HCNA Intermediate Lab PDF
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1 Comprehensive E-Learning Courses
Content: All Huawei Career Certification E-Learning courses
Methods to get the E-learning privilege: submit Huawei Account and email being used for Huawei Account registration to Learning@huawei.com.
2 Training Material Download
Content: Huawei product training material and Huawei career certification training material
Method: Log on to http://learning.huawei.com/en and enter HuaWei Training/Classroom Training, then you can download training material in the specific training introduction page.
3 Priority to participate in Huawei Online Open Class (LVC)
Content: The Huawei career certification training covering
Storage and so on, which are conducted by Huawei professional instructors
Method: For the plan and participation method, please refer to LVC Open Courses Schedule
4 Learning Tool: eNSP
eNSP (Enterprise Network Simulation Platform) is a graphical network simulation tool which is developed by Huawei and free of charge. eNSP mainly simulates enterprise routers, switches as close to the real hardware as it possible, which makes the lab practice available and easy without any real device.
http://support.huawei.com/ecommunity/
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential
Huawei Certification
HCNA-HNTD INTERMEDIATE
Huawei Networking Technology and Device
Lab Guide
Huawei Technologies Co.,Ltd
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Certification
HCNA-HNTD Huawei Networking Technology and Device
Intermediate Lab Guide
Version 2.0
Huawei Certification System
Relying on its strong technical and professional training and certification system and in accordance with customers of different ICT technology levels, Huawei certification is committed to providing customers with authentic, professional certification, and addresses the need for the development of quality engineers that are capable of supporting enterprise networks in the face of an ever changing ICT industry. The Huawei certification portfolio for routing and switching (R&S) is comprised of three levels to support and validate the growth and value of customer skills and knowledge in routing and switching technologies.
The Huawei Certified Network Associate (HCNA) certification validates the skills and knowledge of IP network engineers to implement and support small to medium-sized enterprise networks. The HCNA certification provides a rich foundation of skills and knowledge for the establishment of such enterprise networks, along with the capability to implement services and features within existing enterprise networks, to effectively support true industry operations.
HCNA certification covers fundamental skills for TCP/IP, routing, switching and related IP network technologies, together with Huawei data communications products, and skills for versatile routing platform (VRP) operation and management.
The Huawei Certified Network Professional (HCNP-R&S (HCDP)) certification is aimed at enterprise network engineers involved in design and maintenance, as well as professionals who wish to develop an in depth knowledge of routing, switching, network efficiency and optimization technologies. HCNP-R&S consists of three units including Implement Enterprise Switch Network (IESN), Implement Enterprise Routing Network (IERN), and Improving Enterprise Network Performance (IENP), which includes advanced IPv4 routing and switching technology principles, network security, high availability and QoS, as well as application of the covered technologies in Huawei products.
The Huawei Certified Internet Expert (HCIE-R&S) certification is designed to imbue engineers with a variety of IP network technologies and proficiency in maintenance, for the diagnosis and troubleshooting of Huawei products, to equip engineers with in-depth competency in the planning, design and optimization of large-scale IP networks.
Reference Icons
Router L3 Switch L2 Switch Cloud
Ethernet link Serial link
Lab environment specification
In order to ensure that the configuration given in this lab is supported on all devices, it is recommended that the following device models and VRP versions be used:
Identifier   Device Model       VRP version
R1           AR 2220            Version 5.120 (AR2200 V200R003C00SPC200)
R2           AR 2220            Version 5.120 (AR2200 V200R003C00SPC200)
R3           AR 2220            Version 5.120 (AR2200 V200R003C00SPC200)
S2           S5700-28C-EI-24S   Version 5.70 (S5700 V100R006C00SPC800)
CONTENTS
LAB 1-2 VLAN CONFIGURATION
CHAPTER 2 ENTERPRISE WAN CONFIGURATION
LAB 2-1 HDLC AND PPP CONFIGURATION
LAB 2-2 CONFIGURING FRAME RELAY AT THE CUSTOMER EDGE
LAB 2-3 PPPOE CLIENT SESSION ESTABLISHMENT
CHAPTER 3 IMPLEMENTING IP SECURITY
LAB 3-1 FILTERING ENTERPRISE DATA WITH ACCESS CONTROL LISTS
LAB 3-3 ESTABLISHING LOCAL AAA SOLUTIONS
LAB 3-4 SECURING TRAFFIC WITH IPSEC VPN
LAB 3-5 SUPPORTING DYNAMIC ROUTING WITH GRE
CHAPTER 4 MANAGING ENTERPRISE NETWORKS
LAB 4-1 MANAGING NETWORKS WITH SNMP
CHAPTER 5 ESTABLISHING IPV6 NETWORKS
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Manually set the line rate and duplex mode on an interface.
Configuration of manual mode link aggregation.
Configuration of link aggregation using static LACP mode.
Management of the priority of interfaces in static LACP mode.
Topology
Figure 1.1 Ethernet link aggregation topology
Scenario
As a network administrator of an existing enterprise network, it has been
that the connections between the switches be used more effectively
manual link aggregation, for which the media between the switches are to be
Tasks
GigabitEthernet0/0/9 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 752 bits/sec, 0 packets/sec
Last 300 seconds output rate 720 bits/sec, 0 packets/sec
Input peak rate 1057259144 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267232 bits/sec,Record time: 2008-10-01 00:08:58
Input: 11655141 packets, 960068100 bytes
Unicast : 70,Multicast : 5011357
Broadcast : 6643714,Jumbo : 0
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 0
Ignoreds : 0,Frames : 0
Discard : 69,Total Error : 0
Output: 11652169 packets, 959869843 bytes
Broadcast : 6642808,Jumbo : 0
Collisions : 0,Deferreds : 0
Late Collisions : 0,ExcessiveCollisions : 0
Buffers Purged : 0
Discard : 5,Total Error : 0

IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 1312 bits/sec, 0 packets/sec
Last 300 seconds output rate 72 bits/sec, 0 packets/sec
Input peak rate 1057256792 bits/sec,Record time: 2008-10-01 00:08:58
Output peak rate 1057267296 bits/sec,Record time: 2008-10-01 00:08:58
Input: 11651829 packets, 959852817 bytes
Unicast : 115,Multicast : 5009062
Broadcast : 6642648,Jumbo : 0
CRC : 3,Giants : 0
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments : 0,Symbols : 4
Ignoreds : 0,Frames : 0
Discard : 218,Total Error : 7
Output: 11655280 packets, 960072712 bytes
Unicast : 245,Multicast : 5011284
Broadcast : 6643751,Jumbo : 0
Collisions : 0,Deferreds : 0
Late Collisions : 0,ExcessiveCollisions : 0
Buffers Purged : 0
Discard : 107,Total Error : 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Output bandwidth utilization : 0.00%
Set the rate of G0/0/9 and G0/0/10 on S1 to 100 Mbit/s and configure them to
work in full duplex mode. Before changing the interface rate and duplex mode,
disable auto-negotiation.
[Quidway]sysname S2
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]undo negotiation auto
[S2-GigabitEthernet0/0/9]speed 100
[S2-GigabitEthernet0/0/9]duplex full
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]undo negotiation auto
[S2-GigabitEthernet0/0/10]speed 100
[S2-GigabitEthernet0/0/10]duplex full
Confirm that the rate and duplex mode of G0/0/9 and G0/0/10 have been set on S1.
[S1]display interface GigabitEthernet 0/0/9
GigabitEthernet0/0/9 current state : UP
Line protocol current state : UP
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Speed : 100, Loopback: NONE
output omitted
output omitted
Step 2 Configure manual link aggregation.
Create Eth-Trunk 1 on S1 and S2. Delete the default configuration from G0/0/9 and G0/0/10 on S1 and S2, and then add G0/0/9 and G0/0/10 to Eth-Trunk 1.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]eth-trunk 1
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]eth-trunk 1
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]eth-trunk 1
Verify the Eth-Trunk configuration.
[S1]display eth-trunk 1
Eth-Trunk1's state information is:
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
PortName                Status   Weight
GigabitEthernet0/0/9    Up       1
GigabitEthernet0/0/10   Up       1
[S2]display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
PortName                Status   Weight
GigabitEthernet0/0/9    Up       1
GigabitEthernet0/0/10   Up       1
The greyed lines in the preceding information indicate that the Eth-Trunk works properly.
Step 3 Configuring Link Aggregation in Static LACP Mode
Delete the configurations from G0/0/9 and G0/0/10 on S1 and S2.
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]undo eth-trunk
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]undo eth-trunk
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]undo eth-trunk
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]undo eth-trunk
Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static LACP mode.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]mode lacp-static
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]eth-trunk 1
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]mode lacp-static
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]eth-trunk 1
[S2-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]eth-trunk 1
Verify that the LACP-static mode has been enabled on the two links.
[S1]display eth-trunk
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 4c1f-cc45-aace
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
ActorPortName           Status     PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet0/0/9    Selected   100M      32768    9       289      10111100   1
GigabitEthernet0/0/10   Selected   100M      32768    10      289      10111100   1
Partner:
----------------------------------------------------------------------------
ActorPortName           SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/9    32768   4c1f-cc45-aacc  32768    9       289      10111100
GigabitEthernet0/0/10   32768   4c1f-cc45-aacc  32768    10      289      10111100
Set the system priority on S1 to 100 to ensure S1 remains the Actor.
[S1]lacp priority 100
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]lacp priority 100
[S1-GigabitEthernet0/0/9]quit
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
ActorPortName           Status     PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet0/0/9    Selected   100M      100      9       289      10111100   1
GigabitEthernet0/0/10   Selected   100M      100      10      289      10111100   1
Partner:
---------------------------------------------------------------------------
ActorPortName           SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/9    32768   4c1f-cc45-aacc  32768    9       289      10111100
GigabitEthernet0/0/10   32768   4c1f-cc45-aacc  32768    10      289      10111100
[S2]display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768
Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
ActorPortName           Status     PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet0/0/9    Selected   100M      32768    9       289      10111100   1
GigabitEthernet0/0/10   Selected   100M      32768    10      289      10111100   1
Partner:
----------------------------------------------------------------------------
ActorPortName           SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/9    100     4c1f-cc45-aace  100      9       289      10111100
Final Configuration
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/9
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
return
[S2]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/9
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
undo negotiation auto
speed 100
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Assign port interfaces to become access and trunk ports.
Create VLANs.
Configure VLAN tagging over ports using the hybrid port link type.
Configure the default VLAN for an interface using the Port VLAN ID.
Topology
Figure 1.2 VLAN topology
Scenario
The enterprise network currently operates in a single broadcast domain resulting in a large amount of traffic being flooded to all network nodes. It is required that the administrator attempt to control the flow of traffic at the link
to switches S1 and S2.
Tasks
If you are starting this section with a non-configured device, begin here and then move to step 2. For those continuing from previous labs, begin at step 2.
Establish an Eth-trunk link between S1 and S2.
<Quidway>system-view
[Quidway]sysname S1
[S1]interface Eth-trunk 1
[S1-Eth-Trunk1]mode lacp-static
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet0/0/9
[S1-Gigabitethernet0/0/9]eth-trunk 1
[S1-Gigabitethernet0/0/9]interface GigabitEthernet0/0/10
[S1-Gigabitethernet0/0/10]eth-trunk 1
On S2, add interfaces to an Eth-Trunk using the Eth-Trunk view.
<Quidway>system-view
[Quidway]sysname S2
[S2]interface eth-trunk 1
[S2-Eth-Trunk1]mode lacp-static
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/9
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10
Step 2 Disable unused interfaces and establish a VLAN trunk.
Unused interfaces must be disabled to ensure test result accuracy. In this lab, interfaces Ethernet 0/0/1 and Ethernet 0/0/23 on S3 and Ethernet0/0/14 on S4 need to be shut down.
<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]sysname S3
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]shutdown
[S3-Ethernet0/0/1]quit
[S3]interface Ethernet 0/0/23
[S3-Ethernet0/0/23]shutdown
<Quidway>system-view
Enter system view, return user view with Ctrl+Z.
[Quidway]sysname S4
[S4]interface Ethernet 0/0/14
[S4-Ethernet0/0/14]shutdown
The link type of a switch port interface is hybrid by default. Configure the port link-type for Eth-Trunk 1 to become a trunk port. Additionally, permit all VLANs over the trunk port.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan all
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan all
Step 3 Configure VLANs.
Use S3, R1, R3, and S4 as non-VLAN aware hosts. There are two methods to create VLANs, and two methods to bind interfaces to the created VLANs; S1 and S2 are used to demonstrate the two methods. All interfaces associated with hosts should be configured as access ports.
On S1, associate interface Gigabit Ethernet 0/0/13 with VLAN 3, and interface Gigabit Ethernet 0/0/1 with VLAN 4.
On S2, associate interface Gigabit Ethernet 0/0/2 with VLAN 4, and Gigabit Ethernet 0/0/24 with VLAN 2.
[S1]interface GigabitEthernet0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]quit
[S1]interface GigabitEthernet0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]quit
[S1]vlan 2
[S1-vlan2]vlan 3
[S1-vlan3]port GigabitEthernet0/0/13
[S1-vlan3]vlan 4
[S1-vlan4]port GigabitEthernet0/0/1
[S2]vlan batch 2 to 4
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type access
[S2-GigabitEthernet0/0/3]port default vlan 4
[S2-GigabitEthernet0/0/3]quit
[S2]interface GigabitEthernet 0/0/24
[S2-GigabitEthernet0/0/24]port link-type access
[S2-GigabitEthernet0/0/24]port default vlan 2
Verify that the VLAN configuration has been correctly applied to S1 and S2.
<S1>display vlan
The total number of vlans is : 4
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
1    common  UT:GE0/0/2(U)  GE0/0/3(U)  GE0/0/4(U)  GE0/0/5(U)
                GE0/0/6(D)  GE0/0/7(D)  GE0/0/8(D)  GE0/0/11(D)
                GE0/0/12(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
                GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
                GE0/0/21(U) GE0/0/22(U) GE0/0/23(U) GE0/0/24(D)
                Eth-Trunk1(U)
2    common  TG:Eth-Trunk1(U)
3    common  UT:GE0/0/13(U)
             TG:Eth-Trunk1(U)
4    common  UT:GE0/0/1(U)
             TG:Eth-Trunk1(U)
output omitted
<S2>display vlan
The total number of vlans is : 4
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
VID  Type    Ports
----------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)  GE0/0/2(U)  GE0/0/4(U)  GE0/0/5(U)
                GE0/0/6(D)  GE0/0/7(D)  GE0/0/8(D)  GE0/0/11(U)
                GE0/0/12(U) GE0/0/13(U) GE0/0/14(D) GE0/0/15(D)
                GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D)
                GE0/0/20(D) GE0/0/21(D) GE0/0/22(D) GE0/0/23(D)
                Eth-Trunk1(U)
2    common  UT:GE0/0/24(U)
             TG:Eth-Trunk1(U)
3    common  TG:Eth-Trunk1(U)
4    common  UT:GE0/0/3(U)
             TG:Eth-Trunk1(U)
output omitted
the trunk (TG) port Eth-Trunk 1.
Step 4 Configure IP addressing for each VLAN.
<Huawei>system-view
[Huawei]sysname R1
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24
[S3]interface vlanif 1
[S3-vlanif1]ip address 10.0.4.2 24
<Huawei>system-view
[Huawei]sysname R3
[R3]interface GigabitEthernet0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.4.3 24
[S4]interface vlanif 1
[S4-vlanif1]ip address 10.0.4.4 24
Step 5 Verify the configuration, by checking the connectivity.
Use the ping command. R1 and R3 in VLAN 4 should be able to communicate with one another. Devices in other VLANs should be unable to communicate.
[R1]ping 10.0.4.3
PING 10.0.4.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.3: bytes=56 Sequence=1 ttl=255 time=6 ms
Reply from 10.0.4.3: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.0.4.3: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.0.4.3: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.0.4.3: bytes=56 Sequence=5 ttl=255 time=2 ms
--- 10.0.4.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/6 ms
[R1]ping 10.0.4.4
PING 10.0.4.4: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
You may wish to also try between R1 and S3, and between R3 and S4.
Use the hybrid port link type to allow VLAN tagging to be closely managed at a port interface level. We shall use hybrid ports to allow tagged frames from VLAN 4 to be received by VLAN 2 and vice versa.
Set the port link type of port interface Gigabit Ethernet 0/0/1 on S1 and the interfaces Gigabit Ethernet 0/0/3 and 0/0/24 of S2 as hybrid ports. Additionally, set the hybrid ports to untag all frames associated with VLAN 2 and 4.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]undo port default vlan
[S1-GigabitEthernet0/0/1]port link-type hybrid
[S1-GigabitEthernet0/0/1]port hybrid untagged vlan 2 4
[S1-GigabitEthernet0/0/1]port hybrid pvid vlan 4
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]undo port default vlan
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 2 4
[S2-GigabitEthernet0/0/3]port hybrid pvid vlan 4
[S2-GigabitEthernet0/0/3]quit
[S2]interface GigabitEthernet 0/0/24
[S2-GigabitEthernet0/0/24]undo port default vlan
[S2-GigabitEthernet0/0/24]port link-type hybrid
[S2-GigabitEthernet0/0/24]port hybrid untagged vlan 2 4
[S2-GigabitEthernet0/0/24]port hybrid pvid vlan 2
The port hybrid pvid vlan command will ensure frames received from the host are tagged with the appropriate VLAN tag. Frames received from VLAN 2 or 4 will be untagged at the interface before being forwarded to the host.
Use the ping command to verify that R3 in VLAN 4 is still reachable.
<R1>ping 10.0.4.3
PING 10.0.4.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.3: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.0.4.3: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 10.0.4.3: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 10.0.4.3: bytes=56 Sequence=5 ttl=255 time=1 ms
Use the ping command to test whether S4 in VLAN 2 is now reachable from R1
in VLAN 4.
<R1>ping 10.0.4.4
PING 10.0.4.4: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.4: bytes=56 Sequence=1 ttl=255 time=41 ms
Reply from 10.0.4.4: bytes=56 Sequence=2 ttl=254 time=2 ms
Reply from 10.0.4.4: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.0.4.4: bytes=56 Sequence=4 ttl=254 time=2 ms
Reply from 10.0.4.4: bytes=56 Sequence=5 ttl=254 time=2 ms
--- 10.0.4.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/10/41 ms
to be received by VLAN 2 and vice versa,
host address of 10.0.4.2 in VLAN 3.
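The reachability results of this lab can be reproduced with a small model of PVID tagging on ingress and untagged-list checking on egress. This is an added example, not part of the lab guide or of any Huawei tool: the names Port, receivers and can_ping are hypothetical, and the model assumes every frame is flooded (no MAC learning), ignores VLAN 1, and treats Eth-Trunk 1 as passing every VLAN. The ONE_WAY stage is constructed for illustration and shows that an untagged list widened on only one edge port still delivers frames in one direction even though ping fails.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    pvid: int = 1
    untagged: frozenset = frozenset()  # VLANs sent out with the tag removed
    host: str = ""                     # attached end host, if any
    trunk_to: str = ""                 # peer switch when this is an allow-all trunk


def access(switch, name, vlan, host):
    # port link-type access + port default vlan <vlan>
    return Port(switch, name, vlan, frozenset({vlan}), host=host)


def hybrid(switch, name, pvid, untagged, host):
    # port link-type hybrid + port hybrid pvid vlan / port hybrid untagged vlan
    return Port(switch, name, pvid, frozenset(untagged), host=host)


def trunk(switch, name, peer):
    # port link-type trunk + port trunk allow-pass vlan all
    return Port(switch, name, trunk_to=peer)


def receivers(ports, src_host):
    """Return the hosts that receive an untagged frame flooded from src_host."""
    src = next(p for p in ports if p.host == src_host)
    vlan = src.pvid                   # ingress: untagged frame takes the PVID
    if vlan not in src.untagged:      # PVID VLAN is not permitted on the port
        return set()
    seen, todo, hosts = set(), [src.switch], set()
    while todo:
        sw = todo.pop()
        if sw in seen:
            continue
        seen.add(sw)
        for p in ports:
            if p.switch != sw or p is src:
                continue
            if p.trunk_to:            # the tag is kept across the trunk
                todo.append(p.trunk_to)
            elif vlan in p.untagged:  # egress: tag stripped, frame delivered
                hosts.add(p.host)
    return hosts


def can_ping(ports, a, b):
    # Echo request and echo reply must both be delivered.
    return b in receivers(ports, a) and a in receivers(ports, b)


TRUNKS = [trunk("S1", "Eth-Trunk1", "S2"), trunk("S2", "Eth-Trunk1", "S1")]

# Step 3 of the lab: every host-facing port is an access port.
ACCESS_STAGE = TRUNKS + [
    access("S1", "GE0/0/1", 4, "R1"),
    access("S1", "GE0/0/13", 3, "S3"),
    access("S2", "GE0/0/3", 4, "R3"),
    access("S2", "GE0/0/24", 2, "S4"),
]

# After the hybrid configuration: VLAN 2 and 4 are untagged on three edge ports.
HYBRID_STAGE = TRUNKS + [
    hybrid("S1", "GE0/0/1", 4, {2, 4}, "R1"),
    access("S1", "GE0/0/13", 3, "S3"),
    hybrid("S2", "GE0/0/3", 4, {2, 4}, "R3"),
    hybrid("S2", "GE0/0/24", 2, {2, 4}, "S4"),
]

# Constructed case: only the S4-facing port was changed to hybrid.
ONE_WAY = TRUNKS + [
    access("S1", "GE0/0/1", 4, "R1"),
    hybrid("S2", "GE0/0/24", 2, {2, 4}, "S4"),
]

if __name__ == "__main__":
    for label, ports in (("access", ACCESS_STAGE), ("hybrid", HYBRID_STAGE)):
        for dst in ("R3", "S4", "S3"):
            print(label, "R1 ->", dst, "ping ok:", can_ping(ports, "R1", dst))
    print("one-way R1 frames reach:", sorted(receivers(ONE_WAY, "R1")))
    print("one-way S4 frames reach:", sorted(receivers(ONE_WAY, "S4")))
```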
Final Configuration
[R1]display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 10.0.4.1 255.255.255.0
#
return
[S3]display current-configuration
#
shutdown
#
return
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 2 to 4
#
lacp priority 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/1
port hybrid pvid vlan 4
port hybrid untagged vlan 2 4
#
interface GigabitEthernet0/0/9
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 3
#
return
[S2]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
vlan batch 2 4
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 4
port hybrid untagged vlan 2 4
#
interface GigabitEthernet0/0/9
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/24
port hybrid pvid vlan 2
port hybrid untagged vlan 2 4
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[R3]display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
interface GigabitEthernet0/0/2
ip address 10.0.4.3 255.255.255.0
#
return
[S4]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S4
#
interface Vlanif1
ip address 10.0.4.4 255.255.255.0
#
interface Ethernet0/0/14
shutdown
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of GVRP.
Setting of the GVRP registration mode.
Topology
Figure 1.3 GVRP topology
Scenario
The enterprise network contains multiple switches which are expected to be regularly managed. VLANs are required to be applied and removed as necessary on all switches however this tends to be a laborious task for the administrator and often configuration mistakes occur due to human error. The administrator wishes to simplify the VLAN management process and has requested that GVRP be enabled on all switches and the registration mode on the interfaces be set.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.
<Quidway>system-view
[Quidway]sysname S1
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]shutdown
[S1-GigabitEthernet0/0/9]quit
[S1]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]shutdown
<Quidway>system-view
[Quidway]sysname S2
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]shutdown
[S2-GigabitEthernet0/0/9]quit
[S2]interface GigabitEthernet 0/0/10
[S2-GigabitEthernet0/0/10]shutdown
<Quidway>system-view
[Quidway]sysname S3
[S3]interface Ethernet 0/0/23
[S3-Ethernet0/0/23]shutdown
<Quidway>system-view
[Quidway]sysname S4
[S4]interface Ethernet 0/0/14
[S4-Ethernet0/0/14]shutdown
Step 2 Clean up the previous configuration
Remove the unused VLANs and disable the Eth-Trunk interface on S1 and S2. Remove Vlanif1 on S3 and S4 and bring up interface Ethernet 0/0/1 on S3.
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]undo shutdown
[S3-Ethernet0/0/1]quit
[S3]undo interface Vlanif 1
Info: This operation may take a few seconds. Please wait for a moment...succeeded.
[S4]undo interface Vlanif 1
Info: This operation may take a few seconds. Please wait for a moment...succeeded.
Step 3 Configure trunk links between the switches.
[S1]interface GigabitEthernet 0/0/13
[S1-Gigabitethernet0/0/13]port link-type trunk
[S1-Gigabitethernet0/0/13]port trunk allow-pass vlan all
[S3]interface Ethernet 0/0/13
[S3-Ethernet0/0/13]port link-type trunk
[S3-Ethernet0/0/13]port trunk allow-pass vlan all
[S3-Ethernet0/0/13]quit
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]port link-type trunk
[S3-Ethernet0/0/1]port trunk allow-pass vlan all
[S2]interface GigabitEthernet 0/0/24
[S2-Gigabitethernet0/0/24]port link-type trunk
[S2-Gigabitethernet0/0/24]port trunk allow-pass vlan all
[S4]interface Ethernet 0/0/24
[S4-Ethernet0/0/24]port link-type trunk
[S4-Ethernet0/0/24]port trunk allow-pass vlan all
[S4-Ethernet0/0/24]quit
[S4]interface Ethernet 0/0/1
[S4-Ethernet0/0/1]port link-type trunk
[S4-Ethernet0/0/1]port trunk allow-pass vlan all
[S1]gvrp
[S1]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]gvrp
[S3]gvrp
/ e
[S3]interface Ethernet 0/0/13
om
[S3-Ethernet0/0/13]gvrp
[S3-Ethernet0/0/13]quit
. c
[S3]interface Ethernet 0/0/1
e i
aw
[S3-Ethernet0/0/1]gvrp
h u
[S2]gvrp
g.
n
[S2]interface GigabitEthernet 0/0/24
[S2-Gigabitethernet0/0/24]gvrp
n i
[S4]gvrp
e ar
[S4]interface Ethernet0/0/24
l
//
[S4-Ethernet0/0/24]gvrp
[S4-Ethernet0/0/24]quit
p :
tt
[S4]interface Ethernet 0/0/1
h
[S4-Ethernet0/0/1]gvrp
s:
Create VLAN 100 on S1, VLAN 200 on S2 and VLAN 2 on S1, S2, S3 and S4.
[S1]vlan batch 2 100
[S2]vlan batch 2 200
[S3]vlan 2
[S4]vlan 2
Run the display gvrp statistics command on S3 and S4 to view the GVRP
statistics.
[S3]display gvrp statistics
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP last PDU origin : 5489-98ec-f012
GVRP registration type : Normal
GVRP statistics on port Ethernet0/0/24
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 4c1f-cc45-aacc
GVRP registration type : Normal
The registration type is set as normal by default. Use the display vlan
command to verify the VLAN configuration on S3 and S4.
[S3]display vlan
The total number of vlans is : 4
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(D)
2 common TG:Eth0/0/1(U) Eth0/0/13(U)
[S4]display vlan
The total number of vlans is : 4
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(D) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(U)
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/1(U) Eth0/0/24(U)
100 dynamic TG:Eth0/0/1(U)
200 dynamic TG:Eth0/0/24(U)
output omitted
direction. VLAN 2 has been statically defined. Create VLAN 200 on S1 and
VLAN 100 on S2 to enable 2-way propagation.
[S1]vlan 200
[S2]vlan 100
Run the display vlan command to verify the configuration.
[S3]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(D)
[S4]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(D) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(U)
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/1(U) Eth0/0/24(U)
100 dynamic TG:Eth0/0/1(U) Eth0/0/24(U)
200 dynamic TG:Eth0/0/1(U) Eth0/0/24(U)
output omitted
The highlighted entries indicate the interfaces that have been added to
VLAN100 and VLAN200 on both S3 and S4.
Step 2 Change the registration type for the interfaces
Change the registration type of Ethernet 0/0/1 on S3 to fixed. The same steps
can be performed on Ethernet 0/0/1 of S4.
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]gvrp registration fixed
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 12
GVRP registration type : Fixed
Run the display vlan command to view the effect of the fixed registration type.
[S3]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(D)
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/1(U) Eth0/0/13(U)
100 dynamic TG:Eth0/0/13(U)
200 dynamic TG:Eth0/0/13(U)
The highlighted entries show that interface Ethernet 0/0/1 is not registering
dynamic VLANs 100 and 200.
Configure interface Ethernet 0/0/1 of S3 to use the forbidden registration type.
The same steps can be performed on Ethernet 0/0/1 of S4.
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]gvrp registration forbidden
Run the display gvrp statistics command to view the changes to GVRP.
[S3]display gvrp statistics interface Ethernet 0/0/1
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 18
GVRP last PDU origin : 5489-98ec-f012
GVRP registration type : Forbidden
The GVRP registration type is set to forbidden on the Ethernet 0/0/1 interface.
Run the display vlan command to view the effect of the forbidden registration.
[S3]display vlan
The total number of vlans is : 4
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(D)
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/13(U)
100 dynamic TG:Eth0/0/13(U)
200 dynamic TG:Eth0/0/13(U)
Forbidden mode only allows VLAN 1 to pass over interface Ethernet 0/0/1; all
other VLANs are restricted.
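The following Python parser is an added example, not part of the lab guide: it reads display vlan output in the layout shown above, lists which ports carry GVRP-registered (dynamic) VLANs, and flags any dynamic VLAN that is missing from an expected VLAN plan. The two sample outputs are constructed from rows on this page; the function names and the approved-VLAN set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: S4 with the default (normal) registration type,
# after VLAN 100 and VLAN 200 have propagated in both directions.
S4_NORMAL = """\
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(U)
2 common TG:Eth0/0/1(U) Eth0/0/24(U)
100 dynamic TG:Eth0/0/1(U) Eth0/0/24(U)
200 dynamic TG:Eth0/0/1(U) Eth0/0/24(U)
"""

# Constructed sample: S3 after "gvrp registration fixed" on Ethernet 0/0/1.
S3_FIXED = """\
VID Type Ports
----------------------------------------------------------------------------
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
2 common TG:Eth0/0/1(U) Eth0/0/13(U)
100 dynamic TG:Eth0/0/13(U)
200 dynamic TG:Eth0/0/13(U)
"""

# A new VLAN row starts with "<vid> common|dynamic"; other rows continue it.
ROW = re.compile(r"^(\d+)\s+(common|dynamic)\b(.*)$")
# One port entry, optionally prefixed by UT: or TG:, with its (U)/(D) state.
PORT = re.compile(r"(?:(UT|TG):)?([A-Za-z][A-Za-z0-9/-]*)\((U|D)\)")


def parse_display_vlan(text):
    """Return {vid: {"type": str, "UT": [ports], "TG": [ports]}}."""
    vlans = {}
    current = None
    mode = None  # UT or TG; stays in force until the next prefix
    for line in text.splitlines():
        line = line.strip()
        row = ROW.match(line)
        if row:
            current = vlans[int(row.group(1))] = {
                "type": row.group(2), "UT": [], "TG": []}
            mode = None
            rest = row.group(3)
        elif current is not None and PORT.search(line):
            rest = line  # continuation row of the current VLAN
        else:
            continue  # legend, separators, "output omitted"
        for tag, port, _state in PORT.findall(rest):
            mode = tag or mode
            if mode:
                current[mode].append(port)
    return vlans


def dynamic_vlans_by_port(vlans):
    """Map each port to the dynamic (GVRP-registered) VLANs it carries."""
    by_port = defaultdict(list)
    for vid in sorted(vlans):
        if vlans[vid]["type"] == "dynamic":
            for port in vlans[vid]["TG"] + vlans[vid]["UT"]:
                by_port[port].append(vid)
    return dict(by_port)


def unapproved_dynamic(vlans, approved):
    """List (vid, port) pairs for dynamic VLANs outside the approved plan."""
    found = dynamic_vlans_by_port(vlans)
    return [(vid, port) for port in sorted(found)
            for vid in found[port] if vid not in approved]


if __name__ == "__main__":
    print(dynamic_vlans_by_port(parse_display_vlan(S4_NORMAL)))
    print(dynamic_vlans_by_port(parse_display_vlan(S3_FIXED)))
    # Assumed plan for illustration: only VLAN 2 and VLAN 100 are expected.
    print(unapproved_dynamic(parse_display_vlan(S4_NORMAL), {2, 100}))
```

With the fixed registration type, Ethernet 0/0/1 no longer appears in the per-port result, which matches the display vlan output above.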
Final Configuration
[S1]dis current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 2 100 200
#
gvrp
#
interface Eth-Trunk1
shutdown
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/1
port hybrid untagged vlan 2 4
#
interface GigabitEthernet0/0/9
shutdown
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
shutdown
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/13
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
[S2]dis current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
vlan batch 2 100 200
#
gvrp
#
interface Eth-Trunk1
shutdown
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/3
port hybrid untagged vlan 2 4
#
interface GigabitEthernet0/0/9
shutdown
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
shutdown
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
[S3]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S3
#
vlan batch 2
#
gvrp
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration forbidden
#
interface Ethernet0/0/13
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
interface Ethernet0/0/23
shutdown
#
return
[S4]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S4
#
vlan batch 2
#
gvrp
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration forbidden
#
interface Ethernet0/0/14
shutdown
#
interface Ethernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Establishment of a trunk interface for VLAN routing.
Configuration of sub-interfaces on a single physical interface.
Enabling of ARP messages to be broadcast between VLANs.
Topology
Figure 1.4 VLAN routing topology using a layer 2 switch.
Scenario
The implementation of VLANs in the enterprise network has resulted in groups
of users being isolated from other users that are part of different subnets. As
the network administrator you have been given the task to ensure that the
broadcast domains are maintained whilst allowing communication between the
disparate users.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.
Configure the system name for R1, R3 and S1. Configure the IP address
10.0.4.1/24 on interface Gigabit Ethernet 0/0/1.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3

<Quidway>system-view
[Quidway]sysname S1
Step 2 Clean up the previous configuration
Remove the IP address 10.0.4.3 from R3, and disable the switch interfaces
between S1 and S3 and S2 and S4 respectively.
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]undo ip address

[S1]undo gvrp
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-GigabitEthernet0/0/13]undo port trunk allow-pass vlan 2 to 4094
[S1-GigabitEthernet0/0/13]shutdown
[S1-GigabitEthernet0/0/13]quit
[S1]interface GigabitEthernet 0/0/1

[S2]undo gvrp
Warning: All information about the GVRP will be deleted . Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]interface GigabitEthernet 0/0/24
[S2-GigabitEthernet0/0/24]undo port trunk allow-pass vlan 2 to 4094
[S2-GigabitEthernet0/0/24]shutdown
[S2-GigabitEthernet0/0/24]quit
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]undo port hybrid vlan 2 4
[S2-GigabitEthernet0/0/3]quit
[S2]undo vlan batch 2 100 200
Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.

[S3]undo gvrp
Warning: All information about the GVRP will be deleted . Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
[S3]interface Ethernet 0/0/13
[S3-Ethernet0/0/13]undo port trunk allow-pass vlan 2 to 4094
[S3-Ethernet0/0/13]port link-type hybrid
[S3-Ethernet0/0/13]quit
[S3]interface Ethernet 0/0/1
[S3-Ethernet0/0/1]undo port trunk allow-pass vlan 2 to 4094
[S3-Ethernet0/0/1]quit
[S3]undo vlan 2

[S4]undo gvrp
Warning: All information about the GVRP will be deleted . Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
[S4]interface Ethernet 0/0/24
[S4-Ethernet0/0/24]undo port trunk allow-pass vlan 2 to 4094
[S4-Ethernet0/0/24]quit
[S4]interface Ethernet 0/0/1
[S4-Ethernet0/0/1]undo port trunk allow-pass vlan 2 to 4094
[S4-Ethernet0/0/1]quit
[S4]undo vlan 2
Step 4 Establish two VLANs
Create VLANs 4 and 8 on S1, configure interface Gigabit Ethernet 0/0/1 to
belong to VLAN 4, and interface Gigabit Ethernet 0/0/3 to belong to VLAN 8.
[S1]vlan batch 4 8
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 4
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 8
[S1-GigabitEthernet0/0/3]quit
Set interface Gigabit Ethernet 0/0/2 as a trunk link for VLANs 4 and 8.
[S1]interface GigabitEthernet0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 4 8
Step 5 Configure VLAN routing through the sub-interface of R2
Configure sub-interfaces GigabitEthernet0/0/1.1 and GigabitEthernet0/0/1.3,
to act as the gateway of VLAN 4, and act as the gateway of VLAN 8.
<Huawei>system-view
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1.1
[R2-GigabitEthernet0/0/1.1]ip address 10.0.4.254 24
[R2-GigabitEthernet0/0/1.1]dot1q termination vid 4
PING 10.0.8.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.8.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
Configure a default route on R1 and R3.
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.8.254
Test connectivity between R1 and R3 again.
<R1>ping 10.0.8.1
PING 10.0.8.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.8.1: bytes=56 Sequence=1 ttl=254 time=10 ms
Reply from 10.0.8.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.0.8.1: bytes=56 Sequence=4 ttl=254 time=10 ms
Reply from 10.0.8.1: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 10.0.8.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/4/10 ms
[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
10.0.4.0/24 Direct 0 0 D 10.0.4.254 GigabitEthernet0/0/1.1
10.0.4.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1.1
10.0.4.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1.1
10.0.8.0/24 Direct 0 0 D 10.0.8.254 GigabitEthernet0/0/1.3
10.0.8.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1.3
10.0.8.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1.3
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Final Configuration
[R1]display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 10.0.4.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return
[R2]display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 4
ip address 10.0.4.254 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1.3
dot1q termination vid 8
ip address 10.0.8.254 255.255.255.0
arp broadcast enable
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return
[R3]dis current-configuration
[V200R003C00SPC200]
#
sysname R3
#
interface GigabitEthernet0/0/1
ip address 10.0.8.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.8.254
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
#
return
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 4 8
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 4 8
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 8
#
user-interface con 0
user-interface vty 0 4
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of VLAN interfaces.
Establishment of VLAN routing on a single switch.
Perform VLAN routing over an Ethernet Trunk link.
Perform dynamic routing between VLAN interfaces using OSPF.
Topology
Figure 5.5 Layer 3 switching topology
Scenario
network administrator has been given the task to implement VLAN routing
opportunities
using only the layer three switches to support communication between the
of inter VLAN communication. Additionally S1 and S2 are expected to
communicate over a Layer 3 for which routing protocol support is required.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.
Configure R1 with the address 10.0.4.1/24 on interface Gigabit Ethernet 0/0/1.
Establish an Eth-Trunk between S1 and S2. Disable any unnecessary interfaces
on S1 and S2 to S3 and S4.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3

<Quidway>system-view
[Quidway]sysname S1
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]mode lacp-static
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan all
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/9
[S1-GigabitEthernet0/0/9]eth-trunk 1
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
[S1-GigabitEthernet0/0/10]eth-trunk 1

<Quidway>system-view
[Quidway]sysname S2
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]mode lacp-static
[S2-Eth-Trunk1]port link-type trunk
[S2-Eth-Trunk1]port trunk allow-pass vlan all
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/9
[S2-GigabitEthernet0/0/9]eth-trunk 1

<Quidway>system-view
[Quidway]sysname S3
[S3]interface Ethernet 0/0/23
[S3-Ethernet0/0/23]shutdown

<Quidway>system-view
[Quidway]sysname S4
[S4]interface Ethernet 0/0/14
[S4-Ethernet0/0/14]shutdown
Step 2 Clean up the previous configuration
Remove the VLAN routing configuration and sub-interfaces on the devices.
[R1]undo ip route-static 0.0.0.0 0

[R2]undo interface GigabitEthernet 0/0/1.1
[R2]undo interface GigabitEthernet 0/0/1.3

[R3]interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1]undo ip address
[R3-GigabitEthernet0/0/1]quit
[R3]undo ip route-static 0.0.0.0 0

[S1]undo vlan batch 4 8
Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 4 8
[S1-GigabitEthernet0/0/2]quit
[S1]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]undo shutdown
[S2]interface GigabitEthernet0/0/24
[S2-GigabitEthernet0/0/24]undo shutdown
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]undo shutdown
[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]undo shutdown
Step 3 Configure VLAN 3 through to VLAN 7 for S1 and S2.
[S1]vlan batch 3 to 7
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]vlan batch 3 to 7
Info: This operation may take a few seconds. Please wait for a moment...done.
Verify that the VLANs have been created.
[S1]display vlan
The total number of vlans is : 6
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(D) GE0/0/3(U) GE0/0/4(U)
GE0/0/5(U) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D)
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
GE0/0/19(D) GE0/0/20(D) GE0/0/21(U) GE0/0/22(U)
GE0/0/23(U) GE0/0/24(D) Eth-Trunk1(U)
3 common TG:Eth-Trunk1(U)
4 common TG:Eth-Trunk1(U)
5 common TG:Eth-Trunk1(U)
6 common TG:Eth-Trunk1(U)
7 common TG:Eth-Trunk1(U)
output omitted
[S2]display vlan
The total number of vlans is : 6
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(D) GE0/0/3(U) GE0/0/4(U)
GE0/0/5(U) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/11(U) GE0/0/12(U) GE0/0/13(U) GE0/0/14(D)
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
GE0/0/23(D) GE0/0/24(D) Eth-Trunk1(U)
3 common TG:Eth-Trunk1(U)
4 common TG:Eth-Trunk1(U)
5 common TG:Eth-Trunk1(U)
6 common TG:Eth-Trunk1(U)
7 common TG:Eth-Trunk1(U)
Step 4 Set the Eth-Trunk link between S1 and S2 with PVID 5.
Add interfaces Gigabit Ethernet 0/0/1 and 0/0/13 of S1 to VLAN 4 and VLAN 3
respectively. For S2, add interfaces Gigabit Ethernet 0/0/3 and G0/0/24 to
VLAN 6 and VLAN 7 respectively.
[S1]interface Eth-Trunk 1
[S1-Eth-Trunk1]port trunk pvid vlan 5
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 4
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/13
[S1-GigabitEthernet0/0/13]port link-type access
[S1-GigabitEthernet0/0/13]port default vlan 3

[S2]interface Eth-Trunk 1
[S2-Eth-Trunk1]port trunk pvid vlan 5
[S2-Eth-Trunk1]quit
[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type access
[S2-GigabitEthernet0/0/3]port default vlan 6
[S2-GigabitEthernet0/0/3]quit
[S2]interface GigabitEthernet 0/0/24
[S2-GigabitEthernet0/0/24]port link-type access
[S2-GigabitEthernet0/0/24]port default vlan 7
<S1>display vlan
The total number of vlans is : 6
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/2(D) GE0/0/3(U) GE0/0/4(U) GE0/0/5(U)
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(D)
GE0/0/12(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(U) GE0/0/22(U) GE0/0/23(U) GE0/0/24(D)
Eth-Trunk1(U)
3 common UT:GE0/0/13(U)
TG:Eth-Trunk1(U)
4 common UT:GE0/0/1(U)
TG:Eth-Trunk1(U)
5 common TG:Eth-Trunk1(U)
6 common TG:Eth-Trunk1(U)
7 common TG:Eth-Trunk1(U)
output omitted
<S2>display vlan
The total number of vlans is : 6
output omitted
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(U)
GE0/0/12(U) GE0/0/13(U) GE0/0/14(D) GE0/0/15(D)
GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D)
Eth-Trunk1(U)
3 common TG:Eth-Trunk1(U)
4 common TG:Eth-Trunk1(U)
5 common TG:Eth-Trunk1(U)
6 common UT:GE0/0/3(U)
TG:Eth-Trunk1(U)
7 common UT:GE0/0/24(U)
TG:Eth-Trunk1(U)
Configure IP addresses for Vlanif3, Vlanif4, and Vlanif5 on S1, and for Vlanif5,
Vlanif6, and Vlanif7 on S2.
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 10.0.3.254 24
[S1-Vlanif3]interface Vlanif 4
[S1-Vlanif4]ip address 10.0.4.254 24
[S1-Vlanif4]interface Vlanif 5
[S1-Vlanif5]ip address 10.0.5.1 24

[S2]interface Vlanif 5
[S2-Vlanif5]ip address 10.0.5.2 24
[S2-Vlanif5]interface Vlanif 6
[S2-Vlanif6]ip address 10.0.6.254 24
[S2-Vlanif6]interface Vlanif 7
[S2-Vlanif7]ip address 10.0.7.254 24
Step 6 IP addressing and default routes for R1, R3, S3 and S4.
IP addresses on a switch must be assigned to a Vlanif, where Vlanif1 is a
common (untagged) Vlanif. Interfaces Ethernet 0/0/13 of S3 and Ethernet
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.254

[S3]interface Vlanif 1
[S3-Vlanif1]ip address 10.0.3.3 24
[S3-Vlanif1]quit
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.3.254

[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.6.3 24
[R3-GigabitEthernet0/0/2]quit

[S4]interface Vlanif 1
[S4-Vlanif1]ip address 10.0.7.4 24
[S4-Vlanif1]quit
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.7.254
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/10/37 ms
Test connectivity between R3 and R1.
<R1>ping 10.0.6.3
PING 10.0.6.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.6.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The connectivity between R1 and R3 fails. Use the tracert command to
troubleshoot the fault:
[R1]tracert 10.0.6.3
traceroute to 10.0.6.3(10.0.6.3), max hops: 30 ,packet length: 40,press CTRL_C
to break
1 10.0.4.254 17 ms 4 ms 4 ms
2 * * *
According to the command output, R1 has sent data packets to the destination
address 10.0.6.3, but the gateway at 10.0.4.254 responds that the network is
unreachable.
Check whether the network is unreachable on the gateway (S1).
[S1]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.4.0/24 Direct 0 0 D 10.0.4.254 Vlanif4
10.0.4.254/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.5.0/24 Direct 0 0 D 10.0.5.1 Vlanif5
10.0.5.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0
According to the command output, S1 does not have a route to the network
segment 10.0.6.0 because the network segment is not directly connected to
Step 8 Enable OSPF on S1 and S2.
[S1]ospf
[S1-ospf-1]area 0
[S1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[S2]ospf
[S2-ospf-1]area 0
[S2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
After the configuration, wait until S1 and S2 exchange OSPF routes and
complete the link state database, then view the resulting routing table of S1.
[S1]display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.3.0/24 Direct 0 0 D 10.0.3.254 Vlanif3
10.0.3.254/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.4.0/24 Direct 0 0 D 10.0.4.254 Vlanif4
10.0.4.254/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.5.0/24 Direct 0 0 D 10.0.5.1 Vlanif5
10.0.5.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.6.0/24 OSPF 10 2 D 10.0.5.2 Vlanif5
10.0.7.0/24 OSPF 10 2 D 10.0.5.2 Vlanif5
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
S1 has learned two routes using OSPF. Test connectivity between R1 and R3.
[R1]ping 10.0.6.3
PING 10.0.6.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.3: bytes=56 Sequence=1 ttl=253 time=11 ms
Reply from 10.0.6.3: bytes=56 Sequence=2 ttl=253 time=1 ms
Reply from 10.0.6.3: bytes=56 Sequence=3 ttl=253 time=10 ms
Reply from 10.0.6.3: bytes=56 Sequence=4 ttl=253 time=1 ms
Reply from 10.0.6.3: bytes=56 Sequence=5 ttl=253 time=1 ms
--- 10.0.6.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
[R1]ping 10.0.7.4
PING 10.0.7.4: 56 data bytes, press CTRL_C to break
Reply from 10.0.7.4: bytes=56 Sequence=1 ttl=253 time=30 ms
Reply from 10.0.7.4: bytes=56 Sequence=2 ttl=252 time=2 ms
Reply from 10.0.7.4: bytes=56 Sequence=3 ttl=252 time=3 ms
Reply from 10.0.7.4: bytes=56 Sequence=4 ttl=252 time=2 ms
Reply from 10.0.7.4: bytes=56 Sequence=5 ttl=252 time=2 ms
--- 10.0.7.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/7/30 ms
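The following Python check is an added example, not part of the lab guide: it applies the wildcard mask of the network 10.0.0.0 0.255.255.255 statement from Step 8 to the Vlanif addresses configured on S1 and reports every interface on which that statement enables OSPF. The configuration text is constructed from the S1 commands on this page; the function names and the choice of Vlanif5 as the only transit interface are assumptions.

```python
import ipaddress

# Constructed from the S1 layer 3 configuration used in this lab.
S1_CONFIG = """\
#
interface Vlanif3
ip address 10.0.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
return
"""


def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip, network, wildcard):
    """True if ip equals network in every bit where the wildcard bit is 0."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(ip) & care) == (_u32(network) & care)


def parse_l3_config(text):
    """Return ({interface: ip}, [(area, network, wildcard)]) from a config."""
    interfaces, networks = {}, []
    section = area = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            section = area = None          # "#" closes the current stanza
        elif words[0] == "interface":
            section = ("interface", words[1])
        elif words[0] == "ospf":
            section = ("ospf", None)
        elif section is None:
            continue                        # global command, not needed here
        elif section[0] == "interface" and words[:2] == ["ip", "address"]:
            interfaces[section[1]] = words[2]
        elif section[0] == "ospf" and words[0] == "area":
            area = words[1]
        elif section[0] == "ospf" and words[0] == "network" and area:
            networks.append((area, words[1], words[2]))
    return interfaces, networks


def ospf_enabled_interfaces(interfaces, networks):
    """Map each interface matched by a network statement to its area."""
    enabled = {}
    for name, ip in interfaces.items():
        for area, network, wildcard in networks:
            if wildcard_match(ip, network, wildcard):
                enabled[name] = area
                break
    return enabled


def non_transit_ospf(interfaces, networks, transit):
    """OSPF-enabled interfaces that are not in the expected transit set."""
    enabled = ospf_enabled_interfaces(interfaces, networks)
    return sorted(name for name in enabled if name not in transit)


if __name__ == "__main__":
    ifaces, nets = parse_l3_config(S1_CONFIG)
    print(ospf_enabled_interfaces(ifaces, nets))
    # Assumption: only Vlanif5 (the S1 to S2 link) needs an OSPF neighbour.
    print(non_transit_ospf(ifaces, nets, {"Vlanif5"}))
```

Narrowing the statement to 10.0.5.0 0.0.0.255 would also stop S1 advertising 10.0.3.0/24 and 10.0.4.0/24; the VRP OSPF silent-interface command keeps those networks advertised while suppressing OSPF packets on the host-facing Vlanif interfaces.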
Final Configuration
[R1]display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 10.0.4.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return
[S1]display current-configuration
#
sysname S1
#
vlan batch 3 to 7
#
interface Vlanif3
ip address 10.0.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet0/0/9
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
lacp priority 100
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 3
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
[S2]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
vlan batch 3 to 7
#
interface Vlanif5
ip address 10.0.5.2 255.255.255.0
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface Vlanif7
ip address 10.0.7.254 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 6
#
interface GigabitEthernet0/0/9
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/10
eth-trunk 1
undo negotiation auto
speed 100
#
interface GigabitEthernet0/0/24
port default vlan 7
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
user-interface con 0
user-interface vty 0 4
#
return
[S3]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S3
#
interface Vlanif1
ip address 10.0.3.3 255.255.255.0
#
interface Ethernet0/0/23
shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.3.254
#
user-interface con 0
user-interface vty 0 4
#
return
[S4]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S4
#
undo http server enable
#
drop illegal-mac alarm
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
ip address 10.0.7.4 255.255.255.0
#
interface Ethernet0/0/14
shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.7.254
#
user-interface con 0
user-interface vty 0 4
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Establish HDLC encapsulation as the serial link layer protocol.
Change the DCE clock baud rate on a serial link.
Establish PPP encapsulation as the serial link layer protocol.
Implementation of PAP authentication on the PPP link.
Implementation of CHAP authentication on the PPP link.
Topology
Figure 2.1 HDLC and PPP configuration topology
Scenario
As an expanding enterprise business, multiple branch offices have been
established and are to be part of the company's administrative domain. WAN
solutions are required and as the network administrator the company you have
HQ, and R1 and R3 are located in branch offices. The HQ and branches need
to be established as a single administrative domain. Use HDLC and PPP on
the WAN links, and establish authentication as a simple security measure.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
Step 2 Clean up the previous configuration
Remove the static routes to R2 and disable the Ethernet interfaces to avoid
creating alternative routes. Remove any unnecessary VLAN configuration.
[R1]undo ip route-static 0.0.0.0 0
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]shutdown
[R3]undo ip route-static 0.0.0.0 0
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]shutdown
[S1]undo interface Vlanif 3
[S1]undo vlan batch 3 5 to 7
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]undo port default vlan
[S1-GigabitEthernet0/0/1]quit
[S1]undo ospf 1
[S4]undo interface Vlanif 1
Step 3 Configure serial interface IP addressing for R1, R2 & R3
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
Step 4 Enable the HDLC protocol on the serial interfaces.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol hdlc
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
After HDLC is enabled on the serial interfaces, view the serial interface status.
The displayed information for R1 should be used as an example.
[R1]display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-10 11:25:08
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time : 2013-12-10 11:23:55
Last physical down time : 2013-12-10 11:23:55
Current system time: 2013-12-10 11:25:46
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V24, Clock mode is DCECLK
Last 300 seconds input rate 3 bytes/sec 24 bits/sec 0 packets/sec
Last 300 seconds output rate 3 bytes/sec 24 bits/sec 0 packets/sec
Input: 100418 packets, 1606804 bytes
Broadcast: 0, Multicast: 0
Errors: 0, Runts: 0
Giants: 0, CRC: 0
Alignments: 0, Overruns: 0
Dribbles: 0, Aborts: 0
No Buffers: 0, Frame Error: 0
Output: 100418 packets, 1606830 bytes
Total Error: 0, Overruns: 0
Collisions: 0, Deferred: 0
No Buffers: 0
Input bandwidth utilization : 0.06%
Test connectivity of the directly connected link after verifying that the physical
status and protocol status of the interface are Up.
<R2>ping 10.0.12.1
PING 10.0.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=44 ms
Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=39 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=39 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=39 ms
--- 10.0.12.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 39/40/44 ms
[R2]ping 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=44 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=39 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=39 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=39 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 39/40/44 ms
Step 5 Configure RIPv2.
Enable the RIP routing protocol to advertise the remote networks of R1 & R3.
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
[R2]rip
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0
[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 10.0.0.0
After the configuration is complete, check that all the routes have been learned.
Verify that corresponding routes are learned by RIP.
<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.12.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2 Serial1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
On R1, run the ping command to test connectivity between R1 and R3.
<R1>ping 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=254 time=44 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=254 time=39 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=254 time=39 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=254 time=39 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 39/40/44 ms
View the type of the cable connected to the serial interface, interface status,
and clock frequency, and change the clock frequency.
<R1>display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-10 11:25:08
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time : 2013-12-10 11:23:55
Last physical down time : 2013-12-10 11:23:55
Current system time: 2013-12-10 11:51:12
Physical layer is synchronous, Baudrate is 64000 bps
Interface is DCE, Cable type is V24, Clock mode is DCECLK
Last 300 seconds input rate 6 bytes/sec 48 bits/sec 0 packets/sec
Last 300 seconds output rate 4 bytes/sec 32 bits/sec 0 packets/sec
output omitted
The preceding information shows that S1/0/0 on R1 connects to a DCE cable
and the clock frequency is 64000 bit/s. The DCE controls the clock frequency
and bandwidth.
Change the clock frequency on the link between R1 and R2 to 128000 bit/s.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]baudrate 128000
After the
<R1>display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-10 11:25:08
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is nonstandard HDLC
Last physical up time : 2013-12-10 11:23:55
Last physical down time : 2013-12-10 11:23:55
Step 7 Configure PPP on the serial interfaces.
Configure PPP between R1 and R2, as well as R2 and R3. Both ends of the
link must use the same encapsulation mode. If different encapsulation modes
are used, interfaces may display as Down.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R2-Serial1/0/0]quit
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]link-protocol ppp
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
<R2>ping 10.0.12.1
PING 10.0.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=22 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=27 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=27 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=27 ms
--- 10.0.12.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 22/26/27 ms
<R2>ping 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=35 ms
Reply from 10.0.23.3: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=40 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 35/39/40 ms
If the ping operation fails, check the interface status and whether the link layer
protocol type is correct.
<R1>display interface Serial1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-10 12:35:41
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time : 2013-12-10 11:57:20
Last physical down time : 2013-12-10 11:57:19
Current system time: 2013-12-10 13:38:03
Physical layer is synchronous, Baudrate is 128000 bps
Interface is DCE, Cable type is V24, Clock mode is DCECLK
Last 300 seconds input rate 7 bytes/sec 56 bits/sec 0 packets/sec
Last 300 seconds output rate 4 bytes/sec 32 bits/sec 0 packets/sec
output omitted
Step 8 Check routing entry changes.
After PPP configuration is complete, routers establish connections at the data
link layer. The local device sends a route to the peer device. The route
contains the interface IP address and a 32-bit mask.
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.12.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2 Serial2/0/0
10.0.23.2/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3 Serial2/0/0
10.0.23.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Think about the origin and functions of the two routes. Check the following
items:
If HDLC encapsulation is used, do these two routes exist?
Step 9 Enable PAP authentication between R1 and R2.
Configure PAP authentication with R1 as the PPP PAP authenticator.
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ppp authentication-mode pap
[R1-Serial1/0/0]quit
[R1]aaa
[R1-aaa]local-user huawei password cipher huawei
<R1>display debugging
PPP PAP packets debugging switch is on
<R1>system-view
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]shutdown
[R1-Serial1/0/0]undo shutdown
Dec 10 2013 14:44:22.440.1+00:00 R1 PPP/7/debug2:
PPP Packet:
Serial1/0/0 Input PAP(c023) Pkt, Len 22
State ServerListen, code Request(01), id 1, len 18
Host Len: 6 Name:huawei
[R1-Serial1/0/0]
Dec 10 2013 14:44:22.440.2+00:00 R1 PPP/7/debug2:
PPP Packet:
Serial1/0/0 Output PAP(c023) Pkt, Len 52
State WaitAAA, code Ack(02), id 1, len 48
Msg Len: 43 Msg:Welcome to use Quidway ROUTER, Huawei Tech.
[R1-Serial1/0/0]return
<R1>undo debugging all
Step 10 Enable CHAP authentication between R2 and R3.
[R3-Serial2/0/0]undo shutdown
On R3, the following information is displayed.
Dec 10 2013 15:06:00+00:00 R3 %%01PPP/4/PEERNOCHAP(l)[5]:On the interface
Serial2/0/0, authentication failed and PPP link was closed because CHAP was
disabled on the peer.
[R3-Serial2/0/0]
Dec 10 2013 15:06:00+00:00 R3 %%01PPP/4/RESULTERR(l)[6]:On the interface
Serial2/0/0, LCP negotiation failed because the result cannot be accepted.
The highlighted output indicates that authentication is unable to initialize.
Configure R2 as the CHAP client.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]ppp chap user huawei
[R2-Serial2/0/0]ppp chap password cipher huawei
After the configuration is complete, the interface changes to an Up state. The
ping command output is as follows:
<R2>ping 10.0.23.3
PING 10.0.23.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.23.3: bytes=56 Sequence=1 ttl=255 time=35 ms
Reply from 10.0.23.3: bytes=56 Sequence=3 ttl=255 time=41 ms
Reply from 10.0.23.3: bytes=56 Sequence=4 ttl=255 time=41 ms
Reply from 10.0.23.3: bytes=56 Sequence=5 ttl=255 time=41 ms
--- 10.0.23.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 35/39/41 ms
Run the debug command to view negotiation of the PPP connection between
R2 and R3. The PPP connection is established using CHAP. Disable interface
Serial 2/0/0 on R2, run the debug command, and enable Serial 2/0/0 on R2.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]shutdown
Run the debugging ppp chap all and the terminal debugging commands to
display the debugging information.
[R2-Serial2/0/0]return
<R2>debugging ppp chap all
<R2>terminal debugging
Info: Current terminal debugging is on.
<R2>display debugging
PPP CHAP packets debugging switch is on
PPP CHAP events debugging switch is on
PPP CHAP errors debugging switch is on
PPP CHAP state change debugging switch is on
Force CHAP authentication to initialize on S2/0/0 of R2.
<R2>system-view
Enter system view, return user view with Ctrl+Z.
[R2]interface Serial 2/0/0
[R2-Serial2/0/0]undo shutdown
The following debugging information is displayed:
Dec 10 2013 09:10:38.700.1+00:00 R2 PPP/7/debug2:
PPP State Change:
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.710.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 25
Value_Size: 16 Value: fc 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87
Name:
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.710.2+00:00 R2 PPP/7/debug2:
PPP Event:
Dec 10 2013 09:10:38.710.4+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : ListenChallenge --> SendResponse
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.720.1+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 20
State SendResponse, code SUCCESS(03), id 1, len 16
Message: Welcome to .
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.720.2+00:00 R2 PPP/7/debug2:
PPP Event:
Serial2/0/0 CHAP Receive Success Event
state SendResponse
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.720.3+00:00 R2 PPP/7/debug2:
PPP State Change:
Serial2/0/0 CHAP : SendResponse --> ClientSuccess
process.
[R2-Serial2/0/0]return
<R2>undo debugging all
Info: All possible debugging has been turned off
Why is the PPP Challenge Handshake Authentication Protocol (CHAP) more
secure than the PPP Password Authentication Protocol (PAP)?
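The PAP and CHAP exchanges captured in the debug output above can be rebuilt byte for byte to compare what each protocol puts on the serial link. This is an added example, not part of the lab guide: it follows the packet layouts of RFC 1334 (PAP) and RFC 1994 (CHAP with MD5), and it assumes the lab user name and password huawei, CHAP identifier 1, and the challenge value printed in the R2 debug output; all function names are the example's own.

```python
import hashlib
import hmac
import struct

# Values taken from the lab: user/password "huawei" and the challenge value
# printed in the R2 CHAP debug output. Identifier 1 is an assumption.
USER = b"huawei"
SECRET = b"huawei"
CHALLENGE = bytes.fromhex("fc 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87")


def _packet(code, ident, data):
    """Common header of PAP and CHAP packets: code, identifier, total length."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request (code 1): peer ID and password are sent as-is."""
    return _packet(1, ident, bytes([len(peer_id)]) + peer_id
                   + bytes([len(password)]) + password)


def chap_challenge(ident, value, name=b""):
    """CHAP Challenge (code 1): a value chosen by the authenticator."""
    return _packet(1, ident, bytes([len(value)]) + value + name)


def chap_hash(ident, secret, value):
    """CHAP with MD5: hash of identifier, shared secret and challenge value."""
    return hashlib.md5(bytes([ident]) + secret + value).digest()


def chap_response(ident, secret, value, name):
    """CHAP Response (code 2): only the hash and the user name cross the link."""
    digest = chap_hash(ident, secret, value)
    return _packet(2, ident, bytes([len(digest)]) + digest + name)


def chap_verify(response, secret, value):
    """Authenticator side: recompute the hash from its own copy of the secret
    and the challenge it issued, then compare in constant time."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != 2 or length != len(response):
        return False
    size = response[4]
    received = response[5:5 + size]
    return hmac.compare_digest(received, chap_hash(ident, secret, value))


if __name__ == "__main__":
    pap = pap_request(1, USER, SECRET)
    # 18 bytes, matching "len 18" in the R1 PAP debug line; the last six
    # bytes are the password itself, readable by anyone capturing the link.
    print("PAP request :", len(pap), "bytes, password on wire:", pap[-len(SECRET):])

    chal = chap_challenge(1, CHALLENGE)
    # 21 bytes; the debug line shows 25 because it counts 4 bytes of PPP header.
    print("CHAP challenge:", len(chal), "bytes")

    resp = chap_response(1, SECRET, CHALLENGE, USER)
    print("CHAP response :", resp[5:21].hex(), "(hash only, no password)")
    print("verifies with right secret :", chap_verify(resp, SECRET, CHALLENGE))
    print("verifies with wrong secret :", chap_verify(resp, b"wrong", CHALLENGE))
    # A captured response is bound to one challenge, so replaying it against
    # a fresh challenge fails.
    print("replay on a new challenge  :", chap_verify(resp, SECRET, bytes(16)))
```
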
Final Configuration
[R1]display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
local-user huawei service-type ppp
#
interface Serial1/0/0
link-protocol ppp
ppp authentication-mode pap
ip address 10.0.12.1 255.255.255.0
baudrate 128000
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return
[R2]display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
interface Serial1/0/0
link-protocol ppp
ppp pap local-user huawei password cipher %$%$u[hr6d<JVHR@->T7xr1<$.iv%$%$
ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
link-protocol ppp
ppp chap user huawei
ppp chap password cipher %$%$e{5h)gh"/Uz0mUC%vEx3$4<m%$%$
ip address 10.0.23.2 255.255.255.0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
set authentication password
cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return
[R3]display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei service-type ppp
#
interface Serial2/0/0
link-protocol ppp
ppp authentication-mode chap
user-interface vty 0 4
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of frame relay interfaces on the customer edge.
Establishment of RIP in a hub and spoke network.
Establishment of OSPF in a hub and spoke (NBMA) network.
Configuration of frame relay interfaces when using the OSPF
point-to-multipoint network type.
Topology
Figure 2.2 Lab topology for frame relay configuration
Scenario
The enterprise network has existing frame relay virtual circuits between the HQ
and some branch offices. A recent change in equipment requires that these
frame relay VCs be re-established. The virtual circuits had been provided by the
service provider at the time the service was first implemented and it is the task
of the administrator to implement the frame relay configuration on the edge
routers for the HQ and branch offices. The administrator must configure frame
relay on the WAN links and perform mapping between the local DLCI and IP
addresses.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
Step 2 Clean up the previous configuration.
Disable the serial interfaces used for establishing the HDLC & PPP networks.
[R2-Serial1/0/0]interface Serial 2/0/0
[R2-Serial2/0/0]shutdown
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]shutdown
Step 3 Establish frame relay encapsulation.
[R2-Serial3/0/0]ip address 10.0.123.2 24
[R2-Serial3/0/0]undo fr inarp
[R2-Serial3/0/0]fr map ip 10.0.123.1 201 broadcast
[R2-Serial3/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
[R3-Serial1/0/0]ip address 10.0.123.3 24
[R3-Serial1/0/0]undo fr inarp
[R3-Serial1/0/0]fr map ip 10.0.123.1 301 broadcast
[R3-Serial1/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
After the IP addresses are configured, test network connectivity.
<R1>ping 10.0.123.2
PING 10.0.123.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.123.2: bytes=56 Sequence=1 ttl=255 time=64 ms
Reply from 10.0.123.2: bytes=56 Sequence=3 ttl=255 time=59 ms
Reply from 10.0.123.2: bytes=56 Sequence=4 ttl=255 time=59 ms
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 59/60/64 ms
<R1>ping 10.0.123.3
PING 10.0.123.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.123.3: bytes=56 Sequence=1 ttl=255 time=64 ms
Reply from 10.0.123.3: bytes=56 Sequence=2 ttl=255 time=59 ms
Reply from 10.0.123.3: bytes=56 Sequence=3 ttl=255 time=59 ms
Reply from 10.0.123.3: bytes=56 Sequence=4 ttl=255 time=59 ms
Reply from 10.0.123.3: bytes=56 Sequence=5 ttl=255 time=59 ms
--- 10.0.123.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 59/60/64 ms
Run the following commands to view the FR encapsulation information for the
R1 interfaces.
<R1>display fr interface Serial 2/0/0
Serial2/0/0, DTE, physical up, protocol up
<R1>display fr lmi-info interface Serial 2/0/0
Frame relay LMI statistics for interface Serial2/0/0 (DTE, Q933)
T391DTE = 10 (hold timer 10)
N391DTE = 6, N392DTE = 3, N393DTE = 4
out status enquiry = 180, in status = 178
status timeout = 0, discarded messages = 0
<R1>display fr map-info interface Serial 2/0/0
Map Statistics for interface Serial2/0/0 (DTE)
DLCI = 102, IP 10.0.123.2, Serial2/0/0
create time = 2011/11/16 09:28:49, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast
DLCI = 103, IP 10.0.123.3, Serial2/0/0
create time = 2011/11/16 09:28:56, status = ACTIVE
Configure RIPv2 on R1, R2 and R3. If you are continuing from the previous
HDLC/PPP lab, the RIP routes for network 10.0.0.0 may have already been
configured, however the automatic summary must still be disabled to uniquely
identify the routes of the peers.
In addition, split horizon is disabled by default on frame relay networks, and so
It is not necessary for the split horizon parameters to be modified in this
exercise.
[R1]rip 1
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
[R1-rip-1]undo summary
[R2]rip 1
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0
[R2-rip-1]undo summary
[R3]rip 1
[R3-rip-1]version 2
[R3-rip-1]network 10.0.0.0
[R3-rip-1]undo summary
View the routing tables on R1, R2, and R3 to check the learned routes.
<R1>display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
Destinations : 2 Routes : 2
RIP routing table status : <Active>
Destinations : 2 Routes : 2
10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial3/0/0
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0
RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
[R3]display ip routing-table protocol rip
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Public routing table : RIP
Destinations : 2 Routes : 2
Destination/Mask
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0
RIP routing table status : <Inactive>
Destinations : 0 Routes : 0
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=63 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=63 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/64/68 ms
Perform the same test to network 10.0.2.2 of R2 from network 10.0.3.3 of R3.
<R3>ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=101 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=110 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=101 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=101 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=101 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 101/102/110 ms
The RIP routing protocol has enabled a route between the loopback interfaces
of R2 and R3 to be established via R1.
[R3]ping 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The preceding test results indicate that R3 is unable to communicate with R2
(and vice versa) when the serial interface is the source. Check the routes to
find out why R3 and R2 are disconnected. The procedure for diagnosing this
fault is as follows:
View the R3 routing table and check whether any route is destined for the IP
address 10.0.2.2.
If there is such a route, find out the next hop IP address of this route. Then
Layer-3 IP addresses and Layer-2 PVCs.
If there is a route that can reach IP address 10.0.2.2 and there is mapping
between Layer-3 IP addresses and Layer-2 PVCs, check R2 to determine
whether there is any route that reaches the destination IP address of the
response packets and whether the next hop of this route is reachable.
If the next hop of this route is unreachable and the destination IP address of
the response packets is 10.0.123.3, R2 has the route that reaches this address
but there is no mapping between Layer-3 IP addresses and Layer-2 PVCs.
The following is the output of the commands used in the preceding fault
diagnosis procedure.
<R3>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 13
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0
10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
10.0.3.3/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.3.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial1/0/0
10.0.123.3/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.123.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<R3>display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
DLCI = 301, IP 10.0.123.1, Serial1/0/0
create time = 2011/11/16 09:22:30, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast
<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<R1>display fr map-info interface Serial 2/0/0
Map Statistics for interface Serial2/0/0 (DTE)
DLCI = 102, IP 10.0.123.2, Serial2/0/0
create time = 2011/11/16 09:28:49, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast
DLCI = 103, IP 10.0.123.3, Serial2/0/0
create time = 2011/11/16 09:28:56, status = ACTIVE
encapsulation = ietf, vlink = 2, broadcast
<R2>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 13
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial3/0/0
10.0.2.0/24 Direct 0 0 D 10.0.2.2 LoopBack0
10.0.2.2/32
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.2 Serial3/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial3/0/0
10.0.123.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
order to resolve this, configure a frame relay PVC between the interfaces on
R2 and R3.
[R2]interface Serial 3/0/0
[R2-Serial3/0/0]fr map ip 10.0.123.3 201
[R3]interface Serial 1/0/0
[R3-Serial1/0/0]fr map ip 10.0.123.2 301
After the mapping has been configured between IP addresses and PVCs,
check the IP address-PVC mapping tables on R2 and R3 and detect network
connectivity.
<R3>display fr lmi-info inter Serial 1/0/0
Frame relay LMI statistics for interface Serial1/0/0 (DTE, Q933)
T391DTE = 10 (hold timer 10)
N391DTE = 6, N392DTE = 3, N393DTE = 4
out status enquiry = 326, in status = 324
status timeout = 0, discarded messages = 0
<R3>display fr map-info interface Serial 1/0/0
Map Statistics for interface Serial1/0/0 (DTE)
DLCI = 301, IP 10.0.123.1, Serial1/0/0
encapsulation = ietf, vlink = 1, broadcast
DLCI = 301, IP 10.0.123.2, Serial1/0/0
create time = 2011/11/16 09:55:23, status = ACTIVE
encapsulation = ietf, vlink = 2
<R3>ping 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=118 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=123 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=123 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=123 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=123 ms
/ e
--- 10.0.2.2 ping statistics ---
om
5 packet(s) transmitted
. c
i
5 packet(s) received
0.00% packet loss
e
round-trip min/avg/max = 118/122/123 ms
u aw
. h
Step 6 Configure OSPF between R1 and R2.

Delete the RIP configurations referenced in step 2 and the frame relay
mapping between R2 and R3 that was established during step 3.

[R1]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y

[R2]interface Serial 3/0/0
[R2-Serial3/0/0]undo fr map ip 10.0.123.3 201
[R2-Serial3/0/0]quit
[R2]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y

[R3]interface Serial 1/0/0
[R3-Serial1/0/0]undo fr map ip 10.0.123.2 301
[R3-Serial1/0/0]quit
[R3]undo rip 1
Warning: The RIP process will be deleted. Continue?[Y/N]y
[R3]

Configure single-area OSPF on R1, R2, and R3.

[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

After the basic parameters are set, OSPF cannot establish neighbor
adjacencies. When using frame relay for data link layer encapsulation, OSPF
will set the network type to NBMA by default. As a result, OSPF does not
support broadcasts, and therefore cannot automatically discover neighbors.
<R3>display ospf interface Serial 1/0/0 verbose
OSPF Process 1 with Router ID 10.0.3.3
Interfaces
Interface: 10.0.123.3 (Serial1/0/0)
Cost: 1562 State: DR Type: NBMA MTU: 1500
Priority: 1
Designated Router: 10.0.123.3
Backup Designated Router: 0.0.0.0
Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
IO Statistics
Type Input Output
Hello 0 0
DB Description 0 0
Link-State Req 0 0
Link-State Update 0 0
Link-State Ack 0 0
OpaqueId: 0 PrevState: Waiting
Step 7 Configuring the NBMA environment.

While R3 is the DR, R2 is unable to establish a full adjacency with the DR
since R3 is not reachable via the PVC between R2 and R1. Therefore the DR
must be set on R1. Additionally OSPF hello messages are unicast in an NBMA

[R1]ospf
[R1-ospf-1]peer 10.0.123.2
[R1-ospf-1]peer 10.0.123.3
[R1-ospf-1]interface Serial 2/0/0
[R1-Serial2/0/0]ospf dr-priority 255

[R2]ospf
[R2-ospf-1]peer 10.0.123.1

[R3]ospf
[R3-ospf-1]peer 10.0.123.1
<R1>display ospf interface Serial 2/0/0 verbose
OSPF Process 1 with Router ID 10.0.1.1
Interfaces
Interface: 10.0.123.1 (Serial2/0/0)
Cost: 1562 State: DR Type: NBMA MTU: 1500
Priority: 255
Designated Router: 10.0.123.1
Backup Designated Router: 10.0.123.3
Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
IO Statistics
Type Input Output
Hello 32 32
DB Description 8 29
Link-State Req 3 2
Link-State Update 16 30
Link-State Ack 20 9
OpaqueId: 0 PrevState: BDR
Effective cost: 1562, enabled by OSPF Protocol

If R1 is not the designated router, reset the OSPF process on all routers using
the following command and reattempt the above display command.

<R1>reset ospf process graceful-restart
Display the routing table to confirm that OSPF has been established over the
frame relay network.
<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.1.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.2/32 OSPF 10 1562 D 10.0.123.2 Serial2/0/0
10.0.3.3/32 OSPF 10 1562 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.1/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.123.2/32 Direct 0 0 D 10.0.123.2 Serial2/0/0
10.0.123.3/32 Direct 0 0 D 10.0.123.3 Serial2/0/0
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=51 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=255 time=51 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=255 time=51 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=255 time=60 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 51/54/60 ms
the NBMA network type will fail unless a virtual circuit (PVC) is established
between R2 and R3. Alternatively the point-to-multipoint network type can be
applied.
OSPF configuration can also use the point-to-multipoint OSPF network type
over frame relay networks. First remove the manual peering and change the
network type to point-to-multipoint.
[R1]ospf
[R1-ospf-1]undo peer 10.0.123.2
[R1-ospf-1]undo peer 10.0.123.3

[R2]ospf
[R2-ospf-1]undo peer 10.0.123.1

[R3]ospf
[R3-ospf-1]undo peer 10.0.123.1

Establish the Point-to-multipoint network type.

[R2]interface Serial 3/0/0
[R2-Serial3/0/0]ospf network-type p2mp

After setting the OSPF network type, wait until the neighbor relationship is
established, then check the neighbor relationship and route information.

<R1>display ospf peer brief
OSPF Process 1 with Router ID 10.0.1.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Serial2/0/0 10.0.3.3 Full
----------------------------------------------------------------------------
<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.1.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.2/32 OSPF 10 1562 D 10.0.123.2 Serial2/0/0
10.0.3.3/32 OSPF 10 1562 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.1/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.123.2/32 Direct 0 0 D 10.0.123.2 Serial2/0/0
10.0.123.3/32 Direct 0 0 D 10.0.123.3 Serial2/0/0
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Serial3/0/0 10.0.1.1 Full
----------------------------------------------------------------------------

<R2>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

<R3>display ospf peer brief
OSPF Process 1 with Router ID 10.0.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 Serial1/0/0 10.0.1.1 Full
----------------------------------------------------------------------------

<R3>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 OSPF 10 1562 D 10.0.123.1 Serial1/0/0
10.0.2.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0
10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial1/0/0
10.0.123.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=255 time=51 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/54/60 ms

<R3>ping -a 10.0.3.3 10.0.123.2
PING 10.0.123.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.123.2: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 10.0.123.2: bytes=56 Sequence=2 ttl=254 time=101 ms
Reply from 10.0.123.2: bytes=56 Sequence=3 ttl=254 time=101 ms
Reply from 10.0.123.2: bytes=56 Sequence=4 ttl=254 time=110 ms
Reply from 10.0.123.2: bytes=56 Sequence=5 ttl=254 time=101 ms
--- 10.0.123.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 101/104/110 ms

<R3>ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=101 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=110 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=102 ms
--- 10.0.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 101/103/110 ms
Final Configuration
[R1]display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
interface Serial2/0/0
link-protocol fr
undo fr inarp
fr map ip 10.0.123.2 102 broadcast
fr map ip 10.0.123.3 103 broadcast
ip address 10.0.123.1 255.255.255.0
ospf network-type p2mp
ospf dr-priority 255
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return

[R2]display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
interface Serial3/0/0
link-protocol fr
undo fr inarp
fr map ip 10.0.123.1 201 broadcast
ip address 10.0.123.2 255.255.255.0
ospf network-type p2mp
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return

[R3]display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
interface Serial1/0/0
link-protocol fr
undo fr inarp
fr map ip 10.0.123.1 301 broadcast
ip address 10.0.123.3 255.255.255.0
ospf network-type p2mp
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
#
return
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of a Dialer interface for PPPoE
Authentication of a client over PPPoE.

Topology

Figure 2.3 PPPoE Server and Client Topology

Scenario

The enterprise subscribes to a (typically high speed) DSL service from the
service provider over which WAN services are supported. R1 and R3 are
enterprise edge routers of different offices, and establish a connection to the
service provider through the PPPoE server (R2). The enterprise is required to
establish a PPPoE dialer on the edge routers to allow hosts in the local area
network to access external resources transparently via the service provider
network over PPPoE.

Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3

Step 2 Clean up the previous configuration

Disable the serial interfaces to avoid routing over the frame relay network.

Step 3 Configure PPPoE Server.

The PPPoE server is not part of the enterprise network, however it is required
to allow the enterprise edge routers R1 and R3 to be authenticated.

[R2]ip pool pool1
[R2-ip-pool-pool1]network 119.84.111.0 mask 255.255.255.0
[R2-ip-pool-pool1]gateway-list 119.84.111.254
[R2-ip-pool-pool1]quit
[R2]interface Virtual-Template 1
[R2-Virtual-Template1]ppp authentication-mode chap
[R2-GigabitEthernet0/0/0]quit

Configure a PPPoE authenticated user.

[R2]aaa
[R2-aaa]local-user huawei1 password cipher huawei
Info: Add a new user.
[R2-aaa]local-user huawei1 service-type ppp
[R2-aaa]local-user huawei2 password cipher huawei
Info: Add a new user.
[R2-aaa]local-user huawei2 service-type ppp
[R2-aaa]quit

Step 4 Configure PPPoE Client.

Configure R1 as a PPPoE client, for which the dialer interface needs to be
created, and PPP authentication enabled. The PPP authenticated username
and password should match that configured on the PPPoE server.

[R1]dialer-rule
[R1-dialer-rule]dialer-rule 1 ip permit
[R1-dialer-rule]quit
[R1]interface Dialer 1
[R1-Dialer1]dialer user user1
[R1-Dialer1]dialer-group 1
[R1-Dialer1]dialer bundle 1
[R1-Dialer1]ppp chap user huawei1
[R1-Dialer1]ppp chap password cipher huawei
[R1-Dialer1]dialer timer idle 300
[R1-Dialer1]dialer queue-length 8
[R1-Dialer1]ip address ppp-negotiate
[R1-Dialer1]quit

Configure R3 as a PPPoE client, for which the dialer interface needs to be
created, and PPP authentication enabled. The PPP authenticated username
and password should match that configured on the PPPoE server.

[R3]dialer-rule
[R3-dialer-rule]dialer-rule 1 ip permit
[R3-dialer-rule]quit
[R3]interface Dialer 1
[R3-Dialer1]dialer user user2
[R3-Dialer1]dialer-group 1
[R3-Dialer1]dialer bundle 1
[R3-Dialer1]ppp chap user huawei2
[R3-Dialer1]ppp chap password cipher huawei
[R3-Dialer1]dialer timer idle 300
[R3-Dialer1]dialer queue-length 8
[R3-Dialer1]ip address ppp-negotiate
[R3-Dialer1]quit

Bind the PPPoE Dialer to the outbound interface

[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1
[R3-GigabitEthernet0/0/0]quit

[R3]ip route-static 0.0.0.0 0.0.0.0 Dialer 1

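The CHAP exchange behind `ppp authentication-mode chap` on R2 and `ppp chap user` / `ppp chap password` on the dialers, as an added Python example that is not part of the lab guide. It follows RFC 1994 (response = MD5 over identifier, secret and challenge); the class and function names are hypothetical, and the accounts mirror the `local-user` entries configured on R2.

```python
import hashlib
import hmac
import os

# Accounts as configured on R2 in Step 3 (local-user ... service-type ppp).
LOCAL_USERS = {"huawei1": "huawei", "huawei2": "huawei"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side of the exchange (R2's role in the lab)."""

    def __init__(self, users):
        self._users = dict(users)
        self._next_id = 0
        self._outstanding = {}  # identifier -> challenge, consumed on first use

    def challenge(self):
        """Issue a fresh random challenge under a new identifier."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._outstanding[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        """Check a Response packet; each challenge can be answered only once."""
        value = self._outstanding.pop(identifier, None)
        secret = self._users.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side of the exchange (the Dialer interface on R1 or R3)."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        # Only the name and the hash cross the link, never the password.
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(server, peer):
    """One Challenge / Response / verdict round; True means authenticated."""
    identifier, value = server.challenge()
    name, response = peer.respond(identifier, value)
    return server.verify(identifier, name, response)


def replay_is_rejected(server, peer):
    """A response computed for one challenge must fail against the next one."""
    id1, c1 = server.challenge()
    name, old_response = peer.respond(id1, c1)
    first_ok = server.verify(id1, name, old_response)
    id2, _ = server.challenge()
    return first_ok and not server.verify(id2, name, old_response)


if __name__ == "__main__":
    r2 = ChapAuthenticator(LOCAL_USERS)
    print("R1 as huawei1/huawei :", run_exchange(r2, ChapPeer("huawei1", "huawei")))
    print("R3 as huawei2/huawei :", run_exchange(r2, ChapPeer("huawei2", "huawei")))
    print("wrong password       :", run_exchange(r2, ChapPeer("huawei1", "Huawei")))
    print("name unknown to R2   :", run_exchange(r2, ChapPeer("user1", "huawei")))
    print("replay rejected      :", replay_is_rejected(r2, ChapPeer("huawei1", "huawei")))
```

Because the response is an unsalted MD5 over values visible on the link, the strength of the exchange rests entirely on the shared secret, so production secrets should be long and random rather than the lab's `huawei`.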
Step 5 Verify the configuration results

Execute the display pppoe-server session all command to view

SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template1:0 UP GE0/0/0 00e0.fc03.d0ae 00e0.fc03.7516
2 Virtual-Template1:1 UP GE0/0/0 00e0.fc03.aedd 00e0.fc03.7516

<R2>display virtual-access
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-12 04:15:54
Description:HUAWEI, AR Series, Virtual-Template1:0 Interface
Route Port,The Maximum Transmit Unit is 1492, Hold timer is 10(sec)
Link layer protocol is PPP
LCP opened, IPCP opened
Current system time: 2013-12-12 04:53:01
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
Virtual-Template1:1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-12-12 04:23:13
Description:HUAWEI, AR Series, Virtual-Template1:1 Interface
Route Port,The Maximum Transmit Unit is 1492, Hold timer is 10(sec)
Link layer protocol is PPP
LCP opened, IPCP opened
Current system time: 2013-12-12 04:53:01
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%

address from the PPPoE server.

<R1>display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 4
The number of interface that is DOWN in Protocol is 6
Cellular0/0/1 unassigned down down
Dialer1 119.84.111.253/32 up up(s)
GigabitEthernet0/0/0 unassigned up down
output omitted

authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin service-type http
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
local-user huawei service-type ppp
#
interface Dialer1
link-protocol ppp
ppp chap user huawei1
ppp chap password cipher %$%$A8E~UjX}@;bhCL*C4w#<%"Ba%$%$
ip address ppp-negotiate
dialer user user1
dialer bundle 1
dialer queue-length 8
dialer-group 1
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return

[R2]dis current-configuration
[V200R003C00SPC200]
#
sysname R2
#
ip pool pool1
gateway-list 119.84.111.254
network 119.84.111.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei1 password cipher %$%$MjCY6,a82N4W`]F]3LMAKG9+%$%$
local-user huawei1 service-type ppp
local-user huawei2 password cipher %$%$Ctq55RX:]R,8Jc13{|,)KH!m%$%$
local-user huawei2 service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap
ip address 119.84.111.254 255.255.255.0
#
interface GigabitEthernet0/0/0
pppoe-server bind Virtual-Template 1
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return

[R3]display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei password cipher %$%$fZsyUk1=O=>:L4'ytgR~D*Im%$%$
local-user huawei service-type ppp
#
interface Dialer1
link-protocol ppp
ppp chap user huawei2
ppp chap password cipher %$%$0f8(;^]1NS:q;SPo8TyP%.Ei%$%$
ip address ppp-negotiate
dialer user user2
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
#
interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
#
dialer-rule
dialer-rule 1 ip permit
#
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Establishment of a basic ACL to implement source based filtering.
Establishment of an advanced ACL to implement enhanced filtering.

Topology

Figure 3.1 Filtering enterprise network data with Access Control Lists

Scenario

Assume that you are a network administrator of a company that has three
networks belonging to three sites. R2 is deployed at the border of the network
for the main site, while R1 and R3 are deployed at the boundary of the
and FTP services. Only site R1 has permission to access the telnet server in
the main site. Only site R3 has permission to access the FTP server.
Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.

[Huawei]sysname R1

[Huawei]sysname R2

[Huawei]sysname R3

[Huawei]sysname S1
[S1]vlan 4
[S1-vlan4]quit
[S1]interface vlanif 4
[S1-Vlanif4]ip address 10.0.4.254 24

[Huawei]sysname S2
[S2]vlan 6
[S2-vlan6]quit
[S2]interface vlanif 6
[S2-Vlanif6]ip address 10.0.6.254 24

Step 2 Clean up the previous configuration

Remove the current network being advertised in OSPF, the PPPoE dialer
interfaces, as well as the PPPoE server virtual template configuration from R2.

[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R1]undo ip route-static 0.0.0.0 0
[R1]interface Dialer 1
[R1-Dialer1]undo dialer user
[R1]dialer-rule
[R1-dialer-rule]undo dialer-rule 1

[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]undo pppoe-server bind
[R2]undo interface Virtual-Template 1
[R2]undo ip pool pool1
[R2]aaa
[R2-aaa]undo local-user huawei1
[R2-aaa]undo local-user huawei2

[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R3]undo ip route-static 0.0.0.0 0
[R3-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
[R3]interface Dialer 1
[R3-Dialer1]undo dialer user
[R3]undo interface Dialer 1
[R3]dialer-rule
[R3-dialer-rule]undo dialer-rule 1

Step 3 Configure IP addressing

Configure addressing for the 10.0.13.0/24, 10.0.4.0/24 and 10.0.6.0/24
networks as shown in the topology of figure 7.1.

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.0.13.2 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.4.2 24
[R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.6.2 24

[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24

Establish VLAN trunks on S1 and S2. The port link type should already be
configured for interface GigabitEthernet 0/0/2 on S1.

[S2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[S2-GigabitEthernet0/0/2]quit

Step 4 Configure OSPF to enable internetwork communication

Configure OSPF for R1, R2, and R3. Ensure that all are part of the same
OSPF area and advertise the networks that have been created.

[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255

[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

gateway.

Verify that a path exists from R1 and R3 to S1 and S2.
<R1>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/3/10 ms

<R1>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms

<R3>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms

<R3>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms

Step 5 Configure Filters using Access Control Lists

Configure S1 as a telnet server.

[S1]user-interface vty 0 4
[S1-ui-vty0-4]authentication-mode password
[S1-ui-vty0-4]set authentication password cipher huawei

Configure S2 as an FTP server.

[S2]ftp server enable
[S2]aaa
[S2-aaa]local-user huawei password cipher huawei
[S2-aaa]local-user huawei service-type ftp
[S2-aaa]local-user huawei ftp-directory flash:

Configure an access control list on R2 to allow R1 to access the telnet server,
and R3 to access the FTP server.

[R2]acl 3000
[R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23
[R2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21
[R2-acl-adv-3000]rule 15 deny ip source any
[R2-acl-adv-3000]quit

<R1>telnet 10.0.4.254
Press CTRL_] to quit telnet mode
Trying 10.0.4.254 ...
Connected to 10.0.4.254 ...
Login authentication
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<S1>

Note: use the quit command to exit the telnet session

<R1>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.

Note: The FTP connection may take a while to respond (approx 60 seconds).

<R3>telnet 10.0.4.254
Press CTRL_] to quit telnet mode
Trying 10.0.4.254 ...
Error: Can't connect to the remote host

<R3>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Connected to 10.0.6.254.
220 FTP service ready.
User(10.0.6.254:(none)):huawei
331 Password required for huawei.
Enter password:
[R3-ftp]
Note: The bye command can be used to close the FTP connection
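The first-match behaviour of ACL 3000, as an added example that is not part of the lab guide: a small Python evaluator (all function and class names are hypothetical) parses the three rules from Step 5 and applies them to the flows tested above, plus two constructed FTP data-channel packets. It assumes the ACL is checked against packets arriving from the 10.0.13.0/24 segment, as `traffic-filter inbound acl 3000` on R2's GigabitEthernet0/0/0 does in the final configuration, and it accepts only the numeric port form used in Step 5.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three rules of ACL 3000 exactly as entered on R2 in Step 5.
ACL_3000 = """
rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23
rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21
rule 15 deny ip source any
"""

AddrSpec = Optional[Tuple[int, int]]  # (address, wildcard mask); None means "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", or "ip" for every IP protocol
    src: AddrSpec
    dst: AddrSpec
    dports: Optional[Tuple[int, int]]  # inclusive range; None means any port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_rule(line: str) -> Rule:
    """Parse one 'rule <id> <action> <proto> ...' line of the subset used in the lab."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    src: AddrSpec = None
    dst: AddrSpec = None
    dports = None
    i = 4
    while i < len(tok):
        key = tok[i]
        if key in ("source", "destination"):
            if tok[i + 1] == "any":
                spec, i = None, i + 2
            else:
                # Wildcard bits set to 1 are "don't care"; the saved config prints 0.0.0.0 as 0.
                wildcard = 0 if tok[i + 2] == "0" else _ip(tok[i + 2])
                spec, i = (_ip(tok[i + 1]), wildcard), i + 3
            if key == "source":
                src = spec
            else:
                dst = spec
        elif key == "destination-port" and tok[i + 1] == "eq":
            dports, i = (int(tok[i + 2]), int(tok[i + 2])), i + 3
        elif key == "destination-port" and tok[i + 1] == "range":
            dports, i = (int(tok[i + 2]), int(tok[i + 3])), i + 4
        else:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
    return Rule(int(tok[1]), tok[2], tok[3], src, dst, dports)


def parse_acl(text: str) -> List[Rule]:
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return sorted(rules, key=lambda r: r.rule_id)  # rules are checked in rule-ID order


def _addr_ok(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    base, wildcard = spec
    return ((base ^ _ip(addr)) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule_id) of the first matching rule, or ("no-match", None)."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (_addr_ok(r.src, src) and _addr_ok(r.dst, dst)):
            continue
        if r.dports and (dport is None or not r.dports[0] <= dport <= r.dports[1]):
            continue
        return r.action, r.rule_id
    return "no-match", None


# Flows from the lab's tests, plus constructed data-channel packets (port 50000 is made up).
FLOWS = [
    ("R1 telnet to S1", "tcp", "10.0.13.1", "10.0.4.254", 23),
    ("R1 ftp to S2", "tcp", "10.0.13.1", "10.0.6.254", 21),
    ("R3 telnet to S1", "tcp", "10.0.13.3", "10.0.4.254", 23),
    ("R3 ftp control to S2", "tcp", "10.0.13.3", "10.0.6.254", 21),
    ("R3 to S2 port 20 (active data)", "tcp", "10.0.13.3", "10.0.6.254", 20),
    ("R3 to S2 port 50000 (passive data)", "tcp", "10.0.13.3", "10.0.6.254", 50000),
    ("R1 ping to S1", "icmp", "10.0.13.1", "10.0.4.254", None),
]


def run():
    rules = parse_acl(ACL_3000)
    return {name: evaluate(rules, p, s, d, port) for name, p, s, d, port in FLOWS}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:36} {verdict}")
```

The port 50000 case shows that rule 10 only covers the control channel and active-mode data on server port 20; a passive-mode transfer to an ephemeral server port falls through to rule 15.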
FTP requires two ports to be defined in the access control list, why is this?
Should basic ACL and advanced ACL be deployed near the source network or
target network, and why?
Final Configuration

<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
local-user huawei service-type ppp
#
interface GigabitEthernet0/0/0
ip address 10.0.13.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return

<R2>display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
acl number 3000
rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port eq telnet
rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port range ftp-data ftp
rule 15 deny ip
#
interface GigabitEthernet0/0/0
ip address 10.0.13.2 255.255.255.0
traffic-filter inbound acl 3000
#
interface GigabitEthernet0/0/1
ip address 10.0.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.6.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return

<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
interface GigabitEthernet0/0/0
user-interface vty 0 4
#
return

<S1>display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 4
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
#
user-interface con 0
user-interface vty 0 4
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return

<S2>dis current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
FTP server enable
#
vlan batch 6
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
#
user-interface con 0
user-interface vty 0 4
#
return

Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Translation of addresses between networks (NAT).
Configuration of Easy IP.

Topology

Figure 3.2 Network Address Translation Topology

Scenario

In order to conserve addressing the offices of the enterprise network have
implemented private addressing internally. Users however require a means to
be routed between these private networks and the public network domain. R1
and R3 represent edge routers of the enterprise branch offices; the branch
networks need access to the public network. The administrator of the network is
requested to configure a dynamic NAT solution in order to allow R1 to
perform address translation. An Easy IP NAT solution is to be applied to R3.

Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.

[Huawei]sysname R1
[R1]inter GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24

[Huawei]sysname R3
[R3]interface GigabitEthernet0/0/2
[R3-GigabitEthernet0/0/2]ip address 10.0.6.3 24

[Huawei]sysname S1
[S1]vlan 4
[S1-vlan4]quit
[S1]interface vlanif 4
[S1-Vlanif4]ip address 10.0.4.254 24
[S1-Vlanif4]quit

[Huawei]sysname S2
[S2]vlan 6
[S2-vlan6]quit
[S2]interface vlanif 6
[S2-Vlanif6]ip address 10.0.6.254 24
[S2-Vlanif6]quit

Step 2 Clean up the previous configuration
Re-establish the connection to S1 and S2 via Gigabit Ethernet 0/0/1 on R1 and
Gigabit Ethernet 0/0/2 on R3. Remove OSPF from all routers.

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]undo ip address
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]undo shutdown
[R1]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

[R2]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

[R3-GigabitEthernet0/0/0]undo ip address
[R3]interface GigabitEthernet 0/0/2
[R3-GigabitEthernet0/0/2]undo shutdown
[R3]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

Remove the static routes pointing to R2 on S1 and S2.

[S1]undo ip route-static 0.0.0.0 0.0.0.0

[S2]undo ip route-static 0.0.0.0 0.0.0.0

Step 3 Implement VLAN configuration for S1 and S2

[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type trunk
[S1-GigabitEthernet0/0/1]port trunk pvid vlan 4
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/1]quit

[S2]interface GigabitEthernet 0/0/3
[S2-GigabitEthernet0/0/3]port link-type trunk
[S2-GigabitEthernet0/0/3]port trunk pvid vlan 6
[S2-GigabitEthernet0/0/3]port trunk allow-pass vlan all

[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 119.84.111.1 24

[R3]interface GigabitEthernet0/0/0
[R3-GigabitEthernet0/0/0]ip address 119.84.111.3 24

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/7/23 ms

<R1>ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=10 ms

Step 4 Configure Access Control Lists for R1 and R3
Configure an advanced ACL on R1 and select the data flow with the source of
S1, the destination of R3, and destined for the telnet service port.

[R1]acl 3000
[R1-acl-adv-3000]rule 5 permit tcp source 10.0.4.254 0.0.0.0 destination
[R1-acl-adv-3000]rule 15 deny ip

Configure a basic ACL on R3 and select the data flow whose source IP
address is 10.0.6.0/24.

[R3]acl 2000
[R3-acl-basic-2000]rule permit source 10.0.6.0 0.0.0.255

Configure dynamic NAT on the GigabitEthernet0/0/0 interface of R1.

[R1]nat address-group 1 119.84.111.240 119.84.111.243
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 3000 address-group 1

Configure R3 as the telnet server.

[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode password
[R3-ui-vty0-4]set authentication password cipher huawei
[R3-ui-vty0-4]quit

Verify the address group has been configured correctly.

<R1>display nat address-group
NAT Address-Group Information:
--------------------------------------
Index   Start-address    End-address
--------------------------------------
1       119.84.111.240   119.84.111.243
--------------------------------------
Total : 1

Test connectivity to the gateway of the remote peer from the internal network.

<S1>ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Request time out
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=254 time=1 ms
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/1/1 ms

Login authentication
Password:
<R3>

Do not exit the telnet session, instead open a second session window to R1
and view the results of the ACL and NAT session translation.

<R1>display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit tcp source 10.0.4.254 0 destination 119.84.111.3 0 destination-port eq telnet (1 matches)
rule 10 permit ip source 10.0.4.0 0.0.0.255 (1 matches)
rule 15 deny ip

<R1>display nat session all
NAT Session Table Information:
Protocol          : ICMP(1)
SrcAddr Vpn       : 10.0.4.254
DestAddr Vpn      : 119.84.111.3
Type Code IcmpId  : 8 0 44003
NAT-Info
New SrcAddr       : 119.84.111.242
New DestAddr      : ----
New IcmpId        : 10247

Protocol          : TCP(6)
SrcAddr Port Vpn  : 10.0.4.254 49646
DestAddr Port Vpn : 119.84.111.3 23
NAT-Info
New SrcPort       : 10249
New DestAddr      : ----
New DestPort      : ----
Total : 2

The ICMP session has a lifetime of only 20 seconds and therefore may not
appear to be present when displaying the NAT session results. The following
command can be used in this case to extend the period over which the ICMP
results are maintained:

Configure easyIP on the Gigabit Ethernet 0/0/0 interface of R3, associating the
easyIP configuration with ACL 2000 that had been configured earlier.

[R3-GigabitEthernet0/0/0]nat outbound 2000

Test the connectivity from S2 to R1 via R3.

<S2>ping 119.84.111.1
PING 119.84.111.1: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.1: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 119.84.111.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 119.84.111.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 119.84.111.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 119.84.111.1: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 119.84.111.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms

<R3>display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 5
rule 5 permit source 10.0.6.0 0.0.0.255 (1 matches)

<R3>display nat outbound acl 2000
NAT Outbound Information:
---------------------------------------------------------------------
Interface              Acl    Address-group/IP/Interface   Type
---------------------------------------------------------------------
GigabitEthernet0/0/0   2000   119.84.111.3                 easyip
---------------------------------------------------------------------
Total : 1

Final Configuration

<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
firewall-nat session icmp aging-time 300
#
acl number 3000
 rule 5 permit tcp source 10.0.4.254 0 destination 119.84.111.3 0 destination-port eq telnet
 rule 10 permit ip source 10.0.4.0 0.0.0.255
 rule 15 deny ip
#
nat address-group 1 119.84.111.240 119.84.111.243
#
interface GigabitEthernet0/0/0
 ip address 119.84.111.1 255.255.255.0
 nat outbound 3000 address-group 1
#
interface GigabitEthernet0/0/1
 ip address 10.0.4.1 255.255.255.0
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
#
return

<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
acl number 2000
 rule 5 permit source 10.0.6.0 0.0.0.255
#
interface GigabitEthernet0/0/0
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher %$%$7ml|,!ccE$SQ~CZ{GtaE%hO>v}~bVk18p5qq<:UPtI:9hOA%%$%$
#
return

<S1>display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 4
#
interface Vlanif4
 ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 4
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 4
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/14
 shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#
user-interface con 0
user-interface vty 0 4
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return

<S2>display current-configuration
#
!Software Version V100R006C00SPC800
sysname S2
#
vlan batch 6
#
interface Vlanif6
 ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 6
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 6
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/23
 shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.3
#
user-interface con 0
user-interface vty 0 4
#
return

Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of local AAA for which authentication and authorization
schemes are to be used.
Establishment of a domain named huawei
Implementation of privilege levels for authenticated users.

Topology
Figure 3-3 AAA configuration

Scenario
R1 and R3 have been deployed on the network and are to provide remote
authentication services using AAA. The company requires that both routers
are made part of the huawei domain and that the telnet service is made
available to users, with limited privileges given once authenticated.

Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.

[Huawei]sysname R1
[R1]interface GigabitEthernet0/0/0
[R1-GigabitEthernet0/0/0]ip address 119.84.111.1 24

[Huawei]sysname R3
[R3]inter GigabitEthernet0/0/0
[R3-GigabitEthernet0/0/0]ip address 119.84.111.3 24

Step 2 Clean up the previous configuration
Remove the previous NAT and ACL configuration from R1 and R3.

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]undo nat outbound 3000 address-group 1
[R1-GigabitEthernet0/0/0]quit
[R1]undo nat address-group 1
[R1]undo acl 3000

[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]undo nat outbound 2000
[R3-GigabitEthernet0/0/0]quit
[R3]undo acl 2000

Step 3 Verify connectivity between R1 and R3

<R1>ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=10 ms

Info: Create a new authentication scheme.
[R1-aaa-authen-auth1]authentication-mode local
[R1-aaa-authen-auth1]quit
[R1-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[R1-aaa-author-auth2]authorization-mode local
[R1-aaa-author-auth2]quit

Configure the domain huawei on R1, then create a user and apply the user to
this domain.

[R1-aaa]domain huawei
[R1-aaa-domain-huawei]authentication-scheme auth1
[R1-aaa-domain-huawei]authorization-scheme auth2
[R1-aaa-domain-huawei]quit
[R1-aaa]local-user user1@huawei password cipher huawei
[R1-aaa]local-user user1@huawei service-type telnet
[R1-aaa]local-user user1@huawei privilege level 0

Configure R1 as the telnet server, using AAA authentication mode.

[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa

<R3>telnet 119.84.111.1
Press CTRL_] to quit telnet mode
Trying 119.84.111.1 ...
Connected to 119.84.111.1 ...
Login authentication
Username:user1@huawei
Password:
<R1>system-view
 ^
Error: Unrecognized command found at '^' position.
<R1>quit

Operations are restricted as user privileges are limited to privilege level 0
for user1@huawei.

Step 5 Perform AAA configuration on R3

[R3]aaa
[R3-aaa]authentication-scheme auth1
Info: Create a new authentication scheme.
[R3-aaa-authen-auth1]authentication-mode local
[R3-aaa-authen-auth1]quit
[R3-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[R3-aaa-author-auth2]authorization-mode local
[R3-aaa-author-auth2]quit

Configure the domain huawei on R3, then create a user and apply the user to
this domain.

[R3-aaa]domain huawei
[R3-aaa-domain-huawei]authentication-scheme auth1
[R3-aaa-domain-huawei]authorization-scheme auth2
[R3-aaa-domain-huawei]quit
[R3-aaa]local-user user3@huawei password cipher huawei
[R3-aaa]local-user user3@huawei service-type telnet
[R3-aaa]local-user user3@huawei privilege level 0
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode aaa

Connected to 119.84.111.1 ...
Login authentication
Username:user3@huawei
Password:
<R3>system-view
 ^
Error: Unrecognized command found at '^' position.
<R3>

Operations are restricted as user privileges are set to privilege level 0 for
user3@huawei.

Step 6 Observe the results of the AAA configuration

<R1>display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : auth1
Accounting-scheme-name     : default
Authorization-scheme-name  : auth2
Service-scheme-name        : -
RADIUS-server-template     : -
HWTACACS-server-template   : -
User-group                 : -

User-group                 : -

<R3>display domain name huawei
Domain-name                : huawei
Domain-state               : Active
Authentication-scheme-name : auth1
Accounting-scheme-name     : default
Authorization-scheme-name  : auth2
Service-scheme-name        : -
RADIUS-server-template     : -
HWTACACS-server-template   : -
User-group                 : -

<R3>display local-user username user3@huawei
The contents of local user(s):
Password          : ****************
State             : active
Service-type-mask : T
Privilege level   : 0
Ftp-directory     : -
Access-limit      : -
Accessed-num      : 0
Idle-timeout      : -
User-group        : -

Final Configuration

<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
aaa
 authentication-scheme default
 authentication-scheme auth1
 authorization-scheme default
 authorization-scheme auth2
 accounting-scheme default
 domain default
 domain default_admin
 domain huawei
  authentication-scheme auth1
  authorization-scheme auth2
 local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
 local-user huawei service-type ppp
 local-user user1@huawei password cipher %$%$^L*5IP'0^A!;R)R*L=LFcXgv%$%$
 local-user user1@huawei privilege level 0
 local-user user1@huawei service-type telnet
#
interface GigabitEthernet0/0/0
 ip address 119.84.111.1 255.255.255.0
 nat outbound 3000 address-group 1 //may remain from previous labs
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
 authentication-mode aaa
#
return

<R3>dis current-configuration
[V200R003C00SPC200]
#
sysname R3
#
aaa
 authentication-scheme default
 authentication-scheme auth1
 authorization-scheme default
 authorization-scheme auth2
 accounting-scheme default
 domain default
 domain default_admin
 domain huawei
  authentication-scheme auth1
  authorization-scheme auth2
 local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$fZsyUk1=O=>:L4'ytgR~D*Im%$%$
 local-user huawei service-type ppp
 local-user user3@huawei password cipher %$%$WQt.;bEsR<8fz3LCiPY,che_%$%$
 local-user user3@huawei privilege level 0
 local-user user3@huawei service-type telnet
#
interface GigabitEthernet0/0/0
 ip address 119.84.111.3 255.255.255.0
 nat outbound 2000 //may remain from previous labs
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
 authentication-mode aaa
#
return

Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of an IPsec proposal using an esp transform set.
Configuration of an ACL used to determine interesting traffic.
Configuration of an IPsec policy
The binding of an IPsec policy to an interface.

Topology
Figure 3.4 IPsec VPN topology

Scenario
In the interests of protecting both the integrity and confidentiality of company
data, it is required that the communication between the offices of the
enterprise secure specific private data as it is transmitted over the public
network infrastructure. As the network administrator of the company, the task
has been assigned to implement IPsec VPN solutions between the HQ edge
router (R1) and the branch office (R3). Currently only select departments
within the HQ require secured communication over the public network (R2).
The administrator should establish IPsec using tunnel mode between the two
offices for all traffic originating from the department.

Tasks

[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
[Huawei]sysname R2
[R2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface serial 2/0/0
[R2-Serial2/0/0]ip address 10.0.23.2 24
[R2-Serial2/0/0]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24

Step 2 Clean up the previous configuration.
Remove the addressing for the Gigabit Ethernet 0/0/0 interface on R1 & R3,
and

[R1-GigabitEthernet0/0/0]undo ip address
[R1-GigabitEthernet0/0/0]quit
[R1-GigabitEthernet0/0/1]shutdown
[R1-GigabitEthernet0/0/1]quit
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]undo shutdown

[R3-Serial2/0/0]undo shutdown

Step 3 Establish additional logical interfaces.

[R1-LoopBack0]interface loopback 1
[R1-LoopBack1]ip address 10.0.11.11 24

[R3-LoopBack0]interface loopback 1
[R3-LoopBack1]ip address 10.0.33.33 24

Step 4 Configure OSPF.
Use the IP address of Loopback 0 as the router ID, use the default OSPF
process (1), and specify the public network segments 10.0.12.0/24, and
10.0.23.0/24 as part of OSPF area 0.

[R1]ospf router-id 10.0.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255

[R2]ospf router-id 10.0.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255

----------------------------------------------------------------------------
Area Id    Interface      Neighbor id    State
0.0.0.0    Serial1/0/0    10.0.1.1       Full
0.0.0.0    Serial2/0/0    10.0.3.3       Full
----------------------------------------------------------------------------

<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 17 Routes : 17

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
10.0.1.0/24         Direct  0    0     D     10.0.1.1        LoopBack0
10.0.1.1/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.1.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.2.2/32         OSPF    10
                            10   2343  D     10.0.12.2       Serial1/0/0
10.0.11.0/24        Direct  0    0     D     10.0.11.11      LoopBack1
10.0.11.11/32
10.0.11.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
10.0.12.0/24        Direct  0    0     D     10.0.12.1       Serial1/0/0
10.0.12.1/32        Direct  0    0     D     127.0.0.1       Serial1/0/0
10.0.12.2/32        Direct  0    0     D     10.0.12.2       Serial1/0/0
10.0.12.255/32      Direct  0    0     D     127.0.0.1       Serial1/0/0
10.0.23.0/24        OSPF    10   2343  D     10.0.12.2       Serial1/0/0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0

If the baudrate is maintained as 128000 from lab 6-1, the OSPF cost will be set
as shown, and thus may vary due to the metric calculation used by OSPF.

<R3>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 17 Routes : 17

10.0.1.1/32         OSPF    10   3124  D     10.0.23.2       Serial2/0/0
10.0.2.2/32         OSPF    10   1562  D     10.0.23.2       Serial2/0/0
10.0.3.0/24         Direct  0    0     D     10.0.3.3        LoopBack0
10.0.3.3/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.3.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.11.11/32       OSPF    10   3124  D     10.0.23.2       Serial2/0/0
10.0.12.0/24        OSPF    10   3124  D     10.0.23.2       Serial2/0/0
10.0.23.0/24        Direct  0    0     D     10.0.23.3       Serial2/0/0
10.0.23.2/32        Direct  0    0     D     10.0.23.2       Serial2/0/0
10.0.23.3/32        Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.23.255/32      Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.33.0/24        Direct  0    0     D     10.0.33.33      LoopBack1
10.0.33.33/32       Direct  0    0     D     127.0.0.1       LoopBack1
10.0.33.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

Step 5 Configure the ACL to define interesting traffic
An advanced ACL is created to identify interesting traffic for which the IPsec
VPN will be applied. The advanced ACL is capable of filtering based on
specific parameters for selective traffic filtering.

[R1]acl 3001
[R1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255

[R3]acl 3001
[R3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0 0.0.0.255

Create an IPsec proposal and enter the IPsec proposal view to specify the
security protocols to be used. Ensure both peers use the same protocols.

[R1]ipsec proposal tran1
[R1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R1-ipsec-proposal-tran1]esp encryption-algorithm 3des

[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran1]esp encryption-algorithm 3des

Number of proposals: 1
ESP protocol        : Authentication SHA1-HMAC-96
                      Encryption 3DES

IPSec proposal name : tran1
Encapsulation mode  : Tunnel
Transform           : esp-new
ESP protocol        : Authentication SHA1-HMAC-96
                      Encryption 3DES

Step 7 IPsec Policy Creation
Create an IPsec policy and define the parameters for establishing the SA.

[R1]ipsec policy P1 10 manual
[R1-ipsec-policy-manual-P1-10]security acl 3001
[R1-ipsec-policy-manual-P1-10]proposal tran1
[R1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3

[R3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
[R3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[R3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[R3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[R3-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei

Run the display ipsec policy command to verify the configuration.

<R1>display ipsec policy
===========================================
IPSec policy group: "P1"
Using interface:
===========================================
Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.12.1
Tunnel remote address: 10.0.23.3
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP string-key: huawei

IPSec policy group: "P1"
Using interface:
===========================================
Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.23.3
Tunnel remote address: 10.0.12.1
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huawei
ESP encryption hex key:

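With a manual policy nothing negotiates the SA, so each peer's outbound SPI and key must equal the other peer's inbound ones and the tunnel addresses must be mirrored. The following check is an added example, not part of the lab guide: the function names are hypothetical, the R1 stanza is taken from the page's final configuration, and the R3 stanza is assembled from the Step 7 commands and the display output above.

```python
import re
from typing import Dict, List

# R1: copied from the page's final configuration (proposal plus manual policy).
R1_STANZA = """
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ipsec policy P1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 10.0.12.1
 tunnel remote 10.0.23.3
 sa spi inbound esp 12345
 sa string-key inbound esp simple huawei
 sa spi outbound esp 54321
 sa string-key outbound esp simple huawei
"""

# R3: assembled from the Step 7 commands and the 'display ipsec policy' output.
R3_STANZA = """
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ipsec policy P1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 10.0.23.3
 tunnel remote 10.0.12.1
 sa spi outbound esp 12345
 sa spi inbound esp 54321
 sa string-key outbound esp simple huawei
 sa string-key inbound esp simple huawei
"""

# Constructed faulty variant: R3 sends with the SPI that R1 also sends with.
R3_BAD = R3_STANZA.replace("sa spi outbound esp 12345", "sa spi outbound esp 54321")

PATTERNS = [
    (r"tunnel (local|remote) (\S+)$", "tunnel"),
    (r"sa spi (inbound|outbound) esp (\d+)$", "spi"),
    (r"sa string-key (inbound|outbound) esp simple (\S+)$", "key"),
    (r"esp (authentication|encryption)-algorithm (\S+)$", "esp"),
]

# (field on peer A, field on peer B) pairs that must carry the same value.
MIRRORED = [
    ("tunnel_local", "tunnel_remote"), ("tunnel_remote", "tunnel_local"),
    ("spi_outbound", "spi_inbound"), ("spi_inbound", "spi_outbound"),
    ("key_outbound", "key_inbound"), ("key_inbound", "key_outbound"),
    ("esp_authentication", "esp_authentication"),
    ("esp_encryption", "esp_encryption"),
]


def parse_manual_policy(stanza: str) -> Dict[str, str]:
    """Collect the peer-facing parameters of a proposal and manual policy."""
    params: Dict[str, str] = {}
    for raw in stanza.splitlines():
        line = raw.strip()
        for pattern, prefix in PATTERNS:
            m = re.match(pattern, line)
            if m:
                params[f"{prefix}_{m.group(1)}"] = m.group(2)
                break
    return params


def check_pair(a: Dict[str, str], b: Dict[str, str],
               name_a: str = "R1", name_b: str = "R3") -> List[str]:
    """Return a list of mismatches; an empty list means the peers mirror each other."""
    problems = []
    for key_a, key_b in MIRRORED:
        val_a, val_b = a.get(key_a), b.get(key_b)
        if val_a is None or val_b is None:
            problems.append(f"missing {name_a} {key_a} or {name_b} {key_b}")
        elif val_a != val_b and key_a.startswith("key_"):
            # Do not echo key material into logs or tickets.
            problems.append(f"{name_a} {key_a} differs from {name_b} {key_b}")
        elif val_a != val_b:
            problems.append(
                f"{name_a} {key_a}={val_a} does not match {name_b} {key_b}={val_b}")
    return problems


if __name__ == "__main__":
    r1 = parse_manual_policy(R1_STANZA)
    print("page values:", check_pair(r1, parse_manual_policy(R3_STANZA)) or "consistent")
    print("faulty copy:", check_pair(r1, parse_manual_policy(R3_BAD)))
```

Running the check against both routers' saved configurations before binding the policy to an interface catches a swapped SPI or tunnel address, which otherwise only shows up as silently dropped traffic.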
Apply the policy to the physical interface upon which traffic will be subjected to
IPsec processing.

[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ipsec policy P1

[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ipsec policy P1

Step 9 Test connectivity between the IP networks.
Observe and verify that non-interesting traffic bypasses the IPsec processing.

<R1>ping -a 10.0.11.11 10.0.33.33
PING 10.0.33.33: 56 data bytes, press CTRL_C to break
Reply from 10.0.33.33: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.0.33.33: bytes=56 Sequence=2 ttl=254 time=50 ms
Reply from 10.0.33.33: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.0.33.33: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.0.33.33: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 10.0.33.33 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/54/60 ms

<R1>display ipsec statistics esp
Inpacket count               : 0
Inpacket auth count          : 0
Inpacket decap count         : 0
Outpacket count              : 0
Outpacket auth count         : 0
Inpacket drop count          : 0
Outpacket drop count         : 0
BadAuthLen count             : 0
AuthFail count               : 0
InSAAclCheckFail count       : 0
PktDuplicateDrop count       : 0
PktSeqNoTooSmallDrop count   : 0
PktInSAMissDrop count        : 0

Observe that only the interesting traffic will be secured by the IPsec VPN.

<R1>ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=77 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=77 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=80 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=77 ms
--- 10.0.3.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 77/78/80 ms

<R1>display ipsec statistics esp
Inpacket count               : 5
Inpacket auth count          : 0
Inpacket decap count         : 0
Outpacket count              : 5
Outpacket auth count         : 0
Outpacket encap count        : 0
Inpacket drop count          : 0
Outpacket drop count         : 0
BadAuthLen count             : 0
AuthFail count               : 0
InSAAclCheckFail count       : 0
PktDuplicateDrop count       : 0
PktSeqNoTooSmallDrop count   : 0
PktInSAMissDrop count        : 0

Change the ACL to define OSPF traffic as interesting traffic.

[R1]acl 3001

[R3]acl 3001
[R3-acl-adv-3001]rule 5 permit ospf source any destination any

Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
10.0.1.0/24         Direct  0    0     D     10.0.1.1        LoopBack0
10.0.1.1/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.1.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.11.0/24        Direct  0    0     D     10.0.11.11      LoopBack1
10.0.11.11/32       Direct  0    0     D     127.0.0.1       LoopBack1
10.0.11.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
10.0.12.0/24        Direct  0    0     D     10.0.12.1       Serial1/0/0
10.0.12.1/32        Direct  0    0     D     127.0.0.1       Serial1/0/0
10.0.12.2/32        Direct  0    0     D     10.0.12.2       Serial1/0/0
10.0.12.255/32      Direct  0    0     D     127.0.0.1       Serial1/0/0
127.0.0.0/8
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

<R3>display ospf peer brief
OSPF Process 1 with Router ID 10.0.3.3
Peer Statistic Information
----------------------------------------------------------------------------
0.0.0.0    Serial2/0/0    10.0.2.2    Init
----------------------------------------------------------------------------

<R3>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 14 Routes : 14

10.0.3.0/24         Direct  0    0     D     10.0.3.3        LoopBack0
10.0.3.3/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.3.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.23.0/24        Direct  0    0     D     10.0.23.3       Serial2/0/0
10.0.23.2/32        Direct  0    0     D     10.0.23.2       Serial2/0/0
10.0.23.3/32        Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.23.255/32      Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.33.0/24        Direct  0    0     D     10.0.33.33      LoopBack1
10.0.33.33/32       Direct  0    0     D     127.0.0.1       LoopBack1
10.0.33.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

OSPF hello messages fail to be encapsulated using IPsec, causing the link
state to fail, returning OSPF to an Init state and effectively breaking the
established OSPF adjacent relationship of R1 and R3 with R2. Lab 7-5 will
introduce solutions to the problem of dynamic routing over IPsec VPN.

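The ACLs in these labs do not filter traffic; they select which flows are handed to NAT (ACL 3000) or to IPsec (ACL 3001). The following matcher is an added example, not part of the lab guide, with hypothetical function names: it evaluates the page's own rules with first-match, wildcard-mask semantics against constructed flows, including the OSPF hello that the changed ACL 3001 captures (the 224.0.0.5 destination and the protocol numbers are assumptions taken from the standards, not from the page).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL protocol keywords seen in this lab -> IP protocol number (None = any).
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}
PORT_NAMES = {"telnet": 23}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _wildcard(text: str) -> int:
    # The device prints a host wildcard as "0", short for 0.0.0.0.
    return 0 if text == "0" else _ip(text)


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None matches every IP protocol
    src: Tuple[int, int]   # (address, wildcard mask)
    dst: Tuple[int, int]
    dport: Optional[int]   # None matches every destination port


def parse_rule(line: str) -> Rule:
    tok = line.split()
    rule_id, action = int(tok[1]), tok[2]
    proto, i = None, 3
    if len(tok) > 3 and tok[3] in PROTO:   # basic ACL rules have no protocol keyword
        proto, i = PROTO[tok[3]], 4
    pairs = {"source": ANY, "destination": ANY}
    dport = None
    while i < len(tok):
        if tok[i] in pairs:
            if tok[i + 1] == "any":
                pairs[tok[i]], step = ANY, 2
            else:
                pairs[tok[i]], step = (_ip(tok[i + 1]), _wildcard(tok[i + 2])), 3
            i += step
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            name = tok[i + 2]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 3
        else:
            i += 1
    return Rule(rule_id, action, proto, pairs["source"], pairs["destination"], dport)


def _covers(pair: Tuple[int, int], addr: int) -> bool:
    base, wild = pair
    care = ~wild & 0xFFFFFFFF          # wildcard bit 0 means "must match"
    return (addr & care) == (base & care)


def first_match(rules, proto, src, dst, dport=None) -> Optional[Rule]:
    """Return the lowest-numbered rule that matches the flow, or None."""
    s, d = _ip(src), _ip(dst)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if _covers(rule.src, s) and _covers(rule.dst, d):
            return rule
    return None


def selected(rules, proto, src, dst, dport=None) -> bool:
    """True when the flow hits a permit rule, i.e. it is translated or protected."""
    hit = first_match(rules, proto, src, dst, dport)
    return hit is not None and hit.action == "permit"


# Rules copied from the page's configuration listings.
ACL_3000 = [parse_rule(text) for text in (
    "rule 5 permit tcp source 10.0.4.254 0 destination 119.84.111.3 0 destination-port eq telnet",
    "rule 10 permit ip source 10.0.4.0 0.0.0.255",
    "rule 15 deny ip",
)]
ACL_3001_STEP5 = [parse_rule(
    "rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255")]
ACL_3001_OSPF = [parse_rule("rule 5 permit ospf source any destination any")]

if __name__ == "__main__":
    # Constructed flows: label, ACL, protocol number, source, destination, port.
    for label, acl, proto, src, dst, port in (
        ("S1 telnet to R3", ACL_3000, 6, "10.0.4.254", "119.84.111.3", 23),
        ("ping -a 10.0.11.11 10.0.33.33", ACL_3001_STEP5, 1, "10.0.11.11", "10.0.33.33", None),
        ("ping -a 10.0.1.1 10.0.3.3", ACL_3001_STEP5, 1, "10.0.1.1", "10.0.3.3", None),
        ("OSPF hello from R3", ACL_3001_OSPF, 89, "10.0.23.3", "224.0.0.5", None),
    ):
        print(f"{label:32} selected={selected(acl, proto, src, dst, port)}")
```

The last flow shows why the adjacency drops to Init: once `permit ospf source any destination any` is the security ACL, the hello itself is selected for the manual tunnel instead of being delivered to the directly connected neighbor.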
Final Configuration

<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy P1 10 manual
 security acl 3001
 proposal tran1
 tunnel local 10.0.12.1
 tunnel remote 10.0.23.3
 sa spi inbound esp 12345
 sa string-key inbound esp simple huawei
 sa spi outbound esp 54321
 sa string-key outbound esp simple huawei
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode pap
 ip address 10.0.12.1 255.255.255.0
 ipsec policy P1
 baudrate 128000
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.0
#
interface LoopBack1
 ip address 10.0.11.11 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.1.0 0.0.0.255
  network 10.0.11.0 0.0.0.255
  network 10.0.12.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
 authentication-mode aaa
#
return

<R2>display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
interface Serial1/0/0
 link-protocol ppp
 ppp pap local-user huawei password cipher %$%$u[hr6d<JVHR@->T7xr1<$.iv%$%$
 ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
 link-protocol ppp
 ppp chap user huawei
 ppp chap password cipher %$%$e{5h)gh"/Uz0mUC%vEx3$4<m%$%$
 ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.12.0 0.0.0.255
  network 10.0.23.0 0.0.0.255
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return

<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
acl number 3001
rule 5 permit ospf
#
ipsec proposal tran1
esp authentication-algorithm sha1
sa string-key outbound esp simple huawei
#
interface Serial2/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 10.0.23.3 255.255.255.0
ipsec policy P1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 10.0.33.33 255.255.255.0
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.3.0 0.0.0.255
network 10.0.23.0 0.0.0.255
network 10.0.33.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return

Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of an ACL to support GRE encapsulation.
Establishment of a tunnel interface for GRE.
Implementation of the GRE keepalive feature.

Topology

Figure 3.5 Dynamic routing with GRE topology

Scenario

A requirement has been made to allow networks from other offices to be
advertised to the HQ. Following the implementation of IPsec VPN solutions, it
was discovered that this was not possible. After some consultation the
administrator has been advised to implement a GRE solution over the existing
IPsec network to enable the enterprise offices to truly operate as a single
administrative domain.

Tasks
Note: It is a prerequisite that lab 3-4 be completed before attempting this lab.
[R3]acl 3001
[R3-acl-adv-3001]rule 5 permit gre source 10.0.23.3 0 destination 10.0.12.1 0

Step 2 Configure a tunnel interface.

Create a tunnel interface and specify GRE as the encapsulation type. Set the
tunnel source address or source interface, and set the tunnel destination
address.

[R1]interface Tunnel 0/0/1
[R1-Tunnel0/0/1]ip address 100.1.1.1 24
[R1-Tunnel0/0/1]tunnel-protocol gre
[R1-Tunnel0/0/1]source 10.0.12.1
[R1-Tunnel0/0/1]destination 10.0.23.3

[R3]interface Tunnel 0/0/1
[R3-Tunnel0/0/1]ip address 100.1.1.2 24
[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.12.1

Step 3 Configure a second OSPF process to route the tunnel.

Add the tunnel interface network to the OSPF 1 process, and create a second
OSPF instance of the link state database (process 2) for the 10.0.12.0 and
10.0.23.0 networks. Be sure to remove these networks from OSPF 1.

[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]undo network 10.0.12.0 0.0.0.255
[R1]ospf 2 router-id 10.0.1.1
[R1-ospf-2]area 0
[R1-ospf-2-area-0.0.0.0]network 10.0.12.0 0.0.0.255

[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]undo network 10.0.23.0 0.0.0.255
[R3]ospf 2 router-id 10.0.3.3
[R3-ospf-2]area 0
[R3-ospf-2-area-0.0.0.0]network 10.0.23.0 0.0.0.255

OSPF LSDB are significant only to the local router, therefore allowing routes
from OSPF LSDB 2 of R1 and R3 to reach OSPF LSDB 1 of R2.

Line protocol current state : UP
Last line protocol up time : 2013-12-17 17:10:16
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 100.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.0.12.1 (Serial1/0/0), destination 10.0.23.3
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2013-12-17 17:35:39
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 9 bytes/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bytes/sec, 0 packets/sec

keepalive disabled
Checksumming of packets disabled
Current system time: 2013-12-17 17:36:44
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 9 bytes/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
162 packets output, 14420 bytes, 15 drops
Input bandwidth utilization : --
Output bandwidth utilization : --

Step 4 Verify that the routes are being carried via GRE

Run the display ip routing-table command to check the IPv4 routing table.

<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 21 Routes : 21

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
10.0.1.1/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.1.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.3.3/32         OSPF    10   1562  D     100.1.1.2       Tunnel0/0/1
10.0.11.0/24        Direct  0    0     D     10.0.11.11      LoopBack1
10.0.11.11/32       Direct  0    0     D     127.0.0.1       LoopBack1
10.0.11.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

<R3>display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
Destinations : 21 Routes : 21

Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
10.0.1.1/32         OSPF    10   1562  D     100.1.1.1       Tunnel0/0/1
10.0.2.2/32         OSPF    10   1562  D     10.0.23.2       Serial2/0/0
10.0.3.0/24         Direct  0    0     D     10.0.3.3        LoopBack0
10.0.3.3/32         Direct  0    0     D     127.0.0.1       LoopBack0
10.0.3.255/32       Direct  0    0     D     127.0.0.1       LoopBack0
10.0.11.11/32       OSPF    10   1562  D     100.1.1.1       Tunnel0/0/1
10.0.12.0/24
10.0.23.0/24        Direct  0    0     D     10.0.23.3       Serial2/0/0
10.0.23.2/32        Direct  0    0     D     10.0.23.2       Serial2/0/0
10.0.23.3/32        Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.23.255/32      Direct  0    0     D     127.0.0.1       Serial2/0/0
10.0.33.33/32       Direct  0    0     D     127.0.0.1       LoopBack1
10.0.33.255/32      Direct  0    0     D     127.0.0.1       LoopBack1
100.1.1.0/24        Direct  0    0     D     100.1.1.2       Tunnel0/0/1
100.1.1.255/32      Direct  0    0     D     127.0.0.1       Tunnel0/0/1
127.0.0.0/8         Direct  0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D     127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0     D     127.0.0.1       InLoopBack0

After a GRE tunnel is set up, the router can exchange OSPF packets through
the GRE tunnel. Clear the IPsec statistics and test the connection.

<R1>reset ipsec statistics esp
[R1]ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=69 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=255 time=68 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=255 time=68 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=255 time=68 ms
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 68/68/70 ms

<R1>display ipsec statistics esp
Inpacket count : 8
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 8
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count : 0
PktInSAMissDrop count : 0

GRE encapsulates all OSPF traffic, including the hello packets, over IPsec; the
gradual increment of the IPsec ESP statistics verifies this.
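
The model below is an added example, not part of the lab guide: it evaluates the security ACL rules shown on this page against constructed packets, to show why the OSPF hello only reaches ESP once it travels inside the GRE tunnel. The helper names (parse_rule, selected_for_ipsec, gre_encapsulate) and the packet model are hypothetical; "rule 5 permit ospf" is the rule shown in R3's configuration at the end of the previous lab.

```python
"""Model of a VRP advanced-ACL rule used as an IPsec security ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA IP protocol numbers; "ip" matches any protocol
PROTOCOLS = {"ip": None, "icmp": 1, "gre": 47, "ospf": 89}
AddrSpec = Optional[Tuple[int, int]]  # (address, wildcard) as integers; None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str
    proto: Optional[int]
    src: AddrSpec
    dst: AddrSpec


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_rule(text: str) -> Rule:
    """Parse 'rule <id> permit|deny <proto> [source A W] [destination A W]'."""
    tok = text.split()
    if (len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny")
            or tok[3] not in PROTOCOLS):
        raise ValueError(f"unsupported rule: {text!r}")
    spec = {"source": None, "destination": None}
    i = 4
    while i < len(tok):
        key = tok[i]
        if key not in spec or i + 1 >= len(tok):
            raise ValueError(f"unsupported rule: {text!r}")
        if tok[i + 1] == "any":
            i += 2
            continue
        if i + 2 >= len(tok):
            raise ValueError(f"missing wildcard in rule: {text!r}")
        # a wildcard written as "0" means 0.0.0.0, i.e. an exact host match
        wild = 0 if tok[i + 2] == "0" else _ip(tok[i + 2])
        spec[key] = (_ip(tok[i + 1]), wild)
        i += 3
    return Rule(int(tok[1]), tok[2], PROTOCOLS[tok[3]], spec["source"], spec["destination"])


def _addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)


def selected_for_ipsec(rules, pkt: Packet) -> bool:
    """True when the first matching rule is a permit, i.e. the packet is handed to ESP."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if (rule.proto in (None, pkt.proto)
                and _addr_match(rule.src, pkt.src)
                and _addr_match(rule.dst, pkt.dst)):
            return rule.action == "permit"
    return False  # no match: forwarded without IPsec protection


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """The ACL only sees the outer header: tunnel endpoints and protocol 47."""
    return Packet(tunnel_src, tunnel_dst, PROTOCOLS["gre"])


# Rules as they appear on the page
OSPF_ACL = [parse_rule("rule 5 permit ospf")]
R1_GRE_ACL = [parse_rule("rule 5 permit gre source 10.0.12.1 0 destination 10.0.23.3 0")]
R3_GRE_ACL = [parse_rule("rule 5 permit gre source 10.0.23.3 0 destination 10.0.12.1 0")]

# Constructed packets as R1 would send them out of Serial1/0/0
NATIVE_HELLO = Packet("10.0.12.1", "224.0.0.5", 89)  # hello sent directly on the link
TUNNEL_HELLO = Packet("100.1.1.1", "224.0.0.5", 89)  # hello sourced from Tunnel0/0/1
TUNNEL_PING = Packet("10.0.1.1", "10.0.3.3", 1)      # ping -a 10.0.1.1 10.0.3.3


def demo() -> dict:
    def wrap(p):
        return gre_encapsulate(p, "10.0.12.1", "10.0.23.3")
    return {
        "previous lab ACL selects the multicast hello itself": selected_for_ipsec(OSPF_ACL, NATIVE_HELLO),
        "GRE ACL selects a native hello": selected_for_ipsec(R1_GRE_ACL, NATIVE_HELLO),
        "GRE ACL selects the hello inside GRE": selected_for_ipsec(R1_GRE_ACL, wrap(TUNNEL_HELLO)),
        "GRE ACL selects the ping inside GRE": selected_for_ipsec(R1_GRE_ACL, wrap(TUNNEL_PING)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the rule from the previous lab, the multicast hello itself is selected, which is the case the page reports IPsec failing to encapsulate; with the GRE rule only the unicast outer packet between 10.0.12.1 and 10.0.23.3 is selected, and the hello rides inside it.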
Verify that the keepalive feature has been enabled on the tunnel interface.
Encapsulation is TUNNEL, loopback not set
Tunnel source 10.0.12.1 (Serial1/0/0), destination 10.0.23.3
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 3 retry-times 3
Checksumming of packets disabled
Current system time: 2013-12-18 11:05:49
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 8 bytes/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bytes/sec, 0 packets/sec
0 packets input, 0 bytes, 0 drops
503 packets output, 47444 bytes, 0 drops
Input bandwidth utilization : --
Output bandwidth utilization : --

Final Configuration

<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
acl number 3001
rule 5 permit gre source 10.0.12.1 0 destination 10.0.23.3 0
#
esp authentication-algorithm sha1
#
ipsec policy P1 10 manual
security acl 3001
proposal tran1
ip address 10.0.12.1 255.255.255.0
ipsec policy P1
baudrate 128000
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.0.11.11 255.255.255.0
#
interface Tunnel0/0/1
ip address 100.1.1.1 255.255.255.0
tunnel-protocol gre
keepalive period 3
source 10.0.12.1
destination 10.0.23.3
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.11.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
ospf 2 router-id 10.0.1.1
area 0.0.0.0
network 10.0.12.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return
<R2>display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
interface Serial1/0/0
link-protocol ppp
ppp pap local-user huawei password cipher %$%$u[hr6d<JVHR@->T7xr1<$.iv%$%$
ip address 10.0.12.2 255.255.255.0
#
interface Serial2/0/0
link-protocol ppp
ppp chap user huawei
ppp chap password cipher %$%$e{5h)gh"/Uz0mUC%vEx3$4<m%$%$
ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.23.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return

<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
tunnel local 10.0.23.3
tunnel remote 10.0.12.1
sa spi inbound esp 54321
sa string-key inbound esp simple huawei
sa spi outbound esp 12345
sa string-key outbound esp simple huawei
#
interface Serial2/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 10.0.23.3 255.255.255.0
ipsec policy P1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 10.0.33.33 255.255.255.0
#
interface Tunnel0/0/1
ip address 100.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.23.3
destination 10.0.12.1
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.33.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
ospf 2 router-id 10.0.3.3
area 0.0.0.0

Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of an SNMP agent for a network element.
Configuration of SNMP agent traps.
Application of the NMS in managing network elements.

Topology

Figure 4.1 Network management with SNMP topology

Scenario

With the continued growth of the enterprise network it has become apparent
that new measures need to be taken to manage and monitor the health of the
observe the basic capability of the NMS solution to monitor devices, before
deploying the solution in the enterprise network.

Tasks
If you are starting this section with a non-configured device, begin here and
then move to step 3. For those continuing from previous labs, begin at step 2.

<Huawei>system-view
[Huawei]sysname R1
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
[Huawei]sysname R3
[R3]interface LoopBack 0
[R3-LoopBack0]ip address 10.0.3.3 24

[R1-Serial1/0/0]shutdown
[R1-Serial1/0/0]quit
[R1]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y
[R1]undo ospf 2
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

[R3]interface Serial 2/0/0
[R3-Serial2/0/0]shutdown
[R3-Serial2/0/0]quit
[R3]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y
[R3]undo ospf 2
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

Configure the IP address and route on the router, and make sure the route
between the device and the NMS is reachable.

[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

[R3]ospf 1 router-id 10.0.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

Test the network connectivity.

[R1]ping 10.0.13.254
PING 10.0.13.254: 56
Reply from 10.0.13.254: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.0.13.254: bytes=56 Sequence=2 ttl=128 time=1 ms
Reply from 10.0.13.254: bytes=56 Sequence=3 ttl=128 time=10 ms
Reply from 10.0.13.254: bytes=56 Sequence=4 ttl=128 time=1 ms
Reply from 10.0.13.254: bytes=56 Sequence=5 ttl=128 time=1 ms
--- 10.0.13.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
round-trip min/avg/max = 1/2/10 ms

Enable the SNMP agent and configure SNMPv2c as the version on R1.

[R1]snmp-agent
[R1]snmp-agent sys-info version v2c

Configure the SNMP read and write communities.

[R1]snmp-agent community read public
[R1]snmp-agent community write private

Enable the trap function of R1. Configure contact information about the
device administrator.

[R1]snmp-agent trap enable
Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[R1]snmp-agent trap queue-size 200
[R1]snmp-agent trap life 60
[R1]snmp-agent target-host trap-hostname NMS address 10.0.13.254 trap-paramsname public
[R1]snmp-agent target-host trap-paramsname public v2c securityname public
[R1]snmp-agent sys-info contact Call the operator at 010-12345678

After the configuration is complete, run the following commands to verify that
the configuration has taken effect.

<R1>display snmp-agent sys-info
The contact person for this managed node:
Call the operator at 010-12345678
The physical location of this node:
Shenzhen China
SNMP version running in the system:
SNMPv2c

<R1>display snmp-agent community write
Community name: %$%$ZR)y~^VY9I"~n`=b`KR1(OX%%$%$
Storage type: nonVolatile
View name: ViewDefault
Total number is 1

Parameter list trap target host:
Parameter name of the target host: public
Message mode of the target host: SNMPV2C
Trap version of the target host: v2c
Security name of the target host: public
Total number is 1

Step 5 Configure Network Elements on the NMS

Under the Resource > Add Device > Single path, add the Network Element
(NE) R1 and R3 to the NMS, and configure the SNMP parameters as shown.

Verify that the Network Elements have been added to the NMS under the
Resource > Resource Management > Equipment Resources > NE Resources
path.

Select the Interface Manager option under Device Config in the resource menu
to the left of the screen. The given output represents a scenario in which all
labs throughout the lab guide have been completed in succession, thus
producing multiple addresses.

Optionally, if the AAA authentication is not present on the VTY interface of R1
and/or R3, a simple telnet authentication process can be applied as follows
before registering the telnet parameters in the NMS.

[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password
[R1-ui-vty0-4]set authentication password cipher huawei
[R1-ui-vty0-4]user privilege level 0

The telnet feature in the Basic Information panel of the resource menu grants
remote management of the NE via the NMS; however, privileges currently
prevent configuration.

If the AAA configuration has been maintained from lab 7-3, first increase the
privilege from level 0 to level 3.
[R1]aaa
[R1-aaa]local-user user1@huawei privilege level 3

Step 6 Manage Basic NMS Trap Functions

Changes that occur to the NE can be monitored in the NMS using traps which
trigger alarms. Select the Alarm List from the view panel from the resource
menu.

Currently no alarms are recorded. Access the NE through the telnet feature in
the NMS and shut down the loopback 0 interface to trigger alarms on the NMS.

[R1]interface LoopBack 0
[R1-LoopBack0]shutdown
[R1-LoopBack0]undo shutdown

Verify that the relevant alarms have been generated in the Alarm List for the
resource, once the interface state has been changed.

#
snmp-agent local-engineid 800007DB0354899876830A
snmp-agent community read %$%$><Oc4D:9(4}bjw"Bu'd7(ONp%$%$
snmp-agent community write %$%$ZR)y~^VY9I"~n`=b`KR1(OX%%$%$
snmp-agent sys-info contact Call the operator at 010-12345678
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NMS address 10.0.13.254 udp-port 162 trap-paramsname public
snmp-agent target-host trap-paramsname public v2c securityname public
snmp-agent trap enable
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent
#
aaa
authentication-scheme default
authentication-scheme auth1
authorization-scheme default
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
local-user huawei service-type ppp
local-user user1@huawei password cipher %$%$^L*5IP'0^A!;R)R*L=LFcXgv%$%$
local-user user1@huawei privilege level 3
local-user user1@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 10.0.13.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return

<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
snmp-agent local-engineid 800007DB03548998768222
snmp-agent community write %$%$,CnkQV6[!*c.&0/wn>HU(b{n%$%$
snmp-agent sys-info contact Call the operator at 010-12345678
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NMS address 10.0.13.254 udp-port 162 trap-paramsname public
authorization-scheme auth2
accounting-scheme default
domain default
domain default_admin
domain huawei
authentication-scheme auth1
authorization-scheme auth2
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user admin service-type http
local-user huawei password cipher %$%$fZsyUk1=O=>:L4'ytgR~D*Im%$%$
local-user huawei service-type ppp
local-user user3@huawei password cipher %$%$WQt.;bEsR<8fz3LCiPY,che_%$%$
local-user user3@huawei privilege level 3
local-user user3@huawei service-type telnet
#
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.3.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return
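
The audit pass below is an added example, not part of the lab guide: it reads both CLI transcripts and saved configurations and flags the settings these labs leave in place (SNMPv2c with the communities public and private, a write community, manual IPsec SAs with `simple` string keys and 3DES/SHA-1, Telnet local users, and a VTY guarded only by a shared password). The sample input is constructed from commands shown in this guide with the cipher value replaced by a placeholder; the rule identifiers and the audit() helper are hypothetical, and the IPsec prompt-view patterns are an assumption.

```python
"""Audit pass over Huawei VRP CLI transcripts and saved configurations (added example)."""
import re

# (rule id, regex on the enclosing view/section or None, regex on the command, finding)
RULES = [
    ("snmp-v2c", None, r"^snmp-agent sys-info version .*\bv(1|2c)\b",
     "SNMPv1/v2c: the community string is the only credential and is sent in cleartext"),
    ("snmp-default-community", None, r"^snmp-agent community (read|write) (public|private)$",
     "well-known default community name"),
    ("snmp-write", None, r"^snmp-agent community write ",
     "write community permits SET operations on the device"),
    ("ipsec-manual", None, r"^ipsec policy \S+ \d+ manual$",
     "manual SA: static keys, no IKE negotiation or rekeying"),
    ("ipsec-simple-key", r"^ipsec[ -]policy", r"^sa string-key \S+ \S+ simple ",
     "SA key is kept in cleartext in the configuration"),
    ("esp-legacy-cipher", r"^ipsec[ -]proposal", r"^esp encryption-algorithm (des|3des)$",
     "legacy ESP cipher"),
    ("esp-legacy-hash", r"^ipsec[ -]proposal", r"^esp authentication-algorithm (md5|sha1)$",
     "legacy ESP integrity algorithm"),
    ("telnet-user", None, r"^local-user \S+ service-type .*\btelnet\b",
     "Telnet management sessions are cleartext"),
    ("vty-shared-password", r"^(user-interface vty|ui-vty)", r"^authentication-mode password$",
     "VTY protected by one shared password instead of per-user AAA"),
]

# "[R1-ui-vty0-4]cmd" or "<R1>cmd": device name, optional view, command
PROMPT = re.compile(r"^[\[<](?P<dev>\w+)(?:-(?P<view>[^\]>]+))?[\]>](?P<cmd>.*)$")
# Lines that open a section in a saved configuration
SECTION = re.compile(
    r"^(interface |user-interface |ipsec proposal |ipsec policy \S+ \d+|ospf |acl |aaa$)")


def audit(text):
    """Return (device, line number, rule id, finding) tuples for every rule hit."""
    findings = []
    device, context = "?", ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        prompt = PROMPT.match(line)
        if prompt:
            cmd = prompt["cmd"].strip()
            if not cmd:  # e.g. the "[V200R003C00SPC200]" version banner
                continue
            device, context = prompt["dev"], prompt["view"] or ""
        else:
            cmd = line
            if cmd == "#":  # section separator in a saved configuration
                context = ""
                continue
            if cmd.startswith("sysname "):
                device = cmd.split()[1]
            if SECTION.match(cmd):
                context = cmd
        for rule_id, ctx, pattern, message in RULES:
            if ctx and not re.search(ctx, context):
                continue
            if re.search(pattern, cmd):
                findings.append((device, lineno, rule_id, message))
    return findings


# Constructed sample: transcript lines followed by a saved configuration
SAMPLE = """\
[R1]snmp-agent sys-info version v2c
[R1]snmp-agent community read public
[R1]snmp-agent community write private
[R1-ui-vty0-4]authentication-mode password
<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy P1 10 manual
security acl 3001
sa string-key inbound esp simple huawei
#
snmp-agent community write %$%$<cipher-placeholder>%$%$
snmp-agent sys-info version v2c
#
aaa
local-user user1@huawei service-type telnet
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
authentication-mode aaa
#
return
"""

if __name__ == "__main__":
    for device, lineno, rule_id, message in audit(SAMPLE):
        print(f"{device} line {lineno}: [{rule_id}] {message}")
```

The saved configuration stores community names in cipher form, so the default names public and private are only detectable in the transcript; that is why the pass accepts both inputs.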
Learning Objectives
As a result of this lab section, you should achieve the following tasks:
Configuration of basic IPv6 addressing.
Configuration of the OSPFv3 routing protocol.
Configuration of DHCPv6 server functions.
Verification of the results using IPv6 display commands.

Topology

Figure 5-1 IPv6 topology

Scenario

In line with plans for deployment of solutions for next generation networks, it
has been decided that the enterprise network should implement an IPv6
design to the existing infrastructure. As the administrator you have been
tasked with the job of implementing the addressing scheme and routing for
IPv6, as well as providing stateful addressing solutions for IPv6.

Tasks

Step 1 Preparing the environment

If you are starting this section with a non-configured device, begin here and
then move to step 2. For those continuing from previous labs, begin at step 2.

<huawei>system-view
[huawei]sysname R1

<huawei>system-view
[huawei]sysname R2

<huawei>system-view
[huawei]sysname R3

Step 2 Configure IPv6 addressing

Establish IPv6 global unicast addressing on the loopback interfaces and
manually configure link local addressing on interface Gigabit Ethernet 0/0/0 of
all routers.

[R1]ipv6
[R1]interface loopback 0
[R1-LoopBack0]ipv6 enable
[R1-LoopBack0]ipv6 address 2001:1::A 64
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ipv6 enable
[R1-GigabitEthernet0/0/0]ipv6 address fe80::1 link-local

[R2]ipv6
[R2]interface loopback 0
[R2-LoopBack0]ipv6 enable
[R2-LoopBack0]ipv6 address 2001:2::B 64
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipv6 enable
[R2-GigabitEthernet0/0/0]ipv6 address fe80::2 link-local

[R3]ipv6
[R3]interface loopback 0
[R3-LoopBack0]ipv6 enable
[R3-LoopBack0]ipv6 address 2001:3::C 64
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ipv6 enable
[R3-GigabitEthernet0/0/0]ipv6 address fe80::3 link-local

<R1>display ipv6 interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::1
No global unicast address configured
Joined group address(es):
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

IPv6 interfaces become part of various multicast groups for support of
stateless address auto-configuration (SLAAC). The Network Discovery (ND)
Duplicate Address Detection (DAD) verifies the link local address is unique.

Enable the OSPFv3 process and specify its router ID on R1, R2 and R3.
OSPFv3 must then be enabled on the interface.
[R1]ospfv3 1
[R1-ospfv3-1]router-id 1.1.1.1
[R1-ospfv3-1]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ospfv3 1 area 0
[R1-GigabitEthernet0/0/0]quit
[R1]interface loopback 0
[R1-LoopBack0]ospfv3 1 area 0

[R2]ospfv3 1
[R2-ospfv3-1]router-id 2.2.2.2
[R2-ospfv3-1]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ospfv3 1 area 0
[R2-GigabitEthernet0/0/0]quit
[R2]interface loopback 0
[R2-LoopBack0]ospfv3 1 area 0

[R3]ospfv3 1
[R3-ospfv3-1]router-id 3.3.3.3
[R3-ospfv3-1]quit
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ospfv3 1 area 0
[R3-GigabitEthernet0/0/0]quit
[R3]interface loopback 0
[R3-LoopBack0]ospfv3 1 area 0

Run the display ospfv3 peer command on R1 and R3 to verify the OSPFv3
peering has been established.

<R1>display ospfv3 peer
OSPFv3 Area (0.0.0.0)
Neighbor ID     Pri  State          Dead Time  Interface  Instance ID
2.2.2.2         1    Full/Backup    00:00:30   GE0/0/0    0
3.3.3.3         1    Full/DROther   00:00:40   GE0/0/0    0

If 1.1.1.1 is not currently the DR, the following command can be used to reset
the OSPFv3 process.

<R1>reset ospfv3 1 graceful-restart

Test connectivity to the peer link local address and the global unicast address
of interface LoopBack 0.

<R1>ping ipv6 fe80::3 -i GigabitEthernet 0/0/0
PING fe80::3 : 56 data bytes, press CTRL_C to break
Reply from FE80::3
bytes=56 Sequence=1 hop limit=64 time = 2 ms
Reply from FE80::3
bytes=56 Sequence=2 hop limit=64 time = 2 ms
Reply from FE80::3
bytes=56 Sequence=3 hop limit=64 time = 11 ms
Reply from FE80::3
bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from FE80::3
bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- fe80::3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/11 ms

<R1>ping ipv6 2001:3::C
PING 2001:3::C : 56 data bytes, press CTRL_C to break
Reply from 2001:3::C
Reply from 2001:3::C
bytes=56 Sequence=2 hop limit=64 time = 6 ms
Reply from 2001:3::C
bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001:3::C

[R2]dhcp enable
[R2]dhcpv6 pool pool1
[R2-dhcpv6-pool-pool1]address prefix 2001:FACE::/64
[R2-dhcpv6-pool-pool1]dns-server 2001:444e:5300::1
[R2-dhcpv6-pool-pool1]excluded-address 2001:FACE::1
[R2-dhcpv6-pool-pool1]quit

Configure IPv6 functions on the GigabitEthernet 0/0/0 interface.
Enable the DHCPv6 server function on the interface.

[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ipv6 address 2001:FACE::1 64
[R2-GigabitEthernet0/0/0]dhcpv6 server pool1

Enable the DHCPv6 client function on R1 and R3 so that devices can obtain
IPv6 addresses using DHCPv6.

[R1]dhcp enable
[R1]interface gigabitethernet 0/0/0
[R1-GigabitEthernet0/0/0]ipv6 address auto dhcp

[R3]dhcp enable
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ipv6 address auto dhcp

Run the display dhcpv6 pool command on R2 to check information about the
DHCPv6 address pool.

Information refresh time: 86400
DNS server address: 2001:444E:5300::1
Conflict-address expire-time: 172800
Active normal clients: 2

Run the display ipv6 interface brief command on R1 and R3 to check the
IPv6 address information.

[R1]display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical   Protocol
GigabitEthernet0/0/0         up         up
[IPv6 Address] 2001:FACE::2
LoopBack0                    up         up(s)
[IPv6 Address] 2001:1::A

[R3]display ipv6 interface brief
*down: administratively down
(l): loopback
(s): spoofing
Interface                    Physical   Protocol
GigabitEthernet0/0/0         up         up
[IPv6 Address] 2001:FACE::3
LoopBack0                    up         up(s)
[IPv6 Address] 2001:3::C

Final Configuration
<R1>display current-configuration
[V200R003C00SPC200]
#
sysname R1
#
ipv6
#
dhcp enable
#
ospfv3 1
router-id 1.1.1.1
#
interface GigabitEthernet0/0/0
ipv6 enable
ip address 10.0.13.1 255.255.255.0
ipv6 address FE80::1 link-local
ospfv3 1 area 0.0.0.0
ipv6 address auto dhcp
#
interface LoopBack0
ipv6 enable
ip address 10.0.1.1 255.255.255.0
ipv6 address 2001:1::A/64
ospfv3 1 area 0.0.0.0
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return

<R2>display current-configuration
[V200R003C00SPC200]
#
sysname R2
#
ipv6
#
dhcp enable
#
dhcpv6 pool pool1
address prefix 2001:FACE::/64
excluded-address 2001:FACE::1
dns-server 2001:444E:5300::1
#
ospfv3 1
router-id 2.2.2.2
#
interface GigabitEthernet0/0/0
ipv6 enable
ip address 10.0.13.2 255.255.255.0
ipv6 address 2001:FACE::1/64
ipv6 address FE80::2 link-local
ospfv3 1 area 0.0.0.0
traffic-filter inbound acl 3000
dhcpv6 server pool1
#
interface LoopBack0
ipv6 enable
ip address 10.0.2.2 255.255.255.0
ipv6 address 2001:2::B/64
ospfv3 1 area 0.0.0.0
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
user-interface vty 0 4
#
return
<R3>display current-configuration
[V200R003C00SPC200]
#
sysname R3
#
ipv6
#
dhcp enable
#
ospfv3 1
router-id 3.3.3.3
#
interface GigabitEthernet0/0/0
ipv6 enable
ip address 10.0.13.3 255.255.255.0
ipv6 address FE80::3 link-local
ospfv3 1 area 0.0.0.0
ipv6 address auto dhcp
#
interface LoopBack0
ipv6 enable
ip address 10.0.3.3 255.255.255.0
ipv6 address 2001:3::C/64
ospfv3 1 area 0.0.0.0
#
user-interface con 0
authentication-mode password
set authentication password cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
user-interface vty 0 4
authentication-mode aaa
#
return