
Quidway S9300 Terabit Routing Switch V100R003C00

Configuration Guide - SPU


Issue 02
Date 2010-07-15

HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2010. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied. The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Issue 02 (2010-07-15)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

About This Document


Intended Audience
This document provides the concepts, configuration procedures, and configuration examples supported by the S9300 SPU. This document is intended for:

- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol   Description
DANGER   Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING  Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION  Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP      Indicates a tip that may help you solve a problem or save time.
NOTE     Provides additional information to emphasize or supplement important points of the main text.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention         Description
Boldface           The keywords of a command line are in boldface.
Italic             Command arguments are in italics.
[ ]                Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }    Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]    Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>             The parameter before the & sign can be repeated 1 to n times.
#                  A line starting with the # sign is a comment.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 02 (2010-07-15)


Compared with Issue 01, this issue contains the following change: the application of firewall load balancing is added.

Updates in Issue 01 (2010-04-30)


Initial commercial release.

Contents
About This Document ..... iii
1 Configuration Differences Between SPU and S9300 ..... 1-1
1.1 Configuration Differences ..... 1-3
1.2 Basic Configuration Differences ..... 1-3
1.3 Ethernet Configuration Differences ..... 1-4
1.4 IP Service Configuration Differences ..... 1-5
1.5 IP Routing Configuration Differences ..... 1-7
1.6 QoS Configuration Differences ..... 1-10
1.7 Security Configuration Differences ..... 1-11
1.8 Reliability Configuration Differences ..... 1-13
1.9 Device Management Configuration Differences ..... 1-14
1.10 Network Management Differences ..... 1-15
1.11 VPN Configuration Differences ..... 1-18

2 SPU Pre-Configuration ..... 2-1
2.1 Overview of the SPU Pre-Configuration ..... 2-2
2.2 Configuring a Service Type ..... 2-3
2.2.1 Establishing the Configuration Task ..... 2-3
2.2.2 Configuring a Service Type ..... 2-3
2.2.3 Checking the Configuration ..... 2-4
2.3 Configuring Layer 2 Flow Import ..... 2-4
2.3.1 Establishing the Configuration Task ..... 2-4
2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated ..... 2-6
2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated ..... 2-6
2.4 Configuring Layer 3 Flow Import ..... 2-6
2.4.1 Establishing the Configuration Task ..... 2-7
2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated ..... 2-9
2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated ..... 2-9
2.5 Configuring Traffic Mirroring ..... 2-9
2.5.1 Establishing the Configuration Task ..... 2-9
2.5.2 Configuring Traffic Mirroring ..... 2-10

3 Firewall Configuration ..... 3-1
3.1 Firewall Overview ..... 3-3
3.2 Firewall Features Supported by the SPU ..... 3-3
3.3 Configuring Zones ..... 3-9
3.3.1 Establishing the Configuration Task ..... 3-10
3.3.2 Creating a Zone ..... 3-10
3.3.3 Adding an Interface to the Zone ..... 3-11
3.3.4 Creating an Interzone ..... 3-11
3.3.5 Enabling Firewall in the Interzone ..... 3-12
3.3.6 Checking the Configuration ..... 3-12
3.4 Configuring the Packet Filtering Firewall ..... 3-13
3.4.1 Establishing the Configuration Task ..... 3-13
3.4.2 Configuring ACL-based Packet Filtering in an Interzone ..... 3-14
3.4.3 Checking the Configuration ..... 3-14
3.5 Configuring the Blacklist ..... 3-15
3.5.1 Establishing the Configuration Task ..... 3-15
3.5.2 Enabling the Blacklist Function ..... 3-16
3.5.3 Adding IP Addresses to the Blacklist Manually ..... 3-16
3.5.4 Checking the Configuration ..... 3-17
3.6 Configuring the Whitelist ..... 3-17
3.6.1 Establishing the Configuration Task ..... 3-18
3.6.2 Adding Entries to the Whitelist ..... 3-18
3.6.3 Checking the Configuration ..... 3-19
3.7 Configuring ASPF ..... 3-19
3.7.1 Establishing the Configuration Task ..... 3-20
3.7.2 Configuring ASPF Detection ..... 3-20
3.7.3 Checking the Configuration ..... 3-21
3.8 Configuring Port Mapping ..... 3-21
3.8.1 Establishing the Configuration Task ..... 3-21
3.8.2 Configuring Port Mapping ..... 3-22
3.8.3 Checking the Configuration ..... 3-23
3.9 Configuring the Aging Time of the Firewall Session Table ..... 3-23
3.9.1 Establishing the Configuration Task ..... 3-23
3.9.2 Configuring the Aging Time of the Firewall Session Table ..... 3-24
3.9.3 Checking the Configuration ..... 3-24
3.10 Configuring the Transparent Firewall ..... 3-25
3.10.1 Establishing the Configuration Task ..... 3-25
3.10.2 Configuring the Transparent Firewall ..... 3-26
3.10.3 Checking the Configuration ..... 3-27
3.11 Configuring the Attack Defense Function ..... 3-27
3.11.1 Establishing the Configuration Task ..... 3-28
3.11.2 Enabling the Attack Defense Function ..... 3-28
3.11.3 Setting the Parameters of Flood Attack Defense ..... 3-31
3.11.4 Configuring Large ICMP Packet Attack Defense ..... 3-32
3.11.5 Setting Parameters of Scanning Attack Defense ..... 3-32
3.11.6 Checking the Configuration ..... 3-33
3.12 Configuring Traffic Statistics and Monitoring ..... 3-33
3.12.1 Establishing the Configuration Task ..... 3-34
3.12.2 Enabling Traffic Statistics and Monitoring ..... 3-35
3.12.3 Setting the Session Thresholds ..... 3-36
3.12.4 Checking the Configuration ..... 3-37
3.13 Configuring the Log Function ..... 3-39
3.13.1 Establishing the Configuration Task ..... 3-39
3.13.2 Enabling the Log Function on the Firewall ..... 3-40
3.13.3 Setting the Parameters of Logs ..... 3-40
3.13.4 Checking the Configuration ..... 3-41
3.14 Maintaining the Firewall ..... 3-42
3.14.1 Displaying the Firewall Configuration ..... 3-42
3.14.2 Clearing the Statistics of the Firewall ..... 3-43
3.15 Configuration Examples ..... 3-43
3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall ..... 3-44
3.15.2 Example for Configuring ASPF and Port Mapping ..... 3-47
3.15.3 Example for Configuring the Blacklist ..... 3-51
3.15.4 Example for Configuring the Transparent Firewall ..... 3-55

4 NAT Configuration ..... 4-1
4.1 NAT Overview ..... 4-2
4.2 NAT Features Supported by the SPU ..... 4-3
4.3 Configuring NAT ..... 4-6
4.3.1 Establishing the Configuration Task ..... 4-7
4.3.2 Configuring an Address Pool ..... 4-8
4.3.3 Associating an ACL with an Address Pool ..... 4-8
4.3.4 Configuring Easy IP ..... 4-9
4.3.5 Configuring an Internal NAT Server ..... 4-9
4.3.6 Configuring Static NAT ..... 4-10
4.3.7 Enabling NAT ALG ..... 4-10
4.3.8 Configuring DNS Mapping ..... 4-11
4.3.9 Configuring Twice NAT ..... 4-11
4.3.10 Checking the Configuration ..... 4-12
4.4 Configuration Examples ..... 4-14
4.4.1 Example for Configuring the NAT Server ..... 4-14
4.4.2 Example for Configuring Static NAT ..... 4-18
4.4.3 Example for Configuring Outbound NAT ..... 4-21
4.4.4 Example for Configuring Twice NAT ..... 4-25

5 IPSec Configuration ..... 5-1
5.1 IPSec Overview ..... 5-2
5.2 IPSec Features Supported by the SPU ..... 5-3
5.3 Establishing an IPSec Tunnel Manually ..... 5-4
5.3.1 Establishing the Configuration Task ..... 5-4
5.3.2 Defining Data Flows to Be Protected ..... 5-5
5.3.3 Configuring an IPSec Proposal ..... 5-6
5.3.4 Configuring an IPSec Policy ..... 5-7
5.3.5 (Optional) Configuring an IPSec Policy Template ..... 5-8
5.3.6 Setting the Global Lifetime of SAs ..... 5-9
5.3.7 Applying an IPSec Policy Group to a Sub-interface ..... 5-10
5.3.8 Checking the Configuration ..... 5-10
5.4 Establishing an IPSec Tunnel Through IKE Negotiation ..... 5-10
5.4.1 Establishing the Configuration Task ..... 5-11
5.4.2 Defining Data Flows to Be Protected ..... 5-12
5.4.3 Configuring the Local Host Name Used in IKE Negotiation ..... 5-13
5.4.4 Configuring an IKE Proposal ..... 5-13
5.4.5 Configuring an IKE Peer ..... 5-14
5.4.6 Configuring an IPSec Proposal ..... 5-16
5.4.7 Configuring an IPSec Policy ..... 5-17
5.4.8 (Optional) Configuring an IPSec Policy Template ..... 5-18
5.4.9 (Optional) Setting Optional Parameters ..... 5-19
5.4.10 Applying an IPSec Policy to a Sub-interface ..... 5-20
5.4.11 Checking the Configuration ..... 5-21
5.5 Maintaining IPSec ..... 5-21
5.5.1 Displaying the IPSec Configuration ..... 5-21
5.5.2 Clearing IPSec Information ..... 5-22
5.6 Configuration Examples ..... 5-22
5.6.1 Example for Establishing an SA Manually ..... 5-23
5.6.2 Example for Establishing an SA Through IKE Negotiation ..... 5-29

6 NetStream Configuration ..... 6-1
6.1 Overview of NetStream ..... 6-2
6.2 NetStream Features Supported by the SPU ..... 6-3
6.3 Collecting IPv4 Traffic Statistics ..... 6-4
6.3.1 Establishing the Configuration Task ..... 6-4
6.3.2 Enabling NetStream on an Interface ..... 6-5
6.3.3 (Optional) Configuring the Version of Exported Packets ..... 6-5
6.3.4 Setting the Destination Address of the Statistics ..... 6-6
6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag ..... 6-6
6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic ..... 6-7
6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic ..... 6-7
6.3.8 Checking the Configuration ..... 6-8
6.4 Collecting IPv6 Traffic Statistics ..... 6-8
6.4.1 Establishing the Configuration Task ..... 6-8
6.4.2 Enabling NetStream on an Interface ..... 6-9
6.4.3 Setting the Destination Address of the Statistics ..... 6-9
6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag ..... 6-10
6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic ..... 6-11
6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic ..... 6-11
6.4.7 Checking the Configuration ..... 6-11
6.5 Collecting MPLS Traffic Statistics ..... 6-12
6.5.1 Establishing the Configuration Task ..... 6-12
6.5.2 Enabling NetStream on an Interface ..... 6-13
6.5.3 (Optional) Configuring the Version of Exported Packets ..... 6-13
6.5.4 Setting the Destination Address of the Statistics ..... 6-14
6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic ..... 6-14
6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic ..... 6-15
6.5.7 Checking the Configuration ..... 6-15
6.6 Configuring the Aggregation Statistics About Traffic ..... 6-15
6.6.1 Establishing the Configuration Task ..... 6-16
6.6.2 Enabling NetStream on an Interface ..... 6-16
6.6.3 Configuring the Aggregation Function ..... 6-17
6.6.4 (Optional) Configuring the Version of Exported Packets ..... 6-17
6.6.5 (Optional) Configuring the Export of Statistics ..... 6-18
6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic ..... 6-19
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic ..... 6-19
6.6.8 Checking the Configuration ..... 6-19
6.7 Configuring the Flexible NetStream Feature ..... 6-19
6.7.1 Establishing the Configuration Task ..... 6-20
6.7.2 Creating a Record and Entering the Record View ..... 6-20
6.7.3 Configuring Aggregation Key Words of Records ..... 6-21
6.7.4 (Optional) Configuring the Exported Traffic Statistics ..... 6-21
6.7.5 Enabling Flexible NetStream on Interfaces ..... 6-22
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface ..... 6-22
6.7.7 Checking the Configuration ..... 6-23
6.8 Example for Configuring NetStream ..... 6-23
6.8.1 Example for Configuring IPv4 Traffic Statistics ..... 6-23
6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic ..... 6-26
6.8.3 Example for Configuring Flexible NetStream Traffic Statistics ..... 6-32

7 Load Balancing Configuration  7-1

7.1 Load Balancing Overview  7-2
7.2 Load Balancing Features Supported by the SPU  7-5
7.3 Configuring Egress Link Load Balancing  7-13
7.3.1 Establishing the Configuration Task  7-14
7.3.2 (Optional) Configuring an NAT Address Pool  7-15
7.3.3 (Optional) Configuring Link Health Detection  7-16
7.3.4 Configuring a Link  7-18
7.3.5 Configuring a Link Group  7-19
7.3.6 Configuring a Layer 7 Classifier  7-21
7.3.7 Configuring a Load Balancing Action  7-22
7.3.8 Configuring an ACL  7-23
7.3.9 (Optional) Configuring a Connection Parameter Profile  7-24
7.3.10 Configuring a Layer 3 Classifier  7-25
7.3.11 Configuring a Load Balancing Policy  7-26
7.3.12 Applying the Load Balancing Policy  7-27
7.3.13 Checking the Configuration  7-27
7.4 Configuring Server Load Balancing  7-28
7.4.1 Establishing the Configuration Task  7-29
7.4.2 (Optional) Configuring an NAT Address Pool  7-30
7.4.3 (Optional) Configuring Server Health Detection  7-31
7.4.4 Configuring a Server  7-35
7.4.5 Configuring a Server Group  7-37
7.4.6 (Optional) Configuring Session Stickiness  7-40
7.4.7 Configuring a Layer 7 Classifier  7-42
7.4.8 Configuring a Load Balancing Action  7-43
7.4.9 Configuring an ACL  7-44
7.4.10 (Optional) Configuring a Connection Parameter Profile  7-45
7.4.11 (Optional) Configuring an HTTP Parameter Profile  7-46
7.4.12 Configuring a Layer 3 Classifier  7-46
7.4.13 Configuring a Load Balancing Policy  7-48
7.4.14 Applying the Load Balancing Policy  7-49
7.4.15 Checking the Configuration  7-49
7.5 Configuring Firewall Load Balancing  7-50
7.6 Configuration Examples  7-54
7.6.1 Example for Configuring Egress Link Load Balancing  7-54
7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode  7-62
7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode  7-72
7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode  7-83
7.6.5 Example for Configuring Session Stickiness  7-95
7.6.6 Example for Configuring Standard Firewall Load Balancing  7-107

8 Dual-System HSB Configuration  8-1

8.1 Dual-System HSB Overview  8-2
8.2 Dual-System HSB Features Supported by the SPU  8-2
8.3 Configuring Dual-System HSB  8-3
8.3.1 Establishing the Configuration Task  8-4
8.3.2 Enabling Dual-System HSB  8-5
8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized  8-5
8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets  8-6
8.3.5 Checking the Configuration  8-7
8.4 Maintaining Dual-System HSB  8-7
8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules  8-7
8.5 Configuration Examples of Dual-System HSB  8-7
8.5.1 Example for Configuring Dual-System HSB on the S9300  8-8
8.5.2 Example for Configuring Dual-System HSB Between S9300s  8-17

Figures

Figure 2-1 Mapping between interfaces on the S9300 and SPU  2-2
Figure 2-2 Importing Layer 2 flows if interfaces are aggregated  2-5
Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated  2-6
Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated  2-8
Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated  2-8
Figure 3-1 Limiting the number of sessions initiated by an external server  3-6
Figure 3-2 Networking of ACL-based packet filtering  3-44
Figure 3-3 Networking of ASPF and port mapping  3-48
Figure 3-4 Networking of blacklist configuration  3-52
Figure 3-5 Networking of transparent firewall configuration  3-55
Figure 4-1 Networking of NAT  4-2
Figure 4-2 Networking of PAT  4-4
Figure 4-3 Networking of twice NAT  4-5
Figure 4-4 Networking diagram for configuring the NAT server  4-15
Figure 4-5 Networking diagram for configuring static NAT  4-18
Figure 4-6 Networking diagram for configuring outbound NAT  4-22
Figure 4-7 Networking diagram for configuring twice NAT  4-25
Figure 5-1 Packet format in transport mode  5-2
Figure 5-2 Packet format in tunnel mode  5-3
Figure 5-3 Networking diagram for establishing an SA manually  5-23
Figure 5-4 Networking for establishing an SA through IKE negotiation  5-29
Figure 6-1 Diagram of NetStream data collection and analysis  6-2
Figure 6-2 Networking diagram for configuring NetStream  6-23
Figure 6-3 Networking diagram of NetStream aggregation  6-27
Figure 6-4 Networking diagram for configuring Flexible NetStream  6-32
Figure 7-1 Typical networking of egress link load balancing  7-6
Figure 7-2 Typical networking of server load balancing in DNAT mode  7-8
Figure 7-3 Typical networking of server load balancing in DMAC mode  7-9
Figure 7-4 Typical networking of firewall load balancing  7-11
Figure 7-5 Networking of standard firewall load balancing  7-12
Figure 7-6 Networking of transparent firewall load balancing  7-12
Figure 7-7 Networking for combining firewall load balancing and server load balancing  7-12
Figure 7-8 Networking diagram for configuring egress link load balancing  7-55
Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode  7-63
Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode  7-73
Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode  7-84
Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode  7-96
Figure 7-13 Networking for configuring standard firewall load balancing  7-108
Figure 8-1 Networking of dual-system HSB  8-2
Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300  8-8
Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s  8-18

1 Configuration Differences Between SPU and S9300

About This Chapter

Read this chapter before configuring the SPU. It helps you understand the functions and features of the SPU and find the location of each feature in the manual.

1.1 Configuration Differences
This section describes the differences between the configurations of the SPU and the S9300.

1.2 Basic Configuration Differences
This section describes the differences between the basic configurations of the SPU and the S9300.

1.3 Ethernet Configuration Differences
This section describes the differences between the Ethernet configurations of the SPU and the S9300.

1.4 IP Service Configuration Differences
This section describes the differences between the IP service configurations of the SPU and the S9300.

1.5 IP Routing Configuration Differences
This section describes the differences between the IP routing configurations of the SPU and the S9300.

1.6 QoS Configuration Differences
This section describes the differences between the QoS configurations of the SPU and the S9300.

1.7 Security Configuration Differences
This section describes the differences between the security configurations of the SPU and the S9300.

1.8 Reliability Configuration Differences
This section describes the differences between the reliability configurations of the SPU and the S9300.

1.9 Device Management Configuration Differences
This section describes the differences between the device management configurations of the SPU and the S9300.

1.10 Network Management Differences
This section describes the differences between the network management configurations of the SPU and the S9300.

1.11 VPN Configuration Differences
This section describes the differences between the VPN configurations of the SPU and the S9300.


1.1 Configuration Differences


This section describes the differences between the configurations of the SPU and the S9300.

Functions of the SPU


The functions exclusively provided by the SPU include firewall, NAT, IPSec, NetStream, load balancing, and dual-system hot standby. This manual will describe the functions exclusively provided by the SPU in the following chapters.

Functions of the SPU and the S9300


The method of configuring these functions is the same as on the S9300. The differences are as follows:

- On the S9300, these commands are run on the Ethernet interface, GE interface, XGE interface, or VLANIF interface. On the SPU, these commands are run on the XGE interface, an Eth-Trunk containing XGE interfaces, an XGE sub-interface, or a sub-interface of an Eth-Trunk containing XGE interfaces. For example: on the S9300, the arp expire-time expire-time command is used on the VLANIF interface; on the SPU, the arp expire-time expire-time command is used on the XGE interface.

- None of the SPU commands support the slot slot-id parameter. For example: the command on the S9300 is display bfd ttl [ slot slot-id ]; the command on the SPU is display bfd ttl.

- The SPU does not support IPv6- or MPLS-related functions or parameters.

NOTE
For details about the common functions, see the S9300 configuration guide.

1.2 Basic Configuration Differences

This section describes the differences between the basic configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: CLI Overview
- Sub-feature: The SPU supports all sub-features of the CLI Overview.
- Difference: See Common Differences.

Feature: How to Use Interfaces
- Sub-feature: The SPU supports all sub-features of How to Use Interfaces.
- Difference: See Common Differences.

Feature: Basic configurations
- Basic Configuration Introduction: See Common Differences.
- Configuring the Basic System Environment: See Common Differences. The SPU does not support setting the system clock.
- Configuring Basic User Environment: See Common Differences.
- Displaying System Status Messages: See Common Differences.

Feature: User Management
- Sub-feature: The SPU supports all sub-features of User Management.
- Difference: See Common Differences.

Feature: File System Management
- Sub-feature: The SPU supports all sub-features of File System Management.
- Difference: See Common Differences.

Feature: Management of Configuration Files
- Sub-feature: The SPU supports all sub-features of Management of Configuration Files.
- Difference: See Common Differences.
  NOTE
  The SPU configuration file must be backed up on both the SPU and the S9300.

Feature: FTP and TFTP
- Sub-feature: The SPU supports all sub-features of FTP and TFTP.
- Difference: See Common Differences.

Feature: Telnet and SSH
- Sub-feature: The SPU supports all sub-features of Telnet and SSH.
- Difference: See Common Differences.

1.3 Ethernet Configuration Differences

This section describes the differences between the Ethernet configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: Ethernet interface
- Configuring basic attributes of the Ethernet interface: The SPU supports only (Optional) Configuring the Description.
- Configuring advanced attributes of the Ethernet interface: The SPU supports only (Optional) Assigning an IP Address to an Ethernet Sub-interface.

Feature: Link aggregation
- Configuring Link Aggregation in Manual Load Balancing Mode (configuration example: Example for Configuring Link Aggregation in Manual Load Balancing Mode): An Eth-Trunk of the SPU contains a maximum of 2 member interfaces. By default, the maximum number of interfaces that determine the bandwidth of the Eth-Trunk is 2.
- Configuring an Eth-Trunk Sub-interface: See Common Differences.

Feature: VLAN
- Configuring Sub-interfaces to Implement Layer-3 Communication (configuration example: Example for Implementing Communication Between VLANs Through Sub-interfaces): See Common Differences.

Feature: ARP
- Configuring ARP (configuration example: Example for Configuring ARP): See Common Differences.
- Configuring Routed Proxy ARP (configuration example: Example for Configuring Routed Proxy ARP): See Common Differences.
- Configuring ARPing-IP: See Common Differences.
- Maintaining ARP: See Common Differences.

1.4 IP Service Configuration Differences

This section describes the differences between the IP service configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table lists all the IP service features of the SPU.

Feature: IP address configuration
- Sub-feature: IP address unnumbered
  Configuration tasks: Establishing the Configuration Task; Setting the Primary IP Address; Setting the Unnumbered IP Address; Checking the Configuration
  Difference: Not supported by the SPU.
- Sub-feature: Configuration example: Example for Configuring a Tunnel Interface to Borrow the IP Address of a Loopback Interface
  Configuration tasks: -
  Difference: Not supported by the SPU.

Feature: DHCP
- Difference: Not supported by the SPU.

Feature: IP session
- Sub-feature: Configuring IP Session
  Difference: The SPU supports only (Optional) Binding a VPN Instance to an Interface.

Feature: IP performance
- Sub-feature: IP performance optimization
  Configuration tasks: Configuration examples: Example for Disabling the Sending of ICMP Redirection Packets; Example for Disabling the Sending of ICMP Host Unreachable Packets; Example for Optimizing System Performance by Discarding Certain ICMP Packets
  Difference: Not supported by the SPU.
- Sub-feature: IP performance optimization
  Configuration tasks: Enabling an Interface to Check the Source IP Addresses of Packets; Setting ICMP Parameters; (Optional) Setting the Load Balancing Mode of IP Packet Forwarding; Checking the Configuration
  Difference: See Common Differences.
- Sub-feature: IP performance maintenance
  Configuration tasks: Monitoring the Running Status of IP Performance
  Difference: See Common Differences.

Feature: IP unicast PBR
- Sub-feature: Configuration example
  Configuration tasks: Example for Configuring PBR Based on the Protocol Type; Example for Configuring PBR Based on the Packet Length; Example for Configuring Flow-based PBR
  Difference: See Common Differences.

Feature: UDP Helper
- Difference: Not supported by the SPU.

Feature: DNS
- Difference: Not supported by the SPU.

Feature: Basic IPv6 configurations
- Difference: Not supported by the SPU.

Feature: IPv6 DNS
- Difference: Not supported by the SPU.

Feature: IPv6 over IPv4
- Difference: Not supported by the SPU.

Feature: IPv4 over IPv6
- Difference: Not supported by the SPU.

1.5 IP Routing Configuration Differences

This section describes the differences between the IP routing configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: IP Routing Overview
- Sub-feature: The SPU supports all sub-features of the IP Routing Overview.
- Difference: See Common Differences.

Feature: Static route
- Configuring an IPv4 Static Route (configuration example: Example for Configuring Static Routes): The SPU does not support IPv6-related configurations.
- Configuring BFD for IPv4 Static Routes in the Public Network (configuration example: Example for Configuring BFD for IPv4 Static Routes): The SPU does not support IPv6-related configurations.

Feature: RIP Configuration
- Sub-feature: The SPU supports all sub-features of the RIP Configuration.
- Difference: See Common Differences.

Feature: OSPF Configuration
- Sub-feature: The SPU supports all sub-features of the OSPF Configuration.
- Difference: See Common Differences.

Feature: IS-IS Configuration
- Sub-feature: The SPU supports all sub-features of the IS-IS Configuration.
- Difference: See Common Differences.

Feature: BGP
- Sub-features:
  Configuring Basic BGP Functions (configuration example: Example for Configuring Basic BGP Functions)
  Configuring BGP Route Attributes
  Configuring BGP Filters (configuration example: Example for Configuring AS-Path Filter)
  Controlling the Advertisement of BGP Routing Information
  Controlling the Import of Routing Information (configuration example: Example for Configuring BGP to Interact With an IGP)
  Configuring BGP Route Dampening
  Configuring Parameters of a BGP Peer Connection
  Configuring BGP Tracking
  Configuring BGP Load Balancing (configuration example: Example for Configuring BGP Load Balancing and Setting the MED)
  Configuring a BGP Confederation (configuration example: Example for Configuring a BGP Confederation)
  Configuring a BGP Route Reflector (configuration example: Example for Configuring a BGP RR)
  Configuring BGP Accounting (configuration example: Example for Configuring the BGP Accounting)
  Configuring BFD for BGP (configuration example: Example for Configuring BFD for BGP)
  Configuring BGP Auto FRR (configuration example: Example for Configuring BGP Auto FRR)
  Configuring a BGP Peer Group (configuration example: Example for Configuring the BGP Community Attribute)
  Configuring BGP GR
  Configuring BGP Security (configuration example: Example for Configuring BGP GTSM)
- Difference: The SPU does not support IPv6-related configurations.

Feature: Routing policy
- Sub-features:
  Configuring the IP-Prefix List
  Configuring the Route-Policy
  Applying Filters to Received Routes
  Applying Filters to Advertised Routes (configuration example: Example for Filtering the Received and Advertised Routes)
  Applying Filters to Imported Routes (configuration example: Example for Applying a Routing Policy to the Imported Routes)
  Controlling the Valid Time of the Routing Policy
- Difference: The SPU does not support the configurations related to IPv6, MPLS, FRR, and VPN.

1.6 QoS Configuration Differences

This section describes the differences between the QoS configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: Class-based QoS Configuration
- Configuring Priority Mapping Based on Simple Traffic Classification: See Common Differences.
- Configuring Complex Traffic Classification (configuration examples: Example for Re-marking the Priorities Based on Complex Traffic Classification; Example for Re-marking the Priorities Based on Complex Traffic Classification; Example for Filtering Packets Based On Complex Traffic Classification): In Creating a Traffic Classifier Based on Layer 3 Information, the SPU does not support:
  if-match cvlan-8021p { 8021p-value } &<1-8>
  if-match discard
  if-match inbound-interface interface-type interface-number
  if-match vlan-8021p 8021p-value &<1-8>
- Configuring a Traffic Behavior: The SPU does not support URPF.
- Maintaining Class-based QoS: In Clearing the Flow-based Traffic Statistics, only the inbound interface supports: reset traffic policy statistics { global | vlan vlan-id }

Feature: Traffic Policing and Traffic Shaping Configuration
- Sub-feature: The SPU supports all sub-features of the Traffic Policing and Traffic Shaping Configuration.
- Difference: See Common Differences.

1.7 Security Configuration Differences

This section describes the differences between the security configurations of the SPU and the S9300.

NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration. The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: AAA and user management
- AAA scheme: See Common Differences.
- RADIUS server template: See Common Differences.
- HWTACACS server template: See Common Differences.
- Service scheme: See Common Differences.
- Domain: See Common Differences.
- Local user management: See Common Differences.
- AAA and user management maintenance: See Common Differences.
- AAA and User Management Configuration (configuration example: Example for Configuring RADIUS Authentication and Accounting): See Common Differences.
- AAA and User Management Configuration (configuration example: Example for Configuring HWTACACS Authentication, Accounting, and Authorization): See Common Differences.

Feature: ACL
- ACL: The SPU does not support named ACLs or user-defined ACLs.
- Reflective ACL: Reflective ACLs can be bound only in the system view of the SPU.
- ACL maintenance: The ACL6 statistics on the SPU cannot be cleared.
- Configuring a Basic ACL (configuration example: Example for Configuring a Basic ACL): See Common Differences.
- Configuring an Advanced ACL (configuration example: Example for Configuring an Advanced ACL): See Common Differences.
- Configuring a Layer 2 ACL (configuration example: Example for Configuring a Layer 2 ACL): See Common Differences.
- Configuring Reflective ACL (configuration example: Example for Configuring the Reflective ACL Function): Reflective ACLs can be bound only in the system view of the SPU.

Feature: Attack defense configuration
- Attack defense policy configuration: On the SPU, only CAR can be configured in the attack defense policy view, and the attack defense policy can be bound only globally.

1.8 Reliability Configuration Differences


This section describes the differences between the reliability configurations of SPU and S9300.
NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: BFD
- Configuring Single-Hop BFD (configuration example: Example for Configuring Single-Hop BFD on a VLANIF Interface): The SPU does not support (Optional) Setting the Multicast IP Address of BFD or detection of IPv6 links. In Creating a BFD Session, only BFD detection for Layer 3 interfaces is supported:
  bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] interface interface-type interface-number [ source-ip source-ip ]
- Configuring a Static BFD Session with Automatically Negotiated Discriminators: The SPU does not support the static BFD6 session with automatically negotiated discriminators.
- Setting the BFD Session-Up Delay: The SPU does not support the static BFD6 session with automatically negotiated discriminators.
- Adjusting the BFD Detection Parameters: See Common Differences.
- Setting the Global TTL Value: The SPU does not support the multi-hop packet TTL.
- Setting the Interval for Sending Trap Messages: See Common Differences.

Feature: VRRP
- Configuring a VRRP Backup Group (configuration examples: Example for Configuring VRRP in Master/Backup Mode; Example for Configuring VRRP in Load Balancing Mode): See Common Differences.
- Configuring VRRP to Track the Interface Status: See Common Differences.
- Configuring VRRP to Track the Interface Status (configuration example: Example for Configuring VRRP Fast Switchover): See Common Differences.
- Configuring VRRP Authentication: See Common Differences.
- Optimizing the VRRP Performance: See Common Differences.

1.9 Device Management Configuration Differences


This section describes the differences between the device management configurations of SPU and S9300.
NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.


Feature: Displaying the Device Status
- Displaying the Status of the SPU: The SPU supports only:
  - Displaying Information About the S9300
  - Displaying the Version
  - Displaying the CPU Usage
  - Displaying the Interface Status
  - Displaying Alarm Information
  - Displaying Diagnostic Information

Feature: Information Center Configuration
- Configuring the Information Center: See Common Differences.
- (Optional) Configuring Information Output Modes: See Common Differences.
- Configuration example: Configuration Examples: See Common Differences.

Feature: Hardware Management
- Resetting the LPU: See Common Differences.

Feature: Rebooting
- Rebooting the S9300: The SPU does not support (Optional) Rebooting the S9300 Immediately by Pressing the Power Button.

Feature: Debugging and Diagnosis
- Debugging the S9300 (configuration example: Configuration Examples): See Common Differences.

1.10 Network Management Differences


This section describes the differences between the network management configurations of SPU and S9300.
NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences. The SPU supports only the SNMP, ping, and tracert functions.


Feature: SNMP
- Configuring Basic Functions of SNMPv1: See Common Differences.
- Configuring Basic Functions of SNMPv2c: See Common Differences.
- Configuring Community-Name-based Access Control in SNMPv1: See Common Differences.
- Configuring Community-Name-based Access Control in SNMPv2c (configuration example: Example for Specifying an NMS to Manage the Switch): See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv1: See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv2c: See Common Differences.
- Configuring Basic Functions of SNMPv3: See Common Differences.
- Configuring Group-based Access Control in SNMPv3: See Common Differences.
- Configuring User-based Access Control in SNMPv3: See Common Differences.
- Configuring Authentication and Encryption Functions in SNMPv3: See Common Differences.
- Configuring MIB-View-based Access Control in SNMPv3 (configuration examples: Example for Configuring Different NMSs to Access the Switch; Example for Configuring Different NMSs to Access the Switch (Inform Mode)): See Common Differences.
- Configuring SNMP Maintenance Information (configuration example: Example for Specifying an NMS to Manage the Switch): See Common Differences.
- Configuring the Maximum Size of the SNMP Packet: See Common Differences.
- Configuring Batch Statistics Collection (configuration example: Example for Configuring Batch Statistics Collection): See Common Differences.
- Configuring the Trap Function (configuration examples: Example for Specifying an NMS to Manage the Switch; Example for Configuring Different NMSs to Access the Switch; Example for Configuring Alarm Messages to Be Sent to the Huawei NMS): See Common Differences.
- Propagating Alarms in the Inform Mode (configuration example: Example for Configuring Different NMSs to Access the Switch (Inform Mode)): See Common Differences.
- Enabling the Extended Error Code Function on the SNMP Agent (configuration example: Example for Enabling the Extended Error Code Function on the SNMP Agent): See Common Differences.
- Configuring the SET Response Message Caching Function: See Common Differences.
- Configuring the Constant Interface Index Feature: See Common Differences.

Feature: Ping and Tracert
- Performing Ping and Tracert Operations (configuration example: Example for Performing Ping and Tracert Operations): See Common Differences.

1.11 VPN Configuration Differences


This section describes the differences between the VPN configurations of SPU and S9300.
NOTE
Before performing the configurations in this chapter, perform the operations in 2 SPU Pre-Configuration.

The following table describes the feature-specific differences. For the common differences, see 1.1 Configuration Differences.

Feature: GRE protocol
- GRE tunnel (configuration examples: Example for Configuring Static Routes on the GRE Tunnel; Example for Configuring the Dynamic Routing Protocol on the GRE Tunnel): When the destination address of the tunnel is configured in Configuring a Tunnel Interface, the destination address cannot be set to the IP address of a VPN instance.

Feature: BGP/MPLS IP VPN
- VPN instance: The SPU supports only Creating a VPN Instance.
- Basic BGP/MPLS IP VPN: The SPU supports only Binding an Interface with a VPN Instance. For the configuration of mutual access between local VPNs, see Example for Configuring Mutual Access for Local VPNs on SPU Board.


2 SPU Pre-Configuration

About This Chapter

To use the SPU on the S9300, configure the S9300 and SPU in advance.

2.1 Overview of the SPU Pre-Configuration
This topic describes the connection of virtual XGE interfaces between the SPU and the S9300.

2.2 Configuring a Service Type
When using the SPU, you must ensure that the service type of the SPU is consistent with the type of the service actually processed by the SPU. If the original service type of the SPU is inconsistent with the required type, you need to change the service type, and then restart the SPU to make the change take effect.

2.3 Configuring Layer 2 Flow Import
The S9300 and SPU are deployed in VLAN networking. After the interfaces that need to communicate with each other are grouped into the same VLAN, interworking at Layer 2 can be implemented.

2.4 Configuring Layer 3 Flow Import
After two groups of virtual XGE interfaces that are connected between the SPU and S9300 are added to the same network segment, communication at Layer 3 can be implemented.

2.5 Configuring Traffic Mirroring
When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.


2.1 Overview of the SPU Pre-Configuration


This topic describes the connection of virtual XGE interfaces between the SPU and the S9300.

Connection Mode
If the SPU is inserted into slot 5 on the S9300, virtual connections are set up between XGE 5/0/0 on the S9300 and XGE 0/0/1 on the SPU, and between XGE 5/0/1 on the S9300 and XGE 0/0/2 on the SPU. All the traffic that is forwarded or mirrored to XGE 5/0/0 and XGE 5/0/1 through flow import is processed by the SPU, as shown in Figure 2-1.

Figure 2-1 Mapping between interfaces on the S9300 and SPU (switch XGE5/0/0 to SPU XGE0/0/1; switch XGE5/0/1 to SPU XGE0/0/2)

Flow Import Mode on the SPU


The SPU can process the following services:
- Firewall
- Load Balance
- IPSec
- NetStream

When the SPU is used for the first time, the service type is not configured. You must configure the corresponding service type. When firewalls, load balancing, and IPSec are used, data interworking between the S9300 and the SPU is implemented through Layer 2 or Layer 3 flow import. When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.

The preceding four services cannot be enabled concurrently. That is, at a certain moment, only one service can be used. You can install multiple SPUs on the S9300 to provide different types of services.


2.2 Configuring a Service Type


When using the SPU, you must ensure that the service type of the SPU is consistent with the type of the service actually processed by the SPU. If the original service type of the SPU is inconsistent with the required type, you need to change the service type, and then restart the SPU to make the change take effect.

2.2.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring a service type.

2.2.2 Configuring a Service Type
The SPU can process four types of services to meet different service requirements.

2.2.3 Checking the Configuration
You can check the current service type before and after configuring the service type of the SPU.

2.2.1 Establishing the Configuration Task


This topic describes the pre-configuration task and data preparations for configuring a service type.

Applicable Environment
When using the SPU, you need to select a service type. Currently, the SPU can process the following services:
- Firewall
- Load Balance
- IPSec
- NetStream

Pre-configuration Tasks
You have logged in to the SPU successfully.

Data Preparation
To configure a service type, you need the following data.
1. Number of the type of the service to be processed by the SPU

2.2.2 Configuring a Service Type


The SPU can process four types of services to meet different service requirements.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
set service-type type

The service type of the SPU is configured.

NOTE
After a service type is changed, the original service configurations no longer take effect. The configurations of the new service type take effect after the SPU is restarted.

----End

2.2.3 Checking the Configuration


You can check the current service type before and after configuring the service type of the SPU.

Procedure
- Run the display service-type command in the system view to check the service type of the SPU.

----End

2.3 Configuring Layer 2 Flow Import


The S9300 and SPU are deployed in VLAN networking. After the interfaces that need to communicate with each other are grouped into the same VLAN, interworking at Layer 2 can be implemented.

2.3.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring Layer 2 flow import.

2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated
When firewalls, load balancing, and IPSec are used, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase bandwidth on interfaces.

2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated
Add interfaces on the LPU and virtual XGE interfaces on the S9300 to the same VLAN. Configure virtual XGE sub-interfaces on the SPU to allow packets from certain VLANs to pass.

2.3.1 Establishing the Configuration Task


This topic describes the pre-configuration task and data preparations for configuring Layer 2 flow import.

Applicable Environment
When firewalls, load balancing, and IPSec are used, the LPU of the S9300 forwards traffic to the SPU for processing. When traffic is forwarded at Layer 2:
- For the firewall and load balance services, the SPU aggregates two groups of virtual XGE service interfaces as an Eth-Trunk interface, thus providing higher bandwidth. The SPU can also add interfaces on the LPUs and virtual XGE interfaces on the S9300 to the same VLAN and configure the virtual XGE sub-interfaces on the SPU to allow the packets from certain VLANs to pass.
- For the IPSec service, the SPU does not aggregate interfaces, but directly adds interfaces on the LPUs and virtual XGE interfaces on the S9300 to the same VLAN and configures the virtual XGE sub-interfaces on the SPU to allow the packets from certain VLANs to pass.

When using firewalls and load balancing, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces.

- Importing Layer 2 flows if interfaces are aggregated
  As shown in Figure 2-2, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If two groups of XGE interfaces on the S9300 and SPU are aggregated as Eth-Trunk interfaces, you need to add GE 3/0/0, Eth-Trunk 0, and Eth-Trunk 1 to the same VLAN.

  Figure 2-2 Importing Layer 2 flows if interfaces are aggregated (figure labels: GE3/0/0, GE3/0/1, XGE5/0/0, XGE5/0/1, Eth-Trunk 0 on the switch; XGE0/0/1, XGE0/0/2, Eth-Trunk 1 on the SPU)

- Importing Layer 2 flows if interfaces are not aggregated
  As shown in Figure 2-3, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If interfaces are not aggregated, you need to add GE 3/0/0, XGE 5/0/0, and XGE 0/0/1 to the same VLAN.


Figure 2-3 Importing Layer 2 flows if interfaces are not aggregated (figure labels: GE3/0/0, GE3/0/1, XGE5/0/0 on the switch; XGE0/0/1 on the SPU)

Pre-configuration Tasks
Ensure that the SPU is installed on the S9300 and that the SPU runs normally.

Data Preparation
To configure Layer 2 flow import, you need the following data.
1. Number of the Eth-Trunk interface
2. Number of the slot to which the SPU is inserted
3. ID of the VLAN to which interfaces belong
4. Number of the slot to which the LPU is inserted

2.3.2 Configuring Layer 2 Flow Import If Interfaces Are Aggregated


When firewalls, load balancing, and IPSec are used, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase bandwidth on interfaces.

2.3.3 Configuring Layer 2 Flow Import If Interfaces Are Not Aggregated


Add interfaces on the LPU and virtual XGE interfaces on the S9300 to the same VLAN. Configure virtual XGE sub-interfaces on the SPU to allow packets from certain VLANs to pass.

2.4 Configuring Layer 3 Flow Import


After two groups of virtual XGE interfaces that are connected between the SPU and S9300 are added to the same network segment, communication at Layer 3 can be implemented.

2.4.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring Layer 3 flow import.

2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated
When firewalls, load balancing, and IPSec are used, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase bandwidth on interfaces.

2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated
Assign IP addresses to VLANIF interfaces on the S9300 and XGE sub-interfaces on the SPU to forward traffic at Layer 3.

2.4.1 Establishing the Configuration Task


This topic describes the pre-configuration task and data preparations for configuring Layer 3 flow import.

Applicable Environment
When firewalls, load balancing, and IPSec are used, the LPU of the S9300 forwards traffic to the SPU for processing. When traffic is forwarded at Layer 3:
- For the firewall and load balance services, the SPU can aggregate two groups of virtual XGE service interfaces as an Eth-Trunk interface, thus providing higher bandwidth. The SPU can also add interfaces on the LPUs and virtual XGE interfaces on the S9300 to VLANs and configure IP addresses for VLANIF interfaces and the XGE sub-interfaces on the SPU to implement Layer 3 forwarding.
- For the IPSec service, the SPU does not aggregate interfaces, but directly adds interfaces to the VLAN and configures IP addresses for VLANIF interfaces to implement Layer 3 forwarding.

When using firewalls and load balancing, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces.

- Importing flows at Layer 3 if interfaces are aggregated
  As shown in Figure 2-4, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If two groups of XGE interfaces on the S9300 and SPU are aggregated as Eth-Trunk interfaces, you need to add Eth-Trunk 0 and Eth-Trunk 1 to the same VLAN and configure the IP address of the sub-interface of Eth-Trunk 1 and the IP address of the VLANIF interface to which Eth-Trunk 0 belongs.

  NOTE
  The two IP addresses share the same network segment.


  Figure 2-4 Importing flows at Layer 3 if interfaces are aggregated (figure labels: GE3/0/0, GE3/0/1, VLAN1052, VLANIF1060 13.1.1.1/24, Eth-Trunk 0, VLANIF1051 14.14.1.2/24, XGE5/0/0, XGE5/0/1 on the switch; Eth-Trunk 1.1 14.14.1.1/24, Eth-Trunk 1.2 12.12.1.1/24, XGE0/0/1, XGE0/0/2 on the SPU)

- Importing flows at Layer 3 if interfaces are not aggregated
  As shown in Figure 2-5, GE 3/0/0 on the LPU forwards traffic to the SPU for processing. After processing the traffic, the SPU forwards it to GE 3/0/1. Then GE 3/0/1 forwards the traffic to the LPU. If interfaces are not aggregated, you need to add XGE 5/0/0 and XGE 0/0/1 to the same VLAN and configure the IP address of the sub-interface of XGE 0/0/1 and the IP address of the VLANIF interface to which XGE 5/0/0 belongs.

  NOTE
  The two IP addresses share the same network segment.

  Figure 2-5 Importing flows at Layer 3 if interfaces are not aggregated (figure labels: XGE5/0/0, VLANIF1051 14.14.1.2/24, GE3/0/0, VLAN1052, VLANIF1060 13.1.1.1/24 on the switch; XGE0/0/1.1 14.14.1.1/24, XGE0/0/1.2 12.12.1.1/24 on the SPU)

Pre-configuration Tasks
Check that the SPU is installed on the S9300.

Data Preparation
To configure Layer 3 flow import, you need the following data.
1. Number of the Eth-Trunk interface
2. Ethernet interface number and sub-interface number
3. IP address and mask of the sub-interface
4. Range of IDs of the VLANs to which interfaces belong

2.4.2 Configuring Layer 3 Flow Import If Interfaces Are Aggregated


When firewalls, load balancing, and IPSec are used, you are advised to aggregate two groups of virtual XGE service interfaces on the S9300 and SPU as Eth-Trunk interfaces to increase bandwidth on interfaces.

2.4.3 Configuring Layer 3 Flow Import If Interfaces Are Not Aggregated


Assign IP addresses for VLANIF interfaces on the S9300 and XGE sub-interfaces on the SPU to forward traffic at Layer 3.

2.5 Configuring Traffic Mirroring


When NetStream is used, traffic on the S9300 is mirrored to the SPU in port mirroring or traffic mirroring mode.

2.5.1 Establishing the Configuration Task
This topic describes the pre-configuration task and data preparations for configuring traffic mirroring.

2.5.2 Configuring Traffic Mirroring
To mirror traffic to the SPU, perform the following configurations on the S9300.

2.5.1 Establishing the Configuration Task


This topic describes the pre-configuration task and data preparations for configuring traffic mirroring.

Applicable Environment
When NetStream is used, the LPU of the S9300 mirrors traffic to the SPU for traffic classification and traffic statistics.

Pre-configuration Tasks
Check that the SPU is installed on the S9300.

Data Preparation
To configure traffic mirroring, you need the following data.
1. Type and number of an observing interface
2. Mirrored interface
3. (Optional) Direction of the traffic to be mirrored
4. (Optional) Defined name of the traffic behavior and corresponding parameters
5. (Optional) Number, matching order, and rule of an ACL
6. (Optional) Defined name and rule of a traffic identifier
7. (Optional) Name of a traffic policy

2.5.2 Configuring Traffic Mirroring


To mirror traffic to the SPU, perform the following configurations on the S9300.

Context
When NetStream is used, traffic on the S9300 is mirrored to the master CPU on the SPU in port mirroring or traffic mirroring mode. All configurations are performed on the S9300.

Procedure
- Configuring port mirroring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     observe-port [ observe-port-index ] interface interface-type interface-number
     The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.
  3. Run:
     interface interface-type interface-number
     The view of the mirrored interface to be observed is displayed.
  4. Run:
     port-mirroring to observe-port observe-port-index { both | inbound | outbound }
     The port mirroring function is configured to mirror the traffic that enters or leaves this interface to the observing interface configured in step 2.

- Configuring traffic mirroring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     observe-port [ observe-port-index ] interface interface-type interface-number
     The local observing interface is configured, which is the virtual XGE interface corresponding to the master CPU on the SPU.
  3. Run:
     acl [ number ] acl-number [ match-order { auto | config } ]
     An ACL is created and the ACL view is displayed.
  4. Run:
     rule [ rule-id ] { deny | permit } [ fragment | source { source-address source-wildcard | any } | time-range time-name ] *
     A rule is added in this ACL view. Only the traffic that matches a permit rule can be mirrored to the observing interface.
  5. Run:
     quit
     Exit from the ACL view.
  6. Run:
     traffic classifier classifier-name [ operator { and | or } ] [ precedence precedence-value ]
     A traffic classifier is created and the traffic classifier view is displayed.
  7. Run:
     if-match [ ipv6 ] acl acl-number
     The rule for classifying traffic based on the ACL is configured.
  8. Run:
     quit
     Exit from the traffic classifier view.
  9. Run:
     traffic behavior behavior-name
     A traffic behavior is created and the traffic behavior view is displayed.
  10. Run:
     mirroring to observing-port observe-port-index
     The traffic that matches the rule is configured to be mirrored to the observing interface configured in step 2.
  11. Run:
     quit
     Exit from the traffic behavior view.
  12. Run:
     traffic policy policy-name
     A traffic policy is created and the traffic policy view is displayed.
  13. Run:
     classifier classifier-name behavior behavior-name
     The traffic classifier is bound to the traffic behavior.
  14. Run:
     quit
     Exit from the traffic policy view.
  15. Run:
     interface interface-type interface-number
     The interface view is displayed.
  16. Run:
     traffic-policy policy-name { inbound | outbound }
     The traffic policy is applied to the interface.

----End
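The two alternatives above, written out as one worked command sequence on the S9300. This is an added example and not a configuration from the guide; it follows the interface mapping in 2.1 (SPU in slot 5, so the observing interface is XGE 5/0/0) and the LPU interface GE 3/0/0 used in the figures. The observe-port index 1, ACL number 2001, the source network 10.1.1.0/24, and the classifier, behavior and policy names are constructed values; lines beginning with # are explanatory comments, not commands.

```text
# Alternative A: port mirroring. Every packet entering GigabitEthernet3/0/0
# is copied to the virtual XGE interface that faces the SPU master CPU.
system-view
observe-port 1 interface XGigabitEthernet 5/0/0
interface GigabitEthernet 3/0/0
port-mirroring to observe-port 1 inbound
quit

# Alternative B: traffic mirroring. Only packets permitted by ACL 2001
# (constructed: sources in 10.1.1.0/24, wildcard 0.0.0.255) are copied;
# everything else on the interface is neither mirrored nor affected.
acl number 2001 match-order config
rule 5 permit source 10.1.1.0 0.0.0.255
quit
traffic classifier c_netstream operator or
if-match acl 2001
quit
traffic behavior b_mirror
mirroring to observing-port 1
quit
traffic policy p_netstream
classifier c_netstream behavior b_mirror
quit
interface GigabitEthernet 3/0/0
traffic-policy p_netstream inbound
quit
```

Choose one alternative per mirrored interface. Alternative B is the one to prefer when the SPU should only see a defined subset of traffic for NetStream statistics: the ACL bounds what leaves the LPU toward the SPU, and a deny rule or an unmatched packet is simply not copied, so the permit rules double as an inventory of what is being observed.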


3 Firewall Configuration

About This Chapter

The attack defense system sets up a line of defense between the internal and external networks so that the internal network is protected against attacks from the external network. Generally, firewalls are deployed between the internal and external networks to prevent attacks.

3.1 Firewall Overview
A firewall discards the undesired packets and protects the mainframes and key resources on the internal network.

3.2 Firewall Features Supported by the SPU
The firewall features supported by the SPU include ACL-based packet filtering, blacklist, whitelist, ASPF, port mapping, transparent firewall, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

3.3 Configuring Zones
All the security policies of the firewall are enforced based on zones.

3.4 Configuring the Packet Filtering Firewall
The packet filtering firewall filters packets by using an ACL.

3.5 Configuring the Blacklist
You can add entries to the blacklist manually or configure a dynamic blacklist. If you choose the dynamic blacklist, you need to enable the IP address scanning and port scanning defense functions on the attack defense module of the SPU. When the SPU detects that the connection rate of an IP address or a port exceeds the threshold, the SPU considers that a scanning attack occurs, and then adds the source IP address to the blacklist. Then all the packets from this source IP address are filtered out.

3.6 Configuring the Whitelist
The whitelist is applicable to the network where some devices send valid service packets that look like an IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist.

3.7 Configuring ASPF
The ASPF function can detect the sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables the application protocols that cannot traverse firewalls to function normally.

3.8 Configuring Port Mapping
Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.

3.9 Configuring the Aging Time of the Firewall Session Table

3.10 Configuring the Transparent Firewall
A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance, rather than according to routes.

3.11 Configuring the Attack Defense Function
The attack defense function of the SPU prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.12 Configuring Traffic Statistics and Monitoring
The SPU supports traffic statistics and monitoring at the system level, zone level, and IP address level.

3.13 Configuring the Log Function
The logs on the firewall include session logs, statistics logs, attack defense logs, and blacklist logs.

3.14 Maintaining the Firewall

3.15 Configuration Examples
This section provides several configuration examples of the firewall.


3.1 Firewall Overview


A firewall discards the undesired packets and protects the mainframes and key resources on the internal network. In a building, a firewall is designed to prevent fire from spreading across one place to the other places. Similarly, a firewall on the network prevents hazards on the Internet from spreading to the internal network. Located at the network boundary, a firewall prevents unauthorized access to the protected network and allows the internal users to securely access the Web service across the Internet or send and receive emails. Both the packets from the Internet to the internal network and the packets from the internal network to the Internet pass through the firewall, therefore, the firewall is a guard that can discard the undesired packets. The firewall can also be used to protect the mainframes and key resources (like data) on the internal network. The firewall filters the access to the protected data, even the internal access to the data. The firewall also serves as an authority control gateway to restrict the access to the Internet, for example, it allows the specified internal users to access the Internet. The modern firewalls also provide other functions, such as identity authentication and security processing (packet encryption). The firewall of SPU has the following functions:
- ACL-based packet filtering: filters packets through an ACL.
- ASPF: filters packets at the application layer.
- Blacklist: filters packets based on source IP addresses.
- Whitelist: prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses.
- Port mapping: defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks.
- Attack defense: detects various network attacks and takes measures to protect the internal network against attacks.
- Traffic statistics and monitoring: monitors traffic volume, detects the connections between internal and external networks, and carries out calculation and analysis.

3.2 Firewall Features Supported by the SPU


The firewall features supported by the SPU include ACL-based packet filtering, blacklist, whitelist, ASPF, port mapping, transparent firewall, virtual firewall, attack defense, traffic statistics and monitoring, and logs.

Security Zone
The security zone, also referred to as a zone, is the basis of firewall. All the security policies are enforced based on the zones.

A zone is an interface or a group of multiple interfaces. The users in a zone have the same security attributes. Each zone has a unique security priority. That is, the priorities of any two zones are different. The SPU considers that the data transmission within a zone is reliable; therefore, it does not enforce any security policy on the intra-zone data transmission. The SPU verifies the data and enforces the security policies only when the data flows from one zone to another.

Interzone
Any two zones form an interzone. Each interzone has an independent interzone view. Most firewall configurations are performed in the interzone views. Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering can be configured. The configured filtering policy is then enforced on the data transmission between zone1 and zone2.

Direction
In an interzone, data is transmitted in inbound direction or outbound direction.
- Inbound: data flows from a zone with lower priority to a zone with higher priority.
- Outbound: data flows from a zone with higher priority to a zone with lower priority.

ACL-based Packet Filtering


ACL-based packet filtering is used to analyze the information of the packets to be forwarded, including source/destination IP addresses, source/destination port numbers, and IP protocol number. The SPU compares the packet information with the ACL rules and determines whether to forward or discard the packets. In addition, the SPU can filter the fragmented IP packets to prevent the non-initial fragment attack.

ASPF
ASPF is applied at the application layer; that is, ASPF is stateful packet filtering. ASPF detects the application-layer sessions that attempt to pass through the firewall and discards undesired packets. The ACL-based packet filtering firewall detects packets at the network and transport layers. The ASPF function and the common packet filtering firewall can be used together to enforce the security policies on an internal network. The SPU performs ASPF for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) packets.

Blacklist
A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklist uses simpler matching fields to implement high-speed packet filtering. Thus the packets from certain IP addresses can be filtered out.

The firewall can add IP addresses to the blacklist dynamically. By judging the packet behaviors, the firewall detects an attack from an IP address. Then the firewall adds the IP address of the attacker to the blacklist so that all the packets from the attacker are discarded.

Whitelist
The whitelist prevents the specified IP addresses from being added to the blacklist and filters packets based on source IP addresses. The IP addresses in the whitelist will not be added to the static or dynamic blacklist. An entry in the whitelist is represented by the source VPN and IP address. The whitelist is applicable to the network where some devices send valid service packets that look like IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist. The entries of the whitelist on the SPU can only be manually added.

Port Mapping
The application-layer protocols use well-known ports for communication. Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against service-specific attacks. Port mapping applies to service-sensitive features such as ASPF and Network Address Translation (NAT).

For example, the FTP server 10.10.10.10 on an enterprise intranet provides the FTP service through port 2121. When accessing the FTP server through a NAT server, users must use port 2121. By default, FTP packets are identified by port 21, so the FTP packets that use port 2121 are not recognized as FTP packets. In this case, you need to map port 2121 to the FTP protocol. After port mapping, the NAT server can identify the FTP packets that use port 2121 and send them to the FTP server. In this way, users can access the FTP server.

Virtual Firewall
Recently, more small-scale private networks have been established. Most of these private networks belong to small-scale enterprises. Such enterprises have the following requirements:

- They require high security.
- They cannot afford a private security device.

Logically, the SPU can be divided into multiple virtual firewalls to serve multiple small-scale private networks. By using the virtual firewall function, an ISP can lease network security services to the enterprises. A virtual firewall integrates a VPN instance and a security instance. It provides a private routing plane and security service for the virtual firewall users. The VPN instance and the security instance are as follows:

- VPN instance: provides independent VPN routes for the users under each virtual firewall. These VPN routes are used to forward the packets received by each virtual firewall.
- Security instance: provides independent security services for the users under each virtual firewall. The security instance contains private interfaces, zones, interzones, ACL rules, and NAT rules. In addition, it provides security services such as address binding, blacklist, address translation, packet filtering, traffic statistics and monitoring, attack defense, ASPF, and NAT for the users under the virtual firewalls.

Firewall Log
The firewall records the behaviors and status of the firewall in real time. For example, the attack defense measures and the detection of malicious attacks are recorded in the firewall log. The firewall logs are categorized into the following types:

- Session log: sent to the log server in real time.
- Blacklist log: sent to the information center in real time.
- Attack log and statistics log: sent to the information center periodically.

These logs help you find out the security risk, detect attempts to violate the security policies, and learn the type of a network attack. The real-time log is also used to detect an intrusion that is under way.

Traffic Statistics and Monitoring


A firewall not only monitors data traffic, but also detects the setup of connections between internal and external networks, generates statistics, and analyzes the data. The firewall can analyze the logs by using special software after events occur. The firewall also has analysis functions that enable it to analyze data in real time.

By checking whether the number of TCP/UDP sessions initiated from external networks to the internal network exceeds the threshold, the firewall decides whether to restrict new sessions from external networks to the internal network or to restrict new sessions from an IP address in the internal network. If the firewall finds that the number of sessions in the system exceeds the threshold, it speeds up the aging of sessions. This ensures that new sessions can be set up. In this way, a DoS attack can be prevented when the system is too busy.

Figure 3-1 shows an application of the firewall. The IP address-based statistics function is enabled for the packets from external networks to the internal network. If the number of TCP sessions initiated by external networks to Web server 129.9.0.1 exceeds the threshold, the SPU forbids external networks to initiate new sessions until the number of sessions is smaller than the threshold.

Figure 3-1 Limiting the number of sessions initiated by an external server (figure: switch, Ethernet, internal network, TCP connections to Web server 129.9.0.1)

Attack Defense
With the attack defense feature, the SPU can detect various network attacks and protect the internal network against attacks.

Network attacks are classified into three types: DoS attacks, scanning and snooping attacks, and malformed packet attacks.

- DoS attack: A denial of service (DoS) attack floods a system with a large number of data packets. This prevents the system from receiving requests from authorized users or suspends the host. DoS attacks include the SYN Flood attack and the Fraggle attack. DoS attacks differ from other attacks in that the attackers do not search for an entry point into a network but prevent authorized users from accessing resources or routers.
- Scanning and snooping attack: A scanning and snooping attack identifies the existing systems on the network through ping scanning (including ICMP and TCP scanning), and then finds out potential targets. Through TCP scanning, the attackers can learn the operating system and the listening services. By scanning and snooping, an attacker can generally learn the service type and security vulnerabilities of the system and prepare for further intrusion into the system.
- Malformed packet attack: A malformed packet attack sends malformed IP packets to the system. Under such an attack, the system crashes when processing the malformed IP packets. Malformed packet attacks include Ping of Death and Teardrop.

The typical attacks on networks are as follows.

Land Attack
Land attack is to set the source and destination addresses of a TCP SYN packet to the IP address of the attacked target. The target then sends the SYN-ACK message to its own IP address, and an ACK message is sent back to the target. This forms a null session. Every null session exists until it times out. The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.

Smurf Attack
A simple Smurf attack is used to attack a network. The attacker sends an ICMP request to the broadcast address of the network. All the hosts on the network then respond to the request and the network is congested. The traffic caused by Smurf attack is one or two orders of magnitude higher than the traffic caused by ping of large packets. An advanced Smurf attack targets hosts. The attacker changes the source address of an ICMP request to the IP address of the target host. The host then crashes. To send the attack packet, certain traffic and duration are needed so as to really wage the attack. Theoretically speaking, the attack effect is more obvious when there are more hosts on the network. Fraggle attack is another form of the Smurf attack.

WinNuke Attack
WinNuke attack is to send an out-of-band (OOB) data packet to the NetBIOS port (139) of the target host running the Windows operating system. The NetBIOS fragment then overlaps and the host crashes. An Internet Group Management Protocol (IGMP) fragment packet can also damage the target host because the IGMP packet is not fragmented. An attack occurs when a host receives an IGMP packet.

SYN Flood Attack


The TCP/IP protocol stack only permits a limited number of TCP connections due to resource restrictions. SYN Flood attacks exploit this characteristic. The attacker forges a SYN packet whose source address is forged or nonexistent and originates a connection to the server. Upon receipt of this packet, the server replies with SYN-ACK. Because there is no receiver of the SYN-ACK packet, a half-connection results. If the attacker sends a large number of such packets, many half-connections are produced on the attacked host and the resources of the attacked host are exhausted; therefore, normal users cannot access the host until the half-connections expire. If connections can be created without restriction, SYN Flood has a similar effect: it consumes system resources such as memory.

ICMP and UDP Flood Attack


An ICMP or UDP Flood attacker sends a large number of ICMP packets (such as ping packets) or UDP packets to the target host in a short time and requests responses. The host is then overloaded and cannot process valid tasks.

IP Sweeping and Port Scanning Attack


In an IP address sweeping and port scanning attack, the attacker detects the IP addresses and ports of the target hosts by using scanning tools. The attacker then determines which hosts exist on the target network according to the responses, and can then find the ports that provide services.

Ping of Death Attack


The length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data field of an ICMP Echo Request packet is longer than 65507 bytes, the length of the ICMP Echo Request packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is greater than 65535 bytes. Upon receiving the packet, routers or systems may crash, stop responding, or restart due to improper processing of the packet. The so-called "Ping of Death" is an attack on a system waged by sending such oversize ICMP packets.

ICMP-Redirect and ICMP-Unreachable Attack


A network device sends an ICMP-redirect packet to the hosts on the same subnet, requesting the hosts to change their routes. However, some malicious attackers cross a network segment and send a fraudulent ICMP-redirect packet to the hosts of another network. In this way, the attackers change the routing tables of the hosts and thus interfere with the normal IP packet forwarding of the hosts.

Another type of attack is sending an ICMP-unreachable packet. After receiving an ICMP-unreachable packet for a network (code 0) or a host (code 1), some systems consider the subsequent packets sent to this destination as unreachable. The systems then disconnect the destination from the host.

Teardrop Attack
The More Fragment (MF) bit, offset field, and length field in an IP packet indicate the segment of the original packet contained in this fragment. Some systems running TCP/IP may stop running when receiving a forged fragment containing an overlap offset. The Teardrop attack uses the flaw of some systems that do not check the validity of fragment information.

Fraggle Attack
After receiving UDP packets, port 7 (ECHO) and port 19 (Chargen) can return responses. Port 7 responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a generated character string. Similar to the ICMP packet attack, the two UDP ports generate many invalid response packets, which occupy the network bandwidth.

The attacker can send a UDP packet to the destination network. The source address of the UDP packet is the IP address of the host to be attacked and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. Then, all the systems enabled with this function return packets to the target host. In this case, the high traffic volume blocks the network or the host stops responding. In addition, the systems without this function generate ICMP-unreachable packets, which also consume bandwidth. If the source port is changed to Chargen and the destination port is changed to ECHO, the systems generate response packets continuously and cause serious damage.

IP-Fragment Attack
In an IP packet, some fields are related to flag bits and fragmentation, including Fragment Offset, Length, Don't Fragment (DF), and MF. If these fields conflict and the conflict is not processed appropriately, the equipment may stop running. The fields conflict in the following cases:

- The DF bit is set together with the MF bit or with a non-zero fragment offset.
- The value of DF is 0, but the sum of Fragment Offset and Length is larger than 65535.

In addition, the device must directly discard fragmented packets destined for itself, because a large number of fragments results in a heavy load in packet caching and reassembly.

Tracert Attack
Tracert attack traces the path of an ICMP timeout packet returned when the value of Time To Live (TTL) becomes 0 and an ICMP port-unreachable packet. In this way, the attacker can know the network architecture.

3.3 Configuring Zones


All the security policies of the firewall are enforced based on zones.
3.3.1 Establishing the Configuration Task
Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.3.2 Creating a Zone
Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.
3.3.3 Adding an Interface to the Zone
You can add interfaces to the specified zone.
3.3.4 Creating an Interzone
To enable the firewall to filter packets or application-layer services in the specified interzone, you must create the interzone first.
3.3.5 Enabling Firewall in the Interzone
The configured firewall functions take effect only after the firewall is enabled in the interzone.
3.3.6 Checking the Configuration
After configuring the zones and interzone, you can view information about the zones and interzone.

3.3.1 Establishing the Configuration Task


Before configuring a zone, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Before configuring the firewall, you need to configure the zones. Then you can configure the firewall based on zones or interzones.

Pre-configuration Tasks
Before configuring a zone, complete the following task:
- Configuring the interfaces that you want to add to the zone

Data Preparation
To configure the zone, you need the following data.

No.  Data
1    Name of the zone
2    Priority of the zone
3    Interfaces that you want to add to the zone

3.3.2 Creating a Zone


Before configuring a firewall, you need to create the related zones. Then you can deploy security services according to the security priorities of the zones.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall zone zone-name

A zone is created. The SPU can be configured with up to 255 zones, and no default zone is provided.

Step 3 Run:
priority security-priority

The priority of the zone is set. You must configure a priority for a zone before making other configurations. The priority cannot be changed. The priority ranges from 0 to 254. The priorities of the zones cannot be the same. A greater value indicates a higher priority.

----End

3.3.3 Adding an Interface to the Zone


You can add interfaces to the specified zone.

Prerequisite
The zone has been created through the firewall zone command.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subinterface

The interface view is displayed. Only the XGE sub-interfaces and Eth-Trunk sub-interfaces of the SPU can be added to a zone.

Step 3 Run:
zone zone-name

The interface is added to the zone. Each zone has up to 1024 interfaces, and an interface can be added to only one zone.

----End

3.3.4 Creating an Interzone


To enable the firewall to filter packets or application-layer services in the specified interzone, you must create the interzone first.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

An interzone is created. You need to specify two existing zones for the interzone.

----End

3.3.5 Enabling Firewall in the Interzone


The configured firewall functions take effect only after the firewall is enabled in the interzone.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed. The zones zone-name1 and zone-name2 have been created through the firewall zone command.

Step 3 Run:
firewall enable

The firewall is enabled. By default, the firewall function is disabled in an interzone.

----End
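The steps of 3.3.2 to 3.3.5 carried through as one configuration session, as an added example that is not from the original guide. The zone names (trust, untrust), the priorities, and the sub-interface numbers are assumed values; lines beginning with # are annotations, not commands.

```text
# Added example (not from the guide): two zones, one interzone, firewall on.
# Zone names, priorities and sub-interface numbers are assumed values.
system-view
# Zone for the internal network; it gets the higher priority.
firewall zone trust
 priority 100
 quit
# Zone facing the Internet with a lower priority. Because of the priorities,
# untrust -> trust is the inbound direction and trust -> untrust is outbound.
firewall zone untrust
 priority 10
 quit
# Bind one SPU XGE sub-interface to each zone; an interface belongs to one zone only.
interface XGigabitEthernet0/0/1.1
 zone trust
 quit
interface XGigabitEthernet0/0/1.2
 zone untrust
 quit
# Create the interzone and enable the firewall in it. Nothing configured in the
# interzone takes effect until firewall enable has been run here.
firewall interzone trust untrust
 firewall enable
 quit
# Verify: each zone shows its priority and interfaces, the interzone shows
# "firewall enable" and the default inbound deny / outbound permit policy.
display firewall zone
display firewall interzone trust untrust
```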

3.3.6 Checking the Configuration


After configuring the zones and interzone, you can view information about the zones and interzone.

Procedure
- Run the display firewall zone [ zone-name ] [ interface | priority ] command to view information about the zones.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about the interzone.

----End

Example
Run the display firewall zone [ zone-name ] [ interface | priority ] command, and you can view information about the zones, for example:
<Quidway> display firewall zone
zone zone1
 priority is 10
 interface of the zone is (total number 1):
  XGigabitEthernet0/0/1.1
total number is : 1

Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view information about the interzone, for example:
<Quidway> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
total number is : 1

3.4 Configuring the Packet Filtering Firewall


The packet filtering firewall filters packets by using an ACL.
3.4.1 Establishing the Configuration Task
Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.4.2 Configuring ACL-based Packet Filtering in an Interzone
You can specify the direction to which the ACL is applied and the default processing mode of the packets that do not match the ACL rules.
3.4.3 Checking the Configuration
After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

3.4.1 Establishing the Configuration Task


Before configuring the ACL-based packet filtering firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules. The ACLs for filtering packet include the basic ACL, advanced ACL, and Layer 2 ACL.

Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating the basic ACL, advanced ACL, or Layer 2 ACL and configuring ACL rules

Data Preparation
To configure ACL-based packet filtering, you need the following data.

No.  Data
1    Zone names
2    ACL number
3    Packet direction to which the ACL is applied


3.4.2 Configuring ACL-based Packet Filtering in an Interzone


You can specify the direction to which the ACL is applied and the default processing mode of the packets that do not match the ACL rules.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:
packet-filter acl-number { inbound | outbound }

The ACL-based packet filtering is configured. You can configure ACL-based packet filtering in the interzone for the inbound or outbound packets.

Step 4 (Optional) Run:
packet-filter default { deny | permit } { inbound | outbound }

The default processing mode of the unmatched packets is configured. In the initial settings of the system, the outbound unmatched packets are allowed, and the inbound unmatched packets are denied. If an ACL is applied to the inbound packets or outbound packets of an interzone, the packets are filtered according to the ACL rules. If packets do not match the ACL, the default processing mode is used.
NOTE

When Layer 2 ACL is applied to the interzone, the non-Ethernet packets that do not match the ACL are discarded.

----End

3.4.3 Checking the Configuration


After the ACL-based packet filtering firewall is configured, you can view information about ACL-based packet filtering.

Procedure
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view information about packet filtering.
- Run the display acl acl-number command to view the ACL configuration.

----End

Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view information about packet filtering, for example:
<Quidway> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 2012 inbound
total number is : 1

Run the display acl acl-number command, and you can view the ACL configuration.
<Quidway> display acl 2010
Basic ACL 2010, 1 rule
Acl's step is 5
 rule 5 permit vpn-instance vpnnat (0 times matched)

3.5 Configuring the Blacklist


You can add entries to the blacklist manually or configure a dynamic blacklist. If you choose the dynamic blacklist, you need to enable the IP address scanning and port scanning defense function on the attack defense module of the SPU. When the SPU detects that the connection rate of an IP address or a port exceeds the threshold, the SPU considers that a scanning attack is occurring, and then adds the source IP address to the blacklist. Then all the packets from this source IP address are filtered out.
3.5.1 Establishing the Configuration Task
Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.5.2 Enabling the Blacklist Function
To make the entries added to the blacklist manually or dynamically effective, you must enable the blacklist function first.
3.5.3 Adding IP Addresses to the Blacklist Manually
After an IP address is added to the blacklist, the firewall denies the packets from this IP address until this entry ages.
3.5.4 Checking the Configuration
After the blacklist is configured, you can view information about the blacklist.

3.5.1 Establishing the Configuration Task


Before configuring the blacklist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The blacklist can filter out the packets sent from a specified IP address to a zone. An IP address can be added to the blacklist manually or automatically. When the attack defense module of the firewall detects an attack through the packet behavior, the firewall adds the source IP address of the packet to the blacklist. Thus, all the packets from this IP address are filtered out.

Pre-configuration Tasks
Before configuring the blacklist, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Enabling IP address scanning attack defense or port scanning attack defense if a dynamic blacklist is used

Data Preparation
To configure the blacklist, you need the following data.

No.  Data
1    IP address that you want to add to the blacklist (the VPN instance can be included)
2    (Optional) Aging time of blacklist entries

3.5.2 Enabling the Blacklist Function


To make the entries added to the blacklist manually or dynamically effective, you must enable the blacklist function first.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist enable

The blacklist function is enabled. By default, the blacklist function is disabled.

----End

3.5.3 Adding IP Addresses to the Blacklist Manually


After an IP address is added to the blacklist, the firewall denies the packets from this IP address until this entry ages.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
firewall blacklist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the blacklist. When adding an entry to the blacklist, you can set the IP address, aging time, and VPN instance. The aging time refers to the period in which the IP address is effective after it is added to the blacklist. When the IP address expires, it is released from the blacklist. If the aging time is not specified, the IP address is always valid in the blacklist. An IP address can be added to the blacklist regardless of whether the blacklist is enabled or not. That is, even though the blacklist is not enabled, you can add entries, but the entries are invalid. You can add up to 4096 entries to a blacklist.
NOTE

The blacklist entries without the aging time are written to the configuration file. The entries configured with aging time are not written to the configuration file, but you can view them by using the display firewall blacklist command.

----End

3.5.4 Checking the Configuration


After the blacklist is configured, you can view information about the blacklist.

Procedure
l Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the blacklist.

----End

Example
Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the blacklist, for example:
<Quidway> display firewall blacklist all
Firewall Blacklist Items :
-----------------------------------------------------------------------
IP-Address        Reason     Expire-Time(m)     VPN-Instance
-----------------------------------------------------------------------
10.1.1.1          Manual     100
-----------------------------------------------------------------------
total number is : 1

3.6 Configuring the Whitelist


The whitelist is applicable to the network where some devices send valid service packets that look like IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist.

3.6.1 Establishing the Configuration Task
Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.6.2 Adding Entries to the Whitelist
The entries in the whitelist take effect without enabling the whitelist function.

3.6.3 Checking the Configuration
After the whitelist is configured, you can view information about the whitelist.

3.6.1 Establishing the Configuration Task


Before configuring the whitelist, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The whitelist is applicable to the network where some devices send valid service packets that look like IP address scanning attack or port scanning attack. The whitelist prevents these devices from being added to the blacklist. If you add the VPN and IP address of a host to the whitelist, the firewall does not check the packets sent by the host that look like IP address scanning or port scanning attack, or add the IP address to the blacklist.

Pre-configuration Tasks
Before configuring the whitelist, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure the whitelist, you need the following data.
No. Data
1 IP address that you want to add to the whitelist (the VPN instance can be included)
2 (Optional) Aging time of whitelist entries

3.6.2 Adding Entries to the Whitelist


The entries in the whitelist take effect without enabling the whitelist function.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall whitelist ip-address [ vpn-instance vpn-instance-name ] [ expire-time minutes ]

An entry is added to the whitelist.



By running this command, you can add an entry to the whitelist manually. You can specify the IP address, aging time, and VPN instance when adding the entry.

The aging time refers to the period in which the IP address is effective after it is added to the whitelist. When the IP address expires, it is released from the whitelist. If the aging time is not specified, the IP address is always valid in the whitelist.

You can create up to 1024 entries in the whitelist.

----End

3.6.3 Checking the Configuration


After the whitelist is configured, you can view information about the whitelist.

Procedure
l Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view information about the whitelist.

----End

Example
Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command, and you can view information about the whitelist, for example:
<Quidway> display firewall whitelist all
Firewall Whitelist Items :
-----------------------------------------------------------------------
IP-Address        Expire-Time(m)     Vpn-Instance
-----------------------------------------------------------------------
1.1.1.1           3                  vpn1
1.1.1.2           Permanent          vpn2
1.1.1.3           6
-----------------------------------------------------------------------
total number is : 3
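The rules stated in 3.5 and 3.6 (entries can be added before the blacklist is enabled but take no effect until then, whitelist entries need no enable command, only permanent blacklist entries are written to the configuration file, the 4096 and 1024 entry limits) are small enough to model in code. The following Python is an added example, not code from this guide; the class and method names are hypothetical and the addresses used in it are constructed.

```python
"""Model of the blacklist and whitelist behaviour described in 3.5 and 3.6.

Added example, not code from the Huawei guide: class and method names are
hypothetical and the sample addresses are constructed. It encodes only the
rules the guide states:
- blacklist entries can be added before 'firewall blacklist enable' is run,
  but they deny nothing until then;
- whitelist entries need no enable command;
- an entry without an aging time is permanent and is saved to the
  configuration file; an entry with an aging time expires and is not saved;
- at most 4096 blacklist entries and 1024 whitelist entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (ip-address, vpn-instance); "" means the public instance


@dataclass
class Entry:
    reason: str                # "Manual" here; scan defense adds dynamic entries (3.11.5)
    added_at: float            # seconds
    expire_min: Optional[int]  # None = permanent

    def expired(self, now: float) -> bool:
        return self.expire_min is not None and now >= self.added_at + self.expire_min * 60

    def remaining_min(self, now: float) -> Optional[int]:
        """Whole minutes left, as shown in the Expire-Time(m) column; None = permanent."""
        if self.expire_min is None:
            return None
        elapsed_min = int((now - self.added_at) // 60)
        return max(0, self.expire_min - elapsed_min)


class FirewallLists:
    MAX_BLACKLIST = 4096
    MAX_WHITELIST = 1024

    def __init__(self) -> None:
        self.blacklist_enabled = False
        self._black: Dict[Key, Entry] = {}
        self._white: Dict[Key, Entry] = {}

    @staticmethod
    def _purge(table: Dict[Key, Entry], now: float) -> None:
        """Release entries whose aging time has elapsed."""
        for key in [k for k, e in table.items() if e.expired(now)]:
            del table[key]

    @staticmethod
    def _add(table: Dict[Key, Entry], limit: int, ip: str, vpn: str,
             expire_min: Optional[int], now: float, reason: str) -> bool:
        FirewallLists._purge(table, now)
        key = (ip, vpn)
        if key not in table and len(table) >= limit:
            return False  # table is full
        table[key] = Entry(reason, now, expire_min)
        return True

    def enable_blacklist(self) -> None:
        """'firewall blacklist enable' (3.5.2)."""
        self.blacklist_enabled = True

    def add_blacklist(self, ip: str, vpn: str = "", expire_min: Optional[int] = None,
                      now: float = 0.0, reason: str = "Manual") -> bool:
        """'firewall blacklist IP [ vpn-instance VPN ] [ expire-time MIN ]' (3.5.3)."""
        return self._add(self._black, self.MAX_BLACKLIST, ip, vpn, expire_min, now, reason)

    def add_whitelist(self, ip: str, vpn: str = "", expire_min: Optional[int] = None,
                      now: float = 0.0) -> bool:
        """'firewall whitelist IP [ vpn-instance VPN ] [ expire-time MIN ]' (3.6.2)."""
        return self._add(self._white, self.MAX_WHITELIST, ip, vpn, expire_min, now, "Manual")

    def is_denied(self, ip: str, vpn: str = "", now: float = 0.0) -> bool:
        """True when packets from ip are dropped: entry present, not aged, blacklist enabled."""
        if not self.blacklist_enabled:
            return False
        self._purge(self._black, now)
        return (ip, vpn) in self._black

    def is_whitelisted(self, ip: str, vpn: str = "", now: float = 0.0) -> bool:
        """Whitelist entries are effective as soon as they are added."""
        self._purge(self._white, now)
        return (ip, vpn) in self._white

    def config_file_lines(self) -> List[str]:
        """Blacklist lines saved to the configuration file: permanent entries only (NOTE in 3.5.3)."""
        lines = []
        for (ip, vpn), e in self._black.items():
            if e.expire_min is None:
                lines.append(f"firewall blacklist {ip}" + (f" vpn-instance {vpn}" if vpn else ""))
        return lines

    def display_blacklist(self, now: float = 0.0) -> List[Tuple[str, str, str, str]]:
        """Rows in the column order of 'display firewall blacklist all'."""
        self._purge(self._black, now)
        rows = []
        for (ip, vpn), e in self._black.items():
            rem = e.remaining_min(now)
            rows.append((ip, e.reason, "Permanent" if rem is None else str(rem), vpn))
        return rows
```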

3.7 Configuring ASPF


The ASPF function can detect the sessions that attempt to traverse the application layer and deny the undesired packets. In addition, ASPF enables the application protocols that cannot otherwise traverse firewalls to function normally.

3.7.1 Establishing the Configuration Task
Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.7.2 Configuring ASPF Detection
ASPF can detect and filter the FTP and HTTP packets at the application layer.

3.7.3 Checking the Configuration
After ASPF is configured, you can view information about ASPF.


3.7.1 Establishing the Configuration Task


Before configuring ASPF, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
When data is transmitted between two zones, ASPF checks the packets at the application layer and discards the unmatched packets.

Pre-configuration Tasks
Before configuring ASPF, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure ASPF, you need the following data.
No. Data
1 Names of the two zones
2 Type of the application protocol
3 (Optional) Aging time of the session table for each application layer protocol

3.7.2 Configuring ASPF Detection


ASPF can detect and filter the FTP and HTTP packets at the application layer.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall interzone zone-name1 zone-name2

The interzone view is displayed.

Step 3 Run:


detect aspf { all | ftp | http [ activex-blocking | java-blocking ] }

ASPF is configured. Generally, the application-layer protocol packets are exchanged between the two parties in communication, so the direction does not need to be configured. The SPU automatically checks the packets in the two directions.

By default, ASPF is not configured in the interzone.

----End

3.7.3 Checking the Configuration


After ASPF is configured, you can view information about ASPF.

Procedure
l Run the display firewall interzone [ zone-name1 zone-name2 ] command to view ASPF information of the interzone.

----End

Example
Run the display firewall interzone [ zone-name1 zone-name2 ] command, and you can view the ASPF information of the interzone, for example:
<Quidway> display firewall interzone
interzone zone2 zone1
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 detect aspf ftp
total number is : 1

3.8 Configuring Port Mapping


Port mapping defines new port numbers for different application-layer protocols, thus protecting the server against the service specific attacks.

3.8.1 Establishing the Configuration Task
Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.8.2 Configuring Port Mapping
Port mapping is to map protocols to ports based on a basic ACL.

3.8.3 Checking the Configuration
After port mapping is configured, you can view information about port mapping.

3.8.1 Establishing the Configuration Task


Before configuring port mapping, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Through port mapping, the firewall can identify packets of the application-layer protocols that use the non-well-known ports. The port mapping function can be applied to the features sensitive to application-layer protocols, such as ASPF. Port mapping is applicable to the application-layer protocols such as FTP, DNS, and HTTP.

Port mapping is implemented based on the ACL. Only the packets matching an ACL rule are mapped. Port mapping employs the basic ACL (2000 to 2999). In the ACL-based packet filtering, the SPU matches the destination IP address of the packet with the IP address configured in the basic ACL rule.
NOTE

Port mapping is applied only to the data within the interzone; therefore, when configuring port mapping, you must configure the zones and interzone.

Pre-configuration Tasks
Before configuring port mapping, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Creating the basic ACL and configuring ACL rules

Data Preparation
To configure port mapping, you need the following data.
No. Data
1 Type of application-layer protocol
2 User-defined port to be mapped
3 Number of the basic ACL

3.8.2 Configuring Port Mapping


Port mapping is to map protocols to ports based on a basic ACL.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


port-mapping { dns | ftp | http } port port-number acl acl-number

Port mapping is configured. You can map multiple ports to a protocol, or map a port to multiple protocols. The mappings, however, must be distinguished by the ACL. That is, packets matching different ACL rules use different mapping entries.
NOTE

Port mapping identifies the protocol type of the packets destined for an IP address (such as the IP address of a WWW server); therefore, when configuring the basic ACL rules, you need to match the destination IP addresses of the packets with the source IP addresses defined in ACL rules.

----End
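The NOTE above is the part of port mapping that is most often configured wrongly: the ACL's source field is compared with the packet's destination address (the server), so an ACL that lists the client subnet never matches. The Python below is an added example, not code from this guide, that models the lookup; the class names are hypothetical, the ACL rule form (action, source, wildcard) follows basic ACL rules, and the set of system-defined ports is an assumption based on the well-known ports, since the guide's output shows only dns 53.

```python
"""Port-mapping lookup as described in 3.8 (added example, not code from the guide).

The mapping entries mirror 'port-mapping { dns | ftp | http } port N acl A'.
Assumptions: the ACL rule form (action, source, wildcard), the set of
"system defined" ports, and the "user defined" type label in display().
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "system defined" mappings; assumed to be the well-known ports of the three protocols
SYSTEM_DEFINED = {"dns": 53, "ftp": 21, "http": 80}


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class AclRule:
    action: str    # "permit" or "deny"
    source: str    # the 'source' field of a basic ACL rule
    wildcard: str  # wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: str) -> bool:
        w = _ip(self.wildcard)
        return (_ip(ip) | w) == (_ip(self.source) | w)


@dataclass
class BasicAcl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 2000 <= self.number <= 2999:
            raise ValueError("port mapping uses basic ACLs 2000-2999 only")

    def permits(self, ip: str) -> bool:
        for rule in self.rules:          # first matching rule decides
            if rule.matches(ip):
                return rule.action == "permit"
        return False                     # no rule matched: the packet is not mapped


@dataclass
class Mapping:
    protocol: str
    port: int
    acl: int


class PortMapper:
    def __init__(self) -> None:
        self.acls: Dict[int, BasicAcl] = {}
        self.mappings: List[Mapping] = []

    def add_acl(self, acl: BasicAcl) -> None:
        self.acls[acl.number] = acl

    def port_mapping(self, protocol: str, port: int, acl_number: int) -> None:
        """'port-mapping { dns | ftp | http } port port-number acl acl-number'."""
        if protocol not in SYSTEM_DEFINED:
            raise ValueError("protocol must be dns, ftp or http")
        if acl_number not in self.acls:
            raise ValueError("the basic ACL must exist before it is referenced")
        self.mappings.append(Mapping(protocol, port, acl_number))

    def identify(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Protocol the SPU would assign to a packet, or None.

        The packet's DESTINATION address is tested against the SOURCE field of
        the ACL rule (NOTE in 3.8.2). The same port may map to different
        protocols as long as the ACLs separate the mappings.
        """
        for m in self.mappings:
            if m.port == dst_port and self.acls[m.acl].permits(dst_ip):
                return m.protocol
        for proto, port in SYSTEM_DEFINED.items():
            if port == dst_port:
                return proto
        return None

    def display(self, protocol: Optional[str] = None) -> List[Tuple[str, int, str, str]]:
        """Rows like 'display port-mapping': (Service, Port, Acl, Type)."""
        rows = [(p, port, "", "system defined") for p, port in SYSTEM_DEFINED.items()]
        rows += [(m.protocol, m.port, str(m.acl), "user defined") for m in self.mappings]
        return [r for r in rows if protocol is None or r[0] == protocol]
```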

3.8.3 Checking the Configuration


After port mapping is configured, you can view information about port mapping.

Procedure
l Run the display port-mapping [ dns | ftp | http | port port-number ] command to view information about port mapping.

----End

Example
Run the display port-mapping [ dns | ftp | http | port port-number ] command, and you can view information about port mapping, for example:
<Quidway> display port-mapping dns
-------------------------------------------------
Service      Port      Acl      Type
-------------------------------------------------
dns          53                 system defined
-------------------------------------------------

3.9 Configuring the Aging Time of the Firewall Session Table


3.9.1 Establishing the Configuration Task
Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.9.2 Configuring the Aging Time of the Firewall Session Table
If a session entry is not used within the specified period, the session becomes invalid.

3.9.3 Checking the Configuration
After the aging time of the firewall session table is set, you can view the aging time.

3.9.1 Establishing the Configuration Task


Before configuring the aging time of the firewall session table, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The SPU creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. The aging time is set for the session table of the firewall. If a record in the session table does not match any packet within the aging time, the system deletes the record. To change the aging time of the sessions of a protocol, you can set the aging time of the firewall session table.

Pre-configuration Tasks
Before configuring the aging time of the firewall session table, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To set the aging time of the firewall session table, you need the following data.
No. Data
1 Aging time of the session table of each application-layer protocol

3.9.2 Configuring the Aging Time of the Firewall Session Table


If a session entry is not used within the specified period, the session becomes invalid.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall-nat session { dns | ftp-ctrl | ftp-data | http | icmp | tcp | tcp-proxy | udp } aging-time time-value

The aging time of the firewall session table is set. By default, the aging time of each protocol is as follows:
l DNS: 120 seconds
l FTP-ctrl: 120 seconds
l FTP-data: 120 seconds
l HTTP: 120 seconds
l ICMP: 20 seconds
l TCP: 600 seconds
l TCP-proxy: 10 seconds
l UDP: 40 seconds
NOTE

In general, you do not need to change the aging time of a session table.

----End

3.9.3 Checking the Configuration


After the aging time of the firewall session table is set, you can view the aging time.

Procedure
l Run the display firewall-nat session aging-time command to view the aging time of the firewall session table.

----End

Example
Run the display firewall-nat session aging-time command, and you can view the aging time of the firewall session table, for example:
<Quidway> display firewall-nat session aging-time
---------------------------------------------
tcp protocol timeout      : 600 (s)
tcp-proxy timeout         : 10 (s)
udp protocol timeout      : 40 (s)
icmp protocol timeout     : 20 (s)
dns protocol timeout      : 120 (s)
http protocol timeout     : 120 (s)
ftp-ctrl protocol timeout : 120 (s)
ftp-data protocol timeout : 120 (s)
---------------------------------------------

3.10 Configuring the Transparent Firewall


A transparent firewall forwards packets to the destination VLAN at Layer 2 according to the configuration of the VLAN bridge instance, rather than routes.

3.10.1 Establishing the Configuration Task
Before configuring the transparent firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.10.2 Configuring the Transparent Firewall
The transparent firewall filters packets based on source MAC addresses, destination MAC addresses, and Ethernet types.

3.10.3 Checking the Configuration
After the transparent firewall is configured, you can view information about the transparent firewall.

3.10.1 Establishing the Configuration Task


Before configuring the transparent firewall, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
When a firewall works as a transparent firewall (also called a bridge firewall), the interfaces of the firewall cannot be configured with IP addresses or NAT. The zone where the interfaces reside is the Layer 2 zone. All the external users connected to the interfaces of the Layer 2 zone belong to the same subnet.

When transmitting packets between the interfaces of the Layer 2 zone, the SPU searches for an outbound interface according to the MAC addresses of packets. In this case, the SPU functions as a transparent bridge. Different from the bridge, the SPU forwards the received IP packets to the upper layer, and then determines whether to allow the packets to pass according to the session table or ACL rules. In addition, the SPU provides the attack defense functions.

The SPU in transparent mode supports functions such as ACL-based packet filtering, ASPF detection, attack defense check, and traffic monitoring.

Pre-configuration Tasks
Before configuring the transparent firewall, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone
l Configuring the VLAN on the interface

Data Preparation
To configure the transparent firewall, you need the following data.
No. Data
1 VLAN bridge instance ID
2 Number of the interface bound to the VLAN bridge instance

3.10.2 Configuring the Transparent Firewall


The transparent firewall filters packets based on source MAC addresses, destination MAC addresses, and Ethernet types.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


inter-vlan-bridge instance instance-id

The VLAN bridge instance is created. By default, no VLAN bridge instance is created.

Step 3 (Optional) Run:
description description

The description of the VLAN bridge instance is set. The default description is "inter-vlan-bridge instance-id."

Step 4 Run:
quit

Return to the system view.



Step 5 Run:
interface interface-type interface-number.subinterface

The sub-interface view is displayed.

Step 6 Run:


l2 binding inter-vlan-bridge instance instance-id

The sub-interface is bound to the VLAN bridge instance.

A VLAN bridge instance can be bound to up to two sub-interfaces, and the two sub-interfaces must belong to the same main interface. That is, a VLAN bridge instance contains up to two member interfaces.

When no VLAN is configured on the sub-interface, the sub-interface cannot be bound to the VLAN bridge instance. Only one VLAN can be configured on the sub-interface where you want to bind the VLAN bridge instance.

If a sub-interface is configured with an IP address or NAT, the interface cannot be bound to a VLAN bridge instance.

----End

3.10.3 Checking the Configuration


After the transparent firewall is configured, you can view information about the transparent firewall.

Procedure
l Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the transparent firewall.

----End

Example
Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command, and you can view information about the transparent firewall.

# View information about all VLAN bridge instances.
<Quidway> display inter-vlan-bridge instance
Instance ID    Member1                    Member2
--------------------------------------------------------------------
2              XGigabitEthernet0/0/1.1    NULL
3              XGigabitEthernet0/0/1.2    XGigabitEthernet0/0/1.3

3.11 Configuring the Attack Defense Function


The attack defense function of the SPU prevents attacks on the CPU. It ensures that the server operates normally even when it is attacked.

3.11.1 Establishing the Configuration Task
Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.11.2 Enabling the Attack Defense Function

3.11.3 Setting the Parameters of Flood Attack Defense

3.11.4 Configuring Large ICMP Packet Attack Defense

3.11.5 Setting Parameters of Scanning Attack Defense

3.11.6 Checking the Configuration
After the attack defense is configured, you can view information about attack defense.

3.11.1 Establishing the Configuration Task


Before configuring the attack defense function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
On the SPU, you can enable the attack defense function for the protected area. The protected area may be zones or IP addresses.

Pre-configuration Tasks
Before configuring the attack defense function, complete the following tasks:
l Configuring zones and adding interfaces to the zones
l Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure the attack defense function, you need the following data.
No. Data
1 Attack type, a specified type or all types
2 Zones or IP addresses (the VPN instance may be included) to be protected against Flood attacks (ICMP Flood, SYN Flood, and UDP Flood), and maximum session rate
3 Status of the TCP proxy that prevents SYN Flood attacks, including always enabled, always disabled, or auto enabled (automatically enabled when the session rate exceeds the threshold)
4 Timeout of blacklist and maximum session rate to prevent scanning attacks (IP address sweeping and port scanning)
5 Maximum packet length to prevent large ICMP packet attack

3.11.2 Enabling the Attack Defense Function


Context
Steps 2-19 are optional and can be performed in any sequence. You can select these steps to defend different types of attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall defend all enable

All the attack defense functions are enabled.

Step 3 Run:


firewall defend fraggle enable

The Fraggle attack defense is enabled.

Step 4 Run:


firewall defend icmp-flood enable

The ICMP Flood attack defense is enabled. After the parameters of ICMP Flood attack defense are set, you must enable the ICMP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 5 Run:
firewall defend icmp-redirect enable

The ICMP Redirect attack defense is enabled.

Step 6 Run:


firewall defend icmp-unreachable enable

The ICMP Unreachable attack defense is enabled.

Step 7 Run:


firewall defend ip-fragment enable

The IP-Fragment attack defense is enabled.

Step 8 Run:


firewall defend ip-sweep enable

The IP address sweeping attack defense is enabled. After the parameters of IP address sweeping attack defense are set, you must enable the IP address sweeping attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 9 Run:
firewall defend land enable

The Land attack defense is enabled.



Step 10 Run:
firewall defend large-icmp enable

The large ICMP packet attack defense is enabled. After the maximum length of ICMP packets is set, you must enable the large ICMP packet attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 11 Run:
firewall defend ping-of-death enable

The Ping of Death attack defense is enabled.

Step 12 Run:


firewall defend port-scan enable

The port scanning attack defense is enabled. After the parameters of port scanning attack defense are set, you must enable the port scanning attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 13 Run:
firewall defend smurf enable

The Smurf attack defense is enabled.

Step 14 Run:


firewall defend syn-flood enable

The SYN Flood attack defense is enabled. After the parameters of SYN Flood attack defense are set, you must enable the SYN Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 15 Run:
firewall defend tcp-flag enable

The TCP flag attack defense is enabled.

Step 16 Run:


firewall defend teardrop enable

The Teardrop attack defense is enabled.

Step 17 Run:


firewall defend tracert enable

The Tracert attack defense is enabled.

Step 18 Run:


firewall defend udp-flood enable

The UDP Flood attack defense is enabled. After the parameters of UDP Flood attack defense are set, you must enable the UDP Flood attack defense function; otherwise, the SPU does not detect the attack packets or take attack defense measures.

Step 19 Run:
firewall defend winnuke enable

The WinNuke attack defense is enabled.

By default, no attack defense function is enabled.

----End

3.11.3 Setting the Parameters of Flood Attack Defense


Context
Steps 2-4 are optional and can be performed in any sequence. You can select these steps to defend different types of Flood attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall defend icmp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ max-rate rate-value ] [ flow-rate rate-value ]

The parameters of ICMP Flood attack defense are set.

Step 3 Run:
firewall defend syn-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value | tcp-proxy { auto | off | on } ]

The parameters of SYN Flood attack defense are set.

Step 4 Run:
firewall defend udp-flood { ip ip-address [ vpn-instance vpn-instance-name ] | zone zone-name } [ flow-rate rate-value | max-rate rate-value ]

The parameters of UDP Flood attack defense are set.

To prevent the Flood attacks, you need to specify the zones or IP addresses to be protected; otherwise, the attack defense parameters are invalid. You can also specify the maximum session rate. When the session rate exceeds the limit, the SPU considers that an attack occurs and takes measures.

For Flood attack defense, the priority of IP addresses is higher than the priority of zones. If Flood attack defense is enabled for both a specified IP address and the zone where the IP address resides, the attack defense for the IP address takes effect. If you cancel the attack defense for the IP address, the attack defense for the zone takes effect.

By default, the maximum session rate for Flood attacks is 1000 pps, and the TCP proxy is enabled for the SYN Flood attack defense.

For the Flood attack defense, you can specify up to 4096 IP addresses to protect.

----End
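The precedence rule above (IP-level parameters win, the zone's parameters apply again when the IP entry is removed) and the dependency on the enable command from 3.11.2 decide whether a given rate is treated as an attack. The Python below is an added example, not code from this guide, that resolves those parameters; the class and method names are hypothetical, and the zone membership table passed in stands for the zone configuration, which this guide covers elsewhere.

```python
"""Flood attack defense parameter resolution as described in 3.11.3.

Added example, not code from the guide. It encodes: IP-level parameters
take priority over zone-level ones and the zone entry applies again once
the IP entry is removed; max-rate defaults to 1000 pps; the TCP proxy for
SYN Flood defaults to enabled and 'auto' switches it on only while the
rate exceeds the limit; parameters do nothing until the matching
'firewall defend <attack> enable' is run (3.11.2); at most 4096 protected
IP addresses. The ip_zone table is a stand-in for the zone configuration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_MAX_RATE = 1000      # pps, guide default
MAX_PROTECTED_IPS = 4096     # guide limit
ATTACKS = ("icmp-flood", "syn-flood", "udp-flood")
Key = Tuple[str, str]        # (ip-address, vpn-instance); "" = public instance


@dataclass
class FloodParams:
    max_rate: int = DEFAULT_MAX_RATE
    flow_rate: Optional[int] = None   # the guide gives no default; None = not set
    tcp_proxy: str = "on"             # syn-flood only: "on", "off" or "auto"


class FloodDefense:
    def __init__(self, attack: str, ip_zone: Dict[Key, str]) -> None:
        if attack not in ATTACKS:
            raise ValueError(attack)
        self.attack = attack
        self.enabled = False            # 'firewall defend <attack> enable'
        self.ip_zone = ip_zone          # which zone each address belongs to (assumed input)
        self.by_zone: Dict[str, FloodParams] = {}
        self.by_ip: Dict[Key, FloodParams] = {}

    def _params(self, **kw) -> FloodParams:
        if "tcp_proxy" in kw and self.attack != "syn-flood":
            raise ValueError("tcp-proxy is a syn-flood parameter only")
        if kw.get("tcp_proxy", "on") not in ("on", "off", "auto"):
            raise ValueError("tcp-proxy must be on, off or auto")
        return FloodParams(**kw)

    def protect_zone(self, zone: str, **kw) -> None:
        """'firewall defend <attack> zone ZONE [ max-rate N ] [ flow-rate N ] [ tcp-proxy ... ]'."""
        self.by_zone[zone] = self._params(**kw)

    def protect_ip(self, ip: str, vpn: str = "", **kw) -> bool:
        """'firewall defend <attack> ip IP [ vpn-instance VPN ] ...'; False once 4096 addresses are listed."""
        key = (ip, vpn)
        if key not in self.by_ip and len(self.by_ip) >= MAX_PROTECTED_IPS:
            return False
        self.by_ip[key] = self._params(**kw)
        return True

    def unprotect_ip(self, ip: str, vpn: str = "") -> None:
        """Cancel the IP-level entry; the zone-level entry, if any, applies again."""
        self.by_ip.pop((ip, vpn), None)

    def effective_params(self, ip: str, vpn: str = "") -> Optional[FloodParams]:
        """IP-level entry first, then the entry of the address's zone, else None."""
        if (ip, vpn) in self.by_ip:
            return self.by_ip[(ip, vpn)]
        zone = self.ip_zone.get((ip, vpn))
        return self.by_zone.get(zone) if zone is not None else None

    def evaluate(self, ip: str, vpn: str, session_pps: int) -> Tuple[str, bool]:
        """Decision for traffic towards ip at the observed new-session rate.

        Returns (verdict, tcp_proxy_active): 'not-enabled' when the defense was
        never enabled, 'not-protected' when neither the address nor its zone is
        listed, 'attack' when the rate exceeds max-rate, otherwise 'normal'.
        """
        if not self.enabled:
            return "not-enabled", False
        p = self.effective_params(ip, vpn)
        if p is None:
            return "not-protected", False
        attack = session_pps > p.max_rate
        proxy = False
        if self.attack == "syn-flood":
            proxy = p.tcp_proxy == "on" or (p.tcp_proxy == "auto" and attack)
        return ("attack" if attack else "normal"), proxy
```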

3.11.4 Configuring Large ICMP Packet Attack Defense


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall defend large-icmp max-length length

The parameter of large ICMP packet attack defense is set.

For the large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum packet length. When the length of an ICMP packet exceeds the limit, the SPU considers that an attack occurs and discards the packet.

By default, the maximum length of ICMP packet is 4000 bytes.

----End

3.11.5 Setting Parameters of Scanning Attack Defense


Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to defend different types of scanning attacks.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }

The parameters of IP address sweep attack defense are set.

Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }

The parameters of port scanning attack defense are set.

For scanning attack defense, the following two parameters need to be set:
l Maximum session rate: When the session rate of an IP address or a port exceeds the limit, the SPU considers that a scanning attack occurs, and then adds the IP address to the blacklist and denies the new sessions from the IP address or port.
l Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the SPU deletes the IP address from the blacklist and allows the new sessions from the IP address or port.
By default, the maximum session rate for IP address sweeping and port scanning attack defense is 4000 pps, and the blacklist timeout is 20 minutes.

----End
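The scanning attack defense ties three sections of this chapter together: the rate check here, the dynamic blacklist entry it creates (3.5, effective only once the blacklist is enabled) and the whitelist exemption (3.6). The Python below is an added example, not code from this guide, that runs those rules over constructed traffic; the class and method names are hypothetical, and the same class stands for either ip-sweep or port-scan since the guide gives them identical parameters.

```python
"""Scanning attack defense (3.11.5) with its blacklist (3.5) and whitelist (3.6) behaviour.

Added example, not code from the guide; names are hypothetical and the
traffic in the test is constructed. One instance stands for either
ip-sweep or port-scan: a maximum new-session rate (default 4000 pps) and a
blacklist timeout (default 20 minutes). New sessions are counted per source
address per second.
"""
from typing import Dict, List, Set, Tuple

DEFAULT_MAX_RATE = 4000              # pps, guide default
DEFAULT_BLACKLIST_EXPIRE_MIN = 20    # minutes, guide default


class ScanDefense:
    def __init__(self, max_rate: int = DEFAULT_MAX_RATE,
                 blacklist_expire_min: int = DEFAULT_BLACKLIST_EXPIRE_MIN) -> None:
        self.enabled = False             # 'firewall defend ip-sweep enable' / 'port-scan enable'
        self.blacklist_enabled = False   # 'firewall blacklist enable'
        self.max_rate = max_rate         # 'max-rate rate-value'
        self.expire_min = blacklist_expire_min   # 'blacklist-expire-time interval'
        self.whitelist: Set[str] = set()               # 'firewall whitelist IP'
        self.blacklist: Dict[str, float] = {}          # src ip -> expiry time (seconds)
        self._window: Dict[str, Tuple[int, int]] = {}  # src ip -> (second, sessions in it)

    def _blacklisted(self, src: str, now: float) -> bool:
        """An entry denies traffic only while it is not aged and the blacklist is enabled (3.5.3)."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:                # aged out: released from the blacklist
            del self.blacklist[src]
            return False
        return self.blacklist_enabled

    def new_session(self, src: str, now: float) -> str:
        """Handle one new session from src at time now (seconds): 'permit' or 'deny'."""
        if self._blacklisted(src, now):
            return "deny"
        if not self.enabled or src in self.whitelist:   # whitelisted hosts are not checked (3.6.1)
            return "permit"
        sec = int(now)
        last_sec, count = self._window.get(src, (sec, 0))
        count = count + 1 if last_sec == sec else 1
        self._window[src] = (sec, count)
        if count > self.max_rate:        # scanning attack: add src to the blacklist
            self.blacklist[src] = now + self.expire_min * 60
            self._window.pop(src, None)
            return "deny" if self.blacklist_enabled else "permit"
        return "permit"

    def blacklist_rows(self, now: float) -> List[Tuple[str, str, int]]:
        """(IP-Address, Reason, Expire-Time in whole minutes) for current dynamic entries."""
        rows = []
        for src, expiry in list(self.blacklist.items()):
            if now >= expiry:
                del self.blacklist[src]
                continue
            rows.append((src, "Scan", int((expiry - now + 59) // 60)))
        return rows
```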

3.11.6 Checking the Configuration


After the attack defense is configured, you can view information about attack defense.

Procedure
l Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view information about attack defense.

----End

Example
Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command, and you can view information about attack defense.

# View the status of each attack defense function.
<Quidway> display firewall defend flag
--------------------------------
Type               Flag
--------------------------------
land             : disable
smurf            : disable
fraggle          : disable
winnuke          : disable
syn-flood        : disable
udp-flood        : disable
icmp-flood       : disable
icmp-redirect    : disable
icmp-unreachable : disable
ip-sweep         : disable
port-scan        : disable
tracert          : disable
ping-of-death    : disable
teardrop         : disable
tcp-flag         : disable
ip-fragment      : disable
large-icmp       : disable
--------------------------------

# View the configuration of IP address sweep attack defense.


<Quidway> display firewall defend ip-sweep
defend-flag           : disable
max-rate              : 4000 (pps)
blacklist-expire-time : 20 (m)

3.12 Configuring Traffic Statistics and Monitoring


The SPU supports the traffic statistics and monitoring at the system level, zone level, and IP address level.
3.12.1 Establishing the Configuration Task
Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

3.12.2 Enabling Traffic Statistics and Monitoring
You can enable the traffic statistics and monitoring at the system level, zone level, or IP address level according to the actual situation.

3.12.3 Setting the Session Thresholds
You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring according to the actual situation.

3.12.4 Checking the Configuration
After the traffic statistics and monitoring is configured, you can view information about traffic statistics and monitoring.

3.12.1 Establishing the Configuration Task


Before configuring traffic statistics and monitoring, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
System-level traffic statistics and monitoring takes effect on all the data flows in interzones that are enabled with the firewall feature. That is, the SPU collects statistics of the ICMP, TCP, TCP proxy, and UDP sessions in the interzones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold.

The zone-based traffic statistics and monitoring takes effect on the data flows between zones. That is, the SPU counts the total number of TCP and UDP sessions between the local zone and other zones. When the number of sessions exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. The zone-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by the local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this zone.

The IP address-based traffic statistics and monitoring counts and monitors the TCP and UDP sessions set up by an IP address in the zone. When the number of sessions set up by an IP address exceeds the threshold, the SPU restricts the sessions until the number of sessions is less than the threshold. The IP address-based traffic statistics and monitoring can be configured in the inbound or outbound direction. The inbound direction means that the SPU counts and monitors the sessions initiated by the IP address in the local zone. The outbound direction means that the SPU counts and monitors the sessions destined for this IP address.

Pre-configuration Tasks
Before configuring traffic statistics and monitoring, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone

Data Preparation
To configure traffic statistics and monitoring, you need the following data.

No.  Data
1    Type of sessions to be monitored, including TCP and UDP
2    Session threshold
3    Direction of traffic statistics and monitoring

3.12.2 Enabling Traffic Statistics and Monitoring


You can enable the traffic statistics and monitoring at the system level, zone level, or IP address level according to the actual situation.

Procedure
- Enabling system-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring is enabled.
     By default, the system-level traffic statistics and monitoring is disabled.
- Enabling zone-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring is enabled.
     By default, the zone-level traffic statistics and monitoring is disabled.
- Enabling IP address-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring is enabled.
     By default, the IP address-level traffic statistics and monitoring is disabled.

----End

3.12.3 Setting the Session Thresholds


You can set the session thresholds for the system-level, zone-level, or IP address-level traffic statistics and monitoring according to the actual situation.

Procedure
- Setting the session thresholds for system-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall statistics system enable
     The system-level traffic statistics and monitoring is enabled.
     By default, the system-level traffic statistics and monitoring is disabled.
  3. Run:
     firewall statistics system connect-number { frag | icmp | tcp | tcp-proxy | udp } high high-threshold low low-threshold
     The session thresholds for the system-level traffic statistics and monitoring are set.
     For the system-level traffic statistics, you can set the threshold for each type of session. For example, you can set the threshold for TCP sessions to 500000. When the number of TCP sessions in all interzones exceeds 500000, the SPU denies all the new TCP sessions in the interzone and reports an alarm to the information center. If traffic volume falls below 75% of the threshold, the SPU generates the recovery log and sends the log to the information center.
     By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.
- Setting the session thresholds for zone-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics zone enable { inzone | outzone }
     The zone-level traffic statistics and monitoring is enabled.
     By default, the zone-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number zone { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the zone-level traffic statistics and monitoring are set.
     You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold of inbound TCP sessions to 500000. When the number of TCP sessions initiated by this zone exceeds 500000, the SPU denies new TCP sessions from this zone.
     By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.
- Setting the session thresholds for IP address-level traffic statistics and monitoring
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     firewall zone zone-name
     The zone view is displayed.
  3. Run:
     statistics ip enable { inzone | outzone }
     The IP address-level traffic statistics and monitoring is enabled.
     By default, the IP address-level traffic statistics and monitoring is disabled.
  4. Run:
     statistics connect-number ip { inzone | outzone } { icmp | tcp | udp } high high-threshold low low-threshold
     The session thresholds for the IP address-level traffic statistics and monitoring are set.
     You can set the thresholds for TCP and UDP sessions in the inbound and outbound directions respectively. For example, you can set the threshold for inbound TCP sessions to 10000. When the number of TCP sessions initiated from an IP address in the local zone exceeds 10000, the SPU denies new TCP sessions from this IP address.
     By default, the upper threshold and lower threshold for each type of protocol packets are 500000 and 450000.

----End
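The high/low threshold behaviour described in the three procedures above, as an added example that is not Huawei code: it models only what the text states (new sessions of a type are denied once the count exceeds the upper threshold and admitted again once it falls below the lower one), which shows why the gap between high and low keeps the SPU from flapping between restricted and normal on every session. The small thresholds in the demo are constructed; the class defaults are the guide's 500000/450000.

```python
"""Model of the high/low session thresholds used by traffic statistics and monitoring.

Added example, not Huawei code. The SPU's internal implementation is not published;
this reproduces only the documented behaviour: deny new sessions above 'high',
recover below 'low', with an alarm/recovery event at each transition.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SessionThreshold:
    """Thresholds for one session type, as set by 'connect-number <type> high H low L'."""
    proto: str                      # "tcp", "udp", "icmp", "tcp-proxy" or "frag"
    high: int = 500000              # guide default upper threshold
    low: int = 450000               # guide default lower threshold
    count: int = 0                  # current number of sessions of this type
    restricted: bool = False        # True while new sessions are being denied
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # (kind, proto, count)

    def open_session(self) -> bool:
        """Attempt to set up a new session; return True if admitted, False if denied."""
        if self.restricted:
            return False
        if self.count >= self.high:
            # admitting one more would exceed the upper threshold: restrict and alarm
            self.restricted = True
            self.events.append(("alarm", self.proto, self.count))
            return False
        self.count += 1
        return True

    def close_session(self) -> None:
        """Tear down a session; restriction is lifted only once count < low (hysteresis)."""
        if self.count > 0:
            self.count -= 1
        if self.restricted and self.count < self.low:
            self.restricted = False
            self.events.append(("recovery", self.proto, self.count))


def simulate(th: SessionThreshold, actions: str) -> str:
    """Replay 'o' (open attempt) / 'c' (close) actions; one 'A'(dmitted)/'D'(enied) per open."""
    result = []
    for a in actions:
        if a == "o":
            result.append("A" if th.open_session() else "D")
        elif a == "c":
            th.close_session()
    return "".join(result)


if __name__ == "__main__":
    # constructed small thresholds so the hysteresis is visible: high 5, low 3
    th = SessionThreshold("tcp", high=5, low=3)
    # 6 opens (6th denied), 2 closes (count 3, still restricted), 1 open (denied),
    # 1 close (count 2 < low, recovery), 1 open (admitted)
    print(simulate(th, "ooooooccoco"), th.events)
```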

3.12.4 Checking the Configuration


After the traffic statistics and monitoring is configured, you can view information about traffic statistics and monitoring.

Procedure
- Run the display firewall statistics system command to view information about the system-level traffic statistics and monitoring.
- Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view information about the zone-level traffic statistics and monitoring.
- Run the display firewall statistics zone-ip zone-name command to view information about the IP address-level traffic statistics and monitoring.

----End

Example
Run the display firewall statistics system command, and you can view information about the system-level traffic statistics and monitoring, for example:
<Quidway> display firewall statistics system
-------------------------------------------------------------------
Global system statistics config information
-------------------------------------------------------------------
Is enable 0 <enable : 1 disable : 0 >
---------------------------------High---------------------Low------
Tcp connect-number               500000                  450000
Udp connect-number               500000                  450000
Icmp connect-number              500000                  450000
Tcp-proxy connect-number         500000                  450000
Frag connect-number              500000                  450000
-------------------------------------------------------------------

Run the display firewall statistics zone zone-name { inzone | outzone } all command, and you can view information about the zone-level traffic statistics and monitoring.

# View the inbound packet statistics of zone1.
<Quidway> system-view
[Quidway] display firewall statistics zone zone1 inzone all
ZoneID:0 Direction:IN
InTcpSetupTotal-----------------0
InTcpTearTotal------------------0
InUdpSetupTotal-----------------0
InUdpTearTotal------------------0
InIcmpSetupTotal----------------0
InIcmpTearTotal-----------------0

Run the display firewall statistics zone-ip zone-name command, and you can view information about the IP address-level traffic statistics and monitoring.

# View the configuration of traffic monitoring in zone2.
<Quidway> display firewall statistics zone-ip zone2
-------------------------------------------------------------------
Zone statistics config information
-------------------------------------------------------------------
Zone in enable 0 <enable : 1 disable : 0>
---------------------------------High---------------------Low------
Tcp connect-number               500000                  450000
Udp connect-number               500000                  450000
Icmp connect-number              500000                  450000
-------------------------------------------------------------------
Zone out enable 0 <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number               500000                  450000
Udp connect-number               500000                  450000
Icmp connect-number              500000                  450000
-------------------------------------------------------------------
Ip in enable 0 <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number               500000                  450000
Udp connect-number               500000                  450000
Icmp connect-number              500000                  450000
-------------------------------------------------------------------
Ip out enable 0 <enable : 1 disable : 0>
-------------------------------------------------------------------
Tcp connect-number               500000                  450000
Udp connect-number               500000                  450000
Icmp connect-number              500000                  450000
-------------------------------------------------------------------

3.13 Configuring the Log Function


The logs on the firewall include session logs, statistics logs, attack defense logs, and blacklist logs.

3.13.1 Establishing the Configuration Task
Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
3.13.2 Enabling the Log Function on the Firewall
3.13.3 Setting the Parameters of Logs
The parameters of logs include the session log host, conditions of recording session logs, and interval for exporting logs.
3.13.4 Checking the Configuration
After the log function is configured on the firewall, you can view information about the logs.

3.13.1 Establishing the Configuration Task


Before configuring the log function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
The logs record the behaviors and status of the firewall to help you find out the security risk, analyze the attempts to violate the security policies, and detect the network attacks.

Pre-configuration Tasks
Before configuring the logs, complete the following tasks:
- Configuring zones and adding interfaces to the zones
- Configuring the interzone and enabling the firewall function in the interzone
- Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation
To configure the log function, you need the following data.

No.  Data
1    Type of the log
2    IP address and port number of the session log host, and the source IP address and source port number that the SPU uses to communicate with the session log host
3    Conditions of recording session logs, including the ACL number and the direction
4    (Optional) Interval for exporting the attack defense logs or statistics logs

3.13.2 Enabling the Log Function on the Firewall


Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  firewall log { all | blacklist | defend | session | statistics } enable
  The log function is enabled on the firewall. The log function can be enabled according to log types or enabled for all types of logs by using the all parameter.
  By default, the log function is disabled on a firewall.
Step 3 Run:
  firewall log session nat enable
  The NAT session log is enabled. Before running the firewall log session nat enable command, you must run the firewall log session enable command.
  By default, the NAT session log is disabled.

----End

3.13.3 Setting the Parameters of Logs


The parameters of logs include the session log host, conditions of recording session logs, and interval for exporting logs.

Context
The session logs are exported to a log host in real time; therefore, you need to configure the log host first. To configure the log host, you need to configure the IP address and port number of the log host and the IP address and port number that the SPU uses to communicate with the log host.

An ACL is referenced in the interzone view to help decide the sessions to be recorded in the logs. The ACLs can be configured for the inbound and outbound traffic respectively.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  firewall log binary-log host host-ip-address host-port source source-ip-address source-port [ vpn-instance vpn-instance-name ]
  The session log host is configured.
  By default, no session log host is configured.
Step 3 (Optional) Run:
  firewall log session out-of-band enable
  The SPU exports the session logs to the session log host through the outband interface (Ethernet 0/0/0).
  By default, the logs are not exported through Ethernet 0/0/0.
Step 4 (Optional) Run:
  firewall log { blacklist | defend | session | statistics } log-interval time
  The interval for exporting logs is set.
  By default, logs are exported every 30 seconds.
Step 5 Run:
  firewall interzone zone-name1 zone-name2
  The interzone view is displayed.
Step 6 Run:
  session-log acl-number { inbound | outbound }
  The conditions of recording session logs are configured.
  By default, no condition is configured in an interzone for recording session logs.

----End

3.13.4 Checking the Configuration


After the log function is configured on the firewall, you can view information about the logs.

Procedure
- Run the display firewall log configuration command to view information about the logs on the firewall.

----End

Example
Run the display firewall log configuration command, and you can view information about the logs on the firewall, for example:
<Quidway> display firewall log configuration
defend log :
  status       : enabled
  log-interval : 30 s
statistics log :
  status       : enabled
  log-interval : 30 s
blacklist log :
  status       : enabled
  log-interval : 30 s
session log :
  status             : enabled
  log-interval       : 30 s
  out-of-band status : disabled
  nat-session        : disabled
binary-log host :
  host          source        VPN instance-name
  ----:--       ---:--        ---

3.14 Maintaining the Firewall


3.14.1 Displaying the Firewall Configuration
3.14.2 Clearing the Statistics of the Firewall

3.14.1 Displaying the Firewall Configuration


Procedure
- Run the display firewall zone [ zone-name | interface | priority ] command to view the configurations of all zones or the specified zone.
- Run the display firewall interzone [ zone-name1 zone-name2 ] command to view the configurations of the interzone.
- Run the display firewall blacklist configuration command to view the status of the blacklist function.
- Run the display firewall blacklist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the blacklist entries.
- Run the display firewall whitelist { all | ip-address [ vpn-instance vpn-instance-name ] | vpn-instance vpn-instance-name } command to view the whitelist entries.
- Run the display firewall statistics system command to view the system-level traffic statistics.
- Run the system-view command to enter the system view, and then run the display firewall statistics zone zone-name { inzone | outzone } all command to view the zone-level traffic statistics and traffic monitoring information.
- Run the display firewall statistics zone-ip zone-name command to view the status of the traffic monitoring function and the session thresholds for each protocol.
- Run the display firewall-nat session aging-time command to view the timeout of entries in the session table.
- Run the display inter-vlan-bridge instance [ instance-id [ verbose ] ] command to view information about the VLAN bridge instance.
- Run the display port-mapping [ dns | ftp | http | port port-number ] command to view the mappings between application-layer protocols and ports.
- Run the display firewall defend { flag | { icmp-flood | syn-flood | udp-flood } [ ip [ ip-address [ vpn-instance vpn-instance-name ] ] | zone [ zone-name ] ] | other-attack-type } command to view the status and configuration of the attack defense functions.
- Run the display firewall log configuration command to view the global configuration of the log function.

----End

3.14.2 Clearing the Statistics of the Firewall


Context
To clearly view the communication packets of a device within the specified period, you can clear the previous packet statistics on the device first. Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps to clear different types of packet statistics.

Procedure
Step 1 Run:
  system-view
  The system view is displayed.
Step 2 Run:
  clear firewall statistics system normal
  The statistics about communication packets are cleared.
Step 3 Run:
  clear firewall statistics zone zone-name
  The statistics about communication packets in the zone are cleared.

----End

3.15 Configuration Examples


This section provides several configuration examples of the firewall.

3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall
This example shows the application of the ACL-based packet filtering firewall on a network. The firewall filters packets according to the source/destination IP addresses and source/destination port numbers of packets. In this way, the security of the packets is improved.
3.15.2 Example for Configuring ASPF and Port Mapping
This example shows the application of ASPF and port mapping on a network. The SPU can detect the packets of the specified application-layer protocols and discard the undesired packets.
3.15.3 Example for Configuring the Blacklist
This example shows the application of the blacklist on a network. By using a blacklist, the SPU can prevent the attacks initiated by certain IP addresses.
3.15.4 Example for Configuring the Transparent Firewall
This example shows the application of the transparent firewall on a network. The SPU forwards packets to the destination VLAN through Layer 2 according to the configuration of the VLAN bridge instance.

3.15.1 Example for Configuring the ACL-based Packet Filtering Firewall


This example shows the application of the ACL-based packet filtering firewall on a network. The firewall filters packets according to the source/destination IP addresses and source/ destination port numbers of packets. In this way, the security of the packets is improved.

Networking Requirements
As shown in Figure 3-2, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets between the internal network and the external network. The requirements are as follows:
- A host (202.39.2.3) on the external network is allowed to access the server in the internal network. Other hosts are not allowed to access the server on the internal network.

The SPU is installed in slot 5 of the S9300.

Figure 3-2 Networking of ACL-based packet filtering
[Figure: labels shown are Internal Network (FTP Server 129.38.1.2, Telnet Server 129.38.1.3, WWW Server 129.38.1.4), VLAN 10, VLAN 20, Switch ports GE1/0/10 and GE1/0/11, SPU ports XGE5/0/0 and XGE5/0/1 with Eth-Trunk0.1 and Eth-Trunk0.2, external host 202.39.2.3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.

Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit

2. Configure the SPU as follows:
[Quidway] sysname SPU
[SPU] interface Eth-trunk0
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-trunk0] quit
[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] control-vid 10 dot1q-termination
[SPU-Eth-trunk0.1] dot1q termination vid 10
[SPU-Eth-trunk0.1] ip address 129.38.1.1 255.255.255.0
[SPU-Eth-trunk0.1] arp broadcast enable
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] control-vid 20 dot1q-termination
[SPU-Eth-trunk0.2] dot1q termination vid 20
[SPU-Eth-trunk0.2] ip address 202.38.160.1 255.255.0.0
[SPU-Eth-trunk0.2] arp broadcast enable
[SPU-Eth-trunk0.2] quit

Step 2 Configure zones and the interzone on the SPU.


[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.
[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] zone trust
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] zone untrust
[SPU-Eth-trunk0.2] quit

Step 4 Configure an ACL on the SPU.


[SPU] acl 3102
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[SPU-acl-adv-3102] rule deny ip
[SPU-acl-adv-3102] quit

Step 5 Configure packet filtering on the SPU.


[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 3102 inbound
[SPU-interzone-trust-untrust] quit

Step 6 Verify the configuration.
After the configuration, only the specified host (202.39.2.3) can access the server on the internal network.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
interzone trust untrust
 firewall enable
 packet-filter default deny inbound
 packet-filter default permit outbound
 packet-filter 3102 inbound

----End
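An offline check of the inbound filter configured in this example, as an added example that is not Huawei code: it models VRP-style advanced ACL rules (wildcard masks, first match in rule-number order, the interzone inbound default of deny when nothing matches) and evaluates ACL 3102 for the hosts and servers above. Rule numbers 5/10/15/20 are the ones in the example's configuration file; the 202.39.2.9 test host is constructed.

```python
"""Evaluate the example's inbound packet filter (ACL 3102, interzone trust/untrust) offline.

Added example, not Huawei code. Models: wildcard masks (1 bit = don't care, wildcard 0
= exact host), first-match evaluation in rule-number order, and the inbound default of
deny applied when no rule matches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Tuple

AddrSpec = Optional[Tuple[str, str]]   # (address, wildcard); None matches any address


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: AddrSpec = None
    dst: AddrSpec = None


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """Compare only the bits that are 0 in the wildcard (VRP wildcard semantics)."""
    if spec is None:
        return True
    base, wild = spec
    care = ~int(IPv4Address(wild)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, matching rule number or None).

    'default' is the interzone packet-filter default for the direction (inbound deny
    in this example), used when no rule matches, e.g. for an empty ACL.
    """
    for rule in sorted(acl, key=lambda r: r.number):
        if (rule.proto in ("ip", proto)
                and wildcard_match(src, rule.src)
                and wildcard_match(dst, rule.dst)):
            return rule.action, rule.number
    return default, None


# ACL 3102 as listed in the example configuration file (wildcard "0" is 0.0.0.0).
ACL_3102 = [
    Rule(5,  "permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.2", "0.0.0.0")),
    Rule(10, "permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.3", "0.0.0.0")),
    Rule(15, "permit", "tcp", ("202.39.2.3", "0.0.0.0"), ("129.38.1.4", "0.0.0.0")),
    Rule(20, "deny",   "ip"),
]


def reachability(acl: List[Rule], sources: Iterable[str], servers: Iterable[str],
                 proto: str = "tcp") -> Dict[Tuple[str, str], str]:
    """{(src, dst): action} for every source/server pair, to review the filter as a whole."""
    return {(s, d): evaluate(acl, proto, s, d)[0] for s in sources for d in servers}


if __name__ == "__main__":
    servers = ["129.38.1.2", "129.38.1.3", "129.38.1.4"]
    # 202.39.2.9 is a constructed "other host" on the external network
    for (s, d), action in reachability(ACL_3102, ["202.39.2.3", "202.39.2.9"], servers).items():
        print(f"tcp {s} -> {d}: {action}")
    # the permitted host is still denied for non-TCP traffic: only tcp rules precede 'deny ip'
    print("udp 202.39.2.3 -> 129.38.1.2:", evaluate(ACL_3102, "udp", "202.39.2.3", "129.38.1.2"))
```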

Configuration Files
- Configuration file of the SPU
#
 sysname SPU
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Eth-trunk0
#
interface XGigabitEthernet 0/0/1
 Eth-trunk0
#
interface XGigabitEthernet 0/0/2
 Eth-trunk0
#
interface Eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 129.38.1.1 255.255.255.0
 zone trust
#
interface Eth-trunk0.2
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.160.1 255.255.0.0
 zone untrust
#
return

- Configuration file of the S9300
#
vlan batch 10 20
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface XGigabitEthernet 5/0/0
 Eth-Trunk 0
#
interface XGigabitEthernet 5/0/1
 Eth-Trunk 0
#
return

3.15.2 Example for Configuring ASPF and Port Mapping


This example shows the application of ASPF and port mapping on a network. The SPU can detect the packets of the specified application-layer protocols and discard the undesired packets.

Networking Requirements
As shown in Figure 3-3, Eth-Trunk0.1 of the SPU is connected to an internal network with high security, and Eth-Trunk0.2 is connected to the external network with low security. The SPU must filter the communication packets and perform ASPF check between the internal network and the external network. The requirements are as follows:
- A host (202.39.2.3) on the external network is allowed to access the server in the internal network. Other hosts are not allowed to access the server on the internal network.
- The SPU checks the FTP status of the connections and filters the undesired packets.
- The packets from the external host are sent to the FTP server through port 2121, which is used as the port of the FTP protocol.

The SPU is installed in slot 5 of the S9300.


Figure 3-3 Networking of ASPF and port mapping
[Figure: labels shown are Internal Network (FTP Server 129.38.1.2, Telnet Server 129.38.1.3, WWW Server 129.38.1.4), VLAN 10, VLAN 20, Switch ports GE1/0/10 and GE1/0/11, SPU ports XGE5/0/0 and XGE5/0/1 with Eth-Trunk0.1 and Eth-Trunk0.2, external host 202.39.2.3]

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Configure an ACL.
5. Configure ACL-based packet filtering in the interzone.
6. Configure ASPF in the interzone.
7. Map port 2121 to the HTTP protocol.

Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
[Quidway] vlan 10
[Quidway-vlan10] quit
[Quidway] interface gigabitethernet 1/0/10
[Quidway-GigabitEthernet1/0/10] port link-type access
[Quidway-GigabitEthernet1/0/10] port default vlan 10
[Quidway-GigabitEthernet1/0/10] quit
[Quidway] vlan 20
[Quidway-vlan20] quit
[Quidway] interface gigabitethernet 1/0/11
[Quidway-GigabitEthernet1/0/11] port link-type access
[Quidway-GigabitEthernet1/0/11] port default vlan 20
[Quidway-GigabitEthernet1/0/11] quit
[Quidway] interface Eth-Trunk 0
[Quidway-Eth-Trunk0] port link-type trunk
[Quidway-Eth-Trunk0] port trunk allow-pass vlan 10 20
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk0] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk0] quit

2. Configure the SPU as follows:
[Quidway] sysname SPU
[SPU] interface Eth-trunk0
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-trunk0] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-trunk0] quit
[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] control-vid 10 dot1q-termination
[SPU-Eth-trunk0.1] dot1q termination vid 10
[SPU-Eth-trunk0.1] ip address 129.38.1.1 255.255.255.0
[SPU-Eth-trunk0.1] arp broadcast enable
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] control-vid 20 dot1q-termination
[SPU-Eth-trunk0.2] dot1q termination vid 20
[SPU-Eth-trunk0.2] ip address 202.38.160.1 255.255.0.0
[SPU-Eth-trunk0.2] arp broadcast enable
[SPU-Eth-trunk0.2] quit

Step 2 Configure zones and the interzone on the SPU.


[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.


[SPU] interface Eth-trunk0.1
[SPU-Eth-trunk0.1] zone trust
[SPU-Eth-trunk0.1] quit
[SPU] interface Eth-trunk0.2
[SPU-Eth-trunk0.2] zone untrust
[SPU-Eth-trunk0.2] quit

Step 4 Configure ACLs on the SPU.


[SPU] acl 2102
[SPU-acl-basic-2102] rule permit source 129.38.1.2 0.0.0.0
[SPU-acl-basic-2102] quit
[SPU] acl 3102
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.2 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.3 0.0.0.0
[SPU-acl-adv-3102] rule permit tcp source 202.39.2.3 0.0.0.0 destination 129.38.1.4 0.0.0.0
[SPU-acl-adv-3102] rule deny ip
[SPU-acl-adv-3102] quit

Step 5 Configure packet filtering on the SPU.


[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 3102 inbound
[SPU-interzone-trust-untrust] quit

Step 6 Configure ASPF on the SPU.


[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] detect aspf ftp
[SPU-interzone-trust-untrust] quit

Step 7 Configure port mapping on the SPU.


[SPU] port-mapping ftp port 2121 acl 2102

Step 8 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter 3102 inbound
  packet-filter default permit inbound
  detect aspf ftp

Run the display port-mapping { dns | ftp | http | port port-number } command on the SPU, and the result is as follows:
[SPU] display port-mapping ftp
-------------------------------------------------
Service    Port    Acl     Type
-------------------------------------------------
ftp        21              system defined
ftp        2121    2102    user defined
-------------------------------------------------

----End

Configuration Files
- Configuration file of the SPU

#
 sysname SPU
#
acl number 2102
 rule 5 permit source 129.38.1.2 0
#
acl number 3102
 rule 5 permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
 rule 10 permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
 rule 15 permit tcp source 202.39.2.3 0 destination 129.38.1.4 0
 rule 20 deny ip
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 detect aspf ftp
 packet-filter 3102 inbound
#
port-mapping ftp port 2121 acl 2102
#
interface Eth-trunk0
#
interface XGigabitEthernet 0/0/1
 eth-trunk 0
#
interface XGigabitEthernet 0/0/2
 eth-trunk 0
#
interface Eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 129.38.1.1 255.255.255.0
 arp broadcast enable
 zone trust
#
interface Eth-trunk0.2
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.160.1 255.255.0.0
 arp broadcast enable
 zone untrust
#
return

- Configuration file of the S9300

#
vlan batch 10 20
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 20
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface XGigabitEthernet 5/0/0
 eth-trunk 0
#
interface XGigabitEthernet 5/0/1
 eth-trunk 0
#
return

3.15.3 Example for Configuring the Blacklist


This example shows the application of the blacklist on a network. By using a blacklist, the SPU can prevent the attacks initiated by certain IP addresses.

Networking Requirements
As shown in Figure 3-4, Eth-Trunk1.1 of the SPU is connected to an internal network with high security, and Eth-Trunk1.2 is connected to the external network with low security. The SPU needs to apply the IP address sweeping defense and blacklist policies to the packets from the Internet to the enterprise intranet. If the SPU finds that an IP address attacks the enterprise intranet through IP address sweeping, it adds the IP address to the blacklist. The maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes. When the SPU detects that IP address 202.39.1.2 attacks the enterprise intranet multiple times, you can add the IP address to the blacklist manually. Then the IP address will always be in the blacklist. The SPU is installed in slot 5 of the S9300. The flows on the S9300 need to be imported to the SPU through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.

Figure 3-4 Networking of blacklist configuration
(Figure: the server and the enterprise network in VLAN 101 reach the SPU through GE2/0/1 of the switch and sub-interface Eth-Trunk1.1; the external network in VLAN 102 reaches the SPU through GE2/0/2 and sub-interface Eth-Trunk1.2; the SPU in slot 5 is attached through XGE5/0/0 and XGE5/0/1.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Enable the blacklist function.
5. Add entries to the blacklist.
6. Enable the defense against IP address sweeping or port scanning attack.
7. Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.

Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit

2. Configure the SPU as follows:

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 201.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit


Step 2 Configure zones and the interzone on the SPU.


[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.


[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] zone trust
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] zone untrust
[SPU-Eth-Trunk1.2] quit

Step 4 Enable the blacklist function.


[SPU] firewall blacklist enable

Step 5 Add an entry to the blacklist.


[SPU] firewall blacklist 202.39.1.2

Step 6 Enable the IP address sweeping and port scanning attack defense.
[SPU] firewall defend ip-sweep enable
[SPU] firewall defend port-scan enable

Step 7 Configure the maximum session rate and blacklist timeout for the defense against IP address sweeping or port scanning attack.
[SPU] firewall defend ip-sweep max-rate 5000
[SPU] firewall defend ip-sweep blacklist-expire-time 30
[SPU] firewall defend port-scan max-rate 5000
[SPU] firewall defend port-scan blacklist-expire-time 30

Step 8 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter default permit inbound

Run the display firewall blacklist all command on the SPU, and the result is as follows:
[SPU] display firewall blacklist all
 Firewall Blacklist Items :
 ------------------------------------------------------------------------
 IP-Address         Reason        Expire-Time(m)        VPN-Instance
 ------------------------------------------------------------------------
 202.39.1.2         Manual        Permanent
 ------------------------------------------------------------------------
 total number is : 1

----End
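The following is an added illustration of the blacklist semantics this example configures; it is not Huawei SPU code and does not reproduce the SPU's internal algorithm. It models, over constructed session events, how a source that exceeds max-rate is blacklisted for blacklist-expire-time minutes while a manually added entry (202.39.1.2 above) stays permanent. The definitions of an IP sweep (one source opening sessions to more than max-rate distinct destination addresses within one second) and a port scan (one source opening sessions to more than max-rate distinct ports on one destination within one second), the event format and all traffic are assumptions made for the demo.

```python
"""Added illustration of SPU blacklist / ip-sweep / port-scan semantics.
Not Huawei code. Sweep and scan definitions, event format and traffic are
constructed assumptions. Standard library only."""
from collections import defaultdict


class Blacklist:
    """ip -> (reason, expiry timestamp, or None for a permanent entry)."""

    def __init__(self):
        self._entries = {}

    def add_manual(self, ip):
        # Equivalent of 'firewall blacklist <ip>': never expires.
        self._entries[ip] = ("Manual", None)

    def add_detected(self, ip, reason, now, expire_minutes):
        # A permanent manual entry is never downgraded to a timed one.
        if ip in self._entries and self._entries[ip][1] is None:
            return
        self._entries[ip] = (reason, now + expire_minutes * 60)

    def is_blocked(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return False
        _, expiry = entry
        if expiry is not None and now >= expiry:
            del self._entries[ip]  # aged out: the source is admitted again
            return False
        return True

    def display(self, now):
        """Rows in the shape of 'display firewall blacklist all'."""
        rows = []
        for ip, (reason, expiry) in self._entries.items():
            left = "Permanent" if expiry is None else str(int((expiry - now) // 60))
            rows.append((ip, reason, left))
        return rows


class ScanDefense:
    """Per-source, per-second counters that feed the blacklist."""

    def __init__(self, blacklist, max_rate=5000, expire_minutes=30):
        self.bl = blacklist
        self.max_rate = max_rate            # 'firewall defend ... max-rate'
        self.expire_minutes = expire_minutes  # '... blacklist-expire-time'
        self._win = {}  # src -> [second, set(dst ips), {dst ip: set(ports)}]

    def new_session(self, src, dst, dport, now):
        """Returns 'permit' or 'drop' for a new session opened by src."""
        if self.bl.is_blocked(src, now):
            return "drop"
        sec = int(now)
        win = self._win.get(src)
        if win is None or win[0] != sec:  # counters live in a one-second window
            win = [sec, set(), defaultdict(set)]
            self._win[src] = win
        _, dsts, ports = win
        dsts.add(dst)
        ports[dst].add(dport)
        if len(dsts) > self.max_rate:
            self.bl.add_detected(src, "IP-Sweep", now, self.expire_minutes)
            return "drop"
        if len(ports[dst]) > self.max_rate:
            self.bl.add_detected(src, "Port-Scan", now, self.expire_minutes)
            return "drop"
        return "permit"


def blacklist_demo():
    """Constructed traffic: the manual entry from Step 5, one normal client,
    a sweeper touching 5001 hosts and a scanner touching 5001 ports."""
    bl = Blacklist()
    bl.add_manual("202.39.1.2")
    defense = ScanDefense(bl, max_rate=5000, expire_minutes=30)
    t0 = 1_000_000.0
    out = {}
    out["manual"] = defense.new_session("202.39.1.2", "201.0.0.10", 80, t0)
    out["normal"] = defense.new_session("202.0.0.50", "201.0.0.10", 80, t0)
    sweep = [defense.new_session("202.0.0.66", f"201.0.{i // 256}.{i % 256}", 80, t0 + i * 1e-4)
             for i in range(5001)]
    out["sweep_first"], out["sweep_last"] = sweep[0], sweep[-1]
    scan = [defense.new_session("202.0.0.77", "201.0.0.10", 1 + i, t0 + i * 1e-4)
            for i in range(5001)]
    out["scan_last"] = scan[-1]
    out["sweep_still_blocked"] = defense.new_session("202.0.0.66", "201.0.0.1", 80, t0 + 600)
    out["sweep_expired"] = defense.new_session("202.0.0.66", "201.0.0.1", 80, t0 + 31 * 60)
    out["manual_still_blocked"] = defense.new_session("202.39.1.2", "201.0.0.10", 80, t0 + 31 * 60)
    out["rows"] = bl.display(t0)
    return out


if __name__ == "__main__":
    for key, value in blacklist_demo().items():
        print(key, value)
```

The point worth taking from the model is the interaction of the two entry types: a detected entry is released when its timer runs out, whereas the manual entry for 202.39.1.2 is still dropped after the sweeper has been admitted again, and a later detection of the manually listed address does not shorten its lifetime.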

Configuration Files
- Configuration file of the SPU

#
 sysname SPU
#
interface Eth-Trunk1
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
#
firewall blacklist enable
firewall blacklist 202.39.1.2
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend ip-sweep max-rate 5000
firewall defend ip-sweep blacklist-expire-time 30
firewall defend port-scan max-rate 5000
firewall defend port-scan blacklist-expire-time 30
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 201.0.0.1 255.255.255.0
 arp broadcast enable
 zone trust
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.0.0.1 255.255.255.0
 arp broadcast enable
 zone untrust
#
return

- Configuration file of the S9300

#
vlan batch 101 to 102
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface Eth-Trunk 1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

3.15.4 Example for Configuring the Transparent Firewall


This example shows the application of the transparent firewall on a network. The SPU forwards packets to the destination VLAN through Layer 2 according to the configuration of the VLAN bridge instance.

Networking Requirements
As shown in Figure 3-5, PC A and PC B are in different VLANs. The VLAN bridge instance is configured between the VLANs, and the SPU performs Layer 2 forwarding between them. PC A in the trust zone can access the resources in the untrust zone. The MAC address of PC A is 000f-1f7e-fec5. The SPU is installed in slot 5 of the S9300.

Figure 3-5 Networking of transparent firewall configuration
(Figure: PC A, MAC 000f-1f7e-fec5, in VLAN 101 on the trust side, connected through GE2/0/1 of the switch to sub-interface Eth-Trunk1.1; PC B in VLAN 102 on the untrust side, connected through GE2/0/2 to sub-interface Eth-Trunk1.2; the SPU is attached through XGE5/0/0 and XGE5/0/1.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU.
2. Configure zones and the interzone.
3. Add interfaces to the zones.
4. Add interfaces to VLANs.
5. Configure the VLAN bridge instance.
6. Bind the VLAN bridge instance to sub-interfaces.
7. Configure an ACL.
8. Configure packet filtering.

Procedure
Step 1 Import flows from the S9300 to the SPU.
1. Configure the S9300 as follows:
<Quidway> system-view
[Quidway] vlan batch 101 to 102
[Quidway] interface GigabitEthernet2/0/1
[Quidway-GigabitEthernet2/0/1] port link-type trunk
[Quidway-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[Quidway-GigabitEthernet2/0/1] quit
[Quidway] interface GigabitEthernet2/0/2
[Quidway-GigabitEthernet2/0/2] port link-type trunk
[Quidway-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[Quidway-GigabitEthernet2/0/2] quit
[Quidway] interface Eth-Trunk 1
[Quidway-Eth-Trunk1] port link-type trunk
[Quidway-Eth-Trunk1] port trunk allow-pass vlan 101 to 102
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/0
[Quidway-Eth-Trunk1] trunkport XGigabitEthernet 5/0/1
[Quidway-Eth-Trunk1] quit

2. Configure the SPU as follows:

<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/1
[SPU-Eth-Trunk1] trunkport XGigabitEthernet 0/0/2
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit

Step 2 Configure zones and the interzone on the SPU.


[SPU] firewall zone trust
[SPU-zone-trust] priority 100
[SPU-zone-trust] quit
[SPU] firewall zone untrust
[SPU-zone-untrust] priority 1
[SPU-zone-untrust] quit
[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] firewall enable
[SPU-interzone-trust-untrust] quit

Step 3 Add the interfaces of the SPU to zones.


[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] zone trust
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] zone untrust
[SPU-Eth-Trunk1.2] quit

Step 4 Configure the VLAN bridge instance on the SPU.


[SPU] inter-vlan-bridge instance 127

Step 5 Bind the VLAN bridge instance to the sub-interfaces of the SPU.
[SPU] interface Eth-Trunk1.1
[SPU-Eth-Trunk1.1] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] l2 binding inter-vlan-bridge instance 127
[SPU-Eth-Trunk1.2] quit


Step 6 Configure an ACL.


[SPU] acl 4101
[SPU-acl-L2-4101] rule permit source-mac 000f-1f7e-fec5 l2-protocol ip
[SPU-acl-L2-4101] quit

Step 7 Configure packet filtering.


[SPU] firewall interzone trust untrust
[SPU-interzone-trust-untrust] packet-filter 4101 outbound
[SPU-interzone-trust-untrust] quit

Step 8 Verify the configuration.
Run the display firewall interzone [ zone-name1 zone-name2 ] command on the SPU, and the result is as follows:
[SPU] display firewall interzone trust untrust
 interzone trust untrust
  firewall enable
  packet-filter default permit outbound
  packet-filter 4101 outbound
  packet-filter default permit inbound

Note that ACL 4101 contains only a permit rule, and the output shows that the default action for outbound packets in this interzone is permit. Frames from other MAC addresses in the trust zone therefore match no rule and are still forwarded by the default action. To let only PC A through, append a deny rule to ACL 4101 (as ACL 3102 in the preceding example ends with rule deny ip) or set the default outbound action of the interzone to deny.

----End

Configuration Files
- Configuration file of the SPU

#
 sysname SPU
#
interface Eth-Trunk 1
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
firewall zone trust
 priority 100
#
firewall zone untrust
 priority 1
#
acl number 4101
 rule permit source-mac 000f-1f7e-fec5 l2-protocol ip
#
firewall interzone trust untrust
 firewall enable
 packet-filter 4101 outbound
#
inter-vlan-bridge instance 127
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 arp broadcast enable
 l2 binding inter-vlan-bridge instance 127
 zone trust
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 arp broadcast enable
 l2 binding inter-vlan-bridge instance 127
 zone untrust

#
return

- Configuration file of the S9300

#
vlan batch 101 to 102
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4 NAT Configuration

About This Chapter

Network Address Translation (NAT) translates between private and public addresses. It alleviates the shortage of IPv4 addresses and hides the topology of the private network from the outside, which improves network security.

4.1 NAT Overview
NAT enables hosts on a private network to access the public network.

4.2 NAT Features Supported by the SPU
The SPU supports the following NAT features: static NAT, Port Address Translation (PAT), internal server, NAT Application Level Gateway (ALG), Easy IP, twice NAT, and NAT multi-instance.

4.3 Configuring NAT
To implement communication between the private network and the public network through NAT, you can use Easy IP for a single user and the address pool for multiple users.

4.4 Configuration Examples
This section provides several configuration examples of NAT.


4.1 NAT Overview


NAT enables hosts on a private network to access the public network.

Private Network Address and Public Network Address


A private network address, which is also called a private address, is an IP address used only inside an internal network or on its hosts. A public network address, which is also called a public address, is an IP address that is unique on the Internet. The Internet Assigned Numbers Authority (IANA) defines the following IP address ranges as private addresses:
- Class A: 10.0.0.0-10.255.255.255
- Class B: 172.16.0.0-172.31.255.255
- Class C: 192.168.0.0-192.168.255.255

After planning the scale of the intranet, an enterprise chooses the proper private address segment for the intranet. The private address segments of different enterprises can overlap each other. If an intranet uses IP addresses outside the defined private address segments, they may collide with public addresses and cause errors during communication with other networks.

Principle of NAT
As shown in Figure 4-1, the private address must be translated when a host on a private network accesses the Internet or interworks with hosts on a public network.

Figure 4-1 Networking of NAT
(Figure: the internal network with PC 10.1.1.10, WWW client 10.1.1.48 and further PCs, the SPU with public address 203.196.3.23, and the WWW server 202.18.245.251 on the external network.)

The private network uses network segment 10.0.0.0 and its public address is 203.196.3.23. The host 10.1.1.48 on the private network accesses the server 202.18.245.251 on the public network in Web mode. The host sends a data packet, using port 6084 as the source port and port 80 as the destination port. After the address is translated, the source address/port of the packet is changed to 203.196.3.23:32814, and the destination address/port remains unchanged. The SPU maintains a mapping table between addresses and ports. After the Web server responds to the host, the SPU translates the destination IP address/port in the returned data packet to 10.1.1.48:6084. In this manner, the host on the private network can access the server on the public network.

4.2 NAT Features Supported by the SPU


The SPU supports the following NAT features: static NAT, Port Address Translation (PAT), internal server, NAT Application Level Gateway (ALG), Easy IP, twice NAT, and NAT multi-instance.

Static NAT
Static NAT maps one private address to one public address, so the number of private addresses equals the number of public addresses. Static NAT does not conserve public addresses, but it hides the topology of the private network. When a packet is sent from the private network to the public network, static NAT translates the source IP address of the packet to the public address. When the public network returns a response, static NAT translates the destination IP address of the response packet back to the private address.

PAT
PAT, which is also called network address port translation (NAPT), maps multiple private addresses to one public address and therefore conserves public addresses. PAT translates the source IP addresses of packets from hosts on the private network to the same public address but assigns each flow a different translated source port, so the private addresses can share one public address. The PAT-enabled device keeps a mapping table between private address/port pairs and translated ports. Before packets from different private addresses are sent to the public network, their source addresses are replaced with the same public address and their source port numbers with different port numbers. When the public network returns response packets, the PAT-enabled device looks up the destination port number in the table and translates the destination IP address/port back to the private address/port. Figure 4-2 shows the networking of PAT.

Figure 4-2 Networking of PAT
(Figure: hosts 192.168.1.3 and 192.168.1.2 behind the SPU are both translated to public address 202.169.10.1 with distinct source ports.)
Datagram 1: Src IP 192.168.1.3, Src Port 23 -> Src IP 202.169.10.1, Src Port 10023
Datagram 2: Src IP 192.168.1.3, Src Port 80 -> Src IP 202.169.10.1, Src Port 10080
Datagram 3: Src IP 192.168.1.2, Src Port 23 -> Src IP 202.169.10.1, Src Port 11023
Datagram 4: Src IP 192.168.1.2, Src Port 80 -> Src IP 202.169.10.1, Src Port 11080
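The following is an added example, not SPU code, of the NAPT mapping table that both the walkthrough in 4.1 (10.1.1.48:6084 becoming 203.196.3.23:32814) and the PAT section above describe. It translates outbound packets to the single public address with a unique source port, restores replies from the table, and shows the consequence of statefulness: an inbound packet with no matching entry is dropped. Sequential port allocation starting at 32814, keying a session on the full 5-tuple (so a packet from a different remote endpoint never matches), and the dict packet representation are assumptions of the demo.

```python
"""Added NAPT (PAT) mapping-table example. Not Huawei SPU code; port
allocation policy, 5-tuple keying and packet format are assumptions."""


class Napt:
    def __init__(self, public_ip, first_port=32814, last_port=65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self._out = {}  # (proto, priv_ip, priv_port, dst_ip, dst_port) -> translated port
        self._in = {}   # (proto, translated port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def _alloc_port(self):
        # Assumption: sequential allocation; a real device recycles idle entries.
        if self._next_port > self._last_port:
            raise RuntimeError("translated port range exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt):
        """Private -> public: rewrite src address/port, remember the mapping."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = self._alloc_port()
            self._out[key] = pub_port
            self._in[(pkt["proto"], pub_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Public -> private: restore dst address/port from the table; None means drop."""
        priv = self._in.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if priv is None:
            return None  # no session was opened from inside: unsolicited traffic is discarded
        return dict(pkt, dst=priv[0], dport=priv[1])


def napt_demo():
    """Replays the 4.1 walkthrough, then a second host reusing the same source port."""
    nat = Napt("203.196.3.23")
    http = {"proto": "tcp", "dst": "202.18.245.251", "dport": 80}
    out1 = nat.outbound(dict(http, src="10.1.1.48", sport=6084))
    reply = nat.inbound({"proto": "tcp", "src": "202.18.245.251", "sport": 80,
                         "dst": "203.196.3.23", "dport": out1["sport"]})
    again = nat.outbound(dict(http, src="10.1.1.48", sport=6084))  # same flow, same mapping
    out2 = nat.outbound(dict(http, src="10.1.1.10", sport=6084))   # other host, new port
    # Constructed unsolicited packet aimed at the translated port from a different peer.
    stray = nat.inbound({"proto": "tcp", "src": "198.51.100.9", "sport": 4444,
                         "dst": "203.196.3.23", "dport": out1["sport"]})
    return out1, reply, again, out2, stray


if __name__ == "__main__":
    for pkt in napt_demo():
        print(pkt)
```

Because the reverse lookup includes the remote address and port, a host on the public network cannot reach 10.1.1.48 simply by guessing the translated port; it has to be the peer the session was opened to. Devices that key only on the translated port are more permissive, which matters when NAT is relied on as a security boundary.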

Internal Server
NAT hides internal hosts from the public network. In some applications, however, users on the public network need to reach an internal host, for example a Web server or a file transfer protocol (FTP) server. NAT lets you publish internal servers flexibly: for example, use 202.110.10.10, or even 202.110.10.12:8080, as the public address of the Web server and 202.110.10.11 as the public address of the FTP server. You can also publish several identical servers, such as a group of Web servers, to external users. To do so, configure an internal server and map the corresponding public address and port to it; hosts on the public network can then access the internal server through the public address.

Easy IP
Easy IP takes the public IP address of the interface as the source address after NAT is performed. In addition, it uses the Access Control List (ACL) to control the private addresses to be translated.

NAT ALG
Application protocols that carry an IP address or port number inside the packet payload (for example the FTP data connection and DNS answers) do not work across NAT as is, because NAT translates only the packet headers and the addresses in the payload still refer to the private side. The NAT ALG function handles NAT traversal for these protocols: it rewrites the IP address and port number in the payload so that the protocol packets can be transparently transmitted and relayed. Currently, the NAT ALG of the SPU supports the domain name system (DNS) and FTP.


Twice NAT
The basic NAT technology translates only the source or destination address of packets, whereas the twice NAT technology translates both the source and destination addresses of packets. The twice NAT technology is applicable to the scenario where IP addresses of hosts on private and public networks are overlapped. As shown in Figure 4-3, the IP address of PC1 on the private network is the same as the IP address of PC3 on the public network. If PC2 on the private network sends a packet to PC3, the packet will be incorrectly forwarded to PC1. On the SPU, the twice NAT technology configures the mapping between the overlapped address pool and the temporary address pool based on basic NAT. The overlapped IP address is translated to a unique temporary address so that packets can be forwarded correctly. Figure 4-3 Networking of twice NAT

(Figure: PC1 10.0.0.1/24 and PC2 10.0.0.1/24 on the private side of the switch and SPU; PC3 www.web.com 10.0.0.1/24 and the DNS server on the public side.)

You can configure twice NAT on the SPU as follows:
- Configure basic NAT (many-to-many NAT). Configure a NAT address pool that contains IP addresses 200.0.0.1 to 200.0.0.100 and apply it to the interface of the WAN.
- Configure the mapping between a group of overlapped addresses and the temporary addresses: 10.0.0.0 to 3.0.0.0. The mapping indicates that one overlapped address pool maps to one temporary address pool. The translation rule is as follows:
Temporary address = Start IP address in the temporary address pool + (Overlapped IP address - Start IP address in the overlapped address pool)
Overlapped address = Start IP address in the overlapped address pool + (Temporary IP address - Start IP address in the temporary address pool)

When PC2 on the private network accesses PC3 on the public network through the domain name, the packet is processed as follows:
1. PC2 sends a DNS request to resolve the domain name www.web.com of the Web server. After the DNS server answers the request, the SPU receives the response packet of the DNS server. The SPU parses the address 10.0.0.1 in the payload of the response packet and detects that it is an overlapped address (it matches the overlapped address pool). The SPU then translates the address 10.0.0.1 in the payload to the temporary address 3.0.0.1, translates the destination address of the response packet through basic NAT, and sends it to PC2.
2. PC2 uses the temporary address 3.0.0.1 corresponding to www.web.com to access the public network. When the packet reaches the SPU, the SPU translates the source address of the packet through basic NAT and then translates the destination address (that is, the temporary address) of the packet to the overlapped address 10.0.0.1.
3. The SPU sends the packet out of the outbound interface of the WAN, and the packet is forwarded to PC3 hop by hop.
4. When the packet sent from PC3 to PC2 reaches the SPU, the SPU checks the source address 10.0.0.1, finds that it is an overlapped address (it matches the overlapped address pool), and translates the source address to the temporary address 3.0.0.1. The SPU then translates the destination address of the packet through basic NAT and sends it to PC2.
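The following is an added example, not SPU code, of the twice NAT address mapping and the four processing steps described above, run over constructed packets. The overlapped pool 10.0.0.0 is mapped onto the temporary pool 3.0.0.0 with the two formulas given above, the DNS answer carrying the overlapped address is rewritten (the ALG step), PC2's packet to the temporary address gets its source translated by basic NAT and its destination mapped back to the overlapped address, and PC3's reply is reversed. Assumptions: both pools have length 256 (the page gives only the start addresses), basic NAT is one-to-one from pool 200.0.0.1 to 200.0.0.100, a DNS reply is a packet whose answer field holds the resolved address, and the DNS server address 203.0.113.53 is constructed.

```python
"""Added twice NAT example. Not Huawei SPU code; pool length, one-to-one
basic NAT, packet/DNS representation and the DNS server address are
assumptions. Standard library only."""
import ipaddress


def _ip2int(ip):
    return int(ipaddress.IPv4Address(ip))


def _int2ip(n):
    return str(ipaddress.IPv4Address(n))


class OverlapMapping:
    """One overlapped pool mapped onto one temporary pool of equal length."""

    def __init__(self, overlap_start, temp_start, length):
        self.o, self.t, self.n = _ip2int(overlap_start), _ip2int(temp_start), length

    def to_temp(self, ip):
        """Temporary = temp start + (overlapped - overlap start); None if outside the pool."""
        v = _ip2int(ip)
        return _int2ip(self.t + (v - self.o)) if self.o <= v < self.o + self.n else None

    def to_overlap(self, ip):
        """Overlapped = overlap start + (temporary - temp start); None if outside the pool."""
        v = _ip2int(ip)
        return _int2ip(self.o + (v - self.t)) if self.t <= v < self.t + self.n else None


class TwiceNat:
    def __init__(self, mapping, pool_start, pool_end):
        self.map = mapping
        # Assumption: one-to-one basic NAT from a public pool, allocated in order.
        self._free = [_int2ip(n) for n in range(_ip2int(pool_start), _ip2int(pool_end) + 1)]
        self._priv2pub, self._pub2priv = {}, {}

    def _basic_out(self, priv):
        if priv not in self._priv2pub:
            pub = self._free.pop(0)
            self._priv2pub[priv], self._pub2priv[pub] = pub, priv
        return self._priv2pub[priv]

    def dns_reply_from_wan(self, pkt):
        """Step 1: ALG rewrites an overlapped answer in the payload, then basic NAT on dst."""
        priv = self._pub2priv.get(pkt["dst"])
        if priv is None:
            return None  # no inside host asked for this: drop
        temp = self.map.to_temp(pkt["answer"])
        return dict(pkt, answer=temp if temp is not None else pkt["answer"], dst=priv)

    def to_wan(self, pkt):
        """Step 2: basic NAT on src; a temporary dst is mapped back to the overlapped address."""
        overlap = self.map.to_overlap(pkt["dst"])
        return dict(pkt, src=self._basic_out(pkt["src"]),
                    dst=overlap if overlap is not None else pkt["dst"])

    def from_wan(self, pkt):
        """Step 4: an overlapped src is mapped to its temporary address, basic NAT on dst."""
        priv = self._pub2priv.get(pkt["dst"])
        if priv is None:
            return None
        temp = self.map.to_temp(pkt["src"])
        return dict(pkt, src=temp if temp is not None else pkt["src"], dst=priv)


def twice_nat_demo():
    """PC2 (private 10.0.0.1) resolves www.web.com, which is PC3 (public 10.0.0.1)."""
    spu = TwiceNat(OverlapMapping("10.0.0.0", "3.0.0.0", 256), "200.0.0.1", "200.0.0.100")
    dns_server = "203.0.113.53"  # constructed address, not from the page
    query = spu.to_wan({"src": "10.0.0.1", "dst": dns_server})            # src -> 200.0.0.1
    reply = spu.dns_reply_from_wan({"src": dns_server, "dst": query["src"],
                                    "answer": "10.0.0.1"})                # answer -> 3.0.0.1
    to_pc3 = spu.to_wan({"src": "10.0.0.1", "dst": reply["answer"]})      # 200.0.0.1 -> 10.0.0.1
    back = spu.from_wan({"src": "10.0.0.1", "dst": to_pc3["src"]})        # 3.0.0.1 -> 10.0.0.1 (PC2)
    return query, reply, to_pc3, back


if __name__ == "__main__":
    for pkt in twice_nat_demo():
        print(pkt)
```

The packet that leaves the WAN interface carries destination 10.0.0.1, so it is the public routing table, not the SPU, that decides it reaches PC3 rather than PC1; the temporary address exists only on the private side, which is why the DNS payload has to be rewritten before PC2 ever sees it.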

Source Address Associated with the VPN Before NAT Is Performed


The SPU enabled with NAT allows users on private networks to access the public network and users of different VPNs to access the public network through the same egress. In addition, users in the VPNs with the same IP address can access the public network.

NAT Server Associated with the VPN


The SPU enabled with NAT supports association between the VPN and the NAT server and allows users on the public network to access hosts in the VPN. It is applied to the scenario where IP addresses of multiple VPNs are overlapped.

4.3 Configuring NAT


To implement communication between the private network and the public network through NAT, you can use Easy IP for a single user and the address pool for multiple users.

4.3.1 Establishing the Configuration Task
Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

4.3.2 Configuring an Address Pool
When multiple users on the private network access the public network, you can configure the NAT address pool.

4.3.3 Associating an ACL with an Address Pool
The ACL controls which internal users can access public networks through NAT, so that the administrator can manage internal users at a fine granularity.

4.3.4 Configuring Easy IP
Easy IP takes the IP address of the interface as the source address of data packets matching an ACL. If a VRRP virtual address exists on the interface, the virtual address is used for network address translation.

4.3.5 Configuring an Internal NAT Server
If a server is deployed on the private network, an internal NAT server entry lets legitimate users on the public network reach it while its private address stays hidden, which improves the security of the server and helps to prevent attacks from the public network.

4.3.6 Configuring Static NAT
Static NAT maps a private address to a public address. Static NAT does not conserve public addresses, but it hides the topology of the private network.

4.3.7 Enabling NAT ALG
If NAT is applied to protocols that carry addresses or port numbers inside the IP packet payload, errors may occur. The NAT ALG function translates the packets of these protocols correctly.

4.3.8 Configuring DNS Mapping
On the private network, different servers such as the FTP server and Web server are deployed, but no DNS server is deployed. If hosts on the private network want to differentiate and access the corresponding servers through domain names, you can configure DNS mapping.

4.3.9 Configuring Twice NAT
Twice NAT refers to translation of both the source and destination IP addresses of a data packet. It is applied where the IP addresses of internal hosts and external hosts overlap.

4.3.10 Checking the Configuration
After NAT is configured, you can view information about NAT.

4.3.1 Establishing the Configuration Task


Before configuring NAT, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
NAT needs to be configured at the juncture between the private network and the public network. Private and public addresses can be translated through NAT.

Pre-configuration Tasks
Before configuring NAT, complete the following task:
- Creating a basic ACL or an advanced ACL and configuring ACL rules

Data Preparation
To configure NAT, you need the following data.

No.  Data
1    Number of the public address pool, start IP address, and end IP address
2    Number of the basic ACL or advanced ACL
3    Information about the internal server, including the protocol type, public address, public port number, private address (the VPN instance may be included), and private port number (optional)
4    Information about static NAT, including the protocol type, public address, public port number, private address (the VPN instance may be included), private port number (optional), and subnet mask
5    Index of the overlapped address pool and temporary address pool, start IP address, address pool length, and VPN instance (optional)
6    Domain name, public address, and public port number

4.3.2 Configuring an Address Pool


When multiple users on the private network access the public network, you can configure the NAT address pool.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat address-group group-index start-address end-address

A public address pool is configured. A public address pool is a set of public addresses. When NAT is performed on internal data packets, the SPU selects an IP address from the address pool as the source address. The public address pools are numbered with numerals. Up to 1024 address pools can be configured. By default, no public address pool is configured on the SPU.
----End

4.3.3 Associating an ACL with an Address Pool


The ACL controls internal users who can access public networks through NAT so that the administrator can implement refined management for internal users.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number.subnumber

The interface view is displayed.
Step 3 Run:
nat outbound acl-number address-group group-index [ no-pat ]

An ACL rule is associated with an address pool. After an ACL is associated with an address pool, the SPU translates the source addresses of data packets matching the ACL to an IP address in the address pool. On the same interface, different ACLs can be associated with different address pools; up to 16 such associations can be configured on each interface.
no-pat indicates one-to-one NAT, that is, only the IP address in a datagram is translated and the port number is not translated.
----End
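The following is an added model (not Huawei's code) of a nat outbound entry: a basic-ACL source match with a wildcard mask, and the difference between no-pat (one pool address per inside host, port untouched, pool can be exhausted) and PAT (address and port translated, many hosts share one pool address). The two-address pool and the port allocator are constructed for the demonstration; the ACL rule is the one used in 4.4.3.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Addr = str
Session = Tuple[Addr, int]          # (IP address, port)


def acl_source_match(src: Addr, rule_src: Addr, wildcard: Addr) -> bool:
    """Basic ACL 'rule permit source A W': a 1 bit in the wildcard W means 'don't care'."""
    fixed = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & fixed) == \
           (int(ipaddress.IPv4Address(rule_src)) & fixed)


class AddressGroup:
    """Model of 'nat address-group group-index start-address end-address'."""

    def __init__(self, index: int, start: Addr, end: Addr) -> None:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError("end-address must not precede start-address")
        self.index = index
        self.addresses = [str(ipaddress.IPv4Address(i)) for i in range(int(s), int(e) + 1)]


class OutboundNat:
    """Model of one 'nat outbound acl-number address-group group-index [ no-pat ]' entry."""

    def __init__(self, rule_src: Addr, wildcard: Addr, group: AddressGroup,
                 no_pat: bool = False) -> None:
        self.rule_src, self.wildcard = rule_src, wildcard
        self.group, self.no_pat = group, no_pat
        self.ip_bindings: Dict[Addr, Addr] = {}       # no-pat: inside IP -> pool IP
        self.sessions: Dict[Session, Session] = {}     # PAT: (inside IP, port) -> (pool IP, port)
        self.next_port = 1024                          # constructed PAT port allocator

    def translate(self, src: Addr, sport: int) -> Optional[Session]:
        """Return the (source IP, source port) the packet leaves with, or None if it is dropped."""
        if not acl_source_match(src, self.rule_src, self.wildcard):
            return (src, sport)            # ACL miss: forwarded without translation
        if self.no_pat:
            pool_ip = self.ip_bindings.get(src)
            if pool_ip is None:
                used = set(self.ip_bindings.values())
                free = [a for a in self.group.addresses if a not in used]
                if not free:
                    return None            # one pool address per host: pool exhausted
                pool_ip = free[0]
                self.ip_bindings[src] = pool_ip
            return (pool_ip, sport)        # only the IP address changes; the port is kept
        key = (src, sport)
        if key not in self.sessions:       # PAT: IP and port both change, hosts share one IP
            self.sessions[key] = (self.group.addresses[0], self.next_port)
            self.next_port += 1
        return self.sessions[key]


def demo() -> Tuple[int, int]:
    """Four hosts on the 192.168.20.0 segment (ACL 2000 of 4.4.3) behind a constructed
    two-address pool: returns how many get translated under no-pat and under PAT."""
    pool = AddressGroup(1, "202.169.10.100", "202.169.10.101")
    no_pat = OutboundNat("192.168.20.0", "0.0.0.255", pool, no_pat=True)
    pat = OutboundNat("192.168.20.0", "0.0.0.255", pool)
    hosts = ["192.168.20.%d" % i for i in range(2, 6)]
    ok_no_pat = sum(1 for h in hosts if no_pat.translate(h, 40000) is not None)
    ok_pat = sum(1 for h in hosts if pat.translate(h, 40000) is not None)
    return ok_no_pat, ok_pat
```

With no-pat the pool size caps the number of concurrent inside hosts, which is why a pool must be sized for the segment it serves; with PAT the same pool serves all of them.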

4.3.4 Configuring Easy IP


Easy IP uses the IP address of the interface as the source address of data packets matching an ACL. If a VRRP virtual address exists on the interface, the virtual address is used for network address translation.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number.subnumber

The interface view is displayed.
Step 3 Run:
nat outbound acl-number

Easy IP is configured.
----End

4.3.5 Configuring an Internal NAT Server


If a server on the private network is published through an internal NAT server, only its mapped public address and port are exposed. This improves the security of the server and helps prevent attacks from users on the public network, while legitimate users can still access the server.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number.subnumber

The interface view is displayed.
Step 3 Run:
- nat server protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ]
- nat server [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ]

The internal NAT server is configured. After the internal NAT server is configured, users on the public network can access servers on the private network. When a host on the public network sends a connection request to the public address (global-address) of the internal NAT server, the NAT server translates the destination address of the request to a private address (host-address). The request is then forwarded to the server on the private network.

Up to 1024 NAT server and static NAT entries can be configured on the SPU, and up to 64 NAT server and static NAT entries can be configured on each interface.
NOTE

When configuring the internal NAT server, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.

----End

4.3.6 Configuring Static NAT


Static NAT maps a private address to a public address. Static NAT does not conserve public addresses, but it hides the topology of the private network.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface interface-type interface-number.subnumber

The interface view is displayed.
Step 3 Run:
- nat static protocol { protocol-number | tcp | udp } global global-address global-port inside host-address [ host-port ] [ vpn-instance vpn-instance-name ] [ netmask mask ]
- nat static [ protocol { protocol-number | icmp | tcp | udp } ] global global-address inside host-address [ vpn-instance vpn-instance-name ] [ netmask mask ]

Static NAT is configured.


NOTE

When configuring static NAT, ensure that global-address and host-address are different from IP addresses of interfaces and IP addresses in the user address pool.

----End
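Added example (not Huawei's code) for 4.3.5 and 4.3.6: a model of how a nat static entry with netmask maps a whole block of inside hosts onto a block of public addresses, plus the pre-check behind the NOTE in both sections that global-address and host-address must not collide with interface addresses or the user address pool. It assumes the mask selects the network part and the host part is carried across unchanged, which matches the segment description in 4.4.2.

```python
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


class StaticNat:
    """Model of 'nat static ... global global-address inside host-address [ netmask mask ]'.
    Without netmask the default 255.255.255.255 gives a one-to-one mapping."""

    def __init__(self, global_addr: str, inside_addr: str,
                 netmask: str = "255.255.255.255") -> None:
        self.g, self.h = int(IPv4(global_addr)), int(IPv4(inside_addr))
        self.mask = int(IPv4(netmask))
        self.hostmask = ~self.mask & 0xFFFFFFFF

    def _map(self, addr: str, src_base: int, dst_base: int) -> Optional[str]:
        a = int(IPv4(addr))
        if (a & self.mask) != (src_base & self.mask):
            return None                                # outside the mapped block: no match
        # keep the host bits, swap the network bits (assumed block mapping)
        return str(IPv4((dst_base & self.mask) | (a & self.hostmask)))

    def outbound(self, inside: str) -> Optional[str]:
        """Source translation for a packet leaving the private network."""
        return self._map(inside, self.h, self.g)

    def inbound(self, global_dst: str) -> Optional[str]:
        """Destination translation for a packet arriving from the public network."""
        return self._map(global_dst, self.g, self.h)


def address_conflicts(global_addr: str, host_addr: str,
                      interface_addrs: List[str],
                      address_groups: List[Tuple[str, str]]) -> List[str]:
    """Check the NOTE of 4.3.5/4.3.6 before committing an entry.

    address_groups are (start-address, end-address) pairs as given to 'nat address-group'.
    Returns the list of violations; an empty list means the entry does not collide."""
    problems: List[str] = []
    for label, addr in (("global-address", global_addr), ("host-address", host_addr)):
        if addr in interface_addrs:
            problems.append("%s %s is an interface address" % (label, addr))
        a = int(IPv4(addr))
        for start, end in address_groups:
            if int(IPv4(start)) <= a <= int(IPv4(end)):
                problems.append("%s %s lies in address pool %s-%s" % (label, addr, start, end))
    return problems
```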

4.3.7 Enabling NAT ALG


Some application protocols carry IP addresses or port numbers inside the payload of their IP data packets. If only the IP header is translated, these protocols fail to work through NAT. The NAT ALG function also translates the addresses and ports embedded in such application-layer packets so that they are handled correctly.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
nat alg { all | dns | ftp } enable

The NAT ALG function is enabled.



After the NAT ALG function is enabled for an application protocol, packets of that protocol can traverse the public network through NAT; without it, the application protocol cannot work normally. all enables the ALG for both DNS and FTP.
----End

4.3.8 Configuring DNS Mapping


On the private network, different servers such as an FTP server and a Web server are deployed, but no DNS server. To let hosts on the private network reach the corresponding servers by domain name, you can configure DNS mapping.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
nat dns-map domain-name global-address global-port { tcp | udp }

The mapping from domain names to public IP addresses, port numbers, and protocol types is configured. Up to 64 mapping entries can be configured on the SPU.
----End

4.3.9 Configuring Twice NAT


Twice NAT refers to translation of both the source and destination IP addresses of a data packet. It is used when the IP addresses of internal hosts and external hosts overlap.

Context
When IP addresses of internal hosts and external hosts are overlapped, you need to configure the mapping between the overlapped address pool and the temporary address pool. After the mapping is configured, the overlapped address is translated to a unique temporary address. The packets can be forwarded correctly. In addition, you need to configure NAT outbound to implement twice NAT.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
nat overlap-address map-index overlappool-startaddress temppool-startaddress pool-length length [ inside-vpn-instance inside-vpn-instance-name ]

Twice NAT is configured.



The overlapped address pool and temporary address pool are sets of consecutive IP addresses. The two address pools have the same length, and up to 255 IP addresses can be configured in each. Up to 128 mapping entries between overlapped address pools and temporary address pools can be configured globally.
When the VPN instance referenced by the configuration is deleted, the twice NAT configuration is also deleted.
----End
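Added example (not Huawei's code): a model of one nat overlap-address entry, including the pool-length and entry-count limits above, and of the two translations a twice NAT packet undergoes once the private host addresses the external host by its temporary address. The outbound source translation is modelled as a single constructed public address and ports are omitted; the DNS step that hands the host a temporary address is assumed to have already taken place.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
MAX_POOL_LENGTH = 255      # per-entry limit given in 4.3.9
MAX_MAP_ENTRIES = 128      # global limit given in 4.3.9


class OverlapMap:
    """Model of 'nat overlap-address map-index overlappool-startaddress temppool-startaddress
    pool-length length': two consecutive address blocks of equal length, mapped by offset."""

    def __init__(self, index: int, overlap_start: str, temp_start: str, length: int) -> None:
        if not 1 <= length <= MAX_POOL_LENGTH:
            raise ValueError("pool-length must be between 1 and %d" % MAX_POOL_LENGTH)
        self.index, self.length = index, length
        self.overlap, self.temp = int(IPv4(overlap_start)), int(IPv4(temp_start))

    def _shift(self, addr: str, src: int, dst: int) -> Optional[str]:
        off = int(IPv4(addr)) - src
        if not 0 <= off < self.length:
            return None                         # address is outside this pool
        return str(IPv4(dst + off))

    def to_temp(self, overlapped: str) -> Optional[str]:
        """Real (overlapped) public address -> unique temporary address."""
        return self._shift(overlapped, self.overlap, self.temp)

    def to_overlap(self, temp: str) -> Optional[str]:
        """Temporary address -> real (overlapped) public address."""
        return self._shift(temp, self.temp, self.overlap)


class TwiceNat:
    """Both translations of twice NAT. The outbound source translation is a single
    constructed public address and ports are left out, so one session per public host
    is tracked (a simplification of the real NAT outbound state)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.maps: List[OverlapMap] = []
        self.sessions: Dict[Tuple[str, str], str] = {}   # (public src, real dst) -> private src

    def add_map(self, m: OverlapMap) -> None:
        if len(self.maps) >= MAX_MAP_ENTRIES:
            raise ValueError("at most %d overlap-address entries" % MAX_MAP_ENTRIES)
        self.maps.append(m)

    def outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Private host -> public: destination temp->real, then source private->public."""
        for m in self.maps:
            real = m.to_overlap(dst)
            if real is not None:
                self.sessions[(self.public_ip, real)] = src
                return (self.public_ip, real)
        return None                 # destination is not a temporary address: not twice NAT

    def inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Reply from the public host: source real->temp, destination public->private."""
        private = self.sessions.get((dst, src))
        if private is None:
            return None             # no session opened from the private side: reply dropped
        for m in self.maps:
            temp = m.to_temp(src)
            if temp is not None:
                return (temp, private)
        return None
```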

4.3.10 Checking the Configuration


After NAT is configured, you can view information about NAT.

Procedure
- Run the display nat alg command to check whether the NAT ALG function is enabled.
- Run the display nat address-group [ group-index ] [ verbose ] command to check the configuration of the NAT address pool.
- Run the display nat dns-map [ domain-name ] command to check information about DNS mapping.
- Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command to check information about NAT outbound.
- Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to check information about twice NAT.
- Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to check the configuration of the NAT server.
- Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to check the configuration of static NAT.

----End

Example
# Display the configuration of NAT ALG.
<Quidway> system-view
[Quidway] display nat alg
 NAT Application Level Gateway Information:
 ----------------------------------
  Application     Status
 ----------------------------------
  ftp             Disabled
  dns             Disabled
 ----------------------------------

# Display the configuration of DNS mapping.


<Quidway> system-view
[Quidway] display nat dns-map
 --------------------------------------------------------------------
  Domain name        IP address        Port        Protocol
 --------------------------------------------------------------------
  huawei             10.10.10.1        2012        tcp
 --------------------------------------------------------------------
 DNS-Mapping : 1

# Display the configuration of outbound NAT.


<Quidway> system-view
[Quidway] display nat outbound
 NAT Outbound Information:
 ----------------------------------------------------------------
  Interface                 Acl     Address-group/IP     Type
 ----------------------------------------------------------------
  XGigabitEthernet0/0/1.1   2010    0.0.0.0              easyip
 ----------------------------------------------------------------
 Total : 1

# Display all the NAT address pools.


<Quidway> display nat address-group
 NAT Address-Group Information:
 --------------------------------------
  Index    Start-address    End-address
 --------------------------------------
  1        201.1.1.1        201.1.1.10
  2        10.10.10.10      10.10.10.15
 --------------------------------------
 Total : 2

Run the display nat overlap-address { map-index | all | inside-vpn-instance inside-vpn-instance-name } command to view the mapping between the overlapped address pool and the temporary address pool. For example:
# Display the configuration of all the overlapped address pools.
<Quidway> system-view
[Quidway] display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 -------------------------------------------------------------------------------
  Id    Overlap-Address    Temp-Address    Pool-Length    Inside-VPN-Instance-Name
 -------------------------------------------------------------------------------
  1     10.2.2.2           3.3.10.10       255            cmml
 -------------------------------------------------------------------------------
 Total : 1

Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command to view the configuration of the NAT server. For example:
# Display the configuration of all NAT servers.
<Quidway> system-view
[Quidway] display nat server
 Nat Server Information:
  Interface         : XGigabitEthernet0/0/1.1
  Global IP/Port    : 210.10.10.1      21(smtp)
  Inside IP/Port    : 10.10.10.1       25(smtp)
  Protocol          : 6(tcp)
  VPN instance-name : ---
 Total : 1

Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command to view the configuration of static NAT. For example:
# Display the global configuration of static NAT.
<Quidway> system-view
[Quidway] display nat static
 Static Nat Information:
  Interface         : XGigabitEthernet0/0/1.1
  Global IP/Port    : 212.10.10.1      21(smtp)
  Inside IP/Port    : 100.10.10.1      25(smtp)
  Protocol          : 6(tcp)
  VPN instance-name : ---
  Netmask           : 255.255.255.0
 Total : 1

4.4 Configuration Examples


This section provides several configuration examples of NAT.
4.4.1 Example for Configuring the NAT Server
4.4.2 Example for Configuring Static NAT
4.4.3 Example for Configuring Outbound NAT
4.4.4 Example for Configuring Twice NAT

4.4.1 Example for Configuring the NAT Server


Networking Requirements
As shown in Figure 4-4, the intranet of company A is connected to the WAN through NAT enabled on the SPU. Company A provides a Web server for users on the public network to access. The private IP address of the Web server is 192.168.20.2:8080 and its public address is 202.169.10.5. The intranet of company B is connected to the WAN through NAT enabled on the SPU. On the VPN, company B provides an FTP server for users on the public network who need to access the intranet of company B. The private IP address of the FTP server is 10.0.0.3 and its public address is 202.169.10.33. The SPU is installed in slot 5 of the S9300.


Figure 4-4 Networking diagram for configuring the NAT server (diagram not reproduced; it shows the S9300 with GE2/0/1 in VLAN 101, GE2/0/2 in VLAN 102 and GE2/0/3 in VLAN 103, XGE5/0/0 and XGE5/0/1 bundled into Eth-Trunk1 towards the SPU with subinterfaces Eth-Trunk1.1 and Eth-Trunk1.2, the WWW server of company A at 192.168.20.2, the FTP server of company B at 10.0.0.3/24, and the WAN-side switch at 202.169.10.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure the internal server.
3. Enable the NAT ALG function for FTP.

Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit


2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure the internal server on the SPU.


[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
[SPU-Eth-Trunk1.2] nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b

Step 3 On the SPU, enable the NAT ALG function for FTP.
[SPU] nat alg ftp enable

Step 4 Verify the configuration.
Run the display nat server [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-number.subnumber ] command on the SPU, and you can view the following information:
[SPU] display nat server
 Nat Server Information:
  Interface         : Eth-Trunk1.2
  Global IP/Port    : 202.169.10.5     80(www)
  Inside IP/Port    : 192.168.20.2     8080
  Protocol          : 6(tcp)
  VPN instance-name : ---

  Global IP/Port    : 202.169.10.33    21(ftp)
  Inside IP/Port    : 10.0.0.3         21(ftp)
  Protocol          : 6(tcp)
  VPN instance-name : vpn_b
 Total : 2

----End

Configuration Files
- Configuration file of the SPU
#
 sysname SPU
#
ip vpn-instance vpn_b
 route-distinguisher 0:1
#
nat alg ftp enable
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat server protocol tcp global 202.169.10.5 www inside 192.168.20.2 8080
 nat server protocol tcp global 202.169.10.33 ftp inside 10.0.0.3 ftp vpn-instance vpn_b
#
interface Eth-Trunk1.3
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip binding vpn-instance vpn_b
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return

- Configuration file of the S9300
#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4.4.2 Example for Configuring Static NAT


Networking Requirements
As shown in Figure 4-5, the intranet of company A is connected to the WAN through NAT enabled on the SPU. Company A provides two Web servers for users on the public network who need to access the intranet of company A. The private IP addresses of the Web servers are in the range of 192.168.20.2:8080 to 192.168.20.3:8080 (the network segment is 192.168.20.2 and the mask is 255.255.255.254). The public addresses are in the range of 202.169.10.2 to 202.169.10.3 (the network segment is 202.169.10.2 and the mask is 255.255.255.254). Each private address maps to one public address. The intranet of company B is connected to the WAN through NAT enabled on the SPU. On the VPN, company B provides four FTP servers for users on the public network who need to access the intranet of company B. The private IP addresses of the FTP servers are in the range of 10.0.0.0 to 10.0.0.3 (the network segment is 10.0.0.0 and the mask is 255.255.255.252). The public addresses are in the range of 202.169.10.32 to 202.169.10.35 (the network segment is 202.169.10.32 and the mask is 255.255.255.252). The SPU is installed in slot 5 on the S9300.
Figure 4-5 Networking diagram for configuring static NAT

(Diagram not reproduced; it shows the S9300 with GE2/0/1 in VLAN 101, GE2/0/2 in VLAN 102 and GE2/0/3 in VLAN 103, XGE5/0/0 and XGE5/0/1 bundled into Eth-Trunk1 towards the SPU with subinterfaces Eth-Trunk1.1 and Eth-Trunk1.2, the WWW servers of company A at 192.168.20.2 and 192.168.20.3, the FTP servers of company B at 10.0.0.0 to 10.0.0.3/24, and the WAN-side switch at 202.169.10.2/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure static NAT.

Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure static NAT on the SPU.
[SPU] interface Eth-Trunk1.2
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254
[SPU-Eth-Trunk1.2] nat static protocol tcp global 202.169.10.32 ftp inside 10.0.0.2 ftp vpn-instance vpn_b netmask 255.255.255.252
[SPU-Eth-Trunk1.2] quit

Step 3 Verify the configuration.
Run the display nat static [ global global-address | inside host-address [ vpn-instance vpn-instance-name ] | interface interface-type interface-name ] command on the SPU, and you can view the following information:
[SPU] display nat static
 Static Nat Information:
  Interface         : Eth-Trunk1.2
  Global IP/Port    : 202.169.10.2     80(www)
  Inside IP/Port    : 192.168.20.2     8080
  Protocol          : 6(tcp)
  VPN instance-name : ---
  Netmask           : 255.255.255.254

  Global IP/Port    : 202.169.10.32    21(ftp)
  Inside IP/Port    : 10.0.0.2         21(ftp)
  Protocol          : 6(tcp)
  VPN instance-name : vpn_b
  Netmask           : 255.255.255.252
 Total : 2

----End

Configuration Files
- Configuration file of the SPU
#
 sysname SPU
#
ip vpn-instance vpn_b
 route-distinguisher 0:1
#
interface Eth-Trunk1
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 102 dot1q-termination
 dot1q termination vid 102
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
 nat static protocol tcp global 202.169.10.2 www inside 192.168.20.2 8080 netmask 255.255.255.254
 nat static protocol tcp global 202.169.10.32 ftp inside 10.0.0.2 ftp vpn-instance vpn_b netmask 255.255.255.252
#
interface Eth-Trunk1.3
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip binding vpn-instance vpn_b
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
#
return

- Configuration file of the S9300
#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return

4.4.3 Example for Configuring Outbound NAT


Networking Requirements
As shown in Figure 4-6, the intranet of company A is connected to the WAN through NAT enabled on the SPU so that it can access the Web server on the WAN. To protect the intranet of company A, the addresses of its hosts on the network segment 192.168.20.0 are translated to addresses in the public address pool (202.169.10.100 to 202.169.10.200) when the hosts access servers on the WAN. The intranet of company B is connected to the WAN through NAT enabled on the SPU so that it can access the FTP server on the WAN. On the VPN, company B has too few public IP addresses. To protect the intranet of company B, the addresses of its hosts on the network segment 10.0.0.0 are translated to addresses in the public address pool (202.169.10.80 to 202.169.10.83) when the hosts access servers on the WAN. The SPU is installed in slot 5 on the S9300, and GE 2/0/1 and GE 2/0/2 import traffic to the SPU.


Figure 4-6 Networking diagram for configuring outbound NAT (diagram not reproduced; it shows the S9300 with GE2/0/1 in VLAN 101, GE2/0/2 in VLAN 102 and GE2/0/3 in VLAN 103, XGE5/0/0 and XGE5/0/1 bundled into Eth-Trunk1 towards the SPU with subinterfaces Eth-Trunk1.1 and Eth-Trunk1.2, the PCs of company A (PC 1 to PC n) at 192.168.20.2, the PCs of VPN B (PC 1 to PC n) at 10.0.0.2/24, and the WAN-side switch at 202.169.10.2/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure outbound NAT.

Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 102
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] ip vpn-instance vpn_b
[SPU-vpn-instance-vpn_b] route-distinguisher 0:1
[SPU-vpn-instance-vpn_b] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 103
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpn_b
[SPU-Eth-Trunk1.3] ip address 10.0.0.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit

Step 2 Configure outbound NAT on the SPU.


[SPU] nat address-group 1 202.169.10.100 202.169.10.200
[SPU] nat address-group 2 202.169.10.80 202.169.10.83
[SPU] acl 2000
[SPU-acl-basic-2000] rule 5 permit source 192.168.20.0 0.0.0.255
[SPU-acl-basic-2000] quit
[SPU] acl 2001
[SPU-acl-basic-2001] rule 5 permit source 10.0.0.0 0.0.0.255 vpn-instance vpn_b
[SPU-acl-basic-2001] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat outbound 2000 address-group 1 no-pat
[SPU-Eth-Trunk1.2] nat outbound 2001 address-group 2
[SPU-Eth-Trunk1.2] quit

Step 3 Verify the configuration.
Run the display nat outbound [ acl acl-number | address-group group-index | interface { xgigabitEthernet | eth-trunk } interface-number.subnumber ] command on the SPU, and you can view the following information:
[SPU] display nat outbound
 NAT Outbound Information:
 ----------------------------------------------------------------
  Interface         Acl     Address-group/IP     Type
 ----------------------------------------------------------------
  Eth-Trunk1.2      2000    1                    no-pat
  Eth-Trunk1.2      2001    2                    pat
 ----------------------------------------------------------------
 Total : 2

----End


Configuration Files
l

Configuration file of the SPU


# sysname SPU # ip vpn-instance vpn_b route-distinguisher 0:1 # acl number 2000 rule 5 permit source 192.168.20.0 0.0.0.255 # acl number 2001 rule 5 permit source 10.0.0.0 0.0.0.255 vpn-instance vpn_b # nat address-group 1 202.169.10.100 202.169.10.200 nat address-group 2 202.169.10.80 202.169.10.83 # interface Eth-Trunk1 # interface Eth-Trunk1.1 control-vid 101 dot1q-termination dot1q termination vid 101 ip address 192.168.20.1 255.255.255.0 arp broadcast enable # interface Eth-Trunk1.2 control-vid 102 dot1q-termination dot1q termination vid 102 ip address 202.169.10.1 255.255.255.0 arp broadcast enable nat outbound 2000 address-group 1 no-pat nat outbound 2001 address-group 2 # interface Eth-Trunk1.3 control-vid 103 dot1q-termination dot1q termination vid 103 ip binding vpn-instance vpn_b ip address 10.0.0.1 255.255.255.0 arp broadcast enable # interface XGigabitEthernet0/0/1 eth-trunk 1 # interface XGigabitEthernet0/0/2 eth-trunk 1 # ip route-static vpn-instance vpn_b 0.0.0.0 0.0.0.0 Eth-Trunk 1.2 202.169.10.2 # Return

- Configuration file of the S9300
#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return


4.4.4 Example for Configuring Twice NAT


Networking Requirements
The common NAT technology translates only the source or destination address of packets, whereas the twice NAT technology translates both the source and destination addresses of packets. The twice NAT technology is applicable to the scenario where IP addresses of hosts on private and public networks overlap.

As shown in Figure 4-7, the IP address of PC1 on the private network is the same as the IP address of host A on the public network. If PC1 on the private network sends a packet to host A, the packet will be incorrectly forwarded to PC2. On the SPU, the twice NAT technology configures the mapping between the overlapped address pool and the temporary address pool on top of common NAT. The overlapped IP address is translated to a unique temporary address so that packets can be forwarded correctly.

The SPU is installed in slot 5 of the S9300.

Figure 4-7 Networking diagram for configuring twice NAT
(Diagram: the Switch connects GE2/0/1 (VLAN 101) to PC1 in VPN A, GE2/0/2 (VLAN 102) to PC2 in VPN B, and GE2/0/3 (VLAN 103) to the public side (202.169.10.2/24) where host A (www.Server.com) and the DNS Server sit; XGE5/0/0 and XGE5/0/1 carry the VLANs to the SPU, which terminates them on Eth-Trunk1.1 and Eth-Trunk1.2. PC1, PC2 and host A all use 192.168.20.2/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the S9300 to the SPU through NAT.
2. Configure the mapping between the overlapped address pool and the temporary address pool.
3. Configure common NAT outbound.

Procedure
Step 1 Import flows from the S9300 to the SPU through NAT.
1. Import flows from the S9300 to the SPU.
<S9300> system-view
[S9300] vlan batch 101 to 103
[S9300] interface Eth-Trunk 1
[S9300-Eth-Trunk1] port link-type trunk
[S9300-Eth-Trunk1] port trunk allow-pass vlan 101 to 103
[S9300-Eth-Trunk1] quit
[S9300] interface GigabitEthernet2/0/1
[S9300-GigabitEthernet2/0/1] port link-type trunk
[S9300-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[S9300-GigabitEthernet2/0/1] quit
[S9300] interface GigabitEthernet2/0/2
[S9300-GigabitEthernet2/0/2] port link-type trunk
[S9300-GigabitEthernet2/0/2] port trunk allow-pass vlan 102
[S9300-GigabitEthernet2/0/2] quit
[S9300] interface GigabitEthernet2/0/3
[S9300-GigabitEthernet2/0/3] port link-type trunk
[S9300-GigabitEthernet2/0/3] port trunk allow-pass vlan 103
[S9300-GigabitEthernet2/0/3] quit
[S9300] interface XGigabitEthernet5/0/0
[S9300-XGigabitEthernet5/0/0] eth-trunk 1
[S9300-XGigabitEthernet5/0/0] quit
[S9300] interface XGigabitEthernet5/0/1
[S9300-XGigabitEthernet5/0/1] eth-trunk 1
[S9300-XGigabitEthernet5/0/1] quit

2. On the SPU, set IP addresses of interfaces and add interfaces to VLANs.
<SPU> system-view
[SPU] interface Eth-Trunk 1
[SPU-Eth-Trunk1] quit
[SPU] ip vpn-instance vpna
[SPU-vpn-instance-vpna] route-distinguisher 1:1
[SPU-vpn-instance-vpna] quit
[SPU] ip vpn-instance vpnb
[SPU-vpn-instance-vpnb] route-distinguisher 2:2
[SPU-vpn-instance-vpnb] quit
[SPU] interface Eth-Trunk 1.1
[SPU-Eth-Trunk1.1] control-vid 101 dot1q-termination
[SPU-Eth-Trunk1.1] dot1q termination vid 101
[SPU-Eth-Trunk1.1] ip binding vpn-instance vpna
[SPU-Eth-Trunk1.1] ip address 192.168.20.1 255.255.255.0
[SPU-Eth-Trunk1.1] arp broadcast enable
[SPU-Eth-Trunk1.1] quit
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] control-vid 103 dot1q-termination
[SPU-Eth-Trunk1.2] dot1q termination vid 103
[SPU-Eth-Trunk1.2] ip address 202.169.10.1 255.255.255.0
[SPU-Eth-Trunk1.2] arp broadcast enable
[SPU-Eth-Trunk1.2] quit
[SPU] interface Eth-Trunk 1.3
[SPU-Eth-Trunk1.3] control-vid 102 dot1q-termination
[SPU-Eth-Trunk1.3] dot1q termination vid 102
[SPU-Eth-Trunk1.3] ip binding vpn-instance vpnb
[SPU-Eth-Trunk1.3] ip address 192.168.25.1 255.255.255.0
[SPU-Eth-Trunk1.3] arp broadcast enable
[SPU-Eth-Trunk1.3] quit
[SPU] interface XGigabitEthernet0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 1
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface XGigabitEthernet0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 1
[SPU-XGigabitEthernet0/0/2] quit


Step 2 Configure DNS mapping on the SPU so that the IP address of host A returned from the DNS server to PC1 is translated to a unique temporary address.
[SPU] nat alg dns enable
[SPU] nat dns-map www.Server.com 192.168.20.2 80 tcp

Step 3 Configure the mapping between the overlapped address pool and the temporary address pool on the SPU.
[SPU] nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna

Step 4 Configure the static route from the temporary address pool to Eth-Trunk 1.2 on the SPU.
[SPU] ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2

Step 5 On the outbound sub-interface Eth-Trunk1.2 of the SPU, configure NAT outbound for host A.
1. Create an ACL and configure an ACL rule to allow packets of host A to pass through.
[SPU] acl 3180
[SPU-acl-adv-3180] rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255
[SPU-acl-adv-3180] quit

2. Configure the NAT address pool for outbound NAT.
[SPU] nat address-group 1 160.160.0.2 160.160.0.254

3. On the outbound sub-interface Eth-Trunk1.2, configure outbound NAT for host A.
[SPU] interface Eth-Trunk 1.2
[SPU-Eth-Trunk1.2] nat outbound 3180 address-group 1
[SPU-Eth-Trunk1.2] quit

Step 6 Verify the configuration. Run the display nat overlap-address all command on the SPU, and you can view the mapping between the overlapped address pool and the temporary address pool.
[SPU] display nat overlap-address all
Nat Overlap Address Pool To Temp Address Pool Map Information:
-------------------------------------------------------------------------------
Id   Overlap-Address   Temp-Address    Pool-Length   Inside-VPN-Instance-Name
-------------------------------------------------------------------------------
0    192.168.20.2      202.169.100.2   254           vpna
-------------------------------------------------------------------------------
Total : 1

Run the display nat outbound command on the SPU, and you can view information about outbound NAT.
[SPU] display nat outbound
NAT Outbound Information:
----------------------------------------------------------------
Interface      Acl    Address-group/IP   Type
----------------------------------------------------------------
Eth-Trunk1.2   3180   1                  pat
----------------------------------------------------------------
Total : 1

----End
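To make the address handling of this example concrete, here is an added Python model of the translation path (an illustration added to this guide, not SPU code): the overlap-address to temporary-address mapping from Step 3, the DNS ALG rewrite from Step 2, and the outbound PAT from Step 5. The addresses come from the example; the port numbers and the session table are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed 4-tuple view of an IP packet (addresses as strings)."""
    src: str
    dst: str
    sport: int
    dport: int


class TwiceNat:
    """Model of nat overlap-address plus nat outbound from the example above.

    overlap_base / temp_base / pool_length mirror
      nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254
    nat_start / nat_end mirror
      nat address-group 1 160.160.0.2 160.160.0.254
    """

    def __init__(self, overlap_base, temp_base, pool_length, nat_start, nat_end):
        self.overlap_base = ipaddress.IPv4Address(overlap_base)
        self.temp_base = ipaddress.IPv4Address(temp_base)
        self.pool_length = pool_length
        self.nat_pool = [ipaddress.IPv4Address(i)
                         for i in range(int(ipaddress.IPv4Address(nat_start)),
                                        int(ipaddress.IPv4Address(nat_end)) + 1)]
        self.next_port = 1024        # constructed PAT port allocator
        self.sessions = {}           # (nat_addr, nat_port) -> (src, sport, temp_dst)

    def _shift(self, addr, base_from, base_to):
        offset = int(ipaddress.IPv4Address(addr)) - int(base_from)
        if not 0 <= offset < self.pool_length:
            return None
        return str(base_to + offset)

    def overlap_to_temp(self, addr):
        """Overlapped public address -> unique temporary address."""
        return self._shift(addr, self.overlap_base, self.temp_base)

    def temp_to_overlap(self, addr):
        """Temporary address -> real (overlapped) public address."""
        return self._shift(addr, self.temp_base, self.overlap_base)

    def dns_reply_to_inside(self, answer):
        """nat alg dns: an A record that falls in the overlapped pool is
        rewritten to its temporary address before the reply reaches PC1."""
        return self.overlap_to_temp(answer) or answer

    def outbound(self, pkt):
        """PC1 -> host A: destination temp -> overlapped (the twice-NAT part),
        source private -> address group 1 with PAT (the common NAT part)."""
        real_dst = self.temp_to_overlap(pkt.dst)
        if real_dst is None:
            raise ValueError("destination is not in the temporary pool")
        nat_addr = str(self.nat_pool[0])
        nat_port = self.next_port
        self.next_port += 1
        self.sessions[(nat_addr, nat_port)] = (pkt.src, pkt.sport, pkt.dst)
        return Packet(nat_addr, real_dst, nat_port, pkt.dport)

    def inbound(self, pkt):
        """host A -> PC1: only packets that match a session are translated;
        the source is mapped back to the temp address, so PC1 never sees
        its own address as the peer."""
        session = self.sessions.get((pkt.dst, pkt.dport))
        if session is None:
            return None
        src, sport, temp_dst = session
        if self.overlap_to_temp(pkt.src) != temp_dst:
            return None
        return Packet(temp_dst, src, pkt.sport, sport)


def walk_through():
    """Run the PC1 <-> host A exchange from the example and return the packets."""
    nat = TwiceNat("192.168.20.2", "202.169.100.2", 254,
                   "160.160.0.2", "160.160.0.254")
    dns_answer = nat.dns_reply_to_inside("192.168.20.2")   # host A as PC1 sees it
    request = nat.outbound(Packet("192.168.20.2", dns_answer, 40000, 80))
    reply = nat.inbound(Packet("192.168.20.2", request.src, 80, request.sport))
    return dns_answer, request, reply
```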

Configuration Files
- Configuration file of the SPU
#
 sysname SPU
#
interface Eth-Trunk1
#
ip vpn-instance vpna
 route-distinguisher 1:1
ip vpn-instance vpnb
 route-distinguisher 2:2
#
interface Eth-Trunk1.1
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip binding vpn-instance vpna
 ip address 192.168.20.1 255.255.255.0
 arp broadcast enable
#
interface Eth-Trunk1.2
 control-vid 103 dot1q-termination
 dot1q termination vid 103
 ip address 202.169.10.1 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 1
#
interface XGigabitEthernet0/0/2
 eth-trunk 1
#
nat alg dns enable
nat dns-map www.Server.com 192.168.20.2 80 tcp
#
nat overlap-address 0 192.168.20.2 202.169.100.2 pool-length 254 inside-vpn-instance vpna
#
ip route-static vpn-instance vpna 202.169.100.2 24 Eth-Trunk1.2 202.169.10.2
#
acl number 3180
 rule permit ip vpn-instance vpna source 192.168.20.1 0.0.0.255
#
nat address-group 1 160.160.0.2 160.160.0.254
#
interface Eth-Trunk1.2
 nat outbound 3180 address-group 1
#
return

- Configuration file of the S9300
#
 sysname S9300
#
vlan batch 101 to 103
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 101 to 103
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 103
#
interface XGigabitEthernet5/0/0
 eth-trunk 1
#
interface XGigabitEthernet5/0/1
 eth-trunk 1
#
return


5 IPSec Configuration

About This Chapter
This chapter describes how to ensure confidentiality and integrity of data and prevent replay of data packets on a network through data encryption and data source authentication at the IP layer. Internet Key Exchange (IKE) provides the mechanism of negotiating keys and establishing security associations (SAs) to simplify the usage and management of IPSec.

5.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. Communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality and integrity of data and prevent replay of data packets on a network.

5.2 IPSec Features Supported by the SPU
The SPU supports IPSec tunnels established in manual mode or IKE negotiation mode.

5.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.

5.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity, and set up SAs on an insecure network.

5.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.

5.6 Configuration Examples
This section provides several configuration examples of IPSec.

5.1 IPSec Overview


The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets. Communicating parties can encrypt data and authenticate the data source at the IP layer to ensure confidentiality and integrity of data and prevent replay of data packets on a network.

IPSec implements the preceding functions through two security protocols: the Authentication Header (AH) protocol and Encapsulating Security Payload (ESP). IKE provides the mechanism of negotiating keys and establishing and maintaining SAs to simplify the usage and management of IPSec.

IPSec involves the following terms:

- Security Association (SA)
  An SA is a set of conventions adopted by the communicating parties. For example, it determines the security protocol (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key to protect a certain flow, and the lifetime of the shared key. The SA is the basis and essence of IPSec.
  An SA is unidirectional, so you need to configure at least two SAs to protect data flows in bidirectional communication. If two peers need to communicate through both AH and ESP, each peer needs to establish two SAs for the two protocols.
  An SA is identified by three parameters: Security Parameter Index (SPI), destination IP address, and security protocol ID (AH or ESP).

- Encapsulation mode
  Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 5-1.
  Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 5-2.

  Figure 5-1 Packet format in transport mode
  (Diagram, transport mode. AH: IP Header | AH | TCP Header | data. ESP: IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data. AH-ESP: IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data.)

  Figure 5-2 Packet format in tunnel mode
  (Diagram, tunnel mode. AH: new IP Header | AH | raw IP Header | TCP Header | data. ESP: new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data. AH-ESP: new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data.)

- Authentication algorithm and encryption algorithm
  IPSec can use the Message Digest 5 (MD5) algorithm or Secure Hash Algorithm (SHA-1) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, whereas the SHA-1 algorithm is more secure than the MD5 algorithm.
  IPSec can use the DES, Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) algorithms for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.

- Negotiation mode
  IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).
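The ESP framing of Figures 5-1 and 5-2, with the placement of the ESP Tail and ESP Auth data, as an added Python illustration (not SPU code and not part of the original guide): null encryption keeps the layout visible, HMAC-SHA1-96 stands in for the SHA-1 authentication option, and the inner TCP segment, the addresses and the key are constructed.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4     # next-header value for an encapsulated IP packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12         # HMAC-SHA1-96: the ESP Auth data field carries 96 bits


def ipv4_checksum(header):
    total = sum(struct.unpack("!10H", header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_wrap(spi, seq, inner, next_header, auth_key):
    """ESP | inner | ESP Tail | ESP Auth data.

    Null encryption, so the layout stays readable. The ICV authenticates
    everything from the SPI through the next-header byte; the outer IP
    header is not covered, which is why ESP leaves it mutable."""
    pad_len = (-(len(inner) + 2)) % 4              # tail ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 2406 default pad pattern
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def transport_mode(ip_packet, spi, seq, auth_key):
    """Figure 5-1: ESP is inserted between the original IP header and TCP."""
    hdr, payload = ip_packet[:20], ip_packet[20:]
    esp = esp_wrap(spi, seq, payload, hdr[9], auth_key)   # next header = original proto
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp), ttl=hdr[8]) + esp


def tunnel_mode(ip_packet, spi, seq, auth_key, outer_src, outer_dst):
    """Figure 5-2: the whole raw IP packet goes inside ESP behind a new IP header."""
    esp = esp_wrap(spi, seq, ip_packet, IPPROTO_IPIP, auth_key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def esp_unwrap(packet, auth_key):
    """Receiver side: verify the ICV before touching anything, then strip the tail.
    Returns (spi, seq, next_header, inner); raises ValueError on failure."""
    hdr, esp = packet[:20], packet[20:]
    if hdr[9] != IPPROTO_ESP:
        raise ValueError("outer protocol is not ESP")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, inner


# Constructed sample: a 20-byte TCP header carried from 10.1.1.10 to 10.1.2.10.
TCP_SEGMENT = bytes.fromhex("04d2005000000001000000005002200000000000")
INNER_IP = ipv4_header("10.1.1.10", "10.1.2.10", IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
AUTH_KEY = b"constructed-sample-key"
```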

5.2 IPSec Features Supported by the SPU


The SPU supports IPSec tunnels established in manual mode or IKE negotiation mode. The SPU implements the IPSec functions described in "IPSec Overview." IPSec peers can adopt various security protection measures (authentication, encryption, or both) on different data flows.

The IPSec configuration roadmap is as follows:
1. Define data flows to be protected by using an ACL.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), SA negotiation mode, peer IP address (start and end points of the protection path), required key, and SA lifetime.
4. Apply the IPSec policy on an interface of the switch.

In addition, IPSec supports MPLS VPN access. You can implement this function by:
- Associating a VPN instance with an AS
- Configuring the switch as a PE and associating the VPN instance with the PE interface connected to the CE

5.3 Establishing an IPSec Tunnel Manually

You can establish IPSec tunnels manually when the network topology is simple.

5.3.1 Establishing the Configuration Task
Before establishing an IPSec tunnel manually, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
5.3.2 Defining Data Flows to Be Protected
IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.
5.3.3 Configuring an IPSec Proposal
Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.
5.3.4 Configuring an IPSec Policy
After establishing an IPSec tunnel manually, you need to configure an IPSec policy for the tunnel.
5.3.5 (Optional) Configuring an IPSec Policy Template
5.3.6 Setting the Global Lifetime of SAs
5.3.7 Applying an IPSec Policy Group to a Sub-interface
A manually configured IPSec policy group can be applied to only one Sub-interface.
5.3.8 Checking the Configuration
After an IPSec tunnel is established manually, you can check information about the SA, IPSec proposal, and IPSec policy.

5.3.1 Establishing the Configuration Task


Before establishing an IPSec tunnel manually, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Applicable Environment
Data flows must be authenticated to ensure data transmission security. In the scenarios demanding high security, data flows must be authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service. You can establish IPSec tunnels manually when the network topology is simple.

Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel manually, you need the following data.

No.  Data
1    Parameters of an advanced ACL
2    IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
3    Name and sequence number of the IPSec policy, local and peer IP addresses of the tunnel, inbound and outbound SPIs of AH, inbound and outbound SPIs of ESP, inbound and outbound authentication keys of AH (character strings), inbound and outbound authentication keys of ESP (character strings), inbound and outbound authentication keys of AH (hexadecimal numbers), inbound and outbound authentication keys of ESP (hexadecimal numbers), inbound and outbound encryption keys of ESP (hexadecimal numbers), (optional) VPN instance name
4    Type and number of the interface to which the IPSec policy group is applied

NOTE

You can use the AH or ESP protocol according to the actual situation.

5.3.2 Defining Data Flows to Be Protected


IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]

An ACL rule is configured.


NOTE
- The ACL must be configured to match the data flows accurately. It is recommended that you set the action of the ACL rule to permit for the data flows that need to be protected.
- You need to create different ACLs and IPSec policies for the data flows with different requirements for security.

----End

5.3.3 Configuring an IPSec Proposal


Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.

Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is configured. By default, the ESP protocol defined by RFC 2406 is used.

Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is configured.

Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is configured. By default, both ESP and AH use the MD5 authentication algorithm.
You can configure the authentication and encryption algorithms only after selecting a security protocol through the transform command. For example, if ESP is selected, you can configure the authentication and encryption algorithms for ESP rather than AH.

Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]

The encryption algorithm used by ESP is configured. By default, ESP uses the DES encryption algorithm.

Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured.


By default, the tunnel mode is used.

----End

5.3.4 Configuring an IPSec Policy


After establishing an IPSec tunnel manually, you need to configure an IPSec policy for the tunnel.

Context

CAUTION
When configuring SA parameters SPI, string authentication key (string-key), hexadecimal authentication key (authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound parameters on the remote end, and the outbound parameters on the local end are the same as the inbound parameters on the remote end.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number manual

An IPSec policy is created. An IPSec policy group can contain up to 400 IPSec policies. By default, no IPSec policy exists.

Step 3 Run:
security acl acl-number

An ACL is applied to the IPSec policy. An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy, the last configured ACL takes effect.

Step 4 Run:
proposal proposal-name

An IPSec proposal is applied to the IPSec policy. An IPSec policy can use only one proposal. If an IPSec proposal has been applied to the IPSec policy, you must cancel the existing proposal before applying a new one to the IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must be configured with the same security protocol, algorithm, and packet encapsulation mode.

Step 5 Run:
tunnel local ip-address


The IP address of the local end of the tunnel is configured.

Step 6 Run:
tunnel remote ip-address

The IP address of the remote end of the tunnel is configured.

Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number

The SPI of the SA is configured. When configuring an SA, you need to set both inbound parameters and outbound parameters. To manually create an IPSec tunnel, you need to use the sa spi command together with the sa string-key, sa authentication-hex, or sa encryption-hex command.
The SA parameters on the two ends of a tunnel must match each other. The inbound SPI of the local end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local end must be the same as the inbound SPI of the remote end.

CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be set up. If you configure the keys in different formats, the last configured key takes effect.

Step 8 Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key

The authentication key (a hexadecimal number) of the security protocol is configured.

Step 9 Run:
sa string-key { inbound | outbound } { ah | esp } string-key

The authentication key (a character string) of the security protocol is configured.

Step 10 Run:
sa encryption-hex { inbound | outbound } esp hex-key

The encryption key (a hexadecimal number) of ESP is configured.

Step 11 (Optional) Run:
sa binding vpn-instance vpn-instance-name

A VPN instance is associated with the SA.

----End
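A check for the mirroring rules in Step 7 and the CAUTION above, written as an added Python illustration rather than SPU code: it compares the sa spi, sa string-key, sa authentication-hex and sa encryption-hex settings of two manually configured ends and reports SPI, key-format and key mismatches. The policy values, addresses and keys are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SaDirection:
    """Parameters of one direction (inbound or outbound) of one protocol, as set
    with sa spi / sa string-key / sa authentication-hex / sa encryption-hex."""
    spi: int
    string_key: Optional[str] = None           # sa string-key
    authentication_hex: Optional[str] = None   # sa authentication-hex
    encryption_hex: Optional[str] = None       # sa encryption-hex (ESP only)

    def key_format(self) -> Optional[str]:
        # The guide says the last configured key takes effect, so one direction
        # is modelled as holding exactly one authentication-key format.
        if self.string_key is not None:
            return "string"
        if self.authentication_hex is not None:
            return "hex"
        return None

    def auth_key(self) -> Optional[str]:
        return self.string_key if self.string_key is not None else self.authentication_hex


@dataclass
class ManualIpsecPolicy:
    protocol: str          # "ah" or "esp", from transform in the proposal
    local_ip: str          # tunnel local
    remote_ip: str         # tunnel remote
    inbound: SaDirection
    outbound: SaDirection


def check_manual_peers(local: ManualIpsecPolicy, remote: ManualIpsecPolicy) -> List[str]:
    """Return the mismatches between two manually configured ends.
    An empty list means the parameters satisfy the CAUTION above."""
    problems = []
    if local.protocol != remote.protocol:
        problems.append(f"security protocol: {local.protocol} vs {remote.protocol}")
    if (local.local_ip, local.remote_ip) != (remote.remote_ip, remote.local_ip):
        problems.append("tunnel local/remote addresses are not mirrored")
    pairs = (("local inbound vs remote outbound", local.inbound, remote.outbound),
             ("local outbound vs remote inbound", local.outbound, remote.inbound))
    for label, a, b in pairs:
        if a.spi != b.spi:
            problems.append(f"{label}: SPI {a.spi} != {b.spi}")
        if a.key_format() is None or b.key_format() is None:
            problems.append(f"{label}: authentication key missing")
        elif a.key_format() != b.key_format():
            problems.append(f"{label}: key format {a.key_format()} vs {b.key_format()}")
        elif a.auth_key() != b.auth_key():
            problems.append(f"{label}: authentication key mismatch")
        if local.protocol == "esp" and a.encryption_hex != b.encryption_hex:
            problems.append(f"{label}: ESP encryption key mismatch")
    return problems


# Constructed sample: a correctly mirrored pair, then a peer that used
# sa authentication-hex where the other end used sa string-key.
SPU_A = ManualIpsecPolicy(
    "esp", "192.0.2.1", "198.51.100.1",
    inbound=SaDirection(12345, string_key="abcdef", encryption_hex="0123456789abcdef"),
    outbound=SaDirection(54321, string_key="fedcba", encryption_hex="fedcba9876543210"))
SPU_B = ManualIpsecPolicy(
    "esp", "198.51.100.1", "192.0.2.1",
    inbound=SaDirection(54321, string_key="fedcba", encryption_hex="fedcba9876543210"),
    outbound=SaDirection(12345, string_key="abcdef", encryption_hex="0123456789abcdef"))
SPU_B_HEX_KEY = ManualIpsecPolicy(
    "esp", "198.51.100.1", "192.0.2.1",
    inbound=SaDirection(54321, string_key="fedcba", encryption_hex="fedcba9876543210"),
    outbound=SaDirection(12345, authentication_hex="6162636465660000",
                         encryption_hex="0123456789abcdef"))
```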

5.3.5 (Optional) Configuring an IPSec Policy Template


Context
NOTE

The IPSec policy created through an IPSec policy template cannot be used to initiate an SA negotiation but can respond to an SA negotiation.


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template template-name seq-number

An IPSec policy template is created and the IPSec policy template view is displayed.

Step 3 Run:
security acl acl-number

An ACL is applied to the IPSec policy template.

Step 4 Run:
proposal proposal-name1 [ proposal-name2 ... proposal-name6 ]

The specified IPSec proposals are applied to the IPSec policy template.

Step 5 Run:
sa duration { traffic-based kilobytes | time-based seconds }

The SA lifetime is set.

Step 6 Run:
ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is used to create an IPSec policy.

----End

5.3.6 Setting the Global Lifetime of SAs


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec sa global-duration { traffic-based kilobytes | time-based seconds }

The global SA lifetime is set.

NOTE
The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation. By default, the time-based global lifetime is 3600 seconds; the traffic-based global lifetime is 1843200 kilobytes.

----End

5.3.7 Applying an IPSec Policy Group to a Sub-interface

A manually configured IPSec policy group can be applied to only one Sub-interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subinterface

The Sub-interface view is displayed.

Step 3 Run:
ipsec policy policy-name

An IPSec policy group is applied to the Sub-interface. A Sub-interface can use only one IPSec policy group. An IPSec policy group that establishes an SA through IKE negotiation can be applied to multiple Sub-interfaces, whereas an IPSec policy group that is used to establish an SA manually can be applied only to one Sub-interface.
If the applied IPSec policy establishes an SA in manual mode, the SA is generated immediately.

----End

5.3.8 Checking the Configuration


After an IPSec tunnel is established manually, you can check information about the SA, IPSec proposal, and IPSec policy.

Prerequisite
The configurations required to establish an IPSec tunnel manually are complete.

Procedure
- Run the display ipsec sa command to view information about the SA.
- Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.

----End

5.4 Establishing an IPSec Tunnel Through IKE Negotiation


IKE provides an automatic protection mechanism to distribute keys, authenticate the identity, and set up SAs on an insecure network.

5.4.1 Establishing the Configuration Task
Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.
5.4.2 Defining Data Flows to Be Protected
IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.
5.4.3 Configuring the Local Host Name Used in IKE Negotiation
The local ID type used in IKE negotiation must be the same as the remote ID type.
5.4.4 Configuring an IKE Proposal
You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.
5.4.5 Configuring an IKE Peer
5.4.6 Configuring an IPSec Proposal
Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.
5.4.7 Configuring an IPSec Policy
After configuring an IKE peer, you need to apply it to the IPSec policy. Then the two ends can start IKE negotiation.
5.4.8 (Optional) Configuring an IPSec Policy Template
An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the workload of establishing multiple IPSec tunnels.
5.4.9 (Optional) Setting Optional Parameters
This section describes how to set optional parameters for IKE negotiation.
5.4.10 Applying an IPSec Policy to a Sub-interface
A Sub-interface can adopt only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple Sub-interfaces.
5.4.11 Checking the Configuration
After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, configuration of the IKE peer, and configuration of the IKE proposal.

5.4.1 Establishing the Configuration Task


Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data.

Application Environment
Data flows must be authenticated to ensure data transmission security. In the scenarios demanding high security, data flows must be authenticated and encrypted. In such a scenario, you can configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service. When the network topology is complex, you can establish IPSec tunnels through IKE negotiation.

Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:

- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination

Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data.

No.  Data
1    Parameters of an advanced ACL
2    Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime
3    IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name
4    Security proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
5    Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation
6    (Optional) Name of the IPSec policy template
7    (Optional) Local address of the IPSec policy group, time-based global SA lifetime, traffic-based global SA lifetime, interval for sending keepalive packets, timeout interval of keepalive packets, and interval for sending NAT update packets
8    Type and number of the interface to which the IPSec policy is applied

NOTE

You can use the AH or ESP protocol according to the actual situation.

5.4.2 Defining Data Flows to Be Protected


IPSec can protect different data flows. In actual applications, you need to configure an ACL to define the data flows to be protected and apply the ACL to a security policy to protect the data flows.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]

An advanced ACL is created and the ACL view is displayed.

Step 3 Run:
rule [ rule-id ] { deny | permit } protocol [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ip-address source-wildcard | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ]* [ icmp-type icmp-type icmp-code ]

An ACL rule is configured.

----End
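As an added illustration (not part of the guide), the following Python evaluator applies advanced ACL rules written with the source/destination wildcard syntax above to a packet, including the difference between match-order config and match-order auto; ACL 3101 and the packets are constructed for the example.

```python
# Added example, not from the Huawei guide: evaluate packets against an
# advanced ACL written with the wildcard syntax of section 5.4.2, honouring
# the match-order { config | auto } option.  ACL 3101 below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    action: str               # "permit" (protect the flow) or "deny" (do not)
    protocol: str             # "ip" matches every protocol
    source: str = "any"       # "<address> <wildcard>" or "any"
    destination: str = "any"


def _parse_spec(spec: str):
    """Return (network, fixed_mask): a wildcard bit of 1 means 'do not care'."""
    if spec == "any":
        return 0, 0
    addr, wildcard = spec.split()
    fixed = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & fixed, fixed


def _matches(spec: str, ip: str) -> bool:
    network, fixed = _parse_spec(spec)
    return (int(ipaddress.IPv4Address(ip)) & fixed) == network


def _specificity(rule: Rule) -> int:
    """Number of fixed address bits; 'auto' order tries larger values first."""
    return sum(bin(_parse_spec(s)[1]).count("1")
               for s in (rule.source, rule.destination))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             match_order: str = "config") -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    if match_order == "auto":
        # Most specific rule first; sorted() is stable, so ties keep config order.
        ordered = sorted(rules, key=_specificity, reverse=True)
    else:                      # "config": rules are tried in the order entered
        ordered = list(rules)
    for r in ordered:
        if r.protocol != "ip" and r.protocol != proto:
            continue
        if _matches(r.source, src) and _matches(r.destination, dst):
            return r.action
    return None                # no rule matched: the flow is not selected


# Constructed ACL 3101: protect 10.1.1.0/24 -> 10.1.2.0/24, but a later, more
# specific rule excludes one host.  Its effect depends on the match order.
ACL_3101 = [
    Rule(5, "permit", "ip", "10.1.1.0 0.0.0.255", "10.1.2.0 0.0.0.255"),
    Rule(10, "deny", "ip", "10.1.1.100 0.0.0.0", "10.1.2.0 0.0.0.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_3101, "tcp", "10.1.1.100", "10.1.2.7", order))
```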

5.4.3 Configuring the Local Host Name Used in IKE Negotiation


The local ID type used in IKE negotiation must be the same as the remote ID type.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike local-name router-name

The local host name used in the IKE negotiation is configured. The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.

----End

5.4.4 Configuring an IKE Proposal


You can create multiple IKE proposals with different priority levels. The two ends must have at least one matching IKE proposal for IKE negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike proposal proposal-number

An IKE proposal is created and the IKE proposal view is displayed. The IKE negotiation succeeds only when the two ends use IKE proposals with the same settings.

Step 3 Run:
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

The encryption algorithm is configured.



Step 4 (Optional) Run:
authentication-method pre-share

Pre-shared key authentication is configured. When pre-shared key authentication is configured, you must set the same pre-shared key on the IKE peers.

Step 5 Run:
authentication-algorithm { md5 | sha1 }

The authentication algorithm is configured. When pre-shared key authentication is configured, an authenticator must be configured.

Step 6 (Optional) Run:
dh { group1 | group2 }

The Diffie-Hellman group is specified.

Step 7 (Optional) Run:
prf { hmac-md5 | hmac-sha1 }

The algorithm used to generate the pseudo-random number is specified.

Step 8 Run:
sa duration interval

The SA lifetime is set. If the lifetime expires, the ISAKMP SA is automatically updated. You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective.

----End

5.4.5 Configuring an IKE Peer


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ike peer peer-name [ v1 | v2 ]

An IKE peer is created and the IKE peer view is displayed.

Step 3 Run:
exchange-mode { main | aggressive }

The IKE negotiation mode is configured. In aggressive mode, the local ID type must be set to name in step 5. In main mode, the local ID type must be set to ip.

Step 4 Run:
ike-proposal proposal-number

An IKE proposal is configured.

Step 5 (Optional) Run:
local-id-type { ip | name }

The local ID type is configured. By default, the IP address of the local end is used as the local ID.

Step 6 (Optional) Run:
local-address address

The IP address of the local end of IKE negotiation is configured.

Step 7 (Optional) Run:
ike local-name router-name

The local host name used in the IKE negotiation is configured. After the local ID type is set to name, you need to set the local host name. The local host name and the remote host name configured when you configure an IKE peer are both case sensitive.

Step 8 (Optional) Run:
peer-id-type { ip | name }

The peer ID type is configured. By default, the IP address of the local end is used as the local ID. The peer-id-type command is valid only when IKEv2 is used.

Step 9 (Optional) Run:
nat traversal

NAT traversal is enabled. When NAT traversal is enabled, exchange-mode must be set to aggressive and local-id-type must be set to name.

Step 10 Run:
pre-shared-key key-string

The pre-shared key used by the local end and the remote peer is configured. If pre-shared key authentication is configured, you need to configure a pre-shared key for each remote peer. The two ends of an IPSec tunnel must be configured with the same pre-shared key. If pre-shared key authentication is configured, an authenticator must be configured.

Step 11 Run:
remote-address [ vpn-instance vpn-instance-name ] ip-address

The IP address of the remote peer is configured.

Step 12 (Optional) Run:
sa binding vpn-instance vpn-instance-name

A VPN instance is associated with the SA.



By specifying the VPN instance that the remote end of the IPSec tunnel belongs to, you can implement multi-instance IPSec connections. The configuration takes effect only on the initiator of the tunnel. The initiator needs to obtain the outbound interface when sending packets. This command specifies the VPN that the remote end of the IPSec tunnel belongs to. Based on the VPN, the tunnel initiator can obtain the outbound interface and send packets through it. The packets received by the remote peer carry the VPN attribute, so you do not need to specify the VPN on the remote peer.

Step 13 Run:
remote-name name

The remote host name is configured (it is used only when name authentication is used in aggressive mode).

----End

5.4.6 Configuring an IPSec Proposal


Both ends of the tunnel must be configured with the same security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec proposal proposal-name

An IPSec proposal is created and the IPSec proposal view is displayed.

Step 3 (Optional) Run:
transform { ah | esp | ah-esp }

The security protocol is configured. By default, the ESP protocol defined by RFC 2406 is used.

Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }

The authentication algorithm used by AH is configured. By default, AH uses the MD5 authentication algorithm.

Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]

The authentication algorithm used by ESP is configured. By default, ESP uses the MD5 authentication algorithm.

Step 6 (Optional) Run:
esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }

The encryption algorithm used by ESP is configured.



By default, ESP uses the DES encryption algorithm.

Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }

The packet encapsulation mode is configured. By default, the security protocol uses tunnel mode to encapsulate IP packets.

----End

5.4.7 Configuring an IPSec Policy


After configuring an IKE peer, you need to apply it to the IPSec policy. Then the two ends can start IKE negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy policy-name seq-number isakmp

An IPSec policy is created.

Step 3 Run:
proposal proposal-name&<1-6>

An IPSec proposal is applied to the IPSec policy. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel first use the IPSec proposals with the same parameter settings.

Step 4 Run:
security acl acl-number

An ACL is applied to the IPSec policy.

Step 5 Run:
sa trigger-mode { auto | traffic-based }

The SA triggering mode is configured. After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering mode. In automatic triggering mode, the IPSec SA is established immediately after IKE negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only after packets are received. By default, the automatic triggering mode is used.

Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }

The SA lifetime is set.


- In IKEv1, the IKE peers compare the lifetimes set in their IPSec proposals and use the smaller value as the SA lifetime. In IKEv2, the IKE peers do not negotiate the SA lifetime; instead, each uses its locally set SA lifetime.

Step 7 Run:
ike-peer peer-name

An IKE peer is applied to the IPSec policy.

Step 8 (Optional) Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails.

----End
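To show how the settings from 5.4.4 to 5.4.7 are compared between the two ends, here is an added Python example (not the guide's or the switch's code): it picks the IKE and IPSec proposals that both ends share, applies the IKEv1/IKEv2 lifetime rule from Step 6, and lists the mismatches the guide says make negotiation fail. The peers, class names and field names are constructed assumptions.

```python
# Added example, not from the Huawei guide: the matching rules the guide states
# for IKE proposals (5.4.4), IKE peers (5.4.5), IPSec proposals (5.4.6, 5.4.7)
# and the SA lifetime (5.4.7 Step 6), applied to two constructed peers.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkeProposal:
    number: int                    # lower number = higher priority
    encryption: str                # des-cbc | 3des-cbc | aes-cbc-128 | ...
    auth_algorithm: str            # md5 | sha1
    auth_method: str = "pre-share"
    dh: str = "group1"             # group1 | group2
    def key(self):
        return (self.encryption, self.auth_algorithm, self.auth_method, self.dh)


@dataclass
class IpsecProposal:
    name: str
    transform: str = "esp"         # ah | esp | ah-esp
    ah_auth: str = "md5"
    esp_auth: str = "md5"
    esp_enc: str = "des"
    encapsulation: str = "tunnel"  # transport | tunnel
    def key(self):
        """Only the algorithms of the selected protocol(s) take part in matching."""
        ah = (self.ah_auth,) if "ah" in self.transform else ()
        esp = (self.esp_auth, self.esp_enc) if "esp" in self.transform else ()
        return (self.transform, self.encapsulation) + ah + esp


@dataclass
class Peer:
    name: str
    version: str = "v1"            # v1 | v2
    exchange_mode: str = "main"    # main | aggressive
    local_id_type: str = "ip"      # ip | name
    nat_traversal: bool = False
    pre_shared_key: str = ""
    pfs: Optional[str] = None      # dh-group1 | dh-group2 | None = PFS not used
    sa_seconds: int = 3600         # time-based SA lifetime of the IPSec policy
    ike_proposals: List[IkeProposal] = field(default_factory=list)
    ipsec_proposals: List[IpsecProposal] = field(default_factory=list)


def select_ike_proposal(local: Peer, remote: Peer) -> Optional[IkeProposal]:
    """Highest-priority local proposal whose settings the remote end also has."""
    remote_keys = {p.key() for p in remote.ike_proposals}
    for p in sorted(local.ike_proposals, key=lambda q: q.number):
        if p.key() in remote_keys:
            return p
    return None


def select_ipsec_proposal(local: Peer, remote: Peer) -> Optional[IpsecProposal]:
    """First of at most six referenced proposals with identical parameters."""
    remote_keys = {p.key() for p in remote.ipsec_proposals[:6]}
    for p in local.ipsec_proposals[:6]:
        if p.key() in remote_keys:
            return p
    return None


def negotiated_lifetime(local: Peer, remote: Peer) -> int:
    """IKEv1 peers use the smaller lifetime; IKEv2 peers use their own value."""
    if local.version == "v1":
        return min(local.sa_seconds, remote.sa_seconds)
    return local.sa_seconds


def check_peer_pair(a: Peer, b: Peer) -> List[str]:
    """Configuration mismatches that the guide says make negotiation fail."""
    problems = []
    for p in (a, b):
        needed = "name" if p.exchange_mode == "aggressive" else "ip"
        if p.local_id_type != needed:
            problems.append(f"{p.name}: {p.exchange_mode} mode needs local-id-type {needed}")
        if p.nat_traversal and (p.exchange_mode, p.local_id_type) != ("aggressive", "name"):
            problems.append(f"{p.name}: NAT traversal needs aggressive mode and name ID")
    if a.pre_shared_key != b.pre_shared_key:
        problems.append("pre-shared keys differ")
    if a.pfs != b.pfs:
        problems.append(f"PFS mismatch: {a.pfs} vs {b.pfs}")
    if select_ike_proposal(a, b) is None:
        problems.append("no IKE proposal with identical settings on both ends")
    if select_ipsec_proposal(a, b) is None:
        problems.append("no IPSec proposal with identical settings on both ends")
    return problems


# Constructed peers: A prefers AES (proposal 10), B offers only DES, so A's
# lower-priority proposal 20 is the one both ends share.
PEER_A = Peer("SwitchA-SPU", pre_shared_key="huawei", pfs="dh-group2",
              ike_proposals=[IkeProposal(10, "aes-cbc-128", "sha1", dh="group2"),
                             IkeProposal(20, "des-cbc", "md5")],
              ipsec_proposals=[IpsecProposal("tran1", esp_auth="sha1")])
PEER_B = Peer("SwitchB-SPU", pre_shared_key="huawei", pfs="dh-group2", sa_seconds=1800,
              ike_proposals=[IkeProposal(5, "des-cbc", "md5")],
              ipsec_proposals=[IpsecProposal("tran1", esp_auth="sha1")])
```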

5.4.8 (Optional) Configuring an IPSec Policy Template


An IPSec policy template can be used to configure multiple IPSec policies, thus reducing the workload of establishing multiple IPSec tunnels.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec policy-template policy-template-name seq-number

An IPSec policy template is created.

Step 3 (Optional) Run:
security acl acl-number

An ACL is applied to the IPSec policy template.

Step 4 Run:
proposal proposal-name&<1-6>

An IPSec proposal is applied to the IPSec policy template. An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals. During IKE negotiation, the two ends of the IPSec tunnel first use the IPSec proposals with the same parameter settings.

Step 5 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }

The SA lifetime is set.

Step 6 Run:
ike-peer peer-name


An IKE peer is applied to the IPSec policy template.

Step 7 (Optional) Run:
pfs { dh-group1 | dh-group2 }

The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured. By default, the PFS feature is not used in IKE negotiation.

----End

5.4.9 (Optional) Setting Optional Parameters


This section describes how to set optional parameters for IKE negotiation.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ipsec sa global-duration { time-based interval | traffic-based kilobytes }

The global SA lifetime is set. You can set the lifetime only for SAs established through IKE negotiation. The lifetime of manually created SAs is not limited; that is, manually created SAs are always effective. If the SA lifetime is not set in an IPSec policy, the global lifetime is used. A new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have already been established; it is used for SAs newly established during IKE negotiation.

Step 3 Run:
ike sa heartbeat-timer interval interval

The interval for sending heartbeat packets is set.

Step 4 Run:
ike sa heartbeat-timer timeout interval

The timeout interval of heartbeat packets is set. If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat packets must be set on the other end. On a network, packet loss rarely occurs more than three times consecutively. Therefore, the timeout interval of heartbeat packets on one end can be set to three times the interval for sending heartbeat packets on the other end.

Step 5 Run:
ike sa nat-keepalive-timer interval interval

The interval for sending NAT update packets is set.

Step 6 Run:
ipsec anti-replay { enable | disable }


The anti-replay function is enabled.

Step 7 Run:
ike peer peer-name [ v1 | v2 ]

The IKE peer view is displayed.

Step 8 Run:
local-address address

The IP address of the local end is configured.

Step 9 Run the following commands to configure the dead peer detection (DPD) function.
- Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }

The idle time for DPD, the retransmission interval of DPD packets, and the maximum number of retransmissions are set.
- Run:
dpd msg { seq-hash-notify | seq-notify-hash }

The sequence of payloads in DPD packets is configured.
- Run:
dpd type { on-demand | periodic }

The DPD mode is configured.

----End

5.4.10 Applying an IPSec Policy to a Sub-interface


A sub-interface can adopt only one IPSec policy group. An IPSec policy group created through IKE negotiation can be applied to multiple sub-interfaces.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
ipsec policy policy-name seq-number isakmp template template-name

The IPSec policy template is used to create an IPSec policy.

Step 3 Run:
interface interface-type interface-number.subinterface

The sub-interface view is displayed.

Step 4 Run:
ipsec policy policy-name
An IPSec policy group is applied to the sub-interface. Only one IPSec policy group can be applied to a sub-interface, and an IPSec policy group can be applied to multiple sub-interfaces. After the configuration, the packets transmitted between the two ends of the IPSec tunnel trigger the establishment of an SA through IKE negotiation. In automatic triggering mode, the SA is established immediately after the IKE negotiation succeeds. In traffic-based triggering mode, the SA is established only after data flows matching the IPSec policy are sent from the sub-interface. After IKE negotiation succeeds and the SA is established, the data flows between the two ends of the tunnel are encrypted and then transmitted.

----End

5.4.11 Checking the Configuration


After an IPSec tunnel is established through IKE negotiation, you can view information about the SA, configuration of the IKE peer, and configuration of the IKE proposal.

Prerequisite
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.

Procedure
- Run the display ike sa command.
- Run the display ike peer [ name peer-name ] [ verbose ] command.
- Run the display ike proposal command.

----End

5.5 Maintaining IPSec


This section describes how to display the IPSec configuration and clear the IPSec statistics.

5.5.1 Displaying the IPSec Configuration
You can run the following display commands to view information about the SA, established IPSec tunnel, and statistics about IPSec packets.

5.5.2 Clearing IPSec Information
This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation.

5.5.1 Displaying the IPSec Configuration


You can run the following display commands to view information about the SA, established IPSec tunnel, and statistics about IPSec packets.

Prerequisite
The configurations of IPSec are complete.

Procedure
- Run the display ipsec sa [ brief | duration | hardware { { ah | esp } [ inbound | outbound ] spi spi-value peerip peer-ip-address | peer-table value } | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to view information about the SA.
- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phase-number | verbose ] command to view information about the established IPSec tunnel.
- Run the display ipsec statistics { ah | esp } command to view the statistics about IPSec packets.
- Run the display ike statistics { all | msg | v2 } command to view the statistics about IKE packets.

----End

5.5.2 Clearing IPSec Information


This section describes how to clear the statistics about IPSec and IKE packets, information about SAs, and information about the IPSec tunnels established through IKE negotiation.

Context

CAUTION
The statistics cannot be restored if cleared. So, use the following commands with caution.

Procedure
- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.
- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.

----End

5.6 Configuration Examples


This section provides several configuration examples of IPSec.

5.6.1 Example for Establishing an SA Manually
You can establish SAs manually when the network topology is simple. When there are a large number of devices on the network, it is difficult to establish SAs manually, and network security cannot be ensured.

5.6.2 Example for Establishing an SA Through IKE Negotiation
SAs are usually established through IKE negotiation when the network is complicated. IKE automatically establishes an SA and performs key exchange to improve the efficiency of SA establishment and ensure network security.

5.6.1 Example for Establishing an SA Manually


You can establish SAs manually when the network topology is simple. When there are a large number of devices on the network, it is difficult to establish SAs manually, and network security cannot be ensured.

Networking Requirements
As shown in Figure 5-3, an IPSec tunnel is established between SwitchA and SwitchB to protect data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm. The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.

Figure 5-3 Networking diagram for establishing an SA manually

[Figure 5-3 labels: PC A (10.1.1.2/24, VLAN 10) - SwitchA GE1/0/11, GE1/0/12 (VLAN 20), XGE5/0/0 - SPU XGE0/0/1.1 202.38.163.1/24 (VLAN 20), XGE0/0/1.2 202.38.168.2/24 (VLAN 10) - Internet - SPU XGE0/0/1.1 202.38.162.1/24 (VLAN 20), XGE0/0/1.2 202.38.165.2/24 (VLAN 30) - SwitchB XGE5/0/0, GE1/0/12 (VLAN 20), GE1/0/11 - PC B (10.1.2.2/24, VLAN 30)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows from the Switches to the SPUs.
2. Configure ACLs to define the data flows to be protected.
3. Configure static routes between the SPUs of SwitchA and SwitchB.
4. Configure IPSec proposals.
5. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
6. Apply the IPSec policies to interfaces of the SPUs.

Procedure
Step 1 Import flows from SwitchA and SwitchB to the SPUs.
1. Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA



[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] port link-type access
[SwitchA-GigabitEthernet1/0/11] port default vlan 10
[SwitchA-GigabitEthernet1/0/11] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface gigabitethernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/12] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] port link-type trunk
[SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20
[SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchA-XGigabitEthernet5/0/0] quit

2. Configure the SPU on SwitchA.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.163.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 10 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 10
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.163.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

3. Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type trunk
[SwitchB-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/12] quit
[SwitchB] interface XGigabitEthernet5/0/0
[SwitchB-XGigabitEthernet5/0/0] port link-type trunk
[SwitchB-XGigabitEthernet5/0/0] port trunk allow-pass vlan 30 20
[SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchB-XGigabitEthernet5/0/0] quit

4. Configure the SPU on SwitchB.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.162.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 30 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 30
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.162.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

Step 2 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.
# Configure an ACL on the SPU of SwitchA.
[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[SPU-acl-adv-3101] quit

# Configure an ACL on the SPU of SwitchB.


[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[SPU-acl-adv-3101] quit

Step 3 Configure static routes between the SPUs of SwitchA and SwitchB.
# Configure a static route to the remote peer on the SPU of SwitchA.
[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1

# Configure a static route to the remote peer on the SPU of SwitchB.


[SPU] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1

Ping PC B from PC A. The ping succeeds.

Step 4 Create IPSec proposals on the SPUs of SwitchA and SwitchB.
# Configure an IPSec proposal on the SPU of SwitchA.
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

# Configure an IPSec proposal on SwitchB.


[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec proposal
Number of Proposals: 1
IPsec Proposal Name: tran1
  Encapsulation mode: Tunnel
  Transform         : esp-new
  ESP protocol      : Authentication SHA1-HMAC-96  Encryption DES

Step 5 Create IPSec policies on the SPUs of SwitchA and SwitchB.
# Configure an IPSec policy on the SPU of SwitchA.
[SPU] ipsec policy map1 10 manual
[SPU-ipsec-policy-manual-map1-10] security acl 3101
[SPU-ipsec-policy-manual-map1-10] proposal tran1
[SPU-ipsec-policy-manual-map1-10] tunnel remote 202.38.162.1
[SPU-ipsec-policy-manual-map1-10] tunnel local 202.38.163.1
[SPU-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[SPU-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[SPU-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[SPU-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[SPU-ipsec-policy-manual-map1-10] quit

# Configure an IPSec policy on SwitchB.


[SPU] ipsec policy use1 10 manual
[SPU-ipsec-policy-manual-use1-10] security acl 3101
[SPU-ipsec-policy-manual-use1-10] proposal tran1
[SPU-ipsec-policy-manual-use1-10] tunnel remote 202.38.163.1
[SPU-ipsec-policy-manual-use1-10] tunnel local 202.38.162.1
[SPU-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[SPU-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[SPU-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[SPU-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[SPU-ipsec-policy-manual-use1-10] quit

Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================
  SequenceNumber: 10
  Security data flow: 3101
  Tunnel local address: 202.38.163.1
  Tunnel remote address: 202.38.162.1
  Proposal name:tran1
  Inbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Inbound ESP setting:
    ESP SPI: 54321 (0xd431)
    ESP string-key: gfedcba
    ESP encryption hex key:
    ESP authentication hex key:
  Outbound AH setting:
    AH SPI:
    AH string-key:
    AH authentication hex key:
  Outbound ESP setting:
    ESP SPI: 12345 (0x3039)
    ESP string-key: abcdefg
    ESP encryption hex key:
    ESP authentication hex key:

Step 6 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.
# Apply the IPSec policy to the SPU interface on SwitchA.
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit

# Apply the IPSec policy to the SPU interface on SwitchB.


[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy use1
[SPU-XGigabitEthernet0/0/1.1] quit


Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet0/0/1.1
Path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
-----------------------------
  Encapsulation mode: Tunnel
  Tunnel local : 202.38.163.1
  Tunnel remote: 202.38.162.1
  DSCP value: 0
  [Outbound ESP SAs]
    SPI: 12345 (0x3039)
    Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
    No duration limit for this SA
  [Inbound ESP SAs]
    SPI: 54321 (0xd431)
    Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
    No duration limit for this SA

Step 7 Verify the configuration.
After the configuration is complete, PC A can ping PC B. Run the display ipsec statistics esp command to view statistics about the data packets.

----End
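An added consistency check, not from the guide: this Python script parses the ipsec policy ... manual block out of each SPU configuration file of this example and verifies that the two ends mirror each other (tunnel addresses swapped, each end's outbound SPI and string-key equal to the other end's inbound SPI and string-key, same proposal name). The function names are assumptions; the configuration excerpts are the example's own values.

```python
# Added example, not from the Huawei guide: parse the manual IPSec policy block
# of each SPU configuration file from section 5.6.1 and check that the two ends
# mirror each other.  Function names are assumptions; the two configuration
# excerpts are copied from the example's configuration files.
from typing import Dict, List


def parse_manual_policy(config: str) -> Dict[str, object]:
    """Collect the settings of the first 'ipsec policy <name> <seq> manual' block."""
    pol: Dict[str, object] = {}
    inside = False
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["ipsec", "policy"] and w[-1] == "manual":
            pol["name"], pol["seq"] = w[2], int(w[3])
            inside = True
        elif not inside:
            continue
        elif w[0] == "#":                   # a '#' line closes the block
            break
        elif w[:2] == ["tunnel", "local"]:
            pol["tunnel_local"] = w[2]
        elif w[:2] == ["tunnel", "remote"]:
            pol["tunnel_remote"] = w[2]
        elif w[:2] == ["sa", "spi"]:        # sa spi {inbound|outbound} {ah|esp} <spi>
            pol[f"spi_{w[2]}_{w[3]}"] = int(w[4])
        elif w[:2] == ["sa", "string-key"]: # sa string-key {inbound|outbound} {ah|esp} <key>
            pol[f"key_{w[2]}_{w[3]}"] = w[4]
        elif w[0] == "proposal":
            pol["proposal"] = w[1]
        elif w[:2] == ["security", "acl"]:
            pol["acl"] = int(w[2])
    return pol


def mirror_problems(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Mismatches between two manual policies that are meant to face each other."""
    problems = []
    if (a.get("tunnel_remote") != b.get("tunnel_local")
            or b.get("tunnel_remote") != a.get("tunnel_local")):
        problems.append("tunnel local/remote addresses are not swapped between the ends")
    for proto in ("ah", "esp"):
        for kind in ("spi", "key"):
            if (a.get(f"{kind}_outbound_{proto}") != b.get(f"{kind}_inbound_{proto}")
                    or b.get(f"{kind}_outbound_{proto}") != a.get(f"{kind}_inbound_{proto}")):
                problems.append(f"{proto} {kind}: outbound on one end != inbound on the other")
    if a.get("proposal") != b.get("proposal"):
        # Equal names are necessary here; equal proposal parameters are checked separately.
        problems.append("policies reference differently named proposals")
    return problems


# Excerpts of the SPU configuration files from the guide's example 5.6.1.
SWITCHA_SPU = """\
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
interface XGigabitEthernet0/0/1.1
 ipsec policy map1
"""
SWITCHB_SPU = """\
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
interface XGigabitEthernet0/0/1.1
 ipsec policy use1
"""

if __name__ == "__main__":
    print(mirror_problems(parse_manual_policy(SWITCHA_SPU), parse_manual_policy(SWITCHB_SPU)))
```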

Configuration Files
- Configuration of the SPU on SwitchA


#
 sysname SPU
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.163.1
 tunnel remote 202.38.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 202.38.163.2 255.255.255.0
 arp broadcast enable
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
#
return

- Configuration file of SwitchA


#
 sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return

- Configuration of the SPU on SwitchB


#
 sysname SPU
#
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.38.162.1
 tunnel remote 202.38.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 30 dot1q-termination
 dot1q termination vid 30
 ip address 202.38.162.2 255.255.255.0
 arp broadcast enable
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
#
return

Configuration file of SwitchB


#
 sysname SwitchB
#
vlan batch 20 30
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30
#
return

5.6.2 Example for Establishing an SA Through IKE Negotiation


On complex networks, SAs are usually established through IKE negotiation. IKE establishes the SA and performs the key exchange automatically, which makes SA establishment more efficient and keeps the keys off the configuration.

Networking Requirements
As shown in Figure 5-4, an IPSec tunnel is established between SwitchA and SwitchB. This IPSec tunnel protects the data flows between the subnet of PC A (10.1.1.x) and the subnet of PC B (10.1.2.x). The IPSec tunnel uses the ESP protocol, the DES encryption algorithm, and the SHA-1 authentication algorithm. The SPUs of SwitchA and SwitchB are inserted in slot 5 of their subracks.

Figure 5-4 Networking for establishing an SA through IKE negotiation

[Figure: PC A (10.1.1.2/24) connects to GE1/0/11 of SwitchA (VLAN 10) and PC B (10.1.2.2/24) connects to GE1/0/11 of SwitchB (VLAN 30). On each switch, XGE5/0/0 connects to the SPU: the SPU's XGE0/0/1.1 (VLAN 20) carries the tunnel endpoint address, 202.38.163.1/24 on SwitchA and 202.38.162.1/24 on SwitchB, and its XGE0/0/1.2 faces the user VLAN (labelled 202.38.168.2/24 and 202.38.165.2/24 in the figure). GE1/0/12 (VLAN 20) of each switch connects to the Internet.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Import flows on the Switches to the SPUs.
2. Configure IKE proposals.
3. Specify the local host ID and IKE peer required in IKE negotiation.
4. Configure ACLs to define the data flows to be protected.
5. Configure static routes between the SPUs of SwitchA and SwitchB.
6. Configure IPSec proposals.
7. Configure IPSec policies and apply the ACLs and IPSec proposals to the IPSec policies.
8. Apply the IPSec policies to interfaces of the SPUs.

Procedure
Step 1 Import flows on SwitchA and SwitchB to the SPUs.
1. Configure SwitchA.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/11
[SwitchA-GigabitEthernet1/0/11] port link-type access
[SwitchA-GigabitEthernet1/0/11] port default vlan 10
[SwitchA-GigabitEthernet1/0/11] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
[SwitchA] interface gigabitethernet 1/0/12
[SwitchA-GigabitEthernet1/0/12] port link-type trunk
[SwitchA-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/12] quit
[SwitchA] interface XGigabitEthernet5/0/0
[SwitchA-XGigabitEthernet5/0/0] port link-type trunk
[SwitchA-XGigabitEthernet5/0/0] port trunk allow-pass vlan 10 20
[SwitchA-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchA-XGigabitEthernet5/0/0] quit

2. Configure the SPU on SwitchA.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.163.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 10 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 10
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.163.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

3. Configure SwitchB.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] vlan 30
[SwitchB-vlan30] quit
[SwitchB] interface gigabitethernet 1/0/11
[SwitchB-GigabitEthernet1/0/11] port link-type access
[SwitchB-GigabitEthernet1/0/11] port default vlan 30
[SwitchB-GigabitEthernet1/0/11] quit
[SwitchB] vlan 20
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 1/0/12
[SwitchB-GigabitEthernet1/0/12] port link-type trunk
[SwitchB-GigabitEthernet1/0/12] port trunk allow-pass vlan 20
[SwitchB-GigabitEthernet1/0/12] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/12] quit
[SwitchB] interface XGigabitEthernet5/0/0
[SwitchB-XGigabitEthernet5/0/0] port link-type trunk
[SwitchB-XGigabitEthernet5/0/0] port trunk allow-pass vlan 30 20
[SwitchB-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[SwitchB-XGigabitEthernet5/0/0] quit

4. Configure the SPU on SwitchB.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] control-vid 20 dot1q-termination
[SPU-XGigabitEthernet0/0/1.1] dot1q termination vid 20
[SPU-XGigabitEthernet0/0/1.1] ip address 202.38.162.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.1] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.1] quit
[SPU] interface XGigabitEthernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 30 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 30
[SPU-XGigabitEthernet0/0/1.2] ip address 202.38.162.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.2] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.2] quit

Step 2 Configure the IKE proposal on the SPUs of SwitchA and SwitchB.
# Configure the IKE proposal on the SPU of SwitchA.
[SPU] ike proposal 1
[SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
[SPU-ike-proposal-1] authentication-algorithm md5
[SPU-ike-proposal-1] quit

# Configure the IKE proposal on SPU of SwitchB.


[SPU] ike proposal 1
[SPU-ike-proposal-1] encryption-algorithm aes-cbc-128
[SPU-ike-proposal-1] authentication-algorithm md5
[SPU-ike-proposal-1] quit

Step 3 Configure the local IDs and IKE peers on the SPUs of SwitchA and SwitchB.
# Configure the local ID and IKE peer on the SPU of SwitchA.
[SPU] ike local-name huawei01
[SPU] ike peer spub v1
[SPU-ike-peer-spub] exchange-mode aggressive
[SPU-ike-peer-spub] ike-proposal 1
[SPU-ike-peer-spub] local-id-type name
[SPU-ike-peer-spub] pre-shared-key huawei
[SPU-ike-peer-spub] remote-name huawei02
[SPU-ike-peer-spub] remote-address 202.38.162.1
[SPU-ike-peer-spub] local-address 202.38.163.1
[SPU-ike-peer-spub] quit

NOTE
In aggressive mode, you need to configure the IP address of the remote peer (remote-address).

# Configure the local ID and IKE peer on the SPU of SwitchB.
[SPU] ike local-name huawei02
[SPU] ike peer spua v1
[SPU-ike-peer-spua] exchange-mode aggressive
[SPU-ike-peer-spua] ike-proposal 1
[SPU-ike-peer-spua] local-id-type name
[SPU-ike-peer-spua] pre-shared-key huawei
[SPU-ike-peer-spua] remote-name huawei01
[SPU-ike-peer-spua] remote-address 202.38.163.1
[SPU-ike-peer-spua] local-address 202.38.162.1
[SPU-ike-peer-spua] quit

Run the display ike peer command on the SPUs of SwitchA and SwitchB to view the configuration of the IKE peers. Take the display on the SPU of SwitchA as an example.
[SPU] display ike peer name spub verbose
---------------------------------------
 IKE Peer : spub
 Exchange mode : aggressive on phase 1
 Pre-shared-key : huawei
 Local id type : name
 DPD : Disable
 DPD mode : Periodic
 DPD idle time : 20
 DPD retrans int : 5
 DPD retry limit : 5
 Peer ip address : 202.38.162.1
 VPN name :
 Local ip address : 202.38.163.1
 Remote name : huawei02
 Nat-traversal : Disable
 Configured IKE ver : VERSION ONE
 Negotiated IKE ver: VERSION ONE
---------------------------------------

Step 4 Configure ACLs on the SPUs of SwitchA and SwitchB to define the data flows to be protected.
# Configure an ACL on the SPU of SwitchA.
[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[SPU-acl-adv-3101] quit

# Configure an ACL on the SPU of SwitchB.


[SPU] acl number 3101
[SPU-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[SPU-acl-adv-3101] quit

Step 5 Configure static routes between the SPUs of SwitchA and SwitchB.
# Configure the SPU on SwitchA.
[SPU] ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
[SPU] ip route-static 202.38.162.1 255.255.255.0 202.38.163.1

Configure the SPU on SwitchB.


[SPU] ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
[SPU] ip route-static 202.38.163.1 255.255.255.0 202.38.162.1

Step 6 Create IPSec proposals on the SPUs of SwitchA and SwitchB.
# Configure an IPSec proposal on the SPU of SwitchA.
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

# Configure an IPSec proposal on the SPU of SwitchB.
[SPU] ipsec proposal tran1
[SPU-ipsec-proposal-tran1] encapsulation-mode tunnel
[SPU-ipsec-proposal-tran1] transform esp
[SPU-ipsec-proposal-tran1] esp encryption-algorithm des
[SPU-ipsec-proposal-tran1] esp authentication-algorithm sha1
[SPU-ipsec-proposal-tran1] quit

Run the display ipsec proposal command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec proposals. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec proposal
Number of Proposals: 1

IPsec Proposal Name: tran1
 Encapsulation mode: Tunnel
 Transform : esp-new
 ESP protocol : Authentication SHA1-HMAC-96
 Encryption DES

Step 7 Create IPSec policies on the SPUs of SwitchA and SwitchB.
# Configure an IPSec policy on the SPU of SwitchA.
[SPU] ipsec policy map1 10 isakmp
[SPU-ipsec-policy-isakmp-map1-10] ike-peer spub
[SPU-ipsec-policy-isakmp-map1-10] proposal tran1
[SPU-ipsec-policy-isakmp-map1-10] security acl 3101
[SPU-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy on SwitchB.


[SPU] ipsec policy use1 10 isakmp
[SPU-ipsec-policy-isakmp-use1-10] ike-peer spua
[SPU-ipsec-policy-isakmp-use1-10] proposal tran1
[SPU-ipsec-policy-isakmp-use1-10] security acl 3101
[SPU-ipsec-policy-isakmp-use1-10] quit

Run the display ipsec policy command on the SPUs of SwitchA and SwitchB to view the configuration of the IPSec policies. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using local-address: {(null)}
Using interface: {}
===========================================

 SequenceNumber: 10
 Security data flow: 3101
 IKE-peer name: spub
 Perfect forward secrecy: None
 Proposal name: tran1
 IPsec SA local duration(time based): 3600 seconds
 IPsec SA local duration(traffic based): 1843200 kilobytes
 SA trigger mode: Automatic

Step 8 Apply the IPSec policies to the interfaces of the SPUs on SwitchA and SwitchB.
# Apply the IPSec policy to the SPU interface on SwitchA.
[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy map1
[SPU-XGigabitEthernet0/0/1.1] quit

# Apply the IPSec policy to the SPU interface on SwitchB.


[SPU] interface XGigabitEthernet 0/0/1.1
[SPU-XGigabitEthernet0/0/1.1] ipsec policy use1
[SPU-XGigabitEthernet0/0/1.1] quit

Run the display ipsec sa command on the SPUs of SwitchA and SwitchB to view the configuration. Take the display on the SPU of SwitchA as an example.
[SPU] display ipsec sa
===============================
Interface: XGigabitEthernet 0/0/1.1
 path MTU: 1500
===============================

 -----------------------------
 IPsec policy name: "map1"
 sequence number: 10
 mode: isakmp
 -----------------------------
 Connection id: 3
 encapsulation mode: tunnel
 tunnel local : 202.38.163.1
 tunnel remote: 202.38.162.1

 [inbound ESP SAs]
 spi: 1406123142 (0x53cfbc86)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
 sa remaining key duration (bytes/sec): 1887436528/3575
 max received sequence-number: 4
 udp encapsulation used for nat traversal: N

 [outbound ESP SAs]
 spi: 3835455224 (0xe49c66f8)
 proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
 sa remaining key duration (bytes/sec): 1887436464/3575
 max sent sequence-number: 5
 udp encapsulation used for nat traversal: N

Step 9 Verify the configuration.
After the configuration is complete, PC A can ping PC B. The data transmitted between PC A and PC B is encrypted. Run the display ike sa command on an SPU, and the following information is displayed:
[SPU] display ike sa
Conn-ID  Peer            VPN  Flag(s)  Phase  version
--------------------------------------------------------------
14       202.38.162.1    0    RD|ST    1      IPSEC
16       202.38.162.1    0    RD|ST    2      IPSEC

Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP

----End
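A peer-to-peer IKE/IPSec negotiation fails silently when the two SPUs disagree on any value they must share or mirror. The following Python script is an added consistency check (not part of this guide or of the switch software): it parses the configuration-file syntax shown in this section and reports differing pre-shared keys or proposals, remote-address/remote-name values that do not point at the peer, ACLs that are not mirror images, and a policy bound to an interface that is not the policy defined. The sample configuration text is constructed from the values of this example; DES and MD5 are flagged because they are weak algorithms by today's standards.

```python
import re

# Line patterns follow the configuration-file syntax shown above. Lines are stripped
# before matching, so anchoring at the start separates the IKE proposal's
# "encryption-algorithm" from the IPsec proposal's "esp encryption-algorithm".
_PATTERNS = {
    "local_name": r"ike local-name (\S+)",
    "ike_enc": r"encryption-algorithm (\S+)",
    "ike_auth": r"authentication-algorithm (\S+)",
    "psk": r"pre-shared-key (\S+)",
    "remote_name": r"remote-name (\S+)",
    "remote_addr": r"remote-address (\S+)",
    "local_addr": r"local-address (\S+)",
    "esp_enc": r"esp encryption-algorithm (\S+)",
    "esp_auth": r"esp authentication-algorithm (\S+)",
    "policy": r"ipsec policy (\S+) \d+ (?:isakmp|manual)",
    "applied": r"ipsec policy (\S+)$",
    "acl": r"rule (?:\d+ )?permit ip source (\S+) \S+ destination (\S+) \S+",
}
WEAK = {"des", "md5"}  # single DES and MD5 should not be used for new tunnels

# Constructed sample: the IPsec-relevant lines of the SwitchA SPU configuration
# file from this example (VLAN, ARP and route lines omitted). SwitchB's file is
# the mirror image, so it is derived by swapping the paired values.
SPU_A = """\
ike local-name huawei01
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
ike peer spub v1
 pre-shared-key huawei
 remote-name huawei02
 remote-address 202.38.162.1
 local-address 202.38.163.1
ipsec proposal tran1
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ipsec policy map1 10 isakmp
 security acl 3101
acl number 3101
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
interface XGigabitEthernet0/0/1.1
 ipsec policy map1
"""

def _swap(text: str, pairs) -> str:
    for x, y in pairs:  # exchange x and y everywhere, via a placeholder
        text = text.replace(x, "\0").replace(y, x).replace("\0", y)
    return text

SPU_B = _swap(SPU_A, [("huawei01", "huawei02"), ("202.38.163.1", "202.38.162.1"),
                      ("10.1.1.0", "10.1.2.0"), ("spub", "spua"), ("map1", "use1")])

def parse(config: str) -> dict:
    """Pull out the values the two peers must agree on."""
    facts = {}
    for raw in config.splitlines():
        line = raw.strip()
        for key, pat in _PATTERNS.items():
            m = re.match(pat, line)
            if m and key == "acl":
                facts["acl_src"], facts["acl_dst"] = m.group(1), m.group(2)
                break
            if m:
                facts[key] = m.group(1)
                break
    return facts

def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return every inconsistency between the two peers (empty list = clean)."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    # Values that must be identical on both ends.
    for key, what in (("psk", "pre-shared key"), ("ike_enc", "IKE encryption"),
                      ("ike_auth", "IKE authentication"), ("esp_enc", "ESP encryption"),
                      ("esp_auth", "ESP authentication")):
        if a.get(key) != b.get(key):
            out.append(f"{what} differs: {a.get(key)} vs {b.get(key)}")
    # Values that must mirror: my remote-* is the peer's local-*, my ACL source is its destination.
    for mine, theirs, what in (("remote_addr", "local_addr", "remote-address"),
                               ("remote_name", "local_name", "remote-name"),
                               ("acl_src", "acl_dst", "ACL source")):
        for side, x, y in (("A", a, b), ("B", b, a)):
            if x.get(mine) != y.get(theirs):
                out.append(f"{side}: {what} {x.get(mine)} != peer {y.get(theirs)}")
    # Per side: the policy bound to the interface must be the one defined; no weak algorithms.
    for side, x in (("A", a), ("B", b)):
        if x.get("applied") != x.get("policy"):
            out.append(f"{side}: interface applies {x.get('applied')} "
                       f"but policy {x.get('policy')} is defined")
        for key in ("ike_enc", "ike_auth", "esp_enc", "esp_auth"):
            if x.get(key) in WEAK:
                out.append(f"{side}: weak algorithm {x[key]} ({key})")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(SPU_A, SPU_B)) or "no findings")
```

For the configuration of this example the only findings are the four weak-algorithm warnings (MD5 in the IKE proposal and DES in the IPSec proposal on each side).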

Configuration Files
Configuration of the SPU on SwitchA

#
 sysname SPU
#
 ike local-name huawei01
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer spub v1
 exchange-mode aggressive
 ike-proposal 1
 pre-shared-key huawei
 local-id-type name
 remote-name huawei02
 remote-address 202.38.162.1
 local-address 202.38.163.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
acl number 3101
 rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ip route-static 10.1.2.0 255.255.255.0 202.38.162.1
ip route-static 202.38.162.1 255.255.255.0 202.38.163.1
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.163.1 255.255.255.0
 ipsec policy map1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 ip address 202.38.163.2 255.255.255.0
 arp broadcast enable
#
return

Configuration file of SwitchA


#
 sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return

Configuration of the SPU on SwitchB


#
 sysname SPU
#
 ike local-name huawei02
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike peer spua v1
 exchange-mode aggressive
 ike-proposal 1
 pre-shared-key huawei
 local-id-type name
 remote-name huawei01
 remote-address 202.38.163.1
 local-address 202.38.162.1
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 202.38.163.1
ip route-static 202.38.163.1 255.255.255.0 202.38.162.1
#
interface XGigabitEthernet0/0/1.1
 control-vid 20 dot1q-termination
 dot1q termination vid 20
 ip address 202.38.162.1 255.255.255.0
 ipsec policy use1
 arp broadcast enable
#
interface XGigabitEthernet0/0/1.2
 control-vid 30 dot1q-termination
 dot1q termination vid 30
 ip address 202.38.162.2 255.255.255.0
 arp broadcast enable
#
return

Configuration file of SwitchB


#
 sysname SwitchB
#
vlan batch 20 30
#
interface GigabitEthernet1/0/11
 port link-type access
 port default vlan 30
#
interface GigabitEthernet1/0/12
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20
#
interface XGigabitEthernet5/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 30
#
return

6 NetStream Configuration

About This Chapter

This chapter describes the working principle of NetStream and provides configuration examples.

6.1 Overview of NetStream
This section describes the working principle of NetStream.
6.2 NetStream Features Supported by the SPU
This section describes the NetStream features supported by the SPU.
6.3 Collecting IPv4 Traffic Statistics
This section describes how to collect statistics about IPv4 traffic passing through an interface.
6.4 Collecting IPv6 Traffic Statistics
This section describes how to collect statistics about IPv6 traffic passing through an interface.
6.5 Collecting MPLS Traffic Statistics
This section describes how to collect statistics about MPLS traffic passing through an interface.
6.6 Configuring the Aggregation Statistics About Traffic
This section describes how to configure the statistics about IPv4 and MPLS aggregation traffic passing through an interface.
6.7 Configuring the Flexible NetStream Feature
This section describes how to configure the Flexible NetStream feature to create NetStream statistics flexibly according to records.
6.8 Example for Configuring NetStream
This section provides several configuration examples of NetStream.


6.1 Overview of NetStream


This section describes the working principle of NetStream.

Concepts of NetStream
NetStream is a technology for collecting and exporting statistics about network traffic. It classifies the communication traffic on the network and collects statistics about it and about resource usage. NetStream also supports network management and accounting based on service type and QoS. NetStream involves three types of devices:
- Netstream Data Exporter (NDE): The NDE collects and sends traffic statistics.
- Netstream Collector (NSC): The NSC receives and stores the traffic statistics sent by the NDE.
- Netstream Data Analyzer (NDA): The NDA analyzes the traffic statistics. The analysis result provides the basis for network accounting, network planning, network monitoring, and application monitoring and analysis.

NetStream Application
Because the IP network is connectionless, communication between different types of services is realized by transmitting IP packets from one terminal to another. The IP packets of one service constitute a data stream on the network. Most data streams on the network are ephemeral and bidirectional. Based on the destination IP address, source IP address, destination port number, source port number, protocol number, Type of Service (ToS), and inbound and outbound interfaces of packets, NetStream identifies the different streams and collects statistics for each stream. The switch regularly sends the collected traffic statistics to the NSC for further processing; the NSC then sends the statistics to the NDA for data analysis. The report generated from the analysis result is the basis for accounting and network planning. This process is shown in Figure 6-1.

Figure 6-1 Diagram of NetStream data collection and analysis

[Figure: SwitchA and SwitchB export their statistics to NSCs, which pass them on to the NDA.]

NOTE
The NetStream function is implemented by the SPU of the switch.


6.2 NetStream Features Supported by the SPU


This section describes the NetStream features supported by the SPU.

Packet Sampling Types


The SPU supports fixed-packet sampling (fix-packets), random-packet sampling (random-packets), fixed-time sampling (fix-time), and random-time sampling (random-time).

Versions of Original Traffic and Aggregation Traffic


At present, the SPU supports statistics about the original traffic, aggregation traffic, and Flexible traffic.
- The version of the exported packets of the original traffic is V5 or V9. By default, the version of exported statistics packets is V5 and the version of exported IPv6 statistics packets is V9. To export statistics about MPLS traffic, set the version to V9.
- The version of the exported packets of the aggregation traffic is V8 or V9. By default, the version of the exported packets of IPv4 aggregation traffic is V8 and that of MPLS aggregation traffic is V9.
- The version of the exported packets of the Flexible traffic is V9.

Statistics Aggregation
The SPU supports aggregation based on as, as-tos, protocol-port, protocol-port-tos, mpls-label, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.

Aging Types
The SPU supports the following aging types:
- Aging depending on the inactive aging time: After the inactive aging time is set, the traffic is aged if the SPU does not receive any packet of the traffic within that period. The statistics collection is then ended and the result is sent to the NSC.
- Aging depending on the active aging time: After the active aging time is set, the traffic is aged once that period has elapsed since the first packet of the traffic was collected. The statistics collection is then ended and the result is sent to the NSC.
- Aging depending on the FIN or RST flag in TCP streams: If the traffic received by the SPU contains TCP packets with the FIN or RST flag, the traffic is aged. The statistics collection is then ended and the result is sent to the NSC.
- Aging depending on byte overflow: If the number of bytes in the statistics reaches a certain value, the traffic is aged. This function is enabled by default.


Flexible Netstream
Flexible NetStream provides users with a flexible way to collect NetStream statistics. You can collect traffic statistics based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or traffic label as required. The SPU can send the traffic statistics on an interface to the NSC.

6.3 Collecting IPv4 Traffic Statistics


This section describes how to collect statistics about IPv4 traffic passing through an interface.
6.3.1 Establishing the Configuration Task
6.3.2 Enabling NetStream on an Interface
6.3.3 (Optional) Configuring the Version of Exported Packets
6.3.4 Setting the Destination Address of the Statistics
6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic
6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic
6.3.8 Checking the Configuration

6.3.1 Establishing the Configuration Task


Applicable Environment
You need to configure the NetStream on an interface to collect statistics about inbound and outbound IPv4 packets respectively. The statistics result is sent to the Network Management System (NMS). By analyzing the traffic statistics, the NMS can obtain the traffic situation on the network and thus performs effective network management.

Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation
To configure NetStream, you need the following data.

No.  Data
1    Name and number of the interface on which traffic statistics need to be collected
2    Version of the exported packets of the NetStream traffic statistics
3    IP addresses and port numbers of the NSC

6.3.2 Enabling NetStream on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run:
ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run:
ip netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic. By default, NetStream is disabled for IPv4 traffic. Currently, NetStream can be enabled only on XGigabitEthernet 0/0/1.

----End

6.3.3 (Optional) Configuring the Version of Exported Packets


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip netstream export version version [ origin-as | peer-as ] [ bgp-nexthop ]

The version of exported packets is configured. By default, the version of exported packets is v5, the AS option is none, and the statistics do not contain information about the BGP next hop.

NOTE
At present, only v9 packets contain information about the BGP next hop.

----End

6.3.4 Setting the Destination Address of the Statistics


Context
You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 (Optional) Run:
ip netstream export source ip-address

The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.

Step 3 Run:
ip netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to 2 destination addresses to implement backup between 2 NSCs.

----End

6.3.5 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
Context
The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip netstream tcp-flag enable

The TCP traffic will be aged according to the FIN or RST flag in the TCP packet header. By default, the TCP traffic is not aged according to the FIN or RST flag.

NOTE
If multiple aging conditions are configured on the SPU, the traffic ages when it meets any one of them.

----End

6.3.6 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.

----End

6.3.7 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip netstream timeout active active-interval

The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.

----End
6.3.8 Checking the Configuration


Prerequisite
The configurations of the NetStream function are complete.

Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.

----End

6.4 Collecting IPv6 Traffic Statistics


This section describes how to collect statistics about IPv6 traffic passing through an interface.
6.4.1 Establishing the Configuration Task
6.4.2 Enabling NetStream on an Interface
6.4.3 Setting the Destination Address of the Statistics
6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic
6.4.7 Checking the Configuration

6.4.1 Establishing the Configuration Task


Applicable Environment
You need to configure the NetStream on an interface to collect statistics about inbound and outbound IPv6 packets respectively. The statistics result is sent to the Network Management System (NMS). By analyzing the traffic statistics, the NMS can obtain the traffic situation on the network and thus performs effective network management.

Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
- Setting physical parameters on an interface
- Setting the link-layer parameters of the interface
- Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation
To configure NetStream, you need the following data.

No.  Data
1    Name and number of the interface on which traffic statistics need to be collected
2    Version of the exported packets of the NetStream traffic statistics
3    IP addresses and port numbers of the NSC

6.4.2 Enabling NetStream on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.

Step 3 (Optional) Run:
ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.

Step 4 Run:
ipv6 netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv6 unicast traffic. By default, NetStream is disabled for IPv6 traffic. Currently, NetStream can be enabled only on XGigabitEthernet 0/0/1.

----End

6.4.3 Setting the Destination Address of the Statistics


Context
You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure
Step 1 Run:
system-view


The system view is displayed.
Step 2 (Optional) Run:
ipv6 netstream export source ip-address

The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.
Step 3 Run:
ipv6 netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to 2 destination addresses to implement the backup between 2 NSCs.
----End

6.4.4 (Optional) Aging the TCP Traffic According to Its FIN or RST Flag
Context
The TCP traffic can be aged according to the FIN or RST flag. If the traffic received by the SPU contains the TCP FIN or RST flag, the traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream tcp-flag enable

The TCP traffic will be aged according to the FIN or RST flag in the TCP packet header. By default, the TCP traffic is not aged according to the FIN or RST flag.
NOTE
If multiple aging conditions are configured on the SPU, the traffic ages when it meets any condition.

----End


6.4.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ipv6 netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.
----End

6.4.6 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ipv6 netstream timeout active active-interval

The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.
----End
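The three conditions in 6.4.4 to 6.4.6 decide when an entry leaves the SPU flow cache and its statistics are sent to the NSC; the same inactive and active timers govern 6.5.5, 6.5.6, 6.6.6 and 6.6.7. The following Python model is an added example, not Huawei code: the packet trace, the addresses and the assumption that an entry aged by the active timer is removed and restarted by the next packet are constructed for it.

```python
from dataclasses import dataclass

TCP_FIN = 0x01
TCP_RST = 0x04


@dataclass
class FlowRecord:
    """One entry of the flow cache; becomes the exported statistics record."""
    key: tuple            # (src, dst, protocol, sport, dport)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    reason: str = ""      # why the flow was aged: inactive, active or tcp-flag


class FlowCache:
    """Models the SPU original-traffic cache with the three aging conditions.

    Defaults follow the guide: 30 s inactive timeout, 30 min active timeout,
    TCP flag aging off. Any one condition ages the flow (NOTE in 6.4.4).
    """

    def __init__(self, inactive_timeout=30.0, active_timeout=1800.0,
                 tcp_flag_aging=False):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.tcp_flag_aging = tcp_flag_aging
        self.flows = {}          # key -> FlowRecord, insertion ordered
        self.exported = []       # records "sent to the NSC", in export order

    def _export(self, key, reason):
        rec = self.flows.pop(key)
        rec.reason = reason
        self.exported.append(rec)

    def _run_timers(self, now):
        # Inactive aging: no packet of the flow for inactive_timeout seconds.
        # Active aging: the flow has lived active_timeout seconds since its
        # first packet although packets keep arriving (assumption: the entry
        # is exported and the next packet starts a fresh entry).
        for key, rec in list(self.flows.items()):
            if now - rec.last_seen >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - rec.first_seen >= self.active_timeout:
                self._export(key, "active")

    def observe(self, now, src, dst, protocol, sport, dport, length, tcp_flags=0):
        """Account one sampled packet and apply the aging rules."""
        self._run_timers(now)
        key = (src, dst, protocol, sport, dport)
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = FlowRecord(key, now, now)
        rec.last_seen = now
        rec.packets += 1
        rec.octets += length
        # TCP flag aging (6.4.4): a FIN or RST ends the flow at once, so the
        # record reaches the NSC without waiting for the inactive timer.
        if (self.tcp_flag_aging and protocol == 6
                and tcp_flags & (TCP_FIN | TCP_RST)):
            self._export(key, "tcp-flag")

    def tick(self, now):
        """Run the timers without a packet, e.g. at the end of a capture."""
        self._run_timers(now)


def replay(tcp_flag_aging=True):
    """Replay a constructed trace; returns the exported records in order."""
    cache = FlowCache(inactive_timeout=30, active_timeout=1800,
                      tcp_flag_aging=tcp_flag_aging)
    # (time, src, dst, protocol, sport, dport, length, tcp_flags); constructed.
    trace = [
        (0.0, "2001:db8::10", "2001:db8::80", 6, 40000, 443, 80, 0x02),    # SYN
        (1.0, "2001:db8::10", "2001:db8::80", 6, 40000, 443, 1200, 0x18),  # PSH+ACK
        (2.0, "2001:db8::10", "2001:db8::80", 6, 40000, 443, 60, 0x11),    # FIN+ACK
        (5.0, "2001:db8::20", "2001:db8::53", 17, 5353, 53, 90, 0),        # DNS query
        (50.0, "2001:db8::30", "2001:db8::80", 6, 40001, 443, 80, 0x02),   # long session
    ]
    # A keep-alive every 20 s keeps the third flow under the inactive timer,
    # so only the active timer can age it.
    trace += [(t, "2001:db8::30", "2001:db8::80", 6, 40001, 443, 100, 0x10)
              for t in range(60, 1841, 20)]
    for pkt in trace:
        cache.observe(*pkt)
    cache.tick(1860.0)
    return cache.exported
```

With tcp-flag aging on, the HTTPS session is exported at its FIN; with it off, the same session waits for the 30 s inactive timer and is exported only when the next packet arrives 48 s later.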

6.4.7 Checking the Configuration


Prerequisite
The configurations of the NetStream function are complete.

Procedure
Step 1 Run the display ipv6 netstream all command to view the NetStream configuration.
----End

Example
View the NetStream configuration.
[Quidway] display ipv6 netstream all
system
 ipv6 netstream timeout inactive 300
 ipv6 netstream export source 6.6.6.1
 ipv6 netstream export host 5.0.132.2 10
 ipv6 netstream export host 1.1.1.1 20
ip netstream record test0
 match ipv4 source-port
 match ipv6 source-address
 match ipv6 destination-address
 collect counter packets
 collect counter bytes
 collect interface input
 collect interface output

6.5 Collecting MPLS Traffic Statistics


This section describes how to collect statistics about MPLS traffic passing through an interface.
6.5.1 Establishing the Configuration Task
6.5.2 Enabling NetStream on an Interface
6.5.3 (Optional) Configuring the Version of Exported Packets
To export statistics packets of MPLS traffic, set the version of exported packets to V9.
6.5.4 Setting the Destination Address of the Statistics
6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic
6.5.7 Checking the Configuration

6.5.1 Establishing the Configuration Task


Applicable Environment
In an MPLS network, you can collect the statistics of incoming and outgoing traffic on the MPLS network by configuring NetStream. This can provide references for traffic analysis and accounting in the network.

Pre-configuration Tasks
Before configuring the statistics about the original traffic, complete the following tasks:
• Setting physical parameters on an interface
• Setting the link-layer parameters of the interface
• Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation
To configure NetStream, you need the following data.

No. | Data
1 | Name and number of the interface on which traffic statistics need to be collected
2 | Version of the exported packets of the NetStream traffic statistics
3 | IP addresses and port numbers of the NSC

6.5.2 Enabling NetStream on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.
Step 3 (Optional) Run:
ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface. By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ip netstream mpls inbound

The statistics function for MPLS traffic is enabled. By default, NetStream is disabled for MPLS traffic. Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.
----End

6.5.3 (Optional) Configuring the Version of Exported Packets


To export statistics packets of MPLS traffic, set the version of exported packets to V9.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream export version 9 [ origin-as | peer-as ] [ bgp-nexthop ]


The version of exported statistics packets is set to V9. By default, the version of exported packets is V5, the AS option is none, and the statistics do not contain the information about the BGP next hop.
----End

6.5.4 Setting the Destination Address of the Statistics


Context
You cannot export the NetStream statistics without the pre-configured source and destination addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 (Optional) Run:
ip netstream export source ip-address

The source address for exporting statistics is configured. By default, the source address of the exported packets carrying the NetStream statistics is 0.0.0.0.
Step 3 Run:
ip netstream export host ip-address port-number

The destination IP address of the exported statistics, that is, the IP address of the NSC, is configured. If multiple destination addresses are configured, the statistics are exported to multiple NSCs. You can configure up to 2 destination addresses to implement the backup between 2 NSCs.
----End

6.5.5 (Optional) Configuring the Inactive Aging Time of the Original Traffic
Context
After the inactive aging time of the original traffic is configured, if the SPU does not receive any data packets from the original traffic for the specified period, the SPU considers that this original traffic is aged. Then the statistics collection is ended and the result is sent to the NSC.

Procedure
Step 1 Run:
system-view


The system view is displayed.
Step 2 Run:
ip netstream timeout inactive inactive-interval

The inactive aging time of the original traffic is set. By default, the inactive aging time of the original traffic is 30s.
----End

6.5.6 (Optional) Configuring the Active Aging Time of the Original Traffic
Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream timeout active active-interval

The active aging time of the original traffic is set. By default, the active aging time of the original traffic is 30 minutes.
----End

6.5.7 Checking the Configuration


Prerequisite
The configurations of the NetStream function are complete.

Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.
----End

6.6 Configuring the Aggregation Statistics About Traffic


This section describes how to configure the statistics about IPv4 and MPLS aggregation traffic passing an interface.
6.6.1 Establishing the Configuration Task
6.6.2 Enabling NetStream on an Interface
6.6.3 Configuring the Aggregation Function
6.6.4 (Optional) Configuring the Version of Exported Packets
6.6.5 (Optional) Configuring the Export of Statistics

6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic
6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic
6.6.8 Checking the Configuration

6.6.1 Establishing the Configuration Task


Applicable Environment
When the NetStream function is configured, a mode of collecting statistics about aggregation traffic must be configured to classify statistics about packets according to certain rules.

Pre-configuration Tasks
Before configuring NetStream for aggregation traffic, complete the following tasks:
• Setting physical parameters on an interface
• Setting the link-layer parameters of the interface
• Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation
To complete the configuration, you need the following data.

No. | Data
1 | Name and number of the interface on which traffic statistics need to be collected
2 | Version number of exported packets of the NetStream traffic statistics
3 | IP addresses and port numbers of the NSC

6.6.2 Enabling NetStream on an Interface


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.
Step 3 (Optional) Run:
ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGigabitEthernet interface.



By default, the packet sampling ratio on the XGigabitEthernet interface is 1.
Step 4 Run:
ip netstream inbound

The NetStream function is enabled on the interface to collect statistics about IPv4 unicast traffic. To enable the NetStream function for MPLS traffic, run the ip netstream mpls inbound command. By default, NetStream is disabled for IPv4 or MPLS traffic. Currently, NetStream can be enabled on only XGigabitEthernet 0/0/1.
----End

6.6.3 Configuring the Aggregation Function


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.
Step 3 Run:
enable

The aggregation mode is enabled.
NOTE
To collect statistics about the MPLS aggregation traffic passing an interface, enable the mpls-label mode.

----End

6.6.4 (Optional) Configuring the Version of Exported Packets


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.
Step 3 (Optional) Run:


export version version


The version of the exported packets is configured. By default, the version of the exported packets is V8.
NOTE
When the mpls-label mode is enabled, the version of exported packets cannot be set. The default version V9 is used.

----End

6.6.5 (Optional) Configuring the Export of Statistics


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | mpls-label | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

The NetStream aggregation view is displayed.
Step 3 (Optional) Run:
ip netstream export source ip-address

The source address for exporting statistics is configured.
Step 4 (Optional) Run:
ip netstream export host ip-address port-number

The destination address for exporting statistics is configured. The destination NSC address of the exported statistics can be configured in either the system view or the NetStream aggregation view. The priority of the destination NSC address configured in the NetStream aggregation view is higher than that configured in the system view. After the destination NSC address is successfully configured:
• Original traffic can only be sent to the destination NSC address configured in the system view.
• Aggregation traffic is sent to the destination NSC address configured in the NetStream aggregation view. If no destination NSC address is configured in the NetStream aggregation view, aggregation traffic is sent to the destination NSC address configured in the system view.

----End


6.6.6 (Optional) Configuring the Inactive Aging Time of the Aggregation Traffic
Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream aggregation timeout inactive inactive-interval

The inactive aging time of the aggregation traffic is set. By default, the inactive aging time of the aggregation traffic is 30s.
----End

6.6.7 (Optional) Configuring the Active Aging Time of the Aggregation Traffic
Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream aggregation timeout active active-interval

The active aging time of the aggregation traffic is set. By default, the active aging time of the aggregation traffic is 30 minutes.
----End

6.6.8 Checking the Configuration


Prerequisite
All configurations are complete.

Procedure
Step 1 Run the display ip netstream all command to view the NetStream configuration.
----End

6.7 Configuring the Flexible NetStream Feature


This section describes how to configure the Flexible NetStream feature to flexibly create NetStream statistics according to records.

6.7.1 Establishing the Configuration Task
6.7.2 Creating a Record and Entering the Record View
6.7.3 Configuring Aggregation Key Words of Records
6.7.4 (Optional) Configuring the Exported Traffic Statistics
6.7.5 Enabling Flexible NetStream on Interfaces
6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface
6.7.7 Checking the Configuration

6.7.1 Establishing the Configuration Task


Applicable Environment
To collect statistics on packets based on the protocol type, DSCP field, source IP address, destination IP address, source port number, destination port number, or traffic label on the network, you can configure Flexible NetStream.

Pre-configuration Tasks
Before configuring Flexible NetStream, complete the following tasks:
• Setting physical parameters on interfaces
• Setting the link-layer parameters of the interface
• Configuring port mirroring on the Switch to import the flows to the SPU

Data Preparation
To complete the configuration, you need the following data.

No. | Data
1 | Name and number of the interface on which traffic statistics need to be collected
2 | IP addresses and port numbers of the NSC

6.7.2 Creating a Record and Entering the Record View


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream record record-name


A record is created and the record view is displayed.
----End

6.7.3 Configuring Aggregation Key Words of Records


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream record record-name

The record view is displayed.
Step 3 (Optional) Run:
match ipv4 { protocol | tos | source-address | destination-address | source-port | destination-port }

The IPv4 aggregation key words of records are configured.
Step 4 (Optional) Run:
match ipv6 { protocol | tc | source-address | destination-address | source-port | destination-port | flow-label }

The IPv6 aggregation key words of records are configured.
----End

6.7.4 (Optional) Configuring the Exported Traffic Statistics


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
ip netstream record record-name

The record view is displayed.
Step 3 Run:
collect counter { bytes | packets }

The mode of exporting traffic statistics is configured.
Step 4 Run:
collect interface { input | output }

The traffic statistics sent to the NSC contain the indexes of the inbound interface and outbound interface of the flows.
----End
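How the record built in 6.7.2 to 6.7.4 shapes the statistics: the match key words define which packets share one entry, and the collect fields define what that entry reports. The Python model below is an added example, not Huawei code; the packet fields, the interface indexes and the choice to report the last seen interface index are constructed assumptions.

```python
from collections import OrderedDict

# Key words and fields the guide lists for match ipv4, match ipv6 and collect.
IPV4_KEYS = {"protocol", "tos", "source-address", "destination-address",
             "source-port", "destination-port"}
IPV6_KEYS = IPV4_KEYS - {"tos"} | {"tc", "flow-label"}
COLLECT = {"counter": {"bytes", "packets"}, "interface": {"input", "output"}}


class NetStreamRecord:
    """Equivalent of `ip netstream record <name>` with its match and collect lines."""

    def __init__(self, name):
        self.name = name
        self.keys = {4: [], 6: []}          # match key words per IP version, in order
        self.collected = {"counter": set(), "interface": set()}

    def match(self, version, *keys):
        allowed = IPV4_KEYS if version == 4 else IPV6_KEYS
        unknown = set(keys) - allowed
        if unknown:
            raise ValueError(f"match ipv{version}: unknown key word(s) {sorted(unknown)}")
        for k in keys:
            if k not in self.keys[version]:
                self.keys[version].append(k)
        return self

    def collect(self, kind, *fields):
        unknown = set(fields) - COLLECT[kind]
        if unknown:
            raise ValueError(f"collect {kind}: unknown field(s) {sorted(unknown)}")
        self.collected[kind].update(fields)
        return self

    def key_for(self, pkt):
        """Aggregation key of a packet, or None when the record has no key
        words for that IP version (such packets get no statistics entry)."""
        keys = self.keys[pkt["version"]]
        if not keys:
            return None
        return (pkt["version"],) + tuple(pkt[k] for k in keys)


def aggregate(record, packets):
    """Fold packets into statistics entries the way the record defines."""
    table = OrderedDict()
    for pkt in packets:
        key = record.key_for(pkt)
        if key is None:
            continue
        entry = table.setdefault(key, {})
        if "packets" in record.collected["counter"]:
            entry["packets"] = entry.get("packets", 0) + 1
        if "bytes" in record.collected["counter"]:
            entry["bytes"] = entry.get("bytes", 0) + pkt["length"]
        # The interface index is not part of the key, so the entry reports the
        # index of the last packet seen (assumption made for this model).
        for side in record.collected["interface"]:
            entry[side] = pkt["ifindex_" + side]
    return table


def _pkt(version, proto, src, dst, sport, dport, length, **extra):
    """Constructed packet; only the fields a record can match on are kept."""
    fields = {"version": version, "protocol": proto, "source-address": src,
              "destination-address": dst, "source-port": sport,
              "destination-port": dport, "length": length,
              "ifindex_input": 1, "ifindex_output": 2}
    fields.update(extra)
    return fields


# Constructed sample: two clients to one HTTPS server, one DNS query, one IPv6 flow.
PACKETS = [
    _pkt(4, 6, "10.1.1.10", "10.2.1.2", 40000, 443, 1500, tos=0),
    _pkt(4, 6, "10.1.1.11", "10.2.1.2", 40500, 443, 500, tos=0),
    _pkt(4, 17, "10.1.1.10", "10.2.1.2", 5353, 53, 90, tos=0),
    _pkt(6, 6, "2001:db8::10", "2001:db8::80", 40001, 443, 800,
         tc=0, **{"flow-label": 0x1234}),
]


def demo_destination_record():
    """Record keyed on IPv4 destination address and port only (as in 6.8.3);
    the IPv6 packet is ignored because the record has no match ipv6 line."""
    rec = (NetStreamRecord("test0")
           .match(4, "destination-address", "destination-port")
           .collect("counter", "packets", "bytes")
           .collect("interface", "input", "output"))
    return aggregate(rec, PACKETS)


def demo_dual_stack_record():
    """Same IPv4 keys plus match ipv6 destination-address and flow-label:
    the IPv6 packet now gets its own entry."""
    rec = (NetStreamRecord("test1")
           .match(4, "destination-address", "destination-port")
           .match(6, "destination-address", "flow-label")
           .collect("counter", "packets"))
    return aggregate(rec, PACKETS)
```

Keying only on destination address and port merges the two client sources into one entry, which is what the accounting use case wants but also what an analyst loses when the source address is not among the key words.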

6.7.5 Enabling Flexible NetStream on Interfaces


Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface xgigabitethernet interface-number

The XGigabitEthernet interface view is displayed.
Step 3 Run:
port ip netstream record record-name

The record is applied to the interface.
NOTE
Only one record can be configured on an XGE interface. To modify the record in the same interface view, you must first delete the existing configuration by running the undo port ip netstream record command.

----End

6.7.6 Enabling NetStream and Setting the Packet Sampling Ratio on an Interface
Procedure
Step 1 Run:
system-view

The system view is displayed.
Step 2 Run:
interface xgigabitethernet interface-number

The XGE interface view is displayed.
Step 3 (Optional) Run:
ip netstream sampler { fix-packets packet-interval | random-packets packet-interval | fix-time time-interval | random-time time-interval } inbound

The packet sampling ratio is set on the XGE interface.
Step 4 Run:
ip netstream inbound

The NetStream function is enabled for the IPv4 traffic on the XGE interface.
Step 5 Run:
ipv6 netstream inbound

The NetStream function is enabled for the IPv6 traffic on the XGE interface.
----End

6.7.7 Checking the Configuration


Prerequisite
All configurations are complete.

Procedure
Step 1 Run the display ip netstream all and display ipv6 netstream all commands to view the NetStream configuration.
----End

6.8 Example for Configuring NetStream


This section provides several configuration examples of NetStream.
6.8.1 Example for Configuring IPv4 Traffic Statistics
6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic
6.8.3 Example for Configuring Flexible NetStream Traffic Statistics

6.8.1 Example for Configuring IPv4 Traffic Statistics


Networking Requirements
As shown in Figure 6-2, the enterprise network is connected to the access Switch B of the carrier through Switch A, and the NetStream traffic statistics function is enabled on Switch B. The carrier collects traffic statistics on the packets sent and received by GE 1/0/0 of Switch B. The traffic statistics serve as the basis for network accounting.
Figure 6-2 Networking diagram for configuring NetStream (figure not reproduced; labels shown: User Network; Switch A GE1/0/0 VLANIF 100 10.1.1.1/24; Switch B GE1/0/0 VLANIF 100 10.1.1.2/24, GE2/0/0 VLANIF 200 10.2.1.1/24, XGE4/0/0, XGE4/0/1 VLAN101 VLANIF101 22.22.22.2/24; SPU XGE0/0/1, XGE0/0/2.2 22.22.22.1/24; NSC&NDA 10.2.1.2/24)


Configuration Roadmap
The configuration roadmap is as follows:
1. Set IP addresses for interfaces on Switch A and Switch B.
2. Mirror the traffic on Switch B to the SPU.
3. Enable NetStream on the SPU to collect statistics about the inbound traffic.
4. Configure the SPU to export statistics to the NSC and configure the source address of the statistics.
5. Set the aging mode and aging time of packets.

Data Preparation
To complete the configuration, you need the following data:
• IP address of each interface
• Address and port number of the NSC and source address contained in the packets

Procedure
Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-2. The configuration procedure is not mentioned here.
Step 2 Mirror the traffic on Switch B to the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE
The SPU is located in slot 4.

Step 3 Enable NetStream on the SPU to collect traffic statistics on the inbound interface.
# Enable NetStream on XGigabitEthernet0/0/1 of the SPU to collect traffic statistics on the inbound interface.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit

Step 4 Configure the SPU to export statistics to the NSC. You must also configure the source address of the statistics.
# Configure the SPU to export statistics to the NSC with the IP address 10.2.1.2 and UDP port 6000.
[SPU] ip netstream export host 10.2.1.2 6000

# Set the source address of the traffic statistics exported by the SPU.
[SPU] ip netstream export source 10.2.1.1

Step 5 Set the aging mode and aging time of the original traffic.

# Set the inactive aging time of the original traffic to 100 seconds.
[SPU] ip netstream timeout inactive 100

# Set the aging of the original traffic according to the FIN flag in the TCP packet header.
[SPU] ip netstream tcp-flag enable

Step 6 Verify the configuration.
# After the configurations, run the display ip netstream all command in the user view of the SPU to check the configurations.
<SPU> display ip netstream all
system
 ip netstream export host 10.2.1.2 6000
 ip netstream export source 10.2.1.1
 ip netstream timeout inactive 100
 ip netstream tcp-flag enable
XGigabitEthernet0/0/1
 ip netstream inbound

----End
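What the NSC at 10.2.1.2 port 6000 receives from the configuration above is a stream of UDP datagrams in the export version set in the system view (V5 by default, see 6.5.3). The receiver-side check below is an added Python example, not Huawei or NSC code; it assumes that NetStream V5 uses the NetFlow v5 layout (24-byte header, 48-byte records), and the datagrams it parses are constructed, not captured from an SPU.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 layout, assumed here to be what NetStream V5 exports (not
# confirmed by the guide): 24-byte header followed by count 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("src", "dst", "nexthop", "input", "output", "packets",
                 "octets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "protocol", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Parse one export datagram; raises ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a V5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"export version {version}, expected 5")
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"count {count} does not match datagram length {len(datagram)}")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for f in ("src", "dst", "nexthop"):
            rec[f] = str(IPv4Address(rec[f]))
        records.append(rec)
    return {
        "count": count,
        "sys_uptime": sys_uptime,
        "unix_secs": unix_secs,
        "flow_sequence": flow_sequence,
        "engine": (engine_type, engine_id),
        # Low 14 bits carry the sampling interval (1 = every packet counted).
        "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def build_v5(flow_sequence, sampling_interval, flows):
    """Build a datagram with the same layout; used only to construct test input."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1279152000, 0,
                            flow_sequence, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
                       IPv4Address("0.0.0.0").packed, f["input"], f["output"],
                       f["packets"], f["octets"], 1000, 2000, f["srcport"],
                       f["dstport"], 0, f.get("tcp_flags", 0), f["protocol"],
                       0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def check_sequence(expected, parsed):
    """flow_sequence is the running count of exported flows, so each datagram
    should start at the previous sequence plus its count. Returns
    (flows_missing, next_expected); a positive gap means lost datagrams."""
    gap = parsed["flow_sequence"] - expected if expected is not None else 0
    return gap, parsed["flow_sequence"] + parsed["count"]


def scale(parsed, rec):
    """Estimate the true packet and octet counts of a sampled record."""
    n = parsed["sampling_interval"] or 1
    return rec["packets"] * n, rec["octets"] * n


def demo():
    """Two constructed datagrams with one lost between them; the sampling
    interval 100 mirrors ip netstream sampler fix-packets 100 in 6.8.2."""
    flows1 = [{"src": "10.1.1.10", "dst": "10.2.1.2", "input": 1, "output": 2,
               "packets": 3, "octets": 4500, "srcport": 40000, "dstport": 443,
               "protocol": 6, "tcp_flags": 0x1b}]
    flows2 = [{"src": "10.1.1.11", "dst": "10.2.1.2", "input": 1, "output": 2,
               "packets": 1, "octets": 90, "srcport": 5353, "dstport": 53,
               "protocol": 17}]
    d1 = parse_v5(build_v5(0, 100, flows1))
    gap1, nxt = check_sequence(None, d1)
    d2 = parse_v5(build_v5(5, 100, flows2))   # sequence 5, so 4 flows were lost
    gap2, _ = check_sequence(nxt, d2)
    return gap1, gap2, scale(d1, d1["records"][0])
```

Because the export is plain UDP, an NSC should also accept datagrams only from the address configured with ip netstream export source (the default 0.0.0.0 is not a usable filter value) and treat sequence gaps as lost accounting data rather than as idle periods.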

Configuration Files
Configuration file of Switch A
#
 sysname SwitchA
#
vlan 100
#
interface Vlanif 100
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
return

Configuration file of Switch B
On the MPU:
#
 sysname SwitchB
#
vlan batch 100 to 101 200
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif 100
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif 200
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif 101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0

 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
return

On the SPU:
#
 sysname SPU
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
ip netstream timeout inactive 100
ip netstream tcp-flag enable
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
interface XGigabitEthernet0/0/1
 ip netstream inbound
#
return

6.8.2 Example for Configuring NetStream of IPv4 Aggregation Traffic


Networking Requirements
As shown in Figure 6-3, the NetStream function is configured on Switch B to collect statistics on the traffic from the user network to different ISPs. The traffic statistics serve as the basis for accounting.


Figure 6-3 Networking diagram of NetStream aggregation (figure not reproduced; labels shown: User Network; Switch A GE1/0/0; Switch B GE3/0/0, GE1/0/0, GE2/0/0, GE1/0/1, XGE4/0/0, XGE4/0/1 VLAN101 VLANIF101 22.22.22.2/24; SPU XGE0/0/1, XGE0/0/2.2 22.22.22.1/24; NSC&NDA 10.4.1.2/24; Switch C GE1/0/0, ISP1; Switch D GE2/0/0, ISP2)

Switch | Physical interface | VLANIF interface | IP address
Switch A | GigabitEthernet1/0/0 | VLANIF30 | 10.1.1.1/24
Switch B | GigabitEthernet1/0/0 | VLANIF10 | 10.2.1.1/24
Switch B | GigabitEthernet2/0/0 | VLANIF20 | 10.3.1.1/24
Switch B | GigabitEthernet3/0/0 | VLANIF30 | 10.1.1.2/24
Switch B | GigabitEthernet1/0/1 | VLANIF40 | 10.4.1.1/24
Switch C | GigabitEthernet1/0/0 | VLANIF10 | 10.2.1.2/24
Switch D | GigabitEthernet2/0/0 | VLANIF20 | 10.3.1.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a reachable route between the user network and the access network.
2. Configure reachable routes between the access network and ISP 1, and between the access network and ISP 2.
3. Configure the NetStream function on the SPU of Switch B.

Data Preparation
To complete the configuration, you need the following data:
• IP addresses of interfaces
• OSPF process ID


Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 6-27

Issue 02 (2010-07-15)

6 NetStream Configuration
• BGP process ID
• IP address and port number of the NSC
• Packet sampling ratio
• Version number of exported packets

Procedure
Step 1 Set IP addresses for interfaces on Switch A and Switch B. The configuration procedure is not mentioned here.
Step 2 Configure the IGP route between Switch A and Switch B.
# Configure the dynamic route on Switch A.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] ospf router-id 1.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

# Configure the dynamic routing protocol on Switch B.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] ospf router-id 2.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.1.1 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.1.1 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

Step 3 Set up dynamic BGP peer relations between Switch B and Switch C.
# Configure Switch B.
[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.2.1.2 as-number 65002
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit

# Configure Switch C.
<Quidway> system-view
[Quidway] sysname SwitchC
[SwitchC] bgp 65002
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] peer 10.2.1.1 as-number 65001

Step 4 Set up dynamic BGP peer relations between Switch B and Switch D.
# Configure Switch B.
[SwitchB] bgp 65001
[SwitchB-bgp] router-id 2.2.2.2
[SwitchB-bgp] peer 10.3.1.2 as-number 65003
[SwitchB-bgp] quit

# Configure Switch D.
<Quidway> system-view
[Quidway] sysname SwitchD

[SwitchD] bgp 65003
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] peer 10.3.1.1 as-number 65001


Step 5 Configure the NetStream function on the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
[SwitchB] observe-port 1 interface xgigabitEthernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE
The SPU is located in slot 4.

# Set the version number of exported packets for the aggregation traffic on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream aggregation as
[SPU-aggregation-as] enable
[SPU-aggregation-as] export version 9
[SPU-aggregation-as] ip netstream export host 10.4.1.2 6000
[SPU-aggregation-as] ip netstream export source 10.4.1.1
[SPU-aggregation-as] quit

# Configure NetStream on the inbound interface and set the packet sampling ratio on the SPU.
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound
[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit
[SPU] quit

Step 6 Verify the configuration.
# After successful configurations, run the display ip netstream all command in the user view of the SPU to check the configurations.
<SPU> display ip netstream all
ip netstream aggregation as
 enable
 export version 9
 ip netstream export source 10.4.1.1
 ip netstream export host 10.4.1.2 6000
XGigabitEthernet0/0/1
 ip netstream inbound
 ip netstream sampler fix-packets 100 inbound

----End

Configuration Files
Configuration file of Switch A.
#
 sysname SwitchA
#
vlan batch 30
#
interface Vlanif30
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30

#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
return


Configuration file of Switch B.
On the MPU:
#
 sysname SwitchB
#
vlan batch 10 20 30 40 101
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif10
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif20
 ip address 10.3.1.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif40
 ip address 10.4.1.1 255.255.255.0
#
interface Vlanif 101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
interface GigabitEthernet3/0/0
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
#
interface GigabitEthernet1/0/1
 port hybrid pvid vlan 40
 port hybrid untagged vlan 40
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
bgp 65001
 router-id 2.2.2.2
 peer 10.2.1.2 as-number 65002
 peer 10.3.1.2 as-number 65003
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.2.1.2 enable
  peer 10.3.1.2 enable
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255

6-30

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Issue 02 (2010-07-15)

Quidway S9300 Terabit Routing Switch Configuration Guide - SPU


# return


On the SPU:
#
 sysname SPU
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream aggregation as
 enable
 export version 9
ip netstream export host 10.4.1.2 6000
ip netstream export source 10.4.1.1
#
interface XGigabitEthernet0/0/1
 ip netstream sampler fix-packets 100 inbound
 ip netstream inbound
#
return

Configuration file of Switch C.


#
 sysname SwitchC
#
vlan batch 10
#
interface Vlanif10
 ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
bgp 65002
 router-id 3.3.3.3
 peer 10.2.1.1 as-number 65001
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.2.1.1 enable
#
return

Configuration file of Switch D.


#
 sysname SwitchD
#
vlan batch 20
#
interface Vlanif20
 ip address 10.3.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
bgp 65003
 router-id 4.4.4.4
 peer 10.3.1.1 as-number 65001
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 10.3.1.1 enable
#
return


6.8.3 Example for Configuring Flexible NetStream Traffic Statistics


Networking Requirements
As shown in Figure 6-4, the enterprise network is connected to Switch B of the carrier through Switch A. Traffic on GE1/0/0 of Switch B is mirrored to the SPU, on which the Flexible NetStream feature is enabled. The SPU collects statistics on the traffic keyed by destination IP address and destination port, together with the inbound and outbound interfaces, and sends the statistics to the NSC.

Figure 6-4 Networking diagram for configuring Flexible NetStream (the diagram is not reproduced; the addresses below are those used in the configuration files)
- User Network - SwitchA GE1/0/0 (VLANIF 100, 10.1.1.1/24) - SwitchB GE1/0/0 (VLANIF 100, 10.1.1.2/24)
- SwitchB GE2/0/0 (VLANIF 200, 10.2.1.1/24) - NSC&NDA (10.2.1.2/24)
- SwitchB XGE4/0/0 (observe port) - SPU XGE0/0/1
- SwitchB XGE4/0/1 (VLAN 101, VLANIF 101, 22.22.22.2/24) - SPU XGE0/0/2.2 (22.22.22.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set IP addresses for the interfaces on Switch A and Switch B.
2. Mirror the traffic on GE1/0/0 of Switch B to the SPU.
3. Create a Flexible NetStream record on the SPU.
4. Enable the Flexible NetStream feature on XGigabitEthernet0/0/1 of the SPU and set the export parameters.

Data Preparation
To complete the configuration, you need the following data:
- IP address of each interface
- Version of the exported packets
- Address and port number of the NSC, and the source address carried in the exported packets
- Traffic statistics to be sent to the NSC

Procedure
Step 1 Set the IP addresses for the interfaces of Switch A and Switch B as shown in Figure 6-4. The configuration procedure is not mentioned here.
Step 2 Mirror the traffic on Switch B to the SPU.
# Mirror the traffic on GigabitEthernet1/0/0 of Switch B to XGigabitEthernet4/0/0.
<Quidway> system-view
[Quidway] sysname SwitchB
[SwitchB] observe-port 1 interface xgigabitethernet4/0/0
[SwitchB] interface gigabitethernet1/0/0
[SwitchB-GigabitEthernet1/0/0] port-mirroring to observe-port 1 inbound
NOTE

The SPU is located in slot 4.

Step 3 Enable the Flexible NetStream feature on the SPU.
# Create a record named test and enter the test view.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] ip netstream record test
[SPU-record-test]

# Configure aggregation key words of the test record.


[SPU-record-test] match ipv4 destination-address
[SPU-record-test] match ipv4 destination-port

# Configure the SPU to send the inbound and outbound interface indexes in the test record to the NSC.
[SPU-record-test] collect interface input
[SPU-record-test] collect interface output

# Send the number of packets and bytes of the inbound and outbound traffic to the NSC.
[SPU-record-test] collect counter bytes
[SPU-record-test] collect counter packets
[SPU-record-test] quit

Step 4 Enable the Flexible NetStream feature on XGigabitEthernet0/0/1.
# Set the fixed-packets sampling ratio on XGigabitEthernet0/0/1 to 100.
[SPU] interface xgigabitethernet0/0/1
[SPU-XGigabitEthernet0/0/1] ip netstream sampler fix-packets 100 inbound

# Enable the Flexible NetStream feature on XGigabitEthernet0/0/1.


[SPU-XGigabitEthernet0/0/1] port ip netstream record test

# Enable the NetStream function on XGigabitEthernet0/0/1.


[SPU-XGigabitEthernet0/0/1] ip netstream inbound
[SPU-XGigabitEthernet0/0/1] quit

Step 5 Set the source address, destination port number, and destination address for exporting packets.
# Set the destination address and destination port number for exporting packets.
[SPU] ip netstream export host 10.2.1.2 6000

# Configure the source address for exporting packets.


[SPU] ip netstream export source 10.2.1.1

Step 6 Verify the configuration.



# After the configuration is complete, run the display ip netstream all command in the user view of the SPU to check the configuration.
<SPU> display ip netstream all
system
 ip netstream export host 10.2.1.2 6000
 ip netstream export source 10.2.1.1
XGigabitEthernet0/0/1
 ip netstream inbound
 ip netstream sampler fix-packets 100 inbound
 port ip netstream record test

# View the traffic statistics.


<SPU> display ip netstream statistic
=====Netstream statistics:=====
Origin ingress entries           : 30000
Origin ingress packets           : 30000
Origin ingress octets            : 1380000
Origin egress entries            : 0
Origin egress packets            : 0
Origin egress octets             : 0
Origin total entries             : 30000
Agility ingress entries          : 30000
Agility ingress packets          : 30000
Agility ingress octets           : 3960000
Agility egress entries           : 0
Agility egress packets           : 0
Agility egress octets            : 0
Agility total entries            : 30000
Handle origin entries            : 29035
Handle agility entries           : 29050
Handle As aggre entries          : 1
Handle ProtPort aggre entries    : 1
Handle SrcPrefix aggre entries   : 118
Handle DstPrefix aggre entries   : 1
Handle Prefix aggre entries      : 118
Handle AsTos aggre entries       : 1
Handle ProtPortTos aggre entries : 1
Handle SrcPreTos aggre entries   : 118
Handle DstPreTos aggre entries   : 1
Handle PreTos aggre entries      : 118
Handle MplsTbl aggre entries     : 0

----End
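The record created in Step 3 defines which fields each exported flow carries. On the wire, a version 9 exporter announces that layout as a template and then sends data records that reference it, so the collector at 10.2.1.2:6000 must learn the template before it can decode anything. The following parser is an added example written for the collector side of this guide; it is not Huawei code. It assumes that the SPU's export version 9 uses the NetFlow v9 template/data flowset layout (RFC 3954) and that the field type numbers in FIELD_NAMES are the ones used for the test record. The sample packet in build_sample() is constructed by hand.

```python
"""Collector-side parser for NetStream/NetFlow v9 export packets.

Added example for this guide, not Huawei code. Assumption: 'export
version 9' on the SPU uses the RFC 3954 template/data flowset layout.
The sample packet in build_sample() is constructed by hand.
"""
import struct

# RFC 3954 field type numbers (assumed to be what the SPU uses for the
# 'test' record: destination address/port, in/out ifIndex, bytes, packets).
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 7: "l4_src_port", 8: "ipv4_src_addr",
    10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr", 14: "output_snmp",
}


def _decode(ftype, raw):
    """IPv4 address fields become dotted quads, everything else a big-endian int."""
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates=None):
    """Parse one export packet. Returns (header dict, list of flow dicts).

    templates: cache keyed by (source_id, template_id). Pass the same dict
    across packets, because data flowsets may arrive before the template
    that describes them is (re)sent.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than v9 header")
    version, count, uptime, epoch, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("unsupported export version %d" % version)
    header = {"count": count, "sys_uptime": uptime, "unix_secs": epoch,
              "sequence": seq, "source_id": source_id}
    flows = []
    off = 20
    while off + 4 <= len(packet):
        set_id, length = struct.unpack("!HH", packet[off:off + 4])
        # Never trust lengths from the network: bound them to the packet.
        if length < 4 or off + length > len(packet):
            raise ValueError("flowset length out of bounds")
        body = packet[off + 4:off + length]
        if set_id == 0:
            # Template flowset: one or more (template_id, field_count, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif set_id >= 256:
            # Data flowset: records laid out per the template with the same id.
            fields = templates.get((source_id, set_id))
            if fields is not None:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):  # rest is padding
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        rec[name] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    flows.append(rec)
            # else: template not seen yet; skip rather than guess the layout
        off += length
    return header, flows


def build_sample():
    """Constructed packet: template 256 matching the 'test' record, then a
    data flowset with two flows (values are made up for the example)."""
    tmpl_fields = [(12, 4), (11, 2), (10, 4), (14, 4), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(tmpl_fields))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in tmpl_fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(dst, port, in_if, out_if, nbytes, npkts):
        addr = bytes(int(x) for x in dst.split("."))
        return addr + struct.pack("!HIIII", port, in_if, out_if, nbytes, npkts)

    data = rec("10.2.1.2", 6000, 1, 2, 1380, 30) + rec("10.1.1.1", 80, 1, 2, 4600, 10)
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 2, 123456, 1279152000, 1, 0)
    return header + tmpl_set + data_set


if __name__ == "__main__":
    hdr, flows = parse_v9(build_sample())
    for f in flows:
        print(f)
```

Two points matter on a collector that listens on an open UDP port: a data flowset whose template has not been seen is skipped rather than decoded by guesswork, and every flowset length is checked against the packet length before slicing, because the exporter address can be spoofed and the packet contents are untrusted input.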

Configuration Files
Configuration file of Switch A.
#
 sysname SwitchA
#
vlan 100
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
#
return

Configuration file of Switch B



On the MPU:
#
 sysname SwitchB
#
vlan batch 100 to 101 200
#
observe-port 1 interface XGigabitEthernet4/0/0
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
 ip address 10.2.1.1 255.255.255.0
#
interface Vlanif101
 ip address 22.22.22.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port hybrid pvid vlan 100
 port hybrid untagged vlan 100
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet2/0/0
 port hybrid pvid vlan 200
 port hybrid untagged vlan 200
#
interface XGigabitEthernet4/0/1
 port hybrid pvid vlan 101
 port hybrid tagged vlan 101
#
return

On the SPU:
#
 sysname SPU
#
interface XGigabitEthernet0/0/2.2
 control-vid 101 dot1q-termination
 dot1q termination vid 101
 ip address 22.22.22.1 255.255.255.0
 arp broadcast enable
#
ip route-static 10.2.1.0 255.255.255.0 XGigabitEthernet0/0/2.2 22.22.22.2
#
ip netstream export source 10.2.1.1
ip netstream export host 10.2.1.2 6000
#
interface XGigabitEthernet0/0/1
 ip netstream sampler fix-packets 100 inbound
 port ip netstream record test
 ip netstream inbound
#
ip netstream record test
 match ipv4 destination-address
 match ipv4 destination-port
 collect counter packets
 collect counter bytes
 collect interface input
 collect interface output
#
return


7 Load Balancing Configuration

About This Chapter

Load balancing is a cluster technology that distributes services, such as network services and network traffic, among multiple links or network devices, for example, servers and firewalls. It improves the service processing capability of the network and ensures high reliability of services.

7.1 Load Balancing Overview
This section describes the background, classification, and basic concepts of load balancing.

7.2 Load Balancing Features Supported by the SPU
This section describes the load balancing features supported by the SPU and their implementation principles.

7.3 Configuring Egress Link Load Balancing
On a network with multiple ISP egresses, you can configure egress link load balancing so that the egress link is selected dynamically and the reliability of services is improved.

7.4 Configuring Server Load Balancing
On a network where multiple servers are deployed, such as a data center, you can configure server load balancing to distribute network services among the servers, improving the overall service processing capability.

7.5 Configuring Firewall Load Balancing
On a network with multiple firewalls, you can distribute network traffic among the firewalls in a group, reducing the load on each firewall and improving the network processing capability.

7.6 Configuration Examples
This section provides several configuration examples. Each example includes the networking requirements, configuration roadmap, operation procedure, and configuration files.


7.1 Load Balancing Overview


This section describes the background, classification, and basic concepts of load balancing.

Background
With the rapid development of the Internet, the growing number of users and the diversity of services place high demands on network performance. To improve the overall performance of the network, the network bandwidth must be increased and the performance of network devices such as servers and firewalls must be enhanced. Using higher-performance servers or leasing more link bandwidth does improve performance, but that investment is poorly used. The load balancing technology addresses this problem: by running a load balancing algorithm, it evenly distributes services across multiple network devices or links, improving the overall performance of the network. The load balancing technology has the following advantages:
- High reliability: when one or more network devices or links fail, the system automatically switches services to working devices or links so that services are not interrupted. This reduces the impact of network faults and improves the reliability of service processing.
- High performance: services are distributed evenly across multiple network devices so that their processing capabilities are pooled; the devices function as one large device, and the service processing capability of the system is improved.
- Extensibility: network devices or links can be added to a group to meet the requirements of growing services while service quality is maintained.

Classification
The load balancing modes are classified based on different factors:
- Physical location: load balancing is classified into local and global load balancing.
  - Local load balancing is performed among the servers of a server group in the same physical location.
  - Global load balancing is performed among server groups that are located in different physical locations and use different network structures. It applies to the following scenario: an enterprise or group has server sites in multiple areas, and users access the nearest site through an IP address or a domain name to obtain the fastest access.
- Load balancing object: load balancing is classified into link load balancing, server load balancing, and firewall load balancing.
  - Link load balancing is performed among different links.
  - Server load balancing is performed among different servers.
  - Firewall load balancing is performed among different firewalls.
- Load balancing technology: load balancing is classified into DNS-based and network-based load balancing.
  - DNS-based load balancing maps multiple IP addresses to one domain name on the Domain Name System (DNS) server; the server returns the address list in different orders so that user requests are allocated to different servers.
  - Network-based load balancing provides services through a virtual IP address. Each network device has a real IP address; the load balancing device maintains the mapping between the virtual IP address and the real IP addresses and distributes services to the network devices.

NOTE
This document describes the configuration of load balancing classified by object.

Basic Concepts
- Load balancing
  Load balancing is a group technology that distributes services such as network services and network traffic among multiple links or network devices, for example, servers and firewalls. This improves the service processing capability and ensures high reliability of services.
- Load balancing member
  A load balancing member is an entity that provides actual services for users and is configured on the load balancing device, for example, a server, a firewall, or a link.
- Load balancing group
  A load balancing group is a set of network devices or links that provide the same service for users. A set of servers is called a server group, a set of firewalls a firewall group, and a set of links a link group.
- Load balancing member instance
  A load balancing member can join multiple load balancing groups; the mapping between a load balancing member and a load balancing group is called a load balancing member instance. If the member is a server, the instance is called a server instance; if it is a firewall, a firewall instance; if it is a link, a link instance.
- VIP
  The virtual IP address is used by server load balancing and firewall load balancing. Multiple servers or firewalls share one public IP address: users access the servers or firewalls through this public address, whereas the servers or firewalls themselves use different internal IP addresses. The SPU distributes the traffic destined for the virtual IP address to the real servers according to the load balancing policy.

- Load balancing algorithm
  The load balancing algorithm is used by the load balancing device to select the load balancing member that can provide the best service for a user. The SPU supports the following load balancing algorithms:

  - Weighted round robin (WRR) algorithm
    In the WRR algorithm, the SPU makes load balancing decisions according to the priorities and weights of the load balancing members. It first selects among the members with the highest priority, in proportion to their weights: a member with a greater weight is selected more often and is allocated more services. After a member is selected, the SPU checks whether it can be used according to its bandwidth limit, connection quantity limit, and connection rate limit. If no member with a higher priority can be used, the SPU selects among the members with the next lower priority, again using WRR. The WRR algorithm compensates for differing performance among servers or differing bandwidth among links, and applies where the servers in a server group or the links in a link group are not equally capable.

  - Least connection algorithm
    The SPU actually uses a weighted least connection algorithm: it makes load balancing decisions according to the priority, weight, and number of active connections of each member. It selects among the members with the highest priority, preferring the member whose number of active connections is smallest relative to its weight. After a member is selected, the SPU checks whether it can be used according to its bandwidth limit, connection quantity limit, and connection rate limit. If no member with a higher priority can be used, the SPU selects among the members with the next lower priority using the same weighted least connection rule. This algorithm smoothly distributes connections whose durations differ widely across servers or links. It applies where the servers in a server group or the links in a link group differ in capability and the durations of the connections initiated by different users differ greatly.

  - Hash algorithm based on the IP address
    In this algorithm, the SPU hashes the source IP address, the destination IP address, or both, and makes load balancing decisions according to the hash value. After a member is selected, the SPU checks whether it can be used according to its bandwidth limit, connection quantity limit, and connection rate limit. If the member cannot be used, the SPU selects the next member according to the hash value. The hash algorithm maps the following requests to the same server or link:
    - Requests with the same source IP address
    - Requests with the same destination IP address
    - Requests with the same source and destination IP addresses
    - Requests whose source IP addresses are on the same network segment
    - Requests whose destination IP addresses are on the same network segment
    - Requests whose source and destination IP addresses are on the same network segments
    The hash algorithm applies where all requests from a user must be sent to the same server or link. It is used in server load balancing and also in firewall load balancing.

  - Hash algorithm based on the HTTP URL
    In this algorithm, the SPU hashes the URL carried in HTTP request packets and makes load balancing decisions according to the hash value. After a member is selected, the SPU checks whether it can be used according to its bandwidth limit, connection quantity limit, and connection rate limit. If the member cannot be used, the SPU selects the next member according to the hash value.
- Health detection
  Health detection means that the load balancing device periodically probes the service status of the real servers or links, collects the results, and isolates abnormal servers or links. The SPU can detect whether servers or links are running normally.
- Session stickiness
  Session stickiness means that the connection requests of a user within a period are sent to the same server for processing.
- Firewall load balancing
  Built on load balancing of network devices, firewall load balancing ensures that both directions of a session pass through the same firewall. It has the following characteristics:
  - Reduces or even removes the firewall bottleneck, enhancing the performance and extensibility of the network
  - Enhances firewall availability and network security
  Firewall load balancing is classified into the following types:
  - Standard firewall load balancing
  - Transparent firewall load balancing
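To make the selection rules above concrete, the following is an added example, not the SPU's implementation. It models a load balancing member with the priority, weight, and limits this section lists, applies the limit check after a member is picked, falls through to a lower priority tier only when no higher-tier member is usable, and implements the three address-based algorithms: weighted round robin (the smooth variant, so that weight 3 versus 1 yields an A, A, B, A pattern rather than A, A, A, B), weighted least connections, and an IP hash. The hash can be made symmetric so that both directions of a session map to the same member, which is what firewall load balancing needs. The Member fields, the smooth-WRR variant, and CRC32 as the hash function are assumptions for illustration; the SPU's own hash function is not documented here.

```python
"""Member selection for the algorithms described above: smooth weighted
round robin, weighted least connections, and IP hash (optionally symmetric).

Added example, not the SPU's implementation. The Member fields, the
smooth-WRR variant, and CRC32 as the hash function are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional
import zlib


@dataclass
class Member:
    name: str
    priority: int = 0                 # higher value = preferred tier
    weight: int = 1
    up: bool = True                   # outcome of health detection
    active_conns: int = 0
    max_conns: Optional[int] = None   # connection quantity limit
    bw_used: int = 0                  # bandwidth currently carried (kbit/s)
    bw_limit: Optional[int] = None    # bandwidth threshold
    cur: int = field(default=0, repr=False)  # smooth-WRR running score

    def usable(self) -> bool:
        """Limit check the text applies after any algorithm picks a member."""
        if not self.up:
            return False
        if self.max_conns is not None and self.active_conns >= self.max_conns:
            return False
        if self.bw_limit is not None and self.bw_used >= self.bw_limit:
            return False
        return True


def _tiers(members: List[Member]):
    """Yield the usable members of each priority tier, highest tier first.
    Lower tiers are only reached when no higher-tier member is usable."""
    for prio in sorted({m.priority for m in members}, reverse=True):
        tier = [m for m in members if m.priority == prio and m.usable()]
        if tier:
            yield tier


def wrr_select(members: List[Member]) -> Optional[Member]:
    """Smooth WRR: each call adds weight to every candidate's score, picks
    the highest score and subtracts the tier's total weight from it, so a
    member with weight 3 gets three of every four picks, spread out."""
    for tier in _tiers(members):
        total = sum(m.weight for m in tier)
        for m in tier:
            m.cur += m.weight
        pick = max(tier, key=lambda m: m.cur)
        pick.cur -= total
        return pick
    return None


def least_conn_select(members: List[Member]) -> Optional[Member]:
    """Weighted least connections: fewest active connections per unit weight."""
    for tier in _tiers(members):
        return min(tier, key=lambda m: m.active_conns / max(m.weight, 1))
    return None


def ip_hash_select(members: List[Member], src: str, dst: str,
                   symmetric: bool = False) -> Optional[Member]:
    """Hash the addresses to an index. With symmetric=True the key is
    order-independent, so both directions of a session map to the same
    member (what firewall load balancing needs). Priority is ignored,
    as the text describes; on a limit failure the next member is tried."""
    a, b = ip_address(src).packed, ip_address(dst).packed
    key = b"".join(sorted((a, b))) if symmetric else a + b
    start = zlib.crc32(key) % len(members)
    for i in range(len(members)):
        m = members[(start + i) % len(members)]
        if m.usable():
            return m
    return None


if __name__ == "__main__":
    pool = [Member("A", priority=10, weight=3), Member("B", priority=10, weight=1),
            Member("C", priority=5, weight=5)]
    print([wrr_select(pool).name for _ in range(8)])   # A gets 6, B gets 2, C none
```

The symmetric key is the reason firewall load balancing can use a plain hash at all: a stateful firewall that sees only one direction of a TCP session drops the other, so the reply from 203.0.113.9 back to 10.1.1.5 must hash to the same firewall as the request. With symmetric=False the two directions would in general land on different members.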


7.2 Load Balancing Features Supported by the SPU


The load balancing features supported by the SPU and the implementation principle are as follows.

Egress Link Load Balancing


To avoid the loss of network availability caused by a fault on an ISP's egress device, and to address network access failures due to insufficient bandwidth, an enterprise leases two or more Internet Service Provider (ISP) egresses. The enterprise then faces the problem of using these egresses properly, that is, of using the leased resources efficiently. Traditional policy-based routing (PBR) relieves the problem to some extent, but PBR is difficult to configure and inflexible: it cannot adapt dynamically to changes in the network structure, and it cannot distribute packets according to link bandwidth, so a link with high throughput cannot be fully used.

With a dynamic load balancing algorithm, multiple egress links share the traffic. The algorithm is easy to configure and adapts to changes in the network structure, which solves the preceding problem. Figure 7-1 shows the typical networking of egress link load balancing.

Figure 7-1 Typical networking of egress link load balancing (the diagram is not reproduced): the enterprise network connects through Switch to RouterA (ISP1), RouterB (ISP2), and RouterC (ISP3), which reach a server on the external network across the IP network.

As shown in Figure 7-1, Switch is the load balancing device and distributes the traffic sent from the internal network to the external network over multiple links. One ISP gateway corresponds to one link. The egress link load balancing process is as follows:
1. Users on the internal network send requests to servers on the external network.
2. When the request packets pass through Switch, Switch selects a link according to the configured load balancing algorithm, weights, priorities, and inbound/outbound bandwidth limits, and forwards the request packets over the selected link.
3. After receiving the response packets from the servers on the external network, Switch forwards them to the users on the internal network.

The egress link load balancing supported by the SPU has the following characteristics:
- Load balancing algorithm: supports the WRR algorithm, the least connection algorithm, and the hash algorithm based on the IP address.
- Link bandwidth threshold: a bandwidth threshold can be set for inbound or outbound traffic. When the threshold, or the configured percentage of it, is exceeded, the load balancing device no longer selects that ISP link.
- Link health detection: after an Internet Control Message Protocol (ICMP) probe is configured on the SPU, the SPU periodically sends probe packets to the link gateway to detect connectivity between the nodes along the link.
- Forwarding mode: the forwarding mode can be DNAT or DMAC in server load balancing. In egress link load balancing, the SPU supports the redirection mode.

Server Load Balancing


With the fast development of the Internet and its services, network data access traffic is growing rapidly; in particular, the access traffic of data centers, large enterprises, and portal websites reaches 10 Gbit/s. Servers provide rich information to users through applications such as the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP), and are gradually overwhelmed by this data. Most websites, especially e-commerce websites, provide around-the-clock service, so any service interruption or loss of key data in communication results in commercial loss. These factors require high performance and high reliability of application services.

As network technologies develop, the processing speed and memory access speed of servers cannot keep up with the growth of network bandwidth and application services. Greater bandwidth brings more users, server resources are consumed heavily, and the servers become the network bottleneck. Simply upgrading server hardware is expensive and extends poorly, and it does not remove single points of failure on the network.

Using a dynamic load balancing algorithm, the server load balancing technology allocates network services across the servers in a server group. This reduces the load on each server and improves the reliability of the service. To add capacity, you only need to add a server to the server group, without changing the existing network structure or stopping existing services.

In server load balancing, the forwarding mode is either DNAT or DMAC. The overall process is the same in both modes: the SPU provides a virtual IP address, and when users request services through the virtual IP address, the SPU allocates the requests to real servers according to the load balancing algorithm. The modes differ in how the packets are delivered:
- In DNAT mode, when allocating a service request, the SPU translates the destination IP address of the request packets (the virtual IP address) into the IP address of a real server and forwards them to the real server through routing.
- In DMAC mode, when allocating a service request, the SPU replaces the destination MAC address of the request packets with the MAC address of a real server without changing the destination IP address, and then forwards the packets to the real server.

- Server load balancing in DNAT mode
  In DNAT mode, the networking is flexible: the servers can be located in different physical positions and on different LANs. Figure 7-2 shows the typical networking.


Figure 7-2 Typical networking of server load balancing in DNAT mode (the diagram is not reproduced): Host - IP Network - Switch (VIP) - ServerA (IPA), ServerB (IPB), ServerC (IPC).

As shown in Figure 7-2, multiple servers provide services through the virtual IP address. Switch functions as the load balancing device and allocates user requests to the servers. The process of server load balancing in DNAT mode is as follows:
1. Users send requests to the virtual IP address.
2. Switch classifies the packets at Layer 3 or Layer 7 according to the service traffic features and selects a load balancing group. Switch then selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, uses NAT to replace the destination IP address of the request packets with the IP address of the real server, and sends the request packets to the real server.
3. The real server sends the response packets to Switch through a route. Before returning the response packets to the users, Switch changes their source IP address back to the virtual IP address. The load balancing process is complete.

- Server load balancing in DMAC mode
  In DMAC mode, only the request packets of users pass through the load balancing device; the response packets of the servers do not. This reduces the load on the load balancing device and prevents it from becoming the bottleneck. Figure 7-3 shows the typical networking.


Figure 7-3 Typical networking of server load balancing in DMAC mode (the diagram is not reproduced): Host - IP Network - SwitchB - SwitchA (VIP) - ServerA (IPA), ServerB (IPB), ServerC (IPC).

As shown in Figure 7-3, multiple servers provide services through the virtual IP address. Switch A functions as the load balancing device and allocates user requests to the servers. Switch B functions as a common switch: it forwards user requests to the load balancing device and returns the response packets of the servers to the users. The process of server load balancing in DMAC mode is as follows:
1. Users send requests to Switch B.
2. Switch B forwards the received request packets to Switch A.
3. After receiving the request packets, Switch A classifies them at Layer 3 or Layer 7 according to the service traffic features and selects a load balancing group. Switch A then selects a real server according to the configured load balancing algorithm, weights, priorities, inbound/outbound bandwidth limits, connection quantity limits, and connection rate limits, replaces the destination MAC address of the request packets with the MAC address of the real server (the destination IP address is still the virtual IP address), and sends the request packets to the real server.
4. The real server sends the response packets to Switch B, and Switch B sends them to the users. The load balancing process is complete.

The server load balancing supported by the SPU has the following characteristics:
- Load balancing algorithm: supports the WRR algorithm, the least connection algorithm, the hash algorithm based on the IP address, and the hash algorithm based on the URL in HTTP packets.
- Server health detection: you can configure different probes on the load balancing device to detect the health status of servers according to the service. Currently, the SPU supports ICMP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and HTTP probes.
- Forwarding mode: in server load balancing, the SPU supports the DNAT and DMAC modes.
- Session stickiness: multiple connections of one application-layer session are directed to the same server. Server load balancing on the SPU can identify users and send requests of the same type from one user to the same server, which is required in e-commerce, where the multiple connections of a user's session must be processed by one server.
l

Active/Standby switchover between servers When the selected server is Down, to ensure that user request packets are forwarded, the SPU can switch user requests to an available backup server. This ensures high reliability of services. The SPU provides the following functions of active/standby switchover between servers:

When the master server is unavailable, the SPU randomly selects an available backup server from multiple backup servers. If all the backup servers are unavailable, the SPU sends user requests to another master server again. Users is unware of the active/standby switchover between servers.

Active/Standby switchover between server groups The SPU supports the active/standby switchover between servers and between server groups. If the threshold for the master server group to remain active and the threshold for switching services from the master server group to the backup server group are set, when the percentage of active servers in the master server group is smaller than or equal to the threshold for the master server group to remain active and active servers are available in the backup server group, the SPU switches user requests to the backup server group. When the percentage of active servers in the original master server group is greater than the threshold for switching services from the master server group to the backup server group, the master server group is recovered to provide services. If the threshold for the master server group to remain active and the threshold for switching services from the master server group to the backup server group are not specified, the SPU switches user requests between server groups. If all the servers in the master server group are faulty, the SPU switches user requests to a backup server group automatically. When a server in the master server group becomes active, the SPU switches user requests to the master server group again.

Server protection The SPU protects servers by limiting the number of servers or server instances, connection rate, and inbound/outbound bandwidth.
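The following Python model is an added example, not Huawei code, that encodes the two switchover behaviours described above: the server-level fallback (random available backup server, then another master server) and the group-level switchover with and without the two thresholds. Health states are fed in as booleans instead of coming from probes, and the class and function names are illustrative. The check that the switch-back threshold is not below the remain-active threshold is added here as a sanity check against flapping; the page does not state it.

```python
"""Active/standby switchover between servers and between server groups.

Added example, not Huawei code: it models the two switchover behaviours
the text describes for the SPU.  Health states are fed in as booleans
(constructed data) instead of coming from real probes; class and function
names are illustrative.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional


def pick_server(selected: str, masters: Dict[str, bool], backups: Dict[str, bool],
                rng: Optional[random.Random] = None) -> Optional[str]:
    """Server-level switchover: if the selected master server is Down, use a
    random available backup server; if no backup is available, use another
    available master server; None if nothing is available."""
    rng = rng or random.Random(0)
    if masters.get(selected):
        return selected
    available_backups = [name for name, up in backups.items() if up]
    if available_backups:
        return rng.choice(available_backups)
    other_masters = [name for name, up in masters.items() if up and name != selected]
    return other_masters[0] if other_masters else None


@dataclass
class ServerGroup:
    name: str
    servers: Dict[str, bool]  # server name -> True when its probe reports Up

    def active_percent(self) -> float:
        if not self.servers:
            return 0.0
        return 100.0 * sum(self.servers.values()) / len(self.servers)

    def has_active(self) -> bool:
        return any(self.servers.values())


@dataclass
class GroupSelector:
    """Group-level switchover with the two thresholds named in the text.

    remain_active: the master group is left when its active percentage is
    <= this value and the backup group has an active server.
    switch_back: the master group is resumed when its active percentage is
    > this value.  With both None, the master group is left only when all
    its servers are Down and resumed as soon as one is Up again.
    """
    master: ServerGroup
    backup: ServerGroup
    remain_active: Optional[float] = None
    switch_back: Optional[float] = None
    serving_master: bool = True

    def __post_init__(self) -> None:
        if (self.remain_active is None) != (self.switch_back is None):
            raise ValueError("set both thresholds or neither")
        # Sanity check added here (not stated on the page): a switch-back threshold
        # below the remain-active threshold would make the groups flap.
        if self.remain_active is not None and self.switch_back < self.remain_active:
            raise ValueError("switch-back threshold must not be below remain-active threshold")

    def evaluate(self) -> ServerGroup:
        """Re-evaluate after health changes; return the group that now serves requests."""
        pct = self.master.active_percent()
        if self.remain_active is None:
            if self.serving_master and not self.master.has_active():
                self.serving_master = False
            elif not self.serving_master and self.master.has_active():
                self.serving_master = True
        elif self.serving_master:
            if pct <= self.remain_active and self.backup.has_active():
                self.serving_master = False
        elif pct > self.switch_back:
            self.serving_master = True
        return self.master if self.serving_master else self.backup
```

Call evaluate() after every probe result changes a server's state; the object keeps track of which group is currently serving, so the hysteresis between the two thresholds is preserved across calls.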

Firewall Load Balancing

A firewall guards the network, but it has to inspect every packet, so its forwarding performance is limited and it easily becomes the bottleneck of the network. Replacing the existing devices with higher-performance ones wastes resources, and as the service volume grows the devices have to be replaced again and again at high cost. Firewall load balancing treats firewalls as servers and places them in a firewall group. It then distributes network traffic among the firewalls in the group by using a dynamic load balancing algorithm. This reduces the load on each firewall and improves the reliability of the firewall function. Unlike server load balancing, firewall load balancing applies to bidirectional traffic: both directions of a session must pass through the same firewall, because a firewall keeps per-session state and can only evaluate a session correctly when it forwards both the request and the response. Figure 7-4 shows the typical networking of firewall load balancing.
Figure 7-4 Typical networking of firewall load balancing (Host A - IP network - Switch A - Firewall A / Firewall B - Switch B - IP network - Host B)

As shown in Figure 7-4, Switch A and Switch B function as load balancing devices and are responsible for allocating user request traffic to multiple firewalls. Load balancing devices are classified into level-1 and level-2 load balancing devices. The level-1 load balancing device distributes traffic among the firewalls, and the level-2 load balancing device ensures that the inbound and outbound traffic of a session traverses the same firewall. In Figure 7-4, for traffic sent from Host A to Host B, Switch A is the level-1 load balancing device and Switch B is the level-2 load balancing device; for traffic sent from Host B to Host A, Switch B is the level-1 load balancing device and Switch A is the level-2 load balancing device. The firewall load balancing process is as follows:
1. Host A sends a request to Host B.
2. After receiving the request packet from Host A, Switch A selects a firewall (assume Firewall A) according to the load balancing algorithm and forwards the request packet to Firewall A.
3. Firewall A forwards the request packet to Switch B.
4. As the level-2 load balancing device, Switch B records the firewall that forwarded the request packet and forwards the request packet to the destination (Host B in Figure 7-4).
5. After receiving the response packet from Host B, Switch B forwards the response packet to Firewall A according to the record.
6. Firewall A forwards the response packet to Switch A, and Switch A returns the response packet to Host A.
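The six-step exchange above, as an added Python model that is not Huawei code: a level-1 device hashes the flow to a firewall, the level-2 device records which firewall delivered the request and returns the reply through the same one, and a stateful firewall drops a reply whose request it never saw. The hosts, flows, hash function and names are constructed for illustration; the hash stands in for the address-based hash algorithm and is not the SPU's implementation.

```python
"""Bidirectional firewall load balancing with level-1 and level-2 devices.

Added example, not Huawei code: it walks the six-step exchange in the text.
The level-1 device picks a firewall for a new request, the level-2 device
records which firewall delivered it and sends the reply back through the
same firewall, so the stateful firewall sees both directions of the
session.  Firewall selection is an address hash; hosts, flows and names
are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport, proto = flow
    return (dst, dport, src, sport, proto)


class Firewall:
    """Stateful firewall: a reply is passed only if the request was seen here."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Set[Flow] = set()
        self.dropped: List[Flow] = []

    def forward(self, flow: Flow, is_reply: bool) -> bool:
        if not is_reply:
            self.sessions.add(flow)
            return True
        if reverse(flow) in self.sessions:
            return True
        self.dropped.append(flow)
        return False


class LBSwitch:
    """Load balancing device; level-1 role picks, level-2 role records and returns."""

    def __init__(self, name: str, firewalls: List[Firewall]) -> None:
        self.name = name
        self.firewalls = firewalls
        self.record: Dict[Flow, Firewall] = {}  # request flow -> firewall that delivered it

    def pick(self, flow: Flow) -> Firewall:
        # Level-1: hash on source and destination address, standing in for an
        # address-based hash algorithm (not the SPU's own hash).
        key = f"{flow[0]}|{flow[2]}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.firewalls)
        return self.firewalls[idx]

    def note(self, flow: Flow, fw: Firewall) -> None:
        # Level-2: remember which firewall this request arrived from.
        self.record[flow] = fw

    def return_path(self, reply: Flow) -> Firewall:
        # Level-2: the reply must go back through the recorded firewall.
        return self.record[reverse(reply)]


def session(request: Flow, level1: LBSwitch, level2: LBSwitch) -> Tuple[str, bool]:
    """Run request and reply through the devices; return (firewall used, reply delivered)."""
    fw = level1.pick(request)                       # steps 1-2: Switch A selects a firewall
    fw.forward(request, is_reply=False)             # step 3: the firewall sees the request
    level2.note(request, fw)                        # step 4: Switch B records the firewall
    reply = reverse(request)                        # Host B answers
    back = level2.return_path(reply)                # step 5: Switch B uses the record
    delivered = back.forward(reply, is_reply=True)  # step 6: same firewall, reply passes
    return fw.name, delivered


def session_without_record(request: Flow, level1: LBSwitch) -> bool:
    """What goes wrong without a level-2 record: the reply takes another firewall."""
    fw = level1.pick(request)
    fw.forward(request, is_reply=False)
    other = next(f for f in level1.firewalls if f is not fw)
    return other.forward(reverse(request), is_reply=True)
```

session_without_record() shows the failure the text guards against: a reply that reaches a firewall which never saw the request is dropped, which is why the level-2 device must pin the return path to the recorded firewall.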

According to the networking mode, firewalls are classified into standard firewalls and transparent firewalls.
- Each standard firewall, like a server, has an IP address and can be detected by other devices on the network, as shown in Figure 7-5.
  Figure 7-5 Networking of standard firewall load balancing (Host A - IP network - Switch A, VIP 10.10.10.1 - Firewall A, Firewall B - Switch B 10.10.11.1 - IP network - Host B; other addresses in the figure: 10.10.10.2, 10.10.11.2)
- Transparent firewalls have no IP addresses and cannot be detected by other devices on the network. They are connected between the level-1 and level-2 load balancing devices, as shown in Figure 7-6.
  Figure 7-6 Networking of transparent firewall load balancing (Host A - IP network - Switch A, VIP 10.10.10.1 - Firewall A, Firewall B - Switch B 10.10.11.1 - IP network - Host B; other addresses in the figure: 10.10.20.1, 10.10.21.1)

In actual applications, firewall load balancing is used together with server load balancing. Figure 7-7 shows the typical networking for combining the two.
Figure 7-7 Networking for combining firewall load balancing and server load balancing (Host A - IP network - Switch A - Firewall A, Firewall B - Switch B, VIP - Server A IPA, Server B IPB, Server C IPC)


The process of combined load balancing is actually the combination of firewall load balancing and server load balancing. The combined load balancing prevents the firewalls from being the bottleneck on the network and improves the performance and availability of network services such as HTTP.

7.3 Configuring Egress Link Load Balancing


On a network with multiple ISP egresses, you can configure egress link load balancing so that the egress link is selected dynamically and the reliability of services is improved.
7.3.1 Establishing the Configuration Task
Before configuring egress link load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.
7.3.2 (Optional) Configuring a NAT Address Pool
To ensure that response packets still pass through the SPU when user requests leave through the links of different ISPs, you need to configure a NAT address pool for translating source addresses.
7.3.3 (Optional) Configuring Link Health Detection
In egress link load balancing, the SPU needs to detect the link status so that it can decide whether to use a link when making load balancing decisions.
7.3.4 Configuring a Link
This section describes how to create a link and set link parameters, including the IP address of the gateway corresponding to the link, connection quantity limit, bandwidth limit, bandwidth threshold, weight, and priority.
7.3.5 Configuring a Link Group
This section describes how to create a link group to bind links and set parameters of the link group, including the probe, load balancing algorithm, and packet forwarding mode.
7.3.6 Configuring a Layer 7 Classifier
This section describes how to create a Layer 7 classifier and configure a matching rule.
7.3.7 Configuring a Load Balancing Action
This section describes how to create a load balancing action profile and specify an action.
7.3.8 Configuring an ACL
This section describes how to configure an ACL to identify the traffic of various services.
7.3.9 (Optional) Configuring a Connection Parameter Profile
This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.
7.3.10 Configuring a Layer 3 Classifier
This section describes how to create a Layer 3 classifier and configure a matching rule.
7.3.11 Configuring a Load Balancing Policy
This section describes how to create a load balancing policy and bind the Layer 3 classifier to it.
7.3.12 Applying the Load Balancing Policy
A load balancing policy takes effect only after it is applied.
7.3.13 Checking the Configuration
After egress link load balancing is configured, check whether the configurations are correct and valid.

7.3.1 Establishing the Configuration Task


Before configuring egress link load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
On a network where an enterprise leases two or more ISP egresses through which users on the enterprise private network access the public network, you can configure egress link load balancing. When an enterprise user accesses the external network, the SPU selects a link according to the priorities, weights, or bandwidths of the egress links. In this way the egress links are used evenly, the reliability risk of a single egress failure is avoided, and network access problems caused by insufficient bandwidth on one link are solved.

Pre-configuration Tasks
Before configuring egress link load balancing, complete the following tasks:
- Setting link layer parameters for the interfaces and ensuring that the link layer protocol on the interfaces is Up
- Setting network layer parameters for the interfaces and ensuring that the routes between devices are reachable
- Completing the tasks in 2 SPU Pre-Configuration

Data Preparation
To configure egress link load balancing, you need the following data.
No. Data
1 (Optional) NAT address pool index and network segment
2 Name, type, and related parameters of the probe
3 Name and related parameters of the link, including the description (optional), ISP gateway IP address, priority (optional), weight (optional), and bandwidth (optional)
4 Name and parameters of the link group, including the description, load balancing algorithm, forwarding mode, action performed when a member fails, threshold for switching services from the master group to the backup group, probe bound to the link group, members, and NAT address pool index of each member instance
5 Parameters of the Layer 7 classifier, including the classifier name and matching rule
6 Name and parameters of the load balancing action profile, including the description and action
7 Parameters of the advanced ACL, including the ACL number and matching rules
8 Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
9 (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
10 Parameters of the load balancing policy, including the load balancing policy name and the Layer 3 classifier bound to the policy
11 Object to which the load balancing policy is applied (type and number of an interface)

7.3.2 (Optional) Configuring a NAT Address Pool

To ensure that response packets still pass through the SPU when user requests leave through the links of different ISPs, you need to configure a NAT address pool for translating source addresses. Translating the source address of outgoing traffic to an address that belongs to the SPU side of the selected link makes the responses return over that link and through the SPU.

Context
The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  nat address-group group-index start-address end-address
A NAT address pool is configured. Up to 1024 NAT address pools can be configured. By default, no NAT address pool is configured.
The IP address of the outbound interface must be different from every IP address in a NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy applied on that outbound interface:
- If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool.
- After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if you try to assign the outbound interface an IP address that is in the NAT address pool, the system displays a message that the IP address cannot be set.
----End
7.3.3 (Optional) Configuring Link Health Detection


In egress link load balancing, the SPU needs to detect the link status so that it can decide whether to use a link when making load balancing decisions.

Context
In egress link load balancing, the SPU detects the link status through an ICMP probe. The ICMP probe sends ICMP Echo Request packets to the ISP gateway at the probing interval. When a link group is bound to only one probe, the health status of a link member is determined as follows:
- If the link member is in the Down state, the probe sends probing packets at the interval specified by fail-interval interval. If the probe receives responses from the ISP gateway for the number of consecutive times specified by fail-retrycount times, each within the timeout interval, it marks the link member Up. Otherwise, the link member remains Down.
- If the link member is in the Up state, the probe sends probing packets at the interval specified by interval interval. If the probe receives no response from the ISP gateway within the timeout interval for the number of consecutive times specified by retry-count times, it marks the link member Down. Otherwise, the link member remains Up.
When a link group is bound to multiple probes, the health status of a link member is determined as follows:
- In fail-on-all mode, the link member is considered Down only when all the probes bound to the link group detect it as Down.
- In fail-on-one mode, the link member is considered Down as soon as any one probe bound to the link group detects it as Down.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  load-balance ip interface interface-type interface-number
The IP address of the specified interface is used as the source IP address of the probing packets. The interface can be an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface.
NOTE
- The load-balance ip interface command accepts only an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface that has already been created.
- A probe does not send probing packets if the specified interface is not configured with an IP address.
Step 3 Run:
  load-balance probe probe-name icmp
An ICMP probe is created and the ICMP probe view is displayed. When creating a probe, you must specify the probe type; when entering the view of an existing probe, you may omit it. Up to 1024 probes can be created. By default, no ICMP probe is configured.
Step 4 (Optional) Run:
  description description
The description of the probe is configured. By default, a probe has no description.
Step 5 (Optional) Run:
  interval interval
The probing interval is set. It is the interval at which probing packets are sent to detect the health status of a link while the link is Up, and it must be greater than the timeout interval of the probe. By default, the probing interval is 15s.
Step 6 (Optional) Run:
  time-out time-out
The timeout interval of the probe is set. It must be smaller than both the probing interval and the interval at which a Down link member is probed (fail-interval). By default, the timeout interval is 10s.
Step 7 (Optional) Run:
  retry-count times
The number of consecutive failed probes after which an Up link member is marked Down is set. By default, the retry count is 3.
Step 8 (Optional) Run:
  fail-interval interval
The interval at which a Down link member is probed is set. After a link fails, the SPU sends probing packets at this interval to detect link recovery. This interval must be greater than the timeout interval of the probe. By default, it is 60s.
Step 9 (Optional) Run:
  fail-retrycount times
The number of consecutive successful probes after which a Down link member is marked Up again is set. By default, it is 3.
----End
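The state machine described in the Context above, with the defaults from Steps 5 to 9, as an added Python model that is not Huawei code: an Up member goes Down after retry-count consecutive misses, a Down member comes back after fail-retrycount consecutive replies, and several probes on one link group are combined in fail-on-one or fail-on-all mode. Probe results are fed in as booleans rather than sending ICMP packets, the class and function names are illustrative, and validate() enforces only the two ordering constraints the command descriptions state (time-out smaller than interval and than fail-interval).

```python
"""ICMP probe health state machine for a link member.

Added example, not Huawei code.  Up members are probed every `interval`
seconds and go Down after `retry_count` consecutive missed replies; Down
members are probed every `fail_interval` seconds and come back Up after
`fail_retrycount` consecutive replies.  Several probes bound to one link
group are combined with fail-on-one or fail-on-all.  Probe results are
fed in as booleans instead of sending real ICMP Echo Requests.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProbeConfig:
    interval: int = 15          # s, probing interval while the member is Up
    time_out: int = 10          # s, how long to wait for an Echo Reply
    retry_count: int = 3        # consecutive misses that take an Up member Down
    fail_interval: int = 60     # s, probing interval while the member is Down
    fail_retrycount: int = 3    # consecutive replies that bring a Down member Up

    def validate(self) -> None:
        # Constraints stated in the command descriptions.
        if not self.time_out < self.interval:
            raise ValueError("time-out must be smaller than interval")
        if not self.time_out < self.fail_interval:
            raise ValueError("time-out must be smaller than fail-interval")


class ProbeState:
    """Health of one link member as seen by one probe."""

    def __init__(self, cfg: ProbeConfig, up: bool = True) -> None:
        cfg.validate()
        self.cfg, self.up, self.streak = cfg, up, 0

    def next_probe_in(self) -> int:
        """Seconds until the next probing packet, depending on the current state."""
        return self.cfg.interval if self.up else self.cfg.fail_interval

    def observe(self, replied: bool) -> bool:
        """Feed one probe result (True = reply within time-out); return the new state."""
        if self.up:
            self.streak = 0 if replied else self.streak + 1
            if self.streak >= self.cfg.retry_count:
                self.up, self.streak = False, 0
        else:
            self.streak = self.streak + 1 if replied else 0
            if self.streak >= self.cfg.fail_retrycount:
                self.up, self.streak = True, 0
        return self.up


def member_up(probes: Iterable[ProbeState], mode: str = "fail-on-one") -> bool:
    """Combine the probes bound to a link group (the default mode is fail-on-one)."""
    ups = [p.up for p in probes]
    if mode == "fail-on-one":
        return all(ups)   # one Down probe marks the member Down
    if mode == "fail-on-all":
        return any(ups)   # Down only when every probe says Down
    raise ValueError(f"unknown probe mode {mode!r}")


def simulate(cfg: ProbeConfig, results: Iterable[bool], start_up: bool = True) -> List[bool]:
    """Return the member state after each probe result, to show the hysteresis."""
    state = ProbeState(cfg, start_up)
    return [state.observe(r) for r in results]
```

A single reply resets the miss streak of an Up member, and a single miss resets the reply streak of a Down member, so a flapping gateway keeps a link in its current state until the configured number of consecutive results is reached in one direction.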

7.3.4 Configuring a Link


This section describes how to create a link and set link parameters, including the IP address of the gateway corresponding to the link, connection quantity limit, bandwidth limit, bandwidth threshold, weight, and priority.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  load-balance member member-name
A link is created and the load balancing member view is displayed. Up to 1024 links can be created. By default, no link is configured.
Step 3 (Optional) Run:
  description text
The description of the link is configured. By default, a link has no description.
Step 4 Run:
  ip address ip-address
The IP address of the ISP gateway corresponding to the link is set. By default, it is not set.
Step 5 (Optional) Run:
  rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, the bandwidth threshold for accepting new traffic, and the connection rate limit of the link are set. After selecting a link through the load balancing algorithm, the system compares the bandwidth in use and the connection rate with the bandwidth limit and the connection rate limit. If either limit is reached, the system does not select the link. By default, the connection rate of a link is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.
Step 6 (Optional) Run:
  priority level
The priority of the link is set. A greater value of level means a higher priority, so the link is selected with greater probability. By default, the priority of a link is 8.
Step 7 (Optional) Run:
  weight weight-value
The weight of the link is set. By default, the weight of a link is 8.
----End

7.3.5 Configuring a Link Group


This section describes how to create a link group to bind links and set parameters of the link group, including the probe, load balancing algorithm, and packet forwarding mode.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  load-balance group group-name
A link group is created and the link group view is displayed. Up to 1024 load balancing groups can be created, counting link groups, server groups, and firewall groups together. By default, no link group is configured.
Step 3 Run:
  probe probe-name
A probe is bound to the link group. By default, a link group is not bound to any probe. Before running this command, you must run the load-balance probe probe-name [ icmp | tcp | udp | http ] command to create the probe.
Step 4 Run:
  probe-mode { fail-on-all | fail-on-one }
The probe mode is set. By default, the probe mode is fail-on-one. In fail-on-one mode, the S9300 considers a link invalid as soon as one probe detects that the link is Down. In fail-on-all mode, the S9300 considers a link invalid only when all the probes detect that the link is Down.
Step 5 Run:
  forward-mode redirect
The packet forwarding mode is set to redirection. In egress link load balancing, the packet forwarding mode must be redirection. In redirection mode, the SPU forwards internal enterprise user traffic out of the device egress that corresponds to the gateway of the selected link.
Step 6 (Optional) Run:
  load-balance method { { hash address { destination | source | both } [ netmask ] } | { hash url [ begin-pattern expression1 ] [ end-pattern expression2 ] } | leastconns | roundrobin }
The load balancing algorithm is set. By default, the SPU uses the WRR algorithm.
NOTE
In egress link load balancing, only the WRR algorithm (roundrobin), the least connection algorithm (leastconns), and the hash algorithm based on the IP address (hash address) are supported.
Step 7 Run:
  member member-name
A link is added to the link group and the link instance view is displayed.
Step 8 (Optional) Run:
  member port port-number
The port number of the load balancing member instance is configured. By default, no port number is configured. The port number cannot be configured while the member instance is in the inservice or inservice standby state.
Step 9 (Optional) Run:
  rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }
The bandwidth limit, the bandwidth threshold for accepting new traffic, and the connection rate limit of the link instance are set. When these values are set on both a link instance and its link, both take effect. For example, the bandwidth limit of a link is 200 kbit/s, and link instance A and link instance B are configured on that link with bandwidth limits of 200 kbit/s and 100 kbit/s respectively. When selecting a link, the S9300 checks the limit of the link instance and the limit of the link: link instance B may carry at most 100 kbit/s, and the total bandwidth of link instance A and link instance B cannot exceed the 200 kbit/s of the link. By default, the connection rate of a link instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.
Step 10 (Optional) Run:
  priority level
The priority of the link instance is set. When priorities are set on both a link instance and its link, the priority of the link instance takes effect. If the priority of the link instance is not set, the SPU uses the priority of the link; if that is not set either, the SPU uses the default value. By default, the priority of a link instance is 8.
NOTE
The link priority is valid only for the WRR algorithm and the least connection algorithm.
Step 11 (Optional) Run:
  weight weight-value
The weight of the link instance is set. When weights are set on both a link instance and its link, the weight of the link instance takes effect. If the weight of the link instance is not set, the SPU uses the weight of the link; if that is not set either, the SPU uses the default value. By default, the weight of a link instance is 8.
NOTE
The weight is valid only for the WRR algorithm and the least connection algorithm.
Step 12 (Optional) Run:
  nat outbound address-group group-index [ no-pat ]
A NAT address pool is bound to the link instance for translating source IP addresses. no-pat means that port address translation (PAT) is not performed: only the IP address of a packet is translated, not the port number. When source address translation is enabled in both a link instance and the Layer 3 classifier, the setting in the link instance takes effect. By default, source address translation is disabled in a link instance.
Step 13 Run:
  inservice
The link instance is put into service.
----End
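The precedence and admission rules of Steps 9 to 12, as an added Python model that is not Huawei code: instance values override link values and fall back to the default of 8, an instance's NAT pool overrides the Layer 3 classifier's, and a link is passed over when either the instance's or the link's bandwidth threshold or connection limit is reached (the 200/100 kbit/s case from Step 9 is used as sample data). The page says only that a higher priority makes a link more likely to be selected; treating priority as a strict tier above the weighted round robin, and the smooth WRR itself, are this example's assumptions, not the SPU's documented algorithm. Class and function names are illustrative.

```python
"""Link and link-instance parameters in an egress link group.

Added example, not Huawei code: it encodes the precedence and admission
rules in Steps 9 to 12.  A link instance's priority, weight and NAT pool
override the link's (the NAT pool also overrides the Layer 3 classifier's),
unset values fall back to the link and then to the default of 8, and a link
is skipped when either the instance's or the link's bandwidth threshold or
connection limit is reached.  Priority as a strict tier above the weighted
round robin is this example's assumption; the page only says a higher
priority makes selection more likely.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PRIORITY = 8
DEFAULT_WEIGHT = 8
DEFAULT_BANDWIDTH_KBPS = 1_000_000  # default inbound/outbound bandwidth limit
DEFAULT_THRESHOLD_PCT = 100         # default bandwidth threshold for new traffic


def first_set(*values):
    """Return the first value that is configured (not None)."""
    for value in values:
        if value is not None:
            return value
    return None


@dataclass
class RateLimit:
    bandwidth_kbps: int = DEFAULT_BANDWIDTH_KBPS
    threshold_pct: int = DEFAULT_THRESHOLD_PCT
    connection_limit: Optional[int] = None  # None: connections not limited

    def admits(self, used_kbps: int, connections: int) -> bool:
        """New traffic is accepted only below bandwidth*threshold and below the connection limit."""
        if used_kbps >= self.bandwidth_kbps * self.threshold_pct / 100:
            return False
        return self.connection_limit is None or connections < self.connection_limit


@dataclass
class Link:
    """load-balance member: one ISP link, identified by its gateway address."""
    name: str
    gateway: str
    priority: Optional[int] = None
    weight: Optional[int] = None
    outbound: RateLimit = field(default_factory=RateLimit)
    used_kbps: int = 0       # totals over all instances of this link
    connections: int = 0


@dataclass
class LinkInstance:
    """member inside a link group, with its own optional overrides."""
    link: Link
    priority: Optional[int] = None
    weight: Optional[int] = None
    outbound: RateLimit = field(default_factory=RateLimit)
    nat_group: Optional[int] = None   # nat outbound address-group in the instance
    used_kbps: int = 0
    connections: int = 0
    inservice: bool = True

    def effective_priority(self) -> int:
        return first_set(self.priority, self.link.priority, DEFAULT_PRIORITY)

    def effective_weight(self) -> int:
        return first_set(self.weight, self.link.weight, DEFAULT_WEIGHT)

    def effective_nat_group(self, classifier_nat_group: Optional[int]) -> Optional[int]:
        return first_set(self.nat_group, classifier_nat_group)

    def admits_new_flow(self) -> bool:
        # Both the instance's own limits and the link's totals must leave room.
        return (self.inservice
                and self.outbound.admits(self.used_kbps, self.connections)
                and self.link.outbound.admits(self.link.used_kbps, self.link.connections))


def weighted_round_robin(instances: List[LinkInstance], rounds: int) -> List[str]:
    """Smooth WRR over the admissible instances of the highest priority tier (assumption)."""
    eligible = [inst for inst in instances if inst.admits_new_flow()]
    if not eligible:
        return []
    top = max(inst.effective_priority() for inst in eligible)
    pool = [inst for inst in eligible if inst.effective_priority() == top]
    weights = [inst.effective_weight() for inst in pool]
    total, current, chosen = sum(weights), [0] * len(pool), []
    for _ in range(rounds):
        for i, w in enumerate(weights):
            current[i] += w
        best = max(range(len(pool)), key=lambda i: current[i])
        current[best] -= total
        chosen.append(pool[best].link.name)
    return chosen
```

The admission check is evaluated per new flow after the algorithm has picked a candidate, which matches the order described in Step 5 of 7.3.4: select first, then compare usage against the limits and skip the link if either limit has been reached.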

7.3.6 Configuring a Layer 7 Classifier


This section describes how to create a Layer 7 classifier and configure a matching rule.

Context
On the SPU, Layer 7 classification indicates that packets are classified based on URLs of Layer 7 services. In egress link load balancing, the matching rule of a Layer 7 classifier must be set to any.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  load-balance l7classifier l7classifier-name [ and | or ]
A Layer 7 classifier is created and the Layer 7 classifier view is displayed. By default, no Layer 7 classifier is configured. If neither and nor or is specified when the classifier is created, the default matching mode is and. In egress link load balancing, the matching rule of a Layer 7 classifier can only be match any, so every packet matches regardless of whether the matching mode is and or or.
NOTE
When entering the Layer 7 classifier view, you may specify and or or; the specified matching mode must be the same as the one used when the Layer 7 classifier was created.
Step 3 (Optional) Run:
  match any
The matching rule of the Layer 7 classifier is set to any, that is, every packet matches. After the matching rule is set to any, the load balanced traffic is processed at Layer 3 and Layer 4 only, so the load balancing algorithms for Layer 7 services, including the hash algorithm based on the URL, cannot be configured. By default, the matching rule of a Layer 7 classifier is any.
----End

7.3.7 Configuring a Load Balancing Action


This section describes how to create a load balancing action profile and specify an action.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  load-balance action action-name
A load balancing action profile is created and the load balancing action profile view is displayed.
Step 3 Run one of the following commands as required:
- Run:
    drop
  The action is set to drop.
- Run:
    forward
  The action is set to forward.
- Run:
    group master-group-name [ backup backup-group-name ]
  The action is set to load balancing among the members of the specified master group, with an optional backup group.
- Run:
    stickygroup stickygroup-name
  The action is set to the sticky operation.
By default, the action is forward.
----End

7.3.8 Configuring an ACL


This section describes how to configure an ACL to identify the traffic of various services.

Context
In egress link load balancing, the SPU can use only the source IP address, destination IP address, protocol type, source port number and destination port number to define ACL rules.

Procedure
Step 1 Run:
  system-view
The system view is displayed.
Step 2 Run:
  acl [ number ] acl-number [ match-order { config | auto } ]
An ACL is created and the ACL view is displayed. In egress link load balancing, the value of acl-number ranges from 3000 to 3999, that is, advanced ACLs are used. A Layer 3 classifier can be bound to only one ACL; if an ACL is bound repeatedly, the latest one takes effect. By default, no ACL is created.
Step 3 (Optional) Run:
  step step-value
The step between ACL rule IDs is set. By default, the step is 5.
Step 4 Run one of the following commands as required:
- When the protocol is the Internet Control Message Protocol (ICMP):
    rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
    undo rule rule-id
- When the protocol is the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP):
    rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *
    undo rule rule-id
- When the protocol is a protocol other than TCP, UDP, or ICMP:
    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
    undo rule rule-id
By default, no rule is defined in an ACL. As noted in the Context, egress link load balancing evaluates only the source IP address, destination IP address, protocol type, source port number, and destination port number of a rule.
----End

7.3.9 (Optional) Configuring a Connection Parameter Profile


This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

Context
To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, you need to set the aging time so that TCP or UDP traffic forwarding entries that have been idle for a long time are periodically aged out.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance parameter connection profile-name

A connection parameter profile is created and the connection parameter profile view is displayed. Up to 1024 connection parameter profiles can be created. By default, no connection parameter profile is created.

Step 3 Run:
tcp aging-time aging-time

The aging time of the TCP traffic forwarding table is set. By default, the aging time of the TCP traffic forwarding table is 3600s.

Step 4 Run:
udp aging-time aging-time

The aging time of the UDP traffic forwarding table is set. By default, the aging time of the UDP traffic forwarding table is 120s.

----End
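The behaviour this profile controls, as an added example that is not part of the guide or of Huawei's software: a forwarding table keyed by 5-tuple, with the per-protocol aging times of the profile (defaults 3600 s for TCP and 120 s for UDP). An entry idle longer than its aging time is removed, and a new flow is refused only when the table is still full after aging, which is the exhaustion the text warns about. The table capacity and the flows are constructed.

```python
# Added example (not from the Huawei guide): an idle-time aged TCP/UDP forwarding
# table, the behaviour a connection parameter profile controls. Per-protocol aging
# times default to the values given above (TCP 3600 s, UDP 120 s); an entry that
# has been idle longer than its aging time is removed, and a new flow is only
# refused when the table is still full after aging. Capacity and flows are constructed.
from dataclasses import dataclass, field
from typing import Dict, Tuple

TCP, UDP = 6, 17
FlowKey = Tuple[str, str, int, int, int]   # (src, dst, sport, dport, protocol)


@dataclass
class ConnectionProfile:
    name: str
    tcp_aging_time: int = 3600   # "tcp aging-time" default
    udp_aging_time: int = 120    # "udp aging-time" default

    def aging_time(self, protocol: int) -> int:
        if protocol == TCP:
            return self.tcp_aging_time
        if protocol == UDP:
            return self.udp_aging_time
        raise ValueError("the profile only covers TCP and UDP flows")


@dataclass
class ForwardingTable:
    profile: ConnectionProfile
    capacity: int                                       # table size (constructed)
    last_seen: Dict[FlowKey, float] = field(default_factory=dict)
    refused: int = 0                                    # new flows dropped because the table was full

    def age(self, now: float) -> int:
        """Remove entries idle longer than their protocol's aging time; return how many went."""
        expired = [k for k, seen in self.last_seen.items()
                   if now - seen > self.profile.aging_time(k[4])]
        for k in expired:
            del self.last_seen[k]
        return len(expired)

    def touch(self, key: FlowKey, now: float) -> bool:
        """Account one packet of `key` at time `now`. Returns True if the flow has a table entry."""
        if key in self.last_seen:
            self.last_seen[key] = now          # refresh the idle timer
            return True
        if len(self.last_seen) >= self.capacity:
            self.age(now)                      # reclaim dead flows before refusing
        if len(self.last_seen) >= self.capacity:
            self.refused += 1                  # exhaustion: what aging is there to prevent
            return False
        self.last_seen[key] = now
        return True

    def idle_seconds(self, key: FlowKey, now: float) -> float:
        return now - self.last_seen[key]
```

A short TCP aging time frees entries quickly but also drops long-lived idle sessions, so the value is a trade-off between table capacity and the idle periods legitimate connections need to survive.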
7.3.10 Configuring a Layer 3 Classifier


This section describes how to create a Layer 3 classifier and configure a matching rule.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance l3classifier l3classifier-name

A Layer 3 classifier is created and the Layer 3 classifier view is displayed. By default, no Layer 3 classifier is created.

Step 3 Run:
if-match acl acl-number

An ACL is bound to the Layer 3 classifier. A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run multiple times in the same Layer 3 classifier view, the latest configuration takes effect. By default, no ACL is bound to a Layer 3 classifier.

Step 4 Run:
l7classifier l7classifier-name action action-name

The Layer 7 classifier and action are bound to the Layer 3 classifier. The SPU first matches packets against the ACL in the Layer 3 classifier, and then against the rule in the Layer 7 classifier. By default, a Layer 3 classifier is not bound to any Layer 7 classifier or action.

Step 5 (Optional) Run:
icmp-reply

The SPU is configured to respond to ping requests of users. In egress link load balancing, if the SPU is required to respond to ping requests of users, you need to use the icmp-reply command.

NOTE
• If the SPU is required to respond to ping requests of users, the ping request packets of users must match the ACL in the Layer 3 classifier.
• If the source and destination IP addresses in the ACL of the Layer 3 classifier are both set to any, the SPU responds to every ping request of users. In this case, the ACL has no filtering effect. Therefore, configure the ACL in a Layer 3 classifier with caution.

By default, the SPU does not respond to ping requests of users.

Step 6 (Optional) Run:
parameter connection profile-name

A connection parameter profile is bound to the Layer 3 classifier. A connection parameter profile can be bound to one or more Layer 3 classifiers. By default, no connection parameter profile is bound to a Layer 3 classifier.

Step 7 (Optional) Run:
nat outbound address-group number [ no-pat ]

An NAT address pool is bound to the Layer 3 classifier. no-pat indicates that PAT is not performed. That is, only the source IP address of packets is translated through NAT; the source port number is not translated. An NAT address pool takes effect only after being bound to a Layer 3 classifier or a link instance. If an NAT address pool is bound to both a Layer 3 classifier and a link instance, the NAT address pool bound to the link instance takes effect. An NAT address pool can be bound to multiple Layer 3 classifiers, but the same processing mode must be used for all of them. That is, if an NAT address pool is bound to a Layer 3 classifier in no-pat mode, other Layer 3 classifiers must be bound to the NAT address pool in no-pat mode rather than in pat mode. By default, no NAT address pool is bound to a Layer 3 classifier.

----End

7.3.11 Configuring a Load Balancing Policy


This section describes how to create a load balancing policy, and bind the Layer 3 classifier to the load balancing policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance policy policy-name

A load balancing policy is created and the load balancing policy view is displayed. Up to 1024 load balancing policies can be created. By default, no load balancing policy is configured.

Step 3 Run:
l3classifier l3classifier-name

A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications. By default, no Layer 3 classifier is bound to a load balancing policy.

----End
7.3.12 Applying the Load Balancing Policy


A load balancing policy takes effect only after being applied.

Context
A load balancing policy can be applied to only XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number.subnumber

The sub-interface view is displayed.

Step 3 Run:
service load-balance policy policy-name

The load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface. After the load balancing policy is applied, the SPU takes the actions defined in the load balancing policy for the VLAN packets on the sub-interface that match the Layer 3 classifier bound to the policy. By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.

Step 4 (Optional) Run:
service load-balance arp-response nat address-group group-index

The NAT address pool is enabled to respond to ARP requests on the sub-interface. By default, an NAT address pool is not enabled to respond to ARP requests on a sub-interface. When the NAT address pool is used for source IP address translation and the IP address of the outbound interface of the SPU is in the same network segment as any IP address of the NAT address pool, you need to run the service load-balance arp-response nat address-group group-index command on the outbound interface. If this command is not run on the outbound sub-interface, the NAT address pool cannot respond to ARP requests on that sub-interface. Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.

----End

7.3.13 Checking the Configuration


After egress link load balancing is configured successfully, check whether the configurations are correct and valid.
Procedure
• Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.
• Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.
• Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.
• Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.
• Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.
• Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.
• Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.
• Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.
• Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.
• Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.

----End

7.4 Configuring Server Load Balancing


In networks where multiple servers are deployed, such as a data center, you can configure server load balancing to distribute network services among multiple servers for processing. In this manner, the service processing capabilities of the servers are improved.

7.4.1 Establishing the Configuration Task
Before configuring server load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

7.4.2 (Optional) Configuring an NAT Address Pool
To ensure that response packets still pass through the SPU when user requests pass through links of different ISPs, you need to configure an NAT address pool for translating source addresses through NAT.

7.4.3 (Optional) Configuring Server Health Detection
In server load balancing, the SPU needs to detect the health status of each server so that it can determine whether to select the server when making load balancing decisions.

7.4.4 Configuring a Server
This section describes how to set the IP address and related parameters for each server on the SPU so that the SPU can communicate with each server.

7.4.5 Configuring a Server Group
This section describes how to create a server group and set related parameters. This makes configuration and management more convenient.

7.4.6 (Optional) Configuring Session Stickiness
Session stickiness indicates that multiple connections of a session are directed to the same server in a specified period. In this case, the SPU does not make load balancing decisions.

7.4.7 Configuring a Layer 7 Classifier
This section describes how to create a Layer 7 classifier and configure a matching rule.

7.4.8 Configuring a Load Balancing Action
This section describes how to create a load balancing action profile and specify an action.

7.4.9 Configuring an ACL
This section describes how to configure an ACL to identify the traffic of various services.

7.4.10 (Optional) Configuring a Connection Parameter Profile
This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

7.4.11 (Optional) Configuring an HTTP Parameter Profile
This section describes how to configure an HTTP parameter profile and set related parameters for processing HTTP packets, including the maximum parsing length and the per-packet rebalance function.

7.4.12 Configuring a Layer 3 Classifier
This section describes how to create a Layer 3 classifier and configure a matching rule.

7.4.13 Configuring a Load Balancing Policy
This section describes how to create a load balancing policy, and bind the Layer 3 classifier to the load balancing policy.

7.4.14 Applying the Load Balancing Policy
A load balancing policy takes effect only after being applied.

7.4.15 Checking the Configuration
After egress link load balancing is configured successfully, check whether the configurations are correct and valid.

7.4.1 Establishing the Configuration Task


Before configuring server load balancing, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
In networking such as a data center, a server needs to process a large number of user requests. The processing capability of a single server is limited and is bound to become the bottleneck. By using server load balancing, you can properly distribute network services to multiple servers for processing. This reduces the burden on a single server, improves service processing capabilities, and ensures high reliability of services. To upgrade the network or improve server performance, you simply need to add servers to a server group, without changing the current network structure or stopping existing services.

Pre-configuration Tasks
Before configuring server load balancing, complete the following tasks:
• Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
• Setting network layer parameters for the interfaces and ensuring that the routes between devices are available
• Performing the task of 2 SPU Pre-Configuration

Data Preparation
To configure server load balancing, you need the following data.

No.  Data
1    (Optional) NAT address pool index and network segment
2    (Optional) Name, type, and related parameters of the probe
3    Name and related parameters of the server, including the description, server IP address, weight, and bandwidth
4    Name and related parameters of the server group, including the description, load balancing algorithm, forwarding mode, action when the server group fails, threshold for switching the master server group to the backup server group, bound probe, member, member instance port number, and NAT address pool index
5    (Optional) Name and related parameters of the sticky group, including the description, aging time, and static sticky entries
6    Related parameters of the Layer 7 classifier, including the classifier name and matching rule
7    Name and related parameters of the load balancing action profile, including the description and action
8    Related parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule
9    Related parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
10   (Optional) Name and related parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
11   (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the per-packet rebalance function
12   Related parameters of the load balancing policy, including the load balancing policy name and bound Layer 3 classifier
13   Object that the load balancing profile is applied to

7.4.2 (Optional) Configuring an NAT Address Pool


To ensure that response packets still pass through the SPU when user requests pass through links of different ISPs, you need to configure an NAT address pool for translating source addresses through NAT.
Context
The NAT address pool takes effect only when it is bound to a Layer 3 classifier or a load balancing member instance.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
nat address-group group-index start-address end-address

An NAT address pool is configured. Up to 1024 NAT address pools can be configured. By default, no NAT address pool is configured. The IP address of the outbound interface must be different from any IP address in the NAT address pool that is bound to the Layer 3 classifier referenced by the load balancing policy on the outbound interface.
• If the IP address of the outbound interface is the same as an IP address in the NAT address pool, the Layer 3 classifier or the load balancing instance cannot be bound to the NAT address pool.
• After the Layer 3 classifier or the load balancing instance is bound to the NAT address pool, if the IP address to be assigned to the outbound interface is the same as an IP address in the NAT address pool, the system displays a message that the IP address cannot be set.

----End

7.4.3 (Optional) Configuring Server Health Detection


In server load balancing, the SPU needs to detect the health status of each server so that it can determine whether to select the server when making load balancing decisions.

Context
When a server group is bound to only one probe, the health status of a server member is detected according to the following principles:
• If the server member is in Down state, the probe sends probing packets at intervals specified by fail-interval interval. If the probe receives response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times within the timeout interval, it marks the server member as Up. Otherwise, the server member remains in Down state.
• If the server member is in Up state, the probe sends probing packets at intervals specified by interval interval. If the probe does not receive response packets of the ISP gateway for the consecutive number of times specified by fail-retrycount times within the timeout interval, it marks the server member as Down. Otherwise, the server member remains in Up state.

When a server group is bound to multiple probes, the health status of a server member is detected according to the following principles:
• When the probe mode is fail-on-all, the server member is considered Down when all the probes bound to the server group detect that the server member is in Down state.
• When the probe mode is fail-on-one, the server member is considered Down when any probe bound to the server group detects that the server member is in Down state.

In server load balancing, the SPU supports ICMP, TCP, UDP, and HTTP probes.
• ICMP probe
An ICMP probe sends ICMP Echo Request packets to a server in a server group. If the SPU consecutively receives ICMP Reply packets from the server for the specified number of times in the specified period, it considers the probing successful and sets the server to Up. Otherwise, the SPU considers the probing failed and then determines whether to set the server to Down according to the probe mode set on the server group.
• TCP probe
A TCP probe initiates a request to establish a TCP connection to an interface of a server in a server group. If the SPU consecutively receives response packets from the server for the specified number of times in the specified period and the data carried in the response packets is the same as the expected response data, it considers the probing successful and sets the server to Up. If the SPU does not consecutively receive response packets from the server for the specified number of times in the specified period, or the data carried in the response packets is different from the expected response data, it considers the probing failed and then determines whether to set the server to Down according to the probe mode set on the server group.
• UDP probe
A UDP probe sends UDP request packets to an interface of a server in a server group. If the SPU consecutively receives ICMP Host Unreachable or Port Unreachable packets from the server for the specified number of times in the specified period, it considers the probing failed and determines whether to set the server to Down according to the probe mode set on the server group. If the SPU consecutively receives response packets from the server for the specified number of times in the specified period and the data carried in the response packets is the same as the expected response data, it considers the probing successful and sets the server to Up.
• HTTP probe
An HTTP probe establishes a TCP connection with an HTTP interface of a server in a server group, and then sends HTTP requests. If the SPU consecutively receives response packets from the server for the specified number of times and the returned status code is the same as the expected response data, it sets the server to Up. If the SPU does not consecutively receive response packets from the server for the specified number of times in the specified period, or the status code carried in the response packets is different from the expected response data, it considers the probing failed and then determines whether to set the server to Down according to the probe mode set on the server group.

NOTE
When the probe mode is AND, the SPU sets a server to Down only if the probing of all probes fails. When the probe mode is OR, the SPU sets a server to Down if the probing of any probe fails.
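The state machine described in this Context, together with the probe-mode combination and the switch-threshold/restore-threshold switching of 7.4.5, as one added Python example. It is not code from the guide or from Huawei. The parameter roles follow Steps 5 to 9 of the procedure below (retry-count governs the Up state, fail-retrycount governs recovery, time-out must stay below interval and fail-interval); the default values are the ones the procedure states; the class and function names are constructed for this example, as is the assumption that one probe result is either "valid reply within time-out" or "no valid reply".

```python
# Added example (not from the Huawei guide): probe health state machine, probe-mode
# aggregation and master/backup group switching. Names and the binary probe result
# are constructed; parameter roles and defaults follow Steps 5-9 of 7.4.3 and
# Steps 4 and 6 of 7.4.5.
from dataclasses import dataclass
from typing import List


@dataclass
class ProbeConfig:
    name: str
    interval: int = 15          # probing interval while the member is Up (default 15 s)
    time_out: int = 10          # time-out (default 10 s)
    retry_count: int = 3        # consecutive failures while Up before marking Down
    fail_interval: int = 60     # probing interval while the member is Down (default 60 s)
    fail_retrycount: int = 3    # consecutive successes while Down before marking Up

    def is_valid(self) -> bool:
        """Constraints stated in the text: time-out smaller than both interval and fail-interval."""
        return self.time_out < self.interval and self.time_out < self.fail_interval


@dataclass
class ProbeState:
    """Health of one member as seen by one probe."""
    cfg: ProbeConfig
    up: bool = True
    streak: int = 0             # consecutive failures while Up, consecutive successes while Down

    def next_interval(self) -> int:
        """How long until the next probing packet, per the member's current state."""
        return self.cfg.interval if self.up else self.cfg.fail_interval

    def observe(self, answered: bool) -> bool:
        """Feed one probe result (True = valid reply within time-out). Returns the new state."""
        if self.up:
            self.streak = 0 if answered else self.streak + 1
            if self.streak >= self.cfg.retry_count:
                self.up, self.streak = False, 0
        else:
            self.streak = self.streak + 1 if answered else 0
            if self.streak >= self.cfg.fail_retrycount:
                self.up, self.streak = True, 0
        return self.up


def member_up(states: List[ProbeState], probe_mode: str) -> bool:
    """Combine the probes bound to a server group (probe-mode of 7.4.5)."""
    if probe_mode == "fail-on-one":     # default: Down as soon as any probe reports Down
        return all(s.up for s in states)
    if probe_mode == "fail-on-all":     # Down only when every probe reports Down
        return any(s.up for s in states)
    raise ValueError(f"unknown probe mode {probe_mode!r}")


@dataclass
class GroupFailover:
    """switch-threshold percent1 / restore-threshold percent2 with hysteresis (7.4.5 Step 6)."""
    switch_threshold: int = 0    # percent1: switch to backup when active% <= this
    restore_threshold: int = 0   # percent2: return to master when active% > this
    on_backup: bool = False

    def update(self, member_status: List[bool]) -> bool:
        """Re-evaluate after a health change; True means traffic goes to the backup group."""
        active_pct = 100 * sum(member_status) / len(member_status)
        if not self.on_backup and active_pct <= self.switch_threshold:
            self.on_backup = True
        elif self.on_backup and active_pct > self.restore_threshold:
            self.on_backup = False
        return self.on_backup
```

Setting restore-threshold above switch-threshold gives the group hysteresis: a master group that has just lost enough servers to switch away does not flap back on the first recovered member, which is what the default 0/0 pair does.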

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance ip interface interface-type interface-number

The IP address of the specified interface is obtained and used as the source IP address of the probing packets of a probe. The interface can be an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface.

NOTE
• When running the load-balance ip interface command, you can specify only an XGE sub-interface, a loopback interface, or an Eth-Trunk sub-interface.
• A probe does not send probing packets if the specified interface is not configured with an IP address.

Step 3 Run:
load-balance probe probe-name [ http | icmp | udp | tcp ]

A probe is created or the probe view is displayed. When creating a probe, you must specify the probe type. When entering the view of an existing probe, you can omit the probe type. Up to 1024 probes can be created, including ICMP probes, TCP probes, UDP probes, and HTTP probes. By default, no probe is configured.

Step 4 (Optional) Run:
description description

The description of the probe is configured. By default, no description is configured for a probe.

Step 5 (Optional) Run:
interval interval

The probing interval of a probe is set. The probing interval is the interval at which the probe sends probing packets to detect the health status of a server. The probing interval of a probe must be greater than the timeout interval of the probe. By default, the probing interval of a probe is 15s.

Step 6 (Optional) Run:
time-out time-out

Issue 02 (2010-07-15)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

7-33

7 Load Balancing Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - SPU

The timeout interval of a probe is set. The timeout interval of a probe must be smaller than the probing interval of the probe and smaller than the interval for the probe to detect that a server member is Down.

NOTE
After a TCP connection is established, if packets of the TCP connection fail to be transmitted, the system uses the TCP retransmission mechanism. It is recommended that the timeout interval of TCP probes be greater than the timeout interval of TCP transmission. By default, the timeout interval of TCP transmission is 6s. If multiple probes are configured, it is recommended that the timeout interval of probes be greater than or equal to the default value.

By default, the timeout interval of a probe is 10s.

Step 7 (Optional) Run:
retry-count times

The retry count of a probe when a server member is in Up state is set. By default, the retry count of a probe when a server member is in Up state is 3.

Step 8 (Optional) Run:
fail-interval interval

The interval for a probe to detect that a server member is Down is set. This interval must be greater than the timeout interval of the probe. By default, the interval for a probe to detect that a server member is Down is 60s.

Step 9 (Optional) Run:
fail-retrycount times

The retry count for a probe to detect server recovery is set. By default, the retry count for a probe to detect server recovery is 3.

Step 10 (Optional) Run the following command as required.
• For a TCP probe or a UDP probe, do as follows:

Run:
send-data data

The sent data of a TCP probe or a UDP probe is set.

Run:
expect-data data

The expected response data of a TCP probe or a UDP probe is set. A TCP probe or a UDP probe determines whether a server member works normally by comparing the response data with the expected response data. If the response data from the server member is the same as the expected response data, the server member works normally. If the server member does not respond or the response data is different from the expected response data, the server member works abnormally. By default, the sent data and the expected response data of a TCP probe or a UDP probe are not set.

• For an HTTP probe, do as follows:

Run:
request method { get | head } url url
The HTTP request method and the URL used by the HTTP probe are configured. The difference between the GET and HEAD methods is as follows: the GET method obtains the entire page corresponding to the URL, whereas the HEAD method obtains only the header of the page corresponding to the URL. By default, the HTTP request method is GET and no URL is used.

Run:
user user-name [ password password ]

The user name and password of an HTTP request are set. By default, the user name and password of an HTTP request are not set.

Run:
header { accept | accept-charset } header-value value

The Accept field or the Accept-Charset field in the HTTP request packet header is set. By default, the SPU does not set the Accept field or the Accept-Charset field in the HTTP request packet header.

Run:
expect status-code min min-number max max-number

The range of the expected return status code is set. By default, the expected return status code is 200.

Step 11 (Optional) Run:
destination port port-number

The destination port number of a probe is configured. By default, the destination port number of a probe is the port number set for the load balancing member instance by the member port port-number command. If the port number of a load balancing member instance is not configured, the destination port number of a probe is the default port number: TCP and HTTP probes use destination port 80 and UDP probes use destination port 53. ICMP probes have no destination port number. If a TCP probe, a UDP probe, or an HTTP probe is bound to a load balancing group, the destination port number of the probe cannot be changed.

----End

7.4.4 Configuring a Server


This section describes how to set the IP address and related parameters for each server on the SPU so that the SPU can communicate with each server.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
load-balance member member-name

A server is created and the load balancing member view is displayed. Up to 1024 servers can be created.
By default, no server is configured.

Step 3 (Optional) Run:
description text

The description of the server is configured. By default, no description is configured for a server.

Step 4 Run:
ip address ip-address

The IP address of the server is set. By default, no IP address is specified for a server.

Step 5 (Optional) Run:
conn-limit max limit

The maximum number of connections of the server is set. When the number of connections of a server exceeds the set value, the SPU does not send user requests to the server for processing.

NOTE
The maximum number of connections can also be set for a server instance. If the maximum number of connections is set for both a server and a server instance, the SPU first checks whether the number of connections has reached the limit of the server instance. If so, the SPU rejects new connections. The SPU then checks whether the number of connections has reached the limit of the server. If so, the SPU rejects new connections.

By default, the maximum number of connections of a server is 4000000.

Step 6 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server are set. After selecting a server through the load balancing algorithm, the SPU compares the current bandwidth and the number of connections with the bandwidth limit and connection rate limit. If the bandwidth limit or connection rate limit is reached, the SPU does not select the server. By default, the connection rate of a server is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%.

Step 7 (Optional) Run:
priority level

The priority of the server is set. A greater value represents a higher priority, so that the server is more likely to be selected. By default, the priority of a server is 8.

Step 8 (Optional) Run:
weight weight-value

The weight of the server is set. By default, the weight of a server is 8.

NOTE
If the priority and weight of a server instance are not set, the SPU uses the priority and weight of the server. If the priority and weight of the server are not set, the SPU uses the default values.

----End
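How the limits and the priority/weight values of Steps 5 to 8 interact when a new connection arrives, as an added Python example that is not code from the guide or from Huawei. The limit checks follow the order the NOTE gives (instance conn-limit, then server conn-limit, then the rate-limit bandwidth thresholds and connection rate limit), the defaults are the ones stated above, and unset instance values fall back to the server's values. The selection rule itself (highest priority tier first, smooth weighted round robin within that tier) is an assumption made for illustration; the guide does not say how the SPU combines priority and weight. All server names, addresses and counters are constructed.

```python
# Added example (not from the Huawei guide): per-server limit checks and a
# priority/weight based pick for a new connection. Instance-level limits are
# checked before server-level ones, as the NOTE above describes. The selection
# rule (top priority tier, smooth weighted round robin inside it) is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    ip: str
    up: bool = True
    conn_limit: int = 4_000_000            # conn-limit max default
    bw_limit_kbps: int = 1_000_000         # rate-limit bandwidth default (per direction)
    bw_threshold_pct: int = 100            # threshold for accepting new traffic (default 100%)
    conn_rate_limit: Optional[int] = None  # connection rate not limited by default
    priority: int = 8                      # priority default
    weight: int = 8                        # weight default
    # live counters, constructed for the example
    connections: int = 0
    in_bw_kbps: int = 0
    out_bw_kbps: int = 0
    conn_rate: int = 0


@dataclass
class MemberInstance:
    """A server bound into a server group; unset instance values fall back to the server's."""
    server: Server
    conn_limit: Optional[int] = None
    priority: Optional[int] = None
    weight: Optional[int] = None
    connections: int = 0

    @property
    def name(self) -> str:
        return self.server.name

    def effective_priority(self) -> int:
        return self.priority if self.priority is not None else self.server.priority

    def effective_weight(self) -> int:
        return self.weight if self.weight is not None else self.server.weight


def accepts_new_connection(inst: MemberInstance) -> bool:
    """Limit checks in the order the text gives: instance conn-limit, server conn-limit,
    then the rate-limit bandwidth thresholds and the connection rate limit."""
    s = inst.server
    if not s.up:
        return False
    if inst.conn_limit is not None and inst.connections >= inst.conn_limit:
        return False
    if s.connections >= s.conn_limit:
        return False
    bw_ceiling = s.bw_limit_kbps * s.bw_threshold_pct / 100
    if s.in_bw_kbps >= bw_ceiling or s.out_bw_kbps >= bw_ceiling:
        return False
    if s.conn_rate_limit is not None and s.conn_rate >= s.conn_rate_limit:
        return False
    return True


class Selector:
    """Pick among eligible instances: highest priority wins, weights share the load within it."""

    def __init__(self, instances: List[MemberInstance]):
        self.instances = instances
        self.credit: Dict[str, int] = {i.name: 0 for i in instances}

    def pick(self) -> Optional[MemberInstance]:
        tier = [i for i in self.instances if accepts_new_connection(i)]
        if not tier:
            return None                                 # every server refuses: reject the request
        top = max(i.effective_priority() for i in tier)
        tier = [i for i in tier if i.effective_priority() == top]
        total = sum(i.effective_weight() for i in tier)
        for i in tier:                                  # smooth weighted round robin
            self.credit[i.name] += i.effective_weight()
        chosen = max(tier, key=lambda i: self.credit[i.name])
        self.credit[chosen.name] -= total
        chosen.connections += 1                         # account the new connection
        chosen.server.connections += 1
        return chosen


def pick_sequence(selector: Selector, n: int) -> List[Optional[str]]:
    """Names of the servers chosen for n successive new connections (None = all refused)."""
    out = []
    for _ in range(n):
        chosen = selector.pick()
        out.append(chosen.name if chosen else None)
    return out
```

The bandwidth threshold is what lets a server stop receiving new traffic before it is saturated: with a threshold of 80% a server at 800000 kbit/s of a 1000000 kbit/s limit is already skipped, while the connection limits only bite once the counted connections reach the configured maximum.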

7.4.5 Configuring a Server Group


This section describes how to create a server group and set related parameters. This makes configuration and management more convenient.

Procedure
Step 1 Run:
system-view

The system view is displayed. Step 2 Run:


load-balance group group-name

A server group is created and the server group view is displayed. Up to 1024 load balancing groups can be created, including link groups, server groups, and firewall groups. By default, no server group is configured. Step 3 Run:
probe probe-name

A probe of the server group is configured. By default, no probe is configured for a server group. Step 4 Run:probe-mode { fail-on-all | fail-on-one }The probe mode is set. By default, the probe mode is fail-on-one. In fail-on-one mode, a server is considered as Down when all the probes bound to the server group detect that the server member is in Down state. When the probe mode is fail-on-one, the server member is considered as Down when a probe bound to the server group detects that the server member is in Down state. Step 5 Run:
failaction { purge | reassign }

The action performed when a server fails is set. By default, no action is taken when a server fails. If the action is set to purge, when the master server fails, the connections of the master server are removed and not switched to a backup server. If the action is set to reassign, when the master server fails, all the connections of the master server are switched to a backup server.

Step 6 Run:
switch-threshold percent1 restore-threshold percent2

The threshold for switching services from the master server to the backup server is set.

percent1 specifies the threshold for the master server group to remain active and percent2 specifies the threshold for the backup server group to remain active. When the percentage of active servers in the master server group is smaller than or equal to the value of percent1, the SPU switches services to the backup server group. When the percentage of active servers in the master server group is greater than the value of percent2, the master server group is recovered and starts to provide services. By default, the thresholds for the master and backup server groups to remain active are 0. In this case, if all the servers in the master server group are invalid, the SPU automatically switches services to the backup server group. If a server in the master server group becomes active, the SPU switches services back to the master server group.

Step 7 Run:
forward-mode dnat

The packet forwarding mode is set to DNAT.

Or run:
forward-mode dmac

The packet forwarding mode is set to DMAC. In server load balancing, the packet forwarding mode can be set to DNAT or DMAC. In DNAT mode, the SPU changes the destination IP address of packets to the IP address of a server before forwarding them. In DMAC mode, the SPU changes the destination MAC address of packets to the MAC address of a server before forwarding them; the destination IP address of the packets remains unchanged.

Step 8 Run:
load-balance method { { hash address { destination | source | both } [ netmask ] } | { hash url [ begin-pattern expression1 ] [ end-pattern expression2 ] } | leastconns | roundrobin }

The load balancing algorithm is set. By default, the WRR algorithm is used for load balancing.

Step 9 Run:
member member-name

A server is bound to the server group and the server instance view is displayed.

Step 10 (Optional) Run:
rate-limit { bandwidth { inbound | outbound } band-limit [ threshold threshold-value ] | connection conn-limit }

The bandwidth limit, bandwidth threshold for receiving new traffic, and connection rate limit of the server instance are set. By default, the connection rate of a server instance is not limited, the inbound/outbound bandwidth limit is 1000000 kbit/s, and the inbound/outbound bandwidth threshold is 100%. When the bandwidth limit, connection rate limit, or bandwidth threshold is set for both a server instance and the server, both values take effect. For example, the bandwidth limit of a server is 200 kbit/s, and server instances A and B are configured on the server with bandwidth limits of 200 kbit/s and 100 kbit/s respectively. When selecting a server, the S9300 considers the bandwidth limits of both the server instance and the server. That is, the total bandwidth of server instances A and B cannot exceed the bandwidth limit of the server.

Step 11 (Optional) Run:


conn-limit max limit

The maximum number of connections of the server instance is set. When the number of connections of a server instance exceeds the set value, the SPU does not send user requests to the server instance for processing.
NOTE

If the maximum numbers of connections of both a server and a server instance are set, the SPU first checks whether the current number of connections has reached the maximum for the server instance; if so, the SPU rejects new connections. Otherwise, the SPU checks whether the number has reached the maximum for the server; if so, the SPU rejects new connections.

By default, the maximum number of connections of a server instance is 4000000.

Step 12 (Optional) Run:
priority level

The priority of the server instance is set. When the priorities of a server instance and a server are set simultaneously, the priority of the server instance takes effect. If the priority of a server instance is not set, the SPU uses the priority of a server. If the priority of the server is not set, the SPU adopts the default value.
NOTE

The priority is only valid for the WRR algorithm and the least connection algorithm.

By default, the priority of a server instance is 8.

Step 13 (Optional) Run:


weight weight-value

The weight of the server instance is set. When the weights of a server instance and a server are set simultaneously, the weight of the server instance takes effect. If the weight of a server instance is not set, the SPU uses the weight of a server. If the weight of the server is not set, the SPU adopts the default value.
NOTE

The weight is only valid for the WRR algorithm and the least connection algorithm.

By default, the weight of a server instance is 8.

Step 14 (Optional) Run:


backup-member member-name

The backup member of the server instance is configured. By default, no backup member is configured for a server instance. A server instance can contain up to three backup members. Before configuring a backup member, ensure that the backup member is added to the server group.

Step 15 (Optional) Run:
nat outbound address-group group-index [ no-pat ]


A NAT address pool is configured in the server instance for translating source IP addresses through NAT. no-pat indicates that PAT is not performed; that is, only the IP address of packets is translated through NAT and the port number is not. When NAT for translating source IP addresses is enabled simultaneously in a server instance and a Layer 3 classifier, the NAT setting of the server instance takes effect. By default, NAT for translating source IP addresses is disabled in a server instance.
NOTE

If the forwarding mode is set to DMAC, the NAT address pool does not need to be configured in a server instance or a Layer 3 classifier.

Step 16 Run:
inservice

The server is enabled.

----End
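The probe mode (step 4), the switch and restore thresholds (step 6), and the connection and bandwidth limits of a server (7.4.4) and of a server instance (steps 10 and 11) together decide whether a member can be selected. The following Python model of those rules is an added illustration for this guide, not SPU software or a Huawei example; its classes and field names, the treatment of an unprobed member as Up, and the reading of the bandwidth threshold as a percentage of band-limit are assumptions made for the example.

```python
"""Model of the server-group health and admission rules described in
7.4.4 and 7.4.5: probe-mode semantics (fail-on-one / fail-on-all), the
switch-threshold / restore-threshold hysteresis between a master and a
backup group, and the connection-limit and bandwidth checks that stop a
member from being selected. Added illustration, not SPU code; the
classes and field names are assumptions made for the example."""
from dataclasses import dataclass


def member_is_up(probe_results, probe_mode):
    """probe_results: one boolean per probe bound to the group
    (True = that probe sees the member Up).
    fail-on-one: the member is Down as soon as any probe reports Down.
    fail-on-all: the member is Down only when every probe reports Down."""
    if not probe_results:
        return True  # assumption: a member with no probe is treated as Up
    if probe_mode == "fail-on-one":
        return all(probe_results)
    if probe_mode == "fail-on-all":
        return any(probe_results)
    raise ValueError("unknown probe mode: %s" % probe_mode)


class GroupFailover:
    """Decides whether the master or the backup group serves traffic.
    switch_pct is percent1: switch to the backup group when the percentage
    of active master members is <= percent1.
    restore_pct is percent2: return to the master group when that
    percentage is > percent2. The defaults (0 and 0) give the documented
    behaviour: switch only when every master member is Down, restore as
    soon as one master member is Up again."""

    def __init__(self, switch_pct=0, restore_pct=0):
        self.switch_pct = switch_pct
        self.restore_pct = restore_pct
        self.active = "master"

    def update(self, master_member_states):
        up = sum(1 for state in master_member_states if state)
        pct = 100.0 * up / len(master_member_states)
        if self.active == "master" and pct <= self.switch_pct:
            self.active = "backup"
        elif self.active == "backup" and pct > self.restore_pct:
            self.active = "master"
        return self.active


@dataclass
class Server:
    """A load-balance member (7.4.4) with the documented defaults."""
    name: str
    conn_max: int = 4000000         # conn-limit max
    band_limit_kbps: int = 1000000  # rate-limit bandwidth band-limit
    band_threshold_pct: int = 100   # rate-limit bandwidth ... threshold
    connections: int = 0
    bandwidth_kbps: int = 0


@dataclass
class Instance:
    """A member instance of a server group (7.4.5 steps 9 to 11); its own
    limits apply together with those of the server it belongs to."""
    server: Server
    conn_max: int = 4000000
    band_limit_kbps: int = 1000000
    band_threshold_pct: int = 100
    connections: int = 0
    bandwidth_kbps: int = 0


def _over_bandwidth(current_kbps, limit_kbps, threshold_pct):
    # Assumption: the threshold is the share of band-limit at which the
    # member stops receiving new traffic (100% = only at the limit itself).
    return current_kbps >= limit_kbps * threshold_pct / 100.0


def admit_new_connection(inst):
    """Return (admitted, reason). The order follows the NOTE under step 11:
    the instance limit is checked first, then the server limit."""
    srv = inst.server
    if inst.connections >= inst.conn_max:
        return False, "instance conn-limit reached"
    if srv.connections >= srv.conn_max:
        return False, "server conn-limit reached"
    if _over_bandwidth(inst.bandwidth_kbps, inst.band_limit_kbps, inst.band_threshold_pct):
        return False, "instance bandwidth threshold reached"
    if _over_bandwidth(srv.bandwidth_kbps, srv.band_limit_kbps, srv.band_threshold_pct):
        return False, "server bandwidth threshold reached"
    return True, "ok"


if __name__ == "__main__":
    fo = GroupFailover(switch_pct=50, restore_pct=75)
    for states in ([True, True, False, False], [True, True, True, False], [True] * 4):
        print(states, "->", fo.update(states))
    # the 200 kbit/s server with instances A (200) and B (100) from step 10
    web = Server("web1", band_limit_kbps=200, bandwidth_kbps=200)
    print(admit_new_connection(Instance(web, band_limit_kbps=200, bandwidth_kbps=120)))
```

The `GroupFailover` example with thresholds 50 and 75 shows the hysteresis the two parameters create: once traffic has moved to the backup group, three of four active master members (75%) are not enough to move it back, because percent2 requires strictly more than 75%.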

7.4.6 (Optional) Configuring Session Stickiness


Session stickiness indicates that multiple connections of a session are directed to the same server in a specified period. In this case, the SPU does not make load balancing decisions.

Context
Session stickiness is often used in e-commerce: the multiple connections of a user who shops online need to be processed by a single server. The SPU is therefore required to identify users and send all requests of a user to the same server for processing. The SPU uses sticky groups to configure and manage the attributes of session stickiness. If session stickiness is configured, after the SPU sends the first request of a user to a selected server, the subsequent requests of that user are sent to the same server, so the SPU does not make further load balancing decisions. The SPU supports static and dynamic stickiness:
- When packets of a session match static sticky entries, the stickiness corresponding to the session is called static stickiness. Static stickiness takes effect as long as static sticky entries exist.
- When packets of a session match dynamic sticky entries, the stickiness corresponding to the session is called dynamic stickiness. Dynamic stickiness takes effect only within the aging time. After dynamic sticky entries age, stickiness becomes invalid.

The SPU supports session stickiness at the network layer and the application layer.

Procedure
Step 1 Run:
system-view

The system view is displayed.



Step 2 Run:
load-balance stickygroup stickygroup-name { source-ip | destination-ip | both-ip } mask net-mask

A sticky group is created and the sticky group view is displayed. Up to 1024 sticky groups can be created. By default, no sticky group is created.

Step 3 (Optional) Run:
description text

The description of the sticky group is configured. By default, no description is configured for a sticky group.

Step 4 Run:
group master-group-name [ backup backup-group-name ]

A server group is bound to the sticky group. The name of a backup load balancing group must be different from the name of the master load balancing group. If the Layer 3 classifier bound to the sticky group is bound to a load balancing policy, you cannot modify the server group bound to the sticky group. By default, no server group is bound to a sticky group.

Step 5 (Optional) Run:
time-out time

The aging time of dynamic sticky entries is set. The dynamic sticky entries generated on a sticky group age out after the aging time expires and no longer take effect. By default, the aging time of dynamic sticky entries is 1440 minutes.

Step 6 (Optional) Run:
static client { destination dest-ip-address | source src-ip-address [ destination dest-ip-address ] } member member-name

A static sticky entry is configured. The SPU supports static sticky entries based on the source IP address, the destination IP address, or the source and destination IP addresses. Up to 4096 static sticky entries can be created.
- When source src-ip-address is specified, a static sticky entry based on the source IP address is configured. When the packets with the source IP address specified by src-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
- When destination dest-ip-address is specified, a static sticky entry based on the destination IP address is configured. When the packets with the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
- When source src-ip-address and destination dest-ip-address are specified, a static sticky entry based on the source and destination IP addresses is configured. When the packets with the source IP address specified by src-ip-address and the destination IP address specified by dest-ip-address match the static sticky entry, the packets are sent to the server specified by member-name.
NOTE

When configuring static sticky entries, pay attention to the following points:
- Only one static sticky entry of a sticky group can be created on a network segment.
- Before configuring stickiness, you need to use the load-balance group command to create the corresponding server group and bind the server group to the sticky group. In addition, the server group must contain servers.

By default, no static sticky entry is configured for a sticky group.

----End
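The lookup order that this section implies, static entries first and then dynamic entries that are still within their aging time, with a load balancing decision only when neither matches, is shown in the following Python model. It is an added illustration for this guide, not SPU software or a Huawei example; the precedence among the three kinds of static entry, the refresh of a dynamic entry on every hit, and the choose() callback that stands in for the load balancing algorithm are assumptions made for the example.

```python
"""Model of a sticky group (7.4.6): static sticky entries keyed on the
source address, the destination address, or both (after the group mask is
applied), and dynamic entries learnt from the first load balancing
decision that age out after time-out minutes. Added illustration, not
SPU code; precedence among static entry kinds and the choose() callback
that stands in for the load balancing algorithm are assumptions."""
import ipaddress


class StickyGroup:
    def __init__(self, name, mode="source-ip", mask="255.255.255.255",
                 timeout_minutes=1440):
        if mode not in ("source-ip", "destination-ip", "both-ip"):
            raise ValueError("unknown sticky mode: %s" % mode)
        self.name = name
        self.mode = mode
        self.mask = int(ipaddress.IPv4Address(mask))
        self.timeout = timeout_minutes * 60   # kept in seconds
        self.static = {}    # (src-net, dst-net) -> member name
        self.dynamic = {}   # (src-net, dst-net) -> [member name, last_seen]

    def _net(self, ip):
        """Apply the group mask so one entry covers a whole network segment."""
        if ip is None:
            return None
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & self.mask))

    def _dynamic_key(self, src, dst):
        # mode decides which addresses identify a session for dynamic entries
        if self.mode == "source-ip":
            return (self._net(src), None)
        if self.mode == "destination-ip":
            return (None, self._net(dst))
        return (self._net(src), self._net(dst))

    def add_static(self, member, source=None, destination=None):
        """static client { destination ... | source ... [ destination ... ] } member"""
        if source is None and destination is None:
            raise ValueError("a static entry needs a source or a destination")
        key = (self._net(source), self._net(destination))
        if key in self.static:   # only one static entry per network segment
            raise ValueError("static entry already exists for %r" % (key,))
        self.static[key] = member

    def select(self, src, dst, now, choose):
        """Return (member, kind) with kind 'static', 'dynamic' or 'new'.
        Assumption: the most specific static entry (source and destination)
        wins, then source-only, then destination-only."""
        s, d = self._net(src), self._net(dst)
        for key in ((s, d), (s, None), (None, d)):
            if key in self.static:
                return self.static[key], "static"
        key = self._dynamic_key(src, dst)
        entry = self.dynamic.get(key)
        if entry is not None and now - entry[1] < self.timeout:
            entry[1] = now   # assumption: a hit refreshes the entry
            return entry[0], "dynamic"
        member = choose()    # no live entry: make a load balancing decision
        self.dynamic[key] = [member, now]
        return member, "new"

    def age(self, now):
        """Drop dynamic entries idle for at least time-out; return the count."""
        expired = [k for k, v in self.dynamic.items() if now - v[1] >= self.timeout]
        for k in expired:
            del self.dynamic[k]
        return len(expired)


if __name__ == "__main__":
    g = StickyGroup("shop", mode="source-ip", mask="255.255.255.0", timeout_minutes=30)
    g.add_static("srv1", source="10.1.1.5")          # whole 10.1.1.0/24 pinned to srv1
    print(g.select("10.1.1.77", "192.0.2.1", now=0, choose=lambda: "srv9"))
    print(g.select("10.2.2.2", "192.0.2.1", now=0, choose=lambda: "srv2"))
    print(g.select("10.2.2.9", "192.0.2.1", now=100, choose=lambda: "srv3"))
```

Because the mask is applied before the lookup, a static entry for 10.1.1.5 with mask 255.255.255.0 pins every client in 10.1.1.0/24 to srv1, which is the reason the NOTE allows only one static entry per network segment.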

7.4.7 Configuring a Layer 7 Classifier


This section describes how to create a Layer 7 classifier and configure a matching rule.

Context
On the SPU, Layer 7 classification means that packets are classified based on the URLs of Layer 7 services. Regardless of whether Layer 3 or Layer 7 load balancing is used, the SPU first matches packets against the ACL in a Layer 3 classifier and then against the matching rule in the Layer 7 classifier bound to that Layer 3 classifier. Therefore, you must configure a Layer 7 classifier for both Layer 3 and Layer 7 load balancing. In Layer 3 load balancing, the matching rule of the Layer 7 classifier must be set to any.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance l7classifier l7classifier-name [ and | or ]

A Layer 7 classifier is created and the Layer 7 classifier view is displayed. By default, no Layer 7 classifier is configured. When you create a Layer 7 classifier, and means that the classifier matches only when all of its rules match, and or means that it matches when any rule matches. If neither and nor or is specified, the default matching mode is and.
NOTE

When you enter the Layer 7 classifier view, you can specify and or or. The specified matching mode must be the same as the one used when the Layer 7 classifier is created.

Step 3 Run the following command as required:
- Run:
  match any

  The matching rule of the Layer 7 classifier is set to any, that is, any packet is matched.
- Run:
  rule [ rule-number ] match http url url [ method { method-name | get | head | post } ]

  The Layer 7 classifier is set to match the HTTP URL.
- Run:
  rule [ rule-number ] match l7classifier l7classifier-name

  Another Layer 7 classifier is nested in the Layer 7 classifier.

By default, the matching rule of a Layer 7 classifier is any.
NOTE

When configuring a matching rule, pay attention to the following points:
- If other matching rules are configured in the Layer 7 classifier, you cannot set the matching rule to any.
- If the matching rule of a Layer 7 classifier is set to any, you cannot configure other matching rules. In addition, the traffic that is load balanced is processed at Layer 3 and Layer 4. In this case, the load balancing algorithms for Layer 7 services, including the hash algorithm based on the URL, cannot be configured.
- A Layer 7 classifier can be nested in another Layer 7 classifier if the matching rule of that Layer 7 classifier is set to the nesting rule. A Layer 7 classifier can be nested by up to eight Layer 7 classifiers.

Step 4 Run:
case-insensitive

Case sensitivity is disabled. After this command is run, the SPU does not distinguish uppercase and lowercase letters when parsing HTTP packets. By default, the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets.

----End

7.4.8 Configuring a Load Balancing Action


This section describes how to create a load balancing action profile and specify an action.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance action action-name

A load balancing action profile is created and the load balancing action profile view is displayed.

Step 3 Run the following command as required:
- Run:
  drop

  The action is set to drop.
- Run:
  forward

  The action is set to forward.
- Run:
  group master-group-name [ backup backup-group-name ]

  The action is set to load balance.
- Run:
  stickygroup stickygroup-name

  The action is set to the sticky operation.

By default, the action is forward.

----End

7.4.9 Configuring an ACL


This section describes how to configure an ACL to identify the traffic of various services.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


acl [ number ] [ match-order { config | auto } ]

An ACL is created and the ACL view is displayed. In server load balancing, the value of number ranges from 3000 to 3999; that is, advanced ACLs are used. A Layer 3 classifier can be bound to only one ACL. If the ACL is configured repeatedly, the latest ACL takes effect. By default, no ACL is created.

Step 3 (Optional) Run:
step step-value

The step between ACL rule IDs is set. By default, the step between ACL rule IDs is 5.

Step 4 Run the following command as required:
- When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:
  rule [ rule-id ] { deny | permit } icmp [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | icmp-type { icmp-name | icmp-type icmp-code } | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
  undo rule rule-id
- When the parameter protocol is specified as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), the command format is as follows:
  rule [ rule-id ] { deny | permit } { tcp | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq | gt | lt | range } port | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | source-port { eq | gt | lt | range } port | time-range time-name | tos tos ] *
  undo rule rule-id
- When the parameter protocol is specified as a protocol other than TCP, UDP, or ICMP, the command format is as follows:
  rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | dscp dscp | fragment | precedence precedence | source { source-address source-wildcard | any } | time-range time-name | tos tos ] *
  undo rule rule-id

By default, no rule is defined in an ACL.

----End

7.4.10 (Optional) Configuring a Connection Parameter Profile


This section describes how to configure a connection parameter profile to set the aging time of the TCP or UDP traffic forwarding table.

Context
To prevent the resources of the TCP or UDP traffic forwarding table from being exhausted, set the aging time so that TCP or UDP traffic forwarding entries that have been idle for a long time are periodically aged out.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance parameter connection profile-name

A connection parameter profile is created and the connection parameter profile view is displayed. Up to 1024 connection parameter profiles can be created. By default, no connection parameter profile is created.

Step 3 Run:
tcp aging-time aging-time

The aging time of the TCP traffic forwarding table is set. By default, the aging time of the TCP traffic forwarding table is 3600s.

Step 4 Run:
udp aging-time aging-time

The aging time of the UDP traffic forwarding table is set. By default, the aging time of the UDP traffic forwarding table is 120s.

----End

7.4.11 (Optional) Configuring an HTTP Parameter Profile


This section describes how to configure an HTTP parameter profile and set related parameters for processing HTTP packets, including the maximum parsing length and per-packet rebalance.

Context
Case sensitivity indicates that the SPU distinguishes uppercase and lowercase letters when parsing HTTP packets. Per-packet rebalance indicates that the SPU makes load balancing decisions again and selects another server for each HTTP request packet even if the quintuple is the same.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance parameter http profile-name

An HTTP parameter profile is created and the HTTP parameter profile view is displayed. Up to 1024 HTTP parameter profiles can be created. By default, no HTTP parameter profile is created.

Step 3 Run:
max-parse-length length-value

The maximum parsing length of HTTP packets is set. By default, the maximum parsing length of HTTP packets is 1024 bytes.

Step 4 Run:
rebalance per-request

Each HTTP request is rebalanced. By default, the SPU does not rebalance newly received HTTP requests.

----End
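The aging times of 7.4.10 and the per-request rebalance of 7.4.11 both act on the same traffic forwarding table, so one Python model serves both sections: entries keyed by the quintuple expire after the protocol's aging time of idleness, and with per-request rebalance enabled an existing entry is ignored for each new HTTP request. It is an added illustration for this guide, not SPU software or a Huawei example; the table layout, the refresh of an entry by every packet of the flow, and the choose() callback that stands in for the load balancing decision are assumptions made for the example.

```python
"""Model of a connection parameter profile (7.4.10) and the rebalance
per-request option of an HTTP parameter profile (7.4.11): a traffic
forwarding table keyed by the quintuple whose entries are aged after
tcp/udp aging-time seconds of idleness, and which is bypassed for each
HTTP request when per-request rebalance is enabled. Added illustration,
not SPU code; the table layout and the choose() callback that stands in
for the load balancing decision are assumptions."""


class ForwardingTable:
    def __init__(self, tcp_aging=3600, udp_aging=120, rebalance_per_request=False):
        self.aging = {"tcp": tcp_aging, "udp": udp_aging}   # documented defaults
        self.rebalance = rebalance_per_request
        self.entries = {}   # (proto, src, sport, dst, dport) -> [member, last_seen]

    def _expired(self, quintuple, entry, now):
        return now - entry[1] >= self.aging[quintuple[0]]

    def forward(self, quintuple, now, choose, http_request=False):
        """Return (member, reused): reused is True when an existing, unexpired
        entry decided the server instead of a new load balancing decision."""
        entry = self.entries.get(quintuple)
        if entry is not None and self._expired(quintuple, entry, now):
            del self.entries[quintuple]   # idle too long: treat as a new flow
            entry = None
        if entry is not None and not (self.rebalance and http_request):
            entry[1] = now   # assumption: traffic on the flow keeps the entry alive
            return entry[0], True
        member = choose()    # new flow, or a new HTTP request under per-request rebalance
        self.entries[quintuple] = [member, now]
        return member, False

    def age(self, now):
        """Periodic aging sweep: remove every idle entry and return how many."""
        idle = [q for q, e in self.entries.items() if self._expired(q, e, now)]
        for q in idle:
            del self.entries[q]
        return len(idle)


if __name__ == "__main__":
    table = ForwardingTable()   # tcp 3600s, udp 120s, no per-request rebalance
    tcp_flow = ("tcp", "10.0.0.1", 40000, "192.0.2.10", 80)   # constructed sample flows
    udp_flow = ("udp", "10.0.0.1", 40001, "192.0.2.10", 53)
    print(table.forward(tcp_flow, 0, lambda: "s1"))       # new decision
    print(table.forward(tcp_flow, 3599, lambda: "s3"))    # reused, still within 3600s
    print(table.forward(udp_flow, 0, lambda: "s2"))
    print(table.forward(udp_flow, 120, lambda: "s3"))     # UDP entry already aged
    print("entries removed by sweep:", table.age(3599 + 3600))
```

The UDP default of 120s against the TCP default of 3600s is the point of the profile: a long idle UDP entry holds table space for no benefit, so it is aged far sooner.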

7.4.12 Configuring a Layer 3 Classifier


This section describes how to create a Layer 3 classifier and configure a matching rule.

Context
To classify packets according to the quintuple, you need to create and configure a Layer 3 classifier.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance l3classifier l3classifier-name

A Layer 3 classifier is created and the Layer 3 classifier view is displayed. By default, no Layer 3 classifier is created.

Step 3 Run:
if-match acl acl-number

An ACL is bound to the Layer 3 classifier. A Layer 3 classifier can be bound to only one ACL. If the if-match acl acl-number command is run multiple times in the same Layer 3 classifier view, the latest one takes effect. By default, no ACL is bound to a Layer 3 classifier.

Step 4 Run:
l7classifier l7classifier-name action action-name

The Layer 7 classifier and action are bound to the Layer 3 classifier. The SPU first matches packets with the ACL in a Layer 3 classifier, and then matches packets with the rule in a Layer 7 classifier. By default, a Layer 3 classifier is not bound to the Layer 7 classifier and action.

Step 5 (Optional) Run:
icmp-reply

The SPU is configured to respond to ping requests of users. The SPU provides services through a virtual IP address. Users send service requests to the virtual IP address, but the SPU does not respond to ICMP packets. If the SPU is required to respond to ping requests, you need to run the icmp-reply command in the Layer 3 classifier view.

CAUTION
- If the SPU is required to respond to ping requests of users, the ping request packets of users must match the ACL in the Layer 3 classifier. If the ACL in the Layer 3 classifier matches any destination address, the SPU responds to every ping request of users and the ACL no longer restricts them. Therefore, configure the ACL in a Layer 3 classifier with caution.

By default, the SPU does not respond to ping requests of users.

Step 6 (Optional) Run:
parameter connection profile-name

A connection parameter profile is bound to the Layer 3 classifier.



A connection parameter profile can be bound to one or more Layer 3 classifiers. By default, no connection parameter profile is bound to a Layer 3 classifier.

Step 7 (Optional) Run:
parameter http profile-name

An HTTP parameter profile is bound to the Layer 3 classifier. An HTTP parameter profile can be bound to one or more Layer 3 classifiers. By default, no HTTP parameter profile is bound to a Layer 3 classifier.

Step 8 (Optional) Run:
nat outbound address-group number [ no-pat ]

A NAT address pool is bound to the Layer 3 classifier. no-pat indicates that PAT is not performed; that is, only the IP address of packets is translated through NAT and the port number is not. The NAT address pool takes effect only after it is bound to a Layer 3 classifier or a server instance. If a NAT address pool is bound to a Layer 3 classifier and a server instance simultaneously, the NAT address pool bound to the server instance takes effect. When the forwarding mode of a server group is set to transparent transmission, the NAT function does not take effect even if a Layer 3 classifier or a server instance is bound to the NAT address pool. By default, no NAT address pool is bound to a Layer 3 classifier.

----End

7.4.13 Configuring a Load Balancing Policy


This section describes how to create a load balancing policy, and bind the Layer 3 classifier to the load balancing policy.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


load-balance policy policy-name

A load balancing policy is created and the load balancing policy view is displayed. Up to 1024 load balancing policies can be created. By default, no load balancing policy is configured.

Step 3 Run:
l3classifier l3classifier-name

A Layer 3 classifier is bound to the load balancing policy. A load balancing policy can be bound to up to eight Layer 3 classifiers to support a maximum of 1024 service applications.

By default, no Layer 3 classifier is bound to a load balancing policy.

----End
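Sections 7.4.7, 7.4.9, 7.4.12 and 7.4.13 describe one classification chain: the ACL bound to a Layer 3 classifier selects packets by quintuple, the bound Layer 7 classifier then tests the HTTP request against its rules in and/or mode, and the bound action is applied. The following Python model walks that chain for a policy with several Layer 3 classifiers. It is an added illustration for this guide, not SPU software or a Huawei example; the dictionary layout of packets and requests, URL matching as a substring test, and forwarding unchanged when no classifier matches are assumptions made for the example.

```python
"""Model of the classification chain of 7.4.7 (Layer 7 classifier),
7.4.9 (advanced ACL), 7.4.12 (Layer 3 classifier) and 7.4.13 (policy).
Added illustration, not SPU code; the dict layout for packets and
requests, substring URL matching and the forward-when-unmatched fallback
are assumptions."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


class Acl:
    def __init__(self, number, step=5):
        if not 3000 <= number <= 3999:
            raise ValueError("server load balancing uses advanced ACLs (3000-3999)")
        self.number, self.step, self.rules = number, step, []

    def rule(self, action, protocol, source=None, destination=None, dport=None):
        """source/destination: (address, wildcard) tuples, or None for any."""
        rule_id = self.rules[-1]["id"] + self.step if self.rules else self.step
        self.rules.append(dict(id=rule_id, action=action, protocol=protocol,
                               source=source, destination=destination, dport=dport))
        return rule_id

    def permits(self, pkt):
        """match-order config: rules are tried in configuration order and the
        first one that fits decides; a packet fitting no rule is not matched."""
        for r in self.rules:
            if r["protocol"] != pkt["protocol"]:
                continue
            if r["source"] and not wildcard_match(pkt["src"], *r["source"]):
                continue
            if r["destination"] and not wildcard_match(pkt["dst"], *r["destination"]):
                continue
            if r["dport"] is not None and r["dport"] != pkt.get("dport"):
                continue
            return r["action"] == "permit"
        return False


class L7Classifier:
    def __init__(self, name, mode="and", case_insensitive=False):
        self.name, self.mode, self.ci, self.rules = name, mode, case_insensitive, []

    def match_any(self):
        if self.rules:
            raise ValueError("any cannot be combined with other rules")
        self.rules.append(("any",))

    def match_url(self, url, method=None):
        self._check_not_any()
        self.rules.append(("url", url, method))

    def nest(self, other):          # rule match l7classifier other
        self._check_not_any()
        self.rules.append(("l7", other))

    def _check_not_any(self):
        if ("any",) in self.rules:
            raise ValueError("classifier already matches any")

    def matches(self, req):
        if not self.rules or self.rules[0] == ("any",):   # default rule is any
            return True
        results = []
        for r in self.rules:
            if r[0] == "url":
                pattern, url = r[1], req["url"]
                if self.ci:                                 # case-insensitive
                    pattern, url = pattern.lower(), url.lower()
                ok = pattern in url                         # assumption: substring
                if r[2] is not None:
                    ok = ok and r[2].upper() == req["method"].upper()
            else:
                ok = r[1].matches(req)                      # nested classifier
            results.append(ok)
        return all(results) if self.mode == "and" else any(results)


class L3Classifier:
    def __init__(self, name, acl, l7classifier, action):
        self.name, self.acl, self.l7, self.action = name, acl, l7classifier, action


def policy_action(policy, pkt, req):
    """Return the action of the first Layer 3 classifier in the policy whose
    ACL matches the packet and whose Layer 7 classifier matches the request."""
    for clf in policy:
        if clf.acl.permits(pkt) and clf.l7.matches(req):
            return clf.action
    return "forward"   # assumption: unmatched traffic is forwarded unchanged
```

The `any` checks in `L7Classifier` mirror the NOTE in 7.4.7: a classifier that already matches `any` refuses further rules, and `any` cannot be added once other rules exist. A Layer 3 load balancing classifier is therefore modelled as an `L7Classifier` with no rules.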

7.4.14 Applying the Load Balancing Policy


A load balancing policy takes effect only after being applied.

Context
A load balancing policy can be applied to only XGE sub-interfaces or Eth-Trunk sub-interfaces on the SPU.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:


interface interface-type interface-number.subnumber

The sub-interface view is displayed.

Step 3 Run:


service load-balance policy policy-name

The load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface. After the load balancing policy is applied, the SPU takes the actions defined in the load balancing policy for the VLAN packets on the sub-interface that match the Layer 3 classifier bound to the load balancing policy. By default, no load balancing policy is applied to an XGE sub-interface or an Eth-Trunk sub-interface.

Step 4 (Optional) Run:
service load-balance arp-response nat address-group group-index

The NAT address pool is enabled to respond to ARP requests on the sub-interface. By default, a NAT address pool is not enabled to respond to ARP requests on a sub-interface. When the NAT address pool is used for source IP address translation and the IP address of the outbound interface of the SPU is in the same network segment as any IP address in the NAT address pool, you need to run the service load-balance arp-response nat address-group group-index command on the outbound interface. If this command is not run on the outbound sub-interface, the NAT address pool cannot respond to ARP requests on that sub-interface. Up to eight NAT address pools can be enabled to respond to ARP requests on a sub-interface.

----End

7.4.15 Checking the Configuration


After server load balancing is configured successfully, check whether the configurations are correct and valid.

Procedure
- Run the display load-balance member [ name member-name | all ] command to check the configuration of the load balancing member.
- Run the display load-balance probe [ name probe-name [ group name group-name member name member-name ] | all ] command to check the configuration of the probe.
- Run the display load-balance group [ name group-name | all ] command to check the configuration of the load balancing group.
- Run the display load-balance group name group-name member name member-name [ verbose ] command to check the configuration of the load balancing member instance.
- Run the display load-balance l7classifier [ name l7classifier-name | all ] command to check the configuration of the Layer 7 classifier.
- Run the display load-balance action [ name action-name | all ] command to check the configuration of the load balancing action profile.
- Run the display load-balance l3classifier [ name l3classifier-name | all ] command to check the configuration of the Layer 3 classifier.
- Run the display load-balance policy [ name policy-name | all ] command to check the configuration of the load balancing policy.
- Run the display load-balance parameter connection [ name connection-name | all ] command to check the configuration of the connection parameter profile.
- Run the display load-balance parameter http [ name http-name | all ] command to check the configuration of the HTTP parameter profile.

----End

7.5 Configuring Firewall Load Balancing


On a network where multiple firewalls exist, you can load balance network traffic among firewalls in a group. In this manner, the burden of each single firewall is reduced and the network processing capability is improved.

Applicable Environment
As the guard of a network, the firewall is important on the network. However, it encounters the following problem: a firewall needs to check each packet carefully. As a result, the forwarding performance of the firewall is low and the firewall becomes the bottleneck on the network. If existing devices are replaced to improve the forwarding performance, hardware resources are wasted. In addition, when the service volume increases, the devices need to be replaced frequently, and the costs of device replacement are high.

You can create a firewall group to reduce the burden of each single firewall and improve the network processing capability. In the scenario where firewall load balancing is configured, load balancing devices are classified into level-1 and level-2 devices. Level-1 devices perform firewall load balancing; level-2 devices ensure that any traffic received through a firewall is sent back through the same firewall. The firewall load balancing technology treats firewalls as servers.

Pre-configuration Tasks
Before configuring firewall load balancing, complete the following tasks:
- Setting link layer parameters for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
- Setting network layer parameters for the interfaces and ensuring that the routes between devices are available
- Performing the task of 2 SPU Pre-Configuration

Data Preparation
To configure firewall load balancing, you need the following data.
- Level-1 load balancing device:
  1. (Optional) Name, type, and related parameters of the probe
  2. Name and parameters of the firewall, including the description, server IP address, weight, and bandwidth
  3. Name and firewall group parameters, including the description, load balancing algorithm, forwarding mode (fixed as DMAC), action performed when the firewall group fails, threshold for switching the master firewall group to the backup firewall group, bound probe, member, and member instance port number
  4. (Optional) Name and sticky group parameters, including the description, aging time, and static sticky entries
  5. Parameters of the Layer 7 classifier, including the classifier name and matching rule
  6. Name and parameters of the load balancing action profile, including the description and action
  7. Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule
  8. Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier
  9. (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table
  10. (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the function of enabling per-packet rebalance
  11. Parameters of the load balancing policy, including the load balancing policy name and Layer 3 classifier bound to the load balancing policy
  12. Object where the load balancing policy is applied

Level-2 load balancing device No. 1 Data (Optional) NAT address pool index and address network segment
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. 7-51

Issue 02 (2010-07-15)

7 Load Balancing Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - SPU

No. 2 3 4

Data (Optional) Name, type, and related parameters of the probe Name and related parameters of the server, including the description, server IP address, weight, and bandwidth Name and related parameters of the server group, including the description, load balancing algorithm, forwarding mode, action performed when the server group fails, threshold for switching the master server group to the backup server group, bound probe, member, member instance port number, and NAT address pool index (Optional) Name and related parameters of the sticky group, including the description, aging time, and static sticky entries Parameters of the Layer 7 classifier, including the classifier name and matching rule Name and parameters of the load balancing action profile, including the description and action Parameters of the advanced ACL, including the ACL number, matching sequence, and matching rule Parameters of the Layer 3 classifier, including the classifier name and the ACL and Layer 7 classifier bound to the Layer 3 classifier (Optional) Name and parameters of the connection parameter profile, including the aging time of the TCP or UDP traffic forwarding table (Optional) Name and related parameters of the HTTP parameter profile, including the maximum parsing length of HTTP packets and the function of enabling perpacket rebalance Parameters of the load balancing policy, including the load balancing policy name and Layer 3 classifier bound to the load balancing policy Object where the load balancing policy is applied

5 6 7 8 9 10 11

12 13

Configuration Instructions
In firewall load balancing, the firewalls play the role of servers. The configuration procedure is therefore the same as that of server load balancing except for the differences noted in the following two tables. For the detailed procedure, see 7.4 Configuring Server Load Balancing.

- Level-1 load balancing device

  1. (Optional) Configure firewall health detection.
     Reference: 7.4.3 (Optional) Configuring Server Health Detection (only the ICMP probe is supported)
  2. Configure the firewalls.
     Reference: 7.4.4 Configuring a Server
  3. Configure a firewall group.
     Reference: 7.4.5 Configuring a Server Group (DMAC must be used as the forwarding mode)
  4. (Optional) Configure session stickiness.
     Reference: 7.4.6 (Optional) Configuring Session Stickiness
  5. Configure a Layer 7 classifier.
     Reference: 7.4.7 Configuring a Layer 7 Classifier
  6. Configure a load balancing action.
     Reference: 7.4.8 Configuring a Load Balancing Action
  7. Configure an ACL.
     Reference: 7.4.9 Configuring an ACL
  8. (Optional) Configure a connection parameter profile.
     Reference: 7.4.10 (Optional) Configuring a Connection Parameter Profile
  9. (Optional) Configure an HTTP parameter profile.
     Reference: 7.4.11 (Optional) Configuring an HTTP Parameter Profile
  10. Configure a Layer 3 classifier.
     Reference: 7.4.12 Configuring a Layer 3 Classifier
  11. Configure a load balancing policy.
     Reference: 7.4.13 Configuring a Load Balancing Policy
  12. Apply the load balancing policy.
     Reference: 7.4.14 Applying the Load Balancing Policy
  13. Check the configuration.
     Reference: 7.4.15 Checking the Configuration

- Level-2 load balancing device

  1. (Optional) Configure a NAT address pool.
     Reference: 7.4.2 (Optional) Configuring an NAT Address Pool
  2. (Optional) Configure server health detection.
     Reference: 7.4.3 (Optional) Configuring Server Health Detection
  3. Configure a server.
     Reference: 7.4.4 Configuring a Server
  4. Configure a server group.
     Reference: 7.4.5 Configuring a Server Group
  5. (Optional) Configure session stickiness.
     Reference: 7.4.6 (Optional) Configuring Session Stickiness
  6. Configure a Layer 7 classifier.
     Reference: 7.4.7 Configuring a Layer 7 Classifier
  7. Configure a load balancing action.
     Reference: 7.4.8 Configuring a Load Balancing Action
  8. Configure an ACL.
     Reference: 7.4.9 Configuring an ACL
  9. (Optional) Configure a connection parameter profile.
     Reference: 7.4.10 (Optional) Configuring a Connection Parameter Profile
  10. (Optional) Configure an HTTP parameter profile.
     Reference: 7.4.11 (Optional) Configuring an HTTP Parameter Profile
  11. Configure a Layer 3 classifier.
     Reference: 7.4.12 Configuring a Layer 3 Classifier
  12. Configure a load balancing policy.
     Reference: 7.4.13 Configuring a Load Balancing Policy
  13. Apply the load balancing policy.
     Reference: 7.4.14 Applying the Load Balancing Policy (you need to run the mac-sticky enable command to enable MAC address stickiness)
  14. Check the configuration.
     Reference: 7.4.15 Checking the Configuration

7.6 Configuration Examples

This section provides several configuration examples. Each configuration example includes the networking requirements, the configuration roadmap, the operation procedure, and the configuration files.

7.6.1 Example for Configuring Egress Link Load Balancing
This section describes how to configure egress link load balancing to improve service reliability.

7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode
This section describes how to configure Layer 3 server load balancing in DMAC mode to improve the service processing capability of the servers.

7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 3 server load balancing in DNAT mode to improve the service processing capability of the servers.

7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 7 server load balancing in DNAT mode to improve the service processing capability of the servers.

7.6.5 Example for Configuring Session Stickiness
This section provides an example for configuring session stickiness. With session stickiness, requests from the same type of user are processed by the same server, which meets the e-commerce requirements of internal network users.

7.6.6 Example for Configuring Standard Firewall Load Balancing
In this example, standard firewall load balancing is configured to improve the service processing capability of the firewalls.

7.6.1 Example for Configuring Egress Link Load Balancing


This section describes how to configure egress link load balancing to improve the service reliability.

Networking Requirements
As shown in Figure 7-8, an enterprise leases two egress links, ISP1 and ISP2. The bandwidth of the ISP1 link is 100 Mbit/s and the bandwidth of the ISP2 link is 300 Mbit/s; the network delay of ISP2 is shorter than that of ISP1. The requirements are as follows:
- When an enterprise user accesses the external network, a link is selected preferentially according to the link weights.
- When a link fails or its limits are exceeded, the other link is selected automatically.
- Source NAT is performed on the traffic leaving through the selected link.

The enterprise users are connected to GE 3/0/0 of the Switch, and the SPU is installed in slot 5 of the Switch. RouterA is connected to GE 3/0/1 of the Switch and RouterB to GE 3/0/2 of the Switch. The data flows entering the SPU pass through the primary CPU, that is, they are received and sent through XGE 5/0/0. The enterprise users are on network segment 192.168.1.1/24, and the external network they need to reach is on 60.60.60.1/24.

Figure 7-8 Networking diagram for configuring egress link load balancing
(Figure: Enterprise user - GE3/0/0 - Switch (VLAN12), whose XGE5/0/0 and XGE5/0/1 connect to XGE0/0/1 and XGE0/0/2 of the SPU; RouterA 20.20.20.1/24 leads to ISP1 and RouterB 30.30.30.1/24 to ISP2, both reaching the external network 60.60.60.1/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure two links, connected to ISP1 and ISP2 respectively.
3. Configure link health detection to detect the links to ISP1 and ISP2.
4. Configure a link group, bind it to the links to ISP1 and ISP2, and adopt the WRR algorithm.
5. Configure a Layer 7 classifier and set the matching rule to any.
6. Configure a load balancing action profile.
7. Configure an ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to the interface of the internal network.

Data Preparation
To complete the configuration, you need the following data:
- Network segments of the NAT address pools
- Names of the links connected to ISP1 and ISP2, and their IP addresses, connection quantity limits, connection rate limits, bandwidth limits, bandwidth thresholds, and weights
- Name, type, and related parameters of the probe
- Link group name and load balancing algorithm
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to it
- Name of the load balancing policy and the interface where it is applied

Procedure
Step 1 Configure traffic importing on the Switch.
1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 13 14
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] port link-type trunk
[Switch-XGigabitEthernet5/0/0] port trunk allow-pass vlan 12 to 14
[Switch-XGigabitEthernet5/0/0] undo port trunk allow-pass vlan 1
[Switch-XGigabitEthernet5/0/0] quit

2. Configure NAT address pools on the SPU.
<Quidway> system-view
[Quidway] sysname SPU

# Configure the NAT address pool with index 2 and the address range 20.20.20.3 to 20.20.20.200.
[SPU] nat address-group 2 20.20.20.3 20.20.20.200

# Configure the NAT address pool with index 3 and the address range 30.30.30.3 to 30.30.30.200.
[SPU] nat address-group 3 30.30.30.3 30.30.30.200

3. Add the sub-interfaces to VLANs on the SPU.
[SPU] interface xgigabitethernet 0/0/1.12
[SPU-XGigabitEthernet0/0/1.12] control-vid 12 dot1q-termination
[SPU-XGigabitEthernet0/0/1.12] dot1q termination vid 12
[SPU-XGigabitEthernet0/0/1.12] ip address 10.10.10.1 255.255.255.0
[SPU-XGigabitEthernet0/0/1.12] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.12] quit
[SPU] interface xgigabitethernet 0/0/1.13
[SPU-XGigabitEthernet0/0/1.13] control-vid 13 dot1q-termination
[SPU-XGigabitEthernet0/0/1.13] dot1q termination vid 13
[SPU-XGigabitEthernet0/0/1.13] ip address 20.20.20.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.13] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.13] service load-balance arp-response nat address-group 2
[SPU-XGigabitEthernet0/0/1.13] quit
[SPU] interface xgigabitethernet 0/0/1.14
[SPU-XGigabitEthernet0/0/1.14] control-vid 14 dot1q-termination
[SPU-XGigabitEthernet0/0/1.14] dot1q termination vid 14
[SPU-XGigabitEthernet0/0/1.14] ip address 30.30.30.2 255.255.255.0
[SPU-XGigabitEthernet0/0/1.14] arp broadcast enable
[SPU-XGigabitEthernet0/0/1.14] service load-balance arp-response nat address-group 3
[SPU-XGigabitEthernet0/0/1.14] quit

Step 2 Configure links.
# Create and configure the link isp1, connected to ISP1.
[SPU] load-balance member isp1
[SPU-lb-member-isp1] ip address 20.20.20.1
[SPU-lb-member-isp1] weight 30
[SPU-lb-member-isp1] conn-limit max 10000
[SPU-lb-member-isp1] rate-limit connection 1500
[SPU-lb-member-isp1] rate-limit bandwidth inbound 100 threshold 80
[SPU-lb-member-isp1] rate-limit bandwidth outbound 100 threshold 80
[SPU-lb-member-isp1] quit

# Create and configure the link isp2, connected to ISP2.
[SPU] load-balance member isp2
[SPU-lb-member-isp2] ip address 30.30.30.1
[SPU-lb-member-isp2] weight 90
[SPU-lb-member-isp2] conn-limit max 20000
[SPU-lb-member-isp2] rate-limit connection 3000
[SPU-lb-member-isp2] rate-limit bandwidth inbound 300 threshold 80
[SPU-lb-member-isp2] rate-limit bandwidth outbound 300 threshold 80
[SPU-lb-member-isp2] quit

Step 3 Configure link health detection.
# Set the IP address of XGE 0/0/1.2 to 100.100.100.201/24 and use this interface to obtain the source IP address of the probe packets.
[SPU] interface xgigabitethernet 0/0/1.2
[SPU-XGigabitEthernet0/0/1.2] control-vid 2 dot1q-termination
[SPU-XGigabitEthernet0/0/1.2] dot1q termination vid 2
[SPU-XGigabitEthernet0/0/1.2] ip address 100.100.100.201 24
[SPU-XGigabitEthernet0/0/1.2] quit
[SPU] load-balance ip interface xgigabitethernet 0/0/1.2

# Create the ICMP probe probe1, and set its response timeout to 10, its probing interval to 20, and its probing interval after a link failure to 20.
[SPU] load-balance probe probe1 icmp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] quit

Step 4 Configure a link group.
# Create the link group linkgroup1, set the forwarding mode to redirect, adopt the WRR algorithm, bind probe1 to the group, add isp1 and isp2 as members, and bind NAT address pool 2 and NAT address pool 3 to the respective link instances.
[SPU] load-balance group linkgroup1
[SPU-lb-group-linkgroup1] forward-mode redirect
[SPU-lb-group-linkgroup1] load-balance method roundrobin
[SPU-lb-group-linkgroup1] probe probe1
[SPU-lb-group-linkgroup1] member isp1
[SPU-lb-group-linkgroup1-member-isp1] nat outbound address-group 2
[SPU-lb-group-linkgroup1-member-isp1] inservice
[SPU-lb-group-linkgroup1-member-isp1] quit
[SPU-lb-group-linkgroup1] member isp2
[SPU-lb-group-linkgroup1-member-isp2] nat outbound address-group 3
[SPU-lb-group-linkgroup1-member-isp2] inservice
[SPU-lb-group-linkgroup1-member-isp2] quit
[SPU-lb-group-linkgroup1] quit

Step 5 Configure a Layer 7 classifier.
# Create the Layer 7 classifier l7cls1 and set the matching rule to any.
[SPU] load-balance l7classifier l7cls1
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.
# Create the load balancing action profile act1, set the action to load balance, and bind the load balancing group linkgroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] group linkgroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.
# Create advanced ACL 3000 to permit the packets destined for 60.60.60.0/24. The wildcard 0.0.0.255 matches the whole segment, not only the host 60.60.60.1. Only traffic matching this ACL is classified by the Layer 3 classifier, so widen the rule if all outbound traffic is to be load balanced.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 60.60.60.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, bind the Layer 7 classifier l7cls1 together with the load balancing action profile act1, and set the matching rule to ACL 3000.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.
# Create the load balancing policy lbp1 and bind the Layer 3 classifier l3cls1 to it.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.
# Apply the load balancing policy lbp1 to XGigabitEthernet 0/0/1.12, the sub-interface facing the internal network.
[SPU] interface xgigabitethernet0/0/1.12
[SPU-XGigabitEthernet0/0/1.12] service load-balance policy lbp1
[SPU-XGigabitEthernet0/0/1.12] quit

Step 11 Verify the configuration.
# View the configuration of the links.
[SPU] display load-balance member name isp1
  Member name                 : isp1
  Description                 :
  IP                          : 20.20.20.1
  Max connection              : 10000
  Max connection rate         : 1500
  Inbound max bandwidth rate  : 100(kbps)
  Inbound threshold           : 80%
  Outbound max bandwidth rate : 100(kbps)
  Outbound threshold          : 80%
  Weight                      : 30
  Priority                    : 8
  Cur-connections             : 0
  Closed-connections          : 0
  Inbound cur-bandwidths      : 0
  Outbound cur-bandwidths     : 0
  Group name                  : linkgroup1
[SPU] display load-balance member name isp2
  Member name                 : isp2
  Description                 :
  IP                          : 30.30.30.1
  Max connection              : 20000
  Max connection rate         : 3000
  Inbound max bandwidth rate  : 300(kbps)
  Inbound threshold           : 80%
  Outbound max bandwidth rate : 300(kbps)
  Outbound threshold          : 80%
  Weight                      : 90
  Priority                    : 8
  Cur-connections             : 0
  Closed-connections          : 0
  Inbound cur-bandwidths      : 0
  Outbound cur-bandwidths     : 0
  Group name                  : linkgroup1

# View the configuration of the link group.
[SPU] display load-balance group name linkgroup1
  Group name           : linkgroup1
  Description          :
  Method               : roundrobin
  Forward mode         : redirect
  Switch threshold     : 0%
  Restore threshold    : 0%
  Fail action          : default
  Probe mode           : fail-on-one
  Probe name           : probe1
  Action name          : act1
  Member instance name : isp1 isp2

# View the configuration of the link instances.
[SPU] display load-balance group name linkgroup1 member name isp1 verbose
  Group name                  : linkgroup1
  Member name                 : isp1
  Inservice type              : inservice
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 8000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 8000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 30
  Priority                    : 8
  NAT ID                      : 2
  Pat                         : Yes
  Member instance ID          : 0
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name linkgroup1 member name isp2 verbose
  Group name                  : linkgroup1
  Member name                 : isp2
  Inservice type              : inservice
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 8000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 8000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 90
  Priority                    : 8
  NAT ID                      : 3
  Pat                         : Yes
  Member instance ID          : 1
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)

# View the configuration of the Layer 7 classifier.
[SPU] display load-balance l7classifier name l7cls1
  L7 classifier name : l7cls1
  Description        :
  Match mode         : And
  Match type         : Any
  Case flag          : Sensitive

# View the configuration of the load balancing action.
[SPU] display load-balance action name act1
  Action name  : act1
  Description  :
  Action type  : load-balance
  Group name   : linkgroup1

# View the configuration of the Layer 3 classifier.
[SPU] display load-balance l3classifier name l3cls1
  L3 classifier name        : l3cls1
  Description               :
  Acl                       : 3000
  ICMP reply                : Disable
  NAT ID                    :
  Pat                       :
  Connection parameter name :
  HTTP parameter name       :
  L7 classifier name        : l7cls1
  L7 action name            : act1

# View the configuration of the load balancing policy.
[SPU] display load-balance policy name lbp1
  Policy name              : lbp1
  Description              :
  Bound interface          : XGigabitEthernet0/0/1.12
  Numbers of L3 classifier : 1
  L3 classifier name       : l3cls1
  Action type              : load-balance
  Current group name       : linkgroup1

# Simulate an enterprise user accessing a website, and then view the statistics of the link instances isp1 and isp2 on the SPU. The packet counts of isp1 and isp2 are in the ratio 1:3, which matches the link weights (30:90) and shows that user traffic is distributed over ISP1 and ISP2 by weighted round-robin.
[SPU] display load-balance group name linkgroup1 member name isp1 verbose
[SPU] display load-balance group name linkgroup1 member name isp2 verbose

----End
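To make the behaviour checked in Step 11 concrete, the following Python model is an added example; it is not part of the Huawei documentation or of the SPU software. It reproduces the decision path of policy lbp1 for one new flow: the wildcard-mask match of ACL 3000, weighted round-robin over isp1 (weight 30) and isp2 (weight 90), the per-link conn-limit, and the NAT address pool bound to the chosen link instance. The scheduler is assumed to be a smooth weighted round-robin (the SPU's exact algorithm is not documented here); the class and function names, and the destination address 60.60.60.7 used as sample input, are this example's own.

```python
"""Added example (not Huawei code): model of the egress link load-balancing
decision in section 7.6.1. Assumptions: 'roundrobin' with weights behaves
as a smooth weighted round-robin, and a member is skipped once its
conn-limit is reached or its probe status is down."""
from dataclasses import dataclass
import ipaddress


def acl_wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means
    'ignore this bit', so 'destination 60.60.60.1 0.0.0.255' matches
    every address in 60.60.60.0/24, not only the host 60.60.60.1."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Link:
    """One 'load-balance member' plus the NAT pool bound to its instance."""
    name: str
    gateway: str
    weight: int
    conn_max: int
    nat_pool: int
    status: str = "up"      # result of the ICMP probe
    cur_conn: int = 0

    def available(self):
        return self.status == "up" and self.cur_conn < self.conn_max


class LinkGroup:
    """A 'load-balance group' using weighted round-robin: over one
    scheduling cycle each available member is picked 'weight' times."""

    def __init__(self, members):
        self.members = list(members)
        self.credit = {m.name: 0 for m in self.members}

    def select(self):
        candidates = [m for m in self.members if m.available()]
        if not candidates:
            return None
        total = sum(m.weight for m in candidates)
        for m in candidates:
            self.credit[m.name] += m.weight
        chosen = max(candidates, key=lambda m: self.credit[m.name])
        self.credit[chosen.name] -= total
        return chosen


def new_connection(group, dst_ip, acl_base="60.60.60.1", acl_wild="0.0.0.255"):
    """Policy lbp1 for one new flow: ACL 3000 first, then the link group.
    Returns (link name, NAT pool index), or None when the policy does not
    apply (ACL miss) or no link can take the flow."""
    if not acl_wildcard_match(dst_ip, acl_base, acl_wild):
        return None
    link = group.select()
    if link is None:
        return None
    link.cur_conn += 1
    return link.name, link.nat_pool


def build_linkgroup1():
    """linkgroup1 with the member values configured in Step 2 and Step 4."""
    return LinkGroup([
        Link("isp1", "20.20.20.1", weight=30, conn_max=10000, nat_pool=2),
        Link("isp2", "30.30.30.1", weight=90, conn_max=20000, nat_pool=3),
    ])


def distribution(group, flows, dst_ip="60.60.60.7"):
    """Count how many of 'flows' new connections land on each link
    (dst_ip is a constructed sample destination inside 60.60.60.0/24)."""
    counts = {}
    for _ in range(flows):
        result = new_connection(group, dst_ip)
        if result is not None:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts


if __name__ == "__main__":
    # 120 flows: 30 on isp1 and 90 on isp2, the 1:3 ratio of Step 11
    print(distribution(build_linkgroup1(), 120))
```

Running distribution(build_linkgroup1(), 120) yields 30 flows on isp1 and 90 on isp2, the 1:3 ratio the verification step expects. Marking isp2 down, or exhausting the conn-limit of isp1, moves every new flow to the remaining link, which is the failover behaviour listed in the networking requirements; a destination outside 60.60.60.0/24 never reaches the link group because ACL 3000 does not match it.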

Configuration Files
- Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 60.60.60.0 0.0.0.255
#
nat address-group 2 20.20.20.3 20.20.20.200
nat address-group 3 30.30.30.3 30.30.30.200
#
interface XGigabitEthernet0/0/1.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface XGigabitEthernet0/0/1.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 arp broadcast enable
 service load-balance policy lbp1
#
interface XGigabitEthernet0/0/1.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 20.20.20.2 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 2
#
interface XGigabitEthernet0/0/1.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 30.30.30.2 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group 3
#
load-balance probe probe1 icmp
 interval 20
 fail-interval 20
#
load-balance member isp1
 ip address 20.20.20.1
 weight 30
 conn-limit max 10000
 rate-limit connection 1500
 rate-limit bandwidth inbound 100 threshold 80
 rate-limit bandwidth outbound 100 threshold 80
#
load-balance member isp2
 ip address 30.30.30.1
 weight 90
 conn-limit max 20000
 rate-limit connection 3000
 rate-limit bandwidth inbound 300 threshold 80
 rate-limit bandwidth outbound 300 threshold 80
#
load-balance group linkgroup1
 forward-mode redirect
 member isp1
  inservice
 member isp2
  inservice
 probe probe1
#
load-balance action act1
 group linkgroup1
#
load-balance l7classifier l7cls1
 match any
#
load-balance ip interface XGigabitEthernet0/0/1.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.2 Example for Configuring Layer 3 Server Load Balancing in DMAC Mode
This section describes how to configure Layer 3 server load balancing in DMAC mode to improve service processing capabilities of servers.

Networking Requirements
As shown in Figure 7-9, an internal network user accesses servers on the external network. Four servers form a server group, which provides its service (on port 80) through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address and port are 20.20.20.200:80, and the addresses and ports of Server A, Server B, Server C, and Server D are 20.20.20.1:80, 20.20.20.2:4002, 20.20.20.3:80, and 20.20.20.4:8080. The servers differ in processing capability (CPU, memory, and performance). Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:
- A server with greater processing capability receives more service requests.
- Switch B returns the response packets from the servers to the users.
- After a master server fails, the load balancing device randomly selects an available server from the backup servers.

Switch B is connected to GE 3/0/0 and GE 3/0/1 of Switch A, and the SPU is installed in slot 5 of Switch A. The destination IP address of the external network that the user wants to access is on 60.60.60.1/24.

Figure 7-9 Networking diagram for configuring Layer 3 server load balancing in DMAC mode
(Figure: Host 10.10.10.2/24 - SwitchA, whose XGE5/0/0 and XGE5/0/1 connect to XGE0/0/1 and XGE0/0/2 of the SPU and whose GE3/0/0 and GE3/0/1 connect to SwitchB; SwitchA also reaches the Internet. Behind SwitchB: VIP 20.20.20.200:80, ServerA 20.20.20.1:80, ServerB 20.20.20.2:4002, ServerC 20.20.20.3:80, ServerD 20.20.20.4:8080.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure four server members, corresponding to the four real servers.
3. Configure a probe to detect the health status of the four servers.
4. Configure a server group and bind the four servers to it.
5. Configure a Layer 7 classifier.
6. Configure a load balancing action profile.
7. Configure an advanced ACL.
8. Configure a Layer 3 classifier.
9. Configure a load balancing policy.
10. Apply the load balancing policy to a sub-interface.

Data Preparation
To complete the configuration, you need the following data:
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name of the Layer 3 classifier, and the ACL and Layer 7 classifier bound to it
- Name of the load balancing policy and the interface where it is applied

Procedure
Step 1 Configure traffic importing on SwitchA.
1. Import traffic to the SPU on SwitchA.
<Switch> system-view
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 13
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Add the sub-interfaces to VLANs on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 20.20.20.5 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] quit

Step 2 Configure servers.
# Create the server members servera, serverb, serverc, and serverd, corresponding to the real servers Server A, Server B, Server C, and Server D.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 20.20.20.1
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 20.20.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 20.20.20.3
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 20.20.20.4
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.
# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use this interface to obtain the source IP address of the probe packets.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface eth-trunk 0.2

# Create the TCP probe probe1, and set its response timeout, its probing interval, its probing interval after a failure, the data to send, and the expected response data.
[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit
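The following Python model of the TCP probe configured in Step 3 is an added example; it is not part of the Huawei documentation or of the SPU software. It follows the documented keywords: connect to the member, send the send-data, require a reply that matches the expect-data within time-out seconds, and re-probe every interval seconds while the member is up and every fail-interval seconds once it is down. How the SPU compares the reply is not documented, so the example assumes that a reply beginning with the expected data is a match, and that a refused connection, a timeout or any other reply marks the member down. The listeners are constructed test servers started in threads so that the example runs offline; the probe source interface (load-balance ip interface) is not modelled, and the function and class names are this example's own.

```python
"""Added example (not Huawei code): model of the 'load-balance probe
probe1 tcp' health check from Step 3, run against local test listeners.
Assumption: a reply that starts with expect-data counts as a match."""
import socket
import threading


def start_listener(reply):
    """Constructed test server on 127.0.0.1: reads the probe data and
    answers with 'reply' (None = close without answering).
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.recv(64)
                    if reply is not None:
                        conn.sendall(reply)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def unused_port():
    """A local port with nothing listening, to simulate a dead server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


class TcpProbe:
    """One 'load-balance probe <name> tcp' definition (times in seconds);
    the defaults are the values used in Step 3."""

    def __init__(self, send_data=b"hello", expect_data=b"hello",
                 time_out=10, interval=20, fail_interval=20):
        self.send_data = send_data
        self.expect_data = expect_data
        self.time_out = time_out
        self.interval = interval
        self.fail_interval = fail_interval

    def probe_once(self, host, port):
        """True only if the handshake completes, the server answers before
        time_out, and the answer starts with expect_data."""
        try:
            with socket.create_connection((host, port), timeout=self.time_out) as s:
                s.sendall(self.send_data)
                reply = s.recv(1024)
        except OSError:            # refused, reset, or socket.timeout
            return False
        return len(reply) > 0 and reply.startswith(self.expect_data)

    def next_interval(self, healthy):
        """Seconds until the next probe: interval while up, fail-interval while down."""
        return self.interval if healthy else self.fail_interval


def check_member(probe, host, port):
    """One probe round for a member: returns (status, seconds_until_next_probe)."""
    up = probe.probe_once(host, port)
    return ("up" if up else "down"), probe.next_interval(up)


if __name__ == "__main__":
    port, stop = start_listener(b"hello")
    print(check_member(TcpProbe(time_out=2), "127.0.0.1", port))   # ('up', 20)
    stop()
```

The model shows why the send-data and expect-data pair matters for a TCP probe: a server that accepts the connection but answers with something other than the expected data, or closes without answering, is marked down just like a server whose port is closed, so a half-alive service is removed from the group instead of receiving traffic. After a failure the member is re-probed every fail-interval seconds, which in Step 3 is the same 20 seconds as the normal interval.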

Quidway S9300 Terabit Routing Switch Configuration Guide - SPU

Step 4 Configure a server group. # Create the server group named servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DMAC, and adopt the WRR algorithm.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dmac
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] failaction reassign
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit

# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit

Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile. # Create the load balancing action profile named act1 and set the action to load balance in servergroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.



# Create ACL 3000 to permit packets destined for the virtual IP address 20.20.20.200. Note that the wildcard mask 0.0.0.255 makes the rule match the whole 20.20.20.0/24 network (the running configuration shows the rule normalised to 20.20.20.0 0.0.0.255), so packets sent directly to the real server addresses 20.20.20.1 to 20.20.20.4 are classified as well; use a host wildcard (0.0.0.0) if only traffic to the virtual IP address is to be load balanced.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier. # Create the Layer 3 classifier named l3cls1, set the matching rule to match ACL 3000, bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy. # Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy. # Apply the load balancing policy to Eth-Trunk 0.12 of SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 11 Verify the configuration. # View the configurations of servers.


[SPU] display load-balance member name servera
Member name                 : servera
Description                 :
IP                          : 20.20.20.1
Max connection              : 8000
Max connection rate         : 800
Inbound max bandwidth rate  : 800(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold          : 80%
Weight                      : 80
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverb
Member name                 : serverb
Description                 :
IP                          : 20.20.20.2
Max connection              : 6000
Max connection rate         : 600
Inbound max bandwidth rate  : 600(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold          : 80%
Weight                      : 60
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverc
Member name                 : serverc
Description                 :
IP                          : 20.20.20.3
Max connection              : 4000
Max connection rate         : 400
Inbound max bandwidth rate  : 400(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold          : 80%
Weight                      : 40
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverd
Member name                 : serverd
Description                 :
IP                          : 20.20.20.4
Max connection              : 2000
Max connection rate         : 200
Inbound max bandwidth rate  : 200(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold          : 80%
Weight                      : 20
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1

# View the configuration of the server group.


[SPU] display load-balance group name servergroup1
Group name          : servergroup1
Description         :
Method              : roundrobin
Forward mode        : dmac
Switch threshold    : 0%
Restore threshold   : 0%
Fail action         : default
Probe mode          : fail-on-one
Probe name          : probe1
Action name         : act1
Member instance name: servera serverb serverc serverd

# View the configuration of the load balancing member instance.


[SPU] display load-balance group name servergroup1 member name servera
Group name                       : servergroup1
Member name                      : servera
Inservice type                   : inservice
Port                             :
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 8000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 80
Priority                         : 8
NAT ID                           : -
Pat                              : -
Backup member instance name      : serverc
[SPU] display load-balance group name servergroup1 member name serverb
Group name                       : servergroup1
Member name                      : serverb
Inservice type                   : inservice
Port                             :
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 8000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 60
Priority                         : 8
NAT ID                           : -
Pat                              : -
Backup member instance name      : serverd
[SPU] display load-balance group name servergroup1 member name serverc
Group name                       : servergroup1
Member name                      : serverc
Inservice type                   : inservice standby
Port                             :
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 8000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 40
Priority                         : 8
NAT ID                           : -
Pat                              : -
[SPU] display load-balance group name servergroup1 member name serverd
Group name                       : servergroup1
Member name                      : serverd
Inservice type                   : inservice standby
Port                             :
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 8000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 8000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 20
Priority                         : 8
NAT ID                           : -
Pat                              : -

# View the configuration of the Layer 7 classifier.


[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description        :
Match mode         : Or
Match type         : Any
Case flag          : Sensitive

# View the configuration of the load balancing action.


[SPU] display load-balance action name act1
Action name : act1
Description :
Action type : load-balance
Group name  : servergroup1


# View the configuration of the Layer 3 classifier.


[SPU] display load-balance l3classifier name l3cls1
L3 classifier name        : l3cls1
Description               :
Acl                       : 3000
ICMP reply                : Disable
NAT ID                    :
Pat                       :
Connection parameter name :
HTTP parameter name       :
L7 classifier name        : l7cls1
L7 action name            : act1

# View the configuration of the load balancing policy.


[SPU] display load-balance policy name lbp1
Policy name              : lbp1
Description              :
Bound interface          : Eth-Trunk 0.12
Numbers of L3 classifier : 1
L3 classifier name       : l3cls1
Action type              : load-balance
Current group name       : servergroup1

# Simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.200, and then view the statistics of the member instances servera, serverb, serverc, and serverd on the SPU. Packets are counted only against servera and serverb, in the ratio 4:3 (weights 80:60), indicating that user packets are load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Disconnect the link between the SPU and Server A, repeat the access from 10.10.10.2 to the virtual IP address 20.20.20.200, and view the member instance statistics again. The counters of servera no longer increase while those of serverc do, indicating that user packets are switched to the backup member Server C after Server A fails.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
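The scheduling behaviour that the two checks above verify, as an added Python model that is not code from the Huawei guide or from the SPU: weighted round robin over the in-service members servera (weight 80) and serverb (weight 60), with serverc and serverd as their backup-member entries. The weights, member addresses and backup relationship come from the page; the scheduler internals (the classic max-weight countdown) and the assumption that a backup member inherits the failed master's turns are mine.

```python
import functools
import math
from collections import Counter


class Member:
    """A load balancing member as configured on this page (name, real IP, weight)."""

    def __init__(self, name, ip, weight, backup=None):
        self.name = name
        self.ip = ip
        self.weight = weight
        self.backup = backup      # name of the standby member that takes over on failure
        self.healthy = True       # would be driven by the TCP probe result on the device


class WrrGroup:
    """Weighted round robin over the in-service masters, with per-member standby.

    Assumption (the page does not document the scheduler internals): turns are
    allotted to the masters by the max-weight countdown algorithm, and when a
    master is down its backup-member serves that master's turns, so the surviving
    masters keep their published ratio (4:3 for servera:serverb).
    """

    def __init__(self, members, masters):
        self.members = {m.name: m for m in members}
        self.masters = list(masters)
        weights = [self.members[n].weight for n in self.masters]
        self._gcd = functools.reduce(math.gcd, weights)
        self._max = max(weights)
        self._i = -1              # index of the master whose turn was last considered
        self._cw = 0              # current weight threshold of the countdown

    def _resolve(self, master):
        """The master itself if healthy, else its healthy backup, else None."""
        if master.healthy:
            return master
        backup = self.members.get(master.backup) if master.backup else None
        return backup if backup is not None and backup.healthy else None

    def pick(self):
        """Return the member that serves the next request, or None if nothing is left."""
        if not any(self._resolve(self.members[n]) for n in self.masters):
            return None
        while True:
            self._i = (self._i + 1) % len(self.masters)
            if self._i == 0:
                self._cw -= self._gcd
                if self._cw <= 0:
                    self._cw = self._max
            master = self.members[self.masters[self._i]]
            if master.weight >= self._cw:
                target = self._resolve(master)
                if target is not None:
                    return target


def distribute(group, requests):
    """Dispatch `requests` requests and count how many each member served."""
    counts = Counter()
    for _ in range(requests):
        target = group.pick()
        if target is None:
            break
        counts[target.name] += 1
    return dict(counts)


def build_servergroup1():
    """servergroup1 as configured on this page: servera/serverb masters, serverc/serverd standby."""
    members = [
        Member("servera", "20.20.20.1", 80, backup="serverc"),
        Member("serverb", "20.20.20.2", 60, backup="serverd"),
        Member("serverc", "20.20.20.3", 40),
        Member("serverd", "20.20.20.4", 20),
    ]
    return WrrGroup(members, masters=["servera", "serverb"])


if __name__ == "__main__":
    group = build_servergroup1()
    print("both masters up:", distribute(group, 140))   # servera 80 : serverb 60, i.e. 4:3
    group.members["servera"].healthy = False             # link to Server A cut
    print("servera down:  ", distribute(group, 140))     # serverc serves servera's turns
```

140 requests is 20 full rounds of the 7-slot schedule (80/20 + 60/20), so the counts come out exactly 80:60. Whether a standby member really inherits the master's weight, or is scheduled with its own, is not stated on the page and should be checked on the device with the verbose member statistics before the weights are relied on during a failure.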

----End

Configuration Files
l Configuration file of the SPU

#
 sysname SPU
#
vlan batch 1 12 13
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 20.20.20.5 255.255.255.0
 arp broadcast enable
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 tcp
 interval 20
 fail-interval 20
 send-data hello
 expect-data hello
#
load-balance member servera
 ip address 20.20.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 20.20.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 20.20.20.3
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 20.20.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 failaction reassign
 forward-mode dmac
 member servera
  backup-member serverc
  inservice
 member serverb
  backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance action act1
 group servergroup1
#
load-balance l7classifier l7cls1
 match any
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.3 Example for Configuring Layer 3 Server Load Balancing in DNAT Mode
This section describes how to configure Layer 3 server load balancing in DNAT mode, in which the SPU rewrites the destination address of user packets from the virtual IP address to the address of the selected real server, to improve the service processing capabilities of servers.

Networking Requirements
As shown in Figure 7-10, a user accesses servers through a virtual IP address. There are four servers, which constitute two server groups; the service is provided on the virtual IP address 20.20.20.2, port 80. The user IP address is 10.10.10.2. Server A (10.10.50.2:80) and Server B (10.10.20.2:4002) form one server group; Server C (10.10.30.2:80) and Server D (10.10.40.2:8080) form the other. The processing capabilities of the servers, such as CPU, memory, and performance, are different. The requirements are as follows:

l The server with greater processing capabilities receives more service requests.
l The return traffic of servers passes through the load balancing device.
l Services can be automatically switched between the master server group and the backup server group to ensure successful network access.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-10 Networking diagram for configuring Layer 3 server load balancing in DNAT mode

[Figure: Host 10.10.10.2/24 - Internet - GE3/0/0 on the Switch (VIP 20.20.20.2:80). Switch XGE5/0/0 and XGE5/0/1 connect to SPU XGE0/0/1 and XGE0/0/2. Servers: ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four load balancing members corresponding to the four real servers.
4. Configure a probe to detect the health status of the two server groups.
5. Configure the master and backup server groups and bind them to the four members.
6. Configure a Layer 7 classifier.
7. Configure the load balancing action profile, which sets the master and backup relationship between the two server groups.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.


Data Preparation
To complete the configuration, you need the following data:
l Network segment and index of the NAT address pool
l Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
l Name and related parameters of the probe
l Server group name, load balancing algorithm, and forwarding mode
l Name and matching rule of the Layer 7 classifier
l Load balancing action profile name, action, and master and backup server groups
l Name of the Layer 3 classifier and ACL and Layer 7 classifier bound to the Layer 3 classifier
l Name of the load balancing policy and interface where the load balancing policy is applied

Procedure
Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch. GE 3/0/0 carries VLAN 12 (user side) and GE 3/0/1 to GE 3/0/4 carry VLANs 13 to 16 (one per server); VLAN 1 is removed from every trunk.

<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet 5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet 5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. On the SPU, configure the NAT address pool, bind the two XGE interfaces to Eth-Trunk 0, and create the dot1q-terminated sub-interfaces for the user-side VLAN (12) and the four server-side VLANs (13 to 16). On the server-side sub-interfaces, enable the SPU to answer ARP requests for the addresses in NAT address pool 2; this is needed because source NAT makes the servers address their replies to pool addresses.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group 2
[SPU-Eth-Trunk0.16] quit

Step 2 Configure load balancing members.

# Create the members servera, serverb, serverc, and serverd that represent the real servers Server A, Server B, Server C, and Server D, with their weights, connection limits, and rate limits.

[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and designate the interface as the source of probe packets, so that probes are sent with 100.100.100.201 as their source IP address. Packet filters on the servers must permit this address, or the probe fails and the member is taken out of service.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the TCP probe named probe1, and set the timeout interval of the response of probe1, the probing interval of probe1, the probing interval after probe1 fails, the sent data, and the expected response data.
[SPU] load-balance probe probe1 tcp
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] send-data hello
[SPU-lb-probe-probe1] expect-data hello
[SPU-lb-probe-probe1] quit

Step 4 Configure the server groups.

# Create the server groups servergroup1 and servergroup2. Bind servera and serverb to servergroup1 and serverc and serverd to servergroup2, bind both groups to probe1, set the forwarding mode to DNAT, and adopt the WRR algorithm. On servergroup1, set the switch threshold and the restore threshold to 80%.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method roundrobin
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] switch-threshold 80 restore-threshold 80
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] quit
[SPU] load-balance group servergroup2
[SPU-lb-group-servergroup2] forward-mode dnat
[SPU-lb-group-servergroup2] load-balance method roundrobin
[SPU-lb-group-servergroup2] probe probe1
[SPU-lb-group-servergroup2] member serverc
[SPU-lb-group-servergroup2-member-serverc] member port 80
[SPU-lb-group-servergroup2-member-serverc] inservice
[SPU-lb-group-servergroup2-member-serverc] quit
[SPU-lb-group-servergroup2] member serverd
[SPU-lb-group-servergroup2-member-serverd] member port 8080
[SPU-lb-group-servergroup2-member-serverd] inservice
[SPU-lb-group-servergroup2-member-serverd] quit
[SPU-lb-group-servergroup2] quit


Step 5 Configure a Layer 7 classifier. # Create the Layer 7 classifier named l7cls1 and set the matching rule to any. That is, any packet is matched.
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] match any
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile act1, set the action to load balancing in servergroup1, and specify servergroup2 as the backup server group that takes over when servergroup1 fails.

[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1 backup servergroup2
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.

# Create ACL 3000 to permit packets destined for the virtual IP address 20.20.20.2. The wildcard mask 0.0.0.255 makes the rule match the whole 20.20.20.0/24 network; use a host wildcard (0.0.0.0) if only traffic to the virtual IP address is to be load balanced.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set the matching rule to ACL 3000, bind l3cls1 to l7cls1 and act1, and apply source NAT with address pool 2 (nat outbound) so that the servers address their replies to the SPU and the return traffic passes back through the load balancing device. As a consequence the servers see pool addresses rather than the user IP address 10.10.10.2, so their own logs record the pool address.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit
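The classification and translation that Steps 4, 6, 7 and 8 configure, as an added Python model that is not code from the Huawei guide or from the SPU: ACL wildcard matching (which shows why 20.20.20.1 0.0.0.255 covers the whole /24 including the VIP 20.20.20.2), destination NAT of VIP:80 to the selected member's IP address and member port, source NAT from address pool 2 so that the server's reply is routed back via the SPU, and the fail-on-one switch to servergroup2 as soon as any member of servergroup1 fails. Addresses, ports and the pool range come from the page; the plain round-robin order inside a group (the page uses weighted round robin), the PAT port counter and the exact semantics of fail-on-one are assumptions.

```python
import ipaddress
from itertools import cycle


def acl_wildcard_match(ip, rule_ip, wildcard):
    """Huawei ACL semantics: a 1 bit in the wildcard mask means 'do not compare'.

    `rule permit ip destination 20.20.20.1 0.0.0.255` therefore matches all of
    20.20.20.0/24, which is why the running configuration shows it as 20.20.20.0.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(rule_ip)) & care)


class Member:
    def __init__(self, name, ip, port):
        self.name, self.ip, self.port = name, ip, port
        self.healthy = True                     # driven by probe1 on the real device


class Group:
    """A server group in fail-on-one probe mode (assumed meaning: one failed member
    marks the whole group failed, as the page's failover description implies)."""

    def __init__(self, name, members):
        self.name = name
        self.members = members
        self._rr = cycle(members)               # plain round robin stands in for WRR here

    def usable(self):
        return all(m.healthy for m in self.members)

    def next_member(self):
        return next(self._rr)


class DnatPolicy:
    """l3cls1 from this page: ACL 3000, act1 (servergroup1 with backup servergroup2),
    nat outbound address-group 2 (100.100.100.2 to 100.100.100.200)."""

    def __init__(self, rule_ip, wildcard, primary, backup, pool_first, pool_last):
        self.rule_ip, self.wildcard = rule_ip, wildcard
        self.primary, self.backup = primary, backup
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self._pool = cycle(str(ipaddress.IPv4Address(a)) for a in range(first, last + 1))
        self._next_port = 1024                  # PAT: source ports are rewritten too (Pat : Yes)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the rewritten addresses for one new connection, or None if not balanced."""
        if not acl_wildcard_match(dst_ip, self.rule_ip, self.wildcard):
            return None                         # not matched by l3cls1: forwarded unchanged
        if self.primary.usable():
            group = self.primary
        elif self.backup.usable():
            group = self.backup
        else:
            return None                         # both groups failed: nothing to forward to
        member = group.next_member()
        nat_src = next(self._pool)
        nat_port = self._next_port
        self._next_port += 1
        return {
            "group": group.name,
            "member": member.name,
            "dst": (member.ip, member.port),     # DNAT: VIP:port -> real server:member port
            "src": (nat_src, nat_port),          # SNAT: server sees a pool address, so its
            "client": (src_ip, src_port),        #       reply is routed back through the SPU
        }


def build_policy():
    """Wire up the page's example: VIP 20.20.20.2:80, members and NAT pool as configured."""
    servergroup1 = Group("servergroup1", [Member("servera", "10.10.50.2", 80),
                                          Member("serverb", "10.10.20.2", 4002)])
    servergroup2 = Group("servergroup2", [Member("serverc", "10.10.30.2", 80),
                                          Member("serverd", "10.10.40.2", 8080)])
    return DnatPolicy("20.20.20.1", "0.0.0.255", servergroup1, servergroup2,
                      "100.100.100.2", "100.100.100.200")


if __name__ == "__main__":
    policy = build_policy()
    for port in (40000, 40001):
        print(policy.translate("10.10.10.2", port, "20.20.20.2", 80))
    policy.primary.members[0].healthy = False    # Server A fails: servergroup1 fails as a whole
    print(policy.translate("10.10.10.2", 40002, "20.20.20.2", 80))
    print(policy.translate("10.10.10.2", 40003, "20.20.21.9", 80))   # outside the ACL: None
```

The model makes two operational consequences visible: after the failover every new connection lands on servergroup2 even though serverb is still healthy, and the real servers never see 10.10.10.2 as a source address, which matters for server-side access control and logging.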

Step 9 Configure a load balancing policy. # Create the load balancing policy named lbp1, and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy. # Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit

Step 11 Verify the configuration. # View the configurations of servers.


[SPU] display load-balance member name servera
Member name                 : servera
Description                 :
IP                          : 10.10.50.2
Max connection              : 8000
Max connection rate         : 800
Inbound max bandwidth rate  : 800(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold          : 80%
Weight                      : 80
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverb
Member name                 : serverb
Description                 :
IP                          : 10.10.20.2
Max connection              : 6000
Max connection rate         : 600
Inbound max bandwidth rate  : 600(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold          : 80%
Weight                      : 60
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverc
Member name                 : serverc
Description                 :
IP                          : 10.10.30.2
Max connection              : 4000
Max connection rate         : 400
Inbound max bandwidth rate  : 400(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold          : 80%
Weight                      : 40
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup2
[SPU] display load-balance member name serverd
Member name                 : serverd
Description                 :
IP                          : 10.10.40.2
Max connection              : 2000
Max connection rate         : 200
Inbound max bandwidth rate  : 200(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold          : 80%
Weight                      : 20
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup2

# View the configuration of the server group.


[SPU] display load-balance group name servergroup1
Group name          : servergroup1
Description         :
Method              : roundrobin
Forward mode        : dnat
Switch threshold    : 80%
Restore threshold   : 80%
Fail action         : default
Probe mode          : fail-on-one
Probe name          : probe1
Action name         : act1
Member instance name: servera serverb
[SPU] display load-balance group name servergroup2
Group name          : servergroup2
Description         :
Method              : roundrobin
Forward mode        : dnat
Switch threshold    : 0%
Restore threshold   : 0%
Fail action         : default
Probe mode          : fail-on-one
Probe name          : probe1
Action name         : act1
Member instance name: serverc serverd

# View the configuration of the server instance.


[SPU] display load-balance group name servergroup1 member name servera
Group name                       : servergroup1
Member name                      : servera
Inservice type                   : inservice
Port                             : 80
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 1000000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 80
Priority                         : 8
NAT ID                           : -
Pat                              : -
[SPU] display load-balance group name servergroup1 member name serverb
Group name                       : servergroup1
Member name                      : serverb
Inservice type                   : inservice
Port                             : 4002
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 1000000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 60
Priority                         : 8
NAT ID                           : -
Pat                              : -
[SPU] display load-balance group name servergroup2 member name serverc
Group name                       : servergroup2
Member name                      : serverc
Inservice type                   : inservice
Port                             : 80
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 1000000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 40
Priority                         : 8
NAT ID                           : -
Pat                              : -
[SPU] display load-balance group name servergroup2 member name serverd
Group name                       : servergroup2
Member name                      : serverd
Inservice type                   : inservice
Port                             : 8080
Max connection                   : 4000000
Max connection rate              :
Inbound max bandwidth rate       : 1000000(kbps)
Inbound max bandwidth threshold  : 100%
Outbound max bandwidth rate      : 1000000(kbps)
Outbound max bandwidth threshold : 100%
Weight                           : 20
Priority                         : 8
NAT ID                           : -
Pat                              : -

# View the configuration of the Layer 7 classifier.


[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description        :
Match mode         : Or
Match type         : Any
Case flag          : Sensitive

# View the configuration of the load balancing action.


[SPU] display load-balance action name act1
Action name : act1
Description :
Action type : load-balance
Group name  : servergroup1
Backup name : servergroup2

# View the configuration of the Layer 3 classifier.


[SPU] display load-balance l3classifier name l3cls1
L3 classifier name        : l3cls1
Description               :
Acl                       : 3000
ICMP Reply                : Disable
NAT ID                    : 2
Pat                       : Yes
Connection Parameter Name :
HTTP Parameter Name       :
L7 Classifier Name        : l7cls1
L7 Action Name            : act1

# View the configuration of the load balancing policy.


[SPU] display load-balance policy name lbp1
  Policy name              : lbp1
  Description              :
  Bound interface          : Eth-Trunk 0.12
  Numbers of L3 classifier : 1
  L3 classifier name       : l3cls1
  Action type              : load-balance
  Current group name       : servergroup1

# Simulate the internal network user at 10.10.10.2 to access the virtual IP address 20.20.20.2/24, and then view related information about servera, serverb, serverc, and serverd on the SPU. You can view the packet statistics about server instances servera and serverb. The ratio of packets about servera and serverb is 4:3, indicating that user packets are transmitted through servergroup1 and load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose

# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet statistics of server instances serverc and serverd now increase, indicating that user packets are switched to the backup group servergroup2 after Server A of servergroup1 fails, and are load balanced between Server C and Server D according to their weights (40:20).
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose

# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2 accessing the virtual IP address 20.20.20.2, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet statistics of server instances servera and serverb increase again, whereas those of serverc and serverd do not. That is, user packets are switched back to servergroup1 after Server A recovers, and are load balanced between Server A and Server B according to their weights (80:60).
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup2 member name serverc verbose
[SPU] display load-balance group name servergroup2 member name serverd verbose

----End

Configuration Files

l Configuration file of the SPU

#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
nat address-group 2 100.100.100.2 100.100.100.200
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12
 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 tcp
 interval 20
 fail-interval 20
 send-data hello
 expect-data hello
#
load-balance member servera
 ip address 10.10.50.2
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 10.10.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 10.10.30.2
 weight 40
 conn-limit max 4000
 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 10.10.40.2
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 switch-threshold 80 restore-threshold 80
 forward-mode dnat
 member servera
  member port 80
  inservice
 member serverb
  member port 4002
  inservice
 probe probe1
#
load-balance group servergroup2
 forward-mode dnat
 member serverc
  member port 80
  inservice
 member serverd
  member port 8080
  inservice
 probe probe1
#
load-balance action act1
 group servergroup1 backup servergroup2
#
load-balance l7classifier l7cls1 or
 match any
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return


7.6.4 Example for Configuring Layer 7 Server Load Balancing in DNAT Mode
This example describes how to configure Layer 7 server load balancing in DNAT mode to improve service processing capabilities of servers.

Networking Requirements
As shown in Figure 7-11, a user accesses servers. There are four servers, which constitute a server group. The load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses and ports of the four servers are 10.10.50.2:80, 10.10.20.2:4002, 10.10.30.2:80, and 10.10.40.2:8080. The processing capabilities of the servers (CPU, memory, and performance) differ. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:

l The server with greater processing capabilities receives more service requests.
l The return traffic of the servers passes through the load balancing device.
l After a master server fails, the load balancing device switches its requests to the backup server configured for it.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-11 Networking diagram for configuring Layer 7 server load balancing in DNAT mode

(Topology shown in the figure: Host 10.10.10.2/24 reaches the Switch through the Internet on GE3/0/0; the Switch advertises VIP 20.20.20.2:80; Switch ports XGE5/0/0 and XGE5/0/1 connect to SPU ports XGE0/0/1 and XGE0/0/2; ServerA 10.10.50.2:80, ServerB 10.10.20.2:4002, ServerC 10.10.30.2:80, ServerD 10.10.40.2:8080.)

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four load balancing members, one for each real server.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the four load balancing members to it.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.

Data Preparation

To complete the configuration, you need the following data:

l Network segment and index of the NAT address pool
l Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
l Name and related parameters of the probe
l Server group name, load balancing algorithm, and forwarding mode
l Name and matching rule of the Layer 7 classifier
l Name and action of the load balancing action profile
l Name and matching rule of the Layer 3 classifier
l Name of the load balancing policy and interface where the load balancing policy is applied

Procedure
Step 1 Configure traffic importing on the Switch.

1. Import traffic to the SPU on the Switch.

<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Configure a NAT address pool on the SPU.

<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200

3. Create Eth-Trunk 0 on the SPU and configure a dot1q-terminating sub-interface for each VLAN.

[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit
[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.16] quit

Step 2 Configure servers.

# Create the load balancing members servera, serverb, serverc, and serverd, which correspond to the real servers ServerA, ServerB, ServerC, and ServerD.

[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit
[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.

# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use this interface as the source of the probe packets.

[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the HTTP probe probe1, and set its response timeout, probing interval, probing interval after a failure, the request it sends, and the response it expects. The probe sends a HEAD request for index.html and treats any status code from 0 to 299 as healthy, so a 3xx redirect or a 4xx/5xx error marks the server as down. The user name and password given here are stored and displayed in clear text in the configuration, so use an account dedicated to health checks with no rights beyond fetching the probe URL, rather than an administrative account.

[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.

# Create the server group servergroup1, bind servera, serverb, serverc, and serverd to it, bind probe1 to it, set the forwarding mode to DNAT, and use the hash algorithm based on the HTTP URL.

[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit

# Configure the master and backup relationship (serverc backs up servera, serverd backs up serverb), enable servera and serverb as active members, and enable serverc and serverd as standby members.

[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit

Step 5 Configure a Layer 7 classifier.

# Create the Layer 7 classifier l7cls1 and configure a rule that matches request packets whose URL matches the regular expression slbha[w|W](.*). Note that inside a character class the vertical bar is an ordinary character under standard regular-expression semantics, so [w|W] also matches a literal "|"; write slbha[wW](.*) if only "w" and "W" are intended.

[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit

Step 6 Configure a load balancing action profile.

# Create the load balancing action profile act1 and set its action to load balancing in servergroup1.

[SPU] load-balance action act1
[SPU-lb-action-act1] group servergroup1
[SPU-lb-action-act1] quit

Step 7 Configure an ACL.

# Create ACL 3000 to permit packets destined for the network segment 20.20.20.0/24, which contains the virtual IP address 20.20.20.2. The wildcard mask 0.0.0.255 makes the rule match the whole /24; the device stores the rule with the network address 20.20.20.0, as the configuration file at the end of this example shows.

[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 8 Configure a Layer 3 classifier.

# Create the Layer 3 classifier l3cls1, set its matching rule to ACL 3000, bind l7cls1 and act1 to it, and apply NAT address pool 2 to the outbound direction.

[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit

Step 9 Configure a load balancing policy.

# Create the load balancing policy lbp1 and bind l3cls1 to it.

[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 10 Apply the load balancing policy.

# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.

[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit
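The decision path configured in Steps 3 to 10 (ACL 3000, Layer 7 classifier l7cls1, URL-hash selection in servergroup1, and the backup-member takeover that the verification below relies on) can be modelled offline. The following Python is an added example, not SPU code and not part of this guide: the member names, IP addresses, ports, weights, probe status-code window and regular expression are taken from the steps above, while the SHA-256 URL hash and weighted-bucket selection are an assumed implementation of "load-balance method hash url", not Huawei's algorithm.

```python
"""Offline model of the Layer 7 DNAT decision configured in Steps 3 to 10.

Added example, not SPU code. Names, ports, weights, the probe window and
the URL rule come from the page; the hashing/bucketing is an assumption.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Step 5: l7cls1. Inside a character class '|' is a literal, so the page's
# pattern slbha[w|W](.*) also matches "slbha|"; [wW] is the intended form.
L7_URL_RULE = re.compile(r"slbha[wW](.*)")

# Step 7: ACL 3000 permits destination 20.20.20.0/24 (VIP 20.20.20.2 lies in it).
ACL_3000 = ipaddress.ip_network("20.20.20.0/24")

# Step 3: probe1 accepts HTTP status codes 0..299 as healthy.
PROBE_STATUS_MIN, PROBE_STATUS_MAX = 0, 299


def acl_3000_permits(dst_ip: str) -> bool:
    return ipaddress.ip_address(dst_ip) in ACL_3000


def l7_matches(url_path: str) -> bool:
    """True when the request URL matches l7cls1, so act1 is applied."""
    return L7_URL_RULE.search(url_path) is not None


def probe_accepts(status_code: int) -> bool:
    """Health verdict: 1xx/2xx are up; 3xx redirects and 4xx/5xx are failures."""
    return PROBE_STATUS_MIN <= status_code <= PROBE_STATUS_MAX


@dataclass
class Member:
    name: str
    ip: str
    port: int
    weight: int
    standby: bool = False          # 'inservice standby': used only as a backup
    backup: Optional[str] = None   # 'backup-member <name>'
    up: bool = True                # last probe verdict


class ServerGroup:
    """servergroup1 from Step 4: DNAT, 'load-balance method hash url'."""

    def __init__(self, members):
        self.members = {m.name: m for m in members}

    def set_status(self, name: str, up: bool) -> None:
        self.members[name].up = up

    def select(self, url_path: str) -> Optional[Member]:
        """Pick the real server for one request (assumed weighted URL-hash buckets)."""
        masters = [m for m in self.members.values() if not m.standby]
        total = sum(m.weight for m in masters)
        digest = hashlib.sha256(url_path.encode()).digest()
        bucket = int.from_bytes(digest[:8], "big") % total
        chosen = masters[0]
        for m in masters:
            if bucket < m.weight:
                chosen = m
                break
            bucket -= m.weight
        if chosen.up:
            return chosen
        # Master failed: hand the request to its configured backup member.
        backup = self.members.get(chosen.backup) if chosen.backup else None
        return backup if backup and backup.up else None


def build_servergroup1() -> ServerGroup:
    return ServerGroup([
        Member("servera", "10.10.50.2", 80, 80, backup="serverc"),
        Member("serverb", "10.10.20.2", 4002, 60, backup="serverd"),
        Member("serverc", "10.10.30.2", 80, 40, standby=True),
        Member("serverd", "10.10.40.2", 8080, 20, standby=True),
    ])


def dnat_target(group: ServerGroup, dst_ip: str, url_path: str) -> Optional[tuple]:
    """One request end to end: ACL -> L7 classifier -> group selection -> (ip, port)."""
    if not acl_3000_permits(dst_ip) or not l7_matches(url_path):
        return None   # lbp1 does not apply: no DNAT rewrite
    m = group.select(url_path)
    return (m.ip, m.port) if m else None


if __name__ == "__main__":
    g = build_servergroup1()
    print(dnat_target(g, "20.20.20.2", "/slbhaw/catalog.html"))
    g.set_status("servera", up=False)   # simulates the link to Server A going down
    print(dnat_target(g, "20.20.20.2", "/slbhaw/catalog.html"))
```

Running the block prints the (ip, port) chosen for one URL before and after Server A is marked down; every URL that hashed to servera moves to serverc, while URLs that hashed to serverb are unaffected, which is the behaviour the verification in Step 11 checks with the verbose member statistics.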

Step 11 Verify the configuration.

# View the configurations of the servers.

[SPU] display load-balance member name servera
  Member name                : servera
  Description                :
  IP                         : 10.10.50.2
  Max connection             : 8000
  Max connection rate        : 800
  Inbound max bandwidth rate : 800(kbps)
  Inbound threshold          : 80%
  Outbound max bandwidth rate: 800(kbps)
  Outbound threshold         : 80%
  Weight                     : 80
  Priority                   : 8
  Cur-connections            : 0
  Closed-connections         : 0
  Inbound cur-bandwidths     : 0
  Outbound cur-bandwidths    : 0
  Group name                 : servergroup1
[SPU] display load-balance member name serverb
  Member name                : serverb
  Description                :
  IP                         : 10.10.20.2
  Max connection             : 6000
  Max connection rate        : 600
  Inbound max bandwidth rate : 600(kbps)
  Inbound threshold          : 80%
  Outbound max bandwidth rate: 600(kbps)
  Outbound threshold         : 80%
  Weight                     : 60
  Priority                   : 8
  Cur-connections            : 0
  Closed-connections         : 0
  Inbound cur-bandwidths     : 0
  Outbound cur-bandwidths    : 0
  Group name                 : servergroup1
[SPU] display load-balance member name serverc
  Member name                : serverc
  Description                :
  IP                         : 10.10.30.2
  Max connection             : 4000
  Max connection rate        : 400
  Inbound max bandwidth rate : 400(kbps)
  Inbound threshold          : 80%
  Outbound max bandwidth rate: 400(kbps)
  Outbound threshold         : 80%
  Weight                     : 40
  Priority                   : 8
  Cur-connections            : 0
  Closed-connections         : 0
  Inbound cur-bandwidths     : 0
  Outbound cur-bandwidths    : 0
  Group name                 : servergroup1
[SPU] display load-balance member name serverd
  Member name                : serverd
  Description                :
  IP                         : 10.10.40.2
  Max connection             : 2000
  Max connection rate        : 200
  Inbound max bandwidth rate : 200(kbps)
  Inbound threshold          : 80%
  Outbound max bandwidth rate: 200(kbps)
  Outbound threshold         : 80%
  Weight                     : 20
  Priority                   : 8
  Cur-connections            : 0
  Closed-connections         : 0
  Inbound cur-bandwidths     : 0
  Outbound cur-bandwidths    : 0
  Group name                 : servergroup1

# View the configuration of the probe.

[SPU] display load-balance probe name probe1
  Probe name         : probe1
  Description        :
  Probe type         : http
  Source IP          : 100.100.100.201
  Destination port   :
  Probe port         :
  Interval           : 20(s)
  Retry count        : 3
  Fail interval      : 20(s)
  Fail retry count   : 3
  Timeout            : 10(s)
  Extra user         : admin
  Extra password     : admin
  Extra request type : head
  Extra URL          : index.html
  Extra header field : Accept-Charset
  Extra header value : iso-8859-5
  Status code        : <0-299>
  Group name         : servergroup1

# View the configuration of the server group.

[SPU] display load-balance group name servergroup1
  Group name          : servergroup1
  Description         :
  Method              : hash url
  Forward mode        : dnat
  Switch threshold    : 0%
  Restore threshold   : 0%
  Fail action         : default
  Probe mode          : fail-on-one
  Probe name          : probe1
  Member instance name: servera serverb serverc serverd

# View the configuration of the server instances.

[SPU] display load-balance group name servergroup1 member name servera verbose
  Group name                  : servergroup1
  Member name                 : servera
  Inservice type              : inservice
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 1000000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 1000000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 80
  Priority                    : 8
  NAT ID                      :
  Pat                         : -
  Backup member instance name : serverc
  Member instance ID          : 0
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)


[SPU] display load-balance group name servergroup1 member name serverb verbose
  Group name                  : servergroup1
  Member name                 : serverb
  Inservice type              : inservice
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 1000000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 1000000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 60
  Priority                    : 8
  NAT ID                      :
  Pat                         : -
  Backup member instance name : serverd
  Member instance ID          : 1
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
  Group name                  : servergroup1
  Member name                 : serverc
  Inservice type              : inservice standby
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 1000000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 1000000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 40
  Priority                    : 8
  NAT ID                      :
  Pat                         : -
  Member instance ID          : 2
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverd verbose
  Group name                  : servergroup1
  Member name                 : serverd
  Inservice type              : inservice standby
  Port                        :
  Max connection              : 4000000
  Max connection rate         :
  Inbound max bandwidth rate  : 1000000(kbps)
  Inbound max threshold       : 100%
  Outbound max bandwidth rate : 1000000(kbps)
  Outbound max threshold      : 100%
  Weight                      : 20
  Priority                    : 8
  NAT ID                      :
  Pat                         : -
  Member instance ID          : 3
  Status                      : up
  Inbound bytes               : 0
  Outbound bytes              : 0
  Inbound packets             : 0
  Outbound packets            : 0
  Cur-connection              : 0
  Closed-connections          : 0
  Inbound Cur-bandwidths      : 0(bytes/s)
  Outbound Cur-bandwidths     : 0(bytes/s)

# View the configuration of the Layer 7 classifier.


[SPU] display load-balance l7classifier name l7cls1
  L7 classifier name : l7cls1
  Description        :
  Match mode         : Or
  Match type         : HTTP
  Case flag          : Sensitive
  Http URL           : 1 slbha[w|W](.*)

# View the configuration of the load balancing action.


[SPU] display load-balance action name act1
  Action name : act1
  Description :
  Action type : load-balance
  Group name  : servergroup1

# View the configuration of the Layer 3 classifier.


[SPU] display load-balance l3classifier name l3cls1
  L3 classifier name        : l3cls1
  Description               :
  Acl                       : 3000
  ICMP reply                : Disable
  NAT ID                    : 2
  Pat                       : Yes
  Connection parameter name :
  HTTP parameter name       :
  L7 classifier name        : l7cls1
  L7 action name            : act1

# View the configuration of the load balancing policy.


[SPU] display load-balance policy name lbp1
  Policy name              : lbp1
  Description              :
  Bound interface          : Eth-Trunk 0.12
  Numbers of L3 classifier : 1
  L3 classifier name       : l3cls1
  Action type              : load-balance
  Current group name       : servergroup1

# Simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet statistics of server instances servera and serverb increase while those of serverc and serverd stay at zero, indicating that user packets are forwarded through servergroup1 and distributed between Server A and Server B by the URL hash algorithm configured for the group (weights 80 and 60); the standby members serverc and serverd carry no traffic while both masters are up.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose


# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2 again, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet statistics of server instance serverc now increase, indicating that the requests for Server A are switched to its configured backup member Server C after Server A fails, while Server B continues to serve its share.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

----End

Configuration Files
l

Configuration file of the SPU


# sysname SPU # acl number 3000 rule 5 permit ip destination 20.20.20.0 0.0.0.255 # nat address-group 2 100.100.100.2 100.100.100.200 # interface Eth-Trunk0 # interface Eth-Trunk0.2 control-vid 2 dot1q-termination dot1q termination vid 2 ip address 100.100.100.201 255.255.255.0 # interface Eth-Trunk0.12 control-vid 12 dot1q-termination dot1q termination vid 12 ip address 10.10.10.1 255.255.255.0 service load-balance policy lbp1 arp broadcast enable # interface Eth-Trunk0.13 control-vid 13 dot1q-termination dot1q termination vid 13 ip address 10.10.50.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface Eth-Trunk0.14 control-vid 14 dot1q-termination dot1q termination vid 14 ip address 10.10.20.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface Eth-Trunk0.15 control-vid 15 dot1q-termination dot1q termination vid 15 ip address 10.10.30.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface Eth-Trunk0.16 control-vid 16 dot1q-termination dot1q termination vid 16 ip address 10.10.40.1 255.255.255.0 arp broadcast enable service load-balance arp-response nat address-group # interface XGigabitEthernet0/0/1

Issue 02 (2010-07-15)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

7-93

7 Load Balancing Configuration

Quidway S9300 Terabit Routing Switch Configuration Guide - SPU

eth-trunk 0 # interface XGigabitEthernet0/0/2 eth-trunk 0 # load-balance probe probe1 http interval 20 fail-interval 20 user admin password admin header Accept-Charset header-value iso-8859-5 request method head url index.html expect status-code min 0 max 299 # load-balance member servera ip address 192.168.20.1 weight 80 conn-limit max 8000 rate-limit connection 800 rate-limit bandwidth inbound 800 threshold 80 rate-limit bandwidth outbound 800 threshold 80 # load-balance member serverb ip address 192.168.20.2 weight 60 conn-limit max 6000 rate-limit connection 600 rate-limit bandwidth inbound 600 threshold 80 rate-limit bandwidth outbound 600 threshold 80 # load-balance member serverc ip address 192.168.20.3 weight 40 conn-limit max 4000 rate-limit connection 400 rate-limit bandwidth inbound 400 threshold 80 rate-limit bandwidth outbound 400 threshold 80 # load-balance member serverd ip address 192.168.20.4 weight 20 conn-limit max 2000 rate-limit connection 200 rate-limit bandwidth inbound 200 threshold 80 rate-limit bandwidth outbound 200 threshold 80 # load-balance group servergroup1 forward-mode dnat member servera backup-member serverc inservice member serverb backup-member serverd inservice member serverc inservice standby member serverd inservice standby probe probe1 # load-balance action act1 group servergroup1 # load-balance l7classifier l7cls1 or rule 1 match http url slbha[w|W](.*) # load-balance ip interface Eth-Trunk 0.2 # load-balance l3classifier l3cls1



 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return


7.6.5 Example for Configuring Session Stickiness


This section provides an example for configuring session stickiness. With the session stickiness function, requests from the same type of user are processed by the same server, which meets the e-commerce requirements of internal network users.

Networking Requirements
As shown in Figure 7-12, a user accesses servers. Four servers constitute a server group, and the load balancing group provides HTTP services through a virtual IP address. The user IP address is 10.10.10.2, the virtual IP address is 20.20.20.2:80, and the IP addresses of the four servers are 192.168.20.1:80, 192.168.20.2:4002, 192.168.20.3:80, and 192.168.20.4:8080. The processing capabilities of the servers, such as CPU, memory, and performance, differ. Server C is the backup server of Server A and Server D is the backup server of Server B. The requirements are as follows:
- The server with greater processing capabilities receives more service requests.
- The return traffic of servers passes through the load balancing device.
- After the master server fails, the load balancing device randomly selects an available server from backup servers.

The Switch is connected to the Internet through GE 3/0/0 and the SPU is installed in slot 5 of the Switch. GE 3/0/1, GE 3/0/2, GE 3/0/3, and GE 3/0/4 of the Switch are connected to ServerA, ServerB, ServerC, and ServerD respectively.


Figure 7-12 Networking diagram for configuring Layer 7 server load balancing in DNAT mode
[Figure: Host 10.10.10.2/24; Internet; Switch (GE3/0/0, VIP 20.20.20.2:80); Switch XGE5/0/0 and XGE5/0/1 connected to SPU XGE0/0/1 and XGE0/0/2; ServerA 10.10.50.2:80; ServerB 10.10.20.2:4002; ServerC 10.10.30.2:80; ServerD 10.10.40.2:8080]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic importing.
2. Configure a NAT address pool.
3. Configure four servers to communicate with four real servers.
4. Configure a probe to detect the health status of the four servers.
5. Configure a load balancing group and bind the load balancing group to the four load balancing members.
6. Configure a Layer 7 classifier.
7. Configure a load balancing action profile and specify an action.
8. Configure an advanced ACL.
9. Configure a Layer 3 classifier.
10. Configure a load balancing policy.
11. Apply the load balancing policy to a sub-interface.

Data Preparation
To complete the configuration, you need the following data:
- Network segment and index of the NAT address pool
- Server names, connection quantity limits, connection rate limits, and bandwidth rate limits
- Name and related parameters of the probe
- Server group name, load balancing algorithm, and forwarding mode
- Name and related parameters of the sticky group
- Name and matching rule of the Layer 7 classifier
- Name and action of the load balancing action profile
- Name and matching rule of the Layer 3 classifier
- Name of the load balancing policy and interface where the load balancing policy is applied

Procedure
Step 1 Configure traffic importing on the Switch.
1. Import traffic to the SPU on the Switch.
<Switch> system-view
[Switch] vlan batch 12 to 16
[Switch] interface gigabitethernet 3/0/0
[Switch-GigabitEthernet3/0/0] port link-type trunk
[Switch-GigabitEthernet3/0/0] port trunk allow-pass vlan 12
[Switch-GigabitEthernet3/0/0] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/0] quit
[Switch] interface gigabitethernet 3/0/1
[Switch-GigabitEthernet3/0/1] port link-type trunk
[Switch-GigabitEthernet3/0/1] port trunk allow-pass vlan 13
[Switch-GigabitEthernet3/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/1] quit
[Switch] interface gigabitethernet 3/0/2
[Switch-GigabitEthernet3/0/2] port link-type trunk
[Switch-GigabitEthernet3/0/2] port trunk allow-pass vlan 14
[Switch-GigabitEthernet3/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/2] quit
[Switch] interface gigabitethernet 3/0/3
[Switch-GigabitEthernet3/0/3] port link-type trunk
[Switch-GigabitEthernet3/0/3] port trunk allow-pass vlan 15
[Switch-GigabitEthernet3/0/3] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/3] quit
[Switch] interface gigabitethernet 3/0/4
[Switch-GigabitEthernet3/0/4] port link-type trunk
[Switch-GigabitEthernet3/0/4] port trunk allow-pass vlan 16
[Switch-GigabitEthernet3/0/4] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet3/0/4] quit
[Switch] interface eth-trunk 0
[Switch-Eth-Trunk0] port link-type trunk
[Switch-Eth-Trunk0] port trunk allow-pass vlan 12 to 16
[Switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk0] quit
[Switch] interface xgigabitethernet5/0/0
[Switch-XGigabitEthernet5/0/0] eth-trunk 0
[Switch-XGigabitEthernet5/0/0] quit
[Switch] interface xgigabitethernet5/0/1
[Switch-XGigabitEthernet5/0/1] eth-trunk 0
[Switch-XGigabitEthernet5/0/1] quit

2. Configure a NAT address pool on the SPU.
<Quidway> system-view
[Quidway] sysname SPU
[SPU] nat address-group 2 100.100.100.2 100.100.100.200

3. Add an interface to a VLAN on the SPU.
[SPU] interface eth-trunk 0
[SPU-Eth-Trunk0] quit


[SPU] interface xgigabitethernet 0/0/1
[SPU-XGigabitEthernet0/0/1] eth-trunk 0
[SPU-XGigabitEthernet0/0/1] quit
[SPU] interface xgigabitethernet 0/0/2
[SPU-XGigabitEthernet0/0/2] eth-trunk 0
[SPU-XGigabitEthernet0/0/2] quit
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] control-vid 12 dot1q-termination
[SPU-Eth-Trunk0.12] dot1q termination vid 12
[SPU-Eth-Trunk0.12] ip address 10.10.10.1 255.255.255.0
[SPU-Eth-Trunk0.12] arp broadcast enable
[SPU-Eth-Trunk0.12] quit
[SPU] interface eth-trunk 0.13
[SPU-Eth-Trunk0.13] control-vid 13 dot1q-termination
[SPU-Eth-Trunk0.13] dot1q termination vid 13
[SPU-Eth-Trunk0.13] ip address 10.10.50.1 255.255.255.0
[SPU-Eth-Trunk0.13] arp broadcast enable
[SPU-Eth-Trunk0.13] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.13] quit
[SPU] interface eth-trunk 0.14
[SPU-Eth-Trunk0.14] control-vid 14 dot1q-termination
[SPU-Eth-Trunk0.14] dot1q termination vid 14
[SPU-Eth-Trunk0.14] ip address 10.10.20.1 255.255.255.0
[SPU-Eth-Trunk0.14] arp broadcast enable
[SPU-Eth-Trunk0.14] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.14] quit
[SPU] interface eth-trunk 0.15
[SPU-Eth-Trunk0.15] control-vid 15 dot1q-termination
[SPU-Eth-Trunk0.15] dot1q termination vid 15
[SPU-Eth-Trunk0.15] ip address 10.10.30.1 255.255.255.0
[SPU-Eth-Trunk0.15] arp broadcast enable
[SPU-Eth-Trunk0.15] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.15] quit
[SPU] interface eth-trunk 0.16
[SPU-Eth-Trunk0.16] control-vid 16 dot1q-termination
[SPU-Eth-Trunk0.16] dot1q termination vid 16
[SPU-Eth-Trunk0.16] ip address 10.10.40.1 255.255.255.0
[SPU-Eth-Trunk0.16] arp broadcast enable
[SPU-Eth-Trunk0.16] service load-balance arp-response nat address-group
[SPU-Eth-Trunk0.16] quit

Step 2 Configure servers.
# Create the servers servera, serverb, serverc, and serverd, and configure them to communicate with ServerA, ServerB, ServerC, and ServerD.
[SPU] load-balance member servera
[SPU-lb-member-servera] ip address 10.10.50.2
[SPU-lb-member-servera] weight 80
[SPU-lb-member-servera] conn-limit max 8000
[SPU-lb-member-servera] rate-limit connection 800
[SPU-lb-member-servera] rate-limit bandwidth inbound 800 threshold 80
[SPU-lb-member-servera] rate-limit bandwidth outbound 800 threshold 80
[SPU-lb-member-servera] quit
[SPU] load-balance member serverb
[SPU-lb-member-serverb] ip address 10.10.20.2
[SPU-lb-member-serverb] weight 60
[SPU-lb-member-serverb] conn-limit max 6000
[SPU-lb-member-serverb] rate-limit connection 600
[SPU-lb-member-serverb] rate-limit bandwidth inbound 600 threshold 80
[SPU-lb-member-serverb] rate-limit bandwidth outbound 600 threshold 80
[SPU-lb-member-serverb] quit
[SPU] load-balance member serverc
[SPU-lb-member-serverc] ip address 10.10.30.2
[SPU-lb-member-serverc] weight 40
[SPU-lb-member-serverc] conn-limit max 4000
[SPU-lb-member-serverc] rate-limit connection 400
[SPU-lb-member-serverc] rate-limit bandwidth inbound 400 threshold 80
[SPU-lb-member-serverc] rate-limit bandwidth outbound 400 threshold 80
[SPU-lb-member-serverc] quit

[SPU] load-balance member serverd
[SPU-lb-member-serverd] ip address 10.10.40.2
[SPU-lb-member-serverd] weight 20
[SPU-lb-member-serverd] conn-limit max 2000
[SPU-lb-member-serverd] rate-limit connection 200
[SPU-lb-member-serverd] rate-limit bandwidth inbound 200 threshold 80
[SPU-lb-member-serverd] rate-limit bandwidth outbound 200 threshold 80
[SPU-lb-member-serverd] quit

Step 3 Configure health detection.
# Set the IP address of Eth-Trunk 0.2 to 100.100.100.201/24 and use this interface to supply the source IP address of the probe packets.
[SPU] interface eth-trunk 0.2
[SPU-Eth-Trunk0.2] control-vid 2 dot1q-termination
[SPU-Eth-Trunk0.2] dot1q termination vid 2
[SPU-Eth-Trunk0.2] ip address 100.100.100.201 24
[SPU-Eth-Trunk0.2] quit
[SPU] load-balance ip interface Eth-Trunk 0.2

# Create the HTTP probe probe1, and set its response timeout, probing interval, probing interval after a failure, the data to send, and the expected response data.
[SPU] load-balance probe probe1 http
[SPU-lb-probe-probe1] time-out 10
[SPU-lb-probe-probe1] interval 20
[SPU-lb-probe-probe1] fail-interval 20
[SPU-lb-probe-probe1] user admin password admin
[SPU-lb-probe-probe1] header accept-charset header-value iso-8859-5
[SPU-lb-probe-probe1] request method head url index.html
[SPU-lb-probe-probe1] expect status-code min 0 max 299
[SPU-lb-probe-probe1] quit

Step 4 Configure a server group.
# Create the server group servergroup1, bind servergroup1 to servera, serverb, serverc, and serverd, bind servergroup1 to probe1, set the forwarding mode to DNAT, and use the hash algorithm based on the HTTP URL.
[SPU] load-balance group servergroup1
[SPU-lb-group-servergroup1] forward-mode dnat
[SPU-lb-group-servergroup1] load-balance method hash url
[SPU-lb-group-servergroup1] probe probe1
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] member port 80
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] member port 4002
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] member port 80
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] member port 8080
[SPU-lb-group-servergroup1-member-serverd] quit

# Configure the master and backup relationship and enable servera, serverb, serverc, and serverd.
[SPU-lb-group-servergroup1] member servera
[SPU-lb-group-servergroup1-member-servera] backup-member serverc
[SPU-lb-group-servergroup1-member-servera] inservice
[SPU-lb-group-servergroup1-member-servera] quit
[SPU-lb-group-servergroup1] member serverb
[SPU-lb-group-servergroup1-member-serverb] backup-member serverd
[SPU-lb-group-servergroup1-member-serverb] inservice
[SPU-lb-group-servergroup1-member-serverb] quit
[SPU-lb-group-servergroup1] member serverc
[SPU-lb-group-servergroup1-member-serverc] inservice standby
[SPU-lb-group-servergroup1-member-serverc] quit
[SPU-lb-group-servergroup1] member serverd
[SPU-lb-group-servergroup1-member-serverd] inservice standby
[SPU-lb-group-servergroup1-member-serverd] quit
[SPU-lb-group-servergroup1] quit

Step 5 Configure session stickiness.
# Create the sticky group stickygroup1, configure a static sticky entry, and perform stickiness on the destination IP address.
[SPU] load-balance stickygroup stickygroup1 mask 255.255.255.0 destination-ip
[SPU-lb-stickygroup-stickygroup1] group servergroup1
[SPU-lb-stickygroup-stickygroup1] static client destination 20.20.20.2 member servera
[SPU-lb-stickygroup-stickygroup1] quit

Step 6 Configure a Layer 7 classifier.
# Create the Layer 7 classifier l7cls1 and configure the matching rule to match request packets whose URL matches slbha[w|W](.*).
[SPU] load-balance l7classifier l7cls1 or
[SPU-lb-l7classifier-l7cls1] rule match http url slbha[w|W](.*)
[SPU-lb-l7classifier-l7cls1] quit

Step 7 Configure a load balancing action profile.
# Create the load balancing action profile act1 and set the action to load balance in servergroup1.
[SPU] load-balance action act1
[SPU-lb-action-act1] stickygroup stickygroup1
[SPU-lb-action-act1] quit

Step 8 Configure an ACL.
# Create ACL 3000 to permit packets whose destination IP address is in 20.20.20.1/24.
[SPU] acl number 3000
[SPU-acl-adv-3000] rule permit ip destination 20.20.20.1 0.0.0.255
[SPU-acl-adv-3000] quit

Step 9 Configure a Layer 3 classifier.
# Create the Layer 3 classifier l3cls1, set the matching rule to match ACL 3000, and bind l3cls1 to l7cls1 and act1.
[SPU] load-balance l3classifier l3cls1
[SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
[SPU-lb-l3classifier-l3cls1] if-match acl 3000
[SPU-lb-l3classifier-l3cls1] nat outbound address-group 2
[SPU-lb-l3classifier-l3cls1] quit

Step 10 Configure a load balancing policy.
# Create the load balancing policy lbp1 and bind l3cls1 to lbp1.
[SPU] load-balance policy lbp1
[SPU-lb-policy-lbp1] l3classifier l3cls1
[SPU-lb-policy-lbp1] quit

Step 11 Apply the load balancing policy.
# Apply the load balancing policy to Eth-Trunk 0.12 of the SPU.
[SPU] interface eth-trunk 0.12
[SPU-Eth-Trunk0.12] service load-balance policy lbp1
[SPU-Eth-Trunk0.12] quit


Step 12 Verify the configuration.
# View the configurations of the servers.
[SPU] display load-balance member name servera
Member name                 : servera
Description                 :
IP                          : 10.10.50.2
Max connection              : 8000
Max connection rate         : 800
Inbound max bandwidth rate  : 800(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 800(kbps)
Outbound threshold          : 80%
Weight                      : 80
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverb
Member name                 : serverb
Description                 :
IP                          : 10.10.20.2
Max connection              : 6000
Max connection rate         : 600
Inbound max bandwidth rate  : 600(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 600(kbps)
Outbound threshold          : 80%
Weight                      : 60
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverc
Member name                 : serverc
Description                 :
IP                          : 10.10.30.2
Max connection              : 4000
Max connection rate         : 400
Inbound max bandwidth rate  : 400(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 400(kbps)
Outbound threshold          : 80%
Weight                      : 40
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1
[SPU] display load-balance member name serverd
Member name                 : serverd
Description                 :
IP                          : 10.10.40.2
Max connection              : 2000
Max connection rate         : 200
Inbound max bandwidth rate  : 200(kbps)
Inbound threshold           : 80%
Outbound max bandwidth rate : 200(kbps)
Outbound threshold          : 80%
Weight                      : 20
Priority                    : 8
Cur-connections             : 0
Closed-connections          : 0
Inbound cur-bandwidths      : 0
Outbound cur-bandwidths     : 0
Group name                  : servergroup1

# View the configuration of the probe.
[SPU] display load-balance probe name probe1
Probe name          : probe1
Description         :
Probe type          : http
Source IP           : 100.100.100.201
Destination port    :
Probe port          :
Interval            : 20(s)
Retry count         : 3
Fail interval       : 20(s)
Fail retry count    : 3
Timeout             : 10(s)
Extra user          : admin
Extra password      : admin
Extra request type  : head
Extra URL           : index.html
Extra header field  : Accept-Charset
Extra header value  : iso-8859-5
Status code         : <0-299>
Group name          : servergroup1

# View the configuration of the server group.
[SPU] display load-balance group name servergroup1
Group name          : servergroup1
Description         :
Method              : hash url
Forward mode        : dnat
Switch threshold    : 0%
Restore threshold   : 0%
Fail action         : default
Probe mode          : fail-on-one
Probe name          : probe1
Stickgroup name     : stickygroup1
Member instance name: servera serverb serverc serverd

# View the configuration of the server instances.
[SPU] display load-balance group name servergroup1 member name servera verbose
Group name                  : servergroup1
Member name                 : servera
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 80
Priority                    : 8
NAT ID                      :
Pat                         :
Backup member instance name : serverc
Member instance ID          : 0
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverb verbose
Group name                  : servergroup1
Member name                 : serverb
Inservice type              : inservice
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 60
Priority                    : 8
NAT ID                      :
Pat                         : -
Backup member instance name : serverd
Member instance ID          : 1
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverc verbose
Group name                  : servergroup1
Member name                 : serverc
Inservice type              : inservice standby
Port                        :
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 40
Priority                    : 8
NAT ID                      :
Pat                         : -
Member instance ID          : 2
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)
[SPU] display load-balance group name servergroup1 member name serverd verbose
Group name                  : servergroup1
Member name                 : serverd
Inservice type              : inservice standby
Port                        : -
Max connection              : 4000000
Max connection rate         :
Inbound max bandwidth rate  : 1000000(kbps)
Inbound max threshold       : 100%
Outbound max bandwidth rate : 1000000(kbps)
Outbound max threshold      : 100%
Weight                      : 20
Priority                    : 8
NAT ID                      :
Pat                         : -
Member instance ID          : 3
Status                      : up
Inbound bytes               : 0
Outbound bytes              : 0
Inbound packets             : 0
Outbound packets            : 0
Cur-connection              : 0
Closed-connections          : 0
Inbound Cur-bandwidths      : 0(bytes/s)
Outbound Cur-bandwidths     : 0(bytes/s)

# View the configuration of stickygroup1.
[SPU] display load-balance stickygroup name stickygroup1
Stickygroup name        : stickygroup1
Description             :
Sticky method           : Destination IP sticky
Master group name       : servergroup1
Backup group name       :
Timeout                 : 1440(min)
Mask length             : 24
Static sticky entry num : 1

# View the configuration of the Layer 7 classifier.
[SPU] display load-balance l7classifier name l7cls1
L7 classifier name : l7cls1
Description        :
Match mode         : Or
Match type         : HTTP
Case flag          : Sensitive
Http URL           : 1 slbha[w|W](.*)

# View the configuration of the load balancing action.
[SPU] display load-balance action name act1
Action name      : act1
Description      :
Action type      : sticky-load-balance
Stickygroup name : stickygroup1

# View the configuration of the Layer 3 classifier.
[SPU] display load-balance l3classifier name l3cls1
L3 classifier name        : l3cls1
Description               :
Acl                       : 3000
ICMP reply                : Disable
NAT ID                    : 2
Pat                       : Yes
Connection parameter name :
HTTP parameter name       :
L7 classifier name        : l7cls1
L7 action name            : act1

# View the configuration of the load balancing policy.
[SPU] display load-balance policy name lbp1
Policy name              : lbp1
Description              :
Bound interface          : Eth-Trunk 0.12
Numbers of L3 classifier : 1
L3 classifier name       : l3cls1
Action type              : sticky-load-balance
Stickygroup name         : stickygroup1
Current group name       : servergroup1


# Simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2/24, and then view the information about servera, serverb, serverc, and serverd on the SPU. Packet statistics are shown for the server instances servera and serverb. The ratio of servera packets to serverb packets is 4:3, indicating that user packets are transmitted through servergroup1 and are load balanced between Server A and Server B in WRR mode.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Disconnect the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2/24, and then view the information about servera, serverb, serverc, and serverd on the SPU. Packet statistics are shown for the server instances serverc and serverd, indicating that user packets are switched to Server C after Server A becomes faulty.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose

# Recover the link between the SPU and Server A, simulate the internal network user at 10.10.10.2/24 accessing the virtual IP address 20.20.20.2/24, and then view the information about servera, serverb, serverc, and serverd on the SPU. The packet statistics of the server instance servera increase, indicating that Server A provides services when the user accesses 20.20.20.2. Session stickiness is implemented.
[SPU] display load-balance group name servergroup1 member name servera verbose
[SPU] display load-balance group name servergroup1 member name serverb verbose
[SPU] display load-balance group name servergroup1 member name serverc verbose
[SPU] display load-balance group name servergroup1 member name serverd verbose
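The behaviour that the three verification runs above check (WRR at 4:3 between servera and serverb, failover to the backup-member serverc once servera fails its probes, and the static destination-IP sticky entry sending traffic back to servera when it recovers) can be replayed offline with the following Python model. It is an added illustration, not SPU code: the member names, weights, backup pairs, sticky entry, expected status-code range and retry counts come from the configuration above, while the smooth weighted round robin scheduler and all class and function names are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, Iterable, Optional

# Probe behaviour from the example: "expect status-code min 0 max 299";
# retry count 3 marks a member down, fail retry count 3 marks it up again.
EXPECT_MIN, EXPECT_MAX = 0, 299
RETRY_COUNT, FAIL_RETRY_COUNT = 3, 3


@dataclass
class Member:
    name: str
    weight: int
    backup: Optional[str] = None  # backup-member <name>
    standby: bool = False         # inservice standby: used only as a backup
    up: bool = True               # health state maintained by the probe
    streak: int = 0               # consecutive probe results opposing `up`
    current: int = 0              # smooth-WRR running score

    def probe(self, status: Optional[int]) -> bool:
        """Record one HEAD probe result (None = timeout); return up/down."""
        ok = status is not None and EXPECT_MIN <= status <= EXPECT_MAX
        self.streak = self.streak + 1 if ok != self.up else 0
        if self.streak >= (RETRY_COUNT if self.up else FAIL_RETRY_COUNT):
            self.up, self.streak = not self.up, 0
        return self.up


class ServerGroup:
    """Models servergroup1: WRR among masters, failover to backup-member."""

    def __init__(self, members: Iterable[Member]) -> None:
        self.members: Dict[str, Member] = {m.name: m for m in members}

    def resolve(self, name: str) -> Optional[str]:
        """Who serves for `name`: the member, its live backup, or nobody."""
        m = self.members[name]
        if m.up:
            return name
        if m.backup and self.members[m.backup].up:
            return m.backup
        return None

    def next_wrr(self) -> Optional[str]:
        """Smooth weighted round robin over the non-standby masters."""
        # Over sum(weights) picks each master is chosen exactly `weight`
        # times, so weights 80:60 give the 4:3 split quoted in the text.
        chosen, total = None, 0
        for m in (x for x in self.members.values() if not x.standby):
            m.current += m.weight
            total += m.weight
            if chosen is None or m.current > chosen.current:
                chosen = m
        if chosen is None:
            return None
        chosen.current -= total
        return self.resolve(chosen.name)


class StickyGroup:
    """Destination-IP stickiness with a mask, like stickygroup1 (mask 24)."""

    def __init__(self, group: ServerGroup, mask_len: int) -> None:
        self.group, self.mask_len = group, mask_len
        self.entries: Dict[IPv4Network, str] = {}

    def _key(self, dst: str) -> IPv4Network:
        return IPv4Network(f"{dst}/{self.mask_len}", strict=False)

    def static(self, dst: str, member: str) -> None:
        """static client destination <dst> member <member>"""
        self.entries[self._key(dst)] = member

    def dispatch(self, dst: str) -> Optional[str]:
        """Sticky entry first (with backup failover), otherwise WRR."""
        entry = self.entries.get(self._key(dst))
        if entry is not None:
            return self.group.resolve(entry)
        return self.group.next_wrr()


def build_example() -> StickyGroup:
    """servergroup1 and stickygroup1 as configured in this section."""
    group = ServerGroup([
        Member("servera", 80, backup="serverc"),
        Member("serverb", 60, backup="serverd"),
        Member("serverc", 40, standby=True),
        Member("serverd", 20, standby=True),
    ])
    sticky = StickyGroup(group, mask_len=24)
    sticky.static("20.20.20.2", "servera")
    return sticky


def distribute(lb: StickyGroup, dst: str, n: int) -> Dict[str, int]:
    """Dispatch n requests for dst and count which member served each."""
    served = [lb.dispatch(dst) for _ in range(n)]
    return dict(Counter(m for m in served if m is not None))
```

Calling `distribute(build_example(), "30.30.30.30", 140)` for a destination without a sticky entry yields 80 requests on servera and 60 on serverb, and `dispatch("20.20.20.2")` returns servera, serverc after three failed probes, and servera again after three successful ones.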

----End

Configuration Files
- Configuration file of the SPU


#
 sysname SPU
#
acl number 3000
 rule 5 permit ip destination 20.20.20.0 0.0.0.255
#
nat address-group 2 100.100.100.2 100.100.100.200
#
interface Eth-Trunk0
#
interface Eth-Trunk0.2
 control-vid 2 dot1q-termination
 dot1q termination vid 2
 ip address 100.100.100.201 255.255.255.0
#
interface Eth-Trunk0.12


 control-vid 12 dot1q-termination
 dot1q termination vid 12
 ip address 10.10.10.1 255.255.255.0
 service load-balance policy lbp1
 arp broadcast enable
#
interface Eth-Trunk0.13
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 10.10.50.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.14
 control-vid 14 dot1q-termination
 dot1q termination vid 14
 ip address 10.10.20.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.15
 control-vid 15 dot1q-termination
 dot1q termination vid 15
 ip address 10.10.30.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface Eth-Trunk0.16
 control-vid 16 dot1q-termination
 dot1q termination vid 16
 ip address 10.10.40.1 255.255.255.0
 arp broadcast enable
 service load-balance arp-response nat address-group
#
interface XGigabitEthernet0/0/1
 eth-trunk 0
#
interface XGigabitEthernet0/0/2
 eth-trunk 0
#
load-balance probe probe1 http
 interval 20
 fail-interval 20
 user admin password admin
 header Accept-Charset header-value iso-8859-5
 request method head url index.html
 expect status-code min 0 max 299
#
load-balance member servera
 ip address 192.168.20.1
 weight 80
 conn-limit max 8000
 rate-limit connection 800
 rate-limit bandwidth inbound 800 threshold 80
 rate-limit bandwidth outbound 800 threshold 80
#
load-balance member serverb
 ip address 192.168.20.2
 weight 60
 conn-limit max 6000
 rate-limit connection 600
 rate-limit bandwidth inbound 600 threshold 80
 rate-limit bandwidth outbound 600 threshold 80
#
load-balance member serverc
 ip address 192.168.20.3
 weight 40
 conn-limit max 4000


 rate-limit connection 400
 rate-limit bandwidth inbound 400 threshold 80
 rate-limit bandwidth outbound 400 threshold 80
#
load-balance member serverd
 ip address 192.168.20.4
 weight 20
 conn-limit max 2000
 rate-limit connection 200
 rate-limit bandwidth inbound 200 threshold 80
 rate-limit bandwidth outbound 200 threshold 80
#
load-balance group servergroup1
 forward-mode dnat
 member servera
  backup-member serverc
  inservice
 member serverb
  backup-member serverd
  inservice
 member serverc
  inservice standby
 member serverd
  inservice standby
 probe probe1
#
load-balance stickygroup stickygroup1 mask 24 destination-ip
 group servergroup1
 static client destination 20.20.20.2 member servera
#
load-balance action act1
 stickygroup stickygroup1
#
load-balance l7classifier l7cls1 or
 rule 1 match http url slbha[w|W](.*)
#
load-balance ip interface Eth-Trunk 0.2
#
load-balance l3classifier l3cls1
 l7classifier l7cls1 action act1
 nat outbound address-group 2
 if-match acl 3000
#
load-balance policy lbp1
 l3classifier l3cls1
#
return

7.6.6 Example for Configuring Standard Firewall Load Balancing


In this example, standard firewall load balancing is configured to improve the service processing capability of the firewall.

Networking Requirements
As shown in Figure 7-13, the user accesses the server through FWA and FWB (FWA and FWB are the two SPUs on SwitchB). FWA and FWB constitute a firewall group that provides external services. The IP address of the user is 20.20.20.3/24 and the VIP is 3.3.3.3:80; the firewalls with IP addresses 7.7.61.2/24 and 10.10.61.2/24 constitute the firewall group. The processing capabilities of the two firewalls, including CPU usage, memory usage, and performance, differ. The requirements are as follows:
- The firewall with greater processing capabilities receives more service requests.
- Any traffic received through one firewall is sent back through the same firewall.

Figure 7-13 Networking for configuring standard firewall load balancing
[Figure: Host 20.20.20.3/24; IP Network; SwitchA (GE1/0/25, GE1/0/26, GE1/0/27; XGE5/0/0 and XGE5/0/1 to SPU XGE0/0/1 and XGE0/0/2; VIP 3.3.3.3:80); SwitchB with FWA and FWB (GE4/0/6, GE4/0/7, GE4/0/2, GE4/0/3); SwitchC (GE1/0/22, GE1/0/23, GE1/0/28); IP Network; ServerA; ServerB]

Configuration Roadmap
The configuration roadmap is as follows:
- SwitchA (level-1 load balancing device)
  1. Configure traffic importing.
  2. Configure two firewalls to communicate with two real firewalls.
  3. Configure a firewall group, including DMAC and bundle of the preceding two firewalls.
  4. Configure a Layer 7 classifier.
  5. Configure a load balancing action profile and bind it to the firewall group.
  6. Configure an advanced ACL.
  7. Configure a Layer 3 classifier.
  8. Configure a load balancing policy.
  9. Apply the load balancing policy to a sub-interface.
- SwitchB (firewall device)
  1. Import traffic to the firewall.
  2. Configure security zones and interzone.
  3. Add sub-interfaces to security zones.
- SwitchC (level-2 load balancing device)
  1. Configure traffic importing.
  2. Configure a NAT address pool.
  3. Configure two servers to communicate with two real servers.
  4. Configure a server group and bind it to the two servers.
  5. Configure a Layer 7 classifier.
  6. Configure a load balancing action profile and specify an action.
  7. Configure an advanced ACL.
  8. Configure a Layer 3 classifier.
  9. Configure a load balancing policy.
  10. Apply the load balancing policy to a sub-interface and enable MAC address stickiness.

Data Preparation
To complete the configuration, you need the following data:
- SwitchA (level-1 load balancing device)
  - Firewall names
  - Firewall group name and forwarding mode
  - Name and matching rule of the Layer 7 classifier
  - Name and action of the load balancing action profile
  - Name of the Layer 3 classifier and the ACL and Layer 7 classifier bound to it
  - Name of the load balancing policy and interface where the load balancing policy is applied
- SwitchB (firewall device)
  - Security zone names
  - Interfaces where security zones are applied
- SwitchC (level-2 load balancing device)
  - Network segment and index of the NAT address pool
  - Server name
  - Server group name and forwarding mode
  - Name and matching rule of the Layer 7 classifier
  - Name and action of the load balancing action profile
  - Name of the Layer 3 classifier and the ACL and Layer 7 classifier bound to it
  - Name of the load balancing policy and interface where the load balancing policy is applied


Procedure
- Configure SwitchA.
  1. Configure traffic importing on SwitchA.
     (1) Import traffic to the SPU on SwitchA.
    <Quidway> system-view
    [Quidway] sysname SwitchA
    [SwitchA] vlan batch 400 600 700
    [SwitchA] interface Eth-Trunk 0
    [SwitchA-Eth-Trunk0] port link-type trunk
    [SwitchA-Eth-Trunk0] port trunk allow-pass vlan 400 600 700
    [SwitchA-Eth-Trunk0] quit
    [SwitchA] interface GigabitEthernet1/0/25
    [SwitchA-GigabitEthernet1/0/25] port link-type trunk
    [SwitchA-GigabitEthernet1/0/25] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet1/0/25] port trunk allow-pass vlan 400
    [SwitchA-GigabitEthernet1/0/25] quit
    [SwitchA] interface GigabitEthernet1/0/26
    [SwitchA-GigabitEthernet1/0/26] port link-type trunk
    [SwitchA-GigabitEthernet1/0/26] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet1/0/26] port trunk allow-pass vlan 600
    [SwitchA-GigabitEthernet1/0/26] quit
    [SwitchA] interface GigabitEthernet1/0/27
    [SwitchA-GigabitEthernet1/0/27] port link-type trunk
    [SwitchA-GigabitEthernet1/0/27] undo port trunk allow-pass vlan 1
    [SwitchA-GigabitEthernet1/0/27] port trunk allow-pass vlan 700
    [SwitchA-GigabitEthernet1/0/27] quit
    [SwitchA] interface XGigabitEthernet5/0/0
    [SwitchA-XGigabitEthernet5/0/0] eth-Trunk 0
    [SwitchA-XGigabitEthernet5/0/0] quit
    [SwitchA] interface XGigabitEthernet5/0/1
    [SwitchA-XGigabitEthernet5/0/1] eth-Trunk 0
    [SwitchA-XGigabitEthernet5/0/1] quit

     (2) Add the inbound and outbound interfaces to VLANs on the SPU.
    <Quidway> system-view
    [Quidway] sysname SPU
    [SPU] interface Eth-Trunk 0
    [SPU-Eth-Trunk0] quit
    [SPU] interface Eth-Trunk0.5
    [SPU-Eth-Trunk0.5] control-vid 400 dot1q-termination
    [SPU-Eth-Trunk0.5] dot1q termination vid 400
    [SPU-Eth-Trunk0.5] ip address 20.20.20.1 255.255.255.0
    [SPU-Eth-Trunk0.5] arp broadcast enable
    [SPU-Eth-Trunk0.5] quit
    [SPU] interface Eth-Trunk0.6
    [SPU-Eth-Trunk0.6] control-vid 600 dot1q-termination
    [SPU-Eth-Trunk0.6] dot1q termination vid 600
    [SPU-Eth-Trunk0.6] ip address 7.7.61.1 255.255.255.0
    [SPU-Eth-Trunk0.6] arp broadcast enable
    [SPU-Eth-Trunk0.6] quit
    [SPU] interface Eth-Trunk0.7
    [SPU-Eth-Trunk0.7] control-vid 700 dot1q-termination
    [SPU-Eth-Trunk0.7] dot1q termination vid 700
    [SPU-Eth-Trunk0.7] ip address 10.10.61.1 255.255.255.0
    [SPU-Eth-Trunk0.7] arp broadcast enable
    [SPU-Eth-Trunk0.7] quit
    [SPU] interface XGigabitEthernet0/0/1
    [SPU-XGigabitEthernet0/0/1] eth-Trunk 0
    [SPU-XGigabitEthernet0/0/1] quit
    [SPU] interface XGigabitEthernet0/0/2
    [SPU-XGigabitEthernet0/0/2] eth-Trunk 0
    [SPU-XGigabitEthernet0/0/2] quit

  2. Configure the firewalls on the SPU of SwitchA.
     # Create the firewall members s11 and s21 and point them at the real firewalls s11 (SPUA, 7.7.61.2) and s21 (SPUB, 10.10.61.2). The weights 15 and 30 make s21 receive twice the traffic of s11.
    [SPU] load-balance member s11
    [SPU-lb-member-s11] ip address 7.7.61.2
    [SPU-lb-member-s11] weight 15
    [SPU-lb-member-s11] priority 15
    [SPU-lb-member-s11] quit
    [SPU] load-balance member s21
    [SPU-lb-member-s21] ip address 10.10.61.2
    [SPU-lb-member-s21] weight 30
    [SPU-lb-member-s21] priority 15
    [SPU-lb-member-s21] quit

  3. Configure a firewall group on the SPU of SwitchA.
     # Create the firewall group sg11, bind sg11 to firewalls s11 and s21, and set the forwarding mode to DMAC.
    [SPU] load-balance group sg11
    [SPU-lb-group-sg11] forward-mode dmac
    [SPU-lb-group-sg11] member s11
    [SPU-lb-group-sg11-member-s11] inservice
    [SPU-lb-group-sg11-member-s11] quit
    [SPU-lb-group-sg11] member s21
    [SPU-lb-group-sg11-member-s21] inservice
    [SPU-lb-group-sg11-member-s21] quit
    [SPU-lb-group-sg11] quit

  4. Configure a Layer 7 classifier.
     # Create the Layer 7 classifier l7cls1 and set the matching rule to any, so that every packet is matched.
    [SPU] load-balance l7classifier l7cls1 and
    [SPU-lb-l7classifier-l7cls1] match any
    [SPU-lb-l7classifier-l7cls1] quit

  5. Configure a load balancing action profile.
     # Create the load balancing action profile act1 and set its action to load balancing in sg11.
    [SPU] load-balance action act1
    [SPU-lb-action-act1] group sg11
    [SPU-lb-action-act1] quit

  6. Configure an ACL.
     # Create ACL 3005 to permit packets whose destination IP address is in the VIP segment 3.3.3.0/24 (the VIP is 3.3.3.3; the wildcard 0.0.0.255 matches the whole /24).
    [SPU] acl number 3005
    [SPU-acl-adv-3005] rule permit ip destination 3.3.3.3 0.0.0.255
    [SPU-acl-adv-3005] quit

  7. Configure a Layer 3 classifier.
     # Create the Layer 3 classifier l3cls1, set its matching rule to ACL 3005, and bind l3cls1 to l7cls1 and act1.
    [SPU] load-balance l3classifier l3cls1
    [SPU-lb-l3classifier-l3cls1] l7classifier l7cls1 action act1
    [SPU-lb-l3classifier-l3cls1] if-match acl 3005
    [SPU-lb-l3classifier-l3cls1] quit

  8. Configure a load balancing policy.
     # Create the load balancing policy lbp1 and bind l3cls1 to it.
    [SPU] load-balance policy lbp1
    [SPU-lb-policy-lbp1] l3classifier l3cls1
    [SPU-lb-policy-lbp1] quit

  9. Apply the load balancing policy.
     # Apply the load balancing policy to the user-facing sub-interface of the SPU.
    [SPU] interface Eth-Trunk0.5
    [SPU-Eth-Trunk0.5] service load-balance policy lbp1
    [SPU-Eth-Trunk0.5] quit

- Configure SwitchB.
  1. Configure traffic importing on SwitchB.
     (1) Import traffic from SwitchB to SPUA, that is, FWA. SPUA is installed in slot 8.
    <Quidway> system-view
    [Quidway] sysname SwitchB
    [SwitchB] vlan batch 600 800
    [SwitchB] interface Eth-Trunk 0
    [SwitchB-Eth-Trunk0] port link-type trunk
    [SwitchB-Eth-Trunk0] port trunk allow-pass vlan 600 800
    [SwitchB-Eth-Trunk0] quit
    [SwitchB] interface GigabitEthernet4/0/6
    [SwitchB-GigabitEthernet4/0/6] port link-type trunk
    [SwitchB-GigabitEthernet4/0/6] undo port trunk allow-pass vlan 1
    [SwitchB-GigabitEthernet4/0/6] port trunk allow-pass vlan 600
    [SwitchB-GigabitEthernet4/0/6] quit
    [SwitchB] interface GigabitEthernet4/0/2
    [SwitchB-GigabitEthernet4/0/2] port link-type trunk
    [SwitchB-GigabitEthernet4/0/2] undo port trunk allow-pass vlan 1
    [SwitchB-GigabitEthernet4/0/2] port trunk allow-pass vlan 800
    [SwitchB-GigabitEthernet4/0/2] quit
    [SwitchB] interface XGigabitEthernet8/0/0
    [SwitchB-XGigabitEthernet8/0/0] eth-Trunk 0
    [SwitchB-XGigabitEthernet8/0/0] quit
    [SwitchB] interface XGigabitEthernet8/0/1
    [SwitchB-XGigabitEthernet8/0/1] eth-Trunk 0
    [SwitchB-XGigabitEthernet8/0/1] quit
     (2) Import traffic from SwitchB to SPUB, that is, FWB. SPUB is installed in slot 11.
    [SwitchB] vlan batch 700 900
    [SwitchB] interface Eth-Trunk 1
    [SwitchB-Eth-Trunk1] port link-type trunk
    [SwitchB-Eth-Trunk1] port trunk allow-pass vlan 700 900
    [SwitchB-Eth-Trunk1] quit
    [SwitchB] interface GigabitEthernet4/0/7
    [SwitchB-GigabitEthernet4/0/7] port link-type trunk
    [SwitchB-GigabitEthernet4/0/7] undo port trunk allow-pass vlan 1
    [SwitchB-GigabitEthernet4/0/7] port trunk allow-pass vlan 700
    [SwitchB-GigabitEthernet4/0/7] quit
    [SwitchB] interface GigabitEthernet4/0/3
    [SwitchB-GigabitEthernet4/0/3] port link-type trunk
    [SwitchB-GigabitEthernet4/0/3] undo port trunk allow-pass vlan 1
    [SwitchB-GigabitEthernet4/0/3] port trunk allow-pass vlan 900
    [SwitchB-GigabitEthernet4/0/3] quit
    [SwitchB] interface XGigabitEthernet11/0/0
    [SwitchB-XGigabitEthernet11/0/0] eth-Trunk 1
    [SwitchB-XGigabitEthernet11/0/0] quit
    [SwitchB] interface XGigabitEthernet11/0/1
    [SwitchB-XGigabitEthernet11/0/1] eth-Trunk 1
    [SwitchB-XGigabitEthernet11/0/1] quit

     (3) Add the inbound and outbound interfaces to VLANs on SPUA and configure static routes that forward the VIP traffic to the SPU of SwitchC and the return traffic back to the SPU of SwitchA.
    <Quidway> system-view
    [Quidway] sysname SPUA
    [SPUA] interface Eth-Trunk 0
    [SPUA-Eth-Trunk0] quit
    [SPUA] interface Eth-Trunk0.5
    [SPUA-Eth-Trunk0.5] control-vid 600 dot1q-termination
    [SPUA-Eth-Trunk0.5] dot1q termination vid 600
    [SPUA-Eth-Trunk0.5] ip address 7.7.61.2 255.255.255.0
    [SPUA-Eth-Trunk0.5] arp broadcast enable
    [SPUA-Eth-Trunk0.5] quit
    [SPUA] interface Eth-Trunk0.6
    [SPUA-Eth-Trunk0.6] control-vid 800 dot1q-termination
    [SPUA-Eth-Trunk0.6] dot1q termination vid 800
    [SPUA-Eth-Trunk0.6] ip address 11.11.61.1 255.255.255.0
    [SPUA-Eth-Trunk0.6] arp broadcast enable
    [SPUA-Eth-Trunk0.6] quit
    [SPUA] interface XGigabitEthernet0/0/1
    [SPUA-XGigabitEthernet0/0/1] eth-Trunk 0
    [SPUA-XGigabitEthernet0/0/1] quit
    [SPUA] interface XGigabitEthernet0/0/2
    [SPUA-XGigabitEthernet0/0/2] eth-Trunk 0
    [SPUA-XGigabitEthernet0/0/2] quit
    [SPUA] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
    [SPUA] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1

     (4) Add the inbound and outbound interfaces to VLANs on SPUB and configure the corresponding static routes.
    <Quidway> system-view
    [Quidway] sysname SPUB
    [SPUB] interface Eth-Trunk 0
    [SPUB-Eth-Trunk0] quit
    [SPUB] interface Eth-Trunk 0.5
    [SPUB-Eth-Trunk0.5] control-vid 700 dot1q-termination
    [SPUB-Eth-Trunk0.5] dot1q termination vid 700
    [SPUB-Eth-Trunk0.5] ip address 10.10.61.2 255.255.255.0
    [SPUB-Eth-Trunk0.5] arp broadcast enable
    [SPUB-Eth-Trunk0.5] quit
    [SPUB] interface Eth-Trunk 0.6
    [SPUB-Eth-Trunk0.6] control-vid 900 dot1q-termination
    [SPUB-Eth-Trunk0.6] dot1q termination vid 900
    [SPUB-Eth-Trunk0.6] ip address 12.12.61.1 255.255.255.0
    [SPUB-Eth-Trunk0.6] arp broadcast enable
    [SPUB-Eth-Trunk0.6] quit
    [SPUB] interface XGigabitEthernet0/0/1
    [SPUB-XGigabitEthernet0/0/1] eth-Trunk 0
    [SPUB-XGigabitEthernet0/0/1] quit
    [SPUB] interface XGigabitEthernet0/0/2
    [SPUB-XGigabitEthernet0/0/2] eth-Trunk 0
    [SPUB-XGigabitEthernet0/0/2] quit
    [SPUB] ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
    [SPUB] ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1

  2. Configure the firewalls on SPUA and SPUB of SwitchB.
     # Configure the security zones and the interzone on SPUA. Zone a (priority 20) faces SwitchA and zone b (priority 50) faces SwitchC, so user traffic towards the VIP crosses the interzone in the inbound direction. The default permit action is used here only so that the load balancing path can be verified; in a production deployment, restrict the interzone so that only traffic destined for the VIP is permitted.
    [SPUA] firewall zone a
    [SPUA-zone-a] priority 20
    [SPUA-zone-a] quit
    [SPUA] firewall zone b
    [SPUA-zone-b] priority 50
    [SPUA-zone-b] quit
    [SPUA] firewall interzone b a
    [SPUA-interzone-b-a] firewall enable
    [SPUA-interzone-b-a] packet-filter default permit inbound
    [SPUA-interzone-b-a] quit

     # Configure the security zones and the interzone on SPUB in the same way.
    [SPUB] firewall zone a
    [SPUB-zone-a] priority 20
    [SPUB-zone-a] quit
    [SPUB] firewall zone b
    [SPUB-zone-b] priority 50
    [SPUB-zone-b] quit
    [SPUB] firewall interzone b a
    [SPUB-interzone-b-a] firewall enable
    [SPUB-interzone-b-a] packet-filter default permit inbound
    [SPUB-interzone-b-a] quit

  3. Apply the security zones to the sub-interfaces of SPUA and SPUB on SwitchB.
     # Apply the security zones to the sub-interfaces of SPUA.
    [SPUA] interface Eth-Trunk 0.5
    [SPUA-Eth-Trunk0.5] zone a
    [SPUA-Eth-Trunk0.5] quit
    [SPUA] interface Eth-Trunk 0.6
    [SPUA-Eth-Trunk0.6] zone b
    [SPUA-Eth-Trunk0.6] quit


     # Apply the security zones to the sub-interfaces of SPUB.
    [SPUB] interface Eth-Trunk 0.5
    [SPUB-Eth-Trunk0.5] zone a
    [SPUB-Eth-Trunk0.5] quit
    [SPUB] interface Eth-Trunk 0.6
    [SPUB-Eth-Trunk0.6] zone b
    [SPUB-Eth-Trunk0.6] quit

- Configure SwitchC.
  1. Configure traffic importing on SwitchC.
     (1) Import traffic from SwitchC to the SPU. The SPU is installed in slot 2.
    <Quidway> system-view
    [Quidway] sysname SwitchC
    [SwitchC] vlan batch 800 900 1000
    [SwitchC] interface Eth-Trunk 1
    [SwitchC-Eth-Trunk1] port link-type trunk
    [SwitchC-Eth-Trunk1] port trunk allow-pass vlan 800 900 1000
    [SwitchC-Eth-Trunk1] quit
    [SwitchC] interface GigabitEthernet1/0/22
    [SwitchC-GigabitEthernet1/0/22] port link-type trunk
    [SwitchC-GigabitEthernet1/0/22] undo port trunk allow-pass vlan 1
    [SwitchC-GigabitEthernet1/0/22] port trunk allow-pass vlan 800
    [SwitchC-GigabitEthernet1/0/22] quit
    [SwitchC] interface GigabitEthernet1/0/23
    [SwitchC-GigabitEthernet1/0/23] port link-type trunk
    [SwitchC-GigabitEthernet1/0/23] undo port trunk allow-pass vlan 1
    [SwitchC-GigabitEthernet1/0/23] port trunk allow-pass vlan 900
    [SwitchC-GigabitEthernet1/0/23] quit
    [SwitchC] interface GigabitEthernet1/0/28
    [SwitchC-GigabitEthernet1/0/28] port link-type trunk
    [SwitchC-GigabitEthernet1/0/28] undo port trunk allow-pass vlan 1
    [SwitchC-GigabitEthernet1/0/28] port trunk allow-pass vlan 1000
    [SwitchC-GigabitEthernet1/0/28] quit
    [SwitchC] interface XGigabitEthernet2/0/0
    [SwitchC-XGigabitEthernet2/0/0] eth-Trunk 1
    [SwitchC-XGigabitEthernet2/0/0] quit
    [SwitchC] interface XGigabitEthernet2/0/1
    [SwitchC-XGigabitEthernet2/0/1] eth-Trunk 1
    [SwitchC-XGigabitEthernet2/0/1] quit
     (2) Add the inbound and outbound interfaces to VLANs on the SPU.
    <Quidway> system-view
    [Quidway] sysname SPU
    [SPU] interface Eth-Trunk 0
    [SPU-Eth-Trunk0] quit
    [SPU] interface Eth-Trunk 0.8
    [SPU-Eth-Trunk0.8] control-vid 800 dot1q-termination
    [SPU-Eth-Trunk0.8] dot1q termination vid 800
    [SPU-Eth-Trunk0.8] ip address 11.11.61.2 255.255.255.0
    [SPU-Eth-Trunk0.8] arp broadcast enable
    [SPU-Eth-Trunk0.8] quit
    [SPU] interface Eth-Trunk 0.9
    [SPU-Eth-Trunk0.9] control-vid 900 dot1q-termination
    [SPU-Eth-Trunk0.9] dot1q termination vid 900
    [SPU-Eth-Trunk0.9] ip address 12.12.61.2 255.255.255.0
    [SPU-Eth-Trunk0.9] arp broadcast enable
    [SPU-Eth-Trunk0.9] quit
    [SPU] interface Eth-Trunk 0.10
    [SPU-Eth-Trunk0.10] control-vid 1000 dot1q-termination
    [SPU-Eth-Trunk0.10] dot1q termination vid 1000
    [SPU-Eth-Trunk0.10] ip address 100.100.100.1 255.255.255.0
    [SPU-Eth-Trunk0.10] arp broadcast enable
    [SPU-Eth-Trunk0.10] quit
    [SPU] interface XGigabitEthernet0/0/1
    [SPU-XGigabitEthernet0/0/1] eth-Trunk 0
    [SPU-XGigabitEthernet0/0/1] quit
    [SPU] interface XGigabitEthernet0/0/2
    [SPU-XGigabitEthernet0/0/2] eth-Trunk 0
    [SPU-XGigabitEthernet0/0/2] quit

  2. Configure a NAT address pool on the SPU.
    [SPU] nat address-group 2 33.33.33.33 33.33.33.250
  3. Configure the servers.
     # Create the server members s31 and s32 and point them at the real servers s31 (100.100.100.8) and s32 (100.100.100.10).
    [SPU] load-balance member s31
    [SPU-lb-member-s31] ip address 100.100.100.8
    [SPU-lb-member-s31] quit
    [SPU] load-balance member s32
    [SPU-lb-member-s32] ip address 100.100.100.10
    [SPU-lb-member-s32] quit

  4. Configure a server group.
     # Create the server group sg31 and bind s31 and s32 to it.
    [SPU] load-balance group sg31
    [SPU-lb-group-sg31] member s31
    [SPU-lb-group-sg31-member-s31] inservice
    [SPU-lb-group-sg31-member-s31] quit
    [SPU-lb-group-sg31] member s32
    [SPU-lb-group-sg31-member-s32] inservice
    [SPU-lb-group-sg31-member-s32] quit
    [SPU-lb-group-sg31] quit

  5. Configure a Layer 7 classifier.
     # Create the Layer 7 classifier l7 with a rule that matches HTTP requests whose URL contains html.
    [SPU] load-balance l7classifier l7 and
    [SPU-lb-l7classifier-l7] rule 1 match http url html
    [SPU-lb-l7classifier-l7] quit

  6. Configure a load balancing action profile.
     # Create the load balancing action profile act3 and set its action to load balancing in sg31.
    [SPU] load-balance action act3
    [SPU-lb-action-act3] group sg31
    [SPU-lb-action-act3] quit

  7. Configure an ACL.
     # Create ACL 3007 to permit packets whose destination IP address is in the VIP segment 3.3.3.0/24.
    [SPU] acl number 3007
    [SPU-acl-adv-3007] rule permit ip destination 3.3.3.3 0.0.0.255
    [SPU-acl-adv-3007] quit

  8. Configure a Layer 3 classifier.
     # Create the Layer 3 classifier l3, set its matching rule to ACL 3007, bind l3 to l7 and act3, and apply outbound NAT with address pool 2 so that the servers' replies return through the SPU.
    [SPU] load-balance l3classifier l3
    [SPU-lb-l3classifier-l3] l7classifier l7 action act3
    [SPU-lb-l3classifier-l3] nat outbound address-group 2
    [SPU-lb-l3classifier-l3] if-match acl 3007
    [SPU-lb-l3classifier-l3] quit

  9. Configure a load balancing policy.
     # Create the load balancing policy lp and bind l3 to it.
    [SPU] load-balance policy lp
    [SPU-lb-policy-lp] l3classifier l3
    [SPU-lb-policy-lp] quit

  10. Apply the load balancing policy and enable MAC address stickiness.
     # Apply the load balancing policy to the two firewall-facing sub-interfaces of the SPU and enable MAC address stickiness, so that a server's reply is sent back to the firewall (FWA or FWB) whose MAC address the request arrived from and the firewall session state stays symmetric.
    [SPU] interface Eth-Trunk 0.8
    [SPU-Eth-Trunk0.8] service load-balance policy lp
    [SPU-Eth-Trunk0.8] mac-sticky enable
    [SPU-Eth-Trunk0.8] quit
    [SPU] interface Eth-Trunk 0.9
    [SPU-Eth-Trunk0.9] service load-balance policy lp
    [SPU-Eth-Trunk0.9] mac-sticky enable
    [SPU-Eth-Trunk0.9] quit

- Verify the configuration.
  # Simulate an internal network user at 20.20.20.3 accessing the VIP 3.3.3.3 and view the information about the firewall members s11 and s21 on the SPU of SwitchA. Both s11 and s21 show packet statistics, and the packet ratio is 1:2 (matching the configured weights 15 and 30), indicating that user packets are load balanced between s11 and s21.
    [SPU] display load-balance group name sg11 member name s11 verbose
    [SPU] display load-balance group name sg11 member name s21 verbose

  # Disable FWA, simulate the same user accessing the VIP 3.3.3.3 again, and view the information about s11 and s21 on the SPU of SwitchA. Only s21 shows new packet statistics, indicating that user traffic is switched to FWB after FWA fails.
    [SPU] display load-balance group name sg11 member name s11 verbose
    [SPU] display load-balance group name sg11 member name s21 verbose

----End

Configuration Files
- Configuration file of SwitchA
    #
    vlan batch 1 400 600 700
    #
    interface Eth-Trunk 0
     port link-type trunk
     port trunk allow-pass vlan 400 600 700
    #
    interface GigabitEthernet1/0/25
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 400
    #
    interface GigabitEthernet1/0/26
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 600
    #
    interface GigabitEthernet1/0/27
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 700
    #
    interface XGigabitEthernet5/0/0
     eth-Trunk 0
    #
    interface XGigabitEthernet5/0/1
     eth-Trunk 0
    #
    return

- Configuration file of the SPU on SwitchA
    #
    acl number 3005
     rule permit ip destination 3.3.3.3 0.0.0.255
    #
    interface Eth-Trunk 0
    #
    interface Eth-Trunk0.5
     control-vid 400 dot1q-termination
     dot1q termination vid 400
     ip address 20.20.20.1 255.255.255.0
     arp broadcast enable
    #
    interface Eth-Trunk0.6
     control-vid 600 dot1q-termination
     dot1q termination vid 600
     ip address 7.7.61.1 255.255.255.0
     arp broadcast enable
    #
    interface Eth-Trunk0.7
     control-vid 700 dot1q-termination
     dot1q termination vid 700
     ip address 10.10.61.1 255.255.255.0
     arp broadcast enable
    #
    interface XGigabitEthernet0/0/1
     eth-Trunk 0
    #
    interface XGigabitEthernet0/0/2
     eth-Trunk 0
    #
    load-balance member s11
     ip address 7.7.61.2
     weight 15
     priority 15
    #
    load-balance member s21
     ip address 10.10.61.2
     weight 30
     priority 15
    #
    load-balance group sg11
     forward-mode dmac
     member s11
      inservice
     member s21
      inservice
    #
    load-balance action act1
     group sg11
    #
    load-balance l7classifier l7cls1 and
     match any
    #
    load-balance l3classifier l3cls1
     l7classifier l7cls1 action act1
     if-match acl 3005
    #
    load-balance policy lbp1
     l3classifier l3cls1
    #
    interface Eth-Trunk0.5
     service load-balance policy lbp1
    #
    return

- Configuration file of SwitchB
    #
    vlan batch 600 700 800 900
    #
    interface Eth-Trunk 0
     port link-type trunk
     port trunk allow-pass vlan 600 800
    #
    interface Eth-Trunk 1
     port link-type trunk
     port trunk allow-pass vlan 700 900
    #
    interface GigabitEthernet4/0/2
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 800
    #
    interface GigabitEthernet4/0/3
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 900
    #
    interface GigabitEthernet4/0/6
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 600
    #
    interface GigabitEthernet4/0/7
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 700
    #
    interface XGigabitEthernet8/0/0
     eth-Trunk 0
    #
    interface XGigabitEthernet8/0/1
     eth-Trunk 0
    #
    interface XGigabitEthernet11/0/0
     eth-Trunk 1
    #
    interface XGigabitEthernet11/0/1
     eth-Trunk 1
    #
    return

- Configuration file of SPUA on SwitchB
    #
    acl number 3300
     rule 5 permit ip
    #
    firewall zone a
     priority 20
    #
    firewall zone b
     priority 50
    #
    firewall interzone b a
     firewall enable
     packet-filter default permit inbound
    #
    interface Eth-Trunk 0
    #
    interface Eth-Trunk0.5
     control-vid 600 dot1q-termination
     dot1q termination vid 600
     ip address 7.7.61.2 255.255.255.0
     arp broadcast enable
     zone a
    #
    interface Eth-Trunk0.6
     control-vid 800 dot1q-termination
     dot1q termination vid 800
     ip address 11.11.61.1 255.255.255.0
     arp broadcast enable
     zone b
    #
    interface XGigabitEthernet0/0/1
     eth-Trunk 0
    #
    interface XGigabitEthernet0/0/2
     eth-Trunk 0
    #
    ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
    ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1
    #
    return

- Configuration file of SPUB on SwitchB
    #
    acl number 3300
     rule 5 permit ip
    #
    firewall zone a
     priority 20
    #
    firewall zone b
     priority 50
    #
    firewall interzone b a
     firewall enable
     packet-filter default permit inbound
    #
    interface Eth-Trunk 0
    #
    interface Eth-Trunk 0.5
     control-vid 700 dot1q-termination
     dot1q termination vid 700
     ip address 10.10.61.2 255.255.255.0
     arp broadcast enable
     zone a
    #
    interface Eth-Trunk 0.6
     control-vid 900 dot1q-termination
     dot1q termination vid 900
     ip address 12.12.61.1 255.255.255.0
     arp broadcast enable
     zone b
    #
    interface XGigabitEthernet0/0/1
     eth-Trunk 0
    #
    interface XGigabitEthernet0/0/2
     eth-Trunk 0
    #
    ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
    ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1
    #
    return

- Configuration file of SwitchC
    #
    vlan batch 800 900 1000
    #
    interface Eth-Trunk 1
     port link-type trunk
     port trunk allow-pass vlan 800 900 1000
    #
    interface GigabitEthernet1/0/22
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 800
    #
    interface GigabitEthernet1/0/23
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 900
    #
    interface GigabitEthernet1/0/28
     port link-type trunk
     undo port trunk allow-pass vlan 1
     port trunk allow-pass vlan 1000
    #
    interface XGigabitEthernet2/0/0
     eth-Trunk 1
    #
    interface XGigabitEthernet2/0/1
     eth-Trunk 1
    #
    return

- Configuration file of the SPU on SwitchC
    #
    acl number 3007
     rule 5 permit ip destination 3.3.3.3 0.0.0.255
    #
    nat address-group 2 33.33.33.33 33.33.33.250
    #
    interface Eth-Trunk 0
    #
    interface Eth-Trunk 0.8
     control-vid 800 dot1q-termination
     dot1q termination vid 800
     ip address 11.11.61.2 255.255.255.0
     arp broadcast enable
    #
    interface Eth-Trunk 0.9
     control-vid 900 dot1q-termination
     dot1q termination vid 900
     ip address 12.12.61.2 255.255.255.0
     arp broadcast enable
    #
    interface Eth-Trunk 0.10
     control-vid 1000 dot1q-termination
     dot1q termination vid 1000
     ip address 100.100.100.1 255.255.255.0
     arp broadcast enable
    #
    interface XGigabitEthernet0/0/1
     eth-Trunk 0
    #
    interface XGigabitEthernet0/0/2
     eth-Trunk 0
    #
    load-balance member s31
     ip address 100.100.100.8
    #
    load-balance member s32
     ip address 100.100.100.10
    #
    load-balance group sg31
     member s31
      inservice
     member s32
      inservice
    #
    load-balance action act3
     group sg31
    #
    load-balance l7classifier l7 and
     rule 1 match http url html
    #
    load-balance l3classifier l3
     l7classifier l7 action act3
     nat outbound address-group 2
     if-match acl 3007
    #
    load-balance policy lp
     l3classifier l3
    #
    interface Eth-Trunk 0.8
     service load-balance policy lp
     mac-sticky enable
    #
    interface Eth-Trunk 0.9
     service load-balance policy lp
     mac-sticky enable
    #
    return
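The configuration files above only work together if the addressing plan is consistent across the three devices: in DMAC forwarding mode the level-1 load balancer rewrites only the destination MAC, so every firewall member must be on-link with one of its sub-interfaces; every static route next hop on SPUA and SPUB must lie on the subnet of the outgoing sub-interface; and every member address on SwitchA's SPU must really be a firewall interface address. The following Python script is an added example, not code from the Huawei guide or the S9300 software. It parses abbreviated copies of the configuration files (constructed here from the listings above, with non-IP lines omitted) and checks those three properties; the device labels such as "SPU@SwitchA" and the deliberately misconfigured BROKEN sample are this example's own assumptions.

```python
"""Consistency check for the load-balancing example (added example, not the
guide's own code). Parses constructed, abbreviated SPU configuration files and
verifies: members on-link with the load balancer (needed for DMAC forwarding),
static-route next hops on the outgoing subnet, and level-1 member addresses
that really exist as peer interface addresses."""
import ipaddress
import re

# Constructed from the configuration files in this example (non-IP lines omitted).
CONFIGS = {
    "SPU@SwitchA": """
interface Eth-Trunk0.6
 ip address 7.7.61.1 255.255.255.0
interface Eth-Trunk0.7
 ip address 10.10.61.1 255.255.255.0
load-balance member s11
 ip address 7.7.61.2
load-balance member s21
 ip address 10.10.61.2
load-balance group sg11
 forward-mode dmac
 member s11
 member s21
""",
    "SPUA@SwitchB": """
interface Eth-Trunk0.5
 ip address 7.7.61.2 255.255.255.0
interface Eth-Trunk0.6
 ip address 11.11.61.1 255.255.255.0
ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.6 11.11.61.2
ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk0.5 7.7.61.1
""",
    "SPUB@SwitchB": """
interface Eth-Trunk 0.5
 ip address 10.10.61.2 255.255.255.0
interface Eth-Trunk 0.6
 ip address 12.12.61.1 255.255.255.0
ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk 0.6 12.12.61.2
ip route-static 20.20.20.0 255.255.255.0 Eth-Trunk 0.5 10.10.61.1
""",
}

# Constructed misconfiguration: an off-link member and a next hop on the wrong subnet.
BROKEN = """
interface Eth-Trunk0.10
 ip address 100.100.100.1 255.255.255.0
load-balance member s33
 ip address 100.100.101.8
load-balance group sgx
 forward-mode dmac
 member s33
ip route-static 3.3.3.0 255.255.255.0 Eth-Trunk0.10 11.11.61.2
"""

ROUTE = re.compile(r"ip route-static (\S+) (\S+) (.+?) (\S+)$")


def parse_config(text):
    """Return (interfaces, members, groups, routes) from a VRP-style listing."""
    ifaces, members, groups, routes, ctx = {}, {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if not words or line == "#":
            ctx = None                              # '#' ends a configuration block
        elif words[0] == "interface":
            ctx = ("iface", "".join(words[1:]))     # "Eth-Trunk 0.5" -> "Eth-Trunk0.5"
        elif line.startswith("load-balance member "):
            ctx = ("member", words[2])
        elif line.startswith("load-balance group "):
            ctx = ("group", words[2])
            groups[words[2]] = {"mode": None, "members": []}
        elif (m := ROUTE.match(line)):
            dst, mask, iface, nh = m.groups()
            routes.append((ipaddress.ip_network(f"{dst}/{mask}"),
                           iface.replace(" ", ""), ipaddress.ip_address(nh)))
        elif ctx and ctx[0] == "iface" and words[:2] == ["ip", "address"]:
            ifaces[ctx[1]] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif ctx and ctx[0] == "member" and words[:2] == ["ip", "address"]:
            members[ctx[1]] = ipaddress.ip_address(words[2])
        elif ctx and ctx[0] == "group" and words[0] == "forward-mode":
            groups[ctx[1]]["mode"] = words[1]
        elif ctx and ctx[0] == "group" and words[0] == "member":
            groups[ctx[1]]["members"].append(words[1])
    return ifaces, members, groups, routes


def check_device(ifaces, members, groups, routes):
    """Problems local to one device: off-link members and unreachable next hops."""
    problems = []
    for gname, g in groups.items():
        for mname in g["members"]:
            ip = members.get(mname)
            if ip is None or not any(ip in i.network for i in ifaces.values()):
                problems.append(f"{gname}/{mname}: {ip} is not on-link "
                                f"(forward-mode {g['mode'] or 'default'})")
    for net, iface, nh in routes:
        i = ifaces.get(iface)
        if i is None or nh not in i.network:
            problems.append(f"route {net} via {iface}: next hop {nh} is not on that subnet")
    return problems


def check_members_exist(parsed, lb_dev):
    """Cross-device: each member IP of lb_dev must be a peer interface address."""
    peer_ips = {i.ip for dev, (ifs, *_) in parsed.items() if dev != lb_dev
                for i in ifs.values()}
    return [f"{lb_dev}/{m}: {ip} is not an interface address on any peer"
            for m, ip in parsed[lb_dev][1].items() if ip not in peer_ips]


def audit(configs, lb_dev="SPU@SwitchA"):
    """Map each device label to its list of problems (an empty list means clean)."""
    parsed = {dev: parse_config(text) for dev, text in configs.items()}
    report = {dev: check_device(*p) for dev, p in parsed.items()}
    if lb_dev in parsed:
        report[lb_dev] += check_members_exist(parsed, lb_dev)
    return report


if __name__ == "__main__":
    for dev, problems in audit(CONFIGS).items():
        print(dev, "OK" if not problems else problems)
    print("broken:", audit({"broken": BROKEN}, lb_dev=None)["broken"])
```

Run against the page's addressing plan the audit reports every device clean; against the BROKEN sample it reports the member 100.100.101.8 as off-link and the next hop 11.11.61.2 as outside 100.100.100.0/24. The same parser can be pointed at the real output of the SPU's configuration display after a change to catch a renumbered sub-interface before traffic is cut over.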

8 Dual-System HSB Configuration

About This Chapter

Firewalls are the nodes that traffic must pass through on a network. If a firewall is faulty, services on the network are interrupted, so the reliability of firewalls greatly affects the high availability (HA) of the network. With dual-system hot standby (HSB), the session table is synchronized between two firewalls in real time. If one firewall fails, user sessions are not interrupted, which improves the HA of user connections.

8.1 Dual-System HSB Overview
This section describes basic concepts of dual-system HSB.
8.2 Dual-System HSB Features Supported by the SPU
This section describes the dual-system HSB features supported by the SPU.
8.3 Configuring Dual-System HSB
This section describes the application and configuration of dual-system HSB.
8.4 Maintaining Dual-System HSB
This section describes how to maintain dual-system HSB.
8.5 Configuration Examples of Dual-System HSB
This section provides several configuration examples of dual-system HSB.


8.1 Dual-System HSB Overview

This section describes basic concepts of dual-system HSB.

Firewalls are the nodes that traffic must pass through on a network. If a firewall is faulty, services on the network are interrupted, so the reliability of firewalls greatly affects the HA of the network. With dual-system HSB, the session table is synchronized between two firewalls in real time. If one firewall fails, user sessions are not interrupted, which improves the HA of user connections.

NOTE
Dual-system HSB is a firewall feature: it is enabled on an S9300 that runs the firewall function. In this chapter, an S9300 acting as one member of the dual system is referred to as the FW.

To ensure HA of a user network and prevent firewall faults from affecting communication between security zones, the Virtual Router Redundancy Protocol (VRRP) is enabled between the firewalls and the firewall status is synchronized between them. As shown in Figure 8-1, FWA and FWB constitute a VRRP backup group that functions as one virtual FW.
- A host on the LAN learns only the IP address of the virtual FW, not the interface IP addresses of FWA and FWB in the VRRP backup group. The host sets the IP address of the virtual FW as its default next hop and communicates with other networks through the virtual FW.
- In the VRRP backup group, one device is in the active state and is the master device (FWA in Figure 8-1); the other device is in the backup state and is the backup device (FWB in Figure 8-1).

Figure 8-1 Networking of dual-system HSB (FWA: Master and FWB: Backup form a VRRP backup group between the internal network, with a PC and a server, and the external network)

8.2 Dual-System HSB Features Supported by the SPU


This section describes the dual-system HSB features supported by the SPU.


Supporting the Setup of the Channel Through Which Dual-System HSB Data Is Synchronized and the Heartbeat Detection Mechanism
- The channel through which dual-system HSB data is synchronized is configured between the active and standby modules. When the setup of this channel fails, alarms are reported and logs are recorded.
- The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets can be set on the TCP channel between the active and standby modules.
- TCP connections can be set up between the active and standby modules.
- The VRRP module supports smooth switchback.

Status Information Synchronization in Batches
- After the channel through which dual-system HSB data is synchronized is set up, the firewalls synchronize the status information in batches. Only the status information associated with the VRRP master device of the active firewall needs to be synchronized to the standby firewall.
- The active firewall instructs batch backup at the forwarding layer.
- The remote backup protocol of firewalls is supported, so the upper-layer information between firewalls can be backed up.
- The active and standby modules of a firewall monitor the VRRP status.
- The forwarding backup module can back up the traffic forwarding table to the peer firewall.
- When the peer firewall receives the synchronized status information:
  - it generates the local status information;
  - it updates the number of TCP, UDP, and ICMP connections for the source and destination IP addresses;
  - it updates the NAT address allocation table.

Dual-System HSB Duration
- A firewall is powered on, the VRRP management group selects the master and backup devices, and the traffic between security zones is filtered by the firewall. This process takes less than 10s.
- The VRRP management group is switched, the traffic between security zones is filtered by the firewall, and user sessions are not interrupted. This process takes less than 2s.
- Synchronizing all the status information in batches between the firewalls takes less than 15s.
- The delay in synchronizing the status information between two HSB firewalls is less than 1s.

8.3 Configuring Dual-System HSB

This section describes the application and configuration of dual-system HSB.

8.3.1 Establishing the Configuration Task
Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.
8.3.2 Enabling Dual-System HSB
You need to configure HSB actions only after dual-system HSB is enabled.
8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized
A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create this channel.
8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets
If the protocol stack does not detect a TCP connection that has been interrupted for a long time, you can set the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the firewall. If the firewall does not receive heartbeat packets from the peer end within the detection period (the sending interval multiplied by the number of retransmissions), it receives an exception notification and re-establishes the channel.
8.3.5 Checking the Configuration
After dual-system HSB between firewalls is configured successfully, you can check whether the configuration is correct and valid.

8.3.1 Establishing the Configuration Task


Before configuring dual-system HSB, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This helps you complete the configuration task quickly and accurately.

Applicable Environment
To ensure high availability of a user network and prevent a firewall fault from interrupting communication between security zones, the two firewalls run VRRP so that they appear as one virtual firewall, and firewall session state is synchronized between them. In this way HSB is implemented between the two firewalls and user connections survive a failover.

Pre-configuration Tasks
Before configuring dual-system HSB, complete the following tasks:
- Setting the firewall service on the S9300
- Setting the IP address of the sub-interface configured with the firewall service
- Configuring VRRP between the firewalls

Data Preparation
To configure dual-system HSB, you need the following data.

No.  Data
1    Number and IP address of the Eth-Trunk of the local firewall
2    Number and IP address of the Eth-Trunk of the peer firewall
3    ID and virtual IP address of the VRRP backup group
4    Priorities of the local and peer firewalls in the VRRP backup group

8.3.2 Enabling Dual-System HSB


HSB actions can be configured only after dual-system HSB is enabled.

Context
When two devices are deployed at the egress of the network to protect the security of the internal network, you need to configure dual-system HSB. The channel through which dual-system HSB is synchronized can be set up only after dual-system HSB is enabled.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hot-standby enable

Dual-system HSB is enabled. By default, dual-system HSB is disabled.

----End

8.3.3 Creating the Channel Through Which Dual-System HSB Data Is Synchronized
A channel through which dual-system HSB data is synchronized is required to back up packets in batches between the active and standby modules; therefore, you need to create the channel through which dual-system HSB data is synchronized.

Context
You need to create a TCP channel and a UDP channel between the local firewall and the peer firewall. The source and destination IP addresses and port numbers of the two channels are the same. The data to be backed up is sent to the peer device through the two channels. TCP packets are sent through the TCP channel and UDP packets are sent through the UDP channel. In this manner, dual-system HSB is implemented.
NOTE
When the TCP channel is created, the firewall automatically creates the UDP channel.
To modify the parameters of the channel through which dual-system HSB data is synchronized, delete the previous configuration and then set the parameters again.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hot-standby-group local local-ip-address peer peer-ip-address src-data-port src-port-number dst-data-port dst-port-number [ vpn-instance vpn-instance-name ]

A TCP channel is created. The UDP channel is created automatically.

- By default, the source and destination IP addresses of the channel through which dual-system HSB data is synchronized are 0.0.0.0, and the source and destination port numbers are 0.
- The channel parameters must be set at both the local end and the peer end. The source IP address, destination IP address, source port, and destination port at the local end are, respectively, the destination IP address, source IP address, destination port, and source port at the peer end.
- The channel parameters take effect only after dual-system HSB is enabled.

----End

8.3.4 Setting the Interval for Sending Heartbeat Packets and the Number of Times for Retransmitting Heartbeat Packets
A protocol stack may take a long time to notice that a TCP connection has been interrupted. Setting the heartbeat interval and the retransmission count on the firewall bounds that time: if no heartbeat arrives from the peer within the detection period (the interval multiplied by the retransmission count), the firewall receives an exception notification and re-establishes the channel.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hot-standby-group detect fail-count fail-count interval interval

The interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets on the channel between the firewalls are set.

- By default, the interval for sending heartbeat packets is 10s and the number of times for retransmitting heartbeat packets is 6, so a peer is declared unreachable after 60s without heartbeats.
- Set both parameters at the local end and at the peer end, and use the same values at both ends.
- The parameters take effect only after dual-system HSB is enabled.

----End
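The rules in 8.3.3 and 8.3.4 (addresses and ports mirrored between the two ends, HSB enabled at both ends, identical heartbeat settings, detection time equal to interval multiplied by fail-count) can be checked offline before the commands are typed in. The script below is an added example written for this page, not Huawei code: it parses the hot-standby-group, hot-standby-group detect and hot-standby enable lines from each SPU's configuration text and reports inconsistencies. The sample configurations are constructed from the 8.5.1 example; the misconfigured variant is invented to show the failure cases.

```python
"""Added example for this guide (not Huawei code): check that the two ends of
a dual-system HSB channel mirror each other and report the heartbeat
detection time. Sample configurations are constructed from example 8.5.1."""
import re
from dataclasses import dataclass
from typing import List

# Command syntax as given in 8.3.2 to 8.3.4 of this guide.
GROUP_RE = re.compile(
    r"^hot-standby-group\s+local\s+(?P<local>\S+)\s+peer\s+(?P<peer>\S+)"
    r"\s+src-data-port\s+(?P<sport>\d+)\s+dst-data-port\s+(?P<dport>\d+)"
    r"(?:\s+vpn-instance\s+(?P<vpn>\S+))?\s*$")
DETECT_RE = re.compile(
    r"^hot-standby-group\s+detect\s+fail-count\s+(\d+)\s+interval\s+(\d+)\s*$")
ENABLE_RE = re.compile(r"^hot-standby\s+enable\s*$")
DEFAULT_FAIL_COUNT, DEFAULT_INTERVAL_S = 6, 10   # defaults stated in 8.3.4


@dataclass(frozen=True)
class HsbEnd:
    local: str = ""          # empty: no hot-standby-group line found
    peer: str = ""
    src_port: int = 0        # 0 is the documented unset value
    dst_port: int = 0
    vpn: str = ""
    enabled: bool = False
    fail_count: int = DEFAULT_FAIL_COUNT
    interval_s: int = DEFAULT_INTERVAL_S

    @property
    def detection_time_s(self) -> int:
        # Seconds without heartbeats before the peer is declared unreachable
        return self.fail_count * self.interval_s


def parse_end(config: str) -> HsbEnd:
    """Extract the HSB-relevant lines from one SPU's configuration text."""
    fields = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            fields.update(local=m["local"], peer=m["peer"], vpn=m["vpn"] or "",
                          src_port=int(m["sport"]), dst_port=int(m["dport"]))
        elif m := DETECT_RE.match(line):
            fields.update(fail_count=int(m.group(1)), interval_s=int(m.group(2)))
        elif ENABLE_RE.match(line):
            fields["enabled"] = True
    return HsbEnd(**fields)


def audit_pair(config_a: str, config_b: str) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    a, b = parse_end(config_a), parse_end(config_b)
    issues: List[str] = []
    for name, end in (("A", a), ("B", b)):
        if not end.local:
            issues.append(f"{name}: no hot-standby-group channel configured")
        elif end.src_port == 0 or end.dst_port == 0:
            issues.append(f"{name}: data port left at the unset value 0")
        if not end.enabled:
            issues.append(f"{name}: hot-standby enable missing, channel has no effect")
    if a.local and b.local:
        # Addresses and ports must be swapped between the two ends (8.3.3).
        if (a.local, a.peer) != (b.peer, b.local):
            issues.append("channel IP addresses do not mirror between A and B")
        if (a.src_port, a.dst_port) != (b.dst_port, b.src_port):
            issues.append("channel data ports do not mirror between A and B")
        if a.vpn != b.vpn:
            issues.append("vpn-instance differs between A and B")
    # 8.3.4 advises identical heartbeat settings at both ends.
    if (a.fail_count, a.interval_s) != (b.fail_count, b.interval_s):
        issues.append(f"heartbeat settings differ: A detects failure after "
                      f"{a.detection_time_s}s, B after {b.detection_time_s}s")
    return issues


# Constructed from the SPU A and SPU B fragments in the 8.5.1 example.
SPU_A_CFG = """\
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
"""
SPU_B_CFG = """\
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
"""
# Constructed misconfiguration: B copied A's port order and never enabled HSB.
SPU_B_BAD_CFG = """\
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 3001 dst-data-port 4001
"""

if __name__ == "__main__":
    for label, cfg in (("good pair", SPU_B_CFG), ("bad pair", SPU_B_BAD_CFG)):
        print(label, audit_pair(SPU_A_CFG, cfg) or ["ok"])
```

With the defaults, a dead peer is only detected after 60s; lowering the interval or fail-count shortens that window, but 8.3.4 asks for the same values at both ends, which the audit enforces.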

8.3.5 Checking the Configuration


After dual-system HSB between firewalls is configured successfully, you can check whether the configuration is correct and valid.

Procedure
- Run the display hot-standby configuration command to view the dual-system HSB configuration, including:
  - the local and peer IP addresses and the port numbers of the channel through which dual-system HSB data is synchronized
  - the interval for sending heartbeat packets and the number of times for retransmitting heartbeat packets
  - the TCP connection status and the packet transmission status
  - the dual-system HSB status
  - the status of the active and standby devices

----End

8.4 Maintaining Dual-System HSB


This section describes how to maintain dual-system HSB.

8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules
If an active/standby switchover cannot be performed while dual-system HSB is running, check the connectivity of the channel between the active and standby modules. This helps you analyze and locate the fault.

8.4.1 Checking the Connectivity of the Channel Between the Active and Standby Modules
If an active/standby switchover cannot be performed while dual-system HSB is running, check the connectivity of the channel between the active and standby modules. This helps you analyze and locate the fault.

Procedure
Step 1 Run the display hot-standby configuration command on the SPU and check the value of TCP State.
- CONNECT: the channel between the active and standby modules is up.
- INITIAL, CONNECTING, or LISTENING: the channel is faulty. The possible causes are that the cable carrying the channel has been removed or that the channel parameters are configured incorrectly (for example, the addresses or ports at the two ends do not mirror each other).

----End

8.5 Configuration Examples of Dual-System HSB


This section provides several configuration examples of dual-system HSB.

8.5.1 Example for Configuring Dual-System HSB on the S9300
This section describes how to configure dual-system HSB on one S9300 to improve service reliability.

8.5.2 Example for Configuring Dual-System HSB Between S9300s
This section describes how to configure dual-system HSB between two S9300s to improve service reliability.

8.5.1 Example for Configuring Dual-System HSB on the S9300


This section describes how to configure dual-system HSB on the S9300 to improve the service reliability.

Networking Requirements
A firewall board is treated as an independent device. As shown in Figure 8-2, firewall boards SPU A and SPU B are installed in the same S9300 and run dual-system HSB.

Figure 8-2 Networking diagram for configuring dual-system HSB on the S9300
(The diagram shows: the MPU connects to SPU A through Eth-Trunk 0 (XGE 3/0/0, XGE 3/0/1) and to SPU B through Eth-Trunk 1 (XGE 5/0/0, XGE 5/0/1), both carrying VLAN 10, 11, and 13, with VLANIF 10 at 10.0.0.9/24. On each SPU, XGE 0/0/1 and XGE 0/0/2 form Eth-Trunk 0; Eth-Trunk 0.1 (dot1q 10) is the inbound interface, Eth-Trunk 0.2 (dot1q 11) the outbound interface, and Eth-Trunk 0.3 (dot1q 13, VLAN 13) the HSB channel. SPU A (Master) uses 10.0.0.2/24, 11.0.0.2/24, and 13.0.0.2/24; SPU B (Backup) uses 10.0.0.3/24, 11.0.0.3/24, and 13.0.0.3/24; the VRRP virtual IP addresses are 10.0.0.1 and 11.0.0.1. The LPU connects PC A (18.0.0.2/24) through GE 2/0/10 (VLAN 18, VLANIF 18 at 18.0.0.1/24) and PC B (11.0.0.9/24, internal network side) through GE 2/0/11 (VLAN 11).)

Board | Interface                     | VLAN          | VLANIF    | IP Address  | Eth-Trunk     | Dot1q | VID | Virtual IP  | Priority
LPU   | GigabitEthernet 2/0/10        | VLAN 18       | VLANIF 18 | 18.0.0.1/24 | NA            | NA    | NA  | NA          | NA
LPU   | GigabitEthernet 2/0/11        | VLAN 11       | NA        | NA          | NA            | NA    | NA  | NA          | NA
MPU   | XGigabitEthernet 3/0/0, 3/0/1 | VLAN 10/11/13 | VLANIF 10 | 10.0.0.9/24 | Eth-Trunk 0   | NA    | NA  | NA          | NA
MPU   | XGigabitEthernet 5/0/0, 5/0/1 | VLAN 10/11/13 | NA        | NA          | Eth-Trunk 1   | NA    | NA  | NA          | NA
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 10       | NA        | 10.0.0.2/24 | Eth-Trunk 0.1 | 10    | 10  | 10.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 11       | NA        | 11.0.0.2/24 | Eth-Trunk 0.2 | 11    | 11  | 11.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 13       | NA        | 13.0.0.2/24 | Eth-Trunk 0.3 | 13    | NA  | NA          | NA
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 10       | NA        | 10.0.0.3/24 | Eth-Trunk 0.1 | 10    | 10  | 10.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 11       | NA        | 11.0.0.3/24 | Eth-Trunk 0.2 | 11    | 11  | 11.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 13       | NA        | 13.0.0.3/24 | Eth-Trunk 0.3 | 13    | NA  | NA          | NA

Configuration Roadmap
The configuration roadmap is as follows:
1. Check the service type of the SPUs.
2. Configure the interfaces of the LPU.
3. Configure a static route on the MPU.
4. Configure the interfaces of the SPUs.
5. Configure VRRP.
6. Configure static routes on the SPUs.
7. Configure dual-system HSB between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel through which dual-system HSB data is synchronized is set up successfully.
9. Save the configuration.

Data Preparation
To complete the configuration, you need the following data (Figure 8-2 shows the detailed data):
- GE interfaces, VLAN IDs, VLANIF interfaces, and IP addresses of the LPU
- XGE interfaces, VLAN IDs, VLANIF interfaces, IP addresses, and bound Eth-Trunks of the MPU
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B
- ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B

Procedure
Step 1 Check the service type of the SPUs.
# Log in to SPU A and SPU B and check, in the system view, whether the service type is the firewall service.
<S9300> system-view
[S9300] display service-type
The service type is Firewall!

# If it is, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service and restart both boards.
[S9300] set service-type 1
The service type will be available after you restart the board, please restart!

Step 2 Configure interfaces of the LPU.


NOTE
By default, GE 2/0/10, GE 2/0/11, XGE 3/0/0, XGE 3/0/1, XGE 5/0/0, and XGE 5/0/1 allow packets of VLAN 1 to pass through.

# Log in to the MPU. Create VLAN 10, VLAN 11, VLAN 13, and VLAN 18, configure VLANIF 18 (for GE 2/0/10 of the LPU) and VLANIF 10, set the trunk parameters of GE 2/0/10 and GE 2/0/11, then bind XGE 3/0/0 and XGE 3/0/1 of the MPU to Eth-Trunk 0 and XGE 5/0/0 and XGE 5/0/1 to Eth-Trunk 1.
[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface vlanif 18
[MPU-Vlanif18] ip address 18.0.0.1 24
[MPU-Vlanif18] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] port link-type trunk
[MPU-GigabitEthernet2/0/10] port trunk allow-pass vlan 18
[MPU-GigabitEthernet2/0/10] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] port link-type trunk
[MPU-GigabitEthernet2/0/11] port trunk allow-pass vlan 11
[MPU-GigabitEthernet2/0/11] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface vlanif 10
[MPU-Vlanif10] ip address 10.0.0.9 24
[MPU-Vlanif10] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk1] port trunk allow-pass vlan 13
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit
[MPU] interface xgigabitethernet 5/0/0
[MPU-XGigabitEthernet5/0/0] eth-trunk 1
[MPU-XGigabitEthernet5/0/0] quit
[MPU] interface xgigabitethernet 5/0/1
[MPU-XGigabitEthernet5/0/1] eth-trunk 1
[MPU-XGigabitEthernet5/0/1] quit

Step 3 Configure a static route on the MPU.
# Log in to the MPU to configure a static route.
[MPU] ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1


Step 4 Configure the interfaces of the SPUs.
# Log in to SPU A and SPU B in turn. On each, create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.
[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit

Step 5 Configure VRRP.
# Log in to SPU A.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10 with virtual IP address 10.0.0.1, make group 10 the admin VRRP group, and set the priority of SPU A in group 10 to 120.
- Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11 with virtual IP address 11.0.0.1, have group 11 track the admin VRRP group 10 on Eth-Trunk 0.1, and set the priority of SPU A in group 11 to 120.
- Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set the dot1q termination parameters of Eth-Trunk 0.3 (the HSB channel).
[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit

# Log in to SPU B.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10 with virtual IP address 10.0.0.1, make group 10 the admin VRRP group, and set the priority of SPU B in group 10 to 110.
- Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11 with virtual IP address 11.0.0.1, have group 11 track the admin VRRP group 10 on Eth-Trunk 0.1, and set the priority of SPU B in group 11 to 110.
- Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set the dot1q termination parameters of Eth-Trunk 0.3 (the HSB channel).
[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] admin-vrrp vrid 10
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit

Step 6 Configure static routes on the SPUs.
# Log in to SPU A to configure a static route.
[S9300-A] ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9

# Log in to SPU B to configure a static route.


[S9300-B] ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9

Step 7 Configure the channel between SPU A and SPU B.
# Log in to SPU A. For the channel through which dual-system HSB data is synchronized, set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port to 3001, and the destination port to 4001, then enable dual-system HSB.
[S9300-A] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
[S9300-A] hot-standby enable

# Log in to SPU B and set the mirrored values: source IP address 13.0.0.3, destination IP address 13.0.0.2, source port 4001, and destination port 3001, then enable dual-system HSB.
[S9300-B] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
[S9300-B] hot-standby enable

Step 8 Verify the configuration.


NOTE
- If the value of State on SPU A is Master and on SPU B is Backup, VRRP negotiation is correct.
- If the value of TCP State on each SPU is CONNECT, the channel between SPU A and SPU B is set up successfully.

# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.


[S9300-A] display vrrp
Eth-Trunk0.1|Virtual Router 10
State                             : Master
Virtual IP                        : 10.0.0.1
PriorityRun                       : 120
PriorityConfig                    : 120
MasterPriority                    : 120
Preempt                           : YES
Delay Time                        : 0
TimerRun                          : 1
TimerConfig                       : 1
Auth Type                         : NONE
Virtual Mac                       : 0000-5e00-0164
Check TTL                         : YES
Config type                       : admin-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State                             : Master
Virtual IP                        : 11.0.0.1
PriorityRun                       : 120
PriorityConfig                    : 120
MasterPriority                    : 120
Preempt                           : YES
Delay Time                        : 0
TimerRun                          : 1
TimerConfig                       : 1
Auth Type                         : NONE
Virtual Mac                       : 0000-5e00-0165
Check TTL                         : YES
Config type                       : member-vrrp
Config track link-bfd down-number : 0

[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
Local IP Address    : 13.0.0.2
Peer IP Address     : 13.0.0.3
Source port         : 3001
Destination port    : 4001
Vpn Instance name   : NULL
Keep Alive Time     : 10
Fail Count          : 6
Delete State        : NO
Used State          : YES
Enable State        : YES
TCP State           : CONNECT
Master Backup State : START
Slave Backup State  : START
Packet State        : INITIAL

# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
[S9300-B] display vrrp
Eth-Trunk0.1|Virtual Router 10
State                             : Backup
Virtual IP                        : 10.0.0.1
PriorityRun                       : 110
PriorityConfig                    : 110
MasterPriority                    : 120
Preempt                           : YES
Delay Time                        : 0
TimerRun                          : 1
TimerConfig                       : 1
Auth Type                         : NONE
Virtual Mac                       : 0000-5e00-0164
Check TTL                         : YES
Config type                       : admin-vrrp
Config track link-bfd down-number : 0

Eth-Trunk0.2|Virtual Router 11
State                             : Backup
Virtual IP                        : 11.0.0.1
PriorityRun                       : 110
PriorityConfig                    : 110
MasterPriority                    : 120
Preempt                           : YES
Delay Time                        : 0
TimerRun                          : 1
TimerConfig                       : 1
Auth Type                         : NONE
Virtual Mac                       : 0000-5e00-0165
Check TTL                         : YES
Config type                       : member-vrrp
Config track link-bfd down-number : 0

[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
Local IP Address    : 13.0.0.3
Peer IP Address     : 13.0.0.2
Source port         : 4001
Destination port    : 3001
Vpn Instance name   : NULL
Keep Alive Time     : 10
Fail Count          : 6
Delete State        : NO
Used State          : YES
Enable State        : YES
TCP State           : CONNECT
Master Backup State : START
Slave Backup State  : START
Packet State        : INITIAL

Step 9 Save the configuration.
# Log in to the MPU and run the following command in the user view to save the configuration:
<MPU> save

# Log in to each SPU and run the following command in the user view to save the configuration:
<S9300> save

----End
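The verification in Step 8 above, and the channel check in 8.3.5 and 8.4.1, come down to reading three things out of the display output: TCP State must be CONNECT on both SPUs, the VRRP groups must be Master on SPU A and Backup on SPU B, and the channel addresses and ports shown on one SPU must be the mirror of those on the other. The script below automates that reading. It is an added example written for this page, not Huawei code; the field names are those of the sample output above, and the sample texts are constructed from that output (trimmed to the fields used), with one deliberately broken variant. The guide describes no authentication for the HSB channel, so the example's isolation of the channel on its own VLAN 13 remains the protection for the synchronized session state; this check does not replace it.

```python
"""Added example for this guide (not Huawei code): health check over the
output of display hot-standby configuration and display vrrp, as used in
8.3.5, 8.4.1 and Step 8 of 8.5.1. Field names follow the sample output on
this page; the sample texts below are constructed from that output."""
import re
from typing import Dict, List

KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
VRRP_HDR_RE = re.compile(r"^\s*(\S+)\|Virtual Router\s+(\d+)\s*$")
# TCP State values named in 8.4.1: only CONNECT means the channel is up.
CHANNEL_DOWN_STATES = {"INITIAL", "CONNECTING", "LISTENING"}


def parse_kv(text: str) -> Dict[str, str]:
    """'Key : Value' lines of display hot-standby configuration."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if m := KV_RE.match(line):
            out[m.group(1)] = m.group(2)
    return out


def parse_vrrp(text: str) -> Dict[str, Dict[str, str]]:
    """display vrrp output -> {'Eth-Trunk0.1 vrid 10': {'State': 'Master', ...}}."""
    groups: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if h := VRRP_HDR_RE.match(line):
            current = groups.setdefault(f"{h.group(1)} vrid {h.group(2)}", {})
        elif current is not None and (m := KV_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return groups


def check_end(name: str, hsb_text: str, vrrp_text: str, expected_role: str) -> List[str]:
    """One SPU: HSB enabled, channel CONNECTed, every VRRP group in the expected role."""
    kv = parse_kv(hsb_text)
    issues: List[str] = []
    if kv.get("Enable State") != "YES":
        issues.append(f"{name}: dual-system HSB is not enabled")
    tcp = kv.get("TCP State")
    if tcp in CHANNEL_DOWN_STATES:
        issues.append(f"{name}: HSB channel down (TCP State {tcp}); "
                      "check the channel cabling and parameters")
    elif tcp != "CONNECT":
        issues.append(f"{name}: unexpected TCP State {tcp!r}")
    groups = parse_vrrp(vrrp_text)
    if not groups:
        issues.append(f"{name}: no VRRP backup group in display vrrp output")
    for gid, g in groups.items():
        if g.get("State") != expected_role:
            issues.append(f"{name}: {gid} is {g.get('State')}, expected {expected_role}")
    return issues


def check_pair(a_hsb: str, a_vrrp: str, b_hsb: str, b_vrrp: str) -> List[str]:
    """Step 8 of 8.5.1: A Master, B Backup, channel parameters mirrored."""
    issues = check_end("SPU A", a_hsb, a_vrrp, "Master")
    issues += check_end("SPU B", b_hsb, b_vrrp, "Backup")
    a, b = parse_kv(a_hsb), parse_kv(b_hsb)
    if (a.get("Local IP Address"), a.get("Peer IP Address")) != (
            b.get("Peer IP Address"), b.get("Local IP Address")):
        issues.append("channel addresses do not mirror between SPU A and SPU B")
    if (a.get("Source port"), a.get("Destination port")) != (
            b.get("Destination port"), b.get("Source port")):
        issues.append("channel ports do not mirror between SPU A and SPU B")
    return issues


# Constructed from the Step 8 output in 8.5.1, trimmed to the fields used.
SPU_A_HSB = """\
------------------HOT-STANDBY CONFIGURATION-------------------
Local IP Address : 13.0.0.2
Peer IP Address : 13.0.0.3
Source port : 3001
Destination port : 4001
Enable State : YES
TCP State : CONNECT
"""
SPU_B_HSB = """\
------------------HOT-STANDBY CONFIGURATION-------------------
Local IP Address : 13.0.0.3
Peer IP Address : 13.0.0.2
Source port : 4001
Destination port : 3001
Enable State : YES
TCP State : CONNECT
"""
SPU_A_VRRP = """\
Eth-Trunk0.1|Virtual Router 10
State : Master
Virtual IP : 10.0.0.1
PriorityRun : 120
Config type : admin-vrrp
Eth-Trunk0.2|Virtual Router 11
State : Master
Virtual IP : 11.0.0.1
PriorityRun : 120
Config type : member-vrrp
"""
SPU_B_VRRP = SPU_A_VRRP.replace("Master", "Backup").replace("120", "110")
# Constructed fault: peer address mistyped on SPU B, so the channel never connects.
SPU_B_BAD_HSB = SPU_B_HSB.replace("Peer IP Address : 13.0.0.2", "Peer IP Address : 13.0.0.4") \
                         .replace("CONNECT", "LISTENING")

if __name__ == "__main__":
    print("good:", check_pair(SPU_A_HSB, SPU_A_VRRP, SPU_B_HSB, SPU_B_VRRP) or ["ok"])
    print("bad: ", check_pair(SPU_A_HSB, SPU_A_VRRP, SPU_B_BAD_HSB, SPU_B_VRRP))
```

Feed it the captured output of the two display commands from each SPU; an empty result means the Step 8 conditions hold. A LISTENING or CONNECTING state together with a mirror mismatch points at the channel parameters rather than the cabling, which is the distinction 8.4.1 asks you to make.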

Configuration Files
- Configuration file of the MPU
#
vlan batch 1 10 to 11 13 18
#
interface vlanif 18
 ip address 18.0.0.1 24
#
interface gigabitethernet 2/0/10
 port link-type trunk
 port trunk allow-pass vlan 18
 undo port trunk allow-pass vlan 1
#
interface gigabitethernet 2/0/11
 port link-type trunk
 port trunk allow-pass vlan 11
 undo port trunk allow-pass vlan 1
#
interface vlanif 10
 ip address 10.0.0.9 24
#
interface eth-trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface eth-trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface xgigabitethernet3/0/0
 eth-trunk 0
#
interface xgigabitethernet3/0/1
 eth-trunk 0
#
interface xgigabitethernet5/0/0
 eth-trunk 1
#
interface xgigabitethernet5/0/1
 eth-trunk 1
#
ip route-static 11.0.0.9 255.0.0.0 vlanif10 10.0.0.1
#
return

- Configuration file of S9300 A
#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
#
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.2 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 admin-vrrp vrid 10
 vrrp vrid 10 priority 120
 arp broadcast enable
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.2 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
 vrrp vrid 11 priority 120
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.2 24
 arp broadcast enable
#
ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9
#
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
#
return

- Configuration file of S9300 B
#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
#
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.3 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 admin-vrrp vrid 10
 vrrp vrid 10 priority 110
 arp broadcast enable
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.3 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 vrrp vrid 11 track admin-vrrp interface eth-trunk0.1 vrid 10 unflowdown
 vrrp vrid 11 priority 110
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.3 24
 arp broadcast enable
#
ip route-static 18.0.0.2 255.0.0.0 eth-trunk0.1 10.0.0.9
#
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
#
return

8.5.2 Example for Configuring Dual-System HSB Between S9300s


This section describes how to configure dual-system HSB between S9300s to improve the service reliability.

Networking Requirements
A firewall board is treated as an independent device. As shown in Figure 8-3, firewall boards SPU A and SPU B are installed in two different S9300s, and the two S9300s are connected by a cable between GE 2/0/13 of LPU A and GE 2/0/13 of LPU B so that dual-system HSB can run between them.

Figure 8-3 Networking diagram for configuring dual-system HSB between S9300s
(The diagram shows two S9300s. In each, the MPU connects to its SPU through Eth-Trunk 0 (XGE 3/0/0, XGE 3/0/1) carrying VLAN 10, 11, and 13. On each SPU, XGE 0/0/1 and XGE 0/0/2 form Eth-Trunk 0; Eth-Trunk 0.1 (dot1q 10) is the inbound interface, Eth-Trunk 0.2 (dot1q 11) the outbound interface, and Eth-Trunk 0.3 (dot1q 13, VLAN 13) the HSB channel. SPU A (FW A, Master) uses 10.0.0.2/24, 11.0.0.2/24, and 13.0.0.2/24; SPU B (FW B, Backup) uses 10.0.0.3/24, 11.0.0.3/24, and 13.0.0.3/24; the VRRP virtual IP addresses are 10.0.0.1 and 11.0.0.1. On each LPU, GE 2/0/10 carries VLAN 10 toward the PC, GE 2/0/11 carries VLAN 11 toward the internal network and server, and GE 2/0/13 carries VLAN 13 for the HSB channel between the two S9300s.)

Board | Interface                     | VLAN          | IP Address  | Eth-Trunk     | Dot1q | VID | Virtual IP  | Priority
LPU A | GigabitEthernet 2/0/10        | VLAN 10       | NA          | Eth-Trunk 1   | NA    | NA  | NA          | NA
LPU A | GigabitEthernet 2/0/11        | VLAN 11       | NA          | Eth-Trunk 2   | NA    | NA  | NA          | NA
LPU A | GigabitEthernet 2/0/13        | VLAN 13       | NA          | NA            | NA    | NA  | NA          | NA
LPU B | GigabitEthernet 2/0/10        | VLAN 10       | NA          | Eth-Trunk 1   | NA    | NA  | NA          | NA
LPU B | GigabitEthernet 2/0/11        | VLAN 11       | NA          | Eth-Trunk 2   | NA    | NA  | NA          | NA
LPU B | GigabitEthernet 2/0/13        | VLAN 13       | NA          | NA            | NA    | NA  | NA          | NA
MPU A | XGigabitEthernet 3/0/0, 3/0/1 | VLAN 10/11/13 | NA          | Eth-Trunk 0   | NA    | NA  | NA          | NA
MPU B | XGigabitEthernet 3/0/0, 3/0/1 | VLAN 10/11/13 | NA          | Eth-Trunk 0   | NA    | NA  | NA          | NA
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 10       | 10.0.0.2/24 | Eth-Trunk 0.1 | 10    | 10  | 10.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 11       | 11.0.0.2/24 | Eth-Trunk 0.2 | 11    | 11  | 11.0.0.1/24 | 120
SPU A | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 13       | 13.0.0.2/24 | Eth-Trunk 0.3 | 13    | NA  | NA          | NA
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 10       | 10.0.0.3/24 | Eth-Trunk 0.1 | 10    | 10  | 10.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 11       | 11.0.0.3/24 | Eth-Trunk 0.2 | 11    | 11  | 11.0.0.1/24 | 110
SPU B | XGigabitEthernet 0/0/1, 0/0/2 | VLAN 13       | 13.0.0.3/24 | Eth-Trunk 0.3 | 13    | NA  | NA          | NA

Configuration Roadmap
The configuration roadmap is as follows:
1. Check whether the interfaces of the LPUs are Up.
2. Check the service type of the SPUs.
3. Configure the interfaces of the LPUs.
4. Configure a TCP link.
5. Configure the interfaces of the SPUs.
6. Configure VRRP.
7. Configure the channel between SPU A and SPU B.
8. Check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.
9. Save the configuration.

Data Preparation
To complete the configuration, you need the following data (Figure 8-3 shows the detailed data):
- GE interfaces, VLAN IDs, and bound Eth-Trunks of LPU A and LPU B
- XGE interfaces, VLAN IDs, and bound Eth-Trunks of MPU A and MPU B
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU A
- XGE interfaces, IP addresses, bound Eth-Trunks, and dot1q values of SPU B
- ID and virtual IP address of the VRRP backup group and priorities of SPU A and SPU B

Procedure
Step 1 Check whether the interfaces of the LPUs are Up.
# Log in to MPU A and MPU B and check whether GE 2/0/13 of LPU A and GE 2/0/13 of LPU B are Up. If GE 2/0/13 is Down on either side, connect LPU A and LPU B of the two S9300s with a cable.
[MPU] display interface brief
Interface                 PHY   Protocol  InUti  OutUti  inErrors  outErrors
GigabitEthernet2/0/10     up    up        0%     0%      0         0
GigabitEthernet2/0/11     up    up        0%     0%      0         0
GigabitEthernet2/0/12     down  down      0%     0%      0         0
GigabitEthernet2/0/13     up    up        0%     0%      0         0
GigabitEthernet2/0/14     down  down      0%     0%      0         0
GigabitEthernet2/0/15     down  down      0%     0%      0         0
GigabitEthernet2/0/16     down  down      0%     0%      0         0

Step 2 Check the service type of the SPUs.

# Log in to SPU A and SPU B to check whether the service type of SPU A and SPU B is the firewall service in the system view.

<S9300> system-view
[S9300] display service-type
The service type is Firewall!

# If yes, proceed to the next step. If not, change the service type of SPU A and SPU B to the firewall service, and then restart SPU A and SPU B after the change.

[S9300] set service-type 1
The serivce type will be availble after you restart the board, please restart!

Step 3 Configure interfaces of the LPUs.

NOTE
By default, GE 2/0/10, GE 2/0/11, GE 2/0/13, XGE 3/0/0, and XGE 3/0/1 allow packets of VLAN 1 to pass through.

# Log in to MPU A and MPU B to create VLAN 10, VLAN 11, and VLAN 13, bind GE 2/0/10 on LPU A and GE 2/0/11 on LPU B to Eth-Trunk 1 and Eth-Trunk 2 respectively, and bind XGE 3/0/0 on MPU A and XGE 3/0/1 on MPU B to Eth-Trunk 0.

[MPU] vlan 10
[MPU-VLAN10] quit
[MPU] vlan 11
[MPU-VLAN11] quit
[MPU] vlan 13
[MPU-VLAN13] quit
[MPU] vlan 18
[MPU-VLAN18] quit
[MPU] interface eth-trunk0
[MPU-Eth-Trunk0] port link-type trunk
[MPU-Eth-Trunk0] port trunk allow-pass vlan 10 to 11
[MPU-Eth-Trunk0] port trunk allow-pass vlan 13
[MPU-Eth-Trunk0] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk0] quit
[MPU] interface eth-trunk1
[MPU-Eth-Trunk1] port link-type trunk
[MPU-Eth-Trunk1] port trunk allow-pass vlan 10
[MPU-Eth-Trunk1] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk1] quit
[MPU] interface eth-trunk2
[MPU-Eth-Trunk2] port link-type trunk
[MPU-Eth-Trunk2] port trunk allow-pass vlan 11
[MPU-Eth-Trunk2] undo port trunk allow-pass vlan 1
[MPU-Eth-Trunk2] quit
[MPU] interface gigabitethernet 2/0/10
[MPU-GigabitEthernet2/0/10] eth-trunk 1
[MPU-GigabitEthernet2/0/10] quit
[MPU] interface gigabitethernet 2/0/11
[MPU-GigabitEthernet2/0/11] eth-trunk 2
[MPU-GigabitEthernet2/0/11] quit
[MPU] interface xgigabitethernet 3/0/0
[MPU-XGigabitEthernet3/0/0] eth-trunk 0
[MPU-XGigabitEthernet3/0/0] quit
[MPU] interface xgigabitethernet 3/0/1
[MPU-XGigabitEthernet3/0/1] eth-trunk 0
[MPU-XGigabitEthernet3/0/1] quit

Step 4 Configure a TCP link.

# Log in to MPU A and MPU B to configure interfaces GE 2/0/13 as interfaces of the TCP link.

[MPU] interface gigabitethernet 2/0/13
[MPU-GigabitEthernet2/0/13] port link-type trunk
[MPU-GigabitEthernet2/0/13] port trunk allow-pass vlan 13
[MPU-GigabitEthernet2/0/13] undo port trunk allow-pass vlan 1
[MPU-GigabitEthernet2/0/13] quit

Step 5 Configure interfaces of SPUs.

# Log in to SPU A and SPU B to create Eth-Trunk 0 and bind XGE 0/0/1 and XGE 0/0/2 to Eth-Trunk 0.

[S9300] interface eth-trunk0
[S9300-Eth-Trunk0] quit
[S9300] interface xgigabitethernet 0/0/1
[S9300-XGigabitEthernet0/0/1] eth-trunk 0
[S9300-XGigabitEthernet0/0/1] quit
[S9300] interface xgigabitethernet 0/0/2
[S9300-XGigabitEthernet0/0/2] eth-trunk 0
[S9300-XGigabitEthernet0/0/2] quit

Step 6 Configure VRRP.

# Log in to SPU A.

- Set the IP address of Eth-Trunk 0.2 to 11.0.0.2/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 120.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.2/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 120.
- Set the IP address of Eth-Trunk 0.3 to 13.0.0.2/24 and set parameters of Eth-Trunk 0.3.

[S9300-A] interface eth-trunk0.2
[S9300-A-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-A-Eth-Trunk0.2] dot1q termination vid 11
[S9300-A-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-A-Eth-Trunk0.2] ip address 11.0.0.2 24
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-A-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-A-Eth-Trunk0.2] vrrp vrid 11 priority 120
[S9300-A-Eth-Trunk0.2] arp broadcast enable
[S9300-A-Eth-Trunk0.2] quit
[S9300-A] interface eth-trunk0.1
[S9300-A-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-A-Eth-Trunk0.1] dot1q termination vid 10
[S9300-A-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-A-Eth-Trunk0.1] ip address 10.0.0.2 24
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 priority 120
[S9300-A-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-A-Eth-Trunk0.1] arp broadcast enable
[S9300-A-Eth-Trunk0.1] quit
[S9300-A] interface eth-trunk0.3
[S9300-A-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-A-Eth-Trunk0.3] dot1q termination vid 13
[S9300-A-Eth-Trunk0.3] ip address 13.0.0.2 24
[S9300-A-Eth-Trunk0.3] arp broadcast enable
[S9300-A-Eth-Trunk0.3] quit

# Log in to SPU B.

- Set the IP address of Eth-Trunk 0.2 to 11.0.0.3/24, add Eth-Trunk 0.2 to VRRP backup group 11, set the virtual IP address of VRRP backup group 11 to 11.0.0.1/24, and set the priority of VRRP backup group 11 to 110.
- Set the IP address of Eth-Trunk 0.1 to 10.0.0.3/24, add Eth-Trunk 0.1 to VRRP backup group 10, set the virtual IP address of VRRP backup group 10 to 10.0.0.1/24, and set the priority of VRRP backup group 10 to 110.
- Set the IP address of Eth-Trunk 0.3 to 13.0.0.3/24 and set parameters of Eth-Trunk 0.3.

[S9300-B] interface eth-trunk0.2
[S9300-B-Eth-Trunk0.2] control-vid 11 dot1q-termination
[S9300-B-Eth-Trunk0.2] dot1q termination vid 11
[S9300-B-Eth-Trunk0.2] dot1q vrrp vid 11
[S9300-B-Eth-Trunk0.2] ip address 11.0.0.3 24
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 virtual-ip 11.0.0.1
[S9300-B-Eth-Trunk0.2] admin-vrrp vrid 11
[S9300-B-Eth-Trunk0.2] vrrp vrid 11 priority 110
[S9300-B-Eth-Trunk0.2] arp broadcast enable
[S9300-B-Eth-Trunk0.2] quit
[S9300-B] interface eth-trunk0.1
[S9300-B-Eth-Trunk0.1] control-vid 10 dot1q-termination
[S9300-B-Eth-Trunk0.1] dot1q termination vid 10
[S9300-B-Eth-Trunk0.1] dot1q vrrp vid 10
[S9300-B-Eth-Trunk0.1] ip address 10.0.0.3 24
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 virtual-ip 10.0.0.1
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 priority 110
[S9300-B-Eth-Trunk0.1] vrrp vrid 10 preempt-mode timer delay 3
[S9300-B-Eth-Trunk0.1] arp broadcast enable
[S9300-B-Eth-Trunk0.1] quit
[S9300-B] interface eth-trunk0.3
[S9300-B-Eth-Trunk0.3] control-vid 13 dot1q-termination
[S9300-B-Eth-Trunk0.3] dot1q termination vid 13
[S9300-B-Eth-Trunk0.3] ip address 13.0.0.3 24
[S9300-B-Eth-Trunk0.3] arp broadcast enable
[S9300-B-Eth-Trunk0.3] quit

Step 7 Configure the channel between SPU A and SPU B.

# Log in to SPU A to set the source IP address to 13.0.0.2, the destination IP address to 13.0.0.3, the source port number to 3001, and the destination port number to 4001 for the channel through which dual-system HSB data is synchronized.

[S9300] hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1

# Log in to SPU B to set the source IP address to 13.0.0.3, the destination IP address to 13.0.0.2, the source port number to 4001, and the destination port number to 3001 for the channel through which dual-system HSB data is synchronized. The local and peer addresses and the source and destination ports on SPU B mirror those configured on SPU A.

[S9300] hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
[S9300] hot-standby enable
[S9300] hot-standby-group detect fail-count 20 interval 1

Step 8 Verify the configuration.

NOTE
- If the value of State of SPU A is Master and the value of State of SPU B is Backup, it indicates that VRRP negotiation is correct.
- If the value of TCP State of the SPUs is CONNECT, it indicates that the channel between SPU A and SPU B is set up successfully.

# Log in to SPU A to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.

[S9300-A] display vrrp
Eth-Trunk0.1|Virtual Router 10
  State                             : Master
  Virtual IP                        : 10.0.0.1
  PriorityRun                       : 120
  PriorityConfig                    : 120
  MasterPriority                    : 120
  Preempt                           : YES
  Delay Time                        : 3
  TimerRun                          : 1
  TimerConfig                       : 1
  Auth Type                         : NONE
  Virtual Mac                       : 0000-5e00-0164
  Check TTL                         : YES
  Config type                       : member-vrrp
  Config track link-bfd down-number : 0
Eth-Trunk0.2|Virtual Router 11
  State                             : Master
  Virtual IP                        : 11.0.0.1
  PriorityRun                       : 120
  PriorityConfig                    : 120
  MasterPriority                    : 120
  Preempt                           : YES
  Delay Time                        : 3
  TimerRun                          : 1
  TimerConfig                       : 1
  Auth Type                         : NONE
  Virtual Mac                       : 0000-5e00-0165
  Check TTL                         : YES
  Config type                       : admin-vrrp
  Config track link-bfd down-number : 0
[S9300-A] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address      : 13.0.0.2
  Peer IP Address       : 13.0.0.3
  Source port           : 3001
  Destination port      : 4001
  Vpn Instance name     : NULL
  Keep Alive Time       : 1
  Fail Count            : 20
  Delete State          : NO
  Used State            : YES
  Enable State          : YES
  TCP State             : CONNECT
  Master Backup State   : START
  Slave Backup State    : START
  Packet State          : INITIAL

# Log in to SPU B to check whether VRRP negotiation is correct and whether the channel between SPU A and SPU B is set up successfully.

[S9300-B] display vrrp
Eth-Trunk0.1|Virtual Router 10
  State                             : Backup
  Virtual IP                        : 10.0.0.1
  PriorityRun                       : 110
  PriorityConfig                    : 110
  MasterPriority                    : 120
  Preempt                           : YES
  Delay Time                        : 0
  TimerRun                          : 1
  TimerConfig                       : 1
  Auth Type                         : NONE
  Virtual Mac                       : 0000-5e00-0164
  Check TTL                         : YES
  Config type                       : member-vrrp
  Config track link-bfd down-number : 0
Eth-Trunk0.2|Virtual Router 11
  State                             : Backup
  Virtual IP                        : 11.0.0.1
  PriorityRun                       : 110
  PriorityConfig                    : 110
  MasterPriority                    : 120
  Preempt                           : YES
  Delay Time                        : 0
  TimerRun                          : 1
  TimerConfig                       : 1
  Auth Type                         : NONE
  Virtual Mac                       : 0000-5e00-0165
  Check TTL                         : YES
  Config type                       : admin-vrrp
  Config track link-bfd down-number : 0
[S9300-B] display hot-standby configuration
------------------HOT-STANDBY CONFIGURATION-------------------
  Local IP Address      : 13.0.0.3
  Peer IP Address       : 13.0.0.2
  Source port           : 4001
  Destination port      : 3001
  Vpn Instance name     : NULL
  Keep Alive Time       : 1
  Fail Count            : 20
  Delete State          : NO
  Used State            : YES
  Enable State          : YES
  TCP State             : CONNECT
  Master Backup State   : START
  Slave Backup State    : START
  Packet State          : INITIAL
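The Step 7 and Step 8 checks can be applied mechanically to the display output of both SPUs; the script below is an added example, not code from the guide or from the S9300, and its sample output is constructed from the values shown above, abridged to the fields the checks need.

```python
# Added example (not from the Huawei guide): parse "display vrrp" and "display
# hot-standby configuration" output of SPU A and SPU B and apply the Step 7/8 criteria.

def sample(state, prio, local, peer, sport, dport):
    """Constructed, abridged display output in the guide's key : value layout."""
    return f"""Eth-Trunk0.1|Virtual Router 10
State : {state}
PriorityRun : {prio}
Eth-Trunk0.2|Virtual Router 11
State : {state}
PriorityRun : {prio}
------------------HOT-STANDBY CONFIGURATION-------------------
Local IP Address : {local}
Peer IP Address : {peer}
Source port : {sport}
Destination port : {dport}
TCP State : CONNECT"""

SPU_A = sample("Master", 120, "13.0.0.2", "13.0.0.3", 3001, 4001)
SPU_B = sample("Backup", 110, "13.0.0.3", "13.0.0.2", 4001, 3001)

def parse(text):
    """Return ({vrid: {field: value}}, {hot-standby field: value}) for one SPU."""
    vrrp, hsb, cur = {}, {}, None
    for line in text.splitlines():
        if "|Virtual Router " in line:          # start of a VRRP backup group block
            cur = vrrp.setdefault(int(line.rsplit(" ", 1)[1]), {})
        elif "HOT-STANDBY" in line:             # start of the channel block
            cur = None
        elif ":" in line:
            key, _, val = line.partition(":")
            (hsb if cur is None else cur)[key.strip()] = val.strip()
    return vrrp, hsb

def check_pair(a_text, b_text):
    """Return the failed checks; an empty list means the setup matches the guide."""
    (va, ha), (vb, hb) = parse(a_text), parse(b_text)
    fails = []
    for x, y in (("Local IP Address", "Peer IP Address"), ("Source port", "Destination port")):
        if ha[x] != hb[y] or ha[y] != hb[x]:     # Step 7: endpoints must mirror
            fails.append(f"channel {x}/{y} not mirrored between the SPUs")
    fails += [f"SPU {n}: TCP State is not CONNECT" for n, h in (("A", ha), ("B", hb))
              if h.get("TCP State") != "CONNECT"]
    for vrid in sorted(set(va) | set(vb)):      # Step 8: A Master, B Backup
        if vrid not in va or vrid not in vb:
            fails.append(f"VRID {vrid} is configured on only one SPU")
        elif (va[vrid]["State"], vb[vrid]["State"]) != ("Master", "Backup"):
            fails.append(f"VRID {vrid}: expected SPU A Master and SPU B Backup")
        elif int(va[vrid]["PriorityRun"]) <= int(vb[vrid]["PriorityRun"]):
            fails.append(f"VRID {vrid}: SPU A priority must exceed SPU B")
    return fails
```

Feed the real output of both SPUs to `check_pair`; a non-empty result names the step whose criterion is not met.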

Step 9 Save the configuration.

# Log in to the MPU and run the following command in the user view to save the configuration:

<MPU> save

# Log in to the SPU and run the following command in the user view to save the configuration:

<S9300> save

----End

Configuration Files

- Configuration file of MPU A and MPU B

#
vlan batch 1 10 to 11 13 18
#
interface eth-trunk0
 port link-type trunk
 port trunk allow-pass vlan 10 to 11
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
interface eth-trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
 undo port trunk allow-pass vlan 1
#
interface eth-trunk2
 port link-type trunk
 port trunk allow-pass vlan 11
 undo port trunk allow-pass vlan 1
#
interface gigabitethernet2/0/10
 eth-trunk 1
#
interface gigabitethernet2/0/11
 eth-trunk 2
#
interface xgigabitethernet3/0/0
 eth-trunk 0
#
interface xgigabitethernet3/0/1
 eth-trunk 0
#
interface gigabitethernet2/0/13
 port link-type trunk
 port trunk allow-pass vlan 13
 undo port trunk allow-pass vlan 1
#
return
#
save

- Configuration file of S9300 A

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.2 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 admin-vrrp vrid 11
 vrrp vrid 11 priority 120
 arp broadcast enable
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.2 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
 vrrp vrid 10 priority 120
 vrrp vrid 10 preempt-mode timer delay 3
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.2 24
 arp broadcast enable
#
hot-standby-group local 13.0.0.2 peer 13.0.0.3 src-data-port 3001 dst-data-port 4001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
#
return
#
save

- Configuration file of S9300 B

#
interface eth-trunk0
#
interface xgigabitethernet0/0/1
 eth-trunk 0
interface xgigabitethernet0/0/2
 eth-trunk 0
#
interface eth-trunk0.2
 control-vid 11 dot1q-termination
 dot1q termination vid 11
 dot1q vrrp vid 11
 ip address 11.0.0.3 24
 vrrp vrid 11 virtual-ip 11.0.0.1
 admin-vrrp vrid 11
 vrrp vrid 11 priority 110
 arp broadcast enable
#
interface eth-trunk0.1
 control-vid 10 dot1q-termination
 dot1q termination vid 10
 dot1q vrrp vid 10
 ip address 10.0.0.3 24
 vrrp vrid 10 virtual-ip 10.0.0.1
 vrrp vrid 10 track admin-vrrp interface eth-trunk0.2 vrid 11 unflowdown
 vrrp vrid 10 priority 110
 vrrp vrid 10 preempt-mode timer delay 3
 arp broadcast enable
#
interface eth-trunk0.3
 control-vid 13 dot1q-termination
 dot1q termination vid 13
 ip address 13.0.0.3 24
 arp broadcast enable
#
hot-standby-group local 13.0.0.3 peer 13.0.0.2 src-data-port 4001 dst-data-port 3001
hot-standby enable
hot-standby-group detect fail-count 20 interval 1
#
return
#
save
