HCNP-IENP en Lab Guide-Content

Huawei Certification
HCDP-IENP
Improving Enterprise Network Performance
Lab Guide
Huawei Technologies Co.,Ltd

)UV_XOMNZj.[G]KO:KINTURUMOKY)U2ZJ'RRXOMNZYXKYKX\KJ
No part of this document may be reproduced or transmitted in any form or

by any means without prior written consent of Huawei Technologies Co., Ltd.
:XGJKSGXQYGTJ6KXSOYYOUTY
and other Huawei trademarks are trademarks of Huawei Technologies

Co., Ltd. All other trademarks and trade names mentioned in this document
are the property of their respective holders.
4UZOIK
The information in this document is subject to change without notice. Every

effort has been made in the preparation of this document to ensure accuracy of
the contents, but all statements, information, and recommendations in this
document do not constitute the warranty of any kind, expressed or implied.
.[G]KO)KXZOLOIGZOUT
.)*6/+46/SVXU\OTM+TZKXVXOYK4KZ]UXQ6KXLUXSGTIK
2GH-[OJK
+JOZOUT

Huawei Certification System
Relying on its strong technical and professional training system, in accordance

with different customers at different levels of ICT technology, Huawei
certification is committed to provide customs with authentic, professional
certification.
Based on characteristics of ICT technologies and customers’needs at different
levels, Huawei certification provides customers with certification system of four
levels.
HCDA (Huawei Certification Datacom Associate) is primary for IP network

maintenance engineers, and any others who want to build an understanding of
the IP network. HCDA certification covers the TCP/IP basics, routing, switching
and other common foundational knowledge of IP networks, together with
Huawei communications products, versatile routing platform VRP
characteristics and basic maintenance.
HCDP-Enterprise (Huawei Certification Datacom Professional-Enterprise) is
aimed at enterprise-class network maintenance engineers, network design
engineers, and any others who want to grasp in depth routing, switching,
network adjustment and optimization technologies. HCDP-Enterprise consists
of IESN (Implementing Enterprise Switch Networks), IERN (Implementing
Enterprise Routing Networks), and IENP (Improving Enterprise Network
performance), which includes advanced IPv4 routing and switching technology
principles, network security, high availability and QoS, as well as the
configuration of Huawei products.
HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is designed

to endue engineers with a variety of IP technologies and proficiency in the
maintenance, diagnostics and troubleshooting of Huawei products, which
equips engineers with competence in planning, design and optimization of
large-scale IP networks.
Proposed Advanced Necessary advanced
relationship relationship
ICT Career Certification

Routing & Switching WLAN Wireless Transmission Security UC&C VC Cloud Storage ICT Convergence
Design
HCNA(HCDA)
HCNA- HCNA- HCNA- HCNA- HCNA- HCNA- HCNA- HCNA- HCNA- HCNA-
WLAN LTE Transmission Security UC CC VC Cloud Storage Design
Associate
HCNP-R&S
H HCNP-Carrier HCNP- HCNP- HCNP- HCNP- HCNP- HCNP- HCNP- HCNP- HCNP- HCNP-
(HCDP) (HCDP-Carrier) WLAN LTE Transmission Security UC CC VC Cloud Storage Design
Professional
HCIE- HCIE- HCIE-
HCIE- HCIE- HCIE- HCIE- HCIE- HCIE- HCIE- HCIE- HCIE-
R&S Carrier Transmissio
WLAN LTE Security UC CC VC Cloud Storage Design
n
Expert
HCAr
Architect
Referenced icon
8U[ZKX 29]OZIN 29]OZIN ,OXK]GRR 4KZIRU[J
9KXOGRROTK
+ZNKXTKZROTK

Lab environment specification
:NK2GHKT\OXUTSKTZOYY[MMKYZKJHKRU]
/JKTZOLOKX *K\OIK 59\KXYOUT
8 '8 <KXYOUT<8)96)
8 '8 <KXYOUT<8)96)
8 '8 <KXYOUT<8)96)
8 '8 <KXYOUT<8)96)
8 '8 <KXYOUT<8)96)
9 9)+/9 <KXYOUT<8)96)
9 9)+/9 <KXYOUT<8)96)
9 9:6+/') <KXYOUT<8)96)
9 9:6+/') <KXYOUT<8)96)
,= ;9- <KXYOUT<8)96)
,= ;9- <KXYOUT<8)96)

HCDP-IENP Content
CONTENTS
Chapter 1 Implementing firewall functions and features ................................................................... 1
Lab 1-1 Security Zone Configuration and Configurations for Other Basic Functions on a Firewall .. 1
Lab 1-2 IPSec VPN Configuration on a USG Firewall ..................................................................... 21
Lab 1-3 Attack Defense Configuration on a Firewall ..................................................................... 45
Lab 1-4 NAT Configuration on a USG Firewall ............................................................................... 59
Lab 1-5 Dual-System Hot Backup Configuration for USG Firewalls ............................................... 73
Chapter 2 QoS and traffic flow management ................................................................................. 102
Lab 2-1 QoS ................................................................................................................................ 102
Lab 2-2 Traffic Control Based on the Traffic Policy ..................................................................... 122
Chapter 3 Integrated Lab Assessment ............................................................................................ 140
Lab 3-1 Integrated Lab-1 (Optional) ........................................................................................... 140
Lab 3-2 Integrated Lab2 (Optional)............................................................................................. 145
HC Series HUAWEI TECHNOLOGIES Page 1

HCDP-IENP Chapter 1 Implementing firewall functions and features
Chapter 1 Implementing firewall functions and features
Lab 1-1 Security Zone Configuration and Configurations for
Other Basic Functions on a Firewall
Learning Objectives
The objectives of this lab are to learn and understand:

x Security zone configuration for the firewall
x Packet filtering configuration in the interzone
x Static and dynamic blacklist configurations
x Packet filtering configuration at the application layer
Topology
Figure 1-1 Zone configuration
HC Series HUAWEI TECHNOLOGIES Page1

Scenario
Assume that you are a network administrator of an enterprise. The

headquarters network consists of an internal zone (trusted), an external zone
(untrusted), and a server zone (DMZ). You need to use a firewall to control
data and create blacklists to protect the intranet against network attacks.
Tasks
Step 1 Configure IP addresses.
Configure IP addresses for R1, R2, and R3.

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24
[R1-GigabitEthernet0/0/1]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24
<Huawei>system-view
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1
<Huawei>system-view
[Huawei]sysname R3
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be

configured with an IP address. In the lab, configure VLAN 12 on the firewall
and create a VLANIF 12. Configure the VLANIF 12 IP address as the IP
address of the gateway for the trusted zone.
Page2 HUAWEI TECHNOLOGIES HC Series

By default, the firewall configures an IP address for VLANIF 1. To prevent

interference, delete the VLANIF 1 configuration.
<USG2100>system-view
[USG2100]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface Ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]quit
[FW]interface Vlanif 1
[FW-Vlanif1]undo ip address
Plan VLANs for interfaces on S1.

[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2

By default, four security zones are located on a firewall. They are local,
trusted, untrusted, and DMZ zones. In this lab, we need to add interfaces to
the trusted, untrusted, and DMZ zones.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
Check communication among all zones whether is normal by default,.

[FW]display firewall packet-filter default all
10:28:18 2011/12/24
Firewall default packet-filter action is :
packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
local -> dmz :
trust -> untrust :
outbound : default: deny; || IPv6-acl: null
trust -> dmz :
dmz -> untrust :
packet-filter between VFW:
Test connectivity between security zones.

From the untrusted zone to the trusted zone:
<R1>ping -a 10.0.1.1 10.0.2.2

PING 10.0.2.2: 56 data bytes, press CTRL_C to break

Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---

5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
From the untrusted zone to the DMZ zone:

<R1>ping -a 10.0.1.1 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the trusted zone to the untrusted zone:

<R2>ping -a 10.0.2.2 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss

From the trusted zone to the DMZ zone:

<R2>ping -a 10.0.2.2 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the DMZ zone to the untrusted zone:

<R3>ping -a 10.0.3.3 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the DMZ zone to the trusted zone:

<R3>ping -a 10.0.3.3 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out


100.00% packet loss
Test the connectivity between FW and R1,R2,R3.

[FW]ping 10.0.10.1
Request time out
Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms

20.00% packet loss
round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.20.1
Request time out

20.00% packet loss
[FW]ping 10.0.30.1
Request time out


20.00% packet loss

Configure default routes for R1, R2, and R3. Configure static routes on the
FW to implement communication among network segments to which three
loopback 0 interfaces are connected.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1

[FW]firewall packet-filter default permit all
Test the connectivity among network segments to which three loopback 0

interfaces are connected.
[R1]ping -a 10.0.1.1 10.0.2.2

0.00% packet loss
[R1]ping -a 10.0.1.1 10.0.3.3



0.00% packet loss
Step 2 Configure interzone packet filtering.
The packet filtering policy controls packet forwarding among security

zones. The packet filtering policy configuration affects most devices functions.
Configure a default packet filtering policy that allows packets to be sent
only from the trusted zone to other security zones.
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permit interzone trust untrust direction
outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
[FW]firewall session link-state check
Test connectivity between security zones.

From the untrusted zone to the trusted zone:
[R1]ping -a 10.0.1.1 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the untrusted zone to the DMZ zone:

[R1]ping -a 10.0.1.1 10.0.3.3
Request time out
Request time out

Request time out

Request time out
Request time out

100.00% packet loss
From the trusted zone to the untrusted zone:

[R2]ping -a 10.0.2.2 10.0.1.1

0.00% packet loss
From the trusted zone to the DMZ zone:

[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss
From the DMZ zone to the untrusted zone:

[R3]ping -a 10.0.3.3 10.0.1.1


Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the DMZ zone to the trusted zone:

[R3]ping -a 10.0.3.3 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
Configure an interzone packet filtering policy that allows packets to be sent

from the untrusted zone to a specific server in the DMZ zone.
The server's IP address is 10.0.3.3. Enable Telnet in the untrusted zone.
Enable ICMP ping for connectivity tests.
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound]policy 1
[FW-policy-interzone-dmz-untrust-inbound-1]policy service service-set icmp
[FW-policy-interzone-dmz-untrust-inbound-1]policy destination 10.0.3.3 0
[FW-policy-interzone-dmz-untrust-inbound-1]action permit
[FW-policy-interzone-dmz-untrust-inbound-1]quit
[FW-policy-interzone-dmz-untrust-inbound-2]policy service service-set telnet
HC Series HUAWEI TECHNOLOGIES

Page11
[FW-policy-interzone-dmz-untrust-inbound-3]action deny
Enable Telnet on R3 for Telnet tests.

[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode none
Test network connectivity.

<R1>ping 10.0.3.3

0.00% packet loss
<R1>ping 10.0.30.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
<R1>telnet 10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3 ...
Connected to 10.0.3.3 ...
<R3>quit

Configuration console exit, please retry to log on
The connection was closed by the remote host

<R1>telnet 10.0.30.3
Trying 10.0.30.3 ...
Step 3 Configure blacklists.
A blacklist identifies IP addresses and match entries to quickly filter out

users with specific IP addresses. The blacklist can be dynamically added or
deleted. Compared to packet filtering, the blacklist matches entries and filters
out users faster and consumes fewer system resources. If a device considers
a user untrusted, the device adds the user's IP address to the blacklist. Upon
receiving a packet whose source IP address is the IP address in the blacklist,
the device discards the packet to protect the network.
The following assumes that multiple IP addresses continually scan
interfaces in the untrusted zone of the enterprise network. You need to take
preventive measures.
The IP address 10.0.111.1 launches multiple attacks. You need to filter out
packets sent from this IP address.
Create a loopback interface on R1 to simulate an attack. Configure a static
route for the firewall.
[R1]interface LoopBack 1
Enable the defense against port scanning. The test results on port
scanning attacks are automatically imported to the blacklist.
[FW]firewall defend port-scan enable
Set the threshold of the scanning rate to 5000 pps. The threshold specifies
the rate at which a source IP address changes IP packets that are to be sent to
the destination port. If the rate is high, there is a high probability that the source
IP address is scanning all ports in the destination IP address.
[FW]firewall defend port-scan max-rate 5000

Page13
Set the timeout period of the blacklist to 30 minutes. The blacklist entries
dynamically generated are deleted after 30 minutes.
[FW]firewall defend port-scan blacklist-timeout 30
Before creating a blacklist statically, ensure that the loopback interface

with the IP address of 10.0.111.1 can communicate with the loopback interface
on R3.
Test the connectivity.

[R1]ping -a 10.0.111.1 10.0.3.3

0.00% packet loss
Create a blacklist statically and add 10.0.111.1 to the blacklist. The firewall
discards packets sent from this IP address before the IP address is manually
deleted from the blacklist.
[FW]firewall blacklist enable
[FW]firewall blacklist item 10.0.111.1
Test the connectivity.

