Page 1 Quidway S7700 Smart Routing Switch V100R006C00 Configuration Guide - SPU Issue Date 2011-07-15 HUAWEI TECHNOLOGIES CO., LTD.
Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
Page 3: About This Document
Quidway S7700 Smart Routing Switch Configuration Guide - SPU About This Document About This Document Versions The following table provides the mapping between versions. Table 1 Mapping between VASP version and S7700 version VASP S7700 Remarks VASP S7700 V100R006C00 V100R003C00...
Page 4: Command Conventions
Quidway S7700 Smart Routing Switch Configuration Guide - SPU About This Document Symbol Description Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury. DANGER Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
Page 5 Quidway S7700 Smart Routing Switch Configuration Guide - SPU About This Document Change History Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues. Changes in Issue 01 (2011-07-15) Initial commercial release.
Page 6: Table Of Contents
Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents Contents About This Document........................ii 1 SPU Pre-Configuration.........................1 1.1 Overview of the SPU Pre-Configuration......................2 1.2 Configuring a Service Type..........................2 1.2.1 Establishing the Configuration Task......................3 1.2.2 Configuring a Service Type........................3 1.2.3 Checking the Configuration........................4 1.3 Configuring Layer 2 Flow Import........................4...
Page 7 Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents 2.5.3 Adding IP Addresses to the Blacklist Manually..................40 2.5.4 Configuring Blacklist and Whitelist by Using the Configuration File............41 2.5.5 Checking the Configuration........................42 2.6 Configuring the Whitelist..........................42 2.6.1 Establishing the Configuration Task.......................42 2.6.2 Adding Entries to the Whitelist Manually....................43...
Page 8 Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents 2.14.1 Displaying the Firewall Configuration....................66 2.14.2 Clearing the Statistics of the Firewall....................67 2.15 Configuration Examples..........................68 2.15.1 Example for Configuring the ACL-based Packet Filtering Firewall.............68 2.15.2 Example for Configuring ASPF and Port Mapping................71 2.15.3 Example for Configuring the Blacklist....................75...
Page 9 Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents 4.4.4 Configuring an IKE Peer........................121 4.4.5 Configuring an IPSec Proposal......................123 4.4.6 Configuring an IPSec Policy.........................124 4.4.7 (Optional) Configuring an IPSec Policy Template................125 4.4.8 (Optional) Setting Optional Parameters....................126 4.4.9 Applying an IPSec policy to an interface....................128 4.4.10 Checking the Configuration.........................128...
Page 10 Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents 6.3.2 (Optional) Configuring an NAT Address Pool..................232 6.3.3 (Optional) Configuring Link Health Detection..................233 6.3.4 Configuring a Link..........................235 6.3.5 Configuring a Link Group........................236 6.3.6 Configuring a Layer 7 Classifier......................238 6.3.7 Configuring a Load Balancing Action....................239 6.3.8 Configuring an ACL..........................240...
Page 11 Quidway S7700 Smart Routing Switch Configuration Guide - SPU Contents 7.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized.........342 7.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets................................343 7.3.5 Checking the Configuration........................343 7.4 Maintaining Dual-System HSB........................344...
Page 12: Spu Pre-Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration SPU Pre-Configuration About This Chapter To use the SPU on the S7700, configure the S7700 and SPU in advance. 1.1 Overview of the SPU Pre-Configuration This topic describes the connection of virtual XGE interfaces between the SPU and the S7700.
Page 13: Overview Of The Spu Pre-Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration 1.1 Overview of the SPU Pre-Configuration This topic describes the connection of virtual XGE interfaces between the SPU and the S7700. Connection Mode If the SPU is inserted into slot 5 on the S7700, virtual connections are set up between XGE 5/0/0 on the S7700 and XGE 0/0/1 on the SPU and between XGE 5/0/1 on the S7700 and XGE 0/0/2 on the SPU.
Page 14: Establishing The Configuration Task
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration inconsistent with the required type, you need to change the service type, and then restart the SPU to make the change take effect. 1.2.1 Establishing the Configuration Task This topic describes the pre-configuration task and data preparations for configuring a service type.
Page 15: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration 1.2.3 Checking the Configuration You can check the current service type before and after configuring the service type of the SPU. Procedure Run the display service-type command in the system view, and you can check the service type of the SPU.
Page 16 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Figure 1-2 Importing Layer 2 flows if interfaces are aggregated XGE5/0/0 XGE0/0/1 Eth-Trunk 0 Eth-Trunk 1 GE3/0/0 Eth-Trunk GE3/0/1 XGE0/0/2 XGE5/0/1 Switch Importing Layer 2 flows if interfaces are not aggregated...
Page 17: Configuring Layer 2 Flow Import If Interfaces Are Aggregated
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Data Number of the slot to which the SPU is inserted ID of the VLAN to which interfaces belong Number of the slot to which the LPU is inserted 1.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated...
Page 18 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration l Run the port default vlan vlan-id command to configure the default VLAN to which the Access interface is added. l For the Hybrid interface: – Run the port hybrid tagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to add the Hybrid interface to the VLAN in tagged mode.
Page 19 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration The Eth-Trunk interface view is displayed. Run: trunkport xgigabitethernet { interface-number1 [ to interface-number2 ] } &<1-8> Two virtual interfaces on the S7700 are aggregated as the Eth-Trunk interface.
Page 20 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Run: quit Exit from the Eth-Trunk interface view. Step 2 Import data flows: Run: interface eth-trunk trunk-id.subtrunk-id The Eth-Trunk sub-interface view is displayed. Traffic is imported to the SPU through the Eth-Trunk sub-interface.
Page 21: Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Run: ip address ip-address { mask | mask-length } [ sub ] An IP address is set for the Eth-Trunk sub-interface. Run: arp broadcast enable The ARP broadcast function on the Eth-Trunk sub-interface is enabled.
Page 22 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Run: port link-type { access | hybrid | trunk } The link type of the interface is configured. Run the corresponding command according to the link type to add the interface to the...
Page 23 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Exit from the VLAN view. Run: interface interface-type interface-number The LPU interface (this interface forwards the traffic processed by the SPU to the LPU) view is displayed. Run: port link-type { access | hybrid | trunk The link type of the interface is configured.
Page 24 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Context NOTE To facilitate description, the direction of forwarding traffic from the LPU to the SPU is the incoming direction of traffic; the direction of forwarding traffic from the SPU to the LPU is the outgoing direction of traffic.
Page 25: Configuring Layer 3 Flow Import
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration The index of the ID of the VLAN to which the sub-interface belongs and encapsulation mode of the sub-interface are configured. Run: dot1q termination vid low-pe-vid [ to high-pe-vid ]...
Page 26 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration As shown in Figure 1-4, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU.
Page 27: Configuring Layer 3 Flow Import If Interfaces Are Aggregated
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Figure 1-5 Importing flows at Layer 3 if interfaces are not aggregated XGE5/0/0 GE3/0/0 VLANIF1051 14.14.1.2/24 XGE0/0/1.1 VLAN1052 VLANIF1060 14.14.1.1/24 13.1.1.1/24 XGE0/0/1.2 GE3/0/0 12.12.1.1/24 VLAN1052 Switch Pre-configuration Tasks Check that the SPU is installed on the S7700.
Page 28 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Context NOTE To facilitate description, the direction of forwarding traffic from the LPU to the SPU is the incoming direction of traffic; the direction of forwarding traffic from the SPU to the LPU is the outgoing direction of traffic.
Page 29 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration – Run the port hybrid untagged vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to add the Hybrid interface to the VLAN in untagged mode. l Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all } command to configure the VLAN to which the Trunk interface is added.
Page 30 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Run: trunkport xgigabitethernet { interface-number1 [ to interface-number2 ] } &<1-8> Two virtual interfaces on the S7700 are aggregated as the Eth-Trunk interface. Run: port link-type { access | hybrid | trunk } The link type of the Eth-Trunk interface is configured.
Page 31 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration Two virtual interfaces on the SPU are aggregated as the Eth-Trunk interface. Run: quit Exit from the Eth-Trunk interface view. Step 2 Import data flows: Run: interface eth-trunk trunk-id.subtrunk-id The Eth-Trunk sub-interface view is displayed.
Page 32: Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration The allowed VLAN on the sub-interface is configured as the VLAN configured in Configuring Layer 3 Flow Import on S7700 If Interfaces Are Aggregated Step 2.1. Run: ip address ip-address { mask | mask-length } [ sub ] An IP address is set for the Eth-Trunk sub-interface.
Page 33 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration A VLANIF interface is created and the VLANIF interface view is displayed. The value of vlan-id in this step is the same as that of vlan-id in step Step 1.2.
Page 34 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration 15. Run: quit Exit from the VLANIF interface view. 16. Run: interface xgigabitethernet interface-number The view of the virtual XGE interface on the S7700 is displayed. 17. Run: port link-type { access | hybrid | trunk } The link type of the interface is configured.
Page 35 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration l Run the port default vlan vlan-id command to configure the default VLAN to which the Access interface is added. l For the Hybrid interface: – Run the port hybrid tagged vlan { vlan-id1 [ to vlan-id2] }&<1-10> command to add the Hybrid interface to the VLAN in tagged mode.
Page 36 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 1 SPU Pre-Configuration The IP address of the XGE sub-interface is configured. The XGE sub-interface is in the same network segment with the VLANIF interface configured in Configuring Layer 3 Flow...
Page 37: Firewall Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Firewall Configuration About This Chapter The attack defense system is to set up a line of defense between the internal and external networks so that the internal network is protected against attacks from the external network. Generally, firewalls are deployed between the internal and external networks to prevent attacks.
Page 38 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.8 Configuring Port Mapping Port mapping defines new port numbers for different application-layer protocols, protecting the server against the service specific attacks. 2.9 Configuring the Aging Time of the Firewall Session Table 2.10 Configuring the Transparent Firewall...
Page 39: Firewall Overview
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.1 Firewall Overview A firewall discards the undesired packets and protects the mainframes and key resources on the internal network. In a building, a firewall is designed to prevent fire from spreading across one place to the other places.
Page 40 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different.
Page 41: Port Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. Then the firewall adds the IP address of the attacker to the blacklist so that all the packets from the attacker are discarded.
Page 42: Firewall Log
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Firewall Log The firewall records the behaviors and status of the firewall in real time. For example, the attack defense measures and the detection of malicious attacks are recorded in the firewall log.
Page 43: Attack Defense
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Attack Defense With the attack defense feature, the SPU can detect various network attacks and protect the internal network against attacks. Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.
Page 44: Ping Of Death Attack
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration damage the target host because the IGMP packet is not fragmented. An attack occurs when a host receives an IGMP packet. SYN Flood Attack The TCP/IP protocol stack only permits a limited number of TCP connections due to resource restriction.
Page 45: Configuring Zones
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration running when receiving a forged fragment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.
Page 46: Creating A Zone
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Pre-configuration Tasks Before configuring a zone, complete the following task: Configuring the interfaces that you want to add to the zone Data Preparation To configure the zone, you need the following data.
Page 47: Creating An Interzone
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface interface-type interface-number.subinterface The interface view is displayed. Only the XGE sub-interfaces and Eth-Trunk sub-interfaces of the SPU can be added to a zone.
