HCNA Intermediate Lab PDF

The privilege of HCNA/HCNP/HCIE: e n
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
m /
1Comprehensive E-Learning Courses c o
i .
ContentAll Huawei Career Certification E-Learning courses
w e

u a
Methods to get the E-learning privilege : submit Huawei Account and email being used for Huawei Account
registration to Learning@huawei.com .
. h
2 Training Material Download
n g

n i
Content: Huawei product training material and Huawei career certification training material
a r
MethodLogon http://learning.huawei.com/en and enter HuaWei Training/Classroom Training ,then you can
e

l
download training material in the specific training introduction page.
3 Priority to participate in Huawei Online Open Class(LVC) //
p : all ICT technical domains like R&S, UC&C, Security,

t tprofessional instructors
ContentThe Huawei career certification training covering
Storage and so on, which are conducted by Huawei
h

s :
MethodThe plan and participate method please refer to LVC Open Courses Schedule
4Learning Tool: eNSP
c e
eNSP (Enterprise Network Simulation r Platform) is a graphical network simulation tool which is developed by

u
o mainly simulates enterprise routers, switches as close to the real hardware as
Huawei and free of charge. eNSP
it possible, which makes the e
s
R lab practice available and easy without any real device.
Huawei experts , share n

g
In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with
n i exam experiences with others or be acquainted with Huawei Products(
r
http://support.huawei.com/ecommunity/
a
Le
r e TECHNOLOGIES CO., LTD. Huawei Confidential
o
HUAWEI 1
Huawei Certification
HCNA-HNTD / e
om
INTERMEDIATE . c
e i
u aw
. h
Huawei Networking Technology and Device
n g
Lab Guide n i
a r
l e
/ /
p :
t
ht
s:
c e
u r
s o
Re
n g
rni
e a
L
r e
Mo
Huawei Technologies Co.,Ltd
Copyright Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by

any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
/ e
and other Huawei trademarks are trademarks of Huawei Technologies
om
Co., Ltd. All other trademarks and trade names mentioned in this document
. c
i
are the property of their respective holders.
e
aw
Notice
h u
The information in this document is subject to change without notice. Every
g.
effort has been made in the preparation of this document to ensure accuracy of
i n
the contents, but all statements, information, and recommendations in this
n
document do not constitute the warranty of any kind, express or implied.
e ar
l
: //
p
h tt
Huawei Certification
s:
HCNA-HNTD Huawei c eNetworking Technology and Device
u r
s o Intermediate Lab Guide
Re
n g Version 2.0
n i
a r
Le
r e
Mo
Huawei Certification System
Relying on its strong technical and professional training and certification system
and in accordance with customers of different ICT technology levels, Huawei
certification is committed to providing customers with authentic, professional
certification, and addresses the need for the development of quality engineers that
/ e
are capable of supporting enterprise networks in the face of an ever changing ICT
om
industry. The Huawei certification portfolio for routing and switching (R&S) is
. c
comprised of three levels to support and validate the growth and value of customer
e i
aw
skills and knowledge in routing and switching technologies.
h u
The Huawei Certified Network Associate (HCNA) certification validates the skills
and knowledge of IP network engineers to implement and support small to
g.
i n
medium-sized enterprise networks. The HCNA certification provides a rich
n
ar
foundation of skills and knowledge for the establishment of such enterprise
l e
networks, along with the capability to implement services and features within
existing enterprise networks, to effectively support true industry operations.
: //
p
HCNA certification covers fundamental skills for TCP/IP, routing, switching and
h tt
related IP network technologies, together with Huawei data communications
products, and skills for versatile routing platform (VRP) operation and
management.
s:
c e
r
The Huawei Certified Network Professional (HCNP-R&S (HCDP)) certification is
u
s o
aimed at enterprise network engineers involved in design and maintenance, as well
as professionals who wish to develop an in depth knowledge of routing, switching,
R e
network efficiency and optimization technologies. HCNP-R&S consists of three
g
units including Implement Enterprise Switch Network (IESN), Implement Enterprise
n
i
Routing Network (IERN), and Improving Enterprise Network Performance (IENP),
n
a rwhich includes advanced IPv4 routing and switching technology principles,
Le
network security, high availability and QoS, as well as application of the covered
technologies in Huawei products.
r e
Mo
The Huawei Certified Internet Expert (HCIE-R&S) certification is designed to imbue
engineers with a variety of IP network technologies and proficiency in maintenance,
for the diagnosis and troubleshooting of Huawei products, to equip engineers with
in-depth competency in the planning, design and optimization of large-scale IP
networks.
/ e
om
. c
e i
u aw
. h
n g
n i
ear
l
://
p
htt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo
Reference Icons
/ e
Router L3 Switch L2 Switch Cloud
om
. c
e i
u aw
Ethernet link Serial link
. h
n g
n i
ar
Lab environment specification
l e
//
In order to ensure that that the configuration given in this lab is supported on all
:
devices, it is recommended that the following device models and VRP versions
be used:
p
h tt
Identifier Device Model
s: VRP version
c e
R1
r
AR 2220
u
Version 5.120 (AR2200 V200R003C00SPC200)
R2
s o
AR 2220 Version 5.120 (AR2200 V200R003C00SPC200)
R e
ng
R3 AR 2220 Version 5.120 (AR2200 V200R003C00SPC200)
n i S1 S5700-28C-EI-24S Version 5.70 (S5700 V100R006C00SPC800)
ar
L e S2 S5700-28C-EI-24S Version 5.70 (S5700 V100R006C00SPC800)
r e S3 S3700-28TP-EI-AC Version 5.70 (S3700 V100R006C00SPC800)
Mo S4 S3700-28TP-EI-AC Version 5.70 (S3700 V100R006C00SPC800)

/ e
om
. c
e i
u aw
. h
n g
n i
ear
l
://
p
htt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo
HCNA-HNTD Content
CONTENTS
CHAPTER 1 ETHERNET AND VLAN ...................................................................................................... 1
LAB 1-1 ETHERNET INTERFACE AND LINK CONFIGURATION ................................................................................ 1
/ e
m
LAB 1-2 VLAN CONFIGURATION................................................................................................................ 10
LAB 1-3 GVRP CONFIGURATION ............................................................................................................... 21

c o
i .
e
LAB 1-4 VLAN ROUTING.......................................................................................................................... 33
LAB 1-5 CONFIGURING LAYER 3 SWITCHING................................................................................................. 41
u aw
CHAPTER 2 ENTERPRISE WAN CONFIGURATION .............................................................................. 56
. h
n g
i
LAB 2-1 HDLC AND PPP CONFIGURATION .................................................................................................. 56
n
ar
LAB 2-2 CONFIGURING FRAME RELAY AT THE CUSTOMER EDGE ....................................................................... 73
l e
LAB 2-3 PPPOE CLIENT SESSION ESTABLISHMENT ......................................................................................... 94
: //
CHAPTER 3 IMPLEMENTING IP SECURITY ....................................................................................... 103
p
h tt
LAB 3-1 FILTERING ENTERPRISE DATA WITH ACCESS CONTROL LISTS. .............................................................. 103
LAB 3-2 NETWORK ADDRESS TRANSLATION ............................................................................................... 114
s:
e
LAB 3-3 ESTABLISHING LOCAL AAA SOLUTIONS .......................................................................................... 124
rc
LAB 3-4 SECURING TRAFFIC WITH IPSEC VPN............................................................................................. 132
ou
s
LAB 3-5 SUPPORTING DYNAMIC ROUTING WITH GRE .................................................................................. 147
R e
CHAPTER 4 MANAGING ENTERPRISE NETWORKS ........................................................................... 158
n g
i
LAB 4-1 MANAGING NETWORKS WITH SNMP ........................................................................................... 158
r n
a CHAPTER 5 ESTABLISHING IPV6 NETWORKS................................................................................... 169
Le LAB 5-1 IMPLEMENTING IPV6 NETWORKS AND SOLUTIONS........................................................................... 169
r e
Mo
HC Series HUAWEI TECHNOLOGIES Page1

/ e
om
. c
e i
u aw
. h
n g
n i
ear
l
://
p
htt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo
HCNA-HNTD Chapter 1 Ethernet and VLAN
Chapter 1 Ethernet and VLAN
Lab 1-1 Ethernet Interface and Link Configuration
Learning Objectives
/ e
om
As a result of this lab section, you should achieve the following tasks:
. c
Manually set the line rate and duplex mode on an interface.
e i

Configuration of manual mode link aggregation.
Configuration of link aggregation using static LACP mode.
u aw
Management of the priority of interfaces in static LACP mode.
. h
n g
Topology
n i
e ar
l
: //
p
h tt
s:
c e
u r
Figure 1.1 Ethernet link aggregation topology
s o
Scenario e
R
As a n
g
n i that the connections between the switches be used more effectively
network administrator of an existing enterprise network, it has been
arby preparing the switches to support link aggregation before establishing

requested
Le manual link aggregation, for which the media between the switches are to be
r e configured as member links.
Mo

Tasks
Step 1 Perform basic configuration on the Ethernet switches.
Auto-negotiation is enabled on Huawei switch interfaces by default. The rate

and duplex mode of G0/0/9 and G0/0/10 on S1 and S2 are to be set manually.
/ e
Change the system name and view detailed information for G0/0/9 and
om
G0/0/10 on S1.
. c
<Quidway>system-view
e i
aw
[Quidway]sysname S1
[S1]display interface GigabitEthernet 0/0/9
h u
.
GigabitEthernet0/0/9 current state : UP
Line protocol current state : UP
n g
Description:HUAWEI, Quidway Series, GigabitEthernet0/0/9 Interface
n i
ar
Switch Port,PVID : 1,The Maximum Frame Length is 1600
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0018-82e1-aea6
Port Mode: COMMON COPPER
l e
//
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
p :
tt
Mdi : AUTO
Last 300 seconds input rate 752 bits/sec, 0 packets/sec
h
Last 300 seconds output rate 720 bits/sec, 0 packets/sec
s:
Input peak rate 1057259144 bits/sec,Record time: 2008-10-01 00:08:58
e
Output peak rate 1057267232 bits/sec,Record time: 2008-10-01 00:08:58
c
r
Input: 11655141 packets, 960068100 bytes
Unicast :
ou 70,Multicast : 5011357
Broadcast
es : 6643714,Jumbo : 0
R
CRC : 0,Giants : 0
Jabbers : 0,Throttles : 0
Runts
ng : 0,DropEvents : 0
ni
Alignments : 0,Symbols : 0
ar
Ignoreds : 0,Frames : 0
Le
Discard : 69,Total Error : 0
Output: 11652169 packets, 959869843 bytes
r e Unicast : 345,Multicast : 5009016
Mo
Broadcast : 6642808,Jumbo : 0
Collisions : 0,Deferreds : 0
Late Collisions : 0,ExcessiveCollisions : 0
Buffers Purged : 0
Page2 HUAWEI TECHNOLOGIES HC Series

Input bandwidth utilization threshold : 100.00%

Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.00%

/ e
om
. c
i
e
u aw
h
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
g.
Last 300 seconds input rate 1312 bits/sec, 0 packets/sec
Last 300 seconds output rate 72 bits/sec, 0 packets/sec
i n
n
ar
Input peak rate 1057256792 bits/sec,Record time: 2008-10-01 00:08:58
e
Output peak rate 1057267296 bits/sec,Record time: 2008-10-01 00:08:58
l
Unicast : 115,Multicast
: // : 5009062
p
Broadcast : 6642648,Jumbo : 0
tt
CRC : 3,Giants : 0
h
Jabbers : 0,Throttles : 0
Runts : 0,DropEvents : 0
Alignments :
s: 0,Symbols : 4
Ignoreds :
c e 0,Frames : 0
Discard :
u r 218,Total Error : 7
o
s
e
Unicast : 245,Multicast : 5011284
Broadcast
R : 6643751,Jumbo : 0
g
Collisions : 0,Deferreds : 0
i n
Late Collisions : 0,ExcessiveCollisions : 0
r n
Buffers Purged : 0
a
Le
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
r e Input bandwidth utilization : 0.01%
Mo
Output bandwidth utilization : 0.00%
Set the rate of G0/0/9 and G0/0/10 on S1 to 100 Mbit/s and configure them to
work in full duplex mode. Before changing the interface rate and duplex mode,
disable auto-negotiation.

[S1]interface GigabitEthernet 0/0/9

[S1-GigabitEthernet0/0/9]undo negotiation auto
[S1-GigabitEthernet0/0/9]speed 100
[S1-GigabitEthernet0/0/9]duplex full
[S1-GigabitEthernet0/0/9]quit
/ e
om
. c
Set the rate of G0/0/9 and G0/0/10 on S2 to 100 Mbit/s and configure them to
e i
aw
work in full duplex mode.
h u
.
[Quidway]sysname S2
n g
i
n
e ar
l
//
:
p
htt
:
Confirm that the rate and duplex mode of G0/0/9 and G0/0/10 have been set
s
on S1.
c e
r
u
o
s
e
R
ng
i
r nPort Mode: COMMON COPPER
a
L e Duplex: FULL, Negotiation: DISABLE

Mdi : AUTO
r e output omitted
Mo


/ e
Duplex: FULL, Negotiation: DISABLE
om
Mdi : AUTO
. c
i
output omitted
e
Step 2 Configure manual link aggregation.
u aw
h
. G0/0/9
and G0/0/10 on S1 and S2, and then add G0/0/9 and G0/0/10 to n
g
Create Eth-Trunk 1 on S1 and S2. Delete the default configuration from
n i Eth-Trunk 1.
[S1]interface Eth-Trunk 1
a r
[S1-Eth-Trunk1]quit
l e
/ /
:
[S1-GigabitEthernet0/0/9]eth-trunk 1
t p
ht
[S1-GigabitEthernet0/0/9]interface GigabitEthernet 0/0/10
s :
e
[S2-Eth-Trunk1]quit
r c
u
o
s
Re
g
n
n i the Eth-Trunk configuration.
ar
Verify
Le
[S1]display eth-trunk 1
Eth-Trunk1's state information is:
r e WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Mo
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
----------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/9 Up 1

WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
----------------------------------------------------------------------------
/ e
PortName Status Weight
om
. c
i
we
u a
The greyed lines in the preceding information indicate that the Eth-Trunk works
properly.
. h
Step 3 Configuring Link Aggregation in Static LACP n g
n i Mode
a r
Delete the configurations from G0/0/9 and G0/0/10 on S1
l e and S2.
/ /
:
[S1-GigabitEthernet0/0/9]undo eth-trunk
t p
h t
s:
e
c
r
u
o
s
e
R
LACP n
g
Create Eth-Trunk 1 and set the load balancing mode of the Eth-Trunk to static
n i mode.
ar
Le
[S1-Eth-Trunk1]mode lacp-static
[S1-Eth-Trunk1]quit
r e [S1]interface GigabitEthernet 0/0/9
Mo

[S2-Eth-Trunk1]quit
/ e
om
c
Verify that the LACP-static mode has been enabled on the two links.
[S1]display eth-trunk
i.
e
Local:
u aw
h
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
g.
System Priority: 32768 System ID: 4c1f-cc45-aace
i n
n
Least Active-linknumber: 1 Max Active-linknumber: 8
ar
e
----------------------------------------------------------------------------
ActorPortName Status
l
PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/9 Selected 100M 32768
: //
9 289 10111100 1
p
GigabitEthernet0/0/10 Selected 100M 32768 10 289 10111100 1
tt
Partner:
SysPri h
----------------------------------------------------------------------------
ActorPortName SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/9 32768
s: 4c1f-cc45-aacc 32768 9 289 10111100
GigabitEthernet0/0/10
c
32768
e 4c1f-cc45-aacc 32768 10 289 10111100
r
uon S1 to 100 to ensure S1 remains the Actor.
s o
Set the system priority
R e
[S1]lacp priority 100
n g of the interface and determine active links on S1.

i
Set the priority
n
ar
Le
[S1-GigabitEthernet0/0/9]lacp priority 100
r e [S1]interface GigabitEthernet 0/0/10

[S1-GigabitEthernet0/0/10]lacp priority 100
Mo

Verify the Eth-Trunk configuration.

Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 100 System ID: 4c1f-cc45-aace
/ e
m
Least Active-linknumber: 1 Max Active-linknumber: 8
c o
----------------------------------------------------------------------------
i.
e
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
aw
GigabitEthernet0/0/9 Selected 100M 100 9 289 10111100 1
Partner:
Selected 100M 100 10 289
u
10111100 1
h
---------------------------------------------------------------------------
g.
ActorPortName SysPri SystemID
i n
PortPri PortNo PortKey PortState
GigabitEthernet0/0/9 32768 4c1f-cc45-aacc 32768 9
n 289 10111100
GigabitEthernet0/0/10 32768 4c1f-cc45-aacc 32768
e ar
10 289 10111100
l
//
:
Local:
p
LAG ID: 1
Preempt Delay: Disabled
h tt
WorkingMode: STATIC
Hash arithmetic: According to SA-XOR-DA
System Priority: 32768
s: System ID: 4c1f-cc45-aacc

Least Active-linknumber: 1
c e Max Active-linknumber: 8
r
u
----------------------------------------------------------------------------
o
s
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
R e
Selected 100M
Selected 100M
32768
32768
9
10
289
289
10111100 1
10111100 1
n
Partner:
g
i
----------------------------------------------------------------------------
rn
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
ea
GigabitEthernet0/0/9 100 4c1f-cc45-aace 100 9 289 10111100
L GigabitEthernet0/0/10 100 4c1f-cc45-aace 100 10 289 10111100
r e
Mo
Final Configuration
[S1]display current-configuration
#
!Software Version V100R006C00SPC800

sysname S1
#
lacp priority 100
#
interface Eth-Trunk1
mode lacp-static
#
interface GigabitEthernet0/0/9
/ e
eth-trunk 1
om
lacp priority 100
. c
i
undo negotiation auto
speed 100
e
#
u aw
h
eth-trunk 1
g.
lacp priority 100
i n
n
ar
speed 100
e
#
return
l
: //
p
tt
#
h
sysname S2
#
s:
c e
mode lacp-static
u r
#
s o
e
eth-trunk 1
R
g
n
speed 100
i
r
#
n
a
Le
eth-trunk 1
r e speed 100
Mo
#
return

Lab 1-2 VLAN Configuration
Learning Objectives
Assign port interfaces to become access and trunk ports.
/ e
Create VLANs.
om
Configure VLAN tagging over ports using the hybrid port link type.
. c
Configure the default VLAN for an interface using the Port VLAN ID.
e i
u aw
Topology
. h
n g
n i
e ar
l
: //
p
htt
s:
c e
u r
s o Figure 1.2 VLAN topology
R e
Scenario
n g
i
n enterprise network currently operates in a single broadcast domain
rThe
a resulting in a large amount of traffic being flooded to all network nodes. It is
Le required that the administrator attempt to control the flow of traffic at the link
r e layer by implementing VLAN solutions. The VLAN solutions are to be applied
Mo
to switches S1 and S2.

