Quidway S9300 Terabit Routing Switch V100R003C00 Configuration Guide - SPU Issue 02 Date 2010-07-15 HUAWEI TECHNOLOGIES CO., LTD.


Page 1: Configuration Guide - SPU(V100R003C00_02)

Quidway S9300 Terabit Routing Switch V100R003C00

Configuration Guide - SPU

Issue 02

Date 2010-07-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2010-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

i


About This Document

Intended Audience

This document provides the concepts, configuration procedures, and configuration examples supported by the S9300 SPU.

This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol: Description

DANGER: Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

WARNING: Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

CAUTION: Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

TIP: Indicates a tip that may help you solve a problem or save time.

NOTE: Provides additional information to emphasize or supplement important points of the main text.


Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description

Boldface: The keywords of a command line are in boldface.

Italic: Command arguments are in italics.

[ ]: Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n>: The parameter before the & sign can be repeated 1 to n times.

#: A line starting with the # sign is a comment.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2010-07-15)

Compared with issue 01, the changes of this version are as follows.

The application of firewall load balance is added.

Updates in Issue 01 (2010-04-30)

Initial commercial release.


Contents

About This Document ... iii

1 Configuration Differences Between SPU and S9300 ... 1-1
1.1 Configuration Differences ... 1-3
1.2 Basic Configuration Differences ... 1-3
1.3 Ethernet Configuration Differences ... 1-4
1.4 IP Service Configuration Differences ... 1-5
1.5 IP Routing Configuration Differences ... 1-7
1.6 QoS Configuration Differences ... 1-10
1.7 Security Configuration Differences ... 1-11
1.8 Reliability Configuration Differences ... 1-13
1.9 Device Management Configuration Differences ... 1-14
1.10 Network Management Differences ... 1-15
1.11 VPN Configuration Differences ... 1-18

2 SPU Pre-Configuration ... 2-1
2.1 Overview of the SPU Pre-Configuration ... 2-2
2.2 Configuring a Service Type ... 2-3
2.2.1 Establishing the Configuration Task ... 2-3
2.2.2 Configuring a Service Type ... 2-3
2.2.3 Checking the Configuration ... 2-4
2.3 Configuring Layer 2 Flow Import ... 2-4
2.3.1 Establishing the Configuration Task ... 2-4
2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated ... 2-6
2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated ... 2-6
2.4 Configuring Layer 3 Flow Import ... 2-6
2.4.1 Establishing the Configuration Task ... 2-7
2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated ... 2-9
2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated ... 2-9
2.5 Configuring Traffic Mirroring ... 2-9
2.5.1 Establishing the Configuration Task ... 2-9
2.5.2 Configuring Traffic Mirroring ... 2-10

3 Firewall Configuration ... 3-1
3.1 Firewall Overview ... 3-3


3.2 Firewall Features Supported by the SPU ... 3-3
3.3 Configuring Zones ... 3-9
3.3.1 Establishing the Configuration Task ... 3-10
3.3.2 Creating a Zone ... 3-10
3.3.3 Adding an Interface to the Zone ... 3-11
3.3.4 Creating an Interzone ... 3-11
3.3.5 Enabling Firewall in the Interzone ... 3-12
3.3.6 Checking the Configuration ... 3-12
3.4 Configuring the Packet Filtering Firewall ... 3-13
3.4.1 Establishing the Configuration Task ... 3-13
3.4.2 Configuring ACL-based Packet Filtering in an Interzone ... 3-14
3.4.3 Checking the Configuration ... 3-14
3.5 Configuring the Blacklist ... 3-15
3.5.1 Establishing the Configuration Task ... 3-15
3.5.2 Enabling the Blacklist Function ... 3-16
3.5.3 Adding IP Addresses to the Blacklist Manually ... 3-16
3.5.4 Checking the Configuration ... 3-17
3.6 Configuring the Whitelist ... 3-17
3.6.1 Establishing the Configuration Task ... 3-18
3.6.2 Adding Entries to the Whitelist ... 3-18
3.6.3 Checking the Configuration ... 3-19
3.7 Configuring ASPF ... 3-19
3.7.1 Establishing the Configuration Task ... 3-20
3.7.2 Configuring ASPF Detection ... 3-20
3.7.3 Checking the Configuration ... 3-21
3.8 Configuring Port Mapping ... 3-21
3.8.1 Establishing the Configuration Task ... 3-21
3.8.2 Configuring Port Mapping ... 3-22
3.8.3 Checking the Configuration ... 3-23
3.9 Configuring the Aging Time of the Firewall Session Table ... 3-23
3.9.1 Establishing the Configuration Task ... 3-23
3.9.2 Configuring the Aging Time of the Firewall Session Table ... 3-24
3.9.3 Checking the Configuration ... 3-24
3.10 Configuring the Transparent Firewall ... 3-25
3.10.1 Establishing the Configuration Task ... 3-25
3.10.2 Configuring the Transparent Firewall ... 3-26
3.10.3 Checking the Configuration ... 3-27
3.11 Configuring the Attack Defense Function ... 3-27
3.11.1 Establishing the Configuration Task ... 3-28
3.11.2 Enabling the Attack Defense Function ... 3-28
3.11.3 Setting the Parameters of Flood Attack Defense ... 3-31
3.11.4 Configuring Large ICMP Packet Attack Defense ... 3-32


3.11.5 Setting Parameters of Scanning Attack Defense ... 3-32
3.11.6 Checking the Configuration ... 3-33
3.12 Configuring Traffic Statistics and Monitoring ... 3-33
3.12.1 Establishing the Configuration Task ... 3-34
3.12.2 Enabling Traffic Statistics and Monitoring ... 3-35
3.12.3 Setting the Session Thresholds ... 3-36
3.12.4 Checking the Configuration ... 3-37
3.13 Configuring the Log Function ... 3-39
3.13.1 Establishing the Configuration Task ... 3-39
3.13.2 Enabling the Log Function on the Firewall ... 3-40
3.13.3 Setting the Parameters of Logs ... 3-40
3.13.4 Checking the Configuration ... 3-41
3.14 Maintaining the Firewall ... 3-42
3.14.1 Displaying the Firewall Configuration ... 3-42
3.14.2 Clearing the Statistics of the Firewall ... 3-43
3.15 Configuration Examples ... 3-43
3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall ... 3-44
3.15.2 Example for Configuring ASPF and Port Mapping ... 3-47
3.15.3 Example for Configuring the Blacklist ... 3-51
3.15.4 Example for Configuring the Transparent Firewall ... 3-55

4 NAT Configuration ... 4-1
4.1 NAT Overview ... 4-2
4.2 NAT Features Supported by the SPU ... 4-3
4.3 Configuring NAT ... 4-6
4.3.1 Establishing the Configuration Task ... 4-7
4.3.2 Configuring an Address Pool ... 4-8
4.3.3 Associating an ACL with an Address Pool ... 4-8
4.3.4 Configuring Easy IP ... 4-9
4.3.5 Configuring an Internal NAT Server ... 4-9
4.3.6 Configuring Static NAT ... 4-10
4.3.7 Enabling NAT ALG ... 4-10
4.3.8 Configuring DNS Mapping ... 4-11
4.3.9 Configuring Twice NAT ... 4-11
4.3.10 Checking the Configuration ... 4-12
4.4 Configuration Examples ... 4-14
4.4.1 Example for Configuring the NAT Server ... 4-14
4.4.2 Example for Configuring Static NAT ... 4-18
4.4.3 Example for Configuring Outbound NAT ... 4-21
4.4.4 Example for Configuring Twice NAT ... 4-25

5 IPSec Configuration ... 5-1
5.1 IPSec Overview ... 5-2
5.2 IPSec Features Supported by the SPU ... 5-3


5.3 Establishing an IPSec Tunnel Manually ... 5-4
5.3.1 Establishing the Configuration Task ... 5-4
5.3.2 Defining Data Flows to Be Protected ... 5-5
5.3.3 Configuring an IPSec Proposal ... 5-6
5.3.4 Configuring an IPSec Policy ... 5-7
5.3.5 (Optional) Configuring an IPSec Policy Template ... 5-8
5.3.6 Setting the Global Lifetime of SAs ... 5-9
5.3.7 Applying an IPSec Policy Group to a Sub-interface ... 5-10
5.3.8 Checking the Configuration ... 5-10
5.4 Establishing an IPSec Tunnel Through IKE Negotiation ... 5-10
5.4.1 Establishing the Configuration Task ... 5-11
5.4.2 Defining Data Flows to Be Protected ... 5-12
5.4.3 Configuring the Local Host Name Used in IKE Negotiation ... 5-13
5.4.4 Configuring an IKE Proposal ... 5-13
5.4.5 Configuring an IKE Peer ... 5-14
5.4.6 Configuring an IPSec Proposal ... 5-16
5.4.7 Configuring an IPSec Policy ... 5-17
5.4.8 (Optional) Configuring an IPSec Policy Template ... 5-18
5.4.9 (Optional) Setting Optional Parameters ... 5-19
5.4.10 Applying an IPSec Policy to a Sub-interface ... 5-20
5.4.11 Checking the Configuration ... 5-21
5.5 Maintaining IPSec ... 5-21
5.5.1 Displaying the IPSec Configuration ... 5-21
5.5.2 Clearing IPSec Information ... 5-22
5.6 Configuration Examples ... 5-22
5.6.1 Example for Establishing an SA Manually ... 5-23
5.6.2 Example for Establishing an SA Through IKE Negotiation ... 5-29

6 NetStream Configuration ... 6-1
6.1 Overview of NetStream ... 6-2
6.2 NetStream Features Supported by the SPU ... 6-3
6.3 Collecting IPv4 Traffic Statistics ... 6-4
6.3.1 Establishing the Configuration Task ... 6-4
6.3.2 Enabling NetStream on an Interface ... 6-5
6.3.3 (Optional) Configuring the Version of Exported Packets ... 6-5
6.3.4 Setting the Destination Address of the Statistics ... 6-6
6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag ... 6-6
6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic ... 6-7
6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic ... 6-7
6.3.8 Checking the Configuration ... 6-8
6.4 Collecting IPv6 Traffic Statistics ... 6-8
6.4.1 Establishing the Configuration Task ... 6-8
6.4.2 Enabling NetStream on an Interface ... 6-9


6.4.3 Setting the Destination Address of the Statistics ... 6-9
6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag ... 6-10
6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic ... 6-11
6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic ... 6-11
6.4.7 Checking the Configuration ... 6-11
6.5 Collecting MPLS Traffic Statistics ... 6-12
6.5.1 Establishing the Configuration Task ... 6-12
6.5.2 Enabling NetStream on an Interface ... 6-13
6.5.3 (Optional) Configuring the Version of Exported Packets ... 6-13
6.5.4 Setting the Destination Address of the Statistics ... 6-14
6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic ... 6-14
6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic ... 6-15
6.5.7 Checking the Configuration ... 6-15
6.6 Configuring the Aggregation Statistics About Traffic ... 6-15
6.6.1 Establishing the Configuration Task ... 6-16
6.6.2 Enabling NetStream on an Interface ... 6-16
6.6.3 Configuring the Aggregation Function ... 6-17
6.6.4 (Optional) Configuring the Version of Exported Packets ... 6-17
6.6.5 (Optional) Configuring the Export of Statistics ... 6-18
6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic ... 6-19
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic ... 6-19
6.6.8 Checking the Configuration ... 6-19
6.7 Configuring the Flexible NetStream Feature ... 6-19
6.7.1 Establishing the Configuration Task ... 6-20
6.7.2 Creating a Record and Entering the Record View ... 6-20
6.7.3 Configuring Aggregation Key Words of Records ... 6-21
6.7.4 (Optional) Configuring the Exported Traffic Statistics ... 6-21
6.7.5 Enabling Flexible NetStream on Interfaces ... 6-22
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface ... 6-22
6.7.7 Checking the Configuration ... 6-23
6.8 Example for Configuring NetStream ... 6-23
6.8.1 Example for Configuring IPv4 Traffic Statistics ... 6-23
6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic ... 6-26
6.8.3 Example for Configuring Flexible NetStream Traffic Statistics ... 6-32

7 Load Balancing Configuration ... 7-1
7.1 Load Balancing Overview ... 7-2
7.2 Load Balancing Features Supported by the SPU ... 7-5
7.3 Configuring Egress Link Load Balancing ... 7-13
7.3.1 Establishing the Configuration Task ... 7-14
7.3.2 (Optional) Configuring a NAT Address Pool ... 7-15
7.3.3 (Optional) Configuring Link Health Detection ... 7-16
7.3.4 Configuring a Link ... 7-18


7.3.5 Configuring a Link Group ........ 7-19
7.3.6 Configuring a Layer 7 Classifier ........ 7-21
7.3.7 Configuring a Load Balancing Action ........ 7-22
7.3.8 Configuring an ACL ........ 7-23
7.3.9 (Optional) Configuring a Connection Parameter Profile ........ 7-24
7.3.10 Configuring a Layer 3 Classifier ........ 7-25
7.3.11 Configuring a Load Balancing Policy ........ 7-26
7.3.12 Applying the Load Balancing Policy ........ 7-27
7.3.13 Checking the Configuration ........ 7-27

7.4 Configuring Server Load Balancing ........ 7-28
7.4.1 Establishing the Configuration Task ........ 7-29
7.4.2 (Optional) Configuring an NAT Address Pool ........ 7-30
7.4.3 (Optional) Configuring Server Health Detection ........ 7-31
7.4.4 Configuring a Server ........ 7-35
7.4.5 Configuring a Server Group ........ 7-37
7.4.6 (Optional) Configuring Session Stickiness ........ 7-40
7.4.7 Configuring a Layer 7 Classifier ........ 7-42
7.4.8 Configuring a Load Balancing Action ........ 7-43
7.4.9 Configuring an ACL ........ 7-44
7.4.10 (Optional) Configuring a Connection Parameter Profile ........ 7-45
7.4.11 (Optional) Configuring an HTTP Parameter Profile ........ 7-46
7.4.12 Configuring a Layer 3 Classifier ........ 7-46
7.4.13 Configuring a Load Balancing Policy ........ 7-48
7.4.14 Applying the Load Balancing Policy ........ 7-49
7.4.15 Checking the Configuration ........ 7-49

7.5 Configuring Firewall Load Balancing ........ 7-50
7.6 Configuration Examples ........ 7-54

7.6.1 Example for Configuring Egress Link Load Balancing ........ 7-54
7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode ........ 7-62
7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode ........ 7-72
7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode ........ 7-83
7.6.5 Example for Configuring Session Stickiness ........ 7-95
7.6.6 Example for Configuring Standard Firewall Load Balancing ........ 7-107

8 Dual-System HSB Configuration ........ 8-1
8.1 Dual-System HSB Overview ........ 8-2
8.2 Dual-System HSB Features Supported by the SPU ........ 8-2
8.3 Configuring Dual-System HSB ........ 8-3

8.3.1 Establishing the Configuration Task ........ 8-4
8.3.2 Enabling Dual-System HSB ........ 8-5
8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized ........ 8-5
8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets ........ 8-6


8.3.5 Checking the Configuration ........ 8-7
8.4 Maintaining Dual-System HSB ........ 8-7

8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules ........ 8-7
8.5 Configuration Examples of Dual-System HSB ........ 8-7

8.5.1 Example for Configuring Dual-System HSB on the S9300 ........ 8-8
8.5.2 Example for Configuring Dual-System HSB Between S9300s ........ 8-17


Figures

Figure 2-1 Mapping between interfaces on the S9300 and SPU ........ 2-2
Figure 2-2 Importing Layer 2 flows if interfaces are aggregated ........ 2-5
Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated ........ 2-6
Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated ........ 2-8
Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated ........ 2-8
Figure 3-1 Limiting the number of sessions initiated by external server ........ 3-6
Figure 3-2 Networking of ACL-based packet filtering ........ 3-44
Figure 3-3 Networking of ASPF and port mapping ........ 3-48
Figure 3-4 Networking of blacklist configuration ........ 3-52
Figure 3-5 Networking of transparent firewall configuration ........ 3-55
Figure 4-1 Networking of NAT ........ 4-2
Figure 4-2 Networking of PAT ........ 4-4
Figure 4-3 Networking of twice NAT ........ 4-5
Figure 4-4 Networking diagram for configuring the NAT server ........ 4-15
Figure 4-5 Networking diagram for configuring static NAT ........ 4-18
Figure 4-6 Networking diagram for configuring outbound NAT ........ 4-22
Figure 4-7 Networking diagram for configuring twice NAT ........ 4-25
Figure 5-1 Packets format in transport mode ........ 5-2
Figure 5-2 Packets format in tunnel mode ........ 5-3
Figure 5-3 Networking diagram for establishing an SA manually ........ 5-23
Figure 5-4 Networking for establishing an SA through IKE negotiation ........ 5-29
Figure 6-1 Diagram of NetStream data collection and analysis ........ 6-2
Figure 6-2 Networking diagram for configuring NetStream ........ 6-23
Figure 6-3 Networking diagram of NetStream aggregation ........ 6-27
Figure 6-4 Networking diagram for configuring Flexible NetStream ........ 6-32
Figure 7-1 Typical networking of egress link load balancing ........ 7-6
Figure 7-2 Typical networking of server load balancing in DNAT mode ........ 7-8
Figure 7-3 Typical networking of server load balancing in DMAC mode ........ 7-9
Figure 7-4 Typical networking of firewall load balancing ........ 7-11
Figure 7-5 Networking of standard firewall load balancing ........ 7-12
Figure 7-6 Networking of transparent firewall load balancing ........ 7-12
Figure 7-7 Networking for combining firewall load balancing and server load balancing ........ 7-12
Figure 7-8 Networking diagram for configuring egress link load balancing ........ 7-55


Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode ........ 7-63
Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode ........ 7-73
Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode ........ 7-84
Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode ........ 7-96
Figure 7-13 Networking for configuring standard firewall load balancing ........ 7-108
Figure 8-1 Networking of dual-system HSB ........ 8-2
Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300 ........ 8-8
Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s ........ 8-18


1 Configuration Differences Between SPU and S9300

About This Chapter

Read this chapter before configuring the SPU. This chapter helps you understand the functions and features of the SPU and find the location of each feature in the manual.

1.1 Configuration Differences
This section describes the differences between the configurations of the SPU and the S9300.

1.2 Basic Configuration Differences
This section describes the differences between the basic configurations of SPU and S9300.

1.3 Ethernet Configuration Differences
This section describes the differences between the Ethernet configurations of SPU and S9300.

1.4 IP Service Configuration Differences
This section describes the differences between the IP service configurations of SPU and S9300.

1.5 IP Routing Configuration Differences
This section describes the differences between the IP routing configurations of SPU and S9300.

1.6 QoS Configuration Differences
This section describes the differences between the QoS configurations of SPU and S9300.

1.7 Security Configuration Differences
This section describes the differences between the security configurations of SPU and S9300.

1.8 Reliability Configuration Differences
This section describes the differences between the reliability configurations of SPU and S9300.

1.9 Device Management Configuration Differences
This section describes the differences between the device management configurations of SPU and S9300.

1.10 Network Management Differences
This section describes the differences between the network management configurations of SPU and S9300.

1.11 VPN Configuration Differences
This section describes the differences between the VPN configurations of SPU and S9300.


1.1 Configuration Differences
This section describes the differences between the configurations of the SPU and the S9300.

Functions of the SPU

The functions exclusively provided by the SPU include firewall, NAT, IPSec, NetStream, load balancing, and dual-system hot standby.

The following chapters of this manual describe the functions exclusively provided by the SPU.

Functions of the SPU and the S9300

The method of configuring these functions is the same as that on the S9300. The differences are as follows:

- On the S9300, these commands are run on the Ethernet interface, GE interface, XGE interface, or VLANIF interface. On the SPU, these commands are run on the XGE interface, the Eth-Trunk containing XGE interfaces, the XGE sub-interface, or the sub-interface of the Eth-Trunk containing XGE interfaces. For example:

  On the S9300, the arp expire-time expire-time command is used on the VLANIF interface.

  On the SPU, the arp expire-time expire-time command is used on the XGE interface.

- None of the SPU commands supports the slot slot-id parameter. For example:

  The command on the S9300 is display bfd ttl [ slot slot-id ].

  The command on the SPU is display bfd ttl.

- The SPU does not support IPv6- or MPLS-related functions or parameters.

NOTE

For details about the common functions, see the S9300 Configuration Guide.

1.2 Basic Configuration Differences
This section describes the differences between the basic configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: CLI Overview
  Sub-feature: The SPU supports all sub-features of the CLI Overview.
  Difference: See Common Differences.

Feature: How to Use Interfaces
  Sub-feature: The SPU supports all sub-features of How to Use Interfaces.
  Difference: See Common Differences.

Feature: Basic configurations
  Sub-feature: Basic Configuration Introduction
  Difference: See Common Differences.
  Sub-feature: Configuring the Basic System Environment
  Difference: The SPU does not support the setting of the system clock.
  Sub-feature: Configuring Basic User Environment
  Difference: See Common Differences.
  Sub-feature: Displaying System Status Messages
  Difference: See Common Differences.

Feature: User Management
  Sub-feature: The SPU supports all sub-features of User Management.
  Difference: See Common Differences.

Feature: File System Management
  Sub-feature: The SPU supports all sub-features of File System Management.
  Difference: See Common Differences.

Feature: Management of Configuration Files
  Sub-feature: The SPU supports all sub-features of the Management of Configuration Files.
  Difference: See Common Differences.
  NOTE: The SPU configuration file must be backed up on both the SPU and the S9300.

Feature: FTP and TFTP
  Sub-feature: The SPU supports all sub-features of FTP and TFTP.
  Difference: See Common Differences.

Feature: Telnet and SSH
  Sub-feature: The SPU supports all sub-features of Telnet and SSH.
  Difference: See Common Differences.

1.3 Ethernet Configuration Differences
This section describes the differences between the Ethernet configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: Ethernet interface
  Sub-feature: Configuring basic attributes of the Ethernet interface
  Difference: The SPU supports only (Optional) Configuring the Description.
  Sub-feature: Configuring advanced attributes of the Ethernet interface
  Difference: The SPU supports only (Optional) Assigning an IP Address to an Ethernet Sub-interface.

Feature: Link aggregation
  Sub-feature: Configuring Link Aggregation in Manual Load Balancing Mode (Configuration example: Example for Configuring Link Aggregation in Manual Load Balancing Mode)
  Difference: An Eth-Trunk of the SPU contains a maximum of 2 member interfaces. By default, the maximum number of interfaces that determine the bandwidth of the Eth-Trunk is 2.
  Sub-feature: Configuring an Eth-Trunk Sub-interface
  Difference: See Common Differences.

Feature: VLAN
  Sub-feature: Configuring Sub-interfaces to Implement Layer-3 Communication (Configuration example: Example for Implementing Communication Between VLANs Through Sub-interfaces)
  Difference: See Common Differences.

Feature: ARP
  Sub-feature: Configuring ARP (Configuration example: Example for Configuring ARP)
  Difference: See Common Differences.
  Sub-feature: Configuring Routed Proxy ARP (Configuration example: Example for Configuring Routed Proxy ARP)
  Difference: See Common Differences.
  Sub-feature: Configuring ARPing-IP
  Difference: See Common Differences.
  Sub-feature: Maintaining ARP
  Difference: See Common Differences.

1.4 IP Service Configuration Differences
This section describes the differences between the IP service configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table lists all the IP service features of the SPU.


Feature: IP address configuration
  Sub-feature: IP address unnumbered (Configuration example: Example for Configuring a Tunnel Interface to Borrow the IP Address of a Loopback Interface)
  Configuration tasks: Establishing the Configuration Task; Setting the Primary IP Address; Setting the Unnumbered IP Address; Checking the Configuration
  Difference: Not supported by the SPU.

Feature: DHCP
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: IP session
  Sub-feature: Configuring IP Session
  Configuration tasks: -
  Difference: The SPU supports only (Optional) Binding a VPN Instance to an Interface.

Feature: IP performance
  Sub-feature: IP performance optimization (Configuration examples: Example for Disabling the Sending of ICMP Redirection Packets; Example for Disabling the Sending of ICMP Host Unreachable Packets; Example for Optimizing System Performance by Discarding Certain ICMP Packets)
  Configuration tasks: Enabling an Interface to Check the Source IP Addresses of Packets; Setting ICMP Parameters; (Optional) Setting the Load Balancing Mode of IP Packet Forwarding
  Difference: Not supported by the SPU.
  Sub-feature: IP performance optimization
  Configuration tasks: Checking the Configuration
  Difference: See Common Differences.
  Sub-feature: IP performance maintenance
  Configuration tasks: Monitoring the Running Status of IP Performance
  Difference: See Common Differences.

Feature: IP unicast PBR
  Sub-feature: Configuration example
  Configuration tasks: Example for Configuring PBR Based on the Protocol Type; Example for Configuring PBR Based on the Packet Length; Example for Configuring Flow-based PBR
  Difference: See Common Differences.

Feature: UDP Helper
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: DNS
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: Basic IPv6 configurations
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: IPv6 DNS
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: IPv6 over IPv4
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: IPv4 over IPv6
  Sub-feature: -
  Configuration tasks: -
  Difference: Not supported by the SPU.

1.5 IP Routing Configuration Differences
This section describes the differences between the IP routing configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: IP Routing Overview
  Sub-feature: The SPU supports all sub-features of the IP Routing Overview.
  Difference: See Common Differences.

Feature: Static route
  Sub-feature: Configuring an IPv4 Static Route (Configuration example: Example for Configuring Static Routes)
  Difference: The SPU does not support IPv6-related configurations.
  Sub-feature: Configuring BFD for IPv4 Static Routes in the Public Network (Configuration example: Example for Configuring BFD for IPv4 Static Routes)
  Difference: The SPU does not support IPv6-related configurations.

Feature: RIP Configuration
  Sub-feature: The SPU supports all sub-features of the RIP Configuration.
  Difference: See Common Differences.

Feature: OSPF Configuration
  Sub-feature: The SPU supports all sub-features of the OSPF Configuration.
  Difference: See Common Differences.

Feature: IS-IS Configuration
  Sub-feature: The SPU supports all sub-features of the IS-IS Configuration.
  Difference: See Common Differences.

Feature: BGP
  Sub-features:
    - Configuring Basic BGP Functions (Configuration example: Example for Configuring Basic BGP Functions)
    - Configuring BGP Route Attributes
    - Configuring BGP Filters (Configuration example: Example for Configuring AS-Path Filter)
    - Controlling the Advertisement of BGP Routing Information
    - Controlling the Import of Routing Information (Configuration example: Example for Configuring BGP to Interact With an IGP)
    - Configuring BGP Route Dampening
    - Configuring Parameters of a BGP Peer Connection
    - Configuring BGP Tracking
    - Configuring BGP Load Balancing (Configuration example: Example for Configuring BGP Load Balancing and Setting the MED)
    - Configuring a BGP Confederation (Configuration example: Example for Configuring a BGP Confederation)
    - Configuring a BGP Route Reflector (Configuration example: Example for Configuring a BGP RR)
    - Configuring BGP Accounting (Configuration example: Example for Configuring the BGP Accounting)
    - Configuring BFD for BGP (Configuration example: Example for Configuring BFD for BGP)
    - Configuring BGP Auto FRR (Configuration example: Example for Configuring BGP Auto FRR)
    - Configuring a BGP Peer Group (Configuration example: Example for Configuring the BGP Community Attribute)
    - Configuring BGP GR
    - Configuring BGP Security (Configuration example: Example for Configuring BGP GTSM)
  Difference (applies to all BGP sub-features above): The SPU does not support IPv6-related configurations.

Feature: Routing policy
  Sub-features:
    - Configuring the IP-Prefix List
    - Configuring the Route-Policy
    - Applying Filters to Received Routes; Applying Filters to Advertised Routes (Configuration example: Example for Filtering the Received and Advertised Routes)
    - Applying Filters to Imported Routes (Configuration example: Example for Applying a Routing Policy to the Imported Routes)
    - Controlling the Valid Time of the Routing Policy
  Difference (applies to all routing policy sub-features above): The SPU does not support the configurations related to IPv6, MPLS, FRR, and VPN.

1.6 QoS Configuration Differences
This section describes the differences between the QoS configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: Class-based QoS Configuration
  Sub-feature: Configuring Priority Mapping Based on Simple Traffic Classification
  Difference: See Common Differences.
  Sub-feature: Configuring Complex Traffic Classification (Configuration examples: Example for Re-marking the Priorities Based on Complex Traffic Classification; Example for Filtering Packets Based On Complex Traffic Classification)
  Difference: In Creating a Traffic Classifier Based on Layer 3 Information, the SPU does not support:
    - if-match cvlan-8021p { 8021p-value } &<1-8>
    - if-match discard
    - if-match inbound-interface interface-type interface-number
    - if-match vlan-8021p 8021p-value &<1-8>
  Sub-feature: Configuring a Traffic Behavior
  Difference: The SPU does not support URPF.
  Sub-feature: Maintaining Class-based QoS
  Difference: In Clearing the Flow-based Traffic Statistics, only the inbound interface supports: reset traffic policy statistics { global | vlan vlan-id }

Feature: Traffic Policing and Traffic Shaping Configuration
  Sub-feature: The SPU supports all sub-features of the Traffic Policing and Traffic Shaping Configuration.
  Difference: See Common Differences.

1.7 Security Configuration Differences
This section describes the differences between the security configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature Sub-feature Difference

AAA and usermanagement

AAA scheme See Common Differences.

RADIUS server template See Common Differences.

HWTACACS servertemplate

See Common Differences.

Service scheme See Common Differences.

Quidway S9300 Terabit Routing SwitchConfiguration Guide - SPU 1 Configuration Differences Between SPU and S9300

Issue 02 (2010-07-15) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

1-11

Page 28: Configuration Guide - SPU(V100R003C00_02)

Feature Sub-feature Difference

- Domain: See Common Differences.
- Local user management: See Common Differences.
- AAA and user management maintenance: See Common Differences.
- AAA and User Management Configuration (configuration example: Example for Configuring RADIUS Authentication and Accounting): See Common Differences.
- AAA and User Management Configuration (configuration example: Example for Configuring HWTACACS Authentication, Accounting, and Authorization): See Common Differences.

Feature: ACL
- ACL: The SPU does not support named ACLs or user-defined ACLs.
- Reflective ACL: The reflective ACLs can be bound only in the system view of the SPU.
- ACL maintenance: The ACL6 statistics on the SPU cannot be cleared.
- Configuring a Basic ACL (configuration example: Example for Configuring a Basic ACL): See Common Differences.
- Configuring an Advanced ACL (configuration example: Example for Configuring an Advanced ACL): See Common Differences.
- Configuring a Layer 2 ACL (configuration example: Example for Configuring a Layer 2 ACL): See Common Differences.


- Configuring Reflective ACL (configuration example: Example for Configuring the Reflective ACL Function): The reflective ACLs can be bound only in the system view of the SPU.

Feature: Attack defense configuration
- Attack defense policy configuration: On the SPU, only the CAR can be configured in the attack defense policy view, and the attack defense policy can be only bound globally.

1.8 Reliability Configuration Differences

This section describes the differences between the reliability configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: BFD
- Configuring Single-Hop BFD (configuration example: Example for Configuring Single-Hop BFD on a VLANIF Interface): The SPU does not support (Optional) Setting the Multicast IP Address of BFD or detection of IPv6 links. In Creating a BFD Session, only the BFD detection for Layer 3 interfaces is supported: bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] interface interface-type interface-number [ source-ip source-ip ]
- Configuring a Static BFD Session with Automatically Negotiated Discriminators: The SPU does not support the static BFD6 session with automatically negotiated discriminators.
- Setting the BFD Session-Up Delay: The SPU does not support the static BFD6 session with automatically negotiated discriminators.
- Adjusting the BFD Detection Parameters: See Common Differences.
- Setting the Global TTL Value: The SPU does not support the multi-hop packet TTL.


- Setting the Interval for Sending Trap Messages: See Common Differences.

Feature: VRRP
- Configuring a VRRP Backup Group (configuration examples: Example for Configuring VRRP in Master/Backup Mode; Example for Configuring VRRP in Load Balancing Mode): See Common Differences.
- Configuring VRRP to Track the Interface Status: See Common Differences.
- Configuring VRRP to Track the Interface Status (configuration example: Example for Configuring VRRP Fast Switchover): See Common Differences.
- Configuring VRRP Authentication: See Common Differences.
- Optimizing the VRRP Performance: See Common Differences.

1.9 Device Management Configuration Differences

This section describes the differences between the device management configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.


Feature: Displaying the Device Status
- Displaying the Status of the SPU: The SPU only supports:
  - Displaying Information About the S9300
  - Displaying the Version
  - Displaying the CPU Usage
  - Displaying the Interface Status
  - Displaying Alarm Information
  - Displaying Diagnostic Information

Feature: Information Center Configuration
- Configuring the Information Center: See Common Differences.
- (Optional) Configuring Information Output Modes: See Common Differences.
- Configuration example: Configuration Examples: See Common Differences.

Feature: Hardware Management
- Resetting the LPU: See Common Differences.

Feature: Rebooting
- Rebooting the S9300: The SPU does not support (Optional) Rebooting the S9300 Immediately by Pressing the Power Button.

Feature: Debugging and Diagnosis
- Debugging the S9300 (configuration example: Configuration Examples): See Common Differences.

1.10 Network Management Differences

This section describes the differences between the network management configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

The SPU supports only the SNMP, ping, and Tracert functions.


Feature: SNMP
- Configuring Basic Functions of SNMPv1: See Common Differences.
- Configuring Basic Functions of SNMPv2c: See Common Differences.
- Configuring Community-Name-based Access Control in SNMPv1: See Common Differences.
- Configuring Community-Name-based Access Control in SNMPv2c (configuration example: Example for Specifying an NMS to Manage the Switch): See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv1: See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv2c: See Common Differences.
- Configuring Basic Functions of SNMPv3: See Common Differences.
- Configuring Group-based Access Control in SNMPv3: See Common Differences.
- Configuring User-based Access Control in SNMPv3: See Common Differences.
- Configuring Authentication and Encryption Functions in SNMPv3: See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv3 (configuration examples: Example for Configuring Different NMSs to Access the Switch; Example for Configuring Different NMSs to Access the Switch (Inform Mode)): See Common Differences.


- Configuring SNMP Maintenance Information (configuration example: Example for Specifying an NMS to Manage the Switch): See Common Differences.
- Configuring the Maximum Size of the SNMP Packet: See Common Differences.
- Configuring Batch Statistics Collection (configuration example: Example for Configuring Batch Statistics Collection): See Common Differences.
- Configuring the Trap Function (configuration examples: Example for Specifying an NMS to Manage the Switch; Example for Configuring Different NMSs to Access the Switch; Example for Configuring Alarm Messages to Be Sent to the Huawei NMS): See Common Differences.
- Propagating Alarms in the Inform Mode (configuration example: Example for Configuring Different NMSs to Access the Switch (Inform Mode)): See Common Differences.
- Enabling the Extended Error Code Function on the SNMP Agent (configuration example: Example for Enabling the Extended Error Code Function on the SNMP Agent): See Common Differences.
- Configuring the SET Response Message Caching Function: See Common Differences.
- Configuring the Constant Interface Index Feature: See Common Differences.


Feature: Ping and Tracert
- Performing Ping and Tracert Operations (configuration example: Example for Performing Ping and Tracert Operations): See Common Differences.

1.11 VPN Configuration Differences

This section describes the differences between the VPN configurations of SPU and S9300.

NOTE

Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: GRE protocol
- GRE tunnel (configuration examples: Example for Configuring Static Routes on the GRE Tunnel; Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel): When the destination address of the tunnel is configured in Configuring a Tunnel Interface, the destination address cannot be set to the IP address of a VPN instance.

Feature: BGP/MPLS IP VPN
- VPN instance: The SPU supports only Creating a VPN Instance.
- Basic BGP/MPLS IP VPN: The SPU supports only Binding an Interface with a VPN Instance. For the configuration of mutual access between local VPNs, see Example for Configuring Mutual Access for Local VPNs on SPU Board.


2 SPU Pre-Configuration

About This Chapter

To use the SPU on the S9300, configure the S9300 and the SPU in advance.

2.1 Overview of the SPU Pre-Configuration
This topic describes the connection of virtual XGE interfaces between the SPU and the S9300.

2.2 Configuring a Service Type
When using the SPU, you must ensure that the service type of the SPU is consistent with the type of service actually processed by the SPU. If the original service type of the SPU is inconsistent with the required type, you need to change the service type and then restart the SPU to make the change take effect.

2.3 Configuring Layer 2 Flow Import
The S9300 and SPU are deployed in VLAN networking. After the interfaces that need to communicate with each other are grouped into the same VLAN, interworking at Layer 2 can be implemented.

2.4 Configuring Layer 3 Flow Import
After the two groups of virtual XGE interfaces that connect the SPU and the S9300 are added to the same network segment, communication at Layer 3 can be implemented.

2.5 Configuring Traffic Mirroring
When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.


2.1 Overview of the SPU Pre-Configuration

This topic describes the connection of virtual XGE interfaces between the SPU and the S9300.

Connection Mode

If the SPU is inserted into slot 5 on the S9300, virtual connections are set up between XGE 5/0/0 on the S9300 and XGE 0/0/1 on the SPU, and between XGE 5/0/1 on the S9300 and XGE 0/0/2 on the SPU. All the traffic that is forwarded or mirrored to XGE 5/0/0 and XGE 5/0/1 through flow import is processed by the SPU, as shown in Figure 2-1.

Figure 2-1 Mapping between interfaces on the S9300 and SPU (figure not reproduced; labels: Switch, XGE 5/0/0, XGE 5/0/1, XGE 0/0/1, XGE 0/0/2)

Flow Import Mode on the SPU

The SPU can process the following services:

- Firewall
- Load Balance
- IPSec
- NetStream

When the SPU is used for the first time, the service type is not configured. You must configure the corresponding service type.

When firewall, load balancing, and IPSec are used, data interworking between the S9300 and the SPU is implemented through Layer 2 or Layer 3 flow import.

When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.

The preceding four services cannot be enabled concurrently. That is, at any given moment, only one service can be used.

You can install multiple SPUs on the S9300 to provide different types of services.


2.2 Configuring a Service Type

When using the SPU, you must ensure that the service type of the SPU is consistent with the type of service actually processed by the SPU. If the original service type of the SPU is inconsistent with the required type, you need to change the service type and then restart the SPU to make the change take effect.

2.2.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring a service type.

2.2.2 Configuring a Service Type
The SPU can process four types of services to meet different service requirements.

2.2.3 Checking the Configuration
You can check the current service type before and after configuring the service type of the SPU.

2.2.1 Establishing the Configuration Task

This topic describes the pre-configuration task and data preparations for configuring a service type.

Applicable Environment

When using the SPU, you need to select a service type. Currently, the SPU can process the following services:

- Firewall
- Load Balance
- IPSec
- NetStream

Pre-configuration Tasks

You have logged in to the SPU successfully.

Data Preparation

To configure a service type, you need the following data.

No.  Data
1    Number of the type of the service to be processed by the SPU

2.2.2 Configuring a Service Type

The SPU can process four types of services to meet different service requirements.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set service-type type

The service type of the SPU is configured.

NOTE

After a service type is changed, the original service configurations no longer take effect.

The configurations of the new service type take effect after the SPU is restarted.

----End

2.2.3 Checking the Configuration

You can check the current service type before and after configuring the service type of the SPU.

Procedure

- Run the display service-type command in the system view to check the service type of the SPU.

----End

2.3 Configuring Layer 2 Flow Import

The S9300 and SPU are deployed in VLAN networking. After the interfaces that need to communicate with each other are grouped into the same VLAN, interworking at Layer 2 can be implemented.

2.3.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring Layer 2 flow import.

2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated
When firewall, load balancing, and IPSec are used, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase interface bandwidth.

2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated
Add interfaces on the LPU and virtual XGE interfaces on the S9300 to the same VLAN. Configure virtual XGE sub-interfaces on the SPU to allow packets from certain VLANs to pass.

2.3.1 Establishing the Configuration Task

This topic describes the pre-configuration task and data preparations for configuring Layer 2 flow import.


Applicable Environment

When firewall, load balancing, and IPSec are used, the LPU of the S9300 forwards traffic to the SPU for processing.

When traffic is forwarded at Layer 2:

- For the firewall and load balance services:
  - The SPU aggregates the two groups of virtual XGE service interfaces as an Eth-Trunk interface, thus providing higher bandwidth.
  - The SPU can also add interfaces on the LPUs and virtual XGE interfaces on the S9300 to the same VLAN and configure the virtual XGE sub-interfaces on the SPU to allow the packets from certain VLANs to pass.
- For the IPSec service, the SPU does not aggregate interfaces, but directly adds interfaces on the LPUs and virtual XGE interfaces on the S9300 to the same VLAN and configures the virtual XGE sub-interfaces on the SPU to allow the packets from certain VLANs to pass.

When using firewall and load balancing, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces.

- Importing Layer 2 flows if interfaces are aggregated

  As shown in Figure 2-2, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If the two groups of XGE interfaces on the S9300 and SPU are aggregated as Eth-Trunk interfaces, you need to add GE 3/0/0, Eth-Trunk 0, and Eth-Trunk 1 to the same VLAN.

  Figure 2-2 Importing Layer 2 flows if interfaces are aggregated (figure not reproduced; labels: Switch, XGE 5/0/0, XGE 5/0/1, XGE 0/0/1, XGE 0/0/2, Eth-Trunk 0, Eth-Trunk 1, GE 3/0/0, GE 3/0/1)

- Importing Layer 2 flows if interfaces are not aggregated

  As shown in Figure 2-3, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If interfaces are not aggregated, you need to add GE 3/0/0, XGE 5/0/0, and XGE 0/0/1 to the same VLAN.


Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated (figure not reproduced; labels: Switch, XGE 5/0/0, XGE 0/0/1, GE 3/0/0, GE 3/0/1)

Pre-configuration Tasks

Ensure that the SPU has been installed in the S9300 and that the SPU runs normally.

Data Preparation

To configure Layer 2 flow import, you need the following data.

No.  Data
1    Number of the Eth-Trunk interface
2    Number of the slot in which the SPU is inserted
3    ID of the VLAN to which the interfaces belong
4    Number of the slot in which the LPU is inserted

2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated

When firewall, load balancing, and IPSec are used, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase interface bandwidth.

2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated

Add interfaces on the LPU and virtual XGE interfaces on the S9300 to the same VLAN. Configure virtual XGE sub-interfaces on the SPU to allow packets from certain VLANs to pass.

2.4 Configuring Layer 3 Flow Import

After the two groups of virtual XGE interfaces that connect the SPU and the S9300 are added to the same network segment, communication at Layer 3 can be implemented.


2.4.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring Layer 3 flow import.

2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated
When firewall, load balancing, and IPSec are used, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase interface bandwidth.

2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated
Assign IP addresses to VLANIF interfaces on the S9300 and XGE sub-interfaces on the SPU to forward traffic at Layer 3.

2.4.1 Establishing the Configuration Task

This topic describes the pre-configuration task and data preparations for configuring Layer 3 flow import.

Applicable Environment

When firewall, load balancing, and IPSec are used, the LPU of the S9300 forwards traffic to the SPU for processing.

When traffic is forwarded at Layer 3:

- For the firewall and load balance services:
  - The SPU can aggregate the two groups of virtual XGE service interfaces as an Eth-Trunk interface, thus providing higher bandwidth.
  - The SPU can also add interfaces on the LPUs and virtual XGE interfaces on the S9300 to VLANs and configure IP addresses for the VLANIF interfaces and the XGE sub-interfaces on the SPU to implement Layer 3 forwarding.
- For the IPSec service, the SPU does not aggregate interfaces, but directly adds interfaces to the VLAN and configures IP addresses for VLANIF interfaces to implement Layer 3 forwarding.

When using firewall and load balancing, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces.

- Importing flows at Layer 3 if interfaces are aggregated

  As shown in Figure 2-4, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If the two groups of XGE interfaces on the S9300 and SPU are aggregated as Eth-Trunk interfaces, you need to add Eth-Trunk 0 and Eth-Trunk 1 to the same VLAN and configure the IP address of the sub-interface of Eth-Trunk 1 and the IP address of the VLANIF interface to which Eth-Trunk 0 belongs.

  NOTE

  The two IP addresses share the same network segment.


Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated (figure not reproduced; labels: Switch; XGE 5/0/0, XGE 5/0/1, Eth-Trunk 0 with VLANIF 1051 14.14.1.2/24; XGE 0/0/1, XGE 0/0/2, Eth-Trunk 1 with sub-interfaces Eth-Trunk 1.1 14.14.1.1/24 and Eth-Trunk 1.2 12.12.1.1/24; VLAN 1052; GE 3/0/0 with VLANIF 1060 13.1.1.1/24; GE 3/0/1 in VLAN 1052)

- Importing flows at Layer 3 if interfaces are not aggregated

  As shown in Figure 2-5, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If interfaces are not aggregated, you need to add XGE 5/0/0 and XGE 0/0/1 to the same VLAN and configure the IP address of the sub-interface of XGE 0/0/1 and the IP address of the VLANIF interface to which XGE 5/0/0 belongs.

  NOTE

  The two IP addresses share the same network segment.

Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated (figure not reproduced; labels: Switch; XGE 5/0/0 with VLANIF 1051 14.14.1.2/24; XGE 0/0/1 with sub-interfaces XGE 0/0/1.1 14.14.1.1/24 and XGE 0/0/1.2 12.12.1.1/24; VLAN 1052; GE 3/0/0 with VLANIF 1060 13.1.1.1/24; GE 3/0/1)

Pre-configuration Tasks

Check that the SPU is installed on the S9300.


Data Preparation

To configure Layer 3 flow import, you need the following data.

No.  Data
1    Number of the Eth-Trunk interface
2    Ethernet interface number and sub-interface number
3    IP address and mask of the sub-interface
4    Range of IDs of the VLANs to which the interfaces belong

2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated

When firewall, load balancing, and IPSec are used, you are advised to aggregate the two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase interface bandwidth.

2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated

Assign IP addresses to VLANIF interfaces on the S9300 and XGE sub-interfaces on the SPU to forward traffic at Layer 3.
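The S9300 side of the aggregated flow import described in sections 2.3 and 2.4, written out as an added configuration example. It is not taken from the guide's own procedure sections 2.3.2 and 2.4.2, whose step lists are not reproduced on this page. It assumes the SPU sits in slot 5 (Figure 2-1) and uses the VLAN IDs and addresses from Figure 2-4: VLAN 1051 with VLANIF 1051 at 14.14.1.2/24 facing the SPU, and VLAN 1060 with VLANIF 1060 at 13.1.1.1/24 behind GE 3/0/0. The Eth-Trunk, VLAN and VLANIF commands used (vlan batch, interface eth-trunk, eth-trunk, port link-type, port trunk allow-pass vlan, port default vlan, interface vlanif, ip address) are standard S9300 commands that this page does not list. Lines starting with # are annotations, not commands. The SPU-side Eth-Trunk 1 and its sub-interface Eth-Trunk 1.1 (14.14.1.1/24) are configured on the SPU and are not shown.

```text
# S9300 side, Layer 3 flow import with aggregated interfaces (added example).
# Assumes the SPU is in slot 5, so XGE 5/0/0 and XGE 5/0/1 are its virtual interfaces.
system-view
vlan batch 1051 1060

# Eth-Trunk 0 bundles the two virtual XGE interfaces that face the SPU.
# It is a trunk port so that the VLAN 1051 tag reaches the SPU sub-interface Eth-Trunk 1.1.
interface eth-trunk 0
 port link-type trunk
 port trunk allow-pass vlan 1051
 quit
interface xgigabitethernet 5/0/0
 eth-trunk 0
 quit
interface xgigabitethernet 5/0/1
 eth-trunk 0
 quit

# VLANIF 1051 is the S9300 end of the segment shared with Eth-Trunk 1.1 on the SPU:
# 14.14.1.2/24 and 14.14.1.1/24 are in the same network segment, as the NOTE above requires.
interface vlanif 1051
 ip address 14.14.1.2 255.255.255.0
 quit

# GE 3/0/0 on the LPU hands traffic to the switch in VLAN 1060; VLANIF 1060 is its gateway,
# so the switch routes between 13.1.1.0/24 and the SPU segment 14.14.1.0/24.
interface gigabitethernet 3/0/0
 port link-type access
 port default vlan 1060
 quit
interface vlanif 1060
 ip address 13.1.1.1 255.255.255.0
 quit
```

For the Layer 2 case in section 2.3 the VLANIF interfaces are omitted and GE 3/0/0 is placed in the same VLAN as Eth-Trunk 0, so the switch bridges the frames to the SPU instead of routing them. Without aggregation, the same VLAN and VLANIF commands apply to XGE 5/0/0 directly instead of to Eth-Trunk 0, as Figure 2-5 shows. The VLANIF addresses can be checked with display ip interface brief before bringing the SPU service online.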

2.5 Configuring Traffic Mirroring

When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.

2.5.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring traffic mirroring.

2.5.2 Configuring Traffic Mirroring
To mirror traffic to the SPU, perform the following configurations on the S9300.

2.5.1 Establishing the Configuration Task

This topic describes the pre-configuration task and data preparations for configuring traffic mirroring.

Applicable Environment

When NetStream is used, the LPU of the S9300 mirrors traffic to the SPU for traffic classification and traffic statistics.

Pre-configuration Tasks

Check that the SPU is installed on the S9300.


Data Preparation

To configure traffic mirroring, you need the following data.

No.  Data
1    Type and number of an observing interface
2    Mirrored interface
3    (Optional) Direction of the traffic to be mirrored
4    (Optional) Defined name of the traffic behavior and corresponding parameters
5    (Optional) Number, matching order, and rule of an ACL
6    (Optional) Defined name and rule of a traffic identifier
7    (Optional) Name of a traffic policy

2.5.2 Configuring Traffic Mirroring

To mirror traffic to the SPU, perform the following configurations on the S9300.

Context

When NetStream is used, traffic on the S9300 is mirrored to the master CPU on the SPU in port mirroring or traffic mirroring mode. All configurations are performed on the S9300.

Procedure

- Configuring port mirroring

  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     observe-port [ observe-port-index ] interface interface-type interface-number

     The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.

  3. Run:
     interface interface-type interface-number

     The view of the mirrored interface to be observed is displayed.

  4. Run:
     port-mirroring to observe-port observe-port-index { both | inbound | outbound }

     The port mirroring function is configured to mirror the traffic that is imported or exported through this interface to the observing interface configured in step 2.

- Configuring traffic mirroring


  1. Run:
     system-view

     The system view is displayed.

  2. Run:
     observe-port [ observe-port-index ] interface interface-type interface-number

     The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.

  3. Run:
     acl [ number ] acl-number [ match-order { auto | config } ]

     An ACL is created and the ACL view is displayed.

  4. Run:
     rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-name ] *

     A rule is added in this ACL view. Only the traffic that matches the permit rule can be mirrored to the observing interface.

  5. Run:
     quit

     Exit from the ACL view.

  6. Run:
     traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ]

     A traffic classifier is created and the traffic classifier view is displayed.

  7. Run:
     if-match [ ipv6 ] acl acl-number

     The rule for classifying traffic based on the ACL is configured.

  8. Run:
     quit

     Exit from the traffic classifier view.

  9. Run:
     traffic behavior behavior-name

     A traffic behavior is created and the traffic behavior view is displayed.

  10. Run:
      mirroring to observing-port observe-port-index

      The traffic that meets the rule is configured to be mirrored to the observing interface configured in step 2.

  11. Run:
      quit

      Exit from the traffic behavior view.

  12. Run:
      traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed.


  13. Run:
      classifier classifier-name behavior behavior-name

      The traffic classifier is bound to the traffic behavior.

  14. Run:
      quit

      Exit from the traffic policy view.

  15. Run:
      interface interface-type interface-number

      The interface view is displayed.

  16. Run:
      traffic-policy policy-name { inbound | outbound }

      The traffic policy is applied to the interface.

----End
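The two mirroring procedures above, filled in with concrete values as an added example; it is not one of the guide's own configuration examples. It assumes the SPU sits in slot 5 as in Figure 2-1 and that XGE 5/0/0 is the virtual XGE interface corresponding to the SPU master CPU (the guide does not say which of the two virtual interfaces that is). The ACL number 2000, the source subnet 10.1.1.0/24, and the names c1, b1 and p1 are constructed. Every command is one of the steps listed above; lines starting with # are annotations, not commands.

```text
# Common to both modes: enter the system view and define observing port 1 as the
# virtual XGE interface leading to the SPU master CPU (assumption: XGE 5/0/0, SPU in slot 5).
system-view
observe-port 1 interface xgigabitethernet 5/0/0

# Mode 1: port mirroring (steps 1-4). Everything entering GE 3/0/0 is copied to the SPU.
interface gigabitethernet 3/0/0
 port-mirroring to observe-port 1 inbound
 quit

# Mode 2: traffic mirroring (steps 1-16). Only packets matching a permit rule of ACL 2000
# are copied to the SPU. Use this instead of mode 1 when only part of the traffic is of interest.
acl number 2000 match-order config
 rule 5 permit source 10.1.1.0 0.0.0.255
 quit
# The classifier matches the ACL, the behavior mirrors to observing port 1,
# and the policy binds the two.
traffic classifier c1 operator or
 if-match acl 2000
 quit
traffic behavior b1
 mirroring to observing-port 1
 quit
traffic policy p1
 classifier c1 behavior b1
 quit
# Apply the policy in the inbound direction of the LPU interface that carries the traffic.
interface gigabitethernet 3/0/0
 traffic-policy p1 inbound
 quit
```

Configure one mode or the other on a given interface, not both. With traffic mirroring, packets that match no permit rule are still forwarded normally; they are simply not copied, which keeps the NetStream load on the SPU limited to the flows that are meant to be accounted for. The direction keyword (inbound here; both or outbound are the alternatives in step 4) decides which side of GE 3/0/0 the SPU sees.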


3 Firewall Configuration

About This Chapter

An attack defense system sets up a line of defense between the internal and external networks so that the internal network is protected against attacks from the external network. Generally, firewalls are deployed between the internal and external networks to prevent attacks.

3.1 Firewall Overview
A firewall discards undesired packets and protects the hosts and key resources on the internal network.

3.2 Firewall Features Supported by the SPU
The firewall features supported by the SPU include ACL-based packet filtering, blacklist, whitelist, ASPF, port mapping, transparent firewall, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.5 Configuring the Blacklist
You can add entries to the blacklist manually or configure a dynamic blacklist. If you choose the dynamic blacklist, you need to enable the IP address scanning and port scanning defense function on the attack defense module of the SPU. When the SPU detects that the connection rate of an IP address or a port exceeds the threshold, the SPU considers that a scanning attack is occurring and adds the source IP address to the blacklist. All the packets from this source IP address are then filtered out.

3.6 Configuring the Whitelist
The whitelist is applicable to a network where some devices send valid service packets that look like an IP address scanning attack or a port scanning attack. The whitelist prevents these devices from being added to the blacklist.

3.7 Configuring ASPF
The ASPF function can detect the sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables application protocols that otherwise cannot traverse firewalls to function normally.


3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.

3.9 Configuring the Aging Time of the Firewall Session Table

3.10 Configuring the Transparent Firewall
A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance rather than according to routes.

3.11 Configuring the Attack Defense Function
The attack defense function of the SPU prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.12 Configuring Traffic Statistics and Monitoring
The SPU supports traffic statistics and monitoring at the system level, zone level, and IP address level.

3.13 Configuring the Log Function
The logs on the firewall include session logs, statistics logs, attack defense logs, and blacklist logs.

3.14 Maintaining the Firewall

3.15 Configuration Examples
This section provides several configuration examples of the firewall.


3.1 Firewall Overview
A firewall discards undesired packets and protects the hosts and key resources on the internal network.

In a building, a firewall is designed to stop fire from spreading from one place to another. Similarly, a firewall on the network prevents hazards on the Internet from spreading to the internal network.

Located at the network boundary, a firewall prevents unauthorized access to the protected network while allowing internal users to securely access Web services across the Internet or send and receive emails.

Both the packets from the Internet to the internal network and the packets from the internal network to the Internet pass through the firewall; the firewall is therefore a checkpoint at which undesired packets can be discarded.

The firewall can also protect the hosts and key resources (such as data) on the internal network. It filters access to the protected data, including access from inside the network.

The firewall also serves as an access control gateway that restricts access to the Internet, for example by allowing only specified internal users to reach the Internet. Modern firewalls also provide other functions, such as identity authentication and security processing (packet encryption).

The firewall of the SPU has the following functions:

- ACL-based packet filtering: filters packets through an ACL.
- ASPF: filters packets at the application layer.
- Blacklist: filters packets based on source IP addresses.
- Whitelist: prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses.
- Port mapping: defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.
- Attack defense: detects various network attacks and takes measures to protect the internal network against attacks.
- Traffic statistics and monitoring: monitors traffic volume, detects the connections between internal and external networks, and carries out calculation and analysis.

3.2 Firewall Features Supported by the SPU
The firewall features supported by the SPU include ACL-based packet filtering, blacklist, whitelist, ASPF, port mapping, transparent firewall, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

Security Zone
The security zone, also referred to as a zone, is the basis of the firewall. All security policies are enforced based on zones.


A zone is an interface or a group of interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority; that is, no two zones share the same priority. The SPU treats data transmission within a zone as trusted and therefore enforces no security policy on intra-zone traffic. The SPU inspects the data and enforces security policies only when data flows from one zone to another.

Interzone

Any two zones form an interzone. Each interzone has an independent interzone view. Mostfirewall configurations are performed in the interzone views.

Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering canbe configured. The configured filtering policy is then enforced on the data transmission betweenzone1 and zone2.

Direction

In an interzone, data is transmitted in the inbound direction or the outbound direction.

- Inbound: data flows from a zone with lower priority to a zone with higher priority.
- Outbound: data flows from a zone with higher priority to a zone with lower priority.

ACL-based Packet Filtering

ACL-based packet filtering is used to analyze the information of the packets to be forwarded,including source/destination IP addresses, source/destination port numbers, and IP protocolnumber. The SPU compares the packet information with the ACL rules and determines whetherto forward or discard the packets.

In addition, the SPU can filter the fragmented IP packets to prevent the non-initial fragmentattack.

ASPF

ASPF is stateful packet filtering applied at the application layer. ASPF detects the application-layer sessions that attempt to pass through the firewall and discards undesired packets.

The ACL-based packet filtering firewall inspects packets at the network and transport layers. ASPF and the ordinary packet filtering firewall can be used together to enforce the security policies of an internal network.

The SPU performs ASPF for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) packets.

Blacklist

A blacklist filters packets based on source IP addresses. Compared with an ACL, the blacklist matches on fewer fields and therefore filters at higher speed. Packets from the listed IP addresses are dropped.


The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors,the firewall detects an attack from an IP address. Then the firewall adds the IP address of theattacker to the blacklist so that all the packets from the attacker are discarded.

Whitelist

The whitelist prevents the specified IP addresses from being added to the blacklist and filterspackets based on source IP addresses. The IP addresses in the whitelist will not be added to thestatic or dynamic blacklist. An entry in the whitelist is represented by the source VPN and IPaddress.

The whitelist is applicable to the network where some devices send valid service packets thatlook like IP address scanning attack or port scanning attack. The whitelist prevents these devicesfrom being added to the blacklist.

The entries of the whitelist on the SPU can only be manually added.

Port Mapping

Application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for application-layer protocols, so that the firewall still recognizes a service that runs on a non-standard port; this helps protect the server against service-specific attacks.

Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT). For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service on port 2121, so users who reach the server through a NAT device must use port 2121. By default, only packets on port 21 are treated as FTP, so the NAT device cannot recognize the FTP session on port 2121. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT device identifies the packets on port 2121 as FTP and forwards them to the FTP server, and users can access it.

Virtual Firewall

Recently, more and more small-scale private networks have been established, most of them belonging to small enterprises. Such enterprises have the following requirements:

- They require high security.
- They cannot afford a dedicated security device.

Logically, the SPU can be divided into multiple virtual firewalls that serve multiple small-scale private networks. Using the virtual firewall function, an ISP can lease network security services to these enterprises.

A virtual firewall integrates a VPN instance and a security instance, providing a private routing plane and private security services for the users of the virtual firewall:

- VPN instance: provides independent VPN routes for the users under each virtual firewall. These routes are used to forward the packets received by that virtual firewall.
- Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules, and provides services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT.


Firewall Log
The firewall records its behaviors and status in real time. For example, the attack defense measures taken and the malicious attacks detected are recorded in the firewall log.

The firewall logs are categorized into the following types:

- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.

These logs help you find security risks, detect attempts to violate the security policies, and learn the type of a network attack. Real-time logs are also used to detect an intrusion that is underway.

Traffic Statistics and Monitoring
A firewall not only monitors data traffic but also detects the setup of connections between internal and external networks, generates statistics, and analyzes the data. The logs can be analyzed with special software after events occur, and the firewall also has analysis functions for analyzing data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds a threshold, the firewall decides whether to restrict new sessions from external networks to the internal network, or new sessions from an IP address in the internal network. If the total number of sessions in the system exceeds the threshold, the firewall speeds up session aging so that new sessions can still be set up. This limits the impact of a DoS attack when the system is overloaded.

Figure 3-1 shows an application of the firewall. The IP address-based statistics function is enabled for packets from external networks to the internal network. If the number of TCP sessions initiated from external networks to Web server 129.9.0.1 exceeds the threshold, the SPU stops external networks from initiating new sessions until the number of sessions drops below the threshold.

Figure 3-1 Limiting the number of sessions initiated by external server
[Figure: external hosts open TCP connections through the switch (SPU) into the internal Ethernet network, where Web server 129.9.0.1 is located]

Attack Defense
With the attack defense feature, the SPU can detect various network attacks and protect the internal network against them.


Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.

- DoS attack
  A denial of service (DoS) attack floods a system with a large number of packets. This prevents the system from serving requests from authorized users or hangs the host. DoS attacks include the SYN Flood attack and the Fraggle attack. DoS attacks differ from other attacks in that the attacker does not look for a way into the network but instead prevents authorized users from accessing resources or routers.
- Scanning and snooping attack
  A scanning and snooping attack identifies the live systems on a network through ping scanning (including ICMP and TCP scanning) and then picks out potential targets. Through TCP scanning, the attacker can learn the operating system and the listening services. By scanning and snooping, an attacker generally learns the service types and security vulnerabilities of the system and prepares for further intrusion.
- Malformed packet attack
  A malformed packet attack sends malformed IP packets to the system, which crashes while processing them. Malformed packet attacks include Ping of Death and Teardrop.

The typical attacks on networks are as follows.

Land Attack
A Land attack sets both the source and destination addresses of a TCP SYN packet to the IP address of the target. The target then sends a SYN-ACK to its own address and answers it with an ACK, creating an empty session that persists until it times out. The effect varies by target: many UNIX hosts crash, while Windows NT hosts slow down.

Smurf Attack
A simple Smurf attack targets a network. The attacker sends an ICMP Echo Request to the broadcast address of the network; every host on the network then replies, and the network is congested. The traffic generated by a Smurf attack is one or two orders of magnitude higher than that generated by pinging with large packets.

An advanced Smurf attack targets a host. The attacker sets the source address of the ICMP request to the IP address of the target host, so all the replies converge on that host and overwhelm it. Sustaining the attack requires a certain traffic volume and duration; in theory, the more hosts on the amplifying network, the stronger the effect. The Fraggle attack is a UDP variant of the Smurf attack.

WinNuke Attack
A WinNuke attack sends an out-of-band (OOB) data packet (a TCP segment with the URG flag set) to the NetBIOS port (139) of a target host running Windows. The host mishandles the overlapping NetBIOS data and crashes. A fragmented IGMP packet can also damage the target host: IGMP packets are normally not fragmented, so receiving a fragmented IGMP packet is treated as an attack.

SYN Flood Attack
Because of resource limits, a TCP/IP stack permits only a limited number of TCP connections, and the SYN Flood attack exploits this. The attacker sends SYN packets whose source address is forged or nonexistent to initiate connections to the server. On receiving such a packet, the server replies with SYN-ACK; since nobody receives the SYN-ACK, a half-open connection is left behind. If the attacker sends a large number of such packets, many half-open connections accumulate on the attacked host and exhaust its resources, so normal users cannot access the host until the half-open connections expire. Even where connections can be created without restriction, a SYN Flood has a similar effect: it consumes system resources such as memory.

ICMP and UDP Flood Attack
In an ICMP or UDP Flood attack, the attacker sends a large number of ICMP packets (such as ping packets) or UDP packets to the target host in a short time, each requesting a response. The host is overloaded and cannot process valid work.

IP Sweeping and Port Scanning Attack
In an IP address sweeping and port scanning attack, the attacker probes the IP addresses and ports of target hosts with scanning tools, determines from the responses which hosts exist on the target network, and then finds the ports on which services are provided.

Ping of Death Attack
The length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data field of an ICMP Echo Request is longer than 65507 bytes, the total length of the packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535. Routers or hosts that process such a packet improperly may crash, stop responding, or restart. The so-called "Ping of Death" attacks a system by sending such oversize ICMP packets.

ICMP-Redirect and ICMP-Unreachable Attack
A network device sends an ICMP Redirect to hosts on the same subnet to ask them to change a route. Some attackers, however, send forged ICMP Redirect packets across network segments to hosts on another network. In this way they alter the hosts' routing tables and disrupt their normal IP forwarding.

Another attack sends ICMP Unreachable packets. After receiving an ICMP network-unreachable (code 0) or host-unreachable (code 1) message, some systems treat all subsequent packets to that destination as unreachable and cut the host off from the destination.

Teardrop Attack
The More Fragments (MF) bit, the Fragment Offset field, and the Length field of an IP packet indicate which part of the original packet a fragment carries. Some TCP/IP implementations stop running when they receive a forged fragment whose offset overlaps another fragment. The Teardrop attack exploits systems that do not check the validity of the fragment information.

Fraggle Attack
UDP port 7 (Echo) and port 19 (Chargen) reply to received UDP packets: port 7 echoes the received data back to the sender, and port 19 responds with a generated character string. As with the ICMP variant, these two UDP ports generate many useless response packets that consume network bandwidth.

The attacker sends a UDP packet to the destination network with the source address set to the IP address of the host to be attacked, the destination address set to the broadcast or network address of that subnet, and the destination port set to 7 or 19. All systems with these services enabled then reply to the target host, and the resulting traffic congests the network or makes the host stop responding. Systems without these services generate ICMP Unreachable packets, which also consume bandwidth. If the source port is set to Chargen and the destination port to Echo, the two services respond to each other endlessly and cause serious damage.

IP-Fragment Attack
Several fields of an IP packet relate to flags and fragmentation: Fragment Offset, Length, Don't Fragment (DF), and More Fragments (MF).

If these fields conflict and the conflict is not handled properly, the device may stop running. The fields conflict in the following cases:

- The DF bit is set, and either the MF bit is also set or the fragment offset is not 0.
- The DF bit is 0, but Fragment Offset plus Length is larger than 65535.

In addition, the device must directly discard fragments addressed to itself, because a large number of fragments imposes a heavy load on packet caching and reassembly.

Tracert Attack
A Tracert attack uses the ICMP Time Exceeded messages returned when the TTL of a probe reaches 0, together with the final ICMP port-unreachable reply, to trace the path to a destination. In this way the attacker learns the network topology.

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.3.1 Establishing the Configuration Task
Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.3.2 Creating a Zone
Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.

3.3.3 Adding an Interface to the Zone
You can add interfaces to the specified zone.

3.3.4 Creating an Interzone
To enable the firewall to filter packets or application-layer services in a specified interzone, you must create the interzone first.

3.3.5 Enabling Firewall in the Interzone
The configured firewall functions take effect only after the firewall is enabled in the interzone.

3.3.6 Checking the Configuration
After configuring the zones and interzone, you can view information about the zones and interzone.

3.3.1 Establishing the Configuration Task
Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Before configuring the firewall, you need to configure the zones. You can then configure the firewall based on zones or interzones.

Pre-configuration Tasks
Before configuring a zone, complete the following task:

- Configuring the interfaces that you want to add to the zone

Data Preparation
To configure the zone, you need the following data.

No.  Data
1    Name of the zone
2    Priority of the zone
3    Interfaces that you want to add to the zone

3.3.2 Creating a Zone
Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  firewall zone zone-name

A zone is created.

The SPU can be configured with up to 255 zones, and no default zone is provided.

Step 3 Run:
  priority security-priority

The priority of the zone is set.


You must configure a priority for a zone before making other configurations. The priority cannotbe changed. The priority ranges from 0 to 254. The priorities of the zones cannot be the same.A greater value indicates a higher priority.

----End

3.3.3 Adding an Interface to the Zone
You can add interfaces to the specified zone.

Prerequisite
The zone has been created through the firewall zone command.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  interface interface-type interface-number.subinterface

The interface view is displayed.

Only the XGE sub-interfaces and Eth-Trunk sub-interfaces of the SPU can be added to a zone.

Step 3 Run:
  zone zone-name

The interface is added to the zone.

Each zone can hold up to 1024 interfaces, and an interface can belong to only one zone.

----End

3.3.4 Creating an Interzone
To enable the firewall to filter packets or application-layer services in a specified interzone, you must create the interzone first.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  firewall interzone zone-name1 zone-name2

An interzone is created.

Both zones specified for the interzone must already exist.

----End


3.3.5 Enabling Firewall in the Interzone
The configured firewall functions take effect only after the firewall is enabled in the interzone.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  firewall interzone zone-name1 zone-name2

The interzone view is displayed.

The zones zone-name1 and zone-name2 must have been created through the firewall zone command.

Step 3 Run:
  firewall enable

The firewall is enabled in the interzone.

By default, the firewall function is disabled in an interzone.

----End

3.3.6 Checking the Configuration
After configuring the zones and interzone, you can view information about the zones and interzone.

Procedure

- Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.

----End

Example
Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones, for example:

  <Quidway> display firewall zone
  zone zone1
   priority is 10
   interface of the zone is (total number 1):
    XGigabitEthernet0/0/1.1
  total number is : 1

Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone, for example:

  <Quidway> display firewall interzone
  interzone zone2 zone1
   firewall enable
   packet-filter default deny inbound
   packet-filter default permit outbound
  total number is : 1

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.4.1 Establishing the Configuration Task
Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.4.2 Configuring ACL-based Packet Filtering in an Interzone
You can specify the direction in which the ACL is applied and the default action for packets that match no ACL rule.

3.4.3 Checking the Configuration
After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

3.4.1 Establishing the Configuration Task
Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policy according to the ACL rules. The ACLs usable for packet filtering are the basic ACL, the advanced ACL, and the Layer 2 ACL.

Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL, advanced ACL, or Layer 2 ACL and configuring ACL rules

Data Preparation
To configure ACL-based packet filtering, you need the following data.

No.  Data
1    Zone names
2    ACL number
3    Packet direction in which the ACL is applied


3.4.2 Configuring ACL-based Packet Filtering in an Interzone
You can specify the direction in which the ACL is applied and the default action for packets that match no ACL rule.

Procedure

Step 1 Run:
  system-view

The system view is displayed.

Step 2 Run:
  firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
  packet-filter acl-number { inbound | outbound }

ACL-based packet filtering is configured.

You can configure ACL-based packet filtering in the interzone for inbound or outbound packets.

Step 4 (Optional) Run:
  packet-filter default { deny | permit } { inbound | outbound }

The default action for unmatched packets is configured.

In the initial settings of the system, unmatched outbound packets are permitted and unmatched inbound packets are denied.

If an ACL is applied to the inbound or outbound packets of an interzone, the packets are filtered according to the ACL rules. Packets that match no rule are handled by the default action.

NOTE

When a Layer 2 ACL is applied to the interzone, non-Ethernet packets that do not match the ACL are discarded.

----End
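The following is an added end-to-end example that puts the zone procedure of 3.3 and the packet-filter procedure of 3.4.2 together; it is not taken from this guide or from Huawei. The zone names, priorities, interface numbers, server address and ACL number are assumed, and the advanced ACL rule syntax is that of the ACL chapter of this guide rather than of this page, so check it there before use.

```text
# Two zones: trust (internal, higher priority) and untrust (Internet, lower priority).
# Assumed names and priorities; priorities must be unique and cannot be changed later.
system-view
firewall zone trust
 priority 100
quit
firewall zone untrust
 priority 10
quit

# Put the SPU sub-interfaces into the zones (only XGE and Eth-Trunk sub-interfaces qualify).
interface XGigabitEthernet0/0/1.1
 zone trust
quit
interface XGigabitEthernet0/0/1.2
 zone untrust
quit

# Assumed advanced ACL 3001: Internet hosts may reach only the web server
# 10.1.1.10 on TCP 80 and 443. Everything else is deliberately left unmatched.
acl number 3001
 rule 5 permit tcp destination 10.1.1.10 0 destination-port eq 80
 rule 10 permit tcp destination 10.1.1.10 0 destination-port eq 443
quit

# Interzone trust/untrust. Because untrust has the lower priority,
# untrust -> trust is the inbound direction, so the ACL is applied inbound.
firewall interzone trust untrust
 firewall enable
 packet-filter 3001 inbound
 packet-filter default deny inbound
 packet-filter default permit outbound
quit

# Verify: the interzone must show "firewall enable" and the inbound ACL.
display firewall zone
display firewall interzone trust untrust
display acl 3001
```

The two packet-filter default lines restate the initial settings; writing them out makes the intent explicit instead of relying on a default that a later change could flip. Note that the zone priorities, not the order of the names in the firewall interzone command, decide what "inbound" means: if the priorities were swapped, the same packet-filter 3001 inbound line would filter the internal-to-Internet direction instead.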

3.4.3 Checking the Configuration
After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

Procedure

- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
- Run the display acl acl-number command to view the ACL configuration.

----End

Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering, for example:

  <Quidway> display firewall interzone
  interzone zone2 zone1
   firewall enable
   packet-filter default deny inbound
   packet-filter default permit outbound
   packet-filter 2012 inbound
  total number is : 1

Run the display acl acl-number command to view the ACL configuration, for example:

  <Quidway> display acl 2010
  Basic ACL 2010, 1 rule
  Acl's step is 5
   rule 5 permit vpn-instance vpnnat (0 times matched)

3.5 Configuring the Blacklist
You can add entries to the blacklist manually or configure a dynamic blacklist. If you choose the dynamic blacklist, you need to enable the IP address scanning and port scanning defense functions on the attack defense module of the SPU. When the SPU detects that the connection rate of an IP address or a port exceeds the threshold, it treats this as a scanning attack and adds the source IP address to the blacklist. All subsequent packets from that source IP address are then filtered out.

3.5.1 Establishing the Configuration Task
Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.5.2 Enabling the Blacklist Function
To make entries added to the blacklist manually or dynamically effective, you must enable the blacklist function first.

3.5.3 Adding IP Addresses to the Blacklist Manually
After an IP address is added to the blacklist, the firewall denies packets from that IP address until the entry ages out.

3.5.4 Checking the Configuration
After the blacklist is configured, you can view information about the blacklist.

3.5.1 Establishing the Configuration Task
Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The blacklist filters out packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically.

When the attack defense module of the firewall detects an attack from the packet behavior, the firewall adds the source IP address of the packets to the blacklist, and all packets from that IP address are then filtered out.


Pre-configuration Tasks
Before configuring the blacklist, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used

Data Preparation
To configure the blacklist, you need the following data.

No.  Data
1    IP address that you want to add to the blacklist (the VPN instance can be included)
2    (Optional) Aging time of blacklist entries

3.5.2 Enabling the Blacklist Function
To make the entries added to the blacklist manually or dynamically effective, you must enable the blacklist function first.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist enable

The blacklist function is enabled.

By default, the blacklist function is disabled.

----End

3.5.3 Adding IP Addresses to the Blacklist Manually
After an IP address is added to the blacklist, the firewall denies the packets from this IP address until this entry ages.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the blacklist.

When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time refers to the period in which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist.

An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not. That is, even though the blacklist is not enabled, you can add entries, but the entries are invalid.

You can add up to 4096 entries to a blacklist.

NOTE

The blacklist entries without the aging time are written to the configuration file. The entries configured with aging time are not written to the configuration file, but you can view them by using the display firewall blacklist command.

----End

3.5.4 Checking the Configuration
After the blacklist is configured, you can view information about the blacklist.

Procedure
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the blacklist.

----End

Example
Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the blacklist, for example:

<Quidway> display firewall blacklist all
Firewall Blacklist Items :
------------------------------------------------------------------------
IP-Address         Reason     Expire-Time(m)     VPN-Instance
------------------------------------------------------------------------
10.1.1.1           Manual     100
------------------------------------------------------------------------
 total number is : 1

3.6 Configuring the Whitelist

The whitelist is applicable to the network where some devices send valid service packets that look like an IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist.

3.6.1 Establishing the Configuration Task
Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.


3.6.2 Adding Entries to the Whitelist
The entries in the whitelist take effect without enabling the whitelist function.

3.6.3 Checking the Configuration
After the whitelist is configured, you can view information about the whitelist.

3.6.1 Establishing the Configuration Task
Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The whitelist is applicable to the network where some devices send valid service packets that look like an IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist.

If you add the VPN and IP address of a host to the whitelist, the firewall does not check the packets sent by the host that look like an IP address scanning or port scanning attack, or add the IP address to the blacklist.

Pre-configuration Tasks
Before configuring the whitelist, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure the whitelist, you need the following data.

No.  Data
1    IP address that you want to add to the whitelist (the VPN instance can be included)
2    (Optional) Aging time of whitelist entries

3.6.2 Adding Entries to the Whitelist
The entries in the whitelist take effect without enabling the whitelist function.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the whitelist.


By running this command, you can add an entry to the whitelist manually. You can specify the IP address, aging time, and VPN instance when adding the entry. The aging time refers to the period in which the IP address is effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist.

You can create up to 1024 entries in the whitelist.

----End
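The following Python model puts the rules of sections 3.5 and 3.6 side by side: manual entries with or without an aging time, entries that exist but are invalid until the blacklist is enabled, the whitelist stopping a host from being blacklisted dynamically, and only permanent entries reaching the saved configuration. It is an added example, not Huawei code and not an interface to the switch; the class and method names, the "Dynamic" reason string for scan-detected entries and the configuration-line format are this example's own assumptions.

```python
"""Reference model of the blacklist and whitelist behaviour in 3.5 and 3.6 (added example;
not Huawei code and not talking to a switch). The 'Dynamic' reason string, the method
names and the config-line format are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_BLACKLIST_ENTRIES = 4096   # limit stated in 3.5.3
MAX_WHITELIST_ENTRIES = 1024   # limit stated in 3.6.2

Key = Tuple[str, Optional[str]]   # (ip-address, vpn-instance or None)


@dataclass
class Entry:
    reason: str                   # "Manual" as in the display output; "Dynamic" is assumed
    expires_at: Optional[float]   # None: no expire-time given, the entry never ages


@dataclass
class HostLists:
    enabled: bool = False         # 'firewall blacklist enable' is off by default (3.5.2)
    blacklist: Dict[Key, Entry] = field(default_factory=dict)
    whitelist: Dict[Key, Entry] = field(default_factory=dict)

    @staticmethod
    def _add(table, limit, ip, now, vpn, expire_minutes, reason):
        key = (ip, vpn)
        if key not in table and len(table) >= limit:
            raise ValueError(f"list full ({limit} entries)")
        expires = None if expire_minutes is None else now + expire_minutes * 60
        table[key] = Entry(reason, expires)

    def blacklist_add(self, ip, now, vpn=None, expire_minutes=None):
        """'firewall blacklist ip [vpn-instance v] [expire-time m]': accepted even while disabled."""
        self._add(self.blacklist, MAX_BLACKLIST_ENTRIES, ip, now, vpn, expire_minutes, "Manual")

    def whitelist_add(self, ip, now, vpn=None, expire_minutes=None):
        """'firewall whitelist ip [vpn-instance v] [expire-time m]': effective without an enable."""
        self._add(self.whitelist, MAX_WHITELIST_ENTRIES, ip, now, vpn, expire_minutes, "Manual")

    def age_out(self, now):
        """Release entries whose aging time has elapsed; permanent entries stay."""
        for table in (self.blacklist, self.whitelist):
            expired = [k for k, e in table.items() if e.expires_at is not None and e.expires_at <= now]
            for k in expired:
                del table[k]

    def dynamic_blacklist(self, ip, now, expire_minutes, vpn=None) -> bool:
        """Entry point for scan defense (3.11.5). A whitelisted host is never added (3.6.1).
        Returns True when an entry was created."""
        self.age_out(now)
        if (ip, vpn) in self.whitelist:
            return False
        self._add(self.blacklist, MAX_BLACKLIST_ENTRIES, ip, now, vpn, expire_minutes, "Dynamic")
        return True

    def is_blocked(self, ip, now, vpn=None) -> bool:
        """Filtering decision: entries exist while disabled but are invalid until enabled (3.5.3)."""
        self.age_out(now)
        return self.enabled and (ip, vpn) in self.blacklist

    def saved_config(self) -> List[str]:
        """Only entries without an aging time reach the configuration file (NOTE in 3.5.3)."""
        return [f"firewall blacklist {ip}" + (f" vpn-instance {vpn}" if vpn else "")
                for (ip, vpn), e in self.blacklist.items() if e.expires_at is None]


def demo() -> dict:
    """Constructed walk-through; 'now' values are seconds on a monotonic clock."""
    fw = HostLists()
    fw.blacklist_add("10.1.1.1", now=0, expire_minutes=100)        # as in the 3.5.4 output
    fw.blacklist_add("10.1.1.2", now=0)                            # permanent entry
    fw.whitelist_add("1.1.1.1", now=0, vpn="vpn1", expire_minutes=3)
    before_enable = fw.is_blocked("10.1.1.1", now=1)
    fw.enabled = True                                              # 'firewall blacklist enable'
    return {
        "before_enable": before_enable,
        "blocked_at_1s": fw.is_blocked("10.1.1.1", now=1),
        "whitelisted_not_added": fw.dynamic_blacklist("1.1.1.1", now=60, expire_minutes=20, vpn="vpn1"),
        "added_after_whitelist_aged": fw.dynamic_blacklist("1.1.1.1", now=181, expire_minutes=20, vpn="vpn1"),
        "dynamic_blocked": fw.is_blocked("1.1.1.1", now=200, vpn="vpn1"),
        "blocked_after_aging": fw.is_blocked("10.1.1.1", now=100 * 60 + 1),
        "saved": fw.saved_config(),
    }
```

The point worth noticing in the walk-through is the whitelist's own aging time: once the 3-minute whitelist entry for 1.1.1.1 expires, the next scan-detection event does blacklist that host, so a whitelist entry for a legitimate scanner-like device should normally be permanent.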

3.6.3 Checking the Configuration
After the whitelist is configured, you can view information about the whitelist.

Procedure
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

----End

Example

Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the whitelist, for example:

<Quidway> display firewall whitelist all
Firewall Whitelist Items :
------------------------------------------------------------------------
IP-Address         Expire-Time(m)     Vpn-Instance
------------------------------------------------------------------------
1.1.1.1            3                  vpn1
1.1.1.2            Permanent          vpn2
1.1.1.3            6
------------------------------------------------------------------------
 total number is : 3

3.7 Configuring ASPF

The ASPF function can detect the sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables the application protocols that cannot traverse firewalls to function normally.

3.7.1 Establishing the Configuration Task
Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.7.2 Configuring ASPF Detection
ASPF can detect and filter the FTP and HTTP packets at the application layer.

3.7.3 Checking the Configuration
After ASPF is configured, you can view information about ASPF.


3.7.1 Establishing the Configuration Task
Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.

Pre-configuration Tasks
Before configuring ASPF, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure ASPF, you need the following data.

No.  Data
1    Names of the two zones
2    Type of the application protocol
3    (Optional) Aging time of the session table for each application layer protocol

3.7.2 Configuring ASPF Detection
ASPF can detect and filter the FTP and HTTP packets at the application layer.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
detect aspf { all | ftp | http [ activex-blocking | java-blocking ] }

ASPF is configured.

Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The SPU automatically checks the packets in the two directions.


By default, ASPF is not configured in the interzone.

----End
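Section 3.7 says only that ASPF lets application protocols that cannot traverse firewalls work; for FTP the reason is the separate data connection, which a stateful filter has no session for. The Python below is an added example, not Huawei code, showing the standard mechanism such an inspector uses: it reads PORT and 227 (passive) replies on the control channel and records the data connection to admit. The bounce and privileged-port checks are this example's own policy, and the control-channel lines are constructed.

```python
"""Model of the application-layer inspection an ASPF does for FTP (3.7). Added example, not
Huawei code: the guide says only that ASPF lets protocols that cannot traverse firewalls work;
inspecting PORT/PASV on the control channel to admit the data connection is the standard way
that is done. The bounce and privileged-port checks are this example's own policy, and the
control-channel lines below are constructed."""
import re
from typing import List, Optional, Tuple

Pinhole = Tuple[str, str, int]   # expected data connection: (source ip, destination ip, destination port)

_PORT = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")       # client -> server
_PASV = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")       # server -> client


def _decode(groups) -> Optional[Tuple[str, int]]:
    """h1,h2,h3,h4,p1,p2 -> (address, p1*256+p2); None when any field is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def inspect_ftp_control(lines: List[Tuple[str, str]], client_ip: str, server_ip: str) -> List[Pinhole]:
    """lines are (direction, text) with direction 'c2s' or 's2c'. Returns the data connections
    to admit temporarily; without this a stateful firewall has no session for them."""
    pinholes: List[Pinhole] = []
    for direction, text in lines:
        if direction == "c2s":
            m = _PORT.match(text)
            if m:
                decoded = _decode(m.groups())
                # active mode: the server connects to the client; admit only the address
                # that owns the control connection (no FTP bounce) and an unprivileged port
                if decoded and decoded[0] == client_ip and decoded[1] >= 1024:
                    pinholes.append((server_ip, client_ip, decoded[1]))
        else:
            m = _PASV.match(text)
            if m:
                decoded = _decode(m.groups())
                # passive mode: the client connects to the server on the announced port
                if decoded and decoded[0] == server_ip and decoded[1] >= 1024:
                    pinholes.append((client_ip, server_ip, decoded[1]))
    return pinholes


def permits(pinholes: List[Pinhole], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would the first packet of this data connection be admitted?"""
    return (src_ip, dst_ip, dst_port) in pinholes


# Constructed control-channel exchange between client 192.0.2.10 and server 203.0.113.5.
SAMPLE = [
    ("c2s", "USER anonymous"),
    ("s2c", "230 Login successful"),
    ("c2s", "PORT 192,0,2,10,4,1"),                             # client port 4*256+1 = 1025
    ("s2c", "200 PORT command successful"),
    ("c2s", "PORT 198,51,100,7,0,25"),                          # names a third host: ignored
    ("s2c", "227 Entering Passive Mode (203,0,113,5,195,80)"),  # server port 195*256+80 = 50000
]


def demo() -> List[Pinhole]:
    return inspect_ftp_control(SAMPLE, "192.0.2.10", "203.0.113.5")
```

A real inspector also ages these pinholes out (the ftp-data aging time in 3.9 is the relevant timer on the SPU) and removes them once the data connection has been seen; the model keeps them for the life of the list to keep the logic visible.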

3.7.3 Checking the Configuration
After ASPF is configured, you can view information about ASPF.

Procedure
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.

----End

Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view the ASPF information of the interzone, for example:

<Quidway> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 detect aspf ftp

total number is : 1

3.8 Configuring Port Mapping

Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against the service-specific attacks.

3.8.1 Establishing the Configuration Task
Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.8.2 Configuring Port Mapping
Port mapping is to map protocols to ports based on a basic ACL.

3.8.3 Checking the Configuration
After port mapping is configured, you can view information about port mapping.

3.8.1 Establishing the Configuration Task
Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known ports. The port mapping function can be applied to the features sensitive to application-layer protocols, such as ASPF. Port mapping is applicable to the application-layer protocols such as FTP, DNS, and HTTP.

Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the SPU matches the destination IP address of the packet with the IP address configured in the basic ACL rule.

NOTE

Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Tasks
Before configuring port mapping, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL and configuring ACL rules

Data Preparation
To configure port mapping, you need the following data.

No.  Data
1    Type of application-layer protocol
2    User-defined port to be mapped
3    Number of the basic ACL

3.8.2 Configuring Port Mapping
Port mapping is to map protocols to ports based on a basic ACL.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
port-mapping { dns | ftp | http } port port-number acl acl-number

Port mapping is configured.

You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.

NOTE

Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.

----End
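The NOTE above is the part of port mapping that is easy to get wrong: the ACL's source field is compared with the packet's destination address, so the rules must name the servers. The Python below is an added example, not Huawei code, that models the lookup: user-defined mappings are tried first and selected by port plus basic ACL, then the system-defined entries (dns 53 is the one shown in 3.8.3; 21 for ftp and 80 for http are assumed from the well-known ports). The ACL numbers, ports and server addresses are constructed, and rules are modelled as (action, source ip, wildcard) tuples.

```python
"""Model of port mapping (3.8): identifying an application-layer protocol on a non-well-known
port, gated by a basic ACL. Added example, not Huawei code. ACL rules are modelled as
(action, source ip, wildcard) tuples; ACL numbers, ports and server addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]   # ("permit" | "deny", source ip, wildcard mask as in a basic ACL rule)

# dns 53 is the system-defined entry shown in the 3.8.3 output; 21 and 80 are assumed
# from the well-known ports of ftp and http.
SYSTEM_DEFINED: Dict[int, str] = {53: "dns", 21: "ftp", 80: "http"}


def _wildcard_match(addr: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard bit 1 means 'don't care', so wildcard 0.0.0.0 matches a single host."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_ip, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (r & care)


def acl_permits(rules: List[Rule], addr: str) -> bool:
    """First matching rule decides; an address matching no rule is not selected."""
    for action, ip, wildcard in rules:
        if _wildcard_match(addr, ip, wildcard):
            return action == "permit"
    return False


class PortMapper:
    def __init__(self, acls: Dict[int, List[Rule]]):
        self.acls = acls
        self.user_defined: List[Tuple[str, int, int]] = []   # (protocol, port, acl-number)

    def port_mapping(self, protocol: str, port: int, acl_number: int) -> None:
        """'port-mapping { dns | ftp | http } port port-number acl acl-number'"""
        if protocol not in ("dns", "ftp", "http"):
            raise ValueError(f"unsupported protocol {protocol!r}")
        if not 2000 <= acl_number <= 2999:
            raise ValueError("port mapping uses a basic ACL (2000 to 2999)")
        self.user_defined.append((protocol, port, acl_number))

    def identify(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Protocol for a packet to dst_ip:dst_port, or None if nothing maps it.
        Per the NOTE in 3.8.2 the packet's destination address is compared with the
        ACL rule's source field, so the rules name the servers, not the clients."""
        for protocol, port, acl_number in self.user_defined:
            if port == dst_port and acl_permits(self.acls.get(acl_number, []), dst_ip):
                return protocol
        return SYSTEM_DEFINED.get(dst_port)


def demo() -> Dict[str, Optional[str]]:
    """Constructed: web server 192.0.2.80 and FTP server 192.0.2.21 both listen on 8080."""
    acls = {
        2001: [("permit", "192.0.2.80", "0.0.0.0")],
        2002: [("permit", "192.0.2.21", "0.0.0.0")],
        2003: [("deny", "192.0.2.99", "0.0.0.0"), ("permit", "192.0.2.0", "0.0.0.255")],
    }
    pm = PortMapper(acls)
    pm.port_mapping("http", 8080, 2001)   # one port, two protocols: told apart by the ACL
    pm.port_mapping("ftp", 8080, 2002)
    pm.port_mapping("http", 8081, 2003)   # a second port for the same protocol, subnet-wide
    return {
        "web_8080": pm.identify("192.0.2.80", 8080),
        "ftp_8080": pm.identify("192.0.2.21", 8080),
        "unmapped_8080": pm.identify("192.0.2.99", 8080),
        "denied_host_8081": pm.identify("192.0.2.99", 8081),
        "subnet_host_8081": pm.identify("192.0.2.42", 8081),
        "system_dns": pm.identify("192.0.2.99", 53),
    }
```

Traffic to 192.0.2.99:8080 identifies as nothing at all, which is the expected outcome when an ACL is too narrow: the packets are still forwarded by the packet filter, but ASPF will not inspect them as HTTP or FTP.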


3.8.3 Checking the Configuration
After port mapping is configured, you can view information about port mapping.

Procedure
- Run the display port-mapping [ dns | ftp | http | port port-number ] command to view information about port mapping.

----End

Example
Run the display port-mapping [ dns | ftp | http | port port-number ] command, and you can view information about port mapping, for example:

<Quidway> display port-mapping dns
-------------------------------------------------
 Service     Port     Acl     Type
-------------------------------------------------
 dns         53               system defined
-------------------------------------------------

3.9 Configuring the Aging Time of the Firewall Session Table

3.9.1 Establishing the Configuration Task
Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.9.2 Configuring the Aging Time of the Firewall Session Table
If a session entry is not used within the specified period, the session becomes invalid.

3.9.3 Checking the Configuration
After the aging time of the firewall session table is set, you can view the aging time.

3.9.1 Establishing the Configuration Task
Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The SPU creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record.

To change the aging time of the sessions of a protocol, you can set the aging time of the firewall session table.

Pre-configuration Tasks
Before configuring the aging time of the firewall session table, complete the following tasks:


- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To set the aging time of the firewall session table, you need the following data.

No.  Data
1    Aging time of the session table of each application-layer protocol

3.9.2 Configuring the Aging Time of the Firewall Session Table
If a session entry is not used within the specified period, the session becomes invalid.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall-nat session { dns | ftp-ctrl | ftp-data | http | icmp | tcp | tcp-proxy | udp } aging-time time-value

The aging time of the firewall session table is set.

By default, the aging time of each protocol is as follows:

- DNS: 120 seconds
- FTP-ctrl: 120 seconds
- FTP-data: 120 seconds
- HTTP: 120 seconds
- ICMP: 20 seconds
- TCP: 600 seconds
- TCP-proxy: 10 seconds
- UDP: 40 seconds

NOTE

In general, you do not need to change the aging time of a session table.

----End
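To make the aging rule concrete, here is an added Python model of the session table (not Huawei code): every matching packet refreshes a record's timer, and a record that has not matched a packet within its protocol's aging time is deleted. The default aging times are the ones listed above; the session keys and timestamps are constructed. The guide does not say whether a changed aging time applies to sessions that already exist, so the model simply uses the current value at the next purge.

```python
"""Model of the firewall session table and its aging (3.9). Added example, not Huawei code.
The default aging times are those listed in 3.9.2; the session keys and timestamps are
constructed. Whether the SPU applies a changed aging time to sessions that already exist is
not stated in the guide; this model applies it at the next purge."""
from typing import Dict, List, Tuple

DEFAULT_AGING_S = {"dns": 120, "ftp-ctrl": 120, "ftp-data": 120, "http": 120,
                   "icmp": 20, "tcp": 600, "tcp-proxy": 10, "udp": 40}

SessionKey = Tuple[str, str, int, int]   # (source ip, destination ip, source port, destination port)


class SessionTable:
    def __init__(self):
        self.aging = dict(DEFAULT_AGING_S)
        self.sessions: Dict[SessionKey, Tuple[str, float]] = {}   # key -> (protocol, last packet time)

    def set_aging(self, protocol: str, seconds: int) -> None:
        """'firewall-nat session <protocol> aging-time <time-value>'"""
        if protocol not in self.aging:
            raise ValueError(f"unknown protocol {protocol!r}")
        self.aging[protocol] = seconds

    def packet(self, key: SessionKey, protocol: str, now: float) -> None:
        """A packet creates the session or refreshes its timer."""
        self.purge(now)
        self.sessions[key] = (protocol, now)

    def purge(self, now: float) -> List[SessionKey]:
        """Delete every record that has not matched a packet within its aging time."""
        expired = [k for k, (proto, last) in self.sessions.items() if now - last >= self.aging[proto]]
        for k in expired:
            del self.sessions[k]
        return expired

    def active(self, key: SessionKey, now: float) -> bool:
        self.purge(now)
        return key in self.sessions


def demo() -> Dict[str, bool]:
    t = SessionTable()
    tcp = ("192.0.2.10", "203.0.113.5", 40000, 22)
    udp = ("192.0.2.10", "203.0.113.53", 40001, 53)
    t.packet(tcp, "tcp", now=0)
    t.packet(udp, "udp", now=0)
    results = {
        "udp_at_39": t.active(udp, 39),     # UDP default 40 s: still present
        "udp_at_40": t.active(udp, 40),     # idle for the full aging time: deleted
        "tcp_at_599": t.active(tcp, 599),   # TCP default 600 s
    }
    t.packet(tcp, "tcp", now=599)           # reply traffic restarts the timer
    results["tcp_at_1100"] = t.active(tcp, 1100)
    results["tcp_at_1199"] = t.active(tcp, 1199)
    t.set_aging("udp", 5)                   # shorter UDP aging, then a new UDP flow
    t.packet(udp, "udp", now=2000)
    results["udp_short_at_2004"] = t.active(udp, 2004)
    results["udp_short_at_2005"] = t.active(udp, 2005)
    return results
```

The model also shows why the defaults differ by protocol: a long-lived idle TCP connection survives ten minutes without traffic, while a UDP or ICMP exchange that has gone quiet is dropped within seconds, which bounds how long a stale record can keep a path open.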

3.9.3 Checking the Configuration
After the aging time of the firewall session table is set, you can view the aging time.


Procedure
- Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.

----End

Example

Run the display firewall-nat session aging-time command, and you can view the aging time of the firewall session table, for example:

<Quidway> display firewall-nat session aging-time
---------------------------------------------
 tcp protocol timeout       : 600 (s)
 tcp-proxy timeout          : 10 (s)
 udp protocol timeout       : 40 (s)
 icmp protocol timeout      : 20 (s)
 dns protocol timeout       : 120 (s)
 http protocol timeout      : 120 (s)
 ftp-ctrl protocol timeout  : 120 (s)
 ftp-data protocol timeout  : 120 (s)
---------------------------------------------

3.10 Configuring the Transparent Firewall

A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance, rather than routes.

3.10.1 Establishing the Configuration Task
Before configuring the transparent firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.10.2 Configuring the Transparent Firewall
The transparent firewall filters packets based on source MAC addresses, destination MAC addresses, and Ethernet types.

3.10.3 Checking the Configuration
After the transparent firewall is configured, you can view information about the transparent firewall.

3.10.1 Establishing the Configuration Task
Before configuring the transparent firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

When a firewall works as a transparent firewall (also called a bridge firewall), the interfaces of the firewall cannot be configured with IP addresses or NAT. The zone where the interfaces reside is the Layer 2 zone. All the external users connected to the interfaces of the Layer 2 zone belong to the same subnet.

When transmitting packets between the interfaces of the Layer 2 zone, the SPU searches for an outbound interface according to the MAC addresses of packets. In this case, the SPU functions as a transparent bridge. Different from the bridge, the SPU forwards the received IP packets to the upper layer, and then determines whether to allow the packets to pass according to the session table or ACL rules. In addition, the SPU provides the attack defense functions.

The SPU in transparent mode supports the functions such as ACL-based packet filtering, ASPF detection, attack defense check, and traffic monitoring.

Pre-configuration Tasks
Before configuring the transparent firewall, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Configuring the VLAN on the interface

Data Preparation
To configure the transparent firewall, you need the following data.

No.  Data
1    VLAN bridge instance ID
2    Number of the interface bound to the VLAN bridge instance

3.10.2 Configuring the Transparent Firewall
The transparent firewall filters packets based on source MAC addresses, destination MAC addresses, and Ethernet types.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
inter-vlan-bridge instance instance-id

The VLAN bridge instance is created.

By default, no VLAN bridge instance is created.

Step 3 (Optional) Run:
description description

The description of the VLAN bridge instance is set.

The default description is "inter-vlan-bridge instance-id."

Step 4 Run:
quit

Return to the system view.


Step 5 Run:
interface interface-type interface-number.subinterface

The sub-interface view is displayed.

Step 6 Run:
l2 binding inter-vlan-bridge instance instance-id

The sub-interface is bound to the VLAN bridge instance.

A VLAN bridge instance can be bound to up to two sub-interfaces, and the two sub-interfaces must belong to the same main interface. That is, a VLAN bridge instance contains up to two member interfaces.

When no VLAN is configured on the sub-interface, the sub-interface cannot be bound to the VLAN bridge instance. Only one VLAN can be configured on the sub-interface where you want to bind the VLAN bridge instance.

If a sub-interface is configured with an IP address or NAT, the interface cannot be bound to a VLAN bridge instance.

----End

3.10.3 Checking the Configuration
After the transparent firewall is configured, you can view information about the transparent firewall.

Procedure
- Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the transparent firewall.

----End

Example
Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command, and you can view information about the transparent firewall.

# View information about all VLAN bridge instances.

<Quidway> display inter-vlan-bridge instance
Instance ID    Member1                     Member2
---------------------------------------------------------------------
2              XGigabitEthernet0/0/1.1     NULL
3              XGigabitEthernet0/0/1.2     XGigabitEthernet0/0/1.3

3.11 Configuring the Attack Defense Function

The attack defense function of the SPU prevents the attacks to the CPU. It ensures that the server operates normally even when it is attacked.

3.11.1 Establishing the Configuration Task
Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.11.2 Enabling the Attack Defense Function


3.11.3 Setting the Parameters of Flood Attack Defense

3.11.4 Configuring Large ICMP Packet Attack Defense

3.11.5 Setting Parameters of Scanning Attack Defense

3.11.6 Checking the Configuration
After the attack defense is configured, you can view information about attack defense.

3.11.1 Establishing the Configuration Task
Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

On the SPU, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.

Pre-configuration Tasks

Before configuring the attack defense function, complete the following tasks:

- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure the attack defense function, you need the following data.

No.  Data
1    Attack type, a specified type or all types
2    Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and maximum session rate
3    Status of the TCP proxy that prevents SYN Flood attacks, including always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4    Timeout of blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5    Maximum packet length to prevent large ICMP packet attack

3.11.2 Enabling the Attack Defense Function


Context
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend against different types of attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend all enable

All the attack defense functions are enabled.

Step 3 Run:
firewall defend fraggle enable

The Fraggle attack defense is enabled.

Step 4 Run:
firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled.

After the parameters of ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 5 Run:
firewall defend icmp-redirect enable

The ICMP Redirect attack defense is enabled.

Step 6 Run:
firewall defend icmp-unreachable enable

The ICMP Unreachable attack defense is enabled.

Step 7 Run:
firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

Step 8 Run:
firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled.

After the parameters of IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.


Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled.

After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

Step 12 Run:
firewall defend port-scan enable

The port scanning attack defense is enabled.

After the parameters of port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.

Step 14 Run:
firewall defend syn-flood enable

The SYN Flood attack defense is enabled.

After the parameters of SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

Step 16 Run:
firewall defend teardrop enable

The Teardrop attack defense is enabled.

Step 17 Run:
firewall defend tracert enable

The Tracert attack defense is enabled.

Step 18 Run:
firewall defend udp-flood enable

The UDP Flood attack defense is enabled.

After the parameters of UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.


Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, no attack defense function is enabled.

----End

3.11.3 Setting the Parameters of Flood Attack Defense

Context
Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend against different types of Flood attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] [ flow-rate rate-value ]

The parameters of ICMP Flood attack defense are set.

Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value | tcp-proxy { auto | off | on } ]

The parameters of SYN Flood attack defense are set.

Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value ]

The parameters of UDP Flood attack defense are set.

To prevent the Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the SPU considers that an attack occurs and takes measures.

For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, then the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense.

For the Flood attack defense, you can specify up to 4096 IP addresses to protect.

----End


3.11.4 Configuring Large ICMP Packet Attack Defense

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend large-icmp max-length length

The parameter of large ICMP packet attack defense is set.

For the large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length. When the length of an ICMP packet exceeds the limit, the SPU considers that an attack occurs and discards the packet.

By default, the maximum length of an ICMP packet is 4000 bytes.

----End

3.11.5 Setting Parameters of Scanning Attack Defense

Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to defend against different types of scanning attacks.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters of IP address sweep attack defense are set.

Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters of port scanning attack defense are set.

For scanning attack defense, the following two parameters need to be set:

- Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the SPU considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies the new sessions from the IP address or port.
- Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the SPU deletes the IP address from the blacklist and allows the new sessions from the IP address or port.


By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

----End
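The two scanning-defense parameters above, max-rate and blacklist-expire-time, act together as a rate detector feeding a blacklist with a timeout. The following Python model is added here as an illustration; it is not part of the Huawei guide or of the SPU software. It shows the interaction for the IP-sweep case: each source's new-session rate is measured over a one-second window, a source that exceeds max-rate is blacklisted, its new sessions are denied until the timeout elapses, and it is then permitted again. The one-second window, the small thresholds and the event list are constructed for the demonstration and are not the SPU defaults of 4000 pps and 20 minutes; the port-scan defense applies the same logic per destination port.

```python
from collections import defaultdict, deque


class ScanDefense:
    """Rate-based scan defense with a blacklist timeout (illustrative model,
    not SPU code). max_rate is in new sessions per second per source;
    blacklist_expire_s is the blacklist timeout in seconds."""

    def __init__(self, max_rate, blacklist_expire_s):
        self.max_rate = max_rate
        self.expire = blacklist_expire_s
        self.recent = defaultdict(deque)   # src -> timestamps of sessions in the last second
        self.blacklist = {}                # src -> time at which the entry expires

    def _trim(self, src, now):
        # Drop timestamps that fell out of the one-second measurement window.
        q = self.recent[src]
        while q and now - q[0] >= 1.0:
            q.popleft()

    def new_session(self, now, src):
        """Decide 'permit' or 'deny' for a new session from src at time now."""
        expires = self.blacklist.get(src)
        if expires is not None:
            if now < expires:
                return "deny"              # still blacklisted
            del self.blacklist[src]        # timeout elapsed: entry removed, sessions allowed again
        self._trim(src, now)
        q = self.recent[src]
        q.append(now)
        if len(q) > self.max_rate:         # rate over the last second exceeded max-rate
            self.blacklist[src] = now + self.expire
            q.clear()
            return "deny"
        return "permit"

    def is_blacklisted(self, src, now):
        return src in self.blacklist and now < self.blacklist[src]


# Constructed event stream: (time in seconds, source IP). 10.0.0.9 opens
# 8 sessions in under a second and one more after the timeout; 10.0.0.5
# opens two sessions at a normal pace. The addresses are made up for the demo.
EVENTS = [(0.1 * i, "10.0.0.9") for i in range(8)] + [
    (0.2, "10.0.0.5"),
    (0.9, "10.0.0.5"),
    (61.0, "10.0.0.9"),
]


def simulate(events=EVENTS, max_rate=5, blacklist_expire_s=60):
    """Run the model over the events; return {src: [decisions in event order]}."""
    defense = ScanDefense(max_rate, blacklist_expire_s)
    decisions = defaultdict(list)
    for now, src in sorted(events):
        decisions[src].append(defense.new_session(now, src))
    return dict(decisions)


if __name__ == "__main__":
    for src, outcome in simulate().items():
        print(src, outcome)
```

With the constructed values, the sixth session from 10.0.0.9 within one second trips the limit; that source is denied until the timeout has elapsed, while the slow source is never affected.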

3.11.6 Checking the Configuration

After the attack defense is configured, you can view information about attack defense.

Procedure

l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.

----End

Example

Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command, and you can view information about attack defense.

# View the status of each attack defense function.

<Quidway> display firewall defend flag
--------------------------------
 Type                Flag
--------------------------------
 land              : disable
 smurf             : disable
 fraggle           : disable
 winnuke           : disable
 syn-flood         : disable
 udp-flood         : disable
 icmp-flood        : disable
 icmp-redirect     : disable
 icmp-unreachable  : disable
 ip-sweep          : disable
 port-scan         : disable
 tracert           : disable
 ping-of-death     : disable
 teardrop          : disable
 tcp-flag          : disable
 ip-fragment       : disable
 large-icmp        : disable
--------------------------------

# View the configuration of IP address sweep attack defense.

<Quidway> display firewall defend ip-sweep

 defend-flag           : disable
 max-rate              : 4000 (pps)
 blacklist-expire-time : 20 (m)
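The display firewall defend flag output above lists every defense with its state, which makes it a convenient input for a configuration audit. The following Python script is an added example, not part of the Huawei guide or the SPU software: it parses that output into a dictionary and reports which defenses from a baseline are still disabled. The sample text is the guide's output with one entry per line; the second sample and the baseline list are constructed for the demonstration and are assumptions of this example, not recommendations from the guide.

```python
import re

# Output of "display firewall defend flag" as shown in the guide, one entry
# per line. Every defense is disabled in this sample.
SAMPLE_ALL_DISABLED = """\
<Quidway> display firewall defend flag
--------------------------------
 Type                Flag
--------------------------------
 land              : disable
 smurf             : disable
 fraggle           : disable
 winnuke           : disable
 syn-flood         : disable
 udp-flood         : disable
 icmp-flood        : disable
 icmp-redirect     : disable
 icmp-unreachable  : disable
 ip-sweep          : disable
 port-scan         : disable
 tracert           : disable
 ping-of-death     : disable
 teardrop          : disable
 tcp-flag          : disable
 ip-fragment       : disable
 large-icmp        : disable
--------------------------------
"""

# Constructed variant in which some defenses have been enabled.
SAMPLE_PARTIAL = """\
 land              : enable
 syn-flood         : enable
 ip-sweep          : enable
 port-scan         : disable
 large-icmp        : disable
"""

# One "<type> : enable|disable" entry; header, separator and prompt lines do not match.
FLAG_LINE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(enable|disable)\s*$")


def parse_defend_flags(text):
    """Map each attack-defense type in the output to True (enable) or False (disable)."""
    flags = {}
    for line in text.splitlines():
        m = FLAG_LINE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) == "enable"
    return flags


# Baseline assumed for this example: defenses the reviewer expects to be
# enabled on an SPU facing an untrusted zone.
EXPECTED_ENABLED = ("syn-flood", "udp-flood", "icmp-flood", "ip-sweep",
                    "port-scan", "large-icmp", "ping-of-death", "teardrop")


def missing_defenses(flags, expected=EXPECTED_ENABLED):
    """Return the baseline defenses that are disabled or absent from the output."""
    return [name for name in expected if not flags.get(name, False)]


if __name__ == "__main__":
    current = parse_defend_flags(SAMPLE_ALL_DISABLED)
    print("disabled baseline defenses:", missing_defenses(current))
```

A defense that is missing from the output altogether is reported in the same way as one that is disabled, so a truncated capture is not mistaken for a clean result.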

3.12 Configuring Traffic Statistics and Monitoring

The SPU supports traffic statistics and monitoring at the system level, zone level, and IP address level.


3.12.1 Establishing the Configuration Task

Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.12.2 Enabling Traffic Statistics and Monitoring

You can enable traffic statistics and monitoring at the system level, zone level, or IP address level according to the actual situation.

3.12.3 Setting the Session Thresholds

You can set the session thresholds for system-level, zone-level, or IP address-level traffic statistics and monitoring according to the actual situation.

3.12.4 Checking the Configuration

After traffic statistics and monitoring is configured, you can view information about traffic statistics and monitoring.

3.12.1 Establishing the Configuration Task

Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

System-level traffic statistics and monitoring takes effect on all the data flows in interzones that are enabled with the firewall feature. That is, the SPU collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold.

Zone-based traffic statistics and monitoring takes effect on the data flows between zones. That is, the SPU counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. Zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by the local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this zone.

IP address-based traffic statistics and monitoring counts and monitors the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this IP address.

Pre-configuration Tasks

Before configuring traffic statistics and monitoring, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation

To configure traffic statistics and monitoring, you need the following data.


No. Data

1 Type of sessions to be monitored, including TCP and UDP

2 Session threshold

3 Direction of traffic statistics and monitoring

3.12.2 Enabling Traffic Statistics and Monitoring

You can enable traffic statistics and monitoring at the system level, zone level, or IP address level according to the actual situation.

Procedure

l Enabling system-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall statistics system enable

The system-level traffic statistics and monitoring is enabled.

By default, the system-level traffic statistics and monitoring is disabled.

l Enabling zone-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall zone zone-name

The zone view is displayed.

3. Run:

statistics zone enable { inzone | outzone }

The zone-level traffic statistics and monitoring is enabled.

By default, the zone-level traffic statistics and monitoring is disabled.

l Enabling IP address-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall zone zone-name

The zone view is displayed.

3. Run:

statistics ip enable { inzone | outzone }


The IP address-level traffic statistics and monitoring is enabled.

By default, the IP address-level traffic statistics and monitoring is disabled.

----End

3.12.3 Setting the Session Thresholds

You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring according to the actual situation.

Procedure

l Setting the session thresholds for system-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall statistics system enable

The system-level traffic statistics and monitoring is enabled.

By default, the system-level traffic statistics and monitoring is disabled.

3. Run:

firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold

The session thresholds for the system-level traffic statistics and monitoring are set.

For the system-level traffic statistics, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. When the number of TCP sessions in all interzones exceeds 500000, the SPU denies all the new TCP sessions in the interzone and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the SPU generates the recovery log and sends the log to the information center.

By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.

l Setting the session thresholds for zone-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall zone zone-name

The zone view is displayed.

3. Run:

statistics zone enable { inzone | outzone }

The zone-level traffic statistics and monitoring is enabled.

By default, the zone-level traffic statistics and monitoring is disabled.

4. Run:


statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

The session thresholds for the zone-level traffic statistics and monitoring are set.

You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold of inbound TCP sessions to 500000. When the number of TCP sessions initiated by this zone exceeds 500000, the SPU denies new TCP sessions from this zone.

By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.

l Setting the session thresholds for IP address-level traffic statistics and monitoring

1. Run:

system-view

The system view is displayed.

2. Run:

firewall zone zone-name

The zone view is displayed.

3. Run:

statistics ip enable { inzone | outzone }

The IP address-level traffic statistics and monitoring is enabled.

By default, the IP address-level traffic statistics and monitoring is disabled.

4. Run:

statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold

The session thresholds for the IP address-level traffic statistics and monitoring are set.

You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the SPU denies new TCP sessions from this IP address.

By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.

----End
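The high and low values in the three connect-number commands above form a watermark with hysteresis: new sessions of a type are refused once the count exceeds the high threshold and are admitted again only after the count has dropped below the low threshold, so the limiter does not flap around a single value. The following Python model is added as an illustration; it is not part of the Huawei guide or of the SPU software. It tracks one session type, records the alarm and recovery events the guide mentions, and uses the configured low threshold as the recovery point, which is an assumption of this model. The small thresholds are constructed for the demonstration; the SPU defaults are 500000 and 450000.

```python
class SessionLimiter:
    """High/low watermark limiter for one session type (illustrative model of
    the connect-number thresholds, not SPU code)."""

    def __init__(self, high, low):
        if not 0 <= low < high:
            raise ValueError("low threshold must be below high threshold")
        self.high = high
        self.low = low
        self.active = 0            # sessions currently open
        self.restricting = False   # True while new sessions are being denied
        self.log = []              # (event, active-session count) records

    def open_session(self):
        """Admit a new session unless the count would exceed the high threshold."""
        if self.restricting:
            return False
        if self.active + 1 > self.high:
            self.restricting = True
            self.log.append(("alarm", self.active))     # reported once, when the limit is hit
            return False
        self.active += 1
        return True

    def close_session(self):
        """Release a session; recovery happens once the count is below the low threshold."""
        if self.active == 0:
            raise RuntimeError("no session to close")
        self.active -= 1
        if self.restricting and self.active < self.low:
            self.restricting = False
            self.log.append(("recovery", self.active))


def run_scenario(high=5, low=3):
    """Open high+2 sessions, then close them one at a time.

    Returns (admission decisions, restricting flag after each close, event log)."""
    lim = SessionLimiter(high, low)
    admitted = [lim.open_session() for _ in range(high + 2)]
    flags = []
    while lim.active:
        lim.close_session()
        flags.append(lim.restricting)
    return admitted, flags, lim.log


if __name__ == "__main__":
    admitted, flags, log = run_scenario()
    print("admitted:", admitted)
    print("restricting after each close:", flags)
    print("log:", log)
```

The gap between the two thresholds is what prevents a burst of alarm and recovery logs when the session count hovers near the limit; closing the gap to zero turns the limiter back into a simple on/off threshold.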

3.12.4 Checking the Configuration

After the traffic statistics and monitoring is configured, you can view information about traffic statistics and monitoring.

Procedure

l Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.

l Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.


l Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.

----End

Example

Run the display firewall statistics system command, and you can view information about the system-level traffic statistics and monitoring, for example:

<Quidway> display firewall statistics system
--------------------------------------------------------------------
 Global system statistics config information
--------------------------------------------------------------------
 Is enable 0 <enable : 1 disable : 0 >
---------------------------------High---------------------Low-------
 Tcp connect-number               500000                  450000
 Udp connect-number               500000                  450000
 Icmp connect-number              500000                  450000
 Tcp-proxy connect-number         500000                  450000
 Frag connect-number              500000                  450000
--------------------------------------------------------------------

Run the display firewall statistics zone zone-name { inzone | outzone } all command, and you can view information about the zone-level traffic statistics and monitoring.

# View the inbound packet statistics of zone1.

<Quidway> system-view
[Quidway] display firewall statistics zone zone1 inzone all
ZoneID:0 Direction:IN
InTcpSetupTotal-----------------0
InTcpTearTotal------------------0
InUdpSetupTotal-----------------0
InUdpTearTotal------------------0
InIcmpSetupTotal----------------0
InIcmpTearTotal-----------------0

Run the display firewall statistics zone-ip zone-name command, and you can view information about the IP address-level traffic statistics and monitoring.

# View the configuration of traffic monitoring in zone2.

<Quidway> display firewall statistics zone-ip zone2
--------------------------------------------------------------------
 Zone statistics config information
--------------------------------------------------------------------
 Zone in enable 0 <enable : 1 disable : 0>
---------------------------------High---------------------Low-------
 Tcp connect-number               500000                  450000
 Udp connect-number               500000                  450000
 Icmp connect-number              500000                  450000
--------------------------------------------------------------------
 Zone out enable 0 <enable : 1 disable : 0>
--------------------------------------------------------------------
 Tcp connect-number               500000                  450000
 Udp connect-number               500000                  450000
 Icmp connect-number              500000                  450000


--------------------------------------------------------------------
 Ip in enable 0 <enable : 1 disable : 0>
--------------------------------------------------------------------
 Tcp connect-number               500000                  450000
 Udp connect-number               500000                  450000
 Icmp connect-number              500000                  450000
--------------------------------------------------------------------
 Ip out enable 0 <enable : 1 disable : 0>
--------------------------------------------------------------------
 Tcp connect-number               500000                  450000
 Udp connect-number               500000                  450000
 Icmp connect-number              500000                  450000
--------------------------------------------------------------------

3.13 Configuring the Log Function

The logs on the firewall include session logs, statistics logs, attack defense logs, and blacklist logs.

3.13.1 Establishing the Configuration Task

Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.13.2 Enabling the Log Function on the Firewall

3.13.3 Setting the Parameters of Logs

The parameters of logs include the session log host, conditions of recording session logs, and interval for exporting logs.

3.13.4 Checking the Configuration

After the log function is configured on the firewall, you can view information about the logs.

3.13.1 Establishing the Configuration Task

Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

The logs record the behaviors and status of the firewall to help you identify security risks, analyze attempts to violate the security policies, and detect network attacks.

Pre-configuration Tasks

Before configuring the logs, complete the following tasks:

l Configuring zones and adding interfaces to the zones

l Configuring the interzone and enabling the firewall function in the interzone

l Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation

To configure the log function, you need the following data.


No. Data

1 Type of the log

2 IP address and port number of the session log host, and the source IP address andsource port number that the SPU uses to communicate with the session log host

3 Conditions of recording session logs, including the ACL number and the direction

4 (Optional) Interval for exporting the attack defense logs or statistics logs

3.13.2 Enabling the Log Function on the Firewall

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall log { all | blacklist | defend | session | statistics } enable

The log function is enabled on the firewall.

The log function can be enabled per log type, or for all types of logs by using the all parameter.

By default, the log function is disabled on a firewall.

Step 3 Run:

firewall log session nat enable

The NAT session log is enabled.

Before running the firewall log session nat enable command, you must run the firewall log session enable command.

By default, the NAT session log is disabled.

----End

3.13.3 Setting the Parameters of Logs

The parameters of logs include the session log host, conditions of recording session logs, and interval for exporting logs.

Context

The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the SPU uses to communicate with the log host.


An ACL is referenced in the interzone view to decide which sessions are recorded in the logs. ACLs can be configured for the inbound and outbound traffic respectively.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]

The session log host is configured.

By default, no session log host is configured.

Step 3 (Optional) Run:

firewall log session out-of-band enable

The SPU exports the session logs to the session log host through the out-of-band interface (Ethernet 0/0/0).

By default, the logs are not exported through Ethernet 0/0/0.

Step 4 (Optional) Run:

firewall log { blacklist | defend | session | statistics } log-interval time

The interval for exporting logs is set.

By default, logs are exported every 30 seconds.

Step 5 Run:

firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 6 Run:

session-log acl-number { inbound | outbound }

The conditions of recording session logs are configured.

By default, no condition is configured in an interzone for recording session logs.

----End

3.13.4 Checking the Configuration

After the log function is configured on the firewall, you can view information about the logs.

Procedure

l Run the display firewall log configuration command to view information about the logs on the firewall.

----End


Example

Run the display firewall log configuration command, and you can view information about the logs on the firewall, for example:

<Quidway> display firewall log configuration
defend log :
 status       : enabled
 log-interval : 30 s
statistics log :
 status       : enabled
 log-interval : 30 s
blacklist log :
 status       : enabled
 log-interval : 30 s
session log :
 status             : enabled
 log-interval       : 30 s
 out-of-band status : disabled
 nat-session        : disabled
binary-log host :
 host      source    VPN instance-name
 ----:--   ----:--   ---

3.14 Maintaining the Firewall

3.14.1 Displaying the Firewall Configuration

3.14.2 Clearing the Statistics of the Firewall

3.14.1 Displaying the Firewall Configuration

Procedure

l Run the display firewall zone [ zone-name | interface | priority ] command to view the configurations of all zones or the specified zone.

l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the configurations of the interzone.

l Run the display firewall blacklist configuration command to view the status of the blacklist function.

l Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the blacklist entries.

l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.

l Run the display firewall statistics system command to view the system-level traffic statistics.

l Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.

l Run the display firewall statistics zone-ip zone-name command to view the status of the traffic monitoring function and the session thresholds for each protocol.


l Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.

l Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the VLAN bridge instance.

l Run the display port-mapping [ dns | ftp | http | port port-number ] command to view the mappings between application-layer protocols and ports.

l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.

l Run the display firewall log configuration command to view the global configuration of the log function.

----End

3.14.2 Clearing the Statistics of the Firewall

Context

To clearly view the communication packets of a device within a specified period, you can clear the previous packet statistics on the device first.

Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to clear different types of packet statistics.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

clear firewall statistics system normal

The statistics about communication packets are cleared.

Step 3 Run:

clear firewall statistics zone zone-name

The statistics about communication packets in the zone are cleared.

----End

3.15 Configuration Examples

This section provides several configuration examples of the firewall.

3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall

This example shows the application of the ACL-based packet filtering firewall on a network. The firewall filters packets according to the source/destination IP addresses and source/destination port numbers of packets. In this way, the security of the packets is improved.

3.15.2 Example for Configuring ASPF and Port Mapping


This example shows the application of ASPF and port mapping on a network. The SPU can detect the packets of the specified application-layer protocols and discard the undesired packets.

3.15.3 Example for Configuring the Blacklist

This example shows the application of the blacklist on a network. By using a blacklist, the SPU can prevent the attacks initiated by certain IP addresses.

3.15.4 Example for Configuring the Transparent Firewall

This example shows the application of the transparent firewall on a network. The SPU forwards packets to the destination VLAN through Layer 2 according to the configuration of the VLAN bridge instance.

3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall

This example shows the application of the ACL-based packet filtering firewall on a network. The firewall filters packets according to the source/destination IP addresses and source/destination port numbers of packets. In this way, the security of the packets is improved.

Networking Requirements

As shown in Figure 3-2, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets between the internal network and the external network. The requirements are as follows:

l A host (202.39.2.3) on the external network is allowed to access the server in the internal network.

l Other hosts are not allowed to access the server on the internal network.

The SPU is installed in slot 5 of the S9300.

Figure 3-2 Networking of ACL-based packet filtering

[Figure: the internal network (Telnet Server, FTP Server 129.38.1.2, WWW Server, 129.38.1.3, 129.38.1.4) and the external host 202.39.2.3 attach to the Switch through GE1/0/10 (VLAN 10) and GE1/0/11 (VLAN 20); the SPU is reached over XGE5/0/0 and XGE5/0/1, with subinterfaces Eth-Trunk0.1 and Eth-Trunk0.2.]

Configuration Roadmap

The configuration roadmap is as follows:


1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.

Procedure

Step 1 Import flows from the S9300 to the SPU.

1. Configure the S9300 as follows:

[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit

2. Configure the SPU as follows:

[Quidway] sysname SPU
[SPU] interface Eth-trunk0
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-trunk0] quit
[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] control-vid 10 dot1q-termination
[SPU-Eth-trunk0.1] dot1q termination vid 10
[SPU-Eth-trunk0.1] ip address 129.38.1.1 255.255.255.0
[SPU-Eth-trunk0.1] arp broadcast enable
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] control-vid 20 dot1q-termination
[SPU-Eth-trunk0.2] dot1q termination vid 20
[SPU-Eth-trunk0.2] ip address 202.38.160.1 255.255.0.0
[SPU-Eth-trunk0.2] arp broadcast enable
[SPU-Eth-trunk0.2] quit

Step 2 Configure zones and the interzone on the SPU.

[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.

[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] zone trust
[SPU-Eth-trunk0.1] quit


[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] zone untrust
[SPU-Eth-trunk0.2] quit

Step 4 Configure an ACL on the SPU.

[SPU] acl 3102
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[SPU-acl-adv-3102] rule deny ip
[SPU-acl-adv-3102] quit

Step 5 Configure packet filtering on the SPU.

[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 3102 inbound
[SPU-interzone-trust-untrust] quit

Step 6 Verify the configuration.

After the configuration, only the specified host (202.39.2.3) can access the server on the internal network.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:

[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default deny inbound
  packet-filter default permit outbound
  packet-filter 3102 inbound

----End
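The ACL of Step 4 is evaluated rule by rule in ascending rule number and the first match decides; a packet that matches no rule falls through to the interzone default, which the display firewall interzone output above shows as deny inbound and permit outbound. The following Python evaluator is an added example, not part of the Huawei guide or of the SPU software. It parses the four rules of acl 3102 in the form they take in the SPU configuration file and applies them to constructed packets, including the wildcard-mask comparison the rules rely on (a wildcard bit of 1 means the corresponding address bit is ignored, and the file abbreviates the exact-match wildcard 0.0.0.0 to 0). Port numbers are not modelled because the rules in this example do not use them.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0xFFFFFFFF   # wildcard that matches every address


def addr_int(text):
    """Dotted IPv4 address as an integer."""
    return int(ipaddress.IPv4Address(text))


def wildcard_int(text):
    # The configuration file abbreviates the wildcard 0.0.0.0 to "0".
    return 0 if text == "0" else addr_int(text)


@dataclass
class Rule:
    number: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src: int = 0
    src_wild: int = ANY    # no source clause: match any source
    dst: int = 0
    dst_wild: int = ANY    # no destination clause: match any destination

    def matches(self, proto, src, dst):
        if self.proto != "ip" and self.proto != proto:
            return False
        # A wildcard bit of 1 means "don't care"; compare only the fixed bits.
        src_fixed = ~self.src_wild & ANY
        dst_fixed = ~self.dst_wild & ANY
        return ((src & src_fixed) == (self.src & src_fixed)
                and (dst & dst_fixed) == (self.dst & dst_fixed))


def parse_rule(line):
    """Parse one 'rule N permit|deny proto [source A W] [destination A W]' line."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule":
        raise ValueError("not an ACL rule: " + line)
    rule = Rule(number=int(t[1]), action=t[2], proto=t[3])
    i = 4
    while i < len(t):
        if t[i] == "source":
            rule.src, rule.src_wild = addr_int(t[i + 1]), wildcard_int(t[i + 2])
        elif t[i] == "destination":
            rule.dst, rule.dst_wild = addr_int(t[i + 1]), wildcard_int(t[i + 2])
        else:
            raise ValueError("unsupported keyword: " + t[i])
        i += 3
    return rule


def evaluate(rules, proto, src, dst, default="deny"):
    """First matching rule (by number) decides; otherwise the interzone default applies.

    Returns (action, rule number) with rule number None when the default was used."""
    s, d = addr_int(src), addr_int(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, s, d):
            return rule.action, rule.number
    return default, None


# The rules of acl 3102 as they appear in the SPU configuration file of this example.
ACL_3102 = [parse_rule(line) for line in (
    "rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0",
    "rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0",
    "rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0",
    "rule 20 deny ip",
)]


if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination).
    for pkt in (("tcp", "202.39.2.3", "129.38.1.2"),
                ("tcp", "202.39.2.9", "129.38.1.2"),
                ("udp", "202.39.2.3", "129.38.1.2")):
        print(pkt, "->", evaluate(ACL_3102, *pkt))
```

The last rule, deny ip, makes the ACL's own decision explicit; without it, unmatched inbound packets would still be dropped, but only because the interzone default for the inbound direction is deny, as the evaluator's default argument models.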

Configuration Files

l Configuration file of the SPU

#
 sysname SPU
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Eth-trunk0
#
interface XGigabitEthernet 0/0/1
 Eth-trunk0
#
interface XGigabitEthernet 0/0/2
 Eth-trunk0
#


interface Eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
interface Eth-trunk0.2
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.160.1 255.255.0.0
 zone untrust
#
return

l Configuration file of the S9300

#
 vlan batch 10 20
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface XGigabitEthernet 5/0/0
 Eth-Trunk 0
#
interface XGigabitEthernet 5/0/1
 Eth-Trunk 0
#
return

3.15.2 Example for Configuring ASPF and Port Mapping

This example shows the application of ASPF and port mapping on a network. The SPU can detect the packets of the specified application-layer protocols and discard the undesired packets.

Networking Requirements

As shown in Figure 3-3, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets and perform ASPF check between the internal network and the external network. The requirements are as follows:

l A host (202.39.2.3) on the external network is allowed to access the server in the internal network.

l Other hosts are not allowed to access the server on the internal network.

l The SPU checks the FTP status of the connections and filters the undesired packets.

l The packets from the external host are sent to the FTP server through port 2121, which is used as the port of the FTP protocol.

The SPU is installed in slot 5 of the S9300.


Figure 3-3 Networking of ASPF and port mapping

[Figure: the internal network (Telnet Server, FTP Server 129.38.1.2, WWW Server; addresses 129.38.1.3 and 129.38.1.4) connects through the Switch in VLAN 10 (GE1/0/10) to Eth-Trunk0.1 of the SPU; the external host 202.39.2.3 connects in VLAN 20 (GE1/0/11) to Eth-Trunk0.2; the SPU is attached through XGE5/0/0 and XGE5/0/1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.
6. Configure ASPF in the interzone.
7. Map port 2121 to the HTTP protocol.

Procedure

Step 1 Import flows from the S9300 to the SPU.

1. Configure the S9300 as follows:

[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit

2. Configure the SPU as follows:

[Quidway] sysname SPU
[SPU] interface Eth-trunk0
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-trunk0] quit
[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] control-vid 10 dot1q-termination
[SPU-Eth-trunk0.1] dot1q termination vid 10
[SPU-Eth-trunk0.1] ip address 129.38.1.1 255.255.255.0
[SPU-Eth-trunk0.1] arp broadcast enable
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] control-vid 20 dot1q-termination
[SPU-Eth-trunk0.2] dot1q termination vid 20
[SPU-Eth-trunk0.2] ip address 202.38.160.1 255.255.0.0
[SPU-Eth-trunk0.2] arp broadcast enable
[SPU-Eth-trunk0.2] quit

Step 2 Configure zones and the interzone on the SPU.

[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.

[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] zone trust
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] zone untrust
[SPU-Eth-trunk0.2] quit

Step 4 Configure ACLs on the SPU.

[SPU] acl 2102
[SPU-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[SPU-acl-basic-2102] quit
[SPU] acl 3102
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[SPU-acl-adv-3102] rule deny ip
[SPU-acl-adv-3102] quit

Step 5 Configure packet filtering on the SPU.

[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 3102 inbound
[SPU-interzone-trust-untrust] quit

Step 6 Configure ASPF on the SPU.

[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] detect aspf ftp
[SPU-interzone-trust-untrust] quit

Step 7 Configure port mapping on the SPU.

[SPU] port-mapping ftp port 2121 acl 2102

Step 8 Verify the configuration.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:

[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter 3102 inbound
  packet-filter default permit inbound
  detect aspf ftp

Run the display port-mapping { dns | ftp | http | port port-number } command on the SPU, and the result is as follows:

[SPU] display port-mapping ftp
-------------------------------------------------
 Service    Port    Acl     Type
-------------------------------------------------
 ftp        21              system defined
 ftp        2121    2102    user defined
-------------------------------------------------

----End
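The following Python model is added here as an illustration; it is not part of the guide and not SPU software. It reproduces the filtering decisions of the two examples above (the ACL-based packet filtering of 3.15.1 and the ASPF port mapping of 3.15.2): wildcard matching as written in ACL 3102, first-match rule evaluation, and the effect of port-mapping ftp port 2121 acl 2102, which makes ASPF treat port 2121 as FTP only for the server that ACL 2102 names. That the port-mapping ACL is matched against the flow's destination (server) address, and the interzone default action, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the SPU filtering in the examples above; not SPU code.


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    protocol: str          # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str = "any"       # "address wildcard" as written in the config, or "any"
    dst: str = "any"


def _to_int(text: str) -> int:
    # The guide's configuration files abbreviate the wildcard 0.0.0.0 as "0".
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def match_addr(spec: str, addr: str) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'do not care', a 0 bit
    must match; wildcard 0 (0.0.0.0) therefore selects one exact host."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_action(rules: List[Rule], proto: str, src: str, dst: str,
               default: str = "permit") -> str:
    """First matching rule wins. 'default' stands for the interzone's
    'packet-filter default permit' action when no rule matches (assumed)."""
    for r in rules:
        if r.protocol in ("ip", proto) and match_addr(r.src, src) and match_addr(r.dst, dst):
            return r.action
    return default


# ACL 3102 and basic ACL 2102 exactly as in the example configuration.
ACL_3102 = [
    Rule("permit", "tcp", "202.39.2.3 0", "129.38.1.2 0"),
    Rule("permit", "tcp", "202.39.2.3 0", "129.38.1.3 0"),
    Rule("permit", "tcp", "202.39.2.3 0", "129.38.1.4 0"),
    Rule("deny", "ip"),
]
ACL_2102 = [Rule("permit", "ip", "129.38.1.2 0")]   # basic ACL: source field only

# Port mapping table: (service, port, basic ACL or None for a system-defined entry),
# mirroring the 'display port-mapping ftp' output above.
PORT_MAPPING: List[Tuple[str, int, Optional[List[Rule]]]] = [
    ("ftp", 21, None),          # system defined: port 21 is FTP for every server
    ("ftp", 2121, ACL_2102),    # user defined: port 2121 is FTP only for 129.38.1.2
]


def aspf_protocol(dst_ip: str, dst_port: int) -> Optional[str]:
    """Which application protocol ASPF inspects this flow as (None = no ASPF).
    Assumption: the basic ACL of a user-defined mapping is matched against the
    flow's destination address, i.e. the server the mapping is meant for."""
    for service, port, acl in PORT_MAPPING:
        if port != dst_port:
            continue
        if acl is None or acl_action(acl, "ip", dst_ip, "any", default="deny") == "permit":
            return service
    return None


def inspect_inbound(proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """Decision for a packet entering the trust zone from untrust:
    (packet-filter action, ASPF protocol applied to permitted flows)."""
    action = acl_action(ACL_3102, proto, src, dst)
    return action, (aspf_protocol(dst, dport) if action == "permit" else None)
```

With this model, 202.39.2.3 reaching 129.38.1.2 on port 2121 is permitted and inspected as FTP, the same host reaching 129.38.1.3 on 2121 is permitted but not treated as FTP (ACL 2102 does not cover that server), and any other source is dropped by rule deny ip before ASPF is consulted.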

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 detect aspf ftp
 packet-filter 3102 inbound
#
port-mapping ftp port 2121 acl 2102
#
interface Eth-trunk0
#
interface XGigabitEthernet 0/0/1
 Eth-trunk0
#
interface XGigabitEthernet 0/0/2
 Eth-trunk0
#
interface Eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
interface Eth-trunk0.2
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.160.1 255.255.0.0
 zone untrust
#
return


- Configuration file of the S9300

#
 vlan batch 10 20
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface XGigabitEthernet 5/0/0
 Eth-Trunk 0
#
interface XGigabitEthernet 5/0/1
 Eth-Trunk 0
#
return

3.15.3 Example for Configuring the Blacklist

This example shows the application of the blacklist on a network. By using a blacklist, the SPU can prevent the attacks initiated by certain IP addresses.

Networking Requirements

As shown in Figure 3-4, Eth-Trunk1.1 of the SPU is connected to an internal network with high security, and Eth-Trunk1.2 is connected to the external network with low security.

The SPU needs to apply the IP address sweeping defense and blacklist policies to the packets from the Internet to the enterprise intranet. If the SPU finds that an IP address attacks the enterprise intranet through IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

When the SPU detects that IP address 202.39.1.2 attacks the enterprise intranet multiple times, you can add the IP address to the blacklist manually. Then the IP address will always be in the blacklist.

The SPU is installed in slot 5 of the S9300. The flows on the S9300 need to be imported to the SPU through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.


Figure 3-4 Networking of blacklist configuration

[Figure: the enterprise network (Server) connects through the Switch in VLAN 101 (GE2/0/1) to Eth-Trunk1.1 of the SPU; the external side connects in VLAN 102 (GE2/0/2) to Eth-Trunk1.2; the SPU is attached through XGE5/0/0 and XGE5/0/1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Enable the blacklist function.
5. Add entries to the blacklist.
6. Enable the defense against IP address sweeping or port scanning attack.
7. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.

Procedure

Step 1 Import flows from the S9300 to the SPU.

1. Configure the S9300 as follows:

<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit

2. Configure the SPU as follows:

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 201.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit

Step 2 Configure zones and the interzone on the SPU.

[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.

[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] zone trust
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] zone untrust
[SPU-Eth-Trunk1.2] quit

Step 4 Enable the blacklist function.

[SPU] firewall blacklist enable

Step 5 Add an entry to the blacklist.

[SPU] firewall blacklist 202.39.1.2

Step 6 Enable the IP address sweeping and port scanning attack defense.

[SPU] firewall defend ip-sweep enable
[SPU] firewall defend port-scan enable

Step 7 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.

[SPU] firewall defend ip-sweep max-rate 5000
[SPU] firewall defend ip-sweep blacklist-expire-time 30
[SPU] firewall defend port-scan max-rate 5000
[SPU] firewall defend port-scan blacklist-expire-time 30

Step 8 Verify the configuration.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:

[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound

Run the display firewall blacklist all command on the SPU, and the result is as follows:

[SPU] display firewall blacklist all
Firewall Blacklist Items :
------------------------------------------------------------------------
IP-Address        Reason      Expire-Time(m)    VPN-Instance
------------------------------------------------------------------------
202.39.1.2        Manual      Permanent
------------------------------------------------------------------------
 total number is : 1

----End
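The following Python model is added as an illustration of what the blacklist and IP address sweeping defense configured above do; it is not part of the guide and not SPU software. It uses the guide's values (max-rate 5000, blacklist-expire-time 30, the manual entry 202.39.1.2) and shows a timed automatic entry ageing out while the manual entry stays permanent, as the display firewall blacklist all output above reports. The guide does not describe how the SPU counts the session rate, so a one-second sliding window over distinct destination hosts per source is assumed; the sweeping source 198.51.100.7 and the destination addresses are constructed sample data.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed model of the blacklist and ip-sweep defense; not SPU code.

MAX_RATE = 5000          # firewall defend ip-sweep max-rate 5000 (sessions per second)
EXPIRE_MINUTES = 30      # firewall defend ip-sweep blacklist-expire-time 30


class Blacklist:
    """Entries map an address to (reason, expiry in seconds or None = permanent)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[str, Optional[float]]] = {}

    def add_manual(self, ip: str) -> None:
        # 'firewall blacklist <ip>': a manual entry never ages out.
        self.entries[ip] = ("Manual", None)

    def add_auto(self, ip: str, now: float, reason: str) -> None:
        existing = self.entries.get(ip)
        if existing is not None and existing[1] is None:
            return                       # never downgrade a permanent entry to a timed one
        self.entries[ip] = (reason, now + EXPIRE_MINUTES * 60)

    def is_blocked(self, ip: str, now: float) -> bool:
        entry = self.entries.get(ip)
        if entry is None:
            return False
        _, expiry = entry
        if expiry is not None and now >= expiry:
            del self.entries[ip]         # timed entry has aged out
            return False
        return True

    def display(self, now: float) -> List[Tuple[str, str, str]]:
        """Rows in the shape of 'display firewall blacklist all':
        (IP-Address, Reason, Expire-Time(m))."""
        rows = []
        for ip, (reason, expiry) in list(self.entries.items()):
            if not self.is_blocked(ip, now):
                continue
            left = "Permanent" if expiry is None else str(int((expiry - now) // 60))
            rows.append((ip, reason, left))
        return rows


class IpSweepDetector:
    """An IP address sweep is one source opening sessions to many distinct hosts.
    Assumed counting method: distinct destinations per source within a sliding
    window; exceeding max-rate blacklists the source for EXPIRE_MINUTES."""

    def __init__(self, blacklist: Blacklist, max_rate: int = MAX_RATE, window: float = 1.0) -> None:
        self.bl = blacklist
        self.max_rate = max_rate
        self.window = window
        self.recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.counts: Dict[str, Dict[str, int]] = defaultdict(dict)

    def new_session(self, src: str, dst: str, ts: float) -> bool:
        """Record a new session from src to dst at time ts; True means 'dropped'."""
        if self.bl.is_blocked(src, ts):
            return True
        q, counts = self.recent[src], self.counts[src]
        q.append((ts, dst))
        counts[dst] = counts.get(dst, 0) + 1
        while q and ts - q[0][0] > self.window:      # slide the window forward
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > self.max_rate:
            self.bl.add_auto(src, ts, "IP-Sweep")
            q.clear()
            counts.clear()
            return True
        return False


def simulate() -> Dict[str, object]:
    """Replay a constructed sweep: one source touches 5001 hosts in half a second."""
    bl = Blacklist()
    bl.add_manual("202.39.1.2")                   # the manual entry from Step 5
    det = IpSweepDetector(bl)
    sweeper = "198.51.100.7"                      # constructed source (documentation range)
    dropped = 0
    for i in range(5001):
        dst = f"10.0.{i // 256}.{i % 256}"        # 5001 distinct internal hosts (constructed)
        if det.new_session(sweeper, dst, 100.0 + i * 0.0001):
            dropped += 1
    return {
        "dropped_during_sweep": dropped,
        "sweeper_blocked_now": bl.is_blocked(sweeper, 101.0),
        "sweeper_blocked_after_expiry": bl.is_blocked(sweeper, 100.5 + EXPIRE_MINUTES * 60 + 1),
        "manual_still_blocked": bl.is_blocked("202.39.1.2", 10**9),
    }
```

Only the session that pushes the source over the limit is dropped by the detector; from then on the blacklist, not the detector, drops the source until the 30-minute entry expires, while the manual entry for 202.39.1.2 is reported as Permanent and is never removed by ageing.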

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
interface Eth-Trunk1
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
#
firewall blacklist enable
firewall blacklist 202.39.1.2
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-expire-time 30
firewall defend port-scan max-rate 5000
firewall defend port-scan blacklist-expire-time 30
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 201.0.0.1 255.255.255.0
 arp broadcast enable
 zone trust
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.0.0.1 255.255.255.0
 arp broadcast enable
 zone untrust
#
return

- Configuration file of the S9300

#
vlan batch 101 to 102
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface Eth-Trunk 1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

3.15.4 Example for Configuring the Transparent Firewall

This example shows the application of the transparent firewall on a network. The SPU forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance.

Networking Requirements

As shown in Figure 3-5, PC A and PC B are in different VLANs. The VLAN bridge instance is configured between the VLANs, and the SPU performs Layer 2 forwarding. PC A in the trust zone can access the resources in the untrust zone. The MAC address of PC A is 000f-1f7e-fec5.

The SPU is installed in slot 5 of the S9300.

Figure 3-5 Networking of transparent firewall configuration

[Figure: PC A (000f-1f7e-fec5) in the trust zone connects through the Switch in VLAN 101 (GE2/0/1) to Eth-Trunk1.1 of the SPU; PC B in the untrust zone connects in VLAN 102 (GE2/0/2) to Eth-Trunk1.2; the SPU is attached through XGE5/0/0 and XGE5/0/1.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Add interfaces to VLANs.
5. Configure the VLAN bridge instance.
6. Bind the VLAN bridge instance to sub-interfaces.
7. Configure an ACL.
8. Configure packet filtering.


Procedure

Step 1 Import flows from the S9300 to the SPU.

1. Configure the S9300 as follows:

<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit

2. Configure the SPU as follows:

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit

Step 2 Configure zones and the interzone on the SPU.

[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.

[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] zone trust
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] zone untrust
[SPU-Eth-Trunk1.2] quit

Step 4 Configure the VLAN bridge instance on the SPU.

[SPU] inter-vlan-bridge instance 127

Step 5 Bind the VLAN bridge instance to the sub-interfaces of the SPU.

[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.2] quit


Step 6 Configure an ACL.

[SPU] acl 4101
[SPU-acl-L2-4101] rule permit source-mac 000f-1f7e-fec5 l2-protocol ip
[SPU-acl-L2-4101] quit

Step 7 Configure packet filtering.

[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 4101 outbound
[SPU-interzone-trust-untrust] quit

Step 8 Verify the configuration.

Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:

[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
interface Eth-Trunk 1
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
acl 4101
 rule permit source-mac 000f-1f7e-fec5 l2-protocol ip
#
firewall interzone trust untrust
 firewall enable
 packet-filter 4101 outbound
#
inter-vlan-bridge instance 127
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 arp broadcast enable
 l2 binding inter-vlan-bridge instance 127
 zone trust
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 arp broadcast enable
 l2 binding inter-vlan-bridge instance 127
 zone untrust
#
return

- Configuration file of the S9300

#
 vlan batch 101 to 102
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return


4 NAT Configuration

About This Chapter

Network Address Translation (NAT) translates between private and public addresses. It alleviates the shortage of IPv4 addresses and hides the topology of the private network from the outside, which improves network security.

4.1 NAT Overview
NAT enables hosts on a private network to access the public network.

4.2 NAT Features Supported by the SPU
The SPU supports the following NAT features: static NAT, Port Address Translation (PAT), internal server, NAT Application Level Gateway (ALG), Easy IP, twice NAT, and NAT multi-instance.

4.3 Configuring NAT
To implement communication between the private network and the public network through NAT, you can use Easy IP for a single user and an address pool for multiple users.

4.4 Configuration Examples
This section provides several configuration examples of NAT.


4.1 NAT Overview

NAT enables hosts on a private network to access the public network.

Private Network Address and Public Network Address

A private network address, which is also called a private address, is the IP address of an internal network or a host. A public network address, which is also called a public address, is a unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) defines the following IP addresses as private addresses:

- Class A: 10.0.0.0-10.255.255.255
- Class B: 172.16.0.0-172.31.255.255
- Class C: 192.168.0.0-192.168.255.255

After planning the scale of the intranet, an enterprise chooses the proper private address segment for the intranet. The private address segments of different enterprises can overlap each other. If an intranet uses IP addresses outside the defined private address segments, errors may occur during communication with other networks.

Principle of NAT

As shown in Figure 4-1, the private address must be translated when a host on a private network accesses the Internet or interworks with the hosts on a public network.

Figure 4-1 Networking of NAT

[Figure: the internal network (PC 10.1.1.10, WWW client PC 10.1.1.48, and others) sits behind the SPU, whose address on the external network is 203.196.3.23; the WWW Server 202.18.245.251 is on the external network.]

The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network in Web mode.

The host sends a data packet, using port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port remains unchanged. The SPU maintains a mapping table between addresses and ports.

After the Web server responds to the host, the SPU translates the destination IP address/port in the returned data packet to 10.1.1.48:6084. In this manner, the host on the private network can access the server on the public network.

4.2 NAT Features Supported by the SPU

The SPU supports the following NAT features: static NAT, Port Address Translation (PAT), internal server, NAT Application Level Gateway (ALG), Easy IP, twice NAT, and NAT multi-instance.

Static NAT

Static NAT maps a private address to a public address. That is, the number of private addresses is equal to the number of public addresses. Static NAT does not save public addresses, but it does shield the topology of the private network.

When a packet is sent from a private network to the public network, static NAT translates the source IP address of the packet to a public address. When the public network returns a response, static NAT translates the destination IP address of the response packet to the private address.

PAT

PAT, which is also called network address port translation (NAPT), maps multiple private addresses to one public address and so saves public addresses. PAT translates the source IP addresses of packets from hosts on the private network to one public address; the translated source port numbers of these packets differ, so the private addresses can share one public address.

A mapping table between private addresses and ports is maintained for PAT. Before packets from different private addresses are sent to the public network, the PAT-enabled device replaces their source addresses with the same public address but replaces their source port numbers with different port numbers. When the public network returns response packets to the private network, the PAT-enabled device translates the destination IP addresses back to private addresses according to the port numbers. Figure 4-2 shows the networking of PAT.


Figure 4-2 Networking of PAT

[Figure: hosts 192.168.1.2 and 192.168.1.3 behind the SPU share the public address 202.169.10.1. Translations shown:
Datagram 1: Src IP 192.168.1.3, Src Port 23 -> Src IP 202.169.10.1, Src Port 10023
Datagram 2: Src IP 192.168.1.3, Src Port 80 -> Src IP 202.169.10.1, Src Port 10080
Datagram 3: Src IP 192.168.1.2, Src Port 23 -> Src IP 202.169.10.1, Src Port 11023
Datagram 4: Src IP 192.168.1.2, Src Port 80 -> Src IP 202.169.10.1, Src Port 11080]
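The following Python model is added as an illustration of the address and port mapping table described in the NAT principle (Figure 4-1) and in the PAT section (Figure 4-2); it is not part of the guide and not SPU software. Outbound packets create entries, and inbound packets are rewritten only when they answer an existing entry; a packet to the public address with no matching entry is dropped, which is what keeps the private topology hidden. The port allocator (a counter starting at 32814, the port shown in Figure 4-1) and keying the table by the full 5-tuple are assumptions of the model; the probe packet at the end is constructed.

```python
import itertools
from typing import Dict, Optional, Tuple

# Constructed model of PAT (NAPT) with a per-flow mapping table; not SPU code.

Packet = Dict[str, object]   # keys: proto, src, sport, dst, dport


class PatTranslator:
    def __init__(self, public_ip: str, first_port: int = 32814) -> None:
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # assumed allocator
        # (proto, private ip, private port, remote ip, remote port) -> public port
        self.forward: Dict[Tuple, int] = {}
        # (public port, remote ip, remote port, proto) -> (private ip, private port)
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite source address/port, creating a mapping
        on first sight; later packets of the same flow reuse it."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub_port = self.forward.get(key)
        if pub_port is None:
            pub_port = next(self._next_port)
            self.forward[key] = pub_port
            self.reverse[(pub_port, pkt["dst"], pkt["dport"], pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: only a packet answering an existing mapping is
        translated; anything else returns None, meaning it is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.reverse.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}


def figure_4_1_exchange() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Replays the Web access of Figure 4-1: 10.1.1.48:6084 -> 202.18.245.251:80
    behind public address 203.196.3.23, then the server's reply, then an
    unsolicited probe (constructed) to a public port that nobody mapped."""
    nat = PatTranslator("203.196.3.23")
    request = {"proto": "tcp", "src": "10.1.1.48", "sport": 6084,
               "dst": "202.18.245.251", "dport": 80}
    out = nat.outbound(request)
    reply = {"proto": "tcp", "src": "202.18.245.251", "sport": 80,
             "dst": "203.196.3.23", "dport": out["sport"]}
    back = nat.inbound(reply)
    probe = {"proto": "tcp", "src": "198.51.100.9", "sport": 4444,
             "dst": "203.196.3.23", "dport": 32815}
    return out, back, nat.inbound(probe)
```

The same translator with public address 202.169.10.1 gives the two hosts of Figure 4-2 distinct public ports for their port-23 flows, which is the only thing the reverse lookup needs to tell them apart; the specific port values in the figure (10023, 11023) depend on the SPU's allocator, which the model does not reproduce.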

Internal Server

NAT can shield internal hosts. In some applications, however, users on the public network need to access internal hosts, for example a Web server or a File Transfer Protocol (FTP) server.

You can add internal servers flexibly through NAT. For example, use 202.110.10.10 or even 202.110.10.12:8080 as the public address of the Web server, and 202.110.10.11 as the public address of the FTP server. You can also provide multiple identical servers, such as Web servers, to external users.

You can configure an internal server and map the corresponding public address and port to the internal server. In this manner, hosts on the public network can access the internal server.

Easy IP

Easy IP takes the public IP address of the interface as the source address after NAT is performed. In addition, it uses an Access Control List (ACL) to control which private addresses are translated.

NAT ALG

Some application protocols do not work correctly through NAT without special processing: their packets carry IP addresses and/or port numbers in the payload, so a NAT that rewrites only the packet headers breaks the interaction between the protocol peers.

The NAT ALG function is used for NAT traversal of such special protocols. It implements transparent transmission and relay of the packets of a special protocol by also replacing the IP address and port number in the payload. Currently, the NAT ALG of the SPU supports the domain name system (DNS) and FTP.


Twice NAT

The basic NAT technology translates only the source or the destination address of packets, whereas the twice NAT technology translates both the source and the destination addresses. Twice NAT is applicable to the scenario where the IP addresses of hosts on the private and public networks overlap. As shown in Figure 4-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the public network. If PC2 on the private network sends a packet to PC3, the packet would be incorrectly forwarded to PC1. On the SPU, twice NAT configures a mapping between the overlapped address pool and a temporary address pool on top of basic NAT. The overlapped IP address is translated to a unique temporary address so that packets can be forwarded correctly.

Figure 4-3 Networking of twice NAT

[Figure: PC 1 (10.0.0.1/24) and PC 2 on the private network behind the Switch and the SPU; on the public network, a DNS Server and PC 3 (www.web.com, 10.0.0.1/24), whose address overlaps with PC 1.]

You can configure twice NAT on the SPU as follows:

Configure basic NAT (many-to-many NAT): configure a NAT address pool that contains the IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the WAN interface.

Configure the mapping between a group of overlapped addresses and the temporary addresses: 10.0.0.0 to 3.0.0.0.

The mapping indicates that one overlapped address pool maps to one temporary address pool. The translation rule is as follows:

Temporary address = Start IP address in the temporary address pool + (Overlapped IP address - Start IP address in the overlapped address pool)

Overlapped address = Start IP address in the overlapped address pool + (Temporary IP address - Start IP address in the temporary address pool)

When PC2 on the private network accesses PC3 on the public network through the domain name, the packet is processed as follows:

1. PC2 sends a DNS request to resolve the domain name www.web.com of the Web server. After the DNS server resolves the request, the SPU receives the response packet from the DNS server. The SPU parses the address 10.0.0.1 in the payload of the response packet and detects that it is an overlapped address (it matches the overlapped address pool). The SPU then translates the address 10.0.0.1 to the temporary address 3.0.0.1, translates the destination address of the response packet through basic NAT, and sends it to PC2.


2. PC2 uses the temporary address 3.0.0.1 corresponding to www.web.com to access the public network. When the packet reaches the SPU, the SPU translates the source address of the packet through basic NAT and then translates the destination address (that is, the temporary address) of the packet to the overlapped address 10.0.0.1.

3. The SPU sends the packet out of the WAN interface. The packet is then forwarded to PC3 hop by hop.

4. When the packet sent from PC3 to PC2 reaches the SPU, the SPU checks the source address 10.0.0.1, which is the overlapped address (it matches the overlapped address pool). The SPU then translates the source address to the temporary address 3.0.0.1, translates the destination address of the response packet through basic NAT, and sends it to PC2.
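The following Python model is added as an illustration of the twice NAT translation rule and of the four processing steps above; it is not part of the guide and not SPU software. The pool values come from the text (NAT pool 200.0.0.1 to 200.0.0.100, overlapped pool 10.0.0.0 mapped to temporary pool 3.0.0.0). The size of the overlapped and temporary pools (256 addresses) and the private address of PC2 (10.0.0.2) are not stated in the guide and are assumptions; the many-to-many basic NAT is simplified to a first-free allocation from the pool.

```python
import ipaddress
from typing import Dict, Optional

# Constructed model of twice NAT on top of basic NAT; not SPU code.

OVERLAP_START = ipaddress.IPv4Address("10.0.0.0")   # overlapped address pool start (from the text)
TEMP_START = ipaddress.IPv4Address("3.0.0.0")       # temporary address pool start (from the text)
POOL_SIZE = 256                                     # assumed size of both pools


def to_temporary(addr: str) -> Optional[str]:
    """Temporary = temporary start + (overlapped - overlapped start);
    None when addr is not in the overlapped pool."""
    offset = int(ipaddress.IPv4Address(addr)) - int(OVERLAP_START)
    return str(TEMP_START + offset) if 0 <= offset < POOL_SIZE else None


def to_overlapped(addr: str) -> Optional[str]:
    """Overlapped = overlapped start + (temporary - temporary start);
    None when addr is not in the temporary pool."""
    offset = int(ipaddress.IPv4Address(addr)) - int(TEMP_START)
    return str(OVERLAP_START + offset) if 0 <= offset < POOL_SIZE else None


class BasicNat:
    """Many-to-many basic NAT with the pool 200.0.0.1-200.0.0.100 (simplified
    to first-free allocation; the SPU's allocation policy is not described)."""

    def __init__(self) -> None:
        self.pool = [str(ipaddress.IPv4Address("200.0.0.1") + i) for i in range(100)]
        self.fwd: Dict[str, str] = {}   # private -> public
        self.rev: Dict[str, str] = {}   # public -> private

    def translate_source(self, private_ip: str) -> str:
        if private_ip not in self.fwd:
            public = self.pool[len(self.fwd)]   # IndexError when the pool is exhausted
            self.fwd[private_ip] = public
            self.rev[public] = private_ip
        return self.fwd[private_ip]

    def translate_destination(self, public_ip: str) -> Optional[str]:
        return self.rev.get(public_ip)


class TwiceNat:
    def __init__(self) -> None:
        self.basic = BasicNat()

    def dns_answer(self, answer_ip: str) -> str:
        # Step 1: the DNS ALG rewrites an overlapped answer to its temporary address
        # (header translation of the DNS response itself is left out here).
        return to_temporary(answer_ip) or answer_ip

    def outbound(self, pkt: Dict[str, str]) -> Dict[str, str]:
        # Step 2: source through basic NAT; a temporary destination back to the
        # real (overlapped) address. Step 3, plain forwarding, needs no rewriting.
        real_dst = to_overlapped(pkt["dst"]) or pkt["dst"]
        return {"src": self.basic.translate_source(pkt["src"]), "dst": real_dst}

    def inbound(self, pkt: Dict[str, str]) -> Optional[Dict[str, str]]:
        # Step 4: an overlapped source becomes its temporary address; the public
        # destination is restored by basic NAT. No session for the pool address: drop.
        private_dst = self.basic.translate_destination(pkt["dst"])
        if private_dst is None:
            return None
        return {"src": to_temporary(pkt["src"]) or pkt["src"], "dst": private_dst}


def walkthrough() -> Dict[str, object]:
    """PC2 (assumed 10.0.0.2) resolves www.web.com, contacts PC3 (10.0.0.1)
    via the temporary address, and receives PC3's reply."""
    nat = TwiceNat()
    resolved = nat.dns_answer("10.0.0.1")
    out = nat.outbound({"src": "10.0.0.2", "dst": resolved})
    back = nat.inbound({"src": "10.0.0.1", "dst": out["src"]})
    return {"resolved": resolved, "outbound": out, "inbound": back}
```

PC2 only ever sees PC3 as 3.0.0.1, so its own routing and ARP never confuse PC3 with PC1; the packet that leaves the WAN interface carries the real address 10.0.0.1 together with a pool source such as 200.0.0.1, and the reply is mapped back symmetrically.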

Source Address Associated with the VPN Before NAT Is Performed

The SPU enabled with NAT allows users on private networks to access the public network, and allows users of different VPNs to access the public network through the same egress. In addition, users in different VPNs that have the same IP address can access the public network.

NAT Server Associated with the VPN

The SPU enabled with NAT supports association between the VPN and the NAT server, and allows users on the public network to access hosts in the VPN. This applies to the scenario where the IP addresses of multiple VPNs overlap.

4.3 Configuring NAT

To implement communication between the private network and the public network through NAT, you can use Easy IP for a single user and an address pool for multiple users.

4.3.1 Establishing the Configuration Task
Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

4.3.2 Configuring an Address Pool
When multiple users on the private network access the public network, you can configure a NAT address pool.

4.3.3 Associating an ACL with an Address Pool
The ACL controls which internal users can access public networks through NAT, so that the administrator can manage internal users in a fine-grained way.

4.3.4 Configuring Easy IP
Easy IP takes the IP address of the interface as the source address of data packets matching an ACL. If a VRRP virtual address exists on the interface, the virtual address is used for network address translation.

4.3.5 Configuring an Internal NAT Server
If a server is deployed on the private network, the security of the server can be improved and attacks by users from the public network can be prevented, while normal users can still access the server.

4.3.6 Configuring Static NAT
Static NAT maps a private address to a public address. Static NAT does not save public addresses, but it does shield the topology of the private network.

4.3.7 Enabling NAT ALG
If NAT is used for protocol packets encapsulated into IP data packets, errors may occur. The NAT ALG function can normally translate the protocol packets.

4.3.8 Configuring DNS Mapping
On the private network, different servers such as the FTP server and Web server are deployed, but no DNS server is deployed. If hosts on the private network want to differentiate and access corresponding servers through domain names, you can configure DNS mapping.

4.3.9 Configuring Twice NAT
Twice NAT refers to translation of source and destination IP addresses of a data packet. It is applied to the situation where IP addresses of internal hosts and external hosts are overlapped.

4.3.10 Checking the Configuration
After NAT is configured, you can view information about NAT.

4.3.1 Establishing the Configuration Task

Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

NAT needs to be configured at the juncture between the private network and the public network. Private and public addresses can be translated through NAT.

Pre-configuration Tasks

Before configuring NAT, complete the following task:

- Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation

To configure NAT, you need the following data.

No.  Data

1    Number of the public address pool, start IP address, and end IP address

2    Number of the basic ACL or advanced ACL

3    Information about the internal server, including the protocol type, public address, public port number, private address (the VPN instance may be included), and private port number (optional)

4    Information about static NAT, including the protocol type, public address, public port number, private address (the VPN instance may be included), private port number (optional), and subnet mask

5    Index of the overlapped address pool and temporary address pool, start IP address, address pool length, and VPN instance (optional)

6    Domain name, public address, and public port number

4.3.2 Configuring an Address Pool

When multiple users on the private network access the public network, you can configure the NAT address pool.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: nat address-group group-index start-address end-address

A public address pool is configured.

A public address pool is a set of public addresses. When NAT is performed on the internal data packets, the SPU selects an IP address from the address pool as the source address.

The public address pools are numbered with numerals. Up to 1024 address pools can be configured.

By default, no public address pool is configured on the SPU.

----End

4.3.3 Associating an ACL with an Address Pool

The ACL controls internal users who can access public networks through NAT so that the administrator can implement refined management for internal users.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number.subnumber

The interface view is displayed.

Step 3 Run: nat outbound acl-number address-group group-index [ no-pat ]

An ACL rule is associated with an address pool.

After an ACL is associated with an address pool, the SPU translates source addresses of data packets matching the ACL to an IP address in the address pool. On the same interface, different ACLs can be associated with different address pools. Up to 16 such associations can be configured on each interface.

no-pat indicates one-to-one NAT, that is, only the IP address in a datagram is translated and the port number is not translated.

----End
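Added example (Python, not part of the guide) modelling what the no-pat keyword of nat outbound changes. It assumes a constructed two-address pool shared by three private hosts and a callable standing in for the basic ACL; with PAT many hosts share one pool address through distinct ports, with no-pat each host consumes a whole pool address and the third host finds the pool exhausted.

```python
from __future__ import annotations

import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Endpoint = Tuple[IPv4, int]


def address_group(start: str, end: str) -> List[IPv4]:
    """'nat address-group group-index start-address end-address': an inclusive public range."""
    first, last = IPv4(start), IPv4(end)
    if last < first:
        raise ValueError("end-address precedes start-address")
    return [IPv4(n) for n in range(int(first), int(last) + 1)]


class OutboundNat:
    """'nat outbound acl-number address-group group-index [ no-pat ]' on one interface.
    acl_permits stands in for the basic ACL: only sources it permits are translated."""

    def __init__(self, acl_permits: Callable[[IPv4], bool], pool: List[IPv4],
                 no_pat: bool = False):
        self.acl_permits = acl_permits
        self.pool = pool
        self.no_pat = no_pat
        self.addr_map: Dict[IPv4, IPv4] = {}           # no-pat: private address -> public address
        self.port_map: Dict[Endpoint, Endpoint] = {}   # PAT: (private addr, port) -> (public addr, port)
        self.next_port = 1024                          # constructed port allocator for PAT

    def translate(self, src: IPv4, sport: int) -> Optional[Endpoint]:
        """Translated (address, port) of the source, or None when no translation is made."""
        if not self.acl_permits(src):
            return None                                # ACL miss: this rule does not apply
        return self._one_to_one(src, sport) if self.no_pat else self._pat(src, sport)

    def _one_to_one(self, src: IPv4, sport: int) -> Optional[Endpoint]:
        if src not in self.addr_map:
            free = [a for a in self.pool if a not in self.addr_map.values()]
            if not free:
                return None                            # pool exhausted: no address for a new host
            self.addr_map[src] = free[0]
        return (self.addr_map[src], sport)             # only the address changes, port untouched

    def _pat(self, src: IPv4, sport: int) -> Endpoint:
        key = (src, sport)
        if key not in self.port_map:
            self.port_map[key] = (self.pool[0], self.next_port)   # one public address, many ports
            self.next_port += 1
        return self.port_map[key]


def demo() -> Tuple[List[Optional[Endpoint]], List[Optional[Endpoint]]]:
    """Constructed scenario: PAT and no-pat translations of the same three hosts."""
    pool = address_group("202.169.10.100", "202.169.10.101")      # constructed pool
    inside = ipaddress.IPv4Network("192.168.20.0/24")              # assumed ACL scope
    hosts = [(IPv4("192.168.20.2"), 40000), (IPv4("192.168.20.3"), 40000),
             (IPv4("192.168.20.4"), 40000)]
    pat = OutboundNat(lambda a: a in inside, pool)
    one_to_one = OutboundNat(lambda a: a in inside, pool, no_pat=True)
    return [pat.translate(*h) for h in hosts], [one_to_one.translate(*h) for h in hosts]
```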

4.3.4 Configuring Easy IP

Easy IP takes the IP address of the interface as the source address of data packets matching an ACL. If a VRRP virtual address exists on the interface, the virtual address is used for network address translation.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number.subnumber

The interface view is displayed.

Step 3 Run: nat outbound acl-number

Easy IP is configured.

----End

4.3.5 Configuring an Internal NAT Server

If a server is deployed on the private network, the security of the server can be improved and attacks of users from the public network can be prevented. In addition, normal users can access the server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number.subnumber

The interface view is displayed.

Step 3 Run one of the following commands:

- nat server protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ]

- nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ]

The internal NAT server is configured.

After the internal NAT server is configured, users on the public network can access servers on the private network. When a host on the public network sends a connection request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request to a private address (host-address). The request is then forwarded to the server on the private network.

Up to 1024 NAT servers and NAT static entries can be configured on the SPU, and up to 64 NAT servers and NAT static entries can be configured on each interface.

NOTE

When configuring the internal NAT server, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.

----End

4.3.6 Configuring Static NAT

Static NAT maps a private address to a public address. Static NAT cannot save public addresses, but can shield the topology of the private network.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number.subnumber

The interface view is displayed.

Step 3 Run one of the following commands:

- nat static protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ]

- nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ]

Static NAT is configured.

NOTE

When configuring static NAT, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.

----End

4.3.7 Enabling NAT ALG

If NAT is used for protocol packets encapsulated into IP data packets, errors may occur. The NAT ALG function can normally translate the protocol packets.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: nat alg { all | dns | ftp } enable

The NAT ALG function is enabled.

After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the public network through NAT. Otherwise, the application protocol cannot work normally.

all indicates that NAT traversal can be used for DNS and FTP.

----End

4.3.8 Configuring DNS Mapping

On the private network, different servers such as the FTP server and Web server are deployed, but no DNS server is deployed. If hosts on the private network want to differentiate and access corresponding servers through domain names, you can configure DNS mapping.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: nat dns-map domain-name global-address global-port { tcp | udp }

The mapping from domain names to public IP addresses, port numbers, and protocol types is configured.

Up to 64 mapping entries can be configured on the SPU.

----End

4.3.9 Configuring Twice NAT

Twice NAT refers to translation of source and destination IP addresses of a data packet. It is applied to the situation where IP addresses of internal hosts and external hosts are overlapped.

Context

When IP addresses of internal hosts and external hosts are overlapped, you need to configure the mapping between the overlapped address pool and the temporary address pool. After the mapping is configured, the overlapped address is translated to a unique temporary address. The packets can then be forwarded correctly. In addition, you need to configure NAT outbound to implement twice NAT.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

Twice NAT is configured.

The overlapped address pool and temporary address pool are sets of consecutive IP addresses. The lengths of the two address pools are the same, and up to 255 IP addresses can be configured in each of the two address pools.

Up to 128 mapping entries between the overlapped address pool and the temporary address pool can be configured globally.

When the VPN instance of the configuration is deleted, the configuration of twice NAT is also deleted.

----End
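Added example (Python, not part of the guide) modelling the nat overlap-address mapping configured above together with the four-step PC2 walk-through at the start of this chapter: an overlapped address at offset i of the overlapped pool maps to offset i of the temporary pool, add_map enforces the 255-address and 128-entry limits, and demo() carries the DNS reply, the outbound packet and the reply from PC3 through the translation. The public pool 202.169.10.100 and the PC2 address 10.0.0.100 are constructed; the overlapped address 10.0.0.1 and temporary address 3.0.0.1 are the ones in the walk-through.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
MAX_POOL_LENGTH = 255    # each pool holds at most 255 addresses (limit stated in 4.3.9)
MAX_OVERLAP_MAPS = 128   # at most 128 mappings system-wide (limit stated in 4.3.9)


@dataclass(frozen=True)
class OverlapMap:
    """One 'nat overlap-address' entry: an overlapped pool mapped one-to-one onto a
    temporary pool of the same length, address i of one pool to address i of the other."""
    map_index: int
    overlap_start: IPv4
    temp_start: IPv4
    pool_length: int
    inside_vpn_instance: Optional[str] = None

    def _offset(self, addr: IPv4, start: IPv4) -> Optional[int]:
        off = int(addr) - int(start)
        return off if 0 <= off < self.pool_length else None

    def overlap_to_temp(self, addr: IPv4) -> Optional[IPv4]:
        off = self._offset(addr, self.overlap_start)
        return None if off is None else self.temp_start + off

    def temp_to_overlap(self, addr: IPv4) -> Optional[IPv4]:
        off = self._offset(addr, self.temp_start)
        return None if off is None else self.overlap_start + off


class TwiceNat:
    """Twice NAT data path: overlap-map lookup on one address of the packet and
    basic NAT (a public address group, as with 'nat outbound') on the other."""

    def __init__(self, address_group: List[IPv4]):
        self.maps: Dict[int, OverlapMap] = {}
        self.address_group = address_group      # public pool used by basic NAT
        self.bindings: Dict[IPv4, IPv4] = {}    # private source -> public source

    def add_map(self, m: OverlapMap) -> None:
        if not 1 <= m.pool_length <= MAX_POOL_LENGTH:
            raise ValueError("pool-length must be 1..255")
        if m.map_index in self.maps:
            raise ValueError(f"map-index {m.map_index} already configured")
        if len(self.maps) >= MAX_OVERLAP_MAPS:
            raise ValueError("at most 128 overlap-address mappings")
        self.maps[m.map_index] = m

    def _to_temp(self, addr: IPv4) -> IPv4:
        for m in self.maps.values():
            t = m.overlap_to_temp(addr)
            if t is not None:
                return t
        return addr                             # not an overlapped address: unchanged

    def _to_overlap(self, addr: IPv4) -> IPv4:
        for m in self.maps.values():
            o = m.temp_to_overlap(addr)
            if o is not None:
                return o
        return addr

    def _basic_nat(self, private_src: IPv4) -> IPv4:
        if private_src not in self.bindings:
            used = set(self.bindings.values())
            free = [a for a in self.address_group if a not in used]
            if not free:
                raise RuntimeError("address group exhausted")
            self.bindings[private_src] = free[0]
        return self.bindings[private_src]

    def rewrite_dns_answer(self, answer: IPv4) -> IPv4:
        """Step 1: the DNS ALG replaces an overlapped address in the reply payload."""
        return self._to_temp(answer)

    def outbound(self, src: IPv4, dst: IPv4) -> Tuple[IPv4, IPv4]:
        """Step 2: source through basic NAT, destination temporary -> overlapped."""
        return self._basic_nat(src), self._to_overlap(dst)

    def inbound(self, src: IPv4, dst: IPv4) -> Optional[Tuple[IPv4, IPv4]]:
        """Step 4: source overlapped -> temporary, destination back through basic NAT.
        Returns None when no binding exists (unsolicited inbound traffic)."""
        for private, public in self.bindings.items():
            if public == dst:
                return self._to_temp(src), private
        return None


def demo() -> Tuple[IPv4, Tuple[IPv4, IPv4], Optional[Tuple[IPv4, IPv4]]]:
    """Constructed walk-through of steps 1, 2 and 4 with the addresses from the chapter."""
    nat = TwiceNat([IPv4("202.169.10.100")])                # constructed public pool
    nat.add_map(OverlapMap(1, IPv4("10.0.0.1"), IPv4("3.0.0.1"), 4))
    pc2 = IPv4("10.0.0.100")                                 # constructed address for PC2
    temp = nat.rewrite_dns_answer(IPv4("10.0.0.1"))          # www.web.com -> 3.0.0.1
    out = nat.outbound(pc2, temp)                            # (202.169.10.100, 10.0.0.1)
    back = nat.inbound(IPv4("10.0.0.1"), out[0])             # (3.0.0.1, 10.0.0.100)
    return temp, out, back
```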

4.3.10 Checking the Configuration

After NAT is configured, you can view information about NAT.

Procedure

- Run the display nat alg command to check whether the NAT ALG function is enabled.

- Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.

- Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.

- Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command to check information about NAT outbound.

- Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.

- Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.

- Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.

----End

Example

# Display the configuration of NAT ALG.

<Quidway> system-view
[Quidway] display nat alg
NAT Application Level Gateway Information:
----------------------------------
 Application   Status
----------------------------------
 ftp           Disabled
 dns           Disabled
----------------------------------

# Display the configuration of DNS mapping.

<Quidway> system-view
[Quidway] display nat dns-map
--------------------------------------------------------------------
 Domain name   IP address   Port   Protocol
--------------------------------------------------------------------
 huawei        10.10.10.1   2012   tcp
--------------------------------------------------------------------
 DNS-Mapping : 1

# Display the configuration of outbound NAT.

<Quidway> system-view
[Quidway] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface                 Acl    Address-group/IP   Type
 -----------------------------------------------------------------
 XGigabitEthernet0/0/1.1   2010   0.0.0.0            easyip
 -----------------------------------------------------------------
 Total : 1

# Display all the NAT address pools.

<Quidway> display nat address-group
NAT Address-Group Information:
 --------------------------------------
 Index   Start-address   End-address
 --------------------------------------
 1       201.1.1.1       201.1.1.10
 2       10.10.10.10     10.10.10.15
 --------------------------------------
 Total : 2

Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command, and you can view the mapping between the overlapped address pool and the temporary address pool. For example:

# Display the configuration of all the overlapped address pools.

<Quidway> system-view
[Quidway] display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id   Overlap-Address   Temp-Address   Pool-Length   Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 1    10.2.2.2          3.3.10.10      255           cmml
 -------------------------------------------------------------------------------
 Total : 1

Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command, and you can view the configuration of the NAT server. For example:

# Display the configuration of all NAT servers.

<Quidway> system-view
[Quidway] display nat server
 Nat Server Information:
 Interface         : XGigabitEthernet0/0/1.1
 Global IP/Port    : 210.10.10.1 21(smtp)
 Inside IP/Port    : 10.10.10.1 25(smtp)
 Protocol          : 6(tcp)
 VPN instance-name : ----

 Total : 1

Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command, and you can view the configuration of static NAT. For example:

# Display the global configuration of static NAT.

<Quidway> system-view
[Quidway] display nat static
 Static Nat Information:
 Interface         : XGigabitEthernet0/0/1.1
 Global IP/Port    : 212.10.10.1 21(smtp)
 Inside IP/Port    : 100.10.10.1 25(smtp)
 Protocol          : 6(tcp)
 VPN instance-name : ----
 Netmask           : 255.255.255.0

 Total : 1

4.4 Configuration Examples

This section provides several configuration examples of NAT.

4.4.1 Example for Configuring the NAT Server

4.4.2 Example for Configuring Static NAT

4.4.3 Example for Configuring Outbound NAT

4.4.4 Example for Configuring Twice NAT

4.4.1 Example for Configuring the NAT Server

Networking Requirements

As shown in Figure 4-4, the intranet of company A is connected to the WAN through NAT enabled on the SPU. Company A provides the Web server for users on the public network to access. The private IP address of the Web server is 192.168.20.2:8080 and its public address is 202.169.10.5.

The intranet of company B is connected to the WAN through NAT enabled on the SPU. On the VPN, company B provides the FTP server for users on the public network who want to access the intranet of company B. The private IP address of the FTP server is 10.0.0.3 and its public address is 202.169.10.33.

The SPU is installed in slot 5 of the S9300.

Figure 4-4 Networking diagram for configuring the NAT server [diagram not reproduced; labels in the figure: VLAN 101 GE2/0/1, VLAN 102 GE2/0/2, VLAN 103 GE2/0/3, 202.169.10.2/24, XGE5/0/0, XGE5/0/1, Eth-Trunk1.1, Eth-Trunk1.2, Switch, Company A WWW Server 192.168.20.2, Company B FTP Server 10.0.0.3/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU through NAT.

2. Configure the internal server.

3. Enable the NAT ALG function for FTP.

Procedure

Step 1 Import flows from the S9300 to the SPU through NAT.

1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure the internal server on the SPU.
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
[SPU-Eth-Trunk1.2] quit

Step 3 On the SPU, enable the NAT ALG function for FTP.
[SPU] nat alg ftp enable

Step 4 Verify the configuration.

Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command on the SPU, and you can view the following information:

[SPU] display nat server
 Nat Server Information:
 Interface         : Eth-Trunk1.2
 Global IP/Port    : 202.169.10.5 80(www)
 Inside IP/Port    : 192.168.20.2 8080
 Protocol          : 6(tcp)
 VPN instance-name : ----

 Global IP/Port    : 202.169.10.33 21(ftp)
 Inside IP/Port    : 10.0.0.3 21(ftp)
 Protocol          : 6(tcp)
 VPN instance-name : vpn_b

 Total : 2

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
ip vpn-instance vpn_b
 route-distinguisher 0:1
#
nat alg ftp enable
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
#
interface Eth-Trunk1.3
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip binding vpn-instance vpn_b
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return

- Configuration file of the S9300

#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4.4.2 Example for Configuring Static NAT

Networking Requirements

As shown in Figure 4-5, the intranet of company A is connected to the WAN through NAT enabled on the SPU. Company A provides two Web servers for users on the public network who want to access the intranet of company A. The private IP addresses of the Web servers are in the range of 192.168.20.2:8080 to 192.168.20.3:8080 (the network segment is 192.168.20.2 and the mask is 255.255.255.254). The public addresses are in the range of 202.169.10.2 to 202.169.10.3 (the network segment is 202.169.10.2 and the mask is 255.255.255.254). Each private address maps to one public address.

The intranet of company B is connected to the WAN through NAT enabled on the SPU. On the VPN, company B provides four FTP servers for users on the public network who want to access the intranet of company B. The private IP addresses of the FTP servers are in the range of 10.0.0.0 to 10.0.0.3 (the network segment is 10.0.0.0 and the mask is 255.255.255.252). The public addresses are in the range of 202.169.10.32 to 202.169.10.35 (the network segment is 202.169.10.32 and the mask is 255.255.255.252).

The SPU is installed in slot 5 on the S9300.
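Added example (Python, not part of the guide) modelling the netmask form of nat static from 4.3.6 with the two entries of this example, and check_entry applying the NOTE in 4.3.6. It assumes that the block an entry covers is the network containing the configured address (the reading under which inside 10.0.0.2 with netmask 255.255.255.252 covers 10.0.0.0 to 10.0.0.3, as the requirements above state), that global and inside blocks map to each other by host offset, and writes the keyword ports www and ftp as 80 and 21.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Endpoint = Tuple[IPv4, int]


@dataclass(frozen=True)
class StaticNat:
    """One 'nat static' entry. With 'netmask', the entry covers a block of addresses:
    the global and inside blocks have the same size and map to each other by host offset."""
    protocol: str
    global_addr: IPv4
    global_port: int
    inside_addr: IPv4
    inside_port: int
    netmask: IPv4 = IPv4("255.255.255.255")   # no netmask keyword: a single host
    vpn_instance: Optional[str] = None

    def _block(self, addr: IPv4) -> ipaddress.IPv4Network:
        # Assumption: the block is the network that contains the configured address,
        # so inside 10.0.0.2 with netmask 255.255.255.252 covers 10.0.0.0 to 10.0.0.3.
        return ipaddress.IPv4Network((str(addr), str(self.netmask)), strict=False)

    def pairs(self) -> List[Tuple[IPv4, IPv4]]:
        """Every (global, inside) address pair the entry installs."""
        return list(zip(self._block(self.global_addr), self._block(self.inside_addr)))

    def inbound(self, dst: IPv4, dport: int, proto: str) -> Optional[Endpoint]:
        """Public -> private: rewrite the destination when protocol, port and address match."""
        g = self._block(self.global_addr)
        if proto != self.protocol or dport != self.global_port or dst not in g:
            return None
        offset = int(dst) - int(g.network_address)
        return (self._block(self.inside_addr).network_address + offset, self.inside_port)

    def outbound(self, src: IPv4, sport: int, proto: str) -> Optional[Endpoint]:
        """Private -> public: the fixed reverse mapping (static NAT works in both directions)."""
        i = self._block(self.inside_addr)
        if proto != self.protocol or sport != self.inside_port or src not in i:
            return None
        offset = int(src) - int(i.network_address)
        return (self._block(self.global_addr).network_address + offset, self.global_port)


def check_entry(entry: StaticNat, interface_addrs: Iterable[IPv4],
                pool_addrs: Iterable[IPv4]) -> List[str]:
    """The NOTE in 4.3.6: global-address and host-address must differ from interface
    addresses and from addresses in the user address pool. Returns the violations found."""
    reserved = set(interface_addrs) | set(pool_addrs)
    problems: List[str] = []
    for g, i in entry.pairs():
        if g in reserved:
            problems.append(f"global {g} is an interface or address-pool address")
        if i in reserved:
            problems.append(f"inside {i} is an interface or address-pool address")
    return problems


# The two entries of this configuration example (www = 80, ftp = 21).
WWW_ENTRY = StaticNat("tcp", IPv4("202.169.10.2"), 80, IPv4("192.168.20.2"), 8080,
                      IPv4("255.255.255.254"))
FTP_ENTRY = StaticNat("tcp", IPv4("202.169.10.32"), 21, IPv4("10.0.0.2"), 21,
                      IPv4("255.255.255.252"), "vpn_b")
```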

Figure 4-5 Networking diagram for configuring static NAT [diagram not reproduced; labels in the figure: VLAN 101 GE2/0/1, VLAN 102 GE2/0/2, VLAN 103 GE2/0/3, 202.169.10.2/24, XGE5/0/0, XGE5/0/1, Eth-Trunk1.1, Eth-Trunk1.2, Switch, Company A WWW Server 192.168.20.2 192.168.20.3, Company B FTP Server 10.0.0.0~3/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU through NAT.

2. Configure static NAT.

Procedure

Step 1 Import flows from the S9300 to the SPU through NAT.

1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure static NAT on the SPU.
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.32 ftp inside 10.0.0.2 ftp vpn-instance vpn_b netmask 255.255.255.252
[SPU-Eth-Trunk1.2] quit

Step 3 Verify the configuration.

Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command on the SPU, and you can view the following information:

[SPU] display nat static
 Static Nat Information:
 Interface         : Eth-Trunk1.2
 Global IP/Port    : 202.169.10.2 80(www)
 Inside IP/Port    : 192.168.20.2 8080
 Protocol          : 6(tcp)
 VPN instance-name : ----
 Netmask           : 255.255.255.254

 Global IP/Port    : 202.169.10.32 21(ftp)
 Inside IP/Port    : 10.0.0.2 21(ftp)
 Protocol          : 6(tcp)
 VPN instance-name : vpn_b
 Netmask           : 255.255.255.252

 Total : 2

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
ip vpn-instance vpn_b
 route-distinguisher 0:1
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254
 nat static protocol tcp global 202.169.10.32 ftp inside 10.0.0.2 ftp vpn-instance vpn_b netmask 255.255.255.252
#
interface Eth-Trunk1.3
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip binding vpn-instance vpn_b
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return

- Configuration file of the S9300

#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4.4.3 Example for Configuring Outbound NAT

Networking Requirements

As shown in Figure 4-6, the intranet of company A is connected to the WAN through NAT enabled on the SPU to access the Web server on the WAN. To ensure the security of the intranet of company A, you need to translate the IP addresses of hosts of company A on the network segment 192.168.20.0 to IP addresses in the public address pool (202.169.10.100 to 202.169.10.200) so that hosts of company A can access servers on the WAN.

The intranet of company B is connected to the WAN through NAT enabled on the SPU to access the FTP server on the WAN. On the VPN, the public IP addresses of company B are insufficient. To ensure the security of the intranet of company B, you need to translate the IP addresses of hosts of company A on the network segment 10.0.0.0 to IP addresses in the public address pool (202.169.10.80 to 202.169.10.83) so that hosts of company B can access servers on the WAN.

The SPU is installed in slot 5 on the S9300, and GE 2/0/1 and GE 2/0/2 import traffic to the SPU.

Figure 4-6 Networking diagram for configuring outbound NAT [diagram not reproduced; labels in the figure: VLAN 101 GE2/0/1, VLAN 102 GE2/0/2, VLAN 103 GE2/0/3, 202.169.10.2/24, XGE5/0/0, XGE5/0/1, Eth-Trunk1.1, Eth-Trunk1.2, Switch, Company A PC 1...PC n 192.168.20.2, VPN Company B PC 1...PC n 10.0.0.2/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU through NAT.

2. Configure outbound NAT.

Procedure

Step 1 Import flows from the S9300 to the SPU through NAT.

1. Import flows from the S9300 to the SPU.

<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure outbound NAT on the SPU.

[SPU] nat address-group 1 202.169.10.100 202.169.10.200
[SPU] nat address-group 2 202.169.10.80 202.169.10.83
[SPU] acl 2000
[SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[SPU-acl-basic-2000] quit
[SPU] acl 2001
[SPU-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255 vpn-instance vpn_b
[SPU-acl-basic-2001] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat
[SPU-Eth-Trunk1.2] nat outbound 2001 address-group 2
[SPU-Eth-Trunk1.2] quit

Step 3 Verify the configuration.

Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command on the SPU, and you can view the following information:

[SPU] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface          Acl    Address-group/IP    Type
 -----------------------------------------------------------------
 Eth-Trunk1.2       2000   1                   no-pat
 Eth-Trunk1.2       2001   2                   pat
 -----------------------------------------------------------------
 Total : 2

----End


Configuration Files

l Configuration file of the SPU

#
 sysname SPU
#
ip vpn-instance vpn_b
 route-distinguisher 0:1
#
acl number 2000
 rule 5 permit source 192.168.20.0 0.0.0.255
#
acl number 2001
 rule 5 permit source 10.0.0.0 0.0.0.255 vpn-instance vpn_b
#
nat address-group 1 202.169.10.100 202.169.10.200
nat address-group 2 202.169.10.80 202.169.10.83
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat outbound 2000 address-group 1 no-pat
 nat outbound 2001 address-group 2
#
interface Eth-Trunk1.3
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip binding vpn-instance vpn_b
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return

l Configuration file of the S9300

#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4.4.4 Example for Configuring Twice NAT

Networking Requirements

Common NAT translates only the source address or only the destination address of a packet, whereas twice NAT translates both the source and the destination address. Twice NAT is applicable to the scenario where IP addresses of hosts on the private and public networks overlap. As shown in Figure 4-7, the IP address of PC1 on the private network is the same as the IP address of host A on the public network. If PC1 on the private network sends a packet to host A, the packet is incorrectly forwarded to PC2. On the SPU, twice NAT configures the mapping between the overlapped address pool and the temporary address pool on top of common NAT. The overlapped IP address is translated to a unique temporary address so that packets can be forwarded correctly.

The SPU is installed in slot 5 of the S9300.

Figure 4-7 Networking diagram for configuring twice NAT

(Diagram labels: VPN of company A, PC 1, 192.168.20.2/24, VLAN 101 on GE2/0/1; VPN of company B, PC 2, 192.168.20.2/24, VLAN 102 on GE2/0/2; WAN 202.169.10.2/24, VLAN 103 on GE2/0/3; Host A 192.168.20.2/24; DNS Server; www.Server.com; Switch, XGE5/0/0 and XGE5/0/1; SPU Eth-Trunk1.1 and Eth-Trunk1.2)

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the S9300 to the SPU through NAT.

2. Configure the mapping between the overlapped address pool and the temporary address pool.

3. Configure common NAT outbound.

Procedure

Step 1 Import flows from the S9300 to the SPU through NAT.

1. Import flows from the S9300 to the SPU.

<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] ip vpn-instance vpna
[SPU-vpn-instance-vpna] route-distinguisher 1:1
[SPU-vpn-instance-vpna] quit
[SPU] ip vpn-instance vpnb
[SPU-vpn-instance-vpnb] route-distinguisher 2:2
[SPU-vpn-instance-vpnb] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip binding vpn-instance vpna
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 103
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 102
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpnb
[SPU-Eth-Trunk1.3] ip address 192.168.25.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure DNS mapping on the SPU so that the IP address of host A returned from the DNS server to PC1 is translated to a unique temporary address.

[SPU] nat alg dns enable
[SPU] nat dns-map www.Server.com 192.168.20.2 80 tcp

Step 3 Configure the mapping between the overlapped address pool and the temporary address pool on the SPU.

[SPU] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna

Step 4 Configure the static route from the temporary address pool to Eth-Trunk 1.2 on the SPU.

[SPU] ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2

Step 5 On the outbound sub-interface Eth-Trunk1.2 of the SPU, configure outbound NAT for host A.

1. Create an ACL and configure an ACL rule to allow packets of host A to pass through.

[SPU] acl 3180
[SPU-acl-adv-3180] rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255
[SPU-acl-adv-3180] quit

2. Configure the NAT address pool for outbound NAT.

[SPU] nat address-group 1 160.160.0.2 160.160.0.254

3. On the outbound sub-interface Eth-Trunk1.2, configure outbound NAT for host A.

[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat outbound 3180 address-group 1
[SPU-Eth-Trunk1.2] quit

Step 6 Verify the configuration.

Run the display nat overlap-address all command on the SPU, and you can view the mapping between the overlapped address pool and the temporary address pool.

[SPU] display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
 Id   Overlap-Address   Temp-Address    Pool-Length   Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
 0    192.168.20.2      202.169.100.2   254           vpna
 -------------------------------------------------------------------------------
 Total : 1

Run the display nat outbound command on the SPU, and you can view information about outbound NAT.

[SPU] display nat outbound
 NAT Outbound Information:
 -----------------------------------------------------------------
 Interface          Acl    Address-group/IP    Type
 -----------------------------------------------------------------
 Eth-Trunk1.2       3180   1                   pat
 -----------------------------------------------------------------
 Total : 1

----End
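The translations configured in Steps 2 to 5 above, and the no-pat versus pat address groups of 4.4.3, as an added Python model; this is example code, not Huawei code or SPU internals. The address pools, DNS mapping and host addresses are taken from the page, while the session table and the PAT port range are assumptions.

```python
"""Added example, not Huawei code: a packet-level model of the twice NAT example above.

Uses the page's own addresses for the translations 4.4.4 configures (DNS ALG rewrite,
'nat overlap-address' mapping, 'nat outbound' source NAT); compare_pat_modes() also
contrasts the no-pat and pat address groups of 4.4.3. Session handling and the PAT
port range are simplifying assumptions, not SPU internals.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Flow = Tuple[IPv4Address, int]  # (address, port)


@dataclass
class OverlapMap:
    """nat overlap-address: fixed-offset 1:1 mapping, overlap_start+i <-> temp_start+i."""
    overlap_start: IPv4Address
    temp_start: IPv4Address
    pool_length: int

    def _offset(self, addr: IPv4Address, start: IPv4Address) -> int:
        off = int(addr) - int(start)
        if not 0 <= off < self.pool_length:
            raise ValueError(f"{addr} is outside the pool starting at {start}")
        return off

    def to_temp(self, addr: IPv4Address) -> IPv4Address:
        return self.temp_start + self._offset(addr, self.overlap_start)

    def to_overlap(self, addr: IPv4Address) -> IPv4Address:
        return self.overlap_start + self._offset(addr, self.temp_start)


@dataclass
class OutboundNat:
    """nat outbound <acl> address-group <g> [no-pat]: source translation from a pool."""
    pool_start: IPv4Address
    pool_end: IPv4Address
    no_pat: bool = False
    next_port: int = 10240  # assumed first PAT port
    out_table: Dict[Flow, Flow] = field(default_factory=dict)  # private -> public
    in_table: Dict[Flow, Flow] = field(default_factory=dict)   # public -> private

    def translate_out(self, src: Flow) -> Flow:
        if src in self.out_table:  # an existing session keeps its mapping
            return self.out_table[src]
        if self.no_pat:
            # One pool address per private host, port left untouched.
            used = {pub_ip for pub_ip, _ in self.out_table.values()}
            free = [IPv4Address(a) for a in range(int(self.pool_start), int(self.pool_end) + 1)
                    if IPv4Address(a) not in used]
            if not free:
                raise RuntimeError("address-group exhausted in no-pat mode")
            pub: Flow = (free[0], src[1])
        else:
            # PAT: hosts share one pool address and are told apart by port.
            pub = (self.pool_start, self.next_port)
            self.next_port += 1
        self.out_table[src] = pub
        self.in_table[pub] = src
        return pub

    def translate_in(self, dst: Flow) -> Optional[Flow]:
        return self.in_table.get(dst)  # None: no session, the reply is dropped


# Constructed to match Steps 2 to 5 of the example above.
OVERLAP = OverlapMap(IPv4Address("192.168.20.2"), IPv4Address("202.169.100.2"), 254)
OUTBOUND = OutboundNat(IPv4Address("160.160.0.2"), IPv4Address("160.160.0.254"))
DNS_MAP = {"www.Server.com": IPv4Address("192.168.20.2")}  # nat dns-map entry


def dns_answer_for_pc1(name: str) -> IPv4Address:
    """DNS ALG: the answer is rewritten into the temp pool before it reaches PC1."""
    return OVERLAP.to_temp(DNS_MAP[name])


def forward_packet(src: Flow, dst: Flow) -> Tuple[Flow, Flow]:
    """PC1 -> host A out of Eth-Trunk1.2: destination un-mapped, source NATted."""
    real_dst = (OVERLAP.to_overlap(dst[0]), dst[1])
    return OUTBOUND.translate_out(src), real_dst


def reverse_packet(src: Flow, dst: Flow) -> Tuple[Flow, Flow]:
    """Host A -> PC1: destination restored from the session, source mapped to temp."""
    inside = OUTBOUND.translate_in(dst)
    if inside is None:
        raise KeyError("no NAT session for this reply")
    return (OVERLAP.to_temp(src[0]), src[1]), inside


def run_session() -> Dict[str, str]:
    """One TCP session PC1 -> www.Server.com, as seen on each side of the SPU."""
    pc1: Flow = (IPv4Address("192.168.20.2"), 40000)  # PC1 inside vpna
    answer = dns_answer_for_pc1("www.Server.com")
    wan_src, wan_dst = forward_packet(pc1, (answer, 80))
    seen_src, seen_dst = reverse_packet((wan_dst[0], 80), wan_src)
    fmt = lambda f: f"{f[0]}:{f[1]}"
    return {"dns_answer": str(answer), "wan_src": fmt(wan_src), "wan_dst": fmt(wan_dst),
            "reply_src_seen_by_pc1": fmt(seen_src), "reply_dst": fmt(seen_dst)}


def compare_pat_modes() -> Dict[str, List[str]]:
    """4.4.3: company A (group 1, no-pat) versus company B (group 2, pat)."""
    no_pat = OutboundNat(IPv4Address("202.169.10.100"), IPv4Address("202.169.10.200"), True)
    pat = OutboundNat(IPv4Address("202.169.10.80"), IPv4Address("202.169.10.83"))
    hosts_a = [(IPv4Address("192.168.20.2"), 5000), (IPv4Address("192.168.20.3"), 5000)]
    hosts_b = [(IPv4Address("10.0.0.2"), 5000), (IPv4Address("10.0.0.3"), 5000)]
    return {"no-pat": [f"{ip}:{p}" for ip, p in map(no_pat.translate_out, hosts_a)],
            "pat": [f"{ip}:{p}" for ip, p in map(pat.translate_out, hosts_b)]}
```

run_session() shows why PC1 never sees host A's real address: it talks to 202.169.100.2 in both directions while the WAN sees 192.168.20.2 and a pool address from group 1.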

Configuration Files

l Configuration file of the SPU

#
 sysname SPU
#
ip vpn-instance vpna
 route-distinguisher 1:1
#
ip vpn-instance vpnb
 route-distinguisher 2:2
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip binding vpn-instance vpna
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat outbound 3180 address-group 1
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
nat alg dns enable
nat dns-map www.Server.com 192.168.20.2 80 tcp
#
nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna
#
ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2
#
acl number 3180
 rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255
#
nat address-group 1 160.160.0.2 160.160.0.254
#
return

l Configuration file of the S9300

#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return


5 IPSec Configuration

About This Chapter

This chapter describes how to ensure confidentiality and integrity of data and prevent replay of data packets on a network through data encryption and data source authentication at the IP layer. Internet Key Exchange (IKE) provides the mechanism of negotiating keys and establishing security associations (SAs) to simplify the usage and management of IPSec.

5.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. Communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality and integrity of data and prevent replay of data packets on a network.

5.2 IPSec Features Supported by the SPU
The SPU supports IPSec tunnels established in manual mode or IKE negotiation mode.

5.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.

5.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity, and set up SAs on an insecure network.

5.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.

5.6 Configuration Examples
This section provides several configuration examples of IPSec.


5.1 IPSec Overview

The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. Communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality and integrity of data and prevent replay of data packets on a network.

IPSec implements the preceding functions through two security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). IKE provides the mechanism of negotiating keys and establishing and maintaining SAs to simplify the usage and management of IPSec.

IPSec involves the following terms:

l Security Association (SA)
– An SA is a set of conventions adopted by the communicating parties. For example, it determines the security protocol (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key to protect a certain flow, and the lifetime of the shared key. The SA is the basis and essence of IPSec.
– An SA is unidirectional, so you need to configure at least two SAs to protect data flows in bidirectional communication. If two peers need to communicate through both AH and ESP, each peer needs to establish two SAs for the two protocols.
– An SA is identified by three parameters: Security Parameter Index (SPI), destination IP address, and security protocol ID (AH or ESP).

l Encapsulation mode
– Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 5-1.
– Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 5-2.

Figure 5-1 Packet format in transport mode

Protocol   Packet format
AH         IP Header | AH | TCP Header | data
ESP        IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data


Figure 5-2 Packet format in tunnel mode

Protocol   Packet format
AH         new IP Header | AH | raw IP Header | TCP Header | data
ESP        new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP     new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

l Authentication algorithm and encryption algorithm
– IPSec can use the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm 1 (SHA-1) for authentication. MD5 computes faster than SHA-1, whereas SHA-1 is more secure than MD5.
– IPSec can use the DES, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) algorithms for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.

l Negotiation mode
IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).

5.2 IPSec Features Supported by the SPU

The SPU supports IPSec tunnels established in manual mode or IKE negotiation mode.

The SPU implements the IPSec functions described in "IPSec Overview."

IPSec peers can adopt different security protection measures (authentication, encryption, or both) for different data flows.

The IPSec configuration roadmap is as follows:

1. Define the data flows to be protected by using an ACL.

2. Configure an IPSec proposal to specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.

3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), SA negotiation mode, peer IP address (start and end points of the protection path), required key, and SA lifetime.

4. Apply the IPSec policy on an interface of the switch.

In addition, IPSec supports MPLS VPN access. You can implement this function by:

l Associating a VPN instance with an SA

l Configuring the switch as a PE and associating the VPN instance with the PE interface connected to the CE


5.3 Establishing an IPSec Tunnel Manually

You can establish IPSec tunnels manually when the network topology is simple.

5.3.1 Establishing the Configuration Task
Before establishing an IPSec tunnel manually, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

5.3.2 Defining Data Flows to Be Protected
IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

5.3.3 Configuring an IPSec Proposal
Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

5.3.4 Configuring an IPSec Policy
After establishing an IPSec tunnel manually, you need to configure an IPSec policy for the tunnel.

5.3.5 (Optional) Configuring an IPSec Policy Template

5.3.6 Setting the Global Lifetime of SAs

5.3.7 Applying an IPSec Policy Group to a Sub-interface
A manually configured IPSec policy group can be applied to only one Sub-interface.

5.3.8 Checking the Configuration
After an IPSec tunnel is established manually, you can check information about the SA, IPSec proposal, and IPSec policy.

5.3.1 Establishing the Configuration Task

Before establishing an IPSec tunnel manually, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment

Data flows must be authenticated to ensure data transmission security. In scenarios demanding high security, data flows must be authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service.

You can establish IPSec tunnels manually when the network topology is simple.

Pre-configuration Tasks

Before establishing an IPSec tunnel manually, complete the following tasks:

l Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up

l Configuring routes between the source and the destination


Data Preparation

To establish an IPSec tunnel manually, you need the following data.

No.  Data
1    Parameters of an advanced ACL
2    IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
3    Name and sequence number of the IPSec policy, local and peer IP addresses of the tunnel, inbound and outbound SPIs of AH, inbound and outbound SPIs of ESP, inbound and outbound authentication keys of AH (character strings), inbound and outbound authentication keys of ESP (character strings), inbound and outbound authentication keys of AH (hexadecimal numbers), inbound and outbound authentication keys of ESP (hexadecimal numbers), inbound and outbound encryption keys of ESP (hexadecimal numbers), (optional) VPN instance name
4    Type and number of the interface to which the IPSec policy group is applied

NOTE

You can use the AH or ESP protocol according to the actual situation.

5.3.2 Defining Data Flows to Be Protected

IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]

An ACL rule is configured.


NOTE

l The ACL must be configured to match the data flows accurately. It is recommended that you set the action of the ACL rule to permit for the data flows that need to be protected.

l You need to create different ACLs and IPSec policies for data flows with different security requirements.

----End

5.3.3 Configuring an IPSec Proposal

Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.

Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is configured.

By default, the ESP protocol defined by RFC 2406 is used.

Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is configured.

Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is configured.

By default, both ESP and AH use the MD5 authentication algorithm.

You can configure the authentication and encryption algorithms only after selecting a security protocol through the transform command. For example, if ESP is selected, you can configure the authentication and encryption algorithms for ESP but not for AH.

Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]

The encryption algorithm used by ESP is configured.

By default, ESP uses the DES encryption algorithm.

Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured.


By default, the tunnel mode is used.

----End

5.3.4 Configuring an IPSec Policy

After establishing an IPSec tunnel manually, you need to configure an IPSec policy for the tunnel.

Context

CAUTION

When configuring the SA parameters SPI, string authentication key (string-key), hexadecimal authentication key (authentication-hex), and hexadecimal encryption key (encryption-hex) on the two ends of an IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound parameters on the remote end, and the outbound parameters on the local end are the same as the inbound parameters on the remote end.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number manual

An IPSec policy is created.

An IPSec policy group can contain up to 400 IPSec policies. By default, no IPSec policy exists.

Step 3 Run:
security acl acl-number

An ACL is applied to the IPSec policy.

An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy, the last configured ACL takes effect.

Step 4 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy.

An IPSec policy can use only one proposal. If an IPSec proposal has been applied to the IPSec policy, you must cancel the existing proposal before applying a new one to the IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must be configured with the same security protocol, algorithm, and packet encapsulation mode.

Step 5 Run:
tunnel local ip-address


The IP address of the local end of the tunnel is configured.

Step 6 Run:
tunnel remote ip-address

The IP address of the remote end of the tunnel is configured.

Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured.

When configuring an SA, you need to set both the inbound and the outbound parameters.

To manually create an IPSec tunnel, you need to use the sa spi command together with the sa string-key, sa authentication-hex, or sa encryption-hex command.

The SA parameters on the two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.

CAUTION

Use the same key format on the two ends. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up. If you configure the keys in different formats, the last configured key takes effect.

Step 8 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key (a hexadecimal number) of the security protocol is configured.

Step 9 Run:
sa string-key { inbound | outbound } { ah | esp } string-key

The authentication key (a character string) of the security protocol is configured.

Step 10 Run:
sa encryption-hex { inbound | outbound } esp hex-key

The encryption key (a hexadecimal number) of ESP is configured.

Step 11 (Optional) Run:
sa binding vpn-instance vpn-instance-name

A VPN instance is associated with the SA.

----End
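The cross-matching rules stated in the CAUTION notes and in Step 7 above (local inbound equals remote outbound, same key format on both ends, same proposal), as an added Python consistency check; this is example code, not a Huawei command or device feature, and the two sample policies with their SPIs and keys are constructed.

```python
"""Added example, not Huawei code: a consistency check for a manually keyed IPSec tunnel.

Models what 5.3.3 and 5.3.4 configure on each end (proposal, 'tunnel local' /
'tunnel remote', 'sa spi', and the 'sa string-key' / 'sa authentication-hex' /
'sa encryption-hex' keys) and reports every violation of the page's rules: local
inbound must equal remote outbound and vice versa, the two ends must use the same
key format, and the proposals must match.  Both sample policies are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SaKey = Tuple[str, str]  # (direction, protocol), e.g. ("inbound", "esp")


@dataclass(frozen=True)
class Proposal:
    """ipsec proposal, with the defaults 5.3.3 states (esp, md5, des, tunnel)."""
    transform: str = "esp"
    ah_auth: str = "md5"
    esp_auth: str = "md5"
    esp_enc: str = "des"
    encapsulation: str = "tunnel"

    def protocols(self) -> List[str]:
        return ["ah", "esp"] if self.transform == "ah-esp" else [self.transform]


@dataclass
class Sa:
    """One direction of one protocol: 'sa spi' plus the key command(s) for it."""
    spi: int
    string_key: Optional[str] = None  # sa string-key
    auth_hex: Optional[str] = None    # sa authentication-hex
    enc_hex: Optional[str] = None     # sa encryption-hex (esp only)

    def key_format(self) -> str:
        return "string" if self.string_key is not None else "hex"

    def keys(self) -> Tuple[Optional[str], Optional[str], Optional[str]]:
        return (self.string_key, self.auth_hex, self.enc_hex)


@dataclass
class ManualPolicy:
    """ipsec policy <name> <seq> manual, on one end of the tunnel."""
    name: str
    tunnel_local: str
    tunnel_remote: str
    proposal: Proposal = field(default_factory=Proposal)
    sas: Dict[SaKey, Sa] = field(default_factory=dict)


def check_tunnel(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Return the mismatches that would keep the tunnel from working (empty if none)."""
    problems: List[str] = []
    if local.proposal != remote.proposal:
        problems.append("proposals differ in protocol, algorithm or encapsulation mode")
    if (local.tunnel_local, local.tunnel_remote) != (remote.tunnel_remote, remote.tunnel_local):
        problems.append("tunnel local/remote addresses do not cross-match")
    for proto in local.proposal.protocols():
        # Local inbound pairs with remote outbound, and the other way round.
        for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
            l_sa, r_sa = local.sas.get((l_dir, proto)), remote.sas.get((r_dir, proto))
            if l_sa is None:
                problems.append(f"{local.name}: {proto} {l_dir} SA not configured")
            if r_sa is None:
                problems.append(f"{remote.name}: {proto} {r_dir} SA not configured")
            if l_sa is None or r_sa is None:
                continue
            where = f"{proto} {local.name} {l_dir} vs {remote.name} {r_dir}"
            if l_sa.spi != r_sa.spi:
                problems.append(f"{where}: SPI {l_sa.spi} != {r_sa.spi}")
            if l_sa.key_format() != r_sa.key_format():
                problems.append(f"{where}: key formats differ "
                                f"({l_sa.key_format()} vs {r_sa.key_format()})")
            elif l_sa.keys() != r_sa.keys():
                problems.append(f"{where}: keys differ")
    return problems


def sample_policies(broken: bool = False) -> Tuple[ManualPolicy, ManualPolicy]:
    """Constructed pair SPU-A <-> SPU-B; broken=True injects one SPI and one key-format error."""
    prop = Proposal(transform="esp", esp_auth="sha1", esp_enc="aes-128")
    k_in, k_out = "0a0b0c0d0e0f10111213141516171819", "99990000aaaabbbbccccddddeeeeffff"
    a = ManualPolicy("SPU-A", "10.1.1.1", "10.1.2.1", prop, {
        ("inbound", "esp"): Sa(12345, auth_hex="aaaa1111", enc_hex=k_in),
        ("outbound", "esp"): Sa(54321, auth_hex="bbbb2222", enc_hex=k_out),
    })
    b = ManualPolicy("SPU-B", "10.1.2.1", "10.1.1.1", prop, {
        ("inbound", "esp"): Sa(54321, auth_hex="bbbb2222", enc_hex=k_out),
        ("outbound", "esp"): Sa(12346 if broken else 12345, auth_hex="aaaa1111", enc_hex=k_in),
    })
    if broken:  # character-string key on one end only, hex on the other
        b.sas[("inbound", "esp")] = Sa(54321, string_key="constructed-key")
    return a, b
```

check_tunnel(*sample_policies()) returns an empty list; with broken=True it reports the SPI mismatch on one direction and the key-format mismatch on the other, the two faults the CAUTION notes warn about.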

5.3.5 (Optional) Configuring an IPSec Policy Template

Context

NOTE

The IPSec policy created through an IPSec policy template cannot be used to initiate an SA negotiation but can respond to an SA negotiation.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec policy-template template-name seq-number

An IPSec policy template is created and the IPSec policy template view is displayed.

Step 3 Run: security acl acl-number

An ACL is applied to the IPSec policy template.

Step 4 Run: proposal proposal-name1 [ proposal-name2 ... proposal-name6 ]

The specified IPSec proposals are applied to the IPSec policy template.

Step 5 Run: sa duration { traffic-based kilobytes | time-based seconds }

The SA lifetime is set.

Step 6 Run: ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is used to create an IPSec policy.

----End

5.3.6 Setting the Global Lifetime of SAs

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA lifetime is set.

NOTE

- The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation.

- By default, the time-based global lifetime is 3600 seconds; the traffic-based global lifetime is 1843200 kilobytes.

----End


5.3.7 Applying an IPSec Policy Group to a Sub-interface

A manually configured IPSec policy group can be applied to only one Sub-interface.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number.subinterface

The Sub-interface view is displayed.

Step 3 Run: ipsec policy policy-name

An IPSec policy group is applied to the Sub-interface.

A Sub-interface can use only one IPSec policy group. An IPSec policy group that establishes an SA through IKE negotiation can be applied to multiple Sub-interfaces, whereas an IPSec policy group that is used to establish an SA manually can be applied to only one Sub-interface. If the applied IPSec policy establishes an SA in manual mode, the SA is generated immediately.

----End

5.3.8 Checking the Configuration

After an IPSec tunnel is established manually, you can check information about the SA, IPSec proposal, and IPSec policy.

Prerequisite

The configurations required to establish an IPSec tunnel manually are complete.

Procedure

- Run the display ipsec sa command to view information about the SA.

- Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.

- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.

----End

5.4 Establishing an IPSec Tunnel Through IKE Negotiation

IKE provides an automatic mechanism to distribute keys, authenticate identities, and set up SAs over an insecure network.

5.4.1 Establishing the Configuration Task

Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.


5.4.2 Defining Data Flows to Be Protected

IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

5.4.3 Configuring the Local Host Name Used in IKE Negotiation

The local ID type used in IKE negotiation must be the same as the remote ID type.

5.4.4 Configuring an IKE Proposal

You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.

5.4.5 Configuring an IKE Peer

5.4.6 Configuring an IPSec Proposal

Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

5.4.7 Configuring an IPSec Policy

After configuring an IKE peer, you need to apply it to the IPSec policy. Then the two ends can start IKE negotiation.

5.4.8 (Optional) Configuring an IPSec Policy Template

An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the workload of establishing multiple IPSec tunnels.

5.4.9 (Optional) Setting Optional Parameters

This section describes how to set optional parameters for IKE negotiation.

5.4.10 Applying an IPSec Policy to a Sub-interface

A Sub-interface can adopt only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple Sub-interfaces.

5.4.11 Checking the Configuration

After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, the configuration of the IKE peer, and the configuration of the IKE proposal.

5.4.1 Establishing the Configuration Task

Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Application Environment

Data flows must be authenticated to ensure data transmission security. In scenarios demanding high security, data flows must be both authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and on the device that terminates the IPSec service.

When the network topology is complex, you can establish IPSec tunnels through IKE negotiation.

Pre-configuration Tasks

Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:


- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up

- Configuring routes between the source and the destination

Data Preparation

To establish an IPSec tunnel through IKE negotiation, you need the following data.

No. Data

1 Parameters of an advanced ACL

2 Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime

3 IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name

4 Security proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode

5 Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation

6 (Optional) Name of the IPSec policy template

7 (Optional) Local address of the IPSec policy group, time-based global SA lifetime, traffic-based global SA lifetime, interval for sending keepalive packets, timeout interval of keepalive packets, and interval for sending NAT update packets

8 Type and number of the interface to which the IPSec policy is applied

NOTE

You can use the AH or ESP protocol according to the actual situation.

5.4.2 Defining Data Flows to Be Protected

IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl [ number ] acl-number [ match-order { config | auto } ]


An advanced ACL is created and the ACL view is displayed.

Step 3 Run: rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]

An ACL rule is configured.

----End
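Because each end selects the flows it protects with its own ACL, the two ACLs have to be mirror images of each other (same protocol and action, source and destination swapped), as the chapter's configuration example later shows for 10.1.1.0/24 and 10.1.2.0/24. The script below is an added example, not Huawei code and not part of this guide: it parses the source/destination subset of the rule syntax given in Step 3 (other keywords such as dscp or time-range are deliberately rejected rather than guessed at), converts address/wildcard pairs to CIDR for readable reports, and lists every rule on one end that has no mirror on the other. The rule strings are constructed from the addresses used in this chapter.

```python
"""Mirror check for the advanced ACL rules that select IPSec-protected flows
(added example; not part of the guide or the device software).

Parses the subset of the 'rule' syntax used in this chapter
(rule [id] {permit|deny} protocol [source A W | any] [destination B W | any])
and checks that the ACL on one end is the mirror image of the ACL on the
other: same action and protocol, with source and destination swapped.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # how 'any' is represented as address/wildcard


def parse_acl_rule(line):
    """Parse one ACL rule line into a dict. Keywords other than source and
    destination (dscp, time-range, vpn-instance, ...) are outside this
    example and are rejected instead of being silently ignored."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    i = 1
    rule_id = None
    if tokens[i].isdigit():
        rule_id = int(tokens[i])
        i += 1
    action, protocol = tokens[i], tokens[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    i += 2
    rule = {"id": rule_id, "action": action, "protocol": protocol,
            "source": ANY, "destination": ANY}
    while i < len(tokens):
        kw = tokens[i]
        if kw not in ("source", "destination"):
            raise ValueError(f"keyword not handled in this example: {kw}")
        if tokens[i + 1] == "any":
            rule[kw] = ANY
            i += 2
        else:
            rule[kw] = (tokens[i + 1], tokens[i + 2])
            i += 3
    return rule


def to_cidr(addr_wildcard):
    """Convert an address/wildcard pair to CIDR text; the wildcard must be contiguous."""
    addr, wildcard = addr_wildcard
    bits = int(ipaddress.IPv4Address(wildcard))
    if (bits + 1) & bits:                 # not of the form 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - bits.bit_length()
    return str(ipaddress.IPv4Network((addr, prefix), strict=False))


def acl_rules_mirror(rule_a, rule_b):
    """True when rule_b covers the reverse direction of rule_a."""
    return (rule_a["action"] == rule_b["action"]
            and rule_a["protocol"] == rule_b["protocol"]
            and rule_a["source"] == rule_b["destination"]
            and rule_a["destination"] == rule_b["source"])


def check_acl_mirror(rules_a, rules_b):
    """Return the rules of ACL A (as 'proto src -> dst' text) with no mirror in ACL B."""
    unmatched = []
    for ra in rules_a:
        if not any(acl_rules_mirror(ra, rb) for rb in rules_b):
            unmatched.append(f"{ra['protocol']} {to_cidr(ra['source'])} -> {to_cidr(ra['destination'])}")
    return unmatched


if __name__ == "__main__":
    # Constructed sample rules using the subnets from this chapter's example.
    acl_a = [parse_acl_rule("rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255")]
    acl_b = [parse_acl_rule("rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255")]
    print(check_acl_mirror(acl_a, acl_b) or "ACLs mirror each other")
```

Run the check in both directions (A against B, then B against A) to catch rules that exist only on the remote end.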

5.4.3 Configuring the Local Host Name Used in IKE Negotiation

The local ID type used in IKE negotiation must be the same as the remote ID type.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ike local-name router-name

The local host name used in the IKE negotiation is configured.

The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.

----End

5.4.4 Configuring an IKE Proposal

You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ike proposal proposal-number

An IKE proposal is created and the IKE proposal view is displayed.

The IKE negotiation succeeds only when the two ends use IKE proposals with the same settings.

Step 3 Run: encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

The encryption algorithm is configured.


Step 4 (Optional) Run: authentication-method pre-share

Pre-shared key authentication is configured.

When pre-shared key authentication is configured, you must set the same pre-shared key on the IKE peers.

Step 5 Run: authentication-algorithm { md5 | sha1 }

The authentication algorithm is configured.

When pre-shared key authentication is configured, an authenticator must be configured.

Step 6 (Optional) Run: dh { group1 | group2 }

The Diffie-Hellman group is specified.

Step 7 (Optional) Run: prf { hmac-md5 | hmac-sha1 }

The algorithm used to generate the pseudo-random number is specified.

Step 8 Run: sa duration interval

The SA lifetime is set.

If the lifetime expires, the ISAKMP SA is automatically updated.

You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective.

----End
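The procedure above states that several IKE proposals with different priorities may exist and that negotiation needs at least one proposal whose settings are identical on both ends. The Python below is an added example, not Huawei code and not part of this guide: it models that selection by comparing the encryption algorithm, authentication algorithm, authentication method, DH group and PRF from Steps 3 to 7 and returning the first match when local proposals are tried in priority order. It assumes a lower proposal number means a higher priority; it does not model the device defaults for the optional steps, so every field is given explicitly. The weak-algorithm list is the editor's assessment, not a statement from the guide.

```python
"""IKE proposal selection between two peers (added example, not device code).

Each end may hold several IKE proposals; negotiation needs at least one whose
settings match on both ends. Proposals are compared on encryption algorithm,
authentication algorithm, authentication method, DH group and PRF, and the
match with the best local priority wins. Assumption: a lower proposal number
means a higher priority. All proposal values below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    number: int              # 'ike proposal <number>'
    encryption: str          # des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256
    auth_algorithm: str      # md5 | sha1
    auth_method: str         # pre-share
    dh_group: str            # group1 | group2
    prf: str                 # hmac-md5 | hmac-sha1

    def parameters(self):
        """The tuple that must be identical on both ends for a match."""
        return (self.encryption, self.auth_algorithm, self.auth_method,
                self.dh_group, self.prf)


def select_ike_proposal(local, remote):
    """Return (local_proposal, remote_proposal) for the first match when local
    proposals are tried in priority order, or None if nothing matches."""
    remote_by_params = {}
    for rp in sorted(remote, key=lambda p: p.number):
        # Keep the remote's best-priority entry for each parameter set.
        remote_by_params.setdefault(rp.parameters(), rp)
    for lp in sorted(local, key=lambda p: p.number):
        rp = remote_by_params.get(lp.parameters())
        if rp is not None:
            return lp, rp
    return None


# Editor's assessment, not a statement from the guide: these choices are
# considered weak by current standards and are worth flagging in a review.
WEAK = {
    "des-cbc": "56-bit DES",
    "md5": "MD5",
    "group1": "768-bit DH group 1",
    "hmac-md5": "HMAC-MD5 PRF",
}


def weak_parameters(proposal):
    """List the weak algorithm choices in a proposal (empty if none)."""
    return [WEAK[p] for p in proposal.parameters() if p in WEAK]


if __name__ == "__main__":
    local = [IkeProposal(10, "aes-cbc-256", "sha1", "pre-share", "group2", "hmac-sha1"),
             IkeProposal(20, "3des-cbc", "sha1", "pre-share", "group2", "hmac-sha1")]
    remote = [IkeProposal(5, "3des-cbc", "sha1", "pre-share", "group2", "hmac-sha1"),
              IkeProposal(6, "aes-cbc-256", "sha1", "pre-share", "group2", "hmac-sha1")]
    match = select_ike_proposal(local, remote)
    print("selected:", match)
    for p in local + remote:
        if weak_parameters(p):
            print(f"proposal {p.number}: weak choices {weak_parameters(p)}")
```

Note that the local end's priority decides which matching pair is chosen even when the remote end ranks the same pair lower, which is why the sample selects local proposal 10 with remote proposal 6 rather than the remote's top-ranked proposal 5.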

5.4.5 Configuring an IKE Peer

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ike peer peer-name [ v1 | v2 ]

An IKE peer is created and the IKE peer view is displayed.

Step 3 Run: exchange-mode { main | aggressive }

The IKE negotiation mode is configured.

In aggressive mode, the local ID type must be set to name in Step 5. In main mode, the local ID type must be set to ip.


Step 4 Run: ike-proposal proposal-number

An IKE proposal is configured.

Step 5 (Optional) Run: local-id-type { ip | name }

The local ID type is configured.

By default, the IP address of the local end is used as the local ID.

Step 6 (Optional) Run: local-address address

The IP address of the local end of the IKE negotiation is configured.

Step 7 (Optional) Run: ike local-name router-name

The local host name used in the IKE negotiation is configured.

After the local ID type is set to name, you need to set the local host name.

The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.

Step 8 (Optional) Run: peer-id-type { ip | name }

The peer ID type is configured.

By default, the IP address of the local end is used as the local ID.

The peer-id-type command is valid only when IKEv2 is used.

Step 9 (Optional) Run: nat traversal

NAT traversal is enabled.

When NAT traversal is enabled, exchange-mode must be set to aggressive and local-id-type must be set to name.

Step 10 Run: pre-shared-key key-string

The pre-shared key used by the local end and the remote peer is configured.

If pre-shared key authentication is configured, you need to configure a pre-shared key for each remote peer. The two ends of an IPSec tunnel must be configured with the same pre-shared key.

If pre-shared key authentication is configured, an authenticator must be configured.

Step 11 Run: remote-address [ vpn-instance vpn-instance-name ] ip-address

The IP address of the remote peer is configured.

Step 12 (Optional) Run: sa binding vpn-instance vpn-instance-name

A VPN instance is associated with the SA.


By specifying the VPN instance that the remote end of the IPSec tunnel belongs to, you can implement multi-instance IPSec connections. The configuration takes effect only on the initiator of the tunnel. The initiator needs to obtain the outbound interface when sending packets. This command specifies the VPN that the remote end of the IPSec tunnel belongs to. According to the VPN, the tunnel initiator can obtain the outbound interface and send packets through it. The packets received by the remote peer carry the VPN attribute, so you do not need to specify the VPN on the remote peer.

Step 13 Run: remote-name name

The remote host name is configured (it is used only when name authentication is used in aggressive mode).

----End

5.4.6 Configuring an IPSec Proposal

Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.

Step 3 (Optional) Run: transform { ah | esp | ah-esp }

The security protocol is configured.

By default, the ESP protocol defined in RFC 2406 is used.

Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is configured.

By default, AH uses the MD5 authentication algorithm.

Step 5 (Optional) Run: esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is configured.

By default, ESP uses the MD5 authentication algorithm.

Step 6 (Optional) Run: esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }

The encryption algorithm used by ESP is configured.


By default, ESP uses the DES encryption algorithm.

Step 7 (Optional) Run: encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured.

By default, the security protocol uses tunnel mode to encapsulate IP packets.

----End

5.4.7 Configuring an IPSec Policy

After configuring an IKE peer, you need to apply it to the IPSec policy. Then the two ends can start IKE negotiation.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec policy policy-name seq-number isakmp

An IPSec policy is created.

Step 3 Run: proposal proposal-name&<1-6>

An IPSec proposal is applied to the IPSec policy.

An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same parameter settings first.

Step 4 Run: security acl acl-number

An ACL is applied to the IPSec policy.

Step 5 Run: sa trigger-mode { auto | traffic-based }

The SA triggering mode is configured.

After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering mode. In automatic triggering mode, the IPSec SA is established immediately after IKE negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only after packets are received.

By default, the automatic triggering mode is used.

Step 6 (Optional) Run: sa duration { traffic-based kilobytes | time-based interval }

The SA lifetime is set.


- In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller value as the SA lifetime.

- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, each uses the locally set SA lifetime.

Step 7 Run: ike-peer peer-name

An IKE peer is applied to the IPSec policy.

Step 8 (Optional) Run: pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.

If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails.

----End
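Steps 6 and 8 above, together with the global lifetime from section 5.3.6, define three rules that are worth checking before bringing a policy up: a policy without its own sa duration falls back to the global lifetime (3600 seconds and 1843200 kilobytes by default), IKEv1 peers use the smaller of the two lifetimes while IKEv2 peers each keep their own, and PFS must either be absent on both ends or set to the same DH group on both. The Python below is an added example, not Huawei code and not part of this guide; the policy names and values are constructed.

```python
"""SA lifetime and PFS agreement for an IKE-negotiated IPSec policy
(added example, not device code).

Encodes three statements from this chapter: a policy without its own
'sa duration' falls back to the global lifetime (default 3600 seconds and
1843200 kilobytes); in IKEv1 the peers use the smaller of the two lifetimes,
in IKEv2 each end uses its own; and if PFS is set on one end it must be set
on the other with the same DH group or the negotiation fails.
"""
from dataclasses import dataclass, field
from typing import Optional

# Defaults stated in section 5.3.6 of the guide.
GLOBAL_DEFAULT = {"time-based": 3600, "traffic-based": 1843200}


@dataclass
class IpsecPolicyEnd:
    name: str
    # Per-policy 'sa duration'; may set one key, both, or none.
    sa_duration: dict = field(default_factory=dict)
    # 'ipsec sa global-duration' on this device; defaults to the documented values.
    global_duration: dict = field(default_factory=lambda: dict(GLOBAL_DEFAULT))
    pfs: Optional[str] = None      # "dh-group1", "dh-group2" or None (PFS not used)

    def effective_duration(self):
        """Per-policy value where set, otherwise the global lifetime."""
        return {k: self.sa_duration.get(k, self.global_duration[k]) for k in GLOBAL_DEFAULT}


def negotiate_policy(ike_version, local, remote):
    """Return (lifetime used by the local end, list of errors). A non-empty
    error list means the PFS settings would make the negotiation fail."""
    errors = []
    ld, rd = local.effective_duration(), remote.effective_duration()
    if ike_version == "v1":
        # IKEv1: both peers adopt the smaller value for each limit.
        lifetime = {k: min(ld[k], rd[k]) for k in ld}
    elif ike_version == "v2":
        # IKEv2: the lifetime is not negotiated; the local setting applies locally.
        lifetime = ld
    else:
        raise ValueError(f"unknown IKE version {ike_version!r}")
    if (local.pfs is None) != (remote.pfs is None):
        errors.append(f"PFS is specified on only one end "
                      f"({local.name}: {local.pfs}, {remote.name}: {remote.pfs})")
    elif local.pfs != remote.pfs:
        errors.append(f"PFS DH group mismatch: {local.name} {local.pfs} vs {remote.name} {remote.pfs}")
    return lifetime, errors


if __name__ == "__main__":
    # Constructed sample: policy map1 on end A sets a shorter time-based lifetime,
    # end B relies on the global default; both enable PFS with the same group.
    end_a = IpsecPolicyEnd("A/map1", sa_duration={"time-based": 1800}, pfs="dh-group2")
    end_b = IpsecPolicyEnd("B/map1", pfs="dh-group2")
    for version in ("v1", "v2"):
        print(version, negotiate_policy(version, end_a, end_b))
```

With IKEv2 the two ends can legitimately rekey at different times; run negotiate_policy from each end's point of view if you want to see both values.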

5.4.8 (Optional) Configuring an IPSec Policy Template

An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the workload of establishing multiple IPSec tunnels.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec policy-template policy-template-name seq-number

An IPSec policy template is created.

Step 3 (Optional) Run: security acl acl-number

An ACL is applied to the IPSec policy template.

Step 4 Run: proposal proposal-name&<1-6>

An IPSec proposal is applied to the IPSec policy template.

An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same parameter settings first.

Step 5 (Optional) Run: sa duration { traffic-based kilobytes | time-based interval }

The SA lifetime is set.

Step 6 Run: ike-peer peer-name


An IKE peer is applied to the IPSec policy template.

Step 7 (Optional) Run: pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.

By default, the PFS feature is not used in IKE negotiation.

----End

5.4.9 (Optional) Setting Optional Parameters

This section describes how to set optional parameters for IKE negotiation.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipsec sa global-duration { time-based interval | traffic-based kilobytes }

The global SA lifetime is set.

You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective.

If the SA lifetime is not set in an IPSec policy, the global lifetime is used.

The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation.

Step 3 Run: ike sa heartbeat-timer interval interval

The interval for sending heartbeat packets is set.

Step 4 Run: ike sa heartbeat-timer timeout interval

The timeout interval of heartbeat packets is set.

If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat packets must be set on the other end.

On a network, packet loss rarely occurs consecutively more than three times. Therefore, the timeout interval of heartbeat packets on one end can be set to three times the interval for sending heartbeat packets on the other end.

Step 5 Run: ike sa nat-keepalive-timer interval interval

The interval for sending NAT update packets is set.

Step 6 Run: ipsec anti-replay { enable | disable }

The anti-replay function is enabled.

Step 7 Run: ike peer peer-name [ v1 | v2 ]

The IKE peer view is displayed.

Step 8 Run: local-address address

The IP address of the local end is configured.

Step 9 Run the following commands to configure the dead peer detection (DPD) function.

- Run: dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }

  The idle time for DPD, the retransmission interval of DPD packets, and the maximum number of retransmissions are set.

- Run: dpd msg { seq-hash-notify | seq-notify-hash }

  The sequence of payloads in DPD packets is configured.

- Run: dpd type { on-demand | periodic }

  The DPD mode is configured.

----End
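Steps 3 and 4 above split the heartbeat configuration across the two ends (the send interval on one, the timeout on the other) and justify a timeout of three times the interval by the rarity of more than three consecutive lost packets. The simulation below is an added example, not Huawei code and not part of this guide: it shows how many consecutive lost heartbeats a given interval/timeout pair survives and when a too-short timeout would tear down a healthy SA. Its modelling assumptions, which the guide does not state, are that the receiver restarts its timer on every heartbeat it receives, that the SA setup itself primes the timer, and that the peer is declared dead as soon as the gap since the last heartbeat exceeds the timeout.

```python
"""Heartbeat interval versus timeout for IKE SA liveness (added example;
not device code).

'ike sa heartbeat-timer interval' is set on one end and
'ike sa heartbeat-timer timeout' on the other. This simulation shows how many
consecutive lost heartbeats a given interval/timeout pair tolerates.
Modelling assumption: the receiver restarts its timer on every heartbeat
received and declares the peer dead as soon as the gap since the last
heartbeat exceeds the timeout. Times are in seconds; values are constructed.
"""


def recommended_timeout(send_interval):
    """The guide's rule of thumb: timeout = 3 x the peer's send interval."""
    return 3 * send_interval


def max_tolerated_losses(send_interval, timeout):
    """Largest number of consecutive lost heartbeats that does not expire the timer
    under the assumption above (a gap of exactly the timeout still counts as alive)."""
    return max(0, timeout // send_interval - 1)


def simulate_heartbeats(send_interval, timeout, lost, count=12):
    """Simulate `count` heartbeats sent at t = n * send_interval (n = 1..count);
    `lost` is the set of sequence numbers that never arrive. Returns the time
    at which the receiver declares the peer dead, or None if it stays alive."""
    last_rx = 0.0   # the SA is set up at t = 0, which primes the timer
    for n in range(1, count + 1):
        t = n * send_interval
        if t - last_rx > timeout:        # timer expired before this heartbeat could arrive
            return last_rx + timeout
        if n not in lost:
            last_rx = t
    end = (count + 1) * send_interval    # one more interval with nothing sent
    return last_rx + timeout if end - last_rx > timeout else None


if __name__ == "__main__":
    interval = 10
    timeout = recommended_timeout(interval)
    print(f"interval {interval}s, timeout {timeout}s: tolerates "
          f"{max_tolerated_losses(interval, timeout)} consecutive losses")
    # Constructed loss patterns: two losses in a row survive, three do not.
    print("lost {3,4}:   dead at", simulate_heartbeats(interval, timeout, {3, 4}))
    print("lost {3,4,5}: dead at", simulate_heartbeats(interval, timeout, {3, 4, 5}))
    # A timeout equal to the interval tears the SA down on the first lost packet.
    print("timeout == interval, lost {1}: dead at", simulate_heartbeats(interval, interval, {1}))
```

The last case is the one to watch for in practice: setting the timeout at or below the peer's interval turns ordinary single-packet loss into an SA teardown and a full renegotiation.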

5.4.10 Applying an IPSec Policy to a Sub-interface

A Sub-interface can adopt only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple Sub-interfaces.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 (Optional) Run: ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is used to create an IPSec policy.

Step 3 Run: interface interface-type interface-number.subinterface

The Sub-interface view is displayed.

Step 4 Run: ipsec policy policy-name

An IPSec policy group is applied to the Sub-interface.

Only one IPSec policy group can be applied on a Sub-interface. An IPSec policy group can be applied to multiple Sub-interfaces.

After the configuration, the packets transmitted between the two ends of the IPSec tunnel trigger the establishment of an SA through IKE negotiation. In automatic triggering mode, the SA is established immediately after the IKE negotiation succeeds. In traffic-based triggering mode, the SA is established only after data flows matching the IPSec policy are sent from the Sub-interface. After IKE negotiation succeeds and the SA is established, the data flows between the two ends of the tunnel are encrypted and then transmitted.

----End

5.4.11 Checking the Configuration

After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, the configuration of the IKE peer, and the configuration of the IKE proposal.

Prerequisite

The configurations required to establish an IPSec tunnel through IKE negotiation are complete.

Procedure

- Run the display ike sa command.

- Run the display ike peer [ name peer-name ] [ verbose ] command.

- Run the display ike proposal command.

----End

5.5 Maintaining IPSec

This section describes how to display the IPSec configuration and clear the IPSec statistics.

5.5.1 Displaying the IPSec Configuration

You can run the following display commands to view information about the SA, the established IPSec tunnel, and statistics about IPSec packets.

5.5.2 Clearing IPSec Information

This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation.

5.5.1 Displaying the IPSec Configuration

You can run the following display commands to view information about the SA, the established IPSec tunnel, and statistics about IPSec packets.

Prerequisite

The configurations of IPSec are complete.

Procedure

- Run the display ipsec sa [ brief | duration | hardware { { ah | esp } [ inbound | outbound ] spi spi-value peerip peer-ip-address | peer-table value } | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to view information about the SA.


- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phase-number | verbose ] command to view information about the established IPSec tunnel.

- Run the display ipsec statistics { ah | esp } command to view the statistics about IPSec packets.

- Run the display ike statistics { all | msg | v2 } command to view the statistics about IKE packets.

----End

5.5.2 Clearing IPSec Information

This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation.

Context

CAUTION
The statistics cannot be restored once cleared, so use the following commands with caution.

Procedure

- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.

- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.

- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.

- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.

----End

5.6 Configuration Examples

This section provides several configuration examples of IPSec.

5.6.1 Example for Establishing an SA Manually

You can establish SAs manually when the network topology is simple. When there are a large number of devices on the network, it is difficult to establish SAs manually, and network security cannot be ensured.

5.6.2 Example for Establishing an SA Through IKE Negotiation

SAs are usually established through IKE negotiation when the network is complicated. IKE automatically establishes an SA and performs key exchange to improve the efficiency of SA establishment and ensure network security.


5.6.1 Example for Establishing an SA Manually

You can establish SAs manually when the network topology is simple. When there are a large number of devices on the network, it is difficult to establish SAs manually, and network security cannot be ensured.

Networking Requirements

As shown in Figure 5-3, an IPSec tunnel is established between SwitchA and SwitchB to protect data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm.

The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.

Figure 5-3 Networking diagram for establishing an SA manually

[Figure: SwitchA and SwitchB connected across the Internet. Labels in the diagram: PC A 10.1.1.2/24 and PC B 10.1.2.2/24; switch ports GE1/0/11 and GE1/0/12 on each switch; switch port XGE5/0/0 towards the SPU, with SPU sub-interfaces XGE0/0/1.1 and XGE0/0/1.2; VLAN 10, VLAN 20 and VLAN 30; addresses 202.38.168.2/24, 202.38.163.1/24, 202.38.165.2/24 and 202.38.162.1/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows from the Switches to the SPUs.
2. Configure ACLs to define the data flows to be protected.
3. Configure static routes between the SPUs of SwitchA and SwitchB.
4. Configure IPSec proposals.
5. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
6. Apply the IPSec policies to interfaces of the SPUs.

Procedure

Step 1 Import flows from SwitchA and SwitchB to the SPUs.

1. Configure SwitchA.

<Quidway> system-view
[Quidway] sysname SwitchA


[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] port link-type access
[SwitchA-GigabitEthernet1/0/11] port default vlan 10
[SwitchA-GigabitEthernet1/0/11] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface gigabitethernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/12] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] port link-type trunk
[SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20
[SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchA-XGigabitEthernet5/0/0] quit

2. Configure the SPU on SwitchA.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.163.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 10 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 10
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.163.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

3. Configure SwitchB.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type trunk
[SwitchB-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/12] quit
[SwitchB] interface XGigabitEthernet5/0/0
[SwitchB-XGigabitEthernet5/0/0] port link-type trunk
[SwitchB-XGigabitEthernet5/0/0] port trunk allow-pass vlan 30 20
[SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchB-XGigabitEthernet5/0/0] quit

4. Configure the SPU on SwitchB.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.162.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 30 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 30
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.162.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

Step 2 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.

# Configure an ACL on the SPU of SwitchA.

[SPU] acl number 3101[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255[SPU-acl-adv-3101] quit

# Configure an ACL on the SPU of SwitchB.

[SPU] acl number 3101[SPU-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255[SPU-acl-adv-3101] quit

Step 3 Configure static routes between the SPUs of SwitchA and SwitchB.

# Configure a static route to the remote peer on the SPU of SwitchA.

[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

# Configure a static route to the remote peer on the SPU of SwitchB.

[SPU] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

Ping PC B from PC A. The ping succeeds.

Step 4 Create IPSec proposals on the SPUs of SwitchA and SwitchB.

# Configure an IPSec proposal on the SPU of SwitchA.

[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

# Configure an IPSec proposal on SwitchB.

[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec proposal
Number of Proposals: 1

IPsec Proposal Name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption DES

Step 5 Create IPSec policies on the SPUs of SwitchA and SwitchB.

# Configure an IPSec policy on the SPU of SwitchA.

[SPU] ipsec policy map1 10 manual
[SPU-ipsec-policy-manual-map1-10] security acl 3101
[SPU-ipsec-policy-manual-map1-10] proposal tran1
[SPU-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[SPU-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[SPU-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SPU-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SPU-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[SPU-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[SPU-ipsec-policy-manual-map1-10] quit

# Configure an IPSec policy on SwitchB.

[SPU] ipsec policy use1 10 manual
[SPU-ipsec-policy-manual-use1-10] security acl 3101
[SPU-ipsec-policy-manual-use1-10] proposal tran1
[SPU-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[SPU-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[SPU-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SPU-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SPU-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[SPU-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[SPU-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================

  Sequence number: 10
  Security data flow: 3101
  Tunnel local address: 202.38.163.1
  Tunnel remote address: 202.38.162.1
  Proposal name: tran1
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 54321 (0xd431)
    ESP string-key: gfedcba
    ESP encryption hex key:
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 12345 (0x3039)
    ESP string-key: abcdefg
    ESP encryption hex key:
    ESP authentication hex key:

Step 6 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.

# Apply the IPSec policy to the SPU interface on SwitchA.

[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit

# Apply the IPSec policy to the SPU interface on SwitchB.

[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy use1
[SPU-XGigabitEthernet0/0/1.1] quit


Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet0/0/1.1
  Path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  Sequence number: 10
  Mode: Manual
  -----------------------------
    Encapsulation mode: Tunnel
    Tunnel local : 202.38.163.1
    Tunnel remote: 202.38.162.1
    DSCP value: 0

    [Outbound ESP SAs]
      SPI: 12345 (0x3039)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      No duration limit for this SA

    [Inbound ESP SAs]
      SPI: 54321 (0xd431)
      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
      No duration limit for this SA

Step 7 Verify the configuration.

After the configuration is complete, PC A can ping PC B. Run the display ipsec statistics esp command to view statistics about the data packets.

----End

Configuration Files

- Configuration of the SPU on SwitchA

#
 sysname SPU
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 202.38.163.2 255.255.255.0
 arp broadcast enable
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

- Configuration file of SwitchA

#
 sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return

- Configuration of the SPU on SwitchB

#
 sysname SPU
#
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 30 dot1q-termination
 dot1q termination vid 30
 ip address 202.38.162.2 255.255.255.0
 arp broadcast enable
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return

- Configuration file of SwitchB

#
 sysname SwitchB
#
vlan batch 20 30
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30
#
return

5.6.2 Example for Establishing an SA Through IKE Negotiation

SAs are usually established through IKE negotiation when the network is complicated. IKE automatically establishes an SA and performs key exchange, which improves the efficiency of SA establishment and ensures network security.

Networking Requirements

As shown in Figure 5-4, an IPSec tunnel is established between SwitchA and SwitchB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm.

The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.

Figure 5-4 Networking for establishing an SA through IKE negotiation

[Figure not reproduced; labels in the figure: SwitchA, SwitchB, Internet, PC A 10.1.1.2/24, PC B 10.1.2.2/24, GE1/0/11, GE1/0/12, XGE5/0/0, XGE0/0/1.1 (VLAN 20), XGE0/0/1.2, VLAN 10, VLAN 30, 202.38.163.1/24, 202.38.168.2/24, 202.38.162.1/24, 202.38.165.2/24]

Configuration Roadmap

The configuration roadmap is as follows:

1. Import flows on the switches to the SPUs.
2. Configure an IKE proposal.
3. Specify the local host ID and IKE peer required in IKE negotiation.
4. Configure ACLs to define the data flows to be protected.
5. Configure static routes between the SPUs of SwitchA and SwitchB.
6. Configure IPSec proposals.
7. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
8. Apply the IPSec policies to interfaces of the SPUs.

Procedure

Step 1 Import flows on SwitchA and SwitchB to the SPUs.

1. Configure SwitchA.

<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] port link-type access
[SwitchA-GigabitEthernet1/0/11] port default vlan 10
[SwitchA-GigabitEthernet1/0/11] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface gigabitethernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/12] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] port link-type trunk
[SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20
[SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchA-XGigabitEthernet5/0/0] quit

2. Configure the SPU on SwitchA.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.163.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 10 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 10
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.163.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

3. Configure SwitchB.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type trunk
[SwitchB-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/12] quit
[SwitchB] interface XGigabitEthernet5/0/0
[SwitchB-XGigabitEthernet5/0/0] port link-type trunk
[SwitchB-XGigabitEthernet5/0/0] port trunk allow-pass vlan 30 20
[SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchB-XGigabitEthernet5/0/0] quit

4. Configure the SPU on SwitchB.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.162.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 30 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 30
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.162.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

Step 2 Configure the IKE proposal on the SPUs of SwitchA and SwitchB.

# Configure the IKE proposal on the SPU of SwitchA.

[SPU] ike proposal 1
[SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
[SPU-ike-proposal-1] authentication-algorithm md5
[SPU-ike-proposal-1] quit

# Configure the IKE proposal on the SPU of SwitchB.

[SPU] ike proposal 1
[SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
[SPU-ike-proposal-1] authentication-algorithm md5
[SPU-ike-proposal-1] quit

Step 3 Configure the local IDs and IKE peers on the SPUs of SwitchA and SwitchB.

# Configure the local ID and IKE peer on the SPU of SwitchA.

[SPU] ike local-name huawei01
[SPU] ike peer spub v1
[SPU-ike-peer-spub] exchange-mode aggressive
[SPU-ike-peer-spub] ike-proposal 1
[SPU-ike-peer-spub] local-id-type name
[SPU-ike-peer-spub] pre-shared-key huawei
[SPU-ike-peer-spub] remote-name huawei02
[SPU-ike-peer-spub] remote-address 202.38.162.1
[SPU-ike-peer-spub] local-address 202.38.163.1
[SPU-ike-peer-spub] quit

NOTE

In aggressive mode, you need to configure the IP address of the remote peer (remote-address).

# Configure the local ID and IKE peer on the SPU of SwitchB.

[SPU] ike local-name huawei02
[SPU] ike peer spua v1
[SPU-ike-peer-spua] exchange-mode aggressive
[SPU-ike-peer-spua] ike-proposal 1
[SPU-ike-peer-spua] local-id-type name
[SPU-ike-peer-spua] pre-shared-key huawei
[SPU-ike-peer-spua] remote-name huawei01
[SPU-ike-peer-spua] remote-address 202.38.163.1
[SPU-ike-peer-spua] local-address 202.38.162.1
[SPU-ike-peer-spua] quit

Run the display ike peer command on the SPUs of SwitchA and SwitchB to view the configuration of the IKE peers. Take the display on the SPU of SwitchA as an example.

[SPU] display ike peer name spub verbose
----------------------------------------
  IKE Peer           : spub
  Exchange mode      : aggressive on phase 1
  Pre-shared-key     : huawei
  Local id type      : name
  DPD                : Disable
  DPD mode           : Periodic
  DPD idle time      : 20
  DPD retrans int    : 5
  DPD retry limit    : 5
  Peer ip address    : 202.38.162.1
  VPN name           :
  Local ip address   : 202.38.163.1
  Remote name        : huawei02
  Nat-traversal      : Disable
  Configured IKE ver : VERSION ONE
  Negotiated IKE ver : VERSION ONE
----------------------------------------

Step 4 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.

# Configure an ACL on the SPU of SwitchA.

[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[SPU-acl-adv-3101] quit

# Configure an ACL on the SPU of SwitchB.

[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[SPU-acl-adv-3101] quit

Step 5 Configure static routes between the SPUs of SwitchA and SwitchB.

# Configure the SPU on SwitchA.

[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
[SPU] ip route-static 202.38.162.1 255.255.255.0 202.38.163.1

# Configure the SPU on SwitchB.

[SPU] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
[SPU] ip route-static 202.38.163.1 255.255.255.0 202.38.162.1

Step 6 Create IPSec proposals on the SPUs of SwitchA and SwitchB.

# Configure an IPSec proposal on the SPU of SwitchA.

[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

# Configure an IPSec proposal on SwitchB.

[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec proposal
Number of Proposals: 1

IPsec Proposal Name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96
                      Encryption DES

Step 7 Create IPSec policies on the SPUs of SwitchA and SwitchB.

# Configure an IPSec policy on the SPU of SwitchA.

[SPU] ipsec policy map1 10 isakmp
[SPU-ipsec-policy-isakmp-map1-10] ike-peer spub
[SPU-ipsec-policy-isakmp-map1-10] proposal tran1
[SPU-ipsec-policy-isakmp-map1-10] security acl 3101
[SPU-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy on SwitchB.

[SPU] ipsec policy use1 10 isakmp
[SPU-ipsec-policy-isakmp-use1-10] ike-peer spua
[SPU-ipsec-policy-isakmp-use1-10] proposal tran1
[SPU-ipsec-policy-isakmp-use1-10] security acl 3101
[SPU-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================

  Sequence number: 10
  Security data flow: 3101
  IKE-peer name: spub
  Perfect forward secrecy: None
  Proposal name: tran1
  IPsec SA local duration(time based): 3600 seconds
  IPsec SA local duration(traffic based): 1843200 kilobytes
  SA trigger mode: Automatic

Step 8 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.

# Apply the IPSec policy to the SPU interface on SwitchA.

[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit

# Apply the IPSec policy to the SPU interface on SwitchB.

[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy use1
[SPU-XGigabitEthernet0/0/1.1] quit


Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.

[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet 0/0/1.1
  path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "map1"
  sequence number: 10
  mode: isakmp
  -----------------------------
    Connection id: 3
    encapsulation mode: tunnel
    tunnel local : 202.38.163.1
    tunnel remote: 202.38.162.1

    [inbound ESP SAs]
      spi: 1406123142 (0x53cfbc86)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436528/3575
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3835455224 (0xe49c66f8)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
      sa remaining key duration (bytes/sec): 1887436464/3575
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N

Step 9 Verify the configuration.

After the configuration is complete, PC A can ping PC B. The data transmitted between PC A and PC B is encrypted.

Run the display ike sa command on an SPU, and the following information is displayed:

[SPU] display ike sa
    Conn-ID  Peer            VPN   Flag(s)   Phase   version
  --------------------------------------------------------------
    14       202.38.162.1    0     RD|ST     1       IPSEC
    16       202.38.162.1    0     RD|ST     2       IPSEC

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

----End

Configuration Files

- Configuration of the SPU on SwitchA

#
 sysname SPU
#
ike local-name huawei01
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer spub v1
 exchange-mode aggressive
 ike-proposal 1
 pre-shared-key huawei
 local-id-type name
 remote-name huawei02
 remote-address 202.38.162.1
 local-address 202.38.163.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
acl number 3101
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
ip route-static 202.38.162.1 255.255.255.0 202.38.163.1
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 202.38.163.2 255.255.255.0
 arp broadcast enable
#
return

- Configuration file of SwitchA

#
 sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return

- Configuration of the SPU on SwitchB

#
 sysname SPU
#
ike local-name huawei02
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer spua v1
 exchange-mode aggressive
 ike-proposal 1
 pre-shared-key huawei
 local-id-type name
 remote-name huawei01
 remote-address 202.38.163.1
 local-address 202.38.162.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
ip route-static 202.38.163.1 255.255.255.0 202.38.162.1
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 30 dot1q-termination
 dot1q termination vid 30
 ip address 202.38.162.2 255.255.255.0
 arp broadcast enable
#
return

- Configuration file of SwitchB

#
 sysname SwitchB
#
vlan batch 20 30
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30
#
return
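In both the manual-SA example (5.6.1) and the IKE example (5.6.2), each end's configuration must mirror the other's: tunnel local/remote swapped, manual SPIs and string-keys swapped between outbound and inbound, the IKE peer's remote-address and remote-name equal to the other end's local-address and ike local-name, the same pre-shared key and exchange mode, and ACL rules that describe the reverse flow. The following Python check is an added example, not Huawei's code; its configuration strings are constructed from the files above (only the sections the check needs) and it assumes one IPSec policy or IKE peer per file.

```python
"""Cross-check the two ends of an IPSec tunnel from their SPU configuration files.
Added example, not Huawei's code; the strings are constructed from the files in
5.6.1 (manual SAs) and 5.6.2 (IKE), keeping only the sections the check needs,
and one IPSec policy or IKE peer per file is assumed."""
import re

SPU_A_MANUAL = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec policy map1 10 manual
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
"""
SPU_B_MANUAL = """\
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec policy use1 10 manual
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
"""
SPU_A_IKE = """\
ike local-name huawei01
ike peer spub v1
 exchange-mode aggressive
 pre-shared-key huawei
 remote-name huawei02
 remote-address 202.38.162.1
 local-address 202.38.163.1
acl number 3101
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
SPU_B_IKE = """\
ike local-name huawei02
ike peer spua v1
 exchange-mode aggressive
 pre-shared-key huawei
 remote-name huawei01
 remote-address 202.38.163.1
 local-address 202.38.162.1
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
# A statement on one end whose value must equal its partner statement on the other end.
MIRROR = {"manual": [("tunnel local", "tunnel remote"),
                     ("sa spi outbound esp", "sa spi inbound esp"),
                     ("sa string-key outbound esp", "sa string-key inbound esp")],
          "ike": [("remote-address", "local-address")]}


def parse_config(text):
    """Flatten a VRP-style configuration into {statement keywords: last argument}."""
    stmts = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) > 1 and words[0] != "#":
            stmts[" ".join(words[:-1])] = words[-1]
    return stmts


def acl_flow(text):
    """Return (source, destination) of the ACL permit rule as 'network wildcard' strings."""
    return re.search(r"source (\S+ \S+) destination (\S+ \S+)", text).groups()


def check_pair(text_a, text_b):
    """Return the mismatches between the two ends; an empty list means consistent."""
    a, b = parse_config(text_a), parse_config(text_b)
    kind = "ike" if any(k.startswith("ike peer") for k in a) else "manual"
    problems = []
    if kind == "ike":
        # Each end names the other by its ike local-name, and both share key and mode.
        for end, mine, other in (("A", a, b), ("B", b, a)):
            if mine.get("remote-name") != other.get("ike local-name"):
                problems.append(f"{end}: remote-name is not the peer's ike local-name")
        for key in ("pre-shared-key", "exchange-mode"):
            if a.get(key) != b.get(key):
                problems.append(f"{key} differs between the ends")
    for mine, theirs in MIRROR[kind]:
        if a.get(mine) != b.get(theirs):
            problems.append(f"A '{mine}' != B '{theirs}'")
        if b.get(mine) != a.get(theirs):
            problems.append(f"B '{mine}' != A '{theirs}'")
    # The flow A protects must be the reverse of the flow B protects.
    if acl_flow(text_a) != acl_flow(text_b)[::-1]:
        problems.append("ACL rules do not describe the reverse flow")
    return problems
```

`check_pair(SPU_A_MANUAL, SPU_B_MANUAL)` and `check_pair(SPU_A_IKE, SPU_B_IKE)` both return an empty list; a mistyped SPI, pre-shared key or remote name on either end is reported by name.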


6 NetStream Configuration

About This Chapter

This chapter describes the working principle of NetStream and provides configuration examples.

6.1 Overview of NetStream
This section describes the working principle of NetStream.

6.2 NetStream Features Supported by the SPU
This section describes the NetStream features supported by the SPU.

6.3 Collecting IPv4 Traffic Statistics
This section describes how to collect statistics about IPv4 traffic passing through an interface.

6.4 Collecting IPv6 Traffic Statistics
This section describes how to collect statistics about IPv6 traffic passing through an interface.

6.5 Collecting MPLS Traffic Statistics
This section describes how to collect statistics about MPLS traffic passing through an interface.

6.6 Configuring the Aggregation Statistics About Traffic
This section describes how to configure the statistics about IPv4 and MPLS aggregation traffic passing through an interface.

6.7 Configuring the Flexible NetStream Feature
This section describes how to configure the Flexible NetStream feature to flexibly create NetStream statistics according to records.

6.8 Example for Configuring NetStream
This section provides several configuration examples of NetStream.


6.1 Overview of NetStream

This section describes the working principle of NetStream.

Concepts of NetStream

NetStream is a technology for collecting and advertising statistics about network traffic. It classifies and collects statistics about the communication traffic and resource usage on the network. NetStream also manages the network and conducts charging based on the service types and QoS. NetStream involves three types of devices:

- NetStream Data Exporter (NDE): The NDE collects and sends traffic statistics.

- NetStream Collector (NSC): The NSC receives and stores the traffic statistics sent by the NDE.

- NetStream Data Analyzer (NDA): The NDA analyzes the traffic statistics. The analysis result provides the basis for network accounting, network planning, network monitoring, and application monitoring and analysis.

NetStream Application

Because the IP network is connectionless, communications among different types of services are realized by the transmission of IP packets from one terminal to another. Such IP packets constitute a data stream of a particular service on the network. Most data streams on the network are ephemeral and bidirectional. Based on the destination IP address, source IP address, destination port number, source port number, protocol number, Type of Service (ToS), and inbound and outbound interfaces of packets, NetStream identifies different streams and collects statistics for each stream. The switch sends the collected traffic statistics regularly to the NSC for further processing; the NSC then sends the statistics to the NDA for data analysis. The report generated from the analysis result is the basis for accounting and network planning, as shown in Figure 6-1.

Figure 6-1 Diagram of NetStream data collection and analysis

[Figure not reproduced; devices shown: SwitchA, SwitchB, two NSCs, and an NDA]

NOTE

The NetStream function is implemented by the SPU of the switch.


6.2 NetStream Features Supported by the SPU

This section describes the NetStream features supported by the SPU.

Packet Sampling Types

The SPU supports fixed-packets sampling, random-packets sampling, fix-time sampling, and random-time sampling.

Versions of Original Traffic and Aggregation Traffic

At present, the SPU supports statistics about the original traffic, aggregation traffic and Flexible traffic.

- The version of the exported packets of the original traffic is V5 or V9. By default, the version of exported statistics packets is V5 and the version of exported IPv6 statistics packets is V9. To export statistics about MPLS traffic, set the version to V9.

- The version of the exported packets of the aggregation traffic is V8 or V9. By default, the version number of the exported packets of IPv4 aggregation traffic is V8 and that of MPLS aggregation traffic is V9.

- The version of the exported packets of the Flexible traffic is V9.

Statistics Aggregation

The SPU supports aggregation based on as, as-tos, protocol-port, protocol-port-tos, mpls-label, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.

Aging Types

The SPU supports the following aging types:

- Aging depending on the inactive aging time:

After the inactive aging time is set, the traffic is aged if the SPU does not receive any packet of the traffic within that time. The statistics collection then ends and the result is sent to the NSC.

- Aging depending on the active aging time:

After the active aging time is set, the traffic is aged once that time has elapsed since the first packet of the traffic was collected, even if packets keep arriving. The statistics collection then ends and the result is sent to the NSC.

- Aging depending on the FIN or RST flag in TCP streams:

If the traffic received by the SPU contains a TCP packet with the FIN or RST flag, the traffic is aged. The statistics collection then ends and the result is sent to the NSC.

- Aging depending on byte overflow:

If the number of bytes in the statistics reaches a certain value, the traffic is aged. This function is enabled by default.
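The flow identification of 6.1 and the four aging types above, as an added example that is not Huawei's code: a toy flow cache in Python fed with constructed packets. Its timers (inactive 30 s, active 120 s, byte limit 10,000 bytes), the interface names and the addresses are assumed demo values, not the SPU's defaults.

```python
"""Toy NetStream flow cache: the flow key of section 6.1 and the aging types of 6.2.
Added example, not Huawei's code. Packets are constructed; timestamps are seconds
and the timers are demo values, not the SPU's defaults."""
from collections import namedtuple

# Constructed packet header summary: the fields NetStream keys on, plus size and TCP flags.
Packet = namedtuple("Packet", "ts src dst sport dport proto tos ifin ifout size flags")
TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04


def flow_key(p):
    """Fields that tell one stream from another (section 6.1)."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ifin, p.ifout)


class FlowCache:
    """Per-stream counters that are exported to the NSC when a stream ages."""

    def __init__(self, inactive=30, active=1800, byte_limit=10_000, tcp_flag_aging=True):
        self.inactive, self.active = inactive, active
        self.byte_limit, self.tcp_flag_aging = byte_limit, tcp_flag_aging
        self.flows = {}      # flow key -> record still being counted
        self.exported = []   # records handed to the NSC, each with its aging reason

    def _export(self, key, reason):
        rec = self.flows.pop(key)
        rec["reason"] = reason
        self.exported.append(rec)

    def age(self, now):
        """Time-based aging: idle streams first, then streams that have lived too long."""
        for key, rec in list(self.flows.items()):
            if now - rec["last"] >= self.inactive:
                self._export(key, "inactive")
            elif now - rec["first"] >= self.active:
                self._export(key, "active")

    def observe(self, p):
        """Count one packet, then apply the aging rules that a packet can trigger."""
        self.age(p.ts)
        key = flow_key(p)
        rec = self.flows.setdefault(key, {"key": key, "first": p.ts, "last": p.ts,
                                          "packets": 0, "bytes": 0})
        rec["last"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.size
        if self.tcp_flag_aging and p.proto == TCP and p.flags & (FIN | RST):
            self._export(key, "fin-rst")        # TCP stream ended: export at once
        elif rec["bytes"] >= self.byte_limit:
            self._export(key, "byte-overflow")  # counter would overflow: export early

    def reasons(self):
        """{(src, dst, dport): aging reason} for every exported record."""
        return {(r["key"][0], r["key"][1], r["key"][3]): r["reason"] for r in self.exported}


def run_demo():
    """Feed constructed traffic through a cache with short demo timers and return the cache."""
    def pkt(ts, src, dst, dport, proto, size=60, flags=0):
        return Packet(ts, src, dst, 40000, dport, proto, 0, "XGE0/0/1.2", "XGE0/0/1.1", size, flags)

    cache = FlowCache(inactive=30, active=120, byte_limit=10_000)
    traffic = [  # a short HTTP session closed by FIN, then two DNS queries that go idle
        pkt(0, "10.1.1.2", "10.1.2.2", 80, TCP), pkt(1, "10.1.1.2", "10.1.2.2", 80, TCP, 1500),
        pkt(2, "10.1.1.2", "10.1.2.2", 80, TCP), pkt(3, "10.1.1.2", "10.1.2.2", 80, TCP, flags=FIN),
        pkt(5, "10.1.1.2", "10.1.2.3", 53, UDP, 80), pkt(6, "10.1.1.2", "10.1.2.3", 53, UDP, 300)]
    # an SSH session with a keepalive every 20 s: never idle, but alive past the active timer
    traffic += [pkt(t, "10.1.1.2", "10.1.2.2", 22, TCP, 100) for t in range(10, 131, 20)]
    # a bulk transfer whose byte count crosses the (demo) byte limit
    traffic += [pkt(140 + i, "10.1.2.2", "10.1.1.2", 445, TCP, 1500) for i in range(8)]
    for p in traffic:
        cache.observe(p)
    return cache
```

Each of the four constructed streams is exported for a different reason (fin-rst, inactive, active, byte-overflow), and the SSH and bulk streams are re-opened as fresh records after their export, as a real cache would do.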


Flexible NetStream

Flexible NetStream provides users with a flexible way to collect NetStream statistics. You can collect traffic statistics based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or traffic label as required. The SPU can send the traffic statistics on an interface to the NSC.

6.3 Collecting IPv4 Traffic Statistics

This section describes how to collect statistics about IPv4 traffic passing through an interface.

6.3.1 Establishing the Configuration Task

6.3.2 Enabling NetStream on an Interface

6.3.3 (Optional) Configuring the Version of Exported Packets

6.3.4 Setting the Destination Address of the Statistics

6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag

6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic

6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic

6.3.8 Checking the Configuration

6.3.1 Establishing the Configuration Task

Applicable Environment

You need to configure NetStream on an interface to collect statistics about inbound and outbound IPv4 packets respectively. The statistics result is sent to the Network Management System (NMS). By analyzing the traffic statistics, the NMS can obtain the traffic situation on the network and thus perform effective network management.

Pre-configuration Tasks

Before configuring the statistics about the original traffic, complete the following tasks:

l Setting physical parameters on an interface

l Setting the link-layer parameters of the interface

l Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation

To configure NetStream, you need the following data.

No.  Data

1    Name and number of the interface on which traffic statistics need to be collected

2    Version of the exported packets of the NetStream traffic statistics

3    IP addresses and port numbers of the NSC

6.3.2 Enabling NetStream on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run: ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface.

By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run: ip netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic.

By default, NetStream is disabled for the IPv4 traffic.

Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.

----End

6.3.3 (Optional) Configuring the Version of Exported Packets

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream export version version [ origin-as | peer-as ] [ bgp-nexthop ]

The version of exported packets is configured.

By default, the version of exported packets is v5, the AS option is none, and the statistics do not contain the information about the BGP nexthop.


NOTE

At present, only v9 packets carry the information about the BGP nexthop.

----End

6.3.4 Setting the Destination Address of the Statistics

Context

You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 (Optional) Run: ip netstream export source ip-address

The source address for exporting statistics is configured.

By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.

Step 3 Run: ip netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured.

If multiple destination addresses are configured, the statistics are exported to multiple NSCs.

You can configure up to 2 destination addresses to implement the backup between 2 NSCs.

----End

6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag

Context

The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream tcp-flag enable

The TCP traffic will be aged according to its FIN or RST flag in the TCP packet header.

By default, the TCP traffic is not aged according to the FIN or RST flag.

NOTE

If multiple aging conditions are configured on the SPU, the traffic ages when it meets any condition.

----End

6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic

Context

After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set.

By default, the inactive aging time of the original traffic is 30s.

----End

6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream timeout active active-interval

The active aging time of the original traffic is set.

By default, the active aging time of the original traffic is 30 minutes.

----End


6.3.8 Checking the Configuration

Prerequisite

The configurations of the NetStream function are complete.

Procedure

Step 1 Run the display ip netstream all command to view the NetStream configuration.

----End

6.4 Collecting IPv6 Traffic Statistics

This section describes how to collect statistics about IPv6 traffic passing through an interface.

6.4.1 Establishing the Configuration Task

6.4.2 Enabling NetStream on an Interface

6.4.3 Setting the Destination Address of the Statistics

6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag

6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic

6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic

6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task

Applicable Environment

You need to configure NetStream on an interface to collect statistics about inbound and outbound IPv6 packets respectively. The statistics result is sent to the Network Management System (NMS). By analyzing the traffic statistics, the NMS can obtain the traffic situation on the network and thus perform effective network management.

Pre-configuration Tasks

Before configuring the statistics about the original traffic, complete the following tasks:

l Setting physical parameters on an interface

l Setting the link-layer parameters of the interface

l Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation

To configure NetStream, you need the following data.

No.  Data

1    Name and number of the interface on which traffic statistics need to be collected

2    Version of the exported packets of the NetStream traffic statistics

3    IP addresses and port numbers of the NSC

6.4.2 Enabling NetStream on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run: ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface.

By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run: ipv6 netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv6 unicast traffic.

By default, NetStream is disabled for the IPv6 traffic.

Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.

----End

6.4.3 Setting the Destination Address of the Statistics

Context

You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 (Optional) Run: ipv6 netstream export source ip-address

The source address for exporting statistics is configured.

By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.

Step 3 Run: ipv6 netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured.

If multiple destination addresses are configured, the statistics are exported to multiple NSCs.

You can configure up to 2 destination addresses to implement the backup between 2 NSCs.

----End

6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag

Context

The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream tcp-flag enable

The TCP traffic will be aged according to its FIN or RST flag in the TCP packet header.

By default, the TCP traffic is not aged according to the FIN or RST flag.

NOTE

If multiple aging conditions are configured on the SPU, the traffic ages when it meets any condition.

----End


6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic

Context

After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set.

By default, the inactive aging time of the original traffic is 30s.

----End

6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ipv6 netstream timeout active active-interval

The active aging time of the original traffic is set.

By default, the active aging time of the original traffic is 30 minutes.

----End

6.4.7 Checking the Configuration

Prerequisite

The configurations of the NetStream function are complete.

Procedure

Step 1 Run the display ipv6 netstream all command to view the NetStream configuration.

----End

Example

View the NetStream configuration.

[Quidway] display ipv6 netstream all
system
 ipv6 netstream timeout inactive 300
 ipv6 netstream export source 6.6.6.1
 ipv6 netstream export host 5.0.132.2 10
 ipv6 netstream export host 1.1.1.1 20
 ip netstream record test0
  match ipv4 source-port
  match ipv6 source-address
  match ipv6 destination-address
  collect counter packets
  collect counter bytes
  collect interface input
  collect interface output

6.5 Collecting MPLS Traffic Statistics

This section describes how to collect statistics about MPLS traffic passing through an interface.

6.5.1 Establishing the Configuration Task

6.5.2 Enabling NetStream on an Interface

6.5.3 (Optional) Configuring the Version of Exported Packets

To export statistics packets of MPLS traffic, set the version of exported packets to V9.

6.5.4 Setting the Destination Address of the Statistics

6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic

6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic

6.5.7 Checking the Configuration

6.5.1 Establishing the Configuration Task

Applicable Environment

In an MPLS network, you can collect the statistics of incoming and outgoing traffic on the MPLS network by configuring NetStream. This can provide references for traffic analysis and accounting in the network.

Pre-configuration Tasks

Before configuring the statistics about the original traffic, complete the following tasks:

l Setting physical parameters on an interface

l Setting the link-layer parameters of the interface

l Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation

To configure NetStream, you need the following data.

No.  Data

1    Name and number of the interface on which traffic statistics need to be collected

2    Version of the exported packets of the NetStream traffic statistics

3    IP addresses and port numbers of the NSC

6.5.2 Enabling NetStream on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run: ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface.

By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run: ip netstream mpls inbound

The statistics function of MPLS is enabled.

By default, NetStream is disabled for the MPLS traffic.

Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.

----End

6.5.3 (Optional) Configuring the Version of Exported Packets

To export statistics packets of MPLS traffic, set the version of exported packets to V9.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream export version 9 [ origin-as | peer-as ] [ bgp-nexthop ]

The version of exported statistics packets is set to V9.

By default, the version of exported packets is v5, the AS option is none, and the statistics do not contain the information about the BGP nexthop.

----End

6.5.4 Setting the Destination Address of the Statistics

Context

You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 (Optional) Run: ip netstream export source ip-address

The source address for exporting statistics is configured.

By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.

Step 3 Run: ip netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured.

If multiple destination addresses are configured, the statistics are exported to multiple NSCs.

You can configure up to 2 destination addresses to implement the backup between 2 NSCs.

----End

6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic

Context

After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set.

By default, the inactive aging time of the original traffic is 30s.

----End

6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream timeout active active-interval

The active aging time of the original traffic is set.

By default, the active aging time of the original traffic is 30 minutes.

----End

6.5.7 Checking the Configuration

Prerequisite

The configurations of the NetStream function are complete.

Procedure

Step 1 Run the display ip netstream all command to view the NetStream configuration.

----End

6.6 Configuring the Aggregation Statistics About Traffic

This section describes how to configure the statistics about IPv4 and MPLS aggregation traffic passing an interface.

6.6.1 Establishing the Configuration Task

6.6.2 Enabling NetStream on an Interface

6.6.3 Configuring the Aggregation Function

6.6.4 (Optional) Configuring the Version of Exported Packets

6.6.5 (Optional) Configuring the Export of Statistics


6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic

6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic

6.6.8 Checking the Configuration

6.6.1 Establishing the Configuration Task

Applicable Environment

When the NetStream function is configured, a mode of collecting statistics about aggregation traffic must be configured to classify statistics about packets according to certain rules.

Pre-configuration Tasks

Before configuring NetStream for aggregation traffic, complete the following tasks:

l Setting physical parameters on an interface

l Setting the link-layer parameters of the interface

l Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation

To complete the configuration, you need the following data.

No.  Data

1    Name and number of the interface on which traffic statistics need to be collected

2    Version number of exported packets of the NetStream traffic statistics

3    IP addresses and port numbers of the NSC

6.6.2 Enabling NetStream on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run: ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface.

By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run: ip netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic.

To enable the NetStream function for MPLS traffic, run the ip netstream mpls inbound command.

By default, NetStream is disabled for IPv4 or MPLS traffic.

Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.

----End

6.6.3 Configuring the Aggregation Function

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.

Step 3 Run: enable

The aggregation mode is enabled.

NOTE

To collect statistics about the MPLS aggregation traffic passing an interface, enable the mpls-label mode.

----End

6.6.4 (Optional) Configuring the Version of Exported Packets

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.

Step 3 (Optional) Run: export version version

The version of the exported packets is configured.

By default, the version of the exported packets is V8.

NOTE

When the mpls-label mode is enabled, the version of exported packets cannot be set. The default version V9 is used.

----End

6.6.5 (Optional) Configuring the Export of Statistics

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.

Step 3 (Optional) Run: ip netstream export source ip-address

The source address for exporting statistics is configured.

Step 4 (Optional) Run: ip netstream export host ip-address port-number

The destination address for exporting statistics is configured.

The destination NSC address of the exported statistics can be configured in either the system view or the NetStream aggregation view.

The priority of the destination NSC address configured in the NetStream aggregation view is higher than that configured in the system view. After the destination NSC address is successfully configured:

l Original traffic can only be sent to the destination NSC address configured in the system view.

l Aggregation traffic is sent to the destination NSC address configured in the NetStream aggregation view.

If no destination NSC address is configured in the NetStream aggregation view, aggregation traffic is sent to the destination NSC address configured in the system view.

----End


6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream aggregation timeout inactive inactive-interval

The inactive aging time of the aggregation traffic is set.

By default, the inactive aging time of the aggregation traffic is 30s.

----End

6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream aggregation timeout active active-interval

The active aging time of the aggregation traffic is set.

By default, the active aging time of the aggregation traffic is 30 minutes.

----End

6.6.8 Checking the Configuration

Prerequisite

All configurations are complete.

Procedure

Step 1 Run the display ip netstream all command to view the NetStream configuration.

----End

6.7 Configuring the Flexible NetStream Feature

This section describes how to configure the Flexible NetStream feature to flexibly create NetStream statistics according to records.


6.7.1 Establishing the Configuration Task

6.7.2 Creating a Record and Entering the Record View

6.7.3 Configuring Aggregation Key Words of Records

6.7.4 (Optional) Configuring the Exported Traffic Statistics

6.7.5 Enabling Flexible NetStream on Interfaces

6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface

6.7.7 Checking the Configuration

6.7.1 Establishing the Configuration Task

Applicable Environment

To collect statistics on packets based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or traffic label on the network, you can configure Flexible NetStream.

Pre-configuration Tasks

Before configuring Flexible NetStream, complete the following tasks:

l Setting physical parameters on interfaces

l Setting the link-layer parameters of the interface

l Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation

To complete the configuration, you need the following data.

No.  Data

1    Name and number of the interface on which traffic statistics need to be collected

2    IP addresses and port numbers of the NSC

6.7.2 Creating a Record and Entering the Record View

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream record record-name

A record is created and the record view is displayed.

----End

6.7.3 Configuring Aggregation Key Words of Records

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream record record-name

The record view is displayed.

Step 3 (Optional) Run: match ipv4 { protocol | tos | source-address | destination-address | source-port | destination-port }

The IPv4 aggregation key words of records are configured.

Step 4 (Optional) Run: match ipv6 { protocol | tc | source-address | destination-address | source-port | destination-port | flow-label }

The IPv6 aggregation key words of records are configured.

----End

6.7.4 (Optional) Configuring the Exported Traffic Statistics

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: ip netstream record record-name

The record view is displayed.

Step 3 Run: collect counter { bytes | packets }

The mode of exporting traffic statistics is configured.

Step 4 Run: collect interface { input | output }

The traffic statistics sent to the NSC contain the indexes of the inbound interface and outbound interface of the flows.

----End
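How a record defined with the commands in 6.7.2 to 6.7.4 groups packets, as an added example that is not Huawei code: the match key words become the flow key, the collect fields become the exported counters, and the test0 record from the display output in 6.4.7 is rebuilt as sample configuration. The packets, byte lengths and interface indexes are constructed.

```python
IPV4_KEYS = ("protocol", "tos", "source-address", "destination-address",
             "source-port", "destination-port")
IPV6_KEYS = ("protocol", "tc", "source-address", "destination-address",
             "source-port", "destination-port", "flow-label")


class NetStreamRecord:
    """Model of one 'ip netstream record NAME' with its match and collect settings."""

    def __init__(self, name):
        self.name = name
        self.match = {"ipv4": [], "ipv6": []}   # aggregation key words, in configured order
        self.counters = []                      # collect counter { bytes | packets }
        self.interfaces = []                    # collect interface { input | output }

    def _add(self, allowed, target, value, what):
        if value not in allowed:
            raise ValueError(f"unknown {what}: {value}")
        if value not in target:                 # repeating a key word is a no-op
            target.append(value)

    def match_ipv4(self, key):
        self._add(IPV4_KEYS, self.match["ipv4"], key, "ipv4 key word")

    def match_ipv6(self, key):
        self._add(IPV6_KEYS, self.match["ipv6"], key, "ipv6 key word")

    def collect_counter(self, what):
        self._add(("bytes", "packets"), self.counters, what, "counter")

    def collect_interface(self, which):
        self._add(("input", "output"), self.interfaces, which, "interface")

    def config_lines(self):
        """Render the record the way the display ... netstream all output lists it."""
        lines = [f"ip netstream record {self.name}"]
        for fam in ("ipv4", "ipv6"):
            lines += [f" match {fam} {k}" for k in self.match[fam]]
        lines += [f" collect counter {c}" for c in self.counters]
        lines += [f" collect interface {i}" for i in self.interfaces]
        return lines

    def flow_key(self, pkt):
        """Address family plus the configured match fields; None if the record has
        no key word for that family (the packet is then not counted)."""
        keys = self.match[pkt["family"]]
        if not keys:
            return None
        return (pkt["family"],) + tuple((k, pkt[k]) for k in keys)

    def aggregate(self, packets):
        """Group packets by flow_key and build the fields that 'collect' exports."""
        table = {}
        for pkt in packets:
            key = self.flow_key(pkt)
            if key is None:
                continue
            entry = table.setdefault(key, {c: 0 for c in self.counters})
            if "packets" in self.counters:
                entry["packets"] += 1
            if "bytes" in self.counters:
                entry["bytes"] += pkt["length"]
            for side in self.interfaces:
                entry[side] = pkt[side]     # interface index; last packet wins (simplification)
        return table


def build_test0():
    """The test0 record shown in the display ipv6 netstream all output in 6.4.7."""
    rec = NetStreamRecord("test0")
    rec.match_ipv4("source-port")
    rec.match_ipv6("source-address")
    rec.match_ipv6("destination-address")
    rec.collect_counter("packets")
    rec.collect_counter("bytes")
    rec.collect_interface("input")
    rec.collect_interface("output")
    return rec


def _pkt(family, src, dst, sport, dport, length, proto=17, tos=0, label=0):
    """Constructed packet; field names follow the match/collect key words."""
    return {"family": family, "protocol": proto, "tos": tos, "tc": tos,
            "flow-label": label, "source-address": src, "destination-address": dst,
            "source-port": sport, "destination-port": dport,
            "length": length, "input": 1, "output": 2}


SAMPLE_PACKETS = [
    _pkt("ipv4", "10.1.1.10", "10.2.1.2", 53, 40001, 120),      # two DNS replies from
    _pkt("ipv4", "10.1.1.11", "10.2.1.3", 53, 40002, 180),      # different hosts: one key
    _pkt("ipv4", "10.1.1.10", "10.2.1.2", 443, 40003, 500, proto=6),
    _pkt("ipv6", "2001:db8::10", "2001:db8::2", 5000, 53, 200),
    _pkt("ipv6", "2001:db8::10", "2001:db8::2", 5001, 53, 300),  # same pair, other port
    _pkt("ipv6", "2001:db8::11", "2001:db8::2", 5000, 53, 90),
]


if __name__ == "__main__":
    rec = build_test0()
    print("\n".join(rec.config_lines()))
    for key, fields in rec.aggregate(SAMPLE_PACKETS).items():
        print(key, fields)
```

Because the IPv4 key of test0 is only the source port, the two DNS replies from different hosts land in one entry, which is the kind of detail to check before relying on such a record for per-host monitoring.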


6.7.5 Enabling Flexible NetStream on Interfaces

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 Run: port ip netstream record record-name

The record is applied to the interface.

NOTE

Only one record can be configured on an XGE interface. To modify the record in the same interface view, you must first delete the existing configuration by running the undo port ip netstream record command.

----End

6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface xgigabitethernet interface-number

The XGE interface view is displayed.

Step 3 (Optional) Run: ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGE interface.

Step 4 Run: ip netstream inbound

The NetStream function is enabled for the IPv4 traffic on the XGE interface.

Step 5 Run: ipv6 netstream inbound

The NetStream function is enabled for the IPv6 traffic on the XGE interface.

----End


6.7.7 Checking the Configuration

Prerequisite

All configurations are complete.

Procedure

Step 1 Run the display ip netstream all and display ipv6 netstream all commands to view the NetStream configuration.

----End

6.8 Example for Configuring NetStream

This section provides several configuration examples of NetStream.

6.8.1 Example for Configuring IPv4 Traffic Statistics

6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic

6.8.3 Example for Configuring Flexible NetStream Traffic Statistics

6.8.1 Example for Configuring IPv4 Traffic Statistics

Networking Requirements

As shown in Figure 6-2, the enterprise network is connected to the access Switch B of the carrier through Switch A, and the NetStream traffic statistics function is enabled on Switch B. The carrier collects traffic statistics on the packets sent and received by GE 1/0/0 of Switch B. The traffic statistics serve as the basis for network accounting.

Figure 6-2 Networking diagram for configuring NetStream

[Diagram not reproduced. Labels in the figure: User Network; Switch A; Switch B; NSC&NDA 10.2.1.2/24; GE1/0/0 VLANIF 100 10.1.1.1/24; GE1/0/0 VLANIF 100 10.1.1.2/24; GE2/0/0 VLANIF 200 10.2.1.1/24; XGE4/0/0; XGE0/0/1; VLAN 101; XGE0/0/2.2 22.22.22.1/24; XGE4/0/1 VLANIF 101 22.22.22.2/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Set IP addresses for interfaces on Switch A and Switch B.
2. Mirror the traffic on Switch B to the SPU.
3. Enable the NetStream on the SPU to collect statistics about the inbound traffic.
4. Configure the SPU to export statistics to the NSC and configure the source address of the statistics.
5. Set the aging mode and aging time of packets.

Data Preparation

To complete the configuration, you need the following data:

l IP address of each interface

l Address and port number of the NSC and source address contained in the packets

Procedure

Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-2. The configuration procedure is not mentioned here.

Step 2 Mirror the traffic on Switch B to the SPU.

# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound

NOTE

The SPU is located in slot 4.

Step 3 Enable NetStream on the SPU to collect traffic statistics on the inbound interface.

# Enable NetStream on XGigabitEthernet0/0/1 of the SPU to collect traffic statistics on the inbound interface.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream inbound

Step 4 Configure the SPU to export statistics to the NSC. You must also configure the source address of the statistics.

# Configure the SPU to export statistics to the NSC with the IP address 10.2.1.2 and UDP port 6000.

[SPU] ip netstream export host 10.2.1.2 6000

# Set the source address of the traffic statistics exported by the SPU.

[SPU] ip netstream export source 10.2.1.1

Step 5 Set the aging mode and aging time of the original traffic.


# Set the inactive aging time of the original traffic to 100 seconds.

[SPU] ip netstream timeout inactive 100

# Age the original traffic according to the FIN flag in the TCP packet header.

[SPU] ip netstream tcp-flag enable

Step 6 Verify the configuration.

# After the configuration, run the display ip netstream all command in the user view of the SPU to check the configuration.

<SPU> display ip netstream all
system
 ip netstream export host 10.2.1.2 6000
 ip netstream export source 10.2.1.1
 ip netstream timeout inactive 100
 ip netstream tcp-flag enable

XGigabitEthernet0/0/1
 ip netstream inbound

----End
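As an added Python example that is not part of the guide, the following toy flow cache models the two aging rules configured in Step 5 (the 100-second inactive timeout and TCP-flag aging) so that the effect of each rule on when a flow is exported can be observed. Flow keys, packet sizes and timestamps are constructed sample data.

```python
"""Added example (not from the Huawei guide): a toy NetStream-style flow cache
that applies the two aging rules configured in Step 5 above:
  - inactive aging: a flow that has seen no packet for inactive_timeout
    seconds is aged out and exported (ip netstream timeout inactive 100)
  - TCP-flag aging: a TCP flow is aged out as soon as a packet carrying FIN
    (or RST) is seen (ip netstream tcp-flag enable)
Flow keys, sizes and timestamps below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TCP_SYN, TCP_FIN, TCP_RST = 0x02, 0x01, 0x04
FlowKey = Tuple[str, str, int, int, int]   # (src, dst, sport, dport, protocol)


@dataclass
class Flow:
    first_seen: float
    last_seen: float = 0.0
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0        # OR of all flags seen, as exported with the flow


@dataclass
class FlowCache:
    inactive_timeout: float = 100.0        # seconds, the value used in the guide
    tcp_flag_aging: bool = True            # ip netstream tcp-flag enable
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)
    exported: List[Tuple[FlowKey, Flow, str]] = field(default_factory=list)

    def observe(self, key: FlowKey, ts: float, length: int, tcp_flags: int = 0) -> None:
        """Account one sampled packet; a FIN/RST ages the TCP flow immediately."""
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(first_seen=ts)
            self.flows[key] = flow
        flow.packets += 1
        flow.octets += length
        flow.last_seen = ts
        flow.tcp_flags |= tcp_flags
        is_tcp = key[4] == 6
        if self.tcp_flag_aging and is_tcp and tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp-flag")

    def age(self, now: float) -> int:
        """Export every flow idle for at least inactive_timeout; return the count."""
        expired = [k for k, f in self.flows.items()
                   if now - f.last_seen >= self.inactive_timeout]
        for k in expired:
            self._export(k, "inactive")
        return len(expired)

    def _export(self, key: FlowKey, reason: str) -> None:
        # on the real device this is the point where the record goes to the NSC
        self.exported.append((key, self.flows.pop(key), reason))


def demo() -> Tuple[FlowCache, int, int]:
    """Constructed traffic: one HTTP (TCP) flow closed with FIN, one DNS (UDP) flow."""
    cache = FlowCache()
    http = ("10.1.1.10", "198.51.100.7", 40000, 80, 6)
    dns = ("10.1.1.10", "10.1.1.2", 53000, 53, 17)
    cache.observe(http, 0.0, 60, TCP_SYN)
    cache.observe(dns, 1.0, 70)
    cache.observe(http, 2.0, 1400)
    cache.observe(http, 3.0, 52, TCP_FIN)   # exported now by TCP-flag aging
    aged_at_50 = cache.age(50.0)            # DNS idle 49 s: below 100 s, kept
    aged_at_150 = cache.age(150.0)          # DNS idle 149 s: inactive aging
    return cache, aged_at_50, aged_at_150
```

With tcp-flag aging disabled the HTTP flow would instead stay in the cache until the inactive timer expires, which delays the record's arrival at the NSC by up to 100 seconds.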

Configuration Files

Configuration file of Switch A

#
 sysname SwitchA
#
vlan 100
#
interface Vlanif 100
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
return

Configuration file of Switch B

On the MPU:

#
 sysname SwitchB
#
vlan batch 100 to 101 200
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif 100
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif 200
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif 101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
return

On the SPU:

#
 sysname SPU
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
ip netstream timeout inactive 100
ip netstream tcp-flag enable
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
interface XGigabitEthernet0/0/1
 ip netstream inbound
#
return

6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic

Networking Requirements

As shown in Figure 6-3, the NetStream function is configured on Switch B to collect statistics on the traffic from the user network to different ISPs. The traffic statistics serve as the basis for accounting.


Figure 6-3 Networking diagram of NetStream aggregation

[Figure 6-3 (diagram not reproduced): the user network connects through Switch A to Switch B; Switch B connects to Switch C and Switch D, which lead to ISP1 and ISP2, and reaches the NSC&NDA at 10.4.1.2/24; Switch B XGE4/0/0 connects to SPU XGE0/0/1, and Switch B XGE4/0/1 (VLANIF101, 22.22.22.2/24) connects to SPU XGE0/0/2.2 (VLAN101, 22.22.22.1/24). Interfaces and addresses are listed in the table below.]

Switch    Physical interface    VLANIF interface    IP address
Switch A  GigabitEthernet1/0/0  VLANIF30            10.1.1.1/24
Switch B  GigabitEthernet1/0/0  VLANIF10            10.2.1.1/24
          GigabitEthernet2/0/0  VLANIF20            10.3.1.1/24
          GigabitEthernet3/0/0  VLANIF30            10.1.1.2/24
          GigabitEthernet1/0/1  VLANIF40            10.4.1.1/24
Switch C  GigabitEthernet1/0/0  VLANIF10            10.2.1.2/24
Switch D  GigabitEthernet2/0/0  VLANIF20            10.3.1.2/24

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure a reachable route between the user network and the access network.
2. Configure reachable routes between the access network and ISP 1, and between the access network and ISP 2.
3. Configure the NetStream function on the SPU of Switch B.

Data Preparation

To complete the configuration, you need the following data:

• IP addresses of interfaces
• OSPF process ID
• BGP process ID
• IP address and port number of the NSC
• Packet sampling ratio
• Version number of exported packets

Procedure

Step 1 Set IP addresses for interfaces on Switch A and Switch B. The configuration procedure is not mentioned here.

Step 2 Configure the IGP route between Switch A and Switch B.

# Configure the dynamic route on Switch A.

<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] ospf router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

# Configure the dynamic routing protocol on Switch B.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] ospf router-id 2.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.1.1 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.1.1 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

Step 3 Set up dynamic BGP peer relations between Switch B and Switch C.

# Configure Switch B.

[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.2.1.2 as-number 65002
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Configure Switch C

<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] bgp 65002
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 10.2.1.1 as-number 65001

Step 4 Set up dynamic BGP peer relations between Switch B and Switch D.

# Configure Switch B.

[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.3.1.2 as-number 65003
[SwitchB-bgp] quit

# Configure Switch D

<Quidway> system-view
[Quidway] sysname SwitchD
[SwitchD] bgp 65003
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 10.3.1.1 as-number 65001

Step 5 Configure the NetStream function on the SPU.

# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.

[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound

NOTE

The SPU is located in slot 4.

# Set the version number of exported packets for the aggregation traffic on the SPU.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream aggregation as
[SPU-aggregation-as] enable
[SPU-aggregation-as] export version 9
[SPU-aggregation-as] ip netstream export host 10.4.1.2 6000
[SPU-aggregation-as] ip netstream export source 10.4.1.1
[SPU-aggregation-as] quit

# Configure NetStream on the inbound interface and set the packet sampling ratio on the SPU.

[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound
[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit
[SPU] quit

Step 6 Verify the configuration.

# After the configuration succeeds, run the display ip netstream all command in the user view of the SPU to check the configuration.

<SPU> display ip netstream all

ip netstream aggregation as
 enable
 export version 9
 ip netstream export source 10.4.1.1
 ip netstream export host 10.4.1.2 6000

XGigabitEthernet0/0/1
 ip netstream inbound
 ip netstream sampler fix-packets 100 inbound

----End

Configuration Files

Configuration file of Switch A.

#
 sysname SwitchA
#
vlan batch 30
#
interface Vlanif30
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
return

Configuration file of Switch B.

On the MPU:

#
 sysname SwitchB
#
vlan batch 10 20 30 40 101
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif10
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.3.1.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif40
 ip address 10.4.1.1 255.255.255.0
#
interface Vlanif 101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
interface GigabitEthernet3/0/0
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 40
 port hybrid untagged vlan 40
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
bgp 65001
 router-id 2.2.2.2
 peer 10.2.1.2 as-number 65002
 peer 10.3.1.2 as-number 65003
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.2.1.2 enable
  peer 10.3.1.2 enable
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
return

On the SPU:

#
 sysname SPU
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream aggregation as
 enable
 export version 9
 ip netstream export host 10.4.1.2 6000
 ip netstream export source 10.4.1.1
#
interface XGigabitEthernet0/0/1
 ip netstream sampler fix-packets 100 inbound
 ip netstream inbound
#
return

Configuration file of Switch C.

#
 sysname SwitchC
#
vlan batch 10
#
interface Vlanif10
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
bgp 65002
 router-id 3.3.3.3
 peer 10.2.1.1 as-number 65001
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.2.1.1 enable
#
return

Configuration file of Switch D.

#
 sysname SwitchD
#
vlan batch 20
#
interface Vlanif20
 ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
bgp 65003
 router-id 4.4.4.4
 peer 10.3.1.1 as-number 65001
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.3.1.1 enable
#
return

6.8.3 Example for Configuring Flexible NetStream Traffic Statistics

Networking Requirements

As shown in Figure 6-4, the enterprise network is connected to Switch B of the carrier through Switch A. The Flexible NetStream feature is enabled on GE1/0/0 of Switch B. You can then collect statistics on the inbound and outbound traffic of an interface, aggregated by destination IP address and destination port. The statistics can be sent to the NSC.

Figure 6-4 Networking diagram for configuring Flexible NetStream

[Figure 6-4 (diagram not reproduced): the user network connects to Switch A; Switch A GE1/0/0 (VLANIF 100, 10.1.1.1/24) links to Switch B GE1/0/0 (VLANIF 100, 10.1.1.2/24); Switch B GE2/0/0 (VLANIF 200, 10.2.1.1/24) reaches the NSC&NDA at 10.2.1.2/24; Switch B XGE4/0/0 connects to SPU XGE0/0/1, and Switch B XGE4/0/1 (VLANIF101, 22.22.22.2/24) connects to SPU XGE0/0/2.2 (VLAN101, 22.22.22.1/24).]

Configuration Roadmap

The configuration roadmap is as follows:

1. Set IP addresses for interfaces on Switch A and Switch B.
2. Mirror the traffic on GE 1/0/0 of Switch B to the SPU.
3. Enable the Flexible NetStream feature on the SPU.
4. Enable the Flexible NetStream feature on GE1/0/0 of Switch B.

Data Preparation

To complete the configuration, you need the following data:

• IP address of each interface
• Version of the exported packets
• Address and port number of the NSC, and the source address contained in the exported packets
• Traffic statistics to be sent to the NSC


Procedure

Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-4. The configuration procedure is not mentioned here.

Step 2 Mirror the traffic on Switch B to the SPU.

# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.

<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound

NOTE

The SPU is located in slot 4.

Step 3 Enable the Flexible NetStream feature on the SPU.

# Create a record named test and enter the view of the test record.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream record test
[SPU-record-test]

# Configure the aggregation keys of the test record.

[SPU-record-test] match ipv4 destination-address
[SPU-record-test] match ipv4 destination-port

# Configure the SPU to send the inbound and outbound interface indexes in the test record to the NSC.

[SPU-record-test] collect interface input
[SPU-record-test] collect interface output

# Send the number of packets and bytes of the inbound and outbound traffic to the NSC.

[SPU-record-test] collect counter bytes
[SPU-record-test] collect counter packets
[SPU-record-test] quit

Step 4 Enable the Flexible NetStream feature on XGigabitEthernet0/0/1.

# Set the fixed-packets sampling ratio on XGigabitEthernet0/0/1 to 100.

[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound

# Enable the Flexible NetStream feature on XGigabitEthernet0/0/1.

[SPU-XGigabitEthernet0/0/1] port ip netstream record test

# Enable the NetStream function on XGigabitEthernet0/0/1.

[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit

Step 5 Set the source address, destination port number, and destination address for exporting packets.

# Set the destination address and destination port number for exporting packets.

[SPU] ip netstream export host 10.2.1.2 6000

# Configure the source address for exporting packets.

[SPU] ip netstream export source 10.2.1.1

Step 6 Verify the configuration.


# After the configuration succeeds, run the display ip netstream all command in the user view of the SPU to check the configuration.

<SPU> display ip netstream all
system
 ip netstream export host 10.2.1.2 6000
 ip netstream export source 10.2.1.1

XGigabitEthernet0/0/1
 ip netstream inbound
 ip netstream sampler fix-packets 100 inbound
 port ip netstream record test

# View the traffic statistics.

<SPU> display ip netstream statistic
=====Netstream statistics:=====
 Origin ingress entries : 30000
 Origin ingress packets : 30000
 Origin ingress octets : 1380000
 Origin egress entries : 0
 Origin egress packets : 0
 Origin egress octets : 0
 Origin total entries : 30000
 Agility ingress entries : 30000
 Agility ingress packets : 30000
 Agility ingress octets : 3960000
 Agility egress entries : 0
 Agility egress packets : 0
 Agility egress octets : 0
 Agility total entries : 30000
 Handle origin entries : 29035
 Handle agility entries : 29050
 Handle As aggre entries : 1
 Handle ProtPort aggre entries : 1
 Handle SrcPrefix aggre entries : 118
 Handle DstPrefix aggre entries : 1
 Handle Prefix aggre entries : 118
 Handle AsTos aggre entries : 1
 Handle ProtPortTos aggre entries : 1
 Handle SrcPreTos aggre entries : 118
 Handle DstPreTos aggre entries : 1
 Handle PreTos aggre entries : 118
 Handle MplsTbl aggre entries : 0

----End

Configuration Files

Configuration file of Switch A.

#
 sysname SwitchA
#
vlan 100
#
interface Vlanif 100
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
return

Configuration file of Switch B

On the MPU:

#
 sysname SwitchB
#
vlan batch 100 to 101 200
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif 100
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif 200
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif 101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
return

On the SPU:

#
 sysname SPU
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
#
interface XGigabitEthernet0/0/1
 ip netstream sampler fix-packets 100 inbound
 port ip netstream record test
 ip netstream inbound
#
ip netstream record test
 match ipv4 destination-address
 match ipv4 destination-port
 collect counter packets
 collect counter bytes
 collect interface input
 collect interface output
#
return
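The receiving side of the export configured in 6.8.2 (export version 9) and in this section (the test record with its match and collect fields), as an added Python example that is not part of the guide: a minimal NSC-side collector that learns V9 templates and decodes data records, and that accepts datagrams only from the configured export source. It assumes (assumption) that NetStream V9 follows the NetFlow v9 layout of RFC 3954; the datagram is constructed locally so the code runs offline.

```python
"""Added example (not from the Huawei guide): a minimal NSC-side collector for
the template-based V9 records the SPU exports with "export version 9" to
"ip netstream export host ... 6000". It assumes (assumption) that NetStream V9
uses the NetFlow v9 layout of RFC 3954 and decodes the six fields the Flexible
NetStream record "test" matches and collects. The datagram is constructed
locally so that the code runs offline."""
import socket
import struct
from typing import Dict, List, Tuple

# RFC 3954 field type ids for the fields used by the "test" record
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 10: "input_snmp",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 14: "output_snmp"}
HEADER = struct.Struct("!HHIIII")   # version, count, uptime, secs, seq, source_id


class V9Collector:
    def __init__(self, allowed_exporters: Tuple[str, ...] = ("10.2.1.1",)):
        # V9 over UDP is unauthenticated: accept datagrams only from the
        # address configured with "ip netstream export source" on the SPU
        self.allowed = set(allowed_exporters)
        # templates are keyed by (source_id, template_id) so a template from
        # one exporter is never used to decode another exporter's data
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.dropped = 0

    def parse(self, dgram: bytes, src_ip: str) -> List[Dict]:
        if src_ip not in self.allowed:
            self.dropped += 1
            return []
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(dgram)
        if version != 9:
            raise ValueError(f"unsupported export version {version}")
        records, off = [], HEADER.size
        while off + 4 <= len(dgram):
            set_id, length = struct.unpack_from("!HH", dgram, off)
            if length < 4 or off + length > len(dgram):
                raise ValueError("malformed flowset length")
            body = dgram[off + 4:off + length]
            if set_id == 0:                       # template flowset
                self._learn_templates(source_id, body)
            elif set_id >= 256:                   # data flowset
                records.extend(self._decode(source_id, set_id, body))
            off += length                         # options (id 1) are skipped
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        p = 0
        while p + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, p)
            p += 4
            fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
            p += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode(self, source_id: int, tid: int, body: bytes) -> List[Dict]:
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            self.dropped += 1                     # template not seen yet: drop, never guess
            return []
        rec_len = sum(flen for _, flen in tmpl)
        out, p = [], 0
        while p + rec_len <= len(body):           # trailing bytes are padding
            rec, q = {}, p
            for ftype, flen in tmpl:
                raw = body[q:q + flen]
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                    socket.inet_ntoa(raw) if ftype == 12 else int.from_bytes(raw, "big"))
                q += flen
            out.append(rec)
            p += rec_len
        return out


def build_sample_datagram(include_template: bool = True) -> bytes:
    """Constructed V9 datagram: template 256 plus two data records (sample values)."""
    fields = [(12, 4), (11, 2), (10, 2), (14, 2), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    flows = [("198.51.100.7", 80, 3, 5, 1380000, 30000),
             ("198.51.100.9", 443, 3, 5, 9000, 12)]
    data_body = b"".join(socket.inet_aton(dst) + struct.pack("!HHHII", dport, i, o, octets, pkts)
                         for dst, dport, i, o, octets, pkts in flows)
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    header = HEADER.pack(9, 1 + len(flows), 123456, 1279152000, 1, 4)  # source_id 4 is constructed
    return header + (tmpl_set if include_template else b"") + data_set
```

A data flowset that arrives before its template is dropped rather than decoded with a guessed layout, which is why a collector should be started before the exporter and should keep per-exporter template state.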


7 Load Balancing Configuration

About This Chapter

Load balancing is a cluster technology that distributes special services, such as network services and network traffic, among multiple links or network devices, for example, servers and firewalls. The load balancing technology improves the service processing capabilities of networks and ensures high reliability of services.

7.1 Load Balancing Overview

This section describes the background, classification, and basic concepts of load balancing.

7.2 Load Balancing Features Supported by the SPU

The load balancing features supported by the SPU and their implementation principles are as follows.

7.3 Configuring Egress Link Load Balancing

On a network with multiple ISP egresses, you can configure egress link load balancing so that the link is selected dynamically and the reliability of services is improved.

7.4 Configuring Server Load Balancing

In networking where multiple servers are deployed, such as a data center, you can configure server load balancing to distribute network services among multiple servers for processing. In this manner, the service processing capabilities of the servers are improved.

7.5 Configuring Firewall Load Balancing

On a network where multiple firewalls exist, you can load balance network traffic among the firewalls in a group. In this manner, the burden on each single firewall is reduced and the network processing capability is improved.

7.6 Configuration Examples

This section provides several configuration examples. Each configuration example includes the networking requirements, configuration roadmap, operation procedure, and configuration files.


7.1 Load Balancing Overview

This section describes the background, classification, and basic concepts of load balancing.

Background

With the rapid development of the Internet, increasing numbers of users and diversified services impose high requirements on network performance. To improve the overall performance of the network, the network bandwidth needs to be increased and the performance of network devices such as servers and firewalls needs to be enhanced. You can use high-performance servers or increase the link bandwidth to improve network performance, but a great deal of the investment is wasted.

To solve this problem, the load balancing technology is introduced. By running a load balancing algorithm, the load balancing technology evenly distributes services to multiple network devices or links so that the overall performance of the network is improved.

The load balancing technology has the following advantages:

• High reliability
  When one or more network devices or links are faulty, the system automatically switches services to normal network devices or links so that services are not interrupted. This reduces network faults and improves the reliability of service processing.

• High performance
  The load balancing technology evenly distributes services to multiple network devices so that the processing capabilities of the network devices are combined. These network devices function as one large network device, and the capability of the system to process services is thus improved.

• Extensibility
  By using the load balancing technology, you can add network devices or links to a group to meet the requirements of growing services. In addition, the service quality is ensured.

Classification

Load balancing modes are classified based on different factors:

• Physical location
  Load balancing is classified into global and local load balancing.
  – Local load balancing is performed among servers in a server group in the same physical location.
  – Global load balancing is performed among server groups that are located in different physical locations and adopt different network structures. Global load balancing is applied to the following scenario: an enterprise or a group has server sites in multiple areas, and users can access the nearest server through an IP address or a domain name so that they obtain the fastest access speed.

• Load balancing object
  Load balancing is classified into link load balancing, server load balancing, and firewall load balancing.
  – Link load balancing indicates that load balancing is performed among different links.


  – Server load balancing indicates that load balancing is performed among different servers.
  – Firewall load balancing indicates that load balancing is performed among different firewalls.

• Load balancing technology
  Load balancing is classified into DNS-based load balancing and network-based load balancing.
  – The DNS-based load balancing technology sets the mapping between multiple IP addresses and one domain name on the Domain Name Server (DNS) and returns IP address lists in different orders, thereby allocating user requests to different servers.
  – The network-based load balancing technology provides services for users through a virtual IP address. Each network device has a real IP address; the load balancing device maintains the mapping between the virtual IP address and the real IP addresses and distributes services to different network devices.

NOTE

This document introduces the configuration of load balancing based on the object.

Basic Concepts

• Load balancing

Load balancing is a group technology that distributes special services, such as network services and network traffic, among multiple links or network devices, for example, servers and firewalls. This improves the service processing capability and ensures high reliability of services.

• Load balancing member

A load balancing member is the entity, configured on the load balancing device, that actually provides services for users, for example, a server, firewall, or link.

• Load balancing group

A load balancing group is a set of network devices or links that provide the same service for users. A set of servers is called a server group, a set of firewalls a firewall group, and a set of links a link group.

• Load balancing member instance

A load balancing member can join multiple load balancing groups; the mapping between a load balancing member and a load balancing group is called a load balancing member instance. If the member is a server, the instance is called a server instance; if the member is a firewall, a firewall instance; if the member is a link, a link instance.

• VIP

The virtual IP address is used by the server and firewall load balancing technologies. Multiple servers or firewalls share one public IP address. Users access the servers or firewalls through the public IP address, whereas the servers or firewalls themselves use different internal IP addresses. The SPU distributes the traffic destined for the virtual IP address to each real server according to the load balancing policy.

• Load balancing algorithm

The load balancing algorithm is used by the load balancing device to select the load balancing member that provides the best service for users. The SPU supports the following load balancing algorithms:

– Weighted round robin (WRR) algorithm

In the WRR algorithm, the SPU makes load balancing decisions according to the priorities and weights of load balancing members. The SPU selects load balancing members with higher priorities for providing services, according to their weights. A load balancing member with a greater weight is more likely to be selected and is allocated more services. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If no load balancing member with a higher priority can be used, the SPU selects a load balancing member among those with lower priorities according to the WRR algorithm.

The WRR algorithm solves the problem of different performance among servers or different bandwidth among links. It is applied to the scenario where the performance of servers in a server group differs or the bandwidth of links in a link group differs.

– Least connection algorithm

Actually, the SPU uses the weighted least connection algorithm.

In the least connection algorithm, the SPU makes load balancing decisions according to the priority, weight, and number of active connections of each load balancing member. The SPU selects load balancing members with higher priorities for providing services, and preferentially selects the load balancing member with the smallest number of active connections or the smallest weight. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If no load balancing member with a higher priority can be used, the SPU selects a load balancing member among those with lower priorities according to the weighted least connection algorithm.

The least connection algorithm can smoothly distribute connection requests whose durations differ greatly to each server or link. It is applied to the scenario where the performance of servers in a server group differs or the bandwidth of links in a link group differs, and the durations of the connections initiated by different users differ greatly.

– Hash algorithm based on the IP address

In the hash algorithm based on the IP address, the SPU hashes the source IP address, the destination IP address, or both the source and destination IP addresses, and makes load balancing decisions according to the hash value. After a load balancing member is selected, the SPU determines whether the member can be used according to the bandwidth limit, connection quantity limit, and connection rate limit. If the load balancing member cannot be used, the SPU selects the next load balancing member according to the hash value.

The hash algorithm can map the following requests to the same server or link:

– Requests with the same source IP address
– Requests with the same destination IP address
– Requests with the same source and destination IP addresses
– Requests whose source IP addresses are located in the same network segment
– Requests whose destination IP addresses are located in the same network segment
– Requests whose source and destination IP addresses are located in the same network segment

The hash algorithm is applied to the scenario where all requests from a user must be distributed to the same server or link. It is used for both server load balancing and firewall load balancing.

– Hash algorithm based on the HTTP URL

In the hash algorithm based on the HTTP URL, the SPU hashes the URL carried inHTTP request packets and makes load balancing decisions according to the hash value.After a load balancing member is selected, the SPU determines whether the membercan be used according to the bandwidth limit, connection quantity limit, and connectionrate limit. If the load balancing member cannot be used, the SPU selects the next loadbalancing member according to the hash value.

l Health detection

Health detection indicates that the load balancing device periodically detects the servicestatus of real servers or links to collect corresponding information and isolate abnormalservers or links. The SPU can detect whether servers or links run normally.

l Session stickiness

Session stickiness indicates that connection requests of a user in a period are sent to thesame server for processing.

l Firewall load balancing

Based on load balancing of network devices, the firewall load balancing technology ensuresthe bidirectional traffic of a session passes through the same firewall.

Firewall load balancing has the following characteristics:

– Reducing or even removing the bottleneck of the firewall (enhancing the performance and extensibility of the network)

– Enhancing firewall availability and network security

Firewall load balancing is classified into the following types:

– Standard firewall load balancing

– Transparent firewall load balancing

7.2 Load Balancing Features Supported by the SPU

The load balancing features supported by the SPU and their implementation principles are as follows.

Egress Link Load Balancing

To prevent the network availability degradation caused by a fault on an ISP's egress device, and to address network access failures caused by insufficient bandwidth, an enterprise leases two or more Internet Service Provider (ISP) egresses. The enterprise then faces the problem of using the multiple ISP egresses properly, that is, of using the leased resources efficiently. Traditional policy-based routing (PBR) can relieve the problem, but PBR is difficult to configure. In addition, PBR is inflexible and cannot adapt dynamically to changes in the network structure, and it cannot distribute packets according to bandwidth. As a result, the link with the higher throughput cannot be fully used.


By using the dynamic load balancing algorithm, multiple egress links share the traffic. The algorithm is easily configured and adapts to changes in the network structure, which solves the preceding problem. Figure 7-1 shows the typical networking of egress link load balancing.

Figure 7-1 Typical networking of egress link load balancing (figure: Switch in the enterprise network connects through Router A, Router B, and Router C to ISP1, ISP2, and ISP3, which reach a server on the external network across the IP network)

As shown in Figure 7-1, Switch is the load balancing device and distributes the traffic sent from the internal network to the external network over multiple links. One ISP gateway corresponds to one link. The egress link load balancing process is as follows:

1. Users on the internal network send requests to servers on the external network.

2. When the request packets pass through Switch, Switch selects a link according to the configured load balancing algorithm, weights, priorities, and inbound/outbound bandwidth limits, and forwards the request packets to the selected link.

3. After receiving the response packets of servers on the external network, Switch forwards the response packets to the users on the internal network.

The egress link load balancing supported by the SPU has the following characteristics:

l Load balancing algorithm

It supports the WRR algorithm, least connection algorithm, and hash algorithm based on the IP address.

l Link bandwidth threshold

The link bandwidth threshold can be set for the inbound or outbound traffic. When the bandwidth threshold or the percentage of the bandwidth threshold is exceeded, the load balancing device does not select the ISP link.

l Link health detection

After an Internet Control Message Protocol (ICMP) probe is configured on the SPU, the SPU periodically sends probing packets to the link gateway to detect whether the gateway is reachable. Note that the probe proves reachability of the gateway only: a gateway that still answers ICMP after losing its own upstream connectivity is still reported as Up.

l Forwarding mode


The forwarding mode can be DNAT or DMAC in server load balancing. In egress link load balancing, the SPU supports the redirection mode.

Server Load Balancing

With the fast development of the Internet and its services, network-based data access traffic increases rapidly. In particular, the traffic of access to data centers, large enterprises, and portal websites reaches 10 Gbit/s. In addition, servers provide rich information to users through applications such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP), and are gradually overwhelmed by the data. Besides, most websites, especially e-commerce websites, provide around-the-clock non-stop service, so any service interruption or loss of key data in communication results in commercial loss. These factors require high performance and high reliability from application services.

With the development of network technologies, the processing speed and memory access speed of servers cannot keep up with the growth of network bandwidth and application services. The increase in network bandwidth brings more users, and server resources are seriously consumed; the servers become the network bottleneck. Simply upgrading server hardware is expensive and scales poorly, and problems such as single points of failure on the network remain unsolved.

By using the dynamic load balancing algorithm, the server load balancing technology properly allocates network services to servers in a server group. This reduces the burden on a single server and improves the reliability of the service. You only need to add a server to a server group, without changing the existing network structure or stopping existing services.

In server load balancing, the forwarding mode is classified into DNAT and DMAC. The process of the two modes is the same: the SPU provides a virtual IP address, users request services through the virtual IP address, and the SPU allocates the requests to real servers according to the load balancing algorithm. The two modes differ in how a request is delivered. In DNAT mode, when allocating a service request, the SPU translates the destination IP address of the request packets (the virtual IP address) into the IP address of a real server and forwards the packets to the real server through routes. In DMAC mode, when allocating a service request, the SPU replaces the destination MAC address of the request packets with the MAC address of a real server without changing the destination IP address, and then forwards the packets to the real server.

l Server load balancing in DNAT mode

In DNAT mode, the networking is flexible. The real servers can be located in different physical positions and on different LANs. Figure 7-2 shows the typical networking.


Figure 7-2 Typical networking of server load balancing in DNAT mode (figure: Host reaches Switch across the IP network; Switch presents the VIP and forwards to Server A, Server B, and Server C at IPA, IPB, and IPC)

As shown in Figure 7-2, multiple servers provide services through the virtual IP address. Switch functions as the load balancing device and is responsible for allocating user requests to multiple servers. The process of server load balancing in DNAT mode is as follows:

1. Users send requests to the virtual IP address.

2. Switch classifies packets at Layer 3 or Layer 7 according to service traffic features and selects a load balancing group. Then Switch selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, and uses NAT to replace the destination IP address of the request packets with the IP address of the real server. Switch sends the request packets to the real server.

3. The real server sends the response packets to Switch through a route. Before returning the response packets to users, Switch changes the source IP address of the response packets to the virtual IP address. Then Switch sends the response packets to users. The load balancing process is complete.

l Server load balancing in DMAC mode

In DMAC mode, only the request packets of users pass through the load balancing device. The response packets of a server do not pass through the load balancing device. This reduces the burden on the load balancing device and prevents it from becoming the bottleneck. Figure 7-3 shows the typical networking.


Figure 7-3 Typical networking of server load balancing in DMAC mode (figure: Host reaches Switch B across the IP network; Switch B connects to Switch A, which presents the VIP, and to Server A, Server B, and Server C at IPA, IPB, and IPC)

As shown in Figure 7-3, multiple servers provide services through the virtual IP address. Switch A functions as the load balancing device and is responsible for allocating user requests to multiple servers. Switch B functions as a common switch and is responsible for forwarding user requests to the load balancing device and returning response packets of servers to users. The process of server load balancing in DMAC mode is as follows:

1. Users send requests to Switch B.

2. Switch B forwards the received request packets to Switch A.

3. After receiving the request packets, Switch A classifies packets at Layer 3 or Layer 7 according to service traffic features and selects a load balancing group. Then Switch A selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, and replaces the destination MAC address of the request packets (the destination IP address is still the virtual IP address) with the MAC address of the real server. Switch A sends the request packets to the real server.

4. The real server sends the response packets to Switch B, and Switch B sends the response packets to users. The load balancing process is complete.
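The two forwarding modes above differ only in which header field the load balancing device rewrites and in whether the response has to come back through it. The following Python model is added here as an illustration and is not code from the S9300 or its software. It walks one request and one response through each mode. The VIP, the real server IP and MAC addresses, the packet fields and the helper names are constructed assumptions. It also shows a check that follows from DMAC mode but is not spelled out in this guide: because the destination IP address still reads the VIP when the frame reaches the real server, the server delivers it to the application only if the VIP is configured as one of its own addresses.

```python
import zlib
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Constructed addresses: the VIP users connect to and two real servers,
# assumed to be directly attached to the load balancing device.
VIP = "203.0.113.10"
LB_MAC = "00:00:5e:00:53:01"
REAL_SERVERS: Dict[str, str] = {          # real server IP -> its MAC
    "10.0.0.11": "00:00:5e:00:53:11",
    "10.0.0.12": "00:00:5e:00:53:12",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dst_mac: str


def pick_server(pkt: Packet) -> str:
    """IP-hash selection: every request from one source IP maps to the same
    real server. crc32 is used instead of hash() so the mapping is stable
    across processes (the SPU's actual hash function is not documented here)."""
    servers = sorted(REAL_SERVERS)
    return servers[zlib.crc32(pkt.src_ip.encode()) % len(servers)]


class DnatBalancer:
    """DNAT mode: the request's destination IP is translated from the VIP to
    a real server IP, and the response's source IP is translated back to the
    VIP. Both directions pass through the balancer, so it keeps a session
    table keyed on the client address."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, int], str] = {}

    def request(self, pkt: Packet) -> Packet:
        server = self.sessions.setdefault((pkt.src_ip, pkt.src_port), pick_server(pkt))
        # Destination IP becomes the real server; the packet is then routed
        # to it (here the server is the next hop, so its MAC is used).
        return replace(pkt, dst_ip=server, dst_mac=REAL_SERVERS[server])

    def response(self, pkt: Packet) -> Packet:
        # The response arrives from the real server addressed to the client.
        owner = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if owner != pkt.src_ip:
            raise LookupError("response does not match a known session")
        return replace(pkt, src_ip=VIP)


class DmacBalancer:
    """DMAC mode: only the destination MAC is rewritten; the destination IP
    stays the VIP. There is no response() method because server replies
    reach the client without traversing the balancer."""

    def request(self, pkt: Packet) -> Packet:
        server = pick_server(pkt)
        return replace(pkt, dst_mac=REAL_SERVERS[server])


def server_accepts(pkt: Packet, server_ip: str, extra_local_ips: Tuple[str, ...] = ()) -> bool:
    """A host delivers a packet to the application only if the destination IP
    is one of its own addresses. In DMAC mode the destination IP is still the
    VIP, so each real server must also own the VIP locally. This is general
    host behaviour assumed here, not a statement from this guide."""
    return pkt.dst_ip in {server_ip, *extra_local_ips}
```

In DNAT mode the balancer is a stateful middlebox for the whole session, so a reply that matches no session entry is rejected rather than translated. In DMAC mode the balancer never sees replies, and the real servers must own the VIP without answering ARP for it on the shared segment (typically by placing it on a loopback interface); that is a general requirement of this kind of direct return, not something this guide configures.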

The server load balancing supported by the SPU has the following characteristics:

l Load balancing algorithm

It supports the WRR algorithm, least connection algorithm, hash algorithm based on the IP address, and hash algorithm based on the URL in HTTP packets.

l Server health detection

You can configure different probes on the load balancing device to detect the health status of servers according to different services. Currently, the SPU supports ICMP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and HTTP probes.

l Forwarding mode

In server load balancing, the SPU supports DNAT and DMAC modes.

l Session stickiness

Session stickiness indicates that multiple connections of an application layer session are directed to the same server.


Server load balancing supported by the SPU can identify users and send the same type of requests from a user to one server for processing. This meets the requirement, common in e-commerce, that the multiple connections of a user's session be processed by the same server.

l Active/Standby switchover between servers

When the selected server is Down, the SPU can switch user requests to an available backup server so that the request packets are still forwarded. This ensures high reliability of services. The SPU provides the following functions of active/standby switchover between servers:

– When the master server is unavailable, the SPU randomly selects an available backup server from multiple backup servers.

– If all the backup servers are unavailable, the SPU sends user requests to another master server.

– Users are unaware of the active/standby switchover between servers.

l Active/Standby switchover between server groups

The SPU supports the active/standby switchover between servers and between server groups.

If the threshold for the master server group to remain active and the threshold for switching services from the master server group to the backup server group are set, the SPU switches user requests to the backup server group when the percentage of active servers in the master server group is smaller than or equal to the threshold for the master server group to remain active and active servers are available in the backup server group. When the percentage of active servers in the original master server group becomes greater than the threshold for switching services from the master server group to the backup server group, the master server group is recovered and provides services again.

If these two thresholds are not specified, the SPU still switches user requests between server groups: if all the servers in the master server group are faulty, the SPU automatically switches user requests to a backup server group, and when a server in the master server group becomes active again, the SPU switches user requests back to the master server group.

l Server protection

The SPU protects servers by limiting the number of connections, the connection rate, and the inbound/outbound bandwidth of servers or server instances.
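The two switchover items above describe three rules: a random backup for a Down master server, another master server when no backup is left, and a group-level switch with hysteresis between two thresholds (or, with no thresholds, an all-down trigger). The following Python model is an added example and not SPU code; the group names, server names and threshold values are constructed, and the active percentage is computed over all servers in the group because the guide does not say which servers count.

```python
import random
from typing import List, Optional, Sequence


class ServerGroup:
    """A load balancing group with master servers and backup servers. Server
    names and group layouts are constructed for this example."""

    def __init__(self, name: str, masters: Sequence[str], backups: Sequence[str] = ()) -> None:
        self.name = name
        self.masters = list(masters)
        self.backups = list(backups)
        self.down = set()          # names of servers a probe has marked Down

    def active(self, servers: Sequence[str]) -> List[str]:
        return [s for s in servers if s not in self.down]

    def active_percent(self) -> float:
        """Percentage of active servers among all servers in the group."""
        total = self.masters + self.backups
        return 100.0 * len(self.active(total)) / len(total) if total else 0.0

    def select(self, chosen: str, rng=random) -> Optional[str]:
        """Active/standby switchover between servers: if the server picked by
        the algorithm is Down, take a random available backup; if no backup is
        available, fall back to another active master; None if nothing is up."""
        if chosen not in self.down:
            return chosen
        backups = self.active(self.backups)
        if backups:
            return rng.choice(backups)
        others = [m for m in self.active(self.masters) if m != chosen]
        return others[0] if others else None


class GroupSwitch:
    """Active/standby switchover between a master group and a backup group.
    remain_threshold: the master group keeps serving while its active
    percentage is above this value. recover_threshold: the master group is
    recovered once its active percentage exceeds this value. With neither
    threshold set, the switch happens only when the master group is entirely
    down and reverts as soon as any master-group server is active again."""

    def __init__(self, master: ServerGroup, backup: ServerGroup,
                 remain_threshold: Optional[float] = None,
                 recover_threshold: Optional[float] = None) -> None:
        self.master, self.backup = master, backup
        self.remain, self.recover = remain_threshold, recover_threshold
        self.serving = master

    def evaluate(self) -> ServerGroup:
        """Re-evaluate after a probe result changed; returns the serving group."""
        pct = self.master.active_percent()
        backup_ok = bool(self.backup.active(self.backup.masters + self.backup.backups))
        if self.remain is None or self.recover is None:
            if pct == 0 and backup_ok:
                self.serving = self.backup
            elif pct > 0:
                self.serving = self.master
        elif self.serving is self.master:
            if pct <= self.remain and backup_ok:
                self.serving = self.backup
        elif pct > self.recover:
            self.serving = self.master
        return self.serving
```

The gap between the two thresholds is what prevents the group from flapping when a single server goes up and down repeatedly: with remain 50 and recover 75 on a four-server group, losing two servers moves traffic to the backup group, and one of them coming back (75 %) is not enough to move it back.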

Firewall Load Balancing

As the guard of the network, the firewall is very important for the network. However, it has the following problem: a firewall needs to check each packet carefully, so its forwarding performance is low and it becomes the bottleneck of the network. Replacing the existing devices to improve forwarding performance wastes resources, and as the service volume grows the devices need to be replaced frequently, at high cost.

The firewall load balancing technology treats firewalls as servers and creates a firewall group. It then properly allocates network traffic to the firewalls in the firewall group by using the dynamic load balancing algorithm. This reduces the burden on a single firewall and improves the reliability of the firewall.

Compared with server load balancing, firewall load balancing applies to bidirectional traffic: it must ensure that both directions of a session pass through the same firewall. Otherwise a firewall that keeps session state sees only one direction of the session and drops the packets.

Figure 7-4 shows the typical networking of firewall load balancing.


Figure 7-4 Typical networking of firewall load balancing (figure: Host A, Switch A, Firewall A and Firewall B in parallel, Switch B, Host B, with an IP network on each side)

As shown in Figure 7-4, Switch A and Switch B function as load balancing devices and are responsible for allocating the traffic of user requests to multiple firewalls. Load balancing devices are classified into level-1 and level-2 load balancing devices. The level-1 load balancing device distributes traffic over the firewalls, and the level-2 load balancing device ensures that the inbound and outbound traffic of a session traverses the same firewall. In Figure 7-4, if traffic is sent from Host A to Host B, Switch A is the level-1 load balancing device and Switch B is the level-2 load balancing device; if traffic is sent from Host B to Host A, Switch B is the level-1 load balancing device and Switch A is the level-2 load balancing device. The firewall load balancing process is as follows:

1. Host A sends a request to Host B.

2. After receiving the request packet of Host A, Switch A selects a firewall (assume that Firewall A is used) according to the load balancing algorithm and forwards the request packet to Firewall A.

3. Firewall A forwards the request packet to Switch B.

4. As the level-2 load balancing device, Switch B records the firewall that forwarded the request packet and forwards the request packet to the destination (Host B in Figure 7-4).

5. After receiving the response packet of Host B, Switch B forwards the response packet to Firewall A according to the record.

6. Firewall A forwards the response packet to Switch A, and Switch A returns the response packet to Host A.
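Steps 2, 4 and 5 above are the whole point of firewall load balancing: the level-2 device must remember which firewall carried the request, otherwise the reply can be hashed onto the other firewall, which holds no session state for it and drops it. The following Python model is added here for illustration and is not S9300 code; the firewall names, the 5-tuple flow key, the use of an IP hash at level 1 and the record table are constructed assumptions.

```python
import zlib
from typing import Dict, Optional, Tuple

# Constructed firewall group; the level-1 device hashes flows over it.
FIREWALLS = ("FirewallA", "FirewallB")

FlowKey = Tuple[str, str, str, int, int]   # (src_ip, dst_ip, proto, sport, dport)


def reverse(key: FlowKey) -> FlowKey:
    """The 5-tuple of the response direction of a flow."""
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


class LbSwitch:
    """Each switch is the level-1 device for traffic entering from its host
    side and the level-2 device for traffic arriving from a firewall."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: Dict[FlowKey, str] = {}

    def level1_select(self, key: FlowKey) -> str:
        """Level 1: choose a firewall for a new flow (IP hash assumed here) and
        pin the flow to it so later packets of the flow take the same path."""
        fw = self.records.get(key)
        if fw is None:
            fw = FIREWALLS[zlib.crc32(repr(key).encode()) % len(FIREWALLS)]
            self.records[key] = fw
        return fw

    def level2_record(self, key: FlowKey, firewall: str) -> None:
        """Level 2: record which firewall carried the request, indexed by the
        reverse key, so the response is forwarded back through it."""
        self.records[reverse(key)] = firewall

    def forward_response(self, key: FlowKey) -> Optional[str]:
        """Level 2 on the response: look the flow up. None means there is no
        record and the device would have to choose a firewall on its own."""
        return self.records.get(key)


def session(level1: LbSwitch, level2: LbSwitch, key: FlowKey) -> Tuple[str, Optional[str]]:
    """Steps 2 to 5 of the process above for one request/response pair:
    returns the firewall used for the request and for the response."""
    fw_req = level1.level1_select(key)               # step 2
    level2.level2_record(key, fw_req)                # step 4
    fw_resp = level2.forward_response(reverse(key))  # step 5
    return fw_req, fw_resp


def find_asymmetric_flow(ports=range(1024, 1124)) -> Optional[FlowKey]:
    """Shows why the level-2 record exists: if each switch hashed the packets
    it sees independently, the reversed 5-tuple of the response can hash to a
    different firewall than the request did. Returns such a flow, if any."""
    for sport in ports:
        key = ("192.0.2.10", "198.51.100.20", "tcp", sport, 443)
        if LbSwitch("x").level1_select(key) != LbSwitch("y").level1_select(reverse(key)):
            return key
    return None
```

The same table serves both roles: a record written at level 2 is found again when the same switch later acts as level 1 for the reverse direction, which is what keeps a session started from Host B on the same firewall as one started from Host A.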

According to the networking mode, firewalls are classified into standard firewalls and transparent firewalls.

l Each standard firewall, which is similar to a server, has an IP address. A standard firewall can be detected by other devices on the network, as shown in Figure 7-5.


Figure 7-5 Networking of standard firewall load balancing (figure: Host A, Switch A, Firewall A and Firewall B, Switch B, Host B, with an IP network on each side; the addresses shown are VIP, 10.10.10.1, 10.10.10.2, 10.10.11.1, and 10.10.11.2)

l Transparent firewalls have no IP addresses and cannot be detected by other devices on the network. They are connected to the level-1 and level-2 load balancing devices, as shown in Figure 7-6.

Figure 7-6 Networking of transparent firewall load balancing (figure: Host A, Switch A, Firewall A and Firewall B, Switch B, Host B, with an IP network on each side; the addresses shown are VIP, 10.10.10.1, 10.10.20.1, 10.10.11.1, and 10.10.21.1)

In actual applications, firewall load balancing is used together with server load balancing. Figure 7-7 shows the typical networking.

Figure 7-7 Networking for combining firewall load balancing and server load balancing (figure: Host A reaches Switch A across the IP network; Switch A balances over Firewall A and Firewall B to Switch B, which presents the VIP and balances over Server A, Server B, and Server C at IPA, IPB, and IPC)


The process of combined load balancing is the combination of firewall load balancing and server load balancing. Combined load balancing prevents the firewalls from becoming the bottleneck of the network and improves the performance and availability of network services such as HTTP.

7.3 Configuring Egress Link Load Balancing

On a network where multiple ISP egresses exist, you can configure egress link load balancing so that links are selected dynamically and the reliability of services is improved.

7.3.1 Establishing the Configuration Task

Before configuring egress link load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

7.3.2 (Optional) Configuring a NAT Address Pool

To ensure that response packets still pass through the SPU when user requests are sent over links of different ISPs, configure a NAT address pool for translating source addresses through NAT.

7.3.3 (Optional) Configuring Link Health Detection

In egress link load balancing, the SPU needs to detect the link status so that it can determine whether to use the link when making load balancing decisions.

7.3.4 Configuring a Link

This section describes how to create a link and set link parameters, including the IP address of the gateway corresponding to the link, connection quantity limit, bandwidth limit, bandwidth threshold, weight, and priority.

7.3.5 Configuring a Link Group

This section describes how to create a link group to bind links and set parameters of the link group, including the probe, load balancing algorithm, and packet forwarding mode.

7.3.6 Configuring a Layer 7 Classifier

This section describes how to create a Layer 7 classifier and configure a matching rule.

7.3.7 Configuring a Load Balancing Action

This section describes how to create a load balancing action profile and specify an action.

7.3.8 Configuring an ACL

This section describes how to configure an ACL to identify the traffic of various services.

7.3.9 (Optional) Configuring a Connection Parameter Profile

This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

7.3.10 Configuring a Layer 3 Classifier

This section describes how to create a Layer 3 classifier and configure a matching rule.

7.3.11 Configuring a Load Balancing Policy

This section describes how to create a load balancing policy and bind the Layer 3 classifier to the load balancing policy.

7.3.12 Applying the Load Balancing Policy

A load balancing policy takes effect only after being applied.


7.3.13 Checking the Configuration

After egress link load balancing is configured successfully, check whether the configurations are correct and valid.

7.3.1 Establishing the Configuration Task

Before configuring egress link load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

On a network where an enterprise leases two or more ISP egresses through which enterprise users access the public network from the private network, you can configure egress link load balancing. When an enterprise user accesses the external network, the SPU selects a link according to the priorities, weights, or bandwidths of the egress links. In this manner, the egress links are used properly, the reliability risk caused by egress faults is reduced, and network access problems caused by insufficient bandwidth are solved.

Pre-configuration Tasks

Before configuring egress link load balancing, complete the following tasks:

l Setting link layer parameters for the interfaces and ensuring that the link layer protocol on the interfaces is Up

l Setting network layer parameters for the interfaces and ensuring that routes between the devices are available

l Completing the tasks in 2 SPU Pre-Configuration

Data Preparation

To configure egress link load balancing, you need the following data.

No. Data

1 (Optional) NAT address pool index and network segment

2 Name, type, and related parameters of the probe

3 Name and related parameters of the link, including the description (optional), ISP gateway IP address, priority (optional), weight (optional), and bandwidth (optional)

4 Name and parameters of the link group, including the description, load balancing algorithm, forwarding mode, action performed when a member fails, threshold for switching services from the master server group to the backup server group, probe bound to the group, members, and NAT address pool index of each member instance

5 Parameters of the Layer 7 classifier, including the classifier name and matching rule

6 Name and parameters of the load balancing action profile, including the descriptionand action

7 Parameters of the advanced ACL, including the ACL number, and matching rule


8 Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier

9 (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table

10 Parameters of the load balancing policy, including the load balancing policy name and the Layer 3 classifier bound to the load balancing policy

11 Object where the load balancing policy is applied (type and number of an interface)

7.3.2 (Optional) Configuring a NAT Address Pool

To ensure that response packets still pass through the SPU when user requests are sent over links of different ISPs, configure a NAT address pool that is used to translate source addresses through NAT.

Context

The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat address-group group-index start-address end-address

A NAT address pool is configured.

Up to 1024 NAT address pools can be configured.

By default, no NAT address pool is configured.

The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.

l If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool.

l After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address to be assigned to the outbound interface is the same as an IP address in the NAT address pool, the system displays a message that the IP address cannot be set.

----End


7.3.3 (Optional) Configuring Link Health Detection

In egress link load balancing, the SPU needs to detect the link status so that it can determine whether to use the link when making load balancing decisions.

Context

In egress link load balancing, the SPU detects the link status through an ICMP probe. The ICMP probe sends ICMP Echo Request packets to the ISP gateway at the probing interval.

When a link group is bound to only one probe, the health status of a link member is determined according to the following principles:

l If the link member is in the Down state, the probe sends probing packets at the interval specified by fail-interval interval.

– If the probe receives response packets from the ISP gateway within the timeout interval for the consecutive number of times specified by fail-retrycount times, it marks the link member as Up.

– Otherwise, the link member remains in the Down state.

l If the link member is in the Up state, the probe sends probing packets at the interval specified by interval interval.

– If the probe does not receive response packets from the ISP gateway within the timeout interval for the consecutive number of times specified by retry-count times, it marks the link member as Down.

– Otherwise, the link member remains in the Up state.

When a link group is bound to multiple probes, the health status of a link member is determined according to the following principles:

l When the probe mode is fail-on-all, the link member is considered Down only when all the probes bound to the link group detect that the link member is Down.

l When the probe mode is fail-on-one, the link member is considered Down as soon as any probe bound to the link group detects that the link member is Down.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance ip interface interface-type interface-number

The IP address of the specified interface is obtained and used as the source IP address of the probing packets sent by a probe.

The interface can be an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface.

NOTE

l When running the load-balance ip interface command, you can specify an interface only if the XGE sub-interface, loopback interface, or Eth-Trunk sub-interface has been created.

l A probe does not send probing packets if the specified interface is not configured with an IP address.


Step 3 Run:
load-balance probe probe-name icmp

An ICMP probe is created and the ICMP probe view is displayed.

When creating a probe, you must specify the probe type. When entering the view of an existing probe, you can omit the probe type.

Up to 1024 probes can be created.

By default, an ICMP probe is not configured.

Step 4 (Optional) Run:
description description

The description of a probe is configured.

By default, no description is configured for a probe.

Step 5 (Optional) Run:
interval interval

The probing interval of a probe is set.

The probing interval is the interval at which probing packets are sent to detect the health status of a link. The probing interval must be greater than the timeout interval of the probe.

By default, the probing interval of a probe is 15s.

Step 6 (Optional) Run:
time-out time-out

The timeout interval of a probe is set.

The timeout interval must be smaller than both the probing interval of the probe and the interval at which the probe sends probing packets while a link member is Down (fail-interval).

By default, the timeout interval of a probe is 10s.

Step 7 (Optional) Run:
retry-count times

The retry count of a probe when a link member is in the Up state is set.

By default, the retry count of a probe when a link member is in the Up state is 3.

Step 8 (Optional) Run:
fail-interval interval

The interval at which a probe sends probing packets while a link member is Down is set.

After the link becomes invalid, the SPU sends probing packets at this interval to detect link recovery. This interval must be greater than the timeout interval of the probe.

By default, this interval is 60s.

Step 9 (Optional) Run:
fail-retrycount times

The retry count for a probe to detect link recovery is set.


By default, the retry count for a probe to detect link recovery is 3.

----End
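The state machine described under Context and the timer commands of Steps 5 to 9 fit together as follows. The Python simulation below is an added example, not SPU code: it uses this section's defaults (interval 15s, time-out 10s, retry-count 3, fail-interval 60s, fail-retrycount 3), checks the two ordering rules, derives how long a dead gateway stays Up and how long a recovered one stays Down, drives the Up/Down logic over a constructed reply trace, and applies the fail-on-one and fail-on-all combination described for multiple probes. The reply trace, the function names, and the convention of stamping a transition with the send time of the deciding probe are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class IcmpProbe:
    """Timer parameters of an ICMP probe, in seconds, with the defaults this
    section gives. The field names mirror the command keywords."""
    interval: int = 15
    time_out: int = 10
    retry_count: int = 3
    fail_interval: int = 60
    fail_retrycount: int = 3

    def validate(self) -> List[str]:
        """The two ordering rules stated in Steps 5, 6 and 8."""
        problems = []
        if self.interval <= self.time_out:
            problems.append("interval must be greater than time-out")
        if self.fail_interval <= self.time_out:
            problems.append("fail-interval must be greater than time-out")
        return problems

    def worst_case_down_detection(self) -> int:
        """Seconds between a gateway going silent (just after a reply) and the
        link being marked Down: retry-count unanswered probes, the last of
        which expires one time-out after it was sent."""
        return self.retry_count * self.interval + self.time_out

    def worst_case_recovery(self) -> int:
        """Seconds from the gateway answering again (just after a missed
        fail-interval probe) until the link is marked Up."""
        return self.fail_retrycount * self.fail_interval


def simulate(probe: IcmpProbe, answered: Callable[[int], bool],
             horizon: int, start_up: bool = True) -> Tuple[List[Tuple[int, str]], bool]:
    """Drive the Up/Down state machine over a constructed reply trace.
    answered(t) tells whether the Echo Request sent at time t got a reply
    within time-out. Returns the (send time, new state) transitions and the
    final state. Up: probes every `interval`, `retry_count` consecutive
    misses -> Down. Down: probes every `fail_interval`, `fail_retrycount`
    consecutive replies -> Up."""
    up, streak, t = start_up, 0, 0
    transitions: List[Tuple[int, str]] = []
    while t <= horizon:
        ok = answered(t)
        if up:
            streak = 0 if ok else streak + 1
            if streak >= probe.retry_count:
                up, streak = False, 0
                transitions.append((t, "Down"))
        else:
            streak = streak + 1 if ok else 0
            if streak >= probe.fail_retrycount:
                up, streak = True, 0
                transitions.append((t, "Up"))
        t += probe.interval if up else probe.fail_interval
    return transitions, up


def member_is_down(results: Dict[str, bool], probe_mode: str) -> bool:
    """Combine several probes bound to one group. results maps a probe name
    to 'this probe sees the member Down'."""
    if probe_mode == "fail-on-one":
        return any(results.values())
    if probe_mode == "fail-on-all":
        return all(results.values())
    raise ValueError(f"unknown probe mode {probe_mode!r}")
```

With the defaults, traffic keeps being steered to a dead gateway for up to 55 seconds, and a recovered link stays idle for up to three minutes; shortening the timers trades that for more probe traffic and more sensitivity to a gateway that rate-limits ICMP replies.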

7.3.4 Configuring a Link

This section describes how to create a link and set link parameters, including the IP address of the gateway corresponding to the link, connection quantity limit, bandwidth limit, bandwidth threshold, weight, and priority.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance member member-name

A link is created and the load balancing member view is displayed.

Up to 1024 links can be created.

By default, no link is configured.

Step 3 (Optional) Run:
description text

The description of a link is configured.

By default, no description is configured for a link.

Step 4 Run:
ip address ip-address

The IP address of the gateway corresponding to the link is set.

By default, the IP address of the gateway corresponding to the link is not set.

Step 5 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for accepting new traffic, and connection rate limit of the link are set.

After selecting a link through the load balancing algorithm, the system compares the used bandwidth and the connection rate with the bandwidth limit and connection rate limit. If the bandwidth limit or connection rate limit is reached, the system does not select the link.

By default, the connection rate of a link is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.

Step 6 (Optional) Run:
priority level

The priority of the link is set.

A greater value of level represents a higher priority of the link, so the link is selected with a greater probability.


By default, the priority of a link is 8.

Step 7 (Optional) Run:

weight weight-value

The weight of the link is set.

By default, the weight of a link is 8.

----End

7.3.5 Configuring a Link Group

This section describes how to create a link group to bind links and set parameters of the link group, including the probe, load balancing algorithm, and packet forwarding mode.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance group group-name

A link group is created and the link group view is displayed.

Up to 1024 load balancing groups can be created, including link groups, server groups, and firewall groups.

By default, no link group is configured.

Step 3 Run:

probe probe-name

A probe of the link group is configured.

By default, a link group is not configured with any probe.

Before using this command, you must run the load-balance probe probe-name [ icmp | tcp | udp | http ] command to create a probe.

Step 4 Run:

probe-mode { fail-on-all | fail-on-one }

The probe mode is set.

By default, the probe mode is fail-on-one. In fail-on-one mode, the S9300 considers a link to be invalid when a probe detects that the link is in Down state.

If the probe mode is set to fail-on-all, the S9300 considers a link to be invalid only when all the probes detect that the link is in Down state.

Step 5 Run:

forward-mode redirect

The packet forwarding mode is set to redirection.

In egress link load balancing, the packet forwarding mode must be set to redirection. In redirection mode, the SPU forwards internal enterprise user traffic through the device egress corresponding to the link gateway.


Step 6 (Optional) Run:

load-balance method { { hash address { destination | source | both } [ netmask ] } | { hash url [ begin-pattern expression1 ] [ end-pattern expression2 ] } | leastconns | roundrobin }

The load balancing algorithm is set.

NOTE

In egress link load balancing, only the WRR algorithm, the least connection algorithm, and the hash algorithm based on the IP address are supported.

By default, the SPU adopts the WRR algorithm.

Step 7 Run:

member member-name

A link is added to the link group and the link instance view is displayed.

Step 8 (Optional) Run:

member port port-number

The port number of a load balancing member instance is configured.

By default, the port number of a load balancing member instance is not configured.

When the load balancing member instance is in inservice or inservice standby state, you cannot configure the port number.

Step 9 (Optional) Run:

rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the link instance are set.

When the values of the bandwidth limit, connection rate limit, or bandwidth threshold of a link instance and a link are set simultaneously, both the values of the link instance and the link take effect. For example, the bandwidth limit of a link is 200 kbit/s and link instance A and link instance B are configured on the link. The bandwidth limit of link instance A is 200 kbit/s and the bandwidth limit of link instance B is 100 kbit/s. When selecting a link, the S9300 needs to consider the bandwidth limit of the link instance and link. That is, the total bandwidth of link instance A and link instance B cannot exceed the bandwidth of the link.

By default, the connection rate of a link instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.

Step 10 (Optional) Run:

priority level

The priority of the link instance is set.

When the priorities of a link instance and a link are set simultaneously, the priority of the link instance takes effect.

If the priority of the link instance is not set, the SPU uses the priority of the link. If the priority of the link is not set, the SPU adopts the default value.

NOTE

The link priority is only valid for the WRR algorithm and the least connection algorithm.


By default, the priority of a link instance is 8.

Step 11 (Optional) Run:

weight weight-value

The weight of the link instance is set.

When the weights of a link instance and a link are set simultaneously, the weight of the link instance takes effect.

If the weight of the link instance is not set, the SPU uses the weight of the link. If the weight of the link is not set, the SPU adopts the default value.

NOTE

The weight is only valid for the WRR algorithm and the least connection algorithm.

By default, the weight of a link instance is 8.

Step 12 (Optional) Run:

nat outbound address-group group-index [ no-pat ]

An NAT address pool is configured in the link instance for translating source IP addresses through NAT.

no-pat indicates that PAT is not performed. That is, only the IP address of packets is translated through NAT. The port number, however, is not translated.

When NAT for translating source IP addresses is enabled simultaneously in a link instance and a Layer 3 classifier, NAT for translating source IP addresses enabled in the link instance takes effect.

By default, NAT for translating source IP addresses in a link instance is disabled.

Step 13 Run:

inservice

The link is enabled.

----End
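The link-selection rules spelled out in 7.3.4 and 7.3.5 (instance priority and weight override the link's, both the instance's and the link's bandwidth limits apply, WRR among the highest-priority links) are modelled below. This is an added example and not Huawei code: the gateway addresses are placeholders, the connection limit is modelled as an active-connection count, and the WRR variant (smooth weighted round robin) is an assumption, since the guide does not specify the scheduler's internals.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRIORITY = 8
DEFAULT_WEIGHT = 8
DEFAULT_BANDWIDTH_KBPS = 1_000_000
DEFAULT_THRESHOLD_PCT = 100


@dataclass
class Link:
    """A 'load-balance member' (7.3.4): one ISP gateway."""
    name: str
    gateway: str
    bandwidth_kbps: int = DEFAULT_BANDWIDTH_KBPS
    threshold_pct: int = DEFAULT_THRESHOLD_PCT
    conn_limit: Optional[int] = None  # modelled as an active-connection count (assumption)
    priority: Optional[int] = None
    weight: Optional[int] = None
    used_kbps: int = 0                # summed over every instance of this link
    conns: int = 0


@dataclass
class LinkInstance:
    """A 'member' inside a 'load-balance group' (7.3.5, steps 7 to 13)."""
    link: Link
    bandwidth_kbps: int = DEFAULT_BANDWIDTH_KBPS
    threshold_pct: int = DEFAULT_THRESHOLD_PCT
    conn_limit: Optional[int] = None
    priority: Optional[int] = None
    weight: Optional[int] = None
    inservice: bool = False           # step 13: 'inservice' enables the member
    used_kbps: int = 0
    conns: int = 0
    credit: int = 0                   # weighted round robin bookkeeping

    def effective_priority(self) -> int:
        # Step 10: instance value, else link value, else the default.
        for v in (self.priority, self.link.priority):
            if v is not None:
                return v
        return DEFAULT_PRIORITY

    def effective_weight(self) -> int:
        # Step 11: same precedence as the priority.
        for v in (self.weight, self.link.weight):
            if v is not None:
                return v
        return DEFAULT_WEIGHT

    def admits(self, flow_kbps: int) -> bool:
        """Step 9: the instance's limits and the link's limits both apply."""
        if not self.inservice:
            return False
        inst_cap = self.bandwidth_kbps * self.threshold_pct / 100
        link_cap = self.link.bandwidth_kbps * self.link.threshold_pct / 100
        if self.used_kbps + flow_kbps > inst_cap or self.link.used_kbps + flow_kbps > link_cap:
            return False
        if self.conn_limit is not None and self.conns >= self.conn_limit:
            return False
        if self.link.conn_limit is not None and self.link.conns >= self.link.conn_limit:
            return False
        return True


def select_link(group, flow_kbps: int) -> Optional[LinkInstance]:
    """WRR among the highest-priority admissible instances; None if none admits."""
    candidates = [m for m in group if m.admits(flow_kbps)]
    if not candidates:
        return None
    top = max(m.effective_priority() for m in candidates)
    candidates = [m for m in candidates if m.effective_priority() == top]
    # Smooth weighted round robin: every pick credits each candidate with its
    # weight, takes the richest, and charges that one the total weight.
    total = sum(m.effective_weight() for m in candidates)
    for m in candidates:
        m.credit += m.effective_weight()
    chosen = max(candidates, key=lambda m: m.credit)
    chosen.credit -= total
    # Charge the new flow to the instance and to the shared link.
    chosen.used_kbps += flow_kbps
    chosen.link.used_kbps += flow_kbps
    chosen.conns += 1
    chosen.link.conns += 1
    return chosen


def demo_bandwidth_example():
    """The case from 7.3.5 step 9: link limit 200 kbit/s, instance A 200 kbit/s,
    instance B 100 kbit/s, 50 kbit/s flows (the gateway address is a placeholder)."""
    link = Link("isp1", "192.0.2.1", bandwidth_kbps=200)
    a = LinkInstance(link, bandwidth_kbps=200, inservice=True)
    b = LinkInstance(link, bandwidth_kbps=100, inservice=True)
    picks = []
    for _ in range(6):
        m = select_link([a, b], 50)
        picks.append("A" if m is a else "B" if m is b else "none")
    return picks  # ['A', 'B', 'A', 'B', 'none', 'none']
```

The fifth flow is refused even though instance A still has 100 kbit/s of its own limit left, because the 200 kbit/s link limit is shared by both instances.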

7.3.6 Configuring a Layer 7 Classifier

This section describes how to create a Layer 7 classifier and configure a matching rule.

Context

On the SPU, Layer 7 classification indicates that packets are classified based on URLs of Layer 7 services. In egress link load balancing, the matching rule of a Layer 7 classifier must be set to any.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance l7classifier l7classifier-name [ and | or ]


A Layer 7 classifier is created and the Layer 7 classifier view is displayed.

By default, no Layer 7 classifier is configured.

When you create a Layer 7 classifier, if neither and nor or is specified, the default matching mode is and.

In egress link load balancing, the matching rule of a Layer 7 classifier can be set only to match any. Therefore, any packet is matched regardless of whether the matching mode is and or or.

NOTE

When you enter the Layer 7 classifier view, you can specify and or or. The specified matching mode must be the same as the one used when the Layer 7 classifier is created.

Step 3 (Optional) Run:

match any

The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched.

After the matching rule is set to any, the load-balanced traffic is processed at Layer 3 and Layer 4. In this case, load balancing algorithms for Layer 7 services, including the hash algorithm based on the URL, cannot be configured.

By default, the matching rule of a Layer 7 classifier is any.

----End

7.3.7 Configuring a Load Balancing Action

This section describes how to create a load balancing action profile and specify an action.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance action action-name

A load balancing action profile is created and the load balancing action profile view is displayed.

Step 3 Run one of the following commands as required.

- Run:
  drop
  The action is set to drop.

- Run:
  forward
  The action is set to forward.

- Run:
  group master-group-name [ backup backup-group-name ]
  The action is set to load balance.

- Run:
  stickygroup stickygroup-name
  The action is set to the sticky operation.

By default, the action is forward.

----End

7.3.8 Configuring an ACL

This section describes how to configure an ACL to identify the traffic of various services.

Context

In egress link load balancing, the SPU can use only the source IP address, destination IP address, protocol type, source port number, and destination port number to define ACL rules.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

acl [ number ] [ match-order { config | auto } ]

An ACL is created and the ACL view is displayed.

In egress link load balancing, the value of number ranges from 3000 to 3999. That is, advanced ACLs are used.

A Layer 3 classifier can be bound to only one ACL. If the ACL is configured repeatedly, the latest ACL takes effect.

By default, no ACL is created.

Step 3 (Optional) Run:

step step-value

The step between ACL rule IDs is set.

By default, the step between ACL rule IDs is 5.

Step 4 Run the following command as required:

- When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
  – rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
  – undo rule rule-id

- When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:
  – rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *
  – undo rule rule-id

- When the parameter protocol is specified as another protocol rather than TCP, UDP, or ICMP, the command format is as follows:
  – rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
  – undo rule rule-id

By default, no rule is defined in an ACL.

----End

7.3.9 (Optional) Configuring a Connection Parameter Profile

This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

Context

To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, you need to set the aging time so that TCP or UDP traffic forwarding entries that have been idle for a long time are periodically aged out.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance parameter connection profile-name

A connection parameter profile is created and the connection parameter profile view is displayed.

Up to 1024 connection parameter profiles can be created.

By default, no connection parameter profile is created.

Step 3 Run:

tcp aging-time aging-time

The aging time of the TCP traffic forwarding table is set.

By default, the aging time of the TCP traffic forwarding table is 3600s.

Step 4 Run:

udp aging-time aging-time

The aging time of the UDP traffic forwarding table is set.

By default, the aging time of the UDP traffic forwarding table is 120s.

----End


7.3.10 Configuring a Layer 3 Classifier

This section describes how to create a Layer 3 classifier and configure a matching rule.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance l3classifier l3classifier-name

A Layer 3 classifier is created and the Layer 3 classifier view is displayed.

By default, no Layer 3 classifier is created.

Step 3 Run:

if-match acl acl-number

An ACL is bound to the Layer 3 classifier.

A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run multiple times in the same Layer 3 classifier view, the latest configuration takes effect.

By default, no ACL is bound to a Layer 3 classifier.

Step 4 Run:

l7classifier l7classifier-name action action-name

The Layer 7 classifier and action are bound to the Layer 3 classifier.

The SPU first matches packets with the ACL in a Layer 3 classifier, and then matches packets with the rule in a Layer 7 classifier.

By default, a Layer 3 classifier is not bound to any Layer 7 classifier and action.

Step 5 (Optional) Run:

icmp-reply

The SPU is configured to respond to ping requests of users.

In egress link load balancing, if the SPU is required to respond to ping requests of users, you need to use the icmp-reply command.

NOTE

- If the SPU is required to respond to ping requests of users, ping request packets of users must match the ACL in the Layer 3 classifier.

- If the ACL in the Layer 3 classifier for matching the source and destination IP addresses is set to any, the SPU responds to any ping request of users. In this case, the ACL is invalid. Therefore, you need to configure the ACL in a Layer 3 classifier with caution.

By default, the SPU does not respond to ping requests of users.

Step 6 (Optional) Run:

parameter connection profile-name

A connection parameter profile is bound to the Layer 3 classifier.


A connection parameter profile can be bound to one or more Layer 3 classifiers.

By default, no connection parameter profile is bound to a Layer 3 classifier.

Step 7 (Optional) Run:

nat outbound address-group number [ no-pat ]

An NAT address pool is bound to the Layer 3 classifier.

no-pat indicates that PAT is not performed. That is, only the source IP address of packets is translated through NAT. The source port number, however, is not translated.

An NAT address pool takes effect only after being bound to a Layer 3 classifier or a link instance. If an NAT address pool is bound to both a Layer 3 classifier and a link instance, the NAT address pool bound to the link instance takes effect.

An NAT address pool can be bound to multiple Layer 3 classifiers, but the same processing mode must be used for all of them. That is, if an NAT address pool is bound to a Layer 3 classifier in no-pat mode, other Layer 3 classifiers must be bound to the NAT address pool in no-pat mode rather than in pat mode.

By default, no NAT address pool is bound to a Layer 3 classifier.

----End

7.3.11 Configuring a Load Balancing Policy

This section describes how to create a load balancing policy, and bind the Layer 3 classifier to the load balancing policy.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

load-balance policy policy-name

A load balancing policy is created and the load balancing policy view is displayed.

Up to 1024 load balancing policies can be created.

By default, no load balancing policy is configured.

Step 3 Run:

l3classifier l3classifier-name

A Layer 3 classifier is bound to the load balancing policy.

A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.

By default, no Layer 3 classifier is bound to a load balancing policy.

----End


7.3.12 Applying the Load Balancing Policy

A load balancing policy takes effect only after being applied.

Context

A load balancing policy can be applied only to XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number.subnumber

The sub-interface view is displayed.

Step 3 Run:

service load-balance policy policy-name

The load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.

After the load balancing policy is applied, the SPU takes the actions defined in the load balancing policy for the VLAN packets matching the Layer 3 classifier bound to the load balancing policy on the XGE sub-interface.

By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.

Step 4 (Optional) Run:

service load-balance arp-response nat address-group group-index

The NAT address pool is enabled to respond to ARP requests on the sub-interface.

By default, an NAT address pool is not enabled to respond to ARP requests on a sub-interface.

When the NAT address pool is used for source IP address translation, if the IP address of the outbound interface of the SPU is in the same network segment as any IP address of the NAT address pool, you need to run the service load-balance arp-response nat address-group group-index command on the outbound interface. If the service load-balance arp-response nat address-group group-index command is not used on the outbound sub-interface, the NAT address pool cannot be enabled to respond to ARP requests on the outbound sub-interface.

Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.

----End

7.3.13 Checking the Configuration

After egress link load balancing is configured successfully, check whether the configurations are correct and valid.


Procedure

- Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.

- Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.

- Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.

- Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.

- Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.

- Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.

- Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.

- Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.

- Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.

- Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.

----End

7.4 Configuring Server Load Balancing

In networking where multiple servers are deployed, such as a data center, you can configure server load balancing to load balance network services among multiple servers for processing. In this manner, the service processing capabilities of servers are improved.

7.4.1 Establishing the Configuration Task

Before configuring server load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

7.4.2 (Optional) Configuring an NAT Address Pool

To ensure that response packets still pass through the SPU when user requests pass through links of different ISPs, you need to configure an NAT address pool for translating source addresses through NAT.

7.4.3 (Optional) Configuring Server Health Detection

In server load balancing, the SPU needs to detect the health status of each server. Therefore, the SPU can determine whether to select a server when making load balancing decisions.

7.4.4 Configuring a Server

This section describes how to set the IP address and related parameters for each server on the SPU so that the SPU can communicate with each server.

7.4.5 Configuring a Server Group

This section describes how to create a server group and set related parameters. This makes configuration and management convenient.


7.4.6 (Optional) Configuring Session Stickiness

Session stickiness indicates that multiple connections of a session are directed to the same server in a specified period. In this case, the SPU does not make load balancing decisions.

7.4.7 Configuring a Layer 7 Classifier

This section describes how to create a Layer 7 classifier and configure a matching rule.

7.4.8 Configuring a Load Balancing Action

This section describes how to create a load balancing action profile and specify an action.

7.4.9 Configuring an ACL

This section describes how to configure an ACL to identify the traffic of various services.

7.4.10 (Optional) Configuring a Connection Parameter Profile

This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

7.4.11 (Optional) Configuring an HTTP Parameter Profile

This section describes how to configure an HTTP parameter profile and set related parameters for processing HTTP packets, including the maximum parsing length and the functions of per-packet rebalance.

7.4.12 Configuring a Layer 3 Classifier

This section describes how to create a Layer 3 classifier and configure a matching rule.

7.4.13 Configuring a Load Balancing Policy

This section describes how to create a load balancing policy, and bind the Layer 3 classifier to the load balancing policy.

7.4.14 Applying the Load Balancing Policy

A load balancing policy takes effect only after being applied.

7.4.15 Checking the Configuration

After egress link load balancing is configured successfully, check whether the configurations are correct and valid.

7.4.1 Establishing the Configuration Task

Before configuring server load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

In networking such as a data center, a server needs to process a large number of user requests. The processing capability of a single server is limited and is bound to become the bottleneck. By using server load balancing, you can properly distribute network services to multiple servers for processing. This reduces the burden on a single server, improves service processing capabilities, and ensures high reliability of services. To upgrade the network or improve server performance, you simply need to add servers to a server group, without changing the current network structure or stopping existing services.

Pre-configuration Tasks

Before configuring server load balancing, complete the following tasks:


- Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up

- Setting network layer parameters for the interfaces and ensuring that the routes between devices are available

- Performing the task in 2 SPU Pre-Configuration

Data Preparation

To configure server load balancing, you need the following data.

No.  Data

1    (Optional) NAT address pool index and network segment

2    (Optional) Name, type, and related parameters of the probe

3    Name and related parameters of the server, including the description, server IP address, weight, and bandwidth

4    Name and related parameters of the server group, including the description, load balancing algorithm, forwarding mode, action when the server group fails, threshold for switching the master server group to the backup server group, bound probe, member, member instance port number, and NAT address pool index

5    (Optional) Name and related parameters of the sticky group, including the description, aging time, and static sticky entries

6    Related parameters of the Layer 7 classifier, including the classifier name and matching rule

7    Name and related parameters of the load balancing action profile, including the description and action

8    Related parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule

9    Related parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier

10   (Optional) Name and related parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table

11   (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the functions of per-packet rebalance

12   Related parameters of the load balancing policy, including the load balancing policy name and bound Layer 3 classifier

13   Object that the load balancing profile is applied to

7.4.2 (Optional) Configuring an NAT Address Pool

To ensure that response packets still pass through the SPU when user requests pass through links of different ISPs, you need to configure an NAT address pool for translating source addresses through NAT.


Context

The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.

Procedure

Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

nat address-group group-index start-address end-address

An NAT address pool is configured.

Up to 1024 NAT address pools can be configured.

By default, no NAT address pool is configured.

The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.

- If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool.

- After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address that is to be assigned to the outbound interface is the same as an IP address in the NAT address pool, the system displays the information that the IP address cannot be set.

----End
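The two constraints on an NAT address pool, the outbound-interface conflict described in this section and the same-segment ARP condition from step 4 of 7.3.12 (a pool sharing the outbound sub-interface's segment must be enabled with service load-balance arp-response, at most eight pools per sub-interface), can be checked before the commands are entered. The following is an added example, not Huawei code; the address ranges in the test are constructed documentation addresses and the pool indexes are placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

MAX_ARP_RESPONSE_POOLS = 8   # per sub-interface, 7.3.12 step 4


def check_nat_pool(start: str, end: str, interface_ip: str, prefix_len: int) -> Dict[str, bool]:
    """Check one 'nat address-group start-address end-address' pool against the
    address of the outbound sub-interface (7.4.2 and 7.3.12 step 4)."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end-address precedes start-address")
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{prefix_len}")
    in_pool = first <= iface.ip <= last
    net = iface.network
    # The pool shares the interface's segment if the two address ranges overlap.
    same_segment = first <= net.broadcast_address and last >= net.network_address
    return {
        # 7.4.2: while the interface address lies inside the pool, neither a
        # classifier nor an instance can be bound to it (and vice versa).
        "bindable": not in_pool,
        # 7.3.12 step 4: on a shared segment the pool must be enabled to answer
        # ARP on the outbound sub-interface, otherwise its addresses are silent.
        "arp_response_required": same_segment and not in_pool,
    }


def plan_arp_response(pools: Dict[int, Tuple[str, str]], interface_ip: str,
                      prefix_len: int) -> List[int]:
    """Return the address-group indexes that need 'service load-balance
    arp-response nat address-group' on this sub-interface; refuse pools that
    conflict with the interface address or exceed the per-interface cap."""
    needed = []
    for index, (start, end) in sorted(pools.items()):
        result = check_nat_pool(start, end, interface_ip, prefix_len)
        if not result["bindable"]:
            raise ValueError(f"address-group {index}: {interface_ip} lies inside the pool")
        if result["arp_response_required"]:
            needed.append(index)
    if len(needed) > MAX_ARP_RESPONSE_POOLS:
        raise ValueError("more than 8 NAT address pools would answer ARP on one sub-interface")
    return needed
```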

7.4.3 (Optional) Configuring Server Health Detection

In server load balancing, the SPU needs to detect the health status of each server. Therefore, the SPU can determine whether to select a server when making load balancing decisions.

Context

When a server group is bound to only one probe, the health status of a server member is detected according to the following principles:

- If the server member is in Down state, the probe sends probing packets at intervals specified by fail-interval interval.

  – If the probe receives response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times in the timeout interval, it marks the server member as Up.

  – Otherwise, the server member remains in Down state.

- If the server member is in Up state, the probe sends probing packets at intervals specified by interval interval.


  – If the probe does not receive response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times in the timeout interval, it marks the server member as Down.

  – Otherwise, the server member remains in Up state.

When a server group is bound to multiple probes, the health status of a server member is detected according to the following principles:

- When the probe mode is fail-on-all, the server member is considered Down when all the probes bound to the server group detect that the server member is in Down state.

- When the probe mode is fail-on-one, the server member is considered Down when any probe bound to the server group detects that the server member is in Down state.

In server load balancing, the SPU supports ICMP, TCP, UDP, and HTTP probes.

- ICMP probe

An ICMP probe sends ICMP Echo request packets to a server in a server group.

If the SPU consecutively receives ICMP Reply packets of the server for the specified number of times in the specified period, it considers the probing to be successful and sets the server to Up. Otherwise, the SPU considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.

- TCP probe

A TCP probe initiates a request for establishing a TCP connection to an interface of a server in a server group.

If the SPU consecutively receives response packets of the server for the specified number of times in the specified period and the data carried in the response packets is the same as the expected response data, it considers the probing to be successful and sets the server to Up. If the SPU does not consecutively receive response packets of the server for the specified number of times in the specified time, or the data carried in the response packets is different from the expected response data, it considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.

- UDP probe

A UDP probe sends UDP request packets to an interface of a server in a server group.

If the SPU consecutively receives ICMP Host Unreachable or Port Unreachable packets of the server for the specified number of times in the specified time, it considers the probing to have failed and determines whether to set the server to Down according to the probe mode set on the server group. If the SPU consecutively receives response packets of the server for the specified number of times in the specified time and the data carried in the response packets is the same as the expected response data, it considers the probing to be successful and sets the server to Up.

- HTTP probe

An HTTP probe establishes a TCP connection with an HTTP interface of a server in a server group, and then sends HTTP requests.

If the SPU consecutively receives response packets of the server for the specified number of times and the return status code is the same as the expected response data, it sets the server to Up. If the SPU does not consecutively receive response packets of the server for the specified number of times in the specified time, or the return status code carried in the response packets is different from the expected response data, it considers the probing to have failed. Then the SPU determines whether to set the server to Down according to the probe mode set on the server group.

NOTE

When the probe mode is AND, the SPU sets a server to Down only if the probing of all probes fails. Whenthe probe mode is OR, the SPU sets a server to Down if the probing of a probe fails.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance ip interface interface-type interface-number

The IP address of a sub-interface is obtained and used as the source IP address of probing packets of a probe.

The interface type can be XGE sub-interface, loopback interface, or Eth-Trunk sub-interface.

NOTE

• When running the load-balance ip interface command, you can select the specified interface only if an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface is specified.

• A probe does not send probing packets if the specified interface is not configured with an IP address.

Step 3 Run: load-balance probe probe-name [ http | icmp | udp | tcp ]

A probe is created or the probe view is displayed.

When creating a probe, you must specify the probe type. When you enter the view of the created probe, you can choose not to specify the probe type.

Up to 1024 probes can be created, including ICMP probes, TCP probes, UDP probes, and HTTP probes.

By default, no probe is configured.

Step 4 (Optional) Run: description description

The description of the probe is configured.

By default, no description is configured for a probe.

Step 5 (Optional) Run: interval interval

The probing interval of a probe is set.

The probing interval of a probe indicates the interval for sending probing packets to detect the health status of a server. The probing interval of a probe must be greater than the timeout interval of a probe.

By default, the probing interval of a probe is 15s.

Step 6 (Optional) Run: time-out time-out


The timeout interval of a probe is set.

The timeout interval of a probe must be smaller than the probing interval of a probe and the interval for a probe to detect that a server member is Down.

NOTE

After a TCP connection is established, if packets of the TCP connection fail to be transmitted, the system uses the TCP retransmission mechanism. It is recommended that the timeout interval of TCP probes be greater than the timeout interval of TCP transmission. By default, the timeout interval of TCP transmission is 6s. If multiple probes are configured, it is recommended that the timeout interval of probes be greater than or equal to the default value.

By default, the timeout interval of a probe is 10s.

Step 7 (Optional) Run: retry-count times

The retry count of a probe is set when a server member is in Up state.

By default, the retry count of a probe is 3 when a server member is in Up state.

Step 8 (Optional) Run: fail-interval interval

The interval for a probe to detect that a server member is Down is set.

The interval for a probe to detect that a server member is Down must be greater than the timeout interval of a probe.

By default, the interval for a probe to detect that a server member is Down is 60s.

Step 9 (Optional) Run: fail-retrycount times

The retry count for a probe to detect server recovery is set.

By default, the retry count for a probe to detect server recovery is 3.

Step 10 (Optional) Run the following command as required.

• For a TCP probe or a UDP probe, do as follows:

– Run: send-data data

The sent data of a TCP probe or a UDP probe is set.

– Run: expect-data data

The expected response data of a TCP probe or a UDP probe is set.

A TCP probe or a UDP probe determines whether a server member works normally by comparing the sent data and the expected response data. If the response data from the server member is the same as the expected response data, it indicates that the server member works normally. If the server member does not respond or the response data is different from the expected response data, it indicates that the server member works abnormally.

By default, the sent data or the expected response data of a TCP probe or a UDP probe is not set.

• For an HTTP probe, do as follows:

– Run: request method { get | head } url url


The HTTP request method and the URL used by the HTTP probe are configured.

The difference between the GET method and the HEAD method is as follows: the entire page corresponding to the URL is obtained by using the GET method, whereas only the header of the page corresponding to the URL is obtained by using the HEAD method.

By default, the HTTP request method is GET and no URL is used.

– Run: user user-name [ password password ]

The user name and password of an HTTP request are set.

By default, the user name and password of an HTTP request are not set.

– Run: header { accept | accept-charset } header-value value

The Accept field or the Accept-Charset field in an HTTP request packet header is set.

By default, the SPU does not set the Accept field or the Accept-Charset field in an HTTP request packet header.

– Run: expect status-code min min-number max max-number

The range of the expected return status code is set.

By default, the expected return status code is 200.

Step 11 (Optional) Run: destination port port-number

The destination port number of a probe is configured.

By default, the destination port number of a probe is the port number of a load balancing member instance configured through the member port port-number command. If the port number of a load balancing member instance is not configured, the destination port number of a probe is the default port number. For example, TCP and HTTP probes use destination port 80 and UDP probes use destination port 53. ICMP probes have no destination port number.

If a TCP probe, a UDP probe, or an HTTP probe is bound to a load balancing group, the destination port number of the probe cannot be changed.

----End
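The following Python model is an added example for this guide, not Huawei code, and shows how the probe parameters above (interval, time-out, retry-count, fail-interval, fail-retrycount, expect-data, expect status-code) and the probe-mode of a server group fit together. The guide does not spell out the SPU's internal state machine, so the model assumes that a member in Up state is marked Down after retry-count consecutive failed probes, that a Down member is re-probed every fail-interval and marked Up after fail-retrycount consecutive successes, that a reply missing at time-out is a failure, and that a TCP or UDP probe without expect-data succeeds on any reply. The probe names, status codes and reply sequence are constructed.

```python
"""Probe evaluation modelled on the SPU probe parameters (added example, not Huawei code).

Assumed semantics, since the guide states the parameters but not the state machine:
  * Up member: probed every `interval` s, marked Down after `retry_count` failures in a row;
  * Down member: probed every `fail_interval` s, marked Up after `fail_retrycount` successes;
  * no reply before `timeout` counts as a failed probe;
  * a TCP/UDP probe with no expect-data treats any reply as success.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeConfig:
    name: str
    kind: str                                   # "icmp" | "tcp" | "udp" | "http"
    interval: int = 15                          # defaults as stated in the guide
    timeout: int = 10
    retry_count: int = 3
    fail_interval: int = 60
    fail_retrycount: int = 3
    expect_data: Optional[bytes] = None         # tcp/udp expect-data
    expect_status: Tuple[int, int] = (200, 200) # http expect status-code min/max

    def validate(self) -> List[str]:
        """Constraints the guide states between time-out, interval and fail-interval."""
        problems = []
        if not self.timeout < self.interval:
            problems.append("time-out must be smaller than interval")
        if not self.timeout < self.fail_interval:
            problems.append("time-out must be smaller than fail-interval")
        return problems

    def reply_ok(self, reply) -> bool:
        """Classify one reply; None means nothing arrived before time-out."""
        if reply is None:
            return False
        if self.kind == "icmp":
            return reply == "echo-reply"
        if self.kind == "udp" and reply in ("host-unreachable", "port-unreachable"):
            return False                        # ICMP unreachable: UDP probe failed
        if self.kind in ("tcp", "udp"):
            return self.expect_data is None or reply == self.expect_data
        if self.kind == "http":
            lo, hi = self.expect_status
            return lo <= int(reply) <= hi
        raise ValueError("unknown probe type: " + self.kind)


@dataclass
class MemberProbeState:
    """One probe's view of one server member."""
    cfg: ProbeConfig
    up: bool = True
    streak: int = 0                             # consecutive results towards a state change

    def next_probe_delay(self) -> int:
        return self.cfg.interval if self.up else self.cfg.fail_interval

    def record(self, reply) -> bool:
        """Feed one probe reply and return the member state after it."""
        ok = self.cfg.reply_ok(reply)
        if self.up:
            self.streak = 0 if ok else self.streak + 1
            if self.streak >= self.cfg.retry_count:
                self.up, self.streak = False, 0
        else:
            self.streak = self.streak + 1 if ok else 0
            if self.streak >= self.cfg.fail_retrycount:
                self.up, self.streak = True, 0
        return self.up


def member_is_down(states: List[MemberProbeState], probe_mode: str) -> bool:
    """Combine the probes bound to a server group according to probe-mode."""
    downs = [not s.up for s in states]
    if probe_mode == "fail-on-all":
        return all(downs)
    if probe_mode == "fail-on-one":
        return any(downs)
    raise ValueError("unknown probe-mode: " + probe_mode)


def demo() -> dict:
    """Constructed scenario: the web service answers 503 while ICMP still works."""
    web = MemberProbeState(ProbeConfig("web-check", "http", expect_status=(200, 399)))
    ping = MemberProbeState(ProbeConfig("ping-check", "icmp"))
    for code in ("200", "503", "503", "503"):   # retry-count (3) failures in a row
        web.record(code)
    ping.record("echo-reply")
    out = {"http_up": web.up,
           "down_fail_on_one": member_is_down([web, ping], "fail-on-one"),
           "down_fail_on_all": member_is_down([web, ping], "fail-on-all"),
           "recheck_delay": web.next_probe_delay()}
    for code in ("200", "200", "200"):          # fail-retrycount (3) successes in a row
        web.record(code)
    out["http_recovered"] = web.up
    return out


if __name__ == "__main__":
    print(demo())
```

The scenario makes the practical difference between the two probe modes visible: with fail-on-one the member is pulled out of rotation as soon as the HTTP probe fails, while with fail-on-all it stays in service until the ICMP probe fails too, which is why an ICMP-only probe is a weak health check for an application server.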

7.4.4 Configuring a Server

This section describes how to set the IP address and related parameters for each server on the SPU so that the SPU can communicate with each server.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance member member-name

A server is created and the load balancing member view is displayed.

Up to 1024 servers can be created.


By default, no server is configured.

Step 3 (Optional) Run: description text

The description of the server is configured.

By default, no description is configured for a server.

Step 4 Run: ip address ip-address

The IP address of the server is set.

By default, no IP address of a server is specified.

Step 5 (Optional) Run: conn-limit max limit

The maximum number of connections of the server is set.

When the number of connections of a server exceeds the set value, the SPU does not send user requests to the server for processing.

NOTE

The maximum number of connections can also be set in a server instance. If the maximum numbers of connections of both a server and a server instance are set, the SPU first checks whether the value reaches the maximum number of connections of the server instance. If yes, the SPU rejects new connections. Then the SPU compares the value with the maximum number of connections of the server. If that limit is reached, the SPU rejects new connections.

By default, the maximum number of connections of a server is 4000000.

Step 6 (Optional) Run: rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server are set.

After selecting a server through the load balancing algorithm, the SPU compares the current bandwidth and the number of connections with the bandwidth limit and connection rate limit. If the bandwidth limit or connection rate limit is reached, the SPU does not select the server.

By default, the connection rate of a server is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.

Step 7 (Optional) Run: priority level

The priority of the server is set.

A greater value represents a higher priority of the server, so that the server is more likely to be selected.

By default, the priority of a server is 8.

Step 8 (Optional) Run: weight weight-value

The weight of the server is set.


By default, the weight of a server is 8.

NOTE

If the priority and weight of a server instance are not set, the SPU uses the priority and weight of the server. If the priority and weight of the server are not set, the SPU adopts the default values.

----End

7.4.5 Configuring a Server Group

This section describes how to create a server group and set related parameters. This makes configuration and management convenient.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance group group-name

A server group is created and the server group view is displayed.

Up to 1024 load balancing groups can be created, including link groups, server groups, and firewall groups.

By default, no server group is configured.

Step 3 Run: probe probe-name

A probe of the server group is configured.

By default, no probe is configured for a server group.

Step 4 Run: probe-mode { fail-on-all | fail-on-one }

The probe mode is set.

By default, the probe mode is fail-on-one. In fail-on-all mode, a server member is considered as Down only when all the probes bound to the server group detect that the server member is in Down state.

When the probe mode is fail-on-one, the server member is considered as Down when a probe bound to the server group detects that the server member is in Down state.

Step 5 Run: failaction { purge | reassign }

The action performed when a server fails is set.

By default, no action is taken when a server fails.

If the action is set to purge, when the master server fails, the connections of the master server are removed and not switched to a backup server. If the action is set to reassign, when the master server fails, all the connections of the master server are switched to a backup server.

Step 6 Run: switch-threshold percent1 restore-threshold percent2

The threshold for switching services from the master server to the backup server is set.


percent1 specifies the threshold for the master server group to remain active and percent2 specifies the threshold for the backup server group to remain active. When the percentage of active servers in the master server group is smaller than or equal to the value of percent1, the SPU switches services to the backup server group. When the percentage of active servers in the master server group is greater than the value of percent2, the master server group is recovered and starts to provide services.

By default, the thresholds for the master and backup server groups to remain active are 0. In this case, if all the servers in the master server group are invalid, the SPU automatically switches services to the backup server group. If a server in the master server group becomes active, the SPU switches services back to the master server group.

Step 7 Run: forward-mode dnat

The packet forwarding mode is set to DNAT.

Or, run: forward-mode dmac

The packet forwarding mode is set to DMAC.

In server load balancing, the packet forwarding mode can be set to DNAT or DMAC. In DNAT mode, the SPU changes the destination IP address of packets to the IP address of a server before forwarding them. In DMAC mode, the SPU changes the destination MAC address of packets to the MAC address of a server before forwarding them. The destination IP address of the packets, however, remains unchanged.

Step 8 Run: load-balance method { { hash address { destination | source | both } [ netmask ] } | { hash url [ begin-pattern expression1 ] [ end-pattern expression2 ] } | leastconns | roundrobin }

The load balancing algorithm is set.

By default, the WRR algorithm is used for load balancing.

Step 9 Run: member member-name

A server is bound to the server group and the server instance view is displayed.

Step 10 (Optional) Run: rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server instance are set.

By default, the connection rate of a server instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.

When the bandwidth limit, connection rate limit, or bandwidth threshold of a server instance and of its server are set simultaneously, both the values of the server instance and of the server take effect. For example, the bandwidth limit of a server is 200 kbit/s, and server instance A and server instance B are configured on the server. The bandwidth limit of server instance A is 200 kbit/s and the bandwidth limit of server instance B is 100 kbit/s. When selecting a server instance, the S9300 needs to consider the bandwidth limits of both the server instance and the server. That is, the total bandwidth of server instance A and server instance B cannot exceed the bandwidth limit of the server.


Step 11 (Optional) Run: conn-limit max limit

The maximum number of connections of the server instance is set.

When the number of connections of a server instance exceeds the set value, the SPU does not send user requests to the server instance for processing.

NOTE

If the maximum numbers of connections of a server and a server instance are set, the SPU checks whether the value reaches the maximum number of connections of the server instance. If yes, the SPU rejects new connections. Then the SPU compares the value with the maximum number of connections of the server. If yes, the SPU rejects new connections.

By default, the maximum number of connections of a server instance is 4000000.

Step 12 (Optional) Run: priority level

The priority of the server instance is set.

When the priorities of a server instance and a server are set simultaneously, the priority of the server instance takes effect.

If the priority of a server instance is not set, the SPU uses the priority of the server. If the priority of the server is not set, the SPU adopts the default value.

NOTE

The priority is only valid for the WRR algorithm and the least connection algorithm.

By default, the priority of a server instance is 8.

Step 13 (Optional) Run: weight weight-value

The weight of the server instance is set.

When the weights of a server instance and a server are set simultaneously, the weight of the server instance takes effect.

If the weight of a server instance is not set, the SPU uses the weight of the server. If the weight of the server is not set, the SPU adopts the default value.

NOTE

The weight is only valid for the WRR algorithm and the least connection algorithm.

By default, the weight of a server instance is 8.

Step 14 (Optional) Run: backup-member member-name

The backup member of the server instance is configured.

By default, no backup member is configured for a server instance.

A server instance can contain up to three backup members. Before configuring a backup member, ensure that the backup member is added to the server group.

Step 15 (Optional) Run: nat outbound address-group group-index [ no-pat ]


A NAT address pool is configured in the server instance for translating source IP addresses through NAT.

no-pat indicates that PAT is not performed. That is, only the IP address of packets is translated through NAT. The port number, however, is not translated.

When NAT for translating source IP addresses is enabled simultaneously in a server instance and a Layer 3 classifier, NAT for translating source IP addresses enabled in the server instance takes effect.

By default, NAT for translating source IP addresses is disabled in a server instance.

NOTE

If the forwarding mode is set to DMAC, the NAT address pool does not need to be configured in a server instance or a Layer 3 classifier.

Step 16 Run: inservice

The server is enabled.

----End
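The following Python model is an added example for this guide, not Huawei code. It shows how the server parameters of 7.4.4 and the server-instance parameters of 7.4.5 combine at admission time: priority and weight are taken from the instance, else from the server, else from the defaults (8 and 8); the connection limit of the instance is checked before that of the server, as the NOTE describes; and the switch-threshold and restore-threshold of Step 6 move traffic to the backup group when the percentage of active master servers falls to percent1 and back once it exceeds percent2. It assumes that a limit counts as reached when the current value is greater than or equal to it, and that the bandwidth threshold refuses new traffic once usage reaches limit × threshold / 100; server names, addresses and counters are constructed.

```python
"""Server-group admission and master/backup switching (added example, not Huawei code).

Uses the guide's defaults (priority 8, weight 8, conn-limit 4000000, bandwidth
limit 1000000 kbit/s, threshold 100%). Assumed: a limit is reached when the current
value is >= it; the threshold refuses new traffic at limit * threshold / 100.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PRIORITY, DEFAULT_WEIGHT = 8, 8
DEFAULT_CONN_LIMIT = 4_000_000
DEFAULT_BW_LIMIT_KBPS = 1_000_000


@dataclass
class Server:                               # load-balance member (7.4.4)
    name: str
    ip: str
    conn_limit: int = DEFAULT_CONN_LIMIT
    bw_limit_kbps: int = DEFAULT_BW_LIMIT_KBPS
    bw_threshold_pct: int = 100
    priority: Optional[int] = None          # None = not configured
    weight: Optional[int] = None
    connections: int = 0                    # constructed runtime counters
    bw_kbps: int = 0


@dataclass
class ServerInstance:                       # member inside a server group (7.4.5)
    server: Server
    conn_limit: int = DEFAULT_CONN_LIMIT
    bw_limit_kbps: int = DEFAULT_BW_LIMIT_KBPS
    bw_threshold_pct: int = 100
    priority: Optional[int] = None
    weight: Optional[int] = None
    active: bool = True                     # outcome of the group's probes
    connections: int = 0
    bw_kbps: int = 0

    def effective_priority(self) -> int:
        """Instance value, else the server's, else the default (NOTE in 7.4.4)."""
        for v in (self.priority, self.server.priority):
            if v is not None:
                return v
        return DEFAULT_PRIORITY

    def effective_weight(self) -> int:
        for v in (self.weight, self.server.weight):
            if v is not None:
                return v
        return DEFAULT_WEIGHT

    def rejects_new_connection(self) -> Optional[str]:
        """Instance limits are checked before server limits, as the NOTE describes."""
        if self.connections >= self.conn_limit:
            return "instance conn-limit reached"
        if self.server.connections >= self.server.conn_limit:
            return "server conn-limit reached"
        if self.bw_kbps >= self.bw_limit_kbps * self.bw_threshold_pct // 100:
            return "instance bandwidth limit reached"
        srv = self.server
        if srv.bw_kbps >= srv.bw_limit_kbps * srv.bw_threshold_pct // 100:
            return "server bandwidth limit reached"
        return None


def select_candidates(group: List[ServerInstance]) -> List[ServerInstance]:
    """Active instances that pass the limit checks, restricted to the top priority."""
    ok = [i for i in group if i.active and i.rejects_new_connection() is None]
    if not ok:
        return []
    top = max(i.effective_priority() for i in ok)
    return [i for i in ok if i.effective_priority() == top]


class GroupPair:
    """switch-threshold percent1 restore-threshold percent2 (Step 6 of 7.4.5)."""

    def __init__(self, master, backup, switch_pct=0, restore_pct=0):
        self.master, self.backup = master, backup
        self.switch_pct, self.restore_pct = switch_pct, restore_pct
        self.using_backup = False

    def master_active_pct(self) -> float:
        return 100.0 * sum(i.active for i in self.master) / len(self.master)

    def evaluate(self) -> str:
        """Switch when active% <= percent1; switch back when active% > percent2."""
        pct = self.master_active_pct()
        if not self.using_backup and pct <= self.switch_pct:
            self.using_backup = True
        elif self.using_backup and pct > self.restore_pct:
            self.using_backup = False
        return "backup" if self.using_backup else "master"


def demo() -> dict:
    """Constructed group: web1 inherits weight 4 from its server, web2 has priority 9."""
    web1 = Server("web1", "10.0.0.1", conn_limit=100, weight=4)
    web2 = Server("web2", "10.0.0.2", priority=9)
    master = [ServerInstance(web1, conn_limit=50), ServerInstance(web2)]
    backup = [ServerInstance(Server("web3", "10.0.0.3"))]
    pair = GroupPair(master, backup, switch_pct=50, restore_pct=50)
    out = {"weights": [i.effective_weight() for i in master],
           "priorities": [i.effective_priority() for i in master],
           "pick": [i.server.name for i in select_candidates(master)]}
    master[0].connections = 50                  # instance limit hit before server limit
    out["reject"] = master[0].rejects_new_connection()
    out["state0"] = pair.evaluate()             # 100% active: stay on master
    master[1].active = False                    # 50% <= percent1: switch to backup
    out["state1"] = pair.evaluate()
    out["pick_after"] = [i.server.name for i in select_candidates(master)]
    master[1].active = True                     # 100% > percent2: master restored
    out["state2"] = pair.evaluate()
    return out


if __name__ == "__main__":
    print(demo())
```

Setting percent1 equal to percent2, as the demo does, gives no hysteresis: a group hovering around the threshold flaps between master and backup on every probe cycle, which is why the restore threshold is normally configured higher than the switch threshold.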

7.4.6 (Optional) Configuring Session Stickiness

Session stickiness indicates that multiple connections of a session are directed to the same server in a specified period. In this case, the SPU does not make load balancing decisions.

Context

Session stickiness is often applicable to e-commerce. Multiple connections of a user need to be processed by only one server when the user shops online. In this case, the SPU is required to identify users and send the requests of a user to the same server for processing.

The SPU uses sticky groups to configure and manage the related attributes of session stickiness. If session stickiness is configured, after the SPU sends the first request of a user to a selected server, the subsequent requests of the user are sent to the same server. The SPU thus does not make load balancing decisions for them.

The SPU supports static and dynamic stickiness:

• When packets of a session match static sticky entries, the stickiness corresponding to the session is called static stickiness. Static stickiness takes effect as long as static sticky entries exist.

• When packets of a session match dynamic sticky entries, the stickiness corresponding to the session is called dynamic stickiness. Dynamic stickiness takes effect only within the aging time. After dynamic sticky entries age, stickiness becomes invalid.

The SPU supports session stickiness at the network layer and the application layer.

Procedure

Step 1 Run: system-view

The system view is displayed.


Step 2 Run: load-balance stickygroup stickygroup-name mask net-mask { source-ip | destination-ip | both-ip }

A sticky group is created and the sticky group view is displayed.

Up to 1024 sticky groups can be created.

By default, no sticky group is created.

Step 3 (Optional) Run: description text

The description of the sticky group is configured.

By default, no description is configured for a sticky group.

Step 4 Run: group master-group-name [ backup backup-group-name ]

A server group is bound to the sticky group.

The name of a backup load balancing group must be different from the name of the master load balancing group.

If the Layer 3 classifier bound to the sticky group is bound to a load balance policy, you cannot modify the server group bound to the sticky group.

By default, no server group is bound to a sticky group.

Step 5 (Optional) Run: time-out time

The aging time of dynamic sticky entries is set.

The dynamic sticky entries generated on a sticky group age out after the aging time expires and no longer take effect.

By default, the aging time of dynamic sticky entries is 1440 minutes.

Step 6 (Optional) Run: static client { destination dest-ip-address | source src-ip-address [ destination dest-ip-address ] } member member-name

A static sticky entry is configured.

The SPU supports static sticky entries based on the source IP address, the destination IP address, or the source and destination IP addresses. Up to 4096 static sticky entries can be created.

• When source src-ip-address is specified, it indicates that a static sticky entry based on the source IP address is configured. When the packets with the source IP address specified by src-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.

• When destination dest-ip-address is specified, it indicates that a static sticky entry based on the destination IP address is configured. When the packets with the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.

• When source src-ip-address and destination dest-ip-address are specified, it indicates that a static sticky entry based on the source and destination IP addresses is configured. When the packets with the source IP address specified by src-ip-address and the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.

NOTE

When configuring static sticky entries, pay attention to the following points:

• Only one static sticky entry of a sticky group can be created on a network segment.

• Before configuring stickiness, you need to use the load-balance group command to create the corresponding server group and bind the server group to the sticky group. In addition, the server group must contain servers.

By default, no static sticky entry is configured for a sticky group.

----End
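The following Python model is an added example for this guide, not Huawei code. It shows how a sticky group with a net-mask, a key type (source-ip, destination-ip or both-ip), static client entries and a time-out for dynamic entries resolves each packet to a server member: static entries are consulted first, a dynamic entry is created by the one load balancing decision made for a new session, and that entry ages out after the configured time. The guide states the aging time but not whether traffic refreshes it, so idle-based aging is assumed; the group name, addresses and the stand-in for the group's load balancing algorithm are constructed.

```python
"""Sticky-group lookup with static and dynamic entries (added example, not Huawei code).

Assumed: the sticky key is the source and/or destination IP address masked with
the group's net-mask; static entries are consulted before dynamic ones; a dynamic
entry is created on the first packet of a session and ages out once it has been
unused for `timeout_min` minutes (idle-based aging is an assumption).
"""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[Optional[int], Optional[int]]       # (masked src, masked dst); None = wildcard


class StickyGroup:
    def __init__(self, name: str, netmask: str = "255.255.255.255",
                 key: str = "source-ip", timeout_min: int = 1440):
        if key not in ("source-ip", "destination-ip", "both-ip"):
            raise ValueError("key must be source-ip, destination-ip or both-ip")
        self.name = name
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.key = key
        self.timeout = timeout_min * 60                  # seconds; default 1440 min
        self.static: Dict[Key, str] = {}                 # key -> member
        self.dynamic: Dict[Key, Tuple[str, float]] = {}  # key -> (member, last used)

    def _masked(self, ip: Optional[str]) -> Optional[int]:
        return None if ip is None else int(ipaddress.IPv4Address(ip)) & self.mask

    def _key(self, src: str, dst: str) -> Key:
        s = self._masked(src) if self.key in ("source-ip", "both-ip") else None
        d = self._masked(dst) if self.key in ("destination-ip", "both-ip") else None
        return (s, d)

    def add_static(self, member: str, source: Optional[str] = None,
                   destination: Optional[str] = None) -> None:
        """static client { destination ... | source ... [ destination ... ] } member ..."""
        if source is None and destination is None:
            raise ValueError("a static entry needs a source and/or destination address")
        k = (self._masked(source), self._masked(destination))
        if k in self.static:
            raise ValueError("only one static entry per network segment")
        self.static[k] = member

    def lookup(self, src: str, dst: str, now: float,
               choose_member: Callable[[], str]) -> Tuple[str, str]:
        """Return (member, how) for a packet; `how` names the entry that decided it."""
        ms, md = self._masked(src), self._masked(dst)
        for (s, d), member in self.static.items():      # static entries win
            if (s is None or s == ms) and (d is None or d == md):
                return member, "static"
        k = self._key(src, dst)
        entry = self.dynamic.get(k)
        if entry is not None and now - entry[1] <= self.timeout:
            self.dynamic[k] = (entry[0], now)            # refresh the idle timer
            return entry[0], "dynamic"
        member = choose_member()        # the one load balancing decision for the session
        self.dynamic[k] = (member, now)
        return member, "new"

    def expire(self, now: float) -> int:
        """Drop aged dynamic entries; return how many were removed."""
        aged = [k for k, (_, last) in self.dynamic.items() if now - last > self.timeout]
        for k in aged:
            del self.dynamic[k]
        return len(aged)


def demo() -> list:
    """Constructed traffic against a /24 source-ip sticky group with a 30 minute time-out."""
    g = StickyGroup("shop", netmask="255.255.255.0", key="source-ip", timeout_min=30)
    g.add_static("vip-server", source="10.1.1.0")    # the whole 10.1.1.0/24 is pinned
    picks = iter(["web1", "web2", "web3"])           # stand-in for the group's algorithm

    def rr() -> str:
        return next(picks)

    vip = "203.0.113.10"
    return [g.lookup("10.1.1.7", vip, now=0, choose_member=rr),      # static entry
            g.lookup("192.0.2.5", vip, now=0, choose_member=rr),     # new dynamic entry
            g.lookup("192.0.2.9", vip, now=600, choose_member=rr),   # same /24, same server
            g.lookup("192.0.2.5", vip, now=600 + 31 * 60, choose_member=rr)]  # aged out


if __name__ == "__main__":
    print(demo())
```

The /24 mask in the demo is what makes the third lookup land on the same server as the second although the source addresses differ: with a coarse mask, every client behind one NAT or proxy range shares a sticky entry, so mask choice trades session affinity against an even spread of load.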

7.4.7 Configuring a Layer 7 Classifier

This section describes how to create a Layer 7 classifier and configure a matching rule.

Context

On the SPU, Layer 7 classification indicates that packets are classified based on the URLs of Layer 7 services. The SPU first matches packets with the ACL in a Layer 3 classifier, and then with the matching rule in the Layer 7 classifier bound to the Layer 3 classifier, no matter whether Layer 3 or Layer 7 load balancing is used. Therefore, you must configure a Layer 7 classifier for both Layer 3 and Layer 7 load balancing. In Layer 3 load balancing, the matching rule of the Layer 7 classifier must be set to any.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance l7classifier l7classifier-name [ and | or ]

A Layer 7 classifier is created and the Layer 7 classifier view is displayed.

By default, no Layer 7 classifier is configured.

When you create a Layer 7 classifier, if the matching mode is set to and, the matching is successful only when all the rules are matched; if the matching mode is set to or, the matching is successful when any rule is matched; if neither and nor or is specified, the default matching mode is and.

NOTE

When you enter the Layer 7 classifier view, you can specify and or or. The specified matching mode must be the same as the one used when the Layer 7 classifier was created.

Step 3 Run the following command as required:

• Run: match any

The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched.

• Run: rule [ rule-number ] match http url url [ method { method-name | get | head | post } ]

The Layer 7 classifier is set to match the HTTP URL.

• Run: rule [ rule-number ] match l7classifier l7classifier-name

Another Layer 7 classifier is nested in the Layer 7 classifier.

By default, the matching rule of a Layer 7 classifier is any.

NOTE

When configuring a matching rule, pay attention to the following points:

• If other matching rules are configured in the Layer 7 classifier, you cannot set the matching rule to any. If the matching rule of a Layer 7 classifier is set to any, you cannot configure other matching rules. In addition, the traffic that is load balanced is processed at Layer 3 and Layer 4. In this case, the load balancing algorithms for Layer 7 services, including the hash algorithm based on the URL, cannot be configured.

• A Layer 7 classifier can be nested by another Layer 7 classifier if the matching rule of that Layer 7 classifier is set to the nesting rule.

• A Layer 7 classifier can be nested by up to eight Layer 7 classifiers.

Step 4 Run: case-insensitive

Case sensitivity is disabled. After this command is run, the SPU does not distinguish uppercase and lowercase letters when parsing HTTP packets.

By default, the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets.

----End
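The following Python model is an added example for this guide, not SPU code. It evaluates a Layer 7 classifier as described above: and/or matching modes, HTTP URL rules with an optional method, nested classifiers, the any rule that excludes all other rules, and the case-insensitive option. The guide does not define the syntax of the url argument, so the model assumes a shell-style wildcard pattern tested against the request URL; the classifier names, patterns and HTTP requests are constructed.

```python
"""Layer 7 classifier evaluation (added example, not SPU code).

Assumed: a `match http url` rule is a shell-style wildcard pattern (fnmatch) tested
against the request URL; a request is a constructed (method, url) pair; nesting
deeper than eight classifiers is an error, as the guide limits nesting to eight.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Union


@dataclass
class UrlRule:                      # rule match http url <url> [ method ... ]
    url: str
    method: Optional[str] = None    # get | head | post | None = any method


@dataclass
class NestRule:                     # rule match l7classifier <name>
    classifier: str


@dataclass
class L7Classifier:
    name: str
    mode: str = "and"               # "and" | "or"; "and" is the default
    match_any: bool = False
    rules: List[Union[UrlRule, NestRule]] = field(default_factory=list)
    case_insensitive: bool = False

    def add_rule(self, rule: Union[UrlRule, NestRule]) -> None:
        if self.match_any:
            raise ValueError("match any is set: no other rules can be configured")
        self.rules.append(rule)

    def set_match_any(self) -> None:
        if self.rules:
            raise ValueError("other rules exist: cannot set match any")
        self.match_any = True


def matches(registry: Dict[str, L7Classifier], name: str,
            method: str, url: str, depth: int = 0) -> bool:
    """Evaluate classifier `name` against one HTTP request."""
    clf = registry[name]
    if clf.match_any or not clf.rules:      # the default rule is any
        return True
    if depth > 8:
        raise RecursionError("more than eight nested Layer 7 classifiers")
    results = []
    for r in clf.rules:
        if isinstance(r, NestRule):
            results.append(matches(registry, r.classifier, method, url, depth + 1))
            continue
        u, pat = (url.lower(), r.url.lower()) if clf.case_insensitive else (url, r.url)
        ok = fnmatchcase(u, pat)
        if r.method is not None:
            ok = ok and method.lower() == r.method.lower()
        results.append(ok)
    return all(results) if clf.mode == "and" else any(results)


def demo() -> dict:
    """Constructed classifiers: images (or, case-insensitive) nested in static-get (and)."""
    images = L7Classifier("images", mode="or", case_insensitive=True)
    images.add_rule(UrlRule("*.jpg"))
    images.add_rule(UrlRule("*.png"))
    static_get = L7Classifier("static-get", mode="and")
    static_get.add_rule(NestRule("images"))
    static_get.add_rule(UrlRule("*", method="get"))
    everything = L7Classifier("everything")
    everything.set_match_any()              # what Layer 3 load balancing requires
    reg = {c.name: c for c in (images, static_get, everything)}
    return {"get-jpg": matches(reg, "static-get", "GET", "/img/Logo.JPG"),
            "post-jpg": matches(reg, "static-get", "POST", "/img/logo.jpg"),
            "get-css": matches(reg, "static-get", "GET", "/css/site.css"),
            "any": matches(reg, "everything", "DELETE", "/admin")}


if __name__ == "__main__":
    print(demo())
```

Note that case-insensitive is a property of the classifier that owns the rule, not of the nesting classifier: in the demo the uppercase extension matches because the nested images classifier has the option set, and the outer static-get classifier still compares its own rules case-sensitively.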

7.4.8 Configuring a Load Balancing Action

This section describes how to create a load balancing action profile and specify an action.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance action action-name

A load balancing action profile is created and the load balancing action profile view is displayed.

Step 3 Run the following command as required.

• Run: drop

The action is set to drop.

• Run: forward

The action is set to forward.

• Run: group master-group-name [ backup backup-group-name ]

The action is set to load balance.

• Run: stickygroup stickygroup-name

The action is set to the sticky operation.

By default, the action is forward.

----End

7.4.9 Configuring an ACL

This section describes how to configure an ACL to identify the traffic of various services.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: acl [ number ] [ match-order { config | auto } ]

An ACL is created and the ACL view is displayed.

In server load balancing, the value of number ranges from 3000 to 3999. That is, advanced ACLs are used.

A Layer 3 classifier can be bound to only one ACL. If the ACL is configured repeatedly, the latest ACL takes effect.

By default, no ACL is created.

Step 3 (Optional) Run: step step-value

The step between ACL rule IDs is set.

By default, the step between ACL rule IDs is 5.

Step 4 Run the following command as required:

• When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:

– rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *

– undo rule rule-id

• When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:

– rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *

– undo rule rule-id

• When the parameter protocol is specified as another protocol rather than TCP, UDP, or ICMP, the command format is as follows:

– rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *

– undo rule rule-id

By default, no rule is defined in an ACL.

----End
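The following Python model is an added example for this guide, not Huawei code. It shows how the advanced ACL rules above classify traffic for a Layer 3 classifier: address fields with wildcard masks, the eq/gt/lt/range port operators, rule IDs assigned in multiples of the step, and first-match evaluation. It assumes the inverse-mask convention for wildcards (a 1 bit means "don't care"), evaluation in ascending rule-id order (the config match-order; the auto order is not modelled), that a rule added without a rule-id takes the next multiple of the step above the highest existing id, and that ip matches any IP protocol; the ACL number, rules and packets are constructed.

```python
"""Advanced ACL (3000-3999) rule matching for a Layer 3 classifier (added example, not Huawei code).

Assumed: wildcard masks use the inverse-mask convention (1 bit = don't care); rules
are evaluated in ascending rule-id order (match-order config; auto is not modelled);
a rule added without rule-id gets the next multiple of the step above the highest
existing id; `ip` matches any IP protocol; no match returns None (unclassified).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AddrSpec = Tuple[str, str]                      # (address, wildcard)
PortSpec = Tuple[str, int, Optional[int]]       # (eq|gt|lt|range, port, port2)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class Rule:
    rule_id: int
    action: str                                 # permit | deny
    protocol: str                               # tcp | udp | icmp | ip | ...
    source: Optional[AddrSpec] = None           # None = any
    destination: Optional[AddrSpec] = None
    source_port: Optional[PortSpec] = None
    destination_port: Optional[PortSpec] = None

    @staticmethod
    def _addr_ok(spec: Optional[AddrSpec], ip: str) -> bool:
        if spec is None:
            return True
        addr, wildcard = _ip(spec[0]), _ip(spec[1])
        care = 0xFFFFFFFF ^ wildcard            # bits that must match
        return (addr & care) == (_ip(ip) & care)

    @staticmethod
    def _port_ok(spec: Optional[PortSpec], port: int) -> bool:
        if spec is None:
            return True
        op, p1, p2 = spec
        if op == "range":
            return p1 <= port <= (p2 if p2 is not None else p1)
        return {"eq": port == p1, "gt": port > p1, "lt": port < p1}[op]

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt["protocol"] != self.protocol:
            return False
        return (self._addr_ok(self.source, pkt["src"])
                and self._addr_ok(self.destination, pkt["dst"])
                and self._port_ok(self.source_port, pkt.get("sport", -1))
                and self._port_ok(self.destination_port, pkt.get("dport", -1)))


class AdvancedAcl:
    def __init__(self, number: int, step: int = 5):
        if not 3000 <= number <= 3999:
            raise ValueError("server load balancing uses advanced ACLs 3000-3999")
        self.number, self.step = number, step
        self.rules: Dict[int, Rule] = {}

    def add(self, action: str, protocol: str, rule_id: Optional[int] = None, **fields) -> int:
        """rule [ rule-id ] { deny | permit } protocol [ ... ]; returns the rule id used."""
        if rule_id is None:
            top = max(self.rules, default=-1)
            rule_id = (top // self.step + 1) * self.step
        self.rules[rule_id] = Rule(rule_id, action, protocol, **fields)
        return rule_id

    def remove(self, rule_id: int) -> None:     # undo rule rule-id
        self.rules.pop(rule_id, None)

    def classify(self, pkt: dict) -> Optional[Tuple[int, str]]:
        """First matching rule in config order, as (rule-id, action)."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(pkt):
                return rid, self.rules[rid].action
        return None


def demo() -> list:
    """Constructed ACL: HTTP to one VIP, a port range to a /24, deny everything else."""
    acl = AdvancedAcl(3001)
    acl.add("permit", "tcp", destination=("10.1.1.100", "0.0.0.0"),
            destination_port=("eq", 80, None))
    acl.add("permit", "tcp", destination=("10.1.1.0", "0.0.0.255"),
            destination_port=("range", 8080, 8090))
    acl.add("deny", "ip")
    pkts = [  # constructed packets
        {"protocol": "tcp", "src": "192.0.2.10", "dst": "10.1.1.100", "sport": 40000, "dport": 80},
        {"protocol": "tcp", "src": "192.0.2.10", "dst": "10.1.1.7", "sport": 40001, "dport": 8085},
        {"protocol": "udp", "src": "192.0.2.10", "dst": "10.1.1.100", "sport": 53, "dport": 80},
        {"protocol": "icmp", "src": "192.0.2.10", "dst": "10.1.1.100"},
    ]
    return [sorted(acl.rules), [acl.classify(p) for p in pkts]]


if __name__ == "__main__":
    print(demo())
```

Because the default step of 5 leaves gaps between the rule IDs, a more specific rule can later be inserted ahead of an existing one with an explicit rule-id (for example 3 to land before rule 5) without renumbering the ACL; the closing deny ip rule makes the classifier's behaviour for unexpected protocols explicit instead of relying on the absence of a match.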

7.4.10 (Optional) Configuring a Connection Parameter Profile

This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

Context

To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, you need to set the aging time to periodically age out the TCP or UDP traffic forwarding entries that have been idle for a long time.

Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: load-balance parameter connection profile-name

A connection parameter profile is created and the connection parameter profile view is displayed.

Up to 1024 connection parameter profiles can be created.

By default, no connection parameter profile is created.

Step 3 Run: tcp aging-time aging-time

The aging time of the TCP traffic forwarding table is set.

By default, the aging time of the TCP traffic forwarding table is 3600s.

Step 4 Run: udp aging-time aging-time

The aging time of the UDP traffic forwarding table is set.

By default, the aging time of the UDP traffic forwarding table is 120s.

----End


7.4.11 (Optional) Configuring an HTTP Parameter Profile

This section describes how to configure an HTTP parameter profile and set the parameters used when processing HTTP packets: the maximum parsing length and per-request rebalance.

Context

Case sensitivity means that the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets.

Per-request rebalance means that the SPU makes a new load balancing decision for every HTTP request and may select a different server for each request, even when the 5-tuple of the connection is unchanged.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance parameter http profile-name

An HTTP parameter profile is created and the HTTP parameter profile view is displayed.

Up to 1024 HTTP parameter profiles can be created.

By default, no HTTP parameter profile is created.

Step 3 Run:
max-parse-length length-value

The maximum parsing length of HTTP packets is set. Bytes beyond this length are not parsed, so any header that a Layer 7 classifier rule matches on must lie within it.

By default, the maximum parsing length of HTTP packets is 1024 bytes.

Step 4 Run:
rebalance per-request

Each HTTP request is rebalanced.

By default, the SPU does not rebalance newly received HTTP requests.

----End
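The effect of the maximum parsing length on Layer 7 matching is easier to see in code. The following Python model is added here as an illustration; it is not part of the Huawei guide and not SPU code. It implements a generic length-capped HTTP parser that inspects only the first max_parse_length bytes of a request, then evaluates a "Host header equals X" rule against requests in which a client-controlled Cookie header pushes the Host header past the cap. The request bytes, the hostname shop.example and the path are constructed for the example; that the SPU's own parser ignores everything past the cap in exactly this way is an assumption.

```python
"""Effect of an HTTP maximum parsing length on Layer 7 header matching.

Added example for this guide, not Huawei code. It models a generic
length-capped HTTP parser: only the first ``max_parse_length`` bytes of a
request are inspected, so a header that begins beyond the cap (or is cut
by it) is invisible to a matching rule. The request bytes are constructed
for the example; how the SPU's own parser behaves past the cap is an
assumption, not something this guide states.
"""
from typing import Optional

DEFAULT_MAX_PARSE_LENGTH = 1024  # the guide's default for max-parse-length


def find_header(request: bytes, name: str,
                max_parse_length: int = DEFAULT_MAX_PARSE_LENGTH,
                case_sensitive: bool = False) -> Optional[str]:
    """Return the value of header ``name`` if it lies inside the parsed prefix.

    Only the first ``max_parse_length`` bytes are parsed. If the end of the
    header block (the empty line) is not inside that prefix, the last line
    of the prefix may be truncated and is ignored.
    """
    window = request[:max_parse_length]
    header_end = window.find(b"\r\n\r\n")
    if header_end >= 0:
        head, complete = window[:header_end], True
    else:
        head, complete = window, False
    lines = head.split(b"\r\n")
    if not complete:
        lines = lines[:-1]  # drop the possibly truncated last line
    for line in lines[1:]:  # lines[0] is the request line
        key, sep, value = line.partition(b":")
        if not sep:
            continue
        key_text = key.decode("latin-1").strip()
        if case_sensitive:
            matched = key_text == name
        else:
            matched = key_text.lower() == name.lower()
        if matched:
            return value.decode("latin-1").strip()
    return None


def build_request(cookie_padding: int) -> bytes:
    """Construct a sample GET whose Host header follows a long Cookie header.

    The hostname and path are made up for the example. The client controls
    the cookie length, so this models a request whose interesting header
    has been pushed past the parse cap.
    """
    cookie = b"session=" + b"A" * cookie_padding
    return (b"GET /app HTTP/1.1\r\n"
            b"Cookie: " + cookie + b"\r\n"
            b"Host: shop.example\r\n"
            b"\r\n")


def host_rule_matches(request: bytes, expected_host: str,
                      max_parse_length: int = DEFAULT_MAX_PARSE_LENGTH) -> bool:
    """A Layer 7 rule of the form 'Host header equals expected_host'."""
    return find_header(request, "Host", max_parse_length) == expected_host


if __name__ == "__main__":
    for padding in (100, 2000):
        req = build_request(padding)
        print(f"{len(req)} byte request, cap {DEFAULT_MAX_PARSE_LENGTH}: "
              f"Host rule matches = {host_rule_matches(req, 'shop.example')}")
```

With the default cap, the 2000-byte cookie hides the Host header and the rule silently stops matching; raising max_parse_length to cover the largest legitimate header block (or placing rules on headers that arrive early) avoids that. The case_sensitive flag mirrors the case sensitivity described in the Context above.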

7.4.12 Configuring a Layer 3 Classifier

This section describes how to create a Layer 3 classifier and configure its matching rule.

Context

To classify packets according to the 5-tuple (source and destination IP address, source and destination port, and protocol), create and configure a Layer 3 classifier.


Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance l3classifier l3classifier-name

A Layer 3 classifier is created and the Layer 3 classifier view is displayed.

By default, no Layer 3 classifier is created.

Step 3 Run:
if-match acl acl-number

An ACL is bound to the Layer 3 classifier.

A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run several times in the same Layer 3 classifier view, only the latest binding takes effect.

By default, no ACL is bound to a Layer 3 classifier.

Step 4 Run:
l7classifier l7classifier-name action action-name

A Layer 7 classifier and an action are bound to the Layer 3 classifier.

The SPU first matches packets against the ACL in the Layer 3 classifier, and then against the rule in the Layer 7 classifier.

By default, a Layer 3 classifier is bound to neither a Layer 7 classifier nor an action.

Step 5 (Optional) Run:
icmp-reply

The SPU is configured to respond to ping requests from users.

The SPU provides services through a virtual IP address. Users send service requests to the virtual IP address, but by default the SPU does not respond to ICMP packets sent to it. If the SPU must respond to ping requests, run the icmp-reply command in the Layer 3 classifier view.

CAUTION
- If the SPU is required to respond to ping requests from users, the ping request packets must match the ACL in the Layer 3 classifier.
- If the destination address in the ACL bound to the Layer 3 classifier is any, the SPU responds to every ping request from users and the ACL no longer restricts anything. Configure the ACL in a Layer 3 classifier with caution: restrict its destination to the virtual IP addresses that are meant to answer ping.

By default, the SPU does not respond to ping requests from users.

Step 6 (Optional) Run:
parameter connection profile-name

A connection parameter profile is bound to the Layer 3 classifier.

A connection parameter profile can be bound to one or more Layer 3 classifiers.

By default, no connection parameter profile is bound to a Layer 3 classifier.

Step 7 (Optional) Run:
parameter http profile-name

An HTTP parameter profile is bound to the Layer 3 classifier.

An HTTP parameter profile can be bound to one or more Layer 3 classifiers.

By default, no HTTP parameter profile is bound to a Layer 3 classifier.

Step 8 (Optional) Run:
nat outbound address-group number [ no-pat ]

A NAT address pool is bound to the Layer 3 classifier.

no-pat indicates that PAT is not performed: only the IP address of the packets is translated, and the port number is left unchanged.

A NAT address pool takes effect only after it is bound to a Layer 3 classifier or to a server instance. If a NAT address pool is bound to both a Layer 3 classifier and a server instance, the binding on the server instance takes effect.

When the forwarding mode of a server group is transparent transmission, NAT does not take effect even if a NAT address pool is bound to a Layer 3 classifier or a server instance.

By default, no NAT address pool is bound to a Layer 3 classifier.

----End
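The caution in Step 5 and the last-binding-wins rule in Step 3 are easy to get wrong in a large configuration, so a practitioner would check them mechanically. The Python script below is added here as an illustration; it is not Huawei code and not part of the guide. It reads a configuration listing in the command syntax of this chapter, resolves which ACL each Layer 3 classifier ends up bound to, and reports every classifier that has icmp-reply set while its ACL permits any destination. The sample configuration is constructed for the example, and it assumes the VRP advanced ACL convention that a permit rule with no destination clause, with "destination any", or with a 255.255.255.255 wildcard matches every destination address.

```python
"""Audit of icmp-reply against the ACL bound to each Layer 3 classifier.

Added example for this guide, not Huawei code. It reports every Layer 3
classifier that has icmp-reply set while its bound ACL permits any
destination (the case the caution in Step 5 warns about) and applies the
rule from Step 3 that the latest if-match acl command wins. The sample
configuration is constructed. Assumption about VRP advanced ACL syntax:
a permit rule without a destination clause, with "destination any", or
with the 255.255.255.255 wildcard matches every destination address.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
acl number 3000
 rule 5 permit ip destination 60.60.60.1 0.0.0.255
acl number 3001
 rule 5 permit ip
acl number 3002
 rule 5 permit ip destination any
load-balance l3classifier l3cls1
 if-match acl 3000
 icmp-reply
load-balance l3classifier l3cls2
 if-match acl 3000
 if-match acl 3001
 icmp-reply
load-balance l3classifier l3cls3
 if-match acl 3002
load-balance l3classifier l3cls4
 icmp-reply
"""


@dataclass
class Acl:
    number: int
    rules: List[str] = field(default_factory=list)


@dataclass
class L3Classifier:
    name: str
    acl: Optional[int] = None  # only one ACL; the latest if-match acl wins
    icmp_reply: bool = False


def parse_config(text: str) -> Tuple[Dict[int, Acl], Dict[str, L3Classifier]]:
    """Collect ACLs and Layer 3 classifiers from a configuration listing."""
    acls: Dict[int, Acl] = {}
    classifiers: Dict[str, L3Classifier] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"acl number (\d+)", line)
        if m:
            number = int(m.group(1))
            current = acls.setdefault(number, Acl(number))
            continue
        m = re.fullmatch(r"load-balance l3classifier (\S+)", line)
        if m:
            current = classifiers.setdefault(m.group(1), L3Classifier(m.group(1)))
            continue
        if isinstance(current, Acl) and line.startswith("rule "):
            current.rules.append(line)
        elif isinstance(current, L3Classifier):
            m = re.fullmatch(r"if-match acl (\d+)", line)
            if m:
                current.acl = int(m.group(1))  # overwrites any earlier binding
            elif line == "icmp-reply":
                current.icmp_reply = True
    return acls, classifiers


def permits_any_destination(rule: str) -> bool:
    """True for a permit rule whose destination is unrestricted (see module docstring)."""
    tokens = rule.split()
    if "permit" not in tokens:
        return False
    if "destination" not in tokens:
        return True
    rest = tokens[tokens.index("destination") + 1:][:2]
    return rest[:1] == ["any"] or (len(rest) == 2 and rest[1] == "255.255.255.255")


def audit_icmp_reply(text: str) -> List[str]:
    """Return one finding per classifier whose icmp-reply setting is risky."""
    acls, classifiers = parse_config(text)
    findings = []
    for cls in classifiers.values():
        if not cls.icmp_reply:
            continue
        if cls.acl is None:
            findings.append(f"{cls.name}: icmp-reply is set but no ACL is bound; "
                            "bind an ACL so that only intended ping requests match")
            continue
        acl = acls.get(cls.acl)
        if acl is None:
            findings.append(f"{cls.name}: bound ACL {cls.acl} is not defined")
        elif any(permits_any_destination(r) for r in acl.rules):
            findings.append(f"{cls.name}: icmp-reply with ACL {cls.acl} permitting "
                            "any destination; the SPU would answer every ping")
    return findings


if __name__ == "__main__":
    for finding in audit_icmp_reply(SAMPLE_CONFIG):
        print(finding)
```

On the sample, l3cls1 is clean (ACL 3000 restricts the destination), l3cls3 never answers ping, l3cls2 is flagged because its second if-match acl replaced ACL 3000 with the unrestricted ACL 3001, and l3cls4 is flagged for having no ACL at all.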

7.4.13 Configuring a Load Balancing Policy

This section describes how to create a load balancing policy and bind a Layer 3 classifier to it.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance policy policy-name

A load balancing policy is created and the load balancing policy view is displayed.

Up to 1024 load balancing policies can be created.

By default, no load balancing policy is configured.

Step 3 Run:
l3classifier l3classifier-name

A Layer 3 classifier is bound to the load balancing policy.

A load balancing policy can be bound to up to eight Layer 3 classifiers, supporting a maximum of 1024 service applications.

By default, no Layer 3 classifier is bound to a load balancing policy.

----End

7.4.14 Applying the Load Balancing Policy

A load balancing policy takes effect only after it is applied to an interface.

Context

A load balancing policy can be applied only to XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.

Procedure

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subnumber

The sub-interface view is displayed.

Step 3 Run:
service load-balance policy policy-name

The load balancing policy is applied to the XGE sub-interface or Eth-Trunk sub-interface.

After the policy is applied, the SPU takes the actions defined in the policy on VLAN packets received on the sub-interface that match a Layer 3 classifier bound to the policy.

By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.

Step 4 (Optional) Run:
service load-balance arp-response nat address-group group-index

The NAT address pool is enabled to respond to ARP requests on the sub-interface.

By default, a NAT address pool does not respond to ARP requests on a sub-interface.

When a NAT address pool is used for source IP address translation and the IP address of the outbound sub-interface of the SPU is on the same network segment as any address in the pool, run the service load-balance arp-response nat address-group group-index command on that outbound sub-interface. Without it, the SPU does not answer ARP requests for the pool addresses on the outbound sub-interface, so the next-hop router cannot resolve the translated source addresses and return traffic is lost.

Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.

----End

7.4.15 Checking the Configuration

After server load balancing is configured, check that the configuration is correct and has taken effect.

Procedure

- Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.
- Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.
- Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.
- Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.
- Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.
- Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.
- Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.
- Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.
- Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.
- Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.

----End

7.5 Configuring Firewall Load Balancing

On a network with multiple firewalls, you can load balance traffic among the firewalls in a group. Each firewall then carries a smaller share of the load and the processing capability of the network as a whole increases.

Applicable Environment

The firewall guards the network and is therefore an important device, but it has a structural problem: it must inspect every packet carefully, so its forwarding performance is low and it becomes the bottleneck of the network. Replacing the existing firewalls with faster ones wastes the hardware already deployed, and as the service volume grows the devices must be replaced again and again, at high cost.

Instead, you can create a firewall group to reduce the load on each firewall and improve the processing capability of the network. In a firewall load balancing deployment, the load balancing devices are classified into level-1 and level-2 devices. Level-1 devices distribute traffic across the firewalls; level-2 devices ensure that any traffic received through a given firewall is sent back through the same firewall, so that a stateful firewall sees both directions of every session.

Firewall load balancing treats the firewalls as servers.
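The reason the level-2 device must pin return traffic to the firewall that carried the request is that a stateful firewall only accepts replies for sessions it has seen. The Python model below is added here to illustrate that point; it is not Huawei code, not the SPU's algorithm and not part of the guide. It places two load balancers on either side of a group of stateful firewalls: the level-1 device hashes each new flow to a firewall, and the level-2 device either pins the reply to the firewall the request arrived from (what MAC address stickiness provides) or chooses on its own. The firewall names, addresses, flows and hash function are constructed for the example.

```python
"""Model of why the level-2 device must return traffic through the same firewall.

Added example for this guide, not Huawei code and not the SPU's algorithm.
Two load balancers sit on either side of a group of stateful firewalls.
The level-1 device hashes each new flow to a firewall; the level-2 device
either pins the reply to the firewall the request arrived from (the
stickiness the guide requires) or picks independently. A stateful firewall
drops a reply for a session it never saw. Firewall names, addresses, flows
and the hash function are constructed for the example.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


class StatefulFirewall:
    """Accepts new sessions from the inside and replies only for known sessions."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Set[Flow] = set()

    def forward(self, flow: Flow, from_inside: bool) -> bool:
        if from_inside:
            self.sessions.add(flow)
            return True
        return reverse(flow) in self.sessions  # reply to a session seen here?


class LoadBalancer:
    """Chooses a firewall per flow; pinned entries override the hash."""

    def __init__(self, firewalls: List[StatefulFirewall], salt: str) -> None:
        self.firewalls = firewalls
        self.salt = salt  # two devices with different salts hash flows differently
        self.pinned: Dict[Flow, StatefulFirewall] = {}

    def choose(self, flow: Flow) -> StatefulFirewall:
        if flow in self.pinned:
            return self.pinned[flow]
        digest = hashlib.sha256(f"{self.salt}:{flow}".encode()).digest()
        return self.firewalls[digest[0] % len(self.firewalls)]

    def pin_return_path(self, flow: Flow, firewall: StatefulFirewall) -> None:
        """Remember that replies to `flow` must go back through `firewall`."""
        self.pinned[reverse(flow)] = firewall


def simulate(sticky_level2: bool, flows: int = 60, firewalls: int = 3) -> Tuple[int, int]:
    """Return (replies delivered, replies dropped) for a set of client sessions."""
    group = [StatefulFirewall(f"fw{i}") for i in range(firewalls)]
    level1 = LoadBalancer(group, salt="client-side")
    level2 = LoadBalancer(group, salt="server-side")
    delivered = dropped = 0
    for i in range(flows):
        flow: Flow = ("192.0.2.10", 40000 + i, "198.51.100.5", 443)  # constructed
        # Request: level-1 picks a firewall, which records the session.
        fw = level1.choose(flow)
        fw.forward(flow, from_inside=True)
        if sticky_level2:
            level2.pin_return_path(flow, fw)  # what mac-sticky provides
        # Reply from the server: level-2 picks the return firewall.
        reply = reverse(flow)
        back = level2.choose(reply)
        if back.forward(reply, from_inside=False):
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped


if __name__ == "__main__":
    print("with return-path stickiness:   ", simulate(sticky_level2=True))
    print("without return-path stickiness:", simulate(sticky_level2=False))
```

With stickiness every reply is delivered; without it, roughly two thirds of the replies reach a firewall that never saw the request and are dropped, which is the failure a misconfigured level-2 device produces in practice.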

Pre-configuration Tasks

Before configuring firewall load balancing, complete the following tasks:

- Set link layer parameters on the interfaces and ensure that the link layer protocol on the interfaces is Up.
- Set network layer parameters on the interfaces and ensure that routes between the devices are reachable.
- Perform the tasks in 2 SPU Pre-Configuration.

Data Preparation

To configure firewall load balancing, you need the following data.

Level-1 load balancing device:

No. | Data
1 | (Optional) Name, type, and related parameters of the probe
2 | Name and parameters of the firewall, including the description, server IP address, weight, and bandwidth
3 | Name and parameters of the firewall group, including the description, load balancing algorithm, forwarding mode (fixed as DMAC), action performed when the firewall group fails, threshold for switching from the master firewall group to the backup firewall group, bound probe, members, and member instance port numbers
4 | (Optional) Name and parameters of the sticky group, including the description, aging time, and static sticky entries
5 | Parameters of the Layer 7 classifier, including the classifier name and matching rule
6 | Name and parameters of the load balancing action profile, including the description and action
7 | Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rules
8 | Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to it
9 | (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
10 | (Optional) Name and parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and whether per-request rebalance is enabled
11 | Parameters of the load balancing policy, including the policy name and the Layer 3 classifier bound to it
12 | Object to which the load balancing policy is applied

Level-2 load balancing device:

No. | Data
1 | (Optional) NAT address pool index and address network segment
2 | (Optional) Name, type, and related parameters of the probe
3 | Name and parameters of the server, including the description, server IP address, weight, and bandwidth
4 | Name and parameters of the server group, including the description, load balancing algorithm, forwarding mode, action performed when the server group fails, threshold for switching from the master server group to the backup server group, bound probe, members, member instance port numbers, and NAT address pool index
5 | (Optional) Name and parameters of the sticky group, including the description, aging time, and static sticky entries
6 | Parameters of the Layer 7 classifier, including the classifier name and matching rule
7 | Name and parameters of the load balancing action profile, including the description and action
8 | Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rules
9 | Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to it
10 | (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
11 | (Optional) Name and parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and whether per-request rebalance is enabled
12 | Parameters of the load balancing policy, including the policy name and the Layer 3 classifier bound to it
13 | Object to which the load balancing policy is applied

Configuration Instructions

In firewall load balancing, the firewalls function as servers. The configuration procedure is the same as that for server load balancing except for the differences noted in the following two tables. For the configuration procedure itself, see 7.4 Configuring Server Load Balancing.

Level-1 load balancing device:

No. | Step | Reference
1 | (Optional) Configure firewall health detection. | 7.4.3 (Optional) Configuring Server Health Detection (only the ICMP probe is supported)
2 | Configure the firewalls. | 7.4.4 Configuring a Server
3 | Configure a firewall group. | 7.4.5 Configuring a Server Group (DMAC must be used as the forwarding mode)
4 | (Optional) Configure session stickiness. | 7.4.6 (Optional) Configuring Session Stickiness
5 | Configure a Layer 7 classifier. | 7.4.7 Configuring a Layer 7 Classifier
6 | Configure a load balancing action. | 7.4.8 Configuring a Load Balancing Action
7 | Configure an ACL. | 7.4.9 Configuring an ACL
8 | (Optional) Configure a connection parameter profile. | 7.4.10 (Optional) Configuring a Connection Parameter Profile
9 | (Optional) Configure an HTTP parameter profile. | 7.4.11 (Optional) Configuring an HTTP Parameter Profile
10 | Configure a Layer 3 classifier. | 7.4.12 Configuring a Layer 3 Classifier
11 | Configure a load balancing policy. | 7.4.13 Configuring a Load Balancing Policy
12 | Apply the load balancing policy. | 7.4.14 Applying the Load Balancing Policy
13 | Check the configuration. | 7.4.15 Checking the Configuration

Level-2 load balancing device:

No. | Step | Reference
1 | (Optional) Configure a NAT address pool. | 7.4.2 (Optional) Configuring a NAT Address Pool
2 | (Optional) Configure server health detection. | 7.4.3 (Optional) Configuring Server Health Detection
3 | Configure a server. | 7.4.4 Configuring a Server
4 | Configure a server group. | 7.4.5 Configuring a Server Group
5 | (Optional) Configure session stickiness. | 7.4.6 (Optional) Configuring Session Stickiness
6 | Configure a Layer 7 classifier. | 7.4.7 Configuring a Layer 7 Classifier
7 | Configure a load balancing action. | 7.4.8 Configuring a Load Balancing Action
8 | Configure an ACL. | 7.4.9 Configuring an ACL
9 | (Optional) Configure a connection parameter profile. | 7.4.10 (Optional) Configuring a Connection Parameter Profile
10 | (Optional) Configure an HTTP parameter profile. | 7.4.11 (Optional) Configuring an HTTP Parameter Profile
11 | Configure a Layer 3 classifier. | 7.4.12 Configuring a Layer 3 Classifier
12 | Configure a load balancing policy. | 7.4.13 Configuring a Load Balancing Policy
13 | Apply the load balancing policy. | 7.4.14 Applying the Load Balancing Policy (run the mac-sticky enable command to enable MAC address stickiness, so that return traffic goes back through the firewall it arrived from)
14 | Check the configuration. | 7.4.15 Checking the Configuration

7.6 Configuration Examples

This section provides several configuration examples. Each example includes the networking requirements, configuration roadmap, operation procedure, and configuration files.

7.6.1 Example for Configuring Egress Link Load Balancing
This section describes how to configure egress link load balancing to improve service reliability.

7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode
This section describes how to configure Layer 3 server load balancing in DMAC mode to improve the service processing capability of servers.

7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 3 server load balancing in DNAT mode to improve the service processing capability of servers.

7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 7 server load balancing in DNAT mode to improve the service processing capability of servers.

7.6.5 Example for Configuring Session Stickiness
This section provides an example for configuring session stickiness. With session stickiness, requests from the same type of users are processed by the same server, which meets the e-commerce requirements of internal network users.

7.6.6 Example for Configuring Standard Firewall Load Balancing
In this example, standard firewall load balancing is configured to improve the service processing capability of the firewalls.

7.6.1 Example for Configuring Egress Link Load Balancing

This section describes how to configure egress link load balancing to improve service reliability.


Networking Requirements

As shown in Figure 7-8, an enterprise leases two egress links, ISP1 and ISP2. The bandwidth of the ISP1 link is 100 Mbit/s and the bandwidth of the ISP2 link is 300 Mbit/s; the network delay of ISP2 is shorter than that of ISP1. The requirements are as follows:

- When an enterprise user accesses the external network, the preferred link is selected.
- When a link fails or its limits are exceeded, the other link is selected automatically.
- Source IP address translation (NAT) is enabled.

The enterprise user is connected to GE 3/0/0 of the Switch, and the SPU is installed in slot 5 of the Switch.

RouterA is connected to GE 3/0/1 of the Switch and RouterB is connected to GE 3/0/2 of the Switch.

The data flows entering the SPU pass through the primary CPU, that is, they are received and sent through XGE 5/0/0.

The source IP addresses of the enterprise users are on 192.168.1.1/24, and the destination addresses of the external network that the enterprise users need to reach are on 60.60.60.1/24.

Figure 7-8 Networking diagram for configuring egress link load balancing

[Figure: the enterprise user connects to the Switch on GE3/0/0 (VLAN12). The Switch reaches the SPU over XGE5/0/0 and XGE5/0/1; the SPU-side interfaces are XGE0/0/1 and XGE0/0/2. RouterA (20.20.20.1/24) leads to ISP1 and RouterB (30.30.30.1/24) leads to ISP2; the external network is 60.60.60.1/24.]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.
2. Configure two links, connected to ISP1 and ISP2 respectively.
3. Configure link health detection for the links connected to ISP1 and ISP2.
4. Configure a link group, bind the links connected to ISP1 and ISP2 to it, and use the WRR algorithm.
5. Configure a Layer 7 classifier and set the matching rule to any.
6. Configure a load balancing action profile.
7. Configure an ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to the interface facing the internal network.

Data Preparation

To complete the configuration, you need the following data:

- Network segments of the NAT address pools
- Names of the links connected to ISP1 and ISP2, and their IP addresses, connection quantity limits, connection rate limits, bandwidth limits, bandwidth thresholds, and weights
- Name, type, and related parameters of the probe
- Link group name and load balancing algorithm
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to it
- Name of the load balancing policy and the interface to which it is applied

Procedure

Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch.

<Switch> system-view
[Switch] vlan batch 12 13 14
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] port link-type trunk
[Switch-XGigabitEthernet5/0/0] port trunk allow-pass vlan 12 to 14
[Switch-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[Switch-XGigabitEthernet5/0/0] quit

2. Configure NAT address pools on the SPU.

<Quidway> system-view
[Quidway] sysname SPU

# Configure a NAT address pool with index 2 and the address range 20.20.20.3 to 20.20.20.200.

[SPU] nat address-group 2 20.20.20.3 20.20.20.200

# Configure a NAT address pool with index 3 and the address range 30.30.30.3 to 30.30.30.200.

[SPU] nat address-group 3 30.30.30.3 30.30.30.200

3. Add the sub-interfaces to VLANs on the SPU. The sub-interfaces facing the ISP routers (20.20.20.2/24 and 30.30.30.2/24) are on the same network segments as NAT address pools 2 and 3, so each pool is enabled to answer ARP requests on its sub-interface (see 7.4.14).

[SPU] interface xgigabitethernet 0/0/1.12
[SPU-XGigabitEthernet0/0/1.12] control-vid 12 dot1q-termination
[SPU-XGigabitEthernet0/0/1.12] dot1q termination vid 12
[SPU-XGigabitEthernet0/0/1.12] ip address 10.10.10.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.12] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.12] quit
[SPU] interface xgigabitethernet 0/0/1.13
[SPU-XGigabitEthernet0/0/1.13] control-vid 13 dot1q-termination
[SPU-XGigabitEthernet0/0/1.13] dot1q termination vid 13
[SPU-XGigabitEthernet0/0/1.13] ip address 20.20.20.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.13] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.13] service load-balance arp-response nat address-group 2
[SPU-XGigabitEthernet0/0/1.13] quit
[SPU] interface xgigabitethernet 0/0/1.14
[SPU-XGigabitEthernet0/0/1.14] control-vid 14 dot1q-termination
[SPU-XGigabitEthernet0/0/1.14] dot1q termination vid 14
[SPU-XGigabitEthernet0/0/1.14] ip address 30.30.30.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.14] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.14] service load-balance arp-response nat address-group 3
[SPU-XGigabitEthernet0/0/1.14] quit

Step 2 Configure links.

# Create and configure the link isp1, connected to ISP1.

[SPU] load-balance member isp1
[SPU-lb-member-isp1] ip address 20.20.20.1
[SPU-lb-member-isp1] weight 30
[SPU-lb-member-isp1] conn-limit max 10000
[SPU-lb-member-isp1] rate-limit connection 1500
[SPU-lb-member-isp1] rate-limit bandwidth inbound 100 threshold 80
[SPU-lb-member-isp1] rate-limit bandwidth outbound 100 threshold 80
[SPU-lb-member-isp1] quit

# Create and configure the link isp2, connected to ISP2.

[SPU] load-balance member isp2
[SPU-lb-member-isp2] ip address 30.30.30.1
[SPU-lb-member-isp2] weight 90
[SPU-lb-member-isp2] conn-limit max 20000
[SPU-lb-member-isp2] rate-limit connection 3000
[SPU-lb-member-isp2] rate-limit bandwidth inbound 300 threshold 80
[SPU-lb-member-isp2] rate-limit bandwidth outbound 300 threshold 80
[SPU-lb-member-isp2] quit

Step 3 Configure link health detection.

# Set the IP address of XGE 0/0/1.2 to 100.100.100.201/24 and use this interface to obtain the source IP address of the probe packets.

[SPU] interface xgigabitethernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 2 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 2
[SPU-XGigabitEthernet0/0/1.2] ip address 100.100.100.201 24
[SPU-XGigabitEthernet0/0/1.2] quit
[SPU] load-balance ip interface xgigabitethernet 0/0/1.2

# Create the ICMP probe probe1, set its response timeout to 10, its probing interval to 20, and its probing interval after a link fails to 20.

[SPU] load-balance probe probe1 icmp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] quit

Step 4 Configure a link group.

# Create the link group linkgroup1, set the forwarding mode to redirect, adopt the WRR algorithm (load-balance method roundrobin; the weights come from the link configuration in Step 2), bind probe1 to the group, add isp1 and isp2 as members, and bind NAT address pools 2 and 3 to the respective link instances.

[SPU] load-balance group linkgroup1
[SPU-lb-group-linkgroup1] forward-mode redirect
[SPU-lb-group-linkgroup1] load-balance method roundrobin
[SPU-lb-group-linkgroup1] probe probe1
[SPU-lb-group-linkgroup1] member isp1
[SPU-lb-group-linkgroup1-member-isp1] nat outbound address-group 2
[SPU-lb-group-linkgroup1-member-isp1] inservice
[SPU-lb-group-linkgroup1-member-isp1] quit
[SPU-lb-group-linkgroup1] member isp2
[SPU-lb-group-linkgroup1-member-isp2] nat outbound address-group 3
[SPU-lb-group-linkgroup1-member-isp2] inservice
[SPU-lb-group-linkgroup1-member-isp2] quit
[SPU-lb-group-linkgroup1] quit

Step 5 Configure a Layer 7 classifier.

# Create the Layer 7 classifier l7cls1 and set the matching rule to any.

[SPU] load-balance l7classifier l7cls1
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile act1, with the action load balance and the load balancing group linkgroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] group linkgroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.

# Create ACL 3000, which permits packets destined for 60.60.60.1/24.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 60.60.60.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, bind the Layer 7 classifier l7cls1 and the load balancing action profile act1 to it, and set its matching rule to ACL 3000.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.

# Create the load balancing policy lbp1 and bind the Layer 3 classifier l3cls1 to it.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.

# Apply the load balancing policy lbp1 to XGigabitEthernet 0/0/1.12.

[SPU] interface xgigabitethernet0/0/1.12
[SPU-XGigabitEthernet0/0/1.12] service load-balance policy lbp1
[SPU-XGigabitEthernet0/0/1.12] quit

Step 11 Verify the configuration.

# View the configuration of links.

[SPU] display load-balance member name isp1
Member name : isp1
Description : -
IP : 20.20.20.1
Max connection : 10000
Max connection rate : 1500
Inbound max bandwidth rate : 100(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 100(kbps)
Outbound threshold : 80%
Weight : 30
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : linkgroup1
[SPU] display load-balance member name isp2
Member name : isp2
Description : -
IP : 30.30.30.1
Max connection : 20000
Max connection rate : 3000
Inbound max bandwidth rate : 300(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 300(kbps)
Outbound threshold : 80%
Weight : 90
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : linkgroup1

# View the configuration of the link group.

[SPU] display load-balance group name linkgroup1
Group name : linkgroup1
Description : -
Method : roundrobin
Forward mode : redirect
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1
Action name : act1
Member instance name : isp1 isp2

# View the configuration of the link instances.

[SPU] display load-balance group name linkgroup1 member name isp1 verbose
Group name : linkgroup1
Member name : isp1
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max threshold : 100%
Weight : 30
Priority : 8
NAT ID : 2
Pat : Yes
Member instance ID : 0
Status : up
Inbound bytes : 0
Outbound bytes : 0
Inbound packets : 0
Outbound packets : 0
Cur-connection : 0
Closed-connections : 0
Inbound Cur-bandwidths : 0(bytes/s)
Outbound Cur-bandwidths : 0(bytes/s)
[SPU] display load-balance group name linkgroup1 member name isp2 verbose
Group name : linkgroup1
Member name : isp2
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max threshold : 100%
Weight : 90
Priority : 8
NAT ID : 3
Pat : Yes
Member instance ID : 1
Status : up
Inbound bytes : 0
Outbound bytes : 0
Inbound packets : 0
Outbound packets : 0
Cur-connection : 0
Closed-connections : 0
Inbound Cur-bandwidths : 0(bytes/s)
Outbound Cur-bandwidths : 0(bytes/s)

# View the configuration of the Layer 7 classifier.

[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description : -
Match mode : And
Match type : Any
Case flag : Sensitive

# View the configuration of the load balancing action.

[SPU] display load-balance action name act1
Action name : act1
Description : -
Action type : load-balance
Group name : linkgroup1


# View the configuration of the Layer 3 classifier.

[SPU] display load-balance l3classifier name l3cls1
L3 classifier name : l3cls1
Description : -
Acl : 3000
ICMP reply : Disable
NAT ID : -
Pat : -
Connection parameter name : -
HTTP parameter name : -
L7 classifier name : l7cls1
L7 action name : act1

# View the configuration of the load balancing policy.

[SPU] display load-balance policy name lbp1
Policy name : lbp1
Description : -
Bound interface : XGigabitEthernet0/0/1.12
Numbers of L3 classifier : 1
L3 classifier name : l3cls1
Action type : load-balance
Current group name : linkgroup1

# Simulate an enterprise user to access a website, and then view related information about link instances isp1 and isp2 on the SPU. You can view the packet statistics about isp1 and isp2. The ratio of packets about isp1 and isp2 is 1:3, indicating that user packets are load balanced on ISP1 and ISP2 according to the link weight and load balancing in WRR mode is implemented.

[SPU] display load-balance group name linkgroup1 member name isp1 verbose
[SPU] display load-balance group name linkgroup1 member name isp2 verbose

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 60.60.60.0 0.0.0.255
#
 nat address-group 2 20.20.20.3 20.20.20.200
 nat address-group 3 30.30.30.3 30.30.30.200
#
interface XGigabitEthernet0/0/1.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface XGigabitEthernet0/0/1.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 arp broadcast enable
 service load-balance policy lbp1
#
interface XGigabitEthernet0/0/1.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 20.20.20.2 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface XGigabitEthernet0/0/1.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 30.30.30.2 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 3
#
load-balance probe probe1 icmp
 interval 20
 fail-interval 20
#
load-balance member isp1
 ip address 20.20.20.1
 weight 30
 conn-limit max 10000
 rate-limit connection 1500
 rate-limit bandwidth inbound 100 threshold 80
 rate-limit bandwidth outbound 100 threshold 80
#
load-balance member isp2
 ip address 30.30.30.1
 weight 90
 conn-limit max 20000
 rate-limit connection 3000
 rate-limit bandwidth inbound 300 threshold 80
 rate-limit bandwidth outbound 300 threshold 80
#
load-balance group linkgroup1
 forward-mode redirect
 member isp1
  inservice
 member isp2
  inservice
 probe probe1
#
load-balance action act1
 group linkgroup1
#
load-balance l7classifier l7cls1
 match any
#
load-balance ip interface XGigabitEthernet0/0/1.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode

This section describes how to configure Layer 3 server load balancing in DMAC mode to improve service processing capabilities of servers.

Networking Requirements

As shown in Figure 7-9, an internal network user accesses external network servers. There are four servers, which constitute a server group. The load balancing group provides DNS services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.200:80, and the IP addresses of the four servers of Server A, Server B, Server C, and Server D are 20.20.20.1:80, 20.20.20.2:4002, 20.20.20.3:80, and 20.20.20.4:8080. The processing capabilities of each server such as the CPU, memory, and performance are different. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:

- The server with greater processing capabilities receives more service requests.

- Switch B returns the response packets of servers to users.

- After the master server fails, the load balancing device randomly selects an available server from backup servers.

Switch B is connected to GE 3/0/0 and GE 3/0/1 of Switch A and the SPU is installed in slot 5 of Switch A.

The destination IP address of the external network that the user wants to access is 60.60.60.1/24.

Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode

(Diagram labels: Host 10.10.10.2/24; SwitchA with GE3/0/0, GE3/0/1, XGE5/0/0 and XGE5/0/1; SwitchB; SPU with XGE0/0/1 and XGE0/0/2; VIP 20.20.20.200:80; ServerA 20.20.20.1:80, ServerB 20.20.20.2:4002, ServerC 20.20.20.3:80, ServerD 20.20.20.4:8080; Internet.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.

2. Configure four servers to communicate with the four real servers.

3. Configure a probe to detect the health status of the four servers.

4. Configure a server group and bind the server group to the four servers.

5. Configure a Layer 7 classifier.

6. Configure a load balancing action profile.

7. Configure an advanced ACL.

8. Configure a Layer 3 classifier.

9. Configure a load balancing policy.

10. Apply the load balancing policy to a sub-interface.

Data Preparation

To complete the configuration, you need the following data:

- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits

- Name and related parameters of the probe

- Server group name, load balancing algorithm, and forwarding mode

- Name and matching rule of the Layer 7 classifier

- Name and action of the load balancing action profile

- Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier

- Name of the load balancing policy and interface where the load balancing policy is applied

Procedure

Step 1 Configure traffic importing on SwitchA.

1. Import traffic to the SPU on SwitchA.

<Switch> system-view
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 13
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Add an interface to a VLAN on the SPU.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 20.20.20.5 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] quit

Step 2 Configure servers.

# Create servers servera, serverb, serverc, and serverd and configure them to communicate with real servers, that is, Server A, Server B, Server C, and Server D.

[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 20.20.20.1
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 20.20.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 20.20.20.3
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 20.20.20.4
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of probing packets of a probe.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface eth-trunk 0.2

# Create the TCP probe named probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.

[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.

# Create the server group named servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DMAC, and adopt the WRR algorithm.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dmac
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] failaction reassign
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit

# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.

[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit

Step 5 Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.

[SPU] load-balance l7classifier l7cls1
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile named act1 and set the action to load balance in servergroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.


# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.200/24 to pass through.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier named l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.

# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.

# Apply the load balancing policy to Eth-Trunk 0.12 of SPU.

[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 11 Verify the configuration.

# View the configurations of servers.

[SPU] display load-balance member name servera
Member name : servera
Description : -
IP : 20.20.20.1
Max connection : 8000
Max connection rate : 800
Inbound max bandwidth rate : 800(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold : 80%
Weight : 80
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverb
Member name : serverb
Description : -
IP : 20.20.20.2
Max connection : 6000
Max connection rate : 600
Inbound max bandwidth rate : 600(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold : 80%
Weight : 60
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description : -
IP : 20.20.20.3
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverd
Member name : serverd
Description : -
IP : 20.20.20.4
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1

# View the configuration of the server group.

[SPU] display load-balance group name servergroup1
Group name : servergroup1
Description : -
Method : roundrobin
Forward mode : dmac
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1
Action name : act1
Member instance name: servera serverb serverc serverd

# View the configuration of the load balancing member instance.

[SPU] display load-balance group name servergroup1 member name servera
Group name : servergroup1
Member name : servera
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 80
Priority : 8
NAT ID : -
Pat : -
Backup member instance name : serverc
[SPU] display load-balance group name servergroup1 member name serverb
Group name : servergroup1
Member name : serverb
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 60
Priority : 8
NAT ID : -
Pat : -
Backup member instance name : serverd
[SPU] display load-balance group name servergroup1 member name serverc
Group name : servergroup1
Member name : serverc
Inservice type : inservice standby
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 40
Priority : 8
NAT ID : -
Pat : -
[SPU] display load-balance group name servergroup1 member name serverd
Group name : servergroup1
Member name : serverd
Inservice type : inservice standby
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 8000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 20
Priority : 8
NAT ID : -
Pat : -

# View the configuration of the Layer 7 classifier.

[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description : -
Match mode : And
Match type : Any
Case flag : Sensitive

# View the configuration of the load balancing action.

[SPU] display load-balance action name act1
Action name : act1
Description : -
Action type : load-balance
Group name : servergroup1


# View the configuration of the Layer 3 classifier.

[SPU] display load-balance l3classifier name l3cls1
L3 classifier name : l3cls1
Description : -
Acl : 3000
ICMP reply : Disable
NAT ID : -
Pat : -
Connection parameter name : -
HTTP parameter name : -
L7 classifier name : l7cls1
L7 action name : act1

# View the configuration of the load balancing policy.

[SPU] display load-balance policy name lbp1
Policy name : lbp1
Description : -
Bound interface : Eth-Trunk 0.12
Numbers of L3 classifier : 1
L3 classifier name : l3cls1
Action type : load-balance
Current group name : servergroup1

# Simulate the internal network user at 10.10.10.2 to access the virtual IP address 20.20.20.200/24, and then view related information about servera, serverb, serverc, and serverd on SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are load balanced between Server A and Server B in WRR mode.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Disconnect the link between SPU and Server A, simulate the internal network user at 10.10.10.2 to access the virtual IP address 20.20.20.200/24, and then view related information about servera, serverb, serverc, and serverd on SPU. You can view the packet statistics about server instances servera and serverb, indicating that user packets are switched to Server C after Server A is faulty.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
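The packet ratios the verification steps expect (1:3 for isp1/isp2 with weights 30/90 in 7.6.1, 4:3 for servera/serverb with weights 80/60 here) and the switch to the backup-member once a master's probe fails can be checked against the following model. It is an added example, not Huawei code: the member names, weights and inservice/standby/backup-member settings are the ones configured above, while the smooth weighted round-robin interleaving and the assumption that an activated backup is scheduled with its own configured weight are mine.

```python
"""Model of the WRR scheduling and master/backup behaviour used in these examples.
Added illustration, not Huawei code: names, weights and the inservice /
inservice standby / backup-member semantics come from this section; the
interleaving algorithm (smooth weighted round robin) and the use of the
backup's own weight once it takes over are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    weight: int                    # "weight <n>" under load-balance member
    standby: bool = False          # "inservice standby": used only as a backup
    backup: Optional[str] = None   # "backup-member <name>" under the master
    up: bool = True                # last probe verdict


class WrrGroup:
    """A load-balance group using the roundrobin method with failaction reassign."""

    def __init__(self, members: List[Member]) -> None:
        self.members: Dict[str, Member] = {m.name: m for m in members}
        self._cur: Dict[str, int] = {}    # smooth-WRR running weights
        self.counts: Counter = Counter()  # requests served per member

    def eligible(self) -> List[Member]:
        """Members that may receive new requests now: masters whose probe is up,
        plus the backup-member of any master whose probe failed.  A standby
        member is never scheduled on its own."""
        chosen: List[Member] = []
        for m in self.members.values():
            if m.standby:
                continue
            if m.up:
                chosen.append(m)
            elif m.backup is not None and self.members[m.backup].up:
                chosen.append(self.members[m.backup])
        # forget the running weight of anything that just left the rotation
        active = {m.name for m in chosen}
        self._cur = {n: w for n, w in self._cur.items() if n in active}
        return chosen

    def pick(self) -> Member:
        """Smooth WRR: add each eligible member's weight to its running weight,
        serve the largest, then charge it the total.  Over sum(w)/gcd(w) picks
        each member is served exactly w/gcd times (80:60 -> 4:3, 30:90 -> 1:3)."""
        pool = self.eligible()
        if not pool:
            raise RuntimeError("no available member in group")
        total = sum(m.weight for m in pool)
        for m in pool:
            self._cur[m.name] = self._cur.get(m.name, 0) + m.weight
        best = pool[0]
        for m in pool:
            if self._cur[m.name] > self._cur[best.name]:
                best = m
        self._cur[best.name] -= total
        self.counts[best.name] += 1
        return best

    def probe_result(self, name: str, up: bool) -> None:
        """Record a probe1 verdict (probe mode fail-on-one: one failure suffices)."""
        self.members[name].up = up


def distribute(group: WrrGroup, requests: int) -> Dict[str, int]:
    """Push `requests` new connections through the group and return how many
    each member received in this batch."""
    before = Counter(group.counts)
    for _ in range(requests):
        group.pick()
    return {n: group.counts[n] - before[n] for n in group.members}


def servergroup1() -> WrrGroup:
    """servergroup1 from 7.6.2: weights 80/60/40/20, serverc/serverd standby."""
    return WrrGroup([
        Member("servera", 80, backup="serverc"),
        Member("serverb", 60, backup="serverd"),
        Member("serverc", 40, standby=True),
        Member("serverd", 20, standby=True),
    ])


def linkgroup1() -> WrrGroup:
    """linkgroup1 from 7.6.1: isp1 weight 30, isp2 weight 90."""
    return WrrGroup([Member("isp1", 30), Member("isp2", 90)])


if __name__ == "__main__":
    g = servergroup1()
    print("masters up:        ", distribute(g, 7))   # servera:serverb = 4:3
    g.probe_result("servera", False)                 # link to Server A cut
    print("servera probe down:", distribute(g, 5))   # serverc takes over
    print("links isp1/isp2:   ", distribute(linkgroup1(), 4))   # 1:3
```

The counts a real SPU shows in `display load-balance group ... member ... verbose` are per-packet, so the ratios hold over a full scheduling cycle rather than for any short window.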

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
 vlan batch 1 12 13
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 20.20.20.5 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 tcp
 interval 20
 fail-interval 20
 send-data hello
 expect-data hello
#
load-balance member servera
 ip address 20.20.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 20.20.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 20.20.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 20.20.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 failaction reassign
 forward-mode dmac
 member servera
  backup-member serverc
  inservice
 member serverb
  backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance action act1
 group servergroup1
#
load-balance l7classifier l7cls1
 match any
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode

This section describes how to configure Layer 3 server load balancing in NAT mode to improve service processing capabilities of servers.

Networking Requirements

As shown in Figure 7-10, a user accesses servers. There are four servers, which constitute two server groups. The load balancing group provides DNS services through a virtual IP address. The user IP address is 10.10.10.2; the virtual IP address is 20.20.20.2:80; the servers with IP addresses being 192.168.20.1 and 192.168.20.2 are located in a server group; the servers with IP addresses being 192.168.20.3 and 192.168.20.4 are located in a server group. The processing capabilities of each server such as the CPU, memory, and performance are different. The requirements are as follows:

- The server with greater processing capabilities receives more service requests.

- The return traffic of servers passes through the load balancing device.

- Services can be automatically switched between the master server and the backup server to ensure successful network access.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch.

GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode

(Diagram labels: Host 10.10.10.2/24; Switch with GE3/0/0, XGE5/0/0 and XGE5/0/1; SPU with XGE0/0/1 and XGE0/0/2; VIP 20.20.20.2:80; ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080; Internet.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.

2. Configure a NAT address pool.

3. Configure four servers to communicate with four real servers.

4. Configure a probe to detect the health status of the two server groups.

5. Configure the master and backup server groups and bind the master and backup server groups to the four servers.

6. Configure a Layer 7 classifier.

7. Configure the load balancing action profile and configure the master and backup relationship between servers.

8. Configure an advanced ACL.

9. Configure a Layer 3 classifier.

10. Configure a load balancing policy.

11. Apply the load balancing policy to a sub-interface.


Data Preparation

To complete the configuration, you need the following data:

- Network segment and index of the NAT address pool

- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits

- Name and related parameters of the probe

- Server group name, load balancing algorithm, and forwarding mode

- Name and matching rule of the Layer 7 classifier

- Load balancing action profile name, action, and master and backup server groups

- Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier

- Name of the load balancing policy and interface where the load balancing policy is applied

Procedure

Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch.

<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Add an interface to a VLAN on the Switch, and configure a NAT address pool.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.16] quit

Step 2 Configure servers.

# Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with Server A, Server B, Server C, and Server D.

[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80


[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of the probing packets of a probe.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the TCP probe named probe1, and set the response timeout of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.

[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.

# Create server groups named servergroup1 and servergroup2, bind servergroup1 to servera and serverb and servergroup2 to serverc and serverd, bind servergroup2 to probe1, set the forwarding mode to DNAT, and adopt the WRR algorithm.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] switch-threshold 80 restore-threshold 80
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] quit
[SPU] load-balance group servergroup2
[SPU-lb-group-servergroup2] forward-mode dnat
[SPU-lb-group-servergroup2] load-balance method roundrobin
[SPU-lb-group-servergroup2] probe probe1
[SPU-lb-group-servergroup2] member serverc
[SPU-lb-group-servergroup2-member-serverc] member port 80
[SPU-lb-group-servergroup2-member-serverc] inservice
[SPU-lb-group-servergroup2-member-serverc] quit
[SPU-lb-group-servergroup2] member serverd
[SPU-lb-group-servergroup2-member-serverd] member port 8080
[SPU-lb-group-servergroup2-member-serverd] inservice
[SPU-lb-group-servergroup2-member-serverd] quit
[SPU-lb-group-servergroup2] quit


Step 5 Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.

[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile named act1 and set the action to load balance in servergroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1 backup servergroup2
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.

# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.1/24 to pass through.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.

# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.

# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.

[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 11 Verify the configuration.

# View the configurations of servers.

[SPU] display load-balance member name servera
Member name : servera
Description : -
IP : 10.10.50.2
Max connection : 8000
Max connection rate : 800
Inbound max bandwidth rate : 800(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold : 80%
Weight : 80
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverb
Member name : serverb
Description : -
IP : 10.10.20.2
Max connection : 6000
Max connection rate : 600
Inbound max bandwidth rate : 600(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold : 80%
Weight : 60
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description : -
IP : 10.10.30.2
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup2
[SPU] display load-balance member name serverd
Member name : serverd
Description : -
IP : 10.10.40.2
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup2

# View the configuration of the server group.

[SPU] display load-balance group name servergroup1
Group name : servergroup1
Description : -
Method : roundrobin
Forward mode : dnat
Switch threshold : 80%
Restore threshold : 80%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1
Action name : act1
Member instance name: servera serverb
[SPU] display load-balance group name servergroup2
Group name : servergroup2
Description : -
Method : roundrobin
Forward mode : dnat
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1
Action name : act1
Member instance name: serverc serverd

# View the configuration of the server instance.

[SPU] display load-balance group name servergroup1 member name servera
Group name : servergroup1
Member name : servera
Inservice type : inservice
Port : 80
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 80
Priority : 8
NAT ID : -
Pat : -
[SPU] display load-balance group name servergroup1 member name serverb
Group name : servergroup1
Member name : serverb
Inservice type : inservice standby
Port : 4002
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 60
Priority : 8
NAT ID : -
Pat : -
[SPU] display load-balance group name servergroup2 member name serverc
Group name : servergroup2
Member name : serverc
Inservice type : inservice
Port : 80
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 40
Priority : 8
NAT ID : -
Pat : -
[SPU] display load-balance group name servergroup2 member name serverd
Group name : servergroup2
Member name : serverd
Inservice type : inservice
Port : 8080
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max bandwidth threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight : 20
Priority : 8
NAT ID : -
Pat : -

# View the configuration of the Layer 7 classifier.

[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description : -
Match mode : Or
Match type : Any
Case flag : Sensitive

# View the configuration of the load balancing action.

[SPU] display load-balance action name act1
Action name : act1
Description : -
Action type : load-balance
Group name : servergroup1
Backup name : servergroup2

# View the configuration of the Layer 3 classifier.

[SPU] display load-balance l3classifier name l3cls1
L3 classifier name : l3cls1
Description : -
Acl : 3000
ICMP Reply : Disable
NAT ID : 2
Pat : Yes
Connection Parameter Name : -
HTTP Parameter Name : -
L7 Classifier Name : l7cls1
L7 Action Name : act1

# View the configuration of the load balancing policy.

[SPU] display load-balance policy name lbp1
Policy name : lbp1
Description : -
Bound interface : Eth-Trunk 0.12
Numbers of L3 classifier : 1
L3 classifier name : l3cls1    Action type : load-balance    Current group name : servergroup1

# Simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets for servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and load balanced between Server A and Server B in WRR mode.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose

# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to servergroup2 after Server A of servergroup1 becomes faulty. The packets are load balanced between Server C and Server D according to a ratio.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose

# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can see that the packet statistics about server instances servera and serverb increase, whereas the packet statistics about server instances serverc and serverd do not. That is, user packets are switched back to servergroup1 after Server A of servergroup1 recovers, and are load balanced between Server A and Server B according to a ratio.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose
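The behaviour verified above, as an added Python model that is not part of this guide and not SPU code: member names, weights and connection limits are those configured in Steps 2 and 4, and act1 maps to servergroup1 with servergroup2 as backup. The smooth weighted round-robin scheduler and the rule "use the backup group while any primary member fails its probe" are assumptions chosen to reproduce the 4:3 ratio and the switchover described here; the model does not implement the SPU's switch-threshold/restore-threshold percentages.

```python
"""Model of WRR member selection plus primary/backup group switchover.
Added illustration, not SPU code.  Assumptions: smooth weighted round robin
as the WRR order, and 'any primary member down' as the switchover rule."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Member:
    """One 'load-balance member' (a real server)."""
    name: str
    weight: int               # weight <n>
    conn_limit: int           # conn-limit max <n>
    healthy: bool = True      # result of the last probe1 check
    cur_connections: int = 0
    _current: int = 0         # running counter for smooth WRR (assumed)

    def eligible(self) -> bool:
        # Skipped when its probe failed or its connection limit is reached.
        return self.healthy and self.cur_connections < self.conn_limit


@dataclass
class Group:
    """A 'load-balance group' using 'load-balance method roundrobin'."""
    name: str
    members: List[Member]

    def available(self) -> bool:
        # Assumption: the group is usable only while every member answers
        # its probe, which reproduces the switchover when Server A alone fails.
        return all(m.healthy for m in self.members)

    def pick(self) -> Optional[Member]:
        """Smooth weighted round robin over eligible members."""
        pool = [m for m in self.members if m.eligible()]
        if not pool:
            return None
        total = sum(m.weight for m in pool)
        for m in pool:
            m._current += m.weight
        chosen = max(pool, key=lambda m: m._current)
        chosen._current -= total
        return chosen


@dataclass
class Action:
    """'load-balance action act1': group servergroup1 backup servergroup2."""
    group: Group
    backup: Group

    def dispatch(self) -> Optional[Member]:
        target = self.group if self.group.available() else self.backup
        member = target.pick()
        if member is not None:
            member.cur_connections += 1
        return member


def build_example() -> Action:
    """Members and groups as configured in Steps 2 and 4 of this example."""
    servera = Member("servera", 80, 8000)
    serverb = Member("serverb", 60, 6000)
    serverc = Member("serverc", 40, 4000)
    serverd = Member("serverd", 20, 2000)
    return Action(Group("servergroup1", [servera, serverb]),
                  Group("servergroup2", [serverc, serverd]))


def distribute(action: Action, requests: int) -> Counter:
    """Open `requests` new connections and count which member got each."""
    hits: Counter = Counter()
    for _ in range(requests):
        m = action.dispatch()
        hits[m.name if m else "dropped"] += 1
    return hits


def set_health(action: Action, name: str, healthy: bool) -> None:
    """Simulate probe1 failing or recovering for one member."""
    for g in (action.group, action.backup):
        for m in g.members:
            if m.name == name:
                m.healthy = healthy


if __name__ == "__main__":
    act1 = build_example()
    print("normal:", distribute(act1, 7))          # servera:serverb = 4:3
    set_health(act1, "servera", False)
    print("servera down:", distribute(act1, 3))    # serverc:serverd = 2:1
    set_health(act1, "servera", True)
    print("recovered:", distribute(act1, 7))       # back to 4:3
```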

----End

Configuration Files

- Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
 nat address-group 2 100.100.100.2 100.100.100.200
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 tcp
 interval 20
 fail-interval 20
 send-data hello
 expect-data hello
#
load-balance member servera
 ip address 10.10.50.2
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 10.10.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 10.10.30.2
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 10.10.40.2
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 switch-threshold 80 restore-threshold 80
 forward-mode dnat
 member servera
  member port 80
  inservice
 member serverb
  member port 4002
  inservice
 probe probe1
#
load-balance group servergroup2
 forward-mode dnat
 member serverc
  member port 80
  inservice
 member serverd
  member port 8080
  inservice
 probe probe1
#
load-balance action act1
 group servergroup1 backup servergroup2
#
load-balance l7classifier l7cls1 or
 match any
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode

This example describes how to configure Layer 7 server load balancing in DNAT mode to improve the service processing capabilities of servers.

Networking Requirements

As shown in Figure 7-11, a user accesses servers. There are four servers, which constitute a server group. The load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses of the four servers are 192.168.20.1:80, 192.168.20.2:4002, 192.168.20.3:80, and 192.168.20.4:8080. The processing capabilities of each server, such as the CPU, memory, and performance, are different. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:

- The server with greater processing capabilities receives more service requests.
- The return traffic of servers passes through the load balancing device.
- After the master server fails, the load balancing device randomly selects an available server from the backup servers.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch.

GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode

[Diagram: Host 10.10.10.2/24 reaches the Switch through the Internet on GE3/0/0; the Switch connects to the SPU over XGE5/0/0 and XGE5/0/1 (SPU side XGE0/0/1 and XGE0/0/2); VIP 20.20.20.2:80; ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four servers to communicate with the four real servers.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the load balancing group to the four load balancing members.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.

Data Preparation

To complete the configuration, you need the following data:

- Network segment and index of the NAT address pool
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and related parameters of the sticky group
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name and matching rule of the Layer 3 classifier
- Name of the load balancing policy and interface where the load balancing policy is applied

Procedure

Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch.

<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Configure a NAT address pool on the SPU.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200

3. Add an interface to a VLAN on the SPU.

[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.16] quit

Step 2 Configure servers.

# Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with ServerA, ServerB, ServerC, and ServerD.

[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of the probing packets of a probe.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the HTTP probe probe1, and set the response timeout of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.

[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.

# Create the server group servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DNAT, and adopt the hash algorithm based on the HTTP URL.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit

# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.

[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit

Step 5 Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7cls1 and configure the matching rule to match request packets whose URL matches slbha[w|W](.*).

[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile act1 and set the action to load balance in servergroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.

# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.1/24 to pass through.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.

# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.

# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.

[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 11 Verify the configuration.

# View the configurations of servers.

[SPU] display load-balance member name servera
Member name : servera


Description : -
IP : 10.10.50.2
Max connection : 8000
Max connection rate : 800
Inbound max bandwidth rate : 800(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold : 80%
Weight : 80
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverb
Member name : serverb
Description : -
IP : 10.10.20.2
Max connection : 6000
Max connection rate : 600
Inbound max bandwidth rate : 600(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold : 80%
Weight : 60
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description : -
IP : 10.10.30.2
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverd
Member name : serverd
Description : -
IP : 10.10.40.2
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1

# View the configuration of the probe.


[SPU] display load-balance probe name probe1
Probe name : probe1
Description : -
Probe type : http
Source IP : 100.100.100.201
Destination port : -
Probe port : -
Interval : 20(s)
Retry count : 3
Fail interval : 20(s)
Fail retry count : 3
Timeout : 10(s)
Extra user : admin
Extra password : admin
Extra request type : head
Extra URL : index.html
Extra header field : Accept-Charset
Extra header value : iso-8859-5
Status code : <0-299>
Group name : servergroup1

# View the configuration of the server group.

[SPU] display load-balance group name servergroup1
Group name : servergroup1
Description : -
Method : hash url
Forward mode : dnat
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1

Member instance name: servera serverb serverc serverd

# View the configuration of the server instance.

[SPU] display load-balance group name servergroup1 member name servera verbose
Group name : servergroup1
Member name : servera
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 80
Priority : 8
NAT ID : -
Pat : -

Backup member instance name : serverc

Member instance ID : 0 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)


[SPU] display load-balance group name servergroup1 member name serverb verbose
Group name : servergroup1
Member name : serverb
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 60
Priority : 8
NAT ID : -
Pat : -

Backup member instance name : serverd

Member instance ID : 1 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
Group name : servergroup1
Member name : serverc
Inservice type : inservice standby
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 40
Priority : 8
NAT ID : -
Pat : -

Member instance ID : 2 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverd verbose
Group name : servergroup1
Member name : serverd
Inservice type : inservice standby
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 20
Priority : 8
NAT ID : -
Pat : -


Member instance ID : 3 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)

# View the configuration of the Layer 7 classifier.

[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description : -
Match mode : Or
Match type : HTTP
Case flag : Sensitive
Http URL : 1 slbha[w|W](.*)

# View the configuration of the load balancing action.

[SPU] display load-balance action name act1
Action name : act1
Description : -
Action type : load-balance
Group name : servergroup1

# View the configuration of the Layer 3 classifier.

[SPU] display load-balance l3classifier name l3cls1
L3 classifier name : l3cls1
Description : -
Acl : 3000
ICMP reply : Disable
NAT ID : 2
Pat : Yes
Connection parameter name : -
HTTP parameter name : -
L7 classifier name : l7cls1
L7 action name : act1

# View the configuration of the load balancing policy.

[SPU] display load-balance policy name lbp1
Policy name : lbp1
Description : -
Bound interface : Eth-Trunk 0.12
Numbers of L3 classifier : 1

L3 classifier name : l3cls1 Action type : load-balance Current group name : servergroup1

# Simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and are load balanced between Server A and Server B in WRR mode.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose


# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to Server C after Server A is faulty.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

----End

Configuration Files

• Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
 nat address-group 2 100.100.100.2 100.100.100.200
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance member servera
 ip address 192.168.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 192.168.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 192.168.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 192.168.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 forward-mode dnat
 member servera
  backup-member serverc
  inservice
 member serverb
  backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance action act1
 group servergroup1
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return
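A reviewer's checks on the configuration file above, as an added Python example that is not part of the Huawei guide: it parses the "#"-separated format shown, and flags the ACL scope relative to the VIP, the cleartext probe credentials, the probe's accepted status range, and the bracket class in the l7cls1 URL regex. The config excerpt is constructed from the file above; url_matches approximates the classifier with Python's re.search, which is an assumption about the SPU's matching semantics.

```python
import ipaddress
import re

# Constructed excerpt of the SPU configuration file shown above, in the same
# "#"-separated format; only the blocks this audit reads are included.
SPU_CONFIG = """\
#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance policy lbp1
 l3classifier l3cls1
#
return
"""

VIP = "20.20.20.2"  # virtual IP address from the networking requirements


def parse_sections(text):
    """Split a VRP-style configuration into (header, [indented sub-lines]) blocks."""
    sections, current = [], None
    for raw in text.splitlines():
        if raw.strip() in ("#", "return", ""):
            current = None  # "#" closes the current block
            continue
        if current is None or not raw.startswith(" "):
            current = (raw.strip(), [])
            sections.append(current)
        else:
            current[1].append(raw.strip())
    return sections


def wildcard_to_network(ip, wildcard):
    """VRP ACL rules use a wildcard (1 bit = don't care); invert it to get the prefix."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)


def audit_config(text, vip=VIP):
    """Return the findings a reviewer would raise on this load-balancing configuration."""
    findings = []
    for header, body in parse_sections(text):
        if header.startswith("acl number"):
            for line in body:
                m = re.match(r"rule \d+ permit ip destination (\S+) (\S+)$", line)
                if m:
                    net = wildcard_to_network(m.group(1), m.group(2))
                    if net.num_addresses > 1 and ipaddress.IPv4Address(vip) in net:
                        findings.append(f"{header}: rule admits all of {net}, "
                                        f"wider than the single VIP {vip}")
        elif header.startswith("load-balance probe"):
            for line in body:
                m = re.match(r"user (\S+) password (\S+)$", line)
                if m:
                    findings.append(f"{header}: probe credentials for user "
                                    f"'{m.group(1)}' are stored in cleartext")
                m = re.match(r"expect status-code min (\d+) max (\d+)$", line)
                if m and (int(m.group(1)) < 200 or int(m.group(2)) > 299):
                    findings.append(f"{header}: healthy range {m.group(1)}-{m.group(2)} "
                                    "is wider than 2xx (a 1xx reply counts as up)")
        elif header.startswith("load-balance l7classifier"):
            for line in body:
                m = re.match(r"rule \d+ match http url (\S+)$", line)
                # Inside [...] a '|' is a literal character in standard regex syntax,
                # so [w|W] also matches a URL containing a pipe after "slbha".
                if m and re.search(r"\[[^\]]*\|[^\]]*\]", m.group(1)):
                    findings.append(f"{header}: '|' inside a bracket class in "
                                    f"{m.group(1)} is a literal pipe, not alternation")
    return findings


def url_matches(pattern, url):
    """Approximate the classifier with re.search; the display output reports the
    classifier as case-sensitive. Assumption: the SPU's exact semantics are not documented here."""
    return re.search(pattern, url) is not None
```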

7.6.5 Example for Configuring Session Stickiness

This section provides an example for configuring session stickiness. With the session stickiness function, requests of the same type of users are processed by the same server, meeting e-commerce requirements of internal network users.

Networking Requirements

As shown in Figure 7-12, a user accesses servers. There are four servers, which constitute a server group. The load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses of the four servers are 192.168.20.1:80, 192.168.20.2:4002, 192.168.20.3:80, and 192.168.20.4:8080. The processing capabilities of each server, such as CPU, memory, and performance, differ. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:

• The server with greater processing capabilities receives more service requests.
• The return traffic of servers passes through the load balancing device.
• After the master server fails, the load balancing device randomly selects an available server from the backup servers.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch.

GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode

[Figure labels: Internet; Host 10.10.10.2/24; Switch GE3/0/0, XGE5/0/0, XGE5/0/1; SPU XGE0/0/1, XGE0/0/2; VIP 20.20.20.2:80; ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080]

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four servers to communicate with four real servers.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the load balancing group to the four load balancing members.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.

Data Preparation

To complete the configuration, you need the following data:


• Network segment and index of the NAT address pool
• Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
• Name and related parameters of the probe
• Server group name, load balancing algorithm, and forwarding mode
• Name and related parameters of the sticky group
• Name and matching rule of the Layer 7 classifier
• Name and action of the load balancing action profile
• Name and matching rule of the Layer 3 classifier
• Name of the load balancing policy and interface where the load balancing policy is applied

Procedure

Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Configure a NAT address pool on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200

3. Add an interface to a VLAN on the SPU.
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit


[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.16] quit

Step 2 Configure servers.

# Create servers, that is, servera, serverb, serverc, and serverd, and configure them to communicate with ServerA, ServerB, ServerC, and ServerD.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit


[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use the interface for obtaining the source IP address of the probing packets of a probe.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the HTTP probe probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.

[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.

# Create the server group servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DNAT, and adopt the hash algorithm based on the HTTP URL.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit

# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.

[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice


[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit

Step 5 Configure session stickiness.

# Create the sticky group named stickygroup1, configure a static sticky entry, and perform stickiness based on the destination IP address.

[SPU] load-balance stickygroup stickygroup1 mask 255.255.255.0 destination-ip
[SPU-lb-stickygroup-stickygroup1] group servergroup1
[SPU-lb-stickygroup-stickygroup1] static client destination 20.20.20.2 member servera
[SPU-lb-stickygroup-stickygroup1] quit

Step 6 Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7cls1 and configure the matching rule to match request packets with the URL being slbha[w|W](.*).
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit

Step 7 Configure a load balancing action profile.

# Create the load balancing action profile act1 and set the action to load balance in servergroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] stickygroup stickygroup1
[SPU-lb-action-act1] quit

Step 8 Configure an ACL.

# Create ACL 3000 to permit the packets with the destination IP address being 20.20.20.1/24 to pass through.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 9 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit

Step 10 Configure a load balancing policy.

# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 11 Apply the load balancing policy.

# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.


[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 12 Verify the configuration.

# View the configurations of servers.

[SPU] display load-balance member name servera
Member name : servera
Description : -
IP : 10.10.50.2
Max connection : 8000
Max connection rate : 800
Inbound max bandwidth rate : 800(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold : 80%
Weight : 80
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverb
Member name : serverb
Description : -
IP : 10.10.20.2
Max connection : 6000
Max connection rate : 600
Inbound max bandwidth rate : 600(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold : 80%
Weight : 60
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverc
Member name : serverc
Description : -
IP : 10.10.30.2
Max connection : 4000
Max connection rate : 400
Inbound max bandwidth rate : 400(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold : 80%
Weight : 40
Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1
[SPU] display load-balance member name serverd
Member name : serverd
Description : -
IP : 10.10.40.2
Max connection : 2000
Max connection rate : 200
Inbound max bandwidth rate : 200(kbps)
Inbound threshold : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold : 80%
Weight : 20


Priority : 8
Cur-connections : 0
Closed-connections : 0
Inbound cur-bandwidths : 0
Outbound cur-bandwidths : 0
Group name : servergroup1

# View the configuration of the probe.

[SPU] display load-balance probe name probe1
Probe name : probe1
Description : -
Probe type : http
Source IP : 100.100.100.201
Destination port : -
Probe port : -
Interval : 20(s)
Retry count : 3
Fail interval : 20(s)
Fail retry count : 3
Timeout : 10(s)
Extra user : admin
Extra password : admin
Extra request type : head
Extra URL : index.html
Extra header field : Accept-Charset
Extra header value : iso-8859-5
Status code : <0-299>
Group name : servergroup1

# View the configuration of the server group.

[SPU] display load-balance group name servergroup1
Group name : servergroup1
Description : -
Method : hash url
Forward mode : dnat
Switch threshold : 0%
Restore threshold : 0%
Fail action : default
Probe mode : fail-on-one
Probe name : probe1

Stickgroup name : stickygroup1

Member instance name: servera serverb serverc serverd

# View the configuration of the server instance.

[SPU] display load-balance group name servergroup1 member name servera verbose
Group name : servergroup1
Member name : servera
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 80
Priority : 8
NAT ID : -
Pat : -

Backup member instance name : serverc


Member instance ID : 0 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverb verbose
Group name : servergroup1
Member name : serverb
Inservice type : inservice
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 60
Priority : 8
NAT ID : -
Pat : -

Backup member instance name : serverd

Member instance ID : 1 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
Group name : servergroup1
Member name : serverc
Inservice type : inservice standby
Port : -
Max connection : 4000000
Max connection rate : -
Inbound max bandwidth rate : 1000000(kbps)
Inbound max threshold : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold : 100%
Weight : 40
Priority : 8
NAT ID : -
Pat : -

Member instance ID : 2 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)[SPU] display load-balance group name servergroup1 member name serverd verboseGroup name : servergroup1Member name : serverdInservice type : inservice standbyPort : -

Quidway S9300 Terabit Routing SwitchConfiguration Guide - SPU 7 Load Balancing Configuration

Issue 02 (2010-07-15) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

7-103

Page 310: Configuration Guide - SPU(V100R003C00_02)

Max connection : 4000000Max connection rate : -Inbound max bandwidth rate : 1000000(kbps)Inbound max threshold : 100%Outbound max bandwidth rate : 1000000(kbps)Outbound max threshold : 100%Weight : 20Priority : 8NAT ID : -Pat : -

Member instance ID : 3 Status : up Inbound bytes : 0 Outbound bytes : 0 Inbound packets : 0 Outbound packets : 0 Cur-connection : 0 Closed-connections : 0 Inbound Cur-bandwidths : 0(bytes/s) Outbound Cur-bandwidths: 0(bytes/s)

# View the configuration of stickygroup1.

[SPU] display load-balance stickygroup name stickygroup1
Stickygroup name : stickygroup1
Description : -
Sticky method : Destination IP sticky
Master group name : servergroup1
Backup group name : -
Timeout : 1440(min)
Mask length : 24
Static sticky entry num : 1

# View the configuration of the Layer 7 classifier.

[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description : -
Match mode : Or
Match type : HTTP
Case flag : Sensitive
Http URL : 1 slbha[w|W](.*)

# View the configuration of the load balancing action.

[SPU] display load-balance action name act1
Action name : act1
Description : -
Action type : sticky-load-balance
Stickygroup name : stickygroup1

# View the configuration of the Layer 3 classifier.

[SPU] display load-balance l3classifier name l3cls1
L3 classifier name : l3cls1
Description : -
Acl : 3000
ICMP reply : Disable
NAT ID : 2
Pat : Yes
Connection parameter name : -
HTTP parameter name : -
L7 classifier name : l7cls1
L7 action name : act1

# View the configuration of the load balancing policy.

[SPU] display load-balance policy name lbp1
Policy name : lbp1
Description : -
Bound interface : Eth-Trunk 0.12
Numbers of L3 classifier : 1
L3 classifier name : l3cls1
 Action type : sticky-load-balance
 Stickygroup name : stickygroup1
 Current group name : servergroup1

# Simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and are load balanced between Server A and Server B in WRR mode.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances serverc and serverd, indicating that user packets are switched to Server C after Server A is faulty.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view that the packet statistics about the server instance servera increase, indicating that Server A provides services when the user accesses 20.20.20.2. Session stickiness is implemented.

[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

----End

Configuration Files
l Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
 nat address-group 2 100.100.100.2 100.100.100.200
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance member servera
 ip address 192.168.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 192.168.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 192.168.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 192.168.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 forward-mode dnat
 member servera backup-member serverc
  inservice
 member serverb backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance stickygroup stickygroup1 mask 24 destination-ip
 group servergroup1
 static client destination 20.20.20.2 member servera
#
load-balance action act1
 stickygroup stickygroup1
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.6 Example for Configuring Standard Firewall Load Balancing

In this example, standard firewall load balancing is configured to improve the service processing capability of the firewall.

Networking Requirements

As shown in Figure 7-13, the user accesses the server through FWA and FWB (FWA and FWB are the two SPUs on SwitchB). FWA and FWB constitute a firewall group to provide external services. The IP address and VIP of the user are 20.20.20.3/24 and 3.3.3.3:80; the firewalls whose IP addresses are 7.7.61.2/24 and 10.10.61.2/24 constitute a firewall group. The processing capabilities of each firewall including the CPU usage, memory usage, and performance are different. The requirements are as follows:

l The firewall with greater processing capabilities receives more service requests.

l Any traffic received through one firewall is sent back through the same firewall.


Figure 7-13 Networking for configuring standard firewall load balancing

[Figure: Host (20.20.20.3/24, VIP 3.3.3.3:80), SwitchA, SwitchB with FWA and FWB, SwitchC, ServerA and ServerB, linked through two IP network clouds; interface labels in the figure: GE1/0/25, GE1/0/26, GE1/0/27, GE4/0/6, GE4/0/7, GE4/0/2, GE4/0/3, GE1/0/22, GE1/0/23, GE1/0/28, XGE5/0/0, XGE5/0/1, XGE0/0/1, XGE0/0/2.]

Configuration Roadmap

The configuration roadmap is as follows:

l SwitchA (level-1 load balancing device)

1. Configure traffic importing.
2. Configure two firewalls to communicate with two real firewalls.
3. Configure a firewall group, including DMAC and bundle of the preceding two firewalls.
4. Configure a Layer 7 classifier.
5. Configure a load balancing action profile and bind it to the firewall group.
6. Configure an advanced ACL.
7. Configure a Layer 3 classifier.
8. Configure a load balancing policy.
9. Apply the load balancing policy to a sub-interface.

l SwitchB (firewall device)

1. Import traffic to the firewall.
2. Configure security zones and interzone.
3. Add sub-interfaces to security zones.

l SwitchC (level-2 load balancing device)

1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure two servers to communicate with two real servers.
4. Configure a server group and bind it to the two servers.
5. Configure a Layer 7 classifier.
6. Configure a load balancing action profile and specify an action.
7. Configure an advanced ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to a sub-interface and enable MAC address stickiness.

Data Preparation

To complete the configuration, you need the following data:

l SwitchA (level-1 load balancing device)

– Firewall names

– Firewall group name and forwarding mode

– Name and matching rule of the Layer 7 classifier

– Name and action of the load balancing action profile

– Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier

– Name of the load balancing policy and interface where the load balancing policy is applied

l SwitchB (firewall device)

– Security zone names

– Interface where security zones are applied

l SwitchC (level-2 load balancing device)

– Network segment and index of the NAT address pool

– Server name

– Server group name and forwarding mode

– Name and matching rule of the Layer 7 classifier

– Name and action of the load balancing action profile

– Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier

– Name of the load balancing policy and interface where the load balancing policy is applied

Procedure

l Configure SwitchA.

1. Configure traffic importing on SwitchA.

(1) Import traffic to the SPU on SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 400 600 700
[SwitchA] interface Eth-Trunk 0
[SwitchA-Eth-Trunk0] port link-type trunk
[SwitchA-Eth-Trunk0] port trunk allow-pass vlan 400 600 700
[SwitchA-Eth-Trunk0] quit
[SwitchA] interface GigabitEthernet1/0/25
[SwitchA-GigabitEthernet1/0/25] port link-type trunk
[SwitchA-GigabitEthernet1/0/25] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/25] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/25] quit
[SwitchA] interface GigabitEthernet1/0/26
[SwitchA-GigabitEthernet1/0/26] port link-type trunk
[SwitchA-GigabitEthernet1/0/26] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/26] port trunk allow-pass vlan 600
[SwitchA-GigabitEthernet1/0/26] quit
[SwitchA] interface GigabitEthernet1/0/27
[SwitchA-GigabitEthernet1/0/27] port link-type trunk
[SwitchA-GigabitEthernet1/0/27] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/27] port trunk allow-pass vlan 700
[SwitchA-GigabitEthernet1/0/27] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] eth-Trunk 0
[SwitchA-XGigabitEthernet5/0/0] quit
[SwitchA] interface XGigabitEthernet5/0/1
[SwitchA-XGigabitEthernet5/0/1] eth-Trunk 0
[SwitchA-XGigabitEthernet5/0/1] quit

(2) Add inbound and outbound interfaces to a VLAN on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface Eth-Trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface Eth-Trunk0.5
[SPU-Eth-Trunk0.5] control-vid 400 dot1q-termination
[SPU-Eth-Trunk0.5] dot1q termination vid 400
[SPU-Eth-Trunk0.5] ip address 20.20.20.1 255.255.255.0
[SPU-Eth-Trunk0.5] arp broadcast enable
[SPU-Eth-Trunk0.5] quit
[SPU] interface Eth-Trunk0.6
[SPU-Eth-Trunk0.6] control-vid 600 dot1q-termination
[SPU-Eth-Trunk0.6] dot1q termination vid 600
[SPU-Eth-Trunk0.6] ip address 7.7.61.1 255.255.255.0
[SPU-Eth-Trunk0.6] arp broadcast enable
[SPU-Eth-Trunk0.6] quit
[SPU] interface Eth-Trunk0.7
[SPU-Eth-Trunk0.7] control-vid 700 dot1q-termination
[SPU-Eth-Trunk0.7] dot1q termination vid 700
[SPU-Eth-Trunk0.7] ip address 10.10.61.1 255.255.255.0
[SPU-Eth-Trunk0.7] arp broadcast enable
[SPU-Eth-Trunk0.7] quit
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-Trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-Trunk 0
[SPU-XGigabitEthernet0/0/2] quit

2. Configure the firewall on the SPU of SwitchA.

# Create firewalls s11 and s21 and configure them to communicate with real firewalls s11 and s21.

[SPU] load-balance member s11
[SPU-lb-member-s11] ip address 7.7.61.2
[SPU-lb-member-s11] weight 15
[SPU-lb-member-s11] priority 15
[SPU-lb-member-s11] quit
[SPU] load-balance member s21
[SPU-lb-member-s21] ip address 10.10.61.2
[SPU-lb-member-s21] weight 30
[SPU-lb-member-s21] priority 15
[SPU-lb-member-s21] quit

3. Configure a firewall group on the SPU of SwitchA.


# Create the firewall group sg11, bind sg11 to firewalls s11 and s21, and set the forwarding mode to DMAC.

[SPU] load-balance group sg11
[SPU-lb-group-sg11] forward-mode dmac
[SPU-lb-group-sg11] member s11
[SPU-lb-group-sg11-member-s11] inservice
[SPU-lb-group-sg11-member-s11] quit
[SPU-lb-group-sg11] member s21
[SPU-lb-group-sg11-member-s21] inservice
[SPU-lb-group-sg11-member-s21] quit
[SPU-lb-group-sg11] quit

4. Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.

[SPU] load-balance l7classifier l7cls1 and
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

5. Configure a load balancing action profile.

# Create the load balancing action profile act1 and set the action to load balance in sg11.

[SPU] load-balance action act1
[SPU-lb-action-act1] group sg11
[SPU-lb-action-act1] quit

6. Configure an ACL.

# Create ACL 3005 to permit the packets with the destination IP address (VIP) being 3.3.3.3/24 to pass through.

[SPU] acl number 3005
[SPU-acl-adv-3005] rule permit ip destination 3.3.3.3 0.0.0.255
[SPU-acl-adv-3005] quit

7. Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3005, and bind l3cls1 to l7cls1 and act1.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3005
[SPU-lb-l3classifier-l3cls1] quit

8. Configure a load balancing policy.

# Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

9. Apply the load balancing policy.

# Apply the load balancing policy to the sub-interface of the SPU.

[SPU] interface Eth-Trunk0.5
[SPU-Eth-Trunk0.5] service load-balance policy lbp1
[SPU-Eth-Trunk0.5] quit

l Configure SwitchB.

1. Configure traffic importing on SwitchB.

(1) Import traffic from SwitchB to SPUA, that is, FWA. SPUA is installed in slot 8.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan batch 600 800
[SwitchB] interface Eth-Trunk 0
[SwitchB-Eth-Trunk0] port link-type trunk
[SwitchB-Eth-Trunk0] port trunk allow-pass vlan 600 800
[SwitchB-Eth-Trunk0] quit
[SwitchB] interface GigabitEthernet4/0/6
[SwitchB-GigabitEthernet4/0/6] port link-type trunk
[SwitchB-GigabitEthernet4/0/6] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/6] port trunk allow-pass vlan 600
[SwitchB-GigabitEthernet4/0/6] quit
[SwitchB] interface GigabitEthernet4/0/2
[SwitchB-GigabitEthernet4/0/2] port link-type trunk
[SwitchB-GigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/2] port trunk allow-pass vlan 800
[SwitchB-GigabitEthernet4/0/2] quit
[SwitchB] interface XGigabitEthernet8/0/0
[SwitchB-XGigabitEthernet8/0/0] eth-Trunk 0
[SwitchB-XGigabitEthernet8/0/0] quit
[SwitchB] interface XGigabitEthernet8/0/1
[SwitchB-XGigabitEthernet8/0/1] eth-Trunk 0
[SwitchB-XGigabitEthernet8/0/1] quit

(2) Import traffic from SwitchB to SPUB, that is, FWB. SPUB is installed in slot 11.
[SwitchB] vlan batch 700 900
[SwitchB] interface Eth-Trunk 1
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 700 900
[SwitchB-Eth-Trunk1] quit
[SwitchB] interface GigabitEthernet4/0/7
[SwitchB-GigabitEthernet4/0/7] port link-type trunk
[SwitchB-GigabitEthernet4/0/7] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/7] port trunk allow-pass vlan 700
[SwitchB-GigabitEthernet4/0/7] quit
[SwitchB] interface GigabitEthernet4/0/3
[SwitchB-GigabitEthernet4/0/3] port link-type trunk
[SwitchB-GigabitEthernet4/0/3] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet4/0/3] port trunk allow-pass vlan 900
[SwitchB-GigabitEthernet4/0/3] quit
[SwitchB] interface XGigabitEthernet11/0/0
[SwitchB-XGigabitEthernet11/0/0] eth-Trunk 1
[SwitchB-XGigabitEthernet11/0/0] quit
[SwitchB] interface XGigabitEthernet11/0/1
[SwitchB-XGigabitEthernet11/0/1] eth-Trunk 1
[SwitchB-XGigabitEthernet11/0/1] quit

(3) Add inbound and outbound interfaces to the VLAN on SPUA and configure static routes to import traffic to the SPU of SwitchC.
<Quidway> system-view
[Quidway] sysname SPUA
[SPUA] interface Eth-Trunk 0
[SPUA-Eth-Trunk0] quit
[SPUA] interface Eth-Trunk0.5
[SPUA-Eth-Trunk0.5] control-vid 600 dot1q-termination
[SPUA-Eth-Trunk0.5] dot1q termination vid 600
[SPUA-Eth-Trunk0.5] ip address 7.7.61.2 255.255.255.0
[SPUA-Eth-Trunk0.5] arp broadcast enable
[SPUA-Eth-Trunk0.5] quit
[SPUA] interface Eth-Trunk0.6
[SPUA-Eth-Trunk0.6] control-vid 800 dot1q-termination
[SPUA-Eth-Trunk0.6] dot1q termination vid 800
[SPUA-Eth-Trunk0.6] ip address 11.11.61.1 255.255.255.0
[SPUA-Eth-Trunk0.6] arp broadcast enable
[SPUA-Eth-Trunk0.6] quit
[SPUA] interface XGigabitEthernet0/0/1
[SPUA-XGigabitEthernet0/0/1] eth-Trunk 0
[SPUA-XGigabitEthernet0/0/1] quit
[SPUA] interface XGigabitEthernet0/0/2
[SPUA-XGigabitEthernet0/0/2] eth-Trunk 0
[SPUA-XGigabitEthernet0/0/2] quit
[SPUA] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
[SPUA] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1

(4) Add inbound and outbound interfaces to the VLAN on SPUB and configure static routes to import traffic to the SPU of SwitchC.
<Quidway> system-view
[Quidway] sysname SPUB
[SPUB] interface Eth-Trunk 0
[SPUB-Eth-Trunk0] quit
[SPUB] interface Eth-Trunk 0.5
[SPUB-Eth-Trunk0.5] control-vid 700 dot1q-termination
[SPUB-Eth-Trunk0.5] dot1q termination vid 700
[SPUB-Eth-Trunk0.5] ip address 10.10.61.2 255.255.255.0
[SPUB-Eth-Trunk0.5] arp broadcast enable
[SPUB-Eth-Trunk0.5] quit
[SPUB] interface Eth-Trunk 0.6
[SPUB-Eth-Trunk0.6] control-vid 900 dot1q-termination
[SPUB-Eth-Trunk0.6] dot1q termination vid 900
[SPUB-Eth-Trunk0.6] ip address 12.12.61.1 255.255.255.0
[SPUB-Eth-Trunk0.6] arp broadcast enable
[SPUB-Eth-Trunk0.6] quit
[SPUB] interface XGigabitEthernet0/0/1
[SPUB-XGigabitEthernet0/0/1] eth-Trunk 0
[SPUB-XGigabitEthernet0/0/1] quit
[SPUB] interface XGigabitEthernet0/0/2
[SPUB-XGigabitEthernet0/0/2] eth-Trunk 0
[SPUB-XGigabitEthernet0/0/2] quit
[SPUB] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
[SPUB] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1

2. Configure firewalls on SPUA and SPUB on SwitchB.

# Configure the security zone and the interzone on SPUA.
[SPUA] firewall zone a
[SPUA-zone-a] priority 20
[SPUA-zone-a] quit
[SPUA] firewall zone b
[SPUA-zone-b] priority 50
[SPUA-zone-b] quit
[SPUA] firewall interzone b a
[SPUA-interzone-b-a] firewall enable
[SPUA-interzone-b-a] packet-filter default permit inbound
[SPUA-interzone-b-a] quit

# Configure the security zone and the interzone on SPUB.
[SPUB] firewall zone a
[SPUB-zone-a] priority 20
[SPUB-zone-a] quit
[SPUB] firewall zone b
[SPUB-zone-b] priority 50
[SPUB-zone-b] quit
[SPUB] firewall interzone b a
[SPUB-interzone-b-a] firewall enable
[SPUB-interzone-b-a] packet-filter default permit inbound
[SPUB-interzone-b-a] quit

3. Apply security zones to sub-interfaces of SPUA and SPUB on SwitchB.

# Apply security zones to sub-interfaces of SPUA.
[SPUA] interface Eth-Trunk 0.5
[SPUA-Eth-Trunk0.5] zone a
[SPUA-Eth-Trunk0.5] quit
[SPUA] interface Eth-Trunk 0.6
[SPUA-Eth-Trunk0.6] zone b
[SPUA-Eth-Trunk0.6] quit

# Apply security zones to sub-interfaces of SPUB.
[SPUB] interface Eth-Trunk 0.5
[SPUB-Eth-Trunk0.5] zone a
[SPUB-Eth-Trunk0.5] quit
[SPUB] interface Eth-Trunk 0.6
[SPUB-Eth-Trunk0.6] zone b
[SPUB-Eth-Trunk0.6] quit

l Configure SwitchC.

1. Configure traffic importing on SwitchC.

(1) Import traffic from SwitchC to the SPU. The SPU is installed in slot 2.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] vlan batch 800 900 1000
[SwitchC] interface Eth-Trunk 1
[SwitchC-Eth-Trunk1] port link-type trunk
[SwitchC-Eth-Trunk1] port trunk allow-pass vlan 800 900 1000
[SwitchC-Eth-Trunk1] quit
[SwitchC] interface GigabitEthernet1/0/22
[SwitchC-GigabitEthernet1/0/22] port link-type trunk
[SwitchC-GigabitEthernet1/0/22] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/22] port trunk allow-pass vlan 800
[SwitchC-GigabitEthernet1/0/22] quit
[SwitchC] interface GigabitEthernet1/0/23
[SwitchC-GigabitEthernet1/0/23] port link-type trunk
[SwitchC-GigabitEthernet1/0/23] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/23] port trunk allow-pass vlan 900
[SwitchC-GigabitEthernet1/0/23] quit
[SwitchC] interface GigabitEthernet1/0/28
[SwitchC-GigabitEthernet1/0/28] port link-type trunk
[SwitchC-GigabitEthernet1/0/28] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/28] port trunk allow-pass vlan 1000
[SwitchC-GigabitEthernet1/0/28] quit
[SwitchC] interface XGigabitEthernet2/0/0
[SwitchC-XGigabitEthernet2/0/0] eth-Trunk 1
[SwitchC-XGigabitEthernet2/0/0] quit
[SwitchC] interface XGigabitEthernet2/0/1
[SwitchC-XGigabitEthernet2/0/1] eth-Trunk 1
[SwitchC-XGigabitEthernet2/0/1] quit

(2) Add inbound and outbound interfaces to a VLAN on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface Eth-Trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface Eth-Trunk 0.8
[SPU-Eth-Trunk0.8] control-vid 800 dot1q-termination
[SPU-Eth-Trunk0.8] dot1q termination vid 800
[SPU-Eth-Trunk0.8] ip address 11.11.61.2 255.255.255.0
[SPU-Eth-Trunk0.8] arp broadcast enable
[SPU-Eth-Trunk0.8] quit
[SPU] interface Eth-Trunk 0.9
[SPU-Eth-Trunk0.9] control-vid 900 dot1q-termination
[SPU-Eth-Trunk0.9] dot1q termination vid 900
[SPU-Eth-Trunk0.9] ip address 12.12.61.2 255.255.255.0
[SPU-Eth-Trunk0.9] arp broadcast enable
[SPU-Eth-Trunk0.9] quit
[SPU] interface Eth-Trunk 0.10
[SPU-Eth-Trunk0.10] control-vid 1000 dot1q-termination
[SPU-Eth-Trunk0.10] dot1q termination vid 1000
[SPU-Eth-Trunk0.10] ip address 100.100.100.1 255.255.255.0
[SPU-Eth-Trunk0.10] arp broadcast enable
[SPU-Eth-Trunk0.10] quit
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-Trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-Trunk 0
[SPU-XGigabitEthernet0/0/2] quit

2. Configure a NAT address pool on the SPU.
[SPU] nat address-group 2 33.33.33.33 33.33.33.250

3. Configure servers.

# Create the servers s31 and s32 and configure them to communicate with real servers s31 and s32.

[SPU] load-balance member s31
[SPU-lb-member-s31] ip address 100.100.100.8
[SPU-lb-member-s31] quit
[SPU] load-balance member s32
[SPU-lb-member-s32] ip address 100.100.100.10
[SPU-lb-member-s32] quit

4. Configure a server group.

# Configure a server group sg31 and bind s31 and s32 to sg31.

[SPU] load-balance group sg31
[SPU-lb-group-sg31] member s31
[SPU-lb-group-sg31-member-s31] inservice
[SPU-lb-group-sg31-member-s31] quit
[SPU-lb-group-sg31] member s32
[SPU-lb-group-sg31-member-s32] inservice
[SPU-lb-group-sg31-member-s32] quit
[SPU-lb-group-sg31] quit

5. Configure a Layer 7 classifier.

# Create the Layer 7 classifier named l7 and configure the matching rule to match request packets with the URL being html.
[SPU] load-balance l7classifier l7 and
[SPU-lb-l7classifier-l7] rule 1 match http url html
[SPU-lb-l7classifier-l7] quit

6. Configure a load balancing action profile.

# Create the load balancing action profile act3 and set the action to load balance in sg31.
[SPU] load-balance action act3
[SPU-lb-action-act3] group sg31
[SPU-lb-action-act3] quit

7. Configure an ACL.

# Create ACL 3007 to permit the packets with the destination IP address being 3.3.3.3/24 to pass through.
[SPU] acl number 3007
[SPU-acl-adv-3007] rule permit ip destination 3.3.3.3 0.0.0.255
[SPU-acl-adv-3007] quit

8. Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3, set the matching rule to match ACL 3007, and bind l3 to l7 and act3.
[SPU] load-balance l3classifier l3
[SPU-lb-l3classifier-l3] l7classifier l7 action act3
[SPU-lb-l3classifier-l3] nat outbound address-group 2
[SPU-lb-l3classifier-l3] if-match acl 3007
[SPU-lb-l3classifier-l3] quit

9. Configure a load balancing policy.

# Create the load balancing policy named lp and bind lp to l3.

[SPU] load-balance policy lp
[SPU-lb-policy-lp] l3classifier l3
[SPU-lb-policy-lp] quit

10. Apply the load balancing policy and enable MAC address stickiness.

# Apply the load balancing policy to a sub-interface of the SPU and enable MAC address stickiness.
[SPU] interface Eth-Trunk 0.8
[SPU-Eth-Trunk0.8] service load-balance policy lp
[SPU-Eth-Trunk0.8] mac-sticky enable
[SPU-Eth-Trunk0.8] quit
[SPU] interface Eth-Trunk 0.9
[SPU-Eth-Trunk0.9] service load-balance policy lp
[SPU-Eth-Trunk0.9] mac-sticky enable
[SPU-Eth-Trunk0.9] quit

l Verify the configuration.

# Simulate the internal network user at 20.20.20.3 to access the VIP 3.3.3.3/24 and view information about the firewall instances s11 and s21 on the SPU of SwitchC. You can find that there are packet statistics on s11 and s21 and the packet ratio is 1:2, indicating that user packets are load balanced on s11 and s21.
[SPU] display load-balance group name sg11 member name s11 verbose
[SPU] display load-balance group name sg11 member name s21 verbose

# Disable FWA, simulate the internal network user at 20.20.20.3 to access the VIP 3.3.3.3/24 and view information about firewall instances s11 and s21 on the SPU. You can find that there are only packet statistics on s21, indicating that user packets are switched to FWB after FWA is faulty.
[SPU] display load-balance group name sg11 member name s11 verbose
[SPU] display load-balance group name sg11 member name s21 verbose

----End
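The distribution ratios and the failover behaviour that the two verification steps check (4:3 for servergroup1 with weights 80 and 60 in 7.6.5, 1:2 for sg11 with weights 15 and 30 here, the switch to the backup member when a primary fails, and the return to the static destination-IP sticky entry on recovery), as an added Python simulation that is not Huawei code and does not claim to reproduce the SPU's internal scheduler. The smooth weighted round robin and the assumption that a backup is scheduled with its own weight are this example's own.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    weight: int
    backup: Optional[str] = None  # "backup-member <name>" in the group config
    up: bool = True               # link / probe state


class WrrGroup:
    """Smooth weighted round robin over the in-service members of a group.
    A standby member only carries traffic while the primary that names it as
    backup-member is down. Assumption (not stated in the guide): a backup is
    scheduled with its own weight, not the weight of its primary."""

    def __init__(self, primaries: List[Member], standbys: List[Member]):
        self.members: Dict[str, Member] = {m.name: m for m in primaries + standbys}
        self.primaries = [m.name for m in primaries]
        self.current = {name: 0 for name in self.members}  # WRR running totals

    def set_status(self, name: str, up: bool) -> None:
        self.members[name].up = up

    def takeover(self, name: str) -> Optional[str]:
        """Who serves this primary's slot: itself if up, else its live backup."""
        m = self.members[name]
        if m.up:
            return name
        if m.backup and self.members[m.backup].up:
            return m.backup
        return None

    def pick(self) -> Optional[str]:
        """Choose the member for one new connection."""
        cands = [self.members[n] for n in map(self.takeover, self.primaries) if n]
        if not cands:
            return None
        total = sum(m.weight for m in cands)
        for m in cands:
            self.current[m.name] += m.weight
        best = max(cands, key=lambda m: self.current[m.name])
        self.current[best.name] -= total
        return best.name


class StickyGroup:
    """Destination-IP stickiness: the destination masked to /mask_len selects
    the member. A static entry wins; otherwise the first WRR decision made for
    that prefix is remembered (dynamic entry) until that member goes down."""

    def __init__(self, group: WrrGroup, mask_len: int, static: Dict[str, str]):
        self.group = group
        self.mask_len = mask_len
        self.static = {self.key(ip): m for ip, m in static.items()}
        self.dynamic: Dict[ipaddress.IPv4Network, str] = {}

    def key(self, ip: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{ip}/{self.mask_len}", strict=False)

    def select(self, dst_ip: str) -> Optional[str]:
        k = self.key(dst_ip)
        if k in self.static:  # never relearned: a down member hands over to its backup
            return self.group.takeover(self.static[k])
        remembered = self.dynamic.get(k)
        if remembered and self.group.members[remembered].up:
            return remembered
        chosen = self.group.pick()
        if chosen:
            self.dynamic[k] = chosen
        return chosen


def dispatch(group: WrrGroup, n: int) -> Counter:
    """Hand out n new connections and count which member took each one."""
    return Counter(group.pick() for _ in range(n))


def build_servergroup1() -> WrrGroup:
    """servergroup1 of 7.6.5: servera/serverb primary, serverc/serverd standby backups."""
    return WrrGroup(
        [Member("servera", 80, backup="serverc"), Member("serverb", 60, backup="serverd")],
        [Member("serverc", 40), Member("serverd", 20)])


def build_stickygroup1(group: WrrGroup) -> StickyGroup:
    """stickygroup1 of 7.6.5: mask 24, static entry 20.20.20.2 -> servera."""
    return StickyGroup(group, 24, {"20.20.20.2": "servera"})


def build_sg11() -> WrrGroup:
    """sg11 of 7.6.6: firewalls s11 (weight 15) and s21 (weight 30), no backups."""
    return WrrGroup([Member("s11", 15), Member("s21", 30)], [])
```

Seven connections on servergroup1 land 4 on servera and 3 on serverb; with servera down, serverc takes its slot, and a destination under the static entry goes back to servera as soon as it is up again.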

Configuration Files
l Configuration file of SwitchA

#
 vlan batch 1 400 600 700
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 400 to 600 700
#
interface GigabitEthernet1/0/25
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/26
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 600
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700
#
interface XGigabitEthernet5/0/0
 eth-Trunk 0
#
interface XGigabitEthernet5/0/1
 eth-Trunk 0
#
return

l Configuration file of the SPU on SwitchA

#
acl number 3005
 rule permit ip destination 3.3.3.3 0.0.0.255
#
interface Eth-Trunk 0
#
interface Eth-Trunk0.5
 control-vid 400 dot1q-termination
 dot1q termination vid 400
 ip address 20.20.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk0.6
 control-vid 600 dot1q-termination
 dot1q termination vid 600
 ip address 7.7.61.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk0.7
 control-vid 700 dot1q-termination
 dot1q termination vid 700
 ip address 10.10.61.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-Trunk 0
#
interface XGigabitEthernet0/0/2
 eth-Trunk 0
#
load-balance member s11
 ip address 7.7.61.2
 weight 15
 priority 15
#
load-balance member s21
 ip address 10.10.61.2
 weight 30
 priority 15
#
load-balance group sg11
 forward-mode dmac
 member s11
  inservice
 member s21
  inservice
#
load-balance action act1
 group sg11
#
load-balance l7classifier l7cls1 and
 match any
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3005
#
load-balance policy lbp1
 l3classifier l3cls1
#
interface Eth-Trunk0.5
 service load-balance policy lbp1
#
return

l Configuration file of SwitchB

#
 vlan batch 600 700 800 900
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 600 800
#
interface Eth-Trunk 1
 port link-type trunk
 port trunk allow-pass vlan 700 900
#
interface GigabitEthernet4/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800
#
interface GigabitEthernet4/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 900
#
interface GigabitEthernet4/0/6
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 600
#
interface GigabitEthernet4/0/7
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 700
#
interface XGigabitEthernet8/0/0
 eth-Trunk 0
#
interface XGigabitEthernet8/0/1
 eth-Trunk 0
#
interface XGigabitEthernet11/0/0
 eth-Trunk 1
#
interface XGigabitEthernet11/0/1
 eth-Trunk 1
#
return

l Configuration file of SPUA on SwitchB

#
acl number 3300
 rule 5 permit ip
#
firewall zone a
 priority 20
#
firewall zone b
 priority 50
#
firewall interzone b a
 firewall enable
 packet-filter default permit inbound
#
interface Eth-Trunk 0
#
interface Eth-Trunk0.5
 control-vid 600 dot1q-termination
 dot1q termination vid 600
 ip address 7.7.61.2 255.255.255.0
 arp broadcast enable
 zone a
#
interface Eth-Trunk0.6
 control-vid 800 dot1q-termination
 dot1q termination vid 800
 ip address 11.11.61.1 255.255.255.0
 arp broadcast enable
 zone b
#
interface XGigabitEthernet0/0/1
 eth-Trunk 0
#
interface XGigabitEthernet0/0/2
 eth-Trunk 0
#
 ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
 ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1
#
return

l Configuration file of SPUB on SwitchB

#
acl number 3300
 rule 5 permit ip
#
firewall zone a
 priority 20
#
firewall zone b
 priority 50
#
firewall interzone b a
 firewall enable
 packet-filter default permit inbound
#
interface Eth-Trunk 0
#
interface Eth-Trunk 0.5
 control-vid 700 dot1q-termination
 dot1q termination vid 700
 ip address 10.10.61.2 255.255.255.0
 arp broadcast enable
 zone a
#
interface Eth-Trunk 0.6
 control-vid 900 dot1q-termination
 dot1q termination vid 900
 ip address 12.12.61.1 255.255.255.0
 arp broadcast enable
 zone b
#
interface XGigabitEthernet0/0/1
 eth-Trunk 0
#
interface XGigabitEthernet0/0/2
 eth-Trunk 0
#
 ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
 ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1
#
return

l Configuration file of SwitchC

#
 vlan batch 800 900 1000
#
interface Eth-Trunk 1
 port link-type trunk
 port trunk allow-pass vlan 800 900 1000
#
interface GigabitEthernet1/0/22
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 800
#
interface GigabitEthernet1/0/23
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 900
#
interface GigabitEthernet1/0/28
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 1000
#
interface XGigabitEthernet2/0/0
 eth-Trunk 1
#
interface XGigabitEthernet2/0/1
 eth-Trunk 1
#
return

l Configuration file of the SPU on SwitchC

#
acl number 3007
 rule 5 permit ip
#
 nat address-group 2 33.33.33.33 33.33.33.250
#
interface Eth-Trunk 0
#
interface Eth-Trunk 0.8
 control-vid 800 dot1q-termination
 dot1q termination vid 800
 ip address 11.11.61.2 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk 0.9
 control-vid 900 dot1q-termination
 dot1q termination vid 900
 ip address 12.12.61.2 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk 0.10
 control-vid 1000 dot1q-termination
 dot1q termination vid 1000
 ip address 100.100.100.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-Trunk 0
#
interface XGigabitEthernet0/0/2
 eth-Trunk 0
#
load-balance member s31
 ip address 100.100.100.8
#
load-balance member s32
 ip address 100.100.100.10
#
load-balance group sg31
 member s31 inservice
 member s32 inservice
#
load-balance action act3
 group sg31
#
load-balance l7classifier l7 and
 rule 1 match http url html
#
load-balance l3classifier l3
 l7classifier l7 action act3
 nat outbound address-group 2
 if-match acl 3007
#
load-balance policy lp
 l3classifier l3
#
interface Eth-Trunk 0.8
 service load-balance policy lp
 mac-sticky enable
#
interface Eth-Trunk 0.9
 service load-balance policy lp
 mac-sticky enable
#
return


8 Dual-System HSB Configuration

About This Chapter

Firewalls are the nodes that the traffic must pass through on a network. If firewalls are faulty, services are interrupted on the network. The reliability of firewalls greatly affects high availability (HA) of the network. Through dual-system hot standby (HSB), the session table can be synchronized between two firewalls in real time. If a firewall is faulty, user sessions are not interrupted. The HA of user connections is thus improved.

8.1 Dual-System HSB Overview
This section describes basic concepts of dual-system HSB.

8.2 Dual-System HSB Features Supported by the SPU
This section describes the dual-system HSB features supported by the SPU.

8.3 Configuring Dual-System HSB
This section describes the application and configuration of dual-system HSB.

8.4 Maintaining Dual-System HSB
This section describes how to maintain dual-system HSB.

8.5 Configuration Examples of Dual-System HSB
This section provides several configuration examples of dual-system HSB.


8.1 Dual-System HSB Overview
This section describes basic concepts of dual-system HSB.

Firewalls are the nodes that the traffic must pass through on a network. If firewalls are faulty, services are interrupted on the network. The reliability of firewalls greatly affects HA of the network.

Through dual-system HSB, the session table can be synchronized between two firewalls in real time. If a firewall is faulty, user sessions are not interrupted. The HA of user connections is thus improved.

NOTE
A firewall can be enabled with dual-system HSB. That is, dual-system HSB can be enabled on the S9300 that supports the firewall function. The dual system and S9300 are hereinafter referred to as the FW.

To ensure HA of a user network and prevent firewall faults from affecting communication between security zones, the Virtual Router Redundancy Protocol (VRRP) is enabled between firewalls and the firewall status is synchronized between firewalls. As shown in Figure 8-1, FWA and FWB constitute a VRRP backup group that functions as a virtual FW.

l A host on the LAN only learns the IP address of the virtual FW, but does not learn IP addresses of interfaces of FWA and FWB in the VRRP backup group.

l A host on the LAN sets the default next hop address as the IP address of the virtual FW. Then the host on the LAN communicates with other networks through the virtual FW.

l In the VRRP backup group, one device is in active state, which is the master device such as FWA shown in Figure 8-1. The other device is in backup state, which is the backup device such as FWB shown in Figure 8-1.

Figure 8-1 Networking of dual-system HSB
(Diagram: a PC on the internal network reaches a Server on the Network through FWA (Master) and FWB (Backup), which form a VRRP backup group on the internal-network side and another on the Network side.)

8.2 Dual-System HSB Features Supported by the SPU
This section describes the dual-system HSB features supported by the SPU.


Supporting the Setup of the Channel Through Which Dual-System HSB Data Is Synchronized and the Heartbeat Detection Mechanism

l The channel through which dual-system HSB data is synchronized is configured between the active and standby modules.

l When the setup of the channel through which dual-system HSB data is synchronized fails, alarms are reported and logs are recorded.

l The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets can be set on the TCP channel between the active and standby modules.

l TCP connections can be set up between the active and standby modules.

l The VRRP module supports smooth switchback.

Status Information Synchronization in Batches

l After the channel through which dual-system HSB data is synchronized is set up, firewalls need to synchronize the status information in batches.

l Only the status information associated with the VRRP master device of the active firewall needs to be synchronized to the standby firewall. The active firewall instructs batch backup at the forwarding layer.

l The remote backup protocol of firewalls is supported.

l The upper-layer information between firewalls can be backed up.

l The active and standby modules of a firewall monitor the VRRP status.

l The forwarding backup module can back up the traffic forwarding table to the peer firewall.

l When the peer firewall receives the synchronized status information,
  – it generates the local status information.
  – it updates the number of TCP, UDP, and ICMP connections for the source and destination IP addresses.
  – it updates the NAT address allocation table.

Dual-System HSB Duration

l A firewall is powered on; the VRRP management group selects the master and backup devices; the traffic between security zones is filtered by the firewall. This process takes less than 10s.

l The VRRP management group is switched; the traffic between security zones is filtered by the firewall and user sessions are not interrupted. This process takes less than 2s.

l The process of firewalls synchronizing all the status information in batches takes less than 15s.

l The delay in synchronizing the status information between two HSB firewalls is less than 1s.

8.3 Configuring Dual-System HSB
This section describes the application and configuration of dual-system HSB.

8.3.1 Establishing the Configuration Task


Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

8.3.2 Enabling Dual-System HSB
You need to configure HSB actions only after dual-system HSB is enabled.

8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized
A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create the channel through which dual-system HSB data is synchronized.

8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets
If a protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall. If the firewall does not receive heartbeat packets from the peer end in the period (product of the interval for sending heartbeat packets by the number of times for retransmitting heartbeat packets), it receives an exception notification message and reestablishes a channel.

8.3.5 Checking the Configuration
After dual-system HSB between firewalls is configured successfully, you can check whether the configuration is correct and valid.

8.3.1 Establishing the Configuration Task
Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment

To ensure HA of a user network and prevent firewall faults from affecting communication between security zones, VRRP is enabled between firewalls that function as a virtual firewall, and the firewall status is synchronized between firewalls. In this manner, HSB is implemented between two firewalls and HA of user connections is ensured.

Pre-configuration Tasks

Before configuring dual-system HSB, complete the following tasks:

l Setting the firewall service on the S9300

l Setting the IP address of the sub-interface configured with the firewall service

l Configuring VRRP between firewalls

Data Preparation

To configure dual-system HSB, you need the following data.

No. | Data
1 | Number and IP address of the Eth-Trunk of the local firewall
2 | Number and IP address of the Eth-Trunk of the peer firewall
3 | ID and virtual IP address of the VRRP backup group
4 | Priorities of local and peer firewalls in the VRRP backup group

8.3.2 Enabling Dual-System HSB
You need to configure HSB actions only after dual-system HSB is enabled.

Context
When two devices are deployed at the egress of the network to protect the security of the internal network, you need to configure dual-system HSB. The channel through which dual-system HSB is synchronized can be set up only after dual-system HSB is enabled.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

hot-standby enable

Dual-system HSB is enabled.

By default, dual-system HSB is disabled.

----End

8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized

A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create the channel through which dual-system HSB data is synchronized.

Context
You need to create a TCP channel and a UDP channel between the local firewall and the peer firewall. The source and destination IP addresses and port numbers of the two channels are the same. The data to be backed up is sent to the peer device through the two channels. TCP packets are sent through the TCP channel and UDP packets are sent through the UDP channel. In this manner, dual-system HSB is implemented.

NOTE
During the creation of the TCP tunnel, the firewall automatically creates the UDP tunnel.

To modify the parameters of the channel through which dual-system HSB data is synchronized, you must delete the previous configuration and then re-set the parameters.


Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

hot-standby-group local local-ip-address peer peer-ip-address src-data-port src-port-number dst-data-port dst-port-number [ vpn-instance vpn-instance-name ]

A TCP channel is created. The UDP channel is created automatically.

l By default, the source and destination IP addresses of the channel through which dual-system HSB data is synchronized are 0.0.0.0, and the source and destination port numbers are 0.

l The parameters of the channel through which dual-system HSB data is synchronized must be set at the local end and the peer end. The source IP address, destination IP address, source port, and destination port at the local end correspond to the destination IP address, source IP address, destination port, and source port at the remote end.

l The parameters of the channel through which dual-system HSB data is synchronized take effect only after dual-system HSB is enabled.

----End

8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets

If a protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall. If the firewall does not receive heartbeat packets from the peer end in the period (product of the interval for sending heartbeat packets by the number of times for retransmitting heartbeat packets), it receives an exception notification message and reestablishes a channel.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

hot-standby-group detect fail-count fail-count interval interval

The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets of the channel between firewalls are set.

l By default, the interval for sending heartbeat packets is 10s and the number of times for retransmitting heartbeat packets is 6.

l You need to set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets at the local end and the peer end. You are advised to set the same values of the two parameters at the two ends.

l The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets take effect only after dual-system HSB is enabled.

----End
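The mirroring rule in 8.3.3, the detection window in 8.3.4 and the TCP State check in 8.4.1 can be verified offline before the boards are touched. The following Python script is an added example and is not part of this guide or of Huawei's software: it parses the hot-standby-group commands as entered on two SPUs (the sample sessions reuse the addresses and ports of the example in 8.5.1) and reports the mismatches the guide warns about; the layout of the display hot-standby configuration output it reads is assumed, since the guide names only the TCP State field.

```python
"""Sanity checks for a dual-system HSB synchronization channel (added example,
not Huawei code). Parses the hot-standby-group commands entered on two SPUs
and reports the mismatches that would keep the channel from reaching CONNECT."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Channel and heartbeat commands as documented in 8.3.3 and 8.3.4.
CHANNEL_RE = re.compile(
    r"hot-standby-group\s+local\s+(?P<local>\S+)\s+peer\s+(?P<peer>\S+)"
    r"\s+src-data-port\s+(?P<src>\d+)\s+dst-data-port\s+(?P<dst>\d+)"
    r"(?:\s+vpn-instance\s+(?P<vpn>\S+))?$"
)
DETECT_RE = re.compile(
    r"hot-standby-group\s+detect\s+fail-count\s+(?P<count>\d+)"
    r"\s+interval\s+(?P<interval>\d+)$"
)
PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")  # strips a "[S9300] " style prompt


@dataclass
class HsbConfig:
    # Defaults stated in the guide: 0.0.0.0 addresses, port 0, 10s x 6 heartbeats.
    local_ip: str = "0.0.0.0"
    peer_ip: str = "0.0.0.0"
    src_port: int = 0
    dst_port: int = 0
    vpn: Optional[str] = None
    interval: int = 10
    fail_count: int = 6
    enabled: bool = False

    @property
    def detect_window(self) -> int:
        """Seconds without heartbeats before the channel is torn down and rebuilt."""
        return self.interval * self.fail_count


def parse_hsb(session: str) -> HsbConfig:
    """Extract the HSB settings from pasted CLI lines (prompts are tolerated)."""
    cfg = HsbConfig()
    for raw in session.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if (m := CHANNEL_RE.match(line)):
            cfg.local_ip, cfg.peer_ip = m["local"], m["peer"]
            cfg.src_port, cfg.dst_port = int(m["src"]), int(m["dst"])
            cfg.vpn = m["vpn"]
        elif (m := DETECT_RE.match(line)):
            cfg.fail_count, cfg.interval = int(m["count"]), int(m["interval"])
        elif line == "hot-standby enable":
            cfg.enabled = True
    return cfg


def check_pair(a: HsbConfig, b: HsbConfig) -> List[str]:
    """Return the problems that would keep TCP State from reaching CONNECT."""
    problems = []
    for name, c in (("A", a), ("B", b)):
        if not c.enabled:
            problems.append(f"{name}: hot-standby enable missing, channel parameters do not take effect")
        if "0.0.0.0" in (c.local_ip, c.peer_ip) or 0 in (c.src_port, c.dst_port):
            problems.append(f"{name}: channel still at default address 0.0.0.0 / port 0")
    # 8.3.3: local/peer and src/dst at one end must mirror the other end.
    if (a.local_ip, a.peer_ip) != (b.peer_ip, b.local_ip):
        problems.append("local/peer IP addresses are not mirrored between A and B")
    if (a.src_port, a.dst_port) != (b.dst_port, b.src_port):
        problems.append("src/dst data ports are not mirrored between A and B")
    if a.vpn != b.vpn:
        problems.append("vpn-instance differs between A and B")
    # 8.3.4: the guide advises identical heartbeat values at both ends.
    if (a.interval, a.fail_count) != (b.interval, b.fail_count):
        problems.append("heartbeat interval/fail-count differ between A and B")
    return problems


def channel_connected(display_output: str) -> bool:
    """8.4.1 check: TCP State must be CONNECT; INITIAL/CONNECTING/LISTENING mean a faulty channel."""
    m = re.search(r"TCP State\s*:\s*([A-Z]+)", display_output)
    return bool(m) and m.group(1) == "CONNECT"


# Commands from the guide's example (SPU A / SPU B), pasted as constructed sessions.
SPU_A = """[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
[S9300] hot-standby enable"""
SPU_B = """[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
[S9300] hot-standby enable"""
# Constructed samples of the field the guide tells you to read; the exact layout of
# the display hot-standby configuration output is an assumption here.
DISPLAY_OK = "TCP State : CONNECT"
DISPLAY_BAD = "TCP State : LISTENING"

if __name__ == "__main__":
    a, b = parse_hsb(SPU_A), parse_hsb(SPU_B)
    print("detection window:", a.detect_window, "s")  # 60 s with the guide's defaults
    print("problems:", check_pair(a, b) or "none")    # both ends mirror each other
    # A typo on SPU B (wrong destination port) is caught before anyone stares at TCP State.
    typo = parse_hsb(SPU_B.replace("dst-data-port 3001", "dst-data-port 3002"))
    print("problems:", check_pair(a, typo))
    print("channel connected:", channel_connected(DISPLAY_OK), channel_connected(DISPLAY_BAD))
```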


8.3.5 Checking the Configuration
After dual-system HSB between firewalls is configured successfully, you can check whether the configuration is correct and valid.

Procedure
l Run the display hot-standby configuration command, and you can view the configuration of dual-system HSB, including:
  – The local and peer IP addresses, port numbers of the channel through which dual-system HSB data is synchronized.
  – The interval for transmitting heartbeat packets, number of times for retransmitting heartbeat packets.
  – The TCP connection status, packet transmission status.
  – The dual-system HSB status.
  – The status of active and standby devices.

----End

8.4 Maintaining Dual-System HSB
This section describes how to maintain dual-system HSB.

8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules
During the running of dual-system HSB, if the active/standby switchover cannot be performed, you can check the connectivity of the channel between the active and standby modules. This helps you analyze the cause of the fault and locate the fault.

8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules

During the running of dual-system HSB, if the active/standby switchover cannot be performed, you can check the connectivity of the channel between the active and standby modules. This helps you analyze the cause of the fault and locate the fault.

Procedure

Step 1 Run the display hot-standby configuration command on the SPU to check whether the value of TCP State is CONNECT.

If the value of TCP State is INITIAL or CONNECTING or LISTENING, it indicates that the channel between the active and standby modules is faulty. The possible cause is that the cable connected to the channel between the active and standby modules is removed or the data configuration of the channel between the active and standby modules is incorrect.

----End

8.5 Configuration Examples of Dual-System HSB
This section provides several configuration examples of dual-system HSB.


8.5.1 Example for Configuring Dual-System HSB on the S9300
This section describes how to configure dual-system HSB on the S9300 to improve the service reliability.

8.5.2 Example for Configuring Dual-System HSB Between S9300s
This section describes how to configure dual-system HSB between S9300s to improve the service reliability.

8.5.1 Example for Configuring Dual-System HSB on the S9300
This section describes how to configure dual-system HSB on the S9300 to improve the service reliability.

Networking Requirements
A firewall board is taken as an independent device. As shown in Figure 8-2, firewall boards SPU A and SPU B are installed on the same S9300 to implement the dual-system HSB function.

Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300
(Diagram: SPUA (Master) and SPUB (Backup) each bind XGE0/0/1 and XGE0/0/2 to Eth-Trunk0 and carry three sub-interfaces: Eth-Trunk0.1 (dot1q 10, inbound interface, IP 10.0.0.2/24 on SPUA and 10.0.0.3/24 on SPUB, VRRP IP 10.0.0.1), Eth-Trunk0.2 (dot1q 11, outbound interface, IP 11.0.0.2/24 and 11.0.0.3/24, VRRP IP 11.0.0.1) and Eth-Trunk0.3 (dot1q 13, VLAN 13, channel, IP 13.0.0.2/24 and 13.0.0.3/24). The MPU reaches the SPUs through Eth-Trunk0 (XGE3/0/0, XGE3/0/1) and Eth-Trunk1 (XGE5/0/0, XGE5/0/1), both carrying VLAN 10/11/13, with VLANIF10 at 10.0.0.9/24. On the LPU, GE2/0/10 (VLAN 18, VLANIF18 18.0.0.1/24) faces PCA 18.0.0.2/24 and the Server, and GE2/0/11 (VLAN 11) faces PCB 11.0.0.9/24; the FW sits between the internal network and the Network.)


Board Type | Interface Type | VLAN Type | VLANIF | IP Address | Eth-Trunk | Dot1q | VID | Virtual IP | Priority
LPU | GigabitEthernet2/0/10 | VLAN 18 | VLANIF18 | 18.0.0.1/24 | NA | NA | NA | NA | NA
LPU | GigabitEthernet2/0/11 | VLAN 11 | NA | NA | NA | NA | NA | NA | NA
MPU | XGigabitEthernet3/0/0, XGigabitEthernet3/0/1 | VLAN 10, VLAN 11, VLAN 13 | VLANIF10 | 10.0.0.9/24 | Eth-Trunk 0 | NA | NA | NA | NA
MPU | XGigabitEthernet5/0/0, XGigabitEthernet5/0/1 | VLAN 10, VLAN 11, VLAN 13 | VLANIF10 | 10.0.0.9/24 | Eth-Trunk 1 | NA | NA | NA | NA
SPUA | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | NA | 10.0.0.2/24 | Eth-Trunk0.1 | 10 | 10 | 10.0.0.1/24 | 120
SPUA | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | NA | 11.0.0.2/24 | Eth-Trunk0.2 | 11 | 11 | 11.0.0.1/24 | 120
SPUA | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | VLAN 13 | NA | 13.0.0.2/24 | Eth-Trunk0.3 | 13 | NA | NA | NA
SPUB | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | NA | 10.0.0.3/24 | Eth-Trunk0.1 | 10 | 10 | 10.0.0.1/24 | 110
SPUB | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | NA | 11.0.0.3/24 | Eth-Trunk0.2 | 11 | 11 | 11.0.0.1/24 | 110
SPUB | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | VLAN 13 | NA | 13.0.0.3/24 | Eth-Trunk0.3 | 13 | NA | NA | NA

Configuration Roadmap
The configuration roadmap is as follows:

1. Check the service type of SPUs.
2. Configure interfaces of the LPU.
3. Configure a static route on the MPU.
4. Configure interfaces of SPUs.
5. Configure VRRP.
6. Configure static routes on SPUs.
7. Configure dual-system HSB between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel through which dual-system HSB data is synchronized is set up successfully.
9. Save the configuration.

Data Preparation
To complete the configuration, you need the following data (Figure 8-2 shows the detailed data):

l GE interfaces, VLAN IDs, VLANIF interfaces, and IP addresses of the LPU

l XGE interfaces, VLAN IDs, VLANIF interfaces, IP addresses, and bound Eth-Trunks of the MPU

l XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A

l XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B

l ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B

Procedure

Step 1 Check the service type of the SPUs.

# Log in to SPU A and SPU B to check whether the service type of SPU A and SPU B is the firewall service in the system view.

<S9300> system-view
[S9300] display service-type
The service type is Firewall!

# If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.


[S9300] set service-type 1
The service type will be available after you restart the board, please restart!

Step 2 Configure interfaces of the LPU.

NOTE
By default, GE 2/0/10, GE 2/0/11, XGE 3/0/0, XGE 3/0/1, XGE 5/0/0, and XGE 5/0/1 allow packets of VLAN 1 to pass through.

# Log in to the MPU to create VLAN 10, VLAN 11, and VLAN 13, configure VLANIF 18 on GE 2/0/10 of the LPU, and set parameters of GE 2/0/10 and GE 2/0/11. Then bind XGE 3/0/0 and XGE 3/0/1 of the MPU to Eth-Trunk 0, and bind XGE 5/0/0 and XGE 5/0/1 of the MPU to Eth-Trunk 1.

[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface vlanif 18
[MPU-Vlanif18] ip address 18.0.0.1 24
[MPU-Vlanif18] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] port link-type trunk
[MPU-GigabitEthernet2/0/10] port trunk allow-pass vlan 18
[MPU-GigabitEthernet2/0/10] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] port link-type trunk
[MPU-GigabitEthernet2/0/11] port trunk allow-pass vlan 11
[MPU-GigabitEthernet2/0/11] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface vlanif 10
[MPU-VLANIF10] ip address 10.0.0.9 24
[MPU-VLANIF10] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk1] port trunk allow-pass vlan 13
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit
[MPU] interface xgigabitethernet 5/0/0
[MPU-XGigabitEthernet5/0/0] eth-trunk 1
[MPU-XGigabitEthernet5/0/0] quit
[MPU] interface xgigabitethernet 5/0/1
[MPU-XGigabitEthernet5/0/1] eth-trunk 1
[MPU-XGigabitEthernet5/0/1] quit

Step 3 Configure a static route on the MPU.

# Log in to the MPU to configure a static route.

[MPU] ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1


Step 4 Configure interfaces of SPUs.

# Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.

[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit

Step 5 Configure VRRP.

# Log in to SPU A.

l Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120.

l Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120.

l Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set parameters of Eth-Trunk 0.3.

[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit

# Log in to SPU B.

l Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 110.

l Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 110.

l Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set parameters of Eth-Trunk 0.3.


[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit

Step 6 Configure static routes on SPUs.

# Log in to SPU A to configure a static route.

[S9300-A] ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9

# Log in to SPU B to configure a static route.

[S9300-B] ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9

Step 7 Configure the channel between SPU A and SPU B.

# Log in to SPU A to set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port number to 3001, and the destination port number to 4001 for the channel through which dual-system HSB data is synchronized.

[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
[S9300] hot-standby enable

# Log in to SPU B to set the source IP address to 13.0.0.3, the destination IP address to 13.0.0.2, the source port number to 4001, and the destination port number to 3001 for the channel through which dual-system HSB data is synchronized.

[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
[S9300] hot-standby enable

Step 8 Verify the configuration.

NOTE

l If the value of State of SPU A is Master and the value of State of SPU B is Backup, it indicates that VRRP negotiation is correct.

l If the value of TCP State of the SPU is CONNECT, it indicates that the channel between SPU A and SPU B is set up successfully.

# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.


[S9300-A] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Master
Virtual IP : 10.0.0.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0164
Check TTL : YES
Config type : admin-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State : Master
Virtual IP : 11.0.0.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0165
Check TTL : YES
Config type : member-vrrp
Config track link-bfd down-number : 0
[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.2
Peer IP Address : 13.0.0.3
Source port : 3001
Destination port : 4001
Vpn Instance name : NULL
Keep Alive Time : 10
Fail Count : 6
Delete State : NO
Used State : YES
Enable State : YES
TCP State : CONNECT
Master Backup State : START
Slave Backup State : START
Packet State : INITIAL

# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.

[S9300-B] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Backup
Virtual IP : 10.0.0.1
PriorityRun : 110
PriorityConfig : 110
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0164
Check TTL : YES
Config type : admin-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State : Backup
Virtual IP : 11.0.0.1
PriorityRun : 110
PriorityConfig : 110
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0165
Check TTL : YES
Config type : member-vrrp
Config track link-bfd down-number : 0
[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.3
Peer IP Address : 13.0.0.2
Source port : 4001
Destination port : 3001
Vpn Instance name : NULL
Keep Alive Time : 10
Fail Count : 6
Delete State : NO
Used State : YES
Enable State : YES
TCP State : CONNECT
Master Backup State : START
Slave Backup State : START
Packet State : INITIAL

Step 9 Save the configuration.

# Log in to the MPU and run the following command in the user view to save the configuration:

<MPU> save

# Log in to the SPU and run the following command in the user view to save the configuration:

<S9300> save

----End

Configuration Files

l Configuration file of the MPU

#
vlan batch 1 10 to 11 13 18
#
interface vlanif 18
 ip address 18.0.0.1 24
#
interface gigabitethernet 2/0/10
 port link-type trunk
 port trunk allow-pass vlan 18
 undo port trunk allow-pass vlan 1
#
interface gigabitethernet 2/0/11
 port link-type trunk
 port trunk allow-pass vlan 11
 undo port trunk allow-pass vlan 1
#
interface vlanif 10
 ip address 10.0.0.9 24
#
interface eth-trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface eth-trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface xgigabitethernet3/0/0
 eth-trunk 0
#
interface xgigabitethernet3/0/1
 eth-trunk 0
#
interface xgigabitethernet5/0/0
 eth-trunk 1
#
interface xgigabitethernet5/0/1
 eth-trunk 1
#
ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1
#
return
#
save

l Configuration file of S9300 A

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.2 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 admin-vrrp vrid 10
 vrrp vrid 10 priority 120
 arp broadcast enable
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.2 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
 vrrp vrid 11 priority 120
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.2 24
 arp broadcast enable
#
ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9
#
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
#
return
#
save

l Configuration file of S9300 B

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.3 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 admin-vrrp vrid 10
 vrrp vrid 10 priority 110
 arp broadcast enable
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.3 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
 vrrp vrid 11 priority 110
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.3 24
 arp broadcast enable
#
ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9
#
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
#
return
#
save

8.5.2 Example for Configuring Dual-System HSB Between S9300s

This section describes how to configure dual-system HSB between S9300s to improve the service reliability.

Networking Requirements

A firewall board is taken as an independent device. As shown in Figure 8-3, firewall boards SPU A and SPU B are installed on two different S9300s and are connected to interfaces GE 2/0/13 of LPU A and LPU B through cables to implement the dual-system HSB function.


Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s

[Figure 8-3 (diagram not reproduced in this text). It shows SPU A (FW A: Master) and SPU B (FW B: Backup) on two S9300s. On each SPU, XGE0/0/1 and XGE0/0/2 form Eth-Trunk0 with subinterfaces Eth-Trunk0.1 (dot1q 10; IP 10.0.0.2/24 on SPU A, 10.0.0.3/24 on SPU B; VRRP IP 10.0.0.1), Eth-Trunk0.2 (dot1q 11; IP 11.0.0.2/24 on SPU A, 11.0.0.3/24 on SPU B; VRRP IP 11.0.0.1) and Eth-Trunk0.3 (dot1q 13, VLAN 13; IP 13.0.0.2/24 on SPU A, 13.0.0.3/24 on SPU B). On each MPU, XGE3/0/0 and XGE3/0/1 form Eth-Trunk0 carrying VLAN 10/11/13. On each LPU, GE2/0/10 carries VLAN 10, GE2/0/11 carries VLAN 11, and GE2/0/13 carries VLAN 13. The diagram also shows the Network/PC side and the Internal network/Server side. Legend: interface, inbound interface, outbound interface, channel.]

Board Type | Interface | VLAN Type | IP Address | Eth-Trunk | Dot1q VID | VRRP VID | Virtual IP Address | Priority
---------- | --------- | --------- | ---------- | --------- | --------- | -------- | ------------------ | --------
LPU A | GigabitEthernet2/0/10 | VLAN10 | NA | Eth-Trunk 1 | NA | NA | NA | NA
LPU A | GigabitEthernet2/0/11 | VLAN11 | NA | Eth-Trunk 2 | NA | NA | NA | NA
LPU A | GigabitEthernet2/0/13 | VLAN13 | NA | NA | NA | NA | NA | NA
LPU B | GigabitEthernet2/0/10 | VLAN10 | NA | Eth-Trunk 1 | NA | NA | NA | NA
LPU B | GigabitEthernet2/0/11 | VLAN11 | NA | Eth-Trunk 2 | NA | NA | NA | NA
LPU B | GigabitEthernet2/0/13 | VLAN13 | NA | NA | NA | NA | NA | NA
MPU A | XGigabitEthernet3/0/0, XGigabitEthernet3/0/1 | VLAN10, VLAN11, VLAN13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
MPU B | XGigabitEthernet3/0/0, XGigabitEthernet3/0/1 | VLAN10, VLAN11, VLAN13 | NA | Eth-Trunk 0 | NA | NA | NA | NA
SPU A | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | 10.0.0.2/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 120
SPU A | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | 11.0.0.2/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 120
SPU A | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | VLAN13 | 13.0.0.2/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA
SPU B | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | 10.0.0.3/24 | Eth-Trunk 0.1 | 10 | 10 | 10.0.0.1/24 | 110
SPU B | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | NA | 11.0.0.3/24 | Eth-Trunk 0.2 | 11 | 11 | 11.0.0.1/24 | 110
SPU B | XGigabitEthernet0/0/1, XGigabitEthernet0/0/2 | VLAN13 | 13.0.0.3/24 | Eth-Trunk 0.3 | 13 | NA | NA | NA

Configuration Roadmap

The configuration roadmap is as follows:


1. Check whether interfaces of LPUs are in Up state.
2. Check the service type of the SPUs.
3. Configure interfaces of the LPUs.
4. Configure a TCP link.
5. Configure interfaces of SPUs.
6. Configure VRRP.
7. Configure the channel between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
9. Save the configuration.

Data Preparation

To complete the configuration, you need the following data (Figure 8-3 shows the detailed data):

l GE interfaces, VLAN IDs, and bound Eth-Trunks of LPU A and LPU B

l GE interfaces, VLAN IDs, and bound Eth-Trunks of MPU A and MPU B

l XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A

l XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B

l ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B

Procedure

Step 1 Check whether interfaces of LPUs are in Up state.

# Log in to MPU A and MPU B to check whether interfaces GE 2/0/13 of LPU A and LPU B are in Up state. If interfaces GE 2/0/13 of LPU A and LPU B are in Down state, use cables to connect LPU A and LPU B of the two firewalls.

[MPU] display interface brief
GigabitEthernet2/0/10 up up 0% 0% 0 0
GigabitEthernet2/0/11 up up 0% 0% 0 0
GigabitEthernet2/0/12 down down 0% 0% 0 0
GigabitEthernet2/0/13 up up 0% 0% 0 0
GigabitEthernet2/0/14 down down 0% 0% 0 0
GigabitEthernet2/0/15 down down 0% 0% 0 0
GigabitEthernet2/0/16 down down 0% 0% 0 0

Step 2 Check the service type of the SPUs.

# Log in to SPU A and SPU B to check whether the service type of SPU A and SPU B is the firewall service in the system view.

<S9300> system-view
[S9300] display service-type
The service type is Firewall!

# If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.


[S9300] set service-type 1
The serivce type will be availble after you restart the board, please restart!

Step 3 Configure interfaces of the LPUs.

NOTE

By default, GE 2/0/10, GE 2/0/11, GE 2/0/13, XGE 3/0/0, and XGE 3/0/1 allow packets of VLAN 1 to pass through.

# Log in to MPU A and MPU B to create VLAN 10, VLAN 11, and VLAN 13, bind GE 2/0/10 on LPU A and GE 2/0/11 on LPU B to Eth-Trunk 1 and Eth-Trunk 2 respectively, and bind XGE 3/0/0 on MPU A and XGE 3/0/1 on MPU B to Eth-Trunk 0.

[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface eth-trunk2
[MPU-Eth-Trunk2] port link-type trunk
[MPU-Eth-Trunk2] port trunk allow-pass vlan 11
[MPU-Eth-Trunk2] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk2] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] eth-trunk 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] eth-trunk 2
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit

Step 4 Configure a TCP link.

# Log in to MPU A and MPU B to configure interfaces GE 2/0/13 as interfaces of the TCP link.

[MPU] interface gigabitethernet 2/0/13
[MPU-GigabitEthernet2/0/13] port link-type trunk
[MPU-GigabitEthernet2/0/13] port trunk allow-pass vlan 13
[MPU-GigabitEthernet2/0/13] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/13] quit

Step 5 Configure interfaces of SPUs.

# Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.

[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit

Step 6 Configure VRRP.

# Log in to SPU A.

l Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120.

l Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120.

l Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set parameters of Eth-Trunk 0.3.

[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit

# Log in to SPU B.

l Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 110.

l Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 110.

l Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set parameters of Eth-Trunk 0.3.

[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit

Step 7 Configure the channel between SPU A and SPU B.

# Log in to SPU A to set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port number to 3001, and the destination port number to 4001 for the channel through which dual-system HSB data is synchronized.

[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1

# Log in to SPU B to set the source IP address to 13.0.0.3, the destination IP address to 13.0.0.2, the source port number to 4001, and the destination port number to 3001 for the channel through which dual-system HSB data is synchronized.

[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1

Step 8 Verify the configuration.

NOTE

l If the value of State of SPU A is Master and the value of State of SPU B is Backup, it indicates that VRRP negotiation is correct.

l If the value of TCP State of the SPUs is CONNECT, it indicates that the channel between SPU A and SPU B is set up successfully.

# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.

[S9300-A] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Master
Virtual IP : 10.0.0.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 3
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0164
Check TTL : YES
Config type : member-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State : Master
Virtual IP : 11.0.0.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES
Delay Time : 3
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0165
Check TTL : YES
Config type : admin-vrrp
Config track link-bfd down-number : 0
[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.2
Peer IP Address : 13.0.0.3
Source port : 3001
Destination port : 4001
Vpn Instance name : NULL
Keep Alive Time : 1
Fail Count : 20
Delete State : NO
Used State : YES
Enable State : YES
TCP State : CONNECT
Master Backup State : START
Slave Backup State : START
Packet State : INITIAL

# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.

[S9300-B] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Backup
Virtual IP : 10.0.0.1
PriorityRun : 110
PriorityConfig : 110
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0164
Check TTL : YES
Config type : member-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State : Backup
Virtual IP : 11.0.0.1
PriorityRun : 110
PriorityConfig : 110
MasterPriority : 120
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0165
Check TTL : YES
Config type : admin-vrrp
Config track link-bfd down-number : 0
[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.3
Peer IP Address : 13.0.0.2
Source port : 4001
Destination port : 3001
Vpn Instance name : NULL
Keep Alive Time : 1
Fail Count : 20
Delete State : NO
Used State : YES
Enable State : YES
TCP State : CONNECT
Master Backup State : START
Slave Backup State : START
Packet State : INITIAL
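The Step 8 checks in this example and in 8.5.1 are the same: SPU A must show State Master, SPU B State Backup, and both must show TCP State CONNECT. The following helper is an added example, not part of the Huawei guide: it parses the display vrrp and display hot-standby configuration output of both SPUs and applies those checks, adding a cross-check that the channel endpoints (local/peer address, source/destination port) mirror each other. The function names, the constructed sample output, and the treatment of Auth Type NONE as a warning are this example's own.

```python
"""Check the Step 8 outputs of both SPUs against the rules the guide states:
SPU A Master, SPU B Backup, TCP State CONNECT. Added example (not Huawei
code); the sample output below is constructed in the guide's display format."""
import re

_VRRP_HDR = re.compile(r"^(\S+)\|Virtual Router (\d+)$")  # "Eth-Trunk0.1|Virtual Router 10"
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(.*?)\s*$")  # "Key : Value"


def parse_vrrp(text):
    """Return {(interface, vrid): {field: value}} from 'display vrrp' output."""
    groups, current = {}, None
    for line in text.splitlines():
        hdr = _VRRP_HDR.match(line.strip())
        if hdr:
            current = (hdr.group(1), int(hdr.group(2)))
            groups[current] = {}
        elif current is not None and (kv := _KV.match(line)):
            groups[current][kv.group(1)] = kv.group(2)
    return groups


def parse_hot_standby(text):
    """Return {field: value}; the command echo and dashed banner never match."""
    return {kv.group(1): kv.group(2)
            for kv in map(_KV.match, text.splitlines()) if kv}


def check_hsb_pair(a_vrrp, a_hsb, b_vrrp, b_hsb):
    """Return (errors, warnings); empty errors means the Step 8 checks pass."""
    errors, warnings = [], []
    ga, gb = parse_vrrp(a_vrrp), parse_vrrp(b_vrrp)
    if not ga or set(ga) != set(gb):
        errors.append("VRRP backup groups differ between SPU A and SPU B")
    for key in ga.keys() & gb.keys():
        fa, fb, name = ga[key], gb[key], f"{key[0]} vrid {key[1]}"
        if fa.get("State") != "Master":
            errors.append(f"SPU A {name}: State {fa.get('State')}, expected Master")
        if fb.get("State") != "Backup":
            errors.append(f"SPU B {name}: State {fb.get('State')}, expected Backup")
        # The backup must report the master's running priority
        if fb.get("MasterPriority") != fa.get("PriorityRun"):
            errors.append(f"{name}: SPU B MasterPriority != SPU A PriorityRun")
        if fa.get("Auth Type") == "NONE":  # hardening observation, not a failure
            warnings.append(f"{name}: VRRP advertisements are unauthenticated")
    ha, hb = parse_hot_standby(a_hsb), parse_hot_standby(b_hsb)
    for side, h in (("SPU A", ha), ("SPU B", hb)):
        if h.get("TCP State") != "CONNECT":
            errors.append(f"{side}: TCP State {h.get('TCP State')}, expected CONNECT")
    # Channel endpoints must mirror each other: local/peer IP and src/dst port
    for x, y in (("Local IP Address", "Peer IP Address"),
                 ("Source port", "Destination port")):
        if ha.get(x) != hb.get(y) or ha.get(y) != hb.get(x):
            errors.append(f"HSB channel {x} / {y} not mirrored between SPUs")
    return errors, warnings


# Constructed sample output in the guide's format (not captured from a device)
SPU_A_VRRP = """[S9300-A] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Master
PriorityRun : 120
MasterPriority : 120
Auth Type : NONE
"""
SPU_B_VRRP = """[S9300-B] display vrrp
Eth-Trunk0.1|Virtual Router 10
State : Backup
PriorityRun : 110
MasterPriority : 120
Auth Type : NONE
"""
SPU_A_HSB = """[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.2
Peer IP Address : 13.0.0.3
Source port : 3001
Destination port : 4001
TCP State : CONNECT
"""
SPU_B_HSB = """[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION--------------------
Local IP Address : 13.0.0.3
Peer IP Address : 13.0.0.2
Source port : 4001
Destination port : 3001
TCP State : CONNECT
"""

if __name__ == "__main__":
    errs, warns = check_hsb_pair(SPU_A_VRRP, SPU_A_HSB, SPU_B_VRRP, SPU_B_HSB)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Feed it the real output of both SPUs captured from the CLI; a mismatched port pair or a Backup/Backup split that the two separate display commands would not reveal side by side is reported as an error.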

Step 9 Save the configuration.

# Log in to the MPU and run the following command in the user view to save the configuration:

<MPU> save

# Log in to the SPU and run the following command in the user view to save the configuration:

<S9300> save

----End

Configuration Files

l Configuration file of MPU A and MPU B

#
vlan batch 1 10 to 11 13 18
#
interface eth-trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface eth-trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 undo port trunk allow-pass vlan 1
#
interface eth-trunk2
 port link-type trunk
 port trunk allow-pass vlan 11
 undo port trunk allow-pass vlan 1
#
interface gigabitethernet2/0/10
 eth-trunk 1
#
interface gigabitethernet2/0/11
 eth-trunk 2
#
interface xgigabitethernet3/0/0
 eth-trunk 0
#
interface xgigabitethernet3/0/1
 eth-trunk 0
#
interface gigabitethernet2/0/13
 port link-type trunk
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#

return
#
save

l Configuration file of S9300 A

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.2 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 admin-vrrp vrid 11
 vrrp vrid 11 priority 120
 arp broadcast enable
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.2 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
 vrrp vrid 10 priority 120
 vrrp vrid 10 preempt-mode timer delay 3
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.2 24
 arp broadcast enable
#
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
#
return
#
save

l Configuration file of S9300 B

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.3 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 admin-vrrp vrid 11
 vrrp vrid 11 priority 110
 arp broadcast enable
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.3 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
 vrrp vrid 10 priority 110
 vrrp vrid 10 preempt-mode timer delay 3
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.3 24
 arp broadcast enable
#
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
#
return
#
save