[R1]ping -a 10.0.111.1 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out


100.00% packet loss
Step 4 Configure ASPF.
Application Specific Packet Filter (ASPF) functions as an important help

among multi-channel protocols and NAT applications.
ASPF allows an intranet to provide FTP and TFTP services to external
users and prevents intranet users from downloading risky controls when they
access web servers on extranets.
Besides FTP and TFTP services that the enterprise provides, intranet
users need to access extranet web pages. Risky java controls may exist on
these web pages. FTP is a predefined protocol. Devices in security zones can
forward FTP packets properly after the detect ftp function is applied. TFTP
packets, however, can only be forwarded after triplet ASPF is enabled.
Create ACL.
ACL 3001 defines matching rules for traffic sent to the TFTP server on the
intranet. TFTP services require user-defined port number. Create a separate
ACL.
[FW]acl 3001
[FW-acl-adv-3001]rule permit udp destination-port eq tftp
[FW-acl-adv-3001]quit
Detect FTP services in the interzone to implement proper forwarding of

FTP packets. Run the detect user-define command to implement proper
forwarding of TFTP packets.
[FW]firewall interzone trust dmz
[FW-interzone-trust-dmz]detect ftp
[FW-interzone-trust-dmz]detect user-defined 3001 outbound
[FW-interzone-trust-dmz]quit
Run the detect java-blocking command in the interzone to prevent the

download of risky java controls.
[FW]firewall interzone trust untrust
[FW-interzone-trust-untrust]detect java-blocking 2001 outbound
[FW-interzone-trust-untrust]quit

Page15
The ASPF function determines whether packets of some special protocols

are properly forwarded. When an exception occurs on services of a special
protocol, locate the problem in the following method:
Run the display interzone command to view the interzone configuration.
Verify the ASPF configuration.
[FW]display interzone
15:42:11 2011/12/25
interzone trust untrust
detect java-blocking
#
interzone trust dmz
detect ftp
detect user-defined 3001 outbound
#
Additional Exercises: Analyzing and Verifying
How can you plan the network for an enterprise that has a large number of
users and requires multiple services? What methods can simplify the
configuration?
Final Configurations
[R1]display current-configuration
[V200R001C00SPC200]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.0.111.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#

return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.30.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
return
[FW]display current-configuration
#
sysname FW
#
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
#
vlan batch 1 12
#
firewall defend port-scan enable

Page17
firewall defend port-scan max-rate 5000

firewall defend port-scan blacklist-timeout 30
#
firewall statistic system enable
#
acl number 3001
rule 5 permit udp destination-port eq tftp
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
interface Ethernet0/0/0
ip address 10.0.10.254 255.255.255.0
#
portswitch
port link-type access
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet1/0/0
add interface Vlanif1
#
firewall zone untrust
set priority 5
#
firewall zone dmz

set priority 50
#
firewall interzone trust untrust
detect java-blocking
#
firewall interzone trust dmz
detect ftp
detect user-defined 3001 outbound
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.1
ip route-static 10.0.3.0 255.255.255.0 10.0.30.1
ip route-static 10.0.111.0 255.255.255.0 10.0.10.1
#
firewall blacklist enable
firewall blacklist item 10.0.111.1
#
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set icmp
policy destination 10.0.3.3 0
policy 2
action permit
policy service service-set telnet
policy 3
action deny
#
return
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 11 to 13
#

Page19

port default vlan 11
#
#
#
#
#
#
return

Lab 1-2 IPSec VPN Configuration on a USGFirewall
Learning Objectives

x IPSec VPN configuration on a USG
x GRE over IPSec VPN configuration on a USG
x IPSec VPN configuration on a router
x GRE over IPSec VPN configuration on a router
Topology
Figure 1-2 VPN configuration for USGs
Scenario

enterprise network consists of the headquarters network, branch networks,
and branch office networks. You need to configure users in the trusted zones
of branch networks and branch office networks to access the trusted zone of
the headquarters network. Data is encrypted and transmitted between the
headquarters network and branch networks, and between the headquarters
network and branch office networks.

Page21
Tasks
S1 and S2 connect the firewall to routers in the lab and require no

configuration. Before the lab, reset configurations of S1 and S2 and restart S1
and S2.
Configure IP addresses and masks for all routers. The mask length of each
loopback interface is 24 bits.
<Huawei>system-view
[Huawei]sysname R1
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
<Huawei>system-view
[Huawei]sysname R2
[R2-Serial1/0/0]interface Serial2/0/0
<Huawei>system-view
[Huawei]sysname R3
[R3]interface Serial2/0/0
Configure IP addresses for interfaces on FW1 and FW2.

[USG2100]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]interface vlan 1
[FW1-Vlanif1]undo ip address
[USG2100]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]interface vlan 1
Configure trusted zones of FW1 and FW2, and add interfaces to the
trusted zones.
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW1-zone-untrust]undo add interface Ethernet0/0/0
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW2]firewall zone untrust

[FW2-zone-untrust]add interface Ethernet 2/0/0
[FW2-zone-untrust]undo add interface Ethernet0/0/0
[FW2-zone-untrust]quit
[FW2-zone-trust]add interface Ethernet 0/0/0
Step 2 Configuring security filtering between zones.
Configure packets to transmit only from the trusted zone to the untrusted
zone and from the untrusted zone to the local zone.

Page23
[FW1]firewall packet-filter default permit interzone trust untrust

[FW1]firewall packet-filter default permit interzone local untrust
[FW2]firewall packet-filter default permit interzone trust untrust

[FW2]firewall packet-filter default permit interzone local untrust
Step 3 Configure routes to connect networks.
Configure single-area OSPF on R1, R3, R3, FW1, and FW2. The network
segments 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24, and 10.0.23.0/24 are
connected.
[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Test the connectivity between network segments on FW1 and FW2.

[FW1]ping 10.0.20.2


0.00% packet loss
[FW1]ping 10.0.23.3
0.00% packet loss
[FW2]ping 10.0.10.1
0.00% packet loss
[FW2]ping 10.0.23.3

Page25
0.00% packet loss

The test results show that the network segments 10.0.10.0/24,

10.0.20.0/24, 10.0.12.0/24, and 10.0.23.0/24 are connected.
Step 4 Configure IPSec VPN between a branch network and the
headquarters network.
Create an ACL to identify IPSec VPN traffic between FW1 and FW2.
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination
10.0.200.0 0.0.0.255
[FW2]acl 3000
10.0.100.0 0.0.0.255
Configure static routes from a branch network to the headquarters intranet.

[FW1]ip route-static 10.0.200.0 24 10.0.10.2
Configure an IPSec proposal on FW1 and FW2.

Set the encapsulation mode to tunnel mode. Use ESP to protect data. ESP
uses the DES encryption algorithm and SHA1 authentication algorithm.
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des
[FW2]ipsec proposal tran1

[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on FW1 and FW2.

Set the encryption algorithm to DES and authentication algorithm to SHA1.

[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation by default.
Apply the IKE proposal and configure the preshared key and peer end's IP
address on FW1 and FW2.
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2
[FW1-ike-peer-fw12]pre-shared-key abcde
[FW2]ike peer fw21

Configure an IPSec policy on FW1 and FW2.
During the IPSec policy configuration, bind the ACL, IPSec proposal, and
IKE peer to the IPSec policy.
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12

Apply IPSec policies to interfaces on FW1 and FW2.

[FW1]interface Ethernet2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1

Page27
Test the connectivity between the branch intranet and the headquarters
intranet. View the established IPSec.
[FW1]ping -a 10.0.100.1 10.0.200.1
0.00% packet loss
[FW1]display ike sa
current ike sa number: 2
---------------------------------------------------------------------
connection-id peer vpn flag phase vpn
--------------------------------------------------------------------
40001 10.0.20.2 0 RD|ST v2:2 public
1 10.0.20.2 0 RD|ST v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D—DPD
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40001
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 16s

tunnel local : 10.0.10.1 tunnel remote: 10.0.20.2

flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
[inbound ESP SAs]

spi: 74331737 (0x46e3659)
vpn: 0 said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 18969668 (0x1217444)
max sent sequence-number: 5
The branch intranet can communicate with the headquarters intranet.

Two ESP SAs are established bidirectionally between FW1 and FW2. Data
is encrypted and transmitted between the branch networks and headquarters
network.
Step 5 Configure IPSec VPN between a branch office network
and the headquarters network.
Create an ACL to identify IPSec VPN traffic to be sent between the branch
office and the headquarters.
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0
0.0.0.255
[FW2]acl 3001
10.0.3.0 0.0.0.255
Configure static routes from a branch network to the headquarters intranet.

[R3]ip route-static 10.0.200.0 24 10.0.23.2

Page29
Configure an IPSec proposal on R3.

Set the encapsulation mode to tunnel mode. Use ESP to protect data. ESP
uses the DES encryption algorithm and SHA1 authentication algorithm.
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]encapsulation-mode tunnel
[R3-ipsec-proposal-tran1]transform esp
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on FW2 and R3.

Set the encryption algorithm to DES and authentication algorithm to SHA1.
[R3]ike proposal 10
[R3-ike-proposal-10]authentication-algorithm sha1
[R3-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation.

Apply the IKE proposal and configure the preshared key and peer end's IP
address on FW2 and R3.
[FW2]ike peer fw23
[R3]ike peer r32 v2

[R3-ike-peer-r32]ike-proposal 10
[R3-ike-peer-r32]remote-address 10.0.20.2
[R3-ike-peer-r32]pre-shared-key abcde
Configure an IPSec policy on F2W and R3.

During the IPSec policy configuration, bind the ACL, IPSec proposal, and
IKE peer to the IPSec policy.

[R3]ipsec policy map1 10 isakmp

[R3-ipsec-policy-isakmp-map2-10]security acl 3000
[R3-ipsec-policy-isakmp-map2-10]proposal tran1
[R3-ipsec-policy-isakmp-map2-10]ike-peer r32
Apply IPSec policies to interfaces on FW2 and R3.

[R3]interface Serial2/0/0
[R3- Serial2/0/0]ipsec policy map1
Test the connectivity between the branch office intranet and the
headquarters intranet. View the established IPSec.
To view the established IKE SA, use the v2 parameter in the command.
[R3]ping -a 10.0.3.3 10.0.200.1
0.00% packet loss
[R3]display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
2 10.0.20.2 0 RD|ST 2
1 10.0.20.2 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500

Page31
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 10.0.23.3
Tunnel remote : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Max received sequence-number: 5
The branch office intranet can communicate with the headquarters

intranet.
An IPSec VPN tunnel is established between FW2 and R3. Data is
encrypted and transmitted between the branch office networks and
Step 6 Configure a GRE over IPSec VPN between a branch
network and the headquarters network.
The preceding steps configure static routes to implement communication

among intranets.
As the scale of the network expands, the complexity associated with using
a static route solution also increases. To solve this problem, use dynamic
routing protocols to implement communication among networks.
Dynamic routing protocols cannot function on IPSec tunnels.

GRE over IPSec supports dynamic routing protocols for network

communication.
Create a tunnel interface on FW1 and enable GRE.
Add the tunnel interface to the untrusted zone of FW1.
[FW1]interface tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]ip address 30.1.1.1 24
[FW1-Tunnel1]source 10.0.10.1
[FW1-Tunnel1]destination 10.0.20.2
[FW1-Tunnel1]firewall zone untrust
[FW1-zone-untrust]add interface Tunnel 1

Delete static routes configured in the preceding steps. Enable RIP (version 2)
between a branch network and the headquarters intranet.
[FW1]undo ip route-static 10.0.200.0 24 10.0.10.2
[FW1]rip
[FW1-rip-1]version 2
[FW1-rip-1]network 30.0.0.0

[FW2]rip
Create an ACL and configure GRE encapsulated data packets to be

encrypted by the IPSec policy on FW1 and FW2.

Page33
Bind the IPSec policy to the new ACLs on FW1 and FW2.
[FW1]acl 3001
[FW1-acl-adv-3001]rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0
[FW1-acl-adv-3001]quit
[FW2]acl 3002
Maintain all other configuration.
Test the connectivity between the branch intranet and the headquarters
intranet. View the established IPSec.
[FW1]ping -a 10.0.100.1 10.0.200.1
0.00% packet loss
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: public
-----------------------------
connection id: 40003
rule number: 5

encapsulation mode: tunnel

holding time: 0d 0h 5m 21s
tunnel local : 10.0.10.1 tunnel remote: 10.0.20.2
flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
[inbound ESP SAs]
spi: 240396810 (0xe542a0a)
max received sequence-number: 9
[outbound ESP SAs]
spi: 208723708 (0xc70defc)
max sent sequence-number: 10
The branch intranet can communicate with the headquarters intranet.

A GRE over IPSec VPN tunnel is established between FW1 and FW2. RIP
routing information is transmitted between the branch network and the
Step 7 Configure a GRE over IPSec VPN between a branch
office network and the headquarters network.


Page35
Create a tunnel interface on R3 and enable GRE.

[R3]interface tunnel 0/0/1
[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]ip address 40.1.1.2 24
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.20.2
Delete static routes configured in the preceding steps. Enable RIP (version
2) between a branch office network and the headquarters intranet.
[FW2]rip
[R3]undo ip route-static 10.0.200.0 24 10.0.23.2

[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 40.0.0.0
[R3-rip-1]network 10.0.0.0
Create an ACL to specify GRE encapsulated packets to be encrypted by

the IPSec policy on R3 and FW2.
Configure an IPSec policy and bind the IPSec policy to the ACL, IPSec
proposal and IKE peer.
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-10]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32
[FW2]acl 3003

Maintain all other configuration.
Test the connectivity between the branch office intranet and the
headquarters intranet. View the established IPSec.
[R3]ping -a 10.0.3.3 10.0.200.1
0.00% packet loss
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================
-----------------------------
Mode : ISAKMP
-----------------------------
Connection ID : 2
[Outbound ESP SAs]

SPI: 145201056 (0x8a797a0)
[Inbound ESP SAs]

SPI: 1040062082 (0x3dfe1682)

Page37

-----------------------------
Mode : ISAKMP
-----------------------------
Connection ID : 5
[Outbound ESP SAs]

SPI: 97199512 (0x5cb2598)
[Inbound ESP SAs]

SPI: 2570078602 (0x9930498a)
The branch office network can communicate with the headquarters

intranet.
A GRE over IPSec VPN tunnel is established between FW2 and R3. Data
is transmitted between the branch office network and the headquarters
network using RIP.
For the IPSec configuration between the branch office network and the
headquarters network described in Step 5, if R3 did not use IKEv2 to negotiate
with FW2, could the IKE SA still be established?

