The main purpose is to enforce policy restrictions on the data zone with a Layer 2 (transparent) firewall, as is common in most environments, while NAT is handled on the egress firewall.
The two firewalls are managed through the virtual network adapter of the physical host machine:
So that the host machine's own access to the external network is not affected, add two static routes on the host that point specifically at the two firewalls, as shown in the topology.
Core switch configuration:
dis current-configuration
version 7.1.075, Alpha 7571
dhcp enable
lldp global enable
vlan 1
vlan 2
vlan 10
description to_data
vlan 30
vlan 99 to 100
interface NULL0
interface Vlan-interface1
ip address 192.168.99.1 255.255.255.0
interface Vlan-interface2
ip address 192.168.20.1 255.255.255.0
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
interface Vlan-interface99
interface Vlan-interface100
ip address 10.0.0.2 255.255.255.0
interface FortyGigE1/0/53
port link-mode bridge
interface FortyGigE1/0/54
port link-mode bridge
interface GigabitEthernet1/0/1
port link-mode bridge
combo enable copper
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 100
combo enable copper
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 2
combo enable copper
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 2
combo enable copper
interface GigabitEthernet1/0/9
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 to 99
combo enable copper
interface M-GigabitEthernet0/0/0
i
line class console
user-role network-admin
line class tty
user-role network-operator
line class vty
user-role network-operator
line aux 0
user-role network-operator
line con 0
user-role network-admin
line vty 0 63
user-role network-operator
ip route-static 0.0.0.0 0 10.0.0.1
radius scheme system
user-name-format without-domain
domain system
domain default enable system
role name level-0
description Predefined level-0 role
user-group system
return
Data zone firewall:
Let’s look at the web configuration first:
Here are all the commands:
dis current-configuration
version 7.1.064, Alpha 7164
sysname H3C
context Admin id 1
telnet server enable
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
xbar load-single
password-recovery enable
lpu-type f-series
vlan 1
vlan 10
vlan 30
vlan 99
description manage
object-group ip address "vlan 20"
description vlan 20
0 network subnet 192.168.20.0 255.255.255.0
object-group ip address "vlan 99"
description vlan 99
0 network subnet 192.168.99.0 255.255.255.0
object-group ip address vlan10
0 network subnet 192.168.10.0 255.255.255.0
interface NULL0
interface Vlan-interface1
ip address 192.168.99.2 255.255.255.0
interface Vlan-interface99
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.100.11 255.255.255.0
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 30 99
combo enable copper
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 30 99
combo enable copper
object-policy ip Local-Untrust
rule 0 pass logging counting
object-policy ip Trust-Untrust
rule 1 drop source-ip vlan10 destination-ip "vlan 20" logging counting
rule 0 pass logging counting
object-policy ip Untrust-Local
rule 0 pass source-ip "vlan 20" logging counting
object-policy ip Untrust-Trust
rule 0 pass source-ip "vlan 20" destination-ip vlan10 logging counting
object-policy ip manage
rule 0 pass
security-zone name Local
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface Vlan-interface1
import interface GigabitEthernet1/0/2 vlan 1 10 30 99
security-zone name DMZ
security-zone name Untrust
import interface GigabitEthernet1/0/3 vlan 1 10 30 99
security-zone name Management
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
zone-pair security source Trust destination Local
object-policy apply ip manage
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
scheduler logfile size 16
line class aux
user-role network-operator
line class console
user-role network-admin
line class tty
user-role network-operator
line class vty
user-role network-operator
line aux 0
user-role network-admin
line con 0
authentication-mode scheme
user-role network-admin
line vty 0 4
authentication-mode scheme
user-role network-admin
line vty 5 63
user-role network-operator
ip route-static 0.0.0.0 0 192.168.99.1
domain system
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
role name level-0
description Predefined level-0 role
role name level-1
description Predefined level-1 role
role name level-2
description Predefined level-2 role
role name level-3
description Predefined level-3 role
role name level-4
description Predefined level-4 role
role name level-5
description Predefined level-5 role
role name level-6
description Predefined level-6 role
role name level-7
description Predefined level-7 role
role name level-8
description Predefined level-8 role
role name level-9
description Predefined level-9 role
role name level-10
description Predefined level-10 role
role name level-11
description Predefined level-11 role
role name level-12
description Predefined level-12 role
role name level-13
description Predefined level-13 role
role name level-14
description Predefined level-14 role
user-group system
local-user admin class manage
password hash $h 6 6 6tRsadGZK2d2hmyfJ$9zcpTloIC4X/vBhOTT3rVVk3tfplAZ8Ogu7vRiblO5eUqkQ6MafIqaXdZ/+d7bSEPrDrox/vEs2ICdwzOtYypA==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
ip http enable
ip https enable
inspect logging parameter-profile ips_logging_default_parameter
inspect logging parameter-profile url_logging_default_parameter
return
Egress firewall configuration:
Let’s look at the web configuration first:
Here is the full command-line configuration:
dis current-configuration
version 7.1.064, Alpha 7164
sysname H3C
context Admin id 1
telnet server enable
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
nat address-group 1
address 1.1.1.2 1.1.1.2
nat log enable acl 2001
nat log flow-active 120
nat log flow-begin
nat log flow-end
nat alg h323
nat alg ils
nat alg mgcp
nat alg nbt
nat alg rsh
nat alg sccp
nat alg sip
nat alg sqlnet
nat alg tftp
nat alg xdmcp
xbar load-single
password-recovery enable
lpu-type f-series
vlan 1
object-group ip address 4
0 network subnet 192.168.20.0 255.255.255.0
object-group ip address dmz-ip
description dmz-ip
0 network host address 172.16.0.2
object-group ip address isp-add
0 network subnet 0.0.0.0 0.0.0.0
object-group ip address jyw
0 network subnet 10.0.0.0 255.255.255.0
interface NULL0
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 1.1.1.2 255.255.255.0
nat outbound 2001 address-group 1
nat server protocol icmp global 1.1.1.2 inside 172.16.0.2
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 172.16.0.1 255.255.255.0
nat hairpin enable
object-policy ip Local-Trust
rule 0 pass
object-policy ip Trust-DMZ
rule 0 pass source-ip 4 logging counting
object-policy ip Trust-Untrust
rule 0 pass source-ip 4 logging counting
object-policy ip Untrust-DMZ
rule 0 pass destination-ip dmz-ip logging counting
object-policy ip manage
rule 0 pass source-ip 4 logging counting
security-zone name Local
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
security-zone name DMZ
import interface GigabitEthernet1/0/4
security-zone name Untrust
import interface GigabitEthernet1/0/3
security-zone name Management
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
zone-pair security source Trust destination DMZ
object-policy apply ip Trust-DMZ
zone-pair security source Trust destination Local
object-policy apply ip manage
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
zone-pair security source Untrust destination DMZ
object-policy apply ip Untrust-DMZ
scheduler logfile size 16
line class aux
user-role network-operator
line class console
user-role network-admin
line class tty
user-role network-operator
line class vty
user-role network-operator
line aux 0
user-role network-admin
line con 0
authentication-mode scheme
user-role network-admin
line vty 0 4
authentication-mode scheme
user-role network-admin
line vty 5 63
user-role network-operator
ip route-static 0.0.0.0 0 1.1.1.1
ip route-static 192.168.20.0 24 10.0.0.2 description to-pc
acl basic 2000
rule 0 permit source 192.168.20.0 0.0.0.255 logging counting
acl basic 2001
rule 0 permit source 192.168.20.0 0.0.0.255
domain system
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
role name level-0
description Predefined level-0 role
role name level-1
description Predefined level-1 role
role name level-2
description Predefined level-2 role
role name level-3
description Predefined level-3 role
role name level-4
description Predefined level-4 role
role name level-5
description Predefined level-5 role
role name level-6
description Predefined level-6 role
role name level-7
description Predefined level-7 role
role name level-8
description Predefined level-8 role
role name level-9
description Predefined level-9 role
role name level-10
description Predefined level-10 role
role name level-11
description Predefined level-11 role
role name level-12
description Predefined level-12 role
role name level-13
description Predefined level-13 role
role name level-14
description Predefined level-14 role
user-group system
local-user admin class manage
password hash $h 6 6 6SM1EKyfAmPK8yywg$J7p6VViBFehLqEFuEeYKbGj+ieM+YJlb9xctxRKr+PkAtNve6XXkSHdecq4iuKq9T2Qu3kZe5KVy7KrXS5SbSg==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
ip http enable
ip https enable
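The zone-pair and object-policy sections of both firewalls above decide what crosses each zone boundary, and the outcome depends on rule order and on the default for unmatched traffic. The following is an added Python model (not H3C code or part of the original configuration) that loads both policies as displayed and evaluates sample flows; it assumes the platform's default-deny behaviour for a flow that matches no rule or has no zone pair, and the sample flows are constructed.

```python
import ipaddress

# Constructed model of the object-groups from the two firewall configurations above.
# A group name of None in a rule means "any address".
GROUPS = {
    "vlan 20": ["192.168.20.0/24"], "vlan 99": ["192.168.99.0/24"], "vlan10": ["192.168.10.0/24"],
    "4": ["192.168.20.0/24"], "dmz-ip": ["172.16.0.2/32"], "isp-add": ["0.0.0.0/0"], "jyw": ["10.0.0.0/24"],
}

# Rules are kept in the order the device displays them, which is the order it matches them.
# On the data-zone firewall rule 1 (drop) is displayed before rule 0 (pass), so the drop takes effect.
# Each entry: (action, source object-group, destination object-group).
FIREWALLS = {
    "data": {
        ("Local", "Untrust"): [("pass", None, None)],
        ("Trust", "Local"):   [("pass", None, None)],                                   # policy "manage"
        ("Trust", "Untrust"): [("drop", "vlan10", "vlan 20"), ("pass", None, None)],
        ("Untrust", "Local"): [("pass", "vlan 20", None)],
        ("Untrust", "Trust"): [("pass", "vlan 20", "vlan10")],
    },
    "egress": {
        ("Local", "Trust"):   [("pass", None, None)],
        ("Trust", "DMZ"):     [("pass", "4", None)],
        ("Trust", "Local"):   [("pass", "4", None)],                                    # policy "manage"
        ("Trust", "Untrust"): [("pass", "4", None)],
        ("Untrust", "DMZ"):   [("pass", None, "dmz-ip")],
    },
}


def in_group(name, ip):
    """True when ip falls inside any member of the named object-group; None matches any address."""
    return name is None or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in GROUPS[name])


def evaluate(fw, src_zone, dst_zone, src_ip, dst_ip, firewalls=FIREWALLS):
    """First-match evaluation of one flow. Assumed default deny: a zone pair without a
    policy, or a flow that matches no rule of the applied policy, is dropped."""
    rules = firewalls[fw].get((src_zone, dst_zone))
    if rules is None:
        return "drop"
    for action, src_grp, dst_grp in rules:
        if in_group(src_grp, src_ip) and in_group(dst_grp, dst_ip):
            return action
    return "drop"


def audit(fw, flows, firewalls=FIREWALLS):
    """Return the (src_zone, dst_zone, src_ip, dst_ip) flows the firewall would pass, for review."""
    return [f for f in flows if evaluate(fw, *f, firewalls=firewalls) == "pass"]
```

Reversing the two Trust-Untrust rules on the data-zone firewall makes the drop unreachable, which is the check worth running before moving rules on the device.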