Page 48: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration The zones zone-name1 and zone-name2 have been created through the firewall zone command. Step 3 Run: firewall enable The firewall is enabled. By default, the firewall function is disabled in an interzone.
Page 49: Configuring Acl-Based Packet Filtering In An Interzone
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Data Zone names ACL number Packet direction to which the ACL is applied 2.4.2 Configuring ACL-based Packet Filtering in an Interzone You can specify the direction to which the ACL is applied and the default processing mode of the packets that do not match the ACL rules.
Page 50: Configuring The Blacklist
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Procedure Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering. Run the display acl acl-number command to view the ACL configuration.
Page 51: Enabling The Blacklist Function
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.5.2 Enabling the Blacklist Function To make the entries added to the blacklist manually or dynamically effective, you must enable the blacklist function first. Procedure Step 1 Run: system-view The system view is displayed.
Page 52: Configuring Blacklist And Whitelist By Using The Configuration File
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Follow-up Procedure Run the firewall black-white-list save command to save the blacklist and whitelist to the specified configuration file to load next time. 2.5.4 Configuring Blacklist and Whitelist by Using the Configuration File You can batch configure the entries in blacklist and whitelist by loading the configuration file.
Page 53: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration The entries in the whitelist take effect directly and you do not need to enable the whitelist function. A blacklist supports up to 4096 entries, and a whitelist supports up to 1024 entries.
Page 54: Adding Entries To The Whitelist Manually
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Pre-configuration Tasks Before configuring the whitelist, complete the following tasks: Configuring zones and adding interfaces to the zones Configuring the interzone and enabling the firewall function in the interzone Data Preparation To configure the whitelist, you need the following data.
Page 55 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Prerequisite The configuration file for storing the blacklist and whitelist is available. Context The configuration file must be in txt format, and the contents are as follows: [FirewallBlacklist] # A blacklist entry...
Page 56: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.6.4 Checking the Configuration After the whitelist is configured, you can view information about the whitelist. Procedure Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.
Page 57: Configuring Aspf Detection
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Data Names of the two zones Type of the application protocol (Optional) Aging time of the session table for each application layer protocol 2.7.2 Configuring ASPF Detection ASPF can detect and filter the FTP, HTTP, SIP, and RTSP packets at the application layer.
Page 58: Configuring Port Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration packet-filter default permit outbound session-log 2006 inbound packet-filter default permit inbound detect aspf ftp detect aspf sip detect aspf rtsp detect aspf http detect aspf http java-blocking detect aspf http activex-blocking 2.8 Configuring Port Mapping...
Page 59: Configuring Port Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Data Number of the basic ACL 2.8.2 Configuring Port Mapping Port mapping maps protocols to ports based on a basic ACL. Procedure Step 1 Run: system-view The system view is displayed.
Page 60: Configuring The Aging Time Of The Firewall Session Table
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.9 Configuring the Aging Time of the Firewall Session Table 2.9.1 Establishing the Configuration Task Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
Page 61: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration l HTTP: 120 seconds l ICMP: 20 seconds l TCP: 600 seconds l TCP-proxy: 10 seconds l UDP: 40 seconds l SIP: 1800 seconds l SIP-media: 120 seconds...
Page 62: Establishing The Configuration Task
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.10.1 Establishing the Configuration Task Before configuring the transparent firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. Applicable Environment When a firewall works as a transparent firewall (also called bridge firewall), the interfaces of the firewall cannot be configured with IP addresses or NAT.
Page 63 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration – ARP protocol packets – Broadcast MAC address: FFFF.FFFF.FFFF – Multicast address: 0100.5E00.0000-0100.5EFE.FFFF – IPv6 multicast address: 3333.0000.0000-3333.FFFF.FFFF – BPDU multicast address: 0100.0CCC.CCCD – Appletalk network multicast address: 0900.0700.0000-0900.07FF.FFFF...
Page 64: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Return to the system view. Step 5 Run: interface interface-type interface-number.subinterface The sub-interface view is displayed. Step 6 Run: l2 binding inter-vlan-bridge instance instance-id The sub-interface is bound to the VLAN bridge instance.
Page 65: Establishing The Configuration Task
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.11.1 Establishing the Configuration Task Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. Applicable Environment On the SPU, you can enable the attack defense function for the protected area.
Page 66 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Step 2 Run: firewall defend all enable All the attack defense functions are enabled. Step 3 Run: firewall defend fraggle enable The Fraggle attack defense is enabled. Step 4 Run: firewall defend icmp-flood enable The ICMP Flood attack defense is enabled.
Page 67: Setting The Parameters Of Flood Attack Defense
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Step 12 Run: firewall defend port-scan enable The port scanning attack defense is enabled. After the parameters of port scanning attack defense are set, you must enable the port scanning attack defense function;...
Page 68: Configuring Large Icmp Packet Attack Defense
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Context Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend different types of Flood attacks. Procedure Step 1 Run: system-view The system view is displayed.
Page 69: Setting Parameters Of Scanning Attack Defense
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration firewall defend large-icmp max-length length The parameter of large ICMP packet attack defense is set. For the large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length.
Page 70: Configuring Traffic Statistics And Monitoring
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Procedure Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip- address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.
Page 71: Enabling Traffic Statistics And Monitoring
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Applicable Environment System-level traffic statistics and monitoring take effect on all the data flows in interzones that are enabled with the firewall feature. That is, the SPU collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones.
Page 72: Setting The Session Thresholds
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration The system view is displayed. Run: firewall statistics system enable The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
Page 73 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration The system-level traffic statistics and monitoring are enabled. By default, the system-level traffic statistics and monitoring is disabled. Run: firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold The session thresholds for the system-level traffic statistics and monitoring are set.
Page 74: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Run: statistics ip enable { inzone | outzone } The IP address-level traffic statistics and monitoring are enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
Page 75: Enabling The Log Function On The Firewall
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Pre-configuration Tasks Before configuring the logs, complete the following tasks: Configuring zones and adding interfaces to the zones Configuring the interzone and enabling the firewall function in the interzone...
Page 76: Setting The Parameters Of Logs
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.13.3 Setting the Parameters of Logs The parameters of logs include the session log host, conditions of recording session logs, and interval for exporting logs. Context The session logs are exported to a log host in real time; therefore, you need to configure the log host first.
Page 77: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.13.4 Checking the Configuration After the log function is configured on the firewall, you can view information about the logs. Procedure Run the display firewall log configuration command to view information about the logs on the firewall.
Page 78: Clearing The Statistics Of The Firewall
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Run the display firewall statistics system command to view the system-level traffic statistics. Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.
Page 79: Configuration Examples
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration 2.15 Configuration Examples This section provides several configuration examples of firewall. 2.15.1 Example for Configuring the ACL-based Packet Filtering Firewall This example shows the application of the ACL-based packet filtering firewall on a network.
Page 80 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Configure an ACL. Configure ACL-based packet filtering in the interzone. Procedure Step 1 Import flows from the S7700 to the SPU. Configure the S7700 as follows: [Quidway] vlan 10...
Page 81 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration [SPU] acl 3102 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0 [SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0...
Page 82: Example For Configuring Aspf And Port Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration interface Eth-trunk0.2 control-vid 20 dot1q-termination dot1q termination vid 20 ip address 202.39.2.1 255.255.0.0 zone untrust return Configuration file of the S7700 vlan batch 10 20 interface GigabitEthernet1/0/10 port link-type access...
Page 83 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Figure 2-3 Networking of ASPF and port mapping VLAN 10 Eth-Trunk0.1 XGE5/0/0 FTP Server WWW Server XGE5/0/1 129.38.1.2 Eth-Trunk0.2 129.38.1.4 VLAN 20 GE1/0/10 GE1/0/11 Switch 202.39.2.3 Internal Network Telnet Server 129.38.1.3...
Page 84 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration [SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/1 [SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/2 [SPU-Eth-trunk0] quit [SPU] interface Eth-trunk0.1 [SPU-Eth-trunk0.1] control-vid 10 dot1q-termination [SPU-Eth-trunk0.1] dot1q termination vid 10 [SPU-Eth-trunk0.1] ip address 129.38.1.1 255.255.255.0 [SPU-Eth-trunk0.1] arp broadcast enable [SPU-Eth-trunk0.1] quit...
Page 85 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration firewall enable packet-filter default permit outbound packet-filter 3102 inbound packet-filter default permit inbound detect aspf ftp Run the display port-mapping ftp command on the SPU, and the result is as follows:...
Page 86: Example For Configuring The Blacklist
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Configuration file of the S7700 vlan batch 10 20 interface GigabitEthernet1/0/10 port link-type access port default vlan 10 interface GigabitEthernet1/0/11 port link-type trunk port trunk allow-pass vlan 20...
Page 87 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Figure 2-4 Networking of blacklist configuration VLAN 101 Server Eth-Trunk1.1 XGE5/0/0 XGE5/0/1 Eth-Trunk1.2 VLAN 102 GE2/0/1 GE2/0/2 Enterprise Network Switch Configuration Roadmap The configuration roadmap is as follows: Import flows from the S7700 to the SPU.
Page 88 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration [SPU] interface Eth-Trunk 1.1 [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination [SPU-Eth-Trunk1.1] dot1q termination vid 101 [SPU-Eth-Trunk1.1] ip address 201.0.0.1 255.255.255.0 [SPU-Eth-Trunk1.1] arp broadcast enable [SPU-Eth-Trunk1.1] quit [SPU] interface Eth-Trunk 1.2 [SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination...
Page 89 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration ------------------------------------------------------------------------ 202.39.1.2 Manual Permanent ------------------------------------------------------------------------ total number is : 1 Run the display firewall defend command on the SPU, and the result is as follows: [SPU] display firewall defend port-scan...
Page 90: Example For Configuring The Transparent Firewall
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration interface GigabitEthernet2/0/1 port link-type trunk port trunk allow-pass vlan 101 interface GigabitEthernet2/0/2 port link-type trunk port trunk allow-pass vlan 102 interface Eth-Trunk 1 port link-type trunk port trunk allow-pass vlan 101 to 102...
Page 91 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration Configure zones and the interzone. Add interfaces to the zones. Add interfaces to VLANs. Configure the VLAN bridge instance. Bind the VLAN bridge instance to sub-interfaces. Configure an ACL.
Page 92 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration [SPU-Eth-Trunk1.2] zone untrust [SPU-Eth-Trunk1.2] quit Step 4 Configure the VLAN bridge instance on the SPU. [SPU] inter-vlan-bridge instance 127 Step 5 Bind the VLAN bridge instance to the sub-interfaces of the SPU.
Page 93 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 2 Firewall Configuration interface Eth-Trunk 1 interface XGigabitEthernet0/0/1 eth-trunk 1 interface XGigabitEthernet0/0/2 eth-trunk 1 firewall zone trust priority 100 firewall zone untrust priority 1 acl 3000 rule 5 permit ospf acl number 4100...
Page 94: Nat Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration NAT Configuration About This Chapter Network Address Translation (NAT) can translate private and public addresses. The shortage of IPv4 address can be solved and the topology of the private network can be shielded. The network security is thus improved.
Page 95: Nat Overview
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration 3.1 NAT Overview NAT enables hosts on a private network to access the public network. Private Network Address and Public Network Address A private network address, which is also called a private address, is the IP address of an internal network or a host.