[FW1]display current-configuration
#
sysname FW1
#
acl number 3000
rule 5 permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
rule 5 permit gre source 10.0.10.1 0 destination 10.0.20.2 0
#
ike proposal 10
#
ike peer fw12
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.20.2
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3001
ike-peer fw12
proposal tran1
#
ip address 10.0.100.1 255.255.255.0
#
ip address 10.0.10.1 255.255.255.0
ipsec policy map1
#
interface Tunnel1
ip address 30.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.10.1
destination 10.0.20.2
#
firewall zone local

Page39
set priority 100

#
firewall zone trust
set priority 85
#
set priority 5
add interface Tunnel1
#
ospf 1
area 0.0.0.0
network 10.0.10.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
#
Return
#
sysname FW2
#
acl number 3000
#
acl number 3001
#
acl number 3002
#
acl number 3003
#
ike proposal 10
#
ike peer fw21
ike-proposal 10

#
ike peer fw23
ike-proposal 10
#
#
security acl 3002
ike-peer fw21
proposal tran1
#
security acl 3001
ike-peer c
proposal tran1
#
security acl 3003
ike-peer fw23
proposal tran1
#
ip address 10.0.200.1 255.255.255.0
#
ip address 10.0.20.2 255.255.255.0
ipsec policy map1
#
interface Tunnel1
ip address 30.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.20.2
#
interface Tunnel2
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.20.2

Page41
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
ospf 1
area 0.0.0.0
network 10.0.20.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
network 40.0.0.0
#
Return
[V200R001C00SPC200]
#
sysname R3
#
acl number 3000
#
acl number 3001
#

#
ike proposal 10
#
ike peer r32 v2
ike-proposal 10
#
security acl 3000
ike-peer r32
proposal tran1
#
security acl 3001
ike-peer r32
proposal tran1
#
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
ipsec policy map1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.23.3
#
ospf 1
area 0.0.0.0
network 10.0.23.0 0.0.0.255
#
rip 1
version 2
network 40.0.0.0
network 10.0.0.0
#
Return

Page43

Lab 1-3 Attack Defense Configuration on a Firewall
Learning Objectives

x Methods used to configure attack defense against traffic attacks
x Methods used to configure attack defense against scanning and
snooping attacks
x Methods used to configure attack defense against malformed packet
attacks
x Methods used to configure attack defense against special packet
attacks
Topology
Figure 1-3 Attack defense configuration
Scenario

enterprise network includes a firewall and a switch. R1 functions as a DHCP
server, FW functions as the egress to the Internet, and S2 simulates a PC on
the extranet.
To improve network security, you need to apply security policies to the

Page45
network and configure security policies on the firewall and the switch.
Tasks
Step 1 Perform basic configurations and configure IP
addresses.
Configure IP addresses and masks for all devices.

<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
<Quidway>system-view
[Quidway]sysname S1
[USG2100]sysname FW
[FW]interface Ethernet 0/0/0
[FW]firewall packet-filter default permit all
[FW]firewall zone untrust

<Quidway>system-view
[Quidway]sysname S2
[S2]vlan 100
[S2-vlan100]quit
[S2-GigabitEthernet0/0/9]quit
[S2]interface Vlanif 100
[S2-Vlanif100]ip address 100.0.0.2 24
[S1]vlan 100
[S1-vlan100]quit
Shut down G0/0/10, G0/0/13, and G0/0/14 on S1 to prevent side impacts

on the lab.
[S1-GigabitEthernet0/0/10]shutdown
After configurations are complete, test the connectivity of direct links.

[R1]ping -c 1 10.0.10.2

0.00% packet loss

Page47
[R1]ping -c 1 10.0.10.3

0.00% packet loss
[R1]ping -c 1 10.0.10.254

0.00% packet loss
[FW]ping -c 1 100.0.0.2
10:47:09 2011/12/27

0.00% packet loss
Step 2 Implement network communication.
To implement network communication, configure a correct default route for

each device that simulates a PC.
Configure default routes for R1, R2, R3, and S2.
[R1]ip route-static 0.0.0.0 0 10.0.10.254

[R2]ip route-static 0.0.0.0 0 10.0.10.254
[R3]ip route-static 0.0.0.0 0 10.0.10.254
[S2]ip route-static 0.0.0.0 0 100.0.0.1
On S2, test the connectivity among R1, R2, and R3.

[S2]ping -c 1 10.0.10.1

0.00% packet loss
[S2]ping -c 1 10.0.10.2

0.00% packet loss
[S2]ping -c 1 10.0.10.3

0.00% packet loss
Step 3 Configuring defense against traffic attacks.
Attackers send a large amount of unnecessary data to a server. The

Page49
server fails to respond to service requests from authorized users.
To protect networks against such attacks, enable defense against SYN

flood attacks, TCP full-connection attacks, HTTP flood attacks, UDP flood
attacks, and ICMP flood attacks.
Enable defense against reverse source tracing based on TCP on E2/0/0 of
FW.
[FW]firewall source-ip detect interface Ethernet 2/0/0 alert-rate 10000 max-rate
30000
Enable defense against TCP full-connection attacks on FW.

[FW]firewall blacklist enable
[FW]firewall defend tcp-illegal-session enable
Warning: Configuring this command will affect the P2P service. To protect the
server from TCP connection exhaustion, configure this command.
Continue? [Y/N]:y
Enable defense against HTTP flood attacks on E2/0/0 of FW.

[FW]firewall defend http-flood enable
[FW]firewall defend http-flood source-detect interface Ethernet 2/0/0 alert-rate
10000 max-rate 30000
Enable defense against UDP flood attacks on E2/0/0 of FW.

[FW]firewall defend udp-flood enable
[FW]firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000
Enable defense against ICMP flood attacks on E2/0/0 of FW.

[FW]firewall defend icmp-flood enable
[FW]firewall defend icmp-flood interface Ethernet 2/0/0 max-rate 10000
Step 4 Configure defense against scanning and snooping
attacks.
Attackers continually send different packets to the destination port for

scanning service types and security vulnerabilities on the port. To prevent such
attacks, enable defense against scanning and snooping attacks.

Enable defense against scanning and snooping attacks on FW.

[FW]firewall defend port-scan enable
[FW]firewall defend port-scan max-rate 5000
Step 5 Configure defense against malformed packet attacks.
If attackers send malformed IP packets to a user system, an exception

may occur when the system processes these packets, affecting proper system
operating. To prevent such attacks, enable defense against Smurf attacks,
Land attacks, and Fraggle attacks. Configure DHCP snooping on the access
network to improve network security.
Enable Smurf attack defense on FW.

[FW]firewall defend smurf enable
Enable Land attack defense on FW.

[FW]firewall defend land enable
Enable Fraggle attack defense on FW.

[FW]firewall defend fraggle enable
Enable IP fragment attack defense on FW.

[FW]firewall defend ip-fragment enable
Enable defense against attacks from packets with invalid TCP flag bits on
FW.
[FW]firewall defend tcp-flag enable
Use R1 as the DHCP server.

[R1]dhcp enable
[R1-GigabitEthernet0/0/1]dhcp select global
[R1-GigabitEthernet0/0/1]quit
[R1]ip pool company
[R1-ip-pool-company]network 10.0.10.0 mask 24
[R1-ip-pool-company]excluded-ip-address 10.0.10.1
[R1-ip-pool-company]gateway-list 10.0.10.254

Page51
Configure G0/0/1 of R2 and R3 to automatically obtain IP addresses.

[R2]dhcp enable
[R2-GigabitEthernet0/0/1]undo ip address
[R2-GigabitEthernet0/0/1]ip address dhcp-alloc
Info: The operation may take a few seconds, please wait.
Succeed.
[R3]dhcp enable
[R3-GigabitEthernet0/0/1]undo ip address
[R3-GigabitEthernet0/0/1]ip address dhcp-alloc
Info: The operation may take a few seconds, please wait.
Succeed.
Enable DHCP Snooping on S1 and configure interfaces as trusted

interfaces.
[S1]dhcp enable
[S1]dhcp snooping enable
[S1-GigabitEthernet0/0/1]dhcp snooping trusted
[S1-GigabitEthernet0/0/1]inter GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]dhcp snooping enable
[S1-GigabitEthernet0/0/2]inter GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]dhcp snooping enable
View the MAC addresses of G0/0/1 on R1 and E0/0/0 on FW, and

configure a static user binding entry.
[R1]display interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-12-27 10:21:41
Description:HUAWEI, AR Series, GigabitEthernet0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.10.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 5489-9876-81f0
Last physical up time : 2011-12-27 10:14:07
Last physical down time : 2011-12-27 10:13:48
Current system time: 2011-12-27 16:24:49
Port Mode: COMMON COPPER

Speed : 1000, Loopback: NONE

Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 704 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 7392 bits/sec,Record time: 2011-12-27 10:17:53
Output peak rate 2816 bits/sec,Record time: 2011-12-27 10:17:13
Input: 12040 packets, 1641163 bytes

Unicast: 0, Multicast: 0
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0
……output omit……
[FW]display interface Ethernet 0/0/0

Ethernet0/0/0 current state : UP
Line protocol current state : UP
Description : Huawei, usg2160 serials, Ethernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.0.10.254/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a109-68b2
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
Output flow-control is unsupported, input flow-control is unsupported
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 59.50 bytes/sec, 0.50 packets/sec
Last 300 seconds output rate 0.00 bytes/sec, 0.00 packets/sec
Input: 11778 packets, 1527521 bytes
478 broadcasts(4.06%), 11230 multicasts(95.35%)
0 runts, 0 giants,
0 errors, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
……output omit……
[S1]user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0

[S1]user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2

Page53
Enable IP address anti-spoofing.

[S1-GigabitEthernet0/0/2]ip source check user-bind enable
Info: Add permit rule for dynamic snooping bind-table, please wait a minute!
[S1-GigabitEthernet0/0/3]ip source check user-bind enable
Info: Add permit rule for dynamic snooping bind-table, please wait a minute!
Configure the items in an IP packet to be checked.

[S1-GigabitEthernet0/0/2]ip source check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!
[S1-GigabitEthernet0/0/3]ip source check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!
Check source MAC addresses of ARP packets.

[S1]arp anti-attack packet-check sender-mac
Configure defense against ARP man-in-the-middle attacks.

[S1-GigabitEthernet0/0/2]arp anti-attack check user-bind enable
[S1-GigabitEthernet0/0/2]arp anti-attack check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a
minute!
[S1-GigabitEthernet0/0/3]arp anti-attack check user-bind enable
[S1-GigabitEthernet0/0/3]arp anti-attack check user-bind check-item ip-address

mac-address
Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a
minute!

Step 6 Configure defense against special packet attacks.
Attackers send some seldom used valid packets to detect the network. To
prevent such attacks, enable defense against large ICMP packet attacks,
ICMP redirection packet attacks, and ICMP destination-unreachable packet
attacks.
Enable defense against large ICMP packet attacks on FW.

[FW]firewall defend large-icmp enable
[FW]firewall defend large-icmp max-length 3000
Enable defense against ICMP redirection packet attacks on FW.

[FW]firewall defend icmp-redirect enable
Enable defense against ICMP destination-unreachable packet attacks on

FW.
[FW]firewall defend icmp-unreachable enable
Enable defense against attacks of IP packets with the route record option
on FW.
[FW]firewall defend route-record enable
Enable defense against attacks of IP packets with the source route option
on FW.
[FW]firewall defend source-route enable
Enable Tracert attack defense on FW.

[FW]firewall defend tracert enable
Enable defense against attacks of IP packets with the timestamp option on

FW.
[FW]firewall defend time-stamp enable
The firewall functions are limited on actual networks. IPS devices need to

Page55
be deployed to defend against attacks at another layer.
Collect information about IPS and compare the IPS to the firewall.
#
firewall packet-filter default permit interzone local trust direction inbound

firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
firewall defend tcp-illegal-session enable
firewall defend http-flood enable
firewall defend port-scan enable
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend fraggle enable
firewall defend tracert enable
firewall defend icmp-unreachable enable
firewall defend icmp-redirect enable
firewall defend large-icmp enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend smurf enable
firewall defend land enable
firewall defend port-scan max-rate 5000
firewall defend large-icmp max-length 3000
firewall defend http-flood source-detect interface Ethernet2/0/0 alert-rate
10000 max-rate 30000

firewall source-ip detect interface Ethernet2/0/0 alert-rate 10000 max-rate

30000
firewall defend icmp-flood interface Ethernet2/0/0 max-rate 10000
firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000
#
ip address 10.0.10.254 255.255.255.0
#
ip address 100.0.0.1 255.255.255.0
#
interface NULL0
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall blacklist enable
#
Return
#
sysname S1
#
vlan batch 100
#
dhcp enable
dhcp snooping enable
user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0
user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2
#
dhcp snooping trusted
#

Page57
arp anti-attack check user-bind enable

arp anti-attack check user-bind check-item ip-address mac-address
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
#
shutdown
#
shutdown
#
shutdown
#
#
#
return

Lab 1-4 NAT Configuration on a USG Firewall
Learning Objectives

x NAT Easy IP configuration on a USG
x NAPT configuration on a USG
x NAT Server configuration on a USG
x NAT configuration on a USG in a zone
Topology
Figure 1-4 USG configuration
Scenario

headquarters network includes a trusted zone, an untrusted zone, and a DMZ
zone. You need to configure users in the trusted area to access the extranet,

Page59
and advertise Telnet and FTP services provided by a server with the IP
address of 10.0.4.4 in the DMZ zone. The public address of the server is
1.1.1.100/24.
You also need to advertise Telnet services provided by a server with the IP
address of 10.0.3.3 in the trusted zone. Users in the trusted zone can access
the Telnet services using 1.1.1.200/24, and cannot access services in other
zones.
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
<Huawei>system-view

[Huawei]sysname R4
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be

configured with an IP address. In the lab, configure VLAN 12 on the firewall
and create a VLANIF 12 interface. Configure the VLANIF 12 interface's IP
address as the IP address of the gateway in the trusted zone and set the IP
address to 10.0.20.254/24.
By default, the firewall configures an IP address for VLANIF 1. To prevent
interference, delete the VLANIF 1 configuration.
[USG2100]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW]interface vlanif 1
[FW-Vlanif1]undo ip address
Add G0/0/1 and G0/0/21 to VLAN 11.

Add G0/0/2, G0/0/3, and G0/0/22 to VLAN 12.
Add G0/0/4 and G0/0/23 to VLAN 13.
[Quidway]sysname S1

Page61

Step 2 Configure static routes to connect networks.
Configure default routes for R2, R3, and R4. Configure static routes to
implement communication across network segments to which four loopback 0
interfaces are connected. R1 requires no static route because R1 functions as
an Internet device and does not require information about the private networks
in the trusted zone and DMZ zone.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.20.254
[R4]ip route-static 0.0.0.0 0 10.0.40.254

Step 3 Add interfaces to security zones.
By default, four zones locate on a firewall. They are local, trusted,

untrusted, and DMZ zones.
This lab uses trusted, untrusted, and DMZ zones.

