Documentos de Académico
Documentos de Profesional
Documentos de Cultura
V500R001C10SPC100
Administrator Guide
Issue 01
Date 2015-12-8
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Product Version
The following table lists the product versions of this document.
USG6000V V500R001C10SPC100
Intended Audience
This document describes the features, configuration guide, and troubleshooting guide of the
FW in detail. This document focuses on how to manage the device on the Web UI, but
provides information on how to manage the device on the CLI to meet different user
preferences.
This document is intended for administrators who configure and manage FW. The
administrators must have good Ethernet knowledge and network management experience.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Convention Description
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Update History
Updates between document issues are cumulative. Therefore, the latest document issue
contains all updates made in previous issues.
Contents
1.7.2 Mechanism...............................................................................................................................................................125
1.7.3 Restrictions and Precautions....................................................................................................................................129
1.7.4 Configuring SNMP Using the Web UI.................................................................................................................... 129
1.7.5 Maintaining SNMP..................................................................................................................................................133
1.7.6 Feature History........................................................................................................................................................ 134
1.8 Across-Layer-3 MAC Identification...........................................................................................................................134
1.8.1 Overview................................................................................................................................................................. 134
1.8.2 Configuring Across-Layer-3 MAC Identification Using the Web UI..................................................................... 136
1.8.3 Configuring Across-Layer-3 MAC Identification Using the CLI........................................................................... 137
1.8.4 Feature History........................................................................................................................................................ 139
1.9 Logs............................................................................................................................................................................ 139
1.9.1 Overview................................................................................................................................................................. 139
1.9.2 Mechanism...............................................................................................................................................................142
1.9.2.1 Session Logs......................................................................................................................................................... 142
1.9.2.2 Packet Discard Logs............................................................................................................................................. 143
1.9.2.3 Service Logs......................................................................................................................................................... 144
1.9.2.4 System Logs......................................................................................................................................................... 144
1.9.3 Restrictions and Precautions....................................................................................................................................147
1.9.4 Configuring Logs Using the Web UI.......................................................................................................................148
1.9.5 Configuring Logs Using the CLI.............................................................................................................................151
1.9.5.1 Configuring the FW to Send Session Logs to a Log Host....................................................................................151
1.9.5.2 Configuring the FW to Send Service Logs to a Log Host....................................................................................155
1.9.5.3 Enabling the FW to Send Packet Discard Logs to a Log Host.............................................................................156
1.9.5.4 Configuring the FW to Output Service Logs and System Logs to a Log Host Through the Information Center158
1.9.5.4.1 Enabling the Information Center....................................................................................................................... 158
1.9.5.4.2 Configuring the FW to Output Logs to a Log Buffer........................................................................................160
1.9.5.4.3 Outputting Logs to Log Files.............................................................................................................................161
1.9.5.4.4 Outputting Logs to the Console.........................................................................................................................161
1.9.5.4.5 Outputting Logs to a Terminal...........................................................................................................................162
1.9.5.4.6 Outputting Logs to a Log Host.......................................................................................................................... 163
1.9.5.5 Maintaining Logs..................................................................................................................................................164
1.9.6 Configuration Example............................................................................................................................................165
1.9.6.1 CLI: Example for Configuring the FW to Output Session Logs to Log Hosts.................................................... 165
1.9.6.2 CLI: Example for Configuring the FW to Output Service Logs to Log Hosts.................................................... 170
1.9.6.3 CLI: Example for Configuring the FW to Output Packet Loss Logs to Log Hosts............................................. 175
1.9.6.4 CLI: Example for Configuring the FW to Output Service Logs and System Logs to a Log Host Through the
Information Center........................................................................................................................................................... 180
1.9.7 Feature Reference.................................................................................................................................................... 183
1.9.7.1 Specifications........................................................................................................................................................183
1.9.7.2 Feature History..................................................................................................................................................... 184
1.10 Alarms...................................................................................................................................................................... 184
1.10.1 Overview............................................................................................................................................................... 184
1.10.2 Mechanism.............................................................................................................................................................184
2 High Availability.......................................................................................................................312
2.1 Hot Standby................................................................................................................................................................ 313
2.1.1 Overview................................................................................................................................................................. 313
2.1.2 Application Scenarios..............................................................................................................................................315
2.1.2.1 In-line Deployment of Hot Standby..................................................................................................................... 315
2.1.2.2 Transparent Deployment of Hot Standby............................................................................................................. 318
2.1.8.8 Web: Active/Standby Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Static Routing
Mode)................................................................................................................................................................................430
2.1.8.9 Web: Load Balancing Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Static
Routing Mode)..................................................................................................................................................................437
2.1.8.10 Web: Active/Standby Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Dynamic
Routing Mode)..................................................................................................................................................................446
2.1.8.11 Web: Load Balancing Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Dynamic
Routing Mode)..................................................................................................................................................................457
2.1.8.12 CLI: Active/Standby Networking in Which the FWs Are Connected In-line to Layer-2 Upstream and
Downstream Devices........................................................................................................................................................ 468
2.1.8.13 CLI: Load Balancing Networking in Which the FWs Are Connected In-line to Layer-2 Upstream and
Downstream Devices........................................................................................................................................................ 473
2.1.8.14 CLI: Active/Standby Networking in Which the FWs Are Connected In-line to Layer-3 Upstream and
Downstream Devices........................................................................................................................................................ 482
2.1.8.15 CLI: Load Balancing Networking in Which the FWs Are Connected In-line to Layer-3 Upstream and
Downstream Devices........................................................................................................................................................ 486
2.1.8.16 CLI: Active/Standby Networking in Which the FWs Are Connected In-line to Layer-3 Upstream and Layer-2
Downstream Devices........................................................................................................................................................ 490
2.1.8.17 CLI: Load Balancing Networking in Which the FWs Are Connected In-line to Layer-3 Upstream and Layer-2
Downstream Devices........................................................................................................................................................ 495
2.1.8.18 CLI: Load Balancing Networking in Which the FWs Are Connected Transparently to Layer-3 Upstream and
Downstream Devices........................................................................................................................................................ 501
2.1.8.19 CLI: Active/Standby Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Static
Routing Mode)..................................................................................................................................................................505
2.1.8.20 CLI: Load Balancing Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Static
Routing Mode)..................................................................................................................................................................513
2.1.8.21 CLI: Active/Standby Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Dynamic
Routing Mode)..................................................................................................................................................................523
2.1.8.22 CLI: Load Balancing Networking in Which the FWs Are Connected Off-line to Layer-3 Devices (Dynamic
Routing Mode)..................................................................................................................................................................533
2.1.9 Feature Reference.................................................................................................................................................... 542
2.1.9.1 Specifications........................................................................................................................................................543
2.1.9.2 Feature History..................................................................................................................................................... 546
2.1.9.3 Standards and Protocols........................................................................................................................................546
2.1.10 Hot Standby FAQ.................................................................................................................................................. 546
2.1.10.1 FAQs on Failures................................................................................................................................................ 547
2.1.10.2 FAQs on Configurations..................................................................................................................................... 549
2.1.10.3 FAQs on Mechanism.......................................................................................................................................... 550
2.1.10.4 FAQs on Specifications...................................................................................................................................... 552
2.1.10.5 FAQs on Miscellaneous Issues........................................................................................................................... 553
2.2 IP-Link........................................................................................................................................................................553
2.2.1 Overview................................................................................................................................................................. 553
2.2.2 Application Scenarios..............................................................................................................................................554
2.2.2.1 IP-Link in the Hot Standby Environment.............................................................................................................554
2.2.2.2 IP-Link in the Static Routing Environment.......................................................................................................... 554
2.2.2.3 IP-Link in the Policy-based Routing Environment.............................................................................................. 555
3 Virtual System............................................................................................................................650
3.1 Overview.................................................................................................................................................................... 651
3.2 Application Scenario.................................................................................................................................................. 651
3.3 Mechanism..................................................................................................................................................................653
3.3.1 Virtual System and Administrator........................................................................................................................... 653
3.3.2 Virtual System Resource Allocation........................................................................................................................655
3.3.3 Virtual System Traffic Sorting.................................................................................................................................657
3.3.4 Communication Between Virtual Systems.............................................................................................................. 659
3.4 Restrictions and Precautions.......................................................................................................................................664
3.5 Deploying a Virtual System Using the Web UI..........................................................................................................666
3.5.1 Enabling the Virtual System Function.....................................................................................................................666
3.5.2 Configuring a Resource Class ................................................................................................................................ 666
3.5.3 Creating a Virtual System and Allocating Resources .............................................................................................668
3.5.4 Enabling Communication Between Virtual Systems ..............................................................................................669
3.5.4.1 Enabling Communication Between a Virtual System and the Public System .....................................................669
3.5.4.2 Enabling Communication Between Virtual Systems ...........................................................................................672
3.5.5 Creating a Virtual System Administrator................................................................................................................ 675
3.6 Deploying a Virtual System Using the CLI................................................................................................................677
3.6.1 Enabling the Virtual System Function.....................................................................................................................678
3.6.2 Configuring a Resource Class................................................................................................................................. 678
3.6.3 Creating a Virtual System and Allocating Resources..............................................................................................679
4 Networks..................................................................................................................................... 739
4.1 Interfaces.................................................................................................................................................................... 741
4.1.1 Overview................................................................................................................................................................. 741
4.1.1.1 Supported Interface Types.................................................................................................................................... 741
4.1.1.2 IP Addresses......................................................................................................................................................... 745
4.1.2 Interface Configuration Using the Web UI..............................................................................................................753
4.1.2.1 Configuring a Layer 3 Ethernet Interface.............................................................................................................753
4.1.2.2 Configuring a Layer 2 Ethernet Interface.............................................................................................................760
4.1.2.3 Configuring a Layer 3 Ethernet Subinterface.......................................................................................................763
4.1.2.4 Configuring a Layer 2 Ethernet Subinterface.......................................................................................................771
4.1.2.5 Configuring a VLAN Interface.............................................................................................................................772
4.1.2.6 Configuring an Eth-Trunk Interface..................................................................................................................... 780
4.1.2.7 Configuring a Loopback Interface........................................................................................................................789
4.1.2.8 Configuring the Tunnel Interface......................................................................................................................... 790
4.1.3 Interface Configuration Using the CLI....................................................................................................................794
4.1.3.1 Configuring a Layer 3 Ethernet Interface.............................................................................................................794
4.1.3.2 Configuring a Layer 2 Ethernet Interface.............................................................................................................798
4.1.3.3 Configuring a Layer 3 Ethernet Subinterface.......................................................................................................799
4.1.3.4 Configuring a Layer 2 Ethernet Subinterface.......................................................................................................802
4.1.3.5 Configuring a VLAN Interface.............................................................................................................................803
4.1.3.6 Configuring an Eth-Trunk Interface..................................................................................................................... 806
4.1.3.6.1 Configuration Procedure....................................................................................................................................806
4.1.3.6.2 Configuring a Layer 3 Eth-Trunk Interface.......................................................................................................807
4.7.6.2 CLI Example for Configuring the Device as a DHCP Server (Using the Global Address Pool-based Layer-3
Ethernet Interface).......................................................................................................................................................... 1022
4.7.6.3 CLI Example for Configuring a Global Address Pool-based DHCP Server (Using Sub-interfaces)................ 1028
4.7.6.4 CLI Example for Configuring the Device as a DHCP Relay............................................................................. 1034
4.7.6.5 CLI Example for Configuring the Device as an DHCP Client...........................................................................1038
4.7.7 Feature Reference.................................................................................................................................................. 1040
4.7.7.1 Specifications......................................................................................................................................................1040
4.7.7.2 Feature History................................................................................................................................................... 1042
4.7.7.3 Reference Standards and Protocols.................................................................................................................... 1042
4.8 DHCP Snooping....................................................................................................................................................... 1043
4.8.1 Overview............................................................................................................................................................... 1043
4.8.2 Mechanism.............................................................................................................................................................1045
4.8.3 Configuring Defense Against Attacks Initiated by a Bogus DHCP Server.......................................................... 1053
4.8.3.1 Configuring a Layer 2 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server..................... 1053
4.8.3.2 Configuring a Layer 3 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server..................... 1054
4.8.4 Configuring Defense Against Man-in-the-Middle and IP/MAC Spoofing Attacks..............................................1056
4.8.4.1 Configuring a Layer 2 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks.........1056
4.8.4.2 Configuring a Layer 3 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks.........1058
4.8.5 Configuring Defense Against Attacks Launched by Changing the CHADDR Value...........................................1061
4.8.5.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Changing CHADDRs.............................. 1061
4.8.5.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Changing CHADDRs.............................. 1062
4.8.6 Configuring Defense Against Attacks by Sending Bogus Packets for Extending IP Leases................................1063
4.8.6.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Sending Bogus Packets for Extending IP
Leases............................................................................................................................................................................. 1063
4.8.6.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Sending Bogus Packets for Extending IP
Leases............................................................................................................................................................................. 1065
4.8.7 Configuring Alarms Used to Discard Packets....................................................................................................... 1067
4.8.8 Maintaining DHCP Snooping................................................................................................................................1068
4.8.8.1 Maintaining a DHCP Snooping Binding Table.................................................................................................. 1068
4.8.8.2 Debugging the DHCP Snooping Function......................................................................................................... 1069
4.8.9 Example for Configuring DHCP Snooping...........................................................................................................1070
4.8.10 Feature Reference................................................................................................................................................ 1075
4.8.10.1 Specifications....................................................................................................................................................1075
4.8.10.2 Feature History................................................................................................................................................. 1077
4.8.10.3 Reference Standards and Protocols.................................................................................................................. 1077
4.9 MAC Address Table................................................................................................................................................. 1077
4.9.1 Overview............................................................................................................................................................... 1078
4.9.2 Configuring a MAC Address Table.......................................................................................................................1080
4.9.2.1 Configuring the MAC Address Table Based on the VLAN and Layer 2 Interface............................................1080
4.9.2.2 Configuring the Aging Time of a MAC Address Table..................................................................................... 1081
4.9.2.3 Configuring a Limit Rule for Learning MAC Addresses...................................................................................1081
4.9.3 Maintaining the MAC Address Table....................................................................................................................1082
4.9.4 Configuration Examples........................................................................................................................................ 1083
4.9.4.1 Example for Configuring the MAC Address Table Based on the Interface and VLAN.................................... 1083
4.9.5 Feature Reference.................................................................................................................................................. 1085
4.9.5.1 Specifications......................................................................................................................................................1086
4.9.5.2 Feature History................................................................................................................................................... 1086
4.10 ARP........................................................................................................................................................................ 1087
4.10.1 Overview............................................................................................................................................................. 1087
4.10.2 Mechanism...........................................................................................................................................................1088
4.10.3 Configuring ARP................................................................................................................................................. 1092
4.10.3.1 Configuring Static ARP....................................................................................................................................1092
4.10.3.2 Enabling a Device to Learn Multicast MAC Addresses and Generate ARP Entries....................................... 1094
4.10.3.3 Optimizing Dynamic ARP................................................................................................................................1096
4.10.3.4 Configuring a Device to Delete Dynamic ARP Entries after a Delay..............................................................1097
4.10.3.5 Configuring ARP Automatic Scanning and Fixed ARP.................................................................................. 1098
4.10.3.6 Configuring the ARP Proxy..............................................................................................................................1100
4.10.3.6.1 Configuring Routed Proxy ARP.................................................................................................................... 1100
4.10.3.6.2 Configuring Proxy ARP Within a VLAN......................................................................................................1101
4.10.3.7 Configuring Gratuitous ARP............................................................................................................................ 1102
4.10.3.7.1 Configuring the Learning of Gratuitous ARP Packets.................................................................................. 1102
4.10.3.7.2 Configuring the Sending of Gratuitous ARP Packets....................................................................................1102
4.10.3.8 Preventing Attacks on ARP Entries..................................................................................................................1103
4.10.3.8.1 Configuring Global Strict ARP Entry Learning............................................................................................ 1103
4.10.3.8.2 Configuring Strict ARP Entry Learning on Interfaces.................................................................................. 1104
4.10.3.8.3 Configuring Interface-based ARP Entry Restriction..................................................................................... 1105
4.10.3.8.4 Enabling Alarm Functions for Potential Attack Behaviors........................................................................... 1105
4.10.4 Maintaining ARP................................................................................................................................................. 1106
4.10.4.1 Displaying ARP Configuration.........................................................................................................................1106
4.10.4.2 Clearing ARP Entries........................................................................................................................................1106
4.10.5 Configuration Examples...................................................................................................................................... 1107
4.10.5.1 Example for Configuring Static ARP............................................................................................................... 1107
4.10.5.2 Example for Configuring ARP Automatic Scanning and Fixed ARP..............................................................1109
4.10.5.3 Example for Configuring Proxy ARP...............................................................................................................1112
4.10.6 Troubleshooting ARP Faults................................................................................................................................1115
4.10.7 Feature Reference................................................................................................................................................ 1119
4.10.7.1 Specifications....................................................................................................................................................1119
4.10.7.2 Feature History................................................................................................................................................. 1120
4.10.7.3 Reference Standards and Protocols...................................................................................................................1120
4.11 VLAN..................................................................................................................................................................... 1121
4.11.1 Overview..............................................................................................................................................................1121
4.11.2 Mechanism...........................................................................................................................................................1122
4.11.3 Configuring a VLAN........................................................................................................................................... 1130
4.11.3.1 Dividing a LAN into VLANs Based on Ports.................................................................................................. 1130
4.11.3.2 Configuring Vlanif Interfaces to Enable VLANs to Communicate..................................................................1132
5 Routing...................................................................................................................................... 1172
5.1 Routing Protocol Overview...................................................................................................................................... 1174
5.1.1 Overview................................................................................................................................................................1174
5.1.2 Static Routes and Dynamic Routes........................................................................................................................1174
5.1.3 Default Routes....................................................................................................................................................... 1175
5.1.4 Routing Table and FIB Table.................................................................................................................................1175
5.1.5 Routing Protocol Preference..................................................................................................................................1179
5.1.6 Route Import.......................................................................................................................................................... 1181
5.1.7 Route Metric.......................................................................................................................................................... 1181
5.1.8 Load Balancing...................................................................................................................................................... 1181
5.1.9 Priority-based Route Convergence........................................................................................................................ 1183
5.2 Routing Basics Configuration...................................................................................................................................1184
5.2.1 Routing Basics Configuration Using the Web UI..................................................................................................1184
5.2.1.1 Configuring Virtual Routers............................................................................................................................... 1184
5.2.1.2 Monitoring OSPF and BGP................................................................................................................................ 1185
5.2.1.3 Checking the Routing Table............................................................................................................................... 1186
5.2.2 Routing Basics Configuration-CLI........................................................................................................................1187
5.2.2.1 Configuring the Global Router ID...................................................................................................................... 1187
5.2.2.2 Configuring the IP-Prefix List............................................................................................................................ 1188
5.2.2.2.1 Configuring the IPv4 IP-Prefix List.................................................................................................................1188
5.2.2.2.2 Configuring the IPv6 IP-Prefix List.................................................................................................................1189
5.2.2.3 Managing IP Routing Tables.............................................................................................................................. 1190
5.2.2.3.1 Managing the Routing Table............................................................................................................................1190
5.2.2.3.2 Managing the Routing Management Module.................................................................................................. 1192
5.3 IP Static Route.......................................................................................................................................................... 1193
5.3.1 Overview................................................................................................................................................................1193
5.3.2 Mechanism.............................................................................................................................................................1193
5.3.2.1 Components of Static Routes..............................................................................................................................1193
5.3.2.2 Applications of Static Routes............................................................................................................................. 1194
5.3.2.3 Default Routes.................................................................................................................................................... 1196
5.3.2.4 BFD for Static Routes.........................................................................................................................................1196
5.3.3 Configuring Static Route Using the Web UI......................................................................................................... 1197
5.10.4.4.2 Configuring the Policy for Advertising BGP Routing Information.............................................................. 1631
5.10.4.4.3 Configuring the Policy for Receiving BGP Routing Information................................................................. 1633
5.10.4.4.4 Configuring BGP Soft Resetting................................................................................................................... 1635
5.10.4.5 Configuring BGP Route Selection and Load Balancing.................................................................................. 1637
5.10.4.5.1 Configuring the BGP Preference................................................................................................................... 1637
5.10.4.5.2 Configuring Preferred Values for BGP Routes..............................................................................................1638
5.10.4.5.3 Configuring a Default Local_Pref Attribute for a Device............................................................................. 1639
5.10.4.5.4 Configuring the MED Attribute.................................................................................................................... 1639
5.10.4.5.5 Configuring Next_Hop Attributes for Routes............................................................................................... 1642
5.10.4.5.6 Configuring the BGP Community Attribute................................................................................................. 1644
5.10.4.5.7 Configuring AS_Path Attributes for Routes..................................................................................................1646
5.10.4.5.8 Configuring BGP Load Balancing................................................................................................................ 1650
5.10.4.6 Simplifying BGP Network Connections.......................................................................................................... 1653
5.10.4.6.1 Configuring BGP Route Reflectors............................................................................................................... 1653
5.10.4.6.2 Configuring a BGP Confederation................................................................................................................ 1654
5.10.4.7 Adjusting the BGP Network Convergence Speed............................................................................................ 1655
5.10.4.7.1 Configuring a BGP ConnectRetry Timer...................................................................................................... 1655
5.10.4.7.2 Configuring BGP Keepalive and Hold Timers..............................................................................................1657
5.10.4.7.3 Configuring a Update Message Timer...........................................................................................................1659
5.10.4.7.4 Disabling Fast Reset of EBGP Connections..................................................................................................1660
5.10.4.7.5 Configuring BGP Route Dampening.............................................................................................................1661
5.10.4.8 Configuring BGP Security................................................................................................................................1662
5.10.4.8.1 Configuring MD5 Authentication................................................................................................................. 1662
5.10.4.8.2 Configuring Keychain Authentication...........................................................................................................1662
5.10.4.9 Configuring BGP Reliability............................................................................................................................ 1663
5.10.4.9.1 Enabling BGP Tracking.................................................................................................................................1663
5.10.4.9.2 Configuring BFD for BGP............................................................................................................................ 1664
5.10.4.9.3 Configuring BGP GR.................................................................................................................................... 1667
5.10.5 Maintaining BGP................................................................................................................................................. 1668
5.10.5.1 Configuring BGP to Record Peer Status Changes and Event Information...................................................... 1668
5.10.5.2 Viewing BGP Routing Information.................................................................................................................. 1669
5.10.5.3 Clearing and Resetting BGP.............................................................................................................................1670
5.10.6 Configuration Examples...................................................................................................................................... 1671
5.10.6.1 Example for Configuring Basic BGP Functions.............................................................................................. 1671
5.10.6.2 Example for Configuring AS_Path Filters....................................................................................................... 1677
5.10.6.3 Example for Configuring MED Attributes to Control BGP Route Selection.................................................. 1682
5.10.6.4 Example for Configuring BGP Load Balancing...............................................................................................1686
5.10.7 Troubleshooting BGP.......................................................................................................................................... 1691
5.10.7.1 Failure in Establishing BGP Peers....................................................................................................................1691
5.10.7.2 Route Loss During the Exchange of Update Messages Between BGP Peers.................................................. 1695
5.10.8 Reference............................................................................................................................................................. 1698
5.10.8.1 Specifications....................................................................................................................................................1698
6.1.6.5 CLI: Example for Configuring Active/Standby Backup by Link Priority......................................................... 1813
6.1.6.6 CLI: Example for Configuring DNS Transparent Proxy....................................................................................1817
6.1.7 Maintaining Global Route Selection Policies........................................................................................................1822
6.1.8 Feature Reference.................................................................................................................................................. 1822
6.1.8.1 Feature History................................................................................................................................................... 1822
6.2 PBR...........................................................................................................................................................................1822
6.2.1 Overview............................................................................................................................................................... 1822
6.2.2 Mechanism.............................................................................................................................................................1823
6.2.3 Restrictions and Precautions..................................................................................................................................1825
6.2.4 Configuring PBR Using the Web UI..................................................................................................................... 1825
6.2.5 Configuring PBR Using the CLI........................................................................................................................... 1832
6.2.6 Configuration Examples........................................................................................................................................ 1837
6.2.6.1 CLI: Example for Configuring Protocol-Specific PBR......................................................................................1837
6.2.6.2 CLI: Example for Configuring Source IP Address-Specific PBR..................................................................... 1840
6.2.6.3 CLI: Example for Configuring PBR Intelligent Uplink Selection Among Multiple ISP Outbound Interfaces. 1842
6.2.6.4 CLI: Example for Configuring Policy-based Routes for Internet Access from Multiple ISPs.......................... 1847
6.2.7 Maintaining PBR................................................................................................................................................... 1850
6.2.8 Feature Reference.................................................................................................................................................. 1851
6.2.8.1 Feature History................................................................................................................................................... 1851
6.3 ISP Link Selection by ISP Routes............................................................................................................................ 1851
6.3.1 Overview............................................................................................................................................................... 1851
6.3.2 Application Scenarios............................................................................................................................................1852
6.3.3 Mechanism.............................................................................................................................................................1853
6.3.4 Configuring ISP Link Selection Using the Web UI...............................................................................................1854
6.3.5 Configuring ISP Link Selection Using the CLI.....................................................................................................1856
6.3.6 Configuration Examples........................................................................................................................................ 1858
6.3.6.1 CLI: Example for Accessing the Internet Through Multiple ISP Networks (ISP Link Selection).................... 1858
6.3.6.2 CLI: Example for Configuring Intelligent Uplink Selection Among Outbound Interfaces of Different ISPs...1862
6.3.7 Maintaining ISP Link Selection............................................................................................................................ 1868
6.3.8 Feature Reference.................................................................................................................................................. 1868
6.3.8.1 Feature History................................................................................................................................................... 1868
6.4 Health Check............................................................................................................................................................ 1868
6.4.1 Overview............................................................................................................................................................... 1868
6.4.2 Application Scenarios............................................................................................................................................1869
6.4.3 Mechanism.............................................................................................................................................................1872
6.4.4 Configuring Health Check Using the Web UI....................................................................................................... 1874
6.4.5 Configuring Health Check Using the CLI............................................................................................................. 1875
6.4.6 Maintaining Health Check.....................................................................................................................................1877
6.4.7 Feature Reference.................................................................................................................................................. 1878
6.4.7.1 Feature History................................................................................................................................................... 1878
7 SLB..............................................................................................................................................1879
7.1 Overview.................................................................................................................................................................. 1880
8 MPLS..........................................................................................................................................1946
8.1 Overview.................................................................................................................................................................. 1947
8.2 Mechanism................................................................................................................................................................1947
8.2.1 MPLS Basics......................................................................................................................................................... 1948
8.2.1.1 Concepts............................................................................................................................................................. 1948
8.2.1.2 Establishing LSPs............................................................................................................................................... 1954
8.2.1.3 MPLS Forwarding.............................................................................................................................................. 1956
8.2.2 MPLS LDP............................................................................................................................................................ 1960
8.2.2.1 Concepts............................................................................................................................................................. 1960
8.2.2.2 LDP Sessions...................................................................................................................................................... 1961
8.2.2.3 Advertising and Managing Labels......................................................................................................................1963
8.2.2.4 LDP LSP Establishment..................................................................................................................................... 1965
8.2.2.5 LDP Extension for Inter-Area LSP.....................................................................................................................1966
8.2.2.6 LDP GR.............................................................................................................................................................. 1967
8.2.2.7 LDP MTU...........................................................................................................................................................1969
8.2.2.8 LDP Authentication............................................................................................................................................ 1970
9 VPN............................................................................................................................................ 2018
9.1 VPN Overview......................................................................................................................................................... 2019
9.1.1 Introduction........................................................................................................................................................... 2019
9.1.2 Application Scenarios............................................................................................................................................2021
9.2 IPSec......................................................................................................................................................................... 2025
9.2.1 IPSec Basics.......................................................................................................................................................... 2025
9.2.1.1 Overview............................................................................................................................................................ 2025
9.2.1.2 Application Scenarios.........................................................................................................................................2025
9.2.1.2.1 Site-to-Site IPSec VPN....................................................................................................................................2026
9.2.1.2.2 Hub-Spoke IPSec VPN....................................................................................................................................2028
9.2.1.2.3 Remote VPN Access for an IKEv2 Client.......................................................................................................2031
9.2.1.2.4 IPSec Redundancy Design...............................................................................................................................2031
9.2.1.2.5 Application of IPSec Multiple Instances......................................................................................................... 2037
9.2.1.3 IPSec Framework............................................................................................................................................... 2038
9.2.1.3.1 Overview of the Protocol Framework............................................................................................................. 2038
9.2.1.3.2 Encapsulation Mode........................................................................................................................................ 2039
9.2.1.3.3 Security Protocol............................................................................................................................................. 2042
9.2.1.3.4 Encryption....................................................................................................................................................... 2044
9.2.1.3.5 Verification...................................................................................................................................................... 2045
9.2.1.3.6 Key Exchange..................................................................................................................................................2048
9.2.1.4 IPSec Security Association.................................................................................................................................2049
9.2.1.4.1 SA Overview................................................................................................................................................... 2049
9.2.1.4.2 IKEv1 SA Negotiation.....................................................................................................................................2051
9.2.1.4.3 IKEv2 SA Negotiation Process....................................................................................................................... 2055
9.2.1.5 Restrictions and Precautions...............................................................................................................................2059
9.2.1.6 IPSec VPN Configuration Overview..................................................................................................................2059
9.2.1.7 Configuring IPSec Using the Web UI................................................................................................................ 2060
9.2.1.7.1 Configuring an IPSec Policy in Site-to-Site VPN........................................................................................... 2060
9.2.1.7.2 Configuring an IPSec Policy in Hub-Spoke VPN........................................................................................... 2067
9.6.4.1 Configuring a VPN Instance Enabled with the IPv6 Address Family............................................................... 2730
9.6.4.2 Configuring Route-Related Attributes of the VPN instance IPv6 Address Family........................................... 2731
9.6.4.3 Binding an Interface to a VPN Instance............................................................................................................. 2733
9.6.4.4 Configuring MP-IBGP Between Hub-PE and Spoke-PE...................................................................................2734
9.6.4.5 Configuring Route Exchange Between PEs and CEs.........................................................................................2735
9.6.5 Configuring Inter-AS IPv6 VPN-Option A...........................................................................................................2736
9.6.6 Configuring Inter-AS IPv6 VPN-Option B........................................................................................................... 2737
9.6.6.1 Configuring MP-IBGP Between PEs and ASBRs in the Same AS................................................................... 2737
9.6.6.2 Configuring MP-EBGP Between ASBRs in Different ASs............................................................................... 2737
9.6.6.3 Controlling the Receiving and Sending of VPN Routes.................................................................................... 2738
9.6.6.4 (Optional) Storing Information About the VPN instance on the ASBRs...........................................................2739
9.6.6.5 Configuring Route Exchange Between PEs and CEs.........................................................................................2742
9.6.7 Configuring Inter-AS IPv6 VPN-Option C (Solution 1).......................................................................................2742
9.6.7.1 Enabling Exchange of the IPv4 Routes with Labels.......................................................................................... 2742
9.6.7.2 Configuring a Routing Policy to Control Label Distribution............................................................................. 2743
9.6.7.3 Establishing the MP-EBGP Peer Between PEs.................................................................................................. 2745
9.6.7.4 Configuring Route Exchange PEs and CEs........................................................................................................2746
9.6.8 Configuring Inter-AS IPv6 VPN Option C (Solution 2)....................................................................................... 2747
9.6.8.1 Establishing an EBGP Peer Relationship Between ASBRs............................................................................... 2747
9.6.8.2 Advertising the Routes of the PE in the Local AS to the Remote PE................................................................ 2747
9.6.8.3 Enabling Labeled IPv4 Route Exchange............................................................................................................ 2748
9.6.8.4 Establishing an LDP LSP for the Labeled BGP Routes of the Public Network................................................ 2749
9.6.8.5 Establishing an MP-EBGP Peer Relationship Between PEs..............................................................................2750
9.6.8.6 Enabling Route Exchange Between CEs and PEs..............................................................................................2750
9.6.9 Configuring Route Reflection for BGP VPNv6 Routes........................................................................................ 2751
9.6.9.1 Configuring the Client PEs to Establish MP IBGP Connections with the RR...................................................2751
9.6.9.2 Configuring the RR to Establish MP IBGP Connections with All Client PEs...................................................2751
9.6.9.3 Enabling Route Reflection for BGP VPNv6 Routes.......................................................................................... 2752
9.6.10 Maintaining BGP/MPLS IPv6 VPN....................................................................................................................2753
9.6.10.1 Displaying BGP/MPLS IPv6 VPN Information...............................................................................................2753
9.6.10.2 Checking the Network Connectivity and Reachability.................................................................................... 2754
9.6.10.3 Resetting BGP Statistics of a VPN Instance IPv6 Address Family................................................................. 2755
9.6.10.4 Resetting BGP Connections............................................................................................................................. 2755
9.6.11 Configuration Examples...................................................................................................................................... 2756
9.6.11.1 Example for Configuring BGP/MPLS IPv6 VPN............................................................................................ 2756
9.6.12 Reference............................................................................................................................................................. 2770
9.6.12.1 Specifications....................................................................................................................................................2770
9.6.12.2 Feature History................................................................................................................................................. 2772
9.6.12.3 Reference Standards and Protocols.................................................................................................................. 2772
10 Object....................................................................................................................................... 2774
10.1 Address Object and Address Group....................................................................................................................... 2776
10.1.1 Overview............................................................................................................................................................. 2776
10.1.2 Configuring an Address Object and Address Group Using the Web UI............................................................. 2776
10.1.3 Configuring an Address Object and Address Group Using the CLI................................................................... 2777
10.1.4 Maintaining Address Objects and Address Groups.............................................................................................2779
10.1.5 Reference............................................................................................................................................................. 2779
10.1.5.1 Specifications....................................................................................................................................................2779
10.1.5.2 Feature History................................................................................................................................................. 2781
10.2 Domain Group........................................................................................................................................................ 2781
10.2.1 Overview............................................................................................................................................................. 2781
10.2.2 Configuring Domain Groups Using the Web UI................................................................................................. 2782
10.2.3 Configuring Domain Groups Using the CLI....................................................................................................... 2782
10.2.4 Maintaining Domain Groups............................................................................................................................... 2783
10.2.5 Reference............................................................................................................................................................. 2783
10.2.5.1 Specifications....................................................................................................................................................2783
10.2.5.2 Feature History................................................................................................................................................. 2783
10.3 Region and Region Group...................................................................................................................................... 2784
10.3.1 Overview............................................................................................................................................................. 2784
10.3.2 Configuring Regions and Region Groups Using the Web UI..............................................................................2785
10.3.2.1 Modifying a Predefined Region....................................................................................................................... 2785
10.3.2.2 Creating a User-Defined Region...................................................................................................................... 2786
10.3.2.3 Creating a Region Group.................................................................................................................................. 2787
10.3.3 Configuring Regions and Region Groups Using the CLI....................................................................................2788
10.3.3.1 Modifying a Predefined Region....................................................................................................................... 2788
10.3.3.2 Creating a User-Defined Region...................................................................................................................... 2789
10.3.3.3 Creating a Region Group.................................................................................................................................. 2790
10.3.4 Maintaining Regions and Region Groups........................................................................................................... 2790
10.3.5 Reference............................................................................................................................................................. 2791
10.3.5.1 Specifications....................................................................................................................................................2791
10.3.5.2 Feature History................................................................................................................................................. 2791
10.4 Service and Service Group..................................................................................................................................... 2792
10.4.1 Overview............................................................................................................................................................. 2792
10.4.2 Configure a Service Object and Service Group Using the Web UI.....................................................................2794
10.4.3 Configuring a Service Object and Service Group Using the CLI....................................................................... 2796
10.4.4 Maintaining Service Object and Service Groups.................................................................................................2797
10.4.5 Reference............................................................................................................................................................. 2798
10.4.5.1 Specifications....................................................................................................................................................2798
10.4.5.2 Feature History................................................................................................................................................. 2798
10.5 Application and Application Group....................................................................................................................... 2798
10.5.1 Overview............................................................................................................................................................. 2799
10.5.2 Restrictions and Precautions................................................................................................................................2799
10.5.3 Predefined Application........................................................................................................................................ 2800
10.5.4 Configuring a User-Defined Application............................................................................................................ 2801
10.5.5 Configuring an Application Group......................................................................................................................2804
10.11.2 Mechanism.........................................................................................................................................................2909
10.11.2.1 Basic Concepts................................................................................................................................................2909
10.11.2.2 Mechanism of Applying Keychain to a Non-TCP Application......................................................................2911
10.11.2.3 Mechanism of Applying Keychain to TCP Applications............................................................................... 2913
10.11.3 Configuring a Keychain.....................................................................................................................................2915
10.11.3.1 Creating a Keychain........................................................................................................................................2915
10.11.3.2 Configuring a Key.......................................................................................................................................... 2916
10.11.3.3 Applying the Keychain................................................................................................................................... 2918
10.11.4 Maintenance.......................................................................................................................................................2919
10.11.5 Configuration Examples.................................................................................................................................... 2919
10.11.5.1 CLI: Example for Configuring Keychain Authentication for Non-TCP Application.................................... 2919
10.11.5.2 Example for Configuring Keychain Authentication for TCP Application..................................................... 2921
10.11.6 Reference........................................................................................................................................................... 2924
10.11.6.1 Feature History............................................................................................................................................... 2924
10.11.6.2 Standards and Protocols..................................................................................................................................2924
10.12 Authentication Server........................................................................................................................................... 2924
10.12.1 Overview........................................................................................................................................................... 2924
10.12.2 Configuring Authentication Servers Using the Web UI.................................................................................... 2927
10.12.2.1 Configuring a RADIUS Server.......................................................................................................................2928
10.12.2.2 Configuring an HWTACACS Server............................................................................................................. 2930
10.12.2.3 Configuring an AD Server..............................................................................................................................2932
10.12.2.4 Configuring an LDAP Server......................................................................................................................... 2935
10.12.3 Configuring Authentication Servers Using the CLI.......................................................................................... 2937
10.12.3.1 Configuring a RADIUS Server.......................................................................................................................2937
10.12.3.2 Configuring an HWTACACS Server............................................................................................................. 2940
10.12.3.3 Configuring an AD Server..............................................................................................................................2941
10.12.3.4 Configuring an LDAP Server......................................................................................................................... 2943
10.12.3.5 Maintaining the Authentication Servers......................................................................................................... 2944
10.12.4 Reference........................................................................................................................................................... 2946
10.12.4.1 Specifications..................................................................................................................................................2947
10.12.4.2 RADIUS Attributes........................................................................................................................................ 2949
10.12.4.3 Feature History............................................................................................................................................... 2961
10.12.4.4 Standards and Protocols..................................................................................................................................2962
1 System
This chapter describes the configurations of the basic functions, upgrade, and maintenance of
the device.
1.9 Logs
You can display logs to gain visibility into device operating, which facilitates fault location.
1.10 Alarms
By viewing alarms, you can rapidly be informed of faults occurring when the device is
running, helping quickly rectify the faults and ensure normal device operation.
1.11 Debugs
To learn about device running information or commission the device, you can output the
debugging information of a specified module through the information center to different
directions.
1.12 Setting the Mail Service
After the SMTP mail server is configured, the device can send information to a specified
email box.
1.13 Status Check and Packet Processing
You can modify the link status check function and packet processing mode to meet the
network environment requirements.
1.14 File System
This chapter describes how to manage the directories and files in the file system of the FW
and how to transfer files between the FW and other devices.
1.15 Configuration File
This section describes how to save, back up, and remove a configuration file as well as
conduct a comparison between configuration files.
1.16 System Upgrade
You can upgrade the system or install patches.
1.17 System Restart
You need to restart the system if the device works improperly or needs to be upgraded or to
replace the startup file.
1.18 User Experience Plan
This section describes the content of the user experience plan.
1.19 NQA
This chapter describes the Network Quality Analysis (NQA) mechanism, testing scenarios,
and general parameters and provides examples for configuring NQA.
Context
Figure 1-1 shows the networking diagram for the login to the FW through the console port.
Figure 1-1 Cabling between the PC and the Console port of the FW
COM Console
RS-232
PC NGFW
Procedure
Step 1 Connect the console cable.
1. Shut down the FW and power off the configuration terminal.
2. Connect the RS-232 serial port of the configuration terminal to the configuration
interface of the FW with a cable.
3. After checking the installation, power on the configuration terminal.
Step 2 Configure the terminal. The following examples describe terminal configurations in the
Windows XP and Windows 7 operating systems.
Windows XP
1. Run the terminal emulation program (such as the HyperTerminal on Windows XP) on
the PC. Choose Start > All programs > Accessories > Communications > Hyper
Terminal. The Connection Description dialog box is displayed.
2. In Name, enter the name (for example, COMM1) of the connection between the PC and
the FW. Then, select an icon in Icon, as shown in Figure 1-2.
7. Click OK.
Windows 7
1. Download the PuTTY software to the local device and double-click it to run the
software.
2. Choose Session, set the Connection type to Serial.
3. Set the parameters for connecting the serial port to the device.
Figure 1-5 shows detailed parameter settings.
Figure 1-5 Setting the PuTTY parameters for connecting the serial port to the FW
4. Click Open.
Step 3 Click Enter and enter account admin and password Admin@123.
NOTE
After three consecutive login failures through the console port, the system automatically locks out the
console port (prohibiting administrators login) for 10 minutes.
Step 4 Change the default administrator password and access the CLI interface.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password
needs to contain at least three types of the following characters: uppercase letters (A to Z), lowercase
letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
number signs (#), dollar signs ($), and percent (%).
Please keep the new password you entered safe for your next login.
----End
Follow-up Procedure
Log in to the device through the console port for management and configuration. You can also
create more administrators or establish the Telnet, STelnet, and web login environment. For
details, refer to 1.3 Administrators.
Prerequisites
The browser on the administrator PC must meet any of the following requirements:
l Internet Explorer: version 6.0 to 9.0
l Firefox (recommended): version 10.0 or later
l Chrome: version 17.0 or later
NOTE
When using Internet Explorer, you are advised to version 7.0 or later.
Procedure
Step 1 Connect the network interface of the administrator PC to management interface
GigabitEthernet 0/0/0 using network cables or layer-2 switches.
Step 2 Set the IP address of the administrator PC, within a range from 192.168.0.2 to 192.168.0.254.
Step 3 Open the browser on the administrator PC. In the address box, enter the default IP address of
the management interface (https://192.168.0.1:8443).
NOTE
If the address is http://192.168.0.1, the device automatically uses the more secure HTTPS to access the
web UI.
If the browser displays a notification for an insecure certificate, you can continue the browsing. For
security, you are advised to configure the specified certificate after logging in to the device. For details,
refer to 1.3.5.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate).
Click Open Source Software Notice in the web login page, you can check the related information about
the open source software notice.
Step 4 On the login page, enter the default user name admin and password Admin@123 of the
system administrator. Click Login.
NOTE
You can also use default audit administrator account audit-admin (password Admin@123) to log in to
the device.
After three consecutive login failures, the web UI is automatically locked out for 10 minutes to forbid
any user login.
Step 5 Changing the password of the default administrator account. Click OK to access the web UI.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password
needs to contain at least three types of the following characters: uppercase letters (A to Z), lowercase
letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
number signs (#), dollar signs ($), and percent (%).
Please keep the new password you entered safe for your next login.
----End
Follow-up Procedure
Use HTTPS to log in to the web UI for management and configuration. You can also create
more administrators. For details, refer to 1.3 Administrators.
By default, the Welcome to Startup Wizard page is displayed after the successful login. If you do not want
to enter the Startup Wizard page after login, select Do not display this page upon the next login on the
lower left of the page. Upon the next login, the Dashboard page is directly displayed.
----End
Basic Configuration
Step 1 In Basic Configuration, enter or select parameters listed in Table 1-1.
Parameter Description
Host Name Indicates the name of the device. The host name appears in the
command prompt, and can be modified as required.
Old Password Enters the old password. After you select Change
Administrator Password, Old Password becomes available.
New Password Enters the new password. After you select Change
Administrator Password, New Password becomes available.
Confirm Enters the new password again. Ensure that the new passwords
you entered twice are consistent. After you select Change
Administrator Password, Confirm becomes available.
----End
Time Settings
Step 1 In Time Settings, enter or select parameters listed in Table 1-2.
Parameter Description
Configuration Mode You can use one of the following methods to set the system
time:
l Manually Set the Time.
l Synchronize the Time with the Local System Time. If you
select this method, the time zone, date, and system time
cannot be manually set.
l Synchronize the Time with the NTP Server. If you select
this method, you also need to set the IP address of the NTP
server.
Time Zone Selects the time zone in which the device is located from the
drop-down list.
Parameter Description
Automatically adjust After this item is selected, the system automatically adjusts the
clock for daylight saving clock for the DST.
time (DST)
Start Time Indicates the start time of the DST. This item is displayed after
Automatically adjust clock for daylight saving time (DST)
is selected.
End Time Indicates the end time of the DST. This item is displayed after
Automatically adjust clock for daylight saving time (DST)
is selected.
Offset Time Indicates the offset time of the system in the DST mechanism.
This item is displayed after Automatically adjust clock for
daylight saving time (DST) is selected.
For example, set the Start Time to 08:00:00 on the first
Monday in August, End Time to 10:00:00 on the first Monday
in October, and Offset Time to 01:00:00. At 08:00:00 on the
first Monday in August, the system time is automatically
changed to 09:00:00. At 10:00:01 on the first Monday in
October, the system time is automatically changed to 09:00:01.
----End
WAN Mode
Select the Internet access mode based on the information supplied by the network service
provider. Internet access parameters vary with different access modes.
Step 1 In WAN Mode, select the Internet access mode, as shown in Table 1-3.
PPPoE Applies if you obtain a user name and password from the
network service provider.
----End
WAN Settings
Step 1 Enter or select parameters according to the Internet access mode.
l Table 1-4 shows parameters for access to the Internet through a static IP address.
Subnet Mask Indicates the subnet mask of the interface for accessing the
Internet.
The value is supplied by the network service provider and
is in 255.x.x.x format.
Primary DNS Server Indicates the IP address of the primary DNS server.
Generally, LAN hosts require to access the Web site by
using domain names. Therefore, you need to specify the IP
address of the DNS server.
The value is supplied by the network service provider.
Parameter Description
Secondary DNS Server Indicates the IP address of the secondary DNS server.
When the primary DNS server is faulty, the device accesses
the secondary DNS server for domain name resolution.
The value is supplied by the network service provider.
l Table 1-5 shows parameters for access to the Internet through DHCP.
Parameter Description
Interface The interface for accessing the Internet serves as the DHCP
client and attempts to obtain an IP address from the
network service provider (DHCP server).
l Table 1-6 shows parameters for access to the Internet through PPPoE.
Parameter Description
User Name Indicates the user name used by identity authentication for
access in PPPoE mode.
The value is supplied by the network service provider.
Obtain an IP Address Indicates that the interface for accessing the Internet
Automatically automatically obtains an IP address from the network
service provider.
Use the Following IP Manually sets the IP address of the interface for accessing
Address the Internet.
----End
LAN Settings
Step 1 In LAN Settings, enter or select parameters listed in Table 1-7.
Parameter Description
Subnet Mask Indicates the subnet mask of the interface connecting to the
LAN.
----End
Table 1-8 Parameter description of configuring the DHCP service on the LAN
Parameter Description
Enable DHCP Server on After the DHCP service on the LAN is enabled, users on the
LAN LAN can automatically obtain IP addresses ranging from the
start IP address to the end IP address.
Start IP Address Indicates the start IP address of the IP addresses assigned to the
DHCP client.
By default, the system takes the IP address mask range for the
interface as the assignable IP address range. For example, the
IP address of an interface is 192.168.1.5 255.255.255.0. When
you create a DHCP server on the interface, the system regards
Start IP Address as 192.168.1.1, and End IP Address to
192.168.1.254 by default. Because 192.168.1.5 is the IP
address of the interface, it will not be assigned. When
assignable IP address range is different from the default value,
you can directly specify the Start IP Address and End IP
Address.
Parameter Description
End IP Address Indicates the end IP address of the IP addresses assigned to the
DHCP client.
----End
Step 1 Check configuration information in Summary. After confirming the information, click
Apply.
Step 2 Wait a period of time. If the configuration information is successfully delivered, the Startup
Wizard Complete page is displayed.
----End
1.3 Administrators
This section describes how to configure administrators, including configuring administrator
accounts, administrator interfaces, and services.
1.3.1 Overview
The FW provides an administrator mechanism consisting of administrators and administrator
interfaces. The administrator interface is a unified management page over configuration UIs
and administrators using a login method.
CLI Cons Console is the basis of Console port The default account and
ole other CLI login methods. password are admin and
Only one administrator Admin@123. For details,
can operate at the same refer to 1.1.1 Logging In
time. Console is used in to the CLI Through the
the following scenarios: Console Port.
l An administrator logs
in to the CLI for the
first time.
l If an administrator
cannot log in to the
device remotely, the
administrator can log
in locally through the
console port.
l If a device cannot start
normally, the
administrator can
access the BootROM
menu through the
console port to load
the system software.
Teln This method applies to Any Ethernet Direct login is not enabled
et remote management and port reachable to by default. You must
maintenance. Multiple the login PC and configure the Telnet
administrators can operate device works. service. For details, refer
at the same time. You are advised to 1.3.5.3 Example for
to select Logging in to the CLI
management Using the Telnet (Local
interface Authentication) or 1.3.5.4
MGMTfor login. Example for Logging in
to the CLI Using the
Telnet (RADIUS Server
Authentication).
NOTICE
During Telnet login, data and
passwords are transmitted in
plaintext mode, causing
security risks. To secure data
transmission, use STelnet
instead.
audit-admin
NOTE
The FW classifies roles based on permissions on web configuration items. The FW assigns a role read-
write permission, read-only permission, or none permission on a web configuration item.
l The CLI structure differs from the web UI menu. Therefore, the CLI permission control of a role is
not the same as the previous operations on the web UI.
l On the administrator Web UI, the configuration rights are read-write, read-only, and none; on the
CLI, the rights are read-write and none. The read-only right on the Web UI is treated as the none
right on the CLI. If the configuration right of a user is read-only on the Web UI, the user can view
configurations on the Web UI, but cannot view the configurations on the CLI.
Except the role, each administrator has a level. In common cases, levels are configured only
for CLI administrators. The FW provides the following default level-role mappings for the
administrators that have levels configured but not bound to any role:
l 1: Monitoring level corresponds to Configuration administrator (monitoring).
l 2: Configuration level corresponds to Configuration administrator.
l 3: Management level to the 15th level correspond to System administrator.
That is to say, level-2 administrators have the operation permission of configuration
administrators.
On the FW, the role is the only factor that determines administrator permissions, especially
for CLI administrators. The level alone cannot determine the commands that can be executed
by a CLI administrator. For example, the default level of A feature commands is level-2, and
the level-2 administrator corresponds to the configuration administrator role. If the
configuration administrator does not have permission on feature A, the level-2
administrator cannot execute the commands of feature A.
NOTICE
Note the following when you use roles to control administrator permissions:
l If an administrator account is bound to a specific role, the level of the administrator role
takes precedence over the server authorization.
l The default administrator admin is not subject to control (no matter what method is used
for the login) and has permissions on all commands and web configurations except those
of the function.
l For CLI administrators using passwords for authentication, their permissions are
determined by the configurations on the administrator page.
l Local authentication
Both the administrator account and password are stored on the FW.
l Server authentication:
l Server and local authentication
The FW performs server authentication first. The FW performs local authentication only
if it fails to connect to the authentication server.
After the administrator account is created, the virtual system or authentication domain of a
user name must be obtained to log in to the device. For example, user username on virtual
system vsys with domain (domainname) authentication uses user name
username@domainname@@vsys to log in to and manage the FW.
Administrator Accounts
Table 1-11 shows the default administrators of the FW.
To secure FW, you are advised to follow the minimum authorization principle and plan
administrator accounts with different permissions to avoid administrator account sharing. If
default roles cannot meet requirements, you can create new administrator roles.
between the Local zone and the zone where the interface resides, to permit the
login.
For details on the configuration of the access control function on an interface, see 4.1
Interfaces.
Web Web-based Controls the web login behavior, such as setting timeout
administrator period after login and account lockout upon the failed
interface login.
Telnet/ CLI Virtual Controls Telnet or STelnet login behavior. By default, the
STelne admini Type service supports five VTY interfaces. A maximum of 15
t strator Terminal interfaces can be supported. The number of VTY
interfac (VTY) interfaces determines the maximum number of
e interface concurrent Telnet or STelnet administrators.
If an administrator logs in, the device automatically
assigns an idle VTY interface to the administrator in
order.
NOTICE
During Telnet login, data and passwords are transmitted in
plaintext mode, causing security risks. To secure data
transmission, use STelnet instead.
Table 1-13 lists relative and absolute numbers of the console, VTY, and WCON interfaces on
a FW.
Table 1-13 Relative and absolute numbers of the console, VTY, and WCON interfaces
CLI Absolute Relative Number
Administrat Number
or Interface
NOTE
You can run the display user-interface command on a FW to display the numbers of CLI administrator
interfaces.
level. For example, a level 2 interface allows an administrator to execute commands of levels
0, 1, and 2 only.
NOTE
If the CLI administrator interface uses AAA domain authentication, the administrator account level is
prior to the administrator interface level. The administrator interface level takes effect only when the
administrator account level is not set.
Parameter Description
Permission Control Permission for modules. Select one of the following options:
Modules l Read-write: Indicates the access and control permission on
the selected content.
l Read-only: Indicates only the access permission on the
selected content.
l None: Indicates no access or control permission on the
selected content. This is the default permission.
NOTE
l Only the default role system-admin has the Read-write
permission to SNMP module, even though the Read-write
permission to System > Setup has been configured when a role is
created.
l Only the default role system-admin has the Read-write
permission to admin module, even though the Read-write
permission to System has been configured when a role is created.
l Only the default role system-admin has the Read-write
permission to Log configuration module, even though the Read-
write permission to System has been configured when a role is
created.
l Only the default role system-admin has the Read-write
permission to System upgrade module, even though the Read-
write permission to System has been configured when a role is
created.
l Only the default role system-admin has the Read-write
permission to Configuration file Management module, even though
the Read-write permission to System has been configured when a
role is created.
l Only the default role system-admin has the Read-write
permission to the Diagnosis Info module, even though the Read-
write permission to Monitor has been configured when a role is
created.
l Only the default role system-admin has the Read-write
permission to the Quintuple Packet Capture module, even though
the Read-write permission to Monitor has been configured when
a role is created.
l Only the default role system-admin has the Read-write
permission to IPv6 configuration module, even though the Read-
write permission to Dashboard has been configured when a role is
created.
----End
Trusted Host IP address range of the hosts that can log in to the FW. The
value is in the format of IP address/mask. For example,
10.1.1.1/24 or 10.1.1.1/255.255.255.0 can be entered.
To add an address range, click and enter the range. A
maximum of 10 IP addresses ranges can be specified.
Advanced
Parameter Description
Service Type Login method, which can be WEB, Telnet, SSH, console, FTP,
and API.
NOTE
l After the FTP is specified, the system automatically generates an
FTP directory for the administrator. By default, the FTP directory
name is hda1:.
l There are security risks if the service type is configured to be
Telnet or FTP. So it is suggested to configure the service type to be
SSH.
l If the administrator service types are changed, the login
administrator will be forced offline.
l The API service is mutually exclusive with other service types. If
you specify the API service type, you cannot specify other service
types.
NOTE
By default, an administrator created using the web UI can log in to the device from a web page.
Interface access control, administrator service type, and enabled service on the device determine the
login method. For example, if an administrator wants to log in using HTTPS through the management
interface, the management interface must enable the HTTPS access control, the administrator account
must support HTTPS, and the device must enable HTTPS. For detailed configuration process, see 1.3.5
Configuration Examples.
----End
Follow-up Procedure
Modify administrator parameters. You can click of the administrator whose parameters
need to be modified.
NOTE
To change the password of an administrator, enter the current administrator account password in the
Please input the administrator current password dialog box that is displayed and then click Confirm.
----End
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use STelnet instead.
NOTICE
During FTP login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use SFTP instead.
Key Generation Interval Interval (hours) at which a FW SSH server generates a key.
SSH User Level Level of an administrator that uses SSH to log in to a FW.
A larger value indicates a higher level.
----End
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Access the AAA view.
aaa
Step 3 Create an administrator role and access the administrator role view.
role role-name
The administrator role referenced by an administrator cannot be deleted.
Step 4 Optional: Rename an administrator role.
rename new-role-name
Step 5 Optional: Add a description of an administrator role.
description description-information
Step 6 Grant the role the permission for configuration modules.
NOTE
feature-name is the module name. You can set one or more module names during configuration.
Operation Command
Grant permission for the dashboard module. dashboard { none | read-only | read-
write }
Grant permission for the monitor module. monitor { none | read-only | read-write }
[ feature-name ]
Grant permission for the network module. network { none | read-only | read-write }
[ feature-name ]
Grant permission for the object module. object { none | read-only | read-write }
[ feature-name ]
Grant permission for the policy module. policy { none | read-only | read-write }
[ feature-name ]
Grant permission for the system module. system { none | read-only | read-write }
[ feature-name ]
----End
Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.
3. Run the authentication-mode aaa command to set the authentication mode to AAA.
4. Run quit to return to the system view.
Step 2 Create an administrator.
1. Run the aaa command to access the AAA view.
2. Run the manager-user user-name command to configure an administrator account and
access the administrator view.
3. Run the service-type { api | ftp | ssh | telnet | terminal | web } * command to set the
service type for the administrator account.
By default, no service type is specified for an administrator created using the CLI.
NOTE
There are security risks if the service type is configured to be Telnet or FTP. So it is suggested to
configure the service type to be SSH.
Interface access control, administrator service type, and enabled service on the device determine
the login method. For example, if an administrator wants to log in using HTTPS through the
management interface, the management interface must enable the HTTPS access control, the
administrator account must support HTTPS, and the device must enable HTTPS. For detailed
configuration process, see 1.3.5 Configuration Examples.
If administrator service types are changed, the service types of online administrators are not
changed, but for the administrators logging in after service types are changed, the new service
types take effect.
If the administrator service types are changed, the login administrator will be forced offline.
The service types of virtual system administrators can be Web, Telnet, and SSH only.
The API service is mutually exclusive with other service types. If you specify the API service
type, you cannot specify other service types.
4. Run the password [ cipher cipher-password ] command to set a password for the
administrator account.
When setting a password, note the following points:
– The value is a string that contains 8 to 64 characters.
– To enhance security, a password must meet the minimum strength requirements,
that is, the password needs to contain at least three types of the following
characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and
special characters, such as exclamation points (!), at signs (@), number signs (#),
dollar signs ($), and percent (%).
– The password cannot contain more than two identical characters in a row.
– The password cannot be the same as the administrator name or reverse of the
administrator name.
– The interactive mode is recommended for creating administrator passwords because
the passwords configured by the cipher password command are not safe.
– A new administrator can use Admin@123 as the password but will be prompted to
change it upon login.
Step 5 Configure the permission and other attributes for the administrator account.
1. Control the administrator permission based on the administrator role or level.
In the AAA view, run the bind manager-user manager-name role role-name command
to bind the administrator account to a role.
If the administrator account is not bound to any role, you can run the level level
command in the administrator view to set the administrator level. The FW will determine
the administrator role based on the administrator level according to the following
mappings:
– The administrator role is prior to the administrator level. If an administrator is bound to a role,
the administrator level does not take effect.
– If the administrator permission is changed, the login administrator will be forced offline.
2. Optional: In the administrator view, configure attributes for the administrator account.
Operation Command
Operation Command
3. Optional: In the AAA view, enable the function of locking out the administrators that
fail the authentication.
– If the administrator logs in to the FW for the first time after password change
function is enabled, the FW prompts the administrator to change the password.
Otherwise, the administrator fails to log in.
– If the administrator's password is about to expire in 10 days, the FW will prompt the
administrator to change the password.
– If the administrator's password has expired, the FW will prompt the administrator to
change the password. Otherwise, the administrator fails to log in.
----End
Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.
3. Run the authentication-mode aaa command to configure the AAA authentication
mode.
4. Run the quit command to return the system view.
– Run the service-type { api | ftp | ssh | telnet | terminal | web } * command to set
the service type for the administrator account.
By default, no service type is specified for an administrator created using the CLI.
NOTE
There are security risks if the service type is configured to be Telnet or FTP. So it is
suggested to configure the service type to be SSH.
Interface access control, administrator service type, and enabled service on the device
determine the login method. For example, if an administrator wants to log in using HTTPS
through the management interface, the management interface must enable the HTTPS access
control, the administrator account must support HTTPS, and the device must enable HTTPS.
For detailed configuration process, see 1.3.5 Configuration Examples.
If the administrator service types are changed, the login administrator will be forced offline.
The service types of virtual system administrators can be Web, Telnet, and SSH only.
The API service is mutually exclusive with other service types. If you specify the API
service type, you cannot specify other service types.
– Run the authorization-scheme scheme-name command to bind the authentication
scheme for the administrator account.
– Reference the server template.
n Run the radius-server template-name command to reference the RADIUS
server template.
n Run the hwtacacs-server template-name command to apply the HWTACACS
server template.
n Run the ad-server template-name command to reference the AD server
template.
n Run the ldap-server template-name command to reference the LDAP server
template.
l Create an authentication domain.
If administrator domain authentication is used, the administrator account and password
must be created and saved on the authentication server. The FW does not have user
information configured. After an administrator is created, the administrator uses User
Name@Authentication Domain/Password to log in to and manage the FW.
NOTE
When administrator domain authentication is used, the administrator does not have any role. The
administrator level is set on the server. If not configured, the administrator level is determined by
command line authorization.
The administrator with server domain authentication has all service types without additional
configuration.
– Create an administrator on the server. For details, see the server-related document.
– Run the domain domain-name to create a domain (user group) and access the
domain view.
– Optional: Run the authorization-scheme scheme-name command to configure the
authorization scheme for the domain.
This authentication scheme must be the same as that configured in the AAA view.
– Apply the server template based on the selected authentication server.
Run the radius-server template-name command to apply the RADIUS server
template.
– Run the service-type administrator-access command to allow administrators to
access the authentication domain.
Step 4 Configure the permission and other attributes for the administrator account.
In the AAA view, run the bind manager-user manager-name role role-name command
to bind the administrator account to a role.
If the administrator account is not bound to any role, you can run the level level
command in the administrator view to set the administrator level. The FW will determine
the administrator role based on the administrator level according to the following
mappings:
– The administrator role is prior to the administrator level. If an administrator is bound to a role,
the administrator level does not take effect.
– If the administrator permission is changed, the login administrator will be forced offline.
2. Optional: Enable the function of locking out the administrators that fail the
authentication.
Operation Command
Operation Command
----End
Context
The FW enables ports 80 and 8443 to provide the HTTPS service by default. When you use
the web browser to access port 80, the FW automatically redirects the access to port 8443 for
you to log in through HTTPS.
You can run the undo web-manager enable command to disable port 80.
By default, if you fail to access the web page for three consecutive times, your account will be
locked for 30 minutes. In addition, the FW provides the web administrator page locking
function. If three administrator accounts that share the same IP address are locked within a
specific period, the web page will be locked for a period. The IP address cannot be used to
access the web page within the period. Therefore, the function prevents the passwords of
administrator accounts from be cracked by brute force attacks.
Procedure
Step 1 Access the system view.
system-view
NOTE
If you do not use the default port to log in, run the undo web-manager security enable [ port
port-number ] command in advance to disable the HTTPS service and default port 8443. Then
enable the HTTPS service again.
NOTICE
If you specify the all parameter, insecure encryption algorithms are included
which may pose security risks. You are advised to set the high-strength
parameter instead.
The certificate can be issued by a worldwide known certificate authority or a PC that supports the
certificate service. The PC must import a CA certificate before being able to authenticate a
certificate sent by the FW.
a. The FW generates a certificate request file, sends the file to the CA server to apply
for the certificate, and imports the local certificate to the FW. For the configuration
procedure, see 10.7 Certificate.
b. Optional:
Import the CA certificate obtained from the CA server which the FW applies for a
certificate to the browser. For details, see the instructions to the Firefox or Internet
Explorer.
NOTE
Although the client can still access the FW through HTTPS even if the CA certificate is not
imported to the browser, the client cannot authenticate the access and is vulnerable to
attacks.
c. Configure the FW to send a certificate to the client when the client accesses the FW
through HTTPS.
web-manager security server-certificate file-name
d. Enable HTTPS.
web-manager security enable [ port port-number ]
Enter the address of a FW following the string of "https://" in the address bar on the
web browser of the PC to log in to the FW. Ensure that the address is the same as
that specified in the certificate.
e. Configure an SSL or TLS protocol and an encryption algorithm. For the
configuration procedure, see Specify an SSL protocol and an encryption
algorithm.
----End
system-view
Existing VTY interfaces are assigned specified levels and authentication parameters manually.
If the maximum number of allowed VTY to be set is greater than the number of existing
VTYs, specify a level and a password for the password authentication mode for the new VTY.
You can also specify another authentication mode.
NOTE
By default, the maximum number of VTY administrator interfaces is five.
shell
Operation Command
Set the CLI administrator interface priority. user privilege level level
NOTE
The interactive mode is recommended for creating administrator passwords because the passwords
configured by the cipher password command are not safe.
----End
----End
Step 1 In the user view, enable the current interface to send messages to another administrator
interface.
send { all | ui-type ui-number | ui-number }
Step 2 Enter a message to be sent and press Ctrl+Z or Enter to send the message.
----End
Step 1 View online administrator information, including interfaces to which the administrators log in.
Write down the administrators to be logged out and their administrator interfaces.
display users
Step 2 In the user view, specify an interface to which administrators logged in are to be logged out.
free user-interface { ui-number | ui-type ui-number }
----End
Run the commands listed in Table 1-18 in any view to display information about CLI
administrator interfaces and administrator accounts.
Table 1-18 Displaying information about CLI administrator interfaces and administrator
accounts
Operation Command
Operation Command
1.3.5.1 Example for Logging in to the Web UI Using HTTPS (Default Certificate)
This section provides an example of how to configure HTTPS using the web and log in to the
web UI.
Networking Requirements
Figure 1-6 shows how to configure local authentication administrator webadmin that can use
HTTPS to log in to the web UI on the FW.
Figure 1-6 Networking diagram of logging in to the web UI using HTTPS (default certificate)
Administrator
GE1/0/3
10.3.0.1/24
10.3.0.10/24 FW
Data Planning
Item Data Description
Password Myadmin@123 -
Configuration Roadmap
1. Enable the HTTPS server on the interface.
2. Create an administrator role.
3. Create an administrator account and set the authentication mode, administrator role, and
trusted host.
4. Set the web service timeout period.
NOTE
This section describes only how to configure an administrator.
Procedure
Step 1 Enable the HTTPS server on interface GigabitEthernet 1/0/3.
NOTE
If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device,
skip this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface
has been added to the Trust zone, and the administrator is allowed to log in to the device using HTTPS.
1. Choose Network > Interface.
2. Click for interface GE1/0/3 and set the parameters as follows:
Zone trust
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Name service-admin
Description policy_object_network_readwrite_and_other_modules_non
e
Popedom
3. Click OK.
Password Myadmin@123
Role service-admin
Advanced
3. Click OK.
Step 4 Enable the HTTPS service (default certificate) and set the service port and web service
timeout period.
1. Choose System > Admin > Settings.
2. Select Enable next to HTTPS Service.
3. Click Apply.
Step 5 In the upper right of the page, click Save Then click OK in the dialog box that is displayed.
NOTE
If the browser displays a notification for an insecure certificate, you can continue the browsing.
Step 7 On the login UI, enter user name webadmin and password Myadmin@123 and click Login
to access the web UI.
----End
Configuration Scripts
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2000
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security enable
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin
password cipher %@%@*y:3*ZN}.%%qcL1cC|@XBVMDyDwlB.Wq'6JF(iOz2D8>A\SN%@%@
service-type web
level 15
acl-number 2000
authentication-scheme admin_local
#
bind manager-user webadmin role service-admin
role service-admin
description policy_object_network_readwrite_and_other_modules_none
dashboard none
monitor none
system none
network read-write
object read-write
policy read-write
#
return
Networking Requirements
Figure 1-7 shows how to configure FW authentication administrator webadmin that can use
HTTPS to log in to the web UI.
Figure 1-7 Networking diagram of logging in to the web UI using HTTPS (specified
certificate)
Administrator
GE1/0/3
10.3.0.1/24
10.3.0.10/24 FW
Data Planning
Item Data Description
Configuration Roadmap
1. Assign the administrator and device the certificates from one Certificate Authority (CA)
for connection security.
2. Create an administrator account and configure a trusted host for the administrator.
3. Set an IP address for the administrator PC.
Procedure
Step 1 Configure the certificate.
1. The FW generates a certificate request file. An administrator sends the file to the CA
server through web, disks, or emails to apply for a certificate. The CA server generates a
certificate. The administrator can use HTTP, LDAP, or other methods to download the
CA certificate and local certificate from the server that stores the certificate to the FW
memory and install the certificate. For detailed configuration process, see 10.7
Certificate.
NOTE
CA certificate cep_ca.cer and local certificate cep_local.cer are used as examples.
2. Optional: Obtain the CA certificate and import it to the browser of the administrator PC
(client). For details, refer to the help of the browser.
NOTE
Although the client can still access the device through HTTPS even if the CA certificate is not
imported to the browser, the client cannot verify the certificate and is prone to attacks.
3. Configure the device to send a certificate to the client when the client accesses the device
using HTTPS.
<FW> system-view
[FW] web-manager security server-certificate cep_local.cer
The device and PC must support the same SSL and encryption algorithm. If not, the SSL
negotiation fails.
3. Configure GigabitEthernet 1/0/3 IP address and enable the HTTPS service.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage https permit
[FW-GigabitEthernet1/0/3] quit
----End
Configuration Scripts
The configuration script of the administrator and web service is as follows:
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage https permit
#
firewall zone dmz
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2001
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security enable
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@
%@
service-type web
access-limit 10
acl-number 2001
authentication-scheme admin_local
#
bind manager-user webadmin role service-admin
role service-admin
description policy_object_network_readwrite_and_other_modules_none
dashboard none
monitor none
system none
network read-write
object read-write
policy read-write
#
return
1.3.5.3 Example for Logging in to the CLI Using the Telnet (Local Authentication)
By default, the Telnet is disabled on the device. You need to establish a Telnet login
environment. This section provides an example for configuring how to log in to the CLI using
the Telnet.
Context
NOTE
Telnet login is not secure. You are advised to log in to the CLI using STelnet.
Networking Requirements
Figure 1-8 shows that the FW has a local administrator. The local administrator has some
administrator permissions and can use the Telnet to log in to the CLI only from a local PC for
FW management and maintenance. The FW implements local authentication on
administrators.
Figure 1-8 Networking diagram of logging in to the CLI using the Telnet
Administrator( Telnet ) GE1/0/3
10.3.0.1/24
10.3.0.100/24 FW
Data Planning
Item Data Description
Configuration Roadmap
1. Configurations on the FW are as follows:
a. Enable the Telnet service on the FW.
b. Configure the administrator login interface.
c. Configure the VTY administrator interface.
d. Configure the administrator.
2. Configure the IP address of the administrator PC and use the Telnet software to log in to
the VTY interface.
Procedure
Step 1 If you log in to the CLI for the first time, reference Logging In to the CLI Through the
Console Port and establish the Telnet login environment.
Step 2 Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.
<FW> system-view
[FW] telnet server enable
If you use the default settings of management interface MGMT to log in to the device, do not perform
this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface
has been added to the Trust zone, and the administrator is allowed to log in to the device using Telnet.
1. Configure the interface IP address and interface-based access control and enable the
administrator to log in to the device through Telnet.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage telnet permit
[FW-GigabitEthernet1/0/3] quit
Set the authentication mode of the VTY administrator interface to AAA and idle
disconnection duration to 5 minutes (the default value is 10 minutes).
NOTE
The number of default VTY administrator interfaces is five. To add more interfaces, run the user-
interface maximum-vty number command.
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] protocal inbound telnet
[FW-ui-vty0-4] idle-timeout 5
[FW-ui-vty0-4] quit
By default, an account is locked for 30 minutes after three failed login attempts. In the
following example, the account is locked for 10 minutes after two failed login attempts.
[FW-aaa] lock-authentication enable
[FW-aaa] lock-authentication failed-count 2
[FW-aaa] lock-authentication timeout 10
----End
Configuration Scripts
#
telnet server enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage telnet permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocal inbound telnet
idle-timeout 5
#
aaa
authorization-scheme default
manager-user vtyadmin
password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@
%@
service-type telnet
level 15
lock-authentication enable
lock-authentication failed-count 2
lock-authentication timeout 10
1.3.5.4 Example for Logging in to the CLI Using the Telnet (RADIUS Server
Authentication)
By default, the Telnet is disabled on the device. You need to establish a Telnet login
environment. This section provides an example for configuring how to log in to the CLI using
the Telnet.
Context
NOTE
Telnet login is not secure. You are advised to log in to the CLI using STelnet.
Networking Requirements
Figure 1-9 shows that the FW has a local administrator. The local administrator has some
administrator permissions and can use the Telnet to log in to the CLI only from a local PC for
FW management and maintenance. RADIUS server authentication takes precedence over
local authentication. The FW implements local authentication on administrators only when
the RADIUS server does not respond.
Figure 1-9 Networking diagram of logging in to the CLI using the Telnet
RADIUS Server
172.16.0.2/24
GE1/0/2
Administrator( Telnet ) GE1/0/3 172.16.0.1/24
10.3.0.1/24
10.3.0.100/24 FW
Data Planning
Item Data Description
Configuration Roadmap
1. Configurations on the FW are as follows:
a. Enable the Telnet service on the FW.
b. Configure the administrator login interface.
c. Configure the VTY administrator interface.
d. Configure the administrator, authentication scheme, and RADIUS server template.
2. Configure the IP address of the administrator PC and use the Telnet software to log in to
the VTY interface.
Procedure
Step 1 If you log in to the CLI for the first time, reference Logging In to the CLI Through the
Console Port and establish the Telnet login environment.
Step 2 Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.
<FW> system-view
[FW] telnet server enable
If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device, do
not perform this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface
has been added to the Trust zone, and the administrator is allowed to log in to the device using Telnet.
1. Configure the interface IP address and interface-based access control and enable the
administrator to log in to the device through Telnet.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage telnet permit
[FW-GigabitEthernet1/0/3] quit
Set the authentication mode of the VTY administrator interface to AAA and idle
disconnection duration to 5 minutes (the default value is 10 minutes).
NOTE
The number of default VTY administrator interfaces is five. To add more interfaces, run the user-
interface maximum-vty number command.
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] idle-timeout 5
[FW-ui-vty0-4] quit
Step 5 Set the interface IP address, assign the interface to a security zone, and configure a security
policy.
By default, an account is locked for 30 minutes after three failed login attempts. In the
following example, the account is locked for 10 minutes after two failed login attempts.
[FW] aaa
[FW-aaa] lock-authentication enable
[FW-aaa] lock-authentication failed-count 2
[FW-aaa] lock-authentication timeout 10
----End
Configuration Scripts
#
telnet server enable
#
interface GigabitEthernet1/0/2
ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage telnet permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 5
#
aaa
authentication-scheme radius
authentication-mode radius local
manager-user vtyadmin
password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@
%@
service-type telnet
level 15
authentication-scheme radius
radius-server radius_server
lock-authentication enable
lock-authentication failed-count 2
lock-authentication timeout 10
1.3.5.5 Example for Logging in to the CLI Using the Telnet (HWTACACS Server
Authentication)
By default, the Telnet is disabled on the device. You need to establish a Telnet login
environment. This section provides an example for configuring how to log in to the CLI using
the Telnet.
Context
NOTE
Telnet login is not secure. You are advised to log in to the CLI using STelnet.
Networking Requirements
Figure 1-10 shows that the FW has a local administrator. The local administrator has some
administrator permissions and can use the Telnet to log in to the CLI only from a local PC for
FW management and maintenance. HWTACACS server authentication takes precedence over
local authentication. The FW implements local authentication on administrators only when
the HWTACACS server does not respond.
Figure 1-10 Networking diagram of logging in to the CLI using the Telnet
HWTACACS Server
172.16.0.2/24
GE1/0/2
Administrator( Telnet ) GE1/0/3 172.16.0.1/24
10.3.0.1/24
10.3.0.100/24 FW
Data Planning
Item Data Description
Configuration Roadmap
1. Configurations on the FW are as follows:
a. Enable the Telnet service on the FW.
b. Configure the administrator login interface.
c. Configure the VTY administrator interface.
d. Configure the administrator, authentication scheme, and HWTACACS server
template.
2. Configure the IP address of the administrator PC and use the Telnet software to log in to
the VTY interface.
Procedure
Step 1 If you log in to the CLI for the first time, reference Logging In to the CLI Through the
Console Port and establish the Telnet login environment.
Step 2 Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.
<FW> system-view
[FW] telnet server enable
If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device, do
not perform this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface
has been added to the Trust zone, and the administrator is allowed to log in to the device using Telnet.
1. Configure the interface IP address and interface-based access control and enable the
administrator to log in to the device through Telnet.
Set the authentication mode of the VTY administrator interface to AAA and idle
disconnection duration to 5 minutes (the default value is 10 minutes).
NOTE
The number of default VTY administrator interfaces is five. To add more interfaces, run the user-
interface maximum-vty number command.
[FW] user-interface vty 0 4
[FW-ui-vty0-4] authentication-mode aaa
[FW-ui-vty0-4] user privilege level 3
[FW-ui-vty0-4] idle-timeout 5
[FW-ui-vty0-4] quit
Step 5 Set the interface IP address, assign the interface to a security zone, and configure a security
policy.
NOTE
The default administrator (admin/Admin@123) can use Telnet, web, and console port to log in to the
device. If you use the administrator account to log in to the device, skip this step. Change the default
password upon first login as prompted and keep the new password secure.
1. Create an administrator account.
[FW] aaa
[FW-aaa] manager-user vtyadmin
[FW-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[FW-aaa-manager-user-vtyadmin] service-type telnet
[FW-aaa-manager-user-vtyadmin] authentication-scheme hwtacacs
[FW-aaa-manager-user-vtyadmin] hwtacacs-server hwtacacs_server
[FW-aaa-manager-user-vtyadmin] quit
[FW-aaa] bind manager-user vtyadmin role system-admin
----End
Configuration Scripts
#
telnet server enable
#
interface GigabitEthernet1/0/2
ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage telnet permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 5
#
aaa
authentication-scheme hwtacacs
authentication-mode hwtacacs local
manager-user vtyadmin
password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@
%@
service-type telnet
level 15
authentication-scheme hwtacacs
hwtacacs-server hwtacacs_server
lock-authentication enable
lock-authentication failed-count 2
lock-authentication timeout 10
Networking Requirements
Figure 1-11 shows that the FW has an administrator. The administrator wants to use STelnet
to log in to the VTY administrator interface of the FW after password authentication and
manage and maintain the FW.
Figure 1-11 Networking diagram of using STelnet to log in to the CLI (password
authentication)
Administrator(Stelnet) GE1/0/3
10.3.0.1/24
10.2.0.100/24 FW
Data Planning
Item Data
FW SSH sshadmin
account
Item Data
Authenticat Password
ion mode
Password Mydevice@123
Service STelnet
type
Configuration Roadmap
1. Configure FW as the SSH server.
– Enable the SSH service on the interface.
– Configure the VTY administrator interface.
– Create an SSH administrator account and specify the authentication type and
service type.
– Generate a local key pair.
– Enable the STelnet service.
– Configure the SSH service parameters.
2. Configure the administrator PC as the SSH client.
– Set an IP address for the administrator PC.
– Install the PuTTY software.
– Use PuTTY to log in to the FW through SSH.
NOTE
The prerequisite is that IP addresses of the interface and administrator PC, security zone, route, and
security policies have been configured. The following example introduces content related only to the
administrator.
Procedure
Step 1 Configure the FW.
1. Enable the SSH service on interface GigabitEthernet 1/0/3.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage ssh permit
[FW-GigabitEthernet1/0/3] quit
3. Create SSH administrator account sshadmin and set the authentication type and service
type to Password and Stelnet. In this example, local authentication is used. You can also
use server authentication in actual scenarios. For details, see 1.3.5.4 Example for
Logging in to the CLI Using the Telnet (RADIUS Server Authentication) and 1.3.5.5
Example for Logging in to the CLI Using the Telnet (HWTACACS Server
Authentication).
[FW] aaa
[FW-aaa] manager-user sshadmin
[FW-aaa-manager-user-sshadmin] password
Enter Password:
Confirm Password:
[FW-aaa-manager-user-sshadmin] service-type ssh
[FW-aaa-manager-user-sshadmin] quit
[FW-aaa] bind manager-user sshadmin role system-admin
[FW-aaa] quit
NOTE
The level of an SSH administrator is determined by the administrator level and the level of the
authentication mode or VTY interface. To ensure that the administrator can log in to the device
normally, you are advised to set the administrator level and the VTY interface level to not lower
than 3.
4. Generate a local key pair.
[FW] rsa local-key-pair create
The key name will be: FW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
b. Choose Connection > SSH in the left Category tree. The interface shown in
Figure 1-13 is displayed. In Protocol options, set Preferred SSH protocol version
to 2 and click Open.
c. Dialog box shown in Figure 1-14 is displayed upon the first login. Click Yes.
d. In the login page that is displayed, enter SSH administrator account sshadmin and
press Enter. Enter Mydevice@123 and press Enter again. You can log in to FW.
----End
Configuration Scripts
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
manager-user sshadmin
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type ssh
level 15
1.3.5.7 Example for Logging In to the CLI Using STelnet (RSA Authentication)
This section describes how to configure the administrator PC as the STelnet client and FW as
the STelnet server, and how to use STelnet to log in to the VTY administrator interface of the
FW after RSA authentication.
Networking Requirements
Figure 1-15 shows that the FW has an administrator. The administrator wants to use STelnet
to log in to the VTY administrator interface of the FW after RSA authentication and manage
and maintain the FW.
Figure 1-15 Networking diagram of using STelnet to log in to the CLI (RSA authentication)
Administrator(Stelnet) GE1/0/3
10.3.0.1/24
10.2.0.100/24 FW
Data Planning
Item Data
FW SSH sshadmin
account
Authenticat RSA
ion mode
Service STelnet
type
Configuration Roadmap
1. Generate a local RSA key pair on the PC and an RSA public key in the format supported
by the FW.
– Install the PuTTY software.
– Use the PuTTYgen tool to generate a local SSH-RSA key pair.
2. Configure FW as the SSH server.
– Enable the SSH service on the interface.
– Configure the VTY administrator interface.
– Save the RSA public key on the SSH client (the PC).
– Create an SSH administrator account.
– Enable the STelnet service.
3. Configure the administrator PC as the SSH client.
– Set an IP address for the administrator PC.
– Use PuTTY to log in to the FW through SSH.
NOTE
The prerequisite is that IP addresses of the interface and administrator PC, security zone, route, and
security policies have been configured. The following example introduces content related only to the
administrator.
Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local SSH-RSA key pair. (PuTTYgen 0.60 is used
as an example in the following part.)
a. Double-click PuTTYgen.exe. The interface shown in Figure 1-16 is displayed. In
Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC
starts to generate a local RSA key pair.
Figure 1-16 Selecting the SSH version for generating the local SSH-RSA key pair
b. Figure 1-17 shows the interface for generating a local RSA key pair. You must
move the mouse continuously during the generation of the local RSA key pair.
Move the pointer only in the window other than the process bar in green.
Otherwise, the progress bar suspends, and the generation of the key pair is stopped.
c. Figure 1-18 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
n OpenSSH: Copy the marked content in the Key text box.
n PEM: Click Save public key, enter public for the name of the public key file,
and click Save. Click Save private key, enter private for the name of the
private key file, and click Save.
NOTE
To enhance security, you must enter a password in the Key passphrase text box and enter
the password again in the Confirm passphrase text box to set a password for using this key
pair.
3. Save the RSA public key of the intranet PC. In this example, the RSA public key is
saved in the OpenSSH coding format.
NOTE
The level of an SSH administrator is determined by the administrator level and the level of the
authentication mode or VTY interface. To ensure that the administrator can log in to the device
normally, you are advised to set the administrator level and the VTY interface level to not lower
than 3.
5. Enable the STelnet service.
[FW] stelnet server enable
b. Choose Connection > SSH in the left Category tree. The interface shown in Figure
1-20 is displayed. In the Protocol options area, set Preferred SSH protocol
version to 2.
c. Select Auth in SSH. The dialog box shown in Figure 1-21 is displayed. Click
Browse, import the private key file private.ppk in the saved SSH-RSA key pair.
Figure 1-21 Importing the private key in the SSH-RSA key pair
d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 1-22.
NOTE
The saved session will be used when the PSFTP tool is used for SFTP login. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.
Figure 1-22 Importing the private key in the SSH-RSA key pair
e. Enter SSH administrator account sshadmin in the login page that is displayed and
press Enter. You can log in to FW.
NOTE
If a password is specified for using the key pair, you must enter the password for the login.
----End
Configuration Scripts
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
#
manager-user sshadmin
service-type ssh
level 15
Prerequisites
l The FW between the STelnet or Telnet server is routable.
l The STelnet server has been enabled on the server.
l The STelnet or Telnet user information configured on the STelnet or Telnet server has
been obtained.
Networking Requirements
The FW logs in to the server using STelnet or Telnet, as shown in Figure 1-23.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use STelnet instead.
FW
Stelnet/Telnet Server
Stelnt/Telnet Client
Procedure
l Configure the FW to access the server using Telnet.
a. Enable the Telnet service on the server.
b. Use the FW to log in to the server using Telnet.
<FW> telnet 10.2.2.1
<FW> system-view
[FW] ssh client first-time enable
ii. Copy the RSA keys. The information in bold is the RSA keys generated by the
client. Copy the keys and save them.
[FW] display rsa local-key-pair public
=====================================================
=====================================================
Time of Key pair created: 11:43:19 2013/9/17
Key name: FW_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
EC20AA8E 967145ED 186D85B4 3B928A81 C312F0E2
----End
1.3.6.1 Specifications
This section provides the specifications of the administrator.
Function Specifications
Func Sub- Description Supported or
tion functi Not
on
Performance Specifications
Function Specifications
Number of administrators 1
using console port login
Number of administrators 5
using web login
Total number of administrators 128 plus the number of virtual systems supported by the
that can be created in the root device
system and virtual systems
Log in to the device using 10.1.3.1 after the configurations are complete.
NOTE
Telnet login has security risks. You are advised to log in to the device through SSH.
1. Log in to the device through SSH by using account admin1 and then confirm the
permission assigned to the administrator account.
Run the display users command to view all login accounts. The account with the "+"
mark is the current administrator account, and the number of the account is VTY 0.
<FW> display users
User-Intf Delay Type Network Address AuthenStatus
AuthorcmdFlag
0 CON 0 47:47:45
no
Username :
Unspecified
2. Run the display user-interface command to view the permission of the administrator
account. The command output shows that VTY 0 corresponds to level 15 and has the
permission to change the console port password.
<FW> display user-interface
Idx Type Tx/Rx Modem Privi ActualPrivi Auth
Int
0 CON 0 9600 - 15 15 P
-
+ 34 VTY 0 - 15 15 A -
......
3. Change the console port password based on the authentication mode of the console port.
– The console port uses the password authentication mode.
Change the console port password to Admin@1234.
<FW> system-view
[FW] user-interface console 0
[FW-ui-console0] set authentication password
Please configure the login password
(8-16)
Enter
Password:
Confirm Password:
Confirm Password:
4. Then you can uses the changed password to log in to the device through the console port.
1.4.1 Overview
This section describes the definition and objective of the system clock.
Definition
The system clock indicates the current time of the device. It is an important parameter for
device running.
Objective
You can view the time of device logs and alarms to know the exact time when a specific event
happens. In addition, if multiple devices interwork on a network, configuring a correct system
time ensures the accuracy and consistency of device collaboration.
To change a date, select the date item (such as the year) and enter a new value. Alternatively,
click and select a date from the calendar that is displayed.
To change the system time, select the time item (such as the hour) and enter a new value.
Alternatively, click / on the right.
----End
Step 2 Select Synchronize the Time with the Local System Time in Configuration Mode.
----End
----End
----End
1.5.1 Overview
1.5.1.1 Overview
A license is a type of contract from the vendor who confers certain rights to a customer. These
rights include usage scope of a product and time period of its usage. Licenses can dynamically
control whether some features of a product are available. If new devices are deployed, you
can purchase new licenses as needed to enable license-controlled features and functions on the
devices. This reduces purchase costs. If the capacities of existing devices are expanded, you
can update the licenses used on the devices to enable more license-controlled features and
functions.
Definition
A license is a permission or authorization granted by the supplier to the customer regarding
the function, resource, and upgrade service of a product. The license is physically the
combination of a license file and a license authorization certificate.
After the license is purchased, the carrier provides the license authorization certificate for the
user to activate the license. The license authorization certificate contains the contract number,
license entitlement ID, and the content of the license.
A license file is a .dat file obtained after the license is activated. Customers need to load the
license file to the device or software to use the functions that require a license.
Categories
Licenses are divided into commercial licenses and non-commercial licenses according to their
actual purpose.
l Commercial license
This license is purchased under contract. If the customer needs to use license-controlled
features or the resources beyond the upper quantity limit, the customer must purchase
commercial licenses.
The commercial licenses are permanent or temporary. The permanent commercial
license includes the license certificate and the electronically delivered license file. Unless
otherwise specified, the term commercial license herein refers to permanent commercial
license. The temporary commercial license is for trial use or similar purposes.
l Non-commercial license
The license applies to non-commercial purposes such as internal tests, demonstrations,
and trainings. The non-commercial license requires no contract, and has a limited
validity period, which is no longer than three months.
According to authorization modes, licenses are classified into single-device licenses and
network licenses.
l Single-device licenses
The single-device license refers to that each FW corresponds to a separate license. This
type of license applies to scenario where the VM environment is fixed and licenses are
not updated frequently.
Each FW purchases, applies for, or activates licenses independently. In case of an ESN
change due to capacity expansion, a license certificate change, or FW migration, the
corresponding license needs to be updated.
l Network licenses
The network license refers to that all FWs in a cloud data center share one license. In this
case, a license server needs to deployed to manage the license in a unified manner and
send requests to the license center website (ESDP platform) for activating or updating
the license.
The FW competes with other devices to apply for resource authorization from the license
server. If the number of available resources on the license server is greater than or equal
to the number of requested ones, the authorization application succeeds.
Network licenses apply to rapid FW start or stop in a cloud data center. In this case, the
ESN of the FW changes rapidly, and the requirement of each FW for resources
dynamically changes.
Because the license server is fixed and the total requirements of all FWs for resources
are fixed, the corresponding license does not need to be updated even through the ESN
or resource requirement of each FW changes frequently.
NOTE
You must purchase the license for the basic software service time. Otherwise, the other license control items
do not take effect during license activation.
The control items excluding those for virtual systems correspond to different licenses based on models.
Basic software service time The functions that are not The validity periods of the
controlled by licenses are license-controlled functions,
available. resources, and upgrade
The maximum forwarding services are the same as the
throughput is 50 Mbit/s, and basic software service time
the maximum number of and classified into
sessions is 100. permanent and one-year.
After the validity period
expires, no license-
controlled function,
resource, or upgrade service
is available.
The forwarding throughput
and number of sessions are
limited by the device
performance.
Number of virtual systems Ten virtual systems are You can increase the number
supported. of supported virtual systems
by purchasing a license, but
the number of virtual
systems cannot exceed the
upper threshold supported
by the device. The
maximum number of virtual
systems supported by the
license varies according to
device models:
l USG6000V1: 20
l USG6000V2: 50
l USG6000V4: 200
l USG6000V8: 500
Control Item Status When the License Status When the Official
Is Not Activated License Is Activated
License Management
Single-device license management includes applying for, loading, and replacing the licensing
files. Table 1-20 describes license management.
2 Loadin The license file is Upload the license file to the Licenses are
g the obtained from the device and activate it. activated.
license license self-service
file platform.
The license file is 1. Revoke the current license file Licenses are
damaged because and obtain the invoke code activated.
the content of the 2. Log in to the license self-
existing license file service platform and enter the
is changed due to ESN and license revoke code
misoperation or the to retrieve the invalid license
license file is not file.
compatible with
existing licenses 3. Upload the new license file to
after device upgrade. the device and activate it.
The ESN is changed 1. Revoke the current license file Licenses are
during FW and obtain the invoke code activated.
migration and 2. Log in to the license self-
mismatches with the service platform, enter the
current license file, ESN and license revoke code,
you need to revoke and change the ESN to apply
the current license for a new license file.
file, obtain the
revoke code, and 3. Upload the new license file to
apply for a new the device and activate it.
license file.
License
License resource pool
Server
IPS IPS
IPS IPS
AV AV VSYS=100
SLB VSYS=150
VSYS=20 VSYS=50
After obtaining the ESN of the license server and the entitlement ID of the license certificate,
the administrator logs in to the license self-service platform to activate the license file and
uploads the license file to the license server. After the license file expires, the license server
can still deliver authorization within the grace period (60 days) of the license file as it does
when the license file is activated. After the grace period expires, the license server cannot
deliver any authorization.
To perform capacity expansion or replace the license server, apply for a new license file.
Before FW, apply for resource authorization from the license server.
Each FW applies for resources from the license server. The license server responds to the FW
by determining whether the license is within the validity period and whether the number of
available resources is greater than or equal to the number of requested ones. If the license is
within the validity period and the number of available resources is greater than or equal to the
number of requested ones, the license server assigns the resources to the FW. Otherwise, the
application fails.
If the FW does not use some functions or resources, the FW needs to request the license
server to release the corresponding authorization for timely resource sharing. If the FW
cannot proactively release authorization due to a network fault, the administrator can force the
FW to release the authorization through the license server, implementing flexible license
resource control.
If the FW and license server fails to communicate due to a fault, such as a fault in the FW, a
fault in the license server, and a fault in the device between the FW and license server and the
fault lasts less than 24 hours, the FW can continue to use the requested resources after the
communication with the license server recovers. If the fault lasts 24 hours or more than 24
hours, the requested authorization requested by the FW will be automatically deregistered and
retired to the resource pool, and the FW needs to reapply for required authorization.
When applying for the authorization for resources, the device must apply for the authorization for the basic
software. Otherwise, the authorization for resources does not take effect even if it is requested.
The control items excluding those for virtual systems correspond to different licenses based on models.
Basic software The functions that are not The validity periods of all
controlled by licenses are license-controlled functions
available. excluding the intrusion
The maximum forwarding prevention and antivirus
throughput is 50 Mbit/s, and signature database upgrade
the maximum number of services are the same as that
sessions is 100. of the basic software service
for a specific model defined
in the license.
The forwarding throughput
and number of sessions are
limited by the device
performance.
Control Item Status When the License Status When the Official
Is Not Activated License Is Activated
Number of virtual systems Ten virtual systems are Each FW requests the
supported. number of virtual systems
from the license server, but
the number of requested
virtual systems cannot
exceed the upper threshold
supported by the device.
The maximum number of
virtual systems supported by
the license varies according
to device models:
l USG6000V1: 20
l USG6000V2: 50
l USG6000V4: 200
l USG6000V8: 500
Intrusion prevention The function is available but After the license for
cannot be automatically intrusion prevention is
upgraded. requested from the license
server, intrusion prevention
can be used and
automatically upgraded.
The validity period of the
upgrade service is the same
as that of the IPS upgrade
service for a specific model
defined in the license. After
the license is expired, the
upgrade service becomes
unavailable, but the
intrusion prevention
function is still available.
Control Item Status When the License Status When the Official
Is Not Activated License Is Activated
License Management
Network-type license management includes applying for, loading, and replacing the licensing
files. Table 1-22 describes license management.
1 Applyi l The ESN of the Log in to the license self-service The license
ng for license server is platform and enter the ESN and file is
a obtained. the entitlement ID of the license obtained.
license l A license is certificate to apply for a license
file purchased to file.
obtain the license
certificate.
2 Loadin The license file is Upload the license file to the Licenses are
g the obtained from the license server and activate it. activated.
license license self-service
file platform.
Overview
Single-device licenses apply to scenarios where the VM environment is fixed, licenses do not
need to be updated frequently, and each FW purchases, applies for, and activates licenses
independently.
Before FW, you need to purchase the required license certificate and activate the license.
Before related licenses are activated, the maximum forwarding throughput is 50 Mbit/s, a
maximum of 100 sessions and a maximum of 10 virtual systems are supported, intrusion
prevention and antivirus are available but cannot be automatically upgraded, and functions
that are not controlled by licenses are available. After related licenses are activated, the
license-controlled functions and resources (upgrade services) are controlled according to the
licenses. After licenses expire or are revoked, the device enters the grace period of the
licenses. Users are allowed to access the device within the grace period (60 days) as they do
when the licenses are activated. After the grace period expires, the device enters the state
before the licenses are activated.
Find the license certificate in the delivery accessories and obtain the entitlement ID, as shown
in Figure 1-25.
NOTE
The license certificate is delivered together with the product to the customer in A4 papers or CD-ROMs.
If the license certificate is list, log in to the http://app.huawei.com/isdp (ESDP platform) to retrieve it
based on the contract number.
The license certificates may be different due to different purchase channels.
An ESN uniquely identifies a hardware device or software system. Before loading the license
file, ensure that the ESN of the device or system is the same as that in the license file.
Otherwise, the license file fails to be activated.
Log in to the device and choose Dashboard. In System Information, obtain SN.
Step 3 Obtain the license file from the license self-service platform.
Log in to the http://app.huawei.com/isdp and obtain the license file according to the system
Help or information.
NOTE
When you apply for licenses for multiple devices, ensure that the entitlement ID and ESN of each device
match each other.
If you cannot obtain the license file in time, contact the customer service center.
Step 4 To carry out capacity expansion and add license-controlled functions, use the ESN and new
entitlement ID to obtain a new license file through the license self-service system. In this case,
the previous procedure still is applicable.
The license center automatically combines the licenses for new features with the existing
license and generates a new license.
----End
----End
Revoking Licenses
Licenses can be revoked only through command lines.
In the following scenarios, you need to revoke the existing licenses of the device and obtain
the revoke code, use the license revoke code and ESN to obtain a new license file through the
license self-service platform, and upload the new license file to the device and activate it.
l The license file is damaged because the content of the existing license file is changed
due to misoperation.
l The license file is not compatible with existing licenses after device upgrade.
l The ESN is changed due to FW migration.
NOTICE
The license file of the device cannot be reactivated after being revoked, regardless of whether
the license file expires or not.
Overview
Network licenses apply to rapid FW start or stop in a cloud data center. In this case, the ESN
of the FW changes rapidly, and the requirement of each FW for resources dynamically
changes.
When a network licenses is used, a license server is required to send requests to the license
center website (ESDP platform) for activating or updating license files and manage license
resources. For details on license server installation and deployment, see the product
documentation of the license server.
As shown in Figure 1-26, the administrator sends requests in a unified manner to the license
self-service platform (ESDP platform) for activating the license file and uploads the license
file to the license server. The license server manages the license resources in a unified manner.
All FWs serve as license clients and communicate with the license server through TCP/IP.
License
License resource pool
Server
IPS IPS
IPS IPS
AV AV VSYS=100
SLB VSYS=150
VSYS=20 VSYS=50
After obtaining the ESN of the license server and the entitlement ID of the license certificate,
the administrator logs in to the license self-service platform to activate the license file and
uploads the license file to the license server. After the license file expires, the license server
can still deliver authorization within the grace period (60 days) of the license file as it does
when the license file is activated. After the grace period expires, the license server cannot
deliver any authorization.
To perform capacity expansion or replace the license server, apply for a new license file.
Before FW, apply for resource authorization from the license server.
When no resource authorization is requested, the maximum forwarding throughput is 50
Mbit/s, a maximum of 100 sessions and a maximum of 10 virtual systems are supported,
intrusion prevention and antivirus are available but cannot be automatically upgraded, and
functions that are not controlled by the license are available. After resource authorization is
required, license-controlled functions and resources are controlled based on the number of
requested resources.
Each FW applies for resources from the license server. The license server responds to the FW
by determining whether the license is within the validity period and whether the number of
available resources is greater than or equal to the number of requested ones. If the license is
within the validity period and the number of available resources is greater than or equal to the
number of requested ones, the license server assigns the resources to the FW. Otherwise, the
application fails.
If the FW does not use some functions or resources, the FW needs to request the license
server to release the corresponding authorization for timely resource sharing. If the FW
cannot proactively release authorization due to a network fault, the administrator can force the
FW to release the authorization through the license server, implementing flexible license
resource control.
If the FW and license server fails to communicate due to a fault, such as a fault in the FW, a
fault in the license server, and a fault in the device between the FW and license server and the
fault lasts less than 24 hours, the FW can continue to use the requested resources after the
communication with the license server recovers. If the fault lasts 24 hours or more than 24
hours, the requested authorization requested by the FW will be automatically deregistered and
retired to the resource pool, and the FW needs to reapply for required authorization.
Step 1 Log in to the web UI and choose System > License Management.
When applying for authorization for resources, apply for the authorization for basic software. Otherwise, the
authorization for resources does not take effect even after being requested. That is, Basic Software is
mandatory, and other resources can be selected as required.
By default, a maximum of 10 virtual systems can be created. After the license is activated, 10 plus the
number of virtual systems specified in the license can be created totally.
Step 5 Click Activate to apply for resources from the license server.
In License Status, you can view the license status and authorization of each type of resource.
NOTE
If you apply for license activation several times, your last application result takes effect, and the activated
resources are not accumulated.
----End
Releasing Authorization
If the FW does not use some functions or resources, the FW needs to request the license
server to release the corresponding authorization for timely resource sharing.
Step 1 Log in to the web UI and choose System > License Management.
Step 3 Click Deactivate at the right site of License Status to release all requested authorization.
In License Status, you can view the license status and authorization of each type of resource.
----End
Overview
Single-device licenses apply to scenarios where the VM environment is fixed, licenses do not
need to be updated frequently, and each FW purchases, applies for, and activates licenses
independently.
Before FW, you need to purchase the required license certificate and activate the license.
Before related licenses are activated, the maximum forwarding throughput is 50 Mbit/s, a
maximum of 100 sessions and a maximum of 10 virtual systems are supported, intrusion
prevention and antivirus are available but cannot be automatically upgraded, and functions
that are not controlled by licenses are available. After related licenses are activated, the
license-controlled functions and resources (upgrade services) are controlled according to the
licenses. After licenses expire or are revoked, the device enters the grace period of the
licenses. Users are allowed to access the device within the grace period (60 days) as they do
when the licenses are activated. After the grace period expires, the device enters the state
before the licenses are activated.
NOTE
The license certificate is delivered together with the product to the customer in A4 papers or CD-ROMs.
If the license certificate is list, log in to the http://app.huawei.com/isdp (ESDP platform) to retrieve it
based on the contract number.
The license certificates may be different due to different purchase channels.
An ESN uniquely identifies a hardware device or software system. Before loading the license
file, ensure that the ESN of the device or system is the same as that in the license file.
Otherwise, the license file fails to be activated.
After logging in to the device, you can run the display esn command in any view to obtain
the ESN.
Step 3 Obtain the license file from the license self-service platform.
Log in to http://app.huawei.com/isdp to obtain the license file according to the system Help
or information.
NOTE
When you apply for licenses for multiple devices, ensure that the entitlement ID and ESN of each device
match each other.
If you cannot obtain the license file in time, contact the customer service center.
Step 4 To carry out capacity expansion or add license-controlled functions, you must reapply for the
license file according to the preceding procedure.
The license center automatically combines the licenses for new features with the existing
license and generates a new license.
----End
dir
Step 2 Upload the license file to the root directory of the storage device.
The license file can be renamed but its license file name extension .dat cannot be changed.
Otherwise, the system cannot properly load the license file. The license file is stored in the
root directory of the storage device.
For details on how to upload the license file to the root directory of the storage device, see
1.14.3 Transferring Files.
Step 3 Activate the specified license file.
license active file-name
After activating the license file, you can run the display license command to view license
information.
----End
Revoking Licenses
In the following scenarios, you need to revoke the existing licenses of the device and obtain
the revoke code, use the license revoke code and ESN to obtain a new license file through the
license self-service platform, and upload the new license file to the device and activate it.
l The license file is damaged because the content of the existing license file is changed
due to misoperation.
l The license file is not compatible with existing licenses after device upgrade.
l The ESN is changed due to FW migration.
NOTICE
The license file of the device cannot be reactivated after being revoked, regardless of whether
the license file expires or not.
----End
Overview
Network licenses apply to rapid FW start or stop in a cloud data center. In this case, the ESN
of the FW changes rapidly, and the requirement of each FW for resources dynamically
changes.
When a network licenses is used, a license server is required to send requests to the license
center website (ESDP platform) for activating or updating license files and manage license
resources. For details on license server installation and deployment, see the product
documentation of the license server.
As shown in Figure 1-28, the administrator sends requests in a unified manner to the license
self-service platform (ESDP platform) for activating the license file and uploads the license
file to the license server. The license server manages the license resources in a unified manner.
All FWs serve as license clients and communicate with the license server through TCP/IP.
License
License resource pool
Server
IPS IPS
IPS IPS
AV AV VSYS=100
SLB VSYS=150
VSYS=20 VSYS=50
After obtaining the ESN of the license server and the entitlement ID of the license certificate,
the administrator logs in to the license self-service platform to activate the license file and
uploads the license file to the license server. After the license file expires, the license server
can still deliver authorization within the grace period (60 days) of the license file as it does
when the license file is activated. After the grace period expires, the license server cannot
deliver any authorization.
To perform capacity expansion or replace the license server, apply for a new license file.
Before FW, apply for resource authorization from the license server.
When no resource authorization is requested, the maximum forwarding throughput is 50
Mbit/s, a maximum of 100 sessions and a maximum of 10 virtual systems are supported,
intrusion prevention and antivirus are available but cannot be automatically upgraded, and
functions that are not controlled by the license are available. After resource authorization is
required, license-controlled functions and resources are controlled based on the number of
requested resources.
Each FW applies for resources from the license server. The license server responds to the FW
by determining whether the license is within the validity period and whether the number of
available resources is greater than or equal to the number of requested ones. If the license is
within the validity period and the number of available resources is greater than or equal to the
number of requested ones, the license server assigns the resources to the FW. Otherwise, the
application fails.
If the FW does not use some functions or resources, the FW needs to request the license
server to release the corresponding authorization for timely resource sharing. If the FW
cannot proactively release authorization due to a network fault, the administrator can force the
FW to release the authorization through the license server, implementing flexible license
resource control.
If the FW and license server fails to communicate due to a fault, such as a fault in the FW, a
fault in the license server, and a fault in the device between the FW and license server and the
fault lasts less than 24 hours, the FW can continue to use the requested resources after the
communication with the license server recovers. If the fault lasts 24 hours or more than 24
hours, the requested authorization requested by the FW will be automatically deregistered and
retired to the resource pool, and the FW needs to reapply for required authorization.
system-view
Step 2 Configure an IP address and port number for the license server.
To use a network license, you need to configure an IP address and port number for the license
server so that devices can communicate with the license server. Ensure that the IP address and
port number of the license server configured on the devices are the same as those on the
license server.
By default, control items over functions and control items over upgrade services are not
enabled, and 10 virtual systems are supported.
When applying for authorization for resources, the device must apply for authorization for
basic software. Otherwise, the authorization for resources does not take effect even if it is
requested.
If you apply for license activation several times, your last application result takes effect, and
the activated resources are not accumulated.
net-license active
You can run the display net-license status command to check the network license status,
including the license server status and authorization of each type of resource.
----End
Releasing Authorization
If the FW does not use some functions or resources, the FW needs to request the license
server to release the corresponding authorization for timely resource sharing.
system-view
----End
Debugging a License
Before the debugging, you must run the terminal monitor and terminal debugging
commands in the user view to enable the display of logs, messages, debugging messages on
the terminal, so that debugging messages can be displayed on the terminal.
NOTICE
Enabling the debugging function compromises the system performance. Therefore, after
debugging, run the undo debugging all command to disable the debugging function at once.
When Should I Start to Calculate the Activation Time of License Control Items?
When the ESDP binds authorization IDs and device ESNs and generates a license file, the
system time of the ESDP is the activation time of all license control items. The validity
periods of the license control items start from the activation time.
After the license file is generated, download and load it on the device to prevent resource
wastes.
1.6.1 Overview
You can connect to the update center to update your signature databases to detect the latest
intrusions, viruses, applications, malicious domain names,and locations of IP addresses.
Before you update the IPS signature, malicious domain name, or antivirus signature database, ensure
that the license for the specified database update service has been activated. The Intrusion prevention
signature database and malicious domain name database use the same update license.
Online update The FW connects to the update center over the Internet to
update the signature databases.
NOTE
Generally, the update center is the security center platform. Enterprises
will create their own update centers if their networks are isolated from
the Internet (such as for military sectors).
2
Intranet
FW
Update using a proxy When the FW cannot communicate with the update center over
server the Internet, a proxy server can be used to connect to the
update center and download signature databases for the FW.
NOTE
If the proxy server runs the Windows operating system, CCProxy is
recommended. If the proxy server runs the Linux operating system,
Squid is recommended. Ensure that the proxy server enables the HTTP
port and four access methods, namely, PUT, GET, CONNECT, and
POST.
1. Connects to the proxy server and sends it an update request.
2. Confirms the identity.
3. Forwards the update request and verifies the update
Security Service Center
permission.
4. Downloads the latest signature database.
1
Intranet 2
3
4
FW Proxy Server
Local update When the FW is physically isolated from the Internet and no
proxy server is deployed on the intranet, you can update
signature databases locally.
NOTE
The region identification signature database supports only local update.
Administrator
FW
Before you update the IPS signature, malicious domain name, or antivirus signature database,
ensure that the license for the specified database update service has been activated. The IPS
signature database and malicious domain name database use the same update license.
1.6.4.1 Preparation
This section describes preparations for signature database updates.
Step 2 In License Resource, search for the signature database to be updated. Check whether the
license is activated or expired in State.
l If State is Disable, activate the license. For operations, see 1.5.2 Managing Licenses
Using the Web UI.
l If State indicates that the service has expired, renew the corresponding license.
----End
Step 2 In System Resource, move the pointer to CF Card Usage to view the CF card usage.
----End
Step 2 In Update Center List, view Status of the signature database to be updated.
----End
Step 2 In Update Center List, view Status of the signature database to be updated and determine
whether it requires an update.
----End
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the FW.
l The FW can access the update server directly or through the proxy server.
l If the FW can access the update server directly, a security policy must have been
configured to permit HTTP and FTP traffic. If the FW can access the update server
through the proxy server, a security policy must have been configured to permit HTTP
traffic.
Procedure
Step 1 Choose System > Update Center.
Step 3 In the Configure Server dialog box that is displayed, set the IP address of the update server.
Parameter Description
Server IP Address Enter the IP address of the server that the FW accesses for the
scheduled update. By default, update through Huawei security
center (domain name: sec.huawei.com) is used.
NOTE
l You must configure the DNS to parse the domain name of the
security center. For details, see 4.6.4 DNS Configuration Using
the Web UI.
l To update through another update server, set the server IP address
to that of the specified update server.
port Enter the port of the server. The default value is 80.
Connect to the upgrade If the FW cannot access the update center directly, select this
center through a proxy item and configure a proxy server for the update.
server
Address If the FW cannot communicate with the update center over the
Internet, configure a proxy server to connect to the update
center and download signature databases for the FW. The
proxy server address can be an IP address or domain name.
NOTE
If a proxy server domain name is used, you must configure DNS to
resolve the domain name. For details, see 4.6.4 DNS Configuration
Using the Web UI.
Parameter Description
User Name Enter the user name and password for logging in to the proxy
server.
Password
Step 6 Click Scheduled Update time and set the time for the scheduled update.
Scheduled update of signature databases includes:
l Download Only: The FW regularly downloads the signature database to the specified
path but does not install the downloaded signature database.
l Download And Install: The FW regularly downloads and automatically installs the
signature database. By default, the system downloads and installs the signature database.
Step 7 Click OK.
Step 8 After the update is complete, you can view that Status is The online upgrade succeeded.
and Current Version is the target version.
If Configure Scheduled Update Time is set to Download Only, Status is displayed as The
download succeeded. Click Install immediately to install the signature database. After the
installation succeeds, Status is displayed as The loading succeeded.
NOTE
If the scheduled update consumes too much bandwidth and interrupts normal services of the FW, you
can run the update abort command to abort the update process.
----End
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the FW.
l The FW can access the update server directly or through the proxy server.
l If the FW can access the update server directly, a security policy must have been
configured to permit HTTP and FTP traffic. If the FW can access the update server
through the proxy server, a security policy must have been configured to permit HTTP
traffic.
Context
For scheduled and immediate updates, signature database download addresses (IP address of
the server configured on the FW or the IP address of the proxy server) and update procedures
are the same.
Procedure
Step 1 Choose System > Update Center.
Step 3 In the Configure Server dialog box that is displayed, set the IP address of the update server.
Parameter Description
Server IP Address Enter the IP address of the server that the FW accesses for the
scheduled update. By default, update through Huawei security
center (domain name: sec.huawei.com) is used.
NOTE
l You must configure the DNS to parse the domain name of the
security center. For details, see 4.6.4 DNS Configuration Using
the Web UI.
l To update through another update server, set the server IP address
to that of the specified update server.
port Enter the port of the server. The default value is 80.
Connect to the upgrade If the FW cannot access the update center directly, select this
center through a proxy item and configure a proxy server for the update.
server
Address If the FW cannot communicate with the update center over the
Internet, configure a proxy server to connect to the update
center and download signature databases for the FW. The
proxy server address can be an IP address or domain name.
NOTE
If a proxy server domain name is used, you must configure DNS to
resolve the domain name. For details, see 4.6.4 DNS Configuration
Using the Web UI.
User Name Enter the user name and password for logging in to the proxy
server.
Password
Step 7 After the update is complete, you can view that Status is The online upgrade succeeded.
and Current Version is the target version.
NOTE
If the immediate update consumes too much bandwidth and interrupts normal services of the FW, you
can abort the update process.
----End
Prerequisites
The update package has been uploaded to the root directory of the FW using the Web
interface.
Procedure
Step 1 Download the update package.
l AV-SDB, SA-SDB,Malicious domain database, and IPS-SDB: Download update
packages from the security center (sec.huawei.com). For details, refer to Help of the
security center.
The abbreviations of each signature database in the security center are as follows:
– Antivirus signature database: AV
– Application identification signature database: SA
– Malicious domain name database: CNC
– Intrusion prevention signature database: IPS
l The region identification signature database supports only local update. The database is
released irregularly. You can obtain an update file using either of the following methods:
– Log in to the technical support website and download the signature database from
the Downloads area.
– Download the update file from sec.huawei.com.
Step 2 Upload the update package to the specified directory of the FW.
NOTE
The signature database files are in ZIP format. You can upload them directly to the FW without
decompressing them.
Step 7 After the update is complete, Status is The local upgrade succeeded., and Current Version
is the target version.
----End
Context
You can roll back to only one version. If you perform version rollbacks repeatedly, the version
rollback is implemented between the current version and the rollback version.
Procedure
Step 1 Choose System > Update Center.
Step 4 After the rollback is complete, Status is The version rollback succeeded, and Current
Version is the source version.
----End
1.6.5.1 Preparation
This section describes preparations for signature database updates.
Step 1 Run the display license command to check whether the required license has been activated or
has expired.
<sysname> display license
Device ESN is: A9BFDA9904B737xxxxxxxxxxxxxxxx
The file activated is: hda1:/license.dat
The time when activated is: 2015/08/08 14:21:01
The time when expired is: 2016/08/08
Virtual System: 20
l If the status of the signature database to be updated is Disabled, activate the license. For
details on how to activate the license, see 1.5.3 Managing Licenses Using the CLI.
l If the status of the signature database to be updated is Enabled, check whether the
license has expired. If yes, purchase the license.
----End
To check the free space of the root directory, perform the following operations:
Step 1 In the user view, run the dir command to check the free space of the root directory on the
MPU.
<sysname> dir
Directory of hda1:/
Step 2 Optional: In the user view, run the delete command to delete unwanted files from the CF
card if the free space is insufficient.
NOTE
Files are deleted and cannot be restored after the delete command with the /unreserved parameter is
executed.
----End
Step 1 Run the display update status command to check the update status of the signature database.
<sysname> display update status
Current Update Status: Idle.
If Current Update Status is Idle, you can update the desired signature database. Otherwise,
repeat the display update status command until Current Update Status changes to Idle,
and then update the desired signature database.
----End
Step 1 Run the display version { { av-sdb | cnc | ips-sdb | sa-sdb } * | location-sdb } command to
check the signature database version.
# View the version of a region identification signature database.
<sysname> display version location-sdb
Location SDB Update Information List:
----------------------------------------------------------------
Current Version :
Signature Database Version : 2014010414
Signature Database Size(byte) : 836969
Update Time : 08:13:19 2014/08/26
Issue Time of the Update File : 14:07:35 2014/01/04
Backup Version :
Signature Database Version : 0
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
----End
Context
Signature database updates offer two options:
l Download only: After signature databases are downloaded, you must manually install
them.
l Download and install: Signature databases are automatically installed after being
downloaded.
By default, the system downloads and installs the signature database. For details about how to
change the update option, see Procedure. If you choose to use the "download and install"
option, install the signature database after downloading it.
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
To restore to the default signature database update option, follow the instructions below:
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the FW.
l The FW can access the update server directly or through the proxy server.
l If the FW can access the update server directly, a security policy must have been
configured to permit HTTP and FTP traffic. If the FW can access the update server
through the proxy server, a security policy must have been configured to permit HTTP
traffic.
Procedure
Step 1 Configure an update center.
1. Access the system view.
system-view
The update center is the security center platform, and its default domain name is
sec.huawei.com.
Configure the DNS server to resolve the domain name of the update center. For details,
see Step 3.
Perform this step when the FW needs to access the update center using a proxy server.
2. Set the domain name (or IP address), user name, and password of the proxy server.
update proxy { domain domain-name | ip ip-address } [ port port-number ]
[ user user-name [ password password ] ]
NOTE
If a domain name is configured for the proxy server, a DNS server must be configured to resolve
the domain name. For details on how to configure the DNS server, see Step 3.
Step 4 Optional: Specify an interface over which update requests will be sent.
update host source interface-type interface-number
If VPN is used to access the Internet and scheduled or immediate update is enabled, you must
run the update host source command to specify the interface which sends the upgrade
request packets. Otherwise, the update fails.
Step 5 Enable the scheduled update function.
update
schedule { av-sdb | cnc | ips-sdb | sa-sdb } enable
update schedule { av-sdb | cnc | ips-sdb | sa-sdb } { daily | weekly { Mon | Tue
| Wed | Thu | Fri | Sat | Sun } } time
NOTE
During a scheduled update, you can run the update abort command to abort the update if the update
consumes too much bandwidth and interrupts normal services. Wait until the bandwidth is sufficient for
the update and normal services and then run the update online { av-sdb | cnc | ips-sdb | sa-sdb }
command to download the latest signature database.
You do not need to run this command if the system has been configured to download and
install the signature database. To change the signature database update option, see 1.6.5.2
Determining Signature Database Update Options.
----End
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the FW.
l The FW can access the update server directly or through the proxy server.
l If the FW can access the update server directly, a security policy must have been
configured to permit HTTP and FTP traffic. If the FW can access the update server
through the proxy server, a security policy must have been configured to permit HTTP
traffic.
Context
For scheduled and immediate updates, signature database download addresses (IP address of
the server configured on the FW or the IP address of the proxy server) and update procedures
are the same.
Procedure
Step 1 Optional: Configure an update center or a proxy server. For details, see 1.6.5.3 Scheduled
Update.
If the update center or proxy server has been configured as described in 1.6.5.3 Scheduled
Update, skip this step.
Step 2 Optional: Specify an interface over which update requests will be sent.
update host source interface-type interface-number
If VPN is used to access the Internet and scheduled or immediate update is enabled, you must
run the update host source command to specify the interface which sends the upgrade
request packets. Otherwise, the update fails.
NOTE
If the immediate update consumes too much bandwidth and interrupts normal services of the FW, you
can run the update abort command to abort the signature database update. Wait until the bandwidth is
sufficient for the update and normal services and then perform Step 3 to download the latest signature
database.
----End
Prerequisites
The update package has been uploaded to the specified directory of the FW using SFTP, FTP
or TFTP.
Procedure
Step 1 Download the update package.
l AV-SDB, SA-SDB,Malicious domain database, and IPS-SDB: Download update
packages from the security center (sec.huawei.com). For details, refer to Help of the
security center.
The abbreviations of each signature database in the security center are as follows:
– Antivirus signature database: AV
– Application identification signature database: SA
The signature database files are in ZIP format. You can upload them directly to the FW without
decompressing them.
----End
Context
You can roll back to only one version. If you perform version rollbacks repeatedly, the version
rollback is implemented between the current version and the rollback version.
Procedure
Step 1 Access the system view.
system-view
----End
Context
NOTICE
If the signature database is restored to the factory default version, all other versions on the FW
are deleted. Perform the operation with caution.
Procedure
Step 1 Access the system view.
system-view
----End
debugging display function of the terminal, so that debugging information can be displayed
on the terminal.
NOTICE
Enabling the debugging affects system performance. Therefore, after the debugging, you
should run the undo debugging all command to disable the debugging immediately.
For the description of the debugging commands, refer to the Debugging Reference.
Action Command
1.7 SNMP
The Simple Network Management Protocol (SNMP) provides a set of standard protocols for
the communication between the network management station (NMS) and devices, allowing
the NMS to normally manage devices and receive alarms reported by the devices.
1.7.1 Overview
This section describes the definition and objective of SNMP.
Definition
The Simple Network Management Protocol (SNMP) is a network management protocol
widely used in the TCP/IP network. SNMP is a method of managing network elements
through an NMS which runs network management software.
Objective
As network services develop, more devices are deployed on existing networks. The devices
are not close to the central equipment room where a network administrator works. When
faults occur on the remote devices, the network administrator cannot detect, locate or rectify
faults immediately because the devices do not report the faults. This affects maintenance
efficiency and greatly increases maintenance workload.
To resolve this problem, SNMP came into being. By employing the "network management
over networks" mode, SNMP is used to manage network devices in batches. In addition,
SNMP enables the unified management of network devices of different types and from
different vendors.
1.7.2 Mechanism
This section describes the SNMP principles.
SNMP Components
SNMP device management uses the following three components:
l NMS
The NMS sends various query packets to query managed devices and receives alarms
from these devices.
l Agent
A network-management process on a managed device. An agent has the following
functions:
– Receives and parses query packets sent from the NMS.
– Reads or writes management variables based on the query type, and generates and
sends response packets to the NMS.
– Sends an alarm to the NMS when triggering conditions defined on each protocol
module corresponding to the alarm are met. For example, the system view is
displayed or closed, or the device is restarted.
l Managed device
The managed device is managed by an NMS and generates and reports alarms to the
NMS.
Figure 1-29 shows the relationship between the NMS and agent.
Request
Response
NMS SNMP Agent
UDP Port162
MIB
A Management Information Base (MIB) specifies the variables maintained by network
elements. These variables are the information that can be queried and set by the management
process. A MIB presents a data structure, collecting all possible managed objects over the
network. The SNMP MIB adopts a tree structure like the Domain Name System (DNS) with
its root on the top without a name. Figure 1-30 shows a part of the MIB, called object naming
tree. Each managed object is uniquely identified by its object identifier.
root
org(3)
dod(6)
internet(1)
OID: 1.3.6.1.2
mib(1) Enterprises(1)
The NMS mainly manages the objects under the 1.3.6.1 MIB node on the FW. This node is
also called the ViewDefault view.
SNMP Operations
SNMP uses Get and Set operations to replace a complex command set. Table 1-27 gives
details on the SNMP operations.
Operation Function
GetNextRequest Retrieves the value of the next variable. The NMS sends
the request to a managed device to obtain the status of
the next object on the device.
Operation Function
SetRequest Sets the value of a variable. The NMS sends the request
to a managed device to adjust the status of an object on
the device.
l When you add users to the SNMP group, you are advised to add AAA users who use an
RADIUS or HWTACACS server for authentication, not local users.
l If a MIB Browser tool or NMS workstation connects to the FW, to ensure that the MIB
Browser tool or NMS workstation can read the MIB information on the FW, you are
advised to use SNMPv2c or SNMPv3.
l SNMPv3 is much securer than SNMPv1 and SNMPv2c. Therefore, you are advised to
use SNMPv3 rather than SNMPv1 and SNMPv2c.
Step 3 Set the parameters listed in Table 1-30 and Table 1-31 for connecting managed devices to the
NMS.
Trap Receiving Trap Receiving Host: IP address of By default, the UDP port number
Host: Port: the host that receives trap packets. is 162.
Security Name Port: port on the managed device
for sending trap packets to a
destination host. Specify this
parameter when you need to use a
non-default port, for example, port
162 is in use.
Security Name: the same as the
name of the NMS server.
User Name User name used by an NMS user The user name on the NMS must
to access the managed device. be the same as that on the
managed devices.
Trap Receiving Trap Receiving Host: IP address of By default, the UDP port number
Host: Port: the host that receives trap packets. is 162.
Security Name Port: port on the managed device
for sending trap packets to a
destination host. Specify this
parameter when you need to use a
non-default port, for example, port
162 is in use.
Security Name: the same as the
name of the NMS server.
----End
NOTICE
Operation statistics cannot be restored after they are cleared. Exercise caution when running
the reset snmp-agent statistics mib command.
l Run the reset snmp-agent statistics mib [ address ipv4-address | ipv6 ipv6-address |
vpn-instance vpn-instance-name address ipv4-address ] command in the user view to
clear operation statistics.
----End
To disable this function due to some reasons, for example, high CPU usage caused by
collecting statistics about the NMS accessing MIB objects, run the snmp-agent
statistics mib disable command in the system view.
----End
1.8.1 Overview
This section describes the definition and service flow of across-Layer-3 MAC identification.
If an intranet PC uses a dynamic IP address to access the Internet, IP address cannot be used
to match the traffic to or from the PC. In this case, you need to use the MAC address as the
matching condition of policies.
However, in the across-layer-3 networking as shown in Figure 1-31 and Figure 1-32, the FW
cannot directly obtain MAC addresses of intranet PCs. You must enable across-Layer-3 MAC
address identification on the FW.
The FW across-Layer-3 MAC address identification supports the following two networking
scenarios:
L3SW FW
Intranet
GE1/0/1 GE1/0/2
10.100.10.2/24 202.38.10.2/24
L3SW FW
Intranet
GE1/0/1 GE1/0/2
Service Flow
Figure 1-33 shows the service flow of across-Layer-3 MAC address identification on the FW.
Phase 1
Returns the ARP Entries
1. Phase 1
a. The SNMP agent on the Layer-3 network device is enabled, and the network device
obtains IP-MAC mapping of intranet PCs and generate or update ARP entries.
b. The FW periodically sends SNMP requests to the specified Layer-3 network device
for ARP entries.
c. The Layer-3 network device replies and returns the ARP entries.
d. The FW learns MAC addresses of intranet PCs and saves the ARP entries to the
memory.
2. Phase 2
An administrator can use the learned MAC addresses on the FW as conditions in
policies.
The MAC addresses are obtained from ARP entries in the memory, not from packet
header.
3. Phase 3
a. An intranet PC accesses the Internet through the Layer-3 network device and FW.
b. The FW permits or blocks intranet packets based on configured policies.
After receiving intranet PC packets, the FW compares the IP and MAC address of
the PC with the obtained ARP entries to verify whether the MAC address is the real
MAC address. The FW uses the actual MAC address to match policies and process
intranet packets based on matching results.
Prerequisites
Before configuring the across-Layer-3 MAC identification function, ensure that the Layer-3
network device connected to the FW supports SNMPv2c or SNMP v3, and the SNMP agent
has been enabled and community name has been configured on the network device.
Context
Intranet users use the FW to access the Internet, and the FW uses MAC addresses as matching
conditions to control intranet traffic. If the FW uses a Layer-3 network device to connect to an
intranet PC, the FW cannot obtain the MAC address of the intranet PC directly.
Therefore, across-Layer-3 MAC address identification must be enabled on the FW to
synchronize ARP entries from the Layer-3 network device using SNMP to obtain MAC
addresses of intranet PCs.
NOTE
If multiple Layer-3 network devices are deployed between the FW and an intranet PC, you are advised
to specify a network device closest to the intranet PC as the SNMP server. The FW can serve multiple
Layer-3 devices (SNMP servers) to synchronize ARP entries.
Procedure
Step 1 Choose System > Configuration > Across-Layer-3 MAC Identification.
Step 2 Select Enable on the right of Across-Layer-3 MAC Identification.
Step 3 Optional: Enter the parameters.
Parameter Description
Time of Failures in Accessing Length of time the SNMP server waits for a response to a
SNMP Server request sent to the target network device. You can specify
this parameter based on the update interval of a PC IP
address and the network delay.
Parameter Description
v3 Security User Name Uer name must have been configured on a specific
Layer-3 network device, and the user name and IP
address must identify the same Layer-3 network
device.
Encryption Password
Encryption Method
3. Click OK.
----End
Prerequisites
Before configuring the FW learning function, ensure that the Layer-3 network device
connected to the FW supports SNMPv2c or SNMPv3, and the SNMP agent has been enabled
and community name or user name has been configured on the network device.
Context
Intranet users use the FW to access the Internet, and the FW uses MAC addresses as matching
conditions to control intranet traffic. If the FW uses a Layer-3 network device to connect to an
intranet PC, the FW cannot directly obtain the MAC address of the intranet PC. Therefore,
across-Layer-3 MAC address learning must be enabled on the FW to synchronize ARP entries
of the intranet PCs from the specified Layer-3 network device.
NOTE
If multiple Layer-3 network devices are deployed between the FW and intranet PCs, you are advised to
specify a network device closest to the intranet PCs as a target network device. The FW can serve
multiple Layer-3 devices (SNMP agents).
This function can be configured using command lines in hot standby deployments.
Procedure
Step 1 Display the system view.
system-view
Step 2 Enable synchronization of Layer-3 network device ARP entries using SNMP in the system
view.
snmp-server arp-syn enable
Step 3 Configure the identification information of the target Layer-3 network device.
l SNMP v2c
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-
name ] community community-name v2c
address and community must identify the same Layer-3 network device. If the target
network device is configured in the specified VPN instance, vpn-instance, address, and
community must identify the same Layer-3 network device.
l SNMP v3
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-
name ] usm-user v3 user-name [ authentication-mode { md5 | sha } password
[ privacy-mode { 3des | aes128 | aes192 | aes256 | des56 } password ] ]
address and user-name must identify the same Layer-3 network device. If the target
network device is configured in the specified VPN instance, vpn-instance, address, and
user-name must identify the same Layer-3 network device.
NOTE
With across-Layer-3 MAC identification, the FW can specify multiple Layer-3 network devices as
SNMP servers to obtain ARP entries using SNMP. The device supports 64 Layer-3 network devices as
SNMP servers to synchronize ARP entries.
You can specify timeout time based on the update interval of a PC IP address and the network
delay.
----End
Example
# Specify a Layer-3 network device and enable the firewall to learn MAC addresses of
intranet PCs and set the IP address of the network device to 10.10.90.7 and community name
to Public@123.
<sysname> system-view
[sysname] snmp-server arp-syn enable
[sysname] snmp-server target-host arp-sync address 10.10.90.7 community
Public@123 v2c
[sysname] snmp-server arp-sync interval 10 timeout 5
Follow-up Procedure
Run the display snmp-server arp-sync table [ vpn-instance vpn-instance-name ] command
to view ARP entries obtained using SNMP.
<sysname> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2
09:39:28
----------------------------------------------------------------------------------
-------------
IP Address MAC Address Expire(M) VPN
Instance
----------------------------------------------------------------------------------
-------------
10.10.90.220 0022-a105-b948
20
10.10.90.33 0000-1111-0000 20
----------------------------------------------------------------------------------
-------------
Total:2
The display information above includes obtained ARP entries. The synchronization status is
Done, indicating that ARP entry synchronization between the device and target network
device is complete.
1.9 Logs
You can display logs to gain visibility into device operating, which facilitates fault location.
1.9.1 Overview
This section describes basic log concepts.
Logs are information output during FW operating. You can display logs to learn about service
running status and functional module operating status on the FW.
Log Type
The FW supports the following types of logs:
l Session logs
After processing a packet, the FW sets up a session for it. The FW supports session logs.
You can enable the FW to output session logs after a session ages, when a session is
created, or regularly.
l Packet discard logs
After discarding a packet, the FW logs the packet information and packet discard cause.
The packet discard cause may be session table mismatching, failure to match any
security policy.
l Service Logs
The FW can output service logs, such as traffic, threat,policy matching logs.
l System logs
The FW can output the operating information about functional modules, including
administrator login/logout logs, attack defense logs, blacklist logs, service awareness
(SA) logs, intrusion prevention logs, and IP-CAR logs. You can refer to the Log
Reference to learn system log information generated by the functional modules on the
FW.
In addition, the FW can output NAT444 port pre-allocation logs. For details on port pre-
allocation, see NAT444.
Log Format
The FW supports the following log formats:
l Binary
Session Logs in binary format occupy few network resources. However, before viewing
binary logs, enable the FW to output them to a log server.
l Syslog
Session logs, packet discard logs and system logs in syslog format are displayed in texts.
l Netflow
The FW can also output session logs in netflow format to a log server for you to analyze
IP packet flows on the network.
l Dataflow
The FW outputs service logs in dataflow format to a log server.
Session logs
Service logs
Hard disk
Log query
Database and report Web UI-Monitor
processing
Remote terminal
Information channel
Log file
Information center
l The FW outputs session logs, packet discard logs, and port pre-allocation logs to a log
server through separate channels for you to view and analyze.
l The FW outputs service logs to a log server in separate channels for you to view and
analyze, outputs them to the memory database for the log query module for further
process before logs and reports are displayed on the web UI (for details, see Logs and
Reports), outputs them to to the log buffer and displays them on the Dashboard of web
UI, or outputs them to the information center.
l The FW outputs system logs from the information center. The information center is an
information hub of system software modules on the FW. It can output system logs to
specific log servers, log buffers, console (console user interfaces), log file, or terminals
(VTY user interfaces). You can view system logs on the FW or log server.
1.9.2 Mechanism
This section describes the log mechanism.
Table 1-32 Details on session log types, formats, and log output mechanisms
Log Type IPv4/IPv6 Log Format Log Output
Mechanism
Supports l Binary
IPv6. l Netflow only)
Supports l Binary
IPv6. l Netflow only)
Does not - -
support IPv6.
Does not - -
support IPv6.
Table 1-33 Details on packet discard log formats, and log output mechanisms
Log Type IPv4/IPv6 Log Format Log Output
Mechanism
Does not - -
support IPv6.
The FW can output service logs to the web UI, a log host, or the information center for you to
understand the operating of services and networks.
The FW outputs system logs from the information center. The information center is an
information hub of system software modules on the FW. The information center classifies the
output information in a fine-grained manner to effectively filter information.
NOTE
Except logs, the information center can also output alarm and debugging information. This section
describes only logs. For details on alarm and debugging information, see 1.10 Alarms and 1.11 Debugs.
Information Categorization
Information has eight levels based on its severity and emergency. More critical information
has a lower level, as shown in Table 1-34.
The FW outputs only the information of the specified severity level and more critical levels.
That is, the FW outputs information with the specified value and the smaller values.
For example, if the severity level for filtering information is set to 6, the FW outputs
information with severity levels from 0 to 6.
Information Output
The information center defines 10 information channels independent from each other to
facilitate information output control in each direction. You can configure system log output
rules for the FW to output specific information from specific information channels to specific
directions, as shown in Figure 1-35.
3 Trapbuffer
6 channel6
7 channel7
8 channel8
channel9 Logfile
9
Table 1-35 shows the mapping between information channels and output directions.
0 console console Local console that can receive logs, alarms, and
debugging messages.
1 monitor monitor VTY terminal that can receive logs, alarms, and
debugging messages to facilitate remote
maintenance.
2 loghost loghost Log host that can receive logs, alarms, and
debugging messages. Information is stored as
files on log hosts.
4 logbuffer logbuffer Log buffer that can receive log information. The
buffer allocated inside the FW is used to record
information.
9 channel9 logfile Log file that can receive logs, alarms, and
debugging messages. The information is saved as
files on the FW CF card.
When multiple log hosts are configured, you can enable the FW to output system logs from
one or more channels to different logs hosts. For example, the FW can output some system
logs from channel 2 (loghost) to one log host and some other logs from channel 6 to another
log host. You can also change the name of channel 6 to facilitate information channel
management.
Log Format
Figure 1-36 lists the formats of system logs.
AAA Module name Indicates the name of the module that outputs
information to the information center.
[N] Log position Display the position of the current log in the log
queue.
l Table 1-37 lists the mappings between log formats and log servers. Select a log server as
required.
Binary eLog
Netflow eLog
Syslog l Session logs, packet discard logs, and IM logs are output to an
eLog server if in the default format and to a third-party log server
if in MTN format.
l For system logs, you are advised to use an eLog server or a third-
party log server.
Dataflow eLog
Prerequisites
The system time setting is correct during the initial configuration. Changing system time
during device running results in incorrect timestamps in existing logs.
To output policy matching logs and session logs to log hosts, choose Policy > Security Policy
and enable Record Policy Matching Log and Record Session Log.
Log Host IP Address IP address of the log host that receives syslogs from the FW
This IP address must be the actual IP address of the log host.
Destination Port Port number of the log host that receives syslogs from the FW
This port number must be the actual port number configured
on the log host. The default port number on the log host is 514.
Parameter Description
Step 3 Click and repeat the preceding steps to add more log hosts.
If multiple log hosts are configured, the FW sends the same syslogs to different log hosts for
syslog backup.
If the Operation succeeded dialog box is displayed, the syslog sending function has
been configured.
----End
Send Binary Logs to All If Send Logs Concurrently is selected, session logs are sent to
Log Servers all log hosts.
If not, the device sends logs to all log hosts in turn based on the
specified log host IDs.
Source Port Source port of session logs. The default port is 1617.
Log Host IP Address IP address of the log host that receives session logs
Port Port of the log host that receives session logs. The default port
number depends on the log format.
The mappings between them are as follows:
l Binary: 9002
l Syslog: 514
l NetflowL: 9996
Parameter Description
Password Password for the encryption. You must set the same password
on the log server.
Step 3 Click and repeat the preceding steps to add more log hosts.
If the Operation succeeded dialog box is displayed, the session log sending function
has been configured.
----End
NOTICE
When service logs are output in dataflow format, the destination port number of packets is
fixed to 9903 and cannot be changed. The eLog host also uses port 9903 to receive service
logs. When service logs are output in Syslog, the destination port number of packets is the one
configured in Configuring Syslog Output. Because the eLog host always uses interface 514
to receive logs in Syslog format, the port number must be set to 514 in Configuring Syslog
Output.
If the Operation succeeded dialog box is displayed, the service log sending function
has been configured.
----End
Configuring SA
The FW enables SA by default and displays application information in service logs.
----End
If vpn-instance is specified, the session logs generated on the public system are output to the
log host on the virtual system specified by vpn-instance.
If you set the secondary parameter, the log host belongs to the secondary log host group.
NOTICE
For the eLog server, if the log format is binary, port 9002 is used; if the log format is netflow,
port 9996 is used; if the log format is syslog, port 514 is used.
Step 3 Set the source IP address and port for the FW to send session logs.
firewall log source ip-address port
If multiple log hosts are configured on the FW, the FW sends logs to the log hosts in turn. To
be specific, one log is sent to only one log host.
After the log concurrent function is enabled, the FW sends each log to every log host.
Step 5 Optional: Enable the log encryption function.
firewall log password password
After you run this command, the FW will use the specified encryption password to encrypt
the logs before sending. After receiving the binary logs, the log host will use the decryption
password to decrypt the logs. This ensures the log transmission security. The encryption
password specified on the FW and the decryption password specified on the log host must be
the same.
----End
NOTICE
l The FW outputs only IPv4 session logs in syslog format. If you set the output format of
session logs to syslog, then IPv6 session logs are output in binary format.
l The FW can output only IPv4 session logs If you set the output format of session logs to
netflow, then general IPv6 session logs are output in binary format.
l If the session log format is set to netflow, the log host must be an eLog server.
Step 3 Optional: Set the MTN format for the output of session logs in syslog format.
firewalllog syslog content format mtn
You can use this command only when the syslog format is employed to output session logs.
The default log format is default when the syslog format is employed to output session logs.
NOTE
A log in the default format contains a keyword and value, such as:
SourceIP=172.16.36.196,DestinationIP=128.18.75.33,SourcePort=4408,DestinationP
ort=80......
A log in the MTN format contains a complete sentence, such as:
172.16.36.196:4439[128.18.75.33:4439] (trust) to
128.18.75.33:80[172.16.36.196:80] (trust)......
Step 4 Optional: Specify the log header format when the syslog format is employed to output
session logs.
firewall log syslog header { default [ timestamp { utc | local | none } ] | host-
name | none }
If the default log header format (default) is used and no timestamp type is specified, the UTC
time applies by default.
If you specify parameter host-name, the log header contains only the device name. If you
specify parameter none, the output logs do not contain any log header.
Step 5 Optional: Specify the timestamp of log headers for session logs in netflow format.
firewall log netflow header default timestamp { utc | local }
----End
The session log function takes effect only when the policy action is set to permit.
----End
----End
timevalue indicates the interval for the FW to send IPv4 session logs. The default value is 180
minutes.
----End
NOTICE
NAT No-PAT logs must be output in binary format to log hosts.
----End
----End
To improve reliability of the links between the FW and log hosts, you can use the IP-Link
function to detect link status. After the IP-Link function is enabled, the FW sends logs to log
hosts only when the IP-Link is Up.
If vpn-instance is specified, the service logs generated on the public system are output to the
log host on the virtual system specified by vpn-instance.
If you set the secondary parameter, the log host belongs to the secondary log host group.
NOTICE
The FW can output service logs to a log host in either dataflow or syslog format. If service
logs are output in dataflow format, use the configured log host to output service logs. The port
number must be set to 9903. The eLog host also uses port 9903 to receive service logs.
Step 3 Set the source IP address and port for the FW to send service logs.
firewall log source ip-address port
If multiple log hosts are configured on the FW, the FW sends logs to the log hosts in turn. To
be specific, one log is sent to only one log host.
After the log concurrent function is enabled, the FW sends each log to every log host.
After you run this command, the FW will use the specified encryption password to encrypt
the logs before sending. After receiving the binary logs, the log host will use the decryption
password to decrypt the logs. This ensures the log transmission security. The encryption
password specified on the FW and the decryption password specified on the log host must be
the same.
----End
Step 4 Run the following commands to enable the policy matching log function.
1. Run the log type policy enable command to enable the function of generating policy
matching logs.
----End
To improve reliability of the links between the FW and log hosts, you can use the IP-Link
function to detect link status. After the IP-Link function is enabled, the FW sends logs to log
hosts only when the IP-Link is Up.
Step 2 Set the log host for receiving packet discard logs.
firewall log host host-id ip-address port [ vpn-instance vpn-instance-name ]
[ secondary ] [ track ip-link link-name ]
If you set the vpn-instance parameter, the FW outputs the packet discard logs generated in
the public system to the log host of the virtual system specified by the vpn-instance
parameter.
If you set the secondary parameter, the log host belongs to the secondary log host group.
NOTICE
If the log host is an eLog server and the log format is syslog, the port must be set to 514.
Step 3 Run:
firewall log source ip-address port
The source IP address and port used for the FW to send packet discard logs are specified.
If multiple log hosts are configured on the FW, the FW sends session logs to multiple log
hosts in turn by default.
After you enable the concurrent log sending function, the FW sends each log to all log hosts.
After you run this command, the FW will use the specified encryption password to encrypt
the logs before sending. After receiving the binary logs, the log host will use the decryption
password to decrypt the logs. This ensures the log transmission security. The encryption
password specified on the FW and the decryption password specified on the log host must be
the same.
----End
l If parameter session-miss is used, the FW sends a log when a packet mismatches the
session table.
l If parameter packet-filter is used, the FW sends a log when a packet is discarded
because the packet matches a security policy.
l If parameter default-packet-filter is used, the FW sends a log when a packet is
discarded because of default packet filtering.
----End
NOTICE
The FW sends packet discard logs to log hosts only in syslog format.
You can also set the header of the packet discard logs that the FW sends in syslog format.
Step 2 Set the MTN format for the output of packet discard logs in syslog format.
firewalllog syslog content format mtn
The default log format is default when the syslog format is employed to output packet discard
logs.
NOTE
A log in the default format contains a keyword and value, such as:
SourceIP=172.16.36.196,DestinationIP=128.18.75.33,SourcePort=4408,DestinationP
ort=80......
A log in the MTN format contains a complete sentence, such as:
172.16.36.196:4439[128.18.75.33:4439] (trust) to
128.18.75.33:80[172.16.36.196:80] (trust)......
Step 3 Specify the log header format when the syslog format is employed to output packet discard
logs.
firewall log syslog header { default [ timestamp { utc | local | none } ] | host-
name | none }
If the default log header format (default) is used and no timestamp type is specified, the UTC
time applies by default.
If you specify parameter host-name, the log header contains only the device name. If you
specify parameter none, the output logs do not contain any log header.
----End
1.9.5.4 Configuring the FW to Output Service Logs and System Logs to a Log
Host Through the Information Center
This section describes how to enable the FW to output service logs and system logs from the
information center so that you can learn the FW operating status after system log analysis.
Context
By default, the information center is enabled on the FW. If the information center is disabled,
perform the following operations to enable the information center.
NOTICE
When the information center is enabled and the system is busy sorting and outputting
information, system performance is affected.
Procedure
Step 1 Access the system view.
system-view
Each information channel must have a unique name, and the channel names must represent
the actual channel functions.
