
CLI: Example for Connecting to Router (Route-based Traffic Diversion)

This section provides an example for configuring a cluster in which devices connect to routers in the upstream and downstream directions.

Networking Requirements

As shown in Figure 1, the upstream network uses BGP, the downstream network uses OSPF, and multiple DCs connect to the Internet through router R4.

Traffic of a DC should be preferentially carried on the FW in the DC. If a FW fails, traffic can be switched to other FWs.

Configure route-based traffic diversion to implement association between business groups and routing protocols. When the downstream traffic is switched, the routing protocol adjusts the cost value of the advertised route according to the status of the business group. In this manner, the upstream traffic is synchronously switched.

Figure 1 Networking of routers connected in the upstream and downstream directions

Data Planning

Item: FW_A

  Data:
  • GE0/0/1: 10.1.2.1/24
  • GE0/0/2: 10.2.2.1/24
  • Eth-Trunk1: 10.1.5.1/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.1/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.1/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.10.1/24
  • Tunnel2: 10.1.11.1/24
  • Business group 1: priority 100, bound to OSPF 1
  • Business group 2: priority 80, bound to OSPF 2
  • Business group 3: priority 90, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R2, with the peer IP address being 10.1.10.2.
  • Tunnel2: sets up a GRE channel with R3, with the peer IP address being 10.1.11.2.

Item: FW_B

  Data:
  • GE0/0/1: 10.1.3.1/24
  • GE0/0/2: 10.2.3.1/24
  • Eth-Trunk1: 10.1.5.2/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.2/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.2/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.12.1/24
  • Tunnel2: 10.1.13.1/24
  • Business group 1: priority 90, bound to OSPF 1
  • Business group 2: priority 100, bound to OSPF 2
  • Business group 3: priority 80, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R1, with the peer IP address being 10.1.12.2.
  • Tunnel2: sets up a GRE channel with R3, with the peer IP address being 10.1.13.2.

Item: FW_C

  Data:
  • GE0/0/1: 10.1.4.1/24
  • GE0/0/2: 10.2.4.1/24
  • Eth-Trunk1: 10.1.5.3/24; member interfaces: GE0/0/3 and GE0/0/4
  • Eth-Trunk2: 10.1.6.3/24; member interfaces: GE0/0/5 and GE0/0/6
  • Eth-Trunk3: 10.1.7.3/24; member interfaces: GE0/0/7 and GE0/0/8
  • Tunnel1: 10.1.14.1/24
  • Tunnel2: 10.1.15.1/24
  • Business group 1: priority 80, bound to OSPF 1
  • Business group 2: priority 90, bound to OSPF 2
  • Business group 3: priority 100, bound to OSPF 3

  Description:
  • Eth-Trunk1: cluster negotiation channel
  • Eth-Trunk2: cluster backup channel
  • Eth-Trunk3: cluster forwarding channel
  • Business group 1: processes services of DC1
  • Business group 2: processes services of DC2
  • Business group 3: processes services of DC3
  • Tunnel1: sets up a GRE channel with R1, with the peer IP address being 10.1.14.2.
  • Tunnel2: sets up a GRE channel with R2, with the peer IP address being 10.1.15.2.

Procedure

  1. Complete basic network configurations: configure interface IP addresses, assign interfaces to security zones, and configure routes.

    Perform the configuration on each cluster member. The following part is the configuration of FW_A. The configurations of FW_B and FW_C are similar.

    # Assign IP addresses to interfaces.

    <FW_A> system-view 
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 10.1.2.1 24
    [FW_A-GigabitEthernet0/0/1] quit 
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 10.2.2.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] interface Eth-Trunk 1
    [FW_A-Eth-Trunk1] ip address 10.1.5.1 24
    [FW_A-Eth-Trunk1] trunkport GigabitEthernet 0/0/3 to 0/0/4
    [FW_A-Eth-Trunk1] quit
    [FW_A] interface Eth-Trunk 2
    [FW_A-Eth-Trunk2] ip address 10.1.6.1 24
    [FW_A-Eth-Trunk2] trunkport GigabitEthernet 0/0/5 to 0/0/6
    [FW_A-Eth-Trunk2] quit
    [FW_A] interface Eth-Trunk 3
    [FW_A-Eth-Trunk3] ip address 10.1.7.1 24
    [FW_A-Eth-Trunk3] trunkport GigabitEthernet 0/0/7 to 0/0/8
    [FW_A-Eth-Trunk3] quit

    # Configure the GRE tunnels. Create the tunnel interfaces first so that they exist when they are added to a security zone.

    [FW_A] interface Tunnel 1
    [FW_A-Tunnel1] ip address 10.1.10.1 255.255.255.0
    [FW_A-Tunnel1] tunnel-protocol gre
    [FW_A-Tunnel1] source 10.2.2.1
    [FW_A-Tunnel1] destination 10.2.3.2
    [FW_A-Tunnel1] quit
    [FW_A] interface Tunnel 2
    [FW_A-Tunnel2] ip address 10.1.11.1 255.255.255.0
    [FW_A-Tunnel2] tunnel-protocol gre
    [FW_A-Tunnel2] source 10.2.2.1
    [FW_A-Tunnel2] destination 10.2.4.2
    [FW_A-Tunnel2] quit

    # Assign the interfaces to security zones.

    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_A-zone-trust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface Eth-Trunk 1
    [FW_A-zone-dmz] add interface Eth-Trunk 2
    [FW_A-zone-dmz] add interface Eth-Trunk 3
    [FW_A-zone-dmz] add interface Tunnel 1
    [FW_A-zone-dmz] add interface Tunnel 2
    [FW_A-zone-dmz] quit
    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW_A-zone-untrust] quit

    # Configure OSPF to ensure IP connectivity.

    [FW_A] ospf 1
    [FW_A-ospf-1] area 0.0.0.1
    [FW_A-ospf-1-area-0.0.0.1] network 10.2.2.0 0.0.0.255
    [FW_A-ospf-1-area-0.0.0.1] quit
    [FW_A-ospf-1] quit
    [FW_A] ospf 2
    [FW_A-ospf-2] area 0.0.0.1
    [FW_A-ospf-2-area-0.0.0.1] network 10.1.10.0 0.0.0.255
    [FW_A-ospf-2-area-0.0.0.1] quit
    [FW_A-ospf-2] quit
    [FW_A] ospf 3
    [FW_A-ospf-3] area 0.0.0.1
    [FW_A-ospf-3-area-0.0.0.1] network 10.1.11.0 0.0.0.255
    [FW_A-ospf-3-area-0.0.0.1] quit
    [FW_A-ospf-3] quit

    # Configure BGP to ensure IP connectivity.

    [FW_A] bgp 10
    [FW_A-bgp] router-id 1.1.1.1
    [FW_A-bgp] peer 10.1.2.2 as-number 10
    [FW_A-bgp] ipv4-family unicast
    [FW_A-bgp-af-ipv4] undo synchronization
    [FW_A-bgp-af-ipv4] import-route ospf 1
    [FW_A-bgp-af-ipv4] import-route ospf 2
    [FW_A-bgp-af-ipv4] import-route ospf 3
    [FW_A-bgp-af-ipv4] peer 10.1.2.2 enable
    [FW_A-bgp-af-ipv4] quit
    [FW_A-bgp] quit

  2. Enable the cluster function.

    Perform the configuration on each cluster member.

    # Set cluster negotiation parameters.

    [FW_A] cluster id 1000
    [FW_A] cluster detect-interval 2
    [FW_A] cluster timer holding-multiplier 4
    [FW_A] cluster timer hello 2
    [FW_A] cluster backup node-num 2
    [FW_A] cluster preempt delay 70
    [FW_A] cluster ip-list node 1 negotiation 10.1.5.1 backup 10.1.6.1 forward 10.1.7.1
    [FW_A] cluster ip-list node 2 negotiation 10.1.5.2 backup 10.1.6.2 forward 10.1.7.2
    [FW_A] cluster ip-list node 3 negotiation 10.1.5.3 backup 10.1.6.3 forward 10.1.7.3
    [FW_A] cluster node bind 1
    [FW_A] cluster standby config enable
    [FW_A] cluster session fast-sync enable
    [FW_A] cluster enable

  3. Configure business groups and associate the business group with the OSPF process to implement route-based traffic diversion.

    Perform the following configuration on the management master device. The configuration will be automatically synchronized to other members in the cluster.

    C_No1_M[FW_A] business-group 1
    C_No1_M[FW_A-business-group-1] node 1 priority 100
    C_No1_M[FW_A-business-group-1] node 2 priority 90
    C_No1_M[FW_A-business-group-1] node 3 priority 80
    C_No1_M[FW_A-business-group-1] bind ospf 1
    C_No1_M[FW_A-business-group-1] quit
    C_No1_M[FW_A] business-group 2
    C_No1_M[FW_A-business-group-2] node 1 priority 80
    C_No1_M[FW_A-business-group-2] node 2 priority 100
    C_No1_M[FW_A-business-group-2] node 3 priority 90
    C_No1_M[FW_A-business-group-2] bind ospf 2
    C_No1_M[FW_A-business-group-2] quit
    C_No1_M[FW_A] business-group 3
    C_No1_M[FW_A-business-group-3] node 1 priority 90
    C_No1_M[FW_A-business-group-3] node 2 priority 80
    C_No1_M[FW_A-business-group-3] node 3 priority 100
    C_No1_M[FW_A-business-group-3] bind ospf 3
    C_No1_M[FW_A-business-group-3] quit

  4. Configure security policies.

    Perform the following configuration on the management master device. The configuration will be automatically synchronized to other members in the cluster.

    # Configure a security policy to allow intranet users to access the Internet.

    C_No1_M[FW_A] security-policy
    C_No1_M[FW_A-policy-security] rule name policy_sec1 
    C_No1_M[FW_A-policy-security-rule-policy_sec1] source-zone trust
    C_No1_M[FW_A-policy-security-rule-policy_sec1] destination-zone untrust
    C_No1_M[FW_A-policy-security-rule-policy_sec1] source-address 10.4.0.0 16
    C_No1_M[FW_A-policy-security-rule-policy_sec1] action permit
    C_No1_M[FW_A-policy-security-rule-policy_sec1] quit

    # Configure a security policy to allow the FW to exchange OSPF/BGP packets with upstream and downstream routers.

    C_No1_M[FW_A-policy-security] rule name policy_sec2
    C_No1_M[FW_A-policy-security-rule-policy_sec2] source-zone local
    C_No1_M[FW_A-policy-security-rule-policy_sec2] destination-zone trust untrust
    C_No1_M[FW_A-policy-security-rule-policy_sec2] action permit
    C_No1_M[FW_A-policy-security-rule-policy_sec2] quit
    C_No1_M[FW_A-policy-security] rule name policy_sec3
    C_No1_M[FW_A-policy-security-rule-policy_sec3] source-zone trust untrust
    C_No1_M[FW_A-policy-security-rule-policy_sec3] destination-zone local
    C_No1_M[FW_A-policy-security-rule-policy_sec3] action permit
    C_No1_M[FW_A-policy-security-rule-policy_sec3] quit

    # Configure a Local-DMZ interzone security policy to allow encapsulated GRE packets to pass.

    C_No1_M[FW_A-policy-security] rule name policy2
    C_No1_M[FW_A-policy-security-rule-policy2] source-zone local dmz
    C_No1_M[FW_A-policy-security-rule-policy2] destination-zone dmz local
    C_No1_M[FW_A-policy-security-rule-policy2] action permit
    C_No1_M[FW_A-policy-security-rule-policy2] quit
    C_No1_M[FW_A-policy-security] quit

  5. Configure router R1. For configuration commands, refer to the documents of the routers.

    Basic configurations on R1, such as interface IP addresses, are not described here. Configure R1 as follows; the configurations on R2 and R3 are similar.

    # Configure GRE tunnels. Tunnel1 terminates on FW_B and Tunnel2 terminates on FW_C.

    <R1> system-view
    [R1] interface Tunnel 1
    [R1-Tunnel1] ip address 10.1.12.2 24
    [R1-Tunnel1] tunnel-protocol gre
    [R1-Tunnel1] source 10.2.2.2
    [R1-Tunnel1] destination 10.2.3.1
    [R1-Tunnel1] quit
    [R1] interface Tunnel 2
    [R1-Tunnel2] ip address 10.1.14.2 24
    [R1-Tunnel2] tunnel-protocol gre
    [R1-Tunnel2] source 10.2.2.2
    [R1-Tunnel2] destination 10.2.4.1
    [R1-Tunnel2] quit

    # Configure OSPF.

    [R1] ospf 1
    [R1-ospf-1] import-route static type 1
    [R1-ospf-1] area 0.0.0.1
    [R1-ospf-1-area-0.0.0.1] network 10.2.2.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.1] quit
    [R1-ospf-1] area 0.0.0.2
    [R1-ospf-1-area-0.0.0.2] network 10.1.12.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.2] quit
    [R1-ospf-1] area 0.0.0.3
    [R1-ospf-1-area-0.0.0.3] network 10.1.14.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.3] quit
    [R1-ospf-1] quit
    

  6. Configure router R4. For configuration commands, refer to the documents of the routers.

    Basic configurations on R4, such as the interface IP address configuration, are not described here.

    <R4> system-view
    [R4] bgp 10
    [R4-bgp] router-id 4.4.4.4
    [R4-bgp] peer 10.1.2.1 as-number 10
    [R4-bgp] peer 10.1.3.1 as-number 10
    [R4-bgp] peer 10.1.4.1 as-number 10
    [R4-bgp] quit

Verification

  1. Run the display cluster negotiation status command on the cluster management master device to view the cluster negotiation status.

    C_No1_M<FW_A> display cluster negotiation status
    
    ID    status   health   version   join                 leave                    
    ------------------------------------------------------------                    
    3     slave    10000    A         2018/02/20 16:56:14  NA                       
    2     slave    10000    A         2018/02/20 16:56:17  NA      
    1*    master   10000    A         2018/02/20 16:55:32  NA

    The preceding information shows that cluster 1000 has been established. The cluster has three members that use the same version and have the same health rating (10000).

  2. Run the display business-group brief command on the management master device to view business group information.

    C_No1_M<FW_A> display business-group brief
    TotalBG:3   Master:1    Slave:2    Invalid:0   Init:0                           
    BGID   State      TopThree         IP_num  Pre_Preempt  next_master             
    ------------------------------------------------------------------------------- 
      1   master      1 2 3               0        NO            -                  
      2   slave       2 3 1               0        NO            -                  
      3   slave       3 1 2               0        NO            -

    The preceding information shows that FW_A serves as the master device in business group 1 and the backup device in business groups 2 and 3. The ranking of each business group meets the expectation.

  3. Check the routing table on R4. Normally, the next-hop address to DC1 is 10.1.2.1. When FW_A fails, the next-hop address to DC1 becomes 10.1.3.1. That is, traffic is forwarded through FW_B.
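The three checks above are what an operator reads by eye; the following is an added example (not from the Huawei documentation) that parses the two display outputs shown on this page and turns them into audit findings a monitoring job can alert on: a member missing from the cluster, more or fewer than one management master, a version or health mismatch, a business group that is not ready, or a business group whose current master is not the node planned for it (which is exactly what the R4 next-hop change in check 3 reflects). The healthy sample is the page's own output; the degraded sample (FW_A gone, seen from FW_B) is constructed and its exact column layout is an assumption.

```python
import re

# Constructed samples: the two outputs shown in the Verification section, seen
# from FW_A (the '*' marks the local node).
NEGOTIATION = """\
ID    status   health   version   join                 leave
------------------------------------------------------------
3     slave    10000    A         2018/02/20 16:56:14  NA
2     slave    10000    A         2018/02/20 16:56:17  NA
1*    master   10000    A         2018/02/20 16:55:32  NA
"""
BG_BRIEF = """\
TotalBG:3   Master:1    Slave:2    Invalid:0   Init:0
BGID   State      TopThree         IP_num  Pre_Preempt  next_master
-------------------------------------------------------------------------------
  1   master      1 2 3               0        NO            -
  2   slave       2 3 1               0        NO            -
  3   slave       3 1 2               0        NO            -
"""
# Constructed: what FW_B might show after FW_A has left the cluster (format assumed).
DEGRADED_NEGOTIATION = """\
ID    status   health   version   join                 leave
3     slave    10000    A         2018/02/20 16:56:14  NA
2*    master   10000    A         2018/02/20 16:56:17  NA
"""
DEGRADED_BG_BRIEF = """\
TotalBG:3   Master:2    Slave:1    Invalid:0   Init:0
  1   master      2 3                 0        NO            -
  2   master      2 3                 0        NO            -
  3   slave       3 2                 0        NO            -
"""

PLANNED_MASTER = {1: 1, 2: 2, 3: 3}   # business group -> planned master node (Data Planning)
MEMBER_ROW = re.compile(r"\s*(\d+)(\*?)\s+(\w+)\s+(\d+)\s+(\S+)\s+(\S+ \S+)\s+(\S+)")
BG_ROW = re.compile(r"\s*(\d+)\s+(\w+)\s+(\d+(?:\s+\d+)*)\s+(\d+)\s+(\w+)\s+(\S+)\s*$")

def parse_negotiation(text):
    """Rows of 'display cluster negotiation status' as dicts, header and rule lines skipped."""
    rows = []
    for line in text.splitlines():
        m = MEMBER_ROW.match(line)
        if m:
            rows.append({"id": int(m[1]), "local": m[2] == "*", "status": m[3],
                         "health": int(m[4]), "version": m[5], "join": m[6], "leave": m[7]})
    return rows

def parse_business_groups(text):
    """(summary counters, {bgid: row}) from 'display business-group brief'."""
    summary, groups = {}, {}
    for line in text.splitlines():
        if line.startswith("TotalBG"):
            summary = {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", line)}
            continue
        m = BG_ROW.match(line)
        if m:
            groups[int(m[1])] = {"state": m[2], "top": [int(x) for x in m[3].split()],
                                 "ip_num": int(m[4]), "pre_preempt": m[5], "next_master": m[6]}
    return summary, groups

def audit(negotiation, bg_brief, planned=PLANNED_MASTER, nodes=3):
    """Findings that deserve an alert; an empty list means the cluster looks as planned."""
    findings = []
    members = parse_negotiation(negotiation)
    ids = {m["id"] for m in members}
    if ids != set(range(1, nodes + 1)):
        findings.append(f"members present {sorted(ids)}, expected 1..{nodes}")
    masters = [m["id"] for m in members if m["status"] == "master"]
    if len(masters) != 1:
        findings.append(f"management masters: {masters}")
    for key in ("version", "health"):
        if len({m[key] for m in members}) > 1:
            findings.append(f"members differ in {key}")
    local = next((m["id"] for m in members if m["local"]), None)
    summary, groups = parse_business_groups(bg_brief)
    if summary.get("Invalid", 0) or summary.get("Init", 0):
        findings.append(f"business groups not ready: {summary}")
    for bgid, node in planned.items():
        g = groups.get(bgid)
        if g is None:
            findings.append(f"business group {bgid}: missing")
            continue
        if g["top"][0] != node:   # a failover happened, or priorities are not as planned
            findings.append(f"business group {bgid}: master is node {g['top'][0]}, planned {node}")
        if len(set(g["top"])) != len(g["top"]):
            findings.append(f"business group {bgid}: duplicate nodes in ranking {g['top']}")
        if (g["state"] == "master") != (g["top"][0] == local):
            findings.append(f"business group {bgid}: local state {g['state']} disagrees with ranking")
    return findings

if __name__ == "__main__":
    print("healthy:", audit(NEGOTIATION, BG_BRIEF) or "no findings")
    print("degraded:", audit(DEGRADED_NEGOTIATION, DEGRADED_BG_BRIEF))
```

Run it against output captured from the management master; the degraded sample produces two findings (node 1 missing, business group 1 now mastered by node 2), which is the condition under which R4 switches its DC1 next hop from 10.1.2.1 to 10.1.3.1.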

Configuration Scripts

In this example, the configurations of the cluster members are almost the same. The major differences are the interface IP addresses and the node ID that each device binds to.

The following is the configuration script of FW_A. The parts that differ between devices (shown in bold in the original) must be modified when configuring the other devices.

#
cluster id 1000
cluster detect-interval 2
cluster timer holding-multiplier 4
cluster timer hello 2
cluster backup node-num 2
cluster preempt delay 70
cluster standby config enable
cluster session fast-sync enable
cluster preempt
cluster ip-list node 1 negotiation 10.1.5.1 backup 10.1.6.1 forward 10.1.7.1
cluster ip-list node 2 negotiation 10.1.5.2 backup 10.1.6.2 forward 10.1.7.2
cluster ip-list node 3 negotiation 10.1.5.3 backup 10.1.6.3 forward 10.1.7.3
cluster node bind 1
cluster enable
#
 business-group 1
  node 1 priority 100
  node 2 priority 90
  node 3 priority 80
  bind ospf 1
 business-group 2
  node 1 priority 80
  node 2 priority 100
  node 3 priority 90
  bind ospf 2
 business-group 3
  node 1 priority 90
  node 2 priority 80
  node 3 priority 100
  bind ospf 3
#
ospf 1
 area 0.0.0.1
  network 10.2.2.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 10.1.10.0 0.0.0.255
#
ospf 3
 area 0.0.0.1
  network 10.1.11.0 0.0.0.255
#
bgp 10
 router-id 1.1.1.1
 peer 10.1.2.2 as-number 10
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  import-route ospf 2
  import-route ospf 3
  peer 10.1.2.2 enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
# 
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
# 
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1
 add interface Eth-Trunk2
 add interface Eth-Trunk3
 add interface Tunnel1
 add interface Tunnel2
#
interface GigabitEthernet 0/0/1
 ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.2.2.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 eth-trunk 1
#
interface GigabitEthernet 0/0/4
 eth-trunk 1
#
interface GigabitEthernet 0/0/5
 eth-trunk 2
#
interface GigabitEthernet 0/0/6
 eth-trunk 2
#
interface GigabitEthernet 0/0/7
 eth-trunk 3
#
interface GigabitEthernet 0/0/8
 eth-trunk 3
#
interface Eth-Trunk1
 ip address 10.1.5.1 255.255.255.0
#
interface Eth-Trunk2
 ip address 10.1.6.1 255.255.255.0
#
interface Eth-Trunk3
 ip address 10.1.7.1 255.255.255.0
#
interface Tunnel1
 ip address 10.1.10.1 255.255.255.0
 tunnel-protocol gre
 source 10.2.2.1
 destination 10.2.3.2
#
interface Tunnel2
 ip address 10.1.11.1 255.255.255.0
 tunnel-protocol gre
 source 10.2.2.1
 destination 10.2.4.2
#
security-policy
 rule name policy_sec1
  source-zone trust
  destination-zone untrust
  source-address 10.4.0.0 16
  action permit
 rule name policy_sec2
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name policy_sec3
  source-zone untrust
  source-zone trust
  destination-zone local
  action permit
 rule name policy2
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
#
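Because the member scripts differ only in a handful of values, the per-device parts are easier to get right (and to audit) when generated from the Data Planning table than when edited by hand. The following added example (not Huawei's code) does that for FW_A, FW_B and FW_C and also checks the plan for the two mistakes that would silently break the route-based diversion: priorities that tie within a business group, and a member that has no link towards one of the downstream routers and therefore cannot take over that DC. It assumes the router addresses the page's tunnel destinations imply (R1 = 10.2.2.2, R2 = 10.2.3.2, R3 = 10.2.4.2), that DC n sits behind Rn as the OSPF n binding implies, and a router ID of n.n.n.n per node (the page only shows 1.1.1.1 for FW_A).

```python
from dataclasses import dataclass

# Router addresses facing the FWs, as implied by the tunnel destinations on this
# page (assumption). DC n is assumed to sit behind Rn, which is what binding
# business group n to OSPF n implies.
ROUTER_ADDR = {"R1": "10.2.2.2", "R2": "10.2.3.2", "R3": "10.2.4.2"}

@dataclass
class Member:
    name: str
    node: int           # cluster node ID (cluster node bind)
    ge1: str            # GE0/0/1, untrust side towards R4
    ge2: str            # GE0/0/2, trust side towards R<node>
    tunnels: dict       # tunnel name -> (local address, peer router, peer address)
    priorities: dict    # business group -> priority on this member

# Constructed from the Data Planning table of this page.
MEMBERS = [
    Member("FW_A", 1, "10.1.2.1", "10.2.2.1",
           {"Tunnel1": ("10.1.10.1", "R2", "10.1.10.2"),
            "Tunnel2": ("10.1.11.1", "R3", "10.1.11.2")}, {1: 100, 2: 80, 3: 90}),
    Member("FW_B", 2, "10.1.3.1", "10.2.3.1",
           {"Tunnel1": ("10.1.12.1", "R1", "10.1.12.2"),
            "Tunnel2": ("10.1.13.1", "R3", "10.1.13.2")}, {1: 90, 2: 100, 3: 80}),
    Member("FW_C", 3, "10.1.4.1", "10.2.4.1",
           {"Tunnel1": ("10.1.14.1", "R1", "10.1.14.2"),
            "Tunnel2": ("10.1.15.1", "R2", "10.1.15.2")}, {1: 80, 2: 90, 3: 100}),
]

def subnet24(addr):
    """Network address of the /24 that contains addr."""
    return addr.rsplit(".", 1)[0] + ".0"

def links(m):
    """Downstream router -> (local interface, local address) that reaches it."""
    out = {f"R{m.node}": ("GigabitEthernet 0/0/2", m.ge2)}
    for tname, (local, peer, _peer_addr) in m.tunnels.items():
        out[peer] = (tname, local)
    return out

def render_member(m):
    """Member-specific commands; the cluster and policy commands are shared by all members."""
    lines = ["interface GigabitEthernet 0/0/1", f" ip address {m.ge1} 255.255.255.0",
             "interface GigabitEthernet 0/0/2", f" ip address {m.ge2} 255.255.255.0"]
    for tname, (local, peer, _peer_addr) in m.tunnels.items():
        lines += [f"interface {tname}", f" ip address {local} 255.255.255.0",
                  " tunnel-protocol gre", f" source {m.ge2}",
                  f" destination {ROUTER_ADDR[peer]}"]
    # OSPF process n carries DC n, so it must run on the link towards Rn.
    for bg in sorted(m.priorities):
        _iface, addr = links(m)[f"R{bg}"]
        lines += [f"ospf {bg}", " area 0.0.0.1", f"  network {subnet24(addr)} 0.0.0.255"]
    # Router ID n.n.n.n per node is an assumption; the page shows only 1.1.1.1 for FW_A.
    lines += ["bgp 10", f" router-id {m.node}.{m.node}.{m.node}.{m.node}",
              f"cluster node bind {m.node}"]
    return lines

def primary(members, bg, failed=()):
    """Member that carries business group bg once the named members have failed."""
    alive = [m for m in members if m.name not in failed]
    return max(alive, key=lambda m: m.priorities[bg])

def expected_next_hop_r4(members, bg, failed=()):
    """Next hop R4 should use for DC bg: GE0/0/1 of the member carrying that group."""
    return primary(members, bg, failed).ge1

def check_plan(members):
    """Return a list of planning errors; an empty list means the plan is consistent."""
    problems = []
    bgs = sorted(members[0].priorities)
    for bg in bgs:
        prios = [m.priorities[bg] for m in members]
        if len(set(prios)) != len(prios):   # a tie makes the master choice ambiguous
            problems.append(f"business group {bg}: priorities {prios} are not distinct")
    for m in members:   # every member must be able to carry every DC after a failover
        missing = {f"R{bg}" for bg in bgs} - set(links(m))
        if missing:
            problems.append(f"{m.name}: no interface towards {sorted(missing)}")
    if not problems:
        primaries = [primary(members, bg).name for bg in bgs]
        if len(set(primaries)) != len(bgs):   # one FW preferred for two DCs
            problems.append(f"preferred members are not spread out: {primaries}")
    return problems

if __name__ == "__main__":
    for m in MEMBERS:
        print(f"# {m.name}\n" + "\n".join(render_member(m)))
    print("plan problems:", check_plan(MEMBERS) or "none")
    print("R4 next hop to DC1 if FW_A fails:", expected_next_hop_r4(MEMBERS, 1, failed=("FW_A",)))
```

The rendered FW_B block shows why the members are "similar but not the same": its OSPF 1 runs on Tunnel1 (10.1.12.0/24, towards R1) rather than on GE0/0/2, and expected_next_hop_r4 reproduces the Verification step 3 result (10.1.2.1 normally, 10.1.3.1 when FW_A fails).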
Copyright © Huawei Technologies Co., Ltd.