[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
Step 4 Configure security filtering between zones.
Configure packets to transmit from 10.0.2.0 and 10.0.3.0 segments in the

trusted zone to the untrusted zone. Configure Telnet and FTP request packets
to transmit from the untrusted zone to the 10.0.4.4 network segment in the
DMZ zone.
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-0]action permit
[FW-policy-interzone-trust-untrust-outbound-0]quit
[FW-policy-interzone-trust-untrust-outbound]quit
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set ftp
Step 5 Configure NAT Easy IP.
Configure NAT Easy IP on an interface to translate the source address and

bind a NAT policy to the interface.
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0

Page63
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0

0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0
Test connectivity of the trusted zone and the untrusted zone.

[R2]ping 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
[R2]ping -a 10.0.2.2 10.0.1.1


0.00% packet loss
If you ping 10.0.1.1 from R2 directly, the ping fails. Use the extended ping.
After a source IP address is specified as 10.0.2.2, the ping succeeds.
This is because that the source IP address of the packet is 10.0.20.2,
which is not in the NAT address range.
[FW]display nat-policy interzone trust untrust outbound
10:46:37 2011/12/26
nat-policy interzone trust untrust outbound
policy 0 (1 times matched)

action source-nat
policy service service-set ip
policy source 10.0.2.0 0.0.0.255
policy destination any
easy-ip Ethernet0/0/0
Step 6 Configure an address group.
Configure an address group to translate the source IP address and bind a

NAT policy to the address group.
[FW]nat address-group 1 1.1.1.3 1.1.1.10
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]address-group 1

[R3]ping -a 10.0.3.3 10.0.1.1

0.00% packet loss
Use the extended ping. After a source IP address is specified as 10.0.3.3,

the ping succeeds.
[FW]display nat-policy interzone trust untrust outbound
10:52:37 2011/12/26
action source-nat

Page65

policy source 10.0.2.0 0.0.0.255

action source-nat
policy source 10.0.3.0 0.0.0.255
address-group 1
The IP address 10.0.2.0/24 and 10.0.3.0/24 in the trusted zone can access
the untrusted zone.
Step 7 Advertise services provided by the intranet server with
the IP address of 10.0.4.4.
Map Telnet and FTP services on 10.0.4.4 to 1.1.1.100.

[FW]nat server protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet
[FW]nat server protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp
FTP is a multi-channel protocol, so NAT translation takes effect only after

NAT ALG is configured.
Configure NAT ALG between the DMZ and untrusted zones so that the
server can properly provide FTP services.
[FW]firewall interzone dmz untrust
[FW-interzone-dmz-untrust]detect ftp
Enable Telnet and FTP on R4, and test on R1. The advertised IP address
is 1.1.1.100, which is the actual destination IP address when R1 accesses
services on 10.0.4.4.
[R4]aaa
[R4-aaa]local-user huawei password simple huawei
[R4-aaa]local-user huawei service-type ftp
[R4-aaa]local-user huawei ftp-directory flash:
[R4-aaa]quit

[R4-ui-vty0-4]quit
[R4]ftp server enable
<R1>telnet 1.1.1.100
Trying 1.1.1.100 ...
<R4>quit
<R1>ftp 1.1.1.100
Trying 1.1.1.100 ...
Press CTRL+K to abort
Connected to 1.1.1.100.
220 FTP service ready.
User(1.1.1.100:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[R1-ftp]
Users in the untrusted zone can access Telnet and FTP services provided
by 1.1.1.100/24 in the DMZ zone.
Step 8 Configure NAT in an inside zone.
Configure NAT on the server with the IP address of 10.0.3.3 and maps the
address to 1.1.1.200.
[FW]nat server protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet
Configure NAT to translate the source address into a public address when
a user on the intranet accesses 1.1.1.200.
[FW]nat-policy zone trust
[FW-nat-policy-zone-trust]policy 0
[FW-nat-policy-zone-trust-0]policy source 10.0.2.0 0.0.0.255
[FW-nat-policy-zone-trust-0]policy destination 1.1.1.200 0
[FW-nat-policy-zone-trust-0]action source-nat
[FW-nat-policy-zone-trust-0]address-group 1
Enable Telnet on R3, and test connectivity of the trusted area and
1.1.1.200 on R2. The advertised IP address is 1.1.1.200, which is the actual
destination IP address when R2 accesses 10.0.3.3.

Page67
<R2>telnet -a 10.0.2.2 1.1.1.200

Trying 1.1.1.200 ...
<R3>
How do you advertise services provided by intranet servers when the

firewall is connected to two carrier networks at the same time?
#
sysname FW
#
nat address-group 1 1.1.1.3 1.1.1.10
nat server 0 protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet
nat server 1 protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp
nat server 2 protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet
#
vlan batch 1 12
#
firewall session link-state check
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 1.1.1.254 255.255.255.0
#
portswitch
port access vlan 12
#

ip address 10.0.40.254 255.255.255.0
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.20.3
ip route-static 10.0.4.0 255.255.255.0 10.0.40.4
#
policy interzone trust untrust outbound
policy 0
action permit
policy source 10.0.2.0 0.0.0.255
policy source 10.0.3.0 0.0.0.255
#
policy interzone dmz untrust inbound
policy 0
action permit
policy service service-set ftp
policy service service-set telnet
#
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255

Page69
policy 1
action source-nat
policy source 10.0.3.0 0.0.0.255
address-group 1
#
nat-policy zone trust
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255
address-group 1
#
Return
<R1>display current-configuration
[V200R001C00SPC200]
#
sysname R1
#
#
ip address 1.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
Return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
Return

[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.20.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
user-interface vty 0 4
authentication-mode none
#
Return
[V200R001C00SPC500]
#
sysname R4
ftp server enable
#
#
aaa
local-user huawei password simple huawei
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
ip address 10.0.40.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.254
#
user-interface vty 0 4
authentication-mode none
#
Return

Page71
<S1>display current-configuration
#
sysname S1
#
vlan batch 11 to 13
#
#
#
#
#
#
#
#
return

Lab 1-5 Dual-System Hot Backup Configuration for USG
Firewalls
Learning Objectives

x Dual-system hot backup configuration
x VRRP configuration
x HRP configuration
Topology
Figure 1-5a Physical topology
Figure 1-5b Logical topology

Page73
Scenario
Assume that you are a network administrator of an enterprise. You need to

configure dual-system hot backup for the firewalls to ensure communication
reliability.
The current communication requires dual-system hot backup based on
load balancing. When users in the trusted zone access services in the
untrusted zone, packets sent from different routes are forwarded by the
primary firewall to implement load balancing. When a fault occurs on the
primary firewall, packets are switched to the secondary firewall to implement
hot backup.
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3

<Huawei>system-view
[Huawei]sysname R4
Configure VLAN 11, 12, 13, and 14 and corresponding VLANIF addresses
for firewalls. Ethernet1/0/0 on the firewall is a Layer 2 switch interface and
cannot be configured with an IP address. By default, the firewall configures an
IP address for VLANIF 1. To prevent interference, delete the VLANIF 1
configuration.
<FW1>system-view
[FW1]vlan batch 11 to 14
[FW1]interface vlanif 11
[FW1-Vlanif11]ip address 10.0.10.2 24
[FW1-Vlanif11]interface vlanif 12
[FW1-Vlanif12]interface Vlanif 13
[FW1-Vlanif14]interface Ethernet0/0/0
[FW1-Ethernet0/0/0]quit
<FW2>system-view
[FW2]vlan batch 11 to 14

Page75

[FW2-Vlanif14]interface Ethernet0/0/0
[FW2-Ethernet0/0/0]quit
Plan VLANs for interfaces on switches.

<S1>system-view
[S1-GigabitEthernet0/0/2]interface gigabitEthernet 0/0/4
<S2>system-view
[S2-GigabitEthernet0/0/1]interface gigabitEthernet 0/0/3
Set G0/0/9 on S1 and G0/0/9 on S2 to trunk interfaces and allow packets

from VLAN 11, 12, 13, and 14 to pass through.
[S1-GigabitEthernet0/0/9]port link-type trunk
[S1-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14

[S2-GigabitEthernet0/0/9]port link-type trunk
[S2-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14
Assign G0/0/21 and G0/0/10 on S1 and G0/0/10 and G0/0/11 on S2 to

VLAN 10. This line is the firewall heartbeat line.

Enable MSTP on VLAN 10 so that the default process 0 of MSTP cannot

shut down G0/0/10 interfaces on S1 and S2.
Set the region name of S1 and S2 both to be FW.
[S1]vlan 10
[S1-vlan10]quit
[S1]stp region-configuration
[S1-mst-region]region-name FW
[S1-mst-region]instance 1 vlan 10
[S1-mst-region]active region-configuration
[S2]vlan 10
[S2-vlan10]quit
[S2]stp region-configuration
[S2-mst-region]region-name FW
[S2-mst-region]instance 1 vlan 10
[S2-mst-region]active region-configuration
Set E1/0/0 on FW1 and G0/0/22 on S1 to trunk interfaces and allow

packets from VLAN 11, 12, 13, and 14 to pass through.Set E1/0/0 on FW2 and
G0/0/12 on S2 to trunk interfaces and allow packets from VLAN 11, 12, 13,
and 14 to pass through.
[FW1]port link-type trunk
[FW1]port trunk permit vlan 11 to 14

Page77
[S1]port link-type trunk

[S1]port trunk allow-pass vlan 11 to 14
[FW2]port link-type trunk
[FW2]port trunk permit vlan 11 to 14

[S2]port link-type trunk
[S2]port trunk allow-pass vlan 11 to 14
Step 2 Add interfaces to security zones.
By default, four zones locate on a firewall. They are local, trusted,

untrusted, and DMZ zones.
In the lab, add VLANIF 12 and VLANIF 13 to the trusted zone, and add
VLANIF 11 and VLANIF 14 to the untrusted zone. Create a zone abc on FW1
and set the zone priority to 80. Add the heartbeat line interface E0/0/0 on FW1
to the abc zone. Perform the same operations on FW2.
[FW1-zone-trust]add interface vlanif 12
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface vlanif 11
[FW1-zone-untrust]firewall zone name abc
[FW1-zone-abc]set priority 80
[FW1-zone-abc]add interface Ethernet 0/0/0
[FW1-zone-abc]quit
[FW1]firewall packet-filter default permit all

[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]firewall zone name abc
[FW2-zone-abc]set priority 80

[FW2-zone-abc]add interface Ethernet 0/0/0

[FW2-zone-abc]quit
[FW2]firewall packet-filter default permit all
Test connectivity of FW1 and FW2.

[FW1]ping 10.0.20.1
09:47:13 2011/12/27

0.00% packet loss
[FW1]ping 10.0.30.1
09:47:35 2011/12/27

0.00% packet loss
[FW1]ping 10.0.40.1
09:48:01 2011/12/27

Page79


0.00% packet loss
[FW1]ping 10.0.10.1
09:48:34 2011/12/27

0.00% packet loss
[FW2]ping 10.0.10.1
03:51:04 2011/12/27

0.00% packet loss
[FW2]ping 10.0.20.1
03:51:23 2011/12/27



0.00% packet loss
[FW2]ping 10.0.30.1
03:51:47 2011/12/27

0.00% packet loss
[FW2]ping 10.0.40.1
03:52:15 2011/12/27

0.00% packet loss

Page81
Step 3 Configure a VRRP backup group.
Configure a Virtual Router Redundancy Protocol (VRRP) backup group on

FW1 and configure a virtual IP address for the backup group.
[FW1-Vlanif12]vrrp vrid 12 virtual-ip 10.0.20.254 master
[FW1-Vlanif13]vrrp vrid 13 virtual-ip 10.0.30.254 slave
Configure a VRRP backup group on FW2 and configure a virtual IP

address for the backup group.
When configuring the VRRP backup group on FW2, map the Master of
FW1 to the Slave of FW2, and map the Slave of FW1 to the Master of FW2.
Check the VRRP configurations of FW1 and FW2. Verify that the
command outputs display VRRP group states correctly.
[FW1]display vrrp
20:56:41 2011/12/28
Vlanif13 | Virtual Router 13
VRRP Group : Slave
state : Backup
Virtual IP : 10.0.30.254
Virtual MAC : 0000-5e00-010d
Primary IP : 10.0.30.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0

Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.10.254
Virtual MAC : 0000-5e00-010b
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Backup
Virtual IP : 10.0.40.254
Virtual MAC : 0000-5e00-010e
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Backup
Virtual IP : 10.0.20.254
Virtual MAC : 0000-5e00-010c
PriorityRun : 100

Page83
Auth Type : NONE
Check TTL : YES
[FW2]display vrrp
14:32:32 2011/12/28
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.40.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.30.254
PriorityRun : 100


Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES
Step 4 Configure an HRP backup channel.
Configure a backup channel interface on FW1 and FW2 and enable

Huawei Redundancy Protocol (HRP) on the interfaces. The firewall works on a
dual-system hot backup network. If the inbound and outbound paths are
different, run the hrp mirror session enable command to fast back up
sessions. Information about sessions on the primary firewall is synchronized to
the secondary firewall in a timely manner.
When a fault occurs on the primary firewall, packets are forwarded by the
secondary firewall, ensuring uninterrupted sessions between internal and
external users.
[FW1]hrp interface Ethernet0/0/0
[FW1]hrp mirror session enable
[FW1]hrp enable
[FW2]hrp interface Ethernet0/0/0

[FW2]hrp mirror session enable
[FW2]hrp enable

Page85
After the preceding configuration is complete, HRP_M or HRP_S is added

to the prompt based on the HRP status.
After a backup channel is configured, the primary and secondary firewalls
negotiate on the master and backup status. Check the VRRP status of the
firewall.
HRP_M[FW1]display vrrp
21:32:17 2011/12/28
VRRP Group : Slave
state : Backup
Virtual IP : 10.0.30.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.40.254

PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
HRP_S[FW2]display vrrp
15:08:31 2011/12/28
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.40.254

Page87

PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.30.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
Step 5 Configure packet filtering in the interzone.
Run the following command to configure automatic backup on FW1.