Step 4 Optional: Configure a timestamp for logs.
info-center timestamp log { none | boot | { date | short-date | format-date }
[ precision-time { tenth-second | millisecond } ] }
Currently, only 50 IDs can be shielded. The aggregation of these shielded IDs is called a log
ID filtering list. The log ID filtering list is arranged by ID values.
Step 6 Optional: Run the following commands to configure the log suppression function.
During the running of a device, if too many logs with the same log ID are generated, the
information center is too busy processing these logs to process logs with other log IDs, which
may even affect the running service. The information center monitors the traffic of logs with
different log IDs. When the traffic of logs with a specific log ID repeatedly exceeds the
threshold during the monitoring period, the information center suppresses the processing rate
of these specified logs by processing only the conforming traffic and discarding the non-
conforming traffic; when the traffic of logs with the specific log ID falls below the threshold
and remains below the threshold for five monitoring periods, the suppression is removed.
1. Run the info-center rate-limit threshold value [ byinfoid infoid | bymodule-alias
modname alias ] command to set the maximum number of logs with the same log ID that
the information center can process each second.
By default, the information center processes a maximum of 50 logs with the same log ID
each second. In certain application scenarios, the information center is required to
process a maximum of more than 30 logs with the same log ID every second. You can
set thresholds for logs with different log IDs.
NOTE
2. Run the info-center rate-limit global-threshold value command to set the total number
of logs that the information center can process each second.
3. Run the info-center rate-limit monitor-period value command to set the period for the
information center to limit the log processing rate.
4. Run the info-center rate-limit except { byinfoid infoid | bymodule-alias modname
alias } command to cancel the log processing rate limit for logs with the specified ID or
module name.
If logs with the specified ID or module name will never be generated in a huge number,
you can run this command to cancel the log processing rate limit for the logs. After this
command is run, the configured log processing rate limit will not be effective for logs
with the specified ID or module name.
Step 7 Optional: Enable the statistical output of consecutive duplicate logs.
info-center statistic-suppress enable
On the FW, service modules generate logs and control the volume of generated logs. The
information center processes the received logs.
Service modules, such as ARP and VRRP produce large numbers of duplicate logs in short
periods in some scenarios. In this case, you can enable the statistical output of consecutive
duplicate logs to prevent the information center from the failure in processing other logs.
NOTE
Consecutive duplicate logs have the same ID and parameters, and they do not have two or more other logs in
between.
----End
Context
By default, the information center enables the function of outputting logs to the log buffer.
Logs are output to the log buffer over information channel 4. You can change the information
channel over which logs are output to the log buffer and adjust the capacity of the log buffer.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which logs are output to the log buffer.
info-center logbuffer channel { channel-number | channel-name }
----End
Context
After this configuration, logs are output to log files and saved on the FW. You can view the
logs to know the operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which logs are output to log files.
info-center logfile channel { channel-number | channel-name }
If more log files are generated, the system deletes the earliest log files, ensuring that the
number of log files is smaller than or equal to the threshold.
----End
Context
After this configuration, you can log in to the FW in console mode and view logs to know the
operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which logs are output to the console.
info-center console channel { channel-number | channel-name }
Step 7 Optional: Enable the log information synchronous display function of the terminal.
terminal echo synchronous
----End
Context
After this configuration, you can log in to the FW using Telnet or STelnet and view logs to
know the operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which logs are output to the terminal.
info-center monitor channel { channel-number | channel-name }
Step 7 Optional: Enable the log information synchronous display function of the terminal.
terminal echo synchronous
----End
Context
The FW can output logs to a maximum of eight log hosts. The log hosts back up each other.
Procedure
Step 1 Access the system view.
system-view
NOTE
The command does not take effect for service logs and cannot control whether to enable service logs or the
levels of service logs. The FW sends logs of each level generated by all service modules to its connected log
server only after the info-center loghost command is run.
Step 3 Configure the channel through which logs are output to the log host.
NOTICE
The FW can output service logs to a log host in either dataflow or syslog format. If service
logs are output in dataflow format, use the configured log host to output service logs. When
the eLog host is used to receive logs, the configured port must be the same as the port used by
the eLog host to receive logs. Currently, the eLog host uses port 514 to receive non-encrypted
service logs and certificate-encrypted service logs, and therefore the port number must be set
to 514.
l On an IPv4 network, specify the channel through which logs are output to the log host.
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | language language-name | { vpn-instance vpn-instance-
name | public-net } ] *
This interface is recognized by the log host as the log sending interface.
The FW can output encrypted service logs to the log host in syslog format. Therefore, you
need to configure a CA certificate for the log host on the FW.
----End
Operation Command
Operation Command
Check log file information. display logfile driver path file-name [ offset
| hex ] *
Check rate limit records in the information display info-center rate-limit record
center.
Check rate limit records in the information display info-center rate-limit threshold
center.
Log information cannot be restored after it is cleared. Exercise caution before performing the
operation.
Operation Command
1.9.6.1 CLI: Example for Configuring the FW to Output Session Logs to Log Hosts
This section provides an example for configure the FW to output session logs to log hosts.
Networking Requirements
As shown in Figure 1-37, the FW is deployed on the network border. The network
environment is as follows:
l The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the
intranet access the Internet using the NAT function provided by the FW.
l The DMZ has two eLog servers.
The FW is required to send session information generated when intranet users access the
Internet to the eLog servers in the syslog format. The administrator can view and analyze
session information on the eLog servers. The log concurrent function is required, so that each
log can be sent to both eLog servers.
FW
GE2/0/1 GE2/0/3
Trust Untrust
Intranet 192.168.0.1/24 1.1.1.1/24
192.168.0.0/24
GE2/0/2
DMZ
172.16.0.1/24
Configuration Roadmap
NOTE
This example provides only the FW configuration. For the eLog server configuration, see the eLog
server product document.
1. Set the IP addresses for interfaces and add the interfaces to security zones.
2. Configure security policies.
3. Configure a NAT policy.
4. Configure routes.
5. Configure log hosts.
6. Enable the session log function in a security policy.
7. Configure the log output format and the source IP address and source port, and enable
the log concurrent function.
Procedure
Step 1 Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure a Trust-Untrust interzone security policy and enable the session log function. The
session log function takes effect only when the policy action is set to permit.
[FW] security-policy
[FW-policy-security] rule name trust_untrust
[FW-policy-security-rule-trust_untrust] source-zone trust
[FW-policy-security-rule-trust_untrust] destination-zone untrust
[FW-policy-security-rule-trust_untrust] source-address 192.168.0.0 24
[FW-policy-security-rule-trust_untrust] action permit
[FW-policy-security-rule-trust_untrust] session logging
[FW-policy-security-rule-trust_untrust] quit
# Configure NAT address pool 1 and set the mode to PAT. In this example, the public address
ranges from 1.1.1.10 to 1.1.1.15.
[FW] nat address-group add1
[FW-address-group-add1] mode pat
[FW-address-group-add1] section 0 1.1.1.10 1.1.1.15
[FW-address-group-add1] route enable
[FW-address-group-add1] quit
Step 5 Configure log hosts. When the log format is syslog, the log host must use port 514.
[FW] firewall log host 1 172.16.0.2 514
[FW] firewall log host 2 172.16.0.3 514
Step 6 Configure the log output format and the source IP address and source port, and enable the log
concurrent function.
[FW] firewall log session log-type syslog
[FW] firewall log session multi-host-mode concurrent
[FW] firewall log source 172.16.0.1 6000
----End
Configuration Script
#
sysname FW
#
mode
pat
route enable
section 0 1.1.1.10
1.1.1.15
interface
GigabitEthernet2/0/1
undo
shutdown
ip address 192.168.0.1
255.255.255.0
interface
GigabitEthernet2/0/2
undo
shutdown
ip address 172.16.0.1
255.255.255.0
interface
GigabitEthernet2/0/3
undo
shutdown
ip address 1.1.1.1
255.255.255.0
firewall zone
trust
set priority
85
add interface
GigabitEthernet2/0/1
firewall zone
untrust
set priority
5
add interface
GigabitEthernet2/0/3
firewall zone
dmz
set priority
50
add interface
GigabitEthernet2/0/2
#
security-policy
nat-
policy
return
1.9.6.2 CLI: Example for Configuring the FW to Output Service Logs to Log Hosts
Networking Requirements
As shown in Figure 1-38, the FW is deployed on the network border. The network
environment is as follows:
l The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the
intranet access the Internet using the NAT function provided by the FW.
l The DMZ has two eLog servers.
The FW sends traffic logs and threat logs (antivirus and IPS) to eLog servers in binary log
format so that you can view and analysis these logs on the eLog server. The log concurrent
function is required, so that each log can be sent to both eLog servers.
FW
GE2/0/1 GE2/0/3
Trust Untrust
Intranet 192.168.0.1/24 1.1.1.1/24
192.168.0.0/24
GE2/0/2
DMZ
172.16.0.1/24
Configuration Roadmap
NOTE
This example provides only the FW configuration. For the eLog server configuration, see the eLog
server product document.
1. Set the IP addresses for interfaces and add the interfaces to security zones.
2. Configure security policies.
3. Configure a NAT policy.
4. Configure routes.
5. Configure log hosts.
6. Enable the traffic log and threat logs function.
7. Enable the log concurrent function and configure the source IP address and source port.
Procedure
Step 1 Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure an IP address for GE 1/0/1.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 192.168.0.1 24
[FW-GigabitEthernet1/0/1] quit
[FW-policy-nat-rule-policy1] quit
[FW-policy-nat] quit
Step 5 Enable the traffic log function. By default, the traffic log function is used on the FW. If the
function is disabled, run the following command to enable it:
[FW] log type traffic enable
Step 6 Enable the threat log function. By default, the threat log function is used on the FW. If the
function is disabled, run the following command to enable it:
[FW] engine log av enable
[FW] engine log ips enable
Step 8 Enable the log concurrent function and configure the source IP address and source port.
[FW] firewall log session multi-host-mode concurrent
[FW] firewall log source 172.16.0.1 6000
----End
Configuration Script
#
sysname FW
#
mode
pat
route enable
section 0 1.1.1.10
1.1.1.15
interface
GigabitEthernet1/0/1
undo
shutdown
ip address 192.168.0.1
255.255.255.0
interface
GigabitEthernet1/0/2
undo
shutdown
ip address 172.16.0.1
255.255.255.0
interface
GigabitEthernet1/0/3
undo
shutdown
ip address 1.1.1.1
255.255.255.0
firewall zone
trust
set priority
85
add interface
GigabitEthernet1/0/1
firewall zone
untrust
set priority
5
add interface
GigabitEthernet1/0/3
firewall zone
dmz
set priority
50
add interface
GigabitEthernet1/0/2
#
security-policy
rule name trust_untrust
session logging
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
profile av default
profile ips default
action permit
rule name local_dmz
source-zone local
destination-zone dmz
destination-address 172.16.0.2 32
destination-address 172.16.0.3 32
action permit
#
nat-
policy
return
1.9.6.3 CLI: Example for Configuring the FW to Output Packet Loss Logs to Log
Hosts
This section provides a example for configure the FW to output packet loss logs to log hosts.
Networking Requirements
As shown in Figure 1-39, the FW is deployed on the network border. The network
environment is as follows:
l The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the
intranet access the Internet using the NAT function provided by the FW.
l The DMZ has two eLog servers.
The FW is required to send packet loss information as syslogs to the eLog servers. The
administrator can view and analyze packet loss information on the eLog servers. The log
concurrent function is required, so that each log can be sent to both eLog servers.
Figure 1-39 Networking for outputting packet loss logs to eLog servers
FW
GE1/0/1 GE1/0/3
Trust Untrust
Intranet 192.168.0.1/24 1.1.1.1/24
192.168.0.0/24
GE1/0/2
DMZ
172.16.0.1/24
Configuration Roadmap
NOTE
This example provides only the FW configuration. For the eLog server configuration, see the eLog
server product document.
1. Set the IP addresses for interfaces and add the interfaces to security zones.
2. Configure security policies.
3. Configure a NAT policy.
4. Configure routes.
5. Configure log hosts.
6. Enable the function of sending packet loss logs.
7. Enable the log concurrent function and configure the source IP address and source port.
Procedure
Step 1 Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure NAT address pool 1 and set the mode to PAT. In this example, the public address
ranges from 1.1.1.10 to 1.1.1.15.
[FW] nat address-group add1
[FW-address-group-add1] mode pat
[FW-address-group-add1] section 0 1.1.1.10 1.1.1.15
[FW-address-group-add1] route enable
[FW-address-group-add1] quit
Step 5 Configure log hosts. Packet loss information can be recorded only in the syslog format. The
log hosts must use port 514.
[FW] firewall log host 1 172.16.0.2 514
[FW] firewall log host 2 172.16.0.3 514
Step 7 Enable the log concurrent function and configure the source IP address and source port.
[FW] firewall log session multi-host-mode concurrent
[FW] firewall log source 172.16.0.1 6000
----End
Configuration Script
#
sysname FW
#
mode
pat
route enable
section 0 1.1.1.10
1.1.1.15
interface
GigabitEthernet1/0/1
undo
shutdown
ip address 192.168.0.1
255.255.255.0
interface
GigabitEthernet1/0/2
undo
shutdown
ip address 172.16.0.1
255.255.255.0
interface
GigabitEthernet1/0/3
undo
shutdown
ip address 1.1.1.1
255.255.255.0
firewall zone
trust
set priority
85
add interface
GigabitEthernet1/0/1
firewall zone
untrust
set priority
5
add interface
GigabitEthernet1/0/3
firewall zone
dmz
set priority
50
add interface
GigabitEthernet1/0/2
#
security-policy
rule name trust_untrust
session logging
source-zone trust
destination-zone untrust
source-address 192.168.0.0 24
action permit
nat-
policy
return
1.9.6.4 CLI: Example for Configuring the FW to Output Service Logs and System
Logs to a Log Host Through the Information Center
This section provides an example for configure the FW to output service logs and system logs
to a log host through the information center.
Networking Requirements
As shown in Figure 1-40, the FW connects to four eLog servers.
The FW is required to send system logs to the eLog servers to meet the following
requirements:
l The FW sends notification logs generated by the FIB and IP modules as well as all
service logs to eLog server 1. eLog server 3 backs up eLog server 1.
l The FW sends all service logs to eLog server 2. eLog server 4 backs up eLog server 2.
GE2/0/2
DMZ
172.16.0.1/24
eLog server4
FW 172.16.0.5
eLog server3
172.16.0.4
Configuration Roadmap
NOTE
This example provides only the FW configuration. For the eLog server configuration, see the eLog
server product document.
1. Set the IP addresses for interfaces and add the interfaces to security zones.
2. Configure a security policy.
3. Enable the information center.
4. Name the information channel.
5. Specify the modules from which logs are output.
6. Configure log hosts.
Procedure
Step 1 Set the IP addresses for interfaces and add the interfaces to security zones.
# Configure eLog server 1 as the master log server and eLog server 3 as the backup log server
to receive logs generated by the FIB and IP modules. Set the log language to English and use
log recording tool Local2.
[FW] info-center loghost 172.16.0.2 channel loghost facility local2 language
english
[FW] info-center loghost 172.16.0.4 channel loghost facility local2 language
english
# Configure eLog server 2 as the master log server and eLog server 4 as the backup log server
to receive logs generated by the AV and IPS modules. Set the log language to English and use
log recording tool Local4.
[FW] info-center loghost 172.16.0.3 channel loghost1 facility local4 language
english
[FW] info-center loghost 172.16.0.5 channel loghost1 facility local4 language
english
----End
Configuration Script
#
sysname FW
#
interface
GigabitEthernet1/0/2
undo
shutdown
ip address 172.16.0.1
255.255.255.0
firewall zone
dmz
set priority
50
add interface
GigabitEthernet1/0/2
#
security-policy
rule name local_dmz
source-zone local
destination-zone dmz
destination-address 172.16.0.2 32
destination-address 172.16.0.3 32
destination-address 172.16.0.4 32
destination-address 172.16.0.5 32
action permit
#
return
1.9.7.1 Specifications
This section provides the specifications of the logs.
Function Specifications
Function Sub- Description Supported or Not
function
Logs Log type Session logs, packet loss Supported by all models
logs, service logs, and
system logs are
supported.
Performance Specifications
Function Sub-function Specifications
1.10 Alarms
By viewing alarms, you can rapidly be informed of faults occurring when the device is
running, helping quickly rectify the faults and ensure normal device operation.
1.10.1 Overview
This section describes the definition and objective of alarms.
Definition
Alarms are notifications generated on the FW upon detected faults. The alarms carry
corresponding fault information. Unlike logs, alarms are time-sensitive and must be reported
to the administrator as soon as possible.
Objective
By viewing alarms, the administrator can rapidly locate the modules where faults occurred
and rapidly rectify the faults to ensure normal operation of the FW.
1.10.2 Mechanism
This section describes the mechanism for alarm output.
The FW outputs alarms through the information center. The information center is an
information hub of system software modules on the FW. You can sort output system
information in a refined manner to effectively filter information.
NOTE
In addition to alarms, the information center can output logs and debugging information. This chapter
focuses on alarms, for logs and debugging information, see 1.9 Logs and 1.11 Debugs.
Information Output
10 information channels are defined for the information center to control information output
in different directions. These channels are independent of each other. You can configure alarm
output rules as required to allow information of different levels to be output through different
channels, as shown in Figure 1-41.
1
Alarms Monitor Remote terminal
2
Loghost Log host
3
Trapbuffer Trap buffer
4 Logbuffer
5
SNMP agent SNMP agent
6 channel6
7 channel7
8 channel8
Table 1-40 shows the relationships between information channels and output directions.
6 channel6 Not specified This channel is reserved. You can specify the
output direction.
7 channel7 Not specified This channel is reserved. You can specify the
output direction.
8 channel8 Not specified This channel is reserved. You can specify the
output direction.
If multiple log hosts are configured, you can configure the device to output alarms through
one or more channels to log hosts. For example, configure the device to output some alarms to
log hosts through channel 2 (loghost) and the rest alarms to log hosts through channel 6. You
can rename channel 6 to facilitate information channel management.
Information Format
Figure 1-42 shows the alarm format.
Context
By default, the information center is enabled on the FW. If the information center is disabled,
perform the following operations to enable the information center.
NOTICE
When the information center is enabled and the system is busy sorting and outputting
information, system performance is affected.
Procedure
Step 1 Access the system view.
system-view
Each information channel must have a unique name, and the channel names must represent
the actual channel functions.
Step 4 Optional: Configure a timestamp is configured for alarms.
info-center timestamp trap { none | boot | { date | short-date | format-date }
[ precision-time { tenth-second | millisecond } ] }
----End
Context
By default, the information center enables the function of outputting alarms to the trap buffer.
Alarms are output to the trap buffer over information channel 3. You can change the
information channel over which alarms are output to the trap buffer and adjust the capacity of
the trap buffer.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which alarms are output to the trap buffer.
info-center trapbuffer channel { channel-number | channel-name }
----End
Context
After this configuration, alarms are output to log files and saved on the FW. You can view the
alarms to know the operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which alarms are output to log files.
info-center logfile channel { channel-number | channel-name }
----End
Context
After this configuration, you can log in to the FW in console mode and view alarms to know
the operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which alarms are output to the console.
info-center console channel { channel-number | channel-name }
Step 7 Optional: Enable the alarm information synchronous display function of the terminal.
terminal echo synchronous
----End
Context
After this configuration, you can log in to the FW using Telnet or STelnet and view alarms to
know the operating status of the FW.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which alarms are output to the terminal.
info-center monitor channel { channel-number | channel-name }
Step 7 Optional: Enable the alarm information synchronous display function of the terminal.
----End
Context
The FW can output alarms to a maximum of eight log hosts. The log hosts back up each other.
Procedure
Step 1 Access the system view.
system-view
Step 3 Configure the channel through which alarms are output to the log host.
l On an IPv4 network, set the channel through which alarms are output to the log host.
info-center loghost ip-address [ channel { channel-number | channel-name } |
facility local-number | language language-name | { vpn-instance vpn-instance-
name | public-net } ] *
This interface is recognized by the log host as the alarm sending interface.
----End
Context
To output alarms to the NMS, you need to output alarms to the SNMP agent. The SNMP
agent then sends the alarms to the NMS server.
Procedure
Step 1 Access the system view.
system-view
Step 3 Optional: Specify the information channel through which alarms are output to the SNMP
agent.
info-center snmp channel { channel-number | channel-name }
After the SNMP agent function is enabled, you must configure the SNMP function.
Otherwise, alarms cannot be sent to the NMS. For the SNMP configuration, see 1.7 SNMP.
----End
Operation Command
Alarm information cannot be restored after it is cleared. Perform the operation with caution.
Context
As shown in Figure 1-43, the FW connects to the NMS. The administrator wants to view the
alarms generated on the FW on the NMS to monitor the operation of the FW and locate faults.
DMZ
GE1/0/0
10.1.1.1/24
NMS
FW
10.1.1.2
Configuration Roadmap
1. Set IP addresses to interfaces on the FW, assign the interfaces to security zones, and
configure security policies.
2. Enable the information center on the FW.
3. Configure the information channel through which alarms are output and the alarm output
rule.
4. Configure SNMP on the FW.
5. Configure the NMS.
Procedure
Step 1 Set an IP address for GE 1/0/0 on the FW, add the interface to a security zone, and configure a
security policy.
Step 3 Configure the information channel through which alarms are output and the alarm output rule.
# Configure the information channel through which alarms are output to the SNMP agent.
[FW] info-center snmp channel channel7
# Configure the rule according to which the FW outputs alarms to the SNMP agent.
[FW] info-center source ip channel channel7 trap level informational state on
NOTE
By default, the FW outputs alarms for all modules through the SNMP agent.
You need to refer to the configuration guide of the NMS that is deployed. The NMS
authentication parameters must be consistent with those on the FW. Otherwise, the NMS may
fail to manage the FW.
----End
Configuration Script
#
sysname FW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent trap type base-trap
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100003598
snmp-agent community write cipher %$%$z=UX9vmQgCHS/E2xC5IPIZQH%$%$
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname %$%$
\d\R0yX`|T+ZwqXUB}o&,kbY%$%$ v2c
snmp-agent trap enable
#
security-policy
rule name local_dmz
source-zone local
destination-zone dmz
source-address 10.1.1.1 32
action permit
rule name dmz_local
source-zone dmz
destination-zone local
destination-address 10.1.1.1
32
action permit
#
return
1.10.6.1 Specifications
This section describes trap specifications.
Function Specifications
Function Description Supported or Not
Performance Specifications
Function Specifications
1.11 Debugs
To learn about device running information or commission the device, you can output the
debugging information of a specified module through the information center to different
directions.
1.11.1 Overview
This section describes the definition and objective of debugging information.
Definition
Debugging information refers to the tracking information on the operating of internal modules
of the FW.
Objective
The FW can output debugging information of multiple functional modules, helping the
administrator to understand the operating of functions and locate faults.
1.11.2 Mechanism
This section describes the debug mechanism.
The FW outputs debugging information through the information center. The information
center is an information hub of system software modules on the FW. You can sort output
system information in a refined manner to effectively filter information.
NOTE
In addition to debugging information, the information center can output logs and alarms. This chapter
focuses on debugging information, for logs and alarms, see 1.9 Logs and 1.10 Alarms.
Information Output
10 information channels are defined for the information center to control information output
in different directions. These channels are independent of each other. You can configure
debugging information output rules as required to allow information of different levels to be
output through different channels, as shown in Figure 1-44.
4 Logbuffer
5 SNMP agent
6 channel6
7 channel7
8 channel8
channel9 Logfile
9
Table 1-44 shows the relationships between information channels and output directions.
6 channel6 Not specified This channel is reserved. You can specify the
output direction.
7 channel7 Not specified This channel is reserved. You can specify the
output direction.
8 channel8 Not specified This channel is reserved. You can specify the
output direction.
If multiple log hosts are configured, you can configure the device to output debugging
information through one or more channels to log hosts. For example, configure the device to
output some debugging information to log hosts through channel 2 (loghost) and the rest
debugging information to log hosts through channel 6. You can rename channel 6 to facilitate
information channel management.
Debugging Functions
The output of debugging information depends on the following situations:
l Whether debugging information about a protocol is output
l Whether terminal display is enabled, that is, whether to display the debugging
information on the screen
Figure 1-45 shows the relationship between the preceding two situations. After the debugging
of protocol 1 and 3 is enabled, corresponding debugging information is output. As screen
Context
By default, the information center is enabled on the FW. If the information center is disabled,
perform the following operations to enable the information center.
NOTICE
l When the information center is enabled and the system is busy sorting and outputting
information, system performance is affected.
l Debugging degrades system performance. Therefore, after debugging, run the undo
debugging all command to disable debugging immediately.
Procedure
Step 1 Run:
system-view
----End
Context
After this configuration, debugging information is output to log files and saved on the FW.
You can view the debugging information to know the operating status of the FW.
Procedure
Step 1 Run:
system-view
The information channel through which debugging information is output to log files is
specified.
By default, channel 9 is used.
Step 4 Optional: Run:
info-center logfile size size
----End
Context
After this configuration, you can log in to the FW in console mode and view debugging
information to know the operating status of the FW.
Procedure
Step 1 Run:
system-view
The information channel through which debugging information is output to the console is
specified.
By default, channel 0 is used.
Step 4 Run:
quit
----End
Context
After this configuration, you can log in to the FW using Telnet or STelnet and view debugging
information to know the operating status of the FW.
Procedure
Step 1 Run:
system-view
The information channel through which debugging information is output to the terminal is
specified.
By default, channel 1 is used.
Step 4 Run:
quit
----End
Context
The FW can output debugging information to a maximum of eight log hosts. The log hosts
back up each other.
Procedure
Step 1 Run:
system-view
The channel through which debugging information is output to the log host is
configured.
By default, debugging information is not output to the log host.
l (On an IPv6 network) Run:
info-center loghost ipv6 ipv6-address [ channel { channel-number | channel-
name } | facility local-number | language language-name ] *
The channel through which debugging information is output to the log host is
configured.
By default, debugging information is not output to the log host.
l For a log host with a domain name specified, run:
info-center loghost domain domain-name [ channel { channel-number | channel-
name } | facility local-number | language language-name | log-counter
{ disable | enable } | local-time ] *
The channel through which debugging information is output to the log host is
configured.
By default, debugging information is not output to the log host.
Step 4 Optional: Run:
info-center loghost source { interface-type interface-number | ip-address }
A source interface is configured. This interface is recognized by the log host as the debugging
information sending interface.
----End
Networking Requirements
As shown in Figure 1-46, a PC connects to a server where the FW is installed. Debugging
information of the critical severity generated on the ARP module must be output to the
console.
Server
PC
Configuration Roadmap
1. Enable the information center.
2. Configure the module that is allowed to output debugging information.
3. Configure the channel through which the debugging information is output.
4. Enable the terminal monitor function and display the debugging information.
Procedure
Step 1 Enable the information center.
<FW> system-view
[FW] info-center enable
Step 2 Allow the debugging on the ARP module to be output to the Console with the severity of the
information as debugging.
[FW] info-center console channel console
[FW] info-center source arp channel console debug level debugging
[FW] quit
Step 3 Enable the terminal monitor function and display the debugging information.
<FW> terminal monitor
<FW> terminal debugging
----End
Configuration Files
#
sysname FW
#
info-center source ARP channel 0
#
return
1.11.6.1 Specifications
This section describes debugging specifications.
Function Specifications
Function Description Supported or Not
Context
After the mail service is enabled, the FW functions as an SMTP client to connect to the SMTP
server.
When the device sends information through mails, the device automatically references the
mail service parameters, such as email address.
Procedure
1. Choose System > Set Mail Service.
2. Configure the mail service.
Parameter Description Value
SMTP Mail Domain name, IPv4 address, or The default SMTP server port is
Server/Port port of the mail server. 25.
NOTE
The device does not support email
sending through a forcibly SSL-
connected email server, such as
Gmail. Commonly used email
servers, such as Sina, 163, and
Winmail, are recommended.
User Name/ User name and password for When the SMTP server requires
Password logging in to the SMTP mail ID authentication, select Verify
server. Sender's Name and Password,
and enter the user name and
password registered on the mail
server.
NOTE
When the SMTP mail server requires
ID authentication, "sender address"
is the mailbox address obtained
during the user name registration.
3. Click Apply.
4. Click Set Test Email and log in to the recipient's or CC recipient's mailbox to see
whether the test mail is received.
Test emails are sent to test whether email messages can be successfully sent and
received. If not, check whether the parameters are correctly configured. Then, check the
connectivity between the FW and the SMTP server.
1.13.1.1 Overview
This section describes basic concepts about status detection.
Using status detection, the FW checks the validity of the link status of packets and discards
the packets with invalid link status. Status detection takes effect on both common packets and
inner packets (decapsulated VPN packets).
When the FW is the only egress of a network, all packets are forwarded through the FW. In
this case, both incoming and outgoing packets pass through the FW. You can enable status
detection on the FW to secure services.
If either incoming or outgoing packets do not pass through the FW, the FW may not receive
the first packet, as shown in Figure 1-47.
Untrust
Switch
Outgoing traffic
Trust
Incoming traffic
In this case, you must disable stateful inspection to ensure normal services. The FW can also
establish sessions based on subsequent packets.
Table 1-46 shows session establishment on the FW for TCP, UDP, ICMP and SCTP packets.
The prerequisite for session establishment is that the packets pass the checks of security
mechanisms on the firewall, including security policies.
Table 1-46 Session establishment for TCP, UDP, ICMP and SCTP packets
Protocol Stateful Inspection Stateful Inspection
Enabled Disabled
TCP SYN packet The firewall creates The firewall creates sessions
sessions and forwards and forwards packets.
packets.
SYN+ACK The firewall does not create The firewall creates sessions
and ACK sessions and discards and forwards packets.
packets packets.
Echo Reply The firewall does not create The firewall creates sessions
packet (ping sessions and discards and forwards packets.
packet) packets.
Other ICMP The firewall does not create The firewall does not create
packets sessions but forwards sessions but forwards
packets. packets.
SCTP INIT packet The firewall creates The firewall creates sessions
sessions and forwards and forwards packets.
packets.
INIT— The firewall does not create The firewall creates sessions
ACK,COOK sessions and discards and forwards packets.
IE—ECHO packets.
and
COOKIE-
ACK packets
Context
You can enable or disable the IPv4 TCP or Internet Control Message Protocol (ICMP) status
check function as required.
Procedure
Step 1 Choose System > Setup > Status Detection.
Step 2 Select TCP Status Detection or ICMP Status Detection to enable this function.
The TCP status check function and ICMP status check function are independent of each other.
Enabling or disabling of one function does not affect the status check on the other type of data
flows.
NOTICE
Disabling the TCP status check function makes defending against SYN flood attacks in TCP
proxy mode unavailable.
----End
Context
You can enable or disable the IPv4/IPv6 TCP or ICMP status check function as required.
Procedure
Step 1 Access the system view.
system-view
Or
firewall ipv6 session link-state [ icmpv6 | tcp ] check
Or
undo firewall ipv6 session link-state [ icmpv6 | tcp ] check
After the status check function is enabled, a session is established only when the first packet
passes through the FW. After the status check function is disabled, sessions can be established
even if no subsequent packets are found.
----End
Follow-up Procedure
Run the display firewall [ ipv6 ] session link-state command to check whether the status
check function is enabled.
Check whether the IPv4 status check function is enabled. The command output shows that the
status check function is enabled for TCP flows but disabled for ICMP flows.
<FW> system-view
[FW] display firewall session link-state
Current firewall session link-
state:
------------------------------------
TCP check:
on
ICMP check:
off
------------------------------------
Check whether the IPv6 status check function is enabled. The command output shows that the
status check function is enabled for TCP and ICMP flows.
<FW> system-view
[FW] display firewall ipv6 session link-state
Current firewall ipv6 session link-state:
-----------------------------------------
TCP check: on
ICMPv6 check: on
-----------------------------------------
Context
The created session entry needs to be matched by packets constantly. If no packet matches for
a long time, it indicates that the connection between both communications parties is
interrupted, and the session entry is unnecessary. To save system resources, the system deletes
the entry that is not matched for a continuous period of time; that is, the session entry ages.
When the session entry ages and the packet whose quintuple is the same as that of the entry
passes through, the system determines whether to create a session entry based on the security
policy. If no session entry is created, the packet cannot be forwarded. The length of the aging
time of the session table affects system forwarding as following:
l If the aging time is too long, a large number of interrupted session entries may exist in
the system and consume system resources. In addition, new session entries may not be
created, affecting the forwarding of other services.
l If the aging time of the session entry is too short, certain connections that require a long
time for sending packets are interrupted, affecting service forwarding.
Generally, the default aging time of the session table is adopted. To change the aging time,
you should first estimate and identify the traffic type and connection number of the actual
network. For special services that require long time connections, you are advised to
implement the 1.13.3 Configuring a Persistent Connection function instead of running the
following command to lengthen the aging time of the traffic of a certain protocol.
Procedure
Step 1 Access the system view.
system-view
Or
display firewall ipv6 session table [ verbose ] [ source ipv6-address [ to end-
ipv6-address ] ] [ source-port source-port ] [ destination ipv6-address [ to end-
ipv6-address ] ] [ application application ] [ destination-port destination-
port ] [ long-link ]
----End
Context
Generally, the default aging time on the device can meet the forwarding requirements. You
can also fine-tune the aging time as needed. However, for some services, the idle time
between two packets can be very long. For example:
l When a user downloads large files using FTP, the idle time between control packets
along the control channel can be very long.
l A user may query a database server now and then, and the time between query
operations may be greater than the aging time of the TCP session.
To remedy this, you can set the aging time to a larger value. However, the aging time applies
to all protocol sessions, resulting in performance degradation.
Therefore, the aging time setting must be more precise. The persistent connection function
allows you to set the session aging time for specific flows. However, the FW supports
persistent connection only for TCP.
NOTE
l When stateful inspection is disabled, the device also creates session entries for non-first packets. In
this case, you do not need to enable the persistent connection function.
l The aging time specified through the persistent connection function is not affected by the global
aging time of the session table.
Procedure
Step 1 Access the system view.
system-view
security-policy
Step 3 Create a security policy rule and access the security policy rule view.
rule name rule-name
Step 4 Enable the persistent connection function.
long-link enable
Step 5 Specify the aging time of each persistent connection.
long-link aging-time interval
----End
Context
NOTE
The is a distributed device. You can insert multiple firewall SPUs in the device. When the
LPU receives the packets that need to be processed by SPUs, the hash algorithm is applied to
send the packets to the corresponding CPU of the SPU by computing the information of the
packets.
Currently, the supports the following hash based board selection modes:
l Hash-based board selection mode that is oriented to the source IP address
The source IP address of a packet determines the CPU of the SPU on the firewall that
processes the packet.
You must set the hash-based board selection mode to the source address mode to use the
following functions:
– Triplet NAT
l Hash-based board selection mode that is oriented to the source and destination IP
addresses
The source and destination IP addresses of a packet determine the CPU of the SPU on
the firewall that processes the packet.
According to the result of hash-based computation, different types of traffic may be sent to the
same CPU of the SPU on the firewall due to certain features of the hash algorithm. As a
result, the CPU cannot process other services. To avoid the preceding issue, the can adjust the
hash gene to evenly send different types of traffic to the SPUs on the firewall.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure the hash-based board selection mode.
firewall hash-mode { source-and-destination | source-only }
By default, the hash-based board selection mode is oriented to the source and destination IP
addresses.
The configuration takes effect after you restart the device.
Step 3 Specify a hash gene.
firewall hash-gene hash-gene
By default, the hash gene is 0.
The configuration takes effect after you restart the device.
NOTICE
You are recommended to use the default configuration.
----End
Version Description
1.14.1 Overview
This section describes the file system structure and file transfer mode of the FW.
The FW allows you to repair and format the storage devices, as well as create, delete, and
modify files or directories on the storage devices.
default-sdb Stores the default signature database file and version information.
Directory Function
Name
NOTICE
SFTP is recommended because of high security.
NOTE
Managing Directories
Table 1-51 lists the commands for managing directories.
NOTE
Display the files and dir [ /all ] [ filename | /all- l /all: Displays the
subdirectories in the specific filesystems ] [ /order information about all
directory. datetime [ reverse ] ] files, including deleted
files. Deleted files are
square-bracketed, for
example, [ text ].
l filename | directory:
Displays the files and
subdirectories of a
specific directory. If the
value is not specified, the
dir command displays
all files and
subdirectories in the
current directory.
l /all-filesystems: displays
information about files in
all storage medium root
directories.
l /order: displays
sequential file
information.
l datetime: displays file
information in ascending
order of file modification
time.
l reverse: displays file
information in
descending order of file
modification time.
Managing Files
Table 1-52 lists the commands for managing files.
NOTE
All these commands need to be executed in the user view, except execute filename and file prompt { alert |
quiet } (in the system view).
Configure a file system file prompt { alert | quiet } The file prompt command
prompt method. enables the system to
display information or alert
especially when your
operations may lead to data
loss or damage. You can run
this command to change the
file system prompt method.
NOTICE
If the prompt mode is set to
quiet, the file system does not
prompt for data loss caused by
misoperations, such as file
deletion.
NOTICE
SFTP is recommended because of high security.
Procedure
Step 1 Access the system view.
system-view
The FTP server is configured on the FW by default. You need to run this command to enable
the FTP service.
NOTE
The interactive mode is recommended for creating administrator passwords because the passwords
configured by the cipher password command are not safe.
4. Set the administrator level.
level level
NOTE
To ensure that the administrator can log in to the FW, set the administrator level to be 3 or higher.
5. Set the service type to FTP for the administrator account.
service-type ftp
6. Set the FTP service directory for the administrator account.
ftp-directory directory
7. Set the maximum number of administrators that can concurrently log in using this
administrator account.
access-limit max-number
8. Return to the AAA view.
quit
9. Return to the system view.
quit
To prevent unauthorized access, the FW automatically closes the FTP connections if the FW
does not receive any FTP request in a specific period of time. To use the FTP service, FTP
administrators must log in to the FTP server again.
NOTE
FTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
2. Configure an ACL rule.
quit
4. Configure basic ACLs for FTP connections.
----End
Procedure
Step 1 Log in to the FTP server.
Different commands are available for you to log in to the FTP server from different views.
l Set up a connection with the FTP server from the user view.
ftp ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]
l Set up a connection with the FTP server from the FTP client view.
open ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]
Step 2 Optional: Configure the data type and file transfer mode.
Download a file from the FTP server to the get remote-filename [ local-filename ]
local device.
Change the login account and log in again. user user-name [ password ]
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the SFTP server function.
sftp server enable
Step 3 Configure the VTY UI.
1. Access the VTY UI.
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
2. Set the authentication mode to AAA.
authentication-mode aaa
3. Configure SSH.
protocol inbound ssh
4. Configure a VTY UI level.
user privilege level level
NOTE
To ensure that administrators can log in to the FW, set the VTY UI level to be 3 or higher.
To ensure that the administrator can log in to the FW, set the administrator level to be 3 or higher.
4. Set the service type to SSH for the administrator.
service-type ssh
5. Return to the system view.
quit
Step 5 Create an RSA key pair or a DSA key pair.
l Run the rsa local-key-pair create command to create a local RSA key pair.
NOTE
– You need to run the rsa local-key-pair create command to generate the local RSA key pair
before performing other SSH configurations. The host key pair length and server key pair
length range from 512 to 2048, in bits.
The default value is 2048 bit. As for version upgrade, if the original key pair length is smaller
than 1024 bits, you are advised to run the command after the upgrade.
– After creating a local RSA key pair, you can run the display rsa local-key-pair public
command to view the public key in the local key pair.
– You can run the rsa local-key-pair destroy to clear all local RSA key pairs, the host key pairs
and host key pairs.
After running the rsa local-key-pair destroy command, check whether all local RSA key
pairs are cleared. The command configuration takes effect only once and is not saved into the
configuration file.
l Run the dsa local-key-pair create command to create a local DSA key pair.
NOTE
– You need to run the dsa local-key-pair create command to generate the local DSA key pair
before performing other SSH configurations. The host key pair length and server key pair
length can be 512 bits, 1024 bits, or 2048 bits. The default key pair length is 2048 bits.
– After creating the local DSA key pair, you can run the display dsa local-key-pair public
command to view the public key in the local key pair.
– You can run the dsa local-key-pair destroy to clear all local DSA key pairs, the host key pairs
and host key pairs.
After running the dsa local-key-pair destroy command, check whether all local DSA key
pairs are cleared. The command configuration takes effect only once and is not saved into the
configuration file.
Configure the password 1. Run the ssh user username authentication-type password
authentication mode. command to set the authentication mode to password.
2. Run the aaa command to access the AAA view.
3. Run the manager-user user-name command to enter the
administrator view.
4. Run the password [ ciphercipher-password ] command to
set a password for the SFTP account.
NOTE
The interactive mode is recommended for creating administrator
passwords because the passwords configured using the cipher cipher-
password command are not safe.
Do not use the default password Admin@123. Otherwise, SFTP users
cannot log in to the device.
Configure the RSA 1. Run the ssh user username authentication-type rsa
authentication mode. command to set the authentication mode to RSA.
2. Bind the SFTP account with the RSA public key on the
client.
a. Run the rsa peer-public-key key-name [ encoding-type
{ der | pem | openssh } ] command to access the RSA
public key view.
b. Run the public-key-code begin command to access
public key editing view.
c. Enter the RSA public key of the client through typing or
copy and paste.
d. Run the public-key-code end command to return to the
RSA public key view.
e. Run the peer-public-key end command to return to the
system view.
f. Run the ssh user user-name assign rsa-key key-name
command to bind an RSA public key to the SFTP
account.
Configure the DSA 1. Run the ssh user username authentication-type dsa
authentication mode. command to set the authentication mode to DSA.
2. Bind the SFTP account with the DSA public key on the
client.
a. Run the dsa peer-public-key key-name [ encoding-type
{ der | pem | openssh } ] command to access the DSA
public key view.
b. Run the public-key-code begin command to access
public key editing view.
c. Enter the DSA public key of the client through typing or
copy and paste.
d. Run the public-key-code end command to return to the
DSA public key view.
e. Run the peer-public-key end command to return to the
system view.
f. Run the ssh user user-name assign dsa-key key-name
command to bind a DSA public key to the SFTP
account.
Configure the all The all authentication mode indicates either password or RSA
authentication mode. authentication. If both password authentication and RSA
authentication are configured, RSA authentication is used
preferentially.
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable first-time authentication or bind the RSA public key to the SFTP server. First-time
authentication is recommended.
NOTE
When communicating with an SFTP server, the FW (SFTP client) needs to compare the RSA public key sent
by the server with the locally stored RSA public key to check whether it is communicating with the correct
server.
If the server RSA public key is not obtained in advance and does not exist on theFW, enable first-time
authentication on the FW to ensure that the FW can log in to the server.
If you have obtained the server RSA public key in advance, you can copy the public key to the FW and bind
the server to this public key. This method also ensures that the FW can log in to the server, but binding the
server to the RSA public key is complex. Therefore, first-time authentication is recommended.
l Enable first-time authentication.
ssh client first-time enable
l Bind the SFTP server to an RSA public key.
a. Access the public key view.
If the binding between the SFTP server and the RSA public key becomes invalid, run the
undo ssh client servername assign rsa-key command to cancel the binding and bind the
SFTP server to a new RSA public key.
Step 3 If the SFTP server uses password authentication, perform Step 4 to log in to the SFTP server.
If the SFTP server uses RSA authentication, bind the SFTP account of the FW to the RSA
public key on the server as follows:
1. Generate an RSA key pair on the FW.
rsa local-key-pair create
2. Check the public key in the RSA key pair, copy the public key information of the host
key pair to the server, and bind the SFTP account on the FW to this public key. For
details, refer to the SFTP server operation guide.
display rsa local-key-pair public
NOTE
The public key information to be copied is the Key code, Host public key for PEM format code,
or Public key code for pasting into OpenSSH authorized_keys file (based on the server coding
format) field below the sysname_Host field in the display rsa local-key-pair public command
output.
<sysname> display rsa local-key-pair public
=====================================================
Key
code:
308188
028180
0203
010001
UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h
41ix6Opzn6Azi+Dtcqmg7f5J/
QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz
IP2gEPGN
+Q==
---- END SSH2 PUBLIC KEY
----
/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSzIP2gEPGN+Q== rsa-
key
If first-time authentication is enabled and the FW does not store the server RSA public key,
you need to determine whether to trust the server and whether to save the server RSA public
key upon first login. Select Y when prompted.
[sysname] sftp 10.2.2.1
Please input the username:sysname
Trying 10.2.2.1 ...
Press CTRL+K to abort
Connected to 10.2.2.1 ...
The server is not authenticated. Continue to access it? [Y/N] :Y
Save the server's public key? [Y/N] :Y
The server's public key will be saved with the name 10.2.2.1. Please wait .
..
NOTE
To improve file transfer security, use AES128 preferentially as the encryption algorithm. DES and 3DES
are not recommended. Use SHA1 or SHA1-96 preferentially as the HMAC algorithm. MD5 and
MD5-96 are not recommended.
----End
Procedure
Step 1 Optional: Configure ACLs to limit the access from the FW to the TFTP server.
1. Access the system view.
system-view
2. Access the ACL view.
acl [ number ] acl-number [ vpn-instance vpn-instance ]
NOTE
TFTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
3. Configure ACL rules.
rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address source-wildcard
| any } | time-range time-name ]
4. Return to the system view.
quit
5. Use ACLs to limit the access from the FW to the TFTP server.
tftp-server acl acl-number
l In the user view, run the following command to download files through TFTP.
tftp tftp-server get source-filename [ destination-filename ]
l In the user view, run the following command to upload files through TFTP.
tftp tftp-server put source-filename [ destination-filename ]
----End
1.14.4.1 Displaying Information About the FTP Server and FTP Administrator
This section describes how to use commands to display FTP configuration information.
Context
In routine maintenance, you can run the commands shown in Table 1-53 in any view to
display FTP configurations and FTP administrators.
Table 1-53 Displaying information about FTP configurations and FTP administrators
Operation Command
1.14.4.2 Displaying Information About the SFTP Server and SFTP Administrator
This section describes how to display the SFTP server configuration and how to debug the
SFTP function.
Operation Command
Debugging SFTP
Before you enable the debugging function, you must run the terminal monitor command and
the terminal debugging command in the user view to enable the information display and
debugging display functions of the terminal. Then debugging information can be displayed on
the terminal.
NOTICE
Debugging commands compromise system performance. After the debugging is complete, run
the undo debugging all command to disable all debugging functions.
Requirements
You have already copied files to the specified directory.
NOTE
The is a root directory example.
Item Data
Procedure
Step 1 Display the information about the files in the directory of the storage device.
<FW> dir hda1:
Directory of hda1:/
----End
Verification
Check whether the copied files exist in the specified directory.
<FW> dir hda1:/test/
Directory of hda1:/test/
0 drw- - Jul 12 2009 17:35:57 database
1 drw- - Jul 12 2009 17:25:57 conf
3 drw- - Jul 12 2009 17:32:57 log
4 -rw- 23 Oct 24 2009 11:16:40 sample1.txt
Networking Requirements
As shown in Figure 1-48, a PC is used to log in to the FW and download files from the FW
through FTP.
NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.
MGMT (GE0/0/0)
192.168.0.1/24
192.168.0.100/24
FW PC
Data Planning
Item Data
Procedure
Step 1 Configure the FW.
1. Configure a security policy for the Local-Trust interzone to permit the FTP service.
<FW> system-view
[FW] security-policy
[FW-policy-security] rule name policy_ftp
[FW-policy-security-rule-policy_ftp] service ftp
[FW-policy-security-rule-policy_ftp] source-zone trust
[FW-policy-security-rule-policy_ftp] destination-zone local
[FW-policy-security-rule-policy_ftp] source-address 192.168.0.100 32
[FW-policy-security-rule-policy_ftp] destination-address 192.168.0.1 32
[FW-policy-security-rule-policy_ftp] action permit
[FW-policy-security-rule-policy_ftp] quit
[FW-policy-security] quit
Step 2 Set an IP address and subnet mask for the PC. Details are omitted.
Step 3 Use FTP to log in to the FW from the PC and download files.
1. Choose Start > Run, enter cmd, and press Enter.
2. Enter D: and press Enter to set drive D as the working directory for the administrator's
PC.
3. Enter ftp 192.168.0.1, press Enter, and then use the account and password to log in to
the FW.
4. Download file sys.bin from the FTP directory on the FW to the root directory of drive D.
----End
Configuration Scripts
#
sysname FW
#
aaa
manager-user admin_ftp
password cipher %@%@*y:3*ZN}.%%qcB.|@XBVML1cCyDwlDWq'6JF(iOz2D8>A\SN%@
%@
service-type ftp
level 3
ftp-directory hda1:
#
security-policy
rule name policy_ftp
source-zone trust
destination-zone local
service ftp
source-address 192.168.0.100
32
destination-address 192.168.0.1 32
action permit
Networking Requirements
As shown in Figure 1-49, configure the FW as an FTP client and download files from the
FTP server to the specified local directory.
NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.
GE1/0/1
192.168.0.100/24 192.168.0.1/24
Network
FTP Server FW
Data Planning
Item Data
Procedure
Step 1 Configure a security policy for the Local-Trust interzone to permit the FTP service.
<FW> system-view
[FW] security-policy
[FW-policy-security] rule name policy_ftp
[FW-policy-security-rule-policy_ftp] service ftp
[FW-policy-security-rule-policy_ftp] source-zone local
[FW-policy-security-rule-policy_ftp] destination-zone trust
[FW-policy-security-rule-policy_ftp] source-address 192.168.0.1 24
[FW-policy-security-rule-policy_ftp] destination-address 192.168.0.100 24
[FW-policy-security-rule-policy_ftp] action permit
[FW-policy-security-rule-policy_ftp] quit
[FW-policy-security] quit
Step 2 Log in to the FTP server from the FW and download the file to the specified directory.
# Log in to the FTP server.
<FW> ftp 192.168.0.100
Trying 192.168.0.100
Press CTRL+K to abort
Connected to 192.168.0.100
Warning: FTP is not a secure protocol, and you are advised to use SFTP.
# Set the file transfer mode to binary and display the current directory on the FW for saving
the file.
[ftp] binary
200 Type set to I.
[ftp] lcd
Info: Local directory now hda1:.
# Download the file from the FTP server and display the downloaded file in the specified
directory on the FW.
[ftp] get sys.bin
200 PORT command okay.
150 Opening BINARY mode data connection for sys.bin.
226 Transfer complete.
ftp: 20116676 byte(s) received, in 43.60 seconds at 461.40 kbytes/sec.
[ftp] quit
<FW> dir
Directory of hda1:/
...
3 -rw- 20116676 Aug 07 2009 06:58:17 sys.bin
...
----End
Networking Requirements
As shown in Figure 1-50, a PC is used to log in to the FW and download files from the FW
through SFTP.
Figure 1-50 Networking diagram for logging in to the FW through SFTP (password
authentication)
GE1/0/3
10.3.0.1/24
PC FW
10.3.1.100/24 (SFTP Server)
Data Planning
Item Data
Procedure
Step 1 Configure the FW.
1. Set an IP address for interface GigabitEthernet 1/0/3 and assign the interface to a security
zone.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet1/0/3] service-manage enable
[FW-GigabitEthernet1/0/3] service-manage ssh permit
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[FW] security-policy
[FW-policy-security] rule name policy_sftp
[FW-policy-security-rule-policy_sftp] service ssh
[FW-policy-security-rule-policy_sftp] source-zone trust
[FW-policy-security-rule-policy_sftp] destination-zone local
[FW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[FW-policy-security-rule-policy_sftp] action permit
[FW-policy-security-rule-policy_sftp] quit
[FW-policy-security] quit
+
............+++++++++
6. Create an SFTP administrator account and specify an authentication mode and a service
type.
# Create SFTP administrator account sftpadmin_a and set the authentication mode to
password, service type to SFTP, and service directory to hda1:.
b. Enter y and type the user name and password (sftpadmin_a/Mydevice@a) to log in
to the FW, as shown in Figure 1-52.
----End
Configuration Scripts
#
sysname FW
#
aaa
manager-user sftpadmin_a
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type ssh
level 3
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
sftp server enable
ssh user sftpadmin_a
ssh user sftpadmin_a authentication-type password
ssh user sftpadmin_a service-type sftp
ssh user sftpadmin_a sftp-directory hda1:
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 120 0
protocol inbound ssh
#
security-policy
rule name policy_sftp
source-zone trust
destination-zone local
service ssh
source-address 10.3.1.0 24
action permit
Networking Requirements
As shown in Figure 1-54, a PC is used to log in to the FW and download files from the FW
through SFTP.
Figure 1-54 Networking diagram for logging in to the FW through SFTP (RSA
authentication)
GE1/0/3
10.3.0.1/24
PC FW
10.3.1.100/24 (SFTP Server)
Data Planning
Item Data
Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local RSA key pair (the following uses
PuTTYgen0.60 as an example).
a. Double-click PuTTYgen.exe. The interface shown in Figure 1-55 is displayed. In
Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC
starts to generate a local RSA key pair.
Figure 1-55 Selecting the SSH version for generating the local RSA key pair
b. Figure 1-56 shows the interface for generating a local RSA key pair. You must
move the mouse continuously during the generation of the local RSA key pair.
Move the pointer only in the window other than the progress bar in green.
Otherwise, the progress bar suspends, and the generation of the key pair stops.
c. Figure 1-57 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
n OpenSSH: Copy the marked content in the Key text box.
n PEM: Click Save public key, enter public for the name of the public key file,
and click Save. Click Save private key, enter private for the name of the
private key file, and click Save.
NOTE
To enhance security, you must enter a password in the Key passphrase text box and enter
the password again in the Confirm passphrase text box to set a password for using this key
pair.
2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[FW] security-policy
[FW-policy-security] rule name policy_sftp
[FW-policy-security-rule-policy_sftp] service ssh
[FW-policy-security-rule-policy_sftp] source-zone trust
[FW-policy-security-rule-policy_sftp] destination-zone local
[FW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[FW-policy-security-rule-policy_sftp] action permit
[FW-policy-security-rule-policy_sftp] quit
[FW-policy-security] quit
12. Configure an SFTP service authorization directory for the SSH user.
b. Choose Connection > SSH in the left Category navigation tree. The interface
shown in Figure 1-59 is displayed. In the Protocol options area, set Preferred
SSH protocol version to 2.
c. Select Auth in SSH. The dialog box shown in Figure 1-60 is displayed. Click
Browse, import the private key file private.ppk in the saved RSA key pair.
Figure 1-60 Importing the private key in the RSA key pair
d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 1-61.
NOTE
The saved session will be used in the SFTP login using the PSFTP tool. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.
Figure 1-61 Importing the private key in the RSA key pair
e. Double-click PSFPT.exe, enter open ssh-rsa and press Enter (ssh-rsa is the name
of the saved PyTTY session), and then enter SSH administrator account
sshadmin_b and press Enter. You can access the file directory on FW, as shown in
Figure 1-62.
----End
Configuration Scripts
#
sysname FW
#
rsa peer-public-key key_pc encoding-type openssh
public-key-code begin
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltI
dI
9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGbo
U8
8cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key
public-key-code end
peer-public-key end
#
aaa
manager-user sftpadmin_a
service-type ssh
level 3
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
sftp server enable
ssh user sftpadmin_a
ssh user sftpadmin_a authentication-type rsa
ssh user sftpadmin_a assign rsa-key key_pc
ssh user sftpadmin_a service-type sftp
ssh user sftpadmin_a sftp-directory hda1:
ssh user sftpadmin_a authorization-cmd aaa
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
Networking Requirements
As shown in Figure 1-64, the IP address of the TFTP server is 10.111.16.160/24. Log in to
the FW through PC and download test.cc from the TFTP server.
NOTICE
SFTP is recommended because of high security.
Figure 1-64 Networking diagram of downloading files from the TFTP server
TFTP Server FW PC
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Start the TFTP software on the TFTP server and set the location of the source file on the
server.
2. Use the tftp command to download the file to the FW.
Procedure
Step 1 Start the TFTP server. Specify the directory where test.cc resides as the base directory. Figure
1-65 shows the window.
NOTE
The display varies with the TFTP server software running on the PC.
Step 2 Log in to the device through the PC and run the following commands to download the file:
<FW> tftp 10.111.16.160 get test.cc hda1:/test.cc
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
\
TFTP: 86235884 bytes received in 42734 second.
TFTP: 15805100 bytes received in 42734 second.
File downloaded successfully.
----End
Verification
Check whether the downloaded file is in the specified directory of the device.
<FW> dir hda1:
Directory of hda1:/
0 -rw- 86211956 Jun 08 2009 15:20:14 test.cc
1 -rw- 40 Jun 24 2009 09:30:40 private-data.txt
2 -rw- 396 May 19 2009 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2009 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2009 17:46:46 1.cfg
5 -rw- 14343 May 19 2009 15:00:10 paf.txt
6 -rw- 1004 Feb 05 2009 09:30:22 vrp1.zip
7 -rw- 6247 May 19 2009 15:00:10 license.txt
8 -rw- 14343 May 16 2009 14:13:42 paf.txt.bak
1.15.1 Overview
A configuration file defines the configuration items required for the startup of the FW. You
can save a configuration file on the device, modify and remove existing configuration files,
and specify the configuration file for the FW to load upon each startup.
Current Configuration
The current configuration is the configuration currently takes effect, not the configuration file.
A configuration file is generated only after you save the current configuration.
Configuration File
The configuration file is saved as a .txt file, and the requirements on its content are as follows:
l The configuration file is saved in commands.
l Only non-default parameters are saved. You can find the default value of each parameter
in relevant chapters of this document.
l Commands are organized by views. The commands available in the same view are listed
together to form a section, and adjacent sections are separated by a blank line or
comment line which starts with a number sign in a pair of square brackets ([#]). The
number of blank lines or comment lines can be one or more.
l Sections are usually arranged in the order from global configuration, physical interface
configuration, logical interface configuration, to routing protocol configuration.
NOTE
In a configuration file, the command that can be identified by the system must be a string of no more
than 510 characters. Directly modifying the configuration file may cause certain commands in the
configuration file to have more than 510 characters. Therefore, perform the operation with caution.
Concepts related to the configuration file are the configuration file for this startup,
configuration file for the next startup, and configuration file for disaster recovery.
l startup saved-configuration file
Indicates the configuration file for this startup.
l next startup saved-configuration file
Indicates the configuration file to be loaded for the next startup.
Related Operations
To manage configuration files, do as follows:
NOTICE
Restore the factory configuration will reboot the device.
Step 4 Click OK, and the device reboot and restore the factory defaults.
----End
The configuration file name extension must be .zip or .cfg, and the file name cannot contain
Chinese.
Step 2 Click Select. The Configuration File Management dialog box is displayed.
Step 6 Click to configure the current file as the startup configuration file.
The configuration takes effect only after the firewall is restarted.
----End
Displaying Configuration
You can display a maximum of 2000 configuration messages. To view more configuration
information, you must export the configuration information.
Step 2 Under Current Configuration, click Advanced Search, select search conditions on the
Query Condition dialog box, and click Search.
Parameter Description
----End
Step 3 Click Save and select a path on the terminal to save the configuration file.
----End
Comparing Configurations
You can compare the current configurations with the configurations saved in configuration
files.
----End
By default, only the system administrator has the configuration saving permission. If a non-system
administrator needs to save configuration, contact the system administrator for the permission.
Step 3 Select Overwrite configuration file for next startup or Save as.
If you select Save as, enter a new file name.
----End
1.16.1 Overview
This section describes basic concepts about the system software, patch files.
If no system software is specified for the startup or the file path or name is incorrectly
configured, the device cannot be normally started.
During the device upgrade, replace system software and set the system software file for the
next startup. Then restart the device to make new configurations take effect.
Patch Overview
During the operation of the device, you need to revise the system software sometimes such as
remove the system defects or add new functions for service requirements. We used to upgrade
the software after shutting down the system. This static upgrade affects the service on the
device and does not improve the communication. If we load a patch to the system software,
we can upgrade it online without interrupting the operation of the device. This dynamic
upgrade does not affect the service and can improve the communication.
Patch Area
In the memory of the Main Processing Unit (MPU) and Line Processing Unit (LPU), a certain
space is reserved to save the patch. This space is called patch area.
To install the patch, save the patch to the patch area in advance in the memory of the board.
The patch saved in the patch area is numbered uniquely. Up to 200 patches can be saved to the
patch area in the memory of the MPU or LPU.
Patch States
Patch status can be idle, deactivated, activated, and running. For details, see Table 1-56,
Idle The patch file is not loaded to the When the patch is loaded to the patch
patch area in the memory. area, the patch status is set to
d deactivated.
Deactivated The patch is loaded to the patch The patch in the deactivated state can
area but disabled. be as follows:
l Uninstalled, that is, deleted from
the patch area.
l Enabled temporarily and turns to
the active state.
Activated The patch is loaded to the patch The patch in the activated state can be
area and enabled temporarily. as follows:
If the board is reset, the active l Uninstalled, that is, deleted from
patch on that board turns to the the patch area.
deactivated state. l Disabled and turns to the
deactivated state.
l Enabled permanently, and turns to
the running state.
Running The patch is loaded to the patch The patch in the running state can be
area and enabled permanently. uninstalled and deleted from the patch
If the board is reset, the patch on area.
the board keeps in the running
state.
Load
Idle Deactivated
Delete
Delete
Delete Active Deactive
Running Activated
Run
Patch Functions
Installing patches can improve system functions or fix bugs. By installing a patch, you can
upgrade the system without upgrading the system software.
In some special scenarios, you can install patches specific to an MPU or LPU to optimize
board functions.
No Enable patch No
Normally run Bug removed Disable patch
temporarily
Yes Yes
----End
Step 6 Click to set the current file as the system software for the next startup.
The upgraded system software can be used only after you restart the .
----End
----End
Step 6 Click of the patch file in idle state and click Yes in the dialog box that is displayed to
upload, activate, and run the patch file.
----End
Step 2 Click One-Touch Patch Upgrade. The One-Touch Patch Upgrade wizard is displayed.
----End
Context
To upgrade the system software of the USG6000V, you only need to load the system
software.
Procedure
Step 1 Configure the FW to load the system software upon the startup of FW.
startup system-software system-file
save
Step 3 In the user view, check the running and startup systems and configuration files.
display startup
----End
All the information about the current patch is displayed, including information about the patch
units that are running, the patch units that are activated, and the patch units that are
deactivated.
If there are patches running, you must delete them before loading new patches.
Step 2 Optional: Delete the current patch.
patch delete all
----End
Loading a Patch
Upload the patch file to the root directory of the MPU before you install a patch.
Step 1 Upload the patch file to the root directory of the active MPU.
The FW supports FTP, TFTP, or SFTP.
NOTE
You are advised to use SFTP to upload the patch file as SFTP is more secure than FTP and TFTP.
----End
The system checks whether the patch version is consistent with the system software
version when the patch is loaded. If they are inconsistent, the system displays a
message indicating a patch loading failure.
After the patch is loaded, the patch is still in the deactivated state, even after the
MPU is restarted.
b. Activate the patch.
patch active all
Only patches that are loaded and in the deactivated state can be activated. The
patches take effect after being activated. However, if the MPU is restarted, the
patches will go back to the deactivated state.
c. Run the patch.
patch run all
You can run the patch successfully only when the patch file has been activated.
After the patch is run, the patch will be running even after the MPU is restarted.
d. View the patch information.
display patch-information [ history ]
b. View information about the patch file that will take effect upon device restart.
display startup
After the FW is restarted, the patch is in the running state. That is, the patch is
permanently active. During FW restart, the patch state is automatically synchronized to
the standby MPU.
----End
NOTE
----End
1.17.1 Overview
After you upgrade the system or load a host program or after an anomaly occurs in the
system, you need to restart the system.
Restarting the FW interrupts services. Therefore, select off-peak hours in non-emergent cases,
such as in the early morning, to restart the FW.
Upon the restart, the FW loads the startup configuration file specified before the restart.
Context
NOTICE
l If the FW works improperly, try to rectify the fault. Do not restart the system frequently in
case that services are affected.
l If you must restart the system, select off-peak hours in non-emergent cases, such as in the
early morning.
l Restarting the FW may result in temporary data loss. Before the restart, make sure that the
configuration data is backed up.
You are advised to back up the configuration file in use before you restart the system.
Procedure
Step 1 Choose System > Setup > Restart.
Step 2 Select either of the following to restart the system.
l Click Save and Restart to save the configuration and restart the system.
l Click Restart to restart the system without saving the configuration.
----End
Context
The user experience plan sends the data information collected by the FW to the data feedback
server for it to validate the signatures, reduce false positives, identify threat relationship, and
sense network threat status.
Procedure
Step 1 Choose System > Support.
Step 2 Select Enable for User Experience Plan and click Apply to enable the data feedback
function.
After the data feedback function is enabled, the FW will collect network threat information
and service statistics and sends them to the data feedback server. The data feedback server can
then analyze the data information to improve the threat prevention capability of the FW.
Table 1-57 lists the data that may be collected in data feedback.
Threat log Threat detection time, threat type, To optimize IPS and antivirus
threat number, threat name, attack signatures and reduce false
source IP address and port, positives.
application-layer protocol type,
transport-layer protocol type,
country name and country code of
the attack source, and country
name and country code of the
attack target
IPS engine IPS engine version, IPS signature To analyze the IPS engine
operating status database version, operating time, operating status and improve
current number of sessions, performance.
number of user-defined IPS
signatures, and engine ID
NOTE
To ensure that you can properly use the device, determine whether to enable the data feedback function
on the engine side. The data feedback function may collect network threat information and service
statistics on the device and sends them to the data feedback server for analysis so that the threat
prevention capability of the device can be improved. This function may involve transferring or
processing users' communication contents or personal data. Huawei Technologies Co., Ltd. alone is
unable to transfer or process the content of users' communications and personal data. It is suggested that
you activate the user data-related functions based on the applicable laws and regulations in terms of
purpose and scope of usage. You are obligated to take considerable measures to ensure that the content
of users' communications and personal data are fully protected when the content is being transferred and
processed.
----End
1.19 NQA
This chapter describes the Network Quality Analysis (NQA) mechanism, testing scenarios,
and general parameters and provides examples for configuring NQA.
1.19.1 Overview
The NQA function measures the performance of various protocols running on networks to
ensure that administrators can collect various network running indicators.
1.19.1.1 NQA
NQA tests the performance of various protocols running on networks and serves as an
effective tool for diagnosing and locating network faults.
Introduction to NQA
With the improving requirements regarding the QoS, especially after traditional IP networks
bear voice and video services, Service Level Agreements (SLAs) are commonly signed
between broadband service providers and their subscribers.
To ensure the committed bandwidth stated in the SLA, broadband service providers require
statistics on various network parameters, such as delay, jitter, and packet loss ratio and learn
about the performance status of the network in time. The NAQ function delivered by the FW
fulfills the requirements.
NQA measures the performance of various protocols running on networks to ensure that
broadband service providers can collect various network parameters in real time, for example,
the measurement of total HTTP latency, TCP latency, file transmission rate, and FTP latency.
Through network management based on these parameters, broadband service providers
provide users with services of different levels at different costs.
IP/MPLS
Network
NQA Client
The information about the round trip time of each packet or whether the transmission of a
packet times out is not displayed on the console terminal in real time. You can run the display
nqa results command after the test to view the test result.
You can set the parameters of all NQA operations on the NMS and start the test.
You need to create NQA instances on NQA clients. Each instance is identified by the
administrator who creates the instance and an operation tag.
In an instance view, you need to configure test parameters for related test. Note that not all
parameters apply to every test type.
NQA Server
For most tests, you need to configure only the NQA clients. For TCP, UDP, and Jitter tests,
however, you must configure the NQA server.
The NQA server processes the test packets from the clients. As shown in Figure 1-69, the
NQA server responds to the test request packet initiated by the client through the listening on
a specific port.
Figure 1-69 Relationship between the NQA client and the NQA server
IP/MPLS
Network
NQA Client NQA Server
You can create multiple TCP or UDP listening services on an NQA server. Each listening
service maps a specific destination address and a port. You can specify the same destination
address and port for multiple services.
After creating an instance and configuring related test parameters, start the NQA test by
running the start command, and then run the display nqa results command to view the test
result.
1.19.2 Mechanism
For an NQA test, both the NQA client and NQA server are involved. The NQA client sends
test requests to the server to initiate the an NQA test. You can use commands to configure
NQA instances or configure the NMS to send relevant configuration instructions to the FW.
Then, the NQA module on the FW places configured NQA instances into proper test queues
for scheduling.
You can immediately start an NQA instance after it is configured or delay the start for a
period of time, or you can set a specific time point in the future for the NQA instance to
automatically start. After an NQA instance starts, test packets are generated based on the test
type of the instance. If the packet size specified during the configuration of the instance is
smaller than the required minimum size of the packets transmitted through the tested protocol,
the minimum packet size takes effect.
After receiving the test request packet from the client, the NQA server returns a response
packet. Then the client timestamps the received response packet with the current local system
time and sends the packet back to the NQA server. After receiving another response packet
from the server, the client calculates the round-trip time (RTT) of the packet.
NOTE
For a Jitter test instance, both the client and the server timestamp the packet with the local system time
of their own. In this way, the client can calculate the jitter time of the packet.
Based on the RTT of the packet, you can learn about the running status of the tested packet.
HTTP Test
An NQA HTTP test is used to test the response speed in three phases. Figure 1-70 shows
these phases.
l DNS resolution: It is the time for the client to receive a DNS resolution packet
containing an IP address after it sends a DNS packet to the resolver for domain name
resolution.
l Setting up a TCP connection: It is the time for the client to set up a TCP connection with
the HTTP server through a three-way handshake.
l Transaction: It is a period from the time at which the client sends a Get or Post packet to
the HTTP server to the time at which a response packet sent by the client reaches the
HTTP server.
Through an HTTP test, the following items can be calculated based on the information in the
packets received by the client:
You can use these statistics to assess HTTP performance over the network.
IP Network
10.1.1.1/24
DNS Server
10.3.1.1/24
DNS Test
A DNS test is used to test the DNS resolution speed. The DNS test uses UDP packets. Figure
1-70 shows the process of a DNS test.
1. The client sends a query packet to the DNS server for domain name resolution.
2. After receiving the query packet, the DNS server returns a response packet to the client.
3. After receiving the response packet, the client calculates the time for DNS resolution
based on the time between the sending of the query packet and the receiving of the
response packet on the client. You can use the test result to assess the DNS performance
over the network.
FTP Test
An FTP test is used to test the response speed of the FTP server when you download a file
from or upload a file to the server. The FTP test uses TCP packets. You can obtain the
response speed in two phases. Figure 1-71 shows the process of an FTP test.
l Setting up and maintaining a control connection: It is the time that the client uses to set
up a TCP control connection with the FTP server through three-way handshake and
interchanges signals through the control connection.
l Setting up and maintaining a data transmission connection: It is the time that the client
uses to download a file from or upload a file to the FTP server through the data
transmission connection.
Through an FTP test, the following items can be calculated based on the information in the
packets received by the client:
l Minimum, maximum, and average time to set up a control connection
l Minimum, maximum, and average time to set up a data transmission connection
You can use these statistics to assess the FTP performance over the network.
TCP Test
A TCP test is used to test the TCP connection rate between a host and a TCP server through a
three-way handshake. Figure 1-72 shows the process of a TCP test.
1. The client (device A) sends a SYN packet to the TCP server (device B).
2. After receiving the TCP SYN packet, the TCP server accepts the request and responds a
SYN-ACK packet.
3. After receiving the SYN-ACK packet, the client returns an ACK packet to the TCP
server. Then, a TCP connection is established.
The client can calculate the TCP connection rate based on the time between the sending
of the SYN packet and the receiving of the ACK packet on the client. You can use the
test result to assess the TCP performance over the network.
UDP Test
A UDP test is used to test the packet transfer rate between a host and a UDP server. Figure
1-72 shows the process of a UDP test.
1. The client (device A) constructs a UDP packet and sends it to the UDP server (device B).
2. After receiving the UDP packet, the UDP server returns the packet to the client.
After receiving the returned packet, the client calculates the packet transfer rate between
the client and the UDP server based on the time between the sending and receiving of the
packet on the client. You can use the test result to assess the UDP performance over the
network.
ICMP Test
An ICMP test is used to test the reachability of the route between the NQA client and NQA
server. The ICMP test is similar to the ping command. However, the output of the test is more
diversified.
A B
Traceroute Test
A Traceroute test is used to detect the forwarding path between the NQA client and a
destination and collect statistics related to the routers along the forwarding path.Figure 1-74
shows the process of a Traceroute test.
1. The client (device A) constructs a UDP packet and sends the packet to the destination
(device B). The TTL of the packet is 1.
2. After the first-hop router (device C) receives the UDP packet, it checks the TTL field
and finds that the TTL is set to 0. Then, device C returns an ICMP Time Exceeded
packet.
3. After the client receives the ICMP Time Exceeded packet, it obtains the IP address of the
first-hop router and re-constructs a UDP packet. The TTL of this packet is 2.
4. After the second-hop router (device D) receives the UDP packet, it checks the TTL of
the packet and finds that the TTL is set to 0. Then, device D returns an ICMP Time
Exceeded packet.
5. The procedure repeats and after the packet reaches the last-hop router, the router returns
an ICMP Port Unreachable packet to the client.
The client can then obtain the forwarding path from the client to the destination and
collect statistics related to each router along the forwarding path based on the ICMP
packet returned by each hop. You can use this statistics to assess the network
performance.
A B
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following as required to set other ICMP test parameters.
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source interface that sends test packets.
source-interface [ interface-type interface-number ]
l Specify the source IP address.
source-address ipv4 ip-address
NOTE
If the destination IP address is in a different network segment from the source IP address, you cannot use
this command. Otherwise, the NQA test fails.
l Set the packet TTL value. ttl value
ttl value
ttl equals the -h option in the ping command.
l Set the type of service (ToS) field in the IP packet header.
tos value
tos equals the -tos option in the ping command.
l Configure padding characters.
datafill string
datafill equals the -p option in the ping command.
l Specify the interval for sending test packets.
interval seconds interval
interval seconds equals the -m option in the ping command.
l Specify the percentage of the failed NQA tests.
fail-percent percent
l Configure the number of probes for one time.
probe-count number
l Configure the test period of the NQA test instance.
frequency interval
NOTE
If the following conditions are met, the Completion field in the test results will be displayed as no
result:
– The system CPU usage exceeds 90% and the configured timeout period is less than 6s.
– frequency configured ≤ (probe-count - 1) x interval + 6.
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
Step 6 Start the NQA test.
start
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l testFlag is inactive
l The test is finished
l Completion:success
[sysname] display nqa results
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2006-8-2 10:7:11.4
Last Packet Loss 0 %
NOTE
NQA test results cannot be automatically displayed on a terminal. You must run the display nqa results
command to view the test results. The command output contains the test results of only the last five
tests.
Context
NOTE
You can configure the FW as a DHCP server. For details, refer to 4 Networks.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name
Step 4 Specify the source interface that sends the DHCP request packet.
source-interface interface-type interface-number
The specified source interface can be an Ethernet interface connected to the DHCP server, an
Eth-Trunk interface, or a VLANIF interface.
Step 5 Optional: Run the following commands to configure other parameters for the DHCP test.
l Set the timeout of the NQA test.
timeout time
NOTE
For the DHCP test, the time between the sending of the probe packet and the receiving of the response
packet may last for 10 seconds. By default, the timeout period is 15 seconds. You are advised to set the
timeout period longer than 10 seconds.
l Set the percentage of the failed NQA test items.
fail-percent percent
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
Context
NOTE
If you set the FTP source port, you must set the FTP destination port at the same time. Ensure both ports
are the same.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following operations as required to configure other parameters of the
FTP Download test:
l Specify the source IP address.
source-address ipv4 ip-address
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the FTP source port.
source-port port-number
l Specify the FTP destination port.
destination-port port-number
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
NOTE
– If no file path is specified, the system searches for the file in the current path. If the specified
file name does not exist, a file is created according to the specified file name, and the size of
the file is set to 1 MB.
– The file name cannot contain characters such as ~, *, /, \, ', ", but the file path can contain these
characters.
– The file name can contain the extension name but cannot contain the extension name only,
such as .txt.
l To upload the file with a specified size, run the ftp-filesize size command. The client
then automatically creates a file named "nqa-ftp-test.txt" for the upload.
NOTE
During the FTP test, select a file with a relatively small size. If the file is large, the test may fail
because of timeout.
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<sysname> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 448 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Context
NOTE
If you set the FTP source port , set the destination port at the same time. Ensure both ports are the same.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the FTP
upload test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source port.
source-port port-number
l Specify the destination port.
destination-port port-number
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
NOTE
– The file name cannot contain characters, such as ~, *, /, \, ', ", but the file path can contain
these characters.
– The file name can include the file name extension but cannot be the file name extension only,
such as .txt.
l Specify the size of the file to be uploaded if necessary.
ftp-filesize size
The client then automatically creates a file named nqa-ftp-test.txt for the upload.
NOTE
During the FTP test, select a file with a relatively small size. If the file is large, the test may fail because
of timeout.
----End
Follow-up Procedure
Run the display nqa results command. If the following items are displayed, the test succeeds.
l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<sysname> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 5120 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Context
Do as follows on the NQA client (HTTP client):
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following operations as required to set other parameters for the HTTP
test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Specify the destination port.
destination-port port-number
NOTE
NOTE
Specify the name of the web page in the http-url deststring [ verstring ] command. Do not use http://
and the domain name. Otherwise, the test may fail.
If the HTTP version is not specified, HTTP1.0 is applied by default. You can set the HTTP version to
HTTP 1.1.
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l "DNSRTT"
l "TCPConnectRTT"
l "TransactionRTT and RTT"
<sysname> display nqa results
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProb:3
Completions: success OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.2.2
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 3 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 7/2/3
TransactionRTT Sum/Min/Max: 11/3/4 RTT Sum/Min/Max: 18/5/7
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Context
Do as follows on the NQA client (DNS client):
Procedure
Step 1 Access the system view.
system-view
Step 3 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
----End
Follow-up Procedure
Run the display nqa results [ admin-name test-name ] command. If the following output is
displayed, the test succeeds.
<sysname> display nqa results
NQA entry(admin, dns) :testFlag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.3.1.1
Min/Max/Average Completion Time: 5/5/5
Sum/Square-Sum Completion Time: 5/25
Last Good Probe Time: 2008-9-27 16:21:42.4
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
test-type traceroute
Step 5 Perform the following operations as required to set other parameters for the Traceroute test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the maximum hop failures.
tracert-hopfailtimes
l Specify the initial TTL and the maximum TTLof the test packets.
tracert-livetime first-ttl first-ttl max-ttl max-ttl
l Set the ToS field in the IP packet header.
tosvalue
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the destination port.
destination-port port-number
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
Step 6 Start the NQA test.
start
----End
Follow-up Procedure
Run the display nqa results command. If the statistics of each hop is displayed, the test
succeeds.
<sysname> display nqa results
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2006-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.5
Destination ip address:10.2.1.2
Context
Do as follows on the NQA server:
Procedure
Step 1 Access the system view.
system-view
NOTICE
The IP address and port listened by the server must be the same as those specified on the
client.
----End
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the UDP
test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Specify the interval for sending test packets.
interval seconds interval
l Specify the percentage of the failed NQA tests.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
The differences between the UDP Public test and the UDP Private test are as follows:
l For UDP Public tests, connection requests are initiated and sent to UDP port 7. You do
not need to specify the destination port on the client. However, you must configure the
server to listen in on UDP port 7.
l For UDP Private tests, you must specify the destination port on the client and enable the
listening service on the server.
----End
Follow-up Procedure
l Run the display nqa results [ admin-name test-name ] command to view the test results
on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.
Run the display nqa results command. If the following output is displayed, the test succeeds.
<sysname> display nqa results
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6
Context
The jitter time refers to the interval for sending two adjacent packets minus the interval for
receiving the two packets.
The process of a Jitter test is as follows:
1. The client sends packets to the destination at a specified interval.
2. After receiving each packet, the server timestamps the packet and returns it to the client.
3. After receiving the returned packet, the client calculates the jitter time based on the time
subtraction between the interval for sending two adjacent packets and the interval for
receiving the two packets.
You can use the maximum, minimum, and average jitter time calculated based on the
information received on the source to assess network performance.
In a Jitter test, you can set the number of packets to be sent consecutively. Through this
setting, you can simulate traffic of certain types within a short period. For example, you can
set 3000 UDP packets to be sent at an interval of 20 milliseconds for the simulation of G711
traffic.
Procedure
Step 1 Access the system view.
system-view
Note that the IP address and port listened by the NQA server must be the same as those
specified on the client.
NOTE
To improve the test accuracy, you can configure the Network Time Protocol (NTP) on both the client
and the server.
----End
Context
NOTE
The system supports the collection of the statistics on the maximum unidirectional transmission delay.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the Jitter
test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Set the number of test packets sent each time.
jitter-packetnum number number
The Jitter test collects statistics on and performs analysis on the transmission delay of the
UDP packets. The system sends multiple test packets for each test to calibrate the
statistics and analysis. The more test packets are sent, the more accurate the statistics and
analysis are. This process, however, is time consuming.
NOTE
The number of the Jitter tests performed depends on the settings in the probe-count command.
The number of test packets sent during each test depends on the settings in the jitter-packetnum
command. During the actual configuration, note that the number of tests being multiplied by the
number of the test packets for each test must be less than 3000.
l Set the interval for sending test packets.
interval { milliseconds interval | seconds interval }
The shorter the interval for sending the Jitter test packets is, the faster the test is
completed. If the interval, however, is set to a very small value, the test result may be
inaccurate.
l Specify the percentage of the failed NQA tests.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
Step 7 Start the NQA test.
start
----End
Follow-up Procedure
The configurations for jitter tests are complete.
l Run the display nqa results command to view the test results on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.
If the following output is displayed, the jitter test succeeds.
<sysname> display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter
1 . Test 1 result The test is finished
SendProbe:100 ResponseProbe:100
Completion :success RTD OverThresholds number:0
OWD OverThresholds SD number:0 OWD OverThresholds DS number:0
Min/Max/Avg/Sum RTT:1/13/2/211 RTT Square Sum:589
NumOfRTT:100 Drop operation number:0
NOTE
If the delay for the source end to send packets is longer than that for the destination end to receive
packets, the jitter is a negative value.
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Perform the following operations as required to set the general parameters:
l Specify the description of the instance.
description string
l Specify the timeout period of the test.
timeout time
l Specify the number of probe packets sent during each test.
probe-count number
NOTE
The number of probe packets for each test does not apply to FTP and DNS tests.
l Specify the NQA test interval.
frequency interval
l Prohibit packet fragmentation.
set-df
NOTE
----End
Follow-up Procedure
The configurations of general NQA test parameters are complete.
l Run the display nqa-agent,to display the configured general parameters on the NQA
client.
<sysname> display nqa-agent
NQA Tests Max:2000 NQA Tests Number: 2
NQA Flow Max:1000 NQA Flow Remained:1000
nqa test-instance a a
test-type pwe3trace
local-pw-id 1
vc-type bgp
nqa status : normal
nqa test-instance a b
test-type icmpjitter
destination-address ipv4 10.1.1.201
source-address ipv4 10.1.1.200
hardware-based enable
ttl 100
tos 100
timeout 20
nqa status : normal
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
----End
Follow-up Procedure
l Run the display nqa-agent [ admin-name operation-tag ] [ verbose ] command to
display the configured round-trip delay threshold on the NQA client.
<sysname> diplay nqa-agent test jitter verbose
1 NQA entry(admin, icmp):
test type:icmp current flag:inactive
current status:finished current completion:success
start at : no start time end at : no end time
nqa status : normal
configuration :
test-type icmp
threshold rtd 2
send-trap rtd
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Enable the trap function for the FW to send trap messages if a test fails.
send-trap
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Enable the trap function for the FW to send trap messages when a probe fails.
send-trap probefailure
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Enable the trap function for the FW to send a trap message after the NQA test is complete.
send-trap testcomplete
----End
Context
NOTICE
Restarting an NQA test instance interrupts the running of the test.
To restart an NQA test instance, run the following command in the NQA test instance view.
Context
NOTICE
NQA statistics cannot be restored after you clear them. Therefore, confirm the action before
you use the command.
To clear NQA statistics, run the following command in the NQA view.
Context
Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the display of terminal information and
terminal debugging messages, so that the debugging messages can be displayed on the
terminal.
NOTICE
Enabling the debugging affects system performance. Therefore, after debugging, you must
run the undo debugging all command to disable the debugging function.
Networking Requirements
As shown in Figure 1-75, FW_A functions as the NQA client to test whether FW_B is
routable.
GE1/0/1 GE1/0/1
10.1.1.1/24 10.1.1.2/24
NQA agent
Configuration Roadmap
1. Perform an ICMP test to check whether the packet sent by FW_A can arrive atFW_B
and obtain the round-trip time (RTT) of the packet.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Start the NQA client and create an ICMP test.
<FW_A> system-view
[FW_A] nqa test-instance admin icmp
[FW_A-nqa-admin-icmp] test-type icmp
[FW_A-nqa-admin-icmp] destination-address ipv4 10.1.1.2
----End
Result
[FW_A-nqa-admin-icmp] display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2009-8-2 10:7:11.4
Networking Requirements
As shown in Figure 1-76,
l FW_B functions as the DHCP server.
l Performing a DHCP test is required to obtain the time that the DHCP server to assign an
IP address to the client (FW_A).
GE1/0/1 GE1/0/1
10.2.1.1/24 10.2.1.2/24
NQA agent DHCP Server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure FW_A as the NQA client.
2. Create a DHCP instance and perform the DHCP test on FW_A to check whether FW_A
can set up a connection with FW_B and obtain an IP address from FW_B.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Enable the NQA client and create a DHCP instance.
<FW_A> system-view
[FW_A] undo dhcp enable
[FW_A] nqa test-instance admin dhcp
[FW_A-nqa-admin-dhcp] test-type dhcp
[FW_A-nqa-admin-dhcp] source-interface GigabitEthernet 1/0/1
[FW_A-nqa-admin-dhcp] timeout 20
----End
Result
[FW_A-nqa-admin-dhcp] display nqa results test-instance admin dhcp
NQA entry(admin, dhcp) :testFlag is active ,testtype is dhcp
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.3
Min/Max/Average Completion Time: 1020/1040/1030
Sum/Square-Sum Completion Time: 3090/3182900
Last Good Probe Time: 2011-1-19 16:15:12.2
Networking Requirements
As shown in Figure 1-77, FW_A serves as the NQA client, and FW_B serves as the FTP
server. FW_A logs in to FW_B for downloading a test file.
GE1/0/1 GE1/0/1
10.1.1.1/24 10.1.1.2/24
FTP Client FTP Server
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure FW_A as the NQA client.
2. Create an FTP instance and start the test on FW_A to check whether FW_A can set up a
connection with the FTP server and obtain the time that FW_A uses to download the test
file from the FTP server.
Procedure
Step 1 Set IP addresses.
# Set IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure FW_B as the FTP server.
[FW_B] ftp server enable
[FW_B] aaa
[FW_B-aaa] manager-user user1
[FW_B-aaa-manager-user-user1] password
Enter Password:
Confirm Password:
[FW_B-aaa-manager-user-user1] level 3
[FW_B-aaa-manager-user-user1] service-type ftp
[FW_B-aaa-manager-user-user1] ftp-directory hda1:/
[FW_B-aaa-manager-user-user1] quit
[FW_B-aaa] quit
----End
Result
After the test, you can run the display nqa results admin command to view the test result.
[FW_A-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 86 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 50/50/50
DataConnTime Min/Max/Average: 20/20/20
SumTime Min/Max/Average: 70/70/70
Networking Requirements
As shown in Figure 1-78, FW_A serves as the FTP client and tests the speed of uploading a
file to the FTP server (FW_C).
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
# Set IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/2] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between FW_A and FW_C. The detailed procedure is omitted.
Step 5 Create an FTP instance on FW_A and create a 10 KB file for uploading.
<FW_A> system-view
[FW_A] nqa test-instance admin ftp
[FW_A-nqa-admin-ftp] test-type ftp
[FW_A-nqa-admin-ftp] destination-address ipv4 10.2.1.2
[FW_A-nqa-admin-ftp] source-address ipv4 10.1.1.1
[FW_A-nqa-admin-ftp] ftp-operation put
[FW_A-nqa-admin-ftp] ftp-username user1
[FW_A-nqa-admin-ftp] ftp-password hello@123
[FW_A-nqa-admin-ftp] ftp-filesize 10
----End
Result
l You can run the display nqa resultsadmin ftp command on FW_A to view the test
result.
[FW_A-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is
finished
SendProbe:1 ResponseProbe:
1
Completion :success RTD OverThresholds number:
0
MessageBodyOctetsSum: 86 Stats errors number:
0
Operation timeout number: 0 System busy operation number:
0
Drop operation number:0 Disconnect operation number:
0
CtrlConnTime Min/Max/Average:
50/50/50
DataConnTime Min/Max/Average:
20/20/20
SumTime Min/Max/Average: 70/70/70
Networking Requirements
As shown in Figure 1-79, the FW connects to the HTTP server through the WAN. Perform an
HTTP test to test the response speed of the HTTP server.
FW
IP Network
GE1/0/1
10.1.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP address.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
----End
Result
After the test, you can run the display nqa resultsadmin http command to view the test
result.
[FW-nqa-admin-http] display nqa results test-instance admin http
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProbe:0
Completions: failed RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.1.1
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 0 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 0/0/0
TransactionRTT Sum/Min/Max: 0/0/0 RTT Sum/Min/Max: 0/0/0
DNSServerTimeout:0 TCPConnectTimeout:3 TransactionTimeout: 0
Networking Requirements
As shown in Figure 1-80, theFW functions as a DNS client and accesses the host at
10.2.1.1/24 using domain name example.com.
FW
IP Network
GE1/0/1
10.1.1.1/24
DNS Server
10.3.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the FW as the NQA client.
2. Create a DNS instance and start the test on theFW to check whether theFW can set up a
connection with the DNS server and obtain the speed that the DNS server responds to an
address resolution request.
Procedure
Step 1 Set the IP address.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between the FW, the DNS server, and the host to be accessed.
(The detailed procedure is omitted.)
Step 4 Create a DNS instance.
<FW> system-view
[FW] dns server 10.3.1.1
[FW] nqa test-instance admin dns
[FW-nqa-admin-dns] test-type dns
[FW-nqa-admin-dns] dns-server ipv4 10.3.1.1
[FW-nqa-admin-dns] destination-address url example.com
----End
Result
After the test, you can run the display nqa resultsadmin dns command to view the test
result.
Networking Requirements
As shown in Figure 1-81, FW_A connects to FW_C through FW_B and serves as the NQA
client. Perform the traceroute test on FW_A to trace the routing path to GigabitEthernet 1/0/1
on FW_C.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure FW_A as the NQA client.
2. Create a traceroute instance and perform the traceroute test on FW_A to obtain the
statistics on each hop along the path fromFW_A to FW_C.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/2] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure reachable routes between FW_A and FW_C. (The detailed procedure is omitted.)
Step 4 Create a traceroute instance on FW_A and set the destination IP address of the test packets to
10.2.1.2.
<FW_A> system-view
[FW_A] nqa test-instance admin trace
[FW_A-nqa-admin-trace] test-type trace
[FW_A-nqa-admin-trace] destination-address ipv4 10.2.1.2
----End
Result
After the test, you can run the display nqa resultsadmin trace command on FW_A to view
the test result.
[FW_A-nqa-admin-trace] display nqa resultsadmin trace
[FW_A-nqa-admin-trace] display nqa results test-instance admin trace
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2009-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.5
Destination ip address:10.2.1.2
Networking Requirements
As shown in Figure 1-82, FW_A connects to FW_C through FW_B. Start an UDP Public test
to test the round-trip time of the UDP packet transmitted between FW_A and FW_C.
Item Data
Configuration Roadmap
1. FW_A functions as the NQA client and FW_C functions as the NQA server.
2. Configure the listening port on the NQA server and create a UDP test instance on the
NQA client.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the FW_A.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[FW_A-GigabitEthernet1/0/2] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between FW_A and FW_C. (The detailed procedure is omitted.)
# Set the IP address and port that the NQA server listens in on.
<FW_C> system-view
[FW_C] nqa-server udpecho 10.2.1.2 6000
----End
Result
After the test, you can run the display nqa resultsadmin udp command to view the test
result.
[FW_A-nqa-admin-udp] display nqa results test-instance admin udp
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6
1.19.17.2 Specifications
This section provides the specifications of the NQA.
Function Specifications
Function Sub-function Supported or Not
Upload
Test Client
Test Client
Test Client
Round-Trip - All
Delay Thresholds
l RFC 1905: Protocol Operations for Version 2 of the Simple Network Management
Protocol (SNMPv2)
l RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network
Management Protocol (SNMPv3)
l RFC793\RFC862: Echo Protocol
l RFC 1393: Traceroute Using an IP Option
2 High Availability
This section describes what high availability is and how to configure it.
2.1.1 Overview
This section provides the background and definition of hot standby.
Nowadays, non-stop forwarding (NSF) is becoming increasingly crucial with the exponential
development of such services as mobile office, online shopping, IM, e-finance, and e-
education on networks.
As shown in the left figure in Figure 2-1, the FW is deployed at the enterprise network egress
to forward intranet and extranet service traffic. A single point of failure on the FW will
interrupt services between the intranet and extranet.
Therefore, in network architecture design, key places on the network usually require two
network devices for high availability. As shown in the right figure in Figure 2-1, when one
FW fails, another FW takes over services to ensure service continuity.
Router
Firewall
Switch
Intranet user
Fault
Traffic
For traditional network devices, such as routers and Layer-3 switches, you need only to back
up routes on the two devices to ensure high availability.
FWs are stateful inspection devices that completely check the first packet of each flow and set
up sessions to record packet status information (such as quintuples). Subsequent packets of
each flow can pass FWs only when matching sessions. Therefore, when network devices are
FWs, you need to additionally configure status information (such as sessions) backup.
The hot standby function of the FW perfectly resolves this problem.
As shown in Figure 2-2, the hot standby function provides a dedicated backup channel for
status negotiation and status information and configuration command backup between the
FWs.
Hot standby can be deployed in two modes: active/standby backup and load balancing.
In active/standby mode, as shown in Figure 2-2, the active FW processes services, and the
standby FW stays in standby state. If a fault occurs on the interface or link of the active FW or
the active FW is faulty, the standby FW becomes active and takes over services.
R2 R2
Subsequent packets
The first SYN packet matches the session on
sets up a session on FW_B, and no service
FW_A. interruption occurs.
Session Session
backup backup
R1 R1 Fault
Heartbeat link
As shown in Figure 2-3, load balancing means that two FWs serve as backup for each other
and both process services. When one FW is faulty, the other FW takes over all the services.
After active/standby
switchover,
subsequent FTP
R2 R2 and HTTP packets
match sessions on
FW_B, and no
Set up an FTP Set up an HTTP
service interruption
session on FW_A Mutual session session on FW_B Session
occurs.
backup backup
R1 R1
Fault
Heartbeat link
Backup traffic
FTP traffic
HTTP traffic
Figure 2-4 Networking diagram of in-line deployment when service interfaces work at
Layer 3 and connect to switches
Internet
Switch3 Switch4
Layer-3 Layer-3
interface interface
FW_A FW_B
Layer-3 Layer-3
interface interface
Switch1 Switch2
Intranet
Based on Figure 2-4, you can connect the upstream and downstream interfaces on
FW_A respectively to Switch4 and Switch2 and the upstream and downstream interfaces
on FW_B respectively to Switch3 and Switch1.
In this way, a full redundancy hot standby network is deployed, as shown in Figure 2-5.
Full redundancy hot standby improves network availability and service continuity in case
multiple links fail. For example, when GE1/0/1 and GE1/0/2 on FW_A and GE1/0/1 on
FW_B become faulty, service traffic can be forwarded through GE1/0/2 on FW_B.
Switch3 Switch4
GE1/0/2 GE1/0/2
GE1/0/1 GE1/0/1
FW_A FW_B
Switch1 Switch2
Figure 2-6 Networking diagram of in-line deployment when service interfaces work at
Layer 3 and connect to routers
Router3 Router4
OSPF
Layer-3 Layer-3
interface interface
FW_A FW_B
Layer-3 Layer-3
interface interface
OSPF
Router1 Router2
In transparent deployment, the service interfaces of the two FWs work at Layer 2 and connect
the two FWs to upstream and downstream devices in transparent mode. The FWs do not
participate in route calculation. You can directly add them to an existing network without
modifying configurations on upstream and downstream devices.
Figure 2-7 Networking diagram of transparent deployment when service interfaces work
at Layer 2 and connect to switches
Switch3 Switch4
Layer-2 Layer-2
interface interface
FW_A FW_B
Layer-2 Layer-2
interface interface Traffic flow when the
network is normal
Traffic flow when a
fault occurs
Switch1 Switch2
Heartbeat link
Figure 2-8 Networking diagram of transparent deployment when service interfaces work
at Layer 2 and connect to routers
Router3 Router4
OSPF
Layer-2 Layer-2
interface interface
FW_A FW_B
Layer-2 Layer-2
interface interface
Traffic forwarded by FW1
OSPF Traffic forwarded by FW2
Router1 Router2 Heartbeat link
Figure 2-9 Networking diagram for connecting the FWs to Layer-3 devices in off-line
mode
Internet
Heartbeat link
Layer-3 switch
Intranet
PC
Figure 2-10 Networking diagram for connecting the s to Layer-2 devices in off-line
mode
Internet
Heartbeat link
Layer-2 switch
FW_A FW_B
PC Intranet
As shown in Figure 2-10, this networking works similarly as the in-line deployment
where the FWs connect to Layer-2 devices.
2.1.3 Mechanism
This section describes the mechanism of hot standby.
2.1.3.1 VRRP
This section describes the basic concepts and problems of Virtual Router Redundancy
Protocol (VRRP).
Basic Concepts
VRRP enables a standby router to automatically replace a faulty active router (default
gateway) to forward packets, ensuring service continuity and availability.
As shown in Figure 2-11, the downstream interfaces of a group of routers on a LAN are
added to a VRRP group. The VRRP group works as a virtual router with its own virtual IP
and MAC addresses. The MAC address is in the format of 00-00-5E-00-01-{VRID}. (The
VRID is the ID of the VRRP group.)
On hosts on the LAN, the default gateway address can be set to the virtual IP address of the
VRRP group. These hosts seem to communicate with the Internet through the virtual router.
The VRRP group status depends on the priority specified by the administrator. The one with
the highest priority is the active group, and others are standby groups.
The VRRP group status determines the status of the router. The router whose VRRP group
status is active is the active router, and the other router is the standby router.
When the active router works properly, hosts on the LAN communicate with extranets
through the active router. When the active router fails, the backup router becomes the new
active router and takes over services.
Router1 Router2
Active Standby
Priority: 110 Priority: 100
Virtual router
(VRRP group 1) GE1/0/1 GE1/0/1
Virtual IP address: 10.1.1.3/24 10.1.1.1/24 10.1.1.2/24
Virtual MAC address: 00-00-5E-00-01-01
Host
Problems
Running VRRP on downstream interfaces ensures gateway availability. What if VRRP runs
on both upstream and downstream interfaces of the gateway?
As shown in Figure 2-12, the downstream interfaces of the two routers (gateways for intranet
and extranet users) are added to VRRP group 1, upstream interfaces are added to VRRP group
2. In normal cases, VRRP groups 1 and 2 of Router1 are both active. Router1 is the active
router in both groups, and all service traffic between the intranet and extranet is forwarded
through Router1.
PC2
Internet
LSW2
VRRP group 2
GE1/0/3 GE1/0/3
Virtual IP address: 1.1.1.1/24
Master Backup
Router1 Router2
LSW1
Eth0/0/2
Eth0/0/1
MAC address Port
Gateway address 00-00-5E-00-01-01 Eth0/0/1
of PC1:
10.1.1.1/24
Intranet
Internet access traffic
Return traffic
As shown in Figure 2-13, if GE1/0/1 on Router1 becomes faulty, VRRP group 1 of Router1
enters the Initialize state, and VRRP group 1 of Router2 enters the active state. Router2
becomes the active router in VRRP group 1 and sends gratuitous ARP packets to LSW1 to
refresh the MAC address entries on LSW1. In this case, packets from PC1 to PC2 (Internet
access packets) are forwarded by Router2. However, the link between Router1 and LSW2 is
normal. Therefore, the status of VRRP group 2 does not change. That is, Router1 is still the
active router in VRRP group 2. Packets from PC2 to PC1 is still forwarded to Router1.
However, Router1 discards the packets because GE1/0/1 is faulty, causing service
interruption.
Figure 2-13 Multiple VRRP groups being independent from each other
PC2
Internet
LSW2
VRRP group 2
GE1/0/3 Virtual IP address: GE1/0/3
Master 1.1.1.1/24 Backup
Router1 Router2
LSW1
Eth0/0/2
Eth0/0/1
MAC address Port
Gateway address 00-00-5E-00-01-01 Eth0/0/1
of PC1:
10.1.1.1/24
Intranet
Internet access traffic
Return traffic
The cause of the problem is that VRRP groups are independent from each other. Status
synchronization cannot be implemented when multiple VRRP groups exist on one device.
2.1.3.2 VGMP
This section describes the mechanism of VGMP and its usage in resolving VRRP problems.
All VRRP groups on the FW are added to a VGMP group for centralized status monitoring
and management. When detecting a status change in one VRRP group, the VGMP group
forces all VRRP groups to perform status switchover, ensuring the status consistency between
them.
As shown in Figure 2-14, VRRP groups 1 and 2 on FW_A are active and added to the active
VGMP group. VRRP groups 1 and 2 on FW_B are standby and added to the standby VGMP
group. In this case, FW_A is the active router in VRRP groups 1 and 2 (active device between
the two FWs), and FW_B is the standby router in VRRP groups 1 and 2 (standby device
between the two FWs). Therefore, all upstream and downstream traffic will be diverted to
FW_A.
PC2
Internet
Eth0/0/1 Eth0/0/2
VGMP VGMP
FW_A Active Standby FW_B
GE1/0/1 GE1/0/1
VRRP group 1
Active Standby
10.1.1.1/24
Eth0/0/1 Eth0/0/2
MAC address Port
00-00-5E-00-01-01 Eth0/0/1
Gateway
address of PC1:
10.1.1.1/24 Intranet
As shown in Figure 2-15, when an interface on FW_A becomes faulty, VGMP forces VRRP
groups to change status as follows:
1. When GE1/0/1 on FW_A fails, VRRP group 1 on it changes from active to initialize.
2. The VGMP group on FW_A senses the fault, decreases its priority, and compares
priority with the VGMP group on FW_B to negotiate active/standby status.
3. After negotiation, the VGMP group on FW_A becomes standby, and the one on FW_B
becomes active.
4. Meanwhile, the VGMP group on FW_A forces its VRRP group 2 to enter the standby
state, and the one on FW_B forces its VRRP groups 1 and 2 to enter the standby state. In
so doing, FW_B becomes the active router in VRRP groups 1 and 2 (active device
between the two FWs), and FW_A becomes the standby router in VRRP groups 1 and 2
(standby device between the two FWs).
5. FW2 sends gratuitous ARP packets to LSW1 and LSW2 to update their MAC address
forwarding tables, so that forward and return packets are forwarded to FW2. In this way,
the status of VRRP groups centrally switches over, preventing service interruption.
PC2
Internet
GE1/0/1
GE1/0/1 VRRP group 1
Active
Initialize 10.1.1.1/24
Eth0/0/1 Eth0/0/2
MAC address Port
00-00-5E-00-01-01 Eth0/0/2
Gateway
address of PC1:
10.1.1.1/24
Intranet
VGMP Overview
As shown in Figure 2-16, each FW has a VGMP group. Each VGMP group can be in any of
the following statuses:
l Initialize: It is the temporary initial status of a VGMP group after hot standby is
enabled.
l Load Balance: When the priorities of the local and peer VGMP groups are the same,
both VGMP groups are in Load Balance state.
l Active: When the priority of the local VGMP group is higher than that of the peer
VGMP group, the local VGMP group is in Active state.
l Standby: When the priority of the local VGMP group is lower than that of the peer
VGMP group, the local VGMP group is in Standby state.
After two FWs are deployed in hot standby mode, the VGMP groups on them have the same
priority, and both are in Load Balance state. In this case, the two FWs are in load balancing
state.
You can configure the active/standby status using VRRP configuration or by manually
designate the standby device.
The VRRP configuration method applies to networks where the FW connects to Layer-2
switches, and the manual designation method applies to other networks.
Figure 2-17 VGMP groups temporarily in standby state after being enabled
VGMP
packet
2. As shown in Figure 2-18, after receiving the VGMP packets from the peer ends, the
VGMP groups compare priorities and find that their priorities are the same. Therefore,
both enter the Load Balance state. In this way, the two FWs form a load balancing
network.
3. As shown in Figure 2-19, you can designate FW_B as the standby device.
FW_A learns about FW_B's standby status from the VGMP packets regularly sent by
FW_B.
Then FW_A is the active device that forwards downstream and upstream traffic. The two
FWs form an active/standby backup network.
hrp standby-device
packet
Status: Load Status: Load
Balance Balance
Priority: 49004 Priority: 49004
VGMP
packet
4. As shown in Figure 2-20, if a service interface on FW_A fails, the VGMP group on
FW_A decreases its priority by 2.
After priority comparison, FW_A switches to the standby state and immediately sends a
VGMP packet to FW_B to inform its status and priority change.
After receiving the VGMP packet, FW_B performs priority comparison and switches to
the active state.
In this way, FW_B is active, and FW_A is standby. FW_B diverts and forwards
upstream and downstream traffic.
Figure 2-20 Active/Standby switchover when an interface becomes faulty on the active
FW
If the FW_A (active device) fails, the VGMP group on FW no long sends HRP heartbeat
packets. If the VGMP group on FW_B (standby device) cannot receive HRP heartbeat
reply packets in 5 consecutive attempts, it considers the peer as faulty and switches to the
active state.
5. As shown in Figure 2-21, when a service interface on FW_A (original active device)
recovers from a fault, the priority of the VGMP group on FW_A increases.
The VGMP group on FW_A compares priorities and find that the priority of the VGMP
group on FW_B is the same. If preemption is configured, the preemption delay will be
enabled in this case. After the preemption delay times out, the VGMP group on FW_A
switches to the load balance state and immediately sends a VGMP packet to FW_B to
inform its status and priority change.
After receiving the VGMP packet, FW_B performs priority comparison and switches to
the load balance state.
FW_B is the designated standby device. Therefore, FW_A and FW_B regularly
exchange VGMP packets to confirm each other's identity. That is, FW_A will become
the active device, and FW_B will become the standby device again.
Figure 2-21 Original active FW recovering from a fault and becoming active again
through preemption
In conclusion, after VGMP status switchover, the active VGMP group diverts and forwards
traffic. The traffic diversion method varies depending on networks. For details on its
configuration method and mechanism, see 2.1.4 Analysis of Typical Hot Standby Networks.
You can define various VGMP and HRP packets by setting the Type field in packet headers:
l VGMP packets: used to exchange VGMP group information and negotiate active/
standby status between two FWs.
l HRP heartbeat packets: used to detect whether the peer device is working.
l HRP data packets: used to back up data, including command line configuration and
status information, between the active and standby devices.
l HRP link detection packets: used to detect whether peer heartbeat interfaces can receive
packets from the local end to determine whether any peer heartbeat interface is available.
l Consistency check packets: used to check whether the two FWs in hot standby mode
have the same policy configurations.
This section describes the VGMP and HRP heartbeat packets. The next section will deliberate
on the rest three types of packets.
The VGMP groups of the two FWs exchange VGMP packets regularly (at one second
intervals). The local VGMP group compares the local information with the peer information
to determine whether the device status is stable and whether a switchover is required.
Besides, VGMP packets are also sent in the following conditions:
l The hot standby function is enabled or disabled.
l The priority increases or decreases.
l The preemption times out.
l Link detection packets time out.
The two VGMP groups regularly exchange VGMP packets. Therefore, both know each
other's priority and status. When an interface or a link of one FW fails, the local VGMP group
priority decreases and compares with the peer VGMP group priority recorded locally. If the
local VGMP group priority is lower, the local VGMP group switches to the standby state and
sends a VGMP packet to the peer to inform its status and priority change.
The Data part of a VGMP packet includes the following contents:
l Whether the local device is busy: If the local device is busy in loading patches or
accelerating policies, it may fail to send heartbeat packets. Therefore, it request the peer
not to switch status for failures in receiving heartbeat packets.
l Whether the local device needs to send gratuitous ARP packets: If the local device has a
VRRP group configured and its status is active, it needs to send gratuitous ARP packets
to upstream and downstream devices to declare its active status and divert and forward
traffic.
l Local VGMP group status
l Priority of the peer VGMP group
l Status designated by the administrator: If hrp standby-device is run on the local device,
the local device is the standby device.
l Whether manual switchover is performed: If hrp switch {active | standby} is run on the
local device, the local device is forced to be the active or standby device. If it is forced to
be the active device, it diverts and forwards traffic; if it is forced to be the standby
device, the peer device diverts and forwards traffic.
Active
7 4
2
Load
Initialize 6 5 Balance
0 1
8 3
Standby
As shown in Figure 2-23, the VGMP status machine switches status as follows:
1. After hot standby is enabled, the VGMP group enters the standby state.
2. If the local device is working and finds that the local VGMP group priority is the same
as the peer VGMP group priority (the peer VGMP group is also in standby state), the
local VGMP group switches to the load balance state. If the local device recovers from a
fault and finds that the local VGMP group priority is the same as the peer VGMP group
priority (the peer VGMP group is in active state) and preemption is configured, the local
VGMP group switches to the load balance state from the standby state after the
preemption delay times out.
3. If the peer device fails and the local VGMP group finds that its priority is higher than
that of the peer end, it switches to the active state.
4. If the local device fails and the local VGMP group finds that its priority is lower than
that of the peer end, it switches to the standby state.
5. If the peer device recovers from a fault and has preemption configured, the local VGMP
group finds that its priority is the same as that of the peer VGMP group, it switches to
the load balance state. If the heartbeat link recovers from fault (it can receive heartbeat
packets from the peer), the local VGMP group finds that its priority is the same as that of
the peer VGMP group, it also switches to the load balance state.
6. If the peer device fails or recovers from a fault and the local VGMP group finds that its
priority is lower than that of the peer end, it switches to the standby state.
7. If the peer device fails and the local VGMP group finds that its priority is higher than
that of the peer end, it switches to the active state. If the heartbeat link becomes faulty (it
cannot receive heartbeat packets from the peer), the local VGMP group switches to the
active state.
8. Disable hot standby.
9. Disable hot standby.
10. Disable hot standby.
2.1.3.3 HRP
This section describes the mechanism of HRP.
Function
The FW delivers various functions based on the configuration commands on the CLI or web
UI. If the configuration commands are not synchronized to the standby FW before an active/
standby switchover, the standby FW fails to provide required functions, causing service
interruption.
To ensure the smooth failover between two FWs, key configuration commands and session
status information must be synchronized between them in advance.
For this reason, Huawei FW uses Huawei Redundancy Protocol (HRP) to synchronize key
configuration commands and session status information between two FWs.
On load balancing networks, the two FWs are active. Therefore, if both FWs synchronize
commands to each other, command overwrite or conflict problems may occur. To centrally
manage the configurations of the two FWs, you need to configure the designated active and
standby devices.
On load balancing networks, the sender of the configuration backup command is the
designated active device (identified by HRP_M), and the receiver is the designated standby
device (identified by HRP_S).
Configuration commands can be synchronized only from the designated active device to the
designated standby device, and status information is mutually backed up between the two
devices.
On load balancing networks, the FW with a smaller sysname American Standard Code for
Information Interchange (ASCII) character is the designated active device. For example, when
FW_A and FW_B share load, FW_A is the designated active device.
Mechanism
The FWs exchange HRP data packets to synchronize configuration and status information
through the heartbeat link.
1. When sending HRP data packets, FW_A writes the ID of the feature module (ASPF
module in this example) into the usSrcModuleID and ulDstModuleID fields and
encapsulates the feature module configuration and entry information into the HRP data
packets.
2. FW_A sends the HRP data packets to FW_A through the heartbeat link.
3. After receiving the HRP data packets, FW_B sends the configuration and entry
information to the local feature module based on the usSrcModuleID and
ulDstModuleID fields and delivers the configurations and entries.
FW_A FW_B
HRP data
packet
Backup tunnel
l Policies: security, NAT, bandwidth management policies, attack defense, blacklist, and
ASPF
l Objects: address, region, service, application, user, authentication server, time range,
signature, and security configuration profile (such as antivirus and intrusion prevention
profiles)
l Network: new logical interface, security zone, DNS, and IPSec
To conclude, the FW cannot back up basic network configurations, such as interface addresses
or routes. Therefore, you need to configure them before the hot backup status is set up. The
preceding supported configurations need only to be configured on the active FW after the hot
backup status is set up.
l Session table
l Server map
l Static ARP table
l Blacklist
l Whitelist
l PAT-based port mapping table
l NO-PAT-based address mapping table
l Layer-2 forwarding table (static MAC backup)
l AAA user table (default user admin is not backed up)
l PKI certificate, CRL
l IPSec
– IKE and IKEv2 SAs
– Batch tunnel backup
– Real-time backup of tunnels and sequence numbers
l Automatic backup
By default, automatic backup is enabled on the FW to automatically back up
configuration commands in real time and status information regularly. This backup
method applies to various hot standby networks.
After automatic backup is enabled, any command that can be backed up and that is run
on the designated active device is immediately synchronized to the designated standby
device.
If you run a command that does not support backup on the designated active device, it is
not synchronized to the designated standby device.
On the designated standby device, you can configure only configuration commands that
do not support backup, but not those that support backup.
After automatic backup is enabled, the designated active device can synchronized status
information to the designated standby device regularly but not immediately.
The following types of session cannot be backed up in automatic backup (but can be
backed up in quick session backup):
– Sessions created by traffic destined for the FW, for example, sessions created by
administrator login to the FW
Heartbeat interface
HRP Data packet
l invalid: The local heartbeat interface is incorrectly configured (the physical status is UP
and protocol status is DOWN). For example, the heartbeat interface is a Layer-2
interface, or no IP address is configured for the heartbeat interface.
l down: The physical and protocol statuses of the local heartbeat interface are both
DOWN.
l peerdown: The local heartbeat interface (physical and protocol statuses are both UP)
cannot receive heartbeat link detection reply packets from the peer heartbeat interface. In
this case, the FW sets the status of the local heartbeat interface to peerdown. Even so,
the local heartbeat interface continues sending heartbeat link detection packets and
expects to resume the heartbeat link when the peer heartbeat interface is brought up .
l ready: The local heartbeat interface (physical and protocol statuses are both UP)
receives heartbeat link detection reply packets from the peer heartbeat interface. In this
case, the FW sets the status of the local heartbeat interface to ready, indicating that it is
ready to send and receive heartbeat packets. Besides, it continues sending heartbeat link
detection packets to keep the heartbeat link status.
l running: When multiple local heartbeat interfaces are in ready state, the FW sets the
status of the first configured one to running. If only one interface is in ready state, the
FW sets its status to running. The running interface is used to send and receive HRP
heartbeat packets, HRP data packets, HRP consistency check packets, and VGMP
packets.
Other local heartbeat interfaces in ready state serve as backups and take up services in
sequence (based on the order of configuration) when the running heartbeat interface or the
heartbeat link fails.
Among the heartbeat links shown in Figure 2-26, their interface IDs indicate the order of
configuration. Therefore, when GE1/0/2 fails and GE1/0/3 and GE1/0/4 are both in ready
state, GE1/0/3 switches to the running state.
Interface
Heartbeat link
HRP heartbeat link
detection packets
HRP data packets
To conclude, heartbeat link detection packets are used to detect whether the peer heartbeat
interface can receive packets and determine whether the heartbeat link is available. The local
heartbeat interface sends heartbeat link detection packets as long as its physical and protocol
statuses are UP.
As described in previous sections, HRP heartbeat packets are used to detect and sense whether
the peer device (peer VGMP group) is working properly. These packets can be sent only by
the running heartbeat interface in the VGMP group on the active device.
The hot standby configurations to be checked include whether the same service interfaces are
monitored and whether the same heartbeat interfaces are configured on the two FWs.
The policy configurations to be checked include whether the same policies (such as security,
bandwidth, NAT, authentication policies) are configured on the two FWs.
1. After the HRP consistency check command is configured on a FW, the FW sends an
HRP consistency check request packet to the peer end and collect a configuration
information digest of local related modules.
2. After receiving the request packet, the peer end collects a configuration information
digest of local related modules and encapsulates it into the reply packet.
3. The local end compares its and the peer end's configuration information digests and
records the comparison information. You can run display hrp configuration check to
check the consistency check result.
Active/Standby Backup
Figure 2-27 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to switches
Next-hop address of
the router: 1.1.1.1/24
GE1/0/3 GE1/0/3
Status: Status:
Active VRRP group 2 Standby
Virtual IP address:
Active 1.1.1.1/24 Active
NGFW_A NGFW_B
VRRP group 1
GE1/0/1 GE1/0/1
Virtual IP address:
Status: Status:
10.1.1.1/24
Active Standby
Virtual MAC address:
ARP reply packet 0000-5e00-0101
0000-5e00-0101
Eth0/0/2
Eth0/0/1 MAC address Port
0000-5e00-0101 Eth0/0/1
Gateway
address of the
PC: 10.1.1.1/24
Intranet VRRP group
Service traffic
ARP reply
Heartbeat link
As shown in Figure 2-27, a VRRP group is configured on each service interface of FW_A,
and its status is set to active. a VRRP group is configured on each service interface of FW_B,
and its status is set to standby. The virtual IP address of the corresponding VRRP group is
configured as the gateway address of the PC on the intranet.
The analysis on network operating is as follows:
1. The PC sends an ARP packet to the directly connected switch for requesting the MAC
address of the gateway (address of VRRP group 1). The switch broadcasts the ARP
packet.
2. Only FW_A whose VRRP group is in active state responds to the ARP packet and sends
the virtual MAC address of VRRP group 1.
3. The switch records the mapping between the virtual MAC address and Eth0/0/1 and
sends the MAC address to the PC.
4. The PC sends a service packet with the virtual MAC address of VRRP group 1 as the
destination address to the switch.
5. Based on the mapping between the MAC address and port, the switch sends the packet to
FW_A from Eth0/0/1.
Normally, the traffic sent from the PC is forwarded by FW_A (active device).
Next-hop address of
the router: 1.1.1.1/24
GE1/0/3 GE1/0/3
Status: Standby VRRP group 2 Status: Active
Virtual IP address:
Standby 1.1.1.1/24 Active
NGFW_A NGFW_B
VRRP group 1
GE1/0/1
Virtual IP address: GE1/0/1
Status: Standby
10.1.1.1/24 Status: Active
Virtual MAC address:
0000-5e00-0101 Gratuitous ARP packet
0000-5e00-0101
Eth0/0/2
Eth0/0/1 MAC address Port
0000-5e00-0102 Eth0/0/2
Gateway
address of the
PC: 10.1.1.1/24
Intranet VRRP group
Service traffic
Heartbeat link
Fault
The analysis on the operating of the network where FW_A goes faulty, as shown in Figure
2-28, is as follows:
1. When a service interface of FW_A goes faulty, FW_A becomes the standby device, and
FW_B becomes the active device.
2. FW_B sends gratuitous ARP packets, containing the virtual IP and MAC addresses of
the VRRP group.
3. The switch updates the mappings between MAC addresses and ports (such as the
mapping between the virtual MAC address of VRRP group 1 and Eth0/0/2) after
receiving the gratuitous ARP packets.
4. When the PC sends a service packet to the switch, the switch forwards the packet to
FW_B from Eth0/0/2.
If FW_A becomes faulty, traffic sent by the PC is diverted to FW_B (new active device).
Load Balancing
As shown in Figure 2-29, the load balancing networking is configured as follows:
l VRRP groups 1 and 2 are configured on GE1/0/1 of FW_A. GE1/0/1 is in active state in
VRRP group 1 and in standby state in VRRP group 2.
l VRRP groups 1 and 2 are configured on GE1/0/1 of FW_B. GE1/0/1 is in standby state
in VRRP group 1 and in active state in VRRP group 2.
l Set the gateway of some PCs to the virtual IP address of VRRP group 1 and that of other
PCs to the virtual IP address of VRRP group 2.
l VRRP groups 3 and 4 are configured on GE1/0/1 of FW_A. GE1/0/3 is in active state in
VRRP group 3 and in standby state in VRRP group 4.
l VRRP groups 3 and 4 are configured on GE1/0/1 of FW_B. GE1/0/3 is in standby state
in VRRP group 3 and in active state in VRRP group 4.
l Two static routes are configured on the router. The next-hop addresses of the two routes
are the virtual IP addresses of VRRP groups 3 and 4 respectively.
GE1/0/1 of FW_A uses the virtual IP address of VRRP group 1 as the next-hop address to
forward packets. GE1/0/1 of FW_B uses the virtual IP address of VRRP group 2 as the next-
hop address to forward packets. Some PC traffic is forwarded by FW_A, while the other PC
traffic is forwarded by FW_B, implementing load balancing.
Figure 2-29 Networking diagram of load balancing when service interfaces work at Layer 3
and connect to switches
Next-hop address of
the router: 1.1.1.1/24
VRRP group 4
Virtual IP address:
1.1.1.2/24
GE1/0/3 VRRP group 3 GE1/0/3
Virtual IP address: Active
Active
1.1.1.1/24
NGFW_A NGFW_B
VRRP group
Traffic from PC1
Traffic from PC2
Heartbeat link
Active/Standby Backup
Figure 2-30 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to switches
Router_C Router_D
OSPF
NGFW_A NGFW_B
OSPF
Router_A Router_B
As shown in Figure 2-30, FW_A (active device) advertises routes properly. FW_B (standby
device) increases the cost of each route to be advertised by 65500.
The routers connected to the FWs use the path with the smaller cost to forward traffic.
Therefore, traffic is forwarded by FW_A (active device).
When a service interface of FW_A goes faulty, FW_A becomes the standby device, and
FW_B becomes the active device.
FW_B advertises routes properly, whereas FW_A increases the cost of each route to be
advertised by 65500. After route reconvergence, traffic is forwarded by FW_B.
Load Balancing
Figure 2-31 Networking diagram of load balancing when service interfaces work at Layer 3
and connect to switches
Router_C Router_D
Cost10 Cost10
OSPF
NGFW_A NGFW_B
OSPF
Cost10 Cost10
Router_A Router_B
As shown in Figure 2-31, FW_A and FW_B that work in load balancing mode are both active
devices and properly advertise routes.
Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
FW_A and the interfaces that connect Routers B and D to FW_B. This setting allows traffic to
be balanced between FW_A and FW_B.
Precautions
As shown in Figure 2-30 and Figure 2-31, the upstream router uses OSPF to advertise default
routes to the FW, and the FWadvertises learned default routes to the downstream router. In
this networking, you need to configure routing policies to filter default routes on the FW and
downstream router. Otherwise, loops may occur between the FW and downstream router.
As shown in Figure 2-32, the upstream and downstream interfaces on the FW work at Layer
2 and connect to Layer-2 switches directly. The upstream and downstream service interfaces
on each FW are added to the same VLAN.
Figure 2-32 Networking diagram of active/standby backup when service interfaces work at
Layer 2 and connect to switches
Switch_C Switch_D
NGFW_A NGFW_B
Switch_A Switch_B
Service link
Heartbeat link
VLAN
Traffic flow when no fault occurs
Traffic flow when a fault occurs
Active/Standby Backup
As shown in Figure 2-32, the VLAN on FW_A (active device) is enabled and can forward
traffic. The VLAN on FW_B (standby device) is disabled and cannot forward traffic.
Therefore, all traffic is forwarded by FW_A.
NOTICE
This network does not support load balancing. If FW_A and FW_B work in load balancing
mode, the VLANs on both devices are enabled and can forward traffic, causing a loop on the
network.
When FW_A goes faulty, FW_A becomes the standby device, and FW_B becomes the active
device.
When FW_A becomes the standby device, all interfaces on the VLAN of the FW_A goes
Down and then Up. Because of interface status changes, all switches update their MAC
forwarding tables. Therefore, traffic is diverted to FW_B.
As shown in Figure 2-33, the upstream and downstream interfaces on the FW work at Layer
2 and connect to routers directly. The FWs and their directly connected routers use OSPF to
communicate. The upstream and downstream service interfaces on each FW are added to the
same VLAN.
Figure 2-33 Networking diagram for load balancing when service interfaces working at Layer
2 and connect to routers
Router_C Router_D
OSPF
NGFW_A NGFW_B
OSPF
Router_A Router_B
Service link
Heartbeat link
VLAN
Traffic to be forwarded by NGFW_A
Traffic to be forwarded by NGFW_B
Load Balancing
The VLANs on FW_A and FW_B are enabled and can forward traffic. FW_A, FW_B, and
their directly connected routers need to run OSPF to divert traffic.
Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
FW_A and the interfaces that connect Routers B and D to FW_B. This setting allows traffic to
be balanced between FW_A and FW_B.
NOTICE
This network does not support active/standby. If FW_A and FW_B work in active/standby
mode, the VLAN on the standby device is disabled. The routers directly connected to the
standby device cannot communicate and cannot establish an OSPF neighbor relationship.
During an active/standby switchover, the standby device cannot take over services from the
active device, causing service interruptions.
When FW_A goes faulty, FW_A becomes the standby device, and FW_B becomes the active
device.
When FW_A becomes the standby device, all interfaces on the VLAN of the FW_A goes
Down and then Up. As a result, all routers need to recalculate routes. In this case, the VLAN
on FW_A is disabled, and the cost of the path that passes through FW_A increases. Therefore,
all traffic is forwarded by FW_B.
Connecting FWs to Layer-3 Switches in Off-line Mode Using VRRP and Static
Routing
As shown in Figure 2-34, to divert traffic passing core switches to the FWs using static
routing, static routes need to be configured on core switches, with the next hop being the
interface addresses of the FWs. However, core switches generally use OSPF to communicate
with upstream routers and downstream aggregation switches. OSPF routes have higher
priorities than static routes. Therefore, core switches directly forward received traffic to
upstream or downstream devices using OSPF routes, but do not divert traffic to the FWs using
static routes.
Figure 2-34 Networking diagram for deploying FWs in off-line mode using VRRP and static
routing
GE1/0/7 GE1/0/7
10.10.0.1/24 10.10.0.2/24
GE1/0/1
GE1/0/1
10.1.0.1/24 GE1/0/2
Public Public 10.1.0.2/24
GE1/0/1 GE1/0/2 GE1/0/1
GE1/0/3 GE1/0/4 GE1/0/3
VRF GE1/0/4 VRF
GE1/0/0
GE1/0/0 10.0.0.2/24
FW_A Core switch FW_B
10.0.0.1/24
Traffic
Static route
Therefore, virtual routing and forwarding (VRF) must be configured on core switches to
virtualize each core switch into a public switch for connecting upstream switches and a virtual
switch for connecting downstream switches, as shown in Figure 2-35. The two virtualized
switches are isolated. Therefore, traffic can be diverted to the FWs based on static routes.
Figure 2-35 Diverting traffic to the FWs using static routing and VRF
GE1/0/7 GE1/0/7
10.10.0.1/24 10.10.0.2/24
GE1/0/1
GE1/0/1
10.1.0.1/24 GE1/0/2
Public Public 10.1.0.2/24
GE1/0/1 GE1/0/2 GE1/0/1
GE1/0/3 GE1/0/4 GE1/0/3
VRF GE1/0/4 VRF
GE1/0/0
GE1/0/0 10.0.0.2/24
FW_A Core switch FW_B
10.0.0.1/24
Traffic
Static route
For easy understanding, you can transform the off-line deployment shown in Figure 2-35 into
the in-line deployment shown in Figure 2-35. Figure 2-36 shows a typical networking
described in 2.1.4.1 In-line Deployment with Upstream and Downstream Switches. In this
networking, VRRP groups need to be configured on the service interfaces of the FWs.
Static routes need to be configured on the VRF and public virtual switches with the next hop
being the virtual addresses of VRRP groups 1 and 2 respectively, so that the two virtual
switches can forward traffic to the FWs. Besides, two static return routes also need to be
configured on each FW with the next hops being the virtual addresses of VRRP group 3 of the
VRF virtual switch and VRRP group 4 of the public virtual switch. Actually, the two FWs use
the virtual addresses of the VRRP groups to communicate with the two virtual switches.
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Heartbeat link 10.10.0.2/24
10.1.0.1/24 10.1.0.2/24
GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/4
GE1/0/4 GE1/0/3 GE1/0/0
GE1/0/3 10.0.0.2/24
NGFW_A GE1/0/0 Core switch NGFW_B
10.0.0.1/24
Server cluster
Traffic
Static route
Connecting FWs to Layer-3 Devices in Off-line Mode Using OSPF and PBR
On the network shown in Figure 2-37, to divert traffic passing core switches to the FWs using
policy-based routing (PBR), policy-based routes need to be configured on the core switches
with the redirect next hops being the interface addresses of the FWs. However, core switches
generally use OSPF to communicate with upstream routers and downstream aggregation
switches. Policy-based routes have higher priorities than the routes of all routing protocols.
Therefore, core switches can divert received traffic to the FWs based on the policy-based
routes, but not upstream or downstream devices using OSPF routes.
The FWs check the traffic and return it to the core switches. For this reason, the OSPF must
run on the FWs and core switches, so that the FWs can return traffic to the core switches
using OSPF routes. However, each FW connects to a core switch through two interfaces.
Therefore, the FW can find two equal-cost OSPF routes in the routing table and may return
traffic to the switch through the interface where the traffic is received. If the incoming and
outgoing interfaces are the same, the FW cannot comprehensively check and control traffic.
To resolve this problem, allocate two OSPF processes to each core switch and FW and import
them to each other on the FWs. In this way, after a core switch diverts traffic to an interface
on the FW based on PBR, the FW finds only the OSPF route from the imported process and
returns the traffic to the switch through the other interface.
Figure 2-37 Networking diagram for deploying FWs in off-line mode using OSPF and PBR
Internet/WAN
Egress
router
Aggregation
switch
Server cluster
PBR
Actual traffic
For easy understanding, you can transform the off-line deployment shown in Figure 2-37 into
the in-line deployment shown in Figure 2-37. The networking shown in Figure 2-36 is
similar to the typical networking described in 2.1.4.2 In-line Deployment with Upstream
and Downstream Routers with the following differences: Two OSPF processes need to be
configured on the FWs and import each other, and PBR needs to be configured together with
OSPF on the switches.
Figure 2-38 Transforming off-line deployment to in-line deployment by connecting the FWs
to routers
Switch1 Switch2
GE1/0/3 GE1/0/3
10.1.0.2/24 10.3.0.2/24
GE1/0/1 OSPF200
GE1/0/1
10.1.0.1/24 10.3.0.1/24
GE1/0/7
10.10.0.1/24
FW_A FW_B
GE1/0/7
GE1/0/0 10.10.0.2/24
GE1/0/0
10.0.0.1/24
OSPF100 10.2.0.1/24
GE1/0/2 GE1/0/2
10.0.0.2/24 10.2.0.2/24
GE1/0/1
172.16.3.2/24
Switch1 Switch2
GE1/0/1
172.16.3.1/24
GE1/0/0 GE1/0/0
172.16.1.1/24 OSPF100 172.16.2.1/24
PBR
Actual traffic
Hardware Restrictions
l Currently, hot standby can be implemented between only two devices.
l The active and standby devices must have the same product model and version.
Software Restriction
l The active and standby devices must run software of the same version. Otherwise, some
configurations or session table structures on the two devices may be different. As a
result, faults may occur when the active and standby devices synchronize configurations
and status.
l The BootROM versions on the active and standby devices must be the same.
l If configuration commands are executed manually on the active and standby devices
after the automatic backup function is disabled, the configuration contents are the same
but the configuration order is not. For example, the policy matching conditions on the
active and standby devices are different. In such cases, the consistency check function
will determine that the active and standby device configurations are different. However,
this impacts neither the hot standby service nor the performance. You just need to re-
configure the commands.
l It is recommended that the active and standby devices use their initial configuration files.
Otherwise, faults may occur after an active/standby switchover because of configuration
conflicts.
l The service interfaces and heartbeat interfaces used by active and standby devices must
be the same. For example, if the active device uses GigabitEthernet1/0/1 as the service
interface and GigabitEthernet1/0/7 as the heartbeat interface, the standby device must
use the same interfaces.
l The interfaces on the same slot of the active and standby devices must be added to the
same security zone. For example, if GigabitEthernet1/0/1 interface on the active device
is added to the Trust zone,GigabitEthernet1/0/1 on the standby device must also be
added to the Trust zone.
l The interfaces with vrrp virtual-mac enable configured cannot function as heartbeat
interfaces.
l The MTU of the heartbeat interfaces must be set to 1500.
l The service interfaces of the active and standby devices use fixed IP addresses.
Therefore, you cannot use the hot standby function together with such features as PPPoE
and DHCP which use dynamic IP addresses.
l Before changing the working mode on the web page after hot standby is established, you
must clear all hot standby-related configurations.
l When hot standby is used with virtual systems, ensure that the two devices have the
same VSYS name and ID.
may translate the source IP addresses of traffic from different hosts to the same IP
address, causing address conflicts.
In this case, you are advised to create two NAT address pools for the FWs to translate
source IP addresses to addresses in different address pools. For example, FW_A and
FW_B are deployed in hot standby mode and process traffic from 10.1.1.1 to 10.1.1.128
and 10.1.1.129 to 10.1.1.254 respectively. Configure address pool-based source NAT
without port translation, create NAT address pools addressgroup1 and addressgroup2,
and configure two source NAT policies for the FWs to translate the source IP addresses
of the traffic from 10.1.1.1 to 10.1.1.128 to addresses in addressgroup1 and those of the
traffic from 10.1.1.129 to 10.1.1.254 to addresses in addressgroup2.
Prerequisites
l Interfaces at Layer 3 are specified with IP addressed.
l Interfaces at Layer 2 are added to the VLAN.
l Interfaces are assigned to security zones.
l Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned.
Context
Dual-system hot backup configurations vary with networking.
Networking Configurations
Service interfaces work at Layer 3 and Configure virtual IP addresses and add
connect to switches. upstream and downstream service interfaces
to the VRRP backup group.
Networking Configurations
Service interfaces work at Layer-3 and Configure virtual IP addresses and add
connect to the upstream router and downstream service interfaces to the VRRP
downstream switch. backup group.
Configure interface status monitoring in
interface monitoring to monitor upstream
service interfaces.
Procedure
Step 1 Choose System > High Availability > Dual-System Hot Backup.
Step 2 On the Dual-System Hot Backup page, click to configure basic dual-system hot backup
functions.
Parameter Description
Hello Packet Interval Indicates the interval for sending hello packets.
Parameter Description
Interface IP Address/ Indicates the IP address and mask of the interface added to
MASK the VRRP backup group.
Virtual IP Address/ Indicates the virtual IP address and mask of the VRRP
MASK backup group.
A virtual IP address represents both devices working in
dual-system hot backup. The next-hop IP address of the
upstream and downstream devices must be the virtual IP
address if they are connected to both devices through static
routes. The subnet mask is required if the virtual IP address
does not reside on the same subnet of the actual IP address
of the interface.
2. Click OK.
3. Click .
2. Click .
2. Click .
----End
Follow-up Procedure
After you compete the preceding operations, choose System > High Availability > Dual-
System Hot Backup to view the operating status of hot standby. The parameters related to
hot standby are described as follows:
Parameter Description
Current Working Mode l Single Device: is displayed if hot standby is not enabled.
l Active/Standby Backup: is displayed when the devices
work in active/standby mode.
l Load Balancing: is displayed when the devices work in load
balancing mode.
Security zone
Route
Security policy
Layer-3 interfaces Layer-2 service
connect to switches interfaces
Layer-3 interfaces
connect to routers
3 Configuring Heartbeat
Interfaces
hrp interface
Configuring security
6
services
Prerequisites
Complete service interface configurations, such as IP address and security zone
configurations.
Context
l In active/standby mode, the configuration roadmap is as follows:
a. Configure a VRRP group on each service interface of the active device and add the
VRRP groups to the active VGMP group.
As shown in Figure 2-40, VRRP group 2 configured on GE1/0/1 and VRRP group
1 configured on GE1/0/3 of FW_A are added to the active VGMP group.
b. Configure a VRRP group on each service interface of the standby device and add
the VRRP groups to the standby VGMP group.
As shown in Figure 2-40, VRRP group 2 configured on GE1/0/1 and VRRP group
1 configured on GE1/0/3 of FW_B are added to the standby VGMP group.
c. On the hosts or devices that are directly connected to each switch, set the gateway
address or next-hop address of the static route to the virtual IP address of the
corresponding VRRP group.
FW_A
SwitchA GE1/0/3 GE1/0/1 SwitchC
10.3.0.1/24 10.2.0.1/24
Active Active
Standby Standby
configure VRRP group 2 and add it to the active VGMP group; configure VRRP
group 4 and add it to the standby VGMP group.
b. On the service interfaces of FW_B, configure the same VRRP groups but add them
to the opposite VGMP groups.
As shown in Figure 2-41, on the downstream interface GE1/0/3 of FW_B,
configure VRRP group 1 and add it to the standby VGMP group; configure VRRP
group 3 and add it to the active VGMP group. On the upstream interface GE1/0/1,
configure VRRP group 2 and add it to the standby VGMP group; configure VRRP
group 4 and add it to the active VGMP group.
c. On the hosts or devices that are directly connected to each switch, configure two
static routes, with the next hop addresses being the virtual IP addresses of the two
VRRP groups respectively.
Procedure
Step 1 In the user view, access the system view.
system-view
The interfaces that support VRRP groups include Layer-3 Ethernet interfaces and their
subinterfaces, Layer-3 Eth-Trunk interfaces, and VLANIF interfaces.
Step 3 Run the following commands to configure a VRRP or VRRPv6 group as required:
l Configure a VRRP group.
vrrp vrid virtual-router-id virtual-ip virtual-address [ ip-mask | ip-mask-length ]
{ active | standby }
l Configure a VRRPv6 group.
a. Configure a link-local address.
vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address link-local { active |
standby }
l virtual-router-iD specifies the VRRP group ID. The two hot standby FWs must be
configured with the same VRID.
l virtual-ipv6-address link-local specifies the link-local address of the VRRPv6 group.
The link-local address is an IPv6 address whose prefix is FE80::/10. This address is used
for communication between adjacent nodes on a link and is valid only for the link. When
configuring a virtual IPv6 address for a VRRPv6 group, you must also configure a link-
local address for the group.
l The virtual IP addresses of VRRP groups specified by virtual-address and virtual-ipv6-
address must not be the same as physical interface addresses.
Both FWs use the virtual IP address to communicate with other devices. For upstream
and downstream devices, the two FWs serve as one device, with the virtual IP address
being the interface address. If you configure static routes on upstream and downstream
devices, configure the virtual IP address as the next hop.
l ip-mask | ip-mask-length specifies the subnet mask of the virtual IPv4 address of the
VRRP group. If the virtual IP address and interface IP address are on different network
segments, configure the subnet mask for the virtual IP address.
By default, VRRP packets are not authenticated by the FW. VRRP packet authentication is
not required on a secure network.
You can enable VRRP packet authentication if necessary. The NGFW supports simple text
authentication (with parameter simple configured) and MD5 authentication.
NOTE
Set the same VRRP authentication key on the service interfaces that are added to the same VRRP group.
VRRPv6 groups do not support VRRP authentication.
Enable this function on interfaces when the directly connected device is a Layer-4 switch.
Step 6 Optional: In the system view, configure the interval at which the active device sends
gratuitous ARP packets.
By default, the active device sends gratuitous ARP packets every 300s (5 minutes).
The time value must be smaller than the aging time of the MAC address entries on the
switches directly connected to the FW. A small time value enables switches to update the
MAC address table rapidly an active/standby switchover of the FWs.
----End
Example
On the active/standby backup network shown in Figure 2-40, the VRRP group configurations
are as follows:
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet1/0/3] quit
On the load balancing network shown in Figure 2-41, the VRRP group configurations are as
follows:
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[FW_A-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 standby
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 standby
[FW_A-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[FW_B-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 active
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 active
[FW_B-GigabitEthernet1/0/3] quit
Prerequisites
1. Complete service interface configurations, such as IP address and security zone
configurations.
2. OSPF is configured on the FWs and their downstream and upstream routers.
3. A security policy is configured to permit legitimate traffic.
Context
In active/standby mode, the configuration roadmap is as follows:
1. Configure VGMP groups on the active and standby FWs to monitor all service
interfaces.
GE1/0/7
10.10.0.1/24
OSPF GE1/0/7 OSPF
10.10.0.2/24
GE1/0/3 GE1/0/1
10.3.1.1/24 10.2.1.1/24
RouterB FW_B RouterD
In load balancing mode, you need only to configure VGMP groups on both FWs to monitor
all service interfaces.
Procedure
Step 1 In the user view, access the system view.
system-view
VGMP groups can monitor Layer-3 Ethernet interfaces and subinterfaces and Layer-3 Eth-
Trunk interfaces.
Step 3 On FW_B, configure FW_B as the standby FW.
hrp standby-device
NOTE
l You must run this command in active/standby scenario and must not in load balancing scenario.
l If this command is run on a FW where a VRRP group is configured, the status of the FW is determined
by the VRRP group configuration.
Step 4 Enable OSPF, OSPFv3, or BGP cost adjustment based on VGMP group status.
hrp adjust { ospf-cost | ospfv3-cost | bgp-cost } enable [ slave-cost ]
NOTICE
This command is not required on load balancing networks but must be configured on active/
standby backup networks where the service interfaces of the FW work at Layer 3 and connect
to routers.
The cost can be the default value or a user-defined one. In this way, when upstream and
downstream routers calculate routes, the next hop is pointed to the active device, and packets
are forwarded to the active device.
After this command is run:
l If the routing protocol is OSPF or OSPFv3, the active FW directly advertises the learned
OSPF or OSPFv3 routes, and the standby FW adds a specific slave-cost value to the cost
of the learned routes. By default, the standby FW advertises OSPF or OSPFv3 routes
whose costs are 65500.
l If the routing protocol is EBGP or IBGP, the active FW directly advertises the learned
EBGP or IBGP routes, and the standby FW adds a specific slave-cost value to the MED
value in the learned routes. By default, the slave-cost value is 100.
NOTE
hrp adjust ospfv3-cost enable cannot adjust OSPFv3 cost on loopback interfaces.
----End
Example
On the active/standby backup network shown in Figure 2-42, the interface monitoring
configurations are as follows:
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp track interface GigabitEthernet 1/0/3
[FW_A] hrp adjust ospf-cost enable
[FW_B] hrp track interface GigabitEthernet 1/0/1
[FW_B] hrp track interface GigabitEthernet 1/0/3
[FW_B] hrp standby-device
[FW_B] hrp adjust ospf-cost enable
On the load balancing network shown in Figure 2-42, the interface monitoring configurations
are as follows:
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp track interface GigabitEthernet 1/0/3
[FW_B] hrp track interface GigabitEthernet 1/0/1
[FW_B] hrp track interface GigabitEthernet 1/0/3
Prerequisites
1. Service interfaces are configured, including configuring interfaces as Layer 2 interfaces
and assigning interfaces to security zones.
2. The upstream and downstream service interfaces are added to the same VLAN (not
VLAN1).
3. A security policy is configured to permit legitimate traffic.
Context
As shown in Figure 2-43, when the upstream and downstream service interfaces work at
Layer 2 and connect to switches, VLAN monitoring can be implemented only in active/
standby mode. The configuration roadmap is as follows:
1. Configure VGMP groups on the active and standby FWs to monitor the VLANs of
service interfaces.
As shown in Figure 2-43, configure a VGMP group respectively on FW_A and FW_B
to monitor VLAN2.
2. On FW_B, configure FW_B as the standby FW.
Figure 2-43 Configuring VGMP groups to monitoring VLANs (service interfaces connect to
switches)
GE1/0/3 GE1/0/1
VLAN2 VLAN2
GE1/0/3 GE1/0/1
Service link
Heartbeat link
VLAN
As shown in Figure 2-44, when the upstream and downstream service interfaces work at
Layer 3 and connect to routers, VLAN monitoring can be implemented only in load balancing
mode. The configuration roadmap is as follows:
1. Configure VGMP groups on both FWs to monitor the VLANs of service interfaces.
As shown in Figure 2-44, configure a VGMP group respectively on FW_A and FW_B
to monitor VLAN2.
2. Configure the same route cost on the interfaces of the upstream or downstream routers.
As shown in Figure 2-44, configure the same OSPF cost on the Router A (Router C) and
Router B (Router D) interfaces connecting to the FWs.
Figure 2-44 Configuring VGMP groups to monitoring VLANs (service interfaces connect to
routers)
OSPF
area
GE1/0/3 GE1/0/1
VLAN2
Router B FW_B Router D
Service link
Heartbeat link
VLAN
Procedure
Step 1 Access the system view from the user view.
system-view
NOTE
You must run this command in active/standby scenario and must not in load balancing scenario.
----End
Example
As shown in Figure 2-43, when service interfaces work at Layer 2 and connect to switches
(active/standby), the configurations of VLAN monitoring by VGMP groups are as follows:
[FW_A] VLAN 2
[FW_A-vlan-2] port GigabitEthernet 1/0/1
[FW_A-vlan-2] port GigabitEthernet 1/0/3
[FW_A-vlan-2] quit
[FW_A] hrp track VLAN 2
[FW_B] VLAN 2
[FW_B-vlan-2] port GigabitEthernet 1/0/1
[FW_B-vlan-2] port GigabitEthernet 1/0/3
[FW_B-vlan-2] quit
[FW_B] hrp track VLAN 2
[FW_B] hrp standby-device
As shown in Figure 2-44, when service interfaces work at Layer 3 and connect to routers
(load balancing), the configurations of VLAN monitoring by VGMP groups are as follows:
[FW_A] VLAN 2
[FW_A-vlan-2] port GigabitEthernet 1/0/1
Context
In a hot standby scenario, after you enable IP-link and configure a VGMP group to monitor
IP-link status, if a link that IP-link monitors is faulty, the priority of the VGMP group is
reduced by 2.
