5/26/2020 Application of Firewalls in the Core Network PS Domain - Huawei

Application of Firewalls in the Core Network PS Domain
Updated: 2019-06-07
Introduction
This section describes the application of firewalls in the PS security solution. By analyzing the security issues
faced by the mobile core network, this section provides a typical application solution of the firewall.

This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00 and can be
used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00,
Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document content may vary according to version.

Solution Overview

Introduction to Mobile Core Networks

Figure 1-1 shows the architecture of a mobile network. Data from a mobile terminal passes through the mobile
access/aggregation network (or RAN) and the mobile core network before it arrives at the Internet.

https://support.huawei.com/enterprise/en/doc/EDOC1100087916

Figure 1-1 Application of the FW on the mobile core network

The 2G/3G mobile core network includes a Circuit Switched (CS) domain and a Packet Switched (PS) domain. The
CS domain deals with voice services (such as telephony); the PS domain provides data services (such as Internet
access).

Long Term Evolution (LTE) is the evolutionary technology of 3G. Currently, all mainstream carriers are regarding
LTE as the major 4G trend. The LTE network includes the E-UTRAN (radio access subsystem) and SAE (core
network subsystem). The LTE architecture builds entirely on the PS domain and has no CS domain of 2G/3G. The
LTE core network is also referred to as the Evolved Packet Core (EPC).
Application of the FW on the Mobile Core Network

Because public IPv4 addresses are limited, private addresses are generally allocated to mobile terminals on the
core network, and public addresses are normally not allocated. Therefore, where a mobile terminal needs to
access the Internet, address translation is required.

As shown in Figure 1-1, the FW is deployed at the Internet egress of a mobile core network (the Internet egress
of 2G/3G core networks is the Gi interface, and the Internet egress of 4G core networks is the SGi interface). The
FW provides NAT, inter-zone isolation, and border protection.

Traffic Model

Traffic on the FW comes mainly from the Gi/SGi interface. Some of the traffic is directly routed to the Internet;
other traffic is routed to the WAP gateway (and then forwarded by the WAP gateway to the Internet). The traffic
from the mobile terminal directly to the Internet is referred to as Internet traffic; the traffic from the mobile
terminal to the WAP gateway is referred to as WAP traffic. Internet traffic and WAP traffic are collectively referred
to as Gi/SGi traffic.

In addition to the Gi/SGi traffic, Gn and Gp traffic sometimes also passes through the firewall. Gn traffic is the
traffic between the local GGSN (P-GW) and SGSN (S-GW).

The paths for the various types of service traffic are as follows:

Internet traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > Internet

Packets from the mobile terminal pass through the access/aggregation network and the core network and arrive
at the Gi/SGi interface. The FW then performs NAT on the packets and forwards them to the Internet. In this
case, the FW processes the original TCP/UDP packets from the mobile terminal.

WAP traffic
Mobile terminal > SGSN (S-GW) > GGSN (P-GW) > Firewall > Backbone > WAP gateway

A GRE tunnel is set up directly between the GGSN (P-GW) and the WAP gateway. The traffic is sent to the WAP
gateway, which acts as a proxy and forwards the packets to the Internet. In this case, the FW processes GRE
packets. The share of such traffic is shrinking on 4G networks.

Solution Design

Typical Networking

Networking Diagram

Figure 1-2 shows the typical networking of the FW at the Gi/SGi egress of a mobile core network. The service
interface works at Layer 3, and the FW is connected to the backbone and GGSN/P-GW through routers.

Figure 1-2 Typical networking of the FW in a mobile core network


The following functions are deployed on the FW in the networking:

1. HRP is configured on the FWs so that they work in active/standby mode, improving network reliability
and preventing single points of failure. A heartbeat link is connected between the two FWs for active/standby
negotiation and status backup.
If a great deal of data needs to be backed up, multiple heartbeat links are recommended. When a 10GE link
serves as an HRP backup channel, it can support a new-session rate of 50,000/s or 5 million concurrent sessions,
or carry 5 Gbit/s of service traffic. The number of required interfaces is assessed based on the actual traffic
volume, and N+1 backup is recommended for the interfaces. For example, with 10 million concurrent sessions,
at least two 10GE links are required as HRP backup channels, so three 10GE interfaces are bundled for backup
during design.

2. OSPF is deployed between the FWs and their upstream and downstream devices. The FWs run OSPF process 1
with the upstream backbone network and OSPF process 2 with the downstream GGSN network.
The hrp adjust ospf-cost enable command enables adjustment of the OSPF cost based on the active/standby
status (HRP-OSPF association). In normal cases, the cost of the OSPF routes advertised by the standby firewall
is increased by 65,500 so that traffic is preferentially routed to the active firewall. When an interface of the FW
or the FW itself fails, an active/standby switchover takes place and the OSPF costs are adjusted: the cost of the
routes over the original primary link increases by 65,500 and the cost over the backup link decreases, so that
traffic is preferentially routed to the original standby firewall, ensuring service continuity.

3. The hrp track command is configured on the upstream and downstream interfaces of the FW to monitor
these interfaces.

4. Non-forced advertisement of the default route is configured in OSPF process 2 so that the firewall directs
traffic toward the backbone network.

5. The HRP track BFD function is configured to detect remote link faults, such as faults in the link between
RouterC and the backbone network.
The bfd cfg-name bind peer-ip peer-ip [ interface interface-type interface-number ] command is used to bind
a BFD session to a peer IP address; the link to be detected needs to be specified. The process-interface-status
command associates the BFD session with the bound interface.

If the peer device does not support BFD, IP-link can be used to carry out an active/standby switchover in case
of a fault.

Availability Analysis

Figure 1-3 shows the switchover upon failure of the active firewall FW_A. The specific process is as follows:

Switchover upon failure:

FW_A fails, and FW_B becomes active. The OSPF neighbor relationships between the routers RouterA, RouterC,
and FW_A no longer exist, and the route is switched to FW_B.

Recovery from failure:

After FW_A recovers from the failure, the OSPF neighbor relationships between the routers RouterA, RouterC,
and FW_A are restored, and FW_A becomes active. The route is switched back to FW_A, and traffic is routed to
FW_A again.

Figure 1-3 Firewall failure

Figure 1-4 shows the switchover upon failure of a link connecting the active firewall FW_A (the link to the
backbone or to the GGSN/P-GW). The specific process is as follows:

Switchover upon failure:

When the active link fails, FW_A becomes standby, and its neighbor relationship with RouterA (RouterC) is torn
down. FW_B becomes active, and the cost of the OSPF routes is adjusted. The route on the right side is
selected in priority, and traffic is switched over to the corresponding link.

Recovery from failure:

After the link recovers from the failure, FW_A becomes active, and its neighbor relationship with RouterA
(RouterC) is restored. The route is switched back to FW_A, and the traffic is switched back to the original link.

Figure 1-4 Link failure
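The HRP-OSPF cost association and the two failure cases above, as an added model in Python (not part of the Huawei document): the standby firewall advertises its routes with cost +65,500, the tracked interfaces decide who is active, and each side's router simply takes the cheapest path. The base link cost and the tie handling are assumptions; the 300 s preemption delay and BFD are not modelled.

```python
from dataclasses import dataclass, field

STANDBY_PENALTY = 65500  # from the page: the standby FW advertises its routes with cost +65,500
BASE_COST = 1            # assumed OSPF cost of each Eth-Trunk link (not given on the page)


@dataclass
class Firewall:
    name: str
    active: bool
    up: bool = True
    # Interfaces monitored with hrp track: Eth-Trunk1 (backbone side) and Eth-Trunk2 (GGSN side).
    links: dict = field(default_factory=lambda: {"backbone": True, "ggsn": True})

    def tracked_ok(self) -> bool:
        """True while the device and both tracked interfaces are up."""
        return self.up and all(self.links.values())

    def advertised_cost(self, side: str, cost_adjust: bool):
        """Cost the router on `side` sees for routes via this FW, or None when the
        OSPF adjacency on that side is gone (device down or that link down)."""
        if not self.up or not self.links[side]:
            return None
        penalty = STANDBY_PENALTY if (cost_adjust and not self.active) else 0
        return BASE_COST + penalty


class HrpPair:
    """FW_A (preferred active) and FW_B in HRP active/standby, as in Figure 1-2."""

    def __init__(self, cost_adjust: bool = True):
        self.cost_adjust = cost_adjust  # whether hrp adjust ospf-cost enable is configured
        self.fw = {"FW_A": Firewall("FW_A", active=True),
                   "FW_B": Firewall("FW_B", active=False)}

    def _negotiate(self):
        # VGMP negotiation: FW_A stays active only while nothing it tracks has failed,
        # and preempts again on recovery (the preemption delay is not modelled).
        a_ok = self.fw["FW_A"].tracked_ok()
        self.fw["FW_A"].active = a_ok
        self.fw["FW_B"].active = not a_ok

    def set_device(self, name: str, up: bool):
        self.fw[name].up = up
        self._negotiate()

    def set_link(self, name: str, side: str, up: bool):
        self.fw[name].links[side] = up
        self._negotiate()

    def path(self, side: str):
        """FW chosen by the router on `side` (lowest cost), 'ECMP(...)' on a tie,
        None when neither FW offers a route."""
        costs = {fw.name: fw.advertised_cost(side, self.cost_adjust) for fw in self.fw.values()}
        costs = {n: c for n, c in costs.items() if c is not None}
        if not costs:
            return None
        best = min(costs.values())
        winners = sorted(n for n, c in costs.items() if c == best)
        return winners[0] if len(winners) == 1 else "ECMP(" + ",".join(winners) + ")"

    def paths(self):
        """(choice of the backbone-side router, choice of the GGSN-side router).
        A sound design gives the same FW on both sides; a mismatch means part of
        the traffic lands on a FW whose far-side link is down."""
        return self.path("backbone"), self.path("ggsn")


if __name__ == "__main__":
    pair = HrpPair()
    print("normal:", pair.paths())
    pair.set_link("FW_A", "ggsn", False)
    print("FW_A GGSN link down, cost adjustment on:", pair.paths())
    no_adjust = HrpPair(cost_adjust=False)
    no_adjust.set_link("FW_A", "ggsn", False)
    print("same fault without cost adjustment:", no_adjust.paths())
```

The last case shows why item 2 matters: without the cost adjustment the backbone router still sees FW_A at the same cost after FW_A's GGSN link has failed, and splits traffic onto a firewall that cannot deliver it.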
Service Planning

Interfaces and Security Zones

To prevent communication failures between the active and standby firewalls due to heartbeat interface faults, using
an Eth-Trunk interface as the heartbeat interface is recommended. For devices on which multiple NICs can be
installed (for the support situation, see the hardware guide), an inter-board Eth-Trunk interface is required. That
is, the member interfaces of the Eth-Trunk interface are on different LPUs. The inter-board Eth-Trunk improves
reliability and increases bandwidth. On devices that do not support interface expansion or inter-board Eth-Trunk,
a faulty LPU may make all HRP backup channels unavailable and compromise services.

The upstream and downstream physical links must have the same bandwidth, and it must be greater than the peak
traffic. Otherwise, services are affected by traffic congestion in case of a traffic burst.

Table 1-1 describes the planning of interfaces and security zones on the FWs.

Table 1-1 Planning of interfaces and security zones

Interface   FW_A                               FW_B                               Description

Eth-Trunk0  Member ports:                      Member ports:                      HRP backup interface.
            a. GE1/0/1                         a. GE1/0/1
            b. GE2/0/1                         b. GE2/0/1
            IP address: 192.168.3.1/24         IP address: 192.168.3.2/24
            Security zone: hrpzone             Security zone: hrpzone

Eth-Trunk1  Member ports:                      Member ports:                      Interface connecting to the
            a. GE2/0/2                         a. GE2/0/2                         Internet.
            b. GE2/0/3                         b. GE2/0/3
            IP address: 1.1.1.1/24             IP address: 1.1.2.1/24
            Security zone: untrust             Security zone: untrust

Eth-Trunk2  Member ports:                      Member ports:                      Interface connecting to
            a. GE2/0/4                         a. GE2/0/4                         Gi/SGi services.
            b. GE2/0/5                         b. GE2/0/5
            IP address: 10.14.1.1/24           IP address: 10.14.2.1/24
            Security zone: trust               Security zone: trust

Security Policies

Table 1-2 describes the planning of security policies on the FW.

Table 1-2 Planning of security policies

Item             Source Zone  Destination Zone  Description

Local - Trust    Local        Trust             The security policy for access of the FW to the trust zone,
                                                which may be set to permit all packets. If a fine-grained
                                                policy is required, note that OSPF packets should be
                                                permitted.

                 Trust        Local             The security policy for access from the Trust zone to the
                                                FW, which may be set to:
                                                a. Permit packets for login and device management,
                                                   including SSH and HTTPS packets.
                                                b. Permit OSPF packets.

Local - Untrust  Local        Untrust           The security policy for access of the FW to the untrust
                                                zone, which may be set to permit all packets. If a
                                                fine-grained policy is required, note that OSPF packets
                                                should be permitted.

                 Untrust      Local             The security policy for access from the untrust zone to
                                                the FW, which may be set to:
                                                a. Permit packets for login and device management,
                                                   including SSH and HTTPS packets.
                                                b. Permit OSPF packets.

Local - hrpzone  Local        hrpzone           Security policy between the backup interfaces of the
                                                active and standby firewalls, which can be used for
                                                login switching between the firewalls.

                 hrpzone      Local             Security policy between the backup interfaces of the
                                                active and standby firewalls, which can be used for
                                                login switching between the firewalls.

Trust - Untrust  Trust        Untrust           a. Configure a rule that permits packets whose source
                                                   address is a private address of a mobile terminal,
                                                   and configure NAT for the private address.
                                                b. Configure packet filtering for the GRE tunnel
                                                   endpoints: the GGSN at the start of the tunnel and
                                                   the WAP-side router at its end.

                 Untrust      Trust             Configure packet filtering for the GRE tunnel endpoints:
                                                the GGSN at the start of the tunnel and the WAP-side
                                                router at its end.
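Added example (not part of the Huawei document): a small parser for security-policy rules in the CLI form used in this page's configuration procedure, plus an audit of the parsed rules against the planning in Table 1-2. The sample rule set is constructed from this page's FW_A rules; the audit rules (any-any permits between trust and untrust, a trust-to-untrust permit whose source is not a private range, unrestricted access to the FW itself) are this example's reading of the table, not a Huawei tool.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips "[FW_A-policy-security-rule-x] " from a pasted transcript


def parse_rules(cli_text: str):
    """Parse security-policy rules written in the page's CLI form (prompts optional).
    Each rule becomes a dict with name, source_zone, destination_zone,
    source_address / destination_address (lists of ip_network) and action."""
    rules, cur = [], None
    for raw in cli_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[:2] == ["rule", "name"] and len(tok) == 3:
            cur = {"name": tok[2], "source_zone": None, "destination_zone": None,
                   "source_address": [], "destination_address": [], "action": None}
            rules.append(cur)
        elif cur is None:
            continue  # lines before the first rule (security-policy, quit, ...)
        elif tok[0] in ("source-zone", "destination-zone") and len(tok) == 2:
            cur[tok[0].replace("-", "_")] = tok[1]
        elif tok[0] in ("source-address", "destination-address") and len(tok) == 3:
            # The CLI writes "10.14.1.0 24"; turn it into a proper network object.
            cur[tok[0].replace("-", "_")].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "action" and len(tok) == 2:
            cur["action"] = tok[1]
    return rules


def audit(rules):
    """Return (rule name, reason) for permit rules broader than Table 1-2 plans."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        zones = {r["source_zone"], r["destination_zone"]}
        unrestricted = not r["source_address"] and not r["destination_address"]
        if zones == {"trust", "untrust"} and unrestricted:
            findings.append((r["name"], "any-any permit between trust and untrust; match the "
                                        "terminal address range or the GRE tunnel endpoints"))
        elif r["source_zone"] == "trust" and r["destination_zone"] == "untrust" \
                and not all(n.is_private for n in r["source_address"]):
            findings.append((r["name"], "trust->untrust source should be the private terminal "
                                        "range that is translated by NAT"))
        elif "local" in zones and unrestricted:
            findings.append((r["name"], "access to/from the FW itself must be limited to the "
                                        "FW's own interface network"))
    return findings


# Constructed sample: the FW_A rules of this page's configuration procedure, the first
# still carrying its CLI prompts to show that prompts are tolerated.
SAMPLE_CONFIG = """\
[FW_A] security-policy
[FW_A-policy-security] rule name local_trust_outbound
[FW_A-policy-security-rule-local_trust_outbound] source-zone local
[FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_outbound] action permit
rule name local_trust_inbound
 source-zone trust
 destination-zone local
 destination-address 10.14.1.0 24
 action permit
rule name trust_untrust_outbound1
 source-zone trust
 destination-zone untrust
 action permit
rule name trust_untrust_inbound1
 source-zone untrust
 destination-zone trust
 action permit
rule name trust_untrust_outbound2
 source-zone trust
 destination-zone untrust
 source-address 10.10.0.0 16
 action permit
"""

if __name__ == "__main__":
    for name, reason in audit(parse_rules(SAMPLE_CONFIG)):
        print(f"{name}: {reason}")
```

Run against the sample, the audit flags exactly the two any-any rules that the configuration procedure itself says should be refined to site requirements.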

Routes

The route planning is as follows:

1. Black-hole routes are configured for the NAT addresses, and static routes are advertised to avoid routing loops.

2. The firewall learns the default route from the Internet-side device and advertises the default route to the core
network-side device through non-forced advertisement of the OSPF default route. Routing policies also need to be
configured: when the firewall and the Internet-side device import static routes, only the routes to addresses in
the NAT address pool are advertised, and routes to the other private addresses are not advertised.

3. The firewall learns the addresses of intranet servers and terminal IP addresses from the core network-side
device and advertises the routes of the servers to the Internet-side device. Filtering policies are configured on
the firewall and the core network-side device, and the firewall does not need to learn the default route from
the core network-side device.

Table 1-3 describes the planning of routes on the FWs.

Table 1-3 Planning of routes

FW_A                                   FW_B                                   Description

Destination address: 0.0.0.0/0         Destination address: 0.0.0.0/0         Default routes learned through OSPF.
Next hop: 1.1.1.2 (IP address of       Next hop: 1.1.2.2 (IP address of
RouterC)                               RouterD)

Destination address: 10.20.0.0/16      Destination address: 10.20.0.0/16      The route to the GGSN side learned
Next hop: 10.14.1.2 (IP address of     Next hop: 10.14.2.2 (IP address of     through OSPF.
RouterA)                               RouterB)

Destination addresses:                 Destination addresses:                 Black-hole routes to prevent route loops.
1.1.10.10, 1.1.10.11, 1.1.10.12,       1.1.10.10, 1.1.10.11, 1.1.10.12,
1.1.10.13, 1.1.10.14, 1.1.10.15        1.1.10.13, 1.1.10.14, 1.1.10.15
Next hop: NULL0                        Next hop: NULL0

NAT

If the IP address obtained by a mobile terminal is a private address, NAT is required on the FW. The public
address obtained through NAT is used for Internet access. NAT reduces the use of public addresses and improves
the intranet security.

The usual NAT mode for FWs is NAT PAT. Empirically, one NAT address supports the NAT for 5000 to 10,000
private IP addresses. Table 1-4 describes the planning of the NAT address pool. The configuration is the same for
the active and standby firewalls.

Table 1-4 Planning of the NAT address pool

Item       FW_A                    FW_B

ID         1                       1
Mode       pat                     pat
Addresses  1.1.10.10-1.1.10.15     1.1.10.10-1.1.10.15

Table 1-5 describes the planning of NAT policies.

Table 1-5 Planning of NAT policies

Item                 FW_A                                               FW_B

Security zone        Trust - Untrust                                    Trust - Untrust
Direction            Outbound                                           Outbound
Match condition      All packets from the 10.10.0.0/16 network segment  All packets from the 10.10.0.0/16 network segment
Action               source-nat                                         source-nat
NAT address pool ID  1                                                  1

NAT is performed by the FW for FTP, RTSP, and PPTP traffic from mobile terminals to the Internet. ASPF must be
configured between the zone where the Gi/SGi interface resides and the Untrust zone so that these applications
work correctly through NAT.

Attack Defense

Attack defense should be enabled on the FW for security defense. The recommended configuration is as follows:

firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable

Network Management (SNMP)

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol on
TCP/IP networks. An SNMP agent should be configured on the FW so that the FW can be managed from an
NMS server.

Log (eLog)

The eLog server is used to collect NAT session logs for source tracing. Configure the FW to output session logs to
the eLog server, including the log output format, source address, and source port.
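An added example (not from the Huawei document) of the source tracing the eLog server is kept for: it pairs NAT session create/close records into sessions and answers which terminal sat behind a given public address and port at a given time. The record format and all addresses are constructed, since the page does not show eLog's format; the example also shows why, with the 5-tuple NAT recommended in the Precautions, the remote address is needed to make the answer unique.

```python
import re
from datetime import datetime

# Constructed record format (the page does not show eLog's real one): one line per
# session create/close event, carrying the original and the translated source socket.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) NAT-SESSION "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"nat-src=(?P<nsrc>[\d.]+):(?P<nport>\d+) event=(?P<event>create|close)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: public address 1.1.10.10 is from Table 1-4, terminals sit in
# 10.10.0.0/16 as in Table 1-5, remote hosts use documentation address ranges.
SAMPLE_LOG = """\
2019-06-07 10:00:01 NAT-SESSION src=10.10.1.5:40000 dst=203.0.113.10:443 nat-src=1.1.10.10:20001 event=create
2019-06-07 10:00:02 NAT-SESSION src=10.10.2.9:51000 dst=198.51.100.7:80 nat-src=1.1.10.10:20001 event=create
2019-06-07 10:05:00 NAT-SESSION src=10.10.1.5:40000 dst=203.0.113.10:443 nat-src=1.1.10.10:20001 event=close
2019-06-07 10:06:00 NAT-SESSION src=10.10.3.3:33000 dst=203.0.113.10:443 nat-src=1.1.10.10:20001 event=create
2019-06-07 10:07:30 NAT-SESSION src=10.10.2.9:51000 dst=198.51.100.7:80 nat-src=1.1.10.10:20001 event=close
this line is not a NAT session record and is ignored
"""


def parse_sessions(log_text):
    """Pair create/close events by the full mapping (private socket, remote socket,
    public socket). Returns dicts with start, end (None while still open), src, dst, nat."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        key = (f["src"], int(f["sport"]), f["dst"], int(f["dport"]), f["nsrc"], int(f["nport"]))
        ts = datetime.strptime(f["ts"], TS_FMT)
        if f["event"] == "create":
            session = {"start": ts, "end": None, "src": key[0:2], "dst": key[2:4], "nat": key[4:6]}
            open_sessions[key] = session
            sessions.append(session)
        elif key in open_sessions:
            open_sessions.pop(key)["end"] = ts  # a close without a create is ignored
    return sessions


def trace(sessions, nat_ip, nat_port, when, dst=None):
    """Private (ip, port) sockets mapped to public nat_ip:nat_port at time `when`
    (a "YYYY-MM-DD HH:MM:SS" string), sorted by address. With 5-tuple NAT the same
    public socket can serve several sessions to different remote hosts at once, so
    pass the remote (ip, port) from the complaint to get a single answer."""
    at = datetime.strptime(when, TS_FMT)
    hits = []
    for s in sessions:
        if s["nat"] != (nat_ip, nat_port):
            continue
        if dst is not None and s["dst"] != dst:
            continue
        if s["start"] <= at and (s["end"] is None or at < s["end"]):
            hits.append(s["src"])
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print(trace(sessions, "1.1.10.10", 20001, "2019-06-07 10:03:00"))
    print(trace(sessions, "1.1.10.10", 20001, "2019-06-07 10:03:00", dst=("203.0.113.10", 443)))
```

Because the same public port is reused after 10:05:00, the timestamp of the complaint must be compared against the session's create and close times, not just its create time.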

Precautions

Hot Standby

The recommended preemption delay of a VGMP group is 300s.

Hot standby supports only OSPF and BGP route adjustment, but not IS-IS route adjustment. If OSPF or BGP
route adjustment is configured, configure an interzone policy to permit OSPF or BGP packets.

In hot standby networking, if the upstream device runs BGP, the downstream device runs OSPF, and OSPF uses
default-route-advertise to generate a default route, perform the following configurations to avoid loops:

a. Change the BGP route priority to a value larger than 10 and smaller than 150.
The default priority of an OSPF intra-area route is 10 (highest priority). The default route is an OSPF external
route, and its default priority is 150. The default priority of a BGP route is 255 (lowest priority). If the default
priority is used, the BGP route cannot take effect.

b. Configure route filtering to prevent the learning of the default downstream OSPF route.
If the upstream device learns the default downstream route, the traffic of the upstream device cannot reach
the extranet.

HRP is associated with routing protocols for cost adjustment. Table 1-6 describes the support for routes.

Table 1-6 Routing protocols for cost adjustment associated with HRP

Item                          Supported or Not

BGP routes that can be        By route type:
associated with HRP           a. BGP IPv4 unicast routes
                              b. BGP VPNv4 routes
                              c. BGP IPv6 unicast routes
                              By route origin:
                              a. Routes learned from IBGP peers
                              b. Routes learned from EBGP peers
                              c. Routes learned from other routing protocols
                              d. Advertised default routes

OSPF routes that can be       By route origin:
associated with HRP           a. Direct routes advertised using the network command
                              b. Imported external routes
                              c. Advertised default routes
                              By LSA type:
                              a. Type 1 LSA: router LSA
                              b. Type 3 LSA: summary LSA
                              c. Type 5 LSA: AS-external-LSA
                              d. Type 7 LSA: NSSA AS-external-LSA

Security Policies

For security reasons, interzone security policies are designed according to the security policy planning. Do not
open up all interzone security policies.

Attack Defense

The recommended configuration should be used.

NAT

When planning the NAT address pool, keep the ratio of public addresses to private addresses at about 1:5,000.

If servers on the core network provide extranet access services, use port-based mapping, but not one-to-one IP
address mapping, when configuring the NAT server.

The recommended NAT mode is 5-tuple NAT. If customers require triplet NAT, contact service or R&D
engineers to reassess the solution.

In load balancing scenarios, both devices process service traffic. If NAT is configured, the devices may allocate
conflicting public ports in NAPT mode. To prevent such conflicts, configure separate NAT port resources
for the devices. You can run the hrp nat resource primary-group command on the active device; the standby
device then automatically generates the hrp nat resource secondary-group command.

You are advised to configure blackhole routes for the NAT address pool to prevent issues such as routing loops.

GRE

When the following conditions are met, you are advised to enable the function of using GRE inner packets for
SPU selection so that traffic is evenly distributed across multiple CPUs:

a. All traffic is encapsulated in one or more GRE tunnels.

b. The number of CPU sessions over a single GRE tunnel is more than 1,000,000.

You can run the firewall gre inner hash enable command to enable the function of selecting a CPU based on the
hash value calculated from the GRE inner packet information.

Performance

In load-balancing hot standby scenarios, ensure that, after traffic is switched to one device, it does not exceed 70%
of the interface bandwidth and of the SPU CPU processing capability. You can run the display interface
command to check the interface bandwidth utilization and the display cpu-usage command to check the SPU
CPU usage.

Solution Configuration

Configuration Procedure

Procedure

1. Configure interfaces and security zones.

a. Configure the interfaces and security zones of FW_A.

# Create Eth-Trunk0, setting its IP address.

<FW_A> system-view
[FW_A] interface Eth-Trunk 0
[FW_A-Eth-Trunk0] description To_FW_B
[FW_A-Eth-Trunk0] ip address 192.168.3.1 24
[FW_A-Eth-Trunk0] undo service-manage enable
[FW_A-Eth-Trunk0] quit

# Create Eth-Trunk1, setting its IP address.

[FW_A] interface Eth-Trunk 1
[FW_A-Eth-Trunk1] description To_Backbone
[FW_A-Eth-Trunk1] ip address 1.1.1.1 24
[FW_A-Eth-Trunk1] undo service-manage enable
[FW_A-Eth-Trunk1] quit

# Create Eth-Trunk2, setting its IP address.

[FW_A] interface Eth-Trunk 2
[FW_A-Eth-Trunk2] description To_GI
[FW_A-Eth-Trunk2] ip address 10.14.1.1 24
[FW_A-Eth-Trunk2] undo service-manage enable
[FW_A-Eth-Trunk2] quit

# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0.

[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] Eth-Trunk 0
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 2/0/1
[FW_A-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_A-GigabitEthernet2/0/1] quit

# Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.

[FW_A] interface GigabitEthernet 2/0/2
[FW_A-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/2] quit
[FW_A] interface GigabitEthernet 2/0/3
[FW_A-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_A-GigabitEthernet2/0/3] quit

# Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk 2.

[FW_A] interface GigabitEthernet 2/0/4
[FW_A-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/4] quit
[FW_A] interface GigabitEthernet 2/0/5
[FW_A-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_A-GigabitEthernet2/0/5] quit

# Create the hrpzone security zone and add Eth-Trunk0 to it.

[FW_A] firewall zone name hrpzone
[FW_A-zone-hrpzone] set priority 65
[FW_A-zone-hrpzone] add interface Eth-Trunk 0
[FW_A-zone-hrpzone] quit

# Add Eth-Trunk1 to the untrust security zone.

[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Eth-Trunk 1
[FW_A-zone-untrust] quit

# Add Eth-Trunk2 to the trust security zone.

[FW_A] firewall zone trust
[FW_A-zone-trust] add interface Eth-Trunk 2
[FW_A-zone-trust] quit

b. Configure the interfaces and security zones of FW_B.

# Create Eth-Trunk0, setting its IP address.

<FW_B> system-view
[FW_B] interface Eth-Trunk 0
[FW_B-Eth-Trunk0] description To_FW_A
[FW_B-Eth-Trunk0] ip address 192.168.3.2 24
[FW_B-Eth-Trunk0] undo service-manage enable
[FW_B-Eth-Trunk0] quit

# Create Eth-Trunk1, setting its IP address.

[FW_B] interface Eth-Trunk 1
[FW_B-Eth-Trunk1] description To_Backbone
[FW_B-Eth-Trunk1] ip address 1.1.2.1 24
[FW_B-Eth-Trunk1] undo service-manage enable
[FW_B-Eth-Trunk1] quit

# Create Eth-Trunk2, setting its IP address.

[FW_B] interface Eth-Trunk 2
[FW_B-Eth-Trunk2] description To_GI
[FW_B-Eth-Trunk2] ip address 10.14.2.1 24
[FW_B-Eth-Trunk2] undo service-manage enable
[FW_B-Eth-Trunk2] quit

# Add GigabitEthernet1/0/1 and GigabitEthernet2/0/1 to Eth-Trunk 0.

[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 2/0/1
[FW_B-GigabitEthernet2/0/1] Eth-Trunk 0
[FW_B-GigabitEthernet2/0/1] quit

# Add GigabitEthernet2/0/2 and GigabitEthernet2/0/3 to Eth-Trunk 1.

[FW_B] interface GigabitEthernet 2/0/2
[FW_B-GigabitEthernet2/0/2] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/2] quit
[FW_B] interface GigabitEthernet 2/0/3
[FW_B-GigabitEthernet2/0/3] Eth-Trunk 1
[FW_B-GigabitEthernet2/0/3] quit

# Add GigabitEthernet2/0/4 and GigabitEthernet2/0/5 to Eth-Trunk 2.

[FW_B] interface GigabitEthernet 2/0/4
[FW_B-GigabitEthernet2/0/4] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/4] quit
[FW_B] interface GigabitEthernet 2/0/5
[FW_B-GigabitEthernet2/0/5] Eth-Trunk 2
[FW_B-GigabitEthernet2/0/5] quit

# Create the hrpzone security zone and add Eth-Trunk0 to it.

[FW_B] firewall zone name hrpzone
[FW_B-zone-hrpzone] set priority 65
[FW_B-zone-hrpzone] add interface Eth-Trunk 0
[FW_B-zone-hrpzone] quit

# Add Eth-Trunk1 to the untrust security zone.

[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface Eth-Trunk 1
[FW_B-zone-untrust] quit

# Add Eth-Trunk2 to the trust security zone.

[FW_B] firewall zone trust
[FW_B-zone-trust] add interface Eth-Trunk 2
[FW_B-zone-trust] quit

2. Configure security policies.

a. Configure the security policies of FW_A.

# Configure the security policy between the local and trust zones.

[FW_A] security-policy
[FW_A-policy-security] rule name local_trust_outbound
[FW_A-policy-security-rule-local_trust_outbound] source-zone local
[FW_A-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_A-policy-security-rule-local_trust_outbound] source-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_outbound] action permit
[FW_A-policy-security-rule-local_trust_outbound] quit
[FW_A-policy-security] rule name local_trust_inbound
[FW_A-policy-security-rule-local_trust_inbound] source-zone trust
[FW_A-policy-security-rule-local_trust_inbound] destination-zone local
[FW_A-policy-security-rule-local_trust_inbound] destination-address 10.14.1.0 24
[FW_A-policy-security-rule-local_trust_inbound] action permit
[FW_A-policy-security-rule-local_trust_inbound] quit

# Configure the security policy between the local and untrust zones.

[FW_A-policy-security] rule name local_untrust_outbound
[FW_A-policy-security-rule-local_untrust_outbound] source-zone local
[FW_A-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_A-policy-security-rule-local_untrust_outbound] source-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_outbound] action permit
[FW_A-policy-security-rule-local_untrust_outbound] quit
[FW_A-policy-security] rule name local_untrust_inbound
[FW_A-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_A-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_A-policy-security-rule-local_untrust_inbound] destination-address 1.1.1.0 24
[FW_A-policy-security-rule-local_untrust_inbound] action permit
[FW_A-policy-security-rule-local_untrust_inbound] quit

# Configure the security policy between the local and hrpzone zones.

[FW_A-policy-security] rule name local_hrpzone_outbound
[FW_A-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_A-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_outbound] action permit
[FW_A-policy-security-rule-local_hrpzone_outbound] quit
[FW_A-policy-security] rule name local_hrpzone_inbound
[FW_A-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_A-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_A-policy-security-rule-local_hrpzone_inbound] action permit
[FW_A-policy-security-rule-local_hrpzone_inbound] quit

# Configure the security policy between the trust and untrust zones, permitting tunnel packets from
mobile terminals to the WAP gateway. Configure more refined security policies based on site
requirements.

[FW_A-policy-security] rule name trust_untrust_outbound1
[FW_A-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound1] action permit
[FW_A-policy-security-rule-trust_untrust_outbound1] quit
[FW_A-policy-security] rule name trust_untrust_inbound1
[FW_A-policy-security-rule-trust_untrust_inbound1] source-zone untrust
[FW_A-policy-security-rule-trust_untrust_inbound1] destination-zone trust
[FW_A-policy-security-rule-trust_untrust_inbound1] action permit
[FW_A-policy-security-rule-trust_untrust_inbound1] quit

# Configure the security policy between the trust and untrust zones, permitting packets from mobile
terminals to the Internet. All packets from the 10.10.0.0/16 network segment are matched. In practice,
you can add rules as needed.

[FW_A-policy-security] rule name trust_untrust_outbound2
[FW_A-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_A-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_A-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_A-policy-security-rule-trust_untrust_outbound2] action permit
[FW_A-policy-security-rule-trust_untrust_outbound2] quit

b. Configure the security policies of FW_B.

# Configure the security policy between the local and trust zones.

[FW_B] security-policy
[FW_B-policy-security] rule name local_trust_outbound
[FW_B-policy-security-rule-local_trust_outbound] source-zone local
[FW_B-policy-security-rule-local_trust_outbound] destination-zone trust
[FW_B-policy-security-rule-local_trust_outbound] source-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_outbound] action permit
[FW_B-policy-security-rule-local_trust_outbound] quit
[FW_B-policy-security] rule name local_trust_inbound
[FW_B-policy-security-rule-local_trust_inbound] source-zone trust
[FW_B-policy-security-rule-local_trust_inbound] destination-zone local
[FW_B-policy-security-rule-local_trust_inbound] destination-address 10.14.2.0 24
[FW_B-policy-security-rule-local_trust_inbound] action permit
[FW_B-policy-security-rule-local_trust_inbound] quit

# Configure the security policy between the local and untrust zones.

[FW_B-policy-security] rule name local_untrust_outbound
[FW_B-policy-security-rule-local_untrust_outbound] source-zone local
[FW_B-policy-security-rule-local_untrust_outbound] destination-zone untrust
[FW_B-policy-security-rule-local_untrust_outbound] source-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_outbound] action permit
[FW_B-policy-security-rule-local_untrust_outbound] quit
[FW_B-policy-security] rule name local_untrust_inbound
[FW_B-policy-security-rule-local_untrust_inbound] source-zone untrust
[FW_B-policy-security-rule-local_untrust_inbound] destination-zone local
[FW_B-policy-security-rule-local_untrust_inbound] destination-address 1.1.2.0 24
[FW_B-policy-security-rule-local_untrust_inbound] action permit
[FW_B-policy-security-rule-local_untrust_inbound] quit

# Configure the security policy between the local and hrpzone zones.

[FW_B-policy-security] rule name local_hrpzone_outbound
[FW_B-policy-security-rule-local_hrpzone_outbound] source-zone local
[FW_B-policy-security-rule-local_hrpzone_outbound] destination-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_outbound] source-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_outbound] action permit
[FW_B-policy-security-rule-local_hrpzone_outbound] quit
[FW_B-policy-security] rule name local_hrpzone_inbound
[FW_B-policy-security-rule-local_hrpzone_inbound] source-zone hrpzone
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-zone local
[FW_B-policy-security-rule-local_hrpzone_inbound] destination-address 192.168.3.0 24
[FW_B-policy-security-rule-local_hrpzone_inbound] action permit
[FW_B-policy-security-rule-local_hrpzone_inbound] quit

# Configure the security policy between the Trust and Untrust zones, permitting tunnel packets from
mobile terminals to the WAP gateway. Configure more refined security policies based on site
requirements.

[FW_B-policy-security] rule name trust_untrust_outbound1
[FW_B-policy-security-rule-trust_untrust_outbound1] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound1] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound1] action permit
[FW_B-policy-security-rule-trust_untrust_outbound1] quit
[FW_B-policy-security] rule name trust_untrust_inbound1
[FW_B-policy-security-rule-trust_untrust_inbound1] source-zone untrust
[FW_B-policy-security-rule-trust_untrust_inbound1] destination-zone trust
[FW_B-policy-security-rule-trust_untrust_inbound1] action permit
[FW_B-policy-security-rule-trust_untrust_inbound1] quit

# Configure the security policy between the trust and untrust zones, permitting packets from mobile
terminals to the Internet. All packets from the 10.10.0.0/16 network segment are matched. In practice,
you can add rules as needed.

[FW_B-policy-security] rule name trust_untrust_outbound2
[FW_B-policy-security-rule-trust_untrust_outbound2] source-zone trust
[FW_B-policy-security-rule-trust_untrust_outbound2] destination-zone untrust
[FW_B-policy-security-rule-trust_untrust_outbound2] source-address 10.10.0.0 16
[FW_B-policy-security-rule-trust_untrust_outbound2] action permit
[FW_B-policy-security-rule-trust_untrust_outbound2] quit
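The rules trust_untrust_outbound1 and trust_untrust_inbound1 above permit an entire zone pair with no address or service condition, which is exactly what the text says to refine per site. The following Python script is an added example, not part of this document and not Huawei code: it parses a security-policy block in the form the Configuration Scripts section prints it (a constructed excerpt of the FW_A script is embedded), lists the permit rules that carry no address or service condition, and separately flags the subset that flow from a lower-priority zone into a higher-priority one. The zone priorities are the ones set in the FW_A script; the value 100 for the local zone is an assumption.

```python
"""Audit security-policy rules in a Huawei VRP configuration script.
Added example (not from the document or Huawei): lists permit rules whose
only match condition is the zone pair, which the document says to refine."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, trimmed from the FW_A script on this page; the script
# section shows the block without prompts or indentation, so none are needed.
SAMPLE_SCRIPT = """\
security-policy
rule name local_trust_outbound
source-zone local
destination-zone trust
source-address 10.14.1.0 24
action permit
rule name trust_untrust_outbound1
source-zone trust
destination-zone untrust
action permit
rule name trust_untrust_inbound1
source-zone untrust
destination-zone trust
action permit
rule name trust_untrust_outbound2
source-zone trust
destination-zone untrust
source-address 10.10.0.0 16
action permit
#
"""

# Zone priorities from the 'firewall zone' section of the FW_A script; the
# local zone (the firewall itself) is assumed to keep its fixed priority 100.
ZONE_PRIORITY = {"local": 100, "trust": 85, "hrpzone": 65, "untrust": 5}


@dataclass
class Rule:
    name: str
    source_zones: List[str] = field(default_factory=list)
    destination_zones: List[str] = field(default_factory=list)
    source_addresses: List[str] = field(default_factory=list)
    destination_addresses: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    action: Optional[str] = None        # no 'action' line means the rule never permits


def parse_security_policy(script: str) -> List[Rule]:
    """Collect the rules between 'security-policy' and the next '#' line."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    in_block = False
    for raw in script.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        if tokens == ["security-policy"]:
            in_block = True
            continue
        if not in_block:
            continue
        if tokens[0] == "#":                # '#' separates sections in a VRP script
            break
        key = tokens[0]
        if key == "rule" and len(tokens) >= 3 and tokens[1] == "name":
            current = Rule(name=tokens[2])
            rules.append(current)
        elif current is None:
            continue
        elif key == "source-zone":
            current.source_zones.extend(tokens[1:])
        elif key == "destination-zone":
            current.destination_zones.extend(tokens[1:])
        elif key == "source-address":
            current.source_addresses.append(" ".join(tokens[1:]))
        elif key == "destination-address":
            current.destination_addresses.append(" ".join(tokens[1:]))
        elif key == "service":
            current.services.extend(tokens[1:])
        elif key == "action":
            current.action = tokens[1]
    return rules


def unrestricted_permits(rules: List[Rule]) -> List[str]:
    """Permit rules with no address or service condition: whole-zone permits."""
    return [r.name for r in rules if r.action == "permit"
            and not (r.source_addresses or r.destination_addresses or r.services)]


def inbound_unrestricted(rules: List[Rule], priority=ZONE_PRIORITY) -> List[str]:
    """Whole-zone permits that also flow from a lower-priority (less trusted)
    zone into a higher-priority one; these are the first rules to refine."""
    names = set(unrestricted_permits(rules))
    return [r.name for r in rules if r.name in names
            and any(priority.get(s, 0) < priority.get(d, 0)
                    for s in r.source_zones for d in r.destination_zones)]
```

On the constructed sample, unrestricted_permits reports trust_untrust_outbound1 and trust_untrust_inbound1, and inbound_unrestricted narrows that to trust_untrust_inbound1, the untrust-to-trust rule. The same parser can be pointed at the FW_A script at the end of this document, since that section prints the block without prompts.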

3. Configure routes.

Specify different router IDs for the active and standby firewalls in each OSPF process to prevent OSPF
route flapping.

a. Configure the OSPF routes of FW_A.
# Configure routing policies to advertise only addresses in the NAT address pool but not VPN addresses
when static routes are imported to the side of the FW_A connecting the backbone.

[FW_A] ip ip-prefix natAddress permit 1.1.10.10 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.11 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.12 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.13 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.14 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.15 32
[FW_A] route-policy PS_NAT permit node 10
[FW_A-route-policy] if-match ip-prefix natAddress
[FW_A-route-policy] quit
[FW_A] ospf 1 router-id 1.1.1.1
[FW_A-ospf-1] import-route static route-policy PS_NAT
[FW_A-ospf-1] area 0.0.0.0
[FW_A-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[FW_A-ospf-1-area-0.0.0.0] quit
[FW_A-ospf-1] quit

# Configure route filtering policies for the side of the FW_A connecting the core network so as not to
learn the default route.

[FW_A] ip ip-prefix no-default deny 0.0.0.0 0
[FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_A] ospf 2 router-id 10.14.1.1
[FW_A-ospf-2] filter-policy ip-prefix no-default import
[FW_A-ospf-2] default-route-advertise
[FW_A-ospf-2] area 0.0.0.0
[FW_A-ospf-2-area-0.0.0.0] network 10.14.1.0 0.0.0.255
[FW_A-ospf-2-area-0.0.0.0] quit
[FW_A-ospf-2] quit

# Configure black-hole routes.

[FW_A] ip route-static 1.1.10.10 32 NULL 0
[FW_A] ip route-static 1.1.10.11 32 NULL 0
[FW_A] ip route-static 1.1.10.12 32 NULL 0
[FW_A] ip route-static 1.1.10.13 32 NULL 0
[FW_A] ip route-static 1.1.10.14 32 NULL 0
[FW_A] ip route-static 1.1.10.15 32 NULL 0

b. Configure the OSPF routes of FW_B.

# Configure routing policies to advertise only addresses in the NAT address pool but not VPN addresses
when static routes are imported to the side of the FW_B connecting the backbone.

[FW_B] ip ip-prefix natAddress permit 1.1.10.10 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.11 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.12 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.13 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.14 32
[FW_B] ip ip-prefix natAddress permit 1.1.10.15 32
[FW_B] route-policy PS_NAT permit node 10
[FW_B-route-policy] if-match ip-prefix natAddress
[FW_B-route-policy] quit
[FW_B] ospf 1 router-id 1.1.2.1
[FW_B-ospf-1] import-route static route-policy PS_NAT
[FW_B-ospf-1] area 0.0.0.0
[FW_B-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255
[FW_B-ospf-1-area-0.0.0.0] quit
[FW_B-ospf-1] quit

# Configure route filtering policies for the side of the FW_B connecting the core network so as not to
learn the default route.

[FW_B] ip ip-prefix no-default deny 0.0.0.0 0
[FW_B] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
[FW_B] ospf 2 router-id 10.14.2.1
[FW_B-ospf-2] filter-policy ip-prefix no-default import
[FW_B-ospf-2] default-route-advertise
[FW_B-ospf-2] area 0
[FW_B-ospf-2-area-0.0.0.0] network 10.14.2.0 0.0.0.255
[FW_B-ospf-2-area-0.0.0.0] quit
[FW_B-ospf-2] quit

# Configure black-hole routes.

[FW_B] ip route-static 1.1.10.10 32 NULL 0
[FW_B] ip route-static 1.1.10.11 32 NULL 0
[FW_B] ip route-static 1.1.10.12 32 NULL 0
[FW_B] ip route-static 1.1.10.13 32 NULL 0
[FW_B] ip route-static 1.1.10.14 32 NULL 0
[FW_B] ip route-static 1.1.10.15 32 NULL 0
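
The two prefix lists configured in this step depend on first-match evaluation with an implicit deny at the end: natAddress lets only the six NAT pool /32 routes into OSPF 1, and no-default must carry the trailing permit entry after its deny entry or OSPF 2 would accept nothing at all. The following Python script is an added example, not part of this document and not Huawei code; it parses the ip ip-prefix commands exactly as they appear above (the constructed sample keeps the prompts) and evaluates candidate routes against them, including the case where the trailing permit is left out.

```python
"""First-match evaluation of Huawei-style 'ip ip-prefix' lists.
Added example, not code from the original document or from Huawei. With
neither greater-equal nor less-equal, an entry matches only a route of exactly
that mask length; when no entry matches, the result is deny."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional

# Constructed sample, copied from the FW_A commands on this page (prompts kept).
SAMPLE_CONFIG = """\
[FW_A] ip ip-prefix natAddress permit 1.1.10.10 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.11 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.12 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.13 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.14 32
[FW_A] ip ip-prefix natAddress permit 1.1.10.15 32
[FW_A] ip ip-prefix no-default deny 0.0.0.0 0
[FW_A] ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
"""


@dataclass
class PrefixEntry:
    action: str            # "permit" or "deny"
    network: IPv4Network   # address and mask length given on the command
    ge: Optional[int]      # greater-equal bound, or None
    le: Optional[int]      # less-equal bound, or None


def parse_ip_prefix(config: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip ip-prefix NAME [index N] permit|deny ADDR LEN
    [greater-equal G] [less-equal L]' lines, keeping command order."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].startswith("["):    # drop the "[FW_A]" prompt
            tokens = tokens[1:]
        if tokens[:2] != ["ip", "ip-prefix"]:
            continue
        name, rest = tokens[2], tokens[3:]
        if rest[0] == "index":                       # optional sequence number
            rest = rest[2:]
        action, addr, length = rest[0], rest[1], int(rest[2])
        ge = le = None
        options = rest[3:]
        for keyword, value in zip(options[::2], options[1::2]):
            if keyword == "greater-equal":
                ge = int(value)
            elif keyword == "less-equal":
                le = int(value)
        lists.setdefault(name, []).append(
            PrefixEntry(action, IPv4Network(f"{addr}/{length}", strict=False), ge, le))
    return lists


def entry_matches(entry: PrefixEntry, route: IPv4Network) -> bool:
    """The route's leading LEN bits must equal the entry's, and its mask
    length must fall inside the range the entry allows."""
    n = entry.network.prefixlen
    if route.prefixlen < n or route.network_address not in entry.network:
        return False
    low = entry.ge if entry.ge is not None else n
    high = entry.le if entry.le is not None else (32 if entry.ge is not None else n)
    return low <= route.prefixlen <= high


def evaluate(entries: List[PrefixEntry], route: IPv4Network) -> str:
    """First matching entry decides; an empty or exhausted list means deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.action
    return "deny"


def permitted(config: str, list_name: str, routes: List[str]) -> List[str]:
    """Routes (as 'a.b.c.d/len' strings) that the named list lets through."""
    entries = parse_ip_prefix(config).get(list_name, [])
    return [r for r in routes if evaluate(entries, IPv4Network(r)) == "permit"]
```

On the sample, natAddress permits only the six /32 pool addresses (1.1.10.0/24 and a private prefix such as 10.10.0.0/16 are denied, so VPN addresses never reach OSPF 1), no-default denies 0.0.0.0/0 and permits every other prefix, and a no-default list without the trailing permit entry denies every route through the implicit deny, which is the misconfiguration this check is meant to catch.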

4. Complete the availability configuration.

a. Complete the hot standby configuration of FW_A.


# Configure HRP to track the interfaces connecting FW_A to the backbone and core networks.

[FW_A] hrp track interface Eth-Trunk 1
[FW_A] hrp track interface Eth-Trunk 2

# Enable OSPF cost adjustment based on the HRP state.

[FW_A] hrp adjust ospf-cost enable

# Configure the heartbeat interface.

[FW_A] hrp interface Eth-Trunk 0 remote 192.168.3.2

# Enable HRP.

[FW_A] hrp enable

# Set the preemption delay of the VGMP group to 300s.

[FW_A] hrp preempt delay 300

b. Complete the hot standby configuration of FW_B.


# Configure HRP to track the upstream and downstream interfaces.

[FW_B] hrp track interface Eth-Trunk 1
[FW_B] hrp track interface Eth-Trunk 2

# Enable OSPF cost adjustment based on the HRP state.

[FW_B] hrp adjust ospf-cost enable

# Configure the heartbeat interface.

[FW_B] hrp interface Eth-Trunk 0 remote 192.168.3.1

# Enable HRP.

[FW_B] hrp enable

# Configure the current device as the standby device.

[FW_B] hrp standby-device

5. Configure NAT and ASPF.

After hot standby is enabled, the NAT and ASPF configuration of FW_A is automatically synchronized
to FW_B.

a. Configure NAT for FW_A.

# Create the NAT address pool.

HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 1.1.10.10 1.1.10.15
HRP_M[FW_A-address-group-addressgroup1] quit

# Configure the NAT policy. The source addresses of all packets from the 10.10.0.0/16 network segment
are translated. In practice, you can add rules as needed.

HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name trust_untrust_outbound
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-zone trust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] source-address 10.10.0.0 0.0.255.255
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] action source-nat address-group addre
HRP_M[FW_A-policy-nat-rule-trust_untrust_outbound] quit
HRP_M[FW_A-policy-nat] quit

b. Configure ASPF for FW_A.

HRP_M[FW_A] firewall interzone trust untrust


HRP_M[FW_A-interzone-trust-untrust] detect rtsp
HRP_M[FW_A-interzone-trust-untrust] detect ftp
HRP_M[FW_A-interzone-trust-untrust] detect pptp
HRP_M[FW_A-interzone-trust-untrust] quit

6. Configure attack defense.

After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized
to FW_B.

Configure attack defense for FW_A.

HRP_M[FW_A] firewall defend land enable
HRP_M[FW_A] firewall defend smurf enable
HRP_M[FW_A] firewall defend fraggle enable
HRP_M[FW_A] firewall defend ip-fragment enable
HRP_M[FW_A] firewall defend tcp-flag enable
HRP_M[FW_A] firewall defend winnuke enable
HRP_M[FW_A] firewall defend source-route enable
HRP_M[FW_A] firewall defend teardrop enable
HRP_M[FW_A] firewall defend route-record enable
HRP_M[FW_A] firewall defend time-stamp enable
HRP_M[FW_A] firewall defend ping-of-death enable

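The attack defense switches above are enabled without a word on what each one matches. The following Python script is an added example, not part of this document and not Huawei code, and it does not describe the firewall's internal implementation: it classifies constructed packet records with the textbook definition of each single-packet attack (land, smurf, fraggle, winnuke, tcp-flag) so a reader can see what the corresponding switch protects against. The protected subnets are assumed to be the GGSN/P-GW side networks 10.14.1.0/24 and 10.14.2.0/24 of this solution; the fragment-based defenses (ip-fragment, teardrop, ping-of-death) need state across packets and are not modelled.

```python
"""What the single-packet 'firewall defend' switches look for.
Added example, not code from the original document or from Huawei, and not the
firewall's own logic: constructed packet records are classified with the
textbook definition of each attack the switches are named after."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

# Assumed: the subnets behind the firewall whose directed-broadcast addresses
# a smurf/fraggle amplifier would aim at (the GGSN/P-GW side subnets used here).
PROTECTED_NETWORKS = [IPv4Network("10.14.1.0/24"), IPv4Network("10.14.2.0/24")]

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def is_broadcast(dst: str) -> bool:
    """True for the limited broadcast or a protected subnet's directed broadcast."""
    addr = IPv4Address(dst)
    return addr == IPv4Address("255.255.255.255") or any(
        addr == net.broadcast_address for net in PROTECTED_NETWORKS)


def classify(pkt: Dict) -> List[str]:
    """Names of the defend switches a packet would trip (empty for normal traffic)."""
    hits: List[str] = []
    if pkt["src"] == pkt["dst"]:
        hits.append("land")            # source address equals destination address
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 and is_broadcast(pkt["dst"]):
        hits.append("smurf")           # echo request aimed at a broadcast address
    if pkt["proto"] == "udp" and pkt.get("dport") in (7, 19) and is_broadcast(pkt["dst"]):
        hits.append("fraggle")         # UDP echo/chargen aimed at a broadcast address
    if pkt["proto"] == "tcp":
        flags = pkt.get("flags", 0)
        if pkt.get("dport") == 139 and flags & TCP_URG:
            hits.append("winnuke")     # urgent data to the NetBIOS session port
        if flags == 0 or (flags & TCP_SYN and flags & TCP_FIN):
            hits.append("tcp-flag")    # null flags or SYN+FIN: never legitimate
    return hits


# Constructed sample records (not captured traffic).
SAMPLE_PACKETS = [
    {"id": "web",     "src": "10.10.1.1", "dst": "1.1.1.2",     "proto": "tcp",  "dport": 80,  "flags": TCP_SYN},
    {"id": "land",    "src": "10.14.1.1", "dst": "10.14.1.1",   "proto": "tcp",  "dport": 80,  "flags": TCP_SYN},
    {"id": "smurf",   "src": "10.10.5.5", "dst": "10.14.1.255", "proto": "icmp", "icmp_type": 8},
    {"id": "ping",    "src": "10.10.5.5", "dst": "10.14.1.20",  "proto": "icmp", "icmp_type": 8},
    {"id": "fraggle", "src": "10.10.5.5", "dst": "10.14.2.255", "proto": "udp",  "dport": 7},
    {"id": "winnuke", "src": "10.10.5.5", "dst": "10.14.1.20",  "proto": "tcp",  "dport": 139, "flags": TCP_URG | TCP_ACK | TCP_PSH},
    {"id": "synfin",  "src": "10.10.5.5", "dst": "10.14.1.20",  "proto": "tcp",  "dport": 443, "flags": TCP_SYN | TCP_FIN},
]


def run(packets: List[Dict]) -> Dict[str, List[str]]:
    """Map each record id to the switches it trips."""
    return {p["id"]: classify(p) for p in packets}
```

Each constructed record trips exactly the switch it is named after, while the plain web request and the unicast ping trip none. The tcp-flag check here covers only the null-flag and SYN+FIN cases; treat it as an illustration of the category rather than the device's full rule set.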
7. Configure network management (SNMP).

a. Configure network management (SNMP) on FW_A.

# Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3.
Carry out this step if it is not SNMPv3.

HRP_M[FW_A] snmp-agent sys-info version v3

# Configure the SNMPv3 user group.

HRP_M[FW_A] snmp-agent group v3 NMS1 privacy

# Configure the SNMPv3 user.

HRP_M[FW_A] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 priva

# Configure the contact information.

HRP_M[FW_A] snmp-agent sys-info contact Mr.zhang

# Configure the location information.

HRP_M[FW_A] snmp-agent sys-info location Beijing

# Configure the alarm function of SNMP on the FW.

HRP_M[FW_A] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
HRP_M[FW_A] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

b. Configure network management (SNMP) on FW_B.


# Configure the SNMP version of the FW. This step is optional. By default, the SNMP version is SNMPv3.
Carry out this step if it is not SNMPv3.

HRP_S[FW_B] snmp-agent sys-info version v3

# Configure the SNMPv3 user group.

HRP_S[FW_B] snmp-agent group v3 NMS1 privacy

# Configure the SNMPv3 user.

HRP_S[FW_B] snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 Admin@123 priva

# Configure the contact information.

HRP_S[FW_B] snmp-agent sys-info contact Mr.zhang

# Configure the location information.

HRP_S[FW_B] snmp-agent sys-info location Beijing

# Configure the alarm function of SNMP on the FW.

HRP_S[FW_B] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname
HRP_S[FW_B] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y

8. Configure the LogCenter.

For the configuration on the LogCenter log server, see the product manual of the LogCenter. Only the
configuration on the FW is described.

After hot standby is enabled, the LogCenter configuration of FW_A is automatically synchronized to
FW_B. However, the source address and source port for log export need to be configured on FW_B.

a. Configure FW_A.

# Configure a log host. When the log format is syslog, the address of the log host is 2.2.2.2, and the host
port must be 514.

HRP_M[FW_A] firewall log host 1 2.2.2.2 514

# Enable the session log function in the security policy as required. Configure this function depending on
the actual situation.

HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_untrust
HRP_M[FW_A-policy-security-rule-trust_untrust] session logging
HRP_M[FW_A-policy-security-rule-trust_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_untrust] quit
HRP_M[FW_A-policy-security] quit

# Configure the log output format, concurrent mode, and source address/port (3.3.3.3/6000) of the logs.

HRP_M[FW_A] firewall log session log-type syslog
HRP_M[FW_A] firewall log session multi-host-mode concurrent
HRP_M[FW_A] firewall log source 3.3.3.3 6000

b. Configure FW_B.

# Configure the source address and source port for log export (3.3.3.4/6000).

HRP_S[FW_B] firewall log source 3.3.3.4 6000

Verification

1. Run the display hrp state command on FW_A to view the current HRP state. The following information
indicates that HRP is successfully set up.

HRP_M[FW_A] display hrp state
Role: active, peer: standby
Running priority: 46002, peer: 46002
Backup channel usage: 7%
Stable time: 0 days, 0 hours, 12 minutes

2. Users can browse web pages and receive and send multimedia messages using mobile terminals.

3. Users can roam normally with their mobile terminals.

4. Run the shutdown command on GigabitEthernet2/0/0 of FW_A to simulate a link fault. The active/standby
switchover is normal without services interrupted.

Configuration Scripts

FW_A

#
sysname FW_A
#
info-center source default channel 2 log level warning
info-center loghost 10.2.0.10
#
firewall log session log-type syslog
firewall log session multi-host-mode concurrent
firewall log source 3.3.3.3 6000
firewall log host 1 2.2.2.2 514
#
nat address-group 1
mode pat
status active
section 0 1.1.10.10 1.1.10.15
#
hrp enable
hrp interface Eth-Trunk 0 remote 192.168.3.2
hrp adjust ospf-cost enable
hrp preempt delay 300
hrp track interface Eth-Trunk 1
hrp track interface Eth-Trunk 2
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend winnuke enable
firewall defend source-route enable
firewall defend teardrop enable
firewall defend route-record enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
#
interface Eth-Trunk0
description To_FW_B
ip address 192.168.3.1 255.255.255.0
undo service-manage enable
#
interface Eth-Trunk1
description To_Backbone
ip address 1.1.1.1 255.255.255.0
undo service-manage enable
#
interface Eth-Trunk2
description To_GI
ip address 10.14.1.1 255.255.255.0
undo service-manage enable
#
interface GigabitEthernet1/0/1
eth-trunk 0
#
interface GigabitEthernet2/0/1
eth-trunk 0
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet2/0/4
eth-trunk 2
#
interface GigabitEthernet2/0/5
eth-trunk 2
#
firewall zone trust
set priority 85
add interface Eth-Trunk2
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1
#
firewall zone hrpzone
set priority 65
add interface Eth-Trunk0
#
firewall interzone trust untrust
detect rtsp
detect ftp
detect pptp
#
security-policy
rule name local_trust_outbound
source-zone local
destination-zone trust
source-address 10.14.1.0 24
action permit
rule name local_trust_inbound
source-zone trust
destination-zone local
destination-address 10.14.1.0 24
action permit
rule name local_untrust_outbound
source-zone local
destination-zone untrust
source-address 1.1.1.0 24
action permit
rule name local_untrust_inbound
source-zone untrust
destination-zone local
destination-address 1.1.1.0 24
action permit
rule name local_hrpzone_outbound
source-zone local
destination-zone hrpzone
source-address 192.168.3.0 24
action permit
rule name local_hrpzone_inbound
source-zone hrpzone
destination-zone local
destination-address 192.168.3.0 24
action permit
rule name trust_untrust_outbound1
source-zone trust
destination-zone untrust
action permit
rule name trust_untrust_inbound1
source-zone untrust
destination-zone trust
action permit
rule name trust_untrust_outbound2
source-zone trust
destination-zone untrust
source-address 10.10.0.0 16
action permit
rule name trust_untrust
session logging
action permit
#
nat-policy
rule name trust_untrust_outbound
source-zone trust
destination-zone untrust
source-address 10.10.0.0 16
action source-nat address-group addressgroup1
#
ip ip-prefix natAddress permit 1.1.10.10 32
ip ip-prefix natAddress permit 1.1.10.11 32
ip ip-prefix natAddress permit 1.1.10.12 32
ip ip-prefix natAddress permit 1.1.10.13 32
ip ip-prefix natAddress permit 1.1.10.14 32
ip ip-prefix natAddress permit 1.1.10.15 32
ip ip-prefix no-default deny 0.0.0.0 0
ip ip-prefix no-default permit 0.0.0.0 0 less-equal 32
#
route-policy PS_NAT permit node 10
if-match ip-prefix natAddress
#
ospf 1 router-id 1.1.1.1
import-route static route-policy PS_NAT
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
ospf 2 router-id 10.14.1.1
default-route-advertise
filter-policy ip-prefix no-default import
area 0.0.0.0
network 10.14.1.0 0.0.0.255
#
ip route-static 1.1.10.10 255.255.255.255 NULL0
ip route-static 1.1.10.11 255.255.255.255 NULL0
ip route-static 1.1.10.12 255.255.255.255 NULL0
ip route-static 1.1.10.13 255.255.255.255 NULL0
ip route-static 1.1.10.14 255.255.255.255 NULL0
ip route-static 1.1.10.15 255.255.255.255 NULL0
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF000077D0
snmp-agent sys-info version v3
snmp-agent sys-info contact Mr.zhang
snmp-agent sys-info location Beijing
snmp-agent group v3 NMS1 privacy
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname %$%$Lch*5Z>Q0:B
private-netmanager
snmp-agent usm-user v3 Admin123 NMS1 authentication-mode md5 %$%$q:JqX0VlJ,5ykB"H'lF&kd[REP
privacy-mode aes256 %$%$.AA`F.dEUJ8Dl33bz;0PYcZQ">eB&vh6t$]4
#
return

Other Solutions

VRRP + OSPF (Active/Standby Backup)

Networking Diagram

As shown in Figure 1-5, the service interfaces of both firewalls work at Layer 3, connecting to the backbone
through routers and to the GGSN/P-GW through Layer 2 switches. OSPF runs between the firewall and router,
and VRRP is enabled on the interface connecting the firewall to the switch.

The two firewalls work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A fails, traffic
is forwarded by FW_B. This ensures that the services are not interrupted.

Figure 1-5 Active/standby backup with OSPF+VRRP running on the FW


Switchover upon Failure

When the link to the backbone fails, the priority of FW_A is lowered through the HRP track function
configured on the interface to trigger an active/standby switchover. FW_B becomes the active device in the
VRRP group, the active route switches to FW_B, and thereby the traffic is switched over.

The upstream and downstream interfaces of the FW are bound to the same link group, and the HRP track
function is configured to monitor these interfaces. The switchover mode in case of a fault in the link to the
GGSN/P-GW is the same as that in case of a fault in the link to the backbone network.

Configuration Difference

Item FW_A

Interfaces
#
interface Eth-Trunk0
description TO-FW-B
ip address 192.168.3.1 255.255.255.240
#
interface Eth-Trunk1
ip address 1.1.1.1 255.255.255.0
#
interface Eth-Trunk2
description TO-GI
ip address 10.14.1.1 255.255.255.0
vrrp vrid 20 virtual-ip 10.14.1.3 active
#

Routes
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2//Configure a default route to the publi
ip route-static x.x.x.x x.x.x.x 10.14.1.5//Configure a route to the private add

OSPF (Load Balancing)

Networking Diagram

As shown in Figure 1-6, the service interfaces of both firewalls work at Layer 3 and connect to both the backbone
and GGSN/P-GW through routers. OSPF runs between the firewall and router.

The two firewalls work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A fails, traffic
is forwarded by FW_B. This ensures that the services are not interrupted.

Figure 1-6 OSPF (load sharing) networking

The two firewalls are expected to work in load balancing mode. Normally, FW_A and FW_B forward traffic
together. When one firewall fails, the other firewall forwards all traffic. The services are not interrupted.

Switchover upon Failure

When FW_A fails, the OSPF route is switched to FW_B through hot standby so that the traffic is switched over.
When FW_B fails, the OSPF route is switched to FW_A through hot standby so that the traffic is switched over.

Configuration Difference

Item FW_A

Hot standby
hrp enable
hrp interface Eth-Trunk0 remote 192.168.3.2
hrp mirror session enable
hrp preempt delay 120
hrp adjust ospf-cost enable
hrp track interface Eth-Trunk1
hrp track interface Eth-Trunk2
hrp nat resource primary-group //Set the NAT port segment of the dual firewalls

    
Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.