
Example: Configuring a TCP Test

FW_A serves as an NQA client and measures how quickly it sets up a TCP connection to a TCP server through a three-way handshake.

Networking Requirements

As shown in Figure 1, FW_A serves as an NQA client, while FW_B serves as an NQA server. A TCP test is configured to measure the speed at which FW_A sets up a TCP connection to FW_B.

Figure 1 Networking diagram for a TCP test

Procedure

  1. Set IP addresses for interfaces and assign the interfaces to security zones.

    # Set an IP address for the interface on FW_A.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [FW_A-GigabitEthernet0/0/1] quit

    # Assign the interface on FW_A to the Untrust zone.

    [FW_A] firewall zone untrust
    [FW_A-untrust] add interface GigabitEthernet 0/0/1
    [FW_A-untrust] quit

    # Set an IP address for the interface on FW_B.

    <FW_B> system-view
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] ip address 2.2.2.2 24
    [FW_B-GigabitEthernet0/0/1] quit

    # Assign the interface on FW_B to the Untrust zone.

    [FW_B] firewall zone untrust
    [FW_B-untrust] add interface GigabitEthernet 0/0/1
    [FW_B-untrust] quit

  2. Configure security policies.

    # Configure a security policy on FW_A.

    [FW_A] security-policy
    [FW_A-policy-security] rule name nqa
    [FW_A-policy-security-rule-nqa] source-zone local
    [FW_A-policy-security-rule-nqa] destination-zone untrust
    [FW_A-policy-security-rule-nqa] source-address 1.1.1.1 32
    [FW_A-policy-security-rule-nqa] destination-address 2.2.2.2 32
    [FW_A-policy-security-rule-nqa] action permit
    [FW_A-policy-security-rule-nqa] quit
    [FW_A-policy-security] quit

    # Configure a security policy on FW_B.

    [FW_B] security-policy
    [FW_B-policy-security] rule name nqa
    [FW_B-policy-security-rule-nqa] source-zone untrust
    [FW_B-policy-security-rule-nqa] destination-zone local
    [FW_B-policy-security-rule-nqa] source-address 1.1.1.1 32
    [FW_B-policy-security-rule-nqa] destination-address 2.2.2.2 32
    [FW_B-policy-security-rule-nqa] action permit
    [FW_B-policy-security-rule-nqa] quit
    [FW_B-policy-security] quit

  3. Configure FW_B as the NQA server.

    # Set the IP address and port number on which the NQA server listens for TCP connection requests.

    [FW_B] nqa-server tcpconnect 2.2.2.2 9000

  4. Configure FW_A as the NQA client.

    # Configure a TCP test instance.

    [FW_A] nqa test-instance admin tcp
    [FW_A-nqa-admin-tcp] test-type tcp
    [FW_A-nqa-admin-tcp] destination-address ipv4 2.2.2.2
    [FW_A-nqa-admin-tcp] destination-port 9000

    # Immediately start the test.

    [FW_A-nqa-admin-tcp] start now

Verification

Run the display nqa results command on FW_A to view the test results.

<FW_A> display nqa results
 NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
  1 . Test 1 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:2.2.2.2                                      
   Min/Max/Average Completion Time: 2/4/3                                
   Sum/Square-Sum  Completion Time: 9/29                                 
   Last Good Probe Time: 2016-01-21 20:36:42.3                           
   Lost packet ratio: 0 %  
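
The following script is an added example, not part of the original Huawei documentation. It parses the display nqa results output shown above, checks that the probe completed cleanly, and derives the spread of completion times from the Sum/Square-Sum line. The function names are hypothetical, and it assumes the number of samples equals "Receive response times".

```python
import math
import re

# Output copied from the Verification section (trailing spaces trimmed).
SAMPLE = """\
 NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
  1 . Test 1 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Attempts number:1                    Drop operation number:0
   Disconnect operation number:0        Operation timeout number:0
   System busy operation number:0       Connection fail number:0
   Operation sequence errors number:0   RTT Status errors number:0
   Destination ip address:2.2.2.2
   Min/Max/Average Completion Time: 2/4/3
   Sum/Square-Sum  Completion Time: 9/29
   Last Good Probe Time: 2016-01-21 20:36:42.3
   Lost packet ratio: 0 %
"""

# Counters that must all be zero for a clean probe (labels as printed above).
ERROR_COUNTERS = ("Drop operation", "Disconnect operation", "Operation timeout",
                  "System busy operation", "Connection fail",
                  "Operation sequence errors", "RTT Status errors")

def _field(pattern, text):
    """Return the regex groups as ints, or raise if the field is missing."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return [int(g) for g in m.groups()]

def parse_nqa_tcp(text):
    """Summarise one TCP test result and decide whether it is healthy."""
    sent, = _field(r"Send operation times:\s*(\d+)", text)
    recv, = _field(r"Receive response times:\s*(\d+)", text)
    total, sq_sum = _field(r"Sum/Square-Sum\s+Completion Time:\s*(\d+)/(\d+)", text)
    lost, = _field(r"Lost packet ratio:\s*(\d+)\s*%", text)
    errors = {c: _field(re.escape(c) + r" number\s*:\s*(\d+)", text)[0]
              for c in ERROR_COUNTERS}
    # Spread from the two running sums: Var = SqSum/n - (Sum/n)^2 (assumes n = recv).
    mean = total / recv if recv else 0.0
    stddev = math.sqrt(max(sq_sum / recv - mean ** 2, 0.0)) if recv else 0.0
    success = re.search(r"Completion\s*:\s*success", text) is not None
    healthy = success and sent == recv and lost == 0 and not any(errors.values())
    return {"sent": sent, "received": recv, "mean": mean, "stddev": stddev,
            "lost_pct": lost, "errors": errors, "healthy": healthy}

if __name__ == "__main__":
    print(parse_nqa_tcp(SAMPLE))
```

A nonzero "Connection fail number" or "Operation timeout number" marks the result unhealthy; on this topology that usually points at the security policy on either firewall or at the nqa-server listener on FW_B.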

Configuration Scripts

Configuration script of FW_A

#
sysname FW_A
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
security-policy
 rule name nqa
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 32
  destination-address 2.2.2.2 32
  action permit
#
nqa test-instance admin tcp
 test-type tcp
 destination-address ipv4 2.2.2.2
 destination-port 9000
 start now /*This command is a one-time action. Therefore, the result is not saved in the configuration file.*/

Configuration script of FW_B

#
sysname FW_B
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
security-policy
 rule name nqa
  source-zone untrust
  destination-zone local
  source-address 1.1.1.1 32
  destination-address 2.2.2.2 32
  action permit
#
nqa-server tcpconnect 2.2.2.2 9000
Copyright © Huawei Technologies Co., Ltd.