Packet filtering rules in the interzone configured on FW1 are automatically

backed up to FW2.
HRP_M[FW1]hrp auto-sync config
By default, security zones are connected. When configuring the packet

filtering policy in the interzone, disconnect security zones. Allow only users in
the trusted zone to access services in the untrusted zones.
HRP_M[FW1]firewall packet-filter default deny all
HRP_M[FW1]firewall packet-filter default permit interzone trust untrust
direction outbound
HRP_M[FW1]firewall session link-state check
Step 6 Configure static routes to connect networks.
Configure default routes for R1, R2, R3, and R4. Configure a specific static
route between FW1 and FW2.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[R4]ip route-static 0.0.0.0 0 10.0.40.254
HRP_M[FW1]ip route-static 10.0.1.0 24 10.0.10.1

HRP_S[FW2]ip route-static 10.0.1.0 24 10.0.10.1


[R2]ping -a 10.0.2.2 10.0.1.1

Page89


0.00% packet loss
[R2]ping -a 10.0.2.2 10.0.4.4


0.00% packet loss
[R3]ping -a 10.0.3.3 10.0.4.4


0.00% packet loss

Step 7 Test dual-system hot backup.
By default, FW1 forwards packets from R2 and R4, and FW2 functions as
the backup firewall.
Simulate a fault on VLANIF 12 of FW1 during communication between R2
and R4. The communication functions normally.
Send 20 packets from R2 to R4. During packet sending, shut down
VLANIF 12 and check communication status.
When running the ping command, shut down VLANIF 12 on FW1 before all
packets are sent.
[R2]ping -c 20 -a 10.0.2.2 10.0.4.4
HRP_S[FW1]interface vlanif 12
HRP_S[FW1-Vlanif12]shutdown
No packet is lost even when a fault is simulated on VLANIF 12 of FW1.

[R2]ping -c 20 -a 10.0.2.2 10.0.4.4

Page91

0.00% packet loss
Check the VRRP status on FW2. VLANIF 12 and VLANIF 14 on FW2 are
in Master state. If a fault occurs on VLANIF 12 on FW1, backup VLANIF
interfaces on FW2 switch to the Master status and forward packets.
HRP_M[FW2]display vrrp
03:14:23 2011/12/29
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.40.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master

Virtual IP : 10.0.30.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
If a fault occurs on the heartbeat line, what status will FW1 and FW2
have and how will packets be forwarded between the trusted zone and the
untrusted zone?
[V200R001C00SPC200]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0

Page93
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.30.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
return
[V200R001C00SPC500]
#
sysname R4
#

ip address 10.0.40.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.254
#
return
#
sysname S1
#
vlan batch 10 to 14
#
stp region-configuration
region-name FW
instance 1 vlan 10
active region-configuration
#
#
#
port link-type trunk
port trunk allow-pass vlan 11 to 14
#
#
#

Page95
#
return
#
sysname S2
#
vlan batch 10 to 14
#
stp region-configuration
region-name FW
instance 1 vlan 10
active region-configuration
#
#
#
#
#
#
#
return

HRP_M<FW1>display current-configuration
#
sysname FW1
#
hrp mirror session enable
hrp enable
hrp interface Ethernet0/0/0
#
firewall packet-filter default deny interzone local trust direction inbound
firewall packet-filter default deny interzone local trust direction outbound
firewall packet-filter default deny interzone local untrust direction inbound
firewall packet-filter default deny interzone local untrust direction outbound
firewall packet-filter default deny interzone local dmz direction inbound
firewall packet-filter default deny interzone local dmz direction outbound
firewall packet-filter default deny interzone local abc direction inbound
firewall packet-filter default deny interzone local abc direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
firewall packet-filter default deny interzone trust dmz direction inbound
firewall packet-filter default deny interzone trust dmz direction outbound
firewall packet-filter default deny interzone trust abc direction inbound
firewall packet-filter default deny interzone trust abc direction outbound
firewall packet-filter default deny interzone dmz untrust direction inbound
firewall packet-filter default deny interzone dmz untrust direction outbound
firewall packet-filter default deny interzone abc untrust direction inbound
firewall packet-filter default deny interzone abc untrust direction outbound
firewall packet-filter default deny interzone abc dmz direction inbound
firewall packet-filter default deny interzone abc dmz direction outbound
#
undo firewall ipv6 session link-state check
#
vlan batch 1 11 to 14
#
undo firewall session link-state check
#
#
runmode firewall
#
interface Vlanif11
ip address 10.0.10.2 255.255.255.0
vrrp vrid 11 virtual-ip 10.0.10.254 slave
#

Page97
interface Vlanif12
ip address 10.0.20.2 255.255.255.0
vrrp vrid 12 virtual-ip 10.0.20.254 master
#
interface Vlanif13
ip address 10.0.30.2 255.255.255.0
#
interface Vlanif14
ip address 10.0.40.2 255.255.255.0
#
ip address 10.0.50.2 255.255.255.0
#
portswitch
port trunk permit vlan 1 11 to 14
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name abc
set priority 80
#
nqa-jitter tag-version 1
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1

ip route-static 10.0.2.0 255.255.255.0 10.0.20.1

ip route-static 10.0.3.0 255.255.255.0 10.0.30.1
ip route-static 10.0.4.0 255.255.255.0 10.0.40.1
#
slb
#
cwmp
#
right-manager server-group
#
return
HRP_S<FW2>display current-configuration
#
sysname FW2
#
hrp mirror session enable
hrp enable
hrp interface Ethernet0/0/0
#
firewall packet-filter default deny interzone local trust direction inbound
firewall packet-filter default deny interzone local trust direction outbound
firewall packet-filter default deny interzone local untrust direction inbound
firewall packet-filter default deny interzone local untrust direction outbound
firewall packet-filter default deny interzone local dmz direction inbound
firewall packet-filter default deny interzone local dmz direction outbound
firewall packet-filter default deny interzone local abc direction inbound
firewall packet-filter default deny interzone local abc direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
firewall packet-filter default deny interzone trust dmz direction inbound
firewall packet-filter default deny interzone trust dmz direction outbound
firewall packet-filter default deny interzone trust abc direction inbound
firewall packet-filter default deny interzone trust abc direction outbound
firewall packet-filter default deny interzone dmz untrust direction inbound
firewall packet-filter default deny interzone dmz untrust direction outbound
firewall packet-filter default deny interzone abc untrust direction inbound
firewall packet-filter default deny interzone abc untrust direction outbound
firewall packet-filter default deny interzone abc dmz direction inbound
firewall packet-filter default deny interzone abc dmz direction outbound
#
undo firewall ipv6 session link-state check
#

Page99
vlan batch 1 11 to 14
#
undo firewall session link-state check
#
interface Vlanif11
ip address 10.0.10.3 255.255.255.0
#
interface Vlanif12
ip address 10.0.20.3 255.255.255.0
#
interface Vlanif13
ip address 10.0.30.3 255.255.255.0
#
interface Vlanif14
ip address 10.0.40.3 255.255.255.0
#
ip address 10.0.50.3 255.255.255.0
#
portswitch
port trunk permit vlan 1 11 to 14
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50

#
firewall zone name abc
set priority 80
#
nqa-jitter tag-version 1
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.1
ip route-static 10.0.3.0 255.255.255.0 10.0.30.1
ip route-static 10.0.4.0 255.255.255.0 10.0.40.1
#
slb
#
cwmp
#
right-manager server-group
#
return

Page101
HCDP-IENP Chapter 2 QoS and traffic flow management
Chapter 2 QoS and traffic flow management
Lab 2-1 QoS
Learning Objectives

x Method used to analyze the SLA using NQA
x Priority mapping and traffic policing
x Traffic shaping
x Congestion management based on queues and traffic classifiers
x Method used to configure congestion avoidance based on WRED
Topology
Figure 2-1 QoS
Scenario
Assume that you are a network administrator of an enterprise. R1 and S1

are located in the enterprise headquarters, and R2 and S2 are located in the
enterprise branch. The headquarters and branch are connected through a
leased line.
The internal network bandwidth increases gradually, but the leased line

bandwidth does not increase. As a result, important services are delayed or

some services are unavailable.
You can use differentiated services and adjust QoS parameters to ensure
that important service data is first sent to the destination.
In the lab, S3 and S4 use NQA to exchange a large flow of generated
data. R3, R4, and R5 simulate the clients and server to check whether
important applications are available.
Tasks
Step 1 Perform basic configuration and configure IP
addresses.
Configure IP addresses and masks for all the routers and switches S3 and
S4.
Set the baud rate of S1/0/0 on R1 to 72000 and configure the link of S1/0/0
as the WAN link where congestion occurs because of insufficient bandwidth.
<Huawei>system-view
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 255.255.255.0
[R1-Serial1/0/0]baudrate 72000
[R1-Serial1/0/0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.145.1 255.255.255.0
<Huawei>system-view
[Huawei]sysname R2
[R2]interface s1/0/0
<Huawei>system-view
[Huawei]sysname R3

Page103

<Huawei>system-view
[Huawei]sysname R4
<Huawei>system-view
[Huawei]sysname R5
<Huawei>system-view
[Huawei]sysname S3
[S3]interface vlan
[S3-Vlanif1]ip address 10.0.145.3 255.255.255.0
<Huawei>system-view
[Huawei]sysname S4
After the configurations are complete, test link connectivity.

[R1]ping -c 1 10.0.12.2

0.00% packet loss
[R1]ping -c 1 10.0.145.3


0.00% packet loss
[R1]ping -c 1 10.0.145.4

0.00% packet loss
[R1]ping -c 1 10.0.145.5

0.00% packet loss
[R2]ping -c 1 10.0.34.3

0.00% packet loss
[R2]ping -c 1 10.0.34.4

Page105
0.00% packet loss
Step 2 Configure static routes and NQA.
Configure static routes for all the routers and switches S3 and S4.
[R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
[R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
[R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configurations are complete, test network connectivity.

[S3]ping -c 1 10.0.34.4

0.00% packet loss
[R4]ping -c 1 10.0.34.3


0.00% packet loss

[R5]ping -c 1 10.0.34.3

0.00% packet loss
The links between S3 and S4, between R4 and R3, and between R5 and
R3 are reachable, indicating that network communication is normal.
Congestion easily occurs on the 72 kbit/s serial link between the
headquarters and branch.
Use NQA to generate traffic. S4 functions as the NQA server and S3
functions as the NQA client.
Create NQA UDP and jitter test instances to simulate data traffic and voice
traffic respectively.
Set parameters in NQA test instances to simulate an environment where

congestion does not occur if there is only data or voice traffic, and where
congestion occurs if there is data and voice traffic.
Configure S4 as the NQA server, and set the IP address of the interface
used for monitoring UDP services to 10.0.34.4 and port number to 6000.
[S4]nqa-server udpecho 10.0.34.4 6000
On S3, configure an NQA UDP test instance to simulate data traffic, and
set the ToS to 28, packet size to 5800 bytes, interval at which packets are sent
to 1 second, interval for the NQA test to 3 seconds, and timeout interval for the
NQA test to 1s, and start the NQA UDP test.
[S3]nqa test-instance admin udp
[S3-nqa-admin-udp]test-type udp
[S3-nqa-admin-udp]destination-address ipv4 10.0.34.4
[S3-nqa-admin-udp]destination-port 6000
[S3-nqa-admin-udp]tos 28
[S3-nqa-admin-udp]datasize 5000

Page107
[S3-nqa-admin-udp]interval seconds 1
[S3-nqa-admin-udp]frequency 3
[S3-nqa-admin-udp]timeout 1
[S3-nqa-admin-udp]start now
Check the NQA UDP test result.

[S3]display nqa results test-instance admin udp
1 . Test 2 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.0.34.4
Min/Max/Average Completion Time: 930/950/943
Sum/Square-Sum Completion Time: 2830/2669900
Last Good Probe Time: 2008-01-28 23:10:02.4
Lost packet ratio: 0 %
No packet is discarded and congestion does not occur. Shut down the
NQA UDP test.
[S3-nqa-admin-udp]stop
On S3, configure an NQA jitter test instance to simulate voice traffic, and
set the ToS to 46, packet size to 90 bytes, interval at which packets are sent to
20 milliseconds, the interval for the NQA test to 3 seconds, and timeout interval
for the NQA test to 1 second, and start the NQA jitter test.
[S3]nqa test-instance admin jitter
[S3-nqa-admin-jitter]test-type jitter
[S3-nqa-admin-jitter]destination-address ipv4 10.0.34.4
[S3-nqa-admin-jitter]destination-port 6000
[S3-nqa-admin-jitter]tos 46
[S3-nqa-admin-jitter]datasize 90
[S3-nqa-admin-jitter]interval milliseconds 20
[S3-nqa-admin-jitter]frequency 3
[S3-nqa-admin-jitter]timeout 1
[S3-nqa-admin-jitter]start now
Check the NQA jitter test result.

[S3]display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is active ,testtype is jitter

1 . Test 1 result The test is finished
SendProbe:60 ResponseProbe:60
Completion:success RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:40/70/54/3260 RTT Square Sum:179800
NumOfRTT:60 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:10 Min Positive DS:10
Max Positive SD:10 Max Positive DS:10
Positive SD Number:5 Positive DS Number:11
Positive SD Sum:50 Positive DS Sum:110
Positive SD Square Sum:500 Positive DS Square Sum:1100
Min Negative SD:10 Min Negative DS:10
Max Negative SD:10 Max Negative DS:20
Negative SD Number:4 Negative DS Number:10
Negative SD Sum:40 Negative DS Sum:110
Negative SD Square Sum:400 Negative DS Square Sum:1300
Min Delay SD:20 Min Delay DS:19
Avg Delay SD:27 Avg Delay DS:26
Max Delay SD:35 Max Delay DS:34
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 jitter out value:0.0937500
jitter in value:0.2291667 NumberOfOWD:60
OWD SD Sum:1630 OWD DS Sum:1570
TimeStamp unit: ms
No packet is discarded and congestion does not occur. Shut down the
NQA jitter test.
[S3]nqa test-instance admin jitter
[S3-nqa-admin-jitter]stop
Step 3 Configure priority mapping.
Run the ping command to simulate traffic of less important services, and
map DSCP priorities of the traffic to BE without QoS guarantee.
Configure G0/0/1 and S1/0/0 on R1 to trust DSCP priorities of packets.