Tasks
Step 1 Preparing the environment.
If you are starting this section with a non-configured device, begin here and
then move to step 2. For those continuing from previous labs, begin at step 2.
/ e
Establish an Eth-trunk link between S1 and S2.
om
. c
[Quidway]sysname S1
e i
aw
[S1]interface Eth-trunk 1
h u
.
[S1-Eth-Trunk1]quit
[S1]interface GigabitEthernet0/0/9
n g
[S1-Gigabitethernet0/0/9]eth-trunk 1
n i
ar
[S1-Gigabitethernet0/0/9]interface GigabitEthernet0/0/10
[S1-Gigabitethernet0/0/10]eth-trunk 1
l e
//
On S2, add interfaces to an Eth-Trunk using the Eth-Trunk view.
p :
tt
[Quidway]sysname S2
[S2]interface eth-trunk 1
h
:
s
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/9
e
c
[S2-Eth-Trunk1]trunkport GigabitEthernet 0/0/10
r
o
Step 2 Disable unusedu interfaces and establish a VLAN trunk.
e s
R
Unused interfaces must be disabled to ensure test result accuracy. In this lab,
g
nbe shut down.
interfaces Ethernet 0/0/1 and Ethernet 0/0/23 on S3 and Ethernet0/0/14 on S4
i
need to
n
a r<Quidway>system-view
Le
Enter system view, return user view with Ctrl+Z.
[Quidway]sysname S3
r e [S3]interface Ethernet 0/0/1
Mo
[S3-Ethernet0/0/1]shutdown
[S3-Ethernet0/0/1]quit
[S3]interface Ethernet 0/0/23

[Quidway]sysname S4
The link type of a switch port interface is hybrid by default. Configure the port
/ e
link-type for Eth-Trunk 1 to become a trunk port. Additionally, allow all VLANS
om
to be permitted over the trunk port.
. c
e i
aw
[S1-Eth-Trunk1]port link-type trunk
[S1-Eth-Trunk1]port trunk allow-pass vlan all
h u
g.
i n
n
e ar
Step 3 Configure VLANs. l
: //
p
Use S3, R1, R3, and S4 as non-VLAN aware hosts. There are two methods to
htt
create VLANs, and two methods to bind interfaces to the created VLANs, S1
and S2 are used to demonstrate the two methods. All interfaces associated
:
with hosts should be configured as access ports.
s
c e
On S1, associate interface Gigabit Ethernet 0/0/13 with VLAN 3, and interface
u r
Gigabit Ethernet 0/0/1 with VLAN 4.
s o
On S2, associate interface Gigabit Ethernet 0/0/2 with VLAN4, and Gigabit
Re
Ethernet 0/0/24 with VLAN 2.
g
n
i
[S1-GigabitEthernet0/0/13]port link-type access
n
ar
Le
r e [S1]vlan 2
Mo
[S1-vlan2]vlan 3
[S1-vlan3]port GigabitEthernet0/0/13
[S1-vlan3]vlan 4
[S1-vlan4]port GigabitEthernet0/0/1

[S2]vlan batch 2 to 4
[S2-GigabitEthernet0/0/3]port default vlan 4
/ e
om
Verify that the VLAN configuration has been correctly applied to S1 and S2.
. c
<S1>display vlan
e i
The total number of vlans is : 4
u aw
h
----------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
g.
MP: Vlan-mapping;
#: ProtocolTransparent-vlan;
ST: Vlan-stacking;
*: Management-vlan;
i n
n
ar
----------------------------------------------------------------------------
VID Type Ports

l e
//
----------------------------------------------------------------------------
:
p
1 common UT:GE0/0/2(U) GE0/0/3(U) GE0/0/4(U) GE0/0/5(U)
tt
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(D)
h
GE0/0/12(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(U)
s:
GE0/0/22(U) GE0/0/23(U) GE0/0/24(D)
c
Eth-Trunk1(U)
e
2
r
common TG:Eth-Trunk1(U)
u
3
o
common UT:GE0/0/13(U)
s
e
TG:Eth-Trunk1(U)
4
R
g
TG:Eth-Trunk1(U)
n
output omitted
i
r n
a
Le
r e
Mo

<S2>display vlan
----------------------------------------------------------------------------
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
/ e
VID Type Ports
om
----------------------------------------------------------------------------
. c
i
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/4(U) GE0/0/5(U)
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(U)
e
GE0/0/12(U) GE0/0/13(U) GE0/0/14(D) GE0/0/15(D)
u aw
h
GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D)
GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
.
GE0/0/23(D)
g
2
Eth-Trunk1(U)
i n
n
ar
TG:Eth-Trunk1(U)
e
3 common TG:Eth-Trunk1(U)
4 common UT:GE0/0/3(U)
l
TG:Eth-Trunk1(U)
: //
p
output omitted
t t of the interfaces to each created

VLAN. All VLANs are permitted overh
The highlighted entries confirm the binding
:
the trunk (TG) port Eth-Trunk 1.
e s
r c
Step 4 Configure IP addressing for each VLAN.
o u on hosts, R1, S3, R3, and S4 as part of the respective

sport interfaces on switches cannot be configured with IP
Configure IP addresses
e
R configure the native management interface Vlanif1 with
VLANs. Physical
n g for the switch.

addresses, therefore
the IP address
n i
ar
<Huawei>system-view
[Huawei]sysname R1
Le [R1]interface GigabitEthernet0/0/1
e
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24
r
Mo
[S3]interface vlanif 1
[S3-vlanif1]ip address 10.0.4.2 24

<Huawei>system-view
[Huawei]sysname R3
[R3]interface GigabitEthernet0/0/2
[S4-vlanif1]ip address 10.0.4.4 24
/ e
om
Step 5 Verify the configuration, by checking the connectivity.
. c
e i
Use the ping command. R1 and R3 in VLAN 4 should be able to communicatew
u a
h
with one another. Devices in other VLANs should be unable to communicate.
[R1]ping 10.0.4.3
g.
PING 10.0.4.3: 56 data bytes, press CTRL_C to break
i n
n
Reply from 10.0.4.3: bytes=56 Sequence=1 ttl=255 time=6 ms
r
a
e
l
/
/
:
tp
t
--- 10.0.4.3 ping statistics ---
5 packet(s) transmitted
h
5 packet(s) received
s :
e
0.00% packet loss
c
round-trip min/avg/max = 2/2/6 ms
r
ou
s
[R1]ping 10.0.4.4
Re
Request time out
g
Request time out
n
n iRequest time out
ar
Request time out
Request time out
Le --- 10.0.4.4 ping statistics ---
r e 5 packet(s) transmitted
Mo
100.00% packet loss
You may wish to also try between R1 and S3, and between R3 and S4.

Step 6 Configure a hybrid interface.
Use the hybrid port link type to allow VLAN tagging to be closely managed at a
port interface level. We shall use hybrid ports to allow tagged frames from
VLAN 4 to be received by VLAN 2 and vice versa.
Set the port link type of port interface Gigabit Ethernet 0/0/1 of port S1 and the
/ e
interfaces Gigabit Ethernet 0/0/3 and 0/0/24 of S2 as hybrid ports. Additionally
set the hybrid ports to untag all frames associated with VLAN 2 and 4.
om
. c
i
[S1-GigabitEthernet0/0/1]undo port default vlan
e
[S1-GigabitEthernet0/0/1]port link-type hybrid
u aw
h
[S1-GigabitEthernet0/0/1]port hybrid untagged vlan 2 4
[S1-GigabitEthernet0/0/1]port hybrid pvid vlan 4
g.
i n
n
ar
e
l
: //
p
tt
h
s:
c e
r
u vlan command will ensure frames received from the
o
s the appropriate VLAN tag. Frames received from VLAN 2
The port hybrid pvid
e
R at the interface before being forwarded to the host.
host are tagged with
or 4 will be untagged
n g
Usei
n the ping command to verify that R3 in VLAN 4 is still reachable.
ar
Le
<R1>ping 10.0.4.3
r e Reply from 10.0.4.3: bytes=56 Sequence=1 ttl=255 time=1 ms
Mo


0.00% packet loss
Use the ping command to test whether S4 in VLAN 2 is now reachable from R1
in VLAN 4.
/ e
om
<R1>ping 10.0.4.4
. c
i
e
u aw
h
g.
i n
n
ar
e
l
0.00% packet loss
://
p
t toriginating from VLAN 4 are now able

h whilst still being unable to reach the
In using the hybrid port link type, frames
:3.
to be received by VLAN 2 and vice versa,
host address of 10.0.4.2 in VLAN
e s
r c
Final Configuration
o u
s
Re
[R1]display current-configuration
n g
[V200R003C00SPC200]
#
n i
ar
sysname R1
#
Le interface GigabitEthernet0/0/1
e
ip address 10.0.4.1 255.255.255.0
r #
Mo return
#


sysname S3
#
interface Vlanif1
ip address 10.0.4.2 255.255.255.0
#
interface Ethernet0/0/1
shutdown
/ e
#
om
. c
i
shutdown
#
e
return
u aw
. h
#
n g
n i
ar
sysname S1
e
#
vlan batch 2 to 4
l
#
: //
p
lacp priority 100
tt
#
h
port link-type trunk
s
port trunk allow-pass vlan 2 to 4094:
mode lacp-static
c e
#
u r
o
s
e
port hybrid pvid vlan 4
R
port hybrid untagged vlan 2 4
g
#
n
i
r n
eth-trunk 1
a
lacp priority 100
Le
speed 100
r e #
Mo
eth-trunk 1
lacp priority 100
speed 100

#
port link-type access
port default vlan 3
#
return
/ e
#
om
. c
i
sysname S2
#
e
vlan batch 2 4
u aw
h
#
g.
port trunk allow-pass vlan 2 to 4094
i n
n
ar
mode lacp-static
e
#
l
: //
p
tt
#
h
eth-trunk 1
s:
speed 100
c e
#
u r
o
s
e
eth-trunk 1
R
g
speed 100
#
i n
r n
a
Le
#
r e interface NULL0
Mo
#
user-interface con 0
user-interface vty 0 4
#
return

[V200R003C00SPC200]
#
sysname R3
#
ip address 10.0.4.3 255.255.255.0
/ e
#
om
return
. c
e i
#
u aw
h
sysname S4
g.
#
interface Vlanif1
in
n
ar
ip address 10.0.4.4 255.255.255.0
e
#
l
shutdown
: //
p
#
tt
return
h
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

Lab 1-3 GVRP Configuration
Learning Objectives
Configuration of GVRP.
/ e
Setting of the GVRP registration mode.
om
. c
Topology
e i
u aw
. h
n g
n i
e ar
l
: //
p
h tt
Figure 1.3 GVRP topology
s:
Scenario
c e
r
u contains multiple switches which are expected to be
o
s VLANs are required to be applied and removed as
The enterprise network
e
Rall switches however this tends to be a laborious task for the
regularly managed.
necessary on
n g
administrator and often configuration mistakes occur due to human error. The
i
n that GVRP be enabled on all switchs and the registration mode on
administrator wishes to simplify the VLAN management process and has
rrequested
a the interfaces be set.
Le
r e
Mo

Tasks
Step 1 Preparing the environment
/ e
om
[Quidway]sysname S1
. c
e i
aw
[S1-GigabitEthernet0/0/9]shutdown
h u
g.
in
n
ar
[Quidway]sysname S2
l e
//
p :
tt
h
:
[Quidway]sysname S3
e s
c
r
ou
es
[Quidway]sysname S4
R
n g
Stepi2 Clean up the previous configuration
r n
a Remove the unsed VLANs and disable the Eth-Trunk interface on S1 and S2.
Le Remove Vlanif1 on S3 and S4 and bring up interface Ethernet 0/0/1 on S3.
r e [S1]undo vlan batch 2 to 4
Mo Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y

Info: This operation may take a few seconds. Please wait for a moment...done.
[S1-Eth-Trunk1]shutdown

[S2]undo vlan batch 2 to 4

Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
[S2-Eth-Trunk1]shutdown
[S2-Eth-Trunk1]quit
[S2-GigabitEthernet0/0/24]undo port hybrid vlan 2 4
/ e
om
. c
i
[S3-Ethernet0/0/1]undo shutdown
e
[S3]undo interface Vlanif 1
u aw
h
Info: This operation may take a few seconds. Please wait for a moment...succeeded.
g.
i n
Info: This operation may take a few seconds. Please wait for a moment...succeeded.
rn
e a
l
Step 3 Configure trunk links between the switches.
/ /
:
p
[S1-Gigabitethernet0/0/13]port link-type trunk
t
t
[S1-Gigabitethernet0/0/13]port trunk allow-pass vlan all
h
:
s
e
[S3-Ethernet0/0/13]port link-type trunk
c
[S3-Ethernet0/0/13]port trunk allow-pass vlan all
r
u
o
s
Re
n g
i
n
ar
[S2-Gigabitethernet0/0/24]port link-type trunk
[S2-Gigabitethernet0/0/24]port trunk allow-pass vlan all
Le [S4]interface Ethernet 0/0/24
r e [S4-Ethernet0/0/24]port link-type trunk
Mo

Step 1 Enable GVRP globally, and on all relevant interfaces.
[S1]gvrp
[S1-GigabitEthernet0/0/13]gvrp
[S3]gvrp
/ e
om
[S3-Ethernet0/0/13]gvrp
. c
e i
aw
h u
[S2]gvrp
g.
n
[S2-Gigabitethernet0/0/24]gvrp
n i
[S4]gvrp
e ar
[S4]interface Ethernet0/0/24
l
//
p :
tt
h
s:
Create VLAN 100 on S1, VLAN 200 on S2 and VLAN 2 on S1, S2, S3 and S4.
[S1]vlan batch 2 100
c e
u
[S2]vlan batch 2 200
r
[S3]vlan 2
s o
[S4]vlan 2
R e
g
Run the display gvrp statistics command on S3 and S4 to view the GVRP
n
i
statistics.
n
a r[S3]display gvrp statistics
Le
GVRP statistics on port Ethernet0/0/1
GVRP status : Enabled
r e GVRP registrations failed : 0
Mo
GVRP last PDU origin : 5489-98ec-f012
GVRP registration type : Normal


GVRP registrations failed : 0

GVRP last PDU origin : 4c1f-cc45-aace
[S4]display gvrp statistics

/ e
GVRP last PDU origin : 781d-ba99-d977
om
. c
e i
u aw
h
GVRP last PDU origin : 4c1f-cc45-aacc
g.
i n
n
ar
The registration type is set as normal by default. Use the display vlan
command to verify the VLAN configuration on S3 and S4.
l e
//
[S3]display vlan
:
p
----------------------------------------------------------------------------
U: Up;
MP: Vlan-mapping;
D: Down; TG: Tagged;
h tt
ST: Vlan-stacking;
UT: Untagged;
#: ProtocolTransparent-vlan;
s:*: Management-vlan;
e
----------------------------------------------------------------------------
c
VID Type Ports
u r
s o
----------------------------------------------------------------------------
1 common
R e
UT:Eth0/0/1(U) Eth0/0/2(D)
Eth0/0/5(D) Eth0/0/6(D)
Eth0/0/3(D)
Eth0/0/7(D)
Eth0/0/4(D)
Eth0/0/8(D)
ng
Eth0/0/9(D) Eth0/0/10(D) Eth0/0/11(D) Eth0/0/12(D)
ni
Eth0/0/13(U) Eth0/0/14(D) Eth0/0/15(D) Eth0/0/16(D)
a r Eth0/0/17(D)
Eth0/0/21(D)
Eth0/0/18(D)
Eth0/0/22(D)
Eth0/0/19(D)
Eth0/0/23(D)
Eth0/0/20(D)
Eth0/0/24(D)
Le GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
e
2 common TG:Eth0/0/1(U) Eth0/0/13(U)
r 100 dynamic TG:Eth0/0/13(U)
Mo 200 dynamic TG:Eth0/0/1(U)

output omitted

[S4]display vlan
----------------------------------------------------------------------------
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
----------------------------------------------------------------------------
VID Type Ports
/ e
----------------------------------------------------------------------------
om
1 common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
. c
i
e
u aw
h
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D)
.
Eth0/0/24(U)
g
2 common
GE0/0/1(D) GE0/0/2(D)
TG:Eth0/0/1(U) Eth0/0/24(U)
GE0/0/3(D)
n
GE0/0/4(D)
i
n
ar
100 dynamic TG:Eth0/0/1(U)
e
output omitted
S3 and S4 are learning VLAN 100 and VLAN 200/

l
: / dynamically, but only in one
t p
direction. VLAN 2 has been statically defined. Create VLAN 200 on S1 and
[S1]vlan 200 h t
VLAN 100 on S2 to enable 2-way propagation.
[S2]vlan 100
s:to verify the configuration.
c e
Run the display vlan command
[S3]display vlan
u r
s
output omitted
o
Re
VID Type Ports
----------------------------------------------------------------------------
1
n g
common UT:Eth0/0/1(U) Eth0/0/2(D) Eth0/0/3(D) Eth0/0/4(D)
n i Eth0/0/5(D) Eth0/0/6(D) Eth0/0/7(D) Eth0/0/8(D)
ar
Le Eth0/0/17(D) Eth0/0/18(D) Eth0/0/19(D) Eth0/0/20(D)
e
r GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
Mo 2 common TG:Eth0/0/1(U) Eth0/0/13(U)

100 dynamic TG:Eth0/0/1(U) Eth0/0/13(U)
output omitted

[S4]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
/ e
om
Eth0/0/21(D) Eth0/0/22(D) Eth0/0/23(D) Eth0/0/24(U)
. c
i
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/1(U) Eth0/0/24(U)
e
u aw
h
output omitted
g .
i n added to
n
The highlighted entries indicate the interfaces that have been
VLAN100 and VLAN200 on both S3 and S4.
r
ea
Step 2 Change the registration type for thelinterfaces
/ /
Change the registration type of Ethernet 0/0/1:on S3 to fixed. The same steps
t p
ht
can be performed on Ethernet 0/0/1 of S4.
s :
[S3-Ethernet0/0/1]gvrp registration fixed
c e command on S3 and S4 to view the changes.

r
Run the display gvrp statistics
u
s o
[S3]display gvrp statistics interface Ethernet 0/0/1
Re
n g
n i GVRP last PDU origin : 5489-98ec-f012
ar
GVRP registration type : Fixed
Le The GVRP registration type is verified as fixed on Ethernet 0/0/1 interface.
r e Dynamic VLANs are not allowed to register on this interface.
Mo

Run the display vlan command to view the effect of the fixed registration type.
[S3]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
/ e
m
c o
i.
e
aw
GE0/0/1(D) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
2 common TG:Eth0/0/1(U)
Eth0/0/13(U)
h u
g.
i n
n
The highlighted entries show that interface Ethernet 0/0/1 is not in registering
dynamic VLANs 100 and 200.
e ar
l
//
Configure interface Ethernet 0/0/1 of S3 to use the forbidden registration type.
The same steps can be performed on Ethernet 0/0/1 of S4.
p :
tt
[S3-Ethernet0/0/1]gvrp registration forbidden
h
s:
Run the display gvrp statistics command to view the changes to GVRP.
c e
[S3]display gvrp statistics interface Ethernet 0/0/1
u r
o
s
e
R
ng
GVRP last PDU origin : 5489-98ec-f012
i
GVRP registration type : Forbidden
n
rThe GVRP registration type is set to forbidden on the Ethernet 0/0/1 interface.
e a
L
r e
Mo

Run the display vlan command to view the effect of the forbidden registration.
[S3]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
/ e
m
c o
i.
e
aw
2 common
GE0/0/1(D)
TG:Eth0/0/13(U)
GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
h u
g.
i n
n
Forbidden mode only allows VLAN1 pass over interfacerEthernet 0/0/1, all
e a
other VLANS are restricted.
/ l
Final Configuration
: /
tp
[S1]dis current-configuration
ht
:
#
s
e
sysname S1
#
r c
o u
vlan batch 2 100 200
s
Re
#
gvrp
#
n g
i
n
shutdown
ar
Le
mode lacp-static
r e #
Mo
#
shutdown

eth-trunk 1
lacp priority 100
speed 100
#
shutdown
eth-trunk 1
/ e
lacp priority 100
om
. c
i
speed 100
#
e
u aw
h
g.
gvrp
#
in
n
ar
return
[S2]dis current-configuration
l e
#
: //
p
tt
sysname S2
h
#
vlan batch 2 100 200
#
s:
gvrp
c e
#
u r
o
s
e
shutdown
R
g
n
mode lacp-static
i
r
#
n
a
Le
#
r e interface GigabitEthernet0/0/9
Mo
shutdown
eth-trunk 1
speed 100
#

shutdown
eth-trunk 1
speed 100
#
/ e
om
gvrp
. c
i
#
return
e
u aw
h
#
g.
sysname S3
i n
n
ar
#
e
vlan batch 2
#
l
gvrp
: //
p
#
tt
h
gvrp
s:
c
gvrp registration forbidden
e
#
u r
o
s
e
R
g
gvrp
#
i n
r n
a
shutdown
Le
#
return
r e
Mo
#
sysname S4
#

vlan batch 2
#
gvrp
#
gvrp
/ e
gvrp registration forbidden
om
#
. c
i
shutdown
e
#
u aw
h
g.
gvrp
in
n
ar
#
e
return
l
: //
p
htt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

Lab 1-4 VLAN Routing
Learning Objectives
Establishment of a trunk inteface for VLAN routing.
/ e
Configuration of sub-interfaces on a single physical interface.
om
Enabling of ARP messages to be broadcast between VLANS.
. c
Topology e i
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e
g
Figure 1.4 VLAN routing topology using a layer 2 switch.
i n
r n
a Scenario
Le
r e The implementation of VLANs in the enterprise network has resulted in groups
Mo
of users being isolated from other users that are part of different subnets. As
the network administrator you have been given the task to ensure that the
broadcast domains are maintained whilst allowing communication between the
disparate users.

