Huawei Firewall Enterprise Dual Egress Firewall Load Configuration Example|LinkNewNet

New Products

New Promotion

-50%

C9500-40X-A

$4000 $2000

-29%

C9300-24T-A

$1750 $1250

-31%

DS-C9250I-K9

$1600 $1100

-38%

WS-C2960L-48PQ-LL

$800 $500

-42%

A9K-750W-AC

$600 $350

New Accessories

Huawei Firewall Enterprise Dual Egress Firewall Load Configuration Example

Sep 24 , 2022 2102

Case Study

---Huawei Enterprise dual firewall

Project Requirement:

There are 2 channels internal network in the company, FW1 and FW2 set as enterprise dual output firewall, internal network runs OSPF contract with firewall, output firewall works as load sharing, Vlan 10 through AR1, Vlan 20 trough AR2.

Topology as follow:

Related Devices:

Firewall：USG6000 Series

Router：AR2200 Series

Switch：S5700 Series

SW3 Dispose：

1、Create VLAN

vlan batch 10 13 20 23

2、Dispose Interface

interface GigabitEthernet0/0/1

port link-type access

port default vlan 10

stp edged-port enable

interface GigabitEthernet0/0/2

port link-type access

port default vlan 20

stp edged-port enable

interface GigabitEthernet0/0/23

port link-type access

port default vlan 13

stp edged-port enable

interface GigabitEthernet0/0/24

port link-type access

port default vlan 23

stp edged-port enable

3、Dispose IP address and DHCP

dhcp enable

interface Vlanif10

ip address 192.168.10.1 255.255.255.0

dhcp select interface

dhcp server excluded-ip-address 192.168.10.200 192.168.10.254

dhcp server dns-list 114.114.114.114

interface Vlanif13

ip address 13.0.0.3 255.255.255.0

interface Vlanif20

ip address 192.168.20.1 255.255.255.0

dhcp select interface

dhcp server excluded-ip-address 192.168.20.200 192.168.20.254

dhcp server dns-list 114.114.114.114

interface Vlanif23

ip address 23.0.0.3 255.255.255.0

4、Dispose OSPF

ospf 10 router-id 3.3.3.3

area 0.0.0.0

network 192.168.10.1 0.0.0.0

network 13.0.0.3 0.0.0.0

network 192.168.20.1 0.0.0.0

network 23.0.0.3 0.0.0.0

network 3.3.3.3 0.0.0.0

FW1 Dispose

1、Dispose interface IP

interface Eth-Trunk12

ip address 10.1.12.1 255.255.255.0

truckport gigabitethernet 1/0/5 1/0/6

service-manage ping permit

interface GigabitEthernet1/0/0

undo shutdown

ip address 100.1.11.1 255.255.255.0

gateway 100.1.11.254

interface GigabitEthernet1/0/1

undo shutdown

ip address 100.1.12.1 255.255.255.0

gateway 100.1.12.254

interface GigabitEthernet1/0/2

undo shutdown

ip address 13.0.0.1 255.255.255.0

service-manage ping permit

interface LoopBack0

ip address 1.1.1.1 255.255.255.255

2、Interface Zone

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/2

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface GigabitEthernet1/0/1

firewall zone dmz

set priority 50

add interface Eth-Trunk12

3、Switch-on IP-LINK and Dispose

ip-link check enable

ip-link name isp1

destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254

ip-link name isp2

destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254

4、Dispose Default routing points to AR1 and combine to IP-LINK， Default routing enable and switch to another link when error occur,

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1

5、Dispose safety strategy

security-policy

rule name internet

source-zone trust

destination-zone untrust

action permit

rule name inside

source-zone dmz

source-zone local

source-zone trust

destination-zone dmz

destination-zone local

destination-zone trust

service icmp

service ospf

action permit

6、Dispose OSPF

ospf 10 router-id 1.1.1.1

default-route-advertise

area 0.0.0.0

network 1.1.1.1 0.0.0.0

network 13.0.0.1 0.0.0.0

7、Dispose NAT Strategy

nat-policy

rule name internet

source-zone trust

destination-zone untrust

action source-nat easy-ip

8、Dispose PBR redirection VLAN20 to AR2 as load sharing，and combine to IP-LINK，Redirection enable and switch to another link when error occur,