Procedure
Step 1 Access the system view.
system-view
Step 6 In the system view, configure a VGMP group to monitor IP-link status.
hrp track ip-link ip-link name [ vsys vsys-name ]
----End
Context
In a hot standby scenario, after you enable BFD and configure a VGMP group to monitor IP-
link status, if a link that BFD monitors is faulty, the priority of the VGMP group is reduced by
2.
You need to configure BFD on the devices at both ends of the link to be monitored.
Procedure
Step 1 Access the system view.
system-view
4. Configure discriminators.
– Run the discriminator local discr-value command to configure a local
discriminator.
– Run the discriminator remote discr-value command to configure a remote
discriminator.
NOTE
The local discriminator on one end of a BFD session must be the same as the remote discriminator
on the other end of the BFD session. Otherwise, the session fails to be established. The local and
remote discriminators cannot be changed once they are created.
5. Commit the configurations.
commit
NOTE
After all necessary parameters (such as the local and remote discriminators) are specified, you
must run the commit command to successfully create a BFD session.
----End
Context
The FWs use the heartbeat interfaces to exchange heartbeat packets and synchronize
configuration and status information.
You are advised to directly connect the heartbeat interfaces on the FWs.
You can also use an Eth-Trunk interface as the heartbeat interface to improve network
availability and increase the bandwidth of the heartbeat link.
Procedure
Step 1 Set an IP address for each heartbeat interface.
1. Access the interface view from the system view.
A heartbeat interface can be a Layer-3 Ethernet interface or its subinterface, Layer-3 Eth-
Trunk interface, PoS interface or VLANIF interface.
2. Set an IP address for each heartbeat interface.
You can set a private IP address because the heartbeat interface does not advertise routes
or forward service traffic.
You must assign the heartbeat interfaces on the two FWs to the same security zone.
2. Assign the heartbeat interfaces to a security zone.
l The type and ID of the heartbeat interfaces on the FWs must be the same. For example,
if you set GigabitEthernet 1/0/7 as the heartbeat interface on FW_A, you must also set
GigabitEthernet 1/0/7 as the heartbeat interface on FW_B.
l You can run the remote { ip-address | ipv6-address } command to specify the IP address
of the remote heartbeat interface.
l GigabitEthernet 0/0/0 on the MPU cannot be used as the HRP backup channel interface.
l The interface on which the vrrp virtual-mac enable command is executed cannot be
used as the HRP backup channel interface.
l When a service interface is used as a heartbeat link interface and backing up connection
status exhausts too much bandwidth, the total of service traffic and HRP traffic may
overload the service interface, causing unstable hot standby status. You can set parameter
heartbeat-only for the heartbeat link to transmit only HRP packets.
Step 4 Optional: Configure the action as permit in the security policy implemented between the
Local zone and the security zone to which the heartbeat interfaces are assigned.
1. Access the security policy view from the system view.
security-policy
2. Create a security policy rule and access the security policy rule view.
rule name rule-name
3. Specify the source security zone.
source-zone { zone-name &<1-6> | any }
Set zone-name &<1-6> to local and the security zone to which the heartbeat interfaces
are assigned.
NOTE
Specify two security zones for both source-zone and destination-zone to permit bidirectional traffic
between the Local zone and the security zone to which the heartbeat interfaces are assigned.
4. Specify the destination security zone.
destination-zone { zone-name &<1-6> | any }
Set zone-name &<1-6> to local and the security zone to which the heartbeat interfaces
are assigned.
5. Set the action to permit.
action permit
----End
Example
GE1/0/7
10.10.0.1/24
OSPF GE1/0/7 OSPF
10.10.0.2/24
GE1/0/3 GE1/0/1
10.3.1.1/24 10.2.1.1/24
Router2 NGFW_B Router4
As shown in Figure 2-45, FW_A and FW_B are connected using heartbeat interfaces
GigabitEthernet1/0/7, and GigabitEthernet1/0/7 is assigned to the DMZ.
The heartbeat interface configuration on FW_A is as follows:
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] security-policy
[FW_A-policy-security] rule name ha
The heartbeat interface configuration on FW_B is the same as that on FW_A except the
interface IP address.
Context
In active/standby mode, after you enable hot standby, the HRP_M command prompt is
displayed on the active device, and the HRP_S command prompt is displayed on the standby
device.
In load balancing mode, both devices process services. The HRP_M command prompt is
displayed on the device on which hot standby is enabled first, and the HRP_S command
prompt is displayed on the other device.
NOTICE
In normal cases, HRP_M or HRP_S is not displayed on both devices at the same time.
You must enable hot standby for the devices to establish active/standby status before you
configure other services, such as NAT and IPSec. Then the configurations and status
information can be synchronized from the active device to the standby device.
Procedure
Step 1 Optional: In the system view, set the Hello interval.
The default Hello interval for the active VGMP group is 1000 milliseconds.
NOTICE
You are advised to use the default interval. If you set the interval to a smaller value, active/
standby switchover may be triggered when no fault occurs.
If you need to change this value, ensure that the intervals specified on active and standby FWs
are the same. Otherwise, the active/standby status of the FWs may frequently change.
Step 2 Optional: Set the preemption delay for the VGMP group.
The preemption function of the VGMP group is enabled by default, and the default
preemption delay is 60 seconds.
NOTICE
In hot standby mode, if VRRP and dynamic routing protocols run on the FWs and their
upstream and downstream devices, ensure that the preemption delay for the VGMP groups is
longer than the convergence period of the dynamic routing protocols (such as OSPF) to
prevent service interruptions. Or you can disable the preemption function.
----End
Prerequisites
Enabling Hot Standby is complete before you enable automatic or manual backup.
Context
The FW supports three backup modes shown in Table 2-1.
Automatic backup With automatic When both FWs are Automatic backup is
backup enabled and running properly enabled on the FW
both the active and and status by default. The
standby FWs information that active FW
working properly, needs to be backed automatically
each command that up is generated on synchronizes the
is executed on the the active FW, the configuration
active FW is active FW commands and
synchronized to the automatically status information to
standby FW if the synchronizes the the standby FW.
command can be status information to This function
backed up. The the standby FW. applies to various
commands that Automatic backup hot standby
cannot be backed up of the status networks.
are executed only on information fails
the active FW. when the standby
Commands that can FW is faulty.
be backed up are
configured only on
the active FW.
The commands that
cannot be backed up
can be configured on
both FWs.
Automatic backup
of configuration
commands fails
when the standby
FW is faulty.
Manual batch When both the When both the Manual batch
backup active and standby active and standby backup is required
FWs are working FWs are working when the
properly, you can properly, you can configurations
execute commands execute commands between the active
to instruct the active to instruct the active and standby FWs are
FW to synchronize FW to synchronize different.
the configuration the status
commands that can information that can
be backed up to the be backed up to the
standby FW. Then standby FW.
the commands Manual batch
executed on the backup of status
active FW are information fails
executed on the when the standby
standby FW at the FW is faulty.
same time.
Manual batch
backup of
configuration
commands fails
when the standby
FW is faulty.
Procedure
l Enable automatic backup of commands and status information in the system view.
hrp auto-sync [ config | connection-status ]
By default, this function is enabled.
When you run the hrp auto-sync command without specifying parameter config or
connection-status, both the commands and status information are automatically backed
up.
Enable manual batch backup when automatic backup fails or when configurations are out
of sync.
l Enable quick session backup in the system view.
When the FWs work in load-balancing mode, the forward and return packets may pass
through different FWs. To ensure service continuity, you must enable quick session
backup to ensure that the session information on one FW is timely synchronized to the
other FW.
When the FWs work in active/standby mode, enabling quick session backup is optional.
NOTE
----End
Prerequisites
The following requirements must be met before configuring mirroring mode:
Context
In the mirroring mode, all the configuration commands (except for a few) are configured on
only one device on the dual-system hot backup network because all these configurations are
automatically synchronized to the peer device. Ensure that the peer device is connected to the
local device and started successfully.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Run the hrp mirror config enable command to enable the mirroring mode.
Step 4 Run the hrp sync config command to manually back up the configuration commands in
batches.
----End
Prerequisites
Before you bind a NAT address pool to a VRRP group, ensure that:
l Hot standby has been configured on the FWs.
l The NAT policy configured on the active FW has been backed up to the standby FW.
Internet
Router
Broadcasts an ARP GE0/0/1
packet to request for the 1.1.1.100/24
MAC address of 1.1.1.5.
Eth0/0/1 Eth0/0/2
Replies to the Replies to the ARP
ARP request with request with
S1
0000-00d8-9a01 0000-0011-4901.
GE1/0/1 GE1/0/1
1.1.1.2/24 VRRP group 1 1.1.1.3/24
0000-00d8-9a01 1.1.1.1/24 0000-0011-4901
State: Active 0000-5e00-0101 State: Standby
Intranet user
10.1.1.10/24
Intranet
In such scenarios, you need to bind the NAT address pools to the VRRP groups on the FWs.
As shown in Figure 2-47, after the configuration is complete, only the FW with the active
VRRP group (FW_A) can reply to the ARP request from the Router. FW_A replies the virtual
MAC address (for example, 0000-5e00-0101) of VRRP group 1 in the ARP reply packet to
the Router. As a result, all return packets from the Internet to intranet users are forwarded
only to FW_A.
The system can automatically bind the NAT address pool to the VRRP group with the
smallest VRID if the NAT address pool and VRRP group reside on the same subnet.
Therefore, in active/standby mode, you do not need to manually bind the NAT address
pool to any VRRP groups.
Internet
Router
Broadcasts an ARP GE0/0/1
packet to request for the 1.1.1.100/24
MAC address of 1.1.1.5.
Eth0/0/1 Eth0/0/2
Replies to the ARP
request with
S1
0000-5e00-0101.
GE1/0/1 GE1/0/1
1.1.1.2/24 VRRP group 1 1.1.1.3/24
0000-00d8-9a01 1.1.1.1/24 0000-0011-4901
State: Active 0000-5e00-0101 State: Standby
Active Standby
FW_A FW_B
Intranet users
10.1.1.10/24
Intranet
forwarded only to FW_A, and the return packets of users in area 2 are forwarded only to
FW_B.
Internet
Router
Broadcasts an ARP
MAC address Port GE0/0/1 packet to request for the
0000-00d8-9a01 Eth0/0/1 1.1.1.1.15/24 MAC address of
0000-5e00-0101 Eth0/0/1 1.1.1.15.
Eth0/0/1 Eth0/0/2
0000-0011-4901 Eth0/0/2
0000-5e00-0102 Eth0/0/2 Replies to the
S1 ARP request with
0000-5e00-0102.
GE1/0/1 VRRP group 1 GE1/0/1
1.1.1.3/24 1.1.1.1/24 1.1.1.4/24
0000-00d8-9a01 0000-5e00-0101 0000-0011-4901
VRRP1: Active VRRP1: Standby
VRRP group 2
VRRP2: Standby VRRP2: Active
1.1.1.2/24
FW_A 0000-5e00-0102
Active FW_B Active
VRRP group 3
NAT address pool 1 10.1.1.1/24 NAT address pool 2
1.1.1.5 1.1.1.10 VRRP group 4 1.1.1.11 1.1.1.15
bound with VRRP group 1 10.1.1.2/24 bound with VRRP group 2
Area 1 Area 2
Procedure
Step 1 Access the system view.
system-view
Step 5 Set the respective IP address or port ranges available for the NAT address pools on the FWs.
hrp nat resource { primary-group | secondary-group }
NOTICE
In load balancing scenarios, both FWs process service traffic. If NAPT is configured, the FWs
may have conflicting public ports. If NAT No-PAT is configured, the FWs may have
conflicting public IP addresses. To prevent such conflicts, configure respective NAT resources
(including public IP addresses and ports) for the FWs. You can run the hrp nat resource
primary-group command on the active FW. The standby FW will automatically generate the
hrp nat resource secondary-group command (if you run the hrp nat resource secondary-
group command on the active FW, the standby FW will automatically generate the hrp nat
resource primary-group command).
In active/standby scenarios, you do not need to run the command.
----End
Prerequisites
Before you bind NAT server to a VRRP group, ensure that:
l Hot standby has been configured on the FWs.
l The NAT policy configured on the active FW has been backed up to the standby FW.
Internet
Router
Broadcasts an ARP packet GE0/0/1
to request for the MAC 1.1.1.100/24
address of 1.1.1.10.
Eth0/0/1 Eth0/0/2
Replies to the Replies to the ARP
ARP request with S1 request with
0000-00d8-9a01. 0000-0011-4901.
GE1/0/1 GE1/0/1
1.1.1.2/24 VRRP group 1 1.1.1.3/24
0000-00d8-9a01 1.1.1.1/24 0000-0011-4901
State: Active 0000-5e00-0101 State: Standby
Active Standby
FW_A FW_B
nat server global 1.1.1.10 nat server global 1.1.1.10
inside 10.1.1.10 inside 10.1.1.10
VRRP group 2
Server
10.1.1.10/24
Intranet
In such scenarios, you need to bind NAT Server to the VRRP groups on the FWs.
As shown in Figure 2-50, after the configuration is complete, only the FW with the active
VRRP group (FW_A) can reply to the ARP request from the Router. FW_A replies the virtual
MAC address (for example, 0000-5e00-0101) of the VRRP group in the ARP reply packet to
the Router. As a result, all packets from Internet users to the intranet are forwarded only to
FW_A.
The system can automatically bind NAT Server to the VRRP group with the smallest
VRID if the NAT Server and VRRP group reside on the same subnet. Therefore, in
active/standby mode, you do not need to manually bind NAT Server to any VRRP
groups.
Internet
Router
Broadcasts an ARP GE0/0/1
packet to request for the 1.1.1.100/24 MAC address Port
MAC address of 1.1.1.10. 0000-00d8-9a01 Eth0/0/1
Eth0/0/1 Eth0/0/2 0000-5e00-0101 Eth0/0/1
Replies to the 0000-0011-4901 Eth0/0/2
ARP request with
S1
0000-5e00-0101.
GE1/0/1 GE1/0/1
1.1.1.2/24 VRRP group 1 1.1.1.3/24
0000-00d8-9a01 1.1.1.1/24 0000-0011-4901
State: Active 0000-5e00-0101 State: Standby
Active Standby
FW_A FW_B
Server
10.1.1.10/24
Intranet
Figure 2-51 Binding NAT Server to VRRP groups in load balancing mode
Internet
Router
MAC address Port GE0/0/1 Broadcasts an ARP
0000-00d8-9a01 Eth0/0/1 1.1.1.100/24 packet to request for the
MAC address of 1.1.1.11.
0000-5e00-0101 Eth0/0/1
Eth0/0/1 Eth0/0/2
0000-0011-4901 Eth0/0/2
0000-5e00-0102 Eth0/0/2 Replies to the
S1 ARP request with
0000-5e00-0102.
GE1/0/1 VRRP group 1 GE1/0/1
1.1.1.3/24 1.1.1.1/24 1.1.1.4/24
0000-00d8-9a01 0000-5e00-0101 0000-0011-4901
VRRP1: Active VRRP1: Standby
VRRP group 2
VRRP2: Standby VRRP2: Active
1.1.1.2/24
Active FW_A 0000-5e00-0102 FW_B Stand
by
nat server 1 global 1.1.1.10 nat server 1 global 1.1.1.10
inside 10.1.1.10 vrrp 1 inside 10.1.1.10 vrrp 1
nat server 2 global 1.1.1.11 nat server 2 global 1.1.1.11
inside 10.1.1.11 vrrp 2 inside 10.1.1.11 vrrp 2
Server 1 Server 2
10.1.1.10/24 10.1.1.11/24
Intranet
Procedure
Step 1 Access the system view.
system-view
----End
Procedure
Step 1 Check command prompts.
After the HRP active/standby relationship is established, the FW whose command line prompt
is HRP_M is the active device, and the NGFW whose command prompt is HRP_S is the
standby device.
General items
1 Mand Models and software versions of the <sysname> display version □Passed
atory active and standby FWs are the □Not passed
same.
2 Mand Types and slots of interface cards on <sysname> display device □Passed
atory the active and standby FWs are the □Not passed
same.
3 Mand Service interfaces of the active and <sysname> display hrp state □Passed
atory standby FWs are the same. verbose □Not passed
4 Mand Heartbeat interfaces of the active <sysname> display hrp interface □Passed
atory and standby FWs are the same. □Not passed
4.a Optio If the Eth-Trunk is used as the <sysname> display eth-trunk □Passed
nal heartbeat link, member interfaces of trunk-id □Not passed
the active and standby FWs are the
same.
4.b Optio If the service link is used as the <sysname> display current- □Passed
nal heartbeat link, both the heartbeat configuration | include hrp □Not passed
interface and the IP address of the interface
peer heartbeat interface are
specified.
5 Mand Interfaces of the active and standby <sysname> display zone □Passed
atory FWs are assigned to the same □Not passed
security zone.
6 Optio Service interfaces of the active and l IPv4: <sysname> display vrrp □Passed
nal standby FWs are added to the same interface interface-type □Not passed
VRRP group and share the same interface-number
virtual IP address. l IPv6: <sysname> display vrrp6
interface interface-type
interface-number
7 Optio Service interfaces of the active and <sysname> display hrp state □Passed
nal standby FWs are added to VGMP verbose □Not passed
groups.
8 Mand The preemption function of the <sysname> display hrp state □Passed
atory active FW is enabled or disabled. verbose □Not passed
10 Mand The upstream and downstream <sysname> display port vlan □Passed
atory service interfaces are added to the [ interface-type interface-number ] □Not passed
same VLAN.
11 Mand VGMP groups are configured to <sysname> display hrp state □Passed
atory monitor the status of service verbose □Not passed
interfaces.
12 Optio If FWs are connected to switches, <sysname> display hrp state □Passed
nal the FWs work in active/standby □Not passed
mode.
13 Optio If FWs are connected to routers, the <sysname> display hrp state □Passed
nal FWs work in load bandaging mode. □Not passed
14 Mand IP addresses are set for the interfaces <sysname> display ip interface □Passed
atory of the active and standby FWs. brief □Not passed
15 Optio If FWs are connected to switches, Check the static route configurations □Passed
nal the switches are configured to of the upstream and downstream □Not passed
consider the virtual IP address of the devices.
VRRP group as their next hop.
16 Optio If FWs are connected to routers, <sysname> display ospf [ process- □Passed
nal OSPF runs between the FWs and the id ] brief □Not passed
heartbeat interfaces are not in the
OSPF area.
17 Optio If FWs are connected to routers and <sysname> display current- □Passed
nal work in active/standby mode, route configuration | include hrp ospf- □Not passed
costs of the FWs are adjusted cost
according to the status of hot
standby.
Load balancing
19 Optio The port range of the NAT address <sysname> display current- □Passed
nal pool is specified. configuration | include hrp nat □Not passed
Step 3 In the interface view of the active device, check whether active/standby switchover can be
implemented.
shutdown
After you run the shutdown command on a service interface of the active device, the
interface goes down and other service interfaces are working properly. If the command
prompt on the active device begins with HRP_S, the command prompt on the standby device
begins with HRP_M, and traffic is forwarded properly, the active/standby switchover
succeeds.
After you run the undo shutdown command on the same interface of the active device, the
interface goes up. After the preemption delay expires, the preemption succeeds if the
command prompt on the active device begins with HRP_M, the command prompt on the
standby device begins with HRP_S and traffic is forwarded properly.
Step 4 In the interface view of the active device, restart the active device and check whether the
active/standby failover is performed.
reboot
After you run the reboot command on the active device, the active/standby switchover
succeeds if the command prompt on the standby device begins with HRP_M and packets are
properly forwarded.
The active device continues to work upon restart. After the preemption delay expires, the
preemption succeeds if the command prompt on the active device begins with HRP_M, the
command prompt on the standby device begins with HRP_S and traffic is forwarded
properly.
----End
2.1.8.1 Web: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-2 Upstream and Downstream Devices
This section provides an example of how to configure hot standby in active/standby mode in
which the service interfaces of each FW work at Layer 3 and are directly connected to
switches.
Networking Requirements
On the network shown in Figure 2-52, the service interfaces of two FWs work at Layer 3 and
are directly connected to switches.
The upstream switch is connected to the carrier network and the public IP address assigned to
the enterprise is 1.1.1.1.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. When FW_A goes faulty, FW_B takes over.
Figure 2-52 Active/standby networking in which the service interfaces of each FW work at
Layer 3 and are directly connected to switches
Router
1.1.1.2/24
VRRP group 1
GE1/0/1 1.1.1.1/24 GE1/0/1
10.2.0.1/24 10.2.0.2/24
GE1/0/7
10.10.0.2/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1/24 GE1/0/3
10.3.0.1/24 VRRP group 2 10.3.0.2/24
10.3.0.3/24
Heartbeat link
Procedure
Step 1 Complete interfaces and basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.0.2/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.2/24
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add.
c. Configure security policy ha and set the parameters as follows:
Name ha
Action Permit
d. Click OK.
Step 2 Configure hot standby.
1. Configure hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group
2.
Name policy_sec
Action Permit
4. Click OK.
Step 5 Configure a NAT policy to allow intranet users to access the Internet.
Name 1
5. Click OK.
6. Click the Source NAT tab.
7. Click Add.
8. Configure NAT policy policy_nat and set the parameters as follows:
Name policy_nat
Action NAT
After NAT
Address pool 1
9. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Active/Standby Backup and the
Current State is Active. The Current Working Mode of FW_B is Active/Standby
Backup and the Current State is Standby. This shows that traffic is forwarded by
FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
Configuration Script
FW_A FW_B
# #
hrp enable hrp enable
hrp standby-device
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 vrrp vrid 1 virtual-ip 1.1.1.1
255.255.255.0 active 255.255.255.0 standby
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active vrrp vrid 2 virtual-ip 10.3.0.3
# standby
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
ip route-static 0.0.0.0 0.0.0.0 #
GigabitEthernet1/0/1 1.1.1.2 ip route-static 0.0.0.0 0.0.0.0
# GigabitEthernet1/0/1 1.1.1.2
nat address-group 1 #
section 0 1.1.1.1 1.1.1.1 nat address-group 1
# section 0 1.1.1.1 1.1.1.1
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec action permit
source-zone trust rule name policy_sec
destination-zone untrust source-zone trust
action permit destination-zone untrust
# action permit
nat-policy #
rule name policy_nat nat-policy
source-zone trust rule name policy_nat
destination-zone untrust source-zone trust
action nat address-group 1 destination-zone untrust
action nat address-group 1
2.1.8.2 Web: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-2 Upstream and Downstream Devices
This section provides an example of configuring hot standby in load balancing mode in which
the service interfaces work at Layer 3 and are upstream and downstream connected to
switches.
Networking Requirements
As shown in Figure 2-53, service interfaces of the two FW devices work at Layer 3, having
upstream and downstream connections to Layer-2 switches.
Now the FW devices are supposed to work in load sharing mode. Normally, both FW_A and
FW_B forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-53 Load balancing networking in which the service interfaces work at Layer 3 and
are upstream and downstream connected to switches
GE1/0/1 GE1/0/1
1.1.1.1/24 1.1.1.2/24
GE1/0/7
10.10.0.2/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1/24 GE1/0/3
10.3.0.1/24 10.3.0.2/24
Intranet
Service path
Backup path
Procedure
Step 1 Configure interfaces and perform the basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the following parameters:
IPv4
IP Address 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3
interface.
IPv4
IP Address 10.3.0.1/24
e. Repeat the preceding steps to set the following parameters for the GE1/0/7
interface.
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 1.1.1.2/24
c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3
interface.
IPv4
IP Address 10.3.0.2/24
e. Repeat the preceding steps to set the following parameters for the GE1/0/7
interface.
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
Name ha
Action Permit
d. Click OK.
Step 2 Configure dual-system hot standby.
1. Configure dual-system hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure dual-system hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure default routes on the Intranet devices to set virtual IP address 10.3.0.3 of VRRP
backup group 3 as the next hop for certain devices and virtual IP address 10.3.0.4 of VRRP
backup group 4 as the next hop for the other devices.
Name policy_sec
Action Permit
4. Click OK.
----End
Verification
Choose System > High Availability > Dual-System Hot Standby.
l Normally, Working Mode is Load Sharing for both FW_A and FW_B; Current Status
is Active for FW_A and Standby for FW_B. In this case, both FW forward traffic.
l If FW_A malfunctions, Working Mode is Active/Standby Backup for both FW_A and
FW_B; Current Status is Standby for FW_A and Active for FW_B. In this case,
FW_B only forwards traffic.
Configuration Script
FW_A FW_B
# #
hrp mirror session enable hrp mirror session enable
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 1.1.1.1 255.255.255.0 ip address 1.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.3 active vrrp vrid 1 virtual-ip 1.1.1.3 standby
vrrp vrid 2 virtual-ip 1.1.1.4 standby vrrp vrid 2 virtual-ip 1.1.1.4 active
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.3.0.3 active vrrp vrid 3 virtual-ip 10.3.0.3
vrrp vrid 4 virtual-ip 10.3.0.4 standby
standby vrrp vrid 4 virtual-ip 10.3.0.4 active
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec rule name policy_sec
source-zone trust source-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
2.1.8.3 Web: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Downstream Devices
This section provides an example of how to configure hot standby in active/standby mode in
which the service interfaces of each FW work at Layer 3 and are directly connected to routers.
Networking Requirements
On the network shown in Figure 2-54, the service interfaces of two FWs work at Layer 3 and
are directly connected to routers. The FWs and directly connected routers run OSPF.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. When FW_A goes faulty, FW_B takes over.
Figure 2-54 Active/standby networking in which the service interfaces of each FW work at
Layer 3 and are directly connected to routers
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
GE1/0/7
10.10.0.2
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1 GE1/0/3
10.3.0.1/24 10.3.1.1/24
OSPF
Service link
Heartbeat link
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.1.1/24
Zone dmz
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
Name ha
Action Permit
d. Click OK.
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
2. Configure OSPF on FW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.1.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
Step 3 Configure hot standby.
1. Configure hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
d. Click OK.
Step 4 Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Active/Standby Backup and the
Current State is Active. The Current Working Mode of FW_B is Active/Standby
Backup and the Current State is Standby. This shows that traffic is forwarded by
FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
Configuration Script
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp standby-device
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp track interface GigabitEthernet remote 10.10.0.1
1/0/1 hrp track interface GigabitEthernet
hrp track interface GigabitEthernet 1/0/1
1/0/3 hrp track interface GigabitEthernet
# 1/0/3
interface GigabitEthernet 1/0/1 #
ip address 10.2.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet 1/0/3 #
ip address 10.3.0.1 255.255.255.0 interface GigabitEthernet 1/0/3
# ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet1/0/3 set priority 85
# add interface GigabitEthernet1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet 1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.1.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec action permit
source-zone local rule name policy_sec
source-zone trust source-zone local
source-zone untrust source-zone trust
destination-zone local source-zone untrust
destination-zone trust destination-zone local
destination-zone untrust destination-zone trust
action permit destination-zone untrust
action permit
2.1.8.4 Web: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Downstream Devices
This section provides an example of how to configure hot standby in the load balancing mode
in which the service interfaces of each FW work at Layer 3 and are directly connected to
routers.
Networking Requirements
On the network shown in Figure 2-55, the service interfaces of two FWs work at Layer 3 and
are directly connected to routers. The FWs and directly connected routers run OSPF.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. When one FW goes faulty, the other FW takes over all the traffic load.
Figure 2-55 Load balancing networking in which the service interfaces of each FW work at
Layer 3 and are directly connected to routers
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
GE1/0/7
10.10.0.2
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1 GE1/0/3
10.3.0.1/24 10.3.1.1/24
OSPF
Service link
Heartbeat link
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
IPv4
IP Address 10.10.0.1/24
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.1.1/24
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
Action Permit
d. Click OK.
Step 2 Configure OSPF to ensure IP connectivity.
1. Configure OSPF on FW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
2. Configure OSPF on FW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.1.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
Step 3 Configure hot standby.
1. Configure hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Load Balancing and the Current
State is Active. The Current Working Mode of FW_B is Load Balancing and the
Current State is Standby. This shows that traffic is forwarded by FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
l s
Configuration Script
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/1 1/0/1
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/3 1/0/3
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
ospf 10 ospf 10
area 0.0.0.0 area 0.0.0.0
network 10.2.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
network 10.3.0.0 0.0.0.255 network 10.3.1.0 0.0.0.255
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec rule name policy_sec
source-zone local source-zone local
source-zone trust source-zone trust
source-zone untrust source-zone untrust
destination-zone local destination-zone local
destination-zone trust destination-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
2.1.8.5 Web: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Layer-2 Downstream Devices
This section provides an example of how to configure hot standby in the active/standby mode
in which the service interfaces of each FW work at Layer 3 with routers as upstream devices
and switches as downstream devices.
Networking Requirements
On the network shown in Figure 2-56, the service interfaces of two FWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The FWs and directly
connected routers run OSPF.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. When FW_A goes faulty, FW_B takes over.
Figure 2-56 Active/standby networking in which the service interfaces of each FW work at
Layer 3 with routers as upstream devices and switches as downstream devices
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
NGFW_A NGFW_B
GE1/0/7 GE1/0/7
GE1/0/3 10.10.0.1 10.10.0.2
GE1/0/3
10.3.0.1/24 10.3.0.2/24
Master VRRP group 1 Slave
10.3.0.3/24
Service link
Heartbeat link
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.2/24
Zone dmz
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
Name ha
Action Permit
d. Click OK.
Step 2 Configure OSPF to ensure IP connectivity.
1. Configure OSPF on FW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
2. Configure OSPF on FW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
Step 3 Configure hot standby.
1. Configure hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 4 Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group
1.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Active/Standby Backup and the
Current State is Active. The Current Working Mode of FW_B is Active/Standby
Backup and the Current State is Standby. This shows that traffic is forwarded by
FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
Configuration Script
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/1 1/0/1
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.3 active vrrp vrid 1 virtual-ip 10.3.0.3
# standby
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone trust rule name policy_sec1
destination-zone untrust source-zone trust
action permit destination-zone untrust
rule name policy_sec2 action permit
source-zone local rule name policy_sec2
source-zone untrust source-zone local
destination-zone local source-zone untrust
destination-zone untrust destination-zone local
action permit destination-zone untrust
action permit
2.1.8.6 Web: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Layer-2 Downstream Devices
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 3, with routers as upstream devices
and switches as downstream devices.
Networking Requirements
On the network shown in Figure 2-57, the service interfaces of two FWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The FWs and directly
connected routers run OSPF.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. When one FW goes faulty, the other FW takes over all the traffic load.
Figure 2-57 Load balancing networking in which the service interfaces of each FW work at
Layer 3, with routers as upstream devices and switches as downstream devices
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
NGFW_A NGFW_B
GE1/0/7 GE1/0/7
GE1/0/3 10.10.0.1 10.10.0.2
GE1/0/3
10.3.0.1/24 10.3.0.2/24
Master VRRP group 1 Slave
10.3.0.3/24
VRRP group 2
Slave Master
10.3.0.4/24
Service link
Heartbeat link
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on FW_A.
a. Choose Network > Interface.
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
IPv4
IP Address 10.10.0.1/24
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.2/24
IPv4
IP Address 10.10.0.2/24
3. Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned on FW_A and
FW_B.
NOTE
Only need to configure this security policy, but do not need to.
Name ha
Action Permit
d. Click OK.
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
2. Configure OSPF on FW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard 255.255.255.0
Mask
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard 255.255.255.0
Mask
l. Click OK.
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 4 Configure the default routes on intranet devices. You can set the next hop of some devices to
the virtual IP address (10.3.0.3) of VRRP group 1 and that of other devices to the virtual IP
address (10.3.0.4) of VRRP group 2.
Step 5 Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Load Balancing and the Current
State is Active. The Current Working Mode of FW_B is Load Balancing and the
Current State is Standby. This shows that traffic is forwarded by FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
Configuration Script
FW_A FW_B
# #
hrp enable hrp mirror session enable
hrp interface GigabitEthernet 1/0/7 hrp enable
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp mirror session enable remote 10.10.0.1
hrp track interface GigabitEthernet hrp mirror session enable
1/0/1 hrp track interface GigabitEthernet
# 1/0/1
interface GigabitEthernet 1/0/1 #
ip address 10.2.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet 1/0/3 #
ip address 10.3.0.1 255.255.255.0 interface GigabitEthernet 1/0/3
vrrp vrid 1 virtual-ip 10.3.0.3 active ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.4 vrrp vrid 1 virtual-ip 10.3.0.3
standby standby
# vrrp vrid 2 virtual-ip 10.3.0.4 active
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet 1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone trust rule name policy_sec1
destination-zone untrust source-zone trust
action permit destination-zone untrust
rule name policy_sec2 action permit
source-zone local rule name policy_sec2
source-zone untrust source-zone local
destination-zone local source-zone untrust
destination-zone untrust destination-zone local
action permit destination-zone untrust
action permit
2.1.8.7 Web: Load Balancing Networking in Which the FWs Are Connected
Transparently to Layer-3 Upstream and Downstream Devices
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 2 and are directly connected to routers.
Networking Requirements
On the network shown in Figure 2-58, the service interfaces of two FWs work at Layer 2 and
are directly connected to routers. The uplink and downlink service interfaces of each FW are
added to VLAN2.
The FWs and directly connected routers run OSPF. The FWs transparently transmit OSPF
packets and do not calculate routes.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. When one FW goes faulty, the other FW takes over all the traffic load.
Figure 2-58 Load balancing networking in which the service interfaces of each FW work at
Layer 2 and are directly connected to routers
OSPF
OSPF
Service link
Heartbeat link
VLAN
Procedure
Step 1 Configure hot standby.
1. Configure hot standby on FW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 2 Configure the security policies.
Security policies configured on FW_A are automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating
status of hot standby.
l Normally, the Current Working Mode of FW_A is Load Balancing and the Current
State is Active. The Current Working Mode of FW_B is Load Balancing and the
Current State is Standby. This shows that traffic is forwarded by FW_A.
l When FW_A goes faulty, the Current Working Mode of FW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of FW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is
forwarded by FW_B.
Configuration Script
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
hrp mirror session enable hrp mirror session enable
hrp track vlan 2 hrp track vlan 2
# #
vlan batch 2 vlan batch 2
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
portswitch portswitch
port default vlan 2 port default vlan 2
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
portswitch portswitch
port default vlan 2 port default vlan 2
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone trust source-zone trust
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
2.1.8.8 Web: Active/Standby Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Static Routing Mode)
This section provides an example for configuring the active/standby FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using static routing.
Networking Requirements
As shown in Figure 2-59, two FWs are connected off-line to the core switches in the data
center to secure the data center network. All traffic on the core switches is diverted to the
FWs based on static routes for security checks.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-59 Networking diagram for configuring hot standby when the FWs are deployed in
off-line mode (using static routing for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Heartbeat Link 10.10.0.2/24
10.1.0.1/24 10.1.0.2/24
GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/4
GE1/0/4 GE1/0/3 GE1/0/0
GE1/0/0 GE1/0/3
10.0.0.2/24
10.0.0.1/24
NGFW_A NGFW_B
Server area
192.168.0.0/16
Configuration Roadmap
1. As shown in Figure 2-60, if the core switches need to use static routes to divert traffic to
the FWs, you need to configure static routes and set the next hops to the IP addresses of
the FW interfaces. However, the core switches and upstream routers and downstream
aggregation switches run OSPF. Therefore, traffic cannot be diverted to the FWs after
reaching the core switches. Instead, the traffic is directly forwarded to the upstream and
downstream devices.
Therefore, you must configure the virtual routing and forwarding (VRF) function on the
core switches to virtualize each core switch into a public switch (Public) for connecting
to the upstream switch and a virtual switch (VRF) for connecting to the downstream
switch. The two virtualized switches are isolated. Therefore, traffic can be diverted to the
FWs.
GE1/0/7 GE1/0/7
10.10.0.1/24 10.10.0.2/24
GE1/0/1 GE1/0/1
10.1.0.1/24 Public GE1/0/2 Public 10.1.0.2/24
GE1/0/1 GE1/0/2 GE1/0/1
GE1/0/3 GE1/0/4 GE1/0/3
VRF GE1/0/4 VRF
GE1/0/0 GE1/0/0
10.0.0.1/24 SW1 SW2 10.0.0.2/24
NGFW_A NGFW_B
2. Figure 2-60 can be abstracted as Figure 2-61. The FWs run static routes with upstream
and downstream switches (Public and VRF). Therefore, you need to configure VRRP
groups on the FWs and switches for them to communicate using the virtual IP addresses
of VRRP groups.
As shown in Figure 2-61, configure static routes on the FWs and set the next hops to the
IP addresses of VRRP groups 3 and 4. Configure a static route on the Public switch and
set the next hop to the IP address of VRRP group 2. Configure a static route on the VRF
switch and set the next hop to the IP address of VRRP group 1.
OSPF
GE1/0/2 GE1/0/2
Public Public
VLAN3
VRRP4 GE1/0/1 GE1/0/1
10.1.0.6/24 Active VLANIF3 VLANIF3 Standby
10.1.0.4/24 10.1.0.5/24
GE1/0/1 GE1/0/1
VRRP2
Active 10.1.0.1/24 10.1.0.2/24 Standby
10.1.0.3/24
GE1/0/7
10.10.0.1/24
GE1/0/7
VRRP1 10.10.0.2/24
10.0.0.3/24 Active GE1/0/0 GE1/0/0 Standby
10.0.0.1/24 10.0.0.2/24
NOTE
The core switches run static routes with the FWs and OSPF with other devices. Figure 2-61 lists only
the core switch interfaces related to the FWs.
3. Specify GE1/0/7 on the FW as the heartbeat interface and enable hot standby.
4. Configure security functions, such as security policies, on FW_A. FW_A will
automatically synchronizes its configurations to FW_B. This section describes only
security policy configurations as an example.
Procedure
Step 1 Create static routes.
# This section uses the configurations on FW_A as an example. The configurations on FW_B
are the same as those on FW_A.
1. Choose Network > Router > Static Route.
2. Click Add.
3. Configure a static route (default route) for the upstream direction and set the next hop to
the IP address of VRRP group 4.
Mask 0.0.0.0
4. Click OK.
5. Configure a static route for the downstream direction and set the destination address to
an address in the server area and the next hop to the IP address of VRRP group 3.
Destination Address 192.168.0.0
Mask 255.255.0.0
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure security functions.
Configure a security policy on FW_A to allow Internet users to access the server area (subnet:
192.168.0.0/16, port: 80) in the data center. Security policies configured on FW_A will be
automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure security policy policy_sec1 and set the parameters as follows:
Name policy_sec1
Service http
Action Permit
4. Click OK.
Step 4 Configure the core switches.
NOTE
This example describes only the switch configurations related to FW connection.
# Configure Switch1.
[Switch1] ip vpn-instance VRF //Create VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
# Configure Switch2.
[Switch2] ip vpn-instance VRF //Create VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 1.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 2.
----End
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.0.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.3 active vrrp vrid 1 virtual-ip 10.0.0.3
# standby
interface GigabitEthernet 1/0/1 #
ip address 10.1.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
vrrp vrid 2 virtual-ip 10.1.0.3 active ip address 10.1.0.2 255.255.255.0
# vrrp vrid 2 virtual-ip 10.1.0.3
interface GigabitEthernet 1/0/7 standby
ip address 10.10.0.1 255.255.255.0 #
# interface GigabitEthernet 1/0/7
firewall zone trust ip address 10.10.0.1 255.255.255.0
set priority 85 #
add interface GigabitEthernet 1/0/0 firewall zone trust
# set priority 85
firewall zone dmz add interface GigabitEthernet 1/0/0
set priority 50 #
add interface GigabitEthernet1/0/7 firewall zone dmz
# set priority 50
firewall zone untrust add interface GigabitEthernet1/0/7
set priority 5 #
add interface GigabitEthernet 1/0/1 firewall zone untrust
# set priority 5
ip route-static 0.0.0.0 0.0.0.0 add interface GigabitEthernet 1/0/1
10.1.0.6 #
ip route-static 192.168.0.0 ip route-static 0.0.0.0 0.0.0.0
255.255.0.0 10.0.0.6 10.1.0.6
# ip route-static 192.168.0.0
security-policy 255.255.0.0 10.0.0.6
rule name ha #
source-zone local security-policy
source-zone dmz rule name ha
destination-zone local source-zone local
destination-zone dmz source-zone dmz
action permit destination-zone local
rule name policy_sec1 destination-zone dmz
source-zone untrust action permit
destination-zone trust rule name policy_sec1
destination-address 192.168.0.0 16 source-zone untrust
service http destination-zone trust
action permit destination-address 192.168.0.0 16
service http
action permit
2.1.8.9 Web: Load Balancing Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Static Routing Mode)
This section provides an example for configuring the load balancing FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using static routing.
Networking Requirements
As shown in Figure 2-62, two FWs are connected off-line to the core switches in the data
center to secure the data center network. All traffic on the core switches is diverted to the
FWs based on static routes for security checks.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-62 Networking diagram for configuring hot standby when the FWs are deployed in
off-line mode (using static routing for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Heartbeat link 10.10.0.2/24
10.1.0.1/24 10.1.0.2/24
GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/4
GE1/0/0 GE1/0/3 GE1/0/4 GE1/0/3 GE1/0/0
10.0.0.1/24 10.0.0.2/24
FW_A FW_B
Server area
192.168.0.0/16
Configuration Roadmap
1. As shown in Figure 2-63, if the core switches need to use static routes to divert traffic to
the FWs, you need to configure static routes and set the next hops to the IP addresses of
the FW interfaces. However, the core switches and upstream routers and downstream
aggregation switches run OSPF. Therefore, traffic cannot be diverted to the FWs after
reaching the core switches. Instead, the traffic is directly forwarded to the upstream and
downstream devices.
Therefore, you must configure the virtual routing and forwarding (VRF) function on the
core switches to virtualize each core switch into a public switch (Public) for connecting
to the upstream switch and a virtual switch (VRF) for connecting to the downstream
switch. The two virtualized switches are isolated. Therefore, traffic can be diverted to the
FWs.
2. Figure 2-63 can be abstracted as Figure 2-64. The FWs run static routes with upstream
and downstream switches (Public and VRF). Therefore, you need to configure VRRP
groups on the FWs and switches for them to communicate using the virtual IP addresses
of VRRP groups.
As shown in Figure 2-64, the FWs work in load balancing mode. You need to configure
two equal-cost static routes in the same direction on the FWs and set the next hops
respectively to the IP addresses of the two peer VRRP groups. Configure another two
equal-cost static routes on the Public or VRF switch and set the next hops respectively to
the IP addresses of the two VRRP groups on the FW interfaces.
OSPF
GE1/0/2 GE1/0/2
Public Public
VLAN3
GE1/0/1 GE1/0/1 VRRP group 4
Active 10.1.0.6/24
VLANIF3 VLANIF3 Standby
Standby 10.1.0.4/24 10.1.0.5/24 Active
VRRP group 8
VRRP group 6 10.1.0.8/24
10.1.0.7/24 Standby Active
GE1/0/1 GE1/0/1
Active 10.1.0.1/24 10.1.0.2/24 Standby
VRRP group 2 GE1/0/7
10.1.0.3/24 10.10.0.1/24
GE1/0/7
VRRP group 1 10.10.0.2/24
10.0.0.3/24 Active GE1/0/0 GE1/0/0 Standby
10.0.0.1/24 10.0.0.2/24
VRRP group 5Standby Active
10.0.0.7/24
VRRP group 7
Standby Active
10.0.0.8/24
Active VLANIF2 VLANIF2 Standby
10.0.0.4/24 10.0.0.5/24 VRRP group 3
GE1/0/3 GE1/0/3 10.0.0.6/24
VLAN2
VRF VRF
GE1/0/4 GE1/0/4
OSPF
NOTE
The core switches run static routes with the FWs and OSPF with other devices. Figure 2-64 lists only
the core switch interfaces related to the FWs.
3. Specify GE1/0/7 on the FW as the heartbeat interface and enable hot standby.
4. Configure security functions, such as security policies, on FW_A. FW_A will
automatically synchronizes its configurations to FW_B. This section describes only
security policy configurations as an example.
Procedure
Step 1 Create static routes.
# This section uses the configurations on FW_A as an example. The configurations on FW_B
are the same as those on FW_A.
3. Configure a static route (default route) for the upstream direction and set the next hop to
the IP address of VRRP group 4.
Destination Address 0.0.0.0
Mask 0.0.0.0
4. Click OK.
5. Configure a static route for the downstream direction and set the destination address to
an address in the server area and the next hop to the IP address of VRRP group 3.
Destination Address 192.168.0.0
Mask 255.255.0.0
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure security functions.
Configure a security policy on FW_A to allow Internet users to access the server area (subnet:
192.168.0.0/16, port: 80) in the data center. Security policies configured on FW_A will be
automatically backed up to FW_B.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add.
3. Configure security policy policy_sec1 and set the parameters as follows:
Name policy_sec1
Service http
Action Permit
4. Click OK.
Step 4 Configure the core switches.
NOTE
This example describes only the switch configurations related to FW connection.
# Configure Switch1.
[Switch1] ip vpn-instance VRF //Create VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Create VRRP group 7.
[Switch1-Vlanif2] vrrp vrid 7 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Create VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 8 priority 120 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 1.
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 5.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 2.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 6.
# Configure Switch2.
[Switch2] ip vpn-instance VRF //Create VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Create VRRP group 7.
[Switch2-Vlanif2] vrrp vrid 7 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.8 //Create VRRP group 8.
[Switch2-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The
----End
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.0.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.3 active vrrp vrid 1 virtual-ip 10.0.0.3
vrrp vrid 5 virtual-ip 10.0.0.7 standby
standby vrrp vrid 5 virtual-ip 10.0.0.7 active
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.1.0.1 255.255.255.0 ip address 10.1.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.0.3 active vrrp vrid 2 virtual-ip 10.1.0.3
vrrp vrid 6 virtual-ip 10.1.0.7 standby
standby vrrp vrid 6 virtual-ip 10.1.0.7 active
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.1 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/0 add interface GigabitEthernet 1/0/0
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
ip route-static 0.0.0.0 0.0.0.0 ip route-static 0.0.0.0 0.0.0.0
10.1.0.6 10.1.0.6
ip route-static 0.0.0.0 0.0.0.0 ip route-static 0.0.0.0 0.0.0.0
10.1.0.8 10.1.0.8
ip route-static 192.168.0.0 ip route-static 192.168.0.0
255.255.0.0 10.0.0.6 255.255.0.0 10.0.0.6
ip route-static 192.168.0.0 ip route-static 192.168.0.0
255.255.0.0 10.0.0.8 255.255.0.0 10.0.0.8
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 192.168.0.0 16 destination-address 192.168.0.0 16
service http service http
action permit action permit
2.1.8.10 Web: Active/Standby Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Dynamic Routing Mode)
This section provides an example for configuring the active/standby FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using PBR.
Networking Requirements
As shown in Figure 2-65, two FWs are connected off-line to the core switches in the data
center to secure the data center network and isolate areas on the intranet. All traffic on the
core switches is diverted to the FWs based on PBR for security checks.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-65 Networking diagram for configuring hot standby when the s are deployed in off-
line mode (using PBR for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Switch1 OSPF GE1/0/4 Switch2 10.10.0.2/24
GE1/0/4
GE1/0/1 GE1/0/3 10.4.0.1/24 10.5.0.1/24 GE1/0/3 GE1/0/1
10.1.0.1/24 10.1.0.2/24 GE1/0/1 10.3.0.2/24 10.3.0.1/24
172.16.3.2/24
GE1/0/1
GE1/0/0 GE1/0/2 172.16.3.1/24 GE1/0/2 GE1/0/0
10.0.0.1/24 10.0.0.2/24 GE1/0/0 GE1/0/0 10.2.0.2/24 10.2.0.1/24
FW_A 172.16.1.1/24 172.16.2.1/24 FW_B
OSPF
Server area
192.168.0.0/16
PBR
Actual traffic
Configuration Roadmap
1. As shown in Figure 2-65, the traffic on the core switches is diverted to the FW using
PBR. The FW detects the traffic and injects the traffic back to the core switch. In such
cases, the FW and core switch need to run a dynamic routing protocol (OSPF is used as
an example).
To ensure that traffic is forwarded in the direction shown in Figure 2-65, configure two
OSPF processes on the FW, import them to each other, and then configure another two
OSPF processes on the core switches.
2. Figure 2-65 can be abstracted to Figure 2-66. Figure 2-66 is typical load balancing
networking in which the FWs are connected to Layer-3 devices. You can understand the
relationship between the two figures based on the interface numbers and the actual traffic
direction.
Figure 2-66 Networking diagram for configuring hot standby when the FWs are
connected to Layer-3 devices
Switch1 Switch2
GE1/0/3 GE1/0/3
10.1.0.2/24 10.3.0.2/24
GE1/0/1 OSPF
GE1/0/1
10.1.0.1/24 10.3.0.1/24
GE1/0/7
10.10.0.1/24
FW_A FW_B
GE1/0/7
GE1/0/0 10.10.0.2/24
GE1/0/0
10.0.0.1/24
OSPF 10.2.0.1/24
GE1/0/2 GE1/0/2
10.0.0.2/24 10.2.0.2/24
GE1/0/1
172.16.3.2/24
Switch1 Switch2
GE1/0/1
172.16.3.1/24
GE1/0/0 GE1/0/0
172.16.1.1/24 OSPF 172.16.2.1/24
PBR
Actual traffic
Procedure
Step 1 Configure OSPF to ensure IP connectivity.
1. Configure OSPF on FW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process 100 and set the parameters as follows:
Process ID 100
d. Click OK.
e. Click of the OSPF process 100.
f. Choose Basic Configuration > Area Settings.
g. Click Add.
h. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.0.0.0
i. Click OK.
j. Click Close.
k. Click Add.
l. Create an OSPF process 200 and set the parameters as follows:
Process ID 200
m. Click OK.
n. Click of the OSPF process 200.
o. Choose Basic Configuration > Area Settings.
p. Click Add.
q. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.1.0.0
r. Click OK.
s. Click Close.
t. Click of the OSPF process 100.
u. Choose Advanced > Route Import.
v. Click Add.
w. Set the parameters to import OSPF 200 as follows:
Process ID 200
x. Click OK.
y. Click Close.
z. Click of the OSPF process 200.
aa. Choose Advanced > Route Import.
ab. Click Add.
ac. Set the parameters to import OSPF 100 as follows:
Process ID 100
Process ID 100
d. Click OK.
e. Click of the OSPF process 100.
f. Choose Basic Configuration > Area Settings.
g. Click Add.
h. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.2.0.0
i. Click OK.
j. Click Close.
k. Click Add.
l. Create an OSPF process 200 and set the parameters as follows:
Process ID 200
m. Click OK.
n. Click of the OSPF process 200.
o. Choose Basic Configuration > Area Settings.
p. Click Add.
q. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.3.0.0
r. Click OK.
s. Click Close.
t. Click of the OSPF process 100.
u. Choose Advanced > Route Import.
v. Click Add.
w. Set the parameters to import OSPF 200 as follows:
Process ID 200
x. Click OK.
y. Click Close.
z. Click of the OSPF process 200.
aa. Choose Advanced > Route Import.
ab. Click Add.
ac. Set the parameters to import OSPF 100 as follows:
Process ID 100
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Configure a security policy on FW_A to allow Internet users to access the server area (subnet:
192.168.0.0/16, port: 80) in the data center. Security policies configured on FW_A will be
automatically backed up to FW_B.
2. Click Add.
3. Configure security policy policy_sec1 and set the parameters as follows:
Name policy_sec1
Service http
Action Permit
4. Click OK.
# Configure Switch1.
2. Configure OSPF.
As shown in Figure 2-66, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch1] router id 3.3.3.3
[Switch1] ospf 100
[Switch1-ospf-100] area 0
[Switch1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] quit
[Switch1-ospf-100] quit
[Switch1] ospf 200
[Switch1-ospf-200] area 0
[Switch1-ospf-200-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] quit
[Switch1-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch1] acl 3000
[Switch1-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3000] quit
[Switch1] traffic classifier in
[Switch1-classifier-in] if-match acl 3000
[Switch1-classifier-in] quit
[Switch1] traffic behavior in
[Switch1-behavior-in] redirect ip-nexthop 10.1.0.1
[Switch1-behavior-in] quit
[Switch1] traffic policy in
[Switch1-trafficpolicy-in] classifier in behavior in
[Switch1-trafficpolicy-in] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch1-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch1] acl 3001
[Switch1-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3001] quit
[Switch1] traffic classifier out
[Switch1-classifier-out] if-match acl 3001
[Switch1-classifier-out] quit
[Switch1] traffic behavior out
[Switch1-behavior-out] redirect ip-nexthop 10.0.0.1
[Switch1-behavior-out] quit
[Switch1] traffic policy out
[Switch1-trafficpolicy-out] classifier out behavior out
[Switch1-trafficpolicy-out] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
2. Configure OSPF.
As shown in Figure 2-66, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch2] router id 4.4.4.4
[Switch2] ospf 100
[Switch2-ospf-100] area 0
[Switch2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] quit
[Switch2-ospf-100] quit
[Switch2] ospf 200
[Switch2-ospf-200] area 0
[Switch2-ospf-200-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] network 10.5.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] quit
[Switch2-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch2] acl 3000
[Switch2-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3000] quit
[Switch2] traffic classifier in
[Switch2-classifier-in] if-match acl 3000
[Switch2-classifier-in] quit
[Switch2] traffic behavior in
[Switch2-behavior-in] redirect ip-nexthop 10.3.0.1
[Switch2-behavior-in] quit
[Switch2] traffic policy in
[Switch2-trafficpolicy-in] classifier in behavior in
[Switch2-trafficpolicy-in] quit
[Switch2] interface gigabitethernet 1/0/4
[Switch2-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch2-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch2] acl 3001
[Switch2-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3001] quit
[Switch2] traffic classifier out
[Switch2-classifier-out] if-match acl 3001
[Switch2-classifier-out] quit
[Switch2] traffic behavior out
[Switch2-behavior-out] redirect ip-nexthop 10.2.0.1
[Switch2-behavior-out] quit
[Switch2] traffic policy out
[Switch2-trafficpolicy-out] classifier out behavior out
[Switch2-trafficpolicy-out] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch2-GigabitEthernet1/0/0] quit
----End
Configuration Scripts
FW_A FW_B
# #
router id 1.1.1.1 router id 2.2.2.2
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp standby-device
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp track interface remote 10.10.0.1
GigabitEthernet1/0/0 hrp track interface
hrp track interface GigabitEthernet1/0/0
GigabitEthernet1/0/1 hrp track interface
# GigabitEthernet1/0/1
interface GigabitEthernet 1/0/0 #
ip address 10.0.0.1 255.255.255.0 interface GigabitEthernet 1/0/0
# ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet 1/0/1 #
ip address 10.1.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.3.0.1 255.255.255.0
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.1 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/0 set priority 85
# add interface GigabitEthernet 1/0/0
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
ospf 100 #
import-route ospf 200 ospf 100
area 0.0.0.0 import-route ospf 200
network 10.0.0.0 0.0.0.255 area 0.0.0.0
ospf 200 network 10.2.0.0 0.0.0.255
import-route ospf 100 ospf 200
area 0.0.0.0 import-route ospf 100
network 10.1.0.0 0.0.0.255 area 0.0.0.0
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone untrust rule name policy_sec1
destination-zone trust source-zone untrust
destination-address 192.168.0.0 16 destination-zone trust
service http destination-address 192.168.0.0 16
action permit service http
action permit
2.1.8.11 Web: Load Balancing Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Dynamic Routing Mode)
This section provides an example for configuring the load balancing FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using PBR.
Networking Requirements
As shown in Figure 2-67, two FWs are connected off-line to the core switches in the data
center to secure the data center network and isolate areas on the intranet. All traffic on the
core switches is diverted to the FWs based on PBR for security checks.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-67 Networking diagram for configuring hot standby when the s are deployed in off-
line mode (using PBR for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Switch1 OSPF GE1/0/4 Switch2 10.10.0.2/24
GE1/0/4
GE1/0/1 GE1/0/3 10.4.0.1/24 10.5.0.1/24 GE1/0/3 GE1/0/1
10.1.0.1/24 10.1.0.2/24 GE1/0/1 10.3.0.2/24 10.3.0.1/24
172.16.3.2/24
GE1/0/1
GE1/0/0 GE1/0/2 172.16.3.1/24 GE1/0/2 GE1/0/0
10.0.0.1/24 10.0.0.2/24 GE1/0/0 GE1/0/0 10.2.0.2/24 10.2.0.1/24
NGFW_A 172.16.1.1/24 172.16.2.1/24 NGFW_B
OSPF
Server area
192.168.0.0/16
PBR
Traffic
Configuration Roadmap
1. As shown in Figure 2-67, the traffic on the core switches is diverted to the FW using
PBR. The FW detects the traffic and injects the traffic back to the core switch. In such
cases, the FW and core switch need to run a dynamic routing protocol (OSPF is used as
an example).
To ensure that traffic is forwarded in the direction shown in Figure 2-67, configure two
OSPF processes on the FW, import them to each other, and then configure another two
OSPF processes on the core switches.
2. Figure 2-67 can be abstracted to Figure 2-68. Figure 2-68 is typical load balancing
networking in which the FWs are connected to Layer-3 devices. You can understand the
relationship between the two figures based on the interface numbers and the actual traffic
direction.
Figure 2-68 Networking diagram for configuring hot standby when the FWs are
connected to Layer-3 devices
Switch1 Switch2
GE1/0/3 GE1/0/3
10.1.0.2/24 10.3.0.2/24
GE1/0/1 OSPF
GE1/0/1
10.1.0.1/24 10.3.0.1/24
GE1/0/7
10.10.0.1/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/0 10.10.0.2/24
GE1/0/0
10.0.0.1/24
OSPF 10.2.0.1/24
GE1/0/2 GE1/0/2
10.0.0.2/24 10.2.0.2/24
GE1/0/1
172.16.3.2/24
Switch1 Switch2
GE1/0/1
172.16.3.1/24
GE1/0/0 GE1/0/0
172.16.1.1/24 OSPF 172.16.2.1/24
PBR
Traffic
b. Configure PBR for the core switches to divert traffic to the FWs.
Procedure
Step 1 Configure OSPF to ensure IP connectivity.
1. Configure OSPF on FW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process 100 and set the parameters as follows:
Process ID 100
d. Click OK.
e. Click of the OSPF process 100.
f. Choose Basic Configuration > Area Settings.
g. Click Add.
h. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.0.0.0
i. Click OK.
j. Click Close.
k. Click Add.
l. Create an OSPF process 200 and set the parameters as follows:
Process ID 200
m. Click OK.
n. Click of the OSPF process 200.
o. Choose Basic Configuration > Area Settings.
p. Click Add.
q. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.1.0.0
r. Click OK.
s. Click Close.
Process ID 200
x. Click OK.
y. Click Close.
z. Click of the OSPF process 200.
aa. Choose Advanced > Route Import.
ab. Click Add.
ac. Set the parameters to import OSPF 100 as follows:
Process ID 100
Process ID 100
d. Click OK.
e. Click of the OSPF process 100.
f. Choose Basic Configuration > Area Settings.
g. Click Add.
h. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.2.0.0
i. Click OK.
j. Click Close.
k. Click Add.
Process ID 200
m. Click OK.
n. Click of the OSPF process 200.
o. Choose Basic Configuration > Area Settings.
p. Click Add.
q. Create the area 0 and set the parameters as follows:
Area 0
IP Network 10.3.0.0
r. Click OK.
s. Click Close.
t. Click of the OSPF process 100.
u. Choose Advanced > Route Import.
v. Click Add.
w. Set the parameters to import OSPF 200 as follows:
Process ID 200
x. Click OK.
y. Click Close.
z. Click of the OSPF process 200.
aa. Choose Advanced > Route Import.
ab. Click Add.
ac. Set the parameters to import OSPF 100 as follows:
Process ID 100
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
2. Configure hot standby on FW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Configure a security policy on FW_A to allow Internet users to access the server area (subnet:
192.168.0.0/16, port: 80) in the data center. Security policies configured on FW_A will be
automatically backed up to FW_B.
Name policy_sec1
Service http
Action Permit
4. Click OK.
Step 4 Configure the core switches.
# Configure Switch1.
1. Assign IP addresses to interfaces.
Set an IP address for each interface based on Figure 2-67. GE1/0/0 is used as an
example.
<Switch1> system-view
[Switch1] interface GigabitEthernet 1/0/0
[Switch1-GigabitEthernet1/0/0] ip address 172.16.1.1 24
[Switch1-GigabitEthernet1/0/0] quit
2. Configure OSPF.
As shown in Figure 2-68, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch1] router id 3.3.3.3
[Switch1] ospf 100
[Switch1-ospf-100] area 0
[Switch1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] quit
[Switch1-ospf-100] quit
[Switch1] ospf 200
[Switch1-ospf-200] area 0
[Switch1-ospf-200-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] quit
[Switch1-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch1] acl 3000
[Switch1-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3000] quit
[Switch1] traffic classifier in
[Switch1-classifier-in] if-match acl 3000
[Switch1-classifier-in] quit
[Switch1] traffic behavior in
[Switch1-behavior-in] redirect ip-nexthop 10.1.0.1
[Switch1-behavior-in] quit
[Switch1] traffic policy in
[Switch1-trafficpolicy-in] classifier in behavior in
[Switch1-trafficpolicy-in] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch1-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
# Configure Switch2.
2. Configure OSPF.
As shown in Figure 2-68, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch2] router id 4.4.4.4
[Switch2] ospf 100
[Switch2-ospf-100] area 0
[Switch2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] quit
[Switch2-ospf-100] quit
[Switch2] ospf 200
[Switch2-ospf-200] area 0
[Switch2-ospf-200-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] network 10.5.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] quit
[Switch2-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch2] acl 3000
[Switch2-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3000] quit
[Switch2] traffic classifier in
[Switch2-classifier-in] if-match acl 3000
[Switch2-classifier-in] quit
[Switch2] traffic behavior in
[Switch2-behavior-in] redirect ip-nexthop 10.3.0.1
[Switch2-behavior-in] quit
[Switch2] traffic policy in
[Switch2-trafficpolicy-in] classifier in behavior in
[Switch2-trafficpolicy-in] quit
[Switch2] interface gigabitethernet 1/0/4
[Switch2-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch2-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
----End
Configuration Scripts
FW_A FW_B
# #
router id 1.1.1.1 router id 2.2.2.2
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface hrp track interface
GigabitEthernet1/0/0 GigabitEthernet1/0/0
hrp track interface hrp track interface
GigabitEthernet1/0/1 GigabitEthernet1/0/1
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.2.0.1 255.255.255.0
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.1.0.1 255.255.255.0 ip address 10.3.0.1 255.255.255.0
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.1 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/0 add interface GigabitEthernet 1/0/0
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
ospf 100 ospf 100
import-route ospf 200 import-route ospf 200
area 0.0.0.0 area 0.0.0.0
network 10.0.0.0 0.0.0.255 network 10.2.0.0 0.0.0.255
ospf 200 ospf 200
import-route ospf 100 import-route ospf 100
area 0.0.0.0 area 0.0.0.0
network 10.1.0.0 0.0.0.255 network 10.3.0.0 0.0.0.255
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 192.168.0.0 16 destination-address 192.168.0.0 16
service http service http
action permit action permit
2.1.8.12 CLI: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-2 Upstream and Downstream Devices
This section provides an example of how to configure hot standby in active/standby mode in
which the service interfaces of each FW work at Layer 3 and are directly connected to
switches.
Networking Requirements
On the network shown in Figure 2-69, the service interfaces of two FWs work at Layer 3 and
are directly connected to switches.
The upstream switch is connected to the carrier network, and the public IP address the carrier
assigns to the enterprise is 1.1.1.1.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-69 Networking diagram for configuring active/standby when service interfaces work
at Layer 3 and connect to switches
Router
1.1.1.2/24
VRRP group 1
GE1/0/1 1.1.1.1/24 GE1/0/1
10.2.0.1/24 10.2.0.2/24
GE1/0/7
10.10.0.2/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1/24 GE1/0/3
10.3.0.1/24 VRRP group 2 10.3.0.2/24
10.3.0.3/24
Heartbeat link
Procedure
Step 1 Complete basic network configurations on FW_A.
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure VRRP group 1 on upstream service interface GE1/0/1 and set the VRRP group
status to Active. Note that if the interface IP address resides on a different subnet from the
address of the VRRP group, you need to specify a subnet mask when setting the address of
the VRRP group.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet1/0/1] quit
# Configure VRRP group 2 on downstream service interface GE1/0/3 and set the VRRP
group status to Active.
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/3] quit
Step 3 Specify the heartbeat interface and enable hot standby on FW_A.
[FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[FW_A] hrp enable
Step 6 Configure a NAT policy on FW_A. After hot standby relationship is established, the NAT
policy on FW_A will be automatically backed up to FW_B.
# Configure a NAT policy to translate source addresses on subnet 10.3.0.0/16 to an IP address
in the NAT address pool (1.1.1.2 to 1.1.1.5) when intranet users access the Internet.
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW_A-policy-nat-rule-policy_nat1] action nat address-group group1
----End
Verification
1. Run the display vrrp command on FW_A to check the status information about the
interfaces in the VRRP group. If the following information is displayed, the VRRP group
is successfully created.
HRP_M<FW_A> display vrrp
GigabitEthernet1/0/1 | Virtual Router
1
State :
Active
Virtual IP :
1.1.1.1
Master IP :
10.2.0.1
PriorityRun :
120
PriorityConfig :
100
MasterPriority :
120
Preempt : YES Delay Time : 0
s
TimerRun : 60
s
TimerConfig : 60
s
Auth type :
NONE
Virtual MAC :
0000-5e00-0101
Check TTL :
YES
Config type : vgmp-
vrrp
Backup-forward :
disabled
Create time : 2015-03-17 17:35:54 UTC
+08:00
Last change time : 2015-03-22 16:01:56 UTC+08:00
2. Run the display hrp state verbose command on FW_A to check the VGMP group
status. If the following information is displayed, hot standby relationship is successfully
established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 46002,
peer_priority = 46002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/1 vrrp vrid 1: active
GigabitEthernet1/0/3 vrrp vrid 2: active
3. Ping the Router in the Untrust zone from the PC in the Trust zone, and display session
information on FW_A and FW_B.
HRP_M<FW_A> display firewall session table
The command output shows that sessions tagged with Remote are created on FW_B,
indicating that sessions are successfully backed up after you configure hot standby.
4. Run the ping 1.1.1.10 -t command on the PC, pull out the cable from GE1/0/1 on
FW_A, and then check whether active/standby switchover is performed and whether
ping packets are discarded. Insert the cable back to GE1/0/1 on FW_A and check again
whether active/standby switchover is performed and whether ping packets are discarded.
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 vrrp vrid 1 virtual-ip 1.1.1.1
255.255.255.0 active 255.255.255.0 standby
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.3 active vrrp vrid 2 virtual-ip 10.3.0.3
# standby
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
ip route-static 0.0.0.0 0.0.0.0 #
1.1.1.2 ip route-static 0.0.0.0 0.0.0.0
# 1.1.1.2
nat address-group group1 1 #
section 0 1.1.1.2 1.1.1.5 nat address-group group1 1
# section 0 1.1.1.2 1.1.1.5
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name trust_to_untrust action permit
source-zone trust rule name trust_to_untrust
destination-zone untrust source-zone trust
action permit destination-zone untrust
# action permit
nat-policy #
rule name policy_nat1 nat-policy
source-zone trust rule name policy_nat1
destination-zone untrust source-zone trust
source-address 10.3.0.0 16 destination-zone untrust
action nat address-group group1 source-address 10.3.0.0 16
action nat address-group group1
2.1.8.13 CLI: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-2 Upstream and Downstream Devices
This section provides an example for configuring hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 3 and directly connect to switches.
Networking Requirements
As shown in Figure 2-70, the service interfaces of the FWs work at Layer 3 and are directly
connected to switches.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-70 Networking diagram for configuring load balancing when service interfaces
work at Layer 3 and connect to switches
GE1/0/1 GE1/0/1
1.1.1.1/24 1.1.1.2/24
GE1/0/7
10.10.0.2/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1/24 GE1/0/3
10.3.0.1/24 10.3.0.2/24
Intranet
Service path
Backup path
Procedure
Step 1 Complete basic network configurations on FW_A.
# Set IP addresses for the interfaces.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# To implement load balancing, configure two VRRP groups on each service interface and set
the status of one VRRP group to Active and the other to Standby.
# Configure VRRP groups 1 and 2 on upstream service interface GE1/0/1 and set the status of
VRRP group 1 to Active and status of VRRP group 2 to Standby.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.3 24 active
[FW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 1.1.1.4 24 standby
[FW_A-GigabitEthernet1/0/1] quit
# Configure VRRP groups 3 and 4 on downstream service interface GE1/0/3 and set the status
of VRRP group 3 to Active and status of VRRP group 4 to Standby.
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet1/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 standby
[FW_A-GigabitEthernet1/0/3] quit
Step 3 On FW_A, configure quick session backup, specify the heartbeat interface, and enable hot
standby.
# Configure quick session backup on both FWs in case of inconsistent forward and return
packet paths.
[NGFW_A] hrp mirror session enable
# Configure VRRP groups 3 and 4 on downstream service interface GE1/0/3 and set the status
of VRRP group 3 to Standby and status of VRRP group 4 to Active.
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B -GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.3 standby
[NGFW_B -GigabitEthernet1/0/3] vrrp vrid 4 virtual-ip 10.3.0.4 active
[NGFW_B -GigabitEthernet1/0/3] quit
Step 6 On FW_B, configure quick session backup, specify the heartbeat interface, and enable hot
standby.
# Configure quick session backup on both FWs in case of inconsistent forward and return
packet paths.
[NGFW_B] hrp mirror session enable
Step 7 Create a security policy on FW_A. After hot standby relationship is established, the security
policy on FW_A will be automatically backed up to FW_B.
# Configure a security policy to allow intranet users to access the Internet.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
Step 8 Configure a NAT policy on FW_A. After hot standby relationship is established, the NAT
policy on FW_A will be automatically backed up to FW_B.
# Configure a NAT policy to translate source addresses on subnet 10.3.0.0/16 to an IP address
in the NAT address pool (1.1.1.5 to 1.1.1.8) when intranet users access the Internet.
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
# To prevent port conflicts in address translation on the FWs in load balancing mode,
configure available port ranges respectively on FW_A and FW_B. The configuration on
FW_A is as follows:
HRP_M[NGFW_A] hrp nat resource primary-group
----End
Verification
1. Run the display vrrp command on FW_A to check the status information about the
interfaces in the VRRP group. If the following information is displayed, the VRRP group
is successfully created.
HRP_M<FW_A> display vrrp
GigabitEthernet1/0/1 | Virtual Router
1
State :
Active
Virtual IP :
1.1.1.3
Master IP :
1.1.1.1
PriorityRun :
120
PriorityConfig :
100
MasterPriority :
120
Preempt : YES Delay Time : 0
s
TimerRun : 60
s
TimerConfig : 60
s
Auth type :
NONE
Virtual MAC :
0000-5e00-0101
Check TTL :
YES
Config type : vgmp-
vrrp
Backup-forward :
disabled
Create time : 2015-03-17 17:35:54 UTC
+08:00
2. Run the display hrp state verbose command on FW_A to check the VGMP group
status. If the following information is displayed, hot standby relationship is successfully
established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 4604.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/1 vrrp vrid 1: active
GigabitEthernet1/0/1 vrrp vrid 2: standby
GigabitEthernet1/0/3 vrrp vrid 3: active
GigabitEthernet1/0/3 vrrp vrid 4: standby
3. Ping the Router in the Untrust zone from the PC in the Trust zone, and display session
information on FW_A and FW_B.
HRP_M<FW_A> display firewall session table
The command output shows that sessions tagged with Remote are created on FW_B,
indicating that sessions are successfully backed up after you configure hot standby.
4. Run the ping 1.1.1.10 -t command on the PC, pull out the cable from GE1/0/1 on
FW_A, and then check whether active/standby switchover is performed and whether
ping packets are discarded. Insert the cable back to GE1/0/1 on FW_A and check again
whether active/standby switchover is performed and whether ping packets are discarded.
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp nat resource primary-group hrp nat resource secondary-group
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 1.1.1.1 255.255.255.0 ip address 1.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.3 active vrrp vrid 1 virtual-ip 1.1.1.3 standby
vrrp vrid 2 virtual-ip 1.1.1.4 standby vrrp vrid 2 virtual-ip 1.1.1.4 active
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.3.0.3 active vrrp vrid 3 virtual-ip 10.3.0.3
vrrp vrid 4 virtual-ip 10.3.0.4 standby
standby vrrp vrid 4 virtual-ip 10.3.0.4 active
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
ip route-static 0.0.0.0 0.0.0.0 ip route-static 0.0.0.0 0.0.0.0
1.1.1.10 1.1.1.10
# #
nat address-group group1 1 nat address-group group1 1
section 0 1.1.1.2 1.1.1.5 section 0 1.1.1.2 1.1.1.5
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name trust_to_untrust rule name trust_to_untrust
source-zone trust source-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
# #
nat-policy nat-policy
rule name policy_nat1 rule name policy_nat1
source-zone trust source-zone trust
destination-zone untrust destination-zone untrust
source-address 10.3.0.0 16 source-address 10.3.0.0 16
action nat address-group group1 action nat address-group group1
2.1.8.14 CLI: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Downstream Devices
This section provides an example for configuring hot standby in active/standby mode in
which the service interfaces of each FW work at Layer 3 and are directly connected to routers.
Networking Requirements
As shown in Figure 2-71, the service interfaces of the FWs work at Layer 3 and are directly
connected to routers. OSPF runs between the FWs and upstream and downstream routers.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-71 Networking diagram for configuring active/standby when service interfaces work
at Layer 3 and connect to routers
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
GE1/0/7
10.10.0.2
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1 GE1/0/3
10.3.0.1/24 10.3.1.1/24
OSPF
Service link
Heartbeat link
Procedure
Step 1 Complete basic network configurations on FW_A.
# Set IP addresses for the interfaces.
<FW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/7
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure the function of adjusting the OSPF cost based on VGMP status. After you enable
this function, FW_A determines whether it is the active or standby FW when advertising
OSPF routes. If FW_A is the active device, it directly advertises the routes that it have
learned. If it is the standby device, it advertises the routes after increasing the cost values. In
this way, when upstream and downstream routers calculate routes, the next hop is pointed to
the active device, and packets are forwarded to the active device.
[NGFW_A] hrp adjust ospf-cost enable
1. The IP addresses of interfaces on FW_B are different from those of interfaces on FW_A.
2. The subnets to which FW_B advertises OSPF routes to are different from those to which
FW_A advertises OSPF routes to.
3. You need to specify the standby device on FW_B (hrp standby-device).
Step 4 Create a security policy on FW_A. After hot standby relationship is established, the security
policy on FW_A will be automatically backed up to FW_B.
HRP_M[NGFW_A] security-policy
HRP_M[NGFW_A-policy-security] rule name policy_sec
HRP_M[NGFW_A-policy-security-rule-policy_sec] source-zone local trust untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec ] destination-zone local trust
untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec ] action permit
Configure OSPF on the routers to advertise routes. For configuration commands, refer to the
related documents of the routers.
----End
Verification
Run the display hrp state verbose command on FW_A and FW_B to check the VGMP
group status. If the following information is displayed, hot standby relationship is successfully
established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer: standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed, old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1: up
GigabitEthernet1/0/3: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer: active
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed, old_
state = normal(standby), new_state = normal(standby), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: off
Detail information:
GigabitEthernet1/0/1: up
GigabitEthernet1/0/3: up
ospf-cost: +65500
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp standby-device
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp track interface GigabitEthernet remote 10.10.0.1
1/0/1 hrp track interface GigabitEthernet
hrp track interface GigabitEthernet 1/0/1
1/0/3 hrp track interface GigabitEthernet
# 1/0/3
interface GigabitEthernet 1/0/1 #
ip address 10.2.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet 1/0/3 #
ip address 10.3.0.1 255.255.255.0 interface GigabitEthernet 1/0/3
# ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet1/0/3 set priority 85
# add interface GigabitEthernet1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet 1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.1.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec action permit
source-zone local rule name policy_sec
source-zone trust source-zone local
source-zone untrust source-zone trust
destination-zone local source-zone untrust
destination-zone trust destination-zone local
destination-zone untrust destination-zone trust
action permit destination-zone untrust
action permit
2.1.8.15 CLI: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Downstream Devices
This section provides an example for configuring hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 3 and are directly connected to routers.
Networking Requirements
As shown in Figure 2-72, the service interfaces of the FWs work at Layer 3 and are directly
connected to routers. OSPF runs between the FWs and upstream and downstream routers.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-72 Networking diagram for configuring load balancing when service interfaces
work at Layer 3 and connect to routers
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
GE1/0/7
10.10.0.2
NGFW_A NGFW_B
GE1/0/7
GE1/0/3 10.10.0.1 GE1/0/3
10.3.0.1/24 10.3.1.1/24
OSPF
Service link
Heartbeat link
Procedure
Step 1 Complete basic network configurations on FW_A.
# Set IP addresses for the interfaces.
<FW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure quick session backup on both FWs in case of inconsistent forward and return
packet paths.
[NGFW_A] hrp mirror session enable
Configure OSPF on the routers to advertise routes. For configuration commands, refer to the
related documents of the routers.
----End
Verification
Run the display hrp state verbose command on FW_A and FW_B to check the VGMP
group status. If the following information is displayed, hot standby relationship is successfully
established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer: standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed, old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1: up
GigabitEthernet1/0/3: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer: active
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed, old_
state = normal(standby), new_state = normal(standby), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
GigabitEthernet1/0/1: up
GigabitEthernet1/0/3: up
ospf-cost: +0
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/1 1/0/1
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/3 1/0/3
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
ospf 10 ospf 10
area 0.0.0.0 area 0.0.0.0
network 10.2.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
network 10.3.0.0 0.0.0.255 network 10.3.1.0 0.0.0.255
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec rule name policy_sec
source-zone local source-zone local
source-zone trust source-zone trust
source-zone untrust source-zone untrust
destination-zone local destination-zone local
destination-zone trust destination-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
2.1.8.16 CLI: Active/Standby Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Layer-2 Downstream Devices
This section provides an example for configuring hot standby in active/standby mode in
which the service interfaces of each FW work at Layer 3 and are connected to upstream
routers and downstream switches.
Networking Requirements
As shown in Figure 2-73, the service interfaces of the FWs work at Layer 3 and are
connected to upstream routers and downstream switches. OSPF runs between the FWs and
upstream routers.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-73 Networking diagram for configuring active/standby when service interfaces work
at Layer 3 and connect to upstream routers and downstream switches
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
NGFW_A NGFW_B
GE1/0/7 GE1/0/7
GE1/0/3 10.10.0.1 10.10.0.2
GE1/0/3
10.3.0.1/24 10.3.0.2/24
Master VRRP group 1 Slave
10.3.0.3/24
Service link
Heartbeat link
Procedure
Step 1 Complete basic network configurations on FW_A.
# Set IP addresses for the interfaces.
<FW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] interface GigabitEthernet 1/0/7
[NGFW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[NGFW_A-GigabitEthernet1/0/7] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure a VGMP group on FW_A to monitor the upstream interface and configure a
VRRP group on the downstream interface.
# Configure VRRP group 1 on downstream service interface GE1/0/3 and set the VRRP
group status to Active.
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] quit
# Configure the function of adjusting the OSPF cost based on VGMP status.
[NGFW_A] hrp adjust ospf-cost enable
1. The IP addresses of interfaces on FW_B are different from those of interfaces on FW_A.
2. The subnets to which FW_B advertises OSPF routes to are different from those to which
FW_A advertises OSPF routes to.
3. The status of VRRP group 1 on downstream service interfaces GE1/0/3 on FW_B must
be set to Standby.
Step 4 Create security policies on FW_A. After hot standby relationship is established, the security
policies on FW_A will be automatically backed up to FW_B.
# Configure a security policy to allow intranet users to access the Internet.
HRP_M[NGFW_A] security-policy
HRP_M[NGFW_A-policy-security] rule name policy_sec1
HRP_M[NGFW_A-policy-security-rule-policy_sec1] source-zone trust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] action permit
HRP_M[NGFW_A-policy-security-rule-policy_sec1] quit
# Configure a security policy to allow FW_A and the upstream router (in the Untrust zone) to
exchange OSPF packets.
HRP_M[NGFW_A-policy-security] rule name policy_sec2
HRP_M[NGFW_A-policy-security-rule-policy_sec2] source-zone local untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec2] destination-zone local untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec2] action permit
----End
Verification
1. Run the display vrrp command on FW_A to check the status information about the
interfaces in the VRRP group. If the following information is displayed, the VRRP group
is successfully created.
HRP_M<NGFW_A> display vrrp
GigabitEthernet1/0/3 | Virtual Router
1
State :
Active
Virtual IP :
10.3.0.3
Master IP :
10.3.0.1
PriorityRun :
120
PriorityConfig :
100
MasterPriority :
120
Preempt : YES Delay Time : 0
s
TimerRun : 60
s
TimerConfig : 60
s
Auth type :
NONE
Virtual MAC :
0000-5e00-0101
Check TTL :
YES
Config type : vgmp-
vrrp
Backup-forward :
disabled
Create time : 2015-03-17 17:35:54 UTC
+08:00
Last change time : 2015-03-22 16:01:56 UTC+08:00
2. Run the display hrp state verbose command on FW_A and FW_B to check the VGMP
group status. If the following information is displayed, hot standby relationship is
successfully established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 4604.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/3 vrrp vrid 1: active
GigabitEthernet1/0/1: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(standby), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/3 vrrp vrid 1: standby
GigabitEthernet1/0/1: up
ospf-cost: +65500
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp track interface GigabitEthernet hrp track interface GigabitEthernet
1/0/1 1/0/1
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.2.0.1 255.255.255.0 ip address 10.2.1.1 255.255.255.0
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
ip address 10.3.0.1 255.255.255.0 ip address 10.3.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.3 active vrrp vrid 1 virtual-ip 10.3.0.3
# standby
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone trust rule name policy_sec1
destination-zone untrust source-zone trust
action permit destination-zone untrust
rule name policy_sec2 action permit
source-zone local rule name policy_sec2
source-zone untrust source-zone local
destination-zone local source-zone untrust
destination-zone untrust destination-zone local
action permit destination-zone untrust
action permit
2.1.8.17 CLI: Load Balancing Networking in Which the FWs Are Connected In-
line to Layer-3 Upstream and Layer-2 Downstream Devices
This section provides an example for configuring hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 3 and are connected to upstream
routers and downstream switches.
Networking Requirements
As shown in Figure 2-74, the service interfaces of the FWs work at Layer 3 and are
connected to upstream routers and downstream switches. OSPF runs between the FWs and
upstream routers.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-74 Networking diagram for configuring load balancing when service interfaces
work at Layer 3 and connect to upstream routers and downstream switches
OSPF
GE1/0/1 GE1/0/1
10.2.0.1/24 10.2.1.1/24
NGFW_A NGFW_B
GE1/0/7 GE1/0/7
GE1/0/3 10.10.0.1 10.10.0.2
GE1/0/3
10.3.0.1/24 10.3.0.2/24
Master VRRP group 1 Slave
10.3.0.3/24
VRRP group 2
Slave Master
10.3.0.4/24
Service link
Heartbeat link
Procedure
Step 1 Complete basic network configurations on FW_A.
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure VRRP groups 1 and 2 on downstream service interface GE1/0/3 and set the status
of VRRP group 1 to Active and status of VRRP group 2 to Standby to implement load
balancing.
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.4 standby
[NGFW_A-GigabitEthernet1/0/3] quit
Step 4 Create security policies on FW_A. After hot standby relationship is established, the security
policies on FW_A will be automatically backed up to FW_B.
# Configure a security policy to allow intranet users to access the Internet.
HRP_M[NGFW_A] security-policy
HRP_M[NGFW_A-policy-security] rule name policy_sec1
HRP_M[NGFW_A-policy-security-rule-policy_sec1] source-zone trust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] destination-zone untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] action permit
HRP_M[NGFW_A-policy-security-rule-policy_sec1] quit
# Configure a security policy to allow FW_A and the upstream router (in the Untrust zone) to
exchange OSPF packets.
HRP_M[NGFW_A-policy-security] rule name policy_sec2
HRP_M[NGFW_A-policy-security-rule-policy_sec2] source-zone local untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec2] destination-zone local untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec2] action permit
----End
Verification
1. Run the display vrrp command on FW_A to check the status information about the
interfaces in the VRRP group. If the following information is displayed, the VRRP group
is successfully created.
HRP_M<NGFW_A> display vrrp
GigabitEthernet1/0/3 | Virtual Router
1
State :
Active
Virtual IP :
10.3.0.3
Master IP :
10.3.0.1
PriorityRun :
120
PriorityConfig :
100
MasterPriority :
120
Preempt : YES Delay Time : 0
s
TimerRun : 60
s
TimerConfig : 60
s
Auth type :
NONE
Virtual MAC :
0000-5e00-0101
Check TTL :
YES
Config type : vgmp-
vrrp
Backup-forward :
disabled
2. Run the display hrp state verbose command on FW_A and FW_B to check the VGMP
group status. If the following information is displayed, hot standby relationship is
successfully established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
on
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/3 vrrp vrid 1: active
GigabitEthernet1/0/3 vrrp vrid 2: standby
GigabitEthernet1/0/1: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = initial, new_state = normal(standby), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
on
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/3 vrrp vrid 1: standby
GigabitEthernet1/0/3 vrrp vrid 2: active
GigabitEthernet1/0/1: up
ospf-cost: +0
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp mirror session enable
hrp interface GigabitEthernet 1/0/7 hrp enable
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp mirror session enable remote 10.10.0.1
hrp track interface GigabitEthernet hrp mirror session enable
1/0/1 hrp track interface GigabitEthernet
# 1/0/1
interface GigabitEthernet 1/0/1 #
ip address 10.2.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet 1/0/3 #
ip address 10.3.0.1 255.255.255.0 interface GigabitEthernet 1/0/3
vrrp vrid 1 virtual-ip 10.3.0.3 active ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.4 vrrp vrid 1 virtual-ip 10.3.0.3
standby standby
# vrrp vrid 2 virtual-ip 10.3.0.4 active
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.2 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/3 set priority 85
# add interface GigabitEthernet 1/0/3
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet 1/0/7 set priority 50
# add interface GigabitEthernet 1/0/7
ospf 10 #
area 0.0.0.0 ospf 10
network 10.2.0.0 0.0.0.255 area 0.0.0.0
network 10.3.0.0 0.0.0.255 network 10.2.1.0 0.0.0.255
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone trust rule name policy_sec1
destination-zone untrust source-zone trust
action permit destination-zone untrust
rule name policy_sec2 action permit
source-zone local rule name policy_sec2
source-zone untrust source-zone local
destination-zone local source-zone untrust
destination-zone untrust destination-zone local
action permit destination-zone untrust
action permit
2.1.8.18 CLI: Load Balancing Networking in Which the FWs Are Connected
Transparently to Layer-3 Upstream and Downstream Devices
This section provides an example for configuring hot standby in load balancing mode in
which the service interfaces of each FW work at Layer 2 and are directly connected to routers.
Networking Requirements
As shown in Figure 2-75, the service interfaces of the FWs work at Layer 2 and are directly
connected to routers. The upstream and downstream service interfaces on the FWs are added
to VLAN2.
OSPF runs between the upstream and downstream routers. The FWs work as Layer-2 devices
and transparently forward OSPF packets.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-75 Networking diagram for configuring load balancing when service interfaces
work at Layer 2 and connect to routers
OSPF
OSPF
Service link
Heartbeat link
VLAN
Procedure
Step 1 Complete basic network configurations on FW_A.
# Use the upstream and downstream service interfaces as Layer-2 interfaces and add them to
the same VLAN.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] portswitch
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] portswitch
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] vlan 2
[NGFW_A-vlan2] port GigabitEthernet 1/0/1
[NGFW_A-vlan2] port GigabitEthernet 1/0/3
[NGFW_A-vlan2] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# To implement load balancing, configure active and standby VGMP groups to monitor the
VLANs.
# Configure quick session backup on both FWs in case of inconsistent forward and return
packet paths.
[NGFW_A] hrp mirror session enable
Configurations on FW_B and FW_A are the same except that the heartbeat interface on
FW_B has a different IP address from that on FW_A.
Step 4 Create a security policy on FW_A. After hot standby relationship is established, the security
policy on FW_A will be automatically backed up to FW_B.
# Configure a security policy to allow OSPF packets transmitted between the upstream and
downstream routers and the packets exchanged between the intranet and Internet.
HRP_M[NGFW_A] security-policy
HRP_M[NGFW_A-policy-security] rule name policy_sec1
HRP_M[NGFW_A-policy-security-rule-policy_sec1] source-zone trust untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] destination-zone trust untrust
HRP_M[NGFW_A-policy-security-rule-policy_sec1] action permit
Configure OSPF on the routers to advertise routes. For configuration commands, refer to the
related documents of the routers.
----End
Verification
# Run the display hrp state verbose command on FW_A to check the VGMP group status. If
the following information is displayed, hot standby relationship is successfully established.
HRP_M<FW_A> display hrp state verbose
Role: active, peer: standby
Running priority: 46004, peer: 46004
Core state: normal, peer: normal
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed, old_
state = normal(standby), new_state = normal(active), local_priority = 46004,
peer_priority = 46004.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
vlan 2: enabled
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
hrp mirror session enable hrp mirror session enable
hrp track vlan 2 hrp track vlan 2
# #
vlan batch 2 vlan batch 2
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
portswitch portswitch
port default vlan 2 port default vlan 2
# #
interface GigabitEthernet 1/0/3 interface GigabitEthernet 1/0/3
portswitch portswitch
port default vlan 2 port default vlan 2
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/3 add interface GigabitEthernet 1/0/3
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone trust source-zone trust
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-zone untrust destination-zone untrust
action permit action permit
2.1.8.19 CLI: Active/Standby Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Static Routing Mode)
This section provides an example for configuring the active/standby FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using static routing.
Networking Requirements
As shown in Figure 2-76, two FWs are connected off-line to the core switches in the data
center to secure the data center network. All traffic on the core switches is diverted to the
FWs based on static routes for security checks.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-76 Networking diagram for configuring hot standby when the FWs are deployed in
off-line mode (using static routing for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Heartbeat Link 10.10.0.2/24
10.1.0.1/24 10.1.0.2/24
GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/4
GE1/0/4 GE1/0/3 GE1/0/0
GE1/0/0 GE1/0/3
10.0.0.2/24
10.0.0.1/24
NGFW_A NGFW_B
Server area
192.168.0.0/16
Configuration Roadmap
1. As shown in Figure 2-77, if the core switches need to use static routes to divert traffic to
the FWs, you need to configure static routes and set the next hops to the IP addresses of
the FW interfaces. However, the core switches and upstream routers and downstream
aggregation switches run OSPF. Therefore, traffic cannot be diverted to the FWs after
reaching the core switches. Instead, the traffic is directly forwarded to the upstream and
downstream devices.
Therefore, you must configure the virtual routing and forwarding (VRF) function on the
core switches to virtualize each core switch into a public switch (Public) for connecting
to the upstream switch and a virtual switch (VRF) for connecting to the downstream
switch. The two virtualized switches are isolated. Therefore, traffic can be diverted to the
FWs.
GE1/0/7 GE1/0/7
10.10.0.1/24 10.10.0.2/24
GE1/0/1 GE1/0/1
10.1.0.1/24 Public GE1/0/2 Public 10.1.0.2/24
GE1/0/1 GE1/0/2 GE1/0/1
GE1/0/3 GE1/0/4 GE1/0/3
VRF GE1/0/4 VRF
GE1/0/0 GE1/0/0
10.0.0.1/24 SW1 SW2 10.0.0.2/24
NGFW_A NGFW_B
2. Figure 2-77 can be abstracted as Figure 2-78. The FWs run static routes with upstream
and downstream switches (Public and VRF). Therefore, you need to configure VRRP
groups on the FWs and switches for them to communicate using the virtual IP addresses
of VRRP groups.
As shown in Figure 2-78, configure static routes on the FWs and set the next hops to the
IP addresses of VRRP groups 3 and 4. Configure a static route on the Public switch and
set the next hop to the IP address of VRRP group 2. Configure a static route on the VRF
switch and set the next hop to the IP address of VRRP group 1.
OSPF
GE1/0/2 GE1/0/2
Public Public
VLAN3
VRRP4 GE1/0/1 GE1/0/1
10.1.0.6/24 Active VLANIF3 VLANIF3 Standby
10.1.0.4/24 10.1.0.5/24
GE1/0/1 GE1/0/1
VRRP2
Active 10.1.0.1/24 10.1.0.2/24 Standby
10.1.0.3/24
GE1/0/7
10.10.0.1/24
GE1/0/7
VRRP1 10.10.0.2/24
10.0.0.3/24 Active GE1/0/0 GE1/0/0 Standby
10.0.0.1/24 10.0.0.2/24
NOTE
The core switches run static routes with the FWs and OSPF with other devices. Figure 2-78 lists only
the core switch interfaces related to the FWs.
3. Specify GE1/0/7 on the FW as the heartbeat interface and enable hot standby.
4. Configure security functions, such as security policies, on FW_A. FW_A will
automatically synchronizes its configurations to FW_B. This section describes only
security policy configurations as an example.
Procedure
Step 1 Set interface IP addresses and assign the interfaces to security zones.
# Set IP addresses for the interfaces of FW_A and FW_B based on the parameters in Figure
2-78.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/0
[FW_A-GigabitEthernet1/0/0] ip address 10.0.0.1 24
[FW_A-GigabitEthernet1/0/0] quit
# Assign the interfaces to security zones. This section uses the configurations on FW_A as an
example. The configurations on FW_B are the same as those on FW_A.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/0
[FW_A-zone-trust] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned on FW_A and FW_B.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure a static route for the downstream direction and set the destination address to an
address in the server area and the next hop to the IP address of VRRP group 3.
[FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
# Configure Switch1.
[Switch1] ip vpn-instance VRF //Create VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 1.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 2.
# Configure Switch2.
[Switch2] ip vpn-instance VRF //Create VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
----End
Verification
1. Run the display hrp state verbose command on FW_A and FW_B to view hot standby
status.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/1 vrrp vrid 2: active
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = initial, new_state = normal(standby), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/1 vrrp vrid 2: standby
2. Run the display firewall session table command on FW_A and FW_B. You can view
that FW_A has sessions, indicating that the traffic on the core switch is diverted to the
FW, and hot standby in active/standby mode is successfully configured.
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.0.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.3 active vrrp vrid 1 virtual-ip 10.0.0.3
# standby
interface GigabitEthernet 1/0/1 #
ip address 10.1.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
vrrp vrid 2 virtual-ip 10.1.0.3 active ip address 10.1.0.2 255.255.255.0
# vrrp vrid 2 virtual-ip 10.1.0.3
interface GigabitEthernet 1/0/7 standby
ip address 10.10.0.1 255.255.255.0 #
# interface GigabitEthernet 1/0/7
firewall zone trust ip address 10.10.0.1 255.255.255.0
set priority 85 #
add interface GigabitEthernet 1/0/0 firewall zone trust
# set priority 85
firewall zone dmz add interface GigabitEthernet 1/0/0
set priority 50 #
add interface GigabitEthernet1/0/7 firewall zone dmz
# set priority 50
firewall zone untrust add interface GigabitEthernet1/0/7
set priority 5 #
add interface GigabitEthernet 1/0/1 firewall zone untrust
# set priority 5
ip route-static 0.0.0.0 0.0.0.0 add interface GigabitEthernet 1/0/1
10.1.0.6 #
ip route-static 192.168.0.0 ip route-static 0.0.0.0 0.0.0.0
255.255.0.0 10.0.0.6 10.1.0.6
# ip route-static 192.168.0.0
security-policy 255.255.0.0 10.0.0.6
rule name ha #
source-zone local security-policy
source-zone dmz rule name ha
destination-zone local source-zone local
destination-zone dmz source-zone dmz
action permit destination-zone local
rule name policy_sec1 destination-zone dmz
source-zone untrust action permit
destination-zone trust rule name policy_sec1
destination-address 192.168.0.0 16 source-zone untrust
service http destination-zone trust
action permit destination-address 192.168.0.0 16
service http
action permit
2.1.8.20 CLI: Load Balancing Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Static Routing Mode)
This section provides an example for configuring the load balancing FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using static routing.
Networking Requirements
As shown in Figure 2-79, two FWs are connected off-line to the core switches in the data
center to secure the data center network. All traffic on the core switches is diverted to the
FWs based on static routes for security checks.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-79 Networking diagram for configuring hot standby when the FWs are deployed in
off-line mode (using static routing for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Heartbeat link 10.10.0.2/24
10.1.0.1/24 10.1.0.2/24
GE1/0/2
GE1/0/1 GE1/0/1 GE1/0/1 GE1/0/1
GE1/0/2
GE1/0/4
GE1/0/0 GE1/0/3 GE1/0/4 GE1/0/3 GE1/0/0
10.0.0.1/24 10.0.0.2/24
FW_A FW_B
Server area
192.168.0.0/16
Configuration Roadmap
1. As shown in Figure 2-80, if the core switches need to use static routes to divert traffic to
the FWs, you need to configure static routes and set the next hops to the IP addresses of
the FW interfaces. However, the core switches and upstream routers and downstream
aggregation switches run OSPF. Therefore, traffic cannot be diverted to the FWs after
reaching the core switches. Instead, the traffic is directly forwarded to the upstream and
downstream devices.
Therefore, you must configure the virtual routing and forwarding (VRF) function on the
core switches to virtualize each core switch into a public switch (Public) for connecting
to the upstream switch and a virtual switch (VRF) for connecting to the downstream
switch. The two virtualized switches are isolated. Therefore, traffic can be diverted to the
FWs.
2. Figure 2-80 can be abstracted as Figure 2-81. The FWs run static routes with upstream
and downstream switches (Public and VRF). Therefore, you need to configure VRRP
groups on the FWs and switches for them to communicate using the virtual IP addresses
of VRRP groups.
As shown in Figure 2-81, the FWs work in load balancing mode. You need to configure
two equal-cost static routes in the same direction on the FWs and set the next hops
respectively to the IP addresses of the two peer VRRP groups. Configure another two
equal-cost static routes on the Public or VRF switch and set the next hops respectively to
the IP addresses of the two VRRP groups on the FW interfaces.
OSPF
GE1/0/2 GE1/0/2
Public Public
VLAN3
GE1/0/1 GE1/0/1 VRRP group 4
Active 10.1.0.6/24
VLANIF3 VLANIF3 Standby
Standby 10.1.0.4/24 10.1.0.5/24 Active
VRRP group 8
VRRP group 6 10.1.0.8/24
10.1.0.7/24 Standby Active
GE1/0/1 GE1/0/1
Active 10.1.0.1/24 10.1.0.2/24 Standby
VRRP group 2 GE1/0/7
10.1.0.3/24 10.10.0.1/24
GE1/0/7
VRRP group 1 10.10.0.2/24
10.0.0.3/24 Active GE1/0/0 GE1/0/0 Standby
10.0.0.1/24 10.0.0.2/24
VRRP group 5Standby Active
10.0.0.7/24
VRRP group 7
Standby Active
10.0.0.8/24
Active VLANIF2 VLANIF2 Standby
10.0.0.4/24 10.0.0.5/24 VRRP group 3
GE1/0/3 GE1/0/3 10.0.0.6/24
VLAN2
VRF VRF
GE1/0/4 GE1/0/4
OSPF
NOTE
The core switches run static routes with the FWs and OSPF with other devices. Figure 2-81 lists only
the core switch interfaces related to the FWs.
3. Specify GE1/0/7 on the FW as the heartbeat interface and enable hot standby.
4. Configure security functions, such as security policies, on FW_A. FW_A will
automatically synchronizes its configurations to FW_B. This section describes only
security policy configurations as an example.
Procedure
Step 1 Set interface IP addresses and assign the interfaces to security zones.
# Set IP addresses for the interfaces of FW_A and FW_B based on the parameters in Figure
2-81.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/0
[FW_A-GigabitEthernet1/0/0] ip address 10.0.0.1 24
[FW_A-GigabitEthernet1/0/0] quit
# Assign the interfaces to security zones. This section uses the configurations on FW_A as an
example. The configurations on FW_B are the same as those on FW_A.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/0
[FW_A-zone-trust] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned on FW_A and FW_B.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
# Configure two static routes for the downstream direction and set the destination addresses to
addresses in the server area and the next hops respectively to the IP addresses of VRRP
groups 3 and 7.
[FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
[FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.8
# Configure quick session backup on both FWs in case of inconsistent forward and return
packet paths.
[FW_A] hrp mirror session enable
[FW_B] hrp mirror session enable
# Configure Switch1.
[Switch1] ip vpn-instance VRF //Create VRF.
[Switch1-vpn-instance-VRF] ipv4-family
[Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch1-vpn-instance-VRF-af-ipv4] quit
[Switch1-vpn-instance-VRF] quit
[Switch1] vlan 2
[Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch1-vlan2] quit
[Switch1] interface Vlanif 2
[Switch1-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch1-Vlanif2] ip address 10.0.0.4 24
[Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch1-Vlanif2] vrrp vrid 3 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Create VRRP group 7.
[Switch1-Vlanif2] vrrp vrid 7 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch1-Vlanif2] quit
[Switch1] vlan 3
[Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch1-vlan3] quit
[Switch1] interface Vlanif 3
[Switch1-Vlanif3] ip address 10.1.0.4 24
[Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch1-Vlanif3] vrrp vrid 8 virtual-ip 10.1.0.8 //Create VRRP group 4.
[Switch1-Vlanif3] vrrp vrid 8 priority 120 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch1-Vlanif3] quit
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 1.
[Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 5.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 2.
[Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 6.
# Configure Switch2.
[Switch2] ip vpn-instance VRF //Create VRF.
[Switch2-vpn-instance-VRF] ipv4-family
[Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
[Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
[Switch2-vpn-instance-VRF-af-ipv4] quit
[Switch2-vpn-instance-VRF] quit
[Switch2] vlan 2
[Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4 //Add the interface to
VLAN2.
[Switch2-vlan2] quit
[Switch2] interface Vlanif 2
[Switch2-Vlanif2] ip binding vpn-instance VRF //Bind VLANIF2 to VRF.
[Switch2-Vlanif2] ip address 10.0.0.5 24
[Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6 //Create VRRP group 3.
[Switch2-Vlanif2] vrrp vrid 3 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif2] vrrp vrid 7 virtual-ip 10.0.0.8 //Create VRRP group 7.
[Switch2-Vlanif2] vrrp vrid 7 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch2-Vlanif2] quit
[Switch2] vlan 3
[Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2 //Add the interface to
VLAN3.
[Switch2-vlan3] quit
[Switch2] interface Vlanif 3
[Switch2-Vlanif3] ip address 10.1.0.5 24
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6 //Create VRRP group 4.
[Switch2-Vlanif3] vrrp vrid 4 priority 100 //Set the priority to 100. The
VRRP group with low priority is standby.
[Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.8 //Create VRRP group 8.
[Switch2-Vlanif3] vrrp vrid 4 priority 120 //Set the priority to 120. The
VRRP group with high priority is active.
[Switch2-Vlanif3] quit
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 1.
[Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.7 //
Configure a default route on the VRF and set the next hop to the virtual IP
address of VRRP group 5.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 2.
[Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.7 //Configure a
static route on the Public switch and set the next hop to the virtual IP address
of VRRP group 6.
----End
Verification
1. Run the display hrp state verbose command on FW_A and FW_B to view hot standby
status.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
on
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0 vrrp vrid 1: active
GigabitEthernet1/0/0 vrrp vrid 5: standby
GigabitEthernet1/0/1 vrrp vrid 2: active
GigabitEthernet1/0/1 vrrp vrid 6: standby
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = initial, new_state = normal(standby), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
on
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0 vrrp vrid 1: standby
GigabitEthernet1/0/0 vrrp vrid 5: active
GigabitEthernet1/0/1 vrrp vrid 2: standby
GigabitEthernet1/0/1 vrrp vrid 6: active
2. Run the display firewall session table command on FW_A and FW_B. You can view
that FW_A has sessions, indicating that the traffic on the core switch is diverted to the
FW, and hot standby in load balancing mode is successfully configured.
Configuration Scripts
FW_A FW_B
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.0.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.3 active vrrp vrid 1 virtual-ip 10.0.0.3
vrrp vrid 5 virtual-ip 10.0.0.7 standby
standby vrrp vrid 5 virtual-ip 10.0.0.7 active
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.1.0.1 255.255.255.0 ip address 10.1.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.0.3 active vrrp vrid 2 virtual-ip 10.1.0.3
vrrp vrid 6 virtual-ip 10.1.0.7 standby
standby vrrp vrid 6 virtual-ip 10.1.0.7 active
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.1 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/0 add interface GigabitEthernet 1/0/0
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
ip route-static 0.0.0.0 0.0.0.0 ip route-static 0.0.0.0 0.0.0.0
10.1.0.6 10.1.0.6
ip route-static 0.0.0.0 0.0.0.0 ip route-static 0.0.0.0 0.0.0.0
10.1.0.8 10.1.0.8
ip route-static 192.168.0.0 ip route-static 192.168.0.0
255.255.0.0 10.0.0.6 255.255.0.0 10.0.0.6
ip route-static 192.168.0.0 ip route-static 192.168.0.0
255.255.0.0 10.0.0.8 255.255.0.0 10.0.0.8
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 192.168.0.0 16 destination-address 192.168.0.0 16
service http service http
action permit action permit
2.1.8.21 CLI: Active/Standby Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Dynamic Routing Mode)
This section provides an example for configuring the active/standby FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using PBR.
Networking Requirements
As shown in Figure 2-82, two FWs are connected off-line to the core switches in the data
center to secure the data center network and isolate areas on the intranet. All traffic on the
core switches is diverted to the FWs based on PBR for security checks.
The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by
FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Figure 2-82 Networking diagram for configuring hot standby when the s are deployed in off-
line mode (using PBR for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Switch1 OSPF GE1/0/4 Switch2 10.10.0.2/24
GE1/0/4
GE1/0/1 GE1/0/3 10.4.0.1/24 10.5.0.1/24 GE1/0/3 GE1/0/1
10.1.0.1/24 10.1.0.2/24 GE1/0/1 10.3.0.2/24 10.3.0.1/24
172.16.3.2/24
GE1/0/1
GE1/0/0 GE1/0/2 172.16.3.1/24 GE1/0/2 GE1/0/0
10.0.0.1/24 10.0.0.2/24 GE1/0/0 GE1/0/0 10.2.0.2/24 10.2.0.1/24
FW_A 172.16.1.1/24 172.16.2.1/24 FW_B
OSPF
Server area
192.168.0.0/16
PBR
Actual traffic
Configuration Roadmap
1. As shown in Figure 2-82, the traffic on the core switches is diverted to the FW using
PBR. The FW detects the traffic and injects the traffic back to the core switch. In such
cases, the FW and core switch need to run a dynamic routing protocol (OSPF is used as
an example).
To ensure that traffic is forwarded in the direction shown in Figure 2-82, configure two
OSPF processes on the FW, import them to each other, and then configure another two
OSPF processes on the core switches.
2. Figure 2-82 can be abstracted to Figure 2-83. Figure 2-83 is typical load balancing
networking in which the FWs are connected to Layer-3 devices. You can understand the
relationship between the two figures based on the interface numbers and the actual traffic
direction.
Figure 2-83 Networking diagram for configuring hot standby when the FWs are
connected to Layer-3 devices
Switch1 Switch2
GE1/0/3 GE1/0/3
10.1.0.2/24 10.3.0.2/24
GE1/0/1 OSPF
GE1/0/1
10.1.0.1/24 10.3.0.1/24
GE1/0/7
10.10.0.1/24
FW_A FW_B
GE1/0/7
GE1/0/0 10.10.0.2/24
GE1/0/0
10.0.0.1/24
OSPF 10.2.0.1/24
GE1/0/2 GE1/0/2
10.0.0.2/24 10.2.0.2/24
GE1/0/1
172.16.3.2/24
Switch1 Switch2
GE1/0/1
172.16.3.1/24
GE1/0/0 GE1/0/0
172.16.1.1/24 OSPF 172.16.2.1/24
PBR
Actual traffic
Procedure
Step 1 Set interface IP addresses and assign the interfaces to security zones.
# Set IP addresses for the interfaces of FW_A and FW_B based on the parameters in Figure
2-83.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/0
[FW_A-GigabitEthernet1/0/0] ip address 10.0.0.1 24
[FW_A-GigabitEthernet1/0/0] quit
# Assign the interfaces to security zones. This section uses the configurations on FW_A as an
example. The configurations on FW_B are the same as those on FW_A.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/0
[FW_A-zone-trust] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned on FW_A and FW_B.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
2. Configure OSPF.
As shown in Figure 2-83, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch1] router id 3.3.3.3
[Switch1] ospf 100
[Switch1-ospf-100] area 0
[Switch1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] quit
[Switch1-ospf-100] quit
[Switch1] ospf 200
[Switch1-ospf-200] area 0
[Switch1-ospf-200-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] quit
[Switch1-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch1] acl 3000
[Switch1-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3000] quit
[Switch1] traffic classifier in
[Switch1-classifier-in] if-match acl 3000
[Switch1-classifier-in] quit
[Switch1] traffic behavior in
[Switch1-behavior-in] redirect ip-nexthop 10.1.0.1
[Switch1-behavior-in] quit
[Switch1] traffic policy in
[Switch1-trafficpolicy-in] classifier in behavior in
[Switch1-trafficpolicy-in] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch1-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch1] acl 3001
[Switch1-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3001] quit
[Switch1] traffic classifier out
[Switch1-classifier-out] if-match acl 3001
[Switch1-classifier-out] quit
[Switch1] traffic behavior out
[Switch1-behavior-out] redirect ip-nexthop 10.0.0.1
[Switch1-behavior-out] quit
[Switch1] traffic policy out
[Switch1-trafficpolicy-out] classifier out behavior out
[Switch1-trafficpolicy-out] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
2. Configure OSPF.
As shown in Figure 2-83, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch2] router id 4.4.4.4
[Switch2] ospf 100
[Switch2-ospf-100] area 0
[Switch2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] quit
[Switch2-ospf-100] quit
[Switch2] ospf 200
[Switch2-ospf-200] area 0
[Switch2-ospf-200-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] network 10.5.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] quit
[Switch2-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch2] acl 3000
[Switch2-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3000] quit
[Switch2] traffic classifier in
[Switch2-classifier-in] if-match acl 3000
[Switch2-classifier-in] quit
[Switch2] traffic behavior in
[Switch2-behavior-in] redirect ip-nexthop 10.3.0.1
[Switch2-behavior-in] quit
[Switch2] traffic policy in
[Switch2-trafficpolicy-in] classifier in behavior in
[Switch2-trafficpolicy-in] quit
[Switch2] interface gigabitethernet 1/0/4
[Switch2-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch2-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch2] acl 3001
[Switch2-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3001] quit
[Switch2] traffic classifier out
[Switch2-classifier-out] if-match acl 3001
[Switch2-classifier-out] quit
[Switch2] traffic behavior out
[Switch2-behavior-out] redirect ip-nexthop 10.2.0.1
[Switch2-behavior-out] quit
[Switch2] traffic policy out
[Switch2-trafficpolicy-out] classifier out behavior out
[Switch2-trafficpolicy-out] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch2-GigabitEthernet1/0/0] quit
----End
Verification
1. Run the display hrp state verbose command on FW_A and FW_B to view hot standby
status.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0: up
GigabitEthernet1/0/1: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = initial, new_state = normal(standby), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0: up
GigabitEthernet1/0/1: up
ospf-cost: +65500
2. Run the display firewall session table command on FW_A and FW_B. You can view
that FW_A has sessions, indicating that the traffic on the core switch is diverted to the
FW, and hot standby in active/standby mode is successfully configured.
Configuration Scripts
FW_A FW_B
# #
router id 1.1.1.1 router id 2.2.2.2
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp standby-device
remote 10.10.0.2 hrp interface GigabitEthernet 1/0/7
hrp track interface remote 10.10.0.1
GigabitEthernet1/0/0 hrp track interface
hrp track interface GigabitEthernet1/0/0
GigabitEthernet1/0/1 hrp track interface
# GigabitEthernet1/0/1
interface GigabitEthernet 1/0/0 #
ip address 10.0.0.1 255.255.255.0 interface GigabitEthernet 1/0/0
# ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet 1/0/1 #
ip address 10.1.0.1 255.255.255.0 interface GigabitEthernet 1/0/1
# ip address 10.3.0.1 255.255.255.0
interface GigabitEthernet 1/0/7 #
ip address 10.10.0.1 255.255.255.0 interface GigabitEthernet 1/0/7
# ip address 10.10.0.1 255.255.255.0
firewall zone trust #
set priority 85 firewall zone trust
add interface GigabitEthernet 1/0/0 set priority 85
# add interface GigabitEthernet 1/0/0
firewall zone dmz #
set priority 50 firewall zone dmz
add interface GigabitEthernet1/0/7 set priority 50
# add interface GigabitEthernet1/0/7
firewall zone untrust #
set priority 5 firewall zone untrust
add interface GigabitEthernet 1/0/1 set priority 5
# add interface GigabitEthernet 1/0/1
ospf 100 #
import-route ospf 200 ospf 100
area 0.0.0.0 import-route ospf 200
network 10.0.0.0 0.0.0.255 area 0.0.0.0
ospf 200 network 10.2.0.0 0.0.0.255
import-route ospf 100 ospf 200
area 0.0.0.0 import-route ospf 100
network 10.1.0.0 0.0.0.255 area 0.0.0.0
# network 10.3.0.0 0.0.0.255
security-policy #
rule name ha security-policy
source-zone local rule name ha
source-zone dmz source-zone local
destination-zone local source-zone dmz
destination-zone dmz destination-zone local
action permit destination-zone dmz
rule name policy_sec1 action permit
source-zone untrust rule name policy_sec1
destination-zone trust source-zone untrust
destination-address 192.168.0.0 16 destination-zone trust
service http destination-address 192.168.0.0 16
action permit service http
action permit
2.1.8.22 CLI: Load Balancing Networking in Which the FWs Are Connected Off-
line to Layer-3 Devices (Dynamic Routing Mode)
This section provides an example for configuring the load balancing FWs connected in off-
line mode to the core switches in the data center to process the traffic that the core switches
divert to the FWs using PBR.
Networking Requirements
As shown in Figure 2-84, two FWs are connected off-line to the core switches in the data
center to secure the data center network and isolate areas on the intranet. All traffic on the
core switches is diverted to the FWs based on PBR for security checks.
The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B
forward traffic. If either FW fails, the other FW forwards all traffic to ensure service
continuity.
Figure 2-84 Networking diagram for configuring hot standby when the s are deployed in off-
line mode (using PBR for traffic diversion)
Internet/WAN
GE1/0/7 GE1/0/7
10.10.0.1/24 Switch1 OSPF GE1/0/4 Switch2 10.10.0.2/24
GE1/0/4
GE1/0/1 GE1/0/3 10.4.0.1/24 10.5.0.1/24 GE1/0/3 GE1/0/1
10.1.0.1/24 10.1.0.2/24 GE1/0/1 10.3.0.2/24 10.3.0.1/24
172.16.3.2/24
GE1/0/1
GE1/0/0 GE1/0/2 172.16.3.1/24 GE1/0/2 GE1/0/0
10.0.0.1/24 10.0.0.2/24 GE1/0/0 GE1/0/0 10.2.0.2/24 10.2.0.1/24
NGFW_A 172.16.1.1/24 172.16.2.1/24 NGFW_B
OSPF
Server area
192.168.0.0/16
PBR
Traffic
Configuration Roadmap
1. As shown in Figure 2-84, the traffic on the core switches is diverted to the FW using
PBR. The FW detects the traffic and injects the traffic back to the core switch. In such
cases, the FW and core switch need to run a dynamic routing protocol (OSPF is used as
an example).
To ensure that traffic is forwarded in the direction shown in Figure 2-84, configure two
OSPF processes on the FW, import them to each other, and then configure another two
OSPF processes on the core switches.
2. Figure 2-84 can be abstracted to Figure 2-85. Figure 2-85 is typical load balancing
networking in which the FWs are connected to Layer-3 devices. You can understand the
relationship between the two figures based on the interface numbers and the actual traffic
direction.
Figure 2-85 Networking diagram for configuring hot standby when the FWs are
connected to Layer-3 devices
Switch1 Switch2
GE1/0/3 GE1/0/3
10.1.0.2/24 10.3.0.2/24
GE1/0/1 OSPF
GE1/0/1
10.1.0.1/24 10.3.0.1/24
GE1/0/7
10.10.0.1/24
NGFW_A NGFW_B
GE1/0/7
GE1/0/0 10.10.0.2/24
GE1/0/0
10.0.0.1/24
OSPF 10.2.0.1/24
GE1/0/2 GE1/0/2
10.0.0.2/24 10.2.0.2/24
GE1/0/1
172.16.3.2/24
Switch1 Switch2
GE1/0/1
172.16.3.1/24
GE1/0/0 GE1/0/0
172.16.1.1/24 OSPF 172.16.2.1/24
PBR
Traffic
b. Configure PBR for the core switches to divert traffic to the FWs.
Procedure
Step 1 Set interface IP addresses and assign the interfaces to security zones.
# Set IP addresses for the interfaces of FW_A and FW_B based on the parameters in Figure
2-85.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/0
[FW_A-GigabitEthernet1/0/0] ip address 10.0.0.1 24
[FW_A-GigabitEthernet1/0/0] quit
# Assign the interfaces to security zones. This section uses the configurations on FW_A as an
example. The configurations on FW_B are the same as those on FW_A.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/0
[FW_A-zone-trust] quit
# Configure the action as permit in the security policy implemented between the Local zone
and the security zone to which the heartbeat interfaces are assigned on FW_A and FW_B.
[FW_A] security-policy
[FW_A-policy-security] rule name ha
[FW_A-policy-security-rule-ha] source-zone local dmz
[FW_A-policy-security-rule-ha] destination-zone local dmz
[FW_A-policy-security-rule-ha] action permit
[FW_A-policy-security-rule-ha] quit
[FW_A-policy-security] quit
[FW_B-ospf-100] quit
[FW_B] ospf 200
[FW_B-ospf-200] area 0
[FW_B-ospf-200-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[FW_B-ospf-200-area-0.0.0.0] quit
[FW_B-ospf-200] quit
[FW_B] ospf 100
[FW_B-ospf-100] import-route ospf 200
[FW_B-ospf-100] quit
[FW_B] ospf 200
[FW_B-ospf-200] import-route ospf 100
[FW_B-ospf-200] quit
# Configure hot standby on FW_B. Hot standby configurations on FW_B and FW_A are the
same except that a different remote parameter is specified in heartbeat interface
configuration.
1. Configure VGMP groups to monitor upstream and downstream service interfaces.
[FW_B] hrp track interface GigabitEthernet 1/0/0
[FW_B] hrp track interface GigabitEthernet 1/0/1
2. Configure OSPF.
As shown in Figure 2-85, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch1] router id 3.3.3.3
[Switch1] ospf 100
[Switch1-ospf-100] area 0
[Switch1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[Switch1-ospf-100-area-0.0.0.0] quit
[Switch1-ospf-100] quit
[Switch1] ospf 200
[Switch1-ospf-200] area 0
[Switch1-ospf-200-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] network 10.4.0.0 0.0.0.255
[Switch1-ospf-200-area-0.0.0.0] quit
[Switch1-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch1] acl 3000
[Switch1-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3000] quit
[Switch1] traffic classifier in
[Switch1-classifier-in] if-match acl 3000
[Switch1-classifier-in] quit
[Switch1] traffic behavior in
[Switch1-behavior-in] redirect ip-nexthop 10.1.0.1
[Switch1-behavior-in] quit
[Switch1] traffic policy in
[Switch1-trafficpolicy-in] classifier in behavior in
[Switch1-trafficpolicy-in] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch1-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch1] acl 3001
[Switch1-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch1-acl-adv-3001] quit
[Switch1] traffic classifier out
[Switch1-classifier-out] if-match acl 3001
[Switch1-classifier-out] quit
[Switch1] traffic behavior out
[Switch1-behavior-out] redirect ip-nexthop 10.0.0.1
[Switch1-behavior-out] quit
[Switch1] traffic policy out
[Switch1-trafficpolicy-out] classifier out behavior out
[Switch1-trafficpolicy-out] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch1-GigabitEthernet1/0/0] quit
# Configure Switch2.
2. Configure OSPF.
As shown in Figure 2-85, create two OSPF processes (blue and green cycles in the
figure) and advertise OSPF routes.
[Switch2] router id 4.4.4.4
[Switch2] ospf 100
[Switch2-ospf-100] area 0
[Switch2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.0.255
[Switch2-ospf-100-area-0.0.0.0] quit
[Switch2-ospf-100] quit
[Switch2] ospf 200
[Switch2-ospf-200] area 0
[Switch2-ospf-200-area-0.0.0.0] network 10.3.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] network 10.5.0.0 0.0.0.255
[Switch2-ospf-200-area-0.0.0.0] quit
[Switch2-ospf-200] quit
3. Configure PBR.
Configure policy-based route in for incoming traffic and set the next hop to the IP
address of GE1/0/1 on the FW so that the incoming traffic is diverted to the FW.
[Switch2] acl 3000
[Switch2-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3000] quit
[Switch2] traffic classifier in
[Switch2-classifier-in] if-match acl 3000
[Switch2-classifier-in] quit
[Switch2] traffic behavior in
[Switch2-behavior-in] redirect ip-nexthop 10.3.0.1
[Switch2-behavior-in] quit
[Switch2] traffic policy in
[Switch2-trafficpolicy-in] classifier in behavior in
[Switch2-trafficpolicy-in] quit
[Switch2] interface gigabitethernet 1/0/4
[Switch2-GigabitEthernet1/0/4] traffic-policy in inbound
[Switch2-GigabitEthernet1/0/4] quit
Configure policy-based route out for outgoing traffic and set the next hop to the IP
address of GE1/0/0 on the FW so that the outgoing traffic is diverted to the FW.
[Switch2] acl 3001
[Switch2-acl-adv-3001] rule permit ip source 192.168.0.0 0.0.0.255
[Switch2-acl-adv-3001] quit
[Switch2] traffic classifier out
[Switch2-classifier-out] if-match acl 3001
[Switch2-classifier-out] quit
[Switch2] traffic behavior out
[Switch2-behavior-out] redirect ip-nexthop 10.2.0.1
[Switch2-behavior-out] quit
[Switch2] traffic policy out
[Switch2-trafficpolicy-out] classifier out behavior out
[Switch2-trafficpolicy-out] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] traffic-policy out inbound
[Switch2-GigabitEthernet1/0/0] quit
----End
Verification
1. Run the display hrp state verbose command on FW_A and FW_B to view hot standby
status.
HRP_M<FW_A> display hrp state verbose
Role: active, peer:
standby
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = normal(standby), new_state = normal(active), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0: up
GigabitEthernet1/0/1: up
ospf-cost: +0
HRP_S<FW_B> display hrp state verbose
Role: standby, peer:
active
Running priority: 47002, peer: 47002
Core state: normal, peer: normal
Backup channel usage:
30%
Stable time: 1 days, 13 hours, 35
minutes
Last state change information: 2015-03-22 16:01:56 HRP core state changed,
old_
state = initial, new_state = normal(standby), local_priority = 47002,
peer_priority = 47002.
Configuration:
hello interval:
1000ms
preempt:
60s
mirror configuration:
off
mirror session:
off
track trunk member:
on
auto-sync configuration:
on
auto-sync connection-status:
on
adjust ospf-cost:
on
adjust ospfv3-cost:
on
adjust bgp-cost:
on
nat resource:
off
Detail
information:
GigabitEthernet1/0/0: up
GigabitEthernet1/0/1: up
ospf-cost: +0
2. Run the display firewall session table command on FW_A and FW_B. You can view
that FW_A has sessions, indicating that the traffic on the core switch is diverted to the
FW, and hot standby in load balancing mode is successfully configured.
Configuration Scripts
FW_A FW_B
# #
router id 1.1.1.1 router id 2.2.2.2
# #
hrp enable hrp enable
hrp interface GigabitEthernet 1/0/7 hrp interface GigabitEthernet 1/0/7
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface hrp track interface
GigabitEthernet1/0/0 GigabitEthernet1/0/0
hrp track interface hrp track interface
GigabitEthernet1/0/1 GigabitEthernet1/0/1
# #
interface GigabitEthernet 1/0/0 interface GigabitEthernet 1/0/0
ip address 10.0.0.1 255.255.255.0 ip address 10.2.0.1 255.255.255.0
# #
interface GigabitEthernet 1/0/1 interface GigabitEthernet 1/0/1
ip address 10.1.0.1 255.255.255.0 ip address 10.3.0.1 255.255.255.0
# #
interface GigabitEthernet 1/0/7 interface GigabitEthernet 1/0/7
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.1 255.255.255.0
# #
firewall zone trust firewall zone trust
set priority 85 set priority 85
add interface GigabitEthernet 1/0/0 add interface GigabitEthernet 1/0/0
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/7 add interface GigabitEthernet1/0/7
# #
firewall zone untrust firewall zone untrust
set priority 5 set priority 5
add interface GigabitEthernet 1/0/1 add interface GigabitEthernet 1/0/1
# #
ospf 100 ospf 100
import-route ospf 200 import-route ospf 200
area 0.0.0.0 area 0.0.0.0
network 10.0.0.0 0.0.0.255 network 10.2.0.0 0.0.0.255
ospf 200 ospf 200
import-route ospf 100 import-route ospf 100
area 0.0.0.0 area 0.0.0.0
network 10.1.0.0 0.0.0.255 network 10.3.0.0 0.0.0.255
# #
security-policy security-policy
rule name ha rule name ha
source-zone local source-zone local
source-zone dmz source-zone dmz
destination-zone local destination-zone local
destination-zone dmz destination-zone dmz
action permit action permit
rule name policy_sec1 rule name policy_sec1
source-zone untrust source-zone untrust
destination-zone trust destination-zone trust
destination-address 192.168.0.0 16 destination-address 192.168.0.0 16
service http service http
action permit action permit
2.1.9.1 Specifications
This section describes hot standby specifications.
Function Specifications
Function Sub-function Description
Hot standby Hot standby mode The FW supports two hot standby
modes:
l Active/Standby mode: The
active device processes
services, and the standby
device stays in standby state. If
an error occurs on the interface
or link of the active device or
the active device is faulty, the
standby device becomes active
and takes over services.
l Load balancing mode:
Normally, both devices process
services. If one device is faulty,
the other device takes over all
the services to ensure service
continuity.
Mutual backup of -
configurations between
the active and standby
devices
Performance Specifications
Function Sub-function Specifications
Version Description
Why Are the Same Configuration Items Arranged in Different Orders in the
Configuration Files on the Active and Standby FWs?
The fault usually results from inconsistent initial configurations of the two FWs. You need to
delete the configuration items in different orders and reconfigure them.
You are advised to configure hot standby based on the default settings.
Why Are the Session Tables on the Active and Standby FWs Different?
Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active FW
cannot be synchronized to the standby FW.
If the automatic session backup function is disabled, the sessions on the two FWs are
different. Even when the automatic session backup function is enabled, sessions are not
synchronized in real time. Only when the sessions to be synchronized are detected by the
session aging thread, the sessions are synchronized to the standby FW. Therefore, established
sessions are synchronized to the standby FW after a period (about 10 seconds).
The FWs do not back up sessions of the following types when the automatic session backup
function is enabled:
l Sessions to the FW
l Half-open TCP connections
l Sessions in which the first packets are UDP packets and subsequent packets are not (such
as the BitTorrent packets)
What Are the Differences Between Automatic Session Backup and Quick
Session Backup? Why Is Quick Session Backup Required in Case of Inconsistent
Forward and Return Paths?
The differences between quick session backup and automatic session backup are as follows:
l In quick session backup, sessions are synchronized to the standby FW immediately after
being set up. In automatic session backup, only sessions that require backup and are
detected by the session aging thread are synchronized to the standby FW.
l The quick session backup function can back up half-open TCP sessions and sessions to
the FW.
If the forward and return paths are different, enable quick session backup to ensure that the
sessions on the two FWs are the same.
Why Does TCP Services Are Interrupted When Quick Session Backup Is
Enabled in Case of Inconsistent Forward and Return Paths?
In case of inconsistent forward and return paths, the synchronization may fail or be delayed
due to traffic bursts, result in service delay or interruption. For example, one FW forwards
TCP SYN packets, and the other forwards TCP ACK packets. If the session table is not
synchronized, ACK packets may be discarded.
If this condition poses great impacts on services, disable stateful inspection on the FW.
Why Are the Sessions of the Current Active FW Marked with Remote After
Active/Standby Switchover?
The sessions marked with remote are synchronized from the original active FW. After active/
standby switchover, the synchronized sessions are still marked with remote until the sessions
age out.
Why Does the Log Server Receive NAT Session Logs from Both the Active and
Standby FWs?
Log configuration on the active FW is automatically synchronized to the standby FW. If the
log configuration is synchronized to the standby FW, the standby FW sends logs to the log
server.
You can perform the following steps to negate the log configuration on the standby FW:
1. Run the undo hrp auto-sync config command to disable the automatic configuration
synchronization function.
2. Negate the log server configuration.
3. Run the hrp auto-sync config command to enable the automatic configuration
synchronization. This ensures that subsequent configurations can be automatically
synchronized to the standby FW.
Why Does the Ping to the Virtual IP Address of the VRRP Group Fail?
Possible causes are as follows:
l VRIDs conflict.
l Pinging virtual IP addresses is disabled. Huawei FWs enable you to ping virtual IP
addresses by default. If ping virtual IP address is disabled, run the vrrp virtual-ip ping
enable command.
Must I Set a Physical IP Address for the Uplink or Downlink Interface After I
Set the Virtual IP Address of the VRRP Group on the Interface?
Yes. You must set a physical IP address for the interface before you set the virtual IP address
of the VRRP group on the interface. The physical IP address and the virtual address of the
VRRP group can reside on the same network segment or different network segments.
Why Does the Active FW Require a Longer Preemption Delay Than That on the
Standby FW?
Preemption starts after the original active FW recovers. If the preemption delay of the active
FW is too shorter than that on the standby FW, the active FW may switch status before the
session entries on the standby FW are completely synchronized to the active FW. As a result,
some services may be interrupted. Therefore, the active FW requires a longer preemption
delay.
Preemption does not start after the standby FW recovers. Therefore, preemption delay is
meaningless for the standby FW and you can use the default preemption delay.
Does a Long Preemption Delay for the Active FW Affect the Failure Response
Speed?
No. When the active FW fails, services are immediately switched to the standby FW. After
the original active FW recovers, it must wait for the preemption delay before preempting
During the process, the standby FW is working. Therefore, the long preemption delay of the
active FW does not affect the failure response speed.
How Does the Adjustment to the VGMP Hello Interval Affect the Network?
VGMP Hello packets are known as heartbeat packets and are used to check the operating
status of the active and standby FWs. If the standby VGMP group does not receive any
VGMP Hello packet from the peer within three consecutive Hello intervals, the standby
VGMP group considers that the peer fails and switches to the active state. Therefore, a short
VGMP Hello interval enhances the failure response speed of the FW.
However, if the interval is too short, the hot standby status may become unstable. When the
CPU is overloaded, the task of sending VGMP Hello packets cannot be scheduled, resulting
in a false switchover. Therefore, the default value, 1 second, is recommended.
What Should I Pay Attention to When Configuring IPSec VPN in Hot Standby
Networking?
l The service interfaces (including VLANIFs) connecting the FW to upstream and
downstream devices must work at Layer 3.
l Before configuring IPSec VPN, you must establish the hot standby status. The IPSec
policy configured on the active FW will be automatically synchronized to the standby
one. On the standby FW, you only need to apply the synchronized IPSec policy to the
outgoing interface.
l If the FW serves as the initiator of the IPSec tunnel, you must run the tunnel local ip-
address command to specify the virtual IP address of the VRRP group as the IP address
for IPSec negotiation.
l Configure DPD to delete the tunnel that has been established on the original active FW
after an active/standby switchover to prevent packet loss.
Is Security Policy Required to Permit Packets Between the Local Zone and the
Zone Where the Heartbeat Interface Resides?
Yes.
Configuration commands can be synchronized only from the designated active device to the
designated standby device, and status information is mutually backed up between the two
devices.
On load balancing networks, the FW with a smaller sysname American Standard Code for
Information Interchange (ASCII) character is the designated active device. For example, when
FW_A and FW_B share load, FW_A is the designated active device.
In the ARP reply, the source MAC address in the Ethernet header is the MAC address of the
interface that sends the reply, and the sender MAC address in the reply payload is the virtual
MAC address of the VRRP group. Upstream and downstream Layer-3 devices learn the
virtual MAC address mapped to the virtual IP address through the ARP reply.
Upstream and downstream use the virtual MAC address as the destination MAC address
when sending packets to the FW.
hrp sync immediately synchronizes the existing configurations and status entries from the
active FW to the standby FW. The command takes effect immediately and does not affect
subsequent configurations and status entries.
Can the Virtual IP Address of a VRRP Group Be Added to the NAT Address
Pool?
Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet,
you can add the virtual IP address to the NAT address pool.
Can the Virtual MAC Address Be Used as the Source MAC Address of Packets?
Yes. By default, the FW uses the physical MAC address to encapsulate Layer-3 service
packets. To use the virtual MAC address, run the vrrp virtual-mac enable command in the
interface view.
l IPv6: 00-00-5E-00-02-{VRID}
On a service interface of the FW, you can run the following command to use the virtual MAC
address to encapsulate service packets.
<sysname> system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable
2.2 IP-Link
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the device.
2.2.1 Overview
This section describes the definition and purpose of IP-link.
Definition
With IP-link, the FW periodically transmits ICMP echo request or ARP request to a specific
destination IP address and waits for the response. If not receiving any response packet within
the specified interval (three seconds by default), the FW considers that the current link is
faulty, and then performs link-related subsequent operations. If receiving three successive
response packets within the time limit specified later through the link that is considered to be
faulty, the FW considers that the link recovers, and then performs the subsequent operations
of link recovery.
Objective
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the FW to ensure service continuity.
If the FW works in dual-system hot backup networking and identifies a fault affecting
services, you can set the VGMP management group to monitor IP-link. In this case, the FW
adjusts the priority of VGMP management group to trigger the active/standby switchover,
ensuring service continuity.
After VGMP management group monitor IP-link is configured, the status of links or
interfaces indirectly connected to the FW can be identified. As shown in Figure 2-86, if the
interface (with IP address 1.1.1.1/24) of the router in the Untrust zone is faulty and IP-link is
enabled, the system automatically triggers the active/standby switchover to ensure service
continuity.
FW_B
When IP-link identifies link faults, the FW adjusts its static routes accordingly to ensure that
the link used every time enjoys the highest priority and is routable, which keeps service
continuity.
As shown in Figure 2-87, when intranet users access the Internet, two static routes are
available. One route is bound with IP-link. When this link is faulty, the traffic is switched to
the other, ensuring the normal running of services.
IP-Link 1
FW
Switch
Intranet GE1/0/2 GE1/0/1
192.168.1.1/24 10.10.1.1/24
10.10.1.3/24
Router 2
PPPoE
Prerequisites
Before you configure IP-link, ensure that:
Procedure
Step 1 Choose System > High Availability > IP-Link.
Parameter Description
Bound Interface Indicates the interface type and interface number of the local
end of the IP-link.
----End
Context
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the FW to ensure service continuity.
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the IP-link check function.
ip-link check enable
Step 3 Set up an IP-link and access the IP-link view.
ip-link name ip-link-name [ vpn-instance vpn-instance-name ]
Step 4 Configure the destination IPv4 address or domain name for IP-link.
destination { ip-address | domain-name } [ interface interface-type interface-number ]
[ mode { icmp [ next-hop { nexthop-address | dhcp | dialer } ] | arp } ]
Step 5 Configure the destination IPv6 address or domain name for IP-link.
ipv6 destination { ipv6-address | domain-name } [ interface interface-type interface-
number ] [ mode { icmp6 [ next-hop nexthop-ipv6-address ] | ns } ]
Step 6 Configure the source address for IP-link.
source-ip
----End
Follow-up Procedure
Run the display ip-link verbose command to view the detailed information about IP-link.
<sysname> display ip-link verbose
Current Total Ip-link Number : 1
-------------------------------------------------------------------------------
Name : test
Index : 2
Enable Flag : 1
Vrf : public/0
Member Number : 2
Tx-interval (default is 5) : 5
Times (default is 3) : 3
Least active-linknumber (default is 1) : 1
State : up
Init State Number : 0
DOWN State Number : 0
UP State Number : 2
-------------------------------------------------------------------------------
State : up
Destination Type/Destination Info : IP/1.1.1.1
Protocol/Port : icmp/0
Healthcheck detect index : 8
State : up
Destination Type/Destination Info : IP/2.2.2.2
Protocol/Port : icmp/0
Out If Index : GigabitEthernet1/0/1
Healthcheck detect index : 9
-------------------------------------------------------------------------------
2.2.5.1 CLI: Example for Configuring the Interworking Between IP-Link and Hot
Standby
This section describes how to configure the interworking between IP-link and hot standby
according to the example for configuring active/standby hot standby.
Network Requirements
The FW's upstream and downstream devices are routers. FW_A and FW_B work in active/
standby mode
Figure 2-89 shows the networking diagram. The detailed description is as follows:
l OSPF is applied among the router and two FWs. The router sends service packets to the
Active FW according to the route calculation result.
l The upstream and downstream ports of the FW are added to the same link-group. The
route convergence rate is accelerated if a link is faulty.
l FW monitor the network egress through the interworking function between IP-link and
hot standby. When the network egress on the link where FW_A resides is down, FW_B
can switch to active device and the service packets are sent to FW_B.
Figure 2-89 Networking diagram of the example for configuring the interworking between
IP-link and hot standby
GE1/0/1 GE1/0/3
FW_A
10.100.10.2/24 10.100.30.2/24
Trust 1.1.1.1/24 Untrust
GE1/0/2 GE1/0/2
10.100.50.2/24 10.100.50.3/24
IP-Link
Procedure
Step 1 Complete the basic configurations on FW_A.
# Add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 to the same link-group management
group.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] link-group 1
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] link-group 1
[FW_A-GigabitEthernet1/0/3] quit
# Enable the function of adjusting the related cost value of OSPF according to the HRP status.
NOTICE
When the FW is deployed on the OSPF network to work in hot standby mode, this command
must be configured.
# Configure the interworking between IP-link and hot standby. When the network egress is
down, the IP-link status turns to down and the priority of VGMP group reduces 2.
[FW_A] hrp track ip-link test
# Enable HRP.
[FW_A] hrp enable
l Run the hrp standby-device command on FW_B to specify FW_B as a standby device.
Step 3 Configure the interworking between IP-link and hot standby on FW_B.
[FW_B] ip-link check enable
[FW_B] ip-link name test
[FW_B-iplink-test] destination 2.2.2.2 interface GigabitEthernet 1/0/3
[FW_B-iplink-test] quit
[FW_B] hrp track ip-link test
Step 4 Enable automatic backup of configuration commands, and configure the interzone packet-
filtering rules for the Trust zone and Untrust zone on FW_A.
NOTE
When HRP is enabled on both FW_A and FW_B, and the automatic backup of configuration commands
is enabled on FW_A, the security policy configured on FW_A are automatically backed up to FW_B.
# Configure security policy to ensure that the users on network segment 192.168.1.0/24 can
access the Untrust zone.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name ha
HRP_M[FW_A-policy-security-rule-ha] source-zone trust
HRP_M[FW_A-policy-security-rule-ha] destination-zone untrust
HRP_M[FW_A-policy-security-rule-ha] source-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-ha] action permit
----End
Configuration Script
Configuration script of FW_A:
#
sysname FW_A
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 10.100.50.3
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp track ip-link test
#
ip-link check enable
ip-link name test
destination 1.1.1.1 interface GigabitEthernet1/0/3
#
interface GigabitEthernet 1/0/1
ip address 10.100.10.2 255.255.255.0
link-group 1
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.30.2 255.255.255.0
link-group 1
#
firewall zone trust
#
return
2.2.5.2 CLI: Example for Configuring the Interworking Between Static Routes
and IP-Link
This section describes the example for configuring IPv4 static routes binding with IP-link.
Networking Requirements
As shown in Figure 2-90, the switch is connected to two routers and the company has two
links to access the Internet. Two IP-links are configured. IP-link 1 is from the FW to router 1
and IP-link 2 is from the FW to router 2. IP-link 1 is the primary link. Two static routes are
installed, one bound to IP-link 1, the other to IP-link 2. If IP-link 1 fails, traffic will be
switched to IP-link 2 so that Internet access will not be interrupted.
Figure 2-90 Networking of configuring the interworking between static routes and IP-link
Router 1
10.10.1.2./24
IP-Link 1
FW
Switch
Intranet
GE1/0/2 GE1/0/1
192.168.1.1/24 10.10.1.1./24
10.10.1.3./24
Router 2
Procedure
Step 1 Configure two IP-links to detect the links from FW to router 1 and router 2.
[FW] ip-link check enable
[FW] ip-link name test1
[FW-iplink-test1] destination 10.10.1.2
[FW-iplink-test1] quit
[FW] ip-link name test2
[FW-iplink-test2] destination 10.10.1.3
[FW-iplink-test2] quit
Step 2 Install two static routes to reach the Internet and bind them to the two IP-links. Set the
preferences of the two links to ensure that the link to router 1 has a higher preference.
[FW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link test1
[FW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link test2
----End
Configuration Verification
Verify the configuration on the FW as follows:
When the links between the FW and the two routers are both normal, run the display ip-link
command. The output resembles:
Run the display ip routing-table command, the output shows that the default route to the
Internet is the one directed to router 1.
[FW] display ip routing-
table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000004
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 10.10.1.3 Neighbour: 0.0.0.0
State: Invalid Adv Relied Age: 00h00m08s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000005
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: R
The output shows that when the two links are normal, the preference value of the route to
10.10.1.2 is 60 (the default preference value). Therefore, the link is in the Active state and is
installed in the routing table. The route to 10.10.1.3 has a preference value of 70 and is in the
Inactive state. This route is the backup route and is not installed in the routing table.
When the link to router 1 breaks, run the display ip-link command. The output shows that the
IP-link to 10.10.1.2 is down.
[FW] display ip-link
Current Total Ip-link Number : 2
Name Member State Up/Down/Init
test1 1 down 0 1 0
test2 1 up 1 0 0
Run the display ip routing-table command, the output shows that the default route to the
Internet is the one directed to router 2.
[FW] display ip routing-
table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 10.10.1.3 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h00m08s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000004
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: R
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Invalid Adv Relied Age:
00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000005
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
The output shows that when the link to 10.10.1.2 breaks, the state of IP-link 1 is Down and
the route to 10.10.1.2 is set to Invalid. The route to 10.10.1.3, which has a preference value of
70, is set to Active and installed in the routing table.
Configuration Scripts
#
sysname FW
#
ip-link check enable
ip-link name test1
destination 10.10.1.2
ip-link name test2
destination 10.10.1.3
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link test1
ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link
test2
#
return
2.2.5.3 CLI: Example for Configuring the Interworking Between PBR and IP-Link
This example describes how to configure PBR to select next hops for various packets and
balance link traffic. It also describes how to use IP-link for monitoring the reachability of
links where the next hops of the packets on policy-based routes reside and dynamically
determining the availability of the policy-based routes by IP-link state. When a policy-based
route is unavailable, the device can search for standby routes to ensure link continuity.
Networking Requirements
As shown in Figure 2-91, an enterprise has departments A and B. Departments A and B,
acting as service departments, have heavy traffic and require different links for traffic
balancing. In addition, the departments require high stability and continuity.
To meet their requirements, the enterprise applies for two links that access the Internet,
namely, ISP1 and ISP2 to balance link traffic. The two links are mutually backed up to ensure
link continuity.
The requirements are as follows:
l Department A resides on network segment 10.1.0.0/16 and its packets for accessing the
Internet pass through link ISP1 in normal cases.
l Department B resides on network segment 10.2.0.0/16 and its packets for accessing the
Internet pass through link ISP2 in normal cases.
l The links of departments A and B are mutually backed up. When the link (active link) of
a department is faulty, traffic is switched to the link (standby link) of another department.
Router_A
Switch 1.1.2.1/24
Department A GE1/0/4 nk1
IP-Li
10.1.0.1/16 ISP1
GE1/0/2
FW 1.1.2.2/24
GE1/0/3
1.1.3.2/24
ISP2
Department B GE1/0/1 IP-Li
10.2.0.1/16 nk2
Switch Router_B
1.1.3.1/24
Configuration Roadmap
NOTE
This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and FW) required by the FW for providing Internet access
services.
Procedure
Step 1 Configure IP-link.
NOTE
To ensure interworking between PBR and IP-link, the destination IP address detected by IP-link must be
consistent with the setting of the next hop of packets.
# Enable IP-link.
[FW] ip-link check enable
# Create IP-link 1 for detecting link reachability from the FW to destination address 1.1.2.1.
# Create IP-link 2 for detecting link reachability from the FW to destination address 1.1.3.1.
[FW] ip-link name test2
[FW-iplink-test2] destination 1.1.3.1
[FW-iplink-test2] quit
# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 1.1.2.1.
[FW-policy-pbr] rule name A_2
[FW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-A_2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-A_2] action pbr next-hop 1.1.2.1
# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not pbr.
[FW-policy-pbr] rule name B_1
[FW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[FW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[FW-policy-pbr-rule-B_1] action no-pbr
[FW-policy-pbr-rule-B_1] quit
# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next-hop 1.1.3.1.