Page109

[R1-GigabitEthernet0/0/1]trust dscp override
[R1-Serial1/0/0]trust dscp
Specify override in the trust command on G0/0/1 so that DSCP priorities

are changed to mapped values after priority mapping is configured on R1.
Run the ping command on R4 to simulate the traffic destined for R3 and
set the ToS to 26.
[R4]ping –tos 26 10.0.34.3
Configure priority mapping on R1 and map DSCP priority 26 to 0.

[R1]qos map-table dscp-dscp
[R1-maptbl-dscp-dscp]input 26 output 0
View the priority mapping information on R1.

[R1]display qos map-table dscp-dscp
Input DSCP DSCP
-------------------
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
8 8
9 9
10 10
11 11
12 12
13 13
14 14
15 15
16 16
17 17
18 18
19 19
20 20

21 21
22 22
23 23
24 24
25 25
26 0
27 27
28 28
29 29
30 30
The preceding information shows that DSCP priority 26 is mapped to 0 and

other DSCP priorities use default values.
Step 4 Configure traffic shaping and traffic policing.
Start NQA UDP and jitter tests on S3 to simulate congestion on the 72

kbit/s link between the headquarters and branch.
[S3-nqa-admin-udp]start now
[S3-nqa-admin-udp]nqa test-instance admin jitter
[S3-nqa-admin-jitter]start now
On R4, run the ping command with the packet size as 700 bytes and packet
count as 10 to simulate the traffic destined for R3.
[R4]ping -s 700 -c 10 10.0.34.3
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out


Page111
90.00% packet loss
Congestion occurs on the link between the headquarters and branch, a

large number of packets are discarded, and even the forwarded packets are
delayed. R4 cannot communicate with R3.
The following describes how to configure traffic policing and traffic shaping
to remove congestion on the link so that R4 can communicate with R3.
Configure traffic policing to remove congestion. On S1, configure traffic

policing on G0/0/13 and set the CIR to 64 kbit/s.
[S1-GigabitEthernet0/0/13]qos lr inbound cir 64
View the traffic policing configuration on S1.

[S1]display qos lr inbound interface GigabitEthernet 0/0/13
GigabitEthernet0/0/13 lr inbound:
cir: 64 Kbps, cbs: 8000 Byte
On R4, run the ping command with the packet size as 700 bytes and
packet count as 10 to simulate the traffic destined for R3.
[R4]ping -s 700 -c 10 10.0.34.3

0.00% packet loss

Packets are not discarded and R4 can communicate with R3, indicating
that traffic policing takes effect.
Delete the traffic policing configuration from S1.
[S1-GigabitEthernet0/0/13]undo qos lr inbound
The following uses traffic shaping to remove congestion. On S3, configure

traffic shaping on E0/0/13 and set the CIR to 64 kbit/s.
[S3]interface Ethernet0/0/13
[S3-Ethernet0/0/13]qos lr outbound cir 64
[R4]ping -s 700 -c 10 10.0.34.3

0.00% packet loss
Packets are not discarded and R4 can communicate with R3, indicating
that traffic shaping takes effect.
Delete the traffic shaping configuration from S3.
[S3]interface Ethernet0/0/13
[S3-Ethernet0/0/13]undo qos lr outbound

Page113

[R4]ping -s 700 -c 10 10.0.34.3
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out

80.00% packet loss
After the configuration is deleted, many packets are discarded and

forwarded data packets are delayed. R4 cannot communicate with R3.
Step 5 Configure flow-based congestion management and
congestion avoidance.
To prevent network congestion on the link between the headquarters and

branch, configure queue-based congestion management and congestion
avoidance.
On R1, create a WRED drop profile named data based on DSCP priorities
and set the upper drop threshold to 90, lower drop threshold to 50, and
maximum drop probability to 30.
[R1]drop-profile data
[R1-drop-profile-data]wred dscp
[R1-drop-profile-data]dscp af32 low-limit 50 high-limit 90 discard-percentage
30
Create a queue profile named queue-profile1 on R1, put data traffic into
WFQ queues; bind the queue profile to the WRED drop profile data, and put

high-priority and delay-sensitive voice traffic to PQ queues.

[R1]qos queue-profile queue-profile1
[R1-qos-queue-profile-queue-profile1]queue 3 drop-profile data
[R1-qos-queue-profile-queue-profile1]schedule wfq 3 pq 5
Apply the queue profile to S1/0/0 of R1.

[R1- Serial0/0/1]qos queue-profile queue-profile1
View the queue profile information.

[R1]display qos queue-profile queue-profile1
Queue-profile: queue-profile1
Queue Schedule Weight Length(Bytes/Packets) Gts(CIR/CBS)
-----------------------------------------------------------------
3 WFQ 10 0/0 -/-
5 PQ - 0/0 -/-
Data traffic and voice traffic enter WFQ and PQ queues respectively.
View the WRED drop profile information.
[R1]display drop-profile data
Drop-profile[1]: data
DSCP Low-limit High-limit Discard-percentage
-----------------------------------------------------------------
default 30 100 10
1 30 100 10
2 30 100 10
3 30 100 10
4 30 100 10
5 30 100 10
6 30 100 10
7 30 100 10
cs1 30 100 10
9 30 100 10
af11 30 100 10
11 30 100 10
af12 30 100 10
13 30 100 10
af13 30 100 10
15 30 100 10

Page115
cs2 30 100 10
17 30 100 10
af21 30 100 10
19 30 100 10
af22 30 100 10
21 30 100 10
af23 30 100 10
23 30 100 10
cs3 30 100 10
25 30 100 10
af31 30 100 10
27 30 100 10
af32 50 90 30
29 30 100 10
af33 30 100 10
31 30 100 10
cs4 30 100 10
33 30 100 10
af41 30 100 10
Parameters in the WRED drop profile data take effect, and other
parameters use default values.
Step 6 Configure flow-based congestion management and
congestion avoidance.
To prevent network congestion on the link between the headquarters and

branch, configure flow-based congestion management and congestion
avoidance.
Define the traffic exchanged between R4 and R3 as important traffic and
perform QoS guarantee for the traffic so that R4 can communicate with R3.
Delete the queue profile from S1/0/0 on R1.
[R1-GigabitEthernet0/0/1]undo qos queue-profile
On R4, run the ping command with the source address as 10.0.145.4,
packet size as 700 bytes, and packet count as 10 to test connectivity between
R4 and R3.
[R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3


Request time out
Request time out
Request time out
Request time out
Request time out
Request time out

60.00% packet loss
Congestion has occurred on the link between the headquarters and branch.
A large number of packets are discarded, and R4 cannot communicate with
R3.
On R1, create ACL 3001 to match the traffic sent from 10.0.145.4 to
10.0.34.3.
[R1]acl number 3001
[R1-acl-adv-3001]rule 0 per ip source 10.0.145.4 0.0.0.0 destination 10.0.34.3
0.0.0.0
Create a traffic classifier class-ef, reference ACL 3001 in the traffic

classifier, create a traffic behavior behavior-ef, set the queue scheduling
mode to EF, and set the bandwidth to 10 kbit/s.
[R1]traffic classifier class-ef
[R1-classifier-class-ef]if-match acl 3001
[R1-classifier-class-ef]traffic behavior behavior-ef
[R1-behavior-behavior-ef]queue ef bandwidth 8
Create a traffic classifier class-af32 to match data traffic with the DSCP
priority as AF32, set the traffic behavior as behavior-af32, set the queue
scheduling mode to AF, set the bandwidth to 30 kbit/s, and bind the traffic
behavior to the drop profile data.
[R1]traffic classifier class-af32

Page117
[R1-classifier-class-af32]if-match dscp af32

[R-classifier-class-af321]traffic behavior behavior-af32
[R1-behavior-behavior-af32]queue af bandwidth 30
[R1-behavior-behavior-af32]drop-profile data
Create a traffic policy policy-1, associate the traffic policy with the traffic
classifier class-ef and traffic behavior behavior-ef, and the traffic classifier
class-af32 and traffic behavior behavior-af32, and apply the traffic policy to
S1/0/0 on R1.
[R1]traffic policy policy-1
[R1-trafficpolicy-policy-1]classifier class-ef behavior behavior-ef
[R1-trafficpolicy-policy-1]classifier class-af32 behavior behavior-af32
[R1-trafficpolicy-policy-1]interface Serial 1/0/0
[R1-Serial1/0/0]traffic-policy policy-1 outbound
On R4, run the ping command with the source address as 10.0.145.4,
packet size as 700 bytes, and packet count as 10 to test connectivity between
R4 and R3.
[R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3

0.00% packet loss
Configure traffic from R1 to R3 to enter EF queues. Then R1 can

communicate with R3.

QoS uses differentiated services to ensure bandwidth and shorten delay

for various services. Can high bandwidth improve service quality instead of
QoS?
After the lab, summarize the QoS process.
[V200R001C00SPC200]
#
sysname R1
#
acl number 3001
rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0
#
drop-profile data
wred dscp
dscp af32 low-limit 50 high-limit 90 discard-percentage 30
#
qos queue-profile queue-profile1
queue 3 drop-profile data
schedule wfq 3 pq 5
#
qos map-table dscp-dscp
input 26 output 0
#
traffic classifier class-ef operator or
if-match acl 3001
traffic classifier class-af32 operator or
if-match dscp af32
#
traffic behavior behavior-ef
queue ef bandwidth 10 cbs 250
traffic behavior behavior-af32
queue af bandwidth 30
drop-profile data
traffic behavior behavir-af32
queue af bandwidth 30

Page119
#
traffic policy policy-1
classifier class-ef behavior behavior-ef
classifier class-af32 behavior behavior-af32
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
trust dscp
traffic-policy policy-1 outbound
baudrate 72000
#
ip address 10.0.145.1 255.255.255.0
trust dscp override
#
ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
#
Return
[V200R001C00SPC200]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
ip address 10.0.34.2 255.255.255.0
#
ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0

#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
return
[V200R001C00SPC200]
#
sysname R4
#
ip address 10.0.145.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
[V200R001C00SPC200]
#
sysname R5
#
ip address 10.0.145.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.145.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
nqa test-instance admin udp
test-type udp
destination-address ipv4 10.0.34.4

Page121
destination-port 6000
tos 28
frequency 3
interval seconds 1
timeout 1
datasize 5800
start now
nqa test-instance admin jitter
test-type jitter
destination-address ipv4 10.0.34.4
destination-port 6000
tos 46
frequency 3
interval milliseconds 20
timeout 1
datasize 90
start now
#
return
#
sysname S4
#
interface Vlanif1
ip address 10.0.34.4 255.255.255.0
#
nqa-server udpecho 10.0.34.4 6000
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
Return
Lab 2-2 Traffic Control Based on the Traffic Policy
Learning Objectives

x End-to-end QoS configuration

x Traffic control based on the traffic policy
Topology
Figure 2-2 Traffic control based on the traffic policy
Scenario
Assume that you are a network administrator of an enterprise. R1 and S1

are located in the enterprise headquarters, and R2 and S2 are located in the
enterprise branch. The headquarters and branch are connected through the
leased line. The required internal network bandwidth increases gradually, but
the leased line bandwidth does not increase. As a result, important services
are delayed or some services are unavailable.
Configure end-to-end QoS and adjust QoS parameters so that important
service data can be sent to the destination and the traffic policy is used to
control traffic.
Tasks
addresses.
Configure IP addresses and masks for all the routers and switches S3 and
S4.

Page123
<R1>system-view
[R1-GigabitEthernet0/0/1]ip add 10.0.145.1 255.255.255.0
<R2>system-view
<R3>system-view
<R4> system-view
<R5>system-view
<S3>system-view
<S4>system-view
After the configurations are complete, test link connectivity.

[R1]ping -c 1 10.0.12.2


0.00% packet loss
[R1]ping -c 1 10.0.145.3

0.00% packet loss
[R1]ping -c 1 10.0.145.4

0.00% packet loss
[R1]ping -c 1 10.0.145.5

0.00% packet loss
[R2]ping -c 1 10.0.34.3

Page125

0.00% packet loss
[R2]ping -c 1 10.0.34.4

0.00% packet loss
Step 2 Configure static routes.
Configure static routes for all the routers and switches S3 and S4.
[R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
[R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
[R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configuration is complete, test network connectivity.

[S3]ping -c 1 10.0.34.4


0.00% packet loss
[R4]ping -c 1 10.0.34.3

0.00% packet loss
[R5]ping -c 1 10.0.34.3

0.00% packet loss
Step 3 Configure DSCP priority re-marking.
Voice, video, and data services are transmitted on the enterprise network.
Because the bandwidth of the leased line between the enterprise headquarters
and branch does not increase, congestion occurs.
Configure end-to-end QoS to ensure that voice packets are sent first and
bandwidth for video packets is guaranteed.
Simulate voice packets between R4 and R3, video packets between R5 and
R3, and data packets between S3 and S4. Perform QoS configuration for voice
packets and video packets and configure BE for data packets.
Mark the DSCP priority of voice packets with EF, and the DSCP priority of
video packets with AF32.
On S1, create ACL 3001 and ACL 3002 to match the traffic sent from R4 to
R3 and the traffic sent from R5 to R3 respectively.

