H3c-technologies H3C SecPath F5020 Manual de usuario

H3C Firewall DevicesVirtual TechnologiesConfiguration Guide (Comware V7) Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com So

1 IRF overview H3C Intelligent Resilient Framework (IRF) technology combines multiple physical devices into one virtual system to provide data center

2 IRF functionality Network topology A security device IRF fabric can only use the daisy-chain topology. The device does not support the full mesh or

3 Figure 2 Two-chassis IRF fabric implementation schematic diagram Single point of management An IRF fabric is accessible at a single IP address on

4 Multichassis link aggregation You can use the Ethernet link aggregation feature to aggregate the physical links between an upstream or downstream d

5 • After you assign a distributed device with a member ID of 2 to an IRF fabric, the name of the interface GigabitEthernet 3/0/1 changes to Gigabit

6 For more information about physical interfaces that can be used for IRF links, see "IRF physical interface requirements." For more inform

7 IRF split IRF split occurs when an IRF fabric breaks up into multiple IRF fabrics because of IRF link failures, as shown in Figure 4. The split IRF

8 1. Current master, even if a new member has higher priority. When an IRF fabric is being formed, all members consider themselves as the master. T

9 Figure 6 BFD MAD scenario To use BFD MAD: • Set up dedicated BFD MAD link between each pair of IRF members or between each IRF member and the in

10 Collision handling MAD mechanisms remove multi-active collisions by setting one IRF fabric to the Detect state and other IRF fabrics to the Recove

Copyright © 2015, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmitted

11 MAD mechanism Advantages Disadvantages Application scenario ARP MAD • No intermediate device is required. • Intermediate device, if used, can c

12 Figure 7 BFD MAD scenario BFD MAD (distributed devices) BFD MAD can work with or without intermediate devices. Figure 8 shows a typical BFD MAD

13 Figure 8 BFD MAD scenario ARP MAD ARP MAD is available only for distributed devices. ARP MAD detects multi-active collisions by using extended A

14 Figure 9 ARP MAD scenario Each IRF member compares the domain ID and the active ID in incoming extended ARP packets with its domain ID and activ

15 Figure 10 ND MAD scenario Each IRF member device compares the domain ID and the active ID in incoming NS packets with its domain ID and active I

16 Setting up an IRF fabric (centralized IRF devices) This chapter guides you through the IRF fabric setup procedure for centralized IRF devices. Har

17 Feature compatibility and configuration restrictions To form an IRF fabric, all member devices in the IRF fabric must use the same ACL hardware mo

18 Tasks at a glance Remarks 11. (Optional.) Setting the IRF link down report delay N/A 12. (Optional.) Configuring BFD MAD N/A 13. (Optional.) Ex

19 Step Command Remarks 3. (Optional.) Save the configuration. save If you have bound physical interfaces to IRF ports or assigned member priority,

20 Binding physical interfaces to IRF ports When you bind physical interfaces to IRF ports, follow these guidelines: • Follow the restrictions in &q

Preface The H3C firewall devices configuration guides (Comware V7) describe the software features and configuration procedures for the Comware V7-base

21 Step Command Remarks 8. Enter interface view or interface range view. • Enter interface range view: { Method 1: interface range { interface-typ

22 Configuring a member device description Step Command Remarks 1. Enter system view. system-view N/A 2. Configure a description for a member devi

23 Step Command Remarks 3. Configure a port-specific load sharing mode. irf-port load-sharing mode { destination-ip | destination-mac | source-ip |

24 Enabling software auto-update for software image synchronization IMPORTANT: To ensure a successful software auto-update in a multi-user environme

25 Setting the IRF link down report delay To prevent frequent IRF splits and merges when IRF links flap, configure the IRF ports to delay reporting l

26 Configuration procedure To configure BFD MAD: Step Command Remarks 1. Enter system view. system-view N/A 2. (Optional.) Assign a domain ID to

27 Excluding a port from the shutdown action upon detection of multi-active collision By default, all ports except the console and IRF physical inter

28 Figure 12 Recovering the IRF fabric If the active IRF fabric fails before the IRF link is recovered (see Figure 13), use the mad restore command

29 Displaying and maintaining an IRF fabric Execute display commands in any view. Task Command Display information about all IRF members. display ir

30 Configuration procedure 1. Configure Device A: # Bind Ten-GigabitEthernet 1/0/24 to IRF port 1/2, and save the configuration. <Sysname> sys

Conventions This section describes the conventions used in this document. Command conventions Convention Description Boldface Bold text represents co

31 [Sysname] interface route-aggregation 3 [Sysname-Route-Aggregation3] quit # Add GigabitEthernet 1/0/1 and GigabitEthernet 2/0/1 to aggregation gro

32 Setting up an IRF fabric (distributed devices) This chapter guides you through the IRF fabric setup procedure for M9000 security gateways. Hardwa

33 • You must use all or none of the four 10-GE breakout interfaces for IRF links. The four breakout interfaces can be bound to different IRF ports.