policy-based-route

rule name toisp2 1

source-zone trust

source-address address-set vlan20

track ip-link isp2

action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254

9、Output dispose vrrp, set analog interface 100.1.11.3 和100.1.12.3

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 100.1.11.3 active

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 100.1.12.3 standby

10、Start HRP，ensure the two firewall chatting chart synchronized

hrp enable

hrp interface Eth-Trunk12 remote 10.1.12.2

hrp mirror session enable

FW2 dispose

1、dispose interface IP

interface Eth-Trunk12

ip address 10.1.12.2 255.255.255.0

truckport gigabitethernet 1/0/5 1/0/6

service-manage ping permit

interface GigabitEthernet1/0/0

undo shutdown

ip address 100.1.11.2 255.255.255.0

gateway 100.1.11.254

interface GigabitEthernet1/0/1

undo shutdown

ip address 100.1.12.2 255.255.255.0

gateway 100.1.12.254

interface GigabitEthernet1/0/2

undo shutdown

ip address 23.0.0.2 255.255.255.0

service-manage ping permit

interface LoopBack0

ip address 2.2.2.2 255.255.255.255

2、Interface zone

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/2

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

add interface GigabitEthernet1/0/1

firewall zone dmz

set priority 50

add interface Eth-Trunk12

3、Start IP-LINK and dispose

ip-link check enable

ip-link name isp1

destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254

ip-link name isp2

destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254

4、Dispose default routing and points to AR1 and combine to IP-LINK，Default routing enable and switch to another link when error occurs,

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1

5、Dispose Safety Strategy

security-policy

rule name internet

source-zone trust

destination-zone untrust

action permit

rule name inside

source-zone dmz

source-zone local

source-zone trust

destination-zone dmz

destination-zone local

destination-zone trust

service icmp

service ospf

action permit

6、Dispose OSPF

ospf 10 router-id 2.2.2.2

default-route-advertise

area 0.0.0.0

network 2.2.2.2 0.0.0.0

network 23.0.0.2 0.0.0.0

7、Dispose NAT Strategy

nat-policy

rule name internet

source-zone trust

destination-zone untrust

action source-nat easy-ip

8、Dispose PBR Redirection VLAN20 to AR2 as load sharing，and combine to IP-LINK，Redirection enable and switch to another link when error occurs,

policy-based-route

rule name toisp2 1

source-zone trust

source-address address-set vlan20

track ip-link isp2

action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254

9、Output dispose vrrp, set analog interface 100.1.11.3 和100.1.12.3

interface GigabitEthernet1/0/0

vrrp vrid 1 virtual-ip 100.1.11.3 standby

interface GigabitEthernet1/0/1

vrrp vrid 2 virtual-ip 100.1.12.3 active

10、Start HRP，ensure twp firewall chatting chat synchronized

hrp enable

hrp interface Eth-Trunk12 remote 10.1.12.1

hrp mirror session enable

Dual firewall setting L2TP&IPSEC

Dispose as follow：

FW1

No need to explain too clear about interface and zone here,

1、Dispose and synchronized chatting chart

hrp interface Eth-Trunk12 remote 10.1.12.2

hrp mirror session enable

hrp enable

2、Dispose Safety zone.