[FW-policy-pbr] rule name B_2
[FW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[FW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1
# Configure the default route, set the next hop to 1.1.3.1/24, and associate the route with IP-
link 2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link test2
----End
Verification
1. When active links are reachable, packets for accessing the Internet from department A
are forwarded by the FWto ISP1, and packets for accessing the Internet from department
B are forwarded by the FW to ISP2.
# Run the display ip-link command. You can view that the IP-links are Up.
[FW] display ip-
link
Current Total Ip-link Number :
2
Name Member State Up/Down/
Init
test1 1 up 1 0 0
test2 1 up 1 0 0
# Run the ping 1.1.2.1 command in department A. The ping attempt is successful. Then
run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1
# Run the ping 1.1.3.1 command in department B. The pinging attempt is successful.
Then run the ping 1.1.2.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartB>ping 1.1.3.1
2. When the active link is faulty, the FW searches for the standby route and forwards the
packets of departments to the corresponding standby link. Active link ISP1 of
department A is used as an example for explanation.
# Run the display ip-link command. The IP-link where department A resides is Down.
[FW] display ip-
link
Current Total Ip-link Number :
2
Name Member State Up/Down/
Init
test1 1 down 0 1 0
test2 1 up 1 0 0
# Run the ping 1.1.2.1 command in department A. The pinging attempt is unsuccessful.
Then run the ping 1.1.3.1 command. The pinging attempt is successful.
C:\Documents and Settings\DepartA>ping 1.1.3.1
3. When active links restore to normal, the FW forwards all packets to the active links.
Active link ISP1 of department A is used as an example.
# Run the display ip-link command. Both IP-links of department A are Up.
[FW] display ip-
link
Current Total Ip-link Number :
2
Name Member State Up/Down/
Init
test1 1 up 1 0 0
test2 1 up 1 0 0
# Run the ping 1.1.2.1 command in department A. The pinging attempt is successful.
Then run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1
4. The mutual access of departments A and B is successful. The pinging attempt from
department A to B is used as an example.
C:\Documents and Settings\DepartA>ping 10.2.0.111
Configuration Scripts
Configuration scripts of FW
#
sysname FW
#
ip-link check enable
ip-link name test1
destination 1.1.2.1
ip-link name test2
destination 1.1.3.1
#
interface GigabitEthernet1/0/1
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 1.1.3.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.1.0.1 255.255.0.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link test1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link test2
#
policy-based-route
rule name A_1
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
destination-address 10.2.0.0 16
action no-pbr
rule name A_2
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
track ip-link
test1
action pbr next-hop 1.1.2.1
rule name B_1
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
destination-address 10.1.0.0 16
action no-pbr
rule name B_2
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
track ip-link
test2
action pbr next-hop 1.1.3.1
#
return
2.2.5.4 CLI: Example for Configuring the Interworking Between DHCP and IP-
Link
By binding the link where DHCP runs to IP-link, you can resolve the problem that the
automatically delivered static route cannot be bound to the IP-link.
Networking Requirements
As shown in Figure 2-92, the router is the gateway of a building. All enterprises in the
building access the Internet through the router. FW_A acts as the gateway of an enterprise in
the building. To ensure network continuity, the enterprise uses the dual-uplink networking.
The active link accesses the Internet through DHCP, that is, FW_A as the DHCP client
accesses the Internet by obtaining the IP address from the DHCP server. The standby link
accesses the Internet through 3G, that is, 3G dial-on-demand.
Because the DHCP client cannot sense link reachability, FW_A cannot switch the traffic to
the standby link in the event of link faults. To interwork with IP-link, check the availability of
the link where the DHCP client resides. Upon link faults, service traffic is switched to the
standby link.
Figure 2-92 Networking diagram of configuring the interworking between DHCP and IP-link
IP-Link 1 Building
Enterprise
PC
DHCP client Router
GE1/0/2 DHCP server
10.1.1.2/24 8.8.8.1/24
Intranet 10.1.1.1/24 8.8.8.2/24
GE1/0/1
FW
PPPoE dialer
Procedure
Step 1 Configure IP-link.
NOTE
To ensure interworking between DHCP and IP-link, the destination IP address detected by IP-link must
be consistent with the IP address of the Router.
# Enable IP-link.
<FW> system-view
[FW] ip-link check enable
# Create IP-link test for detecting link reachability from the FW_A to destination address
8.8.8.1.
[FW] ip-link name test
[FW-iplink-test]destination 8.8.8.1 interface GigabitEthernet 1/0/2 mode icmp
next-hop dhcp
[FW-iplink-test]quit
Step 2 Configure the DHCP client function, and associate DHCP with the IP-link.
# Enable the DHCP client function on interface GigabitEthernet 1/0/2, and associate DHCP
with the IP-link 1.
[FW] dhcp enable
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address dhcp-alloc
[FW-GigabitEthernet1/0/2] dhcp client track ip-link test
[FW-GigabitEthernet1/0/2] quit
NOTE
When the FW acts as the DHCP client, the priority of the default route obtained from the DHCP server
is 245. When PPPoE is used for backup access, the priority of the default route must be larger than 245.
The higher the priority value, the lower the priority.
[FW] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
----End
Verification
1. When the active link is reachable, access packets are forwarded by FW to the active link.
# Run the display ip-link command. You can view that IP-link is created and it is in Up
state.
[FW] display ip-
link
Current Total Ip-link Number :
1
Name Member State Up/Down/
Init
test 1 up 1 0 0
# Run the display ip routing-table command on FW You can view that the default route
to FW is the gateway address obtained through the DHCP server and the route priority is
245.
[FW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
2. When the active link is faulty, FW switches the traffic to the standby link.
# Run the display ip-link command. You can view that the status of the IP-link is Down.
[FW] display ip-
link
Current Total Ip-link Number :
1
Name Member State Up/Down/
Init
test 1 down 0 1 0
# Run the display ip routing-table command. You can view that default route obtained
through the DHCP server is deleted and the backup default route with outbound interface
Dialer 0 is loaded to the routing table.
[FW] display ip routing-table
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
Routing Tables:
Public
Destinations : 5 Routes : 5
3. When the active link recovers, run the display ip-link command on FW. You can view
that the status of the IP-link turns to Up. Run the display ip routing-table command.
You can view that the default route to FW obtained through the DHCP server is re-
loaded to the routing table.
Configuration Scripts
Configuration scripts of FW
#
sysname FW
ip-link check enable
2.2.6.1 Specifications
This section describes IP-link specifications.
Function Specifications
Function Sub-function Description
Performance Specifications
Function Sub-function Specifications
Version Description
2.3 Link-Group
In link-group, multiple physical interfaces are bound to a logical group to ensure the status
consistency of the interfaces in the group.
2.3.1 Overview
This section describes the definition and purpose of link-group.
Definition
A link-group is used to bind the state of several physical interfaces to form a logical group. If
one of the interfaces within the logical group is faulty, the system sets the state of the other
interfaces as Down. After all the interfaces are functional, the system resets the state of the
interfaces within the logical group as Up.
Objective
The Link-group management group ensures the status consistency of the physical interfaces in
the group, and accelerates the route convergence when the link is faulty.
Context
Link-group is to bind several physical interfaces to form a logical group. If any interface in
the logical group is faulty, the system sets the status of the other interfaces to Down. The
system changes the status of all the interfaces back to Up only after all the interfaces in the
link-group recover.
Procedure
Step 1 Choose System > High Availability > Link-Group.
----End
Prerequisites
Set the IP addresses of interfaces and add the interfaces to security zones.
Context
The link group function binds the status of several interfaces to form a logical group. If one
interface in the logical group is faulty, the system changes the status of the other interfaces to
Down. After all the interfaces recover, the system changes the status of the interfaces to Up.
The link group function ensures that the status of the upstream and downstream interfaces are
consistent with each other, avoiding the inconsistency of upstream and downstream paths
upon active/standby switchover.
Procedure
Step 1 Access the system view.
system-view
Step 2 Access the interface view.
interface interface-type interface-number
Step 3 Add the interface to the link-group.
link-group link-group-id
By default, the system is not configured with the link-group management group.
----End
Follow-up Procedure
Run the display link-group link-group-id command to check the configuration of the link-
group.
<FW> display link-group 1
link group 1, total 2, fault 0
GigabitEthernet1/0/2 : up
GigabitEthernet1/0/1 : up
2.3.4.1 Specifications
This section describes Link-Group specifications.
Function Specifications
Function Sub-function Description
Performance Specifications
Function Sub-function Specifications
Version Description
2.4 BFD
As an independent hello protocol, BFD implements low-overhead and rapid fault detection.
By interworking with upper-layer protocols, BFD enables them to rapidly identify and recover
from faults.
2.4.1 Overview
This section describes the definition and purpose of BFD.
Definition
Bidirectional Forwarding Detection (BFD) quickly detects communications faults between
systems and reports corresponding faults to the upper-layer protocol.
Objective
To minimize the impact of failures and improve network availability, network devices need to
rapidly detect communication failures to take early remedial actions to ensure service
continuity.
The current fault detection mechanisms include:
l Hardware detection: For example, the Synchronous Digital Hierarchy (SDH) alarms are
used to detect faults on links. This mechanism features quick identification of faults;
however, not all medium can provide this mechanism.
l Slow Hello mechanism: It usually refers to the Hello mechanism offered by a routing
protocol. The slow Hello mechanism can detect a fault in seconds. In high-speed data
transmission, for example, at Gbit/s rate, the detection delay of more than one second
causes the loss of a large amount of data. In delay-sensitive services such as the voice
service, the delay of more than one second is unacceptable.
l Other detection mechanisms: Specific detection mechanisms may be provided by
different protocols or device vendors. If a network has devices from multiple vendors,
these detection mechanisms are difficult to implement.
BFD overcomes the limitations of earlier detection mechanisms.
BFD provides the following functions:
l Provides low-overhead and quick fault detection for channels between adjacent
forwarding engines. The detected faults may occur on interfaces, data links, or
forwarding engines.
l Provides a single mechanism to detect any media and protocol layers in real time. In
addition, the detection duration and overhead range are variable.
Applicable Environment
The hot standby function enables the standby device to take over services from the faulty
active device to ensure service continuity.
Virtual Router Redundancy Protocol (VRRP) Group Management Protocol (VGMP) groups
determine the active/standby status of devices.
When BFD works with hot standby, VGMP groups are used to monitor static BFD sessions,
and the priorities of VGMP groups change based on the status of BFD sessions. The change
of the priorities of VGMP groups triggers active/standby switchover.
Typical Application
As shown in Figure 2-93, FW_A and FW_B are deployed on a hot standby network. FW_A
functions as the active device, and FW_B functions as the standby device.
To improve network reliability and enable the FWs to monitor the status of indirectly-
connected links, you need to create BFD sessions between the FW_A and the router_A and
use active VGMP group on the FW_A to monitor the status of BFD session. And you need to
create BFD sessions between the FW_B and the router_B and use standby VGMP group on
the FW_B to monitor the status of BFD session.
As shown in Figure 2-93, if interface GE1/0/1 on Router_A is faulty, the BFD session detects
the interface fault (changes the status from Up to Down) and notifies the VGMP group on
FW_A of the fault. Then the priority of the VGMP group on FW_A is lower than the priority
of the VGMP group on FW_B and triggers active/standby switchover. Therefore, FW_A
becomes the standby device, and FW_B becomes the active device.
Figure 2-93 Networking diagram of interworking between BFD and hot standby
GE1/0/1
Applicable Environment
Static route is manually configured by administrators for a known path. Different from
dynamic route, static route does not have the detection mechanism. When the network fails,
administrator intervention is needed.
By interworking, the static route is bound to a static BFD session. Therefore, the status of the
static route changes with the status of the BFD session.
Typical Application
As shown in Figure 2-94, Router_A connects Router_B with a Layer-2 switch, and can
communicate with the Internet through a static route. The link from Router_A to Router_B
serves as the active link while the link from Router_A to Router_C to Router_B serves as the
standby link.
To increase the network reliability and shorten the route convergence time, you can establish a
BFD session between Router_A and Router_B to check the link status.
l If the BFD session on the static route detects a fault (the status changes from Up to
Down), BFD reports the fault to the system. The system deletes this route from the
routing table, and the traffic switches to the standby link.
l If the BFD session on the static route is successfully created (the status changes from
Down to Up), BFD reports to the system. The system adds this route to the routing table,
and the traffic switches back to the active link.
Figure 2-94 Networking diagram of interworking between BFD and static routes (one-hop
detection)
BFD session
Router_A Router_B
The interworking between BFD and static route supports two detection modes:
l One-hop detection
Devices on both ends of the BFD session connect directly or with a Layer-2 switch, that
is, the BFD session and the static route share the same outbound interface, and the IP
address of the peer end is the next hop of the route. Figure 2-94 shows the typical
application of the one-hop detection networking.
l Multi-hop detection
As Figure 2-95 shows, the devices on both ends of the BFD session are indirectly
connected with multi-hop routing channels. In this case, the BFD session binds the IP
address of the peer end but not the outbound interface of the static route.
Figure 2-95 Networking diagram of interworking between BFD and static routes (multi-
hop detection)
BFD Session
Applicable Environment
A link fault or the change of topology may lead to rerouting in a network. The short-duration
convergence of a routing protocol is important for the improvement of availability of the
network. A feasible solution is to fast detect the fault and notify the fault to the routing
protocol immediately.
In the BFD-OSPF interworking, OSPF is associated with a BFD session. The BFD session
fast detects a link fault and notifies OSPF of the fault. In this manner, OSPF speeds up the
response to the change of the network topology.
Table 2-3 shows statistics of convergence speeds when OSPF is and is not associated with a
BFD session.
Not associated with Timeout of the OSPF Hello keepalive timer At the second level
BFD
Typical Application
As shown in Figure 2-96, OSPF runs among Router_A, Router_B, and Router_C which are
mutual neighbors. The link from Router_A to Router_B serves as the active link while the
link from Router_A to Router_C to Router_B serves as the standby link.
Create a BFD session on the link between Router_A and Router_B. Therefore, when the link
status changes, the convergence speed of OSPF increases. If the link between Router_A and
Router_B fails, BFD rapidly identifies the fault and notifies OSPF of the fault. Therefore, the
service traffic is switched to the standby link.
BFD Session
Router_A Router_B
Area 0
Router_C
Applicable Environment
BGP enables the device to periodically send packets to the neighboring devices for fault
detection, but detecting a fault takes more than 1s. When traffic is transmitted at Gbit/s rates,
long-time fault detection will cause data loss, failing to meet the high reliability requirements
of carrier-class networks.
Therefore, BFD interworking with BGP is introduced to quickly identify link faults between
BGP peers (faults can be detected within milliseconds) and report the faults to BGP,
implementing fast BGP route convergence.
Typical Application
As shown in Figure 2-97, Router_A and Router_B respectively belong to AS100 and AS200
and establish EBGP connections in between.
BFD is configured to detect the BGP neighboring relationship between Router_A and
Router_B. When the link between Router_A and Router_B fails, BFD can rapidly detect the
fault and report it to the BGP protocol.
AS100 AS200
EBGP
BFD Session
Router_A Router_B
When interworking with IS-IS, BFD can rapidly sense link changes and converges routes.
As shown in Figure 2-98, when the link between Router_A and Router_B fails, BFD can
rapidly detect the fault and report it to the IS-IS protocol. Then IS-IS shuts down the
interfaces connecting to the neighbors and deletes the neighboring IP protocols to trigger
topology calculation and update the Link State PDUs (LSP) so that other neighbors (such as
neighbors Router_C of Router_B) can receive the updated LSP of Router_B in time to
complete fast network topology convergence.
BFD Session
Router_A Router_B
Applicable Environment
Policy-Based Routing (PBR) is a mechanism, which selects routes based on the customized
policy rather than forwards packets by searching the FIB table based on the destination
addresses of IP packets. The PBR can be used for the purpose of security or load balancing.
PBR supports route selection based on packet information such as the source IP addresses and
packet types of received packets. Packets that meet certain conditions are forwarded
according to packet information such as the outbound interface and next hop, and the default
outbound interface and next hop.
PBR cannot sense the availability of the link where the PBR is enabled. When the link is
unreachable and the device forwards the packet, the packet forwarding may fail.
The BFD-PBR interworking resolves the previous problems, and improves the flexibility of
PBR applications and the dynamic network environment sensation of PBR. After the actions
of PBR are associated with the static BFD session, the BFD can monitor the reachability of
the next hop or outbound interface and dynamically detect the availability of the policy-based
routes.
Typical Application
As shown in Figure 2-99, Router_A serves as the egress gateway of a company. There are
two links connecting to the Internet. Normally, the service initiated by Department A travels
from Router_A to Router_B. When a fault occurs, the service traffic is switched to the other
link.
To ensure that Router_A can rapidly and dynamically sense the availability of PBR, you can
create a BFD session between Router_A and Router_B. When the link between Router_B and
the Layer-2 switch fails, the BFD can identify the fault and notify Router_A rapidly, and the
PBR bound to the BFD session becomes invalid. In this way, Router_A searches for standby
routes to ensure service continuity.
sion
D Ses
BF Router_B
PC
Department A Router_A
PC Router_C
PC
Applicable Environment
To ensure network reliability, some enterprises use the dual-uplink networking. Usually, the
DHCP link serves as the active link. In such case, the egress gateway of the company serves
as the DHCP client, and the company obtains IP addresses from the DHCP server to access
the Internet. Links such as PPPoE link serve as the standby links.
As the DHCP client, the egress gateway cannot sense the availability of the link on which the
egress gateway resides. When the link fails, the gateway cannot switch the service traffic to
the standby link rapidly, resulting in service interruptions.
The BFD-DHCP interworking resolves this problem. The association of the DHCP client with
the BFD session enables BFD to dynamically determine the availability of the DHCP link
according to BFD session status.
Typical Application
As shown in Figure 2-100, Router_A serves as the egress gateway of a building. All
companies in the building access the Internet through Router_A. Router_B serves as the
egress gateway of a company in the building. To ensure network continuity, the company uses
the dual-uplink networking, with DHCP and PPPoE links as the active and standby link
respectively.
BFD Session
PC
Router_B DHCP Server Router_A
Intranet
DHCP Client
PPPoE
To ensure that the DHCP client can sense the fault and perform the link switch quickly when
the active link fails, you can establish a static BFD session between Router_A and Router_B,
and bind the DHCP to BFD on Router_B.
2.4.3 Mechanism
This section describes the mechanism of BFD.
BFD packets fall into two types, namely, BFD control packet and BFD echo packet.
A BFD control packet consists of a mandatory part and an optional authentication part.
Figure 2-101 shows the format of the BFD control packet.
0 7 16 23 31
Vers Diag Sta P F C A D R Detect Mult Length
My Discriminator
Your Discriminator
NOTE
Vers (Version) 3 bits Indicates the version number of the protocol. The current
version number is 1.
Diag 5 bits Indicates the cause that the status of the latest session changes
(Diagnostic) from Up to other status in the local system. Different values
indicate different causes:
l 0: No Diagnostic
l 1: Control Detection Time Expired
l 2: Echo Function Failed
l 3: Neighbor Signaled Session Down
l 4: Forwarding Plane Reset
l 5: Path Down
l 6: Concatenated Path Down
l 7: Administratively Down
l 8: Reverse Concatenated Path Down
l 9 to 31: Reserved for future use
Sta (State) 2 bits Indicates the status of the current BFD session. Different
values indicate different statuses:
l 0: AdminDown. Indicates that the BFD session is in
administrative Down state.
l 1: Down. Indicates that the BFD session is Down or just
established.
l 2: Init. Indicates that the BFD session can communicate
with the peer end and the local end expects the session to
enter the Up state.
l 3: Up. Indicates that the BFD session is successfully
established.
P (Poll) 1 bit Indicates the bit for connection request confirmation. Different
values indicate different meanings:
l 1: indicates that the sending system requests the
confirmation of the connection or the parameter changes.
l 0: indicates that the sending system does not request the
confirmation of the connection or the parameter changes.
F (Final) 1 bit Indicates the bit determining whether the sending system
responds to a BFD control packet with P bit as 1. Different
values indicate different meanings:
l 1: indicates that the sending system responds to a BFD
control packet with P bit as 1.
l 0: indicates that the sending system does not respond to a
BFD control packet with P bit as 1.
C (Control 1 bit Indicates the bit determining whether BFD control packets are
Plane transmitted on the control plane. Different values indicate
Independent) different meanings:
l 1: indicates that the sending system implements BFD
independent of the control plane. That is, BFD packets are
transmitted on the forwarding plane. BFD continues to
work even if the control plane fails.
l 0: indicates that BFD packets are transmitted on the control
plane.
D (Demand) 1 bit Indicates the demand mode operation bit. Different values
indicate different meanings:
l 1: indicates that the sending system expects to run in
demand mode.
l 0: indicates that the sending system does not expect to or
cannot run in demand mode.
R (Reserved) 1 bit This field is set to 0 when a BFD control packet is sent. This
field is ignored when a BFD control packet is received.
Detect Mult 1 byte Indicates the detection time multiplier, that is, the maximum
(Detect time number of continuous loss of packets permitted by the packet
multiplier) receiver. The bit is used to check whether the link is normal.
l Demand mode: uses the local detection time multiplier.
l Asynchronous mode: uses the detection time multiplier of
the peer end.
Desired Min Tx 4 Indicates the desired minimum interval for sending BFD
Interval bytes control packets by the local system, in microseconds.
Required Min 4 Indicates the minimum interval required between receiving two
Rx Interval bytes BFD control packets, in microseconds.
Required Min 4 Indicates the minimum interval required between receiving two
Echo Rx bytes BFD echo packets, in microseconds. If the interval is set to 0,
Interval the sending system cannot receive BFD echo packets.
Auth Type 1 byte Indicates the authentication type of BFD control packets.
Different values indicate different authentication types:
l 0: Reserved
l 1: Simple Password
l 2: Keyed MD5
l 3: Meticulous Keyed MD5
l 4: Keyed SHA1
l 5: Meticulous Keyed SHA1
l 6 to 255: Reserved for future use
Auth Len 1 byte Indicates the length of the authentication field, including the
authentication type field and the authentication length field, in
bytes.
Detection Mode
BFD supports the following detection modes:
l Asynchronous mode
In this mode, two systems periodically transmit BFD control packets to each other on the
basis of the negotiated packet sending/receiving interval. If one system does not receive
any BFD control packets from the other system in the detection period, it is regarded that
the BFD session is Down. The asynchronous mode is the most frequently used BFD
mode.
l Demand mode
In this mode, once a BFD session is established, the system does not periodically send
BFD control packets. Instead, other detection mechanisms (such as the Hello mechanism
of routing protocols and hardware detection mechanism) are adopted to reduce the costs
caused by BFD sessions. In demand mode, there is a timer in the system. When the timer
expires, the system sends a query packet with short sequence to check the link. If the
system does not receive the reply packet, it is regarded that the session is Down.
A supplementary function for the previous modes is the echo function. When the echo
function is enabled, a BFD control packet is transmitted in this method: The local system
sends a BFD control packet, and the remote system loops it back through the forwarding
channel. If none of several consecutive echo packets is received, it is regarded that the BFD
session is Down. The echo function can interwork with the asynchronous mode or demand
mode.
Currently, the system supports only the passive echo function for the one-hop session in
asynchronous mode. If devices supporting the echo function are available on the network, you
need to configure the BFD passive echo function on the device to enable its compatibility
with other devices. When the device enters the passive echo mode, the interval for
transmitting BFD control packets is increased. The devices on both ends of the BFD session
send the BFD echo packets (the source and destination IP address are both the IP address of
the outbound interface on the local end) which returns to the local end through ICMP
redirection. In this way, the link status is checked.
Detection Time
The BFD time is determined by the following three values:
l Desired Min Tx Interval (DMTI): the minimum interval for the transmission of BFD
control packets desired by the local end
l Required Min Rx Interval (RMRI): the minimum interval for the reception of BFD
control packets required by the local end
l Detect time multiplier (Detect Mult): the detect time multiplier
After one system receives the BFD control packet from the peer end, it compares the RMRI
attached in the packet with the local DMTI, and uses the larger value as the interval for the
transmission of BFD control packets. That is, the system with a slower speed determines the
transmission rate of BFD control packets.
The value of Detect Mult is not negotiated. It is configured by the two systems on both ends.
The detection time in asynchronous mode equals to the value of the received Detect Mult
from the peer end times the larger value of the local RMRI and the received DMTI.
The detection time in demand mode equals to the value of the local Detect Mult times the
larger value of the local DMTI and the received RMRI.
For example, the value of the local RMRI is 400 milliseconds; the value of the local DMTI is
300 milliseconds; the value of the received DMTI is 300 milliseconds, the value of the
received RMRI is 400 milliseconds, the value of the received Detect Mult is 4, and the value
of the local Detect Mult is 5.
The detection time in asynchronous mode = 4 x maximum (400 milliseconds and 300
milliseconds) = 1600 milliseconds. And the detection time in demand mode = 5 x maximum
(300 milliseconds and 400 milliseconds) = 2000 milliseconds.
The values of DMTI, RMRI, and Detect Mult can be configured independently. Therefore, the
two systems may differ in the transmission rate of BFD control packets.
You are advised to configure the same value on both ends for hardware using the same
transmission medium.
a. The local end immediately sends a BFD control packet (carries a new RMRI) with
P bit as 1 in the transmission interval.
b. The local end recounts the detection time, and compares it with the current one.
If the detection time becomes greater, the following situation occurs:
n The local end restarts the detection timer, and detects links based on the new
detection time. The local end continues sending BFD control packets (carries a
new RMRI) with P bit as 1.
n After receiving the BFD control packets with P bit as 1, the peer end
immediately replies a BFD control packets with F bit as 1, recounts the
transmission interval, and restarts the sending timer.
n After receiving the BFD packet with F bit as 1 from the peer end, the local end
stops sending BFD control packets with P bit as 1.
If the detection time becomes smaller, the following occurs:
n The local end sends BFD control packets (carries a new RMRI) with P bit as 1
based on the current transmission interval.
n After receiving the BFD control packets with P bit as 1, the peer end
immediately replies a BFD control packets with F bit as 1, recounts the
transmission interval, and restarts the sending timer.
n After receiving the BFD packet with F bit as 1 from the peer end, the local end
stops sending BFD control packets with P bit as 1, updates the detection time,
and restarts the detection timer.
If the recalculated detection time and the current detection time are equal, the local
end does not change the detection time.
c. Detect Mult change
i. The local end immediately sends a BFD control packet (carries a new detect
time multiplier) with P bit as 1 in the transmission interval. The new detect
time multiplier is attached in every packet from then on.
ii. After receiving the BFD control packet, the peer end recounts the detection
time, and detects links based on the new detection time.
BFD session. Meanwhile, the establishment and deletion of the BFD session is manually
triggered, and lacks flexibility.
The interworking between BFD and PBR, DHCP, or FRR requires the static BFD session
with manually designated discriminators. In the application of interworking between
BFD and static routes, you can choose the static BFD session with manually designated
discriminators or the static BFD session with negotiated discriminators according to the
network status.
l Static BFD session with an automatically negotiated discriminator
You need to manually establish the BFD session, but do not need to configure My
Discriminator and Your Discriminator. Both discriminators are negotiated through the
BFD session.
In the application of interworking between BFD and static routes, the BFD session with
an automatically negotiated discriminator is required in the scenario where the device at
the peer end does not support static BFD session, and the dynamic BFD session is
adopted; meanwhile, the local device is routable to the peer end, and ensures the
application of interworking between BFD and static routes.
l Dynamic BFD session triggered by protocols
Dynamic BFD session triggered by protocols refers to the BFD session dynamically
triggered by routing protocols.
In dynamic establishment mode, the system processes My Discriminator and Your
Discriminator in the following ways:
– Dynamically assigning My Discriminator
When an application program triggers the dynamic establishment of BFD sessions,
the system assigns a value from the dynamic session discriminators as the My
Discriminator of the BFD session. The system sends a BFD control packet with
the value of Your Discriminator as 0 (the value of My Discriminator is the
assigned value, and the state is Down) to the peer system to negotiate a session.
NOTE
The system distinguishes static BFD session and dynamic BFD session according to the
classification of discriminators. The value of My Discriminator for static BFD session
ranges from 1 to 8191, and the value of My Discriminator for dynamic BFD session ranges
from 8192 to 16,383.
– Self-learning Your Discriminator
Upon receiving the BFD control packet with the value of Your Discriminator as 0,
the system on one end of the BFD session determines whether the packet matches
the local BFD session according to the quadruplet (source IP address, destination IP
address, outbound interface, and VPN index). If yes, the system learns the value of
My Discriminator in the received packet to obtain the value of Your
Discriminator.
Router_A Router_B
Init-> Up
Sta: Up Init-> Up
Sta: Up
1. After receiving the message from the upper-layer protocol, BFDs of Router_A and
Router_B send BFD control packets with the status as Down. In static BFD session with
manually designated discriminator, the value of Your Discriminator in the packet is
manually designated. In static BFD session with negotiated discriminator, the value of
Your Discriminator in the packet is negotiated by both parties. In the dynamic
establishment of BFD sessions, the value of Your Discriminator is 0.
2. After receiving the BFD control packet with the status as Down, Router_B switches the
session status to Init, and sends a BFD control packet with the status as Init. The change
of BFD sessions of Router_A is the same as Router_B.
3. After receiving the BFD control packet with the status as Init, Router_B switches the
session status to Up, and sends a BFD control packet with the status as Up. The change
of BFD sessions of Router_A is the same as Router_B.
4. When the statuses of Router_A and Router_B are both Up, the session is successfully
established and starts to detect the link.
After the status switches from Down to Init, a timeout timer is enabled on Router_A and
Router_B respectively. If the routers do not receive the BFD control packet whose status is
Init or Up within the timeout, the BFD session status in the local system automatically
switches to Down.
Procedure
Step 1 Choose System > High Availability > BFD.
Interface Status Determines whether the BFD status is bound to the interface
Synchronization status.
This item is displayed only when the probing type is set to
Broadcast IP address-based probing.
Local Detection Multiple Indicates the local detection multiple of a BFD session.
Waiting for Recovery Indicates the recovery waiting time of a BFD session.
Time
----End
Context
Enabling the global BFD function is mandatory when configuring BFD. When you enable the
global BFD function, the BFD view is displayed. In the BFD view, you can configure the
following global optional functions based on your network requirements:
Delaying the Up State Change of the BFD Session
In actual networking, some devices enable traffic switchover based on the BFD session status.
However, the routing protocol becomes Up later than the interface. As a result, traffic fails to
find the route when switched back, and is therefore lost. After you delay the Up state change
of the BFD session, the session will become Up a period after the fault is rectified, making up
the defect that the routing protocol becomes Up later than the interface.
Configuring the Default Multicast Address for One-hop BFD
When you perform one-hop BFD on the Layer-3 physical interfaces without IP addresses or
Layer-2 interfaces, use the default multicast IP address.
By default, the default multicast IP address for BFD is 224.0.0.184.
The default multicast IP address must be changed in the following situations:
l Other protocols on the network use this multicast IP address.
l If there are overlapping BFD sessions on the BFD path, for example, Layer-3 interfaces
are connected by BFD-enabled Layer-2 switching devices, the devices where different
devices reside must be configured with different default multicast IP addresses. This
prevents BFD packets from being forwarded incorrectly.
l If the Layer-2 interfaces of the two devices are connected through a Layer-2 switch that
provides the BFD function, and multicast IP addresses are used to set up BFD sessions,
when the global BFD function is enabled on the switch, run the default-ip-address
command to configure different default multicast IP addresses for the two devices and
switch. Otherwise, the switch cannot forward the BFD multicast packets, resulting in
BFD session interruption.
Enabling Passive Echo
The BFD passive echo function enables the device to communicate with an echo-supported
device on the network. This function applies only to one-hop detection.
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the global BFD function and access the BFD global view.
bfd
By default, the Up state change delay of the BFD session is 0 second. That is, the Up state
change of the BFD session is not delayed.
Step 4 Optional: Set the default multicast IP address for BFD.
default-ip-address ip-address
l If you configure all, the passive echo function of all BFD sessions is enabled.
l If you configure acl basic-acl-number, the passive echo function of BFD sessions is
determined by the ACL rule. That is, the passive function of only ACL-compliant BFD
sessions is enabled.
NOTE
BFD echo packets loop back through ICMP redirection on the peer end. In an IP packet
encapsulating the BFD echo packet, the destination address and source address are both the IP
address of the local outbound interface. Therefore, the ACL rule must allow the source IP
addresses of both the local end and peer end.
Step 6 Run:
peer-ip peer-ip mask-length ttl { single-hop | multi-hop } ttl-value
NOTE
You can use this command to set the TTL globally to enable Huawei devices running different FW versions to
interwork with each other and non-Huawei devices.
Step 7 Run:
multi-hop destination-port { 3784 | 4784 }
Configure the number of the default destination port for the multi-hop BFD control packet.
By default, destination port 3784 is used for the multi-hop BFD control packet.
NOTE
According to the BFD draft, 4784 is the destination port number of multi-hop BFD session packets.
During interworking with devices of earlier versions, the FW chooses 3784 as the destination port number of
multi-hop BFD session packets. During interworking with the devices of other vendors, the FW uses 4784 as
the destination port number of multi-hop BFD session packets.
----End
Prerequisites
Before you configure a static BFD session, complete the following tasks:
l Correctly connecting interfaces and setting IP addresses.
l Configuring routing protocols for the reachability of the network layer.
l Configure global BFD functions, including enabling BFD and adjusting global
parameters. For details, see 2.4.5.1 Configuring Global BFD Functions.
Context
One-hop detection and multi-hop detection of static BFD sessions are described as follows:
l One-hop detection detects the connectivity of the IP link between two directly-connected
systems. One-hop refers to a hop of the IP address.
Only one BFD session exists on the specified interface between the two systems going
through BFD one-hop detection.
l Multi-hop detection detects any paths between two systems. The paths may cover
multiple hops or even overlap in certain parts.
To detect and monitor direct links (or links connected by a Layer-2 switch) rapidly, you can
configure either BFD one-hop detection or multi-hop detection. However, the former is
recommended.
If the peer IP address resides on different network segments from the IP address of the local
outbound interface, you can configure only multi-hop detection to rapidly detect and monitor
the connectivity of IP links. By creating BFD sessions on both ends of a multi-hop path, you
can detect faults on the path rapidly.
To detect the physical link status using BFD, static BFD sessions can be configured in the
following ways:
l Specifying the peer IP address
If the peer IP address is known, bind the BFD session to this IP address and send BFD
control packets to the IP address.
l Using the default IP address
If the peer IP address cannot be specified (in some cases, the peer end does not have an
IP address), bind the BFD session to a multicast address and send BFD control packets
to the multicast address. The multicast address can be adjusted as required. For details,
see 2.4.5.1 Configuring Global BFD Functions.
Creating a BFD session through the default IP address is valid only for one-hop
detection.
NOTE
When multiple protocols are bound to one static BFD session, the change of the session status affects all
related protocols.
Procedure
Step 1 Access the system view.
system-view
Step 2 Select the following configuration methods according to the network status of both ends
where the static BFD session is created.
l For the Layer-3 interfaces with IP addresses, create a BFD binding and set up BFD
sessions:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number ] [ source-ip source-ip [ auto ] ]
l For Layer-2 interfaces and the Layer-3 interfaces without IP addresses, create a static
BFD session (by using the default multicast IP address) and access the BFD session
view:
bfd cfg-name bind peer-ip default-ip interface interface-type interface-number
[ source-ip source-ip ]
Step 3 Configure the discriminator.
l Configure a local discriminator.
discriminator local local-discr-value
NOTE
l The local discriminator must correspond to the remote discriminator on both ends of a BFD session.
Otherwise, the session cannot be established.
l For a BFD session bound to the default multicast address, the local discriminator cannot be the same
as the remote one.
l The local and remote discriminators cannot be changed once they are created.
NOTE
After all necessary parameters (such as the local and remote discriminators) are specified, you must run
the commit command to successfully create a BFD session.
----End
Example
# Create static BFD session test on FW_A, set the peer IP address to 10.1.1.1, and set the
local discriminator to 10 and remote one to 20.
<FW_A> system-view
[FW_A] bfd
[FW_A-bfd] quit
[FW_A] bfd test bind peer-ip 10.1.1.1
[FW_A-bfd-session-test] discriminator local 10
[FW_A-bfd-session-test] discriminator remote 20
[FW_A-bfd-session-test] commit
# Create static BFD session test on FW_B, set the peer IP address to 10.1.1.2, and set the
local discriminator to 20 and remote one to 10.
<FW_B> system-view
[FW_B] bfd
[FW_B-bfd] quit
[FW_B] bfd test bind peer-ip 10.1.1.2
[FW_B-bfd-session-test] discriminator local 20
[FW_B-bfd-session-test] discriminator remote 10
[FW_B-bfd-session-test] commit
Follow-up Procedure
l Run the display bfd configuration command to display the configuration information
about the static BFD session. The following uses the information that is displayed on
FW_A as an example.
<FW_A> display bfd configuration static verbose
------------------------------------------------------------------------------
--
BFD Session Configuration Name :
test
------------------------------------------------------------------------------
--
Local Discriminator : 10 Remote Discriminator : 20
BFD Bind Type : Peer IP Address
Bind Session Type : Static
Bind Peer IP Address : 10.1.1.1
Bind Interface : -
Select Board : -
Track Interface : -
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Proc interface status : Disable WTR Interval (ms) : -
Bind Application : No Application Bind
Session Description : -
------------------------------------------------------------------------------
--
The local and remote discriminators, interface bound to the session, and peer IP address
configured on FW_A are displayed in the output information. According to the statistics,
the configuration of the session is submitted.
l Run the display bfd session command to display the information about the static BFD
session. The following uses the information that is displayed on FW_A as an example.
<FW_A> display bfd session static
------------------------------------------------------------------------------
--
Local Remote PeerIpAddr State Type InterfaceName
------------------------------------------------------------------------------
--
10 20 10.1.1.1 Up S_IP_PEER -
According to the output, if the BFD session is in Up state, the BFD session between two
devices is established. If the BFD session is in Down state, it failed to be established.
Context
The detection parameters of a BFD session includes the BFD control packet sending interval,
receiving interval, and local detection multiple. After detection parameters are changed, the
mapping between valid parameters and configured parameters on the local and peer devices is
as follows:
l Actual BFD control packet sending interval in the local = maximum (configured local
sending interval and configured peer receiving interval)
l Actual BFD control packet receiving interval in the local = maximum (configured peer
sending interval and configured local receiving interval)
l In asynchronous mode, actual BFD control packet detection interval in the local = Actual
local receiving interval x Configured peer BFD detection multiple
l In demand mode, actual BFD control packet detection interval in the local = Actual local
sending interval x Configured local BFD detection multiple
NOTE
When the network is in poor quality or overloaded, increase the BFD detection interval as required.
A larger BFD detection interval is required when a low-speed interface (such as virtual template, dialer, or
tunnel interface), the IPSec or L2TP tunnel, or traffic limiting through QoS is used.
For example:
l The configured local sending interval is 300 ms, receiving interval is 300 ms, and
detection multiple is 4.
l The configured peer sending interval is 400 ms, receiving interval is 600 ms, and
detection multiple is 5.
Then,
l The actual sending interval in the local is the maximum value between 300 ms and 600
ms, namely, 600 ms. The actual receiving interval is the maximum value between 400
ms and 300 ms, namely, 400 ms. The actual detection interval in asynchronous mode is
2000 ms (400 ms x 5). The actual detection interval in demand mode is 2400 ms (600 ms
x 4).
l The actual sending interval on the peer end is the maximum value between 400 ms and
300 ms, namely, 400 ms. The actual receiving interval is the maximum value between
300 ms and 600 ms, namely, 600 ms. The actual detection interval in asynchronous mode
is 2400 ms (600 ms x 4). The actual detection interval in demand mode is 2000 ms (400
ms x 5).
NOTE
The system automatically changes the local sending interval and receiving interval to random values
ranging from 2,000 ms to 3,000 ms upon detecting the BFD session in Down state. When the BFD
session becomes Up, the system restores the intervals to the configured values. This limits the
consumption over system resources.
Procedure
Step 1 Access the system view.
system-view
NOTE
To change session parameters (by using the min-tx-interval, min-rx-interval, detect-multiplier, tos-
exp, wtr, or description command) after a BFD session is created, you must run the commit command.
In this case, the configurations can take effect.
----End
Context
This function is used, when BFD interworks with the static route and the local device needs to
communicate with the peer device, which uses the dynamic BFD session.
Local and remote discriminators cannot be configured on the device when you configure the
auto-negotiation of static discriminators.
The configuration difference between the static auto-negotiated BFD session and the static
BFD session lies in:
l After you create the static auto-negotiation configuration by running the bfd bind peer-
ip source-ip auto command, the BFD session can be established without the commit
command executed.
l After the parameters (such as the BFD control packet sending interval, receiving interval,
and local detection multiple) of the static auto-negotiated BFD session are changed, they
take effect without the commit command executed.
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the global BFD function and access the BFD global view.
bfd
Step 4 Create a static auto-negotiated BFD session with the static discriminator.
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number ] source-ip source-ip auto
l If both interface and source-ip are specified, the source IP address must be the same as
the IP address of the interface.
----End
Context
NOTE
The description command is valid only for statically configured BFD sessions, but invalid for the
dynamically configured BFD sessions and the auto-negotiated BFD sessions with static discriminators.
Procedure
Step 1 Access the system view.
system-view
NOTE
To change session parameters (by using the min-tx-interval, min-rx-interval, detect-multiplier, tos-
exp, wtr, or description command) after a BFD session is created, you must run the commit command.
In this case, the configurations can take effect.
----End
Procedure
Step 1 Access the system view.
system-view
In the case of congestion, the system preferentially sends the BFD packet with a higher
priority. You are advised to change the default configuration only after you have known the
related affects.
Step 4 Commit the configuration.
commit
NOTE
To change session parameters (by using the min-tx-interval, min-rx-interval, detect-multiplier, tos-
exp, wtr, or description command) after a BFD session is created, you must run the commit command.
In this case, the configurations can take effect.
----End
Context
If a BFD session flaps, BFD-related applications will be frequently switched between active
and standby devices. To avoid this case, you can configure the WTR time for the BFD
session. When a BFD session changes from Down to Up, the BFD will notify this status
change to upper-layer applications only after the WTR time.
Procedure
Step 1 Access the system view.
system-view
By default, the time of waiting for recovery of the BFD session is 0, indicating no waiting.
NOTE
The BFD session is bidirectional. The detection is performed by BFD sessions set up on both ends
respectively. If WTR is needed, configure it on two ends manually. Or, when the status of the session on
one end changes, the applications on both ends can find that the status of the BFD sessions are
inconsistent.
NOTE
To change session parameters (by using the min-tx-interval, min-rx-interval, detect-multiplier, tos-
exp, wtr, or description command) after a BFD session is created, you must run the commit command.
In this case, the configurations can take effect.
----End
and DHCP. Dynamic BFD interworking refers to interworking between BFD and RIP, OSPF,
OSPFv3, BGP, and BGP4+. BFD and IS-IS can carry out either static or dynamic
interworking.
Prerequisites
Before you configure interworking between BFD and hot standby, complete the following
tasks on devices at both ends:
l Manually configuring the static BFD session. For details, see 2.4.5.2.1 Creating a Static
BFD Session.
l Configuring the hot standby. For details, see 2.1 Hot Standby.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure a VGMP group to monitor the status of a BFD session.
hrp track bfd-session local-discr-value
----End
Prerequisites
Before you configure interworking between BFD and static routes, perform the following on
devices at both ends:
l Setting the IP addresses of interfaces to ensure reachable adjacent nodes.
l Configuring a static route. For details, see 5.3.4 Configuring Static Route-CLI.
l Manually configuring the static BFD session. For details, see 2.4.5.2.1 Creating a Static
BFD Session.
The static BFD session can be one-hop or multi-hop.
Procedure
Step 1 Access the system view.
system-view
l Before you configure the interworking, make sure that the destination IP address and
next-hop IP address (or outbound interface) are the same as those of the static route.
Generally, configure the static route, and then bind it to the BFD session.
l cfg-name specifies the BFD session, where the link to be monitored is specified.
----End
Prerequisites
Before you configure BFD-PBR interworking, complete the following tasks on devices at
both ends:
l Manually configuring the static BFD session. For details, see 2.4.5.2.1 Creating a Static
BFD Session.
The static BFD session can be of the one-hop or multi-hop type.
l Configuring the IP unicast PBR. For details, see 6.2.5 Configuring PBR Using the
CLI.
Context
You need to configure the interworking function only on the device where the PBR function is
enabled.
When the interworking function is configured and the BFD session is deleted from the remote
device, the interworking function fails. In this case, the local device continues forwarding
traffic based on the PBR.
Procedure
Step 1 Access the system view.
system-view
NOTE
----End
Prerequisites
Before you configure BFD-DHCP interworking, complete the following tasks:
1. Configuring the device as the DHCP client and enable the device to obtain the IP address
from the DHCP server. For details, see 4.7.5.3 Configuring the Device as a DHCP
Client.
2. Manually configuring static BFD sessions on devices at both ends. For details, see
2.4.5.2.1 Creating a Static BFD Session.
The neighbor relationship can be successfully negotiated only if static BFD sessions
(excluding auto-negotiated static sessions), must be specified with local and remote
discriminators.
When one end of the BFD session is the DHCP client, the next hop of the static BFD
session needs to be specified as nexthop dhcp. That is, when the device acts as the
DHCP client, the obtained gateway address serves as the next-hop IP address for
forwarding BFD packets.
For the peer DHCP client for BFD interworking, you need to specify the peer IP address
in the static BFD session as the IP address of the DHCP client. If the IP address obtained
by the DHCP client changes, you need to re-create a BFD session.
Context
In dual-uplink networking, if active/standby switchover between links is required, the active
link must be assigned a high-priority route. The smaller the value, the higher the priority.
When the device acts as the DHCP client, the priority of the default route obtained from the
DHCP server is 245. In dual-uplink networking, if the active link is in DHCP mode and the
standby link is in 4G LTE mode, the route priority of the standby link must be larger than 245.
Thereby, in DHCP-BFD interworking, the system disconnects the DHCP link upon
identifying its fault. In this way, traffic is switched to the standby link.
NOTE
To implement DHCP-BFD interworking, you need to only configure the device serving as the DHCP
client.
Procedure
Step 1 Access the system view.
system-view
----End
Prerequisites
Before configuring BFD for RIP, complete the following tasks:
Context
Generally, RIP uses timers to receive and send Update messages to maintain neighbor
relationships. If a RIP device does not receive an Update message from a neighbor after the
Age timer expires, the RIP device will announce that this neighbor goes Down. The default
value of the Age timer is 180s. If a link fault occurs, RIP can detect this fault after 180s. If
high-rate data services are deployed on a network, a great deal of data will be lost during the
aging time.
BFD provides millisecond-level fault detection. It can rapidly detect faults in protected links
or nodes and report them to RIP. This speeds up RIP processes' response to network topology
changes and achieves rapid RIP route convergence.
In BFD for RIP, BFD session establishment is triggered by RIP. When establishing a neighbor
relationship, RIP will send detection parameters of the neighbor to BFD. Then, a BFD session
will be established based on these detection parameters. If a link fault occurs, the local RIP
process will receive a neighbor unreachable message within seconds. Then, the local RIP
device will delete routing entries in which the neighbor relationship is Down and use the
backup path to transmit messages.
Either of the following methods can be used to configure BFD for RIP:
l Enable BFD in a RIP process: This method is recommended when BFD for RIP needs to
be enabled on most RIP interfaces.
l Enable BFD on RIP interfaces: This method is recommended when BFD for RIP needs
to be enabled on a small number of RIP interfaces.
Procedure
l Enable BFD in a RIP process.
a. Access the system view.
system-view
b. Enable BFD.
bfd
If BFD is enabled globally, RIP will use default BFD parameters to establish BFD
sessions on all the interfaces where RIP neighbor relationships are in the Up state.
BFD parameter values are determined by the actual network situation and network
reliability requirement.
n If links have a high reliability requirement, reduce the interval at which BFD
packets are sent.
n If links have a low reliability requirement, increase the interval at which BFD
packets are sent.
Running the bfd all-interfaces command changes BFD session parameters on all
RIP interfaces. The default detection multiplier and interval at which BFD packets
are sent are recommended.
g. (Optional) Perform the following operations to prevent an interface in the RIP
process from establishing BFD sessions:
n Run the quit command to return to the system view.
n Run the interface interface-type interface-number command to access the
view of a specified interface.
n Run the rip bfd block command to prevent the interface from establishing
BFD sessions.
l Enable BFD on RIP interfaces.
a. Access the system view.
system-view
b. Enable BFD.
bfd
e. Enable BFD.
rip bfd enable
----End
Prerequisites
Before you configure BFD-OSPF interworking, complete the following tasks on devices at
both ends:
l Setting the IP addresses of interfaces to ensure reachable adjacent nodes.
l Configuring basic OSPF functions to enable neighbor relationship in Full state. For
details, see 5.6.5 OSPF Configuration Using the CLI.
l Configure global BFD functions, including enabling BFD and adjusting global
parameters. For details, see 2.4.5.1 Configuring Global BFD Functions.
Context
NOTE
You can select one of the following modes to configure BFD-OSPF interworking:
l Enable BFD in the OSPF process.
To enable BFD on all interfaces in the OSPF process, enable BFD on all interfaces of
devices at both ends of the link where the BFD session is to be established.
l Enable BFD on the interface.
The priority of BFD on the interface is higher than that of BFD in the OSPF process.
To enable BFD on certain interfaces or enable certain interfaces to rapidly identify link
faults in the case that BFD is enabled in the OSPF process, you can enable BFD on the
specified interface.
Procedure
Step 1 Access the system view.
system-view
After BFD is enabled in the OSPF process, BFD sessions are created on all
interfaces whose neighbor status is Full in the process.
c. (Optional) Configure BFD session parameters.
bfd all-interfaces { detect-multiplier multiplier-value | min-rx-
interval receive-interval | min-tx-interval transmit-interval } *
After BFD is enabled on all interfaces in the OSPF process, you can run this
command on certain interfaces to reduce monitored links. This improves
performance.
l Enable BFD on the interface.
a. Access the interface view.
interface interface-type interface-number
----End
Prerequisites
Before you configure BFD-BGP interworking, complete the following tasks on devices at
both ends:
Context
As technologies develop, voice and video services are widely applied. These services are
sensitive to the packet loss and delay. BGP periodically sends Keepalive packets to its peers
to detect the status of its peers. The detection mechanism, however, takes more than one
second. When the data transmission rate reaches the level of Gbit/s, such slow detection will
cause a large amount of data to be lost. As a result, the requirement for high reliability of
carrier-class networks cannot be met.
BFD for BGP can be used to reduce packet loss and delay. BFD for BGP detects faults on
links between BGP peers within 50 milliseconds. The fast detection speed ensures fast BGP
route convergence and minimizes traffic loss.
Procedure
Step 1 Access the system view.
system-view
Step 3 (Optional) Access the BGP-VPN instance IPv4 address family view.
ipv4-family vpn-instance vpn-instance-name
NOTE
BFD for BGP can be configured for the VPN in this view. To configure BFD for BGP for the public
network, skip this step.
NOTE
The BFD parameters of peers take precedence over those of peer groups. If BFD parameters are
configured on peers, they will be used in BFD session establishment.
The default interval for transmitting BFD packets and the default detection multiplier are
recommended. When changing the default values, pay attention to the network status and the
network reliability requirement. A short interval for transmitting BFD packets can be
configured for a link that has a higher reliability requirement. A long interval for transmitting
BFD packets can be configured for a link that has a lower reliability requirement.
NOTE
There are three formulas: Actual interval for the local device to send BFD packets = max {Locally
configured interval for transmitting BFD packets, Remotely configured interval for receiving BFD
packets}, Actual interval for the local device to receive BFD packets = max {Remotely configured
interval for transmitting BFD packets, Locally configured interval for receiving BFD packets}, and
Local detection period = Actual interval for receiving BFD packets x Remotely configured BFD
detection multiplier.
For example:
l On the local device, the configured interval for transmitting BFD packets is 200 ms, the interval for
receiving BFD packets is 300 ms, and the detection multiplier is 4.
l On the peer device, the configured interval for transmitting BFD packets is 100 ms, the interval for
receiving BFD packets is 600 ms, and the detection multiplier is 5.
Then:
l On the local device, the actual interval for transmitting BFD packets is 600 ms calculated by using
the formula max {200 ms, 600 ms}; the interval for receiving BFD packets is 300 ms calculated by
using the formula max {100 ms, 300 ms}; the detection period is 1500 ms calculated by multiplying
300 ms by 5.
l On the peer device, the actual interval for transmitting BFD packets is 300 ms calculated by using
the formula max {100 ms, 300 ms}; the interval for receiving BFD packets is 600 ms calculated by
using the formula max {200 ms, 600 ms}; the detection period is 2400 ms calculated by multiplying
600 ms by 4.
wtr wtr-value can be specified in the command to suppress frequent BFD and BGP session
flapping caused by link flapping. If a BFD session over a link goes Down, it does not go Up
immediately after the link recovers. Instead, the BFD session waits for the WTR timer to
expire before going Up. If the link fails again before the WTR timer expires, BFD does not
send a link fault message to BGP, and the BGP session status is stabilized.
The default value of wtr-value is 0, which means that the WTR timer will not be started.
Step 5 Enable BFD for the peer or peer group and create a BFD session using default parameters.
peer { group-name | ipv4-address } bfd enable [ single-hop-prefer ]
If a peer joins a peer group enabled with BFD, the peer inherits the BFD configuration of the
group and creates a BFD session. To prevent the peer from inheriting the BFD function of the
peer group, perform this step.
NOTE
The peer bfd block command and the peer bfd enable command are mutually exclusive. After the peer
bfd block command is run, the BFD session is automatically deleted.
----End
Prerequisites
Before you configure BFD-BGP4+ interworking, complete the following tasks on devices at
both ends:
l Setting the IP addresses of interfaces to ensure reachable adjacent nodes.
l Configuring basic BGP4+ functions to enable neighbor relationship in Full state. For
details, see 5.11.3 BGP4+ Configuration.
l Configure global BFD functions, including enabling BFD and adjusting global
parameters. For details, see 2.4.5.1 Configuring Global BFD Functions.
Context
BFD can rapidly detect IPv6 forwarding failures. By adopting the BFD fast detection
mechanism, an IPv6 network can transmit voice services, video services, and VoD services
with high QoS. This enables service provides to provide their customers with highly available
and reliable voice over IP (VoIP) and other real-time services.
BGP periodically sends Keepalive messages to the peer to detect faults on the neighbor. This
mechanism, however, takes more than one second to detect a fault. When the data rate is up to
Gbit/s, the detection mechanism causes a great packet loss. This mechanism fails to meet the
requirement on the reliability of core networks.
BGP introduces BFD for BGP4+. The fast detection mechanism of BFD can faster detect
faults on the links between BGP peers. The convergence of networks therefore speeds up.
Procedure
Step 1 Access the system view.
system-view
Step 3 (Optional) Access the BGP-VPN instance IPv6 address family view.
ipv6-family vpn-instance vpn-instance-name
NOTE
BFD for BGP can be configured for the VPN in this view. To configure BFD for BGP for the public
network, skip this step.
Step 4 Enable BFD for the peer or peer group and create a BFD session using default parameters.
peer { group-name | ipv6-address } bfd enable [ single-hop-prefer ]
NOTE
The BFD parameters of peers take precedence over those of peer groups. If BFD parameters are
configured on peers, they will be used in BFD session establishment.
The default interval for transmitting BFD packets and the default detection multiplier are
recommended. When changing the default values, pay attention to the network status and the
network reliability requirement. A short interval for transmitting BFD packets can be
configured for a link that has a higher reliability requirement. A long interval for transmitting
BFD packets can be configured for a link that has a lower reliability requirement.
NOTE
There are three formulas: Actual interval for the local device to send BFD packets = max {Locally
configured interval for transmitting BFD packets, Remotely configured interval for receiving BFD
packets}, Actual interval for the local device to receive BFD packets = max {Remotely configured
interval for transmitting BFD packets, Locally configured interval for receiving BFD packets}, and
Local detection period = Actual interval for receiving BFD packets x Remotely configured BFD
detection multiplier.
For example:
l On the local device, the configured interval for transmitting BFD packets is 200 ms, the interval for
receiving BFD packets is 300 ms, and the detection multiplier is 4.
l On the peer device, the configured interval for transmitting BFD packets is 100 ms, the interval for
receiving BFD packets is 600 ms, and the detection multiplier is 5.
Then:
l On the local device, the actual interval for transmitting BFD packets is 600 ms calculated by using
the formula max {200 ms, 600 ms}; the interval for receiving BFD packets is 300 ms calculated by
using the formula max {100 ms, 300 ms}; the detection period is 1500 ms calculated by multiplying
300 ms by 5.
l On the peer device, the actual interval for transmitting BFD packets is 300 ms calculated by using
the formula max {100 ms, 300 ms}; the interval for receiving BFD packets is 600 ms calculated by
using the formula max {200 ms, 600 ms}; the detection period is 2400 ms calculated by multiplying
600 ms by 4.
wtr wtr-value can be specified in the command to suppress frequent BFD and BGP session
flapping caused by link flapping. If a BFD session over a link goes Down, it does not go Up
immediately after the link recovers. Instead, the BFD session waits for the WTR timer to
expire before going Up. If the link fails again before the WTR timer expires, BFD does not
send a link fault message to BGP, and the BGP session status is stabilized.
The default value of wtr-value is 0, which means that the WTR timer will not be started.
Step 6 (Optional) Disable the peer from inheriting the BFD function of the peer group to which it
belongs.
peer ipv6-address bfd block
If a peer joins a peer group enabled with BFD, the peer inherits the BFD configuration of the
group and creates a BFD session. To prevent the peer from inheriting the BFD function of the
peer group, perform this step.
NOTE
The peer bfd block command and the peer bfd enable command are mutually exclusive. After the peer
bfd block command is run, the BFD session is automatically deleted.
----End
Prerequisites
Before you configure BFD-IS-IS interworking, complete the following tasks on devices at
both ends:
l Configuring basic IS-IS functions to enable neighbor relationship in Full state. For
details, see 5.8.3 IS-IS Configuration.
l Configure global BFD functions, including enabling BFD and adjusting global
parameters. For details, see 2.4.5.1 Configuring Global BFD Functions.
l To configure static BFD interworking with IS-IS, manually configure static BFD
sessions first. For details, see 2.4.5.2.1 Creating a Static BFD Session.
Context
Connection status between an IS-IS device and its neighbors can be monitored by exchanging
Hello packets at intervals. The minimum allowable sending interval is 3s, and a neighbor is
declared Down after at least three intervals during which no response Hello packet is received
from the neighbor. IS-IS takes more than one second to detect that a neighbor becomes Down,
resulting in loss of a large amount of high-speed data.
To solve this problem, BFD must be configured for IS-IS. BFD provides millisecond-level
fault detection. After detecting a link or node failure, BFD will notify IS-IS of the failure,
accelerating the IS-IS route convergence speed.
A static BFD session can only be established and released manually. A configuration error
will lead to a BFD failure. For example, if a local or remote discriminator is incorrectly
configured, a BFD session will not work properly.
Dynamic BFD for IPv4 IS-IS implements dynamic setup of BFD sessions. When a new IS-IS
neighbor relationship is set up, BFD is notified of the neighbor parameters and the detection
parameters (including source and destination IP addresses). Then a BFD session will be
established based on the received neighbor parameters. Dynamic BFD is more flexible than
static BFD.
Procedure
l Enable static BFD on an interface.
a. Access the system view.
system-view
b. Access the interface view.
system-view
b. Access the IS-IS view.
isis [ process-id
c. Enable BFD for IS-IS.
After BFD is enabled globally and the neighbor status becomes Up, IS-IS adopts
default BFD parameters to establish BFD sessions on all interfaces.
d. (Optional) Set the parameters for establishing BFD sessions for all interfaces.
bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-
interval | detect-multiplier multiplier-value } *
The command execution result is applicable to BFD session parameters on all IS-IS
interfaces.
e. Return to the system view.
quit
To disable the BFD function on an interface, run the isis bfd block command in the
interface view to disable the interface from establishing BFD sessions.
l Enable dynamic BFD on an IPv4 interface.
a. Access the system view.
system-view
b. Access the interface view.
interface interface-type interface-number
c. Enable BFD.
isis bfd enable
After BFD is configured globally and the neighbor status is Up (on a broadcast
network, DIS is in the Up state), default BFD parameters will be used to establish
BFD sessions on the specified interface.
d. (Optional) Configure BFD session parameters.
isis bfd { min-rx-interval receive-interval | min-tx-interval transmit-interval |
detect-multiplier multiplier-value } *
NOTE
The priority of BFD configured on an interface is higher than that of BFD configured for a
process. If BFD session parameters are configured for both a process and an interface, the
parameters on the interface will be used to establish a dynamic BFD session.
----End
NOTE
You can view the information about BFD session statistics and BFD sessions only after parameters for
BFD sessions are specified and BFD sessions are successfully created.
Check the configuration of display bfd configuration { all | dynamic | peer-ip peer-ip
the BFD session. [ vpn-instance vpn-instance-name ] | static [ name cfg-
name ] | static-auto } [ verbose ]
Check statistics on BFD display bfd statistics session { all | discriminator local-
sessions. discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-
instance-name ] | static | static-auto }
NOTICE
BFD statistics cannot be restored after you clear them. Therefore, perform the operation with
caution.
Debugging BFD
When a BFD running fault occurs, you can run the debugging commands in the user view to
debug BFD, view the debugging information, and locate and analyze the fault.
Before you enable debugging functions, run the terminal monitor and terminal debugging
commands in the user view to enable terminal information display and debugging information
display on the terminal.
Enabling debugging functions will deteriorate system performance. After debugging
processes are complete, run the undo debugging all command in a timely manner to disable
the debugging functions.
For the description of debugging commands, refer to the Debugging Reference.
2.4.6.1 CLI: Example for Configuring Interworking Between BFD and Hot
Standby
Introduce the example for configuring interworking between BFD and hot standby according
to the example for configuring active/standby mode.
Network Requirements
The FW is deployed on the service node as a security device. Upstream and downstream
devices are routers. FW_A and FW_B work in active/standby mode
Figure 2-103 shows the networking diagram. The detailed description is as follows:
l OSPF is applied among the router and two FWs. The router sends service packets to the
Active FW according to the route calculation result.
l FW monitor the network egress through the interworking function between BFD and hot
standby. When the network egress on the link where FW_A resides is down, FW_B can
switch to active device and the service packets are sent to FW_B.
Figure 2-103 Networking diagram of the example for configuring interworking between BFD
and hot standby
FW_A
GE1/0/1 GE1/0/3
10.100.10.2/24 10.100.30.2/24 Router_A
192.168.1.0/24
1.1.1.2
GE1/0/2
10.100.50.2/24 GE1/0/2
10.100.50.3/24
2.2.2.2
Procedure
Step 1 Configure the hot standby function on FW_A.
# Set an IP address for GigabitEthernet 1/0/1.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.100.10.2 24
[FW_A-GigabitEthernet1/0/1] quit
# Enable the function of adjusting the related cost value of OSPF according to the HRP status.
NOTICE
When the FW is deployed on the OSPF network to work in dual-system hot backup mode,
this command must be configured.
# Enable HRP.
[FW_A] hrp enable
The configuration on the FW_B is similar to that on the FW_A. The differences are as
follows:
Step 3 Configure IP addresses and OSPF on the router to ensure the network is reachable. For
detailed configuration commands, refer to documents related to the router.
Step 4 Configure security policy to ensure that the users on network segment 192.168.1.0/24 can
access the Untrust zone.
# Configure BFD session 1 with peer IP address 1.1.1.2, local discriminator 10, and remote
discriminator 20 on FW_A.
HRP_M[FW_A] bfd
HRP_M[FW_A-bfd] quit
HRP_M[FW_A] bfd 1 bind peer-ip 1.1.1.2
HRP_M[FW_A-bfd-session-1] discriminator local 10
HRP_M[FW_A-bfd-session-1] discriminator remote 20
HRP_M[FW_A-bfd-session-1] commit
HRP_M[FW_A-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.30.2, local discriminator 20, and
remote discriminator 10 on Router_A.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 2.2.2.2, local discriminator 10, and remote
discriminator 20 on FW_B.
HRP_S[FW_B] bfd
HRP_S[FW_B-bfd] quit
HRP_S[FW_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[FW_B-bfd-session-1] discriminator local 10
HRP_S[FW_B-bfd-session-1] discriminator remote 20
HRP_S[FW_B-bfd-session-1] commit
HRP_S[FW_B-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.40.2, local discriminator 20, and
remote discriminator 10 on Router_B.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 1 bind peer-ip 10.100.40.2
[Router_B-bfd-session-1] discriminator local 20
[Router_B-bfd-session-1] discriminator remote 10
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit
----End
Configuration Script
Configuration script of FW_A:
#
sysname FW_A
#
bfd
#
hrp enable
hrp interface GigabitEthernet 1/0/2 remote 10.100.50.3
hrp track interface GigabitEthernet 1/0/1
hrp track interface GigabitEthernet 1/0/3
hrp track bfd-session 10
#
interface GigabitEthernet 1/0/1
ip address 10.100.10.2 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.30.2 255.255.255.0
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
2.4.6.2 CLI: Example for Configuring Interworking Between BFD and Static
Routes
If two static routes with different priorities to the same destination are configured, active and
standby links can be automatically switched through the probing over the reachability of the
gateway.
Networking Requirements
As shown in Figure 2-104, a company accesses the Internet through dual links. Static routes
are configured respectively between FW_A and FW_B as well as between FW_A and FW_C.
FW_A->FW_B is the active link, and FW_A->FW_C is the standby link. It is required that
traffic can be immediately switched to the standby link when the active link is faulty, and it
can be also switched back after the active link is recovered.
Figure 2-104 Networking diagram of configuring interworking between BFD and static
routes
ion FW_B
ss
Se /1 GE
D 1/0 24 19 1/0/
BF E
G .2/ 2.1 2
1 68
0 .1. .1.
1 1 /24
/1
1/0 /24
GE .1.1.1
10
GE
10 1/0/
.1. 2
2.1
4
FW_A /2
/2
4
10 GE1
1
16 1
2.
2. /0/
.1.
2.2 /0/2
8.
19 E1
/24
G
FW_C
Configuration Roadmap
The roadmap is as follows:
1. Configure static routes to different destinations between FW_A and FW_B as well as
between FW_A and FW_C. Configure the priorities for the routes, distinguishing the
active and standby links.
2. To better switch traffic on the active link, manually configure the BFD function between
FW_A and FW_B.
Procedure
Step 1 Configure FW_A.
NOTE
This example describes only major BFD-related configurations, with IP address and security zone
configurations omitted.
# Configure a static route, and set the priority of the static route between FW_A and FW_C to
100. In this case, FW_A->FW_B is the active link, and FW_A->FW_C is the standby link.
<FW_A> system-view
[FW_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2
[FW_A] ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
----End
Configuration Verification
1. After the configurations are complete, view the information in the routing table.
# Run the display ip routing-table command on FW_A. In the routing table, there are
two static routes to different destinations.
<FW_A> display ip routing-table
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
Routing Tables:
Public
Destinations : 8 Routes :
8
If the Pre field has a smaller value, the route to destination IP address 192.168.1.0/24
has a higher priority, and serves as the active link. When the link is normal, traffic is
forwarded from this link.
2. View the BFD session status on FW_A or FW_B.
# Run the display bfd session all command. You can view that the status of the BFD
session is Up. The following uses the information that is displayed on FW_A as an
example.
<FW_A> display bfd session all
------------------------------------------------------------------------------
--
Local Remote Peer IP Address Interface Name State
Type
------------------------------------------------------------------------------
--
10 20 10.1.1.2 -- Up
Static
------------------------------------------------------------------------------
--
Routing Tables:
Public
Destinations : 5 Routes :
5
When you check the routing table on FW_A, you can view that the static route to
192.168.1.0/24 is deleted and the standby link is used in this case.
After the undo shutdown command is configured, the active link is recovered, and the
static route to 192.168.1.0/24 is added to the routing table again.
Configuration Scripts
l Configuration scripts of FW_A
#
sysname FW_A
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.1.2.1 255.255.255.0
#
bfd ab bind peer-ip
10.1.1.2
discriminator local
10
discriminator remote
20
commit
#
ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
#
return
Networking Requirements
As shown in Figure 2-105, FW_A carries main services of an enterprise and OSPF runs
between FW_B and FW_C. The link from FW_A to FW_B is an active link, whereas the link
from FW_A, FW_C, to FW_B is a standby link. It is required that traffic can be immediately
switched to the standby link when the active link is faulty, and it can be also switched back
after the active link is recovered.
FW_A FW_B
Loopback 0 BFD Session Loopback 0
172.16.1.1/32 172.16.1.2/32
GE1/0/3 GE1/0/1 GE1/0/1
192.168.1.1/24 10.1.1.1/24 10.1.1.2/24
.1 /2
G 0.1
.2 /0
E1 .3
4
1
.1 E1
/2
/0 .1/2
10
G
G .3.2
4
/2 4
.2 1
E1 /2
/2
.1 /0/
.1
.2
/0 4
10 E1
10
/2
G
Loopback 0
172.16.1.3/32
FW_C
Area 0
Configuration Roadmap
The configuration roadmap is as follows:
1. OSPF runs among FW_A, FW_B, and FW_C. The OSPF neighbor status is Full.
2. To monitor the active link, enable BFD for the OSPF process on each device.
3. To better switch traffic on the active link, enable BFD between FW_A and FW_B.
Procedure
Step 1 Configure FW_A.
NOTE
This example describes only major BFD-related configurations, with IP address and security zone
configurations omitted.
# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiple to 4.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ospf bfd enable
[FW_A-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
[FW_A-GigabitEthernet1/0/1] quit
# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiple to 4.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ospf bfd enable
[FW_B-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
[FW_B-GigabitEthernet1/0/1] quit
----End
Configuration Verification
1. After configurations are complete, view the next-hop address of the external route in the
OSPF process on FW_B, to determine whether to use the active link.
# Run the display ospf routing command. You can view the next hop of 192.168.1.1 is
10.1.1.1. In this case, the active link is used.
<FW_B> display ospf routing
Routing for
Network
Destination Cost Type NextHop AdvRouter
Area
10.1.3.0/24 2 Transit 10.1.1.1 172.16.1.3
0.0.0.0
10.1.3.0/24 2 Transit 10.1.2.2 172.16.1.3
0.0.0.0
10.1.2.0/24 1 Transit 10.1.2.1 172.16.1.3
0.0.0.0
172.16.1.3/32 2 Stub 10.1.2.2 172.16.1.3
0.0.0.0
172.16.1.2/32 1 Stub 172.16.1.2 172.16.1.2
0.0.0.0
10.1.1.0/24 1 Transit 10.1.1.2 172.16.1.2
0.0.0.0
172.16.1.1/32 2 Stub 10.1.1.1 172.16.1.1
0.0.0.0
192.168.1.0/24 2 Stub 10.1.1.1 172.16.1.1 0.0.0.0
Total Nets:
8
Intra Area: 8 Inter Area: 0 ASE: 0 NSSA:
0
2. View the OSPF neighbor status on one device. The following uses the information
displayed on FW_A as an example.
# Run the display ospf peer command to view the OSPF neighbor status. You can view
that OSPF neighbor status is Full. Therefore, the BFD session is automatically
established after BFD for the OSPF process is enabled.
<FW_A> display ospf peer
Neighbors
00:20:00
Authentication Sequence:
[ 0 ]
Neighbors
# Run the display ospf bfd session all command. You can view that the status of the
BFD session is Up.
<FW_B> display ospf bfd session all
NeighborId:172.16.1.1 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/1
BFDState:up rx :1000 tx :
1000
Multiplier:3 BFD Local Dis:8192 LocalIpAdd:
10.1.1.2
RemoteIpAdd:10.1.1.1 Diagnostic
Info:Init
NeighborId:172.16.1.3 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/2
BFDState:up rx :1000 tx :
1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:
10.1.2.1
RemoteIpAdd:10.1.2.2 Diagnostic
Info:Init
NeighborId:172.16.1.2 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/1
BFDState:up rx :500 tx :
500
Multiplier:4 BFD Local Dis:8192 LocalIpAdd:
10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic
Info:Init
NeighborId:172.16.1.3 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/2
BFDState:up rx :1000 tx :
1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:
10.1.3.1
RemoteIpAdd:10.1.3.2 Diagnostic Info:Init
Routing for
Network
Destination Cost Type NextHop AdvRouter
Area
10.1.3.0/24 2 Transit 10.1.2.2 172.16.1.3
0.0.0.0
10.1.2.0/24 1 Transit 10.1.2.1 172.16.1.3
0.0.0.0
172.16.1.3/32 2 Stub 10.1.2.2 172.16.1.3
0.0.0.0
172.16.1.2/32 1 Stub 172.16.1.2 172.16.1.2
0.0.0.0
172.16.1.1/32 3 Stub 10.1.2.2 172.16.1.1
0.0.0.0
192.168.1.0/24 3 Stub 10.1.2.2 172.16.1.1 0.0.0.0
Total Nets:
6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA:
0
# Run the undo shutdown command on GigabitEthernet 1/0/1 of FW_A. The traffic is
switched to the active link. 1 shows the routing table.
Configuration Scripts
l Configuration scripts of FW_A
#
sysname FW_A
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.1 255.255.255.0
ospf bfd
enable
ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier
4
#
interface GigabitEthernet 1/0/2
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 192.168.1.1 255.255.255.0
#
interface Loopback 0
ip address 172.16.1.1 255.255.255.255
#
ospf
100
bfd all-interfaces
enable
area
0.0.0.0
network 172.16.1.1
0.0.0.0
network 10.1.1.0
0.0.0.255
network 10.1.3.0
0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
ospf
100
bfd all-interfaces
enable
area
0.0.0.0
network 172.16.1.2
0.0.0.0
network 10.1.1.0
0.0.0.255
network 10.1.2.0
0.0.0.255
#
return
#
interface Loopback 0
ip address 172.16.1.3 255.255.255.255
#
ospf
100
bfd all-interfaces
enable
area
0.0.0.0
network 172.16.1.3
0.0.0.0
network 10.1.2.0
0.0.0.255
network 10.1.3.0
0.0.0.255
#
return
Networking Requirements
As shown in Figure 2-106, an enterprise has departments A and B. Departments A and B,
acting as service departments, generate heavy traffic and require different links for traffic
balancing. In addition, the departments require high stability and service continuity.
To meet their requirements, the enterprise has two links (ISP1 and ISP2) to access the
Internet. The two links share the traffic and can back up for each other to ensure service
continuity.
The requirements are as follows:
l Department A resides on network segment 10.1.0.0/16 and its packets pass through link
ISP1 in normal cases.
l Department B resides on network segment 10.2.0.0/16 and its packets pass through link
ISP2 in normal cases.
l The links of departments A and B are mutually backed up. When the link (active link) of
a department is faulty, traffic is switched to the link (standby link) of another department.
Figure 2-106 Networking diagram of configuring interworking between PBR and BFD
PC
BFD session 1
ISP1 Router_A
Department A GE1/0/1 1.1.2.1/24
GE1/0/3
10.1.0.1/16 1.1.2.2/24
PC
PC PC FW
Configuration Roadmap
NOTE
This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and FW) required by the FW for providing Internet access.
Procedure
Step 1 Configure the FW.
NOTE
This example describes only major BFD-related configurations, with IP address and security zone
configurations omitted.
1. Configure static BFD sessions.
# Configure BFD session 1 with peer IP address 1.1.2.1, local discriminator 10, and
remote discriminator 20.
[FW] bfd
[FW-bfd] quit
[FW] bfd 1 bind peer-ip 1.1.2.1
[FW-bfd-session-1] discriminator local 10
[FW-bfd-session-1] discriminator remote 20
[FW-bfd-session-1] commit
[FW-bfd-session-1] quit
# Configure BFD session 2 with peer IP address 1.1.3.1, local discriminator 30, and
remote discriminator 40.
[FW] bfd 2 bind peer-ip 1.1.3.1
[FW-bfd-session-2] discriminator local 30
[FW-bfd-session-2] discriminator remote 40
[FW-bfd-session-2] commit
[FW-bfd-session-2] quit
[FW] policy-based-route
[FW-policy-pbr] rule name A_1
[FW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[FW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[FW-policy-pbr-rule-A_1] action no-pbr
[FW-policy-pbr-rule-A_1] quit
# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 1.1.2.1.
[FW-policy-pbr] rule name A_2
[FW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-A_2] source-address 10.1.0.0 16
[FW-policy-pbr-rule-A_2] action pbr next-hop 1.1.2.1
# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not pbr.
[FW-policy-pbr] rule name B_1
[FW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[FW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[FW-policy-pbr-rule-B_1] action no-pbr
[FW-policy-pbr-rule-B_1] quit
# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next-hop 1.1.3.1.
[FW-policy-pbr] rule name B_2
[FW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[FW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[FW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1
# Configure a default route, set the next hop to 1.1.3.1/24, and associate the route with
BFD session 2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2
# Configure BFD session 2 with peer IP address 1.1.3.2, local discriminator 40, and remote
discriminator 30.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 2 bind peer-ip 1.1.3.2
[Router_B-bfd-session-1] discriminator local 40
[Router_B-bfd-session-1] discriminator remote 30
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit
----End
Configuration Verification
1. When active links are reachable, packets from department A are forwarded by the FW to
ISP1, and those from department B are forwarded by the FW to ISP2.
# Run the display bfd session all command. You can view that BFD sessions are created
and they are in Up state.
[FW] display bfd session all
------------------------------------------------------------------------------
--
Local Remote Peer IP Address Interface Name State
Type
------------------------------------------------------------------------------
--
10 20 1.1.2.1 -- Up
Static
30 40 1.1.3.1 -- Up
Static
------------------------------------------------------------------------------
--
# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1
# Run the ping 1.1.3.1 command in department B. The ping succeeds. Then run the ping
1.1.2.1 command. The ping fails.
C:\Documents and Settings\DepartB>ping 1.1.3.1
3. When active links restore to normal, the FW forwards all packets to the active links. The
following uses active link ISP1 of department A as an example.
# Run the display bfd session all command. The status of the BFD session of the link
where department A resides is Up.
[FW] display bfd session all
------------------------------------------------------------------------------
--
Local Remote Peer IP Address Interface Name State
Type
------------------------------------------------------------------------------
--
10 20 1.1.2.1 -- Up
Static
30 40 1.1.3.1 -- Up
Static
------------------------------------------------------------------------------
--
# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1
4. Departments A and B can communicate with each other. In the following example, the
user in department A pings that in department B.
C:\Documents and Settings\DepartA>ping 10.2.0.111
Configuration Scripts
l Configuration scripts of FW
#
sysname FW
#
bfd
#
interface GigabitEthernet1/0/1
ip address 10.1.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/3
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 1.1.3.2 255.255.255.0
#
bfd 1 bind peer-ip 1.1.2.1
discriminator local 10
discriminator remote 20
commit
#
bfd 2 bind peer-ip 1.1.3.1
discriminator local 30
discriminator remote 40
commit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2
#
policy-based-
route
rule name
A_1
ingress-interface
GigabitEthernet1/0/1
source-address 10.1.0.0
16
destination-address 10.2.0.0
16
action no-
pbr
rule name
A_2
ingress-interface
GigabitEthernet1/0/1
source-address 10.1.0.0
16
track bfd-session
10
action pbr next-hop
1.1.2.1
rule name
B_1
ingress-interface
GigabitEthernet1/0/2
source-address 10.2.0.0
16
destination-address 10.1.0.0
16
action no-
pbr
rule name
B_2
ingress-interface
GigabitEthernet1/0/2
source-address 10.2.0.0
16
track bfd-session
30
action pbr next-hop 1.1.3.1
#
return
Networking Requirements
As shown in Figure 2-107, the router is the gateway of a building. All enterprises in the
building access the Internet through the router. FW acts as the gateway of an enterprise in the
building. To ensure network continuity, the enterprise uses the dual-uplink networking. The
active link accesses the Internet through DHCP, that is, FW as the DHCP client accesses the
Internet by obtaining the IP address from the DHCP server. The standby link accesses the
Internet through PPPoE.
Because the DHCP client cannot sense link reachability, FW cannot switch the traffic to the
standby link in the event of link faults. To interwork with BFD, check the availability of the
link where the DHCP client resides. Upon link faults, service traffic is rapidly switched to the
standby link.
Procedure
Step 1 Configure static BFD sessions.
NOTE
This example describes only major BFD-related configurations, with IP address and security zone
configurations omitted.
# Configure BFD session 1 with peer IP address 8.8.8.1, local discriminator 10, and remote
discriminator 20.
[FW] bfd
[FW-bfd] quit
[FW] bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet 1/0/1 nexthop dhcp
[FW-bfd-session-1] discriminator local 10
[FW-bfd-session-1] discriminator remote 20
[FW-bfd-session-1] commit
[FW-bfd-session-1] quit
# Configure the default route with outbound interface Dialer 0 and route priority 255.
NOTE
When the FW acts as the DHCP client, the priority of the default route obtained from the DHCP server
is 245. When PPPoE is used for backup access, the priority of the default route must be larger than 245.
The higher the priority value, the lower the priority.
[FW] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
# Configure BFD session 1 with peer IP address 10.1.1.2, local discriminator 20, and
remote discriminator 10.
<Router> system-view
[Router] bfd
[Router-bfd] quit
[Router] bfd 1 bind peer-ip 10.1.1.2
[Router-bfd-session-1] discriminator local 20
[Router-bfd-session-1] discriminator remote 10
[Router-bfd-session-1] commit
[Router-bfd-session-1] quit
2. Configure a static route with destination IP address 10.1.1.0/24 and next hop 8.8.8.2 to
FW.
[Router] ip route-static 10.1.1.0 255.255.255.0 8.8.8.2
----End
Configuration Verification
1. When the active link is reachable, access packets are forwarded by FW to the active link.
# Run the display bfd session all command. You can view that BFD sessions are created
and they are in Up state. The following uses the information displayed on FW as an
example.
[FW] display bfd session all
------------------------------------------------------------------------------
--
Local Remote Peer IP Address Interface Name State
Type
------------------------------------------------------------------------------
--
10 20 8.8.8.1 GigabitEthernet1/0/1 Up
Static
------------------------------------------------------------------------------
--
# Run the display ip routing-table command on FW. You can view that the default
route to FW is the gateway address obtained through the DHCP server and the route
priority is 245.
[FW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
2. When the active link is faulty, FW switches the traffic to the standby link.
# Run the display bfd session all command. You can view that the status of the BFD
session is Down. The following uses the information displayed on FW as an example.
[FW] display bfd session all
------------------------------------------------------------------------------
--
Local Remote Peer IP Address Interface Name State
Type
------------------------------------------------------------------------------
--
10 20 8.8.8.1 GigabitEthernet1/0/1 Down
Static
------------------------------------------------------------------------------
--
# Run the display ip routing-table command. You can view that default route obtained
through the DHCP server is deleted and the backup default route with outbound interface
Dialer 0 is loaded to the routing table.
[FW] display ip routing-table
Route Flags: R - relay, D - download to
fib
------------------------------------------------------------------------------
Routing Tables:
Public
Destinations : 5 Routes : 5
3. When the active link recovers, run the display bfd session all command on FW. You can
view that the status of the BFD session turns to Up. Run the display ip routing-table
command. You can view that the default route to FW obtained through the DHCP server
is re-loaded to the routing table.
Configuration Scripts
l Configuration scripts of FW
#
sysname FW
#
bfd
#
interface GigabitEthernet1/0/1
ip address dhcp-alloc
dhcp client track bfd-session 10
#
bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet1/0/1 nexthop dhcp
discriminator local 10
discriminator remote 20
commit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 preference 245 track bfd-session 1
#
return
2.4.7.1 Specifications
This section describes BFD specifications.
Function Specifications
Function Sub-function Description
Dynamically changing -
BFD session parameters
Performance Specifications
Function Sub-function Specifications
Version Description
3 Virtual System
3.1 Overview
A virtual system is a logical device created on a physical device. Virtual systems are
independent from each other.
3.2 Application Scenario
This section describes the application scenarios of virtual systems.
3.3 Mechanism
This section describes the mechanism of the virtual system.
3.4 Restrictions and Precautions
This section describes the restrictions and precautions that apply to the use of virtual systems.
3.5 Deploying a Virtual System Using the Web UI
This section describes how to deploy a virtual system using the web UI as a public system
administrator.
3.6 Deploying a Virtual System Using the CLI
This section describes how to deploy a virtual system using the CLI as a public system
administrator.
3.7 Configuring Virtual System Services
This section describes how to configure services for a virtual system.
3.8 Configuration Examples
This section provides examples for configuring virtual systems in multiple application
scenarios.
3.9 Feature Reference
This section provides virtual system references.
3.10 Virtual System FAQ
This section describes frequently asked questions (FAQs) about virtual system.
3.1 Overview
A virtual system is a logical device created on a physical device. Virtual systems are
independent from each other.
A FW can be logically divided into multiple virtual systems. Each virtual system has its
resources and configurations, such as interface, address set, user/user group, and routing table
and policies, and provides the same functions as a physical system.
Virtual systems have the following features:
l Each virtual system has its own administrators and can be managed independently. With
virtual systems, a large network can be divided into smaller subnets with each being
served by a virtual system, simplifying the network management.
l Each virtual system has its own configurations and routing table so that networks
connected to different virtual systems can have overlapping private addresses.
l Each virtual system has its own resource quota so that a busy virtual system has no
impact on other virtual systems.
l The traffic of different virtual systems is separated to ensure security. However, different
virtual systems can still communicate with each other if needed.
l Virtual system technology reduces hardware investment, power consumption, and
equipment footprint.
Device Leasing
Some small enterprises cannot afford dedicated network security devices, the related license,
and after-sales services, but require network protection for service expansion. In such cases,
the network service provider or dedicated device leasing vendor can purchase a network
security device, divide this device to multiple logically independent virtual devices using the
virtual system technology, and provide security functions for different enterprises. Then
multiple enterprises share the hardware resource, but the actual traffic is isolated, which saves
the cost for purchasing and maintaining the devices and secures enterprise networks. For
network service providers and device leasing vendors, this service yields profits.
The small enterprises who lease the FW are equipped with basic firewall functions. In this
way, intranet and Internet resources are available.
As shown in Figure 3-1, enterprise A and enterprise B lease one FW. Enterprise A and
enterprise B use Virtual system A and Virtual system B respectively. Both enterprises can
access Internet.
FW
Enterprise A
Virtual system A
Enterprise B
Virtual system B
Service data flow
R&D
department
Financial
department
Administrative
department
Enterprise A Enterprise A
Virtual
system A
Enterprise B Enterprise B
Virtual
system B Service data flow
3.3 Mechanism
This section describes the mechanism of the virtual system.
Virtual System
The FW has two types of virtual systems: public system (public) and virtual system (VSYS).
l Public system (public)
The public system is a special virtual system on the FW and is available even if the
virtual system function is disabled. After the virtual system function is enabled on the
FW, the public system inherits all the configurations of the FW.
The public system manages other virtual systems and forwards data between them.
l Virtual system (VSYS)
Figure 3-4 Logical structure of the public system and virtual systems
Virtual system N
Virtual system A
Virtual system B
……
Public system
To forward, isolate, and independently manage traffic of different virtual systems, the FW
implements virtualization in the following aspects:
l Resources: Each virtual system has dedicated resources, including interfaces, VLANs,
policies, and sessions. The resources are assigned by public system administrators and
managed by virtual system administrators.
l Configuration: Each virtual system has its own configuration interface and
administrators and cannot be accessed by administrators of other virtual systems.
l Security function virtualization: Each virtual system has independent security policies
and other security functions which apply only to packets of the virtual system.
l Route virtualization: Each virtual system maintains separate routing tables, independent
and isolated from each other. Currently, only static routes are supported.
With the preceding virtualization techniques, each virtual system can function as a dedicated
firewall that is exclusively managed by its administrator.
Administrator
Administrators are classified into public system administrators and virtual system
administrators. Figure 3-5 illustrates the permissions of the two types of administrators.
system N
system A
system B
Virtual
Virtual
Virtual
system resources.
……
Public system
Basic resources, such as security zones, policies, and sessions, can be either automatically or
manually assigned to virtual systems, whereas other resources are preempted by all virtual
systems.
Resource Allocation
Table 3-1 lists the resources that are automatically and manually assigned.
New Session Rate Manually assigned The new session rate indicates the number of
new sessions a virtual system can create in one
second.
l Guaranteed value: specifies the amount of a resource committed to a virtual system and
cannot be preempted by other virtual systems.
l Maximum value: specifies the maximum allowed amount of resource that a virtual
system can have. Whether the virtual system can achieve the maximum value depends on
available resources and competition between virtual systems.
For example, 10 virtual systems are configured on the FW and the total number of sessions
available for the FW is 500,000. If virtual system A is configured with a guaranteed number
of 10,000 sessions and a maximum number of 50,000 sessions, then virtual system A can
establish 10,000 sessions without preemption. However, whether virtual system A can
establish 50,000 sessions depends on the competition of other nine virtual systems and the
public system. If the total number of sessions established by the other nine virtual systems and
the public system is less than 450,000, then virtual system A can establish a maximum
number of 50,000 sessions.
Public system administrators can assign resources to virtual systems based on their purpose.
For example, virtual system 1 connects to the zone where the enterprise servers reside to
protect the servers and virtual system 2 connects to the zone created for a department of 20
employees to control Internet access. In this case, the two virtual systems have different needs
for resources. Virtual system 1 needs more sessions than virtual system 2, but does not need
any users, whereas virtual system 2 needs a quota of 20 users but needs fewer sessions than
virtual system 1.
Resource Preemption
The following resources are preempted by all virtual systems:
l Address and address group
l Region and region group
l User-defined service and service group
l User-defined application and application group
l NAT address pool
l Schedule
l Traffic profile
l Static route
l Various types of tables, including the server-map, IP-MAC binding, ARP, and MAC
address table
GE1/0/4
Traffic sorting
GE1/0/1(VSYSA) GE1/0/3(VSYSC)
GE1/0/2(VSYSB)
10.3.0.0/24 10.3.2.0/24
10.3.1.0/24
GE1/0/2
Trunk VLAN10,20,30
Traffic sorting
GE1/0/1
Trunk VLAN10,20,30
VLAN 10 VLAN 30
VLAN 20
Virtual Interface
Virtual interfaces are logical interfaces used for inter-virtual system communication. After a
virtual system is created, the system automatically creates a virtual interface for the virtual
system. Virtual interfaces are named in the format of Virtual-if+number, with the virtual
interface of the public system numbered 0 (Virtual-if0). Other virtual interfaces are
automatically numbered from 1.
As shown in Figure 3-8, the virtual interfaces (Virtual-if1 to Virtual-ifN) of all virtual
systems are connected to the virtual interface (Virtual-if0) of the public system through a
virtual link. You can add virtual interfaces to secure zones and configure routes and security
policies to enable and control the communication between the public system and virtual
systems.
You can compare the public system to a router that forwards traffic for virtual systems.
Virtual-if2
Virtual system B Virtual-if0
Virtual interface
The communication between virtual systems and between a virtual system and the public
system is described as follows.
Figure 3-9 Communication between a virtual system and the public system
2 Forwards packets VSYSA routing table Public routing table
based on the Destination Destination Outgoing Destination Destination Outgoing
firewall processing Next hop Next hop
Address VSYS interface Address VSYS interface
flow and find the
destination VSYS in 3.3.3.3/32 public - - 3.3.3.3/32 public GE1/0/1 1.1.1.254
the routing table 10.3.0.0/24 VSYSA GE1/0/2 - 10.3.0.0/24 VSYSA - -
based on the
destination address. …… …… …… …… …… …… …… ……
4 Forwards packets based on the
firewall processing flow and find
1
Se the outgoing interface and next
req nds hop in the routing table based on
ue an a
st. cc the destination address.
e ss 3 Sends
2 Forwards 4 Forwards 5 Access the Internet.
packets.
packets. packets.
Configure routes as follows to enable communication between VSYSA and the public system:
1. Configure a static route on VSYSA. Set the destination IP address to 3.3.3.3 and
destination virtual system to public.
2. Configure a static route on the public system. Set the destination IP address to 3.3.3.3,
the outgoing interface to GE1/0/1, and the next hop to the gateway IP address obtained
from the carrier. The static routes in steps 1 and 2 are used to forward traffic from hosts
connected to VSYSA to the Internet.
3. Configure a static route on the public system. Set the destination IP address to
10.3.0.0/24 and destination virtual system to VSYSA.
4. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 3 and 4 are used to forward
traffic from the Internet to hosts connected to VSYSA.
Configure security policies as follows to enable communication between VSYSA and the
public system:
1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtual-if1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On the public system, add interface GE1/0/1 to the Untrust zone and Virtual-if0 to the
Trust zone, and configure a security policy to allow the Trust zone to access the Untrust
zone.
Network 10.3.0.0/24 is a private network. Therefore, a NAT policy must be configured for the
network to access the Internet. The NAT policy can be configured on VSYSA or the public
system, whichever the public IP addresses are configured.
1 Sends an access
Virtual
request.
system A
2 Forwards
(VSYSA)
packets. 3 Finds the outgoing
GE1/0/2 interface in the
10.3.0.0/24 Virtual-if1
routing table of the
public system.
Virtual-if0
4 Sends packets.
10.3.1.0/24 GE1/0/3 Virtual-if2
Public
5 Forwards Virtual system
packets. system B
Server 6 Access the (VSYSB)
10.3.1.3 server.
…… …… …… ……
1. Configure a static route on VSYSA. Set the destination IP address to 10.3.1.3 and
destination virtual system to public.
2. Configure a static route on the public system. Set the destination IP address to 10.3.1.3
and destination virtual system to VSYSB.
3. Configure a static route on VSYSB. Set the destination IP address to 10.3.1.3 and the
outgoing interface to GE1/0/3. The static routes in steps 1, 2, and 3 are used to forward
traffic from hosts connected to VSYSA to the server connected to VSYSB.
4. Configure a static route on VSYSB. Set the destination IP address to 10.3.0.0/24 and
destination virtual system to public.
5. Configure a static route on the public system. Set the destination IP address to
10.3.0.0/24 and destination virtual system to VSYSA.
6. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 4, 5, and 6 are used to forward
traffic from VSYSB to hosts connected to VSYSA.
1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtual-if1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On VSYSB, add interface GE1/0/3 to the Trust zone and Virtual-if2 to the Untrust zone,
and configure a security policy to allow the Untrust zone to access the Trust zone.
NOTE
The public system only forwards packets between virtual systems based on the routing table and does
not implement any security functions. Therefore, you do not need to configure any security policies on
the public system.
10.3.0.0/24 192.168.1.1
- 192.168.2.1 public -
- 192.168.2.1 VSYSB -
Restrictions
The FW provides a specific quantity of virtual systems by default. If the administrators need
more, they must purchase a license. For details, see 3.9.2 Specifications.
Most functions of the FW are available in virtual systems. For detailed function availability,
see 3.9.1 Function Availability for Virtual Systems. Table 3-2 describes the usage
restrictions for some functions available on virtual systems.
Function Restrictions
Function Restrictions
Signature database and The signature database and system software can only be
system software update updated on the public system.
Port management The ports for services, including HTTP, HTTPS, and SSH, can
only be set on the public system.
Precautions
A Layer-3 GE, VLAN, or VLANIF interface cannot be assigned in any of the following
situations:
The following configurations of an interface are automatically cleared when the interface is
assigned to a virtual system:
l IP address
l IPSec
l In exclusive mode, a public IP address can be assigned only to one virtual system. In free
mode, an public IP address can be assigned to multiple virtual systems.
l The public IP address differs from the global IP address for NAT Server in the public
system.
l The public IP address differs from the IP addresses in the NAT address pool in the public
system.
Trunk and hybrid Layer-2 interfaces and Layer-3 interfaces on which subinterfaces are created
may be simultaneously used by multiple virtual systems. Therefore, the Traffic History
displayed on the Dashboard of each virtual system is the total traffic of all virtual systems
that use the interfaces.
Virtual systems can forward only session logs and packet discard logs (excluding policy
matching logs) to the log server of the public system.
Procedure
Step 1 Access the Dashboard page. Click Configure next to Virtual System in the System
Information group area.
Step 2 Select Enable.
Step 3 Click Apply.
----End
Context
All virtual systems created on a FW share the resources available on the FW. To ensure the
availability of system resources for all virtual systems and prevent a virtual system from
overusing system resources, restrict the amount of system resources available for each virtual
system.
To do so, add a resource class, configure the system resources for the resource class, and bind
the resource class to a virtual system.
NOTE
A resource class can be bound to multiple virtual system. If multiple virtual systems require the same type
and amount of system resources, bind the same resource class to each of these virtual systems.
NOTE
Resource class r0 is bound to the public system by default and cannot be deleted or renamed.
Procedure
Step 1 Check resource usage.
Before allocating resources for virtual systems, check the available resources using a public
system administrator account.
Parameter Description
Name -
Parameter Description
----End
Context
A resource class must be specified for a virtual system to allocate resources, such as policy
and concurrent sessions quota.
In addition, public IP addresses, interfaces and VLANs must be allocated as required after a
virtual system has been added.
Procedure
Step 1 Choose System > Virtual System > Virtual System.
Step 2 Click Add. Then click the Basic Configuration tab and configure necessary parameters.
Parameter Description
Share the following IP Address Ranges: The public IP address assigned to a virtual
system can still be assigned in share mode only to other virtual systems.
After a public IP address is assigned in exclusive or share mode to a virtual system, the
public system cannot use the address any more.
Step 4 Click OK.
----End
Follow-up Procedure
After configurations are complete, perform the following operations:
l Check the created virtual system and system resources allocated to it in Virtual System
List.
l Select a virtual system in Virtual System List and click Resource Usage to view the
usage of the resources allocated to the virtual system.
l Select a virtual system and click to access the virtual system configuration page.
To delete a virtual system, select the virtual system in the Virtual System List, and click
Delete. Then, click OK in the dialog box that is displayed. All configurations of the deleted
virtual system are cleared, and all resources allocated to the virtual system are reclaimed.
Context
To enable the communication between the virtual system and public system, you need to
correctly configure the routes and security policies on the virtual system and public system,
just as on two physical devices.
Before the actual configuration, you are advised to read Communication between a virtual
system and the public system and learn about the mechanism for the communication
between a virtual system and the public system.
As shown in Figure 3-11, routes and security policies must be configured to enable the users
of vsysa to access the Internet server at IP address 3.3.3.3 through public interface GE1/0/1 of
the public system.
Figure 3-11 Communication between a virtual system and the public system
Trust Untrust
FW
GE1/0/3 GE1/0/1
10.3.0.1/24 1.1.1.1/24
10.3.0.0/24
vsysa public
ISP Gateway
1.1.1.254 3.3.3.3
Virtual interface
Procedure
Step 1 Configure routes and security policies on vsysa.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page
to access virtual system vsysa.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to the Internet as follows:
Next Hop -
Interface -
4. Click OK.
5. Choose Network > Interface.
6. Click next to the Virtual-if1 interface to set an IP address, add the interface to the
Untrust zone. The IP address can be any value as long as it does not conflict with the IP
address on any other interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtual-if1. You can view the mapping between the
virtual system and virtual interface in Interface List.
7. Choose Policy > Security Policy > Security Policy.
8. Click Add and configure a security policy as follows:
Name to_internet
Action Permit
9. Click OK.
Protocol IPv4
Interface -
4. Click OK.
5. Repeat the preceding step and configure a static route to the users of vsysa.
Protocol IPv4
Next Hop -
Interface -
7. Click next to the Virtual-if0 interface to set an IP address, add the interface to the
Trust zone. The IP address can be any value as long as it does not conflict with the IP
address on any other interface.
8. Choose Policy > Security Policy > Security Policy.
9. Click Add and configure a security policy as follows:
Name vsys_to_internet
Action Permit
----End
Context
As shown in Figure 3-12, users of virtual system vsysa must use the public system to access
the server connected to virtual system vsysb. The public system acts as a router that connects
both virtual systems and forwards packets from one virtual system to the other.
Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.
Trust FW
GE1/0/3
10.3.0.1/24
10.3.0.0/24 vsysa
Virtual interface
Trust
GE1/0/4 public
10.3.1.0/24 10.3.1.1/24
vsysb
10.3.1.3
Procedure
Step 1 Configure the routes for the communication between vsysa and vsysb on the public system.
NOTE
The public system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies in the public
system.
1. Select public in the Virtual System drop-down list at the upper right corner of the page
to access the public system.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to vsysb as follows:
Protocol IPv4
Next Hop -
Interface -
4. Click OK.
5. Repeat the preceding step and configure a static route to the users of vsysa.
Protocol IPv4
Next Hop -
Interface -
6. Click next to the Virtual-if0 interface to set an IP address, add the interface to the
Trust zone. The IP address can be any value as long as it does not conflict with the IP
address on any other interface.
Next Hop -
Interface -
4. Click OK.
5. Choose Network > Interface.
6. Click next to the Virtual-if1 interface to set an IP address, add the interface to the
Untrust zone. The IP address can be any value as long as it does not conflict with the IP
address on any other interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtual-if1. You can view the mapping between the
virtual system and virtual interface in Interface List.
7. Choose Policy > Security Policy > Security Policy.
8. Click Add and configure a security policy as follows:
Name to_server
Action Permit
9. Click OK.
Next Hop -
Interface -
4. Click OK.
5. Choose Network > Interface.
6. Click next to the Virtual-if2 interface to set an IP address, add the interface to the
Untrust zone. The IP address can be any value as long as it does not conflict with the IP
address on any other interface.
7. Choose Policy > Security Policy > Security Policy.
8. Click Add and configure a security policy as follows:
Name vsysa_to_server
Action Permit
9. Click OK.
----End
Context
Once a virtual system is created, the public system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using
the accounts of these administrators. The public system administrator can create system
administrators for a virtual system only on the configuration page of the virtual system. The
method for creating a virtual system administrator is the same as that for creating a public
system administrator.
Data Planning
Item Data
NOTE
The following assumes that vsysa has already been created and interface GE1/0/3 has already been allocated
for the virtual system as the login interface.
Procedure
Step 1 Create a virtual system administrator.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page
to access vsysa.
2. Choose System > Administrator > Administrator.
3. Click Add and set the parameters.
Password Vsysadmin@123
Role system-admin
NOTE
The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user
name configured on the authentication server does not need to carry the suffix "@@virtual system
name". For example, if the authentication server needs to authenticate administrator admin@@vsysa of
virtual system vsysa, configure user name admin on the authentication server.
NOTE
Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP
address of the administrator PC is fixed, add the IP address as a trusted host so that the administrator
can log in to the virtual system using the PC. If the IP address of the administrator PC is dynamically
allocated, do not configure any trusted hosts. Otherwise, the administrator may fail to log in to the
virtual system if the IP address of the administrator PC changes.
4. Click OK.
Step 2 Configure the login interface.
1. Choose Network > Interface.
2. Click next to GE1/0/3 and configure necessary parameters.
IP Address 10.3.0.1/255.255.255.0
NOTE
Select HTTPS in Access management so that the virtual system administrator can log in to the Web UI
over HTTPS. Another option is HTTP. However, you are advised to select HTTPS for security
reasons.
Select Ping so that the interface can be pinged to test the connectivity between the administrator PC and
the login interface.
3. Click OK.
----End
Follow-up Procedure
After the configuration is complete, you can log in to the virtual system as the virtual system
administrator as follows:
1. Open a browser and enter https://10.3.0.1:Port number. Port number indicates the port
number specified when you enable the HTTPS service.
NOTE
If the browser displays a certificate error page, ignore it and continue to the website.
2. On the login page, enter the user name (admin@@vsysa) and password
(Vsysadmin@123) of the virtual system administrator and click Login to log in to the
virtual system.
Procedure
Step 1 Access the system view and run the following command to enable the virtual system function.
vsys enable
----End
Context
All virtual systems created on a FW share the resources available on the FW. To ensure the
availability of system resources for all virtual systems and prevent a virtual system from
overusing system resources, restrict the amount of system resources available for each virtual
system.
To do so, add a resource class, configure the system resources available for the resource class,
and bind the resource class to the virtual system.
NOTE
A resource class can be bound to multiple virtual system. If multiple virtual systems require the same type
and amount of system resources, configure a single resource class and bound the resource class to each of
these virtual systems.
Procedure
Step 1 Run the following command to check resource usage.
Check the available resources as the public system administrator before allocating resources
for virtual systems.
l Guaranteed value: Minimum amount of a specified resource item available for a virtual system. Once the
amount of system resources are allocated to a virtual system, they are exclusively used by the virtual
system.
l Maximum value: Maximum allowed amount of a specified resource item available for a virtual system.
Whether the resources used by a virtual system can reach the maximum amount is determined by the
resources used by other virtual systems.
----End
Context
A resource class must be specified for a virtual system to allocate resources, such as policy
and concurrent sessions quota.
In addition, public IP addresses, interfaces and VLANs must be allocated as required after a
virtual system has been added.
Procedure
Step 1 Optional: Set the public interface in the interface view.
NOTE
set public-interface
When you configure bandwidth management, you need to set an interface as the public
interface in the public system to collect traffic statistics of virtual systems and then assign the
interface to virtual systems.
After the configuration is complete, the traffic entering virtual systems from this interface is
inbound traffic, and the traffic exiting virtual systems from this interface is outbound traffic. If
a virtual system has multiple public interfaces, the traffic entering the virtual system and the
traffic exiting the virtual system from these public interfaces is the entire traffic.
Step 2 Run the following command in the system view to create a virtual system and access the
management view of the virtual system.
vsys name vsys-name
Step 3 Optional: Run the following command to configure the description of a virtual system.
description description
The description must clearly indicate the function of the virtual system so that virtual systems
can be easily searched for.
Step 4 Bind a resource class to the virtual system.
assign resource-class resource-class-name
Step 5 Allocate public IP address, interfaces or VLANs for the added virtual system.
l Run the following command to allocate public IP addresses for the added virtual system.
assign global-ip start-address end-address { exclusive | free }
The public IP address allocated to the virtual system is applied to the NAT, NAT Server,
and interface.
After a public IP address is assigned in exclusive or free mode to a virtual system, the
public system cannot use the address any more.
l Run the following command to allocate interfaces for the added virtual system.
assign interface interface-type interface-number
The interface must be an available Layer-3 interface or subinterface.
The management interface GigabitEthernet 0/0/0 cannot be assigned to virtual system.
l Run the following command to allocate the VLAN to the added virtual system.
assign vlan vlan-id
The Layer-2 interface or VLANIF interfaces of the VLAN are also available for the
virtual system.
save [ configuration-file ]
You are advised to save the current configuration after the virtual system is created.
----End
Follow-up Procedure
After configurations are complete, perform the following:
l Run the display vsys [ verbose ] [ vsys-name ] command to view the configuration of
the created virtual system.
l Run the display resource resource-usage vsys vsys-name command to view the
resources used by the virtual system.
l Run the switch vsys vsys-name command in the system view to access the virtual system
view and configure services on the virtual system.
l Run the undo vsys name vsys-name command in the system view to delete a virtual
system. All configurations of the deleted virtual system are cleared, and all resources
allocated to the virtual system are reclaimed.
Context
To enable the communication between the virtual system and public system, you need to
correctly configure the routes and security policies on the virtual system and public system,
just as on two physical devices.
Before the actual configuration, you are advised to read Communication between a virtual
system and the public system and learn about the mechanism for the communication
between a virtual system and the public system.
As shown in Figure 3-13, routes and security policies must be configured to enable the users
of vsysa to access the Internet server at IP address 3.3.3.3 through public interface GE1/0/1 of
the public system.
Figure 3-13 Communication between a virtual system and the public system
Trust Untrust
FW
GE1/0/3 GE1/0/1
10.3.0.1/24 1.1.1.1/24
10.3.0.0/24
vsysa public
ISP Gateway
1.1.1.254 3.3.3.3
Virtual interface
Procedure
Step 1 Configure routes and security policies on vsysa.
# Access the vsysa view.
<FW> system-view
[FW] switch vsys vsysa
NOTE
Users connected to vsysa access the Internet through the public interface of the public system. Therefore, the
destination VPN of the static route must be the VPN instance named public of the public system.
<FW-vsysa> system-view
[FW-vsysa] ip route-static 3.3.3.3 32 public
# Set an IP address for the virtual interface Virtual-if1 on the virtual system vsysa and add
the interface to the Untrust zone. The IP address can be any value as long as it does not
conflict with the IP address on any other interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the
actual interface may not be Virtual-if1. To view the virtual interface of the virtual system, run display
interface brief.
[FW-vsysa] interface Virtual-if 1
[FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
[FW-vsysa-Virtual-if1] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface Virtual-if1
[FW-vsysa-zone-untrust] quit
# Configure the policies for users of vsysa to access the server on the Internet.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_internet
[FW-vsysa-policy-security-rule-to_internet] source-zone trust
[FW-vsysa-policy-security-rule-to_internet] destination-zone untrust
[FW-vsysa-policy-security-rule-to_internet] source-address 10.3.0.0 24
[FW-vsysa-policy-security-rule-to_internet] destination-address 3.3.3.3 32
[FW-vsysa-policy-security-rule-to_internet] action permit
[FW-vsysa-policy-security-rule-to_internet] quit
[FW-vsysa-policy-security] quit
# Configure a default route to the Internet and set the next hop of the default route to
1.1.1.254.
[FW] ip route-static 3.3.3.3 32 1.1.1.254
NOTE
After a virtual system is created, the FW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to
the VPN instance corresponding to the virtual system.
[FW] ip route-static 10.3.0.0 24 vpn-instance vsysa
# Set an IP address for the virtual interface Virtual-if0 on the public system and add the
interface to the Trust zone. The IP address can be any value as long as it does not conflict with
the IP address on any other interface.
[FW] interface Virtual-if 0
[FW-Virtual-if0] ip address 172.16.0.1 24
[FW-Virtual-if0] quit
[FW] firewall zone trust
[FW-zone-trust] add interface Virtual-if0
[FW-zone-trust] quit
# Configure the policies for users of vsysa to access the server on the Internet.
[FW] security-policy
[FW-policy-security] rule name vsys_to_internet
[FW-policy-security-rule-vsysa_to_internet] source-zone trust
[FW-policy-security-rule-vsysa_to_internet] destination-zone untrust
[FW-policy-security-rule-vsysa_to_internet] source-address any
[FW-policy-security-rule-vsysa_to_internet] destination-address any
[FW-policy-security-rule-vsysa_to_internet] action permit
[FW-policy-security-rule-vsysa_to_internet] quit
[FW-policy-security] quit
----End
Context
As shown in Figure 3-14, users of virtual system vsysa must use the public system to access
the server connected to virtual system vsysb. The public system acts as a router that connects
both virtual systems and forwards packets from one virtual system to the other.
Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.
Trust FW
GE1/0/3
10.3.0.1/24
10.3.0.0/24 vsysa
Virtual interface
Trust
GE1/0/4 public
10.3.1.0/24 10.3.1.1/24
vsysb
10.3.1.3
Procedure
Step 1 Configure the routes for the communication between virtual systems vsysa and vsysb on the
public system.
NOTE
The public system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies in the public
system.
NOTE
After a virtual system is created, the FW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to
the VPN instance corresponding to the virtual system.
<FW> system-view
[FW] ip route-static 10.3.0.0 24 vpn-instance vsysa
# Set an IP address for the virtual interface Virtual-if0 on the public system and add the
interface to the Trust zone. The IP address can be any value as long as it does not conflict with
the IP address on any other interface.
[FW] interface Virtual-if 0
[FW-Virtual-if0] ip address 172.16.0.1 24
[FW-Virtual-if0] quit
[FW] firewall zone trust
[FW-zone-trust] add interface Virtual-if0
[FW-zone-trust] quit
NOTE
The traffic destined for vsysb passes the public system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the public system.
<FW-vsysa> system-view
[FW-vsysa] ip route-static 10.3.1.3 32 public
# Configure a static route to users of vsysa with interface GE1/0/3 as the outgoing interface.
[FW-vsysa] ip route-static 10.3.0.0 24 GigabitEthernet 1/0/3
# Set an IP address for the virtual interface Virtual-if1 on the virtual system vsysa and add
the interface to the Untrust zone. The IP address can be any value as long as it does not
conflict with the IP address on any other interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the
actual interface may not be Virtual-if1. To view the virtual interface of the virtual system, run display
interface brief.
[FW-vsysa] interface Virtual-if 1
[FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
[FW-vsysa-Virtual-if1] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface Virtual-if1
[FW-vsysa-zone-untrust] quit
# Configure the policies for users of vsysa to access the server connected to vsysb.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_server
[FW-vsysa-policy-security-rule-to_internet] source-zone trust
[FW-vsysa-policy-security-rule-to_internet] destination-zone untrust
[FW-vsysa-policy-security-rule-to_internet] source-address 10.3.0.0 24
[FW-vsysa-policy-security-rule-to_internet] destination-address 10.3.1.3 32
[FW-vsysa-policy-security-rule-to_internet] action permit
[FW-vsysa-policy-security-rule-to_internet] quit
[FW-vsysa-policy-security] quit
# Configure a static route to the server connected to vsysb with interface GE1/0/4 as the
outgoing interface.
<FW-vsysb> system-view
[FW-vsysb] ip route-static 10.3.1.0 24 GigabitEthernet 1/0/4
NOTE
The traffic destined for vsysa passes the public system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the public system.
[FW-vsysb] ip route-static 10.3.0.0 24 public
# Set an IP address for the virtual interface Virtual-if2 on the virtual system vsysb and add
the interface to the Untrust zone. The IP address can be any value as long as it does not
conflict with the IP address on any other interface.
[FW-vsysb] interface Virtual-if 2
[FW-vsysb-Virtual-if1] ip address 172.16.2.1 24
[FW-vsysb-Virtual-if1] quit
[FW-vsysb] firewall zone untrust
[FW-vsysb-zone-untrust] add interface Virtual-if2
[FW-vsysb-zone-untrust] quit
# Configure the policies for users of vsysa to access the server connected to vsysb.
[FW-vsysb] security-policy
[FW-vsysb-policy-security] rule name vsysa_to_server
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] source-zone untrust
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] destination-zone trust
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] source-address 10.3.0.0 24
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] destination-address 10.3.1.3 32
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] action permit
[FW-vsysb-policy-security-rule-vsysa_to_vsysb] quit
[FW-vsysb-policy-security] quit
----End
Context
Once a virtual system is created, the public system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using
the accounts of these administrators. The public system administrator can create system
administrators for a virtual system only on the configuration page of the virtual system. The
method for creating a virtual system administrator is the same as that for creating a public
system administrator.
Data Planning
Item Data
Item Data
NOTE
The following assumes that vsysa has already been created and interface GE1/0/3 has already been allocated
for the virtual system as the login interface.
If you have already configured the administrators that log in to the CLI using Telnet, perform only the
operations in Step 4 through Step 6.
Procedure
Step 1 Enable Telnet.
<FW> system-view
[FW] telnet server enable
NOTE
To ensure that the administrator can log in to the device, you are advised to set the level of the VTY
administrator interfaces to 3 or larger.
Step 3 Configure the automatic lockout function for failed login attempts.
By default, an account is locked for 30 minutes after three consecutive login failures. In the
following example, the account is locked for 10 minutes after five consecutive login failures.
[FW] aaa
[FW-aaa] lock-authentication enable
[FW-aaa] lock-authentication failed-count 5
[FW-aaa] lock-authentication timeout 10
NOTE
The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user name
configured on the authentication server does not need to carry the suffix "@@virtual system name". For
example, if the authentication server needs to authenticate administrator admin@@vsysa of virtual system
vsysa, configure user name admin on the authentication server.
NOTE
To ensure that the administrator can log in to the device properly, you are advised to set the administrator
level to 3 or larger.
The maximum number of the connections for the account must be smaller than the number of online users
configured for the virtual system.
NOTE
Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP address
of the administrator PC is fixed, add the IP address as a trusted host so that the administrator can log in to the
virtual system using the PC. If the IP address of the administrator PC is dynamically allocated, do not
configure any trusted hosts. Otherwise, the administrator may fail to log in to the virtual system if the IP
address of the administrator PC changes.
----End
Follow-up Procedure
After the configuration is complete, the virtual system administrator can log in to the virtual
system as follows:
1. The following uses the Windows operating system as an example. Choose Start > Run.
The Run dialog box is displayed. Then enter telnet 10.3.0.1 in Open.
2. Click OK. The PC starts to connect to the FW.
3. Enter admin@@vsysa as the user name and press Enter.
4. Enter Vsysadmin@123 as the password and press Enter to access the CLI of the virtual
system.
Context
The system, session, packet discard, and service logs of the public system can be sent to the
log server of the public system. The session, packet discard, and service logs can also be sent
to the log server of a virtual system.
The system logs of a virtual system can be sent to the log server of the virtual system using
the information center (info-center loghost). The session, packet discard, and service logs of
a virtual system can be sent to the log server of the virtual system using the log host (firewall
log host). For configurations of the information center and log host, see Logs.
The session and packet discard logs can also be sent to the log server of the public system.
This section describes how to configure the function of sending session and packet discard
logs of virtual systems to the log server of the public system.
Procedure
Step 1 In the system view, switch to the user view of a virtual system.
system-view
Step 3 Configure the sending of virtual system logs to the log server of the public system.
session-log send-to-public log-type { all | nat | none }
By default, session and packet discard logs are sent to the log server of the public system.
----End
Table 3-3 lists the commands for checking virtual system configurations.
View VLAN allocation display assign vlan { vlan-id | vsys vsys-name | all }
information.
Context
As shown in Figure 3-15, each virtual system has independent resources, such as interfaces,
security zones, and users quota, and acts as a separate device. Configuring services for virtual
system is the same as configuring service for the public system. However, certain functions
may be restricted due to the limit of resources for the virtual system and permissions of virtual
system administrators.
10.2.0.0/24
DMZ
Trust Untrust
GE1/0/6
10.3.0.0/24
GE1/0/3 GE1/0/1
VSYSA
The following procedure covers only the key points and precautions in configuring virtual
system services. For details, see corresponding sections in the administrator guide.
Procedure
Step 1 Access the configuration page of the virtual system.
Virtual system services can be configured by the public system or virtual system
administrator. The public system and virtual system administrators access the virtual system
in different ways. For details, see Table 3-4.
l For the public system administrator
– If the Web UI is used
Select a virtual system from the Virtual System drop-down list at the upper right
corner, or
– If the CLI is used
Run the switch vsys vsys-name command in the system view.
l To log in to the virtual system as a virtual system administrator, log in to the Web UI of
the virtual system using a browser or to the CLI using a remote login tool.
Step 2 Configure the service interface.
The key step in the configuration of a service interface is to add the configured interface to a
proper security zone. After interfaces are assigned into proper security zones, the networks
connected to these interfaces are divided. Then, you can configure services specific to security
zones. By default, security zones Trust, Untrust, DMZ, and Local are created on each virtual
system. Plan the security zones on a virtual system by following the same rules that apply to
the public system.
Table 3-4 lists the interface types that may be available on a virtual system and their
configuration descriptions.
NOTE
The public system administrator has already completed the configuration of the interface before assigning
them to virtual systems. Therefore, these interfaces are not configurable on the virtual system.
Table 3-5 Configure other security function for the created virtual system.
Configure policy-based routing Policy-based routing enables the virtual system to
control packet routing and forwarding. In many
scenarios, policy-based routing is used to specify the
outgoing interface or next hop of a traffic flow.
----End
Networking Requirements
As shown in Figure 3-16, a FW is deployed in area of the large campus network as the access
gateway. The network of area A comprises the R&D and non-R&D departments, and the two
departments have different network access permissions. Requirements are as follows:
l Some employees in the R&D department can access the Internet, and all employees in
the non-R&D department can access the Internet.
l The R&D and non-R&D departments are isolated from each other and cannot
communicate.
l The service volumes of the R&D and non-R&D departments are nearly the same.
Therefore, the same virtual system resources are allocated to them.
Figure 3-16 Networking diagram of network isolation (Layer-3 access, virtual systems having
independent WAN interfaces)
Area A Intranet FW
Trust
GE1/0/3 GE1/0/1
R&D 10.3.0.1/24 10.1.1.8/24
department
10.3.0.0/24
vsysa
Trust
GE1/0/4 GE1/0/2
Non-R&D 10.3.1.1/24 10.1.1.9/24
department
10.3.1.0/24
vsysb 10.1.1.1/24
Data Planning
Item Data Description
Configuration Roadmap
1. The public system administrator creates two virtual systems vsysa, and vsysb, assigns
resources.
2. The public system administrator configures IP addresses, routes, security policies, and
NAT policies for vsysa.
3. The public system administrator configures IP addresses, routes, security policies, and
NAT policies for vsysb.
Procedure
Step 1 The public system administrator creates virtual systems vsysa, and vsysb, and assigns
resources to them.
# Use the account of the public system administrator to log in to the FW.
# Enable the virtual system function.
<FW> system-view
[FW] vsys enable
Step 2 The public system administrator configures IP addresses, routes, security policies, and NAT
policies for vsysa.
# The public system administrator configures a security policy for vsysa. This security policy
allows intranet users of a specific network segment to access the Internet.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_internet
[FW-vsysa-policy-security-rule-to_internet] source-zone trust
[FW-vsysa-policy-security-rule-to_internet] destination-zone untrust
[FW-vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
[FW-vsysa-policy-security-rule-to_internet] action permit
[FW-vsysa-policy-security-rule-to_internet] quit
# The public system administrator configures a security policy for vsysa. This security policy
prohibits all employees from accessing the Internet. The priority of this policy is lower than
that of the previous policy, and therefore no address range needs to be specified.
[FW-vsysa-policy-security] rule name
to_internet2
[FW-vsysa-policy-security-rule-to_internet2] source-zone
trust
[FW-vsysa-policy-security-rule-to_internet2] destination-zone
untrust
[FW-vsysa-policy-security-rule-to_internet2] action deny
[FW-vsysa-policy-security-rule-to_internet2]
quit
[FW-vsysa-policy-security] quit
Step 3 The public system administrator configures IP addresses, routes, security policies, and NAT
policies for vsysb.
The configuration is similar as that of the R&D department except the following:
l The IP address of the inside interface is different.
l You do not need to create an IP address range for the non-R&D department. You only
need to configure a security policy to allow all IP addresses to access the Internet.
l The outbound interface of the NAT policy must be set to GE1/0/2, and the source address
must be set to any.
----End
Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department and use the PCs to access the Internet. If the results
are as expected, the IP addresses, security policies and NAT policies of vsysa are
correctly configured.
l Access the Internet from the non-R&D department. If the access succeeds, the IP
addresses, security policies and NAT policies of vsysb are correctly configured.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
set priority 5
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/2
action nat easy-ip
#
return
Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets respectively for the R&D, financial, and administrative
department. The security policies for the three departments are different and must meet the
following requirements:
l The intranet has only one public IP address and one outside interface. Therefore, all
departments must use the same interface to access the Internet.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial
department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.
Configure virtual systems to meet the preceding requirements. Figure 3-17 shows the
networking diagram.
Figure 3-17 Networking diagram of network isolation (Layer-3 access, virtual systems
sharing the WAN interface of the public system)
Intranet
Trust FW
GE1/0/3
R&D 10.3.0.1/24
department
10.3.0.0/24
vsysa
Trust
GE1/0/4
Financial 10.3.1.1/24
department
10.3.1.0/24 GE1/0/1
1.1.1.1/24
vsysb public
Trust
GE1/0/5
Administrative 10.3.2.1/24
department
10.3.2.0/24
vsysc
Data Planning
Item Data Description
Configuration Roadmap
1. The public system administrator creates three virtual systems vsysa, vsysb, and vsysc,
assigns resources, and configures an administrator for each virtual system.
2. The public system administrator configures routes and NAT policies for intranet users to
access the Internet.
3. The administrator of the R&D department logs in to the FW to configure IP addresses,
routes, and security policies for vsysa.
4. The administrator of the financial department logs in to the FW to configure IP
addresses, routes, and security policies for vsysb.
5. The administrator of the administrative department logs in to the FW to configure IP
addresses, routes, and security policies for vsysc.
Procedure
Step 1 The public system administrator creates virtual systems vsysa, vsysb, and vsysc and assigns
resources to them.
# Use the account of the public system administrator to log in to the FW.
Step 2 The public system administrator configures administrators for virtual systems.
# The public system administrator creates administrator account admin@@vsysa for vsysa.
[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] aaa
[FW-vsysa-aaa] manager-user admin@@vsysa
[FW-vsysa-aaa-manager-user-admin@@vsysa] password
Enter Password:
Confirm Password:
[FW-vsysa-aaa-manager-user-admin@@vsysa] service-type web telnet ssh
[FW-vsysa-aaa-manager-user-admin@@vsysa] level 15
[FW-vsysa-aaa-manager-user-admin@@vsysa] quit
[FW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
[FW-vsysa-aaa] quit
[FW-vsysa] quit
<FW-vsysa> quit
Step 3 The public system administrator configures routes, security policies, and NAT policies for
intranet users to access the Internet.
# Set IP addresses for interfaces and add the interfaces to security zones. The IP address of
Virtual-if0 can be any value as long as it does not conflict with the IP address on any other
interface.
# Configure a static route. This static route is used to divert to vsysa the Internet traffic
requested by users of vsysa.
[FW] ip route-static 10.3.0.0 24 vpn-instance vsysa
# Configure a static route. This static route is used to divert to vsysc the Internet traffic
requested by users of vsysc.
[FW] ip route-static 10.3.2.0 24 vpn-instance vsysc
# Configure a security policy. This security policy allows intranet users to access the Internet.
A virtual system administrator can configure security policies specific to intranet users' IP
addresses. Therefore, the public system administrator does not need to specify IP address
ranges when configuring a security policy.
[FW] security-policy
[FW-policy-security] rule name to_internet
[FW-policy-security-rule-to_internet] source-zone trust
[FW-policy-security-rule-to_internet] destination-zone untrust
[FW-policy-security-rule-to_internet] action permit
[FW-policy-security-rule-to_internet] quit
[FW-policy-security] quit
Step 4 The administrator of the R&D department configures IP addresses, routes, and security
policies for vsysa.
# Use the virtual system administrator account admin@@vsysa to log in to the FW. Change
the login password before performing the following operations.
# Set IP addresses for interfaces and add the interfaces to security zones. The IP address of
Virtual-if1 can be any value as long as it does not conflict with the IP address on any other
interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtual-if1.
NOTE
<vsysa> system-view
[vsysa] interface GigabitEthernet 1/0/3
[vsysa-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[vsysa-GigabitEthernet1/0/3] quit
[vsysa] interface Virtual-if 1
[vsysa-Virtual-if1] ip address 172.16.1.1 24
[vsysa-Virtual-if1] quit
[vsysa] firewall zone trust
[vsysa-zone-trust] add interface GigabitEthernet 1/0/3
[vsysa-zone-trust] quit
[vsysa] firewall zone untrust
[vsysa-zone-untrust] add interface Virtual-if 1
[vsysa-zone-untrust] quit
# Configure a static route. This static route is used to divert the Internet traffic requested by
users of vsysa to the public system.
NOTE
For simplicity, this example is based on the assumption that vsysa only processes the Internet access of
intranet users. Therefore, in this example, Destination Address/Mask is set to 0.0.0.0 0.0.0.0 so that all
packets are sent to the public system by default. In real-world configurations, to ensure correct routing,
you must set Destination Address/Mask to a specific IP address range that is allowed to access the
Internet. If the routing configuration is incorrect, the private networks attached to vsysa may not
communicate with each other.
[vsysa] ip route-static 0.0.0.0 0.0.0.0 public
# Configure a security policy to prohibit employees on the specified subnets from accessing
the administrative department network. A route is configured in the public system to divert
the return traffic to vsysa and vsysc. Therefore, vsysa and vsysc can communicate with the
communication packets relayed by the public system. To isolate vsysa from vsysc, you need
to configure a security policy in vsysa to prohibit employees in vsysc from accessing vsysa.
[vsysa] security-policy
[vsysa-policy-security] rule name
to_admin_department
[vsysa-policy-security-rule-to_admin_department] source-zone
trust
[vsysa-policy-security-rule-to_admin_department] destination-zone
untrust
[vsysa-policy-security-rule-to_admin_department] source-address address-set
ipaddress1
[vsysa-policy-security-rule-to_admin_department] destination-address 10.3.2.0 24
[vsysa-policy-security-rule-to_admin_department] action
deny
[vsysa-policy-security-rule-to_admin_department] quit
# Configure a security policy. This security policy allows intranet users of a specific network
segment to access the Internet.
[vsysa-policy-security] rule name to_internet
[vsysa-policy-security-rule-to_internet] source-zone trust
[vsysa-policy-security-rule-to_internet] destination-zone untrust
[vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
[vsysa-policy-security-rule-to_internet] action permit
[vsysa-policy-security-rule-to_internet] quit
# Configure a security policy. This security policy prohibits all employees from accessing the
Internet. The priority of this policy is lower than that of the previous policy, and therefore no
address range needs to be specified.
[vsysa-policy-security] rule name to_internet2
[vsysa-policy-security-rule-to_internet2] source-zone trust
[vsysa-policy-security-rule-to_internet2] destination-zone untrust
[vsysa-policy-security-rule-to_internet2] action deny
[vsysa-policy-security-rule-to_internet2] quit
[vsysa-policy-security] quit
----End
Verification
l Access the Internet from the administrative department. If the access succeeds, the IP
addresses, security policies of vsysc, and NAT policy of the public system are correctly
configured.
l Access the Internet from the financial department. If the access fails, the IP addresses
and security policies of vsysb are correctly configured.
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department to access the Internet. If the results are as expected,
the IP addresses and security policies of vsysa are correctly configured.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth 20 entire
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/4
#
vsys name vsysc 3
assign resource-class r1
assign interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface Virtual-if0
ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtual-if0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysc
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 16
action nat easy-ip
#
return
#
security-policy
rule name to_admin_department
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
destination-address 10.3.2.0 24
action deny
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_internet2
source-zone trust
destination-zone untrust
action deny
#
return
Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets respectively for the R&D, financial, and administrative
department. The security policies for the three departments are different and must meet the
following requirements:
l The FW connects to an existing intranet through Layer-2 access, without changing the
intranet's network topology.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial
department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.
Configure virtual systems to meet the preceding requirements. Figure 3-18 shows the
networking diagram.
Trust
Financial
department
10.3.0.100~
199 GE1/0/2 vsysb GE1/0/1
vlan20 vlan10,20,30 vlan20 vlan10,20,30
Trust
Administrative
department
10.3.0.200~
254 vsysc
vlan30 vlan30
Data Planning
Item Data Description
Configuration Roadmap
1. Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.
2. The public system administrator creates three virtual systems vsysa, vsysb, and vsysc,
assigns VLANs and resources, and configures an administrator for each virtual system.
3. The administrator of the R&D department logs in to the FW to configure security
policies for vsysa.
4. The administrator of the financial department logs in to the FW to configure security
policies for vsysb.
5. The administrator of the administrative department logs in to the FW to configure
security policies for vsysc.
Procedure
Step 1 Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.
# Use the account of the public system administrator to log in to the FW.
# Create VLANs.
<FW> system-view
[FW] vlan 10
[FW-vlan-10] quit
[FW] vlan 20
[FW-vlan-20] quit
[FW] vlan 30
[FW-vlan-30] quit
# Configure interfaces.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] portswitch
[FW-GigabitEthernet1/0/1] port link-type trunk
[FW-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] portswitch
[FW-GigabitEthernet1/0/2] port link-type trunk
[FW-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20 30
[FW-GigabitEthernet1/0/2] quit
Step 2 The public system administrator creates virtual systems vsysa, vsysb, and vsysc and assigns
VLANs to them.
# Enable the virtual system function.
[FW] vsys enable
Step 3 The public system administrator configures administrators for virtual systems.
# The public system administrator creates administrator account admin@@vsysa for vsysa.
[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] aaa
[FW-vsysa-aaa] manager-user admin@@vsysa
[FW-vsysa-aaa-manager-user-admin@@vsysa] password
Enter Password:
Confirm Password:
[FW-vsysa-aaa-manager-user-admin@@vsysa] service-type web telnet ssh
[FW-vsysa-aaa-manager-user-admin@@vsysa] level 15
[FW-vsysa-aaa-manager-user-admin@@vsysa] quit
[FW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
[FW-vsysa-aaa] quit
[FW-vsysa] quit
<FW-vsysa> quit
Step 4 The administrator of the R&D department configures security zones and security policies for
vsysa.
# Use the administrator account admin@@vsysa of vsysa to log in to the firewall. Change
the login password before performing the following operations.
# Configure a security policy. This security policy allows intranet users of a specific network
segment to access the Internet.
[vsysa] security-policy
[vsysa-policy-security] rule name to_internet
[vsysa-policy-security-rule-to_internet] source-zone trust
[vsysa-policy-security-rule-to_internet] destination-zone untrust
[vsysa-policy-security-rule-to_internet] source-address address-set ipaddress1
[vsysa-policy-security-rule-to_internet] action permit
[vsysa-policy-security-rule-to_internet] quit
# Configure a security policy. This security policy prohibits all employees from accessing the
Internet. The priority of this policy is lower than that of the previous policy, and therefore no
address range needs to be specified.
[vsysa-policy-security] rule name to_internet2
[vsysa-policy-security-rule-to_internet2] source-zone trust
[vsysa-policy-security-rule-to_internet2] destination-zone untrust
[vsysa-policy-security-rule-to_internet2] action deny
[vsysa-policy-security-rule-to_internet2] quit
[vsysa-policy-security] quit
----End
Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department to access the Internet. If the results are as expected,
the security policies of vsysa are correctly configured.
l Access the Internet from the financial department. If the access fails, the security policies
of vsysb are correctly configured.
l Access the Internet from the administrative department. If the access succeeds, the
security policies of vsysc are correctly configured.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vlan batch 10 20 30
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth 20 entire
#
vsys name vsysa 1
assign vlan 10
assign resource-class r1
#
vsys name vsysb 2
assign vlan 20
assign resource-class r1
#
vsys name vsysc 3
assign vlan 30
assign resource-class r1
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 10 20 30
#
return
Networking Requirements
A cloud computing data center uses a FW for security protection of the egress gateway to
meet the following requirements:
l Customers of the data center can independently manage and access their server
resources.
l The FW has only one outside interface but provides sufficient public IP addresses. NAT
polices are configured on the FW so that customers have independent public IP
addresses to access their own server resources.
l Enterprises A and B have similar traffic volumes and purchase the same amount of
resources.
Configure virtual systems to meet the preceding requirements. Figure 3-19 shows the
networking diagram.
Trust GE1/0/1
public 1.1.1.1/24
… GE1/0/2.2
10.3.1.1/24 Enterprise B
10.3.1.2/24
Enterprise B
10.3.1.0/24 vsysb
Data Planning
Item Data Description
Configuration Roadmap
1. The public system administrator creates virtual systems vsysa and vsysb and allocates
resources to them.
2. Create subinterfaces GE1/0/2.1 and GE1/0/2.2 on the GE1/0/2 and configure these two
subinterfaces as inside interfaces of vsysa and vsysb, respectively.
3. The public system administrator configures IP address mapping for vsysa and vsysb.
4. The public system administrator configures routes and security policies for vsysa and
vsysb.
Procedure
Step 1 The public system administrator creates virtual systems vsysa and vsysb and allocates
resources to them.
# Use the public system administrator account to log in to the FW.
# Create subinterfaces.
<FW> system-view
[FW] interface GigabitEthernet 1/0/2.1
[FW-GigabitEthernet1/0/2.1] vlan-type dot1q 10
[FW-GigabitEthernet1/0/2.1] quit
[FW] interface GigabitEthernet 1/0/2.2
[FW-GigabitEthernet1/0/2.2] vlan-type dot1q 20
[FW-GigabitEthernet1/0/2.2] quit
Step 2 Configure inside interfaces, outside interfaces, and virtual interfaces on the public system.
# On the public system, set IP addresses for interfaces and add the interfaces to security
zones. The IP address of Virtual-if0 can be any value as long as it does not conflict with the IP
address on any other interface.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
[FW] interface Virtual-if 0
[FW-Virtual-if0] ip address 172.16.0.1 24
[FW-Virtual-if0] quit
[FW] firewall zone trust
[FW-zone-trust] add interface Virtual-if 0
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
# On vsysa, set IP addresses for interfaces and add the interfaces to security zones. The IP
address of Virtual-if1 can be any value as long as it does not conflict with the IP address on
any other interface.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtual-if1 or Virtual-if2.
# On vsysb, set IP addresses for interfaces and add the interfaces to security zones. The
procedure is similar to that on vsysa.
Step 3 Configure routes, security policies, and NAT policies on the public system.
# Configure a static route. This static route is used to divert to vsysa the server traffic
requested by users of enterprise A.
[FW] ip route-static 10.3.0.0 24 vpn-instance vsysa
# Configure a static route. This static route is used to divert to vsysb the server traffic
requested by users of enterprise B.
[FW] ip route-static 10.3.1.0 24 vpn-instance vsysb
# Configure a security policy. This security policy allows intranet users to access servers on
the intranet.
[FW] security-policy
[FW-policy-security] rule name
internet_to_server
[FW-policy-security-rule-internet_to_server] source-zone
untrust
[FW-policy-security-rule-internet_to_server] destination-zone trust
[FW-policy-security-rule-internet_to_server] destination-address 10.3.0.0 16
[FW-policy-security-rule-internet_to_server] action
permit
[FW-policy-security-rule-internet_to_server]
quit
[FW-policy-security] quit
# Configure a static route. This static route is used to divert to the public system the server
traffic requested by users of enterprise A.
[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 public
# Configure a security policy. This security policy allows intranet users to access servers on
the intranet.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name internet_to_server
[FW-vsysa-policy-security-rule-internet_to_server] source-zone
untrust
[FW-vsysa-policy-security-rule-internet_to_server] destination-zone trust
[FW-vsysa-policy-security-rule-internet_to_server] destination-address 10.3.0.0 24
[FW-vsysa-policy-security-rule-internet_to_server] action
permit
[FW-vsysa-policy-security-rule-internet_to_server] quit
[FW-vsysa-policy-security] quit
[FW-vsysa] quit
<FW-vsysa> quit
----End
Verification
l Access http://1.1.1.2:8080 from enterprise A. If the access succeeds, IP address mapping
and security policies are correctly configured.
l Access http://1.1.1.3:8080 from enterprise B. If the access succeeds, IP address mapping
and security policies are correctly configured.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vsys enable
#
nat server publicserver_vsysa 0 protocol tcp global 1.1.1.2 8080 inside 10.3.0.2
www no-reverse
nat server publicserver_vsysb 1 protocol tcp global 1.1.1.3 8080 inside 10.3.1.2
www no-reverse
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit bandwidth 20 entire
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/2.1
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2.2
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 10
ip binding vpn-instance vsysa
#
interface GigabitEthernet1/0/2.2
vlan-type dot1q 20
ip binding vpn-instance vsysb
#
interface Virtual-if0
ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtual-if0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysb
#
security-policy
rule name internet_to_server
source-zone untrust
destination-zone trust
destination-address 10.3.0.0 16
action permit
#
return
Networking Requirements
As shown in Figure 3-20, a FW is deployed in area of the large campus network as the access
gateway. The network of area A comprises the R&D and non-R&D departments, and the two
departments have different network access permissions. Requirements are as follows:
l Some employees in the R&D department can access the Internet, and all employees in
the non-R&D department can access the Internet.
l The R&D department is isolated from non-R&D departments, but specific employees in
the two departments can communicate.
l The service volumes of the R&D and non-R&D departments are nearly the same.
Therefore, the same virtual system resources are allocated to them.
Trust
GE1/0/4 GE1/0/2
Non-R&D 10.3.1.1/24 10.1.1.9/24
department
10.3.1.0/24
vsysb 10.1.1.1/24
Data Planning
Item Data Description
Configuration Roadmap
1. The public system administrator creates two virtual systems vsysa, and vsysb, assigns
resources.
2. The public system administrator configures routes for the employees that can
communicate.
3. The public system administrator configures IP addresses, routes, security policies, and
NAT policies for vsysa.
4. The public system administrator configures IP addresses, routes, security policies, and
NAT policies for vsysb.
Procedure
Step 1 The public system administrator creates virtual systems vsysa, and vsysb, and assigns
resources to them.
# Use the account of the public system administrator to log in to the FW.
# Enable the virtual system function.
<FW> system-view
[FW] vsys enable
# Set an IP address for the virtual interface Virtual-if0 on the public system and add the
interface to the Trust zone. The IP address of Virtual-if0 can be any value as long as it does
not conflict with the IP address on any other interface.
[FW] interface Virtual-if 0
[FW-Virtual-if0] ip address 172.16.0.1 24
[FW-Virtual-if0] quit
[FW] firewall zone trust
[FW-zone-trust] add interface Virtual-if 0
[FW-zone-trust] quit
Step 2 The public system administrator configures routes for the employees that can communicate.
[FW] ip route-static 10.3.0.0 24 vpn-instance vsysa
[FW] ip route-static 10.3.1.0 24 vpn-instance vsysb
Step 3 The public system administrator configures IP addresses, routes, security policies, and NAT
policies for vsysa.
# The public system administrator configures interfaces for vsysa. The IP address of Virtual-
if1 can be any value as long as it does not conflict with the IP address on any other interface.
[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] interface GigabitEthernet 1/0/1
[FW-vsysa-GigabitEthernet1/0/1] ip address 10.1.1.8 24
[FW-vsysa-GigabitEthernet1/0/1] quit
[FW-vsysa] interface GigabitEthernet 1/0/3
[FW-vsysa-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-vsysa-GigabitEthernet1/0/3] quit
[FW-vsysa] interface Virtual-if 1
[FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
[FW-vsysa-Virtual-if1] quit
[FW-vsysa] firewall zone trust
[FW-vsysa-zone-trust] add interface GigabitEthernet 1/0/3
[FW-vsysa-zone-trust] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-vsysa-zone-untrust] quit
[FW-vsysa] firewall zone dmz
[FW-vsysa-zone-dmz] add interface Virtual-if1
[FW-vsysa-zone-dmz] quit
# The public system administrator configures a static route for vsysa to access the Internet.
[FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# The public system administrator configures a static route for vsysa to access vsysb.
[FW-vsysa] ip route-static 10.3.1.0 24 public
# The public system administrator configures a security policy for vsysa. This security policy
allows intranet users of a specific network segment to access the Internet.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_internet
[FW-vsysa-policy-security-rule-to_internet] source-zone trust
[FW-vsysa-policy-security-rule-to_internet] destination-zone untrust
# The public system administrator configures a security policy for vsysa. This security policy
prohibits all employees from accessing the Internet. The priority of this policy is lower than
that of the previous policy, and therefore no address range needs to be specified.
[FW-vsysa-policy-security] rule name
to_internet2
[FW-vsysa-policy-security-rule-to_internet2] source-zone
trust
[FW-vsysa-policy-security-rule-to_internet2] destination-zone
untrust
[FW-vsysa-policy-security-rule-to_internet2] action deny
[FW-vsysa-policy-security-rule-to_internet2]
quit
[FW-vsysa-policy-security] quit
# The public system administrator configures a security policy for vsysa. This security policy
allows specific employees in vsysa and vsysb to communicate.
[FW-vsysa-policy-security] rule name to_vsysb
[FW-vsysa-policy-security-rule-to_vsysb] source-zone trust
[FW-vsysa-policy-security-rule-to_vsysb] destination-zone dmz
[FW-vsysa-policy-security-rule-to_vsysb] source-address range 10.3.0.20 10.3.0.30
[FW-vsysa-policy-security-rule-to_vsysb] destination-address range 10.3.1.20
10.3.1.30
[FW-vsysa-policy-security-rule-to_vsysb] action permit
[FW-vsysa-policy-security-rule-to_vsysb] quit
[FW-vsysa-policy-security] quit
Step 4 The public system administrator configures IP addresses, routes, security policies, and NAT
policies for vsysb.
The configuration is similar as that of the R&D department except the following:
----End
Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department and use the PCs to access the Internet. If the results
are as expected, the IP addresses, security policies and NAT policies of vsysa are
correctly configured.
l Access the Internet from the non-R&D department. If the access succeeds, the IP
addresses, security policies and NAT policies of vsysb are correctly configured.
Configuration Scripts
Configuration script of the public system
#
sysname FW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth 20 entire
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2
assign interface GigabitEthernet1/0/4
#
interface Virtual-if0
ip address 172.16.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtual-if0
#
ip route-static 10.3.0.0 24 vpn-instance vsysa
ip route-static 10.3.1.0 24 vpn-instance vsysb
#
return
source-zone trust
egress-interface GigabitEthernet1/0/2
action nat easy-ip
#
return
Configuratio Supported -
n File
Management
IP-Link Supported -
Security Supported -
Zones
Domain Supported -
Group
Application Supported -
and
Application
Group
Schedule Supported -
ACL Supported -
Bandwidth Supported -
Management
Policy
Blacklist Supported -
IP-MAC Supported -
Binding
ASPF Supported -
Session Supported -
Table
Diagnosis Supported -
Center
3.9.2 Specifications
This section provides the specifications of the virtual system.
Function specifications
Function Sub- Description Supported or Not
function
Performance Specifications
Function Specifications
How Can I Use VPN Instances to Isolate Sessions When Packets Pass Through
the FW Twice?
As shown in Figure 3-21, the gateway address of the PC is set to the IP address (192.168.0.1)
of VLANIF10 on the Layer-3 switch. The PC logs in to the FW with the Layer-3 switch as the
relay for management.
At the first time, the packets from the PC to the FW traverse the FW through VLAN10. At the
second time, the packets are forwarded to the FW from VLANIF20. The packets pass through
the FW twice, but the FW cannot distinct the two sessions, causing the PC login failure.
In such cases, you can configure a VPN instance to isolate the sessions.
<sysname> system-view
[sysname] ip vpn-instance vpn1
[sysname-vpn-instance-vpn1] ipv4-family
[sysname-vpn-instance-vpn1-af-ipv4] route-distinguisher 1:1
[sysname-vpn-instance-vpn1-af-ipv4] vpn-target 2:1
[sysname-vpn-instance-vpn1-af-ipv4] quit
[sysname-vpn-instance-vpn1] quit
At last, configure a route to the specified VPN instance and set the next hop to the IP address
(192.168.1.1) of VLANIF20 on the Layer-3 switch.