Tasks
/ e
om
c
Configure the system name for R1, R3 and S1. Configure the IP address
10.0.4.1/24 on interface Gigabit Ethernet 0/0/1.
i.
e
aw
<Huawei>system-view
h u
.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
n g
i
n
<Huawei>system-view
e ar
l
//
[Huawei]sysname R3
p :
tt
[Quidway]sysname S1
h
s:
Step 2 Clean up the previous configuration
c e
u r
Remove the IP address 10.0.4.3 from R3, and disable the swich interfaces
s o
between S1 and S3 and S2 and S4 respectively.
R e
g
[R3-GigabitEthernet0/0/2]undo ip address
n
n i
a r[S1]undo gvrp
Le Warning: All information about the GVRP will be deleted . Continue?[Y/N]:y
e
r [S1]interface GigabitEthernet 0/0/13
Mo
[S1-GigabitEthernet0/0/13]undo port trunk allow-pass vlan 2 to 4094


[S1]undo vlan batch 2 100 200
[S2]undo gvrp
Warning: All information about the GVRP will be deleted . Continue?[Y/N]:y
/ e
om
. c
i
[S2-GigabitEthernet0/0/24]undo port trunk allow-pass vlan 2 to 4094
e
u aw
h
g.
[S2]undo vlan batch 2 100 200
i n
n
ar
e
l
[S3]undo gvrp
: //
p
tt
h
[S3-Ethernet0/0/13]undo port trunk allow-pass vlan 2 to 4094
s:
[S3-Ethernet0/0/13]port link-type hybrid
c
e
r
u
o
s
e
R
[S3]undo vlan 2
n g
[S4]undo gvrp
n i
a rInfo: This operation may take a few seconds. Please wait for a moment...done.
Le
r e [S4-Ethernet0/0/24]port link-type hybrid
Mo
[S4]undo vlan 2

Step 3 Configure an IP address for R3
Configure an IP address in the 10.0.8.0/24 network range on R1 interface

Gigabit Ethetnet 0/0/1

/ e
om
Step 4 Establish two VLANs
. c
Create VLANs 4 and 8 on S1, configure interface Gigabit Ethernet 0/0/1 to
e i
aw
belong to VLAN 4, and interface Gigabit Ethernet 0/0/3 to belong to VLAN 8.
h u
[S1]vlan batch 4 8
g.
in
n
ar
l e
//
p :
tt
h
s : as a trunk link for VLANs 4 and 8.
Set interface Gigabit Ethernet 0/0/2
c e
r
u
o
[S1-GigabitEthernet0/0/2]port link-type trunk
s
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan 4 8
e
R
g
Step 5 Configure VLAN routing through the sub-interface of R2
n
n i sub-interfaces GigabitEthernet0/0/1.1 and GigabitEthernet0/0/1.3,
Configure
arto act as the gateway of VLAN 4, and act as the gateway of VLAN 8.
Le <Huawei>system-view
r e Enter system view, return user view with Ctrl+Z.
Mo
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1.1
[R2-GigabitEthernet0/0/1.1]ip address 10.0.4.254 24
[R2-GigabitEthernet0/0/1.1]dot1q termination vid 4

[R2-GigabitEthernet0/0/1.1]arp broadcast enable

[R2-GigabitEthernet0/0/1.1]quit
[R2]interface GigabitEthernet0/0/1.3
[R2-GigabitEthernet0/0/1.3]ip address 10.0.8.254 24
[R2-GigabitEthernet0/0/1.3]dot1q termination vid 8
[R2-GigabitEthernet0/0/1.3]arp broadcast enable
Test connectivity between R1 and R3.

/ e
om
<R1>ping 10.0.8.1
. c
i
Request time out
e
Request time out
u aw
h
Request time out
Request time out
g.
Request time out
i n
n
ar
e
l
100.00% packet loss
: //
p
tt
Configure a default route on R1 and R3.
h
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
s:
c e
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.8.254
r
u R1 and R3 again.
o
Test connectivity between
s
R e
<R1>ping 10.0.8.1
g
i n
n Reply from 10.0.8.1: bytes=56 Sequence=2 ttl=254 time=1 ms
ar
Le
r e
Mo
0.00% packet loss

[R2]display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
/ e
10.0.4.0/24 Direct 0 0 D 10.0.4.254 GigabitEthernet0/0/1.1
om
. c
i
e
10.0.8.254/32 Direct 0 0 D 127.0.0.1
aw
GigabitEthernet0/0/1.3
u
h
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
g.
127.0.0.1/32 Direct 0
127.255.255.255/32 Direct 0
0
0
D
D
127.0.0.1
127.0.0.1 n
InLoopBack0
i
InLoopBack0
n
ar
Final Configuration l e
: //
p
[V200R003C00SPC200]
#
h tt
sysname R1
s:
#
c e
r
u
ip address 10.0.4.1 255.255.255.0
o
s
#
# R e
ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
n g
i
authentication-mode password
rn set authentication password
ea
cipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
L user-interface vty 0 4
e
#
r return
Mo

[V200R003C00SPC200]
#
sysname R2
#
#
interface GigabitEthernet0/0/1.1
/ e
dot1q termination vid 4
om
ip address 10.0.4.254 255.255.255.0
. c
i
arp broadcast enable
#
e
interface GigabitEthernet0/0/1.3
u aw
h
dot1q termination vid 8
ip address 10.0.8.254 255.255.255.0
g.
#
arp broadcast enable
i n
n
ar
e
set authentication password
l
//
cipher %$%$|nRPL^hr2IXi7LHDID!/,.*%.8%h;3:,hXO2dk#ikaWI.*(,%$%$
:
p
tt
#
h
return
s:
c e
[R3]dis current-configuration
[V200R003C00SPC200]
u r
#
s o
e
sysname R3
#
R
g
n
ip address 10.0.8.1 255.255.255.0
i
r n #
a
ip route-static 0.0.0.0 0.0.0.0 10.0.8.254
Le
#
r e authentication-mode password
Mo
cipher %$%$W|$)M5D}v@bY^gK\;>QR,.*d;8Mp>|+EU,:~D~8b59~..*g,%$%$
#
return

#
sysname S1
#
vlan batch 4 8
#
/ e
om
port default vlan 4
. c
i
#
e
u aw
h
port trunk allow-pass vlan 4 8
#
g.
in
n
ar
port default vlan 8
e
#
l
: //
p
#
tt
return
h
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

Lab 1-5 Configuring Layer 3 Switching
Learning Objectives
Configuration of VLAN interfaces.
/ e
Establishment of VLAN routing on a single switch
om
Perform VLAN routing over an Ethernet Trunk link.
. c
Perform dynamic routing between VLAN interfaces using OSPF.
e i
Topology
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
o
Figure 5.5 Layer 3 switching topology
e s
Scenario R
n g of layer three switches into the enterprise network opened up

n i for streamlining the current VLAN routing configuration. The
The introduction
arnetwork administrator has been given the task to implement VLAN routing
opportunities
Le using only the layer three switches to support communication between the
r e VLANs in the network as displayed in the topology. VLANs should be capable
Mo
of inter VLAN communication. Additionally S1 and S2 are expected to
communicate over a Layer 3 for which routing protocol support is required.

Tasks
/ e
Configure R1 with the address 10.0.4.1/24 on interface Gigabit Ethernet 0/0/1.
om
Establish an Eth-Trunk beween S1 an S2. Disable any unnecessary interfaces
. c
on S1 and S2 to S3 and S4.
e i
aw
<Huawei>system-view
h u
.
[Huawei]sysname R1
n g
n i
<Huawei>system-view
e ar
l
//
[Huawei]sysname R3
p :
tt
[Quidway]sysname S1
[S1]interface Eth-Trunk 1 h
s:
e
c
[S1-Eth-Trunk1]quit
u r
s o
R e
n g
n i
a r<Quidway>system-view
Le
[Quidway]sysname S2
r e [S2-Eth-Trunk1]mode lacp-static
Mo
[S2-Eth-Trunk1]quit


[Quidway]sysname S3
/ e
om
[Quidway]sysname S4
. c
i
e
u aw
. h
g
ndevices.
i
Remove the VLAN routing configuration and sub-interfaces on the
n
[R1]undo ip route-static 0.0.0.0 0
a r
l e
[R2]undo interface GigabitEthernet 0/0/1.1
/ /
:
[R2]undo interface GigabitEthernet 0/0/1.3
p
t
ht
s :
[R3-GigabitEthernet0/0/1]quit
e
c
u r
o
[S1]undo vlan batch 4 8
s
Re
n g
[S1-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 4 8
n i
ar
Le
[S1-GigabitEthernet0/0/13]undo shutdown
r e [S2]interface GigabitEthernet0/0/24
Mo
[S2-GigabitEthernet0/0/24]undo shutdown

Re-enable the Eth-Trunk interface between S1 and S2
[S1-Eth-Trunk1]undo shutdown
[S2-Eth-Trunk1]undo shutdown
/ e
Step 3 Configure VLAN 3 through to VLAN 7 for S1 and S2.
om
. c
e i
aw
h u
g.
n
n i
ar
Verify that the VLANs have been created.
[S1]display vlan
l e
//
:
output omitted
VID Type Ports
p
tt
----------------------------------------------------------------------------
h
GE0/0/2(D) GE0/0/3(U) GE0/0/4(U)
GE0/0/5(U)
s:
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
e
GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D)
rc
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
ou
GE0/0/19(D)
GE0/0/23(U)
GE0/0/20(D)
GE0/0/24(D)
GE0/0/21(U)
Eth-Trunk1(U)
GE0/0/22(U)
3
es
4
R
5
g
n
6
i
rn
e a output omitted
L
r e
Mo

[S2]display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(D) GE0/0/3(U) GE0/0/4(U)
GE0/0/5(U) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/11(U) GE0/0/12(U) GE0/0/13(U) GE0/0/14(D)
/ e
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
om
GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
. c
i
GE0/0/23(D) GE0/0/24(D) Eth-Trunk1(U)
e
u aw
h
g.
i n
r n
Step 4 Set the Eth-Trunk link between S1 and S2 with PVID 5.
a
e 0/0/3 and G0/0/24 to
l
Add interfaces Gigabit Ethernet 0/0/1 and 0/0/13 of S1 to VLAN 4 and VLAN 3
/
respectively. For S2, add interfaces Gigabit Ethernet
/
VLAN 6 and VLAN 7 respectively.
p :
t t
h
[S1-Eth-Trunk1]port trunk pvid vlan 5
[S1-Eth-Trunk1]quit
s :
c e
r
u
o
s
Re
g
i n
n
ar
[S2-Eth-Trunk1]port trunk pvid vlan 5
Le
[S2-Eth-Trunk1]quit
r e [S2-GigabitEthernet0/0/3]port link-type access
Mo

<S1>display vlan
output omitted
VID Type Ports
----------------------------------------------------------------------------
1 common UT:GE0/0/2(D) GE0/0/3(U) GE0/0/4(U) GE0/0/5(U)
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(D)
GE0/0/12(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
/ e
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
om
GE0/0/21(U) GE0/0/22(U) GE0/0/23(U) GE0/0/24(D)
. c
i
Eth-Trunk1(U)
e
TG:Eth-Trunk1(U)
u aw
h
TG:Eth-Trunk1(U)
g.
5
6
i n
n
ar
e
output omitted
l
<S2>display vlan
: //
p
tt
output omitted
VID Type Ports h

s:
----------------------------------------------------------------------------
1
c
e GE0/0/2(D) GE0/0/4(U) GE0/0/5(U)
u r
GE0/0/6(D) GE0/0/7(D) GE0/0/8(D) GE0/0/11(U)
s o
GE0/0/12(U) GE0/0/13(U) GE0/0/14(D) GE0/0/15(D)
e
GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D)
R GE0/0/20(D) GE0/0/21(D) GE0/0/22(D) GE0/0/23(D)
g
Eth-Trunk1(U)
3
n
i
r
4
n common TG:Eth-Trunk1(U)
a
Le
TG:Eth-Trunk1(U)
r e 7 common UT:GE0/0/24(U)
Mo
TG:Eth-Trunk1(U)

Step 5 Configure gateway addresses for VLANs on S1 and S2.
Configure IP addresses for Vlanif3, Vlanif4, and Vlanif5 on S1, and for Vlanif5,
Vlanif6, and Vlanif7 on S2.
[S1]interface Vlanif 3
[S1-Vlanif3]ip address 10.0.3.254 24
/ e
m
[S1-Vlanif3]interface Vlanif 4
c o
.
e i
u aw
. h
n g
n i
ar
l e
Step 6 IP addressing and default routes/
: / for R1, R3, S3 and S4.
tp
common (untagged) Vlanif. InterfacestEthernet 0/0/13 of S3 and Ethernet
IP addresses on a switch much be assigned to a Vlanif, where Vlanif1 is a
0/0/24 of S4 should be associatedh with the common VLAN1. R1 should

s : 10.0.4.1/24.
already be configured with the address
c e
u r
[R1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
s o
Re
g
[S3-Vlanif1]quit
n
i
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.3.254
n
ar [R3]interface GigabitEthernet 0/0/2
Le
r e [R3]ip route-static 0.0.0.0 0.0.0.0 10.0.6.254
Mo [S4]interface Vlanif 1
[S4-Vlanif1]quit
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.7.254

Step 7 Test connectivity between VLAN 3 and VLAN 4.
Test connectivity between S3 and R1.

<R1>ping 10.0.3.3
/ e
om
. c
e i
u aw
. h
g
0.00% packet loss
in
n
Test connectivity between R3 and R1.
e ar
l
//
<R1>ping 10.0.6.3
:
p
tt
Request time out
h
Request time out
Request time out
Request time out
s:
Request time out
c e
u r
o
s
e
R
g
100.00% packet loss
Thei
n
r n connectivity between R1 and R3 fails. Use the tracert command to
a
troubleshoot the fault:
Le [R1]tracert 10.0.6.3
e
traceroute to 10.0.6.3(10.0.6.3), max hops: 30 ,packet length: 40,press CTRL_C
r to break
Mo
1 10.0.4.254 17 ms 4 ms 4 ms
2 * * *

According to the command output, R1 has sent data packets to the destination
address 10.0.6.3, but the gateway at 10.0.4.254 responds that the network is
unreachable.
Check whether the network is unreachable on the gateway (S1).
[S1]display ip routing-table
----------------------------------------------------------------------------
/ e
om
. c
e i
aw
10.0.3.0/24 Direct 0 0 D 10.0.3.254 Vlanif3

h u
10.0.3.254/32 Direct 0 0 D 127.0.0.1
.
InLoopBack0
g
10.0.4.0/24 Direct 0 0 D 10.0.4.254
i n
Vlanif4
n
ar
10.0.5.0/24 Direct 0 0 D 10.0.5.1 Vlanif5
10.0.5.1/32
127.0.0.0/8
Direct
Direct
0
0
0
0
D
l
D e 127.0.0.1
127.0.0.1
InLoopBack0
InLoopBack0
127.0.0.1/32 Direct 0 0
: //D 127.0.0.1 InLoopBack0
p
tt
According to the command output, S1 does not have a route to the network
h
segment 10.0.6.0 because the network segment is not directly connected to
to advertise the routes.

s:
S1. In addition, no static route or dynamic routing protocol has been configured
c e
u r
Step 8 Enable OSPF on S1 and S2.
s o
[S1]ospf
R e
[S1-ospf-1]area 0
n g
[S1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
n i
a r[S2]ospf
[S2-ospf-1]area 0
Le [S2-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
r e
Mo

After the configuration, wait until S1 and S2 exchange OSPF routes and
complete the link state database, then view the resulting routing table of S1.
[S1]display ip routing-table
----------------------------------------------------------------------------
/ e
om
. c
10.0.3.0/24 Direct 0 0 D 10.0.3.254 Vlanif3
e i
aw
10.0.4.0/24 Direct 0 0 D 10.0.4.254 Vlanif4
h u
.
10.0.5.0/24 Direct 0 0 D 10.0.5.1
g
Vlanif5
n
i
10.0.6.0/24 OSPF 10 2 D 10.0.5.2
n Vlanif5
10.0.7.0/24 OSPF 10 2 D 10.0.5.2
e ar Vlanif5
l
//
p :
tt
S1 has learned two routes using OSPF. Test connectivity between R1 and R3.
[R1]ping 10.0.6.3
h
:
s
e
c
r
u
o
es
R
n g
i
rn 5 packet(s) received
ea
0.00% packet loss
L round-trip min/avg/max = 1/4/11 ms
r e
Mo

[R1]ping 10.0.7.4
/ e
om
. c
i
0.00% packet loss
e
u aw
Final Configuration . h
n g
n i
[V200R003C00SPC200]
e ar
l
#
//
sysname R1
:
#
p
ip address 10.0.4.1 255.255.255.0
#
h tt
:
ip route-static 0.0.0.0 0.0.0.0 10.0.4.254
s
#
c e
r
u
o
s
R e
#
n g
return
n i
a r
Le [S1]display current-configuration
e
#
r !Software Version V100R006C00SPC800
Mo sysname S1
#
vlan batch 3 to 7
#

interface Vlanif3
ip address 10.0.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.0.5.1 255.255.255.0
/ e
#
om
. c
i
e
mode lacp-static
u aw
h
#
g.
port default vlan 4
in
n
ar
#
e
eth-trunk 1
l
lacp priority 100
: //
p
tt
speed 100
h
#
eth-trunk 1
s:
lacp priority 100
c e
u r
speed 100
s o
e
#
R
g
n
port default vlan 3
i
r
#
n
a
ospf 1
Le
area 0.0.0.0
network 10.0.0.0 0.255.255.255
r e #
Mo
#
return

#
sysname S2
#
vlan batch 3 to 7
#
/ e
interface Vlanif5
om
ip address 10.0.5.2 255.255.255.0
. c
i
#
interface Vlanif6
e
ip address 10.0.6.254 255.255.255.0
u aw
h
#
interface Vlanif7
g.
ip address 10.0.7.254 255.255.255.0
#
i n
n
ar
e
l
mode lacp-static
: //
p
#
tt
h
port default vlan 6
#
s:
c e
eth-trunk 1
u r
o
s
e
speed 100
#
R
g
n
eth-trunk 1
i
r n
a
speed 100
Le
#
r e port link-type access
Mo
port default vlan 7
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.255.255.255

#
#
return
#
/ e
om
sysname S3
. c
i
#
interface Vlanif1
e
ip address 10.0.3.3 255.255.255.0
u aw
h
#
g.
shutdown
#
in
n
ar
ip route-static 0.0.0.0 0.0.0.0 10.0.3.254
e
#
l
: //
p
#
tt
return
h
s:
#
c e
r
u
sysname S4
s o
e
#
R
undo http server enable
g
#
n
drop illegal-mac alarm
i
r
#
n
a
aaa
Le
authentication-scheme default
authorization-scheme default
r e accounting-scheme default
Mo
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#

interface Vlanif1
ip address 10.0.7.4 255.255.255.0
#
shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.7.254
#
/ e
om
. c
i
#
return
e
u aw
. h
n g
n i
e ar
l
: //
p
htt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

HCNA-HNTD Chapter 2 Enterprise WAN Configuration
Chapter 2 Enterprise WAN Configuration
Lab 2-1 HDLC and PPP Configuration
Learning Objectives
/ e
om
. c
Establish HDLC encapsulation as the serial link layer protocol.
e i

Change the DCE clock baud rate on a serial link.
Establish PPP encapsulation as the serial link layer protocol.
u aw
Implementation of PAP authentication on the PPP link.
. h
Implementation of CHAP authentication on the PPP link.
n g
n i
ar
Topology
l e
: //
p
h tt
s:
Figure 2.1 HDLC and PPP configuration topology
c e
Scenario
u r
o
s enterprise business, multiple branch offices have been
As an expanding
R
established and
e are to be part of the companys administrative domain. WAN
solutionsgare required and as the network administrator the company you have
i n with establishing HDLC and PPP solutions at the edge router to

been tasked
bencarried over some service provider network, possibly MPLS, however the
r
a details of this have not been revealed to you since the service provider network
Le remains outside of the scope of your task. R2 is an edge router located in the
r e HQ, and R1 and R3 are located in branch offices. The HQ and branches need
Mo
to be established as a single administrative domain. Use HDLC and PPP on
the WAN links, and establish authentication as a simple security measure.

