
CLI: Example for Configuring Load Balancing by Link Bandwidth

This section provides an example of configuring load balancing by link bandwidth, so that the FW forwards traffic to each link based on the specified bandwidth ratio and bandwidth resources are used as efficiently as possible.

Networking Requirements

As shown in Figure 1, an enterprise has a 100M link connected to ISP1 and a 50M link connected to ISP2.

  • The enterprise requires that traffic be forwarded to ISP1 and ISP2 links based on the bandwidth ratio to ensure that bandwidth resources are used to the greatest extent.

  • When one ISP link is overloaded, follow-up traffic will be forwarded on the other ISP link to ensure access availability.

Figure 1 Networking diagram of load balancing by link bandwidth

Configuration Roadmap

The enterprise requires traffic distribution by bandwidth ratio. Therefore, set the intelligent uplink selection mode to load balancing by link bandwidth. To ensure that the FW can use other links to forward traffic when a link is faulty or overloaded, you need to configure health check and link overload protection functions.

  1. Configure the health check function. Create one health check for ISP1 and one for ISP2.

  2. Set the interface IP address, security zone, gateway, bandwidth, and overload protection threshold, and apply the corresponding health check on each interface.

  3. Configure global route selection policies. Set the intelligent uplink selection mode to load balancing by link bandwidth and configure the outbound interfaces on the FW connecting to ISP1 and ISP2 networks as intelligent uplink selection member interfaces.

  4. Configure a basic security policy to allow intranet users to access the Internet.

This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.

Procedure

  1. Enable the health check function and create a health check for each of the ISP1 and ISP2 links. It is assumed that the destination network segment for health check is 3.3.10.0/24 on the ISP1 network and 9.9.20.0/24 on the ISP2 network.

    <FW> system-view
    [FW] healthcheck enable
    [FW] healthcheck name isp1_health
    [FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10001
    [FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10002
    [FW-healthcheck-isp1_health] quit
    [FW] healthcheck name isp2_health
    [FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10003
    [FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10004
    [FW-healthcheck-isp2_health] quit

    Assume that 3.3.10.10 and 3.3.10.11 are known device addresses on the ISP1 network and that 9.9.20.20 and 9.9.20.21 are known device addresses on the ISP2 network.

    If the state remains down after the health check configuration is complete, check the health check configuration.

  2. Configure the IP addresses, gateway addresses, bandwidth, and overload protection thresholds for the interfaces, and apply the health checks on the interfaces.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/1] gateway 1.1.1.254
    [FW-GigabitEthernet0/0/1] bandwidth ingress 100000 threshold 95
    [FW-GigabitEthernet0/0/1] bandwidth egress 100000 threshold 95
    [FW-GigabitEthernet0/0/1] healthcheck isp1_health
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/7
    [FW-GigabitEthernet0/0/7] ip address 2.2.2.2 255.255.255.0
    [FW-GigabitEthernet0/0/7] gateway 2.2.2.254
    [FW-GigabitEthernet0/0/7] bandwidth ingress 50000 threshold 90
    [FW-GigabitEthernet0/0/7] bandwidth egress 50000 threshold 90
    [FW-GigabitEthernet0/0/7] healthcheck isp2_health
    [FW-GigabitEthernet0/0/7] quit

  3. Configure a global route selection policy to load balance traffic by link bandwidth.

    [FW] multi-interface
    [FW-multi-inter] mode proportion-of-bandwidth
    [FW-multi-inter] add interface GigabitEthernet0/0/1
    [FW-multi-inter] add interface GigabitEthernet0/0/7
    [FW-multi-inter] quit

  4. Assign the interfaces to security zones.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] add interface GigabitEthernet 0/0/7
    [FW-zone-untrust] quit

  5. Configure a Trust-to-Untrust interzone security policy to allow enterprise network users to access Internet resources. Assume that enterprise network users reside on 10.3.0.0/24.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit

Configuration Scripts

#
healthcheck enable
healthcheck name isp1_health
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
 destination 3.3.10.11 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
 destination 9.9.20.21 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 100000 threshold 95
 bandwidth egress 100000 threshold 95
 healthcheck isp1_health
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
return
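
The following audit script is an added example, not part of the original configuration guide or a Huawei tool. It reads a saved configuration in the format shown above and checks that every intelligent uplink selection member interface has an egress bandwidth, an overload protection threshold, and a health check that is actually defined, then derives the traffic ratio and the load at which overload protection starts. The function names are hypothetical; it assumes the ratio follows the configured egress bandwidth and that the threshold is a percentage of that bandwidth.

```python
import re
from fractions import Fraction

# Constructed sample: stanzas trimmed from this page's configuration script.
CONFIG = """\
healthcheck name isp1_health
healthcheck name isp2_health
interface GigabitEthernet0/0/1
 bandwidth egress 100000 threshold 95
 healthcheck isp1_health
interface GigabitEthernet0/0/7
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
multi-interface
 mode proportion-of-bandwidth
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
"""

def parse(text):
    """Map each unindented stanza header to its indented body lines."""
    stanzas = {}
    for block in re.split(r"^(?=\S)", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip() not in ("", "#")]
        if lines:
            stanzas[lines[0]] = lines[1:]
    return stanzas

def audit(text):
    """Return (traffic share per member link, overload point per link, findings)."""
    st = parse(text)
    members = [l.split()[-1] for l in st.get("multi-interface", []) if l.startswith("add ")]
    checks = {h.split()[-1] for h in st if h.startswith("healthcheck name")}
    bw, cutover, findings = {}, {}, []
    if "mode proportion-of-bandwidth" not in st.get("multi-interface", []):
        findings.append("multi-interface: mode is not proportion-of-bandwidth")
    for m in members:
        body = "\n".join(st.get("interface " + m, []))
        eg = re.search(r"^bandwidth egress (\d+) threshold (\d+)$", body, re.M)
        hc = re.search(r"^healthcheck (\S+)$", body, re.M)
        if eg:  # assumption: threshold is a percentage of the configured bandwidth
            bw[m], cutover[m] = int(eg[1]), int(eg[1]) * int(eg[2]) // 100
        else:
            findings.append(m + ": no egress bandwidth/threshold")
        if not hc or hc[1] not in checks:
            findings.append(m + ": health check missing or undefined")
    shares = {m: Fraction(v, sum(bw.values())) for m, v in bw.items()}  # assumption: egress ratio
    return shares, cutover, findings

print(audit(CONFIG))
```

A member interface with no bound health check is the case to watch for: the roadmap above relies on the health check to move traffic off a faulty link.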
Copyright © Huawei Technologies Co., Ltd.