Huawei S9700 Series Configuration Manual

Terabit routing switches SPU

S9700 Core Routing Switch
V200R001C00
Configuration Guide - SPU
Issue 01
Date 2012-03-15
HUAWEI TECHNOLOGIES CO., LTD.
Summary of Contents for Huawei S9700 Series

  • Page 1 S9700 Core Routing Switch V200R001C00 Configuration Guide - SPU Issue 01 Date 2012-03-15 HUAWEI TECHNOLOGIES CO., LTD.
  • Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
  • Page 3: About This Document

    This document is intended for data configuration engineers, commissioning engineers, network monitoring engineers, and system maintenance engineers. Symbol Conventions: The symbols that may be found in this document are defined as follows. Issue 01 (2012-03-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
  • Page 4: Command Conventions

    Several items or no item can be selected. &<1-n> The parameter before the & sign can be repeated 1 to n times. A line starting with the # sign is a comment.
  • Page 5 Change History Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues. Changes in Issue 01 (2012-03-15) Initial commercial release.
  • Page 6: Table Of Contents

    2.4.1 Establishing the Configuration Task ... 37; 2.4.2 Configuring ACL-based Packet Filtering in an Interzone ... 38; 2.4.3 Checking the Configuration ... 38; 2.5 Configuring the Blacklist ... 39; 2.5.1 Establishing the Configuration Task ... 39; 2.5.2 Enabling the Blacklist Function ... 40
  • Page 7 2.13 Configuring the Log Function ... 63; 2.13.1 Establishing the Configuration Task ... 63; 2.13.2 Enabling the Log Function on the Firewall ... 64; 2.13.3 Setting the Log Parameters ... 65; 2.13.4 Checking the Configuration ... 66; 2.14 Maintaining the Firewall ... 66
  • Page 8 4.3.6 Checking the Configuration ... 119; 4.4 Establishing an IPSec Tunnel Through IKE Negotiation ... 120; 4.4.1 Establishing the Configuration Task ... 120; 4.4.2 Defining Protected Data Flows ... 121; 4.4.3 Configuring an IKE Proposal ... 121
  • Page 9 5.5.5 (Optional) Configuring the Inactive Aging Time for the Original Traffic ... 159; 5.5.6 (Optional) Configuring the Active Aging Time for the Original Traffic ... 159; 5.5.7 Checking the Configuration ... 159; 5.6 Configuring the Aggregation Statistics About Traffic ... 160
  • Page 10 6.4 Configuring Server Load Balancing ... 205; 6.4.1 Establishing the Configuration Task ... 205; 6.4.2 (Optional) Configuring a NAT Address Pool ... 206; 6.4.3 (Optional) Configuring Server Health Detection ... 207; 6.4.4 Configuring a Server ... 211
  • Page 11 7.4.1 Checking Channel Connectivity Between the Active and Standby Firewalls ... 303; 7.5 Configuration Examples of Dual-System HSB ... 304; 7.5.1 Example for Configuring Dual-System HSB on the S9700 ... 304; 7.5.2 Example for Configuring Dual-System HSB Between S9700s ... 314
  • Page 12: Spu Pre-Configuration

    To implement Layer 2 communication between the SPU and the S9700 switch, assign IP addresses on the same network segment to the virtual XGE interfaces between them, and configure Layer 3 flow import.
  • Page 13: Overview Of Spu Pre-Configuration

    Only one of the preceding services can be enabled on an SPU at a time. You can install multiple SPUs on an S9700 switch to provide different types of services.
  • Page 14: Configuring A Service Type

    The SPU can provide the firewall, NAT, IPSec and NetStream services to meet different service requirements. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: set service-type type The service type of the SPU is configured.
  • Page 15: Checking The Configuration

    LPU. If two pairs of XGE interfaces on the S9700 switch and SPU are aggregated into Eth-Trunk interfaces, add GE 3/0/0, Eth-Trunk 0, and Eth-Trunk 1 to the same VLAN.
  • Page 16 Before configuring Layer 2 flow import, ensure that the SPU has been installed on the S9700 switch and is running properly. Data Preparation To configure Layer 2 flow import, you need the following data. Data Number of the Eth-Trunk interface
  • Page 17: Configuring Layer 2 Flow Import With Interfaces Aggregated

    The link type of the interface is configured. Run any of the following commands to add the interface to the VLAN based on the link type of the interface:
  • Page 18 [ to vlan-id2 ] }&<1-10> | all command to add the interface to the VLAN. Run: quit Exit from the interface view. Step 3 Configure an Eth-Trunk interface. Run: interface eth-trunk trunk-id
  • Page 19 The Eth-Trunk interface view is displayed. Run: trunkport xgigabitethernet { interface-number1 [ to interface-number2 ] } &<1-8> Two virtual interfaces are configured as member interfaces of the Eth-Trunk interface.
  • Page 20 The sub-interface is configured to allow the VLAN for outgoing data flows. This VLAN is configured in Step 2.1 of section "Configuring Layer 2 Flow Import on the S9700 Switch with Interfaces Aggregated."
  • Page 21: Configuring Layer 2 Flow Import Without Interface Aggregation

    The VLAN for incoming data flows is created and the VLAN view is displayed. Run: quit Exit from the VLAN view. Run: interface interface-type interface-number The view of the interface that forwards traffic to the SPU is displayed.
  • Page 22 Exit from the interface view. Step 2 Export data flows. Run: vlan vlan-id The VLAN for outgoing data flows is created and the VLAN view is displayed. Run: quit
  • Page 23 If the interface is a trunk interface, run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add the interface to the VLAN. Run: quit Exit from the interface view. ----End
  • Page 24 Down and then Up. This may result in route flapping on the entire network, affecting the service operation. Run: quit Exit from the sub-interface view. Step 2 Export data flows. Run: interface xgigabitethernet interface-number.subinterface-number
  • Page 25: Configuring Layer 3 Flow Import

    This configuration is recommended. Add interfaces on the LPUs and virtual XGE interfaces on the S9700 to VLANs. Configure IP addresses for VLANIF interfaces and the XGE sub-interfaces.
  • Page 26 Configure an IP address for the sub-interface of XGE 0/0/1 and an IP address for the VLANIF interface. Ensure that the two IP addresses are on the same network segment.
  • Page 27: Configuring Layer 3 Flow Import With Interfaces Aggregated

    In this document, incoming data flows refer to the flows sent from an LPU to the SPU, and outgoing data flows refer to the flows sent from the SPU to an LPU.
  • Page 28 If the interface is a trunk interface, run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to add the interface to the VLAN. 10. Run: quit
  • Page 29 { interface-number1 [ to interface-number2 ] } &<1-8> Two virtual interfaces on the S9700 are aggregated as the Eth-Trunk interface. Run: port link-type { access | hybrid | trunk }
  • Page 30 { interface-number1 [ to interface-number2 ] } &<1-8> Two virtual interfaces on the SPU are configured as the member interfaces of the Eth-Trunk interface. Run: quit Exit from the Eth-Trunk interface view.
  • Page 31 The sub-interface is configured to allow the VLAN for outgoing flows, which is configured in Step 2.1 of section "Configuring Layer 3 Flow Import on the S9700 Switch with Interfaces Aggregated." Run:
  • Page 32: Configuring Layer 3 Flow Import Without Interface Aggregation

    A VLANIF interface is created and the VLANIF interface view is displayed. The value of vlan-id must be the same as the VLAN ID specified in Step 1.2.
  • Page 33 1.11. 14. Run: ip address ip-address { mask | mask-length } An IP address is configured for the VLANIF interface. 15. Run: quit Exit from the VLANIF interface view.
  • Page 34 If the interface is an access interface, run the port default vlan vlan-id command to configure the VLAN as the default VLAN of the interface.
  • Page 35 Step 1.11 of section "Configuring Layer 3 Flow Import on the S9700 Switch Without Interface Aggregation." Run: ip address ip-address { mask | mask-length } [ sub ]
  • Page 36 When you enable or disable the ARP broadcast function on a sub-interface, the routing status on the sub-interface becomes Down and then Up. This may result in route flapping on the entire network, affecting the service operation. ----End
  • Page 37: Firewall Configuration

    The ASPF function can detect sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that cannot traverse firewalls to function properly. 2.8 Configuring Port Mapping
  • Page 38 The firewall logs include session logs, statistics logs, attack defense logs, and blacklist logs. 2.14 Maintaining the Firewall 2.15 Configuration Examples This section provides several configuration examples of the firewall.
  • Page 39: Firewall Overview

    A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different.
  • Page 40 An entry in the whitelist is represented by the source VPN and IP address.
  • Page 41: Port Mapping

    Session log: sent to the log server in real time. Blacklist log: sent to the information center in real time. Attack log and statistics log: sent to the information center periodically.
  • Page 42 DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or routers. Scanning and snooping attack
  • Page 43: Land Attack

    Common users cannot access the host until the half-connections expire. If the connections can be created without restriction, SYN Flood will consume system resources such as memory.
  • Page 44: Ping Of Death Attack

    19. Then, all the systems enabled with this function return packets to the target host. In this case, the high traffic volume blocks the network or the host stops responding. In addition, the systems without this function generate ICMP-unreachable packets, which also consume
  • Page 45: Configuring Zones

    Configuring the interfaces that you want to add to the zone Data Preparation To configure the zone, you need the following data. Data Name of the zone
  • Page 46: Creating A Zone

    The zone has been created through the firewall zone command. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface interface-type interface-number.subinterface The interface view is displayed.
  • Page 47: Creating An Interzone

    The zones zone-name1 and zone-name2 have been created through the firewall zone command. Step 3 Run: firewall enable The firewall is enabled. By default, the firewall function is disabled in an interzone. ----End
  • Page 48: Checking The Configuration

    Creating the basic ACL, Layer 2 ACL, and advanced ACL and configuring ACL rules Data Preparation To configure ACL-based packet filtering, you need the following data. Data Zone names ACL number Packet direction to which the ACL is applied
  • Page 49: Configuring Acl-Based Packet Filtering In An Interzone

    When a Layer 2 ACL is applied to the interzone, the non-Ethernet packets that do not match the ACL are discarded. ----End 2.4.3 Checking the Configuration After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.
  • Page 50: Configuring The Blacklist

    To configure the blacklist, you need the following data. Data IP address that you want to add to the blacklist (the VPN instance can be included) (Optional) Aging time of blacklist entries
  • Page 51: Enabling The Blacklist Function

    The blacklist entries without the aging time are added to the configuration file. The entries configured with the aging time are not added to the configuration file, but you can view them by using the display firewall blacklist command. ----End
  • Page 52: Configuring Blacklist And Whitelist Using The Configuration File

    The blacklist and whitelist configuration file is loaded. The configured blacklist takes effect only after you run the firewall blacklist enable command to enable the blacklist.
  • Page 53: Checking The Configuration

    If you add the VPN and IP address of a host to the whitelist, the firewall does not check whether the packets sent by that host look like an IP address scanning or port scanning attack, and does not add the IP address to the blacklist.
  • Page 54: Adding Entries To The Whitelist Manually

    2.6.3 Configuring Blacklist and Whitelist Using the Configuration File You can configure blacklist and whitelist entries in a batch by loading the configuration file.
  • Page 55 A blacklist supports up to 4096 entries, and a whitelist supports up to 1024 entries. ----End Follow-up Procedure Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file so that they can be loaded next time.
  • Page 56: Checking The Configuration

    Configuring zones and adding interfaces to the zones Configuring the interzone and enabling the firewall function in the interzone Data Preparation To configure ASPF, you need the following data.
  • Page 57: Configuring Aspf Detection

    Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the ASPF information of the interzone. <Quidway> display firewall interzone interzone zone2 zone1 firewall enable
  • Page 58: Configuring Port Mapping

    Configuring the interzone and enabling the firewall function in the interzone Creating the basic ACL and configuring ACL rules Data Preparation To configure port mapping, you need the following data. Data Type of application-layer protocol
  • Page 59: Configuring Port Mapping

    Run the display port-mapping [ dns | ftp | http | rtsp | sip | port port-number ] command to view information about port mapping. <Quidway> display port-mapping dns | Service Port Type | system defined | Total number is : 1
  • Page 60: Configuring The Aging Time Of The Firewall Session Table

    The aging time of the firewall session table is set. By default, the aging time of each protocol is as follows: DNS: 120 seconds; FTP: 120 seconds; FTP-data: 120 seconds
  • Page 61: Checking The Configuration

    2.10 Configuring the Transparent Firewall A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the VLAN bridge instance configuration rather than according to routes.
  • Page 62: Establishing The Configuration Task

    To permit these packets, configure an ACL. To permit Layer 2 protocol packets, configure a Layer 2 ACL. For example, permit the packets with the following characteristics:
  • Page 63 By default, no VLAN bridge instance is created. Step 3 (Optional) Run: description description The description of the VLAN bridge instance is set. The default description is "inter-vlan-bridge instance-id." Step 4 Run: quit
  • Page 64: Checking The Configuration

    2.11 Configuring the Attack Defense Function The SPU attack defense function prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.
  • Page 65: Establishing The Configuration Task

    Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks. Procedure Step 1 Run: system-view
  • Page 66 After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures. Step 11 Run: firewall defend ping-of-death enable
  • Page 67: Setting The Parameters For Flood Attack Defense

    The WinNuke attack defense is enabled. By default, no attack defense function is enabled. ----End 2.11.3 Setting the Parameters for Flood Attack Defense
  • Page 68: Configuring Large Icmp Packet Attack Defense

    For Flood attack defense, you can specify up to 4096 IP addresses to protect. ----End 2.11.4 Configuring Large ICMP Packet Attack Defense Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run:
  • Page 69: Setting Parameters For Scanning Attack Defense

    4000 pps, and the blacklist timeout is 20 minutes. ----End 2.11.6 Checking the Configuration After the attack defense is configured, you can view information about attack defense.
  • Page 70: Configuring Traffic Statistics And Monitoring

    Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration. This will help you complete the configuration task quickly and accurately.
  • Page 71: Enabling Traffic Statistics And Monitoring

    You can enable traffic statistics and monitoring at the system level, zone level, or IP address level as needed. Procedure Enabling system-level traffic statistics and monitoring Run: system-view
  • Page 72: Setting The Session Thresholds

    Procedure Setting the session thresholds for system-level traffic statistics and monitoring Run: system-view The system view is displayed. Run: firewall statistics system enable
  • Page 73 Setting the session thresholds for IP address-level traffic statistics and monitoring Run: system-view The system view is displayed. Run: firewall zone zone-name The zone view is displayed.
  • Page 74: Checking The Configuration

    Applicable Environment The logs record the behaviors and status of the firewall to help you find security risks, analyze attempts to violate security policies, and detect network attacks.
  • Page 75: Enabling The Log Function On The Firewall

    Before running the firewall log session nat enable command, you must run the firewall log session enable command. By default, the NAT session log is disabled. ----End
  • Page 76: Setting The Log Parameters

    { inbound | outbound } The conditions for recording session logs are configured. By default, no condition is configured in an interzone for recording session logs. ----End
  • Page 77: Checking The Configuration

    Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries. Run the display firewall statistics system command to view the system-level traffic statistics.
  • Page 78: Clearing The Firewall Statistics

    Step 3 Run: clear firewall statistics zone zone-name The communication packet statistics in the zone are cleared. ----End 2.15 Configuration Examples This section provides several configuration examples of the firewall.
  • Page 79: Example For Configuring The Acl-Based Packet Filtering Firewall

    Configure zones and the interzone. Add interfaces to the zones. Configure an ACL. Configure ACL-based packet filtering in the interzone. Procedure Step 1 Import flows from the S9700 to the SPU.
  • Page 80 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
  • Page 81 10 dot1q-termination dot1q termination vid 10 ip address 129.38.1.1 255.255.255.0 zone trust interface Eth-trunk0.2 control-vid 20 dot1q-termination dot1q termination vid 20 ip address 202.39.2.1 255.255.0.0 zone untrust
  • Page 82: Example For Configuring Aspf And Port Mapping

    The packets from the external host are sent to the FTP server through port 2121, which is used as the port for the FTP protocol. The SPU is installed in slot 5 of the S9700.
  • Page 83 [Quidway-Eth-Trunk0] port link-type trunk [Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20 [Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0 [Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1 [Quidway-Eth-Trunk0] quit Configure the SPU. [Quidway] sysname SPU [SPU] interface Eth-trunk0
  • Page 84 Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows: [SPU] display firewall interzone trust untrust interzone trust untrust
  • Page 85 10 dot1q-termination dot1q termination vid 10 ip address 129.38.1.1 255.255.255.0 zone trust interface Eth-trunk0.2 control-vid 20 dot1q-termination dot1q termination vid 20 ip address 202.39.2.1 255.255.0.0 zone untrust return
  • Page 86: Example For Configuring The Blacklist

    The SPU is installed in slot 5 of the S9700. The flows on the S9700 need to be imported to the SPU through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
  • Page 87 [Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102 [Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0 [Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1 [Quidway-Eth-Trunk1] quit Configure the SPU as follows: <SPU> system-view [SPU] interface Eth-Trunk 1
  • Page 88 Run the display firewall blacklist all command on the SPU, and the result is as follows:
  • Page 89 101 ip address 201.0.0.1 255.255.255.0 arp broadcast enable zone trust interface Eth-Trunk1.2 control-vid 102 dot1q-termination dot1q termination vid 102 ip address 202.0.0.1 255.255.255.0 arp broadcast enable
  • Page 90: Example For Configuring The Transparent Firewall

    [Figure 2-5 Networking of transparent firewall configuration: labels VLAN 101, VLAN 102, XGE5/0/0, XGE5/0/1, Eth-Trunk1.1, Eth-Trunk1.2, GE2/0/1, GE2/0/2, trust zone, untrust zone, MAC address 000f-1f7e-fec5, Switch A, Switch B]
  • Page 91 Step 2 Configure zones and the interzone on the SPU. [SPU] firewall zone trust [SPU-zone-trust] priority 100 [SPU-zone-trust] quit [SPU] firewall zone untrust [SPU-zone-untrust] priority 1 [SPU-zone-untrust] quit [SPU] firewall interzone trust untrust
  • Page 92 [SPU] display firewall interzone trust untrust interzone trust untrust firewall enable packet-filter default deny inbound packet-filter default permit outbound packet-filter 3000 inbound packet-filter 4100 inbound ----End
  • Page 93 101 to 102 interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 101 interface GigabitEthernet2/0/2 port link-type trunk port trunk allow-pass vlan 102 interface XGigabitEthernet5/0/0
  • Page 94 eth-trunk 1 interface XGigabitEthernet5/0/1 eth-trunk 1 return
  • Page 95: NAT Configuration

    To implement communication between the private network and the public network through NAT, use Easy IP for a single user and an address pool for multiple users. 3.4 Configuration Examples This section provides several configuration examples of NAT.
  • Page 96: NAT Overview

    The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network in Web mode.
  • Page 97: NAT Features Supported By The SPU

    PAT-enabled device translates the destination IP addresses to private addresses according to the port numbers. Figure 3-2 shows how PAT translates IP addresses and port numbers.
  • Page 98 A NAT device filters the traffic from external network to internal network. After a host on the internal network sends an access request to a host on the external network, the host on the external
  • Page 99 IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the interface connecting to the WAN. Configure the mapping from overlapping addresses to temporary addresses: 10.0.0.0 to 3.0.0.0.
  • Page 100: Configuring NAT

    NAT, use Easy IP for a single user and an address pool for multiple users. 3.3.1 Establishing the Configuration Task Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
  • Page 101: Configuring An Address Pool

    SPU selects an IP address from the address pool as the source address. The public address pool IDs are numerals. Up to 102416 address pools can be configured.
  • Page 102: Associating An ACL With An Address Pool

    Step 2 Run: interface interface-type interface-number The interface view is displayed. Step 3 Run: nat outbound acl-number [ address-group group-index [ no-pat ] ] Easy IP is configured. ----End
  • Page 103: Configuring An Internal Server

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface interface-type interface-number The interface view is displayed. Step 3 Run:
  • Page 104: Enabling NAT ALG

    The NAT device filters the traffic sent to the internal host. Context NAT filtering has the following modes: endpoint-independent filtering, address-dependent filtering, and address and port-dependent filtering.
  • Page 105: Configuring NAT Mapping

    The NAT mapping mode is set. NAT mapping applies to the traffic from an internal network to an external network. The default mode is address and port-dependent mapping. ----End
  • Page 106: Configuring DNS Mapping

    NAT to implement twice NAT. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]
  • Page 107: Checking The Configuration

    3-4, the intranet of company A connects to the WAN through the SPU with NAT enabled. Company A provides the web server for users on the public network to access.
  • Page 108 [S9700-Eth-Trunk1] port trunk allow-pass vlan 101 to 103 [S9700-Eth-Trunk1] quit [S9700] interface GigabitEthernet2/0/1 [S9700-GigabitEthernet2/0/1] port link-type trunk [S9700-GigabitEthernet2/0/1] port trunk allow-pass vlan 101 [S9700-GigabitEthernet2/0/1] quit [S9700] interface GigabitEthernet2/0/2 [S9700-GigabitEthernet2/0/2] port link-type trunk
  • Page 109 ] | interface interface-type interface-number.subnumber ] command on the SPU. The following information is displayed: [SPU] display nat server Nat Server Information: Interface : Eth-Trunk1.2 Global IP/Port : 202.169.10.5/80(www)
  • Page 110 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2 Return Configuration file of the S9700 sysname S9700 vlan batch 101 to 103 interface Eth-Trunk1 port link-type trunk port trunk allow-pass vlan 101 to 103
  • Page 111: Example For Configuring Static NAT

    10.0.0.0 and the mask is 255.255.255.252). The public addresses are in the range of 202.169.10.32 to 202.169.10.35 (the network segment is 202.169.10.32 and the mask is 255.255.255.252). The SPU is installed in slot 5 of the S9700.
  • Page 112 [S9700] interface XGigabitEthernet5/0/1 [S9700-XgigabitEthernet5/0/1] eth-trunk 1 [S9700-XgigabitEthernet5/0/1] quit On the SPU, configure IP addresses for interfaces and add interfaces to VLANs. <SPU> system-view [SPU] interface Eth-Trunk 1
  • Page 113 VPN instance-name : ---- Netmask : 255.255.255.254 Global IP/Port : 202.169.10.32/21(ftp) Inside IP/Port : 10.0.0.2/21(ftp) Protocol : 6(tcp) VPN instance-name : vpn_b Netmask : 255.255.255.252 Total : ----End
  • Page 114 101 interface GigabitEthernet2/0/2 port link-type trunk port trunk allow-pass vlan 102 interface GigabitEthernet2/0/3 port link-type trunk port trunk allow-pass vlan 103 interface XGigabitEthernet5/0/0 eth-trunk 1
  • Page 115: Example For Configuring Outbound NAT

    (figure labels: VLAN 103, VPN, Company B, PC 1...PC n, 10.0.0.2/24) Configuration Roadmap The configuration roadmap is as follows: Import flows from the S9700 to the SPU. Configure outbound NAT.
  • Page 116 [SPU-XGigabitEthernet0/0/2] eth-trunk 1 [SPU-XGigabitEthernet0/0/2] quit Step 2 Configure outbound NAT on the SPU. [SPU] nat address-group 1 202.169.10.100 202.169.10.200 [SPU] nat address-group 2 202.169.10.80 202.169.10.83 [SPU] acl 2000
  • Page 117 2000 address-group 1 no-pat nat outbound 2001 address-group 2 interface Eth-Trunk1.3 control-vid 103 dot1q-termination dot1q termination vid 103 ip binding vpn-instance vpn_b ip address 10.0.0.1 255.255.255.0 arp broadcast enable
  • Page 118: Example For Configuring Twice NAT

    NAT. The overlapping IP address is translated to a unique temporary address so that packets can be forwarded correctly. The SPU is installed in slot 5 of the S9700.
  • Page 119 [S9700-GigabitEthernet2/0/3] port link-type trunk [S9700-GigabitEthernet2/0/3] port trunk allow-pass vlan 103 [S9700-GigabitEthernet2/0/3] quit [S9700] interface XGigabitEthernet5/0/0 [S9700-XgigabitEthernet5/0/0] eth-trunk 1 [S9700-XgigabitEthernet5/0/0] quit [S9700] interface XGigabitEthernet5/0/1 [S9700-XgigabitEthernet5/0/1] eth-trunk 1 [S9700-XgigabitEthernet5/0/1] quit
  • Page 120 [SPU] nat address-group 1 160.160.0.2 160.160.0.254 On the outbound sub-interface Eth-Trunk1.2, configure outbound NAT for host A. [SPU] interface Eth-Trunk 1.2 [SPU-Eth-Trunk1.2] nat outbound 3180 address-group 1 [SPU-Eth-Trunk1.2] quit
  • Page 121 192.168.20.2 80 tcp nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2
  • Page 122 102 interface GigabitEthernet2/0/3 port link-type trunk port trunk allow-pass vlan 103 interface XGigabitEthernet5/0/0 eth-trunk 1 interface XGigabitEthernet5/0/1 eth-trunk 1 return
  • Page 123: IPSec Configuration

    4.5 Maintaining IPSec This section describes how to display the IPSec configuration and clear the IPSec statistics. 4.6 Configuration Examples This section provides several configuration examples of IPSec.
  • Page 124: IPSec Overview

    (figure: packet formats of the AH, ESP, and AH-ESP protocols, showing the IP header, AH header, ESP header, TCP header, data, ESP tail, and ESP auth data fields)
  • Page 125: IPSec Features Supported By The SPU

    Associating a VPN instance with an SA. Configuring the switch as a PE and associating the VPN instance with the PE interface connected to the CE
  • Page 126: Establishing An IPSec Tunnel Manually

    (Optional) VPN instance name Type and number of the interface to which the IPSec policy is applied NOTE Use the AH or ESP protocol based on requirements on your network.
  • Page 127: Defining Protected Data Flows

    By default, the ESP protocol defined in RFC 2406 is used. Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 } The authentication algorithm used by AH is specified.
  • Page 128: Configuring An IPSec Policy

    Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: ipsec policy policy-name seq-number manual An IPSec policy is created.
  • Page 129 Step 9 (Optional) Run: sa string-key { inbound | outbound } { ah | esp } string-key The authentication key (a character string) of the security protocol is configured.
  • Page 130: Applying An IPSec Policy To An Interface

    An IPSec policy is applied to the interface. ----End 4.3.6 Checking the Configuration After an IPSec tunnel is manually established, you can check information about the SA, IPSec proposal, and IPSec policy.
  • Page 131: Establishing An IPSec Tunnel Through IKE Negotiation

    Parameters of an advanced ACL Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime
  • Page 132: Defining Protected Data Flows

    4.4.3 Configuring an IKE Proposal You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.
  • Page 133 You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of manually created SAs is not limited. That is, the manually created SAs are always effective. ----End
  • Page 134: Configuring An IKE Peer

    When NAT traversal is enabled, local-id-type must be set to name. Step 9 (Optional) Run: pre-shared-key key-string The pre-shared key used by the local end and remote peer is configured.
  • Page 135: Configuring An IPSec Proposal

    Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode. Procedure Step 1 Run: system-view The system view is displayed.
  • Page 136: Configuring An IPSec Policy

    The system view is displayed. Step 2 Run: ipsec policy policy-name seq-number isakmp [ template template-name ] An IPSec policy is created. Step 3 Run: proposal proposal-name
  • Page 137: (Optional) Configuring An IPSec Policy Template

    4.4.7 (Optional) Configuring an IPSec Policy Template An IPSec policy template can be used to configure multiple IPSec policies, reducing the workload of establishing multiple IPSec tunnels.
  • Page 138: (Optional) Setting Optional Parameters

    Step 1 Run: system-view The system view is displayed. Step 2 Run: ipsec sa global-duration { time-based interval | traffic-based kilobytes } The global SA lifetime is set.
  • Page 139 Run: dpd msg { seq-hash-notify | seq-notify-hash } The sequence of payload in DPD packets is configured. Run: dpd type { on-demand | periodic }
  • Page 140: Applying An IPSec Policy To An Interface

    IKE peer or all IKE peers. Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals.
  • Page 141: Maintaining IPSec

    This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation. Context CAUTION The statistics cannot be restored after being cleared.
  • Page 142: Configuration Examples

    (figure labels: SwitchA, SwitchB, Internet, PC A, PC B, 10.1.1.2/24, 10.1.2.2/24, VLAN 10, VLAN 20, VLAN 30, GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1, XGE0/0/1.2, 202.38.168.2/24, 202.38.165.2/24)
  • Page 143 [Quidway] sysname SwitchB [SwitchB] vlan 30 [SwitchB-vlan30] quit [SwitchB] interface gigabitethernet 1/0/11 [SwitchB-GigabitEthernet1/0/11] port link-type access [SwitchB-GigabitEthernet1/0/11] port default vlan 30 [SwitchB-GigabitEthernet1/0/11] quit [SwitchB] vlan 20 [SwitchB-vlan20] quit
  • Page 144 [SPU] ipsec proposal tran1 [SPU-ipsec-proposal-tran1] encapsulation-mode tunnel [SPU-ipsec-proposal-tran1] transform esp [SPU-ipsec-proposal-tran1] esp encryption-algorithm des [SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1 [SPU-ipsec-proposal-tran1] quit # Configure an IPSec proposal on SwitchB.
  • Page 145 Proposal name:tran1 Inbound AH setting: AH SPI: AH string-key: AH authentication hex key: Inbound ESP setting: ESP SPI: 54321 (0xd431) ESP string-key: gfedcba ESP encryption hex key:
  • Page 146 ----End Configuration Files Configuration of the SPU on SwitchA sysname SPU acl number 3101 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
  • Page 147 10 manual security acl 3101 proposal tran1 tunnel local 202.38.162.1 tunnel remote 202.38.163.1 sa spi inbound esp 12345 sa string-key inbound esp abcdefg
  • Page 148: Example For Establishing An SA Through IKE Negotiation

    (10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication algorithm. The SPUs of SwitchA and SwitchB are installed in slot 5 of their subracks.
  • Page 149 [SwitchA] interface gigabitethernet 1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20 [SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1 [SwitchA-GigabitEthernet1/0/12] quit [SwitchA] interface XGigabitEthernet5/0/0 [SwitchA-XGigabitEthernet5/0/0] port link-type trunk
  • Page 150 [SPU] ike proposal 1 [SPU-ike-proposal-1] encryption-algorithm aes-cbc-128 [SPU-ike-proposal-1] authentication-algorithm md5 [SPU-ike-proposal-1] quit # Configure the IKE proposal on SPU of SwitchB. [SPU] ike proposal 1 [SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
  • Page 151 [SPU] acl number 3101 [SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [SPU-acl-adv-3101] quit # Configure an ACL on the SPU of SwitchB. [SPU] acl number 3101
  • Page 152 Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.
  • Page 153 PC B is encrypted. Run the display ike sa command on an SPU, and the following information is displayed: [SPU] display ike sa Conn-ID Peer Flag(s) Phase ----------------------------------------------------------- 202.38.162.1 RD|ST
  • Page 154 202.38.163.2 255.255.255.0 arp broadcast enable return Configuration file of SwitchA sysname SwitchA vlan batch 10 20 interface GigabitEthernet1/0/11 port link-type access port default vlan 10
  • Page 155 30 dot1q-termination dot1q termination vid 30 ip address 202.38.162.2 255.255.255.0 arp broadcast enable return Configuration file of SwitchB sysname SwitchB vlan batch 20 30 interface GigabitEthernet1/0/11
  • Page 156 1 port trunk allow-pass vlan 20 interface XGigabitEthernet5/0/0 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 30 return
  • Page 157: NetStream Configuration

    This section describes how to configure the Flexible NetStream feature to flexibly create NetStream statistics according to records. 5.8 Example for Configuring NetStream This section provides several configuration examples of NetStream.
  • Page 158: Overview Of NetStream

    As shown in Figure 5-1. Figure 5-1 Diagram of NetStream data collection and analysis (figure labels: SwitchA, SwitchB) NOTE The NetStream function is implemented by the SPU of the switch.
  • Page 159: NetStream Features Supported By The SPU

    The SPU supports the aggregation based on as, as-tos, protocol-port, protocol-port-tos, mpls-label, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos. Aging Types The SPU supports the following aging types: Aging depending on the inactive aging time:
  • Page 160: Collecting IPv4 Traffic Statistics

    Name and number of the interface on which traffic statistics need to be collected Version of the exported packets IP address and port number of the NSC
  • Page 161: Enabling NetStream On An Interface

    By default, the version of exported packets is v5, the AS option is none, and the statistics do not contain the information about the BGP next hop. NOTE At present, only the packets of v9 contain the information about the BGP next hop. ----End
  • Page 162: Setting The Destination Address Of The Statistics

    The TCP traffic will be aged by its FIN or RST flag in the TCP packet header. By default, the TCP traffic is not aged by the FIN or RST flag.
  • Page 163: (Optional) Configuring The Inactive Aging Time For The Original Traffic

    The active aging time is set for the original traffic. By default, the active aging time of the original traffic is 30 minutes. ----End 5.3.8 Checking the Configuration Prerequisites The NetStream configuration is complete.
  • Page 164: Collecting IPv6 Traffic Statistics

    IP address and port number of the NSC 5.4.2 Enabling NetStream on an Interface Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface xgigabitethernet interface-number
  • Page 165: Setting The Destination Address Of The Statistics

    If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to 2 destination addresses to implement the backup between 2 NSCs. ----End
  • Page 166: (Optional) Aging The TCP Traffic By Its FIN Or RST Flag

    The inactive aging time is set for the original traffic. By default, the inactive aging time of the original traffic is 30s. ----End
  • Page 167: (Optional) Configuring The Active Aging Time For The Original Traffic

    5.5 Collecting MPLS Traffic Statistics This section describes how to collect statistics about MPLS traffic passing through an interface.
  • Page 168: Establishing The Configuration Task

    | fix-time time-interval | random-time time-interval } inbound The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1. Step 4 Run:
  • Page 169: (Optional) Configuring The Version Of Exported Packets

    Step 3 Run: ip netstream export host ip-address port-number The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured.
  • Page 170: (Optional) Configuring The Inactive Aging Time For The Original Traffic

    The active aging time is set for the original traffic. By default, the active aging time of the original traffic is 30 minutes. ----End 5.5.7 Checking the Configuration Prerequisites The NetStream configuration is complete.
  • Page 171: Configuring The Aggregation Statistics About Traffic

    IP address and port number of the NSC 5.6.2 Enabling NetStream on an Interface Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface xgigabitethernet interface-number
  • Page 172: Configuring The Aggregation Function

    To collect statistics about the MPLS aggregation traffic passing an interface, enable the mpls-label mode. ----End 5.6.4 (Optional) Configuring the Version of Exported Packets Procedure Step 1 Run: system-view The system view is displayed.
  • Page 173: (Optional) Configuring The Export Of Statistics

    Original traffic can only be sent to the destination NSC address configured in the system view. Aggregation traffic is sent to the destination NSC address configured in the NetStream aggregation view.
  • Page 174: (Optional) Configuring The Inactive Aging Time For The Aggregation Traffic

    ----End 5.6.8 Checking the Configuration Prerequisites The NetStream configuration is complete. Procedure Step 1 Run the display ip netstream all command to view the NetStream configuration. ----End
  • Page 175: Configuring The Flexible NetStream Feature

    Step 1 Run: system-view The system view is displayed. Step 2 Run: ip netstream record record-name A record is created and the record view is displayed. ----End
  • Page 176: Configuring Aggregation Key Words Of Records

    { input | output } The traffic statistics sent to the NSC contain the indexes of the inbound interface and outbound interface of the flows. ----End
  • Page 177: Enabling Flexible NetStream On Interfaces

    The NetStream function is enabled for the IPv4 traffic on the XGE interface. Step 5 Run: ipv6 netstream inbound The NetStream function is enabled for the IPv6 traffic on the XGE interface. ----End
  • Page 178: Checking The Configuration

    (figure labels: XGE4/0/0, XGE0/0/1, XGE4/0/1, VLAN101, VLANIF101, XGE0/0/2.2, 22.22.22.2/24, 22.22.22.1/24) Configuration Roadmap The configuration roadmap is as follows: Set IP addresses for interfaces on Switch A and Switch B.
  • Page 179 [SPU] ip netstream timeout inactive 100 # Set the aging of the original traffic according to the FIN flag in the TCP packet header. [SPU] ip netstream tcp-flag enable
  • Page 180 1 inbound interface GigabitEthernet2/0/0 port hybrid pvid vlan 200 port hybrid untagged vlan 200 interface XGigabitEthernet4/0/1 port hybrid pvid vlan 101 port hybrid tagged vlan 101
  • Page 181: Example For Configuring NetStream Of IPv4 Aggregation Traffic

    5-3, the NetStream function is configured on Switch B to collect statistics on the traffic from the user network to different ISPs. The traffic statistics serve as the basis for accounting.
  • Page 182 Configure the NetStream function on the SPU of SwitchB. Data Preparation To complete the configuration, you need the following data: IP addresses of interfaces OSPF process ID
  • Page 183 Step 4 # Set up dynamic BGP peer relationships between Switch B and Switch D. # Configure Switch B [SwitchB] bgp 65001 [SwitchB-bgp] router-id 2.2.2.2 [SwitchB-bgp] peer 10.3.1.2 as-number 65003 [SwitchB-bgp] quit # Configure Switch D <Quidway> system-view [Quidway] sysname SwitchD
  • Page 184 Configuration file of Switch A. sysname SwitchA vlan batch 30 interface Vlanif30 ip address 10.1.1.1 255.255.255.0 interface GigabitEthernet1/0/0 port hybrid pvid vlan 30 port hybrid untagged vlan 30
  • Page 185 1 peer 10.2.1.2 enable peer 10.3.1.2 enable ospf 1 router-id 2.2.2.2 area 0.0.0.0 network 10.1.1.0 0.0.0.255 network 10.2.1.0 0.0.0.255 network 10.3.1.0 0.0.0.255
  • Page 186 10.3.1.2 255.255.255.0 interface GigabitEthernet2/0/0 port hybrid pvid vlan 20 port hybrid untagged vlan 20 bgp 65003 router-id 4.4.4.4 peer 10.3.1.1 as-number 65001 ipv4-family unicast undo synchronization
  • Page 187: Example For Configuring Flexible Netstream Traffic Statistics

    Version of the exported packets Address and port number of the NSC and source address contained in the packets Traffic statistics to be sent to the NSC
  • Page 188 # Set the destination address and destination port number for exporting packets. [SPU] ip netstream export host 10.2.1.2 6000 # Configure the source address for exporting packets. [SPU] ip netstream export source 10.2.1.1 Step 6 Verify the configuration.
  • Page 189 100 interface Vlanif 100 ip address 10.1.1.1 255.255.255.0 interface GigabitEthernet1/0/0 port hybrid pvid vlan 100 port hybrid untagged vlan 100 return Configuration file of Switch B
  • Page 190
  • Page 191: Load Balancing Configuration

    6.6 Configuration Examples This section provides several load balancing configuration examples. A configuration example includes the networking requirements, configuration roadmap, operation procedure, and configuration files.
  • Page 192: Load Balancing Overview

    – Server load balancing: is performed among different servers. – Firewall load balancing: is performed among different firewalls. Technology Domain Name Server (DNS)-based and virtual IP address (VIP)-based load balancing
  • Page 193: Basic Concepts

    If the server performance in the server group or the link bandwidth in the link group differs greatly, consider the WRR algorithm. – Least connection algorithm The SPU uses the weighted least connection algorithm to perform load balancing.
  • Page 194 The SPU can detect whether servers or links run normally. Session stickiness Connection requests of a user in a period are sent to the same server for processing. Firewall load balancing
  • Page 195: Load Balancing Features Supported By The Spu

    Figure 6-1 Typical networking of egress link load balancing (figure: enterprise network, Switch, RouterA/RouterB/RouterC, ISP1/ISP2/ISP3, server on the external network)
  • Page 196: Server Load Balancing

    IP address, the SPU allocates the requests to real servers according to the load balancing algorithm. In DNAT mode, when allocating service requests, the SPU translates the
  • Page 197 This reduces the burden on the load balancing device and prevents the load balancing device from becoming the bottleneck. Figure 6-3 shows the typical networking.
  • Page 198 In server load balancing, the SPU supports DNAT and DMAC modes. Session stickiness Session stickiness indicates that multiple connections of an application layer session are directed to the same server.
  • Page 199: Firewall Load Balancing

    Compared with server load balancing, firewall load balancing is applied to bidirectional traffic, ensuring that bidirectional traffic of one session passes through the same firewall. Figure 6-4 shows the typical networking of firewall load balancing.
  • Page 200 Each standard firewall, which is similar to a server, has an IP address. The standard firewall can be detected by other devices on networks, as shown in Figure 6-5.
  • Page 201 Figure 6-7 Networking for combining firewall load balancing and server load balancing (figure: HostA, Network, FirewallA/FirewallB, SwitchA, SwitchB, ServerA/ServerB/ServerC)
  • Page 202: Configuring Egress Link Load Balancing

    NAT address pool index of the member instance
  • Page 203: (Optional) Configuring An NAT Address Pool

    After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address that is to be assigned to the outbound interface is the same as an IP address
  • Page 204: (Optional) Configuring Link Health Detection

    The IP address of a sub-interface is obtained and used as the source IP address of probing packets of a probe. The interface type can be XGE sub-interface, loopback interface, or Eth-Trunk sub-interface.
  • Page 205 This interval must be greater than the timeout interval of a probe. By default, the interval for a probe to detect that a link member is Down is 60s.
  • Page 206: Configuring A Link

    By default, the connection rate of a link is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%. Step 6 (Optional) Run:
  • Page 207: Configuring A Link Group

    If the probe mode is set to fail-on-all, the S9700 considers a link to be invalid only when all the probes detect that the link is in Down state. Step 5 Run: forward-mode redirect
  • Page 208 If the priority of the link instance is not set, the SPU uses the priority of the link. If the priority of the link is not set, the SPU adopts the default value.
  • Page 209: Configuring A Layer 7 Classifier

    On the SPU, Layer 7 classification indicates that packets are classified based on URLs of Layer 7 services. In egress link load balancing, the matching rule of a Layer 7 classifier must be set to any. Procedure Step 1 Run: system-view
  • Page 210: Configuring A Load Balancing Action

    Step 3 Run the following command as required. – Run: drop The action is set to drop. – Run: forward The action is set to forward. – Run: group master-group-name [ backup backup-group-name ]
  • Page 211: Configuring An ACL

    – undo rule rule-id – When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:
  • Page 212: (Optional) Configuring A Connection Parameter Profile

    By default, the aging time of the TCP traffic forwarding table is 3600s. Step 4 Run: udp aging-time aging-time The aging time of the UDP traffic forwarding table is set.
  • Page 213: Configuring A Layer 3 Classifier

    SPU responds to any ping request of users. In this case, the ACL is invalid. Therefore, you need to configure the ACL in a Layer 3 classifier with caution. By default, the SPU does not respond to ping requests of users.
  • Page 214: Configuring A Load Balancing Policy

    A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.
  • Page 215: Applying The Load Balancing Policy

    Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface. ----End 6.3.13 Checking the Configuration After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
  • Page 216: Configuring Server Load Balancing

    Pre-configuration Tasks Before configuring server load balancing, complete the following tasks:
  • Page 217: (Optional) Configuring An NAT Address Pool

    To ensure that response packets still pass through the SPU when user requests pass through links of different ISPs, you need to configure an NAT address pool for translating source addresses through NAT.
  • Page 218: (Optional) Configuring Server Health Detection

    – Otherwise, the server member remains in Down state. If the server member is in Up state, the probe sends probing packets at intervals specified by interval interval.
  • Page 219
  • Page 220 The probing interval of a probe must be greater than the timeout interval of a probe. By default, the probing interval of a probe is 15s. Step 6 (Optional) Run: time-out time-out
  • Page 221 By default, the sent data or the expected response data of a TCP probe or a UDP probe is not set. – For an HTTP probe, do as follows: – Run: request method { get | head } url url
  • Page 222: Configuring A Server

    The system view is displayed. Step 2 Run: load-balance member member-name A server is created and the load balancing member view is displayed. Up to 1024 servers can be created.
  • Page 223 A greater value indicates a higher priority, so the server is more likely to be selected. By default, the priority of a server is 8. Step 8 (Optional) Run: weight weight-value The weight of the server is set.
  • Page 224: Configuring A Server Group

    Step 6 Run: switch-threshold percent1 restore-threshold percent2 The threshold for switching services from the master server to the backup server is set.
  • Page 225 S9700 needs to consider the bandwidth limit of the server instance and server. That is, the total bandwidth of server instance A and link server B cannot exceed the bandwidth of the server.
  • Page 226 A server instance can contain up to three backup members. Before configuring a backup member, ensure that the backup member is added to the server group. Step 15 (Optional) Run: nat outbound address-group group-index [ no-pat ]
  • Page 227: (Optional) Configuring Session Stickiness

    After dynamic sticky entries age, stickiness becomes invalid. The SPU supports session stickiness at the network layer and the application layer. Procedure Step 1 Run: system-view The system view is displayed.
  • Page 228 IP addresses is configured. When the packets with the source IP address specified by src-ip-address and the destination IP
  • Page 229: Configuring A Layer 7 Classifier

    Step 3 Run the following command as required: – Run: match any The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched. – Run:
  • Page 230: Configuring A Load Balancing Action

    Step 3 Run the following command as required. – Run: drop The action is set to drop. – Run: forward The action is set to forward. – Run: group master-group-name [ backup backup-group-name ]
  • Page 231: Configuring An ACL

    | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ]
  • Page 232: (Optional) Configuring A Connection Parameter Profile

    The aging time of the UDP traffic forwarding table is set. By default, the aging time of the UDP traffic forwarding table is 120s. ----End
  • Page 233: (Optional) Configuring An HTTP Parameter Profile

    This section describes how to create a Layer 3 classifier and configure a matching rule. Context To classify packets according to the quintuple, you need to create and configure a Layer 3 classifier.
  • Page 234 By default, the SPU does not respond to ping requests of users. Step 6 (Optional) Run: parameter connection profile-name A connection parameter profile is bound to the Layer 3 classifier.
  • Page 235: Configuring A Load Balancing Policy

    A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.
  • Page 236: Applying The Load Balancing Policy

    Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface. ----End 6.4.15 Checking the Configuration After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
  • Page 237: Configuring Firewall Load Balancing

    Firewall load balancing takes firewalls as servers. Pre-configuration Tasks Before configuring firewall load balancing, complete the following tasks:
  • Page 238 Layer 3 classifier bound to the load balancing policy Object where the load balancing policy is applied Level-2 load balancing device Data (Optional) NAT address pool index and address network segment
  • Page 239: Configuration Instructions

    Configuring Server Load Balancing. Level-1 load balancing device (table, columns Step and Reference): Step: (Optional) Configure firewall health detection. Reference: 6.4.3 (Optional) Configuring Server Health Detection (only the ICMP probe is supported)
  • Page 240 (continued, columns Step and Reference): Step: Configure a Layer 7 classifier. Reference: 6.4.7 Configuring a Layer 7 Classifier. Step: Configure a load balancing action. Reference: 6.4.8 Configuring a Load Balancing Action. Step: Configure an ACL. Reference: 6.4.9 Configuring an ACL
  • Page 241: Configuration Examples

    The source IP address of the enterprise user is located on 192.168.1.1/24 and the destination IP address of the external network that the enterprise user needs to visit is located on 60.60.60.1/24.
  • Page 242 Name, type, and related parameters of the probe Link group name and load balancing algorithm Name and matching rule of the Layer 7 classifier
  • Page 243 [SPU-XGigabitEthernet0/0/1.13] quit [SPU] interface xgigabitethernet 0/0/1.14 [SPU-XGigabitEthernet0/0/1.14] control-vid 14 dot1q-termination [SPU-XGigabitEthernet0/0/1.14] dot1q termination vid 14 [SPU-XGigabitEthernet0/0/1.14] ip address 30.30.30.2 255.255.255.0 [SPU-XGigabitEthernet0/0/1.14] arp broadcast enable
  • Page 244 [SPU-lb-group-linkgroup1] probe probe1 [SPU-lb-group-linkgroup1] member isp1 [SPU-lb-group-linkgroup1-member-isp1] nat outbound address-group 2 [SPU-lb-group-linkgroup1-member-isp1] inservice [SPU-lb-group-linkgroup1-member-isp1] quit [SPU-lb-group-linkgroup1] member isp2 [SPU-lb-group-linkgroup1-member-isp2] nat outbound address-group 3 [SPU-lb-group-linkgroup1-member-isp2] inservice [SPU-lb-group-linkgroup1-member-isp2] quit [SPU-lb-group-linkgroup1] quit
  • Page 245 Max connection rate : 1500 Inbound max bandwidth rate : 100(kbps) Inbound threshold : 80% Outbound max bandwidth rate : 100(kbps) Outbound threshold : 80% Weight : 30 Priority
  • Page 246 NAT ID : Yes Member instance ID Status : up Inbound bytes Outbound bytes Inbound packets Outbound packets Cur-connection Closed-connections Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)
  • Page 247 : lbp1 Description Bound interface : XGigabitEthernet0/0/1.12 Numbers of L3 classifier : 1 L3 classifier name : l3cls1 Action type : load-balance Current group name : linkgroup1
  • Page 248 100 threshold 80 load-balance member isp2 ip address 30.30.30.1 weight 90 conn-limit max 20000 rate-limit connection 3000 rate-limit bandwidth inbound 300 threshold 80 rate-limit bandwidth outbound 300 threshold 80
  • Page 249: Example For Configuring Layer 3 Server Load Balancing In Dmac Mode

    Switch B is connected to GE 3/0/0 and GE 3/0/1 of Switch A and the SPU is installed in slot 5 of Switch A. The destination IP address of the external network that the user wants to access is 60.60.60.1/24.
  • Page 250 Server names, connection quantity limits, connection rate limits, and bandwidth rate limits Name and related parameters of the probe Server group name, load balancing algorithm, and forwarding mode Name and matching rule of the Layer 7 classifier
  • Page 251 Server A, Server B, Server C, and Server D. [SPU] load-balance member servera [SPU-lb-member-servera] ip address 20.20.20.1 [SPU-lb-member-servera] weight 80 [SPU-lb-member-servera] conn-limit max 8000
  • Page 252 [SPU] load-balance group servergroup1 [SPU-lb-group-servergroup1] forward-mode dmac [SPU-lb-group-servergroup1] load-balance method roundrobin [SPU-lb-group-servergroup1] probe probe1 [SPU-lb-group-servergroup1] failaction reassign [SPU-lb-group-servergroup1] member servera [SPU-lb-group-servergroup1-member-servera] member port 80 [SPU-lb-group-servergroup1-member-servera] quit [SPU-lb-group-servergroup1] member serverb
  • Page 253 [SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1 [SPU-lb-l3classifier-l3cls1] if-match acl 3000 [SPU-lb-l3classifier-l3cls1] quit Step 9 Configure a load balancing policy. # Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
  • Page 254 : 80% Weight : 40 Priority Cur-connections Closed-connections Inbound cur-bandwidths Outbound cur-bandwidths Group name : servergroup1 [SPU] display load-balance member name serverd Member name : serverd Description
  • Page 255 Inbound max bandwidth rate : 8000(kbps) Inbound max bandwidth threshold : 100% Outbound max bandwidth rate : 8000(kbps) Outbound max bandwidth threshold : 100% Weight : 60 Priority NAT ID
  • Page 256 : act1 # View the configuration of the load balancing policy. [SPU] display load-balance policy name lbp1 Policy name : lbp1 Description Bound interface : Eth-Trunk 0.12
  • Page 257 Eth-Trunk0.13 control-vid 13 dot1q-termination dot1q termination vid 13 ip address 20.20.20.5 255.255.255.0 arp broadcast enable interface XGigabitEthernet0/0/1 eth-trunk 0 interface XGigabitEthernet0/0/2 eth-trunk 0
  • Page 258 Eth-Trunk 0.2 load-balance l3classifier l3cls1 l7classifier l7cls1 action act1 if-match acl 3000 load-balance policy lbp1 l3classifier l3cls1
  • Page 259: Example For Configuring Layer 3 Server Load Balancing In Dnat Mode

    The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
  • Page 260 Configure an advanced ACL. Configure a Layer 3 classifier. 10. Configure a load balancing policy. 11. Apply the load balancing policy to a sub-interface.
  • Page 261 [Quidway] sysname SPU [SPU] nat address-group 2 100.100.100.2 100.100.100.200 [SPU] interface eth-trunk 0 [SPU-Eth-Trunk0] quit [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2
  • Page 262 [SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80 [SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80 [SPU-lb-member-serverc] quit [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000
  • Page 263 Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
  • Page 264 Inbound max bandwidth rate : 800(kbps) Inbound threshold : 80% Outbound max bandwidth rate : 800(kbps) Outbound threshold : 80% Weight : 80 Priority Cur-connections Closed-connections Inbound cur-bandwidths
  • Page 265 Switch threshold : 80% Restore threshold : 80% Fail action : default Probe mode : fail-on-one Probe name : probe1 Action name : act1 Member instance name: servera
  • Page 266 [SPU] display load-balance group name servergroup2 member name serverd Group name : servergroup2 Member name : serverd Inservice type : inservice Port : 8080 Max connection : 4000000
  • Page 267 10.10.10.2 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics
  • Page 268 14 dot1q-termination dot1q termination vid 14 ip address 10.10.20.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group interface Eth-Trunk0.15 control-vid 15 dot1q-termination dot1q termination vid 15
  • Page 269 80 restore-threshold 80 forward-mode dnat member servera member port 80 inservice member serverb member port 4002 inservice probe probe1 load-balance group servergroup2 forward-mode dnat member serverc
  • Page 270: Example For Configuring Layer 7 Server Load Balancing In Dnat Mode

    The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
  • Page 271 Configure a Layer 3 classifier. 10. Configure a load balancing policy. 11. Apply the load balancing policy to a sub-interface. Data Preparation To complete the configuration, you need the following data:
  • Page 272 Add an interface to a VLAN on the SPU. [SPU] interface eth-trunk 0 [SPU-Eth-Trunk0] quit [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2
  • Page 273 [SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80 [SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80 [SPU-lb-member-serverc] quit [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000
  • Page 274 [SPU-lb-group-servergroup1] member servera [SPU-lb-group-servergroup1-member-servera] backup-member serverc [SPU-lb-group-servergroup1-member-servera] inservice [SPU-lb-group-servergroup1-member-servera] quit [SPU-lb-group-servergroup1] member serverb [SPU-lb-group-servergroup1-member-serverb] backup-member serverd [SPU-lb-group-servergroup1-member-serverb] inservice [SPU-lb-group-servergroup1-member-serverb] quit [SPU-lb-group-servergroup1] member serverc [SPU-lb-group-servergroup1-member-serverc] inservice standby [SPU-lb-group-servergroup1-member-serverc] quit
  • Page 275 # View the configurations of servers. [SPU] display load-balance member name servera Member name : servera Description : 10.10.50.2 Max connection : 8000 Max connection rate : 800
  • Page 276 : servergroup1 # View the configuration of the probe. [SPU] display load-balance probe name probe1 Probe name : probe1 Description Probe type : http Source IP : 100.100.100.201
  • Page 277 [SPU] display load-balance group name servergroup1 member name serverb verbose Group name : servergroup1 Member name : serverb Inservice type : inservice Port Max connection : 4000000
  • Page 278 Outbound max bandwidth rate : 1000000(kbps) Outbound max threshold : 100% Weight : 20 Priority NAT ID Member instance ID Status : up Inbound bytes Outbound bytes Inbound packets
  • Page 279 SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to Server C after Server A is faulty.
  • Page 280 16 ip address 10.10.40.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group interface XGigabitEthernet0/0/1 eth-trunk 0 interface XGigabitEthernet0/0/2 eth-trunk 0 load-balance probe probe1 http interval 20
  • Page 281 1 match http url slbha[w|W](.*) load-balance ip interface Eth-Trunk 0.2 load-balance l3classifier l3cls1 l7classifier l7cls1 action act1 nat outbound address-group 2 if-match acl 3000 load-balance policy lbp1 l3classifier l3cls1
  • Page 282: Example For Configuring Session Stickiness

    The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
  • Page 283 Configure a Layer 3 classifier. 10. Configure a load balancing policy. 11. Apply the load balancing policy to a sub-interface. Data Preparation To complete the configuration, you need the following data:
  • Page 284 Add an interface to a VLAN on the SPU. [SPU] interface eth-trunk 0 [SPU-Eth-Trunk0] quit [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2
  • Page 285 [SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80 [SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80 [SPU-lb-member-serverc] quit [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000
  • Page 286 [SPU-lb-group-servergroup1] member servera [SPU-lb-group-servergroup1-member-servera] backup-member serverc [SPU-lb-group-servergroup1-member-servera] inservice [SPU-lb-group-servergroup1-member-servera] quit [SPU-lb-group-servergroup1] member serverb [SPU-lb-group-servergroup1-member-serverb] backup-member serverd [SPU-lb-group-servergroup1-member-serverb] inservice [SPU-lb-group-servergroup1-member-serverb] quit [SPU-lb-group-servergroup1] member serverc [SPU-lb-group-servergroup1-member-serverc] inservice standby [SPU-lb-group-servergroup1-member-serverc] quit
  • Page 287 [SPU] load-balance policy lbp1 [SPU-lb-policy-lbp1] l3classifier l3cls1 [SPU-lb-policy-lbp1] quit Step 11 Apply the load balancing policy. # Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
  • Page 288 Max connection rate : 200 Inbound max bandwidth rate : 200(kbps) Inbound threshold : 80% Outbound max bandwidth rate : 200(kbps) Outbound threshold : 80% Weight : 20
  • Page 289 Inbound max threshold : 100% Outbound max bandwidth rate : 1000000(kbps) Outbound max threshold : 100% Weight : 80 Priority NAT ID Backup member instance name : serverc
  • Page 290 Outbound Cur-bandwidths: 0(bytes/s) [SPU] display load-balance group name servergroup1 member name serverd verbose Group name : servergroup1 Member name : serverd Inservice type : inservice standby Port
  • Page 291 L7 classifier name : l7cls1 L7 action name : act1 # View the configuration of the load balancing policy. [SPU] display load-balance policy name lbp1 Policy name : lbp1
  • Page 292 5 permit ip destination 20.20.20.0 0.0.0.255 nat address-group 2 100.100.100.2 100.100.100.200 interface Eth-Trunk0 interface Eth-Trunk0.2 control-vid 2 dot1q-termination dot1q termination vid 2 ip address 100.100.100.201 255.255.255.0 interface Eth-Trunk0.12
  • Page 293 6000 rate-limit connection 600 rate-limit bandwidth inbound 600 threshold 80 rate-limit bandwidth outbound 600 threshold 80 load-balance member serverc ip address 192.168.20.3 weight 40 conn-limit max 4000
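The member semantics used throughout this example (weight, conn-limit max, backup-member, inservice standby, and the switch to Server C once Server A is faulty) can be modelled in a few dozen lines. The following is an added illustration, not Huawei code: the page does not name the SPU's scheduling algorithm, so smooth weighted round-robin is assumed, the weights 80/20/40/20 come from the page, and the connection limits are partly assumed.

```python
"""Weighted member selection with backup members and connection limits.

Added illustration of the load balancing semantics shown in the session
stickiness example; not Huawei code.  Assumption: the SPU's scheduler is
not named on the page, so smooth weighted round-robin is used here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    weight: int                    # weight <n>
    conn_limit: int                # conn-limit max <n>
    backup: Optional[str] = None   # backup-member <name>
    standby: bool = False          # inservice standby: only used as a backup
    up: bool = True                # health-check (probe) result
    conns: int = 0                 # current connections


class LoadBalanceGroup:
    def __init__(self, members: List[Member]) -> None:
        self.members: Dict[str, Member] = {m.name: m for m in members}
        self._credit: Dict[str, int] = {m.name: 0 for m in members}

    def _usable(self, m: Member) -> bool:
        return m.up and m.conns < m.conn_limit

    def _candidates(self) -> List[Member]:
        """Active members that can take a connection; a faulty or saturated
        active member is replaced by its backup-member if that one is usable."""
        chosen: Dict[str, Member] = {}
        for m in self.members.values():
            if m.standby:
                continue
            if self._usable(m):
                chosen[m.name] = m
            elif m.backup and self._usable(self.members[m.backup]):
                chosen[m.backup] = self.members[m.backup]
        return list(chosen.values())

    def select(self) -> Optional[str]:
        """Pick the member for a new connection (smooth weighted round-robin);
        None when no member can accept one."""
        cands = self._candidates()
        if not cands:
            return None
        total = sum(m.weight for m in cands)
        for m in cands:
            self._credit[m.name] += m.weight
        best = max(cands, key=lambda m: self._credit[m.name])
        self._credit[best.name] -= total
        best.conns += 1
        return best.name


def build_group() -> LoadBalanceGroup:
    """servera/serverb active, serverc/serverd their backups (inservice standby).
    Weights are the page's; connection limits are partly assumed."""
    return LoadBalanceGroup([
        Member("servera", weight=80, conn_limit=6000, backup="serverc"),
        Member("serverb", weight=20, conn_limit=6000, backup="serverd"),
        Member("serverc", weight=40, conn_limit=4000, standby=True),
        Member("serverd", weight=20, conn_limit=2000, standby=True),
    ])


def distribute(group: LoadBalanceGroup, n: int) -> Dict[str, int]:
    """Open n connections and count how many each member received."""
    counts: Counter = Counter()
    for _ in range(n):
        name = group.select()
        if name is not None:
            counts[name] += 1
    return dict(counts)
```

With both active members up, 100 connections split 80/20; marking servera down moves its share to serverc, and a saturated or faulty backup drops out of the rotation instead of receiving connections it cannot accept.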
  • Page 294: Example For Configuring Standard Firewall Load Balancing

    The requirements are as follows: The firewall with greater processing capabilities receives more service requests. Any traffic received through one firewall is sent back through the same firewall.
  • Page 295 Configure a NAT address pool. Configure two load balancing members that correspond to the two real servers. Configure a server group and bind it to the two members. Configure a Layer 7 classifier.
  • Page 296 [SwitchA-Eth-Trunk0] port trunk allow-pass vlan 400 600 700 [SwitchA-Eth-Trunk0] quit [SwitchA] interface GigabitEthernet1/0/25 [SwitchA-GigabitEthernet1/0/25] port link-type trunk [SwitchA-GigabitEthernet1/0/25] undo port trunk allow-pass vlan 1 [SwitchA-GigabitEthernet1/0/25] port trunk allow-pass vlan 400
  • Page 297 Configure a firewall group on the SPU of SwitchA. # Create the firewall group sg11, bind sg11 to firewalls s11 and s21, and set the forwarding mode to DMAC.
  • Page 298 Configure traffic importing on SwitchB. Import traffic from SwitchB to SPUA, that is, FWA. SPUA is installed in slot 8. <Quidway> system-view [Quidway] sysname SwitchB [SwitchB] vlan batch 600 800
  • Page 299 [SPUA-Eth-Trunk0.6] ip address 11.11.61.1 255.255.255.0 [SPUA-Eth-Trunk0.6] arp broadcast enable [SPUA-Eth-Trunk0.6] quit [SPUA] interface XGigabitEthernet0/0/1 [SPUA-XGigabitEthernet0/0/1] eth-Trunk 0 [SPUA-XGigabitEthernet0/0/1] quit [SPUA] interface XGigabitEthernet0/0/2 [SPUA-XGigabitEthernet0/0/2] eth-Trunk 0 [SPUA-XGigabitEthernet0/0/2] quit
  • Page 300 # Apply security zones to sub-interfaces of SPUA. [SPUA] interface Eth-Trunk 0.5 [SPUA-Eth-Trunk0.5] zone a [SPUA-Eth-Trunk0.5] quit [SPUA] interface Eth-Trunk 0.6 [SPUA-Eth-Trunk0.6] zone b [SPUA-Eth-Trunk0.6] quit # Apply security zones to sub-interfaces of SPUB.
  • Page 301 [SPU-Eth-Trunk0.10] dot1q termination vid 1000 [SPU-Eth-Trunk0.10] ip address 100.100.100.1 255.255.255.0 [SPU-Eth-Trunk0.10] arp broadcast enable [SPU-Eth-Trunk0.10] quit [SPU] interface XGigabitEthernet0/0/1 [SPU-XGigabitEthernet0/0/1] eth-Trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface XGigabitEthernet0/0/2
  • Page 302 [SPU-lb-l3classifier-l3] nat outbound address-group 2 [SPU-lb-l3classifier-l3] if-match acl 3007 [SPU-lb-l3classifier-l3] quit Configure a load balancing policy. # Create the load balancing policy named lp and bind lp to l3.
  • Page 303 1 port trunk allow-pass vlan interface GigabitEthernet1/0/27 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 700 interface XGigabitEthernet5/0/0 eth-Trunk 0
  • Page 304 3005 load-balance policy lbp1 l3classifier l3cls1 interface Eth-Trunk0.5 service load-balance policy lbp1
  • Page 305 5 permit ip firewall zone a priority 20 firewall zone b priority 50 firewall interzone b a firewall enable packet-filter default permit inbound interface Eth-Trunk 0 interface Eth-Trunk0.5
  • Page 306 XGigabitEthernet0/0/2 eth-Trunk 0 ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2 ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1 return Configuration file of SwitchC vlan batch 800 900 1000
  • Page 307 100.100.100.1 255.255.255.0 arp broadcast enable interface XGigabitEthernet0/0/1 eth-Trunk 0 interface XGigabitEthernet0/0/2 eth-Trunk 0 load-balance member s31 ip address 100.100.100.8 load-balance member s32 ip address 100.100.100.10
  • Page 308 3007 load-balance policy lp l3classifier l3 interface Eth-Trunk 0.8 service load-balance policy lp mac-sticky enable interface Eth-Trunk 0.9 service load-balance policy lp mac-sticky enable return
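The second requirement of this example, that traffic which entered through one firewall is sent back through the same firewall, is what `mac-sticky enable` on the server-side sub-interfaces (Eth-Trunk 0.8 and 0.9 of SwitchC's SPU) provides. The following added illustration, which is not Huawei code, models that return-path behaviour only: the flow key layout, the packet fields and the firewall MAC addresses are assumptions, and the weighted distribution of new requests across firewalls is the same scheduling problem as for server members and is not repeated here.

```python
"""Return-path stickiness for firewall load balancing ('mac-sticky enable').

Added illustration, not Huawei code.  The table remembers, per flow, the
MAC address of the firewall a packet arrived from and uses it as the next
hop for the reply, so the reply is not re-load-balanced onto the other
firewall.  Flow key layout, sample packets and MACs are assumptions.
"""
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]  # src ip, dst ip, src port, dst port, proto


def reverse(key: FlowKey) -> FlowKey:
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


class MacStickyTable:
    def __init__(self) -> None:
        self._fw_of: Dict[FlowKey, str] = {}

    def learn(self, key: FlowKey, src_mac: str) -> None:
        """Packet received on an interface with mac-sticky enable: remember
        the firewall (by source MAC) the flow came through.  The first
        firewall seen wins, so a flow is never moved mid-session."""
        self._fw_of.setdefault(key, src_mac)

    def reply_next_hop(self, key: FlowKey) -> Optional[str]:
        """Packet heading back toward the firewalls: the MAC learnt for the
        reverse direction, or None when the flow did not come through a
        firewall (the normal load-balancing decision applies then)."""
        return self._fw_of.get(reverse(key))

    def forget(self, key: FlowKey) -> None:
        """Session end: drop the entry whichever direction is given."""
        self._fw_of.pop(key, None)
        self._fw_of.pop(reverse(key), None)


# Constructed sample: two client requests to server 20.20.20.1, one that
# arrived through firewall FW-A and one through FW-B (MACs are invented).
FW_A_MAC = "00e0-fc11-0001"
FW_B_MAC = "00e0-fc11-0002"
INBOUND: List[Tuple[FlowKey, str]] = [
    (("3.3.3.10", "20.20.20.1", 40001, 80, "tcp"), FW_A_MAC),
    (("3.3.3.11", "20.20.20.1", 40002, 80, "tcp"), FW_B_MAC),
]


def route_replies(table: MacStickyTable,
                  inbound: List[Tuple[FlowKey, str]] = INBOUND
                  ) -> List[Tuple[FlowKey, Optional[str]]]:
    """Learn the inbound packets, then resolve the next hop for each reply."""
    for key, mac in inbound:
        table.learn(key, mac)
    return [(reverse(key), table.reply_next_hop(reverse(key))) for key, _ in inbound]
```

The point of the `setdefault` in `learn` is the one a practitioner cares about: if a retransmission of an existing flow shows up through the other firewall, the reply path must not flip, because the stateful firewall that saw the original SYN is the only one holding the session.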
  • Page 309: Dual-System Hsb Configuration

    7.4 Maintaining Dual-System HSB This section describes how to maintain dual-system HSB. 7.5 Configuration Examples of Dual-System HSB This section provides several configuration examples of dual-system HSB.
  • Page 310: Dual-System Hsb Overview

    Synchronization Channel and Heartbeat Detection The firewalls synchronize data using a channel. If the channel fails to be set up, an alarm is generated and recorded in the log.
  • Page 311: Configuring Dual-System Hsb

    Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.
  • Page 312: Enabling Dual-System Hsb

    HSB is enabled. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: hot-standby enable Dual-system HSB is enabled. By default, dual-system HSB is disabled. ----End
  • Page 313: Creating The Channel Through Which Dual-System Hsb Data Is Synchronized

    If a firewall does not receive a heartbeat packet from the peer firewall within the detection period (heartbeat interval x retransmission times), it re-establishes the channel to the peer.
  • Page 314: Checking The Configuration

    When dual-system HSB is running, if the active/standby switchover cannot be performed, you can check the connectivity of the channel between the active and standby modules. This helps you analyze the cause of the fault and locate the fault.
  • Page 315: Configuration Examples Of Dual-System Hsb

    A VRRP group is configured on SPU A and SPU B. SPU A is the master and SPU B is the backup. When the SPU A-side link is faulty, traffic is switched to SPU B.
  • Page 316 Interface table (recovered from a flattened layout; columns were Board, Interface, Type, Eth-Trunk, VLAN, Address, Virtual address, Priority; only the cells below survived):
    GigabitEthernet2/0/10    VLAN 18    18.0.0.1/24
    GigabitEthernet2/0/11    VLAN 11
    XGigabitEthernet3/0/0    Eth-Trunk 0    VLAN 10    10.0.0.9/24
  • Page 317 Configuration Roadmap The configuration roadmap is as follows: Check the service type of SPUs. Configure interfaces of the LPU. Configure a static route on the MPU.
  • Page 318 [MPU-VLAN10] quit [MPU] vlan 11 [MPU-VLAN11] quit [MPU] vlan 13 [MPU-VLAN13] quit [MPU] vlan 18 [MPU-VLAN18] quit [MPU] interface vlanif 18 [MPU-Vlanif18] ip address 18.0.0.1 24 [MPU-Vlanif18] quit
  • Page 319 Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120.
  • Page 320 [SPU-B-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown [SPU-B-Eth-Trunk0.2] vrrp vrid 11 priority 110 [SPU-B-Eth-Trunk0.2] arp broadcast enable [SPU-B-Eth-Trunk0.2] quit [SPU-B] interface eth-trunk0.3 [SPU-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
  • Page 321 Config type : admin-vrrp Config track link-bfd down-number Eth-Trunk0.2|Virtual Router 11 State : Master Virtual IP : 11.0.0.1 PriorityRun : 120 PriorityConfig : 120 MasterPriority : 120
  • Page 322 : 13.0.0.3 Peer IP Address : 13.0.0.2 Source port : 4001 Destination port : 3001 Vpn Instance name : NULL Keep Alive Time : 10 Fail Count
  • Page 323 1 interface xgigabitethernet3/0/0 eth-trunk 0 interface xgigabitethernet3/0/1 eth-trunk 0 interface xgigabitethernet5/0/0 eth-trunk 1 interface xgigabitethernet5/0/1 eth-trunk 1 ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1
  • Page 324 10 ip address 10.0.0.3 24 vrrp vrid 10 virtual-ip 10.0.0.1 admin-vrrp vrid 10 vrrp vrid 10 priority 110 arp broadcast enable interface eth-trunk0.2 control-vid 11 dot1q-termination
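The VRRP part of this example has two layers: an admin group (`admin-vrrp vrid 10` on Eth-Trunk 0.1, priority 120 on SPU A and 110 on SPU B) that is elected normally, and a member group (`vrrp vrid 11 track admin-vrrp ... vrid 10 unflowdown` on Eth-Trunk 0.2) whose state follows the admin group on the same SPU, so that a fault on the SPU A-side link moves both virtual addresses to SPU B together. The following added illustration, not Huawei code, models only that election and follow-the-admin behaviour; it assumes preemption is on (the page shows `Preempt : YES`) and breaks a priority tie by name, standing in for the higher primary address.

```python
"""Admin VRRP group with tracking member groups, as in the HSB example.

Added illustration, not Huawei code.  Assumptions: preemption is on and a
priority tie is broken by SPU name (stand-in for the higher primary IP).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Vrrp:
    vrid: int
    interface: str
    priority: int
    tracks_admin: Optional[int] = None  # vrid of the admin group this member follows


@dataclass
class Spu:
    name: str
    groups: List[Vrrp]
    links_up: Set[str] = field(default_factory=set)  # interfaces whose link is up

    def group(self, vrid: int) -> Vrrp:
        return next(g for g in self.groups if g.vrid == vrid)


def elect(spus: List[Spu], vrid: int) -> Optional[str]:
    """VRRP election for one vrid among the SPUs whose interface is up:
    highest priority wins.  None when no SPU can run the group."""
    live = [(s.group(vrid).priority, s.name)
            for s in spus if s.group(vrid).interface in s.links_up]
    return max(live)[1] if live else None


def vrrp_states(spus: List[Spu]) -> Dict[Tuple[str, int], str]:
    """State of every group on every SPU.  Groups that track nothing are
    elected on their own; a member group takes the state of the admin group
    it tracks on the same SPU.  An Initialize admin state is reported as
    Backup on the member, since 'unflowdown' keeps the member interface up."""
    states: Dict[Tuple[str, int], str] = {}
    independent = {g.vrid for s in spus for g in s.groups if g.tracks_admin is None}
    for vrid in independent:
        master = elect(spus, vrid)
        for s in spus:
            if s.group(vrid).interface not in s.links_up:
                states[(s.name, vrid)] = "Initialize"
            else:
                states[(s.name, vrid)] = "Master" if s.name == master else "Backup"
    for s in spus:
        for g in s.groups:
            if g.tracks_admin is not None:
                admin_state = states[(s.name, g.tracks_admin)]
                states[(s.name, g.vrid)] = "Master" if admin_state == "Master" else "Backup"
    return states


def build_pair() -> List[Spu]:
    """SPU A (priority 120) and SPU B (priority 110) with the page's two groups."""
    def spu(name: str, prio: int) -> Spu:
        return Spu(name,
                   [Vrrp(10, "Eth-Trunk0.1", prio),
                    Vrrp(11, "Eth-Trunk0.2", prio, tracks_admin=10)],
                   {"Eth-Trunk0.1", "Eth-Trunk0.2"})
    return [spu("SPU-A", 120), spu("SPU-B", 110)]
```

The check worth keeping in mind: without the `track admin-vrrp` binding, vrid 11 on SPU A would stay Master after the Eth-Trunk 0.1 fault because its own interface and priority are untouched, and the two virtual addresses would end up on different SPUs.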
  • Page 325: Example For Configuring Dual-System Hsb Between S9700S

    SPU A and SPU B are installed on two different S9700s and are connected to interfaces GE 2/0/13 of LPU A and LPU B through cables to implement the dual-system HSB function.
  • Page 326 LPU interface table (recovered from a flattened layout; the VLAN IDs were lost in extraction; the rows repeat once per S9700):
    GigabitEthernet2/0/10    VLAN    Eth-Trunk 1
    GigabitEthernet2/0/11    VLAN    Eth-Trunk 2
    GigabitEthernet2/0/13    VLAN
  • Page 327 SPU interface table (recovered; columns: Interfaces, Eth-Trunk sub-interface, Address, Virtual address):
    XGigabitEthernet0/0/1, XGigabitEthernet0/0/2    Eth-Trunk 0.2    11.0.0.3/24    11.0.0.1
    XGigabitEthernet0/0/1, XGigabitEthernet0/0/2    Eth-Trunk 0.3    13.0.0.3/24
    Configuration Roadmap The configuration roadmap is as follows:
  • Page 328 # If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.
  • Page 329 # Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth- Trunk 0. [SPU] interface eth-trunk0 [SPU-Eth-Trunk0] quit [SPU] interface xgigabitethernet 0/0/1
  • Page 330 [SPU-B-Eth-Trunk0.2] dot1q termination vid 11 [SPU-B-Eth-Trunk0.2] dot1q vrrp vid 11 [SPU-B-Eth-Trunk0.2] ip address 11.0.0.3 24 [SPU-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1 [SPU-B-Eth-Trunk0.2] admin-vrrp vrid 11 [SPU-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
  • Page 331 : 120 MasterPriority : 120 Preempt : YES Delay Time TimerRun TimerConfig Auth Type : NONE Virtual Mac : 0000-5e00-0164 Check TTL : YES Config type : member-vrrp
  • Page 332 Preempt : YES Delay Time TimerRun TimerConfig Auth Type : NONE Virtual Mac : 0000-5e00-0165 Check TTL : YES Config type : admin-vrrp Config track link-bfd down-number
  • Page 333 2 interface xgigabitethernet3/0/0 eth-trunk 0 interface xgigabitethernet3/0/1 eth-trunk 0 interface gigabitethernet2/0/13 port link-type trunk port trunk allow-pass vlan 13 undo port trunk allow-pass vlan 1
  • Page 334 11 ip address 11.0.0.3 24 vrrp vrid 11 virtual-ip 11.0.0.1 admin-vrrp vrid 11 vrrp vrid 11 priority 110 arp broadcast enable interface eth-trunk0.1 control-vid 10 dot1q-termination
  • Page 335 13.0.0.3 24 arp broadcast enable hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data- port 3001 hot-standby enable hot-standby-group detect fail-count 20 interval 1 return save
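Two things are easy to get wrong when bringing up the HSB channel described in this chapter: the two SPUs' `hot-standby-group` lines must mirror each other (local and peer addresses swapped, source and destination data ports swapped), and the detection period the page defines as heartbeat interval x retransmission times (here `fail-count 20 interval 1`, i.e. 20 s) decides when a peer is treated as lost and the channel is re-established. The following added illustration, not Huawei code, parses both sides' configuration and models the heartbeat timeout; SPU B's lines are the page's, SPU A's lines are a constructed mirror of them, and the heartbeat timestamps are invented.

```python
"""Dual-system HSB channel checks: mirrored configuration and heartbeat timeout.

Added illustration, not Huawei code.  SPU B's lines are taken from the
page; SPU A's are a constructed mirror; heartbeat timestamps are invented.
"""
import re
from typing import Dict, List, Optional

HSB_RE = re.compile(r"hot-standby-group local (\S+) peer (\S+) "
                    r"src-data-port (\d+) dst-data-port (\d+)")
DETECT_RE = re.compile(r"hot-standby-group detect fail-count (\d+) interval (\d+)")

SPU_B_CFG = """\
 ip address 13.0.0.3 24
 arp broadcast enable
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
"""
SPU_A_CFG = """\
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
"""


def parse_hsb(config: str) -> Dict[str, object]:
    """Channel endpoints, data ports, enable flag and detect timer of one SPU."""
    m = HSB_RE.search(config)
    if not m:
        raise ValueError("no hot-standby-group channel line")
    d = DETECT_RE.search(config)
    return {
        "local": m.group(1), "peer": m.group(2),
        "src": int(m.group(3)), "dst": int(m.group(4)),
        "enabled": bool(re.search(r"^hot-standby enable$", config, re.M)),
        # A missing detect line means device defaults apply; report None.
        "fail_count": int(d.group(1)) if d else None,
        "interval": int(d.group(2)) if d else None,
    }


def check_pair(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Mismatches that keep the channel from coming up or make the two
    sides time each other out inconsistently."""
    problems: List[str] = []
    if a["local"] != b["peer"] or b["local"] != a["peer"]:
        problems.append("local/peer addresses do not mirror")
    if a["src"] != b["dst"] or b["src"] != a["dst"]:
        problems.append("data ports do not mirror")
    if not (a["enabled"] and b["enabled"]):
        problems.append("hot-standby enable missing on one side")
    if (a["fail_count"], a["interval"]) != (b["fail_count"], b["interval"]):
        problems.append("detect timers differ")
    return problems


class HeartbeatMonitor:
    """The peer is lost once no heartbeat arrived for interval x fail-count
    seconds (the page's heartbeat interval x retransmission times)."""

    def __init__(self, interval: int, fail_count: int) -> None:
        self.timeout = interval * fail_count
        self.last: Optional[float] = None

    def heartbeat(self, now: float) -> None:
        self.last = now

    def peer_lost(self, now: float) -> bool:
        """False until the first heartbeat; afterwards true once the gap
        exceeds the timeout, which is when the channel would be re-established."""
        return self.last is not None and now - self.last > self.timeout
```

On the device itself the same facts are visible in the HSB display output shown earlier (local and peer addresses, source and destination ports, keep-alive time and fail count), so the parser is a pre-deployment check and the display output is the runtime one.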