Page 96: Nat Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration The host sends a data packet, and uses port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port remains unchanged.
Page 97: Internal Server
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Figure 3-2 Networking of PAT Datagram 1 Datagram 1 Src IP: 192.168.1.3 Src IP: 202.169.10.1 Src Port:23 Src Port:10023 Datagram 2 Datagram 2 Src IP: 192.168.1.3 Src IP: 202.169.10.1...
Page 98: Nat Alg
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Easy IP Easy IP takes the public IP address of the interface as the source address after NAT is performed. In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.
Page 99: Configuring Nat
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Temporary address = Start IP address in the temporary address pool + (Overlapped IP address - Start IP address in the overlapped address pool) Overlapped address = Start IP address in the overlapped address pool + (Temporary IP address...
Page 100: Configuring An Address Pool
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Applicable Environment NAT needs to be configured at the juncture between the private network and the public network. Private and public addresses can be translated through NAT. Pre-configuration Tasks...
Page 101: Associating An Acl With An Address Pool
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration The public address pools are numbered with numerals. Up to 102416 address pools can be configured. By default, no public address pool is configured on the SPU. ----End 3.3.3 Associating an ACL with an Address Pool...
Page 102: Configuring An Internal Nat Server
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Easy IP is configured. ----End 3.3.5 Configuring an Internal NAT Server If a server is deployed on the private network, the security of the server can be improved and attacks of users from the public network can be prevented.
Page 103: Enabling Nat Alg
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration The interface view is displayed. Step 3 Run: l nat static protocol { tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ] [ description...
Page 104: Configuring Nat Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Address-dependent filtering Address and port-dependent filtering Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: nat filter-mode { endpoint-dependent | endpoint-independent | endpoint-and-port- dependent } The NAT filtering mode is set.
Page 105: Configuring Dns Mapping
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration NAT mapping is applied to the traffic from the internal network to the external network. The default mode is address and port-dependent mapping. ----End 3.3.10 Configuring DNS Mapping On the private network, different servers such as the FTP server and Web server are deployed, but no DNS server is deployed.
Page 106: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Up to 128 mapping entries between the overlapped address pool and the temporary address pool can be configured globally. When the VPN instance of the configuration is deleted, the configuration of twice NAT is also deleted.
Page 107 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration the intranet of company B. The private IP address of the FTP server is 10.0.0.3 and its public address is 202.169.10.33. The SPU is installed in slot 5 of the S7700.
Page 108 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration [S7700-XgigabitEthernet5/0/0] quit [S7700] interface XGigabitEthernet5/0/1 [S7700-XgigabitEthernet5/0/1] eth-trunk 1 [S7700-XgigabitEthernet5/0/1] quit On the SPU, set IP addresses of interfaces and add interfaces to VLANs. <SPU> system-view [SPU] interface Eth-Trunk 1 [SPU-Eth-Trunk1] quit [SPU] interface Eth-Trunk 1.1...
Page 109 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Total : ----End Configuration Files Configuration file of the SPU sysname SPU ip vpn-instance vpn_b route-distinguisher 0:1 Nat alg ftp enable interface Eth-Trunk1 interface Eth-Trunk1.1 control-vid 101 dot1q-termination dot1q termination vid 101 ip address 192.168.20.1 255.255.255.0...
Page 110: Example For Configuring Static Nat
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration interface GigabitEthernet2/0/3 port link-type trunk port trunk allow-pass vlan 103 interface XGigabitEthernet5/0/0 eth-trunk 1 interface XGigabitEthernet5/0/1 eth-trunk 1 return 3.4.2 Example for Configuring Static NAT Networking Requirements As shown in...
Page 111 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Configuration Roadmap The configuration roadmap is as follows: Import flows from the S7700 to the SPU through NAT. Configure static NAT. Procedure Step 1 Import flows from the S7700 to the SPU through NAT.
Page 112 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration [SPU-XGigabitEthernet0/0/1] quit [SPU] interface XGigabitEthernet0/0/2 [SPU-XGigabitEthernet0/0/2] eth-trunk 1 [SPU-XGigabitEthernet0/0/2] quit Step 2 Configure static NAT on the SPU. [SPU] interface Eth-Trunk1.2 [SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254...
Page 113: Example For Configuring Outbound Nat
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration control-vid 103 dot1q-termination dot1q termination vid 103 ip binding vpn-instance vpn_b ip address 10.0.0.1 255.255.255.0 arp broadcast enable interface XGigabitEthernet0/0/1 eth-trunk 1 interface XGigabitEthernet0/0/2 eth-trunk 1 ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2...
Page 114 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Figure 3-6 Networking diagram for configuring outbound NAT VLAN 101 XGE 5/0/0 Company A Eth-Trunk1.1 PC 1...PC n 192.168.20.2 Eth-Trunk1.2 XGE 5/0/1 VLAN 102 GE 2/0/1 GE 2/0/2...
Page 115 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration <SPU> system-view [SPU] interface Eth-Trunk 1 [SPU-Eth-Trunk1] quit [SPU] interface Eth-Trunk 1.1 [SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination [SPU-Eth-Trunk1.1] dot1q termination vid 101 [SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0 [SPU-Eth-Trunk1.1] arp broadcast enable [SPU-Eth-Trunk1.1] quit...
Page 116 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Configuration Files Configuration file of the SPU sysname SPU ip vpn-instance vpn_b route-distinguisher 0:1 acl number 2000 rule 5 permit source 192.168.20.0 0.0.0.255 acl number 2001 rule 5 permit source 10.0.0.0 0.0.0.255 vpn-instance vpn_b nat address-group 1 202.169.10.100 202.169.10.200...
Page 117: Example For Configuring Twice Nat
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration interface GigabitEthernet2/0/3 port link-type trunk port trunk allow-pass vlan 103 interface XGigabitEthernet5/0/0 eth-trunk 1 interface XGigabitEthernet5/0/1 eth-trunk 1 return 3.4.4 Example for Configuring Twice NAT Networking Requirements The common NAT technology translates only the source or destination address of packets, whereas the twice NAT technology translates both the source and destination addresses of packets.
Page 118 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration Configure the mapping between the overlapped address pool and the temporary address pool. Configure common NAT outbound. Procedure Step 1 Import flows from the SPU to the SPU through NAT.
Page 119 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration [SPU] interface XGigabitEthernet0/0/2 [SPU-XGigabitEthernet0/0/2] eth-trunk 1 [SPU-XGigabitEthernet0/0/2] quit Step 2 Configure DNS mapping on the SPU so that the IP address of host A returned from the DNS server to PC1 is translated to a unique temporary address.
Page 120 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration system-view interface Eth-Trunk1 ip vpn-instance vpna route-distinguisher 1:1 ip vpn-instance vpnb route-distinguisher 2:2 interface Eth-Trunk1.1 control-vid 101 dot1q-termination dot1q termination vid 101 ip binding vpn-instance vpna ip address 192.168.20.1 255.255.255.0 arp broadcast enable interface Eth-Trunk1.2...
Page 121 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 3 NAT Configuration interface XGigabitEthernet5/0/1 eth-trunk 1 return Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Page 122: Ipsec Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration IPSec Configuration About This Chapter This chapter describes how to ensure confidentiality and integrity of data and prevent replay of data packets on a network through data encryption and data source authentication at the IP layer.
Page 123: Ipsec Overview
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration 4.1 IPSec Overview The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets.
Page 124: Ipsec Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Figure 4-2 Packets format in tunnel mode Mode tunnel Protocol new IP Header AH raw IP Header TCP Header data new IP raw IP ESP Tail ESP Auth data...
Page 125: Establishing An Ipsec Tunnel Manually
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration 4.3 Establishing an IPSec Tunnel Manually You can establish IPSec tunnels manually when the network topology is simple. 4.3.1 Establishing the Configuration Task Before establishing an IPSec tunnel manually, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
Page 126: Defining Data Flows To Be Protected
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration NOTE You can use the AH or ESP protocol according to the actual situation. 4.3.2 Defining Data Flows to Be Protected IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.
Page 127: Configuring An Ipsec Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 } The authentication algorithm used by AH is configured. Step 5 (Optional) Run: esp authentication-algorithm [ md5 | sha1 ] The authentication algorithm used by ESP is configured.
Page 128 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration ipsec policy policy-name seq-number manual An IPSec policy is created. An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy exists. Step 3 Run: security acl acl-number An ACL is applied to the IPSec policy.
Page 129: Applying An Ipsec Policy Group To An Interface
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration The authentication key (a hexadecimal number) of the security protocol is configured. Step 9 Run: sa string-key { inbound | outbound } { ah | esp } string-key The authentication key (a character string) of the security protocol is configured.
Page 130: Establishing An Ipsec Tunnel Through Ike Negotiation
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Procedure Run the display ipsec sa command to view information about the SA. Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
Page 131: Defining Data Flows To Be Protected
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Data IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre- shared key, remote address, (optional) VPN instance bound to the IPSec tunnel,and remote host name...
Page 132: Configuring An Ike Peer
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: ike proposal proposal-number An IKE proposal is created and the IKE proposal view is displayed.
Page 133 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: ike peer peer-name { v1 | v2 } An IKE peer is created and the IKE peer view is displayed.
Page 134: Configuring An Ipsec Proposal
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration When NAT traversal is enabled, local-id-type must be set to name. Step 10 Run: pre-shared-key key-string The pre-shared key used by the local end and remote peer is configured.
Page 135: Configuring An Ipsec Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration transform { ah | esp | ah-esp } The security protocol is configured. By default, the ESP protocol defined by RFC 2406 is used. Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 } The authentication algorithm used by AH is configured.
Page 136: Optional) Configuring An Ipsec Policy Template
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Step 4 Run: security acl acl-number An ACL is applied to the IPSec policy. Step 5 (Optional) Run: sa trigger-mode { auto | traffic-based } The SA triggering mode is configured.
Page 137: Optional) Setting Optional Parameters
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration ipsec policy-template policy-template-name seq-number An IPSec policy template is created. Step 3 (Optional) Run: security acl acl-number An ACL is applied to the IPSec policy template. Step 4 Run: proposal proposal-name&<1-6>...
Page 138 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation.
Page 139: Applying An Ipsec Policy To An Interface
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration 4.4.9 Applying an IPSec policy to an interface An interface can use only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple interfaces.
Page 140: Maintaining Ipsec
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals. ----End 4.5 Maintaining IPSec This section describes how to display the IPSec configuration and clear the IPSec statistics.
Page 141: Configuration Examples
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
Page 142 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Configure static routes between the SPUs of SwitchA and SwitchB. Configure an IPSec proposal. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
Page 143 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration [SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1 [SwitchB-XGigabitEthernet5/0/0] quit Configure the SPU on SwitchB. <Quidway> system-view [Quidway] sysname SPU [SPU] interface XGigabitEthernet 0/0/1.1 [SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination [SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20 [SPU-XGigabitEthernet0/0/1.1] ip address 202.38.162.1 255.255.255.0...
Page 144 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.
Page 145 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration ESP string-key: abcdefg ESP encryption hex key: ESP authentication hex key: Step 6 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB. # Apply the IPSec policy to the SPU interface on SwitchA.
