
Web: Load Balancing Networking in Which the Firewalls Work as the Gateways and Multi-ISP Accesses Are Provided

This section provides an example of configuring hot standby in load balancing mode with multi-ISP access, where the service interfaces of the two firewalls work at Layer 3 and connect upstream and downstream to switches.

Networking Requirements

As shown in Figure 1, the service interfaces of the two FW devices work at Layer 3 and connect upstream and downstream to Layer 2 switches.

The two upstream switches connect to two ISPs. ISP1 assigns the enterprise the IP addresses 1.1.1.1, 1.1.1.2, and 1.1.1.3, and ISP2 assigns 2.2.2.1, 2.2.2.2, and 2.2.2.3.

The two FW devices are to work in load balancing mode: traffic from Dept. A (IP address range 10.3.0.51 to 10.3.0.100) goes to ISP1 and traffic from Dept. B (IP address range 10.3.0.101 to 10.3.0.150) goes to ISP2. Normally, both FW_A and FW_B forward traffic. If either FW fails, the other forwards all traffic so that service continues.

Figure 1 Load balancing networking in which the service interfaces work at Layer 3 and are upstream and downstream connected to switches

Procedure

  1. Configure interfaces and perform basic network configurations.
    1. Configure the interfaces on FW_A.

The isp1 and isp2 security zones have already been created. GE0/0/7 (dmz zone) is the link between the two firewalls that carries the hot standby heartbeat and session backup traffic (the hrp interface GigabitEthernet 0/0/7 line in the configuration script).

      1. Choose Network > Interface.

      2. Click GE0/0/1, set the parameters as follows, and click OK.

         Zone: isp1
         IPv4 IP Address: 1.1.1.1/24

      3. Repeat the preceding steps to set the following parameters for the GE0/0/2 interface.

         Zone: isp2
         IPv4 IP Address: 2.2.2.1/24

      4. Repeat the preceding steps to set the following parameters for the GE0/0/3 interface.

         Zone: trust
         IPv4 IP Address: 10.3.0.1/24

      5. Repeat the preceding steps to set the following parameters for the GE0/0/7 interface.

         Zone: dmz
         IPv4 IP Address: 10.10.0.1/24

    2. Configure the interfaces on FW_B.

      1. Choose Network > Interface.

      2. Click GE0/0/1, set the parameters as follows, and click OK.

         Zone: isp1
         IPv4 IP Address: 1.1.1.2/24

      3. Repeat the preceding steps to set the following parameters for the GE0/0/2 interface.

         Zone: isp2
         IPv4 IP Address: 2.2.2.2/24

      4. Repeat the preceding steps to set the following parameters for the GE0/0/3 interface.

         Zone: trust
         IPv4 IP Address: 10.3.0.2/24

      5. Repeat the preceding steps to set the following parameters for the GE0/0/7 interface.

         Zone: dmz
         IPv4 IP Address: 10.10.0.2/24

  2. Configure the routing function to ensure that routes are reachable.

Route configuration is not backed up between the two firewalls by hot standby (unlike the security and NAT policies in later steps), so configure exactly the same policy-based routes on both FW_A and FW_B.

    1. Choose Network > Route > Intelligent Uplink Selection.
    2. On the Intelligent Uplink Selection Policy tab, click Add in the Policy-based Route list, configure a policy-based route (PBR) to ISP1 as follows, and click OK.

       Name: route_policy_isp1
       Type: Source Zone
       Source Zone: trust
       Source Address: 10.3.0.51-10.3.0.100
       Action: Forward
       Egress Type: Single
       Next Hop: 1.1.1.254

    3. Repeat the preceding steps and configure a PBR to ISP2.

       Name: route_policy_isp2
       Type: Source Zone
       Source Zone: trust
       Source Address: 10.3.0.101-10.3.0.150
       Action: Forward
       Egress Type: Single
       Next Hop: 2.2.2.254

       Only these two address ranges are steered by PBR. Traffic from any other trust-zone address matches neither rule and is forwarded according to the routing table; the configuration script in this example contains no static default route, so add one on both firewalls if such hosts also need Internet access.

  3. Configure dual-system hot standby.

    The parameter values are those shown by the hrp and vrrp lines of the Configuration Script section. Session backup (hrp mirror session enable) matters in load balancing mode because the return traffic of a flow may arrive on the other firewall and must match a session that firewall already knows about. Load balancing comes from splitting the VRRP roles: FW_A is active for group 1 (1.1.1.3 on GE0/0/1) and group 3 (10.3.0.3 on GE0/0/3), FW_B is active for group 2 (2.2.2.3 on GE0/0/2) and group 4 (10.3.0.4 on GE0/0/3), and when one firewall fails the other takes over all four groups.

    1. Configure dual-system hot standby on FW_A.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.

      2. Select the Enable check box, set the parameters as follows, and click OK: heartbeat interface GE0/0/7 with peer address 10.10.0.2, session backup enabled, VRRP groups 1 and 3 active, VRRP groups 2 and 4 standby.

    2. Configure dual-system hot standby on FW_B.

      1. Choose System > High Availability > Dual-System Hot Standby and click Edit.
      2. Select the Enable check box, set the parameters as follows, and click OK: heartbeat interface GE0/0/7 with peer address 10.10.0.1, session backup enabled, VRRP groups 2 and 4 active, VRRP groups 1 and 3 standby.

  4. Configure default routes on the intranet devices so that Dept. A uses virtual IP address 10.3.0.3 of VRRP group 3 as its next hop and Dept. B uses virtual IP address 10.3.0.4 of VRRP group 4. Because group 3 is active on FW_A and group 4 on FW_B, this is what splits the two departments' traffic across the two firewalls in normal operation.
  5. Configure a security policy.

    The security policy configurations on FW_A will be automatically backed up to FW_B.

    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy, set the following parameters to configure the security policy, and click OK.

       Name: policy_sec
       Source Zone: trust
       Destination Zone: isp1, isp2
       Action: Permit

       This rule permits any source address, destination address, and service from the trust zone to both ISP zones. In production, restrict it to the department address ranges and the services they actually need.

  6. Configure a NAT policy to allow intranet users to access the Internet using the public IP address after NAT.

    The NAT policy configurations on FW_A will be automatically backed up to FW_B.

    1. Choose Policy > NAT Policy > NAT Policy.
    2. Click the Source Translation Address Pool tab, click Add, set the following parameters to configure NAT address pool 1, and click OK.

       Name: 1
       IP Address Range: 1.1.1.3-1.1.1.3

    3. Repeat the preceding steps to configure NAT address pool 2.

       Name: 2
       IP Address Range: 2.2.2.3-2.2.2.3

       1.1.1.3 and 2.2.2.3 are also the virtual IP addresses of VRRP groups 1 and 2 (see the configuration script), so each translated public address is owned by whichever firewall is currently active for that group and keeps working after a failover.

    4. Click the NAT Policy tab, click Add, set the following parameters to configure a NAT policy between the trust zone and the isp1 zone, and click OK.

       Name: policy_nat_1
       NAT Type: NAT
       NAT Mode: Source address translation
       Original Data Packet
         Source Zone: trust
         Destination Zone: isp1
       Translated Data Packet
         Source Address: Addresses in the IP Address Pool
         Source Translation Address Pool: 1

    5. Repeat the preceding steps to configure a NAT policy between the trust zone and the isp2 zone.

       Name: policy_nat_2
       NAT Type: NAT
       NAT Mode: Source address translation
       Original Data Packet
         Source Zone: trust
         Destination Zone: isp2
       Translated Data Packet
         Source Address: Addresses in the IP Address Pool
         Source Translation Address Pool: 2

Verification

Choose System > High Availability > Dual-System Hot Standby and check the running status of dual-system hot standby.

  • Normally, Working Mode is Load Sharing on both FW_A and FW_B, and Current Status is Active on FW_A and Standby on FW_B. Both firewalls forward traffic.
  • If FW_A fails, Working Mode changes to Active/Standby Backup on both FW_A and FW_B, and Current Status is Standby on FW_A and Active on FW_B. Only FW_B forwards traffic.

Configuration Script

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone isp1
 set priority 10
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15
 add interface GigabitEthernet 0/0/2
#
 nat address-group 1
 section 0 1.1.1.3 1.1.1.3
 nat address-group 2
 section 0 2.2.2.3 2.2.2.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp mirror session enable
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 standby
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone isp1
 set priority 10
 add interface GigabitEthernet 0/0/1
#
firewall zone isp2
 set priority 15
 add interface GigabitEthernet 0/0/2
#
 nat address-group 1
 section 0 1.1.1.3 1.1.1.3
 nat address-group 2
 section 0 2.2.2.3 2.2.2.3
#
security-policy  
 rule name policy_sec
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  action permit    
#
policy-based-route
 rule name route_policy_isp1
  source-zone trust
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-zone trust
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  destination-zone isp1
  action source-nat address-group 1
 rule name policy_nat_2
  source-zone trust
  destination-zone isp2
  action source-nat address-group 2
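As an added worked example (not part of this page and not Huawei tooling), the script below checks the two configuration scripts above against each other for what the procedure requires by hand: the routing and NAT address pool blocks, which hot standby does not back up, must be identical on both firewalls; each VRRP group must be active on exactly one firewall; the remote address of each hrp interface line must be the peer's heartbeat interface address; and each NAT pool address must be a VRRP virtual IP so that it moves with the active role. It embeds an abbreviated copy of FW_A's script (the zone, security-policy and nat-policy blocks are left out because the checks do not read them) and derives FW_B's script from it the way the page's FW_B differs from FW_A. The parser, the check names and the finding messages are the editor's own and are not a Huawei interface.

```python
"""Consistency checks for the FW_A / FW_B pair on this page (an added example,
not Huawei tooling). It parses an abbreviated, inline copy of the page's
configuration scripts and verifies what hot standby does not enforce by
itself: routing and NAT-pool blocks identical on both boxes, every VRRP
group active on exactly one box, heartbeat peers pointing at each other,
and every NAT pool address being a VRRP virtual IP of the pair."""
import ipaddress
import re

# FW_A's script from the page, reduced to the blocks the checks read.
FW_A = """\
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
#
interface GigabitEthernet 0/0/2
 ip address 2.2.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 2.2.2.3 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
 nat address-group 1
 section 0 1.1.1.3 1.1.1.3
 nat address-group 2
 section 0 2.2.2.3 2.2.2.3
#
policy-based-route
 rule name route_policy_isp1
  source-address range 10.3.0.51 10.3.0.100
  action pbr next-hop 1.1.1.254
 rule name route_policy_isp2
  source-address range 10.3.0.101 10.3.0.150
  action pbr next-hop 2.2.2.254
"""

def peer_config(text):
    """FW_B's script on the page is FW_A's with the box's own addresses moved
    from .1 to .2 (and the heartbeat peer from .2 to .1) and every VRRP role
    swapped, so build it that way instead of repeating it."""
    text = text.replace("remote 10.10.0.2", "remote 10.10.0.1")
    for own, peer in (("1.1.1.1 ", "1.1.1.2 "), ("2.2.2.1 ", "2.2.2.2 "),
                      ("10.3.0.1 ", "10.3.0.2 "), ("10.10.0.1 ", "10.10.0.2 ")):
        text = text.replace(own, peer)
    swap = {"active": "standby", "standby": "active"}
    return re.sub(r"(active|standby)$", lambda m: swap[m.group(1)], text, flags=re.M)

FW_B = peer_config(FW_A)

def parse(text):
    """Split a script into '#'-delimited blocks and pull out what the checks need."""
    cfg = {"ifaces": {}, "vrrp": {}, "pools": set(), "shared": set(), "hb": None}
    for block in filter(str.strip, text.split("#\n")):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines[0].startswith("interface "):
            name = lines[0].split(" ", 1)[1]
            for ln in lines[1:]:
                if ln.startswith("ip address "):
                    cfg["ifaces"][name] = ipaddress.ip_interface("/".join(ln.split()[2:]))
                elif ln.startswith("vrrp vrid "):
                    _, _, vrid, _, vip, role = ln.split()
                    cfg["vrrp"][(name, int(vrid), vip)] = role
        elif lines[0] == "hrp enable":
            cfg["hb"] = re.search(r"hrp interface (\S+ \S+) remote (\S+)", block).groups()
        else:  # everything else (routes, NAT pools, policies) must match on both boxes
            cfg["shared"].add("\n".join(lines))
            for lo, hi in re.findall(r"section \d+ (\S+) (\S+)", block):
                lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
                cfg["pools"].update(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))
    return cfg

def check_pair(a_text, b_text):
    """Return findings for the pair; an empty list means it is consistent."""
    a, b = parse(a_text), parse(b_text)
    findings = []
    for blk in sorted(a["shared"] ^ b["shared"]):  # block present on one box only, or differing
        findings.append("drift: block differs between the two boxes: " + blk.splitlines()[0])
    for key in sorted(set(a["vrrp"]) | set(b["vrrp"])):  # (interface, vrid, virtual IP)
        roles = (a["vrrp"].get(key), b["vrrp"].get(key))
        if sorted(r for r in roles if r) != ["active", "standby"]:
            findings.append(f"vrrp: group {key[1]} on {key[0]} has roles FW_A={roles[0]} FW_B={roles[1]}")
    for name, own, peer in (("FW_A", a, b), ("FW_B", b, a)):
        hb_if, remote = own["hb"]
        peer_if = peer["ifaces"].get(hb_if)
        if peer_if is None or str(peer_if.ip) != remote:
            findings.append(f"hrp: {name} heartbeat remote {remote} is not the peer's {hb_if} address")
    vips = {vip for (_, _, vip) in a["vrrp"]}
    for addr in sorted(a["pools"] - vips):
        findings.append(f"nat: pool address {addr} is not a VRRP virtual IP, so it will not move with the active role")
    return findings
```

check_pair(FW_A, FW_B) returns an empty list for the pair on this page. Changing one PBR next hop on FW_B only, making VRRP group 3 active on both firewalls, or pointing NAT address pool 1 at the physical address 1.1.1.1 instead of the virtual IP 1.1.1.3 each produces a single finding, which is what the manual consistency requirement in step 2 amounts to when written down. The parser works on any script in the same format as long as blocks are separated by lines containing only #.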
Copyright © Huawei Technologies Co., Ltd.