Tasks
/ e
om
c
<Huawei>system-view
i.
e
[Huawei]sysname R1
<Huawei>system-view
u aw
. h
[Huawei]sysname R2
n g
<Huawei>system-view
n i
e ar
l
[Huawei]sysname R3
: //
p
t the Ethernet interfaces to avoid
h t
Remove the static routes to R2 and disable
:
creating alternative routes. Remove any unnecessary VLAN configuration.
s
c e
u r
s o
[R1-GigabitEthernet0/0/1]shutdown
Re
g
n
i
n
ar [S1]undo interface Vlanif 3
Le [S1]undo interface Vlanif 5
e
[S1]undo vlan batch 3 5 to 7
r Warning: The configurations of the VLAN will be deleted. Continue?[Y/N]:y
Mo
[S1]undo ospf 1


[S2]undo vlan batch 3 to 5 7
/ e
[S2]undo ospf 1
om
. c
i
e
u aw
h
. & R3
g
Step 3 Configure serial interface IP addressing for R1, R2
n
n i
r
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
e a
/l
/
:
p
[R2-Serial1/0/0]quit
t
ht
s :
e
c
r
u
Step 4 Enable s
o
Re
the HDLC protocol on the serial interfaces.
n g
i
[R1-Serial1/0/0]link-protocol hdlc
n
ar
Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N]:y
Le [R2]interface Serial 1/0/0
r e [R2-Serial1/0/0]link-protocol hdlc
Mo


After HDLC is enabled on the serial interfaces, view the serial interface status.
The displayed information for R1 should be used as an example.
[R1]display interface Serial1/0/0
/ e
m
Serial1/0/0 current state : UP
c o
Last line protocol up time : 2013-12-10 11:25:08
i.
e
Description:HUAWEI, AR Series, Serial1/0/0 Interface
aw
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.0.12.1/24
h u
.
Link layer protocol is nonstandard HDLC
Last physical up time : 2013-12-10 11:23:55
n g
i
Last physical down time : 2013-12-10 11:23:55
Current system time: 2013-12-10 11:25:46
n
Physical layer is synchronous, Baudrate is 64000 bps
e ar
l
Interface is DCE, Cable type is V24, Clock mode is DCECLK
//
Last 300 seconds input rate 3 bytes/sec 24 bits/sec 0 packets/sec
:
Last 300 seconds output rate 3 bytes/sec 24 bits/sec 0 packets/sec
p
Broadcast: 0, Multicast:
h tt 0
Errors:
:
0, Runts:
s
0
Giants:
c e
0, CRC: 0
Alignments:
u r 0, Overruns: 0
Dribbles:
s o 0, Aborts: 0
No Buffers:
R e 0, Frame Error: 0
n g
i
Total Error: 0, Overruns: 0
rn Collisions: 0, Deferred: 0
ea
No Buffers: 0
L DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
e
Input bandwidth utilization : 0.06%
r Output bandwidth utilization : 0.06%
Mo

Test connectivity of the directly connected link after verifying that the physical
status and protocol status of the interface are Up.
<R2>ping 10.0.12.1
/ e
m
c o
i.
e
aw
h u
.
0.00% packet loss
n g
[R2]ping 10.0.23.3
n i
e ar
l
//
:
p
tt
h
s:
c e
r
u
0.00% packet loss
o
s
R e
g
Step 5 Configure RIPv2.
n
n i the RIP routing protocol to advertise the remote networks of R1 & R3
ar
Enable
Le
[R1]rip
[R1-rip-1]version 2
r e [R1-rip-1]network 10.0.0.0
Mo [R2]rip
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0

[R3]rip
[R3-rip-1]version 2
After the configuration is complete, check that all the routes have been learned.
Verify that corresponding routes are learned by RIP.
<R1>display ip routing-table
/ e
m
----------------------------------------------------------------------------
c o
i.
e
Destination/Mask Proto Pre Cost Flags NextHop

u
Interface
aw
. h
10.0.12.0/24 Direct 0 0 D 10.0.12.1
g
Serial1/0/0
n
i
10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.12.255/32 Direct 0 0 D 127.0.0.1
n Serial1/0/0
10.0.23.0/24 RIP 100 1 D 10.0.12.2
e ar Serial1/0/0
l
//
:
255.255.255.255/32 Direct 0 0
p D 127.0.0.1 InLoopBack0
h tt
s:
e
On R1, run the ping command to test connectivity between R1 and R3.
c
<R1>ping 10.0.23.3
u r
o
s
e
R
n g
n i
a r
Le
r e 5 packet(s) received
Mo
0.00% packet loss

Step 6 Manage the serial connection
View the type of the cable connected to the serial interface, interface status,
and clock frequency, and change the clock frequency.
<R1>display interface Serial1/0/0
/ e
m
c o
.
e i
aw
u
. h
n g
n i
ar
e
l
//
:
output omitted
t p
and the clock frequency is 64000 bit/s.tThe DCE controls the clock frequency
The preceding information shows that S1/0/0 on R1 connects to a DCE cable
h
s:the link between R1 and R2 to 128000 bit/s.
and bandwidth.
Change the clock frequencyeon
r c on the DCE, R1.

This operation must be performed
o u
s
e
[R1-Serial1/0/0]baudrate 128000
R
After theg
i n configuration is complete, view the serial interface status.
r n
a
Le
r e Description:HUAWEI, AR Series, Serial1/0/0 Interface
Mo


output omitted
/ e
Step 7 Configure PPP on the serial interfaces.
om
. c
i
Configure PPP between R1 and R2, as well as R2 and R3. Both ends of the
link must use the same encapsulation mode. If different encapsulation modes
e
are used, interfaces may display as Down.
u aw
. h
[R1-Serial1/0/0]link-protocol ppp
n g
i
n
ar
e
l
: //
p
h tt

s:
c e
r
uis complete, test link connectivity.

s o
After the configuration
R e
<R2>ping 10.0.12.1
g
i n
ar
Le
r e
Mo
0.00% packet loss

<R2>ping 10.0.23.3
/ e
om
. c
i
0.00% packet loss
e
u aw
. h
If the ping operation fails, check the interface status and whether the link layer
protocol type is correct.
n g
n i
e ar
l
//
:
p
Link layer protocol is PPP
h tt
LCP opened, IPCP opened
s:
Last physical up time
c e
: 2013-12-10 11:57:20
r
u
o
s
R e
n g
i
output omitted
n
r
a Step 8 Check routing entry changes.
Le
r e After PPP configuration is complete, routers establish connections at the data
Mo link layer. The local device sends a route to the peer device. The route
contains the interface IP address and a 32-bit mask.

The following information uses R2 as an example, for which the routes to R1

and R3 can be seen.
[R2]display ip routing-table
----------------------------------------------------------------------------
/ e
om
. c
10.0.12.0/24 Direct 0 0 D 10.0.12.2 Serial1/0/0
e i
aw
10.0.12.1/32 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 127.0.0.1
u
Serial1/0/0
h
.
10.0.12.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.23.0/24 Direct 0 0 D 10.0.23.2
g
Serial2/0/0
n
i
10.0.23.2/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.23.3/32 Direct 0 0 D 10.0.23.3
n Serial2/0/0
10.0.23.255/32 Direct 0 0 D 127.0.0.1
e ar Serial2/0/0
l
//
:
255.255.255.255/32 Direct 0 0
pD 127.0.0.1 InLoopBack0
htt
:
Think about the origin and functions of the two routes. Check the following
items:
e s
r c
If HDLC encapsulation is used, do these two routes exist?
ou using HDLC or PPP when the IP addresses of

Can R1 and R2 communicate
S1/0/0 interfacess
R e on R1 and R2 are located on different network segments?
g
Step 9 Enable PAP authentication between R1 and R2.
n
n i PAP authentication with R1 as the PPP PAP authenticator.
ar
Configure
Le
[R1-Serial1/0/0]ppp authentication-mode pap
r e [R1-Serial1/0/0]quit
Mo
[R1]aaa
[R1-aaa]local-user huawei password cipher huawei
info: A new user added

[R1-aaa]local-user huawei service-type ppp

Configure PAP authentication with R2 acting as the PAP authenticated device.

[R2-Serial1/0/0]ppp pap local-user huawei password cipher huawei
After R2 sends an authentication request to R1, R1 sends a response

message to R2, requesting R2 to use PAP authentication following which R2
/ e
will send its password to R1.
om
After the configuration is complete, test connectivity between R1 and R2.
. c
<R1>debugging ppp pap packet
e i
<R1>terminal debugging
u aw
h
<R1>display debugging
PPP PAP packets debugging switch is on
g.
<R1>system-view
in
n
ar
[R1-Serial1/0/0]shutdown
e
[R1-Serial1/0/0]undo shutdown
l
Dec 10 2013 14:44:22.440.1+00:00 R1 PPP/7/debug2:
: //
p
PPP Packet:
tt
Serial1/0/0 Input PAP(c023) Pkt, Len 22
h
State ServerListen, code Request(01), id 1, len 18
Host Len: 6 Name:huawei
[R1-Serial1/0/0]
s:
c e
Dec 10 2013 14:44:22.440.2+00:00 R1 PPP/7/debug2:
PPP Packet:
u r
o
Serial1/0/0 Output PAP(c023) Pkt, Len 52
s
e
State WaitAAA, code Ack(02), id 1, len 48
R
Msg Len: 43 Msg:Welcome to use Quidway ROUTER, Huawei Tech.
n g
[R1-Serial1/0/0]return
n i
<R1>undo debugging all
a rInfo: All possible debugging has been turned off
Le
r e Step 10 Enable CHAP authentication between R2 and R3.
Mo Configure R3 as the authenticator. After R2 sends an authentication request to

R3, R3 sends a response message to R2, requesting R2 to use CHAP
authentication following which a challenge is sent to R3.


[R3-Serial2/0/0]ppp authentication-mode chap
[R3]aaa
[R3-aaa]local-user huawei password cipher huawei
info: A new user added
[R3-aaa]local-user huawei service-type ppp
[R3-aaa]quit
/ e
om
. c
i
e
On R3, the following information is displayed.
u aw
Dec 10 2013 15:06:00+00:00 R3 %%01PPP/4/PEERNOCHAP(l)[5]:On the interface
. h
g
Serial2/0/0, authentication failed and PPP link was closed because CHAP was
n
i
disabled on the peer.
[R3-Serial2/0/0]
n
ar
Dec 10 2013 15:06:00+00:00 R3 %%01PPP/4/RESULTERR(l)[6]:On the interface
e
l
Serial2/0/0, LCP negotiation failed because the result cannot be accepted.
/ / is unable to initialize.
:
The highlighted output indicates that authentication
p
Configure R2 as the CHAP client.
t t
h
:
[R2-Serial2/0/0]ppp chap user huawei
s
e
[R2-Serial2/0/0]ppp chap password cipher huawei
c
u rcomplete, the interface changes to an Up state. The
After the configuration is
s
command output
ping o is as follows:
Re
<R2>ping 10.0.23.3
g
n
i
ar
Le
r e
Mo
0.00% packet loss

Step 11 PPP CHAP debugging
Run the debug command to view negotiation of the PPP connection between
R2 and R3. The PPP connection is established using CHAP. Disable interface
Serial 2/0/0 on R2, run the debug command, and enable Serial 2/0/0 on R2.
/ e
m
c o
Run the debugging ppp chap all and the terminal debugging commands to
i.
e
display the debugging information.
u aw
h
<R2>debugging ppp chap all
<R2>terminal debugging
g.
n
Info: Current terminal debugging is on.
<R2>display debugging
n i
ar
PPP CHAP packets debugging switch is on
e
PPP CHAP events debugging switch is on
PPP CHAP errors debugging switch is on
l
PPP CHAP state change debugging switch is on
: //
p
tt
Force CHAP authentication to initialize on S2/0/0 of R2.
<R2>system-view
h
:
s
e
c
r
o u information is displayed:
s
The following debugging
e
R
Dec 10 2013 09:10:38.700.1+00:00 R2 PPP/7/debug2:
g
PPP State Change:
i nSerial2/0/0 CHAP : Initial --> ListenChallenge
n
[R2-Serial2/0/0]
ar
Dec 10 2013 09:10:38.710.1+00:00 R2 PPP/7/debug2:
Le
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 25
r e State ListenChallenge, code Challenge(01), id 1, len 21
Mo
Value_Size: 16 Value: fc 9b 56 e1 53 e3 a6 26 1b 54 e5 e2 a1 ed 90 87
Name:
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.710.2+00:00 R2 PPP/7/debug2:
PPP Event:

Serial2/0/0 CHAP Receive Challenge Event

state ListenChallenge
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.710.3+00:00 R2 PPP/7/debug2:
PPP Packet:
Serial2/0/0 Output CHAP(c223) Pkt, Len 31
State ListenChallenge, code Response(02), id 1, len 27
Value_Size: 16 Value: f9 54 1 69 30 59 a0 af 52 a1 1d de 85 77 27 6b
/ e
Name: huawei
om
[R2-Serial2/0/0]
. c
i
Dec 10 2013 09:10:38.710.4+00:00 R2 PPP/7/debug2:
PPP State Change:
e
Serial2/0/0 CHAP : ListenChallenge --> SendResponse
u aw
h
[R2-Serial2/0/0]
Dec 10 2013 09:10:38.720.1+00:00 R2 PPP/7/debug2:
g.
PPP Packet:
Serial2/0/0 Input CHAP(c223) Pkt, Len 20
i n
n
ar
State SendResponse, code SUCCESS(03), id 1, len 16
e
Message: Welcome to .
[R2-Serial2/0/0]
l
//
Dec 10 2013 09:10:38.720.2+00:00 R2 PPP/7/debug2:
:
p
PPP Event:
tt
Serial2/0/0 CHAP Receive Success Event
h
state SendResponse
[R2-Serial2/0/0]
s:
Dec 10 2013 09:10:38.720.3+00:00 R2 PPP/7/debug2:
PPP State Change:
c e
r
Serial2/0/0 CHAP : SendResponse --> ClientSuccess
u information shows the key CHAP behavior. Disable

s o
the debugging e
The highlighted debugging
R process.
n g
i
<R2>undo debugging all
n
ar
Info: All possible debugging has been turned off
Le Additional Exercises: Analyzing and Verifying
r e
Mo
Why is the PPP Challenge Handshake Authentication Protocol (CHAP) more
secure than the PPP Password Authentication Protocol (PAP)?

Final Configuration
[V200R003C00SPC200]
#
sysname R1
#
/ e
aaa
om
c
i.
accounting-scheme default
e
aw
domain default
h u
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
g.
local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
in
n
ar
local-user huawei service-type ppp
#
interface Serial1/0/0
l e
//
link-protocol ppp
ppp authentication-mode pap
p :
tt
ip address 10.0.12.1 255.255.255.0
baudrate 128000
# h
rip 1
s:
version 2
c e
network 10.0.0.0
u r
o
#
s
e
R
n g
n i
a r#
Le
return
r e
Mo
[V200R003C00SPC200]
#
sysname R2
#

link-protocol ppp
ppp pap local-user huawei password cipher %$%$u[hr6d<JVHR@->T7xr1<$.iv%$%$
ip address 10.0.12.2 255.255.255.0
#
link-protocol ppp
ppp chap user huawei
/ e
ppp chap password cipher %$%$e{5h)gh"/Uz0mUC%vEx3$4<m%$%$
om
ip address 10.0.23.2 255.255.255.0
. c
i
#
rip 1
e
version 2
u aw
h
network 10.0.0.0
#
g.
i n
n
ar
e
l
#
: //
p
return
[R3]display current-configuration h tt
[V200R003C00SPC200]
s:
#
c e
sysname R3
u r
#
s o
e
aaa
R
g
n
i
r n
domain default
a
Le
r e local-user huawei password cipher %$%$fZsyUk1=O=>:L4'ytgR~D*Im%$%$
Mo
#
link-protocol ppp
ppp authentication-mode chap

ip address 10.0.23.3 255.255.255.0

#
rip 1
version 2
network 10.0.0.0
#
/ e
om
. c
i
#
e
return
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

Lab 2-2 Configuring Frame Relay at the Customer Edge
Learning Objectives
Configuration of frame relay interfaces on the customer edge.
/ e
Establishment of RIP in a hub and spoke network.
om
Establishment of OSPF in a hub and spoke (NBMA) network.
. c
Configuration of frame relay interfaces when using the OSPF
e i
aw
point-to-multipoint network type.
Topology
h u
g.
i n
n
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e Figure 2.2 Lab topology for frame relay configuration
n g
i
Scenario
n enterprise network has existing frame relay virtual circuits between the HQ
a r
Le
The
and some branch offices. A recent change in equipment requires that these
r e frame relay VC be re-established. The virtual circuits had been provided by the
Mo
service provider at the time the service was first implemented and it is the task
of the administrator to implement the frame relay configuration on the edge
routers for the HQ and branch offices. The administrator must configure frame
relay on the WAN links and perform mapping between the local DLCI and IP
addresses.

Tasks
/ e
<Huawei>system-view
om
. c
[Huawei]sysname R1
e i
<Huawei>system-view
u aw
[Huawei]sysname R2
. h
n g
<Huawei>system-view
n i
ar
[Huawei]sysname R3
l e
/ /
Step 2 Clean up the previous configuration.
p :
t t the HDLC & PPP networks.
h
Disable the serial interfaces used for establishing

s :
c e
u r
s o
Re
[R2-Serial1/0/0]interface Serial 2/0/0
g
i n
n
ar
Le
r e Step 3 Establish frame relay encapsulation.
Mo Set basic parameters, including IP addresses. Manually define the mapping

between the peer and DLCI. The inverse ARP function should be disabled.
Ensure that the broadcast parameter is used in the fr map command to allow
the network on the loopback interface to be advertised using RIP.