Page 146 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration tunnel local 202.38.163.1 tunnel remote 202.38.162.1 sa spi inbound esp 54321 sa string-key inbound esp gfedcba sa spi outbound esp 12345 sa string-key outbound esp abcdefg interface XGigabitEthernet0/0/1.1...
Page 147: Example For Establishing An Sa Through Ike Negotiation
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration ipsec policy map1 arp broadcast enable interface XGigabitEthernet0/0/1.2 control-vid 30 dot1q-termination dot1q termination vid 30 ip address 202.38.162.2 255.255.255.0 arp broadcast enable ip route-static 10.1.1.0 255.255.255.0 202.38.163.1 return...
Page 148 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration Figure 4-4 Networking for establishing an SA through IKE negotiation VLAN 20 VLAN 20 VLAN 30 VLAN 10 202.38.162.1/24 202.38.163.1/24 VLAN 20 VLAN 20 XGE5/0/0 XGE0/0/1.1 XGE0/0/1.1 XGE5/0/0 XGE0/0/1.2...
Page 149 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration [SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20 [SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1 [SwitchA-XGigabitEthernet5/0/0] quit Configure the SPU on SwitchA. <Quidway> system-view [Quidway] sysname SPU [SPU] interface XGigabitEthernet 0/0/1.1 [SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination...
Page 150 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration [SPU-ike-proposal-1] authentication-algorithm md5 [SPU-ike-proposal-1] quit Step 3 Configure the local IDs and IKE peers on SPUs of SwitchA and SwitchB. # Configure the local ID and IKE peer on the SPU of SwitchA.
Page 151 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration [SPU-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255 [SPU-acl-adv-3101] quit Step 5 Configure static routes between the SPUs of SwitchA and SwitchB. Configure the SPU on SwitchA.
Page 152 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration [SPU] display ipsec policy =========================================== IPsec Policy Group: "map1" Using interface: {} =========================================== SequenceNumber: 10 Security data flow: 3101 Peer name: spub Perfect forward secrecy: None Proposal name:...
Page 153 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration 202.38.162.1 RD|ST Flag Description: RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP ----End Configuration Files Configuration of the SPU on SwitchA sysname SPU...
Page 154 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration interface GigabitEthernet1/0/12 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 interface XGigabitEthernet5/0/0 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 10 20...
Page 155 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 4 IPSec Configuration port link-type access port default vlan 30 interface GigabitEthernet1/0/12 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan 20 interface XGigabitEthernet5/0/0 port link-type trunk...
Page 156: Wlan Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration WLAN Configuration About This Chapter This chapter describes how to configure the WLAN service in the AC + fit AP networking mode. 5.1 WLAN Configuration This chapter describes how to configure the WLAN service in the AC + fit AP networking mode.
Page 157: Wlan Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration 5.1 WLAN Configuration This chapter describes how to configure the WLAN service in the AC + fit AP networking mode. 5.1.1 WLAN Overview This section describes the concepts and application of WLAN.
Page 158: Radius Server
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Figure 5-1 WLAN networking diagram IP backbone RADIUS server MAN aggregate network Aggregate switch Access switch Encrypts and decrypts data on wireless channels. An AP monitors wireless channels and converges wireless channel information to an AC.
Page 159 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The AP starts and discovers the AC in unicast, multicast, or broadcast mode. In unicast mode, the AP discovers the AC by means of Dynamic Host Control Protocol (DHCP) discovery, Domain Name System (DNS) discovery, or static configuration.
Page 160: Wlan Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration An AP is a bridge that connects STAs to a LAN and converts frames exchanged between STAs and the LAN. An AC is a device that manages all APs in a WLAN. It can connect to an authentication server and allow WLAN users to be authenticated by the authentication server.
Page 161 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration WLAN Access Security Channels of a WLAN are open to users, and malicious users can easily intercept, modify, and forward data of authorized users. The WLAN technology provides security policies to prevent access from unauthorized users.
Page 162: Configuring Basic Ac Attributes
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration 5.1.3 Configuring Basic AC Attributes Before deploying WLAN services on an AC, configure basic attributes for the AC, including the AC ID, carrier ID, country code, and source interface.
Page 163: Configuring Parameters For Communication Between The Ac And Aps
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Step 5 (Optional) Configure the AC as a DHCP server to allocate IP addresses to APs. Run: dhcp enable DHCP is enabled on the VLANIF interface. Run: interface vlanif vlan-id A VLANIF interface is created.
Page 164 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration required for the configuration. This can help you complete the configuration task quickly and accurately. Applicable Environment Before deploying WLAN services, ensure that APs can communicate with ACs. An AP can be connected to an AC directly or through a Layer 2 or Layer 3 network.
Page 165 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Prerequisite Basic AC attributes have been configured according to 5.1.3 Configuring Basic AC Attributes. The AP is connected to the AC correctly. Context Before adding an AP to the AC, you can configure a radio and VAP for the AP. When the type...
Page 166 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration l If the AC mode is used, upload the upgrade file to the AC before specifying the AP upgrade file. l If the FTP mode is used, run the ap-update ftp-server server-ip-address [ ftp-username...
Page 167 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Configuring AP Discovery After you configure the AP whitelist and AP authentication mode on an AC, an AP can be discovered by the AC and go online if it is in the whitelist.
Page 168 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Result The MAC address or SN of the AP connected to the AC is in the whitelist, so the AP enters the normal state directly. Run the display ap { all | id ap-id | by-mac ap-mac | by-sn ap-sn } command. The command output shows that the AP is in normal state.
Page 169: Configuring The Wlan Radio Environment
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Checking the Configuration After configuring parameters for communication between an AP and an AC, you can use the following commands to verify the configuration. Procedure Run the display ap { all | id ap-id | by-mac ap-mac | by-sn ap-sn } command to view AP information.
Page 170 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration WMM profile needs to be bound to a radio profile in which radio parameters are configured. The WMM profile is then applied to a radio together with the radio profile.
Page 171 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The system view is displayed. Step 2 Run: wlan The WLAN view is displayed. Step 3 Run: wmm-profile { id profile-id | name profile-name } A WMM profile is created.
Page 172 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration NOTE A STA communicates with an AP by sending radio packets over a channel. Four queues are provided for radio packets. Packets in different queues have different opportunities to obtain transmission channels so that differentiated services can be provided for radio packets.
Page 173 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Step 3 Run: radio-profile { id profile-id | name profile-name } A radio profile is created. After a radio profile is created, parameters in the profile use default values.
Page 174 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The default channel mode is auto. In this mode, channels are selected for radios using the radio profile automatically based on the WLAN radio environment. Step 8 Run: wmm-profile { id profile-id | name profile-name } A WMM profile is bound to the radio profile.
Page 175 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The system view is displayed. Step 2 Run: wlan The WLAN view is displayed. Step 3 Run: radio-profile { id profile-id | name profile-name } A radio profile is created.
Page 176 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration (Optional) Configuring an AP Load Balancing Group You can configure an AP load balancing group on an AC to implement load balancing between APs. The AC controls user access according to the policies configured in the load balancing group.
Page 177: Configuring The Wlan Service
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration If the number of times a STA requests to associate with a radio exceeds the threshold, the STA is allowed to associate with the radio regardless of whether the traffic is balanced in the load balancing group.
Page 178 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Configuring basic AC attributes according to 5.1.3 Configuring Basic AC Attributes Connecting an AP to an AC correctly Configuring the WLAN radio environment according to 5.1.5 Configuring the WLAN...
Page 179 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Context A WLAN-ESS interface is a virtual Layer 2 interface. Similar to a Layer 2 Ethernet interface of the access type, a WLAN-ESS interface has Layer 2 attributes and supports multiple Layer 2 protocols.
Page 180 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration To allow users on an interface to access certain network resources after they fail in dot1x authentication, add the interface to a restrict VLAN. Step 7 (Optional) Run: qos car { inbound | outbound }car-name A QoS CAR profile is applied to the WLAN-ESS interface.
Page 181 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The system view is displayed. Step 2 Run: wlan The WLAN view is displayed. Step 3 Run: security-profile { id profile-id | name profile-name } A security profile is created.
Page 182 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Run: { wpa | wpa2 } authentication-method dot1x { peap | tls } encryption- method { tkip | ccmp } The dot1x authentication and corresponding encryption mode are configured for the WPA/WPA2 policy.
Page 183 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration By default, the interval for updating an MSK is 86400s; the number of packets that will trigger MSK update is 10000; the number of retransmissions of MSK negotiation packets is 3.
Page 184 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration ---------------------------- 802.1p to User-priority Mapping List: ---------------------------- 802.1p User-priority ---------------------------- Tunnel priority(up) Mapping Mode:ToS(inner) to ToS(outer) ---------------------------- ToS(inner) ToS(outer) ---------------------------- Tunnel priority(down) Mapping Mode:ToS(inner) to ToS(outer) ---------------------------- ToS(inner)
Page 185 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The rate limit for upstream or downstream packets is set for a single STA or all STAs associated with a VAP. Step 7 (Optional) Run either of the following commands to set designated priorities or priority...
Page 186 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration A traffic profile is created. Step 7 Run: quit Return to the system view. Step 8 Run: service-set { name service-set-name | id service-set-id } A service set is created.
Page 187: Maintaining The Wlan Service
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The radio view is displayed. Run: service-set { name service-set-name | id service-set-id } [ wlan wlan-id ] A service set is bound to the radio. Run: quit Return to the WLAN view.
Page 188 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Context CAUTION Exercise caution when resetting an AP because services on the AP will be interrupted. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: wlan The WLAN view is displayed.
Page 189 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The system view is displayed. Run: wlan The WLAN view is displayed. Run: ap-update mode { ftp-mode | ac-mode } The AP upgrade mode is set to AC mode.
Page 190: Configuration Examples
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Context Signals of unauthorized APs on a WLAN may interfere with signals of authorized APs on the WLAN, deteriorating the signal transmission quality or even data loss. To remove unauthorized APs from the WLAN to ensure network security, locate the physical locations of APs.
Page 191 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Table 5-1 Data plan Item Data WLAN service WEP open system authentication and no encryption Management VLAN for APs VLAN 100, which is assigned by the Switch AP region...
Page 192 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration (3) Configure a service set and bind a security profile and a traffic profile to it to ensure security and QoS for STAs. (4) Configure a VAP and deliver VAP parameters so that STAs can access the WLAN.
Page 193 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration [AC-Vlanif102] ip address 192.168.2.1 24 [AC-Vlanif102] dhcp select interface [AC-Vlanif102] quit NOTE An AP can set up a connection with an AC only after obtaining an IP address from the AC, a broadband remote access server (BRAS), or a DHCP server.
Page 194 [AC-wlan-service-set-huawei-2] service-vlan 102 [AC-wlan-service-set-huawei-2] forward-mode direct-forward [AC-wlan-service-set-huawei-2] quit Step 7 Configure VAPs for APs and deliver VAP parameters. # Bind radios of AP1 and AP2 to service sets huawei-1 and huawei-2. [AC-wlan-view] ap 0 radio 0 [AC-wlan-radio-0/0] service-set name huawei-1 [AC-wlan-radio-0/0] quit...
