HCNP-IENetwork Performance Lab Guide V1.6 162 Pages Firewall QOS
May 8, 2017 | Author: Chua Hian Koon | Category: N/A
Short Description
HCNP IENetwork Performance Lab Guide V1.6 162 Pages Firewall QOS...
Description
HCNP-IENP
Huawei Certification
HCNP-R&S-IENP Improving Enterprise Network Performance Lab Guide
Huawei Technologies Co.,Ltd
HUAWEI TECHNOLOGIES
HCNP-IENP
Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, expressed or implied.
Huawei Certification HCNP-IENP Improving Enterprise Network Performance Lab Guide
Edition 1.6
HUAWEI TECHNOLOGIES
HCNP-IENP
Huawei Certification System Relying on its strong technical and professional training system, in accordance with different customers at different levels of ICT technology, Huawei certification is committed to provide customs with authentic, professional certification. Based on characteristics of ICT technologies and customers’needs at different levels, Huawei certification provides customers with certification system of four levels. HCNA (Huawei Certification Network Associate) is primary for IP network maintenance engineers, and any others who want to build an understanding of the IP network. HCNA certification covers the TCP/IP basics, routing, switching and other common foundational knowledge of IP networks, together with Huawei communications products, versatile routing platform VRP characteristics and basic maintenance. HCNP-Enterprise (Huawei Certification Datacom Professional-Enterprise) is aimed at enterprise-class network maintenance engineers, network design engineers, and any others who want to grasp in depth routing, switching, network adjustment and optimization technologies. HCNP-Enterprise consists of IESN (Implement Enterprise Switch Network), IERN (Implement Enterprise Routing Network), and IENP (Improving Enterprise Network performance), which includes advanced IPv4 routing and switching technology principles, network security, high availability and QoS, as well as the configuration of Huawei products. HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is designed to endue engineers with a variety of IP technologies and proficiency in the maintenance, diagnostics and troubleshooting of Huawei products, which equips engineers with competence in planning, design and optimization of large-scale IP networks.
HUAWEI TECHNOLOGIES
HCNP-IENP
Referenced icon
Router
L3 Switch
L2 Switch
Firewall
Serial line
Ethernet line
HUAWEI TECHNOLOGIES
Net cloud
HCNP-IENP
Lab environment specification The Lab environment is suggested below:
Identifier
Device
OS version
R1
AR 2220
Version 5.90 ( V200R001C01SPC300)
R2
AR 2220
Version 5.90 ( V200R001C01SPC300)
R3
AR 2220
Version 5.90 ( V200R001C01SPC300)
R4
AR 1220
Version 5.90 ( V200R001C01SPC300)
R5
AR 1220
Version 5.90 ( V200R001C01SPC300)
S1
S5700-28C-EI-24S
Version 5.70 (V100R006C00SPC800)
S2
S5700-28C-EI-24S
Version 5.70 (V100R006C00SPC800)
S3
S3700-28TP-EI-AC
Version 5.70 (V100R006C00SPC800)
S4
S3700-28TP-EI-AC
Version 5.70 (V100R006C00SPC800)
FW1
Eudemon 200E-X2
Version 5.30 (V100R005C00SPC100)
FW2
Eudemon 200E-X2
Version 5.30 (V100R005C00SPC100)
HUAWEI TECHNOLOGIES
HCNP-IENP
CONTENTS Chapter 1 Implementing firewall functions and features ................................................................... 1 Lab 1-1 Security Zone Configuration and Configurations for Other Basic Functions on a Firewall .. 1 Lab 1-2 IPSec VPN Configuration on a Eudemon Firewall ............................................................. 23 Lab 1-3 Attack Defense Configuration on a Firewall ..................................................................... 46 Lab 1-4 NAT Configuration on a Eudemon Firewall ...................................................................... 61 Lab 1-5 Dual-System Hot Backup Configuration for Eudemon Firewalls ....................................... 77 Chapter 2 QoS and traffic flow management ................................................................................. 106 Lab 2-1 QoS ................................................................................................................................ 106 Lab 2-2 Traffic Control Based on the Traffic Policy ..................................................................... 127 Chapter 3 Integrated Lab Assessment ............................................................................................ 144 Lab 3-1 Integrated Lab-1 (Optional) ........................................................................................... 144 Lab 3-2 Integrated Lab2 (Optional)............................................................................................. 150
HUAWEI TECHNOLOGIES
HCNP-IENP Chapter 1 Implementing firewall functions and features
Chapter 1 Implementing firewall functions and features Lab 1-1 Security Zone Configuration and Configurations for Other Basic Functions on a Firewall Learning Objectives The objectives of this lab are to learn and understand:
Security zone configuration for the firewall
Packet filtering configuration in the interzone
Static and dynamic blacklist configurations
Packet filtering configuration at the application layer
HC Series
HUAWEI TECHNOLOGIES
1
HCNP-IENP Chapter 1 Implementing firewall functions and features
Topology
Figure 1-1 Zone configuration
Scenario Assume that you are a network administrator of an enterprise. The headquarters network consists of an internal zone (trusted), an external zone (untrusted), and a server zone (DMZ). You need to use a firewall to control data and create blacklists to protect the intranet against network attacks.
Tasks Step 1 Configure IP addresses. Configure IP addresses for R1, R2, and R3. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1
2
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24 [R1-GigabitEthernet0/0/1]interface loopback 0 [R1-LoopBack0]ip address 10.0.1.1 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2 [R2]interface GigabitEthernet0/0/1 [R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24 [R2-GigabitEthernet0/0/1]interface loopback 0 [R2-LoopBack0]ip address 10.0.2.2 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet 0/0/1 [R3-GigabitEthernet0/0/1]ip address 10.0.30.1 24 [R3-GigabitEthernet0/0/1]interface loopback 0 [R3-LoopBack0]ip address 10.0.3.3 24
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be configured with an IP address. In the lab, configure VLAN 12 on the firewall and create a VLANIF 12. Configure the VLANIF 12 IP address as the IP address of the gateway for the trusted zone. By default, the firewall configures an IP address for VLANIF 1. To prevent interference, delete the VLANIF 1 configuration. system-view Enter system view, return user view with Ctrl+Z. [Eudemon 200E]sysname FW [FW]vlan 12 [FW-vlan-12]quit [FW]interface vlanif 12 [FW-Vlanif12]ip address 10.0.20.254 24 [FW-Vlanif12]interface Ethernet 1/0/0 [FW-Ethernet1/0/0]port access vlan 12 [FW-Ethernet1/0/0]interface Ethernet 0/0/0 [FW-Ethernet0/0/0]ip address 10.0.10.254 24 [FW-Ethernet0/0/0]interface ethernet 2/0/0 [FW-Ethernet2/0/0]ip address 10.0.30.254 24 [FW-Ethernet2/0/0]quit [FW]undo interface Vlanif 1
HC Series
HUAWEI TECHNOLOGIES
3
HCNP-IENP Chapter 1 Implementing firewall functions and features
Plan VLANs for interfaces on S1. [Quidway]sysname S1 [S1]vlan batch 11 to 13 [S1]interface GigabitEthernet 0/0/1 [S1-GigabitEthernet0/0/1]port link-type access [S1-GigabitEthernet0/0/1]port default vlan 11 [S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]port link-type access [S1-GigabitEthernet0/0/2]port default vlan 12 [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]port link-type access [S1-GigabitEthernet0/0/3]port default vlan 13 [S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21 [S1-GigabitEthernet0/0/21]port link-type access [S1-GigabitEthernet0/0/21]port default vlan 11 [S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22 [S1-GigabitEthernet0/0/22]port link-type access [S1-GigabitEthernet0/0/22]port default vlan 12 [S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23 [S1-GigabitEthernet0/0/23]port link-type access [S1-GigabitEthernet0/0/23]port default vlan 13
Test the connectivity on each zone on the FW. [FW]ping 10.0.10.1 PING 10.0.10.1: 56 data bytes, press CTRL_C to break Request time out Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.10.1 ping statistics --5 packet(s) transmitted 4 packet(s) received 20.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW]ping 10.0.20.1 PING 10.0.20.1: 56 data bytes, press CTRL_C to break Request time out Reply from 10.0.20.1: bytes=56 Sequence=2 ttl=255 time=1 ms
4
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.20.1 ping statistics --5 packet(s) transmitted 4 packet(s) received 20.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW]ping 10.0.30.1 PING 10.0.30.1: 56 data bytes, press CTRL_C to break Request time out Reply from 10.0.30.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.30.1 ping statistics --5 packet(s) transmitted 4 packet(s) received 20.00% packet loss round-trip min/avg/max = 1/1/1 ms
Configure default routes for R1, R2, and R3. Configure static routes on the FW to implement communication among network segments to which three loopback 0 interfaces are connected. [R1]ip route-static 0.0.0.0 0 10.0.10.254 [R2]ip route-static 0.0.0.0 0 10.0.20.254 [R3]ip route-static 0.0.0.0 0 10.0.30.254 [FW]ip route-static 10.0.1.0 24 10.0.10.1 [FW]ip route-static 10.0.2.0 24 10.0.20.1 [FW]ip route-static 10.0.3.0 24 10.0.30.1
Test the connectivity among network segments to which three loopback 0 interfaces are connected. [R1]ping -a 10.0.1.1 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms
HC Series
HUAWEI TECHNOLOGIES
5
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=4 ms Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=2 ms Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.2.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/3/4 ms [R1]ping -a 10.0.1.1 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=4 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/4 ms
By default, four security zones are located on a firewall. They are local, trusted, untrusted, and DMZ zones. In this lab, we need to add interfaces to the trusted, untrusted, and DMZ zones. [FW]firewall zone dmz [FW-zone-dmz]add interface Ethernet 2/0/0 [FW-zone-dmz]firewall zone trust [FW-zone-trust]add interface Vlanif 12 [FW-zone-trust]firewall zone untrust [FW-zone-untrust]add interface Ethernet 0/0/0
By default, communication among all zones is normal. Therefore, the communication does not need to be checked. [FW]dis firewall packet-filter default all 10:28:18 2011/12/24 Firewall default packet-filter action is :
6
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features packet-filter in public: local -> trust : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null local -> untrust : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null local -> dmz : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null trust -> untrust : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null trust -> dmz : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null dmz -> untrust : inbound : default: permit; || IPv6-acl: null outbound : default: permit; || IPv6-acl: null packet-filter between VFW:
The preceding information shows that all security zones allow packets in all directions to pass through. Test connectivity between security zones. From the untrusted zone to the trusted zone: ping -a 10.0.1.1 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.2.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms
From the untrusted zone to the DMZ zone:
HC Series
HUAWEI TECHNOLOGIES
7
HCNP-IENP Chapter 1 Implementing firewall functions and features ping -a 10.0.1.1 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/5 ms
From the trusted zone to the untrusted zone: ping -a 10.0.2.2 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms
From the trusted zone to the DMZ zone: ping -a 10.0.2.2 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss
8
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features round-trip min/avg/max = 3/3/5 ms
From the DMZ zone to the untrusted zone: ping -a 10.0.3.3 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms
From the DMZ zone to the trusted zone: ping -a 10.0.3.3 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.2.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/5 ms
Step 2 Configure interzone packet filtering. The packet filtering policy controls packet forwarding among security zones. The packet filtering policy configuration affects most devices functions. Configure a default packet filtering policy that allows packets to be sent only from the trusted zone to other security zones.
HC Series
HUAWEI TECHNOLOGIES
9
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW]firewall packet-filter default deny all [FW]firewall packet-filter default permit interzone trust untrust direction outbound [FW]firewall packet-filter default permit interzone trust dmz direction outbound [FW]firewall session link-state check
Test connectivity between security zones. From the untrusted zone to the trusted zone: [R1]ping -a 10.0.1.1 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.2.2 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
From the untrusted zone to the DMZ zone: [R1]ping -a 10.0.1.1 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.3.3 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
From the trusted zone to the untrusted zone: [R2]ping -a 10.0.2.2 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms 10
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms
From the trusted zone to the DMZ zone: [R2]ping -a 10.0.2.2 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/5 ms
From the DMZ zone to the untrusted zone: [R3]ping -a 10.0.3.3 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.1.1 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
From the DMZ zone to the trusted zone: [R3]ping -a 10.0.3.3 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break
HC Series
HUAWEI TECHNOLOGIES
11
HCNP-IENP Chapter 1 Implementing firewall functions and features Request time out Request time out Request time out Request time out Request time out --- 10.0.2.2 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
Configure an interzone packet filtering policy that allows packets to be sent from the untrusted zone to a specific server in the DMZ zone. The server's IP address is 10.0.3.3. Enable Telnet in the untrusted zone. Enable ICMP ping for connectivity tests. [FW]policy interzone dmz untrust inbound [FW-policy-interzone-dmz-untrust-inbound]policy 1 [FW-policy-interzone-dmz-untrust-inbound-1]policy service service-set icmp [FW-policy-interzone-dmz-untrust-inbound-1]policy destination 10.0.3.3 0 [FW-policy-interzone-dmz-untrust-inbound-1]action permit [FW-policy-interzone-dmz-untrust-inbound-1]quit [FW-policy-interzone-dmz-untrust-inbound]policy 2 [FW-policy-interzone-dmz-untrust-inbound-2]policy service service-set telnet [FW-policy-interzone-dmz-untrust-inbound-2]policy destination 10.0.3.3 0 [FW-policy-interzone-dmz-untrust-inbound-2]action permit [FW-policy-interzone-dmz-untrust-inbound-2]quit [FW-policy-interzone-dmz-untrust-inbound]policy 3 [FW-policy-interzone-dmz-untrust-inbound-3]action deny
Enable Telnet on R3 for Telnet tests. [R3]user-interface vty 0 4 [R3-ui-vty0-4]authentication-mode none
Test network connectivity. ping 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=2 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=2 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=4 ms
12
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=2 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/4 ms ping 10.0.30.1 PING 10.0.30.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.30.1 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss telnet 10.0.3.3 Press CTRL_] to quit telnet mode Trying 10.0.3.3 ... Connected to 10.0.3.3 ... quit Configuration console exit, please retry to log on The connection was closed by the remote host telnet 10.0.30.3 Press CTRL_] to quit telnet mode Trying 10.0.30.3 ...
Step 3 Configure blacklists. A blacklist identifies IP addresses and match entries to quickly filter out users with specific IP addresses. The blacklist can be dynamically added or deleted. Compared to packet filtering, the blacklist matches entries and filters out users faster and consumes fewer system resources. If a device considers a user untrusted, the device adds the user's IP address
HC Series
HUAWEI TECHNOLOGIES
13
HCNP-IENP Chapter 1 Implementing firewall functions and features
to the blacklist. Upon receiving a packet whose source IP address is the IP address in the blacklist, the device discards the packet to protect the network. The following assumes that multiple IP addresses continually scan interfaces in the untrusted zone of the enterprise network. You need to take preventive measures. The IP address 10.0.111.1 launches multiple attacks. You need to filter out packets sent from this IP address. Create a loopback interface on R1 to simulate an attack. Configure a static route for the firewall. [R1]int LoopBack 1 [R1-LoopBack1]ip address 10.0.111.1 24 [FW]ip route-static 10.0.111.0 24 10.0.10.1
Enable the defense against port scanning. The test results on port scanning attacks are automatically imported to the blacklist. [FW]firewall defend port-scan enable
Set the threshold of the scanning rate to 5000 pps. The threshold specifies the rate at which a source IP address changes IP packets that are to be sent to the destination port. If the rate is high, there is a high probability that the source IP address is scanning all ports in the destination IP address. [FW]firewall defend port-scan max-rate 5000
Set the timeout period of the blacklist to 30 minutes. The blacklist entries dynamically generated are deleted after 30 minutes. [FW]firewall defend port-scan blacklist-timeout 30
Before creating a blacklist statically, ensure that the loopback interface with the IP address of 10.0.111.1 can communicate with the loopback interface on R3. Test the connectivity. [R1]ping -a 10.0.111.1 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=4 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=3 ms 14
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/4 ms
Create a blacklist statically and add 10.0.111.1 to the blacklist. The firewall discards packets sent from this IP address before the IP address is manually deleted from the blacklist. [FW]firewall blacklist enable [FW]firewall blacklist item 10.0.111.1
Test the connectivity. [R1]ping -a 10.0.111.1 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.3.3 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss
Step 4 Configure ASPF. Application Specific Packet Filter (ASPF) functions as an important help among multi-channel protocols and NAT applications. ASPF allows an intranet to provide FTP and TFTP services to external users and prevents intranet users from downloading risky controls when they access web servers on extranets. Besides FTP and TFTP services that the enterprise provides, intranet users need to access extranet web pages. Risky java controls may exist on HC Series
HUAWEI TECHNOLOGIES
15
HCNP-IENP Chapter 1 Implementing firewall functions and features
these web pages. FTP is a predefined protocol. Devices in security zones can forward FTP packets properly after the detect ftp function is applied. TFTP packets, however, can only be forwarded after triplet ASPF is enabled. Create two ACLs. ACL 2001 defines matching rules for traffic that web servers on extranets send to the intranet and matches traffic used for blocking risky controls. [FW]acl 2001 [FW-acl-basic-2001]rule permit source 10.0.2.0 0.0.0.255 [FW-acl-basic-2001]quit
ACL 3001 defines matching rules for traffic sent to the TFTP server on the intranet. TFTP services require user-defined port number. Create a separate ACL. [FW]acl 3001 [FW-acl-adv-3001]rule permit udp destination-port eq tftp [FW-acl-adv-3001]quit
Detect FTP services in the interzone to implement proper forwarding of FTP packets. Run the detect user-define command to implement proper forwarding of TFTP packets. [FW]firewall interzone trust dmz [FW-interzone-trust-dmz]detect ftp [FW-interzone-trust-dmz]detect user-defined 3001 outbound [FW-interzone-trust-dmz]quit
Run the detect java-blocking command in the interzone to prevent the download of risky java controls. [FW]firewall interzone trust untrust [FW-interzone-trust-untrust]detect java-blocking 2001 outbound [FW-interzone-trust-untrust]quit
The ASPF function determines whether packets of some special protocols are properly forwarded. When an exception occurs on services of a special protocol, locate the problem in the following method: Run the display interzone command to view the interzone configuration. Verify the ASPF configuration. [FW]display interzone 15:42:11 2011/12/25
16
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features interzone trust untrust detect java-blocking 2001 outbound # interzone trust dmz detect ftp detect user-defined 3001 outbound #
Additional Exercises: Analyzing and Verifying How can you plan the network for an enterprise that has a large number of users and requires multiple services? What methods can simplify the configuration?
Final Configurations [R1]display current-configuration [V200R001C00SPC200] # sysname R1 # interface GigabitEthernet0/0/1 ip address 10.0.10.1 255.255.255.0 # interface LoopBack0 ip address 10.0.1.1 255.255.255.0 # interface LoopBack1 ip address 10.0.111.1 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.10.254 # return [R2]display current-configuration [V200R001C00SPC200] # sysname R2 # interface GigabitEthernet0/0/1 ip address 10.0.20.1 255.255.255.0 #
HC Series
HUAWEI TECHNOLOGIES
17
HCNP-IENP Chapter 1 Implementing firewall functions and features interface LoopBack0 ip address 10.0.2.2 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.20.254 # return [R3]display current-configuration [V200R001C00SPC200] # sysname R3 # interface GigabitEthernet0/0/1 ip address 10.0.30.1 255.255.255.0 # interface LoopBack0 ip address 10.0.3.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.30.254 # return [FW]display current-configuration # sysname FW # firewall packet-filter default deny interzone local trust direction inbound firewall packet-filter default deny interzone local trust direction outbound firewall packet-filter default deny interzone local untrust direction inbound firewall packet-filter default deny interzone local untrust direction outbound firewall packet-filter default deny interzone local dmz direction inbound firewall packet-filter default deny interzone local dmz direction outbound firewall packet-filter default deny interzone trust untrust direction inbound firewall packet-filter default deny interzone trust dmz direction inbound firewall packet-filter default deny interzone dmz untrust direction inbound firewall packet-filter default deny interzone dmz untrust direction outbound # undo firewall ipv6 session link-state check # vlan batch 1 12 # undo firewall session link-state check #
18
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features firewall defend port-scan enable firewall defend port-scan max-rate 5000 firewall defend port-scan blacklist-timeout 30 # runmode firewall # update schedule ips daily 5:51 update schedule av daily 5:51 security server domain sec.huawei.com # web-manager enable # l2fwdfast enable # acl number 2001 rule 5 permit source 10.0.2.0 0.0.0.255 # acl number 3001 rule 5 permit udp destination-port eq tftp # interface Vlanif12 ip address 10.0.20.254 255.255.255.0 # interface Cellular5/0/0 link-protocol ppp # interface Ethernet0/0/0 ip address 10.0.10.254 255.255.255.0 # interface Ethernet1/0/0 portswitch port link-type access port access vlan 12 # interface Ethernet2/0/0 ip address 10.0.30.254 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Vlanif12
HC Series
HUAWEI TECHNOLOGIES
19
HCNP-IENP Chapter 1 Implementing firewall functions and features # firewall zone untrust set priority 5 add interface Ethernet0/0/0 # firewall zone dmz set priority 50 add interface Ethernet2/0/0 # firewall interzone trust untrust detect java-blocking 2001 outbound # firewall interzone trust dmz detect ftp detect user-defined 3001 outbound # nqa-jitter tag-version 1 # ip route-static 10.0.1.0 255.255.255.0 10.0.10.1 ip route-static 10.0.2.0 255.255.255.0 10.0.20.1 ip route-static 10.0.3.0 255.255.255.0 10.0.30.1 ip route-static 10.0.111.0 255.255.255.0 10.0.10.1 # banner enable # firewall blacklist enable firewall blacklist item 10.0.111.1 # user-interface con 0 user-interface tty 2 authentication-mode none modem both user-interface vty 0 4 # slb # cwmp # right-manager server-group # policy interzone dmz untrust inbound policy 1
20
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features action permit policy service service-set icmp policy destination 10.0.3.3 0 policy 2 action permit policy service service-set telnet policy destination 10.0.3.3 0 policy 3 action deny # return [S1]display current-configuration # !Software Version V100R006C00SPC800 sysname S1 # vlan batch 11 to 13 # interface GigabitEthernet0/0/1 port link-type access port default vlan 11 # interface GigabitEthernet0/0/2 port link-type access port default vlan 12 # interface GigabitEthernet0/0/3 port link-type access port default vlan 13 # interface GigabitEthernet0/0/21 port link-type access port default vlan 11 # interface GigabitEthernet0/0/22 port link-type access port default vlan 12 # interface GigabitEthernet0/0/23 port link-type access
HC Series
HUAWEI TECHNOLOGIES
21
HCNP-IENP Chapter 1 Implementing firewall functions and features port default vlan 13 # return
22
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Lab 1-2 IPSec VPN Configuration on a Eudemon Firewall Learning Objectives The objectives of this lab are to learn and understand:
IPSec VPN configuration on a Eudemon
GRE over IPSec VPN configuration on a Eudemon
IPSec VPN configuration on a router
GRE over IPSec VPN configuration on a router
Topology
Figure 1-2 VPN configuration for Eudemons
Scenario Assume that you are a network administrator of an enterprise. The enterprise network consists of the headquarters network, branch networks, and branch office networks. You need to configure users in the trusted zones of branch networks and branch office networks to access the trusted zone of the headquarters network. Data is encrypted and transmitted between the headquarters network and branch networks, HC Series
HUAWEI TECHNOLOGIES
23
HCNP-IENP Chapter 1 Implementing firewall functions and features
and between the headquarters network and branch office networks.