[R1-Serial2/0/0]link-protocol fr
[R1-Serial2/0/0]undo fr inarp
[R1-Serial2/0/0]fr map ip 10.0.123.2 102 broadcast
[R1-Serial2/0/0]interface loopback 0
/ e
[R1-LoopBack0]ip address 10.0.1.1 24
om
. c
i
e
u aw
h
g.
i n
n
ar

l e
: //
p
tt
h
s:
c e
r
uare configured, test network connectivity.
o
After the IP addresses
s
R e
<R1>ping 10.0.123.2
n g
n iReply from 10.0.123.2: bytes=56 Sequence=2 ttl=255 time=59 ms
ar
Le Reply from 10.0.123.2: bytes=56 Sequence=5 ttl=255 time=59 ms
r e --- 10.0.123.2 ping statistics ---
Mo 5 packet(s) transmitted
0.00% packet loss

<R1>ping 10.0.123.3
/ e
om
. c
i
0.00% packet loss
e
u aw
. h
Run the following commands to view the FR encapsulation information for the
R1 interfaces.
n g
<R1>display fr interface Serial 2/0/0
n i
Serial2/0/0, DTE, physical up, protocol up
e ar
l
//
<R1>display fr lmi-info interface Serial 2/0/0
:
Frame relay LMI statistics for interface Serial2/0/0 (DTE, Q933)
T391DTE = 10 (hold timer 10)
p
N391DTE = 6, N392DTE = 3, N393DTE = 4
out status enquiry = 180, in status = 178
h tt
:
status timeout = 0, discarded messages = 0
s
c e
r
<R1>display fr map-info interface Serial 2/0/0
u
Map Statistics for interface Serial2/0/0 (DTE)
o
s
DLCI = 102, IP 10.0.123.2, Serial2/0/0
R e
create time = 2011/11/16 09:28:49, status = ACTIVE
encapsulation = ietf, vlink = 1, broadcast
n g
DLCI = 103, IP 10.0.123.3, Serial2/0/0
i
arn encapsulation = ietf, vlink = 2, broadcast
L e
r e
Mo

Step 4 Configure RIPv2 between R1, R2, and R3.
Configure RIPv2 on R1, R2 and R3. If you are continuing from the previous
HDLC/PPP lab, the RIP routes for network 10.0.0.0 may have already been
configured, however the automatic summary must still be disabled to uniquely
identify the routes of the peers.
In addition, split horizon is disabled by default on frame relay networks, and so
/ e
It is not necessary for the split horizon parameters to be modified in this
om
exercise.
. c
[R1]rip 1
e i
aw
[R1-rip-1]version 2
h u
.
[R1-rip-1]undo summary
n g
i
[R2]rip 1
[R2-rip-1]version 2
n
e ar
l
[R3]rip 1
: //
[R3-rip-1]version 2
p
htt
s:
e
View the routing tables on R1, R2, and R3 to check the learned routes.
c
r
<R1>display ip routing-table protocol rip
u
o
s
e
----------------------------------------------------------------------------
R
Public routing table : RIP
ng
n i
RIP routing table status : <Active>
ar Destinations : 2 Routes : 2
L e Destination/Mask Proto Pre Cost Flags NextHop Interface
r e
Mo
10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0
RIP routing table status : <Inactive>


<R2>display ip routing-table protocol rip

----------------------------------------------------------------------------
RIP routing table status : <Active>

/ e
om
. c
i
e
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial3/0/0
u aw
h
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0
g.
i n
n
[R3]display ip routing-table protocol rip
e ar
l
//
----------------------------------------------------------------------------
:
p
tt
RIP routing table status : <Active> h

Destinations : 2
s:Routes : 2
c e
Destination/Mask
u r Proto Pre Cost Flags NextHop Interface
s o
e
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
R
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0
n g
n i Destinations : 0 Routes : 0
a r
Le
r e
Mo

Verify that the 10.0.3.0 network of R3 is capable of reaching the 10.0.1.0

network of R1.
[R3]ping a 10.0.3.3 10.0.1.1
/ e
m
c o
i.
e
aw
h u
.
0.00% packet loss
n g
n i
Perform the same test to network 10.0.2.2 of R2 from network 10.0.3.3 of R3.
e ar
l
<R3>ping -a 10.0.3.3 10.0.2.2
//
:
p
h tt
:
s
c e
r
u
o
s
R e
0.00% packet loss
n g
i
The RIP routing protocol has enabled a route between the loopback interfaces
n
a rof R2 and R3 to be established via R1.
Le
r e
Mo

Attempt the same procedure to network 10.0.2.2 of R2 from the S2/0/0

(10.0.123.3) interface of R3.
[R3]ping 10.0.2.2
Request time out
Request time out
Request time out
/ e
Request time out
om
Request time out
. c
e i
u aw
h
100.00% packet loss
g .
i n with R2
n the routes to
The preceding test results indicate that R3 is unable to communicate
r
(and vice versa) when the serial interface is the source. Check
a
find out why R3 and R2 are disconnected. The procedure
l e for diagnosing this
/
fault is as follows:
View the R3 routing table and check whether any
: / route is destined for the IP
address 10.0.2.2.
t p
h t hop IP address of this route. Then
If there is such a route, find out the next
: and layer-2 PVCs.

check whether R3 can reach the next hop and whether there is mapping
s
ehop and there is mapping between Layer-3 IP
between the layer-3 IP addresses
If R3 can reach the next c
rPVCs, check the devices on the route to determine
addresses and Layer-2 u
o route that can reach IP address 10.0.2.2, whether the
whether there is any
e s
R
next hop of this route is reachable, and whether there is mapping between
gis a route that can reach IP address 10.0.2.2 and there is mapping
Layer-3 IP addresses and Layer-2 PVCs.
n
i Layer-3 IP addresses and Layer-2 PVCs, check R2 to determine
If there
n
arwhether there is any route that reaches the destination IP address of the
between
Le response packets and whether the next hop of this route is reachable.
r e If the next hop of this route is unreachable and the destination IP address of
Mo
the response packets is 10.0.123.3, R2 has the route that reaches this address
but there is no mapping between Layer-3 IP addresses and Layer-2 PVCs.
The following is the output of the commands used in the preceding fault
diagnosis procedure.

----------------------------------------------------------------------------
/ e
10.0.1.0/24 RIP 100 1 D 10.0.123.1 Serial1/0/0
om
10.0.2.0/24 RIP 100 2 D 10.0.123.1 Serial1/0/0
. c
i
10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
e
u aw
h
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1
.
Serial1/0/0
g
10.0.123.3/32 Direct 0
10.0.123.255/32 Direct 0
0
0
D
D
127.0.0.1
127.0.0.1
i n
InLoopBack0
InLoopBack0
n
ar
e
127.255.255.255/32 Direct 0 0 D
l
127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0
:
D
//
p
tt
h
DLCI = 301, IP 10.0.123.1, Serial1/0/0
s:
c e
u r
o
s
e
R
----------------------------------------------------------------------------
g
i nDestinations : 14 Routes : 14
r n
a
Le 10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
r e 10.0.1.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Mo
10.0.2.0/24 RIP 100 1 D 10.0.123.2 Serial2/0/0
10.0.3.0/24 RIP 100 1 D 10.0.123.3 Serial2/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0

10.0.123.2/32 Direct 0 0 D 10.0.123.2 Serial2/0/0

10.0.123.3/32 Direct 0 0 D 10.0.123.3 Serial2/0/0
/ e
om
. c
i
DLCI = 102, IP 10.0.123.2, Serial2/0/0
e
u aw
h
DLCI = 103, IP 10.0.123.3, Serial2/0/0
g.
in
n
ar
e
l
----------------------------------------------------------------------------
: //
p
Destination/Mask Proto Pre Cost

h tt Flags NextHop Interface
10.0.1.0/24 RIP
s:
100 1 D 10.0.123.1 Serial3/0/0
10.0.2.0/24
c
Direct
e
0 0 D 10.0.2.2 LoopBack0
10.0.2.2/32
u r Direct 0 0 D 127.0.0.1 InLoopBack0

10.0.2.255/32
s o Direct 0 0 D 127.0.0.1 InLoopBack0
e
10.0.3.0/24 RIP 100 2 D 10.0.123.1 Serial3/0/0
R
10.0.123.0/24 Direct 0 0 D 10.0.123.2 Serial3/0/0
g
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial3/0/0
i n
r n 10.0.123.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
a
Le
r e 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Mo


DLCI = 201, IP 10.0.123.1, Serial3/0/0
The conclusion is that there is no PVC that allows R2 to reach IP address

10.0.123.3.
/ e
om
Step 5 Modify network parameters to enable the connection
. c
between R2 and R3. e i
a w
u In
The fault diagnosis results from step 2 indicate that communication fails since
there is no virtual circuit between the frame relay interfaces on R2 andhR3.
g . on
order to resolve this, configure a frame relay PVC between the interfaces
R2 and R3.
i n
r n
[R2-Serial3/0/0]fr map ip 10.0.123.3 201
e a
/ l
: /
p
[R3-Serial1/0/0]fr map ip 10.0.123.2 301
t
t between IP addresses and PVCs,
After the mapping has been configured
h
:
check the IP address-PVC mapping tables on R2 and R3 and detect network
s
e
connectivity.
r c
<R3>display fr lmi-info inter Serial 1/0/0
u
Frame relay LMI statistics for interface Serial1/0/0 (DTE, Q933)
o
s
T391DTE = 10 (hold timer 10)
Re
N391DTE = 6, N392DTE = 3, N393DTE = 4
out status enquiry = 326, in status = 324
n g
status timeout = 0, discarded messages = 0
n i
ar
Le
DLCI = 301, IP 10.0.123.1, Serial1/0/0
r e create time = 2011/11/16 09:22:30, status = ACTIVE
Mo
DLCI = 301, IP 10.0.123.2, Serial1/0/0
encapsulation = ietf, vlink = 2

<R3>ping 10.0.2.2
/ e
om
. c
i
0.00% packet loss
e
u aw
. h
Step 6 Configure OSPF between R1 and R2.
n g
n i
ar
Delete the RIP configurations referenced in step 2 and the frame relay
e
mapping between R2 and R3 that was established during step 3.
l
//
[R1]undo rip 1
:
Warning: The RIP process will be deleted. Continue?[Y/N]y
p
tt
[R2-Serial3/0/0]undo fr map ip 10.0.123.3 201
h
s:
e
[R2]undo rip 1
c
r
ou
s
R e
[R3-Serial1/0/0]undo fr map ip 10.0.123.2 301
g
[R3]undo rip 1
n
i
n
r
[R3]
a
Le Configure single-area OSPF on R1, R2, and R3.
r e [R1]ospf 1 router-id 10.0.1.1
Mo
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255

[R2]ospf 1 router-id 10.0.2.2

[R2-ospf-1]area 0

[R3-ospf-1]area 0
/ e
After the basic parameters are set, OSPF cannot establish neighbor
om
adjacencies. When using frame relay for data link layer encapsulation, OSPF
. c
will set the network type to NBMA by default. As a result, OSPF does not
e i
aw
support broadcasts, and therefore cannot automatically discover neighbors.
h u
.
<R3>display ospf interface Serial 1/0/0 verbose
OSPF Process 1 with Router ID 10.0.3.3
n g
i
Interfaces
n
Interface: 10.0.123.3 (Serial1/0/0)
e ar
l
Cost: 1562 State: DR Type: NBMA MTU: 1500
//
Priority: 1
Designated Router: 10.0.123.3
p :
tt
Backup Designated Router: 0.0.0.0
Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
IO Statistics
h
Type Input
s: Output
Hello
c e
0 0
r
DB Description 0 0
Link-State Req
ou 0 0
Link-State Update
Link-State Ack
es 0
0
0
0
OpaqueId: 0 R PrevState: Waiting
n g
Stepi7 Configuring the NBMA environment.
r n
a
Le While R3 is the DR, R2 is unable to establish a full adjacency with the DR
r e since R3 is not reachable via the PVC between R2 and R1. Therefore the DR
must be set on R1. Additionally OSPF hello messages are unicast in an NBMA
Mo network. Peers must be manually specified to allow hello packet forwarding.

[R1]ospf
[R1-ospf-1]peer 10.0.123.2
[R1-ospf-1]peer 10.0.123.3
[R1-ospf-1]interface Serial 2/0/0
[R1-Serial2/0/0]ospf dr-priority 255
[R2]ospf
[R2-ospf-1]peer 10.0.123.1
/ e
om
[R3]ospf
. c
i
[R3-ospf-1]peer 10.0.123.1
Optionally the DR priority for R2 and R3 can be set to 0 to force theirw

e
u a
h
exemption from any DR election.
g .
<R1>display ospf interface Serial 2/0/0 verbose
i n
Interfaces
r n
e a
Interface: 10.0.123.1 (Serial2/0/0)
/ l
Cost: 1562 State: DR Type: NBMA
: / MTU: 1500
p
Priority: 255
Designated Router: 10.0.123.1
t t
h
Backup Designated Router: 10.0.123.3
Timers: Hello 30 , Dead 120 , Poll 120 , Retransmit 5 , Transmit Delay 1
IO Statistics
s :
Type
c eInput Output
Hello
u r 32 32
DB Description
s o 8 29
Re
Link-State Req 3 2
Link-State Update 16 30
g
Link-State Ack 20 9
i n
OpaqueId: 0 PrevState: BDR
n
Effective cost: 1562, enabled by OSPF Protocol
arIf R1 is not the designated router, reset the ospf process on all routers using
Le the following command and reattempt the above display command
r e
Mo
<R1>reset ospf process graceful-restart
Display the routing table to confirm that OSPF has been established over the
frame relay network.

----------------------------------------------------------------------------
/ e
om
. c
i
10.0.2.2/32 OSPF 10 1562 D 10.0.123.2 Serial2/0/0
e
10.0.3.3/32 OSPF 10 1562 D 10.0.123.3 Serial2/0/0
u aw
h
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.1/32 Direct 0 0 D 127.0.0.1
.
Serial2/0/0
g
10.0.123.2/32
10.0.123.3/32
Direct
Direct
0
0
0
0
D
D
10.0.123.2
10.0.123.3
i n
Serial2/0/0
Serial2/0/0
n
ar
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
e
127.0.0.1/32 Direct 0 0 D
l
127.255.255.255/32 Direct 0 0
:
D
//
p
<R1>ping -a 10.0.1.1 10.0.2.2

htt
s:
c e
r
u
o
s
e
R
g
n
i
r n 5 packet(s) received
a
0.00% packet loss
Le
r e Attempts to establish a connection between 10.0.2.2 and 10.0.3.3 when using
Mo
the NBMA network type will fail unless a virtual circuit (PVC) is established
between R2 and R3. Alternatively the point-to-multipoint network type can be
applied.

Step 8 Setting the OSPF network type to point-to-multipoint.
OSPF configuration can also use the point-to-multipoint OSPF network type
over frame relay networks. First remove the manual peering and change the
network type to point-to-multipoint.
[R1]ospf
/ e
[R1-ospf-1]undo peer 10.0.123.2
om
. c
[R2]ospf
e i
aw
h u
[R3]ospf
g.
n
n i
ar
Establish the Point-to-multipoint network type.

l e
//
[R1-Serial2/0/0]ospf network-type p2mp
p :
tt
h

s:
e
c
u r
s o
After setting the OSPF network type, wait until the neighbor relationship is
established, then check the neighbor relationship and route information.
R e
g
<R1>display ospf peer brief
n
n i
ar
Peer Statistic Information
Le ----------------------------------------------------------------------------
Area Id Interface Neighbor id State
r e 0.0.0.0 Serial2/0/0 10.0.2.2 Full
Mo
0.0.0.0 Serial2/0/0 10.0.3.3 Full
----------------------------------------------------------------------------

----------------------------------------------------------------------------
/ e
om
. c
i
10.0.2.2/32 OSPF 10 1562 D 10.0.123.2 Serial2/0/0
e
10.0.3.3/32 OSPF 10 1562 D 10.0.123.3 Serial2/0/0
u aw
h
10.0.123.0/24 Direct 0 0 D 10.0.123.1 Serial2/0/0
10.0.123.1/32 Direct 0 0 D 127.0.0.1
.
Serial2/0/0
g
10.0.123.2/32
10.0.123.3/32
Direct
Direct
0
0
0
0
D
D
10.0.123.2
10.0.123.3
i n
Serial2/0/0
Serial2/0/0
n
ar
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
e
127.0.0.1/32 Direct 0 0 D
l
127.255.255.255/32 Direct 0 0
:
D
//
p

htt
s:
c e
r
----------------------------------------------------------------------------
u
Area Id
s oInterface Neighbor id State
e
0.0.0.0 Serial3/0/0 10.0.1.1 Full
R
----------------------------------------------------------------------------
n g
n i
a r----------------------------------------------------------------------------
Le
r e
Mo
10.0.1.1/32 OSPF 10 1562 D 10.0.123.1 Serial3/0/0



10.0.3.3/32 OSPF 10 3124 D 10.0.123.1 Serial3/0/0
10.0.123.0/24 Direct 0 0 D 10.0.123.2 Serial3/0/0
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial3/0/0
10.0.123.2/32 Direct 0 0 D 127.0.0.1 Serial3/0/0
10.0.123.3/32 OSPF 10 3124 D 10.0.123.1 Serial3/0/0
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial3/0/0
/ e
om
. c
i
e
u aw
. h
n g
----------------------------------------------------------------------------
n i
ar
e
0.0.0.0 Serial1/0/0 10.0.1.1 Full
l
----------------------------------------------------------------------------
: //
p
tt
h
----------------------------------------------------------------------------
Destinations : 14
s: Routes : 14
c e
Destination/Mask
u r Proto Pre Cost Flags NextHop Interface
s o
e
10.0.1.1/32 OSPF 10 1562 D 10.0.123.1 Serial1/0/0
R
10.0.2.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0
g
i n
r n 10.0.3.255/32 Direct 0 0 D 127.0.0.1 LoopBack0
a
10.0.123.0/24 Direct 0 0 D 10.0.123.3 Serial1/0/0
Le
10.0.123.1/32 Direct 0 0 D 10.0.123.1 Serial1/0/0
10.0.123.2/32 OSPF 10 3124 D 10.0.123.1 Serial1/0/0
r e 10.0.123.3/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
Mo
10.0.123.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0

Perform a network connectivity test on R3 from the source 10.0.3.3.

<R3>ping -a 10.0.3.3 10.0.1.1
/ e
m
c o
i.
e
aw
u
0.00% packet loss
. h
n g
<R3>ping -a 10.0.3.3 10.0.123.2
n i
e ar
l
//
:
p
tt
h
:
s
c
5 packet(s) received e
u r
0.00% packet loss
s o
R e
<R3>ping -a 10.0.3.3 10.0.2.2
n g
i Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=102 ms
rn
ea
L Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=101 ms
e
r
Mo --- 10.0.2.2 ping statistics ---
0.00% packet loss

Final Configuration
[V200R003C00SPC200]
#
sysname R1
#
/ e
om
c
link-protocol fr
undo fr inarp
i.
fr map ip 10.0.123.2 102 broadcast
e
aw
ip address 10.0.123.1 255.255.255.0
h u
ospf network-type p2mp
ospf dr-priority 255
g.
#
in
n
ar
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
l e
//
ospf 1 router-id 10.0.1.1
area 0.0.0.0
p :
tt
network 10.0.0.0 0.255.255.255
#
user-interface con 0 h
s:
c e
r
u
o
#
es
R
return
n g
n i
[V200R003C00SPC200]
a r#
Le
sysname R2
#
r e interface Serial3/0/0
Mo
link-protocol fr
undo fr inarp
ip address 10.0.123.2 255.255.255.0

#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
/ e
om
. c
i
e
u aw
h
#
return
g.
i n
n
ar
[V200R003C00SPC200]
e
#
sysname R3
l
#
: //
p
tt
link-protocol fr
h
undo fr inarp
s:
ip address 10.0.123.3 255.255.255.0
c e
#
u r
interface LoopBack0
s o
e
ip address 10.0.3.3 255.255.255.0
#
R
g
n
area 0.0.0.0
i
r n network 10.0.0.0 0.255.255.255
a
#
Le
r e set authentication password
Mo
#
return

Lab 2-3 PPPoE Client Session Establishment
Learning Objectives
Configuration of a Dialer interface for PPPoE
/ e
Authentication of a client over PPPoE.
om
. c
Topology
e i
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e
i ng Figure 2.3 PPPoE Server and Client Topology
n
rScenario
e a The enterprise subscribes to a (typically high speed) DSL service from the
L
r e service provider over which WAN services are supported. R1 and R3 are
Mo
enterprise edge routers of different offices, and establish a connection to the
service provider through the PPPoE server (R2). The enterprise is required to
establish a PPPoE dialer on the edge routers to allow hosts in the local area
network to access external resources transparently via the service provider
network over PPPoE.