Allow tunnel flow：

rule name untrust_local

source-zone untrust

destination-zone local

destination-address 10.1.1.3 mask 255.255.255.255

action permit

rule name VPN

source-zone untrust

destination-zone trust

destination-address address-set neiwang

action permit

3、Dispose admin user

Graphic Create

4、Dispose L2TP&IPSEC

Dispose encode flow

acl number 3000

rule 5 permit udp source-port eq 1701

Dispose IPSEC Suggestions

ipsec proposal prop25815354029

encapsulation-mode auto

esp authentication-algorithm sha2-256

esp encryption-algorithm aes-256

Dispose IKE Suggestions

ike proposal 1

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

Dipose IKE

ike peer ike258153540293

exchange-mode auto

pre-shared-key %^%#vHz}X2hmkWAE[x.+(R9OUK8fG-~)):#E$<0jc!r9%^%#

ike-proposal 1

remote-id-type none

dpd type periodic

ike negotiate compatible

Dipose IPSEC Strategy

ipsec policy-template tpl258153540293 1

security acl 3000

ike-peer ike258153540293

proposal prop25815354029

tunnel local 10.1.1.3

alias zon

sa duration traffic-based 10485760

sa duration time-based 3600

scenario point-to-multi-point l2tp-user-access

Dispose application IPSEC strategy

ipsec policy ipsec2581535397 10000 isakmp template tpl258153540293

Dispose VPN link address

ip pool server

section 0 172.16.10.10 172.16.10.100

excluded-ip-address 172.16.10.10

dns-list 114.114.114.114

Dispose L2TP

l2tp-group default-lns

allow l2tp virtual-template 0

interface Virtual-Template0

ppp authentication-mode chap pap

remote service-scheme l2tpScheme_1661412940479

ip address 172.16.10.10 255.255.255.255

alias L2TP_LNS_0

undo service-manage enable

5、Interface Application

interface GigabitEthernet1/0/0

ipsec policy ipsec2581535397

FW2

1、Configure the heartbeat synchronization session table

hrp interface Eth-Trunk12 remote 10.1.12.2

hrp mirror session enable

hrp enable

2、Configure heartbeat synchronization safety zone and L2TP&IPSEC configuration

No more extra explanation here.

Next: What's the difference between a switch and a router?

Tags: Huawei Enterprise firewall

Related Blogs

Sep 26 , 2024

What is the difference between a router and a switch?

In the modern networking world, we often use routers and switches for networking, and they play an important role in network circulation in their respective fields. Due to the many similarities in the functions of these two devices, many people are confused about what exactly is a router? What is a switch is more or less confused. What are the differences between them? Today we will reveal them one by one.

Sep 21 , 2024

Creating and Deleting VLANs on Cisco Switches

In modern enterprise networks, VLANs play a very important role in network transmission. Administrators can use VLANs to divide a physical switch into multiple logical switches to simplify network management and improve network performance and security. As network administrators, learning how to create and delete VLANs on Cisco Catalyst switches is a must-have skill.

Sep 10 , 2024

Cisco 3750X Switch vs 3850 Switch, which is better for your business?

When choosing an enterprise switch, network administrators and IT engineers often encounter a situation where they are torn between two models, especially products with similar performance, such as the Cisco 3750X and 3850 series is a typical example. These two switches, as Cisco's classics, have a wide range of applications in the market. So, what is the difference between these two? And how are they related to each other?

Sep 04 , 2024

What is console cable? How to manage the switch easily through console cable?

In modern IT equipment management, the switch is the core of the network, and to manage it in the simplest way during daily use, it is indispensable to support the Console cable. Although many people do not understand this small cable, but it is the network administrator's daily work in the “secret weapon”. Whether you are configuring a device for the first time or troubleshooting a problem, the console cable is an indispensable networking tool.

Aug 29 , 2024

How do I connect a Cisco wireless AP to a wireless controller?

Wireless access points are primarily responsible for providing wireless signal coverage and connectivity, while wireless controllers are responsible for centrally managing and optimizing the performance and security of multiple access points. Used in combination, the two can build an efficient, stable and secure wireless network. How to connect wireless controller with wireless access point

Jul 05 , 2022

Cisco Catalyst 2960 Series Switches Overview

Cisco Catalyst 2960 series switches provide services for conventional office, branches, workspaces, medium-sized deployments and infrastructure networks. This series offers forwarding bandwidths up to 100-108 Gigabyte per second (Gbps) and switching bandwidth, which is full duplex up to 216 Gigabyte per second (Gbps). In addition, this series includes several other sub-series: Cisco 2960S, Cisco 2960X, Cisco 2960+, Cisco 2960L, and 2960XR.

Jul 05 , 2022

How To Upgrade IOS On Cisco 3560 Switches?

Do you want to upgrade Cisco 3560 switch IOS? It is very easy, you only need to do these 4 steps. Below are the details about how to do it.

Jul 05 , 2022

Top 9 Reasons for Network Switches Failure

The switch will inevitably encounter failures during normal use. Network switch failures can cause network downtime, affecting our business, production, and damage to our property, so we have to troubleshoot and repair the switch in the shortest possible time. Here we introduce you to the 9 common hardware and software failures of the switch.

Jul 06 , 2022

What Are the 4 Types of Network Switches?

The Internet of Everything is inseparable from the essential network equipment - switches, which will play a vital role in the networking of the Internet of Things. Below is an introduction to four network switch architectures, their types include Cascade Connection,Port Aggregation,Stacking,Layered.

Jul 06 , 2022

How Do I Troubleshooting Cisco Switches Hardware Issue

During the daily use of the switch, we may encounter some failures, the faults of the switch are mainly divided into two categories. The first type is a hardware failure, which is a problem on the hardware. The second type is software failure, which is a problem inside the switch. Now let's troubleshooting the hardware failure.