Routing deployment configuration examples

·     Introduction

·     Prerequisites

·     Example: Configuring routing deployment

Routing deployment enables the device to operate at Layer 3 (both the uplink and downlink service interfaces of the device operate at Layer 3) in the network, implementing security inspection and control for network traffic.

Routing deployment requires changing the existing network address plan, and enables the device to support various routing and security features.

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of interface configuration and security policies.

Network configuration

As shown in Figure 1, an enterprise deploys a device as a security protection device at the network border. The device can connect the internal network and the Internet, perform security inspection and control for network traffic, and support routing and various security features.

Figure 1 Network diagram

Software versions used

This configuration example was created and verified on E8371 of the F5000-AI160 device.

This configuration example was created and verified on E9671 of the M9000-X06 device.

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the IP address and security zone settings as shown in Figure 2.

a.     Select the Trust security zone.

b.     Enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.

c.     Use default settings for other parameters.

d.     Click OK.

Figure 2 Configuring interface information

# Configure the IP address and security zone settings for GE 1/0/2 in the same way you configure GE 1/0/1.

2.     Configure a static route:

You can configure a dynamic routing protocol based on network requirements. This example uses a static route as an example. Assume the next hop IP address that the device connects to the external network is 20.1.1.2.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure the following parameters:

a.     Enter the destination IP address 0.0.0.0.

b.     Specify the mask length as 0.

c.     Specify the next hop IP address as 20.1.1.2.

d.     Use default settings for other parameters.

# Click OK.

3.     Create a security policy to enable the host to access the external network.

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Select Create > Create a policy.

# In the dialog box that opens, configure the security policy as shown in Figure 3.

Figure 3 Creating a security policy 1

Figure 4 Creating a security policy 2

# Use default settings for other parameters, and then click OK.

Configuring the host

# Configure the IPv4 address of the default gateway as 10.1.1.1 for the host.

Verifying the configuration

# Verify that only the host with IP address 10.1.1.2 in the internal network can access the external network. Other hosts cannot access the external network.