Tasks
/ e
<Huawei>system-view
om
. c
[Huawei]sysname R1
e i
<Huawei>system-view
u aw
[Huawei]sysname R2
. h
n g
<Huawei>system-view
n i
ar
[Huawei]sysname R3
l e
/ /
p :
t t over the frame relay network.
h
Disable the serial interfaces to avoid routing

s :
c e
u r
s o
R e
n g
Step 3 Configure PPPoE Server.
i
n PPPoE server is not part of the enterprise network, however it is required
rThe
a to allow the enterprise edge routers R1 and R3 to be authenticated.
Le [R2]ip pool pool1
r e Info: It's successful to create an IP address pool.
Mo
[R2-ip-pool-pool1]network 119.84.111.0 mask 255.255.255.0
[R2-ip-pool-pool1]gateway-list 119.84.111.254
[R2-ip-pool-pool1]quit
[R2]interface Virtual-Template 1
[R2-Virtual-Template1]ppp authentication-mode chap

[R2-Virtual-Template1]ip address 119.84.111.254 255.255.255.0

[R2-Virtual-Template1]remote address pool pool1
[R2-Virtual-Template1]quit
Bind the Virtual Template to interface Gigabit Ethernet 0/0/0.

[R2-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1
/ e
m
c o
Configure a PPPoE authenticated user.
i.
[R2]aaa
e
[R2-aaa]local-user huawei1 password cipher huawei
u aw
h
Info: Add a new user.
[R2-aaa]local-user huawei1 service-type ppp
g.
[R2-aaa]local-user huawei2 password cipher huawei
in
n
Info: Add a new user.
ar
[R2-aaa]local-user huawei2 service-type ppp
e
[R2-aaa]quit
l
Step 4 Configure PPPoE Client.
: //
Configure R1 as a PPPoE client, for t
p
t the dialer interface needs to be
h The PPP authenticated username
which
created, and PPP authentication enabled.
and password should match that:configured on the PPPoE server.
e s
[R1]dialer-rule
r c
o u
[R1-dialer-rule]dialer-rule 1 ip permit
s
[R1-dialer-rule]quit
e
R
[R1]interface Dialer 1
g
[R1-Dialer1]dialer user user1
n
[R1-Dialer1]dialer-group 1
i
n
[R1-Dialer1]dialer bundle 1
ar
[R1-Dialer1]ppp chap user huawei1
Le
[R1-Dialer1]ppp chap password cipher huawei
[R1-Dialer1]dialer timer idle 300
r e [R1-Dialer1]dialer queue-length 8
Mo
[R1-Dialer1]ip address ppp-negotiate
[R1-Dialer1]quit

Bind the PPPoE Dialer to the outbound interface

[R1-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1
Configure a default static route to the PPPoE server

[R1]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
/ e
Configure R3 as a PPPoE client, for which the dialer interface needs to be
om
created, and PPP authentication enabled. The PPP authenticated username
. c
and password should match that configured on the PPPoE server.
[R3]dialer-rule
e i
[R3-dialer-rule]dialer-rule 1 ip permit
u aw
h
[R3-dialer-rule]quit
g.
[R3-Dialer1]dialer user user2
[R3-Dialer1]dialer-group 1
i n
n
ar
[R3-Dialer1]dialer bundle 1
e
[R3-Dialer1]ppp chap user huawei2
[R3-Dialer1]ppp chap password cipher huawei
l
[R3-Dialer1]dialer timer idle 300
: //
p
[R3-Dialer1]dialer queue-length 8
tt
[R3-Dialer1]ip address ppp-negotiate
h
[R3-Dialer1]quit
s:
Bind the PPPoE Dialer to the outbound interface
c e
r
[R3-GigabitEthernet0/0/0]pppoe-client dial-bundle-number 1
u
o
s static route to the PPPoE server

R e
Configure a default
g
[R3]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
n
i5 Verify the configuration results
n
arExecute the command display pppoe-server session all command to view
Step
Le the status and configuration information.
r e <R2>display pppoe-server session all
Mo
SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template1:0 UP GE0/0/0 00e0.fc03.d0ae 00e0.fc03.7516
2 Virtual-Template1:1 UP GE0/0/0 00e0.fc03.aedd 00e0.fc03.7516
According to displayed information, the session state is normal.

<R2>display virtual-access
Virtual-Template1:0 current state : UP
Description:HUAWEI, AR Series, Virtual-Template1:0 Interface
/ e
om
Input bandwidth utilization : 0%
. c
i
Output bandwidth utilization : 0%
e
Virtual-Template1:1 current state : UP
u aw
h
g.
Description:HUAWEI, AR Series, Virtual-Template1:1 Interface
i n
n
ar
e
l
Input bandwidth utilization : 0%
: //
p
Output bandwidth utilization : 0%
t tand ensure both can obtain an IP

h
Check the dialer interface of R1 and R3,
:
address from the PPPoE server.
e s
c
<R1>display ip interface brief
r
*down: administratively down
u
^down: standby
s o
Re
(l): loopback
(s): spoofing
g
The number of interface that is UP in Physical is 7
i n
The number of interface that is DOWN in Physical is 4
n The number of interface that is UP in Protocol is 5
ar
The number of interface that is DOWN in Protocol is 6
Le Interface IP Address/Mask Physical Protocol
r e Cellular0/0/0 unassigned down down
Mo
Cellular0/0/1 unassigned down down
Dialer1 119.84.111.253/32 up up(s)
GigabitEthernet0/0/0 unassigned up down
output omitted

<R3>display ip interface brief

output omitted
Interface IP Address/Mask Physical Protocol
Dialer1 119.84.111.252/32 up up(s)
GigabitEthernet0/0/0 unassigned up down
output omitted
/ e
om
Final Configuration
. c
e i
aw
[V200R003C00SPC200]
#
h u
sysname R1
g.
#
i n
aaa
n
e ar
l
//
:
domain default
p
h tt
:
s
e
c
r
#
interface Dialer1
ou
s
link-protocol ppp
R e
ppp chap user huawei1
ppp chap password cipher %$%$A8E~UjX}@;bhCL*C4w#<%"Ba%$%$
n g
ip address ppp-negotiate
i
dialer user user1
n
a rdialer bundle 1
dialer queue-length 8
Le dialer timer idle 300
e
dialer-group 1
r #
Mo interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1
#
dialer-rule

dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
/ e
om
#
. c
i
return
e
u aw
h
[R2]dis current-configuration
[V200R003C00SPC200]
g.
#
sysname R2
in
n
ar
#
e
ip pool pool1
gateway-list 119.84.111.254
l
network 119.84.111.0 mask 255.255.255.0
: //
p
#
tt
aaa
h
s:
domain default
c e
u r
o
s
e
R
local-user huawei1 password cipher %$%$MjCY6,a82N4W`]F]3LMAKG9+%$%$
g
local-user huawei1 service-type ppp
n
local-user huawei2 password cipher %$%$Ctq55RX:]R,8Jc13{|,)KH!m%$%$
i
r n
local-user huawei2 service-type ppp
a
#
Le
interface Virtual-Template1
r e remote address pool pool1
Mo
ip address 119.84.111.254 255.255.255.0
#
pppoe-server bind Virtual-Template 1
#

#
return
/ e
om
. c
i
[V200R003C00SPC200]
#
e
sysname R3
u aw
h
#
aaa
g.
i n
n
ar
e
domain default
l
//
:
p
tt
local-user huawei password cipher %$%$fZsyUk1=O=>:L4'ytgR~D*Im%$%$
h
#
interface Dialer1
s:
link-protocol ppp
c e
ppp chap user huawei2
u r
o
ppp chap password cipher %$%$0f8(;^]1NS:q;SPo8TyP%.Ei%$%$
s
e
ip address ppp-negotiate
R
dialer user user2
g
dialer bundle 1
n
dialer queue-length 8
i
r n
dialer timer idle 300
a
dialer-group 1
Le
#
r e pppoe-client dial-bundle-number 1
Mo
#
#
dialer-rule
dialer-rule 1 ip permit
#

ip route-static 0.0.0.0 0.0.0.0 Dialer1

#
#
/ e
return
om
. c
e i
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

HCNA-HNTD Chapter 3 Implementing IP Security
Chapter 3 Implementing IP Security
Lab 3-1 Filtering Enterprise Data with Access Control Lists.
Learning Objectives
/ e
om
. c
Establishment of a basic ACL to implement source based filtering.
e i
Establishment of an advanced ACL to implement enhanced filtering.
u aw
Topology . h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
Figure 3.1 Filtering enterprise network data with Access Control Lists
R e
g
Scenario
n
n i that you are a network administrator of a company that has three
arnetworks belonging to three sites. R2 is deployed at the border of the network
Assume
Le for the main site, while R1 and R3 are deployed at the boundary of the
r e remaining sites. The routers are interconnected over a private WAN

connection. The company needs to control the access of employees to telnet
Mo and FTP services. Only site R1 has permission to access the telnet server in
the main site. Only site R3 has permission to access the FTP server.

Tasks
/ e
om
c
[Huawei]sysname R1
[Huawei]sysname R2
i.
e
[Huawei]sysname R3
[Huawei]sysname S1
u aw
[S1]vlan 4
. h
[S1-vlan4]quit
n g
n i
ar
[Huawei]sysname S2
l e
//
[S2]vlan 6
[S2-vlan6]quit
p :
tt
h
s:
c e
u r
Remove the current network being advertised in OSPF, the PPPoE dialer
s o
interfaces, as well as the PPPoE server virtual template configuration from R2.
[R1]ospf
R e
g
[R1-ospf-1]area 0
n
i
[R1-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
n
r
a [R1-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
Le
[R1-Dialer1]undo dialer user
r e [R1]undo interface Dialer 1
Mo
[R1]dialer-rule
[R1-dialer-rule]undo dialer-rule 1
[R2]ospf

[R2-ospf-1]area 0
[R2-GigabitEthernet0/0/0]undo pppoe-server bind
[R2]undo interface Virtual-Template 1
[R2]undo ip pool pool1
[R2]aaa
[R2-aaa]undo local-user huawei1
/ e
[R2-aaa]undo local-user huawei2
om
. c
i
[R3]ospf
[R3-ospf-1]area 0
e
u aw
h
[R3-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
g.
[R3-Dialer1]undo dialer user
i n
n
ar
[R3]undo interface Dialer 1
e
[R3]dialer-rule
[R3-dialer-rule]undo dialer-rule 1
l
: //
Step 3 Configure IP addressing
p
h tt
Configure addressing for the 10.0.13.0/24. 10.0.4.0/24 and 10.0.6.0/24
s:
networks as shown in the topology of figure 7.1.
c e
r
u
o
es
R
n g
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
i
n
a r[R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
Le
r e [R3]interface GigabitEthernet 0/0/0
Mo
Establish VLAN trunks on S1 and S2. The port link type should already be
configured for interface GigabitEthernet 0/0/2 on S1.


[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2]port trunk pvid vlan 4

/ e
om
. c
i
e
u aw
Step 4 Configure OSPF to enable internetwork communication
. h
g
Configure OSPF for R1, R2, and R3. Ensure that all are partnof the same
OSPF area and advertise the networks that have been created.i
r n
e a
l
[R1]ospf
[R1-ospf-1]area 0
/ /
:
p
t
ht
[R2]ospf
[R2-ospf-1]area 0
:
s
e
c
r
o u
[R3]ospf
s
Re
[R3-ospf-1]area 0
n ga static route on S1 and S2, the nexthop as the private networks

n i
Configure
ar
gateway.
Le [S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
r e [S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
Mo
Verify that a path exists from R1 and R3 to S1 and S2.

<R1>ping 10.0.4.254
/ e
om
. c
i
0.00% packet loss
e
u aw
<R1>ping 10.0.6.254
. h
n g
n i
ar
e
l
//
:
p
tt
h
0.00% packet loss
s:
c e
u r
<R3>ping 10.0.4.254
s o
e
R
g
n
i
r n Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=10 ms
a
Le --- 10.0.4.254 ping statistics ---
r e 5 packet(s) transmitted
Mo
0.00% packet loss

<R3>ping 10.0.6.254
/ e
om
. c
i
0.00% packet loss
e
u aw
. h
Step 5 Configure Filters using Access Control Lists
n g
n i
r
Configure S1 as a telnet server.
[S1]user-interface vty 0 4
e a
l
[S1-ui-vty0-4]authentication-mode password
/
[S1-ui-vty0-4]set authentication password cipher huawei
/
p :
t
Configure S2 as an FTP server.
ht
[S2]ftp server enable
[S2]aaa
:
[S2-aaa]local-user huawei password cipher huawei
s
e
[S2-aaa]local-user huawei service-type ftp
c
r
[S2-aaa]local-user huawei ftp-directory flash:
o u
s
Configure an access control list on R2 to allow R1 to access the telnet server,
Re
and R3 to access the FTP server.
[R2]acl 3000
n g
[R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination
i
10.0.4.254 0.0.0.0 destination-port eq 23
n
ar
Le
10.0.6.254 0.0.0.0 destination-port range 20 21
[R2-acl-adv-3000]rule 15 deny ip source any
r e [R2-acl-adv-3000]quit
Mo Apply the ACL to the Gigabit Ethernet 0/0/0 interface of R2.

[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000

Verify the results of the access control list on the network.
<R1>telnet 10.0.4.254
Press CTRL_] to quit telnet mode
Trying 10.0.4.254 ...
Connected to 10.0.4.254 ...
Login authentication
/ e
om
. c
i
Password:
Info: The max number of VTY users is 5, and the number
e
of current VTY users on line is 1.
u aw
h
<S1>
g.
Note: use the quit command to exit the telnet session
i n
n
ar
<R1>ftp 10.0.6.254
e
Trying 10.0.6.254 ...
Press CTRL+K to abort
l
Error: Failed to connect to the remote host.
: //
p
tt
Note: The FTP connection may take a while to respond (approx 60 seconds).
<R3>telnet 10.0.4.254 h
s:
Trying 10.0.4.254 ...
c e
r
Error: Can't connect to the remote host
u
s o
e
<R3>ftp 10.0.6.254
R
Trying 10.0.6.254 ...
g
n
Connected to 10.0.6.254.
i
r n
220 FTP service ready.
a
User(10.0.6.254:(none)):huawei
Le
331 Password required for huawei.
Enter password:
r e 230 User logged in.
Mo
[R3-ftp]
Note: The bye command can be used to close the FTP connection

Additional Exercises: Analyzing and Verifying
FTP requires two ports to be defined in the access control list, why is this?
Should basic ACL and advanced ACL be deployed near the source network or
target network, and why?
Final Configuration / e
om
. c
i
<R1>display current-configuration
[V200R003C00SPC200]
e
aw
#
sysname R1
h u
#
g.
n
aaa
n i
ar
e
domain default
l
//
:
p
tt
h
#
s:
c e
r
ip address 10.0.13.1 255.255.255.0
u
o
#
s
e
area 0.0.0.0
R
g
network 10.0.13.0 0.0.0.255
#
i n
n
a rauthentication-mode password
Le
r e user-interface vty 0 4
Mo
#
return

[V200R003C00SPC200]
#
sysname R2
#
acl number 3000
rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port
eq telnet
/ e
om
range ftp-data ftp
. c
i
rule 15 deny ip
#
e
u aw
h
ip address 10.0.13.2 255.255.255.0
traffic-filter inbound acl 3000
g.
#
i n
n
ar
ip address 10.0.4.2 255.255.255.0
e
#
l
ip address 10.0.6.2 255.255.255.0
: //
p
#
tt
h
area 0.0.0.0
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
s:
c e
network 10.0.13.0 0.0.0.255
#
u r
s o
e
R
g
n
i
r
#
n
a
return
Le
r e <R3>display current-configuration
Mo
[V200R003C00SPC200]
#
sysname R3
#

ip address 10.0.13.3 255.255.255.0

#
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
/ e
om
. c
i
#
e
return
u aw
. h
<S1>display current-configuration
n g
#
n i
ar
e
sysname S1
#
l
vlan batch 4
://
p
#
tt
interface Vlanif4
h
ip address 10.0.4.254 255.255.255.0
#
s:
c e
port trunk pvid vlan 4
u r
o
s
e
#
R
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
g
#
n
i
r n
a
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
Le
#
return
r e
Mo

<S2>dis current-configuration
#
sysname S2
#
FTP server enable
#
vlan batch 6
/ e
#
om
aaa
. c
i
e
u aw
h
domain default
g.
local-user admin password simple admin
i n
n
ar
local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
e
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
l
#
: //
p
interface Vlanif6
tt
ip address 10.0.6.254 255.255.255.0
h
#
s:
c e
r
u
#
s o
e
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
#
R
g
n
i
r
#
n
a
return
Le
r e
Mo

Lab 3-2 Network Address Translation
Learning Objectives
Translation of addresses between networks (NAT).
/ e
Configuration of Easy IP.
om
. c
Topology
e i
u aw
. h
n g
n i
e ar
l
://
p
h tt
s:
c e
u r
s o
R e Figure 3.2 Network Address Translation Topology
n
Scenariog
n i
r
a implemented private addressing internally. Users however require a means to
In order to conserve addressing the offices of the enterprise network have
Le be routed between these private networks and the public network domain. R1
r e and R3 represent edge routers of the enterprise branch offices ,the branch
Mo
network need access to the public network. The administrator of the network is
requested to configure dynamic NAT solutions on the in order to allow R1 to
perform address translation. An easyIP NAT solution is to be applied to R3.

Tasks
/ e
om
c
[Huawei]sysname R1
[R1]inter GigabitEthernet0/0/1
i.
e
[Huawei]sysname R3
u aw
. h
n g
[Huawei]sysname S1
n i
[S1]vlan 4
e ar
l
[S1-vlan3]quit
//
p :
tt
[S1-Vlanif4]quit
[Huawei]sysname S2
h
[S2]vlan 6
s:
[S2-vlan6]quit
c e
r
u
o
[S2-Vlanif6]quit
es
R
g
n
n i the connection to S1 and S2 via Gigabit Ethernet 0/0/1 on R1 and
arGigabit Ethernet 0/0/2 on R3. Remove OSPF from all routers.
Re-establish
Le
e
r [R1-GigabitEthernet0/0/0]undo ip address
Mo
[R1-GigabitEthernet0/0/1]undo shutdown
[R1]undo ospf 1
Warning: The OSPF process will be deleted. Continue? [Y/N]:y

[R2]undo ospf 1
[R3-GigabitEthernet0/0/2]undo shutdown
[R3]undo ospf 1
/ e
om
Remove the static routes pointing to R2 on S1 and S2.
. c
[S1]undo ip route-static 0.0.0.0 0.0.0.0
e i
u aw
h
[S2]undo ip route-static 0.0.0.0 0.0.0.0
g.
Step 3 Implement VLAN configuration for S1 and S2 n
n i
a r
l e
/ /
:
p
t t
h
s:
e
c
r
u
s o
Re
n g
n i
ar
Le
r e
Mo

Verify that R1 is able to reach both S1 and R3.

