< Home

Web: Example for Configuring Hot Standby in Active/Standby Mode Where Firewalls connect to Switches Transparently in Upstream and Downstream Directions

This section provides a web example of configuring hot standby in active/standby mode in which the service interfaces of the firewalls work at Layer 2 and connect to switches in upstream and downstream directions.

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 2 and are directly connected to switches. The uplink and downlink service interfaces of each FW are added to VLAN10 and VLAN20.

The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by FW_A. When FW_A goes faulty, FW_B takes over.

Figure 1 Networking diagram for configuring active/standby when service interfaces work at Layer 2 and connect to switches

Procedure

  1. Configure interfaces and basic network configurations.
    1. Configure interfaces on FW_A.

      1. Choose Network > Interface.

      2. Click GE0/0/3, set the parameters as follows, and click OK.

        Zone

        untrust

        Mode

        Switching

        Connection Type

        Trunk

        Trunk VLAN ID

        10,20

      3. Repeat the preceding steps to set the parameters of GE0/0/7.

        Zone

        trust

        Mode

        Switching

        Connection Type

        Trunk

        Trunk VLAN ID

        10,20

      4. Repeat the preceding steps to set the parameters of GE0/0/2.

        Zone

        dmz

        IPv4

        IP Address

        10.10.0.1/24

    2. Configure interfaces on FW_B.

      1. Choose Network > Interface.

      2. Click GE0/0/3, set the parameters as follows, and click OK.

        Zone

        untrust

        Mode

        Switching

        Connection Type

        Trunk

        Trunk VLAN ID

        10,20

      3. Repeat the preceding steps to set the parameters of GE0/0/7.

        Zone

        trust

        Mode

        Switching

        Connection Type

        Trunk

        Trunk VLAN ID

        10,20

      4. Repeat the preceding steps to set the parameters of GE0/0/2.

        Zone

        dmz

        IPv4

        IP Address

        10.10.0.2/24

  2. Configure hot standby.
    1. Configure hot standby on FW_A.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.

      2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

    2. Configure hot standby on FW_B.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.
      2. Enable Dual-System Hot Standby, set the parameters as follows, and click OK.

  3. Configure the security policies.

    After hot standby relationship is established, the security policy on FW_A will be automatically backed up to FW_B.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy, set the parameters as follows, and click OK.

      Name

      policy_sec1

      Source Zone

      trust

      Destination Zone

      untrust

      Action

      Permit

  4. Configure the switches.

    Add the three interfaces of the switches to the same VLANs accordingly. For configuration commands, refer to related documents of the switches.

Verification

Choose System > High Availability > Dual-System Hot Standby to view the operating status of hot standby.

  • Normally, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Active. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Standby. This shows that traffic is forwarded by FW_A.
  • When FW_A goes faulty, the Current Running Mode of FW_A is Active/Standby Backup and the Current Status is Standby. The Current Running Mode of FW_B is Active/Standby Backup and the Current Status is Active. This shows that traffic is forwarded by FW_B.

Configuration Scripts

FW_A

FW_B

 
#
sysname FW_A
# 
vlan batch 10 20
#
 hrp enable
 hrp interface GigabitEthernet0/0/2 remote 10.10.0.2 
 hrp track vlan 10
 hrp track vlan 20
#
interface GigabitEthernet0/0/3
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
 undo port trunk allow-pass vlan 1
#
interface GigabitEthernet0/0/7
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
 undo port trunk allow-pass vlan 1
#
interface GigabitEthernet0/0/2
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/7
#
firewall zone untrust
 set priority 5   
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#    
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 
#
sysname FW_B
# 
vlan batch 10 20
#
 hrp enable
 hrp interface GigabitEthernet0/0/2 remote 10.10.0.1 
 hrp track vlan 10
 hrp track vlan 20
 hrp standby-device
#
interface GigabitEthernet0/0/3
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
 undo port trunk allow-pass vlan 1
#
interface GigabitEthernet0/0/7
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20
 undo port trunk allow-pass vlan 1
#
interface GigabitEthernet0/0/2
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#    
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
Parent Topic: Hot Standby
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >