Exemplos Config H3C

Firewall Blacklist Configuration Examples

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration


1 Feature Introduction

The blacklist filters packets on their source IP address alone. Because the match is so simple, packets can be filtered quickly, which effectively shields the network from packets sent by a specific IP address. The most important property of the blacklist is that SecBlade can add and delete entries dynamically: when it detects from packet behaviour that a specific IP address is attempting an attack, SecBlade can modify the blacklist to filter the packets sent from that address.
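The behaviour described above, as an added Python example that is not part of the H3C document: a model of a source-IP blacklist whose entries carry a timeout in minutes (as the page's firewall blacklist ... timeout command does) and only take effect once the feature is enabled, plus a simple rate-based detector that adds an attacking source dynamically. The clock, the detector's threshold of 20 packets per second, and the address 203.0.113.7 are constructed for the demonstration; 202.0.0.1 and the 100-minute timeout come from this example.

```python
import ipaddress
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock (constructed for the example) so the run is reproducible offline."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Blacklist:
    """Source-IP blacklist with per-entry timeout, modelled on the page's
    `firewall blacklist <ip> timeout <minutes>` and `firewall blacklist enable`.
    Entries only take effect once the feature is enabled."""

    def __init__(self, clock, enabled=False):
        self._clock = clock
        self.enabled = enabled
        self._entries = {}  # ip_address -> absolute expiry time, or None for a permanent entry

    def add(self, ip, timeout_minutes=None):
        addr = ipaddress.ip_address(ip)
        expiry = None if timeout_minutes is None else self._clock.now() + timeout_minutes * 60
        self._entries[addr] = expiry

    def delete(self, ip):
        self._entries.pop(ipaddress.ip_address(ip), None)

    def _purge_expired(self):
        now = self._clock.now()
        for addr in [a for a, exp in self._entries.items() if exp is not None and exp <= now]:
            del self._entries[addr]

    def contains(self, ip):
        self._purge_expired()
        return ipaddress.ip_address(ip) in self._entries

    def blocks(self, src_ip):
        """True when a packet from src_ip must be dropped."""
        return self.enabled and self.contains(src_ip)


class AttackDetector:
    """Dynamic blacklisting: a source that sends more than `threshold` packets within
    `window_s` seconds is added to the blacklist for `timeout_minutes`. This threshold
    rule is a constructed stand-in for SecBlade's own attack detection."""

    def __init__(self, blacklist, clock, threshold=20, window_s=1.0, timeout_minutes=10):
        self._bl = blacklist
        self._clock = clock
        self.threshold = threshold
        self.window_s = window_s
        self.timeout_minutes = timeout_minutes
        self._hits = defaultdict(deque)  # ip_address -> packet timestamps inside the window

    def observe(self, src_ip):
        """Record one packet from src_ip; return True if this packet triggered a dynamic add."""
        addr = ipaddress.ip_address(src_ip)
        now = self._clock.now()
        hits = self._hits[addr]
        hits.append(now)
        while hits and hits[0] < now - self.window_s:
            hits.popleft()
        if len(hits) > self.threshold and not self._bl.contains(src_ip):
            self._bl.add(src_ip, self.timeout_minutes)
            hits.clear()
            return True
        return False


def demo():
    """Static entry with timeout, the enable switch, ageing out, and one dynamic add."""
    clock = FakeClock()
    bl = Blacklist(clock)
    bl.add("202.0.0.1", timeout_minutes=100)     # the page's static entry
    before_enable = bl.blocks("202.0.0.1")        # entry present, feature not yet enabled
    bl.enabled = True
    blocked = bl.blocks("202.0.0.1")
    clock.advance(100 * 60 + 1)                   # just past the 100-minute timeout
    after_timeout = bl.blocks("202.0.0.1")

    det = AttackDetector(bl, clock, threshold=20, window_s=1.0, timeout_minutes=10)
    adds = sum(det.observe("203.0.113.7") for _ in range(21))  # constructed burst: 21 packets in one second
    return {
        "before_enable": before_enable,
        "blocked": blocked,
        "after_timeout": after_timeout,
        "dynamic_adds": adds,
        "dynamic_blocked": bl.blocks("203.0.113.7"),
        "innocent_blocked": bl.blocks("10.0.0.2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The enable switch matters in practice: an entry added before firewall blacklist enable is executed filters nothing, which is why every procedure on this page ends with that command.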

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and later (R2126 and later do not support this feature).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, assume that the firewall board is seated in slot 4 of the S9500 switch. The internal host and the external host reside in the Trust zone and the Untrust zone of the firewall respectively. All packets sourced from the external host, whose IP address is 202.0.0.1, are to be filtered for 100 minutes.


4.2 Networking Diagram

Figure 4-1 Networking diagram of blacklist of firewall

4.3 Configuration Procedure

# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30
# Configure IP addresses for the internal VLAN interfaces.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24
# Configure a route, setting the next hop of the external network packets to the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the SecBlade module. Configure VLAN 50 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
# Enter SecBlade view and configure the interconnecting sub-interface and the external network sub-interface of the SecBlade (by default, the username and password are both SecBlade, case sensitive).


<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes: the next hop of internal network packets is the S9500, and the next hop of external network packets is the router.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
# In SecBlade view, configure the blacklist.
[SecBlade_FW] firewall blacklist 202.0.0.1 timeout 100
[SecBlade_FW] firewall blacklist enable

4.4 Complete Configuration

#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10
ip address 10.0.0.1 24
#
interface vlan-interface 30
ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
port access vlan 10


#
interface Ethernet 3/1/1
port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
secblade-interface vlan-interface 30
security-vlan 50
map to slot 4
# Enter SecBlade view (by default, the username and password are both SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and their zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.0.0.254 24
quit
interface g0/0.30
vlan-type dot1q vid 30
ip address 30.0.0.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.30
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1
# Add the external host address as a blacklist entry.
firewall blacklist 202.0.0.1 timeout 100
# Enable the blacklist function.
firewall blacklist enable
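A check a practitioner would run over the finished configuration, added here as example code that is not H3C's: a Python audit that reads a SecBlade-view transcript in the form of the Complete Configuration above and reports what the Precautions and the procedures imply must be present: every configured sub-interface added to a zone, firewall blacklist enable whenever blacklist entries exist, and the firewall packet-filter default permit decision (absent, the firewall forwards nothing; present with no interface filter or ASPF policy, it forwards everything). It also flags the factory login SecBlade/SecBlade that all the procedures on this page use, which should be changed on any board that others can reach. The interface-name normalisation, the finding codes and the sample transcript (constructed, with two deliberate defects) are this example's own; the same checks apply to the Precautions sections of the later examples, whose transcripts it reads the same way.

```python
import re

# Constructed sample (not the page's text verbatim): the SecBlade part of the blacklist
# example with two deliberate defects for the audit to find: sub-interface g0/0.30 is
# never added to a zone, and `firewall blacklist enable` is missing.
SAMPLE_CONFIG = """\
secblade slot 4
user: SecBlade
password: SecBlade
system
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
quit
interface g0/0.30
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
quit
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1
firewall blacklist 202.0.0.1 timeout 100
"""

IFACE_RE = re.compile(r"(?:gigabitethernet|ge|g)\s*(\d+/\d+(?:\.\d+)?)", re.I)
BLACKLIST_ENTRY_RE = re.compile(r"firewall blacklist (?:item )?\d+\.\d+\.\d+\.\d+(?:\s+timeout\s+\d+)?")
FILTER_RE = re.compile(r"firewall (?:packet-filter|ethernet-frame-filter|aspf) \d+ (?:inbound|outbound)")


def canon_iface(name):
    """'GigabitEthernet 0/0.30', 'GigabitEthernet0/0.30' and 'g0/0.30' all become 'ge0/0.30'."""
    m = IFACE_RE.fullmatch(name.strip())
    return f"ge{m.group(1)}" if m else name.strip().lower()


def audit(config_text):
    """Return a list of (code, message) findings for a SecBlade-view configuration transcript."""
    ifaces, zoned, login = set(), set(), {}
    entries = filters = 0
    enabled = default_permit = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"interface\s+(.+)", line):
            ifaces.add(canon_iface(m.group(1)))
        elif m := re.fullmatch(r"add interface\s+(.+)", line):
            zoned.add(canon_iface(m.group(1)))
        elif m := re.fullmatch(r"(user|password):\s*(\S+)", line):
            login[m.group(1)] = m.group(2)
        elif line == "firewall blacklist enable":
            enabled = True
        elif BLACKLIST_ENTRY_RE.fullmatch(line):
            entries += 1
        elif line == "firewall packet-filter default permit":
            default_permit = True
        elif FILTER_RE.fullmatch(line):
            filters += 1

    findings = []
    if login.get("user") == "SecBlade" and login.get("password") == "SecBlade":
        findings.append(("DEFAULT-CREDS", "SecBlade login still uses the factory username and password"))
    for name in sorted(ifaces - zoned):
        findings.append(("UNZONED-IFACE", f"{name} is configured but belongs to no firewall zone"))
    if entries and not enabled:
        findings.append(("BLACKLIST-DISABLED",
                         f"{entries} blacklist entry(ies) configured but 'firewall blacklist enable' is missing"))
    if not default_permit:
        findings.append(("NO-DEFAULT-PERMIT",
                         "no 'firewall packet-filter default permit': per the Precautions the firewall forwards nothing"))
    elif not filters:
        findings.append(("PERMIT-ALL",
                         "'firewall packet-filter default permit' with no interface filter or ASPF policy: everything is forwarded"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
```

Run it against the transcript saved from display current-configuration on the board; the interface normalisation is what lets the short form g0/0.30 used in the procedures match the long form used in the zone commands.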

Firewall Route Mode Configuration Examples

Table of Contents

1 Versions Applicable
2 Precautions
3 Configuration Examples
3.1 Network Requirements
3.2 Networking Diagram
3.3 Configuration Procedure
3.4 Complete Configuration


1 Versions Applicable

Software versions: S9500-CMW310-R1628 and later (R2126 and later do not support this feature).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

2 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward

packets, you need to execute the firewall packet-filter default permit command.

3 Configuration Examples

3.1 Network Requirements

In the network shown in Figure 3-1, assume that the firewall is seated in slot 4 of the S9500 switch and operates in route mode. The gateways of both the internal host and the external host are on the firewall. In this case no Layer 3 interface needs to be configured on the S9500, which acts as a Layer 2-only device; all Layer 3 forwarding is carried out by the firewall.


3.2 Networking Diagram

Figure 3-1 Networking diagram of route mode of firewall (labels recovered from the figure: S9500 port E2/1/2 in VLAN 50, Trust zone, PC 50.1.1.1/24, firewall sub-interface G0/0.50 with VID 50 at 50.1.1.254/24; S9500 port E3/1/3 in VLAN 60, Untrust zone, PC 60.1.1.1/24, firewall sub-interface G0/0.60 with VID 60 at 60.1.1.254/24)

3.3 Configuration Procedure

# Add internal VLAN 50 and external VLAN 60.
<S9500> system-view
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E3/1/3
# Configure the SecBlade module, and configure internal VLAN 50 and external VLAN 60 as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 50 60
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the sub-interfaces and add them to the corresponding zones (by default, the username and password are both SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
# In SecBlade view, set the firewall mode to route mode, then configure the IP address of each sub-interface and add it to the corresponding zone.
[SecBlade_FW] firewall mode route
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] ip address 60.1.1.254 24


[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.60

3.4 Complete Configuration

#
vlan 50
#
vlan 60
#
interface Ethernet 2/1/2
port access vlan 50
#
interface Ethernet 3/1/3
port access vlan 60
#
secblade module test
security-vlan 50 60
map to slot 4
# Enter SecBlade view (by default, the username and password are both SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the firewall mode.
firewall mode route
# Configure the sub-interfaces and zones.
interface g0/0.50
vlan-type dot1q vid 50
ip address 50.1.1.254 24
quit
interface GigabitEthernet 0/0.60
vlan-type dot1q vid 60
ip address 60.1.1.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.50


quit
firewall zone untrust
add interface GigabitEthernet 0/0.60
quit

Transparent Firewall Configuration Examples

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration


1 Feature Introduction

When the firewall is in transparent mode (also known as bridging mode), none of its interfaces is configured with an IP address. Each interface belongs to a Layer 2 security zone and is in the same subnet as the external device attached to the corresponding interface of that zone. When forwarding a packet between interfaces of a Layer 2 zone, the firewall selects the outgoing interface by the packet's MAC address. The SecBlade thus acts as a transparent bridge.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and later (R2126 and later do not support this feature).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0

3 Precautions

• By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.
• The security-VLAN IDs on different firewall boards cannot be the same.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, the firewall is in transparent mode. Apply a MAC address-based ACL on the firewall so that host PC_A in the Trust zone can access the resources in the DMZ zone and the Untrust zone. Use the blacklist to filter all packets sent by host PC_B, which resides in the Untrust zone. The MAC address of PC_A is 000f-1f7e-fec5, and the IP address of PC_B is 10.0.0.50.


4.2 Networking Diagram

Figure 4-1 Networking diagram of transparent firewall

4.3 Configuration Procedure

# Add internal VLAN 10, external VLAN 50 and DMZ VLAN 60.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/1
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E2/1/3
# Configure the SecBlade module, and configure the three VLANs as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 10 50 60
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the sub-interfaces and add them to the corresponding zones (by default, the username and password are both SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
# In SecBlade view, set the firewall mode to transparent and add each sub-interface to the corresponding zone.
[SecBlade_FW] firewall mode transparent


[SecBlade_FW] interface GigabitEthernet 0/0.10
[SecBlade_FW-GigabitEthernet0/0.10] vlan-type dot1q vid 10
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.10
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ] add interface GigabitEthernet 0/0.60
# In SecBlade view, configure the ACL and the blacklist.
[SecBlade_FW] acl number 4000
[SecBlade_FW-acl-ethernetframe-4000] rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] firewall blacklist item 10.0.0.50 timeout 60
[SecBlade_FW] firewall blacklist enable

4.4 Complete Configuration

#
vlan 10
#
vlan 50
#
vlan 60
#
interface Ethernet 2/1/1
port access vlan 10
#
interface Ethernet 2/1/2
port access vlan 50
#
interface Ethernet 2/1/3
port access vlan 60


#
secblade module test
security-vlan 10 50 60
map to slot 4
# Enter SecBlade view (by default, the username and password are both SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the firewall mode.
firewall mode transparent
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.10
vlan-type dot1q vid 10
quit
interface g0/0.50
vlan-type dot1q vid 50
quit
interface GigabitEthernet 0/0.60
vlan-type dot1q vid 60
quit
firewall zone trust
add interface GigabitEthernet 0/0.10
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
firewall zone DMZ
add interface GigabitEthernet 0/0.60
quit
# Configure the MAC-based ACL rule.
acl number 4000
rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
quit
# Configure the frame filter.
interface GigabitEthernet 0/0.50
firewall ethernet-frame-filter 4000 outbound
interface GigabitEthernet 0/0.60
firewall ethernet-frame-filter 4000 outbound


# Add the address of PC_B as a blacklist entry.
firewall blacklist 10.0.0.50 timeout 60
# Enable the blacklist function.
firewall blacklist enable

ASPF Configuration Examples

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration


1 Feature Introduction

ASPF (Application Specific Packet Filter) extends the firewall capability of the CMW platform with application-layer packet filtering. It is a higher-level filter that inspects application-layer protocol information and tracks the state of each application-layer connection. For every connection, ASPF maintains state information and uses it to decide dynamically whether a packet is permitted through the firewall or discarded.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and later (R2126 and later do not support this feature).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward

packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, configure an ASPF policy on the SecBlade to inspect the FTP traffic passing through the firewall. Requirement: the response packets of FTP connections initiated by internal network users are permitted into the internal network, while all other inbound packets are denied. This example suits cases where local users access a remote network.
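What the ASPF policy does for FTP, as an added Python example that is not from the H3C document: a model of the stateful inspector applied outbound on the external sub-interface, with the inbound default of ACL 3111 (rule deny ip). Return packets of sessions the Trust side initiated are permitted, an active-mode PORT command on the control channel opens a one-shot pinhole for the server's data connection from port 20, and both age out after aging-time seconds (3000 on the page). The packet model, the addresses 10.0.0.2 and 203.0.113.10, the port numbers and the payloads are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "outbound": Trust -> Untrust; "inbound": Untrust -> Trust
    payload: str = ""   # application data; only the FTP control channel is inspected


class FtpAspf:
    """Stateful inspection of FTP on one interface: outbound sessions are tracked,
    inbound packets are permitted only if they belong to a tracked session or to a
    data connection announced by a PORT command; everything else falls through to
    the inbound ACL, which denies all IP (ACL 3111 on the page)."""

    def __init__(self, aging_time_s=3000, now=lambda: 0.0):
        self.aging = aging_time_s
        self._now = now
        self._sessions = {}  # (src, sport, dst, dport), stored in both directions -> last seen
        self._pinholes = {}  # (server_ip, client_ip, client_port) -> expiry

    def _expire(self):
        now = self._now()
        for key in [k for k, t in self._sessions.items() if now - t > self.aging]:
            del self._sessions[key]
        for key in [k for k, exp in self._pinholes.items() if exp <= now]:
            del self._pinholes[key]

    def _open(self, pkt):
        now = self._now()
        self._sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
        self._sessions[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now

    def _inspect(self, pkt):
        # Active mode: the client tells the server where to connect for data;
        # remember it so the server's connection from port 20 is let back in.
        if pkt.direction == "outbound" and pkt.dport == 21:
            m = PORT_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                client = f"{h1}.{h2}.{h3}.{h4}"
                self._pinholes[(pkt.dst, client, p1 * 256 + p2)] = self._now() + self.aging

    def handle(self, pkt):
        """Return "permit" or "deny" for one packet."""
        self._expire()
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._sessions:
            self._open(pkt)           # refresh both directions of the existing session
            self._inspect(pkt)
            return "permit"
        if pkt.direction == "outbound":
            self._open(pkt)           # a new session from the Trust side is always allowed
            self._inspect(pkt)
            return "permit"
        hole = (pkt.src, pkt.dst, pkt.dport)
        if pkt.sport == 20 and hole in self._pinholes:
            del self._pinholes[hole]  # one-shot: the data connection is now a tracked session
            self._open(pkt)
            return "permit"
        return "deny"                 # ACL 3111: rule deny ip


def demo():
    """Constructed packet sequence; the comments give the expected decision."""
    clock = [0.0]
    fw = FtpAspf(aging_time_s=3000, now=lambda: clock[0])
    client, server = "10.0.0.2", "203.0.113.10"
    pkts = [
        Packet(client, 40000, server, 21, "outbound"),                        # permit: control connection
        Packet(server, 21, client, 40000, "inbound", "220 ready"),            # permit: reply to it
        Packet(server, 21, client, 40001, "inbound"),                         # deny: no such session
        Packet(server, 20, client, 1025, "inbound"),                          # deny: no PORT seen yet
        Packet(client, 40000, server, 21, "outbound", "PORT 10,0,0,2,4,1"),   # permit; opens 10.0.0.2:1025
        Packet(server, 20, client, 1025, "inbound"),                          # permit: through the pinhole
        Packet("198.51.100.9", 20, client, 1025, "inbound"),                  # deny: pinhole is server-specific
    ]
    decisions = [fw.handle(p) for p in pkts]
    clock[0] += 3001                                                          # past aging-time
    decisions.append(fw.handle(Packet(server, 21, client, 40000, "inbound", "226 done")))  # deny: aged out
    return decisions


if __name__ == "__main__":
    print(demo())
```

The last packet is the case the aging-time value controls: a control channel idle longer than aging-time loses its state, and the server's next reply is dropped by the inbound ACL until the client sends again.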


4.2 Networking Diagram

Figure 4-1 Networking diagram of ASPF of firewall

4.3 Configuration Procedure

# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30
# Configure IP addresses for the internal VLAN interface and the interconnecting VLAN interface.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24
# Configure the route: the next hop of external network packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the SecBlade module: VLAN 50 is the security VLAN and VLAN 30 the interconnecting VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
# Enter SecBlade view and configure the interconnecting sub-interface for VLAN 30 and the external network sub-interface for VLAN 50 (by default, the username and password are both SecBlade, case sensitive).
<S9500> secblade slot 4


user: SecBlade
password: SecBlade
<SecBlade_FW> system
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes: the next hop of external network packets is the router, and the next hop of internal network packets is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
# In SecBlade view, configure the ACL and the ASPF policy that inspects FTP.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3111
[SecBlade_FW-acl-adv-3111] rule deny ip
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect ftp aging-time 3000
# In SecBlade view, apply the ASPF policy outbound and the packet filter inbound on the external network sub-interface.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall aspf 1 outbound
[SecBlade_FW-GigabitEthernet0/0.50] firewall packet-filter 3111 inbound

4.4 Complete Configuration

#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10


ip address 10.0.0.1 24
#
interface vlan-interface 30
ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
port access vlan 10
#
interface Ethernet 3/1/1
port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
secblade-interface vlan-interface 30
security-vlan 50
map to slot 4
# Enter SecBlade view (by default, the username and password are both SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.0.0.254 24
quit
interface g0/0.30
vlan-type dot1q vid 30
ip address 30.0.0.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.30
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1


# Configure the ACL and the ASPF policy.
firewall packet-filter enable
acl number 3111
rule deny ip
quit
aspf-policy 1
detect ftp aging-time 3000
# Apply the ASPF policy on the external network sub-interface.
interface GigabitEthernet 0/0.50
firewall aspf 1 outbound
# Apply ACL 3111 inbound on the external network sub-interface.
interface GigabitEthernet 0/0.50
firewall packet-filter 3111 inbound

Firewall NAT Configuration Examples

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration

Firewall NAT Configuration Examples

1 Feature Introduction

Network Address Translation (NAT) is the process in which the IP address in an IP datagram header is translated into another IP address. In actual applications, NAT is used to enable private networks to access exterior networks. With a small number of IP addresses representing a large number of private IP addresses, this can effectively cut down the consumption of available IP addresses.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, users access the Internet through the address translation function of the Firewall. The company provides WWW and FTP services to the outside. The internal address of the FTP server is 192.168.2.3/24 and that of the WWW server is 192.168.2.2/24. It is desired that the two servers can be accessed through the same external IP address. Internal network segment 192.168.3.0/24 can access the Internet, while PCs in other network segments cannot access the Internet. An external PC can access the internal servers. The company has 10 valid external IP addresses, ranging from 202.115.1.1 to 202.115.1.10. Use 202.115.1.1 as the external IP address of the company.

4.2 Networking Diagram

[Figure 4-1 is an image. Labels recovered from it: PC 192.168.3.2/24; S9500; Firewall; WWW 192.168.2.2/24; Vlan 3 192.168.3.1/24; E2/1/2; E3/1/1 Vlan50; 50.1.1.1/24; Vid 200 G0/0.200; 202.115.1.1/24 untrust; Vid 50 G0/0.50; 50.1.1.2/24 trust Vlan200; Vlan 2 192.168.2.1/24 E2/1/1; FTP 192.168.2.3/24; Internet.]

Figure 4-1 NAT networking diagram of firewall

4.3 Configuration Procedure

# Add internal VLAN 2 and VLAN 3, external VLAN 200 and SecBlade interface VLAN 50.
[S9500] vlan 2
[S9500-vlan2] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50

# Configure the addresses of the internal VLAN interfaces.
[S9500] interface vlan-interface 2
[S9500-Vlan-interface2] ip address 192.168.2.1 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 192.168.3.1 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24

# Configure the default route, specifying the SecBlade firewall as the next hop for packets to the external network.


[S9500] ip route-static 0.0.0.0 0 50.1.1.2

# Configure the SecBlade module and configure VLAN 200 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50
[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade

# Configure the interconnect sub-interface VLAN 50 and the external sub-interface VLAN 200 of the SecBlade; add the interconnect sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200

# Configure the routes. The next hop of the external network route is the router, and the next hop of the internal network routes is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 192.168.2.0 24 50.1.1.1
[SecBlade_FW] ip route-static 192.168.3.0 24 50.1.1.1

# In SecBlade view, configure the NAT address pool.
[SecBlade_FW] nat address-group 1 202.115.1.2 202.115.1.10

# In SecBlade view, configure the ACL rules that specify which internal network users can access the outside through NAT, and bind NAT on the interface.
[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.3.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny source any
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] nat outbound 2001 address-group 1


# Configure the internal servers to provide services to external network users.
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www
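The following Python model is added here as an illustration; it is not part of H3C's documentation or the SecBlade code. It shows the two translations that the configuration above sets up on GigabitEthernet 0/0.200: source NAT for outbound traffic, gated by ACL 2001 and drawing from address group 1, and the nat server mappings that send inbound FTP and WWW connections on 202.115.1.1 to the internal servers. Addresses and port numbers are those of the example; the Packet class, the sample packets and the pool-selection hash are constructed assumptions, since the page does not describe how the device picks a pool address. Note that the pool 202.115.1.2 to 202.115.1.10, as given on the page, includes 202.115.1.2, which the default route above also uses as the next-hop router address; the model uses the pool exactly as configured.

```python
"""Model of the NAT behaviour configured on GigabitEthernet 0/0.200 (added example, not H3C code).

  * nat outbound 2001 address-group 1 : source NAT for internal hosts that ACL 2001 permits
  * nat server ... global 202.115.1.1 : destination NAT for the published FTP and WWW servers

Addresses come from the configuration example; the packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# ACL 2001 as configured: permit 192.168.2.0/24 and 192.168.3.0/24, deny everything else.
# A basic ACL matches on the source address only; wildcard 0.0.0.255 is a /24.
ACL_2001 = [
    ("permit", ipaddress.ip_network("192.168.2.0/24")),
    ("permit", ipaddress.ip_network("192.168.3.0/24")),
    ("deny", ipaddress.ip_network("0.0.0.0/0")),
]

# nat address-group 1 202.115.1.2 202.115.1.10 (nine public addresses)
ADDRESS_GROUP_1 = [ipaddress.ip_address("202.115.1.2") + i for i in range(9)]

# nat server entries: (global address, global port) -> (inside address, inside port)
NAT_SERVERS = {
    ("202.115.1.1", 21): ("192.168.2.3", 21),  # ftp
    ("202.115.1.1", 80): ("192.168.2.2", 80),  # www
}


@dataclass(frozen=True)
class Packet:          # constructed 5-tuple, not a device structure
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def acl_2001_action(src: str) -> str:
    """First matching rule wins, as on the device; 'deny' if nothing matched."""
    addr = ipaddress.ip_address(src)
    for action, net in ACL_2001:
        if addr in net:
            return action
    return "deny"


def nat_outbound(pkt: Packet) -> tuple[Packet, bool]:
    """Source NAT in the outbound direction of G0/0.200.

    Returns (packet, translated). A source the ACL denies is simply not translated,
    so it would leave with its private address; only permitted sources get a pool address."""
    if acl_2001_action(pkt.src) != "permit":
        return pkt, False
    # Pool selection: derive the pool member from the source host. The real allocation
    # policy is not described on the page; this deterministic hash is an assumption.
    idx = int(ipaddress.ip_address(pkt.src)) % len(ADDRESS_GROUP_1)
    return replace(pkt, src=str(ADDRESS_GROUP_1[idx])), True


def nat_server_inbound(pkt: Packet) -> tuple[Packet, bool]:
    """Destination NAT for TCP traffic arriving on G0/0.200 for the published servers.
    Anything that is not a configured (global address, port) pair is left untouched."""
    if pkt.proto != "tcp":
        return pkt, False
    key = (pkt.dst, pkt.dport)
    if key not in NAT_SERVERS:
        return pkt, False
    inside_ip, inside_port = NAT_SERVERS[key]
    return replace(pkt, dst=inside_ip, dport=inside_port), True


if __name__ == "__main__":
    print(nat_outbound(Packet("192.168.3.2", 40000, "198.51.100.7", 443)))
    print(nat_outbound(Packet("192.168.4.2", 40000, "198.51.100.7", 443)))
    print(nat_server_inbound(Packet("203.0.113.5", 51000, "202.115.1.1", 80)))
```

Only the two published ports are reachable from outside: an inbound packet for 202.115.1.1 on any other port has no server entry and is returned untranslated, which is the behaviour the requirement "an external PC can access the internal servers" (and nothing else) calls for.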

4.4 Complete Configuration

#
vlan 2
#
vlan 3
#
vlan 50
#
vlan 200
#
interface vlan-interface 2
ip address 192.168.2.1 24
#
interface vlan-interface 3
ip address 192.168.3.1 24
#
interface vlan-interface 50
ip address 50.1.1.1 24
#
interface Ethernet 2/1/1
port access vlan 2
#
interface Ethernet 2/1/2
port access vlan 3
#
interface Ethernet 3/1/1
port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
secblade-interface vlan-interface 50
security-vlan 200
map to slot 2


# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.1.1.2 24
quit
interface g0/0.200
vlan-type dot1q vid 200
ip address 202.115.1.1 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.50
quit
firewall zone untrust
add interface GigabitEthernet 0/0.200
quit

# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 192.168.2.0 24 50.1.1.1
ip route-static 192.168.3.0 24 50.1.1.1

# Configure the address pool and the ACL.
nat address-group 1 202.115.1.2 202.115.1.10
acl number 2001
rule permit source 192.168.2.0 0.0.0.255
rule permit source 192.168.3.0 0.0.0.255
rule deny source any
quit
interface GigabitEthernet 0/0.200
nat outbound 2001 address-group 1

# Configure the inside servers.
interface GigabitEthernet 0/0.200
nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www

Packet Filtering Firewall Configuration Examples

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
  4.1 Network Requirements
  4.2 Networking Diagram
  4.3 Configuration Procedure
  4.4 Complete Configuration

Packet Filtering Firewall Configuration Examples

1 Feature Introduction

Applying a packet filter on the SecBlade adds the packet filtering function to it. For each packet to be forwarded, the SecBlade first extracts the header information: the protocol number of the upper-layer protocol carried by the IP layer, and the source address, destination address, source port and destination port of the packet. The SecBlade then compares these fields with the ACL rules and, according to the result, decides to either forward or discard the packet.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, users access the Internet through the SecBlade of the 9500 series switch. The company provides WWW and FTP services to the outside. The IP address of the WWW server is 20.0.0.1 and the IP address of the FTP server is 20.0.0.2. Only one specific external PC is permitted to access the two servers; other resources of the internal network are inaccessible to external users. Assume that the IP address of the external user is 203.1.1.1.


4.2 Networking Diagram

Figure 4-1 Networking diagram of packet filter of firewall

4.3 Configuration Procedure

# Add internal VLAN 20 and VLAN 3, external VLAN 200 and SecBlade interface VLAN 50.
[S9500] vlan 20
[S9500-vlan20] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50

# Configure the IP addresses of the internal VLAN interfaces.
[S9500] interface vlan-interface 20
[S9500-Vlan-interface20] ip address 20.0.0.254 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 15.0.0.2 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24

# Configure the routes. The next hop of the outbound packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 50.1.1.2

# Configure the SecBlade module, and configure VLAN 200 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50


[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade

# Configure the sub-interfaces: the SecBlade interconnect sub-interface VLAN 50 and the external sub-interface VLAN 200. Add the interconnect sub-interface to the trust zone and the external sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200

# Configure the routes. The next hop of the external network packets is the router, and the next hop of the internal network is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 20.0.0.0 24 50.1.1.1
[SecBlade_FW] ip route-static 15.0.0.0 24 50.1.1.1

# In SecBlade view, configure the ACL rules that allow only the designated external user to access the internal servers.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3002
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
[SecBlade_FW-acl-adv-3002] rule deny ip
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] firewall packet-filter 3002 inbound
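As an added illustration, not H3C code, the Python below implements the first-match evaluation that the feature introduction describes: the upper-layer protocol number, the source and destination addresses (with Comware wildcard masks, where a set bit means "don't care") and the destination port are compared against ACL 3002 as configured above, and the packet is permitted or denied. The Rule and Packet classes, the helper names and the sample packets are constructed. One point worth checking in the page's rules: the second rule permits TCP port 25 to the FTP server 20.0.0.2, so an FTP control connection on port 21 falls through to "rule deny ip"; the model reproduces that outcome rather than changing the rule.

```python
"""Packet-filter evaluation for ACL 3002 (added example, not H3C code).

ACL 3002 as configured on the page, applied inbound on GigabitEthernet 0/0.200:
  rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
  rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
  rule deny ip
The packets fed to it below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers; None means "any IP protocol" (the 'ip' keyword).
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Rule:                           # constructed representation of one ACL rule
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # all bits don't-care: any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None       # destination-port eq N; None means any port


@dataclass(frozen=True)
class Packet:                         # constructed header fields extracted by the filter
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard semantics: a 1 bit in the wildcard is ignored, a 0 bit must match.
    'source 203.1.1.1 0' on the device is wildcard 0.0.0.0, i.e. an exact host."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    want = PROTO_NUM[rule.proto]
    if want is not None and pkt.proto != want:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def filter_packet(acl: list[Rule], pkt: Packet, default: str = "deny") -> str:
    """The first matching rule decides. `default` models 'firewall packet-filter default':
    deny unless 'firewall packet-filter default permit' has been configured (see Precautions)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


ACL_3002 = [
    Rule("permit", "tcp", "203.1.1.1", "0.0.0.0", "20.0.0.1", "0.0.0.0", 80),
    Rule("permit", "tcp", "203.1.1.1", "0.0.0.0", "20.0.0.2", "0.0.0.0", 25),
    Rule("deny", "ip"),
]

if __name__ == "__main__":
    for pkt in (Packet(6, "203.1.1.1", "20.0.0.1", 51000, 80),
                Packet(6, "203.1.1.1", "20.0.0.2", 51000, 21),
                Packet(6, "203.1.1.2", "20.0.0.1", 51000, 80)):
        print(pkt, "->", filter_packet(ACL_3002, pkt))
```

Because "rule deny ip" is last and matches every IP packet, the configured default never applies to ACL 3002; it matters for interfaces where an ACL without a final deny is bound, which is why the Precautions section insists on setting it explicitly.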

4.4 Complete Configuration

#
vlan 20
#


vlan 50
#
vlan 200
#
interface vlan-interface 3
ip address 15.0.0.2 24
#
interface vlan-interface 20
ip address 20.0.0.254 24
#
interface vlan-interface 50
ip address 50.1.1.1 24
#
interface Ethernet 2/1/1
port access vlan 20
interface Ethernet 2/1/2
port access vlan 3
interface Ethernet 3/1/1
port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
secblade-interface vlan-interface 50
security-vlan 200
map to slot 4

# Enter SecBlade view to configure the SecBlade (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.1.1.2 24
quit
interface g0/0.200
vlan-type dot1q vid 200
ip address 202.115.1.1 24
quit
firewall zone trust


add interface GigabitEthernet 0/0.50
quit
firewall zone untrust
add interface GigabitEthernet 0/0.200
quit

# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 20.0.0.0 24 50.1.1.1
ip route-static 15.0.0.0 24 50.1.1.1

# Configure the ACL.
firewall packet-filter enable
acl number 3002
# These rules allow only the specific external user to access the internal servers from the external network, and no other resources of the internal network.
rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
rule deny ip

# Apply ACL 3002 to the inbound data stream of the external sub-interface.
interface GigabitEthernet 0/0.200
firewall packet-filter 3002 inbound

Address Binding Configuration Examples

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
  4.1 Network Requirements
  4.2 Networking Diagram
  4.3 Configuration Procedure
  4.4 Complete Configuration

Address Binding Configuration Examples

1 Feature Introduction

Binding a MAC address with an IP address means that the SecBlade forms an association between a specific IP address and a specific MAC address. For packets that claim to have been sent from this IP address, if their source MAC address is not the one in the designated pair, the SecBlade discards them. Packets sent to this IP address are forcibly delivered to the bound MAC address when they pass through the SecBlade. This is an effective way of protecting against attacks that spoof an IP address.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support).

Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, the Server and the Client are in the Trust zone and the Untrust zone of the firewall respectively. The IP address of the Client is 50.0.0.1 and its MAC address is 00e0-fc00-0100. Configure address binding on the SecBlade so that only packets complying with the binding relation can pass the firewall, and so that the destination MAC address of packets sent to 50.0.0.1 is 00e0-fc00-0100.


4.2 Networking Diagram

Figure 4-1 Networking diagram of address-binding of firewall

4.3 Configuration Procedure

# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E2/1/1
[S9500] vlan 30

# Configure the addresses of the internal VLAN interface (the VLAN where the server is) and of the VLAN interface interconnecting with the SecBlade.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24

# Configure the routes. The next hop of external network packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the SecBlade module, configure the external network VLAN as the security VLAN, and enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system


# In SecBlade view, configure the sub-interfaces and add them to the corresponding zones.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50

# Configure the routes. The next hop of internal network packets is the S9500.
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1

# In SecBlade view, configure address binding: add the client IP address and MAC address to the address-binding relation, then enable the function.
[SecBlade_FW] firewall mac-binding 50.0.0.1 00e0-fc00-0100
[SecBlade_FW] firewall mac-binding enable
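An added Python model, not H3C code, of the two checks that the feature introduction describes for firewall mac-binding: a frame claiming the bound source IP 50.0.0.1 is dropped unless it carries source MAC 00e0-fc00-0100, and a frame addressed to 50.0.0.1 has its destination MAC forced to that value. Both effects only apply once firewall mac-binding enable has been issued, matching the two commands above. The binding is the page's; the Frame class, the helper names and every other MAC and IP address in the sample frames are constructed.

```python
"""Enforcement model for 'firewall mac-binding' (added example, not H3C code).

Binding from the configuration above: 50.0.0.1 <-> 00e0-fc00-0100.
The frames processed below are constructed.
"""
from dataclasses import dataclass, replace


def normalize_mac(mac: str) -> str:
    """Accept the Comware form 'xxxx-xxxx-xxxx' and the colon form 'xx:xx:xx:xx:xx:xx',
    and return the Comware form in lower case so comparisons are exact."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class Frame:                 # constructed: the fields the binding check looks at
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class MacBindingTable:
    """Models the binding table of one SecBlade."""

    def __init__(self) -> None:
        self.enabled = False
        self.bindings: dict[str, str] = {}   # ip -> MAC in normalized form

    def bind(self, ip: str, mac: str) -> None:
        """firewall mac-binding <ip> <mac>"""
        self.bindings[ip] = normalize_mac(mac)

    def enable(self) -> None:
        """firewall mac-binding enable"""
        self.enabled = True

    def process(self, frame: Frame) -> tuple[str, Frame]:
        """Return ("drop" or "forward", frame as it leaves the SecBlade).

        1. A frame whose source IP is bound must carry the bound source MAC; otherwise drop.
        2. A frame whose destination IP is bound is forced to the bound destination MAC."""
        if not self.enabled:
            return "forward", frame
        bound_src = self.bindings.get(frame.src_ip)
        if bound_src is not None and normalize_mac(frame.src_mac) != bound_src:
            return "drop", frame
        bound_dst = self.bindings.get(frame.dst_ip)
        if bound_dst is not None and normalize_mac(frame.dst_mac) != bound_dst:
            frame = replace(frame, dst_mac=bound_dst)
        return "forward", frame


def build_page_table() -> MacBindingTable:
    """The table the two commands in section 4.3 produce."""
    table = MacBindingTable()
    table.bind("50.0.0.1", "00e0-fc00-0100")
    table.enable()
    return table


if __name__ == "__main__":
    table = build_page_table()
    genuine = Frame("00e0-fc00-0100", "00e0-fc00-0201", "50.0.0.1", "10.0.0.5")
    spoofed = Frame("00e0-fc00-9999", "00e0-fc00-0201", "50.0.0.1", "10.0.0.5")
    print(table.process(genuine))   # forwarded unchanged
    print(table.process(spoofed))   # dropped: wrong source MAC for 50.0.0.1
```

The second check is what makes the binding useful in the reverse direction: a reply to 50.0.0.1 cannot be diverted to a different station by a poisoned ARP entry, because the SecBlade overwrites the destination MAC with the bound one before forwarding.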

4.4 Complete Configuration

#
vlan 10
#
vlan 50
#
vlan 30
#
interface vlan-interface 10
ip address 10.0.0.1 24
#
interface vlan-interface 30
ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
port access vlan 10
#
interface Ethernet 2/1/1
port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#


secblade module test
secblade-interface vlan-interface 30
security-vlan 50
map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.0.0.254 24
quit
interface g0/0.30
vlan-type dot1q vid 30
ip address 30.0.0.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.30
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit

# Configure the routes.
ip route-static 10.0.0.0 24 30.0.0.1

# Add the client IP address and MAC address to the address-binding relation.
firewall mac-binding 50.0.0.1 00e0-fc00-0100

# Enable the address-binding function.
firewall mac-binding enable

PING Optimization Configuration Examples

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
  4.1 Network Requirements
  4.2 Network Diagram
  4.3 Configuration Procedure
  4.4 Configuration Information

PING Optimization Configuration Examples

1 Feature Introduction

Ping is a tool for testing link connectivity. A ping test failure does not affect the transmission of service packets, so the priority of ping test packets is normally low. As a result, when the CPU is busy handling services or is being flooded with a large amount of packets, ping packets may experience serious delay or failure. Some applications are very sensitive to the delay and failure of ping packets. To guarantee the smooth operation of these applications, the ping packets can be redirected to a separate channel to the CPU so that they are processed with higher priority.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support).

Hardware version: all hardware versions of the S9500 series.

3 Precautions

- When configuring the packet redirection, do not specify an entire network segment for matching the destination IP address of the ICMP packets to be redirected. Otherwise, ICMP packets destined for other devices will also be redirected to the CPU, which will not only increase the CPU load but also prevent the S9500 from pinging other devices.

- When the system is not under attack, a non-fragmented packet has a smaller delay in the ping test. If the application does not require a particularly small delay and high stability, do not configure any additional packet redirection.

- Only non-fragmented packets on common VLAN interfaces are guaranteed a small delay after redirection. For fragmented packets or packets destined for VPLS-enabled interfaces, redirection can guarantee higher stability but little improvement in delay.

- Currently, only the delay of passive ping meets the requirement; the delay of active ping does not.


- When a line processing unit (LPU) is attacked by a large amount of ping packets, the stability of the ping test on that LPU cannot be guaranteed.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, the S9500 is connected to the GSR through its port G1/1/1 and to the L2 switch through its port G2/1/1. It is required that the responses to ping packets arriving on ports G1/1/1 and G2/1/1 for the S9500 loopback interface 10.0.0.0, the upstream virtual interface 20.0.0.1 and the downstream interface 30.0.0.1 be stable and reliable.

4.2 Network Diagram

[Figure 4-1 is an image. Labels recovered from it: GSR; S9500; L2 Switch; G1/1/1; G2/1/1; 20.0.0.1/24; 30.0.0.1/24; Loop 10.0.0.1/24.]

Figure 4-1 Ping optimization network diagram

4.3 Configuration Procedure

# Configure the ACL rules for ICMP echo request packets whose destination IP address is 10.0.0.1, 20.0.0.1 or 30.0.0.1.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo

# Apply the rule on the ingress interface.


[h3c-GigabitEthernet1/1/1] traffic-redirect in ip-group 3000 cpu
[h3c-GigabitEthernet2/1/1] traffic-redirect in ip-group 3000 cpu
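Added example, not H3C code: a small Python audit that parses the acl number 3000 rules above and computes, from the destination wildcard, how many destination addresses each rule would send to the CPU once traffic-redirect is applied. A rule that covers a whole segment (the case the first precaution warns about) is flagged before the redirect is bound to an interface. The three rules are the page's; the fourth rule, the function names and the regular expression are constructed, and the parser only handles the destination-only rule form used on this page.

```python
"""Audit of an ACL intended for 'traffic-redirect ... cpu' (added example, not H3C code).

Checks each ICMP rule against the page's first precaution: the destination must be a
single host (wildcard 0 / 0.0.0.0), otherwise pings for every host in the segment are
redirected to the CPU. Rule lines are the page's; the counter-example is constructed.
"""
import ipaddress
import re

# Matches the destination-only ICMP rule form used on this page, e.g.
#   rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+icmp\s+destination\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<wild>\d+(?:\.\d+){0,3})"
    r"(?:\s+icmp-type\s+(?P<type>\S+))?"
)


def parse_wildcard(wild: str) -> int:
    """Comware accepts a bare '0' as shorthand for the wildcard 0.0.0.0."""
    if "." not in wild:
        return int(wild)
    return int(ipaddress.ip_address(wild))


def matched_hosts(wildcard: int) -> int:
    """A wildcard with k set ('don't care') bits matches 2**k destination addresses."""
    return 1 << bin(wildcard).count("1")


def audit_redirect_acl(config_lines: list[str]) -> list[dict]:
    """Return one finding per ICMP rule: the number of hosts it matches and whether it is
    safe to redirect to the CPU (exactly one host, and only echo requests)."""
    findings = []
    for line in config_lines:
        m = RULE_RE.search(line.strip())
        if not m:
            continue                       # 'acl number 3000' and non-ICMP lines are skipped
        hosts = matched_hosts(parse_wildcard(m["wild"]))
        findings.append({
            "rule": int(m["id"]),
            "destination": m["dst"],
            "wildcard": m["wild"],
            "hosts": hosts,
            "icmp_type": m["type"],
            "ok": hosts == 1 and m["type"] == "echo",
        })
    return findings


# The rules as configured on the page.
PAGE_ACL = [
    "acl number 3000",
    "rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo",
    "rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo",
    "rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo",
]

# Constructed counter-example: the whole 30.0.0.0/24 segment, which the precaution forbids.
BAD_RULE = "rule 3 permit icmp destination 30.0.0.0 0.0.0.255 icmp-type echo"

if __name__ == "__main__":
    for finding in audit_redirect_acl(PAGE_ACL + [BAD_RULE]):
        status = "ok " if finding["ok"] else "BAD"
        print(f"{status} rule {finding['rule']}: {finding['destination']} "
              f"wildcard {finding['wildcard']} -> {finding['hosts']} host(s)")
```

Run against the page's three rules every finding is ok; the constructed rule 3 reports 256 hosts, which is exactly the "ICMP packets destined for other devices will also be redirected to the CPU" situation the precaution describes.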

4.4 Configuration Information

#
acl number 3000
rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo
#
interface GigabitEthernet 1/1/1
traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#
interface GigabitEthernet 2/1/1
traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#

Portal Configuration Examples

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
  4.1 Network Requirements
  4.2 Network Diagram
  4.3 Configuration Procedure
  4.4 Configuration Procedure


Portal Configuration Examples

1 Feature Introduction

Portal is also known as portal web, and Portal authentication is also known as Web authentication. The advantages of Portal are:

• No client software needs to be installed;
• Strong support for new services: through the portal function for Portal authentication, the carrier can offer information query, online shopping and similar services on the Portal.

How Portal works: an unauthenticated user can access only the specified web server; any other access is unconditionally redirected to the Portal server, and the user cannot access the Internet until authentication succeeds.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (not supported by Version R2126 and newer versions).

Hardware versions: all S9500 series hardware versions.

3 Precautions

• CAMS and the DHCP server must always stay connected to the switch;
• On the DHCP server, configure address pools that can allocate addresses from 192.169.1.1/24 and 192.169.2.1/24;
• If iNode is used on the client, the listening port of CAMS must be port 80;
• After completing the configuration on CAMS, click “Enable Configuration”;
• You cannot use Portal and 802.1x at the same time. If 802.1x is enabled, you cannot enable portal on the VLAN interface;
• An NAM board is required to use portal together with the traffic accounting function.


4 Configuration Examples

4.1 Network Requirements

• Applicable to scenarios, such as a school or an ISP, where authentication is required;
• No client software is needed; the authentication can be completed with the IE browser.

4.2 Network Diagram

Figure 4-1 Portal network diagram (figure not reproduced; labels recovered from it: DHCP Server 202.103.0.2; Radius Server 202.103.0.1; PC; S9500 with DHCP relay, port G3/2/4 and Portal VLAN 192; 30.0.2.2)

4.3 Configuration Procedure

I. Configure the Switch

Configuring the DHCP Relay.

1) Global configuration

[S9500] portal method redhcp
[S9500] portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal

• The portal method redhcp command specifies re-authentication as the portal authentication method;
• The portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal command names the portal service portal1, sets the IP address of the portal server to 202.103.0.1, sets the key shared between the portal server and the switch to hello, and sets the URL to which users are redirected for authentication to http://202.103.0.1/portal.

2) Configure the vlan interface

# Configure the IP of vlan interface


[S9500] interface Vlan-interface 192
[S9500-Vlan-interface192] ip address 192.169.1.1 24
[S9500-Vlan-interface192] ip address 192.169.2.1 24 sub

# In VLAN interface view, designate this switch as the DHCP relay
[S9500-Vlan-interface192] dhcp select relay

# In VLAN interface view, configure the IP address of the DHCP server
[S9500-Vlan-interface192] ip relay address 30.0.2.2

# In VLAN interface view, enable the DHCP security address-check function
[S9500-Vlan-interface192] dhcp relay security address-check enable

# In VLAN interface view, enable Portal
[S9500-Vlan-interface192] portal portal1

3) Configure the RADIUS scheme

# In system view, create the RADIUS scheme
[S9500] radius scheme portal
New Radius scheme added.

# Configure the IP address and port of the primary authentication/accounting server
[S9500-radius-portal] primary authentication 202.103.0.1 1812
[S9500-radius-portal] primary accounting 202.103.0.1 1813

# Configure the shared key between the switch and the RADIUS server
[S9500-radius-portal] key authentication hello
[S9500-radius-portal] key accounting hello

# Send the username from the switch to the RADIUS server without the domain name
[S9500-radius-portal] user-name-format without-domain

4) Configure the ISP domain

# In system view, create the ISP domain
[S9500] domain portal
New Domain added.

# Specify the RADIUS scheme “portal” for the domain
[S9500-isp-portal] radius-scheme portal

Configuring the DHCP Server.

# Create the DHCP address pools
[S9500] dhcp server ip-pool dhcp_direct
[S9500-dhcp-dhcp_direct] network 192.169.1.0 mask 255.255.255.0
[S9500-dhcp-dhcp_direct] gateway-list 192.169.1.1
[S9500-dhcp-dhcp_direct] quit
[S9500] dhcp server ip-pool dhcp_second
[S9500-dhcp-dhcp_second] network 192.169.2.0 mask 255.255.255.0


[S9500-dhcp-dhcp_second] gateway-list 192.169.2.1
[S9500-dhcp-dhcp_second] quit

II. Configure CAMS (Radius&Portal server)

The following configurations are carried out on CAMS version 2.10-R0208/CAMS V200R001B02D027.

1) Configure Access Device

On the CAMS menu, click System Management->System Configuration->Access Device Configuration. The window below appears:

Figure 4-2 Add access device

• Ensure that the address of the VLAN interface connecting the switch to CAMS lies between Start IP address and End IP address; this means that CAMS trusts the switches within this range of IP addresses;
• Configure the shared key as “hello”, the same as the key in the RADIUS scheme on the switch;
• For service type, select “LAN Access Service”;
• Configure Port List as “1812,1813”, the ports on which the RADIUS server listens for RADIUS packets;
• Configure Protocol Type as “Extensible Protocol”.

Now the configuration of Access Device is complete.

2) Configure the Portal component

# Configure service information

On the CAMS menu, click Component Management->Portal Component->Server Info. The window below appears:


Figure 4-3 Manage portal server information

• Configure the primary IP address of the server as the Portal Server address “202.103.0.1”;
• For Listening Port Number, use the default value of “50100”;
• Configure Portal Homepage as “http://202.103.0.1/portal”, the value selected when setting up the CAMS Portal component;
• Leave the other settings at their default values.

Click OK. The configuration of Portal Server Info Management is now complete.

# Configure IP Address Group

On the CAMS menu, click Component Management->Portal Component->IP Address Group. The Add IP Address Group window below appears:

Figure 4-4 Add IP address group (1)

Enter “direct” for Name, “192.169.1.1” for Start IP and “192.169.1.254” for End IP.


Figure 4-5 Add IP address group (2)

Enter “second” for Name, “192.169.2.1” for Start IP and “192.169.2.254” for End IP.

Now the configuration of IP Address Group is complete.

# Configure Device Info

On the CAMS menu, click Component Management->Portal Component->Device Info. The window below appears:

Figure 4-6 Add device information

• Device Name is “S9500”;
• Configure IP Address as the IP address of the switch, “202.103.0.2”;
• Version is “Portal 2.0”;
• Key is “hello”;
• Reallocate IP Address is “Yes”;
• For the other options, keep the default values and click Add to complete Add Device Info.

Now the configuration of Add Device Info is complete.

# Configure Port Info

On the CAMS menu, click Component Management->Portal Component->Device Info. The window below appears:


Figure 4-7 Manage port information

Click Port Info Management, and click Add:

Figure 4-8 Add port group

• Port group is “direct”;
• Select “s9500-vlan-03-0002” for Start and “s9500-vlan-03-4094” for End. The name must be in the fixed format sysname-vlan-slotid-vlanid: sysname is the sysname of the device, vlan is the fixed string “vlan”, slotid is the slot of the VLAN interface that enables portal (here slot 3), and vlanid is the Start or End VLAN (fill in the Start VLAN for the Start port and the End VLAN for the End port). This ensures that the VLAN interface that enables portal falls within this VLAN range. Here the VLAN range is 0002 to 4094;
• For IP address group, select “direct” from the dropdown menu;
• For the other options, keep the default values.

Click OK to complete the configuration of the “direct” port group. To add another port group, repeat the above process;

Figure 4-9 Add port group


• Port group is “second”;
• Select “s9500-vlan-03-0002” for Start and “s9500-vlan-03-4094” for End. The name must be in the fixed format sysname-vlan-slot-vlanid: sysname is the sysname of the device, vlan is the fixed string “vlan”, slot is the slot of the VLAN interface that enables portal (here slot 3), and vlanid is the Start or End VLAN (fill in the Start VLAN for the Start port and the End VLAN for the End port). This ensures that the VLAN interface that enables portal falls within this VLAN range. Here the VLAN range is 0002 to 4094;
• For IP address group, select “second” from the dropdown menu;
• For the other options, keep the default values.

Click OK. The configuration of the “second” port group is now complete.
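The port-name format and the range check described for the two port groups above are easy to get wrong by hand (a one-digit slot, a VLAN outside 1..4094, Start and End naming different slots). As an added example that is not CAMS or H3C code, the following Python parses names in the sysname-vlan-slotid-vlanid form, validates them, and reports which port groups cover the portal-enabled VLAN interface (sysname S9500, slot 3, VLAN 192 in this document). The comparison of the sysname is assumed to be case-insensitive; everything else follows the text.

```python
"""Portal port group naming check, as an added example (not CAMS or H3C code).

The name format sysname-vlan-slotid-vlanid and the Start/End values
s9500-vlan-03-0002 / s9500-vlan-03-4094 come from the document; treating the
sysname comparison as case-insensitive is an assumption.
"""
import re
from dataclasses import dataclass

# The sysname may itself contain '-', so anchor on the fixed "-vlan-" from the right.
PORT_NAME = re.compile(r"^(?P<sysname>.+)-vlan-(?P<slot>\d{2})-(?P<vlan>\d{4})$")


@dataclass(frozen=True)
class PortName:
    sysname: str
    slot: int
    vlan: int


def parse_port_name(name: str) -> PortName:
    """Parse a CAMS port name, rejecting anything outside the fixed format."""
    m = PORT_NAME.match(name)
    if m is None:
        raise ValueError(f"{name!r} is not in sysname-vlan-slotid-vlanid form")
    vlan = int(m["vlan"])
    if not 1 <= vlan <= 4094:
        raise ValueError(f"{name!r}: VLAN id {vlan} outside 1..4094")
    return PortName(m["sysname"], int(m["slot"]), vlan)


def is_valid_port_name(name: str) -> bool:
    try:
        parse_port_name(name)
        return True
    except ValueError:
        return False


def port_group_covers(start: str, end: str, sysname: str, slot: int, vlan: int) -> bool:
    """True when the VLAN interface (sysname, slot, vlan) lies inside the port
    group delimited by the Start and End port names."""
    s, e = parse_port_name(start), parse_port_name(end)
    if (s.sysname, s.slot) != (e.sysname, e.slot):
        raise ValueError("Start and End must name the same device and slot")
    if s.vlan > e.vlan:
        raise ValueError("Start VLAN must not exceed End VLAN")
    return (s.sysname.lower() == sysname.lower()  # assumption: case-insensitive sysname
            and s.slot == slot and s.vlan <= vlan <= e.vlan)


# Port groups as configured in the document: name -> (Start, End, IP address group).
PORT_GROUPS = {
    "direct": ("s9500-vlan-03-0002", "s9500-vlan-03-4094", "direct"),
    "second": ("s9500-vlan-03-0002", "s9500-vlan-03-4094", "second"),
}


def groups_for_interface(sysname: str, slot: int, vlan: int, groups=PORT_GROUPS) -> list:
    """Names of the port groups that cover a portal-enabled VLAN interface.
    An empty list means CAMS has no port group for that interface, so portal
    users on it cannot be matched to an IP address group."""
    return sorted(name for name, (start, end, _ipgroup) in groups.items()
                  if port_group_covers(start, end, sysname, slot, vlan))
```

Run groups_for_interface for every VLAN interface on which portal is enabled; each should come back with at least one group, and a group whose Start and End disagree on slot is reported as an error rather than silently matching nothing.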

# Validate Configuration

On the CAMS menu, click Component Management->Portal Component->Validate Configuration.

Figure 4-10 Validate configuration

Click Validate Configuration. The configuration of the Portal component is now complete.

3) Other Settings

# Add Accounting Policy

On the CAMS menu, click User Management->Bill Management->Accounting Policy. The window below appears:


Figure 4-11 Add accounting policy

• Configure Name as “Portal”;
• Configure Description as “For Portal”;
• Configure Service Type as “LAN Access”;
• Configure Subtype as “Ordinary”;
• Configure Policy Template as “Normal usage”;

Click Next:

Figure 4-12 Set accounting attributes

• Accounting Type is “By duration”;
• Unit of Usage is “hour”;
• Default Rate is 1 dollar/1 hour;

Click OK. The configuration of Accounting Policy is now complete.

# Add Service

On the CAMS menu, click User Management->Service Management->Configure Service. The window below appears:


Figure 4-13 Add service

• Configure Service Name as “portal”;
• Configure Accounting Policy as “Portal”;
• Configure Security Policy as “Do not use security policy”;

For the other options, keep the default values. Add Service is now complete.

# Add Account

On the CAMS menu, click User Management-> Account User and Add Account:

Figure 4-14 Add account

• Account is “portaluser”;
• Configure Password as “111111”;
• Configure Full Name as “PortalUser”;
• Configure Account Type as “Prepaid Account”;
• Configure Prepaid Money as “8000” dollars;
• Tick “Portal” under “Service Information”;

Click OK. The configuration of the “portaluser” account is now complete.


The above is a typical configuration process for Portal re-authentication. After that, users can use Portal authentication normally.

4.4 Configuration Procedure

Configurations on DHCP Relay

#
portal method redhcp
portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal
#
interface Vlan-interface192
ip address 192.169.1.1 255.255.255.0
ip address 192.169.2.1 255.255.255.0 sub
ip relay address 30.0.2.2
dhcp select relay
dhcp relay security address-check enable
#
radius scheme portal
primary authentication 202.103.0.1
primary accounting 202.103.0.1
key authentication hello
key accounting hello
user-name-format without-domain
#
domain portal
scheme radius-scheme portal
vlan-assignment-mode integer
access-limit disable
state active
idle-cut disable
self-service-url disable
#

Configurations on DHCP Server

#
dhcp server ip-pool direct
network 192.169.1.0 mask 255.255.255.0
gateway-list 192.169.1.1
#
dhcp server ip-pool second
network 192.169.2.0 mask 255.255.255.0
gateway-list 192.169.2.1


SecBlade VPN Configuration Examples 


Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure
4.4 Complete Configuration


SecBlade VPN Configuration Examples

1 Feature Introduction

The SecBlade VPN module supports various VPN services, among which the IPSec (IP Security) protocol suite provides high-quality, interoperable, cryptography-based security for IP packets. The communicating parties on the IP network use encryption, data source authentication and other methods to ensure the privacy, integrity, validity and anti-replay protection of the data in transit.

Terms used in this chapter:

Authentication header (AH): The AH protocol provides data source authentication, data integrity and anti-replay functions. However, AH does not encrypt the IP packets to be protected.

Encapsulating security payload (ESP): This protocol provides all functions of the AH protocol, plus encryption of the IP packets.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions (not supported by Version R2126 and newer versions).

Hardware versions: LSB1IPSEC8DB0, LSB2IPSEC8DB0

3 Precautions

N/A

4 Configuration Examples

4.1 Network Requirements

As shown in Figure 4-1, the private network packets of VLAN 76 and VLAN 77 are encrypted by the IPSec boards installed in the S9505 devices, so that they can be transmitted securely.


4.2 Network Diagram

Figure 4-1 IPSec network diagram

4.3 Configuration Procedure

1) Configure the S9505_1:

# Configure VLANs and assign the ports connecting the PCs and the ports connecting the two S9505 devices to their respective VLANs.

<S9505_1> system-view
[S9505_1] vlan 50
[S9505_1-vlan50] port Ethernet2/1/1
[S9505_1-vlan50] quit
[S9505_1] vlan 77
[S9505_1-vlan77] port Ethernet2/1/2
[S9505_1-vlan77] quit

# Configure the SecBlade module, configure VLAN 50 and VLAN 77 as security VLANs, and map the SecBlade module to the IPSec board inserted in slot 3.

[S9505_1] secblade module test
[S9505_1-secblade-test] security-vlan 50
[S9505_1-secblade-test] security-vlan 77
[S9505_1-secblade-test] map to slot 3

2) Configure the SecBlade on the S9505_1:

# Configure the IP addresses of the subinterfaces.

[SecBlade_VPN] interface GigabitEthernet0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ip address 172.16.50.2 24
[SecBlade_VPN-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_VPN-GigabitEthernet0/0.50] quit
[SecBlade_VPN] interface GigabitEthernet0/0.77
[SecBlade_VPN-GigabitEthernet0/0.77] ip address 10.13.77.2 24
[SecBlade_VPN-GigabitEthernet0/0.77] vlan-type dot1q vid 77
[SecBlade_VPN-GigabitEthernet0/0.77] quit

# Configure the ACL rule.


[SecBlade_VPN] acl number 3000
[SecBlade_VPN-acl-adv-3000] rule permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
[SecBlade_VPN-acl-adv-3000] quit
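The security ACL decides which packets enter the IPSec tunnel; everything it does not permit is forwarded in clear, and the ACL on the peer must be the mirror image (source and destination swapped) or the two ends will not agree on what to protect. As an added example that is not H3C code, the following Python implements Comware wildcard-mask matching (a 1 bit means "don't care", so a wildcard of 0 is a single host and 0.0.0.255 is a /24), evaluates the ACLs from this document against sample packets, and checks that the S9505_1 and S9505_2 ACLs are mirrors. Only the rule keywords used on this page (permit/deny, protocol, source, destination, any) are modelled; the packet addresses are constructed.

```python
"""Wildcard-mask ACL matching and the IPSec mirror-image check, as an added example.

Not H3C code. ACL 3000 on both SecBlades is taken from this document; the
sample packet addresses are constructed. Only the keywords permit/deny,
protocol, source, destination and any are modelled.
"""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # all-ones wildcard: every address matches


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" or a specific protocol such as "icmp"
    src: tuple    # (network, wildcard)
    dst: tuple


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i, rule_id = 1, None
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action, proto = tok[i], tok[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    i += 2
    src, dst = ANY, ANY
    while i < len(tok):
        kw = tok[i]
        if kw not in ("source", "destination"):
            raise ValueError(f"keyword {kw!r} not modelled")
        if tok[i + 1] == "any":
            val, i = ANY, i + 2
        else:
            val, i = (tok[i + 1], tok[i + 2]), i + 3
        if kw == "source":
            src = val
        else:
            dst = val
    return Rule(rule_id, action, proto, src, dst)


def parse_acl(text: str) -> list:
    """Keep only the rule lines of an 'acl number N' block."""
    return [parse_rule(l.strip()) for l in text.splitlines() if l.strip().startswith("rule")]


def _ip(s: str) -> int:
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))  # Comware prints host wildcard as "0"


def wildcard_match(addr: str, network_wildcard: tuple) -> bool:
    network, wildcard = network_wildcard
    care = ~_ip(wildcard) & 0xFFFFFFFF   # bits that must be equal
    return _ip(addr) & care == _ip(network) & care


def rule_matches(rule: Rule, proto: str, src: str, dst: str) -> bool:
    return ((rule.proto == "ip" or rule.proto == proto)
            and wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst))


def acl_decision(rules: list, proto: str, src: str, dst: str):
    """First matching rule wins (the default config match order); None if no rule matches."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst):
            return rule.action
    return None


def ipsec_protects(security_acl: list, proto: str, src: str, dst: str) -> bool:
    """Only traffic permitted by the security ACL enters the tunnel; traffic
    that matches a deny rule, or no rule at all, is forwarded in clear."""
    return acl_decision(security_acl, proto, src, dst) == "permit"


def _key(network_wildcard: tuple) -> tuple:
    network, wildcard = network_wildcard
    w = _ip(wildcard)
    return (_ip(network) & ~w & 0xFFFFFFFF, w)


def acls_are_mirrors(local: list, peer: list) -> bool:
    """The peer must permit exactly the reverse flows (same protocol, source
    and destination swapped); otherwise the SAs cannot be set up correctly
    in both directions."""
    def permits(rules):
        return {(r.proto, _key(r.src), _key(r.dst)) for r in rules if r.action == "permit"}
    return permits(local) == {(p, d, s) for (p, s, d) in permits(peer)}


S9505_1_ACL_3000 = parse_acl("""
acl number 3000
rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
""")
S9505_2_ACL_3000 = parse_acl("""
acl number 3000
rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
""")
```

Running acls_are_mirrors over both ends' security ACLs before bringing up the tunnel catches the classic asymmetric-ACL mistake, and ipsec_protects makes explicit that a packet outside the ACL is not dropped but sent unencrypted.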

# Configure the IKE peer.

[SecBlade_VPN] ike peer peer
[SecBlade_VPN-ike-peer-peer] pre-shared-key vpn
[SecBlade_VPN-ike-peer-peer] remote-address 172.16.50.1
[SecBlade_VPN-ike-peer-peer] quit

# Configure the IPSec proposal.

[SecBlade_VPN] ipsec proposal h3c
[SecBlade_VPN-ipsec-proposal-h3c] encapsulation-mode tunnel
[SecBlade_VPN-ipsec-proposal-h3c] transform ah-esp
[SecBlade_VPN-ipsec-proposal-h3c] ah authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] esp encryption-algorithm 3des
[SecBlade_VPN-ipsec-proposal-h3c] esp authentication-algorithm sha1

# Configure the IPSec policy.

[SecBlade_VPN] ipsec policy h3cpolicy 10 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] ike-peer peer
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] proposal h3c
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] security acl 3000
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] quit

# Apply the security policy on the subinterface of the public network.

[SecBlade_VPN] interface GigabitEthernet0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ipsec policy h3cpolicy
[SecBlade_VPN-GigabitEthernet0/0.50] quit

# Configure the static route.

[SecBlade_VPN] ip route-static 10.13.76.0 255.255.255.0 172.16.50.1

3) Configure the S9505_2:

Refer to the configurations on the S9505_1.

4) Configure the SecBlade on the S9505_2:

Refer to the SecBlade configurations on the S9505_1.

4.4 Complete Configuration

1) Configurations on the S9505_1.

Key configurations:

#


secblade module test
security-vlan 50 77
map to slot 3
#

2) SecBlade configurations on the S9505_1:

#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.2 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy


#
interface GigabitEthernet0/0.77
ip address 10.13.77.2 255.255.255.0
vlan-type dot1q vid 77
#
interface Encrypt1/0
#
interface NULL0
#
ip route-static 10.13.76.0 255.255.255.0 172.16.50.1 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
#
return

3) Configurations on the S9505_2.

Key configurations:

#
secblade module test
security-vlan 50 76
map to slot 1
#

4) SecBlade configurations on the S9505_2:

#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.2
local-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000


pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.1 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.76
ip address 10.13.76.2 255.255.255.0
vlan-type dot1q vid 76
#
interface Encrypt1/0
shutdown
#
interface NULL0
#
ip route-static 10.13.77.0 255.255.255.0 172.16.50.2 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
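The complete configurations above contain settings a reviewer should look at before such a SecBlade goes into production: the VTY lines accept sessions with authentication-mode none (on S9505_2 at user privilege level 3), the pre-shared key is readable in the dump, the proposal uses 3DES, and PFS uses dh-group1 (768-bit MODP), both of which are considered weak today. As an added example that is not H3C code, the following Python parses a Comware-style configuration dump into views (a "#" line closes a stanza; several user-interface views may share one stanza, as they do above) and reports those findings. SAMPLE_CONFIG is constructed from the page's 4.3 and 4.4 lines; HARDENED_VTY is a constructed counterpart using authentication-mode scheme.

```python
"""Audit of a Comware configuration dump for weak remote-access and IPsec
settings, as an added example (not H3C code).

SAMPLE_CONFIG is constructed from the SecBlade lines in this document (the
4.4 stanzas, with the algorithm lines from 4.3 filled into the proposal);
HARDENED_VTY is a constructed counterpart.
"""
from typing import List, Tuple

# Commands that open a sub-view inside a '#'-separated stanza.
VIEW_KEYWORDS = ("user-interface", "interface", "ike peer", "ipsec proposal",
                 "acl number", "radius scheme", "domain")
WEAK_ESP_CIPHERS = {"des", "3des"}   # 56-bit DES; 3DES deprecated
WEAK_PFS_GROUPS = {"dh-group1"}      # 768-bit MODP


def opens_view(line: str) -> bool:
    if line.startswith("ipsec policy"):
        # 'ipsec policy NAME SEQ isakmp' opens a view; 'ipsec policy NAME' under
        # an interface only applies one.
        return len(line.split()) >= 4
    return line.startswith(VIEW_KEYWORDS)


def parse_views(config: str) -> List[Tuple[str, List[str]]]:
    """Return (view_header, body_lines) in order of appearance."""
    views, header, body = [], None, []

    def flush():
        if header is not None:
            views.append((header, body))

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            flush()
            header, body = None, []
        elif opens_view(line):
            flush()
            header, body = line, []
        elif header is None:
            views.append((line, []))      # top-level one-liner such as sysname
        else:
            body.append(line)
    flush()
    return views


def audit(config: str) -> List[Tuple[str, str, str]]:
    """Findings as (code, view, detail)."""
    findings = []
    for header, body in parse_views(config):
        if header.startswith("user-interface"):
            modes = [l for l in body if l.startswith("authentication-mode")]
            mode = modes[-1].split()[-1] if modes else "(not set)"
            levels = [l for l in body if l.startswith("user privilege level")]
            if mode == "none":
                findings.append(("LINE_NO_AUTH", header, "login without any authentication"))
                if levels:
                    findings.append(("UNAUTH_PRIVILEGE", header,
                                     f"unauthenticated sessions get '{levels[-1]}'"))
        elif header.startswith("ipsec proposal"):
            for l in body:
                t = l.split()
                if t[:2] == ["esp", "encryption-algorithm"] and t[-1] in WEAK_ESP_CIPHERS:
                    findings.append(("WEAK_ESP_CIPHER", header, t[-1]))
        elif header.startswith("ipsec policy"):
            for l in body:
                t = l.split()
                if t[:1] == ["pfs"] and t[-1] in WEAK_PFS_GROUPS:
                    findings.append(("WEAK_PFS_GROUP", header, t[-1]))
        elif header.startswith("ike peer"):
            if any(l.startswith("pre-shared-key") for l in body):
                findings.append(("PSK_IN_CONFIG", header,
                                 "pre-shared key readable in the configuration dump"))
    return findings


# Constructed from the page's SecBlade configuration on S9505_2.
SAMPLE_CONFIG = """
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.2
local-address 172.16.50.1
#
ipsec proposal h3c
encapsulation-mode tunnel
transform ah-esp
ah authentication-algorithm sha1
esp encryption-algorithm 3des
esp authentication-algorithm sha1
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
interface GigabitEthernet0/0.50
ip address 172.16.50.1 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
"""

# Constructed counterpart: VTY sessions authenticated through an AAA scheme.
HARDENED_VTY = """
#
user-interface vty 0 4
authentication-mode scheme
#
"""
```

Which replacement algorithms and DH groups are available depends on the software version, so the hardened sample only shows the VTY fix; the audit is meant to be run over a saved display current-configuration before the device is reachable from the network.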


VPN NAT Comprehensive Networking Configuration Examples 


Table of Contents

1 Feature Introduction
2 Versions Applicable
3 Configuration Requirements
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure


VPN NAT Comprehensive Networking Configuration Examples

1 Feature Introduction

MPLS L3VPN, which inherits the advantages of IP routing technology and integrates the fast forwarding and flexible networking of MPLS technology, has been widely applied. Especially in a relatively large enterprise network, MPLS L3VPN enables a clearer network architecture, easier maintenance, more stable performance and more secure access.

Together with the NAT function, MPLS L3VPN hides the private network side from the public network and enables address reuse, thus enhancing network security and saving user investment.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions.

Hardware versions:

1) Interface boards that support MPLS VPN
2) NAT board

Type        Description
LSB1NATB0   NAT board

3 Configuration Requirements

• When advertising the default route in MP-BGP on the device P, you must use the network command.
• The address of the address pool must be a valid address that is unique within the network. Do not assign this address to any host or switch within the network (assigning it to the interface to which NAT is bound on the switch is allowed but not recommended). In network deployment, make sure that the address of the address pool is in the same network segment as the public network address.


• Assign the export-rt only for the route corresponding to the public network address in the VPN. There is no need to advertise the private network address routes or import them into other VPNs, and no need to assign an export-rt for the private network address routes. This must be done with routing policies.
• In this networking example, you are recommended to use the CE devices for network layer access, to reduce the routing and ARP loads on the PE devices and thus keep the network maintainable.
• When configuring the QACL redirection, specify accurate rules so that only the traffic that needs to be translated is redirected to the NAT board.
• When configuring QACL redirection and binding a VLAN interface to a VPN, bind the VLAN interface to the VPN first and then redirect the QACL packets. To undo the configuration, delete the QACL redirection first and then delete the VLAN interface binding to the VPN.
• To inherit the security of MPLS VPN, if you want to segregate two VPNs, you can configure a black hole route between these two VPNs, aggregating the routes to simplify the configuration. Or you can segregate the network by other means.
• In the network diagram below, the core layer takes the redundancy of the physical link into consideration. However, you can simplify the core layer network layout and deployment according to your actual situation.
• To ensure the compatibility of the software installed on the devices in the network, you must use software version R1628 or later.
• In this chapter, the device P also acts as a provider edge (PE) device, with a VPN created on it. If the VPN needs NAT processing, you need to bind NAT to each VLAN interface connected to the public network for the VPN, which uses multiple address pools and requires complicated configuration and more maintenance work. Therefore, you are recommended to avoid using the device P as a PE. However, if the VPN does not need NAT processing, you do not need to bind NAT and can use the device P as a PE with no problem.
• When configuring the internal server, configure it on the upstream port of the PE. You cannot map two different public network addresses to one private network address (this can be solved by configuring two private-to-public network address mappings on the internal server), or map one public network address to multiple private network addresses. When configuring link backup, you can create link backup by configuring multiple public network addresses for the internal server. But note that when one link goes down, the internal server configured on this link no longer supports services requiring the ALG function, which can only be performed through another public network address. However, services that do not require the ALG function (such as WWW) can continue (provided that the route to the public network address of the internal server can be advertised through another link).


• In internal server applications, access requests from within a local VPN to the public network address of the internal server are not supported. The VPN can only access the private network address of the internal server, and traffic for such access does not involve NAT processing. Similarly, access requests from other local VPNs to the public network address of the internal server are not supported either. But you can configure the binding of the VPN1 internal server and VPN2 NAT on the upstream interface, so that VPN2 private network addresses can access the public network address of the VPN1 internal server for NAT services and services on the internal server. Therefore, for VPNs to access the internal server, you can configure the NAT binding in all VPNs to enable them to access the public network address of the internal server.
• In internal server applications, you can configure the internal server on the upstream interface of the PE to allow both the public and private network addresses of the same remote VPN and of other remote VPNs to use services on the internal server by accessing its public network address (note that for cross-VPN access, you need to advertise the public network address of the internal server to the other VPNs).
• In NAT applications, you can have link backup by binding two different NAT address pools on two egress interfaces with the same NAT rule. But you cannot bind the same NAT address to different egress interfaces. Note that when one link goes down, its NAT table entries are not deleted immediately. Existing traffic is still translated using these entries and forwarded via the other link, while new traffic is translated by the NAT table entries of the other link. Therefore, if an application has multiple sessions, it may happen that this application is mapped to several public network addresses, which may be denied service in client/server mode. This problem resolves itself after the aging time of the NAT table entries of the downed link expires (210 seconds by default).
• When a packet matches multiple NAT bindings, the binding with the highest priority is used. The larger the ACL number in the NAT binding, the higher the priority of the NAT binding.


4 Configuration Examples

4.1 Network Requirements

Users in VPN1 and VPN2 need to access all servers on the network and access the Internet. Some of the users use public network addresses (201.1.x.0/24), others use private network addresses (10.x.0.0/16). When users with private network addresses access hosts or servers not on the same CE side, the packets must be processed by NAT. Servers with private network addresses must be mapped to public network addresses by the NAT server before they can be accessed by public network users.

Note:

In the network shown in Figure 4-1, the P devices and PE devices need to be NAT-capable and thus need to be S9500 series switches.


4.2 Network Diagram

[Figure 4-1 is an image that did not survive text extraction. Recoverable legend: Primary Link, Secondary Link, General Link, Link Aggregation; Global IP 201.1.X.0/24, Private IP 10.X.0.0/16; devices P1 (Master reflector), P2 (Slave reflector), PE1, PE2, CE1 to CE6, F/W, Internet, Server, PC; MPLS/BGP core. Each VLAN interface is labelled with its port, VPN instance, route target, IP address and NAT binding, for example VLAN10 G3/1/2 internet_vpn rt:65000:0 201.1.10.1/24 NAT5:VPN1.]

Figure 4-1 VPN NAT comprehensive network diagram

4.3 Configuration Procedure

I. Configuration Design

1) Configurations on P1.

- Create the Internet_VPN and configure a route for it. Advertise this route and import the VPN routes on all PE devices in the access layer.

- Create a VLAN for the Internet_VPN and configure VPN binding and the IP address for it.

- Create VPN1 and configure a routing policy for it. Advertise only the public network address route of the 202.0.0.0/8 network segment. Do not advertise the private network address route of the 10.0.0.0/8 network segment. Import routes advertised by the Internet_VPN, Server_VPN and VPN2.

- Create a VLAN for VPN1 and configure VPN binding and the IP address for it.

- Configure a black hole route for VPN1 to control the communication between VPNs (optional).

- Create the Server_VPN and configure a route for it. Advertise this route and import the VPN routes on all PE devices in the access layer.

- Create a VLAN for the Server_VPN and configure VPN binding and the IP address for it.

- Create a VLAN which connects P1 and other devices.

- Configure the link aggregation between P1 and P2 (optional).

- Configure the loopback interface (for establishing the BGP neighbor).

- Enable routing protocols such as OSPF, and advertise the route.

- Configure MP-BGP, and create a peer of P2.

- Configure P1 to be the master BGP reflector (configure P1 to be the master reflector for both BGP and MP-BGP at the same time).

- Configure MP-BGP, create a peer of all PE devices, and advertise a default route to all VPNs in the Internet_VPN.

- Advertise the VPN1 route to other VPNs and remote ends through MP-BGP.

- Configure NAT binding on all egress interfaces of VPN1 on P1, to perform NAT translation for outbound packets from VPN1 with private network addresses. The egress interfaces include VLAN 10, 11, 12, 30 and 106.

2) Configurations on P2.

- Configure NAT binding on all egress interfaces of VPN1 on P2, to perform NAT translation for outbound packets from VPN1 with private network addresses. The egress interfaces include VLAN 20, 22, 30 and 206.

- The configurations on P2 and P1 are basically the same. The only difference is that there are no VLAN interfaces between P2 and PE1, so there is no need to configure NAT binding for VPN1. Note that when configuring the P2 reflector, you must configure the same reflector cluster-id as on P1.

3) Configurations on PE1.

- For the VPN1 creation and the configurations of NAT, OSPF, MPLS and BGP, refer to the configurations on P1. Note that you should advertise only the 201.1.101.0/24 public network segment routes through the routing policy. Do not advertise the 10.101.0.0/16 private network segment routes.

- The configurations on VPN2 are the same as for VPN1. Note that you should advertise only the 201.1.102.0/24 public network segment routes through the routing policy. Do not advertise the 10.102.0.0/16 private network segment routes.

- Configure the VPN2 internal server on the upstream VLAN interface on PE1, and allow other VPNs to access the VPN2 internal server 10.12.0.12.

- Configure the NAT binding for the internal server.

4) Configurations on PE2.

- For the VPN1 creation and the configurations of OSPF, MPLS and BGP, refer to the configurations on P1.

- The configurations on VPN2 are the same as for VPN1. In addition, configure NAT binding on VLAN 12 and 22 to have address translation for the private network segment 10.204.0.0/24 and to have link backup.

II. Configuration Procedure

1) Configurations on P1.

# Create the Internet_VPN, configure a route for it, and import VPN1 (65000:1), VPN2 (65000:2), Server_VPN (65000:3) and the export route of the Internet_VPN (65000:0).

[P1] ip vpn-instance Internet_VPN
[P1-vpn-Internet_VPN] route-distinguisher 65000:0
[P1-vpn-Internet_VPN] vpn-target 65000:0 both
[P1-vpn-Internet_VPN] vpn-target 65000:1 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:2 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:3 import-extcommunity
[P1-vpn-Internet_VPN] quit

# Create VLAN 10 and bind the Internet_VPN.

[P1] vlan 10
[P1-vlan10] port GigabitEthernet 3/1/2
[P1-vlan10] quit
[P1] int vlan 10
[P1-Vlan-interface10] ip binding vpn-instance Internet_VPN
[P1-Vlan-interface10] ip address 201.1.10.1 255.255.255.0
[P1-Vlan-interface10] quit

# Create VPN1, and import Internet_VPN, Server_VPN, VPN2 and the export route of the same VPN.

[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] route-distinguisher 65000:1
[P1-vpn-VPN1] vpn-target 65000:0 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:1 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:2 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:3 import-extcommunity
[P1-vpn-VPN1] quit

# Configure the ACL used by the rt-policy of VPN1. Routes matching the ACL are assigned the route target.

[P1] acl number 2013


[P1-acl-basic-2013] rule permit source 201.1.105.0 0.255.255.255
[P1-acl-basic-2013] quit

# Configure the export rt-policy of VPN1. Assign route target 65000:1 only to 201.1.105.0/24. Do not assign it to 10.0.0.0/16, so that only the routes on the 201 network segment are advertised.

[P1] route-policy vpn1 permit node 0
[P1-route-policy] if-match acl 2013
[P1-route-policy] apply extcommunity rt 65000:1 additive
[P1-route-policy] quit
[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] export route-policy vpn1
[P1-vpn-VPN1] quit

# Create VLAN 105 and bind VPN1.

[P1] vlan 105
[P1-vlan105] port GigabitEthernet 3/1/1
[P1-vlan105] quit
[P1] int vlan 105
[P1-Vlan-interface105] ip binding vpn-instance VPN1
[P1-Vlan-interface105] ip address 201.1.105.1 255.255.255.0
[P1-Vlan-interface105] quit

# Configure a black hole route for VPN1.

[P1] ip route-static vpn-instance VPN1 201.1.0.0 16 NULL 0 blackhole

Note:

Because VPN1 learns the default route of the Internet_VPN, packets not matching a more specific route are forwarded to the Internet_VPN by default. And because the Internet_VPN has the routes of all VPNs, VPN1 can access all other VPNs. For security reasons, the user does not want hosts in VPN1 to be able to access all other VPNs by default. So the user can configure a black hole route to shield all other VPNs from VPN1 by default. In the network diagram above, DIP 201.1.0.0/16 is configured as the black hole route to prevent VPN1 from accessing other VPNs. Note that with this configuration, the Internet address range 201.1.0.0/16 is no longer accessible.
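The longest-prefix-match behaviour this Note relies on, as an added example that is not part of the H3C document: a constructed VPN1 routing table holding the default route learned from the Internet_VPN, the 201.1.0.0/16 black hole and a few imported /24 routes. The prefix 201.1.204.0/24 is deliberately left un-imported here to stand for any 201.1.x.x destination that VPN1 has no explicit route to; next-hop names are illustrative.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str            # "NULL0" marks the black hole route


# Constructed VPN1 routing table on P1 (next-hop labels are illustrative).
VPN1_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Internet_VPN"),          # default from Internet_VPN
    Route(ipaddress.ip_network("201.1.0.0/16"), "NULL0"),              # the black hole route
    Route(ipaddress.ip_network("201.1.105.0/24"), "Vlan-interface105"),  # local VPN1 site
    Route(ipaddress.ip_network("201.1.203.0/24"), "PE2"),              # remote VPN1 site (rt 65000:1)
    Route(ipaddress.ip_network("201.1.106.0/24"), "Server_VPN"),       # imported via rt 65000:3
]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def forward(table, dst):
    """Next hop for dst, or 'DROP' when the best match is the black hole (or nothing matches)."""
    route = lookup(table, dst)
    if route is None or route.next_hop == "NULL0":
        return "DROP"
    return route.next_hop


def without_blackhole(table):
    """The same table with the black hole removed, to show what the Note warns about."""
    return [r for r in table if r.next_hop != "NULL0"]


if __name__ == "__main__":
    for dst in ("201.1.105.20", "201.1.203.11", "201.1.106.11", "201.1.204.11", "8.8.8.8"):
        print(dst, "->", forward(VPN1_TABLE, dst), "| without black hole:",
              forward(without_blackhole(VPN1_TABLE), dst))
```

Explicitly imported /24 routes still win over the /16 black hole, so VPN1's own sites and the Server_VPN stay reachable; only the un-imported 201.1.x.x space is dropped instead of leaking into the Internet_VPN default.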

# Create the Server_VPN.

The configurations for the Server_VPN are the same as for the Internet_VPN.

# Create VLANs connecting P1 and other devices, including VLAN 11, 12 and 30.

[P1] vlan 11
[P1-vlan11] port GigabitEthernet 3/1/3


[P1-vlan11] quit
[P1] int vlan 11
[P1-Vlan-interface11] ip address 201.1.11.1 255.255.255.0

The configurations for the other VLANs are the same as for VLAN 11.

# Configure the link aggregation (optional).

[P1] link-aggregation GigabitEthernet 3/2/4 to GigabitEthernet 3/2/5 both

# Configure the loopback interface for establishing the BGP neighbor.

[P1] interface LoopBack 0
[P1-LoopBack0] ip address 201.255.98.1 32
[P1-LoopBack0] quit

# Enable the routing protocol OSPF, and advertise the routes of the local segment interfaces and the loopback interface.

[P1] router id 201.255.98.1
[P1] ospf 200
[P1-ospf-200] area 0
[P1-ospf-200-area-0.0.0.0] network 201.1.11.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.12.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.30.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.255.98.1 0.0.0.0
[P1-ospf-200-area-0.0.0.0] quit
[P1-ospf-200] quit

# Enable the MPLS protocol on P1 and on the VLANs connecting P1 and the other PE switches.

[P1] mpls lsr-id 201.255.98.1
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1] int vlan 11
[P1-Vlan-interface11] mpls
[P1-Vlan-interface11] mpls ldp enable
[P1-Vlan-interface11] quit

The configurations on VLAN 12 and 30 are the same as on VLAN 11.

# Configure a peer of P2.

[P1] bgp 65000
[P1-bgp] group PtoP internal
[P1-bgp] peer PtoP connect-interface LoopBack0
[P1-bgp] peer 201.255.98.2 group PtoP

Note: 201.255.98.2 is the IP address of interface LoopBack0 on P2.

# Configure a peer of PE1 and a peer of PE2.


[P1-bgp] group 65000 internal
[P1-bgp] peer 65000 connect-interface LoopBack0
[P1-bgp] peer 201.255.98.11 group 65000
[P1-bgp] peer 201.255.98.12 group 65000

Note: 201.255.98.11 and 201.255.98.12 are the IP addresses of interface LoopBack0 on PE1 and PE2 respectively.

# Configure the BGP reflector.

[P1-bgp] reflector cluster-id 201.255.98.1
[P1-bgp] peer 65000 reflect-client

# Configure MP-BGP peers.

[P1-bgp] ipv4-family vpnv4
[P1-bgp-af-vpn] peer PtoP enable
[P1-bgp-af-vpn] peer 201.255.98.2 group PtoP
[P1-bgp-af-vpn] peer 65000 enable
[P1-bgp-af-vpn] reflector cluster-id 201.255.98.1
[P1-bgp-af-vpn] peer 65000 reflect-client
[P1-bgp-af-vpn] peer 201.255.98.11 group 65000
[P1-bgp-af-vpn] peer 201.255.98.12 group 65000
[P1-bgp-af-vpn] quit
[P1-bgp] quit

# Configure the default route of the Internet_VPN to the public network and advertise it. 201.1.10.6 is the IP address of the interface between the F/W and P1.

[P1] ip route-static vpn-instance Internet_VPN 0.0.0.0 0 201.1.10.6
[P1] bgp 65000
[P1-bgp] ipv4-family vpn-instance Internet_VPN
[P1-bgp-af-vpn-instance] network 0.0.0.0
[P1-bgp-af-vpn-instance] quit

# Import routes of other protocols (including NAT routes) into VPN1 and advertise them through MP-BGP.

[P1-bgp] ipv4-family vpn-instance VPN1
[P1-bgp-af-vpn-instance] import-route direct
[P1-bgp-af-vpn-instance] import-route static
[P1-bgp-af-vpn-instance] import-route nat
[P1-bgp-af-vpn-instance] quit
[P1-bgp] quit

Note: If the address pool addresses used by the NAT binding are in the same local network segment as VPN1, you do not need to advertise the NAT routes.

# Configure the rule used by the NAT binding. If the rule is to apply to VPN1, VPN1 must be specified in this rule.

[P1] acl number 3000

[P1-acl-adv-3000] rule permit ip vpn-instance VPN1 source 10.105.0.0 0.0.255.255
[P1-acl-adv-3000] quit

# Configure the address pool.

[P1] nat address-group 100 201.1.105.100 201.1.105.110

# Configure the maximum numbers of users and links allowed for VPN1 in NAT address translation (the maximum number of users should be configured according to the actual number of users in VPN1).

[P1] nat vpn limit vpn-instance VPN1 1000 500000

# Configure NAT binding on the interface VLAN 11 between P1 and PE1.

[P1] int vlan 11
[P1-Vlan-interface11] nat outbound 3000 address-group 100 slot 6

Note: The NAT configurations on the other egress interfaces of P1 are the same as on VLAN 11. But the address pool used by the NAT binding cannot be the same as that used on VLAN 11. In the network diagram shown above, the VLANs that you need to configure for NAT binding include VLAN 10, 12, 30 and 106.

# Configure QACL redirection on the ingress interface corresponding to VPN1, to redirect the packets which need NAT translation to the NAT board.

[P1] acl number 2001
[P1-acl-basic-2001] rule permit source 10.105.0.0 0.0.255.255
[P1-acl-basic-2001] quit
[P1] interface GigabitEthernet 3/1/1
[P1-GigabitEthernet3/1/1] traffic-redirect inbound ip-group 2001 slot 6 designated-vlan 105
[P1-GigabitEthernet3/1/1] quit

Caution:

You must configure the VPN binding on the corresponding VLAN before you configure QACL redirection on the port. The ACL rule redirecting to the NAT board cannot contain the keyword vpn-instance. The redirection-to-NAT-board configuration under the port must contain the argument designated-vlan, with its value being the VLAN to which the port belongs.

2) Configurations on P2.


Configurations on P2 are similar to those on P1. Please refer to the section above. Note that when configuring the reflector on P2, configure the same reflector cluster-id as on P1.


3) Configurations on PE1.

# For the VPN1 creation and the configurations of NAT, OSPF, MPLS and BGP, refer to the configurations on P1. The difference between P1 and PE1 is the peer configuration. PE1 does not need to configure a reflector. It only needs to enable the peers P1 and P2 in ipv4-family vpnv4 in BGP view.

# The NAT configurations on VPN2 are the same as on VPN1.

# Configure the internal server to allow other VPNs to access the internal server of VPN2, 10.102.0.12, for WWW and FTP services.

[PE1] int vlan 11
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 www inside vpn2 10.102.0.12 www slot 6
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 ftp inside vpn2 10.102.0.12 ftp slot 6
[PE1-Vlan-interface11] quit

# Configure the NAT binding for the internal server.

[PE1] acl number 3112
[PE1-acl-adv-3112] rule permit ip vpn-instance VPN1 source 10.102.0.12 0.0.0.0
[PE1-acl-adv-3112] quit
[PE1] nat address-group 12 201.1.102.12 201.1.102.12
[PE1] int vlan 11
[PE1-Vlan-interface11] nat outbound 3112 address-group 12 slot 6

Note:

- You can configure only one address for the address pool in the NAT binding, and this address must be the same as the GlobalIP of the NAT server.

- If there are other NAT binding rules that may permit NAT translation for this server, you must configure the maximum ACL number to ensure that this NAT binding has the highest priority.

- The NAT server can only be accessed through the binding interface. Hosts on other interfaces are not permitted to access it.
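The two rules stated here (the binding with the largest ACL number wins when several match, and the internal-server binding must use a single-address pool equal to the server GlobalIP) can be checked before the configuration is deployed. The following Python model is an added example, not part of the H3C document: it selects the binding a packet would hit and lints the internal-server binding. The data is constructed to resemble PE1's VLAN 11; the VPN2 user binding (ACL 3002 with pool 201.1.102.100 to 201.1.102.110) is an assumption, since the page only says the VPN2 NAT configuration mirrors VPN1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatBinding:
    acl: int                      # ACL number: the larger, the higher the binding priority
    vpn_instance: Optional[str]   # None models a rule without the vpn-instance keyword
    source: ipaddress.IPv4Network
    pool: Tuple[str, ...]         # members of the nat address-group


@dataclass(frozen=True)
class NatServer:
    global_ip: str                # "global" address of the nat server command
    inside_vpn: str               # "inside <vpn>" of the nat server command
    inside_ip: str


def matches(binding: NatBinding, vpn: str, src: str) -> bool:
    """Does this binding's ACL rule permit a packet from src in vpn?"""
    if binding.vpn_instance is not None and binding.vpn_instance != vpn:
        return False
    return ipaddress.ip_address(src) in binding.source


def select_binding(bindings: List[NatBinding], vpn: str, src: str) -> Optional[NatBinding]:
    """Apply the page's priority rule: among matching bindings, the highest ACL number wins."""
    hits = [b for b in bindings if matches(b, vpn, src)]
    return max(hits, key=lambda b: b.acl) if hits else None


def check_server_binding(bindings: List[NatBinding], server: NatServer) -> List[str]:
    """Lint the internal-server binding; an empty list means both notes are satisfied."""
    findings = []
    chosen = select_binding(bindings, server.inside_vpn, server.inside_ip)
    if chosen is None:
        return [f"no NAT binding matches internal server {server.inside_ip}"]
    if chosen.pool != (server.global_ip,):
        findings.append(
            f"acl {chosen.acl} wins for {server.inside_ip} but its pool "
            f"{chosen.pool[0]}..{chosen.pool[-1]} is not exactly GlobalIP {server.global_ip}")
    # A dedicated server binding exists but is outranked by a broader rule.
    for b in bindings:
        if b.pool == (server.global_ip,) and matches(b, server.inside_vpn, server.inside_ip) \
                and b.acl < chosen.acl:
            findings.append(
                f"server binding acl {b.acl} is outranked by acl {chosen.acl}; "
                f"renumber it above every other binding that matches the server")
    return findings


# Constructed sample data (assumed, modelled on PE1 VLAN 11).
SERVER = NatServer("201.1.102.12", "VPN2", "10.102.0.12")
USER_POOL = tuple(f"201.1.102.{i}" for i in range(100, 111))
GOOD = [
    NatBinding(3002, "VPN2", ipaddress.ip_network("10.102.0.0/16"), USER_POOL),
    NatBinding(3112, "VPN2", ipaddress.ip_network("10.102.0.12/32"), ("201.1.102.12",)),
]
# Same intent, but the server binding was given a lower ACL number than the user binding.
BAD = [
    GOOD[0],
    NatBinding(3001, "VPN2", ipaddress.ip_network("10.102.0.12/32"), ("201.1.102.12",)),
]

if __name__ == "__main__":
    print("good:", check_server_binding(GOOD, SERVER))
    print("bad: ", check_server_binding(BAD, SERVER))
```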

4) Configurations on PE2.

# The configurations on PE2 are similar to those on PE1. The difference is that for PE2 the NAT binding needs to be configured on the egress interfaces of two VLANs (VLAN 12 and 22).

5) Configurations on CE.

Omitted. It is only required to enable layer 3 routing protocols. For detailed operations, refer to the H3C S9500 Series Routing Switches Configuration Manual.


Selective QinQ Configuration Examples 

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd.  www.h3c.com

 

Table of Contents

1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 2
4.1 Network Requirements ... 2
4.2 Networking Diagram ... 2
4.3 Configuration Procedure ... 3
4.4 Complete Configuration ... 4


Selective QinQ Configuration Examples

1 Feature Introduction

Although common QinQ can expand a VLAN and implement a simple layer-2 VPN function, a port can only be configured with one fixed outer tag, which cannot meet the requirement that different VLAN tags be added for different service users. For example, VLANs 100~200 are users of one service, requiring outer tag 10; VLANs 201~300 are users of another service, requiring outer tag 20; while services of VLANs 10~20 want no tags. Such requirements cannot be satisfied by common QinQ.

Selective QinQ implements flexible configuration by configuring special ACL rules and adding a designated VLAN tag to ACL rule-compliant packets, or by changing the VLAN tags of incoming packets into a designated VLAN tag.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions.

Hardware versions: Type-D service boards of the S9500 series switches

3 Precautions

- The selective QinQ function is supported only by the type-D boards.

- As a selective QinQ-enabled port only permits packets with modified VLAN tags, you need to disable the VLAN filtering function on the port so that the packets of different VLANs can be handled on the port.

- To enable the outer VLAN tags of the response packets (the responses to the packets processed by the selective QinQ function) to be removed on the outbound port (the port connected to the DSLAM), make sure the port is a hybrid port and the corresponding VLAN of the outer tag is in the untagged mode.


4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, the DSLAM isolates the users through VLANs. VLAN 1000 through VLAN 2999 are for common network access services. It is desired that a VLAN 101 tag be inserted into the packets of these VLANs as the outer VLAN tag after the packets reach the S9500 switch. The packets are then passed to the BRAS for processing. VLAN 2000 through VLAN 2999 are for VIP users and require QoS services. A VLAN 102 tag is inserted into the packets of these VLANs as the outer VLAN tag after the packets reach the S9500 switch. The packets are then passed to the BRAS for processing. The BTV traffic is passed to the DSLAM through VLAN 3000 by the GSR. The DSLAM duplicates the multicast flow and then passes it to the user VLANs.

To implement the above services, for the packets reaching port g2/1/1, the S9500 needs to insert a VLAN 101 tag into packets of VLAN 1000 through VLAN 1999 and then pass the packets to the BRAS through VLAN 101; it also needs to insert a VLAN 102 tag into packets of VLAN 2000 through VLAN 2999 and then pass them to the BRAS through VLAN 102. For packets of VLAN 3000, no VLAN tag is inserted and they can be forwarded through layer-2 multicast in VLAN 3000. To implement this, you can use the selective QinQ function on the S9500 switch.

4.2 Networking Diagram

Figure 4-1 Networking diagram of the selective QinQ configuration


4.3 Configuration Procedure

1) Configure the DSLAM.

On the DSLAM, configure the access users to be mapped to VLAN 1000 through VLAN 2999. Configure the multicast VLAN 3000, and the multicast sub-VLANs VLAN 1000 through VLAN 2999. Connect the uplink port to the S9500 switch, permitting VLAN 1000 through VLAN 3000.

2) Configure the S9500.

# Configure the ACL rules that match VLAN 1000 through VLAN 1999 and VLAN 2000 through VLAN 2999.

[S9500] acl number 4000
[S9500-acl-link-4000] rule 0 permit ingress 1000 to 1999
[S9500-acl-link-4000] rule 1 permit ingress 2000 to 2999

# Create VLAN 101, VLAN 102, and VLAN 3000.

[S9500] vlan 101 102 3000

# Configure the port connected to the DSLAM as follows: permit packets of VLAN 101, VLAN 102, and VLAN 3000; disable the VLAN filtering attribute; insert a VLAN 101 tag into packets matching rule 0 of ACL 4000; insert a VLAN 102 tag into packets matching rule 1 of ACL 4000.

[S9500] interface GigabitEthernet 2/1/1
[S9500-GigabitEthernet2/1/1] port link-type hybrid
[S9500-GigabitEthernet2/1/1] port hybrid vlan 101 102 untagged
[S9500-GigabitEthernet2/1/1] port hybrid vlan 3000 tagged
[S9500-GigabitEthernet2/1/1] vlan filter disable
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 0 nested-vlan 101
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 1 nested-vlan 102

# Configure the ports connected to the GSR and the BRAS respectively.

[S9500] interface g2/1/2
[S9500-GigabitEthernet2/1/2] port link-type trunk
[S9500-GigabitEthernet2/1/2] port trunk permit vlan 3000
[S9500-GigabitEthernet2/1/2] interface g2/1/3
[S9500-GigabitEthernet2/1/3] port link-type trunk
[S9500-GigabitEthernet2/1/3] port trunk permit vlan 101 102

# Enable Layer 2 multicast on VLAN 3000.

[S9500] igmp-snooping enable
[S9500] vlan 3000
[S9500-vlan3000] igmp-snooping enable

3) Configure the BRAS and the GSR.


Configure the BRAS to handle packets with dual VLAN tags and to terminate PPPoE packets. Configure the GSR to enable layer-3 multicast, serving as the multicast router.
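An added example, not part of the H3C document, that models what port g2/1/1 does to 802.1Q frames under the configuration above: upstream, rule 0 and rule 1 nest the 101 or 102 tag on top of the customer tag, VLAN 3000 passes untouched, and any other VLAN is dropped; downstream, the hybrid port sends VLAN 101 and 102 untagged, so the outer tag is removed again before the frame reaches the DSLAM. MAC addresses and payloads are constructed; the frame layout is standard 802.1Q (TPID 0x8100 followed by a 16-bit TCI).

```python
import struct

TPID = 0x8100
# ACL 4000 rule 0 / rule 1 and the nested-vlan each one inserts (from the configuration above).
RULES = [(1000, 1999, 101), (2000, 2999, 102)]
# port hybrid vlan 101 102 untagged / port hybrid vlan 3000 tagged
PERMITTED_ON_G2_1_1 = {101, 102, 3000}
UNTAGGED_ON_G2_1_1 = {101, 102}


def build_frame(dst, src, vid, ethertype=0x0800, payload=b"", pcp=0):
    """Single-tagged Ethernet frame: dst(6) src(6) TPID TCI ethertype payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID, tci, ethertype) + payload


def vlan_stack(frame):
    """VIDs from outermost to innermost; empty list for an untagged frame."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def push_outer_tag(frame, vid, pcp=0):
    """Insert a new outermost 802.1Q tag right after the MAC addresses (QinQ nesting)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def pop_outer_tag(frame):
    """Remove the outermost 802.1Q tag (what an untagged hybrid-port member VLAN does on egress)."""
    if not vlan_stack(frame):
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]


def ingress_g2_1_1(frame):
    """Upstream (DSLAM -> S9500): classify by the customer VID and nest the service VLAN tag."""
    stack = vlan_stack(frame)
    if not stack:
        return ("drop", frame)
    vid = stack[0]
    for lo, hi, outer in RULES:              # traffic-redirect ... rule N nested-vlan <outer>
        if lo <= vid <= hi:
            return ("forward", push_outer_tag(frame, outer))
    if vid in PERMITTED_ON_G2_1_1:           # VLAN 3000 BTV traffic: no tag inserted
        return ("forward", frame)
    return ("drop", frame)                   # not permitted on the port and no rule matched


def egress_g2_1_1(frame):
    """Downstream (BRAS/GSR -> DSLAM): strip the outer tag for VLANs the hybrid port sends untagged."""
    stack = vlan_stack(frame)
    if not stack or stack[0] not in PERMITTED_ON_G2_1_1:
        return ("drop", frame)
    if stack[0] in UNTAGGED_ON_G2_1_1:
        return ("forward", pop_outer_tag(frame))
    return ("forward", frame)                # VLAN 3000 stays tagged towards the DSLAM


# Constructed sample frames.
DST = b"\xff" * 6
SRC = b"\x00\x11\x22\x33\x44\x55"
USER_FRAME = build_frame(DST, SRC, 1234, payload=b"pppoe")   # common user VLAN
VIP_FRAME = build_frame(DST, SRC, 2500, payload=b"pppoe")    # VIP user VLAN
BTV_FRAME = build_frame(DST, SRC, 3000, payload=b"mcast")    # multicast VLAN
OTHER_FRAME = build_frame(DST, SRC, 500)                     # not covered by any rule

if __name__ == "__main__":
    for name, f in (("user", USER_FRAME), ("vip", VIP_FRAME), ("btv", BTV_FRAME), ("other", OTHER_FRAME)):
        action, out = ingress_g2_1_1(f)
        print(name, action, vlan_stack(out))
```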

4.4 Complete Configuration

#
igmp-snooping enable
#
acl number 4000
rule 0 permit ingress 1000 to 1999 egress any
rule 1 permit ingress 2000 to 2999 egress any
#
vlan 1
#
vlan 101
#
vlan 102
#
vlan 3000
igmp-snooping enable
#
interface GigabitEthernet2/1/1
port link-type hybrid
port hybrid vlan 3000 tagged
port hybrid vlan 1 101 102 untagged
vlan filter disable
traffic-redirect inbound link-group 4000 rule 0 system-index 1 nested-vlan 101
traffic-redirect inbound link-group 4000 rule 1 system-index 2 nested-vlan 102
#
interface GigabitEthernet2/1/2
port link-type trunk
port trunk permit vlan 1 3000
#
interface GigabitEthernet2/1/3
port link-type trunk
port trunk permit vlan 1 101 102


VRRP Configuration Examples

Table of Contents

1 Feature Introduction ... 1
2 Versions Applicable ... 2
3 Precautions ... 2
4 Configuration Examples ... 3
4.1 Network Requirements ... 3
4.2 Networking Diagram ... 4
4.3 Configuration Procedure ... 4
4.4 Complete Configuration ... 8

Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com

 


VRRP Configuration Examples

1 Feature Introduction

Virtual Router Redundancy Protocol (VRRP) is a fault tolerance protocol. As shown in the following figure, generally a default route is set for every host in a network (the next hop of the default route in the figure is 10.100.10.1). The packets from hosts to the external network are sent to the layer-3 switch through the default route for communications between the hosts and the external network. When the switch fails, all the hosts in the segment that take the switch as the next hop of the default route lose their communication with the outside.

Figure 1-1 Networking diagram of the LAN

VRRP was put forward to solve the above mentioned problems. It is specially designed for multicast- or broadcast-supporting LANs like Ethernet. VRRP organizes a group of switches (including a Master switch and several Backup switches) into a virtual router. This group of switches is called a backup group.


Figure 1-2 Virtual router

A virtual switch has its own IP address of 10.100.10.1 (this IP address can be the same as the interface address of a switch in the backup group). Also, the switches in the backup group have their own IP addresses (e.g., the Master IP address is 10.100.10.2, and the Backup IP address is 10.100.10.3). The hosts in the LAN are only aware that the IP address of the virtual router is 10.100.10.1 (usually known as the virtual IP address of the backup group), but are not aware that the specific IP address of the Master switch is 10.100.10.2 and the IP address of the Backup switch is 10.100.10.3. They specify the IP address 10.100.10.1 of the virtual router as the next hop of their own default routes. So, the hosts in the LAN communicate with other networks through this virtual router. When the Master switch in the backup group fails, the Backup switch with the highest priority takes over its work and becomes the new Master to provide routing services for the hosts in the LAN, implementing uninterrupted communications with external networks.

2 Versions Applicable

Software versions: S9500-CMW310-R1628 and newer versions.

Hardware versions: The full series of hardware versions of the S9500 series switches.


3 Precautions

- For the backup routers of the same VRRP backup group, the VRRP group hello time must be consistent, or the VRRP group operates improperly.

- The VRRP work mode in the same VRRP backup group must be identical, i.e., either preemptive mode or non-preemptive mode on all members.
- Before configuring a VRRP group, make sure the vrrp ping-enable function is enabled. Otherwise, the VRRP virtual address cannot be pinged.
- A VRRP monitoring port can monitor a VLAN interface address only, not a specific physical port.
- Do not modify the hello time of a VRRP group unless absolutely needed. If multiple VRRP groups exist, set their hello times to prime numbers (such as 2, 3, 5, 7, etc.) to avoid excessive CPU load.

4 Configuration Examples

4.1 Network Requirements

In the network shown in Figure 4-1, S9500-A and S9500-B have multiple Layer 2 switches attached to them. Assume that the IP address of the VLAN 2 interface created on S9500-A is 2.1.1.1, the IP address of the VLAN 2 interface created on S9500-B is 2.1.1.2, and the address of the virtual router is 2.1.1.3. Host A can access the Internet if its gateway address is set to 2.1.1.3.

This network is typical for VRRP. You can use the two Layer 3 switches (S9500-A and S9500-B) to form multiple VRRP backup groups. For example, you can have the Layer 2 devices connect to the virtual address 2.1.1.3, so that the hosts reach the Internet through the virtual gateway 2.1.1.3. When either S9500-A or S9500-B fails, the other device takes over its work and traffic continues to flow.


4.2 Networking Diagram

Figure 4-1 Networking diagram of VRRP

4.3 Configuration Procedure

S9500-A and S9500-B form two VRRP backup groups. In VLAN 2, S9500-A acts as Master and S9500-B as Backup; in VLAN 3, S9500-B acts as Master and S9500-A as Backup. Configure S9500-A to monitor the virtual interface of VLAN 8. When the virtual interface of VLAN 8 is unavailable, S9500-A decreases its priority in the VLAN 2 VRRP group, so that S9500-A becomes Backup. Configure S9500-B to monitor the virtual interface of VLAN 9. When the virtual interface of VLAN 9 is unavailable, S9500-B decreases its priority in the VLAN 3 VRRP group, so that S9500-B becomes Backup.

1) Configure S9500-A.

# Configure MSTP instances.

[S9500-A] stp enable
[S9500-A] stp non-flooding
[S9500-A] stp region-configuration
[S9500-A-mst-region] region-name vrrp
[S9500-A-mst-region] instance 2 vlan 2
[S9500-A-mst-region] instance 3 vlan 3
[S9500-A-mst-region] active region-configuration
[S9500-A-mst-region] quit
[S9500-A] stp instance 2 root primary
[S9500-A] stp instance 3 root secondary


[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] stp disable
[S9500-A-GigabitEthernet3/1/1] quit

# Create VLANs and their interface IP addresses.

<S9500-A> system-view
[S9500-A] vlan 2
[S9500-A-vlan2] interface Vlan-interface 2
[S9500-A-Vlan-interface2] ip address 2.1.1.1 8
[S9500-A-Vlan-interface2] quit
[S9500-A] vlan 3
[S9500-A-vlan3] interface Vlan-interface 3
[S9500-A-Vlan-interface3] ip address 3.1.1.1 8
[S9500-A-Vlan-interface3] quit
[S9500-A] vlan 8
[S9500-A-vlan8] interface Vlan-interface 8
[S9500-A-Vlan-interface8] ip address 8.1.1.1 8
[S9500-A-Vlan-interface8] quit

# Add ports to VLANs.

[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] port access vlan 8
[S9500-A-GigabitEthernet3/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/1
[S9500-A-GigabitEthernet2/1/1] port link-type trunk
[S9500-A-GigabitEthernet2/1/1] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-A-GigabitEthernet2/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/2
[S9500-A-GigabitEthernet2/1/2] port link-type trunk
[S9500-A-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/2] port trunk permit vlan 2
[S9500-A-GigabitEthernet2/1/2] quit
[S9500-A] interface GigabitEthernet 2/1/3
[S9500-A-GigabitEthernet2/1/3] port link-type trunk
[S9500-A-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/3] port trunk permit vlan 3
[S9500-A-GigabitEthernet2/1/3] quit

# Configure the VRRP backup group.

[S9500-A] interface Vlan-interface 2
[S9500-A-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-A-Vlan-interface2] quit
[S9500-A] interface Vlan-interface 3
[S9500-A-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3
[S9500-A-Vlan-interface3] quit


# Configure the priority and hello time of the VRRP backup group (optional).

[S9500-A] interface Vlan-interface 2
[S9500-A-Vlan-interface2] vrrp vrid 1 priority 130
[S9500-A-Vlan-interface2] vrrp vrid 1 timer advertise 2

# Configure the monitoring interface to monitor the virtual interface of VLAN 8.

[S9500-A-Vlan-interface2] vrrp vrid 1 track Vlan-interface 8 reduced 40

2) Configure S9500-B.

# Configure MSTP instances.

[S9500-B] stp enable
[S9500-B] stp non-flooding
[S9500-B] stp region-configuration
[S9500-B-mst-region] region-name vrrp
[S9500-B-mst-region] instance 2 vlan 2
[S9500-B-mst-region] instance 3 vlan 3
[S9500-B-mst-region] active region-configuration
[S9500-B-mst-region] quit
[S9500-B] stp instance 3 root primary
[S9500-B] stp instance 2 root secondary
[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] stp disable
[S9500-B-GigabitEthernet3/1/1] quit

# Create VLANs and their interface IP addresses.

<S9500-B> system-view
[S9500-B] vlan 2
[S9500-B-vlan2] interface Vlan-interface 2
[S9500-B-Vlan-interface2] ip address 2.1.1.2 8
[S9500-B-Vlan-interface2] quit
[S9500-B] vlan 3
[S9500-B-vlan3] interface Vlan-interface 3
[S9500-B-Vlan-interface3] ip address 3.1.1.2 8
[S9500-B-Vlan-interface3] quit
[S9500-B] vlan 9
[S9500-B-vlan9] interface Vlan-interface 9
[S9500-B-Vlan-interface9] ip address 9.1.1.1 8
[S9500-B-Vlan-interface9] quit

# Add ports to VLANs.

[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] port access vlan 9
[S9500-B-GigabitEthernet3/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/1
[S9500-B-GigabitEthernet2/1/1] port link-type trunk
[S9500-B-GigabitEthernet2/1/1] undo port trunk permit vlan 1


[S9500-B-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-B-GigabitEthernet2/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/2
[S9500-B-GigabitEthernet2/1/2] port link-type trunk
[S9500-B-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/2] port trunk permit vlan 3
[S9500-B-GigabitEthernet2/1/2] quit
[S9500-B] interface GigabitEthernet 2/1/3
[S9500-B-GigabitEthernet2/1/3] port link-type trunk
[S9500-B-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/3] port trunk permit vlan 2
[S9500-B-GigabitEthernet2/1/3] quit

# Configure the VRRP backup group.

[S9500-B] interface Vlan-interface 2
[S9500-B-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-B-Vlan-interface2] quit
[S9500-B] interface Vlan-interface 3
[S9500-B-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3
[S9500-B-Vlan-interface3] quit

# Configure the priority and hello time of the VRRP backup group (optional).

[S9500-B] interface Vlan-interface 2
[S9500-B-Vlan-interface2] vrrp vrid 1 timer advertise 2
[S9500-B-Vlan-interface2] quit
[S9500-B] interface Vlan-interface 3
[S9500-B-Vlan-interface3] vrrp vrid 1 priority 130

# Configure the monitoring interface to monitor the virtual interface of VLAN 9.

[S9500-B-Vlan-interface3] vrrp vrid 1 track Vlan-interface 9 reduced 40

3) Configure L2SW-A.

[L2SW-A] vlan 2
[L2SW-A-vlan2] quit
[L2SW-A] interface Ethernet 0/1
[L2SW-A-Ethernet0/1] port link-type trunk
[L2SW-A-Ethernet0/1] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/1] port trunk permit vlan 2
[L2SW-A-Ethernet0/1] quit
[L2SW-A] interface Ethernet 0/2
[L2SW-A-Ethernet0/2] port link-type trunk
[L2SW-A-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/2] port trunk permit vlan 2
[L2SW-A-Ethernet0/2] quit
[L2SW-A] interface Ethernet 0/3
[L2SW-A-Ethernet0/3] port access vlan 2

4) Configure L2SW-B.

[L2SW-B] vlan 3
[L2SW-B-vlan3] quit
[L2SW-B] interface Ethernet 0/1
[L2SW-B-Ethernet0/1] port link-type trunk
[L2SW-B-Ethernet0/1] undo port trunk permit vlan 1


[L2SW-B-Ethernet0/1] port trunk permit vlan 3
[L2SW-B-Ethernet0/1] quit
[L2SW-B] interface Ethernet 0/2
[L2SW-B-Ethernet0/2] port link-type trunk
[L2SW-B-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-B-Ethernet0/2] port trunk permit vlan 3
[L2SW-B-Ethernet0/2] quit
[L2SW-B] interface Ethernet 0/3
[L2SW-B-Ethernet0/3] port access vlan 3
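The precautions in section 3 (members of a backup group must agree on the hello time) and the priority/track behaviour described at the start of 4.3 can be checked offline before the configuration is pushed. The following is an added Python example, not H3C code and not part of the original document: it parses constructed config excerpts in the style of section 4.4 (assumed format), reports settings on which S9500-A and S9500-B disagree, and computes which member becomes Master when a tracked interface fails, assuming preemptive mode and the VRRP default priority of 100. S9500-B's VLAN 3 virtual IP is deliberately set to 2.1.1.3 instead of 3.1.1.3 so the check has a mismatch to report.

```python
import re

# Constructed excerpts in the style of section 4.4 (not the page's own text);
# S9500-B's VLAN 3 virtual IP is deliberately 2.1.1.3 so the check has a hit.
S9500_A = """interface Vlan-interface2
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 timer advertise 2
 vrrp vrid 1 track Vlan-interface8 reduced 40
interface Vlan-interface3
 vrrp vrid 1 virtual-ip 3.1.1.3"""
S9500_B = """interface Vlan-interface2
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 timer advertise 2
interface Vlan-interface3
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 track Vlan-interface9 reduced 40"""

def parse_vrrp(config):
    """Map (Vlan-interface, vrid) -> settings; priority 100 and a 1 s hello time are VRRP defaults."""
    groups, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):          # VRRP lives only under VLAN interfaces here
            m = re.fullmatch(r"interface (Vlan-interface\d+)", line)
            iface = m.group(1) if m else None
            continue
        m = re.fullmatch(r"vrrp vrid (\d+) (\S+)(?: (.+))?", line)
        if not (m and iface):
            continue
        key, rest = m.group(2), (m.group(3) or "").split()
        g = groups.setdefault((iface, int(m.group(1))), {"priority": 100, "advertise": 1})
        if key in ("virtual-ip", "priority"):
            g[key] = rest[0] if key == "virtual-ip" else int(rest[0])
        elif key == "timer":                        # timer advertise <seconds>
            g["advertise"] = int(rest[1])
        elif key == "track":                        # track <interface> reduced <n>
            g["track"], g["reduced"] = rest[0], int(rest[2])
    return groups

def check_group(cfg_a, cfg_b, iface, vrid):
    """Section 3 precautions for one backup group: both members must agree on
    the virtual IP and on the hello (advertise) time, or the group misbehaves."""
    a, b = cfg_a[(iface, vrid)], cfg_b[(iface, vrid)]
    return [f"{iface} vrid {vrid}: {k} {a.get(k)} vs {b.get(k)}"
            for k in ("virtual-ip", "advertise") if a.get(k) != b.get(k)]

def elect_master(a, b, a_track_up=True, b_track_up=True):
    """Preemptive election: the highest effective priority wins, where a member
    whose tracked interface is down runs at priority minus its 'reduced' value."""
    def effective(g, up):
        return g["priority"] - (g["reduced"] if "track" in g and not up else 0)
    pa, pb = effective(a, a_track_up), effective(b, b_track_up)
    return "A" if pa > pb else "B" if pb > pa else "tie"  # tie: VRRP compares IPs
```

With VLAN 8 up, S9500-A (130) is Master for VLAN 2; once VLAN 8 goes down its effective priority drops to 90, below S9500-B's default 100, which is exactly the failover the procedure describes.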

4.4 Complete Configuration

1) Configure S9500-A.

#
vlan 2
#
vlan 3
#
vlan 8
#
interface Vlan-interface2
 ip address 2.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 timer advertise 2
 vrrp vrid 1 track Vlan-interface8 reduced 40
#
interface Vlan-interface3
 ip address 3.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
#
interface Vlan-interface8
 ip address 8.1.1.1 255.0.0.0
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3


#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 8
#
stp instance 2 root primary
stp instance 3 root secondary
stp enable
stp region-configuration
 region-name vrrp
 instance 2 vlan 2
 instance 3 vlan 3
 active region-configuration
#

2) Configure S9500-B.


#
vlan 2
#
vlan 3
#
vlan 9
#
interface Vlan-interface2
 ip address 2.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 timer advertise 2
#
interface Vlan-interface3
 ip address 3.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 track Vlan-interface9 reduced 40
#
interface Vlan-interface9
 ip address 9.1.1.1 255.0.0.0
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1


 port trunk permit vlan 3
#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 9
#
stp instance 3 root primary
stp instance 2 root secondary
stp enable
stp region-configuration
 region-name vrrp
 instance 2 vlan 2
 instance 3 vlan 3
 active region-configuration
#

3) Configure L2SW-A.

#
vlan 2
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/3
 port access vlan 2
#

4) Configure L2SW-B.


#
vlan 3
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1


 port trunk permit vlan 3
#
interface Ethernet0/3
 port access vlan 3
#