<R1>ping 10.0.4.254
/ e
om
. c
i
e
0.00% packet loss
u aw
h
g.
<R1>ping 119.84.111.3
i n
n
ar
e
l
//
:
p
--- 119.84.111.3 ping statistics ---

5 packet(s) transmitted h tt
s:
0.00% packet loss
c e
r
u
o
s Access Control Lists for R1 and R3
e
Step 4 Configure
R
g
Configure an advanced ACL on R1 and select the data flow with the source of
n
n i
S1, the destination of R3, and destined for the telnet service port.
ar
[R1]acl 3000
Le 119.84.111.3 0.0.0.0 destination-port eq 23

[R1-acl-adv-3000]rule 10 permit ip source 10.0.4.0 0.0.0.255 destination any
r e [R1-acl-adv-3000]rule 15 deny ip
Mo Configure a basic ACL on R3 and select the data flow whose source IP
address is 10.0.6.0/24.
[R3]acl 2000
[R3-acl-basic-2000]rule permit source 10.0.6.0 0.0.0.255

Step 5 Configure Dynamic NAT
Configure static route on S1 and S2,the nexthop as the private networks

gateway.
[S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
[S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.3
/ e
m
Configure dynamic NAT on the GigabitEthernet0/0/0 interface of R1.
[R1]nat address-group 1 119.84.111.240 119.84.111.243
c o
.
[R1-GigabitEthernet0/0/0]nat outbound 3000 address-group 1
e i
Configure R3 as the telnet server.
u aw
[R3]user-interface vty 0 4
. h
[R3-ui-vty0-4]authentication-mode password
[R3-ui-vty0-4]set authentication password cipher huawei
n g
[R3-ui-vty0-4]quit
n i
Verify the address group has been configured correctly a
r
l e
<R1>display nat address-group
/ /
:
NAT Address-Group Information:
p
--------------------------------------
t
t
Index Start-address End-address
h
--------------------------------------
1 119.84.111.240
s: 119.84.111.243
e
--------------------------------------
Total : 1
r c
o u
s
Test connectivity to the gateway of the remote peer from the internal network.
Re
<S1>ping 119.84.111.3
g
Request time out
n
n iReply from 119.84.111.3: bytes=56 Sequence=2 ttl=254 time=1 ms
ar
Le Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=254 time=1 ms
r e --- 119.84.111.3 ping statistics ---
Mo
20.00% packet loss

Establish a telnet connection to the public address of the remote peer.

<S1>telnet 119.84.111.3
Trying 119.84.111.3 ...
Connected to 119.84.111.3 ...
/ e
Password:
om
<R3>
. c
Do not exit the telnet session, instead open a second session window to R1
and view the results of the ACL and NAT session translation.
e i
u aw
h
<R1>display acl 3000
Advanced ACL 3000, 2 rules
g.
Acl's step is 5
i n
n
ar
eq telnet (1 matches)
e
rule 10 permit ip source 10.0.4.0 0.0.0.255 (1 matches)
rule 15 deny ip
l
: //
p
<R1>display nat session all
tt
NAT Session Table Information:
Protocol : ICMP(1) h
SrcAddr Vpn
s:
: 10.0.4.254
DestAddr Vpn
c e
: 119.84.111.3
Type Code IcmpId
u r : 8 0 44003
NAT-Info
s o
e
New SrcAddr : 119.84.111.242
R
New DestAddr : ----
g
New IcmpId : 10247
i n
r n Protocol : TCP(6)
a
SrcAddr Port Vpn : 10.0.4.254 49646
Le
DestAddr Port Vpn : 119.84.111.3 23
NAT-Info
r e New SrcAddr : 119.84.111.242
Mo
New SrcPort : 10249
New DestAddr : ----
New DestPort : ----
Total : 2

The ICMP session has a lifetime of only 20 seconds and therefore may not
appear to be present when displaying the NAT session results. The following
command can be used in this case to extend the period over which the ICMP
results are maintained:
[R1]firewall-nat session icmp aging-time 300
/ e
Configure easyIP on the Gigabit Ethernet 0/0/0 interface of R3, associating the
om
easyIP configuration with ACL 2000 that had been configured earlier.
. c
[R3-GigabitEthernet0/0/0]nat outbound 2000
e i
u aw
h
Test the connectivity from S2 to R1 via R3.
<S2>ping 119.84.111.1
g.
i n
n
ar
e
l
//
:
p
tt
--- 119.84.111.1 ping statistics ---
h
0.00% packet loss
s:
c e
u r
o
<R3>display acl 2000
s
e
Basic ACL 2000, 1 rule
R
Acl's step is 5
g
rule 5 permit source 10.0.6.0 0.0.0.255 (1 matches)
i n
r n
<R3>display nat outbound acl 2000
a
NAT Outbound Information:
Le
---------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
r e ---------------------------------------------------------------------
Mo
GigabitEthernet0/0/0 2000 119.84.111.3 easyip
---------------------------------------------------------------------
Total : 1

Final Configuration
[V200R003C00SPC200]
#
sysname R1
#
/ e
firewall-nat session icmp aging-time 300
om
c
#
acl number 3000
i.
e
aw
eq telnet
rule 10 permit ip source 10.0.4.0 0.0.0.255
h u
rule 15 deny ip
#
g.
nat address-group 1 119.84.111.240 119.84.111.243
i n
n
ar
#
ip address 119.84.111.1 255.255.255.0
l e
//
nat outbound 3000 address-group 1
#
p :
tt
ip address 10.0.4.1 255.255.255.0
# h
s:
c e
r
u
o
s
e
R
#
return
n g
n i
a r<R3>display current-configuration
Le
[V200R003C00SPC200]
#
r e sysname R3
Mo
#
acl number 2000
rule 5 permit source 10.0.6.0 0.0.0.255
#

ip address 119.84.111.3 255.255.255.0

nat outbound 2000
#
ip address 10.0.6.3 255.255.255.0
#
/ e
om
. c
i
e
u aw
h
cipher %$%$7ml|,!ccE$SQ~CZ{GtaE%hO>v}~bVk18p5qq<:UPtI:9hOA%%$%$
#
g.
return
in
n
e ar
#
l
://
p
sysname S1
tt
#
h
vlan batch 4
#
interface Vlanif4
s:
c
ip address 10.0.4.254 255.255.255.0
e
#
u r
o
s
e
R
g
#
i n
r n
a
Le
r e #
Mo
shutdown
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#

set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
return
/ e
#
om
. c
i
sysname S2
#
e
vlan batch 6
u aw
h
#
interface Vlanif6
g.
ip address 10.0.6.254 255.255.255.0
#
i n
n
ar
e
l
: //
p
#
tt
h
s:
#
c e
r
u
shutdown
s o
e
#
R
ip route-static 0.0.0.0 0.0.0.0 10.0.6.3
g
#
n
i
r n
a
#
Le
return
r e
Mo

Lab 3-3 Establishing Local AAA solutions
Learning Objectives
Configuration of local AAA for which authentication and authorization
/ e
schemes are to be used.
om
Establishment of a domain named huawei
. c
Implementation of privilege levels for authenticated users.
e i
Topology
u aw
. h
n g
n i
e ar
l
://
p
tt
Figure 3-3 AAA configuration
h
Scenario
s:
c e
r
R1 and R3 have been deployed on the network and are to provide remote
u
o
authentication services using AAA. The company requires that both routers
s
are made part of the huawei domain and that the telnet service is made
e
R
available to users, with limited privileges given once authenticated.
n g
n i
a r
Le
r e
Mo

Tasks
/ e
om
c
[Huawei]sysname R1
i.
e
[Huawei]sysname R3
u aw
[R3]inter GigabitEthernet0/0/0
. h
n g
n i
e ar
Remove the previous NAT and ACL configuration/
l
: / from R1 and R3.
t p
t
h
[R1-GigabitEthernet0/0/0]undo nat outbound 3000 address-group 1
:
s
e
[R1]undo nat address-group 1
[R1]undo acl 3000
rc
o u
s
Re
[R3-GigabitEthernet0/0/0]undo nat outbound 2000
g
[R3]undo acl 2000
n
Stepi3 Verify connectivity between R1 and R3
r n
a
Le
<R1>ping 119.84.111.3
r e Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=70 ms
Mo

--- 119.84.111.3 ping statistics ---

0.00% packet loss
Step 4 Perform AAA configuration on R1

/ e
om
c
Configure an authentication-scheme and authorization-scheme on R1. The
configuration for R3 can be found at step 5.
i.
e
aw
[R1]aaa
[R1-aaa]authentication-scheme auth1
h u
.
Info: Create a new authentication scheme.
[R1-aaa-authen-auth1]authentication-mode local
n g
[R1-aaa-authen-auth1]quit
n i
ar
[R1-aaa]authorization-scheme auth2
Info: Create a new authorization scheme.
[R1-aaa-author-auth2]authorization-mode local
l e
//
[R1-aaa-author-auth2]quit
p :
tt
Configure the domain huawei on R1, then create a user and apply the user to
this domain.
h
[R1-aaa]domain huawei
s:
e
[R1-aaa-domain-huawei]authentication-scheme auth1
c
r
[R1-aaa-domain-huawei]authorization-scheme auth2
u
[R1-aaa-domain-huawei]quit
o
s
[R1-aaa]local-user user1@huawei password cipher huawei
e
R
[R1-aaa]local-user user1@huawei service-type telnet
[R1-aaa]local-user user1@huawei privilege level 0
n g
n i
Configure R1 as the telnet server, using AAA authentication mode.
a r
Le
[R1-ui-vty0-4]authentication-mode aaa
r e
Mo

Verify whether the telnet service on R1 has been established successfully.
<R3>telnet 119.84.111.1
Trying 119.84.111.1 ...
Connected to 119.84.111.1 ...
/ e
om
Username:user1@huawei
. c
i
Password:
<R1>system-view
e
^
u aw
h
Error: Unrecognized command found at '^' position.
<R1>quit
g .
i n level 0 for
n
Operations are restricted as user privileges are limited to privilege
user1@huawei.
a r
Step 5 Perform AAA configuration on R3 l
e
/ /
p :
t
[R3]aaa
[R3-aaa]authentication-scheme auth1
h t
Info: Create a new authentication scheme.
:
[R3-aaa-authen-auth1]authentication-mode local
s
[R3-aaa-authen-auth1]quit
c e
r
[R3-aaa]authorization-scheme auth2
u
Info: Create a new authorization scheme.
o
s
[R3-aaa-author-auth2]authorization-mode local
Re
[R3-aaa-author-auth2]quit
n
Configureg the domain huawei on R3, then create a user and apply the user to
n i
this domain.
a r
Le
[R3-aaa]domain huawei
[R3-aaa-domain-huawei]authentication-scheme auth1
r e [R3-aaa-domain-huawei]authorization-scheme auth2
Mo
[R3-aaa-domain-huawei]quit
[R3-aaa]local-user user3@huawei password cipher huawei
[R3-aaa]local-user user3@huawei service-type telnet

Configure the telnet service on R3 to use AAA authentication mode.
[R3-ui-vty0-4]authentication-mode aaa
Verify the results of implementing AAA on the vty interface.

.
<R1>telnet 119.84.111.3
/ e
om
Trying 119.84.111.1 ...
. c
i
Connected to 119.84.111.1 ...
e
u aw
Username:user3@huawei
. h
Password:
n g
<R3>system-view
n i
ar
^
e
Error: Unrecognized command found at '^' position.
<R3>
l
/set to privilege level 0 for
: /
p
Operations are restricted as user privileges are
user3@huawei.
t t
h
:
Step 6 Observe the results of the AAA configuration
s
c e
r
<R1>display domain name huawei
o u
Domain-name
s : huawei
Re
Domain-state : Active
Authentication-scheme-name : auth1
n g
Accounting-scheme-name : default
n i
Authorization-scheme-name : auth2
ar
Service-scheme-name : -
Le
RADIUS-server-template : -
HWTACACS-server-template : -
r e User-group : -
Mo

<R1>display local-user username user1@huawei

The contents of local user(s):
Password : ****************
State : active
Service-type-mask : T
Privilege level : 0
Ftp-directory : -
Access-limit : -
/ e
Accessed-num : 0
om
Idle-timeout : -
. c
i
User-group : -
e
<R3>display domain name huawei
u aw
Domain-name : huawei
. h
Domain-state : Active
n g
Authentication-scheme-name : auth1
n i
ar
Accounting-scheme-name : default
e
Authorization-scheme-name : auth2
Service-scheme-name : -
l
RADIUS-server-template : -
: //
p
HWTACACS-server-template : -
tt
User-group : -
h
<R3>display local-user username user3@huawei
The contents of local user(s):
s:
Password
c e
: ****************
State
u r: active
Service-type-mask
s o : T
e
Privilege level : 0
Ftp-directory
R : -
g
Access-limit : -
i n
Accessed-num : 0
r n
Idle-timeout : -
a
User-group : -
Le
r e
Mo

Final Configuration
[V200R003C00SPC200]
#
sysname R1
#
/ e
aaa
om
c
authentication-scheme auth1
i.
e
aw
authorization-scheme auth2
h u
domain default
g.
domain huawei
in
n
ar
l e
//
:
p
tt
local-user user1@huawei password cipher %$%$^L*5IP'0^A!;R)R*L=LFcXgv%$%$
local-user user1@huawei privilege level 0 h
s:
local-user user1@huawei service-type telnet
#
c e
r
u
o
ip address 119.84.111.1 255.255.255.0
s
nat outbound 3000 address-group 1 //may remain from previous labs
e
R
#
n g
n i
a rcipher %$%$dD#}P<HzJ;Xs%X>hOkm!,.+Iq61QK`K6tI}cc-;k_o`C.+L,%$%$
Le
authentication-mode aaa
r e #
Mo
return

<R3>dis current-configuration
[V200R003C00SPC200]
#
sysname R3
#
aaa
/ e
om
. c
i
domain default
e
u aw
h
domain huawei
g.
i n
n
ar
e
l
//
local-user user3@huawei password cipher %$%$WQt.;bEsR<8fz3LCiPY,che_%$%$
:
p
local-user user3@huawei privilege level 0
tt
h
#
s:
ip address 119.84.111.3 255.255.255.0
c e
nat outbound 2000 //may remain from previous labs
#
u r
s o
e
R
g
n
i
r n
a
#
Le
return
r e
Mo

Lab 3-4 Securing Traffic with IPsec VPN
Learning Objectives
Configuration of an IPsec proposal using an esp transform set.
/ e
Configuration of an ACL used to determine interesting traffic.
om
Configuration of an IPsec policy
. c
The binding of an IPsec policy to an interface.
e i
Topology
u aw
. h
n g
n i
e ar
l
://
p
h tt
Figure 3.4 IPsec VPN topology
s:
Scenario
c e
u r
In the interests of protecting both the integrity and confidentiality of company
s o
data, it is required that the communication between the offices of the
R e
enterprise secure specific private data as it is transmitted over the public
network infrastructure. As the network administrator of the company, the task
n g
has been assigned to implement IPsec VPN solutions between the HQ edge
n i
router (R1) and the branch office (R3). Currently only select departments
a rwithin the HQ require secured communication over the public network (R2).
Le
The administrator should establish IPsec using tunnel mode between the two
offices for all traffic originating from the department.
r e
Mo

Tasks

<Huawei>system-view
/ e
[Huawei]sysname R1
om
. c
i
e
u aw
<Huawei>system-view
. h
[Huawei]sysname R2
n g
n i
ar
e
[R2-Serial1/0/0]interface serial 2/0/0
l
: //
p
<Huawei>system-view
[Huawei]sysname R3 htt
s:
c e
r
u
o
e s
Step 2 CleanR up the previous configuration.
n gthe addressing for the Gigabit Ethernet 0/0/0 interface on R1 & R3,
andi
Remove
n disable the interfaces as shown to prevent alternative routes.
ar [R1]interface GigabitEthernet 0/0/0
Le [R1-GigabitEthernet0/0/0]undo ip address
e
r [R1]interface GigabitEthernet 0/0/1
Mo [R1-GigabitEthernet0/0/1]shutdown



/ e
om
. c
i
e
Step 3 Establish additional logical interfaces.
u aw
. h
[R1-LoopBack0]interface loopback 1
n g
n i
[R3-LoopBack0]interface loopback 1
e ar
l
://
Step 4 Configure OSPF.
p
h tt
Use the IP address of Loopback 0 as the router ID, use the default OSPF
s:
process (1), and specify the public network segments 10.0.12.0/24, and
e
10.0.23.0/24 as part of OSPF area 0.
c
u r
[R1]ospf router-id 10.0.1.1
[R1-ospf-1]area 0
s o
R e
g
n
n i
[R2]ospf router-id 10.0.2.2
a r[R2-ospf-1]area 0
Le
r e [R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
Mo [R3]ospf router-id 10.0.3.3

[R3-ospf-1]area 0


After OSPF route convergence is complete, view the configuration.

/ e
m
----------------------------------------------------------------------------
c o
0.0.0.0 Serial1/0/0 10.0.1.1 Full
i.
e
0.0.0.0 Serial2/0/0 10.0.3.3 Full
aw
----------------------------------------------------------------------------
h u
g.
i
----------------------------------------------------------------------------
n
n
e ar
l
//
10.0.1.0/24 Direct 0 0
p : D 10.0.1.1 LoopBack0
10.0.1.1/32
10.0.1.255/32
Direct
Direct
0
0
0
0
htt D
D
127.0.0.1
127.0.0.1
LoopBack0
LoopBack0
10.0.2.2/32 OSPF 10
s: 781 D 10.0.12.2 Serial1/0/0

10.0.3.3/32 OSPF
c e
10 2343 D 10.0.12.2 Serial1/0/0
r
10.0.11.11/32
ou Direct 0 0 D 127.0.0.1 LoopBack1
s
R e
10.0.12.0/24
10.0.12.1/32
Direct
Direct
0
0
0
0
D
D
10.0.12.1
127.0.0.1
Serial1/0/0
Serial1/0/0
ng
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
ni
10.0.12.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
r
10.0.23.0/24 OSPF 10 2343 D 10.0.12.2 Serial1/0/0
e a 10.0.33.33/32 OSPF 10 2343 D 10.0.12.2 Serial1/0/0
L 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
e
r 127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Mo 255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
If the baudrate is maintained as 128000 from lab 6-1, the OSPF cost will be set
as shown, and thus may vary due to the the metric calculation used by OSPF.