Tasks Step 1 Configure IP addresses. S1 and S2 connect the firewall to routers in the lab and require no configuration. Before the lab, reset configurations of S1 and S2 and restart S1 and S2. Configure IP addresses and masks for all routers. The mask length of each loopback interface is 24 bits. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1 [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24 [R1-GigabitEthernet0/0/1]interface Serial 1/0/0 [R1-Serial1/0/0]ip address 10.0.12.1 24 [R1-Serial1/0/0]interface loopback 0 [R1-LoopBack0]ip address 10.0.1.1 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2 [R2]interface GigabitEthernet0/0/1 [R2-GigabitEthernet0/0/2]ip address 10.0.20.1 24 [R2-GigabitEthernet0/0/2]interface Serial 1/0/0 [R2-Serial1/0/0]ip address 10.0.12.2 24 [R2-Serial1/0/0]interface Serial2/0/0 [R2-Serial2/0/0]ip address 10.0.23.2 24 [R2-Serial2/0/0]interface loopback 0 [R2-LoopBack0]ip address 10.0.2.2 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface Serial2/0/0 [R3-Serial2/0/0]ip address 10.0.23.3 24 [R3-Serial2/0/0]interface loopback 0 [R3-LoopBack0]ip address 10.0.3.3 24
24
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Configure IP addresses for interfaces on FW1 and FW2. system-view Enter system view, return user view with Ctrl+Z. [Eudemon 200E]sysname FW1 [FW1]interface Ethernet 0/0/0 [FW1-Ethernet0/0/0]ip address 10.0.100.1 24 [FW1-Ethernet0/0/0]interface Ethernet 2/0/0 [FW1-Ethernet2/0/0]ip address 10.0.10.1 24 system-view Enter system view, return user view with Ctrl+Z. [Eudemon 200E]sysname FW2 [FW2]interface Ethernet 0/0/0 [FW2-Ethernet0/0/0]ip address 10.0.200.1 24 [FW2-Ethernet0/0/0]interface Ethernet 2/0/0 [FW2-Ethernet2/0/0]ip address 10.0.20.2 24
Configure trusted zones of FW1 and FW2, and add interfaces to the trusted zones. [FW1-zone-dmz]firewall zone trust [FW1-zone-dmz]add interface Ethernet 0/0/0 [FW1-zone-trust]firewall zone untrust [FW1-zone-untrust]add interface Ethernet 2/0/0 [FW2-zone-dmz]firewall zone trust [FW2-zone-dmz]add interface Ethernet 0/0/0 [FW2-zone-trust]firewall zone untrust [FW2-zone-untrust]add interface Ethernet 2/0/0
Step 2 Configuring security filtering between zones. Configure packets to transmit only from the trusted zone to the untrusted zone and from the untrusted zone to the local zone. [FW1]firewall packet-filter default permit interzone trust untrust [FW1]firewall packet-filter default permit interzone local untrust [FW2]firewall packet-filter default permit interzone trust untrust [FW2]firewall packet-filter default permit interzone local untrust
HC Series
HUAWEI TECHNOLOGIES
25
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 3 Configure routes to connect networks. Configure single-area OSPF on R1, R3, R3, FW1, and FW2. The network segments 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24, and 10.0.23.0/24 are connected. [R1]ospf 1 [R1-ospf-1]area 0.0.0.0 [R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255 [R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255 [R2]ospf 1 [R2-ospf-1]area 0.0.0.0 [R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255 [R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255 [R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255 [R3]ospf 1 [R3-ospf-1]area 0.0.0.0 [R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255 [FW1]ospf 1 [FW1-ospf-1]area 0.0.0.0 [FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255 [FW2]ospf 1 [FW2-ospf-1]area 0.0.0.0 [FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Test the connectivity between network segments on FW1 and FW2. [FW1]ping 10.0.20.2 PING 10.0.20.2: 56 data bytes, press CTRL_C to break Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=253 time=40 ms Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=253 time=30 ms Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=253 time=30 ms Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=253 time=40 ms Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=253 time=30 ms --- 10.0.20.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 30/34/40 ms
26
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW1]ping 10.0.23.3 PING 10.0.23.3: 56 data bytes, press CTRL_C to break Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=253 time=70 ms Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=253 time=60 ms Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=253 time=70 ms Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=253 time=70 ms Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=253 time=60 ms --- 10.0.23.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 60/66/70 ms [FW2]ping 10.0.10.1 PING 10.0.10.1: 56 data bytes, press CTRL_C to break Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=253 time=40 ms Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=253 time=30 ms Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=253 time=40 ms Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=253 time=30 ms Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=253 time=30 ms --- 10.0.10.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 30/34/40 ms [FW2]ping 10.0.23.3 PING 10.0.23.3: 56 data bytes, press CTRL_C to break Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=30 ms Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=30 ms Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=30 ms Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=30 ms Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=30 ms --- 10.0.23.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 30/30/30 ms
The test results show that the network segments 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24, and 10.0.23.0/24 are connected.
HC Series
HUAWEI TECHNOLOGIES
27
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 4 Configure IPSec VPN between a branch network and the headquarters network. Create an ACL to identify IPSec VPN traffic between FW1 and FW2. [FW1]acl 3000 [FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255 [FW2]acl 3000 [FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255
Configure static routes from a branch network to the headquarters intranet. [FW1]ip route-static 10.0.200.0 24 10.0.10.2 [FW2]ip route-static 10.0.100.0 24 10.0.20.1
Configure an IPSec proposal on FW1 and FW2. Set the encapsulation mode to tunnel mode. Use ESP to protect data. ESP uses the DES encryption algorithm and SHA1 authentication algorithm. [FW1]ipsec proposal tran1 [FW1-ipsec-proposal-tran1]encapsulation-mode tunnel [FW1-ipsec-proposal-tran1]transform esp [FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1 [FW1-ipsec-proposal-tran1]esp encryption-algorithm des [FW2]ipsec proposal tran1 [FW2-ipsec-proposal-tran1]encapsulation-mode tunnel [FW2-ipsec-proposal-tran1]transform esp [FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1 [FW2-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on FW1 and FW2. Set the encryption algorithm to DES and authentication algorithm to SHA1. [FW1]ike proposal 10 28
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW1-ike-proposal-10]authentication-algorithm sha1 [FW1-ike-proposal-10]encryption-algorithm des [FW2]ike proposal 10 [FW2-ike-proposal-10]authentication-algorithm sha1 [FW2-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation by default. Apply the IKE proposal and configure the preshared key and peer end's IP address on FW1 and FW2. [FW1]ike peer fw12 [FW1-ike-peer-fw12]ike-proposal 10 [FW1-ike-peer-fw12]remote-address 10.0.20.2 [FW1-ike-peer-fw12]pre-shared-key abcde [FW2]ike peer fw21 [FW2-ike-peer-fw21]ike-proposal 10 [FW2-ike-peer-fw21]remote-address 10.0.10.1 [FW2-ike-peer-fw21]pre-shared-key abcde
Configure an IPSec policy on FW1 and FW2. During the IPSec policy configuration, bind the ACL, IPSec proposal, and IKE peer to the IPSec policy. [FW1]ipsec policy map1 10 isakmp [FW1-ipsec-policy-isakmp-map1-10]security acl 3000 [FW1-ipsec-policy-isakmp-map1-10]proposal tran1 [FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12 [FW2]ipsec policy map1 10 isakmp [FW2-ipsec-policy-isakmp-map1-10]security acl 3000 [FW2-ipsec-policy-isakmp-map1-10]proposal tran1 [FW2-ipsec-policy-isakmp-map1-10]ike-peer fw21
Apply IPSec policies to interfaces on FW1 and FW2. [FW1]interface Ethernet2/0/0 [FW1-Ethernet2/0/0]ipsec policy map1 [FW2]interface Ethernet2/0/0 [FW2-Ethernet2/0/0]ipsec policy map1
HC Series
HUAWEI TECHNOLOGIES
29
HCNP-IENP Chapter 1 Implementing firewall functions and features
Test the connectivity between the branch intranet and the headquarters intranet. View the established IPSec. [FW1]ping -a 10.0.100.1 10.0.200.1 PING 10.0.200.1: 56 data bytes, press CTRL_C to break Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms --- 10.0.200.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 50/52/60 ms [FW1]display ike sa current ike sa number: 1 --------------------------------------------------------------------connection-id peer
vpn
flag
phase
doi
-------------------------------------------------------------------0x1a
10.0.20.2
0x1
0
10.0.20.2
0
RD RD|ST
v2:2
IPSEC
v2:1
IPSEC
flag meaning RD--READY
ST--STAYALIVE RL--REPLACED
TO--TIMEOUT TD--DELETING
FD--FADING
NEG--NEGOTIATING D—DPD
[FW1]display ipsec sa =============================== Interface: Ethernet2/0/0 path MTU: 1500 =============================== ----------------------------IPsec policy name: "map1" sequence number: 10 mode: isakmp vpn: 0 ----------------------------connection id: 9 rule number: 5 encapsulation mode: tunnel holding time: 0d 0h 0m 16s tunnel local : 10.0.10.1 flow
tunnel remote: 10.0.20.2
source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
30
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
[inbound ESP SAs] spi: 74331737 (0x46e3659) vpn: 0
said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 sa remaining key duration (bytes/sec): 1887436464/3584 max received sequence-number: 4 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 18969668 (0x1217444) vpn: 0
said: 1 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 sa remaining key duration (bytes/sec): 1887436464/3584 max sent sequence-number: 5 udp encapsulation used for nat traversal: N
The branch intranet can communicate with the headquarters intranet. Two ESP SAs are established bidirectionally between FW1 and FW2. Data is encrypted and transmitted between the branch networks and headquarters network.
Step 5 Configure IPSec VPN between a branch office network and the headquarters network. Create an ACL to identify IPSec VPN traffic to be sent between the branch office and the headquarters. [R3]acl 3000 [R3-acl-adv-3000]rule permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255 [FW2]acl 3001 [FW2-acl-adv-3001]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
Configure static routes from a branch network to the headquarters intranet. [R3]ip route-static 10.0.200.0 24 10.0.23.2 [FW2]ip route-static 10.0.3.0 24 10.0.20.1
HC Series
HUAWEI TECHNOLOGIES
31
HCNP-IENP Chapter 1 Implementing firewall functions and features
Configure an IPSec proposal on R3. Set the encapsulation mode to tunnel mode. Use ESP to protect data. ESP uses the DES encryption algorithm and SHA1 authentication algorithm. [R3]ipsec proposal tran1 [R3-ipsec-proposal-tran2]encapsulation-mode tunnel [R3-ipsec-proposal-tran2]transform esp [R3-ipsec-proposal-tran2]esp authentication-algorithm sha1 [R3-ipsec-proposal-tran2]esp encryption-algorithm des
Configure an IKE proposal on FW2 and R3. Set the encryption algorithm to DES and authentication algorithm to SHA1. [R3]ike proposal 10 [R3-ike-proposal-10]authentication-algorithm sha1 [R3-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation. Apply the IKE proposal and configure the preshared key and peer end's IP address on FW2 and R3. [FW2]ike peer fw23 [FW2-ike-peer-fw23]ike-proposal 10 [FW2-ike-peer-fw23]remote-address 10.0.23.3 [FW2-ike-peer-fw23]pre-shared-key abcde [R3]ike peer r32 v2 [R3-ike-peer-r32]ike-proposal 10 [R3-ike-peer-r32]remote-address 10.0.20.2 [R3-ike-peer-r32]pre-shared-key abcde
Configure an IPSec policy on F2W and R3. During the IPSec policy configuration, bind the ACL, IPSec proposal, and IKE peer to the IPSec policy. [FW2]ipsec policy map1 11 isakmp [FW2-ipsec-policy-isakmp-map1-11]security acl 3001 [FW2-ipsec-policy-isakmp-map1-11]proposal tran1 [FW2-ipsec-policy-isakmp-map1-11]ike-peer fw23
32
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
[R3]ipsec policy map1 10 isakmp [R3-ipsec-policy-isakmp-map2-10]security acl 3000 [R3-ipsec-policy-isakmp-map2-10]proposal tran1 [R3-ipsec-policy-isakmp-map2-10]ike-peer r32
Apply IPSec policies to interfaces on FW2 and R3. [FW2]interface Ethernet2/0/0 [FW2-Ethernet2/0/0]ipsec policy map1 [R3]interface Ethernet2/0/0 [R3-Ethernet2/0/0]ipsec policy map1
Test the connectivity between the branch office intranet and the headquarters intranet. View the established IPSec. To view the established IKE SA, use the v2 parameter in the command. [R3]ping -a 10.0.3.3 10.0.200.1 PING 10.0.200.1: 56 data bytes, press CTRL_C to break Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=48 ms Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=48 ms Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=48 ms Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=48 ms --- 10.0.200.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 48/48/50 ms [R3]display ike sa v2 Conn-ID Peer
VPN
Flag(s)
Phase
--------------------------------------------------------------2
10.0.20.2
0
RD|ST
2
1
10.0.20.2
0
RD|ST
1
Flag Description: RD--READY
ST--STAYALIVE
HRT--HEARTBEAT
RL--REPLACED
FD--FADING
LKG--LAST KNOWN GOOD SEQ NO.
TO--TIMEOUT
BCK--BACKED UP
[R3]display ipsec sa =============================== Interface: Serial2/0/0 Path MTU: 1500
HC Series
HUAWEI TECHNOLOGIES
33
HCNP-IENP Chapter 1 Implementing firewall functions and features =============================== ----------------------------IPSec policy name: "map2" Sequence number : 10 Mode
: ISAKMP
----------------------------Connection ID
: 2
Encapsulation mode: Tunnel Tunnel local
: 10.0.23.3
Tunnel remote
: 10.0.20.2
[Outbound ESP SAs] SPI: 247406703 (0xebf206f) Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1 SA remaining key duration (bytes/sec): 1887436380/3534 Max sent sequence-number: 5 UDP encapsulation used for NAT traversal: N [Inbound ESP SAs] SPI: 155207494 (0x9404746) Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1 SA remaining key duration (bytes/sec): 1887436380/3534 Max received sequence-number: 5 UDP encapsulation used for NAT traversal: N
The branch office intranet can communicate with the headquarters intranet. An IPSec VPN tunnel is established between FW2 and R3. Data is encrypted and transmitted between the branch office networks and headquarters network.
Step 6 Configure a GRE over IPSec VPN between a branch network and the headquarters network. The preceding steps configure communication among intranets.
static
routes
to
implement
As the scale of the network expands, the complexity associated with using a static route solution also increases. To solve this problem, use dynamic routing protocols to implement communication among networks. Dynamic routing protocols cannot function on IPSec tunnels. 34
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
GRE over IPSec supports dynamic routing protocols for network communication. Create a tunnel interface on FW1 and enable GRE. Add the tunnel interface to the untrusted zone of FW1. [FW1]interface tunnel 1 [FW1-Tunnel1]tunnel-protocol gre [FW1-Tunnel1]ip address 30.1.1.1 24 [FW1-Tunnel1]source 10.0.10.1 [FW1-Tunnel1]destination 10.0.20.2 [FW1-Tunnel1]firewall zone untrust [FW1-zone-untrust]add interface Tunnel 1
Create a tunnel interface on FW2 and enable GRE. Add the tunnel interface to the untrusted zone of FW2. [FW2]interface tunnel 1 [FW2-Tunnel1]tunnel-protocol gre [FW2-Tunnel1]ip address 30.1.1.2 24 [FW2-Tunnel1]source 10.0.20.2 [FW2-Tunnel1]destination 10.0.10.1 [FW2-Tunnel1]firewall zone untrust [FW2-zone-untrust]add interface Tunnel 1
Delete static routes configured in the preceding steps. Enable RIP (version 2) between a branch network and the headquarters intranet. [FW1]undo ip route-static 10.0.200.0 24 10.0.10.2 [FW1]rip [FW1-rip-1]version 2 [FW1-rip-1]network 30.0.0.0 [FW1-rip-1]network 10.0.0.0 [FW2]undo ip route-static 10.0.100.0 24 10.0.20.1 [FW2]rip [FW2-rip-1]version 2 [FW2-rip-1]network 30.0.0.0 [FW2-rip-1]network 10.0.0.0
Create an ACL and configure GRE encapsulated data packets to be encrypted by the IPSec policy on FW1 and FW2. Bind the IPSec policy to the new ACLs on FW1 and FW2.
HC Series
HUAWEI TECHNOLOGIES
35
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW1]acl 3001 [FW1-acl-adv-3001]rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0 [FW1-acl-adv-3001]quit [FW1]ipsec policy map1 10 isakmp [FW1-ipsec-policy-isakmp-map1-10]security acl 3001 [FW2]acl 3002 [FW2-acl-adv-3002]rule permit gre source 10.0.20.2 0 destination 10.0.10.1 0 [FW2-acl-adv-3002]quit [FW2]ipsec policy map1 10 isakmp [FW2-ipsec-policy-isakmp-map1-10]security acl 3002
Maintain all other configuration. Test the connectivity between the branch intranet and the headquarters intranet. View the established IPSec. [FW1]ping -a 10.0.100.1 10.0.200.1 PING 10.0.200.1: 56 data bytes, press CTRL_C to break Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=60 ms Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=50 ms Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=50 ms --- 10.0.200.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 50/52/60 ms [FW1]display ipsec sa =============================== Interface: Ethernet2/0/0 path MTU: 1500 =============================== ----------------------------IPsec policy name: "map1" sequence number: 10 mode: isakmp vpn: 0 ----------------------------connection id: 26 rule number: 5 encapsulation mode: tunnel holding time: 0d 0h 5m 21s
36
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features tunnel local : 10.0.10.1 flow
tunnel remote: 10.0.20.2
source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0 [inbound ESP SAs] spi: 240396810 (0xe542a0a) vpn: 0
said: 34 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 sa remaining key duration (bytes/sec): 1887436044/3279 max received sequence-number: 9 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 208723708 (0xc70defc) vpn: 0
said: 35 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1 sa remaining key duration (bytes/sec): 1887436044/3279 max sent sequence-number: 10 udp encapsulation used for nat traversal: N
The branch intranet can communicate with the headquarters intranet. A GRE over IPSec VPN tunnel is established between FW1 and FW2. RIP routing information is transmitted between the branch network and the headquarters network.
Step 7 Configure a GRE over IPSec VPN between a branch office network and the headquarters network. Create a tunnel interface on FW2 and enable GRE. Add the tunnel interface to the untrusted zone of FW2. [FW2]interface tunnel 2 [FW2-Tunnel2]tunnel-protocol gre [FW2-Tunnel2]ip address 40.1.1.1 24 [FW2-Tunnel2]source 10.0.20.2 [FW2-Tunnel2]destination 10.0.23.3 [FW2-Tunnel2]firewall zone untrust [FW2-zone-untrust]add interface Tunnel 2
Create a tunnel interface on R3 and enable GRE. [R3]interface tunnel 0/0/1
HC Series
HUAWEI TECHNOLOGIES
37
HCNP-IENP Chapter 1 Implementing firewall functions and features [R3-Tunnel0/0/1]tunnel-protocol gre [R3-Tunnel0/0/1]ip address 40.1.1.2 24 [R3-Tunnel0/0/1]source 10.0.23.3 [R3-Tunnel0/0/1]destination 10.0.20.2
Delete static routes configured in the preceding steps. Enable RIP (version 2) between a branch office network and the headquarters intranet. [FW2]undo ip route-static 10.0.3.0 24 10.0.20.1 [FW2]rip [FW2-rip-1]version 2 [FW2-rip-1]network 40.0.0.0 [R3]undo ip route-static 10.0.200.0 24 10.0.23.2 [R3]rip [R3-rip-1]version 2 [R3-rip-1]network 40.0.0.0 [R3-rip-1]network 10.0.0.0
Create an ACL to specify GRE encapsulated packets to be encrypted by the IPSec policy on R3 and FW2. Configure an IPSec policy and bind the IPSec policy to the ACL, IPSec proposal and IKE peer. [R3]acl 3001 [R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0 [R3-acl-adv-3001]quit [R3]ipsec policy map1 20 isakmp [R3-ipsec-policy-isakmp-map1-10]security acl 3001 [R3-ipsec-policy-isakmp-map1-20]proposal tran1 [R3-ipsec-policy-isakmp-map1-20]ike-peer r32 [FW2]acl 3003 [FW2-acl-adv-3003]rule permit gre source 10.0.20.2 0 destination 10.0.23.3 0 [FW2-acl-adv-3003]quit [FW2]ipsec policy map1 20 isakmp [FW2-ipsec-policy-isakmp-map1-20]security acl 3003 [FW2-ipsec-policy-isakmp-map1-20]proposal tran1 [FW2-ipsec-policy-isakmp-map1-20]ike-peer fw23
Maintain all other configuration.