[sysname] ip route-static vpn-instance vpn1 192.168.0.0 24 192.168.1.1
After you configure a VPN instance to isolate the sessions, the PC can log in to the FW.
You may also encounter another scenario. As shown in Figure 3-22, the gateway address of
the PC is set to the IP address (192.168.0.1) of VLANIF10 on the Layer-3 switch. The PC
logs in to the FW with the Layer-3 switch as the relay.
VLANIF20 GE1/0/1
192.168.1.1 192.168.0.2
192.168.1.2
L3 VLAN10 VLAN10
Switch
VLANIF10
192.168.0.1 FW PC
Similar with scenario 1, you need to bind a VPN instance on GE1/0/1 to isolate sessions.
VLAN10 VLAN10
1.1.1.0/24 1.1.1.0/24
VLAN10 VLAN10
VLAN20 VLAN20
In such cases, you can configure two virtual systems (or configure one public system and one
virtual system) on the FW and allocate VLAN10 and VLAN20 to different virtual systems. In
this way, the traffic of the two VLANs is separated.
4 Networks
4.1 Interfaces
This section describes basic interface concepts and configuration procedure and provides
configuration examples.
4.2 Interface Pairs
This section describes interface pair concepts and how configure interface pairs, as well as
provides configuration examples.
4.3 Security Zones
This section describes security zone concepts and how to configure a security zone.
4.4 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.
4.5 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to
configure PPPoE, as well as provides configuration examples.
4.6 DNS
This chapter describes the principles, basic functions and configuration procedures of DNS,
and provides configuration examples.
4.7 DHCP
This section describes DHCP concepts and how to configure DHCP, as well as provides
configuration examples.
4.8 DHCP Snooping
This section describes concepts and the configuration procedure of Dynamic Host
Configuration Protocol (DHCP) snooping, as well as provides configuration examples.
4.9 MAC Address Table
This section describes MAC address table concepts and how to configure a MAC address
table, as well as provides a configuration example.
4.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure
ARP, as well as provides configuration examples.
4.11 VLAN
This section describes virtual local area network (VLAN) concepts and how to configure a
VLAN, as well as provides configuration examples.
4.12 IPv6 Neighbor Discovery
This section describes IPv6 neighbor discovery (ND) concepts and how to configure IPv6
ND, as well as provides configuration examples.
4.13 IP Performance
This section describes IP performance parameter concepts and how to configure the
parameters.
4.1 Interfaces
This section describes basic interface concepts and configuration procedure and provides
configuration examples.
4.1.1 Overview
An interface on a device serves for the data exchange between devices on the network.
Interface Type
Interfaces of a device are used to exchange data and interact with other network devices.
Interfaces are classified into physical interface, and logical interfaces, as shown in Table 4-1.
NULL Any packets transmitted NULL0 exists on the NULL0 exists on the
Interfac over a null interface are FW by default. FW by default. For
e discarded. It is used for details, see 4.1.3.8
route filtering. Configuring a Null
NULL0 exists on the FW Interface.
by default.
4.1.1.2 IP Addresses
This section describes the concepts and features related to IPv4 addresses and IPv6 addresses.
IPv4 Addresses
An IPv4 address consists of four binary octets separated by dots. Each octet can be expressed
in a decimal number. For example, 10.0.0.1 is an IPv4 address.
l IPv4 address classes
An IPv4 address consists of the following fields:
– Network ID field: distinguishes a networks from each other. The network ID is
called a class field, and network ID bits are called class bits.
– Host ID field: identifies a host on a network.
IPv4 addresses have five classes to facilitate address management and networking.
Figure 4-1 shows classes of IPv4 addresses.
A 0 Net-id Host-id
B 10 Net-id Host-id
D 1110 Multicast-address
E 11110 Reserved
Most IPv4 addresses in use belong to class A, B, or C. Class D addresses are multicast
addresses. Class E addresses are reserved. For more information, see RFC 1166 "Internet
Numbers."
Some IPv4 addresses are reserved for special use. Table 4-3 lists the range of each class
of IPv4 addresses.
NOTE
the Internet Assigned Numbers Authority (IANA) has reserved three IPv4 address blocks
for private networks.
Table 4-5 lists private network IPv4 addresses.
IPv6 Addresses
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is a set of
specifications designed by the Internet Engineering Task Force (IETF).
IPv6 is a second-generation network protocol and an upgraded version of IPv4. Different
from IPv4, IPv6 extends an address to 128 bits long.
l IPv6 address formats
IPv6 addresses are expressed in either of the following formats:
– X:X:X:X:X:X:X:X
An IPv6 address is divided into eight groups, separated by colons. Each group has
16 bits. Each 16–bit group is represented by four hexadecimal digits, including 0 to
9 and A to F. For example, 2031:0000:130F:0000:0000:09C0:876A:130B is an
IPv6 address.
For convenience, all 0s in a group are displayed as a single 0. The example address
can be written as 2031:0:130F:0:0:9C0:876A:130B.
Two or more consecutive groups of 0s can be replaced with an empty group using a
pair of colons (::), which helps minimize the IPv6 address length. The example
address can also be written as 2031:0:130F::9C0:876A:130B.
NOTE
An IPv6 address can only contain a single pair of colons (::). If an IPv6 address contains
more than one pair of colons, a FW cannot restore the compressed address to the original
128-bit address because it cannot identify the number of zeros in the IPv6 address.
– X:X:X:X:X:X:d.d.d.d
Each "X" is 16 bits long and consists of four hexadecimal digits. Each "d" is 8 bits
long and is presented by a decimal number. "d.d.d.d" is an IPv4 address. The
following addresses are expressed in this format:
n 0:0:0:0:0:0:IPv4-address: an IPv4-compatible IPv6 address. The most
significant 96 bits of 0s precede a 32-bits IPv4 address. The IPv4 address must
be reachable on an IPv4 network and can only be a unicast address, but not a
multicast address, a broadcast address, a loopback address, or an unspecified
address (0.0.0.0, for example).
An IPv4-compatible IPv6 address is used to configure an IPv6 over IPv4
tunnel.
n 0:0:0:0:0:FFFF:IPv4-address: IPv4-mapped IPv6 address that is mapped to
an IPv4 address of an IPv4 node.
An IPv6 address is divided into two parts:
– Network prefix: equivalent to the network ID of an IPv4 address.
– Interface ID: equivalent to the host ID in an IPv4 address. The interface ID length is
as follows:
Interface ID length = 128 bits – n bits, where n is the length of the network ID
Figure 4-2 illustrates the structure of IPv6 address
2001:A304:6101:1::E0:F726:4E58 /64.
64 bits 64 bits
2001:A304:6101:0001 0000:00E0:F726:4E58
n Loopback address
n Unspecified address
n Global unicast address
Table 4-6 lists these five types of addresses.
– Anycast address: identifies a group of interfaces on different nodes. Packets bound
for an anycast address reach the interface that is nearest to the source node among
interfaces in the interface group identified by the anycast address. A routing
protocol determines the shortest path.
NOTE
MAC: 0012-3400-ABCD
EUI-64: 0212:34FF:FE00:ABCD
l Static IP
Specify IPv6 addresses for Layer 3 Ethernet interfaces and their subinterfaces, VLAN
interfaces, Eth-Trunk interfaces, and loopback interfaces.
l DHCP
Configure DHCP to automatically assign IPv6 addresses for Layer 3 Ethernet interfaces
and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
l PPPoE
Configure PPPoE to perform PPP negotiation to assign IPv6 addresses to Layer 3
Ethernet interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
l Neighbor Discovery (ND) Router Advertisement (RA)
Configure stateless address autoconfiguration to enable interfaces to obtain IPv6 prefixes
from RA messages. The interfaces then use IPv6 prefixes and local interface IDs to form
EUI-64 IPv6 addresses.
The interfaces can be Layer 3 Ethernet interfaces or their subinterfaces, VLAN
interfaces, or Eth-Trunk interfaces.
Context
A Layer 3 Ethernet interface uses an IPv4 address to connect to an IPv4 network or an IPv6
address to connect to an IPv6 network.
Procedure
Step 1 Choose Network > Interface.
IPv4
Parameter Description
Multi-egress options After you select Multi-egress options, the interface will
function as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent
Uplink Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface equals to binding an interface
to an ISP interface group.
Default Route After you select this option, the FW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any routing table of
the FW, the FW will use the default route to forward the data
packet. Both the destination network address and the subnet
mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the FW will generate
static routes in a batch to the ISP network. In the generated
static routes, the destination is an IP address in the ISP address
file, and the next hop is the gateway address specified on the
outbound interface. These static routes are called ISP routes.
They have the same priority as common static routes, and the
default priority is 60.
Choose Network > Router > Routing Table. You can view
the generated ISP route entries.
Parameter Description
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the FW
looks up the routing table for an outgoing interface to send the
return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the
server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The FW uses the incoming interface of the forward packets as
the outgoing interface of return packets instead of looking up
the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the
sticky load balancing function.
IPv6
Interface Bandwidth
Management Access
Parameter Description
Advanced
Parameter Description
Parameter Description
Obtain an IP Address Obtain an IPv4 address that a PPPoE server assigns after
Automatically negotiating with a PPPoE client on a PPP link. The IPv4
address to be assigned must be specified on the PPPoE server.
Use the Following IP Set an IPv4 address statically. This method requires the input
Address of an IPv4 address in IP Address. The IPv4 address must be
one that a PPPoE server can assign.
Parameter Description
Parameter Description
----End
Follow-up Procedure
l Check the interface status.
a. Choose Network > Interface.
b. Verify that the physical, IPv4, and IPv6 statuses of the VLAN interface are Up.
l Enable or disable the interface.
a. Choose Network > Interface.
b. Perform either of the following operations as needed:
n To enable the interface, select the Enable check box of the interface.
n To disable the interface, clear the Enable check box of the interface.
Context
Ensure that you have performed the following operations:
l Select an Ethernet interface and switch it to Layer 2 mode.
l Assign the interface to a specific VLAN. For more information about VLANs, see 4.11
VLAN.
l Configure interface parameters, such as a duplex mode and a transmission rate.
NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on FW, you need to choose
Dashboard > System Information to enable the global IPv6 function.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Mode Layer at which the interface works when the interface works at
Layer 2:
l Select Switch to enable the interface to work at Layer 2.
l Select Interface Pair to enable the interface work as a
member of an interface pair.
When a Layer 3 Ethernet interface is configured to work in
Layer 2 mode, the device automatically clears specific
configurations, such as, DHCP, DDNS, androute
configurations of the interface and retains specific
configurations, such as HRP heartbeat interface configurations
of the interface. If the interface is specified as a heartbeat
interface, the interface cannot be configured to work in Layer 2
mode. Therefore, before you configure a Layer 3 Ethernet
interface to work in Layer 2 mode, ensure that the interface has
no configuration.
Parameter Description
Interface Bandwidth
Advanced
----End
Follow-up Procedure
l Check the interface status.
a. Choose Network > Interface.
b. Check the physical status of the interface.
l Enable or disable the interface.
a. Choose Network > Interface.
b. Perform either of the following operations as needed:
n To enable the interface, select the Enable check box.
n To disable the interface, clear the Enable check box.
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces
share the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface
status change does not affect the main interface status, whereas a main interface status change
affects the subinterface status. Subinterfaces work properly only when their main interface is
in the Up state.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Primary Interface Type and number of a interface to which the new subinterface
belongs.
Parameter Description
IPv4
Multi-egress options After you select Multi-egress options, the interface will
function as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see 6 Intelligent
Uplink Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface equals to binding an interface
to an ISP interface group.
Default Route After you select this option, the FW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any routing table of
the FW, the FW will use the default route to forward the data
packet. Both the destination network address and the subnet
mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.
Parameter Description
Carrier Route After you enable the ISP route function, the FW will generate
static routes in a batch to the ISP network. In the generated
static routes, the destination is an IP address in the ISP address
file, and the next hop is the gateway address specified on the
outbound interface. These static routes are called ISP routes.
They have the same priority as common static routes, and the
default priority is 60.
Choose Network > Router > Routing Table. You can view
the generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the FW
looks up the routing table for an outgoing interface to send the
return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the
server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The FW uses the incoming subinterface of the forward packets
as the outgoing subinterface of return packets instead of
looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the
sticky load balancing function.
IPv6
Interface Bandwidth
Parameter Description
Management Access
Parameter Description
Parameter Description
Obtain an IP Address Obtain an IPv4 address that a PPPoE server assigns after
Automatically negotiating with a PPPoE client on a PPP link. The IPv4
address to be assigned must be specified on the PPPoE server.
Use the Following IP Set an IPv4 address statically. This method requires the input
Address of a fixed IPv4 address in IP Address. The IPv4 address to be
entered is the one that a PPPoE server can assign.
Parameter Description
If the operation is successful, the new subinterface is displayed among Layer 3 interfaces in
Interface List.
----End
Follow-up Procedure
l Check the subinterface status.
a. Choose Network > Interface.
b. Verify that the physical, IPv4, and IPv6 statuses of the subinterface are Up.
l Enable or disable the interface.
a. Choose Network > Interface.
b. Perform either of the following operations as needed:
n To enable the interface, select the Enable check box.
n To disable the interface, clear the Enable check box.
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces
share the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface
status change does not affect the main interface status, whereas a main interface status change
affects the subinterface status. Subinterfaces work properly only when their main interface is
in the Up state.
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk
interfaces. Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Choose Network > Interface.
Primary Interface Type and number of a Layer 2 interface to which the new
subinterface belongs.
Parameter Description
VLAN Tag Specifies the VLAN tag (ID of the VLAN to which the new
subinterface belongs). Each subinterface receives or forwards
only packets that carry the specified VLAN tag.
Access VLAN ID Specifies the access VLAN ID. Subinterfaces must be added to
the same VLAN to communicate with each other.
Interface Bandwidth
----End
Follow-up Procedure
l Check the subinterface status.
a. Choose Network > Interface.
b. Verify that the physical, IPv4, and IPv6 statuses of the subinterface are Up.
l Enable or disable the interface.
a. Choose Network > Interface.
b. Perform either of the following operations as needed:
n To enable the interface, select the Enable check box.
n To disable the interface, clear the Enable check box.
Context
A LAN can be divided into logical broadcast domains. A broadcast domain is a VLAN.
Devices on a LAN logically belong to different VLANs, regardless of their physical locations.
When hosts on a VLAN need to communicate with a device at the network layer, you can
create a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface
to provide Layer 3 functions, such as IPv4 or IPv6 address settings.
Procedure
Step 1 Choose Network > Interface.
IPv4
Multi-egress options After you select Multi-egress options, the interface will
function as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see 6 Intelligent
Uplink Selection.
Parameter Description
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface equals to binding an interface
to an ISP interface group.
Default Route After you select this option, the FW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any routing table of
the FW, the FW will use the default route to forward the data
packet. Both the destination network address and the subnet
mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the FW will generate
static routes in a batch to the ISP network. In the generated
static routes, the destination is an IP address in the ISP address
file, and the next hop is the gateway address specified on the
outbound interface. These static routes are called ISP routes.
They have the same priority as common static routes, and the
default priority is 60.
Choose Network > Router > Routing Table. You can view
the generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the FW
looks up the routing table for an outgoing interface to send the
return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the
server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The FW uses the incoming subinterface of the forward packets
as the outgoing subinterface of return packets instead of
looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the
sticky load balancing function.
IPv6
Parameter Description
Interface Bandwidth
Management Access
Parameter Description
Parameter Description
Obtain an IP Address Obtain an IPv4 address that a PPPoE server assigns after
Automatically negotiating with a PPPoE client on a PPP link. The IPv4
address to be assigned must be specified on the PPPoE server.
Use the Following IP Statically set an IPv4 address. This method requires the input
Address of an IPv4 address in IP Address. The IPv4 address must be
one that a PPPoE server can assign.
Obtain DNS Server Obtain a DNS address that a PPPoE server assigns after
Address Automatically negotiating with a PPPoE client on a PPP link.
Use the Following DNS Statically set a DNS address. This method requires the input of
Server Addresses DNS server addresses in Primary DNS Server and
Secondary DNS Server.
Parameter Description
----End
Follow-up Procedure
l Check the VLAN interface status.
a. Choose Network > Interface.
b. Verify that the physical, IPv4, and IPv6 statuses of the VLAN interface are Up.
l Enable or disable the interface.
a. Choose Network > Interface.
b. Perform either of the following operations as needed:
n To enable the interface, select the Enable check box.
n To disable the interface, clear the Enable check box.
Context
This configuration is supported only in the direct SR-IOV mode.
Many Ethernet interfaces are bundled into an Eth-Trunk interface. An Eth-Trunk interface
provides bandwidth that is equal to the total bandwidth of all its member interfaces. If a
member interface goes Down, traffic transmission over other member interfaces continues,
which increases link reliability.
An Eth-Trunk interface directs traffic to different links to balance traffic loads.
A physical interface can only be assigned to a single Eth-Trunk at a time. Before assigning the
physical interface to another Eth-Trunk, you must first remove it from the Eth-Trunk to which
it is currently attached.
Procedure
Step 1 Choose Network > Interface.
Mode Layer at which the interface works when the interface works at
Layer 2:
l Select Route to enable the interface to work at Layer 3.
l Select Switch to enable the interface to work at Layer 2.
For the description of parameter Connection Type in
switching mode, see Table 4-23.
l Select Interface Pair to enable the interface work as a
member of an interface pair.
Parameter Description
IPv4
Multi-egress options After you select Multi-egress options, the interface will
function as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent
Uplink Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface equals to binding an interface
to an ISP interface group.
Default Route After you select this option, the FW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any routing table of
the FW, the FW will use the default route to forward the data
packet. Both the destination network address and the subnet
mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.
Parameter Description
Carrier Route After you enable the ISP route function, the FW will generate
static routes in a batch to the ISP network. In the generated
static routes, the destination is an IP address in the ISP address
file, and the next hop is the gateway address specified on the
outbound interface. These static routes are called ISP routes.
They have the same priority as common static routes, and the
default priority is 60.
Choose Network > Router > Routing Table. You can view
the generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the FW
looks up the routing table for an outgoing interface to send the
return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the
server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The FW uses the incoming Eth-Trunk interface of the forward
packets as the outgoing Eth-Trunk interface of return packets
instead of looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the
sticky load balancing function.
IPv6
Interface Bandwidth
Parameter Description
Management Access
Parameter Description
Advanced
Parameter Description
Lower Limit of Up Links Lower limit of member interfaces in the Up state before an
Eth-Trunk interface goes Down. If the number of member links
in the Up state is smaller than the lower limit, the Eth-Trunk
interface goes Down, and all its member interfaces cannot
forward data. This prevents a small number of member links in
the Up state from discarding packets due to overload.
To ensure proper forwarding, configure the same lower limit
for an Eth-Trunk interface on both ends of a link.
Obtain an IP Address Obtain an IPv4 address that a PPPoE server assigns after
Automatically negotiating with a PPPoE client on a PPP link. The IPv4
address to be assigned must be specified on the PPPoE server.
Use the Following IP Statically set an IPv4 address. This method requires the input
Address of a fixed IPv4 address in IP Address. The IPv4 address must
be one that a PPPoE server can assign.
Obtain DNS Server Obtain a DNS address that a PPPoE server assigns after
Address Automatically negotiating with a PPPoE client on a PPP link.
Use the Following DNS Statically set a DNS address. This method requires the input of
Server Addresses DNS server addresses in Primary DNS Server and
Secondary DNS Server.
Parameter Description
Parameter Description
Hybrid VLAN ID (With ID of the VLAN to which the hybrid interface belongs. Frames
VLAN Tag) on the VLAN are sent from this interface in Tagged mode. This
parameter is set only when Connection Type is set to Hybrid.
If the operation is successful, the new Eth-Trunk interface is displayed in Interface List.
----End
Follow-up Procedure
l Check interface status.
Context
This section describes how to configure a loopback interface. A loopback interface is a virtual
interface. The IP address of a loopback interface is specified as a source address for packets to
improve network reliability.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
IPv4
IPv6
Parameter Description
----End
Follow-up Procedure
Check the interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the interface are Up.
Context
A tunnel interface is a logical interface for packet encapsulation. By default, tunnel interfaces
created through the Web use only IPSec, that is, supporting only IPSec tunnels. GRE is
another common encapsulation protocol. When configuring GRE through the Web, tunnel
interfaces are automatically created and configured. For details, see 9.4.3 Configuring GRE
Using the Web UI.
Procedure
Step 1 Choose Network > Interface.
Interface Name Another name specified for the tunnel interface, facilitating
memorization and identification.
Parameter Description
IPv4
IP Address/Mask Ensure that the IP addresses of the tunnel interfaces at the two
ends of the IPSec tunnel are routable.
Multi-egress options After you select Multi-egress options, the interface will
function as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent
Uplink Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface equals to binding an interface
to an ISP interface group.
Default Route After you select this option, the FW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any routing table of
the FW, the FW will use the default route to forward the data
packet. Both the destination network address and the subnet
mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the FW will generate
static routes in a batch to the ISP network. In the generated
static routes, the destination is an IP address in the ISP address
file, and the next hop is the gateway address specified on the
outbound interface. These static routes are called ISP routes.
They have the same priority as common static routes, and the
default priority is 60.
Choose Network > Router > Routing Table. You can view
the generated ISP route entries.
Parameter Description
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the FW
looks up the routing table for an outgoing interface to send the
return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the
server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The FW uses the incoming interface of the forward packets as
the outgoing interface of return packets instead of looking up
the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the
sticky load balancing function.
Interface Bandwidth
Management Access
Parameter Description
If the operation succeeds, Interface List displays the new tunnel interface.
----End
Follow-up Procedure
l Check the interface status.
a. Choose Network > Interface.
b. Check the physical status of the interface.
l Disable or enable an interface.
a. Choose Network > Interface.
b. Disable or enable an interface.
n Deselect the Enable check box corresponding to an interface to disable it.
n Select the Enable check box corresponding to an interface to enable it.
An EUI-64 address supports the same function as a global unicast address. The
difference between the two addresses is as follows:
– Only the network bits need to be specified for the EUI-64 address, because the host
bits are transformed from the MAC addresses of the interface. The prefix length of
the network bits in an EUI-64 address must not be longer than 64 bits.
– A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the
same network segment.
By default, an interface works in auto-negotiation mode. To set parameters duplex and speed
to adjust the duplex mode and rate of an interface, run the undo negotiation auto command
to disable the interface from working in auto-negotiation mode.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
If a packet is added with a non-fragment flag and the packet length exceeds the interface MTU, the FW
drops the packet. To ensure service continuity, you can run the clear ip df command to enable the
clearing function, delete non-fragment flags, and forward packets in fragments.
Step 11 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 12 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth engress bandwidth-number
Step 14 Optional: Allow or block HTTP, HTTPS, Ping, SSH, Telnet, SNMP, and NETCONF access
to the FW.
service-manage { http | https | ping | ssh | snmp | NETCONF | telnet } { permit | deny }
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, Ping access to a FW,
and a non-management interface denies HTTP, HTTPS, ping, SSH, Telnet, SNMP, and
NETCONF access to a FW.
Step 15 Optional: Restore the access control management function of an interface to the default
setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping to
access the device. For non-management interfaces, the access control management function is
enabled, but the administrator is not allowed to use HTTP, HTTPS, Ping, SSH, Telnet, SNMP,
and NETCONF to access the device.
gateway gateway-address
When you configure sticky load balancing, you need to set the gateway address, that is, to
specify the next-hop IP address of the outbound interface.
redirect-reverse enable
In the multi-ISP load balancing NAT server scenario, the FW looks up the routing table for an
outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1.
The inconsistent forward and return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function on the incoming interface of
ISP1.
The FW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
When an interface works properly, disable the loopback. By default, the loopback is
disabled.
NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on FW, you need to run the
ipv6 command to enable the global IPv6 function.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
Step 6 Optional: Specify a duplex mode.
duplex { full | half }
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
Step 7 Optional: Set a working rate.
speed { 10 | 100 | 1000 }
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces
that work in electrical interface mode.
Step 8 Optional: Configure an interface description.
description interface-description
Step 9 Optional: Specify the alias for an interface.
alias alias
Step 10 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 11 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth engress bandwidth-number
----End
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces
share the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface
status change does not affect the main interface status, whereas a main interface status change
affects the subinterface status. Subinterfaces work properly only when their main interface is
in the Up state.
Subinterfaces can be created on Layer 3 Ethernet and Eth-Trunk interfaces. To distinguish
VLAN packets on a Layer 3 Ethernet interface or an Eth-Trunk interface, configure
subinterfaces with different VLAN IDs. Each subinterface with a specific VLAN ID forwards
packets carrying the VLAN ID, which provides configuration flexibility.
Procedure
Step 1 Display the system view.
system-view
To ensure VLAN connectivity, set the same VLAN ID on two subinterfaces at two ends of a
link.
To assign the second and subsequent IPv4 addresses to the interface, configure the sub
parameter in the ip address command.
Before performing IPv6 configurations in the interface view, enable the IPv6 capability
in the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system
view.
2. Perform either of the following operations to configure an IPv6 link-local address:
– To enable the system to automatically generate an IPv6 link-local address, run:ipv6
address auto link-local
Allowing the system to automatically generate a link-local address is recommended.
This is because the link-local address is only used for protocol-based
communication between link-local nodes, regardless of communication between
users.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast
address of the interface is specified.
– To specify an IPv6 link-local address, run:ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-
local addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The
difference between the two addresses is as follows:
– Only the network bits need to be specified for the EUI-64 address, because the host
bits are transformed from the MAC addresses of the interface. The prefix length of
the network bits in an EUI-64 address must not be longer than 64 bits.
– A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the
same network segment.
Step 6 Optional: Configure an interface description.
description interface-description
Step 7 Optional: Specify the alias for an interface.
alias alias
Step 8 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 9 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth engress bandwidth-number
Step 10 Optional: Enable access control on an interface.
service-manage enable
By default, access control is enabled on interfaces.
Step 11 Optional: Allow or block HTTP, HTTPS, Ping, SSH, Telnet, SNMP, and NETCONF access
to the FW.
service-manage { http | https | ping | ssh | snmp | NETCONF | telnet } { permit | deny }
The service-manage command allows an administrator to manage a FW through a specified
interface even if no security policy is enforced for traffic between the Local zone and the
security zone to which the interface belongs.
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, Ping access to a FW,
and a non-management interface denies HTTP, HTTPS, Ping, SSH, Telnet, SNMP, and
NETCONF access to a FW.
Step 12 Optional: Restore the access control management function of an interface to the default
setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping to
access the device. For non-management interfaces, the access control management function is
enabled, but the administrator is not allowed to use HTTP, HTTPS, Ping, SSH, Telnet, SNMP,
and NETCONF to access the device.
Step 13 Optional: Set a gateway address for the interface.
gateway gateway-address
When you configure sticky load balancing, you need to set the gateway address, that is, to
specify the next-hop IP address of the outbound interface.
Step 14 Optional: Enable the sticky load balancing function.
redirect-reverse enable
In the multi-ISP load balancing NAT server scenario, the FW looks up the routing table for an
outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1.
The inconsistent forward and return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function on the incoming interface of
ISP1.
The FW uses the incoming subinterface of the forward packets as the outgoing subinterface of
return packets instead of looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces
share the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface
status change does not affect the main interface status, whereas a main interface status change
affects the subinterface status. Subinterfaces work properly only when their main interface is
in the Up state.
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk
interfaces. Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Run the interface interface-type interface-number command to access the interface view.
Step 3 Run the portswitch command to configure a Layer 3 Ethernet interface to work in Layer 2
mode.
Step 6 Run the vlan-type dot1q vlan-id command to configure the encapsulation type for the
subinterface and associate a VLAN ID with the subinterface.
Step 7 Run the portswitch command to configure the subinterface as a Layer 2 subinterface.
Step 8 Run the port default vlan vlan-id command to add the Layer 2 subinterface to a specific
VLAN,
Step 9 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 10 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth engress bandwidth-number
Step 11 Optional: Run the bypass-detection command to enable the bypass detection function on the
interface.
After bypass detection is enabled, the device detects packets received on this interface and
then discards them.
----End
Context
A LAN can be divided into several logical LANs. Each logical LAN is a broadcast domain,
which is called a VLAN. Devices on a LAN logically belong to different VLANs, regardless
of their physical locations. VLANs separate broadcast domains within a LAN from each
other.
When hosts on a VLAN need to communicate with a device at the network layer, you can
create a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface
to provide Layer 3 functions, such as IPv4 or IPv6 address settings.
Procedure
Step 1 Display the system view.
system-view
Step 2 Display the specified interface view.
interface interface-type interface-number
Step 3 Switch the Layer 3 Ethernet interface to Layer 2 mode.
portswitch
Step 4 Return to the system view.
quit
Step 5 Create a VLAN and display the VLAN view.
vlan vlan-id
If a VLAN already exists, running this command directly displays the VLAN view.
Step 6 Assign specified interfaces to the VLAN.
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
Only access interfaces can be added to a VLAN using this command.
Step 7 Return to the system view.
quit
Step 8 Create a Vlanif interface for a specific VLAN and display the Vlanif interface view.
interface vlanif vlan-id
If a Vlanif interface already exists, running this command directly displays the Vlanif
interface view.
A VLAN must exist before a Vlanif interface is created for it.
Step 9 Assign an IPv4 address to the interface.
ip address ip-address { mask | mask-length } [ sub ]
To assign the second and subsequent IPv4 addresses to the interface, configure the sub
parameter in the ip address command.
Step 10 Assign an IPv6 address to the interface.
1. Enable the IPv6 capability on the interface.
ipv6 enable
By default, the IPv6 capability is disabled on the interface.
Enable the IPv6 capability in the interface view before performing IPv6 configurations in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system
view.
2. Perform either of the following operations to configure an IPv6 link-local address:
– To enable the system to automatically generate an IPv6 link-local address, run:ipv6
address auto link-local
Allowing the system to automatically generate a link-local address is recommended.
This is because the link-local address is only used for protocol-based
communication between link-local nodes, regardless of communication between
users.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast
address of the interface is specified.
– To specify an IPv6 link-local address, run:ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-
local addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The
difference between the two addresses is as follows:
– Only the network bits need to be specified for the EUI-64 address, because the host
bits are transformed from the MAC addresses of the interface. The prefix length of
the network bits in an EUI-64 address must not be longer than 64 bits.
– A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the
same network segment.
Step 11 Optional: Configure an interface description.
description interface-description
Step 12 Optional: Specify the alias for an interface.
alias alias
Step 13 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 14 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth engress bandwidth-number
Step 15 Optional: Enable access control on an interface.
service-manage enable
By default, access control is enabled on interfaces.
Step 16 Optional: Allow or block HTTP, HTTPS, Ping, SSH, Telnet, SNMP, and NETCONF access
to the FW.
service-manage { http | https | ping | ssh | snmp | NETCONF | telnet } { permit | deny }
The service-manage command allows an administrator to manage a FW through a specified
interface even if no security policy is enforced for traffic between the Local zone and the
security zone to which the interface belongs.
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, Ping access to a FW,
and a non-management interface denies HTTP, HTTPS, Ping, SSH, Telnet, SNMP, and
NETCONF access to a FW.
Step 17 Optional: Restore the access control management function of an interface to the default
setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping to
access the device. For non-management interfaces, the access control management function is
enabled, but the administrator is not allowed to use HTTP, HTTPS, Ping, SSH, Telnet, SNMP,
and NETCONF to access the device.
Step 18 Optional: Set a gateway address for the interface.
gateway gateway-address
When you configure sticky load balancing, you need to set the gateway address, that is, to
specify the next-hop IP address of the outbound interface.
Step 19 Optional: Enable the sticky load balancing function.
redirect-reverse enable
In the multi-ISP load balancing NAT server scenario, the FW looks up the routing table for an
outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1.
The inconsistent forward and return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function on the incoming interface of
ISP1.
The FW uses the incoming Vlanif interface of the forward packets as the outgoing Vlanif
interface of return packets instead of looking up the routing table.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
Start
Configuring a
Working Mode
Adding Physical
Interfaces to an
Eth-Trunk Interface
Configuring a Load
Balancing Mode
End
Mandatory Optional
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
If the FW has multiple Layer 3 Eth-Trunk interfaces directly connected to Layer 2 interfaces
of switches, change the MAC addresses of the Layer 3 Eth-Trunk interfaces to ensure that
return packets sent from the switches are forwarded to correct Layer 3 Eth-Trunk interfaces.
NOTE
The mac-address command can be used only on the Eth-Trunk interface that works in Layer 3 mode.
If an Eth-Trunk interface has a large number of Eth-Trunk sub-interfaces, changing the MAC address of
the Eth-Trunk interface causes the local device to send a large number of gratuitous ARP packets to the
peer device. If CPCAR is configured on the peer device, increase the bandwidth for transmitting
gratuitous ARP packets, which prevents gratuitous ARP packets from being discarded.
NOTICE
– The mtu mtu command cannot be used on Layer 2 Eth-Trunk interfaces.
– The same MTU must be set for two directly connected interfaces. To use the mtu
command to change the MTU of an interface, ensure that the MTUs on both ends are
the same. Otherwise, services may be interrupted.
– If you run the mtu command to change the MTU to be smaller than 1280 bytes for
the Eth-Trunk interface running IPv6, IPv6 cannot properly run on the interface.
When IPv6 runs on an Eth-Trunk interface, set the MTU to be greater than or equal to
1280 for the interface.
a. To enable IPv6 for the interface, run the ipv6 enable command
b. To configure an IPv6 MTU for the interface, run the ipv6 mtu mtu command.
----End
Follow-up Procedure
After configuring a Layer 3 Eth-Trunk interface, view the status of the Eth-Trunk, member
interface information, and forwarding table of the Eth-Trunk interface.
l Run the display interface eth-trunk [ trunk-id ] command to check the status of the
Eth-Trunk interface.
l Run the display trunkmembership eth-trunk trunk-id command to check the member
interfaces of the Eth-Trunk interface.
l Run the display trunkfwdtbl eth-trunk trunk-id [ slot slot-id ] command to check the
forwarding table of the Eth-Trunk interface.
Example
Run the display interface eth-trunk command. The command output shows information
about Eth-Trunk sub-interfaces, including IP addresses, MAC addresses, and hash algorithms.
<sysname> display interface Eth-Trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-09-30 01:45:43 UTC+08:00
Description : Eth-Trunk1 Interface
Route Port,Hash arithmatic : According to flow,Maximal BW: 2G, Current BW: 2G,
The Maximum Transmit Unit is 1500
Internet Address is 100.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Physical is ETH_TRUNK
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/sec
Input: 1 packets,3 bytes,
7 unicast,9 broadcast,8 multicasts
10 errors,5 drops,11 unknowprotocol
Output: 2 packets,4 bytes,
12 unicast,14 broadcast,13x multicasts
15 errors,6 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
GigabitEthernet1/0/1 UP 1
GigabitEthernet1/0/2 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
Run the display trunkmembership eth-trunk command. The command output shows
information about the member interfaces of an Eth-Trunk interface, including the status and
working mode.
<sysname> display trunkmembership eth-trunk 0
Trunk ID: 0
used status: VALID
TYPE: ethernet
Working Mode : Normal
Working State: Normal
Run the display trunkfwdtbl eth-trunk command. The command output shows the active
and standby Ethernet interface numbers in the forwarding table of an Eth-Trunk interface.
<sysname> display trunkfwdtbl eth-trunk 1
Show the Trunk Forwarding Table
Eth-Trunk1's forwarding table is:
MASTER SLAVE
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
GigabitEthernet1/0/0 GigabitEthernet1/0/0
Context
To add an Eth-Trunk interface to a VLAN, configure Layer 2 functions for the Eth-Trunk
interface.
Layer 2 Eth-Trunk interfaces are mainly used in trunk interfaces in VLANs to increase the
bandwidth for communication between the VLANs of two devices.
Procedure
Step 1 Run:
system-view
To add an Eth-Trunk interface to a VLAN, switch the Eth-Trunk interface from the Layer 3
mode to the Layer 2 mode. During the switching, only the shutdown, undo shutdown, and
description commands can be run on the interface. If other command configurations exist on
the interface, delete them.
The undo portswitch command switches an Eth-Trunk interface from the Layer 2 mode to
the Layer 3 mode.
NOTE
l The minimum interval for running the portswitch and undo portswitch commands in consecutive
order is 30s.
l Changing the working mode of an Eth-Trunk interface has no impact on interface addition to the
Eth-Trunk interface. Interfaces can be added to either a Layer 2 or Layer 3 Eth-Trunk interface.
----End
Follow-up Procedure
After configuring a Layer 2 Eth-Trunk interface, view the brief information about the
interface, including the physical state, protocol state, and bandwidth utilization.
l Run the display interface eth-trunk [ trunk-id ] command to check the status of the
Eth-Trunk interface.
l Run the display interface brief command to check the brief information of the Eth-
Trunk interface, including physical state, protocol state, and bandwidth utilization.
Example
Run the display interface eth-trunk command. The command output shows the Hash
algorithm of an Eth-Trunk interface.
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description : Eth-Trunk1 Interface
Route Port,Hash arithmatic : According to flow,Maximal BW: 2G, Current BW: 2G,
The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Physical is ETH_TRUNK
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/sec
Input: 1 packets,3 bytes,
7 unicast,9 broadcast,8 multicasts
10 errors,5 drops,11 unknowprotocol
Output: 2 packets,4 bytes,
12 unicast,14 broadcast,13x multicasts
15 errors,6 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
GigabitEthernet1/0/1 UP 1
GigabitEthernet1/0/2 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
Run the display interface brief command. The command output shows the physical state,
link-layer protocol status, bandwidth utilization of an Eth-Trunk interface and the number of
error packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
quit
Step 4 Run:
interface eth-trunk trunk-id.subnumber
subnumber specifies the number of an Eth-Trunk sub-interface. The number ranges from 1 to
4096 on the FW. A maximum of 1024 sub-interfaces can be created on each Eth-Trunk
interface.
– To configure an IPv6 address in the format of EUI-64 for the sub-interface, run the
ipv6 address ipv6-address/prefix-length [ eui-64 ] command.
Step 6 Run:
vlan-type dot1q vlan-id
An encryption type and associated VLAN ID are configured for the Eth-Trunk sub-interface.
NOTE
The FW allows you to associate an Eth-Trunk sub-interface with a maximum of one VLAN.
NOTICE
If you run the mtu command to set an MTU to be smaller than 1280 for an Eth-Trunk
sub-interface running IPv6, IPv6 cannot work properly on the sub-interface. When IPv6
runs on an Eth-Trunk sub-interface, set the MTU of the sub-interface to be greater than
or equal to 1280.
----End
Follow-up Procedure
After configuring an Eth-Trunk sub-interface, view information about the sub-interface,
including the IP address and MAC address.
l Run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check the
status of the Eth-Trunk sub-interface.
Example
Run the display interface eth-trunk command. The command output shows the IP address
and MAC address of an Eth-Trunk sub-interface.
<sysname> display interface eth-trunk 1.1
Eth-Trunk1.1 current state : UP
Line protocol current state : UP
Context
A physical interface can be added to one Eth-Trunk interface only. If the physical interface
needs to be added to other Eth-Trunk interfaces, you should remove it from the former Eth-
Trunk interface.
NOTE
USG6000V have the independent management interfaces, so they cannot add GigabitEthernet 0/0/0 to
the Eth-Trunk.
Procedure
l Configure either of the following methods:
– In the Eth-Trunk interface view:
i. Run system-view, The system view is displayed.
ii. Run interface eth-trunk trunk-id. The Eth-Trunk interface view is displayed.
iii. Run either of the following commands to add physical interfaces to the Eth-
Trunk interface.
○ To add a single physical interface to the Eth-Trunk interface, run the
trunkport interface-type interface-number command.
○ To add multiple physical interfaces to the Eth-Trunk interface in batches,
run the trunkport interface-type { interface-number1 [ to interface-
number2 ] } &<1-16> command.
A maximum 16 interfaces can be added to the Eth-Trunk interface at a time.
– In the member interface view:
i. Run system-view The system view is displayed.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
least active-linknumber link-number
The lower limit of Up member interfaces is configured for the Eth-Trunk interface.
The default value is 1. The Eth-Trunk interface is Up as long as one member interface is Up.
NOTE
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface eth-trunk trunk-id
Step 3 Run:
load-balance { src-dst-ip | packet-all }
To ensure the bandwidth use efficiency of each member link, you can configure packet-all.
l In per-packet load balancing, traffic is evenly distributed to member links by packet, not
by data flow.
l Per-packet load balancing ensures bandwidth use efficiency, but not packet order, and
therefore applies to the scenarios where packet order is not strictly required.
l Per-destination load balancing differentiate data flows based on IP addresses to allow the
packets of one data flow to travel along the same member link.
l Per-destination load balancing ensures packet order, but not bandwidth use efficiency.
Step 4 Run:
quit
Step 5 Run:
interface interface-type interface-number interface-number
Step 6 Run:
distribute-weight weight-value
NOTE
If an Eth-Trunk interface carries multicast traffic and the distribute-weight command is used to change the
load balancing weight for a member interface, run the shutdown and then undo shutdown commands to
restart the member interface.
----End
Context
As the loopback interface always remains in the Up state once created and has the loopback
characteristic, it can be used to improve the reliability.
The loopback interface is usually used in two situations.
l The IP address of the loopback interface is designated as the source address of packets.
l Controlling the access interface and filtering log based on the IP address simplify
information.
Generally, BGP uses the optimal local address to set up the TCP connection with its neighbor.
If the interface turns to Down, the BGP neighbor relationship cannot be set up. In practice,
often more than one link can reach the same neighbor. In this situation, using the loopback
interface as the BGP neighbor of the local FW can ensure the reliable connection.
Do as follows on the FW.
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
After loopback interfaces are configured, you need to check whether the configuration is
correct. In addition, you can view the statistics about loopback interfaces.
l Run the display interface loopback [ loopback-number ] command to check the status
of a loopback interface.
Example
Run the display interface loopback command, and you can view that the link layer protocol
status of the interface is Up.
<sysname> display interface loopback 6
LoopBack6 current state : UP
Line protocol current state : UP (spoofing)
Description : LoopBack6 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.10.1.1/24
Physical is Loopback
Statistics last cleared: never
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets,0 bytes,
0 unicast,0 broadcast,0 multicast
0 errors,0 drops,
Output:0 packets,0 bytes,
0 unicast,0 broadcast,0 multicast
0 errors,0 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
Context
The Null interface is like the null devices supported by some operating systems. All packets,
which are sent to the Null interface, are dropped. The system creates a Null interface NULL0.
Since all packets sent to the Null interface are dropped, you can directly send packets to be
filtered out to the Null interface. In this case, you may not configure a security policy.
For example, using the following command will discard all packets that are sent to the
192.101.0.0 network segment.
[sysname] ip route-static 192.101.0.0 255.255.0.0 null 0
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface NULL 0
----End
Follow-up Procedure
After null interfaces are configured, you need to check whether the configuration is correct. In
addition, you can view statistics about null interfaces.
Run the display interface null [ 0 ] command to check the status of a null interface.
Example
l Run the display interface null command, and you can view that the status of the null
interface is Up.
<sysname> display interface null 0
NULL0 current state : UP
Line protocol current state :UP (spoofing)
Description: NULL0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
Physical is NULL DEV
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets,0 bytes,
0 unicast,0 broadcast,0 multicast
0 errors,0 drops,
Output:0 packets,0 bytes,
0 unicast,0 broadcast,0 multicast
0 errors,0 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
Procedure
Step 1 Run:
system-view
By default, the encapsulation protocol of a tunnel interface is GRE. For details, refer to the
related configuration of each specified protocol. For one tunnel, the same encapsulation mode
needs to be configured on the interfaces at both ends.
After running the mtu command, run the shutdown command and then the undo shutdown
command to restart the interface to validate the MTU configuration. The interval between
shutdown and undo shutdown command must be longer than 15 seconds.
Step 5 Run:
ip address ip-address { mask | mask-length } [ sub ]
Step 6 Run:
source { interface-type interface-number | source-ip-address }
The source address of the tunnel interface can be of the interface name or the IP address type.
If the interface name is adopted, the value can be GigabitEthernet, Eth-Trunk.
Step 7 Run:
destination [ vpn-instance vpn-instance-name ] dest-ip-address
The destination address of the tunnel interface must be different from the source address.
----End
Context
When PPP is required to bear other link layer protocols, VT interfaces are created to realize
the intercommunication. The VT interface is used in VPN applications.
The link layer of VT interfaces only supports the PPP protocol and the network layer only
supports IP.
NOTICE
l The newly configured or modified parameters of a VT interface can take effect only after
the shutdown and the undo shutdown command are run.
l To configure or modify services such as MTU or IS-IS, configure or modify those
services, and then perform related VT interface configuration on the other interfaces.
Procedure
Step 1 Run:
system-view
An IP address is configured.
Step 4 Run:
broadcast-limit link number
The maximum number of links that support the sending of multicast or broadcast packets is
configured.
When a VT interface has many links, multicast or broadcast packets are sent through each
link, affecting system performance. In this case, you can run the broadcast-limit link
command to allow a specified number of links to send multicast or broadcast packets. If every
link works at the highest speed, excess multicast or broadcast packets will be discarded.
NOTE
----End
Follow-up Procedure
After VT interfaces are configured, you need to check whether the configuration is correct. In
addition, you can view the statistics about VT interfaces.
l Run the display interface virtual-template [ vt-number ] command to check the status
of a VT interface.
Example
Run the display interface virtual-template command. If the configuration of a VT interface
is displayed, it means the configuration succeeds.
<sysname> display interface virtual-template 1
Virtual-Template1 current state : UP
Line protocol current state :UP (spoofing)
Description: Virtual-Template1 Interface
Route Port,The Maximum Transmit Unit is 1492
Internet Address is 10.1.1.1/24
Physical is None, baudrate is 64000 bps
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 2 seconds output rate 0 bits/sec, 0 packets/sec
Display brief information about Ethernet display interface ethernet brief [ | { begin
interfaces. | include | exclude } regular-expression ]
Display brief information about interfaces. display interface brief [ | { begin | include
| exclude } regular-expression ]
Display the status of the null interface. display interface null [ number ] [ | { begin
| include | exclude } regular-expression ]
Display the status of the loopback interface. display interface loopback [ number ] [ |
{ begin | include | exclude } regular-
expression ]
NOTICE
Statistics cannot be restored after you clear it. So, confirm the action before you use the
command.
To clear the interface statistics collected through the NMS or with the display interface
command, run the following reset counters commands in the user view. After that, you can
clear the traffic statistics on the interfaces again.
NOTE
For details on how to view the traffic statistics collected through the NMS, refer to the related manual
about the NMS.
You can run a reset command in the user view to clear the statistics of interfaces. Table 4-25
lists the display commands.
Action Command
Clear the interface statistics collected with reset counters interface [ interface-type
the display interface command. [ interface-number ] ]
clear the interface statistics collected reset counters if-mib interface [ interface-
through the NMS. type [ interface-number ] ]
Context
NOTICE
Debugging affects the performance of the system. So, after debugging, run the undo
debugging all command to disable it immediately.
When a fault occurs on an interface, run the following debugging commands in the user view
to locate the fault.
Procedure
l Run the debugging ethernet packet [ arp | error | ip | ipv6 | isis ] [ verbose ]
[ interface interface-type interface-number ] in the user view to debug the Ethernet
interface.
4.1.4.1 CLI: Example for Accessing the Internet Using a Static IPv4 Address
A FW is assigned a static IPv4 address to access the Internet and provides access services for
intranet users.
Networking Requirements
An enterprise deploys a FW as a security gateway on the network shown in Figure 4-5 and
purchases broadband services from an ISP.
The networking requirements are as follows:
l Intranet PCs communicate with each other using addresses on the network segment
10.3.0.0/24. The FW allocates private network addresses and a DNS server address to
the PCs.
l Intranet PCs are able to access the Internet.
Trust Untrust
PC
1.1.1.254
GE1/0/3 GE1/0/1
10.3.0.1/24 1.1.1.1/24
Intranet
FW Router
PC
The following information is used as an example. Obtain the desired service information from
your local ISP.
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces and add the interfaces to security zones. Set the default
gateway address to 1.1.1.254 for GigabitEthernet 1/0/1.
2. Configure the DHCP server function on the FW to allocate IP addresses and a DNS
server address to intranet PCs.
3. Configure security policies to allow PCs to access the Internet.
4. Configure NAT policies for source address translation. As the FW translates private
addresses into a fixed public network address that is assigned by the ISP, easy-IP is used
to simplify the configuration.
Procedure
Step 1 Set the IP addresses of interfaces, and then assign the interfaces to security zones.
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
# Create an interface address pool and specify the default gateway IP address and the DNS
server address for PCs on the intranet.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server dns-list 9.9.9.9
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit
Step 3 Configure security policies, allowing PCs on the intranet to access the Internet.
[FW] security-policy
[FW-security-policy] rule name policy_sec_1
[FW-security-policy-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-security-policy-sec_policy_1] source-zone trust
[FW-security-policy-sec_policy_1] destination-zone untrust
[FW-security-policy-sec_policy_1] action permit
[FW-security-policy-sec_policy_1] quit
[FW-security-policy] quit
Step 4 Configure a NAT policy, allowing PCs on the intranet to access the Internet by using the
resulting public IP address of translation.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
Step 5 Configure the default route whose next hop IP address is 1.1.1.254.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
----End
Configuration Verification
1. View details about GigabitEthernet 1/0/1 and check whether interface GigabitEthernet
1/0/1 has obtained a public IP address and both the physical and IPv4 states are Up.
[FW] display interface GigabitEthernet 1/0/1
GigabitEthernet 1/0/1 current state :
UP
2. Run the ipconfig/all command on a PC to verify that the PC has obtained a valid IP
address and DNS address. The following example uses a PC running Windows XP. The
actual command output may vary.
Ethernet adapter Local Area Connection:
3. Check whether an intranet PC can use a domain name to access the Internet. If the PC
can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
dhcp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
Applicable Products
USG6000V
Networking Requirements
Figure 4-6 shows that a FW functions as an egress gateway and connect PCs in an intranet to
the Internet. The network plan is as follows:
l An administrator manually specifies an IPv4 address for each PC on the network
segment 10.3.0.0/24.
l An interface with a static IPv4 address connects the FW to the intranet.
l Another interface on the FW that functions as a DHCP client applies for a client IPv4
address and a DNS server IP address from a DHCP server and connects the intranet to
the Internet.
Figure 4-6 Networking diagram for accessing the Internet using DHCP
Trust Untrust
PC FW
Intranet
GE1/0/3 GE1/0/1
10.3.0.1/24 DHCP Client
DHCP Server
PC
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on GigabitEthernet 1/0/1 of the FW to obtain a client
IPv4 address and a DNS server address from a DHCP server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3 that connects the FW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the FW.
4. Set the IP addresses of the PCs' gateway and a DNS server to 10.3.0.1. This example
provides the configuration procedure on the FW. The configuration procedure for the
PCs is not provided.
NOTE
After the FW obtains an IPv4 address from a DHCP server, the DHCP server issues a default route to the
FW that function as a DHCP client. The next hop of the default route is a carrier's device. Therefore,
there is no need to configure a default route.
Procedure
Step 1 Configure the IP address of the interface and assign the interfaces to the security zones.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
Step 4 Configure a security policy to allow the PCs to access the Internet.
[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0/24
[FW-policy-security-rule-policy_sec_1] egress-interface GigabitEthernet1/0/1
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
[FW-policy-security] quit
Step 5 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] destination-zone untrust
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up, the
connection type is DHCP, and the interface obtained an IPv4 address.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
dns resolve
dns server unnumbered interface GigabitEthernet1/0/1
#
dns proxy enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address dhcp-alloc
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 preference 245
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return
4.1.4.3 CLI: Example for Accessing the Internet Using IPv4 PPPoE
This section provides an example for the device, working as a PPPoE client, to obtain an IP
address by dialing up to the carrier's server through PPPoE for Internet access.
Networking Requirements
As shown in Figure 4-7, FW works as an egress gateway, providing an Internet egress for
PCs on the LAN. The company network is planned as follows:
l All PCs on the LAN are deployed on network segment 10.1.1.0/24, and they
dynamically obtain IP addresses through DHCP.
l The device connects to all PCs of the company over the downstream link.
l The device applies for Internet service from the carrier over the upstream link. The
Internet access service is provided using the PPPoE protocol.
According to the previous requirements, specify the FW as a PPPoE client. After the client
obtains IP and DNS addresses from the carrier's server, the Intranet users can access the
Internet.
Trust Untrust
FW
GE1/0/5
10.0.0.1 GE1/0/1
Intranet
In this example, the information provided by the carrier is used only for reference.
Data Description
Interface number: GigabitEthernet The device obtains IP and DNS addresses from the
1/0/1 PPPoE server (deployed by the carrier) through
Security zone: untrust dial-up.
l Dial-up user name: user
l Dial-up password: password
Data Description
Configuration Roadmap
1. Configure the downstream link.
Enable DHCP server on the GigabitEthernet 1/0/5 interface so that it dynamically
assigns IP addresses to PCs, and specify the GigabitEthernet 1/0/5 interface's IP address
as the gateway and DNS server addresses for the PCs.
During Internet access, a PC usually requires domain name resolution. This is why a
DNS server shall be specified. In this example, FW works as a DNS relay.
2. Configure the upstream link and use PPPoE to obtain IP and DNS addresses.
3. Add the interfaces into security zones and configure security policies.
Add the interface connected to the LAN to a high-priority security zone (Trust zone), and
the upstream interface connected to the Internet to a low-priority security zone (Untrust
zone).
4. The IP addresses used on LANs are private IP addresses, which shall be converted by
NAT to public IP addresses for Internet access, if needed. In this example, the upstream
interface obtains its IP address by dial-up. This IP address may vary for each dial-up.
Therefore, easy IP is recommended.
Procedure
Step 1 Configure the IP address of the interface GigabitEthernet 1/0/5.
<FW> system-view
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] ip address 10.0.0.1 255.255.255.0
[FW-GigabitEthernet1/0/5] quit
Step 3 Configure the device as a DHCP server to assign IP addresses to PCs on the LAN.
# Enable the DHCP function.
[FW] dhcp enable
# Create an interface address pool on the interface and specify the DNS server for the Intranet
PCs.
[FW] interface GigabitEthernet 1/0/5
[FW-GigabitEthernet1/0/5] dhcp select interface
[FW-GigabitEthernet1/0/5] dhcp server dns-list unnumbered interface
GigabitEthernet 1/0/5
Step 4 Configure interface GigabitEthernet 1/0/1 so that it obtains IP and DNS addresses using
PPPoE.
[FW] dialer-rule 1 ip permit
[FW] interface Dialer 1
[FW] link-protocol ppp
[FW-Dialer1] dialer user user
[FW-Dialer1] ip address ppp-negotiate
[FW-Dialer1] ppp ipcp dns admit-any
[FW-Dialer1] dialer-group 1
[FW-Dialer1] dialer bundle 1
[FW-Dialer1] ppp pap local-user user password cipher password
[FW-Dialer1] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface Dialer 1
[FW-zone-untrust] quit
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4
[FW-GigabitEthernet1/0/1] quit
Step 5 Configure a security policy to allow Intranet PCs to access the Internet.
[FW] security-policy
[FW-security-policy] rule name sec_policy_1
[FW-security-policy-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-security-policy-sec_policy_1] source-zone trust
[FW-security-policy-sec_policy_1] destination-zone untrust
[FW-security-policy-sec_policy_1] action permit
[FW-security-policy-sec_policy_1] quit
[FW-security-policy] quit
Step 6 Configure a NAT policy to allow Intranet users to access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.0.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
Step 7 Configure a default route to ensure that the LAN users are routable to the Internet. The next
hop shall be the gateway address assigned by the carrier to the enterprise.
[FW] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/1
----End
Verification
1. Display the detailed information of GigabitEthernet 1/0/1 and check whether the
physical status and IPv4 status of the interface is up and whether the link type is PPPoE.
[FW] display interface GigabitEthernet 1/0/1
GigabitEthernet 1/0/1 current state :
UP
Line protocol current state : UP
GigabitEthernet 1/0/1 current firewall zone : untrust
Description : GigabitEthernet 1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 1.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-
a101
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, full-duplex mode, link type is auto negotiation
QoS max-bandwidth : 100000 Kbps
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/5
ip address 10.0.0.1 24
dhcp select interface
dhcp server dns-list 2.2.2.2
#
interface Dialer1
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp pap local-user user password cipher %$%$8*YSTS6T4Xon5,*wo<v~0>5,%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
dialer-group 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/5
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 3.3.3.3
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone untrust
source-address 10.0.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
source-address 10.0.0.0 24
egress-interface GigabitEthernet1/0/1
action nat easy-ip
#
return
4.1.4.4 CLI: Example for Configuring Static IPv6 Addresses for Devices to
Communicate
This section describes how to configure static IPv6 addresses for devices to communicate.
The interfaces connecting two devices are configured with IPv6 addresses.
Networking Requirements
FW_A and FW_B are connected, as shown in Figure 4-8. Global unicast IPv6 addresses can
be assigned to interfaces that directly connect FW_A and FW_B to allow the two devices to
communicate with each other.
Untrust
GE1/0/1 GE1/0/1
3000::1/64 3000::2/64
FW_A FW_B
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure FW_A.
1. Enable IPv6 globally to allow the FW to forward IPv6 packets.
<FW> system-view
[FW] sysname FW_A
[FW_A] ipv6
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1. The following example uses GigabitEthernet
1/0/1 on FW_A. If the configuration is successful, the configured global unicast address
can be displayed. In addition, the physical status and IPv6 status of the interface is up.
[FW_A] display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state :
UP
IPv6 protocol current state :
UP
IPv6 is enabled, link-local address is
FE80::2A6E:D4FF:FE48:3EF
Global unicast
address(es):
3000::1, subnet is
3000::/64
Joined group
address(es):
FF02::1:FF00:1
FF02::2
FF02::1
FF02::1:FF48:3EF
MTU is 1500
bytes
ND DAD is enabled, number of DAD attempts:
1
ND reachable time is 30000
milliseconds
ND retransmit interval is 1000
milliseconds
ND stale time is 1200
seconds
ND advertised reachable time is 0
milliseconds
ND advertised retransmit interval is 0
milliseconds
ND router advertisement max interval 600 seconds, min interval 200
seconds
ND router advertisements live for 1800
seconds
ND router advertisements hop-limit
64
ND default router preference
medium
Hosts use stateless autoconfig for
addresses
2. Run the ping command on FW_A to test the connectivity between the devices.
Configuration Scripts
Configuration script for FW_A:
#
ipv6
#
sysname FW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
return
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
return
Networking Requirements
As shown in Figure 4-9, two project teams in the same R&D department which need to be
isolated belong to different VLANs. To enable project teams to coordinate with each other,
ensure that PCs in these project teams can communicate.
GE1/0/0 GE1/0/2
GE1/0/1 GE1/0/3
VLANIF2 VLANIF3
10.1.1.1/24 10.2.1.1/24
VLAN2 VLAN3
10.1.1.0/24 10.2.1.0/24
Configuration Roadmap
The configuration roadmap is as follows:
The default gateway address of each PC in a VLAN must be the IP address of the corresponding
VLANIF interface. Otherwise, inter-VLAN communication will fail.
Data Preparation
To complete the configuration, you need the following data:
l GigabitEthernet 1/0/0 and GigabitEthernet 1/0/1 belong to VLAN 2.
l GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 belong to VLAN 3.
l GigabitEthernet 1/0/0 and GigabitEthernet 1/0/1 belong to the Trust zone.
l GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 belong to the Untrust zone.
l The IP address of VLANIF 2 is 120.1.1.1/24.
l The IP address of VLANIF 3 is 130.1.1.1/24.
Procedure
Step 1 Configure VLANs and add interfaces.
# Create VLAN2.
<FW> system-view
[FW] vlan 2
[FW-vlan-2] quit
# Create VLAN3.
<FW> system-view
[FW] vlan 3
[FW-vlan-3] quit
Step 3 Add interfaces to corresponding security zones and configure interzone packet filtering to
ensure normal network communication. Details are omitted.
Step 4 Set the IP address of the host gateway that belongs to VLAN2 to 120.1.1.1 and set that
belongs to VLAN3 to 130.1.1.1.
After the configuration, the hosts in VLAN2 and VLAN3 can ping through each other.
Suppose that a host at IP address 130.1.1.5 exists on VLAN3, and you run the ping command
on a certain host on VLAN2 to test the communications with the host on VLAN3.
C:\Documents and Settings\Administrator> ping 130.1.1.5
----End
Configuration Files
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif3
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type access
port default vlan 3
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface Vlanif2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface Vlanif3
#
security-policy
rule name sec_policy_1
source-zone trust
source-zone untrust
destination-zone untrust
destination-zone trust
source-address 192.168.100.0 24
action permit
#
return
Networking Requirements
Three project teams in the R&D department shown in Figure 4-10 are deployed separately
and belong to VLAN10, VLAN20, and VLAN30, respectively. PCs of these project teams
need to communicate with each other to enable project teams to work with each other.
Figure 4-10 Networking diagram for configuring VLANs on Layer 3 subinterfaces to allow
the VLANs to communicate with each other
FW
GE1/0/3
Trust
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the Lay-3 Ethernet sub-interfaces.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3.1
[FW-GigabitEthernet1/0/3.1] alias GigabitEthernet1/0/3.1
[FW-GigabitEthernet1/0/3.1] vlan-type dot1q 10
[FW-GigabitEthernet1/0/3.1] ip address 10.3.1.1 255.255.255.0
[FW-GigabitEthernet1/0/3.1] quit
[FW] interface GigabitEthernet 1/0/3.2
[FW-GigabitEthernet1/0/3.2] alias GigabitEthernet1/0/3.2
[FW-GigabitEthernet1/0/3.2] vlan-type dot1q 20
[FW-GigabitEthernet1/0/3.2] ip address 10.3.2.1 255.255.255.0
[FW-GigabitEthernet1/0/3.2] quit
[FW] interface GigabitEthernet 1/0/3.3
----End
Configuration Verification
1. Display the status of GigabitEthernet 1/0/3.1, GigabitEthernet 1/0/3.2 and
GigabitEthernet 1/0/3.3. Check whether the physical status and the IPv4 status of each
sub-interface is up. Now set the GigabitEthernet 1/0/3.1 of USG6000V as an example.
[FW] display interface GigabitEthernet 1/0/3.1
GigabitEthernet1/0/3.1 current state : UP
Line protocol current state :
UP
Last line protocol up time : 2015-05-26 18:09:59 UTC
+08:00
Description:Huawei, Series, GigabitEthernet1/0/3.1 Interface
Route Port,The Maximum Transmit Unit is
1500
Internet Address is 10.3.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 286e-
d448-03f9
Encapsulation dot1q Virtual LAN, The number of Vlan is 1, Vlan ID
10
Current system time: 2015-05-30
17:11:17+08:00
Last 300 seconds input rate 0 bits/sec, 0 packets/
sec
Last 300 seconds output rate 8 bits/sec, 0 packets/
sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/
sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/
sec
Input: 0 packets,0
bytes,
0 unicast,0 broadcast,0
multicast
0 errors,0
drops,
Output:8558 packets,547712
bytes,
0 unicast,2856 broadcast,5702
multicast
0 errors,0
drops
Input bandwidth utilization :
0%
Output bandwidth utilization : 0%
2. Check whether PCs in VLAN10, VLAN20, and VLAN30 can communicate. If they can
communicate, the configuration is successful. If they fail to communicate, modify the
configuration and try again.
Configuration Script
#
interface GigabitEthernet1/0/3.1
vlan-type dot1q 10
alias GigabitEthernet1/0/3.1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3.2
vlan-type dot1q 20
alias GigabitEthernet1/0/3.2
ip address 10.3.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3.3
vlan-type dot1q 30
alias GigabitEthernet1/0/3.3
ip address 10.3.3.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3.1
add interface GigabitEthernet1/0/3.2
add interface GigabitEthernet1/0/3.3
#
return
4.1.4.7 CLI Example for Configuring VLAN Trunk Interfaces to Enable VLANs
on Different Network Segments to Communicate
This section provides an example for configuring VLAN trunk interfaces when VLANs are
deployed across devices. Data of a specific VLAN is identified by an 802.1q tag and is
transmitted over trunk links formed by connected trunk interfaces.
Networking Requirements
As shown in Figure 4-11, PCs of the financial and marketing departments of an enterprise are
distributed in two buildings, each of which is connected to a FW. The two FWs are connected
to each other. To improve service security, the FWs can be configured to forbid inter-
department communication so that only PCs of the same department can communicate with
each other.
VLAN5 VLAN5
Financial Financial
Department Trust Trust
Department
GE1/0/2 VLAN5 GE1/0/2
GE1/0/1 GE1/0/1
FW_A FW_B
VLAN9 VLAN9
Marketing Marketing
Department Department
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN5 and VLAN9 on both FW_A and FW_B. Add interfaces of each FW to
two VLANs so that PCs connected to each interface can access separate VLANs.
2. Configure trunk interfaces on FW_A and FW_B to allow VLAN5 and VLAN9 packets
through.
Procedure
l Configure FW_A.
# Create VLANs.
<FW> system-view
[FW] sysname FW_A
[FW_A] vlan batch 1 5 9
l Configure FW_B.
The configuration of FW_B is similar to that of FW_A. The configuration details are not
provided.
----End
Configuration Verification
1. Run the display interface command in the system view to display the information of
GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, then you can
check whether the physical status of each interface is up.
2. After completing the configuration, verify that PCs only in the same department can
communicate with each other.
Configuration Scripts
Configuration script for FW_A:
#
vlan batch 1 5 9
#
sysname FW_A
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
port trunk permit vlan 5 9
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port default vlan 9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
return
Networking Requirements
A company has two branches on LAN 1 and LAN 2. LAN 1 is connected to FW_A, and LAN
2 is connected to FW_B, as shown in Figure 4-12.
A large amount of traffic continuously goes between LAN 1 and LAN 2. Links can be
bundled in to an Eth-Trunk interface to increase the link bandwidth. LAN 1 and LAN 2 are on
the same network segment 192.168.0.1/24.
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Eth-Trunk 1 Eth-Trunk 1
GE1/0/3 Untrust Untrust GE1/0/3
Trust Trust
LAN 1 LAN 2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a Layer-2 Eth-Trunk interface. Because LAN 1 and LAN 2 are on the same
network segment, the Layer-2 Eth-Trunk interface is used.
2. Assign interfaces to security zones and configure security policies.
Procedure
Step 1 Configure FW_A.
# Create a Layer-2 Eth-Trunk interface.
<FW> system-view
[FW] sysname FW_A
[FW_A] interface eth-trunk 1
[FW_A-Eth-Trunk1] portswitch
[FW_A-Eth-Trunk1] port link-type access
[FW_A-Eth-Trunk1] quit
----End
Configuration Verification
View Eth-Trunk 1 information on FW_A.
<FW_A> display trunkmembership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
The previous information shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have
already become member interfaces of Eth-Trunk 1.
Use a PC in LAN 1 and a PC in LAN 2 to ping each other. Check whether the two PCs can
ping each other. If they fail to ping each other, modify the configuration and try again.
Configuration Script
Configuration script for FW_A:
#
sysname FW_A
#
interface Eth-Trunk1
portswitch
port link-type access
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
eth-trunk 1
interface GigabitEthernet1/0/2
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1
#
security-policy
rule name policy_sec_1
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
#
return
Symptom
Figure 4-13 shows the networking diagram for the Ethernet interface. The indicator
connected to the interface is off, or the physical status of the FW is Down.
GE1/0/1 GE1/0/1
NGFW_A NGFW_B
Possible Causes
The possible causes are as follows:
Fault Diagnosis
Figure 4-14 shows the troubleshooting flow when the electronic interface cannot go Up.
Figure 4-14 Flowchart for troubleshooting the fault that the electronic interface cannot go Up
The indicator of the
interface is off.
Yes Yes
Is the cable faulty? Replace the cable. Is the fault rectified?
No
No
No
No
Is auto Yes Configure the
negotiation adopted by
mandatory rate and
interfaces at both
duplex mode. Yes
ends?
Is the fault rectified?
No
Seek technical
End
support
Procedure
l Run the display interface GigabitEthernet interface-number command in the user or
system view to view the current running status of the interfaces of FWs on both ends.
For example, run the display interface GigabitEthernet 1/0/1 command on FW_A.
interface GigabitEthernet
1/0/1
speed
100
duplex
full
return
l Cause four: The interfaces on both ends are configured with different rates or working
modes.
a. Check whether the configured rates and working modes of the interfaces on both
ends are consistent. If the rates and working modes are inconsistent, change them to
the same settings.
l Cause five: A subcard of the FW fails.
a. Run the loopback command in the interface view.
b. Run the display interface interface-type interface-number command to view the
physical status of the interface.
If the physical status of the interface is Down, hardware is abnormal.
c. Run the undo loopback command to disable the loopback function.
NOTE
After testing and troubleshooting the cable or hardware, run the loopback command to
disable the loopback function.
d. Replace the interface on the local device. If possible, replace the original interface
with an interface of another subcard of the same type. Then, check whether the fault
is removed.
n If the fault persists, go to e.
n If the fault does not occur on other subcards, contact technical support
personnel to repair the faulty subcard.
e. Replace the interface on the remote device. If possible, replace the original interface
with an interface of another subcard of the same type. Then, check whether the fault
is removed. If the fault persists, contact technical support personnel to repair the
faulty subcard.
----End
Symptom
NOTICE
When maintaining devices that have optical modules or interfaces, note the following issues:
l Do not look into the fiber connector when installing and maintaining fibers.
l Do not look into the fiber connector without eye protection when replacing a pluggable
optical module.
l Wear an electrostatic discharge (ESD) wrist strap when replacing a pluggable optical
module.
l Only engineers with professional training are allowed to operate optical modules or fibers.
Configure the subcard on which the optical interface resides on the FW with the SFP optical
or electronic module.
After optical interfaces are interconnected, the LINK indicator is off, or the interface is in
Down state. Figure 4-15 shows the typical networking.
Receive Send
Send Receive
NGFW_A NGFW_B
Possible Causes
l Cause one: The optical modules or fibers on both ends are inconsistent.
l Cause two: An optical fiber or module is abnormal.
l Cause three: The interface configurations on both ends are inconsistent.
l Cause four: An interface or a subcard fails.
Fault Diagnosis
Figure 4-16 Flowchart for troubleshooting the fault that the physical status of the optical
interface cannot be Up
The optical interface
cannot be in Up state.
Change to the
Does the optical No Yes
optical module and
module match the LPU Is the fault rectified?
fibers that match
and fibers? each other.
No
Yes
No Yes
Are the fibers normal? Replace the fibers. Is the fault rectified?
No
Yes
Yes No
No Yes
Is the interface card or Replace the
Is the fault rectified?
slot normal? interface card.
No
Yes
When troubleshooting faults, you may use tools, meters, and materials listed in Table 4-27.
Procedure
l Run the display interface command on both ends to view the current status of the
interfaces.
For example, run the display interface GigabitEthernet 1/0/1 command on FW_A.
[FW_A] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.8.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-
a100-0008
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Vendor Name: huawei
Vendor PN: 02310CRM
SN: AD1342R001C
Transceiver max BW: 1G
Transceiver Mode: SingleMode
WaveLengh: 1310nm
Transmission Distance: 52km
Current SFP module temperature(0.00c/75.00c): 30.00 c
Current SFP module supply(3.09/3.50V): 3.25 V
Current SFP module Tx bias(0.00/39.95mA): 10.45
mA
Current SFP module Rx power(<8.129dBm): -4.98
dBm
Default Rx Power High Threshold: -2.97
dBm
Default Rx Power Low Threshold: -6.96
dBm
Current SFP module Tx power(<8.129dBm): -1.84 dBm
Default Tx Power High Threshold: -2.97 dBm
Default Tx Power Low Threshold: -12.19 dBm
Max-bandwidth : 1000000 Kbp
---- More ----
n negotiation disable: The interface is configured with the mandatory rate and
mandatory working mode, and no negotiation is needed.
– full-duplex mode: The interface is working in full-duplex mode.
l Cause one: The optical modules or fibers are inconsistent.
a. Verify that the fibers for sending and receiving packets are correctly connected. If
the fibers are reversely inserted, reconnect the fibers and tightly insert the fibers to
prevent bad connections.
b. Verify that the subcard of the interface supports the module type. For example,
some interfaces only support optical modules.
c. Verify that the optical modules of the interfaces on both ends are consistent. For
example, a single-mode module cannot be connected to a multi-mode module, and
an FE optical module cannot be connected to a GE optical module.
d. Verify that the optical module and fiber are consistent. For example, a single-mode
optical module does not match a multi-mode fiber (orange), and a multi-mode
optical module does not match a single-mode fiber (light yellow).
l Cause two: The fibers or optical modules are abnormal.
You can test the input optical power based on segments by using the optical power meter
to locate the segment on which the fault occurs. If the input optical power is not in the
sensitivity range of the optical interface, a fault of the optical power may occur on the
remote end, or a fault may occur in the optical cable.
Run the display this command in GigabitEthernet 1/0/1 view of FW_A to view the
interface configuration.
[FW_A-GigabitEthernet 1/0/1] display this
#
interface GigabitEthernet 1/0/1
speed 1000
duplex full
#
return
The Status field shows the subcard status. If the status of the subcard is Normal,
the subcard is working properly.
----End
4.2.1 Overview
This section describes the basic concepts about interface pairs.
After an interface pair is formed, the traffic enters the incoming interface of the interface pair
is forwarded out of the outgoing interface in the interface pair, without routing table or MAC
address table lookup.
If the incoming and outgoing interfaces are the same interface, the packets entering the
interface are forwarded out of the same interface after being processed.
Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and Layer 2 Eth-
Trunk interfaces.
Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is
formed, the traffic enters the incoming interface of the interface pair is forwarded out of the
outgoing interface in the interface pair, without MAC address table lookup.
If the incoming and outgoing interfaces are the same interface, the packets entering the
interface are forwarded out of the same interface after being processed.
Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and Layer 2 Eth-
Trunk interfaces.
Procedure
Step 1 Choose Network > Interface Pair.
Advanced
----End
Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is
formed, the traffic enters the incoming interface of the interface pair is forwarded out of the
outgoing interface in the interface pair, without MAC address table lookup.
If the incoming and outgoing interfaces are the same interface, the packets entering the
interface are forwarded out of the same interface after being processed.
Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and Layer 2 Eth-
Trunk interfaces.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Run the pair-interface name name command to access the system view.
----End
4.2.4.1 Specifications
This section describes interface pair specifications.
Function Specifications
Function Description Supported or Not
Configuring Interface pairs An interface pair is a pair of Supported by all the models.
incoming and outgoing
interfaces.
After an interface pair is
formed, the traffic enters the
incoming interface of the
interface pair is forwarded
out of the outgoing interface
in the interface pair, without
routing table or MAC
address table lookup.
4.3.1 Overview
A security zone or zone is a security concept introduced by the device. Most security policies
are implemented based on security zones.
Definition
A security zone is a set of the networks connected by interfaces. Users on these networks have
the same security attributes.
Purpose
In the application of network security, if the network security device checks all packets one by
one, a large number of resources are consumed and performance is severely degraded.
Moreover, it is unnecessary to check all packets. Therefore, a packet check mechanism based
on the security zone is brought forward in the network security field.
Then the network administrator can classify the network devices at the same security level
into one security zone. Since the network devices in the same security zone are at the same
security level, the FW considers that data flows in the same security zone bring no security
risks and thus no security policy is required. The FW triggers the security check and
implements security policies only on data flows between security zones.
All in all, in addition to the direct forwarding of packets, the FW supports creating security
zones, and allows the network administrator to implement security check on special packets
and enable the security function on the basis of security zones.
4.3.2 Mechanism
This section describes the security zone mechanism.
Security Zones
A security zone is a set of the networks connected by interfaces. Users on these networks have
same security attributes.
The FW considers that data flows within a single security zone are trustful and require no
security policy. The FW enforces security policies only on data flows between security zones.
The security level value ranges from 1 to 100. The larger the value, the higher the security
level.
Table 4-28 lists default security zones on the FW.
NOTE
Default security zones cannot be deleted, and their security levels cannot be reset.
You can create security zones and specify their security levels as needed.
Local area 100 A local zone is a device itself, including interfaces on the
(highest) device. All packets constructed on and proactively sent from
the device are regarded as from the Local area; those to be
responded and processed by the device (including the packets
to be detected or directly forwarded) are regarded as to the
Local area.
Users cannot change Local area configurations, for example,
adding interfaces to the Local area.
NOTE
A security policy for exchanging packets between the Local zone and
the security zone of a peer can be configured in the following
scenarios:
l A local device itself requires management using Telnet, web, or
SNMP NMS.
l A local device serves as a client to initiate requests or as a server
to processes requests in the FTP, PPPoE dial-up, NTP, or IPSec
VPN scenario.
An interface is added to a security zone. A network connected to the
interface is in the security zone, and the interface is in the Local zone.
If packets exchanged between the client and web server match the quintuple, the FW
processes the packets based on the outbound security policy, without re-checking the packet
transmission direction.
If a user only enables an outbound security policy for Trust-to-Untrust traffic in an interzone,
the following situations occur:
l A terminal in a Trust zone proactively initiates a connection to another terminal in an
Untrust zone. Packets replied by the Untrust zone can pass through the interzone.
l Terminals in an Untrust zone can only receive requests for connections initiated by
terminals in a Trust zone.
Zone Name Name of a security zone. The name of the security zone cannot
be changed once it is configured.
The value must be different from the name of an existing
security zone.
----End
NOTE
A Local zone defines a device itself, including the interfaces on the device. Although an interface is
assigned to a security zone, only the network connected to the interface is in the security zone, and the
interface is in the Local zone.
Step 2 Perform either of the following methods to enter the operation page before adding interfaces
to security zones:
l When creating a security zone, perform operations on the Add Zone page.
l Click of the line where the entry to be modified resides and enter the Modify Zone
operation page.
Step 3 In Select Zone Interface, perform one of the following operations:
l On the Un-Added Interface page, double-click a desired interface. This interface
appears in the Added Interface window.
l On the Un-Added Interface page, select a desired interface and click . This interface
appears in the Added Interface window.
----End
Step 2 Create a security zone and display the security zone view.
firewall zone [ name ] zone-name
Set a security level (priority) for a security zone based on the following rules:
l A security level is only set for a user-defined security zone. A new security zone without
a security level configured cannot take effect.
l A security level cannot be changed after being configured.
l Interfaces can only be manually assigned to security zone, except for the Local zone.
l Either a physical or logical interface can be assigned to a security zone.
l A maximum of 1024 interfaces can be assigned to a security zone.
Appropriate descriptions help the administrator learn system configurations and device
maintenance.
----End
Two related security zones must be already created. For details, see Creating a Security
Zone and Adding an Interface to It.
After a new security zone is created, the view of the interzone between the security zone and
another security zone is automatically created.
Step 2 Display the view of the interzone between two security zones.
firewall interzone zone-name1 zone-name2
Security policy checks are triggered when the data flows in security interzones. After entering
the security interzone view, you can configure security functions, such as application specific
packet filter (ASPF).
----End
Table 4-29 lists the commands used to display security zone configurations.
Action Command
4.3.5.1 Specifications
This section describes security zone specifications.
Function Specifications
Function Description Supported or Not
Default security zone Untrust, DMZ, Trust, and Supported by all models.
Local
Performance Specifications
Function Specifications
4.4 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.
4.4.1 Overview
The Point-to-Point Protocol (PPP) is a data link-layer protocol used to transmit and
encapsulate network layer packets on point-to-point (P2P) links.
Definition
A P2P connection is a simple WAN connection. Link layer protocols for PPP links are as
follows:
l PPP: supports both synchronous and asynchronous transmission.
l High-level Data Link Control protocol (HDLC): only supports synchronous
transmission.
PPP defines a set of protocols:
l Link Control Protocol (LCP): used to establish, monitor, and terminate data links.
l Network Control Protocol (NCP): used to establish and configure different network layer
protocols and negotiate the format and type of packets transmitted over data links.
l Authentication protocols: include Password Authentication Protocol (PAP) and
Challenge-Handshake Authentication Protocol (CHAP).
Objective
Located at the data link layer of the Open Systems Interconnection (OSI) model, PPP
supports both synchronous or asynchronous full-duplex links to transmit data. PPP is widely
used because it has the following advantages:
l Provides user authentication.
l Supports synchronous and asynchronous communications.
l Is easily expanded.
4.4.2 Applications
This section describes the application scenario of PPP.
Application Environment
When a FW functions as the enterprise egress gateway, the LAN-side interface connects to a
host on the intranet and the WAN-side interface connects to a carrier's device. The carrier's
device can be a digital subscriber line access multiplexer (DSLAM), an optical line terminal
(OLT), or a wireless base station, depending on the WAN-side interface type.
Typical Application
PPP can be used in the following scenarios:
l FW_A connects to the WAN-side interface of FW_B using a PPP link. FW_A obtains
the IP address allocated by a carrier's device, through IPCP negotiation in the PPP link
establishment process, and connects to the WAN. PPP links are widely used for
communication between enterprise branches and the headquarters.
POS1/0/0 POS1/0/0
Branch Headquarters
FW_A FW_B
l PPP can be used with other technologies to provide various services. such as PPPoE.
4.4.3 Mechanism
This section describes the mechanism of Point-to-Point Protocol (PPP).
PPP-enabled devices on two ends of a link must send LCP packets to set up a P2P link. After
the LCP configuration parameters have been negotiated, the two communicating devices
choose the authentication mode according to the authentication parameters in the Configure-
Request packets.
By default, the devices on the two ends do not authenticate each other. After the negotiation
of the LCP configuration parameters, the devices negotiate NCP configuration parameters
without any authentication. After all the negotiations, the two devices on the P2P link can
transmit network-layer packets, and the whole link is available.
A link is torn down and a PPP session ends if one of the following situations occurs:
l The device on either end receives an LCP or an NCP Terminate frame that aims at
closing the link.
l The physical layer cannot detect a carrier.
l The network administrator shuts down the link.
Typically, NCP should not necessarily have the capability in closing links. Therefore, the
packet used to close a link is usually sent during the LCP negotiation or application program
session.
Figure 4-18 shows the setup process of a PPP session and status transition.
UP OPENED
Dead Establish Authenticate
SUCCESS/NONE
FAIL FAIL
DOWN CLOSING
Terminate Network
l the Link Establishment phase is the first phase to set up a PPP link.
l LCP negotiation is performed, during which the working mode, MRU, authentication
mode, magic number, and asynchronous character mapping are negotiated. The working
mode can be Single-link PPP (SP) or Multilink PPP (MP). If the LCP negotiation is
successful, the LCP status turns to Opened.
l If no authentication is configured, the communicating devices directly enter the NCP
negotiation phase. If authentication is configured, the communicating devices enter the
Authentication phase and perform CHAP or PAP authentication.
l If the authentication fails, the devices enter the Terminate phase and disconnect the link,
and LCP status becomes Down. If the authentication is successful, the devices enter the
NCP negotiation phase. The LCP status remains Opened, whereas the NCP status
changes from Inital to Starting.
l The devices run an NCP protocol to negotiate parameters. The NCP suite includes the
Internet Protocol Control Protocol (IPCP), Multiprotocol Label Switching Control
Protocol (MPLSCP), and Open System Interconnection Control Protocol (OSCICP).
Devices run IPCP to negotiate IP addresses. A network layer protocol is selected during
NCP negotiation. The network layer protocol sends packets over the PPP link only after
negotiation of the network layer protocol is successful.
l The PPP link remains in Up until an LCP or NCP frame is generated to close the link or
traffic is interrupted.
After a link is torn down, the link returns to the Link Dead phase. In real-world
situations, this state does not last long and is only used to detect the existence of a peer
device.
l Link Establishment phase
The Link Establishment phase is the most complex PPP phase.
The two devices on both ends of a PPP link exchange packets, which do not include
network layer protocol parameters. Both devices enter the next phase.
The next phase can be Authentication phase or Network-Layer Protocol phase. The next
phase is selected according to the configuration on both the devices. It is usually
configured by the user.
In the Link Establishment phase, the LCP state machine changes twice:
– When the link is in the Link Dead phase, the LCP state machine is in the status of
Initial or Starting. If the link is Up, the physical layer sends an Up event in a packet
to the data link layer. The data link layer changes the LCP status to Request-Sent.
LCP then sends Configure-Request packets to configure a data link.
– After one end receives the Configure-Ack packet, the LCP status changes to
Opened. The link enters the next phase.
Note that the link configurations on both ends are mutually independent. In the Link
Establishment phase, devices discard non-LCP packets.
l Authentication phase
Authentication is performed before devices on both ends enter the Network-Layer
Protocol phase.
PPP authentication is disabled by default. To enable authentication, specify an
authentication protocol in the Link Establishment phase.
PPP authentication is used on the following two types of links:
– Non-leased lines between hosts and devices
– Leased lines
PPP provides the following two authentication modes:
– PAP: Password Authentication Protocol
– CHAP: Challenge-Handshake Authentication Protocol
The authentication mode used is determined based on negotiation performed during the
Link Establishment phase. Link quality detection is also performed in the Link
Establishment phase. According to the PPP protocol, detection delays the authentication
process within a specified period of time.
The link control protocol, authentication protocol, and quality detection packets are
supported in the Authentication phase. The packets of other types are discarded. If a
device receives a Configure-Request packet in the Authentication phase, the link restores
the Link Establishment phase.
l Network-Layer Protocol phase
Network protocols, such as IP, IPX, and AppleTalk, are negotiated using NCPs, which
can be enabled or disabled during any phase. After an NCP state machine turns to
Opened, PPP links can transmit network layer packets.
If a device receives a Configure-Request packet in the Network-Layer Protocol phase,
the device and its peer device enter the Link Establishment phase.
l Termination phase
PPP can terminate links at any time. In addition, a network administrator can manually
disconnect links. Carrier connection loss, authentication failures, or link-quality
detection failures can cause link disconnections. When devices exchange LCP Terminate
frames during the Link Establishment phase, the link in question is torn down. Therefore,
NCP does not need to close a PPP link.
PAP
PAP supports two-way handshake authentication and simple passwords. The authentication
process is performed in the Link Establishment phase.
After the Link Establishment phase is complete, the user name and password of a supplicant
are repeatedly sent to the authenticator until authentication is successful or the link is ended.
PAP authentication is the optimal option when a password transmitted in plain text must be
used to simulate logging into a remote host.
Authenticated Authenticator
Authenticate-Request
Authenticate-Ack
Authenticate-Nak
1. The supplicant sends the local user name and password to the authenticator.
2. The authenticator checks the user list for the user name and whether the password is
correct and returns an appropriate response.
PAP is an unsecured protocol. Simple passwords are sent over links. After a PPP link is
established, the supplicant repeatedly sends the user name and password until authentication
is complete, which could leave the system vulnerable to malicious attacks.
CHAP
CHAP is a three-way handshake authentication protocol. CHAP authentication only allows
user names to be transmitted over a network. Compared with PAP, CHAP provides higher
security because passwords are not transmitted.
CHAP authentication is generally performed before the link is set up. However, it can be
performed at any time using CHAP negotiation packets.
After the Link Establishment phase ends, an authenticator sends a Challenge packet to a
supplicant. After performing the "one-way hash" algorithm, the supplicant returns a calculated
value to the authenticator.
The authenticator compares the value it itself has calculated using the hash algorithm with the
value provided by the supplicant. If the two values match, authentication is successful. If the
values do not match, the authentication fails, and the link is torn down.
Figure 4-20 shows the CHAP authentication process.
Authenticated Authenticator
Challenge
Response
Success
Failure
l Unidirectional: One end acts as the authenticator, while the other end acts as a
supplicant.
l Bidirectional: Two ends act as both the authenticator and supplicant.
There are two possible scenarios for unidirectional CHAP authentication: the authenticator is
configured with a user name and the authenticator is not configured with a user name.
Configuring a user name for the authenticator is recommended for improved connection
security.
l When the authenticator is configured with a user name, the authentication process is as
follows:
a. The authenticator sends a randomly generated Challenge packet and the host name
to the supplicant.
b. The supplicant searches for the local password in the local user list according to the
user name of the authenticator. Based on the found password and the Challenge
packet, a supplicant obtains a value calculated using the message digest algorithm 5
(MD5) algorithm. The supplicant then sends its host name and the calculated value
in a response packet to the authenticator.
c. After receiving the response packet, the authenticator searches for the supplicant's
password in the local user list based on the supplicant's host name. After locating
the password, the authenticator uses the Challenge packet and the password of the
authenticated to obtain a value through the MD5 algorithm, compares the value
with that in the received Response packet, and then returns the authentication result,
that is, allow or deny.
l When the authenticator is not configured with a user name, the authentication process is
as follows:
a. The authenticator sends the Challenge packet to a supplicant.
b. The supplicant uses the message digest algorithm 5 (MD5) algorithm to calculate a
value based on the local password and the Challenge packet. The supplicant then
sends its host name and the calculated value in a response packet to the
authenticator.
c. The authenticator searches for the supplicant's password in the local user list based
on the supplicant's host name.
Procedure
Step 1 Display the system view.
system-view
----End
Prerequisites
A FW functions as an authenticator and uses PAP to authenticate its peer. PAP authentication
is performed locally on the authenticator or on a remote authentication server. To implement
PAP authentication, configure user accounts and the authentication mode. If remote
authentication is used, configure an authentication server as well.
Context
PAP uses simple passwords and is the least secure authentication protocol. After a PPP link is
established, the device to be authenticated repeatedly sends a user name and a password until
authentication is complete. During PAP authentication, the transmitted user name and
password are susceptible to monitoring.
By default, PPP packets are not authenticated.
Procedure
l Configure an authenticator to authenticate the peer end in PAP mode.
a. Display the system view.
system-view
c. Configure the local end to authenticate its peer end in PAP mode.
ppp authentication-mode [ chap ] pap
c. Enable the local end to be authenticated by the peer end in PAP mode and send a
PAP user name and a password.
ppp pap local-user user-name password cipher password
Prerequisites
A FW functioning as an authenticator supports local and remote authentication. If local
authentication is used, you must configure a user account and an authentication mode. If
remote authentication is used, you must also configure an authentication server.
If the FW is a supplicant, you must configure a user name and an authentication mode. And
an authentication server also needs to be configured if remote authentication is used.
Context
Devices enabled with CHAP authentication only transmit user names over a network. CHAP
supports higher security than the Password Authentication Protocol (PAP) because passwords
are not transmitted.
By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.
Procedure
l Configure an authenticator to use CHAP to authenticate the peer end when the user name
is specified.
NOTE
When an authenticator sets a user name, the authenticator must set the same password the same as
that for the authenticated end.
– Configure a FW that authenticates a peer end.
i. Display the system view.
system-view
iii. Configure a local end to use CHAP to authenticate the peer end.
ppp authentication-mode chap [ pap ]
system-view
l Configure the authenticator to authenticate the peer end in CHAP mode if the user name
is not specified.
During authentication, the authenticator searches locally configured AAA user names. If
the user name and password configured on the peer interface match those on the local
end, authentication succeeds.
– Configure a FW that authenticates a peer end.
i. Display the system view.
system-view
iii. Configure a local end to use CHAP to authenticate the peer end.
ppp authentication-mode chap [ pap ]
iv. Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
Context
When the FW connects to a carrier's access server using PPP, the device must be configured
to accept the DNS server address specified by the access server or to request a DNS server
address from the access server. In this way, the device can connect to the network using a
domain name.
Procedure
Step 1 Access the system view.
system-view
Step 3 Configure the local end to request the peer end for the IP address of the DNS server.
ppp ipcp dns request
Step 4 Enable the device to use any DNS server address proposed by the peer end.
ppp ipcp dns admit-any
By default, the DNS server address proposed by the peer end is not accepted.
----End
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable the device to use any WINS server address proposed by the peer end.
ppp ipcp nbns request
By default, the device does not request for the IP address of the WINS server from the peer
end.
----End
Context
In PPP negotiation, if the local end does not receive any response from the remote end within
the specified timeout period, it resends a packet. This specified timeout period is called
timeout interval.
If the negotiation timeout period is too long, link transmission efficiency decreases. If the
negotiation timeout period is too short, unnecessary packet retransmission occurs, increasing
the link load.
Therefore, the negotiation timeout period must be set properly.
Procedure
Step 1 Access the system view.
system-view
----End
Context
The polling interval of an interface is the interval at which the interface sends Keepalive
packets.
Keepalive packets are used to monitor and maintain the link status. If an interface does not
receive any Keepalive packet after five Keepalive intervals, it considers that the link fails.
On a low-speed link, the seconds parameter cannot be set to a small value because it may take
a long time to transmit oversized packets on the link. If the interval for sending Keepalive
packets is set to a small value, transmission of Keepalive packets is delayed. If an interface
does not receive any Keepalive packet from the remote interface after five Keepalive
intervals, the interface considers that the link fails.
The negotiation polling interval must be set based on the site requirements.
Procedure
Step 1 Access the system view.
system-view
----End
You can display the PPP configurations by run the command listed in Table 4-30 in any view.
Action Command
Debugging PPP
If PPP running faults occur, you can run the debugging commands in the user view to debug
PPP, view the debugging information, and locate and analyze faults.
Before enabling the debugging, you must run the terminal monitor command in the user
view to enable the terminal information display and the terminal debugging command in the
user view to terminal debugging information display functions.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete,
run the undo debugging all command to disable the debugging immediately.
Action Command
Enable the debugging of all PPP debugging ppp all [ verbose ] [ interface
information. interface-type interface-number ]
Enable the debugging of PPP control debugging ppp { ccp | chap | ipcp | ipv6cp
protocols. | lcp | pap } { all | error | event | packet
core [ verbose ] | state } [ interface interface-
type interface-number ]
Enable the debugging of PPP EAP packets. debugging ppp eap { all | error | event |
packet [ verbose ] | state } [ interface
interface-type interface-number ]
Enable the debugging of PPP core events. debugging ppp core event [ interface
interface-type interface-number ]
Networking Requirements
As shown in Figure 4-21, FW_A and FW_B are connected through the Pos interface. FW_A
(the authenticator) is required to authenticate FW_B (the authenticated) in PAP mode.
POS1/0/0
10.110.0.1/24 FW_B
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the user name and password of FW_B to the local user list of FW_A.
2. Configure FW_A to authenticate FW_B in PAP mode.
3. Configure the local user name and password on FW_B.
Data Preparation
To complete the configuration, you need the following data:
l The user name and password of FW_B
l The IP address of the interface on FW_A
l The IP address of the interface on FW_B
Procedure
Step 1 Configure FW_A
# Add the username and password of FW_B to the local user list of FW_A.
<FW> system-view
[FW] sysname FW_A
[FW_A] user-manage user userb
[FW_A-localuser-userb] password Admin@123
[FW_A-localuser-userb] quit
# Configure an IP address for Pos1/0/0 and configure the link-layer encapsulation protocol as
PPP.
[FW_A] interface pos 1/0/0
[FW_A-Pos1/0/0] ip address 10.110.0.1 255.255.255.0
NOTE
l When you configure an IP address for an interface on a PPP link, if you delete the IP address of the
interface on the PPP link that fulfills the IPCP negotiation and assign this IP address to an interface
on another PPP link, the IPCP negotiation of the later PPP link is definitely unsuccessful. To solve
this problem, you can run the shutdown and undo shutdown commands on the former interface to
restore the IPCP negotiation or assign a new IP address to the later interface.
l When you configure an IP address for an interface on a PPP link, if the configuration is correct but
the negotiation is always unsuccessful, it is recommended that you assign a new IP address to the
interface.
[FW_A-Pos1/0/0] link-protocol ppp
# Configure the username and password sent to the authentication object in the PAP mode.
[FW_B-Pos1/0/0] ppp pap local-user userb password cipher Admin@123
----End
Configuration Files
l Configuration file of FW_A
#
sysname FW_A
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
Networking Requirements
As shown in Figure 4-22,Pos1/0/0 of FW_A connects to Pos1/0/0 of FW_B.
Users want that FW_A performs simple authentication on FW_B and FW_B performs simple
authentication on FW_A.
POS1/0/0
10.110.0.1/24 FW_B
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PAP authentication because PAP authentication meets user's requirements of
simple authentication and low security.
2. Configure both FW_A and FW_B as the PAP authenticator and authenticated party to
meet the bidirectional authentication requirement.
NOTE
In PAP authentication, passwords are transmitted in plain text on the network, bringing potential security
risks.
Procedure
Step 1 Configure FW_A
# Assign an IP address to Pos1/0/0 and configure PPP as the link layer protocol of Pos1/0/0.
<FW> system-view
[FW] sysname FW_A
[FW_A] interface pos 1/0/0
[FW_A-Pos1/0/0] link-protocol ppp
[FW_A-Pos1/0/0] ip address 10.110.0.1 24
# Configure the user name and password sent from FW_A to FW_B in PAP authentication
and restart the interface.
[FW_A] interface pos 1/0/0
[FW_A-Pos1/0/0] ppp pap local-user userb password cipher Huawei2
[FW_A-Pos1/0/0] shutdown
[FW_A-Pos1/0/0] undo shutdown
# Configure the user name and password sent from FW_B to FW_A in PAP authentication
and restart the interface.
[FW_B] interface pos 1/0/0
[FW_B-Pos1/0/0] ppp pap local-user usera password cipher Huawei1
[FW_B-Pos1/0/0] shutdown
[FW_B-Pos1/0/0] undo shutdown
Alignments: 0, Overruns: 0
Dribbles: 0, Aborts: 0
No Buffers: 0, Frame Error: 0
----End
Configuration Files
l Configuration file of FW_A
#
sysname FW_A
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ppp authentication-mode pap
ppp pap local-user userb password cipher %$%$nJ2sbcJp7pHX:7h{[\>,.%sh%$%$
ip address 10.110.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Pos1/0/0
#
security-
policy
default action permit
rule name policy_sec_1
source-zone
local
source-zone
trust
destination-zone
local
destination-zone
trust
action permit
#
return
#
sysname FW_B
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ppp authentication-mode pap
ppp pap local-user usera password cipher %$%$nJ2sJbBsp7pHX:7h{[\>,.%y%$%$
ip address 10.110.0.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface Pos1/0/0
#
security-
policy
default action permit
rule name policy_sec_1
source-zone
local
source-zone
trust
destination-zone
local
destination-zone
trust
action permit
#
return
Networking Requirements
As shown in Figure 4-23, FW_A is required to authenticate FW_B in CHAP mode and
should be configured with a user name.
POS1/0/0
10.110.0.1/24 FW_B
Configuration Roadmap
The configuration roadmap is as follows:
1. Add the user name and password of FW_B to the local user list of FW_A.
2. Configure the local user name for FW_A.
3. Configure FW_A to authenticate the peer in CHAP mode.
4. Add the user name and password of FW_A to the local user list of FW_B.
5. Configure the local user name for FW_B.
Data Preparation
To complete the configuration, you need the following data:
l Local user name of FW_A
l Local user name and password of FW_B
l IP address of the interface on FW_A
l IP address of the interface on FW_B
Procedure
Step 1 Configure FW_A.
# Add the username and password of FW_B to the local user list of FW_A.
<FW> system-view
[FW] sysname FW_A
[FW_A] user-manage user userb
[FW_A-localuser-userb] password Password1
# Configure an IP address for Pos1/0/0 and configure the link-layer encapsulation protocol as
PPP.
[FW_A] interface pos 1/0/0
[FW_A-Pos1/0/0] ip address 10.110.0.1 255.255.255.0
NOTE
l When you configure an IP address for an interface on a PPP link, if you delete the IP address of the
interface on the PPP link that fulfills the IPCP negotiation and assign this IP address to an interface
on another PPP link, the IPCP negotiation of the later PPP link is definitely unsuccessful. To solve
this problem, you can run the shutdown and undo shutdown commands on the former interface to
restore the IPCP negotiation or assign a new IP address to the later interface.
l When you configure an IP address for an interface on a PPP link, if the configuration is correct but
the negotiation is always unsuccessful, it is recommended that you assign a new IP address to the
interface.
[FW_A-Pos1/0/0] link-protocol ppp
[FW_A] security-policy
[FW_A-policy-security] rule name policy_sec_1
[FW_A-policy-security-rule-policy_sec_1] source-zone local
[FW_A-policy-security-rule-policy_sec_1] source-zone trust
[FW_A-policy-security-rule-policy_sec_1] destination-zone trust
[FW_A-policy-security-rule-policy_sec_1] destination-zone local
[FW_A-policy-security-rule-policy_sec_1] action permit
[FW_A-policy-security-rule-policy_sec_1] quit
[FW_A-policy-security] quit
# Configure the IP address for Pos1/0/0 and configure the link-layer encapsulation protocol as
PPP.
[FW_B] interface pos 1/0/0
[FW_B-Pos1/0/0] ip address 10.110.0.2 255.255.255.0
NOTE
l When you configure an IP address for an interface on a PPP link, if you delete the IP address of the
interface on the PPP link that fulfills the IPCP negotiation and assign this IP address to an interface
on another PPP link, the IPCP negotiation of the later PPP link is definitely unsuccessful. To solve
this problem, you can run the shutdown and undo shutdown commands on the former interface to
restore the IPCP negotiation or assign a new IP address to the later interface.
l When you configure an IP address for an interface on a PPP link, if the configuration is correct but
the negotiation is always unsuccessful, it is recommended that you assign a new IP address to the
interface.
[FW_B-Pos1/0/0] link-protocol ppp
----End
Configuration Files
l Configuration file of FW_A
#
sysname FW_A
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ppp authentication-mode chap
ppp chap user usera
ip address 10.110.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Pos1/0/0
#
security-
policy
default action permit
rule name
policy_sec_1
source-zone
local
source-zone
trust
destination-zone
local
destination-zone
trust
action
permit
return
Networking Requirements
As shown in Figure 4-24, FW_A and FW_B need to perform bidirectional CHAP
authentication.
POS1/0/0
10.110.0.1/24 FW_B
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
FW_A and FW_B must be configured with the same password, or the authentication fails.
Procedure
Step 1 Configure FW_A.
# Add the username and password of FW_B to the local user list of FW_A.
<FW> system-view
[FW] sysname FW_A
[FW_A] user-manage user userb
[FW_A-localuser-userb] password Password1
# Configure an IP address for POS 1/0/0 and configure the link-layer encapsulation protocol
as PPP.
[FW_A] interface pos 1/0/0
[FW_A-Pos1/0/0] ip address 10.110.0.1 255.255.255.0
NOTE
l When you configure an IP address for an interface on a PPP link, if you delete the IP address of the
interface on the PPP link that fulfills the IPCP negotiation and assign this IP address to an interface
on another PPP link, the IPCP negotiation of the later PPP link is definitely unsuccessful. To solve
this problem, you can run the shutdown and undo shutdown commands on the former interface to
restore the IPCP negotiation or assign a new IP address to the later interface.
l When you configure an IP address for an interface on a PPP link, if the configuration is correct but
the negotiation is always unsuccessful, it is recommended that you assign a new IP address to the
interface.
[FW_A-Pos1/0/0] link-protocol ppp
# Configure the username of FW_A used in its authentication by FW_B in the CHAP mode.
[FW_A-Pos1/0/0] ppp chap user usera
# Configure an IP address for POS 1/0/0 and configure the link-layer encapsulation protocol
as PPP.
[FW_B] interface pos 1/0/0
[FW_B-Pos1/0/0] ip address 10.110.0.2 255.255.255.0
NOTE
l When you configure an IP address for an interface on a PPP link, if you delete the IP address of the
interface on the PPP link that fulfills the IPCP negotiation and assign this IP address to an interface
on another PPP link, the IPCP negotiation of the later PPP link is definitely unsuccessful. To solve
this problem, you can run the shutdown and undo shutdown commands on the former interface to
restore the IPCP negotiation or assign a new IP address to the later interface.
l When you configure an IP address for an interface on a PPP link, if the configuration is correct but
the negotiation is always unsuccessful, it is recommended that you assign a new IP address to the
interface.
[FW_B-Pos1/0/0] link-protocol ppp
# Configure the user name of FW_B used in its authentication by FW_A in the CHAP mode.
[FW_B-Pos1/0/0] ppp chap user userb
----End
Configuration Files
l Configuration file of FW_A
#
sysname FW_A
#
interface Pos1/0/0
link-protocol ppp
undo shutdown
ppp authentication-mode chap
ppp chap user usera
ip address 10.110.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Pos1/0/0
#
security-
policy
default action permit
rule name
policy_sec_1
source-zone
local
source-zone
trust
destination-zone
local
destination-zone
trust
action
permit
#
return
4.4.7.1 Specifications
This section describes PPP specifications.
Function Specifications
Function Description Supported or Not
4.5 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to
configure PPPoE, as well as provides configuration examples.
4.5.1 Overview
PPPoE describes the method used to set up PPPoE sessions and encapsulate PPP datagram
over the Ethernet. These functions require a point-to-point (P2P) relationship between the
peers instead of the multi-point relationships that are available in the Ethernet and other multi-
access environments.
Definition
PPPoE is the short for Point-to-Point Protocol over Ethernet. It connects a network of hosts
formed by the Ethernet to a remote access device to gain access to the Internet. It allows you
to perform access control and accounting on a per-host basis. As it is highly cost-effective,
PPPoE is widely adopted, for example, in network construction for residential areas.
Purpose
PPPoE performs the following functions when multiple users access a server using PPP links:
l Provides cost effective access services for users and allows a few or no configuration
changes. An Ethernet is the most cost-effective networking mode.
l Allows a service provider to connect multiple hosts at a remote site to the same access
server and supports access control and accounting functions in a way similar to dial-up
services using Point-to-Point Protocol (PPP).
Although PPP is widely used, it does not apply to an Ethernet. Therefore, the PPPoE
technology was introduced. PPPoE is an extension to PPP and applies PPP to an Ethernet.
PPPoE enables a bridged access server to connect multiple hosts on a network to a remote
access server.
NOTE
A FW currently supports IPv4 PPPoE server and client functions and IPv6 client functions.
4.5.2 Mechanism
This section describes the Point-to-Point Protocol over Ethernet (PPPoE) mechanism.
PPPoE works in the client/server mode. PPPoE provides point-to-point connectivity over
Ethernet networks by encapsulating PPP packets in Ethernet frames.
Figure 4-25 shows the process for establishing an IPv4 PPPoE connection.
PADI
PADO
Discovery
phase PADR
PADS
Discovery Phase
After the Discovery phase is complete, both ends of a connection obtain the PPPoE
Session_ID and peer Ethernet address. The PPPoE Session_ID and peer Ethernet address
together define a unique PPPoE session.
1. A host broadcasts a PPPoE Active Discovery Initial (PADI) packet within a local
Ethernet. This packet contains service information required by the host.
NOTE
Session Phase
The host encapsulates a PPP packet as the payload of a PPPoE frame into an Ethernet frame
before sending the Ethernet frame to its peer. The Ethernet frame carries a Session_ID
determined at the Discovery phase and a peer MAC address. The PPP packet section in the
frame begins at the Protocol ID. An Ethernet packet is a unicast packet.
In the Session phase, either the host or server may send PPPoE Active Discovery Terminate
(PADT) packets to instruct the other to end this session.
Prerequisites
PPPoE authentication works in either local or remote mode. You must configure a user
account and an authentication mode to implement authentication. If remote authentication is
used, you must also configure an authentication server..
After the basic PPPoE functions of are configured, you can set PPPoE parameters of as
required to optimize links.
Context
You can use PPPoE to allow many hosts on a single Ethernet to connect to a peer server and
create PPPoE sessions to implement access control and the accounting.
NOTICE
A FW serves both as a PPPoE server to provide local access services and as a Layer 2
Tunneling Protocol (L2TP) access concentrator (LAC) to provide remote dial-up services.
After a PPPoE server is started and LAC configuration is implemented on the FW, L2TP
configuration takes precedence over PPPoE server configuration. For example, if a user name
is set to user123 in both L2TP and PPPoE configurations, the FW initiates a dial-up using the
user name user123 and performs L2TP authentication, not PPPoE authentication.
Procedure
Step 1 Configure a Virtual-Template (VT) interface.
A PPPoE server communicates with its clients using a VT interface. If no IP address is
specified on a client, the PPPoE server allocates an IP address to the client. The IP address to
be allocated must be specified on the VT interface.
1. Display the system view.
system-view
3. Set an IP address.
ip address ip-address { mask | mask-length }
7. Optional:
Set an IP address of the DNS server for the peer end.
ppp ipcp dns { admit-any | request }
3. Optional:
Specify a PPPoE service name.
pppoe-server service-name service-name
The server name identifies a service type required by a client. If the server name is
rejected by the client, the client replies with service error information to the server. Upon
receipt, the server terminates the connection to the client.
– The interface must be bound to the VT interface before you configure the PPPoE
server name on the server interface.
– After specifying the PPPoE server name, restart the interface to allow the clients to
be reconnected.
4. Return to the system view.
quit
l Specify the maximum number of sessions that can be created using a peer MAC address.
pppoe-server max-sessions remote-mac number
l Specify the maximum number of sessions that can be created in the system is specified.
pppoe-server max-sessions total number
----End
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.
Procedure
Step 1 Display the system view.
system-view
Step 4 It is recommended that both PAP and CHAP user names and passwords be specified on the
client. Configure an authentication mode using either of the following methods:
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password
– Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
NOTE
The IP address negotiated by the device is a host IP address with a 32-digit mask. If the device needs to
communicate with other PPPoE clients, run the ip route-static command to manually configure the
static route to the network segment.
NOTE
The same group-number value must be specified in the dialer-rule and dialer-group commands.
Step 11 Create a PPPoE session and specify the dialer bundle for the session.
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds
[ queue-length packets ] ] [ ipv4 ]
----End
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.
Procedure
Step 1 Display the system view.
system-view
Step 3 Create a dialer interface and display the dialer interface view.
interface dialer number
Step 4 Configure an authentication mode. The server may use PAP or CHAP authentication.
Configuring both PAP and CHAP user names and passwords is recommended.
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password
----End
Procedure
l In any view, you can check the PPPoE configuration by running the commands listed in
Table 4-32.
----End
Context
NOTICE
Cleared PPPoE statistics cannot be recovered. Exercise caution when performing this
operation.
Procedure
l You can run the command in Table 4-33 in the user view to clear PPPoE statistics.
Action Command
----End
Procedure
l You can run the command in Table 4-34 in the user view to reset a PPPoE session.
Action Command
Reset a session on a PPPoE client and re- reset pppoe-client { all | dial-bundle-
establish a session later. number number }
----End
Networking Requirements
As shown in Figure 4-26, FW_A functions as a PPPoE client, and FW_B functions as a
PPPoE server. FW_B assigns an IP address to FW_A allowing PCs on networks A and B to
communicate.
FW_B (server) runs PAP to authenticate FW_A (client). The user name is set to usera, and
the password is set to Password1. FW_B assigns FW_A an IP address 10.2.0.2.
GE1/0/1
NetworkA NetworkB
GE1/0/3 GE1/0/1 GE1/0/3
10.3.0.1/24 PPPoE Client 10.4.0.1/24
PPPoE
PC Server PC
Procedure
Step 1 # Configure FW_B.
NOTE
PAP is not a secure protocol, and CHAP is recommended.
[FW_B] interface virtual-template 1
[FW_B-Virtual-Template1] ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end.
Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/
N]: y
[FW_B-Virtual-Template1] ip address 10.2.0.1 24
[FW_B-Virtual-Template1] remote service-scheme scheme1
[FW_B-Virtual-Template1] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface virtual-template 1
[FW_B-zone-untrust] quit
----End
Example
After completing the configuration, check statistics about PPPoE session packets.
l Check statistics about PPPoE packets of the PPPoE server.
[FW_B] display pppoe-server session all
SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template1:0 UP GE1/0/1 0022.a100.11ab
0018.82cf.ebed
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
dialer-rule 1 ip permit
#
interface Dialer1
link-protocol ppp
ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$
ip address ppp-negotiate
dialer user usera
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer1
#
ip route-static 10.4.0.0 24 Dialer1
#
security-policy
default action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
#
return
#
security-policy
default action permit
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
#
return
Networking Requirements
The FW shown in Figure 4-27 functions as an IPv6 PPPoE client and uses stateless address
autoconfiguration to obtain an IPv6 address from an IPv6 PPPoE server.
GE1/0/1 GE0/0/1
Trust 3001::1/64 IPv6
Network
FW
IPv6 PPPoE Server
IPv6 PPPoE Client
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the FW to enable the
interface to access an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on FW so that a dialer interface can
automatically obtain an IPv6 address.
4. Configure a global unicast address for GigabitEthernet 1/0/1 on the PPPoE server and
enable RA advertisement to advertise the IPv6 prefix to GigabitEthernet 1/0/1 of the FW
using a router advertisement (RA) message.
Procedure
Step 1 Configure the FW.
# Configure the FW as an IPv6 PPPoE client.
<FW> system-view
[FW] interface Dialer1
[FW-Dialer1] link-protocol ppp
[FW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[FW-Dialer1] dialer user admin-example
[FW-Dialer1] dialer bundle 1
[FW-Dialer1] quit
# Enable IPv6.
[FW] ipv6
Step 2 Configure a PPPoE server. The actual configuration varies depending on devices.
# Create a PPPoE user and set the user name to admin-example and the password to
Admin@123, which are the same as those specified on the PPPoE client.
# Set the global unicast address to 3001::1/64 for the interface that directly connects the
PPPoE server to the PPPoE client.
# Enable RA message advertisement.
----End
Configuration Script
#
sysname FW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher %$%$(TT8F ] Y\5SQ=^Q`MAF4<1!!%$%
$
ipv6 enable
dialer user admin-example
dialer bundle 1
ipv6 address auto link-local
ipv6 address auto global
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
undo shutdown
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Dialer1
#
return
4.5.6.1 Specifications
This section describes PPPoE specifications.
Function Specifications
Function Description Supported or Not
Performance Specifications
Function Sub-function Specifications
4.6 DNS
This chapter describes the principles, basic functions and configuration procedures of DNS,
and provides configuration examples.
4.6.1 Overview
The Domain Name System (DNS) establishes the mapping between domain names and IP
addresses.
Definition
TCP/IP uses IP addresses to connect to devices. Users find it is difficult to memorize the IP
address of each device. Therefore, the host naming mechanism is specially designed to match
IP addresses with host names in the string format. The DNS provides the conversion and
query mechanism between IP addresses and host names.
Objective
The DNS uses a hierarchical naming mode to specify a meaningful name for each device on a
network, set the DNS server, and establish the mapping between the domain name and the IP
address.
Application Environment
The FW can use the protocol of DNS to dynamically obtain the IP address of the domain
name from the DNS server, which is convenient for user communication.
Typical Application
Figure 4-28 shows the typical networking in which FW serves as a DNS Client.
When the FW performs the following services, it can send DNS request packets to the DNS
server as a DNS client.
l Perform ping or tracert by domain name.
l Access to the Security Service Center by domain name to update the signature databases.
l Access to the CA server to obtain the certificate online by domain name.
Application Environment
After the DNS proxy function is enabled, the device can forward DNS request and response
packets between the internal DNS clients and external DNS server. When the DNS server
address changes, you only need to configure the DNS proxy, not all the DNS clients on the
LAN. Therefore, the DNS proxy simplifies network management.
Typical Application
Figure 4-29 shows the typical networking in which FW serves as a DNS Proxy.
FW
Branch Headquarters
DNS Proxy
Host_B
DNS Client FTP Server
In the network environment shown in Figure 4-29, FW works as the egress gateway of the
branch. In the headquarters, the network is configured with DNS server and FTP server, and
the mappings between the domain names and the IP address of the FTP server is recorded on
the DNS server. In addition, the routes between both the servers and the FW are reachable. In
order to realize that users of the branch to access to the FTP server of the headquarters by
domain name, the FW can be configured to forward the request and response packets between
the user hosts of the branch and the DNS server of the headquarters as a DNS proxy.
4.6.2.3 The Device Serving as a DDNS Client to Realize Updates by the DDNS
Server
This section describes the application scenario in which the device serves as a DDNS client to
make the DNS server dynamically update the mapping between domain names and IP
addresses by the DDNS server.
Application Environment
Take the scenario in which the Internet users access to the Web server by domain names.
When the IP address of the Web server changes, to make users access to the Web server by
domain name normally, you can configure the Web server as a DDNS client to send the
request of updating the mapping between the domain name and the IP address. After the
DDNS server receives the DDNS request from the Web server, it notifies the DNS server to
dynamically update the mapping between the domain name and the IP address. In this way,
although the IP address of the application server changes, the Internet users can also access to
the server by the same domain name.
Typical Application
Figure 4-30 shows the networking in which FW serving as a DDNS Client realizes the
mapping between domain names and IP addresses by the DDNS server.
Interface 1
Intranet
DDNS Client
DNS PC
Server
At the boarder of the enterprise network, the FW serves as a gateway. The Internet users can
access to the internal Web server with the help of the NAT server by domain name. However,
the public IP address of Interface 1 of the FW always changes as it obtain an IP address
through dial-up. If the mapping between the domain name and the IP address of the FW,
which is also the domain name of the internal Web server can cannot be updated in time, the
Internet users will fail to access to the Web server by domain name. At this time, you can
configure the FW as a DDNS client to send the request of updating the mapping between
domain names and IP addresses. Finally, the Internet users can access to the Web server of the
internel enterprise network by domain name.
Application Environment
An enterprise rents multiple ISP links as network egresses, and each ISP network deploys the
same Web servers. Generally speaking, the same DNS server address (such as the DNS server
address of ISP1) is configured on the clients of all intranet users. The DNS server then
resolves domain names to the address of the Web server (such as the Web server address of
ISP1) on the same ISP network. Therefore, the Internet access traffic from all intranet users is
forwarded on the same ISP link, causing link congestion and compromising users' Internet
access experiences. At the same time, other ISP links are not used, causing resource waste.
Typical Application
The DNS transparent proxy function on the FW can change the destination address of some
DNS query messages to the DNS server addresses on other ISP networks (such as the DNS
server address on ISP2 network). The DNS requests are then forwarded to different ISP
networks, and the resolved Web server addresses belong to different ISPs. Therefore, the
Internet access traffic will be forwarded over different ISP links. In this way, all link resources
are made full use of, as shown in Figure 4-31.
ISP1 ISP2
FW
Intranet
DNS requests
4.6.3 Mechanism
This section describes the implementation of DNS.
TCP/IP designs a hierarchical DNS structure. The domain name structure of the Internet is
defined by the DNS in the TCP/IP protocol stack. The DNS divides the Internet into multiple
top-level domains (TLDs). Table 4-35 lists the domain name of each TLD. TLDs are
classified in either organization or geography mode. The geography mode is used to classify
domain names based on countries. Each country must register a TLD with the NIC before
joining the Internet. For example, "cn" represents China, and "us" represents the United
States.
NOTE
The first seven domains are defined in organization mode, and the country code domain is defined in
geography mode.
The NIC authorizes management agencies to classify domains into subdomains. The agencies
in charge of this can authorize subordinate agencies to continue classifying domains. As a
result, the Internet has a hierarchical domain architecture.
Request Request
User
Resolver
Program
Response Response
Save Read
DNS Server
Cache
In Figure 4-32, the DNS client, consisting of the resolver and the cache, is used to accept and
respond to the DNS queries from user programs. Generally, user programs (ping, Tracert), the
cache, and the resolver are on the same host; whereas the DNS server is on another host.
1. A client uses a specific application, such as ping or Telnet, to send a DNS request to a
device.
2. The device queries a local cache for the required mapping entry. The resolver first check
the local cache.
– If the resolver finds a mapping entry in the local cache, it directly return the IP
address mapping the domain name to the user program.
– If the resolver does not find a mapping entry in the local cache, it sends a query
packet to the DNS server.
3. The DNS server first checks whether the requested domain name is within the sub-
domain it manages and responds to the device according to different results.
– If the requested domain name is within the sub-domain it manages, this DNS server
query the IP address corresponding to the domain name in its own database.
– If the requested domain name is not within the sub-domain it manages, this DNS
server forward the request to the DNS sever of the upper level till the resolution is
finished and the result of resolution is returned.
4. The resolver of the DNS client receives and resolves the packet returned by the DNS
server, and return the result to the user program.
When resolving a domain name that is stored in the cache, the DNS client obtains the
corresponding IP address from the cache directly and does not send a query message to the
DNS server. Mappings stored in the cache will be deleted when the aging time expires to
ensure that the latest mappings can be obtained from the DNS server. The aging time is set by
the DNS server. The DNS client obtains the aging time from protocol packets.
For instance, If you configure "com" in the suffix list and enter "example" in a domain name
query, the system automatically associates "example" with the suffix "com" and searches for
"example.com."
You may encounter the following situations during a resolution process:
l If you enter a domain name without a dot (.), such as "example", the system considers it
as a host name and adds suffixes one by one used for search. If there are no matched
domain names, the system searches for an IP address mapped to "example."
l If you enter a domain name with a dot (.), such as "www.example", the system
immediately searches for it. If the system does not find a matched entry, the system adds
every configured suffix to the domain name to search for an IP address mapped to the
domain name.
l If you enter a domain name with a dot (.) at the end, such as "example.com.", the system
removes the last dot (.) before searching for an IP address mapped to the domain name.
If the search fails, the system adds every configured suffix to the domain name without
the last dot to search for an IP address mapped to the domain name.
Difference of Function Implementation Between the DNS Proxy and the DNS
Relay
DNS relay is similar to DNS proxy. The difference is whether they search for DNS entries
saved in the local domain name resolution table, including the static domain name resolution
table and the local domain name cache after receiving DNS query messages from DNS
clients.
The DNS proxy searches for DNS entries saved in the local domain name cache after
receiving DNS query messages from DNS clients. If requested DNS entries are not saved in
the cache, DNS query messages are forwarded to the DNS server.
The DNS relay does not searches for DNS entries saved in the local domain name cache after
receiving DNS query messages from DNS clients. It forwards the messages directly to the
DNS server for resolution. On one hand, it can save the cost for the cache on the DNS relay.
On the other hand, it guarantees the real-time requirements for that the DNS client obtain
resolution results. (If the domain names and IP addresses on the DNS server changes and the
cache on the DNS proxy is not updated in time, the resolution result obtained by the DNS
Client is incorrect.)
Respons Respons
e e
DNS Client DNS Proxy DNS Server
NOTE
Only when the IP address of the DNS server and the route to the DNS server exist on the DNS proxy,
the DNS proxy sends domain name resolution requests to the DNS server. Otherwise, the DNS proxy
neither sends any domain name resolution request to the DNS server nor replies any request from the
DNS client.
DDNS Overview
DNS resolves domain names into IP addresses so that you can access network nodes using
domain names. DNS provides static mappings between domain names and IP addresses.
When IP addresses of nodes change, DNS cannot dynamically update mappings. If a user uses
the original domain name to access the node, the user will fail to access the node because the
IP address mapping the domain name is incorrect. The Dynamic Domain Name System
(DDNS) updates mappings between domain names and the IP addresses on the DNS server to
ensure that the IP address can be resolved correctly.
l Deploying the DDNS service needs the support from the DDNS service providers, namely DDNS
servers. Currently, the device supports to communicate with the following DDNS service providers:
www.3322.org, dyndns.org, freedns.afraid.org, zoneedit.com and no-ip.com.
l The DDNS Server is usually deployed in the Internet, so you need to guarantee that the FW
functioning as teh DDNS client can access to the Internet normally when applying the DDNS
service.
Figure 4-34 Typical DDNS networking for the update mode implemented through the DDNS
server
DDNS Server
FW 1
2
PC
As shown in Figure 4-34, the interface that connects theFW functioning as the DDNS Client
to the Internet obtains the IP address from the network carrier. The IP address obtained each
time is different, so the PCs need to access to the FW functioning as the HTTP server and
providing services of application layer by domain name. However, traditional DNS cannot
dynamically update the mapping between the domain names and the IP addresses, which can
make PCs fail to access to the FW. To deploy the DDNS server can solve the problem.
1. DDNS client: updates the mapping between the domain name and IP address when an IP
address changes.
To make users can access to the FW by domain name when the IP address of the FW
changes, configure the FW to function as a DDNS client and sends a request for updating
the mapping between the domain name and the IP address to the DDNS server.
2. DDNS server: is responsible to instructsthe DNS server to dynamically update the
mapping between the domain name and the IP address on the DNS server.
After receiving the DDNS update request, the DDNS server instructs the DNS server to
reestablish the mapping between the domain name and the IP address on the DNS server
to ensure that Internet users can access the DDNS client using the same domain name
when the IP address changes.
Start
No Is DNS transparent
proxy required?
Yes
No Yes
Is any DNS
server bound to the
No outgoing interface and
the DNS request
marked?
Yes
End
1. An administrator determines which DNS requests require DNS transparent proxy based
on a DNS transparent proxy policy. As the policy is matched based only on the source
and destination addresses of the DNS requests, DNS transparent proxy works no matter
what DNS server address is on the client (an extreme situation is that no DNS server
address is set), implementing DNS server redirection and error correction functions.
If the FW has multiple DNS transparent proxy policies, DNS requests are matched in the
policy configuration order. As long as one policy is matched, the action specified in this
policy is taken, and the policy matching activity finishes. Therefore, you are advised to
first configure policies with narrow matching scopes.
2. When a DNS request matches a DNS transparent proxy policy, if the DNS request
requires DNS transparent proxy, the FW first checks whether the domain name is an
exception. If so, the FW does not perform DNS transparent proxy. If not, the FW marks
DNS transparent proxy on the DNS request for the subsequent process.
For an exception, if another DNS server is required to parse this domain name, the FW
changes the destination address of the DNS request to the desired DNS server address.
3. The FW searches for a route for the DNS request (the route can be a policy-based route,
static route, or dynamic route) to determine the outgoing interface.
If intelligent uplink selection (Global Route Selection Policy or PBR-based Intelligent
Uplink Selection) is configured on the FW and the DNS request matches the
corresponding equal-cost route or policy-based route, the FW forwards the DNS request
based on the intelligent uplink selection result. Note that the intelligent uplink selection
result is dynamic and determined by the uplink selection mode and real-time link status.
The result may vary even if a user accesses the same domain name twice.
4. A maximum of two DNS servers can be bound to each outgoing interface on the FW,
with one primary DNS server and the other secondary DNS server. Both DNS servers
belong to the ISP network directly connected to the outgoing interface. After the FW
determines the outgoing interface of the DNS request, the DNS transparent proxy
function preferentially replaces the destination address of the DNS request with the
primary DNS server address. The secondary DNS server address is used only when the
primary DNS server is Down.
The FW performs DNS transparent proxy only when a DNS server is bound to the
outgoing interface and the DNS request has a DNS transparent proxy mark.
Figure 4-36 shows the DNS transparent proxy process.
ISP2
ISP1
Intranet
1. After receiving a DNS request, the FW first matches the DNS request with the DNS
transparent proxy policy.
2. If the DNS request matches the policy, the FW selects an outgoing interface based on the
route search result.
3. The FW replaces the destination address of the DNS request with the DNS server
address bound to the outgoing interface.
4. The DNS server returns the parsed web server address to the user. The web server and
DNS server reside on the same ISP network.
5. The user accesses the web server based on the returned address. The ISP Uplink
Selection function is required to ensure that the user accesses the web server through the
ISP network where the web server resides, preventing cross-ISP network access.
4.6.4.1 DNS
After you specify a DNS server address on a device, the device can serve as a DNS client or
DNS proxy agent to send domain name resolution requests to a specific DNS server.
Context
A DNS server accepts the domain name resolution requests initiated by a DNS client. You can
manually set an address for the DNS server connected to a device. The DNS server address is
generally provided by an Internet Service Provider (ISP). The address can also be
automatically obtained using Dynamic Host Configuration Protocol (DHCP) or Point-to-Point
Protocol over Ethernet (PPPoE) on an interface. For information about how to configure
interfaces, see Interface.
The DNS server whose address is manually configured has a higher priority than the one
whose address is dynamically obtained. If two DNS servers obtain addresses in the same way,
the one that obtains an address earlier enjoys a higher priority. When resolving domain names,
the device sends query packets (based on the priorities) to DNS servers until the query
succeeds.
Procedure
Step 1 Choose Network > DNS > DNS.
If the operation succeeds, the new configuration with Obtaining Mode of Manual is
displayed in DNS Server List.
Repeat the previous operations to assign IPv4/IPv6 addresses to multiple DNS servers.
NOTE
In addition to Manual, the following address allocation modes can be selected from DNS Server List:
l DHCP: The address of the DNS server is obtained dynamically using DHCP.
l PPPoE: The address of the DNS server is obtained dynamically using PPPoE.
----End
Follow-up Procedure
When deleting a DNS server, you can delete only the DNS server addresses that are obtained
manually, but not those obtained using DHCP or PPPoE. If the interface that is connected
using DHCP or PPPoE is physically Down, or the interface fails to be connected using DHCP
or PPPoE, the corresponding DNS server address is deleted automatically from the DNS
server list.
Prerequisites
l One or two DNS server addresses are obtained from each ISP as the DNS server
addresses bound on interfaces.
l You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
intranet, the DNS transparent proxy function does not take effect, because DNS query
messages are forwarded to the intranet DNS server for domain name analysis, and the
FW is not used for DNS transparent proxy on these DNS query messages.
Context
DNS transparent proxy and ISP Link Selection are used together. ISP link selection ensures
that users access a server through the ISP network where the server resides, preventing cross-
ISP network access. For the implementation of DNS transparent proxy, see DNS Transparent
Proxy.
Procedure
Step 1 Choose Network > DNS > DNS.
Parameter Description
Preferred DNS server Address of the DNS server on the ISP network connecting to
the WAN interface.
The FW substitutes the destination addresses of DNS query
messages with the address of the preferred DNS server
preferentially.
Alternate DNS server Address of the DNS server on the ISP network connecting to
the WAN interface.
When the preferred DNS server is Down, the FW will
substitute the destination addresses of DNS query messages
with the address of the alternate DNS server.
DNS Transparent Proxy Select Enable to enable the DNS transparent proxy function.
Enter domain name Specify the domain names that do not require DNS transparent
exceptions proxy.
You can specify the DNS server address for the domain name.
Then the DNS query message will be forwarded to the
specified DNS server.
Source Address Set the source IP address as a matching condition of the PBR
rule.
Action Action that will be taken on packets matching the PRB rule:
l Proxy
l No proxy
----End
Context
A DDNS policy is a collection of such information as the DDNS server address, login user
name, password, DDNS client domain name, and bound interface. After a DDNS policy is
created, the same DDNS policy can be bound to different interfaces, which simplifies the
DDNS configuration.
Procedure
Step 1 Choose Network > DNS > DDNS.
Step 2 Click Add in DDNS Policy List.
Step 3 Set the following DDNS policy parameters.
Parameter Description
Domain Name Register the DDNS client domain name to the DDNS service
provider.
User Name User name used by the DDNS client to access the DDNS
service provider.
The user name must be registered to the DDNS service
provider in advance.
Password Password for the user name used by the DDNS client to access
the DDNS service provider.
Context
If the FW need to communicate with other devices by using domain names, you can configure
static domain name resolution on the FW. A DNS entry maps a domain name to an IPv4
address.
Prior to configuring IPv4 static domain name resolution, you must know the mapping
between the domain name and the IPv4 address. In case of a change in the mapping, you must
modify the DNS entry manually.
Procedure
Step 1 Run:
system-view
Step 2 Specify a host name and an IPv4 address mapped to the host name.
ip host host-name ip-address
A host name is mapped to only a single IPv4 address. When you configure an IPv4 address
for a host several times, only the IPv4 address configured at the latest is valid. Repeat Step 2
to allow the device to resolve several host names.
----End
Prerequisites
Before configuring IPv4 dynamic domain name resolution, complete the following tasks:
Context
Dynamic domain name resolution supports the domain name suffix list function. You can
configure specific domain name suffixes and enter some fields of a domain name before the
system automatically adds different suffixes to the domain name for resolution.
Procedure
Step 1 Run:
system-view
The DNS server IP address obtained by the specific interface to be the DNS server IP
address of the local device is borrowed.
Step 4 Optional: Run:
dns server source-ip ip-address
The source IP address is configured for the local device to receive DNS packets.
By default, no source IP address is configured for the local device to receive DNS packets.
NOTICE
Make sure that the configured source IP address is the IP address of the local FW (the IP
address of an interface or logical interface on the local FW), and there is a reachable route
between the interface and the DNS server.
The maximum value or minimum value of the lifetime for the DNS application cache is A
domain name suffix is configured.
----End
Context
DNS Relay is similar to DNS Proxy. The difference is that the DNS Proxy searches for DNS
entries saved in the domain name cache after receiving DNS query messages from DNS
clients. The DNS Relay, however, directly forwards DNS query messages to the DNS server,
reducing the cache usage.
Procedure
Step 1 Run:
system-view
a. Run:
dns resolve
The DNS server that the DNS Proxy or Relay connects to is configured.
By default, no IP address is configured for the DNS server.
n Run:
dns server unnumbered Interface { interface-name | interface-type
interface-number }
The interface that obtain the IP address of the DNS Server is configured.
c. (Optional) Run:
dns server source-ip ip-address
The source IP address that the device uses to exchange packets with the DNS server
is configured.
By default, no source IP address is configured for the device.
The number of times for the device to retransmit query requests to the destination DNS server
is set.
The retransmission timeout period that the device sends Query packets to the destination DNS
server is set.
By default, the retransmission timeout period for which the device sends DNS query requests
to the destination DNS server is 3 seconds.
The total query timeout period is determined by the retransmission times and retransmission
timeout interval.
l When the auto algorithm is used for selecting the destination DNS server, the total query
timeout period is calculated based on the following formula: Total query timeout period
= (Retransmission times +1) * Retransmission timeout interval
l When the fixed algorithm is used for selecting the destination DNS server, the total
query timeout period is calculated based on the following formula: Total query timeout
period = (Retransmission times +1) * Retransmission timeout interval *Number of DNS
servers
NOTE
The total timeout period for DNS query requests configured by dns forward retry-number and dns
forward retry-timeout cannot be too short. Generally, it is recommended to use the default value. If the
time of waiting for the resolution response from the DNS server is too long, and the service exception is
caused, you can prolong the retransmission timeout period as required.
----End
Context
You can specify the DDNS or DNS server to which update requests are sent when configuring
the DDNS policy.
When the FW functioning as a DDNS client needs to update the mapping between domain
names and IP addresses on the DNS server, the following update modes are supported:
l DDNS update mode (defined by the RFC2136): The FW functioning as a DDNS client
dynamically updates the mapping between domain names and IP addresses on the DNS
server. To configure this mode, run the method ddns [ both ] command.
l Update mode implemented through the DDNS server: The FW functioning as DDNS
client sends the mapping between domain names and IP addresses to the DDNS server
with a specified URL. The DDNS server then informs the DNS server to dynamically
update the mapping between domain names and IP addresses.
– To use the Siemens DDNS server or DDNS servers provided at www.3322.org,
www.dyndns.com, or www.oray.cn, run the method vendor-specific command.
– To use an HTTP-based common DDNS server, run the method http command.
Procedure
Step 1 Run:
system-view
The update mode is configured for the FW functioning as the DDNS client.
By default, the update mode is vendor-specific for the FW functioning as the DDNS client
l Configuring the update mode to ddns when hoping to select the DDNS update mode
defined by the RFC2136
a. Run:
name-server name-server
The DNS server for receiving update messages from the DDNS client is configured.
By default, no DNS server for receiving DDNS update messages is configured on
the FW.
b. Optional:
Run:
interval interval-time
NOTE
In the preceding URLs, username and password indicate the user name and password for
logging in to the DDNS server. Set these parameters based on the registry information. For
example, in http://huawei1:huawei2@merri.s.dnaip.fi/reg/h=<h>&a=<a>, huawei1 and
huawei2 indicate the user name and password for logging in to the DDNS server.
n If username username password password is specified, the URL only
contains the fixed format <username>:<password>, not the user name and
password. The user name and password are specified by username and
password, and the password configuration is displayed in cipher text.
The different modes of configuring URLs in which the FW sends requests for
updating the DNS entries to different DDNS servers are shown as follows:
Sending Requests for Updates Mode of Configuring the URL
to the DDNS Server of the DDNS Server
NOTE
○ If the URL needs to include a question mark (?), enter the first part of double quotation
marks (""), the URL including a question mark (?), and the last part of double quotation
marks ("") in sequence. That is, the URL must be enclosed by double quotation marks
("").
○ In the preceding URLs, <username> and <password> are fixed formats, which cannot
be modified.
○ The DDNS service is provided by DDNS servers from different vendors. When the
DDNS server URL changes or the DDNS server stops providing service, the device
used as the DDNS client cannot exchange packets with the DDNS server. The DDNS
function may not take effect.If you fail to update the mapping entries between the
DDNS domain name and IP address, you are advised to upgrade the router to the latest
version.
b. Optional:
Run:
interval interval-time
The interval for sending DDNS update requests after the DDNS update is enabled is
set on the FW.
After the interval for sending DDNS update requests is set in the configured DDNS
policy, the device sends DDNS update requests at intervals. By default, the interval
for sending DDNS update requests is 3600 seconds.
----End
Context
You can bind a DDNS policy to an interface to update the mapping between the domain name
and an IP address and to start DDNS update.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
----End
Context
To update DDNS manually can complete the update of the mapping between domain names
and IPv4 addresses in time. The DNS server can obtain the latest information to provide to the
DNS client.
Procedure
Step 1 Run:
system-view
The DDNS client is triggered manually to send a request to the DDNS server for updating the
mapping between domain names and IP addresses.
NOTE
When the network is stable, it is recommended that you do not run this command to update DDNS for
many time within a short period of time. For the DDNS updates can be completely performed every time
you manually update DDNS, it may result in the unstable status of the connection between the DDNS
client and the DDNS server.
----End
Prerequisites
l One or two DNS server addresses are obtained from each ISP as the DNS server
addresses bound on interfaces.
l You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
intranet, the DNS transparent proxy function does not take effect, because DNS query
messages are forwarded to the intranet DNS server for domain name analysis, and the
FW is not used for DNS transparent proxy on these DNS query messages.
Context
DNS transparent proxy and ISP Link Selection are used together. ISP link selection ensures
that users access a server through the ISP network where the server resides, preventing cross-
ISP network access. For the implementation of DNS transparent proxy, see DNS Transparent
Proxy.
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the DNS transparent proxy function.
dns transparent-proxy enable
By default, the DNS transparent proxy function is enabled.
Step 3 Set the IP address of the DNS server bound to the interface.
dns server bind interface interface-type interface-number preferred preferred-dns-address
[ alternate alternate-dns-address ] [ healthchk { enable [ times times | tx-interval tx-
interval ] * | disable } ]
The FW uses the address of the preferred DNS server (preferred preferred-dns-address) to
replace the destination addresses of DNS query messages. When the preferred DNS server is
down, the FW will replace the destination addresses of DNS query messages with the address
of the alternate DNS server (alternate alternate-dns-address).
Step 4 Specify the domain names that do not require DNS transparent proxy.
dns transparent-proxy exclude domain domain-name [ server server-address ]
If you exclude a domain name from DNS transparent proxy, even if DNS transparent proxy is
configured on the DNS server specified on the client, the FW directly forwards the DNS
query messages without honoring the messages. If you specify the DNS server address for
resolving this domain name (server server-address), the DNS query messages are forwarded
to this server, not to the DNS server specified on clients.
If multiple domain names do not require DNS transparent processing, you need to perform
this step for these domain names.
Step 5 Configure a DNS transparent proxy policy.
1. Access the DNS transparent proxy policy view.
dns-transparent-policy
2. Create a DNS transparent proxy policy rule or access the view of an existing DNS
transparent proxy policy.
rule name rule-name
3. Configure a description for the DNS transparent proxy policy rule.
description text
4. Enable the transparent DNS proxy policy rule.
enable
By default, the DNS transparent proxy policy rule is enabled.
5. Configure an action for the DNS transparent proxy policy rule.
action { tpdns | no-tpdns }
6. Configure a source IP address for the DNS transparent proxy policy rule.
source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-
length | mask mask-address } | range ipv4-start-address ipv4-end-address | any }
7. Configure a destination IP address for the DNS transparent proxy policy rule.
destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-
mask-length | mask mask-address } | range ipv4-start-address ipv4-end-address | any }
----End
Action Command
Action Command
Table 4-38 lists the operation for checking information about DNS transparent proxy policies.
Action Command
Action Command
Debugging DNS
Before enabling the debugging, you must run the terminal monitor command in the user
view to enable the terminal information display and the terminal debugging command in the
user view to terminal debugging information display functions.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete,
run the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging commands, see Debugging Reference.
Table 4-40 lists the commands to debug DNS information.
Networking Requirements
A FW functioning as a gateway connects PCs on an intranet to the Internet. The interface IP
addresses, a security zone, a security policy, and a NAT policy are configured on the FW. The
DNS function needs to be configured on the FW. The FW functions as a DHCP relay agent
and sends domain names that users on PCs enter to a DNS server on the Internet. Upon
receipt, the DNS server translates the domain names into IP addresses to allow the PCs to
access the Internet. The IP address of a DNS server on the Internet is 2.2.2.2.
Trust Untrust
DNS Server
PC FW 2.2.2.2
Intranet
GE1/0/3 GE1/0/1
10.3.0.1/24 1.1.1.1/24
PC
Configuration Roadmap
1. Configure the FW to function as a DNS Client to realize dynamic domain resolution and
communicate with the specific DNS server.
2. Configure the domain name suffix on the FW to support a domain name suffix list.
3. Set the IP address of the gateway of the internal PCs and the IP address of the DNS
server to 10.3.0.1. This example provides the configuration procedure on the FW, not on
PCs.
Data Planning
Item Data Description
Procedure
Step 1 Configure IP addresses for interfaces and assign them to security zones.
# Configure the IP address for GigabitEthernet 1/0/3 and assign it to the Trust zone.
<FW> sysname-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
# Configure an IP address for GigabitEthernet 1/0/1 and assign it to the Untrust zone.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
----End
Configuration Verification
1. Run the command display dns server on the FW to check the configuration information
of the DNS server.
[FW] display dns server
Type:
D:Dynamic
S:Static
2. Run the command display dns dynamic-host on the FW to check the information of
dynamic DNS entries in the cache of domain names.
[FW] display dns dynamic-host
Host TTL Type
Address(es)
example.com 114 IP 2.2.2.1
Total : 1
3. Check whether the internal PCs can access to the Internet by domain names. If they can,
it means that the configuration is successful. Otherwise, please check the configuration.
Configuration Script
#
dns resolve
dns server 2.2.2.2
dns domain net
dns domain com
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet 1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet 1/0/1
#
return
Networking Requirements
As shown in Figure 4-38, the enterprise has many brach LAN in its network. There are the
DNS server and the FTP server deployed in the headquarters. In this way, users of the
branches can access to the FTP server of the headquarter by domain name. However, when
the IP address of the DNS server changes, all the DNS clients in the LANs can be affected,
which can make network maintenance difficult. The FW can be deployed on the link between
which the branch LAN and the headquarters communicate with each other, and can be
configured to function as a DNS proxy to forward the requests and response packets between
the hosts in the branch LAN and the DNS server of the headquarters. In this way, when the IP
address of the DNS server changes, only the configuration on the FW needs to be changed,
and the internal users of the LAN are not affected.
FW
GE1/0/1 GE1/0/1
1.1.1.1/24 1.1.1.2/24
Brach Headquarters
DNS Proxy
Configuration Roadmap
Enable the function of DNS proxy of the FW to realize the forward of DNS packets between
the DNS server and the DNS client.
NOTE
After the function of DNS proxy is enabled on the FW, the FW can be considered as the DNS server of
Host_A and Host_B. On both the hosts, the IP address of the DNS server needs to be specified to the IP
address of the FW. The IP address of the DNS server on the FW needs to be configured to the IP address of
the DNS server of the headquarter, 2.2.2.2. In this way, when the IP address of the DNS server changes, only
the configuration on the FW_A needs to be changes, which the internal users cannot be aware of.
Procedure
Step 1 Configure the IP address of the interfaces on the FW and assign them to security zones.
# Configure the IP address of GigabitEthernet 1/0/1 and assign it to the Trust zone.
<FW> sysname-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet 1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 1/0/1] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/1
[FW-zone-trust] quit
Step 4 On the hosts of the branch intranet, taking Host_A as an example, configure the IP address of
the DNS server to 1.1.1.1.
----End
Configuration Verification
# Run the command display current-configuration on the FW to display the related
configuration of DNS proxy. The following only shows the configuration related to DNS.
<FW> display current-configuration
------------------------------------------------------------------------------
#
dns resolve
dns server 3.3.3.3
dns server 2.2.2.2
dns proxy enable
------------------------------------------------------------------------------
Configuration Script
#
dns resolve
dns server 2.2.2.2
dns proxy enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
return
4.6.6.3 CLI: Example for Configuring the Device as a DDNS Client (Using the
Update Mode Defined by the RFC2136)
This section provides an example for configuring the device as a DDNS Client using the
update mode defined by the RFC2136.
Networking Requirements
As shown in Figure 4-39, the Web Server is deployed at the border of the enterprise intranet.
The FW functions as the gateway to connect the intranet to the Internet. The Internet users can
access to the intranet Web server through the function of NAT server of the FW. The domain
name of the Web Server is www.example.com, which is mapped to the IP address of the
interface of the FW. However, the interface of the FW that connects to the Internet obtain the
public address through dialer-up, which can result in frequent changes of the IP address.
Configure the FW as a DDNS Client using the update mode of ddns defined by the RFC2136,
In this way, when the IP address of the FW changes, it can dynamically update the
information on the DNS server, that is, the mapping between the interface IP address of the
FW and the domain name of the internal Web server. The Internet user can access to the Web
server in the enterprise intranet normally.
1.1.1.254/24
Intranet
GE1/0/2 GE1/0/1
10.1.1.1/24
DDNS Client
PC
Configuration Roadmap
By configuring the FW to function as a DDNS client using the update mode of ddns, you can
realize to dynamically update the mapping between the IP address and the domain name of
the Web server on the DNS server, when the interface IP address of the FW changes.