Page 195 Configuration Guide - SPU 5 WLAN Configuration Step 8 Verify the configuration. Two WLANs with SSIDs huawei-1 and huawei-2 are available for STAs connected to AP1 and AP2, and these STAs can connect to the WLAN without authentication. ----End Configuration Files...
Page 196 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration ap-auth-mode no- auth ap id 0 ap id wmm-profile name wmm-1 id traffic-profile name traffic-1 id security-profile name security-1 id service-set name huawei-1 id wlan-ess ssid huawei-1 traffic-profile id...
Page 197: Wlan Security Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration trunk port trunk allow-pass vlan 100 to 5.2 WLAN Security Configuration This chapter describes how to configure WLAN security in the AC + fit AP networking mode. 5.2.1 WLAN Security Overview The wireless security feature provided by 802.11 authentication can defend against common...
Page 198 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration sent to the wireless client. If the two character strings are the same, the wireless client and AP have the same shared key and the wireless client passes shared key authentication.
Page 199: Wlan Security Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration 5.2.2 WLAN Security Features Supported by the SPU The SPU supports a variety of WLAN security features, including access security policy management, station (STA) blacklist and whitelist management, and user isolation.
Page 200 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Connecting an AP to an AC correctly Data Preparation To configure an access security policy, you need the following data. Data Security profile name or security profile ID...
Page 201 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The WEP security policy is configured. Run: wep authentication-method open-system [ data-encrypt ] WEP open system authentication is configured. WEP shared key authentication Run: security-policy wep The WEP security policy is configured.
Page 202 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration WAPI supports two authentication modes: certificate authentication and pre-shared key authentication. When pre-shared key authentication is used, the shared key must be configured. Run: wapi import certificate { ac | asu | issuer } file-name file_name The AC certificate file, certificate of the AC certificate issuer, and ASU certificate file are imported.
Page 203: Configuring The Sta Blacklist And Whitelist
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Profile name : lw Profile ID Authentication : Share key Encryption : WEP-40 ------------------------------------------------------------ Service-set ID SSID l00129796_9300 l00129796_93002 ------------------------------------------------------------ WEP's configuration Authentication : Share key Encryption : WEP-40...
Page 204 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Data Preparation To configure the STA blacklist and whitelist, you need the following data. Data AP ID and STA's MAC address Procedure Step 1 Run: system-view The system view is displayed.
Page 205: Configuring User Isolation
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration information: ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ 0026-0000-90a1 0026-0000-909f ------------------------------------------------------------------------------ Total number: 2 Run the display sta-whitelist command to view the STA whitelist. Check the STA whitelist. <Quidway> display sta-whitelist Station mac global white list...
Page 206 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Figure 5-6 User isolation networking Gateway Client1 Client2 Client3 As shown in Figure 5-6, after user isolation is configured, clients 1 through 4 cannot communicate directly. Pre-configuration Tasks...
Page 207 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Step 3 Configure user isolation. If data is directly forwarded between the AP and AC, user isolation must be configured in a service set. Run: service-set { name service-set-name | id service-set-id } A service set is configured.
Page 208: Configuration Examples
Shared key authentication and WEP-40 encryption are used on the WLAN with the SSID huawei-2. WPA1 authentication and TKIP encryption are used on the WLAN with the SSID huawei-3. WPA2 authentication and CCMP encryption are used on the WLAN with the SSID huawei-4.
Page 209 Prerequisite An AC and APs can communicate properly. AP1 and AP2 are working properly. The AC certificate file huawei-ac.cer, ASU certificate file huawei-asu.cer, and AC private key file ac-key.key have been saved in the CF card of the AC. A radio profile has been created and bound to a radio.
Page 210 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Create security profiles and configure security policies so that STAs access different WLANs by using different security policies. Create service sets, bind security profiles to them, and specify SSIDs for them.
Page 211 Step 3 Create service sets, create VAPs, and deliver VAP parameters. # Create service set ss-1, specify SSID huawei-1 for it, bind traffic profile ctc and security profile security-1 to it, and deliver VAP parameters to radio 0 of AP1.
Page 212 On the WLAN with the SSID huawei-1, users can use the WLAN service without being authenticated. l On the WLAN with the SSID huawei-2, users can use the WLAN service only when they have the shared key. l On the WLAN with the SSID huawei-3 or huawei-4, users can use the WLAN service only when they pass 802.1x authentication.
Page 213: Wlan Qos Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration traffic-profile name ctc id 1 security-profile name security-1 id 1 security-profile name security-2 id 2 wep authentication-method share-key wep key wep-40 pass-phrase 0 12345 security-profile name security-3 id 3...
Page 214: Wlan Qos Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration An 802.11 network provides the competition-based wireless access service. Different applications have different requirements for networks; however, traditional networks cannot provide access services of different qualities for different applications.
Page 215 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration duration. If this parameter is set to 0, an AP or a STA can send only one packet each time it occupies a channel. ACK policy: determines whether to send an ACK packet to confirm the receiving of a unicast packet.
Page 216: Configuring A Radio Qos Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration 5.3.3 Configuring a Radio QoS Policy A radio QoS policy controls an AP's capability to compete for channels and determines the quality of services provided for the AP.
Page 217 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration The following information shows the default configuration of the WMM profile wp. [Quidway-wlan-view] display wmm-profile name wp Profile ID Profile name : wp WMM switch : enable Client EDCA parameters:...
Page 218: Configuring A Vap Qos Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Checking the Configuration Run the display wmm-profile { all | id profile-id | name profile-name } command to view the configuration of a WMM profile. 5.3.4 Configuring a VAP QoS Policy To apply the priority mapping and traffic suppression functions to a virtual AP (VAP), create a traffic profile and bind the traffic profile to a service set.
Page 219 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration After a traffic profile is created, parameters in the profile use default values. To view the configuration of a traffic profile, run the display traffic-profile { all | id profile-id | name profile-name } command.
Page 220: Configuring The User Priority And Car
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Step 4 (Optional) Run: 8021p { designate value | up-mapping value0 value1 value2 value3 value4 value5 value6 value7 } The 802.1p priority of 802.3 packets sent from an AP to an AC is set.
Page 221 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration Data User profile name or user profile ID User priority QoS CAR profile name Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: wlan The WLAN view is displayed.
Page 222: Configuration Examples
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration User-priority upstream User-priority downstream 5.3.6 Configuration Examples Example for Configuring a QoS Policy Networking Requirements STA1 and STA2 are connected to the network through AP1. STA3, STA4, and STA5 are connected to the network through AP2.
Page 223 VLAN: 204 l SSID: huawei-5 l Traffic profile: huawei-vip l VLAN: 205 Radio profile of an AP l AP1 radio profile (huawei) and WMM profile (huawei) l AP2 radio profile (huawei-vi) and WMM profile (huawei-vi) Management VLAN of an AP...
Page 224 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration l Create a service set and bind the security profile and traffic profile to the service set. l Configure a VAP and deliver VAP parameters to implement QoS control for STAs.
Page 225 [AC-WLAN-ESS5] quit Step 5 Configure profiles for APs. Create WMM profiles. # Create a WMM profile huawei and use the default settings, for example, the AC_VO queue has a higher priority than the AC_VI queue. [AC-wlan-view] wmm-profile name huawei [AC-wlan-wmm-prof-huawei] quit # Create a WMM profile huawei-vi and change the queue priority to enable the AC_VI queue to have a higher priority than the AC_VO queue.
Page 226 [AC-wlan-view] security-profile name huawei [AC-wlan-sec-prof-huawei] quit Create traffic profiles. # Create a traffic profile huawei and limit the VAP downstream rate to 1024 kbit/s and STA upstream rate to 512 kbit/s. [AC-wlan-view] traffic-profile name huawei [AC-wlan-traffic-prof-huawei] rate-limit client up 512...
Page 227 [AC-wlan-service-set-huawei-5] service-vlan 205 [AC-wlan-service-set-huawei-5] quit Step 8 Configure VAPs for APs and deliver VAP parameters. # Bind the radio of AP1 to service sets huawei-1 and huawei-2 and deliver VAP parameters. [AC-wlan-view] ap 1 radio 0 [AC-wlan-radio-1/0] service-set name huawei-1...
Page 228 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration interface Vlanif100 ip address 192.168.0.1 255.255.255.0 interface Wlan-Ess1 port hybrid untagged vlan 101 interface Wlan-Ess2 port hybrid untagged vlan 102 interface Wlan-Ess3 port hybrid untagged vlan 203 interface Wlan-Ess4...
Page 229 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 5 WLAN Configuration security-profile id 0 service-vlan 205 radio-profile name huawei id 0 wmm-profile id 0 radio-profile name huawei-vi id 1 wmm-profile id 1 ap 1 radio radio-profile name huawei service-set name huawei-1 wlan 1...
Page 230: Load Balancing Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Load Balancing Configuration About This Chapter Load balancing is a cluster technology that load balances special services such as network services and network traffic among multiple links or network devices, for example, servers and firewalls.
Page 231: Load Balancing Overview
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration 6.1 Load Balancing Overview This section describes the background, classification, and basic concepts of load balancing. Background With rapid development of the Internet, increasing users and diversified services propose high requirements for the network performance.
Page 232: Basic Concepts
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration – Server load balancing indicates that load balancing is performed among different servers. – Firewall load balancing indicates that load balancing is performed among different firewalls. Load balancing technology Load balancing is classified into DNS-based load balancing and network-based load balancing.
Page 233 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration The load balancing algorithm is used by the load balancing device to select a load balancing member for providing the best services for users. The SPU supports the following load balancing algorithms: –...
Page 234: Load Balancing Features Supported By The Spu
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration – Requests whose source and destination IP addresses are located in the same network segment The hash algorithm is applied to the scenario where requests from a user are distributed to the same server or link, and is also applied to server load balancing.
Page 235 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration By using the dynamic load balancing algorithm, multiple egress links share the traffic. The algorithm is easily configured and adapts to the network structure change. The preceding problem can be solved.
Page 236 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration The forwarding mode can be DNAT or DMAC in server load balancing. In egress link load balancing, the SPU supports the redirection mode. Server Load Balancing With the fast development of the Internet and services, the network-based data access traffic increases rapidly.
Page 237 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-2 Typical networking of server load balancing in DNAT mode ServerA Switch Host ServerB Network ServerC As shown in Figure 6-2, multiple servers provide services through the virtual IP address.
Page 238 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-3 Typical networking of server load balancing in DMAC mode ServerA SwitchA Host ServerB Network SwitchB ServerC As shown in Figure 6-3, multiple servers provide services through the virtual IP address.
Page 239: Firewall Load Balancing
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Server load balancing supported by the SPU can identify users and send the same type of requests of a user to a server for processing, meeting the requirements of a user whose multiple connections of a session are processed by a server in e-commerce.
Page 240 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-4 Typical networking of firewall load balancing FirewallA Switch HostA SwitchB HostB Network Network Firewall As shown in Figure 6-4, Switch A and Switch B function as load balancing devices and are responsible for allocating traffic of user requests to multiple firewalls.
Page 241 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-5 Networking of standard firewall load balancing FirewallA 10.10.10.1 10.10.11.1 HostA SwitchB HostB SwitchA Network Network 10.10.10.2 10.10.11.2 FirewallB Transparent firewalls have no IP addresses and cannot be detected by other devices on a network.