34 Tasks at a glance Remarks 7. (Optional.) Configuring IRF member devices in IRF mode: { Changing the member ID of a device { Changing the priori

35 Step Command Remarks 1. (Optional.) Verify the member ID assignment status. display irf configuration Check the MemberID field. If the device doe

36 Step Command Remarks 3. Bind a physical interface to the IRF port. port group interface interface-type interface-number [ mode { enhanced | norma

37 Setting the operating mode to IRF mode By default, the device operates in standalone mode. To assign the device to an IRF fabric, you must change

38 Changing the member ID of a device CAUTION: In IRF mode, an IRF member ID change can invalidate member ID-related settings and cause data loss. B

39 To configure IRF ports: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Ethernet interface view or interface range view. •

40 Step Command Remarks 8. Enter interface view or interface range view. • Enter interface range view: { Method 1: interface range { interface-typ

Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a ro

41 Step Command Remarks 2. Enable IRF auto-merge. irf auto-merge enable By default, this feature is enabled. Configuring a member device descriptio

42 To configure a port-specific load sharing mode for an IRF port: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter IRF port v

43 Step Command Remarks 2. Configure IRF bridge MAC persistence. • Retain the bridge MAC address permanently even if the address owner has left the

44 If sufficient storage space is not available, the MPU automatically deletes the current software images. If the reclaimed space is still insuffici

45 { In a context environment, if you change the IRF domain ID on one context, the IRF domain IDs on all other contexts change automatically. The ir

46 Step Command Remarks 5. Enter interface view or interface range view. • Enter interface range view: { Method 1: interface range { interface-typ

47 { Enable the IRF fabric to change its bridge MAC address as soon as the address owner leaves. { Create an ARP MAD VLAN and assign the ports on t

48 Step Command Remarks 11. Enable ARP MAD. mad arp enable By default, ARP MAD is disabled. Configuring ND MAD When you use ND MAD, follow these gu

49 Step Command Remarks 7. Assign the port or the range of ports to the ND MAD VLAN. • Assign the port to the VLAN as an access port: port access

50 Figure 16 Recovering the IRF fabric If the active IRF fabric fails before the IRF link is recovered (see Figure 17), use the mad restore command

Obtaining documentation Access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the following links to

51 Displaying and maintaining an IRF fabric Execute display commands in any view. Task Command Display information about all IRF members. display ir

52 Figure 18 Network diagram Configuration procedure 1. Configure Device A: # Assign member ID 1 to Device A, and bind Ten-GigabitEthernet 3/0/1 t

53 Device A becomes a one-chassis IRF fabric. 2. Configure Device B: # Assign member ID 2 to Device B, and bind Ten-GigabitEthernet 3/0/1 to IRF-por

54 [Sysname] interface gigabitethernet 2/4/0/1 [Sysname-gigabitethernet2/4/0/1] undo stp enable ARP MAD-enabled IRF configuration example Network req

55 Do you want to convert the content of the next startup configuration file flash:/startup.cfg to make it available in IRF mode? [Y/N]:y Please wa

56 [Sysname] undo irf mac-address persistent # Set the domain ID of the IRF fabric to 1. [Sysname] irf domain 1 # Create VLAN 3, and add GigabitEther

57 Figure 20 Network diagram Configuration procedure 1. Configure Device A: # Assign member ID 1 to Device A, and bind Ten-GigabitEthernet 3/0/1 t

58 [Sysname] irf member 2 Info: Member ID change will take effect after the member reboots and operates in IRF mode. [Sysname] irf-port 1 [Sysname-

59 [Sysname-Vlan-interface3] mad nd enable You need to assign a domain ID (range: 0-4294967295) [Current domain is: 1]: The assigned domain ID is

60 Configuration procedure 1. Identify the master. <IRF> display irf MemberID Slot Role Priority CPU-Mac Description *+1

i Contents IRF overview ·····························································································································

61 Now rebooting, please wait... Device A automatically reboots to complete the operating mode change. 6. Log in to Device B and change its operati

62 Configuring contexts Overview A physical firewall or an IRF fabric can be virtualized into multiple logical firewalls called contexts. Each contex

63 • Manage the entire physical firewall. • Create and delete non-default contexts (for example, Context 1, Context 2, and Context 3 in Figure 22).

64 • All contexts without the VLAN-unshared attribute share the same VLAN resources (VLAN 1 through VLAN 4094). You create VLANs on the default cont

65 Assigning a context to a security engine group A context assigned to a security engine group resides on all security engines in the group. You can

66 • Use the display context resource command to view the amount of disk space that has been used by the context before assigning disk space to the

67 Assigning interfaces to a context By default, all interfaces belong to the default context. A non-default context cannot use any interfaces. To en

68 Hardware Resource limits compatibility F5020/F5040 No M9006/M9010/M9014 Yes VFW1000 No Setting a throughput threshold This feature limits the thr

69 Setting the upper limit of session establishment rate This feature limits the number of sessions that can be established per second for a context.

70 Task Command Display contexts. display context [ name context-name ] Display interfaces assigned to contexts. display context [ name context-name

ii Configuring a member device description ··········································································································

71 Configuration procedure 1. Configure security engine group test: # Create security engine group test. <Sysname> system-view [Sysname] blade

72 [Sysname-context-3-cnt2] allocate interface gigabitethernet 1/0/2 gigabitethernet 1/0/12 [Sysname-context-3-cnt2] quit 4. Configure context cnt3:

73 Index A B C D E F G H I M O P R S A Accessing a context,69 Accessing the IRF fabric,21 Accessing the IRF fabric,37 Assigning a member ID to each

iii ND MAD-enabled IRF configuration example ···································································································· 56