Page127
[S1]acl number 3001

[S1-acl-adv-3001]rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0
[S1-acl-adv-3001]acl number 3002
Create a traffic classifier class-voice-s1 and reference ACL 3001 in the

traffic classifier. Create a traffic behavior behavior-voice-s1 and re-mark
DSCP priorities with EF.
Create a traffic policy policy-voice-s1 and associate the traffic classifier
class-voice-s1 and traffic behavior behavior-voice-s1 with the traffic policy,
and apply the traffic policy to G0/0/4 in the inbound direction.
[S1]traffic classifier class-voice-s1
[S1-classifier-class-voice-s1]if-match acl 3001
[S1-classifier-class-voice-s1]traffic behavior behavior-voice-s1
[S1-behavior-behavior-voice-s1]remark dscp ef
[S1-behavior-behavior-voice-s1]traffic policy policy-voice-s1
[S1-trafficpolicy-policy-voice-s1]classifier class-voice-s1 behavior
behavior-voice-s1
[S1-trafficpolicy-policy-voice-s1]interface GigabitEthernet 0/0/4
[S1-GigabitEthernet0/0/4]traffic-policy policy-voice-s1 inbound
Create a traffic classifier class-video-s1 and reference ACL 3002 in the

traffic classifier. Create a traffic behavior behavior-video-s1 and re-mark the
DSCP priority with AF32. Create a traffic policy policy-video-s1 and associate
the traffic classifier class-video-s1 and traffic behavior behavior-video-s1
with the traffic policy, and apply the traffic policy to G0/0/5 in the inbound
direction.
[S1]traffic classifier class-video-s1
[S1-classifier-class-video-s1]if-match acl 3002
[S1-classifier-class-video-s1]traffic behavior behavior-video-s1
[S1-behavior-behavior-video-s1]remark dscp af32
[S1-behavior-behavior-video-s1]traffic policy policy-video-s1
[S1-trafficpolicy-policy-video-s1]classifier class-video-s1 behavior
behavior-video-s1
[S1-trafficpolicy-policy-video-s1]interface GigabitEthernet 0/0/5
[S1-GigabitEthernet0/0/5]traffic-policy policy-video-s1 inbound
On S2, create ACL 3001 and ACL 3002 to match the traffic sent from R3 to
R4 and the traffic sent from R3 to R5 respectively.
[S2]acl number 3001


[S2-acl-adv-3001]acl number 3002
On S2, create a traffic classifier class-voice-s2 and reference ACL 3001

in the traffic classifier. Create a traffic behavior behavior-voice-s2 and
re-mark the DSCP priority with EF.
[S2]traffic classifier class-voice-s2
[S2-classifier-class-voice-s2]if-match acl 3001
[S2-classifier-class-voice-s2]traffic behavior behavior-voice-s2
[S2-behavior-behavior-voice-s2]remark dscp ef
On S2, create a traffic classifier class-video-s2 and reference ACL 3002

in the traffic classifier. Create a traffic behavior behavior-video-s2 and
re-mark the DSCP priority with AF32.
[S2]traffic classifier class-video-s2
[S2-classifier-class-video-s2]if-match acl 3002
[S2-classifier-class-video-s2]traffic behavior behavior-video-s2
[S2-behavior-behavior-video-s2]remark dscp af32
Create a traffic policy policy-voice-video-s2 and associate the traffic

policy with the traffic classifier class-voice-s2 and traffic behavior
behavior-voice-s2, and the traffic classifier class-video-2 and traffic behavior
behavior-video-s2, and apply the traffic policy to G0/0/3 in the inbound
direction.
[S2]traffic policy policy-voice-video-s2
[S2-trafficpolicy-policy-voice-video-s2]classifier class-voice-s2 behavior
behavior-voice-s2
[S2-trafficpolicy-policy-voice-video-s2]classifier class-video-s2 behavior
behavior-video-s2
[S2-GigabitEthernet0/0/3]traffic-policy policy-voice-video-s2 inbound
Step 4 Configure traffic shaping and traffic policing.
Configure traffic shaping on core switches of the headquarters and branch

to lessen network congestion.
Configure traffic shaping on G0/0/1 of S1 in the outbound direction and set

Page129
the CIR to 128 kbit/s.

[S1-GigabitEthernet0/0/1]qos lr outbound cir 128
View the traffic shaping configuration.

[S1]display qos lr outbound interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 lr outbound:
Configure traffic shaping on G0/0/2 of S2 in the outbound direction and set

[S2-GigabitEthernet0/0/2]qos lr outbound cir 128
View the traffic shaping configuration.

[S2]display qos lr outbound interface GigabitEthernet 0/0/2
GigabitEthernet0/0/2 lr outbound:
Configure traffic policing on egress routers of the headquarters and branch

to further lessen network congestion.
Configure traffic policing on G0/0/1 of R1 in the inbound direction and set
[R1-GigabitEthernet0/0/1]qos car inbound cir 72
Configure traffic policing on G0/0/2 of R2 in the inbound direction and set

[R2-GigabitEthernet0/0/2]qos car inbound cir 72
Step 5 Configure traffic policy-based congestion management
and congestion avoidance.
Configure traffic policy-based congestion management and congestion

avoidance on egress routers of the headquarters and branch. Ensure that

voice traffic is sent first and video traffic has sufficient bandwidth.
Configure G0/0/1 on R1 to trust DSCP priorities.

[R1-GigabitEthernet0/0/1]trust dscp
On R1, create a WRED drop profile named video-r1 based on DSCP

priorities and set the upper drop threshold to 90, lower drop threshold to 50,
and maximum drop probability to 30.
[R1]drop-profile video
[R1-drop-profile-video-r1]wred dscp
[R1-drop-profile-video-r1]dscp af32 low-limit 50 high-limit 90
discard-percentage 30
On R1, create a traffic classifier class-af32-r1 to match video traffic with

the DSCP priority of AF32. Set the traffic behavior as behavior-af32-r1, set
the queue scheduling mode to AF, the dedicated interface bandwidth to 40%,
and bind the traffic behavior to the WRED drop profile video-r1.
[R1]traffic classifier class-af32-r1
[R1-classifier-class-af32-r1]if-match dscp af32
[R1-classifier-class-af32-r1]traffic behavior behavior-af32-r1
[R1-behavior-behavior-af32-r1]queue af bandwidth pct 40
[R1-behavior-behavior-af32-r1]drop-profile video-r1
On R1, create a traffic classifier class-ef-r1 to match video traffic with the
DSCP priority of EF. Create a traffic behavior behavior-ef-r1, and set the
queue scheduling mode to EF and the dedicated interface bandwidth to 30%.
[R1]traffic classifier class-ef-r1
[R1-classifier-class-ef-r1]if-match dscp ef
[R1-classifier-class-ef-r1]traffic behavior behavior-ef-r1
[R1-behavior-behavior-ef-r1]queue ef bandwidth pct 30
On R1, create a traffic policy policy-r1 and associate the traffic policy with
the traffic classifier class-af32-r1 and traffic behavior behavior-af32-r1, the
traffic classifier class-ef-r1 and traffic behavior behavior-ef-r1, and apply the
traffic policy to S1/0/0 in the outbound direction.
[R1]traffic policy policy-r1
[R1-trafficpolicy-policy-r1]classifier class-af32-r1 behavior behavior-af32-r1
[R1-trafficpolicy-policy-r1]classifier class-ef-r1 behavior behavior-ef-r1
[R1-trafficpolicy-policy-r1]interface Serial 1/0/0

Page131
[R1-Serial1/0/0]traffic-policy policy-r1 outbound
Perform similar configuration on R2.

Configure G0/0/2 on R2 to trust DSCP priorities.
[R2-GigabitEthernet0/0/2]trust dscp
On R2, create a WRED drop profile named video-r2 based on DSCP

priorities and set the upper drop threshold to 90, lower drop threshold to 50,
and maximum drop probability to 30.
[R2]drop-profile video-r2
[R2-drop-profile-video-r2]wred dscp
[R2-drop-profile-video-r2]dscp af32 low-limit 50 high-limit 90
discard-percentage 30
On R2, create a traffic classifier class-af32-r2 to match video traffic with

the DSCP priority of AF32. Set the traffic behavior as behavior-af32-r2, set
the queue scheduling mode to AF, the dedicated interface bandwidth to 40%,
and bind the traffic behavior to the WRED drop profile video-r2.
[R2]traffic classifier class-af32-r2
[R2-classifier-class-af32-r2]if-match dscp af32
[R2-classifier-class-af32-r2]traffic behavior behavior-af32-r2
[R2-behavior-behavior-af32-r2]queue af bandwidth pct 40
[R2-behavior-behavior-af32-r2]drop-profile video-r2
On R2, create a traffic classifier class-ef-r2 to match video traffic with the
DSCP priority of EF. Set the traffic behavior as behavior-ef-r2, set the queue
scheduling mode to EF and the dedicated interface bandwidth to 30%.
[R2]traffic classifier class-ef-r2
[R2-classifier-class-ef-r2]if-match dscp ef
[R2-classifier-class-ef-r2]traffic behavior behavior-ef-r2
[R2-behavior-behavior-ef-r2]queue ef bandwidth pct 30
On R2, create a traffic policy policy-r2 and associate the traffic policy with
the traffic classifier class-af32-r2 and traffic behavior behavior-af32-r2, the
traffic classifier class-ef-r2 and traffic behavior behavior-ef-r2, and apply the
traffic policy to S1/0/0 in the outbound direction.
[R2]traffic policy policy-r2
[R2-trafficpolicy-policy-r2]classifier class-af32-r2 behavior behavior-af32-r2

[R2-trafficpolicy-policy-r2]classifier class-ef-r2 behavior behavior-ef-r2

[R2-Serial1/0/0]traffic-policy policy-r2 outbound
Step 6 Configure traffic control based on the traffic policy.
The headquarters wants to discard some video traffic with UDP port
numbers 4000 to 5000.
On R1, create ACL 3003 to match the traffic that is sent from R5 to R3 and
has UDP ports 4000 to 5000.
[R1]acl number 3003
[R1-acl-adv-3003]rule 0 permit udp source-port range 4000 5000 source 10.0.145.5
0 destination 10.0.34.3 0
On R1, create a traffic classifier class-drop and reference ACL 3003 in the
traffic classifier.
[R1]traffic classifier class-drop
[R1-classifier-class-drop]if-match acl 3003
On R1, create a traffic behavior behavior-drop and configure the deny

action in the traffic behavior.
[R1]traffic behavior behavior-drop
[R1-behavior-behavior-drop]deny
On R1, create a traffic policy policy-drop and associate the traffic policy
with the traffic classifier class-drop and traffic behavior behavior-drop, and
apply the traffic policy to G0/0/5 in the inbound direction.
[R1]traffic policy policy-drop
[R1-trafficpolicy-policy-drop]classifier class-drop behavior behavior-drop
[R1-trafficpolicy-policy-drop]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]traffic-policy policy-drop inbound
View the traffic policy configuration.

[R1]dis traffic policy user-defined policy-drop
User Defined Traffic Policy Information:
Policy: policy-drop
Classifier: class-drop

Page133
Operator: OR
Behavior: behavior-drop
Deny
After the configuration, summarize QoS policies and application scenarios.
[V200R001C00SPC200]
#
sysname R1
#
acl number 3003
rule 0 permit udp source 10.0.145.5 0 source-port range 4000 5000 destination
10.0.34.3 0
#
drop-profile video-r1
wred dscp
#
traffic classifier class-drop operator or
if-match acl 3003
traffic classifier class-ef-r1 operator or
if-match dscp ef
traffic classifier class-af32-r1 operator or
if-match dscp af32
#
traffic behavior behavior-af32-r1
queue af bandwidth pct 40
traffic behavior behavior-ef-r1
queue ef bandwidth pct 30
traffic behavior behavior-drop
deny
#
traffic policy policy-drop
classifier class-drop behavior behavior-drop
traffic policy policy-r1

classifier class-af32-r1 behavior behavior-af32-r1

classifier class-ef-r1 behavior behavior-ef-r1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
traffic-policy policy-r1 outbound
#
ip address 10.0.145.1 255.255.255.0
trust dscp
qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard
traffic-policy policy-drop inbound
#
ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
#
return
[V200R001C00SPC200]
#
sysname R2
#
wred dscp
#
traffic classifier class-ef-r2 operator or
if-match dscp ef
traffic classifier class-af32-r2 operator or
if-match dscp af32
#
traffic behavior behavior-af32-r2
queue af bandwidth pct 40
traffic behavior behavior-ef-r2
queue ef bandwidth pct 30
#
traffic policy policy-r2
classifier class-af32-r2 behavior behavior-af32-r2
classifier class-ef-r2 behavior behavior-ef-r2
#

Page135
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
traffic-policy policy-r2 outbound
#
ip address 10.0.34.2 255.255.255.0
trust dscp
qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard
#
ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
return
[V200R001C00SPC200]
#
sysname R4
#
ip address 10.0.145.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
[V200R001C00SPC200]
#
sysname R5
#

ip address 10.0.145.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
#
sysname S1
#
acl number 3001
acl number 3002
#
traffic classifier class-video-s1 operator and
if-match acl 3002
traffic classifier class-voice-s1 operator and
if-match acl 3001
#
traffic behavior behavior-video-s1
remark dscp af32
traffic behavior behavior-voice-s1
remark dscp ef
#
traffic policy policy-video-s1
classifier class-video-s1 behavior behavior-video-s1
traffic policy policy-voice-s1
classifier class-voice-s1 behavior behavior-voice-s1
#
qos lr outbound cir 128 cbs 16000
#
traffic-policy policy-voice-s1 inbound
#
traffic-policy policy-video-s1 inbound
#
return

Page137
#
sysname S2
#
acl number 3001
acl number 3002
#
traffic classifier class-video-s2 operator and
if-match acl 3002
traffic classifier class-voice-s2 operator and
if-match acl 3001
#
traffic behavior behavior-video-s2
remark dscp af32
traffic behavior behavior-voice-s2
remark dscp ef
#
traffic policy policy-voice-video-s2
classifier class-voice-s2 behavior behavior-voice-s2
classifier class-video-s2 behavior behavior-video-s2
#
qos lr outbound cir 128 cbs 16000
#
traffic-policy policy-voice-video-s2 inbound
#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.145.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#

return
#
sysname S4
#
interface Vlanif1
ip address 10.0.34.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
return