Procedure
Step 1 Configure the IP address of the interface and assign it to the security zone.
<FW> sysname-view
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet 1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet 1/0/2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit
Step 2 Configure a security policy to allow users of external networks to access the internal Web
server.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone trust
[FW-policy-security-rule-policy1] destination-address 10.1.1.3 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
Step 3 Configure a static mapping based on interface to map the public IP address of GigabitEthernet
1/0/1 to the private IP address of the Web server 10.1.1.3, with the public port of 80 and the
private port of 8080.
[FW] nat server policy_web protocol tcp global interface GigabitEthernet 1/0/1 80
inside 10.1.1.3 8080
NOTE
After the configuration is completed, when the IP address of GigabitEthernet1/0/1 changes, theFW notifies
the DNS server to update the mapping between the domain name www.example.com and the new IP address.
In this way, users on the Internet can access the new IP address by the domain name www.example.com.
Step 5 Configure the default route on the FW to the DNS server. Assume the IP address of the peer
of the FW is 1.1.1.254/24.
----End
Configuration Verification
Run the command display ddns policy mypolicy on the FW to display the information of the
DDNS policy named mypolicy.
<FW> display ddns policy mypolicy
Policy name : mypolicy
Server : 2.2.2.2
User name : -
Password : -
Update method : ddns both
Update interval : 3600 seconds
Apply interface : GigabitEthernet1/0/1
Configuration Script
#
ddns policy mypolicy
method ddns both
name-server 2.2.2.2
#
interface GigabitEthernet1/0/1
undo shutdown
ddns apply policy mypolicy
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
nat server policy_web 0 protocol tcp global interface GigabitEthernet1/0/1 www
inside 10.1.1.3 8080
#
security-policy
rule name policy1
source-zone trust
destination-zone untrust
destination-address 10.1.1.3 32
action permit
#
return
4.6.6.4 CLI Example for Configuring the Device as a DDNS Client (Using the
Update Mode Implemented Through the DDNS Server)
This section provides an example for configuring the device as a DDNS Client using the
update mode implemented through the DDNS server.
Networking Requirements
As shown in Figure 4-40, the Web Server is deployed at the border of the enterprise intranet.
The FW functions as the gateway to connect the intranet to the Internet. The Internet users can
access to the intranet Web server through the function of NAT server of the FW. The domain
name of the Web Server is www.example.com, which is mapped to the IP address of the
interface of the FW. However, the interface of the FW that connects to the Internet obtain the
public address through dialer-up, which can result in frequent changes of the IP address.
Configure the FW as a DDNS Client using the update mode of http or vendor-specific,
which is implemented through the DDNS server. In this way, when the IP address of the FW
changes, it send the request of updating domain to the DDNS server. The DDNS server
notifies the DNS server to update the mapping between the interface IP address of the FW and
the domain name of the internal Web server. The Internet user can access to the Web server in
the enterprise intranet normally.
1.1.1.254/24
Intranet
GE1/0/2 GE1/0/1
10.1.1.1/24
DDNS Client
PC
Configuration Roadmap
1. By configuring the FW to function as a DDNS client using the update mode of ddns,
you can realize to dynamically update the mapping between the IP address and the
domain name of the Web server on the DNS server, when the interface IP address of the
FW changes.
2. Assign 10.3.0.1 to the FW that functions as a gateway for the web server on the intranet.
This example provides the configuration procedure on the FW. The configuration details
on the web server are not provided.
Procedure
Step 1 Configure the IP address of the interface and assign it to the security zone.
<FW> sysname-view
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet 1/0/2] ip address 10.1.1.1 24
[FW-GigabitEthernet 1/0/2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit
Step 2 Configure a security policy to allow users of external networks to access the internal Web
server.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone trust
[FW-policy-security-rule-policy1] destination-address 10.1.1.3 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
Step 3 Configure a static mapping based on interface to map the public IP address of GigabitEthernet
1/0/1 to the private IP address of the Web server 10.1.1.3, with the public port of 80 and the
private port of 8080.
[FW] nat server policy_web protocol tcp global interface GigabitEthernet 1/0/1 80
inside 10.1.1.3 8080
NOTE
By default, the update mode of the DDNS client is vendor-specific. If the default update mode is not
modified by running the method command, do not run the method vendor-specific command.
NOTE
After the configuration is completed, when the IP address of GigabitEthernet1/0/1 changes, theFW notifies
the DNS server to update the mapping between the domain name www.example.com and the new IP address.
In this way, users on the Internet can access the new IP address by the domain name www.example.com.
Step 5 Configure the default route on the FW to the DNS server. Assume the IP address of the peer
of the FW is 1.1.1.254/24.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
----End
Configuration Verification
Run the command display ddns policy mypolicy on the FW to display the information of the
DDNS policy named mypolicy.
[FW] display ddns policy mypolicy
Policy name : mypolicy
Server : url oray://steven:nevets@phddnsdev.oray.net
User name : -
Password : -
Update method : vendor-specific
Update interval : 300 seconds
Apply interface : GigabitEthernet1/0/1
# Run the command display ddns interface GigabitEthernet 1/0/1 on the FW, you can
check the information of GigabitEthernet 1/0/1 related to the DDNS policy. Presume that the
public IP address obtained by GigabitEthernet 1/0/1 is 1.1.10.10.
[FW] display ddns interface GigabitEthernet 1/0/1
Policies applied on interface GigabitEthernet1/0/1 :
------------------------------------------------------------------------------
Policy name : mypolicy
Server : oray://steven:nevets@phddnsdev.oray.net
User name : -
Password : -
Update method : vendor-specific
Update interval : 300 seconds
Current status : INIT
Client IP : 1.1.10.10
Server IP : 3.3.3.3
Configuration Script
The configuration script of FW.
#
dns resolve
dns server 2.2.2.2
#
ddns policy mypolicy
interval 300
url oray://steven:nevets@phddnsdev.oray.net
#
interface GigabitEthernet1/0/1
undo shutdown
ddns apply policy mypolicy
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
nat server policy_web 0 protocol tcp global interface GigabitEthernet1/0/1 www
inside 10.1.1.3 8080
#
security-policy
rule name policy1
source-zone unrust
destination-zone trust
destination-address 10.1.1.3 32
action permit
#
return
Networking Requirements
As shown in Figure 4-41, an enterprise rents links from both ISP1 and ISP2. The bandwidth
of ISP1 link is 100M, and that of ISP2 link is 50M. The DNS server addresses of ISP1 are
8.8.8.8 and 8.8.8.9, and the DNS server addresses of ISP2 are 9.9.9.8 and 9.9.9.9. The DNS
server address specified on all intranet user clients is 10.2.0.70.
l The enterprise requires that the Internet access traffic of intranet users residing on
network segment 10.3.0.0/24 can be distributed to ISP1 and ISP2 links in the ratio of 2:1
to ensure that the links are made full use of but not congested to improve users' Internet
access experience.
l When intranet users access domain name www.example.com, FW does not perform DNS
transparent proxying, but the Web server address of the domain name must be resolved
by the specified DNS server (8.8.8.10).
l When one link is overloaded (the threshold is 90%), follow-up traffic will be forwarded
on the other link.
www.example.com
DNS server Web server on ISP1 Web server on ISP2
8.8.8.10
ISP2
ISP1
100M 50M
DNS server on ISP1 GE1/0/1 GE1/0/7 DNS server on ISP2
8.8.8.8 1.1.1.1 2.2.2.2 9.9.9.8
8.8.8.9 9.9.9.9
FW
GE1/0/3
10.3.0.1
Intranet
DNS requests
Modified DNS requests
Internet access traffic
Configuration Roadmap
Configure the transparent proxy function on the FW to distribute DNS query messages from
intranet users in the ratio of 2:1 to the DNS servers on ISP1 and ISP2 networks. In this case,
the Internet access traffic from intranet users can also be distributed to ISP1 and ISP2 links in
the ratio of 2:1. When processing DNS query messages, the DNS transparent proxy function
replaces the destination addresses of the messages with the DNS server address bound to the
outbound interface. The selection of the outbound interface depends on the intelligent uplink
selection function. Because the enterprise requires that the Internet access traffic can be
distributed in the ratio of 2:1 to both links, you need to set the intelligent uplink selection
mode to load balancing by link bandwidth. In the example, global link selection policies are
configured. To ensure that the Internet access traffic is directly forwarded to the Web server
on the ISP network of the destination address without taking a detour on other ISP networks,
you need to configure ISP address database link selection.
1. Optional: Configure the health check function. Configure a health check respectively for
ISP1 and ISP2.
2. Set the interface IP address, security zone, gateway, bandwidth, and overload protection
threshold, and apply the health check respectively on the interfaces.
3. Configure ISP link selection function. Make two ISP address files, isp1.csv and isp2.csv,
and upload the two ISP address files to the FW.
4. Configure DNS transparent proxy. Bind the DNS server address on the outbound
interface, specify the DNS server addresses requiring DNS transparent proxy, and
specify the domain names to be excluded.
5. Configuring a global link selection policy. Set the intelligent uplink selection mode to
load balancing by link bandwidth and configure the outbound interfaces on the FW
connecting to ISP1 and ISP2 as intelligent uplink selection member interfaces.
6. Configure a basic security policy to allow intranet users to access the Internet.
Procedure
Step 1 Optional: Enable the health check function and create a health check for ISP1 and ISP2 link
respectively. It is assumed that the destination network segment for health check is
3.3.10.0/24 on ISP1 network and is 9.9.20.0/24 on ISP2 network.
<FW> system-view
[FW] healthcheck enable
[FW] healthcheck name isp1_health
[FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet
1/0/1 protocol tcp-simple destination-port 10001
[FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet
1/0/1 protocol tcp-simple destination-port 10002
[FW-healthcheck-isp1_health] quit
[FW] healthcheck name isp2_health
[FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet
1/0/7 protocol tcp-simple destination-port 10003
[FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet
1/0/7 protocol tcp-simple destination-port 10004
[FW-healthcheck-isp2_health] quit
Step 2 Configure IP addresses, gateway addresses, bandwidth, overload protection thresholds for
interfaces and apply health check on the interfaces.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/1] gateway 1.1.1.254
[FW-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 90
[FW-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 90
[FW-GigabitEthernet1/0/1] healthcheck isp1_health
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0
[FW-GigabitEthernet1/0/7] gateway 2.2.2.254
[FW-GigabitEthernet1/0/7] bandwidth ingress 50000 threshold 90
[FW-GigabitEthernet1/0/7] bandwidth egress 50000 threshold 90
[FW-GigabitEthernet1/0/7] healthcheck isp2_health
[FW-GigabitEthernet1/0/7] quit
Step 3 Upload ISP address files to the FW using SFTP. Details are omitted.
Step 4 Create ISP name isp1_ifgrp for ISP1 and ISP name isp2_ifgrp for ISP2 and associate them
with the corresponding ISP address files.
[FW] isp name isp1_ifgrp
[FW] isp name isp1_ifgrp set filename isp1.csv
[FW] isp name isp2_ifgrp
[FW] isp name isp2_ifgrp set filename isp2.csv
Step 5 Create an ISP interface group for ISP1 and ISP2 respectively and add interfaces to
corresponding ISP interface groups. Then ISP routes will be delivered by default.
[FW] interface-group 1 isp isp1_ifgrp
[FW-interface-isp-group-1] add interface GigabitEthernet 1/0/1
[FW-interface-isp-group-1] quit
[FW] interface-group 2 isp isp2_ifgrp
[FW-interface-isp-group-2] add interface GigabitEthernet 1/0/7
[FW-interface-isp-group-2] quit
Step 6 Configure DNS transparent proxy. Bind the DNS server address to the outbound interface,
implement DNS transparent proxy for traffic whose source address belongs to network
segment 10.3.0.0/24, and configure excluded domain names.
[FW] dns transparent-proxy enable
[FW] dns server bind interface GigabitEthernet 1/0/1 preferred 8.8.8.8 alternate
8.8.8.9
[FW] dns server bind interface GigabitEthernet 1/0/7 preferred 9.9.9.8 alternate
9.9.9.9
[FW] dns transparent-proxy exclude domain www.example.com server 8.8.8.10
[FW] dns-transparent-policy
[FW-policy-dns] rule name abc
[FW-policy-dns-rule-abc] action tpdns
[FW-policy-dns-rule-abc] source-address 10.3.0.0 24
[FW-policy-dns-rule-abc] quit
[FW-policy-dns] quit
Step 7 Configure a global route selection policy to load balance traffic by link bandwidth.
[FW] multi-interface
[FW-multi-inter] add interface GigabitEthernet1/0/1
[FW-multi-inter] add interface GigabitEthernet1/0/7
[FW-multi-inter] mode proportion-of-bandwidth
[FW-multi-inter] quit
Step 9 Configure a security policy between the Trust and Untrust zones to allow intranet users to
access extranet resources. It is assumed that the intranet user network segment is 10.3.0.0/24.
[FW] security-policy
[FW-policy-security] rule name policy_sec_trust_untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
[FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_trust_untrust] action permit
[FW-policy-security-rule-policy_sec_trust_untrust] quit
[FW-policy-security] quit
----End
Configuration Scripts
#
isp name isp1_ifgrp
isp name isp1_ifgrp set filename isp1.csv
isp name isp2_ifgrp
isp name isp2_ifgrp set filename isp2.csv
#
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/1 preferred 8.8.8.8 alternate
8.8.8.9
Fault Description
The FW functions as a DNS client that is configured with dynamic domain name resolution
but cannot resolve domain names to IP addresses correctly.
Procedure
Step 1 Run the display dns dynamic-host command check whether the specified domain name
exists in the dynamic domain name cache.
l If not, check whether the DNS client communicates with the DNS server properly, the
DNS server runs properly, and dynamic domain name resolution is enabled.
l If so, but the IP address is incorrect, go to step 2.
Step 2 Run the display dns server command to verify that the IP address of the DNS server is
correct on the DNS client.
If the DNS server IP address is incorrect, run the undo dns server ip-address command to
delete the configured DNS server IP address, and run the dns server ip-address command to
reconfigure a correct IP address for the DNS server.
----End
4.6.8.1 Specifications
This section provides DNS specifications.
Function Specifications
Function Description Supported or Not
Configuring the device to The DNS client is used for Supported by all models.
serve as a DNS client online signature database
upgrade and PKI CRL
download.
Configuring the device to The DNS proxy forwards a Supported by all models.
serve as a DNS proxy DNS request packet from a
DNS client to a DNS server
and a response packet from
the DNS server to the DNS
client. It searches the local
domain name resolution
table before forwarding a
DNS request.
Configuring the device to The DNS relay forwards a Supported by all models.
serve as a DNS relay DNS request packet from a
DNS client to a DNS server
and a response packet from
the DNS server to the DNS
client. However, it does not
search the local domain
name resolution table before
forwarding a DNS request.
Instead, it directly forwards
the packet to the DNS
server.
Performance Specifications
Function Sub-Function Specifications
Number of configurable 50
static DNS entries
Number of configurable 10
domain name suffixes in a
domain name list
4.7 DHCP
This section describes DHCP concepts and how to configure DHCP, as well as provides
configuration examples.
4.7.1 Introduction
The Dynamic Host Configuration Protocol (DHCP) applies to IPv4 networks to dynamically
assign information, such as IPv4 addresses to clients.
Definition
DHCP is a technology used to dynamically manage and configure IPv4 addresses for clients.
DHCP uses the client/server model. A client applies to a server for parameters, such as the
IPv4 address, default gateway address, DNS server address, and WINS server address. The
server replies with corresponding configuration parameters based on policies. DHCP dynamic
allocates IPv4 addresses and allows you to configure and manage other network parameters
on a server before delivering the parameters to clients.
Objective
As the network expands and network complexity increases, the number of PCs usually
exceeds the number of available IPv4 addresses. Furthermore, with the popularity of laptops
and wireless networks, PC locations and IPv4 addresses are changeable. To dynamically and
properly assign IPv4 addresses to hosts, DHCP is introduced.
DHCP is developed based on the Bootstrap Protocol (BOOTP). BOOTP runs in a static
environment where each host has a fixed network connection. An administrator configures a
specific BOOTP parameter file for each host, and the file keeps unchanged in a long period.
DHCP extends BOOTP in the following aspects:
l DHCP provides automatic allocation of reused network addresses and configuration
options, which enables a PC to obtain required configurations by sending a request.
l DHCP dynamically assigns an IPv4 address to each host, instead of specifying an IPv4
address for each host.
DHCP dynamically manages and configures IPv4 addresses for clients in a concentrated
manner, which simplifies manual configuration and enables enterprise users to adapt to
frequent network changes.
Application Environment
Generally, the DHCP server is used to assign IP addresses in the following scenarios:
l On a large network, manual configurations take a long time and bring difficulties to
centralized management over the entire network.
l Only a few hosts on the network require fixed IP addresses, and most hosts can avoid
using fixed IP addresses.
l Hosts on the network are more than available IP addresses. Thus, not every host has a
fixed IP address. Many hosts must share a few IP addresses through the DHCP server.
Typical Application
A DHCP server is used in the following two application scenarios:
l The DHCP server and clients reside on the same network segment.
The FW functions as a DHCP server to connect to DHCP clients using a Layer 2 switch
(or hub) on the network shown in Figure 4-42.
Figure 4-42 Typical network where the DHCP server and clients reside on the same
network segment
FW
Layer 2 Layer 2
LAN switch LAN switch
DHCP Server
way, the DHCP clients communicate with the DHCP server through the DHCP server.
For the detailed scenario description, please refer to 4.7.2.2 The Device Serving as a
DHCP Relay.
Figure 4-43 Typical network where the DHCP server and clients reside on different
network segments
FW_A FW_B
Application Environment
A DHCP client sends a DHCP Request packet to apply for a dynamic IP address in broadcast
mode. This means that the DHCP server can receive the request only if the server is on the
same network segment as the client. Deploying a DHCP server on each network segment to
assign IP addresses is uneconomical.
DHCP relay can be used to address this problem. DHCP relay allows DHCP clients on
different network segments to communicate with a single DHCP server and obtain IP
addresses. This function helps reduce costs and facilitate centralized management.
Typical Application
The DHCP server and clients reside on different network segments, as shown in Figure 4-44.
A DHCP relay agent is deployed to enable DHCP clients to obtain configuration information,
such as IP addresses, from the DHCP server.
Network
Segment 1
FW_A FW_B
Network
Segment 2 DHCP Relay DHCP Server
Network
DHCP Clients Segment 3
Application Environment
Some network border devices cannot obtain fixed IP addresses because IP addresses are
insufficient. To address this problem, the network devices can be configured as DHCP clients
or BOOTP clients and dynamically obtain configuration information, such as IP addresses,
from a DHCP server.
The DHCP Server can communicate with BOOTP clients, so there is no need for users to
configure BOOTP server. The DHCP server can be configured to allocate IP addresses for
BOOTP clients.
Typical Application
This typical application only set the case in which the FW functions as a DHCP client as an
example. The case in which the FW functions as a BOOTP client is similar, and thus omitted.
A building shown in Figure 4-45 accesses the Internet through a router, and the router also
works as a DHCP server to assign IP addresses to enterprise users in the building. The FW
functions as a gateway for a small enterprise in the building. The DHCP client function is
enabled on Interface 1 of the FW to enable Interface 1 to dynamically obtain network
parameters, including an IP address, from the DHCP server and to provide online services for
enterprise users.
FW
Enterprise Network
边缘网络
Interface 2 Interface 1
DHCP Server DHCP Client DHCP Server
4.7.3 Mechanism
This section describes the implementation of DHCP.
In Figure 4-46, numbers in the round brackets indicate the field length in bytes. Table 4-42
shows the description of each field in the DHCP packet.
htype 1 byte Indicates the type of hardware addresses. It is valid only for
(Hardware Ethernet now. The value is 1.
Address
Type)
hops 1 byte Indicates the number of DHCP relays that current DHCP packets
pass. This field is set to 0 by the client. When passing a DHCP
relay, this field increases by 1. This field is used to limit the
number of DHCP relays that DHCP packets pass.
NOTE
The number of DHCP relays between the server and client cannot exceed
4. That is, the value of hops cannot be greater than 4. Otherwise, DHCP
packets are discarded.
xid 4 bytes Indicates the random number selected by clients. This number
(Transactio associates the packet replied by the server with the packet sent by
n ID) the client.
secs 2 bytes Indicates the seconds that elapse since a client begin address
(Seconds) acquisition or renewal process, in seconds.
flags 2 bytes Indicates the Flag field. Only the most significant bit has meaning,
and the rest bits are 0. The most significant bit is the broadcast
response flag bit. It determines whether the DHCP server
responds to packets in unicast or broadcast mode. The meaning of
each value is as follows:
l 0: in unicast mode
l 1: in broadcast mode
ciaddr 4 bytes Indicates the IP address of the client. The address can either be a
(Client IP client IP address assigned by the server or an existing client IP
Address) address. In the initial state, the client does not have an IP address.
This field is 0.0.0.0.
NOTE
The IP address 0.0.0.0 is used only for temporary communication after the
system in DHCP mode starts up. It cannot be an effective destination
address.
yiaddr 4 bytes Indicates the IP address assigned to the client by the server.
(Your
(Client) IP
Address)
giaddr 4 bytes Indicates the IP address of the first DHCP relay. The client sends
(Relay a DHCP request. If the server and client are in different networks,
Agent IP the first DHCP relay fills this field with its IP address when
Address) forwarding this DHCP request. The server determines the network
segment address based on this field, and then selects the address
pool to be assigned to the client. The server also sends this
response packet to this first DHCP relay. Then, the DHCP relay
sends this packet to the client.
NOTE
If the packet passes more than one DHCP relay before arriving at the
DHCP server, the relay after the first DHCP relay adds 1 to the number of
hops without changing this field.
chaddr 16 Indicates the MAC address of the client. This field is the same as
(Client bytes the preceding "Hardware Type" and "Hardware Length". When a
Hardware DHCP request is sent, the client fills this field with its hardware
Address) address. For the Ethernet, this field must be filled with a 6-byte
Ethernet MAC address when the "Hardware Type" and "Hardware
Length" are 1 and 6 respectively.
file (Boot 128 Indicates the startup configured file name of the client. This field
File Name) bytes is optional and is filled by the DHCP server with a string of
characters ending with 0.
options Variabl Indicates the Option field of DHCP. It cannot be less than 312
e bytes. This field contains the configuration information, such as
the IP address of the gateway, DNS server, and NetBIOS server,
assigned by the server to the client. The client can use information
such as the valid lease time of IP addresses. For details, refer to
Format and Functions of the Options Field.
Message Description
Name
DHCP OFFER A DHCP Offer packet is sent by a DHCP server to respond to a DHCP
Discover packet. A DHCP Offer packet carries various configuration
information.
DHCP ACK A DHCP ACK packet is sent by a DHCP server to acknowledge the
DHCP Request packet from a DHCP client. After receiving a DHCP
ACK packet, the DHCP client obtains the configuration parameters
including the IP address.
DHCP NAK A DHCP NAK packet is sent by a DHCP server to reject the DHCP
Request packet from a DHCP client. For example, after a DHCP server
receives a DHCP Request packet, it cannot find matching lease records.
Then the DHCP server sends a DHCP NAK packet, notifying that no IP
address is available for the DHCP client.
DHCP A DHCP Decline packet is sent by a DHCP client to notify the DHCP
DECLINE server that the assigned IP address conflicts with another IP address.
Then the DHCP client applies to the DHCP server for another IP address.
DHCP A DHCP Inform packet is sent by a DHCP client to obtain other network
INFORM configuration parameters such as the gateway address and DNS server
address after the DHCP client has obtained an IP address.
0 7 15
Code Length Value
The Options field consists of Code, Length, and Value. Table 4-44 shows the description of
each field in the Options field.
The value of the Options field ranges from 1 to 255. Table 4-45 lists common DHCP options.
FW_A
FW_C FW_B
DHCP DHCP
Relay Server
DHCP Client
4.7.3.3 How a DHCP Server Allocates Network Parameters to New DHCP Clients
This section describes the mechanism of the interaction between the DHCP server and clients
which access to a network for the first time.
The following parts introduce the mechanism of DHCP clients accessing to a network for the
first time in the scenarios of having a DHCP relay deployed or not respectively.
NOTE
DHCP messages are transmitted using the User Datagram Protocol (UDP). A DHCP client sends
messages with UDP port 67 to a DHCP server, and a DHCP server sends messages with UDP port 68 to
a DHCP client.
Figure 4-49 Message exchange between a DHCP server and a new DHCP client when no
DHCP relay agent is deployed
DHCP Client DHCP Server
l The Options field in a DHCP Discover message defines network parameters that a client requires.
Each option identifies a parameter. For example, Option 3 indicates the requested gateway address.
(A client adds Option 3 in the Option 55 field when it requests the gateway address.) Option 53
indicates the DHCP message type (such as Discover message). Options are classified into well-
known and self-defined options. For more information about well-known DHCP options, see RFC
2132. Vendors can define their own options, for example, Option 43 is defined to indicate vendor-
specific information. For details on options, see Format and Functions of the Options Field.
l The Flags field is defined in RFC 2131. The leftmost bit of this field indicates whether the server is
required to send the DHCP Offer/ACK message in unicast or broadcast mode. The value 0 indicates
the unicast mode, and the value 1 indicates the broadcast mode.
2. Offer stage: A DHCP server offers network parameters to the DHCP client.
All DHCP servers on the same network segment as the DHCP client can receive the
DHCP Discover message. Each DHCP server may have multiple address pools to
manage network parameters including allocatable IP addresses. A DHCP server selects
an address pool on the same network segment as the IP address of the interface receiving
the DHCP Discover message, and selects an idle IP address from the address pool. The
DHCP server then sends a DHCP Offer message carrying the allocated IP address (in the
Yiaddr field) to the DHCP client. The DHCP Offer message also carries other network
parameters such as the IP address lease.
In most cases, an address pool specifies the leases of IP addresses in it. If the DHCP
Discover message carries an expected lease, the DHCP server compares the expected
lease with the specified lease and allocates the IP address with a smaller lease to the
DHCP client.
IP addresses in an address pool are added to different IP address lists based on the IP
address status. Unallocated IP addresses belong to the allocatable IP address list.
Allocated IP addresses belong to the in-use IP address list. Conflicting IP addresses
belong to the conflicting IP address list. IP addresses that cannot be allocated belong to
the unallocatable IP address list. The DHCP server selects an IP address for the client
from the address pool in the following sequence:
a. IP address statically bound to the MAC address of the client on the DHCP server
b. IP address that has been allocated to the client
c. IP address specified in the Option 50 field (requested IP address) in the DHCP
Discover message
d. Largest allocatable IP address
e. If the DHCP server does not find any allocatable IP address, it searches for the
expired IP addresses and conflicting IP addresses in turn, and then allocates a valid
IP address to the client. If all the IP addresses are in use, the DHCP server replies
with a DHCP NAK message to notify the client that no IP address is available.
After receiving the DHCP NAK message, the DHCP client sends a DHCP Discover
message to apply for a new IP address.
NOTE
The FWcan exclude some IP addresses that cannot be allocated through DHCP from address
pools. For example, if 192.168.1.100/24 has been manually configured for the DNS server,
the DHCP server needs to exclude this IP address from the address pool on network segment
192.168.1.0/24. In this way, IP address 192.168.1.100 will not be allocated through DHCP,
preventing IP address conflicts.
To prevent conflicts between a newly allocated IP address with existing IP addresses, the
DHCP server sends an ICMP Echo Request packet with the IP address to be allocated in
both the source and destination IP address fields before sending a DHCP Offer messages.
If the DHCP server receives no ICMP Echo Reply packet within the detection period, no
client is using this IP address, and the DHCP server can allocate it. If the DHCP server
receives an ICMP Echo Reply packet within the detection period, this IP address has
been used by another client, and the DHCP server lists this IP address as a conflicting IP
address. The DCHP server then waits for the next DHCP Discover message to start the
IP address selection process again.
NOTE
The IP address allocated in this stage may not be the final IP address used by the client. This is
because the IP address may be allocated to another client if the DHCP server receives no response
16 seconds after the DHCP Offer message is sent. The IP address for the client can be determined
only after the request and acknowledge stages.
Figure 4-50 Process of applying an IP address of a DHCP Client through a DHCP relay
1. Discovery stage
The DHCP Client sends a DHCP DISCOVER broadcast packet on the local network.
When receiving a DHCP DISCOVER broadcast packet on the local network where no
DHCP server exists, the device functioning as a DHCP relay agent performs the
following steps:
a. Check whether the value of the Hops field exceeds 32. If so, the DHCP relay agent
discards the message. If not, the DHCP relay agent increases this value by 1 and
proceeds to the next step.
The Hops field indicates the number of DHCP relay agents that a DHCP message
has passed through. This field is set to 0 by a DHCP client or a server. Its value
increases by 1 each time the message passes through a DHCP relay agent. This field
can limit the number of DHCP relay agents that a DHCP message can pass through.
Currently, the FW supports a maximum of 32 DHCP relay agents are allowed
between a DHCP client and server.
b. Check whether the value of the Giaddr field is 0. If so, the DHCP relay agent sets
the Giaddr field to the IP address of the interface receiving the DHCP Discover
message. If not, the DHCP relay agent does not change the field and proceeds to the
next step.
The Giaddr field indicates the gateway IP address. If the DHCP server and client
are located on different network segments, the first DHCP relay agent fills this field
with its own IP address and forwards the message to the DHCP server. Other DHCP
relay agents on the path forward the message without changing this field. The
DHCP server determines which network segment the client resides based on the
Giaddr field, and allocates an IP address on this network segment to the client.
c. Change the destination IP address of the DHCP Discover message to the IP address
of the DHCP server or the next-hop DHCP relay agent, and change the source IP
address to the IP address of the interface connecting the DHCP relay agent to the
client. The message is then sent to the DHCP server or the next-hop DHCP relay
agent through unicast routing.
After the process mentioned above, the DHCP relay forwards the unicast packets to the
specific DHCP server on the other network or the next DHCP relay.
NOTE
If multiple DHCP relay agents exist between the DHCP client and server, the DHCP relay agents
process the DHCP Discover message using the same method.
2. Offer stage
After receiving the DHCP Discover message, the DHCP server selects an address pool
on the same network segment as that specified in the Giaddr field and allocates an IP
address and other network parameters from the address pool. The IP address selection
rule is the same as that described in Network Parameter Allocation Without a DHCP
Relay Agent. The DHCP server then sends a unicast DHCP Offer message to the DHCP
relay agent specified in the Giaddr field.
When receiving the DHCP Offer message, the DHCP relay agent performs the following
steps:
– Check whether the value of the Giaddr field is the IP address of the interface
receiving the DHCP Offer message. If so, the DHCP relay agent proceeds to the
next step. If not, the DHCP relay agent discards the message.
– Check whether the value of the Flags field is 1. If so, the DHCP relay agent sends a
broadcast DHCP Offer message to the DHCP client. If not, the DHCP relay agent
sends a unicast the DHCP Offer message.
3. Request stage
The DHCP client sends DHCP REQUEST broadcast packets to the DHCP Relay as a
response. After receiving the packets, the DHCP relay processes the packets as described
in the first step and then sends them in the unicast mode to the DHCP server.
4. Acknowledgment stage
The DHCP server sends DHCP ACK or DHCP NAK packets to the DHCP client
through the DHCP relay. After receiving the packets, the DHCP relay processes the
packets as described in the second step and sends them to the DHCP client.
NOTE
Not all clients can reuse IP addresses that have been allocated to them.
The DHCP client exchanges DHCP messages with a DHCP server, as shown in Figure 4-51.
After the two stages, the DHCP client can obtain the network parameters including IP
addresses that has been allocated to it.
Figure 4-51 Message exchange for IP address reuse between a DHCP client and a server
DHCP Client DHCP Server
1. The DHCP client broadcasts a DHCP Request message carrying the IP address that the
client has used. The requested IP address is added in the Option 50 field.
2. After receiving the DHCP Request message, the DHCP server checks whether the lease
record exists based on the MAC address in the message. If so, the DHCP server replies
with a DHCP ACK message to notify the DHCP client that the requested IP address can
be used. If not, the DHCP server performs no operation and waits for a new DHCP
Discover message from the client.
IP addresses that are dynamically allocated by a DHCP server have leases. A DHCP Discover
message from a DHCP client can carry an expected lease. When allocating network
parameters, the DHCP server compares the expected lease with the specified lease in the
address pool and allocates the IP address with a smaller lease to the DHCP client. When the
lease expires, the DHCP server reclaims the IP address, which can then be allocated to other
clients. This mechanism improves IP address utilization and releases IP addresses after clients
get offline. To keep using this IP address, the DHCP clients need to renew the IP address
leases.
The DHCP server defines a specific lease for each address pool, and the addresses in the same
DHCP address pool have the same lease.
Timer Value
On a DHCP client assigned an IP address and changing to the binding status, the three timers
take effect as follows:
l After the Lease renewal timer expires, the DHCP client must renew its IP address. The
DHCP client automatically sends DHCP REQUEST packets to the DHCP server which
has ever allocated IP addresses for it, and it changes to the renewing status. If the IP
address is valid, the DHCP server replies with a DHCP ACK packet to the client to
renew the lease. The DHCP client then re-enters the binding status. If the DHCP client
receives a DHCP NAK packet, it changes to the initializing status.
l After the DHCP client sends DHCP REQUEST packets to renew the lease, it keeps in
the renewing status and waits for the response. After the Rebinding timer expires and the
client receives no response, the client considers the original DHCP server to be
unavailable and broadcasts a DHCP REQUEST message.
Any DHCP server on the network can respond to the request of the client and send a
DHCPACK or DHCPNAK message to the client.
If the client receives a DHCP ACK message, it enters the binding state and resets the
Lease renewal and Rebinding timers.
If the client receives a DHCP NAK message, it enters the initializing state, stops using
the existing IP address, and requests a new IP address.
l After the Lease expiration timer expires and the client receives no response, it stops
using this IP address immediately, returns to the initializing state, and requests a new IP
address.
DHCP REQUEST
Step 1
1. When the lease reaches 50% (T1), the DHCP client sends a unicast DHCP Request
message to the DHCP server to request lease renewal. If the DHCP client receives a
DHCP ACK message, the IP address lease is successfully renewed (counted from 0). If
the DHCP client receives a DHCP NAK message, the DHCP client needs to send a
DHCP Discover message to apply for a new IP address.
2. If no response is received from the DHCP server when the lease reaches 87.5% (T2), the
DHCP client sends a broadcast DHCP Request message to request lease renewal. If the
DHCP client receives a DHCP ACK message, the IP address lease is successfully
renewed (counted from 0). If the DHCP client receives a DHCP NAK message, the
DHCP client needs to send a DHCP Discover message to apply for a new IP address.
3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP Discover message to apply for a new IP address.
NOTE
l If a DHCP client does not need to use the allocated IP address before the lease expires, the DHCP
client can send a DHCP Release message to the DHCP server to request IP address release. The
DHCP server saves the configuration of this DHCP client and records the IP address in the allocated
IP address list. This IP address can then be allocated to this DHCP client or other clients.
l A DHCP client can send a DHCP Inform message to the DHCP server to request configuration
update.
Figure 4-53 Process of renewing the IP address lease through a DHCP relay agent
DHCP Client DHCP Relay DHCP Server
T1: indicates the moment when the lease renewal timer expires
T2: indicates the moment when the Rebinding timer expires
1. When the lease renewal timer of the DHCP client expires, the DHCP client can prolong
the lease by performing the following steps and the packets do not pass through DHCP
relay:
a. The DHCP client sends a unicast DHCP Request message to the same DHCP server
which assigned a IP address to it.
b. The DHCP server directly send the unicast DHCP ACK packets or DHCP NAK
packets to the DHCP client. If the DHCP client receives a DHCP ACK message,
the IP address lease is successfully renewed. If the DHCP client receives a DHCP
NAK message, the DHCP client needs to apply for a new IP address again.
2. If no response is received from the DHCP server when the lease rebinding timer of the
DHCP client expires, the DHCP client can prolong the lease by performing the following
steps and the packets pass through the DHCP relay:
a. The DHCP client sends a broadcast DHCP REQUEST packet. The DHCP relay
agent then sends the DHCP REQUEST packet to the DHCP server in unicast mode
after proper process.
b. The DHCP server sends the DHCP ACK packets or DHCP NAK packets to the
DHCP client through the DHCP relay. After the DHCP relay receives these packets,
it processes them and send them to the DHCP client. If the DHCP client receives a
DHCP ACK packet, the IP address lease is successfully renewed. If the DHCP
client receives a DHCP NAK packet, the DHCP client needs to send a DHCP
DISCOVER message to apply for a new IP address.
3. If no response is received when the lease expires, the DHCP client stops using the IP
address and sends a DHCP DISCOVER packet to apply for a new IP address.
To meet the preceding requirements, the DHCP server provides the following address
allocation policies:
1. IP address in the database of the DHCP server that is statically bound with the client's
MAC address
2. IP address assigned to the client before, that is, the IP address in the requested IP Addr
option of the DHCP Discover packet sent by the client
3. IP address specified in the Option 50 (IP address option) field in the DHCPDISCOVER
packets sent by the client.
4. IP address first found when the server searches for available IP addresses in the DHCP
address pool
5. If the DHCP address pool has no available address, the DHCP server searches the
timeout IP addresses and the conflict IP addresses in turn for the unused IP address and
assigns the unused IP address to the client. If all the IP addresses are used, the server
sends an error message.
Using the ping command, you can check if there is a ping response of the address to be
assigned within the specific time. If there is no response after a specific time, it indicates that
the IP address is not in use. In this way, it is ensured that a unique IP address is assigned to the
client.
By default, two ping packets can be sent and the longest time to wait for a response is 500 ms.
Context
If a DHCP server and clients are on the same network segment, the DHCP server provides the
clients with dynamically assigned IP addresses, statically configured IP addresses, designated
DNS servers, gateways, and WINS servers.
The DHCP server and relay services cannot coexist on the same interface.
NOTE
The sum of the number of IP addresses being in use and that of expired IP addresses equals to the
number of DHCP clients. When the sum of the number of IP addresses being in use and that of expired
IP addresses reaches to the maximum of DHCP client specification, the device can automatically release
some of the expired IP addresses to reduce the memory usage.
Procedure
Step 1 Choose Network > DHCP Server > Service.
NOTE
For the DHCP server configuration on the web UI, only the interface address pool is supported, and the
assigned addresses in the address pool must belong to the same network segment as the specified
interface IP address. Therefore, IP address assignment across network segments cannot be configured
for the DHCP server on the web UI.
Parameter Description
Interface Name Name of the interface on which the DHCP server function is
configured.
The interface must be an existing one and Connection Type
must be set to Static IP.
Service Type Enable either the DHCP server or relay service on this
interface.
When the DHCP server is enabled on the interface, the Service
Type must be set to Server.
Subnet Mask Subnet mask of the IP address assigned to a DHCP client. The
subnet mask determines which part of an IP address serves as
the network/subnet ID and which part serves as a host ID.
By default, the system uses the mask of the interface IP
address as the subnet mask. If necessary, you can change the
subnet mask.
Parameter Description
Primary DNS Server Primary DNS server address assigned to a DHCP client.
This parameter needs to be specified when DNS Service is
Specify.
Secondary DNS Server Secondary DNS server address assigned to a DHCP client.
When the DHCP client fails to resolve domain names using the
primary DNS server, the DHCP client requests the secondary
DNS server for domain name resolution.
This parameter can be specified when DNS Service is Specify.
The secondary DNS server address must be different from the
primary one.
Advanced
Lease Duration Lase for an address assigned to a DHCP client. The lease
specifies how long the DHCP client can use the IP address
assigned by the server.
You can set an address lease based on the duration of a
connection between a client and a physical network in an
address pool. If clients on a wireless network frequently
disconnect from the network, you can decrease the address
lease, such as to 0 days 8 hours 0 minutes. If clients are
connected to the network for a stably long period of time, you
can increase the lease or even set an infinite period.
Primary WINS Server Primary WINS server address assigned to a DHCP client.
Hosts running the Windows operating system and NetBIOS
resolve NetBIOS host names to IP addresses. The resolution
methods for NetBIOS host name include local name resolution,
broadcast query, and WINS server resolution. WINS server
resolution is implemented by a WINS server.
The primary WINS server and DHCP server must be routable.
Parameter Description
Secondary WINS Server Secondary WINS server address assigned to a DHCP client.
When the DHCP client fails to resolve NetBIOS host names
using the primary WINS server, the client requests the
secondary WINS server for host name resolution.
The secondary WINS server and DHCP server must be
routable.
----End
Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay agent.
l The DHCP server and DHCP relay interface are reachable to each other.
l The DHCP relay interface and client reside on the same network segment.
The IP address of the DHCP relay interface must be on the same network segment as the
IP address that the DHCP server assigns to the client.
l The default gateway address of the DHCP client must be the IP address of the DHCP
relay interface.
Context
The DHCP server and relay cannot be configured on the same interface.
Procedure
Step 1 Choose Network > DHCP Server > Service.
Interface Name Name of the interface on which the DHCP relay function is
configured.
The interface must exist. Connection Type can be set only to
Static IP, and the interface IP address must be on the same
network segment as the DHCP client.
Service Type Enable either the DHCP server or relay service on this
interface.
When DHCP relay is enabled on the interface, the Service
Type must be Relay.
IPv4 Server IP Address IP address that a DHCP server assigns and the DHCP relay
agent forwards to a client.
----End
Step 2 Click Refresh to refresh the latest information about address lease duration.
----End
MAC Address MAC address of a client to which a DHCP server that assigns
an IP address.
Lease Expiration Expiration date and time of the lease for an IP address assigned
by a DHCP server. Values and their meanings are as follows:
l Specific time (such as 2011-11-7 18:01:20): Date and time
when a lease expires.
l NOT used: A statically bound lease is not assigned to the
specific client yet.
l Unlimited: A lease does not expire.
Parameter Description
----End
l Plan VLANs to ensure that only one DHCP server (or a DHCP relay agent) can receive
DHCP Discovery messages in a VLAN.
l Configure DHCP snooping on client access devices to ensure that the clients can apply to
the correct DHCP servers for network parameters.
Planning IP Addresses
l IP address range that can be automatically allocated
The IP address range needs to be properly planned based on the number of concurrent
online clients on the network. If the number of IP addresses in this range is too small,
some clients cannot obtain IP addresses. If the number of IP addresses in this range is too
large, IP addresses are wasted.
l (Optional) IP addresses that cannot be automatically allocated
Some IP addresses in the address pool are reserved for devices that require static IP
addresses. For example, in an address pool ranging from 192.168.100.1 to
192.168.100.254, 192.168.100.2 is reserved for the DNS server. Exclude the IP address
192.168.100.2 from the address pool so that the DHCP server will not allocate
192.168.100.2 to other clients.
l IP address allocation
DHCP supports two mechanisms for IP address allocation. Network administrators can
select different mechanisms for hosts based on network requirements.
– Dynamic allocation: DHCP allocates an IP address with a limited validity period
(known as a lease) to a client. This mechanism applies to hosts that temporarily
connect to a network with fewer IP addresses than the total number of hosts. For
example, this mechanism can be used to allocate IP addresses to laptops used by
employees on business trips or mobile terminals in cafes.
– Static allocation: A network administrator allocates fixed IP addresses to specified
clients, and DHCP is used simply to convey the allocated addresses to the clients.
This mechanism applies to hosts with special IP address requirements. For example,
the file server of an enterprise needs to use a fixed IP address to provide services for
extranet users. Compared to manual IP address configuration, DHCP static
allocation prevents manual configuration errors and helps network administrators
perform unified maintenance and management.
NOTE
DHCP servers can allocate IP addresses as well as other network parameters to clients. Administrators can
plan other network parameters based on network requirements. For example, to enable a client to
communicate with other network devices through the domain name and obtain DNS parameters using DHCP,
plan the IP address of the DNS server and domain name of the client.
Planning Leases
Plan an IP address lease for a client based on the online duration of the client. By default, the
IP address lease is one day.
l In locations where clients often move and stay online for a short period of time, for
example, cafes, airports, and hotels, plan a short-term lease to ensure that IP addresses
are released quickly after the clients go offline.
l In locations where clients seldom move and stay online for a long period of time, for
example, office areas of an enterprise, plan a long-term lease to prevent services from
being affected by frequent lease or address renewals.
Context
Before enabling the DHCP server function, you must enable DHCP in the system view.
Procedure
Step 1 Run:
system-view
DHCP is enabled.
By default, DHCP is disabled.
----End
Context
Address pools allow DHCP servers to allocate network parameters including IP addresses to
clients. You can specify network parameters in an address pool, including the IP address
range, gateway address, and the IP address of the DNS server.
Address pools are classified into interface address pools and global address pools.
l Interface address pool: After an IP address is configured for an interface on a DHCP
server, you can create an address pool on the same network segment as this interface.
Addresses in the address pool can be allocated only to clients connected to the interface.
The interface address pool is easy to configure and can allocate IP addresses to clients on
the same network segment as the DHCP server, that is, when no DHCP relay agent
exists. A DHCP server allocates IP addresses to clients connected to one interface or IP
addresses on different network segments to clients connected to multiple interfaces.
l Global address pool: On a DHCP server, you can create an address pool on the specified
network segment in the system view. Addresses in the address pool can be allocated to
all clients connected to the DHCP server. The global address pool is applicable to the
following scenarios:
– The DHCP server and clients are not on the same network segment, that is, a DHCP
relay agent exists.
– The DHCP server and clients are on the same network segment, and the DHCP
server needs to allocate IP addresses to clients connected to one interface or IP
addresses to multiple interfaces.
NOTE
When a DHCP server and clients are on the same network segment, interface address pools are recommended
because the configuration is simple.
NOTE
The sum of the number of IP addresses being in use and that of expired IP addresses equals to the
number of DHCP clients. When the sum of the number of IP addresses being in use and that of expired
IP addresses reaches to the maximum of DHCP client specification, the device can automatically release
some of the expired IP addresses to reduce the memory usage.
Procedure
l Creating an interface address pool
a. Run:
system-view
NOTE
f. Run:
dhcp server ip-range start-ip-address end-ip-address
The subnet mask of IP addresses that a DHCP server pre-allocates to DHCP clients
is configured.
h. Optional: Run:
dhcp server logging [ allocation-fail | allocation-success | release |
renew-fail | renew-success | detect-conflict | recycle-conflict ] *
The logging function during IP address allocation of the DHCP server is enabled.
By default, the logging function during IP address allocation of the DHCP server is
disabled.
l Creating a global address pool
a. Run:
system-view
A global address pool is created and the global address pool view is displayed.
By default, no global address pool is created on the device.
The parameter ip-pool-name uniquely specifies the name of an address pool. For
example, create a global address pool named global_f1 for employees on the first
floor.
[sysname] ip pool global_f1
d. Run:
network ip-address [ mask { mask | mask-length } ]
The range of IP addresses that can be dynamically allocated from the global address
pool is specified.
By default, the range of IP addresses that can be allocated dynamically to clients is
not specified.
An address pool can be configured with only one IP address segment. The IP
address range is determined by the mask length.
NOTE
When specifying the IP address range, ensure that IP addresses within the range are on the same
network segment as the interface IP address of the DHCP server or DHCP relay agent to avoid
incorrect IP address allocation.
e. Optional: Run:
section section-id | start-address [ end-address ]
NOTE
When running both the network and section commands, ensure that the address segment
specified in the section command is included in the address range specified in the network
command.
f. Optional: Run:
logging [ allocation-fail | allocation-success | release | renew-fail |
renew-success | detect-conflict | recycle-conflict ] *
The logging function during IP address allocation of the DHCP server is enabled.
g. Enabling an interface to use the global address pool.
i. Run:
interface interface-type interface-number
The device can select the global address pool based on the primary and secondary
interface IP addresses only when the DHCP client and server are located in the same
network segment.
○ If the device and client are located in different network segments (that is,
a relay exists), the DHCP server parses the IP address specified by the
giaddr field in the received DHCP request packet and selects the address
This step is optional if a DHCP relay agent exists between the device and clients; this step is
mandatory if no relay agent exists.
----End
Context
Some IP addresses in an address pool may be used by servers and other clients, or some
clients may require special IP addresses. In these cases, you need to exclude these IP
addresses from the address pool so that the DHCP server does not automatically allocate these
IP addresses to clients, therefore preventing IP address conflicts. For example, in an
enterprise, a DHCP server allocates IP addresses on the network segment 192.168.1.0/24 to
employee PCs. On this network segment, 192.168.1.1 is used as the gateway IP address, and
192.168.1.10 is used as the DNS server IP address. The DNS server IP address is manually
configured to ensure stability, and other hosts obtain IP addresses using DHCP. Therefore,
192.168.1.10 must be excluded from the range of IP addresses that can be automatically
allocated.
NOTE
You do not need exclude the IP addresses of interfaces connecting to clients or the gateway address
configured using the gateway-list command. The DHCP server automatically adds these addresses to the list
of IP addresses that cannot be automatically allocated.
Procedure
l Excluding IP addresses from an interface address pool
a. Run:
system-view
The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
If you run this command multiple times, you can set multiple IP address ranges that
cannot be automatically allocated from the address pool.
For example, exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated.
[sysname-GigabitEthernet1/0/1] dhcp server excluded-ip-address
192.168.1.10
The range of IP addresses that are not automatically allocated from the address pool
is configured.
By default, all IP addresses are automatically allocated from the address pool.
If you run this command multiple times, you can set multiple IP address ranges that
cannot be automatically allocated from the address pool.
For example, exclude 192.168.1.10 from the range of IP addresses that can be
automatically allocated.
[sysname-ip-pool-global_f1] excluded-ip-address 192.168.1.10
----End
Context
A DHCP server leases IP addresses to clients. The clients need to apply for new IP addresses
when the lease expires. To ensure stability, some hosts need to use fixed IP addresses. In this
case, configure the DHCP server to allocate fixed IP addresses to specified clients. The MAC
addresses of the specified clients are bound to fixed IP addresses. When such a client applies
to the DHCP server for an IP address, the DHCP server searches the binding entries for the
MAC address of the client and allocates the matched IP address to the client. DHCP static
allocation prevents manual configuration errors and helps network administrators perform
unified management.
NOTE
Before performing this configuration task, ensure that the DHCP server has not allocated the IP addresses for
static allocation (using the display ip pool command). If an IP address has been allocated, change an IP
address or release the allocated address using the reset ip pool command and perform the binding again.
Procedure
l Configuring a DHCP server to allocate fixed IP addresses from an interface address pool
a. Run:
system-view
Context
NOTE
Except for allocating fixed IP addresses to specified clients, a DHCP server can
dynamically allocate IP addresses with leases to clients. This mechanism applies to scenarios
where hosts temporarily access the network and the number of idle IP addresses is less than
the total number of hosts.
The lease time varies depending on network access requirements. By default, the IP address
lease is one day.
l In locations where clients often move, for example, cafes, airports, and hotels, plan a
short-term lease to ensure that IP addresses are released quickly after the clients go
offline.
l In locations where clients seldom move, for example, office areas of an enterprise, plan a
long-term lease to prevent services from being affected by frequent address renewals.
Different address pools on a DHCP server can be configured with different IP address leases,
but the IP addresses in an address pool must be configured with the same lease.
Procedure
l Configuring the lease time based on an interface address pool
a. Run:
system-view
Context
Before allocating an IP address to a client, the DHCP server can be configured with IP
address conflict detection to prevent address conflicts.
After IP address conflict detection is configured, a DHCP server sends an ICMP Echo
Request packet in which the source and destination IP addresses are both the specified IP
address before sending DHCP Offer messages. If the DHCP server does not receive an ICMP
Echo Reply packet after the maximum waiting period (specified using the dhcp server ping
timeout milliseconds command), the DHCP server continues to send the ICMP Echo Request
packet until the maximum number of detection times (specified using the dhcp server ping
packet number command) has been reached.
l If the DHCP server receives no ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is not used by
any client and the DHCP server allocates the IP address to the client by sending a DHCP
Offer message to the client.
l If the DHCP server receives an ICMP Echo Reply packet within the detection period
(number of detection times x maximum waiting period), this IP address is being used by
a client, and the DHCP server lists this IP address as a conflicting IP address and waits
for the next DHCP Discover message.
This configuration task takes effect for both the interface and global address pools.
NOTE
If the detection period is too long, clients may fail to obtain IP addresses. Set the detection period to less than
8 seconds.
Procedure
Step 1 Run:
system-view
Step 2 Run:
dhcp server ping packet number
The number of times the device detects IP address conflicts before allocating IP addresses is
set.
By default, the device detects IP address conflicts twice before allocating IP addresses.
Step 3 Run:
dhcp server ping timeout milliseconds
By default, the maximum wait time for each conflict detection is 500 milliseconds.
----End
Context
If a DHCP server is restarted upon an upgrade or is faulty, IP address allocation information
on the DHCP server is lost. After the restart, the DHCP server needs to re-allocate IP
addresses. To prevent data loss and support data recovery upon a restart, you can configure
automatic saving of IP address allocation information (including address leases and
conflicting IP addresses) so that IP address allocation information is periodically saved in a
set of files. When the DHCP server restarts, data can be recovered from the files in storage.
This configuration task takes effect for both the interface and global address pools.
Procedure
Step 1 Run:
system-view
----End
Context
When a DHCP client connects to a DHCP server or host outside the local network segment,
data must be forwarded through the egress gateway. You can configure the gateway address
for clients. This configuration is required only when the global address pool is used. When the
interface address pool is used, the gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client.
NOTE
l In global address pool mode, if a gateway address is configured on the DHCP server, a DHCP client
obtains the gateway address from the DHCP server and automatically generates a default route to the
gateway address. If you run the option121 command on the DHCP server to allocate classless static
routes to DHCP clients, the DHCP client uses an allocated classless static route and does not
automatically generate a default route to the gateway address.
l In interface address pool mode, the egress gateway address is the IP address of the interface
connecting the DHCP server to the DHCP client. The DHCP client obtains the IP address as the
gateway address and automatically generates a default route to the gateway address. If you run the
dhcp server option121 command on the DHCP server to allocate classless static routes to DHCP
clients, the DHCP client uses an allocated classless static route and does not automatically generate a
default route to the gateway address.
You do not need to configure the gateway address for DHCP clients in the following
scenarios:
l When no DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP server to the DHCP client.
l When a DHCP relay agent is deployed, the gateway address is the IP address of the
interface connecting the DHCP relay agent to the client.
In a scenario where Virtual Router Redundancy Protocol (VRRP) and DHCP are deployed, if
the VRRP group functions as the DHCP server, perform this task to configure the group
virtual IP address as the gateway address.
To load balance traffic and improve network reliability, you can configure multiple egress
gateways. Each address pool can be configured with a maximum of eight gateway addresses.
Depending on clients' requirements, IP addresses in address pools can be allocated using the
dynamic or static allocation mode.
l Dynamic allocation: A DHCP server dynamically allocates IP addresses to clients from
the global address pool. This mode is often used to allocate IP addresses to clients
without special requirements. This type of client is called a dynamic client. IP addresses
obtained by dynamic clients have leases.
l Static allocation: A DHCP server allocates fixed IP addresses to specified clients by
binding the IP addresses to MAC addresses of the clients. This mode is often used to
allocate IP addresses to clients with special requirements. This type of client is called a
static client.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients.
Procedure
l Based on an interface address pool:
a. Run:
system-view
c. Run:
dhcp server gateway-list ip-address &<1-8>
The default gateway IP address that a DHCP server pre-allocates to DHCP clients is
configured.
l Based on a global address pool:
a. Run:
system-view
4.7.5.1.10 Configuring DNS and the NetBIOS Service on the DHCP Clients
Context
When DHCP clients need to communicate with devices on other networks through host
names, you can configure the DNS or NetBIOS service.
DNS, defined by RFC 1034, is a host naming mechanism provided by TCP/IP that can
translate host names into IP addresses.
NetBIOS, defined by IBM, is applicable to small LANs with dozens of PCs to provide the
following services:
l m-node: indicates a node in mixed mode. An m-node is a p-node that has some broadcast
features. The node first sends broadcast packets to obtain its mapping. If no mapping is
obtained, the node sends unicast packets.
l h-node: indicates a node in hybrid mode. An h-node is a b-node enabled with an end-to-
end communication mechanism. The node first sends unicast packets to obtain its
mapping. If no mapping is obtained, the node sends broadcast packets.
NOTE
When installing a Microsoft Windows operating system on a PC, you must define a host name. Otherwise, the
system generates a host name at random. Host names are unique on a network.
Depending on clients' requirements, IP addresses in address pools can be allocated using the
dynamic or static allocation mode.
l Dynamic allocation: A DHCP server dynamically allocates IP addresses to clients from
the global address pool. This mode is often used to allocate IP addresses to clients
without special requirements. This type of client is called a dynamic client. IP addresses
obtained by dynamic clients have leases.
l Static allocation: A DHCP server allocates fixed IP addresses to specified clients by
binding the IP addresses to MAC addresses of the clients. This mode is often used to
allocate IP addresses to clients with special requirements. This type of client is called a
static client.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients.
Procedure
l Based on an interface address pool:
– Configuring the DNS service
i. Access the system view.
system-view
iii. Run the following commands to configure the IP address of the DNS server
and domain name for the DHCP clients.
○ Configure the IP address of the DNS server for DHCP clients.
dhcp server dns-list { ip-address &<1-8> | unnumbered interface
interface-type interface-name }
iii. Run the following commands to configure the IP address of the NetBIOS
server and NetBIOS node type for the DHCP clients.
○ Configure the IP address of the NetBIOS server for DHCP clients.
dhcp server nbns-list ip-address &<1-8>
iii. Run the following commands to configure the IP address of the DNS server
and domain name for the DHCP clients.
○ Configure the IP address of the DNS server for DHCP clients.
dns-list { ip-address &<1-8> | unnumbered interface interface-
type interface-number }
iii. Run the following commands to configure the IP address of the NetBIOS
server and NetBIOS node type for the DHCP clients.
○ Configure the IP address of the NetBIOS server for DHCP clients.
nbns-list ip-address &<1-8>
Context
Some clients can work normally only after network parameters are configured in addition to
obtained IP addresses. A DHCP server can allocate configuration information such as the
startup configuration file to clients. Configuration files may be saved on the DHCP server or
dedicated file server. The DHCP server can specify the address of the file server so that clients
can easily obtain files from the file server.
NOTE
When the startup configuration file is saved on a specified file server, the route between a DHCP client and
the file server must be reachable.
Depending on clients' requirements, IP addresses in address pools can be allocated using the
dynamic or static allocation mode.
l Dynamic allocation: A DHCP server dynamically allocates IP addresses to clients from
the global address pool. This mode is often used to allocate IP addresses to clients
without special requirements. This type of client is called a dynamic client. IP addresses
obtained by dynamic clients have leases.
l Static allocation: A DHCP server allocates fixed IP addresses to specified clients by
binding the IP addresses to MAC addresses of the clients. This mode is often used to
allocate IP addresses to clients with special requirements. This type of client is called a
static client.
When a global address pool is used to allocate network parameters, configuration commands
are different for dynamic and static clients.
Procedure
l Configuring configuration files based on an interface address pool
a. Run:
system-view
The name of the startup configuration file for DHCP clients is configured.
By default, the name of the startup configuration file for DHCP clients is not
configured.
d. Run:
dhcp server sname sname
The name of the server from which DHCP clients obtain the startup configuration
file is configured.
By default, the name of the server from which a DHCP client obtains the startup
configuration file is not configured.
e. (Optional) Run:
dhcp server next-server ip-address
The IP address of a server is configured to provide the network service for the client
after the client automatically obtains the IP address.
By default, the server IP address is not configured for the client after the client
automatically obtains the IP address.
To obtain files from the file server, perform this step.
l Configuring configuration files based on a global address pool
a. Run:
system-view
The name of the startup configuration file for DHCP clients is configured.
By default, the name of the startup configuration file for DHCP clients is not
configured.
d. Run:
sname sname
The name of the server from which DHCP clients obtain the startup configuration
file is configured.
By default, the name of the server from which a DHCP client obtains the startup
configuration file is not configured.
e. (Optional) Run:
next-server ip-address
The IP address of a server is configured to provide the network service for the client
after the client automatically obtains the IP address.
By default, the server IP address is not configured for the client after the client
automatically obtains the IP address.
To obtain files from the file server, perform this step.
----End
Context
Vendors can define DHCP options. A device functioning as the DHCP server can allocate
vendor-defined network parameters to clients using the following methods:
Depending on clients' requirements, IP addresses in address pools can be allocated using the
dynamic or static allocation mode.
l Dynamic allocation: A DHCP server dynamically allocates IP addresses to clients from
the global address pool. This mode is often used to allocate IP addresses to clients
without special requirements. This type of client is called a dynamic client. IP addresses
obtained by dynamic clients have leases.
l Static allocation: A DHCP server allocates fixed IP addresses to specified clients by
binding the IP addresses to MAC addresses of the clients. This mode is often used to
allocate IP addresses to clients with special requirements. This type of client is called a
static client.
The configuration commands for dynamic DHCP clients and static DHCP clients are
different, when the IP addresses are configured based on a global address pool.
Procedure
l Configuring user-defined options for clients based on an interface address pool:
a. Run:
system-view
The Option 82 field is called the DHCP relay agent information field. It records the
location of a DHCP client, based on which a DHCP server can select address
allocation policies including IP addresses and other network parameters. Vendors
can define Option 82 based on their requirements. Currently, a device functioning
as the DHCP server cannot allocate network parameters to clients based on policies.
After the device is enabled to trust Option 82, the device normally allocates IP
addresses to clients. If the device is disabled from trusting Option 82, the device
discards received messages carrying Option 82.
c. Run:
interface interface-type interface-number
NOTE
When an option carries a password, ascii and hex are insecure. The cipher type is recommended.
For security, the password must consist of at least six characters and contain at least two of the
following: digits, lowercase letters a to z, uppercase letters A to Z, and special characters.
After an option is configured, the device provides this option only when requested
by clients.
Some options are configured using other commands, as described in the following
table.
e. Run:
dhcp server option121 ip-address { ip-address mask-length gateway-
address } &<1-8>
When an option carries a password, ascii and hex are insecure. The cipher type is
recommended. For security, the password must consist of at least six characters and contain
at least two of the following: digits, lowercase letters a to z, uppercase letters A to Z, and
special characters.
Some options are configured using other commands, as described in the
following table.
v. Run:
option121 ip-address { ip-address mask-length gateway-address }
&<1-8>
----End
Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay.
l The DHCP server and the DHCP relay interface are routable to each other.
l The DHCP relay interface and the DHCP client reside on the same network segment.
The IP address of the DHCP relay interface is on the same network segment as the IP
address of the client that is assigned by the DHCP server.
l The default gateway address of the DHCP client must be the IP address of the DHCP
relay interface.
Context
During certain phases in DHCP configuration, the DHCP client sends broadcast packets;
therefore, the DHCP relay interface must support the broadcast mode.
NOTE
A DHCP message sent from a client to a server can be relayed for a maximum of four times. If more
than four times, the packet will be discarded. If more than one DHCP relay agent exists on the network,
the DHCP relay function must be enabled on each DHCP relay agent, and the client, relay agents, and
DHCP server are routable to each other. The last DHCP relay agent specifies the IP address of the
DHCP server as the source IP address. The other DHCP relay agents specify the IP address of the next
DHCP relay as the source IP address.
Procedure
Step 1 Access the system view.
system-view
NOTE
The interface can be a GE interface or its subinterface, a Vlanif interface, or an Eth-trunk interface.
Step 4 Specify the DHCP server IP address for the DHCP relay interface.
ip relay address ip-address
NOTE
When more than one DHCP relay agents exist on a network, the last DHCP relay agent specifies the IP
address of the DHCP server. The other DHCP relay agents specify the IP address of the next DHCP
relay agent.
Step 5 Apply the DHCP relay interface configurations to the current interface.
dhcp select relay
----End
Follow-up Procedure
1. Configure a DHCP client (using a Windows XP-based PC as an example).
Set the network connection properties.
Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically
and Obtain DNS server address automatically.
2. On each DHCP client, run the ipconfig /all command to view the configuration of the
DHCP client. Check whether the DHCP client has obtained the key configuration,
including an IP address, a default gateway, and a DNS server.
– If all key information is displayed, no action is required.
– If some PCs fail to obtain the information, such as IP addresses, troubleshoot the
PC settings and network connections. Then, go to 2.
– If some PCs obtain IP addresses but fail to obtain other network parameters, restart
the PC NIC to disable and enable the network connection. Or, run the ipconfig /
release command and the ipconfig /renew command in sequence to apply for new
IP addresses and network parameters. Then, go to 2.
– If all PCs fail to obtain the information, such as IP addresses, go to 3.
3. On the DHCP relay agent, run the display dhcp relay statistics command to view
DHCP relay statistics, including the numbers of false packets and different types of
DHCP messages.
If the number of packets sent and received between the DHCP relay, server, and client is
0, the communication is down.
– If the number is 0, verify that the dhcp select relay command has been executed on
the relay interface. Run the display dhcp relay configuration command to check
whether the specified DHCP server address is correct. If the number remains 0, go
to 4, 5, and 6.
– If the number is not 0 but DHCP messages received from servers is 0, go to 5 and
6.
– If the number is not 0 but DHCP messages received from clients is 0, go to 4 and
6.
4. On the DHCP client, run the ping command to check whether the DHCP client and relay
agent are routable to each other. If they are not routable, troubleshoot the network
connection problem.
5. On the DHCP relay, run the ping command to check whether the DHCP relay interface
and the DHCP server are routable to each other. If they are not routable, troubleshoot the
network connection and routing problems.
6. Check whether the security policy rules are correct. Add the interfaces to security zones
and enable security policy between the security zone where the DHCP relay interface
resides and the Local zone, to allow packets through.
Context
When a DHCP server dynamically allocates an IP address with a lease to a client, the DHCP
server compares the configured lease with the expected lease of the client and selects the
smaller value as the lease of the IP address. A device functioning as the DHCP client supports
the configuration of an expected lease.
Procedure
Step 1 Run:
system-view
Step 4 Run:
dhcp client renew
The dhcp client renew command can be normally run only after the DHCP client function is
enabled on the interface and an IP address is obtained.
----End
Context
After an interface is enabled with the DHCP client function, the device can obtain network
parameters including the IP address from the DHCP server.
If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use this IP address and does not re-apply for an IP address. To
allow the interface to re-apply for an IP address, run the shutdown and then the undo
shutdown command on the interface. Alternatively, you can run the undo ip address dhcp-
alloc and then the ip address dhcp-alloc command on the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
ip address dhcp-alloc
----End
Prerequisites
Before configuring a BOOTP client, complete the following tasks:
Only interfaces on the wired side of a device can function as BOOTP clients.
Context
After an interface is enabled with the BOOTP client function, the device can obtain network
parameters including the IP address from the DHCP server.
If the allocated IP address and IP addresses of other interfaces are on the same network
segment, the interface does not use this IP address and does not re-apply for an IP address. To
allow the interface to re-apply for an IP address, you can run the shutdown and then the undo
shutdown command on the interface. Alternatively, you can run the undo ip address bootp-
alloc and then the ip address bootp-alloc command on the interface.
Procedure
Step 1 Run:
system-view
----End
Context
You can view DHCP configuration information and statistics about received and sent DHCP
messages to locate faults during routine maintenance.
Procedure
l Run the display dhcp server database command to display information about the
DHCP database.
l Run the display dhcp relay configuration command to display the configurations of the
DHCP relay agent.
l Run the display dhcp client command to displays DHCP/BOOTP client information.
l Run the display dhcp server statistics command to view statistics about DHCP
messages sent and received on a DHCP server.
l Run the display dhcp relay statistics command to view statistics about DHCP messages
sent and received on a DHCP relay agent.
l Run the display dhcp client statistics [ interface interface-type interface-number ]
command to view statistics about DHCP messages sent and received on a DHCP client.
----End
Context
Before collecting statistics about DHCP messages for a period of time, clear statistics about
DHCP messages.
NOTICE
DHCP statistics cannot be restored after they are cleared. Exercise caution when performing
this operation.
Procedure
l In the user view, run the reset dhcp server statistics command to clear statistics about
DHCP messages sent and received on a DHCP server.
l In the system view, run the reset dhcp relay statistics command to clear statistics about
DHCP messages sent and received on a DHCP relay agent.
l In the user view, run the reset dhcp client statistics [ interface interface-type interface-
number ] command to clear statistics about DHCP messages sent and received on a
DHCP client.
----End
Context
You can reset an address pool when the DHCP server needs to re-allocate IP addresses to
clients or set IP addresses in the address pool to idle. Idle IP addresses will be preferentially
allocated.
Procedure
l Run the following commands to reset address pools on the device.
– Interface address pool:
reset ip pool interface pool-name { start-ip-address [ end-ip-address ] | all |
conflict | expired | used }
Parameter Description
l Configure a device that functions as the DHCP relay agent to request the DHCP server to
release IP addresses of clients.
After the DHCP relay agent is configured to request the DHCP server to release IP
addresses of clients, the DHCP relay agent sends DHCP Release messages to the
specified DHCP server. After receiving the message, the DHCP server restores specified
IP addresses to the idle status. In this way, released IP addresses can be allocated to other
clients. Run the following commands to configure the DHCP relay agent to request the
DHCP server to release IP addresses of clients:
Context
When a DHCP server is migrated, address pools on the DHCP server need to be transferred to
a DHCP server on the live network. To prevent impacting clients that have obtained IP
address from the to-be-migrated DHCP server, you can lock the address pools on the DHCP
server. When new users get online, they will apply for IP addresses from the new address
pool.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ip pool ip-pool-name command to enter the global address pool view.
----End
Networking Requirements
As shown in Figure 4-54, an enterprise plans two network segments for office terminals:
10.1.1.0/24 for fixed terminals and 10.1.2.0/24 for terminals used by staff on business trips.
To facilitate unified management, the enterprise requires that terminals automatically obtain
IP addresses and the IP address of the DNS server (if users need to access the DNS server
using the domain name) from the Switch. A PC (DHCP Client_1) requires fixed IP address
10.1.1.100/24 to meet service requirements.
Figure 4-54 Networking diagram for configuring a device as the DHCP server
DNS Server
10.1.3.1/24
IP Network
GE1/0/1 GE1/0/2
VLANIF10 VLANIF11
10.1.1.1/24 10.1.2.1/24
FW
DHCP Server
Configuration Roadmap
The configuration roadmap is as follows:
Configure the Switch as the DHCP server to dynamically allocate IP addresses on the two
network segments and the IP address of the DNS server to enterprise terminals. IP addresses
on 10.1.1.0/24 are allocated to fixed terminals and have a lease of 30 days. The fixed IP
address 10.1.1.100/24 is statically allocated to DHCP Client_1. IP addresses on 10.1.2.0/24
are allocated to terminals used by staff on business trips and have a lease of two days.
Procedure
Step 1 Enable the DHCP service.
<FW> system-view
[FW] dhcp enable
Step 2 Configure the IP addresses of the interfaces and assign the interfaces to security zones.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.2.1 24
[FW-GigabitEthernet1/0/2] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/1
[FW-zone-trust] add interface GigabitEthernet 1/0/2
[FW-zone-trust] quit
# Configure the DHCP clients under GigabitEthernet 1/0/2 to obtain the network parameters,
such as IP addresses from the interface interface address pool.
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] dhcp select interface
[FW-GigabitEthernet1/0/2] dhcp server lease day 2
[FW-GigabitEthernet1/0/2] dhcp server domain-name huawei.com
[FW-GigabitEthernet1/0/2] dhcp server dns-list 10.1.1.2
[FW-GigabitEthernet1/0/2] quit
-----------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 254 0 254(0) 0 0
-----------------------------------------------------------------------------
[FW] display ip pool interface GigabitEthernet 1/0/2
Pool-name : GigabitEthernet1/0/2
Pool-No : 3
Lease : 2 Days 0 Hours 0 Minutes
Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : -
Network : 10.1.2.0
Mask : 255.255.255.0
Logging : Disabled
Address Statistic: Total :252 Used :0
Idle :252 Expired :0
Conflict :0 Disable :0
-----------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 254 0 254(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
Configuration file of the FW
#
dhcp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
dhcp server static-bind ip-address 10.1.1.100 mac-address 286e-d488-b684
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
dhcp select interface
dhcp server lease day 2 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server domain-name huawei.com
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
security-
policy
4.7.6.2 CLI Example for Configuring the Device as a DHCP Server (Using the
Global Address Pool-based Layer-3 Ethernet Interface)
After learning this configuration example, you can understand how to use the Layer-3
Ethernet Interfaces to configure the device as a DHCP server based on global address pools,
and enable the DHCP server to provide services for clients, including dynamic address
allocation, static address allocation, egress gateway address, DNS server address, and WINS
server address.
Networking Requirements
As shown in Figure 4-55, an enterprise has two offices, which are connected to the FW using
the Layer 2 switches. To save resources, the FW also works as the DHCP server for the hosts
in the two offices to assign IP addresses, gateways, DNS servers, and WINS servers.
l Fixed IP addresses have been assigned to the four hosts (DNS server, WINS server, and
two hosts in the offices). The IP addresses are respectively are 10.1.1.2/25, 10.1.1.4/25,
10.1.1.126/25, and 10.1.1.254/25.
l The two hosts require higher access permissions, and apply for new fixed IP addresses
10.1.1.5/25 and 10.1.1.253/25.
l Office 1 resides on network segment 10.1.1.0/25. Its address lease is 10 days and 12
hours, domain name suffix is example.com, DNS server address is 10.1.1.2/25, WINS
server address is 10.1.1.4/25, and egress gateway address is 10.1.1.1/25.
l Office 2 resides on network segment 10.1.1.128/25. Its address lease is 5 days, domain
name suffix is example.com, DNS server address is 10.1.1.2/25, no WINS server is
configured, and egress gateway address is 10.1.1.129/25.
Figure 4-55 Networking diagram for configuring a global address pool-based DHCP server
using the Layer-3 Ethernet Interfaces
GE1/0/1 GE1/0/2
Layer-2 Trust Trust Layer-2
LAN switch LAN switch
FW
DNS DHCP
Host1 Host2
Server Client
Network: 10.1.1.0/25 Network: 10.1.1.128/25
Configuration Roadmap
The configuration roadmap of DHCP server is as follows:
1. Enable DHCP service.
2. Reserve the IP addresses that have been specified (such as DNS server address, WINS
server address, and two host addresses) to avoid reassigning them.
3. Dynamically allocate IP addresses and other network parameters.
On the network, the FW connects to clients using a Layer 2 switch and multiple
interfaces; therefore, you are advised to assign IP addresses based on global address
pools. To simplify the configuration, you can employ three address pools. Address pool 0
(network segment 10.1.1.0/24) specifies the common attributes of all clients (such as
their domain name suffix and DNS server). Address pool 1 (network segment
10.1.1.0/25) and address pool 2 (network segment 10.1.1.128/25) specify the unique
attributes of each network segment (such as their address ranges, address lease, gateway
addresses, and WINS servers).
NOTE
You can also employ two address pools, pool 1 and pool 2. The two address pools cannot inherit
the configurations of their parent node; therefore, their unique attributes must be configured
separately.
4. To meet the requirement of the hosts for using fixed IP addresses, allocate IP addresses
statically and configure other network parameters.
Create two global address pools 3 and 4, each of which has one IP address (10.1.1.5/25
and 10.1.1.253/25 respectively) for static address allocation. Address pool 3 inherits the
common attributes of address pool 0 and address pool 1. Address pool 4 inherits
common attributes of address 0 and address 2. No other network parameter needs to be
configured for address pools 3 and 4.
5. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically
and Obtain DNS server address automatically on each DHCP client, enabling the
DHCP clients to automatically obtain IP addresses and other network parameters
allocated by the DHCP server.
NOTE
It is recommended to centrally plan and configure important network parameters, such as domain name
suffix, DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network access
errors caused by incorrect configurations of the DHCP client network parameters.
Procedure
Step 1 Enable DHCP service.
<FW> system-view
[FW] dhcp enable
Step 2 Configure the global address pool attributes of the DHCP server.
# Configure the attributes of address pool 1 (the IP address range of the address pool, the
egress gateway, and the address lease).
[FW] ip pool 1
[FW-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[FW-ip-pool-1] domain-name example.com
[FW-ip-pool-1] dns-list 10.1.1.2
[FW-ip-pool-1] excluded-ip-address 10.1.1.4
[FW-ip-pool-1] excluded-ip-address 10.1.1.126
[FW-ip-pool-1] excluded-ip-address 10.1.1.254
# Configure the attributes of address pool 2 (the IP address range of the address pool, the
egress gateway, the WINS server address, and the address lease).
[FW] ip pool 2
[FW-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[FW-ip-pool-2] domain-name example.com
[FW-ip-pool-2] dns-list 10.1.1.2
[FW-ip-pool-2] excluded-ip-address 10.1.1.4
[FW-ip-pool-2] excluded-ip-address 10.1.1.126
[FW-ip-pool-2] excluded-ip-address 10.1.1.254
[FW-ip-pool-2] nbns-list 10.1.1.4
[FW-ip-pool-2] gateway-list 10.1.1.129
[FW-ip-pool-2] lease day 5
[FW-ip-pool-2] quit
# Configure the attributes of address pool 3, and perform IP-MAC address binding in the
address pool.
[FW] ip pool 3
[FW-ip-pool-3] network 10.1.1.5 mask 255.255.255.128
[FW-ip-pool-3] domain-name example.com
[FW-ip-pool-3] dns-list 10.1.1.2
[FW-ip-pool-3] gateway-list 10.1.1.1
[FW-ip-pool-3] lease day 10 hour 12
[FW-ip-pool-3] static-bind ip-address 10.1.1.5 mac-address 0021-97cf-2238
[FW-ip-pool-3] reserved ip-address mac
[FW-ip-pool-3] quit
# Configure the attributes of address pool 4, and perform IP-MAC address binding in the
address pool.
[FW] ip pool 4
[FW-ip-pool-4] network 10.1.1.253 mask 255.255.255.128
[FW-ip-pool-4] domain-name example.com
[FW-ip-pool-4] dns-list 10.1.1.2
[FW-ip-pool-4] nbns-list 10.1.1.4
[FW-ip-pool-4] gateway-list 10.1.1.129
[FW-ip-pool-4] lease day 5
[FW-ip-pool-4] static-bind ip-address 10.1.1.253 mac-address 00e0-4c86-58eb
[FW-ip-pool-4] reserved ip-address mac
[FW-ip-pool-4] quit
Step 3 Specify the interface IP address, and configure the clients under the interface to obtain IP
addresses from global address pools.
# Configure the clients under interface GigabitEthernet 1/0/1 to obtain IP addresses from
global address pools.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.128
[FW-GigabitEthernet1/0/1] dhcp select global
[FW-GigabitEthernet1/0/1] quit
# Configure the clients under interface GigabitEthernet 1/0/2 to obtain IP addresses from
global address pools.
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.1.1.129 255.255.255.128
[FW-GigabitEthernet1/0/2] dhcp select global
[FW-GigabitEthernet1/0/2] quit
Step 4 Add interfaces to corresponding security zones and configure the security policy.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/1
----End
Configuration Verification
1. On any PC on the two network segments where office 1 and office 2 reside, run the cmd
command to enter the DOS environment. Run the ipconfig /all command to verify
whether the client has obtained the network parameters, such as an IP address, default
gateway address, WINS server address, and DNS server address. If the configurations
are correct, host 1 and host 2 are specified with fixed IP addresses.
NOTE
If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to lease the
dynamic IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Windows IP Configuration
2. On the DHCP server FW, run the display dhcp server statistics command to view the
statistics information.
[FW] display dhcp server statistics
Global Pool:
Pool Number: 5
Binding
Auto: 2
Manual: 2
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 46
Dhcp Discover: 16
Dhcp Request: 22
Dhcp Decline: 0
Dhcp Release: 0
Dhcp Inform: 8
Boot Reply: 32
Dhcp Offer: 8
Dhcp Ack: 22
Dhcp Nak: 2
Bad Messages: 0
HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0
Configuration Scripts
Configuration scripts of FW
#
dhcp enable
#
ip pool 1
network 10.1.1.0 mask 255.255.255.128
dns-list 10.1.1.2
domain-name example.com
gateway-list 10.1.1.1
lease day 10 hour 12
#
ip pool 2
network 10.1.1.128 mask 255.255.255.128
dns-list 10.1.1.2
domain-name example.com
gateway-list 10.1.1.129
nbns-list 10.1.1.4
lease day 5
#
ip pool 3
dns-list 10.1.1.2
domain-name example.com
gateway-list 10.1.1.1
lease day 10 hour 12
static-bind ip-address 10.1.1.5 mac-address 0000-e03f-0305
#
ip pool 4
dns-list 10.1.1.2
domain-name example.com
gateway-list 10.1.1.129
nbns-list 10.1.1.4
lease day 5
4.7.6.3 CLI Example for Configuring a Global Address Pool-based DHCP Server
(Using Sub-interfaces)
After learning this configuration example, you can understand how to use theFW sub-
interfaces to configure a DHCP server based on global address pools, and enable the DHCP
server to provide services for DHCP clients on VLANs, including dynamic address allocation,
egress gateway address, DNS server address, and WINS server address.
Networking Requirements
An enterprise attempts to divide different VLANs for different departments using a Layer 2
switch. To save resources, the FW works as the DHCP server to specify network parameters
to all hosts on VLANs, including allocating IP addresses, configuring domain names, DNS
server addresses, WINS server addresses, and egress gateway addresses.
As shown in Figure 4-56, the FW connects to the Layer 2 switch using interface
GigabitEthernet 1/0/1, and divides interface GigabitEthernet 1/0/1 to two subinterfaces that
connect to VLAN 10 and VLAN 20 respectively.
NOTE
To focus on how to assign IP addresses to DHCP clients on VLANs using sub-interfaces, this section
highlights a part of the network.
l Two servers are specified with fixed IP addresses: 10.1.2.2/24 and 10.1.1.4/24.
l For hosts on VLAN 10, their address lease is 10 days and 12 hours, domain name is
example.com, DNS server address is 10.1.2.2/24, WINS server address is 10.1.1.4//24,
and egress gateway address is 10.1.1.1/24.
l For hosts on VLAN 20, their address lease is 5 days, domain name is example.com, DNS
server address is 10.1.2.2/24, no WINS server is configured, and egress gateway address
is 10.1.2.1/24.
Figure 4-56 Networking diagram for configuring a global address pool-based DHCP server
using subinterfaces
WINS server
DHCP client
10.1.1.4/24
VLAN10
FW
GE1/0/1.1
Layer-2 Trust
LAN switch GE1/0/1.2
Trust
DHCP
VLAN20 server
10.1.2.2/24
DHCP client
DNS server
Configuration Roadmap
The configuration roadmap is as follows:
1. To assign IP addresses and specify network parameters for DHCP clients on VLANs
using interfaces, you need to configure the following items on DHCP servers.
a. Enable the DHCP service.
b. Dynamically allocate IP addresses and other network parameters.
You can employ two address pools, address pool 1 (network segment 10.1.1.0/24)
and address pool 2 (network segment 10.1.2.0/24) specify the unique properties of
each network segment (such as their address ranges, address lease, gateway
addresses, and WINS servers).
Both the two IP address pools specify the common properties of all clients (such as
their domain name suffix and DNS server). In addition, you need to reserve the IP
addresses that have been specified (such as DNS server address and WINS server
address) to avoid reassigning them.
c. Associate two sub-interfaces to VLAN 10 and VLAN 20. Enable global address
pools for the two sub-interfaces.
2. Set the switch interface connected to the FW as a Trunk interface. Add the switch
interfaces connected to PCs to related VLANs in default mode. (The configuration
procedure is not mentioned here. )
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically
and Obtain DNS server address automatically on each DHCP client, enabling the
DHCP clients to automatically obtain IP addresses and other network parameters
allocated by the DHCP server.
NOTE
It is recommended to centrally plan and configure important network parameters, such as domain name
suffix, DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network
access errors caused by incorrect configurations of the DHCP client network parameters.
Procedure
Step 1 Enable DHCP service.
<FW> system-view
[FW] dhcp enable
Step 2 Configure the global address pool attributes of the DHCP server.
# Configure the IP address pool 1.
[FW] ip pool 1
[FW-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[FW-ip-pool-1] excluded-ip-address 10.1.1.4
[FW-ip-pool-1] excluded-ip-address 10.1.2.2
[FW-ip-pool-1] domain-name example.com
[FW-ip-pool-1] dns-list 10.1.2.2
[FW-ip-pool-1] gateway-list 10.1.1.1
[FW-ip-pool-1] nbns-list 10.1.1.4
[FW-ip-pool-1] lease day 10 hour 12
[FW-ip-pool-1] quit
Step 3 Configure sub-interfaces, and assign IP addresses and specify network parameters to clients in
VLANs.
Step 4 Add interfaces to corresponding security zones and configure the security policy.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/1.1
[FW-zone-trust] add interface GigabitEthernet 1/0/1.2
[FW-zone-trust] quit
[FW] security-policy
[FW-policy-security] rule name sec_policy
[FW-policy-security-rule-sec_policy] source-zone trust
[FW-policy-security-rule-sec_policy] source-zone local
[FW-policy-security-rule-sec_policy] destination-zone local
[FW-policy-security-rule-sec_policy] destination-zone trust
[FW-policy-security-rule-sec_policy] action permit
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol
(TCP/IP) Properties window is displayed. Select Obtain an IP address automatically
and Obtain DNS server address automatically.
----End
Configuration Verification
1. On any PC on a VLAN, run the cmd command to enter the DOS environment. Run the
ipconfig /all to verify whether the client has obtained the network parameters, such as an
IP address, default gateway address, WINS server address, and DNS server address.
NOTE
If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to lease the
dynamic IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Windows IP Configuration
2. On the DHCP server FW, run the display dhcp server statistics command to view the
statistics information.
[FW] display dhcp server statistics
Global Pool:
Pool Number: 3
Binding
Auto: 2
Manual: 0
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 131
Dhcp Discover: 125
Dhcp Request: 5
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 38
Dhcp Offer: 33
Dhcp Ack: 5
Dhcp Nak: 0
Bad Messages: 0
HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0
Configuration Scripts
Configuration scripts of FW:
#
dhcp enable
#
ip pool 1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.4
excluded-ip-address 10.1.2.2
dns-list 10.1.2.2
domain-name example.com
gateway-list 10.1.1.1
nbns-list 10.1.1.4
lease day 10 hour 12 minute 0
#
ip pool 2
network 10.1.2.0 mask 255.255.255.0
excluded-ip-address 10.1.1.4
excluded-ip-address 10.1.2.2
dns-list 10.1.2.2
domain-name example.com
gateway-list 10.1.2.1
lease day 5 hour 0 minute 0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.2
vlan-type dot1q 20
ip address 10.1.2.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1.1
add interface GigabitEthernet1/0/1.2
#
security-policy
rule name sec_policy
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return
Networking Requirements
The IP address plan of a department on the network shown in Figure 4-57 is as follows:
A DHCP relay agent needs to be deployed on the same network segment as a DHCP client to
connect the DHCP client and server across network segments. DHCP relay enables the DHCP
client to request the DHCP server for configurations, such as the IP address and DNS server
address.
Trust DMZ
DHCP Client FW_A FW_B
(DHCP Relay) (DHCP Server)
GE1/0/1
10.1.1.2/24
GE1/0/1 GE1/0/2
192.168.20.1/24 10.1.1.1/24
FTP server
0021-97cf-2238
Configuration Roadmap
The configuration roadmap is as follows:
1. To enable the DHCP server to assign network parameters, including an IP address, to the
DHCP client across different network segments, configure an available IP address range
(includes the DHCP relay interface address) on FW_B and specify DHCP client
parameters, such as an egress gateway, a domain name suffix, and a DNS server address.
a. Enable DHCP.
b. Configure dynamic IP address allocation and other network parameters assigned to
the DHCP client.
c. Configure static IP address allocation and other network parameters assigned to the
FTP server.
d. Configure a route between the DHCP server and the relay interface.
2. Enable the DHCP relay function on FW_A to enable communication between the DHCP
client and server across different network segments:
a. Enable DHCP.
b. Specify a DHCP server IP address on the relay interface.
Procedure
Step 1 Configure the IP addresses for the interface of FW_B and assign the interface to the specified
security zone.
<FW> system-view
[FW] sysname FW_B
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.1.1.2 255.255.255.0
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] firewall zone dmz
[FW_B-zone-trust] add interface GigabitEthernet 1/0/1
[FW_B-zone-trust] quit
3. Configure the clients under the interface GigabitEthernet 1/0/1 to obtain IP addresses
from global address pools.
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] dhcp select global
[FW_B-GigabitEthernet1/0/1] quit
4. Add a static route between the DHCP server and the DHCP relay interface, enabling the
two are routable to each other.
NOTE
The IP address of the DHCP relay interface and the IP address of the DHCP server reside on
different network segments, you need to configure a static route or employ a dynamic route
protocol on the DHCP server to route the DHCP relay interface and the DHCP server.
[FW_B] ip route-static 192.168.20.1 255.255.255.0 10.1.1.1
Step 3 Configure the IP addresseses for the interfaces of FW_A and assign the interfaces to the
specified security zones.
<FW> system-view
[FW] sysname FW_A
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 192.168.20.1 255.255.255.0
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.2 255.255.255.0
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/1
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
2. Specify a DHCP server address and enable the relay interface configurations.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip relay address 10.1.1.2
[FW_A-GigabitEthernet1/0/1] dhcp select relay
[FW_A-GigabitEthernet1/0/1] quit
Step 5 Add interfaces to corresponding security zones and configure interzone packet filtering to
ensure normal network communication. Details are omitted.
NOTE
To realize mutual access between the DHCP relay and the DHCP server, you need to configure the
packet filtering on the FW for the interzone between the Local zone and the zone where the DHCP client
resides to allow packets through. To realize mutual access between the DHCP client and the DHCP
relay, as well as between the DHCP relay and the DHCP server, you need to configure the packet
filtering on FW_A and FW_B for the interzone between the Local zone and the zone where the interface
resides to allow packets through.
----End
Configuration Verification
1. On any PC in the department, press Start > Run and enter cmd to display the DOS
screen. Run the ipconfig /all command to view the network parameters obtained by the
client, such as an IP address, a default gateway address, a WINS server address, and a
DNS server address. Also, verify that the FTP server has obtained a fixed IP address
192.168.20.254.
NOTE
If the DHCP client obtains incomplete information (for example, only the IP address is obtained),
run the ipconfig /release command to lease the dynamic IP address, and run the ipconfig /renew
command to apply for a new IP address and other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Ethernet adapter Local Area Connection:
2. Check the address lease duration list of the DHCP server to determine whether the
DHCP server assigns IP addresses to the PC and FTP server on the LAN.
a. Choose Network > DHCP Server > Monitor.
b. Verify the client IP address assigned by the DHCP server.
Configuration Scripts
Configuration scripts of FW_A
#
sysname FW_A
#
interface GigabitEthernet1/0/1
ip address 192.168.20.1 255.255.255.0
ip relay address 10.1.1.2
dhcp select relay
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
security-policy
rule name sec_policy_1
source zone local
source zone dmz
destination zone local
destination zone dmz
action permit
#
security-policy
rule name sec_policy_2
source zone local
source zone trust
destination zone local
destination zone trust
action permit
#
return
dns-list 3.3.3.3
domain-name example.com
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.2 255.255.255.0
dhcp select global
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 192.168.20.0 255.255.255.0 10.1.1.1
#
security-policy
rule name sec_policy
source zone local
source zone dmz
destination zone local
destination zone dmz
action permit
#
return
Applicable Products
USG6000V
Networking Requirements
Figure 4-58 shows that a FW functions as an egress gateway and connect PCs in an intranet
to the Internet. The network plan is as follows:
Figure 4-58 Networking diagram for accessing the Internet using DHCP
Trust Untrust
PC FW
Intranet
GE1/0/3 GE1/0/1
10.3.0.1/24 DHCP Client
DHCP Server
PC
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on GigabitEthernet 1/0/1 of the FW to obtain a client
IPv4 address and a DNS server address from a DHCP server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3 that connects the FW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the FW.
4. Set the IP addresses of the PCs' gateway and a DNS server to 10.3.0.1. This example
provides the configuration procedure on the FW. The configuration procedure for the
PCs is not provided.
NOTE
After the FW obtains an IPv4 address from a DHCP server, the DHCP server issues a default route to the
FW that function as a DHCP client. The next hop of the default route is a carrier's device. Therefore,
there is no need to configure a default route.
Procedure
Step 1 Configure the IP address of the interface and assign the interfaces to the security zones.
<FW> system-view
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
Step 4 Configure a security policy to allow the PCs to access the Internet.
[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0/24
[FW-policy-security-rule-policy_sec_1] egress-interface GigabitEthernet1/0/1
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
[FW-policy-security] quit
Step 5 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] destination-zone untrust
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat_1] action nat easy-ip
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up, the
connection type is DHCP, and the interface obtained an IPv4 address.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
dns resolve
dns server unnumbered interface GigabitEthernet1/0/1
#
dns proxy enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address dhcp-alloc
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 preference 245
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return
4.7.7.1 Specifications
This section describes DHCP specifications.
Function Specifications
Function Description Supported or Not
Configuring the device to The device can serve as a Supported by all models.
serve as a DHCP server DHCP server and allocate
IP addresses to DHCP
clients.
Global address pool The device can serve as the Supported by all models.
DHCP server and allocate
IP addresses in a global
address pool to DHCP
clients.
Interface address pool The device can serve as the Supported by all models.
DHCP server and allocate
IP addresses in an interface
address pool to DHCP
clients.
Static and dynamic address Static address allocation Supported by all models.
allocation refers to allocating fixed IP
addresses to some clients.
Configuring the device to The DHCP client can Supported by all models.
serve as a DHCP relay communicate with a DHCP
server on a different
network segment through
the DHCP relay and obtain
an IP address from the
server.
Configuring the device to The device can serve as a Supported by all models.
serve as a DHCP client DHCP client and obtain
parameters, such as an IP
address from the DHCP
server.
Performance Specifications
Function Sub-Function Specifications
4.8.1 Overview
DHCP snooping defends against the attacks launched using DHCP messages.
Definition
The Dynamic Host Configuration Protocol (DHCP) snooping, a DHCP security feature, filters
untrusted DHCP messages by creating and maintaining a binding table. This binding table
contains the following items:
l MAC addresses
l IP addresses
l IP leases
l Binding types
l VLAN IDs
l Interface information
DHCP snooping acts as a firewall between a DHCP client and a DHCP server.
Objective
DHCP snooping is used to prevent the following problems:
l DHCP denial of service (DoS) attacks
L3 network
Untrusted
User network
DHCP
Snooping L3
enable network
Trusted
Untrusted
DHCP Relay
L2
network DHCP Server
User network
4.8.2 Mechanism
This section describes the mechanism of Dynamic Host Configuration Protocol (DHCP)
snooping.
DHCP Client
DHCP pseudo Server
To prevent bogus DHCP server attacks, configure DHCP snooping, which works in either
trusted or untrusted mode.
You can configure a trusted or untrusted physical or VLAN interface. DHCPRESPONSE
messages (Offer, ACK, or NAK messages) received by an untrusted interface are directly
discarded to prevent bogus DHCP server attacks. Figure 4-62 shows DHCP snooping that
works in trusted or untrusted mode.
Untrusted
DHCP pseudo
Server
Middleman Attacks
A middleman sends a packet carrying its own MAC address and the IP address of a DHCP
server. Upon receipt, the client learns the IP and MAC addresses and considers the middleman
as a DHCP server and sends all packets to the middleman, not the DHCP server. After
receiving the packets, the middleman forwards the packet carrying its own MAC and IP
addresses to the server. The DHCP server learns the IP and MAC address and considers the
middleman a client. The DHCP server sends packets to the middleman, not the client. Figure
4-63 shows a middleman attack.
A middleman relays data between the DHCP server and client. The DHCP server and client
assume that they have exchanged packets with each other.
Middleman
(2) (1)
10.1.1.2/32
MAC:2-2-2
10.1.1.3/32 10.1.1.2/32
MAC:3-3-3 MAC:2-2-2
Attacker DHCP Client
A DHCP snooping binding table can be used to prevent IP/MAC spoofing and middleman
attacks.
When an interface receives an ARP or IP packet, the interface matches the source IP and
MAC addresses of the packet with entries in a local DHCP snooping binding table. Packets
that match the entries are forwarded, whereas unmatched packets are discarded. Figure 4-65
shows data transmission based on a DHCP snooping binding table.
ARP packets or IP packets sent by clients with static IP addresses are discarded. This is
because these clients do not obtain IP addresses by sending DHCPREQUEST messages, and
no DHCP snooping binding entry exists for them. As a result, these clients are prevented from
accessing the network illegally. To allow the users with statically allocated IP addresses to
access the network, configuring a static DHCP snooping binding table is mandatory.
Similarly, packets from a client that embezzle a legal IP address of other clients are discarded.
The client does not obtain IP addresses by sending DHCPREQUEST messages. Hence the
MAC address and interface information in the DHCP snooping binding table corresponding to
the IP address are inconsistent with those of the embezzler. In this way, these clients are
prevented from accessing the network illegally.
Entries in a DHCP snooping binding table are classified into the following types:
l Static entries: manually configured on a FW. These entries can only be manually deleted.
l Dynamic entries: automatically learned by a FW using DHCP snooping. These entries
age after IP address leases expire.
Dynamic entries in a DHCP snooping binding table are automatically generated based on
DHCPACK messages sent by a DHCP server. The procedure for generating dynamic entries is
as follows:
l On a Layer 2 device:
– An Option 82-enabled Layer 2 device receives a DHCPREQUEST message and
appends Option 82 to the message. The Layer 2 device determines an outbound
interface to which a DHCPRESPONSE message is sent based on Option 82 and
generates a DHCP snooping binding entry.
– An Option 82-disabled Layer 2 device identifies interface information in messages
based on a MAC address table.
l On a Layer 3 device
A device obtains the IP address of an untrusted interface assigned by a DHCP server, the
MAC address of the interface, and the interface through which messages pass by
monitoring a DHCPRESPONSE message. An IP and MAC binding entry of the
untrusted interface is then generated. The dynamic binding entry has the same lease as
the IP address of the client. After the lease expires or the client releases the IP address,
the entry is automatically deleted.
Filename-128 bytes
DHCP Options
To prevent DoS attacks, enable DHCP snooping to check the CHADDR field in a
DHCPREQUEST message. If the CHADDR field matches the source MAC address in the
frame header, the message is forwarded. If the CHADDR field does not match the source
MAC address, the message is discarded.
Option 82
l Format of a packet with an Option 82 field
Option 82 is a DHCP Relay Agent Information option that records location information
about a DHCP client. It is a special field contained in a DHCP message.
When a DHCPREQUEST message sent by a DHCP client passes through a DHCP relay
agent, the relay agent adds an Option 82 field to this DHCPREQUEST message. Upon
receipt, a DHCP server replies with a DHCPRESPONSE message containing the same
Option 82 field to the DHCP relay agent. The DHCP relay agent then determines for
which interface the DHCPRESPONSE message is destined based on the Option 82 field.
Figure 4-67 shows the format of a DHCP message with Option 82 field.
82 N i1 i2 i3 i4 i5 … iN
1 N a1 a2 a3 a4 a5 … aN
2 N b1 b2 b3 b4 b5 … bN
9 N c1 c2 c3 c4 c5 … cN
MAC binding entries based on Option 82. The following describes how to use Option 82
on Layer 2 devices and Layer 3 devices.
l Option 82 appended by a Layer 2 device
The client shown in Figure 4-69 accesses a Layer 2 device, and the Layer 2 device
connects the client to the DHCP relay agent and server over a Layer 2 network.
If DHCP snooping is enabled on the Layer 2 device, the Layer 2 interface may receive
broadcast DHCPRESPONSE messages. Upon receipt, the Layer 2 device performs the
following operations:
– Searches for a VLAN based on the MAC address carried in each message.
– Determines an outbound interface for the message.
– Generates an entry for the binding between the IP and MAC address.
If the DHCP Option 82 function is enabled, the Layer 2 device can monitor DHCP
messages and append Option 82 to a DHCPDISCOVERY message. After receiving a
DHCPDISCOVERY message, a DHCP server replies with the DHCPRESPONSE
message carrying Option 82. The Layer 2 device determines the interface to which the
DHCPRESPONSE message is sent based on Option 82 and generates DHCP snooping
binding entries. The Layer 2 device removes Option 82 before forwarding the
DHCPRESPONSE message to the client.
Discover
Discover+Option82
Offer+Option82
Offer
Request
Request+Option82
Ack+Option82
Ack
Data exchange
After Option 82 is enabled on the DHCP relay agent shown in Figure 4-70, the DHCP
relay agent appends Option 82 to the DHCPREQUEST message to a DHCP server. The
DHCP server assigns an IP address and delivers network parameters based on Option 82.
The DHCP server also adds Option 82 into a DHCPRESPONSE message sent to the
DHCP relay agent. After the DHCPRESPONSE message arrives, the DHCP relay agent
removes Option 82 before forwarding the message to a client.
Discover
Discover+Option82
Offer+Option82
Offer
Request
Request+Option82
Ack+Option82
Ack
Data exchange
l Option 82 implementation
After the Option 82 function is enabled, a DHCP relay agent must check whether an
Option 82 field is carried in a DHCPREQUEST message sent by a client.
– If the DHCPREQUEST message contains an Option 82 field, the agent checks the
mode Option 82 information was added in:
n Rebuild mode: The agent does not trust the Option 82 field contained in the
received message and modifies Sub-option 1 contained in the Option 82 field.
n Insert mode: The agent trusts the Option 82 field contained in a received
message and does not need to modify Sub-option 1 contained in the Option 82
field. The agent checks whether there is Sub-option 9. If Sub-option 9 is not
contained, the agent adds Sub-option 9 to the message. If the message contains
Sub-option 9, the agent checks whether this option contains the Device
Identifier field. If there is no Device Identifier field, the agent adds the field
that follows the manufacturer information field in the message.
– If the DHCPREQUEST message does not contain an Option 82 field, the agent
adds an Option 82 field with Sub-option 1, regardless of the Insert or Rebuild mode.
The agent checks whether the message contains Sub-option 1 or Sub-option 9 and
whether a sub-option contains the Device Identifier field. If the message contains Sub-
option 1 or Sub-option 9 or if a sub-option contains the Device Identifier field, the agent
properly parses the Option 82 field. It strips the Device Identifier field off Sub-option 1
or Sub-option 9 before forwarding the DHCPRESPONSE message.
Prerequisites
Before preventing a bogus DHCP server attack on a Layer 2 interface, configure a DHCP
server.
Context
NOTE
Procedure
Step 1 Access the system view.
system-view
DHCP messages sent by the trusted VLAN and interface are all forwarded properly.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.
Prerequisites
Before preventing a bogus DHCP server attack on a device, complete the following tasks:
Context
Note the following issues
l When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP
server is trusted by default.
l When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is
untrusted by default.
The device discards messages sent by the untrusted VLAN or interface. To configure the
VLAN or interface to be trusted, run the dhcp snooping trusted command.
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on a specified interface.
Prerequisites
Before preventing the man-in-the-middle and IP/MAC spoofing attacks on a Layer 2
Interface, configure a DHCP server.
Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.
NOTE
l If an IP address is dynamically assigned to a client, a device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This binding table requires no
configuration.
l If an IP address is statically assigned to a client, a device cannot automatically learn the MAC
address of the client or generate an IP and MAC binding entry. You need to create IP and MAC
binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may
occur:
l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server
properly. By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC
addresses with entries in the DHCP snooping binding table and verify information about the
MAC, IP, interface and VLAN.
Procedure
Step 1 Access the system view.
system-view
DHCP messages sent by the trusted VLAN and interface are all forwarded properly.
A binding table with accurate interface information can be created after Option 82 is enabled.
Step 10 Configure how to process the IP and ARP packets if the DHCP snooping binding table does
not contain mapping entries.
1. Specify a rule for processing mismatching packets in the VLAN view.
dhcp snooping nomatch-packet { arp | ip } action { forward | discard }
interface interface-type interface-number
If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.
Prerequisites
Before preventing the man-in-the-middle and IP/MAC spoofing attacks on a Layer 3
Interfaces, complete the following tasks:
Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.
NOTE
l If an IP address is dynamically assigned to a client, a device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This binding table requires no
configuration.
l If an IP address is statically assigned to a client, a device cannot automatically learn the MAC
address of the client or generate an IP and MAC binding entry. You need to create IP and MAC
binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:
l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server
properly. By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC
addresses with entries in the DHCP snooping binding table and verify information about the
MAC, IP, interface and VLAN.
l If they do not match, the packet is discarded.
l If they totally match, the packet is forwarded.
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
Step 3 Access the interface view.
interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to DHCP
messages. If the message carries Option 82, Sub-option 9 is added to DHCP messages.
l Enable the device to forcibly add Option 82 into packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on an interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.
If the following results are displayed, the configuration is successful:
l DHCP snooping is enabled in both the system and interface views.
l Option 82 is enabled on the interface.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and the matching MAC and IP addresses in the DHCP snooping binding
table are displayed.
<sysname> display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping
enable
dhcp snooping
trusted
Procedure
Step 1 Access the system view.
system-view
Step 6 Enable the device to check CHADDRs of packets from a specified VLAN.
dhcp snooping check dhcp-chaddr enable interface interface-type interface-number
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.
If the following results are displayed, the configuration is successful:
l DHCP snooping is enabled in both the system and interface views.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<sysname> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping check dhcp-chaddr enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
Prerequisites
Before preventing the attacker from changing CHADDR through a Layer 3 device, complete
the following tasks:
l Configure the DHCP server.
l Configure a DHCP relay agent.
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
Step 3 Access the interface view.
interface interface-type interface-number
Enable checking CHADDRs. The device compares the CHADDR field in the received DHCP
Request message with the source MAC address in the frame header. If they are inconsistent,
the received DHCP request message is considered as an attack packet and is directly
discarded.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated when Enable DHCP snooping. The static entries, however, require to
be manually configured.
NOTE
l If the IP address is dynamically assigned to the client, the device automatically learns the MAC
address of the client and generates IP and MAC binding table. This binding table requires no
configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client and the IP/MAC binding table cannot be generated. You need to create IP and
MAC binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:
l If the packet without a matching entry is set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If the packet without a matching entry is set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC
addresses with entries in the DHCP snooping binding table and verify information about the
MAC, IP, interface and VLAN.
Procedure
Step 1 Access the system view.
system-view
Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable
Step 8 Enable the device to check DHCP Request messages from a specified VLAN.
dhcp snooping check dhcp-request enable interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to DHCP
messages. If the message carries Option 82, Sub-option 9 is added to DHCP messages.
l Enable the device to forcibly add Option 82 into packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
A binding table with accurate interface information can be created after Option 82 is enabled.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.
Prerequisites
Before preventing the attacker from sending bogus messages for extending IP leases,
complete the following tasks:
Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated when Enable DHCP snooping. The static entries, however, require to
be manually configured.
NOTE
l If the IP address is dynamically assigned to the client, the device automatically learns the MAC
address of the client and generates IP and MAC binding table. This binding table requires no
configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client and the IP/MAC binding table cannot be generated. You need to create IP and
MAC binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may
occur:
l If the packet without a matching entry is set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If the packet without a matching entry is set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC
addresses with entries in the DHCP snooping binding table and verify information about the
MAC, IP, interface and VLAN.
Procedure
Step 1 Access the system view.
system-view
Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable
l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces
Step 7 Enable the device to check DHCP Request messages sent by a specified interface.
dhcp snooping check dhcp-request enable
A binding table with accurate interface information can be created after Option 82 is enabled.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table {ip-address ip-address | mac-address mac-
address | static | dynamic | all } command to view information about the DHCP
snooping binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on the interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.
Prerequisites
Before configuring alarms about discarded packets, complete the following tasks:
Procedure
Step 1 Access the system view.
system-view
Step 4 Set the alarm threshold of the maximum number of discarded packets.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-
id [ interface interface-type interface-number ] } command to view DHCP snooping
information on a specified interface.
Resetting the DHCP snooping binding table results in information loss in the binding table. Perform the
resetting of the DHCP snooping binding table with caution.
Table 4-51 lists the commands run in the system view to maintain a DHCP snooping binding
table.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete,
run the undo debugging all command to disable the debugging immediately.
Networking Requirements
DHCP clients access the DHCP relay agent on the network shown in Figure 4-71. DHCP
snooping needs to be configured on Layer 3 interfaces GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2 on FW. The interface on the DHCP client side is untrusted, and the
interface on the DHCP server agent side is trusted.
In such a case, FW is capable of preventing the following attacks:
l Bogus DHCP server attack
l Middleman attack or IP/MAC address attack
l DoS attack by changing CHADDR
l Attack by generating bogus DHCP messages to extend IP leases
DHCP client1 uses the dynamically allocated IP address, and DHCP client2 uses the statically
configured IP address.
Figure 4-71 Networking diagram for configuring DHCP snooping on the device
DHCP Server
10.11.1.2/24
Trusted
GE1/0/2
NGFW
10.11.1.1/24
DHCP Relay
Trust
GE1/0/1
Untrusted 10.1.1.254/24
Trust
Switch
DHCP Client2
DHCP
IP:10.1.1.1/24
Client1
mac:00e0-fc5e-008a
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure DHCP snooping binding tables and enable matching ARP packets, IP packets,
and DHCPREQUEST messages with entries in the DHCP snooping tables to prevent
middleman attack or IP/MAC address attacks and bogus DHCP messages to extend IP
leases.
4. Configure CHADDR check to prevent attackers from changing CHADDRs in the
messages.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the network management station (NMS).
Procedure
Step 1 Configure basic DHCP relay function.
# Assign an IP address to GigabitEthernet 1/0/2.
<FW> system-view
[FW] sysname DHCP-Relay
# Configure the sub-interface on which the DHCP relay agent is to be enabled and configure
the IP address and mask for the sub-interface. Ensure that the sub-interface and the DHCP
client must be at the same network segment.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] ip address 10.1.1.254 24
[DHCP-Relay-GigabitEthernet1/0/1] dhcp select relay
[DHCP-Relay-GigabitEthernet1/0/1] ip relay address 10.11.1.2
[DHCP-Relay-GigabitEthernet1/0/1] quit
Step 4 Enable the interface to check specified types of packets and configure DHCP snooping
binding tables.
# Check ARP and IP packets on the interfaces on the DHCP client side to prevent IP/MAC
spoofing attacks.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check ip enable
# Enable the interfaces on the DHCP client side to check DHCPREQUEST messages to
prevent attackers from sending bogus DHCP messages to extend IP leases.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-request enable
# Enable checking CHADDRs on the interfaces on the DHCP client side to prevent attackers
from changing CHADDRs in the messages.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable
Step 7 Configure behaviors to process packets that do not match the entries.
# Configure the global behaviors to process ARP and IP packets that do not match the entries.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard
# Configure behaviors to process the ARP and IP packets that do not match the entries on the
interface.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet ip action discard
----End
Result
l Run the display dhcp snooping global command on the DHCP relay agent. You can see
that DHCP snooping is enabled in the system and interface views. You can also view
statistics about alarms sent to the NMS.
[DHCP-Relay] display dhcp snooping global
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
Configuration Script
#
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 40
#
sysname DHCP-Relay
#
interface GigabitEthernet1/0/1
ip address 10.1.1.254 255.255.255.0
ip relay address 10.11.1.2
dhcp select relay
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping nomatch-packet arp action discard
dhcp snooping check ip enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping alarm dhcp-reply enable
4.8.10.1 Specifications
This section provides DHCP snooping specifications.
Function Specifications
Function Description Supported or Not
Static DHCP Snooping You can manually configure Supported by all models.
binding table to generate the DHCP
Snooping binding table. The
contents of the binding table
include IP addresses, MAC
addresses, VLAN ID and
interface information.
Management of DHCP You can add, delete, modify, Supported by all models.
Snooping binding table query, save or restore the
dynamic or static DHCP
Snooping binding table by
commands.
Defense against attacks If the attacker changes the Supported by all models.
launched by changing the Client Hardware Address
CHADDR value (CHADDR) value of DHCP
packets instead of changing
the source MAC address of
the data frame header to
continuously apply for an IP
address, you can use the
function of checking the
CHADDR field in the
DHCP request packets by
DHCP Snooping. If the field
matches the source MAC
address of the data frame
header, the packet is
forwarded; otherwise, the
packet is discarded.
Processing and generating The process modes for IP Supported by all models.
alarms for illegitimate IP packets and ARP packets
packets and ARP packets which cannot be matched by
any entries in the DHCP
Snooping binding table can
be specified. The alarm
threshold for illegitimate IP
packets and ARP packets
can also be set.
Performance Specifications
None
4.9.1 Overview
A MAC address table is an interface-based Layer 2 forwarding table. It stores information
about the MAC addresses learned by a device.
MAC A MAC C
MAC B MAC D
Port 1 Port 2
NGFW
When forwarding packets, the FW takes the following measures based on the mapping
between the destination MAC address in the received packet and the entry in the MAC
address table:
l If a mapping entry exists, the FW directly forwards the packet through the corresponding
port.
l If no mapping entry exists, the FW forwards the packet in broadcast mode.
After the broadcast packet is sent, the following situations may occur:
– The packet reaches the device with the destination MAC address. The destination
device replies to the broadcast packet, and the MAC address of the destination
device is included in the reply packet (namely, the source MAC address of the reply
packet).
After receiving the reply packet, the FW learns the source MAC address of the
reply packet and adds the MAC address to the MAC address table.
Therefore, packets with the source MAC address of the reply packet as the
destination MAC address are directly forwarded based on the entry.
– The packet cannot reach the device with the destination MAC address, the FW
broadcasts the packet.
4.9.2.1 Configuring the MAC Address Table Based on the VLAN and Layer 2
Interface
If user networks are connected through Layer 2 devices and do not forward data through
Layer 3 routing, you can configure a MAC address table based on Layer 2 interfaces and
VLANs for data forwarding. Thus, user networks can communicate with each other.
Context
To enhance the security of an interface and to prevent the invalid users from accessing the
interface, the network administrator can manually configure static MAC address entries and
bind MAC addresses to the interface, or discard the packets with specified destination MAC
addresses. The interface to which the MAC addresses are bound must be a Layer 2 interface,
and must be added to a specified VLAN, or the interface allows the packets with specified
VLAN IDs to pass through.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id [ ce-
vlan ce-vlan ]
You can add only unicast MAC addresses rather than multicast MAC addresses and special
MAC addresses to a MAC address table. Special MAC addresses are reserved for special
usage, such as MAC addresses of special packets.
The interface type can be physical interface such as Ethernet interface and GE interface, or
logical interface such as Eth-Trunk interface and MAC-Tunnel. The interface specified in the
this command must be an outbound interface for Layer 2 forwarding.
The vlan-id must be associated with ports. That is, the VLAN contains the port. Alternatively,
this interface allows the VLAN to pass through.
Step 3 Run:
mac-address blackhole mac-address vlan vlan-id
----End
Context
After the aging time of MAC address entries is configured, the dynamic MAC address entries
are automatically deleted if the aging time expires.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address aging-time seconds [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]
the value can be zero or an integer ranging 10 to 1,000,000, in second. The default value is
300.
----End
Context
A limit rule for learning dynamic MAC addresses is applicable to insecure networks with
fixed access users, such as cell access network or intranet that lacks security management.
When the number of access users reaches the upper limit, the MAC addresses of new users
cannot be learned, and the packets of the new users are discarded.
NOTICE
Before configuring a limit rule for learning dynamic MAC addresses, if learned MAC
addresses exist on the port, run the undo mac-address dynamic command in the system view
to clear the MAC addresses. If this command is not run, the limit rule cannot function
properly.
Procedure
Step 1 Access the system view.
system-view
NOTE
LPUF-21 and LPUF-40-A do not support to configure this function.
----End
Display the limit rules for learning display mac-limit [ interface-type interface-
MAC addresses. number ]
4.9.4.1 Example for Configuring the MAC Address Table Based on the Interface
and VLAN
In this networking, the network administrator binds MAC addresses of user devices to the
access interface, which can prevent invalid users from accessing the network through other
switching devices.
Networking Requirements
A device learns source MAC addresses and then creates a MAC address table. MAC address
learning, however, cannot identify whether the packets are from legal users or hackers, which
brings security threats.
To improve interface security, a network administrator can manually add specific MAC
address entries to the MAC address table. The MAC addresses of user devices and interfaces
are then bound to prevent illegal users from obtaining data.
On the network shown in Figure 4-73, static MAC address entries can be configured to be
bound to interfaces, preventing attacks.
Figure 4-73 Networking diagram of configuring the MAC address table based on the
interface and VLAN
FW
GE1/0/1 GE1/0/2
Switch1 Switch2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switch, and plan the VLAN where the users reside.
2. Configure interface attributes, and associate each interface with the VLAN on the FW.
3. Configure static MAC address entries on the FW, and bind them to interfaces.
Data Preparation
To complete the configuration, you need the following data:
l User VLAN ID
l MAC address of each CE
In this example, Switch1's MAC address is 0011-2233-44aa, and Switch2's MAC
address is 0011-2233-44bb.
Procedure
Step 1 Configure the switch, and plan the VLAN where the users reside.
For details on switch configuration, refer to related product manuals.
Step 2 Configure interface attributes and associate the interface to the VLAN.
# Create VLAN 2.
<FW> system-view
[FW] vlan 2
[FW-vlan2] quit
# After completing the preceding configurations, run the display mac-address static
command on the PE. The configured static MAC address entries are displayed.
[FW] display mac-address static
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
0011-2233-44aa 2 - - GE1/0/1 static -
0011-2233-44bb 2 - - GE1/0/2 static -
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 2
----End
Configuration Files
Configuration file of FW
#
sysname FW
#
vlan batch 2
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 2
#
mac-address static 0011-2233-44aa GigabitEthernet1/0/1 vlan 2
mac-address static 0011-2233-44bb GigabitEthernet1/0/2 vlan 2
#
return
4.9.5.1 Specifications
This section describes the related specification of MAC address table.
Function Specifications
Function Description Supported or Not
Performance Specifications
Function Specifications
4.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure
ARP, as well as provides configuration examples.
4.10.1 Overview
The Address Resolution Protocol (ARP) is at the link layer of the TCP/IP protocol suite. An
Ethernet device must support ARP. ARP dynamically map Layer 3 IP addresses and Layer 2
Medium Access Control (MAC) addresses.
Definition
ARP maps IP addresses to MAC addresses. ARP entries are classified as static and dynamic
ARP entries. In addition, ARP provides extension application functions, such as proxy ARP
and gratuitous ARP.
Objective
Each host or device in a local area network (LAN) has a 32-bit IP address for communicating
with other hosts. IP addresses are independent of hardware addresses. On an Ethernet, a host
or a router transmits Ethernet frames based on 48-bit MAC addresses. A MAC address is also
called a physical or hardware address. It is allocated to an Ethernet interfaces when a device is
produced. In actual networking, MAC and IP addresses must be mapped using an address
resolution mechanism.
l Dynamic ARP
ARP dynamically resolves an IP address into an Ethernet MAC address based on ARP
packets. No network administrator interference is required.
l Static ARP
Static ARP establishes a fixed mapping between the IP and MAC addresses, which
cannot be dynamically adjusted on a host or router. Network administrator interference is
required.
l Proxy ARP
Also called routed proxy ARP. If a host is not configured with a default gateway address,
the host can send an ARP Request packet to request the destination host MAC address.
After the device enabled with proxy ARP receives the packet, it sends an ARP Reply
packet containing its own MAC address so that internal hosts on different physical
networks but on the same network segment can communicate.
l Gratuitous ARP
Gratuitous ARP checks existing IP addresses and declares new MAC addresses.
l Authorized ARP
Authorized ARP, valid on only devices enabled with the DHCP server function, applies
when the DHCP server and DHCP client reside on the same network segment to prevent
attackers from forging the IP addresses or MAC addresses of legitimate DHCP clients to
launch attacks.
4.10.2 Mechanism
This section describes the mechanism of the Address Resolution Protocol (ARP).
Ethernet
ARP Request
Host A Host B
2. ARP reply
All hosts on the network, including host B, receive the ARP request packet. Only host B
responds to the ARP request packet. Host B shown in Figure 4-75 sends an ARP reply
packet carrying a local MAC address to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with
host B.
Ethernet
ARP Reply
Host A Host B
Static ARP
Static ARP supports the fixed mappings between IP and MAC addresses. Hosts and routers
involved cannot change mappings dynamically. Static ARP is configured manually by
network administrators.
Dynamic ARP
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC
addresses. Dynamic ARP does not require the involvement of an administrator.
A FW creates or updates an ARP entry if a received ARP packet satisfies any of the following
conditions:
l The ARP packet carries a non-broadcast source address that is on the same network
segment as the inbound interface address. The ARP packet is bound for the IP address of
the inbound interface.
l The ARP packet carries a non-broadcast source address that is on the same network
segment as the inbound interface address. The ARP packet is bound for the virtual IP
address of a Virtual Router Redundancy Protocol (VRRP) backup group created on the
inbound interface.
l The ARP packet is bound for an address in a Network Address Translation (NAT)
address pool configured on the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound
interface, the FW also updates the ARP entry.
Proxy ARP
A gateway runs proxy ARP to enable hosts to communicate with each other when the hosts
are on the same network segment but different physical networks.
Proxy ARP has the following characteristics:
l A proxy ARP-enabled subnet gateway processes all ARP packets, except for hosts
connected to the gateway.
l Proxy ARP enables hosts to communicate with each other over a single IP network,
regardless of physical subnets.
l Proxy ARP updates cached ARP entries only on hosts, but does not update entries in the
ARP cache and routing table on a gateway.
l The aging time of ARP entries must be reduced on hosts connected to a proxy ARP-
enabled gateway. This approach speeds up the aging of invalid ARP entries and
minimizes the number of packets that the gateway receives but fails to forward because
of invalid ARP entries.
The device supports routed proxy ARP. Routed proxy ARP enables communication between
PCs or routers on the same network segment but different physical networks. If a host
connected to a router is not configured with a default gateway address, the host cannot
forward data packets.
Routed proxy ARP was introduced to solve this problem. The host sends an ARP Request
packet requesting the MAC address of a destination host. After receiving the request, the
proxy ARP-enabled router replies with its own MAC address to the host. The host sends
packets to the router, and the router forwards the packets to the specific destination.
Gratuitous ARP
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address.
Gratuitous ARP provides the following functions:
l IP address conflicts: If a device receives no reply to a gratuitous ARP request packet, the
device has a unique IP address. If the device receives an ARP reply packet in response to
a gratuitous ARP request packet, there is an IP address conflict.
l New MAC address advertising: If a device has its NIC replaced and its MAC address is
changed, the device sends a gratuitous ARP to notify all hosts of the MAC address
update before the ARP entry aging time elapses.
Authorized ARP
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the
MAC and IP addresses of the client after assigning an IP address to the client.
l Authorized ARP entries
Authorized ARP entries do not age. After a DHCP server logs out DHCP clients, the
DHCP server automatically deletes their authorized ARP entries from an ARP table.
Authorized ARP entries have higher priorities than dynamic ARP entries, but lower than
static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP
entry, but not a duplicate static ARP entry. The authorized ARP entry can be overridden
by a duplicate static ARP entry.
l Working mechanism
Authorized ARP combines the ARP and DHCP working mechanisms. The authorized
ARP function is only available on devices with the DHCP server function enabled when
the DHCP server and client reside on the same network segment. Authorized ARP is not
applicable to DHCP relay scenarios.
The authorized ARP mechanism is as follows:
a. A DHCP client broadcasts a DHCPDISCOVER message. After receiving this
message, a DHCP server replies with a DHCPOFFER message carrying network
parameters, including an IP address.
b. If many DHCP servers send DHCPOFFER messages to the client at the same time,
the client accepts the first DHCPOFFER message. The client then broadcasts a
DHCPREQUEST message to all DHCP servers. The DHCPREQUEST message
contains the MAC address of the DHCP client and IP address request.
c. After the selected DHCP server receives the DHCPREQUEST message, the DHCP
server sends a DHCPACK message to the client. The message contains network
parameters, including the assigned IP address. Meanwhile, the DHCP server
automatically adds an authorized ARP entry that contains the IP and MAC
addresses of the DHCP client.
d. The DHCP server uses the authorized ARP entry to prevent DHCP clients from
dynamically learning MAC addresses in invalid ARP responses. An attacker forges
the IP or MAC address of a valid DHCP client to originate an ARP request. Upon
receipt, the DHCP server (gateway) finds that the IP or MAC address in the request
does not match an authorized ARP entry and sends no response. The attacker,
therefore, cannot access the network, which improves network security. The address
of the DHCP server is the same as the gateway address when the DHCP server and
client reside on the network segment.
Prerequisites
Before configuring ARP, complete the following tasks:
l Configuring the link layer protocol parameters for the interface and ensuring that the
status of the link layer protocol on the interface is Up
l Configuring the network layer protocol for the interface
Context
A static ARP entry is manually added. It does not age and cannot be overwritten by a dynamic
ARP entry. Static ARP entries are valid provided that the device works properly.
Static ARP entries improve communication security. Static ARP entries ensure
communication between a local device and a specified device using the specified MAC
address. Attack packets cannot modify the mapping between IP and MAC addresses in static
ARP entries.
Static ARP is used in the following situations:
l For the packets whose destination IP address is on another network segment, static ARP
can help these packets traverse a gateway of the local network segment so that the
gateway can forward the packets to their destination.
l When you need to filter out some packets with illegitimate destination IP addresses,
static ARP can bind these illegitimate addresses to a nonexistent MAC address.
If static ARP and the Virtual Router Redundancy Protocol (VRRP) are enabled on a device
simultaneously, the virtual IP address of the VRRP backup group configured on the VLANIF
interface cannot be the IP address contained in the static ARP entries; otherwise, incorrect
host routes are generated and packets cannot be normally forwarded.
NOTE
Step 2 Run:
arp static ip-address mac-address
----End
----End
----End
l Run the display arp statistics { all | interface interface-type interface-number | slot
slot-id } command to check the statistics for ARP entries.
----End
4.10.3.2 Enabling a Device to Learn Multicast MAC Addresses and Generate ARP
Entries
If a device is enabled to learn multicast MAC addresses, it can generate ARP entries after
receiving ARP packets carrying multicast MAC addresses as source MAC addresses. This
section describes how to enable a device to learn multicast MAC addresses and generate ARP
entries.
Prerequisites
Before enabling a device to learn multicast MAC addresses, complete the following tasks:
l Connect interfaces and set their physical parameters to ensure that the physical interface
status is Up.
l Configure link layer protocol parameters for interfaces to ensure that the link layer
protocol on the interfaces is Up.
Context
A MAC address corresponding to an IP address may be a multicast MAC address. In this
case, a network administrator has to configure a static ARP entry. A device can generate
dynamic ARP entries if enabled to learn multicast MAC addresses. This way reduces a
network administrator's workload of configuring static ARP entries and reduces network
operation and maintenance costs.
Procedure
l Globally enable a device to learn multicast MAC addresses and generate dynamic ARP
entries.
a. Run:
system-view
NOTE
If a device is globally enabled to learn multicast MAC addresses, the interfaces of this
device are enabled to learn multicast MAC addresses.
l Enable an interface to learn multicast MAC addresses.
a. Run:
system-view
b. Run:
interface interface-type interface-number
By default, if a device is globally enabled to learn multicast MAC addresses, all the
device interfaces are enabled to learn multicast MAC addresses. If a device is
globally disabled from learning multicast MAC addresses, all the device interfaces
are disabled from learning multicast MAC addresses.
NOTE
If the undo arp learning multicast enable command is run on a specific interface, the
interface is disabled from learning multicast MAC addresses but uses the global
configuration in the configuration file.
l Disable an interface from learning multicast MAC addresses after a device has been
globally enabled to learn multicast MAC addresses. The interface does not use the global
configuration.
a. Run:
system-view
----End
Context
If the device needs to update ARP entries frequently, reduce the aging timeout period of ARP
entries and increase the aging detection frequency.
Procedure
Step 1 Run:
system-view
The interface to send an ARP aging detection packet in unicast mode is set.
By default, an interface sends the last ARP aging detection packet in broadcast mode, and the
rest ARP aging detection packets are sent in unicast mode.
Step 6 Run:
arp learning multicast enable
----End
Follow-up Procedure
Run the display arp interface command to view all ARP entries on an interface.
<sysname> display arp interface GigabitEthernet 1/0/2
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------
192.168.1.11 0000-0a41-0201 I GE1/0/2
192.168.1.1 0000-0a41-0200 15 D GE1/0/2
-------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
If the TYPE field is I in an ARP entry, the entry contains the mapping between the local IP
and MAC addresses of the interface. If the EXPIRE (M) field is null, the entry does not age.
If the TYPE field is D, the entry is dynamically learned and ages in 15 minutes.
Prerequisites
Before configuring delayed deletion of dynamic ARP entries, create a VLANIF interface.
Context
When a VLANIF interface serves as a gateway, the network planners usually deploy a ring or
dual-homing network to improve network reliability. If a faulty link causes an interface in a
VLAN to go Down, the device immediately deletes dynamic ARP entries learned by the
interface and updates and relearns ARP entries through newly sent user traffic. However, if
many users are connected to the gateway, user traffic may be interrupted for a long time due
to the affected performance in relearning ARP entries.
To minimize the service interruption time and accelerate user traffic convergence, network
administrators can enable the device to delete dynamic ARP entries after a delay if an
interface in a VLAN goes Down. After this function is enabled, the device does not
immediately delete dynamic ARP entries learned by the interface after it goes Down. Instead,
it sends ARP detection packets and then deletes or updates ARP entries depending on whether
it receives ARP reply packets within the ARP aging time.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface vlanif vlan-id
Step 3 Run:
arp purge slowly
NOTE
To update ARP entries, a better alternative to ARP aging mechanism is associating MAC entries with
ARP entries, because the device learns MAC entries faster. Therefore, to accelerate user traffic
convergence, you are advised to enable ARP entry delayed deletion and associate MAC entries with
ARP entries.
----End
Follow-up Procedure
Run the display this command to check the configurations for delayed deletion of dynamic
ARP entries on a specified VLANIF interface.
[sysname-Vlanif1] display this
#
interface Vlanif233
arp purge slowly
ip address 10.1.1.1 255.255.255.0
#
Prerequisites
Before configuring ARP automatic scanning and fixed ARP, create a VLANIF interface.
Context
To improve communication security, network administrators generally configure static ARP
entries on a small-sized LAN. However, if a gateway has multiple users attached, a network
administrator has to configure static ARP entries for each user. Current networks use dynamic
ARP for communication.
Dynamic ARP helps reduce a network administrator's workload but has its own limitations.
Dynamic ARP entries can be overwritten by subsequent ARP entries and are vulnerable to
network attacks. Therefore, dynamic ARP cannot provide reliability for network
communications.
ARP automatic scanning is generally used with fixed ARP to defend against network attacks:
l After ARP automatic scanning is configured, a device automatically scans all its
neighbor devices on a LAN. The device sends ARP request packets to its neighbor
devices, obtains the MAC addresses of its neighbor devices, and generates dynamic ARP
entries.
l After fixed ARP is configured, the device converts these dynamic ARP entries to static
ARP entries.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
NOTE
Before you configure ARP automatic scanning and fixed ARP, run the display arp all command to
check all ARP entries of the device. This allows you to compare the number and types of ARP entries
before and after ARP automatic scanning and fixed ARP are configured.
<sysname> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.50.207 781d-ba56-355e I - GE0/0/0
192.168.56.2 781d-ba56-355e I - Vlanif2
1.1.1.1 781d-ba56-355e I - Vlanif30
------------------------------------------------------------------------------
Total:3 Dynamic:0 Static:0 Interface:3 Remote:0
Step 3 Run:
arp scan [ start-ip-address to end-ip-address ]
NOTE
After you configure ARP automatic scanning and before you configure fixed ARP, run the display arp
all command to check all ARP entries of the device. If only the number of ARP entries increases, the
ARP automatic scanning configuration takes effect.
<sysname> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.50.207 781d-ba56-355e I - GE0/0/0
192.168.56.2 781d-ba56-355e I - Vlanif2
1.1.1.1 781d-ba56-355e I - Vlanif30
1.1.1.2 000b-09f7-4869 D-1 GE1/0/4
30/-
1.1.1.3 000b-09f7-4868 D-1 GE1/0/2
30/-
------------------------------------------------------------------------------
Total:5 Dynamic:2 Static:0 Interface:3 Remote:0
Step 4 Run:
arp fixup
----End
Follow-up Procedure
After the configuration is complete, run the display arp all command to check the
configurations of ARP automatic scanning and fixed ARP and compare the number and types
of ARP entries before and after ARP automatic scanning and fixed ARP are configured.
<sysname> display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN
------------------------------------------------------------------------------
192.168.50.207 781d-ba56-355e I - GE0/0/0
192.168.56.2 781d-ba56-355e I - Vlanif2
1.1.1.1 781d-ba56-355e I - Vlanif30
1.1.1.2 000b-09f7-4869 S-- GE1/0/4
30/-
1.1.1.3 000b-09f7-4868 S-- GE1/0/2
30/-
------------------------------------------------------------------------------
Total:5 Dynamic:0 Static:2 Interface:3 Remote:0
Prerequisites
Before configuring routed proxy ARP, complete the following tasks:
l Configuring the physical parameters for the interface and ensuring that the status of the
physical layer of the interface is Up
l Configuring the link layer parameters for the interface and ensuring that the status of the
link layer protocol on the interface is Up
Context
The two physical networks of an enterprise are in different subnets of the same IP network,
and are separated by a device. You need to enable the proxy ARP on the device interface
connected to the physical networks. This enables communication between the two networks.
Network IDs of subnet hosts must be the same. You do not need to configure default gateways
for hosts.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The interfaces supporting routed proxy ARP include Ethernet interfaces, Ethernet sub-
interfaces, GE interfaces, GE sub-interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces,
and VLANIF interfaces.
Step 3 Run:
ip address ip-address { mask | mask-length }
----End
Prerequisites
Before configuring proxy ARP within a VLAN, complete the following tasks:
l Configuring the VLAN
l Configuring user isolation in the VLAN
Context
If two users are in the same VLAN but they are isolated from each other, to ensure the two
users can communicate, you need to enable proxy ARP within the VLAN on the interface
associated with the VLAN.
Procedure
Step 1 Run:
system-view
Step 4 Run:
arp-proxy inner-sub-vlan-proxy enable
----End
Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 4.1.1 Overview.
Context
If an ARP entry matches the source IP address of ARP packets, the device updates this
dynamic ARP entry, regardless of the learning of gratuitous ARP packets.
Procedure
Step 1 Access the system view.
system-view
----End
Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 4.1.1 Overview.
Context
A device functions as a gateway to send gratuitous ARP packets (using the IP address of the
gateway as the destination IP address) to update the gateway MAC address of valid ARP
entries, which ensures that packets are forwarded to the gateway and prevents malicious
obtaining by attackers.
Procedure
Step 1 Access the system view.
system-view
After this function is enabled, the device sends gratuitous ARP packets every 60 seconds by
default. To customize the interval, set interval.
----End
Context
Perform the following steps on the FW that needs to be configured with ARP security
features:
Procedure
Step 1 Run:
system-view
Step 2 Run:
arp learning strict
After the arp learning strict command is run, the FW learns only reply packets for the ARP
request packets sent itself.
----End
Context
Perform the following steps on the FW whose ARP entries are to be prevented from being
attacked:
Procedure
Step 1 Run:
system-view
NOTE
l If the key word force-enable of the command is selected, the FW learns only reply packets for the
ARP request packets sent itself.
l If the key word force-disable of the command is selected, the strict ARP entry learning function on
the interface is disabled.
l If the key word trust of the command is selected, the strict ARP entry learning function on the
interface is disabled and the global ARP entry learning function is enabled.
----End
Context
Perform the following steps on the FW that needs to be configured with ARP security
features:
Procedure
Step 1 Run:
system-view
----End
Context
Perform the following steps on the FW that needs to be configured with ARP attack defense:
Procedure
Step 1 Run:
system-view
Step 2 Run:
arp anti-attack log-trap-timer time
----End
NOTE
Static ARP entries cannot be restored after being deleted. Exercise caution when you delete static ARP
entries.
Table 4-56 list the commands to clearing ARP entries. You need to perform this action in the
user view.
Clear ARP entries in the reset arp { all | dynamic ip ip-address [ vpn-instance vpn-
ARP mapping table. instance-name ] | interface interface-type interface-number
[ ip ip-address ] | slot slot-id | static }
Networking Requirements
A FW shown in Figure 4-76 connects departments of a company, and each department joins
different VLANs. Hosts in the headquarters office and a file backup server are allocated
manually configured IP addresses. Hosts in departments dynamically obtain IP addresses
using DHCP.
Hosts in the marketing department can access the Internet and are often attacked by ARP
packets. Attackers attack the FW and modify dynamic ARP entries on the FW. As a result,
communication between hosts in the headquarters and external devices is interrupted, and
hosts in departments fail to access the file backup server. The company requires that static
ARP entries be configured on the FW. Static ARP allows hosts in the headquarters to
communicate with external devices and hosts in departments to access the file backup server.
Trust PC_A
GE1/0/2
10.10.10.10/24 10.10.1.1/24
GE1/0/3 0021-97cf-2238
Marketing GE1/0/4 VLAN10
VLAN20 10.10.1.20/24
Headquarters
department office
GE1/0/5
VLAN30 FW
10.10.2.0/24 10.10.1.0/24
VLAN 20 VLAN 10
R&D
department
10.10.3.0/24
VLAN 30
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
This example describes only ARP-related configurations, but not other configurations, such as DHCP.
1. Configure static ARP entries of hosts in the headquarters on the FW to prevent ARP
attack packets from altering ARP entries, which prevents communication interruptions.
2. Configure static ARP entries of the file backup server on the FW to prevent ARP attack
packets from altering ARP entries, which prevents failures in accessing the file backup
server.
Procedure
Step 1 Configure static ARP entries for the host in the headquarters.
# Create VLAN 10.
<FW> system-view
[FW] vlan 10
[FW-vlan-10] quit
# Configure static ARP entries for hosts in the headquarters. The following example uses the
configuration on PC_A(configuration on other PCs is omitted). In the static ARP entry, PC_A
IP address 10.10.1.1 is mapped to the MAC address 0021-97cf-2238, and the VLAN ID is 10.
[FW] arp static 10.10.1.1 0021-97cf-2238 vid 10
Step 2 Configure a static ARP entry for the file backup server.
# Configure an IP address for GigabitEthernet 1/0/2.
[FW] interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2] ip address 10.10.10.10 255.255.255.0
[FW-GigabitEthernet1/0/2] quit
# Configure a static ARP entry for the file backup server to map the IP address 10.10.10.1/24
to the MAC address 0025-1185-8C21.
[FW] arp static 10.10.10.1 0025-1185-8C21
----End
Configuration Verification
1. Run the display arp static command on the FW to view static ARP entries.
[FW] display arp static
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-
INSTANCE
VLAN
------------------------------------------------------------------------------
10.10.10.1 0025-1185-8c21 S--
10.10.1.1 0021-97cf-2238 S--
10
10.10.2.1 0021-97cf-2239 S--
20
10.10.3.1 0021-97cf-2240 S--
30
------------------------------------------------------------------------------
Total:4 Dynamic:0 Static:4 Interface:0
Configuration Script
#
sysname FW
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 10.10.1.20 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.10.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type access
port default vlan 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
#
arp static 10.10.10.1 0025-1185-8C21
arp static 10.10.1.1 0021-97cf-2238 vid 10
arp static 10.10.2.1 0021-97cf-2239 vid 20
arp static 10.10.3.1 0021-97cf-2240 vid 30
#
return
4.10.5.2 Example for Configuring ARP Automatic Scanning and Fixed ARP
This section describes how to configure ARP automatic scanning and fixed ARP. The
configuration enables a device to rapidly generate dynamic ARP entries and convert the
dynamic ARP entries to static ARP entries. This process ensures reliable and secure network
operations.
Networking Requirements
On a small-sized LAN, a network administrator configures static ARP entries on a gateway to
ensure network communications security. However, once a device MAC address is changed,
the network administrator has to reconfigure a static ARP entry on the gateway, which
increases network operation and maintenance costs.
If the network adapters of HostA, HostB, HostC, and HostD are replaced, the existing static
ARP entries for these devices on the PE become invalid on the network shown in Figure
4-77. To solve this problem and ensure network security, you can configure ARP automatic
scanning and fixed ARP on the PE. The two functions enable the PE to rapidly learn the MAC
address of each host, generate dynamic ARP entries, and convert the dynamic ARP entries to
static ARP entries.
Figure 4-77 Networking for ARP automatic scanning and fixed ARP configurations
PE
VLAN4
VLANIF4
GE1/0/1 GE1/0/2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN, create a VLANIF interface, and configure an IP address for the
VLANIF interface.
2. Configure ARP automatic scanning on the VLANIF interface.
3. Configure fixed ARP on the VLANIF interface.
Data Preparation
To complete the configuration, you need the following data:
l VLAN ID (4)
l Types and numbers of the interfaces (GE 1/0/1 and GE 1/0/2) that join the VLAN
l IP address (10.1.1.1/24) of the VLANIF interface
l IP addresses of HostA (10.1.1.2/24), HostB (10.1.1.3/24), HostC (10.1.1.4/24), and
HostD (10.1.1.5/24)
Procedure
Step 1 Configure an IP address for each host.
# Assign 10.1.1.2/24 to HostA.
# Assign 10.1.1.3/24 to HostB.
# Assign 10.1.1.4/24 to HostC.
# Assign 10.1.1.5/24 to HostD.
Step 2 Configure a VLAN and create a VLANIF interface.
<FW> system-view
[FW] sysname PE
[PE] interface GigabitEthernet 1/0/1
[PE-GigabitEthernet1/0/1] portswitch
[PE-GigabitEthernet1/0/1] quit
[PE] interface GigabitEthernet 1/0/2
[PE-GigabitEthernet1/0/2] portswitch
[PE-GigabitEthernet1/0/2] quit
[PE] vlan 4
[PE-vlan4] port GigabitEthernet 1/0/1 to 1/0/2
[PE-vlan4] quit
[PE] interface vlanif 4
[PE-Vlanif4] ip address 10.1.1.1 255.255.255.0
[PE-Vlanif4] quit
Run the display arp all command to view the ARP entries on the PE. The ARP entries on the
VLANIF interface are displayed only.
[PE] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN
------------------------------------------------------------------------------
10.1.1.1 0018-82d4-04c3 I - Vlanif4
------------------------------------------------------------------------------
Total:1 Dynamic:0 Static:0 Interface:1
----End
Configuration Files
Configuration file of PE
#
sysname PE
#
vlan batch 4
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port hybrid pvid vlan 4
undo port hybrid vlan 1
port hybrid untagged vlan 4
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port hybrid pvid vlan 4
undo port hybrid vlan 1
port hybrid untagged vlan 4
#
Networking Requirements
Branches A and B of a company shown in Figure 4-78 are located in different cities. Multiple
routing devices are deployed between branches, and routes are reachable. IP addresses of the
routing devices are on the same network segment 10.10.0.0/16. Branches A and B belong to
different broadcast domains and cannot communicate on a LAN. Hosts of branches with
default gateway addresses cannot communicate across network segments.
The company requires that branches A and B communicate without changing host
configurations.
Trust Trust
GE1/0/3 GE1/0/3
Branch A 10.10.1.1/24 10.10.2.1/24 Branch B
FW_A FW_B
Host_A Host_B
10.10.1.2/16 10.10.2.2/16
0021-97cf-2238 0025-1185-8C21
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
This example describes only ARP-related configurations, but not configurations, such as routes between
branches A and B.
1. Enable proxy ARP on the interface of FW_A connected to branch A.
2. Enable proxy ARP on the interface of FW_B connected to branch B.
3. Configure routes to ensure that FW_A and branch B are reachable to each other, and
FW_B and branch A are reachable to reach other.
Procedure
Step 1 Configure FW_A.
# Configure an IP address for GigabitEthernet 1/0/3.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.10.1.1 255.255.255.0
----End
Configuration Verification
# Select host_A in branch A and select host_B in branch B. Run the ping command on
host_A to ping host_B. The ping is successful.
C:\Documents and Settings\Administrator>ping 10.10.2.2
# View the ARP table of host_A. You can see that the MAC address of host_B is the MAC
address of GigabitEthernet 1/0/3 on FW_A.
C:\Documents and Settings\Administrator>arp -a
Interface: 10.10.1.2 --- 0x3
Internet Address Physical Address Type
10.10.1.1 00-22-a1-01-b5-db dynamic
10.10.2.2 00-22-a1-01-b5-db dynamic
# View the ARP table of host_B. You can see that the MAC address of host_A is the MAC
address of GigabitEthernet 1/0/3 on FW_B.
C:\Documents and Settings\Administrator>arp -a
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
interface GigabitEthernet1/0/3
ip address 10.10.1.1 255.255.255.0
arp-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
return
Symptom
Figure 4-79 shows the typical networking, The connection and configuration of physical links
are correct. The interface is in Up state, but cannot ping the remote device.
GE1/0/3
FW Router
Possible Causes
VLAN attributes are incorrect.
Fault Diagnosis
Yes
Yes Is it a Vlanif No Check the ARP entries of the
Are remote ARP entries
learned? interface? specified Vlanif interface
No
Yes
Yes
Procedure
Step 1 Run the display arp command and check whether remote ARP entries are learned.
<FW> display arp
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/PVC
------------------------------------------------------------------------------
10.1.196.208 0018-8239-1e63 I GE1/0/3
10.1.196.20 0021-97cf-cfc1 16 D GE1/0/3
10.1.196.4 001e-90a0-154f 16 D GE1/0/3
If ARP packets are correctly sent and received, the following information is displayed.
*0.1090420 FW ARP/7/arp_send:Send an ARP Packet, operation : 1, send
er_eth_addr : 0018-8239-1e63,sender_ip_addr : 10.1.196.208, target_eth_addr :
00e0-4c84-0b04, target_ip_addr : 10.1.196.2
If the remote end can be pinged, both request and reply packets are displayed. If a fault
occurs, only the request packets are displayed, or none of the request or reply packets is
displayed.
