services. The command prompt of NGFW Module_B changes from HRP_S to
HRP_A, and the command prompt of NGFW Module_A changes from
HRP_A to HRP_S. No or only a few ping packets (1 to 3 packets, depending on the
actual network environment) are discarded.
Run the undo shutdown command on Eth-Trunk1 of NGFW Module_A and
check the status switchover of the NGFW Modules and the number of discarded ping
packets. If the switchover is normal, NGFW Module_A becomes active and
starts to carry services after the preemption delay (60s by default) expires. The
command prompt of NGFW Module_A changes from HRP_S to HRP_A, and
the command prompt of NGFW Module_B changes from HRP_A to HRP_S.
No or only a few ping packets (1 to 3 packets, depending on the actual network
environment) are discarded.
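The session-table checks in steps 2 and 3 are easy to script once the entry format is understood: the bracketed address after the source is the post-source-NAT address, the bracketed address after the destination is the real server behind the NAT server mapping, and the Remote tag marks a backed-up session on the standby. The following Python code is an added example and not part of the Huawei guide or of the NGFW software; its sample tables are constructed from the entries shown above (the entries of both steps are merged into one table per device for illustration), and the line format it parses is assumed from those entries.

```python
"""Parser for 'display firewall session table' entries and a backup check.

Added example (not from the Huawei guide or the NGFW software). The entry
format is assumed from the lines shown in the verification above; the two
sample tables below are constructed from those lines.
"""
import re
from typing import Dict, List, Optional

# Constructed: one table per device, merging the entries from steps 2 and 3.
ACTIVE_OUTPUT = """\
Current Total Sessions : 2
http VPN: public --> public 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
http VPN: public --> public 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""
STANDBY_OUTPUT = """\
Current Total Sessions : 2
http VPN: public --> public Remote 192.168.1.8:22048[1.1.1.1:2106] --> 3.3.3.3:80
http VPN: public --> public Remote 2.2.2.2:11447 --> 1.1.1.3:8000[192.168.2.8:80]
"""

# ip:port, optionally followed by a translated ip:port in square brackets.
ENDPOINT = r"(\d+\.\d+\.\d+\.\d+):(\d+)(?:\[(\d+\.\d+\.\d+\.\d+):(\d+)\])?"
SESSION_RE = re.compile(
    r"^(\S+)\s+VPN:\s*(\S+)\s+-->\s+(\S+)\s+(Remote\s+)?" + ENDPOINT
    + r"\s+-->\s+" + ENDPOINT + r"$"
)


def parse_session(line: str) -> Optional[Dict]:
    """Return the fields of one session entry, or None for any other line."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    return {
        "proto": g[0], "src_vpn": g[1], "dst_vpn": g[2],
        "remote": g[3] is not None,                         # backed-up copy on the standby
        "src": f"{g[4]}:{g[5]}",
        "src_nat": f"{g[6]}:{g[7]}" if g[6] else None,      # post-source-NAT address
        "dst": f"{g[8]}:{g[9]}",
        "dst_real": f"{g[10]}:{g[11]}" if g[10] else None,  # real server behind NAT server
    }


def nat_kind(session: Dict) -> str:
    """Which NAT function produced the entry, judging by the bracketed fields."""
    if session["src_nat"]:
        return "source-nat"
    if session["dst_real"]:
        return "nat-server"
    return "none"


def parse_table(text: str) -> List[Dict]:
    return [s for s in map(parse_session, text.splitlines()) if s]


def session_key(s: Dict) -> tuple:
    return (s["proto"], s["src"], s["src_nat"], s["dst"], s["dst_real"])


def missing_backups(active_text: str, standby_text: str) -> List[str]:
    """Active-side sessions that have no matching Remote entry on the standby."""
    backed_up = {session_key(s) for s in parse_table(standby_text) if s["remote"]}
    return [f"{s['proto']} {s['src']} --> {s['dst']}"
            for s in parse_table(active_text)
            if not s["remote"] and session_key(s) not in backed_up]


if __name__ == "__main__":
    for s in parse_table(ACTIVE_OUTPUT):
        print(nat_kind(s), s["src"], "->", s["dst"])
    print("missing backups:", missing_backups(ACTIVE_OUTPUT, STANDBY_OUTPUT))
```

An empty list from missing_backups is the scripted form of "a session entry with the Remote tag exists on NGFW Module_B"; any entry it returns is a session that would be lost on a switchover.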


Configuration Scripts
Configuration scripts of the NGFW Modules:

NGFW Module_A:

#
sysname Module_A
#
hrp enable
hrp interface Eth-Trunk0
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action nat address-group addressgroup1
#
return

NGFW Module_B:

#
sysname Module_B
#
hrp enable
hrp interface Eth-Trunk0
hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
#
nat server policy_web protocol tcp global 1.1.1.3 8000 inside 192.168.2.8 www
#
interface Eth-Trunk0
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 portswitch
 port link-type access
#
interface Eth-Trunk1.1
 vlan-type dot1q 201
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface Eth-Trunk1.2
 vlan-type dot1q 202
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface Eth-Trunk1.3
 vlan-type dot1q 203
 ip address 10.3.3.3 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.3.1 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 portswitch
 port link-type access
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type access
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.2
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.3
#
firewall zone hrpzone
 set priority 65
 add interface Eth-Trunk0
#
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.4
ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 192.168.1.0 255.255.255.0 10.3.2.4
ip route-static 192.168.2.0 255.255.255.0 10.3.3.4
#
nat address-group addressgroup1 0
 section 0 1.1.1.1 1.1.1.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name policy_sec2
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action nat address-group addressgroup1
#
return

Configuration script of CSS:


# ----Traffic diversion configuration----
vlan batch 201 to 203
#
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3003
rule 5 permit ip source 192.168.2.0 0.0.0.255
acl number 3004
rule 5 permit ip destination 192.168.1.0 0.0.0.255
rule 10 permit ip destination 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
if-match acl 3001
traffic classifier c2 operator or precedence 10
if-match acl 3002
traffic classifier c3 operator or precedence 15
if-match acl 3003
traffic classifier c4 operator or precedence 20
if-match acl 3004
#
traffic behavior b1
permit
traffic behavior b2
permit
redirect ip-nexthop 10.3.2.1
traffic behavior b3
permit
redirect ip-nexthop 10.3.3.1
traffic behavior b4
permit
redirect ip-nexthop 10.3.1.1
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
traffic policy p3 match-order config
classifier c1 behavior b1
classifier c3 behavior b3
traffic policy p4 match-order config
classifier c4 behavior b4
#
interface Vlanif201
ip address 10.3.1.4 255.255.255.0
#
interface Vlanif202
ip address 10.3.2.4 255.255.255.0
#
interface Vlanif203
ip address 10.3.3.4 255.255.255.0
#
interface Eth-Trunk2
traffic-policy p1 inbound
#
interface Eth-Trunk3
traffic-policy p3 inbound
#
interface Eth-Trunk4
traffic-policy p4 inbound
#
interface Eth-Trunk5
description To_NGFW_Module_A
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 203
#
interface Eth-Trunk6
description To_NGFW_Module_B
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 201 to 203
#
interface XGigabitEthernet1/1/0/0
eth-trunk 5
#
interface XGigabitEthernet1/1/0/1
eth-trunk 5
#
interface XGigabitEthernet2/1/0/0
eth-trunk 6
#
interface XGigabitEthernet2/1/0/1
eth-trunk 6
#
ip route-static 1.1.1.1 255.255.255.255 10.3.1.1
ip route-static 1.1.1.2 255.255.255.255 10.3.1.1
ip route-static 1.1.1.3 255.255.255.255 10.3.1.1
#
return


2.8.3.4 Layer 3 Active/Standby Hot Standby on the NGFW Modules Installed on a Cluster Switch Where VLAN-based Traffic Diversion Is Implemented

Service Requirements
As shown in Figure 2-41, two switches form a CSS, and two NGFW Modules are
installed in slot 1 of the respective switches and implement hot standby. The
NGFW Modules perform security checks on traffic sent by intranet users to
access the server area or the Internet.
This example uses NGFW Modules running V100R001C30 and switches running
V200R008C00. For the configuration examples of NGFW Modules running other
versions, see the Deployment Guide. You can search for "Deployment Guide" in the
search bar.

Figure 2-41 Switch CSS and NGFW Module hot standby networking

[Figure: the Internet/WAN (next hop 10.3.0.5/24) connects to the CSS through Eth-Trunk5. SwitchA and SwitchB form the CSS. NGFW Module_A (GE1/0/0 and GE1/0/1, connected to XGE1/1/0/0 and XGE1/1/0/1 on SwitchA) and NGFW Module_B (GE1/0/0 and GE1/0/1, connected to XGE2/1/0/0 and XGE2/1/0/1 on SwitchB) are joined by a heartbeat link between their Eth-Trunk0 interfaces (10.10.0.1/24 and 10.10.0.2/24). Intranet users (10.1.0.0/24, VLAN 301) connect through Eth-Trunk 2 and the server area (10.2.0.0/24, VLAN 302) through Eth-Trunk 3; VLAN 200 is the upstream VLAN.]

The NGFW Module has two fixed internal Ethernet interfaces: GE1/0/0 to GE1/0/1. The
numbering of internal Ethernet interfaces on the switch is determined by the slot in which the
NGFW Module is installed. For example, when the NGFW Module is installed in slot 1 on the
switch, the internal Ethernet interfaces used by the switch are XGE1/1/0/0 to XGE1/1/0/1.
Eth-Trunk2 and Eth-Trunk3 are interfaces of the switches in the CSS.

Deployment Solution
The NGFW Modules work at Layer 3, and the upstream and downstream network
gateways point to the NGFW Modules. The switches work at Layer 2.

1. The interfaces connecting each NGFW Module and switch are bundled into an
Eth-Trunk interface. The Eth-Trunk interface is Eth-Trunk 1 on each NGFW
Module, Eth-Trunk 10 on SwitchA, and Eth-Trunk 11 on SwitchB.
2. The Eth-Trunk on the switch side is configured to work in trunk mode and
allow packets from VLANs 301, 302, and 200 to pass. Configure three
Eth-Trunk subinterfaces on the NGFW Module side to perform dot1q termination
for packets from VLANs 301, 302, and 200 respectively and perform Layer 3
forwarding.
3. The two NGFW Modules form hot standby in active/standby mode. Therefore, a
VRRP group needs to be configured on the upstream and downstream
subinterfaces of each NGFW Module. One NGFW Module is added to the
active VGMP group, and the other NGFW Module is added to the standby
VGMP group.
The virtual IP addresses of the VRRP groups are the gateway
addresses of the downstream and upstream networks.
Figure 2-42 provides the logical networking.

Figure 2-42 Configuring Eth-Trunk subinterfaces and VRRP on the NGFW Modules

[Figure: logical view. Downstream, Eth-Trunk1.301 on each NGFW Module (10.1.0.1/24 on Module_A, 10.1.0.2/24 on Module_B) carries VRRP Group 1 with virtual IP address 10.1.0.3/24 for intranet users (10.1.0.0/24, VLAN 301). Eth-Trunk1.302 (10.2.0.1/24 and 10.2.0.2/24) carries VRRP Group 2 with virtual IP address 10.2.0.3/24 for the server area (10.2.0.0/24, VLAN 302). Upstream, Eth-Trunk1.200 (10.3.0.1/24 and 10.3.0.2/24) carries VRRP Group 3 with virtual IP address 10.3.0.3/24 toward the Internet (VLAN 200). Module_A is Active and Module_B is Standby in every group. The heartbeat Eth-Trunk0 interfaces use 10.10.0.1/24 and 10.10.0.2/24, and the switch-side interfaces are Eth-Trunk10 (SwitchA) and Eth-Trunk11 (SwitchB).]

Figure 2-42 shows only the interfaces related to the switches and NGFW
Modules.
4. Bundle the GE0/0/1 and GE0/0/2 interfaces on the panel of each NGFW Module
into an Eth-Trunk0 interface, which functions as the heartbeat interface and
backup channel, and enable hot standby.
5. Configure security functions, such as security policies and IPS, on NGFW
Module_A. NGFW Module_A automatically synchronizes its configurations
to NGFW Module_B.

Procedure
Step 1 Complete interface and basic network configurations on NGFW Modules.

# Configure device name on NGFW Module_A.
<sysname> system-view
[sysname] sysname Module_A

# Add the interfaces connecting NGFW Module_A to its connected switch to Eth-
Trunk 1.
[Module_A] interface Eth-Trunk 1
[Module_A-Eth-Trunk1] description To_SWITCHA_trunk10
[Module_A-Eth-Trunk1] quit
[Module_A] interface GigabitEthernet 1/0/0
[Module_A-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/0] quit
[Module_A] interface GigabitEthernet 1/0/1
[Module_A-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_A-GigabitEthernet1/0/1] quit

# Configure Eth-Trunk 1 subinterfaces on NGFW Module_A and map them to
VLANs 301, 302, and 200 respectively.

In actual networking, the number of required subinterfaces depends on the number of
VLANs from which packets need to be terminated.
[Module_A] interface Eth-Trunk 1.301
[Module_A-Eth-Trunk1.301] vlan-type dot1q 301
[Module_A-Eth-Trunk1.301] ip address 10.1.0.1 24
[Module_A-Eth-Trunk1.301] quit
[Module_A] interface Eth-Trunk 1.302
[Module_A-Eth-Trunk1.302] vlan-type dot1q 302
[Module_A-Eth-Trunk1.302] ip address 10.2.0.1 24
[Module_A-Eth-Trunk1.302] quit
[Module_A] interface Eth-Trunk 1.200
[Module_A-Eth-Trunk1.200] vlan-type dot1q 200
[Module_A-Eth-Trunk1.200] ip address 10.3.0.1 24
[Module_A-Eth-Trunk1.200] quit

# Add the two interfaces on the panel of NGFW Module_A to Eth-Trunk 0.
[Module_A] interface Eth-Trunk 0
[Module_A-Eth-Trunk0] description hrp_interface
[Module_A-Eth-Trunk0] ip address 10.10.0.1 24
[Module_A-Eth-Trunk0] quit
[Module_A] interface GigabitEthernet 0/0/1
[Module_A-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/1] quit
[Module_A] interface GigabitEthernet 0/0/2
[Module_A-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_A-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_A to security zones.
[Module_A] firewall zone untrust
[Module_A-zone-untrust] add interface Eth-Trunk 1.200
[Module_A-zone-untrust] quit
[Module_A] firewall zone dmz
[Module_A-zone-dmz] add interface Eth-Trunk 1.302
[Module_A-zone-dmz] quit
[Module_A] firewall zone trust
[Module_A-zone-trust] add interface Eth-Trunk 1.301
[Module_A-zone-trust] quit
[Module_A] firewall zone name hrp
[Module_A-zone-hrp] set priority 75
[Module_A-zone-hrp] add interface Eth-Trunk 0
[Module_A-zone-hrp] quit

# Configure device name on NGFW Module_B.
<sysname> system-view
[sysname] sysname Module_B

# Add the interfaces connecting NGFW Module_B to its connected switch to Eth-
Trunk 1.
[Module_B] interface Eth-Trunk 1
[Module_B-Eth-Trunk1] description To_SWITCHB_trunk11
[Module_B-Eth-Trunk1] quit
[Module_B] interface GigabitEthernet 1/0/0
[Module_B-GigabitEthernet1/0/0] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/0] quit
[Module_B] interface GigabitEthernet 1/0/1
[Module_B-GigabitEthernet1/0/1] Eth-Trunk 1
[Module_B-GigabitEthernet1/0/1] quit

# Configure Eth-Trunk 1 subinterfaces on NGFW Module_B and map them to
VLANs 301, 302, and 200 respectively.
[Module_B] interface Eth-Trunk 1.301
[Module_B-Eth-Trunk1.301] vlan-type dot1q 301
[Module_B-Eth-Trunk1.301] ip address 10.1.0.2 24
[Module_B-Eth-Trunk1.301] quit
[Module_B] interface Eth-Trunk 1.302
[Module_B-Eth-Trunk1.302] vlan-type dot1q 302
[Module_B-Eth-Trunk1.302] ip address 10.2.0.2 24
[Module_B-Eth-Trunk1.302] quit
[Module_B] interface Eth-Trunk 1.200
[Module_B-Eth-Trunk1.200] vlan-type dot1q 200
[Module_B-Eth-Trunk1.200] ip address 10.3.0.2 24
[Module_B-Eth-Trunk1.200] quit

# Add the two interfaces on the panel of NGFW Module_B to Eth-Trunk 0.
[Module_B] interface Eth-Trunk 0
[Module_B-Eth-Trunk0] description hrp_interface
[Module_B-Eth-Trunk0] ip address 10.10.0.2 24
[Module_B-Eth-Trunk0] quit
[Module_B] interface GigabitEthernet 0/0/1
[Module_B-GigabitEthernet0/0/1] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/1] quit
[Module_B] interface GigabitEthernet 0/0/2
[Module_B-GigabitEthernet0/0/2] Eth-Trunk 0
[Module_B-GigabitEthernet0/0/2] quit

# Assign the interfaces of NGFW Module_B to security zones.
[Module_B] firewall zone untrust
[Module_B-zone-untrust] add interface Eth-Trunk 1.200
[Module_B-zone-untrust] quit
[Module_B] firewall zone dmz
[Module_B-zone-dmz] add interface Eth-Trunk 1.302
[Module_B-zone-dmz] quit
[Module_B] firewall zone trust
[Module_B-zone-trust] add interface Eth-Trunk 1.301
[Module_B-zone-trust] quit
[Module_B] firewall zone name hrp
[Module_B-zone-hrp] set priority 75
[Module_B-zone-hrp] add interface Eth-Trunk 0
[Module_B-zone-hrp] quit

Step 2 On the NGFW Modules, configure a default route to the Internet.

# Default route from NGFW Module_A to the Internet
[Module_A] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5

# Default route from NGFW Module_B to the Internet
[Module_B] ip route-static 0.0.0.0 0.0.0.0 10.3.0.5


Step 3 Configure hot standby on NGFW Modules.

# Configure VRRP groups on NGFW Module_A.
[Module_A] interface Eth-Trunk 1.301
[Module_A-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 active
[Module_A-Eth-Trunk1.301] quit
[Module_A] interface Eth-Trunk 1.302
[Module_A-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 active
[Module_A-Eth-Trunk1.302] quit
[Module_A] interface Eth-Trunk 1.200
[Module_A-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 active
[Module_A-Eth-Trunk1.200] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_A.
[Module_A] hrp interface Eth-Trunk 0
[Module_A] hrp enable

# Configure VRRP groups on NGFW Module_B.
[Module_B] interface Eth-Trunk 1.301
[Module_B-Eth-Trunk1.301] vrrp vrid 1 virtual-ip 10.1.0.3 standby
[Module_B-Eth-Trunk1.301] quit
[Module_B] interface Eth-Trunk 1.302
[Module_B-Eth-Trunk1.302] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[Module_B-Eth-Trunk1.302] quit
[Module_B] interface Eth-Trunk 1.200
[Module_B-Eth-Trunk1.200] vrrp vrid 3 virtual-ip 10.3.0.3 standby
[Module_B-Eth-Trunk1.200] quit

# Specify the heartbeat interface and enable hot standby on NGFW Module_B.
[Module_B] hrp interface Eth-Trunk 0
[Module_B] hrp enable
[Module_B] hrp standby-device //This command is required only in versions earlier than
V100R001C30SPC300.

After hot standby is configured, the configurations and sessions on the active device are
synchronized to the standby device; therefore, you only need to perform the following
configurations on the active NGFW Module_A.
Before configuring intrusion prevention, ensure that the required license is loaded and the
intrusion prevention signature database is the latest version.
When configuring intrusion prevention, use the default intrusion prevention profile default.

Step 4 Configure security services on NGFW Modules.

# On NGFW Module_A, configure a security policy to allow intranet users to
access the server zone (network segment 10.2.0.0/24).
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_to_server
HRP_A[Module_A-policy-security-rule-policy_to_server] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_to_server] destination-zone dmz
HRP_A[Module_A-policy-security-rule-policy_to_server] destination-address 10.2.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_server] service http ftp
HRP_A[Module_A-policy-security-rule-policy_to_server] action permit
HRP_A[Module_A-policy-security-rule-policy_to_server] quit
HRP_A[Module_A-policy-security] quit

# On NGFW Module_A, configure a security policy to allow intranet users to
access the Internet and configure intrusion prevention.
HRP_A[Module_A] security-policy
HRP_A[Module_A-policy-security] rule name policy_to_wan
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-zone trust
HRP_A[Module_A-policy-security-rule-policy_to_wan] destination-zone untrust
HRP_A[Module_A-policy-security-rule-policy_to_wan] source-address 10.1.0.0 24
HRP_A[Module_A-policy-security-rule-policy_to_wan] service http ftp
HRP_A[Module_A-policy-security-rule-policy_to_wan] profile ips default
HRP_A[Module_A-policy-security-rule-policy_to_wan] action permit
HRP_A[Module_A-policy-security-rule-policy_to_wan] quit
HRP_A[Module_A-policy-security] quit

# Configure ASPF on NGFW Module_A. FTP is used as an example.
HRP_A[Module_A] firewall interzone trust dmz
HRP_A[Module_A-interzone-trust-dmz] detect ftp
HRP_A[Module_A-interzone-trust-dmz] quit
HRP_A[Module_A] firewall interzone trust untrust
HRP_A[Module_A-interzone-trust-untrust] detect ftp
HRP_A[Module_A-interzone-trust-untrust] quit

# Save configurations on NGFW Module_A and NGFW Module_B.
HRP_A<Module_A> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
HRP_S<Module_B> save
The current configurations will be written to the device.
Are you sure?[Y/N] y
Now saving the current configuration to the device......
Info:The Current Configuration was saved to the device successfully
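The commands in Steps 1 and 3 have to agree across the two NGFW Modules: each subinterface must terminate the same VLAN, the two real addresses on it must share a subnet, every VRRP group must use the same virtual IP address on both peers with exactly one active and one standby role, and zone membership and the heartbeat interface must match, otherwise the VGMP/VRRP pairing does not come up cleanly. The following Python check is an added example and not part of the Huawei guide or of the NGFW software; MODULE_A and MODULE_B are constructed from the commands above in running-config form, and the parser understands only the command forms used on this page.

```python
"""Consistency check for a hot-standby NGFW Module pair.

Added example (not from the Huawei guide or the NGFW software). MODULE_A and
MODULE_B are constructed from the Step 1 and Step 3 commands on this page.
"""
import re
from ipaddress import ip_address, ip_interface
from typing import Dict, List

MODULE_A = """\
sysname Module_A
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.1 24
 vrrp vrid 1 virtual-ip 10.1.0.3 active
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.1 24
 vrrp vrid 2 virtual-ip 10.2.0.3 active
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.1 24
 vrrp vrid 3 virtual-ip 10.3.0.3 active
interface Eth-Trunk0
 ip address 10.10.0.1 24
firewall zone untrust
 add interface Eth-Trunk1.200
firewall zone dmz
 add interface Eth-Trunk1.302
firewall zone trust
 add interface Eth-Trunk1.301
firewall zone name hrp
 add interface Eth-Trunk0
hrp interface Eth-Trunk0
hrp enable
"""

# Module_B differs only in its name, its real addresses, the VRRP role and the
# standby-device flag (required only in versions earlier than V100R001C30SPC300).
MODULE_B = (MODULE_A.replace("Module_A", "Module_B").replace(" active", " standby")
            .replace("10.1.0.1 24", "10.1.0.2 24").replace("10.2.0.1 24", "10.2.0.2 24")
            .replace("10.3.0.1 24", "10.3.0.2 24").replace("10.10.0.1 24", "10.10.0.2 24")
            + "hrp standby-device\n")


def parse(text: str) -> Dict:
    """Extract interfaces, VRRP groups, zone membership and HRP settings."""
    cfg = {"ifaces": {}, "zones": {}, "hrp_interface": None, "standby_device": False}
    ctx = None  # view the indented lines belong to: ("iface", name) or ("zone", name)
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", raw)
        if m:
            ctx, cfg["ifaces"][m.group(1)] = ("iface", m.group(1)), {"vrrp": {}}
            continue
        m = re.match(r"firewall zone (?:name )?(\S+)$", raw)
        if m:
            ctx, cfg["zones"][m.group(1)] = ("zone", m.group(1)), set()
            continue
        if raw.startswith("hrp interface "):
            cfg["hrp_interface"], ctx = line.split()[-1], None
        elif raw == "hrp standby-device":
            cfg["standby_device"], ctx = True, None
        elif ctx and ctx[0] == "iface":
            iface = cfg["ifaces"][ctx[1]]
            m = re.match(r"vlan-type dot1q (\d+)$", line)
            if m:
                iface["vlan"] = int(m.group(1))
            m = re.match(r"ip address (\S+) (\d+)$", line)
            if m:
                iface["ip"] = ip_interface(f"{m.group(1)}/{m.group(2)}")
            m = re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line)
            if m:
                iface["vrrp"][int(m.group(1))] = (m.group(2), m.group(3))
        elif ctx and ctx[0] == "zone":
            m = re.match(r"add interface (\S+)$", line)
            if m:
                cfg["zones"][ctx[1]].add(m.group(1))
    return cfg


def check(text_a: str, text_b: str) -> List[str]:
    """Return findings; an empty list means the pair is consistent."""
    a, b, out = parse(text_a), parse(text_b), []
    if set(a["ifaces"]) != set(b["ifaces"]):
        out.append("interface sets differ")
    if a["hrp_interface"] != b["hrp_interface"]:
        out.append("heartbeat interface differs")
    if a["zones"] != b["zones"]:
        out.append("security zone membership differs")
    for name in sorted(set(a["ifaces"]) & set(b["ifaces"])):
        ia, ib = a["ifaces"][name], b["ifaces"][name]
        if ia.get("vlan") != ib.get("vlan"):
            out.append(f"{name}: dot1q VLAN differs")
        if "ip" in ia and "ip" in ib:
            if ia["ip"].network != ib["ip"].network:
                out.append(f"{name}: peers are in different subnets")
            elif ia["ip"].ip == ib["ip"].ip:
                out.append(f"{name}: duplicate real IP address")
        if set(ia["vrrp"]) != set(ib["vrrp"]):
            out.append(f"{name}: VRRP vrid sets differ")
        for vrid in sorted(set(ia["vrrp"]) & set(ib["vrrp"])):
            (vip_a, role_a), (vip_b, role_b) = ia["vrrp"][vrid], ib["vrrp"][vrid]
            if vip_a != vip_b:
                out.append(f"{name}: vrid {vrid} virtual-ip differs")
            if {role_a, role_b} != {"active", "standby"}:
                out.append(f"{name}: vrid {vrid} roles are {role_a}/{role_b}")
            if "ip" in ia and ip_address(vip_a) not in ia["ip"].network:
                out.append(f"{name}: vrid {vrid} virtual-ip is outside the interface subnet")
    for cfg in (a, b):  # the flag belongs on the standby peer only
        roles = {r for i in cfg["ifaces"].values() for _, r in i["vrrp"].values()}
        if cfg["standby_device"] and "active" in roles:
            out.append("hrp standby-device is set on the device holding the active VRRP role")
    return out


if __name__ == "__main__":
    print(check(MODULE_A, MODULE_B) or "pair is consistent")
```

The check runs before hrp enable is issued, which is the point at which a mismatch is cheapest to fix; the same parser can be pointed at the saved configuration files of the two devices.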

Step 5 Configure the core switches to form a CSS.


1. Install the hardware and connect the cables. For details, see the CSS
Installation Guide.
2. Set the CSS connection mode (such as the CSS card connection mode), CSS
ID, and CSS priority.

# Configure the CSS on SwitchA. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 1, and the CSS priority is 100.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] set css mode css-card //Set the CSS connection mode. The default mode is CSS card connection mode.
[SwitchA] set css id 1 //Set the CSS ID. The default value is 1.
[SwitchA] set css priority 100 //Set the CSS priority. The default value is 1.

# Configure the CSS on SwitchB. In the example, the CSS connection mode is
CSS card connection mode, the CSS ID is 2, and the CSS priority is 10.
<Huawei> system-view
[Huawei] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10

3. Enable the CSS function.

# To use SwitchA as the active switch, enable CSS on SwitchA and then restart
SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable CSS on SwitchB and then restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

4. Check whether the CSS is established.

# Log in to the CSS from the console port of any MPU and run the following
command to view the CSS status.
<SwitchA> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

If the CSS IDs, CSS priorities, CSS enabling status, and CSS status of the two
member switches are displayed, as shown in the preceding information, the
CSS has been established.

You are advised to configure MAD to minimize the impact of a CSS split on
services. Detailed configurations will not be described here.
5. Rename the cluster system to CSS.
<SwitchA> system-view
[SwitchA] sysname CSS
[CSS]

Step 6 Configure switch interfaces.


1. Create VLANs.
[CSS] vlan batch 200 301 to 302

2. Add the switch interfaces connected to NGFW Module_A to Eth-Trunk 10.


[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] description To_Module_A
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] trunkport xgigabitethernet 1/1/0/0 to 1/1/0/1
[CSS-Eth-Trunk10] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk10] port trunk allow-pass vlan 200 301 to 302 //Direct traffic from different VLANs to the NGFW Module.
[CSS-Eth-Trunk10] quit

3. Add the switch interfaces connected to NGFW Module_B to Eth-Trunk 11.


[CSS] interface eth-trunk 11
[CSS-Eth-Trunk11] description To_Module_B
[CSS-Eth-Trunk11] port link-type trunk
[CSS-Eth-Trunk11] trunkport xgigabitethernet 2/1/0/0 to 2/1/0/1
[CSS-Eth-Trunk11] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk11] port trunk allow-pass vlan 200 301 to 302 //Direct traffic from different VLANs to the NGFW Module.
[CSS-Eth-Trunk11] quit

4. Configure Eth-Trunk 2 connected to intranet users. Adding the interfaces to
Eth-Trunk 2 is not mentioned here.
[CSS] interface eth-trunk 2
[CSS-Eth-Trunk2] port link-type trunk
[CSS-Eth-Trunk2] undo port trunk allow-pass vlan 1
[CSS-Eth-Trunk2] port trunk allow-pass vlan 301
[CSS-Eth-Trunk2] quit

5. Configure Eth-Trunk 3 connected to intranet users. Adding the interfaces to
Eth-Trunk 3 is not mentioned here.
[CSS] interface eth-trunk 3
[CSS-Eth-Trunk3] port link-type trunk
[CSS-Eth-Trunk3] undo port trunk allow-pass vlan 1


[CSS-Eth-Trunk3] port trunk allow-pass vlan 302
[CSS-Eth-Trunk3] quit

6. Configure Eth-Trunk 5 connected to the egress router. Adding the interfaces to
Eth-Trunk 5 is not mentioned here.
[CSS] interface eth-trunk 5
[CSS-Eth-Trunk5] port link-type access
[CSS-Eth-Trunk5] port default vlan 200
[CSS-Eth-Trunk5] quit

Step 7 Configure upstream and downstream devices.


1. Configure the upstream interface Eth-Trunk 2 on the intranet switch to work
in trunk mode and allow traffic from VLAN 301 to pass.
2. Configure the upstream interface Eth-Trunk 3 on the server switch to work in
trunk mode and allow traffic from VLAN 302 to pass.
3. Set the gateway address of intranet PCs to the virtual IP address (10.1.0.3) of
the VRRP group to which Eth-Trunk 1.301 belongs.
4. Set the gateway address of servers to the virtual IP address (10.2.0.3) of the
VRRP group to which Eth-Trunk 1.302 belongs.
5. The next-hop address of the route from the egress router to the intranet is
the virtual IP address (10.3.0.3) of the VRRP group to which Eth-Trunk 1.200
belongs.

----End

Verification
1. Run the display hrp state command on NGFW Module_A to check the
current HRP status. If the following output is displayed, an HRP relationship is
successfully established.
HRP_A[Module_A] display hrp state
The firewall's config state is: ACTIVE

Backup channel usage: 0.01%


Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes
Current state of virtual routers configured as active:
Eth-Trunk1.200 vrid 3 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.302 vrid 2 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up
Eth-Trunk1.301 vrid 1 : active
(GigabitEthernet1/0/0) : up
(GigabitEthernet1/0/1) : up

2. Check whether the access from the intranet to the Internet succeeds and
check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80

According to the preceding output, NGFW Module_A has created a session
entry for the access from the intranet to the Internet. A session entry with the
Remote tag exists on NGFW Module_B, which indicates that session backup
succeeds after you configure hot standby.


3. Check whether the access from users in the intranet to servers succeeds and
check the session table of each NGFW Module.
HRP_A[Module_A] display firewall session table
Current Total Sessions : 1
http VPN: public --> public 10.1.0.10:22048 --> 10.2.0.8:80
HRP_S[Module_B] display firewall session table
Current Total Sessions : 1
http VPN: public --> public Remote 10.1.0.10:22048 --> 10.2.0.8:80
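Verification steps 2 and 3 both rest on the same check: every session the active NGFW Module creates must appear on the standby module with the Remote tag. The following script is an added example, not part of the original Huawei document; it parses two `display firewall session table` outputs (constructed here to match the format shown above) and reports any session that was not backed up, so the check can be repeated after each failover test.

```python
import re

# Constructed sample outputs modelled on the 'display firewall session table'
# lines in the verification steps above (not captured from a real NGFW Module).
ACTIVE_OUTPUT = """\
Current Total Sessions : 2
http VPN: public --> public 10.1.0.10:22048 --> 3.3.3.3:80
http VPN: public --> public 10.1.0.10:22049 --> 10.2.0.8:80
"""
STANDBY_OUTPUT = """\
Current Total Sessions : 2
http VPN: public --> public Remote 10.1.0.10:22048 --> 3.3.3.3:80
http VPN: public --> public Remote 10.1.0.10:22049 --> 10.2.0.8:80
"""

# One session line: proto, source/destination VPN instance, optional 'Remote'
# tag (present only on entries synchronised from the peer), then the 5-tuple.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s*"
    r"(?P<remote>Remote\s+)?(?P<src>[\d.]+):(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_sessions(output):
    """Map each session key to True if the entry carries the Remote tag; skips the header."""
    sessions = {}
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            key = (m["proto"], m["svpn"], m["dvpn"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]))
            sessions[key] = m["remote"] is not None
    return sessions

def check_session_backup(active_output, standby_output):
    """Compare active and standby tables; an empty list means every session is backed up."""
    active, standby = parse_sessions(active_output), parse_sessions(standby_output)
    findings = []
    for key, remote in active.items():
        if remote:
            findings.append(f"active module shows a Remote session, roles may be swapped: {key}")
        if key not in standby:
            findings.append(f"session not backed up to standby: {key}")
        elif not standby[key]:
            findings.append(f"standby holds a locally created (non-Remote) session: {key}")
    for key in standby.keys() - active.keys():
        findings.append(f"stale session on standby: {key}")
    return findings

if __name__ == "__main__":
    for line in check_session_backup(ACTIVE_OUTPUT, STANDBY_OUTPUT) or ["session backup OK"]:
        print(line)
```

Running the check right after the shutdown/undo shutdown test in step 4 also confirms that the modules swapped roles, because the Remote tag then appears on the other side.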

4. Configure a PC in the Trust zone to constantly ping the public address and run
the shutdown command on Eth-trunk1 of NGFW Module_A. Then check the
status switchover of the NGFW Module and discarded ping packets. If the
status switchover is normal, NGFW Module_B becomes the active device and
carries services. The command prompt of NGFW Module_B is changed from
HRP_S to HRP_A, and the command prompt of NGFW Module_A is changed
from HRP_A to HRP_S. No or several ping packets (1 to 3 packets, depending
on actual network environments) are discarded.
Run the undo shutdown command on Eth-trunk1 of NGFW Module_A and
check the status switchover of the NGFW Module and discarded ping packets.
If the status switchover is normal, NGFW Module_A becomes the active device
and starts to carry service after the preemption delay (60s by default) expires.
The command prompt of NGFW Module_A is changed from HRP_S to HRP_A,
and the command prompt of NGFW Module_B is changed from HRP_A to
HRP_S. No or several ping packets (1 to 3 packets, depending on actual
network environments) are discarded.

Configuration Scripts
Configuration scripts of the NGFW Modules:


Configuration script of NGFW Module_A:

#
sysname Module_A
#
hrp enable
hrp interface Eth-Trunk0
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.1 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHA_trunk10
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 active
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 active
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.200
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.302
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect ftp
#
firewall interzone trust dmz
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#
security-policy
 rule name policy_to_server
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit
 rule name policy_to_wan
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
return

Configuration script of NGFW Module_B:

#
sysname Module_B
#
hrp enable
hrp interface Eth-Trunk0
hrp standby-device //This command is required only in versions earlier than V100R001C30SPC300.
#
interface Eth-Trunk0
 description hrp_interface
 ip address 10.10.0.2 255.255.255.0
#
interface Eth-Trunk1
 description To_SWITCHB_trunk11
#
interface Eth-Trunk1.200
 vlan-type dot1q 200
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
#
interface Eth-Trunk1.301
 vlan-type dot1q 301
 ip address 10.1.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.0.3 standby
#
interface Eth-Trunk1.302
 vlan-type dot1q 302
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.2.0.3 standby
#
interface GigabitEthernet0/0/1
 eth-trunk 0
#
interface GigabitEthernet0/0/2
 eth-trunk 0
#
interface GigabitEthernet1/0/0
 eth-trunk 1
#
interface GigabitEthernet1/0/1
 eth-trunk 1
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1.301
#
firewall zone untrust
 set priority 5
 add interface Eth-Trunk1.200
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1.302
#
firewall zone name hrp
 set priority 75
 add interface Eth-Trunk0
#
firewall interzone trust untrust
 detect ftp
#
firewall interzone trust dmz
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 10.3.0.5
#
security-policy
 rule name policy_to_server
  source-zone trust
  destination-zone dmz
  destination-address 10.2.0.0 mask 255.255.255.0
  service http
  service ftp
  action permit
 rule name policy_to_wan
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  service http
  service ftp
  profile ips default
  action permit
#
return

Configuration script of CSS:


# ----CSS configuration----
vlan batch 200 301 to 302
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301
#
interface Eth-Trunk3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 302
#
interface Eth-Trunk5
port link-type access
port default vlan 200
#
interface Eth-Trunk10
description To_Module_A
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200 301 to 302
#
interface Eth-Trunk11
description To_Module_B
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200 301 to 302
#
interface XGigabitEthernet1/1/0/0
eth-Trunk 10
#
interface XGigabitEthernet1/1/0/1
eth-Trunk 10
#
interface XGigabitEthernet2/1/0/0
eth-Trunk 11
#
interface XGigabitEthernet2/1/0/1
eth-Trunk 11
#
return
