
CLI: Example for Configuring Active/Standby Backup by Link Priority

This section provides an example of configuring active/standby backup by link priority, so that the FW forwards traffic over the standby interface link when the active interface link is faulty, improving transmission availability.

Networking Requirements

As shown in Figure 1, an enterprise has two 50M links connected to ISP1 and one 10M link connected to ISP2.

  • The enterprise requires that the two ISP1 links be used preferentially to forward Internet access traffic and that the ISP2 link be used only when both ISP1 links are faulty.

  • The tax declaration service is forwarded on the ISP2 link preferentially. When the ISP2 link is faulty, the tax declaration service is forwarded on the ISP1 link.

Figure 1 Networking diagram of active/standby backup by link priority

Configuration Roadmap

The enterprise needs to use the ISP1 links preferentially. Therefore, set the global intelligent uplink selection mode to active/standby backup by link priority and set the priorities of the ISP1 and ISP2 links to 2 and 1 respectively. The tax declaration service needs to use the ISP2 link preferentially. Therefore, configure intelligent uplink selection based on policy-based routes for the tax declaration application, set the link selection mode to active/standby backup by link priority, and set the priority of the ISP2 link to 2 and the priorities of the two ISP1 links to 1. To ensure that the FW can use the standby interface link to forward traffic when the active interface link is faulty, configure the health check function.

  1. Configure the health check function. Configure a health check for each of the two ISP1 links and one for the ISP2 link.

  2. Set the interface IP address, security zone, and gateway, set the bandwidth values for the links of the interfaces, and apply the corresponding health check on each interface.

  3. Configure global route selection policies. Set the intelligent uplink selection mode to active/standby backup by link priority, add interfaces GE0/0/1 and GE0/0/2 to interface group ifgrp1, and configure interface group ifgrp1 and interface GE0/0/7 both as intelligent uplink selection members. Set priorities for interface group ifgrp1 and interface GE0/0/7. The priorities of both GE0/0/1 and GE0/0/2 are the same as that of interface group ifgrp1.

  4. Configure intelligent uplink selection based on policy-based routes. Configure a policy-based route for the tax declaration application, set the intelligent uplink selection mode to active/standby backup by link priority, and set priorities for interface group ifgrp1 and interface GE0/0/7.

  5. Configure a basic security policy to allow intranet users to access the Internet.

This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.
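The roadmap above describes which link each kind of traffic should use as links fail. The following Python model, added here as an illustration and not taken from this page or from Huawei's product code, reproduces that selection rule with the page's priorities: the members of interface group ifgrp1 share the group's priority, the candidate set is the healthy links with the highest priority, and traffic matching the tax declaration application follows the PBR members instead of the global ones. Two assumptions are not stated on the page: a member added without the priority keyword gets priority 1, and all healthy links that share the highest priority are candidates for new sessions.

```python
# Added example, not from the page or from Huawei's code: a model of how
# active/standby backup by link priority picks an egress link as links fail.
# Assumptions not stated on the page: a member added without "priority" gets
# priority 1, and all healthy links sharing the highest priority are candidates.
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str                 # interface or interface-group name
    links: tuple              # physical interfaces behind the member
    priority: int = 1         # assumed default when "priority" is omitted


def candidate_links(members, link_up):
    """Healthy links with the highest priority; empty set if every uplink is down."""
    healthy = [(m.priority, link) for m in members for link in m.links if link_up.get(link, False)]
    if not healthy:
        return set()
    best = max(prio for prio, _ in healthy)
    return {link for prio, link in healthy if prio == best}


# Members as configured on the page: both ISP1 links inherit ifgrp1's priority.
IFGRP1 = ("GE0/0/1", "GE0/0/2")
GLOBAL_POLICY = (Member("ifgrp1", IFGRP1, priority=2), Member("GE0/0/7", ("GE0/0/7",)))
TAX_PBR = (Member("ifgrp1", IFGRP1), Member("GE0/0/7", ("GE0/0/7",), priority=2))


def route(app, link_up):
    """The tax application follows its PBR rule; all other traffic follows the global policy."""
    policy = TAX_PBR if app == "UD_tax_system" else GLOBAL_POLICY
    return candidate_links(policy, link_up)


if __name__ == "__main__":
    all_up = {"GE0/0/1": True, "GE0/0/2": True, "GE0/0/7": True}
    for label, state in [("all links up", all_up),
                         ("both ISP1 links down", {**all_up, "GE0/0/1": False, "GE0/0/2": False}),
                         ("ISP2 link down", {**all_up, "GE0/0/7": False})]:
        print(f"{label}: internet -> {route('web', state)}, tax -> {route('UD_tax_system', state)}")
```

Running the block prints the candidates for ordinary Internet traffic and for the tax declaration service with all links up, with both ISP1 links down, and with the ISP2 link down. The ISP2 link carries Internet traffic only in the second case, and the tax service moves to the ISP1 links only in the third, which is exactly the behaviour the networking requirements ask for.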

Procedure

  1. Optional: Enable the health check function and create health checks for the ISP1 and ISP2 links. It is assumed that the destination network segment for the health check is 3.3.10.0/24 on the ISP1 network and 9.9.20.0/24 on the ISP2 network.

    <FW> system-view
    [FW] healthcheck enable
    [FW] healthcheck name isp1_health_01
    [FW-healthcheck-isp1_health_01] destination 3.3.10.10 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10001
    [FW-healthcheck-isp1_health_01] destination 3.3.10.11 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10002
    [FW-healthcheck-isp1_health_01] quit
    [FW] healthcheck name isp1_health_02
    [FW-healthcheck-isp1_health_02] destination 3.3.10.12 interface GigabitEthernet 0/0/2 protocol tcp-simple destination-port 10001
    [FW-healthcheck-isp1_health_02] destination 3.3.10.13 interface GigabitEthernet 0/0/2 protocol tcp-simple destination-port 10002
    [FW-healthcheck-isp1_health_02] quit
    [FW] healthcheck name isp2_health
    [FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10003
    [FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10004
    [FW-healthcheck-isp2_health] quit

    Assume that the addresses from 3.3.10.10 to 3.3.10.13 are known device addresses on the ISP1 network and that 9.9.20.20 and 9.9.20.21 are known device addresses on the ISP2 network.

    If the health check state remains Down after the configuration is complete, check the health check configuration.

  2. Configure IP addresses and gateway addresses, set the bandwidth values for the links of the interfaces, and apply the health checks on the interfaces.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/1] gateway 1.1.1.254
    [FW-GigabitEthernet0/0/1] bandwidth ingress 50000
    [FW-GigabitEthernet0/0/1] bandwidth egress 50000
    [FW-GigabitEthernet0/0/1] healthcheck isp1_health_01
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 1.1.2.2 255.255.255.0
    [FW-GigabitEthernet0/0/2] gateway 1.1.2.254
    [FW-GigabitEthernet0/0/2] bandwidth ingress 50000
    [FW-GigabitEthernet0/0/2] bandwidth egress 50000
    [FW-GigabitEthernet0/0/2] healthcheck isp1_health_02
    [FW-GigabitEthernet0/0/2] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/7
    [FW-GigabitEthernet0/0/7] ip address 2.2.2.2 255.255.255.0
    [FW-GigabitEthernet0/0/7] gateway 2.2.2.254
    [FW-GigabitEthernet0/0/7] bandwidth ingress 10000
    [FW-GigabitEthernet0/0/7] bandwidth egress 10000
    [FW-GigabitEthernet0/0/7] healthcheck isp2_health
    [FW-GigabitEthernet0/0/7] quit

  3. Create interface group ifgrp1 and add GE0/0/1 and GE0/0/2 to the interface group.

    [FW] interface-group 1 name ifgrp1
    [FW-interface-group-1] add interface GigabitEthernet 0/0/1
    [FW-interface-group-1] add interface GigabitEthernet 0/0/2
    [FW-interface-group-1] quit

  4. Configure a global route selection policy for active/standby backup by link priority.

    [FW] multi-interface
    [FW-multi-inter] mode priority-of-userdefine
    [FW-multi-inter] add interface-group ifgrp1 priority 2
    [FW-multi-inter] add interface GigabitEthernet0/0/7
    [FW-multi-inter] quit

  5. Define a tax declaration application. It is assumed that the application server IP address is 8.8.8.8 and the port number is 20001.

    [FW] sa
    [FW-sa] user-defined-application name UD_tax_system
    [FW-sa-user-defined-app-UD_tax_system] rule name 1
    [FW-sa-user-defined-app-UD_tax_system-rule-1] ip-address 8.8.8.8 32
    [FW-sa-user-defined-app-UD_tax_system-rule-1] port 20001
    [FW-sa-user-defined-app-UD_tax_system-rule-1] quit
    [FW-sa-user-defined-app-UD_tax_system] quit
    [FW-sa] quit

  6. Configure PBR intelligent uplink selection for active/standby backup by link priority.

    [FW] policy-based-route
    [FW-policy-pbr] rule name tax_system
    [FW-policy-pbr-rule-tax_system] source-zone trust
    [FW-policy-pbr-rule-tax_system] application app UD_tax_system
    [FW-policy-pbr-rule-tax_system] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-tax_system-multi-inter] mode priority-of-userdefine
    [FW-policy-pbr-rule-tax_system-multi-inter] add interface-group ifgrp1
    [FW-policy-pbr-rule-tax_system-multi-inter] add interface GigabitEthernet0/0/7 priority 2
    [FW-policy-pbr-rule-tax_system-multi-inter] quit
    [FW-policy-pbr] quit

  7. Assign the interfaces to security zones.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] add interface GigabitEthernet 0/0/7
    [FW-zone-untrust] quit

  8. Configure a Trust-to-Untrust interzone security policy to allow enterprise network users to access Internet resources. Assume that enterprise network users reside on 10.3.0.0/24.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit

Configuration Scripts

#
healthcheck enable
healthcheck name isp1_health_01
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
 destination 3.3.10.11 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp1_health_02
 destination 3.3.10.12 interface GigabitEthernet0/0/2 protocol tcp-simple destination-port 10001
 destination 3.3.10.13 interface GigabitEthernet0/0/2 protocol tcp-simple destination-port 10002
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
 destination 9.9.20.21 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 50000
 bandwidth egress 50000
 healthcheck isp1_health_01
#
interface GigabitEthernet0/0/2
 ip address 1.1.2.2 255.255.255.0
 gateway 1.1.2.254
 bandwidth ingress 50000
 bandwidth egress 50000
 healthcheck isp1_health_02
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 10000
 bandwidth egress 10000
 healthcheck isp2_health
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/7
#
sa
 user-defined-application name UD_tax_system
  rule name 1
   ip-address 8.8.8.8 32
   port 20001
#
interface-group 1 name ifgrp1
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
multi-interface
 mode priority-of-userdefine
 add interface GigabitEthernet0/0/7
 add interface-group ifgrp1 priority 2
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
policy-based-route
 rule name tax_system
  source-zone trust
  application app UD_tax_system
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet0/0/7 priority 2
   add interface-group ifgrp1
#
return
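The script above is the record an auditor would review. An uplink member that carries no health check, or a health check whose probes leave through a different interface than the one it is applied on, leaves a faulty link undetected, so the failover this example is built for never happens. The following Python checker, added here as an illustration and not part of this page or of Huawei's tooling, parses the block structure of such a script (command headers at column 0, indented settings, `#` separators) and reports those two conditions, together with uplink members that are not configured at all. It is fed a constructed, trimmed copy of the page's script; the parser knows only the commands used on this page, and it assumes a priority of 1 for members added without the priority keyword.

```python
import re

# Constructed sample: a trimmed copy of this page's configuration script.
SAMPLE_SCRIPT = """\
healthcheck name isp1_health_01
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
healthcheck name isp1_health_02
 destination 3.3.10.12 interface GigabitEthernet0/0/2 protocol tcp-simple destination-port 10001
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
#
interface GigabitEthernet0/0/1
 healthcheck isp1_health_01
#
interface GigabitEthernet0/0/2
 healthcheck isp1_health_02
#
interface GigabitEthernet0/0/7
 healthcheck isp2_health
#
interface-group 1 name ifgrp1
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
multi-interface
 mode priority-of-userdefine
 add interface GigabitEthernet0/0/7
 add interface-group ifgrp1 priority 2
#
policy-based-route
 rule name tax_system
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface GigabitEthernet0/0/7 priority 2
   add interface-group ifgrp1
#
"""

ADD_RE = re.compile(r"add (interface-group|interface) (\S+)(?: priority (\d+))?")


def parse(script):
    """Collect health checks, interfaces, interface groups and uplink members per scope."""
    cfg = {"healthchecks": {}, "interfaces": {}, "groups": {}, "uplinks": []}
    ctx, name, scope = None, None, "global"    # current block, its name, "global" or "pbr <rule>"
    for raw in script.splitlines():
        line = raw.strip()
        if line in ("", "#"):                                 # blank line or block separator
            ctx = None if line else ctx
            continue
        if not raw.startswith(" "):                           # block header at column 0
            ctx = None
            if m := re.match(r"healthcheck name (\S+)", line):
                ctx, name = "hc", m[1]
                cfg["healthchecks"][name] = set()
            elif m := re.match(r"interface-group \d+ name (\S+)", line):
                ctx, name = "grp", m[1]
                cfg["groups"][name] = set()
            elif m := re.match(r"interface (\S+)", line):
                ctx, name = "if", m[1]
                cfg["interfaces"][name] = None                # health check applied on it, if any
            elif line == "multi-interface":
                ctx, scope = "uplink", "global"
            elif line == "policy-based-route":
                ctx = "pbr"
            continue
        if ctx == "hc" and (m := re.match(r"destination \S+ interface (\S+)", line)):
            cfg["healthchecks"][name].add(m[1])               # interface the probe is sent through
        elif ctx == "if" and (m := re.match(r"healthcheck (\S+)", line)):
            cfg["interfaces"][name] = m[1]
        elif ctx == "grp" and (m := re.match(r"add interface (\S+)", line)):
            cfg["groups"][name].add(m[1])
        elif ctx == "pbr" and (m := re.match(r"rule name (\S+)", line)):
            scope = "pbr " + m[1]
        elif ctx in ("uplink", "pbr") and (m := ADD_RE.match(line)):
            cfg["uplinks"].append((scope, m[1], m[2], int(m[3] or 1)))   # priority 1 assumed as default
    return cfg


def check(cfg):
    """Findings that would leave an uplink unmonitored or a health check probing the wrong link."""
    out = []
    hcs, ifs, grps = cfg["healthchecks"], cfg["interfaces"], cfg["groups"]
    for ifname, hc in ifs.items():
        if hc is not None and hcs.get(hc) != {ifname}:
            out.append(f"{ifname}: health check {hc} does not probe through {ifname} "
                       f"(its probes use {sorted(hcs.get(hc, ()))})")
    for scope, kind, ref, _prio in cfg["uplinks"]:
        members = grps.get(ref) if kind == "interface-group" else {ref}
        if members is None:
            out.append(f"{scope}: interface-group {ref} is not defined")
            continue
        for m in members:
            if m not in ifs:
                out.append(f"{scope}: uplink {m} is not configured")
            elif ifs[m] is None:
                out.append(f"{scope}: uplink {m} has no health check, so a link fault cannot trigger failover")
    return out
```

`check(parse(SAMPLE_SCRIPT))` returns an empty list for the page's configuration. Removing the `healthcheck isp2_health` line under GigabitEthernet0/0/7 yields one finding for the global policy and one for the PBR rule, and pointing the isp2_health probes at GigabitEthernet0/0/1 yields a probe-interface mismatch for GigabitEthernet0/0/7.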
Copyright © Huawei Technologies Co., Ltd.