Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Issue 02 (2010-07-15)
This document is intended for:
Data configuration engineers
Commissioning engineers
Network monitoring engineers
System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP: Indicates a tip that may help you solve a problem or save time.
NOTE: Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.

Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.
Contents

About This Document .... iii
1 Configuration Differences Between SPU and S9300 .... 1-1
1.1 Configuration Differences .... 1-3
1.2 Basic Configuration Differences .... 1-3
1.3 Ethernet Configuration Differences .... 1-4
1.4 IP Service Configuration Differences .... 1-5
1.5 IP Routing Configuration Differences .... 1-7
1.6 QoS Configuration Differences .... 1-10
1.7 Security Configuration Differences .... 1-11
1.8 Reliability Configuration Differences .... 1-13
1.9 Device Management Configuration Differences .... 1-14
1.10 Network Management Differences .... 1-15
1.11 VPN Configuration Differences .... 1-18
2 SPU Pre-Configuration .... 2-1
2.1 Overview of the SPU Pre-Configuration .... 2-2
2.2 Configuring a Service Type .... 2-3
2.2.1 Establishing the Configuration Task .... 2-3
2.2.2 Configuring a Service Type .... 2-3
2.2.3 Checking the Configuration .... 2-4
2.3 Configuring Layer 2 Flow Import .... 2-4
2.3.1 Establishing the Configuration Task .... 2-4
2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated .... 2-6
2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated .... 2-6
2.4 Configuring Layer 3 Flow Import .... 2-6
2.4.1 Establishing the Configuration Task .... 2-7
2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated .... 2-9
2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated .... 2-9
2.5 Configuring Traffic Mirroring .... 2-9
2.5.1 Establishing the Configuration Task .... 2-9
2.5.2 Configuring Traffic Mirroring .... 2-10
3 Firewall Configuration .... 3-1
3.1 Firewall Overview .... 3-3
3.2 Firewall Features Supported by the SPU .... 3-3
3.3 Configuring Zones .... 3-9
3.3.1 Establishing the Configuration Task .... 3-10
3.3.2 Creating a Zone .... 3-10
3.3.3 Adding an Interface to the Zone .... 3-11
3.3.4 Creating an Interzone .... 3-11
3.3.5 Enabling Firewall in the Interzone .... 3-12
3.3.6 Checking the Configuration .... 3-12
3.4 Configuring the Packet Filtering Firewall .... 3-13
3.4.1 Establishing the Configuration Task .... 3-13
3.4.2 Configuring ACL-based Packet Filtering in an Interzone .... 3-14
3.4.3 Checking the Configuration .... 3-14
3.5 Configuring the Blacklist .... 3-15
3.5.1 Establishing the Configuration Task .... 3-15
3.5.2 Enabling the Blacklist Function .... 3-16
3.5.3 Adding IP Addresses to the Blacklist Manually .... 3-16
3.5.4 Checking the Configuration .... 3-17
3.6 Configuring the Whitelist .... 3-17
3.6.1 Establishing the Configuration Task .... 3-18
3.6.2 Adding Entries to the Whitelist .... 3-18
3.6.3 Checking the Configuration .... 3-19
3.7 Configuring ASPF .... 3-19
3.7.1 Establishing the Configuration Task .... 3-20
3.7.2 Configuring ASPF Detection .... 3-20
3.7.3 Checking the Configuration .... 3-21
3.8 Configuring Port Mapping .... 3-21
3.8.1 Establishing the Configuration Task .... 3-21
3.8.2 Configuring Port Mapping .... 3-22
3.8.3 Checking the Configuration .... 3-23
3.9 Configuring the Aging Time of the Firewall Session Table .... 3-23
3.9.1 Establishing the Configuration Task .... 3-23
3.9.2 Configuring the Aging Time of the Firewall Session Table .... 3-24
3.9.3 Checking the Configuration .... 3-24
3.10 Configuring the Transparent Firewall .... 3-25
3.10.1 Establishing the Configuration Task .... 3-25
3.10.2 Configuring the Transparent Firewall .... 3-26
3.10.3 Checking the Configuration .... 3-27
3.11 Configuring the Attack Defense Function .... 3-27
3.11.1 Establishing the Configuration Task .... 3-28
3.11.2 Enabling the Attack Defense Function .... 3-28
3.11.3 Setting the Parameters of Flood Attack Defense .... 3-31
3.11.4 Configuring Large ICMP Packet Attack Defense .... 3-32
3.11.5 Setting Parameters of Scanning Attack Defense .... 3-32
3.11.6 Checking the Configuration .... 3-33
3.12 Configuring Traffic Statistics and Monitoring .... 3-33
3.12.1 Establishing the Configuration Task .... 3-34
3.12.2 Enabling Traffic Statistics and Monitoring .... 3-35
3.12.3 Setting the Session Thresholds .... 3-36
3.12.4 Checking the Configuration .... 3-37
3.13 Configuring the Log Function .... 3-39
3.13.1 Establishing the Configuration Task .... 3-39
3.13.2 Enabling the Log Function on the Firewall .... 3-40
3.13.3 Setting the Parameters of Logs .... 3-40
3.13.4 Checking the Configuration .... 3-41
3.14 Maintaining the Firewall .... 3-42
3.14.1 Displaying the Firewall Configuration .... 3-42
3.14.2 Clearing the Statistics of the Firewall .... 3-43
3.15 Configuration Examples .... 3-43
3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall .... 3-44
3.15.2 Example for Configuring ASPF and Port Mapping .... 3-47
3.15.3 Example for Configuring the Blacklist .... 3-51
3.15.4 Example for Configuring the Transparent Firewall .... 3-55
4 NAT Configuration .... 4-1
4.1 NAT Overview .... 4-2
4.2 NAT Features Supported by the SPU .... 4-3
4.3 Configuring NAT .... 4-6
4.3.1 Establishing the Configuration Task .... 4-7
4.3.2 Configuring an Address Pool .... 4-8
4.3.3 Associating an ACL with an Address Pool .... 4-8
4.3.4 Configuring Easy IP .... 4-9
4.3.5 Configuring an Internal NAT Server .... 4-9
4.3.6 Configuring Static NAT .... 4-10
4.3.7 Enabling NAT ALG .... 4-10
4.3.8 Configuring DNS Mapping .... 4-11
4.3.9 Configuring Twice NAT .... 4-11
4.3.10 Checking the Configuration .... 4-12
4.4 Configuration Examples .... 4-14
4.4.1 Example for Configuring the NAT Server .... 4-14
4.4.2 Example for Configuring Static NAT .... 4-18
4.4.3 Example for Configuring Outbound NAT .... 4-21
4.4.4 Example for Configuring Twice NAT .... 4-25
5 IPSec Configuration .... 5-1
5.1 IPSec Overview .... 5-2
5.2 IPSec Features Supported by the SPU .... 5-3
5.3 Establishing an IPSec Tunnel Manually .... 5-4
5.3.1 Establishing the Configuration Task .... 5-4
5.3.2 Defining Data Flows to Be Protected .... 5-5
5.3.3 Configuring an IPSec Proposal .... 5-6
5.3.4 Configuring an IPSec Policy .... 5-7
5.3.5 (Optional) Configuring an IPSec Policy Template .... 5-8
5.3.6 Setting the Global Lifetime of SAs .... 5-9
5.3.7 Applying an IPSec Policy Group to a Sub-interface .... 5-10
5.3.8 Checking the Configuration .... 5-10
5.4 Establishing an IPSec Tunnel Through IKE Negotiation .... 5-10
5.4.1 Establishing the Configuration Task .... 5-11
5.4.2 Defining Data Flows to Be Protected .... 5-12
5.4.3 Configuring the Local Host Name Used in IKE Negotiation .... 5-13
5.4.4 Configuring an IKE Proposal .... 5-13
5.4.5 Configuring an IKE Peer .... 5-14
5.4.6 Configuring an IPSec Proposal .... 5-16
5.4.7 Configuring an IPSec Policy .... 5-17
5.4.8 (Optional) Configuring an IPSec Policy Template .... 5-18
5.4.9 (Optional) Setting Optional Parameters .... 5-19
5.4.10 Applying an IPSec Policy to a Sub-interface .... 5-20
5.4.11 Checking the Configuration .... 5-21
5.5 Maintaining IPSec .... 5-21
5.5.1 Displaying the IPSec Configuration .... 5-21
5.5.2 Clearing IPSec Information .... 5-22
5.6 Configuration Examples .... 5-22
5.6.1 Example for Establishing an SA Manually .... 5-23
5.6.2 Example for Establishing an SA Through IKE Negotiation .... 5-29
6 NetStream Configuration .... 6-1
6.1 Overview of NetStream .... 6-2
6.2 NetStream Features Supported by the SPU .... 6-3
6.3 Collecting IPv4 Traffic Statistics .... 6-4
6.3.1 Establishing the Configuration Task .... 6-4
6.3.2 Enabling NetStream on an Interface .... 6-5
6.3.3 (Optional) Configuring the Version of Exported Packets .... 6-5
6.3.4 Setting the Destination Address of the Statistics .... 6-6
6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag .... 6-6
6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic .... 6-7
6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic .... 6-7
6.3.8 Checking the Configuration .... 6-8
6.4 Collecting IPv6 Traffic Statistics .... 6-8
6.4.1 Establishing the Configuration Task .... 6-8
6.4.2 Enabling NetStream on an Interface .... 6-9
6.4.3 Setting the Destination Address of the Statistics .... 6-9
6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag .... 6-10
6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic .... 6-11
6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic .... 6-11
6.4.7 Checking the Configuration .... 6-11
6.5 Collecting MPLS Traffic Statistics .... 6-12
6.5.1 Establishing the Configuration Task .... 6-12
6.5.2 Enabling NetStream on an Interface .... 6-13
6.5.3 (Optional) Configuring the Version of Exported Packets .... 6-13
6.5.4 Setting the Destination Address of the Statistics .... 6-14
6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic .... 6-14
6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic .... 6-15
6.5.7 Checking the Configuration .... 6-15
6.6 Configuring the Aggregation Statistics About Traffic .... 6-15
6.6.1 Establishing the Configuration Task .... 6-16
6.6.2 Enabling NetStream on an Interface .... 6-16
6.6.3 Configuring the Aggregation Function .... 6-17
6.6.4 (Optional) Configuring the Version of Exported Packets .... 6-17
6.6.5 (Optional) Configuring the Export of Statistics .... 6-18
6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic .... 6-19
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic .... 6-19
6.6.8 Checking the Configuration .... 6-19
6.7 Configuring the Flexible NetStream Feature .... 6-19
6.7.1 Establishing the Configuration Task .... 6-20
6.7.2 Creating a Record and Entering the Record View .... 6-20
6.7.3 Configuring Aggregation Key Words of Records .... 6-21
6.7.4 (Optional) Configuring the Exported Traffic Statistics .... 6-21
6.7.5 Enabling Flexible NetStream on Interfaces .... 6-22
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface .... 6-22
6.7.7 Checking the Configuration .... 6-23
6.8 Example for Configuring NetStream .... 6-23
6.8.1 Example for Configuring IPv4 Traffic Statistics .... 6-23
6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic .... 6-26
6.8.3 Example for Configuring Flexible NetStream Traffic Statistics .... 6-32
Contents
Quidway S9300 Terabit Routing Switch Configuration Guide - SPU 7.3.5 Configuring a Link Group....................................................................................................................7-19 7.3.6 Configuring a Layer 7 Classifier..........................................................................................................7-21 7.3.7 Configuring a Load Balancing Action.................................................................................................7-22 7.3.8 Configuring an ACL.............................................................................................................................7-23 7.3.9 (Optional) Configuring a Connection Parameter Profile.....................................................................7-24 7.3.10 Configuring a Layer 3 Classifier........................................................................................................7-25 7.3.11 Configuring a Load Balancing Policy................................................................................................7-26 7.3.12 Applying the Load Balancing Policy.................................................................................................7-27 7.3.13 Checking the Configuration...............................................................................................................7-27
7.4 Configuring Server Load Balancing ..... 7-28
7.4.1 Establishing the Configuration Task ..... 7-29
7.4.2 (Optional) Configuring a NAT Address Pool ..... 7-30
7.4.3 (Optional) Configuring Server Health Detection ..... 7-31
7.4.4 Configuring a Server ..... 7-35
7.4.5 Configuring a Server Group ..... 7-37
7.4.6 (Optional) Configuring Session Stickiness ..... 7-40
7.4.7 Configuring a Layer 7 Classifier ..... 7-42
7.4.8 Configuring a Load Balancing Action ..... 7-43
7.4.9 Configuring an ACL ..... 7-44
7.4.10 (Optional) Configuring a Connection Parameter Profile ..... 7-45
7.4.11 (Optional) Configuring an HTTP Parameter Profile ..... 7-46
7.4.12 Configuring a Layer 3 Classifier ..... 7-46
7.4.13 Configuring a Load Balancing Policy ..... 7-48
7.4.14 Applying the Load Balancing Policy ..... 7-49
7.4.15 Checking the Configuration ..... 7-49
7.5 Configuring Firewall Load Balancing ..... 7-50
7.6 Configuration Examples ..... 7-54
7.6.1 Example for Configuring Egress Link Load Balancing ..... 7-54
7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode ..... 7-62
7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode ..... 7-72
7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode ..... 7-83
7.6.5 Example for Configuring Session Stickiness ..... 7-95
7.6.6 Example for Configuring Standard Firewall Load Balancing ..... 7-107
8.3.5 Checking the Configuration ..... 8-7
8.4 Maintaining Dual-System HSB ..... 8-7
8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules ..... 8-7
8.5 Configuration Examples of Dual-System HSB ..... 8-7
8.5.1 Example for Configuring Dual-System HSB on the S9300 ..... 8-8
8.5.2 Example for Configuring Dual-System HSB Between S9300s ..... 8-17
Issue 02 (2010-07-15)
Figures
Figure 2-1 Mapping between interfaces on the S9300 and SPU ..... 2-2
Figure 2-2 Importing Layer 2 flows if interfaces are aggregated ..... 2-5
Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated ..... 2-6
Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated ..... 2-8
Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated ..... 2-8
Figure 3-1 Limiting the number of sessions initiated by an external server ..... 3-6
Figure 3-2 Networking of ACL-based packet filtering ..... 3-44
Figure 3-3 Networking of ASPF and port mapping ..... 3-48
Figure 3-4 Networking of blacklist configuration ..... 3-52
Figure 3-5 Networking of transparent firewall configuration ..... 3-55
Figure 4-1 Networking of NAT ..... 4-2
Figure 4-2 Networking of PAT ..... 4-4
Figure 4-3 Networking of twice NAT ..... 4-5
Figure 4-4 Networking diagram for configuring the NAT server ..... 4-15
Figure 4-5 Networking diagram for configuring static NAT ..... 4-18
Figure 4-6 Networking diagram for configuring outbound NAT ..... 4-22
Figure 4-7 Networking diagram for configuring twice NAT ..... 4-25
Figure 5-1 Packet format in transport mode ..... 5-2
Figure 5-2 Packet format in tunnel mode ..... 5-3
Figure 5-3 Networking diagram for establishing an SA manually ..... 5-23
Figure 5-4 Networking for establishing an SA through IKE negotiation ..... 5-29
Figure 6-1 Diagram of NetStream data collection and analysis ..... 6-2
Figure 6-2 Networking diagram for configuring NetStream ..... 6-23
Figure 6-3 Networking diagram of NetStream aggregation ..... 6-27
Figure 6-4 Networking diagram for configuring Flexible NetStream ..... 6-32
Figure 7-1 Typical networking of egress link load balancing ..... 7-6
Figure 7-2 Typical networking of server load balancing in DNAT mode ..... 7-8
Figure 7-3 Typical networking of server load balancing in DMAC mode ..... 7-9
Figure 7-4 Typical networking of firewall load balancing ..... 7-11
Figure 7-5 Networking of standard firewall load balancing ..... 7-12
Figure 7-6 Networking of transparent firewall load balancing ..... 7-12
Figure 7-7 Networking for combining firewall load balancing and server load balancing ..... 7-12
Figure 7-8 Networking diagram for configuring egress link load balancing ..... 7-55
Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode ..... 7-63
Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode ..... 7-73
Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode ..... 7-84
Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode ..... 7-96
Figure 7-13 Networking for configuring standard firewall load balancing ..... 7-108
Figure 8-1 Networking of dual-system HSB ..... 8-2
Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300 ..... 8-8
Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s ..... 8-18
This section describes the differences between the network management configurations of the SPU and the S9300.
1.11 VPN Configuration Differences
This section describes the differences between the VPN configurations of the SPU and the S9300.
On the S9300, these commands are run on an Ethernet interface, GE interface, XGE interface, or VLANIF interface. On the SPU, they are run on an XGE interface, an Eth-Trunk containing XGE interfaces, an XGE sub-interface, or a sub-interface of an Eth-Trunk containing XGE interfaces. For example, on the S9300 the arp expire-time expire-time command is run on a VLANIF interface; on the SPU it is run on an XGE interface.
No SPU command supports the slot slot-id parameter. For example, the S9300 command is display bfd ttl [ slot slot-id ], whereas the SPU command is display bfd ttl.
The SPU does not support IPv6- or MPLS-related functions or parameters.
NOTE
For details about the common functions, see the S9300 configuration guide.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
CLI Overview | The SPU supports all sub-features. | See Common Differences.
How to Use Interfaces | The SPU supports all sub-features. | See Common Differences.
Basic configuration | Basic Configuration Introduction | See Common Differences.
Basic configuration | Configuring the Basic System Environment | The SPU does not support setting the system clock.
Basic configuration | Configuring Basic User Environment | See Common Differences.
Basic configuration | Displaying System Status Messages | See Common Differences.
User Management | The SPU supports all sub-features. | See Common Differences.
File System Management | The SPU supports all sub-features. | See Common Differences.
Management of Configuration Files | The SPU supports all sub-features. | See Common Differences.
FTP and TFTP | The SPU supports all sub-features. | See Common Differences.
Telnet and SSH | The SPU supports all sub-features. | See Common Differences.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
Ethernet interface | Configuring basic attributes of the Ethernet interface | The SPU supports only (Optional) Configuring the Description.
Ethernet interface | Configuring advanced attributes of the Ethernet interface | The SPU supports only (Optional) Assigning an IP Address to an Ethernet Sub-interface.
Feature | Sub-feature | Difference
Link aggregation | Configuring Link Aggregation in Manual Load Balancing Mode; Configuration example: Example for Configuring Link Aggregation in Manual Load Balancing Mode; Configuring an Eth-Trunk Sub-interface | An Eth-Trunk on the SPU contains a maximum of 2 member interfaces. By default, the maximum number of interfaces that determine the bandwidth of the Eth-Trunk is 2.
VLAN | Configuring Sub-interfaces to Implement Layer 3 Communication; Configuration example: Example for Implementing Communication Between VLANs Through Sub-interfaces | -
ARP | Configuring ARP; Configuration example: Example for Configuring ARP; Configuring Routed Proxy ARP; Configuration example: Example for Configuring Routed Proxy ARP; Configuring ARPing-IP; Maintaining ARP | -
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table lists all the IP service features of the SPU.
Sub-feature | Configuration Task | Difference
IP address unnumbered; Configuration example: Example for Configuring a Tunnel Interface to Borrow the IP Address of a Loopback Interface | Establishing the Configuration Task; Setting the Primary IP Address; Setting the Unnumbered IP Address; Checking the Configuration | -
DHCP | | Not supported by the SPU.
IP session | Configuring IP Session | The SPU supports only (Optional) Binding a VPN Instance to an Interface.
IP performance optimization; Configuration examples: Example for Disabling the Sending of ICMP Redirection Packets; Example for Disabling the Sending of ICMP Host Unreachable Packets; Example for Optimizing System Performance by Discarding Certain ICMP Packets | | Not supported by the SPU.
IP performance maintenance | | 
IP performance | Enabling an Interface to Check the Source IP Addresses of Packets; Setting ICMP Parameters; (Optional) Setting the Load Balancing Mode of IP Packet Forwarding | 
Sub-feature | Configuration Task | Difference
PBR | Example for Configuring PBR Based on the Protocol Type; Example for Configuring PBR Based on the Packet Length; Example for Configuring Flow-based PBR | 
UDP Helper | | Not supported by the SPU.
DNS | | Not supported by the SPU.
Basic IPv6 configurations | | Not supported by the SPU.
IPv6 DNS | | Not supported by the SPU.
IPv6 over IPv4 | | Not supported by the SPU.
IPv4 over IPv6 | | Not supported by the SPU.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
Static route | Configuring an IPv4 Static Route; Configuration example: Example for Configuring Static Routes | See Common Differences.
Static route | Configuring BFD for IPv4 Static Routes in the Public Network; Configuration example: Example for Configuring BFD for IPv4 Static Routes | See Common Differences.
RIP | The SPU supports all sub-features of the RIP Configuration. | See Common Differences.
OSPF | The SPU supports all sub-features of the OSPF Configuration. | See Common Differences.
IS-IS | The SPU supports all sub-features of the IS-IS Configuration. | See Common Differences.
BGP | Configuring Basic BGP Functions; Configuration example: Example for Configuring Basic BGP Functions; Configuring BGP Route Attributes; Configuring BGP Filters; Configuration example: Example for Configuring AS-Path Filter; Controlling the Advertisement of BGP Routing Information; Controlling the Import of Routing Information; Configuration example: Example for Configuring BGP to Interact With an IGP; Configuring BGP Route Dampening; Configuring Parameters of a BGP Peer Connection; Configuring BGP Tracking; Configuring BGP Load Balancing; Configuration example: Example for Configuring BGP Load Balancing and Setting the MED; Configuring a BGP Confederation; Configuration example: Example for Configuring a BGP Confederation; Configuring a BGP Route Reflector; Configuration example: Example for Configuring a BGP RR; Configuring BGP Accounting; Configuration example: Example for Configuring the BGP Accounting; Configuring BFD for BGP; Configuration example: Example for Configuring BFD for BGP; Configuring BGP Auto FRR; Configuration example: Example for Configuring BGP Auto FRR; Configuring a BGP Peer Group; Configuration example: Example for Configuring the BGP Community Attribute; Configuring BGP GR; Configuring BGP Security; Configuration example: Example for Configuring BGP GTSM | The SPU does not support IPv6-related configurations.
Routing policy | Configuring the IP-Prefix List; Configuring the Route-Policy; Applying Filters to Received Routes; Applying Filters to Advertised Routes; Configuration example: Example for Filtering the Received and Advertised Routes; Applying Filters to Imported Routes; Configuration example: Example for Applying a Routing Policy to the Imported Routes; Controlling the Valid Time of the Routing Policy | The SPU does not support the configurations related to IPv6, MPLS, FRR, and VPN.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
Class-based QoS | Configuration examples: Example for Re-marking the Priorities Based on Complex Traffic Classification; Example for Filtering Packets Based On Complex Traffic Classification | In Creating a Traffic Classifier Based on Layer 3 Information, the SPU does not support the following if-match clauses: if-match cvlan-8021p { 8021p-value } &<1-8>; if-match discard; if-match inbound-interface interface-type interface-number; if-match vlan-8021p 8021p-value &<1-8>. The SPU does not support URPF. In Clearing the Flow-based Traffic Statistics, only the inbound interface supports reset traffic policy statistics { global | vlan vlan-id }. See Common Differences.
Traffic policing and traffic shaping | The SPU supports all sub-features of the Traffic Policing and Traffic Shaping Configuration. | See Common Differences.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
AAA | AAA scheme | See Common Differences.
AAA | RADIUS server template | See Common Differences.
AAA | HWTACACS server template | See Common Differences.
AAA | Service scheme | See Common Differences.
AAA | Domain | See Common Differences.
AAA | Local user management | See Common Differences.
AAA | AAA and user management maintenance | See Common Differences.
AAA | AAA and User Management Configuration; Configuration example: Example for Configuring RADIUS Authentication and Accounting | See Common Differences.
AAA | AAA and User Management Configuration; Configuration example: Example for Configuring HWTACACS Authentication, Accounting, and Authorization | See Common Differences.
ACL | ACL: Configuring a Basic ACL; Configuration example: Example for Configuring a Basic ACL; Configuring an Advanced ACL; Configuration example: Example for Configuring an Advanced ACL; Configuring a Layer 2 ACL; Configuration example: Example for Configuring a Layer 2 ACL | The SPU does not support named ACLs or user-defined ACLs. See Common Differences.
ACL | Reflective ACL: Configuring Reflective ACL; Configuration example: Example for Configuring the Reflective ACL Function | Reflective ACLs can be bound only in the system view of the SPU.
ACL | ACL maintenance | The ACL6 statistics on the SPU cannot be cleared.
Attack defense | | On the SPU, only CAR can be configured in the attack defense policy view, and the attack defense policy can be bound only globally.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
BFD | Configuring Single-Hop BFD; Configuration example: Example for Configuring Single-Hop BFD on a VLANIF Interface | The SPU does not support (Optional) Setting the Multicast IP Address of BFD or detection of IPv6 links. In Creating a BFD Session, only BFD detection for Layer 3 interfaces is supported: bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] interface interface-type interface-number [ source-ip source-ip ]
BFD | Configuring a Static BFD Session with Automatically Negotiated Discriminators | The SPU does not support the static BFD6 session with automatically negotiated discriminators.
BFD | Setting the BFD Session-Up Delay | The SPU does not support the static BFD6 session with automatically negotiated discriminators.
BFD | Adjusting the BFD Detection Parameters | See Common Differences.
BFD | Setting the Global TTL Value | The SPU does not support the multi-hop packet TTL.
VRRP | Configuring a VRRP Backup Group; Configuration examples: Example for Configuring VRRP in Master/Backup Mode; Example for Configuring VRRP in Load Balancing Mode; Configuring VRRP to Track the Interface Status; Configuration example: Example for Configuring VRRP Fast Switchover; Configuring VRRP Authentication; Optimizing the VRRP Performance | -
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Displaying Information About the S9300:
• Displaying the Version
• Displaying the CPU Usage
• Displaying the Interface Status
• Displaying Alarm Information
• Displaying Diagnostic Information
Configuring the Information Center:
• (Optional) Configuring Information Output Modes
• Configuration example: Configuration Examples
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences. Of the network management features, the SPU supports only SNMP, ping, and tracert.
Feature | Sub-feature | Difference
SNMP | Configuring Basic Functions of SNMPv1 | See Common Differences.
SNMP | Configuring Basic Functions of SNMPv2c | See Common Differences.
SNMP | Configuring Community-Name-based Access Control in SNMPv1 | See Common Differences.
SNMP | Configuring Community-Name-based Access Control in SNMPv2c; Configuration example: Example for Specifying an NMS to Manage the Switch | See Common Differences.
SNMP | Configuring MIB-View-based Access Control in SNMPv1 | See Common Differences.
SNMP | Configuring MIB-View-based Access Control in SNMPv2c | See Common Differences.
SNMP | Configuring Basic Functions of SNMPv3 | See Common Differences.
SNMP | Configuring Group-based Access Control in SNMPv3 | See Common Differences.
SNMP | Configuring User-based Access Control in SNMPv3 | See Common Differences.
SNMP | Configuring Authentication and Encryption Functions in SNMPv3 | See Common Differences.
SNMP | Configuring MIB-View-based Access Control in SNMPv3; Configuration examples: Example for Configuring Different NMSs to Access the Switch; Example for Configuring Different NMSs to Access the Switch (Inform Mode) | See Common Differences.
SNMP | Configuring SNMP Maintenance Information; Configuration example: Example for Specifying an NMS to Manage the Switch | See Common Differences.
SNMP | Configuring the Maximum Size of the SNMP Packet | See Common Differences.
SNMP | Configuring Batch Statistics Collection; Configuration example: Example for Configuring Batch Statistics Collection | See Common Differences.
SNMP | Configuring the Trap Function; Configuration examples: Example for Specifying an NMS to Manage the Switch; Example for Configuring Different NMSs to Access the Switch; Example for Configuring Alarm Messages to Be Sent to the Huawei NMS | See Common Differences.
SNMP | Propagating Alarms in the Inform Mode; Configuration example: Example for Configuring Different NMSs to Access the Switch (Inform Mode) | See Common Differences.
SNMP | Enabling the Extended Error Code Function on the SNMP Agent; Configuration example: Example for Enabling the Extended Error Code Function on the SNMP Agent | See Common Differences.
SNMP | Configuring the SET Response Message Caching Function | See Common Differences.
SNMP | Configuring the Constant Interface Index Feature | See Common Differences.
Ping and tracert | Performing Ping and Tracert Operations; Configuration example: Example for Performing Ping and Tracert Operations | See Common Differences.
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.
Feature | Sub-feature | Difference
GRE | GRE tunnel; Configuration examples: Example for Configuring Static Routes on the GRE Tunnel; Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel | When the destination address of the tunnel is configured in Configuring a Tunnel Interface, the destination address cannot be an IP address that belongs to a VPN instance.
BGP/MPLS IP VPN | Creating a VPN Instance; Binding an Interface with a VPN Instance | The SPU supports only Creating a VPN Instance and Binding an Interface with a VPN Instance. For the configuration of mutual access between local VPNs, see Example for Configuring Mutual Access for Local VPNs on SPU Board.
2 SPU Pre-Configuration
About This Chapter
To use the SPU on the S9300, configure the S9300 and the SPU in advance.
2.1 Overview of the SPU Pre-Configuration
This topic describes the connection of virtual XGE interfaces between the SPU and the S9300.
2.2 Configuring a Service Type
When using the SPU, ensure that the service type configured on the SPU matches the service the SPU actually processes. If the current service type is not the required one, change the service type and then restart the SPU for the change to take effect.
2.3 Configuring Layer 2 Flow Import
The S9300 and the SPU are deployed in VLAN networking. After the interfaces that need to communicate are added to the same VLAN, they can interwork at Layer 2.
2.4 Configuring Layer 3 Flow Import
After the two groups of virtual XGE interfaces connecting the SPU and the S9300 are assigned addresses on the same network segment, they can communicate at Layer 3.
2.5 Configuring Traffic Mirroring
When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.
Connection Mode
If the SPU is installed in slot 5 of the S9300, virtual connections are set up between XGE 5/0/0 on the S9300 and XGE 0/0/1 on the SPU, and between XGE 5/0/1 on the S9300 and XGE 0/0/2 on the SPU. All traffic that is forwarded or mirrored to XGE 5/0/0 and XGE 5/0/1 through flow import is processed by the SPU, as shown in Figure 2-1.
Figure 2-1 Mapping between interfaces on the S9300 and SPU
[Figure 2-1: XGE5/0/0 and XGE5/0/1 on the Switch (S9300) connect to XGE0/0/1 and XGE0/0/2 on the SPU]
When the SPU is used for the first time, no service type is configured; you must configure the service type that matches the intended service. When the firewall, load balancing, or IPSec service is used, data is exchanged between the S9300 and the SPU through Layer 2 or Layer 3 flow import. When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode. These four services cannot be enabled concurrently: at any given time, an SPU provides only one service. To provide different types of services, install multiple SPUs in the S9300.
Applicable Environment
When using the SPU, you need to select a service type. Currently, the SPU can process the following services:
• Firewall
• Load balancing
• IPSec
• NetStream
Pre-configuration Tasks
You have logged in to the SPU successfully.
Data Preparation
To configure a service type, you need the following data.
No. | Data
1 | Number of the type of the service to be processed by the SPU
Procedure
Step 1 Run:
system-view
After the service type is changed, the configuration of the original service no longer takes effect. The configuration of the new service type takes effect only after the SPU is restarted.
----End
Procedure
• Run the display service-type command in the system view to check the service type of the SPU.
----End
Applicable Environment
When the firewall, load balancing, or IPSec service is used, the LPU of the S9300 forwards traffic to the SPU for processing. When traffic is forwarded at Layer 2:
• The SPU can aggregate the two groups of virtual XGE service interfaces into an Eth-Trunk interface to provide higher bandwidth. Alternatively, the interfaces on the LPUs and the virtual XGE interfaces on the S9300 are added to the same VLAN, and the virtual XGE sub-interfaces on the SPU are configured to allow packets from that VLAN to pass.
• For the IPSec service, the interfaces are not aggregated; the interfaces on the LPUs and the virtual XGE interfaces on the S9300 are added to the same VLAN, and the virtual XGE sub-interfaces on the SPU are configured to allow packets from that VLAN to pass.
• For the firewall and load balancing services, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and the SPU into Eth-Trunk interfaces.
• Importing Layer 2 flows if interfaces are aggregated
As shown in Figure 2-2, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1, which forwards it on through the LPU. If the two groups of XGE interfaces on the S9300 and the SPU are aggregated into Eth-Trunk interfaces, add GE 3/0/0, Eth-Trunk 0, and Eth-Trunk 1 to the same VLAN.
Figure 2-2 Importing Layer 2 flows if interfaces are aggregated
[Figure 2-2: Switch (S9300) connected to XGE0/0/1 on the SPU]
• Importing Layer 2 flows if interfaces are not aggregated
As shown in Figure 2-3, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1, which forwards it on through the LPU. If the interfaces are not aggregated, add GE 3/0/0, XGE 5/0/0, and XGE 0/0/1 to the same VLAN.
Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated
[Figure 2-3: GE3/0/0 and GE3/0/1 on the Switch (S9300); XGE5/0/0 on the S9300 connected to XGE0/0/1 on the SPU]
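The following command sequence is an added example, not part of this guide, for the non-aggregated Layer 2 flow import shown in Figure 2-3. It uses the interfaces named in the text (GE 3/0/0 on the LPU in slot 3, XGE 5/0/0 on the S9300 with the SPU in slot 5, XGE 0/0/1 on the SPU). The VLAN ID 100, the sub-interface number XGE 0/0/1.1, the prompts, and the exact keyword spelling of the port link-type, port trunk allow-pass vlan, vlan-type dot1q, and display vlan commands are assumptions based on VRP syntax; check them against the command reference for your software version before use.

```text
# S9300 side: create the import VLAN and put both the LPU interface and the
# virtual XGE interface facing the SPU into it (VLAN 100 is an assumed value).
<S9300> system-view
[S9300] vlan 100
[S9300-vlan100] quit
[S9300] interface GigabitEthernet 3/0/0
[S9300-GigabitEthernet3/0/0] port link-type trunk
[S9300-GigabitEthernet3/0/0] port trunk allow-pass vlan 100
[S9300-GigabitEthernet3/0/0] quit
[S9300] interface XGigabitEthernet 5/0/0
[S9300-XGigabitEthernet5/0/0] port link-type trunk
[S9300-XGigabitEthernet5/0/0] port trunk allow-pass vlan 100
[S9300-XGigabitEthernet5/0/0] quit

# SPU side: a dot1q sub-interface on the virtual XGE interface accepts
# frames tagged with the import VLAN (sub-interface number is assumed).
<SPU> system-view
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] vlan-type dot1q 100
[SPU-XGigabitEthernet0/0/1.1] quit

# Check on the S9300: both GE 3/0/0 and XGE 5/0/0 must appear as members
# of VLAN 100, otherwise traffic from GE 3/0/0 never reaches the SPU.
[S9300] display vlan 100
```

The check at the end matters for the firewall and IPSec services: only traffic in a VLAN that includes the virtual XGE interface is handed to the SPU. A VLAN that is present on the LPU interfaces but not allowed on XGE 5/0/0 is switched by the S9300 without ever passing through the SPU, so confirm every VLAN that must be inspected appears in that output.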
Pre-configuration Tasks
Ensure that the SPU has been installed in the S9300 and is running normally.
Data Preparation
To configure Layer 2 flow import, you need the following data.
No. | Data
1 | Number of the Eth-Trunk interface
2 | Number of the slot in which the SPU is installed
3 | ID of the VLAN to which the interfaces belong
4 | Number of the slot in which the LPU is installed
2.4.1 Establishing the Configuration Task
This topic describes the pre-configuration tasks and data preparation for configuring Layer 3 flow import.
2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated
When the firewall, load balancing, or IPSec service is used, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and the SPU into Eth-Trunk interfaces to increase the interface bandwidth.
2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated
Assign IP addresses to the VLANIF interfaces on the S9300 and to the XGE sub-interfaces on the SPU to forward traffic at Layer 3.
Applicable Environment
When firewalls, load balancing, and IPSec are used, the LPU of the S9300 forwards traffic to the SPU for processing. When traffic is forwarded at Layer 3:
- The SPU can aggregate two groups of virtual XGE service interfaces as an Eth-Trunk interface, thus providing higher bandwidth. The SPU can also add interfaces on the LPUs and virtual XGE interfaces on the S9300 to VLANs and configure IP addresses for VLANIF interfaces and the XGE sub-interfaces on the SPU to implement Layer 3 forwarding.
- For the IPSec service, the SPU does not aggregate interfaces, but directly adds interfaces to the VLAN and configures IP addresses for VLANIF interfaces to implement Layer 3 forwarding.
- When using firewalls and load balancing, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces.
- Importing flows at Layer 3 if interfaces are aggregated
As shown in Figure 2-4, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If two groups of XGE interfaces on the S9300 and SPU are aggregated as Eth-Trunk interfaces, you need to add Eth-Trunk 0 and Eth-Trunk 1 to the same VLAN and configure the IP address of the sub-interface in Eth-Trunk 1 and the IP address of the VLANIF interface to which Eth-Trunk 0 belongs.
NOTE
Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated (figure not reproduced; labels: XGE0/0/1, XGE0/0/2, Switch)
- Importing flows at Layer 3 if interfaces are not aggregated
As shown in Figure 2-5, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If interfaces are not aggregated, you need to add XGE 5/0/0 and XGE 0/0/1 to the same VLAN and configure the IP address of the sub-interface in XGE 0/0/1 and the IP address of the VLANIF interface to which XGE 5/0/0 belongs.
NOTE
Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated (figure not reproduced; labels in extracted order: XGE5/0/0, VLANIF1051, 14.14.1.2/24, XGE0/0/1.1, GE3/0/0, VLAN1052, VLANIF1060, 14.14.1.1/24, 13.1.1.1/24, GE3/0/0, VLAN1052, XGE0/0/1.2, 12.12.1.1/24, Switch)
Pre-configuration Tasks
Check that the SPU is installed on the S9300.
Data Preparation
To configure Layer 3 flow import, you need the following data.
No. Data
1 Number of the Eth-Trunk interface
2 Ethernet interface number and sub-interface number
3 IP address and mask of the sub-interface
4 Range of IDs of the VLANs to which interfaces belong
Applicable Environment
When NetStream is used, the LPU of the S9300 mirrors traffic to the SPU for traffic classification and traffic statistics.
Pre-configuration Tasks
Check that the SPU is installed on the S9300.
Data Preparation
To configure traffic mirroring, you need the following data.
No. Data
1 Type and number of an observing interface
2 Mirrored interface
3 (Optional) Direction of the traffic to be mirrored
4 (Optional) Defined name of the traffic behavior and corresponding parameters
5 (Optional) Number, matching order, and rule of an ACL
6 (Optional) Defined name and rule of a traffic identifier
7 (Optional) Name of a traffic policy
Context
When NetStream is used, traffic on the S9300 is mirrored to the master CPU on the SPU in port mirroring or traffic mirroring mode. All configurations are performed on the S9300.
Procedure
- Configuring port mirroring
1. Run:
system-view
The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.
3. Run:
interface interface-type interface-number
The port mirroring function is configured to mirror the traffic that is imported or exported through this interface to the observing interface configured in step 2.
- Configuring traffic mirroring
1. Run:
system-view
The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.
3. Run:
acl [ number ] acl-number [ match-order { auto | config } ]
A rule is added in this ACL view. Only the traffic that matches the permit rule can be mirrored to the observing interface.
5. Run:
quit
A traffic classifier is created and the traffic classifier view is displayed.
7. Run:
if-match[ ipv6 ] acl acl-number
The rule for classifying traffic based on the ACL is configured.
8. Run:
quit
A traffic behavior is created and the traffic behavior view is displayed.
10. Run:
mirroring to observing-port observe-port-index
The traffic that meets the rule is configured to be mirrored to the observing interface configured in step 2.
11. Run:
quit
13. Run:
classifier classifier-name behavior behavior-name
3 Firewall Configuration
About This Chapter
The attack defense system sets up a line of defense between the internal and external networks so that the internal network is protected against attacks from the external network. Generally, firewalls are deployed between the internal and external networks to prevent attacks.
3.1 Firewall Overview
A firewall discards undesired packets and protects the hosts and key resources on the internal network.
3.2 Firewall Features Supported by the SPU
The firewall features supported by the SPU include ACL-based packet filtering, blacklist, whitelist, ASPF, port mapping, transparent firewall, virtual firewall, attack defense, traffic statistics and monitoring, and logs.
3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.
3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.
3.5 Configuring the Blacklist
You can add entries to the blacklist manually or configure a dynamic blacklist. If you choose the dynamic blacklist, you need to enable the IP address scanning and port scanning defense functions on the attack defense module of the SPU. When the SPU detects that the connection rate of an IP address or a port exceeds the threshold, the SPU considers that a scanning attack is occurring and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.
3.6 Configuring the Whitelist
The whitelist is applicable to a network where some devices send valid service packets that look like an IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist.
3.7 Configuring ASPF
The ASPF function can detect the sessions that attempt to traverse the application layer and deny undesired packets. In addition, ASPF enables application protocols that otherwise cannot traverse firewalls to function normally.
3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.
3.9 Configuring the Aging Time of the Firewall Session Table
3.10 Configuring the Transparent Firewall
A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance, rather than according to routes.
3.11 Configuring the Attack Defense Function
The attack defense function of the SPU prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.
3.12 Configuring Traffic Statistics and Monitoring
The SPU supports traffic statistics and monitoring at the system level, zone level, and IP address level.
3.13 Configuring the Log Function
The logs on the firewall include session logs, statistics logs, attack defense logs, and blacklist logs.
3.14 Maintaining the Firewall
3.15 Configuration Examples
This section provides several configuration examples of the firewall.
- ACL-based packet filtering: filters packets through an ACL.
- ASPF: filters packets at the application layer.
- Blacklist: filters packets based on source IP addresses.
- Whitelist: prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses.
- Port mapping: defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.
- Attack defense: detects various network attacks and takes measures to protect the internal network against attacks.
- Traffic statistics and monitoring: monitors traffic volume, detects the connections between internal and external networks, and carries out calculation and analysis.
Security Zone
The security zone, also referred to as a zone, is the basis of firewall. All the security policies are enforced based on the zones.
A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different. The SPU considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The SPU verifies the data and enforces the security policies only when the data flows from one zone to another.
Interzone
Any two zones form an interzone. Each interzone has an independent interzone view. Most firewall configurations are performed in the interzone views. Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering can be configured. The configured filtering policy is then enforced on the data transmission between zone1 and zone2.
Direction
In an interzone, data is transmitted in inbound direction or outbound direction.
- Inbound: indicates that data flows from a zone with lower priority to a zone with higher priority.
- Outbound: indicates that data flows from a zone with higher priority to a zone with lower priority.
ASPF
ASPF is applied at the application layer; that is, ASPF is state-based packet filtering. ASPF detects the application-layer sessions that attempt to pass through the firewall and discards undesired packets. The ACL-based packet filtering firewall detects packets at the network and transport layers. The ASPF function and the common packet filtering firewall can be used together to enforce the security policies of an internal network. The SPU performs ASPF for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) packets.
Blacklist
A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklist uses simpler matching fields to implement high-speed packet filtering. Thus the packets from certain IP addresses can be filtered out.
The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. Then the firewall adds the IP address of the attacker to the blacklist so that all the packets from the attacker are discarded.
Whitelist
The whitelist prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses. The IP addresses in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is represented by the source VPN and IP address. The whitelist is applicable to the network where some devices send valid service packets that look like IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist. The entries of the whitelist on the SPU can only be manually added.
Port Mapping
The application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against the service specific attacks. Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service through port 2121. When accessing the FTP server through a NAT server, users must use port 2121. By default, port 21 is used for FTP packets. The FTP server cannot identify the FTP packets that use port 21. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send the FTP packets to the FTP server. In this way, users can access the FTP server.
Virtual Firewall
Recently, more small-scale private networks have been established. Most of these private networks belong to small-scale enterprises. Such enterprises have the following requirements:
- They require high security.
- They cannot afford a private security device.
Logically, the SPU can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to the enterprises. A virtual firewall integrates a VPN instance and a security instance. It provides a private routing plane and security service for the virtual firewall users. The VPN instance and the security instance are as follows:
- VPN instance: provides independent VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules. In addition, it provides security services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual firewalls.
Firewall Log
The firewall records the behaviors and status of the firewall in real time. For example, the attack defense measures and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:
- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.
These logs help you find out the security risk, detect the attempts to violate the security policies, and learn the type of a network attack. The real-time log is also used to detect the intrusion that is underway.
Attack Defense
With the attack defense feature, the SPU can detect various network attacks and protect the internal network against attacks.
Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.
- DoS attack: A denial of service (DoS) attack floods a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. DoS attacks include the SYN Flood attack and the Fraggle attack. DoS attacks differ from other attacks in that the attacker does not search for an entry point into the network but prevents authorized users from accessing resources or routers.
- Scanning and snooping attack: A scanning and snooping attack identifies the systems that exist on the network through ping scanning (including ICMP and TCP scanning) and then finds potential targets. Through TCP scanning, the attacker can learn the operating system and the services that are listening. By scanning and snooping, an attacker can generally learn the service type and security vulnerabilities of the system and prepare for further intrusion.
- Malformed packet attack: A malformed packet attack sends malformed IP packets to the system, which crashes when processing them. Malformed packet attacks include Ping of Death and Teardrop.
Land Attack
Land attack is to set the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK message to its own IP address, and an ACK message is sent back to the target. This forms a null session. Every null session exists until it times out. The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.
Smurf Attack
A simple Smurf attack targets a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by a Smurf attack is one or two orders of magnitude higher than the traffic caused by pinging with large packets. An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host, which then crashes. A certain traffic volume and duration are needed for the attack to take effect. Theoretically, the effect of the attack is more obvious when there are more hosts on the network. The Fraggle attack is another form of the Smurf attack.
WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet to the NetBIOS port (139) of a target host running the Windows operating system. The NetBIOS fragments then overlap and the host crashes. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host, because IGMP packets are not normally fragmented; an attack occurs when a host receives such a packet.
whose source address is forged or nonexistent and originates a connection to the server. Upon receipt of this packet, the server replies with SYN-ACK. Because there is no receiver of the SYN-ACK packet, a half-connection results. If the attacker sends a large number of such packets, many half-connections are produced on the attacked host and its resources are exhausted; therefore, normal users cannot access the host until the half-connections expire. Even if connections can be created without restriction, a SYN Flood has a similar effect: it consumes system resources such as memory.
Teardrop Attack
The More Fragment (MF) bit, offset field, and length field in an IP packet indicate the segment of the original packet contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged fragment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.
Fraggle Attack
After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) return responses. Port 7 responds to the received packets with an ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the ICMP packet attack, the two UDP ports generate many invalid response packets, which occupy the network bandwidth. The attacker can send a UDP packet to the destination network whose source address is the IP address of the host to be attacked and whose destination address is the broadcast address or network address of the host's subnet, with destination port 7 or 19. All the systems with these services enabled then return packets to the target host, and the high traffic volume blocks the network or the host stops responding. In addition, the systems without these services generate ICMP-unreachable packets, which also consume bandwidth. If the source port is changed to Chargen and the destination port to ECHO, the systems generate response packets continuously and cause serious damage.
IP-Fragment Attack
In an IP packet, some fields are relevant to flag bits and fragmentation, including Fragment Offset, Length, Don't Fragment (DF), and More Fragments (MF). If these fields conflict and are not processed appropriately, the equipment may stop running. The fields conflict in the following cases:
- The DF bit is set while the MF bit is also set or the fragment offset is not 0.
- The value of DF is 0, but the sum of Fragment Offset and Length is larger than 65535.
In addition, the device must directly discard fragment packets destined for itself, because more fragments result in a heavy load in packet caching and reassembly.
Tracert Attack
A Tracert attack uses the ICMP timeout packets returned when the Time To Live (TTL) value reaches 0, together with ICMP port-unreachable packets, to trace the path through the network. In this way, the attacker can learn the network architecture.
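The attack descriptions above (Land, Smurf, Fraggle, WinNuke, IP-fragment field conflicts, and Teardrop) each reduce to a check on a few header fields, which is what an attack defense module evaluates. The following Python is an added example written for this guide, not the SPU's detection code or anything from Huawei: it classifies constructed packet records according to the signatures stated in the text. The dict field names, the protected subnet 192.168.1.0/24, and the `AttackDetector` class are assumptions for illustration; Fragment Offset is handled in 8-byte units as the IP header defines it.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LOCAL_NET = ip_network("192.168.1.0/24")   # assumed protected subnet (constructed)
MAX_IP_LEN = 65535                         # maximum total length of an IP packet


class AttackDetector:
    """Constructed classifier for the attack signatures described in the text."""

    def __init__(self, local_net=LOCAL_NET) -> None:
        self.local_net = local_net
        # byte ranges of fragments seen per (src, dst, ip_id), for Teardrop overlap detection
        self._frags: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def _is_broadcast(self, dst: str) -> bool:
        # Smurf/Fraggle send to the broadcast or network address of the victim's subnet
        a = ip_address(dst)
        return a == self.local_net.broadcast_address or a == self.local_net.network_address

    def _fragment_conflict(self, p: dict) -> bool:
        df, mf = p.get("df", False), p.get("mf", False)
        off, length = p.get("frag_offset", 0), p.get("length", 0)
        if df and (mf or off != 0):
            return True                     # DF set together with MF or a non-zero offset
        # Fragment Offset counts 8-byte units, so the byte offset is off * 8
        if not df and off * 8 + length > MAX_IP_LEN:
            return True                     # fragment would extend past the maximum IP length
        return False

    def _teardrop(self, p: dict) -> bool:
        if not (p.get("mf") or p.get("frag_offset", 0)):
            return False                    # not a fragment, nothing to reassemble
        key = (p["src"], p["dst"], p.get("ip_id", 0))
        start = p.get("frag_offset", 0) * 8
        end = start + p.get("length", 0)
        seen = self._frags.setdefault(key, [])
        overlap = any(start < e and s < end for s, e in seen)   # overlapping byte ranges
        seen.append((start, end))
        return overlap

    def classify(self, p: dict) -> Optional[str]:
        """Return the attack name for a packet record, or None for a normal packet."""
        proto = p["proto"]
        if self._fragment_conflict(p):
            return "IP-Fragment"
        if self._teardrop(p):
            return "Teardrop"
        if proto == "tcp" and p.get("syn") and p["src"] == p["dst"]:
            return "Land"                   # SYN with source == destination address
        if proto == "icmp" and p.get("type") == 8 and self._is_broadcast(p["dst"]):
            return "Smurf"                  # ICMP echo request to the broadcast address
        if proto == "udp" and p.get("dport") in (7, 19) and self._is_broadcast(p["dst"]):
            return "Fraggle"                # UDP to ECHO/Chargen at the broadcast address
        if proto == "tcp" and p.get("dport") == 139 and p.get("urg"):
            return "WinNuke"                # OOB data (URG flag) to the NetBIOS session port
        return None


# Constructed sample packets (not captured traffic) for a stand-alone run.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.1.10", "syn": True, "dport": 80, "length": 40},
    {"proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "192.168.1.255", "length": 64},
    {"proto": "udp", "src": "192.168.1.10", "dst": "192.168.1.255", "dport": 7, "length": 36},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.10", "dport": 139, "urg": True, "length": 60},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.10", "df": True, "mf": True, "length": 60},
    {"proto": "udp", "src": "10.0.0.9", "dst": "192.168.1.10", "ip_id": 7, "mf": True, "frag_offset": 0, "length": 100},
    {"proto": "udp", "src": "10.0.0.9", "dst": "192.168.1.10", "ip_id": 7, "frag_offset": 5, "length": 100},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.10", "syn": True, "dport": 80, "length": 40},
]


def classify_all(packets=SAMPLE_PACKETS) -> List[Optional[str]]:
    """Run one detector over a packet list so fragment state is kept between packets."""
    d = AttackDetector()
    return [d.classify(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, classify_all()):
        print(f"{p['proto']:4} {p['src']:>14} -> {p['dst']:<14} {verdict or 'normal'}")
```

The Teardrop check is the only stateful rule: the second fragment of IP ID 7 starts at byte 40 and overlaps the first fragment's range 0..100, so it is flagged only because the first fragment was seen earlier through the same detector instance.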
After configuring the zones and interzone, you can view information about the zones and interzone.
Applicable Environment
Before configuring the firewall, you need to configure the zones. Then you can configure the firewall based on zones or interzones.
Pre-configuration Tasks
Before configuring a zone, complete the following task:
l
Data Preparation
To configure the zone, you need the following data.
No. Data
1 Name of the zone
2 Priority of the zone
3 Interfaces that you want to add to the zone
Procedure
Step 1 Run:
system-view
A zone is created. The SPU can be configured with up to 255 zones, and no default zone is provided.
Step 3 Run:
priority security-priority
You must configure a priority for a zone before making other configurations. The priority cannot be changed. The priority ranges from 0 to 254. The priorities of the zones cannot be the same. A greater value indicates a higher priority.
----End
Prerequisite
The zone has been created through the firewall zone command.
Procedure
Step 1 Run:
system-view
The interface view is displayed. Only the XGE sub-interfaces and Eth-Trunk sub-interfaces of the SPU can be added to a zone.
Step 3 Run:
zone zone-name
The interface is added to the zone. Each zone has up to 1024 interfaces, and an interface can be added to only one zone.
----End
Procedure
Step 1 Run:
system-view
An interzone is created. You need to specify two existing zones for the interzone.
----End
Procedure
Step 1 Run:
system-view
The interzone view is displayed. The zones zone-name1 and zone-name2 have been created through the firewall zone command.
Step 3 Run:
firewall enable
The firewall is enabled. By default, the firewall function is disabled in an interzone.
----End
Procedure
- Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.
----End
Example
Run the display firewall zone [ zone-name ] [ interface | priority ] command, and you can view information about the zones, for example:
<Quidway> display firewall zone
 zone zone1
  priority is 10
  interface of the zone is (total number 1):
   XGigabitEthernet0/0/1.1
 total number is : 1
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view information about the interzone, for example:
<Quidway> display firewall interzone
 interzone zone2 zone1
Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules. The ACLs for filtering packet include the basic ACL, advanced ACL, and Layer 2 ACL.
Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL, advanced ACL, or Layer 2 ACL and configuring ACL rules
Data Preparation
To configure ACL-based packet filtering, you need the following data.
No. Data
1 Zone names
2 ACL number
3 Packet direction to which the ACL is applied
Procedure
Step 1 Run:
system-view
The ACL-based packet filtering is configured. You can configure ACL-based packet filtering in the interzone for the inbound or outbound packets.
Step 4 (Optional) Run:
packet-filter default { deny | permit } { inbound | outbound }
The default processing mode of the unmatched packets is configured. In the initial settings of the system, the outbound unmatched packets are allowed, and the inbound unmatched packets are denied. If an ACL is applied to the inbound packets or outbound packets of an interzone, the packets are filtered according to the ACL rules. If packets do not match the ACL, the default processing mode is used.
NOTE
When Layer 2 ACL is applied to the interzone, the non-Ethernet packets that do not match the ACL are discarded.
----End
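The zone model of 3.3 (unique priorities, inbound from lower to higher priority, no policy inside a zone) and the default processing in Step 4 above (unmatched inbound denied, unmatched outbound permitted) determine what happens to a packet that no ACL rule matches. The following Python is an added example written for this guide, not SPU code or anything from Huawei: it models those rules so the outcome for a given packet can be reasoned through. It assumes that a basic ACL matches on the source address, that an interzone in which the firewall is not enabled passes traffic unfiltered, and the zone names, priorities, interface names and the `ZoneFirewall` class are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Zone:
    name: str
    priority: int                      # 0..254, unique per zone; a greater value is a higher priority
    interfaces: List[str] = field(default_factory=list)


@dataclass
class AclRule:
    action: str                        # "permit" or "deny"
    source: str                        # basic ACL: matched on the source address (assumption)


@dataclass
class Interzone:
    firewall_enabled: bool = False     # firewall enable; disabled by default in an interzone
    acl: Dict[str, Optional[List[AclRule]]] = field(
        default_factory=lambda: {"inbound": None, "outbound": None})
    # initial settings from the text: unmatched inbound denied, unmatched outbound permitted
    default: Dict[str, str] = field(
        default_factory=lambda: {"inbound": "deny", "outbound": "permit"})


class ZoneFirewall:
    """Constructed model of zones, interzones and ACL-based packet filtering."""
    MAX_ZONES = 255
    MAX_INTERFACES_PER_ZONE = 1024

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.interzones: Dict[frozenset, Interzone] = {}

    def firewall_zone(self, name: str, priority: int) -> Zone:
        if len(self.zones) >= self.MAX_ZONES:
            raise ValueError("the SPU supports at most 255 zones")
        if not 0 <= priority <= 254:
            raise ValueError("priority must be in the range 0 to 254")
        if any(z.priority == priority for z in self.zones.values()):
            raise ValueError("the priorities of two zones cannot be the same")
        self.zones[name] = Zone(name, priority)
        return self.zones[name]

    def add_interface(self, iface: str, zone_name: str) -> None:
        if self.zone_of(iface) is not None:
            raise ValueError(f"{iface} already belongs to a zone")   # one zone per interface
        zone = self.zones[zone_name]
        if len(zone.interfaces) >= self.MAX_INTERFACES_PER_ZONE:
            raise ValueError("a zone holds at most 1024 interfaces")
        zone.interfaces.append(iface)

    def firewall_interzone(self, a: str, b: str) -> Interzone:
        if a not in self.zones or b not in self.zones:
            raise ValueError("both zones must exist before the interzone is created")
        return self.interzones.setdefault(frozenset({a, b}), Interzone())

    def zone_of(self, iface: str) -> Optional[Zone]:
        return next((z for z in self.zones.values() if iface in z.interfaces), None)

    def direction(self, src_zone: Zone, dst_zone: Zone) -> str:
        # inbound: lower priority to higher priority; outbound: the reverse
        return "inbound" if src_zone.priority < dst_zone.priority else "outbound"

    def evaluate(self, in_iface: str, out_iface: str, src_ip: str) -> str:
        src_zone, dst_zone = self.zone_of(in_iface), self.zone_of(out_iface)
        if src_zone is None or dst_zone is None:
            raise ValueError("both interfaces must belong to a zone")
        if src_zone is dst_zone:
            return "permit"            # intra-zone traffic is trusted: no policy is enforced
        iz = self.interzones.get(frozenset({src_zone.name, dst_zone.name}))
        if iz is None or not iz.firewall_enabled:
            return "permit"            # assumption: no enabled firewall means no filtering
        d = self.direction(src_zone, dst_zone)
        for rule in iz.acl[d] or []:   # first matching ACL rule decides
            if ip_address(src_ip) in ip_network(rule.source):
                return rule.action
        return iz.default[d]           # unmatched packets use the per-direction default


def demo() -> ZoneFirewall:
    """Two zones modelled on the display examples; zone2's priority and the ACL rule are assumed."""
    fw = ZoneFirewall()
    fw.firewall_zone("zone1", 10)
    fw.firewall_zone("zone2", 100)
    fw.add_interface("XGigabitEthernet0/0/1.1", "zone1")
    fw.add_interface("XGigabitEthernet0/0/1.2", "zone2")
    iz = fw.firewall_interzone("zone2", "zone1")
    iz.firewall_enabled = True
    iz.acl["inbound"] = [AclRule("permit", "10.1.1.0/24")]   # stands in for "packet-filter 2012 inbound"
    return fw


if __name__ == "__main__":
    fw = demo()
    print(fw.evaluate("XGigabitEthernet0/0/1.1", "XGigabitEthernet0/0/1.2", "10.2.0.1"))  # deny
```

Traffic from zone1 (priority 10) towards zone2 (priority 100) is inbound, so a source that matches no rule of the inbound ACL is dropped by the default; the same source travelling outbound is permitted by the outbound default, which is the asymmetry the text describes.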
Procedure
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
- Run the display acl acl-number command to view the ACL configuration.
----End
Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view information about packet filtering, for example:
<Quidway> display firewall interzone
 interzone zone2 zone1
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 2012 inbound
 total number is : 1
Run the display acl acl-number command, and you can view the ACL configuration.
<Quidway> display acl 2010
Basic ACL 2010, 1 rule
Acl's step is 5
 rule 5 permit vpn-instance vpnnat (0 times matched)
Applicable Environment
The blacklist can filter out the packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically. When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. Thus, all the packets from this IP address are filtered out.
Pre-configuration Tasks
Before configuring the blacklist, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used
Data Preparation
To configure the blacklist, you need the following data.
No. Data
1 IP address that you want to add to the blacklist (the VPN instance can be included)
2 (Optional) Aging time of blacklist entries
Procedure
Step 1 Run:
system-view
The blacklist function is enabled. By default, the blacklist function is disabled.
----End
Procedure
Step 1 Run:
system-view
An entry is added to the blacklist. When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time refers to the period in which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist. An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not. That is, even though the blacklist is not enabled, you can add entries, but the entries are invalid. You can add up to 4096 entries to a blacklist.
NOTE
The blacklist entries without the aging time are written to the configuration file. The entries configured with aging time are not written to the configuration file, but you can view them by using the display firewall blacklist command.
----End
Procedure
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the blacklist.
----End
Example
Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the blacklist, for example:
<Quidway> display firewall blacklist all
 Firewall Blacklist Items :
 -----------------------------------------------------------------------
 IP-Address        Reason      Expire-Time(m)      VPN-Instance
 -----------------------------------------------------------------------
 10.1.1.1          Manual      100
 -----------------------------------------------------------------------
 total number is : 1
3.6.2 Adding Entries to the Whitelist
The entries in the whitelist take effect without enabling the whitelist function.
3.6.3 Checking the Configuration
After the whitelist is configured, you can view information about the whitelist.
Applicable Environment
The whitelist is applicable to the network where some devices send valid service packets that look like IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist. If you add the VPN and IP address of a host to the whitelist, the firewall does not check the packets sent by the host that look like IP address scanning or port scanning attack, or add the IP address to the blacklist.
Pre-configuration Tasks
Before configuring the whitelist, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure the whitelist, you need the following data.
No. Data
1 IP address that you want to add to the whitelist (the VPN instance can be included)
2 (Optional) Aging time of whitelist entries
Procedure
Step 1 Run:
system-view
By running this command, you can add an entry to the whitelist manually. You can specify the IP address, aging time, and VPN instance when adding the entry. The aging time refers to the period in which the IP address is effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist. You can create up to 1024 entries in the whitelist.
----End
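The blacklist section (3.5) and the whitelist step above together describe one mechanism: entries keyed by VPN instance and IP address, an optional aging time after which an entry is released, a blacklist that can hold entries while disabled but only filters once enabled, dynamic entries added when the attack defense module detects scanning, and whitelisted hosts that are never added dynamically. The following Python is an added example written for this guide, not SPU code or anything from Huawei: it models that behaviour with time kept in minutes to mirror the Expire-Time(m) column of the display output. The `BlackWhiteList` class, the "Scan" reason label for dynamic entries and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[str]]         # (ip-address, vpn-instance or None)


@dataclass
class Entry:
    reason: str                         # "Manual" as in the display output; "Scan" is an assumed label
    expires_at: Optional[float]         # absolute time in minutes; None means permanent


class BlackWhiteList:
    """Constructed model of the SPU blacklist/whitelist behaviour described in the text."""
    MAX_BLACKLIST = 4096
    MAX_WHITELIST = 1024

    def __init__(self) -> None:
        self.enabled = False            # the blacklist function is disabled by default
        self.blacklist: Dict[Key, Entry] = {}
        self.whitelist: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        # release every aged entry; permanent entries (expires_at None) are never released
        for table in (self.blacklist, self.whitelist):
            for key in [k for k, e in table.items() if e.expires_at is not None and e.expires_at <= now]:
                del table[key]

    @staticmethod
    def _deadline(aging_min: Optional[float], now: float) -> Optional[float]:
        return None if aging_min is None else now + aging_min

    def whitelist_add(self, ip: str, vpn: Optional[str] = None,
                      aging_min: Optional[float] = None, now: float = 0.0) -> None:
        self._expire(now)
        if len(self.whitelist) >= self.MAX_WHITELIST:
            raise ValueError("the whitelist holds at most 1024 entries")
        self.whitelist[(ip, vpn)] = Entry("Manual", self._deadline(aging_min, now))

    def blacklist_add(self, ip: str, vpn: Optional[str] = None, aging_min: Optional[float] = None,
                      now: float = 0.0, reason: str = "Manual") -> None:
        # allowed whether or not the blacklist function is enabled
        self._expire(now)
        if len(self.blacklist) >= self.MAX_BLACKLIST:
            raise ValueError("the blacklist holds at most 4096 entries")
        self.blacklist[(ip, vpn)] = Entry(reason, self._deadline(aging_min, now))

    def on_scan_detected(self, ip: str, vpn: Optional[str] = None,
                         now: float = 0.0, aging_min: float = 10.0) -> bool:
        """Attack defense reports a scanning source; return True if it was blacklisted."""
        self._expire(now)
        if (ip, vpn) in self.whitelist:
            return False                # whitelisted hosts are never added dynamically
        self.blacklist_add(ip, vpn, aging_min, now, reason="Scan")
        return True

    def is_filtered(self, ip: str, vpn: Optional[str] = None, now: float = 0.0) -> bool:
        if not self.enabled:
            return False                # entries exist but are not effective until enabled
        self._expire(now)
        return (ip, vpn) in self.blacklist

    def display_blacklist(self, now: float = 0.0) -> List[Tuple[str, str, str, str]]:
        """Rows shaped like the display firewall blacklist output: IP, Reason, Expire-Time(m), VPN."""
        self._expire(now)
        rows = []
        for (ip, vpn), e in self.blacklist.items():
            remaining = "Permanent" if e.expires_at is None else str(int(e.expires_at - now))
            rows.append((ip, e.reason, remaining, vpn or ""))
        return rows


if __name__ == "__main__":
    bw = BlackWhiteList()
    bw.blacklist_add("10.1.1.1", aging_min=100)        # the manual entry from the display example
    bw.enabled = True
    for row in bw.display_blacklist(now=0):
        print("  ".join(row))
```

The sequence worth stepping through is the whitelist with an aging time: once the whitelist entry has expired, a further scan detection from the same host does add it to the dynamic blacklist, so a short whitelist aging time only suspends the protection rather than granting it permanently.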
Procedure
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.
----End
Example
Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the whitelist, for example:
<Quidway> display firewall whitelist all
 Firewall Whitelist Items :
 -----------------------------------------------------------------------
 IP-Address        Expire-Time(m)      Vpn-Instance
 -----------------------------------------------------------------------
 1.1.1.1           3                   vpn1
 1.1.1.2           Permanent           vpn2
 1.1.1.3           6
 -----------------------------------------------------------------------
 total number is : 3
Applicable Environment
When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.
Pre-configuration Tasks
Before configuring ASPF, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure ASPF, you need the following data.
No. Data
1 Names of the two zones
2 Type of the application protocol
3 (Optional) Aging time of the session table for each application layer protocol
Procedure
Step 1 Run:
system-view
ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The SPU automatically checks the packets in the two directions.
Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.
----End
Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view the ASPF information of the interzone, for example:
<Quidway> display firewall interzone
interzone zone2 zone1
firewall enable
packet-filter default deny inbound
packet-filter default permit outbound
detect aspf ftp
total number is : 1
Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known ports. The port mapping function can be applied to the features sensitive to application-layer protocols, such as ASPF.
Port mapping is applicable to the application-layer protocols such as FTP, DNS, and HTTP.
Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the SPU matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE
Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.
Pre-configuration Tasks
Before configuring port mapping, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and configuring ACL rules
Data Preparation
To configure port mapping, you need the following data.
No. Data
1 Type of application-layer protocol
2 User-defined port to be mapped
3 Number of the basic ACL
Procedure
Step 1 Run:
system-view
Port mapping is configured. You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.
NOTE
Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.
----End
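The following Python model is an added illustration written for this page; it is not Huawei code and not part of the manual. It shows the matching rule the NOTE above describes: a user-defined port mapping applies only to packets whose destination IP address hits the source address of a basic ACL rule, and the same port can mean different protocols when the mappings are distinguished by ACL. The ACL numbers, the server addresses (taken from Figure 3-2 later on this page) and port 8080 are constructed sample values; treating only a permit match as "matching an ACL rule" is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Ports the manual shows as "system defined" mappings (the display output
# lists dns -> 53); the ftp and http values are the standard well-known ports.
SYSTEM_DEFINED = {21: "ftp", 53: "dns", 80: "http"}


@dataclass(frozen=True)
class BasicAclRule:
    """One rule of a basic ACL (2000 to 2999): action plus a source prefix."""
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network


@dataclass(frozen=True)
class PortMapping:
    """User-defined mapping of a port to an application protocol, scoped by an ACL."""
    protocol: str
    port: int
    acl: int


class PortMapper:
    """Identifies the application protocol of a packet the way the manual describes:
    user-defined mappings apply only to packets selected by their basic ACL, and the
    packet's destination address is matched against the rule's source address."""

    def __init__(self):
        self.acls = {}       # ACL number -> list of BasicAclRule
        self.mappings = []   # list of PortMapping, in configuration order

    def add_acl_rule(self, acl, action, prefix):
        if not 2000 <= acl <= 2999:
            raise ValueError("port mapping uses a basic ACL (2000 to 2999)")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.acls.setdefault(acl, []).append(
            BasicAclRule(action, ipaddress.IPv4Network(prefix)))

    def add_mapping(self, protocol, port, acl):
        self.mappings.append(PortMapping(protocol, port, acl))

    def acl_selects(self, acl, dst_ip):
        """True when the packet's destination IP hits a permit rule of the ACL.
        Assumption: only a permit match selects the packet for mapping."""
        addr = ipaddress.IPv4Address(dst_ip)
        for rule in self.acls.get(acl, []):      # first matching rule decides
            if addr in rule.source:
                return rule.action == "permit"
        return False

    def identify(self, dst_ip, dst_port):
        """Return the protocol name for a packet, or None if nothing maps it."""
        for m in self.mappings:
            if m.port == dst_port and self.acl_selects(m.acl, dst_ip):
                return m.protocol
        return SYSTEM_DEFINED.get(dst_port)


def build_example_mapper():
    """Constructed example: port 8080 means HTTP towards the WWW server and FTP
    towards the FTP server, distinguished only by the ACL each mapping references."""
    pm = PortMapper()
    pm.add_acl_rule(2001, "permit", "129.38.1.4/32")   # WWW server (constructed)
    pm.add_acl_rule(2002, "permit", "129.38.1.2/32")   # FTP server (constructed)
    pm.add_mapping("http", 8080, 2001)
    pm.add_mapping("ftp", 8080, 2002)
    return pm
```

A packet to 129.38.1.4:8080 is classified as HTTP, a packet to 129.38.1.2:8080 as FTP, and a packet to any other host on port 8080 is not mapped at all, which is the behaviour an ASPF policy keyed on the protocol type would then act on.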
Procedure
l Run the display port-mapping [ dns | ftp | http | port port-number ] command to view information about port mapping.
----End
Example
Run the display port-mapping [ dns | ftp | http | port port-number ] command, and you can view information about port mapping, for example:
<Quidway> display port-mapping dns
-------------------------------------------------
Service      Port      Acl      Type
-------------------------------------------------
dns          53                 system defined
-------------------------------------------------
Applicable Environment
The SPU creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record. To change the aging time of the sessions of a protocol, you can set the aging time of the firewall session table.
Pre-configuration Tasks
Before configuring the aging time of the firewall session table, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To set the aging time of the firewall session table, you need the following data.
No. Data
1 Aging time of the session table of each application-layer protocol
Procedure
Step 1 Run:
system-view
The aging time of the firewall session table is set. By default, the aging time of each protocol is as follows:
l DNS: 120 seconds
l FTP-ctrl: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 40 seconds
NOTE
In general, you do not need to change the aging time of a session table.
----End
Procedure
l Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.
----End
Example
Run the display firewall-nat session aging-time command, and you can view the aging time of the firewall session table, for example:
<Quidway> display firewall-nat session aging-time
---------------------------------------------
tcp protocol timeout      : 600 (s)
tcp-proxy timeout         : 10 (s)
udp protocol timeout      : 40 (s)
icmp protocol timeout     : 20 (s)
dns protocol timeout      : 120 (s)
http protocol timeout     : 120 (s)
ftp-ctrl protocol timeout : 120 (s)
ftp-data protocol timeout : 120 (s)
---------------------------------------------
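The session table aging described in this section (a record that no packet matches within its aging time is deleted, with the per-protocol defaults listed above) is modelled by the following Python code. It is an added example for this page, not Huawei code; the flow keys are constructed strings and the `packet`/`age_out` method names are the example's own.

```python
from dataclasses import dataclass

# Default aging time of the firewall session table per protocol, in seconds,
# as listed in the manual.
DEFAULT_AGING = {
    "dns": 120, "ftp-ctrl": 120, "ftp-data": 120, "http": 120,
    "icmp": 20, "tcp": 600, "tcp-proxy": 10, "udp": 40,
}


@dataclass
class Session:
    proto: str
    last_seen: float    # time of the last packet that matched this record


class SessionTable:
    """Session table with per-protocol aging: a record that no packet has
    matched within its aging time is deleted on the next age-out pass."""

    def __init__(self):
        self.aging = dict(DEFAULT_AGING)
        self.sessions = {}   # flow key (here a constructed string) -> Session

    def set_aging(self, proto, seconds):
        """Change the aging time of one protocol (the equivalent of the
        aging-time configuration step of this section)."""
        if proto not in self.aging:
            raise KeyError(f"unknown protocol {proto!r}")
        if seconds <= 0:
            raise ValueError("aging time must be positive")
        self.aging[proto] = seconds

    def packet(self, key, proto, now):
        """Process one packet; returns True if it matched an existing record,
        False if a new record was created for it."""
        s = self.sessions.get(key)
        if s is None:
            self.sessions[key] = Session(proto, now)
            return False
        s.last_seen = now            # a matching packet refreshes the record
        return True

    def age_out(self, now):
        """Delete records whose aging time elapsed; returns the deleted keys."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen >= self.aging[s.proto]]
        for k in expired:
            del self.sessions[k]
        return expired
```

With the defaults, a UDP record idle since t=0 is gone at t=40 while a TCP record survives until it has been idle for 600 seconds; lowering a protocol's aging time therefore trades table occupancy against the chance of dropping a slow but legitimate flow.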
Applicable Environment
When a firewall works as a transparent firewall (also called bridge firewall), the interfaces of the firewall cannot be configured with IP addresses or NAT. The zone where the interfaces reside is the Layer 2 zone. All the external users connected to the interfaces of the Layer 2 zone belong to the same subnet. When transmitting packets between the interfaces of the Layer 2 zone, the SPU searches for an outbound interface according to the MAC addresses of packets. In this case, the SPU functions as a transparent bridge. Different from the bridge, the SPU forwards the received IP packets to the upper layer, and then determines whether to allow the packets to pass according to the session table or ACL rules. In addition, the SPU provides the attack defense functions.
The SPU in transparent mode supports the functions such as ACL-based packet filtering, ASPF detection, attack defense check, and traffic monitoring.
Pre-configuration Tasks
Before configuring the transparent firewall, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Configuring the VLAN on the interface
Data Preparation
To configure the transparent firewall, you need the following data.
No. Data
1 VLAN bridge instance ID
2 Number of the interface bound to the VLAN bridge instance
Procedure
Step 1 Run:
system-view
The VLAN bridge instance is created. By default, no VLAN bridge instance is created.
Step 3 (Optional) Run:
description description
The description of the VLAN bridge instance is set. The default description is "inter-vlan-bridge instance-id."
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number.subinterface
The sub-interface is bound to the VLAN bridge instance. A VLAN bridge instance can be bound to up to two sub-interfaces and the two sub-interfaces must belong to the same main interface. That is, a VLAN bridge instance contains up to two member interfaces. When no VLAN is configured on the sub-interface, the sub-interface cannot be bound to the VLAN bridge instance. Only one VLAN can be configured on the sub-interface where you want to bind the VLAN bridge instance. If a sub-interface is configured with IP address or NAT, the interface cannot be bound to a VLAN bridge instance.
----End
Procedure
l Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the transparent firewall.
----End
Example
Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command, and you can view information about the transparent firewall. # View information about all VLAN bridge instances.
<Quidway> display inter-vlan-bridge instance
Instance ID    Member1                     Member2
---------------------------------------------------------------------
2              XGigabitEthernet0/0/1.1     NULL
3              XGigabitEthernet0/0/1.2     XGigabitEthernet0/0/1.3
3.11.3 Setting the Parameters of Flood Attack Defense
3.11.4 Configuring Large ICMP Packet Attack Defense
3.11.5 Setting Parameters of Scanning Attack Defense
3.11.6 Checking the Configuration
After the attack defense is configured, you can view information about attack defense.
Applicable Environment
On the SPU, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.
Pre-configuration Tasks
Before configuring the attack defense function, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure the attack defense function, you need the following data.
No. Data
1 Attack type, a specified type or all types
2 Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and maximum session rate
3 Status of the TCP proxy that prevents SYN Flood attacks, including always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4 Timeout of blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5 Maximum packet length to prevent large ICMP packet attack
Context
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.
Procedure
Step 1 Run:
system-view
The ICMP Flood attack defense is enabled. After the parameters of ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 5 Run:
firewall defend icmp-redirect enable
The IP address sweeping attack defense is enabled. After the parameters of IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 9 Run:
firewall defend land enable
Step 10 Run:
firewall defend large-icmp enable
The large ICMP packet attack defense is enabled. After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 11 Run:
firewall defend ping-of-death enable
The port scanning attack defense is enabled. After the parameters of port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 13 Run:
firewall defend smurf enable
The SYN Flood attack defense is enabled. After the parameters of SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 15 Run:
firewall defend tcp-flag enable
The UDP Flood attack defense is enabled. After the parameters of UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.
Step 19 Run:
firewall defend winnuke enable
The WinNuke attack defense is enabled. By default, no attack defense function is enabled.
----End
Procedure
Step 1 Run:
system-view
The parameters of ICMP Flood attack defense are set.
Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value | tcp-proxy { auto | off | on } ]
The parameters of SYN Flood attack defense are set.
Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value ]
The parameters of UDP Flood attack defense are set.
To prevent the Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the SPU considers that an attack occurs and takes measures.
For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, then the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect.
By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense. For the Flood attack defense, you can specify up to 4096 IP addresses to protect.
----End
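The precedence rule just stated (an IP-level Flood policy overrides the policy of the zone it resides in, the zone policy takes over again once the IP policy is cancelled, a defense type acts only after it has been enabled, 1000 pps and TCP proxy on by default, at most 4096 protected IP addresses) is modelled below in Python. This is an added example for this page, not Huawei code; the zone name, IP addresses and rates are constructed sample values, and the method names are the example's own.

```python
from dataclasses import dataclass

DEFAULT_MAX_RATE = 1000      # pps, default maximum session rate for Flood attacks
MAX_PROTECTED_IPS = 4096     # upper limit of IP addresses that can be protected
FLOOD_TYPES = ("icmp-flood", "syn-flood", "udp-flood")


@dataclass
class FloodPolicy:
    max_rate: int = DEFAULT_MAX_RATE
    tcp_proxy: str = "on"    # meaningful for syn-flood only: on / off / auto


class FloodDefense:
    """Models the manual's precedence rule: an IP-level Flood policy overrides the
    policy of the zone the IP resides in, and a defense type only acts once enabled."""

    def __init__(self):
        self.enabled = set()
        self.ip_policies = {}     # (attack, ip, vpn) -> FloodPolicy
        self.zone_policies = {}   # (attack, zone) -> FloodPolicy

    def enable(self, attack):
        self._check(attack)
        self.enabled.add(attack)

    def protect_zone(self, attack, zone, max_rate=DEFAULT_MAX_RATE, tcp_proxy="on"):
        self._check(attack)
        self.zone_policies[(attack, zone)] = FloodPolicy(max_rate, tcp_proxy)

    def protect_ip(self, attack, ip, max_rate=DEFAULT_MAX_RATE, tcp_proxy="on", vpn=None):
        self._check(attack)
        protected = {(i, v) for (_, i, v) in self.ip_policies}
        if (ip, vpn) not in protected and len(protected) >= MAX_PROTECTED_IPS:
            raise ValueError("at most 4096 IP addresses can be protected")
        self.ip_policies[(attack, ip, vpn)] = FloodPolicy(max_rate, tcp_proxy)

    def unprotect_ip(self, attack, ip, vpn=None):
        """Cancel the IP-level policy; the zone policy applies again afterwards."""
        self.ip_policies.pop((attack, ip, vpn), None)

    def effective_policy(self, attack, ip, zone, vpn=None):
        """Policy that applies to sessions towards ip in zone, or None if the
        defense is not enabled or nothing protects that IP or zone."""
        if attack not in self.enabled:
            return None
        return (self.ip_policies.get((attack, ip, vpn))
                or self.zone_policies.get((attack, zone)))

    def is_attack(self, attack, ip, zone, session_rate, vpn=None):
        """True when the observed session rate exceeds the effective maximum rate."""
        p = self.effective_policy(attack, ip, zone, vpn)
        return p is not None and session_rate > p.max_rate

    @staticmethod
    def _check(attack):
        if attack not in FLOOD_TYPES:
            raise ValueError(f"not a Flood attack type: {attack}")
```

The check that a defense type has been enabled mirrors the repeated warning in the procedure above: parameters alone do not cause the SPU to act.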
The parameter of large ICMP packet attack defense is set. For the large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length. When the length of an ICMP packet exceeds the limit, the SPU considers that an attack occurs and discards the packet. By default, the maximum length of ICMP packet is 4000 bytes.
----End
Procedure
Step 1 Run:
system-view
The parameters of IP address sweep attack defense are set.
Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }
The parameters of port scanning attack defense are set. For scanning attack defense, the following two parameters need to be set:
l Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the SPU considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies the new sessions from the IP address or port.
l Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the SPU deletes the IP address from the blacklist and allows the new sessions from the IP address or port.
By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.
----End
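The two scanning-defense parameters described above (a session-rate limit that triggers blacklisting, and a blacklist timeout after which the source is allowed again) are modelled in the following Python code. It is an added example for this page, not Huawei code. The one-second sliding window used to measure the rate, the source addresses and the small rate limit used in the usage are constructed for the illustration; the defaults of 4000 pps and 20 minutes are those the manual states.

```python
from collections import defaultdict, deque

DEFAULT_SCAN_MAX_RATE = 4000          # pps, default for ip-sweep and port-scan defense
DEFAULT_BLACKLIST_EXPIRE = 20 * 60    # blacklist timeout in seconds (20 minutes)


class ScanDefense:
    """Rate-based scanning attack defense: a source whose rate of new sessions
    exceeds max_rate within one second is blacklisted, new sessions from it are
    denied, and the entry is removed after blacklist_expire seconds."""

    def __init__(self, max_rate=DEFAULT_SCAN_MAX_RATE,
                 blacklist_expire=DEFAULT_BLACKLIST_EXPIRE):
        if max_rate <= 0 or blacklist_expire <= 0:
            raise ValueError("max_rate and blacklist_expire must be positive")
        self.max_rate = max_rate
        self.blacklist_expire = blacklist_expire
        self.windows = defaultdict(deque)   # src ip -> times of new sessions in the last second
        self.blacklist = {}                 # src ip -> time at which the entry expires

    def _expire(self, now):
        """Remove blacklist entries whose timeout has elapsed."""
        for ip in [ip for ip, until in self.blacklist.items() if now >= until]:
            del self.blacklist[ip]

    def is_blacklisted(self, ip, now):
        self._expire(now)
        return ip in self.blacklist

    def new_session(self, src_ip, now):
        """Decide on a new session from src_ip at time now: "permit" or "deny"."""
        if self.is_blacklisted(src_ip, now):
            return "deny"
        window = self.windows[src_ip]
        window.append(now)
        while window and now - window[0] >= 1.0:   # keep a one-second sliding window
            window.popleft()
        if len(window) > self.max_rate:             # rate limit exceeded: scanning attack
            self.blacklist[src_ip] = now + self.blacklist_expire
            window.clear()
            return "deny"
        return "permit"
```

Once a source is blacklisted, every new session from it is denied until the timeout elapses, while other sources are unaffected; after expiry the source starts again with an empty rate window.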
Procedure
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.
----End
Example
Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command, and you can view information about attack defense.
# View the status of each attack defense function.
<Quidway> display firewall defend flag
--------------------------------
Type               Flag
--------------------------------
land             : disable
smurf            : disable
fraggle          : disable
winnuke          : disable
syn-flood        : disable
udp-flood        : disable
icmp-flood       : disable
icmp-redirect    : disable
icmp-unreachable : disable
ip-sweep         : disable
port-scan        : disable
tracert          : disable
ping-of-death    : disable
teardrop         : disable
tcp-flag         : disable
ip-fragment      : disable
large-icmp       : disable
--------------------------------
3.12.1 Establishing the Configuration Task
Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.12.2 Enabling Traffic Statistics and Monitoring
You can enable the traffic statistics and monitoring at the system level, zone level, or IP address level according to the actual situation.
3.12.3 Setting the Session Thresholds
You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring according to the actual situation.
3.12.4 Checking the Configuration
After the traffic statistics and monitoring is configured, you can view information about traffic statistics and monitoring.
Applicable Environment
System-level traffic statistics and monitoring takes effect on all the data flows in interzones that are enabled with the firewall feature. That is, the SPU collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold.
The zone-based traffic statistics and monitoring takes effect on the data flows between zones. That is, the SPU counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this zone.
The IP address-based traffic statistics and monitoring is to count and monitor the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this IP address.
Pre-configuration Tasks
Before configuring traffic statistics and monitoring, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
Data Preparation
To configure traffic statistics and monitoring, you need the following data.
No. Data
1 Type of sessions to be monitored, including TCP and UDP
2 Session threshold
3 Direction of traffic statistics and monitoring
Procedure
l Enabling system-level traffic statistics and monitoring
1. Run:
system-view
The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
l Enabling zone-level traffic statistics and monitoring
1. Run:
system-view
The zone-level traffic statistics and monitoring is enabled. By default, the zone-level traffic statistics and monitoring is disabled.
l Enabling IP address-level traffic statistics and monitoring
1. Run:
system-view
The IP address-level traffic statistics and monitoring is enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
----End
Procedure
l Setting the session thresholds for system-level traffic statistics and monitoring
1. Run:
system-view
The system-level traffic statistics and monitoring is enabled. By default, the system-level traffic statistics and monitoring is disabled.
3. Run:
firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold
The session thresholds for the system-level traffic statistics and monitoring are set. For the system-level traffic statistics, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. When the number of TCP sessions in all interzones exceeds 500000, the SPU denies all the new TCP sessions in the interzone and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the SPU generates the recovery log and sends the log to the information center. By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.
l Setting the session thresholds for zone-level traffic statistics and monitoring
1. Run:
system-view
The zone-level traffic statistics and monitoring is enabled. By default, the zone-level traffic statistics and monitoring is disabled.
4. Run:
statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
The session thresholds for the zone-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold of inbound TCP sessions to 500000. When the number of TCP sessions initiated by this zone exceeds 500000, the SPU denies new TCP sessions from this zone. By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.
l Setting the session thresholds for IP address-level traffic statistics and monitoring
1. Run:
system-view
The IP address-level traffic statistics and monitoring is enabled. By default, the IP address-level traffic statistics and monitoring is disabled.
4. Run:
statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
The session thresholds for the IP address-level traffic statistics and monitoring are set. You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the SPU denies new TCP sessions from this IP address. By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.
----End
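The upper/lower threshold pair that each of the three levels above configures is a hysteresis control: new sessions are denied and an alarm raised once the count exceeds the upper threshold, and the restriction is lifted with a recovery log only after the count has dropped again. The Python model below is an added example for this page, not Huawei code. Using the configured lower threshold as the recovery point is the example's assumption (the system-level text above speaks of 75% of the threshold); the scope keys, session type names and method names are the example's own.

```python
from dataclasses import dataclass

DEFAULT_HIGH = 500000   # default upper threshold for each session type
DEFAULT_LOW = 450000    # default lower threshold for each session type


@dataclass
class Threshold:
    high: int = DEFAULT_HIGH
    low: int = DEFAULT_LOW
    restricting: bool = False   # True while new sessions of this type are denied


class SessionMonitor:
    """Two-threshold (hysteresis) session monitoring. Scopes model the manual's
    three levels: "system", ("zone", name, direction) and ("ip", name, direction)."""

    def __init__(self):
        self.thresholds = {}   # (scope, proto) -> Threshold

    def set_threshold(self, scope, proto, high=DEFAULT_HIGH, low=DEFAULT_LOW):
        if proto not in ("frag", "icmp", "tcp", "tcp-proxy", "udp"):
            raise ValueError(f"unsupported session type {proto!r}")
        if not 0 < low <= high:
            raise ValueError("need 0 < low <= high")
        self.thresholds[(scope, proto)] = Threshold(high, low)

    def update(self, scope, proto, count):
        """Feed the current session count for a scope and session type.
        Returns (decision for new sessions, list of log events)."""
        t = self.thresholds.get((scope, proto))
        if t is None:
            return "permit", []           # monitoring not configured for this scope
        events = []
        if not t.restricting and count > t.high:
            t.restricting = True
            events.append("alarm")        # threshold exceeded: alarm to the information center
        elif t.restricting and count < t.low:
            t.restricting = False
            events.append("recovery")     # traffic back below the lower threshold: recovery log
        return ("deny" if t.restricting else "permit"), events
```

The gap between the two thresholds is what prevents a count hovering around a single limit from toggling the restriction, and the alarm log, on and off, on every sample.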
Procedure
l Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.
l Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.
l Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.
----End
Example
Run the display firewall statistics system command, and you can view information about the system-level traffic statistics and monitoring, for example:
<Quidway> display firewall statistics system
--------------------------------------------------------------------
Global system statistics config information
--------------------------------------------------------------------
Is enable                   0     <enable : 1 disable : 0 >
---------------------------------High---------------------Low-------
Tcp connect-number          500000                   450000
Udp connect-number          500000                   450000
Icmp connect-number         500000                   450000
Tcp-proxy connect-number    500000                   450000
Frag connect-number         500000                   450000
--------------------------------------------------------------------
Run the display firewall statistics zone zone-name { inzone | outzone } all command, and you can view information about the zone-level traffic statistics and monitoring. # View the inbound packet statistics of zone1.
<Quidway> system-view
[Quidway] display firewall statistics zone zone1 inzone all
ZoneID:0 Direction:IN
InTcpSetupTotal-----------------0
InTcpTearTotal------------------0
InUdpSetupTotal-----------------0
InUdpTearTotal------------------0
InIcmpSetupTotal----------------0
InIcmpTearTotal-----------------0
Run the display firewall statistics zone-ip zone-name command, and you can view information about the IP address-level traffic statistics and monitoring. # View the configuration of traffic monitoring in zone2.
<Quidway> display firewall statistics zone-ip zone2
-------------------------------------------------------------------
Zone statistics config information
-------------------------------------------------------------------
Zone in enable              0     <enable : 1 disable : 0>
---------------------------------High---------------------Low------
Tcp connect-number          500000                   450000
Udp connect-number          500000                   450000
Icmp connect-number         500000                   450000
-------------------------------------------------------------------
Zone out enable             0     <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number          500000                   450000
Udp connect-number          500000                   450000
Icmp connect-number         500000                   450000
-------------------------------------------------------------------
Ip in enable                0     <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number          500000                   450000
Udp connect-number          500000                   450000
Icmp connect-number         500000                   450000
-------------------------------------------------------------------
Ip out enable               0     <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number          500000                   450000
Udp connect-number          500000                   450000
Applicable Environment
The logs record the behaviors and status of the firewall to help you find out the security risk, analyze the attempts to violate the security policies, and detect the network attacks.
Pre-configuration Tasks
Before configuring the logs, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating a basic ACL or an advanced ACL and configuring ACL rules
Data Preparation
To configure the log function, you need the following data.
No. Data
1 Type of the log
2 IP address and port number of the session log host, and the source IP address and source port number that the SPU uses to communicate with the session log host
3 Conditions of recording session logs, including the ACL number and the direction
4 (Optional) Interval for exporting the attack defense logs or statistics logs
The log function is enabled on the firewall. The log function can be enabled according to log types or enabled for all types of logs by using the all parameter. By default, the log function is disabled on a firewall.
Step 3 Run:
firewall log session nat enable
The NAT session log is enabled. Before running the firewall log session nat enable command, you must run the firewall log session enable command. By default, the NAT session log is disabled.
----End
Context
The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the SPU uses to communicate with the log host.
An ACL is referenced in the interzone view to help decide the sessions to be recorded in the logs. The ACLs can be configured for the inbound and outbound traffic respectively.
Procedure
Step 1 Run:
system-view
The session log host is configured. By default, no session log host is configured.
Step 3 (Optional) Run:
firewall log session out-of-band enable
The SPU exports the session logs to the session log host through the outband interface (Ethernet 0/0/0). By default, the logs are not exported through Ethernet 0/0/0.
Step 4 (Optional) Run:
firewall log { blacklist | defend | session | statistics } log-interval time
The interval for exporting logs is set. By default, logs are exported every 30 seconds.
Step 5 Run:
firewall interzone zone-name1 zone-name2
The conditions of recording session logs are configured. By default, no condition is configured in an interzone for recording session logs.
----End
Procedure
l Run the display firewall log configuration command to view information about the logs on the firewall.
----End
Example
Run the display firewall log configuration command, and you can view information about the logs on the firewall, for example:
<Quidway> display firewall log configuration
defend log :
  status : enabled
  log-interval : 30 s
statistics log :
  status : enabled
  log-interval : 30 s
blacklist log :
  status : enabled
  log-interval : 30 s
session log :
  status : enabled
  log-interval : 30 s
  out-of-band status : disabled
  nat-session : disabled
  binary-log host :
    host    source
    ----:-----:--
l Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.
l Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the VLAN bridge instance.
l Run the display port-mapping [ dns | ftp | http | port port-number ] command to view the mappings between application-layer protocols and ports.
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.
l Run the display firewall log configuration command to view the global configuration of the log function.
----End
Procedure
Step 1 Run:
system-view
The statistics about communication packets in the zone are cleared.
----End
This example shows the application of ASPF and port mapping on a network. The SPU can detect the packets of the specified application-layer protocols and discard the undesired packets.
3.15.3 Example for Configuring the Blacklist
This example shows the application of the blacklist on a network. By using a blacklist, the SPU can prevent the attacks initiated by certain IP addresses.
3.15.4 Example for Configuring the Transparent Firewall
This example shows the application of the transparent firewall on a network. The SPU forwards packets to the destination VLAN through Layer 2 according to the configuration of the VLAN bridge instance.
Networking Requirements
As shown in Figure 3-2, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets between the internal network and the external network. The requirements are as follows:
l A host (202.39.2.3) on the external network is allowed to access the server in the internal network. Other hosts are not allowed to access the server on the internal network.
The SPU is installed in slot 5 of the S9300.
Figure 3-2 Networking of ACL-based packet filtering
[Figure: FTP server 129.38.1.2 and WWW server 129.38.1.4 in VLAN 10 (switch port GE1/0/10) reach Eth-Trunk0.1 of the SPU through XGE5/0/0; host 202.39.2.3 in VLAN 20 (switch port GE1/0/11) reaches Eth-Trunk0.2 through XGE5/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.
Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit
2.
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] zone untrust
[SPU-Eth-trunk0.2] quit
Step 6 Verify the configuration. After the configuration, only the specified host (202.39.2.3) can access the server on the internal network. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound
----End
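The interzone policy verified in Step 6 (default deny inbound, default permit outbound, ACL 3102 applied inbound), modelled in Python as an added example that is not part of the original manual or of the SPU software. The rules of ACL 3102 are not shown in the text, so the single rule below (permit 202.39.2.3 to the 129.38.1.0/24 server subnet) and the zone priority numbers are assumptions chosen to produce the stated effect: only the specified host can reach the internal servers.

```python
"""Interzone ACL-based packet filtering, modelled as an added illustration of
this example (not SPU code). Default deny inbound, default permit outbound,
ACL 3102 inbound. ACL content and zone priorities are assumptions."""
import ipaddress

# Assumed zone security levels: a higher number is a more trusted zone.
# Traffic from a lower to a higher level is "inbound" on the interzone.
ZONE_PRIORITY = {"trust": 85, "untrust": 5}


class Acl:
    """Ordered ACL of (action, source network, destination network); first match wins."""

    def __init__(self, number, rules):
        self.number = number
        self.rules = [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))
                      for action, src, dst in rules]

    def match(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, src_net, dst_net in self.rules:
            if src in src_net and dst in dst_net:
                return action
        return None  # no rule matched: fall back to the interzone default


class Interzone:
    """Packet filter between two zones with per-direction defaults and ACLs."""

    def __init__(self, zone_a, zone_b):
        self.zones = {zone_a, zone_b}
        self.default = {"inbound": "deny", "outbound": "permit"}
        self.acl = {}

    def direction(self, src_zone, dst_zone):
        if src_zone not in self.zones or dst_zone not in self.zones:
            raise ValueError("zone pair does not belong to this interzone")
        return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"

    def packet_filter(self, direction, acl=None, default=None):
        """Mirror of 'packet-filter <acl> inbound' and 'packet-filter default deny inbound'."""
        if acl is not None:
            self.acl[direction] = acl
        if default is not None:
            self.default[direction] = default

    def decide(self, src_zone, src_ip, dst_zone, dst_ip):
        d = self.direction(src_zone, dst_zone)
        acl = self.acl.get(d)
        hit = acl.match(src_ip, dst_ip) if acl else None
        return hit if hit is not None else self.default[d]


def build_example_policy():
    """The state shown by 'display firewall interzone trust untrust' in Step 6."""
    # Assumed content of ACL 3102: permit the external host to the server subnet.
    acl3102 = Acl(3102, [("permit", "202.39.2.3/32", "129.38.1.0/24")])
    iz = Interzone("trust", "untrust")
    iz.packet_filter("inbound", acl=acl3102, default="deny")
    iz.packet_filter("outbound", default="permit")
    return iz


if __name__ == "__main__":
    iz = build_example_policy()
    for src_zone, src, dst_zone, dst in [
        ("untrust", "202.39.2.3", "trust", "129.38.1.2"),   # allowed host to the FTP server
        ("untrust", "202.39.2.9", "trust", "129.38.1.4"),   # any other host is denied
        ("trust", "129.38.1.4", "untrust", "202.39.2.9"),   # outbound stays permitted
    ]:
        print(src_zone, src, "->", dst_zone, dst, ":", iz.decide(src_zone, src, dst_zone, dst))
```

The model makes one design point of the verified configuration visible: an ACL that matches nothing returns no decision, and the interzone default for that direction (deny inbound) is what actually protects the servers, so a typo in the ACL fails closed rather than open.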
Configuration Files
Networking Requirements
As shown in Figure 3-3, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets and perform ASPF check between the internal network and the external network. The requirements are as follows:
l A host (202.39.2.3) on the external network is allowed to access the server in the internal network. Other hosts are not allowed to access the server on the internal network.
l The SPU checks the FTP status of the connections and filters the undesired packets.
l The packets from the external host are sent to the FTP server through port 2121, which is used as the port of the FTP protocol.
Figure 3-3 Networking of ASPF and port mapping
[Figure: FTP server 129.38.1.2 and WWW server 129.38.1.4 in VLAN 10 (switch port GE1/0/10) reach Eth-Trunk0.1 of the SPU through XGE5/0/0; host 202.39.2.3 in VLAN 20 (switch port GE1/0/11) reaches Eth-Trunk0.2 through XGE5/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.
6. Configure ASPF in the interzone.
7. Map port 2121 to the HTTP protocol.
Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit
2.
Step 8 Verify the configuration. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter 3102 inbound
  packet-filter default permit inbound
  detect aspf ftp
Run the display port-mapping { dns | ftp | http | port port-number } command on the SPU, and the result is as follows:
[SPU] display port-mapping ftp
------------------------------------------------
Service    Port    Acl     Type
------------------------------------------------
ftp        21              system defined
ftp        2121    2102    user defined
-------------------------------------------------
----End
Configuration Files
Networking Requirements
As shown in Figure 3-4, Eth-Trunk1.1 of the SPU is connected to an internal network with high security, and Eth-Trunk1.2 is connected to the external network with low security. The SPU needs to apply the IP address sweeping defense and blacklist policies to the packets from the Internet to the enterprise intranet. If the SPU finds that an IP address attacks the enterprise intranet through IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes. When the SPU detects that IP address 202.39.1.2 attacks the enterprise intranet multiple times, you can add the IP address to the blacklist manually. Then the IP address will always be in the blacklist. The SPU is installed in slot 5 of the S9300. The flows on the S9300 need to be imported to the SPU through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.
[Figure 3-4: a server on the enterprise network, reached through switch ports GE2/0/1 and GE2/0/2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Enable the blacklist function.
5. Add entries to the blacklist.
6. Enable the defense against IP address sweeping or port scanning attack.
7. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.
Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit
2.
Step 6 Enable the IP address sweeping and port scanning attack defense.
[SPU] firewall defend ip-sweep enable
[SPU] firewall defend port-scan enable
Step 7 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.
[SPU] firewall defend ip-sweep max-rate 5000
[SPU] firewall defend ip-sweep blacklist-expire-time 30
[SPU] firewall defend port-scan max-rate 5000
[SPU] firewall defend port-scan blacklist-expire-time 30
Step 8 Verify the configuration. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound
Run the display firewall blacklist all command on the SPU, and the result is as follows:
[SPU] display firewall blacklist all
 Firewall Blacklist Items :
 -----------------------------------------------------------------------
 IP-Address        Reason        Expire-Time(m)        VPN-Instance
----End
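The behaviour configured in this example (auto-blacklisting of a sweeping source at max-rate 5000 pps, expiry after 30 minutes, and a manual entry for 202.39.1.2 that never ages out), modelled in Python as an added example; it is not part of the original manual or of the SPU software. The detection rule used here (more than max-rate distinct destination addresses from one source within one second) is a simplification of the SPU's IP address sweeping defense, and the traffic is constructed for the demonstration.

```python
"""IP address sweeping defense with an auto-expiring blacklist, an added
illustration of this example (not SPU code). max-rate 5000, expire 30 min,
manual permanent entry for 202.39.1.2. Detection rule is simplified."""
from collections import defaultdict

MAX_RATE_PPS = 5000        # firewall defend ip-sweep max-rate 5000
EXPIRE_MINUTES = 30        # firewall defend ip-sweep blacklist-expire-time 30


class Blacklist:
    """ip -> (reason, expiry time in seconds, or None for a permanent manual entry)."""

    def __init__(self):
        self.entries = {}

    def add(self, ip, reason, now, minutes=None):
        expire_at = None if minutes is None else now + minutes * 60
        self.entries[ip] = (reason, expire_at)

    def is_blocked(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return False
        _reason, expire_at = entry
        if expire_at is not None and now >= expire_at:
            del self.entries[ip]   # aged out, as after blacklist-expire-time
            return False
        return True

    def remaining_minutes(self, ip, now):
        """Expire-Time(m) column of 'display firewall blacklist all'; None = permanent."""
        _reason, expire_at = self.entries[ip]
        return None if expire_at is None else max(0.0, (expire_at - now) / 60)


class IpSweepDefense:
    """Counts distinct destination addresses per source within one second."""

    def __init__(self, blacklist, max_rate=MAX_RATE_PPS, expire_minutes=EXPIRE_MINUTES):
        self.blacklist = blacklist
        self.max_rate = max_rate
        self.expire_minutes = expire_minutes
        self.window = defaultdict(set)   # (src_ip, second) -> destinations seen

    def observe(self, src_ip, dst_ip, now):
        """Return 'pass' or 'drop' for one new-session packet seen at time now (seconds)."""
        if self.blacklist.is_blocked(src_ip, now):
            return "drop"
        seen = self.window[(src_ip, int(now))]
        seen.add(dst_ip)
        if len(seen) > self.max_rate:
            self.blacklist.add(src_ip, "ip-sweep", now, self.expire_minutes)
            return "drop"
        return "pass"


def run_scenario():
    """Constructed traffic: one sweeping source, one normal host, one manual entry."""
    bl = Blacklist()
    bl.add("202.39.1.2", "manual", now=0.0)           # manual entry: no expiry
    defense = IpSweepDefense(bl)
    # The sweeping source touches 5001 addresses inside the same second.
    verdicts = [defense.observe("203.0.113.7", f"10.1.{i // 256}.{i % 256}", 100.0)
                for i in range(5001)]
    result = {"first_drop_index": verdicts.index("drop")}          # the 5001st packet
    result["remaining_minutes"] = bl.remaining_minutes("203.0.113.7", 100.0)
    result["blocked_after_29_min"] = bl.is_blocked("203.0.113.7", 100.0 + 29 * 60)
    result["blocked_after_31_min"] = bl.is_blocked("203.0.113.7", 100.0 + 31 * 60)
    result["manual_entry_permanent"] = bl.is_blocked("202.39.1.2", 10.0 ** 9)
    result["normal_host"] = defense.observe("198.51.100.5", "10.1.0.1", 100.0)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two points the model makes concrete: an entry added by the defense carries a countdown that is what the Expire-Time(m) column reports, while the manual entry for 202.39.1.2 carries none and is therefore "always in the blacklist" as the requirements state; and a host that stays under max-rate is never affected, so the threshold is what separates a sweep from a busy legitimate client.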
Configuration Files
XGigabitEthernet5/0/0 1 XGigabitEthernet5/0/1 1
Networking Requirements
As shown in Figure 3-5, PC A and PC B are in different VLANs. The VLAN bridge instance is configured between the VLANs. The SPU performs Layer 2 forwarding. PC A in the trust zone can access the resources in the untrust zone. The MAC address of PC A is 000f-1f7e-fec5. The SPU is installed in slot 5 of the S9300.
Figure 3-5 Networking of transparent firewall configuration
[Figure: PC A (MAC 000f-1f7e-fec5) in the trust zone and PC B in the untrust zone, attached through switch ports GE2/0/1 and GE2/0/2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Add interfaces to VLANs.
5. Configure the VLAN bridge instance.
6. Bind the VLAN bridge instance to sub-interfaces.
7. Configure an ACL.
8. Configure packet filtering.
Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Import flows from the S9300 to the SPU.
<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit
2.
Step 5 Bind the VLAN bridge instance to the sub-interfaces of the SPU.
[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] l2 binding inter-vlan-bridge instance 127
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] l2 binding inter-vlan-bridge instance 127
Step 8 Verify the configuration. Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound
----End
Configuration Files
#
return
4 NAT Configuration
About This Chapter
Network Address Translation (NAT) translates between private and public addresses. It alleviates the shortage of IPv4 addresses and hides the topology of the private network, which improves network security.
4.1 NAT Overview
NAT enables hosts on a private network to access the public network.
4.2 NAT Features Supported by the SPU
The SPU supports the following NAT features: static NAT, Port Address Translation (PAT), internal server, NAT Application Level Gateway (ALG), Easy IP, twice NAT, and NAT multi-instance.
4.3 Configuring NAT
To implement communication between the private network and the public network through NAT, you can use Easy IP for a single user and the address pool for multiple users.
4.4 Configuration Examples
This section provides several configuration examples of NAT.
After planning the scale of the intranet, an enterprise chooses the proper private address segment for the intranet. The private address segments of enterprises can overlap each other. If an intranet does not use the IP address in the defined private address segments, errors may occur during communication with other networks.
Principle of NAT
As shown in Figure 4-1, the private address must be translated when a host on a private network accesses the Internet or interworks with the hosts on a public network.
Figure 4-1 Networking of NAT
[Figure: PCs on the private network, for example 10.1.1.10, behind the SPU.]
The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network in Web mode. The host sends a data packet, and uses port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port remains unchanged. The SPU maintains a mapping table between addresses and ports. After the Web server responds to the host, the SPU translates the destination IP address/port in the returned data packet to 10.1.1.48:6084. In this manner, the host on the private network can access the server on the public network.
Static NAT
Static NAT maps a private address to a public address. That is, the number of private addresses is equal to the number of public addresses. Static NAT cannot save public addresses, but can shield the topology of the private network. When a packet is sent from a private network to the public network, static NAT translates the source IP address of the packet to a public address. When the public network returns a response, static NAT translates the destination IP address of the response packet to the private address.
PAT
PAT, which is also called network address port translation (NAPT), maps a public address to multiple private addresses. Therefore, the public addresses are saved. PAT translates source IP addresses of packets from hosts that reside on the private network to a public address. The translated port numbers of these packets are different, and the private addresses can share a public address. A mapping table between private addresses and ports is configured for PAT. Before packets from different private addresses are sent to the public network, the PAT-enabled device replaces the source addresses with the same public address. The source port numbers of the packets, however, are replaced with different port numbers. When the public network returns response packets to private networks, the PAT-enabled device translates the destination IP addresses to private addresses according to the port numbers. Figure 4-2 shows the networking of PAT.
[Figure 4-2 Networking of PAT: the SPU translates datagram 3 from 192.168.1.2 source port 23 to 202.169.10.1 source port 11023, and datagram 4 from 192.168.1.2 source port 80 to 202.169.10.1 source port 11080.]
Internal Server
NAT can shield internal hosts. In applications, users on the public network may need to access the internal hosts. For example, users on the public network need to access a Web server or a file transfer protocol (FTP) server. You can add internal servers flexibly through NAT. For example, use 202.110.10.10 or even 202.110.10.12:8080 as the public address of the Web server, 202.110.10.11 as the public address of the FTP server. You can also provide multiple identical servers such as Web servers for external users. You can configure an internal server and map the corresponding public address and port to the internal server. In this manner, hosts on the public network can access the internal server.
Easy IP
Easy IP takes the public IP address of the interface as the source address after NAT is performed. In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.
NAT ALG
Application protocols that are incompatible with NAT cannot work normally once NAT is configured, so special processing is required. Such protocols carry an IP address and/or port number in the packet payload, which basic NAT does not translate, and the protocol interaction therefore breaks. The NAT ALG function is used for NAT traversal of these special protocols. It implements transparent transmission and relay of packets of a special protocol by replacing the IP address and port number in the payload. Currently, the NAT ALG of the SPU supports the domain name system (DNS) and FTP.
Twice NAT
The basic NAT technology translates only the source or destination address of packets, whereas the twice NAT technology translates both the source and destination addresses of packets. The twice NAT technology is applicable to the scenario where IP addresses of hosts on private and public networks are overlapped. As shown in Figure 4-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the public network. If PC2 on the private network sends a packet to PC3, the packet will be incorrectly forwarded to PC1. On the SPU, the twice NAT technology configures the mapping between the overlapped address pool and the temporary address pool based on basic NAT. The overlapped IP address is translated to a unique temporary address so that packets can be forwarded correctly.
Figure 4-3 Networking of twice NAT
[Figure: PC 1 (10.0.0.1/24) and PC 2 on the private network behind a switch; PC 3 on the public network also uses 10.0.0.1/24.]
You can configure twice NAT on the SPU as follows:
l Configure basic NAT (many-to-many NAT). Configure a NAT address pool that contains IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the interface of the WAN.
l Configure the mapping between a group of overlapped addresses and the temporary addresses: 10.0.0.0 to 3.0.0.0. The mapping indicates that one overlapped address pool maps one temporary address pool. The translation rule is as follows:
Temporary address = Start IP address in the temporary address pool + (Overlapped IP address - Start IP address in the overlapped address pool)
Overlapped address = Start IP address in the overlapped address pool + (Temporary IP address - Start IP address in the temporary address pool)
When PC2 on the private network accesses PC3 on the public network through the domain name, the packet is processed as follows:
1. PC2 sends a DNS request for resolving the domain name www.web.com of the Web server. After the DNS server resolves the DNS request, the SPU receives the response packet of the DNS server. The SPU resolves the address 10.0.0.1 in the payload of the response packet and detects that the address is the overlapped address (it matches the overlapped address pool). Then the SPU translates the address 10.0.0.1 to the temporary address 3.0.0.1. The SPU translates the destination address of the response packet through basic NAT and then sends it to PC2.
2. PC2 uses the temporary address 3.0.0.1 corresponding to www.web.com to access the public network. When a packet reaches the SPU, the SPU translates the source address of the packet through basic NAT and then translates the destination address (that is, the temporary address) of the packet to the overlapped address 10.0.0.1.
3. PC2 sends the packet to the outbound interface of the WAN. The packet is then forwarded to PC3 hop by hop.
4. When the packet sent from PC3 to PC2 reaches the SPU, the SPU checks the source address 10.0.0.1, which is the overlapped address (it matches the overlapped address pool). Then the SPU translates the source address to the temporary address 3.0.0.1. The SPU translates the destination address of the response packet through basic NAT and then sends it to PC2.
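The translation rule and the four-step packet flow above, carried out in Python as an added example; it is not code from the manual or from the SPU. The overlapped pool 10.0.0.0 and temporary pool 3.0.0.0 are the text's; the pool length of 100 is an assumption (the text gives none), and the 255-address limit is the one stated later in the twice NAT configuration context. Basic NAT, which rewrites the other address of each packet, is outside this block.

```python
"""Twice NAT overlapped-to-temporary mapping, an added illustration of the
rule and packet flow above (not SPU code). Pool length 100 is assumed."""
import ipaddress

MAX_POOL_LENGTH = 255   # limit per mapping stated for the SPU


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _to_str(n):
    return str(ipaddress.IPv4Address(n))


class OverlapMap:
    """One overlapped address pool mapped one-to-one onto a temporary pool."""

    def __init__(self, overlap_start, temp_start, length):
        if not 1 <= length <= MAX_POOL_LENGTH:
            raise ValueError(f"pool length must be 1..{MAX_POOL_LENGTH}")
        self.overlap_start = _to_int(overlap_start)
        self.temp_start = _to_int(temp_start)
        self.length = length

    def _offset(self, ip, start):
        off = _to_int(ip) - start
        return off if 0 <= off < self.length else None   # None: not in this pool

    def to_temporary(self, ip):
        """Temporary = temp start + (overlapped - overlap start); None if outside the pool."""
        off = self._offset(ip, self.overlap_start)
        return None if off is None else _to_str(self.temp_start + off)

    def to_overlapped(self, ip):
        """Overlapped = overlap start + (temporary - temp start); None if outside the pool."""
        off = self._offset(ip, self.temp_start)
        return None if off is None else _to_str(self.overlap_start + off)


def rewrite_dns_answer(omap, answer_ip):
    """Step 1: an overlapped address in the DNS answer payload becomes a temporary one."""
    return omap.to_temporary(answer_ip) or answer_ip


def outbound_destination(omap, dst_ip):
    """Step 2: the temporary destination PC2 uses becomes the real overlapped address."""
    return omap.to_overlapped(dst_ip) or dst_ip


def inbound_source(omap, src_ip):
    """Step 4: the overlapped source of PC3's reply becomes the temporary address PC2 knows."""
    return omap.to_temporary(src_ip) or src_ip


if __name__ == "__main__":
    m = OverlapMap("10.0.0.0", "3.0.0.0", 100)
    print("DNS answer 10.0.0.1 ->", rewrite_dns_answer(m, "10.0.0.1"))
    print("PC2 sends to 3.0.0.1 ->", outbound_destination(m, "3.0.0.1"))
    print("PC3 replies from 10.0.0.1 ->", inbound_source(m, "10.0.0.1"))
    print("unrelated answer 198.51.100.20 ->", rewrite_dns_answer(m, "198.51.100.20"))
```

Addresses outside the pool pass through untouched, which is why the pool length matters operationally: a public host whose address happens to fall inside the overlapped range is rewritten, one just outside it is not.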
4.3.7 Enabling NAT ALG
If NAT is used for protocol packets encapsulated into IP data packets, errors may occur. The NAT ALG function can normally translate the protocol packets.
4.3.8 Configuring DNS Mapping
On the private network, different servers such as the FTP server and Web server are deployed, but no DNS server is deployed. If hosts on the private network want to differentiate and access corresponding servers through domain names, you can configure DNS mapping.
4.3.9 Configuring Twice NAT
Twice NAT refers to translation of source and destination IP addresses of a data packet. It is applied to the situation where IP addresses of internal hosts and external hosts are overlapped.
4.3.10 Checking the Configuration
After NAT is configured, you can view information about NAT.
Applicable Environment
NAT needs to be configured at the juncture between the private network and the public network. Private and public addresses can be translated through NAT.
Pre-configuration Tasks
Before configuring NAT, complete the following task:
Data Preparation
To configure NAT, you need the following data.
No.  Data
1    Number of the public address pool, start IP address, and end IP address
2    Number of the basic ACL or advanced ACL
3    Information about the internal server, including the protocol type, public address, public port number, private address (the VPN instance may be included), and private port number (optional)
4    Information about static NAT, including the protocol type, public address, public port number, private address (the VPN instance may be included), private port number (optional), and subnet mask
5    Index of the overlapped address pool and temporary address pool, start IP address, address pool length, and VPN instance (optional)
6    Domain name, public address, and public port number
Procedure
Step 1 Run:
system-view
A public address pool is configured. A public address pool is a set of public addresses. When NAT is performed on the internal data packets, the SPU selects an IP address from the address pool as the source address. The public address pools are numbered with numerals. Up to 1024 address pools can be configured. By default, no public address pool is configured on the SPU.
----End
Procedure
Step 1 Run:
system-view
An ACL rule is associated with an address pool. After an ACL is associated with an address pool, the SPU translates the source addresses of data packets matching the ACL to an IP address in the address pool. On the same interface, different IP addresses can be translated and associated. Up to 16 IP addresses can be configured on each interface. no-pat indicates one-to-one NAT, that is, only the IP address in a datagram is translated and the port number is not translated.
----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The internal NAT server is configured. After the internal NAT server is configured, users on the public network can access servers on the private network. When a host on the public network sends a connection request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request to a private address (host-address). The request is then forwarded to the server on the private network.
Up to 1024 NAT server and static NAT entries can be configured on the SPU, and up to 64 NAT server and static NAT entries can be configured on each interface.
NOTE
When configuring the internal NAT server, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
When configuring static NAT, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.
----End
Procedure
Step 1 Run:
system-view
After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the public network through NAT. Otherwise, the application protocol cannot work normally. all indicates that NAT traversal can be used for DNS and FTP.
----End
Procedure
Step 1 Run:
system-view
The mapping from domain names to public IP addresses, port numbers, and protocol types is configured. Up to 64 mapping entries can be configured on the SPU.
----End
Context
When IP addresses of internal hosts and external hosts are overlapped, you need to configure the mapping between the overlapped address pool and the temporary address pool. After the mapping is configured, the overlapped address is translated to a unique temporary address. The packets can be forwarded correctly. In addition, you need to configure NAT outbound to implement twice NAT.
Procedure
Step 1 Run:
system-view
The overlapped address pool and temporary address pool are sets of consecutive IP addresses. The lengths of the two address pools are the same and up to 255 IP addresses can be configured in the two address pools. Up to 128 mapping entries between the overlapped address pool and the temporary address pool can be configured globally. When the VPN instance of the configuration is deleted, the configuration of twice NAT is also deleted.
----End
Procedure
l Run the display nat alg command to check whether the NAT ALG function is enabled.
l Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.
l Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.
l Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command to check information about NAT outbound.
l Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.
l Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.
l Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.
----End
Example
# Display the configuration of NAT ALG.
<Quidway> system-view
[Quidway] display nat alg
 NAT Application Level Gateway Information:
 ---------------------------------
 Application        Status
 ---------------------------------
 ftp                Disabled
 dns                Disabled
 ---------------------------------
Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command, and you can view the mapping between the overlapped address pool and the temporary address pool. For example:
# Display the configuration of all the overlapped address pools.
<Quidway> system-view
[Quidway] display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 ------------------------------------------------------------------------------
 Id   Overlap-Address   Temp-Address   Pool-Length   Inside-VPN-Instance-Name
 ------------------------------------------------------------------------------
 1    10.2.2.2          3.3.10.10      255           cmml
 ------------------------------------------------------------------------------
 Total : 1
Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command, and you can view the configuration of the NAT server. For example:
# Display the configuration of all NAT servers.
<Quidway> system-view
[Quidway] display nat server
 Nat Server Information:
 Interface : XGigabitEthernet0/0/1.1
 Global IP/Port : 210.10.10.1 21(smtp)
 Inside IP/Port : 10.10.10.1 25(smtp)
 Protocol : 6(tcp)
 VPN instance-name : ----
 Total : 1
Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command, and you can view the configuration of static NAT. For example:
# Display the global configuration of static NAT.
<Quidway> system-view
[Quidway] display nat static
 Static Nat Information:
 Interface : XGigabitEthernet0/0/1.1
 Global IP/Port : 212.10.10.1 21(smtp)
 Inside IP/Port : 100.10.10.1 25(smtp)
 Protocol : 6(tcp)
 VPN instance-name : ----
 Netmask : 255.255.255.0
 Total : 1
Figure 4-4 Networking diagram for configuring the NAT server
[Figure: switch ports GE2/0/1 (VLAN 101), GE2/0/2 (VLAN 102, 202.169.10.2/24) and GE2/0/3 (VLAN 103, FTP server B 10.0.0.3/24); SPU sub-interfaces Eth-Trunk1.1 (VLAN 101) and Eth-Trunk1.2 (VLAN 102) over XGE5/0/0 and XGE5/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure the internal server.
3. Enable the NAT ALG function for FTP.
Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit
2.
Step 3 On the SPU, enable the NAT ALG function for FTP.
[SPU] nat alg ftp enable
Step 4 Verify the configuration.
Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command on the SPU, and you can view the following information:
[SPU] display nat server
 Nat Server Information:
 Interface : Eth-Trunk1.2
 Global IP/Port : 202.169.10.5 80(www)
 Inside IP/Port : 192.168.20.2 8080
 Protocol : 6(tcp)
 VPN instance-name : ----
 Global IP/Port : 202.169.10.33 21(ftp)
 Inside IP/Port : 10.0.0.3 21(ftp)
 Protocol : 6(tcp)
 VPN instance-name : vpn_b
 Total : 2
----End
Configuration Files
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1.
2.
Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit
2.
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.32 ftp inside 10.0.0.2 ftp vpn-instance vpn_b netmask 255.255.255.252
[SPU-Eth-Trunk1.2] quit
Step 3 Verify the configuration.
Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command on the SPU, and you can view the following information:
[SPU] display nat static
 Static Nat Information:
 Interface : Eth-Trunk1.2
   Global IP/Port    : 202.169.10.2  80(www)
   Inside IP/Port    : 192.168.20.2  8080
   Protocol          : 6(tcp)
   VPN instance-name : ----
   Netmask           : 255.255.255.254
   Global IP/Port    : 202.169.10.32  21(ftp)
   Inside IP/Port    : 10.0.0.2  21(ftp)
   Protocol          : 6(tcp)
   VPN instance-name : vpn_b
   Netmask           : 255.255.255.252
 Total : 2
----End
Configuration Files
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return
Figure 4-6 Networking diagram for configuring outbound NAT
(Diagram elements: VLAN 101, VLAN 102, VLAN 103; XGE5/0/0 and XGE5/0/1 in Eth-Trunk1 with sub-interfaces Eth-Trunk1.1 and Eth-Trunk1.2; switch ports GE2/0/1, GE2/0/2, GE2/0/3; PC 1...PC n at 192.168.20.2; 202.169.10.2/24; VPN B PC 1...PC n at 10.0.0.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure outbound NAT.
Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit
2.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit
Step 3 Verify the configuration.
Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command on the SPU, and you can view the following information:
[SPU] display nat outbound
 NAT Outbound Information:
 ----------------------------------------------------------------
 Interface      Acl    Address-group/IP    Type
 ----------------------------------------------------------------
 Eth-Trunk1.2   2000   1                   no-pat
 Eth-Trunk1.2   2001   2                   pat
 ----------------------------------------------------------------
 Total : 2
----End
Configuration Files
(Networking diagram: VPN A, PC 1, 192.168.20.2/24; VPN B, PC 2, 192.168.20.2/24; switch ports GE2/0/1 (VLAN 101), GE2/0/2 (VLAN 102), GE2/0/3 (VLAN 103); 202.169.10.2/24; DNS Server)
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure the mapping between the overlapped address pool and the temporary address pool.
3. Configure common NAT outbound.
Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit
2.
Step 2 Configure DNS mapping on the SPU so that the IP address of host A returned from the DNS server to PC1 is translated to a unique temporary address.
[SPU] nat alg dns enable
[SPU] nat dns-map www.Server.com 192.168.20.2 80 tcp
Step 3 Configure the mapping between the overlapped address pool and the temporary address pool on the SPU.
[SPU] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna
Step 4 Configure the static route from the temporary address pool to Eth-Trunk 1.2 on the SPU.
[SPU] ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2
Step 5 On the outbound sub-interface Eth-Trunk1.2 of the SPU, configure NAT outbound for host A.
1. Create an ACL and configure an ACL rule to allow packets of host A to pass through.
[SPU] acl 3180
[SPU-acl-adv-3180] rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255
[SPU-acl-adv-3180] quit
2. 3.
Step 6 Verify the configuration.
Run the display nat overlap-address all command on the SPU, and you can view the mapping between the overlapped address pool and the temporary address pool.
[SPU] display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 ------------------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address   Pool-Length  Inside-VPN-Instance-Name
 ------------------------------------------------------------------------------
 0   192.168.20.2     202.169.100.2  254          vpna
 ------------------------------------------------------------------------------
 Total : 1
Run the display nat outbound command on the SPU, and you can view information about outbound NAT.
[SPU] display nat outbound
 NAT Outbound Information:
 ----------------------------------------------------------------
 Interface      Acl    Address-group/IP    Type
 ----------------------------------------------------------------
 Eth-Trunk1.2   3180   1                   pat
 ----------------------------------------------------------------
 Total : 1
----End
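The mapping that Steps 2 and 3 configure can be modelled in a few lines. The following Python is an added example, not part of the Huawei manual or of the SPU software: it parses the nat overlap-address command from the procedure above, maps addresses between the overlapped pool and the temporary pool in both directions (rejecting addresses outside the pool length or from another VPN instance), and shows what the DNS ALG rewrite of Step 2 does to an A record. The names OverlapMap, to_temp, to_overlap, rewrite_dns_answer and example_map are this example's own, and the mapping rule (an address maps at the same offset from the pool start) is an assumption about the SPU's behaviour, not something the manual states.

```python
# Added example (not from the Huawei manual or the SPU software): a model of the
# "nat overlap-address" mapping and of the DNS ALG rewrite it drives.
# Assumption: an address maps to the temporary pool at the same offset from the
# pool start, and only within pool-length addresses.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class OverlapMap:
    """One mapping: nat overlap-address <id> <overlap-start> <temp-start>
    pool-length <n> inside-vpn-instance <vpn>"""
    map_id: int
    overlap_start: ipaddress.IPv4Address
    temp_start: ipaddress.IPv4Address
    pool_length: int
    inside_vpn: str

    @classmethod
    def from_cli(cls, line: str) -> "OverlapMap":
        tokens = line.split()
        if tokens and tokens[0].startswith("["):      # drop a "[SPU]" prompt if present
            tokens = tokens[1:]
        if tokens[:2] != ["nat", "overlap-address"]:
            raise ValueError(f"not a nat overlap-address command: {line!r}")
        pool_length = int(tokens[tokens.index("pool-length") + 1])
        # The VPN keyword is matched by prefix so both "inside-vpn-instance" and
        # the manual's "inside-vpninstance" spelling parse.
        vpn_index = next(i for i, t in enumerate(tokens) if t.startswith("inside-vpn"))
        return cls(
            map_id=int(tokens[2]),
            overlap_start=ipaddress.IPv4Address(tokens[3]),
            temp_start=ipaddress.IPv4Address(tokens[4]),
            pool_length=pool_length,
            inside_vpn=tokens[vpn_index + 1],
        )

    def to_temp(self, addr: str, vpn: str) -> Optional[ipaddress.IPv4Address]:
        """Overlapped inside address -> temporary address (outbound direction).
        None when the VPN instance or the address is outside this mapping."""
        if vpn != self.inside_vpn:
            return None
        offset = int(ipaddress.IPv4Address(addr)) - int(self.overlap_start)
        if not 0 <= offset < self.pool_length:
            return None
        return self.temp_start + offset

    def to_overlap(self, addr: str) -> Optional[ipaddress.IPv4Address]:
        """Temporary address -> overlapped inside address (inbound direction)."""
        offset = int(ipaddress.IPv4Address(addr)) - int(self.temp_start)
        if not 0 <= offset < self.pool_length:
            return None
        return self.overlap_start + offset


def rewrite_dns_answer(maps: Iterable[OverlapMap], client_vpn: str, answer: str) -> str:
    """DNS ALG behaviour on an A record returned to a client in client_vpn: an
    overlapped address becomes its temporary address; anything else passes."""
    for m in maps:
        temp = m.to_temp(answer, client_vpn)
        if temp is not None:
            return str(temp)
    return answer


def example_map() -> OverlapMap:
    # The mapping from the configuration example above.
    return OverlapMap.from_cli(
        "[SPU] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna"
    )


if __name__ == "__main__":
    m = example_map()
    print(rewrite_dns_answer([m], "vpna", "192.168.20.2"))  # 202.169.100.2
    print(rewrite_dns_answer([m], "vpnb", "192.168.20.2"))  # unchanged: other VPN
    print(m.to_overlap("202.169.100.10"))                   # 192.168.20.10
```

With pool-length 254, the last overlapped address that maps is 192.168.20.255; 192.168.21.0 and any address from a VPN instance other than vpna fall outside the mapping and are returned to the client unchanged, which is exactly the case where a second VPN with the same address space is not disambiguated.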
Configuration Files
5 IPSec Configuration
About This Chapter
This chapter describes how to ensure confidentiality and integrity of data and prevent replay of data packets on a network through data encryption and data source authentication at the IP layer. Internet Key Exchange (IKE) provides the mechanism of negotiating keys and establishing security associations (SAs) to simplify the usage and management of IPSec.
5.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. Communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality and integrity of data and prevent replay of data packets on a network.
5.2 IPSec Features Supported by the SPU
The SPU supports IPSec tunnels established in manual mode or IKE negotiation mode.
5.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.
5.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity, and set up SAs on an insecure network.
5.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.
5.6 Configuration Examples
This section provides several configuration examples of IPSec.
An SA is a set of conventions adopted by the communicating parties. For example, it determines the security protocol (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key to protect certain flow, and the lifetime of the shared key. SA is the basis and essence of IPSec.
An SA is unidirectional, so you need to configure at least two SAs to protect data flows in bidirectional communication. If two peers need to communicate through both AH and ESP, each peer needs to establish two SAs for the two protocols. An SA is identified by three parameters: Security Parameter Index (SPI), destination IP address, and security protocol ID (AH or ESP).
Encapsulation mode
Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 5-1.
Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 5-2.
Figure 5-1 Packet format in transport mode
Protocol  Packet layout
AH        IP Header | AH | TCP Header | data
ESP       IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP    IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
Figure 5-2 Packet format in tunnel mode
Protocol  Packet layout
AH        new IP Header | AH | raw IP Header | TCP Header | data
ESP       new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP    new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
IPSec can use the Message Digest 5 (MD5) algorithm or Secure Hash Algorithm (SHA-1) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, whereas the SHA-1 algorithm is more secure than the MD5 algorithm. IPSec can use the DES, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) algorithms for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.
Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).
4. Associating a VPN instance with an AS
Configuring the switch as a PE and associating the VPN instance with the PE interface connected to the CE
Applicable Environment
Data flows must be authenticated to ensure data transmission security. In the scenarios demanding high security, data flows must be authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service. You can establish IPSec tunnels manually when the network topology is simple.
Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination
Data Preparation
To establish an IPSec tunnel manually, you need the following data.
No.  Data
1    Parameters of an advanced ACL
2    IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
3    Name and sequence number of the IPSec policy, local and peer IP addresses of the tunnel, inbound and outbound SPIs of AH, inbound and outbound SPIs of ESP, inbound and outbound authentication keys of AH (character strings), inbound and outbound authentication keys of ESP (character strings), inbound and outbound authentication keys of AH (hexadecimal numbers), inbound and outbound authentication keys of ESP (hexadecimal numbers), inbound and outbound encryption keys of ESP (hexadecimal numbers), (optional) VPN instance name
4    Type and number of the interface to which the IPSec policy group is applied
NOTE
You can use the AH or ESP protocol according to the actual situation.
Procedure
Step 1 Run:
system-view
An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]
NOTE
- The ACL must be configured to match the data flows accurately. It is recommended that you set the action of the ACL rule to permit for the data flows that need to be protected.
- You need to create different ACLs and IPSec policies for the data flows with different requirements for security.
----End
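To check that an ACL selects exactly the intended flows before it is bound to an IPSec policy, the following Python (an added example, not from the Huawei manual) evaluates rules of the form above against constructed sample flows. It implements wildcard-mask matching (a 0 bit in the wildcard must match, a 1 bit is ignored), first-match evaluation in rule-id order (an assumption about rule ordering), the vpn-instance qualifier, and a lint for permit rules that constrain neither source nor destination, which is the failure mode the first note above warns about. Rule, Flow, evaluate, is_protected, overly_broad_rules and example_acl are this example's own names; rule 5 of the sample ACL is the rule from the NAT example earlier on this page and rule 10 is constructed.

```python
# Added example (not from the Huawei manual): evaluates advanced ACL rules against
# sample flows with wildcard-mask semantics, so the set of flows an IPSec policy
# would protect can be checked offline. All names and sample flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Wildcard = Tuple[str, str]  # (address, wildcard): 0 bits must match, 1 bits are ignored


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                              # "permit" or "deny"
    protocol: str                            # "ip" matches every IP protocol
    source: Optional[Wildcard] = None        # None == any
    destination: Optional[Wildcard] = None   # None == any
    vpn_instance: Optional[str] = None       # None == no VPN constraint


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str
    vpn_instance: Optional[str] = None


def wildcard_match(addr: str, spec: Wildcard) -> bool:
    base, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # bits that must be equal
    return (a & care) == (b & care)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.protocol != "ip" and rule.protocol != flow.protocol:
        return False
    if rule.vpn_instance is not None and rule.vpn_instance != flow.vpn_instance:
        return False
    if rule.source is not None and not wildcard_match(flow.src, rule.source):
        return False
    if rule.destination is not None and not wildcard_match(flow.dst, rule.destination):
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> Optional[str]:
    """First rule in rule-id order that matches decides (assumed ordering);
    None means no rule matched."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(rule, flow):
            return rule.action
    return None


def is_protected(acl: List[Rule], flow: Flow) -> bool:
    """Only flows hitting a permit rule are handed to IPSec; deny and no-match are not."""
    return evaluate(acl, flow) == "permit"


def overly_broad_rules(acl: List[Rule]) -> List[int]:
    """Permit rules with neither a source nor a destination constraint select
    every flow, which is what 'match the data flows accurately' rules out."""
    return [r.rule_id for r in acl
            if r.action == "permit" and r.source is None and r.destination is None]


def example_acl() -> List[Rule]:
    # rule 5 mirrors the page's "rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255";
    # rule 10 is constructed for the example.
    return [
        Rule(5, "permit", "ip", source=("192.168.20.1", "0.0.0.255"), vpn_instance="vpna"),
        Rule(10, "deny", "tcp", source=("10.0.0.0", "0.0.0.255"), destination=("10.0.1.0", "0.0.0.255")),
    ]


if __name__ == "__main__":
    acl = example_acl()
    print(is_protected(acl, Flow("tcp", "192.168.20.2", "202.169.10.5", "vpna")))  # True
    print(is_protected(acl, Flow("tcp", "192.168.20.2", "202.169.10.5")))          # False: no VPN
    print(overly_broad_rules(acl + [Rule(15, "permit", "ip")]))                     # [15]
```

The lint is the practical point: an ACL that ends in a permit-any rule will send every unmatched flow into the tunnel, so the "deny everything else" behaviour the page relies on (unmatched flows are not protected) silently disappears.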
Procedure
Step 1 Run:
system-view
An IPSec proposal is created and the IPSec proposal view is displayed.
Step 3 (Optional) Run:
transform { ah | esp | ah-esp }
The security protocol is configured. By default, the ESP protocol defined by RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }
The authentication algorithm used by ESP is configured. By default, both ESP and AH use the MD5 authentication algorithm. You can configure the authentication and encryption algorithms only after selecting a security protocol through the transform command. For example, if ESP is selected, you can configure the authentication and encryption algorithms for ESP rather than AH.
Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]
The encryption algorithm used by ESP is configured. By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }
Context
CAUTION
When configuring SA parameters SPI, string authentication key (string-key), hexadecimal authentication key (authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound parameters on the remote end, and the outbound parameters on the local end are the same as the inbound parameters on the remote end.
Procedure
Step 1 Run:
system-view
An IPSec policy is created. An IPSec policy group can contain up to 400 IPSec policies. By default, no IPSec policy exists.
Step 3 Run:
security acl acl-number
An ACL is applied to the IPSec policy. An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy, the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy. An IPSec policy can use only one proposal. If an IPSec proposal has been applied to the IPSec policy, you must cancel the existing proposal before applying a new one to the IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must be configured with the same security protocol, algorithm, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address
The IP address of the local end of the tunnel is configured.
Step 6 Run:
tunnel remote ip-address
The IP address of the remote end of the tunnel is configured.
Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number
The SPI of the SA is configured. When configuring an SA, you need to set both inbound parameters and outbound parameters. To manually create an IPSec tunnel, you need to use the sa spi command together with the sa string-key, sa authentication-hex, or sa encryption-hex command. The SA parameters on two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.
CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up. If you configure the keys in different formats, the last configured key takes effect.
Step 8 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
The authentication key (a hexadecimal number) of the security protocol is configured.
Step 9 Run:
sa string-key { inbound | outbound } { ah | esp } string-key
The authentication key (a character string) of the security protocol is configured.
Step 10 Run:
sa encryption-hex { inbound | outbound } esp hex-key
The encryption key (a hexadecimal number) of ESP is configured.
Step 11 (Optional) Run:
sa binding vpn-instance vpn-instance-name
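The mirroring rule in the CAUTION and in Step 7 is easy to get wrong when both ends are typed in by hand, so the following Python (an added example, not from the Huawei manual or the SPU software) checks a pair of manual policies offline: each inbound SPI and key on one end must equal the outbound one on the other end, a given key must use the same format (string-key or hex) on both ends, the proposals must agree in protocol, algorithms and encapsulation mode, and the tunnel local/remote addresses must be swapped. ManualEnd, check_pair and sample_pair are this example's own names, and every SPI, key and address in it is a constructed placeholder.

```python
# Added example (not from the Huawei manual): consistency check for the manual SA
# parameters of two tunnel ends. Local inbound must equal remote outbound and
# vice versa; key formats must match; proposals must agree. All sample values
# are constructed placeholders, not real keying material.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (direction, protocol, parameter) -> (format, value); parameter is "spi", "auth" or "enc".
# Keys carry their format so a string-key on one end and a hex key on the other is
# reported as a format mismatch, which the CAUTION above says prevents tunnel setup.
Param = Tuple[str, str, str]
Value = Tuple[str, str]

OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


@dataclass
class ManualEnd:
    name: str
    tunnel_local: str
    tunnel_remote: str
    proposal: Dict[str, str]   # transform, algorithms, encapsulation mode
    sa: Dict[Param, Value]     # e.g. ("inbound", "esp", "spi") -> ("spi", "12345")


def check_pair(local: ManualEnd, remote: ManualEnd) -> List[str]:
    """Return a list of human-readable problems; empty means the ends mirror each other."""
    problems: List[str] = []
    if (local.tunnel_local, local.tunnel_remote) != (remote.tunnel_remote, remote.tunnel_local):
        problems.append("tunnel local/remote addresses are not mirrored")
    for key in sorted(set(local.proposal) | set(remote.proposal)):
        if local.proposal.get(key) != remote.proposal.get(key):
            problems.append(f"proposal {key}: {local.proposal.get(key)} vs {remote.proposal.get(key)}")
    for (direction, proto, param), (fmt, value) in local.sa.items():
        mirror = (OPPOSITE[direction], proto, param)
        if mirror not in remote.sa:
            problems.append(f"{remote.name} lacks {mirror[0]} {proto} {param} matching {local.name} {direction}")
            continue
        r_fmt, r_value = remote.sa[mirror]
        if r_fmt != fmt:
            problems.append(f"{proto} {param}: key format {fmt} on {local.name} {direction} "
                            f"vs {r_fmt} on {remote.name} {mirror[0]}")
        elif r_value != value:
            problems.append(f"{proto} {param}: {local.name} {direction} differs from {remote.name} {mirror[0]}")
    for (direction, proto, param) in remote.sa:
        back = (OPPOSITE[direction], proto, param)
        if back not in local.sa:
            problems.append(f"{local.name} lacks {back[0]} {proto} {param} matching {remote.name} {direction}")
    return problems


def sample_pair(mismatch_key_format: bool = False) -> Tuple[ManualEnd, ManualEnd]:
    """Two constructed ends A and B; with mismatch_key_format=True, B's outbound ESP
    authentication key is given as hex while A's inbound key is a character string."""
    proposal = {"transform": "esp", "esp-auth": "sha1", "esp-enc": "aes-128", "mode": "tunnel"}
    a = ManualEnd("A", "10.1.1.1", "10.1.2.1", dict(proposal), {
        ("inbound", "esp", "spi"): ("spi", "12345"),
        ("outbound", "esp", "spi"): ("spi", "54321"),
        ("inbound", "esp", "auth"): ("string-key", "placeholder-key-b-to-a"),
        ("outbound", "esp", "auth"): ("string-key", "placeholder-key-a-to-b"),
    })
    b_outbound_auth: Value = (("authentication-hex", "6b6579") if mismatch_key_format
                              else ("string-key", "placeholder-key-b-to-a"))
    b = ManualEnd("B", "10.1.2.1", "10.1.1.1", dict(proposal), {
        ("inbound", "esp", "spi"): ("spi", "54321"),
        ("outbound", "esp", "spi"): ("spi", "12345"),
        ("inbound", "esp", "auth"): ("string-key", "placeholder-key-a-to-b"),
        ("outbound", "esp", "auth"): b_outbound_auth,
    })
    return a, b


if __name__ == "__main__":
    print(check_pair(*sample_pair()))                          # []
    for problem in check_pair(*sample_pair(mismatch_key_format=True)):
        print(problem)                                         # one key-format mismatch
```

Run it against the two ends' intended values before committing the configuration; a non-empty list names the direction and protocol to fix, which is faster than reading the two tunnels' display ipsec sa output side by side.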
The IPSec policy created through an IPSec policy template cannot be used to initiate an SA negotiation but can respond to an SA negotiation.
Procedure
Step 1 Run:
system-view
An IPSec policy template is created and the IPSec policy template view is displayed.
Step 3 Run:
security acl acl-number
The specified IPSec proposals are applied to the IPSec policy template.
Step 5 Run:
sa duration { traffic-based kilobytes | time-based seconds }
The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation. By default, the time-based global lifetime is 3600 seconds; the traffic-based global lifetime is 1843200 kilobytes.
----End
Procedure
Step 1 Run:
system-view
An IPSec policy group is applied to the sub-interface. A sub-interface can use only one IPSec policy group. An IPSec policy group that establishes an SA through IKE negotiation can be applied to multiple sub-interfaces, whereas an IPSec policy group that is used to establish an SA manually can be applied only to one sub-interface. If the applied IPSec policy establishes an SA in manual mode, the SA is generated immediately.
----End
Prerequisite
The configurations required to establish an IPSec tunnel manually are complete.
Procedure
- Run the display ipsec sa command to view information about the SA.
- Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.
----End
5.4.2 Defining Data Flows to Be Protected
IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.
5.4.3 Configuring the Local Host Name Used in IKE Negotiation
The local ID type used in IKE negotiation must be the same as the remote ID type.
5.4.4 Configuring an IKE Proposal
You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.
5.4.5 Configuring an IKE Peer
5.4.6 Configuring an IPSec Proposal
Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.
5.4.7 Configuring an IPSec Policy
After configuring an IKE peer, you need to apply it to the IPSec policy. Then the two ends can start IKE negotiation.
5.4.8 (Optional) Configuring an IPSec Policy Template
An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the workload of establishing multiple IPSec tunnels.
5.4.9 (Optional) Setting Optional Parameters
This section describes how to set optional parameters for IKE negotiation.
5.4.10 Applying an IPSec Policy to a Sub-interface
A sub-interface can adopt only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple sub-interfaces.
5.4.11 Checking the Configuration
After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, configuration of the IKE peer, and configuration of the IKE proposal.
Application Environment
Data flows must be authenticated to ensure data transmission security. In the scenarios demanding high security, data flows must be authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service. When the network topology is complex, you can establish IPSec tunnels through IKE negotiation.
Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination
Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data.
No.  Data
1    Parameters of an advanced ACL
2    Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime
3    IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name
4    Security proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
5    Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation
6    (Optional) Name of the IPSec policy template
7    (Optional) Local address of the IPSec policy group, time-based global SA lifetime, traffic-based global SA lifetime, interval for sending keepalive packets, timeout interval of keepalive packets, and interval for sending NAT update packets
8    Type and number of the interface to which the IPSec policy is applied
NOTE
You can use the AH or ESP protocol according to the actual situation.
Procedure
Step 1 Run:
system-view
An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]
Procedure
Step 1 Run:
system-view
The local host name used in the IKE negotiation is configured. The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.
----End
Procedure
Step 1 Run:
system-view
An IKE proposal is created and the IKE proposal view is displayed. The IKE negotiation succeeds only when the two ends use IKE proposals with the same settings.
Step 3 Run:
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
Pre-shared key authentication is configured. When pre-shared key authentication is configured, you must set the same pre-shared key on the IKE peers.
Step 5 Run:
authentication-algorithm { md5 | sha1 }
The authentication algorithm is configured. When pre-shared key authentication is configured, an authenticator must be configured.
Step 6 (Optional) Run:
dh { group1 | group2 }
The algorithm used to generate the pseudo random number is specified.
Step 8 Run:
sa duration interval
The SA lifetime is set. If the lifetime expires, the ISAKMP SA is automatically updated. You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of manually created SAs is not limited. That is, the manually created SAs are always effective.
----End
An IKE peer is created and the IKE peer view is displayed.
Step 3 Run:
exchange-mode { main | aggressive }
The IKE negotiation mode is configured. In aggressive mode, the local ID type must be set to name in step 5. In main mode, the local ID type must be set to ip.
Step 4 Run:
ike-proposal proposal-number
The local ID type is configured. By default, the IP address of the local end is used as the local ID.
Step 6 (Optional) Run:
local-address address
The IP address of the local end of IKE negotiation is configured.
Step 7 (Optional) Run:
ike local-name router-name
The local host name used in the IKE negotiation is configured. After the local ID type is set to name, you need to set the local host name. The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.
Step 8 (Optional) Run:
peer-id-type { ip | name }
The peer ID type is configured. By default, the IP address of the local end is used as the local ID. The peer-id-type command is valid only when IKEv2 is used.
Step 9 (Optional) Run:
nat traversal
NAT traversal is enabled. When NAT traversal is enabled, exchange-mode must be set to aggressive and local-id-type must be set to name.
Step 10 Run:
pre-shared-key key-string
The pre-shared key used by the local end and remote peer is configured. If pre-shared key authentication is configured, you need to configure a pre-shared key for each remote peer. The two ends of an IPSec tunnel must be configured with the same pre-shared key. If pre-shared key authentication is configured, an authenticator must be configured.
Step 11 Run:
remote-address [ vpn-instance vpn-instance-name ] ip-address
By specifying the VPN instance that the remote end of the IPSec tunnel belongs to, you can implement multi-instance IPSec connections. The configuration takes effect only on the initiator of the tunnel. The initiator needs to obtain the outbound interface when sending packets. This command specifies the VPN that the remote end of the IPSec tunnel belongs to. According to the VPN, the tunnel initiator can obtain the outbound interface and send packets through the outbound interface. The packets received by the remote peer contain the VPN attribute, so you do not need to specify the VPN on the remote peer.
Step 13 Run:
remote-name name
The remote host name is configured (it is used only when the name authentication is used in aggressive mode).
----End
Procedure
Step 1 Run:
system-view
An IPSec proposal is created and the IPSec proposal view is displayed.
Step 3 (Optional) Run:
transform { ah | esp | ah-esp }
The security protocol is configured. By default, the ESP protocol defined by RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }
The authentication algorithm used by AH is configured. By default, AH uses the MD5 authentication algorithm.
Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]
The authentication algorithm used by ESP is configured. By default, ESP uses the MD5 authentication algorithm.
Step 6 (Optional) Run:
esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }
The encryption algorithm used by ESP is configured. By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }
The packet encapsulation mode is configured. By default, the security protocol uses the tunnel mode to encapsulate IP packets.
----End
Procedure
Step 1 Run:
system-view
An IPSec proposal is applied to the IPSec policy. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same parameter settings first.
Step 4 Run:
security acl acl-number
The SA triggering mode is configured. After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering mode. In automatic triggering mode, the IPSec SA is established immediately after IKE negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only after packets are received. By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
- In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller value as the SA lifetime.
- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set SA lifetime.
Step 7 Run:
ike-peer peer-name
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails.
----End
Procedure
Step 1 Run:
system-view
An IPSec proposal is applied to the IPSec policy template. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same parameter settings first.
Step 5 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
An IKE peer is applied to the IPSec policy template.
Step 7 (Optional) Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. By default, the PFS feature is not used in IKE negotiation.
----End
Procedure
Step 1 Run:
system-view
The global SA lifetime is set. You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of manually created SAs is not limited. That is, the manually created SAs are always effective. If the SA lifetime is not set in an IPSec policy, the global lifetime is used. The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation. Step 3 Run:
ike sa heartbeat-timer interval interval
The timeout interval of heartbeat packets is set. If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat packets must be set on the other end. On a network, packet loss rarely occurs consecutively more than three times. Therefore, the timeout interval of heartbeat packets on one end can be set to three times the interval for sending heartbeat packets on the other end. Step 5 Run:
ike sa nat-keepalive-timer interval interval
The interval for sending NAT update packets is set.
Step 6 Run:
ipsec anti-replay { enable | disable }
The IP address of the local end is configured.
Step 9 Run the following commands to configure the dead peer detection (DPD) function.
- Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
The idle time for DPD, the retransmission interval of DPD packets, and the maximum number of retransmissions are set.
- Run:
dpd msg { seq-hash-notify | seq-notify-hash }
Procedure
Step 1 Run:
system-view
The IPSec policy template is used to create an IPSec policy.
Step 3 Run:
interface interface-type interface-number.subinterface
An IPSec policy group is applied to the sub-interface. Only one IPSec policy group can be applied to a sub-interface, and one IPSec policy group can be applied to multiple sub-interfaces. After the configuration, the packets transmitted between the two ends of the IPSec tunnel trigger the establishment of an SA through IKE negotiation. In automatic triggering mode, the SA is established immediately after the IKE negotiation succeeds. In traffic-based triggering mode, the SA is established only after data flows matching the IPSec policy are sent from the sub-interface. After IKE negotiation succeeds and the SA is established, the data flows between the two ends of the tunnel are encrypted and then transmitted.
----End
Prerequisite
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.
Procedure
- Run the display ike sa command.
- Run the display ike peer [ name peer-name ] [ verbose ] command.
- Run the display ike proposal command.
----End
Prerequisite
The configurations of IPSec are complete.
Procedure
- Run the display ipsec sa [ brief | duration | hardware { { ah | esp } [ inbound | outbound ] spi spi-value peerip peer-ip-address | peer-table value } | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to view information about the SA.
- Run the display ike sa [ v2 ] [ conn-id conn-id | peer-name peer-name | phase phase-number | verbose ] command to view information about the established IPSec tunnel.
- Run the display ipsec statistics { ah | esp } command to view the statistics about IPSec packets.
- Run the display ike statistics { all | msg | v2 } command to view the statistics about IKE packets.
----End
Context
CAUTION
Cleared statistics cannot be restored, so use the following commands with caution.
Procedure
- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.
- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.
----End
Networking Requirements
As shown in Figure 5-3, an IPSec tunnel is established between SwitchA and SwitchB to protect data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm. The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.
Figure 5-3 Networking diagram for establishing an SA manually (figure not reproduced; labels shown: PC A 10.1.1.2/24; SwitchA with GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1 202.38.163.1/24, XGE0/0/1.2 202.38.168.2/24, VLAN 10, VLAN 20; Internet; SwitchB with GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1 202.38.162.1/24, XGE0/0/1.2 202.38.165.2/24, VLAN 20, VLAN 30; PC B 10.1.2.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the Switches to the SPUs.
2. Configure ACLs to define the data flows to be protected.
3. Configure static routes between the SPUs of SwitchA and SwitchB.
4. Configure IPSec proposals.
5. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
6. Apply the IPSec policies to interfaces of the SPUs.
Procedure
Step 1 Import flows from SwitchA and SwitchB to the SPUs.
1. Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
3. Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type trunk
[SwitchB-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/12] quit
[SwitchB] interface XGigabitEthernet5/0/0
[SwitchB-XGigabitEthernet5/0/0] port link-type trunk
[SwitchB-XGigabitEthernet5/0/0] port trunk allow-pass vlan 30 20
[SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchB-XGigabitEthernet5/0/0] quit
Step 2 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.
# Configure an ACL on the SPU of SwitchA.
[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[SPU-acl-adv-3101] quit
Step 3 Configure static routes between the SPUs of SwitchA and SwitchB.
# Configure a static route to the remote peer on the SPU of SwitchA.
[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
Ping PC B from PC A. The ping succeeds.
Step 4 Create IPSec proposals on the SPUs of SwitchA and SwitchB.
# Configure an IPSec proposal on the SPU of SwitchA.
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec proposal
Number of Proposals: 1
IPsec Proposal Name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96 Encryption DES
Step 5 Create IPSec policies on the SPUs of SwitchA and SwitchB.
# Configure an IPSec policy on the SPU of SwitchA.
[SPU] ipsec policy map1 10 manual
[SPU-ipsec-policy-manual-map1-10] security acl 3101
[SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10] [SPU-ipsec-policy-manual-map1-10]
Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================
SequenceNumber: 10
Security data flow: 3101
Tunnel local address: 202.38.163.1
Tunnel remote address: 202.38.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
Step 6 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.
# Apply the IPSec policy to the SPU interface on SwitchA.
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit
Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet0/0/1.1
Path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 202.38.163.1
DSCP value: 0
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
Step 7 Verify the configuration.
After the configuration is complete, PC A can ping PC B. Run the display ipsec statistics esp command to view statistics about the data packets.
----End
Configuration Files
Networking Requirements
As shown in Figure 5-4, an IPSec tunnel is established between SwitchA and SwitchB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm. The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.
Figure 5-4 Networking for establishing an SA through IKE negotiation (figure not reproduced; labels shown: PC A 10.1.1.2/24; SwitchA with GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1 202.38.163.1/24, XGE0/0/1.2 202.38.168.2/24, VLAN 10, VLAN 20; Internet; SwitchB with GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1 202.38.162.1/24, XGE0/0/1.2 202.38.165.2/24, VLAN 20, VLAN 30; PC B 10.1.2.2/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows on the Switches to the SPUs.
2. Configure an IKE proposal.
3. Specify the local host ID and the IKE peer required in IKE negotiation.
4. Configure ACLs to define the data flows to be protected.
5. Configure static routes between the SPUs of SwitchA and SwitchB.
6. Configure IPSec proposals.
7. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
8. Apply the IPSec policies to interfaces of the SPUs.
Procedure
Step 1 Import flows on SwitchA and SwitchB to the SPUs.
1. Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] port link-type access
[SwitchA-GigabitEthernet1/0/11] port default vlan 10
[SwitchA-GigabitEthernet1/0/11] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface gigabitethernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/12] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] port link-type trunk
[SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20
[SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchA-XGigabitEthernet5/0/0] quit
3. Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
Step 2 Configure the IKE proposal on the SPUs of SwitchA and SwitchB.
# Configure the IKE proposal on the SPU of SwitchA.
[SPU] ike proposal 1
[SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
[SPU-ike-proposal-1] authentication-algorithm md5
[SPU-ike-proposal-1] quit
Step 3 Configure the local IDs and IKE peers on the SPUs of SwitchA and SwitchB.
# Configure the local ID and IKE peer on the SPU of SwitchA.
[SPU] ike local-name huawei01
[SPU] ike peer spub v1
[SPU-ike-peer-spub] exchange-mode aggressive
[SPU-ike-peer-spub] ike-proposal 1
[SPU-ike-peer-spub] local-id-type name
[SPU-ike-peer-spub] pre-shared-key huawei
[SPU-ike-peer-spub] remote-name huawei02
[SPU-ike-peer-spub] remote-address 202.38.162.1
[SPU-ike-peer-spub] local-address 202.38.163.1
[SPU-ike-peer-spub] quit
NOTE
In aggressive mode, you need to configure the IP address of the remote peer (remote-address).
[SPU-ike-peer-spua] remote-address 202.38.163.1
[SPU-ike-peer-spua] local-address 202.38.162.1
[SPU-ike-peer-spua] quit
Run the display ike peer command on the SPUs of SwitchA and SwitchB to view the configuration of the IKE peers. Take the display on the SPU of SwitchA as an example.
[SPU] display ike peer name spub verbose
---------------------------------------
IKE Peer : spub
Exchange mode : aggressive on phase 1
Pre-shared-key : huawei
Local id type : name
DPD : Disable
DPD mode : Periodic
DPD idle time : 20
DPD retrans int : 5
DPD retry limit : 5
Peer ip address : 202.38.162.1
VPN name :
Local ip address : 202.38.163.1
Remote name : huawei02
Nat-traversal : Disable
Configured IKE ver : VERSION ONE
---------------------------------------
Negotiated IKE ver: VERSION ONE
----------------------------------------
Step 4 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.
# Configure an ACL on the SPU of SwitchA.
[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[SPU-acl-adv-3101] quit
Step 5 Configure static routes between the SPUs of SwitchA and SwitchB.
# Configure the SPU on SwitchA.
[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
[SPU] ip route-static 202.38.162.1 255.255.255.0 202.38.163.1
Step 6 Create IPSec proposals on the SPUs of SwitchA and SwitchB.
# Configure an IPSec proposal on the SPU of SwitchA.
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit
encapsulation-mode tunnel
transform esp
esp encryption-algorithm des
esp authentication-algorithm sha1
quit
Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec proposal
Number of Proposals: 1
IPsec Proposal Name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96 Encryption DES
Step 7 Create IPSec policies on the SPUs of SwitchA and SwitchB.
# Configure an IPSec policy on the SPU of SwitchA.
[SPU] ipsec policy map1 10 isakmp
[SPU-ipsec-policy-isakmp-map1-10] ike-peer spub
[SPU-ipsec-policy-isakmp-map1-10] proposal tran1
[SPU-ipsec-policy-isakmp-map1-10] security acl 3101
[SPU-ipsec-policy-isakmp-map1-10] quit
Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================
SequenceNumber: 10
Security data flow: 3101
IKE-peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Step 8 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.
# Apply the IPSec policy to the SPU interface on SwitchA.
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit
Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet 0/0/1.1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.38.163.1
tunnel remote: 202.38.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
Step 9 Verify the configuration. After the configuration is complete, PC A can ping PC B. The data transmitted between PC A and PC B is encrypted. Run the display ike sa command on an SPU, and the following information is displayed:
[SPU] display ike sa
Conn-ID  Peer            VPN  Flag(s)  Phase  version
-------------------------------------------------------------
14       202.38.162.1    0    RD|ST    1      IPSEC
16       202.38.162.1    0    RD|ST    2      IPSEC
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
----End
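The two examples above only succeed when the SPUs mirror each other: in the manual example, SwitchA's inbound SPI and string key must be SwitchB's outbound pair and vice versa; in the IKE example, the proposal and protected flows must match and PFS, if used, must name the same Diffie-Hellman group on both peers. The following Python check is an added example (not Huawei code) that models those settings as plain data and reports the mismatches. SwitchA's values come from the displays above; the SwitchB values and the two misconfigured variants are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Proposal:
    """IPSec proposal as created with 'ipsec proposal' (values of tran1 above)."""
    transform: str = "esp"
    encapsulation_mode: str = "tunnel"
    esp_encryption: str = "des"
    esp_authentication: str = "sha1"

@dataclass(frozen=True)
class ManualSa:
    """One direction of a manually keyed ESP SA: its SPI and string key."""
    spi: int
    string_key: str

@dataclass(frozen=True)
class Flow:
    """The 'security acl' rule: source and destination subnets to protect."""
    source: str
    destination: str

@dataclass
class IpsecEnd:
    name: str
    mode: str                              # "manual" or "isakmp"
    tunnel_local: str
    tunnel_remote: str
    proposal: Proposal
    flow: Flow
    inbound: Optional[ManualSa] = None     # manual mode only
    outbound: Optional[ManualSa] = None    # manual mode only
    pfs: Optional[str] = None              # isakmp mode: "dh-group1", "dh-group2" or None

def check_pair(a: IpsecEnd, b: IpsecEnd) -> List[str]:
    """Return the mismatches between the two ends; an empty list means consistent."""
    problems: List[str] = []
    if a.mode != b.mode:
        problems.append(f"mode differs: {a.name}={a.mode}, {b.name}={b.mode}")
    if a.tunnel_local != b.tunnel_remote or a.tunnel_remote != b.tunnel_local:
        problems.append("tunnel local/remote addresses are not mirrored")
    if a.proposal != b.proposal:
        problems.append("IPSec proposals differ")
    # Each end must protect the reverse of the other end's flow.
    if (a.flow.source, a.flow.destination) != (b.flow.destination, b.flow.source):
        problems.append("protected data flows (ACL rules) are not mirrored")
    if a.mode == "manual":
        problems += _check_manual(a, b)
    elif a.mode == "isakmp" and a.pfs != b.pfs:
        # PFS must be set on both peers with the same Diffie-Hellman group.
        problems.append(f"PFS/DH group differs: {a.name}={a.pfs}, {b.name}={b.pfs}")
    return problems

def _check_manual(a: IpsecEnd, b: IpsecEnd) -> List[str]:
    """Manual SAs: A's inbound SPI/key must equal B's outbound, and vice versa."""
    problems: List[str] = []
    for end in (a, b):
        if end.inbound is None or end.outbound is None:
            problems.append(f"{end.name}: manual policy lacks an inbound or outbound SA")
    if problems:
        return problems
    if a.inbound != b.outbound:
        problems.append(f"{a.name} inbound SA does not match {b.name} outbound SA (SPI or key)")
    if a.outbound != b.inbound:
        problems.append(f"{a.name} outbound SA does not match {b.name} inbound SA (SPI or key)")
    return problems

TRAN1 = Proposal()
A_TO_B = Flow("10.1.1.0/24", "10.1.2.0/24")
B_TO_A = Flow("10.1.2.0/24", "10.1.1.0/24")

# SwitchA values are those in the 'display ipsec policy' output above.
SWITCH_A_MANUAL = IpsecEnd("SwitchA", "manual", "202.38.163.1", "202.38.162.1", TRAN1, A_TO_B,
                           inbound=ManualSa(54321, "gfedcba"), outbound=ManualSa(12345, "abcdefg"))
# SwitchB is constructed as the mirror image (its configuration is not shown on the page).
SWITCH_B_MANUAL = IpsecEnd("SwitchB", "manual", "202.38.162.1", "202.38.163.1", TRAN1, B_TO_A,
                           inbound=ManualSa(12345, "abcdefg"), outbound=ManualSa(54321, "gfedcba"))
# Constructed misconfiguration: two transposed characters in SwitchB's outbound key.
SWITCH_B_MANUAL_BAD_KEY = IpsecEnd("SwitchB", "manual", "202.38.162.1", "202.38.163.1", TRAN1, B_TO_A,
                                   inbound=ManualSa(12345, "abcdefg"), outbound=ManualSa(54321, "gfedcab"))

# IKE example: 'Perfect forward secrecy: None' on SwitchA; the PFS variant of SwitchB is constructed.
SWITCH_A_IKE = IpsecEnd("SwitchA", "isakmp", "202.38.163.1", "202.38.162.1", TRAN1, A_TO_B)
SWITCH_B_IKE = IpsecEnd("SwitchB", "isakmp", "202.38.162.1", "202.38.163.1", TRAN1, B_TO_A)
SWITCH_B_IKE_PFS = IpsecEnd("SwitchB", "isakmp", "202.38.162.1", "202.38.163.1", TRAN1, B_TO_A,
                            pfs="dh-group2")

if __name__ == "__main__":
    for label, pair in [("manual ok", (SWITCH_A_MANUAL, SWITCH_B_MANUAL)),
                        ("manual bad key", (SWITCH_A_MANUAL, SWITCH_B_MANUAL_BAD_KEY)),
                        ("ike ok", (SWITCH_A_IKE, SWITCH_B_IKE)),
                        ("ike pfs mismatch", (SWITCH_A_IKE, SWITCH_B_IKE_PFS))]:
        print(label, check_pair(*pair) or ["consistent"])
```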
Configuration Files
remote-name huawei02
remote-address 202.38.162.1
local-address 202.38.163.1
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3101
ike-peer spub
proposal tran1
#
acl number 3101
rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
ip route-static 202.38.162.1 255.255.255.0 202.38.163.1
#
interface XGigabitEthernet0/0/1.1
control-vid 20 dot1q-termination
dot1q termination vid 20
ip address 202.38.163.1 255.255.255.0
ipsec policy map1
arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
control-vid 10 dot1q-termination
dot1q termination vid 10
ip address 202.38.163.2 255.255.255.0
arp broadcast enable
#
return
6 NetStream Configuration
About This Chapter
This chapter describes the working principle of NetStream and provides configuration examples.
6.1 Overview of NetStream
This section describes the working principle of NetStream.
6.2 NetStream Features Supported by the SPU
This section describes the NetStream features supported by the SPU.
6.3 Collecting IPv4 Traffic Statistics
This section describes how to collect statistics about IPv4 traffic passing through an interface.
6.4 Collecting IPv6 Traffic Statistics
This section describes how to collect statistics about IPv6 traffic passing through an interface.
6.5 Collecting MPLS Traffic Statistics
This section describes how to collect statistics about MPLS traffic passing through an interface.
6.6 Configuring the Aggregation Statistics About Traffic
This section describes how to configure the statistics about IPv4 and MPLS aggregation traffic passing through an interface.
6.7 Configuring the Flexible NetStream Feature
This section describes how to configure the Flexible NetStream feature to flexibly create NetStream statistics according to records.
6.8 Example for Configuring NetStream
This section provides several configuration examples of NetStream.
Concepts of NetStream
NetStream is a technology for collecting and advertising statistics about network traffic. It classifies and collects statistics about the communication traffic and resource usage on the network. NetStream also supports network management and charging based on service types and QoS. NetStream involves three types of devices:
- NetStream Data Exporter (NDE): The NDE collects and sends traffic statistics.
- NetStream Collector (NSC): The NSC receives and stores the traffic statistics sent by the NDE.
- NetStream Data Analyzer (NDA): The NDA analyzes the traffic statistics. The analysis result provides the basis for network accounting, network planning, network monitoring, and application monitoring and analysis.
NetStream Application
Because the IP network is connectionless, communications among different types of services are realized by the transmission of IP packets from one terminal to another. Such IP packets constitute a data stream of a particular service on the network. Most data streams on the network are ephemeral and bidirectional. Based on the destination IP address, source IP address, destination port number, source port number, protocol number, Type of Service (ToS), and inbound and outbound interfaces of packets, NetStream identifies different streams and collects statistics for each stream. The switch regularly sends the collected traffic statistics to the NSC for further processing, and the statistics are then sent to the NDA for data analysis. The report generated based on the analysis result is the basis for accounting and network planning, as shown in Figure 6-1.
Figure 6-1 Diagram of NetStream data collection and analysis (figure not reproduced; labels shown: SwitchA, SwitchB, NSC, NDA)
NOTE
The version of the exported packets of the original traffic is V5 or V9. By default, the version of exported statistics packets is V5 and the version of exported IPv6 statistics packets is V9. To export statistics about MPLS traffic, set the version to V9. The version of the exported packets of the aggregation traffic is V8 or V9. By default, the version number of the exported packets of IPv4 aggregation traffic is V8 and that of MPLS aggregation traffic is V9. The version of the exported packets of the Flexible traffic is V9.
Statistics Aggregation
The SPU supports aggregation based on as, as-tos, protocol-port, protocol-port-tos, mpls-label, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.
Aging Types
The SPU supports the following aging types:
- Aging depending on the inactive aging time: after the inactive aging time is set, the traffic is aged if the SPU does not receive any packet of the traffic within that period. The statistics collection then ends and the result is sent to the NSC.
- Aging depending on the active aging time: after the active aging time is set, the traffic is aged once that period has elapsed since the first packet of the traffic was collected. The statistics collection then ends and the result is sent to the NSC.
- Aging depending on the FIN or RST flag in TCP streams: if the traffic received by the SPU contains a TCP packet with the FIN or RST flag, the traffic is aged. The statistics collection then ends and the result is sent to the NSC.
- Aging depending on byte overflow: if the number of bytes in the statistics reaches a certain value, the traffic is aged. This function is enabled by default.
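The following Python model is an added example (not Huawei code) of the flow-cache behaviour described in the NetStream Application and Aging Types sections above: flows are keyed on the seven fields NetStream uses to tell streams apart, and whichever of the four aging conditions is met first closes the flow and hands its record to the collector. The packet trace, the short timeouts and the byte-overflow threshold are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04

# Key fields named on the page: src/dst IP, src/dst port, protocol, ToS, inbound and outbound interface.
FlowKey = Tuple[str, str, int, int, int, int, str, str]

@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    in_if: str
    out_if: str
    length: int          # bytes
    tcp_flags: int = 0

@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

@dataclass(frozen=True)
class FlowRecord:
    """What the NDE exports to the NSC once a flow has aged."""
    key: FlowKey
    packets: int
    octets: int
    reason: str          # "inactive", "active", "tcp-flag" or "byte-overflow"

class FlowCache:
    """Flow table with the four aging conditions; whichever is met first ages the flow."""

    def __init__(self, inactive_timeout: float = 30.0, active_timeout: float = 1800.0,
                 tcp_flag_aging: bool = False, byte_limit: int = 2 ** 32 - 1) -> None:
        self.inactive_timeout = inactive_timeout   # SPU default: 30 s
        self.active_timeout = active_timeout       # SPU default: 30 min
        self.tcp_flag_aging = tcp_flag_aging       # 'ip netstream tcp-flag enable'
        self.byte_limit = byte_limit               # overflow threshold (assumed value)
        self.flows: Dict[FlowKey, Flow] = {}
        self.exported: List[FlowRecord] = []       # stands in for the NSC

    def _export(self, key: FlowKey, reason: str) -> None:
        f = self.flows.pop(key)
        self.exported.append(FlowRecord(key, f.packets, f.octets, reason))

    def age(self, now: float) -> None:
        """Time-based aging; run before every packet and again at shutdown."""
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - f.first_seen >= self.active_timeout:
                self._export(key, "active")

    def add(self, p: Packet) -> None:
        self.age(p.ts)   # an idle or long-lived flow is exported before this packet is counted
        key: FlowKey = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if, p.out_if)
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key, p.ts, p.ts)
        f.last_seen = p.ts
        f.packets += 1
        f.octets += p.length
        if self.tcp_flag_aging and p.proto == TCP and p.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-flag")
        elif f.octets >= self.byte_limit:
            self._export(key, "byte-overflow")

def _pkt(ts: float, src: str, dst: str, sport: int, dport: int, proto: int,
         length: int, flags: int = 0) -> Packet:
    return Packet(ts, src, dst, sport, dport, proto, 0, "XGE0/0/1", "XGE0/0/2", length, flags)

def run_demo() -> List[FlowRecord]:
    """Constructed packet trace with deliberately short timeouts so each aging type fires."""
    cache = FlowCache(inactive_timeout=30, active_timeout=60, tcp_flag_aging=True, byte_limit=1000)
    web = ("10.1.1.2", "10.1.2.2", 40000, 80, TCP)
    dns = ("10.1.1.2", "10.1.2.2", 5000, 53, UDP)
    syslog = ("10.1.1.3", "10.1.2.3", 6000, 514, UDP)
    bulk = ("10.1.1.4", "10.1.2.4", 7000, 2055, UDP)
    packets = [
        _pkt(0, *web, 100), _pkt(1, *dns, 80),
        _pkt(2, *syslog, 400), _pkt(3, *syslog, 400), _pkt(4, *syslog, 400),  # 1200 B -> byte-overflow
        _pkt(5, *web, 200), _pkt(10, *web, 60, TCP_FIN),                       # FIN -> tcp-flag
        _pkt(50, *dns, 80),                                                     # 49 s idle -> inactive
    ] + [_pkt(t, *bulk, 100) for t in range(60, 140, 10)]                       # 80 s steady -> active
    for p in packets:
        cache.add(p)
    cache.age(200)       # final sweep: anything still idle is aged as inactive
    return cache.exported
```

run_demo() returns the exported records in the order the flows aged: byte-overflow, tcp-flag, inactive (the 49 s DNS gap), inactive (the second DNS flow), active (the steady UDP flow after 60 s) and a final inactive for what the closing sweep found.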
Flexible NetStream
Flexible NetStream provides users with a flexible way to collect NetStream statistics. You can collect traffic statistics based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or traffic label as required. The SPU can send the traffic statistics on an interface to the NSC.
Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU
Data Preparation
To configure NetStream, you need the following data.
No.  Data
1    Name and number of the interface on which traffic statistics need to be collected
2    Version of the exported packets of the NetStream traffic statistics
3    IP addresses and port numbers of the NSC
The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ip netstream inbound
The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic. By default, NetStream is disabled for IPv4 traffic. Currently, NetStream can be enabled only on XGigabitEthernet 0/0/1.
----End
The version of exported packets is configured. By default, the version of exported packets is v5, the AS option is none, and the statistics do not contain the information about the BGP nexthop.
NOTE
At present, only the packets of v9 contain the information about the BGP nexthop.
----End
Procedure
Step 1 Run:
system-view
The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.
Step 3 Run:
ip netstream export host ip-address port-number
The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to two destination addresses so that the two NSCs back each other up.
----End
6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
Context
The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip netstream tcp-flag enable
The TCP traffic will be aged according to its FIN or RST flag in the TCP packet header. By default, the TCP traffic is not aged according to the FIN or RST flag.
NOTE
If multiple aging conditions are configured on the SPU, the traffic ages when it meets any condition.
----End
6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.
Procedure
Step 1 Run:
system-view
The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.
----End
6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view
The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.
----End
Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.
----End
Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU
Data Preparation
To configure NetStream, you need the following data.
No.  Data
1    Name and number of the interface on which traffic statistics need to be collected
2    Version of the exported packets of the NetStream traffic statistics
3    IP addresses and port numbers of the NSC
The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ipv6 netstream inbound
The NetStream function is enabled on the interface to collect statistics about IPv6 unicast traffic. By default, NetStream is disabled for IPv6 traffic. Currently, NetStream can be enabled only on XGigabitEthernet 0/0/1.
----End
Procedure
Step 1 Run:
system-view
The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.
Step 3 Run:
ipv6 netstream export host ip-address port-number
The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to two destination addresses so that the two NSCs back each other up.
----End
6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
Context
The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.
Procedure
Step 1 Run:
system-view
The TCP traffic will be aged according to its FIN or RST flag in the TCP packet header. By default, the TCP traffic is not aged according to the FIN or RST flag.
NOTE
If multiple aging conditions are configured on the SPU, the traffic ages when it meets any condition.
----End
6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.
Procedure
Step 1 Run:
system-view
The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.
----End
6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view
The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.
----End
Procedure
Step 1 Run the display ipv6 netstream all command to view the NetStream configuration.
----End
Example
View the NetStream configuration.
[Quidway]display ipv6 netstream all
system
ipv6 netstream timeout inactive 300
ipv6 netstream export source 6.6.6.1
ipv6 netstream export host 5.0.132.2 10
ipv6 netstream export host 1.1.1.1 20
ip netstream record test0
match ipv4 source-port
match ipv6 source-address
match ipv6 destination-address
collect counter packets
collect counter bytes
collect interface input
collect interface output
Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU
Data Preparation
To configure NetStream, you need the following data.
1. Name and number of the interface on which traffic statistics need to be collected
2. Version of the exported packets of the NetStream traffic statistics
3. IP addresses and port numbers of the NSC
The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ip netstream mpls inbound
The statistics function of MPLS is enabled. By default, NetStream is disabled for the MPLS traffic. Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.
----End
Procedure
Step 1 Run:
system-view
The version of exported statistics packets is set to V9. By default, the version of exported packets is V5, the AS option is none, and the statistics do not contain the information about the BGP nexthop.
----End
Procedure
Step 1 Run:
system-view
The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.
Step 3 Run:
ip netstream export host ip-address port-number
The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to 2 destination addresses to implement the backup between 2 NSCs.
----End
6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.
Procedure
Step 1 Run:
system-view
The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.
----End
6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view
The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.
----End
Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.
----End
6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic
6.6.8 Checking the Configuration
Pre-configuration Tasks
Before configuring NetStream for aggregation traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU
Data Preparation
To complete the configuration, you need the following data.
1. Name and number of the interface on which traffic statistics need to be collected
2. Version number of exported packets of the NetStream traffic statistics
3. IP addresses and port numbers of the NSC
By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ip netstream inbound
The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic. To enable the NetStream function for MPLS traffic, run the ip netstream mpls inbound command. By default, NetStream is disabled for IPv4 or MPLS traffic. Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.
----End
To collect statistics about the MPLS aggregation traffic passing an interface, enable the mpls-label mode.
----End
export version version
The version of the exported packets is configured. By default, the version of the exported packets is V8.
NOTE
When the mpls-label mode is enabled, the version of exported packets cannot be set. The default version V9 is used.
----End
The source address for exporting statistics is configured.
Step 4 (Optional) Run:
ip netstream export host ip-address port-number
The destination address for exporting statistics is configured. The destination NSC address of the exported statistics can be configured in either the system view or the NetStream aggregation view. The priority of the destination NSC address configured in the NetStream aggregation view is higher than that configured in the system view. After the destination NSC address is successfully configured:
- Original traffic can only be sent to the destination NSC address configured in the system view.
- Aggregation traffic is sent to the destination NSC address configured in the NetStream aggregation view. If no destination NSC address is configured in the NetStream aggregation view, aggregation traffic is sent to the destination NSC address configured in the system view.
----End
6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic
Procedure
Step 1 Run:
system-view
The inactive aging time of the aggregation traffic is set. By default, the inactive aging time of the aggregation traffic is 30s.
----End
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic
Procedure
Step 1 Run:
system-view
The active aging time of the aggregation traffic is set. By default, the active aging time of the aggregation traffic is 30 minutes.
----End
Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.
----End
6.7.1 Establishing the Configuration Task
6.7.2 Creating a Record and Entering the Record View
6.7.3 Configuring Aggregation Key Words of Records
6.7.4 (Optional) Configuring the Exported Traffic Statistics
6.7.5 Enabling Flexible NetStream on Interfaces
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface
6.7.7 Checking the Configuration
Pre-configuration Tasks
Before configuring Flexible NetStream, complete the following task:
- Setting physical parameters on interfaces
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU
Data Preparation
To complete the configuration, you need the following data.
1. Name and number of the interface on which traffic statistics need to be collected
2. IP addresses and port numbers of the NSC
The IPv4 aggregation key words of records are configured.
Step 4 (Optional) Run:
match ipv6 { protocol | tc | source-address | destination-address | source-port | destination-port | flow-label }
The traffic statistics sent to the NSC contain the indexes of the inbound interface and outbound interface of the flows.
----End
Only one record can be configured on a XGE interface. To modify the record in the same interface view, you must first delete the existing configuration by running the undo port ip netstream record command.
----End
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface
Procedure
Step 1 Run:
system-view
The packet sampling ratio is set on the XGE interface.
Step 4 Run:
ip netstream inbound
The NetStream function is enabled for the IPv4 traffic on the XGE interface.
Step 5 Run:
ipv6 netstream inbound
The NetStream function is enabled for the IPv6 traffic on the XGE interface.
----End
Procedure
Step 1 Run the display ip netstream all and display ipv6 netstream all commands to view the NetStream configuration.
----End
[Figure 6-2: networking diagram showing the user network, Switch A, Switch B and XGE0/0/1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set IP addresses for interfaces on Switch A and Switch B.
2. Mirror the traffic on Switch B to the SPU.
3. Enable NetStream on the SPU to collect statistics about the inbound traffic.
4. Configure the SPU to export statistics to the NSC and configure the source address of the statistics.
5. Set the aging mode and aging time of packets.
Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- Address and port number of the NSC and source address contained in the packets
Procedure
Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-2. The configuration procedure is not mentioned here.
Step 2 Mirror the traffic on Switch B to the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE
Step 3 Enable NetStream on the SPU to collect traffic statistics on the inbound interface.
# Enable NetStream on XGigabitEthernet0/0/1 of the SPU to collect traffic statistics on the inbound interface.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream inbound
Step 4 Set the SPU to export statistics to the NSC. You must also configure the source address of the statistics. Configure the SPU to export statistics to the NSC with the IP address 10.2.1.2 and UDP port 6000.
[SPU] ip netstream export host 10.2.1.2 6000
Step 5 Set the aging mode and aging time of the original traffic.
# Set the inactive aging time of the original traffic to 100 seconds.
[SPU] ip netstream timeout inactive 100
# Set the aging of the original traffic according to the FIN flag in the TCP packet header.
[SPU] ip netstream tcp-flag enable
Step 6 Verify the configuration.
# After the configurations, run the display ip netstream all command in the user view of the SPU to check the configurations.
<SPU> display ip netstream all
system
ip netstream export host 10.2.1.2 6000
ip netstream export source 10.2.1.1
ip netstream timeout inactive 100
ip netstream tcp-flag enable
XGigabitEthernet0/0/1
ip netstream inbound
----End
Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
vlan 100
#
interface Vlanif 100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
port hybrid pvid vlan 101
port hybrid tagged vlan 101
#
return
On the SPU:
#
sysname SPU
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
ip netstream timeout inactive 100
ip netstream tcp-flag enable
#
interface XGigabitEthernet0/0/2.2
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 22.22.22.1 255.255.255.0
arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
interface XGigabitEthernet0/0/1
ip netstream inbound
#
return
[Figure: networking diagram showing XGE4/0/0, XGE0/0/1, the NSC&NDA at 10.4.1.2/24, Switch C, Switch D, GigabitEthernet1/0/0 and GigabitEthernet2/0/0]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a reachable route between the user network and the access network.
2. Configure reachable routes between the access network and ISP 1, and between the access network and ISP 2.
3. Configure the NetStream function on the SPU of Switch B.
Data Preparation
To complete the configuration, you need the following data:
- BGP process ID
- IP address and port number of the NSC
- Packet sampling ratio
- Version number of exported packets
Procedure
Step 1 Set IP addresses for interfaces on Switch A and Switch B. The configuration procedure is not mentioned here.
Step 2 Configure the IGP route between Switch A and Switch B.
# Configure the dynamic route on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] ospf router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
Step 3 Set up dynamic BGP peer relations between Switch B and Switch C.
# Configure Switch B.
[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.2.1.2 as-number 65002
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit
# Configure Switch C
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] bgp 65002
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 10.2.1.1 as-number 65001
Step 4 Set up dynamic BGP peer relations between Switch B and Switch D.
# Configure Switch B.
[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.3.1.2 as-number 65003
[SwitchB-bgp] quit
# Configure Switch D
<Quidway> system-view
[Quidway] sysname SwitchD
Step 5 Configure the NetStream function on the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE
# Set the version number of exported packets for the aggregation traffic on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream aggregation as
[SPU-aggregation-as] enable
[SPU-aggregation-as] export version 9
[SPU-aggregation-as] ip netstream export host 10.4.1.2 6000
[SPU-aggregation-as] ip netstream export source 10.4.1.1
[SPU-aggregation-as] quit
# Configure NetStream on the inbound interface and set the packet sampling ratio on the SPU.
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound
[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit
[SPU] quit
Step 6 Verify the configuration.
# After successful configuration, run the display ip netstream all command in the user view of the SPU to check the configurations.
<SPU> display ip netstream all
ip netstream aggregation as
enable
export version 9
ip netstream export source 10.4.1.1
ip netstream export host 10.4.1.2 6000
XGigabitEthernet0/0/1
ip netstream inbound
ip netstream sampler fix-packets 100 inbound
----End
Configuration Files
Configuration file of Switch A.
#
sysname SwitchA
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
On the SPU:
#
sysname SPU
#
interface XGigabitEthernet0/0/2.2
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 22.22.22.1 255.255.255.0
arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream aggregation as
enable
export version 9
ip netstream export host 10.4.1.2 6000
ip netstream export source 10.4.1.1
#
interface xgigabitethernet 0/0/1
ip netstream sampler fix-packets 100 inbound
ip netstream inbound
#
return
import-route ospf 1
peer 10.3.1.1 enable
#
return
[Figure 6-4: networking diagram showing the user network, Switch A, Switch B and XGE0/0/1]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set IP addresses for interfaces on Switch A and Switch B.
2. Mirror the traffic on GE 1/0/0 of Switch B to the SPU.
3. Enable the Flexible NetStream feature on the SPU.
4. Enable the Flexible NetStream feature on GE1/0/0 of Switch B.
Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- Version of the exported packets
- Address and port number of the NSC and the source address contained in the packets
- Traffic statistics to be sent to the NSC
Procedure
Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-4. The configuration procedure is not mentioned here.
Step 2 Mirror the traffic on Switch B to the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE
Step 3 Enable the Flexible NetStream feature on the SPU.
# Create a record named test and enter the test view.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream record test
[SPU-record-test]
# Configure the SPU to send the inbound and outbound interface indexes in the test record to the NSC.
[SPU-record-test] collect interface input
[SPU-record-test] collect interface output
# Send the number of packets and bytes of the inbound and outbound traffic to the NSC.
[SPU-record-test] collect counter bytes
[SPU-record-test] collect counter packets
[SPU-record-test] quit
Step 4 Enable the Flexible NetStream feature on XGigabitEthernet0/0/1.
# Set the fixed-packets sampling ratio on XGigabitEthernet0/0/1 to 100.
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound
Step 5 Set the source address, destination port number, and destination address for exporting packets.
# Set the destination address and destination port number for exporting packets.
[SPU] ip netstream export host 10.2.1.2 6000
# After successful configurations, run the display ip netstream all command in the user view of the SPU to check the configurations.
<SPU> display ip netstream all
system
ip netstream export host 10.2.1.2 6000
ip netstream export source 10.2.1.1
XGigabitEthernet0/0/1
ip netstream inbound
ip netstream sampler fix-packets 100 inbound
port ip netstream record test
----End
Configuration Files
Configuration file of Switch A.
#
sysname SwitchA
#
vlan 100
#
interface Vlanif 100
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
On the MPU:
#
sysname SwitchB
#
vlan batch 100 to 101 200
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif 100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif 200
ip address 10.2.1.1 255.255.255.0
#
interface Vlanif 101
ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port hybrid pvid vlan 100
port hybrid untagged vlan 100
port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
port hybrid pvid vlan 101
port hybrid tagged vlan 101
#
return
On the SPU:
#
sysname SPU
#
interface XGigabitEthernet0/0/2.2
control-vid 101 dot1q-termination
dot1q termination vid 101
ip address 22.22.22.1 255.255.255.0
arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
#
interface XGigabitEthernet0/0/1
ip netstream sampler fix-packets 100 inbound
port ip netstream record test
ip netstream inbound
#
ip netstream record test
match ipv4 destination-address
match ipv4 destination-port
collect counter packets
collect counter bytes
collect interface input
collect interface output
#
return
7
About This Chapter
Load balancing is a cluster technology that balances particular services, such as network services and network traffic, among multiple links or network devices, for example, servers and firewalls. The load balancing technology improves the service processing capabilities of networks and ensures high reliability of services.
7.1 Load Balancing Overview
This section describes the background, classification, and basic concepts of load balancing.
7.2 Load Balancing Features Supported by the SPU
This section describes the load balancing features supported by the SPU and their implementation principles.
7.3 Configuring Egress Link Load Balancing
On a network with multiple ISP egresses, you can configure egress link load balancing so that links are selected dynamically and the reliability of services is improved.
7.4 Configuring Server Load Balancing
In networking where multiple servers are deployed, such as a data center, you can configure server load balancing to distribute network services among multiple servers for processing. In this manner, the service processing capabilities of the servers are improved.
7.5 Configuring Firewall Load Balancing
On a network where multiple firewalls exist, you can load balance network traffic among the firewalls in a group. In this manner, the burden on each single firewall is reduced and the network processing capability is improved.
7.6 Configuration Examples
This section provides several configuration examples. A configuration example includes the networking requirements, configuration roadmap, operation procedure, and configuration files.
Background
With the rapid development of the Internet, growing numbers of users and diversified services place high demands on network performance. To improve the overall performance of the network, the network bandwidth needs to be increased and the performance of network devices such as servers and firewalls needs to be enhanced. You can use high-performance servers or increase the link bandwidth to improve network performance, but much of that investment is wasted. To solve this problem, the load balancing technology is introduced. By running a load balancing algorithm, it evenly distributes services to multiple network devices or links so that the overall performance of the network is improved. The load balancing technology has the following advantages:
- High reliability
  When one or more network devices or links are faulty, the system automatically switches services to normal network devices or links so that services are not interrupted. This reduces network faults and improves the reliability of service processing.
- High performance
  The load balancing technology evenly distributes services to multiple network devices so that the processing capabilities of the network devices are integrated. These network devices function as one large network device. The capability of the system for processing services is thus improved.
- Extensibility
  By using the load balancing technology, you can add network devices or links to a group to meet the requirements of increasing services. In addition, the service quality is ensured.
Classification
The load balancing modes are classified based on different factors:
- Physical location: load balancing is classified into global and local load balancing.
  Local load balancing is performed among servers in a server group in the same physical location. Global load balancing is performed among server groups that are located in different physical locations and adopt different network structures. Global load balancing is applied to the following scenario: an enterprise or a group has server sites in multiple areas, and load balancing lets users access the nearest server through an IP address or a domain name so that they obtain the fastest access speed.
- Load balancing object: load balancing is classified into link load balancing, server load balancing, and firewall load balancing.
  Link load balancing indicates that load balancing is performed among different links.
  Server load balancing indicates that load balancing is performed among different servers. Firewall load balancing indicates that load balancing is performed among different firewalls.
- Load balancing technology: load balancing is classified into DNS-based load balancing and network-based load balancing.
  The DNS-based load balancing technology returns IP address lists in different orders and allocates user requests to different servers by setting the mapping between multiple IP addresses and one domain name on the Domain Name Server (DNS). The network-based load balancing technology provides services for users through a virtual IP address. Each network device has a real IP address; the load balancing device maintains the mapping between the virtual IP address and the real IP addresses and distributes services to the different network devices.
NOTE
This document introduces the configuration of load balancing based on the object.
Basic Concepts
- Load balancing
  Load balancing is a group technology that balances particular services, such as network services and network traffic, among multiple links or network devices, for example, servers and firewalls. This improves the service processing capability and ensures high reliability of services.
- Load balancing member
  A load balancing member is the entity that provides actual services for users and is configured on the load balancing device, for example, a server, a firewall, or a link.
- Load balancing group
  A load balancing group is a set of network devices or links that provide the same service for users. A set of servers is called a server group; a set of firewalls is called a firewall group; a set of links is called a link group.
- Load balancing member instance
  A load balancing member can join multiple load balancing groups, and the mapping between a load balancing member and a load balancing group is called a load balancing member instance. If the load balancing member is a server, the corresponding instance is called a server instance; if the load balancing member is a firewall, the corresponding instance is called a firewall instance; if the load balancing member is a link, the corresponding instance is called a link instance.
- VIP
  The virtual IP address (VIP) is used by the server and firewall load balancing technologies. Multiple servers or firewalls share one public IP address. Users access the servers or firewalls through the public IP address, while the servers or firewalls themselves use different internal IP addresses. The SPU distributes the traffic destined for the virtual IP address to each real server according to the load balancing policy.
- Load balancing algorithm
  The load balancing algorithm is used by the load balancing device to select the load balancing member that provides the best service for users. The SPU supports the following load balancing algorithms:
  - Weighted round robin (WRR) algorithm
    In the WRR algorithm, the SPU makes load balancing decisions according to the priorities and weights of load balancing members. The SPU selects load balancing members with higher priorities for providing services, and among them according to their weights: a load balancing member with a greater weight is selected with a greater probability and is allocated more services. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If no load balancing member with a higher priority can be used, the SPU selects a load balancing member among those with lower priorities, again according to the WRR algorithm. The WRR algorithm addresses differing performance among servers or differing bandwidth among links. It is applied to the scenario where the performance of servers in a server group differs or the bandwidth of links in a link group differs.
  - Least connection algorithm
    In practice, the SPU uses a weighted least connection algorithm. In the least connection algorithm, the SPU makes load balancing decisions according to the priority, weight, and number of active connections of a load balancing member. The SPU selects load balancing members with higher priorities for providing services, and among them prefers the member with the smallest number of active connections relative to its weight. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If no load balancing member with a higher priority can be used, the SPU selects a load balancing member among those with lower priorities, again according to the weighted least connection algorithm. The least connection algorithm smoothly distributes connection requests whose durations differ greatly to each server or link. It is applied to the scenario where the performance of servers in a server group differs or the bandwidth of links in a link group differs, and the durations of the connections initiated by different users differ greatly.
  - Hash algorithm based on the IP address
    In the hash algorithm based on the IP address, the SPU hashes the source IP address, the destination IP address, or the source and destination IP addresses, and makes load balancing decisions according to the hash value. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If the load balancing member cannot be used, the SPU selects the next load balancing member according to the hash value. The hash algorithm can map the following requests to the same server or link:
    - Requests with the same source IP address
    - Requests with the same destination IP address
    - Requests with the same source and destination IP addresses
    - Requests whose source IP addresses are located in the same network segment
    - Requests whose destination IP addresses are located in the same network segment
Requests whose source and destination IP addresses are located in the same network segment
The hash algorithm is applied to the scenario where requests from a user are distributed to the same server or link, and is also applied to server load balancing. It is applied to the scenario where all requests from a user are distributed to a server or a link. It is also applied to firewall load balancing.
Hash algorithm based on the HTTP URL In the hash algorithm based on the HTTP URL, the SPU hashes the URL carried in HTTP request packets and makes load balancing decisions according to the hash value. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If the load balancing member cannot be used, the SPU selects the next load balancing member according to the hash value.
Health detection Health detection indicates that the load balancing device periodically detects the service status of real servers or links to collect corresponding information and isolate abnormal servers or links. The SPU can detect whether servers or links run normally.
Session stickiness Session stickiness indicates that connection requests of a user in a period are sent to the same server for processing.
Firewall load balancing
Building on load balancing of network devices, firewall load balancing ensures that the bidirectional traffic of a session passes through the same firewall. Firewall load balancing has the following characteristics:
- Reduces or even removes the firewall bottleneck, enhancing the performance and extensibility of the network
- Enhances firewall availability and network security
Firewall load balancing is classified into standard firewall load balancing and transparent firewall load balancing.
By using the dynamic load balancing algorithm, multiple egress links share the traffic. The algorithm is easily configured and adapts to changes in the network structure, which solves the preceding problem. Figure 7-1 shows the typical networking of egress link load balancing.
Figure 7-1 Typical networking of egress link load balancing
[Figure 7-1 labels: Enterprise network, Switch, RouterA/ISP1, RouterB/ISP2, RouterC/ISP3, IP Network, Server on the external network]
As shown in Figure 7-1, Switch is the load balancing device and distributes the traffic sent from the internal network to the external network over multiple links. One ISP gateway corresponds to one link. The egress link load balancing process is as follows:
1. Users on the internal network send requests to servers on the external network.
2. When the request packets pass through Switch, Switch selects a link according to the configured load balancing algorithm, weights, priorities, and inbound/outbound bandwidth limits, and forwards the request packets over the selected link.
3. After receiving the response packets from the servers on the external network, Switch forwards them to the users on the internal network.
The egress link load balancing supported by the SPU has the following characteristics:
- Load balancing algorithm: It supports the WRR algorithm, the least connection algorithm, and the hash algorithm based on the IP address.
- Link bandwidth threshold: The link bandwidth threshold can be set for inbound or outbound traffic. When the bandwidth threshold, or the configured percentage of the bandwidth limit, is exceeded, the load balancing device no longer selects that ISP link for new traffic.
- Link health detection: After an Internet Control Message Protocol (ICMP) probe is configured on the SPU, the SPU periodically sends probing packets to the link gateway to detect the connectivity between the nodes along the link.
- Forwarding mode: The forwarding mode can be DNAT or DMAC in server load balancing. In egress link load balancing, the SPU supports the redirection mode.
Server load balancing in DNAT mode In DNAT mode, the networking is flexible. The backup servers can be located in different physical positions and on different LANs. Figure 7-2 shows the typical networking.
Figure 7-2 Typical networking of server load balancing in DNAT mode
[Figure 7-2 labels: Host, IP Network, ServerA (IPA), ServerC (IPC)]
As shown in Figure 7-2, multiple servers provide services through one virtual IP address. Switch functions as the load balancing device and allocates user requests to the servers. The process of server load balancing in DNAT mode is as follows:
1. Users send requests to the virtual IP address.
2. Switch classifies the packets at Layer 3 or Layer 7 according to service traffic features and selects a load balancing group. Switch then selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, uses NAT to replace the destination IP address of the request packets with the IP address of the real server, and sends the request packets to the real server.
3. The real server sends the response packets to Switch through a route. Before returning the response packets to the users, Switch changes their source IP address back to the virtual IP address. The load balancing process is complete.
Server load balancing in DMAC mode
In DMAC mode, only the request packets of users pass through the load balancing device; the response packets of the servers do not. This reduces the load on the load balancing device and prevents it from becoming a bottleneck. Figure 7-3 shows the typical networking.
Figure 7-3 Typical networking of server load balancing in DMAC mode
[Figure 7-3 labels: Host, IP Network, SwitchA, SwitchB, VIP, ServerA (IPA), ServerB (IPB), ServerC (IPC)]
As shown in Figure 7-3, multiple servers provide services through one virtual IP address. Switch A functions as the load balancing device and allocates user requests to the servers. Switch B functions as a common switch and forwards user requests to the load balancing device and returns the response packets of the servers to the users. The process of server load balancing in DMAC mode is as follows:
1. Users send requests to Switch B.
2. Switch B forwards the received request packets to Switch A.
3. After receiving the request packets, Switch A classifies them at Layer 3 or Layer 7 according to service traffic features and selects a load balancing group. Switch A then selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, replaces the destination MAC address of the request packets with the MAC address of the real server (the destination IP address remains the virtual IP address), and sends the request packets to the real server.
4. The real server sends the response packets to Switch B, and Switch B sends them to the users. The load balancing process is complete.
The server load balancing supported by the SPU has the following characteristics:
- Load balancing algorithm: It supports the WRR algorithm, the least connection algorithm, the hash algorithm based on the IP address, and the hash algorithm based on the URL in HTTP packets.
- Server health detection: You can configure different probes on the load balancing device to detect the health status of servers according to the services they provide. Currently, the SPU supports ICMP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and HTTP probes.
- Forwarding mode: In server load balancing, the SPU supports DNAT and DMAC modes.
- Session stickiness: Session stickiness means that multiple connections of one application layer session are directed to the same server. Server load balancing supported by the SPU can identify users and send the same type of requests from a user to one server for processing, meeting the requirement, common in e-commerce, that the multiple connections of a user's session are processed by one server.
- Active/Standby switchover between servers: When the selected server is Down, the SPU can switch user requests to an available backup server so that user request packets are still forwarded. This ensures high reliability of services. When the master server is unavailable, the SPU randomly selects an available backup server from the backup servers. If all the backup servers are unavailable, the SPU sends user requests to another master server. Users are unaware of the active/standby switchover between servers.
- Active/Standby switchover between server groups: The SPU supports active/standby switchover between servers and between server groups.
  - If the threshold for the master server group to remain active and the threshold for switching services from the master server group to the backup server group are set: when the percentage of active servers in the master server group is smaller than or equal to the threshold for the master server group to remain active and the backup server group has active servers, the SPU switches user requests to the backup server group. When the percentage of active servers in the original master server group becomes greater than the threshold for switching services from the master server group to the backup server group, the master server group resumes providing services.
  - If the two thresholds are not specified: when all the servers in the master server group are faulty, the SPU switches user requests to the backup server group automatically. When a server in the master server group becomes active again, the SPU switches user requests back to the master server group.
- Server protection: The SPU protects servers by limiting the connection quantity of a server or server instance, the connection rate, and the inbound/outbound bandwidth.
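The threshold logic of the active/standby switchover between server groups is easier to see in code. The following Python model is an added illustration, not the SPU's implementation; the class and attribute names, the 4-server master group, and the 2-server backup group are assumptions. It applies the two thresholds with the hysteresis described above (switch away at or below the first threshold, switch back only above the second) and falls back to whole-group failure when no thresholds are specified.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str
    active: bool = True


@dataclass
class ServerGroup:
    name: str
    servers: List[Server]

    def active_percent(self) -> float:
        if not self.servers:
            return 0.0
        return 100.0 * sum(s.active for s in self.servers) / len(self.servers)

    def has_active(self) -> bool:
        return any(s.active for s in self.servers)


class GroupSwitchover:
    """Model (assumed names) of the active/standby switchover between server
    groups. remain_threshold is the page's 'threshold for the master server
    group to remain active'; switch_threshold is its 'threshold for switching
    services from the master server group to the backup server group', which
    the page applies when returning traffic to the master group. Both None
    means the thresholds are not specified."""

    def __init__(self, master: ServerGroup, backup: ServerGroup,
                 remain_threshold: Optional[float] = None,
                 switch_threshold: Optional[float] = None):
        self.master = master
        self.backup = backup
        self.remain_threshold = remain_threshold
        self.switch_threshold = switch_threshold
        self.serving = master   # group currently receiving user requests

    def evaluate(self) -> ServerGroup:
        """Re-run the switchover decision after server states have changed."""
        pct = self.master.active_percent()
        if self.remain_threshold is None or self.switch_threshold is None:
            # Thresholds not specified: only a fully failed master group moves
            # traffic away; any master server coming back moves it home.
            if self.serving is self.master and not self.master.has_active():
                self.serving = self.backup
            elif self.serving is self.backup and self.master.has_active():
                self.serving = self.master
        else:
            if (self.serving is self.master and pct <= self.remain_threshold
                    and self.backup.has_active()):
                self.serving = self.backup
            elif self.serving is self.backup and pct > self.switch_threshold:
                self.serving = self.master
        return self.serving


if __name__ == "__main__":
    # Constructed sample: 4 master servers, 2 backup servers, thresholds 50/75.
    master = ServerGroup("master", [Server(f"m{i}") for i in range(1, 5)])
    backup = ServerGroup("backup", [Server("b1"), Server("b2")])
    sw = GroupSwitchover(master, backup, remain_threshold=50, switch_threshold=75)
    master.servers[0].active = False
    master.servers[1].active = False
    print(sw.evaluate().name)        # backup: 50% active is at the remain threshold
    master.servers[1].active = True
    print(sw.evaluate().name)        # still backup: 75% is not above 75%
```

The gap between the two thresholds is what keeps a group that hovers around one value from flapping; setting them equal removes that protection.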
[Figure 7-4 labels: HostA, IP Network, SwitchA, FirewallB, SwitchB, IP Network, HostB]
As shown in Figure 7-4, Switch A and Switch B function as load balancing devices and distribute user request traffic to multiple firewalls. Load balancing devices are classified into level-1 and level-2 load balancing devices. The level-1 device load balances traffic across the firewalls, and the level-2 device ensures that the inbound and outbound traffic traverses the same firewall. In Figure 7-4, if traffic is sent from Host A to Host B, Switch A is the level-1 load balancing device and Switch B is the level-2 load balancing device; if traffic is sent from Host B to Host A, Switch B is the level-1 device and Switch A is the level-2 device. The firewall load balancing process is as follows:
1. Host A sends a request to Host B.
2. After receiving the request packet from Host A, Switch A selects a firewall (assume Firewall A) according to the load balancing algorithm and forwards the request packet to Firewall A.
3. Firewall A forwards the request packet to Switch B.
4. As the level-2 load balancing device, Switch B records the firewall that forwarded the request packet and forwards the request packet to the destination (Host B in Figure 7-4).
5. After receiving the response packet from Host B, Switch B forwards the response packet to Firewall A according to the record.
6. Firewall A forwards the response packet to Switch A, and Switch A returns the response packet to Host A.
According to different networking modes, firewalls are classified into standard firewalls and transparent firewalls.
- Standard firewall: Each standard firewall, like a server, has an IP address and can be detected by other devices on the network, as shown in Figure 7-5.
[Figure 7-5 (standard firewall load balancing) labels: HostA, IP Network, SwitchA, VIP 10.10.10.1, FirewallA, FirewallB, 10.10.10.2, 10.10.11.2, 10.10.11.1, SwitchB, IP Network, HostB]
- Transparent firewall: Transparent firewalls have no IP addresses and cannot be detected by other devices on the network. They are connected to the level-1 and level-2 load balancing devices, as shown in Figure 7-6.
Figure 7-6 Networking of transparent firewall load balancing
[Figure 7-6 labels: HostA, IP Network, SwitchA, VIP 10.10.10.1, FirewallA, FirewallB, 10.10.20.1, 10.10.21.1, 10.10.11.1, SwitchB, IP Network, HostB]
In actual applications, firewall load balancing is used together with server load balancing. Figure 7-7 shows the typical networking.
Figure 7-7 Networking for combining firewall load balancing and server load balancing
[Figure 7-7 labels: HostA, IP Network, SwitchA, FirewallA, SwitchB, VIP, ServerA (IPA), ServerB (IPB)]
The process of combined load balancing is actually the combination of firewall load balancing and server load balancing. The combined load balancing prevents the firewalls from being the bottleneck on the network and improves the performance and availability of network services such as HTTP.
7.3.13 Checking the Configuration
After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
Applicable Environment
On a network where an enterprise leases two or more ISP egresses through which users on the private network access the public network, you can configure egress link load balancing. When an enterprise user accesses the external network, the SPU selects a link according to the priorities, weights, or bandwidths of the egress links. In this manner, the egress links are used efficiently, the reliability risk of a single egress fault is reduced, and the access problems caused by insufficient bandwidth are solved.
Pre-configuration Tasks
Before configuring egress link load balancing, complete the following tasks:
- Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Setting network layer parameters for the interfaces and ensuring that the routes between devices are available
- Performing the task of 2 SPU Pre-Configuration
Data Preparation
To configure egress link load balancing, you need the following data.
No. Data
1 (Optional) NAT address pool index and network segment
2 Name, type, and related parameters of the probe
3 Name and related parameters of the link, including the description (optional), ISP gateway IP address, priority (optional), weight (optional), and bandwidth (optional)
4 Name and parameters of the link group, including the description, load balancing algorithm, forwarding mode, action performed when the member fails, threshold for switching services from the master server group to the backup server group, probe bound to the server group, member, and NAT address pool index of the member instance
5 Parameters of the Layer 7 classifier, including the classifier name and matching rule
6 Name and parameters of the load balancing action profile, including the description and action
7 Parameters of the advanced ACL, including the ACL number and matching rule
8 Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
9 (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
10 Parameters of the load balancing policy, including the load balancing policy name and the Layer 3 classifier bound to the load balancing policy
11 Object where the load balancing policy is applied (type and number of an interface)
Context
The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.
Procedure
Step 1 Run:
system-view
A NAT address pool is configured. Up to 1024 NAT address pools can be configured. By default, no NAT address pool is configured. The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.
- If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool.
- After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address to be assigned to the outbound interface is the same as an IP address in the NAT address pool, the system reports that the IP address cannot be set.
----End
Context
In egress link load balancing, the SPU detects the link status through an ICMP probe. The ICMP probe sends ICMP Echo Request packets to the ISP gateway at the probing interval. When a link group is bound to only one probe, the health status of a link member is determined as follows:
- If the link member is Down, the probe sends probing packets at the interval specified by fail-interval interval. If the probe receives responses from the ISP gateway within the timeout interval for the consecutive number of times specified by fail-retrycount times, it marks the link member Up. Otherwise, the link member remains Down.
- If the link member is Up, the probe sends probing packets at the interval specified by interval interval. If the probe fails to receive a response from the ISP gateway within the timeout interval for the consecutive number of times specified by retry-count times, it marks the link member Down. Otherwise, the link member remains Up.
When a link group is bound to multiple probes, the health status of a link member is determined as follows:
- fail-on-all: the link member is considered Down only when all the probes bound to the link group detect that it is Down.
- fail-on-one: the link member is considered Down when any probe bound to the link group detects that it is Down.
Procedure
Step 1 Run:
system-view
The IP address of a sub-interface is obtained and used as the source IP address of probing packets of a probe. The interface type can be XGE sub-interface, loopback interface, or Eth-Trunk sub-interface.
NOTE
- When running the load-balance ip interface command, you can select the specified interface only if an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface has been created.
- A probe does not send probing packets if the specified interface is not configured with an IP address.
Step 3 Run:
load-balance probe probe-name icmp
An ICMP probe is created and the ICMP probe view is displayed. When creating a probe, you must specify the probe type. When you enter the view of the created probe, you can choose not to specify the probe type. Up to 1024 probes can be created. By default, an ICMP probe is not configured. Step 4 (Optional) Run:
description description
The description of a probe is configured. By default, no description is configured for a probe. Step 5 (Optional) Run:
interval interval
The probing interval of a probe is set. The probing interval of a probe indicates the interval for sending probing packets to detect the health status of a link. The probing interval of a probe must be greater than the timeout interval of a probe. By default, the probing interval of a probe is 15s. Step 6 (Optional) Run:
time-out time-out
The timeout interval of a probe is set. The timeout interval of a probe must be smaller than the probing interval of a probe and the interval for a probe to detect that a server member is Down. By default, the timeout interval of a probe is 10s. Step 7 (Optional) Run:
retry-count times
The retry count used while a link member is Up is set. By default, the retry count is 3 when a link member is Up. Step 8 (Optional) Run:
fail-interval interval
The interval for a probe to detect that a link member is Down is set. After the link becomes invalid, the SPU sends probing packets at this interval to detect link recovery. This interval must be greater than the timeout interval of a probe. By default, the interval for a probe to detect that a link member is Down is 60s. Step 9 (Optional) Run:
fail-retrycount times
The retry count for a probe to detect link recovery is set. By default, the retry count for a probe to detect link recovery is 3. ----End
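The following Python model, added as an illustration and not part of the original document or the SPU software, ties together the probe context above and the defaults of this procedure: it checks the two constraints the page states (time-out smaller than interval and smaller than fail-interval), runs the Up/Down state machine driven by retry-count, fail-interval, and fail-retrycount, and combines the verdicts of several probes under fail-on-one and fail-on-all. The class names and the per-cycle `observe` interface are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProbeConfig:
    """ICMP probe timers; the defaults are the page's defaults (seconds)."""
    interval: int = 15          # probing interval while the link member is Up
    time_out: int = 10          # how long to wait for a reply
    retry_count: int = 3        # consecutive misses that mark the member Down
    fail_interval: int = 60     # probing interval while the member is Down
    fail_retrycount: int = 3    # consecutive replies that mark the member Up


def validate(cfg: ProbeConfig) -> List[str]:
    """Constraints stated on the page: time-out < interval and time-out < fail-interval."""
    problems = []
    if not cfg.time_out < cfg.interval:
        problems.append("time-out must be smaller than interval")
    if not cfg.time_out < cfg.fail_interval:
        problems.append("time-out must be smaller than fail-interval")
    return problems


class LinkProbe:
    """Up/Down state of one link member as seen by one probe (assumed model)."""

    def __init__(self, cfg: ProbeConfig, up: bool = True):
        self.cfg = cfg
        self.up = up
        self.streak = 0   # consecutive misses while Up, consecutive replies while Down

    def next_send_interval(self) -> int:
        return self.cfg.interval if self.up else self.cfg.fail_interval

    def observe(self, replied: bool) -> bool:
        """Record one probe cycle: replied is True if the gateway answered within time-out.
        Returns the member state after this cycle."""
        if self.up:
            if replied:
                self.streak = 0
            else:
                self.streak += 1
                if self.streak >= self.cfg.retry_count:
                    self.up, self.streak = False, 0
        else:
            if replied:
                self.streak += 1
                if self.streak >= self.cfg.fail_retrycount:
                    self.up, self.streak = True, 0
            else:
                self.streak = 0
        return self.up


def member_state(probe_results: List[bool], mode: str) -> bool:
    """Combine the Up (True) / Down (False) verdicts of several probes bound to one link group."""
    if mode == "fail-on-one":
        return all(probe_results)    # any Down verdict takes the member Down
    if mode == "fail-on-all":
        return any(probe_results)    # Down only when every probe says Down
    raise ValueError(f"unknown probe mode {mode!r}")


if __name__ == "__main__":
    cfg = ProbeConfig()
    print(validate(cfg) or "probe timers consistent")
    probe = LinkProbe(cfg)
    for reply in (False, False, False, True, True, True):   # constructed cycle results
        print("reply" if reply else "miss ", "->", "Up" if probe.observe(reply) else "Down",
              "next probe in", probe.next_send_interval(), "s")
```

With the defaults a link is declared Down after three consecutive misses (45 s of silence at most) and, once Down, is probed only once a minute, so recovery takes at least three minutes; the validator catches the common mistake of lowering interval below the 10 s time-out.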
Procedure
Step 1 Run:
system-view
A link is created and the load balancing member view is displayed. Up to 1024 links can be created. By default, no link is configured. Step 3 (Optional) Run:
description text
The description of a link is configured. By default, no description is configured for a link. Step 4 Run:
ip address ip-address
The IP address of the gateway corresponding to the link is set. By default, the IP address of the gateway corresponding to the link is not set. Step 5 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the link are set. After selecting a link through the load balancing algorithm, the system compares the used bandwidth and the connection rate with the bandwidth limit and connection rate limit. If the bandwidth limit or the connection rate limit is reached, the system does not select the link. By default, the connection rate of a link is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%. Step 6 (Optional) Run:
priority level
The priority of the link is set. A greater value of level represents a higher priority, so the link is selected with a greater probability.
The weight of the link is set. By default, the weight of a link is 8. ----End
Procedure
Step 1 Run:
system-view
A link group is created and the link group view is displayed. Up to 1024 load balancing groups can be created, including link groups, server groups, and firewall groups. By default, no link group is configured. Step 3 Run:
probe probe-name
A probe is bound to the link group. By default, no probe is bound to a link group. Before running this command, you must run the load-balance probe probe-name [ icmp | tcp | udp | http ] command to create the probe. Step 4 Run:
probe-mode { fail-on-all | fail-on-one }
The probe mode is set. By default, the probe mode is fail-on-one. In fail-on-one mode, the S9300 considers a link invalid when any probe detects that the link is Down. In fail-on-all mode, the S9300 considers a link invalid only when all the probes detect that the link is Down. Step 5 Run:
forward-mode redirect
The packet forwarding mode is set to redirection. In egress link load balancing, the packet forwarding mode must be set to redirection. In redirection mode, the SPU forwards internal enterprise user traffic through the device egress corresponding to the link gateway.
Issue 02 (2010-07-15) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 7-19
The load balancing algorithm of the link group is set. In egress link load balancing, only the WRR algorithm, the least connection algorithm, and the hash algorithm based on the IP address are supported.
A link is added to the link group and the link instance view is displayed. Step 8 (Optional) Run:
member port port-number
The port number of a load balancing member instance is configured. By default, the port number of a load balancing member instance is not configured. When the load balancing member instance is in inservice or inservice standby state, you cannot configure the port number. Step 9 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the link instance are set. When a bandwidth limit, connection rate limit, or bandwidth threshold is set on both a link instance and its link, both values take effect. For example, a link has a bandwidth limit of 200 kbit/s and carries link instance A (limit 200 kbit/s) and link instance B (limit 100 kbit/s). When selecting a link, the S9300 checks the limits of both the link instance and the link, so the total bandwidth used by link instances A and B cannot exceed the bandwidth limit of the link. By default, the connection rate of a link instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%. Step 10 (Optional) Run:
priority level
The priority of the link instance is set. When the priorities of a link instance and a link are set simultaneously, the priority of the link instance takes effect. If the priority of the link instance is not set, the SPU uses the priority of the link. If the priority of the link is not set, the SPU adopts the default value.
NOTE
The link priority is only valid for the WRR algorithm and the least connection algorithm.
The weight of the link instance is set. When the weights of a link instance and a link are set simultaneously, the weight of the link instance takes effect. If the weight of the link instance is not set, the SPU uses the weight of the link. If the weight of the link is not set, the SPU adopts the default value.
NOTE
The weight is only valid for the WRR algorithm and the least connection algorithm.
A NAT address pool is bound to the link instance for translating source IP addresses. no-pat indicates that PAT is not performed, that is, only the IP address of packets is translated and the port number is not. When source NAT is enabled in both a link instance and a Layer 3 classifier, the configuration in the link instance takes effect. By default, source NAT is disabled in a link instance. Step 13 Run:
inservice
The link instance is brought into service.
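The combined effect of a link's rate-limit and a link instance's rate-limit (Step 9 above) is shown by the following Python model, added here as an illustration and not taken from the SPU. It reproduces the page's example of a 200 kbit/s link carrying instance A (200 kbit/s) and instance B (100 kbit/s), and also applies the bandwidth threshold percentage and the connection rate limit. Names such as `Link`, `LinkInstance`, and `can_take_new_traffic` are assumptions; the connection rate is modelled as a plain per-instance count.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RateLimit:
    """Values of the rate-limit command. Defaults are the page's defaults:
    1000000 kbit/s bandwidth, 100% threshold, connection rate not limited."""
    bandwidth_kbps: int = 1_000_000
    threshold_pct: int = 100
    connection_rate: Optional[int] = None

    def bandwidth_cap(self) -> int:
        # new traffic is accepted only while usage is below this share of the limit
        return self.bandwidth_kbps * self.threshold_pct // 100


@dataclass
class LinkInstance:
    name: str
    limit: RateLimit = field(default_factory=RateLimit)
    used_kbps: int = 0        # current bandwidth use (constructed counters)
    conn_rate: int = 0        # current new-connection rate (constructed counters)


@dataclass
class Link:
    name: str
    limit: RateLimit = field(default_factory=RateLimit)
    instances: List[LinkInstance] = field(default_factory=list)

    def used_kbps(self) -> int:
        return sum(i.used_kbps for i in self.instances)

    def conn_rate(self) -> int:
        return sum(i.conn_rate for i in self.instances)


def can_take_new_traffic(link: Link, inst: LinkInstance) -> bool:
    """Page rule: when limits are set on both the instance and the link, both take
    effect, so an instance is selectable only if neither its own cap nor the
    shared link cap has been reached."""
    if inst.used_kbps >= inst.limit.bandwidth_cap():
        return False
    if link.used_kbps() >= link.limit.bandwidth_cap():
        return False
    if inst.limit.connection_rate is not None and inst.conn_rate >= inst.limit.connection_rate:
        return False
    if link.limit.connection_rate is not None and link.conn_rate() >= link.limit.connection_rate:
        return False
    return True


def selectable_instances(link: Link) -> List[str]:
    return [i.name for i in link.instances if can_take_new_traffic(link, i)]


def page_example(used_a: int, used_b: int) -> List[str]:
    """The page's worked case: link limit 200 kbit/s, instance A 200, instance B 100."""
    link = Link("ISP1", RateLimit(bandwidth_kbps=200))
    link.instances = [
        LinkInstance("A", RateLimit(bandwidth_kbps=200), used_kbps=used_a),
        LinkInstance("B", RateLimit(bandwidth_kbps=100), used_kbps=used_b),
    ]
    return selectable_instances(link)


if __name__ == "__main__":
    print(page_example(50, 50))     # both instances selectable
    print(page_example(50, 100))    # B reached its own 100 kbit/s limit
    print(page_example(150, 50))    # link total 200 reached: A blocked although under its own cap
```

The third case is the one the page is warning about: instance A is within its own 200 kbit/s limit, yet it receives no new traffic because the link's 200 kbit/s is already consumed by A and B together.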
Context
On the SPU, Layer 7 classification indicates that packets are classified based on URLs of Layer 7 services. In egress link load balancing, the matching rule of a Layer 7 classifier must be set to any.
Procedure
Step 1 Run:
system-view
A Layer 7 classifier is created and the Layer 7 classifier view is displayed. By default, no Layer 7 classifier is configured. When you create a Layer 7 classifier, if neither and nor or is specified, the default matching mode is and. In egress link load balancing, the matching rule of a Layer 7 classifier can only be match any, so any packet is matched regardless of whether the matching mode is and or or.
NOTE
When you enter the Layer 7 classifier view, you can specify and or or. The specified matching mode must be the same as the one used when the Layer 7 classifier is created.
The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched. After the matching rule is set to any, the load balanced traffic is processed at Layer 3 and Layer 4 only, so the Layer 7 load balancing algorithms, including the hash algorithm based on the URL, cannot be configured. By default, the matching rule of a Layer 7 classifier is any. ----End
Procedure
Step 1 Run:
system-view
A load balancing action profile is created and the load balancing action profile view is displayed. Step 3 Run one of the following commands as required:
- drop
- forward
- group master-group-name [ backup backup-group-name ]
- stickygroup stickygroup-name
The stickygroup command sets the action to the sticky operation. By default, the action is forward. ----End
Context
In egress link load balancing, the SPU can use only the source IP address, destination IP address, protocol type, source port number and destination port number to define ACL rules.
Procedure
Step 1 Run:
system-view
An ACL is created and the ACL view is displayed. In egress link load balancing, the value of number ranges from 3000 to 3999. That is, advanced ACLs are used. A Layer 3 classifier can be bound to only one ACL. If the ACL is configured repeatedly, the latest ACL takes effect. By default, no ACL is created. Step 3 (Optional) Run:
step step-value
The step between ACL rule IDs is set. By default, the step between ACL rule IDs is 5. Step 4 Run the following command as required:
- When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
undo rule rule-id
- When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *
- When the parameter protocol is specified as a protocol other than TCP, UDP, or ICMP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
undo rule rule-id
Context
To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, set the aging time so that TCP or UDP traffic forwarding entries that have been idle for a long time are aged out periodically.
Procedure
Step 1 Run:
system-view
A connection parameter profile is created and the connection parameter profile view is displayed. Up to 1024 connection parameter profiles can be created. By default, no connection parameter profile is created. Step 3 Run:
tcp aging-time aging-time
The aging time of the TCP traffic forwarding table is set. By default, the aging time of the TCP traffic forwarding table is 3600s. Step 4 Run:
udp aging-time aging-time
The aging time of the UDP traffic forwarding table is set. By default, the aging time of the UDP traffic forwarding table is 120s. ----End
Procedure
Step 1 Run:
system-view
A Layer 3 classifier is created and the Layer 3 classifier view is displayed. By default, no Layer 3 classifier is created. Step 3 Run:
if-match acl acl-number
An ACL is bound to the Layer 3 classifier. A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run for multiple times in the same Layer 3 classifier view, the latest configuration takes effect. By default, no ACL is bound to a Layer 3 classifier. Step 4 Run:
l7classifier l7classifier-name action action-name
The Layer 7 classifier and action are bound to the Layer 3 classifier. The SPU first matches packets with the ACL in a Layer 3 classifier, and then matches packets with the rule in a Layer 7 classifier. By default, a Layer 3 classifier is not bound to any Layer 7 classifier and action. Step 5 (Optional) Run:
icmp-reply
The SPU is configured to respond to ping requests of users. In egress link load balancing, if the SPU is required to respond to ping requests of users, you need to run the icmp-reply command.
NOTE
- If the SPU is required to respond to ping requests of users, the ping request packets must match the ACL in the Layer 3 classifier.
- If the ACL in the Layer 3 classifier matches any source and destination IP address, the SPU responds to any ping request of users. In this case the ACL provides no restriction, so configure the ACL in a Layer 3 classifier with caution.
By default, the SPU does not respond to ping requests of users. Step 6 (Optional) Run:
parameter connection profile-name
A connection parameter profile can be bound to one or more Layer 3 classifiers. By default, no connection parameter profile is bound to a Layer 3 classifier. Step 7 (Optional) Run:
nat outbound address-group number [ no-pat ]
An NAT address pool is bound to the Layer 3 classifier. no-pat indicates that PAT is not performed. That is, only the source IP address of packets is translated through NAT; the source port number is not translated. An NAT address pool takes effect only after being bound to a Layer 3 classifier or a link instance. If an NAT address pool is bound to both a Layer 3 classifier and a link instance, the NAT address pool bound to the link instance takes effect. An NAT address pool can be bound to multiple Layer 3 classifiers, but the same processing mode must be used. That is, if an NAT address pool is bound to a Layer 3 classifier in no-pat mode, other Layer 3 classifiers must be bound to the NAT address pool in no-pat mode rather than in pat mode. By default, no NAT address pool is bound to a Layer 3 classifier.
----End
Procedure
Step 1 Run:
system-view
A load balancing policy is created and the load balancing policy view is displayed. Up to 1024 load balancing policies can be created. By default, no load balancing policy is configured.
Step 3 Run:
l3classifier l3classifier-name
A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications. By default, no Layer 3 classifier is bound to a load balancing policy.
----End
Context
A load balancing policy can be applied to only XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.
Procedure
Step 1 Run:
system-view
The load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface. After the load balancing policy is applied, the SPU takes the actions defined in the load balancing policy for the VLAN packets on the sub-interface that match a Layer 3 classifier bound to the load balancing policy. By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.
Step 4 (Optional) Run:
service load-balance arp-response nat address-group group-index
The NAT address pool is enabled to respond to ARP requests on the sub-interface. By default, an NAT address pool is not enabled to respond to ARP requests on a sub-interface. When the NAT address pool is used for source IP address translation, if the IP address of the outbound interface of the SPU is in the same network segment as any IP address of the NAT address pool, you need to run the service load-balance arp-response nat address-group group-index command on the outbound interface. If the service load-balance arp-response nat address-group group-index command is not used on the outbound sub-interface, the NAT address pool cannot respond to ARP requests on the outbound sub-interface. Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.
----End
Procedure
- Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.
- Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.
- Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.
- Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.
- Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.
- Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.
- Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.
- Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.
- Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.
- Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.
----End
7.4.6 (Optional) Configuring Session Stickiness
Session stickiness indicates that multiple connections of a session are directed to the same server in a specified period. In this case, the SPU does not make load balancing decisions.
7.4.7 Configuring a Layer 7 Classifier
This section describes how to create a Layer 7 classifier and configure a matching rule.
7.4.8 Configuring a Load Balancing Action
This section describes how to create a load balancing action profile and specify an action.
7.4.9 Configuring an ACL
This section describes how to configure an ACL to identify the traffic of various services.
7.4.10 (Optional) Configuring a Connection Parameter Profile
This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.
7.4.11 (Optional) Configuring an HTTP Parameter Profile
This section describes how to configure an HTTP parameter profile and set related parameters for processing HTTP packets, including the maximum parsing length and the functions of per-packet rebalance.
7.4.12 Configuring a Layer 3 Classifier
This section describes how to create a Layer 3 classifier and configure a matching rule.
7.4.13 Configuring a Load Balancing Policy
This section describes how to create a load balancing policy and bind the Layer 3 classifier to the load balancing policy.
7.4.14 Applying the Load Balancing Policy
A load balancing policy takes effect only after being applied.
7.4.15 Checking the Configuration
After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
Applicable Environment
In networking such as a data center, a server needs to process a large number of user requests. The processing capability of a single server is limited and is bound to become the bottleneck. By using server load balancing, you can properly distribute network services to multiple servers for processing. This reduces the burden on a single server, improves the service processing capability, and ensures the high reliability of services. To upgrade the network or improve server performance, you simply need to add servers to a server group, without changing the current network structure or stopping existing services.
Pre-configuration Tasks
Before configuring server load balancing, complete the following tasks:
- Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Setting network layer parameters for the interfaces and ensuring that the routes between devices are available
- Performing the task of 2 SPU Pre-Configuration
Data Preparation
To configure server load balancing, you need the following data.
No. Data
1 (Optional) NAT address pool index and network segment
2 (Optional) Name, type, and related parameters of the probe
3 Name and related parameters of the server, including the description, server IP address, weight, and bandwidth
4 Name and related parameters of the server group, including the description, load balancing algorithm, forwarding mode, action when the server group fails, threshold for switching the master server group to the backup server group, bound probe, member, member instance port number, and NAT address pool index
5 (Optional) Name and related parameters of the sticky group, including the description, aging time, and static sticky entries
6 Related parameters of the Layer 7 classifier, including the classifier name and matching rule
7 Name and related parameters of the load balancing action profile, including the description and action
8 Related parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule
9 Related parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
10 (Optional) Name and related parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
11 (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the functions of per-packet rebalance
12 Related parameters of the load balancing policy, including the load balancing policy name and bound Layer 3 classifier
13 Object that the load balancing profile is applied to
Context
The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.
Procedure
Step 1 Run:
system-view
An NAT address pool is configured. Up to 1024 NAT address pools can be configured. By default, no NAT address pool is configured. The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.
- If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool. After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address that is to be assigned to the outbound interface is the same as an IP address in the NAT address pool, the system displays a message that the IP address cannot be set.
----End
Context
When a server group is bound to only a probe, the health status of a server member is detected according to the following principles:
- If the server member is in Down state, the probe sends probing packets at intervals specified by fail-interval interval. If the probe receives response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times within the timeout interval, it marks the server member as Up. Otherwise, the server member remains in Down state.
- If the server member is in Up state, the probe sends probing packets at intervals specified by interval interval. If the probe does not receive response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times within the timeout interval, it marks the server member as Down. Otherwise, the server member remains in Up state.
When a server group is bound to multiple probes, the health status of a server member is detected according to the following principles:
- When the probe mode is fail-on-all, the server member is considered as Down when all the probes bound to the server group detect that the server member is in Down state.
- When the probe mode is fail-on-one, the server member is considered as Down when a probe bound to the server group detects that the server member is in Down state.
In server load balancing, the SPU supports ICMP, TCP, UDP, and HTTP probes.
- ICMP probe: An ICMP probe sends ICMP Echo request packets to a server in a server group. If the SPU consecutively receives ICMP Reply packets of the server for the specified number of times in the specified period, it considers the probing to be successful and sets the server to Up. Otherwise, the SPU considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.
- TCP probe: A TCP probe initiates a request for establishing a TCP connection to an interface of a server in a server group. If the SPU consecutively receives response packets of the server for the specified number of times in the specified period and the data carried in the response packets is the same as the expected response data, it considers the probing to be successful and sets the server to Up. If the SPU does not consecutively receive response packets of the server for the specified number of times in the specified time, or the data carried in the response packets is different from the expected response data, it considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.
- UDP probe: A UDP probe sends UDP request packets to an interface of a server in a server group. If the SPU consecutively receives ICMP Host Unreachable or Port Unreachable packets of the server for the specified number of times in the specified time, it considers the probing to have failed and determines whether to set the server to Down according to the probe mode set on the server group. If the SPU consecutively receives response packets of the server for the specified number of times in the specified time and the data carried in the response packets is the same as the expected response data, it considers the probing to be successful and sets the server to Up.
- HTTP probe: An HTTP probe establishes a TCP connection with an HTTP interface of a server in a server group, and then sends HTTP requests. If the SPU consecutively receives response packets of the server for the specified number of times and the returned status code is the same as the expected response data, it sets the server to Up. If the SPU does not consecutively receive response packets of the server for the specified number of times in the specified time, or the status code carried in the response packets is different from the expected response data, it considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.
NOTE
When the probe mode is AND, the SPU sets a server to Down only if the probing of all probes fails. When the probe mode is OR, the SPU sets a server to Down if the probing of a probe fails.
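The state rules above, written out as a small model so the interaction of interval, time-out, retrycount, fail-interval, fail-retrycount and the probe mode can be traced on constructed probe results. This is an added example, not Huawei code: the per-type success rules and counters are the ones this section names; the initial Up state of a new member, the 3 s time-out and "any reply accepted when no expect-data is configured" are assumptions.

```python
"""Model of the SPU probe health-state rules described in this section.

Added example, not Huawei code. Parameter names follow the probe view
commands (interval, time-out, retrycount, fail-interval, fail-retrycount).
"""
from dataclasses import dataclass, field


def reply_ok(probe_type, reply, expect_data=None, status_range=(200, 200)):
    """Apply the per-type success rule to one reply (a constructed dict).

    reply is None when nothing arrived within the time-out. Keys used:
    echo_reply (ICMP), icmp_unreachable and data (UDP), data (TCP), status (HTTP).
    """
    if reply is None:
        return False
    if probe_type == "icmp":
        return bool(reply.get("echo_reply"))
    if probe_type == "udp" and reply.get("icmp_unreachable"):
        return False                      # host/port unreachable counts as failure
    if probe_type in ("tcp", "udp"):
        # assumption: with no expect-data configured, any reply is accepted
        return expect_data is None or reply.get("data") == expect_data
    if probe_type == "http":
        low, high = status_range          # expect status-code min/max
        return low <= reply.get("status", -1) <= high
    raise ValueError(f"unknown probe type {probe_type}")


@dataclass
class Probe:
    """One probe with its counters; state is tracked per server member."""
    name: str
    probe_type: str = "icmp"
    interval: int = 15          # seconds between probes while the member is Up
    timeout: int = 3            # seconds to wait for one reply (assumed default)
    retrycount: int = 3         # consecutive failures that mark a member Down
    fail_interval: int = 60     # seconds between probes while the member is Down
    fail_retrycount: int = 3    # consecutive successes that mark a member Up
    _state: dict = field(default_factory=dict)   # member -> (state, streak)

    def validate(self):
        """time-out must be smaller than both interval and fail-interval."""
        if self.timeout >= self.interval or self.timeout >= self.fail_interval:
            raise ValueError(f"{self.name}: time-out must be smaller than "
                             "interval and fail-interval")
        return True

    def status(self, member):
        """State of a member as seen by this probe (assumed Up until probed)."""
        return self._state.get(member, ("Up", 0))[0]

    def next_delay(self, member):
        """Which interval applies depends only on the member's current state."""
        return self.fail_interval if self.status(member) == "Down" else self.interval

    def observe(self, member, success):
        """Feed one probe outcome; return the member's state as seen by this probe."""
        state, streak = self._state.get(member, ("Up", 0))
        if state == "Up":
            streak = streak + 1 if not success else 0   # a good reply resets the run
            if streak >= self.retrycount:
                state, streak = "Down", 0
        else:
            streak = streak + 1 if success else 0       # a miss resets the run
            if streak >= self.fail_retrycount:
                state, streak = "Up", 0
        self._state[member] = (state, streak)
        return state


def member_status(probes, member, mode="fail-on-one"):
    """Combine several probes' views per the server group's probe-mode."""
    down = [p.status(member) == "Down" for p in probes]
    if mode == "fail-on-all":
        return "Down" if down and all(down) else "Up"
    if mode == "fail-on-one":
        return "Down" if any(down) else "Up"
    raise ValueError(f"unknown probe mode {mode}")
```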
Procedure
Step 1 Run:
system-view
The IP address of a sub-interface is obtained and used as the source IP address of probing packets of a probe. The interface type can be XGE sub-interface, loopback interface, or Eth-Trunk sub-interface.
NOTE
- When running the load-balance ip interface command, you can select the specified interface only if an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface is specified.
- A probe does not send probing packets if the specified interface is not configured with an IP address.
Step 3 Run:
load-balance probe probe-name [ http | icmp | udp | tcp ]
A probe is created or the probe view is displayed. When creating a probe, you must specify the probe type. When you enter the view of a created probe, you can choose not to specify the probe type. Up to 1024 probes can be created, including ICMP probes, TCP probes, UDP probes, and HTTP probes. By default, no probe is configured.
Step 4 (Optional) Run:
description description
The description of the probe is configured. By default, no description is configured for a probe.
Step 5 (Optional) Run:
interval interval
The probing interval of a probe is set. The probing interval of a probe indicates the interval for sending probing packets to detect the health status of a server. The probing interval of a probe must be greater than the timeout interval of a probe. By default, the probing interval of a probe is 15s.
Step 6 (Optional) Run:
time-out time-out
The timeout interval of a probe is set. The timeout interval of a probe must be smaller than the probing interval of a probe and the interval for a probe to detect that a server member is Down.
NOTE
After a TCP connection is established, if packets of the TCP connection fail to be transmitted, the system uses the TCP retransmission mechanism. It is recommended that the timeout interval of TCP probes be greater than the timeout interval of TCP transmission. By default, the timeout interval of TCP transmission is 6s. If multiple probes are configured, it is recommended that the timeout interval of probes be greater than or equal to the default value.
The retry count of a probe is set when a server member is in Up state. By default, the retry count of a probe is 3 when a server member is in Up state.
Step 8 (Optional) Run:
fail-interval interval
The interval for a probe to detect that a server member is Down is set. The interval for a probe to detect that a server member is Down must be greater than the timeout interval of a probe. By default, the interval for a probe to detect that a server member is Down is 60s.
Step 9 (Optional) Run:
fail-retrycount times
The retry count for a probe to detect server recovery is set. By default, the retry count for a probe to detect server recovery is 3.
Step 10 (Optional) Run the following command as required.
Run:
send-data data
Run:
expect-data data
The expected response data of a TCP probe or a UDP probe is set. A TCP probe or a UDP probe determines whether a server member works normally by comparing the sent data and the expected response data. If the response data from the server member is the same as the expected response data, it indicates that the server member works normally. If the server member does not respond or the response data is different from the expected response data, it indicates that the server member works abnormally. By default, the sent data or the expected response data of a TCP probe or a UDP probe is not set.
Run:
request method { get | head } url url
The HTTP request method and the URL used by the HTTP probe are configured. The difference between the GET method and the HEAD method is as follows: the GET method obtains the entire page corresponding to the URL, whereas the HEAD method obtains only the header of the page corresponding to the URL. By default, the HTTP request method is GET and no URL is used.
Run:
user user-name [ password password ]
The user name and password of an HTTP request are set. By default, the user name and password of an HTTP request are not set.
Run:
header { accept | accept-charset } header-value value
The Accept field or the Accept-Charset field in an HTTP request packet header is set. By default, the SPU does not set the Accept field or the Accept-Charset field in an HTTP request packet header.
Run:
expect status-code min min-number max max-number
The range of the expected return status code is set. By default, the expected return status code is 200.
Step 11 (Optional) Run:
destination port port-number
The destination port number of a probe is configured. By default, the destination port number of a probe is the port number of the load balancing member instance configured through the member port port-number command. If the port number of a load balancing member instance is not configured, the destination port number of a probe is the default port number. For example, TCP and HTTP probes use destination port 80 and UDP probes use destination port 53. ICMP probes have no destination port number. If a TCP probe, a UDP probe, or an HTTP probe is bound to a load balancing group, the destination port number of the probe cannot be changed.
----End
Procedure
Step 1 Run:
system-view
A server is created and the load balancing member view is displayed. Up to 1024 servers can be created.
The description of the server is configured. By default, no description is configured for a server.
Step 4 Run:
ip address ip-address
The IP address of the server is set. By default, no IP address of a server is specified.
Step 5 (Optional) Run:
conn-limit max limit
The maximum number of connections of the server is set. When the number of connections of a server exceeds the set value, the SPU does not send user requests to the server for processing.
NOTE
The maximum number of connections can also be set in a server instance. If the maximum numbers of connections of both a server and a server instance are set, the SPU first checks whether the value reaches the connection limit of the server instance. If yes, the SPU rejects new connections. Then the SPU compares the value with the connection limit of the server. If that limit is reached, the SPU rejects new connections.
By default, the maximum number of connections of a server is 4000000.
Step 6 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server are set. After selecting a server through the load balancing algorithm, the SPU compares the current bandwidth and the number of connections with the bandwidth limit and connection rate limit. If the bandwidth limit or connection rate limit is reached, the SPU does not select the server. By default, the connection rate of a server is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.
Step 7 (Optional) Run:
priority level
The priority of the server is set. A greater value represents a higher priority of the server, so that the server is selected with a greater probability. By default, the priority of a server is 8.
Step 8 (Optional) Run:
weight weight-value
If the priority and weight of a server instance are not set, the SPU uses the priority and weight of the server. If the priority and weight of the server are not set, the SPU adopts the default values.
----End
Procedure
Step 1 Run:
system-view
A server group is created and the server group view is displayed. Up to 1024 load balancing groups can be created, including link groups, server groups, and firewall groups. By default, no server group is configured.
Step 3 Run:
probe probe-name
A probe of the server group is configured. By default, no probe is configured for a server group.
Step 4 Run:
probe-mode { fail-on-all | fail-on-one }
The probe mode is set. By default, the probe mode is fail-on-one. In fail-on-all mode, a server member is considered as Down when all the probes bound to the server group detect that the server member is in Down state. In fail-on-one mode, a server member is considered as Down when a probe bound to the server group detects that the server member is in Down state.
Step 5 Run:
failaction { purge | reassign }
The action performed when a server fails is set. By default, no action is taken when a server fails. If the action is set to purge, when the master server fails, the connections of the master server are removed and not switched to a backup server. If the action is set to reassign, when the master server fails, all the connections of the master server are switched to a backup server.
Step 6 Run:
switch-threshold percent1 restore-threshold percent2
The threshold for switching services from the master server to the backup server is set.
percent1 specifies the threshold for the master server group to remain active and percent2 specifies the threshold for the backup server group to remain active. When the percentage of active servers in the master server group is smaller than or equal to the value of percent1, the SPU switches services to the backup server group. When the percentage of active servers in the master server group is greater than the value of percent2, the master server group is recovered and starts to provide services. By default, the thresholds for the master and backup server groups to remain active are 0. In this case, if all the servers in the master server group are invalid, the SPU automatically switches services to the backup server group. If a server in the master server group becomes active, the SPU switches services back to the master server group.
Step 7 Run:
forward-mode dnat
The packet forwarding mode is set to DNAT. In server load balancing, the packet forwarding mode can be set to DNAT or DMAC. In DNAT mode, the SPU changes the destination IP address of packets to the IP address of a server before forwarding them. In DMAC mode, the SPU changes the destination MAC address of packets to the MAC address of a server before forwarding them; the destination IP address of the packets remains unchanged.
Step 8 Run:
load-balance method { { hash address { destination | source | both } [ netmask ] } | { hash url [ begin-pattern expression1 ] [ end-pattern expression2 ] } | leastconns | roundrobin }
The load balancing algorithm is set. By default, the WRR algorithm is used for load balancing.
Step 9 Run:
member member-name
A server is bound to the server group and the server instance view is displayed.
Step 10 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server instance are set. By default, the connection rate of a server instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%. When the bandwidth limit, connection rate limit, or bandwidth threshold is set for both a server instance and the server, both the value of the server instance and the value of the server take effect. For example, the bandwidth limit of a server is 200 kbit/s and server instance A and server instance B are configured on the server. The bandwidth limit of server instance A is 200 kbit/s and the bandwidth limit of server instance B is 100 kbit/s. When selecting a server, the S9300 needs to consider the bandwidth limits of both the server instance and the server. That is, the total bandwidth of server instance A and server instance B cannot exceed the bandwidth limit of the server.
The maximum number of connections of the server instance is set. When the number of connections of a server instance exceeds the set value, the SPU does not send user requests to the server instance for processing.
NOTE
If the maximum numbers of connections of both a server and a server instance are set, the SPU first checks whether the value reaches the maximum number of connections of the server instance. If yes, the SPU rejects new connections. Then the SPU compares the value with the maximum number of connections of the server. If that limit is reached, the SPU rejects new connections.
By default, the maximum number of connections of a server instance is 4000000.
Step 12 (Optional) Run:
priority level
The priority of the server instance is set. When the priorities of a server instance and a server are set simultaneously, the priority of the server instance takes effect. If the priority of a server instance is not set, the SPU uses the priority of a server. If the priority of the server is not set, the SPU adopts the default value.
NOTE
The priority is only valid for the WRR algorithm and the least connection algorithm.
The weight of the server instance is set. When the weights of a server instance and a server are set simultaneously, the weight of the server instance takes effect. If the weight of a server instance is not set, the SPU uses the weight of a server. If the weight of the server is not set, the SPU adopts the default value.
NOTE
The weight is only valid for the WRR algorithm and the least connection algorithm.
The backup member of the server instance is configured. By default, no backup member is configured for a server instance. A server instance can contain up to three backup members. Before configuring a backup member, ensure that the backup member is added to the server group.
Step 15 (Optional) Run:
nat outbound address-group group-index [ no-pat ]
An NAT address pool is configured in the server instance for translating source IP addresses through NAT. no-pat indicates that PAT is not performed. That is, only the IP address of packets is translated through NAT. The port number, however, is not translated. When NAT for translating source IP addresses is enabled simultaneously in a server instance and a Layer 3 classifier, NAT for translating source IP addresses enabled in the server instance takes effect. By default, NAT for translating source IP addresses is disabled in a server instance.
NOTE
If the forwarding mode is set to DMAC, the NAT address pool does not need to be configured in a server instance or a Layer 3 classifier.
Step 16 Run:
inservice
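How the server and server-instance settings from this procedure combine at selection time (instance limit checked before server limit, both bandwidth limits applying, instance priority and weight overriding the server's, and the switch-threshold / restore-threshold rule) is shown by the following model. This is an added example, not Huawei code: the defaults are the ones given above (conn-limit 4000000, bandwidth 1000000 kbit/s, threshold 100%, priority 8, thresholds 0); the default weight of 1 and the live counters are assumptions supplied by the caller.

```python
"""Admission and master/backup model for a server group (added example,
not Huawei code). Counters such as conns and bw_kbps are constructed inputs.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    """load-balance member view: server-level settings and live counters."""
    name: str
    priority: Optional[int] = None        # None = not configured
    weight: Optional[int] = None
    conn_limit: int = 4_000_000
    bw_limit_kbps: int = 1_000_000        # outbound bandwidth limit
    bw_threshold_pct: int = 100
    conns: int = 0                        # current connections (constructed)
    bw_kbps: int = 0                      # current outbound bandwidth (constructed)


@dataclass
class Instance:
    """member view inside a server group: instance-level settings."""
    server: Server
    priority: Optional[int] = None
    weight: Optional[int] = None
    conn_limit: int = 4_000_000
    bw_limit_kbps: int = 1_000_000
    bw_threshold_pct: int = 100
    status: str = "Up"
    conns: int = 0
    bw_kbps: int = 0

    def effective_priority(self):
        """Instance value wins, then the server value, then the default 8."""
        if self.priority is not None:
            return self.priority
        return self.server.priority if self.server.priority is not None else 8

    def effective_weight(self):
        """Same precedence as priority; the default weight of 1 is an assumption."""
        if self.weight is not None:
            return self.weight
        return self.server.weight if self.server.weight is not None else 1

    def admits_connection(self):
        """Instance limit is checked first, then the server limit (Steps 5 and 11)."""
        if self.conns >= self.conn_limit:
            return False
        return self.server.conns < self.server.conn_limit

    def within_bandwidth(self):
        """Both the instance and the server limits apply (Steps 6 and 10); the
        threshold is the share of the limit above which no new traffic is taken."""
        inst_cap = self.bw_limit_kbps * self.bw_threshold_pct / 100
        srv_cap = self.server.bw_limit_kbps * self.server.bw_threshold_pct / 100
        return self.bw_kbps < inst_cap and self.server.bw_kbps < srv_cap

    def selectable(self):
        return self.status == "Up" and self.admits_connection() and self.within_bandwidth()


def candidates(group: List[Instance]):
    """Instances the algorithm may pick, highest effective priority first."""
    return sorted((i for i in group if i.selectable()),
                  key=lambda i: i.effective_priority(), reverse=True)


def serving_backup_after(master: List[Instance], serving_backup: bool,
                         switch_pct: int = 0, restore_pct: int = 0):
    """switch-threshold percent1 restore-threshold percent2 (Step 6).

    Returns the updated "serving backup" flag: services move to the backup
    group when the active share of the master group is at or below percent1,
    and return to the master group once that share exceeds percent2.
    """
    up = sum(1 for i in master if i.status == "Up")
    active_pct = 100 * up / len(master) if master else 0
    if not serving_backup and active_pct <= switch_pct:
        return True
    if serving_backup and active_pct > restore_pct:
        return False
    return serving_backup
```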
Context
Session stickiness is often applicable to e-commerce. Multiple connections of a user need to be processed by only one server when the user shops online. In this case, the SPU is required to identify users and send the requests of a user to the same server for processing. The SPU uses sticky groups to configure and manage the related attributes of session stickiness. If session stickiness is configured, after the SPU sends the first request of a user to a selected server, the subsequent requests of the user are sent to the same server. The SPU thus does not make load balancing decisions. The SPU supports static and dynamic stickiness:
- When packets of a session match static sticky entries, the stickiness corresponding to the session is called static stickiness. Static stickiness takes effect as long as static sticky entries exist.
- When packets of a session match dynamic sticky entries, the stickiness corresponding to the session is called dynamic stickiness. Dynamic stickiness takes effect only within the aging time. After dynamic sticky entries age, stickiness becomes invalid.
The SPU supports session stickiness at the network layer and the application layer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
load-balance stickygroup stickygroup-name { source-ip | destination-ip | both-ip } mask net-mask
A sticky group is created and the sticky group view is displayed. Up to 1024 sticky groups can be created. By default, no sticky group is created.
Step 3 (Optional) Run:
description text
The description of the sticky group is configured. By default, no description is configured for a sticky group.
Step 4 Run:
group master-group-name [ backup backup-group-name ]
A server group is bound to the sticky group. The name of the backup load balancing group must be different from the name of the master load balancing group. If the Layer 3 classifier bound to the sticky group is bound to a load balancing policy, you cannot modify the server group bound to the sticky group. By default, no server group is bound to a sticky group.
Step 5 (Optional) Run:
time-out time
The aging time of dynamic sticky entries is set. The dynamic sticky entries generated on a sticky group age out after the aging time expires and no longer take effect. By default, the aging time of dynamic sticky entries is 1440 minutes.
Step 6 (Optional) Run:
static client { destination dest-ip-address | source src-ip-address [ destination dest-ip-address ] } member member-name
A static sticky entry is configured. The SPU supports static sticky entries based on the source IP address, the destination IP address, or the source and destination IP addresses. Up to 4096 static sticky entries can be created.
- When source src-ip-address is specified, a static sticky entry based on the source IP address is configured. When packets with the source IP address specified by src-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
- When destination dest-ip-address is specified, a static sticky entry based on the destination IP address is configured. When packets with the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
- When source src-ip-address and destination dest-ip-address are both specified, a static sticky entry based on the source and destination IP addresses is configured. When packets with the source IP address specified by src-ip-address and the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
NOTE
When configuring static sticky entries, pay attention to the following points:
l l
Only one static sticky entry of a sticky group can be created on a network segment. Before configuring stickiness, you need to use the load-balance group command to create the corresponding server group and bind the server group to the sticky group. In addition, the server group must contain servers.
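The lookup order that these entries imply (a static entry first, then a dynamic entry that has not aged out, otherwise a fresh load-balancing decision that itself creates a dynamic entry) can be modelled in a few lines. The following Python is an added example for this guide, not the SPU's implementation or any code from the document. It assumes that a source-and-destination entry takes precedence over a source-only entry, which in turn takes precedence over a destination-only entry, and that a hit refreshes a dynamic entry's idle timer; the member names, addresses and the 30-minute aging value used in the demo are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Page default: dynamic sticky entries age after 1440 minutes.
DEFAULT_TIME_OUT_MIN = 1440
# Page limit: up to 4096 static sticky entries per SPU.
MAX_STATIC_ENTRIES = 4096

# Static key: (src-ip or None, dst-ip or None); None means "not part of the entry".
StaticKey = Tuple[Optional[str], Optional[str]]


@dataclass
class StickyGroup:
    """Toy model of a sticky group: static entries never age, dynamic entries do."""
    name: str
    time_out_min: int = DEFAULT_TIME_OUT_MIN
    static: Dict[StaticKey, str] = field(default_factory=dict)
    # (src, dst) -> (member-name, minute of the last hit)
    dynamic: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def static_client(self, member: str, source: Optional[str] = None,
                      destination: Optional[str] = None) -> None:
        """Models `static client { destination d | source s [ destination d ] } member m`."""
        if source is None and destination is None:
            raise ValueError("a static entry needs a source and/or destination address")
        if len(self.static) >= MAX_STATIC_ENTRIES and (source, destination) not in self.static:
            raise ValueError("static sticky entry limit reached")
        self.static[(source, destination)] = member

    def _static_lookup(self, src: str, dst: str) -> Optional[str]:
        # Assumed precedence: source+destination, then source-only, then destination-only.
        for key in ((src, dst), (src, None), (None, dst)):
            if key in self.static:
                return self.static[key]
        return None

    def select(self, src: str, dst: str, now_min: float,
               choose: Callable[[], str]) -> Tuple[str, str]:
        """Return (member-name, reason). `choose` is the load-balancing decision,
        applied only when no sticky entry matches; its result becomes a dynamic entry."""
        member = self._static_lookup(src, dst)
        if member is not None:
            return member, "static"
        entry = self.dynamic.get((src, dst))
        if entry is not None:
            member, last_hit = entry
            if now_min - last_hit < self.time_out_min:
                # Assumption: a hit refreshes the entry's idle timer.
                self.dynamic[(src, dst)] = (member, now_min)
                return member, "dynamic"
            # Aged out: the entry no longer takes effect and is dropped.
            del self.dynamic[(src, dst)]
        member = choose()
        self.dynamic[(src, dst)] = (member, now_min)
        return member, "new"


def demo() -> list:
    """Constructed walk-through: static entries win, dynamic entries expire."""
    sg = StickyGroup("sticky1", time_out_min=30)
    sg.static_client("serverA", source="10.1.1.5")
    sg.static_client("serverB", destination="20.20.20.200")
    return [
        sg.select("10.1.1.5", "20.20.20.200", 0, lambda: "serverC"),   # source entry
        sg.select("10.1.1.9", "20.20.20.200", 0, lambda: "serverC"),   # destination entry
        sg.select("10.1.1.7", "20.20.20.201", 0, lambda: "serverC"),   # no entry: new decision
        sg.select("10.1.1.7", "20.20.20.201", 10, lambda: "serverD"),  # dynamic entry hit
        sg.select("10.1.1.7", "20.20.20.201", 45, lambda: "serverD"),  # idle 35 min: aged out
    ]


if __name__ == "__main__":
    for member, reason in demo():
        print(f"{member:8s} ({reason})")
```

The `choose` callback stands in for the group's load-balancing algorithm, so the same model can be reused with any selection policy; what the page fixes is only that a matching sticky entry bypasses that algorithm.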
Context
On the SPU, Layer 7 classification means that packets are classified based on the URLs of Layer 7 services. Whether Layer 3 or Layer 7 load balancing is used, the SPU first matches packets against the ACL in a Layer 3 classifier and then against the matching rule in the Layer 7 classifier bound to that Layer 3 classifier. Therefore, you must configure a Layer 7 classifier for both Layer 3 and Layer 7 load balancing. In Layer 3 load balancing, the matching rule of the Layer 7 classifier must be set to any.
Procedure
Step 1 Run:
system-view
A Layer 7 classifier is created and the Layer 7 classifier view is displayed. By default, no Layer 7 classifier is configured. When you create a Layer 7 classifier, if the matching mode is set to and, the matching succeeds only when all the rules are matched; if the matching mode is set to or, the matching succeeds when any rule is matched; if neither and nor or is specified, the default matching mode is and.
NOTE
When you enter the Layer 7 classifier view, you can specify and or or. The specified matching mode must be the same as the one used when the Layer 7 classifier is created.
Step 3 Run the following commands as required.
- Run:
match any
The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched.
- Run:
rule [ rule-number ] match http url url [ method { method-name | get | head | post } ]
- Run:
rule [ rule-number ] match l7classifier l7classifier-name
Another Layer 7 classifier is nested in the Layer 7 classifier. By default, the matching rule of a Layer 7 classifier is any.
NOTE
If other matching rules are configured in the Layer 7 classifier, you cannot set the matching rule to any. If the matching rule of a Layer 7 classifier is set to any, you cannot configure other matching rules; in addition, the traffic being load balanced is then processed at Layer 3 and Layer 4, so the load balancing algorithms for Layer 7 services, including the hash algorithm based on the URL, cannot be configured. A Layer 7 classifier can be nested in another Layer 7 classifier whose matching rule is set to the nesting rule. A Layer 7 classifier can be nested by up to eight Layer 7 classifiers.
Step 4 Run:
case-insensitive
Case sensitivity is disabled. After this command is run, the SPU does not distinguish uppercase and lowercase letters when parsing HTTP packets. By default, the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets.
----End
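How the matching mode, nesting, the any rule and case sensitivity interact is easier to see in a small evaluator. The Python below is an added example, not code from this guide or from the SPU. It assumes that a URL rule matches when the configured string appears anywhere in the request URL (the page does not describe the SPU's actual URL matching semantics), that the eight-classifier limit applies to the rules of one classifier, and that a classifier without any rule matches nothing; the classifier names and requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_NESTED = 8  # page: a Layer 7 classifier can be nested by up to eight Layer 7 classifiers


@dataclass
class UrlRule:
    url: str
    method: Optional[str] = None  # None = any HTTP method


@dataclass
class L7Classifier:
    name: str
    mode: str = "and"               # page default when neither and nor or is given
    match_any: bool = False
    case_insensitive: bool = False  # page default: the SPU is case-sensitive
    url_rules: List[UrlRule] = field(default_factory=list)
    nested: List[str] = field(default_factory=list)

    def set_match_any(self) -> None:
        """`match any`: refused when other rules already exist (page NOTE)."""
        if self.url_rules or self.nested:
            raise ValueError("other matching rules exist; cannot set the rule to any")
        self.match_any = True

    def rule_match_http_url(self, url: str, method: Optional[str] = None) -> None:
        """`rule match http url url [ method ... ]`: refused when the rule is any."""
        self._check_not_any()
        self.url_rules.append(UrlRule(url, method))

    def rule_match_l7classifier(self, other: str) -> None:
        """`rule match l7classifier name`: nests another classifier, at most MAX_NESTED."""
        self._check_not_any()
        if len(self.nested) >= MAX_NESTED:
            raise ValueError("at most %d nested classifiers" % MAX_NESTED)
        self.nested.append(other)

    def _check_not_any(self) -> None:
        if self.match_any:
            raise ValueError("matching rule is any; other rules cannot be configured")


class L7Engine:
    """Holds all classifiers and evaluates one of them against an HTTP request."""

    def __init__(self) -> None:
        self.classifiers: Dict[str, L7Classifier] = {}

    def add(self, c: L7Classifier) -> L7Classifier:
        self.classifiers[c.name] = c
        return c

    def _url_hit(self, c: L7Classifier, r: UrlRule, url: str, method: str) -> bool:
        # Assumption: substring match on the URL; the method is compared case-insensitively.
        hay, needle = (url.lower(), r.url.lower()) if c.case_insensitive else (url, r.url)
        if needle not in hay:
            return False
        return r.method is None or r.method.lower() == method.lower()

    def evaluate(self, name: str, url: str, method: str = "GET", _depth: int = 0) -> bool:
        c = self.classifiers[name]
        if c.match_any:
            return True
        if _depth > MAX_NESTED:
            raise RecursionError("classifier nesting too deep or cyclic")
        results = [self._url_hit(c, r, url, method) for r in c.url_rules]
        results += [self.evaluate(n, url, method, _depth + 1) for n in c.nested]
        if not results:
            return False
        return all(results) if c.mode == "and" else any(results)


def build_demo() -> L7Engine:
    """Constructed classifiers: `static` (or-mode), `upload` (and-mode), `site` nests both,
    and `l3only` uses `match any` as Layer 3 load balancing requires."""
    eng = L7Engine()
    static = eng.add(L7Classifier("static", mode="or"))
    static.rule_match_http_url("/images/")
    static.rule_match_http_url("/css/")
    upload = eng.add(L7Classifier("upload", mode="and"))
    upload.rule_match_http_url("/api/upload", method="post")
    site = eng.add(L7Classifier("site", mode="or"))
    site.rule_match_l7classifier("static")
    site.rule_match_l7classifier("upload")
    eng.add(L7Classifier("l3only")).set_match_any()
    return eng
```

Toggling `case_insensitive` on the `static` classifier is the model's equivalent of running case-insensitive in its view: `/IMAGES/logo.png` fails to match until the flag is set.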
Procedure
Step 1 Run:
system-view
A load balancing action profile is created and the load balancing action profile view is displayed.
Step 3 Run the following command as required.
- Run:
drop
- Run:
forward
- Run:
group master-group-name [ backup backup-group-name ]
- Run:
stickygroup stickygroup-name
The action is set to the sticky operation. By default, the action is forward.
----End
Procedure
Step 1 Run:
system-view
An ACL is created and the ACL view is displayed. In server load balancing, the value of number ranges from 3000 to 3999; that is, advanced ACLs are used. A Layer 3 classifier can be bound to only one ACL. If the ACL is configured repeatedly, the latest ACL takes effect. By default, no ACL is created.
Step 3 (Optional) Run:
step step-value
The step between ACL rule IDs is set. By default, the step between ACL rule IDs is 5.
Step 4 Run the following command as required:
- When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
undo rule rule-id
- When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:
rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *
- When the parameter protocol is specified as another protocol rather than TCP, UDP, or ICMP, the command format is as follows:
rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
undo rule rule-id
Context
To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, you need to set the aging time so that TCP or UDP traffic forwarding entries that have been idle for a long time are periodically aged.
Procedure
Step 1 Run:
system-view
A connection parameter profile is created and the connection parameter profile view is displayed. Up to 1024 connection parameter profiles can be created. By default, no connection parameter profile is created.
Step 3 Run:
tcp aging-time aging-time
The aging time of the TCP traffic forwarding table is set. By default, the aging time of the TCP traffic forwarding table is 3600s.
Step 4 Run:
udp aging-time aging-time
The aging time of the UDP traffic forwarding table is set. By default, the aging time of the UDP traffic forwarding table is 120s.
----End
Context
Case sensitivity means that the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets. Per-packet rebalance means that the SPU makes a new load balancing decision and may select another server for each HTTP request packet even if the quintuple is the same.
Procedure
Step 1 Run:
system-view
An HTTP parameter profile is created and the HTTP parameter profile view is displayed. Up to 1024 HTTP parameter profiles can be created. By default, no HTTP parameter profile is created.
Step 3 Run:
max-parse-length length-value
The maximum parsing length of HTTP packets is set. By default, the maximum parsing length of HTTP packets is 1024 bytes.
Step 4 Run:
rebalance per-request
Each HTTP request is rebalanced. By default, the SPU does not rebalance newly received HTTP requests.
----End
Context
To classify packets according to the quintuple, you need to create and configure a Layer 3 classifier.
Procedure
Step 1 Run:
system-view
A Layer 3 classifier is created and the Layer 3 classifier view is displayed. By default, no Layer 3 classifier is created.
Step 3 Run:
if-match acl acl-number
An ACL is bound to the Layer 3 classifier. A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run multiple times in the same Layer 3 classifier view, the latest one takes effect. By default, no ACL is bound to a Layer 3 classifier.
Step 4 Run:
l7classifier l7classifier-name action action-name
The Layer 7 classifier and action are bound to the Layer 3 classifier. The SPU first matches packets with the ACL in the Layer 3 classifier, and then matches packets with the rule in the Layer 7 classifier. By default, a Layer 3 classifier is not bound to a Layer 7 classifier or an action.
Step 5 (Optional) Run:
icmp-reply
The SPU is configured to respond to ping requests of users. The SPU provides services through a virtual IP address. Users send service requests to the virtual IP address, but by default the SPU does not respond to ICMP packets sent to it. If the SPU is required to respond to ping requests, you need to run the icmp-reply command in the Layer 3 classifier view.
CAUTION
- If the SPU is required to respond to ping requests of users, the ping request packets of users must match the ACL in the Layer 3 classifier. If the destination address in the ACL of the Layer 3 classifier is set to any, the SPU responds to every ping request from any user, and the ACL no longer restricts anything. Therefore, configure the ACL in a Layer 3 classifier with caution.
By default, the SPU does not respond to ping requests of users.
Step 6 (Optional) Run:
parameter connection profile-name
A connection parameter profile is bound to the Layer 3 classifier. A connection parameter profile can be bound to one or more Layer 3 classifiers. By default, no connection parameter profile is bound to a Layer 3 classifier.
Step 7 (Optional) Run:
parameter http profile-name
An HTTP parameter profile is bound to the Layer 3 classifier. An HTTP parameter profile can be bound to one or more Layer 3 classifiers. By default, no HTTP parameter profile is bound to a Layer 3 classifier.
Step 8 (Optional) Run:
nat outbound address-group number [ no-pat ]
An NAT address pool is bound to the Layer 3 classifier. no-pat indicates that PAT is not performed; that is, only the IP address of packets is translated through NAT and the port number is not translated. The NAT address pool takes effect only after it is bound to a Layer 3 classifier or a server instance. If an NAT address pool is bound to a Layer 3 classifier and a server instance simultaneously, the NAT address pool bound to the server instance takes effect. When the forwarding mode of a server group is set to transparent transmission, the NAT function does not take effect even if a Layer 3 classifier or a server instance is bound to the NAT address pool. By default, no NAT address pool is bound to a Layer 3 classifier.
----End
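The wildcard semantics of the advanced ACL rules configured in 7.4.9, and why the CAUTION on icmp-reply above matters, can be checked offline with a small evaluator. The following Python is an added example, not the SPU's ACL engine or any code from this guide. It supports only the ip, tcp, udp and icmp rule forms with source, destination and destination-port eq; it assumes that rules are tried in ascending rule-ID order with the first match deciding and that an unnumbered rule receives the next multiple of the step; the ACL numbers and addresses in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_STEP = 5                         # page: default step between ACL rule IDs
ADVANCED_ACL_RANGE = range(3000, 4000)   # page: server load balancing uses 3000-3999

AddrSpec = Optional[Tuple[str, str]]     # (address, wildcard), or None for `any`


def _norm_wildcard(w: str) -> str:
    # The CLI accepts a bare `0` as the wildcard of a single host address.
    return "0.0.0.0" if w == "0" else w


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei-style wildcard: a 1 bit means 'do not care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    rule_id: int
    action: str        # permit | deny
    protocol: str      # ip | tcp | udp | icmp
    source: AddrSpec
    destination: AddrSpec
    dest_port: Optional[int]

    def matches(self, pkt: Dict) -> bool:
        if self.protocol != "ip" and pkt["proto"] != self.protocol:
            return False
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        return self.dest_port is None or pkt.get("dport") == self.dest_port


class AdvancedAcl:
    def __init__(self, number: int, step: int = DEFAULT_STEP) -> None:
        if number not in ADVANCED_ACL_RANGE:
            raise ValueError("server load balancing needs an advanced ACL (3000-3999)")
        self.number, self.step = number, step
        self.rules: List[Rule] = []

    def rule(self, line: str) -> Rule:
        """Parse `rule [ id ] { deny | permit } proto [ source ... ] [ destination ... ] [ destination-port eq port ]`."""
        t = line.split()
        if not t or t[0] != "rule":
            raise ValueError("expected a rule command")
        i = 1
        if t[i].isdigit():
            rule_id, i = int(t[i]), i + 1
        else:  # assumption: next multiple of the step above the highest existing ID
            highest = max((r.rule_id for r in self.rules), default=0)
            rule_id = (highest // self.step + 1) * self.step
        action, proto, i = t[i], t[i + 1], i + 2
        src = dst = dport = None
        while i < len(t):
            kw = t[i]
            if kw in ("source", "destination"):
                if t[i + 1] == "any":
                    spec, i = None, i + 2
                else:
                    spec, i = (t[i + 1], _norm_wildcard(t[i + 2])), i + 3
                if kw == "source":
                    src = spec
                else:
                    dst = spec
            elif kw == "destination-port" and t[i + 1] == "eq":
                dport, i = int(t[i + 2]), i + 3
            else:
                raise ValueError("keyword not supported by this example: %s" % kw)
        r = Rule(rule_id, action, proto, src, dst, dport)
        self.rules = sorted(self.rules + [r], key=lambda x: x.rule_id)
        return r

    def evaluate(self, pkt: Dict) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return None


def spu_answers_ping(acl: AdvancedAcl, src: str, dst: str) -> bool:
    """With icmp-reply, the SPU answers a ping only if the request matches the classifier's ACL."""
    return acl.evaluate({"proto": "icmp", "src": src, "dst": dst}) == "permit"
```

Running `spu_answers_ping` against an ACL whose only rule is `rule permit icmp destination any` returns True for any source and destination, which is exactly the situation the CAUTION warns about; scoping the rule to the virtual IP address and the expected client segment restricts the replies again.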
Procedure
Step 1 Run:
system-view
A load balancing policy is created and the load balancing policy view is displayed. Up to 1024 load balancing policies can be created. By default, no load balancing policy is configured.
Step 3 Run:
l3classifier l3classifier-name
A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.
Context
A load balancing policy can be applied only to XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.
Procedure
Step 1 Run:
system-view
The load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface. After the load balancing policy is applied, the SPU takes the actions defined in the load balancing policy on the VLAN packets received on the sub-interface that match the Layer 3 classifier bound to the policy. By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.
Step 4 (Optional) Run:
service load-balance arp-response nat address-group group-index
The NAT address pool is enabled to respond to ARP requests on the sub-interface. By default, an NAT address pool is not enabled to respond to ARP requests on a sub-interface. When the NAT address pool is used for source IP address translation and the IP address of the outbound interface of the SPU is in the same network segment as any IP address of the NAT address pool, you need to run the service load-balance arp-response nat address-group group-index command on the outbound sub-interface; otherwise, the NAT address pool cannot respond to ARP requests on the outbound sub-interface. Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.
----End
Procedure
- Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.
- Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.
- Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.
- Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.
- Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.
- Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.
- Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.
- Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.
- Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.
- Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.
----End
Applicable Environment
As the guard of a network, the firewall is an important network element. However, it has the following problem: a firewall needs to check each packet carefully, so its forwarding performance is low and the firewall becomes the bottleneck of the network. If existing devices are replaced to improve the forwarding performance, hardware resources are wasted; in addition, as the service volume grows, the devices need to be replaced frequently, and the cost of device replacement is high. You can create a firewall group to reduce the burden on each single firewall and improve the processing capability of the network. In the scenario where firewall load balancing is configured, load balancing devices are classified into level-1 and level-2 devices. Level-1 devices perform firewall load balancing; level-2 devices ensure that any traffic received through a firewall is sent back through the same firewall. The firewall load balancing technology treats firewalls as servers.
Pre-configuration Tasks
Before configuring firewall load balancing, complete the following tasks:
- Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Setting network layer parameters for the interfaces and ensuring that the routes between devices are available
- Performing the task of 2 SPU Pre-Configuration
Data Preparation
To configure firewall load balancing, you need the following data.
- Level-1 load balancing device
No. | Data
1 | (Optional) Name, type, and related parameters of the probe
2 | Name and parameters of the firewall, including the description, server IP address, weight, and bandwidth
3 | Name and firewall group parameters, including the description, load balancing algorithm, forwarding mode (fixed as DMAC), action performed when the firewall group fails, threshold for switching the master firewall group to the backup firewall group, bound probe, member, and member instance port number
4 | (Optional) Name and sticky group parameters, including the description, aging time, and static sticky entries
5 | Parameters of the Layer 7 classifier, including the classifier name and matching rule
6 | Name and parameters of the load balancing action profile, including the description and action
7 | Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule
8 | Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
9 | (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
10 | (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the function of enabling per-packet rebalance
11 | Parameters of the load balancing policy, including the load balancing policy name and Layer 3 classifier bound to the load balancing policy
12 | Object where the load balancing policy is applied
- Level-2 load balancing device
No. | Data
1 | (Optional) NAT address pool index and address network segment
2 | (Optional) Name, type, and related parameters of the probe
3 | Name and related parameters of the server, including the description, server IP address, weight, and bandwidth
4 | Name and related parameters of the server group, including the description, load balancing algorithm, forwarding mode, action performed when the server group fails, threshold for switching the master server group to the backup server group, bound probe, member, member instance port number, and NAT address pool index
5 | (Optional) Name and related parameters of the sticky group, including the description, aging time, and static sticky entries
6 | Parameters of the Layer 7 classifier, including the classifier name and matching rule
7 | Name and parameters of the load balancing action profile, including the description and action
8 | Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule
9 | Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
10 | (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
11 | (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the function of enabling per-packet rebalance
12 | Parameters of the load balancing policy, including the load balancing policy name and Layer 3 classifier bound to the load balancing policy
13 | Object where the load balancing policy is applied
Configuration Instructions
In the firewall load balancing technology, firewalls function as servers. The configuration procedure of firewall load balancing is similar to that of server load balancing; the differences are described in the following two tables. For details about the configuration procedure, see 7.4 Configuring Server Load Balancing.
- Level-1 load balancing device
No. | Step | Reference
1 | (Optional) Configure firewall health detection. | 7.4.3 (Optional) Configuring Server Health Detection (Only the ICMP probe is supported)
2 | Configure a firewall. | 7.4.4 Configuring a Server
3 | Configure a firewall group. | 7.4.5 Configuring a Server Group (DMAC must be used as the forwarding mode)
4 | (Optional) Configure session stickiness. | 7.4.6 (Optional) Configuring Session Stickiness
5 | Configure a Layer 7 classifier. | 7.4.7 Configuring a Layer 7 Classifier
6 | Configure a load balancing action. | 7.4.8 Configuring a Load Balancing Action
7 | Configure an ACL. | 7.4.9 Configuring an ACL
8 | (Optional) Configure a connection parameter profile. | 7.4.10 (Optional) Configuring a Connection Parameter Profile
9 | (Optional) Configure an HTTP parameter profile. | 7.4.11 (Optional) Configuring an HTTP Parameter Profile
10 | Configure a Layer 3 classifier. | 7.4.12 Configuring a Layer 3 Classifier
11 | Configure a load balancing policy. | 7.4.13 Configuring a Load Balancing Policy
12 | Apply the load balancing policy. | 7.4.14 Applying the Load Balancing Policy
13 | Check the configuration. | 7.4.15 Checking the Configuration
- Level-2 load balancing device
No. | Step | Reference
1 | (Optional) Configure an NAT address pool. | 7.4.2 (Optional) Configuring an NAT Address Pool
2 | (Optional) Configure server health detection. | 7.4.3 (Optional) Configuring Server Health Detection
3 | Configure a server. | 7.4.4 Configuring a Server
4 | Configure a server group. | 7.4.5 Configuring a Server Group
5 | (Optional) Configure session stickiness. | 7.4.6 (Optional) Configuring Session Stickiness
6 | Configure a Layer 7 classifier. | 7.4.7 Configuring a Layer 7 Classifier
7 | Configure a load balancing action. | 7.4.8 Configuring a Load Balancing Action
8 | Configure an ACL. | 7.4.9 Configuring an ACL
9 | (Optional) Configure a connection parameter profile. | 7.4.10 (Optional) Configuring a Connection Parameter Profile
10 | (Optional) Configure an HTTP parameter profile. | 7.4.11 (Optional) Configuring an HTTP Parameter Profile
11 | Configure a Layer 3 classifier. | 7.4.12 Configuring a Layer 3 Classifier
12 | Configure a load balancing policy. | 7.4.13 Configuring a Load Balancing Policy
13 | Apply the load balancing policy. | 7.4.14 Applying the Load Balancing Policy (you need to run the mac-sticky enable command to enable MAC address stickiness)
14 | Check the configuration. | 7.4.15 Checking the Configuration
Networking Requirements
As shown in Figure 7-8, an enterprise leases two egresses: ISP1 and ISP2. The link bandwidth of ISP1 is 100 Mbit/s and the link bandwidth of ISP2 is 300 Mbit/s. The network delay of ISP2 is shorter than that of ISP1. The requirements are as follows:
- The link is selected preferentially when an enterprise user accesses the external network. Another link is selected automatically when a link becomes invalid or the link limit is exceeded.
- NAT for translating source IP addresses is enabled.
The enterprise user is connected to GE 3/0/0 of the Switch and the SPU is installed in slot 5 of the Switch. RouterA is connected to GE 3/0/1 of the Switch and RouterB is connected to GE 3/0/2 of the Switch. The data flows entering the SPU pass through the primary CPU; that is, the data flows are received and sent by GE 5/0/0. The source IP address of the enterprise user is located on 192.168.1.1/24 and the destination IP address of the external network that the enterprise user needs to visit is located on 60.60.60.1/24.
Figure 7-8 Networking diagram for configuring egress link load balancing (labels in the figure: Enterprise user, GE3/0/0, XGE5/0/0, XGE5/0/1, XGE0/0/1, XGE0/0/2, External network 60.60.60.1/24)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure two links connected to ISP1 and ISP2 respectively.
3. Configure link health detection for detecting the links connected to ISP1 and ISP2.
4. Configure a link group, bind the link group to the links connected to ISP1 and ISP2, and adopt the WRR algorithm.
5. Configure a Layer 7 classifier and set the matching rule to any.
6. Configure a load balancing action profile.
7. Configure an ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to the interface of the internal network.
Data Preparation
To complete the configuration, you need the following data:
- Network segment of the NAT address pool
- Names of the links connected to ISP1 and ISP2, IP addresses, connection quantity limits, connection rate limits, bandwidth limits, bandwidth thresholds, and weights
- Name, type, and related parameters of the probe
- Link group name and load balancing algorithm
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier
- Name of the load balancing policy and interface where the load balancing policy is applied
Procedure
Step 1 Configure traffic importing on the Switch.
1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 13 14
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] port link-type trunk
[Switch-XGigabitEthernet5/0/0] port trunk allow-pass vlan 12 to 14
[Switch-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[Switch-XGigabitEthernet5/0/0] quit
2.
# Configure an NAT address pool with the index being 2 and the network segment ranging from 20.20.20.3 to 20.20.20.200.
# Configure an NAT address pool with the index being 3 and the network segment ranging from 30.30.30.3 to 30.30.30.200.
[SPU] nat address-group 3 30.30.30.3 30.30.30.200
3.
Step 2 Configure links.
# Create and configure the link isp1 connected to ISP1.
[SPU] load-balance member isp1
[SPU-lb-member-isp1] ip address 20.20.20.1
[SPU-lb-member-isp1] weight 30
[SPU-lb-member-isp1] conn-limit max 10000
[SPU-lb-member-isp1] rate-limit connection 1500
[SPU-lb-member-isp1] rate-limit bandwidth inbound 100 threshold 80
[SPU-lb-member-isp1] rate-limit bandwidth outbound 100 threshold 80
[SPU-lb-member-isp1] quit
Step 3 Configure link health detection.
# Set the IP address of XGE 0/0/1.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of the probing packets of a probe.
[SPU] interface xgigabitethernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 2 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 2
[SPU-XGigabitEthernet0/0/1.2] ip address 100.100.100.201 24
[SPU-XGigabitEthernet0/0/1.2] quit
[SPU] load-balance ip interface xgigabitethernet 0/0/1.2
# Create the ICMP probe probe1, and set the timeout interval of the response of probe1 to 10, the probing interval of probe1 to 20, and the probing interval after the link fails to 20.
Step 4 Configure a link group.
# Create the link group named linkgroup1, adopt the WRR algorithm, set the forwarding mode to redirection, bind isp1 and isp2 to probe1, and bind NAT address pool 2 and NAT address pool 3 to the link instances.
[SPU] load-balance group linkgroup1
[SPU-lb-group-linkgroup1] forward-mode redirect
[SPU-lb-group-linkgroup1] load-balance method roundrobin
[SPU-lb-group-linkgroup1] probe probe1
[SPU-lb-group-linkgroup1] member isp1
[SPU-lb-group-linkgroup1-member-isp1] nat outbound address-group 2
[SPU-lb-group-linkgroup1-member-isp1] inservice
[SPU-lb-group-linkgroup1-member-isp1] quit
[SPU-lb-group-linkgroup1] member isp2
[SPU-lb-group-linkgroup1-member-isp2] nat outbound address-group 3
[SPU-lb-group-linkgroup1-member-isp2] inservice
[SPU-lb-group-linkgroup1-member-isp2] quit
[SPU-lb-group-linkgroup1] quit
Step 5 Configure a Layer 7 classifier.
# Create the Layer 7 classifier named l7cls1 and set the matching rule to any.
[SPU] load-balance l7classifier l7cls1
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit
Step 6 Configure a load balancing action profile.
# Create the load balancing action profile named act1, set the action to load balance, and configure the load balancing group linkgroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] group linkgroup1
[SPU-lb-action-act1] quit
Step 7 Configure an ACL.
# Create ACL 3000 to permit the packets destined for 60.60.60.1/24 to pass through.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 60.60.60.1 0.0.0.255
[SPU-acl-adv-3000] quit
Step 8 Configure a Layer 3 classifier.
# Create the Layer 3 classifier named l3cls1, bind the Layer 7 classifier l7cls1 and the load balancing action profile act1 to it, and set the matching rule to match ACL 3000.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit
Step 9 Configure a load balancing policy.
# Create the load balancing policy named lbp1, and bind the Layer 3 classifier l3cls1 to the load balancing policy named lbp1.
Step 10 Apply the load balancing policy.
# Apply the load balancing policy lbp1 to XGigabitEthernet 0/0/1.12.
[SPU] interface xgigabitethernet0/0/1.12
[SPU-XGigabitEthernet0/0/1.12] service load-balance policy lbp1
[SPU-XGigabitEthernet0/0/1.12] quit
[SPU] display load-balance group name linkgroup1 member name isp1 verbose
Group name                  : linkgroup1
Member name                 : isp1
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 8000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max threshold      : 100%
Weight                      : 30
Priority                    : 8
NAT ID                      : 2
Pat                         : Yes
Member instance ID          : 0
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name linkgroup1 member name isp2 verbose
Group name                  : linkgroup1
Member name                 : isp2
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 8000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max threshold      : 100%
Weight                      : 90
Priority                    : 8
NAT ID                      : 3
Pat                         : Yes
Member instance ID          : 1
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
# Simulate an enterprise user to access a website, and then view related information about link instances isp1 and isp2 on the SPU. You can view the packet statistics about isp1 and isp2. The ratio of packets about isp1 and isp2 is 1:3, indicating that user packets are load balanced on ISP1 and ISP2 according to the link weight and load balancing in WRR mode is implemented.
[SPU] display load-balance group name linkgroup1 member name isp1 verbose
[SPU] display load-balance group name linkgroup1 member name isp2 verbose
----End
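The 1:3 packet split observed in the previous step follows from the configured weights 30 and 90 alone, and the same scheduler also explains what happens when probe1 marks a link down or a link reaches its conn-limit max. The Python below is an added example, not the SPU's scheduler or any code from this guide. It uses the smooth weighted round-robin algorithm as an assumed stand-in for the SPU's WRR implementation, treats a link whose status is down or whose connection limit is reached as ineligible (the page describes these limits but not how the scheduler reacts to them), and the small connection limit in the demo is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    """One link instance of a link group, as configured with load-balance member."""
    name: str
    weight: int
    status: str = "up"                # "down" once the probe reports failure
    conn_limit: Optional[int] = None  # conn-limit max; None = unlimited
    cur_connections: int = 0


class SmoothWrr:
    """Smooth weighted round robin: over sum(weights) picks each eligible link is
    chosen exactly `weight` times, interleaved rather than in bursts (assumed algorithm)."""

    def __init__(self, links: List[Link]) -> None:
        self.links = links
        self.current = {l.name: 0 for l in links}

    def eligible(self) -> List[Link]:
        return [l for l in self.links
                if l.status == "up"
                and (l.conn_limit is None or l.cur_connections < l.conn_limit)]

    def pick(self) -> Optional[Link]:
        cands = self.eligible()
        if not cands:
            return None                 # every link down or full
        total = sum(l.weight for l in cands)
        for l in cands:
            self.current[l.name] += l.weight
        best = max(cands, key=lambda l: self.current[l.name])
        self.current[best.name] -= total
        best.cur_connections += 1       # model one new connection on that link
        return best


def distribute(sched: SmoothWrr, n: int) -> Dict[str, int]:
    """Count how many of `n` new connections land on each link."""
    counts: Dict[str, int] = {}
    for _ in range(n):
        link = sched.pick()
        if link is None:
            break
        counts[link.name] = counts.get(link.name, 0) + 1
    return counts


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed run: the page's weights 30 and 90, then a probe failure, then a full link."""
    out: Dict[str, Dict[str, int]] = {}
    isp1, isp2 = Link("isp1", 30), Link("isp2", 90)
    out["weighted"] = distribute(SmoothWrr([isp1, isp2]), 120)   # expect 30 : 90, i.e. 1:3
    isp1.status = "down"                                         # probe1 reports ISP1 unreachable
    out["isp1_down"] = distribute(SmoothWrr([isp1, isp2]), 40)   # everything moves to isp2
    a, b = Link("isp1", 30, conn_limit=3), Link("isp2", 90)
    out["isp1_full"] = distribute(SmoothWrr([a, b]), 40)         # isp1 takes 3, then drops out
    return out


if __name__ == "__main__":
    for scenario, counts in demo().items():
        print(scenario, counts)
```

The counters in the `display load-balance group ... verbose` output (Cur-connection against Max connection, Status) are the values this model keys on; comparing the observed packet ratio with the ratio the weights predict is a quick way to confirm that the WRR configuration, and not a probe failure or a limit, is driving the distribution.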
Configuration Files
interface XGigabitEthernet0/0/1.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 30.30.30.2 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 3
#
load-balance probe probe1 icmp
 interval 20
 fail-interval 20
#
load-balance member isp1
 ip address 20.20.20.1
 weight 30
 conn-limit max 10000
 rate-limit connection 1500
 rate-limit bandwidth inbound 100 threshold 80
 rate-limit bandwidth outbound 100 threshold 80
#
load-balance member isp2
 ip address 30.30.30.1
 weight 90
 conn-limit max 20000
 rate-limit connection 3000
 rate-limit bandwidth inbound 300 threshold 80
 rate-limit bandwidth outbound 300 threshold 80
#
load-balance group linkgroup1
 forward-mode redirect
 member isp1
  inservice
 member isp2
  inservice
 probe probe1
#
load-balance action act1
 group linkgroup1
#
load-balance l7classifier l7cls1
 match any
#
load-balance ip interface XGigabitEthernet0/0/1.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return
7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode
This section describes how to configure Layer 3 server load balancing in DMAC mode to improve service processing capabilities of servers.
Networking Requirements
As shown in Figure 7-9, an internal network user accesses servers on the external network. Four servers form one server group, which provides a service on port 80 through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.200:80, and the addresses of Server A, Server B, Server C, and Server D are 20.20.20.1:80, 20.20.20.2:4002, 20.20.20.3:80, and 20.20.20.4:8080. The processing capabilities (CPU, memory, and performance) of the servers differ. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:
- The server with greater processing capabilities receives more service requests.
- Switch B returns the response packets of the servers to users.
- After a master server fails, the load balancing device randomly selects an available server from the backup servers.
Switch B is connected to GE 3/0/0 and GE 3/0/1 of Switch A, and the SPU is installed in slot 5 of Switch A. The destination IP address of the external network that the user wants to access is 60.60.60.1/24.
Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode
[Figure: Host 10.10.10.2/24 - Switch A (SPU in slot 5, connected through XGE5/0/0 and XGE5/0/1) - Switch B - Server A 20.20.20.1:80, Server B 20.20.20.2:4002, Server C 20.20.20.3:80, Server D 20.20.20.4:8080]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure four load balancing members corresponding to the four real servers.
3. Configure a probe to detect the health status of the four servers.
4. Configure a server group and bind the four members to it.
5. Configure a Layer 7 classifier.
6. Configure a load balancing action profile.
7. Configure an advanced ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to a sub-interface.
Data Preparation
To complete the configuration, you need the following data:
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to the Layer 3 classifier
- Name of the load balancing policy and the interface where the load balancing policy is applied
Procedure
Step 1 Configure traffic importing on SwitchA.
1. Import traffic to the SPU on SwitchA.
<Switch> system-view
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 13
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit
2. Configure the Eth-Trunk sub-interfaces on the SPU.
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 20.20.20.5 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] quit
Step 2 Configure servers. # Create servers servera, serverb, serverc, and serverd and configure them to communicate with real servers, that is, Server A, Server B, Server C, and Server D.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 20.20.20.1
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 20.20.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 20.20.20.3
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 20.20.20.4
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit
Step 3 Configure health detection. # Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of probing packets of a probe.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface eth-trunk 0.2
# Create the TCP probe named probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.
[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit
Step 4 Configure a server group. # Create the server group named servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DMAC, and adopt the WRR algorithm.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dmac
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] failaction reassign
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit
# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit
Step 6 Configure a load balancing action profile. # Create the load balancing action profile named act1 and set the action to load balance in servergroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit
Step 7 Configure an ACL.
# Create ACL 3000 to permit packets whose destination address is in 20.20.20.0/24, the network segment that contains the virtual IP address 20.20.20.200. Note that the wildcard 0.0.0.255 matches every destination in that segment, including the real server addresses 20.20.20.1 to 20.20.20.4, so traffic addressed directly to a real server is also redirected by the policy. To redirect only traffic destined for the virtual IP address, use a host rule instead, for example rule permit ip destination 20.20.20.200 0.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit
Step 8 Configure a Layer 3 classifier.
# Create the Layer 3 classifier named l3cls1, set its matching rule to ACL 3000, and bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit
Step 9 Configure a load balancing policy. # Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit
Step 10 Apply the load balancing policy. # Apply the load balancing policy to Eth-Trunk 0.12 of SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit
Step 11 Verify the configuration.
# View the configuration of each member.
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description :
IP : 20.20.20.3
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverd
Member name : serverd
Description :
IP : 20.20.20.4
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
Backup member instance name : serverc
[SPU] display load-balance group name servergroup1 member name serverb
Group name : servergroup1
Member name : serverb
Inservice type : inservice
Port :
Max connection : 4000000
Max connection rate :
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 60
Priority : 8
NAT ID :
Pat :
Backup member instance name : serverd
[SPU] display load-balance group name servergroup1 member name serverc
Group name : servergroup1
Member name : serverc
Inservice type : inservice standby
Port :
Max connection : 4000000
Max connection rate :
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 40
Priority : 8
NAT ID :
Pat :
[SPU] display load-balance group name servergroup1 member name serverd
Group name : servergroup1
Member name : serverd
Inservice type : inservice standby
Port :
Max connection : 4000000
Max connection rate :
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 20
Priority : 8
NAT ID :
Pat : -
# Simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.200, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet counters of the server instances servera and serverb grow in the ratio 4:3, which matches their weights (80 and 60), indicating that user packets are load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.200 again, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet counters of serverb and serverc now grow while the counter of servera does not, indicating that user packets are switched to Server C, the backup of Server A, after Server A fails.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
----End
Configuration Files
7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 3 server load balancing in DNAT mode to improve the service processing capabilities of servers.
Networking Requirements
As shown in Figure 7-10, a user accesses servers. Four servers form two server groups, and the load balancing groups provide a service on port 80 through a virtual IP address. The user IP address is 10.10.10.2 and the virtual IP address is 20.20.20.2:80. Server A (10.10.50.2:80) and Server B (10.10.20.2:4002) form one server group; Server C (10.10.30.2:80) and Server D (10.10.40.2:8080) form the other. The processing capabilities (CPU, memory, and performance) of the servers differ. The requirements are as follows:
- The server with greater processing capabilities receives more service requests.
- The return traffic of the servers passes through the load balancing device.
- Services are switched automatically between the master server group and the backup server group so that network access continues to succeed.
The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode
[Figure: Host 10.10.10.2/24 - Internet - Switch (GE 3/0/0 to the Internet, SPU in slot 5, GE 3/0/1 to GE 3/0/4 to the servers) - Server A 10.10.50.2:80, Server B 10.10.20.2:4002, Server C 10.10.30.2:80, Server D 10.10.40.2:8080]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four load balancing members corresponding to the four real servers.
4. Configure a probe to detect the health status of the members of the two server groups.
5. Configure the master and backup server groups and bind the four members to them.
6. Configure a Layer 7 classifier.
7. Configure the load balancing action profile and specify the master and backup server groups.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.
Data Preparation
To complete the configuration, you need the following data:
- Network segment and index of the NAT address pool
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group names, load balancing algorithm, and forwarding mode
- Name and matching rule of the Layer 7 classifier
- Load balancing action profile name, action, and master and backup server groups
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to the Layer 3 classifier
- Name of the load balancing policy and the interface where the load balancing policy is applied
Procedure
Step 1 Configure traffic importing on the Switch. 1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit
2. On the SPU, configure the NAT address pool and the Eth-Trunk sub-interfaces that terminate the VLANs.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.16] quit
Step 2 Configure servers. # Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with Server A, Server B, Server C, and Server D.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit
Step 3 Configure health detection. # Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of probing packets of a probe.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2
# Create the TCP probe named probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.
[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit
Step 4 Configure server groups.
# Create the server groups servergroup1 and servergroup2. Bind servera and serverb to servergroup1 and serverc and serverd to servergroup2, bind both groups to probe1, set the forwarding mode of both groups to DNAT, and use the WRR algorithm. On servergroup1, the master group, also set the switch threshold and the restore threshold to 80% so that traffic can be switched to the backup group and back.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] switch-threshold 80 restore-threshold 80
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] quit
[SPU] load-balance group servergroup2
[SPU-lb-group-servergroup2] forward-mode dnat
[SPU-lb-group-servergroup2] load-balance method roundrobin
[SPU-lb-group-servergroup2] probe probe1
[SPU-lb-group-servergroup2] member serverc
[SPU-lb-group-servergroup2-member-serverc] member port 80
[SPU-lb-group-servergroup2-member-serverc] inservice
[SPU-lb-group-servergroup2-member-serverc] quit
[SPU-lb-group-servergroup2] member serverd
[SPU-lb-group-servergroup2-member-serverd] member port 8080
[SPU-lb-group-servergroup2-member-serverd] inservice
[SPU-lb-group-servergroup2-member-serverd] quit
[SPU-lb-group-servergroup2] quit
7-76
Issue 02 (2010-07-15)
Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit
Step 6 Configure a load balancing action profile.
# Create the load balancing action profile named act1, with servergroup1 as the master server group and servergroup2 as the backup server group.
[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1 backup servergroup2
[SPU-lb-action-act1] quit
Step 7 Configure an ACL.
# Create ACL 3000 to permit packets whose destination address is in 20.20.20.0/24, the network segment that contains the virtual IP address 20.20.20.2. Note that the wildcard 0.0.0.255 matches every destination in that segment, not only the virtual IP address; to redirect only traffic destined for the virtual IP address, use a host rule instead, for example rule permit ip destination 20.20.20.2 0.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit
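The ACL rule used in Step 7 of both the DMAC and the DNAT example, rule permit ip destination 20.20.20.1 0.0.0.255, selects far more than the virtual IP address. The following Python script is an added example and not code from the Huawei guide; it implements the wildcard-mask matching that Huawei advanced ACLs use (a set wildcard bit means "do not care") and compares the rule as written with a host rule. The candidate address list and all function names are this example's own.

```python
# Added example, not from the Huawei guide: Huawei advanced-ACL wildcard matching,
# used to show what "rule permit ip destination 20.20.20.1 0.0.0.255" (Step 7 of the
# DMAC and DNAT examples) really selects compared with a host rule. The function
# names and the candidate address list are this example's own.
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_to_int(wildcard: str) -> int:
    # A set bit in the wildcard means "don't care"; Huawei accepts the shorthand
    # "0" for 0.0.0.0, i.e. an exact host match.
    return _to_int("0.0.0.0" if wildcard == "0" else wildcard)


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr matches the rule address under the wildcard mask."""
    care = ~wildcard_to_int(wildcard) & 0xFFFFFFFF   # bits that must be equal
    return (_to_int(addr) & care) == (_to_int(rule_addr) & care)


def covered_hosts(wildcard: str) -> int:
    """How many distinct addresses a rule with this wildcard can match."""
    return 2 ** bin(wildcard_to_int(wildcard)).count("1")


def matched(rule_addr: str, wildcard: str, candidates):
    """Subset of candidates that the rule would redirect to the load balancer."""
    return [c for c in candidates if wildcard_match(c, rule_addr, wildcard)]


# Constructed destinations: the DNAT example's VIP 20.20.20.2, three other hosts in
# the same /24 and one host outside it.
CANDIDATES = ["20.20.20.2", "20.20.20.1", "20.20.20.200", "20.20.20.254", "20.20.21.2"]

# The rule as written in the guide: every destination in 20.20.20.0/24 is matched.
BROAD = matched("20.20.20.1", "0.0.0.255", CANDIDATES)
# A host rule: only traffic for the virtual IP address is matched.
EXACT = matched("20.20.20.2", "0", CANDIDATES)

if __name__ == "__main__":
    print(BROAD, covered_hosts("0.0.0.255"))   # four matches out of 256 possible
    print(EXACT, covered_hosts("0"))           # one match, one possible
```

The broad rule makes the load balancing policy apply to 256 destinations, the host rule to exactly one; in the DMAC example the broad form also catches traffic sent directly to the real servers 20.20.20.1 to 20.20.20.4.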
Step 8 Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, set its matching rule to ACL 3000, bind it to l7cls1 and act1, and apply source NAT with address pool 2 to the matched traffic. The servers then see a pool address as the source of each connection and send their responses to it, so the return traffic passes through the SPU, as the networking requirements demand.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit
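DNAT forwarding (Step 4) together with the source NAT applied in Step 8 rewrites both ends of each connection. The following Python model is an added example and not code from the Huawei guide; it traces one client connection through those rewrites and back, using the example's virtual IP address, member addresses and NAT pool. How a pool address and port are chosen for a flow, and all class and function names, are this example's own assumptions rather than the SPU's documented behaviour; member selection is fixed to serverb so that the translations stay in focus.

```python
# Added example, not code from the Huawei guide: header rewriting in DNAT mode with
# source NAT from "nat address-group 2". Addresses, ports and the pool are the
# guide's values; the pool allocation scheme and the class/function names are this
# example's own assumptions.
import itertools
from dataclasses import dataclass

VIP = ("20.20.20.2", 80)
MEMBERS = {"servera": ("10.10.50.2", 80), "serverb": ("10.10.20.2", 4002)}
SNAT_POOL = ["100.100.100.%d" % i for i in range(2, 201)]  # 100.100.100.2-200


@dataclass(frozen=True)
class Flow:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class DnatTable:
    """Per-connection translation state held by the load balancer."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.reverse = {}  # flow as the server's reply looks -> original client flow
        self._addr = itertools.cycle(SNAT_POOL)  # assumed: round robin over the pool
        self._port = itertools.count(10000)      # assumed: sequential source ports

    def outbound(self, client: tuple, member: str) -> Flow:
        """Client -> VIP packet: DNAT the destination to the chosen member's real
        address and port; with "nat outbound", also SNAT the source to the pool."""
        real = MEMBERS[member]
        src = (next(self._addr), next(self._port)) if self.snat else client
        translated = Flow(src, real)
        self.reverse[Flow(real, src)] = Flow(client, VIP)
        return translated

    def inbound(self, reply: Flow):
        """Server -> load balancer reply: undo both translations so the client sees
        the VIP as the source. Returns None for a reply that matches no connection."""
        original = self.reverse.get(reply)
        if original is None:
            return None
        return Flow(original.dst, original.src)


def trace(snat: bool):
    """One connection from 10.10.10.2 to the VIP, dispatched to serverb.
    Returns the packet as the server receives it and the reply as the client
    receives it."""
    table = DnatTable(snat)
    client = ("10.10.10.2", 40000)
    to_server = table.outbound(client, "serverb")
    reply = Flow(to_server.dst, to_server.src)  # what the server sends back
    return to_server, table.inbound(reply)


if __name__ == "__main__":
    print(trace(snat=True))
    print(trace(snat=False))
```

With SNAT the server's reply is addressed to 100.100.100.2, an address in the SPU's own 100.100.100.0/24 segment (Eth-Trunk 0.2 is 100.100.100.201), so it necessarily returns to the SPU for reverse translation; without SNAT the reply is addressed to the client 10.10.10.2 and reaches the SPU only if the server's routing sends it there. A reply whose addresses match no table entry is dropped rather than translated.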
Step 9 Configure a load balancing policy. # Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit
Step 10 Apply the load balancing policy. # Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit
Step 11 Verify the configuration.
# View the configuration of each member.
Weight : 80
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverb
Member name : serverb
Description :
IP : 10.10.20.2
Max connection : 6000
Max connection rate : 600
Inbound max bandwidth rate : 600(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold : 80%
Weight : 60
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description :
IP : 10.10.30.2
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup2
[SPU] display load-balance member name serverd
Member name : serverd
Description :
IP : 10.10.40.2
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup2
Member instance name: servera serverb
[SPU] display load-balance group name servergroup2
Group name : servergroup2
Description :
Method : roundrobin
Forward mode : dnat
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1
Action name : act1
[SPU] display load-balance group name servergroup2 member name serverd
Group name : servergroup2
Member name : serverd
Inservice type : inservice
Port : 8080
Max connection : 4000000
Max connection rate :
Inbound max bandwidth rate : 1000000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 20
Priority : 8
NAT ID :
Pat : -
# Simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet counters of the server instances servera and serverb grow in the ratio 4:3, which matches their weights (80 and 60), indicating that user packets are served by servergroup1 and load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose
# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2 again, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet counters of the server instances serverc and serverd now grow, indicating that user packets are switched to servergroup2 after Server A of servergroup1 fails. The packets are load balanced between Server C and Server D in the 2:1 ratio of their weights (40 and 20).
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose
# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2 again, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet counters of servera and serverb increase again, whereas those of serverc and serverd do not. That is, user packets are switched back to servergroup1 after Server A recovers, and are load balanced between Server A and Server B in the 4:3 ratio of their weights.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose
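The verification steps of the link load balancing example (packet ratio 1:3 for weights 30 and 90), of the DMAC example (4:3 for weights 80 and 60, then Server C taking over the turns of Server A) and of this DNAT example (switch to servergroup2 and back) all follow from weighted round robin combined with the two backup mechanisms. The following Python model is an added example and not code from the Huawei guide. It implements WRR as smooth weighted round robin (the guide states only the resulting ratios, not the interleaving order), substitutes a member's "backup-member" for it when it is down, and reads switch-threshold and restore-threshold as "leave the master group when the share of reachable members drops below the switch threshold, return when it reaches the restore threshold"; that reading is an assumption chosen to reproduce the behaviour the verification describes, not a documented semantics. Class and function names are the example's own.

```python
# Added example, not code from the Huawei guide: a model of the member selection the
# verification steps describe. WRR is implemented as "smooth" weighted round robin
# (the nginx interleaving); the guide only states the resulting ratios, not the order.
# The switch-threshold/restore-threshold reading in Group.healthy() is an assumption
# that reproduces the DNAT verification (one of two members down triggers the switch).
from collections import Counter
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int
    up: bool = True
    backup: "Member | None" = None  # "backup-member" of the DMAC example


class Group:
    def __init__(self, name, members, switch_threshold=0, restore_threshold=0):
        self.name = name
        self.members = members
        self.switch_threshold = switch_threshold
        self.restore_threshold = restore_threshold
        self._current = {m.name: 0 for m in members}
        self.degraded = False

    def reachable(self):
        """Members that can take traffic, directly or through their standby."""
        return [m for m in self.members if m.up or (m.backup is not None and m.backup.up)]

    def healthy(self):
        """Assumed semantics: leave the group when the share of reachable members
        drops below switch-threshold, come back when it reaches restore-threshold."""
        share = 100 * len(self.reachable()) // len(self.members)
        if self.degraded and share >= self.restore_threshold:
            self.degraded = False
        elif not self.degraded and share < self.switch_threshold:
            self.degraded = True
        return not self.degraded and share > 0

    def pick(self):
        """Smooth WRR: in any window of sum(weights) picks each member is chosen
        exactly weight times, and the picks are interleaved rather than bursty."""
        cands = self.reachable()
        total = sum(m.weight for m in cands)
        for m in cands:
            self._current[m.name] += m.weight
        best = max(cands, key=lambda m: self._current[m.name])
        self._current[best.name] -= total
        # an "inservice standby" member takes over its failed master's turns
        return best if best.up else best.backup


class Action:
    """load-balance action: a master group and an optional backup group."""

    def __init__(self, master, backup=None):
        self.master, self.backup = master, backup

    def pick(self):
        for group in (self.master, self.backup):
            if group is not None and group.healthy():
                return group.pick()
        return None


def distribute(action, n):
    """Send n requests through the action; return {server name: request count}."""
    counts = Counter()
    for _ in range(n):
        chosen = action.pick()
        counts[chosen.name if chosen else "dropped"] += 1
    return dict(counts)


def link_scenario(n=120):
    """7.6.1: isp1 weight 30, isp2 weight 90, expected ratio 1:3."""
    act = Action(Group("linkgroup1", [Member("isp1", 30), Member("isp2", 90)]))
    return distribute(act, n)


def dmac_scenario(n=210):
    """7.6.2: servera/serverb masters, serverc/serverd standby; then cut Server A."""
    servera, serverb = Member("servera", 80), Member("serverb", 60)
    servera.backup, serverb.backup = Member("serverc", 40), Member("serverd", 20)
    act = Action(Group("servergroup1", [servera, serverb]))
    before = distribute(act, n)
    servera.up = False                 # link between SPU and Server A cut
    after = distribute(act, n)
    return before, after


def dnat_scenario(n=210):
    """7.6.3: servergroup1 (switch/restore threshold 80) backed by servergroup2."""
    g1 = Group("servergroup1", [Member("servera", 80), Member("serverb", 60)], 80, 80)
    g2 = Group("servergroup2", [Member("serverc", 40), Member("serverd", 20)])
    act = Action(g1, backup=g2)
    before = distribute(act, n)
    g1.members[0].up = False           # link to Server A cut
    during = distribute(act, n)
    g1.members[0].up = True            # link restored
    after = distribute(act, n)
    return before, during, after


if __name__ == "__main__":
    print(link_scenario(), dmac_scenario(), dnat_scenario())
```

The request counts come out as 30:90 for the links, 120:90 for servera and serverb, 120 for serverc once Server A is down in the DMAC case, and 140:70 for serverc and serverd while servergroup2 carries the traffic in the DNAT case, which are the ratios the verification steps describe. With one of two members reachable the master group's share is 50%, below the 80% switch threshold, and it is used again only once the share is back at 80% or more.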
----End
Configuration Files
l
Issue 02 (2010-07-15)
7-81
arp broadcast enable service load-balance arp-response nat address-group # interface Eth-Trunk0.15 control-vid 15 dot1q-termination dot1q termination vid 15 ip address 10.10.30.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface Eth-Trunk0.16 control-vid 16 dot1q-termination dot1q termination vid 16 ip address 10.10.40.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface XGigabitEthernet0/0/1 eth-trunk 0 # interface XGigabitEthernet0/0/2 eth-trunk 0 # load-balance probe probe1 tcp interval 20 fail-interval 20 send-data hello expect-data hello # load-balance member servera ip address 10.10.50.2 weight 80 conn-limit max 8000 rate-limit connection 800 rate-limit bandwidth inbound 800 threshold 80 rate-limit bandwidth outbound 800 threshold 80 # load-balance member serverb ip address 10.10.20.2 weight 60 conn-limit max 6000 rate-limit connection 600 rate-limit bandwidth inbound 600 threshold 80 rate-limit bandwidth outbound 600 threshold 80 # load-balance member serverc ip address 10.10.30.2 weight 40 conn-limit max 4000 rate-limit connection 400 rate-limit bandwidth inbound 400 threshold 80 rate-limit bandwidth outbound 400 threshold 80 # load-balance member serverd ip address 10.10.40.2 weight 20 conn-limit max 2000 rate-limit connection 200 rate-limit bandwidth inbound 200 threshold 80 rate-limit bandwidth outbound 200 threshold 80 # load-balance group servergroup1 switch-threshold 80 restore-threshold 80 forward-mode dnat member servera member port 80 inservice member serverb member port 4002
7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode
This example describes how to configure Layer 7 server load balancing in DNAT mode to improve service processing capabilities of servers.
Networking Requirements
As shown in Figure 7-11, a user accesses servers. There are four servers, which constitute a server group. The load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses of the four servers are 192.168.20.1:80, 192.168.20.2:4002, 192.168.20.3:80, and 192.168.20.4:8080. The processing capabilities of each server such as the CPU, memory, and performance are different. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:
- The server with greater processing capabilities receives more service requests.
- The return traffic of servers passes through the load balancing device.
- After the master server fails, the load balancing device randomly selects an available server from backup servers.
The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode (nodes shown: Host 10.10.10.2/24, Internet, ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure an NAT address pool.
3. Configure four servers to communicate with four real servers.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the load balancing group to the four load balancing members.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.
Data Preparation
To complete the configuration, you need the following data:
- Network segment and index of the NAT address pool
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and related parameters of the sticky group
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name and matching rule of the Layer 3 classifier
- Name of the load balancing policy and interface where the load balancing policy is applied
Procedure
Step 1 Configure traffic importing on the Switch.
1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit
2.
3.
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.16] quit
Step 2 Configure servers.
# Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with ServerA, ServerB, ServerC, and ServerD.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit
Step 3 Configure health detection.
# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use this interface to supply the source IP address of the probing packets sent by a probe.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2
# Create the HTTP probe probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.
[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit
Step 4 Configure a server group.
# Create the server group servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DNAT, and adopt the hash algorithm based on the HTTP URL.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit
# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit
Step 5 Configure a Layer 7 classifier.
# Create the Layer 7 classifier named l7cls1 and configure the matching rule to match request packets with the URL being slbha[w|W](.*).
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit
Step 6 Configure a load balancing action profile.
# Create the load balancing action profile act1 and set the action to load balance in servergroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit
Step 7 Configure an ACL.
# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.1/24 to pass through.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit
Step 8 Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit
Step 9 Configure a load balancing policy.
# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit
Step 10 Apply the load balancing policy.
# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit
[SPU] display load-balance group name servergroup1 member name serverb verbose
Group name                  : servergroup1
Member name                 : serverb
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 60
Priority                    : 8
NAT ID                      : -
Pat                         :
Backup member instance name : serverd
Member instance ID          : 1
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
Group name                  : servergroup1
Member name                 : serverc
Inservice type              : inservice standby
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 40
Priority                    : 8
NAT ID                      : -
Pat                         :
Member instance ID          : 2
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverd verbose
Group name                  : servergroup1
Member name                 : serverd
Inservice type              : inservice standby
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 20
Priority                    : 8
NAT ID                      : -
Pat                         :
Member instance ID          : 3
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
# Simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and are load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to Server C after Server A is faulty.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
----End
Configuration Files
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance member servera
 ip address 192.168.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 192.168.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 192.168.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 192.168.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 forward-mode dnat
 member servera
  backup-member serverc
  inservice
 member serverb
  backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance action act1
 group servergroup1
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
Networking Requirements
As shown in Figure 7-12, a user accesses servers. There are four servers, which constitute a server group. The load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses of the four servers are 192.168.20.1:80, 192.168.20.2:4002, 192.168.20.3:80, and 192.168.20.4:8080. The processing capabilities of each server such as the CPU, memory, and performance are different. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:
- The server with greater processing capabilities receives more service requests.
- The return traffic of servers passes through the load balancing device.
- After the master server fails, the load balancing device randomly selects an available server from backup servers.
The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.
Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode (nodes shown: Host 10.10.10.2/24, Internet, ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure an NAT address pool.
3. Configure four servers to communicate with four real servers.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the load balancing group to the four load balancing members.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.
Data Preparation
To complete the configuration, you need the following data:
- Network segment and index of the NAT address pool
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and related parameters of the sticky group
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name and matching rule of the Layer 3 classifier
- Name of the load balancing policy and interface where the load balancing policy is applied
Procedure
Step 1 Configure traffic importing on the Switch.
1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit
2.
3.
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.16] quit
Step 2 Configure servers.
# Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with ServerA, ServerB, ServerC, and ServerD.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit
Step 3 Configure health detection.
# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use this interface to supply the source IP address of the probing packets sent by a probe.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2
# Create the HTTP probe probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.
[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit
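The probe configured above (probe1 here, and the identical probe1 in Step 3 of the preceding 7.6.4 example) can be read as a small state machine: send a HEAD request for index.html with the configured credentials and header, count a reply that arrives within time-out and carries a status code inside the configured range as success, and probe again after interval or, once a probe has failed, after fail-interval. The Python below is an added example that models that logic; it is not Huawei code and does not talk to an SPU. The local HTTP server, the member-health record and the probe helper are constructed for this example and are assumptions, not something the page defines.

```python
"""HTTP health probe with the semantics of probe1 (Step 3): HEAD index.html
with basic-auth credentials and an Accept-Charset header; the member is up
when a reply arrives within time-out and its status code lies in
[min, max]; the next probe follows after interval, or after fail-interval
once a probe has failed.  Added example, not Huawei code.  The local HTTP
server below stands in for a real server and is constructed for the run."""
import base64
import http.client
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass(frozen=True)
class HttpProbe:
    time_out: int = 10            # seconds to wait for the reply
    interval: int = 20            # seconds between probes while the member is up
    fail_interval: int = 20       # seconds between probes after a failure
    user: str = "admin"
    password: str = "admin"
    header_name: str = "Accept-Charset"
    header_value: str = "iso-8859-5"
    method: str = "HEAD"
    url: str = "index.html"
    min_status: int = 0
    max_status: int = 299


PROBE1 = HttpProbe()   # the defaults are the values configured in this example


def probe_once(cfg: HttpProbe, host: str, port: int) -> bool:
    """One probe transaction.  A refused connection, a timeout or a broken
    reply counts as a failure, just like an out-of-range status code."""
    creds = base64.b64encode(f"{cfg.user}:{cfg.password}".encode()).decode()
    headers = {cfg.header_name: cfg.header_value, "Authorization": "Basic " + creds}
    conn = http.client.HTTPConnection(host, port, timeout=cfg.time_out)
    try:
        conn.request(cfg.method, "/" + cfg.url, headers=headers)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()
    return cfg.min_status <= status <= cfg.max_status


@dataclass
class MemberHealth:
    up: bool = True
    next_probe_in: int = 0        # seconds until the next probe is sent


def record_result(state: MemberHealth, ok: bool, cfg: HttpProbe) -> MemberHealth:
    """Apply one probe result: status follows the result; the delay before
    the next probe is interval on success and fail-interval on failure."""
    state.up = ok
    state.next_probe_in = cfg.interval if ok else cfg.fail_interval
    return state


# Constructed stand-in for a real server: answers HEAD /index.html with 200
# when the probe's credentials are admin:admin, 401 otherwise, 404 elsewhere.
class _MemberHandler(BaseHTTPRequestHandler):
    EXPECTED_AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_HEAD(self) -> None:
        if self.headers.get("Authorization") != self.EXPECTED_AUTH:
            code = 401
        elif self.path == "/index.html":
            code = 200
        else:
            code = 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args) -> None:   # keep the run quiet
        pass


def start_member_server():
    """Start the stand-in member on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _MemberHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_member_server()
    health = MemberHealth()
    try:
        for cfg in (PROBE1, HttpProbe(url="gone.html"), HttpProbe(password="wrong")):
            ok = probe_once(cfg, "127.0.0.1", port)
            record_result(health, ok, cfg)
            print(f"{cfg.method} /{cfg.url} as {cfg.user}: up={health.up}, "
                  f"next probe in {health.next_probe_in}s")
    finally:
        srv.shutdown()
        srv.server_close()
```

Running the block starts the constructed member on a loopback port, probes it with the configured values, then with a missing page and with wrong credentials, and prints the resulting status and next-probe delay. Note that the configuration file at the end of this example stores the probe credentials (user admin password admin) in clear text, so the account used for probing is best one whose only purpose is to answer that HEAD request.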
Step 4 Configure a server group.
# Create the server group servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DNAT, and adopt the hash algorithm based on the HTTP URL.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit
# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit
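Steps 2 and 4 together define how servergroup1 spreads requests, here and in the preceding 7.6.4 example: servera and serverb are the in-service masters with weights 80 and 60, serverc and serverd are standby backups that stand in for their master while the probe marks it down, and the verification at the end of the example expects a 4:3 packet split between servera and serverb, a switch to serverc while Server A is unreachable, and a switch back once the link is recovered. The Python below is an added model of that behaviour, not Huawei code: the SPU's scheduler is not published on this page, so the block uses smooth weighted round robin, and it assumes that a backup inherits its master's weight while standing in. Member names, addresses, ports and weights are the ones configured above.

```python
"""Model of servergroup1 (Steps 2 and 4): weighted round robin across the
in-service masters, with each master's backup member taking over its share
while the master is down.  Added illustration, not Huawei code; the real
SPU scheduler is not published here.  Assumptions are marked in comments."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    ip: str
    port: int
    weight: int
    backup: Optional[str] = None   # "backup-member" in the group configuration
    standby: bool = False          # "inservice standby": never scheduled directly
    up: bool = True                # current probe result
    packets: int = 0               # corresponds to "Inbound packets" in display output


class ServerGroup:
    """Smooth weighted round robin (the nginx variant) over the masters.
    Assumption: a backup inherits the master's slot and weight while the
    master is down, so the split seen by the user does not change."""

    def __init__(self, members: List[Member]) -> None:
        self.members: Dict[str, Member] = {m.name: m for m in members}
        self._current: Dict[str, int] = {m.name: 0 for m in members}

    def _serving(self, master: Member) -> Optional[Member]:
        """Who answers for this master right now: the master itself if its
        probe is up, else its backup if that is up, else nobody."""
        if master.up:
            return master
        if master.backup is not None and self.members[master.backup].up:
            return self.members[master.backup]
        return None

    def select(self) -> Optional[Member]:
        masters = [m for m in self.members.values()
                   if not m.standby and self._serving(m) is not None]
        if not masters:
            return None
        total = sum(m.weight for m in masters)
        for m in masters:
            self._current[m.name] += m.weight
        chosen = max(masters, key=lambda m: self._current[m.name])
        self._current[chosen.name] -= total
        target = self._serving(chosen)
        target.packets += 1
        return target

    def dispatch(self, n: int) -> Counter:
        """Send n requests and return how many each real member received."""
        seen: Counter = Counter()
        for _ in range(n):
            t = self.select()
            seen[t.name if t is not None else "dropped"] += 1
        return seen


def build_servergroup1() -> ServerGroup:
    """Members exactly as configured in Steps 2 and 4 of this example."""
    return ServerGroup([
        Member("servera", "10.10.50.2", 80, 80, backup="serverc"),
        Member("serverb", "10.10.20.2", 4002, 60, backup="serverd"),
        Member("serverc", "10.10.30.2", 80, 40, standby=True),
        Member("serverd", "10.10.40.2", 8080, 20, standby=True),
    ])


if __name__ == "__main__":
    g = build_servergroup1()
    print("both masters up:", g.dispatch(140))   # servera 80 : serverb 60 = 4:3
    g.members["servera"].up = False               # link to Server A cut
    print("servera down:   ", g.dispatch(140))   # serverc takes servera's share
    g.members["servera"].up = True                # link recovered
    print("servera back:   ", g.dispatch(140))   # traffic returns to servera
```

With 140 requests (the sum of the two master weights) the counts come out exactly 80 and 60, which is the 4:3 ratio the verification step quotes; cutting servera moves its whole share to serverc and leaves serverb untouched, and restoring it moves the share back, matching the three display checks at the end of the example.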
Step 5 Configure session stickiness.
# Create the sticky group named stickygroup1, configure a static sticky entry, and perform stickiness for the destination IP address.
[SPU] load-balance stickygroup stickygroup1 mask 255.255.255.0 destination-ip
[SPU-lb-stickygroup-stickygroup1] group servergroup1
[SPU-lb-stickygroup-stickygroup1] static client destination 20.20.20.2 member servera
[SPU-lb-stickygroup-stickygroup1] quit
Step 6 Configure a Layer 7 classifier.
# Create the Layer 7 classifier named l7cls1 and configure the matching rule to match request packets with the URL being slbha[w|W](.*).
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit
Step 7 Configure a load balancing action profile.
# Create the load balancing action profile act1 and set the action to load balance in servergroup1 through the sticky group stickygroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] stickygroup stickygroup1
[SPU-lb-action-act1] quit
Step 8 Configure an ACL.
# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.1/24 to pass through.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit
Step 9 Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit
Step 10 Configure a load balancing policy.
# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit
Step 11 Apply the load balancing policy.
# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
[SPU] display load-balance group name servergroup1 member name serverb verbose
Group name                  : servergroup1
Member name                 : serverb
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 60
Priority                    : 8
NAT ID                      : -
Pat                         :
Backup member instance name : serverd
Member instance ID          : 1
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
Group name                  : servergroup1
Member name                 : serverc
Inservice type              : inservice standby
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 40
Priority                    : 8
NAT ID                      : -
Pat                         :
Member instance ID          : 2
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverd verbose
Group name                  :
Member name                 :
Inservice type              :
Port                        :
# Simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and are load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to Server C after Server A is faulty.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can see that the packet statistics of the server instance servera increase, indicating that Server A provides services again when the user accesses 20.20.20.2. Session stickiness is implemented.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
----End
Configuration Files
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance member servera
 ip address 192.168.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 192.168.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 192.168.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 192.168.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 forward-mode dnat
 member servera backup-member serverc
  inservice
 member serverb backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance stickygroup stickygroup1 mask 24 destination-ip
 group servergroup1
 static client destination 20.20.20.2 member servera
#
load-balance action act1
 stickygroup stickygroup1
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return
Networking Requirements
As shown in Figure 7-13, the user accesses the server through FWA and FWB (FWA and FWB are the two SPUs on SwitchB). FWA and FWB constitute a firewall group to provide external services. The IP address and VIP of the user are 20.20.20.3/24 and 3.3.3.3:80; the firewalls whose IP addresses are 7.7.61.2/24 and 10.10.61.2/24 constitute a firewall group. The processing capabilities of each firewall including the CPU usage, memory usage, and performance are different. The requirements are as follows:
- The firewall with greater processing capabilities receives more service requests.
- Any traffic received through one firewall is sent back through the same firewall.
[Figure 7-13 Networking diagram: Host 20.20.20.3/24 reaches the IP network through SwitchA; SwitchB carries FWA and FWB (VIP 3.3.3.3:80) in front of ServerA and ServerB. Interface labels in the figure: SwitchA GE1/0/25, GE1/0/26, GE1/0/27, GE1/0/22, GE1/0/28, XGE0/0/1, XGE0/0/2; SwitchB GE4/0/6, GE4/0/7, GE4/0/2, XGE5/0/0, XGE5/0/1.]
Configuration Roadmap
The configuration roadmap is as follows:
- SwitchA (level-1 load balancing device)
  1. Configure traffic importing.
  2. Configure two firewalls to communicate with two real firewalls.
  3. Configure a firewall group, including DMAC and bundle of the preceding two firewalls.
  4. Configure a Layer 7 classifier.
  5. Configure a load balancing action profile and bind it to the firewall group.
  6. Configure an advanced ACL.
  7. Configure a Layer 3 classifier.
  8. Configure a load balancing policy.
  9. Apply the load balancing policy to a sub-interface.
- SwitchB (FWA and FWB)
  1. Import traffic to the firewall.
  2. Configure security zones and interzone.
  3. Add sub-interfaces to security zones.
- SwitchC
  1. Configure traffic importing.
  2. Configure a NAT address pool.
  3. Configure two servers to communicate with two real servers.
  4. Configure a server group and bind it to the two servers.
  5. Configure a Layer 7 classifier.
  6. Configure a load balancing action profile and specify an action.
  7. Configure an advanced ACL.
  8. Configure a Layer 3 classifier.
  9. Configure a load balancing policy.
  10. Apply the load balancing policy to a sub-interface and enable MAC address stickiness.
Data Preparation
To complete the configuration, you need the following data:
- Firewall names
- Firewall group name and forwarding mode
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to the Layer 3 classifier
- Name of the load balancing policy and the interface where the load balancing policy is applied
- Security zone names
- Interfaces to which the security zones are applied
- Network segment and index of the NAT address pool
- Server names
- Server group name and forwarding mode
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to the Layer 3 classifier
- Name of the load balancing policy and the interface where the load balancing policy is applied
Procedure
- Configure SwitchA.
  1. Configure traffic importing on SwitchA.
  (1) Import traffic to the SPU on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 400 600 700
[SwitchA] interface Eth-Trunk 0
[SwitchA-Eth-Trunk0] port link-type trunk
[SwitchA-Eth-Trunk0] port trunk allow-pass vlan 400 600 700
[SwitchA-Eth-Trunk0] quit
[SwitchA] interface GigabitEthernet1/0/25
  2. Configure the firewall on the SPU of SwitchA.
# Create firewalls s11 and s21 and configure them to communicate with the real firewalls s11 and s21.
[SPU] load-balance member s11
[SPU-lb-member-s11] ip address 7.7.61.2
[SPU-lb-member-s11] weight 15
[SPU-lb-member-s11] priority 15
[SPU-lb-member-s11] quit
[SPU] load-balance member s21
[SPU-lb-member-s21] ip address 10.10.61.2
[SPU-lb-member-s21] weight 30
[SPU-lb-member-s21] priority 15
[SPU-lb-member-s21] quit
  3. Configure a firewall group.
# Create the firewall group sg11, bind sg11 to firewalls s11 and s21, and set the forwarding mode to DMAC.
[SPU] load-balance group sg11
[SPU-lb-group-sg11] forward-mode dmac
[SPU-lb-group-sg11] member s11
[SPU-lb-group-sg11-member-s11] inservice
[SPU-lb-group-sg11-member-s11] quit
[SPU-lb-group-sg11] member s21
[SPU-lb-group-sg11-member-s21] inservice
[SPU-lb-group-sg11-member-s21] quit
[SPU-lb-group-sg11] quit
  4. Configure a Layer 7 classifier.
# Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
[SPU] load-balance l7classifier l7cls1 and
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit
  5. Configure a load balancing action profile.
# Create the load balancing action profile act1 and set the action to load balancing in sg11.
[SPU] load-balance action act1
[SPU-lb-action-act1] group sg11
[SPU-lb-action-act1] quit
  6. Configure an ACL.
# Create ACL 3005 to permit the packets whose destination IP address (the VIP) is in 3.3.3.3/24.
[SPU] acl number 3005
[SPU-acl-adv-3005] rule permit ip destination 3.3.3.3 0.0.0.255
[SPU-acl-adv-3005] quit
  7. Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3005, and bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3005
[SPU-lb-l3classifier-l3cls1] quit
  8. Configure a load balancing policy.
# Create the load balancing policy named lbp1 and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit
  9. Apply the load balancing policy.
# Apply the load balancing policy to the sub-interface of the SPU.
[SPU] interface Eth-Trunk0.5
[SPU-Eth-Trunk0.5] service load-balance policy lbp1
[SPU-Eth-Trunk0.5] quit
- Configure SwitchB.
  1. Configure traffic importing on SwitchB.
  (1) Import traffic from SwitchB to SPUA, that is, FWA. SPUA is installed in slot 8.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 600 800
[SwitchB] interface Eth-Trunk 0
[SwitchB-Eth-Trunk0] port link-type trunk
[SwitchB-Eth-Trunk0] port trunk allow-pass vlan 600 800
[SwitchB-Eth-Trunk0] quit
[SwitchB] interface GigabitEthernet4/0/6
[SwitchB-GigabitEthernet4/0/6] port link-type trunk
[SwitchB-GigabitEthernet4/0/6] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/6] port trunk allow-pass vlan 600
[SwitchB-GigabitEthernet4/0/6] quit
[SwitchB] interface GigabitEthernet4/0/2
[SwitchB-GigabitEthernet4/0/2] port link-type trunk
[SwitchB-GigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/2] port trunk allow-pass vlan 800
[SwitchB-GigabitEthernet4/0/2] quit
[SwitchB] interface XGigabitEthernet8/0/0
[SwitchB-XGigabitEthernet8/0/0] eth-Trunk 0
[SwitchB-XGigabitEthernet8/0/0] quit
[SwitchB] interface XGigabitEthernet8/0/1
[SwitchB-XGigabitEthernet8/0/1] eth-Trunk 0
[SwitchB-XGigabitEthernet8/0/1] quit
  (2) Import traffic from SwitchB to SPUB, that is, FWB. SPUB is installed in slot 11.
[SwitchB] vlan batch 700 900
[SwitchB] interface Eth-Trunk 1
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 700 900
[SwitchB-Eth-Trunk1] quit
[SwitchB] interface GigabitEthernet4/0/7
[SwitchB-GigabitEthernet4/0/7] port link-type trunk
[SwitchB-GigabitEthernet4/0/7] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/7] port trunk allow-pass vlan 700
[SwitchB-GigabitEthernet4/0/7] quit
[SwitchB] interface GigabitEthernet4/0/3
[SwitchB-GigabitEthernet4/0/3] port link-type trunk
[SwitchB-GigabitEthernet4/0/3] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/3] port trunk allow-pass vlan 900
[SwitchB-GigabitEthernet4/0/3] quit
[SwitchB] interface XGigabitEthernet11/0/0
[SwitchB-XGigabitEthernet11/0/0] eth-Trunk 1
[SwitchB-XGigabitEthernet11/0/0] quit
[SwitchB] interface XGigabitEthernet11/0/1
[SwitchB-XGigabitEthernet11/0/1] eth-Trunk 1
[SwitchB-XGigabitEthernet11/0/1] quit
(3) Add inbound and outbound interfaces to the VLAN on SPUA and configure static routes to import traffic to the SPU of SwitchC.
<Quidway> system-view
[Quidway] sysname SPUA
[SPUA] interface Eth-Trunk 0
[SPUA-Eth-Trunk0] quit
[SPUA] interface Eth-Trunk0.5
[SPUA-Eth-Trunk0.5] control-vid 600 dot1q-termination
[SPUA-Eth-Trunk0.5] dot1q termination vid 600
[SPUA-Eth-Trunk0.5] ip address 7.7.61.2 255.255.255.0
[SPUA-Eth-Trunk0.5] arp broadcast enable
[SPUA-Eth-Trunk0.5] quit
[SPUA] interface Eth-Trunk0.6
[SPUA-Eth-Trunk0.6] control-vid 800 dot1q-termination
[SPUA-Eth-Trunk0.6] dot1q termination vid 800
[SPUA-Eth-Trunk0.6] ip address 11.11.61.1 255.255.255.0
[SPUA-Eth-Trunk0.6] arp broadcast enable
[SPUA-Eth-Trunk0.6] quit
[SPUA] interface XGigabitEthernet0/0/1
[SPUA-XGigabitEthernet0/0/1] eth-Trunk 0
[SPUA-XGigabitEthernet0/0/1] quit
[SPUA] interface XGigabitEthernet0/0/2
[SPUA-XGigabitEthernet0/0/2] eth-Trunk 0
[SPUA-XGigabitEthernet0/0/2] quit
[SPUA] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
[SPUA] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1
(4) Add inbound and outbound interfaces to the VLAN on SPUB and configure static routes to import traffic to the SPU of SwitchC.
<Quidway> system-view
[Quidway] sysname SPUB
[SPUB] interface Eth-Trunk 0
[SPUB-Eth-Trunk0] quit
[SPUB] interface Eth-Trunk 0.5
[SPUB-Eth-Trunk0.5] control-vid 700 dot1q-termination
[SPUB-Eth-Trunk0.5] dot1q termination vid 700
[SPUB-Eth-Trunk0.5] ip address 10.10.61.2 255.255.255.0
[SPUB-Eth-Trunk0.5] arp broadcast enable
[SPUB-Eth-Trunk0.5] quit
[SPUB] interface Eth-Trunk 0.6
[SPUB-Eth-Trunk0.6] control-vid 900 dot1q-termination
[SPUB-Eth-Trunk0.6] dot1q termination vid 900
[SPUB-Eth-Trunk0.6] ip address 12.12.61.1 255.255.255.0
[SPUB-Eth-Trunk0.6] arp broadcast enable
[SPUB-Eth-Trunk0.6] quit
[SPUB] interface XGigabitEthernet0/0/1
[SPUB-XGigabitEthernet0/0/1] eth-Trunk 0
[SPUB-XGigabitEthernet0/0/1] quit
[SPUB] interface XGigabitEthernet0/0/2
[SPUB-XGigabitEthernet0/0/2] eth-Trunk 0
[SPUB-XGigabitEthernet0/0/2] quit
[SPUB] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
[SPUB] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1
  2. Configure firewalls on SPUA and SPUB on SwitchB.
# Configure the security zones and the interzone on SPUA.
[SPUA] firewall zone a
[SPUA-zone-a] priority 20
[SPUA-zone-a] quit
[SPUA] firewall zone b
[SPUA-zone-b] priority 50
[SPUA-zone-b] quit
[SPUA] firewall interzone b a
[SPUA-interzone-b-a] firewall enable
[SPUA-interzone-b-a] packet-filter default permit inbound
[SPUA-interzone-b-a] quit
  3. Apply security zones to sub-interfaces of SPUA and SPUB on SwitchB.
# Apply security zones to sub-interfaces of SPUA.
[SPUA] interface Eth-Trunk 0.5
[SPUA-Eth-Trunk0.5] zone a
[SPUA-Eth-Trunk0.5] quit
[SPUA] interface Eth-Trunk 0.6
[SPUA-Eth-Trunk0.6] zone b
[SPUA-Eth-Trunk0.6] quit
- Configure SwitchC.
  1. Configure traffic importing on SwitchC.
  (1) Import traffic from SwitchC to the SPU. The SPU is installed in slot 2.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 800 900 1000
[SwitchC] interface Eth-Trunk 1
[SwitchC-Eth-Trunk1] port link-type trunk
[SwitchC-Eth-Trunk1] port trunk allow-pass vlan 800 900 1000
[SwitchC-Eth-Trunk1] quit
[SwitchC] interface GigabitEthernet1/0/22
[SwitchC-GigabitEthernet1/0/22] port link-type trunk
[SwitchC-GigabitEthernet1/0/22] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/22] port trunk allow-pass vlan 800
[SwitchC-GigabitEthernet1/0/22] quit
[SwitchC] interface GigabitEthernet1/0/23
[SwitchC-GigabitEthernet1/0/23] port link-type trunk
[SwitchC-GigabitEthernet1/0/23] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/23] port trunk allow-pass vlan 900
[SwitchC-GigabitEthernet1/0/23] quit
[SwitchC] interface GigabitEthernet1/0/28
[SwitchC-GigabitEthernet1/0/28] port link-type trunk
[SwitchC-GigabitEthernet1/0/28] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/28] port trunk allow-pass vlan 1000
[SwitchC-GigabitEthernet1/0/28] quit
[SwitchC] interface XGigabitEthernet2/0/0
[SwitchC-XGigabitEthernet2/0/0] eth-Trunk 1
[SwitchC-XGigabitEthernet2/0/0] quit
[SwitchC] interface XGigabitEthernet2/0/1
[SwitchC-XGigabitEthernet2/0/1] eth-Trunk 1
[SwitchC-XGigabitEthernet2/0/1] quit
  2. Configure a NAT address pool.
  3. Configure servers.
# Create the servers s31 and s32 and configure them to communicate with the real servers s31 and s32.
[SPU] load-balance member s31
[SPU-lb-member-s31] ip address 100.100.100.8
[SPU-lb-member-s31] quit
[SPU] load-balance member s32
[SPU-lb-member-s32] ip address 100.100.100.10
[SPU-lb-member-s32] quit
  4. Configure a server group.
# Configure the server group sg31 and bind s31 and s32 to sg31.
[SPU] load-balance group sg31
[SPU-lb-group-sg31] member s31
[SPU-lb-group-sg31-member-s31] inservice
[SPU-lb-group-sg31-member-s31] quit
[SPU-lb-group-sg31] member s32
[SPU-lb-group-sg31-member-s32] inservice
[SPU-lb-group-sg31-member-s32] quit
[SPU-lb-group-sg31] quit
  5. Configure a Layer 7 classifier.
# Create the Layer 7 classifier named l7 and configure the matching rule to match request packets whose URL contains html.
[SPU] load-balance l7classifier l7 and
[SPU-lb-l7classifier-l7] rule 1 match http url html
[SPU-lb-l7classifier-l7] quit
  6. Configure a load balancing action profile.
# Create the load balancing action profile act3 and set the action to load balancing in sg31.
[SPU] load-balance action act3
[SPU-lb-action-act3] group sg31
[SPU-lb-action-act3] quit
  7. Configure an ACL.
# Create ACL 3007 to permit the packets whose destination IP address is in 3.3.3.3/24.
[SPU] acl number 3007
[SPU-acl-adv-3007] rule permit ip destination 3.3.3.3 0.0.0.255
[SPU-acl-adv-3007] quit
  8. Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3, set the matching rule to match ACL 3007, and bind l3 to l7 and act3.
[SPU] load-balance l3classifier l3
[SPU-lb-l3classifier-l3] l7classifier l7 action act3
[SPU-lb-l3classifier-l3] nat outbound address-group 2
[SPU-lb-l3classifier-l3] if-match acl 3007
[SPU-lb-l3classifier-l3] quit
  9. Configure a load balancing policy.
# Create the load balancing policy named lp and bind lp to l3.
  10. Apply the load balancing policy and enable MAC address stickiness.
# Apply the load balancing policy to the sub-interfaces of the SPU and enable MAC address stickiness.
[SPU] interface Eth-Trunk 0.8
[SPU-Eth-Trunk0.8] service load-balance policy lp
[SPU-Eth-Trunk0.8] mac-sticky enable
[SPU-Eth-Trunk0.8] quit
[SPU] interface Eth-Trunk 0.9
[SPU-Eth-Trunk0.9] service load-balance policy lp
[SPU-Eth-Trunk0.9] mac-sticky enable
[SPU-Eth-Trunk0.9] quit
Verify the configuration. # Simulate the internal network user at 20.20.20.3 to access the VIP 3.3.3.3/24 and view information about the firewall instances s11 and s21 on the SPU of SwitchC. You can find that there are packet statistics on s11 and s21 and the packet ratio is 1:2, indicating that user packets are load balanced on s11 and s21.
[SPU] display load-balance group name sg11 member name s11 verbose
[SPU] display load-balance group name sg11 member name s21 verbose
# Disable FWA, simulate the internal network user at 20.20.20.3 to access the VIP 3.3.3.3/24 and view information about firewall instances s11 and s21 on the SPU. You can find that there are only packet statistics on s21, indicating that user packets are switched to FWB after FWA is faulty.
[SPU] display load-balance group name sg11 member name s11 verbose
[SPU] display load-balance group name sg11 member name s21 verbose
----End
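The verification steps above for firewall group sg11 (weights 15:30 giving a 1:2 packet ratio) and, in the preceding example, for servergroup1 (weights 80:60 giving 4:3, failover to the backup serverc, and the sticky return to servera) are modelled in the Python below. This is an added example, not the SPU's scheduler: it assumes a smooth weighted round-robin, that a backup member is scheduled with its own configured weight while its primary is down, and that a static destination-IP sticky entry survives a member failure.

```python
"""Model of the server-group behaviour verified above: weighted round-robin (WRR)
dispatch, a backup member replacing a failed primary, and destination-IP
stickiness. Added illustration, not the SPU's own scheduler."""
from dataclasses import dataclass
from ipaddress import ip_interface

@dataclass
class Member:
    name: str
    weight: int
    up: bool = True
    standby: bool = False  # "inservice standby": scheduled only as someone's backup
    backup: str = ""       # "backup-member <name>" configured on this primary
    packets: int = 0
    score: int = 0         # running score for smooth WRR

class Group:
    """One load-balance group with an optional destination-IP stickygroup."""

    def __init__(self, members, sticky_mask=None):
        self.members = {m.name: m for m in members}
        self.sticky_mask = sticky_mask  # 24 for "stickygroup ... mask 24 destination-ip"
        self.sticky = {}                # destination network -> member name

    def _key(self, dst):
        return ip_interface(f"{dst}/{self.sticky_mask}").network

    def static_sticky(self, destination, member):
        self.sticky[self._key(destination)] = member  # "static client destination ... member ..."

    def pool(self):
        """Members eligible for WRR: primaries that are up, or the backup of a failed one."""
        out = []
        for m in self.members.values():
            if m.standby:
                continue
            if m.up:
                out.append(m)
            elif m.backup and self.members[m.backup].up:
                out.append(self.members[m.backup])  # backup takes over with its own weight
        return out

    @staticmethod
    def _wrr(pool):
        # Smooth WRR (assumed model): raise every score by its weight, take the highest,
        # charge it the total; over sum(weights) picks each member is chosen weight times.
        total = sum(m.weight for m in pool)
        for m in pool:
            m.score += m.weight
        best = max(pool, key=lambda m: m.score)
        best.score -= total
        return best

    def dispatch(self, dst):
        """Serve one packet destined to dst and return the chosen member's name."""
        chosen = None
        if self.sticky_mask is not None:
            name = self.sticky.get(self._key(dst))
            if name:
                m = self.members[name]
                # Sticky member down: its backup serves; if that is down too, use WRR.
                cand = m if m.up else self.members.get(m.backup)
                chosen = cand if cand is not None and cand.up else None
        if chosen is None:
            pool = self.pool()
            if not pool:
                raise RuntimeError("no member in service")
            chosen = self._wrr(pool)
            if self.sticky_mask is not None:
                self.sticky.setdefault(self._key(dst), chosen.name)  # learn the mapping
        chosen.packets += 1
        return chosen.name

    def counts(self):
        return {n: m.packets for n, m in self.members.items()}

def servergroup1(sticky_mask=None):
    """servergroup1 as in the configuration file above (weights 80/60/40/20)."""
    return Group([Member("servera", 80, backup="serverc"),
                  Member("serverb", 60, backup="serverd"),
                  Member("serverc", 40, standby=True),
                  Member("serverd", 20, standby=True)], sticky_mask)

def run(group, dst, n, down=()):
    """Send n packets to dst with the named members down; return per-member counts."""
    for name in down:
        group.members[name].up = False
    for _ in range(n):
        group.dispatch(dst)
    return group.counts()

def sticky_return():
    """Verification 3: the static sticky entry brings 20.20.20.2 back to servera."""
    g = servergroup1(sticky_mask=24)
    g.static_sticky("20.20.20.2", "servera")
    first = g.dispatch("20.20.20.2")
    g.members["servera"].up = False
    during = g.dispatch("20.20.20.2")   # servera down: backup serverc serves
    g.members["servera"].up = True
    return first, during, g.dispatch("20.20.20.2")

if __name__ == "__main__":
    print(run(servergroup1(), "20.20.20.2", 140))                     # 80:60 = 4:3
    print(run(servergroup1(), "20.20.20.2", 100, down=("servera",)))  # serverc takes over
    print(sticky_return())                                            # servera, serverc, servera
    print(run(Group([Member("s11", 15), Member("s21", 30)]), "3.3.3.3", 90))  # 30:60 = 1:2
```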
Configuration Files
 control-vid 600 dot1q-termination
 dot1q termination vid 600
 ip address 7.7.61.2 255.255.255.0
 arp broadcast enable
 zone a
#
interface Eth-Trunk0.6
 control-vid 800 dot1q-termination
 dot1q termination vid 800
 ip address 11.11.61.1 255.255.255.0
 arp broadcast enable
 zone b
#
interface XGigabitEthernet0/0/1
 eth-Trunk 0
#
interface XGigabitEthernet0/0/2
 eth-Trunk 0
#
ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1
#
return
A firewall can be enabled with dual-system hot standby (HSB). That is, dual-system HSB can be enabled on an S9300 that supports the firewall function. The dual system and the S9300 are hereinafter referred to as the FW.
To ensure HA of a user network and prevent firewall faults from affecting communication between security zones, the Virtual Router Redundancy Protocol (VRRP) is enabled between firewalls and the firewall status is synchronized between firewalls. As shown in Figure 8-1, FWA and FWB constitute a VRRP backup group that function as a virtual FW.
A host on the LAN learns only the IP address of the virtual FW; it does not learn the IP addresses of the interfaces of FWA and FWB in the VRRP backup group. The host sets its default next hop to the IP address of the virtual FW and then communicates with other networks through the virtual FW. In the VRRP backup group, one device is in the active state and is the master device, such as FWA in Figure 8-1. The other device is in the backup state and is the backup device, such as FWB in Figure 8-1.
[Figure 8-1 Networking diagram: FWA (Master) and FWB (Backup) form a VRRP backup group in front of the Server.]
Supporting the Setup of the Channel Through Which Dual-System HSB Data Is Synchronized and the Heartbeat Detection Mechanism
- The channel through which dual-system HSB data is synchronized is configured between the active and standby modules.
- When the setup of the channel through which dual-system HSB data is synchronized fails, alarms are reported and logs are recorded.
- The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets can be set on the TCP channel between the active and standby modules.
- TCP connections can be set up between the active and standby modules.
- The VRRP module supports smooth switchback.
- After the channel through which dual-system HSB data is synchronized is set up, firewalls need to synchronize the status information in batches. Only the status information associated with the VRRP master device of the active firewall needs to be synchronized to the standby firewall. The active firewall instructs batch backup at the forwarding layer.
- The remote backup protocol of firewalls is supported. The upper-layer information between firewalls can be backed up.
- The active and standby modules of a firewall monitor the VRRP status.
- The forwarding backup module can back up the traffic forwarding table to the peer firewall. When the peer firewall receives the synchronized status information:
  - it generates the local status information.
  - it updates the number of TCP, UDP, and ICMP connections for the source and destination IP addresses.
  - it updates the NAT address allocation table.
- A firewall is powered on; the VRRP management group selects the master and backup devices; the traffic between security zones is filtered by the firewall. This process takes less than 10s.
- The VRRP management group is switched; the traffic between security zones is filtered by the firewall and user sessions are not interrupted. This process takes less than 2s.
- The process of firewalls synchronizing all the status information in batches takes less than 15s.
- The delay in synchronizing the status information between two HSB firewalls is less than 1s.
Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.
8.3.2 Enabling Dual-System HSB: You need to configure HSB actions only after dual-system HSB is enabled.
8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized: A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create this channel.
8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets: If a protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall. If the firewall does not receive heartbeat packets from the peer end within the period (the interval for sending heartbeat packets multiplied by the number of times for retransmitting heartbeat packets), it receives an exception notification message and re-establishes the channel.
8.3.5 Checking the Configuration: After dual-system HSB between firewalls is configured successfully, you can check whether the configuration is correct and valid.
Applicable Environment
To ensure HA of a user network and prevent firewall faults from affecting communication between security zones, VRRP is enabled between firewalls that function as a virtual firewall, and the firewall status is synchronized between firewalls. In this manner, HSB is implemented between two firewalls and HA of user connections is ensured.
Pre-configuration Tasks
Before configuring dual-system HSB, complete the following tasks:
- Setting the firewall service on the S9300
- Setting the IP address of the sub-interface configured with the firewall service
- Configuring VRRP between firewalls
Data Preparation
To configure dual-system HSB, you need the following data.
No.  Data
1
2    Number and IP address of the Eth-Trunk of the peer firewall
3    ID and virtual IP address of the VRRP backup group
4    Priorities of the local and peer firewalls in the VRRP backup group
Context
When two devices are deployed at the egress of the network to protect the security of the internal network, you need to configure dual-system HSB. The channel through which dual-system HSB is synchronized can be set up only after dual-system HSB is enabled.
Procedure
Step 1 Run:
system-view
8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized
A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create the channel through which dual-system HSB data is synchronized.
Context
You need to create a TCP channel and a UDP channel between the local firewall and the peer firewall. The source and destination IP addresses and port numbers of the two channels are the same. The data to be backed up is sent to the peer device through the two channels. TCP packets are sent through the TCP channel and UDP packets are sent through the UDP channel. In this manner, dual-system HSB is implemented.
NOTE
During the creation of the TCP tunnel, the firewall automatically creates the UDP tunnel.
To modify the parameters of the channel through which dual-system HSB data is synchronized, you must delete the previous configuration and then re-set the parameters.
Procedure
Step 1 Run:
system-view
By default, the source and destination IP addresses of the channel through which dual-system HSB data is synchronized are 0.0.0.0, and the source and destination port numbers are 0. The parameters of the channel through which dual-system HSB data is synchronized must be set at the local end and the peer end. The source IP address, destination IP address, source port, and destination port at the local end correspond to the destination IP address, source IP address, destination port, and source port at the remote end. The parameters of the channel through which dual-system HSB data is synchronized take effect only after dual-system HSB is enabled.
----End
8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets
If a protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall. If the firewall does not receive heartbeat packets from the peer end in the period (product of the interval for sending heartbeat packets by the number of times for retransmitting heartbeat packets), it receives an exception notification message and reestablishes a channel.
Procedure
Step 1 Run:
system-view
The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets of the channel between firewalls are set.
- By default, the interval for sending heartbeat packets is 10s and the number of times for retransmitting heartbeat packets is 6.
- You need to set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets at both the local end and the peer end. You are advised to set the same values for the two parameters at the two ends.
- The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets take effect only after dual-system HSB is enabled.
----End
Procedure
- Run the display hot-standby configuration command to view the configuration of dual-system HSB, including:
  - The local and peer IP addresses and port numbers of the channel through which dual-system HSB data is synchronized.
  - The interval for transmitting heartbeat packets and the number of times for retransmitting heartbeat packets.
  - The TCP connection status and packet transmission status.
  - The dual-system HSB status.
  - The status of the active and standby devices.
----End
8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules
During the running of dual-system HSB, if the active/standby switchover cannot be performed, you can check the connectivity of the channel between the active and standby modules. This helps you analyze the cause of the fault and locate the fault.
Procedure
Step 1 Run the display hot-standby configuration command on the SPU to check whether the value of TCP State is CONNECT. If the value of TCP State is INITIAL, CONNECTING, or LISTENING, the channel between the active and standby modules is faulty. The possible causes are that the cable of the channel between the active and standby modules has been removed or that the data configuration of the channel is incorrect.
----End
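A check of the rules stated in 8.3.3, 8.3.4 and this step, as an added Python example (not a Huawei tool): it takes the channel addresses, ports, heartbeat settings and TCP State as read on each firewall and reports the mismatches an operator would otherwise hunt for by hand. The sample addresses and ports are constructed, and the example does not parse display hot-standby configuration output.

```python
"""Consistency check for the channel through which dual-system HSB data is
synchronized, following the rules in 8.3.3, 8.3.4 and 8.4.1. Added illustration;
it works on values read from each firewall, not on parsed command output."""
from dataclasses import dataclass

UNSET_IP, UNSET_PORT = "0.0.0.0", 0          # channel defaults before configuration
DEFAULT_INTERVAL, DEFAULT_RETRIES = 10, 6    # heartbeat interval (s) and retransmissions
HEALTHY_TCP_STATES = {"CONNECT"}
FAULTY_TCP_STATES = {"INITIAL", "CONNECTING", "LISTENING"}

@dataclass
class HsbEnd:
    """What an operator reads on one firewall (field names are assumed)."""
    name: str
    enabled: bool        # dual-system HSB enabled on this firewall
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    interval: int = DEFAULT_INTERVAL
    retries: int = DEFAULT_RETRIES
    tcp_state: str = "INITIAL"

def dead_time(end):
    """Seconds without peer heartbeats before the channel is torn down and rebuilt."""
    return end.interval * end.retries

def check_pair(local, peer):
    """Return findings for the pair; an empty list means the two ends agree."""
    findings = []
    for end in (local, peer):
        if not end.enabled:
            findings.append(f"{end.name}: HSB not enabled, channel settings have no effect")
        if UNSET_IP in (end.src_ip, end.dst_ip) or UNSET_PORT in (end.src_port, end.dst_port):
            findings.append(f"{end.name}: channel still at defaults (0.0.0.0 / port 0)")
        if end.tcp_state in FAULTY_TCP_STATES:
            findings.append(f"{end.name}: TCP State {end.tcp_state}, check cabling and channel data")
        elif end.tcp_state not in HEALTHY_TCP_STATES:
            findings.append(f"{end.name}: unexpected TCP State {end.tcp_state}")
    # The local source/destination must equal the peer's destination/source.
    if (local.src_ip, local.dst_ip) != (peer.dst_ip, peer.src_ip):
        findings.append("channel IP addresses are not mirrored between the ends")
    if (local.src_port, local.dst_port) != (peer.dst_port, peer.src_port):
        findings.append("channel ports are not mirrored between the ends")
    if (local.interval, local.retries) != (peer.interval, peer.retries):
        findings.append(f"heartbeat settings differ: dead time {dead_time(local)}s vs {dead_time(peer)}s")
    return findings

def example_pair(mirrored=True):
    """Constructed sample: SPU A and SPU B over 13.0.0.2/13.0.0.3; the port numbers
    20000/20001 are placeholders, not values from the configuration guide."""
    a = HsbEnd("SPUA", True, "13.0.0.2", "13.0.0.3", 20000, 20001, tcp_state="CONNECT")
    if mirrored:
        b = HsbEnd("SPUB", True, "13.0.0.3", "13.0.0.2", 20001, 20000, tcp_state="CONNECT")
    else:  # SPU A's line copied verbatim instead of swapped, and the channel never came up
        b = HsbEnd("SPUB", True, "13.0.0.2", "13.0.0.3", 20000, 20001, tcp_state="LISTENING")
    return a, b

if __name__ == "__main__":
    good_a, good_b = example_pair()
    print(check_pair(good_a, good_b), dead_time(good_a))   # [] 60
    bad_a, bad_b = example_pair(mirrored=False)
    for finding in check_pair(bad_a, bad_b):
        print(finding)
```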
8.5.1 Example for Configuring Dual-System HSB on the S9300: This section describes how to configure dual-system HSB on the S9300 to improve service reliability.
8.5.2 Example for Configuring Dual-System HSB Between S9300s: This section describes how to configure dual-system HSB between S9300s to improve service reliability.
Networking Requirements
A firewall board is taken as an independent device. As shown in Figure 8-2, firewall boards SPU A and SPU B are installed on the same S9300 to implement the dual-system HSB function. Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300
[Figure 8-2 is a diagram; its labels: MPU interfaces XGE3/0/0 and XGE3/0/1 in Eth-Trunk0 (VLANIF10, IP 10.0.0.9/24, VLAN10/11/13); SPU A inbound interfaces XGE0/0/1 and XGE0/0/2 on Eth-Trunk0.1 (dot1q10, IP 10.0.0.2/24, VRRP IP 10.0.0.1) and outbound Eth-Trunk0.2 (dot1q11, IP 11.0.0.2/24, VRRP IP 11.0.0.1); SPU B likewise on Eth-Trunk1 with Eth-Trunk0.1 (IP 10.0.0.3/24, VRRP IP 10.0.0.1) and Eth-Trunk0.2 (IP 11.0.0.3/24, VRRP IP 11.0.0.1); LPU GE2/0/10 (VLANIF18, IP 18.0.0.1/24, VLAN18) toward PCA 18.0.0.2/24 on the internal network, and GE2/0/11 (VLAN11); FW; PCB 11.0.0.9/24; Server; Network.]
Board Type | Interface Type | VLAN Type | VLANIF | IP Address | Eth-Trunk | Dot1q | VID | Virtual IP | Priority
LPU | GigabitEthernet 2/0/10 | VLAN 18 | VLANIF 18 | 18.0.0.1/24 | NA | NA | NA | NA | NA
LPU | GigabitEthernet 2/0/11 | VLAN 11 | NA | NA | NA | NA | NA | NA | NA
MPU | XGigabitEthernet 3/0/0 | VLAN 10/11/13 | VLANIF 10 | 10.0.0.9/24 | Eth-Trunk 0 | NA | NA | NA | NA
MPU | XGigabitEthernet 3/0/1 | VLAN 10/11/13 | VLANIF 10 | 10.0.0.9/24 | Eth-Trunk 0 | NA | NA | NA | NA
MPU | XGigabitEthernet 5/0/0 | VLAN 10/11/13 | VLANIF 10 | 10.0.0.9/24 | Eth-Trunk 1 | NA | NA | NA | NA
MPU | XGigabitEthernet 5/0/1 | VLAN 10/11/13 | VLANIF 10 | 10.0.0.9/24 | Eth-Trunk 1 | NA | NA | NA | NA
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 10 | NA | 10.0.0.2/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 11 | NA | 11.0.0.2/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 13 | NA | 13.0.0.2/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 10 | NA | 10.0.0.3/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 11 | NA | 11.0.0.3/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 13 | NA | 13.0.0.3/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA
Configuration Roadmap
The configuration roadmap is as follows:
1. Check the service type of SPUs.
2. Configure interfaces of the LPU.
3. Configure a static route on the MPU.
4. Configure interfaces of SPUs.
5. Configure VRRP.
6. Configure static routes on SPUs.
7. Configure dual-system HSB between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel through which dual-system HSB data is synchronized is set up successfully.
9. Save the configuration.
Data Preparation
To complete the configuration, you need the following data (Figure 8-2 shows the detailed data):
- GE interfaces, VLAN IDs, VLANIF interfaces, and IP addresses of the LPU
- XGE interfaces, VLAN IDs, VLANIF interfaces, IP addresses, and bound Eth-Trunks of the MPU
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B
- ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B
Procedure
Step 1 Check the service type of the SPUs.
# Log in to SPU A and SPU B to check whether the service type of SPU A and SPU B is the firewall service in the system view.
<S9300> system-view
[S9300] display service-type
The service type is Firewall!
# If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.
[S9300] set service-type 1
The service type will be available after you restart the board, please restart!
Step 2 Configure interfaces of the LPU.
By default, GE 2/0/10, GE 2/0/11, XGE 3/0/0, XGE 3/0/1, XGE 5/0/0, and XGE 5/0/1 allow packets of VLAN 1 to pass through.
# Log in to the MPU to create VLAN 10, VLAN 11, and VLAN 13, configure VLANIF 18 on GE 2/0/10 of the LPU, and set parameters of GE 2/0/10 and GE 2/0/11. Then bind XGE 3/0/0 and XGE 3/0/1 of the MPU to Eth-Trunk 0, and bind XGE 5/0/0 and XGE 5/0/1 of the MPU to Eth-Trunk 1.
[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface vlanif 18
[MPU-Vlanif18] ip address 18.0.0.1 24
[MPU-Vlanif18] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] port link-type trunk
[MPU-GigabitEthernet2/0/10] port trunk allow-pass vlan 18
[MPU-GigabitEthernet2/0/10] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] port link-type trunk
[MPU-GigabitEthernet2/0/11] port trunk allow-pass vlan 11
[MPU-GigabitEthernet2/0/11] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface vlanif 10
[MPU-VLANIF10] ip address 10.0.0.9 24
[MPU-VLANIF10] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk1] port trunk allow-pass vlan 13
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit
[MPU] interface xgigabitethernet 5/0/0
[MPU-XGigabitEthernet5/0/0] eth-trunk 1
[MPU-XGigabitEthernet5/0/0] quit
[MPU] interface xgigabitethernet 5/0/1
[MPU-XGigabitEthernet5/0/1] eth-trunk 1
[MPU-XGigabitEthernet5/0/1] quit
Step 3 Configure a static route on the MPU.
# Log in to the MPU to configure a static route.
[MPU] ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1
Step 4 Configure interfaces of SPUs.
# Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.
[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit
Step 5 Configure VRRP.
# Log in to SPU A.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120. Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120. Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set parameters of Eth-Trunk 0.3.
[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit
# Log in to SPU B.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 110. Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 110. Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set parameters of Eth-Trunk 0.3.
[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit
Step 6 Configure static routes on SPUs.
# Log in to SPU A to configure a static route.
[S9300-A] ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9
Step 7 Configure the channel between SPU A and SPU B.
# Log in to SPU A to set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port number to 3001, and the destination port number to 4001 for the channel through which dual-system HSB data is synchronized.
[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-dataport 4001
[S9300] hot-standby enable
# Log in to SPU B to set the source IP address to 13.0.0.3, the destination IP address to 13.0.0.2, the source port number to 4001, and the destination port number to 3001 for the channel through which dual-system HSB data is synchronized.
[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-dataport 3001
[S9300] hot-standby enable
Step 8 Check whether VRRP negotiation is correct and whether the channel through which dual-system HSB data is synchronized is set up successfully.
- If the value of State of SPU A is Master and the value of State of SPU B is Backup, it indicates that VRRP negotiation is correct.
- If the value of TCP State of the SPU is CONNECT, it indicates that the channel between SPU A and SPU B is set up successfully.
# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
[S9300-A] display vrrp
  Eth-Trunk0.1|Virtual Router 10
    State : Master
    Virtual IP : 10.0.0.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0164
    Check TTL : YES
    Config type : admin-vrrp
    Config track link-bfd down-number : 0
  Eth-Trunk0.2|Virtual Router 11
    State : Master
    Virtual IP : 11.0.0.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0165
    Check TTL : YES
    Config type : member-vrrp
    Config track link-bfd down-number : 0
[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.2
  Peer IP Address : 13.0.0.3
  Source port : 3001
  Destination port : 4001
  Vpn Instance name : NULL
  Keep Alive Time : 10
  Fail Count : 6
  Delete State : NO
  Used State : YES
  Enable State : YES
  TCP State : CONNECT
  Master Backup State : START
  Slave Backup State : START
  Packet State : INITIAL
# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
[S9300-B] display vrrp
  Eth-Trunk0.1|Virtual Router 10
    State : Backup
    Virtual IP : 10.0.0.1
    PriorityRun : 110
    PriorityConfig : 110
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0164
    Check TTL : YES
    Config type : admin-vrrp
    Config track link-bfd down-number : 0
  Eth-Trunk0.2|Virtual Router 11
    State : Backup
    Virtual IP : 11.0.0.1
    PriorityRun : 110
    PriorityConfig : 110
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0165
    Check TTL : YES
    Config type : member-vrrp
    Config track link-bfd down-number : 0
[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.3
  Peer IP Address : 13.0.0.2
  Source port : 4001
  Destination port : 3001
  Vpn Instance name : NULL
  Keep Alive Time : 10
  Fail Count : 6
  Delete State : NO
  Used State : YES
  Enable State : YES
  TCP State : CONNECT
  Master Backup State : START
  Slave Backup State : START
  Packet State : INITIAL
Step 9 Save the configuration.
# Log in to the MPU and run the following command in the user view to save the configuration:
<MPU> save
# Log in to the SPU and run the following command in the user view to save the configuration:
<S9300> save
----End
Configuration Files
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface eth-trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface xgigabitethernet3/0/0
 eth-trunk 0
#
interface xgigabitethernet3/0/1
 eth-trunk 0
#
interface xgigabitethernet5/0/0
 eth-trunk 1
#
interface xgigabitethernet5/0/1
 eth-trunk 1
#
ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1
#
return
#
save
8.5.2 Example for Configuring Dual-System HSB Between S9300s
Networking Requirements
A firewall board is taken as an independent device. As shown in Figure 8-3, firewall boards SPU A and SPU B are installed on two different S9300s and are connected to interfaces GE 2/0/13 of LPU A and LPU B through cables to implement the dual-system HSB function.
Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s
(Figure 8-3 shows: a PC reaches the network through LPU A and LPU B, each with GE2/0/10 in VLAN 10 and GE2/0/11 in VLAN 11; GE2/0/13 in VLAN 13 links LPU A and LPU B. FW A (Master) is SPU A: inbound interface Eth-Trunk 0.1 (XGE0/0/1, XGE0/0/2, on Eth-Trunk 0) IP 10.0.0.2/24, VRRP IP 10.0.0.1, dot1q 10; outbound interface Eth-Trunk 0.2 IP 11.0.0.2/24, VRRP IP 11.0.0.1, dot1q 11. FW B (Backup) is SPU B: inbound interface Eth-Trunk 0.1 IP 10.0.0.3/24, outbound interface Eth-Trunk 0.2 IP 11.0.0.3/24, with the same VRRP IPs and dot1q values.)
Board Type | Interface Type | VLAN Type | IP Address | Eth-Trunk | Dot1q | VID | Virtual IP Address | Priority
LPU A | GigabitEthernet 2/0/10 | VLAN 10 | NA | Eth-Trunk 1 | NA | NA | NA | NA
LPU A | GigabitEthernet 2/0/11 | VLAN 11 | NA | Eth-Trunk 2 | NA | NA | NA | NA
LPU A | GigabitEthernet 2/0/13 | VLAN 13 | NA | NA | NA | NA | NA | NA
LPU B | GigabitEthernet 2/0/10 | VLAN 10 | NA | Eth-Trunk 1 | NA | NA | NA | NA
LPU B | GigabitEthernet 2/0/11 | VLAN 11 | NA | Eth-Trunk 2 | NA | NA | NA | NA
LPU B | GigabitEthernet 2/0/13 | VLAN 13 | NA | NA | NA | NA | NA | NA
MPU A | XGigabitEthernet 3/0/0 | VLAN 10/11/13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
MPU A | XGigabitEthernet 3/0/1 | VLAN 10/11/13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
MPU B | XGigabitEthernet 3/0/0 | VLAN 10/11/13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
MPU B | XGigabitEthernet 3/0/1 | VLAN 10/11/13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 10 | 10.0.0.2/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 11 | 11.0.0.2/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 13 | 13.0.0.2/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 10 | 10.0.0.3/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 11 | 11.0.0.3/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, XGigabitEthernet 0/0/2 | VLAN 13 | 13.0.0.3/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA
Configuration Roadmap
The configuration roadmap is as follows:
1. Check whether interfaces of LPUs are in Up state.
2. Check the service type of the SPUs.
3. Configure interfaces of the LPUs.
4. Configure a TCP link.
5. Configure interfaces of SPUs.
6. Configure VRRP.
7. Configure the channel between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
9. Save the configuration.
Data Preparation
To complete the configuration, you need the following data (Figure 8-3 shows the detailed data):
- GE interfaces, VLAN IDs, and bound Eth-Trunks of LPU A and LPU B
- GE interfaces, VLAN IDs, and bound Eth-Trunks of MPU A and MPU B
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B
- ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B
Procedure
Step 1 Check whether interfaces of LPUs are in Up state.
# Log in to MPU A and MPU B to check whether interfaces GE 2/0/13 of LPU A and LPU B are in Up state. If interfaces GE 2/0/13 of LPU A and LPU B are in Down state, use cables to connect LPU A and LPU B of the two firewalls.
[MPU] display interface brief
GigabitEthernet2/0/10  0  0%  0%  0
GigabitEthernet2/0/11  0  0%  0%  0
GigabitEthernet2/0/12  0  0%  0%  0
GigabitEthernet2/0/13  0  0%  0%  0
GigabitEthernet2/0/14  0  0%  0%  0
GigabitEthernet2/0/15  0  0%  0%  0
GigabitEthernet2/0/16  0  0%  0%  0
Step 2 Check the service type of the SPUs.
# Log in to SPU A and SPU B to check whether the service type of SPU A and SPU B is the firewall service in the system view.
<S9300> system-view
[S9300] display service-type
The service type is Firewall!
# If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.
[S9300] set service-type 1
The service type will be available after you restart the board, please restart!
Step 3 Configure interfaces of the LPUs.
By default, GE 2/0/10, GE 2/0/11, GE 2/0/13, XGE 3/0/0, and XGE 3/0/1 allow packets of VLAN 1 to pass through.
# Log in to MPU A and MPU B to create VLAN 10, VLAN 11, and VLAN 13, bind GE 2/0/10 on LPU A and GE 2/0/11 on LPU B to Eth-Trunk 1 and Eth-Trunk 2 respectively, and bind XGE 3/0/0 on MPU A and XGE 3/0/1 on MPU B to Eth-Trunk 0.
[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface eth-trunk2
[MPU-Eth-Trunk2] port link-type trunk
[MPU-Eth-Trunk2] port trunk allow-pass vlan 11
[MPU-Eth-Trunk2] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk2] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] eth-trunk 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] eth-trunk 2
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit
Step 4 Configure a TCP link.
# Log in to MPU A and MPU B to configure interfaces GE 2/0/13 as interfaces of the TCP link.
[MPU] interface gigabitethernet 2/0/13
[MPU-GigabitEthernet2/0/13] port link-type trunk
[MPU-GigabitEthernet2/0/13] port trunk allow-pass vlan 13
[MPU-GigabitEthernet2/0/13] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/13] quit
Step 5 Configure interfaces of SPUs.
# Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.
[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit
Step 6 Configure VRRP.
# Log in to SPU A.
- Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120. Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120. Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set parameters of Eth-Trunk 0.3.
[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit
# Log in to SPU B.
- Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 110. Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 110. Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set parameters of Eth-Trunk 0.3.
[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit
Step 7 Configure the channel between SPU A and SPU B.
# Log in to SPU A to set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port number to 3001, and the destination port number to 4001 for the channel through which dual-system HSB data is synchronized.
[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-dataport 4001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1
# Log in to SPU B to set the source IP address to 13.0.0.3, the destination IP address to 13.0.0.2, the source port number to 4001, and the destination port number to 3001 for the channel through which dual-system HSB data is synchronized.
[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-dataport 3001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1
Step 8 Check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
- If the value of State of SPU A is Master and the value of State of SPU B is Backup, it indicates that VRRP negotiation is correct.
- If the value of TCP State of the SPUs is CONNECT, it indicates that the channel between SPU A and SPU B is set up successfully.
# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
[S9300-A] display vrrp
  Eth-Trunk0.1|Virtual Router 10
    State : Master
    Virtual IP : 10.0.0.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 3
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0164
    Check TTL : YES
    Config type : member-vrrp
  Eth-Trunk0.2|Virtual Router 11
    State : Master
    Virtual IP : 11.0.0.1
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 3
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0165
    Check TTL : YES
    Config type : admin-vrrp
    Config track link-bfd down-number : 0
[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.2
  Peer IP Address : 13.0.0.3
  Source port : 3001
  Destination port : 4001
  Vpn Instance name : NULL
  Keep Alive Time : 1
  Fail Count : 20
  Delete State : NO
  Used State : YES
  Enable State : YES
  TCP State : CONNECT
  Master Backup State : START
  Slave Backup State : START
  Packet State : INITIAL
# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
[S9300-B] display vrrp
  Eth-Trunk0.1|Virtual Router 10
    State : Backup
    Virtual IP : 10.0.0.1
    PriorityRun : 110
    PriorityConfig : 110
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0164
    Check TTL : YES
    Config type : member-vrrp
    Config track link-bfd down-number : 0
  Eth-Trunk0.2|Virtual Router 11
    State : Backup
    Virtual IP : 11.0.0.1
    PriorityRun : 110
    PriorityConfig : 110
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac : 0000-5e00-0165
    Check TTL : YES
    Config type : admin-vrrp
    Config track link-bfd down-number : 0
[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.3
  Peer IP Address : 13.0.0.2
  Source port : 4001
  Destination port : 3001
  Vpn Instance name : NULL
  Keep Alive Time : 1
  Fail Count : 20
  Delete State : NO
  Used State : YES
  Enable State : YES
  TCP State : CONNECT
  Master Backup State : START
  Slave Backup State : START
  Packet State : INITIAL
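The Step 8 checks of both examples and the 8.4.1 diagnosis, as an added example that is not part of the Huawei document: a script that parses the display vrrp and display hot-standby configuration output shown above, confirms A Master / B Backup and TCP State CONNECT, verifies that the two ends' addresses and ports mirror each other as Step 7 requires, and flags the INITIAL, CONNECTING and LISTENING states from 8.4.1. The peer-loss detection time is computed as Fail Count multiplied by Keep Alive Time, which is an assumption about how detect fail-count and interval combine; the sample output is constructed from the fields shown in this section.

```python
"""Health check for an S9300 dual-system HSB pair from its CLI output.
Added example, not Huawei code: applies the Step 8 conditions and the 8.4.1
channel diagnosis to 'display vrrp' / 'display hot-standby configuration'."""
import re

CHANNEL_FAULT_STATES = {"INITIAL", "CONNECTING", "LISTENING"}  # named in 8.4.1
FIELD_RE = re.compile(r"\s*(.+?)\s*:\s*(.*?)\s*$")
GROUP_RE = re.compile(r"\s*(\S+)\|Virtual Router (\d+)")

def parse_vrrp(text):
    """Return {vrid: {field: value}} for each backup group in 'display vrrp'."""
    groups, current = {}, None
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            current = groups.setdefault(int(m.group(2)), {"Interface": m.group(1)})
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return groups

def parse_hsb(text):
    """Return {field: value} from 'display hot-standby configuration'."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, text.splitlines()) if m}

def detection_seconds(hsb):
    """Seconds until the peer is declared lost. Assumption: Fail Count missed
    keepalives of Keep Alive Time seconds each (detect fail-count x interval)."""
    return int(hsb["Fail Count"]) * float(hsb["Keep Alive Time"])

def check_pair(a_vrrp, a_hsb, b_vrrp, b_hsb):
    """Return findings for the pair; an empty list means Step 8 is satisfied."""
    findings, ga, gb = [], parse_vrrp(a_vrrp), parse_vrrp(b_vrrp)
    for vrid, a in ga.items():
        b = gb.get(vrid, {})  # a group missing on SPU B shows up as State None
        states = (a.get("State"), b.get("State"))
        if states != ("Master", "Backup"):
            findings.append(f"VRID {vrid}: expected A Master / B Backup, got {states}")
        if a.get("Virtual IP") != b.get("Virtual IP"):
            findings.append(f"VRID {vrid}: virtual IP differs between the SPUs")
    ha, hb = parse_hsb(a_hsb), parse_hsb(b_hsb)
    for name, h in (("SPU A", ha), ("SPU B", hb)):
        state = h.get("TCP State")
        if state in CHANNEL_FAULT_STATES:
            findings.append(f"{name}: TCP State {state}, channel faulty (8.4.1): "
                            "check the cable and the hot-standby-group data")
        elif state != "CONNECT":
            findings.append(f"{name}: unexpected TCP State {state!r}")
    # Step 7: SPU B's local/peer and source/destination are SPU A's, swapped.
    for mine, theirs in (("Local IP Address", "Peer IP Address"),
                         ("Source port", "Destination port")):
        if ha.get(mine) != hb.get(theirs) or ha.get(theirs) != hb.get(mine):
            findings.append(f"channel endpoints not mirrored ({mine}/{theirs})")
    return findings

# Constructed sample output, reduced to the fields the check reads.
A_VRRP = """[S9300-A] display vrrp
  Eth-Trunk0.1|Virtual Router 10
    State : Master
    Virtual IP : 10.0.0.1
  Eth-Trunk0.2|Virtual Router 11
    State : Master
    Virtual IP : 11.0.0.1
"""
B_VRRP = A_VRRP.replace("[S9300-A]", "[S9300-B]").replace("Master", "Backup")
A_HSB = """[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.2
  Peer IP Address : 13.0.0.3
  Source port : 3001
  Destination port : 4001
  Keep Alive Time : 1
  Fail Count : 20
  TCP State : CONNECT
"""
B_HSB = """[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address : 13.0.0.3
  Peer IP Address : 13.0.0.2
  Source port : 4001
  Destination port : 3001
  TCP State : CONNECT
"""
# The same pair with SPU B's channel stuck in a state that 8.4.1 calls faulty.
B_HSB_DOWN = B_HSB.replace("TCP State : CONNECT", "TCP State : LISTENING")

if __name__ == "__main__":
    for label, hsb in (("healthy", B_HSB), ("channel down", B_HSB_DOWN)):
        print(label, check_pair(A_VRRP, A_HSB, B_VRRP, hsb) or ["OK"])
    print("peer-loss detection time:", detection_seconds(parse_hsb(A_HSB)), "s")
```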
Step 9 Save the configuration.
# Log in to the MPU and run the following command in the user view to save the configuration:
<MPU> save
# Log in to the SPU and run the following command in the user view to save the configuration:
<S9300> save
----End
Configuration Files
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.3 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
 vrrp vrid 10 priority 110
 vrrp vrid 10 preempt-mode timer delay 3
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.3 24
 arp broadcast enable
#
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-dataport 3001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
#
return
#
save