7/21/2019 Exemplos Config H3C
http://slidepdf.com/reader/full/exemplos-config-h3c 1/92
Firewall Blacklist Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
Firewall Blacklist Configuration Examples
1 Feature Introduction
The blacklist is a filtering method based on the source IP address of packets. Its match
criterion is very simple, which allows packets to be filtered quickly and so effectively
shields the network from packets sent by a specific IP address. The most important
feature of the blacklist is that SecBlade can add or delete blacklist entries dynamically:
when it detects, from the behaviour of the packets, that a specific IP address is
attempting an attack, SecBlade can modify the blacklist to filter the packets sent from
that IP address.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (this feature is not
supported in Version R2126 and newer versions).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, assume that the firewall board is seated in slot 4
of the S9500 switch. The internal host and the external host reside in the Trust zone
and the Untrust zone of the firewall respectively. Now it is required that all the packets
sourced from the external host be filtered within 100 minutes. The IP address of the
external network host is 202.0.0.1.
4.2 Networking Diagram
Figure 4-1 Networking diagram of blacklist of firewall
4.3 Configuration Procedure
# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30
# Configure IP addresses for the internal VLAN interfaces.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24
# Configure a route, setting the next hop of the external network packets to the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the SecBlade module. Configure VLAN 50 as security-vlan.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the interconnecting sub-interface and external network sub-interface of the SecBlade (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes: the next hop of the internal network packets is the S9500, and the next hop of the external network packets is the router.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
# In the SecBlade view, configure the blacklist.
[SecBlade_FW] firewall blacklist 202.0.0.1 timeout 100
[SecBlade_FW] firewall blacklist enable
4.4 Complete Configuration
#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10
ip address 10.0.0.1 24
#
interface vlan-interface 30
ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
port access vlan 10
#
interface Ethernet 3/1/1
port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
secblade-interface vlan-interface 30
security-vlan 50
map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interface and its zone.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.0.0.254 24
quit
interface g0/0.30
vlan-type dot1q vid 30
ip address 30.0.0.254 24
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1
# Configure the client address as a blacklist entry.
firewall blacklist 202.0.0.1 timeout 100
# Enable the blacklist function.
firewall blacklist enable
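The following Python model is added here as an illustration; it is not part of the H3C document and not SecBlade code. It shows the blacklist semantics configured above: the match is on the source IP address only, an entry added with timeout 100 ages out after 100 minutes, entries can be added and deleted dynamically, and nothing is filtered until firewall blacklist enable has been issued. The internal host address 10.0.0.2 and the packet timestamps are constructed for the example.

```python
"""Source-IP blacklist with per-entry timeout, modelled on the SecBlade
blacklist feature configured above. Added illustration, not H3C code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Packet = Tuple[float, str, str]  # (time in minutes, source IP, destination IP)


@dataclass
class Blacklist:
    """Entries map a source IP to its expiry time in minutes (None = permanent).
    Packets are only filtered once 'firewall blacklist enable' has been issued."""
    enabled: bool = False
    entries: Dict[str, Optional[float]] = field(default_factory=dict)

    def add(self, ip: str, now: float, timeout: Optional[int] = None) -> None:
        # 'firewall blacklist <ip> timeout <minutes>': the entry deletes itself
        # after `timeout` minutes; without a timeout it stays until removed.
        self.entries[ip] = None if timeout is None else now + timeout

    def delete(self, ip: str) -> None:
        # dynamic removal, the counterpart of a detection engine adding entries
        self.entries.pop(ip, None)

    def purge_expired(self, now: float) -> List[str]:
        expired = [ip for ip, exp in self.entries.items()
                   if exp is not None and exp <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def is_blocked(self, src_ip: str, now: float) -> bool:
        if not self.enabled:
            return False
        self.purge_expired(now)
        return src_ip in self.entries


def filter_packets(bl: Blacklist, packets: List[Packet]) -> List[str]:
    """One 'permit'/'deny' verdict per packet. Only the source address is
    consulted, which is what makes the blacklist match so cheap."""
    return ["deny" if bl.is_blocked(src, t) else "permit" for t, src, _ in packets]


def demo() -> List[str]:
    """Replays the scenario from section 4.1: 202.0.0.1 is blacklisted for
    100 minutes; the internal host is 10.0.0.2 (constructed address)."""
    bl = Blacklist()
    bl.add("202.0.0.1", now=0, timeout=100)   # firewall blacklist 202.0.0.1 timeout 100
    bl.enabled = True                         # firewall blacklist enable
    traffic: List[Packet] = [                 # constructed sample packets
        (1.0, "202.0.0.1", "10.0.0.2"),       # blacklisted source: dropped
        (1.0, "202.0.0.2", "10.0.0.2"),       # other external host: passes
        (99.0, "202.0.0.1", "10.0.0.2"),      # still inside the 100 minutes
        (100.0, "202.0.0.1", "10.0.0.2"),     # entry has aged out: passes again
    ]
    return filter_packets(bl, traffic)


if __name__ == "__main__":
    print(demo())  # ['deny', 'permit', 'deny', 'permit']
```

The last packet in demo() is the point of the timeout parameter: once the 100 minutes have elapsed the entry is gone and the host is no longer filtered, so a permanent block needs an entry without a timeout.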
Firewall Route Mode Configuration Examples
Table of Contents
1 Versions Applicable
2 Precautions
3 Configuration Examples
3.1 Network Requirements
3.2 Networking Diagram
3.3 Configuration Procedure
3.4 Complete Configuration
Firewall Route Mode Configuration Examples
1 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (this feature is not
supported in Version R2126 and newer versions).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
2 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
3 Configuration Examples
3.1 Network Requirements
In the network shown in Figure 3-1, assume that the firewall is seated in slot 4 of the
S9500 switch and is operating in route mode. The gateways of both the internal host
and the external host are on the firewall. In this case no Layer 3 interfaces need to be
configured on the S9500, which can act as a Layer 2-only device; all Layer 3
forwarding is carried out by the firewall.
3.2 Networking Diagram
Figure 3-1 Networking diagram of route mode of firewall. (Labels recovered from the figure: S9500 with port E2/1/2 in VLAN 50 and port E3/1/3 in VLAN 60; firewall sub-interface G0/0.50, VID 50, 50.1.1.254/24, in the Trust zone with PC 50.1.1.1/24; firewall sub-interface G0/0.60, VID 60, 60.1.1.254/24, in the Untrust zone with PC 60.1.1.1/24.)
3.3 Configuration Procedure
# Add internal VLAN 50 and external VLAN 60.
<S9500> system-view
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E3/1/3
# Configure the SecBlade module, and configure internal VLAN 50 and external VLAN 60 as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 50 60
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the sub-interfaces and add them to the corresponding zones (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
# In SecBlade view, configure the firewall mode as route mode, configure the IP address of each interface and add it to the corresponding zone.
[SecBlade_FW] firewall mode route
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] ip address 60.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.60
3.4 Complete Configuration
#
vlan 50
#
vlan 60
#
interface Ethernet 2/1/2
port access vlan 50
#
interface Ethernet 3/1/3
port access vlan 60
#
secblade module test
security-vlan 50 60
map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the firewall mode.
firewall mode route
# Configure the sub-interfaces and zones.
interface g0/0.50
vlan-type dot1q vid 50
ip address 50.1.1.254 24
quit
interface GigabitEthernet 0/0.60
vlan-type dot1q vid 60
ip address 60.1.1.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.50
quit
firewall zone untrust
add interface GigabitEthernet 0/0.60
quit
Transparent Firewall Configuration Examples
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
Transparent Firewall Configuration Examples
1 Feature Introduction
When the firewall is in transparent mode (also known as bridging mode), no interface
can be configured with an IP address. The interfaces belong to Layer 2 security zones
and are in the same subnet as the external hosts connected to the corresponding
interfaces of the Layer 2 zone. When forwarding packets between interfaces of Layer 2
zones, the outgoing interface is found according to the destination MAC address of the
packet. In this mode SecBlade acts as a transparent bridge.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (this feature is not
supported in Version R2126 and newer versions).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to
forward packets, you need to execute the firewall packet-filter default permit
command.
The security-VLAN IDs on different firewall boards cannot be the same.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the firewall is in transparent mode. Apply a MAC
address-based ACL to the firewall to permit the host in Trust Zone to access the
resources in DMZ Zone and Untrust Zone. Use the blacklist to filter all the packets
sent by host PC_B, which resides in Untrust Zone. The MAC address of PC_A is
000f-1f7e-fec5, while the IP address of PC_B is 10.0.0.50.
4.2 Networking Diagram
Figure 4-1 Networking diagram of transparent firewall
4.3 Configuration Procedure
# Add internal VLAN 10, external VLAN 50 and DMZ VLAN 60.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/1
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E2/1/3
# Configure the SecBlade module, and configure the three VLANs as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 10 50 60
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure the sub-interfaces and add them to the corresponding zones (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system-view
# In SecBlade view, configure the firewall mode as transparent and add the interfaces to the corresponding zones.
[SecBlade_FW] firewall mode transparent
[SecBlade_FW] interface GigabitEthernet 0/0.10
[SecBlade_FW-GigabitEthernet0/0.10] vlan-type dot1q vid 10
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.10
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ] add interface GigabitEthernet 0/0.60
# In SecBlade view, configure the blacklist and the ACL.
[SecBlade_FW] acl number 4000
[SecBlade_FW-acl-ethernetframe-4000] rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] firewall blacklist item 10.0.0.50 timeout 60
[SecBlade_FW] firewall blacklist enable
4.4 Complete Configuration
#
vlan 10
#
vlan 50
#
vlan 60
#
interface Ethernet 2/1/1
port access vlan 10
#
interface Ethernet 2/1/2
port access vlan 50
#
interface Ethernet 2/1/3
port access vlan 60
#
secblade module test
security-vlan 10 50 60
map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the firewall mode.
firewall mode transparent
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.10
vlan-type dot1q vid 10
quit
interface g0/0.50
vlan-type dot1q vid 50
quit
interface GigabitEthernet 0/0.60
vlan-type dot1q vid 60
quit
firewall zone trust
add interface GigabitEthernet 0/0.10
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
firewall zone DMZ
add interface GigabitEthernet 0/0.60
quit
# Configure the MAC-based ACL rule.
acl number 4000
rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
quit
# Configure the frame filter.
interface GigabitEthernet 0/0.50
firewall ethernet-frame-filter 4000 outbound
interface GigabitEthernet 0/0.60
firewall ethernet-frame-filter 4000 outbound
# Configure the address of PC_B as a blacklist entry.
firewall blacklist 10.0.0.50 timeout 60
# Enable the blacklist function.
firewall blacklist enable
ASPF Configuration Examples
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
ASPF Configuration Examples
1 Feature Introduction
ASPF (Application Specific Packet Filter) enhances the firewall capability of the CMW
platform by providing application-layer packet filtering. It is a high-level
communication filter that inspects application-layer protocol information and
monitors the state of the application-layer protocol carrying each connection. ASPF
maintains state information for every connection and uses it to decide dynamically
whether a packet is permitted to pass the firewall or is discarded.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (this feature is not
supported in Version R2126 and newer versions).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, configure an ASPF policy on the SecBlade to
inspect the FTP traffic that passes through the firewall. Requirement: the response
packets of FTP connections initiated by internal network users are permitted to enter
the internal network, while all other packets are denied. This example is suitable for
cases where local users access a remote network.
4.2 Networking Diagram
Figure 4-1 Networking diagram of ASPF of firewall
4.3 Configuration Procedure
# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30
# Configure the internal VLAN interface and the interconnecting VLAN interface, and assign their IP addresses.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24
# Configure the route: the next hop of external network packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the SecBlade module, configure VLAN 50 as the security VLAN and VLAN 30 as the interconnecting VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
# Enter SecBlade view, configure interconnecting sub-interface VLAN 30 and external network sub-interface VLAN 50 (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes: the next hop of external network packets is the router, and the next hop of internal network packets is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
# In SecBlade view, configure the ACL and the ASPF policy to detect FTP packets.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3111
[SecBlade_FW-acl-adv-3111] rule deny ip
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect ftp aging-time 3000
# In SecBlade view, enable the ASPF policy and apply ACL 3111 on the external network sub-interface.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall aspf 1 outbound
[SecBlade_FW-GigabitEthernet0/0.50] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall packet-filter 3111 inbound
4.4 Complete Configuration
#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10
ip address 10.0.0.1 24
#
interface vlan-interface 30
ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
port access vlan 10
#
interface Ethernet 3/1/1
port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
secblade-interface vlan-interface 30
security-vlan 50
map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
vlan-type dot1q vid 50
ip address 50.0.0.254 24
quit
interface g0/0.30
vlan-type dot1q vid 30
ip address 30.0.0.254 24
quit
firewall zone trust
add interface GigabitEthernet 0/0.30
quit
firewall zone untrust
add interface GigabitEthernet 0/0.50
quit
# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1
# Configure the ACL and the ASPF policy.
firewall packet-filter enable
acl number 3111
rule deny ip
quit
aspf-policy 1
detect ftp aging-time 3000
# Apply the ASPF policy on the interface.
interface GigabitEthernet 0/0.50
firewall aspf 1 outbound
# Apply ACL 3111 on the external network sub-interface.
interface GigabitEthernet 0/0.50
firewall packet-filter 3111 inbound
Firewall NAT Configuration Examples
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
Firewall NAT Configuration Examples
1 Feature Introduction
Network Address Translation (NAT) is the process in which the IP address in an IP
data header is translated into another IP address. In actual applications, NAT is used
to enable private networks to access exterior networks. With a small number of IP
addresses representing a large number of private IP addresses, this can effectively
cut down the consumption of available IP addresses.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (this feature is not
supported in Version R2126 and newer versions).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, users access the Internet through the address
translation function of the firewall. The company provides WWW and FTP services to
the outside. The internal address of the FTP server is 192.168.2.3/24, that of the WWW
server is 192.168.2.2/24. It is desired that the two servers can be accessed through
the same external IP address. Internal network segment 192.168.3.0/24 can access
the Internet while PCs in other network segments cannot access the Internet. An
external PC can access the internal servers. The company has 10 valid external IP
addresses ranging from 202.115.1.1 to 202.115.1.10. Use 202.115.1.1 as the external
IP address of the company.
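The following Python model is added as an illustration of the requirements just stated; it is not part of the H3C document and not SecBlade code. It shows the two translation directions that satisfy them: outbound, only sources in 192.168.3.0/24 are translated to the single public address 202.115.1.1 (each flow getting its own public port) and other segments are refused; inbound, new connections are accepted only for the published ports, 80 to the WWW server 192.168.2.2 and 21 to the FTP server 192.168.2.3, while return traffic follows the session table. The external hosts (203.0.113.9, 198.51.100.7), the ports, and the public port range starting at 10000 are constructed.

```python
"""NAT model for the requirements above: outbound translation for
192.168.3.0/24 only, through the single public address 202.115.1.1, plus the
WWW and FTP servers published on that same address by destination port.
Added illustration, not H3C code; external hosts and ports are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP, port)


@dataclass
class Nat:
    public_ip: str = "202.115.1.1"
    # segments allowed to reach the Internet (section 4.1: only 192.168.3.0/24)
    allowed_internal: tuple = (ip_network("192.168.3.0/24"),)
    # published services, keyed by the port on the public address
    servers: Dict[int, Endpoint] = field(default_factory=lambda: {
        80: ("192.168.2.2", 80),   # WWW server
        21: ("192.168.2.3", 21),   # FTP server
    })
    next_port: int = 10000         # constructed start of the public port pool
    # public port -> original internal endpoint, for return traffic
    sessions: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Internal -> Internet. Returns the packet as seen on the outside,
        or None if the source segment is not allowed out."""
        if not any(ip_address(src[0]) in net for net in self.allowed_internal):
            return None
        port = self.next_port            # one public port per internal flow
        self.next_port += 1
        self.sessions[port] = src
        return ((self.public_ip, port), dst)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Internet -> internal. Return traffic follows the session table;
        new connections are only accepted for the published server ports."""
        if dst[0] != self.public_ip:
            return None
        if dst[1] in self.sessions:
            return (src, self.sessions[dst[1]])
        if dst[1] in self.servers:
            return (src, self.servers[dst[1]])
        return None


def demo() -> Dict[str, object]:
    """Walks through the cases of section 4.1 with constructed external hosts."""
    nat = Nat()
    out: Dict[str, object] = {}
    out["pc_to_web"] = nat.outbound(("192.168.3.2", 40000), ("203.0.113.9", 443))
    out["pc_return"] = nat.inbound(("203.0.113.9", 443), ("202.115.1.1", 10000))
    out["server_segment_out"] = nat.outbound(("192.168.2.2", 40001), ("203.0.113.9", 443))
    out["ext_to_www"] = nat.inbound(("198.51.100.7", 50000), ("202.115.1.1", 80))
    out["ext_to_ftp"] = nat.inbound(("198.51.100.7", 50001), ("202.115.1.1", 21))
    out["ext_to_unpublished"] = nat.inbound(("198.51.100.7", 50002), ("202.115.1.1", 22))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two None results are the security-relevant part: a host outside 192.168.3.0/24 never obtains a translation and so never reaches the Internet, and an external connection to a port that is not published has no mapping and is dropped rather than reaching an internal host.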
4.2 Networking Diagram
Figure 4-1 NAT networking diagram of firewall. (Labels recovered from the figure: PC 192.168.3.2/24 on port E2/1/2 in VLAN 3, Vlan-interface 3 192.168.3.1/24; WWW server 192.168.2.2/24 and FTP server 192.168.2.3/24 on port E2/1/1 in VLAN 2, Vlan-interface 2 192.168.2.1/24; S9500 Vlan-interface 50 50.1.1.1/24 and port E3/1/1; firewall sub-interface G0/0.50, VID 50, 50.1.1.2/24, in the trust zone and sub-interface G0/0.200, VID 200, 202.115.1.1/24, in the untrust zone towards the Internet.)
4.3 Configuration Procedure
# Add internal VLAN 2 and VLAN 3, external VLAN 200 and SecBlade interface VLAN 50.
[S9500] vlan 2
[S9500-vlan2] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50
# Configure the addresses of the internal VLAN interfaces.
[S9500] interface vlan-interface 2
[S9500-Vlan-interface2] ip address 192.168.2.1 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 192.168.3.1 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24
# Configure the default route, specifying the SecBlade firewall as the next hop of packets to the external network.
[S9500] ip route-static 0.0.0.0 0 50.1.1.2
# Configure the SecBlade module and configure VLAN 200 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50
[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case
sensitive.)
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
# Configure the interconnecting sub-interface VLAN 50 and the external sub-interface
VLAN 200 of SecBlade; add the interconnecting sub-interface to the trust zone and the
external network sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200
# Configure the routes. The next hop of the external network route is the router, and
the next hop of the internal network routes is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 192.168.2.0 24 50.1.1.1
[SecBlade_FW] ip route-static 192.168.3.0 24 50.1.1.1
# In SecBlade view, configure the NAT address pool.
[SecBlade_FW] nat address-group 1 202.115.1.2 202.115.1.10
# In SecBlade view, configure the ACL rules that specify which internal network users
may access the Internet through NAT, and bind NAT to the interface.
[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.3.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny source any
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] nat outbound 2001 address-group 1
# Configure the internal servers to provide services to external network users.
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www
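To make the translation behaviour configured above concrete, the following Python model is an added example (it is not H3C code and not part of this document) of what the acl 2001, nat address-group 1, nat outbound and nat server commands produce: outbound traffic whose source is permitted by the basic ACL leaves with a source address taken from the pool, and inbound traffic to 202.115.1.1 on TCP port 21 (ftp) or 80 (www) is mapped to the FTP or WWW server. The wildcard semantics (0 bits must match, 1 bits are ignored), the pool-selection order and the sample packets are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


def to_int(addr: str) -> int:
    """Convert a dotted quad (or the bare '0' shorthand) to an integer."""
    return int(ipaddress.IPv4Address(addr)) if "." in addr else int(addr)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware-style wildcard (assumed): 0 bits must match, 1 bits are don't-care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


# Basic ACL 2001 exactly as on the page: (action, source, wildcard), checked in order.
ACL_2001 = [
    ("permit", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.3.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),   # "rule deny source any"
]

# nat address-group 1 202.115.1.2 202.115.1.10: the inclusive range of public addresses.
ADDRESS_GROUP_1 = [
    str(ipaddress.IPv4Address(i))
    for i in range(to_int("202.115.1.2"), to_int("202.115.1.10") + 1)
]

# nat server protocol tcp global 202.115.1.1 inside ... ftp / www
# (ftp and www are the keywords for TCP ports 21 and 80).
NAT_SERVER = {
    ("tcp", "202.115.1.1", 21): ("192.168.2.3", 21),
    ("tcp", "202.115.1.1", 80): ("192.168.2.2", 80),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def acl_action(acl, src: str) -> Optional[str]:
    """The first matching rule decides; None when no rule matches."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return None


def nat_outbound(pkt: Packet, pool_index: int = 0) -> Optional[Packet]:
    """'nat outbound 2001 address-group 1' on GigabitEthernet0/0.200.

    Returns the translated packet, or None when the source is not permitted by
    ACL 2001: such a packet is not translated, so it would leave with a private
    source address and get no reply, which is how the page denies Internet
    access to the other segments. pool_index stands in for the device's own
    pool selection (assumption).
    """
    if acl_action(ACL_2001, pkt.src) != "permit":
        return None
    return replace(pkt, src=ADDRESS_GROUP_1[pool_index % len(ADDRESS_GROUP_1)])


def nat_server_inbound(pkt: Packet) -> Optional[Packet]:
    """Static 'nat server' mapping for traffic arriving from the untrust zone."""
    inside = NAT_SERVER.get((pkt.proto, pkt.dst, pkt.dport))
    if inside is None:
        return None    # not a published service: no translation
    inside_ip, inside_port = inside
    return replace(pkt, dst=inside_ip, dport=inside_port)


if __name__ == "__main__":
    # Constructed sample traffic (198.51.100.0/24 is a documentation range).
    print(nat_outbound(Packet("tcp", "192.168.3.2", "198.51.100.7", 40000, 80)))
    print(nat_outbound(Packet("tcp", "192.168.4.2", "198.51.100.7", 40000, 80)))
    print(nat_server_inbound(Packet("tcp", "203.1.1.1", "202.115.1.1", 5000, 21)))
```

Two things are worth checking against the page's own values before deploying this configuration: ACL 2001 also permits 192.168.2.0/24, so the server segment is translated outbound as well as 192.168.3.0/24, and address-group 1 starts at 202.115.1.2, which is also the next hop of the firewall's default route; a pool that contains the upstream router's address should be narrowed.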
4.4 Complete Configuration
#
vlan 2
#
vlan 3
#
vlan 50
#
vlan 200
#
interface vlan-interface 2
 ip address 192.168.2.1 24
#
interface vlan-interface 3
 ip address 192.168.3.1 24
#
interface vlan-interface 50
 ip address 50.1.1.1 24
#
interface Ethernet 2/1/1
 port access vlan 2
#
interface Ethernet 2/1/2
 port access vlan 3
#
interface Ethernet 3/1/1
 port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
 secblade-interface vlan-interface 50
 security-vlan 200
 map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case
sensitive.)
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.1.1.2 24
 quit
interface g0/0.200
 vlan-type dot1q vid 200
 ip address 202.115.1.1 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.200
 quit
# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 192.168.2.0 24 50.1.1.1
ip route-static 192.168.3.0 24 50.1.1.1
# Configure the address pool and ACL.
nat address-group 1 202.115.1.2 202.115.1.10
acl number 2001
 rule permit source 192.168.2.0 0.0.0.255
 rule permit source 192.168.3.0 0.0.0.255
 rule deny source any
 quit
interface GigabitEthernet 0/0.200
 nat outbound 2001 address-group 1
# Configure the inside servers.
interface GigabitEthernet 0/0.200
 nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
 nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www
Packet Filtering Firewall Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
Packet Filtering Firewall Configuration Examples
1 Feature Introduction
The packet filtering application adds a packet filtering function to SecBlade. For
packets to be forwarded by SecBlade, SecBlade first reads the header information of
the packet: the protocol number of the upper-layer protocol carried by the IP layer,
and the source address, destination address, source port and destination port. It
then compares them with the ACL rules and, according to the result, decides whether
to forward or discard the packet.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (Version R2126 and later do not
support this feature).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, users access the Internet through the SecBlade of
the S9500 series switch. The company provides WWW and FTP services to the outside.
The IP address of the WWW server is 20.0.0.1 and the IP address of the FTP server is
20.0.0.2. Only a specific external PC is permitted to access the two servers; other
resources of the internal network are inaccessible to external users. Assume that
the IP address of the external user is 203.1.1.1.
4.2 Networking Diagram
Figure 4-1 Networking diagram of packet filter of firewall
4.3 Configuration Procedure
# Add internal VLAN 20 and VLAN 3, external VLAN 200 and SecBlade interface
VLAN 50.
[S9500] vlan 20
[S9500-vlan20] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50
# Configure the IP addresses of the internal VLAN interfaces and of the SecBlade
# interface VLAN.
[S9500] interface vlan-interface 20
[S9500-Vlan-interface20] ip address 20.0.0.254 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 15.0.0.2 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24
# Configure the routes. The next hop of the outbound packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 50.1.1.2
# Configure the SecBlade module and configure VLAN 200 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50
[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case
sensitive.)
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
# Configure the sub-interfaces: the interconnecting sub-interface VLAN 50 and the
external sub-interface VLAN 200 of SecBlade. Add the interconnecting sub-interface to
the trust zone and the external sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200
# Configure the routes. The next hop of the external network route is the router, and
the next hop of the internal network routes is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 20.0.0.0 24 50.1.1.1
[SecBlade_FW] ip route-static 15.0.0.0 24 50.1.1.1
# In SecBlade view, configure the ACL rules that allow only the specified external
user to access the internal servers, and apply them to the external sub-interface.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3002
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
[SecBlade_FW-acl-adv-3002] rule deny ip
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] firewall packet-filter 3002 inbound
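The following Python example is added here and is not H3C code: it parses the ACL rule syntax used on this page and evaluates advanced ACL 3002 the way section 1 and section 3 describe the packet filter, that is, rules are checked in order, the first match decides, and because the firewall denies by default unless firewall packet-filter default permit is configured, anything not explicitly permitted is dropped. The parser also accepts the basic-ACL form used in the NAT example (rule permit source ... / rule deny source any). The sample packets are constructed; the wildcard semantics (0 bits must match, 1 bits are ignored) are an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def to_int(addr: str) -> int:
    """Dotted quad (or the bare '0' wildcard shorthand) to integer."""
    return int(ipaddress.IPv4Address(addr)) if "." in addr else int(addr)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware-style wildcard (assumed): 0 bits must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def parse_rule(line: str) -> Dict:
    """Parse one 'rule ...' line as written on the page.

    Handles basic rules ("rule permit source 192.168.2.0 0.0.0.255",
    "rule deny source any") and advanced rules with a protocol, a
    destination and "destination-port eq N".
    """
    tokens = line.split()
    if tokens[0] != "rule" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    rule = {"action": tokens[1], "proto": "ip", "src": None, "dst": None, "dport": None}
    i = 2
    if i < len(tokens) and tokens[i] not in ("source", "destination", "destination-port"):
        rule["proto"] = tokens[i]   # tcp, udp, icmp or ip
        i += 1
    while i < len(tokens):
        keyword = tokens[i]
        if keyword in ("source", "destination"):
            key = "src" if keyword == "source" else "dst"
            if tokens[i + 1] == "any":
                rule[key] = ANY
                i += 2
            else:
                rule[key] = (tokens[i + 1], tokens[i + 2])
                i += 3
        elif keyword == "destination-port" and tokens[i + 1] == "eq":
            rule["dport"] = int(tokens[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported keyword {keyword!r} in {line!r}")
    return rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Dict, pkt: Packet) -> bool:
    """Every field present in the rule must match the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["src"] and not wildcard_match(pkt.src, *rule["src"]):
        return False
    if rule["dst"] and not wildcard_match(pkt.dst, *rule["dst"]):
        return False
    if rule["dport"] is not None and pkt.dport != rule["dport"]:
        return False
    return True


def packet_filter(rules: List[Dict], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; 'default' models the firewall's default action,
    deny unless 'firewall packet-filter default permit' was configured."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


# ACL 3002 as applied inbound on GigabitEthernet0/0.200, copied from the page.
ACL_3002 = [parse_rule(line) for line in (
    "rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80",
    "rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25",
    "rule deny ip",
)]


if __name__ == "__main__":
    # Constructed sample packets arriving from the untrust zone.
    for pkt in (Packet("tcp", "203.1.1.1", "20.0.0.1", 80),
                Packet("tcp", "203.1.1.1", "20.0.0.2", 21),
                Packet("tcp", "198.51.100.9", "20.0.0.1", 80),
                Packet("icmp", "203.1.1.1", "20.0.0.254")):
        print(pkt, "->", packet_filter(ACL_3002, pkt))
```

As written on the page, the second rule permits TCP port 25 (SMTP) to the FTP server 20.0.0.2, while the FTP control connection uses TCP port 21; check that the port in that rule is the one intended before applying the ACL. The ACL is applied inbound only, so the default action from section 3 governs the other direction.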
4.4 Complete Configuration
#
vlan 20
#
vlan 3
#
vlan 50
#
vlan 200
#
interface vlan-interface 3
 ip address 15.0.0.2 24
#
interface vlan-interface 20
 ip address 20.0.0.254 24
#
interface vlan-interface 50
 ip address 50.1.1.1 24
#
interface Ethernet 2/1/1
 port access vlan 20
#
interface Ethernet 2/1/2
 port access vlan 3
#
interface Ethernet 3/1/1
 port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
 secblade-interface vlan-interface 50
 security-vlan 200
 map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case
sensitive.)
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.1.1.2 24
 quit
interface g0/0.200
 vlan-type dot1q vid 200
 ip address 202.115.1.1 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.200
 quit
# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 20.0.0.0 24 50.1.1.1
ip route-static 15.0.0.0 24 50.1.1.1
# Configure the ACL.
firewall packet-filter enable
acl number 3002
# These rules allow only the specified external user to access the internal servers
# from the external network; other resources of the internal network stay unreachable.
 rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
 rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
 rule deny ip
# Apply ACL 3002 to the inbound data stream of the external sub-interface.
interface GigabitEthernet 0/0.200
 firewall packet-filter 3002 inbound
Address Binding Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Networking Diagram
4.3 Configuration Procedure
4.4 Complete Configuration
Address Binding Configuration Examples
1 Feature Introduction
Binding a MAC address with an IP address means that SecBlade forms an association
between a specific IP address and a MAC address. If a packet claims to have been
sent from this IP address but its MAC address is not the one in the bound pair,
SecBlade discards it. Packets sent to this IP address are forcibly delivered to this
MAC address when they pass through SecBlade. This is an effective way to protect
against attacks that spoof the IP address.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (Version R2126 and later do not
support this feature).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.
3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward
packets, you need to execute the firewall packet-filter default permit command.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the Server is in the Trust zone and the Client in
the Untrust zone of the firewall. The IP address of the Client is 50.0.0.1 and its
MAC address is 00e0-fc00-0100. Configure address binding on SecBlade so that packets
complying with the binding relation can pass the firewall and the destination MAC
address of packets sent to 50.0.0.1 is 00e0-fc00-0100.
4.2 Networking Diagram
Figure 4-1 Networking diagram of address-binding of firewall
4.3 Configuration Procedure
# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E2/1/1
[S9500] vlan 30
# Configure the addresses of the internal VLAN interface (the VLAN where the server
is located) and of the VLAN interface interconnecting the S9500 with SecBlade.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24
# Configure the routes. The next hop of external network packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254
# Configure the SecBlade module, configure the external network VLAN as the
security VLAN, and enter SecBlade view (by default, the username and password are
SecBlade, case sensitive.)
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
<S9500> secblade slot 4
user: SecBlade
password: SecBlade
<SecBlade_FW> system
# In SecBlade view, configure the sub-interfaces and add them to the corresponding
zones.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
# Configure the routes. The next hop of the internal network packets is the S9500.
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1
# In SecBlade view, configure address binding: bind the client's IP address and MAC
address, then enable the function.
[SecBlade_FW] firewall mac-binding 50.0.0.1 00e0-fc00-0100
[SecBlade_FW] firewall mac-binding enable
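An added Python model (not H3C code and not from this document) of the two effects that section 1 ascribes to firewall mac-binding: a packet whose source IP address is bound but whose source MAC address differs from the bound one is discarded, and a packet destined to a bound IP address is delivered to the bound MAC address. The frames are constructed for the example, and the MAC normalisation is an assumption so that the page's 00e0-fc00-0100 notation compares equal to the colon-separated form.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# firewall mac-binding 50.0.0.1 00e0-fc00-0100  (the page's single binding)
BINDINGS: Dict[str, str] = {"50.0.0.1": "00e0-fc00-0100"}


def normalize_mac(mac: str) -> str:
    """Compare MACs regardless of Comware (xxxx-xxxx-xxxx) or colon notation."""
    return mac.lower().replace("-", "").replace(":", "")


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def source_allowed(frame: Frame, bindings: Dict[str, str] = BINDINGS) -> bool:
    """A source IP that has a binding must carry the bound source MAC."""
    bound = bindings.get(frame.src_ip)
    return bound is None or normalize_mac(bound) == normalize_mac(frame.src_mac)


def force_destination(frame: Frame, bindings: Dict[str, str] = BINDINGS) -> Frame:
    """Packets to a bound IP leave SecBlade with the bound destination MAC."""
    bound = bindings.get(frame.dst_ip)
    return replace(frame, dst_mac=bound) if bound else frame


def secblade_forward(frame: Frame, enabled: bool = True,
                     bindings: Dict[str, str] = BINDINGS) -> Optional[Frame]:
    """Return the frame as forwarded, or None if discarded.

    'enabled' models 'firewall mac-binding enable'; with it off, the binding
    table is not consulted (assumption consistent with the page's two commands).
    """
    if not enabled:
        return frame
    if not source_allowed(frame, bindings):
        return None
    return force_destination(frame, bindings)


if __name__ == "__main__":
    # Constructed frames: a legitimate client frame, a spoof claiming the client's
    # IP address from another MAC, and a server reply towards the client.
    legit = Frame("00e0-fc00-0100", "00e0-fc00-ffff", "50.0.0.1", "10.0.0.2")
    spoof = Frame("00e0-fc00-0200", "00e0-fc00-ffff", "50.0.0.1", "10.0.0.2")
    reply = Frame("00e0-fc00-ffff", "00e0-fc00-0200", "10.0.0.2", "50.0.0.1")
    for f in (legit, spoof, reply):
        print(secblade_forward(f))
```

The binding only protects the addresses listed in it: a frame from an unbound source IP passes whatever its MAC address, so each host that needs protection against spoofing must have its own firewall mac-binding entry.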
4.4 Complete Configuration
#
vlan 10
#
vlan 50
#
vlan 30
#
interface vlan-interface 10
 ip address 10.0.0.1 24
#
interface vlan-interface 30
 ip address 30.0.0.1 24
#
interface Ethernet 2/1/2
 port access vlan 10
#
interface Ethernet 2/1/1
 port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
 secblade-interface vlan-interface 30
 security-vlan 50
 map to slot 4
# Enter SecBlade view (by default, the username and password are SecBlade, case
sensitive.)
secblade slot 4
user: SecBlade
password: SecBlade
system
# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
 quit
interface g0/0.30
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.30
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
 quit
# Configure the routes.
ip route-static 10.0.0.0 24 30.0.0.1
# Add the client's IP address and MAC address to the address-binding relation.
firewall mac-binding 50.0.0.1 00e0-fc00-0100
# Enable the address-binding function.
firewall mac-binding enable
PING Optimization Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure
4.4 Configuration Information
PING Optimization Configuration Examples
1 Feature Introduction
Ping is a tool for testing link connectivity. A ping test failure does not affect the
transmission of service packets, so ping test packets are normally given low
priority. As a result, when the CPU is busy handling services or is flooded with a
large number of packets, ping packets may experience serious delay or loss. Some
applications are very sensitive to the delay and loss of ping packets. To guarantee
the smooth operation of these applications, ping packets can be redirected to a
separate channel to the CPU for higher processing priority.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (Version R2126 and later do not
support this feature).
Hardware version: S9500 whole series hardware versions.
3 Precautions
When configuring the packet redirection, do not specify an entire network
segment for matching the destination IP address of the ICMP packets to be
redirected. Otherwise, ICMP packets destined for other devices will also be
redirected to the CPU, which not only increases the CPU load but also
prevents the S9500 from pinging other devices.
When the system is not under attack, non-fragmented packets show a smaller
delay in the ping test. If the application does not require an especially small
delay and high stability, do not configure any additional packet redirection.
Only non-fragmented packets on common VLAN interfaces are guaranteed a
small delay after redirection. For fragmented packets or packets destined for
VPLS-enabled interfaces, redirection guarantees higher stability but improves
the delay very little.
Currently, only the delay of passive ping meets the requirement; the delay of
active ping does not.
When a line processing unit (LPU) is attacked by a large number of ping packets,
the stability of the ping test on the LPU cannot be guaranteed.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the S9500 is connected to the GSR through its
port G1/1/1 and to the L2 switch through its port G2/1/1. The responses to ping
packets arriving on ports G1/1/1 and G2/1/1 for the S9500 loopback interface
10.0.0.0, the upstream virtual interface 20.0.0.1 and the downstream interface
30.0.0.1 must be stable and reliable.
4.2 Network Diagram
Figure 4-1 Ping optimization network diagram (labels recovered from the figure: GSR;
S9500 with ports G1/1/1 and G2/1/1, addresses 20.0.0.1/24 and 30.0.0.1/24, and
loopback 10.0.0.1/24; L2 Switch)
4.3 Configuration Procedure
# Configure the ACL rules for ICMP echo request packets whose destination IP address
is 10.0.0.1, 20.0.0.1 or 30.0.0.1.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo
# Apply the rules on the ingress interfaces.
[H3C-GigabitEthernet1/1/1] traffic-redirect in ip-group 3000 cpu
[H3C-GigabitEthernet2/1/1] traffic-redirect in ip-group 3000 cpu
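The first precaution in section 3 (never match a whole network segment) can be checked with this added Python example, which is not H3C code: it evaluates the destination matches of ACL 3000 over a constructed set of ICMP echo request destinations, once with the host wildcard 0 used on the page and once with a segment wildcard 0.0.0.255, and lists which requests would be redirected to the CPU. The wildcard semantics (0 bits must match, 1 bits are ignored) and the sample destinations are assumptions.

```python
import ipaddress
from typing import List, Tuple


def to_int(addr: str) -> int:
    """Dotted quad (or the bare '0' wildcard shorthand) to integer."""
    return int(ipaddress.IPv4Address(addr)) if "." in addr else int(addr)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware-style wildcard (assumed): 0 bits must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


# The three destination addresses of ACL 3000, rules 0 to 2 on the page.
ACL_3000_DESTINATIONS = ["10.0.0.1", "20.0.0.1", "30.0.0.1"]


def acl_3000(wildcard: str) -> List[Tuple[str, str]]:
    """Build the rule set with the given destination wildcard ('0' as on the page)."""
    return [(dst, wildcard) for dst in ACL_3000_DESTINATIONS]


def redirected_to_cpu(rules: List[Tuple[str, str]],
                      echo_destinations: List[str]) -> List[str]:
    """Echo request destinations that 'traffic-redirect ... cpu' would send to the CPU."""
    return [d for d in echo_destinations
            if any(wildcard_match(d, base, wc) for base, wc in rules)]


# Constructed sample: echo requests to the S9500's own addresses and to other
# hosts in the same segments (traffic the switch merely forwards).
SAMPLE_ECHO_DESTINATIONS = [
    "10.0.0.1", "20.0.0.1", "30.0.0.1",          # the S9500 itself
    "20.0.0.7", "30.0.0.200", "10.0.0.9",        # other devices in those segments
    "192.0.2.5",                                 # unrelated destination
]

if __name__ == "__main__":
    print("host wildcard 0       :", redirected_to_cpu(acl_3000("0"), SAMPLE_ECHO_DESTINATIONS))
    print("segment wildcard .255 :", redirected_to_cpu(acl_3000("0.0.0.255"), SAMPLE_ECHO_DESTINATIONS))
```

With the host wildcard only the three requests addressed to the switch itself are redirected; with the segment wildcard every echo request transiting those segments is pulled to the CPU as well, which is the load and reachability problem the precaution warns about.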
4.4 Configuration Information
#
acl number 3000
 rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
 rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
 rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo
#
interface GigabitEthernet 1/1/1
 traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
 traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
 traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#
interface GigabitEthernet 2/1/1
 traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
 traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
 traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#
Portal Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure
4.4 Configuration Procedure
Portal Configuration Examples
1 Feature Introduction
Portal is also known as portal web, and portal authentication is also known as Web
authentication. The advantages of Portal are:
No client software needs to be installed;
High capacity for supporting new services: through the portal function, the
carrier can offer information query and online shopping on the portal.
The rationale of Portal: an unauthenticated user can access only the specified web
server; any other access is redirected to the portal server unconditionally, and the
user cannot access the Internet until the authentication has passed.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (Version R2126 and later do not
support this feature).
Hardware version: S9500 whole series hardware versions.
3 Precautions
Note that CAMS and the DHCP server must always stay connected to the switch;
On the DHCP server, configure address allocation for 192.169.1.1/24 and
192.169.2.1/24;
If iNode is used on the client, the listening port of the CAMS must be port 80. After
the configuration on CAMS, click "Enable Configuration";
You cannot use Portal and 802.1x at the same time. If 802.1x is enabled, you
cannot enable portal on the VLAN interface;
A NAM board is required to use portal together with the traffic accounting function.
4 Configuration Examples
4.1 Network Requirements
Applicable to cases, such as a school or some ISPs, where authentication is
required;
No client software is needed; the authentication can be completed with the IE
browser.
4.2 Network Diagram
Figure 4-1 Portal network diagram (labels recovered from the figure: DHCP Server
202.103.0.2; Radius Server 202.103.0.1; PC; S9500 acting as DHCP relay, port G3/2/4,
Portal VLAN 192; 30.0.2.2)
4.3 Configuration Procedure
I. Configure the Switch
Configuring the DHCP Relay.
1) Global configuration
[S9500] portal method redhcp
[S9500] portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal
The portal method redhcp command designates re-authentication as the portal
authentication method;
The portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal
command names the portal server portal1 with IP address 202.103.0.1, sets the key
shared between the portal server and the switch to hello, and sets the URL to which
a user is redirected for authentication to http://202.103.0.1/portal.
2) Configure the VLAN interface
# Configure the IP address of the VLAN interface
[S9500] interface Vlan-interface 192
[S9500-Vlan-interface192] ip address 192.169.1.1 24
[S9500-Vlan-interface192] ip address 192.169.2.1 24 sub
# In the VLAN interface view, designate this switch as the DHCP relay
[S9500-Vlan-interface192] dhcp select relay
# In the VLAN interface view, configure the IP address of the DHCP server
[S9500-Vlan-interface192] ip relay address 30.0.2.2
# In the VLAN interface view, enable the DHCP security entry-check function
[S9500-Vlan-interface192] dhcp relay security address-check enable
# In the VLAN interface view, enable Portal
[S9500-Vlan-interface192] portal portal1
3) Configure the Radius scheme
# In system view, create the radius scheme
[S9500] radius scheme portal
New Radius scheme added.
# Configure the IP address and port of the primary authentication/accounting server
[S9500-radius-portal] primary authentication 202.103.0.1 1812
[S9500-radius-portal] primary accounting 202.103.0.1 1813
# Configure the negotiation key between the switch and the radius server
[S9500-radius-portal] key authentication hello
[S9500-radius-portal] key accounting hello
# Configure the username sent from the switch to the radius server without a domain
[S9500-radius-portal] user-name-format without-domain
4) Configure ISP domain
# In system view, create ISP domain
[S9500] domain portal
New Domain added.
# Specify radius-scheme “portal” for the domain
[S9500-isp-portal] radius-scheme portal
Configuring the DHCP Server.
# Creating a DHCP Address Pool
[S9500] dhcp server ip-pool dhcp_direct
[S9500-dhcp-dhcp_direct] network 192.169.1.0 mask 255.255.255.0
[S9500-dhcp-dhcp_direct] gateway-list 192.169.1.1
[S9500-dhcp-dhcp_direct] quit
[S9500] dhcp server ip-pool dhcp_second
[S9500-dhcp-dhcp_second] network 192.169.2.0 mask 255.255.255.0
[S9500-dhcp-dhcp_second] gateway-list 192.169.2.1
[S9500-dhcp-dhcp_second] quit
II. Configure CAMS (Radius&Portal server)
The following configurations are carried out on CAMS 2.10-R0208/CAMS
V200R001B02D027.
1) Configure Access Device
On the CAMS menu, click System Management->System Configuration->Access
Device Configuration. The window below appears:
Figure 4-2 Add access device
Ensure that the address of the VLAN interface connecting the switch and CAMS
lies between Start IP address and End IP address, meaning that CAMS trusts the
switches within this range of IP addresses;
Configure the shared key as “hello”, the same as the key in the Radius scheme on
the switch;
For service type, select “LAN Access Service”;
Configure Port List as “1812,1813”, the ports on which the Radius server listens
for Radius packets;
Configure Protocol Type as “Extensible Protocol”.
Now the configuration of Access Device is complete.
2) Configure the Portal component
# Configure service information
On the CAMS menu, click Component Management->Portal Component->Server
Info. The window below appears:
Figure 4-3 Manage portal server information
Configure the primary IP address of the server as the Portal Server address
“202.103.0.1”;
For Listening Port Number, use the default value of “50100”;
Configure Portal Homepage as “http://202.103.0.1/portal”, the homepage selected
when setting up the CAMS Portal component;
Leave other settings at their default values; click OK. The configuration of Portal Server Info Management is now complete.
# Configure IP Address Group
On the CAMS menu, click Component Management->Portal Component->IP
Address Group. The window below appears:
Figure 4-4 Add IP address group (1)
Enter “direct” for Name, Start IP is “192.169.1.1” and End IP is “192.169.1.254”.
Figure 4-5 Add IP address group (2)
Enter “second” for Name, Start IP is “192.169.2.1” and End IP is “192.169.2.254”.
Now the configuration of IP Address Group is complete.
# Configure Device Info
On the CAMS menu, click Component Management->Portal Component->Device
Info. The window below appears:
Figure 4-6 Add device information
Device Name is “S9500”;
Configure IP Address as the IP address of the switch, “202.103.0.2”;
Version is “Portal 2.0”;
Key is “hello”; Reallocate IP Address is “Yes”;
For other options, select the default value, and click Add.
Now the configuration of Add Device Info is complete.
# Configure Port Info
On the CAMS menu, click Component Management->Portal Component->Device
Info. The window below appears:
Figure 4-7 Manage port information
Click Port Info Management, and click Add:
Figure 4-8 Add port group
Port group is “direct”;
Select “s9500-vlan-03-0002” for Start and “s9500-vlan-03-4094” for End. The
configuration must be in the fixed format sysname-vlan-slotid-vlanid, where
sysname is the sysname of the device, vlan is the fixed string “vlan”, slotid is the
slot ID of the VLAN internal port that enables portal (slot 3 here), and vlanid is the
Start/End VLAN (fill in the start VLAN for the Start port and the end VLAN for the
End port; this ensures that the VLAN interface that enables portal falls within the
range). Here the VLAN range is 0002 to 4094;
For IP address group, select “direct” from the dropdown menu;
For other options, select the default value;
Click OK to complete the configuration of “direct” for Add Port Group. To add another
port group, repeat the above process;
Figure 4-9 Add port group
Port group is “second”;
Select “s9500-vlan-03-0002” for Start and “s9500-vlan-03-4094” for End. The
configuration must be in the fixed format sysname-vlan-slot-vlanid, where
sysname is the sysname of the device, vlan is the fixed string “vlan”, slot is the
slot of the VLAN internal port that enables portal (slot 3 here), and vlanid is the
Start/End VLAN (fill in the start VLAN for the Start port and the end VLAN for the
End port; this ensures that the VLAN interface that enables portal falls within the
range). Here the VLAN range is 0002 to 4094;
For IP address group, select “second” from the dropdown menu;
For other options, select the default value;
Click OK. The configuration of “second” for Add Port Group now is complete.
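As an added example (not part of the H3C document or of CAMS), the following Python checks a port group's Start/End boundary pair against the fixed sysname-vlan-slotid-vlanid format described for both the “direct” and the “second” port groups, and confirms that the portal-enabled VLAN interface (here VLAN 192 in slot 3 of sysname S9500) falls inside the range; the function and class names are my own.

```python
"""Checker for CAMS portal port-group boundaries (added example, not H3C code).

The page states that Start and End ports use the fixed format
sysname-vlan-slotid-vlanid and that the VLAN interface enabling portal must
lie inside that range; this module encodes those rules so a group can be
validated before it is entered on CAMS.
"""
import re
from dataclasses import dataclass

# Exactly two digits for the slot and four for the VLAN, as in s9500-vlan-03-0002.
PORT_RE = re.compile(r"^(?P<sysname>[^-]+)-vlan-(?P<slot>\d{2})-(?P<vlan>\d{4})$")


@dataclass(frozen=True)
class PortName:
    sysname: str
    slot: int
    vlan: int


def parse_port_name(name: str) -> PortName:
    """Parse 's9500-vlan-03-0002' into its parts, enforcing the fixed format."""
    m = PORT_RE.match(name.strip())
    if not m:
        raise ValueError(f"{name!r} is not in sysname-vlan-slotid-vlanid form")
    vlan = int(m.group("vlan"))
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id {vlan} in {name!r} is outside 1-4094")
    return PortName(m.group("sysname").lower(), int(m.group("slot")), vlan)


def format_port_name(sysname: str, slot: int, vlan: int) -> str:
    """Build a boundary name in the format CAMS expects (zero-padded fields)."""
    return f"{sysname.lower()}-vlan-{slot:02d}-{vlan:04d}"


def check_port_group(start: str, end: str, sysname: str, slot: int, portal_vlan: int) -> list:
    """Return the problems found (an empty list means the group is acceptable).

    sysname/slot/portal_vlan describe the switch: its sysname, the slot of the
    VLAN internal port on which portal is enabled, and the portal VLAN id.
    """
    try:
        s, e = parse_port_name(start), parse_port_name(end)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if s.sysname != e.sysname or s.slot != e.slot:
        problems.append("Start and End must share the same sysname and slot id")
    if s.sysname != sysname.lower():
        problems.append(f"sysname {s.sysname!r} does not match the device sysname {sysname!r}")
    if s.slot != slot:
        problems.append(f"slot {s.slot} does not match the portal-enabled port's slot {slot}")
    if s.vlan > e.vlan:
        problems.append(f"Start VLAN {s.vlan} is greater than End VLAN {e.vlan}")
    elif not s.vlan <= portal_vlan <= e.vlan:
        problems.append(f"portal VLAN {portal_vlan} is outside the range {s.vlan}-{e.vlan}")
    return problems
```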
# Validate Configuration
On the CAMS menu, click Component Management->Portal Component->Validate
Configuration.
Figure 4-10 Validate configuration
Click Validate Configuration. The configuration of the Portal Components is now
complete;
3) Other Additions
# Add Accounting Policy
On the CAMS menu, click User Management->Bill Management-> Accounting
Policy. The window below appears:
Figure 4-11 Add accounting policy
Configure Name as “Portal”;
Configure Description as “For Portal”;
Configure Service Type as “LAN Access”;
Configure Subtype as “Ordinary”;
Configure Policy Template as “Normal usage”;
Click Next:
Figure 4-12 Set accounting attributes
Accounting Type is “By duration”; Unit of Usage is “hour”;
Default Rate is 1 dollar/1 hour;
Click OK. The configuration of Accounting Policy now is complete;
# Add Service
On the CAMS menu, click User Management->Service Management->Configure
Service. The window below appears:
Figure 4-13 Add service
Configure Service Name as “portal”;
Configure Accounting Policy as “Portal”;
Configure Security Policy as “Do not use security policy”;
For other options, select the default value. Add Service now is complete.
# Add Account
On the CAMS menu, click User Management-> Account User and Add Account:
Figure 4-14 Add account
Account is “portaluser”;
Configure Password as “111111”;
Configure Full Name as “PortalUser”;
Configure Account Type as “Prepaid Account”;
Configure Prepaid Money as “8000” dollar;
Tick “Portal” under “Service Information”;
Click OK. The configuration of Add “portaluser” Account now is complete.
The above is a typical configuration process for Portal re-authentication. After that,
users can use Portal authentication normally.
4.4 Complete Configuration
Configurations on DHCP Relay
#
portal method redhcp
portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal
#
interface Vlan-interface192
ip address 192.169.1.1 255.255.255.0
ip address 192.169.2.1 255.255.255.0 sub
ip relay address 30.0.2.2
dhcp select relay
dhcp relay security address-check enable
#
radius scheme portal
primary authentication 202.103.0.1
primary accounting 202.103.0.1
key authentication hello
key accounting hello
user-name-format without-domain
#
domain portal
scheme radius-scheme portal
vlan-assignment-mode integer
access-limit disable
state active
idle-cut disable
self-service-url disable
#
Configurations on DHCP Server
#
dhcp server ip-pool direct
network 192.169.1.0 mask 255.255.255.0
gateway-list 192.169.1.1
#
dhcp server ip-pool second
network 192.169.2.0 mask 255.255.255.0
gateway-list 192.169.2.1
SecBlade VPN Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction 1
2 Versions Applicable 1
3 Precautions 1
4 Configuration Examples 1
4.1 Network Requirements 1
4.2 Network Diagram 2
4.3 Configuration Procedure 2
4.4 Complete Configuration 3
SecBlade VPN Configuration Examples
1 Feature Introduction
The SecBlade VPN module supports various VPN services, in which the IPSec (IP
Security) protocol suite provides high quality, interoperable and cryptography-based
security for IP packets. The communicating parties on the IP network use encryption,
data source authentication and other methods to ensure the privacy, integrity, validity
and anti-replay of data in network transmission.
Terms used in this chapter:
Authentication header (AH): The AH protocol provides data source authentication,
data integrity and anti-replay functions. However, AH does not encrypt the IP packets
to be protected.
Encapsulating security payload (ESP): This protocol provides all functions of the AH
protocol, plus the encryption function for IP packets.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (version R2126 and
newer versions do not support this feature).
Hardware versions: LSB1IPSEC8DB0, LSB2IPSEC8DB0
3 Precautions
N/A
4 Configuration Examples
4.1 Network Requirements
As shown in Figure 4-1, the private network packets of VLAN 76 and VLAN 77 are
encrypted by the IPSec boards installed on the S9505 devices, so that they can be
transmitted securely.
4.2 Network Diagram
Figure 4-1 IPSec network diagram
4.3 Configuration Procedure
1) Configure the S9505_1:
# Configure VLANs and assign the ports connecting the PCs and the ports
connecting the two S9505 devices to their respective VLANs.
<S9505_1> system-view
[S9505_1] vlan 50
[S9505_1-vlan50] port Ethernet 2/1/1
[S9505_1-vlan50] quit
[S9505_1] vlan 77
[S9505_1-vlan77] port Ethernet 2/1/2
[S9505_1-vlan77] quit
# Configure the SecBlade module, configure VLAN 50 and VLAN 77 as security-vlan,
and map the SecBlade module to the IPSec board inserted in slot 3.
[S9505_1] secblade module test
[S9505_1-secblade-test] security-vlan 50
[S9505_1-secblade-test] security-vlan 77
[S9505_1-secblade-test] map to slot 3
2) Configure the SecBlade on the S9505_1:
# Configure the IP address of the interface.
[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ip address 172.16.50.2 24
[SecBlade_VPN-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_VPN-GigabitEthernet0/0.50] quit
[SecBlade_VPN] interface GigabitEthernet 0/0.77
[SecBlade_VPN-GigabitEthernet0/0.77] ip address 10.13.77.2 24
[SecBlade_VPN-GigabitEthernet0/0.77] vlan-type dot1q vid 77
[SecBlade_VPN-GigabitEthernet0/0.77] quit
# Configure the ACL rule.
[SecBlade_VPN] acl number 3000
[SecBlade_VPN-acl-adv-3000] rule permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
[SecBlade_VPN-acl-adv-3000] quit
# Configure the IPSec IKE.
[SecBlade_VPN] ike peer peer
[SecBlade_VPN-ike-peer-peer] pre-shared-key vpn
[SecBlade_VPN-ike-peer-peer] remote-address 172.16.50.1
[SecBlade_VPN-ike-peer-peer] quit
# Configure the IPSec protocol.
[SecBlade_VPN] ipsec proposal h3c
[SecBlade_VPN-ipsec-proposal-h3c] encapsulation-mode tunnel
[SecBlade_VPN-ipsec-proposal-h3c] transform ah-esp
[SecBlade_VPN-ipsec-proposal-h3c] ah authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] esp encryption-algorithm 3des
[SecBlade_VPN-ipsec-proposal-h3c] esp authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] quit
# Configure the IPSec policy.
[SecBlade_VPN] ipsec policy h3cpolicy 10 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] ike-peer peer
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] proposal h3c
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] security acl 3000
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] quit
# Apply the security policy on the subinterface of the public network.
[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ipsec policy h3cpolicy
[SecBlade_VPN-GigabitEthernet0/0.50] quit
# Configure the static route.
[SecBlade_VPN] ip route-static 10.13.76.0 255.255.255.0 172.16.50.1
3) Configure the S9505_2:
Refer to the configurations on the S9505_1.
4) Configure the SecBlade on the S9505_2:
Refer to the SecBlade configurations on the S9505_1.
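Added example (not H3C code) for the two-ended procedure above: a Python checker that parses the SecBlade configuration of each end (the sample texts are constructed from the page's values, abridged) and reports mismatches between the peers in pre-shared key, remote/local addresses, mirrored security ACLs and proposal, the settings that must agree for the IKE negotiation and the IPSec SA to come up; the parser and function names are my own.

```python
"""Two-ended consistency check for the SecBlade IPSec example (added example, not H3C
tooling): parses the '#'-delimited sections of each SecBlade configuration and checks
that the two peers agree on key, addresses, mirrored security ACLs and proposal."""
import re
from dataclasses import dataclass, field

# Constructed from the values in the page's complete configurations (abridged).
SECBLADE_1 = """\
 ike peer peer
  pre-shared-key vpn
  remote-address 172.16.50.1
#
 ipsec policy h3cpolicy 10 isakmp
  security acl 3000
  proposal h3c
#
 acl number 3000
  rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
#
 interface GigabitEthernet0/0.50
  ip address 172.16.50.2 255.255.255.0
  ipsec policy h3cpolicy
"""
SECBLADE_2 = """\
 ike peer peer
  pre-shared-key vpn
  remote-address 172.16.50.2
  local-address 172.16.50.1
#
 ipsec policy h3cpolicy 10 isakmp
  security acl 3000
  proposal h3c
#
 acl number 3000
  rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
#
 interface GigabitEthernet0/0.50
  ip address 172.16.50.1 255.255.255.0
  ipsec policy h3cpolicy
"""
RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")

@dataclass
class Peer:
    psk: str = ""
    remote: str = ""
    local: str = ""
    if_ip: str = ""      # address of the interface on which the IPSec policy is applied
    proposal: str = ""
    rules: list = field(default_factory=list)   # (src, src_wc, dst, dst_wc) tuples

def _sections(text):
    # Yield (header, body_lines) for each block between '#' separator lines.
    for chunk in re.split(r"(?m)^\s*#\s*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def _value(body, prefix):
    # Remainder of the first body line that starts with "<prefix> ", else "".
    return next((ln[len(prefix) + 1:] for ln in body if ln.startswith(prefix + " ")), "")

def parse_peer(text):
    """Extract the IPSec-relevant settings of one SecBlade configuration."""
    p, policies, acls, ifaces = Peer(), {}, {}, {}
    for header, body in _sections(text):
        w = header.split()
        if w[:2] == ["ike", "peer"]:
            p.psk, p.remote = _value(body, "pre-shared-key"), _value(body, "remote-address")
            p.local = _value(body, "local-address")
        elif w[:2] == ["ipsec", "policy"]:
            policies[w[2]] = body
        elif w[:2] == ["acl", "number"]:
            acls[w[2]] = [m.groups() for m in map(RULE_RE.match, body) if m]
        elif w[0] == "interface" and _value(body, "ipsec policy"):
            ifaces[_value(body, "ipsec policy")] = (_value(body, "ip address").split() or [""])[0]
    for name, body in policies.items():
        if name in ifaces:               # only a policy applied to an interface takes effect
            p.if_ip, p.proposal = ifaces[name], _value(body, "proposal")
            p.rules = acls.get(_value(body, "security acl"), [])
    return p

def check_pair(a, b):
    """Return the list of mismatches between two peers (empty means consistent)."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.remote != other.if_ip:
            problems.append(f"{name} remote-address {me.remote} is not the other side's {other.if_ip}")
        if me.local and me.local != me.if_ip:
            problems.append(f"{name} local-address {me.local} differs from its interface {me.if_ip}")
    if set(a.rules) != {(d, dw, s, sw) for s, sw, d, dw in b.rules}:
        problems.append("security ACLs are not mirror images of each other")
    if a.proposal != b.proposal:
        problems.append("ipsec proposals differ")
    return problems
```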
4.4 Complete Configuration
1) Configurations on the S9505_1.
Key configurations:
#
secblade module test
security-vlan 50 77
map to slot 3
#
2) SecBlade configurations on the S9505_1:
#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.2 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.77
ip address 10.13.77.2 255.255.255.0
vlan-type dot1q vid 77
#
interface Encrypt1/0
#
interface NULL0
#
ip route-static 10.13.76.0 255.255.255.0 172.16.50.1 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
#
return
3) Configurations on the S9505_2.
Key configurations:
#
secblade module test
security-vlan 50 76
map to slot 1
#
4) SecBlade configurations on the S9505_2:
#
sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
pre-shared-key vpn
remote-address 172.16.50.2
local-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
security acl 3000
pfs dh-group1
ike-peer peer
proposal h3c
#
acl number 3000
rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
ip address 172.16.50.1 255.255.255.0
vlan-type dot1q vid 50
ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.76
ip address 10.13.76.2 255.255.255.0
vlan-type dot1q vid 76
#
interface Encrypt1/0
shutdown
#
interface NULL0
#
ip route-static 10.13.77.0 255.255.255.0 172.16.50.2 preference 60
#
user-interface con 0
user-interface aux 0
authentication-mode password
user-interface vty 0 4
authentication-mode none
user privilege level 3
#
VPN NAT Comprehensive Networking Configuration Examples
Copyright © 2007 Hangzhou H3C Technologies Co., Ltd. www.h3c.com
Table of Contents
1 Feature Introduction 1
2 Versions Applicable 1
3 Configuration Requirements 1
4 Configuration Examples 4
4.1 Network Requirements 4
4.2 Network Diagram 5
4.3 Configuration Procedure 5
VPN NAT Comprehensive Networking Configuration Examples
1 Feature Introduction
MPLS L3VPN, inheriting the advantages of IP routing technology and integrating the
fast forwarding and flexible networking of MPLS technology, has been applied widely.
Especially in a relatively large enterprise network, MPLS L3VPN enables a clearer
network architecture, easier maintenance, more stable performance and more secure
access.
Together with the NAT function, MPLS L3VPN hides the private network side from the
public network and enables address reuse, thus enhancing network security and
saving user investment.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions:
1) Interface boards that support MPLS VPN
2) NAT board
Type        Description
LSB1NATB0   NAT board
3 Configuration Requirements
When advertising the default route in the MP-BGP on the device P, you must use
the network command.
As a valid address, the address of the address pool must be unique within the
network. Do not assign this address to any host or switch within the network (it is
allowed but not recommended to assign it to the interface binding the NAT on the
switch). In network deployment, make sure that the address of the address pool
is in the same network segment as the public network address.
Only assign the export-rt to the route for the public network address in the
VPN. The private network address routes need not be advertised or imported
into other VPNs, and need no export-rt. This is achieved with routing policies.
In this networking example, it is recommended to use the CE devices for
network layer access, to reduce the routing and ARP loads on the PE devices
and thus ensure network maintainability.
When configuring the QACL redirection, specify accurate rules so that only the
traffic which needs to be translated is redirected to the NAT board.
When configuring QACL redirection and binding a VLAN interface to a VPN, make
sure that you bind the VLAN interface to the VPN first and then redirect QACL
packets. To undo them, delete the QACL redirection first and then delete the
VLAN interface binding to the VPN.
To inherit the security of MPLS VPN, if you want to segregate two VPNs, you can
configure a black hole route between them, for which you can aggregate the
routes to reduce configuration complexity. Alternatively, you can segregate the
network by other means.
In the network diagram below, the core layer takes into consideration the
redundancy of the physical link. However, you can simplify the core layer
network layout and deployment according to your actual situation.
To ensure the compatibility of the software installed on the devices on the
network, you must use software version R1628 or later.
In this chapter, the device P also acts as a provider edge (PE) device, with a
VPN created on it. If the VPN needs NAT processing, you need to bind NAT to
each VLAN interface connected to the public network for the VPN, which uses
multiple address pools and requires complicated configuration and more
maintenance work. Therefore, it is recommended to avoid using the device P
as a PE. If the VPN does not need NAT processing, however, you do not need
to bind NAT and can use the device P as a PE without problem.
When configuring the internal server, make sure that you configure it on the
upstream port of the PE. You cannot map two different public network
addresses to one private network address (this can be solved by configuring
two private-to-public network address mappings on the internal server), or map
one public network address to multiple private network addresses. For link
backup, you can configure multiple public network addresses for the internal
server. Note, however, that when one link goes down, the internal server
configured on this link no longer supports services requiring the ALG function,
which can only be performed through another public network address. Services
that do not require the ALG function (such as WWW) can continue, provided
that the route to the public network address of the internal server can be
advertised through another link.
In the internal server applications, access requests from within a local VPN to the
public network address of the internal server are not supported. The VPN can
only access the private network address of the internal server, and traffic for
such access does not involve NAT processing. Similarly, access requests from
other local VPNs to the public network address of the internal server are also
not supported. You can, however, configure the binding of the VPN1 internal
server and VPN2 NAT on the upstream interface, to enable the VPN2 private
network addresses to access the public network address of the VPN1 internal
server for NAT services and the services on the internal server. Therefore, for
VPNs to access the internal server, you can configure the NAT binding in all
VPNs to enable them to access the public network address of the internal server.
In the internal server applications, you can configure the internal server on the
upstream interface on the PE to allow both the public and private network
addresses of the same remote VPN and of other remote VPNs to use services on
the internal server by accessing its public network address (note that for
cross-VPN access, you need to advertise the public network address of the
internal server to the other VPNs).
In the NAT applications, you can have the link backup by binding two different
NAT address pools on two egress interfaces with the same NAT rule. But you
cannot bind the same NAT address to different egress interfaces. Note that when
one link goes down, its NAT table entries are not deleted immediately. The old
traffic will still be translated using these entries and forwarded via another link.
New traffic will be translated by the NAT table entries of another link. Therefore,
if an application has multiple sessions, it might happen that this application is
mapped to several public network addresses, which may be denied service in
the client/server mode. This problem will be resolved after the aging time of NAT
table entries of the downed link expires (210 seconds by default).
When a packet matches multiple NAT bindings, the binding with the highest
priority is adopted. The larger the ACL number in the NAT binding, the higher
the NAT binding priority.
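The binding-priority and link-down aging rules above, modelled in Python as an added example that is not H3C code: the binding names and VLAN interfaces follow the diagram (VPN1 on P1), while the ACL numbers, ACL rules, flows and all function names are constructed for illustration.

```python
"""Model of the NAT-binding rules stated on the page (added example, not H3C code):
among the bindings whose ACL matches a packet, the one with the largest ACL number
wins, and NAT entries learned on a link that has gone down keep translating until
the entry aging time (210 s by default) expires. Binding names follow the diagram;
their ACL numbers, rules and the sample flows are constructed for illustration."""
from dataclasses import dataclass, field

AGING_SECONDS = 210  # default aging time of NAT table entries stated on the page


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def acl_matches(address: str, rules) -> bool:
    """H3C-style 'source <network> <wildcard>' rules: wildcard bits set to 1 are ignored."""
    addr = ip_to_int(address)
    for network, wildcard in rules:
        mask = ~ip_to_int(wildcard) & 0xFFFFFFFF
        if addr & mask == ip_to_int(network) & mask:
            return True
    return False


@dataclass
class Binding:
    name: str     # e.g. "NAT1"
    acl: int      # ACL number; the larger, the higher the binding priority
    link: str     # egress VLAN interface the binding is applied to
    rules: list   # [(network, wildcard), ...]


@dataclass
class NatTable:
    bindings: list
    link_up: dict                                  # VLAN interface -> bool
    entries: dict = field(default_factory=dict)    # (src, dst) -> (binding name, last seen)

    def select_binding(self, src: str):
        """Highest-priority binding on a live link whose ACL matches the source address."""
        live = [b for b in self.bindings if self.link_up[b.link] and acl_matches(src, b.rules)]
        return max(live, key=lambda b: b.acl, default=None)

    def translate(self, src: str, dst: str, now: float):
        """Return the binding used for this flow at time `now`, or None if nothing applies."""
        key = (src, dst)
        if key in self.entries:
            name, last_seen = self.entries[key]
            if now - last_seen < AGING_SECONDS:   # reused even if its link is down by now
                self.entries[key] = (name, now)
                return name
            del self.entries[key]                  # aged out; re-select a binding
        chosen = self.select_binding(src)
        if chosen is not None:
            self.entries[key] = (chosen.name, now)
        return None if chosen is None else chosen.name


def build_example() -> NatTable:
    """Two VPN1 bindings on P1 whose ACLs both cover 10.101.0.0/16 (constructed values)."""
    nat1 = Binding("NAT1", 2001, "Vlan-interface11", [("10.0.0.0", "0.255.255.255")])
    nat2 = Binding("NAT2", 2002, "Vlan-interface12", [("10.101.0.0", "0.0.255.255")])
    return NatTable([nat1, nat2], {"Vlan-interface11": True, "Vlan-interface12": True})
```

Running the flows in the test shows the effect described above: a flow started on the VLAN 12 link keeps its entry for up to 210 s after that link fails, while a new flow from the same VPN is translated on the VLAN 11 link.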
4 Configuration Examples
4.1 Network Requirements
Users in VPN1 and VPN2 need to access all servers on the network and access the
Internet. Some of the users use public network addresses (201.1.x.0/24), others use
private network addresses (10.x.0.0/16). When users with private network addresses
access hosts or servers that are not on the same CE side, the packets must be
processed by NAT. Servers with private network addresses must be mapped to public
network addresses by the NAT server before they can be accessed by public network
users.
Note:
In the network shown in Figure 4-1, the P devices and PE devices need to be NAT-
capable and thus need to be S9500 series switches.
4.2 Network Diagram
[Diagram: an MPLS/BGP core of P1 (master reflector) and P2 (slave reflector) joined by link aggregation, with PE1 and PE2 below them, CE1 to CE6 at the access layer, a firewall (F/W) towards the Internet, and a server. VPNs shown: internet_vpn rt:65000:0, VPN1 rt:65000:1, VPN2 rt:65000:2, server_vpn rt:65000:3. Global addresses are 201.1.x.0/24 and private addresses 10.x.0.0/16. NAT bindings NAT1 to NAT5 for VPN1 and VPN2 are marked on the VLAN interfaces (VLAN 10, 11, 12, 20, 22, 30, 106 and 206) of P1 and P2, and the internal server Server2 belongs to VPN2. Primary, secondary and general links are distinguished.]
Figure 4-1 VPN NAT comprehensive network diagram
4.3 Configuration Procedure
I. Configuration Design
1) Configurations on P1.
Create the Internet_VPN and configure a route for it. Advertise this route and
import the VPN routes on all PE devices in the access layer.
Create a VLAN for the Internet_VPN, bind it to the VPN instance and assign its IP address.
Create VPN1 and configure an export routing policy for it: advertise only the public address routes in 201.0.0.0/8 and do not advertise the private address routes in 10.0.0.0/8. Import the routes advertised by the Internet_VPN, Server_VPN and VPN2.
Create a VLAN for VPN1, bind it to the VPN instance and assign its IP address.
Configure a black hole route for VPN1 to restrict communication between VPNs (optional).
Create the Server_VPN and assign its route distinguisher and route targets. Its routes are advertised to, and the VPN routes are imported on, all PE devices in the access layer.
Create a VLAN for the Server_VPN, bind it to the VPN instance and assign its IP address.
Create the VLANs connecting P1 to the other devices. Configure link aggregation between P1 and P2 (optional).
Configure the loopback interface used to establish the BGP neighbor relationships.
Enable a routing protocol such as OSPF and advertise the loopback and link routes.
Configure MP-BGP and create a peer for P2.
Configure P1 as the BGP route reflector (for both BGP and MP-BGP at the same time).
Configure MP-BGP, create peers for all PE devices, and advertise a default route from the Internet_VPN to all VPNs.
Advertise the VPN1 routes to the other VPNs and to the remote ends through MP-BGP.
Configure NAT binding on all egress interfaces of VPN1 on P1, so that outbound packets from VPN1 with private source addresses are translated. The egress interfaces are VLAN 10, 11, 12, 30 and 106.
2) Configurations on P2.
Configure NAT binding on all egress interfaces of VPN1 on P2, so that outbound packets from VPN1 with private source addresses are translated. The egress interfaces are VLAN 20, 22, 30 and 206.
The configurations on P2 and P1 are otherwise the same. The only difference is that there is no VLAN interface between P2 and PE1, so no NAT binding for VPN1 is needed on that path. Note that when configuring the reflector on P2, you must configure the same reflector cluster-id as on P1.
3) Configurations on PE1.
For the creation of VPN1 and the NAT, OSPF, MPLS and BGP configurations, refer to the configurations on P1. Note that the routing policy must advertise only the 201.1.101.0/24 public network segment and must not advertise the 10.101.0.0/16 private network segment.
The configurations for VPN2 are the same as for VPN1. Note that the routing policy must advertise only the 201.1.102.0/24 public network segment and must not advertise the 10.102.0.0/16 private network segment.
Configure the VPN2 internal server on the upstream VLAN interface of PE1, so that other VPNs can reach the VPN2 internal server 10.102.0.12 through its global address.
Configure the NAT binding for the internal server.
4) Configurations on PE2.
For the creation of VPN1 and the OSPF, MPLS and BGP configurations, refer to the configurations on P1.
The configurations for VPN2 are the same as for VPN1. In addition, configure NAT binding on VLAN 12 and VLAN 22 so that the private network segment 10.204.0.0/24 is translated on both uplinks and the two links back each other up.
II. Configuration Procedure
1) Configurations on P1.
# Create the Internet_VPN, assign its route distinguisher (65000:0), export its routes with target 65000:0, and import the targets of VPN1 (65000:1), VPN2 (65000:2) and Server_VPN (65000:3) as well as its own (65000:0).
[P1] ip vpn-instance Internet_VPN
[P1-vpn-Internet_VPN] route-distinguisher 65000:0
[P1-vpn-Internet_VPN] vpn-target 65000:0 both
[P1-vpn-Internet_VPN] vpn-target 65000:1 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:2 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:3 import-extcommunity
[P1-vpn-Internet_VPN] quit
# Create VLAN 10 and bind it to the Internet_VPN.
[P1] vlan 10
[P1-vlan10] port GigabitEthernet 3/1/2
[P1-vlan10] quit
[P1] int vlan 10
[P1-Vlan-interface10] ip binding vpn-instance Internet_VPN
[P1-Vlan-interface10] ip address 201.1.10.1 255.255.255.0
[P1-Vlan-interface10] quit
# Create VPN1 and import the targets of the Internet_VPN, Server_VPN and VPN2 as well as VPN1's own target. No export target is set here: the export target is attached by the route policy configured next, so that only the selected routes leave VPN1.
[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] route-distinguisher 65000:1
[P1-vpn-VPN1] vpn-target 65000:0 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:1 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:2 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:3 import-extcommunity
[P1-vpn-VPN1] quit
# Configure the ACL used by the export route policy of VPN1. Routes matching the ACL are assigned the export target.
[P1] acl number 2013
[P1-acl-basic-2013] rule permit source 201.1.105.0 0.255.255.255
[P1-acl-basic-2013] quit
# Configure the export route policy of VPN1. Only routes matching ACL 2013 receive the export target 65000:1. The wildcard 0.255.255.255 matches the whole 201.0.0.0/8 block, so every 201.x route (including 201.1.105.0/24) is advertised, while the 10.0.0.0/8 private routes match no node of the policy and are therefore not advertised.
[P1] route-policy vpn1 permit node 0
[P1-route-policy] if-match acl 2013
[P1-route-policy] apply extcommunity rt 65000:1 additive
[P1-route-policy] quit
[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] export route-policy vpn1
[P1-vpn-VPN1] quit
# Create VLAN 105 and bind it to VPN1.
[P1] vlan 105
[P1-vlan105] port GigabitEthernet 3/1/1
[P1-vlan105] quit
[P1] int vlan 105
[P1-Vlan-interface105] ip binding vpn-instance VPN1
[P1-Vlan-interface105] ip address 201.1.105.1 255.255.255.0
[P1-Vlan-interface105] quit
# Configure a black hole route for VPN1.
[P1] ip route-static vpn-instance VPN1 201.1.0.0 16 NULL 0 blackhole
Note:
Because VPN1 learns the default route of the Internet_VPN, packets that match no more specific route are forwarded into the Internet_VPN by default, and because the Internet_VPN holds the routes of all VPNs, VPN1 could reach every other VPN. For security reasons the user does not want hosts in VPN1 to reach all other VPNs by default, so a black hole route is configured to shield the other VPNs from VPN1. In the network above, destination 201.1.0.0/16 is black-holed for VPN1. The black hole route is a /16, so longest-prefix matching still prefers any more specific route VPN1 holds (for example a 201.1.X.0/24 imported through a route target); only destinations for which VPN1 has no route of its own are discarded instead of following the default route. Note that with this configuration, any Internet destination inside 201.1.0.0/16 is also unreachable from VPN1.
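The interaction described in this note, as an added Python example (not code from the H3C document or the S9500): it models the route targets of the four VPN instances, the export filter of VPN1 and VPN2 (only 201.0.0.0/8 routes leave), and longest-prefix matching in VPN1 with and without the black hole route. The VPN names, targets and address blocks follow the example network; the set of routes each VPN originates is constructed for illustration.

```python
"""
Added example, not part of the H3C document: a model of route-target
import/export and of longest-prefix matching in VPN1, to show what the
black hole route does and does not block.  Names, targets and address
blocks follow the example network; the routes each VPN originates are
constructed for illustration.
"""
import ipaddress

# Route targets each VPN imports and the single target each VPN exports,
# following the P1 configuration in the text.
RT_IMPORT = {
    "Internet_VPN": {"65000:0", "65000:1", "65000:2", "65000:3"},
    "Server_VPN":   {"65000:0", "65000:1", "65000:2", "65000:3"},
    "VPN1":         {"65000:0", "65000:1", "65000:2", "65000:3"},
    "VPN2":         {"65000:0", "65000:1", "65000:2", "65000:3"},
}
RT_EXPORT = {"Internet_VPN": "65000:0", "VPN1": "65000:1",
             "VPN2": "65000:2", "Server_VPN": "65000:3"}

# Constructed sample routes originated by each VPN (prefix strings).
ORIGINATED = {
    "Internet_VPN": ["0.0.0.0/0", "201.1.10.0/24"],
    "Server_VPN":   ["201.1.106.0/24"],
    "VPN1":         ["201.1.105.0/24", "10.105.0.0/16"],
    "VPN2":         ["201.1.102.0/24", "10.102.0.0/16"],
}
# VPNs whose export route-policy only lets 201.0.0.0/8 routes through
# (acl 2013 with wildcard 0.255.255.255 in the text).
PUBLIC_ONLY = {"VPN1", "VPN2"}
EXPORT_FILTER = ipaddress.ip_network("201.0.0.0/8")


def exported_routes(vpn):
    """Routes a VPN advertises through MP-BGP after its export policy."""
    routes = []
    for prefix in ORIGINATED[vpn]:
        net = ipaddress.ip_network(prefix)
        if vpn in PUBLIC_ONLY and not net.subnet_of(EXPORT_FILTER):
            continue  # private 10/8 routes never leave the VPN
        routes.append(net)
    return routes


def vpn_routing_table(vpn, extra_static=()):
    """Local routes plus everything imported by matching route target,
    plus optional static routes given as (prefix, next-hop label)."""
    table = {ipaddress.ip_network(p): vpn for p in ORIGINATED[vpn]}
    for other, rt in RT_EXPORT.items():
        if other != vpn and rt in RT_IMPORT[vpn]:
            for net in exported_routes(other):
                table.setdefault(net, other)
    for prefix, next_hop in extra_static:
        table[ipaddress.ip_network(prefix)] = next_hop
    return table


def lookup(table, dst):
    """Longest-prefix match; returns the next-hop label or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# VPN1 with the black hole route from the text: 201.1.0.0/16 -> NULL 0.
VPN1_TABLE = vpn_routing_table("VPN1", [("201.1.0.0/16", "blackhole")])

if __name__ == "__main__":
    for dst in ("201.1.102.12", "10.102.0.12", "201.1.150.5", "8.8.8.8"):
        print(f"{dst:>14} -> {lookup(VPN1_TABLE, dst)}")
```

The lookups show the three cases: 201.1.102.12 still reaches VPN2 because the imported /24 is more specific than the /16 black hole; 201.1.150.5 is discarded because VPN1 has no route for it other than the black hole; and 10.102.0.12 (the private address of the VPN2 server) is never learned by VPN1 at all, so it follows the default route into the Internet_VPN, which is why the server must be reached through its global NAT address.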
# Create the Server_VPN.
The configurations for the Server_VPN are the same as for the Internet_VPN, with route distinguisher and export target 65000:3.
# Create the VLANs connecting P1 to the other devices: VLAN 11, 12 and 30.
[P1] vlan 11
[P1-vlan11] port GigabitEthernet 3/1/3
[P1-vlan11] quit
[P1] int vlan 11
[P1-Vlan-interface11] ip address 201.1.11.1 255.255.255.0
[P1-Vlan-interface11] quit
The configurations for the other VLANs are the same as for VLAN 11.
# Configure the link aggregation (optional).
[P1] link-aggregation GigabitEthernet 3/2/4 to GigabitEthernet 3/2/5 both
# Configure the loopback interface used to establish the BGP neighbor relationships.
[P1] interface LoopBack 0
[P1-LoopBack0] ip address 201.255.98.1 32
[P1-LoopBack0] quit
# Enable OSPF and advertise the routes of the local link segments and the loopback interface.
[P1] router id 201.255.98.1
[P1] ospf 200
[P1-ospf-200] area 0
[P1-ospf-200-area-0.0.0.0] network 201.1.11.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.12.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.30.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.255.98.1 0.0.0.0
[P1-ospf-200-area-0.0.0.0] quit
[P1-ospf-200] quit
# Enable MPLS and LDP on P1 and on the VLAN interfaces connecting P1 to the other P and PE switches.
[P1] mpls lsr-id 201.255.98.1
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1-mpls-ldp] quit
[P1] int vlan 11
[P1-Vlan-interface11] mpls
[P1-Vlan-interface11] mpls ldp enable
[P1-Vlan-interface11] quit
The configurations on VLAN 12 and 30 are the same as on VLAN 11.
# Configure P2 as a BGP peer.
[P1] bgp 65000
[P1-bgp] group PtoP internal
[P1-bgp] peer PtoP connect-interface LoopBack0
[P1-bgp] peer 201.255.98.2 group PtoP
Note: 201.255.98.2 is the IP address of interface LoopBack0 on P2.
# Configure PE1 and PE2 as BGP peers.
[P1-bgp] group 65000 internal
[P1-bgp] peer 65000 connect-interface LoopBack0
[P1-bgp] peer 201.255.98.11 group 65000
[P1-bgp] peer 201.255.98.12 group 65000
Note: 201.255.98.11 and 201.255.98.12 are the IP addresses of interface LoopBack0 on PE1 and PE2 respectively.
# Configure the BGP route reflector.
[P1-bgp] reflector cluster-id 201.255.98.1
[P1-bgp] peer 65000 reflect-client
# Configure the MP-BGP peers.
[P1-bgp] ipv4-family vpnv4
[P1-bgp-af-vpn] peer PtoP enable
[P1-bgp-af-vpn] peer 201.255.98.2 group PtoP
[P1-bgp-af-vpn] peer 65000 enable
[P1-bgp-af-vpn] reflector cluster-id 201.255.98.1
[P1-bgp-af-vpn] peer 65000 reflect-client
[P1-bgp-af-vpn] peer 201.255.98.11 group 65000
[P1-bgp-af-vpn] peer 201.255.98.12 group 65000
[P1-bgp-af-vpn] quit
[P1-bgp] quit
# Configure the default route of the Internet_VPN towards the public network and advertise it. 201.1.10.6 is the IP address on the firewall (F/W) side of the link between the firewall and P1.
[P1] ip route-static vpn-instance Internet_VPN 0.0.0.0 0 201.1.10.6
[P1] bgp 65000
[P1-bgp] ipv4-family vpn-instance Internet_VPN
[P1-bgp-af-vpn-instance] network 0.0.0.0
[P1-bgp-af-vpn-instance] quit
# Import the routes of other protocols (including the NAT routes) into VPN1 and advertise them through MP-BGP.
[P1-bgp] ipv4-family vpn-instance VPN1
[P1-bgp-af-vpn-instance] import-route direct
[P1-bgp-af-vpn-instance] import-route static
[P1-bgp-af-vpn-instance] import-route nat
[P1-bgp-af-vpn-instance] quit
[P1-bgp] quit
Note: If the addresses in the NAT address pool belong to a network segment that VPN1 already advertises as a local route, the NAT routes do not need to be advertised separately.
# Configure the ACL used by the NAT binding. For the rule to apply to VPN1, the vpn-instance VPN1 keyword must be specified in the rule.
[P1] acl number 3000
[P1-acl-adv-3000] rule permit ip vpn-instance VPN1 source 10.105.0.0 0.0.255.255
[P1-acl-adv-3000] quit
# Configure the address pool.
[P1] nat address-group 100 201.1.105.100 201.1.105.110
# Configure the maximum number of users and the maximum number of connections allowed for VPN1 in NAT (set the user limit according to the actual number of users in VPN1). Per-VPN limits bound the share of the NAT board's session resources that a single VPN can consume.
[P1] nat vpn limit vpn-instance VPN1 1000 500000
# Configure NAT binding on VLAN-interface 11, the interface between P1 and PE1.
[P1] int vlan 11
[P1-Vlan-interface11] nat outbound 3000 address-group 100 slot 6
Note: The NAT configuration on the other egress interfaces of P1 is the same as on VLAN 11, but each interface must use its own address pool; the pool bound on VLAN 11 cannot be reused. In the network diagram above, the VLANs that need NAT binding are VLAN 10, 12, 30 and 106.
# Configure QACL redirection on the ingress port of VPN1, so that packets that need NAT translation are redirected to the NAT board.
[P1] acl number 2001
[P1-acl-basic-2001] rule permit source 10.105.0.0 0.0.255.255
[P1-acl-basic-2001] quit
[P1] interface GigabitEthernet 3/1/1
[P1-GigabitEthernet3/1/1] traffic-redirect inbound ip-group 2001 slot 6 designated-vlan 105
[P1-GigabitEthernet3/1/1] quit
Caution:
You must configure the VPN binding on the corresponding VLAN interface before configuring QACL redirection on the port. The ACL used for redirection to the NAT board must not contain the vpn-instance keyword. The redirection command on the port must carry the designated-vlan argument, set to the VLAN to which the port belongs.
2) Configurations on P2.
The configurations on P2 are similar to those on P1; refer to the section above. Note that when configuring the reflector on P2, configure the same reflector cluster-id as on P1.
3) Configurations on PE1.
# For the creation of VPN1 and the NAT, OSPF, MPLS and BGP configurations, refer to the configurations on P1. The difference between P1 and PE1 is the peer configuration: PE1 does not need a reflector, it only needs to enable the peers P1 and P2 under ipv4-family vpnv4 in BGP view.
# The NAT configuration for VPN2 is the same as for VPN1.
# Configure the internal server so that other VPNs can reach the VPN2 internal server 10.102.0.12 for WWW and FTP through the global address 201.1.102.12. Only the WWW and FTP ports are mapped.
[PE1] int vlan 11
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 www inside VPN2 10.102.0.12 www slot 6
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 ftp inside VPN2 10.102.0.12 ftp slot 6
[PE1-Vlan-interface11] quit
# Configure the NAT binding for the internal server, so that connections initiated by the server in VPN2 leave with the same global address.
[PE1] acl number 3112
[PE1-acl-adv-3112] rule permit ip vpn-instance VPN2 source 10.102.0.12 0.0.0.0
[PE1-acl-adv-3112] quit
[PE1] nat address-group 12 201.1.102.12 201.1.102.12
[PE1] int vlan 11
[PE1-Vlan-interface11] nat outbound 3112 address-group 12 slot 6
Note:
The address pool used in this NAT binding can contain only one address, and it must be the same as the global IP of the NAT server.
If other NAT binding rules could also match traffic from this server, give this binding the highest ACL number so that it takes precedence.
The NAT server can only be reached through the interface on which it is bound. Hosts on other interfaces cannot reach it.
4) Configurations on PE2.
# The configurations on PE2 are similar to those on PE1. The difference is that on PE2 NAT binding must be configured on the egress interfaces of two VLANs (VLAN 12 and VLAN 22).
5) Configurations on CE.
Omitted. Only Layer 3 routing protocols need to be enabled. For detailed operations, refer to the H3C S9500 Series Routing Switches Configuration Manual.
Selective QinQ Configuration Examples
Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 2
4.1 Network Requirements ... 2
4.2 Networking Diagram ... 2
4.3 Configuration Procedure ... 3
4.4 Complete Configuration ... 4
Selective QinQ Configuration Examples
1 Feature Introduction
Basic QinQ extends the VLAN space and provides a simple Layer 2 VPN, but a port can only be configured with one fixed outer tag. This cannot meet the requirement that different outer VLAN tags be added for different service users. For example, VLANs 100 to 200 belong to one service and require outer tag 10; VLANs 201 to 300 belong to another service and require outer tag 20; while the services in VLANs 10 to 20 want no outer tag at all. Basic QinQ cannot satisfy such requirements.
Selective QinQ achieves this flexibility through dedicated ACL rules: a designated outer VLAN tag is added to packets that match an ACL rule, or the VLAN tag of incoming packets is changed to the designated VLAN tag.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions: Type-D service boards of the S9500 series switches
3 Precautions
The selective QinQ function is supported only by the type-D boards.
A selective QinQ-enabled port only permits packets whose VLAN tags are modified, so the VLAN filtering function must be disabled on the port for the packets of the different user VLANs to be handled on it. Because the port then no longer filters by VLAN membership, keep the VLAN ranges in the ACL rules limited to the VLANs the DSLAM is expected to send.
For the outer VLAN tags of the response packets (the replies to the packets processed by selective QinQ) to be removed on the outbound port (the port connected to the DSLAM), make sure the port is a hybrid port and the VLAN of the outer tag is in untagged mode on it.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the DSLAM isolates the users through VLANs. VLAN 1000 through VLAN 1999 are for common network access services. It is desired that VLAN 101 be inserted as the outer VLAN tag into the packets of these VLANs once they reach the S9500 switch; the packets are then passed to the BRAS for processing. VLAN 2000 through VLAN 2999 are for VIP users and require QoS; VLAN 102 is inserted as the outer VLAN tag into the packets of these VLANs once they reach the S9500 switch, and the packets are then passed to the BRAS for processing. The BTV (broadband TV) traffic is passed from the GSR to the DSLAM through VLAN 3000; the DSLAM replicates the multicast flow and passes it on to the user VLANs.
To implement these services, for the packets arriving on port G2/1/1 the S9500 needs to insert VLAN tag 101 into packets of VLAN 1000 through VLAN 1999 and pass them to the BRAS through VLAN 101, and to insert VLAN tag 102 into packets of VLAN 2000 through VLAN 2999 and pass them to the BRAS through VLAN 102. No VLAN tag is inserted into packets of VLAN 3000; they are forwarded by Layer 2 multicast within VLAN 3000. The selective QinQ function of the S9500 switch implements this.
4.2 Networking Diagram
Figure 4-1 Networking diagram of the selective QinQ configuration
4.3 Configuration Procedure
1) Configure DSLAM.
On DSLAM, configure the access users to be mapped to VLAN 1000 through VLAN
2999. Configure the multicast VLAN 3000, and multicast sub-VLANs VLAN 1000
through VLAN 2999. Connect the uplink port to the S9500 switch, permitting VLAN
1000 through VLAN 3000.
2) Configure the S9500.
# Configure the ACL rules that match VLAN 1000 through VLAN 1999 and VLAN 2000 through VLAN 2999.
[S9500] acl number 4000
[S9500-acl-link-4000] rule 0 permit ingress 1000 to 1999
[S9500-acl-link-4000] rule 1 permit ingress 2000 to 2999
[S9500-acl-link-4000] quit
# Create VLAN 101, VLAN 102 and VLAN 3000.
[S9500] vlan 101
[S9500-vlan101] quit
[S9500] vlan 102
[S9500-vlan102] quit
[S9500] vlan 3000
[S9500-vlan3000] quit
# Configure the port connected to the DSLAM: permit packets of VLAN 101, VLAN 102 and VLAN 3000; disable VLAN filtering; insert VLAN tag 101 into packets matching rule 0 of ACL 4000; insert VLAN tag 102 into packets matching rule 1 of ACL 4000.
[S9500] interface GigabitEthernet 2/1/1
[S9500-GigabitEthernet2/1/1] port link-type hybrid
[S9500-GigabitEthernet2/1/1] port hybrid vlan 101 102 untagged
[S9500-GigabitEthernet2/1/1] port hybrid vlan 3000 tagged
[S9500-GigabitEthernet2/1/1] vlan filter disable
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 0 nested-vlan 101
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 1 nested-vlan 102
[S9500-GigabitEthernet2/1/1] quit
# Configure the ports connected to the GSR and the BRAS respectively.
[S9500] interface GigabitEthernet 2/1/2
[S9500-GigabitEthernet2/1/2] port link-type trunk
[S9500-GigabitEthernet2/1/2] port trunk permit vlan 3000
[S9500-GigabitEthernet2/1/2] interface GigabitEthernet 2/1/3
[S9500-GigabitEthernet2/1/3] port link-type trunk
[S9500-GigabitEthernet2/1/3] port trunk permit vlan 101 102
[S9500-GigabitEthernet2/1/3] quit
# Enable Layer 2 multicast (IGMP snooping) in VLAN 3000.
[S9500] igmp-snooping enable
[S9500] vlan 3000
[S9500-vlan3000] igmp-snooping enable
[S9500-vlan3000] quit
3) Configure the BRAS and the GSR.
Configure the BRAS to handle packets with two VLAN tags and to terminate PPPoE. Configure the GSR as the multicast router with Layer 3 multicast enabled.
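What the selective QinQ port does to a frame, as an added Python example (not code from the H3C document or the S9500): it builds an 802.1Q-tagged frame, applies the tag-nesting policy of ACL 4000 (inner VLAN 1000 to 1999 gets outer tag 101, 2000 to 2999 gets outer tag 102, VLAN 3000 is left single-tagged) and parses the resulting tag stack. The sample frames are constructed, and the handling of inner VLANs that match no rule (rejected here) is an assumption, since the document does not specify it.

```python
"""
Added example, not part of the H3C document: byte-level view of selective
QinQ tag nesting.  The rule table mirrors ACL 4000 and the two
traffic-redirect ... nested-vlan commands on GigabitEthernet 2/1/1.
Frames are constructed; dropping frames that match no rule is an
assumption made for this example.
"""
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

# (first inner VID, last inner VID, outer VID to insert); None = keep as-is
NESTING_RULES = [
    (1000, 1999, 101),   # acl 4000 rule 0 -> nested-vlan 101
    (2000, 2999, 102),   # acl 4000 rule 1 -> nested-vlan 102
    (3000, 3000, None),  # multicast VLAN, forwarded in VLAN 3000 unchanged
]


def outer_vid_for(inner_vid):
    """Outer VID selected by the rules, None for pass-through; frames
    outside every range are rejected (assumed behaviour)."""
    for low, high, outer in NESTING_RULES:
        if low <= inner_vid <= high:
            return outer
    raise ValueError(f"inner VLAN {inner_vid} matches no selective QinQ rule")


def build_tagged_frame(dst_mac, src_mac, vid, payload, pcp=0):
    """Single-tagged frame: DA, SA, TPID, TCI, then EtherType and payload."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst_mac + src_mac + struct.pack("!HH", TPID, tci) + payload


def parse_tags(frame):
    """Return (list of VIDs from the outermost tag inward, offset of the
    EtherType that follows the last tag)."""
    vids, offset = [], 12
    while struct.unpack_from("!H", frame, offset)[0] == TPID:
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids, offset


def apply_selective_qinq(frame):
    """Insert the outer tag chosen by the rules in front of the inner tag."""
    vids, _ = parse_tags(frame)
    if len(vids) != 1:
        raise ValueError("expected a single-tagged frame from the DSLAM")
    outer = outer_vid_for(vids[0])
    if outer is None:
        return frame
    outer_tag = struct.pack("!HH", TPID, outer & 0x0FFF)
    return frame[:12] + outer_tag + frame[12:]


# Constructed sample: a user in VLAN 1500 sends a PPPoE discovery frame
# (EtherType 0x8863) towards the BRAS.
SAMPLE_FRAME = build_tagged_frame(
    b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 1500,
    b"\x88\x63" + b"\x11\x09\x00\x00\x00\x00")

if __name__ == "__main__":
    nested = apply_selective_qinq(SAMPLE_FRAME)
    print("tag stack after nesting:", parse_tags(nested)[0])
```

The nested frame carries the tag stack [101, 1500]: the BRAS sees the service VLAN 101 on the outside and the user's own VLAN on the inside, which is what lets one BRAS port separate the two service classes while still identifying each subscriber. Frames tagged 3000 pass through with a single tag, as the text requires for the multicast VLAN.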
4.4 Complete Configuration
#
igmp-snooping enable
#
acl number 4000
rule 0 permit ingress 1000 to 1999 egress any
rule 1 permit ingress 2000 to 2999 egress any
#
vlan 1
#
vlan 101
#
vlan 102
#
vlan 3000
igmp-snooping enable
#
interface GigabitEthernet2/1/1
port link-type hybrid
port hybrid vlan 3000 tagged
port hybrid vlan 1 101 102 untagged
vlan filter disable
traffic-redirect inbound link-group 4000 rule 0 system-index 1 nested-vlan 101
traffic-redirect inbound link-group 4000 rule 1 system-index 2 nested-vlan 102
#
interface GigabitEthernet2/1/2
port link-type trunk
port trunk permit vlan 1 3000
#
interface GigabitEthernet2/1/3
port link-type trunk
port trunk permit vlan 1 101 102
VRRP Configuration Examples
Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 2
3 Precautions ... 2
4 Configuration Examples ... 3
4.1 Network Requirements ... 3
4.2 Networking Diagram ... 4
4.3 Configuration Procedure ... 4
4.4 Complete Configuration ... 8
VRRP Configuration Examples
1 Feature Introduction
The Virtual Router Redundancy Protocol (VRRP) is a fault tolerance protocol. As shown in the following figure, every host in a network is generally given a default route (in the figure its next hop is 10.100.10.1). Packets from the hosts to the external network are sent to the Layer 3 switch over this default route. When that switch fails, every host in the segment that uses it as the next hop of its default route loses its connection to the outside.
Figure 1-1 Networking diagram of the LAN
VRRP was introduced to solve this problem. It is designed for LANs that support multicast or broadcast, such as Ethernet. VRRP organizes a group of switches (a Master and several Backups) into one virtual router; this group of switches is called a backup group.
Figure 1-2 Virtual router
The virtual router has its own IP address, 10.100.10.1 (this address may be the same as the interface address of one switch in the backup group). The switches in the backup group also have their own IP addresses (for example, the Master has 10.100.10.2 and the Backup 10.100.10.3). The hosts in the LAN only know the IP address of the virtual router, 10.100.10.1 (usually called the virtual IP address of the backup group); they are not aware that the Master's own address is 10.100.10.2 and the Backup's is 10.100.10.3. They use the virtual router address 10.100.10.1 as the next hop of their default routes, so the hosts in the LAN communicate with other networks through this virtual router. When the Master in the backup group fails, the Backup with the highest priority takes over and becomes the new Master, continuing to route for the hosts in the LAN so that communication with external networks is not interrupted.
2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions: The full series of hardware versions of the S9500 series switches.
3 Precautions
The VRRP hello (advertisement) time must be the same on all routers of a VRRP backup group; otherwise the group does not operate properly.
The working mode must be identical within a VRRP backup group: either all members in preemptive mode or all in non-preemptive mode.
Before configuring a VRRP group, make sure the vrrp ping-enable function is enabled; otherwise the VRRP virtual address cannot be pinged.
A VRRP tracked (monitored) interface can only be a VLAN interface, not a physical port.
Do not modify the hello time of a VRRP group unless absolutely necessary. If several VRRP groups exist, set their hello times to distinct prime numbers (such as 2, 3, 5, 7) so that their advertisements do not all coincide and cause excessive CPU load.
4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, S9500-A and S9500-B have multiple Layer 2 switches attached to them. Assume that the IP address of the VLAN 2 interface on S9500-A is 2.1.1.1, the IP address of the VLAN 2 interface on S9500-B is 2.1.1.2, and the address of the virtual router is 2.1.1.3. Host A can access the Internet if its gateway address is set to 2.1.1.3.
This is a typical VRRP network. The two Layer 3 switches (S9500-A and S9500-B) can form multiple VRRP backup groups. For example, the Layer 2 devices connect to the virtual address 2.1.1.3, and the hosts access the Internet through that virtual gateway. When either S9500-A or S9500-B fails, the other takes over and traffic continues.
4.2 Networking Diagram
Figure 4-1 Networking diagram of VRRP
4.3 Configuration Procedure
S9500-A and S9500-B form two backup groups. In VLAN 2, S9500-A acts as Master and S9500-B as Backup; in VLAN 3, S9500-B acts as Master and S9500-A as Backup. S9500-A is configured to track the VLAN 8 interface: when the VLAN 8 interface goes down, S9500-A lowers its priority in the VLAN 2 VRRP group so that it becomes Backup. S9500-B is configured to track the VLAN 9 interface: when the VLAN 9 interface goes down, S9500-B lowers its priority in the VLAN 3 VRRP group so that it becomes Backup.
1) Configure S9500-A.
# Configure the MSTP instances.
[S9500-A] stp enable
[S9500-A] stp non-flooding
[S9500-A] stp region-configuration
[S9500-A-mst-region] region-name vrrp
[S9500-A-mst-region] instance 2 vlan 2
[S9500-A-mst-region] instance 3 vlan 3
[S9500-A-mst-region] active region-configuration
[S9500-A-mst-region] quit
[S9500-A] stp instance 2 root primary
[S9500-A] stp instance 3 root secondary
[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] stp disable
[S9500-A-GigabitEthernet3/1/1] quit
# Create the VLANs and the IP addresses of their interfaces.
[S9500-A] vlan 2
[S9500-A-vlan2] interface Vlan-interface 2
[S9500-A-Vlan-interface2] ip address 2.1.1.1 8
[S9500-A-Vlan-interface2] quit
[S9500-A] vlan 3
[S9500-A-vlan3] interface Vlan-interface 3
[S9500-A-Vlan-interface3] ip address 3.1.1.1 8
[S9500-A-Vlan-interface3] quit
[S9500-A] vlan 8
[S9500-A-vlan8] interface Vlan-interface 8
[S9500-A-Vlan-interface8] ip address 8.1.1.1 8
[S9500-A-Vlan-interface8] quit
# Add the ports to the VLANs.
[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] port access vlan 8
[S9500-A-GigabitEthernet3/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/1
[S9500-A-GigabitEthernet2/1/1] port link-type trunk
[S9500-A-GigabitEthernet2/1/1] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-A-GigabitEthernet2/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/2
[S9500-A-GigabitEthernet2/1/2] port link-type trunk
[S9500-A-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/2] port trunk permit vlan 2
[S9500-A-GigabitEthernet2/1/2] quit
[S9500-A] interface GigabitEthernet 2/1/3
[S9500-A-GigabitEthernet2/1/3] port link-type trunk
[S9500-A-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/3] port trunk permit vlan 3
[S9500-A-GigabitEthernet2/1/3] quit
# Configure the VRRP backup groups.
[S9500-A] interface Vlan-interface 2
[S9500-A-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-A-Vlan-interface2] quit
[S9500-A] interface Vlan-interface 3
[S9500-A-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3
[S9500-A-Vlan-interface3] quit
# Configure the priority and advertisement interval of the VRRP backup group (optional).
[S9500-A-Vlan-interface3] quit
[S9500-A] interface vlan 2
[S9500-A-Vlan-interface2] vrrp vrid 1 priority 130
[S9500-A-Vlan-interface2] vrrp vrid 1 timer advertise 2
# Configure the monitoring interface to monitor the virtual interface of VLAN 8.
[S9500-A-Vlan-interface2] vrrp vrid 1 track Vlan-interface 8 reduced 40
[S9500-A-Vlan-interface2] quit
2) Configure S9500-B
<S9500-B> system-view
# Configure MSTP instances.
[S9500-B] stp enable
[S9500-B] stp non-flooding
[S9500-B] stp region-configuration
[S9500-B-mst-region] region-name vrrp
[S9500-B-mst-region] instance 2 vlan 2
[S9500-B-mst-region] instance 3 vlan 3
[S9500-B-mst-region] active region-configuration
[S9500-B-mst-region] quit
[S9500-B] stp instance 3 root primary
[S9500-B] stp instance 2 root secondary
[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] stp disable
[S9500-B-GigabitEthernet3/1/1] quit
# Create VLANs and their interface IP addresses.
[S9500-B] vlan 2
[S9500-B-vlan2] interface Vlan-interface 2
[S9500-B-Vlan-interface2] ip address 2.1.1.2 8
[S9500-B-Vlan-interface2] quit
[S9500-B] vlan 3
[S9500-B-vlan3] interface vlan 3
[S9500-B-Vlan-interface3] ip address 3.1.1.2 8
[S9500-B-Vlan-interface3] quit
[S9500-B] vlan 9
[S9500-B-vlan9] interface vlan 9
[S9500-B-Vlan-interface9] ip address 9.1.1.1 8
[S9500-B-Vlan-interface9] quit
# Add ports to VLANs.
[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] port access vlan 9
[S9500-B-GigabitEthernet3/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/1
[S9500-B-GigabitEthernet2/1/1] port link-type trunk
[S9500-B-GigabitEthernet2/1/1] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-B-GigabitEthernet2/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/2
[S9500-B-GigabitEthernet2/1/2] port link-type trunk
[S9500-B-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/2] port trunk permit vlan 3
[S9500-B-GigabitEthernet2/1/2] quit
[S9500-B] interface GigabitEthernet 2/1/3
[S9500-B-GigabitEthernet2/1/3] port link-type trunk
[S9500-B-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/3] port trunk permit vlan 2
[S9500-B-GigabitEthernet2/1/3] quit
# Configure the VRRP backup group.
[S9500-B] interface vlan 2
[S9500-B-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-B-Vlan-interface2] interface vlan 3
[S9500-B-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3
# Configure the priority and advertisement interval of the VRRP backup group (optional).
[S9500-B-Vlan-interface3] vrrp vrid 1 priority 130
[S9500-B-Vlan-interface3] interface vlan 2
[S9500-B-Vlan-interface2] vrrp vrid 1 timer advertise 2
# Configure the monitoring interface to monitor the virtual interface of VLAN 9.
[S9500-B-Vlan-interface2] interface vlan 3
[S9500-B-Vlan-interface3] vrrp vrid 1 track Vlan-interface 9 reduced 40
[S9500-B-Vlan-interface3] quit
3) Configure L2SW-A
[L2SW-A] vlan 2
[L2SW-A-vlan2] quit
[L2SW-A] interface Ethernet 0/1
[L2SW-A-Ethernet0/1] port link-type trunk
[L2SW-A-Ethernet0/1] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/1] port trunk permit vlan 2
[L2SW-A-Ethernet0/1] quit
[L2SW-A] interface Ethernet 0/2
[L2SW-A-Ethernet0/2] port link-type trunk
[L2SW-A-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/2] port trunk permit vlan 2
[L2SW-A-Ethernet0/2] quit
[L2SW-A] interface Ethernet 0/3
[L2SW-A-Ethernet0/3] port access vlan 2
4) Configure L2SW-B
[L2SW-B] vlan 3
[L2SW-B-vlan3] quit
[L2SW-B] interface Ethernet 0/1
[L2SW-B-Ethernet0/1] port link-type trunk
[L2SW-B-Ethernet0/1] undo port trunk permit vlan 1
[L2SW-B-Ethernet0/1] port trunk permit vlan 3
[L2SW-B-Ethernet0/1] quit
[L2SW-B] interface Ethernet 0/2
[L2SW-B-Ethernet0/2] port link-type trunk
[L2SW-B-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-B-Ethernet0/2] port trunk permit vlan 3
[L2SW-B-Ethernet0/2] quit
[L2SW-B] interface Ethernet 0/3
[L2SW-B-Ethernet0/3] port access vlan 3
4.4 Complete Configuration
1) Configure S9500-A.
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 timer advertise 2
 vrrp vrid 1 track Vlan-interface8 reduced 40
#
interface Vlan-interface3
 ip address 3.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 8
#
stp instance 2 root primary
stp instance 3 root secondary
stp enable
stp region-configuration
 region-name vrrp
 instance 2 vlan 2
 instance 3 vlan 3
 active region-configuration
#
2) Configure S9500-B.
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 timer advertise 2
#
interface Vlan-interface3
 ip address 3.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 track Vlan-interface9 reduced 40
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 9
#
stp instance 3 root primary
stp instance 2 root secondary
stp enable
stp region-configuration
 region-name vrrp
 instance 2 vlan 2
 instance 3 vlan 3
 active region-configuration
#
3) Configure L2SW-A.
#
vlan 2
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/3
 port access vlan 2
#
4) Configure L2SW-B.
#
vlan 3
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface Ethernet0/3
 port access vlan 3
#
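The two S9500 configurations above only work as an active/active pair if they agree with each other: VRID 1 on each VLAN interface must carry the same virtual IP on both switches, exactly one switch should hold the raised priority per VLAN, the advertisement timers must match, and the tracking penalty must push the master below the backup when its uplink VLAN interface goes down (130 - 40 = 90, which is below the backup's default 100). The Python script below is an added example and is not part of the H3C document: it parses the VRRP lines of both configurations (embedded here as constructed strings copied from the complete configurations, with the uplink VLAN interfaces omitted as on the page) and reports each of those inconsistencies. The default priority of 100 and the default advertisement interval of 1 second are assumed VRRP protocol defaults, not values stated on the page.

```python
"""Consistency check for a VRRP pair in Comware-style configuration (added example)."""
from collections import defaultdict

# Assumed VRRP protocol defaults (RFC 3768); the page does not state them.
DEFAULT_PRIORITY = 100
DEFAULT_ADVERTISE = 1   # seconds

# Constructed input: the VRRP-relevant lines of the S9500-A and S9500-B
# complete configurations from the example, uplink VLAN interfaces omitted.
S9500_A = """\
interface Vlan-interface2
 ip address 2.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 timer advertise 2
 vrrp vrid 1 track Vlan-interface8 reduced 40
#
interface Vlan-interface3
 ip address 3.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
#
"""

S9500_B = """\
interface Vlan-interface2
 ip address 2.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 timer advertise 2
#
interface Vlan-interface3
 ip address 3.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 track Vlan-interface9 reduced 40
#
"""


def parse_vrrp(config):
    """Return {interface: {vrid: settings}} for every VRRP group in the config."""
    groups = defaultdict(dict)
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                          # block separator ends the interface view
            iface = None
        elif line.startswith("interface "):
            iface = "".join(line.split()[1:])    # "Vlan-interface 2" and "Vlan-interface2" both work
        elif iface and line.startswith("vrrp vrid "):
            args = line.split()
            g = groups[iface].setdefault(int(args[2]), {
                "virtual_ip": None, "priority": DEFAULT_PRIORITY,
                "advertise": DEFAULT_ADVERTISE, "track": None, "reduced": 0})
            if args[3] == "virtual-ip":
                g["virtual_ip"] = args[4]
            elif args[3] == "priority":
                g["priority"] = int(args[4])
            elif args[3:5] == ["timer", "advertise"]:
                g["advertise"] = int(args[5])
            elif args[3] == "track":
                cut = args.index("reduced")
                g["track"] = "".join(args[4:cut])   # tolerate "Vlan-interface 8" with a space
                g["reduced"] = int(args[cut + 1])
    return dict(groups)


def check_pair(config_a, config_b):
    """Return a list of problems that would stop A and B from backing each other up."""
    a, b = parse_vrrp(config_a), parse_vrrp(config_b)
    problems = []
    for iface in sorted(set(a) | set(b)):
        ga_all, gb_all = a.get(iface, {}), b.get(iface, {})
        for vrid in sorted(set(ga_all) | set(gb_all)):
            where = f"{iface} vrid {vrid}"
            ga, gb = ga_all.get(vrid), gb_all.get(vrid)
            if ga is None or gb is None:
                problems.append(f"{where}: group configured on only one router")
                continue
            if ga["virtual_ip"] != gb["virtual_ip"]:
                problems.append(f"{where}: virtual IP mismatch "
                                f"({ga['virtual_ip']} vs {gb['virtual_ip']})")
            if ga["priority"] == gb["priority"]:
                problems.append(f"{where}: equal priorities, master decided by IP address")
            if ga["advertise"] != gb["advertise"]:
                problems.append(f"{where}: advertisement timers differ "
                                f"({ga['advertise']}s vs {gb['advertise']}s)")
            # The intended master must drop below the backup when its tracked uplink fails.
            master, backup = (ga, gb) if ga["priority"] >= gb["priority"] else (gb, ga)
            degraded = master["priority"] - master["reduced"]
            if master["track"] and degraded >= backup["priority"]:
                problems.append(f"{where}: after {master['track']} fails priority is "
                                f"{degraded}, not below backup {backup['priority']}: no failover")
    return problems


if __name__ == "__main__":
    for p in check_pair(S9500_A, S9500_B) or ["VRRP pair is consistent"]:
        print(p)
```

Run against the two configurations as printed above the check reports nothing; feeding it the procedure's earlier slip (virtual IP 2.1.1.3 on S9500-B's VLAN 3 interface) or a tracking penalty of only 20 makes it flag a virtual IP mismatch or a master that never hands over, which is exactly the kind of silent error that a running `display vrrp` looks healthy under until the uplink actually fails.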