Page 242: Configuring Egress Link Load Balancing
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration The process of combined load balancing is actually the combination of firewall load balancing and server load balancing. The combined load balancing prevents the firewalls from being the bottleneck on the network and improves the performance and availability of network services such as HTTP.
Page 243: Optional) Configuring An Nat Address Pool
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Data Name and parameters of the link group, including the description, load balancing algorithm, forwarding mode, action performed when the member fails, threshold for switching services from the master server group to the backup server group,...
Page 244: Optional) Configuring Link Health Detection
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.
Page 245 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 2 Run: load-balance ip interface interface-type interface-number The IP address of a sub-interface is obtained and used as the source IP address of probing packets of a probe.
Page 246: Configuring A Link
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration fail-interval interval The interval for a probe to detect that a link member is Down is set. After the link becomes invalid, the SPU sends probing packets at this interval to detect link recovery.
Page 247: Configuring A Link Group
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration After selecting a link through the load balancing algorithm, the system compares the used bandwidth and the connection rate with the bandwidth limit and connection rate limit. If the bandwidth limit or connection rate limit is reached, the system does not select the link.
Page 248 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration By default, the probe mode is fail-on-one. In fail-on-one mode, the S7700 considers a link to be invalid when a probe detects that the link is in Down state.
Page 249: Configuring A Layer 7 Classifier
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 10 (Optional) Run: priority level The priority of the link instance is set. When the priorities of a link instance and a link are set simultaneously, the priority of the link instance takes effect.
Page 250: Configuring A Load Balancing Action
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Context On the SPU, Layer 7 classification indicates that packets are classified based on URLs of Layer 7 services. In egress link load balancing, the matching rule of a Layer 7 classifier must be set to any.
Page 251: Configuring An Acl
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 3 Run the following command as required. l Run: drop The action is set to drop. l Run: forward The action is set to forward. l Run: group master-group-name [ backup backup-group-name ] The action is set to load balance.
Page 252: Optional) Configuring A Connection Parameter Profile
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration l When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows: – rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-...
Page 253: Configuring A Layer 3 Classifier
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 3 Run: tcp aging-time aging-time The aging time of the TCP traffic forwarding table is set. By default, the aging time of the TCP traffic forwarding table is 3600s.
Page 254: Configuring A Load Balancing Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration NOTE l If the SPU is required to respond to ping requests of users, ping request packets of users must match the ACL in the Layer 3 classifier.
Page 255: Applying The Load Balancing Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 3 Run: l3classifier l3classifier-name A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.
Page 256: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface. ----End 6.3.13 Checking the Configuration After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
Page 257 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration bottleneck. By using server load balancing, you can properly distribute network services to multiple servers for processing. This reduces the burden of a single server, improves the service processing capabilities, and ensures the high reliability of services.
Page 258: Optional) Configuring An Nat Address Pool
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Data Related parameters of the load balancing policy, including the load balancing policy name and bound Layer 3 classifier Object that the load balancing profile is applied to 6.4.2 (Optional) Configuring an NAT Address Pool...
Page 259 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Context When a server group is bound to only a probe, the health status of a server member is detected according to the following principles: If the server member is in Down state, the probe sends probing packets at intervals specified by fail-interval interval.
Page 260 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration for the specified number of times in the specified time and the data carried in the response packets is the same as the expected response data, it considers the probing to be successful and sets the server to Up.
Page 261 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration By default, no description is configured for a probe. Step 5 (Optional) Run: interval interval The probing interval of a probe is set. The probing interval of a probe indicates the interval for sending probing packets to detect the health status of a server.
Page 262 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration – Run: expect-data data The expected response data of a TCP probe or a UDP probe is set. A TCP probe or a UDP probe determines whether a server member works normally by comparing the sent data and the expected response data.
Page 263: Configuring A Server
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration 6.4.4 Configuring a Server This section describes how to set the IP address and related parameters for each server on the SPU so that the SPU can communicate with each server.
Page 264: Configuring A Server Group
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration After selecting a server through the load balancing algorithm, the SPU compares the current bandwidth and the number of connections with the bandwidth limit and connection rate limit.
Page 265 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration By default, the probe mode is fail-on-one. In fail-on-one mode, a server is considered as Down when all the probes bound to the server group detect that the server member is in Down state.
Page 266 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 9 Run: member member-name A server is bound to the server group and the server instance view is displayed. Step 10 (Optional) Run: rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-...
Page 267: Optional) Configuring Session Stickiness
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration When the weights of a server instance and a server are set simultaneously, the weight of the server instance takes effect. If the weight of a server instance is not set, the SPU uses the weight of a server. If the weight of the server is not set, the SPU adopts the default value.
Page 268 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration the subsequent requests of the user are sent to the same server. The SPU thus does not make load balancing decisions. The SPU supports static and dynamic stickiness: When packets of a session match static sticky entries, the stickiness corresponding to the session is called static stickiness.
Page 269: Configuring A Layer 7 Classifier
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 6 (Optional) Run: static client { destination dest-ip-address | source src-ip-address destination dest-ip-address ] member member-name A static sticky entry is configured. The SPU supports static sticky entries based on the source IP address, the destination IP address, or the source and destination IP addresses.
Page 270: Configuring A Load Balancing Action
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration load-balance l7classifier l7classifier-name [ and | or ] A Layer 7 classifier is created and the Layer 7 classifier view is displayed. By default, no Layer 7 classifier is configured.
Page 271: Configuring An Acl
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: load-balance action action-name A load balancing action profile is created and the load balancing action profile view is displayed.
Page 272: Optional) Configuring A Connection Parameter Profile
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration step step-value The step between ACL rule IDs is set. By default, the step between ACL rule IDs is 5. Step 4 Run the following command as required:...
Page 273: Optional) Configuring An Http Parameter Profile
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration A connection parameter profile is created and the connection parameter profile view is displayed. Up to 1024 connection parameter profiles can be created. By default, no connection parameter profile is created.
Page 274: Configuring A Layer 3 Classifier
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration rebalance per-request Each HTTP request is rebalanced. By default, the SPU does not rebalance newly received HTTP requests. ----End 6.4.12 Configuring a Layer 3 Classifier This section describes how to create a Layer 3 classifier and configure a matching rule.
Page 275: Configuring A Load Balancing Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration CAUTION l If the SPU is required to respond to ping requests of users, ping request packets of users must match the ACL in the Layer 3 classifier.
Page 276: Applying The Load Balancing Policy
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration The system view is displayed. Step 2 Run: load-balance policy policy-name A load balancing policy is created and the load balancing policy view is displayed. Up to 1024 load balancing policies can be created.
Page 277: Checking The Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration By default, an NAT address pool is not enabled to respond to ARP requests on a sub-interface. When the NAT address pool is used for source IP address translation, if the IP address of the...
Page 278 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration performance of the firewall is low and the firewall becomes the bottleneck on the network. If existing devices are replaced to improve the forwarding performance, hardware resources are wasted.
Page 279 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Data (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table (Optional) Name and related parameters of the HTTP parameter profile, including...
Page 280: Configuration Instructions
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Configuration Instructions In the firewall load balancing technology, firewalls function as servers. The configuration procedure of firewall load balancing is similar to that of server load balancing, and the difference is described in the following two tables.
Page 281: Configuration Examples
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step Reference (Optional) Configure server 6.4.3 (Optional) Configuring Server health detection. Health Detection Configure a server. 6.4.4 Configuring a Server Configure a server group 6.4.5 Configuring a Server Group (Optional) Configure session 6.4.6 (Optional) Configuring Session...
Page 282 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Another link is selected automatically when a link becomes invalid or the link limit is exceeded. NAT for translating source IP addresses is enabled. The enterprise user is connected to GE 3/0/0 of the Switch and the SPU is installed in slot 5 of the Switch.
Page 283 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Configure a Layer 3 classifier. Configure a load balancing policy. 10. Apply the load balancing policy to the interface of the internal network. Data Preparation To complete the configuration, you need the following data:...
Page 284 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Add an interface to a VLAN on the SPU. [SPU] interface xgigabitethernet 0/0/1.12 [SPU-XGigabitEthernet0/0/1.12] control-vid 12 dot1q-termination [SPU-XGigabitEthernet0/0/1.12] dot1q termination vid 12 [SPU-XGigabitEthernet0/0/1.12] ip address 10.10.10.1 255.255.255.0 [SPU-XGigabitEthernet0/0/1.12] arp broadcast enable...
Page 285 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 4 Configure a link group. # Create the link group named linkgroup1, adopt the WRR algorithm, set the forwarding mode to redirection, bind isp1 and isp2 to probe1, and bind NAT address pool 2 and NAT address pool 3 to the link instance.
Page 286 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] interface xgigabitethernet0/0/1.12 [SPU-XGigabitEthernet0/0/1.12] service load-balance policy lbp1 [SPU-XGigabitEthernet0/0/1.12] quit Step 11 Verify the configuration. # View the configuration of links. [SPU] display load-balance member name isp1...
Page 287 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Inbound max bandwidth rate : 8000(kbps) Inbound max threshold : 100% Outbound max bandwidth rate : 8000(kbps) Outbound max threshold : 100% Weight : 30 Priority NAT ID...
Page 288 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration NAT ID Connection parameter name : - HTTP parameter name L7 classifier name : l7cls1 L7 action name : act1 # View the configuration of the load balancing policy.
Page 289: Example For Configuring Layer 3 Server Load Balancing In Dmac Mode
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration interval 20 fail-interval 20 load-balance member isp1 ip address 20.20.20.1 weight 30 conn-limit max 10000 rate-limit connection 1500 rate-limit bandwidth inbound 100 threshold 80 rate-limit bandwidth outbound 100 threshold 80 load-balance member isp2 ip address 30.30.30.1...
Page 290 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration After the master server fails, the load balancing device randomly selects an available server from backup servers. Switch B is connected to GE 3/0/0 and GE 3/0/1 of Switch A and the SPU is installed in slot 5 of Switch A.
Page 291 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Data Preparation To complete the configuration, you need the following data: Server names, connection quantity limits, connection rate limits, and bandwidth rate limits Name and related parameters of the probe...
Page 292 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU-Eth-Trunk0.13] quit Step 2 Configure servers. # Create servers servera, serverb, serverc, and serverd and configure them to communicate with real servers, that is, Server A, Server B, Server C, and Server D.
Page 293 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration # Create the server group named servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DMAC, and adopt the WRR algorithm.
Page 294 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Step 8 Configure a Layer 3 classifier. # Create the Layer 3 classifier named l3cls1, set the matching rule to match ACL 3000, bind l3cls1 to l7cls1 and act1.
Page 295 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Max connection rate : 400 Inbound max bandwidth rate : 400(kbps) Inbound threshold : 80% Outbound max bandwidth rate : 400(kbps) Outbound threshold : 80% Weight : 40...
Page 296 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] display load-balance group name servergroup1 member name serverb Group name : servergroup1 Member name : serverb Inservice type : inservice Port Max connection : 4000000 Max connection rate...
Page 297 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration : 3000 ICMP reply : Disable NAT ID Connection parameter name : - HTTP parameter name L7 classifier name : l7cls1 L7 action name : act1 # View the configuration of the load balancing policy.
Page 298 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration ip address 10.10.10.1 255.255.255.0 service load-balance policy lbp1 arp broadcast enable interface Eth-Trunk0.13 control-vid 13 dot1q-termination dot1q termination vid 13 ip address 20.20.20.5 255.255.255.0 arp broadcast enable...
Page 299: Example For Configuring Layer 3 Server Load Balancing In Dnat Mode
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration load-balance action act1 group servergroup1 load-balance l7classifier l7cls1 match any load-balance ip interface Eth-Trunk 0.2 load-balance l3classifier l3cls1 l7classifier l7cls1 action act1 if-match acl 3000 load-balance policy lbp1...
Page 300 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode 10.10.10.2/24 Host Internet GE3/0/0 XGE5/0/0 XGE0/0/1 Switch XGE5/0/1 XGE0/0/2 VIP 20.20.20.2:80 ServerA ServerB...
Page 301 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Data Preparation To complete the configuration, you need the following data: Network segment and index of the NAT address pool Server names, connection quantity limits, connection rate limits, and bandwidth rate limits...
Page 302 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2 [SPU-XGigabitEthernet0/0/2] eth-trunk 0 [SPU-XGigabitEthernet0/0/2] quit [SPU] interface eth-trunk 0.12 [SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination [SPU-Eth-Trunk0.12] dot1q termination vid 12 [SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0...
Page 303 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000 [SPU-lb-member-serverd] rate-limit connection 200 [SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80 [SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80 [SPU-lb-member-serverd] quit Step 3 Configure health detection.
Page 304 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched. [SPU] load-balance l7classifier l7cls1 or [SPU-lb-l7classifier-l7cls1] match any [SPU-lb-l7classifier-l7cls1] quit Step 6 Configure a load balancing action profile.
Page 305 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Cur-connections Closed-connections Inbound cur-bandwidths Outbound cur-bandwidths Group name : servergroup1 [SPU] display load-balance member name serverb Member name : serverb Description : 10.10.20.2 Max connection : 6000...
Page 306 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Action name : act1 Member instance name: servera serverb [SPU] display load-balance group name servergroup2 Group name : servergroup2 Description Method : roundrobin Forward mode : dnat...
Page 307 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Inservice type : inservice Port : 8080 Max connection : 4000000 Max connection rate Inbound max bandwidth rate : 1000000(kbps) Inbound max bandwidth threshold : 100% Outbound max bandwidth rate...
Page 308 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to servergroup2 after Server A of servergroup1 is faulty.
Page 309 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration control-vid 15 dot1q-termination dot1q termination vid 15 ip address 10.10.30.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group interface Eth-Trunk0.16 control-vid 16 dot1q-termination dot1q termination vid 16 ip address 10.10.40.1 255.255.255.0...
Page 310: Example For Configuring Layer 7 Server Load Balancing In Dnat Mode
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration forward-mode dnat member serverc member port 80 inservice member serverd member port 8080 inservice probe probe1 load-balance action act1 group servergroup1 backup servergroup2 load-balance l7classifier l7cls1 or match any load-balance ip interface Eth-Trunk 0.2...
Page 311 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode 10.10.10.2/24 Host Internet GE3/0/0 XGE5/0/0 XGE0/0/1 Switch XGE5/0/1 XGE0/0/2 VIP 20.20.20.2:80 ServerA ServerB...
Page 312 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Network segment and index of the NAT address pool Server names, connection quantity limits, connection rate limits, and bandwidth rate limits Name and related parameters of the probe...
Page 313 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2 [SPU-XGigabitEthernet0/0/2] eth-trunk 0 [SPU-XGigabitEthernet0/0/2] quit [SPU] interface eth-trunk 0.12 [SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination [SPU-Eth-Trunk0.12] dot1q termination vid 12 [SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0...
Page 314 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000 [SPU-lb-member-serverd] rate-limit connection 200 [SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80 [SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80 [SPU-lb-member-serverd] quit Step 3 Configure health detection.
Page 315 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU-lb-group-servergroup1-member-serverb] quit [SPU-lb-group-servergroup1] member serverc [SPU-lb-group-servergroup1-member-serverc] inservice standby [SPU-lb-group-servergroup1-member-serverc] quit [SPU-lb-group-servergroup1] member serverd [SPU-lb-group-servergroup1-member-serverd] inservice standby [SPU-lb-group-servergroup1-member-serverd] quit Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and configure the matching rule to match request packets with the URL being slbha[w|W](.*).
Page 316 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Description : 10.10.50.2 Max connection : 8000 Max connection rate : 800 Inbound max bandwidth rate : 800(kbps) Inbound threshold : 80% Outbound max bandwidth rate : 800(kbps)
Page 317 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] display load-balance probe name probe1 Probe name : probe1 Description Probe type : http Source IP : 100.100.100.201 Destination port Probe port Interval : 20(s) Retry count...
Page 318 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] display load-balance group name servergroup1 member name serverb verbose Group name : servergroup1 Member name : serverb Inservice type : inservice Port Max connection : 4000000...
Page 319 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Member instance ID Status : up Inbound bytes Outbound bytes Inbound packets Outbound packets Cur-connection Closed-connections Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s) # View the configuration of the Layer 7 classifier.
Page 320 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration # Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU.
Page 321 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration eth-trunk 0 interface XGigabitEthernet0/0/2 eth-trunk 0 load-balance probe probe1 http interval 20 fail-interval 20 user admin password admin header Accept-Charset header-value iso-8859-5 request method head url index.html...
Page 322: Example For Configuring Session Stickiness
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration l7classifier l7cls1 action act1 nat outbound address-group 2 if-match acl 3000 load-balance policy lbp1 l3classifier l3cls1 return 6.6.5 Example for Configuring Session Stickiness This section provides an example for configuring session stickiness. With the session stickiness function, requests of the same type of users are processed by the same server, meeting e- commerce requirements of internal network users.
Page 323 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode 10.10.10.2/24 Host Internet GE3/0/0 XGE5/0/0 XGE0/0/1 Switch XGE5/0/1 XGE0/0/2 VIP 20.20.20.2:80 ServerA ServerB...
Page 324 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Network segment and index of the NAT address pool Server names, connection quantity limits, connection rate limits, and bandwidth rate limits Name and related parameters of the probe...
Page 325 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] interface xgigabitethernet 0/0/1 [SPU-XGigabitEthernet0/0/1] eth-trunk 0 [SPU-XGigabitEthernet0/0/1] quit [SPU] interface xgigabitethernet 0/0/2 [SPU-XGigabitEthernet0/0/2] eth-trunk 0 [SPU-XGigabitEthernet0/0/2] quit [SPU] interface eth-trunk 0.12 [SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination [SPU-Eth-Trunk0.12] dot1q termination vid 12 [SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0...
Page 326 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] load-balance member serverd [SPU-lb-member-serverd] ip address 10.10.40.2 [SPU-lb-member-serverd] weight 20 [SPU-lb-member-serverd] conn-limit max 2000 [SPU-lb-member-serverd] rate-limit connection 200 [SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80 [SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80 [SPU-lb-member-serverd] quit Step 3 Configure health detection.
Page 327 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU-lb-group-servergroup1-member-serverb] quit [SPU-lb-group-servergroup1] member serverc [SPU-lb-group-servergroup1-member-serverc] inservice standby [SPU-lb-group-servergroup1-member-serverc] quit [SPU-lb-group-servergroup1] member serverd [SPU-lb-group-servergroup1-member-serverd] inservice standby [SPU-lb-group-servergroup1-member-serverd] quit Step 5 Configure session stickiness. # Create the sticky group named stickygroup1, configure a static sticky entry, and perform stickiness for the destination IP address.
Page 328 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] interface eth-trunk 0.12 [SPU-Eth-Trunk0.12] service load-balance policy lbp1 [SPU-Eth-Trunk0.12] quit Step 12 Verify the configuration. # View the configurations of servers. [SPU] display load-balance member name servera...
Page 329 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Priority Cur-connections Closed-connections Inbound cur-bandwidths Outbound cur-bandwidths Group name : servergroup1 # View the configuration of the probe. [SPU] display load-balance probe name probe1 Probe name : probe1...
Page 330 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Member instance ID Status : up Inbound bytes Outbound bytes Inbound packets Outbound packets Cur-connection Closed-connections Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s) [SPU] display load-balance group name servergroup1 member name serverb verbose...
Page 331 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Max connection : 4000000 Max connection rate Inbound max bandwidth rate : 1000000(kbps) Inbound max threshold : 100% Outbound max bandwidth rate : 1000000(kbps) Outbound max threshold...
Page 332 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Description Bound interface : Eth-Trunk 0.12 Numbers of L3 classifier : 1 L3 classifier name : l3cls1 Action type : sticky-load-balance Stickygroup name : stickygroup1 Current group name : servergroup1 # Simulate the internal network user at 10.10.10.2/24 to access the virtual IP address...
Page 333 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration control-vid 12 dot1q-termination dot1q termination vid 12 ip address 10.10.10.1 255.255.255.0 service load-balance policy lbp1 arp broadcast enable interface Eth-Trunk0.13 control-vid 13 dot1q-termination dot1q termination vid 13 ip address 10.10.50.1 255.255.255.0...
Page 334: Example For Configuring Standard Firewall Load Balancing
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration rate-limit connection 400 rate-limit bandwidth inbound 400 threshold 80 rate-limit bandwidth outbound 400 threshold 80 load-balance member serverd ip address 192.168.20.4 weight 20 conn-limit max 2000 rate-limit connection 200...
Page 335 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Figure 6-13 Networking for configuring standard firewall load balancing XGE5/0/0 XGE0/0/1 XGE5/0/1 XGE0/0/2 Server GE4/0/6 GE4/0/2 GE1/0/26 GE1/0/22 GE1/0/25 Network Network GE1/0/28 SwitchA SwitchC GE1/0/27 GE1/0/23 Host 20.20.20.3/24...
Page 336 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration Configure a load balancing action profile and specify an action. Configure an advanced ACL. Configure a Layer 3 classifier. Configure a load balancing policy. 10. Apply the load balancing policy to a sub-interface and enable MAC address stickiness.
Page 337 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SwitchA-GigabitEthernet1/0/25] quit [SwitchA] interface GigabitEthernet1/0/26 [SwitchA-GigabitEthernet1/0/26] port link-type trunk [SwitchA-GigabitEthernet1/0/26] undo port trunk allow-pass vlan 1 [SwitchA-GigabitEthernet1/0/26] port trunk allow-pass vlan 600 [SwitchA-GigabitEthernet1/0/26] quit [SwitchA] interface GigabitEthernet1/0/27...
Page 338 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] load-balance group sg11 [SPU-lb-group-sg11] forward-mode dmac [SPU-lb-group-sg11] member s11 [SPU-lb-group-sg11-member-s11] inservice [SPU-lb-group-sg11-member-s11] quit [SPU-lb-group-sg11] member s21 [SPU-lb-group-sg11-member-s21] inservice [SPU-lb-group-sg11-member-s21] quit [SPU-lb-group-sg11] quit Configure a Layer 7 classifier.
