HP VPN Firewall Appliances Network Management Configuration Guide

# When the two links between Firewall A and Firewall B are both up, Firewall B adopts the link
Firewall A<—>Router A<—>Firewall B to exchange packets with network 1200::0/64. (Set a
higher MED value for route 1200::0/64 sent to peer 2002::2 on Firewall A.)
○ Create IPv6 ACL 2000 to permit 1200::0/64 to pass.
[FirewallA] acl ipv6 number 2000
[FirewallA-acl6-basic-2000] rule permit source 1200::0 64
[FirewallA-acl6-basic-2000] quit
○ Create two route policies, apply_med_50 and apply_med_100. Policy apply_med_50 sets the
MED for route 1200::0/64 to 50. Policy apply_med_100 sets it to 100.
[FirewallA] route-policy apply_med_50 permit node 10
[FirewallA-route-policy] if-match ipv6 address acl 2000
[FirewallA-route-policy] apply cost 50
[FirewallA-route-policy] quit
[FirewallA] route-policy apply_med_100 permit node 10
[FirewallA-route-policy] if-match ipv6 address acl 2000
[FirewallA-route-policy] apply cost 100
[FirewallA-route-policy] quit
○ Apply routing policy apply_med_50 to routes outgoing to peer 3002::2, and apply routing
policy apply_med_100 to routes outgoing to peer 2002::2.
[FirewallA] bgp 200
[FirewallA-bgp] ipv6-family
[FirewallA-bgp-af-ipv6] network 1200:: 64
[FirewallA-bgp-af-ipv6] peer 3002::2 route-policy apply_med_50 export
[FirewallA-bgp-af-ipv6] peer 2002::2 route-policy apply_med_100 export
# Configure BFD over the link to peer 3002::2 so that when the link Firewall A<—>Router
A<—>Firewall B fails, BFD quickly detects the failure and notifies IPv6 BGP, and the link
Firewall A<—>Router B<—>Firewall B takes effect immediately.
[FirewallA-bgp-af-ipv6] peer 3002::2 bfd
[FirewallA-bgp-af-ipv6] quit
[FirewallA-bgp] quit
4. Configure IPv6 BGP on Firewall B:
<FirewallB> system-view
[FirewallB] bgp 200
[FirewallB-bgp] ipv6-family
[FirewallB-bgp-af-ipv6] peer 3001::1 as-number 200
[FirewallB-bgp-af-ipv6] peer 3001::1 bfd
[FirewallB-bgp-af-ipv6] peer 2001::1 as-number 200
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
5. Configure BFD parameters (you can use default BFD parameters instead):
# Configure Firewall A.
[FirewallA] bfd session init-mode active
[FirewallA] interface gigabitethernet 1/2
○ Configure the minimum interval for transmitting BFD control packets as 500 milliseconds.
[FirewallA-GigabitEthernet1/2] bfd min-transmit-interval 500
○ Configure the minimum interval for receiving BFD control packets as 500 milliseconds.
[FirewallA-GigabitEthernet1/2] bfd min-receive-interval 500
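
Added example (not part of the HP guide): a small Python model of what the configuration above achieves on Firewall B, showing which path to 1200::/64 wins on MED and how long the switchover takes with the 500 ms BFD timers. The detect multiplier of 5 and the 180-second BGP hold time are assumptions, since the page configures neither, and pairing peer 3001::1 with the MED 50 path is inferred from the BFD commands.

```python
from dataclasses import dataclass

@dataclass
class BfdEnd:
    """One end of a BFD session; intervals in milliseconds."""
    min_tx_ms: int       # bfd min-transmit-interval
    min_rx_ms: int       # bfd min-receive-interval
    detect_mult: int     # assumed value, not configured on the page

def detection_time_ms(local: BfdEnd, remote: BfdEnd) -> int:
    """RFC 5880 asynchronous mode: the remote multiplier times the
    negotiated interval at which the remote end transmits to us."""
    return remote.detect_mult * max(local.min_rx_ms, remote.min_tx_ms)

@dataclass
class Path:
    """A route to 1200::/64 as Firewall B learns it from one peer."""
    peer: str
    med: int
    bfd: bool            # True if 'peer <addr> bfd' is configured

def best_path(paths, down_peers=()):
    """Lowest MED wins among paths whose peer is still reachable."""
    usable = [p for p in paths if p.peer not in down_peers]
    return min(usable, key=lambda p: p.med) if usable else None

def failover_ms(paths, failed_peer, bfd_ms, hold_ms):
    """Time until the failed peer's path is withdrawn: the BFD detection
    time if the peer is BFD-monitored, otherwise the BGP hold timer."""
    failed = next(p for p in paths if p.peer == failed_peer)
    return bfd_ms if failed.bfd else hold_ms

# Constructed from the page: Firewall B's view of its two IBGP peers.
PATHS = [Path("3001::1", 50, True), Path("2001::1", 100, False)]
# Assumptions: both ends use 500 ms timers, multiplier 5, hold time 180 s.
FW_A = FW_B = BfdEnd(500, 500, 5)
HOLD_MS = 180_000

if __name__ == "__main__":
    t = detection_time_ms(FW_B, FW_A)
    print("preferred peer:", best_path(PATHS).peer)
    print("after failure: ", best_path(PATHS, {"3001::1"}).peer)
    print("switchover after about %d ms (%d ms without BFD)"
          % (failover_ms(PATHS, "3001::1", t, HOLD_MS), HOLD_MS))
```
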