If packets are properly sent and received by the upper layer, run the debugging ethernet
packet arp interface GigabitEthernet 1/0/3 command and check whether packets are
properly sent at the data link layer.
<FW> debugging ethernet packet arp interface GigabitEthernet 1/0/3
<FW> terminal monitor
Info:Current terminal monitor is on
<FW> terminal debugging
Info:Current terminal debugging is on
The previous information shows that ARP request packets are properly sent at the data link
layer. Go to Step 3.
Step 3 Check whether statistics about sent and received packets are correct.
Run the display this interface command in the interface view or the display interface
interface-type interface-number command in any view to view packet statistics.
NOTE
Collect information, preserve the faulty scenario, and contact technical support personnel in either of the
following situations:
l ARP entries on the main processing unit (MPU) of the Vlanif interface are inconsistent with those
on a line interface processing unit (LPU).
l ARP entries are consistent but host routes are not updated.
Step 5 Check whether ICMP packets are properly sent and received.
1. Run the debugging ip packet acl acl-number command in the user view and check
information about both sent and received IP packets.
2. Run the debugging ip icmp command and collect more information to locate the fault.
----End
4.10.7.1 Specifications
This section describes the related specifications of ARP.
Function Specifications
Function Description Supported or Not
Deleting ARP entries Static, dynamic, and all Supported by all models.
ARP entries can be deleted.
Strict ARP learning Strict ARP learning can be Supported by all models.
configured to allow a device
to learn the response packets
only to the ARP requests
sent from this interface or
device.
Performance Specifications
Function Specifications
l RFC 1042: Standard for the Transmission of IP Datagrams over IEEE 802 Networks
4.11 VLAN
This section describes virtual local area network (VLAN) concepts and how to configure a
VLAN, as well as provides configuration examples.
4.11.1 Overview
The virtual local area network (VLAN) technology adds a VLAN tag to the traditional
Ethernet frame header to identify the VLAN in a data packet.
Definition
A LAN is divided into several logical "LANs" (VLANs), with each VLAN functioning as a
broadcast domain.
Objective
The following problems occur in a traditional LAN:
l Conflicts occur if more than one node attempts to send messages at the same time.
l The information from any node is sent to all other nodes. A method is required to send a
message that is destined for a node or multiple nodes, instead of all nodes.
l Information security is reduced because all hosts share the same transmission channel.
With the growth of computers on a network, the collisions increase, and network efficiency
deteriorates. As a result, collision areas form in the network. The Ethernet network uses the
Carrier Sense Multiple Access/Collision Detect (CSMA/CD) to detect collisions, which
cannot completely remove the collision impact.
The Ethernet network is also a broadcast network. If a large number of computers send
information at the same time, broadcast traffic consumes a great deal of bandwidth.
Therefore, two problems occur in the traditional network: collision area and broadcast area. In
addition, the traditional network cannot ensure information security.
To expand a traditional LAN to accommodate more computers and to prevent collisions, the
following methods are introduced:
l Bridge
l Layer 2 switch
Bridges and switches forward information from an inbound interface to an outbound interface
in switching mode. Collisions occurs only on ports and do not affect the shared media.
NOTE
The introduction of switches into the networking solves the problem of the collision area
using the Layer 2 rapid switching. This, however, does not ensure information security caused
by the broadcast domain problem.
To reduce broadcast storms, the hosts that do not need to access each other must be isolated
from each other. Routers select a route based on IP addresses. Therefore, using a router to
connect two network segments can effectively control the broadcast problems. Routers,
however, are costly. In this case, the VLAN is introduced.
The VLAN technology divides a LAN into logical "LANs" (VLANs), with each VLAN
functioning as a broadcast area. Hosts in each VLAN communicate with each other in the
same way as hosts in a LAN. VLANs cannot interact with each other directly. Therefore,
broadcast packets are transmitted within a single VLAN.
VLANs can improve data security. For example, different enterprise clients rent a building
and require developing their own LANs. The total cost of LANs is high. If all clients share a
LAN, information security cannot be guaranteed.
VLANs allow different clients to share a LAN and improves information security.
Router
VLAN-A
VLAN-B
VLAN-C
As shown in Figure 4-81, the network is a typical VLAN application. Three switches are
placed at sites. This is more or less the same as different floors in a building. Each switch is
connected to three PCs. These PCs belong to three VLANs, which are enclosed by dashed
blocks. Each VLAN corresponds to an enterprise client.
4.11.2 Mechanism
This section describes the virtual local area network (VLAN) mechanism.
Link Types
VLAN links are classified into the following types:
l Access links: connect switches to hosts. The access links shown in Figure 4-83 connect
switches to PCs and transmit untagged Ethernet frames.
l Trunk links: connect switches. The trunk links shown in Figure 4-83 connect switches
and transmit tagged Ethernet frames.
Access Link
Trunk Link
VLAN2
VLAN3
Port Types
Ports only on some devices can identify VLAN frames defined in 802.1q. Based on their
ability of identifying VLAN frames, the ports are classified into the following types:
l Access ports
Access ports are switch ports that connect hosts only along access links. An access port
has the following characteristics:
– Only allows frames tagged with access port PVIDs to pass through. A PVID is a
default VLAN ID.
– Adds the port PVID to untagged frames that it receives.
– Sends untagged Ethernet frames to the peer device.
l Trunk ports
Trunk ports connect a local switch to other switches. In other words, trunk ports can only
connect to trunk links. A trunk port has the following characteristics:
– Allows tagged frames of many VLANs to pass through.
– Only removes a tag with a default VLAN ID from a frame before sending the
frame.
l Hybrid ports
Hybrid ports are switch ports that connect a local switch to hosts and to other switches.
Hybrid ports can be connected to both access and trunk links. A hybrid port allows
tagged frames of different VLANs to pass through and removes tags from some VLAN
frames before forwarding the frames.
VLAN Classification
VLANs can be classified into the following types:
l Port-based VLANs
A computer belongs to a VLAN that is connected to a network device port on the
computer. This method allows hosts to be easily grouped into VLANs. If a host of a
VLAN is moved to another place, the VLAN needs to be reconfigured.
l MAC address-based VLANs
Devices are allocated to VLANs based on MAC addresses of network interface cards.
VLAN settings remain even if hosts are moved to other places. All hosts within a VLAN
must be configured.
l Network layer protocol-based VLANs
Devices are allocated to VLANs based on network layer protocols. For example, hosts
running IP are grouped into a VLAN, and hosts running IPX are grouped into another
VLAN.
The FW supports only port-based VLANs.
Access port 1. Checks whether the frame carries a Removes the PVID from
VLAN tag: the frame before sending
l If the frame does not carry a VLAN it.
tag, the port adds its PVID to the
frame and goes to step 2.
l If the frame carries a VLAN tag with a
PVID, the device goes to step 2. If the
tag does not contain a PVID, the port
discards the frame.
2. The device selects an outbound port based
on the destination MAC address and
VLAN ID carried in the frame.
Trunk port 1. Checks whether the frame carries a Checks the VLAN
VLAN tag: attribute of the port:
l If the frame is not tagged, the port l If the frame carries a
adds its PVID to the frame and goes to VLAN tag that
step 2. contains the port
l If the frame carries a VLAN tag, the PVID, the port
port checks whether the VLAN ID in removes the tag from
the tag is permitted. If the VLAN ID is the frame before
permitted, the switch goes to step 2. If sending the frame.
the VLAN ID is not permitted, the port l If the frame carries a
discards the frame. VLAN tag that does
2. The device selects an outbound port based not contain the port
on the destination MAC address and PVID, and the port
VLAN ID carried in the frame. supports the VLAN
ID, the port sends the
frame as it is. If the
port does not support
the VLAN tag with a
non-PVID, the port
discards the frame.
Hybrid port 1. Checks whether the frame carries a Checks the VLAN
VLAN tag: attribute of the port:
l If the frame is not tagged, the port l If the port supports
adds its PVID to the frame and goes to the tagged frame, the
step 2. port checks which
l If the frame carries a VLAN tag, the type of outgoing
port checks whether the VLAN ID in frame can be sent:
the tag is permitted. If the VLAN ID is – If it permits
permitted, the device goes to step 2. If untagged outgoing
the VLAN ID is not permitted, the port frames, the port
discards the frame. removes the tag
2. The device selects an outbound port based from the frame
on the destination MAC address and before sending the
VLAN ID carried in the frame. frame.
NOTE – If it permits tagged
Trunk and hybrid ports use the same rules to outgoing frames, it
process received data frames. sends the frame as
it is.
l If the port does not
support tagged
frames, the port
discards it.
NOTE
If a hybrid port permits
untagged frames, the
hybrid port removes the
VLAN Tag field the same
as the PVID Tag field from
a frame before sending it.
If a hybrid port permits
tagged frames, the hybrid
port still removes the
VLAN Tag field the same
as the PVID Tag field from
a frame before sending it.
Intra-VLAN Communication
Hosts on a VLAN in the same area can directly communicate with each other. Hosts on the
same VLAN but in different areas (with multiple devices between them) can communicate
with each other using trunk links.
Figure 4-84 shows that hosts in the same department of an enterprise communicate with each
other across two FWs. Each department belongs to a specific VLAN. You can configure trunk
links to isolate service data of different departments to ensure data communication within a
department.
FW_A FW_B
Trunk Link
Inter-VLAN Communication
Hosts of different VLANs use VLAN interfaces or Ethernet subinterfaces to communicate
with each other.
VLANIF100 VLANIF200
VLAN100 VLAN200
– Layer 2 Ethernet interfaces connect the FW to PCs and are added to separate
VLANs.
– Each interface on the FW can be connected to a single PC, which causes low data
transmission efficiency.
l Inter-VLAN communication using Ethernet subinterfaces
Unlike VLAN interfaces, Ethernet subinterfaces on a switch connect multiple PCs to a
single interface of a FW to implement inter-VLAN communication.
Figure 4-86 shows hosts of two departments attached to a FW. Hosts in one department
belong to VLAN5, and host in the other department belong to VLAN6. You can
configure two subinterfaces on a single physical interface and add these subinterfaces to
separate VLANs. This approach allows VLANs to communicate with each other using a
single physical interface on a FW.
FW
GE1/0/0
GE1/0/0.1 VLAN5
GE1/0/0.2 VLAN6
Switch
VLAN5 VLAN6
GE1/0/1.2 are added into the same VLAN (VLAN300, for example). The following uses
VLAN100–to-VLAN200 access to show how USG processes packets.
FW receives packets from VLAN100 hosts through GE1/0/1.1, strips VLAN tags from
the packets, and broadcasts the packets in VLAN200. After finding the destination host
in VLAN200, the device forwards the packets through GE1/0/1.2 with a VLAN tag
(VLAN200).
FW
GE1/0/1
GE1/0/1.1 VLAN100
GE1/0/1.2 VLAN200
Switch
VLAN100 VLAN200
Context
After VLANs are configured based on ports, the VLANs can process tagged and untagged
frames in the following manners:
l After receiving an untagged frame, a port adds the PVID to the frame, searches the MAC
address table for an outbound port, and sends the tagged frame from the outbound port.
l After a port receives a tagged frame, it checks the VLAN ID carried in the frame:
– If the port allows frames with the specified VLAN ID to pass through, it forwards
the frame.
– If the port does not allow frames with the specified VLAN ID to pass through, it
discards the frame.
The configuration roadmap is as follows:
1. Create VLANs.
Procedure
Step 1 Run:
system-view
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been
created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan
batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then
run the vlan vlan-id command to enter the view of a specified VLAN.
Step 3 Run:
quit
The input port format must be correct. The port number following to must be greater than the port
number before to. If a group of ports are specified, ensure that these ports are of the same type and
all specified ports exist.
In one port command, a maximum of 10 groups of ports can be specified by using to.
l For trunk ports:
– Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
command to add the port to specified VLANs.
– (Optional) Run the port trunk pvid vlan vlan-id vlan-id command to specify the
default VLAN for a trunk port.
l For hybrid ports:
– Run either of the following commands to add a port to VLANs in untagged or
tagged mode:
n Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |
all } command to add a port to VLANs in untagged mode.
In untagged mode, a port removes tags from frames and then forwards the
frames. This is applicable to scenarios in which Layer 2 Ethernet ports are
connected to terminals.
n Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
command to add a port to VLANs in tagged mode.
In tagged mode, a port forwards frames without removing their tags. This is
applicable to scenarios in which Layer 2 Ethernet ports are connected to
switches.
– (Optional) Run the port hybrid pvid vlan vlan-id command to specify the default
VLAN of a hybrid port.
By default, as for the USG6000V, after an interface is switched to a Layer 2 interface,
the IDs of the VLAN that the interface is added and the default VLAN of the interface
are both 1.
----End
Context
You can create a VLANIF interface on a configured VLAN. The VLANIF interface functions
as a Layer 3 physical interface to implement Layer 3 features, such as IP address settings and
data communications among different VLANs.
Inter-VLAN communication through VLANIF interfaces applies only when the hosts in each
VLAN are located in different network segments. If the hosts of VLANs are located in the
same network segment, inter-VLAN communication can be implemented through Layer 2
interfaces. For details, see 4.11.3.4 Configuring Inter-VLAN Communication Using Layer
2 Subinterfaces.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create a VLANIF interface and access the VLANIF interface view.
interface vlanif vlan-id
If a VLANIF interface already exists, the VLANIF interface view is directly displayed after
this command is run.
Before you create a VLANIF interface, the VLAN must exist.
----End
Context
The most direct method for inter-VLAN communication is connecting VLANs to different
Layer 3 interfaces to route the packets between VLANs. However, this method requires
physical interfaces. In contrast, creating Ethernet subinterfaces can avoid the use of more
physical interfaces.
Ethernet and Eth-Trunk interfaces support subinterfaces.
You can configure multiple subinterfaces on a single physical interface and ensure that each
subinterface is assigned to a specific VLAN. VLANs can communicate after being connected
to only as single physical interface.
Inter-VLAN communication through Layer 3 subinterfaces applies only when the hosts in
each VLAN are located in different network segments. If the hosts of VLANs are located in
the same network segment, inter-VLAN communication can be implemented through Layer 2
interfaces. For details, see 4.11.3.4 Configuring Inter-VLAN Communication Using Layer
2 Subinterfaces.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create a subinterface and access the subinterface view.
interface interface-type interface-number.subinterface-number
Step 3 Set the encryption type and the VLAN ID of the subinterface.
vlan-type dot1q vlan-id
Step 4 Assign an IP address to the subinterface.
ip address ip-address { mask | mask-length } [ sub ]
The subinterface and its main interface can be on the same primary network segment but must
use different subnet masks.
----End
Context
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk
interfaces. Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Run the system-view command to access the system view.
Step 4 Add the subinterfaces created in Step 3 to a same VLAN so that the subinterfaces can
communicate.
1. Run the vlan vlan-id command to create a VLAN and access the VLAN view.
2. Run the port interface-type interface-number.subinterface-number command to add the
subinterfaces created in Step 3 to a same VLAN.
Subinterfaces must be added to the same VLAN to communicate with each other.
----End
You can display the configuration information of VLAN by running the commands listed in
the following table in all views.
Operation Command
Display the information about interfaces of display port vlan [ interface-type interface-
the VLAN number ]
Networking Requirements
It is required that on the network shown in Figure 4-88, employees in the same group be able
to communicate with each other, whereas employees in different groups not communicate
with each other.
Figure 4-88 Networking diagram for dividing a LAN into VLANs based on ports
FW
GE1/0/1 GE1/0/4
GE1/0/2 GE1/0/3
Group 1 Group 2
VLAN 2 VLAN 3
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l Number of each port connecting a switch to a PC
l ID of each VLAN
Procedure
Step 1 Create VLANs.
<FW> system-view
[Switch] vlan batch 2 3
Ping a PC in group 2 from a PC in group 1. The ping fails. PCs in the same group can ping
each other successfully.
----End
Configuration Files
#
sysname FW
#
vlan batch 2 3
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
portswitch
undo shutdown
port link-type access
port default vlan 3
#
return
4.11.6.1 Specifications
This section describes VLAN specifications.
Function Specifications
Function Description Supported or Not
Layer-2 port-based VLAN The following Layer-2 port Supported by all models.
types are supported:
l Access
l Trunk
l Hybrid
4.12.1 Overview
IPv6 Neighbor Discovery (ND) defines a group of messages and processes for discovering
neighboring nodes. The IPv6 Secure Neighbor Discovery (SEND) protocol is an enhancement
of IPv6 ND.
Definition
The IPv6 NDP uses Internet Control Message Protocol version 6 (ICMPv6) messages to
discover neighbors. NDP functions include IPv4 Address Resolution Protocol (ARP), ICMP
router discovery (RD), and ICMP redirection.
SEND uses a set of new ND options to implement the authorization delegation discovery
process, address ownership proof mechanism, and message verification, which secures
neighbor discovery.
Purpose
ND enables the address auto-configuration and information interaction between different
nodes of one link on the IPv6 network.
ND does not provide any security mechanisms and is vulnerable to the following threats:
l NS/NA spoofing
Neighbor Solicitation/Advertisement Spoofing (NS/NA spoofing) is similar to IPv4 ARP
spoofing. An attacker sends NS/NA messages containing a forged link-layer address to
update the neighbor cache of a target node. Consequently, the target node sends packets
to the forged address.
l DAD attack
On networks where the hosts obtain their addresses using stateless address
autoconfiguration, an attacker can respond every duplicate address detection (DAD)
attempt made by the host to launch an attack. If the attacker claims the address, the host
will never be able to obtain an address.
l Redirect attack
An attacker uses the link-layer address of the default gateway of a target node as a source
address to send a Redirect message to the target node. The message carries a nonexistent
next-hop address for the target node. Upon receiving the messagept, the target node
sends packets to the nonexistent next-hop address. As a result, the packets fail to reach
their destinations.
l Parameter spoofing
An attacker impersonates a local router and sends a forged Router Advertisement (RA)
message to a target node. The forged RA message contains a fake network prefix with a
set autonomous flag. After the message arrives, the target node performs stateless
address autoconfiguration and uses the fake prefix to generate an IPv6 address. When the
target node uses this IPv6 address as a source address to communicate with other hosts,
the traffic destined for the target node is discarded by the local router.
l Replay attack
An attacker obtains valid messages and replays them later to send expired messages to a
target node.
SEND effectively defends against these security threats to secure neighbor discovery.
4.12.2 Mechanism
This section describes the IPv6 ND and SEND mechanisms.
4.12.2.1 IPv6 ND
IPv6 neighbor discovery (ND) uses ICMPv6 messages to implement address resolution,
verify neighbor reachability, detect duplicate addresses, discover routers and prefixes,
automatically assign addresses, and perform the redirection function.
Before assigning an IPv6 address to a single node, a router checks whether the address is
available and unique and perform either of the following operations:
l If the node is a host, the router notifies the host of the ideal next-hop address for
forwarding messages to a specific destination address.
l If the node is another router, the router advertises its address, address prefix, and other
parameters to the router.
Before forwarding a IPv6 message, the node verifies the data link layer address of its
neighbor node and its reachability.
The IPv6 ND mechanism provides five types of ICMPv6 messages:
l Router solicitation (RS): After startup, a host sends an RS message to a router.
l Router advertisement (RA): A router replies with an RS message with an RA message to
a host and periodically sends RA messages carrying prefixes and some flag bits.
l Neighbor solicitation (NS): An IPv6 node sends NS messages to obtain data link layer
addresses of neighbors, check neighbor reachability, and perform address conflict
detection.
l Neighbor advertisement (NA): An IPv6 node responds NS messages with NA messages.
The IPv6 node also sends NA messages if the data link layer changes.
l Redirect: After a router finds that a received message carries the same inbound and
outbound interface name, the router sends Redirect messages to instruct a host to select a
better next hop.
Neighbor Solicitation
IPv6 source: 3000::1
Dest: ff02::1:ff 00:0002
Link source: 00e0-fe20-1f66
Dest: 3333-ff00-0002
Neighbor Advertisement
IPv6 source: 3000::2
Dest: 3000::1
Link source: 00e0-fe20-1f67
Dest: 00e0-fe20-1f66
1. If an IPv6 address is specified for a node, the node sends the NS message to check
whether the address is used by any neighbor.
2. When receiving the message, a neighbor node checks whether the same IPv6 address
exists. If the local IPv6 address exists, the neighbor node replies a NA message that
contains the IPv6 address to the source node.
3. After the source node receives the reply message from the neighbor, the source node
considers that the IPv6 address is used by the neighbor. If the source node does not
receive the reply message from the neighbor, the IPv6 address is available.
Neighbor Discovery
The IPv6 ND function, similar to the IPv4 Address Resolution Protocol (ARP) function,
resolves neighbor addresses and detect neighbor reachability using NS and NA messages.
To obtain the data link layer address of another node on the same local link, a node sends an
ICMPv6 NS message of Type 135, which is similar to an IPv4 ARP request message. The
ICMPv6 NS message is transmitted using a multicast address, not a broadcast address. Only
the solicited node that has an IP address with the lest significant 24 bits the same as that of the
multicast address can receive the NS message, which minimizes broadcast storms. The
destination node adds its data link layer address to an NA message.
The NS message is also used to check the reachability of the neighbor with a known data link
layer address. The IPv6 NA message is sent in response to the IPv6 NS message. After
receiving the ICMPv6 NS message, the destination node replies with an ICMPv6 NA message
of Type 136 on the local link. After the ICMPv6 NA message is received, the source and
destination nodes can communicate. A node also sends an NA message if its data link layer
address on the local link is changed.
Router Discovery
The RD function locates neighbor routing devices and learns the prefixes and parameters for
address autoconfiguration. The IPv6 RD function is implemented using the following
mechanism:
l Router solicitation
When no unicast address is specified for a host (for example, when the system is just
restarted), the host sends an RS message. The RS message helps the router quickly
implement autoconfiguration without waiting for an RA message sent by the IPv6
routing device. The IPv6 RS message is an ICMPv6 message of Type 133.
l Router advertisement
After IPv6 RA is configured on interfaces of a routing device, the routing device
periodically sends an RA message. After receiving an RS message from an IPv6 node on
the local link, a routing device replies with an RA message. The IPv6 RA message is
sent to the multicast address (FF02::1) of all nodes or to the IPv6 unicast address of the
node that sends the RS message. The IPv6 RA message is an ICMPv6 message of Type
134. The IPv6 RA message includes the following contents:
– Whether address autoconfiguration is enabled or disabled
– Supported autoconfiguration type, stateless or stateful
– One or multiple local link prefixes: The nodes on the local link can implement
address autoconfiguration using these prefixes.
– Lifecycle of an advertised prefix of the local link
– Whether the router that sends an RA message can serve as a default routing device.
If the router serves as a default routing device, the time (in seconds) for the router
serving as the default routing device is included.
– Other information about the host, including the hop limit and MTU specified for
messages initiated by the host.
The IPv6 node on the local link receives an RA message and obtains the default routing
device, prefix list, and other settings.
Address Autoconfiguration
By using RA messages and identifying each prefix, a routing device can instruct the host how
to implement the address autoconfiguration. For example, the routing device can configure
the host to use the stateful address setting or stateless address autoconfiguration.
If the stateless address autoconfiguration is used and an RA message arrives, the host
automatically generates an IPv6 address by using the prefix and local interface ID carried in
the message and sets the default routing device.
Redirection
A redirection message notifies a host of the ideal next-hop IPv6 address to the destination.
Similar to IPv4, the IPv6 routing device sends a redirection message to only redirect the
message to a better routing device. The node that receives the redirection message sends
subsequent messages to the new routing device. The routing device sends the redirection
message only for the unicast flow. The redirection message is only sent to and processed by
the node (host) that initiates the redirection message.
CGA
A CGA is an IPv6 address that a node uses a public key and the hash algorithm to generate. A
node discards packets that fail CGA authentication to defend against spoofing attacks. CGAs
are used with the RSA signature mechanism to protect packet integrity.
The procedure for generating a CGA and an RSA signature on a node is as follows:
After receiving a packet with CGA and RSA options, a node authenticates the packet as
follows:
1. Obtains the CGA parameter data structure from the CGA option.
2. Computes a hash value based on the CGA parameters data structure, with the least
significant 64 bits as the network ID.
3. Checks whether the generated network ID matches that in the source IP address of the
packet.
4. Obtains the public key from the CGA parameter data structure to authenticate the RSA
signature.
After a CGA is generated, ND packets to be sent by the interface must meet the following
requirements:
l NS (excluding DAD messages), NA, RA, and Redirect messages carry CGAs as source
addresses.
l NS, NA, RA, and Redirect messages carry the following options:
– CGA option: contains the CGA parameter data structure.
– RSA option: contains signatures.
– Timestamp option: the current time of the device.
l The NS message carries the Nonce option that contains a random number. The NA
message responding to the NS message also carries the same Nonce option.
Timestamp
A SEND-enabled node uses timestamps carried in ND messages to defend against replay
attacks during non-NS/NA message transmission. After SEND is enabled, a node maintains
the Delta and Fuzz parameters, After receiving ND messages, the node checks for message
mis-sequence on RFC 3971 and discards incorrect messages.
Nonce
Nonce is a random value that serves as a label of a current session. Nonce is used to defend
against replay attacks during NS/NA message transactions. A node generates a random value
and adds it to NS messages before sending the NS messages to request link-layer addresses of
other nodes. After receiving the NS messages, the receivers send NA messages that carry the
same random value in the received NS messages.
Router Authorization
To prevent attackers from sending packets in the name of routers, SEND introduces CPS and
CPA messages to verify router identities.
Routers must apply for certificates from the Certificate Authority (CA). The certificates
contain routers' identity information, public keys, and CA digital signatures.
Prerequisites
Before configuring a static neighbor, configure the IPv6 address for an interface.
Procedure
Step 1 Access the system view.
system-view
Static neighbors can be configured for Ethernet, GE,and Eth-Trunk interfaces and their sub-
interfaces. You can configure up to 300 neighbors on each interface.
----End
Follow-up Procedure
Run the display ipv6 neighbors command to check the cache of the neighbor information
containing neighbors' IPv6 addresses and the specified interfaces.
<sysname> display ipv6 neighbors gigabitethernet 1/0/0
--------------------------------------------------------
IPv6 Address : 2001:DB8::2
Link-layer : 00e0-fc89-fe6e State : STALE
Interface : GE1/0/0 Age : 00h19m12s
VLAN : - CEVLAN: -
VPN name : vpn1 Is Router: TRUE
Secure FLAG : UN-SECURE
---------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
Run the display ipv6 interface command to view the interval at which RA messages are
advertised.
<sysname> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state :
UP
Global unicast
address(es):
3000::1, subnet is
3000::/64
Joined group
address(es):
FF02::1:FF00:1
FF02::2
FF02::1
FF02::1:FF48:3EF
MTU is 1500
bytes
Procedure
Step 1 Run:
system-view
When the maximum interval is less than 9 seconds, the minimum interval is set to the same
value as the maximum interval.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
RA messages are configured not to carry the default prefix generated based on the interface
IPv6 address.
By default, RA messages carry the default prefix generated based on the interface IPv6
address.
Step 4 Run:
ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | ipv6-prefix/ipv6-prefix-
length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]
The prefix configuring using the ipv6 nd ra prefix command takes precedence over the
default prefix generated based on the interface IPv6 address. An RA message can carry a
maximum of 10 prefixes. If exactly 10 prefixes have been manually configured, the default
prefix will not be carried.
NOTE
If stateless address allocation is used, you must specify the prefix length as 64. Otherwise, the address
does not take effect, and RA messages will be discarded.
----End
Context
Duplicate Address Detect (DAD) is a process of IPv6 automatic address configuration. You
can configure the number of DAD messages which are sent continuously.
Set the interval of sending Neighbor Solicitation (NS) messages on the device.
Neighbor Unreachability Detection (NUD) checks the reachability of neighbors.
The MTU of the interface determines whether to fragment IP packets on the interface.
Procedure
Step 1 Run:
system-view
NOTE
l If the ipv6 nd ra hop-limit command has been run on an interface, the hop limit for an Router
Advertisement(RA) message uses the value configured on the interface.
l If the ipv6 nd ra hop-limit command has not been run on an interface, the hop limit for an RA
message uses the value configured globally, that is, the value configured in the ipv6 nd hop-limit
command.
Step 5 Run:
ipv6 nd ra router-lifetime ra-lifetime
NOTE
l When the ipv6 nd ra command is run to set the interval for advertising RA messages, the interval
must be less than or equal to the life duration.
l By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds.
l By default, the life duration of RA messages is 1800 seconds. If the prefix is configured, the
duration is still 1800 seconds.
Step 6 Run:
ipv6 nd dad attempts value
Step 7 Run:
ipv6 nd ns retrans-timer interval
The maximum number of dynamic neighbor entries that can be learned by a specified
interface is configured.
By default, an interface can learn a maximum of 1024 dynamic neighbor entries.
NOTE
You can set a maximum number of neighbor entries that can be learned by a VLANIF interface
dynamically using the ipv6 nd neighbor-limit command. The ipv6 nd neighbor-limit command takes
effect only on a VLANIF interface.
----End
Context
If a host is connected to multiple routers, the host must select a router to forward packets
based on the destination addresses of packets. The FW can advertise the default router priority
and specified route information to the host so that the host can select a proper forwarding
router based on the destination addresses of packets.
After receiving the RA packets carrying the route information, the host updates its routing
table. When sending packets to another device, the host queries the routing table and selects a
proper route to send packets.
When receiving the RA packets that carry the priority of default routers, the host updates its
default router table. When sending packets to another device, if there is no route to be
selected, the host queries the default router table. Then, the host selects a router with the
highest priority on the local link to send packets. If the router is faulty, the host selects another
router in descending order of priority.
Procedure
Step 1 Run:
system-view
----End
Context
A device uses neighbor advertisement (NA) packets to establish neighbor entries, which does
not comply with RFC 4861. To comply with RFC 4861, enable IPv6 ND strict learning. After
you enable IPv6 ND strict learning on a device, the device uses NA packets only in response
to neighbor solicitation (NS) packets to establish neighbor entries.
Procedure
l Enable IPv6 ND strict learning globally.
a. Run:
system-view
NOTE
This command applies only to VLANIF interfaces, Eth-Trunk interfaces and Eth-trunk sub-
interfaces.
c. Run:
ipv6 nd learning strict { force-disable | force-enable | trust }
----End
4.12.3.8 Setting an Aging Time for Neighbor Entries in the Stale State
This section describes how to set an aging time for neighbor entries in the stale state. A short
aging time allows the device to delete neighbor entries in the stale state quickly.
Procedure
l Set an aging time for a neighbor entry in the stale state in the system view.
a. Run:
system-view
The default aging time of neighbor entries in the stale state is 1200s in the system
view.
l Set an aging time for a neighbor entry in the stale state in the interface view.
a. Run:
system-view
An aging time is set for a neighbor entry in the stale state on the interface.
By default, no aging time is set for neighbor entries in the stale state in the interface
view, and all interfaces use the global configuration.
----End
Context
The procedure for generating the CGA and RSA signature on a node is as follows:
After receiving a packet with CGA and RSA options, a node authenticates the packet as
follows:
1. Obtains the CGA parameters data structure from the CGA option.
2. Computes the hash value based on the CGA parameters data structure, with the last 64-
bit of the value as a network ID.
3. Check whether the generated network ID matches that in the source IP address of the
packet.
4. Obtains the public key from the CGA parameters data structure to authenticate the RSA
signature.
After CGAs are generated, the interface sends ND packets based on the following rules:
l The CGA is a source IP address of the NS (excluding DAD messages), NA, RA, and
Redirect messages sent by the interface.
l The NS, NA, RA, and Redirect messages sent by the interface all carry the following
information:
– CGA option: contains the CGA parameters data structure
– RSA option: contains signatures.
– Timestamp option: represents the current time of the device.
l The NS message sent by the interface carries the Nonce option containing a random
number. The NA message replied by the interface also carries the Nonce option
containing the Nonce value in the received NS message.
NOTE
Procedure
Step 1 Access the system view.
system-view
NOTICE
After the command is executed, you are prompted to enter the length of host key. To enhance
security, the length of host key is recommended to be longer than 1024 bits.
Step 4 Run:
ipv6 security rsakey-pair key-label
The RSA key pair is bound to the interface to generate a CGA address.
Step 5 Run:
ipv6 security modifier sec-level sec-value [ modifier-value ]
The modifier value and security level are configured for the CGA address.
The modifier value can be manually configured only when the security level of the CGA
address is 0.
Step 6 Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga
Or
ipv6 address ipv6-address link-local cga
----End
Follow-up Procedure
Run the ipv6 nd security strict command to enable the strict security mode on the interface.
NOTE
If a local device is enabled with the strict security mode whereas the remote device is not, the local
device considers the messages sent by the remote device invalid and discards them.
Context
When working in strict security mode, an interface regards the received ND message insecure
and discards it in the following cases:
l The rate of processing the received ND message exceeds the rate limit of the system.
l The key length in the received ND message is out of the length range allowed on the
interface.
l The difference between the receive time and the send time of the ND message is out of
the time range allowed on the interface.
NOTE
On a link, device A is configured with strict IPv6 SEND whereas device B is not. In this case, device A
regards the ND messages sent from device B insecure and rejects them.
Procedure
Step 1 Run:
system-view
Step 3 Run:
interface interface-type interface-number
Step 6 Run:
ipv6 nd security strict
----End
4.12.5 Maintaining ND
After configuring IPv6 ND, you can run the display commands to view the related
configuration. You can also clear configuration information if necessary.
Display IPv6 neighbor display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-
information in the type interface-number ]
cache.
Table 4-60 list the commands run in the user view to reset IPv6.
Clear IPv6 neighbor reset ipv6 neighbors { all | dynamic | static | vid vlan-id
entries in the cache. [ interface-type interface-number ] | interface-type interface-
number [ dynamic | static ] }
Networking Requirements
FW_A and FW_B are connected on the network shown in Figure 4-90. GigabitEthernet 1/0/1
on FW_A automatically obtains an IPv6 address to communicate with FW_B.
FW_A FW_B
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable stateless address autoconfiguration on FW_A to enable GigabitEthernet 1/0/1 to
automatically obtain an IPv6 address.
2. Configure a global unicast address on FW_B and enable RA advertisement to use an RA
message to advertise an IPv6 prefix to FW_A.
Procedure
Step 1 Configure FW_A.
# Enable IPv6.
<FW> system-view
[FW] sysname FW_A
[FW_A] ipv6
----End
Configuration Verification
1. Display the IPv6 address of GigabitEthernet 1/0/1. The IPv6 address prefix is 3001::/64.
Run the display this ipv6 interface command to view the IPv6 address of
GigabitEthernet 1/0/1.
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] display this ipv6 interface
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state :
UP
IPv6 is enabled, link-local address is
FE80::200:5EFF:FEB5:400
Global unicast
address(es):
3001::200:5EFF:FEB5:400, subnet is
3001::/64
Joined group
address(es):
FF02::1:FFB5:400
FF02::2
FF02::1
MTU is 1500
bytes
ND DAD is enabled, number of DAD attempts:
1
ND reachable time is 30000
milliseconds
ND retransmit interval is 1000
milliseconds
Hosts use stateless autoconfig for addresses
2. Display default routes in the IPv6 FIB table. The destination address is ::.
# Run the display ipv6 fib command to view the default routes in the IPv6 FIB table.
[FW_A] display ipv6 fib
IPv6 FIB
Table:
Total number of Routes :
5
Destination: :: PrefixLength : 0
Nexthop : FE80::200:5EFF:FE87:4003 Flag :
GSU
Label : NULL Tunnel Token :
0
PortIndex : 1 Tunnel ID :
0
TimeStamp : Date- 17:10:2011, Time- 14:40:14 reference :
1
Interface : GigabitEthernet1/0/1
IP6Token :
0x0
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return
4.12.7.1 Specifications
This section describes the specifications of neighbor discovery.
Function Specifications
Function Description Supported or Not
Duplicate address detection DAD checks the availability Supported by all models.
(DAD) of IPv6 addresses.
4.13 IP Performance
This section describes IP performance parameter concepts and how to configure the
parameters.
4.13.1 Overview
On specific networks, IPv4/IPv6 parameters must be adjusted to achieve optimal network
performance.
IPv4 Performance
You can achieve better performance by adjusting parameters of some IPv4 features in
different application scenarios.
IPv4 performance optimization can be performed only after a device is enabled with specific
functions, such as the interface maximum transmission unit (MTU), Internet Control Message
Protocol (ICMP) function, and TCP attributes.
ICMP messages are used by either the IP layer or the higher layer protocol (TCP or UDP).
ICMP error messages require your attention.
IPv6 Performance
Because 32-bit IPv4 addresses may be exhausted, 128-bit IPv6 addresses are increasingly
used. Most IPv6 applications are the same as IPv4 applications. Only some commands,
interface configurations, and parts of applications are different.
IPv6 PMTU
The problem that different networks have different maximum transmission units (MTU) can
be solved in the following ways:
Context
IP spoofing enables an attacker changes its own IP address into that of an intranet user or a
trusted external user to obtain information without authorization.
Source IP address verification: After receiving an IP packet, an interface verifies the source IP
address of the packet. If the source IP address does not belong to the network segment on
which the interface resides, the packet is discarded; otherwise, the packet is allowed to pass.
Source IP address verification helps defend against IP spoofing attacks.
Procedure
Step 1 Access the system view.
system-view
----End
Context
When a network device transmits a packet, if the Maximum Transfer Unit (MTU) configured
on the device is shorter than the length of the packet, the packet is fragmented before
transmission. In an ideal case, fragment packets are transmitted in a fixed order. During actual
transmission, the initial fragment packet may not be the first to reach the FW.
To ensure that sessions work normally, the FW supports the fragment cache function by
default. After the fragment cache function is enabled, the system caches the follow-up
fragment packets that reach the firewall earlier than the initial fragment packet. When the
initial fragment packet reaches, the system forwards all the fragment packets. A maximum of
eight follow-up fragment packets can be cached before the initial fragment packet arrives.
You can configure direct forwarding of fragment packets on the FW according to the actual
network situations, instead of caching the fragment packets.
Procedure
Step 1 Run:
system-view
Step 2 Run:
firewall fragment-forward enable
After direct forwarding of fragment packets is enabled, the FW directly forwards fragment
packets rather than caches them.
----End
Context
If the device is allowed to receive and forward broadcast packets with destination IP
addresses on the specific network where the interface resides, a hacker can use these packets
to attack the network system. By default, the device cannot receive or forward broadcast
packets with the destination IP addresses on the network segment, on which the interface
resides.
Procedure
Step 1 Access the system view.
system-view
----End
Context
The MTU of the interface has the effects on whether to fragment the packets on the interface.
The default MTU value varies with the interface type. Use the display interface command to
find out the value used.
NOTE
After configuring the MTU on an interface, you must restart the interface; otherwise, the configuration
cannot take effect. To restart the interface, run the restart command or the shutdown and then undo
shutdown commands.
Procedure
Step 1 Access the system view.
system-view
The MTU can be configured on Ethernet, GE, and Eth-Trunk interfaces and their sub-
interfaces, and POS interfaces.
----End
Context
The TCP attributes are as follows:
l SYN-WAIT timer
TCP starts the SYN-WAIT timer before sending SYN packets. If no response packets are
received after the SYN-WAIT timer expires, a TCP connection is terminated.
l FIN-WAIT timer
The FIN-WAIT timer starts after a TCP connection changes from FIN_WAIT_1 to
FIN_WAIT_2. If no FIN packets are received after the FIN-WAIT timer expires, a TCP
connection is terminated. If FIN packets are received, the TCP connection changes to the
TIME_WAIT state. If non-FIN packets are received, TCP restarts the SYN-WAIT timer
upon receiving the last non-FIN packet and terminates the TCP connection after the
SYN-WAIT timer expires.
l TCP sliding window size
The TCP sliding window size is size of the buffer for sent and received packets on a TCP
socket.
l MSS
The MSS of a TCP packet is the maximum length allowed for a TCP packet sent from
the peer end to the local end. After a TCP connection is established, both ends notify
each other of their MSSs in TCP packets. After recording the peer end's MSS, the local
end only sends TCP packets smaller than the MSS. If a TCP packet from the peer end is
smaller than the local end's MSS, the packet is not segmented; otherwise, the peer end
must send the packet after segmenting it.
NOTICE
Modifying TCP attributes greatly affects the packet forwarding. Exercise caution when
performing this operation. Unless otherwise specified, use the default values.
Procedure
Step 1 Access the system view.
system-view
The MSS is equal to the interface MTU deducted by 40 bytes (20-byte IP header and 20-byte
TCP header). If Point-to-Point Protocol over Ethernet (PPPoE) dialup is used, additional 8
bytes (PPPoE header) must be deducted. The interface MTU deducted by 48 bytes is the MSS
value.
For example:
If the interface MTU changes from 1500 bytes to 1450 bytes, the new MSS must be 1410
bytes (1450-20-20).
If the interface MTU is 1500 and PPPoE dialup is used, the MSS must be set to 1452 bytes
(1500-20-20-8).
NOTE
The firewall tcp-mss command only takes effect on subsequent TCP connections, not established ones.
----End
Context
ICMPv6 error packets can be classifiedinto the following types:
Procedure
Step 1 Access the system view.
system-view
Step 2 Set the capacity of the token bucket and refreshing cycle for sending ICMPv6 error packets.
ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
----End
Context
For details on the SYN-Wait timer, FIN-Wait timer, and buffer size of TCP attributes, see
Configuring TCP Attributes.
Procedure
Step 1 Access the system view.
system-view
The default size of the TCP IPv6 packet sending/receiving buffer is 8 KB.
----End
----End
Follow-up Procedure
If the IPv6 MTU value is changed, run the shutdown command and the undo shutdown
command in the interface view to make the configuration take effect.
Run the display ipv6 interface command to view the current IPv6 MTU on the interface.
<sysname> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
----End
Follow-up Procedure
Run the display ipv6 pathmtu static command to view information about static PMTU
entries.
<sysname> display ipv6 pathmtu static
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type FF
2001:1::1:2 0 1500 - Static No
-------------------------------------------------------------------------------
Static: 1
----End
Follow-up Procedure
Run the display ipv6 pathmtu dynamic command to view information about the dynamic
PMTU entries.
<sysname> display ipv6 pathmtu dynamic
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
FF
fe80::12 0 1300 40 Dynamic
YES
-------------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0
Display current socket display ip socket [ monitor ] [ task-id task-id socket-id socket-
information. id | sock-type socket-type ]
Action Command
4.13.5.1 Specifications
This section describes the specifications of IP performance.
Function Specifications
Function Description Supported or Not
Performance Specifications
Function Specifications
5 Routing
IS-IS supports multiple types networking layer protocols, including IPv6. In an IPv6 network,
you can implement interconnection by configuring IS-IS.
5.10 BGP
BGP is used between ASs to transmit routing information on large-scale and complex
networks.
5.11 BGP4+
BGP4+, which is applicable to the large-scale IPv6 network with a complicated structure, is
used between ASs to transmit routing information.
5.12 Routing Policy
Routing policies are used to filter routes to change the path through which network traffic
passes.
5.1.1 Overview
Routing is the basic element of data communication networks. It is the process of selecting
paths on a network along which packets are sent from a source to a destination.
Routes are classified into the following types based on the destination address:
l Network segment route: The destination is a network segment. The subnet mask of an
IPv4 destination address is less than 32 bits or the prefix length of an IPv6 destination
address is less than 128 bits.
l Host route: The destination is a host. The subnet mask of an IPv4 destination address is
32 bits or the prefix length of an IPv6 destination address is 128 bits.
Routes are classified into the following types based on whether the destination is directly
connected to a router:
l Direct route: The router is directly connected to the network where the destination is
located.
l Indirect route: The router is indirectly connected to the network where the destination is
located.
Routes are classified into the following types based on the destination address type:
l Unicast route: The destination address is a unicast address.
l Multicast route: The destination address is a multicast address.
devices are deployed. The configurations of dynamic routes are complex. Dynamic routes
have higher requirements on the system than static ones and consume network resources and
system resources.
Each entry in the FIB table contains the physical or logical interface through which a packet is
sent to a network segment or a host, and then it can reach the next router. Besides, the entry
also indicates that the packet can be directly sent to a destination host in the directly
connected network.
Routing Table
Each router maintains the protocol routing table for each protocol and a local core routing
table (or routing management table).
l Protocol routing table
A protocol routing table stores the routing information discovered by the protocol.
A routing protocol can import and advertise the routes that are discovered by other
protocols. For example, if a router that runs the Open Shortest Path First (OSPF)
protocol needs to use OSPF to advertise direct routes, static routes, or Intermediate
System-Intermediate System (IS-IS) routes, the router must import the routes to the
OSPF routing table.
l Local core routing table
A router uses the local core routing table to store protocol routes and preferred routes.
The router then delivers the preferred routes to the FIB table to guide the packets
forwarding.
The router selects routes according to the priorities of protocols and costs in the routing
table. You can run the display ip routing-table command to view the local core routing
table of a router.
NOTE
The router that supports the Layer 3 Virtual Private Network (L3VPN) maintains a local core
routing table for each VPN instance.
– The network address of the destination host or the router is obtained through the
"AND" operation on the destination address and network mask. For example, if the
destination address is 10.1.1.1 and the mask is 255.255.255.0, the address of the
network where the host or the router resides is 10.1.1.0.
– The network mask is composed of several consecutive 1s. These 1s can be
expressed either in the dotted decimal notation or in the number of consecutive 1s
in the mask. For example, the network mask can be expressed either as
255.255.255.0 or as 24.
l Proto: indicates the protocol through which routes are learned.
l Pre: indicates the preference added to the IP routing table for a route. To the same
destination, multiple routes with different next hops and outgoing interfaces exist. These
routes may be discovered by different routing protocols, or they may just be the
manually configured static routes. The route with the highest preference (the smallest
value) is selected as the optimal route.
l Cost: indicates the route cost. When multiple routes to the same destination have the
same preference, the route with the smallest cost is selected as the optimal route.
NOTE
Preference is used to compare the preferences of various routing protocols, while cost is used to
compare the preferences of different routes of the same routing protocol.
l NextHop: indicates the IP address of the next router that an IP packet passes through.
l Interface: indicates the outgoing interface through which an IP packet is forwarded.
According to the destination, the routes can be divided into the following types:
l Subnet route: The destination is a subnet.
l Host route: The destination is a host.
In addition, based on whether the destination is directly connected to the router or not, routes
fall into the following types:
l Direct route: The router is directly connected to the network in which the destination
resides.
l Indirect route: The router is not directly connected to the network in which the
destination resides.
You can set a default route to reduce the number of entries in the routing table. All the packets
that fail to match entries in the routing table are forwarded through this default route. For
example, in the preceding routing table, the route whose destination address is 0.0.0.0/0 is a
default route.
As shown in Figure 5-1, FW_A is connected with three networks, so it has three IP addresses
and three physical interfaces. Figure 5-1 shows the routing table of FW_A.
10.10.0.0/8
GE2/0/0 GE3/0/0
10.2.2.1/24 10.3.3.1/24
FW_A
Router_C Router_D
10.2.2.2/24 10.3.3.2/24
10.20.0.0/8 10.30.0.0/8
NOTE
The complete routing table contains active routes and inactive routes. The brief routing table contains
only active routes. You can run the display ip routing-table verbose command to view the complete
routing table.
After receiving a packet that carries the destination address 10.1.2.1, a router searches the
following table:
FIB Table:
Total number of Routes : 5
Destination/Mask Nexthop Flag TimeStamp Interface
TunnelID
0.0.0.0/0 10.0.0.2 SU t[37] GigabitEthernet1/0/0
0x0
172.16.0.0/16 10.0.0.2 DU t[37] GigabitEthernet1/0/0
0x0
10.0.0.0/8 10.2.0.2 DU t[9992] GigabitEthernet1/0/1
0x0
10.1.0.0/16 10.0.0.2 DU t[9992] GigabitEthernet1/0/1
0x0
192.168.1.0/24 10.2.0.1 U t[9992] GigabitEthernet1/0/1
0x0
The FW performs the "AND" operation on the destination address 10.1.2.1 and the masks 0,
8, 16, and obtains the network segment addresses: 0.0.0.0/0, 10.0.0.0/8, and 10.1.0.0/16. The
three addresses match the three entries, namely, 0.0.0.0/0, 10.0.0.0/8, and 10.1.0.0/16. At last,
the FW chooses the 10.1.0.0/16 entry according to the longest match and forwards the packet
through Pos 2/0/0.
Routing protocols (including the static route) can learn different routes to the same
destination, but not all routes are optimal. Only one routing protocol at one time determines
the optimal route to a destination. To select the optimal route, each routing protocols
(including the static route) is configured with a preference (the smaller the value, the higher
the preference). When multiple routing information sources coexist, the route with the highest
preference is selected as the optimal route (the smaller the value is, the higher the preference
is). Table 5-1 lists the routing protocols and the default preferences of routes found by each
protocol.
In Table 5-1, 0 indicates the direct route, and 255 indicates any route learned from unreliable
sources.
DIRECT 0
OSPF 10
IS-IS 15
STATIC 60
RIP 100
IBGP 255
EBGP 255
Except for direct routes, you can manually configure a routing protocol's preference. In
addition, the preference for each static route can be distinct from the other routes.
The FW also defines the external preference and internal preference. External preference is
the preference set by a user for each routing protocol. Table 5-1 shows the default external
preference.
If different routing protocols are configured with the same preference, the system determines
which routes discovered by these routing protocols become the preferred routes through an
internal preference. Table 5-2 shows the internal preferences of routing protocols.
DIRECT 0
OSPF 10
IS-IS Level-1 15
IS-IS Level-2 18
STATIC 60
UNR 65
RIP 100
IBGP 200
EBGP 20
For example, two routes, an OSPF route and a static route, can reach the destination
10.1.1.0/24, and the preferences of both routes are set to 5. In this case, the FW determines the
optimal route according to the internal preferences listed in Table 5-2. The internal preference
value 10 of OSPF is higher than the internal preference value 60 of the static route. Therefore,
the system selects the route discovered by OSPF as the optimal route.
Different routing protocols may discover different routes because they use different
algorithms. If multiple routing protocols run on a large network, the routing protocols need to
re-advertise the routes they discover.
Each routing protocol can import the routes discovered by other routing protocols, direct
routes, and static routes using its mechanism.
l Path length
The path length is the most common factor affecting the route metric. Link-state routing
protocols allow you to assign a link cost for each link to identify the path length of a
link. In this case, the path length is the sum of link costs of all the links that packets pass
through. Distance-vector routing protocols use the hop count to identify the path length.
The hop count is the number of devices that packets pass through from the source to the
destination. For example, the hop count from a router to its directly connected network is
0, and the hop count from a router to a network that can be reached through another
router is 1. The rest can be deduced in the same manner.
l Network bandwidth
The network bandwidth is the transmission capability of a link. For example, a 10-
Gigabit link has a higher transmission capability than a 1-Gigabit link. Although
bandwidth defines the maximum transmission rate of a link, routes over high-bandwidth
links are not necessarily better than routes over low-bandwidth links. For example, when
a high-bandwidth link is congested, forwarding packets over this link will require more
time.
l Load
The load is the degree to which a network resource is busy. You can calculate the load by
calculating the CPU usage and packets processed per second. Monitoring the CPU usage
and packets processed per second continually helps learn about network usage.
l Communication cost
The communication cost measures the operating cost of a route over a link. The
communication cost is another important indicator, especially if you do not care about
network performance but the operating expenditure.
The FW supports the multi-route mode. Users can configure multiple routes with the same
destination and the same preference. If the destinations and costs of the multiple routes
discovered by a routing protocol are the same, you can implement load balancing among the
routes. To implement load balancing, run the maximum load-balancing number command in
each protocol view. The load balancing is classified into the following types:
l Packet-by-packet
When the packet-by-packet load balancing is configured, FW at the network layer
forward packets to the same destination through various equal-cost paths. That is, FW
always choose the next hop address that is different from the last one to send packets.
Figure 5-2 shows the networking for the packet-by-packet load balancing.
GE1/0/0 RouterB
RouterC
In the illustration, FW sends packets to the destination address 10.1.1.0/24. Packets P1,
P2, P3, P4, P5, and P6 need to be forwarded to the destination. To balance the load, FW
sends packets to the destination address by alternating between the two interfaces, as
follows:
– P1 through GE1/0/0
– P2 through GE1/0/1
– P3 through GE1/0/0
– P4 through GE1/0/1
– P5 through GE1/0/0
– P6 through GE1/0/1
l Session-by-session
When session-by-session load balancing is configured, FW forward packets according to
the source address, destination address, source port, destination port, and protocol
contained in the packets. When the five factors are the same, FW always choose the
same next hop address as the last one used to send the packets. Figure 5-3 shows
networking for session-by-session load balancing.
RouterB
GE1/0/0
10.1.1.0/24
P1-P6 10.1.1.0/24
FW 10.2.1.0/24
10.2.1.0/24
P1-P6 RouterD
GE1/0/1
RouterC
In real application, the protocols that support load balancing are RIP, OSPF, BGP, and IS-IS.
Besides, static routes also support load balancing.
Definition
Routes can be set with different convergence priorities, such as critical, high, medium, and
low. The system performs route convergence based on the convergence priorities and a
convergence rule. In other words, the system schedules the convergence of routes with
different convergence priorities in proportion to a weighting scheme.
Purpose
With the integration of network services, the services must be differentiated. As required by
operators, the routes for key services, such as Voice over IP (VoIP), video conferences, should
converge as fast as possible, while the routes for common services can be converged
relatively slowly. To improve network reliability, the system converges routes in a manner
based on their convergence priorities.
Principle
Table 5-3 shows the default convergence priorities of public routes. The routing protocols
first compute and deliver routes of high convergence priorities to the system. By default, the
system converges routes according to the scheduling weight values assigned to the
convergence priorities in the proportions of critical:high:medium:low = 8:4:2:1. You can re-
configure the scheduling weight values as required.
Direct High
Static Medium
RIP Low
BGP Low
NOTE
For private routes, only 32-bit host routes of OSPF and IS-IS can be identified as medium and all other
routes are identifies as low.
----End
Step 2 View details on OSPFv2 routes on the OSPFv2 Route List page.
Parameter Description
Type The value can be Stub, Rtr, Net, SNet, ASB, ASE, GM, or
NSSA.
Step 3 Click of "Precess ID: ID Route ID: ID" to view details of the OSPF routing table.
Parameter Description
----End
Step 2 In OSPFv3 Route List, check the details about OSPFv3 routes.
Parameter Description
Next Hop Indicates the next hop pointing to the destination address.
----End
Step 2 View details on BGP routes on the BGP Route List page.
Parameter Description
Status Indicates the BGP route status, such as valid and optimal.
PrefVal Indicates the preferred value of the route learned from the peer.
----End
Context
NOTE
You can view only the active routes in the routing table.
Procedure
Step 1 Choose Network > Route > Routing Table.
Step 2 Configure the search conditions.
Parameter Description
Protocol/Destination (Mask) Select the protocol type when you query routes by
protocol.
l All: Query routes of all protocols.
l Direct: Query only the direct routes.
l Static: Query only the static routes.
l UNR: Query only the UNR routes.
l BGP: Query only the BGP routes.
l OSPF: Query only the OSPF routes.
l RIP: Query only the RIP routes.
Enter the destination IP address and mask when you
query routes by destination address and mask. If you
do not enter a mask, the route to a specific host is
displayed.
----End
need to reset connections to set up the normal neighbor relationship after you specify the
router IDs.
Context
The global router ID to be configured must be different from other router IDs on the network.
Generally, the router ID is set to the IP address of an interface on the router.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Run the router id router-id command configure the global router ID.
By default, the global router ID is not configured.
----End
Follow-up Procedure
Run the display router id command to query the configured router ID.
<FW> system-view
[FW] router id 10.1.1.1
[FW] display router id
RouterID:1.1.1.1
Context
Before applying a routing policy, you should set the matching rules, that is, filters. Compared
with an ACL, an IP prefix list is more flexible. When the IP prefix list is used to filter routes,
it matches the destination address of a route.
A prefix list is identified by its list name. Each prefix list can include multiple entries. Each
entry can independently specify the matching range of a network prefix form and identify it
with an index number. For example, the following is a prefix list named abcd:
#
ip ip-prefix abcd index 10 permit 10.1.0.0 16
ip ip-prefix abcd index 20 permit 10.2.0.0 16
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length
[ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
A prefix list is configured.
The range of mask length can be specified as mask-length <= greater-equal-value <= less-
equal-value <= 32. If only greater-equal is specified, the range of the prefix is from greater-
equal-value to 32; if only less-equal is specified, the range of the prefix is from [ mask-length
to less-equal-value ].
During the matching, the system checks entries identified by the index number in the
ascending order. Once an entry meets the condition, it means that all entries pass the IP-prefix
filtering. The system does not match other entries.
If all entries are in deny mode, no routes can pass this filtering list. You are recommended to
define an permit 0.0.0.0/0 less-equal 32 entry after the multiple entries in the deny mode,
thus allowing all the other routes to pass the IP-Prefix filtering.
NOTE
l If more than one IP-Prefix entry is defined, at least one entry should be in permit matching mode.
----End
Context
The IPv6 IP-prefix list is identified by the list name. Each prefix list contains multiple entries.
Each entry independently specifies a matching range in the format of network prefixes, and
uses the index number for identification.
During the matching, the system checks every entry in turn according to the index number in
an ascending order. As long as the routing information matches one entry, the filtering list is
passed, and other entries are no longer matched.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip ipv6-prefix ipv6-prefix-name [ index index-number ] { permit | deny } ipv6-address
prefix-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
An IPv6 prefix list is configured.
A prefix list is identified by its list name. Each prefix list can include multiple entries. Each
entry can independently specify the matching range of a network prefix form and identify it
with an index number. For example, the following is a prefix list named abcd:
#
ip ipv6-prefix abcd index 10 permit 1:: 64
ip ipv6-prefix abcd index 20 permit 2:: 64
During the matching, the system checks entries identified by the index number in the
ascending order. Once an entry meets the condition, it means that all entries pass the IP-prefix
filtering. The system does not match other entries.
If all entries are in deny mode, no routes can pass this filtering list. You are recommended to
define an permit :: 0 less-equal 128 entry after the multiple entries in the deny mode, thus
allowing all the other IPv6 routes to pass the IP-Prefix filtering.
NOTE
If more than one IP-Prefix entry is defined, at least one entry should be in permit matching mode.
----End
Display the routes to the specified display ip routing-table ip-address [ mask | mask-
destination IP address. length ] [ longer-match ] [ verbose ]
Display the routes defined in the display ip routing-table acl acl-number [ verbose ]
specified basic ACL.
Action Command
Display the route learned using the display ip routing-table protocol protocol
specified protocol. [ inactive | verbose ]
Display the routes to the specified display ipv6 routing-table ipv6-address prefix-
destination IP address. length [ longer-match ] [ verbose ]
Display the routes to the addresses display ipv6 routing-table ipv6-address1 prefix-
in the specified destination IP length ipv6-address2 prefix-length } [ verbose ]
address range.
Display the routes defined in the display ipv6 routing-table acl acl-number
specified basic ACL. [ verbose ]
Display the route filtered by the display ipv6 routing-table ip-prefix ipv6-prefix-
specified prefix list. name [ verbose ]
Display the route learned using the display ipv6 routing-table protocol protocol
specified protocol. [ inactive | verbose ]
Action Command
Clearing Routes
If you need to manually add a route, perform the following actions to clear the dynamic
routes. Statistics on cleared routes cannot be restored. Exercise caution before you clear any
routes.
Table 5-6 lists the commands for clearing routes. Perform these actions in the user view.
Clear the statistics in the IPv4 reset ip routing-table statistics protocol [ vpn-
routing table. instance vpn-instance-name ] { all | direct | bgp |
isis | ospf | rip | unr | static }
Clear the statistics in the IPv6 reset ipv6 routing-table [ vpn-instance vpn-
routing table. instance-name ] statistics protocol { all | bgp |
direct | isis | ripng | static | ospfv3 | unr }
Checking information about the routing management module is also a measure to locate
routing faults. You can run the display commands in any view to display and verify the
configurations.
Table 5-7 lists the commands for displaying the information about the routing management
module.
Action Command
5.3.1 Overview
This section provides the definition and purpose of static route.
Definition
Static routes need to be manually configured by the administrator.
Purpose
On a simple network, the administrator just needs to configure static routes so that the
network can run properly. Properly configuring and using static routes can improve network
performance and guarantee the required bandwidth for important applications.
When a network fault occurs or the network topology changes, however, static routes cannot
automatically change and must be changed manually by the administrator.
The FW supports common static routes and the static routes associated with Virtual Private
Network (VPN) instances. The static routes associated with VPN instances are used to
manage VPN routes.
5.3.2 Mechanism
This section describes the mechanism of IP static route.
On the FW, you can run the ip route-static command to configure a static route, which
consists of the following:
l Destination Address and Mask
l Outbound Interface and Next-Hop Address
Actually, each routing entry requires a next-hop address. Before sending a packet, a device
needs to search its routing table for the route matching the destination address in the packet by
using the longest match rule. The device can find the associated link layer address to forward
the packet only after the next-hop address of the packet is specified.
l For a Point-to-Point (P2P) interface, the next-hop address is specified after you specify
the outbound interface. That is, the address of the remote interface connected to this
interface is the next-hop address. For example, when a POS interface is encapsulated
with the Point-to-Point Protocol (PPP) and obtains the remote IP address through PPP
negotiation, you need to specify only the outbound interface rather than the next-hop
address.
l Non-Broadcast Multiple-Access (NBMA) interfaces (such as an ATM interface) are
applicable to Point-to-Multipoint (P2MP) networks. Therefore, IP routes and the
mappings between IP addresses and link layer addresses are required. In this case, you
need to configure next-hop addresses.
l When configuring static routes, it is not recommended to specify the Ethernet interface
or the virtual-template (VT) interface as the outbound interface. This is because an
Ethernet interface is a broadcast interface and a VT interface can be associated with
several virtual access (VA) interfaces. If the Ethernet interface or the VT interface is
specified as the outbound interface, a unique next hop cannot be determined because
multiple next hops exist. In actual applications, to specify a broadcast interface (such as
an Ethernet interface) or a VT interface as the outbound interface, you are recommended
specify the associated next-hop address.
As shown in Figure 5-5, the network topology is simple, and network communication can be
implemented through static routes. It is required to specify an address for each physical
network, identify indirectly-connected physical networks for each router, and configure static
routes for the indirectly-connected physical networks.
2 4
FW_B
1 5
FW_A FW_C
In Figure 5-5, static routes to networks 3, 4, and 5 need to be configured on FW_A; static
routes to networks 1 and 5 need to be configured on FW_B; static routes to networks 1, 2, and
3 need to be configured on FW_C.
FW_B
Preference=60
Preference=100
FW_A FW_C
FW_D
As shown in Figure 5-7, there are two static routes with the same preference from FW_A to
FW_C. The two routes exist in the routing table and forward data at the same time.
FW_B
Preference=60
Preference=60
FW_A FW_C
FW_D
Default routes are special routes. Generally, administrators can manually configure default
static routes. Default routes can also be generated through dynamic routing protocols such as
OSPF and IS-IS.
Default routes are used only when packets to be forwarded have no matching routing entry in
a routing table. In the routing table, a default route is the route to the network 0.0.0.0 (with the
mask also being 0.0.0.0). You can check whether the default route is configured by using the
display ip routing-table command.
If the destination address of a packet does not match any entry in the routing table, the packet
is sent through a default route. If no default route exists and the destination address of the
packet does not match any entry in the routing table, the packet is discarded. An Internet
Control Message Protocol (ICMP) packet is then sent, informing the originating host that the
destination host or network is unreachable.
Different from dynamic routing protocols, static routes do not have a detection mechanism.
As a result, when a fault occurs on the network, the administrator needs to handle it.
Bidirectional Forwarding Detection (BFD) for static route is introduced to bind a static route
to a BFD session so that the BFD session can detect the status of the link where the static
route resides.
After BFD for static route is configured, each static route can be bound to a BFD session.
l If the BFD session on the link of a static route detects that the link changes from Up to
Down, BFD reports it to the system. Then, the system deletes the route from the IP
routing table.
l When a BFD session is established on the link of a static route or the BFD session
changes from Down to Up, BFD reports it to the system. Then, the system adds the route
to the IP routing table.
l Single-hop detection
For a non-iterated static route, the configured outbound interface and next-hop address
are the information about the directly connected next hop. In this case, the outbound
interface bound to the BFD session is the outbound interface of the static route, and the
peer address is the next-hop address of the static route.
l Multi-hop detection
For an iterated static route, only the next-hop address is configured. Therefore, the
directly connected next-hop and outbound interface need to be iterated. In this case, the
peer address of the BFD session is the original next-hop address of the static route, and
the outbound interface is not specified. Generally, the original next hop to be iterated is
an indirect next hop. Therefore, multi-hop detection is performed on the static routes that
support route iteration.
Step 2 Under Configure Default Priority, enter the default priority for static routes in Default
Priority.
----End
Parameter Description
Parameter Description
Reliability Detection Reliability Detection for the static route. You can
select the mode from the followings:
l No Detection
l Binding BFD
l Binding IP-Link
Parameter Description
----End
Context
When configuring an IPv4 static route, you need to learn the following information:
l Destination address and mask
In the ip route-static command, the IPv4 destination address is in dotted decimal
notation. The mask can be in dotted decimal notation or can be represented by the mask
length, namely, the number of consecutive "1"s in the mask.
l Outbound interface and next hop address
When configuring a static route, you can specify either interface-type interface-number
or nexthop-address. Whether to specify the outbound interface or the next hop address
depends on the actual situation.
Actually, all routing entries must specify the next hop addresses. When sending a packet,
the router first searches the matched route in the routing table according to the
destination address. The link layer can find the corresponding link layer address and
forward the packet only when the next hop address is specified.
When specifying the outbound interface, note the following:
– For Point-to-Point (P2P) interfaces, if the outbound interface is specified, it
indicates that the next hop address is specified. The address of the peer interface
connected to this interface is the next hop address. For example, when a POS
interface is Point-to-Point Protocol (PPP) encapsulated, the peer IP address is
obtained through PPP negotiation. In this case, you need to specify only the
outbound interface.
– NBMA interface such as ATM interface supports Point-to-Multipoint (P2MP)
networks. In this case, you need to configure IP routes and set up the reroute table
on the link layer, namely, the mapping between IP addresses and link layer
addresses. In this case, the next hop IP address needs to be configured.
– When configuring static routes, you are recommended not to specify the Ethernet
interface as the outbound interface. The Ethernet interface is a broadcast interface .
In this case, multiple next hops occur and a unique next hop cannot be determined.
To specify a broadcast interface such as an Ethernet interface or an NBMA interface
as the outbound interface, you need to specify the next hop address of this interface.
l Other attributes
You can set different preferences for the static routes. This enables you to apply the RM
policy flexibly. For example, when configuring multiple routes to the same destination
address, you can set the same preference for these routes to implement load balancing.
You can also set different preferences to implement routing redundancy.
While configuring a static route by using the ip route-static command, if you set the
destination address and the mask to all "0"s (0.0.0.0 0.0.0.0), it indicates that a default
route is configured.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
l ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type
interface-number [ nexthop-address ] } [ preference preference | tag tag ] * [ track
{ bfd-session bfd-name | ip-link link-name | nqa admin-name test-name } | permanent ]
[ description text ]
l ip route-static ip-address { mask | mask-length } interface-type interface-number
[ nexthop-address ] [ preference preference | tag tag ] * ldp-sync [ description text ]
l ip route-static ip-address { mask | mask-length } vpn-instance vpn-instance-name
nexthop-address [ preference preference | tag tag ] * [ track { bfd-session bfd-name |
ip-link link-name | nqa admin-name test-name } | permanent ] [ description text ]
l ip route-static ip-address { mask | mask-length } vpn-instance vpn-instance-name
nexthop-address [ recursive-lookup host-route ] [ preference preference | tag tag ] *
[ inherit-cost | permanent ] [ description text ]
l ip route-static ip-address { mask | mask-length } nexthop-address [ recursive-lookup
host-route ] [ preference preference | tag tag ] * [ inherit-cost | permanent ]
[ description text ]
A static route is configured.
By default, no static route is configured.
Step 3 Run:
ip route-static default-preference preference
The default preference is set for the static route.
By default, the preference of the static route is 60.
When a static route is configured, the default preference is used if no preference is explicitly
specified. The new default preference is valid for only the added static routes.
----End
Context
Do as follows on the router to be configured with static FWs:
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
l ipv6 route-static dest-ipv6-address prefix-length interface-type interface-number
[ nexthop-ipv6-address ] [ preference preference | tag tag ] * [ description text ]
l ipv6 route-static dest-ipv6-address prefix-length nexthop-ipv6-address [ preference
preference | tag tag ] * [ inherit-cost ] [ description text ]
An IPv6 static route is configured.
When configuring a static route, you need to specify either the outbound interface or the next-
hop address according to the actual situation. If the outbound interface is a PPP interface, you
can simply specify the outbound interface. If the outbound interface is a broadcast interface,
you must also specify the next-hop address in addition to specifying the outbound interface.
NOTICE
Static routes with an outgoing interface do not support recursive routing.
----End
Follow-up Procedure
To view the configurations of IPv6 static routes, you can execute the following commands.
l Run the display ipv6 routing-table command to check brief information about the IPv6
routing table.
l Run the display ipv6 routing-table verbose command to check detailed information
about the IPv6 routing table.
l Run the display ipv6 routing-table protocol static command to check information of
the static IPv6 routes.
Context
Note the following when configuring unicast static routes:
l When the destination IP address and the mask are both 0.0.0.0, the configured route is
the default route.
l For the configuration of different preferences, different RM policies are adopted. For
example, to configure multiple routes to the same destination, load balancing is
performed if the routes have the same preference. Route backup is performed if the
routes have different preferences.
l To configure a static route, specify the egress or the next hop address as required. For the
interface that supports the resolution from network address to the link layer address or
the address of the point-to-point (P2P) interface, specify the egress or the next hop
address.
l Specify the next hop address if the type of the egress is broadcast.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
l ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type
interface-number [ nexthop-address ] } [ preference preference | tag tag ] * track bfd-
session bfd-name [ description text ]
l ip route-static ip-address { mask | mask-length } vpn-instance vpn-instance-name
nexthop-address [ preference preference | tag tag ] * track bfd-session bfd-name
[ description text ]
----End
Follow-up Procedure
To view the configurations of BFD for static routes, you can execute the following
commands.
l Run the display bfd session { all | discriminator discr-value } [ verbose ] [ slot slot-
id ] command to check the BFD sessions.
You can view the BFD session only after the parameters of the BFD session are
configured and the BFD session is set up.
l Run the display current-configuration | include bfd command to check the
configuration of BFD for static routes.
Table 5-8 shows the commands for checking the static route configuration.
Table 5-8 Checking the IPv4 and IPv6 static route information
Action Command
Networking Requirements
Figure 5-8 shows the IP addresses and masks of each FW interface and host. Static routes
must be configured to ensure the communication between any two hosts.
PC2
10.1.2.2/24
GE1/0/3
10.1.2.1/24
GE1/0/1 GE1/0/2
10.1.5.2/24 10.1.4.5/30
FW_B
FW_A FW_C
GE1/0/1 GE1/0/1
10.1.5.1/24 10.1.4.6/30
GE1/0/2 GE1/0/2
10.1.1.1/24 10.1.3.1/24
PC1 PC3
10.1.1.2/24 10.1.3.2/24
Item Data
Item Data
Configuration Roadmap
Perform the following procedures to configure IPv4 static routes:
Procedure
Step 1 Configure FW_A.
# Configure IP addresses for the interfaces and assign the interfaces to security zones.
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.1.5.1 255.255.255.0
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/2
[FW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[FW_A-GigabitEthernet1/0/2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 1/0/1
[FW_A-zone-trust] add interface GigabitEthernet 1/0/2
[FW_A-zone-trust] quit
Configure the default gateways of the host PC1, PC2, and PC3 to 10.1.1.1, 10.1.2.1, and
10.1.3.1 respectively. (The specific configuration command varies with host system. The
configuration details are not mentioned in this section.)
----End
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.5.2
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone trust
source-address 10.1.1.0 24
destination-address 10.1.2.0 24
destination-address 10.1.3.0 24
action permit
rule name sec_policy_2
source-zone trust
destination-zone trust
source-address 10.1.2.0 24
source-address 10.1.3.0 24
destination-address 10.1.1.0 24
action permit
#
return
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
#
security-policy
rule name sec_policy_1
source-zone trust
destination-zone trust
source-address 10.1.2.0 24
destination-address 10.1.1.0 24
destination-address 10.1.3.0 24
action permit
rule name sec_policy_2
source-zone trust
destination-zone trust
source-address 10.1.1.0 24
source-address 10.1.3.0 24
destination-address 10.1.2.0 24
action permit
#
return
5.3.7.1 Specifications
This section describes static route specifications.
Function Specifications
Function Description Supported or Not
5.4 RIP
This section describes Routing Information Protocol (RIP) concepts and how to configure
RIP, as well as provides configuration examples.
5.4.1 Overview
The Routing Information Protocol (RIP) applies to small and simply structured networks. RIP
is a routing protocol based on the distance vector and uses hop counts to measure distances to
destinations. There are two RIP versions: RIP-1 and RIP-2.
Definition
RIP is a simple Interior Gateway Protocol (IGP) and works based on the Distance-Vector
(DV) algorithm. It exchanges routing information using User Datagram Protocol (UDP)
packets. RIP uses port 520.
Purpose
As an earliest IGP, RIP is used in small and simply structured networks such as campus
networks and regional networks. Unlike static routes, RIP automatically adapts to network
topology changes.
Implementing RIP is simple. Configuring and maintaining RIP are easier than the Open
Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS)
protocols. Therefore, RIP is widely used.
5.4.2 Mechanism
This section describes the RIP mechanism.
5.4.2.1 RIP-1
RIP version 1 (RIP-1) is a classful (as opposed to classless) routing protocol. It supports the
advertisement of protocol packets only in broadcast mode. Figure 5-9 shows the packet
format. A RIP packet can carry a maximum of 25 entries. RIP is based on UDP, and a RIP-1
data packet cannot be longer than 512 bytes. The RIP-1 protocol packet does not carry any
mask, so it can identify only the routes of the natural network segment such as Class A, Class
B, and Class C. Therefore, RIP-1 does not support route aggregation or discontinuous subnet.
5.4.2.2 RIP-2
RIP version 2 (RIP-2), is a classless routing protocol. Figure 5-10 shows the packet format.
5.4.2.3 Timers
RIP mainly uses the following three timers:
l Update timer: triggers the sending of update packets every 30s.
l Age timer: sets and keeps track of the 180-second time limit. If a RIP router does not
receive an update packet from any of its neighbors within the aging time, the RIP router
detects the route as unreachable.
l Garbage-Collect timer: determines when to delete a packet entry. If the route is no longer
valid after the timer expires, the entry is removed from the RIP routing table.
The three timers work together in the following way:
The advertisement of RIP routing update is triggered by the update timer every 30 seconds.
Each entry is associated with the age timer and garbage-collect timer. When a route is learned
and added in the routing table, the age timer is initialized. If no Update packet is received
from the neighbor for 180 seconds, the metric value of the route is set to 16 (to specify the
route as unreachable). At the same time, the garbage-collect timer is initialized. If no Update
packet is received for 120 seconds, the entry is deleted after the garbage-collect timer expires.
The network to
10.4.0.0 fails. The network to
10.4.0.0 fails.
10.1.0.0
10.2.0.0 RouterB
E0 S0 S0
RouterA S1
10.3.0.0
S0
E0 The network to
10.4.0.0 fails.
RouterC
10.4.0.0
In the example in Figure 5-11, when network 10.4.0.0 is unreachable, RouterC learns the
information first. Usually, the route update message is sent to neighbors every 30s. If the
update message of RouterB is sent to RouterC when RouterC is waiting for the route update
message, RouterC learns the faulty route to network 10.4.0.0 from RouterB. In this case, the
routes from RouterB or RouterC to network 10.4.0.0 point to RouterC or RouterB
respectively, which forms a route loop. If RouterC detects a network fault and immediately
sends a route update message to RouterB before the new update interval reaches RouterB. The
routing table of RouterB is updated in time, and routing loops are avoided.
Another scenario that triggers updates is when the next hop of the route is unavailable because
the link is faulty. The local device needs to notify neighboring device about the
routes'unreachability. The local device sets the cost the route to 16 and advertising the route.
This is also called route-withdrawal.
RIP-2 route convergence can improve extensibility and efficiency and minimize the routing
table of a large-scale network.
Parameter Description
Update Interval Indicates the interval of updating packets regularly in the RIP
route.
Garbage Collection Indicates the interval for collecting RIP garbage routes.
Duration
Enable Default Route Configures the default route for the situation that packets
cannot find corresponding routing entries in the routing table.
Default Route Cost Indicates the metric value of the default route.
This parameter is available when Enable Default Route is
enabled.
Source Address Verifies the source IP address of a received RIP route update
Verification packet.
Host Route Indicates that host routes can be added to the routing table.
If the new RIP process is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Network Settings.
If the new network segment is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Interface Settings.
Advanced Settings
Receiving of RIP Packets Indicates that the interface is allowed to receive RIP update
packets.
Sending of RIP Packets Indicates that the interface is allowed to send RIP update
packets.
Parameter Description
Anti-Loop Mechanism Split Horizon: indicates that the interface does not send the
routes received by the interface.
Poison Reverse: RIP learns the route of the packet from an
interface, sets the route cost to 16 (unreachable), and sends the
packet to the neighbor router through the original interface.
Sending Mode The RIP-2 packets can be transferred in two modes: broadcast
and multicast.
Receiving Offset Indicates the metric value added when the interface receives
routes.
Sending Offset Indicates the metric value added when the interface sends
routes.
Sending Interval Indicates the interval for the interface to send update packets.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced Settings > Route Import.
Parameter Description
Process ID The routing protocol process ID needs to be specified when the route type
is ospf, rip, or isis.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced Settings > Route Filter.
Filter Type Indicate the route filter type of the RIP. After this parameter is
set, it cannot be changed.
l Import: indicates that the RIP filters received routing
information.
l Export: indicates that the RIP filters advertised routing
information.
Route Type Advertise routes by the route type based filtering. This
parameter is required when the filter type is export. After this
parameter is set, it cannot be changed.
Process ID Specifies the process ID for OSPF, RIP, and ISIS. After this
parameter is set, it cannot be changed.
Interface Name Advertises routes by the egress based filtering. After this
parameter is set, it cannot be changed.
Either route type based filtering or egress based filtering can be
selected.
Parameter Description
Source Address Indicates the source IP address for filtering routes or the name
of the source address/address group.
You can select an existed address/address group or create a
new address/address group.
Schedule Indicates the time range during which route filtering takes
effect.
You can select an existed time range or create a new time
range.
Action Indicates the action taken by the device towards the route.
l permit: indicates the action configured by the policy is
performed on the route.
l deny: indicates that the action configured by the policy is
not performed on the route.
If the new route filtering policy is displayed on the page, the operation succeeds.
----End
To use the RIP as a routing protocol on a network that does not support broadcasting or
multicasting, you need to specify a RIP peer manually.
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced Settings > Peer Settings.
If the new RIP peer is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced Settings > Passive Interface.
----End
Prerequisites
Before enabling RIP, complete the following tasks:
l Configuring the link layer protocol
l Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
the network layer
Context
If you run RIP-related commands in the interface view before enabling RIP, the
configurations take effect only after RIP is enabled.
Perform the following steps on the FW to be enabled with RIP:
Procedure
Step 1 Run:
system-view
rip [ process-id ]
RIP supports multi-instance. To associate RIP processes with VPN instances, you can run the
rip [ process-id ] vpn-instance vpn-instance-name command.
NOTE
For easy management and effective control, RIP supports multi-process and multi-instance. The multi-
process feature allows a set of interfaces to be associated with a specific RIP process and an interface
can be associated with only one RIP process. This ensures that the specific RIP process performs all the
protocol operations only on this set of interfaces. Therefore, multiple RIP processes can work on a single
router and each process is responsible for a unique set of interfaces. In addition, the routing data is
independent between RIP processes; however, routes can be imported between processes.
For the routers that support the VPN, each RIP process is associated with a specific VPN instance. In
this case, all the interfaces attached to the RIP process should be associated with the RIP-process-related
VPN instance.
----End
Context
By default, after RIP is enabled, it is disabled on all interfaces.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
Step 3 Run:
network network-address
NOTE
----End
Context
Perform the following steps on the RIP FW.
Procedure
l Configuring the Global RIP Version Number
a. Run:
system-view
The RIP version number of the packets received by the interface is specified.
NOTE
By default, an interface receives both RIPv1 and RIPv2 packets but sends only RIPv1
packets. When configuring RIPv2 on an interface, you can specify the mode in which the
interface sends packets. If no RIP version number is configured in the interface view, the
global RIP version is used. The RIP version set on an interface takes precedence over the
global RIP version.
The RIP-1 protocol poses a security risk, and therefore the RIP-2 protocol is recommended.
----End
Context
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
Step 3 Run:
default-route originate [ cost cost | tag tag | { match default | route-policy
route-policy-name [ advertise-tag ] } [ avoid-learning ] ] *
RIP is configured to generate a default route only if route permitted by the route policy is
present as active in the routing table.
----End
Context
Perform the following steps on the RIP FW:
Procedure
l Disable an interface from sending RIP Update packets in a RIP process (with a high
priority).
a. Run:
system-view
NOTE
You can run the silent-interface all command to disable all RIP interfaces from sending RIP
Update packets.
The silent-interface command takes precedence over the rip output command configured
in the interface view. By default, an interface can both send and receive RIP Update packets.
l Disable an interface from sending RIP Update packets in the interface view (with a low
priority).
a. Run:
system-view
Context
Route summarization indicates that multiple subnet routes on the same natural network
segment are summarized into one route with the natural mask when being advertised to other
network segments. Therefore, route summarization reduces the network traffic and the size of
the routing table.
Route summarization is enabled for RIP-2 by default, but is invalid for RIP-1. To broadcast
all subnet routes, you can disable RIP-2 automatic route summarization.
NOTE
Route summarization is invalid when poison reverse is configured. When the summarized routes are
sent outside the natural network boundary, poison reverse in related views needs to be disabled.
Procedure
l Enable RIP-2 automatic route summarization
a. Run:
system-view
RIP-2 is configured.
d. Run:
summary [ always ]
The summary command is used in the RIP view to enable classful network-based route
summarization.
l Configure RIP-2 to advertise the summary address
a. Run:
system-view
NOTE
----End
Context
By default, an interface is allowed to receive RIP Update packets.
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
----End
Context
In certain situations, a FW may receive a large number of host routes from the same network
segment. These routes are not required in route addressing, but consume many network
resources. You can configure the FW to refuse to accept host routes by disabling RIP from
accepting host routes.
By default, host routes are added to the routing table.
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
Step 3 Run:
undo host-route
NOTE
undo host-route command will not be effective in RIP version 2. By default, RIP version 2 always
supports host-route.
----End
Context
The FW can filter routing information. To filter the imported and advertised routes, you can
configure inbound and outbound routing policies by specifying ACLs and IP prefix lists.
You can also configure the FW to receive RIP packets only from a specified neighbor.
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
Step 3 Depending on type of desired filtering, run one of following commands to configure RIP to
filter the received routes:
l Based on the basic ACL:
Run filter-policy acl-number import [ interface-type interface-number ], the learned
routing information is filtered based on an ACL.
l Based on the IP prefix:
----End
Prerequisites
Before configuring RIP to import external routes, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
the network layer
l Establishing the RIP Neighbor Relationship
Context
To access a device running a non-RIP protocol, an RIP-capable device needs to import routes
of the non-RIP protocol into the RIP network.
All the following commands can set the cost of the imported route, which are listed in
descending order of priorities.
l Run the apply cost command to set the cost of a route.
l Run the import-route (RIP)command to set the cost of the imported route.
l Run the default-cost (RIP) command to set the cost of the default route.
Procedure
Step 1 Run:
system-view
NOTE
Import of IBGP routes in RIP process can lead to routing loops. Administrator should take care of
routing loops before configuring permit-ibgp.
----End
Context
The additional metric is added to the original metric of the RIP route.
l The rip metricin command is used to add an additional metric to an incoming route.
After this route is added to the routing table, its metric in the routing table
changes.Running this command affects route selection on the local device and other
devices on the network.
l The rip metricout command is used to add an additional metric to an outgoing route.
When this route is advertised, an additional metric is added to this route, but the metric
of the route in the routing table does not change. Running this command does not affect
route selection on the local device or other devices on the network.
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
You can specify the value of the metricin to be added to the RIP route that passes the filtering policy by
specifying value1 through an ACL or an IP prefix list. If a RIP route does not pass the filtering, its
metric is not incremented.
You can specify the value of the metricout to be added to the RIP route that passes the filtering policy by
specifying value1 through an ACL or an IP prefix list. If a RIP route does not pass the filtering, its
metric is increased by 1.
----End
Context
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
Step 3 Run:
preference { preference | route-policy route-policy-name } *
----End
Context
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
NOTE
When the number of equal-cost routes is greater than number specified in the maximum load-
balancing command, valid routes are selected for load balancing based on the following criteria:
1. Interface index: If routes have the same priorities, routes with higher interface index values are
selected for load balancing.
2. Next hop IP address: If routes have the same priorities and interface index values, routes with larger
IP address are selected for load balancing.
----End
Context
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
NOTE
By default, the Update timer is 30s; the Age timer is 180s; the Garbage-collect timer is four
times the Update timer, namely, 120s.
In practice, the Garbage-collect timer is not fixed. If the Update timer is set to 30s, the
Garbage-collect timer may range from 90s to 120s.
Before permanently deleting an unreachable route from the routing table, RIP advertises this
route (with the metric being set to 16) by periodically sending Update packets four times.
Subsequently, all the neighbors know that this route is unreachable. Because a route may not
always become unreachable at the beginning of an Update period, the Garbage-collect timer is
actually three or four times the Update timer.
----End
5.4.4.6.2 Setting the Interval for Sending Packets and the Maximum Number of the Sent
Packets
By setting the interval for sending RIP Update packets and the maximum number of Update
packets to be sent each time, you can effectively control the memory used by a FW to process
RIP Update packets.
Context
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
The interval for sending Update packets and the maximum number of packets sent each time
are set on the interface.
----End
Context
l The principle of split horizon is that a route learned by RIP on an interface is not sent to
neighbors from the interface. This reduces bandwidth consumption and avoids route
loops.
l The principle of poison reverse is that RIP sets the cost of the route learned from an
interface of a neighbor to 16 (to specify the route as unreachable) and then sends the
route from the interface back to the neighbor. In this way, RIP can delete useless routes
from the routing table of the neighbor and also avoid route loops.
If both split horizon and poison reverse are configured, only poison reverse takes effect.
On Non-Broadcast Multi-Access (NBMA) networks such as frame relay (FR) and X.25
networks, split horizon is disabled by default.
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
----End
Context
Perform the following steps on the RIP FW:
Procedure
l Configuring the Zero Field Check for RIPv1 Packets
a. Run:
system-view
b. Run:
rip [ process-id ]
Context
Generally, RIP sends packets by using broadcast or multicast addresses. If RIP needs to run
on the links that do not support the forwarding of broadcast or multicast packets, you need to
configure the devices at both ends of the link as each other's neighbor.
Perform the following steps on the RIP FW:
Procedure
Step 1 Run:
system-view
Step 2 Run:
rip [ process-id ]
----End
Context
RIP-2 supports the following authentication modes:
l Simple authentication
l MD5 authentication
l HMAC-SHA256 authentication
l Keychain authentication
In simple authentication mode, the unencrypted authentication key is sent in every RIP-2
packet. Therefore, simple authentication does not guarantee security, and cannot meet the
requirements for high security.
NOTICE
When configuring an authentication password, select the ciphertext mode becasue the
password is saved in configuration files in plaintext if you select plaintext mode, which has a
high risk. To ensure device security, change the password periodically.
Procedure
Step 1 Run:
system-view
The MD5 type must be specified if MD5 authentication is configured. The usual type supports private
standard authentication packets, and the nonstandard type supports IETF standard authentication
packets.
When configuring an authentication password, select the ciphertext mode because the simple password
is saved in configuration file if you select the simple text mode, which poses a high risk. To improve
device security, change the password periodically.
----End
Prerequisites
Before configuring RIP GR, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
the network layer
l Establishing the RIP Neighbor Relationship, establish the neighbor relationship
successfully
Context
To avoid traffic interruption and route flapping caused by master/slave switchover, you can
enable RIP graceful restart (GR). GR is a technology used to ensure normal traffic forwarding
and non-stop forwarding of key services during the restart of routing protocols.
After a RIP process is restarted through GR, the Restarter and the Helper re-establish the
neighbor relationship and update the routing table and forwarding table. This ensures non-
stop traffic forwarding and stabilizes the network topology. During RIP GR, except the
neighbor of the device where master/slave switchover occurs, other FWs do not detect the
route change.
NOTE
In practice, you can configure RIP GR on the device with two main control boards to prevent service
forwarding from being affected by the fault on one main control board.
Procedure
Step 1 Run:
system-view
RIP GR is enabled.
When most FWs on a network do not support RIP GR, setting wait-time time to a larger
value is recommended. This ensures that the Restart FW has enough time to learn correct
routes.
----End
Follow-up Procedure
If the Restarter finishes GR within the GR period specified by period period, the Restarter
automatically exits from GR. Otherwise, the Restarter is forced to exit from GR.
Prerequisites
Before configuring BFD for RIP, complete the following tasks:
l Assigning an IP address to each interface to ensure reachability between neighboring
nodes at the network layer
l Establishing the RIP Neighbor Relationship
Context
Generally, RIP uses timers to receive and send Update messages to maintain neighbor
relationships. If a RIP device does not receive an Update message from a neighbor after the
Age timer expires, the RIP device will announce that this neighbor goes Down. The default
value of the Age timer is 180s. If a link fault occurs, RIP can detect this fault after 180s. If
high-rate data services are deployed on a network, a great deal of data will be lost during the
aging time.
BFD provides millisecond-level fault detection. It can rapidly detect faults in protected links
or nodes and report them to RIP. This speeds up RIP processes's response to network topology
changes and achieves rapid RIP route convergence.
In BFD for RIP, BFD session establishment is triggered by RIP. When establishing a neighbor
relationship, RIP will send detection parameters of the neighbor to BFD. Then, a BFD session
will be established based on these detection parameters. If a link fault occurs, the local RIP
process will receive a neighbor unreachable message within seconds. Then, the local RIP
device will delete routing entries in which the neighbor relationship is Down and use the
backup path to transmit messages.
Either of the following methods can be used to configure BFD for RIP:
l Enable BFD in a RIP process: This method is recommended when BFD for RIP needs
to be enabled on most RIP interfaces.
l Enable BFD on RIP interfaces: This method is recommended when BFD for RIP needs
to be enabled on a small number of RIP interfaces.
Procedure
l Enable BFD in a RIP process.
a. Run:
system-view
If BFD is enabled globally, RIP will use default BFD parameters to establish BFD
sessions on all the interfaces where RIP neighbor relationships are in the Up state.
f. Optional: Run:
The values of BFD parameters used to establish the BFD session are set.
BFD parameter values are determined by the actual network situation and network
reliability requirement.
n If links have a high reliability requirement, reduce the interval at which BFD
packets are sent.
n If links have a low reliability requirement, increase the interval at which BFD
packets are sent.
Running the bfd all-interfaces command changes BFD session parameters on all
RIP interfaces. The default detection multiplier and interval at which BFD packets
are sent are recommended.
g. (Optional) Perform the following operations to prevent an interface in the RIP
process from establishing a BFD session:
n Run the quit command to return to the system view.
n Run the interface interface-type interface-number command to enter the view
of a specified interface.
n Run the rip bfd block command to prevent the interface from establishing a
BFD session.
l Enable BFD on RIP interfaces.
a. Run:
system-view
The values of BFD parameters used to establish the BFD session are set.
----End
Prerequisites
Before configuring the network management function in RIP, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring nodes are reachable at
the network layer
l Establishing the RIP Neighbor Relationship
Procedure
Step 1 Run:
system-view
----End
Clearing RIP
To clear RIP running information, run the following commands in the user view.
Clear RIP process reset rip process-id statistics [ interface { all | interface-type
statistics. interface-number [ neighbor neighbor-ip-address ] } ]
Networking Requirements
As shown in Figure 5-12, it is required that RIP be enabled on all interfaces of FW_A,
FW_B, FW_C, and FW_D and the routers interconnect with each other through RIP-2.
FW_C
GE1/0/0
172.16.1.2/24
GE2/0/0
172.16.1.1/24
GE1/0/0 GE3/0/0
192.168.1.1/24 10.1.1.2/24
GE1/0/0 GE3/0/0
192.168.1.2/24 10.1.1.1/24
FW_A FW_B FW_D
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IP address of each interface to make the network layers accessible.
2. Enable RIP on each FW and configure basic RIP functions.
3. Configure RIP-2 on each FW and check the subnet masks.
Data Preparation
l RIP network segment 192.168.1.0 on FW_A
l RIP network segment 192.168.1.0, 172.16.0.0, and 10.0.0.0 on FW_B
l RIP network segment 172.16.0.0 on FW_C
l RIP network segment 10.0.0.0 on FW_D
l RIP-2 on FW_A, FW_B, FW_C, and FW_D
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Configure basic RIP functions.
# Configure FW_A.
[FW_A] rip
[FW_A-rip-1] network 192.168.1.0
[FW_A-rip-1] quit
# Configure FW_B.
[FW_B] rip
[FW_B-rip-1] network 192.168.1.0
[FW_B-rip-1] network 172.16.0.0
[FW_B-rip-1] network 10.0.0.0
[FW_B-rip-1] quit
# Configure FW_C.
[FW_C] rip
[FW_C-rip-1] network 172.16.0.0
[FW_C-rip-1] quit
# Configure FW_D.
[FW_D] rip
[FW_D-rip-1] network 10.0.0.0
[FW_D-rip-1] quit
From the routing table, you can view that the routes advertised by RIP-1 use natural masks.
Step 3 Configure the RIP version number.
# Configure RIP-2 on FW_A.
[FW_A] rip
[FW_A-rip-1] version 2
[FW_A-rip-1] quit
From the routing table, you can view that the routes advertised by RIP-2 contain accurate
subnet masks.
----End
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
rip 1
version 2
network 192.168.1.0
#
return
#
return
Networking Requirements
As shown in Figure 5-13, two RIP processes, RIP 100 and RIP 200, run on FW_B. FW_B
exchanges routing information with FW_A through RIP 100. FW_B exchanges routing
information with FW_C through RIP 200.
It is required that the two processes of FW_B import the RIP routes from each other. The cost
of the imported RIP 200 routes defaults to 3.
It is required that a filtering policy be configured on FW_B to filter out the imported RIP 200
route 192.168.4.0/24 and prevent it from being advertised to FW_A.
GE 2/0/0
192.168.0.1/24
GE 2/0/0
GE 1/0/0 GE 1/0/0 192.168.3.1/24
192.168.1.1/24 192.168.2.2/24
GE 1/0/0 GE 2/0/0 GE 3/0/0
192.168.1.2/24 192.168.2.1/24 192.168.4.1/24
FW_A FW_C
FW_B
RIP 100 RIP 200
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable RIP 100 and RIP 200 on each FW and specify the network segments.
2. Configure the two processes on FW_B to import the routes from each other and set the
default cost of the imported RIP 200 routes to 3.
3. Configure an ACL on FW_B to filter the routes imported from RIP 200.
Data Preparation
To complete the configuration, you need the following data:
l RIP 100 on FW_A and the network segment 192.168.1.0 and 192.168.0.0
l RIP 100 and RIP 200 on FW_B and the network segment 192.168.1.0 and 192.168.2.0
l RIP 200 on FW_C and the network segment 192.168.2.0, 192.168.3.0, and 192.168.4.0
l Default cost of the imported RIP 200 routes as 3; ACL 2000 to deny the route with the
source network segment of 192.168.4.0 and import RIP100 routes to RIP 200
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Configure basic RIP functions.
# Enable RIP process 100 on FW_A.
[FW_A] rip 100
[FW_A-rip-100] network 192.168.0.0
[FW_A-rip-100] network 192.168.1.0
[FW_A-rip-100] quit
# Enable the two RIP processes, process 100 and process 200, on FW_B.
[FW_B] rip 100
[FW_B-rip-100] network 192.168.1.0
[FW_B-rip-100] quit
[FW_B] rip 200
[FW_B-rip-200] network 192.168.2.0
[FW_B-rip-200] quit
# Check the routing table of FW_A after the routes are imported.
[FW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9
# Filter out the imported route 192.168.4.0/24 of RIP 200 on FW_B according to the ACL
rule.
[FW_B] rip 100
[FW_B-rip-100] filter-policy 2000 export
[FW_B-rip-100] quit
----End
Configuration Scripts
Configuration script for FW_A:
#
sysname FW_A
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
rip 100
network 192.168.0.0
network 192.168.1.0
#
return
5.4.7.1 Specifications
This section describes RIP specifications.
Function Specifications
Function Description Supported or Not
Disabling interfaces from The interfaces only receive Supported by all models.
sending RIP Update packets RIP packets to update the
RIP routing table.
Importing external routes Direct, static, OSPF, and Supported by all models.
BGP routes can be imported
to the RIP routing table.
Using routing policies to ACLs and prefix lists can be Supported by all models.
filter routes used to filter RIP routes.
Performance Specifications
Function Specifications
5.5 RIPng
RIPng is mainly applied to small and simply-structured IPv6 networks. RIPng is a routing
protocol based on the distance vector and adopts the hop count to measure the distance to the
destination.
5.5.1 Overview
RIPng, also called RIP next generation, is the RIP-2 extension used on IPv4 networks. RIP
and RIPng share many concepts.
Definition
RIPng, based on the Distance Vector (D-V) algorithm, is a routing protocol that measures the
distance (metric or cost) to a destination host by Hop Count (HC). RIPng defines that the HC
from a router to its directly connected network is 0, and the HC from a router to a network
that is reachable through another router is 1, and so on. When the HC reaches 16, the
destination network or host is defined as unreachable.
RIPng is derived from RIP and applies to IPv6 networks. Unlike RIP, RIPng has the following
characteristics:
l UDP port number
RIPng uses UDP port number 521 (RIP uses UDP port number 520) to send and receive
routing information.
l Multicast address
RIPng uses FF02::9 as the multicast address on a RIPng router in the local link scope.
l Prefix length
RIPng uses a 128-bit (the mask length) prefix in a destination address.
l Next hop address
RIPng uses a 128-bit IPv6 address.
l Source address
RIPng uses link-local address FE80::/10 as a source address used to send RIPng Update
packets.
Objective
RIPng is developed by extending RIP and supports IPv6.
5.5.2 Mechanism
This section describes the RIPng mechanism.
Timer
RIPng uses the following three timers:
l Update timer: The timer triggers the sending of update packets every 30 seconds. This
timer synchronizes RIPng routes on the network.
l Age timer: If a RIPng router does not receive any update packet from its neighbors in the
aging time, the RIPng router considers the route to its neighbors unreachable.
l Garbage-Collect timer: If the route is no longer valid after the timer times out, the entry
is removed from the RIPng routing table.
The following describes the relationship among the three timers:
The advertisement of RIPng routing update is triggered by the update timer every 30 seconds.
Each entry is associated with two timers, the age timer and the garbage-collect timer. When a
route is learned and installed in the routing table, the age timer is initialized. If no Update
packet is received from the neighbor for 180 seconds, the metric of the route is set to 16. At
the same time, the garbage-collect timer is initialized. If no Update packet is received for 120
seconds, the entry is deleted after the garbage-collect timer times out.
Split Horizon
The principle of split horizon is that a route learnt by RIPng on an interface is not sent to
neighbors from the interface. This reduces bandwidth consumption and avoids route loops.
123::45/64
RouterA RouterB
123::45/64
As shown in Figure 5-14, RouterB sends a route to network 123::45 to RouterA and RouterA
does not send the route back to RouterB.
Poison Reverse
The principle of poison reverse is that RIPng sets the cost of the route learnt from an interface
of a neighbor to 16 (specifying the route as unreachable) and then sends the route from the
interface to the neighbor. In this way, RIPng can delete useless routes from the routing table
of the neighbor.
RouterA RouterB
123::0/64
metric=16
As shown in Figure 5-15, if poison reverse is not configured, RouterB sends RouterA a route
that is learnt from RouterA. The cost of the route from RouterA to network 123::0/64 is 1.
When the route from RouterA to network 123::0/64 becomes unreachable and RouterB does
not receive the update packet from RouterA and thus keeps sending RouterA the route from
RouterA to network 123::0/64, a route loop occurs.
If RouterA sends RouterB a message that the route is unreachable after receiving a route from
RouterB, Router_B no longer learns the reachable route from RouterA, thus avoiding route
loops.
If both poison reverse and split horizon are configured, simple split horizon (the route learnt
from an interface is not sent back through the interface) is replaced by poison reverse.
Triggered Update
Triggered update occurs when local routing information changes and then the local router
immediately notifies its neighbors of the changes of routing information by sending the
triggered update packet.
Triggered update shortens the network convergence time. When local routing information
changes, the local router immediately notifies its neighbors of the changes of routing
information rather than waiting for periodical update.
As shown in Figure 5-16, when network 123::0 is unreachable, RouterC learns the
information first. Usually, the route update message is periodically sent to neighbors. For
example, RIPng sends the route update message every 30s. If the update message of RouterB
is sent to RouterC when RouterC is waiting for the route update message, RouterC learns the
faulty route to network 123::0 from RouterB. In this case, the routes from RouterB or
RouterC to network 123::0 point to RouterC or RouterB respectively, thus forming a route
loop. If RouterC detects a network fault and immediately sends a route update message to
Router B before the new update interval reaches. Consequently, the routing table of Router B
is updated in time, and routing loops are avoided.
There is another mode of triggering updates: The next hop of the route is unavailable because
the link is faulty. The local router needs to notify neighboring router about the unreachability
of this route. This is done by setting the cost of the route as 16 and advertising the route. This
is also called route-withdrawal.
Route Aggregation
RIPng route aggregation is implemented by aggregating all routes advertised on an interface
according to the longest match rule.
RIPng route aggregation can improve extendibility and efficiency and minimize the routing
table of a large-scale network.
For example, RIPng advertises two routes, 11:11:11::24 Metric=2 and 11:11:12::34 Metric=3,
from an interface, and the aggregation route configured on the interface is 11::0/16. In this
manner, the finally advertised route is 11::0/16 Metric=2.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ripng [ process-id ]
RIPng is enabled and the RIPng view is displayed.
When only one RIPng process is run, process-id is not specified. That is, process-id defaults
to 1.
After the RIPng process is cancelled, the ripng process-id enable command needs to be
reconfigured on an interface.
Step 3 (Optional) Run:
description
Descriptions for RIPng processes are configured.
----End
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
The interface is at the network side of the router. That is, the router is connected with other
routers through the interface. To enable the router to learn the routes of the network segment
where the interface resides, ensure that the link status of the interface is Up.
Step 3 Run:
ripng process-id enable
RIPng is enabled on the specified interface.
NOTE
In the interface view, this command cannot be executed if IPv6 is not enabled.
If multiple interfaces on a router connect other routers, repeatedly perform Step 2 and Step 3.
----End
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ripng default-route { only | originate } [ cost cost ]
RIPng is configured to advertise the default route.
The default RIPng route that is generated is advertised forcibly through the route update
packet from the specified interface. The advertising does not consider whether this route is in
the IPv6 routing table.
By default, the RIPng process does not advertise the default route. You need to configure
RIPng to advertise the default route according to the actual networking.
l only: indicates that only the default IPv6 route (::/0) is advertised to suppress the
advertising of other routes.
l originate: indicates that only the default IPv6 route (::/0) is advertised without affecting
the advertising of other routes.
l cost: specifies the cost of the default route.
----End
Context
When a device running RIPng is connected to a network running other routing protocols, you
can run the undo ripng output command on the interface that connects the device to the
network to prevent the interface from sending useless packets to the network.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
undo ripng output
The interface is disabled from sending RIPng packets.
By default, an interface is allowed to send RIPng packets.
----End
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ripng [ process-id ]
RIPng is enabled and the RIPng view is displayed.
RIPng can filter the routes to be sent based on an IPv6 ACL, route-policy or an IPv6 prefix
list. Only the routes that meet the match conditions are advertised to neighbors. If protocol is
not specified in the command, all the routing information to be advertised will be filtered,
including the imported routes and local RIPng routes (directly connected routes).
----End
Context
This configuration is to configure the RIPng router to advertise the summarized IPv6 prefix
rather than specific routes on an interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
----End
Context
When a device running RIPng is connected to a network running other routing protocols, you
can run the undo ripng input command on the interface that connects the device to the
network to prevent the interface from receiving useless packets from the network.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
----End
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ripng [ process-id ]
RIPng can filter the received routes based on an IPv6 ACL, route-policy or an IPv6 prefix list.
Only the routes that meet the match conditions are added in the RIPng routing table.
----End
Context
To access a device running a non-RIPng protocol, an RIPng-capable device needs to import
routes of the non-RIPng protocol into the RIPng network.
All the following commands can set the cost of the imported route, which are listed in
descending order of priorities.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ripng [ process-id ]
default-cost cost
The default cost is set for the external routes imported by RIPng.
If no cost is specified, this command can be used to set the default cost for the external routes
imported by RIPng from other routing protocols.
Step 4 Run:
----End
Context
Each routing protocol has its preference, according to which a routing policy selects the
optimal route. The RIPng preference can be set manually. The greater the value is, the lower
the preference is.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ripng [ process-id ]
Step 3 Run:
----End
Context
The additional route metric is the metric (hop count) to be added to the original metric of a
RIPng route.
l The ripng metricin command is used to configure a device to add an additional metric
to a received route before the device adds the route to its routing table, causing the
metric of the route in the routing table to change. Running this command affects route
selection on the device and other devices.
l The ripng metricout command is used to configure a device to add an additional metric
to a route before the device advertises the route, keeping the metric of the route in the
routing table unchanged. Running this command does not affect route selection on the
local device but will affect route selection of other devices.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ripng metricin value
The metric added to a received route is set.
Step 4 Run:
ripng metricout { value | { acl6-number | ipv6-prefix ipv6-prefix-name } value1 }
The metric added to a sent route is set.
You can specify the value of the metric to be added to the RIPng route that passes the filtering
policy by specifying value1 through an IPv6 ACL or an IPv6 prefix list. If a RIPng route does
not pass the filtering, its metric is increased by 1.
NOTE
If the router connects to other RIPng routers through multiple interfaces, repeatedly perform Step 2 to
Step 4 until metrics of all links are set.
----End
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ripng [ process-id ]
RIPng is enabled and the RIPng view is displayed.
Step 3 Run:
maximum load-balancing number
The maximum number of equal-cost routes is set.
----End
Context
NOTE
Route flapping occurs if the values of the four RIPng timers are set improperly. The relationship
between the values is as follows: update < age, update < garbage-collect. For example, if the update time
is longer than the aging time, and a RIPng route changes within the update time, the router cannot
inform its neighbors of the change on time.
By default, the Update timer is 30s; the Age timer is 180s; the Garbage-collect timer is 120s.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ripng [ process-id ]
Step 3 Run:
----End
5.5.3.6.2 Setting the Interval for Sending Update Packets and the Maximum Number of
Packets Sent Each Time
By setting the interval for sending packets and the maximum number of packets to be sent
each time, you can optimize the RIPng performance.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
----End
Context
Poison reverse is another method of preventing routing loops by enabling the router to
advertise a route as unreachable back through the interface from which the route is learned.
Poison reverse is another method of preventing routing loops by enabling the router to
advertise a route as unreachable back through the interface from which the route is learned.
If both split horizon and poison reverse are configured, only poison reverse takes effect.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run the following command as required:
l Run:
ripng split-horizon
Split horizon is enabled.
l Run:
ripng poison-reverse
Poison reverse is enabled.
----End
Context
Certain fields in the header of the RIPng packet must be set to 0, which is also called the zero
field. After the zero field check for the RIPng packet is enabled, but the value in the zero field
of the packet header is not 0, the packet is discarded without processing.
If all the packets are regarded to be reliable, this check is not needed, thus saving the
processing time for the system.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ripng [ process-id ]
Step 3 Run:
checkzero
----End
Operation Command
Clearing RIPng
NOTICE
RIPng information cannot be restored after it is cleared. Exercise caution when running the
commands.
Operation Command
Reset statistics on the reset ripng process-id statistics [ interface { all | interface-type
counters maintained a interface-number [ neighbor neighbor-ipv6-address ] } ]
RIPng process.
Networking Requirements
As shown in Figure 5-17, the research and development department of an enterprise works
with an ISP to deploy an IPv6 network. The research and development department is dual-
homed to an ISP router and accesses the IPv6 network through the ISP router.
l The enterprise deploys two FWs on the intranet border to dual-home the research and
development department to the IPv6 network, which improves network reliability. FWs
use link-local addresses to communicate with the ISP router.
l The FWs and ISP router run RIPng to learn IPv6 network routes and advertise routes to
the IPv6 network.
GE1/0/3
Trust 2000::1/64 Untrust
GE1
Auto /0/1
Link FE8
loca 0:
l F:FE :222:A1
03:6 F
Research 079 IPv6
2000::/64 RIPng 1F Network
2:A
80 ::22 607A
FE E03 :
0/1 cal F:F
1 / ISP Router
GE Linklo
u t o
A
GE1/0/3
2000:2/64
FW_A
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to FW interfaces and add the interfaces to security zones.
2. Configure RIPng on the FWs.
3. Configure security policies on the FWs so that the devices of the research and
development department can access the IPv6 network.
Procedure
Step 1 Configure FW_A.
1. Configure GigabitEthernet 1/0/1.
# Assign an IPv6 address to GigabitEthernet 1/0/1.
<FW_A> system-view
[FW_A] ipv6
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ipv6 enable
[FW_A-GigabitEthernet1/0/1] ipv6 address auto link-local
[FW_A-GigabitEthernet1/0/1] quit
3. Configure RIPng.
[FW_A] ripng 1
[FW_A-ripng-1] quit
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ripng 1 enable
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ripng 1 enable
[FW_A-GigabitEthernet1/0/3] quit
4. Configure security policies so that devices in the research and development department
can exchange RIPng packets and access the IPv6 network.
The following example provides basic security policy parameters. You can set other
parameters as necessary.
[FW_A] security-policy
[FW_A-policy-security] rule name policy_sec_1
[FW_A-policy-security-rule-policy_sec_1] source-zone local untrust
[FW_A-policy-security-rule-policy_sec_1] destination-zone untrust local
[FW_A-policy-security-rule-policy_sec_1] action permit
[FW_A-policy-security-rule-policy_sec_1] quit
[FW_A-policy-security] rule name policy_sec_2
[FW_A-policy-security-rule-policy_sec_2] source-zone trust
[FW_A-policy-security-rule-policy_sec_2] source-address 2000:: 64
[FW_A-policy-security-rule-policy_sec_2] destination-zone untrust
[FW_A-policy-security-rule-policy_sec_2] action permit
[FW_A-policy-security-rule-policy_sec_2] quit
[FW_A-policy-security] quit
3. Configure RIPng.
[FW_B] ripng 1
[FW_B-ripng-1] quit
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ripng 1 enable
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ripng 1 enable
[FW_B-GigabitEthernet1/0/3] quit
4. Configure security policies so that devices in the research and development department
can exchange RIPng packets and access the IPv6 network.
The following example provides basic security policy parameters. You can set other
parameters as necessary.
[FW_B] security-policy
[FW_B-policy-security] rule name policy_sec_1
[FW_B-policy-security-rule-policy_sec_1] source-zone local untrust
[FW_B-policy-security-rule-policy_sec_1] destination-zone untrust local
[FW_B-policy-security-rule-policy_sec_1] action permit
[FW_B-policy-security-rule-policy_sec_1] quit
[FW_B-policy-security] rule name policy_sec_2
[FW_B-policy-security-rule-policy_sec_2] source-zone trust
[FW_B-policy-security-rule-policy_sec_2] source-address 2000:: 64
[FW_B-policy-security-rule-policy_sec_2] destination-zone untrust
[FW_B-policy-security-rule-policy_sec_2] action permit
[FW_B-policy-security-rule-policy_sec_2] quit
[FW_B-policy-security] quit
----End
Configuration Verification
The following example uses the display on FW_A.
l Check the IPv6 status of GigabitEthernet 1/0/1.
[FW_A] display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state :
UP
IPv6 protocol current state :
UP
IPv6 is enabled, link-local address is
FE80::222:A1FF:FE00:2
No global unicast address
configured
Joined group
address(es):
FF02::9
FF02::1:FF00:2
FF02::2
FF02::1
MTU is 1500
bytes
ND DAD is enabled, number of DAD attempts:
1
ND reachable time is 30000
milliseconds
ND retransmit interval is 1000
milliseconds
Hosts use stateless autoconfig for addresses
The preceding command output shows that the IPv6 status of GigabitEthernet 1/0/1 is
UP.
----------------------------------------------------------------
The preceding command output shows that RIPng-enabled FW_A has learned routes
with destination addresses 3000::/64, 3001::/64, and 3002::/64 and next-hop address
FE80::222:A1FF:FE03:607A.
l Check whether PCs in the research and development department can use IPv6 addresses
to access the IPv6 network.
– If they can access the IPv6 network, the configuration is successful.
– If they cannot access the IPv6 network, modify the configuration and try again.
Configuration Scripts
Configuration script for FW_A:
#
ipv6
#
sysname FW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address auto link-local
ripng 1 enable
#
interface GigabitEthernet1/0/3
ipv6 enable
ipv6 address 2000::2 64
ripng 1 enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ripng 1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_2
source-zone trust
destination-zone untrust
source-address 2000:: 64
action permit
#
return
5.5.6 Reference
This section provides reference information about RIPng.
5.5.6.1 Specifications
This section describes RIPng specifications.
Function Specifications
Function Description Supported or Not
Configuring poison reverse RIPng sets the cost of the Supported by all models
on an interface route learned from an
interface to 16 (indicating
that the route is
unreachable) and then sends
the route through this
interface to the neighbor. In
this way, RIPng can delete
useless routes from the
routing table of the
neighbor.
Imported Route The routes that RIPng can Supported by all models
import include direct, static,
OSPFv3, IS-ISv6, RIPng,
and BGP4+ routes.
Zero field check In RIPng packets, there are Supported by all models
some fields whose values
must be 0. These fields are
also called zero fields. After
zero field check is enabled
for RIPng packets, the
packets whose zero fields
are not zero will be
discarded.
Update timer and its value The update timer Supported by all models
setting periodically triggers the
sending of update packets.
Age timer and its value If a RIPng router does not Supported by all models
setting receive any update packet
from its neighbors in the
aging time, the RIP router
considers the route to its
neighbors unreachable and
starts the Garbage-Collect
timer.
Garbage Collection timer If a routing device does not Supported by all models
and its value setting receive any update packet
for an unreachable route
from the same neighbor
within the garbage-collect
time, the device will delete
the route from its routing
table.
5.6 OSPF
This section describes the basic concepts and configuration of Open Shortest Path First
(OSPF) and provides OSPF configuration examples.
5.6.1 Overview
Open Shortest Path First (OSPF) applies to large IPv4 networks. OSPF is a routing protocol
based on link status. Compared with distance vector-based routing protocols, OSPF delivers a
higher convergence rate and supports larger network scale.
Definition
OSPF is an internal network gateway protocol developed by the Internet Engineering Task
Force (IETF) on the basis of link status. OSPF version 2 (RFC 2328) is for IPv4. OSPF does
not belong to any vendors or organizations and uses the Shortest Path First (SPF) algorithm to
calculate routes. The area concept is used in OSPF to help reduce the consumption of the
router CPU and memory resources by route selecting protocols and reduce communications
traffic. Large and hierarchical networks can be established using OSPF.
Objective
As the routers on the network increase, the Routing Information Protocol (RIP) cannot
support large networks due to routing loops and limited hop numbers. The IETF develops
OSPF to support the large network deployment.
5.6.2 Mechanism
This section describes the OSPF mechanism.
Packet Function
Database Description (DD) packet DD packets carry brief information about the local
Link State Database (LSDB) and are used to
synchronize the LSDBs of two routers.
Link State Request (LSR) packet LSR packets are used to request the required LSAs
from neighbors.
LSR packets are sent only after DD packets are
exchanged successfully.
Link State Update (LSU) packet LSU packets are used to send the required LSAs to
neighbors.
Link State Acknowledgment LSAck packets are used to acknowledge the received
(LSAck) packet LSAs.
LSA Type
Router-LSA (Type1) Describes the link state and link cost of a router. It is
generated by each router and advertised in the area to which
the router belongs.
Network-LSA (Type2) Describes the link state of all routers in the local network
segment. It is generated by a designated router (DR) and
advertised in the area to which the DR belongs.
LSA Function
Router Type
Figure 5-18 lists the types of common routers in OSPF.
Area Border Router (ABR) An ABR can belong to two or more areas, and one of the
areas must be a backbone area.
An ABR is used to connect the backbone area and non-
backbone areas. It can be physically or logically connected
to the backbone area.
Router Description
Type1 external route Because of the high reliability of Type1 external routes,
the calculated cost of external routes equals that of AS
internal routes, and can be compared with the cost of
OSPF routes.
That is, the cost of a Type1 external route equals the cost
of the route from the router to the corresponding ASBR
plus the cost of the route from the ASBR to the
destination.
Type2 external route Because of the low reliability of Type2 external routes,
their costs are considered greater than the cost of any
internal path to an ASBR.
Thus, the cost of a Type2 external route equals the cost of
the route from the ASBR to the destination.
Area Type
Common area OSPF areas are common areas by default. Common areas include
standard areas and backbone areas.
l A standard area is the most common area and transmits intra-
area routes, inter-area routes, and external routes.
l A backbone area connects all the other OSPF areas. It is usually
named Area 0.
Totally stub area Allows the Type3 default routes advertised by an ABR, and denies
the routes outside an AS and inter-area routes.
Stub area Allows inter-area routes, which is different from a totally stub area.
NSSA Imports routes outside an AS, which is different from a stub area.
An ASBR advertises Type7 LSAs in the local area.
Non-Broadcast If the link layer protocol is frame relay (FR), ATM, or X.25,
Multiple Access OSPF defaults the network type to NBMA.
(NBMA) In this type of networks, protocol packets, such as Hello packets,
DD packets, LSR packets, LSU packets, and LSAck packets, are
transmitted in unicast mode.
Network Description
Point-to-Multipoint Regardless of the link layer protocol, OSPF does not default the
(P2MP) network type to P2MP. A P2MP network must be forcibly
changed from other network types. The common practice is to
change a non-fully connected NBMA network to a P2MP
network.
In this type of networks,
l Hello packets are transmitted in multicast mode through the
multicast address 224.0.0.5.
l Other protocol packets, such as DD packets, LSR packets,
LSU packets, and LSAck packets, are transmitted in unicast
mode.
Point-to-point (P2P) If the link layer protocol is PPP, HDLC, or LAPB, OSPF
defaults the network type to P2P.
In this type of networks, protocol packets, such as Hello packets,
DD packets, LSR packets, LSU packets, and LSAck packets, are
transmitted in multicast mode through the multicast address
224.0.0.5.
Table 5-20 Differences between inter-area LSA learning and route learning
Inter-area LSA Route Learning
Learning
Filters the incoming Filters only the calculated routes in LSAs to determine
LSAs of an area whether these routes are added to the local routing table.
directly.
External routes are imported, l If the number of imported routes is smaller than the
and then restriction on the configured maximum number of imported routes, no
number of imported routes is processing is performed.
configured. l If the number of imported routes is greater than the
configured maximum number of imported routes, the
imported Type5 or Type7 LSAs are deleted, and then
the LSAs of a maximum number of routes allowed are
regenerated.
The number of routes to be If new routes are to be imported, these routes are not
imported is greater than the imported.
configured maximum number If the routes are to be deleted, the following situations
of imported routes. occur:
l If the routes to be deleted are the imported routes, the
routes are re-imported.
l If the routes to be deleted are the routes that are not
imported, these routes are ignored.
The number of routes to be The imported Type5 or Tpye7 LSAs are deleted, and then
imported is greater than the routes are re-imported. Further processing is performed
configured maximum number according to the relationship between the number of
of imported routes, and imported routes and configured maximum number of
restriction on the number of imported routes.
imported routes is
reconfigured after routes are
imported.
When OSPF calculates external routes, routing loops may occur because RFC 2328 and RFC
1583 define different routing rules. To prevent routing loops, RFC 2328 introduces the RFC
1583 compatibility feature.
l After RFC 1583 compatibility is enabled, OSPF adopts the routing rules defined in RFC
1583.
l When RFC 1583 compatibility is disabled, OSPF adopts the routing rules defined in
RFC 2328.
OSPF calculates external routes according to Type5 LSAs. After the router enabled with RFC
1583 compatibility receives a Type5 LSA:
l The router selects the route to the ASBR that generates the LSA or to the forwarding
address that is specified by the LSA.
l The router selects the external route to the same destination.
By default, OSPF is compatible with RFC 1583.
Table 5-22 describes external route calculations performed when RFC 1583 compatibility is
enabled and disabled.
Table 5-22 Differences in the routing rules adopted when RFC 1583 compatibility is enabled
and disabled
Routing Rules Adopted Routing Rules Adopted When RFC 1583
When RFC 1583 Compatibility Is Disabled
Compatibility Is Enabled
As shown in Figure 5-19, RouterA and RouterE, functioning as ASBRs, import the route
(with the cost 2) to the external network Network 1 and advertise Type 5 LSAs of Network 1.
RouterB adopts the routing rules defined in RFC 1583, and RouterC adopts the routing rules
defined in RFC 2328.
According to the routing rules described in Table 5-22, during the calculation of the route to
Network 1, RouterB prefers the cost-least route, namely, RouterB -> RouterC -> RouterD ->
RouterE -> Network 1, whereas RouterC prefers the intra-area route with the least cost of a
non-backbone area, namely, RouterC -> RouterB -> RouterA -> Network 1.
In this manner, the next hop of the route from RouterB to Network 1 is RouterC, whereas the
next hop of the route from RouterC to Network 1 is RouterB. As a result, a routing loop
occurs.
After RFC 1583 compatibility is enabled on RouterC, RouterC selects the least-cost route to
Network 1, namely, RouterC -> RouterD -> RouterE -> Network 1, whose next hop is not
RouterB. Consequently, routing loops are avoided.
Down
Attempt Init
Loading
Full
Unstable state
Stable state
State change direction
Down This is the initial state of a neighbor conversation. This state indicates that a
router has not received any Hello packets from its neighbors within a dead
interval.
Attempt In the Attempt state, a router periodically sends Hello packets to manually
configured neighbors.
NOTE
This state applies only to non-broadcast multiple access (NBMA) interfaces.
Init This state indicates that a router has received Hello packets from its neighbors
but the neighbors did not receive Hello packets from the router.
2-way This state indicates that a router has received Hello packets from its neighbors
and neighbor relationships have been established between the routers.
If no adjacency needs to be established, the neighbors remain in the 2-way
state. If adjacencies need to be established, the neighbors enter the Exstart
state.
Exstart In the Exstart state, routers establish a master/slave relationship to ensure that
DD packets are sequentially exchanged.
Loading In the Loading state, a router sends Link State Request (LSR) packets to its
neighbors to request their LSAs for LSDB synchronization.
OSPF Meaning
Neighbo
r State
Full In the Full state, a router establishes adjacencies with its neighbors and all
LSDBs have been synchronized.
NOTE
The neighbor state of the local router may be different from that of the remote router. For example, the
neighbor state of the local router is Full, but the neighbor state of the remote router is Loading.
Adjacency Establishment
Adjacencies can be established in either of the following situations:
l Two routers have established a neighbor relationship and communicate for the first time.
l The designated router (DR) or backup designated router (BDR) on a network segment
changes.
On a broadcast network, the DR and BDR establish adjacencies with each router on the same
network segment, but DR others establish only neighbor relationships.
1.1.1.1 2.2.2.2
Down Hello (DR = 1.1.1.1, Neighbors Seen = 0) Down
Hello (DR = 2.2.2.2, Neighbors Seen = 1.1.1.1)
Init
Neighbor Hello (DR = 2.2.2.2, Neighbors Seen = 2.2.2.2)
Neighbor
DD (Seq=X, I=1, M=1, Master)
Exstart
DD (Seq=Y, I=1, M=1, Master)
Exchange Exstart
DD (Seq=Y, I=0, M=1, Slave)
Exchange
DD (Seq=Y+1, I=0, M=1, Master)
DD (Seq=Y+1, I=0, M=1, Slave)
LSR
LSU
LSAck
……
DD (Seq=Y+n, I=0, M=0, Master)
DD (Seq=Y+n, I=0, M=0, Slave)
Loading Full
LSR
LSU
Full LSAck
3. LSDB synchronization
a. After Router A receives the last DD packet, it finds that many LSAs in Router B's
LSDB do not exist in its own LSDB, so Router A's status changes to Loading. After
Router B receives the last DD packet from Router A, Router B's status directly
changes to Full, because Router B's LSDB already contains all LSAs of Router A.
b. Router A sends an LSR packet for updating LSAs to Router B. Router B returns an
LSU packet to Router A. After Router A receives the packet, it sends an LSAck
packet for acknowledgement.
The preceding procedures continue until the LSAs in Router A's LSDB are the same as
those in Router B's LSDB. Router A's status changes to Full. After Router A and Router
B exchange DD packets and update all LSAs, they establish an adjacency.
Adjacency establishment on an NBMA network
The adjacency establishment process on an NBMA network is similar to that on a broadcast
network. The blue part shown in Figure 5-22 highlights the differences from a broadcast
network.
On an NBMA network, all routers establish adjacencies only with the DR and BDR.
1.1.1.1 2.2.2.2
Down Down
Hello (DR = 2.2.2.2, Neighbors Seen = 0)
Init Attempt
Hello (DR = 2.2.2.2, Neighbors Seen = 2.2.2.2)
Init
DD (Seq=X, I=1, M=1, Master)
Exstart
DD (Seq=Y, I=1, M=1, Master)
Exchange Exstart
DD (Seq=Y, I=0, M=1, Slave)
Exchange
DD (Seq=Y+1, I=0, M=1, Master)
DD (Seq=Y+1, I=0, M=1, Slave)
LSR
LSU
LSAck
……
DD (Seq=Y+n, I=0, M=0, Master)
DD (Seq=Y+n, I=0, M=0, Slave)
Loading Full
LSR
LSU
Full LSAck
fields of 2.2.2.2. Router B has been discovered but its router ID is greater than that
of Router A, and therefore Router A agrees that Router B is a DR.
NOTE
The following procedures are not performed for DR others on an NBMA network.
2. Master/Slave relationship negotiation and DD packet exchange
The procedures for negotiating a master/slave relationship and exchanging DD packets
on an NBMA network are the same as those on a broadcast network.
3. LSDB synchronization
The procedure for synchronizing LSDBs on an NBMA network is the same as that on a
broadcast network.
Adjacency establishment on a point-to-point (P2P)/point-to-multipoint (P2MP) network
The adjacency establishment process on a P2P/P2MP network is similar to that on a broadcast
network. On a P2P/P2MP network, however, no DR or BDR needs to be elected and DD
packets are transmitted in multicast mode.
Route Calculation
OSPF uses an LSA to describe the network topology. A Type 1 LSA describes the attributes
of a link between routers. A router transforms its LSDB into a weighted, directed graph,
which reflects the topology of the entire AS. All routers in the same area have the same graph.
Figure 5-23 shows a weighted, directed graph.
Router A Router B
Cost = 1 1
A B
Cost = 2 Cost = 5
2 5
An LSDB is transformed into C
a weighted, directed graph.
Router C
Cost = 3 3
Router D D
Based on the graph, each router uses an SPF algorithm to calculate an SPT with itself as the
root. The SPT shows routes to nodes in the AS. Figure 5-24 shows an SPT.
1 1 1 1
A B A B A B A B
2 2 2 2
C C C C
3 3 3 3
D D D D
When a router's LSDB changes, the router recalculates a shortest path. Frequent SPF
calculations consume a large amount of resources and affect router efficiency. Changing the
interval between SPF calculations can prevent resource consumption caused by frequent
LSDB changes. The default interval between SPF calculations is 5 seconds.
Open Shortest Path First (OSPF) packets are encapsulated into IP packets. The OSPF protocol
number is 89. OSPF packets are classified into the following types:
l Hello packet
l Database Description (DD) packet
l Link State Request (LSR) packet
l Link State Update (LSU) packet
l Link State Acknowledgment (LSAck) packet
0 7 15 31
Version Type Packet length
Router ID
Area ID
Checksum AuType
Authentication
Packet 16 bits Length of the OSPF packet containing the packet header, in
length bytes.
Area ID 32 bits ID of the area to which the router that sends the OSPF packet
belongs.
Checksum 16 bits Checksum of the OSPF packet that does not contain the
Authentication field.
Authenticati 64 bits This field has different meanings for different AuType values:
on l 0: This field is not defined.
l 1: This field defines password information.
l 2: This field contains the key ID, MD5 authentication data
length, and sequence number.
NOTE
MD5 authentication data is added to an OSPF packet and is not included in the Authentication field.
Hello Packet
Hello packets are commonly used packets, which are periodically sent on OSPF interfaces to
establish and maintain neighbor relationships. A Hello packet includes information about the
designated router (DR), backup designated router (BDR), timers, and known neighbors.
Figure 5-26 shows the format of a Hello packet.
0 7 15 31
Version Type=1 Packet length
Router ID
Area ID
Checksum AuType
Authentication
Network Mask
HelloInterval Options Rtr Pri
RouterDeadInterval
Designated Router
Backup Designated Router
Neighbor
…
Network 32 bits Mask of the network on which the interface that sends the
Mask Hello packet resides.
RouterDeadI 32 bits Dead interval. If a router does not receive any Hello packets
nterval from its neighbors within a specified dead interval, the
neighbors are considered Down.
Table 5-26 lists the address types, interval types, and default intervals used when Hello
packets are transmitted on different networks.
NOTE
To establish neighbor relationships between routers on the same network segment, you must set the
same HelloInterval, PollInterval, and RouterDeadInterval values for the routers. PollInterval applies
only to NBMA networks.
DD Packet
During an adjacency initialization, two routers use DD packets to describe their own link state
databases (LSDBs) for LSDB synchronization. A DD packet contains the header of each LSA
in an LSDB. An LSA header uniquely identifies an LSA. The LSA header occupies only a
small portion of the LSA, which reduces the amount of traffic transmitted between routers. A
neighbor can use the LSA header to check whether it already has the LSA. When two routers
exchange DD packets, one functions as the master and the other functions as the slave. The
master defines a start sequence number. The master increases the sequence number by one
each time it sends a DD packet. After the slave receives a DD packet, it uses the sequence
number carried in the DD packet for acknowledgement.
Figure 5-27 shows the format of a DD packet.
0 7 15 31
Version Type=2 Packet length
Router ID
Area ID
Checksum AuType
Authentication
Interface MTU Options 0000 I M M/S
DD sequence number
Designated Router
LSA Headers...
Interface 16 bits Maximum length of the DD packet sent by the interface with
MTU packet fragmentation disabled.
DD sequence 32 bits Sequence number of the DD packet. The master and slave use
number the sequence number to ensure that DD packets are correctly
transmitted.
LSR Packet
After two routers exchange DD packets, they send LSR packets to request each other's LSAs.
The LSR packets contain the summaries of the requested LSAs. Figure 5-28 shows the
format of an LSR packet.
0 7 15 31
Version Type=3 Packet length
Router ID
Area ID
Checksum AuType
Authentication
LS type
Link State ID
Advertising Router
...
Link State 32 bits This field together with the LS type field describes an LSA in
ID an AS.
NOTE
The LS type, Link State ID, and Advertising Router fields can uniquely identify an LSA. If two LSAs
have the same LS type, Link State ID, and Advertising Router fields, a router uses the LS sequence
number, LS checksum, and LS age fields to obtain a required LSA.
LSU Packet
A router uses an LSU packet to transmit LSAs requested by its neighbors or to flood its own
updated LSAs. The LSU packet contains a set of LSAs. For multicast and broadcast networks,
LSU packets are multicast to flood LSAs. To ensure reliable LSA flooding, a router uses an
LSAck packet to acknowledge the LSAs contained in an LSU packet that is received from a
neighbor. If an LSA fails to be acknowledged, the router retransmits the LSA to the neighbor.
Figure 5-29 shows the format of an LSU packet.
0 7 15 31
Version Type=4 Packet length
Router ID
Area ID
Checksum AuType
Authentication
Number of LSAs
LSA...
LSAck Packet
A router uses an LSAck packet to acknowledge the LSAs contained in a received LSU packet.
The LSAs can be acknowledged using LSA headers. LSAck packets can be transmitted over
different links in unicast or multicast mode. Figure 5-30 shows the format of an LSAck
packet.
0 7 15 31
Version Type=5 Packet length
Router ID
Area ID
Checksum AuType
Authentication
LSAs Headers
0 15 23 31
LS age Options LS type
Link State ID
Advertising Router
LS sequence number
LS checksum length
LS age 16 bits Time that elapses after the LSA is generated, in seconds. The
value of this field continually increases regardless of whether
the LSA is transmitted over a link or saved in an LSDB.
Link State 32 bits This field together with the LS type field describes an LSA in
ID an AS.
LS sequence 32 bits Sequence number of the LSA. Neighbors can use this field to
number identify the latest LSA.
length 16 bits Length of the LSA including the LSA header, in bytes.
Router-LSA
A router-LSA describes the link status and cost of a router. Router-LSAs are generated by a
router and advertised within the area to which the router belongs. Figure 5-32 shows the
format of a router-LSA.
0 15 23 31
LS age Options LS type=1
Link State ID
Advertising Router
LS sequence number
LS checksum length
0 V E B 0 # links
Link ID
Link Data
Type # TOS metric
...
TOS 0 TOS metric
Link ID
Link Data
...
Link State 32 bits Router ID of the router that generates the LSA.
ID
V (Virtual 1 bit If the router that generates the LSA is located at one end of a
Link) virtual link, this field is set to 1. In other cases, this field is set
to 0.
E (External) 1 bit If the router that generates the LSA is an autonomous system
boundary router (ASBR), this field is set to 1. In other cases,
this field is set to 0.
B (Border) 1 bit If the router that generates the LSA is an area border router
(ABR), this field is set to 1. In other cases, this field is set to
0.
Link ID 32 bits Object to which the router is connected. This field has
different meanings for different link types:
l 1: router ID
l 2: interface IP address of the designated router (DR)
l 3: network segment or subnet number
l 4: router ID of the neighbor on a virtual link
Link Data 32 bits Link data. This field has different meanings for different link
types:
l 1: interface index
l 3: subnet mask
l 2 and 4: interface address of the router
Type 8 bits Type of the router link. The values are as follows:
l 1: The router is connected to another router in point-to-
point (P2P) mode.
l 2: The router is connected to a transport network.
l 3: The router is connected to a stub network.
l 4: The router is connected to another router over a virtual
link.
Network-LSA
A network-LSA describes the link status of all routers on the local network segment.
Network-LSAs are generated by a DR on a broadcast or non-broadcast multiple access
(NBMA) network and advertised within the area to which the DR belongs. Figure 5-33 shows
the format of a network-LSA.
0 15 23 31
LS age Options LS type=2
Link State ID
Advertising Router
LS sequence number
LS checksum length
Network Mask
Attached Router
...
Attached 32 bits Router IDs of all routers on the broadcast or NBMA network,
Router including the router ID of the DR
Summary-LSA
A network-summary-LSA describes routes on a network segment in an area. The routes are
advertised to other areas.
An ASBR-summary-LSA describes routes to the ASBR in an area. The routes are advertised
to all areas except the area to which the ASBR belongs.
The two types of summary-LSAs have the same format and are generated by an ABR. Figure
5-34 shows the format of a summary-LSA.
0 15 23 31
LS age Options LS type=3 or 4
Link State ID
Advertising Router
LS sequence number
LS checksum length
Network Mask
0 metric
TOS TOS metric
...
NOTE
When a default route is advertised, both the Link State ID and Network Mask fields are set to 0.0.0.0.
Table 5-35 describes ASBR-summary-LSA fields.
AS-External-LSA
An AS-external-LSA describes AS external routes. AS-external-LSAs are generated by an
ASBR. Among the five types of LSAs, only AS-external-LSAs can be advertised to all areas
except stub areas and not-so-stubby areas (NSSAs). Figure 5-35 shows the format of an AS-
external-LSA.
0 15 23 31
LS age Options LS type=5
Link State ID
Advertising Router
LS sequence number
LS checksum length
Network Mask
E 0 metric
Forwarding Address
External Route Tag
E TOS TOS metric
Forwarding Address
External Route Tag
...
Forwarding 32 bits Packets destined for the advertised destination address are
Address forwarded to the address specified by this field.
External 32 bits Tag added to the external route. This field can be used to
Route Tag manage external routes. OSPF itself does not use this field.
NOTE
When AS-external-LSAs are used to advertise default routes, both the Link State ID and Network Mask
fields are set to 0.0.0.0.
Backbone Area
After an OSPF network is divided into different areas, not all areas are equal. Among areas,
one area with area ID as 0 is called the backbone area. The backbone area is responsible for
forwarding the routes between areas. The routing information between the non-backbone
areas must be forwarded through the backbone area.
OSPF defines two rules for a backbone area as below:
l Connectivity must be available between non-backbone areas and the backbone area.
l Connectivity must be available over the backbone area.
Virtual Link
In actual applications, the physical connectivity between the backbone area and non-backbone
areas cannot be ensured due to various reasons. The problem can be solved by the
configuration of an OSPF virtual link.
Virtual link refers to a logical channel established between two ABRs through a non-
backbone area. The virtual link must be configured on both ends of a link. The transmit area
refers to the area that provides an internal route of a non-backbone area for the two ends of a
virtual link.
As shown in Figure 5-37, Area 2 is not directly connected to the backbone area. A virtual link
is configured on ABRs to provide the connectivity between Area 2 and the backbone area.
The virtual link also serves as a backup link. If a link fault occurs on the backbone area, the
virtual link provides the logical connectivity for the backbone area, as shown in Figure 5-38.
Virtual Link
ABR ABR
Area0
The virtual link is similar to a point-to-point connection between two ABRs. Similar to
physical interfaces, the interfaces on the virtual link can be configured with parameters such
as the Hello interval.
When OSPF packets are transmitted between two ABRs, these packets are transparent for the
intermediate routers enabled with OSPF. That is, the intermediate routers forward the packets
as common IP packets without resolving them after detect that they are not the destinations of
the packets.
Stub Area
A stub area is a special area where the ABRs do not flood the received routes outside the AS.
In stub areas, the size of the routing tables of the routers and the routing information in
transmission are reduced.
A stub area is an optional configuration. Not all areas can be configured as stub areas.
Generally, a stub area is a non-backbone area with only one ABR and is located at the AS
boundary.
To ensure the reachability to a destination outside the AS, the ABR in the stub area originates
a default route and advertises it to the non-ABR routers in the stub area.
NSSA
A new type of an area, Not-So-Stubby Area (NSSA), and a new type of an LSA, NSSA-LSA
(or Type 7 LSA) are defined in RFC 1587.
As the NSSA is derived from the stub area, it resembles the stub area in many ways. Type 5
LSA is not allowed in the NSSA. The Type 7 LSA is generated by the ASBR in the NSSA,
and is flooded only in the NSSA. When a Type 7 LSA reaches the ABR of the NSSA, the
ABR translates the Type 7 LSA into an AS-External-LSA and floods it to the other areas. The
ABR translating LSAs is also called the translator.
As shown in Figure 5-39, the AS that runs OSPF contains three areas, area 0, area 1, and area
2. The other two ASs run RIP. Area 1 is configured as the NSSA. After Area 1 transmits the
received RIP routes to the ASBR in the NSSA, the ASBR originates Type 7 LSAs and floods
them in Area 1. When Type 7 LSAs reach the ABR in the NSSA, the ABR translates them
into Type 5 LSAs, and then floods them to Area 0 and Area 2.
On the other hand, the RIP routes in the AS that runs RIP in Area 2 are transmitted in the AS
by Type 5 LSAs originated by ASBR in Area 2. Type 5 LSAs do not reach Area 1 because
Area 1 is an NSSA.
Similar to the stub area, an NSSA cannot be configured with virtual links.
l Totally stub area: allows the Type3 default routes advertised by ABR but not inter-area
routes or those outside ASs.
l Stub area: different from the totally stub area, the stub area allows inter-area routes.
l NSSA area: different from the stub area, the NSSA area allows the import of external
routes into the AS. The ASBR advertises Type 7 LSA to the NSSA area.
l Totally NSSA area: different from the stub area, the NSSA area does not allow inter-area
routes.
5.6.2.6 OSPF GR
This section described the related concepts and the implementation process of OSPF GR.
OSPF graceful restart (GR) allows packets to be forwarded during OSPF restart. OSPF GR
ensures service continuity and improves network reliability.
Background
When the router restarts or performs a master/slave main control board switchover, it
immediately ages all routing entries in the forwarding information base (FIB), which causes
route interruptions. An adjacent router deletes the router from its neighbor list and notifies
other routers of the restart or switchover. As a result, shortest path first (SPF) calculations are
performed on the entire network again. If the router recovers in a short time, a neighbor
relationship is reestablished. Frequent neighbor relationship changes cause route flapping.
To resolve this issue and avoid unnecessary SPF calculations, enable OSPF GR. After you
enable OSPF GR on the router, the router restarts OSPF in GR mode and notifies an adjacent
router that it will recover immediately. In this situation, the adjacent router does not delete the
OSPF GR-enabled router from its neighbor list and other routers do not detect that the OSPF
RouterC
RouterA RouterB
GR
Restarter Helper
RouterD
Related Concepts
l GR
GR is one of high availability (HA) technologies, which comprise a set of
comprehensive technologies, such as fault-tolerant redundancy, link protection, faulty
node recovery, and traffic engineering. GR, a fault-tolerant redundancy technology, has
been widely used for router upgrades and master/slave main control board switchovers.
GR ensures proper traffic forwarding and service continuity during a routing protocol
restart.
GR is classified into the following types by status:
– Totally GR: When a neighbor of a router does not support GR, the router leaves the
GR state.
– Partly GR: When a neighbor of a router does not support GR, only the router's
interface connected to this neighbor leaves the GR state.
GR is classified into the following types based on the implementation mode:
– Planned GR: allows you to configure the router to restart or perform a master/slave
main control board switchover. The restarter sends a grace link state advertisement
(LSA) before the restart or master/slave main control board switchover.
– Unplanned GR: allows the router to restart or perform a master/slave main control
board switchover when the router fails. The router immediately performs a master/
slave main control board switchover without sending a grace LSA. When the slave
main control board goes Up, the router enters the GR state.
l Grace LSA
When the router enters or leaves the GR state, it sends grace LSAs to notify its neighbors
of the GR period, cause, and interface address.
l Restarter
A restarter is a restarting router that can be configured to support totally or partly GR.
l Helper
A helper helps a restarter maintain routing information and can be configured to support
planned or unplanned GR. A policy can also be configured to enable the helper to
selectively support GR.
l GR period
A GR period is the time during which a GR is performed. The GR period cannot exceed
1800 seconds. A router can leave the GR state without waiting for GR to expire.
Implementation
Table 5-37 describes differences between master/slave main control board switchovers with
OSPF GR enabled and disabled.
Table 5-37 Differences between master/slave main control board switchovers with OSPF GR
enabled and disabled
Item Master/Slave Main Master/Slave Main Control Board
Control Board Switchover with OSPF GR Enabled
Switchover with OSPF
GR Disabled
Route The entire network detects Except the neighbors of the router on which
flapping route changes, and route a master/slave main control board
flapping occurs for a short switchover occurred, other routers do not
period of time. detect route changes.
Impact on Packets are lost during No packets are lost during forwarding, and
services forwarding, and services services are not affected.
are interrupted.
Restarter Helper
Grace-LSA
Enter GR Updates the GR period
Grace-LSAs
Send Hello packets, negotiate, exchange
DD packets, and synchronize LSDB
Full
Flush Grace-LSA
Exit GR successfully Exit the Helper successfully
During the GR, the helper retains a neighbor relationship with the restarter. Other routers
do not detect the master/slave main control board switchover performed by the restarter.
2. The restarter stays in the GR state.
a. The restarter and helper establish an OSPF adjacency.
b. The helper checks the restarter status. If the restarter status is Down, the helper
considers that the restarter can restore services within a specified GR period. Before
the specified GR period expires, the helper does not terminate sessions or delete the
topology or routing information obtained from the restarter.
c. When the restarter recovers, it sends a packet to the helper. After the restarter
receives a response, it reestablishes a neighbor relationship with the helper.
d. The restarter establishes a session with the helper to obtain topology or routing
information and uses the information to calculate its own routing table.
A master/slave main control board switchover or restarter restart can be manually
performed or automatically triggered by faults. During the master/slave main control
board switchover or restarter restart, the restarter does not delete the routing information
from its routing table or FIB or reset its interface boards. This process ensures service
continuity.
3. The restarter leaves the GR state.
– If the GR is successful, the restarter reestablishes a neighbor relationship with the
helper before the GR period expires. After the helper receives a grace LSA with an
aging time of 3600 seconds from the restarter, the status of the neighbor relationship
between the helper and restarter changes to Full.
– If the GR fails, several cases occur on the restarter and helper.
The following conditions occur on the restarter:
n The GR expires, and the neighbor relationship does not recover completely.
n Type 1 or Type 2 LSAs sent by the helper cause the restarter to fail to perform
a bidirectional check.
n The status of the interface that functions as the restarter changes.
n The restarter receives 1-way Hello packets from the helper.
n The restarter receives grace LSAs generated by another router on the same
network segment.
NOTE
Only one router can perform a GR on the same network segment at the same time.
n Different designated routers (DRs) or backup designated routers (BDRs) are
elected among the restarter and neighbors on the same network segment due to
topology changes.
