This example extends the example for configuring active/standby mode: the same hot standby (HRP) setup is kept, and BFD sessions between each firewall and its upstream router are added so that the VGMP group can track BFD session status and fail over when a peer or path goes down.
The FW is deployed on the service node as a security device. Upstream and downstream devices are routers. FW_A and FW_B work in active/standby mode.
Figure 1 shows the networking diagram. The detailed description is as follows:
# Set an IP address for GigabitEthernet 0/0/1.
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 10.100.10.2 24
[FW_A-GigabitEthernet0/0/1] quit
# Add GigabitEthernet 0/0/1 to the Trust zone.
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/1
[FW_A-zone-trust] quit
# Set an IP address for GigabitEthernet 0/0/3.
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 10.100.30.2 24
[FW_A-GigabitEthernet0/0/3] quit
# Add GigabitEthernet 0/0/3 to the Untrust zone.
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/3
[FW_A-zone-untrust] quit
# Set an IP address for GigabitEthernet 0/0/2 (the heartbeat interface).
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 10.100.50.2 24
[FW_A-GigabitEthernet0/0/2] quit
# Add GigabitEthernet 0/0/2 to the DMZ zone.
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/2
[FW_A-zone-dmz] quit
# Run the OSPF dynamic routing protocol on FW_A.
[FW_A] ospf 101
[FW_A-ospf-101] area 0
[FW_A-ospf-101-area-0.0.0.0] network 10.100.10.0 0.0.0.255
[FW_A-ospf-101-area-0.0.0.0] network 10.100.30.0 0.0.0.255
[FW_A-ospf-101-area-0.0.0.0] quit
[FW_A-ospf-101] quit
# Enable automatic adjustment of the OSPF cost according to the HRP (active/standby) status, so that the upstream and downstream routers prefer the path through the active firewall.
[FW_A] hrp adjust ospf-cost enable
# Configure the VGMP group to track the status of the service interfaces.
[FW_A] hrp track interface GigabitEthernet 0/0/1
[FW_A] hrp track interface GigabitEthernet 0/0/3
# Configure the HRP backup channel (heartbeat link) to FW_B.
[FW_A] hrp interface GigabitEthernet 0/0/2 remote 10.100.50.3
# Enable HRP.
[FW_A] hrp enable
The configuration on FW_B is similar to that on FW_A. The differences, as shown in the FW_B configuration script at the end of this example, are as follows:
GigabitEthernet 0/0/1 uses 10.100.20.2/24, GigabitEthernet 0/0/3 uses 10.100.40.2/24, and the heartbeat interface GigabitEthernet 0/0/2 uses 10.100.50.3/24.
OSPF process 101 advertises 10.100.20.0/24 and 10.100.40.0/24.
The HRP backup channel points at FW_A: hrp interface GigabitEthernet 0/0/2 remote 10.100.50.2.
FW_B is configured as the standby device (hrp standby-device).
The security policies configured on FW_A are automatically backed up to FW_B, so they are configured on FW_A (prompt HRP_M) only.
# Configure a security policy so that users on network segment 192.168.1.0/24 can access the Untrust zone.
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy1
HRP_M[FW_A-policy-security-rule-policy1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy1] source-address 192.168.1.0 24
HRP_M[FW_A-policy-security-rule-policy1] action permit
HRP_M[FW_A-policy-security-rule-policy1] quit
# Configure security policies between the Local zone and the Untrust zone (the zone where GigabitEthernet 0/0/3 resides) to permit BFD packets in both directions. Because these rules are backed up to FW_B unchanged, each rule lists the local addresses of both firewalls (10.100.30.2 and 10.100.40.2) and the peer addresses of both routers (1.1.1.2 and 2.2.2.2). The rules match on addresses only; narrowing them to the BFD control ports (UDP 3784 for single-hop sessions per RFC 5881, UDP 4784 for multi-hop sessions per RFC 5883) further limits what the Local zone accepts from the Untrust zone.
HRP_M[FW_A-policy-security] rule name bfd1
HRP_M[FW_A-policy-security-rule-bfd1] source-zone local
HRP_M[FW_A-policy-security-rule-bfd1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-bfd1] source-address 10.100.30.2 32
HRP_M[FW_A-policy-security-rule-bfd1] source-address 10.100.40.2 32
HRP_M[FW_A-policy-security-rule-bfd1] destination-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-bfd1] destination-address 2.2.2.2 32
HRP_M[FW_A-policy-security-rule-bfd1] action permit
HRP_M[FW_A-policy-security-rule-bfd1] quit
HRP_M[FW_A-policy-security] rule name bfd2
HRP_M[FW_A-policy-security-rule-bfd2] source-zone untrust
HRP_M[FW_A-policy-security-rule-bfd2] destination-zone local
HRP_M[FW_A-policy-security-rule-bfd2] source-address 1.1.1.2 32
HRP_M[FW_A-policy-security-rule-bfd2] source-address 2.2.2.2 32
HRP_M[FW_A-policy-security-rule-bfd2] destination-address 10.100.30.2 32
HRP_M[FW_A-policy-security-rule-bfd2] destination-address 10.100.40.2 32
HRP_M[FW_A-policy-security-rule-bfd2] action permit
HRP_M[FW_A-policy-security-rule-bfd2] quit
HRP_M[FW_A-policy-security] quit
# Enable BFD globally, then configure BFD session 1 with peer IP address 1.1.1.2, local discriminator 10, and remote discriminator 20 on FW_A. The local and remote discriminators must mirror those configured on the peer (Router_A).
HRP_M[FW_A] bfd
HRP_M[FW_A-bfd] quit
HRP_M[FW_A] bfd 1 bind peer-ip 1.1.1.2
HRP_M[FW_A-bfd-session-1] discriminator local 10
HRP_M[FW_A-bfd-session-1] discriminator remote 20
HRP_M[FW_A-bfd-session-1] commit
HRP_M[FW_A-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.30.2, local discriminator 20, and remote discriminator 10 on Router_A.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit
# Configure the VGMP group on FW_A to track BFD session 10 (identified by its local discriminator). When the session goes down, the VGMP group priority is lowered and an active/standby switchover can be triggered.
HRP_M[FW_A] hrp track bfd-session 10
# Configure BFD session 1 with peer IP address 2.2.2.2, local discriminator 10, and remote discriminator 20 on FW_B. BFD session configuration is not backed up by HRP, so it is entered on FW_B itself.
HRP_S[FW_B] bfd
HRP_S[FW_B-bfd] quit
HRP_S[FW_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[FW_B-bfd-session-1] discriminator local 10
HRP_S[FW_B-bfd-session-1] discriminator remote 20
HRP_S[FW_B-bfd-session-1] commit
HRP_S[FW_B-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.40.2, local discriminator 20, and remote discriminator 10 on Router_B.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 1 bind peer-ip 10.100.40.2
[Router_B-bfd-session-1] discriminator local 20
[Router_B-bfd-session-1] discriminator remote 10
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit
# Configure the VGMP group on FW_B to track BFD session 10.
HRP_S[FW_B] hrp track bfd-session 10
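The discriminator values above are the whole point of the pairing: Router_A's local discriminator (20) must equal FW_A's remote discriminator, and vice versa. The following is an added example, not code from this page or from the device vendor, that encodes and decodes RFC 5880 BFD control packets and applies the receive-side checks a session performs. The packet layout and the demultiplexing rules come from RFC 5880 section 6.8.6; the third check in accept_at_session (the peer's My Discriminator must equal the statically configured remote discriminator) is the pairing this page's configuration relies on. Everything else (function names, the constructed packets) is assumed for the example.

```python
import struct

# RFC 5880 mandatory control-packet section: 24 bytes, no authentication section.
BFD_HDR = "!BBBBIIIII"  # vers|diag, sta|flags, detect mult, length, my disc, your disc, 3 intervals
STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
# Control packets ride on UDP: destination port 3784 for single-hop sessions (RFC 5881)
# and 4784 for multi-hop sessions (RFC 5883).


def build_bfd_control(my_disc, your_disc, state, detect_mult=3,
                      tx_us=1_000_000, rx_us=1_000_000):
    """Encode a control packet: version 1, no diagnostic, P/F/C/A/D/M bits clear."""
    return struct.pack(BFD_HDR, 1 << 5, state << 6, detect_mult, 24,
                       my_disc, your_disc, tx_us, rx_us, 0)


def parse_bfd_control(data):
    """Decode one control packet, applying the RFC 5880 section 6.8.6 sanity checks."""
    if len(data) < 24:
        raise ValueError("packet shorter than the BFD header")
    (vers_diag, sta_flags, detect_mult, length,
     my_disc, your_disc, tx_us, rx_us, _echo_us) = struct.unpack(BFD_HDR, data[:24])
    if (vers_diag >> 5 != 1 or length < 24 or length > len(data)
            or detect_mult == 0 or my_disc == 0):
        raise ValueError("malformed BFD control packet")
    return {"state": sta_flags >> 6, "my": my_disc, "your": your_disc,
            "detect_mult": detect_mult, "tx_us": tx_us, "rx_us": rx_us}


def accept_at_session(pkt, local_disc, remote_disc):
    """Should a statically configured session (local/remote discriminators as on this
    page) process pkt?  The first two checks are RFC 5880 demultiplexing rules; the
    third is the static pairing: the peer's My Discriminator must be our configured
    remote discriminator, otherwise the session never comes up."""
    if pkt["your"] != 0 and pkt["your"] != local_disc:
        return False, "Your Discriminator does not select this session"
    if pkt["your"] == 0 and pkt["state"] not in (STATE_DOWN, STATE_ADMIN_DOWN):
        return False, "zero Your Discriminator is only valid in Down/AdminDown"
    if pkt["my"] != remote_disc:
        return False, "peer's My Discriminator is not the configured remote discriminator"
    return True, "accepted"


if __name__ == "__main__":
    # FW_A: local 10, remote 20.  Router_A: local 20, remote 10 (as configured above).
    from_router_a = build_bfd_control(my_disc=20, your_disc=10, state=STATE_INIT)
    print(accept_at_session(parse_bfd_control(from_router_a), 10, 20))
    # First packet before the peer has learned our discriminator: Your = 0, state Down.
    print(accept_at_session(parse_bfd_control(build_bfd_control(20, 0, STATE_DOWN)), 10, 20))
    # Constructed typo on Router_A (local 21 instead of 20): FW_A rejects every packet.
    print(accept_at_session(parse_bfd_control(build_bfd_control(21, 10, STATE_INIT)), 10, 20))
```

The mirrored pairs (FW_A 10/20 with Router_A 20/10, FW_B 10/20 with Router_B 20/10) are the only combinations the third check accepts; FW_A and FW_B may both use local discriminator 10 because discriminators are only meaningful between one pair of endpoints.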
FW_A configuration script:
#
 sysname FW_A
#
 bfd
#
 hrp enable
 hrp interface GigabitEthernet 0/0/2 remote 10.100.50.3
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp track bfd-session 10
#
interface GigabitEthernet 0/0/1
 ip address 10.100.10.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.100.30.2 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 add interface GigabitEthernet 0/0/3
#
bfd 1 bind peer-ip 1.1.1.2
 discriminator local 10
 discriminator remote 20
 commit
#
ospf 101
 area 0.0.0.0
  network 10.100.10.0 0.0.0.255
  network 10.100.30.0 0.0.0.255
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit
 rule name bfd1
  source-zone local
  destination-zone untrust
  source-address 10.100.30.2 32
  source-address 10.100.40.2 32
  destination-address 1.1.1.2 32
  destination-address 2.2.2.2 32
  action permit
 rule name bfd2
  source-zone untrust
  destination-zone local
  source-address 1.1.1.2 32
  source-address 2.2.2.2 32
  destination-address 10.100.30.2 32
  destination-address 10.100.40.2 32
  action permit
#
return

FW_B configuration script (the security policy is the copy backed up from FW_A):
#
 sysname FW_B
#
 bfd
#
 hrp enable
 hrp standby-device
 hrp interface GigabitEthernet 0/0/2 remote 10.100.50.2
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp track bfd-session 10
#
interface GigabitEthernet 0/0/1
 ip address 10.100.20.2 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.100.50.3 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.100.40.2 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 add interface GigabitEthernet 0/0/3
#
bfd 1 bind peer-ip 2.2.2.2
 discriminator local 10
 discriminator remote 20
 commit
#
ospf 101
 area 0.0.0.0
  network 10.100.20.0 0.0.0.255
  network 10.100.40.0 0.0.0.255
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit
 rule name bfd1
  source-zone local
  destination-zone untrust
  source-address 10.100.30.2 32
  source-address 10.100.40.2 32
  destination-address 1.1.1.2 32
  destination-address 2.2.2.2 32
  action permit
 rule name bfd2
  source-zone untrust
  destination-zone local
  source-address 1.1.1.2 32
  source-address 2.2.2.2 32
  destination-address 10.100.30.2 32
  destination-address 10.100.40.2 32
  action permit
#
return
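Because the security policy is backed up from FW_A to FW_B verbatim, a rule set that only names the active firewall's own addresses silently leaves the standby's BFD session unpermitted, and a hrp track bfd-session value that matches no local discriminator tracks nothing. The following added example (not code from this page or its vendor) reads the relevant lines of the FW_A script above, evaluates the security policy the way the firewall does (top down, first match decides, no match is a deny), and reports any BFD session whose packets are not permitted in both directions between the Local zone and the peer's zone, or any tracked discriminator that no session defines. FW_B_CFG is derived from the FW_A lines by changing only the peer address, as the scripts above show; BAD_CFG is a constructed failure case. The assumption that BFD packets are sourced from the Untrust-facing interface address follows the addresses this page's bfd1/bfd2 rules use.

```python
import ipaddress
import re

# Lines taken from this page's FW_A configuration script (trimmed to what the check reads).
FW_A_CFG = """\
hrp track bfd-session 10
bfd 1 bind peer-ip 1.1.1.2
 discriminator local 10
 discriminator remote 20
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit
 rule name bfd1
  source-zone local
  destination-zone untrust
  source-address 10.100.30.2 32
  source-address 10.100.40.2 32
  destination-address 1.1.1.2 32
  destination-address 2.2.2.2 32
  action permit
 rule name bfd2
  source-zone untrust
  destination-zone local
  source-address 1.1.1.2 32
  source-address 2.2.2.2 32
  destination-address 10.100.30.2 32
  destination-address 10.100.40.2 32
  action permit
"""
# The security policy is backed up to FW_B unchanged; only FW_B's own BFD session differs.
FW_B_CFG = FW_A_CFG.replace("bind peer-ip 1.1.1.2", "bind peer-ip 2.2.2.2")
# Constructed failure case: the BFD rules list only FW_A's own address.
BAD_CFG = "\n".join(l for l in FW_B_CFG.splitlines() if "10.100.40.2" not in l)


def parse_rules(cfg):
    """Security-policy rules in configuration order; an empty address list means any."""
    rules, rule = [], None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"rule name (\S+)$", line)
        if m:
            rule = {"name": m.group(1), "src_zone": set(), "dst_zone": set(),
                    "src": [], "dst": [], "action": "deny"}
            rules.append(rule)
        elif rule is None:
            continue
        elif line.startswith(("source-zone ", "destination-zone ")):
            kind, zone = line.split()
            rule["src_zone" if kind == "source-zone" else "dst_zone"].add(zone)
        elif line.startswith(("source-address ", "destination-address ")):
            kind, addr, plen = line.split()
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            rule["src" if kind == "source-address" else "dst"].append(net)
        elif line.startswith("action "):
            rule["action"] = line.split()[1]
    return rules


def parse_bfd_sessions(cfg):
    """Map BFD session name -> peer address and local/remote discriminators."""
    sessions, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"bfd (\S+) bind peer-ip (\S+)", line)
        if m:
            cur = sessions[m.group(1)] = {"peer": ipaddress.ip_address(m.group(2))}
        elif cur is not None and line.startswith("discriminator "):
            _, side, value = line.split()
            cur[side] = int(value)
    return sessions


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Rules are evaluated top down and the first match decides; None means no match (deny)."""
    for r in rules:
        if r["src_zone"] and src_zone not in r["src_zone"]:
            continue
        if r["dst_zone"] and dst_zone not in r["dst_zone"]:
            continue
        if r["src"] and not any(src_ip in n for n in r["src"]):
            continue
        if r["dst"] and not any(dst_ip in n for n in r["dst"]):
            continue
        return r
    return None


def check_bfd_config(cfg, local_ip, peer_zone="untrust"):
    """Return a list of problems; empty means every BFD session is tracked and permitted."""
    rules, sessions = parse_rules(cfg), parse_bfd_sessions(cfg)
    local_ip = ipaddress.ip_address(local_ip)  # assumed: the peer-facing interface address
    problems = []
    tracked = {int(d) for d in re.findall(r"^\s*hrp track bfd-session (\d+)", cfg, re.M)}
    for d in sorted(tracked - {s.get("local") for s in sessions.values()}):
        problems.append(f"hrp track bfd-session {d} matches no local discriminator")
    for name, s in sessions.items():
        for sz, dz, sip, dip in (("local", peer_zone, local_ip, s["peer"]),
                                 (peer_zone, "local", s["peer"], local_ip)):
            hit = first_match(rules, sz, dz, sip, dip)
            if hit is None or hit["action"] != "permit":
                problems.append(f"bfd {name}: {sz}->{dz} {sip}->{dip} is not permitted")
    return problems


if __name__ == "__main__":
    for dev, cfg, ip in (("FW_A", FW_A_CFG, "10.100.30.2"), ("FW_B", FW_B_CFG, "10.100.40.2"),
                         ("FW_B (bad policy)", BAD_CFG, "10.100.40.2")):
        print(dev, check_bfd_config(cfg, ip) or "ok")
```

Run against the page's rules, both firewalls pass; against BAD_CFG the check reports FW_B's session as unpermitted in both directions, which is exactly the condition that would leave FW_B unable to bring its BFD session up after it becomes active.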