After load balancing by link quality is configured, the FW can forward traffic through the link of the best quality.
As shown in Figure 1, an enterprise has two 50M links connected respectively to ISP1 and ISP2.
Set the intelligent uplink selection mode to load balancing by link quality. To ensure that the FW can use other links to forward traffic when a link is faulty or overloaded, you need to configure health check and link overload protection functions.
Set the interface IP addresses, security zones, gateways, bandwidth, and overload protection thresholds, and apply the corresponding health check to each interface.
Configure global route selection policies. Set the intelligent uplink selection mode to load balancing by link quality and configure the outbound interfaces on the FW connecting to ISP1 and ISP2 networks as intelligent uplink selection member interfaces.
Configure a basic security policy to allow intranet users to access the Internet.
This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.
<FW> system-view
[FW] healthcheck enable
[FW] healthcheck name isp1_health
[FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10001
[FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10002
[FW-healthcheck-isp1_health] quit
[FW] healthcheck name isp2_health
[FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10003
[FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10004
[FW-healthcheck-isp2_health] quit
Assume that 3.3.10.10 and 3.3.10.11 are known device addresses on the ISP1 network and that 9.9.20.20 and 9.9.20.21 are known device addresses on the ISP2 network.
If the state remains down after the health check configuration is complete, check the health check configuration.
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet0/0/1] gateway 1.1.1.254
[FW-GigabitEthernet0/0/1] bandwidth ingress 50000 threshold 90
[FW-GigabitEthernet0/0/1] bandwidth egress 50000 threshold 90
[FW-GigabitEthernet0/0/1] healthcheck isp1_health
[FW-GigabitEthernet0/0/1] quit
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet0/0/3] quit
[FW] interface GigabitEthernet 0/0/7
[FW-GigabitEthernet0/0/7] ip address 2.2.2.2 255.255.255.0
[FW-GigabitEthernet0/0/7] gateway 2.2.2.254
[FW-GigabitEthernet0/0/7] bandwidth ingress 50000 threshold 90
[FW-GigabitEthernet0/0/7] bandwidth egress 50000 threshold 90
[FW-GigabitEthernet0/0/7] healthcheck isp2_health
[FW-GigabitEthernet0/0/7] quit
[FW] multi-interface
[FW-multi-inter] mode priority-of-link-quality
[FW-multi-inter] add interface GigabitEthernet0/0/1
[FW-multi-inter] add interface GigabitEthernet0/0/7
[FW-multi-inter] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] add interface GigabitEthernet 0/0/7
[FW-zone-untrust] quit
[FW] security-policy
[FW-policy-security] rule name policy_sec_trust_untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
[FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_trust_untrust] action permit
[FW-policy-security-rule-policy_sec_trust_untrust] quit
[FW-policy-security] quit
#
healthcheck enable
healthcheck name isp1_health
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
 destination 3.3.10.11 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
 destination 9.9.20.21 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp1_health
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
multi-interface
 mode priority-of-link-quality
 priority-of-link-quality parameter delay jitter loss
 priority-of-link-quality protocol tcp-simple
 priority-of-link-quality interval 3 times 5
 priority-of-link-quality table aging-time 60
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
return
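The page requires every uplink selection member interface to have a health check and overload protection thresholds so that traffic can move off a faulty or overloaded link. The following is an added example, not part of the original page or any vendor tool, that audits a configuration script in the format shown above for those settings; the function names `sections` and `audit_uplinks` are hypothetical and `CONFIG` is a trimmed copy of the page's script.

```python
# Trimmed copy of this page's configuration script (constructed for the example).
CONFIG = """\
healthcheck name isp1_health
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
interface GigabitEthernet0/0/1
 gateway 1.1.1.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp1_health
interface GigabitEthernet0/0/7
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
multi-interface
 mode priority-of-link-quality
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
"""

def sections(text):
    """Map each top-level command to the indented sub-commands under it."""
    out, cur = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "#"):
            continue
        if line[0] != " ":
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def audit_uplinks(text):
    """List gaps that would stop a member link failing over (hypothetical helper)."""
    sec, findings = sections(text), []
    profiles = {k.split()[-1] for k in sec if k.startswith("healthcheck name ")}
    members = [l.split()[-1] for l in sec.get("multi-interface", []) if l.startswith("add interface ")]
    for name in members:
        body = sec.get("interface " + name, [])
        bound = [l.split()[-1] for l in body if l.startswith("healthcheck ")]
        if not bound:
            findings.append(f"{name}: no health check applied")
        findings += [f"{name}: health check {p} is not defined" for p in bound if p not in profiles]
        for d in ("ingress", "egress"):
            if not any(l.startswith(f"bandwidth {d} ") and " threshold " in l for l in body):
                findings.append(f"{name}: no {d} overload protection threshold")
    return findings
```

An empty list from `audit_uplinks` means every member interface listed under `multi-interface` references a defined health check and carries both bandwidth thresholds.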