38
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Test the connectivity between the branch office intranet and the headquarters intranet. View the established IPSec. [R3]ping -a 10.0.3.3 10.0.200.1 PING 10.0.200.1: 56 data bytes, press CTRL_C to break Reply from 10.0.200.1: bytes=56 Sequence=1 ttl=255 time=56 ms Reply from 10.0.200.1: bytes=56 Sequence=2 ttl=255 time=53 ms Reply from 10.0.200.1: bytes=56 Sequence=3 ttl=255 time=54 ms Reply from 10.0.200.1: bytes=56 Sequence=4 ttl=255 time=54 ms Reply from 10.0.200.1: bytes=56 Sequence=5 ttl=255 time=54 ms --- 10.0.200.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 53/54/56 ms [R3]display ipsec sa =============================== Interface: Serial2/0/0 Path MTU: 1500 =============================== ----------------------------IPSec policy name: "map2" Sequence number : 10 Mode
: ISAKMP
----------------------------Connection ID
: 2
Encapsulation mode: Tunnel Tunnel local
: 10.0.23.3
Tunnel remote
: 10.0.20.2
[Outbound ESP SAs] SPI: 247406703 (0xebf206f) Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1 SA remaining key duration (bytes/sec): 1887435120/1952 Max sent sequence-number: 20 UDP encapsulation used for NAT traversal: N [Inbound ESP SAs] SPI: 155207494 (0x9404746) Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1 SA remaining key duration (bytes/sec): 1887435120/1952 Max received sequence-number: 20 UDP encapsulation used for NAT traversal: N
The branch office network can communicate with the headquarters
HC Series
HUAWEI TECHNOLOGIES
39
HCNP-IENP Chapter 1 Implementing firewall functions and features
intranet. A GRE over IPSec VPN tunnel is established between FW2 and R3. Data is transmitted between the branch office network and the headquarters network using RIP.
Additional Exercises: Analyzing and Verifying For the IPSec configuration between the branch office network and the headquarters network described in Step 5, if R3 did not use IKEv2 to negotiate with FW2, could the IKE SA still be established?
Final Configurations [FW1]display current-configuration # sysname FW1 # acl number 3000 rule 5 permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255 # acl number 3001 rule 5 permit gre source 10.0.10.1 0 destination 10.0.20.2 0 # ike proposal 10 # ike peer fw12 pre-shared-key abcde ike-proposal 10 remote-address 10.0.20.2 # ipsec proposal tran1 esp authentication-algorithm sha1 # ipsec policy map1 10 isakmp security acl 3001 ike-peer fw12 proposal tran1 # interface Ethernet0/0/0 ip address 10.0.100.1 255.255.255.0 #
40
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features interface Ethernet2/0/0 ip address 10.0.10.1 255.255.255.0 ipsec policy map1 # interface Tunnel1 ip address 30.1.1.1 255.255.255.0 tunnel-protocol gre source 10.0.10.1 destination 10.0.20.2 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Ethernet0/0/0 # firewall zone untrust set priority 5 add interface Ethernet2/0/0 add interface Tunnel1 # ospf 1 area 0.0.0.0 network 10.0.10.0 0.0.0.255 # rip 1 version 2 network 30.0.0.0 network 10.0.0.0 # Return [FW2]display current-configuration # sysname FW2 # acl number 3000 rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255 # acl number 3001 rule 5 permit ip source 10.0.200.0 0.0.0.255 destination 10.0.3.0 0.0.0.255 #
HC Series
HUAWEI TECHNOLOGIES
41
HCNP-IENP Chapter 1 Implementing firewall functions and features acl number 3002 rule 5 permit gre source 10.0.20.2 0 destination 10.0.10.1 0 # acl number 3003 rule 5 permit gre source 10.0.20.2 0 destination 10.0.23.3 0 # ike proposal 10 # ike peer fw21 pre-shared-key abcde ike-proposal 10 remote-address 10.0.10.1 # ike peer fw23 pre-shared-key abcde ike-proposal 10 remote-address 10.0.23.3 # ipsec proposal tran1 esp authentication-algorithm sha1 # ipsec policy map1 10 isakmp security acl 3002 ike-peer fw21 proposal tran1 # ipsec policy map1 11 isakmp security acl 3001 ike-peer c proposal tran1 # ipsec policy map1 20 isakmp security acl 3003 ike-peer fw23 proposal tran1 # interface Ethernet0/0/0 ip address 10.0.200.1 255.255.255.0 # interface Ethernet2/0/0 ip address 10.0.20.2 255.255.255.0 ipsec policy map1 #
42
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features interface Tunnel1 ip address 30.1.1.2 255.255.255.0 tunnel-protocol gre source 10.0.20.2 destination 10.0.10.1 # interface Tunnel2 ip address 40.1.1.1 255.255.255.0 tunnel-protocol gre source 10.0.20.2 destination 10.0.23.3 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Ethernet0/0/0 # firewall zone untrust set priority 5 add interface Ethernet2/0/0 add interface Tunnel1 add interface Tunnel2 # firewall zone dmz set priority 50 # ospf 1 area 0.0.0.0 network 10.0.20.0 0.0.0.255 # rip 1 version 2 network 30.0.0.0 network 10.0.0.0 network 40.0.0.0 # Return [R3]display current-configuration [V200R001C00SPC200] #
HC Series
HUAWEI TECHNOLOGIES
43
HCNP-IENP Chapter 1 Implementing firewall functions and features sysname R3 # acl number 3000 rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0 0.0.0.255 # acl number 3001 rule 5 permit gre source 10.0.23.3 0 destination 10.0.20.2 0 # ipsec proposal tran1 esp authentication-algorithm sha1 # ike proposal 10 # ike peer r32 v2 pre-shared-key abcde ike-proposal 10 remote-address 10.0.20.2 # ipsec policy map1 10 isakmp security acl 3000 ike-peer r32 proposal tran1 # ipsec policy map1 20 isakmp security acl 3001 ike-peer r32 proposal tran1 # interface Serial2/0/0 link-protocol ppp ip address 10.0.23.3 255.255.255.0 ipsec policy map1 # interface LoopBack0 ip address 10.0.3.3 255.255.255.0 # interface Tunnel0/0/1 ip address 40.1.1.2 255.255.255.0 tunnel-protocol gre source 10.0.23.3 destination 10.0.20.2 # ospf 1
44
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features area 0.0.0.0 network 10.0.23.0 0.0.0.255 # rip 1 version 2 network 40.0.0.0 network 10.0.0.0 # Return
HC Series
HUAWEI TECHNOLOGIES
45
HCNP-IENP Chapter 1 Implementing firewall functions and features
Lab 1-3 Attack Defense Configuration on a Firewall Learning Objectives The objectives of this lab are to learn and understand:
Methods used to configure attack defense against traffic attacks
Methods used to configure attack defense against scanning and
snooping attacks
Methods used to configure attack defense against malformed
packet attacks
Methods used to configure attack defense against special packet
attacks
Topology
Figure 1-3 Attack defense configuration
46
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Scenario Assume that you are a network administrator of an enterprise. The enterprise network includes a firewall and a switch. R1 functions as a DHCP server, FW functions as the egress to the Internet, and S2 simulates a PC on the extranet. To improve network security, you need to apply security policies to the network and configure security policies on the firewall and the switch.
Tasks Step 1 Perform basic configurations
and configure IP
addresses. Configure IP addresses and masks for all devices. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1 [R1]interface GigabitEthernet0/0/1 [R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2 [R2]interface GigabitEthernet0/0/1 [R2-GigabitEthernet0/0/1]ip address 10.0.10.2 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet0/0/1 [R3-GigabitEthernet0/0/1]ip address 10.0.10.3 24 system-view Enter system view, return user view with Ctrl+Z. [Quidway]sysname S1 system-view Enter system view, return user view with Ctrl+Z.
HC Series
HUAWEI TECHNOLOGIES
47
HCNP-IENP Chapter 1 Implementing firewall functions and features [Eudemon 200E]sysname FW [FW]interface Ethernet 0/0/0 [FW-Ethernet0/0/0]ip address 10.0.10.254 24 [FW-Ethernet0/0/0]interface Ethernet 2/0/0 [FW-Ethernet2/0/0]ip address 100.0.0.1 24 system-view Enter system view, return user view with Ctrl+Z. [Quidway]sysname S2 [S2]vlan 100 [S2-vlan100]quit [S2]interface GigabitEthernet 0/0/9 [S2-GigabitEthernet0/0/9]port link-type access [S2-GigabitEthernet0/0/9]port default vlan 100 [S2-GigabitEthernet0/0/9]quit [S2]interface Vlanif 100 [S2-Vlanif100]ip address 100.0.0.2 24 [S1]vlan 100 [S1-vlan100]quit [S1]interface GigabitEthernet 0/0/9 [S1-GigabitEthernet0/0/9]port link-type access [S1-GigabitEthernet0/0/9]port default vlan 100 [S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/23 [S1-GigabitEthernet0/0/23]port link-type access [S1-GigabitEthernet0/0/23]port default vlan 100
Shut down G0/0/10, G0/0/13, and G0/0/14 on S1 to prevent side impacts on the lab. [S1]interface GigabitEthernet 0/0/10 [S1-GigabitEthernet0/0/10]shutdown [S1-GigabitEthernet0/0/10]interface GigabitEthernet 0/0/13 [S1-GigabitEthernet0/0/13]shutdown [S1-GigabitEthernet0/0/13]interface GigabitEthernet 0/0/14 [S1-GigabitEthernet0/0/14]shutdown
After configurations are complete, test the connectivity of direct links. [R1]ping -c 1 10.0.10.2 PING 10.0.10.2: 56 data bytes, press CTRL_C to break Reply from 10.0.10.2: bytes=56 Sequence=1 ttl=255 time=2 ms
48
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features --- 10.0.10.2 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/2 ms [R1]ping -c 1 10.0.10.3 PING 10.0.10.3: 56 data bytes, press CTRL_C to break Reply from 10.0.10.3: bytes=56 Sequence=1 ttl=255 time=2 ms --- 10.0.10.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/2 ms [R1]ping -c 1 10.0.10.254 PING 10.0.10.254: 56 data bytes, press CTRL_C to break Reply from 10.0.10.254: bytes=56 Sequence=1 ttl=255 time=3 ms --- 10.0.10.254 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms [FW]ping -c 1 100.0.0.2 10:47:09 2011/12/27 PING 100.0.0.2: 56 data bytes, press CTRL_C to break Reply from 100.0.0.2: bytes=56 Sequence=1 ttl=254 time=1 ms --- 100.0.0.2 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms
Step 2 Implement network communication. To implement network communication, configure a correct default route for each device that simulates a PC.
HC Series
HUAWEI TECHNOLOGIES
49
HCNP-IENP Chapter 1 Implementing firewall functions and features
Configure default routes for R1, R2, R3, and S2. [R1]ip route-static 0.0.0.0 0 10.0.10.254 [R2]ip route-static 0.0.0.0 0 10.0.10.254 [R3]ip route-static 0.0.0.0 0 10.0.10.254 [S2]ip route-static 0.0.0.0 0 100.0.0.1
On S2, test the connectivity among R1, R2, and R3. [S2]ping -c 1 10.0.10.1 PING 10.0.10.1: 56 data bytes, press CTRL_C to break Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=254 time=1 ms --- 10.0.10.1 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [S2]ping -c 1 10.0.10.2 PING 10.0.10.2: 56 data bytes, press CTRL_C to break Reply from 10.0.10.2: bytes=56 Sequence=1 ttl=254 time=1 ms --- 10.0.10.2 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [S2]ping -c 1 10.0.10.3 PING 10.0.10.3: 56 data bytes, press CTRL_C to break Reply from 10.0.10.3: bytes=56 Sequence=1 ttl=254 time=1 ms --- 10.0.10.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms
50
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 3 Configuring defense against traffic attacks. Attackers send a large amount of unnecessary data to a server. The server fails to respond to service requests from authorized users. To protect networks against such attacks, enable defense against SYN flood attacks, TCP full-connection attacks, HTTP flood attacks, UDP flood attacks, and ICMP flood attacks. Enable defense against reverse source tracing based on TCP on E2/0/0 of FW. [FW]firewall source-ip detect interface Ethernet 2/0/0 alert-rate 10000 max-rate 30000
Enable defense against TCP full-connection attacks on FW. [FW]firewall blacklist enable [FW]firewall session link-state check [FW]firewall defend tcp-illegal-session enable Warning: Configuring this command will affect the P2P service. To protect the server from TCP connection exhaustion, configure this command. Continue? [Y/N]:y
Enable defense against HTTP flood attacks on E2/0/0 of FW. [FW]firewall defend http-flood enable [FW]firewall defend http-flood source-detect interface Ethernet 2/0/0 alert-rate 10000 max-rate 30000
Enable defense against UDP flood attacks on E2/0/0 of FW. [FW]firewall defend udp-flood enable [FW] firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000
Enable defense against ICMP flood attacks on E2/0/0 of FW. [FW]firewall defend icmp-flood enable [FW]firewall defend icmp-flood interface Ethernet 2/0/0 max-rate 10000
HC Series
HUAWEI TECHNOLOGIES
51
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 4 Configure defense against scanning and snooping attacks. Attackers continually send different packets to the destination port for scanning service types and security vulnerabilities on the port. To prevent such attacks, enable defense against scanning and snooping attacks. Enable defense against scanning and snooping attacks on FW. [FW]firewall defend port-scan enable [FW]firewall defend port-scan max-rate 5000
Step 5 Configure defense against malformed packet attacks. If attackers send malformed IP packets to a user system, an exception may occur when the system processes these packets, affecting proper system operating. To prevent such attacks, enable defense against Smurf attacks, Land attacks, and Fraggle attacks. Configure DHCP snooping on the access network to improve network security. Enable Smurf attack defense on FW. [FW]firewall defend smurf enable
Enable Land attack defense on FW. [FW]firewall defend land enable
Enable Fraggle attack defense on FW. [FW]firewall defend fraggle enable
Enable IP fragment attack defense on FW. [FW]firewall defend ip-fragment enable
Enable defense against attacks from packets with invalid TCP flag bits on FW. [FW]firewall defend tcp-flag enable
52
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Use R1 as the DHCP server. [R1]dhcp enable [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]dhcp select global [R1-GigabitEthernet0/0/1]quit [R1]ip pool company [R1-ip-pool-company]network 10.0.10.0 mask 24 [R1-ip-pool-company]excluded-ip-address 10.0.10.1 [R1-ip-pool-company]gateway-list 10.0.10.254
Configure G0/0/1 of R2 and R3 to automatically obtain IP addresses. [R2]dhcp enable [R2]interface GigabitEthernet 0/0/1 [R2-GigabitEthernet0/0/1]undo ip address [R2-GigabitEthernet0/0/1]ip address dhcp-alloc Info: The operation may take a few seconds, please wait. Succeed. [R3]dhcp enable [R3]interface GigabitEthernet 0/0/1 [R3-GigabitEthernet0/0/1]undo ip address [R3-GigabitEthernet0/0/1]ip address dhcp-alloc Info: The operation may take a few seconds, please wait. Succeed.
Enable DHCP Snooping on S1 and configure interfaces as trusted interfaces. [S1]dhcp enable [S1]dhcp snooping enable [S1]interface GigabitEthernet 0/0/1 [S1-GigabitEthernet0/0/1]dhcp snooping trusted [S1-GigabitEthernet0/0/1]inter GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]dhcp snooping enable [S1-GigabitEthernet0/0/2]inter GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]dhcp snooping enable
View the MAC addresses of G0/0/1 on R1 and E0/0/0 on FW, and configure a static user binding entry. [R1]display interface GigabitEthernet 0/0/1 GigabitEthernet0/0/1 current state : UP Line protocol current state : UP
HC Series
HUAWEI TECHNOLOGIES
53
HCNP-IENP Chapter 1 Implementing firewall functions and features Last line protocol up time : 2011-12-27 10:21:41 Description:HUAWEI, AR Series, GigabitEthernet0/0/1 Interface Route Port,The Maximum Transmit Unit is 1500 Internet Address is 10.0.10.1/24 IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 5489-9876-81f0 Last physical up time
: 2011-12-27 10:14:07
Last physical down time : 2011-12-27 10:13:48 Current system time: 2011-12-27 16:24:49 Port Mode: COMMON COPPER Speed : 1000, Loopback: NONE Duplex: FULL, Negotiation: ENABLE Mdi
: AUTO
Last 300 seconds input rate 704 bits/sec, 0 packets/sec Last 300 seconds output rate 0 bits/sec, 0 packets/sec Input peak rate 7392 bits/sec,Record time: 2011-12-27 10:17:53 Output peak rate 2816 bits/sec,Record time: 2011-12-27 10:17:13 Input: 12040 packets, 1641163 bytes Unicast:
0, Multicast:
0
Broadcast:
0, Jumbo:
0
Discard:
0, Total Error:
0
……output omit…… [FW]display interface Ethernet 0/0/0 Ethernet0/0/0 current state : UP Line protocol current state : UP Description : Huawei, Eudemon 200E serials, Ethernet0/0/0 Interface, Route Port The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec) Internet Address is 10.0.10.254/24 IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a109-68b2 Media type is twisted pair, loopback not set, promiscuous mode not set 100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation Output flow-control is unsupported, input flow-control is unsupported QoS max-bandwidth : 100000 Kbps Output queue : (Urgent queue : Size/Length/Discards) 0/50/0 Output queue : (Frag queue : Size/Length/Discards) 0/1000/0 Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0 Output queue : (FIFO queue : Size/Length/Discards) 0/256/0 Last 300 seconds input rate 59.50 bytes/sec, 0.50 packets/sec Last 300 seconds output rate 0.00 bytes/sec, 0.00 packets/sec Input: 11778 packets, 1527521 bytes 478 broadcasts(4.06%), 11230 multicasts(95.35%) 0 runts, 0 giants,
54
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features 0 errors, 0 CRC, 0 collisions, 0 late collisions, 0 overruns, 0 jabbers, 0 input no buffers, 0 Resource errors, 0 other errors ……output omit…… [S1]user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0 [S1]user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2
Enable IP address anti-spoofing. [S1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]ip source check user-bind enable Info: Add permit rule for dynamic snooping bind-table, please wait a minute! [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]ip source check user-bind enable Info: Add permit rule for dynamic snooping bind-table, please wait a minute!
Configure the items in an IP packet to be checked. [S1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]ip source check user-bind check-item ip-address mac-address Info: Change permit rule for dynamic snooping bind-table, please wait a minute! [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]ip source check user-bind check-item ip-address mac-address Info: Change permit rule for dynamic snooping bind-table, please wait a minute!
Check source MAC addresses of ARP packets. [S1]arp anti-attack packet-check sender-mac
Configure defense against ARP man-in-the-middle attacks. [S1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]arp anti-attack check user-bind enable [S1-GigabitEthernet0/0/2]arp anti-attack check user-bind check-item ip-address mac-address Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a minute! [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]arp anti-attack check user-bind check-item ip-address mac-address Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a
HC Series
HUAWEI TECHNOLOGIES
55
HCNP-IENP Chapter 1 Implementing firewall functions and features minute!
Step 6 Configure defense against special packet attacks. Attackers send some seldom used valid packets to detect the network. To prevent such attacks, enable defense against large ICMP packet attacks, ICMP redirection packet attacks, and ICMP destination-unreachable packet attacks. Enable defense against large ICMP packet attacks on FW. [FW]firewall defend large-icmp enable [FW]firewall defend large-icmp max-length 3000
Enable defense against ICMP redirection packet attacks on FW. [FW]firewall defend icmp-redirect enable
Enable defense against ICMP destination-unreachable packet attacks on FW. [FW]firewall defend icmp-unreachable enable
Enable defense against attacks of IP packets with the route record option on FW. [FW]firewall defend route-record enable
Enable defense against attacks of IP packets with the source route option on FW. [FW]firewall defend source-route enable
Enable Tracert attack defense on FW. [FW]firewall defend tracert enable
Enable defense against attacks of IP packets with the timestamp option on FW. [FW]firewall defend time-stamp enable
56
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Additional Exercises: Analyzing and Verifying The firewall functions are limited on actual networks. IPS devices need to be deployed to defend against attacks at another layer. Collect information about IPS and compare the IPS to the firewall.