Page139
HCDP-IENP Chapter 3 Integrated Lab Assessment
Chapter 3 Integrated Lab Assessment
Lab 3-1 Integrated Lab-1 (Optional)
Learning Objectives

x MST configuration
x Route configuration between VLANs
x RIP configuration
x OSPF configuration
x Route import configuration
x Routing policy configuration
x Firewall configuration
x QoS configuration
Topology
Figure 3-1 Integrated lab-1

Scenario

enterprise network consists of the headquarters network, branch network, and
branch office network.
The headquarters network consists of one firewall, one router, and four
switches. The firewall controls access between the internal network and
external network, and the enterprise network is divided into trust, untrust, and
DMZ zones. The four switches use the MST technique to implement
redundancy and improve network reliability. The QoS technique is used on the
switching network to control transmission of data flows.
Routers on the headquarters network and branch office network are
connected through leased lines and belong to the OSPF routing domain. To
optimize network performance in the OSPF routing domain, the headquarters
network and branch office network are configured as OSPF stub areas.
Because the branch network uses RIP, route import is required at the OSPF
boundary to implement interworking between the RIP routing domain and the
OSPF routing domain.
Tasks
This lab provides the procedure and verification method, and does not
provide commands.
Step 1 Complete basic configuration and configure IP
addresses.
Configure IP addresses and masks for all devices and test connectivity of
directly connected devices.
6WHS
Configure MST.
Switches S1 and S2 are connected by an Eth-Trunk link.
Set the link type of interfaces between the switches to trunk and configure
the interfaces to allow packets from VLAN 10, VLAN 20, VLAN 30, and VLAN

Page141
40 to pass through.
Create VLANs 10, 20, 30, 40, and 100 on all the switches and configure
two MSTIs. VLANs 10, 20, and 100 use S1 as the root and VLANs 30 and 40
use S2 as the root.
Step 3 Configure routes between VLANs.
Add G0/0/22 and G0/0/1 on S1 to VLAN 100, and add G0/0/1 on S2 to

VLAN 10.
Create VLANIF interfaces for VLANs 10, 20, 30, and 40 on S1 and S2 to
implement communication between VLANs.
Step 4 Configure OSPF.
Configure OSPF on R1, R2, R3, R4, S1, and S2. Configure the link
between R1 and R2 in OSPF area 0. Configure OSPF area 1 on the
headquarters network and OSPF area 2 on the branch office network, and
configure area 1 and area 2 as OSPF stub areas. Configure area 3 on the
network through which R2 and R3 are connected and configure area 3 as the
NSSA area. OSPF is not required on the network through which R1 and FW1
are connected.
Step 5 Configure route import.
Configure RIP on R3 and R5. On R3, configure RIP and OSPF to import
routes from each other. On R3, configure a routing policy to import only RIP
routes from R5 in the OSPF routing domain.
On FW1, create VLAN 100 and VLANIF 100, and configure an IP address
for VLANIF 100. On R1, configure a default route with the IP address of

VLANIF 100 on FW1 as the next hop. Import the default route into OSPF so
that R5 can learn this route.
On FW1, create a static route 10.0.0.0/16, with the IP address of G0/0/1 on

R1 as the next hop so that FW1 can communicate with all the devices on the
internal network.
Step 6 Configure the firewall.
Add interfaces on FW1 to trust, untrust, and DMZ zones. Devices in the
trust zone can access resources in all the zones, devices in the untrust zone
can access only port 80 of the server at 10.0.20.1 in the DMZ zone, and
devices in the DMZ zone cannot access other zones.
Step 7 Optimize network performance.
S4 needs to limit the rate of data packets for some users and raise the
priority of data packets for other users. E0/0/1 belongs to VLAN 10 and
E0/0/2 belongs to VLAN 30. Set the rate limit on E0/0/1 to 128 kbit/s, change
DSCP priority for packets on E0/0/2 to 45, and configure E0/0/2 to trust DSCP.
Compare this lab with the original lab.

Page143

Lab 3-2 Integrated Lab2 (Optional)
Learning Objectives

x IBGP and EBGP configuration
x BGP attribute configuration
x SEP configuration
x NAT and IPSec configuration on the USG firewalls
x End-to-end configuration on the router
Topology
Figure 3-2 Integrated lab 2
Scenario

enterprise headquarters and branch networks use BGP to connect to ISP1 and
ISP2. The headquarters network uses AS 100, the branch network uses AS
200, ISP 1 uses AS 1, and ISP 2 uses AS 2.

Page145
The link connected to ISP1 is the primary link and the link connected to
ISP2 is the standby link. The USG firewall is deployed between the core
switching network of the enterprise headquarters and the egress router. The
core switching network uses SEP to implement redundancy. An IPSec VPN is
established between firewalls of the headquarters and branch networks.
Tasks
addresses.
Configure IP addresses and masks for physical interfaces and loopback

interfaces on all routers and test connectivity. Each Loopback0 uses the 32-bit
mask.
Step 2 Configure BGP.
Configure IBGP and EBGP on R1, R2, R3, R4, and R5, and use physical
interfaces to establish BGP peer relationships. BGP load balancing is disabled
by default. To prevent the impact of BGP load balancing on route selection,
enable BGP load balancing and allow packets to be load balanced on a
maximum of four links.
On R1, R2, and R5, advertise their loopback interfaces' IP addresses to

BGP and check the BGP routing table. R5 learns routes 12.0.1.1/32 and
12.0.2.2/32 from R3, R1 learns the route 12.0.5.5/32 from R4, and R2 learns
the route 12.0.5.5/32 from R3.
The enterprise headquarters and branch need to use the primary link to
communicate with each other.
Create a routing policy named as_path in which two values of AS 100 are
added to the two routes 12.0.1.1/32 and 12.0.2.2/32 learned from R3. Check
the BGP routing table. R5 learns the two routes from R4.

On R1, create a routing policy local_pref, set the local priority of the route
12.0.5.5/32 to 200, and apply the routing policy to R2. Check the routing table
of R2. R2 learns the route 12.0.5.5/32 from R4.
Step 3 Configure SEP.
To improve network robustness, switches S1, S2, and S3 use redundant

links, forming a loop. SEP is used to provide redundancy protection.
Shut down G0/0/9 and G0/0/10 on S1 and S2, E0/0/23 on S3, and E0/0/14
on S4.
Create a SEP segment and configure VLAN 100 as the control VLAN.
Specify all instances as protected VLANs.
Add G0/0/13 and G0/0/14 on S1 to the SEP segment, and configure

G0/0/13 as the primary edge interface and G0/0/14 as the secondary edge
interface. Add interfaces on S3 and S4 to the SEP segment.
Configure S1 to block interfaces based on the interface priority.
Set the priority of E0/0/1 on S3 to 128.
Set the preemption mode on S1 where the primary edge interface resides
to delayed preemption, and set the preemption delay to 30s.
After the configuration is complete, check the SEP running information.

E0/0/1 on S3 should be in blocking state.

Page147
Step 4 Configure NAT on the firewall.
Configure NAT on FW1.
Create VLAN 10 on S1 and add G0/0/22 to VLAN 10. Create VLANIF 10

and assign the IP address 10.0.111.11/24 to VLANIF 10. Configure VLAN 10
on FW1 and create VLANIF 10. Assign IP address 10.0.111.21/24 to VLANIF
10 and use this IP address as the gateway address in the trust area. By default,
an IP address is assigned to VLANIF 1. Delete this configuration to ensure lab
accuracy.
On R2, advertise the route 12.0.112.0/24 into BGP. On R2, configure a

default route with the next hop as the IP address of FW1 and import the default
route to BGP. On FW1, configure a default route with the next hop as the IP
address of R2. On S1, configure a default route with the next hop as the IP
address of FW1.
On FW1, add E0/0/0 to the untrust zone, add E1/0/0 to the trust zone.
Configure filtering rules between zones to allow packets sent from the network
segment 10.0.111.0/24 in the trust zone to the untrust zone to pass through.
On FW1, configure Easy IP to translate the source IP address of packets

sent to 10.0.111.0/24. Bind NAT to E0/0/0.
After the configuration is complete, FW1 allows the trust zone and untrust
zone to communicate.
Step 5 Configure IPSec VPN on the firewall.
Configure IPSec VPN on FW1 and FW2 on the headquarters and branch
networks.
Configure an IP address for Ethernet 2/0/0 on FW2. On FW2, add E0/0/0
to the untrust zone and add E2/0/0 to the trust zone. Configure FW1 and FW2
to allow data packets sent from the trust zone to the untrust zone to pass
through, and data packets sent from the untrust zone to the local zone.

Advertise the route 12.0.5.0/24 to BGP. On FW2, configure a default route

with the next hop as the IP address of R5. On FW1, configure a static route to
12.0.222.0/24. On FW2, configure a static route to 10.0.111.0/24.
On FW1 and FW2, define the data flows to be protected. On FW1,

configure ACL 3000 to match the traffic sent from 10.0.111.0/24 to
12.0.222.0/24. On FW2, configure ACL 3000 to match the traffic sent from
12.0.222.0/24 to 10.0.111.0/24.
On FW1 and FW2, configure IPSec proposals in which the encapsulation

mode is tunnel, security protocol is ESP, and encryption algorithm is DES. On
FW1 and FW2, configure IKE proposals in which the authentication algorithm
is SHA1 and the encryption algorithm is DES.
On FW1 and FW2, configure IKE peers. IKE peers use IKEv2 negotiation
by default.
On FW1 and FW2, configure IPSec policies. Apply IPSec policies to

E0/0/0.
The IPSec VPN between FW1 and FW2 is established.
Step 6 Configure QoS.
All the traffic between R1 and R5 and between R2 and R5 is transmitted

from the primary link, so QoS deployment may cause congestion.
Create ACL 3001 and ACL 3002 on R1 to match the traffic sent from R1 to
R5 and R2 respectively.
Create a traffic classifier class_r1_r2 containing ACL 3001 and ACL 3002.
Create a traffic behavior behavior_r1_r2 containing traffic shaping and set the
CIR to 10000. Create a traffic policy policy_r1_r2, associate the traffic

Page149
classifier and traffic behavior with the traffic policy, and apply the traffic policy
to G0/0/2.
Configure traffic policing on G0/0/2 and G0/0/1 of R4 and set the CIR to
8000.
Create ACL 3001 and ACL 3002 on R5 to match the traffic sent from R5 to
R1 and R2 respectively.
Create a traffic classifier class_r5 containing ACL 3001 and ACL 3002.
Create a traffic behavior behavior_r5 containing traffic shaping and set the
CIR to 10000. Create a traffic policy policy_r5, associate the traffic classifier
and traffic behavior with the traffic policy, and apply the traffic policy to G0/0/1
in the outbound direction.


Page151

HCNP-IENP en Lab Guide-Content

Uploaded by

Copyright:

Available Formats

HCNP-IENP en Lab Guide-Content

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HCNP-IENP en Lab Guide-Content

Uploaded by

Copyright:

Available Formats

Huawei Certification

Huawei Technologies Co.,Ltd

No part of this document may be reproduced or transmitted in any form or

and other Huawei trademarks are trademarks of Huawei Technologies

The information in this document is subject to change without notice. Every

Relying on its strong technical and professional training system, in accordance

HCDA (Huawei Certification Datacom Associate) is primary for IP network

HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is designed

ICT Career Certification

8U[ZKX 29]OZIN 29]OZIN ,OXK]GRR 4KZIRU[J

/JKTZOLOKX *K\OIK 59\KXYOUT

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

9 9)+/9 <KXYOUT<8)96)

9 9)+/9 <KXYOUT<8)96)

9 9:6+/') <KXYOUT<8)96)

9 9:6+/') <KXYOUT<8)96)

,= ;9- <KXYOUT<8)96)

,= ;9- <KXYOUT<8)96)

Chapter 1 Implementing firewall functions and features ................................................................... 1

Lab 1-2 IPSec VPN Configuration on a USG Firewall ..................................................................... 21

Lab 1-3 Attack Defense Configuration on a Firewall ..................................................................... 45

Lab 1-4 NAT Configuration on a USG Firewall ............................................................................... 59

Chapter 2 QoS and traffic flow management ................................................................................. 102

Lab 2-1 QoS ................................................................................................................................ 102

Chapter 3 Integrated Lab Assessment ............................................................................................ 140

Lab 3-1 Integrated Lab-1 (Optional) ........................................................................................... 140

Lab 3-2 Integrated Lab2 (Optional)............................................................................................. 145

HC Series HUAWEI TECHNOLOGIES Page 1

Chapter 1 Implementing firewall functions and features

Lab 1-1 Security Zone Configuration and Configurations for

Other Basic Functions on a Firewall

The objectives of this lab are to learn and understand:

Figure 1-1 Zone configuration

HC Series HUAWEI TECHNOLOGIES Page1

Assume that you are a network administrator of an enterprise. The

Step 1 Configure IP addresses.

Configure IP addresses for R1, R2, and R3.

Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot be

Page2 HUAWEI TECHNOLOGIES HC Series

By default, the firewall configures an IP address for VLANIF 1. To prevent

Plan VLANs for interfaces on S1.

HC Series HUAWEI TECHNOLOGIES Page3

Check communication among all zones whether is normal by default,.

packet-filter between VFW:

Test connectivity between security zones.

Page4 HUAWEI TECHNOLOGIES HC Series

PING 10.0.2.2: 56 data bytes, press CTRL_C to break

--- 10.0.2.2 ping statistics ---

100.00% packet loss

From the untrusted zone to the DMZ zone:

--- 10.0.3.3 ping statistics ---

100.00% packet loss

From the trusted zone to the untrusted zone:

--- 10.0.1.1 ping statistics ---

100.00% packet loss

8U[ZKX 29]OZIN 29]OZIN ,OXK]GRR 4KZIRU[J

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

8 '8 <KXYOUT<8)96)

9 9)+/9 <KXYOUT<8)96)

9 9)+/9 <KXYOUT<8)96)

9 9:6+/') <KXYOUT<8)96)

9 9:6+/') <KXYOUT<8)96)

,= ;9- <KXYOUT<8)96)

,= ;9- <KXYOUT<8)96)