The following conditions occur on the helper:
n The helper does not receive grace LSAs from the restarter before the neighbor
relationship expires.
n The status of the interface that functions as the helper changes.
n The helper receives LSAs, which are different from the LSAs in its own link
state database (LSDB), from other routers. You can configure the helper not to
perform a strict LSA check to avoid this issue.
n The helper receives grace LSAs from two routers on the same network
segment at the same time.
n The neighbor relationships between the helper and other routers change.
Classification of Authentication
According to the types of packets, the authentication is classified into the following:
l Area authentication
This authentication is configured in the OSPF area view and applies to the packets
received by all the interfaces in the OSPF area.
l Interface authentication
This authentication is configured in the interface view and applies to all the packets
received by the interface.
According to the authentication modes of packets, the authentication is classified into the
following:
l Non-authentication
Authentication is not required.
l Simple authentication
The authenticated party directly adds the configured password to packets for
authentication. This imposes security threats.
l MD5 authentication
The authenticated party encrypts the configured password using a Message Digest 5
(MD5) algorithm and adds the ciphertext password to packets for authentication. This
authentication mode improves password security. The MD5 algorithms supported
includes MD5 and HMAC-MD5.
l Keychain authentication
A keychain consists of multiple authentication keys, each of which contains an ID and a
password. Each key has the lifecycle. According to the life cycle of the key, you can
dynamically select different authentication keys from the keychain. A keychain can
dynamically select the authentication key to enhance attack defense.
Keychain provides authentication protection for OSPF by dynamically changing
algorithms and keys to improve the security of OSPF.
l HMAC-SHA256 authentication
The HMAC-SHA256 algorithm use to encrypt a password before adding the password to
the packet, which improves password security.
OSPF carries authentication types in packet headers and authentication information in packet
tails.
The authentication types include:
l 0: Non-authentication
l 1: Simple authentication
l 2: Ciphertext authentication
Application Environment
RouterD RouterE
Definition
Bidirectional Forwarding Detection (BFD) is a mechanism to detect communication faults
between forwarding engines.
To be specific, BFD detects connectivity of a data protocol on the same path between two
systems. The path can be a physical link, a logical link, or a tunnel.
In BFD for OSPF, a BFD session is associated with OSPF. The BFD session fast detects a link
fault and then notifies OSPF of the fault. This speeds up OSPF's response to the change of the
network topology.
Purpose
The link fault or the topology change may cause routers to recalculate routes. Therefore, the
convergence of routing protocols must be sped up to improve the network performance.
Link faults are unavoidable. Therefore, a feasible solution is required to detect faults faster
and notify the faults to routing protocols immediately. If BFD is associated with routing
protocols, once a link fault occurs, BFD can speed up the convergence of routing protocols.
Not associated with BFD An OSPF Dead timer At the second level
expires. By default, the
timeout period of the timer
is 40s.
Associated with BFD A BFD session goes Down. At the millisecond level
Principle
FW_A FW_B
GE3/0/0
172.16.1.1/24
GE2/0/0 GE2/0/0
GE1/0/0 3.3.3.1/24 3.3.3.2/24
GE1/0/0
1.1.1.1/24 2.2.2.2/24
GE1/0/0 GE2/0/0
1.1.1.2/24 2.2.2.1/24
Area0
FW_C
Precautions
To establish OSPF neighboring relationship, devices need to exchange DD packets.
Therefore, you need to configure a security policy on the FW to permit the OSPF packets
between the Local zone and the security zone where the neighboring device resides.
Otherwise, the OSPF neighboring relationship fails to be established.
Parameter Description
SPF Calculation Interval The shortest path first (SPF) calculation period of an OSPF
route.
If the network topology keeps changing, the immediate
calculation of the shortest path affects the efficiency of a
router.
By adjusting the minimum interval between two contiguous
SPF calculations, the influence of network topology changes is
reduced.
You can change the value of this parameter based on the actual
network condition.
Internal Priority Indicates the default route priority of the OSPF routing
protocol.
ASE Priority Indicates the default route priority of the OSPF routing
protocol outside the AS.
Sending Interval Indicates the interval for sending the BFD packets.
Receiving Interval Indicates the interval for receiving the BFD packets.
Default Route Advertises the default route in the OSPF route area. In this
case, active default routes of other OSPF processes must exist
in the routing table of the device.
You can specify this parameter when you need to import the
default route to the OSPF area.
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Basic Configuration > Area Settings.
Parameter Description
Parameter Description
Default Cost Indicates the cost of the default routes sent to the Stub area or
the NSSA area through OSPF.
This item is required when you set Area Type to Stub or
NSSA.
Stub Area Setting This parameter enables a stub area to be a totally stub area, and
denies Type3 LSAs from entering the stub area that connects to
the ABR. This reduces the number of LSAs sent to the stub
area.
This item is required when you set Area Type to Stub.
NSSA Settings If the area is an NSSA, you can perform the following
configurations:
l Advertise default route to NSSA: indicates that the default
Type-7 LSA is generated. On the ABR, the default Type-7
LSA is generated no matter whether the route 0.0.0.0 exists
in the routing table. On the ASBR, the default Type-7 LSA
is generated when the route 0.0.0.0 exists in the routing
table.
l Do not import external routes: indicates that the external
routes imported to the ASBR are not advertised to the
NSSA area.
l Totally NSSA: indicates that inter-area routes (Type-3
LSAs) are not imported to the totally NSSA. The ABR
automatically generates a default Type-3 LSA and
advertises it in the entire NSSA.
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Basic Configuration > Network
Settings.
Step 4 Click Add.
The device supports both masks and inverse masks. For example, after mask 255.255.128.0 is entered,
the system automatically identifies and displays the corresponding inverse mask 0.0.127.255.
----End
Step 3 In the OSPFv2 Process ID:ID navigation tree, choose Basic Configuration > Interface
Settings.
MTU Enables the interface to use the actual MTU value when it
sends DD packets.
Usually, the establishment of a peer relationship requires that
the Hello and Dead timers at the two ends of a link have same
values respectively and do not compare the MTU values of the
ports.
The MTU negotiation can be enabled for this function. Then if
the MTU values of the ports are different, a peer relationship
cannot be established.
Parameter Description
Authentication Mode Indicates the mode in which the OSPF interface authenticates
packets.
l NONE: indicates that interface authentication is not
configured.
l Simple: indicates simple authentication.
l MD5: indicates MD5 authentication.
l HMAC-MD5: indicates HMAC-MD5 authentication.
l HMAC-SHA256: indicates HMAC-SHA256
authentication.
If authentication mode and password are configured both on an
OSPF area and interface, the settings on the interface take
precedence.
Parameter Description
Advanced Settings
Transmission Delay Indicates the delay of transmitting the LSA on the interface.
The LSA in the local router LSDB is aging with time (its value
is increased by 1 every second); however, the network
transmission process does not age with time; therefore, you are
advised to add the latency to the LSA aging period before
sending the LSA. This is especially important for a low-speed
network.
Hello Packet Interval Indicates the interval for sending Hello packets.
A shorter interval for sending Hello packets results in a faster
speed in detecting network topology changes and larger cost on
system resources.
Polling Interval Indicates the interval for sending polling Hello packets.
This parameter defines the interval for sending polling Hello
packets from an NBMA interface to peer routers with a Down
state.
Retransmission Interval After a router sends an LSA to its peer router, it waits for a
confirmation packet sent by the peer router. If no confirmation
packet is received within this interval, the router resends the
LSA.
This parameter defines the interval for resending an LSA.
Parameter Description
Sending Interval Indicates the interval for sending the BFD packets.
Receiving Interval Indicates the interval for receiving the BFD packets.
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Advanced Settings > Route Import.
If the new route import configuration is displayed on the page, the operation succeeds.
----End
NOTE
Step 3 In the OSPFv2 Process ID:ID navigation tree, choose Advanced Settings > Virtual Link.
Peer Router ID Indicates the ID of the peer router of the virtual link.
Transit Area Indicates the OSPF area which the virtual link goes through.
Advanced Settings
Transmission Delay Indicates the delay of transmitting the LSA on the interface.
The LSA in the local router LSDB is aging with time (its value
is increased by 1 every second); however, the network
transmission process does not age with time; therefore, you are
advised to add the latency to the LSA aging period before
sending the LSA. This is especially important for a low-speed
network.
Hello Packet Interval Indicates the interval for sending Hello packets.
A shorter interval for sending Hello packets results in a faster
speed in detecting network topology changes and larger cost on
system resources.
Parameter Description
Retransmission Interval After a router sends an LSA to its peer router, it waits for a
confirmation packet sent by the peer router. If no confirmation
packet is received within this interval, the router resends the
LSA.
This parameter defines the interval for resending an LSA.
Parameter Description
If the new virtual link is displayed on the page, the operation succeeds.
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Advanced Settings > Route Summary.
Parameter Description
Area Indicates the area where the local device to be configured with
the route aggregation resides.
This parameter is available when Summary Type is ABR.
Parameter Description
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Advanced Settings > Passive Interface.
----End
Step 3 In the OSPF Process ID:ID navigation tree, choose Advanced Settings > Route Filter.
Parameter Description
Filter Type Indicate the route filter type of the OSPF. After this parameter
is set, it cannot be changed.
l Import: indicates the filtering of the routes calculated by
OSPF. Only the routes that match the filtering rules are
added to the routing table.
l Export: indicates the filtering of the routes imported by
OSPF. Only the routes that match the filtering rules are
advertised.
Route Type Advertise routes based on the route type based filtering.
This parameter is required when the Filter Type is Export.
After this parameter is set, it cannot be changed.
If NONE is selected, OSPF filters all the imported routing
information.
Process ID Specifies the process ID for OSPF, RIP, and ISIS. After this
parameter is set, it cannot be changed.
Filter Mode Indicates the route filter mode. You can configure the mode to
either of the following:
l IP-Prefix: sets a matching rule based on the IP prefix list. It
is used for filtering routes according to the prefixes of
destination IP addresses.
l ACL: sets a matching rule based on the ACL. It is used for
filtering routes according to destination IP addresses.
Source Address Indicates the source IP address for filtering routes or the name
of the source address/address group.
You can select an existed address/address group or create a
new address/address group.
Schedule Indicates the time range during which route filtering takes
effect.
You can select an existed time range or create a new time
range.
Parameter Description
Action Indicates the action taken by the device towards the route.
l permit: indicates the action configured by the policy is
performed on the route.
l deny: indicates that the action configured by the policy is
not performed on the route.
If the new route filtering policy is displayed on the page, the operation succeeds.
----End
Context
To ensure the stability of OSPF, you should determine the division of router IDs and manually
configure them when planning the network. When configuring router ID manually, you
should ensure that the router IDs of any two routers in a single AS are different. Generally, the
router ID is configured to be consistent with the IP address of an interface of this router.
The FW supports OSPF multi-processes. When multiple OSPF processes are enabled on a
FW, you must specify different process IDs. OSPF process ID is a local concept, with no
effect on its packet exchange with other routers. Therefore, different FWs can also exchange
packets, even with different process IDs.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
The FW supports OSPF multi-instance. To configure OSPF in a VPN instance, run the ospf
[ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command. If the VPN
instance is specified, the OSPF process belongs to the specified instance. Otherwise, the
OSPF process belongs to the global instance.
NOTE
The ID of the OSPF process is unique, including the OSPF multi-instance. That is, the process ID of the
OSPF multi-instance cannot be identical with the previously specified one.
----End
Context
Network segments mentioned in this section refer to the network segments where interfaces
running OSPF reside.
A network segment can belong to only one area. In other words, you need to specify an area
for each interface running OSPF.
Most configurations should be based on the area. Wrong configuration may disable
information transmission between the neighboring routers, and even lead to congestion or
self-loop of the routing information.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
area area-id
Step 4 Run:
OSPF can run on an interface only when the following conditions are satisfied:
l Mask length of the IP address of an interface is not shorter than that in the network
command.
l Master IP address of an interface must belong to the network segment specified by the
network command.
NOTE
The address segment of the MPU management interface GigabitEthernet 0/0/0 cannot be released to the
OSPF area through the network command.
For a loopback interface, by default, OSPF advertises its IP address in 32-bit host route,
regardless of the mask length of the IP address on the interface. To advertise the segment
route of the loopback interface, configure the network type as NBMA or broadcast in the
interface view.
----End
Context
After area partition, the number of LSAs in the network decreases, and the OSPF extensibility
is enhanced. To reduce its routing table size and the number of LSAs, you can configure some
non-backbone areas on the AS border as stub area.
You must use the stub command to configure the area with Stub functions on the FWs that
are connected to the stub area.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF process view is displayed.
Step 3 Run:
area area-id
The OSPF area view is displayed.
Step 4 Run:
stub [ no-summary ]
----End
Context
Stub areas cannot import external routes, thus leading to the concept of NSSA area. In NSSA
area, Type7 LSA transmission is allowed. Originated by ASBR in NSSA area, Type7 LSA is
transformed to AS-External LSA when it reaches the ABR of NSSA, and is further advertised
to other areas.
You must use the nssa command to configure the NSSA area with NSSA attribute on the
routers connected to the NSSA area.
The parameters in the nssa command are valid only when you configure the command on
ABRs.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF process view is displayed.
Step 3 Run:
area area-id
The OSPF area view is displayed.
Step 4 Run:
nssa [ { default-route-advertise | suppress-default-route } | flush-waiting-timer interval-
value | no-import-route | no-summary | set-n-bit | suppress-forwarding-address |
translator-always | translator-interval interval-value | zero-address-forwarding |
translator-strict ] *
Step 5 Run:
default-cost cost
----End
Context
After area partition, the OSPF routes between non-backbone areas are updated with the help
of the backbone area. OSPF stipulates that all the non-backbone areas should maintain the
connectivity with the backbone area, and the backbone area should maintain its own
connectivity.
However, in practical applications, the physical connectivity cannot be ensured due to the
network topology restrictions. OSPF virtual link can be configured to solve this problem.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
area area-id
Step 4 Run:
You must configure this command at the peer end of the virtual link.
----End
Follow-up Procedure
After virtual links are created, different default MTUs may be used on devices provided by
different vendors. To ensure consistency, the MTU is set to 0 by default when the interface
sends DD packets. For details, see Configuring the MTU in DD Packets.
Context
You can choose whether to advertise the aggregated route, and configure the cost of the
aggregated Link State Advertisement (LSA).
This command is applicable only to ABRs and is used for the route aggregation in an area.
The ABR transmits only an aggregated route to other areas. Route aggregation refers to that
the ABR can aggregate routes with the same prefix, and send only one route to other areas.
You can configure multiple network segments in an area. OSPF can thus aggregate multiple
network segments.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
area area-id
The OSPF area view is displayed.
Step 4 Run:
abr-summary ip-address mask [ cost { cost | inherit-minimum } | [ advertise [ generate-
null0-route ] | not-advertise | generate-null0-route [ advertise ] ] ] *
ABR route aggregation of OSPF is configured.
This command is valid for ABRs only.
----End
Context
You can choose whether to advertise the aggregated route, and set the cost of the aggregated
route. When a lot of routes are imported, users can set the delay for advertising aggregated
routes. In this way, the aggregated route information advertised each time contains more valid
routes and the incorrect routing information caused by network flapping is avoided.
The command can be configured in the Autonomous System Border Router (ASBR). The
command is used to aggregate the imported external routers in the aggregation address range.
If the area is NSSA area, this command can also be configured on the ABR. ABR aggregates
the LSA that is switched from Type-7 to Type-5.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
asbr-summary ip-address mask [ [ not-advertise | generate-null0-route ] | tag tag | cost
cost | distribute-delay interval ] *
ASBR route aggregation of OSPF is configured.
This command is valid for ASBRs only.
not-advertise: Indicates that the aggregated route is not advertised. If the parameter is not
specified, the aggregated route is advertised.
distribute-delay: Specifies the delay for advertising the summarized route.
----End
Context
OSPF is a dynamic routing protocol based on the link state, and routing information is hidden
in the link state. Therefore, the filter-policy import command cannot be used to filter the
advertised and received LSAs. You can then run the filter-policy import command to filter
the routes calculated by OSPF. Only the routes that match the filtering rules are added to the
routing table.
The filter-policy import command is used to filter only the routes that match OSPF and are
installed to the local routing table. Routes that do not pass the filtering are neither added to the
OSPF routing table nor advertised. Therefore, whether the received routes pass the filtering or
not, the LSDB is not affected.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name
[ secondary ] } import
Routing filtering function is configured to filter the routes received.
----End
Context
After filtering conditions are set for the incoming or outgoing Type 3 LSAs (Summary LSAs)
in an area, only the Type 3 LSAs that meet the filtering conditions can be received or
advertised.
NOTE
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF process view is displayed.
Step 3 Run:
area area-id
Step 4 Run:
----End
Context
OSPF can ensure loop-free intra-area routes and inter-area routes; however, OSPF cannot
prevent external routes from loops. Therefore, you should be cautious when configuring
OSPF to import external routes.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
Step 4 (Optional)Run:
You can configure OSPF to filter the routing information of a protocol or a process by
specifying the parameter direct, static, unr, bgp, rip [ process-id ], isis [ process-id ], ospf
[ process-id ]. If direct, static, unr, bgp, rip [ process-id ], isis [ process-id ], ospf [ process-
id ] is not specified, OSPF filters all the imported routing information.
NOTE
l The import-route command cannot be used to import the default routes of external routes.
l OSPF filters the imported routes; that is, OSPF transforms only eligible external routes to Type5
LSAs and advertises them.
----End
Context
If the default route is imported to the OSPF routing domain and an OSPF router within it is
configured with a static default route, you need to set the precedence of static default route
lower than that of the imported default route. Otherwise, the default route may not be assigned
the highest priority in the routing table.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
When always is selected, you can import a default route to OSPF forcibly; otherwise, the
routes can be imported only when local default routes exist.
When summary is selected, you must first enable VPN; otherwise, the route cannot be
aggregated.
----End
Context
When OSPF imports external routes, you can configure the default values for some additional
parameters, such as the cost, number of routes, tag, and type. The route tag is used to tag the
protocol related information. For example, it is used to differentiate the number of the ASs
when OSPF receives BGP.
By default, the metric of the external routes imported by OSPF is 1; a maximum of
2147483647 routes can be imported each time; the type of the imported external routes is
Type 2; the default tag value of the imported routes is 1.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
default { cost { cost | inherit-metric } | limit limit | tag tag | type type } *
The default values are configured for parameters related to importing routes (cost, number of
routes, tag, and type).
NOTE
You can run one of the following commands to set the cost of the imported route. The following
commands are listed in the descending order of priorities.
l Run the apply cost command to set the cost of a route.
l Run the import-route (OSPF) command to set the cost of the imported route.
l Run the default command to set the default cost of the imported route.
----End
Context
To configure the cost of an OSPF link, you can directly configure the cost of an OSPF
interface.
If you do not set the cost of the OSPF interface directly, OSPF calculates the cost according to
the bandwidth of the interface. The calculation formula is as follows: cost of the interface =
bandwidth reference value/interface bandwidth. The integer of the calculated result is the cost
of the interface. If the result is smaller than 1, the cost value is 1. You can indirectly change
the cost of the interface by changing the bandwidth reference value.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospf cost value
The cost of OSPF interfaces is configured.
----End
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
maximum load-balancing number
The maximum number of equal-cost routes is set.
----End
Context
Multiple dynamic routing protocol may run on a router at the same time. Thus, there is the
problem of routing information sharing and routing selection among routing protocols. The
system sets the priority for each routing protocol. When different protocols detect the same
route, the route with a higher priority is selected.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
----End
Context
The nexthop command selects the next hop with the highest priority from the equal-cost
routes calculated by OSPF. The smaller the weight is, the higher the routing priority is. By
default, the weight value is 255, indicating that load is balanced between the equal-cost
routes.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
----End
Context
By default, the network type of an interface is determined by the physical interface. The
network type of Ethernet interface is broadcast, that of the serial interface and POS interface
(encapsulated with PPP or HDLC) is p2p, and that of ATM interface and Frame-relay
interface is nbma.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
Step 3 Run:
After a new network type is configured for the interface, the original network type is
automatically replaced.
NOTE
Generally, the network types of two OSPF interfaces on the both ends of the link must be identical.
Otherwise, the two interfaces cannot set up the neighbor relationship. Only when the network type of
one OSPF interface is broadcast and the network type of the other OSPF interface is P2P, the two
interfaces can still set up the neighbor relationship. The broadcast interface can learn the correct OSPF
routing information, but the P2P interface cannot learn the OSPF routing information from the peer.
----End
Context
For NBMA networks, if there are no directly reachable links between two routers, you can
configure the interface type to P2MP. If the router in NBMA networks has only one peer, you
can change the interface type to P2P.
Some special configurations are needed for NBMA networks. Because a router cannot detect
neighbor routers by broadcasting hello packets, you must manually configure the IP addresses
of its adjacent routers for this interface and their election rights.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
peer ip-address [ dr-priority priority ]
A neighbor is configured for the NBMA network.
----End
Context
When configuring broadcast networks or NBMA networks, you can specify the DR priority
for each interface to affect the DR/BDR election in the network. The greater the value is, the
higher the priority is.
By default, the priority of the interface that candidates for the DR is 1.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospf dr-priority priority
DR priorities are set for OSPF interfaces.
After the DR priority is changed, you can re-elect a DR or BDR through the following
methods, which, however, will result in the interruption of the OSPF neighbor relationship
between routers and therefore are used only when necessary.
l Restarting all routers.
l Running the shutdown and undo shutdown commands on the interface on which the
OSPF neighbor relationship is set up.
----End
Context
NOTICE
l Both Hello and Dead timer are restored to the default settings after the network type is
changed.
l It is necessary to keep the consistency of the Hello timers between OSPF neighbors.
l Note that the value of the Hello timer is inversely proportional to route convergence speed
and network load.
l For the same interface, the dead time should be at least four times as long as the interval of
Hello packets.
l Do not set the LSA retransmission interval too small. Otherwise, unnecessary
retransmission may be caused. It must be greater than the time for a packet to be
transmitted a round between two routers.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type { interface-number | interface-number.subinterface-number }
----End
Context
It takes time to transmit OSPF packets on a link; therefore, the delay is added to the aging
time of the LSAs before transmission.
By default, the delay is 1 second.
NOTICE
On low-speed links, you should focus on this configuration.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
----End
Context
Complied with the OSPF protocol, the LSA update interval is five seconds. This prevents the
flapping of network connection or routes from occupying too much bandwidth and resource.
In a stable network or a network that requires fast routing aggregation, you can set the LSA
update interval to 0. Thus, once the topology or routes change, the change can be advertised to
the network through LSA immediately. The speed of route aggregation on the network is
increased.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
By default, the intelligent timer is enabled. The interval for updating LSAs is expressed in
milliseconds. The maximum interval is 5000 milliseconds (ms), the initial interval is 500 ms,
and the Holdtime interval is 1000 ms. After an intelligent timer is enabled, the interval for
updating LSAs is as follows:
1. The initial interval for updating LSAs is specified by the parameter start-interval.
2. The interval for updating LSAs for the nth (n≥2) time is equal to hold-interval * 2(n-1).
3. When the interval specified by hold-interval * 2(n-1) reaches the maximum interval
specified by max-interval, OSPF updates LSAs at the maximum interval for three
consecutive times. Then, go back to Step 3.a, and OSPF updates LSAs at the initial
interval specified by start-interval.
----End
Context
In a stable network or a network that requires fast routing aggregation, you can set the LSA
receive interval to 0. Thus, once the topology or routes change, the change can be advertised
immediately. The speed of route aggregation on the network is increased.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
lsa-arrival-interval { interval | intelligent-timer max-interval start-interval hold-interval }
The interval for receiving LSA is set.
By default, the intelligent timer is enabled. The interval for receiving LSAs is expressed in
milliseconds. The maximum interval for receiving LSAs is 1000 ms, the initial interval is 500
ms, and the Holdtime interval is 500 ms. After an intelligent timer is enabled, the interval for
receiving LSAs is as follows:
1. The initial interval for receiving LSAs is specified by the parameter start-interval.
2. The interval for receiving LSAs for the nth (n≥2) time is equal to hold-interval * 2(n-1).
3. When the interval specified by hold-interval * 2(n-1) reaches the maximum interval
specified by max-interval, OSPF receives LSAs at the maximum interval for three
consecutive times. Then, go back to Step 3.a, and OSPF receives LSAs at the initial
interval specified by start-interval.
----End
Context
When the OSPF LSDB changes, the shortest path need be recalculated. Frequent network
changes occupy many system resources and affect the efficiency of routers. You can configure
an intelligent timer and rationally set the interval for the SPF calculation to avoid excessive
router memory and bandwidth resources from being occupied.
Adjusting the SPF calculation interval, however, can restrain the resource consumption due to
frequent network changes.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
spf-schedule-interval { interval1 | intelligent-timer max-interval start-interval hold-interval
| millisecond interval2 }
The interval for SPF calculation is set.
By default, the intelligent timer is enabled. The interval for the SPF calculation is expressed
in milliseconds. The maximum interval for the SPF calculation is 10000 ms, the initial
interval is 500 ms, and the Holdtime interval is 1000 ms. After an intelligent timer is enabled,
the interval for the SPF calculation is as follows:
1. The initial interval for the SPF calculation is specified by the parameter start-interval.
2. The interval for the SPF calculation for the nth (n≥2) time is equal to hold-interval ×
2(n-1).
3. When the interval specified by hold-interval × 2(n-1) reaches the maximum interval
specified by max-interval, OSPF performs the SPF calculation at the maximum interval
for three consecutive times. Then, go back to Step 3.a, and OSPF performs the SPF
calculation at the initial interval specified by start-interval.
----End
5.6.5.6.6 Suppressing the Interface from Receiving and Sending OSPF Packets
You can configure the interface so that the receiving and sending of OSPF packets are
prohibited, and thus the networking adaptability of OSPF is enhanced and system resource
consumption is reduced.
Context
To prevent OSPF routing information from being acquired by the routers on a certain
network, and prevent the local router from receiving the route updates advertised by other
routers, use the silent-interface command to suppress the interface from receiving and
sending OSPF packets.
Different processes can suppress the same interface from sending and receiving OSPF
packets, but the silent-interface command is valid only for the OSPF interface on which the
specified process has been enabled, and has no effect on the interface of other processes.
After an OSPF interface is set to be in silent status, the interface can still advertise its direct
route. However, the Hello packets of the interface are blocked, and no neighbor relationship
can be established on the interface. Hence, the OSPF capability to adapt to the networking is
enhanced, which in turn reduces the consumption of system resources.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
silent-interface { all | interface-type interface-number }
The interface is suppressed from receiving and sending OSPF packets.
----End
Context
Stub router is used to control the traffic. It informs other OSPF routers on the network not to
use it as a transit point, but still route to it.
Among the Router LSAs generated by the Stub router, all the metric of links are set equal to
or larger than 65535.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
stub-router [ on-startup [ interval ] ]
A Stub router is configured.
NOTICE
Stub router has nothing to do with the stub area.
----End
Context
Generally, an interface replaces the actual MTU value with 0 when sending DD packets. After
this command is configured, the interface fills in the Interface MTU field of the DD packets
with the actual MTU value.
NOTICE
After the MTU value in a DD packet is configured, the neighbor relationship is reestablished.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
Step 3 Run:
ospf mtu-enable
The interface is enabled to fill in the MTU value in a DD packet when sending the DD
packets.
----End
Context
NOTE
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospf [ process-id ]
The OSPF view is displayed.
Step 3 Run:
lsdb-overflow-limit number
The maximum number of external LSAs in LSDB is configured.
----End
Context
RFC 2328 and RFC 1583 define the route selection rule differently. After OSPF is enabled on
the FW, specify a route selection rule based on the FW configuration. The FW complies with
the route selection rule defined in RFC 1583 by default. If the neighboring device complies
with the route selection rule defined in RFC 2328, configure the local FW to comply with that
defined in RFC 2328. This allows all devices in the OSPF area to comply with the same route
selection rule.
Procedure
Step 1 Run:
system-view
The FW is configured to comply with the route selection rule defined in RFC 2328, not RFC
1583.
By default, the FW complies with route selection rule defined in RFC 1583.
----End
Context
In area authentication, all the routers in an area must use the same area authentication mode
and password. For example, the authentication mode of all devices in Area 0 is simple
authentication and the password is abc.
The interface authentication mode is used among neighbor routers to set the authentication
mode and password. Its priority is higher than that of the area authentication mode.
NOTE
By default, authentication is not configured for OSPF area or interface. Configuring area authentication
is recommended to ensure system security.
Procedure
l Configuring the Area Authentication Mode
a. Run:
system-view
All the routers in an area must agree on the same area authentication mode and
password. For example, the authentication mode of all routers in area 0 is
simple authentication, and the password is abc.
n Run:
authentication-mode keychain keychain-name
Before using the Keychain authentication, you must run the keychain command to
create a keychain. Then, run the key-id, key-string, and algorithm commands to
configure a key ID, a password, and an authentication algorithm for this keychain.
Otherwise, the OSPF authentication will fail.
l Configuring the Interface Authentication Mode
a. Run:
system-view
Before using the Keychain authentication, you must run the keychain command to
create a keychain. Then, run the key-id, key-string, and algorithm commands to
configure a key ID, a password, and an authentication algorithm for this keychain.
Otherwise, the OSPF authentication will fail.
The authentication mode and password of interfaces in the same network segment
must be consistent except the Keychain authentication mode. If the interfaces are in
different network segments, the authentication mode and password of the interfaces
can be different.
----End
Prerequisites
Before configuring OSPF GR, complete the following tasks:
l Configuring IP addresses for interfaces to ensure that neighboring routers are reachable
at the network layer.
l Establishing the OSPF Neighbor Relationship.
Context
To avoid traffic interruption and route flapping caused by the active/standby switchover, you
can enable OSPF GR.
After the OSPF process is restarted through Graceful Restart (GR), the Restarter and the
Helper reestablish the neighbor relationship, exchange routing information, synchronize the
LSDB, and update the routing table and forwarding table. These operations ensure the fast
convergence of OSPF and the stability the network topology.
NOTE
In practical applications, you can configure OSPF GR on the dual main control boards to avoid service
forwarding from being affected by the fault occurred on the main control board.
Procedure
Step 1 Run:
system-view
NOTE
When enabling or disabling the opaque LSA function, OSPF process will go down in order to
renegotiate the new capability, which means that the traffic will be affected for few seconds.
Step 4 Run:
graceful-restart
After the graceful-restart command is run to enable GR for a FW, the Helper function is also
enabled.
Step 5 Run:
graceful-restart [ period period | planned-only | partial ] *
l Set period, the GR period on the Restarter is set. By default, the restart time is 120
seconds.
l Set planned-only, the Restarter supports only the planned GR. By default, the Restarter
supports both the planned GR and unplanned GR.
l Set partial, the Restarter supports the partial GR. By default, the Restarter supports the
totally GR.
The local router can enter the Helper mode only after neighbors pass the filtering policies
of ip-prefix or acl.
2. Run:
The Helper does not check the LSAs outside the AS (AS-external LSA).
By default, the Helper supports both the planned GR and unplanned GR.
NOTE
To configure multiple parameters at the same time, run the graceful-restart [ period period |
partial | planned-only ] * helper-role { { { ip-prefix ip-prefix-name | acl-number acl-number } |
ignore-external-lsa | planned-only } * | never } command.
----End
Prerequisites
Before configuring BFD for OSPF, complete the following task:
l Configuring IP addresses for interfaces to ensure that neighboring routers are reachable
at the network layer.
l Establishing the OSPF Neighbor Relationship.
Context
After BFD for OSPF is configured, when detecting a link fault, BFD rapidly notifies the
routers on both ends of the link of the fault, triggering rapid OSPF convergence. When the
OSPF neighbor relationship goes Down, the BFD session will be dynamically deleted.
Before configuring BFD for OSPF, enable BFD globally.
Perform the following steps on the FWs between which a BFD session is to be created.
Procedure
Step 1 Run:
system-view
BFD for OSPF is configured. The default parameter values are used to create a BFD session.
If all the interfaces in a certain process are configured with BFD and their neighbor
relationships are in the Full state, OSPF creates BFD sessions with default parameter values
on all the interfaces in the process.
Step 6 (Optional) Run:
bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-
interval | detect-multiplier multiplier-value | frr-binding } *
You can skip this step. The default interval at which BFD packets are transmitted and the
default detection multiplier are recommended.
The parameters are configured based on the network status and network reliability
requirements. A short interval at which BFD packets are transmitted can be configured for a
link that has a higher requirement for reliability. A long interval at which BFD packets are
transmitted can be configured for a link that has a lower requirement for reliability.
NOTE
l Actual interval at which BFD packets are transmitted on the local router = Max { configured interval
transmit-interval at which BFD packets are transmitted on the local router, configured interval receive-
interval at which BFD packets are received on the peer router }
l Actual interval at which BFD packets are received on the local router = Max { configured interval
transmit-interval at which BFD packets are transmitted on the peer router, configured interval receive-
interval at which BFD packets are received on the local router }
l Actual time for detecting BFD packets = Actual interval at which BFD packets are received on the local
router x Configured detection multiplier multiplier-value on the peer router
For example:
l On the local router, the configured interval at which BFD packets are transmitted is 200 ms; the
configured interval at which BFD packets are received is 300 ms; the detection multiplier is 4.
l On the peer router, the configured interval at which BFD packets are transmitted is 100 ms; the interval
at which BFD packets are received is 600 ms; the detection multiplier is 5.
Then:
l On the local router, the actual interval at which BFD packets are transmitted is 600 ms calculated by
using the formula max {200 ms, 600 ms}; the interval at which BFD packets are received is 300 ms
calculated by using the formula max {100 ms, 300 ms}; the detection period is 1500 ms calculated by
multiplying 300 ms by 5.
l On the peer router, the actual interval at which BFD packets are transmitted is 300 ms calculated by
using the formula max {100 ms, 300 ms}, the actual interval at which BFD packets are received is 600
ms calculated by using the formula max {200 ms, 600 ms}, and the detection period is 2400 ms
calculated by multiplying 600 ms by 4.
After BFD for OSPF is configured, all interfaces on which neighbor relationships are Full in
the OSPF process will create BFD sessions. To prevent specific interfaces from being enabled
with BFD, disable these interfaces from dynamically creating BFD sessions.
1. Run:
quit
----End
Context
When multiple OSPF processes are enabled, you can configure OSPF MIB to select the
process to be processed, that is, configure OSPF MIB to select the process to which it is
bound.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ospf mib-binding process-id
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
snmp-agent trap enable feature-name ospf [ trap-name
{ hwospfv2intraareadripaddressconflict | hwospfv2intraarearouteridconflict |
ospfifauthfailure | ospfifconfigerror | ospfifrxbadpacket | ospfifstatechange |
ospflsdbapproachingoverflow | ospflsdboverflow | ospfmaxagelsa |
ospfnbrrestarthelperstatuschange | ospfnbrstatechange |
ospfnssatranslatorstatuschange | ospforiginatelsa | ospfrestartstatuschange |
ospftxretransmit | ospfvirtifauthfailure | ospfvirtifconfigerror |
ospfvirtifrxbadpacket | ospfvirtifstatechange | ospfvirtiftxretransmit |
ospfvirtnbrrestarthelperstatuschange | ospfvirtnbrstatechange } ]
To enable the traps of one or more events, you can specify type-name.
----End
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
ospf [ process-id ]
Step 3 Run:
----End
Clearing OSPF
NOTICE
OSPF information cannot be restored after being cleared. Exercise caution when running this
command.
After confirming the running information about the OSPF statistics, run the following
commands in the user view.
Action Command
Resetting OSPF
Networking Requirements
NOTE
As shown in Figure 5-45, all the FWs run OSPF, and the whole Autonomous System (AS) is
divided into three areas. The FW_A and FW_B serve as ABRs to forward the routes between
these areas.
After the configuration, each FWcan learn the routes from AS to all network segments.
Area0
GE1/0/0
GE2/0/0 192.168.0.2/24 GE2/0/0
192.168.1.1/24 192.168.2.1/24
GE1/0/0
FW_A 192.168.0.1/24 FW_B
GE1/0/0 GE2/0/0
Area1 Area2
192.168.1.2/24 192.168.2.2/24
FW_C FW_D
GE3/0/0 GE3/0/0
172.16.1.1/24 172.17.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Enabling OSPF on each FWand specifying the network segment in different area
2. Checking the routing list and database information
Data Preparation
To complete the configuration, you need the following data:
l The router ID of the FW_A is 1.1.1.1. the OSPF process number is 1. Network segment
192.168.0.0 is specified in Area 0, and network segment 192.168.1.0 is specified in Area
1.
l The router ID of the FW_B is 2.2.2.2. the OSPF process number is 1. Network segment
192.168.0.0 is specified in Area 0, and network segment 192.168.2.0 is specified in Area
2.
l The router ID of the FW_C is 3.3.3.3. the OSPF process number is 1. Network segment
192.168.1.0 and 172.16.1.0 are specified in Area 1.
l The router ID of the FW_D is 4.4.4.4. the OSPF process number is 1. Network segment
192.168.2.0 and 172.17.1.0. are specified in Area 2.
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
security policy. (Omitted)
Step 2 Configure basic OSPF functions on the FW_A.
# Enter the system view.
<FW_A> system-view
[FW_C] ospf
# Set the area where network segment192.168.1.0 and 172.16.1.0 reside as area 1.
[FW_C-ospf-1] area 1
[FW_C-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[FW_C-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
# Set the area where network segment 192.168.2.0 and 172.17.1.0 reside as area 2.
[FW_D-ospf-1] area 2
[FW_D-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[FW_D-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
Neighbors
Total Nets: 5
Intra Area: 3 Inter Area: 2 ASE: 0 NSSA: 0
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 2.2.2.2 2.2.2.2 317 48 80000003 1
Router 1.1.1.1 1.1.1.1 316 48 80000003 1
Sum-Net 172.16.1.0 1.1.1.1 250 28 80000002 2
Sum-Net 172.17.1.0 2.2.2.2 203 28 80000002 2
Sum-Net 192.168.2.0 2.2.2.2 237 28 80000003 1
Sum-Net 192.168.1.0 1.1.1.1 295 28 80000003 1
Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 3.3.3.3 3.3.3.3 217 60 80000006 1
Router 1.1.1.1 1.1.1.1 289 48 80000003 1
Sum-Net 172.17.1.0 1.1.1.1 202 28 80000002 3
Sum-Net 192.168.2.0 1.1.1.1 242 28 80000002 2
Sum-Net 192.168.0.0 1.1.1.1 300 28 80000002 1
# Display the routing table of the FW_D and test the connectivity by using the ping
command.
[FW_D] display ospf routing
Total Nets: 5
Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0
[FW_D] ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=253 time=63 ms
----End
Configuration Script
l Configuration script of FW_A
#
sysname FW_A
#
router id 1.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_sec_2
source-zone trust
destination-zone trust
action permit
#
return
Networking Requirements
As shown in Figure 5-46, all the FWs run OSPF, and the whole AS is divided into three
areas. The FW_A and FW_B serve as ABRs to forward the routes between these areas. The
FW_D serves as ASBR to import external routes (static routes).
Configure Area 1 as an NSSA area and configure the FW_C as ASBR to import external
routes (static routes). The routing information can be transmitted correctly inside the AS.
Area0
GE1/0/0
GE2/0/0 192.168.0.2/24 GE2/0/0
192.168.1.1/24 GE1/0/0 192.168.2.1/24
FW_A 192.168.0.1/24 FW_B
GE1/0/0 GE2/0/0
192.168.1.2/24 192.168.2.2/24
Area1
NSSA FW_C FW_D
GE3/0/0
GE3/0/0
172.17.1.1/24
172.16.1.1/24
Area2
ASBR
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l The router ID of the FW_A is 1.1.1.1. the OSPF process number is 1. Network segment
192.168.0.0 is specified in Area 0, and network segment 192.168.1.0 is specified in Area
1.
l The router ID of the FW_B is 2.2.2.2. the OSPF process number is 1. Network segment
192.168.0.0 is specified in Area 0, and network segment 192.168.2.0 is specified in Area
2.
l The router ID of the FW_C is 3.3.3.3. the OSPF process number is 1. Network segment
192.168.1.0 and 172.16.1.0 are specified in Area 1.
l The router ID of the FW_D is 4.4.4.4. the OSPF process number is 1. Network segment
192.168.2.0 and 172.17.1.0. are specified in Area 2.
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Configure basic OSPF functions (see 5.6.7.1 CLI Example for Configuring Basic OSPF
Functions).
Step 3 Configure the FW_D to import static routes.
# Enter the system view.
<FW_D> system-view
# Set the destination address and outbound interface of the static route to 200.0.0.0 and null0.
[FW_D] ip route-static 200.0.0.0 8 null 0
NOTE
It is recommended to configure the ABR (refers to the FW_A here) with the default-route-advertise no-
summary parameter, thus reducing the size of the routing table of the NSSA router. Other NSSA routers only
need to be configured with the nssa command.
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
NOTE
When the area where the FW_C is located is configured as a nssa area, you see a default route rather
than external routes.
Total Nets: 6
Intra Area: 2 Inter Area: 3 ASE: 1 NSSA: 0
You can see an external route imported by the NSSA area on the FW_D.
----End
Configuration Script
l Configuration script of FW_A
#
sysname FW_A
#
router id 1.1.1.1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa default-route-advertise no-summary
#
security-
policy
rule name
policy_sec_1
source-zone
local
source-zone trust
destination-zone
local
destination-zone trust
action permit
rule name
policy_sec_2
source-zone
trust
destination-zone trust
action permit
#
return
security-
policy
rule name
policy_sec_1
source-zone
local
source-zone trust
destination-zone
local
destination-zone trust
action permit
rule name
policy_sec_2
source-zone
trust
destination-zone trust
action permit
#
return
l Configuration script of FW_C
#
sysname FW_C
#
router id 3.3.3.3
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
ospf 1
import-route static
area 0.0.0.1
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ip route-static 100.0.0.0 255.0.0.0 NULL0
#
security-
policy
rule name
policy_sec_1
source-zone
local
source-zone trust
destination-zone
local
destination-zone trust
action permit
rule name
policy_sec_2
source-zone
trust
destination-zone trust
action permit
#
return
l Configuration script of FW_D
#
sysname FW_D
#
router id 4.4.4.4
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet3/0/0
undo shutdown
ip address 172.17.1.1 255.255.255.0
#
ospf 1
import-route static type 1
area 0.0.0.2
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ip route-static 200.0.0.0 255.0.0.0 NULL0
#
security-
policy
rule name
policy_sec_1
source-zone
local
source-zone trust
destination-zone
local
destination-zone trust
action permit
rule name
policy_sec_2
source-zone
trust
destination-zone trust
action permit
#
return
Networking Requirements
As shown in Figure 5-47, Area 2 does not connect with the backbone area directly. Area 1
serves as a transit area to connect Area 2 and Area 0. A virtual link is configured between the
FW_A and the FW_B.
Area1
FW_A FW_B
GE1/0/0 GE1/0/0
192.168.1.1/24 192.168.1.2/24
GE2/0/0 GE2/0/0
10.1.1.1/8 172.16.1.1/16
Virtual
Area0 Link
Area2
Configuration Roadmap
The configuration roadmap is as follows:
1. Configuring basic OSPF functions on each FW
2. Configuring the virtual connections on the FW_A and the FW_B to connect the
backbone area with the non-backbone
Data Preparation
To complete the configuration, you need the following data:
l The OSPF router ID of the FW_A is 1.1.1.1. The number of its area is Area 0 and Area
1. Network segments 192.168.1.0 and 10.0.0.0 are configured with OSPF.
l The OSPF router ID of the FW_B is 2.2.2.2. The number of its area is Area 1 and Area
2. Network segments 192.168.1.0 and 172.16.0.0 are configured with OSPF.
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Configure OSPF.
# Configure the FW_A and enter the system view.
<FW_A> system-view
# Enable OSPF on the FW_A and set the router ID for the FW_A to 1.1.1.1.
[FW_A] ospf 1 router-id 1.1.1.1
# Enable OSPF on the FW_B and set the router ID for the FW_B to 2.2.2.2.
[FW_B] ospf 1 router-id 2.2.2.2
[FW_B-ospf-1-area-0.0.0.1] quit
Total Nets: 2
Intra Area: 2 Inter Area: 0 ASE: 0 NSSA: 0
NOTE
Area 2 does not connect directly to Area 0. Thus, there is no Area 2 route in the routing table of the
FW_A.
Total Nets: 3
Intra Area: 2 Inter Area: 1 ASE: 0 NSSA: 0
----End
Configuration Script
l Configuration script of FW_A
#
sysname FW_A
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.1.1.1 255.0.0.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet2/0/0
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
vlink-peer 2.2.2.2
#
return
vlink-peer 1.1.1.1
area 0.0.0.2
network 172.16.0.0 0.0.255.255
#
return
Networking Requirements
As shown in Figure 5-48, with the highest priority 100 in the network, the FW_A is elected
as DR. With the second highest priority, the FW_C is elected as BDR. The priority of the
FW_B is 0, so the FW_B cannot be elected as DR. The priority of the FW_D is not
configured and its default value is 1.
GE1/0/0 GE1/0/0
192.168.1.1/24 192.168.1.2/24
GE1/0/0 GE1/0/0
192.168.1.3/24 192.168.1.4/24
FW_C FW_D
Configuration Roadmap
The configuration roadmap is as follows:
1. Configuring the router ID on each FW and enabling OSPF on the specified network
segment
2. Checking the DR/BDR state of each FW when the default priority is used
3. Configuring the DR priority on the interface and checking the DR/BDR state
Data Preparation
To complete the configuration, you need the following data:
l The router ID of the FW_A is 1.1.1.1 and the DR priority is 100.
l The router ID of the FW_B is 2.2.2.2 and the DR priority is 0.
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Enable OSPF.
# Configure the FW_A and enter the system view.
<FW_A> system-view
# Check the neighbor information of the FW_A, you will find the priority of DR and the
neighbor status. Now the FW_D is DR, and the FW_C is BDR.
Step 3 Configure DR priorities on the interfaces.
# Configure the FW_A and enter the system view.
<FW_A> system-view
<FW_C> system-view
NOTE
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.1 Broadcast DR 1 100 192.168.1.1 192.168.1.3
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.2 Broadcast DROther 1 0 192.168.1.1 192.168.1.3
If all neighbors are in Full state, it indicates that the FW_A forms neighboring relationships
with all its neighbors. If the neighbor stays "2-Way", it indicates neither of them are DR or
BDR. Thus, they need not to exchange LSAs.
All other neighbors are DR Others. This indicates that they are neither DR nor BDR.
----End
Networking Requirements
As shown in Figure 5-49:
1. FW_A, FW_B, FW_C, FW_D, and FW_E are interconnected to each other through
OSPF
2. FW_A, FW_B, FW_C, FW_D, and FW_E belong to Area 0.
3. Load balancing is required to transmit the traffic of FW_A to FW_E through FW_C and
FW_D.
Area0
GE1/0/0 GE2/0/0
vRouter_B
GE1/0/0 GE1/0/0
GE2/0/0 GE2/0/0 GE4/0/0
GE4/0/0 GE1/0/0 GE2/0/0
GE3/0/0 FW_C GE3/0/0
vRouter_A vRouter_E
GE1/0/0 GE2/0/0
vRouter_D
POS3/0/0 192.168.2.2/
24
GE4/0/0 172.17.1.1/2
4
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
l For FW_A, the router ID is 1.1.1.1, the OSPF process number is 1, and the network
segment of Area 0 is 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, and 172.16.1.0/24.
l For FW_B, the router ID is 2.2.2.2, the OSPF process number is 1, and the network
segment of Area 0 is 10.1.1.0/8 and 192.168.0.0/8.
l For FW_C, the router ID is 3.3.3.3, the OSPF process number is 1, and the network
segment of Area 0 is 10.1.2.0/8 and 192.168.1.0/8.
l For FW_D, the router ID is 4.4.4.4, the OSPF process number is 1, and the network
segment of Area 0 is 10.1.3.0/8 and 192.168.2.0/8.
l For FW_E, the router ID is 5.5.5.5, the OSPF process number is 1, and the network
segment of Area 0 is 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, and 172.17.1.0/24.
l The number of load balancing paths on FW_A is 2.
l The weight values of the next hop routes from FW_A to FW_B, FW_C, and FW_D are
2, 1, and 1 respectively.
Procedure
Step 1 Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the
interzone security policy. (Omitted)
Step 2 Configure basic OSPF functions. The configuration details are not mentioned here.
NOTE
The maximum number of equal-cost routes varies with products and protocols.
# View the routing table of FW_A. As shown in the routing table, FW_A has only two valid
next hops, 10.1.1.2 (FW_B) and 10.1.2.2 (FW_C). This is because the maximum number of
equal-cost routes is set to 2.
[FW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Pos1/0/0
10.1.1.2/32 Direct 0 0 D 10.1.1.2 Pos1/0/0
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Pos2/0/0
10.1.2.2/32 Direct 0 0 D 10.1.2.2 Pos2/0/0
10.1.3.0/24 Direct 0 0 D 10.1.2.1 Pos3/0/0
10.1.3.2/32 Direct 0 0 D 10.1.2.2 Pos3/0/0
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Pos1/0/0
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Pos2/0/0
192.168.2.0/24 OSPF 10 2 D 10.1.2.2 Pos3/0/0
172.17.1.0/24 OSPF 10 3 D 10.1.1.2 Pos1/0/0
OSPF 10 3 D 10.1.2.2 Pos2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
As shown in the display, the priority of the route with the next hops being 10.1.2.2 and
10.1.3.2 is higher than that of the route with the next hop being 10.1.1.2. Thus, FW_A has
only two valid next hops, 10.1.2.2 (FW_C) and 10.1.3.2 (FW_D).
----End
5.6.8.1 Specifications
This section describes the specifications of OSPF.
Function Specifications
Function Description Supported or Not
Totally stub area Allows type 3 default routes Supported by all models.
released by the ABR, but
not routes outside the
autonomous system or
between areas.
Using routing policies to ACLs and prefix lists can be Supported by all models.
filter routes used to filter OSPF routes.
Importing external routes Imports direct, static, OSPF, Supported by all models.
and BGP routes to the OSPF
routing table.
No mask check for Allows neglecting the masks Supported by all models.
neighbors on point-to- in Hello packets when
multipoint networks establishing OSPF neighbor
relationships on point-to-
multipoint networks to
enhance network flexibility.
Using timers to control the Reduces external route Supported by all models.
calculation of external routes calculation workload to
enhance system efficiency.
Releasing host routes Generates host links for Supported by all models.
loopback interfaces to
release host routes, but not
subnet routes.
Allows filling the interface Filling the interface MTU Supported by all models.
MTU field in DD packets. field in DD packets leads to
the reestablishment of
neighbor relationships.
Performance Specifications
Function Specifications
Function Specifications
5.7 OSPFv3
By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of routers.
5.7.1 Overview
OSPF version 3 (OSPFv3) is a routing protocol based on link status. Compared with distance
vector-based routing protocols, OSPFv3 delivers a higher convergence rate and supports
larger networks.
Definition
OSPF is an interior gateway protocol developed by the Internet Engineering Task Force
(IETF) on the basis of link status.
Objective
OSPFv3 is a routing protocol independent of all specific network layers. To achieve the goal,
OSPFv3 router information is re-designed.
l OSPFv3 does not insert IP address-based data in packet headers in data packets and link-
state advertisements (LSAs).
l OSPFv3 utilizes information independent of network protocols to carry out key tasks
that originally require the header data of an IP packet. The tasks include identifying and
advertising LSAs that contain routing data.
5.7.2 Mechanism
This section describes OSPFv3 mechanism.
Running on IPv6, OSPFv3 (defined in RFC 2740) is an independent routing protocol whose
functions are enhanced on the basis of OSPFv2.
l OSPFv3 and OSPFv2 are the same in respect of the working principles of the Hello
message, state machine, link-state database (LSDB), flooding, and route calculation.
l OSPFv3 divides an Autonomous System (AS) into one or more logical areas and
advertises routes through LSAs.
l OSPFv3 achieves unity of routing information by exchanging OSPFv3 packets between
routers within an OSPFv3 area.
l OSPFv3 packets are encapsulated into IPv6 packets, which can be transmitted in unicast
or multicast mode.
Hello message Hello messages are sent regularly to discover and maintain
OSPFv3 neighbor relationships.
Link State Request LSR packets are sent to the neighbor to request the required
(LSR) packet LSAs.
An OSPFv3 router sends LSR packets to its neighbor only
after they exchange DD packets.
Link State Update (LSU) The LSU packet is used to transmit required LSAs to the
packet neighbor.
Link State The LSAck packet is used to acknowledge the received LSA
Acknowledgment packets.
(LSAck) packet
LSA Type
Link-LSA(Type8) Each router generates a link LSA for each link. A link LSA
describes the link-local address and IPv6 address prefix
associated with the link and the link option set in the network
LSA. It is transmitted only on the link.
Router Type
Area4
Area1
Backbone Router
Internal Router Area0
Area2
Area3
ABR
Internal router All interfaces on an internal router belong to the same OSPFv3
area.
Area border router An ABR can belong to two or more areas, but one of the areas
(ABR) must be a backbone area.
An ABR is used to connect the backbone area and the non-
backbone areas. It can be physically or logically connected to
the backbone area.
AS boundary router A router that exchanges routing information with other ASs is
(ASBR) called an ASBR.
An ASBR may not locate on the boundary of an AS. It can be
an internal router or an ABR. If an OSPFv3 router imports the
external routing information, the router is an ASBR.
Type1 external routes Because of the high reliability of Type 1 external routes, the
calculated cost of external routes is equal to that of AS internal
routes, and can be compared with the cost of OSPFv3 routes.
That is, the cost of a Type1 external route equals the cost of the
route from the router to the corresponding ASBR plus the cost
of the route from the ASBR to the destination address.
Type2 external routes Because of the low reliability of Type2 external routes, the cost
of the route from the ASBR to a destination outside the AS is
considered far greater than the cost of any internal path to an
ASBR.
Therefore, OSPFv3 only takes the cost of the route from the
ASBR to a destination outside the AS into account when
calculating route costs. That is, the cost of a Type2 external
route equals the cost of the route from the ASBR to the
destination of the route.
Area
When a large number of routers run OSPFv3, link state databases (LSDBs) become very large
and require a large amount of storage space. Large LSDBs also complicate shortest path first
(SPF) computation and are computationally intensive for the routers. Network expansion
causes the network topology to change, which results in route flapping and frequent OSPFv3
packet transmission. When a large number of OSPFv3 packets are transmitted on the network,
bandwidth usage efficiency decreases. Each change in the network topology causes all routers
on the network to recalculate routes.
OSPFv3 resolves this problem by partitioning an AS into different areas. An area is regarded
as a logical group, and each group is identified by an area ID. A router, not a link, resides at
the border of an area. A network segment or link can belong only to one area. An area must be
specified for each OSPFv3 interface.
OSPFv3 areas include common areas, stub areas, and not-so-stubby areas (NSSAs), as
described in Table 5-46.
Common By default, OSPFv3 areas are defined l The backbone area must
area as common areas. Common areas have all its devices
include: connected.
l Standard area: transmits intra-area, l All non-backbone areas must
inter-area, and external routes. remain connected to the
l Backbone area: connects to all other backbone area.
OSPFv3 areas and transmits inter-
area routes. The backbone area is
represented by area 0. Routes
between non-backbone areas must
be forwarded through the backbone
area.
Stub area A stub area is a non-backbone area with l The backbone area cannot be
only one ABR and generally resides at configured as a stub area.
the border of an AS. The area border l An autonomous system
router (ABR) in a stub area does not boundary router (ASBR)
transmit received AS external routes, cannot exist in a stub area.
which significantly decreases the Therefore, AS external
number of entries in the routing table routes cannot be advertised
on the ABR and the amount of routing within the stub area.
information to be transmitted. To
ensure the reachability of AS external l A virtual link cannot pass
routes, the ABR in the stub area through a stub area.
generates a default route and advertises
the route to non-ABRs in the stub area.
A totally stub area allows only intra-
area routes and ABR-advertised Type 3
link state advertisements (LSAs)
carrying a default route to be advertised
within the area.
Non-broadcast Multiple If the link layer protocol is frame relay, ATM, or X.25, OSPFv3
Access (NBMA) defaults the network type to NBMA.
In this type of networks, protocol packets such as Hello
messages, DD packets, LSR packets, LSU packets, and LSAck
packets, are transmitted in unicast mode.
Point-to-Multipoint Regardless of the link layer protocol, OSPFv3 does not default
(P2MP) the network type to P2MP. A P2MP network must be forcibly
changed from other network types. The common practice is to
change a non-fully connected NBMA to a P2MP network.
In this type of networks, the following situations occur:
l Hello messages are transmitted in multicast mode with the
multicast address as FF02::5.
l Other protocol packets, including DD packets, LSR packets,
LSU packets, and LSAck packets, are transmitted in unicast
mode.
Point-to-point (P2P) If the link layer protocol is PPP, HDLC, or LAPB, OSPFv3
defaults the network type to P2P.
In this type of network, the protocol packets, including Hello
messages, DD packets, LSR packets, LSU packets, and LSAck
packets, are transmitted to the multicast address FF02::5.
An ABR can summarize routes with the same prefix into one route and advertise the
summarized route in other areas.
When sending routing information to other areas, an ABR generates Type 3 LSAs based
on IPv6 prefixes. If consecutive IPv6 prefixes exist in an area and route summarization is
enabled on the ABR of the area, the IPv6 prefixes can be summarized into one prefix. If
there are multiple LSAs that have the same prefix, the ABR summarizes these LSAs and
advertises only one summarized LSA. The ABR does not advertise any specific LSAs.
l Route summarization on an ASBR
An ASBR can summarize imported routes with the same prefix into one route and then
advertise the summarized route to other areas.
After being enabled with route summarization, an ASBR summarizes imported Type 5
LSAs within the summarized address range. After route summarization, the ASBR does
not generate a separate Type 5 LSA for each specific prefix within the configured range.
Instead, the ASBR generates a Type 5 LSA for only the summarized prefix. In an NSSA,
an ASBR summarizes multiple imported Type 7 LSAs within the summarized address
range into one Type 7 LSA.
l A virtual link must be set up on both ends of the link; otherwise, it does not take effect.
l The transmit area refers to the area that provides an internal route of a non-backbone
area for both the ends of the virtual link.
In actual applications, the physical connectivity between non-backbone areas and the
backbone area cannot be ensured owing to various limitations. To solve this problem, you can
configure OSPFv3 virtual links.
The virtual link is similar to a point-to-point connection between two ABRs. Similar to
physical interfaces, the interfaces on the virtual link can be configured with parameters such
as the hello interval.
Area0 Area2
Virtual Link
ABR Area1 ABR
Transit Area
As shown in Figure 5-51, OSPFv3 packets transmitted between two ABRs are only
forwarded by the OSPFv3 devices that reside between the two ABRs. The OSPFv3 devices
detect that they are not the destinations of the packets, so they forward the packets as common
IP packets.
OSPFv3 Multi-process
OSPFv3 supports multi-process. More than one OSPFv3 process can run on the same router
because processes are independent of each other. Route interaction between different OSPFv3
processes is similar to the route interaction between different routing protocols.
An interface of a router belongs to only a certain OSPFv3 process.
When a new router is deployed in the network or a router is restarted, the network traffic may
be lost during BGP convergence. This is because IGP convergence is quicker than BGP
convergence. This problem can be solved through the association between OSPFv3 and BGP.
If a router on a BGP network recovers from a fault, BGP convergence is performed again and
certain packets may be lost during the convergence.
As shown in Figure 5-52, traffic from RouterA to RouterD traverses a BGP network.
If a fault occurs on RouterC, traffic is redirected to RouterB after rerouting. Packets are lost
when RouterC is restored to the normal status.
Therefore, when the packets destined for RouterD are transmitted from RouterA to RouterC,
they are discarded by RouterC because RouterC has no route to RouterD, as shown in Figure
5-53.
Figure 5-53 Packet loss during the restart of the device not enabled with association between
OSPFv3 and BGP
When a router enabled with association between OSPFv3 and BGP restarts, the router
advertises a message in the local OSPFv3 area to instruct other routers not to use it as a transit
router. At the same time, the router sets the largest weight value of 65535 in its LSAs to
ensure that it is not used by other routers as the transit router. The BGP route, however, can
still reach the router.
5.7.2.4 OSPFv3 GR
Graceful restart (GR) is a technology used to ensure normal traffic forwarding when a routing
protocol restarts and guarantee that key services are not affected in the process.
GR is one of the high availability (HA) technologies, which comprise a series of
comprehensive technologies such as fault-tolerant redundancy, link protection, faulty node
recovery, and traffic engineering. As a redundancy technology, GR is widely used to ensure
uninterrupted forwarding of key data in active/standby switchover and system upgrade.
If GR is not enabled, the active/standby switchover occurring owing to various causes leads to
transient interruption of data forwarding, and as a result, route flapping occurs on the whole
network. Such route flapping and service interruption are unacceptable on a large-scale
network, especially on a carrier network.
In GR mode, the forwarding plane continues to direct data forwarding once a restart occurs,
and the actions no the control plane, such as reestablishment of neighbor relationships and
route calculation, do not affect the forwarding plane. In this manner, service interruption
caused by route flapping is prevented so that the network reliability is improved.
Basic Concepts
l Grace LSA
– OSPFv3 supports GR by flooding grace LSAs on the link.
– Grace LSAs are used to inform the neighbor of the GR time, cause, and interface
instance ID when GR starts and ends.
l Router function
– A router can function as a GR restarter.
– A router can function as a GR helper.
l GR implementation
– Planned-GR: This refers to the smooth restart of OSPFv3 through the reset ospfv3
graceful-restart command. In this mode, a grace LSA is sent to the neighbor
before the restart.
– Unplanned-GR: This refers to the active/standby switchover triggered by
commands or the restart or active/standby switchover because of router faults.
Unlike planned-GR, no grace LSA is sent before the active/standby switchover in
unplanned GR mode. Instead, the switchover is directly performed. When the
standby board becomes Up, a grace LSA is sent and the GR process starts. The
following procedure is the same as that of planned GR.
GR Process
Restarter Helper
Restarter the
Grace-LSA
OSPFv3 process in
GR mode and enter Enter the Helper state
the GR state
LSAck
Responds to
LSAs with LSAcks
Restarter Helper
Grace-LSA
Mster/slave
Switchover is complete Enter the Helper state
LSAck
Responds to
LSAs with LSAcks
l On the GR restarter:
a. In planned-GR mode, when OSPFv3 is restarted through commands, the GR
restarter sends a grace LSA to all neighbors to inform them of the start of a GR
process and the period and cause of this process.
In unplanned GR mode, when a restart occurs after active/standby switchover or
owing to other causes other than commands, a grace LSA is sent to each neighbor
immediately after the standby board is Up to inform the neighbors of the start of a
GR process and the period and cause of the process.
b. The GR restarter performs negotiation with neighbors again to set up new neighbor
relationships.
c. When all the neighbor relationships between the GR restarter and the original
neighbors enter the Full state:
n The GR restarter exits from the GR process and OSPFv3 recalculates routes.
n The GR restarter updates the routing table on the main control board and the
FIBs on interface boards and deletes invalid routing entries.
n The GR restarter sends a grace LSA whose aging time is 3600 seconds to
instruct the GR helper to exit from the GR process.
Now, the GR process is complete.
d. If errors occur, the GR timer expires, or the neighbor relationship fails to enter the
Full state during a GR process, the GR restarter exits from the process and OSPFv3
is restarted in non-GR mode. In this case, packets are lost.
l On the GR helper:
a. If a router is configured to support the GR process on its neighbor, the router enters
the helper mode after receiving a grace LSA.
b. The GR helper maintains its neighbor relationship with the GR restarter, and the
status of the neighbor relationship does not change.
c. If the GR helper continues to receive grace LSAs whose GR period is different
from that on the GR helper, the GR helper updates its GR period.
d. Being informed of the successful GR process through a grace LSA whose aging
time is 3600 seconds from the GR restarter, the GR helper exits from the GR
process.
e. If errors occur during a GR process, the GR helper exits from the helper state and
deletes invalid routes after route calculation.
Table 5-48 Comparison between the GR mode and the non-GR mode
Active/Standby Switchover in Non-GR Active/Standby Switchover in GR
Mode Mode
Enabling IPv6
Choose Dashboard > System Information and enable IPv6 globally to allow the FW to
forward IPv6 packets.
Parameter Description
SPF Delay Time Delay time after which SPF calculation is performed even
though OSPFv3 receives network change notifications.
Each time the OSPFv3 link state database (LSDB) changes, a
router re-calculates the shortest path, which consumes many
network resources and adversely affects router efficiency. To
address the problems, set the SPF calculation and suppression
time.
Parameter Description
----End
Step 3 In the OSPFv3 Process ID:ID navigation tree, choose Basic Configuration > Area Settings.
Parameter Description
Default Cost Cost of the default routes sent to a stub area using OSPFv3.
This parameter is set when you set Area Type to Stub.
Stub Area Configuration Enable a stub area to be a totally stub area and deny Type 3
LSAs from entering the stub area that connects to the ABR,
which reduces the number of LSAs sent to the stub area.
Configure this parameter when you set Area Type to Stub.
----End
Step 3 In the OSPFv3 Process ID:ID navigation tree, choose Basic Configuration > Interface
Settings.
Step 4 Click Add.
MTU Check Clear the check box to disable the MTU check for DD packets.
If there are a few LSAs, the MTU value is unnecessary to
check; therefore, you can configure to ignore the MTU check
for DD packets to improve performance.
If the MTU values on both ends of a link are different,
configure this parameter to help correctly establish an OSPFv3
neighbor relationship.
Advanced Settings
DR Priority DR priority for the OSPFv3 interface. When the network type
is broadcast or NBMA, set the interface DR priority to affect
the DR/BDR selection on the network.
A larger value allows for a higher DR priority. If the priority
value is set to 0, the interface does not participate in DR
selection.
Parameter Description
----End
Step 3 In the OSPFv3 Process ID:ID navigation tree, choose Advanced Settings > Route Import.
----End
Context
OSPFv3 supports multiple processes. Multiple OSPFv3 processes running on one device are
differentiated by process IDs. OSPFv3 process ID is set when OSPFv3 is enabled and is only
locally valid. It does not affect the packet exchange with other routers.
In the format of an IPv4 address, a router ID is a 32-bit unsigned integer that uniquely
identifies a router within an AS. The router ID of OSPFv3 must be manually set. If no router
ID is set, OSPFv3 fails to run normally.
When manually setting the router ID, ensure that the router IDs of any two devices in an AS
are different. When multiple processes are enabled on a device, it is necessary to specify a
unique route ID for each process.
To ensure the stable running of OSPFv3, you need to allocate router IDs and set them in
network planning.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ]
OSPFv3 is enabled and the OSPFv3 view is displayed.
Step 3 Run:
router-id router-id
A router ID is set.
----End
Context
After enabling OSPFv3 in the system view, you need to enable OSPFv3 on the interface.
Procedure
Step 1 In the user view, run:
system-view
NOTE
When the routes to the network of the loopback interface are advertised by using OSPFv3, the prefixes
of the routes are advertised as 128-bit prefixes, regardless of the configured prefix of the loopback
address.
Step 4 Run:
ospfv3 network-type { broadcast | nbma | p2mp [ non-broadcast ] | p2p } [ instance
instance-id ]
The network type is configured of an interface.
When an interface supports multi-instances, you must specify the value of instance-id when
enabling OSPFv3 on the interface. If the value of instance-id is not specified, the default value
0 is adopted. In this case, the configured network type of an interface mismatches the actual
network type of the interface. This step is mandatory in such a case.
----End
Context
You must configure the devices in the same area based on the area. Otherwise, the neighbor
devices cannot exchange information with each other. The congestion of routing information
or routing loop is therefore caused.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ]
OSPFv3 is enabled and the OSPFv3 view is displayed.
Step 3 Run:
area area-id
The area ID can be a decimal integer or in the IPv4 address format, but it is displayed in the
IPv4 address format.
An OSPFv3 area cannot be deleted directly. Only after all the configurations in the area view
are removed and the status of the related interfaces in this area become Down, this area is
automatically removed.
----End
Context
To reduce the number of LSAs in the network and enhance OSPFv3 extensibility, define
OSPFv3 areas. For some non-backbone areas at the edge of ASs, you can define them as stub
areas for further reducing the size of the routing table and the number of LSAs.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ospfv3 [ process-id ]
Step 3 Run:
area area-id
Step 4 Run:
stub [ no-summary ]
default-cost cost
The cost value of the default route sent to the Stub area is specified.
By default, the cost of the default route sent to the Stub area is set to 1.
You should set the cost of the default route sent to the Stub area only on the ABR in the Stub
area. In addition, the specified parameter no-summary of the stub command only takes effect
on the ABR. If parameter no-summary is specified, the ABR only sends the Summary-LSA
of a default route to the area, and does not generate other Summary-LSAs. An area without
AS-external-LSAs and Summary-LSAs is called a Totally Stub area.
----End
Context
NSSAs are introduced because stub areas cannot import external routes. An NSSA allows the
transmission of Type 7 LSAs, which are generated by ASBRs in an NSSA. When reaching the
ABR that is responsible for converting Type 7 LSAs into Type 5 LSAs in the NSSA, Type 7
LSAs with the P-bit being set and the forwarding address being a non-zero address are
converted to AS-external LSAs and advertised to other areas.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ospfv3 [ process-id ]
Step 3 Run:
area area-id
Step 4 Run:
nssa [ default-route-advertise [ cost cost | type type | tag tag ] * | no-import-route | no-
summary | translator-always | translator-interval translator-interval | set-n-bit ] *
To connect routers to an NSSA, you need to run the nssa command to configure NSSA
attributes for the area to which the routers belong.
The area may be updated after NSSA attributes are configured or deleted. Thus, the NSSA
attributes can be re-configured or deleted only after the last update of NSSA attributes is
complete.
----End
Context
Similar to OSPFv2, OSPFv3 defines that the route information of non-backbone areas must
be transmitted through backbone areas. To configure OSPFv3, comply with the following
principles:
l All non-backbone areas are connected with backbone areas.
l The connectivity of the backbone area must be kept.
In actual applications, the previous principles cannot be complied with due to various
restrictions. In this case, you can solve this problem by configuring virtual links.
Corresponding to the previous two principles, virtual links can be applied in the following
cases:
l Connecting an area to the backbone area through the non-backbone area
l Connecting to the segmented backbone area through the non-backbone area
NOTICE
To configure virtual links, comply with the following principles:
l Virtual links must be configured between two ABRs.
l The Transmit area cannot be the Stub area.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
Step 3 Run:
area area-id
----End
Context
If multiple continuous network segments exist in this area, use the abr-summary command to
summarize them into one network segment. In this way, the ABR only sends an LSA after
summarization. No LSA that belongs to the summarization network segment is separately
transmitted, therefore reducing the LSDB size of other areas.
When a large number of routes are imported, use the asbr-summary command to summarize
the imported routes and set the delay for advertising the summarized route. In this manner, the
summarized route advertised each time contains more valid routing information, and network
flapping caused by incorrect routing information is avoided.
Procedure
l Configure route summarization on an ABR.
Perform the following steps on the ABR that runs OSPFv3:
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
area area-id
The OSPFv3 area view is displayed.
d. Run:
abr-summary ipv6-address prefix-length [ cost cost | not-advertise ] *
Route summarization is configured in the OSPFv3 area.
cost cost set the cost of a summarized route. By default, the cost of a summarized
route is the maximum cost among those of routes that are summarized. The value
ranges from 1 to 16777214.
If not-advertise is set, no routing information of the network segment is advertised.
l Configure route summarization on an ASBR.
Perform the following steps on the ASBR that runs OSPFv3:
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
asbr-summary ipv6-address summary-prefix-length [ cost summary-cost | tag
summary-tag | distribute-delay dist-delay-interval | not-advertise ] *
Route summarization is configured on the ASBR.
cost cost specifies the cost of a summarized route. By default, the cost of a
summarized route is the maximum cost among those of routes that are summarized.
The value ranges from 1 to 16777214.
tag tag specifies the tag used to control route advertisement. The value of this
parameter ranges from 1 to 4294967295.
If not-advertise is specified in the command, the summarized IPv6 route that
matches a specified IPv6 prefix or prefix length is not advertised.
distribute-delay interval specifies the delay for advertising a summarized route.
----End
Context
After receiving LSAs, OSPFv3 determines whether to add the calculated routes to the local
routing table according to the filtering policy.
Procedure
Step 1 Run:
system-view
----End
Context
OSPFv3 is a routing protocol based on link status, the advertised LSAs cannot be filtered
directly. Therefore, LSAs can only be filtered when OSPFv3 imports routes, and only the
routes matching the conditions can be changed into LSAs and advertised.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
Step 3 Run:
l cost: Indicates the cost of the imported route. The value is an integer ranging from 0 to
16777214.
l type: Indicates the type of the imported route. The value is 1 or 2.
import-route bgp [ permit-ibgp ] [ { cost cost | inherit-cost } | type type | tag tag | route-
policy route-policy-name ] *
NOTE
default-route-advertise [ always | cost cost | type type | tag tag | route-policy route-policy-
name [ match-any ] ] *
If the import-route command is executed on the OSPFv3 router to import external routing
information, the OSPFv3 router turns into the ASBR.
You can specify parameter protocol to filter the routing information of a certain type. If
parameter protocol is not specified, all the imported routing information of OSPFv3 is
filtered.
NOTE
The filter-policy export command only takes effect when the import-route command is executed on
the local device to import routes (that is, when the local OSPFv3 router turns into the ASBR). The
device filters the routes when OSPF imports them. The routes filtered out cannot be turned into LSAs
and advertised by OSPF. If the import-route command is not executed to import external routes
(including the OSPFv3 routes of different processes), the filter-policy export command is invalid.
----End
Context
After filtering conditions are set for the incoming or outgoing Type 3 LSAs (Inter-Area-Prefix
LSAs) in an area, only the Type 3 LSAs that meet the filtering conditions can be received or
advertised.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ] [ vpn-instance vpn-instance-name ]
OSPFv3 is enabled and the OSPFv3 view is displayed.
Step 3 Run:
area area-id
The OSPFv3 area view is displayed.
Step 4 Filter incoming or outgoing Type 3 LSAs in the area.
l Filter incoming Type 3 LSAs in the area
Run:
filter { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name }
import
The filter incoming Type 3 LSAs in the area are filtered.
l Filter outgoing Type 3 LSAs in the area
Run:
filter { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name }
export
The filter outgoing Type 3 LSAs in the area are filtered.
----End
Context
You can control route calculation by setting the link cost of OSPFv3 on different interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospfv3 cost cost [ instance instance-id ]
The cost of the OSPFv3 interface is specified.
By default, the cost value of the OSPFv3 interface is 1.
----End
Context
The FW supports multi-route mode, In the multi-route mode, multiple routes to the same
destination can enjoy the same priority. If no other routes to the same destination enjoy higher
priority, all the routes are accepted. The HASH algorithm is applied to select a route among
others to transfer the packets based on the source and destination IP addresses of the packets.
As a result, the load on the network is in a balance.
Setting the maximum number of equal-cost routes can restrict the number of equal-cost routes
adding to the routing table.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
Step 3 Run:
maximum load-balancing number
The maximum number of equal-cost routes is specified.
When the number of equal-cost routes is greater than number specified in the maximum
load-balancing command, valid routes are selected for load balancing based on the following
criteria:
1. Route preference: Routes with lower preferences are selected for load balancing. For
details about route preference configuration, see Step 4.
2. Interface index: If routes have the same priorities, routes with higher interface index
values are selected for load balancing.
3. Next hop IP address: If routes have the same priorities and interface index values, routes
with larger IP address are selected for load balancing.
Step 4 (Optional) Run:
nexthop router-id interface-type interface-number weight value
The route preferences are configured for load balancing.
To specify valid routes for load balancing, run the nexthop command to set the route
preference. Ensure that the preferences of valid routes to be used must be high.
The smaller the weight value, the higher the preference of the route. The default weight value
is 255, which indicates that load balancing is implemented regardless of the route preferences.
----End
Context
Hello packets are periodically sent to the neighbor router to detect and maintain the neighbor
relationship and to elect the DR and the BDR. RFC 2328 requires that the Hello timer values
of neighbors be consistent. The value of the Hello timer is inversely proportional to the route
convergence speed and network load.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospfv3 timer hello interval [ instance instance-id ]
The interval for sending Hello packets is set on the interface.
----End
Context
If a router does not receive any Hello packet from its neighbor during a specified period, the
neighbor router is considered invalid. The specified period is called the dead time of the
neighbor relationship. The dead time must be at least four times the Hello interval on an
interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
The value of seconds must be greater than the time taken to transmit a packet between two
routers.
NOTE
Do not set a value which is too small, for the interval between LSA retransmissions. Otherwise,
unnecessary retransmissions may occur.
----End
Context
The LSA ages out in the LSDB of a local router instead of in the transmission process. You
need to set the delay for an LSA before sending it. For a low-speed network, this
configuration is necessary.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospfv3 trans-delay interval [ instance instance-id ]
The delay in transmitting LSAs on the interface is set.
----End
Context
Whenever the LSDB of OSPFv3 changes, the shortest path should be recalculated.
Calculating the shortest path each time the LSDB changes consumes enormous resources and
lowers the efficiency of a router.
Adjusting the SPF delay and hold interval can suppress frequent network changes to avoid
resource consumption.
Procedure
l Configure an SPF normal timer.
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
spf timers delay-interval hold-interval
An SPF normal timer is configured.
l Configure an SPF intelligent timer.
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
spf-schedule-interval { delay-interval hold-interval | intelligent-timer max-
interval start-interval hold-interval-1
An SPF intelligent timer is configured.
NOTE
An SPF normal timer and an SPF intelligent timer are mutually exclusive.
----End
Context
When a network is unstable, control the minimum interval for receiving the same LSA
update. To prevent unnecessary LSA updates caused by network changes, by default, set the
interval for receiving the same LSA update to 1000 ms.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
lsa-arrival-interval arrival-interval
----End
Context
Setting the millisecond-level interval for generating the same LSA speeds up network
convergence. When a network becomes unstable, reduce the interval for generating the same
LSA by using an intelligent timer.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ospfv3 [ process-id ]
Step 3 Run:
----End
Context
You can use the import command to import a direct route when advertising the direct route
on a router. In this way, however, External LSA is generated, and the direct route is advertised
to the entire AS (except the Stub area), with severe influence.
To restrict the direct route advertising, you can enable OSPFv3 on the interface, and run the
silent-interface command, lest that a Hello packet is sent on the interface to establish the
neighbor relationship. In this way, the direct route is advertised as an intra-area route, which
greatly decreases the capacity of the routing table in the OSPFv3 routing area. Moreover, a
Hello packet cannot be sent between interfaces to establish the neighbor relationship, which
lessens the processing capability load of the router and CPU.
When the interface running OSPFv3 is configured in Silent state, the direct route of the
interface can be advertised as the Intra-Area-Prefix-LSA by the same router, but the OSPFv3
neighbor relationship is not established on the interface. This feature improves the networking
adaptability of OSPFv3.
Different processes can suppress the same interface from sending and receiving OSPFv3
packets, but the silent-interface command is valid only for the OSPFv3 interface on which
the specified process is enabled, and does not take effect on the interface of other processes.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
Step 3 Run:
silent-interface interface-type interface-number
The interface is suppressed from receiving and sending OSPFv3 packets.
----End
Context
On broadcast and NBMA networks, if the neighbor relationship is established between every
two routers, a large number of unnecessary LSAs is generated on the networks, thus severely
affecting network performance.
To avoid this problem, you can elect specified routers respectively as the Designated Router
(DR) and Backup Designated Router (BDR). The other routers on the network are called
DROthers.
The following functions are implemented through DR/BDR election:
l A DROther only establishes neighbor relationships with the DR and BDR, and sends
data-updating packets to the DR and BDR in multicast mode.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ospfv3 dr-priority priority [ instance instance-id ]
The DR priority of the interface is specified.
By default, the DR priority of the interface is set to 1.
The DR priority of a router interface affects the qualification of the interface for the election
of the DR. The router whose priority is 0 is not elected as the DR or BDR.
----End
Follow-up Procedure
After the DR priority is changed, you can re-elect a DR or BDR through the following
methods, which, however, will result in the interruption of the OSPFv3 neighbor relationship
between routers and therefore are used only when necessary.
l Restarting all routers.
l Running the shutdown and undo shutdown commands on the interface on which the
OSPFv3 neighbor relationship is set up.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
Step 3 Run:
NOTE
There is no correlation between the stub router configured through this command and the router in the
stub area.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
After the command is used, the interface does not check the MTU field of a received DD
packet.
----End
Context
OSPFv3 supports keychain and HMAC-SHA256 authentications. The following procedure
uses keychain authentication as an example.
Before you configure keychain authentication, run the keychain command to configure a
keychain, the key-id command to configure a key ID, the key-string command to configure a
password, and the algorithm command to configure an algorithm. If these commands are not
run, OSPFv3 authentication fails.
NOTE
By default, authentication is not configured for OSPF process, area or interface. Configuring
authentication is recommended to ensure system security.
Procedure
l Configure OSPFv3 area authentication.
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
area area-id
The OSPFv3 area view is displayed.
d. Run:
authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ]
cipher-text } | keychain keychain-name }
OSPFv3 area authentication is configured.
NOTE
If you use OSPFv3 area authentication, the authentication and password configurations on
all routers in the same area must be the same.
l Configure OSPFv3 process authentication.
a. Run:
system-view
The system view is displayed.
b. Run:
ospfv3 [ process-id ]
The OSPFv3 view is displayed.
c. Run:
authentication-mode { hmac-sha256 key-id key-id { plain plain-text | [ cipher ]
cipher-text } | keychain keychain-name }
NOTE
----End
Context
To prevent route flapping and service interruption due to the restart of OSPFv3, you can
enable OSPFv3 GR.
After OSPFv3 restarts, the GR restarter and the GR helper keep the neighbor relationship,
exchange routing information, synchronize the database, and update the routing table and the
forwarding table. OSPFv3 fast convergence is therefore realized.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospfv3 [ process-id ]
Step 3 Run:
OSPFv3 GR is enabled.
ack-time is optional. After ack-time is specified, the restarter can discover more neighbors in
the time period.
Step 4 Run:
----End
Context
When multiple OSPFv3 processes are enabled, you can configure OSPFv3 MIB to select the
process to be processed, that is, that is, configure OSPFv3 MIB to select the process to which
it is bound.
Procedure
Step 1 Run:
system-view
Step 2 Run:
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
To enable the traps of one or more events, you can specify type-name.
Step 3 Run:
----End
Viewing OSPFv3
Operation Command
Check the LSDB of display ospfv3 [ process-id ] lsdb [ area area-id ] [ originate-
an OSPFv3 process. router advertising-router-id | self-originate ] [ { router | network
| inter-router [ asbr-router asbr-router-id ] | { inter-prefix |
nssa } [ ipv6-address prefix-length ] | link | intra-prefix | grace }
[ link-state-id ] ]
Operation Command
Resetting OSPFv3
NOTICE
OSPFv3 statistics cannot be restored after they are cleared. Exercise caution when running the
reset command.
Networking Requirements
As shown in Figure 5-56, an enterprise deploys FWs to connect to the research and
development, marketing, and financial departments respectively. The enterprise also deploys a
FW on the network border as a security gateway to connect the intranet to the IPv6 network
through an ISP network.
l OSPFv3 runs on the intranet to implement connectivity between IPv6 devices across
departments.
l Routers in the department belong to a totally stub area. These routers can only use a
default route to access the IPv6 network. They cannot learn external area routes. The
totally stub area minimizes external routing information distribution and improves router
performance and Research network quality.
l FW_A and the ISP router establish an OSPFv3 neighbor relationship so that FW_A can
learn IPv6 network routes.
l Devices in all departments can access the IPv6 network through the ISP router.
Trust
Finance
2001::/64
Area1 GE1/0/3
2001::1/64
FW_B
Trust Untrust Trust Untrust
GE1/0/1
2000::2/64
FW_D FW_A
GE1/0/3
2003::1/64
Area3
Marketing
2003::/64
Trust
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure FW_A.
1. Configure an IPv6 address for each interface and assign interfaces to specific security
zones.
# Configure an IPv6 address for each interface.
<FW> system-view
[FW] sysname FW_A
[FW_A] ipv6
[FW_A] interface gigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/0] ipv6 enable
[FW_A-GigabitEthernet1/0/0] ipv6 address 3000::1/64
[FW_A-GigabitEthernet1/0/0] quit
[FW_A] interface gigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ipv6 enable
[FW_A-GigabitEthernet1/0/3] ipv6 address 2001::1/64
[FW_A-GigabitEthernet1/0/3] quit
2. Configure an interzone security policy to allow devices to exchange OSPFv3 packets and
the R&D, marketing, and finance departments to access the IPv6 network.
NOTE
This section provides only required security policy parameters. Set other security policy parameters as
required.
[FW_A] security-policy
[FW_A-policy-security] rule name policy_sec_1
[FW_A-policy-security-rule-policy_sec_1] source-zone local trust
[FW_A-policy-security-rule-policy_sec_1] destination-zone local trust
[FW_A-policy-security-rule-policy_sec_1] action permit
[FW_A-policy-security-rule-policy_sec_1] quit
[FW_A-policy-security] rule name policy_sec_2
[FW_A-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_A-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_A-policy-security-rule-policy_sec_2] action permit
[FW_A-policy-security-rule-policy_sec_2] quit
[FW_A-policy-security] rule name policy_sec_3
[FW_A-policy-security-rule-policy_sec_3] source-zone trust
[FW_A-policy-security-rule-policy_sec_3] destination-zone untrust
[FW_A-policy-security-rule-policy_sec_3] source-address 2001:: 64
[FW_A-policy-security-rule-policy_sec_3] source-address 2002:: 64
3. Configure OSPFv3.
# Enable OSPFv3 and set the router ID to 1.1.1.1.
[FW_A] ospfv3
[FW_A-ospfv3-1] router-id 1.1.1.1
[FW_A-ospfv3-1] quit
2. Configure an interzone security policy to allow devices to exchange OSPFv3 packets and
the finance department to access the R&D department, marketing department, and IPv6
network.
NOTE
This section provides only required security policy parameters. Set other security policy parameters as
required.
[FW_B] security-policy
[FW_B-policy-security] rule name policy_sec_1
[FW_B-policy-security-rule-policy_sec_1] source-zone local trust
[FW_B-policy-security-rule-policy_sec_1] destination-zone local trust
[FW_B-policy-security-rule-policy_sec_1] action permit
[FW_B-policy-security-rule-policy_sec_1] quit
[FW_B-policy-security] rule name policy_sec_2
[FW_B-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_B-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_B-policy-security-rule-policy_sec_2] action permit
[FW_B-policy-security-rule-policy_sec_2] quit
[FW_B-policy-security] rule name policy_sec_3
3. Configure OSPFv3.
# Enable OSPFv3 and set the router ID to 2.2.2.2.
[FW_B] ospfv3
[FW_B-ospfv3-1] router-id 2.2.2.2
[FW_B-ospfv3-1] quit
2. Configure an interzone security policy to allow devices to exchange OSPFv3 packets and
the R&D department to access the finance department, marketing department, and IPv6
network.
NOTE
This section provides only required security policy parameters. Set other security policy parameters as
required.
[FW_C] security-policy
[FW_C-policy-security] rule name policy_sec_1
[FW_C-policy-security-rule-policy_sec_1] source-zone local trust
[FW_C-policy-security-rule-policy_sec_1] destination-zone local trust
[FW_C-policy-security-rule-policy_sec_1] action permit
[FW_C-policy-security-rule-policy_sec_1] quit
[FW_C-policy-security] rule name policy_sec_2
[FW_C-policy-security-rule-policy_sec_2] source-zone local untrust
[FW_C-policy-security-rule-policy_sec_2] destination-zone local untrust
[FW_C-policy-security-rule-policy_sec_2] action permit
[FW_C-policy-security-rule-policy_sec_2] quit
[FW_C-policy-security] rule name policy_sec_3
[FW_C-policy-security-rule-policy_sec_3] source-zone trust
[FW_C-policy-security-rule-policy_sec_3] destination-zone untrust
[FW_C-policy-security-rule-policy_sec_3] source-address 2002:: 64
[FW_C-policy-security-rule-policy_sec_3] action permit
[FW_C-policy-security-rule-policy_sec_3] quit
[FW_C-policy-security] quit
3. Configure OSPFv3.
# Enable OSPFv3 and set the router ID to 3.3.3.3.
[FW_C] ospfv3
[FW_C-ospfv3-1] router-id 3.3.3.3
[FW_C-ospfv3-1] quit
2. Configure an interzone security policy to allow devices to exchange OSPFv3 packets and
the R&D department to access the finance department, marketing department, and IPv6
network.
NOTE
This section provides only required security policy parameters. Set other security policy parameters as
required.
[FW_D] security-policy
[FW_D-policy-security] rule name policy_sec_1
[FW_D-policy-security-rule-policy_sec_1] source-zone local trust
[FW_D-policy-security-rule-policy_sec_1] destination-zone local trust
[FW_D-policy-security-rule-policy_sec_1] action permit
[FW_D-policy-security-rule-policy_sec_1] quit
[FW_D-policy-security] rule name policy_sec_2
[FW_D-policy-security-rule-policy_sec_2] source-zone local untrust
3. Configure OSPFv3.
# Enable OSPFv3 and set the router ID to 4.4.4.4.
[FW_D] ospfv3
[FW_D-ospfv3-1] router-id 4.4.4.4
[FW_D-ospfv3-1] quit
----End
Configuration Verification
1. View the OSPFv3 neighbor status on the FW. The following command output shows the
OSPFv3 neighbor status on FW_A.
[FW_A] display ospfv3 peer
2. View the OSPFv3 routing table on the FW. The following command output shows the
OSPFv3 routing table on FW_A.
[FW_A] display ospfv3 peer
The preceding command output shows that FW_A learns the network segment routes of
the R&D, marketing, and finance departments and the IPv6 routes to the Internet.
Configuration Scripts
Configuration script for FW_A:
#
ipv6
#
sysname FW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
ospfv3 1 area 0.0.0.4
#
interface GigabitEthernet1/0/3
ipv6 enable
ipv6 address 2000::1 64
ospfv3 1 area 0.0.0.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ospfv3 1
router-id 10.1.1.1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_sec_2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_3
source-zone trust
destination-zone untrust
source-address 2001:: 64
source-address 2002:: 64
source-address 2003:: 64
action permit
#
return
interface GigabitEthernet1/0/3
ipv6 enable
ipv6 address 2001::1 64
ospfv3 1 area 0.0.0.1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ospfv3 1
router-id 10.2.2.2
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_sec_2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_3
source-zone trust
destination-zone untrust
source-address 2001:: 64
action permit
#
return
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_sec_2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
rule name policy_sec_3
source-zone trust
destination-zone untrust
source-address 2002:: 64
action permit
#
return
5.7.7 Reference
This section provides reference information about OSPFv3.
5.7.7.1 Specifications
This section describes OSPFv3 specifications.
Function Specifications
Function Description Supported or Not
Totally stub area Type3 LSAs are no longer Supported by all models
flooded in a totally stub area
and are replaced with a
default route.
Disabling the MTU check If few LSAs exist or a great Supported by all models
on DD packets difference exists between
the MTUs of the interfaces
on both ends of a link, you
can disable the local
interface from checking the
MTUs of DD packets.
Setting the interval at which The LSAs age out in the Supported by all models
an interface transmits LSAs LSDB of the local device
but do not age during
transmission. Therefore, you
need to add a certain delay
to the aging time of an LSA
before sending the LSA.
Setting the interval at which OSPFv3 routing devices use Supported by all models
an interface sends Hello Hello packet to establish and
packets maintain neighbor
relationships and
adjacencies.
Setting the interval at which After a routing device sends Supported by all models
an interface retransmits an LSA to a neighbor, it
LSAs needs to wait for the LSAck
packet of the neighbor. If the
device does not receive the
LSAck packet within the
interval for retransmitting
LSAs, it retransmits the
LSA.
False Hello packets The false Hello packet Supported by all models
function enables a routing
device to continue to
maintain its neighbor
relationships after the device
receives any valid OSPFv3
packets, enhancing network
stability.
Route import The routes that OSPFv3 can Supported by all models
import include direct, static,
OSPFv3, IS-ISv6, BGP4+,
and RIPng routes.
5.8 IS-IS
Intermediate System to Intermediate System (IS-IS) is an Interior Gateway Protocol (IGP)
and runs at the link layer. IS-IS features rapid aggregation and a hierarchical structure. IS-IS is
widely used on large-scale carrier networks.
5.8.1 Overview
Intermediate System to Intermediate System (IS-IS) is a link status protocol that uses the
shortest path first (SPF) algorithm to calculate routes.
Definition
The Intermediate System-to-Intermediate System (IS-IS) is a dynamic routing protocol
initially designed by the International Organization for Standardization (ISO) for its
Connectionless Network Protocol (CLNP).
To support IP routing, the Internet Engineering Task Force (IETF) extends and modifies IS-IS
in RFC 1195. This enables IS-IS to be applied to TCP/IP and OSI environments. This type of
IS-IS is called Integrated IS-IS or Dual IS-IS.
IS-IS stated in this document refers to Integrated IS-IS, unless otherwise stated.
Purpose
As an Interior Gateway Protocol (IGP), IS-IS is used in Autonomous Systems (ASs). IS-IS is
a link state protocol. It uses the Shortest Path First (SPF) algorithm to calculate routes.
5.8.2 Principles
This section describes ISIS principles.
IS-IS Areas
To support large-scale routing networks, Intermediate System to Intermediate System (IS-IS)
uses a two-level hierarchical structure in a routing domain. A large domain can be divided
into areas. Figure 5-57 shows an IS-IS network. The entire backbone area covers all Level-2
routers in area 1 and Level-1-2 routers in other areas. The following describes three types of
routers on the IS-IS network.
Area2
Area3
L1
L1/2
L1/2
L2
L2
backbone Area1
L2 L2
Area5
Area4
L1/2 L1
L1/2
L1
L1
L1 L1
l Level-1 router
A Level-1 router manages intra-area routing. It establishes neighbor relationships with
only the Level-1 and Level-1-2 routers in the same area. It maintains a Level-1 LSDB.
The LSDB contains routing information of the local area. A packet to a destination
outside this area is forwarded to the nearest Level-1-2 router.
l Level-2 router
A Level-2 router manages inter-area routing. It can establish neighbor relationships with
Level-2 routers or Level-1-2 routers in other areas. It maintains a Level-2 LSDB. The
LSDB contains inter-area routing information.
All Level-2 routers form the backbone network of the routing domain. They are
responsible for communications between areas. The Level-2 routers in the routing
domain must be in succession to ensure the continuity of the backbone network. Only
Level-2 routers can exchange data packets or routing information with routers outside
the routing domain.
l Level-1-2 router
A router that belongs to both a Level-1 area and a Level-2 area is called a Level-1-2
router. It can establish Level-1 neighbor relationships with Level-1 routers and Level-1-2
routers in the same area. It can also establish Level-2 neighbor relationships with Level-2
routers and Level-1-2 routers in other areas. A Level-1 router must be connected to other
areas through a Level-1-2 router.
A Level-1-2 router maintains two LSDBs: Level-1 and Level-2. The Level-1 LSDB is
used for intra-area routing and the Level-2 LSDB is used for inter-area routing.
NOTE
Level-1 routers in different areas cannot establish neighbor relationships. Level-2 routers can
establish neighbor relationships with each other, regardless of the areas to which the Level-2
routers belong.
In general, Level-1 routers are located in an area, Level-2 routers are located among areas,
and Level-1-2 routers are located between the Level-1 and Level-2 routers.
Interface level
A Level-1-2 router may need to establish only a Level-1 neighbor relationship with the
remote end and only a Level-2 neighbor relationship with the other remote end. You can set
the level of an interface to restrict the setup of adjacencies on the interface. For example, only
a Level-1 adjacency can be established on a Level-1 interface and only a Level-2 adjacency
can be established on a Level-2 interface.
IDP DSP
Area Address
l Area address
Together with the HODSP of the DSP, the IDP can identify a routing domain and the
areas in a routing domain. The combination of the IDP and HODSP is referred to as an
area address, which is equal to an area number in OSPF. An area address is used to
uniquely identify the area in the routing domain. The area addresses of routers in the
same Level-1 area must be the same.
In general, a router can be configured with only one area address. The area address of all
nodes in an area must be the same. In the implementation of a device, an IS-IS process
can be configured with a maximum of three area addresses to support seamless
combination, division, and transformation of areas.
l System ID
A system ID uniquely identifies a host or a router in an area. In the device, the fixed
length of the system ID is 48 bits (6 bytes).
In actual applications, a router ID corresponds to a system ID. If a router takes the IP
address 168.10.1.1 of Loopback 0 as its router ID, its system ID used in IS-IS can be
obtained in the following way:
– To extend each part of the IP address 168.10.1.1 to 3 digits, add 0 to the front of any
part that is shorter than 3 digits.
– Divide the extended address 168.010.001.001 into three parts, with each part
consisting of four decimal digits.
– The reconstructed address 1680.1000.1001 is the system ID.
You can specify a system ID in many ways. You need to ensure that the system ID
uniquely identifies a host or a router.
l SEL
The role of an SEL (also referred to as NSAP Selector or N-SEL) is similar to that of the
"protocol identifier" of IP. A transport protocol matches an SEL. The SEL is always "00"
in IP.
l NET
A Network Entity Title (NET) indicates the network layer information of an IS itself. It
does not contain the transport layer information (SEL = 0). A NET can be regarded as a
special NSAP. The length of the NET field is the same as that of an NSAP. Its maximum
length is 20 bytes and its minimum length is 8 bytes. When configuring IS-IS on a
router, you can configure only a NET instead of an NSAP.
In general, an IS-IS process is configured with only one NET. When an area needs to be
redefined, such as being combined with other areas or divided into sub-areas, you can
configure the router with multiple NETs to ensure the correctness of routes.
NOTE
A maximum of three area addresses can be configured in an IS-IS process, and therefore, you can
configure only a maximum of three NETs. When you configure multiple NETs, ensure that their
system IDs are the same.
The routers in an area must have the same area address.
Related Concepts
DIS and Pseudo Node
A Designated Intermediate System (DIS) is an intermediate router elected in Intermediate
System to Intermediate System (IS-IS) communication. A pseudo node simulates a virtual
node on a broadcast network and is not an actual router. In IS-IS, a pseudo node is identified
by the system ID and 1-byte circuit ID (a non-zero value) of a DIS.
The DIS is used to create and update pseudo nodes and generate the link state protocol data
units (LSPs) of pseudo nodes. The routers advertise a single link to a pseudo node and obtain
routing information about the entire network through the pseudo node. The router does not
need to exchange packets with all the other routers on the network. Using the DIS and pseudo
nodes simplifies network topology and reduces the length of LSPs generated by routers.
When the network changes, fewer LSPs are generated. As a result, the SPF consumes fewer
resources.
SPF Algorithm
The SPF algorithm, also named Dijkstra's algorithm, is used in a link-state routing protocol to
calculate the shortest paths to other nodes on a network. In the SPF algorithm, a local router
takes itself as the root and generates a shortest path tree (SPT) based on the network topology
to calculate the shortest path to every destination node on a network. In IS-IS, the SPF
algorithm runs separately in Level-1 and Level-2 databases.
Implementation
All routers on the IS-IS network communicate by performing the following steps:
l Establishment of IS-IS Neighbor Relationships
l LSDB Synchronization
l Route Calculation
Establishment of IS-IS Neighbor Relationships
On different types of networks, the modes for establishing IS-IS neighbor relationships are
different.
l Establishment of a neighbor relationship on a broadcast link
RouterC RouterD
RouterA, RouterB, RouterC, and RouterD are Level-2 routers. RouterA is newly added
to the broadcast network. Figure 5-60 shows the process of establishing the neighbor
relationship between RouterA and RouterB, the process of establishing the neighbor
relationship between RouterA and RouterC or RouterD is similar to that between
RouterA and RouterB, and is not mentioned here.
MAC:0000-c102-0103 MAC:0000-c102-0104
L2 LAN IIH
( Sys ID:RouterA neighbor:null ) neighbor RouterA
L2 LAN IIH initialized
neighbor RouterB ( Sys ID:RouterB neighbor:0000-c102-0103)
established L2 LAN IIH
( Sys id:RouterA neighbor:0000-c102-0104 )
neighbor RouterA
L2 LAN IIH established
L2 LAN IIH
on every router. A router uses every interface to send IIHs and advertises its priorities in
the IIHs to neighboring routers. The higher the priority is, the higher the probability is
that the router is elected as the DIS. If there are multiple routers with the same highest
priority on a broadcast network, the one with the highest MAC address is elected. The
DISs at different levels can be the same router or different routers.
In the DIS election procedure, IS-IS is different from Open Shortest Path First (OSPF) in
the following aspects:
– The router with the priority of 0 also takes part in the DIS election.
– When a new router that meets the requirements of being a DIS joins the broadcast
network, the router is selected as the new DIS. This change causes LSP flooding.
l Establishment of a neighbor relationship on a P2P link
The establishment of a neighbor relationship on a P2P link is different from that on a
broadcast link. A neighbor relationship on a P2P link can be established in 2-way or 3-
way mode, as shown in Table 5-54. By default, the 3-way handshake mechanism is used
to establish a neighbor relationship on a P2P link.
RouterC
RouterB( DIS)
LSP
Router C.00-00
CSNP
Router A.00-00
Router B.00-00
Router B.01-00 PSNP
Router C.00-00 Router A.00-00
Router B.00-00
Router B.01-00
LSP
Router A.00-00
Router B.00-00
Router B.01-00
In practice, the routes calculated by using the shortest path first (SPF) algorithm in
Intermediate System to Intermediate System (IS-IS) cannot meet all carrier requirements. For
example, generating too many routing entries slows down route search, or link usage is
unbalanced. Because of these problems, IS-IS routing cannot meet carriers' network planning
and traffic management requirements.
Therefore, IS-IS routing information control is needed to refine control over route selection.
IS-IS routing information control is implemented by using the following methods:
l Route Leaking
l Route Summarization
l Load Balancing
l Administrative Tag
l IS-IS Mesh Group
Route Leaking
When Level-1 and Level-2 areas both exist on an IS-IS network, all Level-1 routing
information (except for default routes) can advertise to Level-2 area while Level-2 routers do
not advertise the learned routing information about a Level-1 area and the backbone area to
any other Level-1 area. Therefore, Level-1 routers do not know the routing information
outside the local area. As a result, the Level-1 routers cannot select the optimal routes to the
destination outside the area.
Route leaking allows you to define access control lists (ACLs), routing policies, and tags on
Level-1-2 routers so that Level-1-2 routers can select eligible routes. In this manner, a
Level-1-2 router can advertise some routing information about other Level-1 areas and the
backbone area to its Level-1 area. Figure 5-62 shows the typical networking for route
leaking.
cost 50
cost 10
cost 10
cost 10
RouterE RouterF
cost 10 Level-2 Level-2
cost 10
Area20
RouterB RouterD
Level-1 Level-1-2
Area10
l Router A, Router B, Router C, and Router D belong to area 10. Router A and Router B
are Level-1 routers. Router C and Router D are Level-1-2 routers.
l Router E and Router F belong to area 20 and are Level-2 routers.
If Router A sends a packet to Router F, the optimal route should be Router A -> Router B ->
Router D -> Router E -> Router F. This is because the cost of the route is 40 (10 + 10 + 10
+ 10 = 40). On Router A, view the route along which packets are transmitted to Router F. The
selected route is Router A -> Router C -> Router E -> Router F, of which the cost is 70 (10
+ 50 + 10 = 70). The route is not an optimal route from Router A to Router F.
This is because Router A does not know the routes outside the local area, so the packets sent
by Router A to other network segments are sent through the default route generated by the
nearest Level-1-2 router.
Enable route leaking on Level-1-2 routers (Router C and Router D) and view the route from
Router A to Router F. The selected route is Router A -> Router B -> Router D -> Router E ->
Router F. The route is the optimal route from Router A to Router F.
Route Summarization
On a large-scale IS-IS network, links connected to devices within an IP address range may
alternate between Up and Down. Route summarization allows multiple routes with the same
IP prefix to be summarized into one. This function prevents route flapping and efficiently
reduces routing entries, which minimizes system resource consumption and helps route
management. Figure 5-63 shows the typical networking for route summarization.
Network1
172.1.1.0/24 172.1.1.1/24
Area20
Area10
172.1.3.1/24
Network3
172.1.3.0/24
l RouterA, RouterB, and RouterC use IS-IS to communicate with each other.
l RouterA belongs to area 20, and RouterB and RouterC belong to area 10.
l RouterA is a Level-2 router. RouterB is a Level-1-2 router. RouterC is a Level-1 router.
l RouterB maintains Level-1 and Level-2 link state databases (LSDBs) and leaks the
routes in three network segments (172.1.1.0/24, 172.1.2.0/24, and 172.1.3.0/24) in the
Level-1 area to the Level-2 area. A link fault causes the RouterC interface with the IP
address in the network segment 172.1.1.1/24 to frequently alternate between Up and
Down. The status change is advertised to the Level-2 area, triggering frequent Link State
Packet (LSP) flooding and SPF calculation on RouterA. As a result, the CPU usage on
RouterA increases and even network flapping occurs.
On RouterB, the summarization of the routes in three network segments (172.1.1.0/24,
172.1.2.0/24, and 172.1.3.0/24) in the Level-1 area to one route in network segment
172.1.0.0/16 reduces the number of routing entries on RouterB and minimizes the impact
of route flapping in the Level-1 area on route convergence in the Level-2 area.
Load Balancing
In the presence of multiple equal-cost routes on a network, load balancing improves link
usage and prevents network congestion caused by link overload. Load balancing is
implemented by distributing traffic evenly over multiple equal-cost links. Figure 5-64 shows
the typical networking for load balancing.
Area10
RouterB
L2
RouterA RouterD
L2 L2
RouterC
L2
Administrative Tag
Administrative tags carry administrative information about IP address prefixes. When the cost
type is wide, wide-compatible, or compatible and the prefix of the reachable IP address to be
advertised by IS-IS has this cost type, IS-IS adds the administrative tag to the reachability
type-length-value (TLV) in the prefix. In this manner, the administrative tag is advertised
throughout the entire IS-IS area, which implements route import or filtering.
For the routers that support the VPN, you can associate each IS-IS process with a specific
VPN instance. Therefore, you can configure multiple IS-IS processes to be associated with
multiple VPN instances at the same time.
l IS-IS multi-instance indicates that you can configure multiple IS-IS instances on the
same router.
l IS-IS multi-process indicates that you can create multiple IS-IS processes in a VPN or a
public network. As shown in Figure 5-65.
– The multi-process feature allows a set of interfaces to be associated with a specific
IS-IS process. This ensures that the specific IS-IS process performs all the protocol
operations only on the set of interfaces. Therefore, multiple IS-IS processes can
work on a single router and each process is responsible for a unique set of
interfaces.
– IS-IS multi-processes share an RM routing table. IS-IS multi-instances use the RM
routing tables of VPNs. Each VPN has its own RM routing table.
– When an IS-IS process is created, it can be associated with a VPN instance. Then,
the IS-IS process belongs to the VPN and processes events only in the VPN. The
IS-IS process is deleted when the associated VPN is deleted.
vpn1
vpn2
vpn2
vpn1
Process1
Process2 vpn2
vpn1
For easy management and effective control, IS-IS supports multi-process and multi-instance
features.
In the scenario where IS-IS is applied to users on private networks, after a VPN is created,
interfaces bound to the VPN and routes in the VPN are isolated from other VPNs and public
network data. In this case, you can adopt IS-IS multi-instance to deploy IS-IS in the VPN.
For the routers that support the VPN, each IS-IS process is associated with a specific VPN
instance. All the interfaces attached to an IS-IS process, therefore, should be associated with
the VPN instance that this IS-IS process is associated to.
At present, the VPN instance is maintained by the VPN module. Therefore, IS-IS multi-
instance is implemented by associating an IS-IS process with a VPN instance when the IS-IS
process is created.
When configuring IS-IS multi-instance and multi-process, note the following:
l When creating IS-IS multi-instances, associate an IS-IS process with a VPN instance
when the IS-IS process is created. If an IS-IS process is not associated with a VPN
instance when the IS-IS process is created, the association cannot be configured later.
l An IS-IS process that is already associated with a VPN instance cannot be associated
with another VPN instance.
l Multiple IS-IS processes can be associated with one VPN instance.
l The interfaces where IS-IS multi-instance needs to be enabled must be associated with
the same VPN instance as IS-IS.
l The IS-IS process associated with a VPN instance belongs to the VPN. Therefore, the IS-
IS process is deleted when the VPN is deleted.
l Routes from different VPNs cannot be imported to each other.
IS-IS fast convergence is an extended feature of IS-IS that is implemented to speed up the
convergence of routes. Fast convergence includes the following:
l Incremental SPF (I-SPF): recalculates only the routes of the changed nodes rather than
all the nodes when the network topology changes. This speeds up the calculation of
routes.
l Partial Route Calculation (PRC): calculates only the changed routes when the routes on
the network change.
l LSP fast flooding: speeds up the flooding of LSPs.
l Intelligent timer: is applicable to LSP generation and SPF calculation.
The first timeout period of the timer is fixed. If an event that triggers the timer happens
while the timer is set and unexpired, intelligent timer increases the interval it sets for
next time.
I-SPF
In ISO 10589, the Dijkstra algorithm was adopted to calculate routes. When a node changes
on the network, this algorithm is used to recalculate all routes. The calculation takes a long
time and consumes too many CPU resources, which affects the convergence speed.
I-SPF improves this algorithm. Except for the first time, only changed nodes instead of all
nodes are involved in calculation. The shortest path tree (SPT) generated is the same as that
generated by the previous algorithm. This decreases CPU usage and speeds up network
convergence.
PRC
Similar to I-SPF, PRC calculates only the changed routes, but it does not calculate the shortest
path. It updates routes based on the SPT calculated by I-SPF.
In route calculation, a leaf represents a route, and a node represents a router. If the SPT
changes after I-SPF calculation, PRC processes all the leaves only on the changed node. If the
SPT remains unchanged, PRC processes only the changed leaves.
For example, if IS-IS is enabled on an interface of a node, the SPT calculated by I-SPF
remains unchanged. PRC updates only the routes of this interface, consuming less CPU
resources.
PRC working with I-SPF further improves the convergence performance of the network. It is
an improvement of the original SPF algorithm.
NOTE
In the implementation of a device, only I-SPF and PRC are used to calculate IS-IS routes.
LSP fast flooding improves on the PRC mode. When the device configured with this feature
receives one or more new LSPs, before it calculates routes, it floods out the LSPs whose
amount is smaller than the specified number. Network convergence speed is significantly
improved.
Intelligent Timer
Although the route calculation algorithm is improved, the long interval for triggering route
calculation affects the convergence speed. Frequent network changes also consume too many
CPU resources. The SPF intelligent timer addresses both of these problems.
In general, an IS-IS network is stable under normal conditions. The probability of the
occurrence of many network changes is very minimal, and IS-IS does not calculate routes
frequently. The period for triggering the route calculation is very short (milliseconds). If the
topology of the network changes very often, the intelligent timer increases the interval for the
calculation times to avoid too much CPU consumption. The original mechanism uses a timer
with uniform intervals, which makes fast convergence and low CPU consumption impossible
to achieve.
The LSP generation intelligent timer is similar to the SPF intelligent timer. When the LSP
generation intelligent timer expires, the system generates a new LSP based on the current
topology. The LSP generation timer is designed as an intelligent timer to respond to
emergencies (such as the interface is Up or Down) quickly and speed up the network
convergence.
Priority-based IS-IS convergence ensures that specific routes converge first in the case of a
great number of routes. Different routes can be set with different convergence priorities.
Priority-based IS-IS convergence enables specific routes (such as routes that match the
specified IP prefix) to converge first. You can assign a high convergence priority to routes for
key services so that these routes converge quickly. This decreases impact on key services and
improves network reliability.
When the LSPs to be advertised by IS-IS contain much information, they are advertised in
multiple LSP fragments of the same system. The IS-IS LSP fragment extension attribute
allows an IS-IS router to generate more LSP fragments and carry more IS-IS information.
As defined in RFC 3786, virtual system IDs can be configured and virtual LSPs that carry
routing information can be generated for IS-IS.
Terms
l Originating system: is a router that runs the IS-IS protocol. A single IS-IS process can
advertise its LSPs as multiple "virtual" routers, and the originating system represents the
"real" IS-IS process.
l Normal system ID: is the system ID of the originating system.
l Additional system ID: assigned by network administrators, is used to generate additional
or extended LSP fragments. Up to 256 additional or extended LSP fragments can be
generated. Like the normal system ID, the additional system ID must be unique in the
routing domain.
The additional system ID, assigned by network administrators, is used to generate
additional or extended LSP fragments. Up to 256 additional or extended LSP fragments
can be generated. Like the normal system ID, the additional system ID must be unique in
the routing domain.
l Virtual system: identified by an additional system ID, is used to generate extended LSP
fragments. These fragments carry the additional system IDs in their LSP IDs.
Principle
IS-IS LSP fragments are identified by the LSP Number field in their LSP IDs. The LSP
Number field is 1 byte. An IS-IS process can generate a maximum of 256 fragments that carry
a limited number of routes (when the fragment length is 1497 bytes, a maximum of 30,000
routes can be carried). With fragment extension, more information can be carried.
With additional system IDs (up to 50 virtual systems), an IS-IS process can generate a
maximum of 13056 LSP fragments.
When a virtual system and fragment extension are configured, an IS-IS router adds the
contents that cannot be contained in the LSPs advertised by the originating system to the
LSPs of the virtual system. The router notifies other routers of the relationship between the
virtual system and itself through a special TLV.
IS Alias ID TLV
A special TLV, IS Alias ID TLV, is defined in RFC 3786.
Regardless of the operation mode, the originating system and virtual system send the LSPs
with fragment number 0 carrying the IS Alias ID TLV to indicate the originating system.
Operation Modes
Figure 1 shows the networking for the LSP fragment extension feature, which can be run in
two different modes.
RouterA 1
RouterB RouterA
RouterA 2
l The IS-IS router can run the LSP fragment extension feature in the following modes:
Mode-1: is used when some routers on the network do not support the LSP fragment
extension.
In this mode, virtual systems participate in the SPF calculation. The originating system
advertises LSPs that contain information about the links to each virtual system.
Similarly, each virtual system advertises LSPs that contain information about the links to
the originating system. This allows the virtual systems to appear to be like the actual
routers connected to the originating system on the network.
Mode-1 is a transitional mode for earlier IS-IS versions that do not support fragment
extension. In the earlier versions, IS-IS cannot identify the Alias ID TLV. The LSP sent
by a virtual system appears to be like a common IS-IS LSP.
The LSP sent by a virtual system contains the same area address and overload bit as that
in the common LSP. If the LSPs sent by a virtual system contain TLVs specified in other
features, they must be the same as those in common LSPs.
The virtual system carries neighbor information that specifies that the neighbor is the
originating system, with the metric being the maximum value minus 1. The originating
system carries neighbor information that specifies that the neighbor is the virtual system,
with the metric of 0. This ensures that the virtual system is the downstream node of the
originating system when other routers calculate routes.
As shown in Figure 5-66, RouterB does not support the LSP fragment extension;
RouterA is set to support the LSP fragment extension in mode-1; RouterA1 and
RouterA2 are virtual systems of RouterA. In this example, RouterA1 and RouterA2 send
LSPs carrying routing information of RouterA. After receiving LSPs from RouterA,
RouterA1, and RouterA2, RouterB detects that there are three individual routers at the
peer end and calculates routes normally. Because the cost of the route from RouterA to
RouterA1 and the cost of the route from RouterA to RouterA2 are both 0, the cost of the
route from RouterB to RouterA is equal to the cost of the route from RouterB to
RouterA1.
l Mode-2: is used when all routers on the network support LSP fragment extension.
In this mode, virtual systems do not participate in the SPF calculation. All routers on the
network detects that the LSPs generated by the virtual systems actually belong to the
originating system.
Working in mode-2, IS-IS identifies IS Alias ID TLV, which is used to calculate the SPT
and routes.
As shown in Figure 5-66, RouterB supports the LSP fragment extension; RouterA is set
to support the LSP fragment extension in mode-2; andRouterA1 and RouterA2 send
LSPs carrying routing information of RouterA. When receiving LSPs from RouterA1
and RouterA2, RouterB obtains IS Alias ID TLV and detects that the originating system
of RouterA1 and RouterA2 is RouterA. RouterB detects that information advertised by
RouterA1 and RouterA2 belongs to RouterA.
Whether LSP fragment extension is set to mode-1 or mode-2, LSPs in both modes can be
resolved. If LSP fragment extension is not supported, only LSPs in mode-1 can be resolved.
Table 5-56 Comparison between LSP fragment extension mode-1 and mode-2
LSP Content\Mode Mode-1 Mode-2
area Yes No
Process
After LSP fragment extension is configured, if information is lost because LSPs are of full
lengths, the system prompts that the IS-IS router should be restarted. After the router is
restarted, the originating system loads as much routing information as possible. The
remaining information is added to the LSPs of the virtual systems for transmission.
Application Environment
NOTE
If there are devices of other manufacturers on the network, LSP fragment extension must be set to
mode-1. Otherwise, devices of other manufacturers cannot identify the LSPs.
Configure the LSP fragment extension and virtual systems before you set up IS-IS neighbors
or import routes. Then you must restart the IS-IS router for the configurations to take effect. If
you set up IS-IS neighbors or import routes first, it can cause IS-IS to carry more information
than cannot be loaded through 256 fragments
The dynamic hostname exchange mechanism provides a mapping from the hostname to
system ID for IS-IS routers.
On an IS-IS router without hostname exchange, information about IS-IS neighbors and
LSDBs is represented by a system ID with 12 hexadecimal numbers, for example, aaaa.eeee.
1234. This representation is complicated and not easy to use.
To easily maintain and manage IS-IS networks easily, the dynamic hostname exchange
mechanism was introduced.
Dynamic hostname information is advertised in the form of a dynamic hostname TLV (type
137) in LSPs. The dynamic hostname exchange mechanism also provides a service to
associate a host name with the Designated IS (DIS) on a broadcast network. Then, this
mechanism advertises this association through LSPs in the form of a dynamic hostname TLV.
In the implementation of FW, routers with IS-IS dynamic hostname mapping enabled add the
Dynamic Hostname TLV (TLV type 137) that records the local host name to the LSPs they
generate before sending out the LSPs.
Dynamic Hostname TLV (TLV type 137) includes the following fields:
The Dynamic Hostname TLV is optional and can be inserted anywhere in an LSP. The
hostname value cannot be null. A router determines whether to carry the TLV in LSPs it
sends. The router that receives the LSPs determines whether to ignore the TLV or obtain the
TLV for its mapping table.
Implementation
l Matching rules
The dynamic hostname mechanism abides by the longest match rule. First, System ID
+NSEL is first compared. If that does not match, the system ID is then compared.
l Transmission of dynamic hostname
The dynamic hostname can be carried by the original LSP only.
l Transmission of DIS dynamic hostname
The DIS dynamic hostname is transmitted through the LSPs generated by the DIS.
l Priority of dynamic hostname
The dynamic hostname takes precedence over the static hostname. When both a dynamic
hostname and a static hostname are configured, the dynamic hostname replaces the static
hostname.
l Configuration and resolution of dynamic hostname
The dynamic hostname can be up to 64 bytes in length and a maximum of 255-byte
contents can be resolved.
Application Environment
In maintenance and management, the hostname is easier to identify and retain than the system
ID. After this function is configured, the hostname instead of the system ID is displayed when
you view information about IS-IS on the router.
l When an IS-IS neighbor is displayed, the system ID of the IS-IS neighbor is replaced by
the dynamic hostname. If the IS-IS neighbor is the DIS, then the system ID of the DIS is
replaced by the dynamic hostname of the neighbor.
l When an LSP in the IS-IS LSDB is displayed, the system ID in the LSP ID is replaced
by the dynamic hostname of the router that advertises the LSP.
l When details about the IS-IS LSDB are displayed, the Host Name field is included for
the LSP generated by the router where dynamic hostname exchange is enabled; the
system ID is replaced by the dynamic hostname of the IS-IS neighbor.
In the earlier ISO 10589, the greatest value of an interface metric was only 63. TLV type 128
and TLV type 130 contained information about routes; TLV type 2 contained information
about IS-IS neighbors.
As defined in RFC 3784, the value of an interface metric can be extended to 16777215, and
the metric of a route can reach 4261412864. With IS-IS wide metric enabled, TLV type 135
contains information about routes; TLV type 22 contains information about IS-IS neighbors.
l The following TLVs are used in narrow mode:
– IP Internal Reachability: carries internal routes.
– IP External Reachability: carries external routes.
– IS Neighbors: carries information about neighbors.
l The following TLVs are used in wide mode:
– Extended IP Reachability: replaces the earlier IP reachability TLV and carries
information about routes. This TLV expands the range of route cost to 4 bytes and
carries sub-TLVs.
– IS Extended Neighbors: carries information about neighbors.
NOTE
IS-IS in wide mode and IS-IS in narrow mode cannot communicate. If IS-IS in wide mode and IS-IS in
narrow mode need to communicate, you must change the mode to enable all routers on the network to
receive packets sent by other routers.
When the cost-style is set to compatible, IS-IS sends the information in narrow mode and then
in wide mode.
NOTICE
A cost-style change causes the IS-IS process to restart. Be cautious in your use of the cost-
style command.
5.8.2.10 IS-IS GR
IS-IS Graceful Restart (GR) implements non-stop forwarding by extending IS-IS to support
the GR capability. It is one of the high availability (HA) technologies. RFC 3847 defines the
IS-IS GR standard.
IS-IS is a link state routing protocol. All routers in an area must maintain the same network
topologies, that is, the same LSDBs.
After the master/slave switchover, no neighbor information is stored on the restarted router.
Thus, the first Hello packets sent by the router do not contain the neighbor list. After
receiving the Hello packets, the neighbor checks the 2-way neighbor relationship and finds
that it is not in the neighbor list of the Hello packets sent by the router. Thus, the neighbor
relationship is interrupted.
The neighbor then generates new LSPs and floods the topology changes to all other routers in
the area. Routers in the area then calculate routes based on the new LSDBs, which leads to
route interruption or routing loops.
Because no LSDB is stored on the restarted router, the router needs to synchronize its LSDB
with those of the neighbors after the master/slave switchover.
If IS-IS is not restarted in GR mode, IS-IS neighbor relationships are reset and LSPs are
regenerated and flooded. This triggers the SPF calculation in the entire area, which causes
route flapping and forwarding interruption in the area.
The IETF defined the GR standard, RFC 3847, for IS-IS. The restart of the protocol is
processed for both the reserved FIB tables and unreserved FIB tables. Thus, the route flapping
and interruption of the traffic forwarding caused by the restart can be avoided.
When a router fails, neighbors at the routing protocol layer detect that their neighbor
relationships are Down and then become Up again after a period of time. This is the flapping
of neighbor relationships. The flapping of neighbor relationships causes route flapping, which
leads to black hole routes on the restarted router or causes data services from the neighbors to
be looped on the restarted router. This decreases the reliability on the network. GR is thus
introduced to address route flapping.
To implement GR, IS-IS introduces the restart Type-Length-Value (TLV), T1 timer, T2 timer,
and T3 timer.
Restart TLV
The restart TLV is an extended part of an IS-to-IS Hello (IIH) PDU. All IIH packets of the
router that supports IS-IS GR contains the restart TLV. The restart TLV carries the parameters
for the protocol restart. Figure 5-67 shows the format of the restart TLV.
Remaining Time
Remaining Time 2 bytes Indicates the time during which the neighbor
does not reset the adjacency. The length of
the field is 2 bytes. The time is measured in
seconds. When RA is reset, the value is
mandatory.
Timers
Three timers are introduced to enhance IS-IS GR. They are T1, T2, and T3 timers.
l T1
Any interface enabled with IS-IS GR maintains a T1 timer. On a Level-1-2 router,
broadcast interfaces maintain a T1 timer for Level-1 and Level-2 neighbor relationships
respectively.
If the GR restarter has already sent an IIH packet with RR being set but does not receive
any IIH packet that carries the restart TLV and the RA set from the GR helper even after
the T1 timer expires, the GR restarter will reset the T1 timer and continues to send the
restart TLV.
If the ACK packet is received or the T1 timer expires for three times, the T1 timer is
deleted. The default value of a T1 timer is 3 seconds.
l T2
Level-1 and Level-2 LSDBs maintain separate T2 timers.
T2 is the maximum time that the system waits for the synchronization of various LSDBs.
T2 is generally 60 seconds.
l T3
The entire system maintains a T3 timer.
T3 timer can be considered as the maximum time for GR to complete.
If the T3 timer expires, GR fails.
The initial value of the T3 timer is 65535 seconds. After the IIH packets that carry the
RA are received from neighbors, the value of the T3 timer becomes the smallest value of
the Remaining Time field among the Remaining Time fields of the IIH packets.
The T3 timer applies to only restarting devices.
The following describes the process of IS-IS GR in restarting and starting modes:
IS-IS Restarting
Figure 5-68 shows the process of IS-IS restarting.
Active/standby
switchover
IIH(Restart TLV, RR=1, RA=0, SA=0)
Start T1, T2,
and T3 timers IIH(Restart TLV, RR=0, RA=1, SA=0)
Reset T3 timer
CSNP
Delete T1 timer
LSPs
Delete T2 timer
Flood LSPs Update the
Delete T3 timer and
Update the FIB table FIB table
1. After performing the protocol restart, the GR restarter performs the following actions:
IS-IS Starting
The starting device does not keep the FIB table. Thus, the starting device hopes the neighbors,
whose adjacency with itself is Up before it starts, reset their adjacency, and suppress the
neighbors from advertising their adjacency. The IS-IS starting process is different from the IS-
IS restarting process, as shown in Figure 5-69.
Starting
CSNP
Delete T1 timer
LSPs
Delete T2 timer
3. After the adjacency is re-initiated, the GR restarter re-establishes the adjacency with the
neighbors on each interface. When an adjacency set on an interface is in the Up state, the
GR restarter starts the T1 timer for the interface.
4. After the T1 timer expires, the GR restarter sends an IIH packet in which both RR and
SA are set to 1.
5. After the neighbor receives the IIH packet, it replies an IIH packet in which RR is set to
0 and RA is set to 1 and sends a CSNP.
6. After the GR restarter receives the IIH ACK packet and CSNP from the neighbor, it
deletes the T1 timer.
If the GR restarter does not receive the IIH packet or CSNP, it constantly resets the T1
timer and resends the IIH packet in which RR and SA are set to 1. If the number of the
timeouts of the T1 timer exceeds the threshold value, the GR restarter forcibly deletes
the T1 timer and turns to the normal IS-IS processing to complete LSDB
synchronization.
7. After receiving the CSNP from the helper, the GR restarter synchronizes the LSDB.
8. After the LSDB of this level is synchronized, the T2 timer is deleted.
9. After all T2 timers are deleted, the SPF calculation is started and LSPs are regenerated
and flooded.
10. So far, the IS-IS starting of the GR restarter is complete.
BFD functions as a simple "Hello" protocol. It is similar to the adjacency test of a routing
protocol in many aspects.
Two systems periodically send BFD packets on the path between them. If one system does not
receive any BFD packet from its peer within the detection period, the system considers that
the bidirectional path to its peer is faulty. Under some conditions, systems need to negotiate
the sending and receiving rates to reduce the load.
NOTE
BFD uses the local discriminator and remote discriminator to differentiate multiple BFD sessions
between the same pair of systems.
l Static BFD
In static BFD, BFD session parameters including local and remote discriminators are set
through commands, and the requests for establishing BFD sessions are manually
delivered.
l Dynamic BFD(including BFD for IPv4BFD for IPv6)
In dynamic BFD, the establishment of BFD sessions is triggered by routing protocols.
The local discriminator is dynamically assigned, and the remote discriminator is learned
by a routing protocol.
BFD-for-IPv4 sessions and BFD-for-IPv6 sessions are established separately and do not
affect each other.
In BFD for IS-IS, the establishment of a BFD session is dynamically triggered by IS-IS
instead of being performed manually. When detecting a fault, BFD notifies IS-IS of the fault
through the RM module. IS-IS then sets the status of the associated neighbor relationship to
Down, rapidly advertises the changed Link State PDU (LSP), and performs incremental SPF.
In this manner, fast route convergence is implemented.
Generally, the interval for sending Hello packets is set to 10s. The interval for advertising that
a neighbor is Down, that is, the Holddown time for keeping the neighbor relationship, is three
times the interval for sending Hello packets. If a router does not receive any Hello packet
from its neighbor within the Holddown time, the router deletes the associated neighbor
relationship.
A router can detect a neighbor fault at only the second level. As a result, a large number of
packets may be lost on a high-speed network.
BFD, which can provide link fault detection of light load and high speed (in milliseconds), is
introduced to solve the preceding problem.
BFD can provide millisecond-level fault detection. BFD does not take the place of the Hello
mechanism of IS-IS, but works with IS-IS to more quickly detect the faults that occur on
neighboring devices or links, and instructs IS-IS to recalculate routes to correctly guide packet
forwarding.
Static BFD
In static BFD, BFD session parameters including local and remote discriminators are set
through commands, and the requests for establishing BFD sessions are manually delivered.
In this mode, the creation and deletion of BFD sessions need to be triggered manually, which
is inflexible. Moreover, manual configuration errors may occur, for example, the local
discriminator and the remote discriminator are incorrectly configured, which causes the
abnormal functioning of the BFD session.
Dynamic BFD
In dynamic BFD, the establishment of BFD sessions is triggered by routing protocols.The
establishment of a BFD-for-IPv4 session is triggered by IS-IS when an IPv4 neighbor
relationship is set up.The establishment of a BFD-for-IPv6 session is triggered by IS-IS when
an IPv6 neighbor relationship is set up.
When setting up a new neighbor relationship, IS-IS sends parameters of the neighbors and
detection parameters (including source and destination IP addresses) to BFD. BFD then sets
up a session according to the received parameters. Dynamic BFD is more flexible than static
BFD.
The RM module provides related services for the association with the BFD module for IS-IS.
Through RM, IS-IS instructs BFD to set up or tear down BFD sessions by sending
notification messages. In addition, BFD events are transmitted to IS-IS through RM.
– BFD for IPv4 or BFD for IPv6 is enabled on interfaces or processes, and the status
of the neighboring router is Up (the DIS must be elected on a broadcast network).
– Neighbors can adopt IPv4 and IPv6.
l Process of setting up a BFD session
– P2P network
After the conditions for setting up a BFD session are satisfied, IS-IS instructs BFD
through RM to directly set up a BFD session between neighbors.
– Broadcast network
After the conditions for establishing BFD sessions are met, and the DIS is elected,
IS-IS instructs BFD through RM to establish a BFD session between the DIS and
each router. No BFD session is established between non-DISs.
On a broadcast network, the routers (including non-DIS routers) of the same level on the
same network segment can set up neighbor relationships. In the implementation of IS-IS
BFD, however, BFD sessions are set up between the DIS and non-DIS devices rather
than between non-DISs. On a P2P network, BFD sessions are directly set up between
neighbors.
If a Level-1-2 neighbor relationship is set up between two routers on a link, IS-IS sets up
two BFD sessions for the Level-1 neighbor and the Level-2 neighbor on a broadcast
network, but sets up only one BFD session on a P2P network.
l If the IP protocol type of neighbors includes IPv4 and IPv6, IS-IS sets up two sessions: a
BFD-for-IPv4 session and a BFD-for-IPv6 session. The IPv6 link-local addresses of the
related interfaces are used to set up the BFD-for-IPv6 session.
l Conditions for tearing down a BFD session
– P2P network
When a neighbor relationship set up on P2P interfaces by IS-IS is torn down (that
is, the neighbor relationship is not in the Up state) or when the IP protocol type of a
neighbor is deleted, IS-IS tears down the BFD session.
– Broadcast network
When a neighbor relationship set up on P2P interfaces by IS-IS is torn down (that
is, the neighbor relationship is not in the Up state)when the IP protocol type of a
neighbor is deleted, or when the DIS is re-elected, IS-IS tears down the BFD
session.
When the configurations of a dynamically established BFD session are deleted or BFD
for IS-IS is disabled on an interface, all BFD sessions to which neighbor relationships
between devices or between devices and the DIS correspond on the interface are deleted.
After dynamic BFD is globally disabled in an IS-IS process, the BFD sessions on all the
interfaces in this IS-IS process are deleted.
NOTE
BFD detects only one-hop links between IS-IS neighbors, because IS-IS establishes only one-hop
neighbor relationships.
l Response to the Down event of a BFD session
When detecting a link failure, BFD generates a Down event, and then notifies RM of the
event. RM then instructs IS-IS to deletes the neighbor relationship. IS-IS recalculates
routes to speed up route convergence on the entire network. After BFD for IPv4 informs
IS-IS of the link failure, IS-IS changes only the IPv4 route.After BFD for IPv6 notifies
IS-IS of the link failure, IS-IS changes only the IPv6 route.
When a router and its neighbor are Level-1-2 routers, they set up two neighbor
relationships, that is, the Level-1 neighbor relationship and the Level-2 neighbor
relationship. Then, IS-IS sets up two BFD sessions for the Level-1 neighbor relationship
and the Level-2 neighbor relationship. In this case, the RM module deletes the neighbor
relationship of a specific level.
Applicable Environment
NOTE
BFD needs to be configured according to the actual network environment. If timer parameters are set
improperly, network flapping may occur.
BFD for IS-IS can fast sense link changes to implement route convergence.
Primary path
Backup path
FW_C
Before configuring BFD for IS-IS IPv6, you need to configure IS-IS IPv6.
l Enable BFD globally.
l Enable BFD for IS-IS on Router A and Router B.
Thus, when the link between Router A and Router B becomes faulty, BFD can fast detect the
fault and then notify it to IS-IS. IS-IS then turns the neighbor relationship on the interface
Down and deletes the IP protocol type to which the neighbor relationship corresponds, which
triggers route calculation. In addition, IS-IS updates LSPs so that the neighbors such as
Router C can receive updated LSPs from Router B. Fast convergence of IS-IS is thus
implemented.
Background
Internet development brings more frequent data, voice, and video information exchange over
the Internet. New services, such as e-commerce, online conferencing and auctions, video on
demand, and distance learning, emerge gradually. The new services have high requirements
for network security. Carriers must guarantee that data packets are not monitored and
modified by attackers and prohibit the access of unauthorized users. Intermediate System to
Intermediate System (IS-IS) authentication applies to the area or interface where packets need
to be protected to ensure packet transmission security. Using IS-IS authentication enhances
system security and helps carriers provide safe network services.
Related Concepts
Authentication Classification
Based on the types of packets, the authentication is classified as follows:
l Interface authentication: is configured in the interface view to authenticate Level-1 and
Level-2 IS-to-IS Hello PDUs (IIHs).
l Area authentication: is configured in the IS-IS process view to authenticate Level-1
CSNPs, PSNPs, and LSPs.
l Routing domain authentication: is configured in the IS-IS process view to authenticate
Level-2 CSNPS, PSNPs, and LSPs.
Based on the authentication modes of packets, authentication is classified into the following
types:
l Explicit authentication: is a explicit authentication mode in which passwords are directly
added to packets. The security of explicit text authentication is poorer than the other two
authentication types.
l MD5 authentication: uses the MD5 algorithm to encrypt a password before adding the
password to the packet, which improves password security.
l Keychain authentication: further improves network security with configurable key chain
that changes with time.
l HMAC-SHA256 authentication: uses the HMAC-SHA256 algorithm to encrypt a
password before adding the password to the packet, which improves password security.
Implementation
IS-IS authentication encrypts IS-IS packets by adding the authentication field to packets to
ensure network security. After receiving IS-IS packets from a remote router, a local router
discards the packets if the authentication passwords in the packets are different from the
locally configured authentication password. This mechanism protects the local router.
IS-IS provides a type-length-value (TLV) to carry authentication information. The TLV
components are as follows:
l Type: indicates the type of a packet, which is 1 byte. The value defined by ISO is 10,
while the value defined by IP is 133.
l Length: indicates the length of the authentication TLV, which is 1 byte.
l Value: indicates the contents of the authentication, including authentication type and
authenticated password, which ranges from 1 to 254 bytes.
– 0 is reserved.
– 1 indicates explicit authentication.
– 3 indicates the general authentication, and only HMAC-SHA256 authentication is
supported currently.
Interface Authentication
Authentication passwords for IIHs are saved on interfaces. The interfaces send authentication
packets with the authentication TLV. Interconnected router interfaces must be configured with
the same password.
Area Authentication
Every router in an IS-IS area must use the same authentication mode and have the same key
chain.
Every Level-2 or Level-1-2 router in an IS-IS area must use the same authentication mode and
have the same key chain.
For area authentication and routing domain authentication, you can set a router to authenticate
SNPs and LSPs separately in the following ways:
l A router sends LSPs and SNPs that carry the authentication TLV and verifies the
authentication information of the LSPs and SNPs it receives.
l A router sends LSPs that carry the authentication TLV and verifies the authentication
information of the LSPs it receives. The router sends SNPs that carry the authentication
TLV and does not verify the authentication information of the SNPs it receives.
l A router sends LSPs that carry the authentication TLV and verifies the authentication
information of the LSPs it receives. The router sends SNPs without the authentication
TLV and does not verify the authentication information of the SNPs it receives.
l A router sends LSPs and SNPs that carry the authentication TLV but does not verify the
authentication information of the LSPs and SNPs it receives.
The first eight bytes in all IS-IS PDUs are public. Figure 5-71 shows the IS-IS PDU structure.
8 Padding IIH
l P2P IIHs: Figure 5-73 shows the format of IIHs on a P2P network.
As shown in Figure 5-73, most fields in a P2P IIH are the same as those in a LAN IIH.
The P2P IIH does not have the priority and LAN ID fields, but has a local circuit ID
field. The local circuit ID indicates the local link ID.
LSP Format
LSPs are used to exchange link-state information. There are two types of LSPs: Level-1 and
Level-2. Level-1 IS-IS transmits Level-1 LSPs. Level-2 IS-IS transmits Level-2 LSPs.
Level-1-2 IS-IS can transmit both Level-1 and Level-2 LSPs.
Level-1 and Level-2 LSPs have the same format, as shown in Figure 5-74.
SNP Format
SNPs describe the LSPs in all or some of the databases and are used to synchronize and
maintain all link-state databases (LSDBs). SNPs consist of complete SNPs (CSNPs) and
partial SNPs (PSNPs).
l CSNPs carry summaries of all LSPs in LSDBs, which ensures LSDB synchronization
between neighboring routers. On a broadcast network, the designated intermediate
system (DIS) sends CSNPs at regular intervals. The default interval is 10 seconds. On a
P2P link, neighboring devices send CSNPs only when a neighbor relationship is
established for the first time.
Figure 5-75 shows the CSNP format.
Procedure
Step 1 In the user view, run:
system-view
The system view is displayed.
Step 2 Run:
isis [ process-id ]
An IS-IS process is started and the IS-IS view is displayed.
process-id identifies an IS-IS process. If process-id is not set, the system uses process 1 by
default. To associate the IS-IS process to a VPN instance, you can run the isis [ process-id ]
[ vpn-instance vpn-instance-name ] command.
Step 3 (Optional) Run:
description
Descriptions for the IS-IS process are configured.
----End
Context
You can configure a maximum of three NETs on a process of a router. The area addresses of
the NETs can be different, but their system IDs must be the same.
NET consists of three parts.
l Part one is the area ID that is variable (1 to 13 bytes), and the area IDs of the routers in
the same area are identical.
l Part two is the system ID (6 bytes) of this router, which must be unique in the whole area
and backbone area.
l Part three is the last byte "SEL", whose value must be "00".
Procedure
Step 1 In the user view,run:
system-view
The system view is displayed.
Step 2 Run:
isis [ process-id ]
The IS-IS view is displayed.
Step 3 Run:
network-entity net
An NET is configured.
NOTE
Configuring loopback interface addresses based on NETs is recommended to ensures that a NET is
unique on the network. If NETs are not unique, route flapping will easily occur.
System ID used in IS-IS can be obtained in the following way: extend each part of the IP address to 3
bits, add 0 to the front of any part that is shorter than 3 bits, divide the extended address into three parts,
with each part consisting of four decimal digits, and the reconstructed address is the system ID.
During the establishment of the Level-2 neighbor relationship, IS-IS does not check whether area
addresses are the same. During the establishment of the Level-1 neighbor relationship, area addresses
must be the same; otherwise, the Level-1 neighbor relationship cannot be established.
----End
Context
Configure the device level according to network planning requirements:
l When the level of a device is Level-1, the device establishes neighbor relationships with
only Level-1 and Level-1-2 routers in the same area and maintains only Level-1 LSDBs.
l When the level of a device is Level-2, the device can establish neighbor relationship with
Level-2 routers in the same area or different areas and with Level-1-2 routers in different
areas and maintain only Level-2 LSDB.
l When the level of a device is Level-1-2, the device can establish neighbor relationships
with Level-1 and Level-2 routers and maintain Level-1 and Level-2 LSDBs.
Procedure
Step 1 In the user view, run:
system-view
Step 2 Run:
isis [ process-id ]
Step 3 Run:
----End
Context
The methods to establish IS-IS neighbor relationships on a broadcast network and a P2P
network are different. Therefore, you need to set different IS-IS attributes for interfaces of
different types:
On a broadcast network, IS-IS needs to select the designated intermediate system (DIS). You
can set the DIS priority for IS-IS interfaces to enable the device with the highest DIS priority
to be elected as the DIS.
On a P2P network, IS-IS does not need to select the DIS. Therefore, the DIS priority does not
need to be configured for interfaces. To ensure P2P link reliability, configure IS-IS to
establish a neighbor relationship on two P2P interfaces in 3-way mode for unidirectional link
fault detection.
Procedure
l Establish an IS-IS neighbor relationship on a broadcast link.
a. Run:
system-view
After this command is run, IS-IS establishes neighbor relationships and floods LSPs
through this interface.
NOTE
Loopback interfaces are not used to establish neighbor relationships. If IS-IS is enabled on a
loopback interface, IS-IS advertises the routes of the network segment where the interface
resides through other IS-IS interfaces.
d. Run:
When two Level-1-2 devices establish IS-IS neighbor relationship, they establish
both Level-1 and Level-2 neighbor relationships. To allow the two Level-1-2
devices to establish only Level-1 or Level-2 neighbor relationship, change the level
of interfaces.
NOTE
Changing the level of an IS-IS interface is valid only when the level of the IS-IS device is
Level-1-2. If the level of the device is not Level-1-2, the level of the device determines the
level of the established neighbor relationship.
e. (Optional) Run:
The DIS priority is set for the interface. A larger value indicates a higher priority.
By default, the DIS priority of Level-1 and Level-2 broadcast interfaces is 64.
f. (Optional) Run:
When an IS-IS interface is suppressed, the interface no longer sends or receives IS-
IS packets. The routes of the network segment where the interface resides, however,
can still be advertised to other IS-IS devices within the same AS.
g. (Optional) Configure a delay for the IS-IS neighbor relationship establishment.
isis delay-peer track last-peer-expired[ delay-time
A delay is configured for the IS-IS neighbor relationship establishment.
By default, delay-interval is 60s.
If a new delay-interval is configured and it is less than the remaining time of the
ongoing delay, the new delay-interval takes effect immediately; if the new delay-
interval is greater than the remaining time of the ongoing delay, the ongoing delay
continues until the new delay-interval takes effect at the next delay.
l Establish an IS-IS neighbor relationship on a P2P link.
a. Run:
system-view
The system view is displayed.
b. Run:
interface interface-type interface-number
The interface view is displayed.
c. Run:
isis enable [ process-id ]
IS-IS is enabled on the interface.
d. Run:
isis circuit-level [ level-1 | level-1-2 | level-2 ]
The level of the interface is configured.
By default, the level of an interface is level-1-2.
e. Run:
isis circuit-type p2p
The network type of the interface is set to P2P.
By default, the network type of an interface is determined by the physical type of
the interface.
When the network type of an IS-IS interface changes, the interface configuration
changes accordingly:
n After a broadcast interface is simulated as a P2P interface using the isis
circuit-type p2p command, the interval for sending Hello packets, number of
Hello packets that IS-IS does not receive from a neighbor before the neighbor
is declared Down, interval for retransmitting LSPs on a P2P link, and various
IS-IS authentication modes are restored to the default settings; other
configurations such as the DIS priority, DIS name, and interval for sending
CSNPs on a broadcast network become invalid.
n After the undo isis circuit-type command is run to restore the default network
type of an IS-IS interface, the interval for sending Hello packets, number of
Hello packets that IS-IS does not receive from a neighbor before the neighbor
is declared Down, interval for retransmitting LSPs on a P2P link, various IS-IS
authentication modes, DIS priority, and interval for sending CSNPs on a
broadcast network are restored to the default settings.
f. Run:
isis peer-ip-ignore
isis ppp-osicp-check
By default, the OSICP negotiation status of a PPP interface does not affect the
status of an IS-IS interface.
NOTE
This command applies only to PPP interfaces and is invalid for other P2P interfaces.
After this command is run, the OSICP negotiation status of a PPP interface affects the status
of an IS-IS interface. When PPP detects that the OSI network fails, the link status of the IS-
IS interface goes Down and the routes of the network segment where the interface resides
are not advertised through LSPs.
i. (Optional) Configure a delay for the IS-IS neighbor relationship establishment.
Run:
If a new delay-interval is configured and it is less than the remaining time of the
ongoing delay, the new delay-interval takes effect immediately; if the new delay-
interval is greater than the remaining time of the ongoing delay, the ongoing delay
continues until the new delay-interval takes effect at the next delay.
----End
Context
The destination address and mask of a default route are all 0s. If the destination address of a
packet does not match any entry in the routing table of a device, the device sends the packet
along the default route. If neither the default route nor the destination address of the packet
exists in the routing table, the device discards the packet and informs the source end that the
destination address or network is unreachable.
IS-IS can generate default routes using either of the following mode: