
Firewall Blacklist Configuration Examples

Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 1
4.1 Network Requirements ... 1
4.2 Networking Diagram ... 2
4.3 Configuration Procedure
4.4 Complete Configuration

Copyright 2007 Hangzhou H3C Technologies Co., Ltd.

www.h3c.com


1 Feature Introduction


A blacklist filters packets by their source IP address. Because the only match field is the source address, the lookup is simple and fast, which makes the blacklist an effective way to shield the network from packets sent by a specific IP address. Its most important property is that SecBlade can add and delete blacklist entries dynamically: when SecBlade detects from packet behaviour that a specific IP address is attempting an attack, it adds that address to the blacklist so that packets from it are filtered. Entries can also be added manually with a timeout, as in the example below.
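The dynamic behaviour described above, as an added example that is not part of the original H3C document: a small Python script that counts denied connection attempts per source address over constructed log lines and emits the SecBlade-style blacklist command used later in this example for any source that crosses a threshold inside a sliding window. The log line format, the threshold and the window are assumptions of this example; the SecBlade's own log format is not shown on this page.

```python
"""Dynamic blacklist generator (added example, not H3C code).

Scans constructed log lines of denied packets, keeps a sliding window of
attempts per source IP, and emits 'firewall blacklist <ip> timeout <min>'
for sources that exceed the threshold.  Once a source is blacklisted it is
not re-added until its entry has aged out.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines; this is NOT the SecBlade's real log format.
SAMPLE_LOG = """\
2007-03-01 10:00:01 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=22
2007-03-01 10:00:02 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=23
2007-03-01 10:00:03 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=25
2007-03-01 10:00:04 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=80
2007-03-01 10:00:05 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=443
2007-03-01 10:00:06 deny src=202.0.0.7 dst=10.0.0.2 proto=tcp dport=80
2007-03-01 10:00:07 deny src=202.0.0.1 dst=10.0.0.2 proto=tcp dport=3389
2007-03-01 10:05:00 deny src=202.0.0.7 dst=10.0.0.2 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) deny src=(?P<src>[\d.]+)"
)


def parse(line):
    """Return (timestamp, source IP) for a denied-packet line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]


def detect(log_text, threshold=5, window_s=60, timeout_min=100):
    """Return (commands, expiry) where commands is the list of blacklist
    commands to issue, in order, and expiry maps source IP -> datetime at
    which its blacklist entry ages out (timeout is in minutes, as on the
    SecBlade)."""
    recent = defaultdict(deque)   # src -> timestamps inside the window
    expiry = {}                   # src -> when the entry times out
    commands = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        already_listed = src in expiry and ts < expiry[src]
        if len(q) >= threshold and not already_listed:
            expiry[src] = ts + timedelta(minutes=timeout_min)
            commands.append(f"firewall blacklist {src} timeout {timeout_min}")
    return commands, expiry


if __name__ == "__main__":
    for cmd in detect(SAMPLE_LOG)[0]:
        print(cmd)
```

With the sample above only 202.0.0.1 reaches five denied attempts within a minute, so one command is produced, and the sixth attempt from that address does not produce a second one because the entry is still active.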

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (not supported in R2126 and later).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions
By default, the firewall forwards no packets. To let the firewall forward packets, execute the firewall packet-filter default permit command. This makes permit the default action for packets that match no packet-filter rule, so any filtering in the examples comes from the ACLs and blacklist entries that are configured explicitly.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, assume that the firewall board is in slot 4 of the S9500 switch. The internal host and the external host reside in the Trust zone and the Untrust zone of the firewall respectively. It is required that all packets sourced from the external host be filtered for 100 minutes. The IP address of the external host is 202.0.0.1.


4.2 Networking Diagram

Figure 4-1 Networking diagram of blacklist of firewall

4.3 Configuration Procedure


# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30

# Configure IP addresses for the internal VLAN interface and the SecBlade interconnecting VLAN interface.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24

# Configure a route, setting the next hop of the external network packets to the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the SecBlade module, with VLAN 50 as the security VLAN and VLAN 30 as the interconnecting VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4

# Enter SecBlade view and configure the interconnecting sub-interface and the external network sub-interface of the SecBlade (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24

# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50

# Configure the routes: the next hop for internal network packets is the S9500, and the next hop for external network packets is the router.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1

# In SecBlade view, add the external host to the blacklist for 100 minutes and enable the blacklist function.
[SecBlade_FW] firewall blacklist 202.0.0.1 timeout 100
[SecBlade_FW] firewall blacklist enable

4.4 Complete Configuration


#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10
 ip address 10.0.0.1 24
#
interface vlan-interface 30
 ip address 30.0.0.1 24
#
interface Ethernet2/1/2
 port access vlan 10
#
interface Ethernet3/1/1
 port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
 secblade-interface vlan-interface 30
 security-vlan 50
 map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the sub-interfaces and their zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
 quit
interface g0/0.30
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.30
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
 quit

# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1

# Add the external host address as a blacklist entry.
firewall blacklist 202.0.0.1 timeout 100

# Enable the blacklist function.
firewall blacklist enable


Firewall Route Mode Configuration Examples

Table of Contents
1 Versions Applicable ... 1
2 Precautions ... 1
3 Configuration Examples ... 1
3.1 Network Requirements ... 1
3.2 Networking Diagram ... 2
3.3 Configuration Procedure ... 2
3.4 Complete Configuration ... 3


1 Versions Applicable


Software versions: S9500-CMW310-R1628 and later (not supported in R2126 and later).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

2 Precautions
By default, the firewall forwards no packets. To let the firewall forward packets, execute the firewall packet-filter default permit command.

3 Configuration Examples
3.1 Network Requirements
In the network shown in Figure 3-1, assume that the firewall is in slot 4 of the S9500 switch and operates in route mode. The gateways of both the internal host and the external host are on the firewall. In this case no Layer 3 interfaces need to be configured on the S9500: the switch acts as a Layer 2-only device and all Layer 3 forwarding is done by the firewall.


3.2 Networking Diagram

[Figure 3-1 content: the S9500 connects the Trust-zone PC (50.1.1.1/24) through E2/1/2 in VLAN 50 and the Untrust-zone PC (60.1.1.1/24) through E3/1/3 in VLAN 60. The firewall sub-interfaces are G0/0.50 (VID 50, 50.1.1.254/24, Trust zone) and G0/0.60 (VID 60, 60.1.1.254/24, Untrust zone).]

Figure 3-1 Networking diagram of route mode of firewall

3.3 Configuration Procedure


# Add internal VLAN 50 and external VLAN 60.
<S9500> system-view
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E3/1/3

# Configure the SecBlade module, and configure internal VLAN 50 and external VLAN 60 as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 50 60
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view

# In SecBlade view, set the firewall mode to route mode, configure the sub-interfaces with IP addresses and add each one to its zone.
[SecBlade_FW] firewall mode route
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] ip address 60.1.1.254 24
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.60

3.4 Complete Configuration


#
vlan 50
#
vlan 60
#
interface Ethernet2/1/2
 port access vlan 50
#
interface Ethernet3/1/3
 port access vlan 60
#
secblade module test
 security-vlan 50 60
 map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the firewall mode.
firewall mode route

# Configure the sub-interfaces and zones.
interface g0/0.50
 vlan-type dot1q vid 50
 ip address 50.1.1.254 24
 quit
interface GigabitEthernet 0/0.60
 vlan-type dot1q vid 60
 ip address 60.1.1.254 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.60
 quit


Transparent Firewall Configuration Examples

Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 1
4.1 Network Requirements ... 1
4.2 Networking Diagram ... 2
4.3 Configuration Procedure ... 2
4.4 Complete Configuration ... 3


1 Feature Introduction


When the firewall works in transparent mode (also called bridging mode), its interfaces are not configured with IP addresses. Each interface belongs to a Layer 2 security zone and is on the same subnet as the external device connected through the corresponding Layer 2 zone interface. When forwarding packets between interfaces in Layer 2 zones, the firewall selects the outgoing interface from the destination MAC address of the packet, so SecBlade behaves as a transparent bridge.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (not supported in R2126 and later).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions

By default, the firewall forwards no packets. To let the firewall forward packets, execute the firewall packet-filter default permit command.

The security-VLAN IDs on different firewall boards cannot be the same.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the firewall works in transparent mode. Apply a MAC address-based ACL on the firewall so that host PC_A in the Trust zone can access resources in the DMZ and Untrust zones, and use the blacklist to filter all packets sent by host PC_B in the Untrust zone. The MAC address of PC_A is 000f-1f7e-fec5, and the IP address of PC_B is 10.0.0.50.

4.2 Networking Diagram

Figure 4-1 Networking diagram of transparent firewall

4.3 Configuration Procedure


# Add internal VLAN 10, external VLAN 50 and DMZ VLAN 60.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/1
[S9500] vlan 50
[S9500-vlan50] port E2/1/2
[S9500] vlan 60
[S9500-vlan60] port E2/1/3

# Configure the SecBlade module, and configure the three VLANs as security VLANs.
[S9500] secblade module test
[S9500-secblade-test] security-vlan 10 50 60
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view

# In SecBlade view, set the firewall mode to transparent, configure the sub-interfaces and add each one to its zone. No IP addresses are configured on the sub-interfaces in this mode.
[SecBlade_FW] firewall mode transparent
[SecBlade_FW] interface GigabitEthernet 0/0.10
[SecBlade_FW-GigabitEthernet0/0.10] vlan-type dot1q vid 10
[SecBlade_FW] interface g0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] vlan-type dot1q vid 60
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.10
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ] add interface GigabitEthernet 0/0.60

# In SecBlade view, configure the ACL and the blacklist. ACL 4000 permits Ethernet frames whose source MAC address is that of PC_A; it is applied outbound on the Untrust and DMZ sub-interfaces, so frames from PC_A may leave toward those zones. The blacklist entry drops all packets from PC_B for 60 minutes.
[SecBlade_FW] acl number 4000
[SecBlade_FW-acl-ethernetframe-4000] rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] interface GigabitEthernet 0/0.60
[SecBlade_FW-GigabitEthernet0/0.60] firewall ethernet-frame-filter 4000 outbound
[SecBlade_FW] firewall blacklist item 10.0.0.50 timeout 60
[SecBlade_FW] firewall blacklist enable

4.4 Complete Configuration


#
vlan 10
#
vlan 50
#
vlan 60
#
interface Ethernet2/1/1
 port access vlan 10
#
interface Ethernet2/1/2
 port access vlan 50
#
interface Ethernet2/1/3
 port access vlan 60
#
secblade module test
 security-vlan 10 50 60
 map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the firewall mode.
firewall mode transparent

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.10
 vlan-type dot1q vid 10
 quit
interface g0/0.50
 vlan-type dot1q vid 50
 quit
interface GigabitEthernet 0/0.60
 vlan-type dot1q vid 60
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.10
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone DMZ
 add interface GigabitEthernet 0/0.60
 quit

# Configure the MAC-based ACL rule.
acl number 4000
 rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
 quit

# Apply the frame filter on the Untrust and DMZ sub-interfaces.
interface GigabitEthernet 0/0.50
 firewall ethernet-frame-filter 4000 outbound
interface GigabitEthernet 0/0.60
 firewall ethernet-frame-filter 4000 outbound


# Add the address of PC_B as a blacklist entry.
firewall blacklist 10.0.0.50 timeout 60

# Enable the blacklist function.
firewall blacklist enable


ASPF Configuration Examples

Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 1
4.1 Network Requirements ... 1
4.2 Networking Diagram ... 2
4.3 Configuration Procedure ... 2
4.4 Complete Configuration ... 3


1 Feature Introduction


ASPF (Application Specific Packet Filter) extends the firewall on the CMW platform with application-layer filtering. It is a higher-level form of filtering: it inspects application-layer protocol information and tracks the state of application-layer protocols that use connections. ASPF maintains state for every connection and uses it to decide dynamically whether a packet is permitted through the firewall or discarded.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (not supported in R2126 and later).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions
By default, the firewall forwards no packets. To let the firewall forward packets, execute the firewall packet-filter default permit command.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, configure an ASPF policy on the SecBlade to inspect FTP traffic passing through the firewall. Requirement: the response packets of FTP connections initiated by internal users are permitted into the internal network, and all other packets from the outside are denied. This example applies to cases where local users access a remote network.


4.2 Networking Diagram

Figure 4-1 Networking diagram of ASPF of firewall

4.3 Configuration Procedure


# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
<S9500> system-view
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E3/1/1
[S9500] vlan 30

# Configure IP addresses for the internal VLAN interface and the interconnecting VLAN interface.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24

# Configure a default route whose next hop for external network packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the SecBlade module, with VLAN 50 as the security VLAN and VLAN 30 as the interconnecting VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4

# Enter SecBlade view and configure the interconnecting sub-interface (VLAN 30) and the external network sub-interface (VLAN 50) (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24

# Add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50

# Configure the routes: the next hop for external network packets is the router, and the next hop for internal network packets is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 50.0.0.1
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1

# In SecBlade view, enable packet filtering, create ACL 3111 (which denies all IP traffic) and create ASPF policy 1 to inspect FTP. ASPF records the state of FTP control connections that internal users initiate; the inbound deny-all ACL is then bypassed only for packets belonging to a recorded FTP session or to a data connection announced on its control channel. Session state ages out after the aging time (3000 seconds here), after which the inbound ACL applies again.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3111
[SecBlade_FW-acl-adv-3111] rule deny ip
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect ftp aging-time 3000

# In SecBlade view, apply the ASPF policy outbound on the external network sub-interface, and apply ACL 3111 inbound on the same sub-interface so that only packets matching ASPF state are admitted from the outside.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] firewall aspf 1 outbound
[SecBlade_FW-GigabitEthernet0/0.50] firewall packet-filter 3111 inbound

4.4 Complete Configuration


#
vlan 10
#
vlan 30
#
vlan 50
#
interface vlan-interface 10
 ip address 10.0.0.1 24
#
interface vlan-interface 30
 ip address 30.0.0.1 24
#
interface Ethernet2/1/2
 port access vlan 10
#
interface Ethernet3/1/1
 port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
 secblade-interface vlan-interface 30
 security-vlan 50
 map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
 quit
interface g0/0.30
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.30
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
 quit

# Configure the routes.
ip route-static 0.0.0.0 0 50.0.0.1
ip route-static 10.0.0.0 24 30.0.0.1


# Configure the ACL and the ASPF policy.
firewall packet-filter enable
acl number 3111
 rule deny ip
 quit
aspf-policy 1
 detect ftp aging-time 3000

# Apply the ASPF policy outbound on the external network sub-interface.
interface GigabitEthernet 0/0.50
 firewall aspf 1 outbound

# Apply ACL 3111 inbound on the external network sub-interface.
interface GigabitEthernet 0/0.50
 firewall packet-filter 3111 inbound


Firewall NAT Configuration Examples

Table of Contents
1 Feature Introduction ... 1
2 Versions Applicable ... 1
3 Precautions ... 1
4 Configuration Examples ... 1
4.1 Network Requirements ... 1
4.2 Networking Diagram ... 2
4.3 Configuration Procedure ... 2
4.4 Complete Configuration ... 4


1 Feature Introduction


Network Address Translation (NAT) replaces the IP address in an IP header with another IP address. In practice NAT is used to let private networks reach external networks: a small number of public IP addresses represents a large number of private addresses, which greatly reduces the consumption of public address space.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and later (not supported in R2126 and later).
Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions
By default, the firewall forwards no packets. To let the firewall forward packets, execute the firewall packet-filter default permit command.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, users access the Internet through the address translation function of the firewall. The company provides WWW and FTP services to the outside. The internal address of the FTP server is 192.168.2.3/24 and that of the WWW server is 192.168.2.2/24; both servers must be reachable through the same external IP address. The internal network segment 192.168.3.0/24 can access the Internet, while PCs in other network segments cannot. An external PC can access the internal servers. The company has 10 valid external IP addresses, 202.115.1.1 to 202.115.1.10; 202.115.1.1 is used as the external IP address of the company.

4.2 Networking Diagram


[Figure 4-1 content: the S9500 connects the PC (192.168.3.2/24) through E2/1/2 in VLAN 3 (Vlan-interface 3, 192.168.3.1/24), the WWW server (192.168.2.2/24) and the FTP server (192.168.2.3/24) through E2/1/1 in VLAN 2 (Vlan-interface 2, 192.168.2.1/24), and the Internet through E3/1/1 in VLAN 200. The S9500 reaches the firewall over VLAN 50 (Vlan-interface 50, 50.1.1.1/24). The firewall sub-interfaces are G0/0.50 (VID 50, 50.1.1.2/24, Trust zone) and G0/0.200 (VID 200, 202.115.1.1/24, Untrust zone).]

Figure 4-1 NAT networking diagram of firewall

4.3 Configuration Procedure


# Add internal VLAN 2 and VLAN 3, external VLAN 200 and SecBlade interface VLAN 50.
[S9500] vlan 2
[S9500-vlan2] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50

# Configure IP addresses for the internal VLAN interfaces and the SecBlade interconnecting VLAN interface.
[S9500] interface vlan-interface 2
[S9500-Vlan-interface2] ip address 192.168.2.1 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 192.168.3.1 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24

# Configure the default route, with the SecBlade firewall as the next hop for packets to the external network.
[S9500] ip route-static 0.0.0.0 0 50.1.1.2

# Configure the SecBlade module, with VLAN 200 as the security VLAN and VLAN 50 as the interconnecting VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50
[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system-view

# Configure the interconnecting sub-interface (VLAN 50) and the external sub-interface (VLAN 200) of the SecBlade, then add the interconnecting sub-interface to the trust zone and the external network sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200

# Configure the routes. The next hop of the default route is the external router, and the next hop of the internal network routes is the S9500. Note that the router address 202.115.1.2 also falls inside the NAT address pool configured below (202.115.1.2 to 202.115.1.10); in a real deployment the router's address must be excluded from the pool.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 192.168.2.0 24 50.1.1.1
[SecBlade_FW] ip route-static 192.168.3.0 24 50.1.1.1

# In SecBlade view, configure the NAT address pool.
[SecBlade_FW] nat address-group 1 202.115.1.2 202.115.1.10

# In SecBlade view, configure the ACL that selects the internal users whose traffic is translated, and bind NAT to the external sub-interface. Basic ACL rules use wildcard masks (0.0.0.255 matches a /24). The rule for 192.168.2.0/24 also lets the server segment initiate outbound connections; omit it if, as the requirements state, only 192.168.3.0/24 should reach the Internet.
[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule permit source 192.168.3.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny source any
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] nat outbound 2001 address-group 1


# Configure the internal servers so that external users can reach them through 202.115.1.1.
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
[SecBlade_FW-GigabitEthernet0/0.200] nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www

4.4 Complete Configuration


#
vlan 2
#
vlan 3
#
vlan 50
#
vlan 200
#
interface vlan-interface 2
 ip address 192.168.2.1 24
#
interface vlan-interface 3
 ip address 192.168.3.1 24
#
interface vlan-interface 50
 ip address 50.1.1.1 24
#
interface Ethernet2/1/1
 port access vlan 2
#
interface Ethernet2/1/2
 port access vlan 3
#
interface Ethernet3/1/1
 port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
 secblade-interface vlan-interface 50
 security-vlan 200
 map to slot 4


# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.1.1.2 24
 quit
interface g0/0.200
 vlan-type dot1q vid 200
 ip address 202.115.1.1 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.200
 quit

# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 192.168.2.0 24 50.1.1.1
ip route-static 192.168.3.0 24 50.1.1.1

# Configure the address pool and ACL.
nat address-group 1 202.115.1.2 202.115.1.10
acl number 2001
 rule permit source 192.168.2.0 0.0.0.255
 rule permit source 192.168.3.0 0.0.0.255
 rule deny source any
 quit
interface GigabitEthernet 0/0.200
 nat outbound 2001 address-group 1

# Configure the inside servers.
interface GigabitEthernet 0/0.200
 nat server protocol tcp global 202.115.1.1 inside 192.168.2.3 ftp
 nat server protocol tcp global 202.115.1.1 inside 192.168.2.2 www

Packet Filtering Firewall Configuration Examples

Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 1
4.1 Network Requirements ........ 1
4.2 Networking Diagram ........ 2
4.3 Configuration Procedure ........ 2
4.4 Complete Configuration ........ 3


1 Feature Introduction


The packet filter adds packet filtering to SecBlade. For each packet that SecBlade forwards, it first reads the packet header: the protocol number of the upper-layer protocol carried by the IP layer, the source address, the destination address, the source port and the destination port. It then compares these fields with the ACL rules and, according to the result, either forwards or discards the packet.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support). Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, users access the Internet through the SecBlade of the S9500 series switch. The company provides WWW and FTP services to the outside. The IP address of the WWW server is 20.0.0.1 and the IP address of the FTP server is 20.0.0.2. Only one specific external PC is permitted to access the two servers; all other resources of the internal network are inaccessible to external users. Assume that the IP address of the external user is 203.1.1.1.


4.2 Networking Diagram

Figure 4-1 Networking diagram of packet filter of firewall

4.3 Configuration Procedure


# Add internal VLAN 20 and VLAN 3, external VLAN 200 and SecBlade interface VLAN 50.
[S9500] vlan 20
[S9500-vlan20] port E2/1/1
[S9500] vlan 3
[S9500-vlan3] port E2/1/2
[S9500] vlan 200
[S9500-vlan200] port E3/1/1
[S9500] vlan 50

# Configure the IP addresses of the internal VLAN interfaces and of the SecBlade interface VLAN.
[S9500] interface vlan-interface 20
[S9500-Vlan-interface20] ip address 20.0.0.254 24
[S9500] interface vlan-interface 3
[S9500-Vlan-interface3] ip address 15.0.0.2 24
[S9500] interface vlan-interface 50
[S9500-Vlan-interface50] ip address 50.1.1.1 24

# Configure the routes. The next hop of the outbound packets is the SecBlade firewall.
[S9500] ip route-static 0.0.0.0 0 50.1.1.2

# Configure the SecBlade module and configure VLAN 200 as the security VLAN.
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 50
[S9500-secblade-test] security-vlan 200
[S9500-secblade-test] map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
<S9500> secblade slot 4
user:SecBlade
password:SecBlade

# Configure the sub-interfaces. The SecBlade interconnection sub-interface is VLAN 50 and the external sub-interface is VLAN 200. Add the interconnection sub-interface to the trust zone and the external sub-interface to the untrust zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.1.1.2 24
[SecBlade_FW] interface g0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] vlan-type dot1q vid 200
[SecBlade_FW-GigabitEthernet0/0.200] ip address 202.115.1.1 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.50
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.200

# Configure the routes. The next hop for packets to the external network is the router, and the next hop for packets to the internal network is the S9500.
[SecBlade_FW] ip route-static 0.0.0.0 0 202.115.1.2
[SecBlade_FW] ip route-static 20.0.0.0 24 50.1.1.1
[SecBlade_FW] ip route-static 15.0.0.0 24 50.1.1.1

# In SecBlade view, configure the ACL rules that permit only the specified external user to access the internal servers, and apply the ACL to the inbound direction of the external sub-interface.
[SecBlade_FW] firewall packet-filter enable
[SecBlade_FW] acl number 3002
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
[SecBlade_FW-acl-adv-3002] rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
[SecBlade_FW-acl-adv-3002] rule deny ip
[SecBlade_FW] interface GigabitEthernet 0/0.200
[SecBlade_FW-GigabitEthernet0/0.200] firewall packet-filter 3002 inbound
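The following Python model, added here and not part of the H3C document, parses the ACL 3002 rules exactly as written above and applies the packet filter to a few constructed packets arriving inbound on GigabitEthernet 0/0.200. Assumptions: rules are checked in configuration order and the first match decides, and a packet that matches no rule falls to the firewall's default action, which per the precautions is deny unless firewall packet-filter default permit has been configured. Note that the ACL as given on this page opens only TCP port 25 on 20.0.0.2, so a connection to port 21 on that host is caught by the final deny rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard 255.255.255.255 matches everything


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: tuple             # (address, wildcard mask)
    dst: tuple
    dport: Optional[int]   # destination-port eq N, or None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """H3C wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def parse_rule(line: str) -> Rule:
    """Parse one advanced-ACL rule using only the keywords this page uses, e.g.
    'rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80'
    or 'rule deny ip'.  The CLI shorthand '0' for a wildcard is 0.0.0.0 (exact match)."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    i = 2 if tok[1].isdigit() else 1          # skip an optional rule number
    action, proto = tok[i], tok[i + 1]
    i += 2
    src, dst, dport = ANY, ANY, None
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            wild = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
            if tok[i] == "source":
                src = (tok[i + 1], wild)
            else:
                dst = (tok[i + 1], wild)
            i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dport = int(tok[i + 2])
            i += 3
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Rule(action, proto, src, dst, dport)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *rule.src):
        return False
    if not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def packet_filter(rules, pkt: Packet, default_permit: bool = False) -> str:
    """First matching rule decides (assumed configuration order).  With no match
    the firewall default applies: deny, unless 'firewall packet-filter default
    permit' has been configured."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit" if default_permit else "deny"

# ACL 3002 exactly as configured on this page
ACL_3002 = [parse_rule(line) for line in (
    "rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80",
    "rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25",
    "rule deny ip",
)]

# Constructed sample packets arriving inbound on GigabitEthernet 0/0.200
SAMPLES = [
    Packet("tcp", "203.1.1.1", "20.0.0.1", 80),     # permit: WWW from the allowed PC
    Packet("tcp", "203.1.1.1", "20.0.0.2", 25),     # permit: port 25 on the FTP server host
    Packet("tcp", "203.1.1.1", "20.0.0.2", 21),     # deny: port 21 is not opened by the ACL
    Packet("tcp", "198.51.100.9", "20.0.0.1", 80),  # deny: any other external host
    Packet("icmp", "203.1.1.1", "15.0.0.2"),        # deny: other internal resources
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(f"{packet_filter(ACL_3002, pkt):6} {pkt}")
    # Without the closing 'rule deny ip' the default action decides unmatched traffic
    print(packet_filter(ACL_3002[:2], SAMPLES[3]),
          packet_filter(ACL_3002[:2], SAMPLES[3], default_permit=True))
```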

4.4 Complete Configuration


#
vlan 20
#
vlan 50
#
vlan 200
#
interface vlan-interface 3
 ip address 15.0.0.2 24
#
interface vlan-interface 20
 ip address 20.0.0.254 24
#
interface vlan-interface 50
 ip address 50.1.1.1 24
#
interface Ethernet2/1/1
 port access vlan 20
interface Ethernet2/1/2
 port access vlan 3
interface Ethernet3/1/1
 port access vlan 200
#
ip route-static 0.0.0.0 0 50.1.1.2 preference 60
#
secblade module test
 secblade-interface vlan-interface 50
 security-vlan 200
 map to slot 4

# Enter SecBlade view to configure the SecBlade (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.1.1.2 24
 quit
interface g0/0.200
 vlan-type dot1q vid 200
 ip address 202.115.1.1 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.50
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.200
 quit

# Configure the routes.
ip route-static 0.0.0.0 0 202.115.1.2
ip route-static 20.0.0.0 24 50.1.1.1
ip route-static 15.0.0.0 24 50.1.1.1

# Configure the ACL.
firewall packet-filter enable
acl number 3002

# These rules allow only the specified external user to access the internal servers from the external network, and no other resources of the internal network.
 rule permit tcp source 203.1.1.1 0 destination 20.0.0.1 0 destination-port eq 80
 rule permit tcp source 203.1.1.1 0 destination 20.0.0.2 0 destination-port eq 25
 rule deny ip

# Apply ACL 3002 to the inbound traffic of the external sub-interface.
interface GigabitEthernet 0/0.200
 firewall packet-filter 3002 inbound

Address Binding Configuration Examples

Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 1
4.1 Network Requirements ........ 1
4.2 Networking Diagram ........ 2
4.3 Configuration Procedure ........ 2
4.4 Complete Configuration ........ 3


1 Feature Introduction


Binding a MAC address to an IP address means that SecBlade associates a specific IP address with a specific MAC address. If a packet claims to have been sent from that IP address but its MAC address is not the one in the bound pair, SecBlade discards it. Packets sent to that IP address are forwarded to the bound MAC address when they pass through SecBlade. This is an effective way to protect against attacks that spoof the IP address.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support). Hardware versions: LSB1FW8DB0, LSB2FW8DB0.

3 Precautions
By default, the firewall does not forward any packets. To enable the firewall to forward packets, you need to execute the firewall packet-filter default permit command.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the Server is in the Trust zone of the firewall and the Client is in the Untrust zone. The IP address of the Client is 50.0.0.1 and its MAC address is 00e0-fc00-0100. Configure address binding on SecBlade so that packets complying with the binding relation can pass the firewall, and so that packets sent to 50.0.0.1 are delivered with the destination MAC address 00e0-fc00-0100.


4.2 Networking Diagram

Figure 4-1 Networking diagram of address-binding of firewall

4.3 Configuration Procedure


# Add internal VLAN 10, external VLAN 50 and SecBlade interface VLAN 30.
[S9500] vlan 10
[S9500-vlan10] port E2/1/2
[S9500] vlan 50
[S9500-vlan50] port E2/1/1
[S9500] vlan 30

# Configure the IP addresses of the internal VLAN interface (the VLAN where the server resides) and of the VLAN interface interconnecting the S9500 and SecBlade.
[S9500] interface vlan-interface 10
[S9500-Vlan-interface10] ip address 10.0.0.1 24
[S9500] interface vlan-interface 30
[S9500-Vlan-interface30] ip address 30.0.0.1 24

# Configure the routes. The next hop of external network packets is firewall SecBlade.
[S9500] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the SecBlade module, configure the external network VLAN as the security VLAN, and enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
[S9500] secblade module test
[S9500-secblade-test] secblade-interface vlan-interface 30
[S9500-secblade-test] security-vlan 50
[S9500-secblade-test] map to slot 4
<S9500> secblade slot 4
user:SecBlade
password:SecBlade
<SecBlade_FW> system


# In SecBlade view, configure the sub-interfaces and add each one to its zone.
[SecBlade_FW] interface GigabitEthernet 0/0.50
[SecBlade_FW-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_FW-GigabitEthernet0/0.50] ip address 50.0.0.254 24
[SecBlade_FW] interface g0/0.30
[SecBlade_FW-GigabitEthernet0/0.30] vlan-type dot1q vid 30
[SecBlade_FW-GigabitEthernet0/0.30] ip address 30.0.0.254 24
[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] add interface GigabitEthernet 0/0.30
[SecBlade_FW] firewall zone untrust
[SecBlade_FW-zone-untrust] add interface GigabitEthernet 0/0.50

# Configure the routes. The next hop of the internal network packet is the S9500.
[SecBlade_FW] ip route-static 10.0.0.0 24 30.0.0.1

# In SecBlade view, configure address binding: bind the client's IP address to its MAC address, then enable the function.
[SecBlade_FW] firewall mac-binding 50.0.0.1 00e0-fc00-0100
[SecBlade_FW] firewall mac-binding enable

4.4 Complete Configuration


#
vlan 10
#
vlan 50
#
vlan 30
#
interface vlan-interface 10
 ip address 10.0.0.1 24
#
interface vlan-interface 30
 ip address 30.0.0.1 24
#
interface Ethernet2/1/2
 port access vlan 10
#
interface Ethernet2/1/1
 port access vlan 50
#
ip route-static 0.0.0.0 0 30.0.0.254 preference 60
#
secblade module test
 secblade-interface vlan-interface 30
 security-vlan 50
 map to slot 4

# Enter SecBlade view (by default, the username and password are SecBlade, case sensitive).
secblade slot 4
user:SecBlade
password:SecBlade
system

# Configure the sub-interfaces and zones.
interface GigabitEthernet 0/0.50
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
 quit
interface g0/0.30
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
 quit
firewall zone trust
 add interface GigabitEthernet 0/0.30
 quit
firewall zone untrust
 add interface GigabitEthernet 0/0.50
 quit

# Configure the routes.
ip route-static 10.0.0.0 24 30.0.0.1

# Bind the client IP address to its MAC address in the address-binding relation.
firewall mac-binding 50.0.0.1 00e0-fc00-0100

# Enable the address-binding function.
firewall mac-binding enable

PING Optimization Configuration Examples

Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 2
4.1 Network Requirements ........ 2
4.2 Network Diagram ........ 2
4.3 Configuration Procedure ........ 2
4.4 Configuration Information ........ 3


1 Feature Introduction


Ping is a tool for testing link connectivity. A failed ping test does not affect the transmission of service packets, so ping test packets normally have low priority. As a result, when the CPU is busy handling services or is flooded with a large number of packets, ping packets may be seriously delayed or lost. Some applications are very sensitive to ping delay and loss. To keep these applications running smoothly, ping packets can be redirected to a separate channel to the CPU so that they are processed with higher priority.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support). Hardware version: S9500 whole series hardware versions.

3 Precautions

When configuring the packet redirection, do not specify an entire network segment for matching the destination IP address of the ICMP packets to be redirected. Otherwise, ICMP packets destined for other devices will also be redirected to the CPU, which will not only increase the CPU load, but also disable the S9500 from pinging other devices.

When the system is not being attacked, the non-fragmented packet has a smaller delay in ping test. If the application does not require a specifically small delay and high stability, do not configure any additional packet redirection.

Only the non-fragmented packets on the common VLAN interfaces will be guaranteed a small delay after redirection. For fragmented packets or packets destined for VPLS-enabled interfaces, the redirection can guarantee a higher stability, but little improvement on delay.

Currently only passive ping (the S9500 answering ping requests) meets the delay requirement; active ping (the S9500 initiating ping requests) does not.


When a line processing unit (LPU) is attacked by a large amount of ping packets, the stability of the ping test on the LPU cannot be guaranteed.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the S9500 is connected to the GSR through its port G1/1/1 and to the L2 switch through its port G2/1/1. It is required that the S9500's responses to ping packets arriving on ports G1/1/1 and G2/1/1 and addressed to its loopback interface 10.0.0.0, its upstream virtual interface 20.0.0.1 and its downstream interface 30.0.0.1 be stable and reliable.

4.2 Network Diagram

[Figure: GSR -- G1/1/1 20.0.0.1/24 -- S9500 (Loop 10.0.0.1/24) -- G2/1/1 30.0.0.1/24 -- L2Switch]

Figure 4-1 Ping optimization network diagram

4.3 Configuration Procedure


# Configure the ACL rules for ICMP echo request packets whose destination IP address is 10.0.0.1, 20.0.0.1 or 30.0.0.1.
<H3C> system-view
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
[H3C-acl-adv-3000] rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo

# Apply the rule on the ingress interfaces.
[H3C] interface GigabitEthernet 1/1/1
[H3C-GigabitEthernet1/1/1] traffic-redirect in ip-group 3000 cpu
[H3C] interface GigabitEthernet 2/1/1
[H3C-GigabitEthernet2/1/1] traffic-redirect in ip-group 3000 cpu

4.4 Configuration Information

#
acl number 3000
 rule 0 permit icmp destination 10.0.0.1 0 icmp-type echo
 rule 1 permit icmp destination 20.0.0.1 0 icmp-type echo
 rule 2 permit icmp destination 30.0.0.1 0 icmp-type echo
#
interface GigabitEthernet1/1/1
 traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
 traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
 traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#
interface GigabitEthernet2/1/1
 traffic-redirect inbound ip-group 3000 rule 0 system-index 2 cpu
 traffic-redirect inbound ip-group 3000 rule 1 system-index 3 cpu
 traffic-redirect inbound ip-group 3000 rule 2 system-index 4 cpu
#

Portal Configuration Examples

Table of Contents
1 Feature Introduction ........ 1
2 Versions Applicable ........ 1
3 Precautions ........ 1
4 Configuration Examples ........ 2
4.1 Network Requirements ........ 2
4.2 Network Diagram ........ 2
4.3 Configuration Procedure ........ 2
4.4 Configuration Procedure ........ 11


1 Feature Introduction


Portal is also known as Portal Web, and Portal authentication is also known as Web authentication. The advantages of Portal are:

No client software needs to be installed. New services are easy to support: through the Portal function, the carrier can offer information query and online shopping on the Portal page.

The rationale of Portal: an unauthenticated user can access only the specified web server; any other access is unconditionally redirected to the Portal server. The user cannot access the Internet until authentication succeeds.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support). Hardware version: S9500 whole series hardware versions.

3 Precautions

CAMS and the DHCP server must always stay connected to the switch.

On the DHCP server, configure address pools that can allocate addresses in 192.169.1.1/24 and 192.169.2.1/24.

If iNode is used on the client, the listening port of CAMS must be port 80.

After completing the configuration on CAMS, click Enable Configuration.

Portal and 802.1x cannot be used at the same time. If 802.1x is enabled, you cannot enable Portal on the VLAN interface.

A NAM board is required to use Portal together with the traffic accounting function.


4 Configuration Examples
4.1 Network Requirements

Applicable to cases such as schools or ISPs where authentication is required but no client software is to be used; the authentication can be completed with the IE browser alone.

4.2 Network Diagram

[Figure: DHCP Server 30.0.2.2; S9500 (DHCP relay) 202.103.0.2, port G3/2/4; Portal VLAN 192; Radius Server 202.103.0.1; PC]

Figure 4-1 Portal network diagram

4.3 Configuration Procedure

I. Configure the Switch

Configuring the DHCP relay

1) Global configuration
[S9500] portal method redhcp
[S9500] portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal

The portal method redhcp command designates that the Portal authentication method is re-authentication. The portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal command designates that the Portal server name is portal1, the IP address of the Portal server is 202.103.0.1, the key shared between the Portal server and the switch is hello, and the URL to which users are redirected for authentication is http://202.103.0.1/portal.

2) Configure the VLAN interface

# Configure the IP addresses of the VLAN interface.
[S9500] interface Vlan-interface 192
[S9500-Vlan-interface192] ip address 192.169.1.1 24
[S9500-Vlan-interface192] ip address 192.169.2.1 24 sub

# In VLAN interface view, designate this switch as the DHCP relay.
[S9500-Vlan-interface192] dhcp select relay

# In VLAN interface view, configure the IP address of the DHCP server.
[S9500-Vlan-interface192] ip relay address 30.0.2.2

# In VLAN interface view, enable the DHCP security entry check.
[S9500-Vlan-interface192] dhcp relay security address-check enable

# In VLAN interface view, enable Portal.
[S9500-Vlan-interface192] portal portal1

3) Configure the RADIUS scheme

# In system view, create the RADIUS scheme.
[S9500] radius scheme portal
New Radius scheme added.

# Configure the IP address and port of the primary authentication/accounting server.
[S9500-radius-portal] primary authentication 202.103.0.1 1812
[S9500-radius-portal] primary accounting 202.103.0.1 1813

# Configure the shared key between the switch and the RADIUS server.
[S9500-radius-portal] key authentication hello
[S9500-radius-portal] key accounting hello

# Configure the switch to send usernames to the RADIUS server without the domain name.
[S9500-radius-portal] user-name-format without-domain

4) Configure the ISP domain

# In system view, create the ISP domain.
[S9500] domain portal
New Domain added.

# Designate portal as the RADIUS scheme of the domain.
[S9500-isp-portal] radius-scheme portal

Configuring the DHCP server

# Create the DHCP address pools.
[S9500] dhcp server ip-pool dhcp_direct
[S9500-dhcp-dhcp_direct] network 192.169.1.0 mask 255.255.255.0
[S9500-dhcp-dhcp_direct] gateway-list 192.169.1.1
[S9500-dhcp-dhcp_direct] quit
[S9500] dhcp server ip-pool dhcp_second
[S9500-dhcp-dhcp_second] network 192.169.2.0 mask 255.255.255.0
[S9500-dhcp-dhcp_second] gateway-list 192.169.2.1
[S9500-dhcp-dhcp_second] quit

II. Configure CAMS (RADIUS and Portal server)

The following configuration is carried out on CAMS 2.10-R0208/CAMS V200R001B02D027.

1) Configure the access device

On the CAMS menu, click System Management->System Configuration->Access Device Configuration. The window below appears:

Figure 4-2 Add access device


Ensure that the address of the VLAN interface connecting the switch to CAMS lies between Start IP address and End IP address; this means that CAMS trusts the switches within that IP address range.

Configure the shared key as hello, the same as the key in the RADIUS scheme on the switch. For Service Type, select LAN Access Service. Configure Port List as 1812,1813, the ports on which the RADIUS server listens for RADIUS packets. Configure Protocol Type as Extensible Protocol.

Now the configuration of the access device is complete.

2) Configure the Portal component

# Configure server information
On the CAMS menu, click Component Management->Portal Component->Server Info. The window below appears:


Figure 4-3 Manage portal server information


Configure the primary IP address of the server as the Portal server address 202.103.0.1. For Listening Port Number, use the default value of 50100. Configure Portal Homepage as http://202.103.0.1/portal, the page selected when setting up the CAMS Portal component. Leave the other settings at their default values.

Click OK. The configuration of Portal Server Info Management is now complete.

# Configure IP Address Group
On the CAMS menu, click Component Management->Portal Component->IP Address Group. The window below appears:

Figure 4-4 Add IP address group (1)

Enter direct for Name, 192.169.1.1 for Start IP and 192.169.1.254 for End IP.

Figure 4-5 Add IP address group (2)

Enter second for Name, 192.169.2.1 for Start IP and 192.169.2.254 for End IP. Now the configuration of IP Address Group is complete.

# Configure Device Info
On the CAMS menu, click Component Management->Portal Component->Device Info. The window below appears:

Figure 4-6 Add device information


Device Name is S9500. Configure IP Address as the IP address of the switch, 202.103.0.2. Version is Portal 2.0, Key is hello and Reallocate IP Address is Yes. For other options, keep the default values, then click Add to complete Add Device Info.

Now the configuration of Add Device Info is complete.

# Configure Port Info
On the CAMS menu, click Component Management->Portal Component->Device Info. The window below appears:


Figure 4-7 Manage port information

Click Port Info Management, and click Add:

Figure 4-8 Add port group


Port group is direct. Select s9500-vlan-03-0002 for Start and s9500-vlan-03-4094 for End. The value must follow the fixed format sysname-vlan-slotid-vlanid: sysname is the sysname of the device, vlan is the fixed string vlan, slotid is the slot of the VLAN internal port on which Portal is enabled (slot 3 here), and vlanid is the Start or End VLAN (fill in the Start VLAN for the Start port and the End VLAN for the End port). This ensures that the VLAN interface on which Portal is enabled falls within this VLAN range; here the range is 0002 to 4094.

For IP address group, select direct from the dropdown menu; For other options, select the default value;

Click OK to complete the configuration of direct for Add Port Group. To add another port group, repeat the above process;

Figure 4-9 Add port group



Port group is second. Select s9500-vlan-03-0002 for Start and s9500-vlan-03-4094 for End. The value must follow the fixed format sysname-vlan-slot-vlanid: sysname is the sysname of the device, vlan is the fixed string vlan, slot is the slot of the VLAN internal port on which Portal is enabled (slot 3 here), and vlanid is the Start or End VLAN (fill in the Start VLAN for the Start port and the End VLAN for the End port). This ensures that the VLAN interface on which Portal is enabled falls within this VLAN range; here the range is 0002 to 4094.

For IP address group, select second from the dropdown menu; For other options, select the default value;

Click OK. The configuration of second for Add Port Group is now complete.

# Validate Configuration
On the CAMS menu, click Component Management->Portal Component->Validate Configuration.

Figure 4-10 Validate configuration

Click Validate Configuration. The configuration of the Portal components is now complete.

3) Other additions

# Add Accounting Policy
On the CAMS menu, click User Management->Bill Management->Accounting Policy. The window below appears:


Figure 4-11 Add accounting policy


Configure Name as Portal; Configure Description as For Portal; Configure Service Type as LAN Access; Configure Subtype as Ordinary; Configure Policy Template as Normal usage;

Click Next:

Figure 4-12 Set accounting attributes


Accounting Type is By duration; Unit of Usage is hour; Default Rate is 1 dollar/1 hour;

Click OK. The configuration of Accounting Policy is now complete.

# Add Service
On the CAMS menu, click User Management->Service Management->Configure Service. The window below appears:


Figure 4-13 Add service


Configure Service Name as portal; Configure Accounting Policy as Portal; Configure Security Policy as Do not use security policy;

For other options, keep the default values. Add Service is now complete.

# Add Account
On the CAMS menu, click User Management->Account User and then Add Account:

Figure 4-14 Add account


Account is portaluser; Configure Password as 111111; Configure Full Name as PortalUser; Configure Account Type as Prepaid Account; Configure Prepaid Money as 8000 dollar; Tick Portal under Service Information;

Click OK. The configuration of Add portaluser Account now is complete.



The above is a typical configuration process for Portal re-authentication. After it is completed, users can authenticate through Portal normally.

4.4 Complete Configuration


Configurations on DHCP Relay

#
 portal method redhcp
 portal server portal1 ip 202.103.0.1 key hello url http://202.103.0.1/portal
#
interface vlan-interface192
 ip address 192.169.1.1 255.255.255.0
 ip address 192.169.2.1 255.255.255.0 sub
 ip relay address 30.0.2.2
 dhcp select relay
 dhcp relay security address-check enable
#
radius scheme portal
 primary authentication 202.103.0.1
 primary accounting 202.103.0.1
 key authentication hello
 key accounting hello
 user-name-format without-domain
#
domain portal
 scheme radius-scheme portal
 vlan-assignment-mode integer
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#

Configurations on DHCP Server

#
dhcp server ip-pool direct
 network 192.169.1.0 mask 255.255.255.0
 gateway-list 192.169.1.1
#
dhcp server ip-pool second
 network 192.169.2.0 mask 255.255.255.0
 gateway-list 192.169.2.1
#


SecBlade VPN Configuration Examples

Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Precautions
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure
4.4 Complete Configuration


1 Feature Introduction


The SecBlade VPN module supports various VPN services. Among them, the IPSec (IP Security) protocol suite provides high-quality, interoperable, cryptography-based security for IP packets: the communicating parties on an IP network use encryption, data origin authentication and related mechanisms to ensure the confidentiality, integrity, authenticity and anti-replay protection of data in transit.

Terms used in this chapter:

Authentication header (AH): AH provides data origin authentication, data integrity and anti-replay protection, and its integrity check also covers the immutable fields of the outer IP header. AH does not encrypt the IP packets it protects.

Encapsulating security payload (ESP): ESP provides data origin authentication, integrity and anti-replay protection for the encapsulated payload, plus encryption. Unlike AH, ESP does not cover the outer IP header; the example below combines both protocols (transform ah-esp).

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions (Version R2126 and newer versions do not support this feature).
Hardware versions: LSB1IPSEC8DB0, LSB2IPSEC8DB0.

3 Precautions
N/A

4 Configuration Examples
4.1 Network Requirements
As shown in Figure 4-1, the private network packets of VLAN 76 and VLAN 77 are encrypted by the IPSec boards installed in the two S9505 devices, so that they are transmitted securely between the sites.

4.2 Network Diagram

Figure 4-1 IPSec network diagram

4.3 Configuration Procedure


1) Configure the S9505_1:

# Configure VLANs and assign the ports connecting the PCs and the ports connecting the two S9505 devices to their respective VLANs.

<S9505_1> system-view
[S9505_1] vlan 50
[S9505_1-vlan50] port Ethernet 2/1/1
[S9505_1-vlan50] quit
[S9505_1] vlan 77
[S9505_1-vlan77] port Ethernet 2/1/2
[S9505_1-vlan77] quit

# Configure the SecBlade module: set VLAN 50 and VLAN 77 as security VLANs, and map the SecBlade module to the IPSec board inserted in slot 3.

[S9505_1] secblade module test
[S9505_1-secblade-test] security-vlan 50
[S9505_1-secblade-test] security-vlan 77
[S9505_1-secblade-test] map to slot 3

2) Configure the SecBlade on the S9505_1:

# Configure the IP addresses of the subinterfaces (VLAN 50 faces the peer S9505, VLAN 77 faces the local private network).

[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ip address 172.16.50.2 24
[SecBlade_VPN-GigabitEthernet0/0.50] vlan-type dot1q vid 50
[SecBlade_VPN-GigabitEthernet0/0.50] quit
[SecBlade_VPN] interface GigabitEthernet 0/0.77
[SecBlade_VPN-GigabitEthernet0/0.77] ip address 10.13.77.2 24
[SecBlade_VPN-GigabitEthernet0/0.77] vlan-type dot1q vid 77
[SecBlade_VPN-GigabitEthernet0/0.77] quit

# Configure the ACL rule.


[SecBlade_VPN] acl number 3000
[SecBlade_VPN-acl-adv-3000] rule permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
[SecBlade_VPN-acl-adv-3000] quit

# Configure the IPSec IKE.


[SecBlade_VPN] ike peer peer
[SecBlade_VPN-ike-peer-peer] pre-shared-key vpn
[SecBlade_VPN-ike-peer-peer] remote-address 172.16.50.1
[SecBlade_VPN-ike-peer-peer] quit

The pre-shared key vpn is an example value; a production tunnel needs a long, random key that is identical on both peers.

# Configure the IPSec protocol.


[SecBlade_VPN] ipsec proposal h3c
[SecBlade_VPN-ipsec-proposal-h3c] encapsulation-mode tunnel
[SecBlade_VPN-ipsec-proposal-h3c] transform ah-esp
[SecBlade_VPN-ipsec-proposal-h3c] ah authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] esp encryption-algorithm 3des
[SecBlade_VPN-ipsec-proposal-h3c] esp authentication-algorithm sha1
[SecBlade_VPN-ipsec-proposal-h3c] quit

# Configure the IPSec policy.


[SecBlade_VPN] ipsec policy h3cpolicy 10 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] ike-peer peer
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] proposal h3c
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] security acl 3000
[SecBlade_VPN-ipsec-policy-isakmp-h3cpolicy-10] quit

# Apply the security policy on the subinterface of the public network.


[SecBlade_VPN] interface GigabitEthernet 0/0.50
[SecBlade_VPN-GigabitEthernet0/0.50] ipsec policy h3cpolicy
[SecBlade_VPN-GigabitEthernet0/0.50] quit

# Configure the static route.


[SecBlade_VPN] ip route-static 10.13.76.0 255.255.255.0 172.16.50.1

3) Configure the S9505_2:

Refer to the configurations on the S9505_1, using VLAN 76 instead of VLAN 77 and mapping the SecBlade module to the IPSec board in slot 1, as shown in the complete configuration below.

4) Configure the SecBlade on the S9505_2:

Refer to the SecBlade configurations on the S9505_1, with the local and remote addresses swapped (local 172.16.50.1, remote 172.16.50.2) and the ACL and static route pointing at 10.13.77.0/24, as shown in the complete configuration below.

4.4 Complete Configuration


1) Configurations on the S9505_1. Key configurations:

#
secblade module test
 security-vlan 50 77
 map to slot 3
#

2) SecBlade configurations on the S9505_1:

#
 sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
 pre-shared-key vpn
 remote-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
 security acl 3000
 pfs dh-group1
 ike-peer peer
 proposal h3c
#
acl number 3000
 rule 0 permit ip source 10.13.77.0 0.0.0.255 destination 10.13.76.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
 ip address 172.16.50.2 255.255.255.0
 vlan-type dot1q vid 50
 ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.77
 ip address 10.13.77.2 255.255.255.0
 vlan-type dot1q vid 77
#
interface Encrypt1/0
#
interface NULL0
#
 ip route-static 10.13.76.0 255.255.255.0 172.16.50.1 preference 60
#
user-interface con 0
user-interface aux 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode none
#
return

Note: user-interface vty 0 4 with authentication-mode none lets anyone who can reach the SecBlade log in over Telnet without credentials. This is acceptable only in a lab; set a password or AAA authentication on the VTY lines before deployment. Likewise, pfs dh-group1, 3DES and SHA-1 are legacy choices that current deployments should replace with stronger groups and algorithms supported by both peers.

3) Configurations on the S9505_2. Key configurations:

#
secblade module test
 security-vlan 50 76
 map to slot 1
#

4) SecBlade configurations on the S9505_2:

#
 sysname SecBlade_VPN
#
radius scheme system
#
domain system
#
ike peer peer
 pre-shared-key vpn
 remote-address 172.16.50.2
 local-address 172.16.50.1
#
ipsec proposal h3c
#
ipsec policy h3cpolicy 10 isakmp
 security acl 3000
 pfs dh-group1
 ike-peer peer
 proposal h3c
#
acl number 3000
 rule 0 permit ip source 10.13.76.0 0.0.0.255 destination 10.13.77.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/0.50
 ip address 172.16.50.1 255.255.255.0
 vlan-type dot1q vid 50
 ipsec policy h3cpolicy
#
interface GigabitEthernet0/0.76
 ip address 10.13.76.2 255.255.255.0
 vlan-type dot1q vid 76
#
interface Encrypt1/0
 shutdown
#
interface NULL0
#
 ip route-static 10.13.77.0 255.255.255.0 172.16.50.2 preference 60
#
user-interface con 0
user-interface aux 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#

Note: on this SecBlade the VTY lines combine authentication-mode none with user privilege level 3, so an unauthenticated Telnet session lands directly at the highest user level. Change this before the device leaves the lab.
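As an added check that is not part of the H3C document, the following Python script audits a SecBlade-style configuration for the weak settings visible in the two listings above: the short pre-shared key, 3DES, SHA-1, DH group 1 for PFS, and VTY lines with authentication-mode none. The sample configuration string is constructed from the S9505_1 listing and trimmed to the blocks the audit reads; the thresholds (16-character minimum key, the sets of weak algorithms) and the findings format are the script's own assumptions, not H3C policy.

```python
import re

# Constructed sample, trimmed from the S9505_1 SecBlade listing above to the
# blocks the audit inspects; it is not a full device dump.
SAMPLE_CONFIG = """\
sysname SecBlade_VPN
#
ike peer peer
 pre-shared-key vpn
 remote-address 172.16.50.1
#
ipsec proposal h3c
 encapsulation-mode tunnel
 transform ah-esp
 ah authentication-algorithm sha1
 esp encryption-algorithm 3des
 esp authentication-algorithm sha1
#
ipsec policy h3cpolicy 10 isakmp
 security acl 3000
 pfs dh-group1
 ike-peer peer
 proposal h3c
#
user-interface aux 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode none
#
return
"""

# Assumed policy thresholds for this example; adjust to local standards.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"dh-group1", "dh-group2"}
MIN_PSK_LENGTH = 16


def parse_sections(config_text):
    """Split Comware-style text into (header, [indented body lines]) pairs.
    A block starts at a non-indented line; '#' separators and 'return' are skipped."""
    sections, header, body = [], None, []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "#" or line == "return":
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = line, []
    if header is not None:
        sections.append((header, body))
    return sections


def audit(config_text):
    """Return human-readable findings for weak IKE/IPSec and login settings."""
    findings = []
    for header, body in parse_sections(config_text):
        words = header.split()
        if words[:2] == ["ike", "peer"]:
            for line in body:
                match = re.match(r"pre-shared-key\s+(\S+)$", line)
                if match and len(match.group(1)) < MIN_PSK_LENGTH:
                    findings.append(f"{header}: pre-shared key shorter than {MIN_PSK_LENGTH} characters")
        elif words[:2] == ["ipsec", "proposal"]:
            for line in body:
                algorithm = line.split()[-1]
                if "encryption-algorithm" in line and algorithm in WEAK_CIPHERS:
                    findings.append(f"{header}: weak cipher {algorithm}")
                if "authentication-algorithm" in line and algorithm in WEAK_HASHES:
                    findings.append(f"{header}: weak integrity algorithm {algorithm}")
        elif words[:2] == ["ipsec", "policy"]:
            for line in body:
                if line.startswith("pfs ") and line.split()[1] in WEAK_DH_GROUPS:
                    findings.append(f"{header}: weak PFS group {line.split()[1]}")
        elif words[:1] == ["user-interface"] and "authentication-mode none" in body:
            findings.append(f"{header}: login allowed without authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of display current-configuration saved from the SecBlade; on the sample it reports six findings, one per weak setting named above, and nothing for the password-protected AUX line.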


VPN NAT Comprehensive Networking Configuration Examples

Table of Contents
1 Feature Introduction
2 Versions Applicable
3 Configuration Requirements
4 Configuration Examples
4.1 Network Requirements
4.2 Network Diagram
4.3 Configuration Procedure


1 Feature Introduction


MPLS L3VPN inherits the advantages of IP routing and adds the fast forwarding and flexible networking of MPLS, and it has been widely deployed. In a relatively large enterprise network in particular, MPLS L3VPN gives a clearer network architecture, easier maintenance, more stable performance and more secure access. Combined with NAT, MPLS L3VPN hides the private network side from the public network and allows address reuse, which improves network security and saves on address space.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions:
1) Interface boards that support MPLS VPN.
2) NAT board: LSB1NATB0.

3 Configuration Requirements

When advertising the default route in MP-BGP on device P, you must use the network command. The addresses in a NAT address pool must be valid addresses that are unique within the network. Do not assign them to any host or switch in the network (assigning one to the switch interface on which the NAT binding is configured is allowed but not recommended). When planning the deployment, make sure that the address pool is in the same network segment as the public network address of the interface.


Assign an export route target only to the routes for the public network addresses in a VPN. The private network address routes need not be advertised or imported into other VPNs, so they are given no export route target. This is done with routing policies.

In this networking example, you are recommended to use the CE devices for network layer access, to reduce the routing and ARP loads on the PE devices, thus ensuring the network maintainability.

When configuring QACL redirection, specify precise rules so that only the traffic that needs translation is redirected to the NAT board. When configuring both QACL redirection and the binding of a VLAN interface to a VPN, bind the VLAN interface to the VPN first and then configure the redirection. When removing them, delete the QACL redirection first and then remove the VLAN interface binding.

To retain the isolation that MPLS VPN provides, you can segregate two VPNs by configuring a black hole route in one VPN for the address space of the other; aggregating the routes keeps the configuration simple. Other means of segregating the networks are also possible.

In the network diagram below, the core layer takes into consideration the redundancy of the physical link. However, you can simplify the core layer network layout and deployment according to your actual situation.

To ensure compatibility between the software installed on the devices in the network, use software version R1628 or later. In this chapter, device P also acts as a provider edge (PE) device, with a VPN created on it. If that VPN needs NAT processing, NAT must be bound to every VLAN interface connecting the VPN to the public network, which requires multiple address pools, complicated configuration and more maintenance work. You are therefore recommended not to use device P as a PE. If the VPN does not need NAT processing, no NAT binding is required and device P can serve as a PE without problems.

When configuring an internal server, configure it on the upstream port of the PE. You cannot map two different public network addresses to one private network address (this can be worked around by configuring two private-to-public mappings on the internal server), nor map one public network address to multiple private network addresses. For link backup, you can configure multiple public network addresses for the internal server. Note that when one link goes down, the internal server configured on that link no longer supports services that require the ALG function; those can only be served through the other public network address. Services that do not require ALG (such as WWW) continue to work, provided that the route to the public network address of the internal server can be advertised over the other link.


In internal server applications, access from within the local VPN to the public network address of the internal server is not supported. The local VPN can only access the private network address of the internal server, and such traffic does not involve NAT processing. Similarly, access from other local VPNs to the public network address of the internal server is not supported. You can, however, bind the VPN1 internal server and VPN2 NAT on the same upstream interface, so that VPN2 private network addresses can reach the public network address of the VPN1 internal server through NAT and use the services on it. Therefore, for VPNs to reach the internal server, configure the NAT binding in all VPNs so that they can access its public network address.

In the internal server applications, you can configure the internal server on the upstream interface on PE to allow both the public and private network addresses of the same remote VPN and other remote VPNs to perform services on the internal server by accessing its public network address (note that for cross-VPN access, you need to advertise the public network address of the internal server to other VPNs).

In NAT applications, you can provide link backup by binding two different NAT address pools on two egress interfaces with the same NAT rule. You cannot bind the same NAT address pool to different egress interfaces. Note that when one link goes down, its NAT table entries are not deleted immediately: existing traffic is still translated using those entries and forwarded over the other link, while new traffic is translated with the NAT table entries of the other link. If an application has multiple sessions, it may therefore be mapped to several public network addresses, which some client/server applications reject. This resolves itself once the NAT table entries of the failed link age out (210 seconds by default).

When a packet matches multiple NAT bindings, the binding with the highest priority is used. The larger the ACL number of a NAT binding, the higher its priority.


4 Configuration Examples
4.1 Network Requirements
Users in VPN1 and VPN2 need to access all servers on the network and the Internet. Some users have public network addresses (201.1.x.0/24), others have private network addresses (10.x.0.0/16). When users with private network addresses access hosts or servers that are not behind the same CE, the packets must be processed by NAT. Servers with private network addresses must be mapped to public network addresses by the NAT server function before public network users can reach them.

Note: In the network shown in Figure 4-1, the P devices and PE devices need to be NAT-capable and must therefore be S9500 series switches.


4.2 Network Diagram


Figure 4-1 VPN NAT comprehensive network diagram

(The diagram itself is not reproduced here. Its legend distinguishes primary links, secondary links, general links, link aggregation, PCs, servers, global IP addresses and private IP addresses. It shows the Internet reached through a firewall (F/W) from P1; the public address plan 201.1.X.0/24 and the private address plan 10.X.0.0/16; P1 as master route reflector and P2 as slave reflector; PE1 and PE2 with CE1 to CE4 behind them; CE5 and CE6 attached to the P devices; and the route targets internet_vpn 65000:0, VPN1 65000:1, VPN2 65000:2 and server_vpn 65000:3. The VLAN numbers, ports, interface addresses and per-VLAN NAT bindings are given in the configuration procedure below.)

4.3 Configuration Procedure


I. Configuration Design

1) Configurations on P1.

Create the Internet_VPN and configure a route for it. Advertise this route and import the VPN routes of all PE devices in the access layer.

Create a VLAN for the Internet_VPN and configure the VPN binding and the IP address for it.

Create VPN1 and configure a routing policy for it. Advertise only the public network address routes of the 201.0.0.0/8 network segment; do not advertise the private network address routes of the 10.0.0.0/8 network segment. Import the routes advertised by the Internet_VPN, Server_VPN and VPN2.

Create a VLAN for VPN1 and configure the VPN binding and the IP address for it. Configure a black hole route for VPN1 to control communication between VPNs (optional).

Create the Server_VPN and configure a route for it. Advertise this route and import the VPN routes of all PE devices in the access layer. Create a VLAN for the Server_VPN and configure the VPN binding and the IP address for it.

Create the VLANs connecting P1 to the other devices. Configure link aggregation between P1 and P2 (optional). Configure the loopback interface (used to establish the BGP neighbors). Enable a routing protocol such as OSPF and advertise the routes. Configure MP-BGP and create a peer for P2. Configure P1 as the master BGP reflector (for both BGP and MP-BGP). Configure MP-BGP, create peers for all PE devices, and advertise a default route from the Internet_VPN to all VPNs. Advertise the VPN1 routes to the other VPNs and to the remote ends through MP-BGP.

Configure NAT binding on all egress interfaces of VPN1 on P1, so that outbound packets from VPN1 with private network addresses are translated. The egress interfaces are VLAN 10, 11, 12, 30 and 106.

2) Configurations on P2.

Configure NAT binding on all egress interfaces of VPN1 on P2, so that outbound packets from VPN1 with private network addresses are translated. The egress interfaces are VLAN 20, 22, 30 and 206.

The configurations on P2 and P1 are basically the same. The only difference is that there is no VLAN interface between P2 and PE1, so no NAT binding for VPN1 is needed there. When configuring P2 as a reflector, you must configure the same reflector cluster-id as on P1.

3) Configurations on PE1.

For the creation of VPN1 and the configuration of NAT, OSPF, MPLS and BGP, refer to the configurations on P1. Advertise only the 201.1.101.0/24 public network segment routes through the routing policy; do not advertise the 10.101.0.0/16 private network segment routes.

The configurations for VPN2 are the same as for VPN1. Advertise only the 201.1.102.0/24 public network segment routes through the routing policy; do not advertise the 10.102.0.0/16 private network segment routes.

Configure the VPN2 internal server on the upstream VLAN interface of PE1 and allow the other VPNs to access the VPN2 internal server 10.102.0.12. Configure the NAT binding for the internal server.

4) Configurations on PE2.

For the creation of VPN1 and the configuration of OSPF, MPLS and BGP, refer to the configurations on P1. The configurations for VPN2 are the same as for VPN1. In addition, configure NAT binding on VLAN 12 and VLAN 22 so that the private network segment 10.204.0.0/24 is translated and the two links back each other up.

II. Configuration Procedure


1) Configurations on P1.

# Create the Internet_VPN, configure a route distinguisher for it, and import the routes of VPN1 (65000:1), VPN2 (65000:2) and the Server_VPN (65000:3) in addition to the Internet_VPN's own route target (65000:0).

[P1] ip vpn-instance Internet_VPN
[P1-vpn-Internet_VPN] route-distinguisher 65000:0
[P1-vpn-Internet_VPN] vpn-target 65000:0 both
[P1-vpn-Internet_VPN] vpn-target 65000:1 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:2 import-extcommunity
[P1-vpn-Internet_VPN] vpn-target 65000:3 import-extcommunity
[P1-vpn-Internet_VPN] quit

# Create VLAN 10 and bind it to the Internet_VPN.

[P1] vlan 10
[P1-vlan10] port GigabitEthernet 3/1/2
[P1-vlan10] quit
[P1] int vlan 10
[P1-Vlan-interface10] ip binding vpn-instance Internet_VPN
[P1-Vlan-interface10] ip address 201.1.10.1 255.255.255.0
[P1-Vlan-interface10] quit

# Create VPN1 and import the routes of the Internet_VPN, Server_VPN, VPN2 and VPN1 itself. (The export route target is assigned by the route-policy configured next, not here.)

[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] route-distinguisher 65000:1
[P1-vpn-VPN1] vpn-target 65000:0 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:1 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:2 import-extcommunity
[P1-vpn-VPN1] vpn-target 65000:3 import-extcommunity
[P1-vpn-VPN1] quit

# Configure the ACL used by the export route-policy of VPN1. Routes matching the ACL are the ones that receive the route target.

[P1] acl number 2013
[P1-acl-basic-2013] rule permit source 201.1.105.0 0.255.255.255
[P1-acl-basic-2013] quit

# Configure the route-policy that assigns the export route target of VPN1. Only routes matching ACL 2013 (the 201 public network segment, which includes 201.1.105.0/24) receive route target 65000:1. The 10.105.0.0/16 private routes do not match and therefore carry no export route target, so only the routes of the 201 network segment are advertised.

[P1] route-policy vpn1 permit node 0
[P1-route-policy] if-match acl 2013
[P1-route-policy] apply extcommunity rt 65000:1 additive
[P1-route-policy] quit
[P1] ip vpn-instance VPN1
[P1-vpn-VPN1] export route-policy vpn1
[P1-vpn-VPN1] quit

# Create VLAN 105 and bind it to VPN1.

[P1] vlan 105
[P1-vlan105] port GigabitEthernet 3/1/1
[P1-vlan105] quit
[P1] int vlan 105
[P1-Vlan-interface105] ip binding vpn-instance VPN1
[P1-Vlan-interface105] ip address 201.1.105.1 255.255.255.0
[P1-Vlan-interface105] quit

# Configure a black hole route for VPN1.

[P1] ip route-static vpn-instance VPN1 201.1.0.0 16 NULL 0 blackhole

Note: VPN1 learns the default route of the Internet_VPN, so packets that match no more specific route are forwarded into the Internet_VPN by default. Because the Internet_VPN holds the routes of all VPNs, VPN1 could reach every other VPN that way. If the operator does not want hosts in VPN1 to reach the other VPNs by default, a black hole route covering their address space shields them from VPN1: in the network diagram above, 201.1.0.0/16 is configured as the black hole destination. Be aware that the black hole route also makes Internet addresses inside 201.1.0.0/16 unreachable from VPN1; since forwarding uses the longest matching prefix, only a more specific route can override it.
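To make the effect of the black hole route concrete, here is an added Python example (not from the H3C document) that performs longest-prefix lookup over a constructed VPN1 routing table built from the routes named above: the connected VLAN 105 segment, the default route learned from the Internet_VPN, and the 201.1.0.0/16 black hole. The table contents and the extra 201.1.250.0/24 entry, used to show how a more specific route punches through the black hole, are assumptions for illustration.

```python
import ipaddress


def build_table(routes):
    """Sort (prefix, next_hop) pairs longest prefix first, so that a linear scan
    returns the longest-prefix match, the same rule the switch FIB applies."""
    table = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Return the next hop of the most specific route covering destination, or None."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if addr in network:
            return next_hop
    return None


def forwarding_decision(table, destination):
    """'dropped' for a black hole route or no route at all, otherwise the next hop."""
    next_hop = lookup(table, destination)
    return "dropped" if next_hop in (None, "NULL0") else next_hop


# Constructed VPN1 table on P1, modelled on the routes described in the text.
VPN1_ROUTES = [
    ("201.1.105.0/24", "Vlan-interface105"),  # local VPN1 segment on P1
    ("0.0.0.0/0", "Internet_VPN"),            # default route learned from Internet_VPN
    ("201.1.0.0/16", "NULL0"),                # black hole route from the text
]
VPN1_TABLE = build_table(VPN1_ROUTES)

# Assumed variant: one public /24 inside 201.1.0.0/16 (201.1.250.0/24, a made-up
# Internet prefix) must stay reachable, so a more specific route towards the
# Internet_VPN is added alongside the black hole.
VPN1_TABLE_WITH_EXCEPTION = build_table(VPN1_ROUTES + [("201.1.250.0/24", "Internet_VPN")])


if __name__ == "__main__":
    for dst in ("201.1.105.11", "201.1.106.11", "201.1.204.11", "10.101.0.11", "8.8.8.8", "201.1.250.7"):
        print(dst, forwarding_decision(VPN1_TABLE, dst), forwarding_decision(VPN1_TABLE_WITH_EXCEPTION, dst))
```

With the plain table, the Server_VPN host 201.1.106.11 and the VPN2 host 201.1.204.11 are dropped while destinations outside 201.1.0.0/16 still follow the default into the Internet_VPN; the second table shows that the black hole only shadows destinations that have no longer-prefix route.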

# Create the Server_VPN. Its configuration is the same as for the Internet_VPN.

# Create the VLANs connecting P1 to the other devices: VLAN 11, 12 and 30.

[P1] vlan 11
[P1-vlan11] port GigabitEthernet 3/1/3
[P1-vlan11] quit
[P1] int vlan 11
[P1-Vlan-interface11] ip address 201.1.11.1 255.255.255.0

The configurations for the other VLANs are the same as for VLAN 11.

# Configure link aggregation (optional).

[P1] link-aggregation GigabitEthernet3/2/4 to GigabitEthernet 3/2/5 both

# Configure the loopback interface used to establish the BGP neighbors.

[P1] interface LoopBack 0
[P1-LoopBack0] ip address 201.255.98.1 32
[P1-LoopBack0] quit

# Enable OSPF and advertise the routes of the local interface segments and the loopback interface.

[P1] router id 201.255.98.1
[P1] ospf 200
[P1-ospf-200] area 0
[P1-ospf-200-area-0.0.0.0] network 201.1.11.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.12.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.1.30.0 0.0.0.255
[P1-ospf-200-area-0.0.0.0] network 201.255.98.1 0.0.0.0
[P1-ospf-200-area-0.0.0.0] quit
[P1-ospf-200] quit

# Enable MPLS and LDP on P1 and on the VLAN interfaces connecting P1 to the other PE switches.

[P1] mpls lsr-id 201.255.98.1
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1-mpls-ldp] quit
[P1] int vlan 11
[P1-Vlan-interface11] mpls
[P1-Vlan-interface11] mpls ldp enable
[P1-Vlan-interface11] quit

The configurations on VLAN 12 and VLAN 30 are the same as on VLAN 11.

# Configure a peer for P2.

[P1] bgp 65000
[P1-bgp] group PtoP internal
[P1-bgp] peer PtoP connect-interface LoopBack0
[P1-bgp] peer 201.255.98.2 group PtoP

Note: 201.255.98.2 is the IP address of interface LoopBack0 on P2.

# Configure peers for PE1 and PE2.

[P1-bgp] group 65000 internal
[P1-bgp] peer 65000 connect-interface LoopBack0
[P1-bgp] peer 201.255.98.11 group 65000
[P1-bgp] peer 201.255.98.12 group 65000

Note: 201.255.98.11 and 201.255.98.12 are the IP addresses of interface LoopBack0 on PE1 and PE2 respectively.

# Configure the BGP reflector.

[P1-bgp] reflector cluster-id 201.255.98.1
[P1-bgp] peer 65000 reflect-client

# Configure the MP-BGP peers.

[P1-bgp] ipv4-family vpnv4
[P1-bgp-af-vpn] peer PtoP enable
[P1-bgp-af-vpn] peer 201.255.98.2 group PtoP
[P1-bgp-af-vpn] peer 65000 enable
[P1-bgp-af-vpn] reflector cluster-id 201.255.98.1
[P1-bgp-af-vpn] peer 65000 reflect-client
[P1-bgp-af-vpn] peer 201.255.98.11 group 65000
[P1-bgp-af-vpn] peer 201.255.98.12 group 65000
[P1-bgp-af-vpn] quit
[P1-bgp] quit

# Configure the default route of the Internet_VPN towards the public network and advertise it. 201.1.10.6 is the IP address of the firewall interface facing P1.

[P1] ip route-static vpn-instance Internet_VPN 0.0.0.0 0 201.1.10.6
[P1] bgp 65000
[P1-bgp] ipv4-family vpn-instance Internet_VPN
[P1-bgp-af-vpn-instance] network 0.0.0.0
[P1-bgp-af-vpn-instance] quit

# Import the routes of other protocols (including the NAT routes) into VPN1 and advertise them through MP-BGP.

[P1-bgp] ipv4-family vpn-instance VPN1
[P1-bgp-af-vpn-instance] import-route direct
[P1-bgp-af-vpn-instance] import-route static
[P1-bgp-af-vpn-instance] import-route nat
[P1-bgp-af-vpn-instance] quit
[P1-bgp] quit

Note: If the addresses in the pool used by the NAT binding belong to a network segment that is already local to VPN1, the NAT routes need not be advertised.

# Configure the rule used by the NAT binding. For the rule to apply to VPN1, VPN1 must be named in the rule.

[P1] acl number 3000
[P1-acl-adv-3000] rule permit ip vpn-instance VPN1 source 10.105.0.0 0.0.255.255
[P1-acl-adv-3000] quit

# Configure the NAT address pool.

[P1] nat address-group 100 201.1.105.100 201.1.105.110

# Configure the maximum numbers of users and connections allowed for VPN1 in NAT translation (size the user limit according to the actual number of users in VPN1).

[P1] nat vpn limit vpn-instance VPN1 1000 500000

# Configure the NAT binding on VLAN interface 11, between P1 and PE1.

[P1] int vlan 11
[P1-Vlan-interface11] nat outbound 3000 address-group 100 slot 6

Note: The NAT configurations on the other egress interfaces of P1 are the same as on VLAN 11, but each binding must use a different address pool from the one used on VLAN 11. In the network diagram above, the VLANs that need a NAT binding are VLAN 10, 12, 30 and 106.

# Configure QACL redirection on the ingress port of VPN1, so that packets needing NAT translation are redirected to the NAT board.

[P1] acl number 2001
[P1-acl-basic-2001] rule permit source 10.105.0.0 0.0.255.255
[P1-acl-basic-2001] quit
[P1] interface GigabitEthernet 3/1/1
[P1-GigabitEthernet3/1/1] traffic-redirect inbound ip-group 2001 slot 6 designated-vlan 105
[P1-GigabitEthernet3/1/1] quit

Caution: You must configure the VPN binding on the corresponding VLAN interface before you configure QACL redirection on the port. The ACL rule used for redirection to the NAT board must not contain the keyword vpn-instance. The redirection command on the port must include the designated-vlan argument, set to the VLAN to which the port belongs.

2) Configurations on P2.

The configurations on P2 are similar to those on P1; refer to the section above. When configuring the reflector on P2, configure the same reflector cluster-id as on P1.

3) Configurations on PE1.

# For the creation of VPN1 and the NAT, OSPF, MPLS and BGP configurations, refer to the configurations on P1. The difference between P1 and PE1 is the peer configuration: PE1 does not need to configure a reflector; it only needs to enable the peers P1 and P2 under ipv4-family vpnv4 in BGP view.
# The NAT configuration for VPN2 is the same as for VPN1.
# Configure the internal server so that other VPNs can access the internal server of VPN2, 10.102.0.12, for WWW and FTP services.
[PE1] int vlan 11
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 www inside vpn2 10.102.0.12 www slot 6
[PE1-Vlan-interface11] nat server protocol tcp global 201.1.102.12 ftp inside vpn2 10.102.0.12 ftp slot 6
[PE1-Vlan-interface11] quit

# Configure the NAT binding for the internal server.

[PE1] acl number 3112
[PE1-acl-adv-3112] rule permit ip vpn-instance VPN1 source 10.102.0.12 0.0.0.0
[PE1-acl-adv-3112] quit
[PE1] nat address-group 12 201.1.102.12 201.1.102.12
[PE1] int vlan 11
[PE1-Vlan-interface11] nat outbound 3112 address-group 12 slot 6

Note:

You can only configure one address for the address pool in the NAT binding, and this address must be the same as the GlobalIP of the NAT server. If there are other NAT binding rules that may permit NAT translation for this server, you must configure the maximum ACL Number to ensure that this NAT binding has the highest priority.

The NAT server can only be accessed through the binding interface. Hosts on other interfaces are not permitted to access it.
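The two rules in the Note above are easy to get wrong in a large configuration, because a shared-pool binding with a higher ACL number silently wins over the server's dedicated binding and the server then answers from a pool address. The following is an added example, not part of the H3C document, that checks both rules over a constructed configuration modelled on the PE1 snippet: the address group of the server's binding must be a single address equal to the server's global IP, and that binding must carry the highest ACL number among all NAT bindings on the interface whose ACL could also translate the server's inside address. The regular-expression parsing covers only the command forms shown on this page and is an assumption of the example, not a full Comware parser.

```python
"""Lint for the internal-server NAT binding rules (added example, constructed input)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class NatConfig:
    acls: dict = field(default_factory=dict)      # acl number -> [ip_network, ...]
    groups: dict = field(default_factory=dict)    # address-group id -> (first, last)
    servers: list = field(default_factory=list)   # (interface, global ip, inside ip)
    bindings: list = field(default_factory=list)  # (interface, acl number, group id)


def wildcard_to_network(addr, wildcard):
    """'source 10.102.0.0 0.0.255.255' -> 10.102.0.0/16 (wildcard bits are don't-care)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def parse_config(text):
    """Extract ACLs, address groups, nat server and nat outbound lines (page syntax only)."""
    cfg = NatConfig()
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"acl number (\d+)$", line):
            acl, iface = int(m.group(1)), None
            cfg.acls.setdefault(acl, [])
        elif m := re.match(r"rule .*permit ip .*source (\S+) (\S+)", line):
            cfg.acls[acl].append(wildcard_to_network(m.group(1), m.group(2)))
        elif m := re.match(r"nat address-group (\d+) (\S+) (\S+)", line):
            cfg.groups[int(m.group(1))] = (ipaddress.ip_address(m.group(2)),
                                           ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"interface (\S+)", line):
            iface, acl = m.group(1), None
        elif m := re.match(r"nat server .*global (\S+) .*inside \S+ (\S+)", line):
            # assumes the 'inside' keyword is followed by a VPN name, as on this page
            cfg.servers.append((iface, ipaddress.ip_address(m.group(1)),
                                ipaddress.ip_address(m.group(2))))
        elif m := re.match(r"nat outbound (\d+) address-group (\d+)", line):
            cfg.bindings.append((iface, int(m.group(1)), int(m.group(2))))
    return cfg


def lint_nat_server_bindings(text):
    """Return a list of findings; empty when every NAT server satisfies both rules."""
    cfg = parse_config(text)
    findings = []
    for iface, global_ip, inside_ip in cfg.servers:
        # every binding on this interface whose ACL could also translate the server's address
        candidates = [(acl, grp) for b_iface, acl, grp in cfg.bindings
                      if b_iface == iface
                      and any(inside_ip in net for net in cfg.acls.get(acl, []))]
        if not candidates:
            findings.append(f"{global_ip}: no NAT binding on {iface} covers inside address {inside_ip}")
            continue
        top_acl, top_grp = max(candidates)          # highest ACL number = highest priority
        first, last = cfg.groups.get(top_grp, (None, None))
        if first != global_ip or last != global_ip:
            findings.append(f"{global_ip}: highest-priority binding on {iface} is acl {top_acl} "
                            f"with address-group {top_grp} ({first}-{last}); it must be the "
                            f"single address {global_ip}")
    return findings


# Constructed sample modelled on the PE1 configuration above (compliant).
GOOD_CONFIG = """
acl number 3000
 rule permit ip vpn-instance VPN1 source 10.102.0.0 0.0.255.255
acl number 3112
 rule permit ip vpn-instance VPN1 source 10.102.0.12 0.0.0.0
nat address-group 100 201.1.102.100 201.1.102.110
nat address-group 12 201.1.102.12 201.1.102.12
interface Vlan-interface11
 nat server protocol tcp global 201.1.102.12 www inside vpn2 10.102.0.12 www slot 6
 nat outbound 3000 address-group 100 slot 6
 nat outbound 3112 address-group 12 slot 6
"""

# Same network, but the shared-pool binding now carries a higher ACL number than the
# server's dedicated binding, so the server would be translated from the pool (violates rule 2).
BAD_CONFIG = (GOOD_CONFIG.replace("acl number 3000", "acl number 3500")
              .replace("nat outbound 3000", "nat outbound 3500"))

if __name__ == "__main__":
    print("good:", lint_nat_server_bindings(GOOD_CONFIG))
    print("bad: ", lint_nat_server_bindings(BAD_CONFIG))
```

The check deliberately resolves priority the way the Note describes it (larger ACL number wins) rather than by rule order, so a binding added later with a lower ACL number does not mask the problem.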

4) Configurations on PE2.

# The configurations on PE2 are similar to those on PE1. The difference is that on PE2 the NAT binding needs to be configured on the egress interfaces of two VLANs (VLAN 12 and VLAN 22).

5) Configurations on CE.

Omitted. It is only required to enable layer 3 routing protocols. For detailed operations, refer to H3C S9500 Series Routing Switches Configuration Manual.

Selective QinQ Configuration Examples

Table of Contents
1 Feature Introduction ......... 1
2 Versions Applicable ......... 1
3 Precautions ......... 1
4 Configuration Examples ......... 2
4.1 Network Requirements ......... 2
4.2 Networking Diagram ......... 2
4.3 Configuration Procedure ......... 3
4.4 Complete Configuration ......... 4

Copyright 2007 Hangzhou H3C Technologies Co., Ltd.

www.h3c.com

1 Feature Introduction


Although common QinQ can expand the VLAN space and implement a simple layer-2 VPN function, a port can only be configured with one fixed outer tag, which cannot meet the requirement that different VLAN tags be added for different service users. For example, VLANs 100~200 may be users of one service, requiring outer tag 10; VLANs 201~300 may be users of another service, requiring outer tag 20; while the services of VLANs 10~20 want no outer tag at all. Such requirements cannot be satisfied by common QinQ. Selective QinQ provides this flexibility by configuring dedicated ACL rules and either adding a designated VLAN tag to the packets that match a rule, or replacing the VLAN tag of incoming packets with a designated VLAN tag.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions: Type-D service boards of the S9500 series switches.

3 Precautions

The selective QinQ function is supported by only the type-D boards. As a selective QinQ-enabled port only permits packets with modified VLAN tags, you need to disable the VLAN filtering function on a port so that the packets of different VLANs can be handled on the port.

To enable the outer VLAN tags of the response packets of the packets processed by the selective QinQ function to be removed on the outbound port (the port connected to DSLAM), make sure the port is a hybrid port and the corresponding VLAN of the outer tag is in the untagged mode.


4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, the DSLAM isolates the users through VLANs. VLAN 1000 through VLAN 1999 are for common network access services; the VLAN 101 tag is to be inserted into the packets of these VLANs as the outer VLAN tag after the packets reach the S9500 switch, and the packets are then passed to the BRAS for processing. VLAN 2000 through VLAN 2999 are for VIP users and require QoS services; the VLAN 102 tag is inserted into the packets of these VLANs as the outer VLAN tag after the packets reach the S9500 switch, and the packets are then passed to the BRAS for processing. The BTV traffic is passed from the GSR to the DSLAM through VLAN 3000; the DSLAM replicates the multicast flow and passes it on to the user VLANs.

To implement the above services, for the packets arriving on port g2/1/1 the S9500 needs to insert the VLAN 101 tag into packets of VLAN 1000 through VLAN 1999 and pass them to the BRAS through VLAN 101, and to insert the VLAN 102 tag into packets of VLAN 2000 through VLAN 2999 and pass them to the BRAS through VLAN 102. For packets of VLAN 3000 no VLAN tag is inserted; they are forwarded by layer-2 multicast within VLAN 3000. To implement this, you can use the selective QinQ function on the S9500 switch.

4.2 Networking Diagram

Figure 4-1 Networking diagram of the selective QinQ configuration


4.3 Configuration Procedure


1) Configure DSLAM.

On the DSLAM, map the access users to VLAN 1000 through VLAN 2999. Configure the multicast VLAN 3000 with multicast sub-VLANs VLAN 1000 through VLAN 2999. Connect the uplink port to the S9500 switch, permitting VLAN 1000 through VLAN 3000.

2) Configure S9500.

# Configure the ACL rules that match VLAN 1000 through VLAN 1999 and VLAN 2000 through VLAN 2999.
[S9500] acl number 4000
[S9500-acl-link-4000] rule 0 permit ingress 1000 to 1999
[S9500-acl-link-4000] rule 1 permit ingress 2000 to 2999

# Create VLAN 101, VLAN 102, and VLAN 3000.


[S9500]vlan 101 102 3000

# Configure the port connected to the DSLAM as follows: permit packets of VLAN 101, VLAN 102 and VLAN 3000; disable the VLAN filtering attribute; insert the VLAN 101 tag into packets matching rule 0 of ACL 4000; insert the VLAN 102 tag into packets matching rule 1 of ACL 4000.
[S9500] interface GigabitEthernet 2/1/1
[S9500-GigabitEthernet2/1/1] port link-type hybrid
[S9500-GigabitEthernet2/1/1] port hybrid vlan 101 102 untagged
[S9500-GigabitEthernet2/1/1] port hybrid vlan 3000 tagged
[S9500-GigabitEthernet2/1/1] vlan filter disable
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 0 nested-vlan 101
[S9500-GigabitEthernet2/1/1] traffic-redirect inbound link-group 4000 rule 1 nested-vlan 102

# Configure the ports connected to the GSR and the BRAS respectively.

[S9500] interface g2/1/2
[S9500-GigabitEthernet2/1/2] port link-type trunk
[S9500-GigabitEthernet2/1/2] port trunk permit vlan 3000
[S9500-GigabitEthernet2/1/2] interface g2/1/3
[S9500-GigabitEthernet2/1/3] port link-type trunk
[S9500-GigabitEthernet2/1/3] port trunk permit vlan 101 102

# Enable Layer 2 multicast on VLAN 3000.

[S9500] igmp-snooping enable
[S9500] vlan 3000
[S9500-vlan3000] igmp-snooping enable

3) Configure BRAS and GSR.

Configure the BRAS to handle packets with two VLAN tags and to terminate PPPoE sessions. Configure the GSR to enable layer-3 multicast, serving as the multicast router.
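To make the effect of the ACL 4000 rules and the two nested-vlan commands concrete, here is an added example, not from the H3C document, that models the selective QinQ decision in software and applies it to constructed 802.1Q frames: an inner VLAN in 1000 through 1999 gets outer tag 101 pushed in front of the existing tag, 2000 through 2999 gets outer tag 102, and VLAN 3000 (the multicast VLAN) passes through untouched. Frames that match no rule are returned unchanged and marked "no-match"; what the port then does with them depends on its VLAN membership, which this model does not reproduce. The frame layout, rule-table representation and MAC addresses are the example's own.

```python
"""Software model of the selective QinQ rule table above (added example, constructed frames)."""
import struct

TPID_8021Q = 0x8100

# Rule table derived from ACL 4000 plus the two traffic-redirect commands:
# (lowest inner VLAN, highest inner VLAN, outer tag to push)
NESTED_VLAN_RULES = [
    (1000, 1999, 101),   # rule 0 permit ingress 1000 to 1999 -> nested-vlan 101
    (2000, 2999, 102),   # rule 1 permit ingress 2000 to 2999 -> nested-vlan 102
]
PASSTHROUGH_VLANS = {3000}   # port hybrid vlan 3000 tagged: forwarded without a new tag


def parse_8021q(frame):
    """Return (dst, src, vlan id, remainder) of a tagged frame; raise if it is untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    dst, src, tpid, tci = struct.unpack("!6s6sHH", frame[:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return dst, src, tci & 0x0FFF, frame[16:]


def push_outer_tag(frame, outer_vlan, pcp=0):
    """Insert a new 802.1Q tag directly after the MAC addresses; the inner tag stays intact."""
    tci = (pcp << 13) | (outer_vlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def selective_qinq(frame):
    """Classify one ingress frame and return (action, frame to forward)."""
    _, _, vid, _ = parse_8021q(frame)
    for low, high, outer in NESTED_VLAN_RULES:
        if low <= vid <= high:
            return f"nested-vlan {outer}", push_outer_tag(frame, outer)
    if vid in PASSTHROUGH_VLANS:
        return "forward", frame
    return "no-match", frame


def vlan_stack(frame):
    """VLAN ids of all stacked tags, outermost first, for inspecting results."""
    vids, offset = [], 12
    while (offset + 4 <= len(frame)
           and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q):
        vids.append(struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF)
        offset += 4
    return vids


def make_frame(vid, payload=b"\x00" * 46):
    """Constructed single-tagged frame: broadcast destination, a locally administered
    source MAC, one 802.1Q tag carrying vid, EtherType IPv4 and a dummy payload."""
    return (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
            + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + b"\x08\x00" + payload)


if __name__ == "__main__":
    for vid in (1500, 2500, 3000, 50):
        action, out = selective_qinq(make_frame(vid))
        print(f"inner VLAN {vid:4d}: {action:16s} tag stack on egress {vlan_stack(out)}")
```

Note that the model never touches the inner tag, which is exactly why the BRAS in step 3 has to be configured for double-tagged packets: the user VLAN is still present underneath the service tag.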

4.4 Complete Configuration

#
 igmp-snooping enable
#
acl number 4000
 rule 0 permit ingress 1000 to 1999 egress any
 rule 1 permit ingress 2000 to 2999 egress any
#
vlan 1
#
vlan 101
#
vlan 102
#
vlan 3000
 igmp-snooping enable
#
interface GigabitEthernet2/1/1
 port link-type hybrid
 port hybrid vlan 3000 tagged
 port hybrid vlan 1 101 102 untagged
 vlan filter disable
 traffic-redirect inbound link-group 4000 rule 0 system-index 1 nested-vlan 101
 traffic-redirect inbound link-group 4000 rule 1 system-index 2 nested-vlan 102
#
interface GigabitEthernet2/1/2
 port link-type trunk
 port trunk permit vlan 1 3000
#
interface GigabitEthernet2/1/3
 port link-type trunk
 port trunk permit vlan 1 101 102


VRRP Configuration Examples

Table of Contents
1 Feature Introduction ......... 1
2 Versions Applicable ......... 2
3 Precautions ......... 2
4 Configuration Examples ......... 3
4.1 Network Requirements ......... 3
4.2 Networking Diagram ......... 4
4.3 Configuration Procedure ......... 4
4.4 Complete Configuration ......... 8

Copyright 2007 Hangzhou H3C Technologies Co., Ltd.

www.h3c.com

1 Feature Introduction


Virtual Router Redundancy Protocol (VRRP) is a fault tolerance protocol. As shown in the following figure, a default route is generally set on every host in a network (the next hop of the default route in the figure is 10.100.10.1). Packets from the hosts to the external network are sent to the layer-3 switch through this default route, so all communication between the hosts and the external network passes through it. When the switch fails, every host in the segment that uses the switch as the next hop of its default route loses connectivity with the outside.

Figure 1-1 Networking diagram of the LAN

VRRP was put forward to solve the above problem. It is specially designed for LANs that support multicast or broadcast, such as Ethernet. VRRP organizes a group of switches (one Master switch and several Backup switches) into a virtual router. This group of switches is called a backup group.


Figure 1-2 Virtual router

A virtual switch has its own IP address of 10.100.10.1 (this IP address can be the same as the interface address of a switch in the backup group). The switches in the backup group also have their own IP addresses (e.g., the Master IP address is 10.100.10.2 and the Backup IP address is 10.100.10.3). The hosts in the LAN are only aware that the IP address of the virtual router is 10.100.10.1 (usually called the virtual IP address of the backup group); they are not aware that the actual IP address of the Master switch is 10.100.10.2 and that of the Backup switch is 10.100.10.3. They specify the IP address 10.100.10.1 of the virtual router as the next hop of their own default routes, so the hosts in the LAN communicate with other networks through this virtual router. When the Master switch in the backup group fails, the Backup switch with the highest priority takes over its work and becomes the new Master, providing routing services for the hosts in the LAN and keeping communication with external networks uninterrupted.

2 Versions Applicable
Software versions: S9500-CMW310-R1628 and newer versions.
Hardware versions: The full series of hardware versions of the S9500 series switches.

3 Precautions

For the backup routers of the same VRRP backup group, the VRRP group hello time must be consistent, or the VRRP group operates improperly.


The VRRP work mode within one VRRP backup group must be identical, i.e., all members are either in preemptive mode or in non-preemptive mode.

Before configuring a VRRP group, make sure the vrrp ping-enable function is enabled. Otherwise, the VRRP virtual address cannot be pinged.

A VRRP monitoring port can monitor a VLAN interface only, not a specific physical port.

Do not modify the hello time of a VRRP group unless absolutely necessary. If multiple VRRP groups exist, set their hello times to prime numbers (such as 2, 3, 5, 7, etc.) to avoid excessive CPU load.

4 Configuration Examples
4.1 Network Requirements
In the network shown in Figure 4-1, S9500-A and S9500-B have multiple Layer 2 switches attached to them. Assume that the IP address of the VLAN 2 interface created on S9500-A is 2.1.1.1, the IP address of the VLAN 2 interface created on S9500-B is 2.1.1.2, and the address of the virtual router is 2.1.1.3. Host A can access the Internet if its gateway address is set to 2.1.1.3. This is a typical VRRP network. You can use the two Layer 3 switches (S9500-A and S9500-B) to form multiple VRRP backup groups. For example, the Layer 2 devices can connect to the virtual address 2.1.1.3, through which the hosts access the Internet via the virtual gateway 2.1.1.3. When either S9500-A or S9500-B fails, the other device takes over the work and traffic continues.


4.2 Networking Diagram

Figure 4-1 Networking diagram of VRRP

4.3 Configuration Procedure


S9500-A and S9500-B form two virtual backup groups: in VLAN 2, S9500-A acts as Master and S9500-B as Backup; in VLAN 3, S9500-B acts as Master and S9500-A as Backup. Configure S9500-A to monitor the virtual interface of VLAN 8. When the virtual interface of VLAN 8 is unavailable, S9500-A decreases the priority of the VLAN 2 VRRP group, so that S9500-A becomes Backup. Configure S9500-B to monitor the virtual interface of VLAN 9. When the virtual interface of VLAN 9 is unavailable, S9500-B decreases the priority of the VLAN 3 VRRP group, so that S9500-B becomes Backup.

1) Configure S9500-A.

# Configure MSTP instances.

[S9500-A] stp enable
[S9500-A] stp non-flooding
[S9500-A] stp region-configuration
[S9500-A-mst-region] region-name vrrp
[S9500-A-mst-region] instance 2 vlan 2
[S9500-A-mst-region] instance 3 vlan 3
[S9500-A-mst-region] active region-configuration
[S9500-A-mst-region] quit
[S9500-A] stp instance 2 root primary
[S9500-A] stp instance 3 root secondary
[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] stp disable

# Create VLANs and their interface IP addresses.

<S9500-A> system-view
[S9500-A] vlan 2
[S9500-A-vlan2] interface Vlan-interface 2
[S9500-A-Vlan-interface2] ip address 2.1.1.1 8
[S9500-A-Vlan-interface2] quit
[S9500-A] vlan 3
[S9500-A-vlan3] interface Vlan-interface 3
[S9500-A-Vlan-interface3] ip address 3.1.1.1 8
[S9500-A-Vlan-interface3] quit
[S9500-A] vlan 8
[S9500-A-vlan8] interface Vlan-interface 8
[S9500-A-Vlan-interface8] ip address 8.1.1.1 8
[S9500-A-Vlan-interface8] quit

# Add ports to VLANs.

[S9500-A] interface GigabitEthernet 3/1/1
[S9500-A-GigabitEthernet3/1/1] port access vlan 8
[S9500-A-GigabitEthernet3/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/1
[S9500-A-GigabitEthernet2/1/1] port link-type trunk
[S9500-A-GigabitEthernet2/1/1] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-A-GigabitEthernet2/1/1] quit
[S9500-A] interface GigabitEthernet 2/1/2
[S9500-A-GigabitEthernet2/1/2] port link-type trunk
[S9500-A-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/2] port trunk permit vlan 2
[S9500-A-GigabitEthernet2/1/2] quit
[S9500-A] interface GigabitEthernet 2/1/3
[S9500-A-GigabitEthernet2/1/3] port link-type trunk
[S9500-A-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-A-GigabitEthernet2/1/3] port trunk permit vlan 3
[S9500-A-GigabitEthernet2/1/3] quit

# Configure the VRRP backup group.

[S9500-A] interface Vlan-interface 2
[S9500-A-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-A-Vlan-interface2] quit
[S9500-A] interface Vlan-interface 3
[S9500-A-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3


# Configure the priority and hello time of the VRRP backup group (optional).
[S9500-A-Vlan-interface2] vrrp vrid 1 priority 130
[S9500-A-Vlan-interface2] vrrp vrid 1 timer advertise 2

# Configure the monitoring interface to monitor the virtual interface of VLAN 8.


[S9500-A-Vlan-interface2] vrrp vrid 1 track Vlan-interface 8 reduced 40

2) Configure S9500-B.

# Configure MSTP instances.

[S9500-B] stp enable
[S9500-B] stp non-flooding
[S9500-B] stp region-configuration
[S9500-B-mst-region] region-name vrrp
[S9500-B-mst-region] instance 2 vlan 2
[S9500-B-mst-region] instance 3 vlan 3
[S9500-B-mst-region] active region-configuration
[S9500-B-mst-region] quit
[S9500-B] stp instance 3 root primary
[S9500-B] stp instance 2 root secondary
[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] stp disable

# Create VLANs and their interface IP addresses.

<S9500-B> system-view
[S9500-B] vlan 2
[S9500-B-vlan2] interface Vlan-interface 2
[S9500-B-Vlan-interface2] ip address 2.1.1.2 8
[S9500-B-Vlan-interface2] quit
[S9500-B] vlan 3
[S9500-B-vlan3] interface Vlan-interface 3
[S9500-B-Vlan-interface3] ip address 3.1.1.2 8
[S9500-B-Vlan-interface3] quit
[S9500-B] vlan 9
[S9500-B-vlan9] interface Vlan-interface 9
[S9500-B-Vlan-interface9] ip address 9.1.1.1 8
[S9500-B-Vlan-interface9] quit

# Add ports to VLANs.

[S9500-B] interface GigabitEthernet 3/1/1
[S9500-B-GigabitEthernet3/1/1] port access vlan 9
[S9500-B-GigabitEthernet3/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/1
[S9500-B-GigabitEthernet2/1/1] port link-type trunk
[S9500-B-GigabitEthernet2/1/1] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/1] port trunk permit vlan 2 to 3
[S9500-B-GigabitEthernet2/1/1] quit
[S9500-B] interface GigabitEthernet 2/1/2
[S9500-B-GigabitEthernet2/1/2] port link-type trunk
[S9500-B-GigabitEthernet2/1/2] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/2] port trunk permit vlan 3
[S9500-B-GigabitEthernet2/1/2] quit
[S9500-B] interface GigabitEthernet 2/1/3
[S9500-B-GigabitEthernet2/1/3] port link-type trunk
[S9500-B-GigabitEthernet2/1/3] undo port trunk permit vlan 1
[S9500-B-GigabitEthernet2/1/3] port trunk permit vlan 2
[S9500-B-GigabitEthernet2/1/3] quit

# Configure the VRRP backup group.

[S9500-B] interface Vlan-interface 2
[S9500-B-Vlan-interface2] vrrp vrid 1 virtual-ip 2.1.1.3
[S9500-B-Vlan-interface2] quit
[S9500-B] interface Vlan-interface 3
[S9500-B-Vlan-interface3] vrrp vrid 1 virtual-ip 3.1.1.3

# Configure the priority and hello time of the VRRP backup group (optional).
[S9500-B-Vlan-interface3] vrrp vrid 1 priority 130
[S9500-B-Vlan-interface3] interface Vlan-interface 2
[S9500-B-Vlan-interface2] vrrp vrid 1 timer advertise 2

# Configure the monitoring interface to monitor the virtual interface of VLAN 9.


[S9500-B-Vlan-interface3] vrrp vrid 1 track Vlan-interface 9 reduced 40

3) Configure L2SW-A.

[L2SW-A] vlan 2
[L2SW-A] interface Ethernet 0/1
[L2SW-A-Ethernet0/1] port link-type trunk
[L2SW-A-Ethernet0/1] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/1] port trunk permit vlan 2
[L2SW-A-Ethernet0/1] quit
[L2SW-A] interface Ethernet 0/2
[L2SW-A-Ethernet0/2] port link-type trunk
[L2SW-A-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-A-Ethernet0/2] port trunk permit vlan 2
[L2SW-A-Ethernet0/2] quit
[L2SW-A] interface Ethernet 0/3
[L2SW-A-Ethernet0/3] port access vlan 2

4) Configure L2SW-B.

[L2SW-B] vlan 3
[L2SW-B] interface Ethernet 0/1
[L2SW-B-Ethernet0/1] port link-type trunk
[L2SW-B-Ethernet0/1] undo port trunk permit vlan 1
[L2SW-B-Ethernet0/1] port trunk permit vlan 3
[L2SW-B-Ethernet0/1] quit
[L2SW-B] interface Ethernet 0/2
[L2SW-B-Ethernet0/2] port link-type trunk
[L2SW-B-Ethernet0/2] undo port trunk permit vlan 1
[L2SW-B-Ethernet0/2] port trunk permit vlan 3
[L2SW-B-Ethernet0/2] quit
[L2SW-B] interface Ethernet 0/3
[L2SW-B-Ethernet0/3] port access vlan 3
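The procedure above relies on two numbers fitting together: S9500-A's priority of 130 in VLAN 2 and the "reduced 40" of its track command. The following is an added example, not from the H3C document, that models VRRP master election for the VLAN 2 backup group and replays the scenario: it shows that the tracked interface going down only causes a failover because 130 - 40 = 90 falls below the Backup's priority (a smaller reduction would leave S9500-A as Master), and that the preemptive versus non-preemptive mode from the Precautions decides whether a recovered router takes the Master role back. The default Backup priority of 100 and the tie-break on the higher interface address follow RFC 3768; the router names and addresses come from this page, while the step sequence and the model itself are the example's own, not the switch's code. Effective priorities below 1 are not handled.

```python
"""VRRP election model with interface tracking (added example, constructed scenario)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    ip: str                   # real address of the VLAN interface
    priority: int = 100       # configured priority (VRRP default 100)
    track_reduce: int = 0     # 'reduced' value of the track command
    tracked_up: bool = True   # state of the monitored VLAN interface
    up: bool = True           # router alive and sending advertisements

    def effective_priority(self):
        """Priority as advertised: lowered by track_reduce while the tracked interface is down."""
        return self.priority - self.track_reduce if not self.tracked_up else self.priority


def elect_master(routers, current_master=None, preempt=True):
    """Pick the Master among live routers: highest effective priority wins, ties go to
    the higher interface address. In non-preemptive mode a live Master keeps the role
    whatever the priorities are, so only its own failure triggers a switch."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    if not preempt and current_master in alive:
        return current_master
    return max(alive, key=lambda r: (r.effective_priority(), int(ipaddress.ip_address(r.ip))))


def failover_sequence(reduce=40, preempt=True):
    """Replay the page's VLAN 2 scenario; return the Master's name after each event."""
    a = VrrpRouter("S9500-A", "2.1.1.1", priority=130, track_reduce=reduce)
    b = VrrpRouter("S9500-B", "2.1.1.2")          # default priority 100
    group = [a, b]
    masters = []

    master = elect_master(group)                              # 130 vs 100
    masters.append(master.name)
    a.tracked_up = False                                      # VLAN 8 interface goes down
    master = elect_master(group, master, preempt)
    masters.append(master.name)
    a.tracked_up = True                                       # VLAN 8 interface recovers
    master = elect_master(group, master, preempt)
    masters.append(master.name)
    a.up = False                                              # S9500-A itself fails
    master = elect_master(group, master, preempt)
    masters.append(master.name)
    a.up = True                                               # S9500-A comes back
    master = elect_master(group, master, preempt)
    masters.append(master.name)
    return masters


if __name__ == "__main__":
    print("reduced 40, preemptive    :", failover_sequence())
    print("reduced 20, preemptive    :", failover_sequence(reduce=20))
    print("reduced 40, non-preemptive:", failover_sequence(preempt=False))
```

The second run is the practical check to make before choosing the "reduced" value: with "reduced 20" the tracked interface can go down and S9500-A still wins the election at 110, so VLAN 2 traffic keeps using a router whose uplink is gone.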

4.4 Complete Configuration

1) Configure S9500-A.
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 timer advertise 2
 vrrp vrid 1 track Vlan-interface8 reduced 40
#
interface Vlan-interface3
 ip address 3.1.1.1 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 8
#
 stp instance 2 root primary
 stp instance 3 root secondary
 stp enable
 stp region-configuration
  region-name vrrp
  instance 2 vlan 2
  instance 3 vlan 3
  active region-configuration
#

2) Configure S9500-B.
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 2.1.1.3
 vrrp vrid 1 timer advertise 2
#
interface Vlan-interface3
 ip address 3.1.1.2 255.0.0.0
 vrrp vrid 1 virtual-ip 3.1.1.3
 vrrp vrid 1 priority 130
 vrrp vrid 1 track Vlan-interface9 reduced 40
#
interface GigabitEthernet2/1/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
interface GigabitEthernet2/1/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet2/1/3
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface GigabitEthernet3/1/1
 stp disable
 port access vlan 9
#
 stp instance 3 root primary
 stp instance 2 root secondary
 stp enable
 stp region-configuration
  region-name vrrp
  instance 2 vlan 2
  instance 3 vlan 3
  active region-configuration
#

3) Configure L2SW-A.
#
vlan 2
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface Ethernet0/3
 port access vlan 2
#

4) Configure L2SW-B.
#
vlan 3
#
interface Ethernet0/1
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface Ethernet0/2
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface Ethernet0/3
 port access vlan 3
#