Final Configurations [FW]display current-configuration # sysname FW # undo firewall ipv6 session link-state check # vlan batch 1 # firewall session link-state check # firewall defend tcp-illegal-session enable firewall defend http-flood enable firewall defend port-scan enable firewall defend time-stamp enable firewall defend route-record enable firewall defend source-route enable firewall defend ip-fragment enable firewall defend tcp-flag enable firewall defend fraggle enable firewall defend tracert enable firewall defend icmp-unreachable enable firewall defend icmp-redirect enable firewall defend large-icmp enable firewall defend icmp-flood enable firewall defend udp-flood enable firewall defend smurf enable firewall defend land enable firewall defend port-scan max-rate 5000 firewall defend large-icmp max-length 3000 firewall defend http-flood source-detect interface Ethernet2/0/0 alert-rate 10000 max-rate 30000 firewall source-ip detect interface Ethernet2/0/0 alert-rate 10000 max-rate 30000
HC Series
HUAWEI TECHNOLOGIES
57
HCNP-IENP Chapter 1 Implementing firewall functions and features firewall defend icmp-flood interface Ethernet2/0/0 max-rate 10000 firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000 # runmode firewall # update schedule ips daily 5:37 update schedule av daily 5:37 security server domain sec.huawei.com # web-manager enable # l2fwdfast enable # interface Vlanif1 ip address 192.168.0.1 255.255.255.0 dhcp select interface # interface Ethernet0/0/0 ip address 10.0.10.254 255.255.255.0 # interface Ethernet2/0/0 ip address 100.0.0.1 255.255.255.0 # firewall zone local set priority 100 # firewall zone trust set priority 85 # firewall zone untrust set priority 5 # firewall zone dmz set priority 50 # aaa local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!! local-user admin service-type web terminal local-user admin level 3 authentication-scheme default # authorization-scheme default #
58
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features accounting-scheme default # domain default domain dot1x # # nqa-jitter tag-version 1 # banner enable # firewall blacklist enable # user-interface con 0 user-interface tty 2 authentication-mode none modem both user-interface vty 0 4 set authentication password simple Admin@123 # slb # cwmp # right-manager server-group # return [S1]display current-configuration # !Software Version V100R006C00SPC800 sysname S1 # vlan batch 100 # dhcp enable dhcp snooping enable user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0 user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2 # interface GigabitEthernet0/0/1 dhcp snooping trusted #
HC Series
HUAWEI TECHNOLOGIES
59
HCNP-IENP Chapter 1 Implementing firewall functions and features interface GigabitEthernet0/0/2 dhcp snooping enable arp anti-attack check user-bind enable arp anti-attack check user-bind check-item ip-address mac-address ip source check user-bind enable ip source check user-bind check-item ip-address mac-address # interface GigabitEthernet0/0/3 dhcp snooping enable arp anti-attack check user-bind enable arp anti-attack check user-bind check-item ip-address mac-address ip source check user-bind enable ip source check user-bind check-item ip-address mac-address # interface GigabitEthernet0/0/9 port link-type access port default vlan 100 # interface GigabitEthernet0/0/10 shutdown # interface GigabitEthernet0/0/13 shutdown # interface GigabitEthernet0/0/14 shutdown # interface GigabitEthernet0/0/23 port link-type access port default vlan 100 # interface GigabitEthernet0/0/24 # return
60
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Lab 1-4 NAT Configuration on a Eudemon Firewall Learning Objectives The objectives of this lab are to learn and understand:
NAT Easy IP configuration on a Eudemon
NAPT configuration on a Eudemon
NAT Server configuration on a Eudemon
NAT configuration on a Eudemon in a zone
Topology
Figure 1-4 NAT configuration
HC Series
HUAWEI TECHNOLOGIES
61
HCNP-IENP Chapter 1 Implementing firewall functions and features
Scenario Assume that you are a network administrator of an enterprise. The headquarters network includes a trusted zone, an untrusted zone, and a DMZ zone. You need to configure users in the trusted area to access the extranet, and advertise Telnet and FTP services provided by a server with the IP address of 10.0.4.4 in the DMZ zone. The public address of the server is 1.1.1.100/24. You also need to advertise Telnet services provided by a server with the IP address of 10.0.3.3 in the trusted zone. Users in the trusted zone can access the Telnet services using 1.1.1.200/24, and cannot access services in other zones.
Tasks Step 1 Configure IP addresses. Configure IP addresses and masks for all routers. The mask length of each loopback interface is 24 bits. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1 [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]ip address 1.1.1.1 24 [R1-GigabitEthernet0/0/1]interface loopback 0 [R1-LoopBack0]ip address 10.0.1.1 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2 [R2]interface GigabitEthernet0/0/1 [R2-GigabitEthernet0/0/1]ip address 10.0.20.2 24 [R2-GigabitEthernet0/0/1]interface loopback 0 [R2-LoopBack0]ip address 10.0.2.2 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet0/0/1
62
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [R3-GigabitEthernet0/0/1]ip address 10.0.20.3 24 [R3-GigabitEthernet0/0/1]interface loopback 0 [R3-LoopBack0]ip address 10.0.3.3 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R4 [R4]interface GigabitEthernet 0/0/1 [R4-GigabitEthernet0/0/1]ip address 10.0.40.4 24 [R4-GigabitEthernet0/0/1]interface loopback 0 [R4-LoopBack0]ip address 10.0.4.4 24
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be configured with an IP address. In the lab, configure VLAN 12 on the firewall and create a VLANIF 12 interface. Configure the VLANIF 12 interface's IP address as the IP address of the gateway in the trusted zone and set the IP address to 10.0.20.254/24. By default, the firewall configures an IP address for VLANIF 1. To prevent interference, delete the VLANIF 1 configuration. system-view Enter system view, return user view with Ctrl+Z. [Eudemon 200E]sysname FW [FW]vlan 12 [FW-vlan-12]quit [FW]interface Vlanif 12 [FW-Vlanif12]ip address 10.0.20.254 24 [FW-Vlanif12]interface ethernet 1/0/0 [FW-Ethernet1/0/0]port access vlan 12 [FW-Ethernet1/0/0]undo interface Vlanif 1 [FW]interface Ethernet 0/0/0 [FW-Ethernet0/0/0]ip address 1.1.1.254 24 [FW-Ethernet0/0/0]interface ethernet 2/0/0 [FW-Ethernet2/0/0]ip address 10.0.40.254 24
Add G0/0/1 and G0/0/21 to VLAN 11. Add G0/0/2, G0/0/3, and G0/0/22 to VLAN 12. Add G0/0/4 and G0/0/23 to VLAN 13. [Quidway]sysname S1 [S1]vlan batch 11 to 13 [S1]interface GigabitEthernet 0/0/1
HC Series
HUAWEI TECHNOLOGIES
63
HCNP-IENP Chapter 1 Implementing firewall functions and features [S1-GigabitEthernet0/0/1]port link-type access [S1-GigabitEthernet0/0/1]port default vlan 11 [S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]port link-type access [S1-GigabitEthernet0/0/2]port default vlan 12 [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3 [S1-GigabitEthernet0/0/3]port link-type access [S1-GigabitEthernet0/0/3]port default vlan 12 [S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/4 [S1-GigabitEthernet0/0/3]port link-type access [S1-GigabitEthernet0/0/3]port default vlan 13 [S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21 [S1-GigabitEthernet0/0/21]port link-type access [S1-GigabitEthernet0/0/21]port default vlan 11 [S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22 [S1-GigabitEthernet0/0/22]port link-type access [S1-GigabitEthernet0/0/22]port default vlan 12 [S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23 [S1-GigabitEthernet0/0/23]port link-type access [S1-GigabitEthernet0/0/23]port default vlan 13
Step 2 Configure static routes to connect networks. Configure default routes for R2, R3, and R4. Configure static routes to implement communication across network segments to which four loopback 0 interfaces are connected. R1 requires no static route because R1 functions as an Internet device and does not require information about the private networks in the trusted zone and DMZ zone. [R2]ip route-static 0.0.0.0 0 10.0.20.254 [R3]ip route-static 0.0.0.0 0 10.0.20.254 [R4]ip route-static 0.0.0.0 0 10.0.40.254 [FW]ip route-static 10.0.2.0 24 10.0.20.2 [FW]ip route-static 10.0.3.0 24 10.0.20.3 [FW]ip route-static 10.0.4.0 24 10.0.40.4 [FW]ip route-static 0.0.0.0 0 1.1.1.1
Test connectivity of 10.0.1.0, 10.0.2.0, 10.0.3.0, and 10.0.4.0 network segments on the firewall.
64
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW]ping 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW]ping 10.0.2.2 PING 10.0.2.2: 56 data bytes, press CTRL_C to break Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.2.2 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW]ping 10.0.3.3 PING 10.0.3.3: 56 data bytes, press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.3.3 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW]ping 10.0.4.4
HC Series
HUAWEI TECHNOLOGIES
65
HCNP-IENP Chapter 1 Implementing firewall functions and features PING 10.0.4.4: 56 data bytes, press CTRL_C to break Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.4.4 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms
Step 3 Add interfaces to security zones. By default, four zones locate on a firewall. They are local, trusted, untrusted, and DMZ zones. This lab uses trusted, untrusted, and DMZ zones. [FW]firewall zone dmz [FW-zone-dmz]add interface Ethernet 2/0/0 [FW-zone-dmz]firewall zone trust [FW-zone-trust]add interface Vlanif 12 [FW-zone-trust]firewall zone untrust [FW-zone-untrust]add interface Ethernet 0/0/0
By default, communication among all zones is normal. NAT is not enabled; therefore, external zones cannot communicate with inside zones and DMZ zone.
Step 4 Configure security filtering between zones. Configure packets to transmit from 10.0.2.0 and 10.0.3.0 segments in the trusted zone to the untrusted zone. Configure Telnet and FTP request packets to transmit from the untrusted zone to the 10.0.4.4 network segment in the DMZ zone. [FW]firewall session link-state check [FW]policy interzone trust untrust outbound [FW-policy-interzone-trust-untrust-outbound]policy 0 [FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255 66
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0 0.0.0.255 [FW-policy-interzone-trust-untrust-outbound-0]action permit [FW-policy-interzone-trust-untrust-outbound-0]quit [FW-policy-interzone-trust-untrust-outbound]quit [FW]policy interzone dmz untrust inbound [FW-policy-interzone-dmz-untrust-inbound]policy 0 [FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.4.4 0 [FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet [FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set ftp [FW-policy-interzone-dmz-untrust-inbound-0]action permit [FW-policy-interzone-dmz-untrust-inbound-0]quit
Step 5 Configure NAT Easy IP. Configure NAT Easy IP on an interface to translate the source address and bind a NAT policy to the interface. [FW]nat-policy interzone trust untrust outbound [FW-nat-policy-interzone-trust-untrust-outbound]policy 0 [FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255 [FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat [FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0
Test connectivity of the trusted zone and the untrusted zone. [R2]ping 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out --- 10.0.1.1 ping statistics --5 packet(s) transmitted 0 packet(s) received 100.00% packet loss [R2]ping -a 10.0.2.2 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=4 ms
HC Series
HUAWEI TECHNOLOGIES
67
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/4 ms
If you ping 10.0.1.1 from R2 directly, the ping fails. Use the extended ping. After a source IP address is specified as 10.0.2.2, the ping succeeds. This is because that the source IP address of the packet is 10.0.20.2, which is not in the NAT address range. [FW]display nat-policy interzone trust untrust outbound 10:46:37 2011/12/26 nat-policy interzone trust untrust outbound policy 0 (1 times matched) action source-nat policy service service-set ip policy source 10.0.2.0 0.0.0.255 policy destination any easy-ip Ethernet0/0/0
Step 6 Configure an address group. Configure an address group to translate the source IP address and bind a NAT policy to the address group. [FW]nat address-group 1 1.1.1.3 1.1.1.10 [FW]nat-policy interzone trust untrust outbound [FW-nat-policy-interzone-trust-untrust-outbound]policy 1 [FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0 0.0.0.255 [FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat [FW-nat-policy-interzone-trust-untrust-outbound-0]address-group 1
Test connectivity of the trusted zone and the untrusted zone. [R3]ping -a 10.0.3.3 10.0.1.1
68
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=12 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=4 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=2 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/4/12 ms
Use the extended ping. After a source IP address is specified as 10.0.3.3, the ping succeeds. [FW]display nat-policy interzone trust untrust outbound 10:52:37 2011/12/26 nat-policy interzone trust untrust outbound policy 0 (2 times matched) action source-nat policy service service-set ip policy source 10.0.2.0 0.0.0.255 policy destination any easy-ip Ethernet0/0/0 policy 1 (0 times matched) action source-nat policy service service-set ip policy source 10.0.3.0 0.0.0.255 policy destination any address-group 1
The IP address 10.0.2.0/24 and 10.0.3.0/24 in the trusted zone can access the untrusted zone.
Step 7 Advertise services provided by the intranet server with the IP address of 10.0.4.4. Map Telnet and FTP services on 10.0.4.4 to 1.1.1.100. [FW]nat server protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet
HC Series
HUAWEI TECHNOLOGIES
69
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW]nat server protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp
FTP is a multi-channel protocol, so NAT translation takes effect only after NAT ALG is configured. Configure NAT ALG between the DMZ and untrusted zones so that the server can properly provide FTP services. [FW]firewall interzone dmz untrust [FW-interzone-dmz-untrust]detect ftp
Enable Telnet and FTP on R4, and test on R1. The advertised IP address is 1.1.1.100, which is the actual destination IP address when R1 accesses services on 10.0.4.4. [R4]aaa [R4-aaa]local-user huawei password simple huawei [R4-aaa]local-user huawei service-type ftp [R4-aaa]local-user huawei ftp-directory flash: [R4-aaa]quit [R4]user-interface vty 0 4 [R4-ui-vty0-4]authentication-mode none [R4-ui-vty0-4]quit [R4]ftp server enable telnet 1.1.1.100 Press CTRL_] to quit telnet mode Trying 1.1.1.100 ... Connected to 1.1.1.100 ... quit ftp 1.1.1.200 Trying 1.1.1.200 ... Press CTRL+K to abort Connected to 1.1.1.200. 220 FTP service ready. User(1.1.1.200:(none)):huawei 331 Password required for huawei. Enter password: 230 User logged in. [R1-ftp]
Users in the untrusted zone can access Telnet and FTP services provided by 1.1.1.100/24 in the DMZ zone.
70
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 8 Configure NAT in an inside zone. Configure NAT on the server with the IP address of 10.0.3.3 and maps the address to 1.1.1.200. [FW]nat server protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet
Configure NAT to translate the source address into a public address when a user on the intranet accesses 1.1.1.200. [FW]nat-policy zone trust [FW-nat-policy-zone-trust]policy 0 [FW-nat-policy-zone-trust-0]policy source 10.0.2.0 0.0.0.255 [FW-nat-policy-zone-trust-0]policy destination 1.1.1.200 0 [FW-nat-policy-zone-trust-0]action source-nat [FW-nat-policy-zone-trust-0]address-group 1
Enable Telnet on R3, and test connectivity of the trusted area and 1.1.1.200 on R2. The advertised IP address is 1.1.1.200, which is the actual destination IP address when R2 accesses 10.0.3.3. [R3]user-interface vty 0 4 [R3-ui-vty0-4]authentication-mode none telnet -a 10.0.2.2 1.1.1.200 Press CTRL_] to quit telnet mode Trying 1.1.1.200 ... Connected to 1.1.1.200 ...
Additional Exercises: Analyzing and Verifying How do you advertise services provided by intranet servers when the firewall is connected to two carrier networks at the same time?
Final Configurations [FW]display current-configuration # sysname FW #
HC Series
HUAWEI TECHNOLOGIES
71
HCNP-IENP Chapter 1 Implementing firewall functions and features nat address-group 1 1.1.1.3 1.1.1.10 nat server 0 protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet nat server 1 protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp nat server 2 protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet # vlan batch 1 12 # firewall session link-state check # interface Vlanif12 ip address 10.0.20.254 255.255.255.0 # interface Ethernet0/0/0 ip address 1.1.1.254 255.255.255.0 # interface Ethernet1/0/0 portswitch port link-type access port access vlan 12 # interface Ethernet2/0/0 ip address 10.0.40.254 255.255.255.0 # firewall zone trust set priority 85 add interface Vlanif12 # firewall zone untrust set priority 5 add interface Ethernet0/0/0 # firewall zone dmz set priority 50 add interface Ethernet2/0/0 # firewall interzone dmz untrust detect ftp # ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 ip route-static 10.0.2.0 255.255.255.0 10.0.20.2 ip route-static 10.0.3.0 255.255.255.0 10.0.20.3 ip route-static 10.0.4.0 255.255.255.0 10.0.40.4 #
72
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features policy interzone trust untrust outbound policy 0 action permit policy source 10.0.2.0 0.0.0.255 policy source 10.0.3.0 0.0.0.255 # policy interzone dmz untrust inbound policy 0 action permit policy service service-set ftp policy service service-set telnet policy destination 10.0.4.4 0 # nat-policy interzone trust untrust outbound policy 0 action source-nat policy source 10.0.2.0 0.0.0.255 easy-ip Ethernet0/0/0 policy 1 action source-nat policy source 10.0.3.0 0.0.0.255 address-group 1 # nat-policy zone trust policy 0 action source-nat policy source 10.0.2.0 0.0.0.255 policy destination 1.1.1.200 0 address-group 1 # Return display current-configuration [V200R001C00SPC200] # sysname R1 # # interface GigabitEthernet0/0/1 ip address 1.1.1.1 255.255.255.0 # interface LoopBack0
HC Series
HUAWEI TECHNOLOGIES
73
HCNP-IENP Chapter 1 Implementing firewall functions and features ip address 10.0.1.1 255.255.255.0 # Return display current-configuration [V200R001C00SPC200] # sysname R2 # interface GigabitEthernet0/0/1 ip address 10.0.20.2 255.255.255.0 # interface LoopBack0 ip address 10.0.2.2 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.20.254 # Return [R3]display current-configuration [V200R001C00SPC200] # sysname R3 # interface GigabitEthernet0/0/1 ip address 10.0.20.3 255.255.255.0 # interface LoopBack0 ip address 10.0.3.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.20.254 # user-interface vty 0 4 authentication-mode none # Return [R4]display current-configuration [V200R001C00SPC500] # sysname R4 ftp server enable #
74
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features # aaa local-user huawei password simple huawei local-user huawei ftp-directory flash: local-user huawei service-type ftp # interface GigabitEthernet0/0/1 ip address 10.0.40.4 255.255.255.0 # interface LoopBack0 ip address 10.0.4.4 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.40.254 # user-interface vty 0 4 authentication-mode none # Return display current-configuration # !Software Version V100R006C00SPC800 sysname S1 # vlan batch 11 to 13 # interface GigabitEthernet0/0/1 port link-type access port default vlan 11 # interface GigabitEthernet0/0/2 port link-type access port default vlan 12 # interface GigabitEthernet0/0/3 port link-type access port default vlan 12 # interface GigabitEthernet0/0/4 port link-type access port default vlan 13 # interface GigabitEthernet0/0/21
HC Series
HUAWEI TECHNOLOGIES
75
HCNP-IENP Chapter 1 Implementing firewall functions and features port link-type access port default vlan 11 # interface GigabitEthernet0/0/22 port link-type access port default vlan 12 # interface GigabitEthernet0/0/23 port link-type access port default vlan 13 # return
76
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
Lab 1-5 Dual-System Hot Backup Configuration for Eudemon Firewalls Learning Objectives The objectives of this lab are to learn and understand:
Dual-system hot backup configuration
VRRP configuration
HRP configuration
Topology
Figure 1-5a Physical topology
HC Series
HUAWEI TECHNOLOGIES
77
HCNP-IENP Chapter 1 Implementing firewall functions and features
Figure 1-5b Logical topology
Scenario Assume that you are a network administrator of an enterprise. You need to configure dual-system hot backup for the firewalls to ensure communication reliability. The current communication requires dual-system hot backup based on load balancing. When users in the trusted zone access services in the untrusted zone, packets sent from different routes are forwarded by the primary firewall to implement load balancing. When a fault occurs on the primary firewall, packets are switched to the secondary firewall to implement hot backup.
