
Web: Example for Connecting to Router (Route-based Traffic Diversion)

This section provides an example for configuring a cluster in which devices connect to routers in the upstream and downstream directions.

Networking Requirements

As shown in Figure 1, the upstream network uses BGP, the downstream network uses OSPF, and multiple DCs connect to the Internet through router R4.

Traffic of each DC should preferentially be carried by the FW in that DC. If that FW fails, traffic is switched to another FW.

Configure route-based traffic diversion to associate business groups with routing protocol processes (OSPF here). When downstream traffic is switched to another FW, the routing protocol adjusts the cost of the routes it advertises according to the status of the business group, so the upstream traffic is switched in step with it.

Figure 1 Networking of routers connected in the upstream and downstream directions

Data Planning

Item: FW_A

  Data:
  • GE0/0/1: 10.1.2.1/24
  • GE0/0/2: 10.2.2.1/24
  • Eth-Trunk1: 10.1.5.1/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.1/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.1/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.10.1/24
  • Tunnel2: 10.1.11.1/24
  • Business group 1: priority 100, bound to OSPF 1
  • Business group 2: priority 80, bound to OSPF 2
  • Business group 3: priority 90, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R2, with the peer IP address being 10.1.10.2.
  • Tunnel2: sets up a GRE channel with R3, with the peer IP address being 10.1.11.2.

Item: FW_B

  Data:
  • GE0/0/1: 10.1.3.1/24
  • GE0/0/2: 10.2.3.1/24
  • Eth-Trunk1: 10.1.5.2/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.2/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.2/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.12.1/24
  • Tunnel2: 10.1.13.1/24
  • Business group 1: priority 90, bound to OSPF 1
  • Business group 2: priority 100, bound to OSPF 2
  • Business group 3: priority 80, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R1, with the peer IP address being 10.1.12.2.
  • Tunnel2: sets up a GRE channel with R3, with the peer IP address being 10.1.13.2.

Item: FW_C

  Data:
  • GE0/0/1: 10.1.4.1/24
  • GE0/0/2: 10.2.4.1/24
  • Eth-Trunk1: 10.1.5.3/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.3/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.3/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.14.1/24
  • Tunnel2: 10.1.15.1/24
  • Business group 1: priority 80, bound to OSPF 1
  • Business group 2: priority 90, bound to OSPF 2
  • Business group 3: priority 100, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R1, with the peer IP address being 10.1.14.2.
  • Tunnel2: sets up a GRE channel with R2, with the peer IP address being 10.1.15.2.

Procedure

  1. Complete the basic network configuration: configure interface IP addresses, assign interfaces to security zones, and configure routes.

    Perform the configuration on each cluster member. The following part is the configuration of FW_A. The configurations of FW_B and FW_C are similar.

    # Assign IP addresses to interfaces.

    1. Choose Network > Interface.

    2. Click GE0/0/1, set the parameters as shown in the following table, and click OK.

      Zone: untrust
      IPv4 IP Address: 10.1.2.1/24

    3. Configure GE0/0/2 based on the preceding step.

      Zone: trust
      IPv4 IP Address: 10.2.2.1/24

    4. Click Add to create Eth-Trunk1.

      Interface Name: Eth-Trunk1
      Type: Aggregation Interface
      Zone: dmz
      Interface: GE0/0/3 and GE0/0/4
      IP Address: 10.1.5.1/24

      Repeat the preceding steps to configure Eth-Trunk2 and Eth-Trunk3.

      Interface Name: Eth-Trunk2
      Type: Aggregation Interface
      Zone: dmz
      Interface: GE0/0/5 and GE0/0/6
      IP Address: 10.1.6.1/24

      Interface Name: Eth-Trunk3
      Type: Aggregation Interface
      Zone: dmz
      Interface: GE0/0/7 and GE0/0/8
      IP Address: 10.1.7.1/24

    # Configure the GRE tunnel.

    1. Choose Network > GRE > GRE and click Add.

    2. Set the parameters as shown in the following figure to create tunnel1 and tunnel2 interfaces.

    # Configure OSPF to ensure IP connectivity.

    1. Choose Network > Route > OSPF.

    2. Click Add, create an OSPF process based on the following parameter values, and click OK.

      Type: OSPFv2
      Process ID: 1

    3. Click , click Add, create an area based on the following parameter values, and click OK.

      Area: 0.0.0.1
      IP Network: 10.2.2.0
      Mask/Wildcard Mask: 255.255.255.0

    4. Repeat the preceding steps to configure OSPF 2 and OSPF 3.

      Item                  OSPF 2          OSPF 3
      Area                  0.0.0.1         0.0.0.1
      IP Network            10.1.10.0       10.1.11.0
      Mask/Wildcard Mask    255.255.255.0   255.255.255.0

    # Configure BGP to ensure IP connectivity.

    1. Choose Network > Route > BGP.
    2. Enable BGP, set the following parameters, and click Apply.

    3. In Peer Configuration List, click Add to configure the peer.

      Peer IP: 10.1.2.2
      Peer AS: 10

    4. In Imported Route List, click Add to import the OSPF process.

      Protocol Type: OSPF
      Process ID (the OSPF process to import; add one entry per process): 1, 2, 3

  2. Set cluster negotiation parameters and enable the cluster function.

    Perform the configuration on each cluster member.

    1. Choose System > Inter-DC Cluster > Basic Configuration to set negotiation parameters.

    2. In Node Configuration, click Add to add three cluster nodes one by one.

      The configuration of FW_B/C is the same as the configuration of FW_A except the bound node.

    3. In Business Group Configuration, click Add to configure business groups in sequence.

  3. Configure business groups and associate the business group with the OSPF process to implement route-based traffic diversion.

    Perform the following configuration on the management master device. The configuration will be automatically synchronized to other members in the cluster.

    1. Choose System > Inter-DC Cluster > Traffic Diversion Configuration.
    2. In the Route-based Traffic Diversion tab, click Add to associate business groups with OSPF processes in sequence.

      Business Group ID: 1
      Process ID: OSPFv2/1

      Business Group ID: 2
      Process ID: OSPFv2/2

      Business Group ID: 3
      Process ID: OSPFv2/3

  4. Configure security policies.

    Perform the following configuration on the management master device. The configuration will be automatically synchronized to other members in the cluster.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy to configure security policies based on the following parameter values, and click OK.

      # Configure a security policy to allow intranet users to access the Internet.

      Name: policy_sec1
      Source Zone: trust
      Destination Zone: untrust
      Source Address/Region: 10.4.0.0/16
      Action: Permit

      # Configure a security policy to allow the FW to exchange OSPF/BGP packets with upstream and downstream routers.

      Name: policy_sec2
      Source Zone: local
      Destination Zone: trust;untrust
      Action: Permit

      Name: policy_sec3
      Source Zone: trust;untrust
      Destination Zone: local
      Action: Permit

      # Configure a Local-DMZ interzone security policy to allow encapsulated GRE packets to pass.

      Name: policy2
      Source Zone: local;dmz
      Destination Zone: local;dmz
      Action: Permit

  5. Configure router R1. For configuration commands, refer to the documents of the routers.

    Basic configurations on R1, such as the interface IP address configuration, are not described here. The configurations on R2 and R3 are similar to those on R1. Configure R1 as follows:

    # Configure GRE tunnels. Establish a GRE tunnel between Tunnel1 and FW_B and between Tunnel2 and FW_C.

    <R1> system-view
    [R1] interface Tunnel 1
    [R1-Tunnel1] ip address 10.1.12.2 24
    [R1-Tunnel1] tunnel-protocol gre
    [R1-Tunnel1] source 10.2.2.2
    [R1-Tunnel1] destination 10.2.3.1
    [R1-Tunnel1] quit
    [R1] interface Tunnel 2
    [R1-Tunnel2] ip address 10.1.14.2 24
    [R1-Tunnel2] tunnel-protocol gre
    [R1-Tunnel2] source 10.2.2.2
    [R1-Tunnel2] destination 10.2.4.1
    [R1-Tunnel2] quit

    # Configure OSPF.

    [R1] ospf 1
    [R1-ospf-1] import-route static type 1
    [R1-ospf-1] area 0.0.0.1
    [R1-ospf-1-area-0.0.0.1] network 10.2.2.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.1] quit
    [R1-ospf-1] area 0.0.0.2
    [R1-ospf-1-area-0.0.0.2] network 10.1.12.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.2] quit
    [R1-ospf-1] area 0.0.0.3
    [R1-ospf-1-area-0.0.0.3] network 10.1.14.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.3] quit
    [R1-ospf-1] quit
  6. Configure router R4. For configuration commands, refer to the documents of the routers.

    Basic configurations on R4, such as the interface IP address configuration, are not described here.

    <R4> system-view
    [R4] bgp 10
    [R4-bgp] router-id 4.4.4.4
    [R4-bgp] peer 10.1.2.1 as-number 10
    [R4-bgp] peer 10.1.3.1 as-number 10
    [R4-bgp] peer 10.1.4.1 as-number 10
    [R4-bgp] quit

Configuration Verification

Choose System > Inter-DC Cluster > Cluster Status to view the cluster running status.

  • In normal situations, FW_A serves as the master device in business group 1; FW_B serves as the master device in business group 2; FW_C serves as the master device in business group 3.
  • The ranking of business group 1 is 1 > 2 > 3; the ranking of business group 2 is 2 > 3 > 1; the ranking of business group 3 is 3 > 1 > 2.
  • If FW_A fails, services can be switched to FW_B.

Check the routing table on R4. Normally, the next-hop address to DC1 is 10.1.2.1. When FW_A fails, the next-hop address to DC1 becomes 10.1.3.1. That is, traffic is forwarded through FW_B.
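The election and failover described above, modelled as an added example (not Huawei's code): it parses the business-group stanza from the FW_A configuration script at the end of this page, computes the per-group ranking, and maps the live master to the upstream address that R4 should see as next hop. The node-to-address mapping is taken from Data Planning; breaking a priority tie by the lower node ID is an assumption.

```python
import re

# Business-group stanza copied from the FW_A configuration script on this page.
BUSINESS_GROUP_STANZA = """
 business-group 1
  node 1 priority 100
  node 2 priority 90
  node 3 priority 80
  bind ospf 1
 business-group 2
  node 1 priority 80
  node 2 priority 100
  node 3 priority 90
  bind ospf 2
 business-group 3
  node 1 priority 90
  node 2 priority 80
  node 3 priority 100
  bind ospf 3
"""

# Node ID -> (device, GE0/0/1 address that R4 peers with), from Data Planning.
NODES = {1: ("FW_A", "10.1.2.1"), 2: ("FW_B", "10.1.3.1"), 3: ("FW_C", "10.1.4.1")}


def parse_business_groups(stanza):
    """Return {group_id: {node_id: priority}} from the CLI stanza."""
    groups, current = {}, None
    for line in stanza.split("\n"):
        m = re.match(r"\s*business-group (\d+)", line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
        m = re.match(r"\s*node (\d+) priority (\d+)", line)
        if m:
            groups[current][int(m.group(1))] = int(m.group(2))
    return groups


def ranking(group, failed=frozenset()):
    """Node IDs ordered master first, skipping failed nodes.
    Higher priority wins; the lower node ID breaks ties (assumption)."""
    live = {n: p for n, p in group.items() if n not in failed}
    return sorted(live, key=lambda n: (-live[n], n))


def next_hops(groups, failed=frozenset()):
    """DC number -> R4 next-hop address (business group N serves DCN);
    None when every node of the group has failed."""
    hops = {}
    for gid, group in groups.items():
        order = ranking(group, failed)
        hops[gid] = NODES[order[0]][1] if order else None
    return hops
```

Running `next_hops(parse_business_groups(BUSINESS_GROUP_STANZA), frozenset({1}))` reproduces the check on R4: DC1's next hop moves from 10.1.2.1 to 10.1.3.1 when FW_A fails.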

Configuration Script

In this example, the configurations of cluster members are almost the same. The major differences are the interface IP addresses and cluster IDs of devices.

The following is the configuration script of FW_A. The parts that differ between devices (interface IP addresses and the bound cluster node ID) must be modified when configuring the other devices.

#
cluster id 1000
cluster detect-interval 2
cluster timer holding-multiplier 4
cluster timer hello 2
cluster backup node-num 2
cluster preempt delay 70
cluster standby config enable
cluster session fast-sync enable
cluster preempt
cluster ip-list node 1 negotiation 10.1.5.1 backup 10.1.6.1 forward 10.1.7.1
cluster ip-list node 2 negotiation 10.1.5.2 backup 10.1.6.2 forward 10.1.7.2
cluster ip-list node 3 negotiation 10.1.5.3 backup 10.1.6.3 forward 10.1.7.3
cluster node bind 1
cluster enable
#
 business-group 1
  node 1 priority 100
  node 2 priority 90
  node 3 priority 80
  bind ospf 1
 business-group 2
  node 1 priority 80
  node 2 priority 100
  node 3 priority 90
  bind ospf 2
 business-group 3
  node 1 priority 90
  node 2 priority 80
  node 3 priority 100
  bind ospf 3
#
ospf 1
 area 0.0.0.1
  network 10.2.2.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 10.1.10.0 0.0.0.255
#
ospf 3
 area 0.0.0.1
  network 10.1.11.0 0.0.0.255
#
bgp 10
 router-id 1.1.1.1
 peer 10.1.2.2 as-number 10
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  import-route ospf 2
  import-route ospf 3
  peer 10.1.2.2 enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
# 
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
# 
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
 add interface Eth-Trunk2
 add interface Eth-Trunk3
 add interface Tunnel1
 add interface Tunnel2
#
interface GigabitEthernet 0/0/1
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.2.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 eth-trunk 1
#
interface GigabitEthernet 0/0/4
 eth-trunk 1
#
interface GigabitEthernet 0/0/5
 eth-trunk 2
#
interface GigabitEthernet 0/0/6
 eth-trunk 2
#
interface GigabitEthernet 0/0/7
 eth-trunk 3
#
interface GigabitEthernet 0/0/8
 eth-trunk 3
#
interface Eth-Trunk1
 ip address 10.1.5.1 255.255.255.0
#
interface Eth-Trunk2
 ip address 10.1.6.1 255.255.255.0
#
interface Eth-Trunk3
 ip address 10.1.7.1 255.255.255.0
#
interface Tunnel1
 ip address 10.1.10.1 255.255.255.0
 tunnel-protocol gre
 source 10.2.2.1
 destination 10.2.3.2
#
interface Tunnel2
 ip address 10.1.11.1 255.255.255.0
 tunnel-protocol gre
 source 10.2.2.1
 destination 10.2.4.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 10.4.0.0 16
  action permit
 rule name policy_sec2
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec3
  source-zone untrust
  source-zone trust
  destination-zone local
  action permit
 rule name policy2
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
#
Copyright © Huawei Technologies Co., Ltd.