Page 339 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SwitchB] interface Eth-Trunk 0 [SwitchB-Eth-Trunk0] port link-type trunk [SwitchB-Eth-Trunk0] port trunk allow-pass vlan 600 800 [SwitchB-Eth-Trunk0] quit [SwitchB] interface GigabitEthernet4/0/6 [SwitchB-GigabitEthernet4/0/6] port link-type trunk [SwitchB-GigabitEthernet4/0/6] undo port trunk allow-pass vlan 1...
Page 340 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPUA] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2 [SPUA] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1 (4) Add inbound and outbound interfaces to the VLAN on SPUB and configure static routes to import traffic to the SPU of SwitchC.
Page 341 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPUB] interface Eth-Trunk 0.5 [SPUB-Eth-Trunk0.5] zone a [SPUB-Eth-Trunk0.5] quit [SPUB] interface Eth-Trunk 0.6 [SPUB-Eth-Trunk0.6] zone b [SPUB-Eth-Trunk0.6] quit Configure SwitchC. Configure traffic importing on SwitchC. (1) Import traffic from SwitchC to the SPU. The SPU is installed in slot 2.
Page 342 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU-XGigabitEthernet0/0/2] eth-Trunk 0 [SPU-XGigabitEthernet0/0/2] quit Configure a NAT address pool on the SPU. [SPU] nat address-group 2 33.33.33.33 33.33.33.250 Configure servers. # Create the servers s31 and s32 and configure them to communicate with real servers s31 and s32.
Page 343 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration [SPU] load-balance policy lp [SPU-lb-policy-lp] l3classifier l3 [SPU-lb-policy-lp] quit 10. Apply the load balancing policy and enable MAC address stickiness. # Apply the load balancing policy to a sub-interface of the SPU and enable MAC address stickiness.
Page 344 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration interface XGigabitEthernet5/0/1 eth-Trunk 0 return Configuration file of the SPU on SwitchA acl number 3005 rule permit ip destination 3.3.3.3 0.0.0.255 interface Eth-Trunk 0 interface Eth-Trunk0.5 control-vid 400 dot1q-termination dot1q termination vid 400 ip address 20.20.20.1 255.255.255.0...
Page 345 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration return Configuration file of SwitchB vlan batch 600 700 800 900 interface Eth-Trunk 0 port link-type trunk port trunk allow-pass vlan 600 800 interface Eth-Trunk 1 port link-type trunk...
Page 346 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration control-vid 600 dot1q-termination dot1q termination vid 600 ip address 7.7.61.2 255.255.255.0 arp broadcast enable zone a interface Eth-Trunk0.6 control-vid 800 dot1q-termination dot1q termination vid 800 ip address 11.11.61.1 255.255.255.0...
Page 347 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration interface Eth-Trunk 1 port link-type trunk port trunk allow-pass vlan 800 900 1000 interface GigabitEthernet1/0/22 port link-type trunk undo port trunk allow-pass vlan 1 port trunk allow-pass vlan...
Page 348 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 6 Load Balancing Configuration load-balance group sg31 member s31 inservice member s32 inservice load-balance action act3 group sg31 load-balance l7classifier l7 and rule 1 match http url html load-balance l3classifier l3...
Page 349: Dual-System Hsb Configuration
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Dual-System HSB Configuration About This Chapter Firewalls are the nodes that the traffic must pass through on a network. If firewalls are faulty, services are interrupted on the network. The reliability of firewalls greatly affects high availability (HA) of the network.
Page 350: Dual-System Hsb Overview
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration 7.1 Dual-System HSB Overview This section describes basic concepts of dual-system HSB. Firewalls are the nodes that the traffic must pass through on a network. If firewalls are faulty, services are interrupted on the network.
Page 351: Configuring Dual-System Hsb
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Supporting the Setup of the Channel Through Which Dual-System HSB Data Is Synchronized and the Heartbeat Detection Mechanism The channel through which dual-system HSB data is synchronized is configured between the active and standby modules.
Page 352: Establishing The Configuration Task
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration 7.3.1 Establishing the Configuration Task Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.
Page 353: Creating The Channel Through Which Dual-System Hsb Data Is Synchronized
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Step 2 Run: hot-standby enable Dual-system HSB is enabled. By default, dual-system HSB is disabled. ----End 7.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules;...
Page 354: Setting The Interval For Sending Heartbeat Packets And The Number Of Times For Retransmitting Heartbeat Packets
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration 7.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets If a protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall.
Page 355: Maintaining Dual-System Hsb
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration 7.4 Maintaining Dual-System HSB This section describes how to maintain dual-system HSB. 7.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules During the running of dual-system HSB, if the active/standby switchover cannot be performed, you can check the connectivity of the channel between the active and standby modules.
Page 356 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Figure 7-2 Networking diagram for configuring dual-system HSB on the S7700 Outbound XGE0/0/1 XGE0/0/1 Inbound Interface: XGE3/0/0 interface: XGE0/0/2 interface: XGE0/0/2 XGE3/0/1 Eth-Trunk0.1 Eth-Trunk0.2 Eth-Trunk0 IP：10.0.0.2/24 IP：10.0.0.9/24 IP：11.0.0.2/24...
Page 357 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Boar Interface Type Eth- Virtual Priorit Addr Trunk XGigabitEthern N 11 et3/0/1 XGigabitEthern Eth- N 13 et5/0/0 Trunk 1 XGigabitEthern et5/0/1 XGigabitEthern 10.0.0 Eth- 10.0.0.1 et0/0/1 .2/24...
Page 358 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Configure interfaces of SPUs. Configure VRRP. Configure static routes on SPUs. Configure dual-system HSB between SPU A and SPU B. Check whether VRRP negotiation is correct and whether the channel through which dual- system HSB data is synchronized is set up successfully.
Page 359 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [MPU] interface gigabitethernet 2/0/10 [MPU-GigabitEthernet2/0/10] port link-type trunk [MPU-GigabitEthernet2/0/10] port trunk allow-pass vlan 18 [MPU-GigabitEthernet2/0/10] undo port trunk allow-pass vlan 1 [MPU-GigabitEthernet2/0/10] quit [MPU] interface gigabitethernet 2/0/11...
Page 360 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration l Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120.
Page 361 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [S7700-B-Eth-Trunk0.3] dot1q termination vid 13 [S7700-B-Eth-Trunk0.3] ip address 13.0.0.3 24 [S7700-B-Eth-Trunk0.3] arp broadcast enable [S7700-B-Eth-Trunk0.3] quit Step 6 Configure static routes on SPUs. # Log in to SPU A to configure a static route.
Page 362 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Preempt : YES Delay Time TimerRun TimerConfig Auth Type : NONE Virtual Mac : 0000-5e00-0165 Check TTL : YES Config type : member-vrrp Config track link-bfd down-number...
Page 363 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Delete State : NO Used State : YES Enable State : YES TCP State : CONNECT Master Backup State : START Slave Backup State : START Packet State : INITIAL Step 9 Save the configuration.
Page 364 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration return save Configuration file of S7700 A interface eth-trunk0 interface xgigabitethernet0/0/1 eth-trunk 0 interface xgigabitethernet0/0/2 eth-trunk 0 interface eth-trunk0.1 control-vid 10 dot1q-termination dot1q termination vid 10 dot1q vrrp vid 10 ip address 10.0.0.2 24...
Page 365: Example For Configuring Dual-System Hsb Between S7700S
Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration dot1q termination vid 11 dot1q vrrp vid 11 ip address 11.0.0.3 24 vrrp vrid 11 virtual-ip 11.0.0.1 vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown...
Page 366 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Figure 7-3 Networking diagram for configuring dual-system HSB between S7700s Inbound Outbound XGE0/0/1 XGE0/0/1 interface: interface: XGE0/0/2 XGE0/0/2 Interface: XGE3/0/0 Eth-Trunk0.1 Eth-Trunk0.2 XGE3/0/1 Channel: IP：11.0.0.2/24 IP：10.0.0.2/24 XGE0/0/1 VRRP IP：...
Page 367 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Boar Interface Type Eth- Virtual Addr Trunk Type Addres GigabitEthernet2 VLAN /0/13 XGigabitEtherne VLAN Eth- t3/0/0 Trunk 0 VLAN XGigabitEtherne t3/0/1 VLAN XGigabitEtherne t3/0/0 XGigabitEtherne t3/0/1 XGigabitEtherne 10.0.0...
Page 368 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Check whether interfaces of LPUs are in Up state. Check the service type of the SPUs. Configure interfaces of the LPUs. Configure a TCP link. Configure interfaces of SPUs.
Page 369 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [S7700] set service-type 1 The serivce type will be availble after you restart the board, please restart! Step 3 Configure interfaces of the LPUs. NOTE By default, GE 2/0/10, GE 2/0/11, GE 2/0/13, XGE 3/0/0, and XGE 3/0/1 allow packets of VLAN 1 to pass through.
Page 370 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [S7700-XGigabitEthernet0/0/1] eth-trunk 0 [S7700-XGigabitEthernet0/0/1] quit [S7700] interface xgigabitethernet 0/0/2 [S7700-XGigabitEthernet0/0/2] eth-trunk 0 [S7700-XGigabitEthernet0/0/2] quit Step 6 Configure VRRP. # Log in to SPU A. l Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority...
Page 371 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [S7700-B-Eth-Trunk0.2] arp broadcast enable [S7700-B-Eth-Trunk0.2] quit [S7700-B] interface eth-trunk0.1 [S7700-B-Eth-Trunk0.1] control-vid 10 dot1q-termination [S7700-B-Eth-Trunk0.1] dot1q termination vid 10 [S7700-B-Eth-Trunk0.1] dot1q vrrp vid 10 [S7700-B-Eth-Trunk0.1] ip address 10.0.0.3 24 [S7700-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1...
Page 372 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration Config track link-bfd down-number Eth-Trunk0.2|Virtual Router 11 State : Master Virtual IP : 11.0.0.1 PriorityRun : 120 PriorityConfig : 120 MasterPriority : 120 Preempt : YES Delay Time...
Page 373 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration [S7700-B] display hot-standby configuration ------------------HOT-STANDBY CONFIGURATION-------------------- Local IP Address : 13.0.0.3 Peer IP Address : 13.0.0.2 Source port : 4001 Destination port : 3001 Vpn Instance name...
Page 374 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration return save Configuration file of S7700 A interface eth-trunk0 interface xgigabitethernet0/0/1 eth-trunk 0 interface xgigabitethernet0/0/2 eth-trunk 0 interface eth-trunk0.2 control-vid 11 dot1q-termination dot1q termination vid 11 dot1q vrrp vid 11 ip address 11.0.0.2 24...
Page 375 Quidway S7700 Smart Routing Switch Configuration Guide - SPU 7 Dual-System HSB Configuration dot1q termination vid 10 dot1q vrrp vid 10 ip address 10.0.0.3 24 vrrp vrid 10 virtual-ip 10.0.0.1 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown...

Huawei quidway s7700 Configuration Manual

About this Document

1 SPU Pre-Configuration

2 Firewall Configuration

3 NAT Configuration

4 Ipsec Configuration

5 WLAN Configuration

6 Load Balancing Configuration

7 Dual-System HSB Configuration

Quick Links

Related Manuals for Huawei quidway s7700

Summary of Contents for Huawei quidway s7700