This experiment builds upon previous firewall configurations, expanding functionality with dual-hot standby setup and bandwidth control. For foundational knowledge, refer to prior articles covering NAT and intelligent routing, as well as security policies.
Experiment Overview
- DMZ servers accessible only during office hours (9:00–18:00) by the office zone; production zone devices have full access.
- Production zone cannot access the internet; office and guest zones can.
- Device 10.0.2.10 in office zone restricted from accessing FTP and HTTP DMZ servers but allowed to ping 10.0.3.10.
- Office zone divided into marketing and R&D departments: marketing uses anonymous authentication, R&D requires IP-bound user authentication.
- Guest zone users are unregistered, denied access to DMZ and production zones, authenticated via Guest account with password Admin@123.
- Production zone access to DMZ requires portal authentication with organizational structure including three departments, each with three users, all sharing password openlab123. First login mandates password change, expiration set at 10 days, single-user restriction enabled.
- Create a custom admin without system management privileges.
- Office devices may use both Telecom and Mobile links (NAT, one public IP reserved).
- Branch office clients can access DMZ HTTP server through corporate Telecom and Mobile links.
- Multi-path routing based on bandwidth proportion; however, device 10.0.2.10 restricted to Telecom link for internet access. Link overload protection threshold set at 80%.
- Branch internal clients and external users can resolve internal server hostnames.
- Guest zone limited to Mobile link internet access only.
- Network upgraded from single firewall to dual-hot standby with load-sharing mode: Guest and DMZ traffic routed through FW3, Production and Office traffic through FW1.
- Office users capped at 100Mbps total bandwidth; Sales department members further limited to 60Mbps total, i.e., 6Mbps per member.
- Sales team guaranteed minimum 10Mbps email bandwidth during office hours, with individual minimum of 1Mbps.
- Mobile link bandwidth is 100Mbps; guest users limited to 50Mbps, dynamically allocated per online address.
- Inbound traffic from external to internal servers capped at 40Mbps; each DMZ server limited to 20Mbps outbound bandwidth.
Configuration Steps
3.1 Dual-Hot Standby Load Sharing Setup
Aggregate the two inter-firewall links into a single Eth-Trunk so that the heartbeat (HRP) link between the firewalls survives a single port failure:
FW1:
[USG6000V1]interface Eth-Trunk 0
[USG6000V1-Eth-Trunk0]trunkport GigabitEthernet 1/0/5 to 1/0/6
FW2:
[USG6000V1]interface Eth-Trunk 0
[USG6000V1-Eth-Trunk0]trunkport GigabitEthernet 1/0/5 to 1/0/6
After this, g1/0/5 and g1/0/6 no longer appear as independent interfaces; they are member ports of Eth-Trunk0, and all further configuration of the inter-firewall link (IP address, HRP) is done on the Eth-Trunk0 interface.
3.2 Virtual IP Configuration and Traffic Routing
Production and Office traffic is directed through FW1 by giving FW1 the gateway address of those zones. The ip address command is only accepted in interface view, which the original omits; the interface name GigabitEthernet 1/0/1 below is assumed and must be replaced with the interface that actually faces the Production and Office zones:
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.1.1 255.255.255.0
Guest and DMZ traffic is routed via FW3 in the same way, on the interface facing those zones (again assumed):
[FW3]interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1]ip address 192.168.3.1 255.255.255.0
3.3 Bandwidth Channel and Policy Creation
The "bandwidth channel" and "bandwidth policy" used below are the two objects of the USG6000 bandwidth-management feature: a channel holds the limits (maximum and guaranteed bandwidth, for the whole channel or per IP address), and a policy is the match rule (zone, user, application, time range) that sends traffic into a channel. Values are caps unless stated otherwise.
Office user bandwidth limit (100 Mbps for the whole office zone):
[FW1]bandwidth channel office-bandwidth
[FW1]bandwidth policy office-policy
[FW1]bandwidth rule 1
[FW1]bandwidth rule 1 bandwidth 100mbps
Sales department bandwidth restriction (60 Mbps in total, 6 Mbps per member, nested under the office channel so it also counts against the 100 Mbps office cap):
[FW1]bandwidth rule 2
[FW1]bandwidth rule 2 bandwidth 60mbps
Email application bandwidth guarantee (10 Mbps is the guaranteed minimum for the Sales team's email traffic during office hours, with 1 Mbps per member; it is a floor, not a cap):
[FW1]bandwidth rule 3
[FW1]bandwidth rule 3 bandwidth 10mbps
Guest mobile internet usage limit (50 Mbps in total on the 100 Mbps Mobile link, shared dynamically among online guest addresses, configured on FW3):
[FW3]bandwidth channel guest-mobile
[FW3]bandwidth rule 1
[FW3]bandwidth rule 1 bandwidth 50mbps
External-to-internal server traffic restriction (40 Mbps inbound in total; the 20 Mbps per-server outbound limit from the requirements is not shown in this snippet):
[FW1]bandwidth channel external-inbound
[FW1]bandwidth rule 1
[FW1]bandwidth rule 1 bandwidth 40mbps
Note: A bandwidth policy only shapes traffic that a security policy has already permitted, so define the security policies first and apply the bandwidth policies afterwards; check that each bandwidth rule's match conditions (zones, users, time ranges) agree with the corresponding security-policy rule.
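As an added worked example (not part of the original lab and not Huawei's own tooling), the script below checks the bandwidth plan of section 3.3 for internal consistency before anything is typed into the firewalls, and then emits the profile section of the corresponding traffic-policy configuration. Everything in it beyond the lab's figures is an assumption of this example: the channel names sales-bandwidth and sales-mail, the head-count of 10 Sales members (derived from 60 Mbps / 6 Mbps), and the command syntax, which is written from memory of the USG6000 V5 traffic-policy CLI and must be checked against the device documentation before use.

```python
"""Consistency check for a bandwidth plan, then emission of the profile
section of USG6000 traffic-policy commands. Added example, not part of the
original lab; the CLI syntax is an assumption written from memory of the
USG6000 V5 traffic-policy commands and must be checked against the device
documentation before use."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Channel:
    """One 'bandwidth channel' of the lab, i.e. one traffic-policy profile."""
    name: str
    max_kbps: Optional[int] = None          # cap for the whole channel
    max_dir: str = "both"                   # inbound | outbound | both
    per_ip_kbps: Optional[int] = None       # cap per online address
    per_ip_dir: str = "both"
    guar_kbps: Optional[int] = None         # guaranteed minimum for the whole channel
    guar_per_ip_kbps: Optional[int] = None  # guaranteed minimum per address
    parent: Optional[str] = None            # channel this one is nested under
    members: Optional[int] = None           # number of addresses expected in the channel
    link_kbps: Optional[int] = None         # capacity of the physical link the channel uses


def mbps(n: int) -> int:
    """The lab states figures in Mbps; the CLI takes kbit/s."""
    return n * 1000


def validate(channels: List[Channel]) -> List[str]:
    """Return human-readable inconsistencies; an empty list means the plan is sane."""
    by_name = {c.name: c for c in channels}
    problems: List[str] = []
    for c in channels:
        if c.parent is not None:
            p = by_name.get(c.parent)
            if p is None:
                problems.append(f"{c.name}: parent channel {c.parent} is not defined")
            elif p.max_kbps:
                # Nothing nested under a capped channel may promise more than that cap.
                if c.max_kbps and c.max_kbps > p.max_kbps:
                    problems.append(f"{c.name}: cap {c.max_kbps} exceeds parent cap {p.max_kbps}")
                if c.guar_kbps and c.guar_kbps > p.max_kbps:
                    problems.append(f"{c.name}: guarantee {c.guar_kbps} exceeds parent cap {p.max_kbps}")
        # Per-address cap times head-count must fit inside the channel cap.
        if c.per_ip_kbps and c.members and c.max_kbps and c.per_ip_kbps * c.members > c.max_kbps:
            problems.append(f"{c.name}: {c.members} x {c.per_ip_kbps} per address exceeds cap {c.max_kbps}")
        # A guarantee larger than the matching cap can never be honoured.
        if c.guar_kbps and c.max_kbps and c.guar_kbps > c.max_kbps:
            problems.append(f"{c.name}: guarantee {c.guar_kbps} exceeds own cap {c.max_kbps}")
        if c.guar_per_ip_kbps and c.per_ip_kbps and c.guar_per_ip_kbps > c.per_ip_kbps:
            problems.append(f"{c.name}: per-address guarantee exceeds per-address cap")
        # The channel cannot be allowed more than the physical link carries.
        if c.max_kbps and c.link_kbps and c.max_kbps > c.link_kbps:
            problems.append(f"{c.name}: cap {c.max_kbps} exceeds link capacity {c.link_kbps}")
    # Guarantees of all channels nested under one parent must fit in that parent's cap together.
    for p in channels:
        if p.max_kbps:
            total = sum(c.guar_kbps or 0 for c in channels if c.parent == p.name)
            if total > p.max_kbps:
                problems.append(f"{p.name}: nested guarantees total {total}, above cap {p.max_kbps}")
    return problems


def render_profile(c: Channel) -> List[str]:
    """Emit the profile block for one channel, values already in kbit/s (syntax assumed)."""
    lines = [f"profile {c.name}"]
    if c.max_kbps:
        lines.append(f" bandwidth maximum-bandwidth whole {c.max_dir} {c.max_kbps}")
    if c.per_ip_kbps:
        lines.append(f" bandwidth maximum-bandwidth per-ip {c.per_ip_dir} {c.per_ip_kbps}")
    if c.guar_kbps:
        lines.append(f" bandwidth guaranteed-bandwidth whole both {c.guar_kbps}")
    if c.guar_per_ip_kbps:
        lines.append(f" bandwidth guaranteed-bandwidth per-ip both {c.guar_per_ip_kbps}")
    return lines


# The lab's requirements transcribed. The head-count of 10 Sales members follows
# from 60 Mbps total / 6 Mbps per member; the channel names are this example's own.
PLAN = [
    Channel("office-bandwidth", max_kbps=mbps(100)),
    Channel("sales-bandwidth", max_kbps=mbps(60), per_ip_kbps=mbps(6), members=10,
            parent="office-bandwidth"),
    Channel("sales-mail", guar_kbps=mbps(10), guar_per_ip_kbps=mbps(1),
            parent="sales-bandwidth"),
    Channel("guest-mobile", max_kbps=mbps(50), link_kbps=mbps(100)),
    Channel("external-inbound", max_kbps=mbps(40), max_dir="inbound",
            per_ip_kbps=mbps(20), per_ip_dir="outbound"),
]

if __name__ == "__main__":
    for line in validate(PLAN) or ["plan is consistent"]:
        print(line)
    for channel in PLAN:
        print("\n".join(render_profile(channel)))
```

Running the script on the lab's plan reports it as consistent; changing the Sales per-member figure to 7 Mbps, or raising the email guarantee above the Sales cap, is flagged before the numbers reach the firewall. The profile blocks it prints still have to be placed under traffic-policy and referenced from rules (source-zone, user, time-range, action qos profile) that mirror the lab's bandwidth policies.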