Tasks Step 1 Configure IP addresses. Configure IP addresses and masks for all routers. The mask length of each loopback interface is 24 bits. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1 [R1]interface GigabitEthernet 0/0/2 [R1-GigabitEthernet0/0/2]ip address 10.0.10.1 24 [R1-GigabitEthernet0/0/2]interface loopback 0
78
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [R1-LoopBack0]ip address 10.0.1.1 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2 [R2]interface GigabitEthernet0/0/1 [R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24 [R2-GigabitEthernet0/0/1]interface loopback 0 [R2-LoopBack0]ip address 10.0.2.2 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet 0/0/2 [R3-GigabitEthernet0/0/1]ip address 10.0.30.1 24 [R3-GigabitEthernet0/0/1]interface loopback 0 [R3-LoopBack0]ip address 10.0.3.3 24 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R4 [R4]interface GigabitEthernet 0/0/1 [R4-GigabitEthernet0/0/1]ip address 10.0.40.1 24 [R4-GigabitEthernet0/0/1]interface loopback 0 [R4-LoopBack0]ip address 10.0.4.4 24
Configure VLAN 11, 12, 13, and 14 and corresponding VLANIF addresses for firewalls. Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be configured with an IP address. By default, the firewall configures an IP address for VLANIF 1. To prevent interference, delete the VLANIF 1 configuration. system-view [FW1]vlan batch 11 to 14 [FW1]interface vlanif 11 [FW1-Vlanif11]ip address 10.0.10.2 24 [FW1-Vlanif11]interface vlanif 12 [FW1-Vlanif12]ip address 10.0.20.2 24 [FW1-Vlanif12]interface Vlanif 13 [FW1-Vlanif13]ip address 10.0.30.2 24 [FW1-Vlanif13]interface Vlanif 14 [FW1-Vlanif14]ip address 10.0.40.2 24 [FW1-Vlanif14]interface Ethernet0/0/0
HC Series
HUAWEI TECHNOLOGIES
79
HCNP-IENP Chapter 1 Implementing firewall functions and features [FW1-Ethernet0/0/0]ip address 10.0.50.2 24 [FW1-Ethernet0/0/0]quit [FW1]undo interface vlanif 1 system-view [FW2]vlan batch 11 to 14 [FW2]interface vlanif 11 [FW2-Vlanif11]ip address 10.0.10.3 24 [FW2-Vlanif11]interface vlanif 12 [FW2-Vlanif12]ip address 10.0.20.3 24 [FW2-Vlanif12]interface Vlanif 13 [FW2-Vlanif13]ip address 10.0.30.3 24 [FW2-Vlanif13]interface Vlanif 14 [FW2-Vlanif14]ip address 10.0.40.3 24 [FW2-Vlanif14]interface Ethernet0/0/0 [FW2-Ethernet0/0/0]ip address 10.0.50.3 24 [FW2-Ethernet0/0/0]quit [FW2]undo interface vlanif 1
Plan VLANs for interfaces on switches. system-view [S1]vlan batch 11 to 14 [S1]interface GigabitEthernet 0/0/2 [S1-GigabitEthernet0/0/2]port link-type access [S1-GigabitEthernet0/0/2]port default vlan 12 [S1-GigabitEthernet0/0/2]interface gigabitEthernet 0/0/4 [S1-GigabitEthernet0/0/4]port link-type access [S1-GigabitEthernet0/0/4]port default vlan 14 system-view [S2]vlan batch 11 to 14 [S2]interface GigabitEthernet 0/0/1 [S2-GigabitEthernet0/0/1]port link-type access [S2-GigabitEthernet0/0/1]port default vlan 11 [S2-GigabitEthernet0/0/1]interface gigabitEthernet 0/0/3 [S2-GigabitEthernet0/0/3]port link-type access [S2-GigabitEthernet0/0/3]port default vlan 13
Set G0/0/9 on S1 and G0/0/9 on S2 to trunk interfaces and allow packets from VLAN 11, 12, 13, and 14 to pass through. [S1]interface GigabitEthernet 0/0/9 [S1-GigabitEthernet0/0/9]port link-type trunk
80
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features [S1-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14 [S1-GigabitEthernet0/0/9]quit [S2]interface GigabitEthernet 0/0/9 [S2-GigabitEthernet0/0/9]port link-type trunk [S2-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14 [S2-GigabitEthernet0/0/9]quit
Assign G0/0/21 and G0/0/10 on S1 and G0/0/10 and G0/0/11 on S2 to VLAN 10. This line is the firewall heartbeat line. Enable MSTP on VLAN 10 so that the default process 0 of MSTP cannot shut down G0/0/10 interfaces on S1 and S2. Set the region name of S1 and S2 both to be FW. [S1]vlan 10 [S1-vlan10]quit [S1]interface GigabitEthernet 0/0/21 [S1-GigabitEthernet0/0/21]port link-type access [S1-GigabitEthernet0/0/21]port default vlan 10 [S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/10 [S1-GigabitEthernet0/0/10]port link-type access [S1-GigabitEthernet0/0/10]port default vlan 10 [S1-GigabitEthernet0/0/10]quit [S1]stp region-configuration [S1-mst-region]region-name FW [S1-mst-region]instance 1 vlan 10 [S1-mst-region]active region-configuration [S2]vlan 10 [S2-vlan10]quit [S2]interface GigabitEthernet 0/0/11 [S2-GigabitEthernet0/0/11]port link-type access [S2-GigabitEthernet0/0/11]port default vlan 10 [S2-GigabitEthernet0/0/11]interface GigabitEthernet 0/0/10 [S2-GigabitEthernet0/0/10]port link-type access [S2-GigabitEthernet0/0/10]port default vlan 10 [S2-GigabitEthernet0/0/10]quit [S2]stp region-configuration [S2-mst-region]region-name FW [S2-mst-region]instance 1 vlan 10 [S2-mst-region]active region-configuration
HC Series
HUAWEI TECHNOLOGIES
81
HCNP-IENP Chapter 1 Implementing firewall functions and features
Set E1/0/0 on FW1 and G0/0/22 on S1 to trunk interfaces and allow packets from VLAN 11, 12, 13, and 14 to pass through.Set E1/0/0 on FW2 and G0/0/12 on S2 to trunk interfaces and allow packets from VLAN 11, 12, 13, and 14 to pass through. [FW1]interface Ethernet1/0/0 [FW1]port link-type trunk [FW1]port trunk permit vlan 11 to 14 [S1]interface GigabitEthernet 0/0/22 [S1]port link-type trunk [S1]port trunk allow-pass vlan 11 to 14 [FW2]interface Ethernet1/0/0 [FW2]port link-type trunk [FW2]port trunk permit vlan 11 to 14 [S2]interface GigabitEthernet 0/0/12 [S2]port link-type trunk [S2]port trunk allow-pass vlan 11 to 14
Test connectivity of FW1 and FW2. [FW1]ping 10.0.20.1 09:47:13 2011/12/27 PING 10.0.20.1: 56 data bytes, press CTRL_C to break Reply from 10.0.20.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.20.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW1]ping 10.0.30.1 09:47:35 2011/12/27 PING 10.0.30.1: 56 data bytes, press CTRL_C to break Reply from 10.0.30.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=2 ttl=255 time=1 ms
82
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.30.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.30.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW1]ping 10.0.40.1 09:48:01 2011/12/27 PING 10.0.40.1: 56 data bytes, press CTRL_C to break Reply from 10.0.40.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=3 ttl=255 time=190 ms Reply from 10.0.40.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.40.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/38/190 ms [FW1]ping 10.0.10.1 09:48:34 2011/12/27 PING 10.0.10.1: 56 data bytes, press CTRL_C to break Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.10.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW2]ping 10.0.10.1 03:51:04 2011/12/27 PING 10.0.10.1: 56 data bytes, press CTRL_C to break
HC Series
HUAWEI TECHNOLOGIES
83
HCNP-IENP Chapter 1 Implementing firewall functions and features Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.10.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW2]ping 10.0.20.1 03:51:23 2011/12/27 PING 10.0.20.1: 56 data bytes, press CTRL_C to break Reply from 10.0.20.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.20.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.20.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW2]ping 10.0.30.1 03:51:47 2011/12/27 PING 10.0.30.1: 56 data bytes, press CTRL_C to break Reply from 10.0.30.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=3 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.30.1: bytes=56 Sequence=5 ttl=255 time=1 ms --- 10.0.30.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/1 ms [FW2]ping 10.0.40.1
84
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features 03:52:15 2011/12/27 PING 10.0.40.1: 56 data bytes, press CTRL_C to break Reply from 10.0.40.1: bytes=56 Sequence=1 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=3 ttl=255 time=10 ms Reply from 10.0.40.1: bytes=56 Sequence=4 ttl=255 time=1 ms Reply from 10.0.40.1: bytes=56 Sequence=5 ttl=255 time=10 ms --- 10.0.40.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/4/10 ms
Step 2 Add interfaces to security zones. By default, four zones locate on a firewall. They are local, trusted, untrusted, and DMZ zones. In the lab, add VLANIF 12 and VLANIF 13 to the trusted zone, and add VLANIF 11 and VLANIF 14 to the untrusted zone. Create a zone abc on FW1 and set the zone priority to 80. Add the heartbeat line interface E0/0/0 on FW1 to the abc zone. Perform the same operations on FW2. [FW1]firewall zone trust [FW1-zone-trust]add interface vlanif 12 [FW1-zone-trust]add interface vlanif 13 [FW1-zone-trust]firewall zone untrust [FW1-zone-untrust]add interface vlanif 11 [FW1-zone-untrust]add interface vlanif 14 [FW1-zone-untrust]firewall zone name abc [FW1-zone-abc]add interface Ethernet 0/0/0 [FW2]firewall zone trust [FW2-zone-trust]add interface vlanif 12 [FW2-zone-trust]add interface vlanif 13 [FW2-zone-trust]firewall zone untrust [FW2-zone-untrust]add interface vlanif 11 [FW2-zone-untrust]add interface vlanif 14 [FW2-zone-untrust]firewall zone name abc [FW2-zone-abc]add interface Ethernet 0/0/0
HC Series
HUAWEI TECHNOLOGIES
85
HCNP-IENP Chapter 1 Implementing firewall functions and features
Step 3 Configure a VRRP backup group. Configure a Virtual Router Redundancy Protocol (VRRP) backup group on FW1 and configure a virtual IP address for the backup group. [FW1]interface vlanif 12 [FW1-Vlanif12]vrrp vrid 12 virtual-ip 10.0.20.254 master [FW1-Vlanif12]interface vlanif 13 [FW1-Vlanif13]vrrp vrid 13 virtual-ip 10.0.30.254 slave [FW1-Vlanif13]interface vlanif 14 [FW1-Vlanif14]vrrp vrid 14 virtual-ip 10.0.40.254 master [FW1-Vlanif14]interface vlanif 11 [FW1-Vlanif11]vrrp vrid 11 virtual-ip 10.0.10.254 slave
Configure a VRRP backup group on FW2 and configure a virtual IP address for the backup group. When configuring the VRRP backup group on FW2, map the Master of FW1 to the Slave of FW2, and map the Slave of FW1 to the Master of FW2. [FW2]interface vlanif 12 [FW2-Vlanif12]vrrp vrid 12 virtual-ip 10.0.20.254 slave [FW2-Vlanif12]interface vlanif 13 [FW2-Vlanif13]vrrp vrid 13 virtual-ip 10.0.30.254 master [FW2-Vlanif13]interface vlanif 14 [FW2-Vlanif14]vrrp vrid 14 virtual-ip 10.0.40.254 slave [FW2-Vlanif14]interface vlanif 11 [FW2-Vlanif11]vrrp vrid 11 virtual-ip 10.0.10.254 master
Check the VRRP configurations of FW1 and FW2. Verify that the command outputs display VRRP group states correctly. [FW1]display vrrp 20:56:41 2011/12/28 Vlanif13 | Virtual Router 13 VRRP Group : Slave state : Backup Virtual IP : 10.0.30.254 Virtual MAC : 0000-5e00-010d Primary IP : 10.0.30.2 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 100
86
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif11 | Virtual Router 11 VRRP Group : Slave state : Backup Virtual IP : 10.0.10.254 Virtual MAC : 0000-5e00-010b Primary IP : 10.0.10.2 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 100 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif14 | Virtual Router 14 VRRP Group : Master state : Backup Virtual IP : 10.0.40.254 Virtual MAC : 0000-5e00-010e Primary IP : 10.0.40.2 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 100 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif12 | Virtual Router 12 VRRP Group : Master state : Backup Virtual IP : 10.0.20.254 Virtual MAC : 0000-5e00-010c Primary IP : 10.0.20.2 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 100 Preempt : YES
HC Series
Delay Time : 0
HUAWEI TECHNOLOGIES
87
HCNP-IENP Chapter 1 Implementing firewall functions and features Advertisement Timer : 1 Auth Type : NONE Check TTL : YES [FW2]display vrrp 14:32:32 2011/12/28 Vlanif11 | Virtual Router 11 VRRP Group : Master state : Master Virtual IP : 10.0.10.254 Virtual MAC : 0000-5e00-010b Primary IP : 10.0.10.3 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif14 | Virtual Router 14 VRRP Group : Slave state : Master Virtual IP : 10.0.40.254 Virtual MAC : 0000-5e00-010e Primary IP : 10.0.40.3 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif13 | Virtual Router 13 VRRP Group : Master state : Master Virtual IP : 10.0.30.254 Virtual MAC : 0000-5e00-010d Primary IP : 10.0.30.3 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 120
88
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif12 | Virtual Router 12 VRRP Group : Slave state : Master Virtual IP : 10.0.20.254 Virtual MAC : 0000-5e00-010c Primary IP : 10.0.20.3 PriorityRun : 100 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES
Step 4 Configure an HRP backup channel. Configure a backup channel interface on FW1 and FW2 and enable Huawei Redundancy Protocol (HRP) on the interfaces. The firewall works on a dual-system hot backup network. If the inbound and outbound paths are different, run the hrp mirror session enable command to fast back up sessions. Information about sessions on the primary firewall is synchronized to the secondary firewall in a timely manner. When a fault occurs on the primary firewall, packets are forwarded by the secondary firewall, ensuring uninterrupted sessions between internal and external users. [FW1]hrp interface Ethernet0/0/0 [FW1]hrp mirror session enable [FW1]hrp enable [FW2]hrp interface Ethernet0/0/0 [FW2]hrp mirror session enable [FW2]hrp enable
After the preceding configuration is complete, HRP_M or HRP_S is
HC Series
HUAWEI TECHNOLOGIES
89
HCNP-IENP Chapter 1 Implementing firewall functions and features
added to the prompt based on the HRP status. After a backup channel is configured, the primary and secondary firewalls negotiate on the master and backup status. Check the VRRP status of the firewall. HRP_M[FW1]display vrrp 21:32:17 2011/12/28 Vlanif13 | Virtual Router 13 VRRP Group : Slave state : Backup Virtual IP : 10.0.30.254 Virtual MAC : 0000-5e00-010d Primary IP : 10.0.30.2 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif11 | Virtual Router 11 VRRP Group : Slave state : Backup Virtual IP : 10.0.10.254 Virtual MAC : 0000-5e00-010b Primary IP : 10.0.10.2 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif14 | Virtual Router 14 VRRP Group : Master state : Master Virtual IP : 10.0.40.254 Virtual MAC : 0000-5e00-010e Primary IP : 10.0.40.2 PriorityRun : 120 PriorityConfig : 100 90
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif12 | Virtual Router 12 VRRP Group : Master state : Master Virtual IP : 10.0.20.254 Virtual MAC : 0000-5e00-010c Primary IP : 10.0.20.2 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES HRP_S[FW2]display vrrp 15:08:31 2011/12/28 Vlanif11 | Virtual Router 11 VRRP Group : Master state : Master Virtual IP : 10.0.10.254 Virtual MAC : 0000-5e00-010b Primary IP : 10.0.10.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif14 | Virtual Router 14 VRRP Group : Slave state : Backup Virtual IP : 10.0.40.254 Virtual MAC : 0000-5e00-010e Primary IP : 10.0.40.3 PriorityRun : 120
HC Series
HUAWEI TECHNOLOGIES
91
HCNP-IENP Chapter 1 Implementing firewall functions and features PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif13 | Virtual Router 13 VRRP Group : Master state : Master Virtual IP : 10.0.30.254 Virtual MAC : 0000-5e00-010d Primary IP : 10.0.30.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif12 | Virtual Router 12 VRRP Group : Slave state : Backup Virtual IP : 10.0.20.254 Virtual MAC : 0000-5e00-010c Primary IP : 10.0.20.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES
Step 5 Configure packet filtering in the interzone. Run the following command to configure automatic backup on FW1. Packet filtering rules in the interzone configured on FW1 are automatically backed up to FW2.
92
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features HRP_M[FW1]hrp auto-sync config
By default, security zones are connected. When configuring the packet filtering policy in the interzone, disconnect security zones. Allow only users in the trusted zone to access services in the untrusted zones. HRP_M[FW1]firewall packet-filter default deny all HRP_M[FW1]firewall
packet-filter
default
permit
interzone
trust
untrust
interzone
trust
untrust
direction outbound HRP_M[FW1]firewall session link-state check HRP_S[FW2]firewall packet-filter default deny all HRP_S[FW2]firewall
packet-filter
default
permit
direction outbound HRP_S[FW2]firewall session link-state check
Step 6 Configure static routes to connect networks. Configure default routes for R1, R2, R3, and R4. Configure a specific static route between FW1 and FW2. [R1]ip route-static 0.0.0.0 0 10.0.10.254 [R2]ip route-static 0.0.0.0 0 10.0.20.254 [R3]ip route-static 0.0.0.0 0 10.0.30.254 [R4]ip route-static 0.0.0.0 0 10.0.40.254 HRP_M[FW1]ip route-static 10.0.1.0 24 10.0.10.1 HRP_M[FW1]ip route-static 10.0.2.0 24 10.0.20.2 HRP_M[FW1]ip route-static 10.0.3.0 24 10.0.30.3 HRP_M[FW1]ip route-static 10.0.4.0 24 10.0.40.4
Test connectivity of the trusted zone and the untrusted zone. [R2]ping -a 10.0.2.2 10.0.1.1 PING 10.0.1.1: 56 data bytes, press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=5 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=3 ms
HC Series
HUAWEI TECHNOLOGIES
93
HCNP-IENP Chapter 1 Implementing firewall functions and features
--- 10.0.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/5 ms [R2]ping -a 10.0.2.2 10.0.4.4 PING 10.0.4.4: 56 data bytes, press CTRL_C to break Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=254 time=5 ms Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=254 time=3 ms --- 10.0.4.4 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/4/5 ms [R3]ping -a 10.0.3.3 10.0.4.4 PING 10.0.4.4: 56 data bytes, press CTRL_C to break Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=254 time=5 ms Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=254 time=5 ms Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=254 time=6 ms --- 10.0.4.4 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/6 ms
Step 7 Test dual-system hot backup. By default, FW1 forwards packets from R2 and R4, and FW2 functions as the backup firewall. Simulate a fault on VLANIF 12 of FW1 during communication
94
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features
between R2 and R4. The communication functions normally. Send 20 packets from R2 to R4. During packet sending, shut down VLANIF 12 and check communication status. When running the ping command, shut down VLANIF 12 on FW1 before all packets are sent. [R2]ping -c 20 -a 10.0.2.2 10.0.4.4 HRP_S[FW1]interface vlanif 12 HRP_S[FW1-Vlanif12]shutdown
No packet is lost even when a fault is simulated on VLANIF 12 of FW1. [R2]ping -c 20 -a 10.0.2.2 10.0.4.4 PING 10.0.4.4: 56 data bytes, press CTRL_C to break Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=6 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=7 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=8 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=9 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=10 ttl=254 time=5 ms Reply from 10.0.4.4: bytes=56 Sequence=11 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=12 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=13 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=14 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=15 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=16 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=17 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=18 ttl=254 time=4 ms Reply from 10.0.4.4: bytes=56 Sequence=19 ttl=254 time=3 ms Reply from 10.0.4.4: bytes=56 Sequence=20 ttl=254 time=3 ms --- 10.0.4.4 ping statistics --20 packet(s) transmitted 20 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/5 ms
HC Series
HUAWEI TECHNOLOGIES
95
HCNP-IENP Chapter 1 Implementing firewall functions and features
Check the VRRP status on FW2. VLANIF 12 and VLANIF 14 on FW2 are in Master state. If a fault occurs on VLANIF 12 on FW1, backup VLANIF interfaces on FW2 switch to the Master status and forward packets. HRP_M[FW2]display vrrp 03:14:23 2011/12/29 Vlanif11 | Virtual Router 11 VRRP Group : Master state : Master Virtual IP : 10.0.10.254 Virtual MAC : 0000-5e00-010b Primary IP : 10.0.10.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif14 | Virtual Router 14 VRRP Group : Slave state : Master Virtual IP : 10.0.40.254 Virtual MAC : 0000-5e00-010e Primary IP : 10.0.40.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif13 | Virtual Router 13 VRRP Group : Master state : Master Virtual IP : 10.0.30.254 Virtual MAC : 0000-5e00-010d Primary IP : 10.0.30.3 PriorityRun : 120 PriorityConfig : 100
96
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES Vlanif12 | Virtual Router 12 VRRP Group : Slave state : Master Virtual IP : 10.0.20.254 Virtual MAC : 0000-5e00-010c Primary IP : 10.0.20.3 PriorityRun : 120 PriorityConfig : 100 MasterPriority : 120 Preempt : YES
Delay Time : 0
Advertisement Timer : 1 Auth Type : NONE Check TTL : YES
Additional Exercises: Analyzing and Verifying If a fault occurs on the heartbeat line, what status will FW1 and FW2 have and how will packets be forwarded between the trusted zone and the untrusted zone?
Final Configurations display current-configuration [V200R001C00SPC200] # sysname R1 # interface GigabitEthernet0/0/2 ip address 10.0.10.1 255.255.255.0 # interface LoopBack0 ip address 10.0.1.1 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.10.254 #
HC Series
HUAWEI TECHNOLOGIES
97
HCNP-IENP Chapter 1 Implementing firewall functions and features return display current-configuration [V200R001C00SPC200] # sysname R2 # interface GigabitEthernet0/0/1 ip address 10.0.20.1 255.255.255.0 # interface LoopBack0 ip address 10.0.2.2 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.20.254 # return display current-configuration [V200R001C00SPC200] # sysname R3 # interface GigabitEthernet0/0/2 ip address 10.0.30.1 255.255.255.0 # interface LoopBack0 ip address 10.0.3.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.30.254 # return display current-configuration [V200R001C00SPC500] # sysname R4 # interface GigabitEthernet0/0/1 ip address 10.0.40.1 255.255.255.0 # interface LoopBack0 ip address 10.0.4.4 255.255.255.0 #
98
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features ip route-static 0.0.0.0 0.0.0.0 10.0.40.254 # return display current-configuration # !Software Version V100R006C00SPC800 sysname S1 # vlan batch 10 to 14 # stp region-configuration region-name FW instance 1 vlan 10 active region-configuration # interface GigabitEthernet0/0/2 port link-type access port default vlan 12 # interface GigabitEthernet0/0/4 port link-type access port default vlan 14 # interface GigabitEthernet0/0/9 port link-type trunk port trunk allow-pass vlan 11 to 14 # interface GigabitEthernet0/0/10 port link-type access port default vlan 10 # interface GigabitEthernet0/0/21 port link-type access port default vlan 10 # interface GigabitEthernet0/0/22 port link-type trunk port trunk allow-pass vlan 11 to 14 # return display current-configuration
HC Series
HUAWEI TECHNOLOGIES
99
HCNP-IENP Chapter 1 Implementing firewall functions and features # !Software Version V100R006C00SPC800 sysname S2 # vlan batch 10 to 14 # stp region-configuration region-name FW instance 1 vlan 10 active region-configuration # interface GigabitEthernet0/0/1 port link-type access port default vlan 11 # interface GigabitEthernet0/0/3 port link-type access port default vlan 13 # interface GigabitEthernet0/0/9 port link-type trunk port trunk allow-pass vlan 11 to 14 # interface GigabitEthernet0/0/10 port link-type access port default vlan 10 # interface GigabitEthernet0/0/11 port link-type access port default vlan 10 # interface GigabitEthernet0/0/12 port link-type trunk port trunk allow-pass vlan 11 to 14 # return HRP_Mdisplay current-configuration # sysname FW1 # hrp mirror session enable hrp enable
100
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features hrp interface Ethernet0/0/0 # firewall packet-filter default deny interzone local trust direction inbound firewall packet-filter default deny interzone local trust direction outbound firewall packet-filter default deny interzone local untrust direction inbound firewall packet-filter default deny interzone local untrust direction outbound firewall packet-filter default deny interzone local dmz direction inbound firewall packet-filter default deny interzone local dmz direction outbound firewall packet-filter default deny interzone local abc direction inbound firewall packet-filter default deny interzone local abc direction outbound firewall packet-filter default deny interzone trust untrust direction inbound firewall packet-filter default deny interzone trust dmz direction inbound firewall packet-filter default deny interzone trust dmz direction outbound firewall packet-filter default deny interzone trust abc direction inbound firewall packet-filter default deny interzone trust abc direction outbound firewall packet-filter default deny interzone dmz untrust direction inbound firewall packet-filter default deny interzone dmz untrust direction outbound firewall packet-filter default deny interzone abc untrust direction inbound firewall packet-filter default deny interzone abc untrust direction outbound firewall packet-filter default deny interzone abc dmz direction inbound firewall packet-filter default deny interzone abc dmz direction outbound # undo firewall ipv6 session link-state check # vlan batch 1 11 to 14 # undo firewall session link-state check # # runmode firewall # interface Vlanif11 ip address 10.0.10.2 255.255.255.0 vrrp vrid 11 virtual-ip 10.0.10.254 slave # interface Vlanif12 ip address 10.0.20.2 255.255.255.0 vrrp vrid 12 virtual-ip 10.0.20.254 master # interface Vlanif13 ip address 10.0.30.2 255.255.255.0 vrrp vrid 13 virtual-ip 10.0.30.254 slave #
HC Series
HUAWEI TECHNOLOGIES
101
HCNP-IENP Chapter 1 Implementing firewall functions and features interface Vlanif14 ip address 10.0.40.2 255.255.255.0 vrrp vrid 14 virtual-ip 10.0.40.254 master # interface Ethernet0/0/0 ip address 10.0.50.2 255.255.255.0 # interface Ethernet1/0/0 portswitch port link-type trunk port trunk permit vlan 1 11 to 14 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Vlanif12 add interface Vlanif13 # firewall zone untrust set priority 5 add interface Vlanif11 add interface Vlanif14 # firewall zone dmz set priority 50 # firewall zone name abc set priority 80 add interface Ethernet0/0/0 # nqa-jitter tag-version 1 # ip route-static 10.0.1.0 255.255.255.0 10.0.10.1 ip route-static 10.0.2.0 255.255.255.0 10.0.20.1 ip route-static 10.0.3.0 255.255.255.0 10.0.30.1 ip route-static 10.0.4.0 255.255.255.0 10.0.40.1 # slb # cwmp #
102
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features right-manager server-group # return HRP_Sdisplay current-configuration # sysname FW2 # hrp mirror session enable hrp enable hrp interface Ethernet0/0/0 # firewall packet-filter default deny interzone local trust direction inbound firewall packet-filter default deny interzone local trust direction outbound firewall packet-filter default deny interzone local untrust direction inbound firewall packet-filter default deny interzone local untrust direction outbound firewall packet-filter default deny interzone local dmz direction inbound firewall packet-filter default deny interzone local dmz direction outbound firewall packet-filter default deny interzone local abc direction inbound firewall packet-filter default deny interzone local abc direction outbound firewall packet-filter default deny interzone trust untrust direction inbound firewall packet-filter default deny interzone trust dmz direction inbound firewall packet-filter default deny interzone trust dmz direction outbound firewall packet-filter default deny interzone trust abc direction inbound firewall packet-filter default deny interzone trust abc direction outbound firewall packet-filter default deny interzone dmz untrust direction inbound firewall packet-filter default deny interzone dmz untrust direction outbound firewall packet-filter default deny interzone abc untrust direction inbound firewall packet-filter default deny interzone abc untrust direction outbound firewall packet-filter default deny interzone abc dmz direction inbound firewall packet-filter default deny interzone abc dmz direction outbound # undo firewall ipv6 session link-state check # vlan batch 1 11 to 14 # undo firewall session link-state check # interface Vlanif11 ip address 10.0.10.3 255.255.255.0 vrrp vrid 11 virtual-ip 10.0.10.254 master # interface Vlanif12
HC Series
HUAWEI TECHNOLOGIES
103
HCNP-IENP Chapter 1 Implementing firewall functions and features ip address 10.0.20.3 255.255.255.0 vrrp vrid 12 virtual-ip 10.0.20.254 slave # interface Vlanif13 ip address 10.0.30.3 255.255.255.0 vrrp vrid 13 virtual-ip 10.0.30.254 master # interface Vlanif14 ip address 10.0.40.3 255.255.255.0 vrrp vrid 14 virtual-ip 10.0.40.254 slave # interface Ethernet0/0/0 ip address 10.0.50.3 255.255.255.0 # interface Ethernet1/0/0 portswitch port link-type trunk port trunk permit vlan 1 11 to 14 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Vlanif12 add interface Vlanif13 # firewall zone untrust set priority 5 add interface Vlanif11 add interface Vlanif14 # firewall zone dmz set priority 50 # firewall zone name abc set priority 80 add interface Ethernet0/0/0 # nqa-jitter tag-version 1 # ip route-static 10.0.1.0 255.255.255.0 10.0.10.1 ip route-static 10.0.2.0 255.255.255.0 10.0.20.1
104
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 1 Implementing firewall functions and features ip route-static 10.0.3.0 255.255.255.0 10.0.30.1 ip route-static 10.0.4.0 255.255.255.0 10.0.40.1 # slb # cwmp # right-manager server-group # return
HC Series
HUAWEI TECHNOLOGIES
105
HCNP-IENP Chapter 2 QoS and traffic flow management
Chapter 2 QoS and traffic flow management Lab 2-1 QoS Learning Objectives The objectives of this lab are to learn and understand:
Method used to analyze the SLA using NQA
Priority mapping and traffic policing
Traffic shaping
Congestion management based on queues and traffic classifiers
Method used to configure congestion avoidance based on WRED
Topology
Figure 2-1 QoS
106
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management
Scenario Assume that you are a network administrator of an enterprise. R1 and S1 are located in the enterprise headquarters, and R2 and S2 are located in the enterprise branch. The headquarters and branch are connected through a leased line. The internal network bandwidth increases gradually, but the leased line bandwidth does not increase. As a result, important services are delayed or some services are unavailable. You can use differentiated services and adjust QoS parameters to ensure that important service data is first sent to the destination. In the lab, S3 and S4 use NQA to exchange a large flow of generated data. R3, R4, and R5 simulate the clients and server to check whether important applications are available.
Tasks Step 1 Perform
basic
configuration
and
configure
IP
addresses. Configure IP addresses and masks for all the routers and switches S3 and S4. Set the baud rate of S1/0/0 on R1 to 72000 and configure the link of S1/0/0 as the WAN link where congestion occurs because of insufficient bandwidth. system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R1 [R1]interface Serial 1/0/0 [R1-Serial1/0/0]ip address 10.0.12.1 255.255.255.0 [R1-Serial1/0/0]baudrate 72000 [R1-Serial1/0/0]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]ip address 10.0.145.1 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R2
HC Series
HUAWEI TECHNOLOGIES
107
HCNP-IENP Chapter 2 QoS and traffic flow management [R2]interface s1/0/0 [R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0 [R2-Serial1/0/0]interface GigabitEthernet 0/0/2 [R2-GigabitEthernet0/0/2]ip address 10.0.34.2 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R3 [R3]interface GigabitEthernet 0/0/2 [R3-GigabitEthernet0/0/2]ip address 10.0.34.3 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R4 [R4]interface GigabitEthernet 0/0/1 [R4-GigabitEthernet0/0/1]ip address 10.0.145.4 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname R5 [R5]interface GigabitEthernet 0/0/1 [R5-GigabitEthernet0/0/1]ip address 10.0.145.5 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname S3 [S3]interface vlan [S3]interface Vlanif 1 [S3-Vlanif1]ip address 10.0.145.3 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [Huawei]sysname S4 [S4]interface Vlanif 1 [S4-Vlanif1]ip address 10.0.34.4 255.255.255.0
After the configurations are complete, test link connectivity. [R1]ping -c 1 10.0.12.2 PING 10.0.12.2: 56 data bytes, press CTRL_C to break Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=36 ms --- 10.0.12.2 ping statistics ---
108
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management 1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 36/36/36 ms [R1]ping -c 1 10.0.145.3 PING 10.0.145.3: 56 data bytes, press CTRL_C to break Reply from 10.0.145.3: bytes=56 Sequence=1 ttl=255 time=35 ms --- 10.0.145.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 35/35/35 ms [R1]ping -c 1 10.0.145.4 PING 10.0.145.4: 56 data bytes, press CTRL_C to break Reply from 10.0.145.4: bytes=56 Sequence=1 ttl=255 time=6 ms --- 10.0.145.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 6/6/6 ms [R1]ping -c 1 10.0.145.5 PING 10.0.145.5: 56 data bytes, press CTRL_C to break Reply from 10.0.145.5: bytes=56 Sequence=1 ttl=255 time=6 ms --- 10.0.145.5 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 6/6/6 ms [R2]ping -c 1 10.0.34.3 PING 10.0.34.3: 56 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=56 Sequence=1 ttl=255 time=5 ms --- 10.0.34.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss
HC Series
HUAWEI TECHNOLOGIES
109
HCNP-IENP Chapter 2 QoS and traffic flow management round-trip min/avg/max = 5/5/5 ms [R2]ping -c 1 10.0.34.4 PING 10.0.34.4: 56 data bytes, press CTRL_C to break Reply from 10.0.34.4: bytes=56 Sequence=1 ttl=255 time=36 ms --- 10.0.34.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 36/36/36 ms
Step 2 Configure static routes and NQA. Configure static routes for all the routers and switches S3 and S4. [R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2 [R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1 [R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 [R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 [R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 [S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 [S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configurations are complete, test network connectivity. [S3]ping -c 1 10.0.34.4 PING 10.0.34.4: 56 data bytes, press CTRL_C to break Reply from 10.0.34.4: bytes=56 Sequence=1 ttl=252 time=40 ms --- 10.0.34.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 40/40/40 ms
110
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [R4]ping -c 1 10.0.34.3 PING 10.0.145.4: 56 data bytes, press CTRL_C to break Reply from 10.0.145.4: bytes=56 Sequence=1 ttl=255 time=3 ms --- 10.0.145.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms [R5]ping -c 1 10.0.34.3 PING 10.0.34.3: 56 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=56 Sequence=1 ttl=253 time=44 ms --- 10.0.34.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 44/44/44 ms
The links between S3 and S4, between R4 and R3, and between R5 and R3 are reachable, indicating that network communication is normal. Congestion easily occurs on the 72 kbit/s serial link between the headquarters and branch. Use NQA to generate traffic. S4 functions as the NQA server and S3 functions as the NQA client. Create NQA UDP and jitter test instances to simulate data traffic and voice traffic respectively. Set parameters in NQA test instances to simulate an environment where congestion does not occur if there is only data or voice traffic, and where congestion occurs if there is data and voice traffic. Configure S4 as the NQA server, and set the IP address of the interface used for monitoring UDP services to 10.0.34.4 and port number to 6000. [S4]nqa-server udpecho 10.0.34.4 6000
On S3, configure an NQA UDP test instance to simulate data traffic, and set the ToS to 28, packet size to 5800 bytes, interval at which packets are sent to 1 second, interval for the NQA test to 3 seconds, and timeout
HC Series
HUAWEI TECHNOLOGIES
111
HCNP-IENP Chapter 2 QoS and traffic flow management
interval for the NQA test to 1s, and start the NQA UDP test. [S3]nqa test-instance admin udp [S3-nqa-admin-udp]test-type udp [S3-nqa-admin-udp]destination-address ipv4 10.0.34.4 [S3-nqa-admin-udp]destination-port 6000 [S3-nqa-admin-udp]tos 28 [S3-nqa-admin-udp]datasize 5000 [S3-nqa-admin-udp]interval seconds 1 [S3-nqa-admin-udp]frequency 3 [S3-nqa-admin-udp]timeout 1 [S3-nqa-admin-udp]start now
Check the NQA UDP test result. [S3]display nqa results test-instance admin udp 1 . Test 2 result
The test is finished
Send operation times: 3
Receive response times: 3
Completion:success
RTD OverThresholds number: 0
Attempts number:1
Drop operation number:0
Disconnect operation number:0
Operation timeout number:0
System busy operation number:0
Connection fail number:0
Operation sequence errors number:0
RTT Stats errors number:0
Destination ip address:10.0.34.4 Min/Max/Average Completion Time: 930/950/943 Sum/Square-Sum Completion Time: 2830/2669900 Last Good Probe Time: 2008-01-28 23:10:02.4 Lost packet ratio: 0 %
No packet is discarded and congestion does not occur. Shut down the NQA UDP test. [S3]nqa test-instance admin udp [S3-nqa-admin-udp]stop
On S3, configure an NQA jitter test instance to simulate voice traffic, and set the ToS to 46, packet size to 90 bytes, interval at which packets are sent to 20 milliseconds, the interval for the NQA test to 3 seconds, and timeout interval for the NQA test to 1 second, and start the NQA jitter test. [S3]nqa test-instance admin jitter [S3-nqa-admin-jitter]test-type jitter [S3-nqa-admin-jitter]destination-address ipv4 10.0.34.4
112
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [S3-nqa-admin-jitter]destination-port 6000 [S3-nqa-admin-jitter]tos 46 [S3-nqa-admin-jitter]datasize 90 [S3-nqa-admin-jitter]interval milliseconds 20 [S3-nqa-admin-jitter]frequency 3 [S3-nqa-admin-jitter]timeout 1 [S3-nqa-admin-jitter]start now
Check the NQA jitter test result. [S3]display nqa results test-instance admin jitter NQA entry(admin, jitter) :testflag is active ,testtype is jitter 1 . Test 1 result
The test is finished
SendProbe:60
ResponseProbe:60
Completion:success
RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:40/70/54/3260
RTT Square Sum:179800
NumOfRTT:60
Drop operation number:0
Operation sequence errors number:0
RTT Stats errors number:0
System busy operation number:0
Operation timeout number:0
Min Positive SD:10
Min Positive DS:10
Max Positive SD:10
Max Positive DS:10
Positive SD Number:5
Positive DS Number:11
Positive SD Sum:50
Positive DS Sum:110
Positive SD Square Sum:500
Positive DS Square Sum:1100
Min Negative SD:10
Min Negative DS:10
Max Negative SD:10
Max Negative DS:20
Negative SD Number:4
Negative DS Number:10
Negative SD Sum:40
Negative DS Sum:110
Negative SD Square Sum:400
Negative DS Square Sum:1300
Min Delay SD:20
Min Delay DS:19
Avg Delay SD:27
Avg Delay DS:26
Max Delay SD:35
Max Delay DS:34
Packet Loss SD:0
Packet Loss DS:0
Packet Loss Unknown:0
jitter out value:0.0937500
jitter in value:0.2291667
NumberOfOWD:60
OWD SD Sum:1630
OWD DS Sum:1570
TimeStamp unit: ms
No packet is discarded and congestion does not occur. Shut down the NQA jitter test. [S3]nqa test-instance admin jitter [S3-nqa-admin-jitter]stop
HC Series
HUAWEI TECHNOLOGIES
113
HCNP-IENP Chapter 2 QoS and traffic flow management
Step 3 Configure priority mapping. Run the ping command to simulate traffic of less important services, and map DSCP priorities of the traffic to BE without QoS guarantee. Configure G0/0/1 and S1/0/0 on R1 to trust DSCP priorities of packets. [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]trust dscp override [R1-GigabitEthernet0/0/1]interface Serial 1/0/0 [R1-Serial1/0/0]trust dscp
Specify override in the trust command on G0/0/1 so that DSCP priorities are changed to mapped values after priority mapping is configured on R1. Run the ping command on R4 to simulate the traffic destined for R3 and set the ToS to 26. [R4]ping –tos 26 10.0.34.3
Configure priority mapping on R1 and map DSCP priority 26 to 0. [R1]qos map-table dscp-dscp [R1-maptbl-dscp-dscp]input 26 output 0
View the priority mapping information on R1. [R1]display qos map-table dscp-dscp Input DSCP
DSCP
------------------0
0
1
1
2
2
3
3
4
4
5
5
6
6
7
7
8
8
9
9
10
10
114
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management 11
11
12
12
13
13
14
14
15
15
16
16
17
17
18
18
19
19
20
20
21
21
22
22
23
23
24
24
25
25
26
0
27
27
28
28
29
29
30
30
The preceding information shows that DSCP priority 26 is mapped to 0 and other DSCP priorities use default values.
Step 4 Configure traffic shaping and traffic policing. Start NQA UDP and jitter tests on S3 to simulate congestion on the 72 kbit/s link between the headquarters and branch. [S3]nqa test-instance admin udp [S3-nqa-admin-udp]start now [S3-nqa-admin-udp]nqa test-instance admin jitter [S3-nqa-admin-jitter]start now
On R4, run the ping command with the packet size as 700 bytes and packet count as 10 to simulate the traffic destined for R3. [R4]ping -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out
HC Series
HUAWEI TECHNOLOGIES
115
HCNP-IENP Chapter 2 QoS and traffic flow management Request time out Request time out Request time out Request time out Reply from 10.0.34.3: bytes=700 Sequence=9 ttl=253 time=1944 ms Request time out --- 10.0.34.3 ping statistics --10 packet(s) transmitted 1 packet(s) received 90.00% packet loss round-trip min/avg/max = 1944/1944/1944 ms
Congestion occurs on the link between the headquarters and branch, a large number of packets are discarded, and even the forwarded packets are delayed. R4 cannot communicate with R3. The following describes how to configure traffic policing and traffic shaping to remove congestion on the link so that R4 can communicate with R3. Configure traffic policing to remove congestion. On S1, configure traffic policing on G0/0/13 and set the CIR to 64 kbit/s. [S1]interface GigabitEthernet 0/0/13 [S1-GigabitEthernet0/0/13]qos lr inbound cir 64
View the traffic policing configuration on S1. [S1]display qos lr inbound interface GigabitEthernet 0/0/13 GigabitEthernet0/0/13 lr inbound: cir: 64 Kbps, cbs: 8000 Byte
On R4, run the ping command with the packet size as 700 bytes and packet count as 10 to simulate the traffic destined for R3. [R4]ping -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=700 Sequence=1 ttl=253 time=1412 ms Reply from 10.0.34.3: bytes=700 Sequence=2 ttl=253 time=255 ms Reply from 10.0.34.3: bytes=700 Sequence=3 ttl=253 time=736 ms Reply from 10.0.34.3: bytes=700 Sequence=4 ttl=253 time=1746 ms Reply from 10.0.34.3: bytes=700 Sequence=5 ttl=253 time=246 ms Reply from 10.0.34.3: bytes=700 Sequence=6 ttl=253 time=746 ms Reply from 10.0.34.3: bytes=700 Sequence=7 ttl=253 time=1736 ms
116
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management Reply from 10.0.34.3: bytes=700 Sequence=8 ttl=253 time=258 ms Reply from 10.0.34.3: bytes=700 Sequence=9 ttl=253 time=766 ms Reply from 10.0.34.3: bytes=700 Sequence=10 ttl=253 time=1736 ms --- 10.0.34.3 ping statistics --10 packet(s) transmitted 10 packet(s) received 0.00% packet loss round-trip min/avg/max = 246/963/1746 ms
Packets are not discarded and R4 can communicate with R3, indicating that traffic policing takes effect. Delete the traffic policing configuration from S1. [S1]interface GigabitEthernet 0/0/13 [S1-GigabitEthernet0/0/13]undo qos lr inbound
The following uses traffic shaping to remove congestion. On S3, configure traffic shaping on E0/0/13 and set the CIR to 64 kbit/s. [S3]interface Ethernet0/0/13 [S3-Ethernet0/0/13]qos lr outbound cir 64
On R4, run the ping command with the packet size as 700 bytes and packet count as 10 to simulate the traffic destined for R3. [R4]ping -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=700 Sequence=1 ttl=253 time=240 ms Reply from 10.0.34.3: bytes=700 Sequence=2 ttl=253 time=284 ms Reply from 10.0.34.3: bytes=700 Sequence=3 ttl=253 time=334 ms Reply from 10.0.34.3: bytes=700 Sequence=4 ttl=253 time=224 ms Reply from 10.0.34.3: bytes=700 Sequence=5 ttl=253 time=344 ms Reply from 10.0.34.3: bytes=700 Sequence=6 ttl=253 time=275 ms Reply from 10.0.34.3: bytes=700 Sequence=7 ttl=253 time=534 ms Reply from 10.0.34.3: bytes=700 Sequence=8 ttl=253 time=184 ms Reply from 10.0.34.3: bytes=700 Sequence=9 ttl=253 time=204 ms Reply from 10.0.34.3: bytes=700 Sequence=10 ttl=253 time=314 ms --- 10.0.34.3 ping statistics --10 packet(s) transmitted 10 packet(s) received 0.00% packet loss round-trip min/avg/max = 184/293/534 ms
HC Series
HUAWEI TECHNOLOGIES
117
HCNP-IENP Chapter 2 QoS and traffic flow management
Packets are not discarded and R4 can communicate with R3, indicating that traffic shaping takes effect. Delete the traffic shaping configuration from S3. [S3]interface Ethernet0/0/13 [S3-Ethernet0/0/13]undo qos lr outbound
On R4, run the ping command with the packet size as 700 bytes and packet count as 10 to simulate the traffic destined for R3. [R4]ping -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=700 Sequence=1 ttl=253 time=1918 ms Request time out Reply from 10.0.34.3: bytes=700 Sequence=3 ttl=253 time=1762 ms Request time out Request time out Request time out Request time out Request time out Request time out Request time out --- 10.0.34.3 ping statistics --10 packet(s) transmitted 2 packet(s) received 80.00% packet loss round-trip min/avg/max = 1762/1840/1918 ms
After the configuration is deleted, many packets are discarded and forwarded data packets are delayed. R4 cannot communicate with R3.
Step 5 Configure flow-based congestion management and congestion avoidance. To prevent network congestion on the link between the headquarters and branch, configure queue-based congestion management and congestion avoidance. On R1, create a WRED drop profile named data based on DSCP priorities and set the upper drop threshold to 90, lower drop threshold 118
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management
to 50, and maximum drop probability to 30. [R1]drop-profile data [R1-drop-profile-data]wred dscp [R1-drop-profile-data]dscp af32 low-limit 50 high-limit 90 discard-percentage 30
Create a queue profile named queue-profile1 on R1, put data traffic into WFQ queues; bind the queue profile to the WRED drop profile data, and put high-priority and delay-sensitive voice traffic to PQ queues. [R1]qos queue-profile queue-profile1 [R1-qos-queue-profile-queue-profile1]queue 3 drop-profile data [R1-qos-queue-profile-queue-profile1]schedule wfq 3 pq 5
Apply the queue profile to S1/0/0 of R1. [R1]interface Serial 1/0/0 [R1- Serial0/0/1]qos queue-profile queue-profile1
View the queue profile information. [R1]display qos queue-profile queue-profile1 Queue-profile: queue-profile1 Queue Schedule Weight Length(Bytes/Packets) Gts(CIR/CBS) ----------------------------------------------------------------3
WFQ
10
0/0
-/-
5
PQ
-
0/0
-/-
Data traffic and voice traffic enter WFQ and PQ queues respectively. View the WRED drop profile information. [R1]display drop-profile data Drop-profile[1]: data DSCP
Low-limit
High-limit Discard-percentage
----------------------------------------------------------------default
30
100
10
1
30
100
10
2
30
100
10
3
30
100
10
4
30
100
10
5
30
100
10
6
30
100
10
7
30
100
10
cs1
30
100
10
HC Series
HUAWEI TECHNOLOGIES
119
HCNP-IENP Chapter 2 QoS and traffic flow management 9
30
100
10
af11
30
100
10
11
30
100
10
af12
30
100
10
13
30
100
10
af13
30
100
10
15
30
100
10
cs2
30
100
10
17
30
100
10
af21
30
100
10
19
30
100
10
af22
30
100
10
21
30
100
10
af23
30
100
10
23
30
100
10
cs3
30
100
10
25
30
100
10
af31
30
100
10
27
30
100
10
af32
50
90
30
29
30
100
10
af33
30
100
10
31
30
100
10
cs4
30
100
10
33
30
100
10
af41
30
100
10
Parameters in the WRED drop profile data take effect, and other parameters use default values.
Step 6 Configure flow-based congestion management and congestion avoidance. To prevent network congestion on the link between the headquarters and branch, configure flow-based congestion management and congestion avoidance. Define the traffic exchanged between R4 and R3 as important traffic and perform QoS guarantee for the traffic so that R4 can communicate with R3. Delete the queue profile from S1/0/0 on R1. 120
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]undo qos queue-profile
On R4, run the ping command with the source address as 10.0.145.4, packet size as 700 bytes, and packet count as 10 to test connectivity between R4 and R3. [R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=700 Sequence=1 ttl=253 time=1279 ms Request time out Reply from 10.0.34.3: bytes=700 Sequence=3 ttl=253 time=1587 ms Reply from 10.0.34.3: bytes=700 Sequence=4 ttl=253 time=1827 ms Request time out Reply from 10.0.34.3: bytes=700 Sequence=6 ttl=253 time=1717 ms Request time out Request time out Request time out Request time out --- 10.0.34.3 ping statistics --10 packet(s) transmitted 4 packet(s) received 60.00% packet loss round-trip min/avg/max = 1279/1602/1827 ms
Congestion has occurred on the link between the headquarters and branch. A large number of packets are discarded, and R4 cannot communicate with R3. On R1, create ACL 3001 to match the traffic sent from 10.0.145.4 to 10.0.34.3. [R1]acl number 3001 [R1-acl-adv-3001]rule 0 per ip source 10.0.145.4 0.0.0.0 destination 10.0.34.3 0.0.0.0
Create a traffic classifier class-ef, reference ACL 3001 in the traffic classifier, create a traffic behavior behavior-ef, set the queue scheduling mode to EF, and set the bandwidth to 10 kbit/s. [R1]traffic classifier class-ef [R1-classifier-class-ef]if-match acl 3001 [R1-classifier-class-ef]traffic behavior behavior-ef [R1-behavior-behavior-ef]queue ef bandwidth 8
HC Series
HUAWEI TECHNOLOGIES
121
HCNP-IENP Chapter 2 QoS and traffic flow management
Create a traffic classifier class-af32 to match data traffic with the DSCP priority as AF32, set the traffic behavior as behavior-af32, set the queue scheduling mode to AF, set the bandwidth to 30 kbit/s, and bind the traffic behavior to the drop profile data. [R1]traffic classifier class-af32 [R1-classifier-class-af32]if-match dscp af32 [R-classifier-class-af321]traffic behavior behavior-af32 [R1-behavior-behavior-af32]queue af bandwidth 30 [R1-behavior-behavior-af32]drop-profile data
Create a traffic policy policy-1, associate the traffic policy with the traffic classifier class-ef and traffic behavior behavior-ef, and the traffic classifier class-af32 and traffic behavior behavior-af32, and apply the traffic policy to S1/0/0 on R1. [R1]traffic policy policy-1 [R1-trafficpolicy-policy-1]classifier class-ef behavior behavior-ef [R1-trafficpolicy-policy-1]classifier class-af32 behavior behavior-af32 [R1-trafficpolicy-policy-1]interface Serial 1/0/0 [R1-Serial1/0/0]traffic-policy policy-1 outbound
On R4, run the ping command with the source address as 10.0.145.4, packet size as 700 bytes, and packet count as 10 to test connectivity between R4 and R3. [R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3 PING 10.0.34.3: 700 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=700 Sequence=1 ttl=253 time=694 ms Reply from 10.0.34.3: bytes=700 Sequence=2 ttl=253 time=391 ms Reply from 10.0.34.3: bytes=700 Sequence=3 ttl=253 time=361 ms Reply from 10.0.34.3: bytes=700 Sequence=4 ttl=253 time=671 ms Reply from 10.0.34.3: bytes=700 Sequence=5 ttl=253 time=211 ms Reply from 10.0.34.3: bytes=700 Sequence=6 ttl=253 time=611 ms Reply from 10.0.34.3: bytes=700 Sequence=7 ttl=253 time=688 ms Reply from 10.0.34.3: bytes=700 Sequence=8 ttl=253 time=391 ms Reply from 10.0.34.3: bytes=700 Sequence=9 ttl=253 time=301 ms Reply from 10.0.34.3: bytes=700 Sequence=10 ttl=253 time=651 ms --- 10.0.34.3 ping statistics --10 packet(s) transmitted 10 packet(s) received 0.00% packet loss
122
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management round-trip min/avg/max = 211/497/694 ms
Configure traffic from R1 to R3 to enter EF queues. Then R1 can communicate with R3.
Additional Exercises: Analyzing and Verifying QoS uses differentiated services to ensure bandwidth and shorten delay for various services. Can high bandwidth improve service quality instead of QoS? After the lab, summarize the QoS process.
Final Configurations display current-configuration [V200R001C00SPC200] # sysname R1 # acl number 3001 rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0 # drop-profile data wred dscp dscp af32 low-limit 50 high-limit 90 discard-percentage 30 # qos queue-profile queue-profile1 queue 3 drop-profile data schedule wfq 3 pq 5 # qos map-table dscp-dscp input 26 output 0 # traffic classifier class-ef operator or if-match acl 3001 traffic classifier class-af32 operator or if-match dscp af32 # traffic behavior behavior-ef queue ef bandwidth 10 cbs 250 traffic behavior behavior-af32
HC Series
HUAWEI TECHNOLOGIES
123
HCNP-IENP Chapter 2 QoS and traffic flow management queue af bandwidth 30 drop-profile data traffic behavior behavir-af32 queue af bandwidth 30 # traffic policy policy-1 classifier class-ef behavior behavior-ef classifier class-af32 behavior behavior-af32 # interface Serial1/0/0 link-protocol ppp ip address 10.0.12.1 255.255.255.0 trust dscp traffic-policy policy-1 outbound baudrate 72000 # interface GigabitEthernet0/0/1 ip address 10.0.145.1 255.255.255.0 trust dscp override # ip route-static 10.0.34.0 255.255.255.0 10.0.12.2 # Return display current-configuration [V200R001C00SPC200] # sysname R2 # interface Serial1/0/0 link-protocol ppp ip address 10.0.12.2 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.0.34.2 255.255.255.0 # ip route-static 10.0.145.0 255.255.255.0 10.0.12.1 # return display current-configuration [V200R001C00SPC200] #
124
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management sysname R3 # interface GigabitEthernet0/0/2 ip address 10.0.34.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 # return display current-configuration [V200R001C00SPC200] # sysname R4 # interface GigabitEthernet0/0/1 ip address 10.0.145.4 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 # return display current-configuration [V200R001C00SPC200] # sysname R5 # interface GigabitEthernet0/0/1 ip address 10.0.145.5 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 # return display current-configuration # !Software Version V100R006C00SPC800 sysname S3 # interface Vlanif1 ip address 10.0.145.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 #
HC Series
HUAWEI TECHNOLOGIES
125
HCNP-IENP Chapter 2 QoS and traffic flow management nqa test-instance admin udp test-type udp destination-address ipv4 10.0.34.4 destination-port 6000 tos 28 frequency 3 interval seconds 1 timeout 1 datasize 5800 start now nqa test-instance admin jitter test-type jitter destination-address ipv4 10.0.34.4 destination-port 6000 tos 46 frequency 3 interval milliseconds 20 timeout 1 datasize 90 start now # return display current-configuration # !Software Version V100R006C00SPC800 sysname S4 # interface Vlanif1 ip address 10.0.34.4 255.255.255.0 # nqa-server udpecho 10.0.34.4 6000 # ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 # Return
126
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management
Lab 2-2 Traffic Control Based on the Traffic Policy Learning Objectives The objectives of this lab are to learn and understand:
End-to-end QoS configuration
Traffic control based on the traffic policy
Topology
Figure 2-2 Traffic control based on the traffic policy
Scenario Assume that you are a network administrator of an enterprise. R1 and S1 are located in the enterprise headquarters, and R2 and S2 are located in the enterprise branch. The headquarters and branch are connected through the leased line. The required internal network bandwidth increases gradually, but the leased line bandwidth does not increase. As a result, important services are delayed or some services are unavailable. Configure end-to-end QoS and adjust QoS parameters so that important service data can be sent to the destination and the traffic policy is used to control traffic.
HC Series
HUAWEI TECHNOLOGIES
127
HCNP-IENP Chapter 2 QoS and traffic flow management
Tasks Step 1 Perform
basic
configuration
and
configure
IP
addresses. Configure IP addresses and masks for all the routers and switches S3 and S4. system-view Enter system view, return user view with Ctrl+Z. [R1]interface Serial 1/0/0 [R1-Serial1/0/0]ip address 10.0.12.1 255.255.255.0 [R1-Serial1/0/0]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]ip add 10.0.145.1 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [R2]interface Serial 1/0/0 [R2-Serial1/0/0]ip address 10.0.12.2 255.255.255.0 [R2-Serial1/0/0]interface GigabitEthernet 0/0/2 [R2-GigabitEthernet0/0/2]ip address 10.0.34.2 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [R3]interface GigabitEthernet 0/0/2 [R3-GigabitEthernet0/0/2]ip address 10.0.34.3 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [R4]interface GigabitEthernet 0/0/1 [R4-GigabitEthernet0/0/1]ip address 10.0.145.4 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [R5]interface GigabitEthernet 0/0/1 [R5-GigabitEthernet0/0/1]ip address 10.0.145.5 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [S3]interface Vlanif 1
128
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [S3-Vlanif1]ip address 10.0.145.3 255.255.255.0 system-view Enter system view, return user view with Ctrl+Z. [S4]interface Vlanif 1 [S4-Vlanif1]ip address 10.0.34.4 255.255.255.0
After the configurations are complete, test link connectivity. [R1]ping -c 1 10.0.12.2 PING 10.0.12.2: 56 data bytes, press CTRL_C to break Reply from 10.0.12.2: bytes=56 Sequence=1 ttl=255 time=36 ms --- 10.0.12.2 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 36/36/36 ms [R1]ping -c 1 10.0.145.3 PING 10.0.145.3: 56 data bytes, press CTRL_C to break Reply from 10.0.145.3: bytes=56 Sequence=1 ttl=255 time=35 ms --- 10.0.145.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 35/35/35 ms [R1]ping -c 1 10.0.145.4 PING 10.0.145.4: 56 data bytes, press CTRL_C to break Reply from 10.0.145.4: bytes=56 Sequence=1 ttl=255 time=6 ms --- 10.0.145.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 6/6/6 ms [R1]ping -c 1 10.0.145.5 PING 10.0.145.5: 56 data bytes, press CTRL_C to break Reply from 10.0.145.5: bytes=56 Sequence=1 ttl=255 time=6 ms
HC Series
HUAWEI TECHNOLOGIES
129
HCNP-IENP Chapter 2 QoS and traffic flow management --- 10.0.145.5 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 6/6/6 ms [R2]ping -c 1 10.0.34.3 PING 10.0.34.3: 56 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=56 Sequence=1 ttl=255 time=5 ms --- 10.0.34.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 5/5/5 ms [R2]ping -c 1 10.0.34.4 PING 10.0.34.4: 56 data bytes, press CTRL_C to break Reply from 10.0.34.4: bytes=56 Sequence=1 ttl=255 time=36 ms --- 10.0.34.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 36/36/36 ms
Step 2 Configure static routes. Configure static routes for all the routers and switches S3 and S4. [R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2 [R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1 [R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 [R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 [R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 [S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
130
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configuration is complete, test network connectivity. [S3]ping -c 1 10.0.34.4 PING 10.0.34.4: 56 data bytes, press CTRL_C to break Reply from 10.0.34.4: bytes=56 Sequence=1 ttl=252 time=40 ms --- 10.0.34.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 40/40/40 ms [R4]ping -c 1 10.0.34.3 PING 10.0.145.4: 56 data bytes, press CTRL_C to break Reply from 10.0.145.4: bytes=56 Sequence=1 ttl=255 time=3 ms --- 10.0.145.4 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms [R5]ping -c 1 10.0.34.3 PING 10.0.34.3: 56 data bytes, press CTRL_C to break Reply from 10.0.34.3: bytes=56 Sequence=1 ttl=253 time=44 ms --- 10.0.34.3 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 44/44/44 ms
Step 3 Configure DSCP priority re-marking. Voice, video, and data services are transmitted on the enterprise network. Because the bandwidth of the leased line between the enterprise headquarters and branch does not increase, congestion occurs.
HC Series
HUAWEI TECHNOLOGIES
131
HCNP-IENP Chapter 2 QoS and traffic flow management
Configure end-to-end QoS to ensure that voice packets are sent first and bandwidth for video packets is guaranteed. Simulate voice packets between R4 and R3, video packets between R5 and R3, and data packets between S3 and S4. Perform QoS configuration for voice packets and video packets and configure BE for data packets. Mark the DSCP priority of voice packets with EF, and the DSCP priority of video packets with AF32. On S1, create ACL 3001 and ACL 3002 to match the traffic sent from R4 to R3 and the traffic sent from R5 to R3 respectively. [S1]acl number 3001 [S1-acl-adv-3001]rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0 [S1-acl-adv-3001]acl number 3002 [S1-acl-adv-3002]rule 0 permit ip source 10.0.145.5 0 destination 10.0.34.3 0
Create a traffic classifier class-voice-s1 and reference ACL 3001 in the traffic classifier. Create a traffic behavior behavior-voice-s1 and re-mark DSCP priorities with EF. Create a traffic policy policy-voice-s1 and associate the traffic classifier class-voice-s1 and traffic behavior behavior-voice-s1 with the traffic policy, and apply the traffic policy to G0/0/4 in the inbound direction. [S1]traffic classifier class-voice-s1 [S1-classifier-class-voice-s1]if-match acl 3001 [S1-classifier-class-voice-s1]traffic behavior behavior-voice-s1 [S1-behavior-behavior-voice-s1]remark dscp ef [S1-behavior-behavior-voice-s1]traffic policy policy-voice-s1 [S1-trafficpolicy-policy-voice-s1]classifier class-voice-s1 behavior behavior-voice-s1 [S1-trafficpolicy-policy-voice-s1]interface GigabitEthernet 0/0/4 [S1-GigabitEthernet0/0/4]traffic-policy policy-voice-s1 inbound
Create a traffic classifier class-video-s1 and reference ACL 3002 in the traffic classifier. Create a traffic behavior behavior-video-s1 and re-mark the DSCP priority with AF32. Create a traffic policy policy-video-s1 and associate the traffic classifier class-video-s1 and traffic behavior behavior-video-s1 with the traffic policy, and apply the traffic policy to G0/0/5 in the inbound direction. [S1]traffic classifier class-video-s1 [S1-classifier-class-video-s1]if-match acl 3002
132
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [S1-classifier-class-video-s1]traffic behavior behavior-video-s1 [S1-behavior-behavior-video-s1]remark dscp af32 [S1-behavior-behavior-video-s1]traffic policy policy-video-s1 [S1-trafficpolicy-policy-video-s1]classifier class-video-s1 behavior behavior-video-s1 [S1-trafficpolicy-policy-video-s1]interface GigabitEthernet 0/0/5 [S1-GigabitEthernet0/0/5]traffic-policy policy-video-s1 inbound
On S2, create ACL 3001 and ACL 3002 to match the traffic sent from R3 to R4 and the traffic sent from R3 to R5 respectively. [S2]acl number 3001 [S2-acl-adv-3001]rule 0 permit ip source 10.0.34.3 0 destination 10.0.145.4 0 [S2-acl-adv-3001]acl number 3002 [S2-acl-adv-3002]rule 0 permit ip source 10.0.34.3 0 destination 10.0.145.5 0
On S2, create a traffic classifier class-voice-s2 and reference ACL 3001 in the traffic classifier. Create a traffic behavior behavior-voice-s2 and re-mark the DSCP priority with EF. [S2]traffic classifier class-voice-s2 [S2-classifier-class-voice-s2]if-match acl 3001 [S2-classifier-class-voice-s2]traffic behavior behavior-voice-s2 [S2-behavior-behavior-voice-s2]remark dscp ef
On S2, create a traffic classifier class-video-s2 and reference ACL 3002 in the traffic classifier. Create a traffic behavior behavior-video-s2 and re-mark the DSCP priority with AF32. [S2]traffic classifier class-video-s2 [S2-classifier-class-video-s2]if-match acl 3002 [S2-classifier-class-video-s2]traffic behavior behavior-video-s2 [S2-behavior-behavior-video-s2]remark dscp af32
Create a traffic policy policy-voice-video-s2 and associate the traffic policy with the traffic classifier class-voice-s2 and traffic behavior behavior-voice-s2, and the traffic classifier class-video-2 and traffic behavior behavior-video-s2, and apply the traffic policy to G0/0/3 in the inbound direction. [S2]traffic policy policy-voice-video-s2 [S2-trafficpolicy-policy-voice-video-s2]classifier class-voice-s2 behavior behavior-voice-s2 [S2-trafficpolicy-policy-voice-video-s2]classifier class-video-s2 behavior behavior-video-s2
HC Series
HUAWEI TECHNOLOGIES
133
HCNP-IENP Chapter 2 QoS and traffic flow management [S2]interface GigabitEthernet 0/0/3 [S2-GigabitEthernet0/0/3]traffic-policy policy-voice-video-s2 inbound
Step 4 Configure traffic shaping and traffic policing. Configure traffic shaping on core switches of the headquarters and branch to lessen network congestion. Configure traffic shaping on G0/0/1 of S1 in the outbound direction and set the CIR to 128 kbit/s. [S1]interface GigabitEthernet 0/0/1 [S1-GigabitEthernet0/0/1]qos lr outbound cir 128
View the traffic shaping configuration. [S1]display qos lr outbound interface GigabitEthernet 0/0/1 GigabitEthernet0/0/1 lr outbound: cir: 128 Kbps, cbs: 16000 Byte
Configure traffic shaping on G0/0/2 of S2 in the outbound direction and set the CIR to 128 kbit/s. [S2]interface GigabitEthernet 0/0/2 [S2-GigabitEthernet0/0/2]qos lr outbound cir 128
View the traffic shaping configuration. [S2]display qos lr outbound interface GigabitEthernet 0/0/2 GigabitEthernet0/0/2 lr outbound: cir: 128 Kbps, cbs: 16000 Byte
Configure traffic policing on egress routers of the headquarters and branch to further lessen network congestion. Configure traffic policing on G0/0/1 of R1 in the inbound direction and set the CIR to 72 kbit/s. [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]qos car inbound cir 72
Configure traffic policing on G0/0/2 of R2 in the inbound direction and set the CIR to 72 kbit/s. [R2]interface GigabitEthernet 0/0/2
134
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management [R2-GigabitEthernet0/0/2]qos car inbound cir 72
Step 5 Configure
traffic
policy-based
congestion
management and congestion avoidance. Configure traffic policy-based congestion management and congestion avoidance on egress routers of the headquarters and branch. Ensure that voice traffic is sent first and video traffic has sufficient bandwidth. Configure G0/0/1 on R1 to trust DSCP priorities. [R1]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]trust dscp
On R1, create a WRED drop profile named video-r1 based on DSCP priorities and set the upper drop threshold to 90, lower drop threshold to 50, and maximum drop probability to 30. [R1]drop-profile video [R1-drop-profile-video-r1]wred dscp [R1-drop-profile-video-r1]dscp af32 low-limit 50 high-limit 90 discard-percentage 30
On R1, create a traffic classifier class-af32-r1 to match video traffic with the DSCP priority of AF32. Set the traffic behavior as behavior-af32-r1, set the queue scheduling mode to AF, the dedicated interface bandwidth to 40%, and bind the traffic behavior to the WRED drop profile video-r1. [R1]traffic classifier class-af32-r1 [R1-classifier-class-af32-r1]if-match dscp af32 [R1-classifier-class-af32-r1]traffic behavior behavior-af32-r1 [R1-behavior-behavior-af32-r1]queue af bandwidth pct 40 [R1-behavior-behavior-af32-r1]drop-profile video-r1
On R1, create a traffic classifier class-ef-r1 to match video traffic with the DSCP priority of EF. Create a traffic behavior behavior-ef-r1, and set the queue scheduling mode to EF and the dedicated interface bandwidth to 30%. [R1]traffic classifier class-ef-r1
HC Series
HUAWEI TECHNOLOGIES
135
HCNP-IENP Chapter 2 QoS and traffic flow management [R1-classifier-class-ef-r1]if-match dscp ef [R1-classifier-class-ef-r1]traffic behavior behavior-ef-r1 [R1-behavior-behavior-ef-r1]queue ef bandwidth pct 30
On R1, create a traffic policy policy-r1 and associate the traffic policy with the traffic classifier class-af32-r1 and traffic behavior behavior-af32-r1, the traffic classifier class-ef-r1 and traffic behavior behavior-ef-r1, and apply the traffic policy to S1/0/0 in the outbound direction. [R1]traffic policy policy-r1 [R1-trafficpolicy-policy-r1]classifier class-af32-r1 behavior behavior-af32-r1 [R1-trafficpolicy-policy-r1]classifier class-ef-r1 behavior behavior-ef-r1 [R1-trafficpolicy-policy-r1]interface Serial 1/0/0 [R1-Serial1/0/0]traffic-policy policy-r1 outbound
Perform similar configuration on R2. Configure G0/0/2 on R2 to trust DSCP priorities. [R2]interface GigabitEthernet 0/0/2 [R2-GigabitEthernet0/0/2]trust dscp
On R2, create a WRED drop profile named video-r2 based on DSCP priorities and set the upper drop threshold to 90, lower drop threshold to 50, and maximum drop probability to 30. [R2]drop-profile video-r2 [R2-drop-profile-video-r2]wred dscp [R2-drop-profile-video-r2]dscp af32 low-limit 50 high-limit 90 discard-percentage 30
On R2, create a traffic classifier class-af32-r2 to match video traffic with the DSCP priority of AF32. Set the traffic behavior as behavior-af32-r2, set the queue scheduling mode to AF, the dedicated interface bandwidth to 40%, and bind the traffic behavior to the WRED drop profile video-r2. [R2]traffic classifier class-af32-r2 [R2-classifier-class-af32-r2]if-match dscp af32 [R2-classifier-class-af32-r2]traffic behavior behavior-af32-r2 [R2-behavior-behavior-af32-r2]queue af bandwidth pct 40 [R2-behavior-behavior-af32-r2]drop-profile video-r2
On R2, create a traffic classifier class-ef-r2 to match video traffic with 136
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management
the DSCP priority of EF. Set the traffic behavior as behavior-ef-r2, set the queue scheduling mode to EF and the dedicated interface bandwidth to 30%. [R2]traffic classifier class-ef-r2 [R2-classifier-class-ef-r2]if-match dscp ef [R2-classifier-class-ef-r2]traffic behavior behavior-ef-r2 [R2-behavior-behavior-ef-r2]queue ef bandwidth pct 30
On R2, create a traffic policy policy-r2 and associate the traffic policy with the traffic classifier class-af32-r2 and traffic behavior behavior-af32-r2, the traffic classifier class-ef-r2 and traffic behavior behavior-ef-r2, and apply the traffic policy to S1/0/0 in the outbound direction. [R2]traffic policy policy-r2 [R2-trafficpolicy-policy-r2]classifier class-af32-r2 behavior behavior-af32-r2 [R2-trafficpolicy-policy-r2]classifier class-ef-r2 behavior behavior-ef-r2 [R2]interface Serial 1/0/0 [R2-Serial1/0/0]traffic-policy policy-r2 outbound
Step 6 Configure traffic control based on the traffic policy. The headquarters wants to discard some video traffic with UDP port numbers 4000 to 5000. On R1, create ACL 3003 to match the traffic that is sent from R5 to R3 and has UDP ports 4000 to 5000. [R1]acl number 3003 [R1-acl-adv-3003]rule 0 permit udp source-port range 4000 5000 source 10.0.145.5 0 destination 10.0.34.3 0
On R1, create a traffic classifier class-drop and reference ACL 3003 in the traffic classifier. [R1]traffic classifier class-drop [R1-classifier-class-drop]if-match acl 3003
On R1, create a traffic behavior behavior-drop and configure the deny action in the traffic behavior. [R1]traffic behavior behavior-drop [R1-behavior-behavior-drop]deny
HC Series
HUAWEI TECHNOLOGIES
137
HCNP-IENP Chapter 2 QoS and traffic flow management
On R1, create a traffic policy policy-drop and associate the traffic policy with the traffic classifier class-drop and traffic behavior behavior-drop, and apply the traffic policy to G0/0/5 in the inbound direction. [R1]traffic policy policy-drop [R1-trafficpolicy-policy-drop]classifier class-drop behavior behavior-drop [R1-trafficpolicy-policy-drop]interface GigabitEthernet 0/0/1 [R1-GigabitEthernet0/0/1]traffic-policy policy-drop inbound
View the traffic policy configuration. [R1]dis traffic policy user-defined policy-drop User Defined Traffic Policy Information: Policy: policy-drop Classifier: class-drop Operator: OR Behavior: behavior-drop Deny
Additional Exercises: Analyzing and Verifying After the configuration, summarize QoS policies and application scenarios.
Final Configurations display current-configuration [V200R001C00SPC200] # sysname R1 # acl number 3003 rule 0 permit udp source 10.0.145.5 0 source-port range 4000 5000 destination 10.0.34.3 0 # drop-profile video-r1 wred dscp dscp af32 low-limit 50 high-limit 90 discard-percentage 30 #
138
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management traffic classifier class-drop operator or if-match acl 3003 traffic classifier class-ef-r1 operator or if-match dscp ef traffic classifier class-af32-r1 operator or if-match dscp af32 # traffic behavior behavior-af32-r1 queue af bandwidth pct 40 drop-profile video-r1 traffic behavior behavior-ef-r1 queue ef bandwidth pct 30 traffic behavior behavior-drop deny # traffic policy policy-drop classifier class-drop behavior behavior-drop traffic policy policy-r1 classifier class-af32-r1 behavior behavior-af32-r1 classifier class-ef-r1 behavior behavior-ef-r1 # interface Serial1/0/0 link-protocol ppp ip address 10.0.12.1 255.255.255.0 traffic-policy policy-r1 outbound # interface GigabitEthernet0/0/1 ip address 10.0.145.1 255.255.255.0 trust dscp qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard traffic-policy policy-drop inbound # ip route-static 10.0.34.0 255.255.255.0 10.0.12.2 # return display current-configuration [V200R001C00SPC200] # sysname R2 # drop-profile video-r2 wred dscp
HC Series
HUAWEI TECHNOLOGIES
139
HCNP-IENP Chapter 2 QoS and traffic flow management dscp af32 low-limit 50 high-limit 90 discard-percentage 30 # traffic classifier class-ef-r2 operator or if-match dscp ef traffic classifier class-af32-r2 operator or if-match dscp af32 # traffic behavior behavior-af32-r2 queue af bandwidth pct 40 drop-profile video-r2 traffic behavior behavior-ef-r2 queue ef bandwidth pct 30 # traffic policy policy-r2 classifier class-af32-r2 behavior behavior-af32-r2 classifier class-ef-r2 behavior behavior-ef-r2 # interface Serial1/0/0 link-protocol ppp ip address 10.0.12.2 255.255.255.0 traffic-policy policy-r2 outbound # interface GigabitEthernet0/0/2 ip address 10.0.34.2 255.255.255.0 trust dscp qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard # ip route-static 10.0.145.0 255.255.255.0 10.0.12.1 # return display current-configuration [V200R001C00SPC200] # sysname R3 # interface GigabitEthernet0/0/2 ip address 10.0.34.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 # return
140
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management display current-configuration [V200R001C00SPC200] # sysname R4 # interface GigabitEthernet0/0/1 ip address 10.0.145.4 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 # return display current-configuration [V200R001C00SPC200] # sysname R5 # interface GigabitEthernet0/0/1 ip address 10.0.145.5 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 # return display current-configuration # !Software Version V100R006C00SPC800 sysname S1 # acl number 3001 rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0 acl number 3002 rule 0 permit ip source 10.0.145.5 0 destination 10.0.34.3 0 # traffic classifier class-video-s1 operator and if-match acl 3002 traffic classifier class-voice-s1 operator and if-match acl 3001 # traffic behavior behavior-video-s1 remark dscp af32 traffic behavior behavior-voice-s1 remark dscp ef
HC Series
HUAWEI TECHNOLOGIES
141
HCNP-IENP Chapter 2 QoS and traffic flow management # traffic policy policy-video-s1 classifier class-video-s1 behavior behavior-video-s1 traffic policy policy-voice-s1 classifier class-voice-s1 behavior behavior-voice-s1 # interface GigabitEthernet0/0/1 qos lr outbound cir 128 cbs 16000 # interface GigabitEthernet0/0/4 traffic-policy policy-voice-s1 inbound # interface GigabitEthernet0/0/5 traffic-policy policy-video-s1 inbound # return display current-configuration # !Software Version V100R006C00SPC800 sysname S2 # acl number 3001 rule 0 permit ip source 10.0.34.3 0 destination 10.0.145.4 0 acl number 3002 rule 0 permit ip source 10.0.34.3 0 destination 10.0.145.5 0 # traffic classifier class-video-s2 operator and if-match acl 3002 traffic classifier class-voice-s2 operator and if-match acl 3001 # traffic behavior behavior-video-s2 remark dscp af32 traffic behavior behavior-voice-s2 remark dscp ef # traffic policy policy-voice-video-s2 classifier class-voice-s2 behavior behavior-voice-s2 classifier class-video-s2 behavior behavior-video-s2 # interface GigabitEthernet0/0/2 qos lr outbound cir 128 cbs 16000
142
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 2 QoS and traffic flow management # interface GigabitEthernet0/0/3 traffic-policy policy-voice-video-s2 inbound # return display current-configuration # !Software Version V100R006C00SPC800 sysname S3 # interface Vlanif1 ip address 10.0.145.3 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.145.1 # return display current-configuration # !Software Version V100R006C00SPC800 sysname S4 # interface Vlanif1 ip address 10.0.34.4 255.255.255.0 # ip route-static 0.0.0.0 0.0.0.0 10.0.34.2 # return
HC Series
HUAWEI TECHNOLOGIES
143
HCNP-IENP Chapter 3 Integrated Lab Assessment
Chapter 3 Integrated Lab Assessment Lab 3-1 Integrated Lab-1 (Optional) Learning Objectives The objectives of this lab are to learn and understand:
MST configuration
Route configuration between VLANs
RIP configuration
OSPF configuration
Route import configuration
Routing policy configuration
Firewall configuration
QoS configuration
144
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
Topology
Figure 3-1 Integrated lab-1
Scenario Assume that you are a network administrator of an enterprise. The enterprise network consists of the headquarters network, branch network, and branch office network. The headquarters network consists of one firewall, one router, and four switches. The firewall controls access between the internal network and external network, and the enterprise network is divided into trust, untrust, and DMZ zones. The four switches use the MST technique to implement redundancy and improve network reliability. The QoS technique is used on the switching network to control transmission of data flows. Routers on the headquarters network and branch office network are connected through leased lines and belong to the OSPF routing domain. To optimize network performance in the OSPF routing domain, the headquarters network and branch office network are configured as OSPF stub areas. Because the branch network uses RIP, route import is required at the OSPF boundary to implement interworking between the
HC Series
HUAWEI TECHNOLOGIES
145
HCNP-IENP Chapter 3 Integrated Lab Assessment
RIP routing domain and the OSPF routing domain.
Tasks This lab provides the procedure and verification method, and does not provide commands.
Step 1 Complete basic configuration and configure IP addresses. Configure IP addresses and masks for all devices and test connectivity of directly connected devices.
Step 2 Configure MST. Switches S1 and S2 are connected by an Eth-Trunk link.
Set the link type of interfaces between the switches to trunk and configure the interfaces to allow packets from VLAN 10, VLAN 20, VLAN 30, and VLAN 40 to pass through.
Create VLANs 10, 20, 30, 40, and 100 on all the switches and configure two MSTIs. VLANs 10, 20, and 100 use S1 as the root and VLANs 30 and 40 use S2 as the root.
Step 3 Configure routes between VLANs. Add G0/0/22 and G0/0/1 on S1 to VLAN 100, and add G0/0/1 on S2 to VLAN 10.
Create VLANIF interfaces for VLANs 10, 20, 30, and 40 on S1 and S2 to implement communication between VLANs.
146
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
Step 4 Configure OSPF. Configure OSPF on R1, R2, R3, R4, S1, and S2. Configure the link between R1 and R2 in OSPF area 0. Configure OSPF area 1 on the headquarters network and OSPF area 2 on the branch office network, and configure area 1 and area 2 as OSPF stub areas. Configure area 3 on the network through which R2 and R3 are connected and configure area 3 as the NSSA area. OSPF is not required on the network through which R1 and FW1 are connected.
Step 5 Configure route import. Configure RIP on R3 and R5. On R3, configure RIP and OSPF to import routes from each other. On R3, configure a routing policy to import only RIP routes from R5 in the OSPF routing domain.
On FW1, create VLAN 100 and VLANIF 100, and configure an IP address for VLANIF 100. On R1, configure a default route with the IP address of VLANIF 100 on FW1 as the next hop. Import the default route into OSPF so that R5 can learn this route.
On FW1, create a static route 10.0.0.0/16, with the IP address of G0/0/1 on R1 as the next hop so that FW1 can communicate with all the devices on the internal network.
Step 6 Configure the firewall. Add interfaces on FW1 to trust, untrust, and DMZ zones. Devices in the trust zone can access resources in all the zones, devices in the untrust zone can access only port 80 of the server at 10.0.20.1 in the DMZ zone, and devices in the DMZ zone cannot access other zones.
HC Series
HUAWEI TECHNOLOGIES
147
HCNP-IENP Chapter 3 Integrated Lab Assessment
Step 7 Optimize network performance. S4 needs to limit the rate of data packets for some users and raise the priority of data packets for other users. E0/0/1 belongs to VLAN 10 and E0/0/2 belongs to VLAN 30. Set the rate limit on E0/0/1 to 128 kbit/s, change DSCP priority for packets on E0/0/2 to 45, and configure E0/0/2 to trust DSCP.
Additional Exercises: Analyzing and Verifying Compare this lab with the original lab.
Final Configurations [R1]display current-configuration
[R2]display current-configuration
[R3]display current-configuration
[R4]display current-configuration
[R5]display current-configuration
[S1]display current-configuration
[S2]display current-configuration
[S3]display current-configuration
148
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
[S4]display current-configuration
[FW1]display current-configuration
HC Series
HUAWEI TECHNOLOGIES
149
HCNP-IENP Chapter 3 Integrated Lab Assessment
Lab 3-2 Integrated Lab2 (Optional) Learning Objectives The objectives of this lab are to learn and understand:
IBGP and EBGP configuration
BGP attribute configuration
SEP configuration
NAT and IPSec configuration on the Eudemon firewalls
End-to-end configuration on the router
Topology
Figure 3-2 Integrated lab 2
150
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
Scenario Assume that you are a network administrator of an enterprise. The enterprise headquarters and branch networks use BGP to connect to ISP1 and ISP2. The headquarters network uses AS 100, the branch network uses AS 200, ISP 1 uses AS 1, and ISP 2 uses AS 2. The link connected to ISP1 is the primary link and the link connected to ISP2 is the standby link. The Eudemon firewall is deployed between the core switching network of the enterprise headquarters and the egress router. The core switching network uses SEP to implement redundancy. An IPSec VPN is established between firewalls of the headquarters and branch networks.
Tasks Step 1 Perform
basic
configuration
and
configure
IP
addresses. Configure IP addresses and masks for physical interfaces and loopback interfaces on all routers and test connectivity. Each Loopback0 uses the 32-bit mask.
Step 2 Configure BGP. Configure IBGP and EBGP on R1, R2, R3, R4, and R5, and use physical interfaces to establish BGP peer relationships. BGP load balancing is disabled by default. To prevent the impact of BGP load balancing on route selection, enable BGP load balancing and allow packets to be load balanced on a maximum of four links.
On R1, R2, and R5, advertise their loopback interfaces' IP addresses to BGP and check the BGP routing table. R5 learns routes 12.0.1.1/32 and 12.0.2.2/32 from R3, R1 learns the route 12.0.5.5/32 from R4, and R2 learns the route 12.0.5.5/32 from R3.
HC Series
HUAWEI TECHNOLOGIES
151
HCNP-IENP Chapter 3 Integrated Lab Assessment
The enterprise headquarters and branch need to use the primary link to communicate with each other. Create a routing policy named as_path in which two values of AS 100 are added to the two routes 12.0.1.1/32 and 12.0.2.2/32 learned from R3. Check the BGP routing table. R5 learns the two routes from R4.
On R1, create a routing policy local_pref, set the local priority of the route 12.0.5.5/32 to 200, and apply the routing policy to R2. Check the routing table of R2. R2 learns the route 12.0.5.5/32 from R4.
Step 3 Configure SEP. To improve network robustness, switches S1, S2, and S3 use redundant links, forming a loop. SEP is used to provide redundancy protection. Shut down G0/0/9 and G0/0/10 on S1 and S2, E0/0/23 on S3, and E0/0/14 on S4.
Create a SEP segment and configure VLAN 100 as the control VLAN. Specify all instances as protected VLANs.
Add G0/0/13 and G0/0/14 on S1 to the SEP segment, and configure G0/0/13 as the primary edge interface and G0/0/14 as the secondary edge interface. Add interfaces on S3 and S4 to the SEP segment.
Configure S1 to block interfaces based on the interface priority.
Set the priority of E0/0/1 on S3 to 128.
Set the preemption mode on S1 where the primary edge interface resides to delayed preemption, and set the preemption delay to 30s.
152
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
After the configuration is complete, check the SEP running information. E0/0/1 on S3 should be in blocking state.
Step 4 Configure NAT on the firewall. Configure NAT on FW1. Create VLAN 10 on S1 and add G0/0/22 to VLAN 10. Create VLANIF 10 and assign the IP address 10.0.111.11/24 to VLANIF 10. Configure VLAN 10 on FW1 and create VLANIF 10. Assign IP address 10.0.111.21/24 to VLANIF 10 and use this IP address as the gateway address in the trust area. By default, an IP address is assigned to VLANIF 1. Delete this configuration to ensure lab accuracy.
On R2, advertise the route 12.0.112.0/24 into BGP. On R2, configure a default route with the next hop as the IP address of FW1 and import the default route to BGP. On FW1, configure a default route with the next hop as the IP address of R2. On S1, configure a default route with the next hop as the IP address of FW1.
On FW1, add E0/0/0 to the untrust zone, add E1/0/0 to the trust zone. Configure filtering rules between zones to allow packets sent from the network segment 10.0.111.0/24 in the trust zone to the untrust zone to pass through.
On FW1, configure Easy IP to translate the source IP address of packets sent to 10.0.111.0/24. Bind NAT to E0/0/0.
After the configuration is complete, FW1 allows the trust zone and untrust zone to communicate.
Step 5 Configure IPSec VPN on the firewall. Configure IPSec VPN on FW1 and FW2 on the headquarters and
HC Series
HUAWEI TECHNOLOGIES
153
HCNP-IENP Chapter 3 Integrated Lab Assessment
branch networks. Configure an IP address for Ethernet 2/0/0 on FW2. On FW2, add E0/0/0 to the untrust zone and add E2/0/0 to the trust zone. Configure FW1 and FW2 to allow data packets sent from the trust zone to the untrust zone to pass through, and data packets sent from the untrust zone to the local zone. Advertise the route 12.0.5.0/24 to BGP. On FW2, configure a default route with the next hop as the IP address of R5. On FW1, configure a static route to 12.0.222.0/24. On FW2, configure a static route to 10.0.111.0/24.
On FW1 and FW2, define the data flows to be protected. On FW1, configure ACL 3000 to match the traffic sent from 10.0.111.0/24 to 12.0.222.0/24. On FW2, configure ACL 3000 to match the traffic sent from 12.0.222.0/24 to 10.0.111.0/24.
On FW1 and FW2, configure IPSec proposals in which the encapsulation mode is tunnel, security protocol is ESP, and encryption algorithm is DES. On FW1 and FW2, configure IKE proposals in which the authentication algorithm is SHA1 and the encryption algorithm is DES.
On FW1 and FW2, configure IKE peers. IKE peers use IKEv2 negotiation by default.
On FW1 and FW2, configure IPSec policies. Apply IPSec policies to E0/0/0.
The IPSec VPN between FW1 and FW2 is established.
Step 6 Configure QoS. All the traffic between R1 and R5 and between R2 and R5 is transmitted from the primary link, so QoS deployment may cause
154
HUAWEI TECHNOLOGIES
HC Series
HCNP-IENP Chapter 3 Integrated Lab Assessment
congestion. Create ACL 3001 and ACL 3002 on R1 to match the traffic sent from R1 to R5 and R2 respectively.
Create a traffic classifier class_r1_r2 containing ACL 3001 and ACL 3002. Create a traffic behavior behavior_r1_r2 containing traffic shaping and set the CIR to 10000. Create a traffic policy policy_r1_r2, associate the traffic classifier and traffic behavior with the traffic policy, and apply the traffic policy to G0/0/2. Configure traffic policing on G0/0/2 and G0/0/1 of R4 and set the CIR to 8000.
Create ACL 3001 and ACL 3002 on R5 to match the traffic sent from R5 to R1 and R2 respectively.
Create a traffic classifier class_r5 containing ACL 3001 and ACL 3002. Create a traffic behavior behavior_r5 containing traffic shaping and set the CIR to 10000. Create a traffic policy policy_r5, associate the traffic classifier and traffic behavior with the traffic policy, and apply the traffic policy to G0/0/1 in the outbound direction.
Additional Exercises: Analyzing and Verifying
Final Configurations [R1]display current-configuration
[R2]display current-configuration
[R3]display current-configuration
HC Series
HUAWEI TECHNOLOGIES
155
HCNP-IENP Chapter 3 Integrated Lab Assessment [R4]display current-configuration
[R5]display current-configuration
[S1]display current-configuration
[S2]display current-configuration
[S3]display current-configuration
[S4]display current-configuration
[FW1]display current-configuration
156
HUAWEI TECHNOLOGIES
HC Series
View more...
Comments