----------------------------------------------------------------------------
/ e
10.0.1.1/32 OSPF 10 3124 D 10.0.23.2 Serial2/0/0
om
10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial2/0/0
. c
i
e
u aw
h
10.0.11.11/32 OSPF 10 3124 D 10.0.23.2 Serial2/0/0
10.0.12.0/24 OSPF 10 3124 D 10.0.23.2
.
Serial2/0/0
g
10.0.23.0/24
10.0.23.2/32
Direct
Direct
0
0
0
0
D
D
10.0.23.3
10.0.23.2
in
Serial2/0/0
Serial2/0/0
n
ar
10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
e
10.0.23.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.33.0/24 Direct 0 0 D
l
10.0.33.33 LoopBack1
10.0.33.33/32 Direct 0 0 D
: //
127.0.0.1 LoopBack1
p
tt
h
255.255.255.255/32 Direct 0
s: 0 D 127.0.0.1 InLoopBack0
c e
u r
Step 5 Configure the ACL to define interesting traffic
o
s is created to identify interesting traffic for which the IPsec
e
VPN will beRapplied. The advanced ACL is capable of filtering based on
An advanced ACL
specific g
i n parameters for selective traffic filtering.
n
ar
[R1]acl 3001
[R1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0
Le 0.0.0.255
r e [R3]acl 3001
Mo
[R3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0
0.0.0.255

Step 6 Configure IPsec VPN Proposal
Create an IPsec proposal and enter the IPsec proposal view to specify the
security protocols to be used. Ensure both peers use the same protocols.
[R1]ipsec proposal tran1
[R1-ipsec-proposal-tran1]esp authentication-algorithm sha1
/ e
m
[R1-ipsec-proposal-tran1]esp encryption-algorithm 3des
c o
.
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
e i
aw
[R3-ipsec-proposal-tran1]esp encryption-algorithm 3des
Run the display ipsec proposal command to verify the configuration.

h u
g.
n
[R1]display ipsec proposal
n i
ar
Number of proposals: 1
IPSec proposal name : tran1

l e
//
Encapsulation mode : Tunnel
Transform : esp-new
p :
tt
ESP protocol : Authentication SHA1-HMAC-96
h
Encryption 3DES
[R3]display ipsec proposal

s:
c e
r
Number of proposals: 1
u
s o
IPSec proposal name : tran1
R e
Encapsulation mode : Tunnel
g
Transform : esp-new
i n
ESP protocol : Authentication SHA1-HMAC-96
n
Encryption 3DES
a r
Le Step 7 IPsec Policy Creation
r e
Mo
Create an IPsec policy and define the parameters for establishing the SA.
[R1]ipsec policy P1 10 manual
[R1-ipsec-policy-manual-P1-10]security acl 3001
[R1-ipsec-policy-manual-P1-10]proposal tran1
[R1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3

[R1-ipsec-policy-manual-P1-10]tunnel local 10.0.12.1

[R1-ipsec-policy-manual-P1-10]sa spi outbound esp 54321
[R1-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
[R1-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[R1-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[R3]ipsec policy P1 10 manual

[R3-ipsec-policy-manual-P1-10]security acl 3001
/ e
[R3-ipsec-policy-manual-P1-10]proposal tran1
om
[R3-ipsec-policy-manual-P1-10]tunnel remote 10.0.12.1
. c
i
[R3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
[R3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
e
[R3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
u aw
h
[R3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
.
[R3-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
g
i n
n
Run the display ipsec policy command to verify the configuration.
<R1>display ipsec policy
a r
l e
===========================================
/ /
:
IPSec policy group: "P1"
Using interface:
t p
ht
===========================================
Sequence number: 10
s :
e
Security data flow: 3001
c
r
Tunnel local address: 10.0.12.1
u
Tunnel remote address: 10.0.23.3
o
s
Qos pre-classify: Disable
Re
Proposal name:tran1
Inbound AH setting:
n g
AH SPI:
n i AH string-key:
ar
AH authentication hex key:
Inbound ESP setting:
Le ESP SPI: 12345 (0x3039)
e
ESP string-key: huawei
r ESP encryption hex key:
Mo ESP authentication hex key:

Outbound AH setting:
AH SPI:
AH string-key:


Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP encryption hex key:
ESP authentication hex key:
<R3>display ipsec policy

/ e
om
===========================================
. c
i
IPSec policy group: "P1"
Using interface:
e
===========================================
u aw
Sequence number: 10
. h
Security data flow: 3001
n g
Tunnel local address: 10.0.23.3
n i
ar
Tunnel remote address: 10.0.12.1
e
Qos pre-classify: Disable
Proposal name:tran1
l
Inbound AH setting:
: //
p
AH SPI:
tt
AH string-key:
h
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
s:
c
e
r
u
o
ESP authentication hex key:
s
e
Outbound AH setting:
AH SPI:
R
g
AH string-key:
n
i
r n Outbound ESP setting:
a
ESP SPI: 12345 (0x3039)
Le
r e ESP authentication hex key:
Mo

Step 8 Applying IPsec Policies to Interfaces
Apply the policy to the physical interface upon which traffic will be subjected to
IPsec processing.
[R1-Serial1/0/0]ipsec policy P1
/ e
om
[R3-Serial2/0/0]ipsec policy P1
. c
e i
aw
Step 9 Test connectivity between the IP networks.
h u
Observe and verity that non-interesting traffic bypasses the IPsec processing.
g.
n
<R1>ping -a 10.0.11.11 10.0.33.33
n i
ar
l e
//
:
p
tt
h
0.00% packet loss
s:
e
c
u r
o
<R1>display ipsec statistics esp
Inpacket count
es : 0
R
Inpacket auth count
Inpacket decap count
: 0
g
: 0
i n
Outpacket count : 0
n
Outpacket auth count : 0
a rOutpacket encap count : 0
Le
Inpacket drop count : 0
Outpacket drop count : 0
r e BadAuthLen count : 0
Mo
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count : 0
PktInSAMissDrop count : 0

Observe that only the interesting traffic will be secured by the IPsec VPN.
<R1>ping -a 10.0.1.1 10.0.3.3
/ e
m
c o
i.
e
aw
0.00% packet loss
h u
g.
i n
Inpacket count : 5
n
Inpacket auth count : 0
e ar
l
Inpacket decap count : 0
//
Outpacket count : 5
:
Outpacket auth count : 0
Outpacket encap count : 0
p
Inpacket drop count
Outpacket drop count
: 0
: 0
h tt
BadAuthLen count : 0
s:
AuthFail count
c e
: 0
r
InSAAclCheckFail count : 0
ou
PktDuplicateDrop count : 0
s
R e
n g Redefine interesting traffic

i
Step 10
r n
a Change the ACL to define OSPF traffic as interesting traffic.
Le [R1]acl 3001
r e [R1-acl-adv-3001]rule 5 permit ospf source any destination any
Mo [R3]acl 3001
[R3-acl-adv-3001]rule 5 permit ospf source any destination any


----------------------------------------------------------------------------
0.0.0.0 Serial1/0/0 10.0.2.2 Init
----------------------------------------------------------------------------
/ e
om
. c
i
----------------------------------------------------------------------------
e
u aw
h
g.
Destination/Mask Proto Pre Cost Flags NextHop
n
Interface
i
n
ar
e
10.0.1.255/32 Direct 0 0 D
l
127.0.0.1 LoopBack0
10.0.11.0/24 Direct 0 0 D
: //
10.0.11.11 LoopBack1
p
tt
h
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0
10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.12.2/32 Direct 0
s: 0 D 10.0.12.2 Serial1/0/0
c
10.0.12.255/32 Direct
e0 0 D 127.0.0.1 Serial1/0/0
127.0.0.0/8
u r Direct 0 0 D 127.0.0.1 InLoopBack0

127.0.0.1/32
s o Direct 0 0 D 127.0.0.1 InLoopBack0
e
R
n g
n i
a r OSPF Process 1 with Router ID 10.0.3.3
Le
----------------------------------------------------------------------------
r e Area Id Interface Neighbor id State
Mo
0.0.0.0 Serial2/0/0 10.0.2.2 Init
----------------------------------------------------------------------------

----------------------------------------------------------------------------
/ e
om
. c
i
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
e
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
u aw
h
10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
10.0.23.255/32 Direct 0 0 D 127.0.0.1
.
Serial2/0/0
g
10.0.33.0/24
10.0.33.33/32
Direct
Direct
0
0
0
0
D
D
10.0.33.33
127.0.0.1
i n
LoopBack1
LoopBack1
n
ar
e
127.0.0.1/32 Direct 0 0 D
l
127.255.255.255/32 Direct 0 0
:
D
//
p
htt
:
OSPF hello messages fail to be encapsulated using IPsec, causing the link
s
state to fail, returning OSPF to an Init state and effectively breaking the
e
c
established OSPF adjacent relationship of R1 and R3 with R2. Lab 7-5 will
r
u
introduce solutions to the problem of dynamic routing over IPsec VPN.
s o
e
Final Configuration
R
n g
i
[V200R003C00SPC200]
n
ar
#
Le
sysname R1
#
r e acl number 3001

rule 5 permit ospf
Mo #
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des

#
ipsec policy P1 10 manual
security acl 3001
proposal tran1
tunnel local 10.0.12.1
tunnel remote 10.0.23.3
sa spi inbound esp 12345
sa string-key inbound esp simple huawei
/ e
sa spi outbound esp 54321
om
sa string-key outbound esp simple huawei
. c
i
#
e
link-protocol ppp
u aw
h
ip address 10.0.12.1 255.255.255.0
g.
ipsec policy P1
baudrate 128000
in
n
ar
#
e
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
l
#
://
p
interface LoopBack1
tt
ip address 10.0.11.11 255.255.255.0
h
#
area 0.0.0.0
s:
c
network 10.0.1.0 0.0.0.255
e
r
network 10.0.11.0 0.0.0.255
u
o
network 10.0.12.0 0.0.0.255
s
e
#
R
g
n
i
r n
a
Le
#
r e return
Mo

[V200R003C00SPC200]
#
sysname R2
#
link-protocol ppp
/ e
ip address 10.0.12.2 255.255.255.0
om
#
. c
i
link-protocol ppp
e
u aw
h
ip address 10.0.23.2 255.255.255.0
g.
#
interface LoopBack0
i n
n
ar
ip address 10.0.2.2 255.255.255.0
e
#
l
area 0.0.0.0
: //
p
network 10.0.12.0 0.0.0.255
tt
network 10.0.23.0 0.0.0.255
h
#
s:
c
e
r
u
o
s
e
#
return
R
n g
n i
a r[V200R003C00SPC200]
Le
#
sysname R3
r e #
Mo
acl number 3001
rule 5 permit ospf
#


#
security acl 3001
proposal tran1
/ e
om
. c
i
#
e
u aw
h
link-protocol ppp
g.
ip address 10.0.23.3 255.255.255.0
ipsec policy P1
in
n
ar
#
e
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
l
#
://
p
interface LoopBack1
tt
ip address 10.0.33.33 255.255.255.0
h
#
area 0.0.0.0
s:
c
network 10.0.3.0 0.0.0.255
e
r
network 10.0.23.0 0.0.0.255
u
o
network 10.0.33.0 0.0.0.255
s
e
#
R
g
n
i
r n
a
Le
#
r e return
Mo

Lab 3-5 Supporting Dynamic Routing with GRE
Learning Objectives
Configuration of an ACL to support GRE encapsulation
/ e
Establishment of a tunnel interface for GRE
om
Implementation of the GRE keepalive feature.
. c
Topology e i
u aw
. h
n g
n i
e ar
l
: //
p
tt
Figure 3.5 Dynamic routing with GRE topology
h
Scenario
s:
c e
r
A requirement has been made to allow networks from other offices to be
u
o
advertised to the HQ. Following the implementation of IPsec VPN solutions, it
s
was discovered that this was not possible. After some consultation the
e
R
administrator has been advised to implement a GRE solution over the existing
IPsec network to enable the enterprise offices to truly operate as a single
n g
administrative domain.
n i
a r
Le
r e
Mo

Tasks
Note: It is a prerequisite that lab 3-4 be completed before attempting this lab.
Step 1 Set GRE traffic as the interesting traffic

/ e
om
c
Reconfigure the access control list establish GRE encapsulation over IPsec.
[R1]acl 3001
i.
e
aw
[R1-acl-adv-3001]rule 5 permit gre source 10.0.12.1 0 destination 10.0.23.3 0
[R3]acl 3001
h u
.
[R3-acl-adv-3001]rule 5 permit gre source 10.0.23.3 0 destination 10.0.12.1 0
g
in
n
ar
Step 2 Configure a tunnel interface.
l e
Create a tunnel interface and specify GRE as the encapsulation type. Set the
//
tunnel source address or source interface, and set the tunnel destination
:
address.
p
[R1]interface Tunnel 0/0/1
[R1-Tunnel0/0/1]ip address 100.1.1.1 24
h tt
[R1-Tunnel0/0/1]tunnel-protocol gre
s:
[R1-Tunnel0/0/1]source 10.0.12.1
c e
r
[R1-Tunnel0/0/1]destination 10.0.23.3
ou
s
[R3]interface Tunnel 0/0/1
R e
[R3-Tunnel0/0/1]ip address 100.1.1.2 24
[R3-Tunnel0/0/1]tunnel-protocol gre
n g
[R3-Tunnel0/0/1]source 10.0.23.3
i
[R3-Tunnel0/0/1]destination 10.0.12.1
n
a r
Le Step 3 Configure a second OSPF process to route the tunnel.
r e
Mo Add the tunnel interface network to OSPF 1 process, and create a second
OSPF instance of the link state database (process 2) for the 10.0.12.0 and
10.0.23.0 networks, be sure to remove these networks from OSPF 1.

[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-2]area 0
/ e
[R3]ospf 1
om
[R3-ospf-1]area 0
. c
i
e
u aw
h
[R3-ospf-2]area 0
g .
i n routes
from OSPF LSDB 2 of R1 and R3 to reach OSPF LSDB 1 ofn
OSPF LSDB are significant only to the local router, therefore allowing
a r R2.
Run the display interface Tunnel 0/0/1 command to e

/ l verify the configuration.
<R1>display interface Tunnel 0/0/1
: /
Tunnel0/0/1 current state : UP
t p
ht
:
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
s
e
Route Port,The Maximum Transmit Unit is 1500
c
r
u
Encapsulation is TUNNEL, loopback not set
o
s
Tunnel source 10.0.12.1 (Serial1/0/0), destination 10.0.23.3
Re
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
n g
Checksumming of packets disabled
i
n
ar
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 9 bytes/sec, 0 packets/sec
Le Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
e
Realtime 0 seconds output rate 0 bytes/sec, 0 packets/sec
r 0 packets input, 0 bytes, 0 drops
Mo 145 packets output, 14320 bytes, 0 drops

Input bandwidth utilization : --
Output bandwidth utilization : --


/ e
om
. c
i
keepalive disabled
e
u aw
h
g.
Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
in
n
ar
0 packets input, 0 bytes, 0 drops
e
162 packets output, 14420 bytes, 15 drops
l
: //
p
t carried via GRE
t
Step 4 Verify that the routes are being
h
s :command to check the IPv4 routing table.
Run the display ip routing-table
c e
u r
o
----------------------------------------------------------------------------
s
Re
n g
n i
ar 10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
Le
r e 10.0.2.2/32 OSPF 10 781 D 10.0.12.2 Serial1/0/0
Mo
10.0.3.3/32 OSPF 10 1562 D 100.1.1.2 Tunnel0/0/1

10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial1/0/0

10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial1/0/0
10.0.12.255/32 Direct 0 0 D 127.0.0.1 Serial1/0/0
10.0.23.0/24 OSPF 10 2343 D 10.0.12.2 Serial1/0/0
10.0.33.33/32 OSPF 10 1562 D 100.1.1.2 Tunnel0/0/1
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Tunnel0/0/1
100.1.1.1/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
/ e
100.1.1.255/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
om
. c
i
e
u aw
. h
n g
i
----------------------------------------------------------------------------
n
ar
e
l
Destination/Mask Proto Pre Cost
: //
Flags NextHop Interface
p
tt
10.0.1.1/32 OSPF 10 1562 D 100.1.1.1 Tunnel0/0/1
h
10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial2/0/0
10.0.3.3/32 Direct 0
s: 0 D 127.0.0.1 LoopBack0
10.0.3.255/32
c
Direct
e
0 0 D 127.0.0.1 LoopBack0
10.0.11.11/32
u r
OSPF 10 1562 D 100.1.1.1 Tunnel0/0/1
10.0.12.0/24
s o OSPF 10 3124 D 10.0.23.2 Serial2/0/0
e
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial2/0/0
R
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial2/0/0
g
10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
i n
10.0.23.255/32 Direct 0 0 D 127.0.0.1 Serial2/0/0
r n 10.0.33.0/24 Direct 0 0 D 10.0.33.33 LoopBack1
a
Le
100.1.1.0/24 Direct 0 0 D 100.1.1.2 Tunnel0/0/1
r e 100.1.1.2/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1
Mo
100.1.1.255/32 Direct 0 0 D 127.0.0.1 Tunnel0/0/1

After a GRE tunnel is set up, the router can exchange OSPF packets through
the GRE tunnel. Clear the IPsec statistics and test the connection
<R1>reset ipsec statistics esp
[R1]ping -a 10.0.1.1 10.0.3.3
/ e
m
c o
i.
e

u aw
. h
n g
i
0.00% packet loss
n
e ar
l
//
Inpacket count : 8
:
Inpacket auth count : 0
Inpacket decap count : 0
p
Outpacket count
Outpacket auth count
: 8
: 0
h tt
Outpacket encap count
:
: 0
s
Inpacket drop count
c e: 0
r
Outpacket drop count : 0
BadAuthLen count
ou : 0
s
AuthFail count : 0
R e
InSAAclCheckFail count
PktDuplicateDrop count
: 0
: 0
n g
n i
a r
Le
GRE encapsulates all OSPF traffic including the hello packets over IPsec, the
gradual increment of the IPsec esp statistics verifies this.
r e Step 5 Implement the keepalive feature on the GRE tunnel.
Mo [R1]interface Tunnel 0/0/1

[R1-Tunnel0/0/1]keepalive period 3

Verify that the keepalive feature has been enabled on the tunnel interface.

/ e
om
. c
i
e
u aw
h
keepalive enable period 3 retry-times 3
g.
i n
n
ar
e
Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
l
0 packets input, 0 bytes, 0 drops
: //
p
503 packets output, 47444 bytes, 0 drops
tt
h
Final Configuration s:
c e
u r
s o
[V200R003C00SPC200]
#
sysname R1 R e
#
n g
i
acl number 3001
n
a rrule 5 permit gre source 10.0.12.1 0 destination 10.0.23.3 0
#
Le ipsec proposal tran1
e
r esp encryption-algorithm 3des
Mo #
security acl 3001
proposal tran1


#
/ e
link-protocol ppp
om
. c
i
ip address 10.0.12.1 255.255.255.0
ipsec policy P1
e
baudrate 128000
u aw
h
#
interface LoopBack0
g.
ip address 10.0.1.1 255.255.255.0
#
in
n
ar
interface LoopBack1
e
ip address 10.0.11.11 255.255.255.0
#
l
interface Tunnel0/0/1
://
p
ip address 100.1.1.1 255.255.255.0
tt
tunnel-protocol gre
h
keepalive period 3
source 10.0.12.1
destination 10.0.23.3
s:
#
c e
r
u
area 0.0.0.0
s o
e
network 10.0.1.0 0.0.0.255
R
network 10.0.11.0 0.0.0.255
g
network 100.1.1.0 0.0.0.255
#
i n
r n
a
area 0.0.0.0
Le
network 10.0.12.0 0.0.0.255
#
r e user-interface con 0
Mo

#
return
[V200R003C00SPC200]
#
sysname R2
/ e
#
om
. c
i
link-protocol ppp
e
ip address 10.0.12.2 255.255.255.0
u aw
h
#
g.
link-protocol ppp
i n
n
ar
e
ip address 10.0.23.2 255.255.255.0
#
l
interface LoopBack0
: //
p
ip address 10.0.2.2 255.255.255.0
tt
#
h
area 0.0.0.0
network 10.0.2.0 0.0.0.255
s:
c e
network 10.0.12.0 0.0.0.255
r
network 10.0.23.0 0.0.0.255
u
#
s o
e
R
g
n
i
r n
a
#
Le
return
r e
Mo
[V200R003C00SPC200]
#
sysname R3
#

acl number 3001

rule 5 permit gre source 10.0.23.3 0 destination 10.0.12.1 0
#
#
/ e
security acl 3001
om
proposal tran1
. c
i
e
u aw
h
g.
#
in
n
ar
e
link-protocol ppp
l
ip address 10.0.23.3 255.255.255.0
://
p
ipsec policy P1
tt
#
h
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
s:
interface LoopBack1
c e
r
ip address 10.0.33.33 255.255.255.0
u
#
s o
e
interface Tunnel0/0/1
R
ip address 100.1.1.2 255.255.255.0
g
tunnel-protocol gre
n
source 10.0.23.3
i
r n
destination 10.0.12.1
a
#
Le
area 0.0.0.0
r e network 10.0.3.0 0.0.0.255
Mo
network 10.0.33.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
area 0.0.0.0

network 10.0.23.0 0.0.0.255

#
/ e
#
om
return
. c
e i
u aw
. h
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e
Mo

HCNA-HNTD Chapter 4 Managing Enterprise Networks
Chapter 4 Managing Enterprise Networks
Lab 4-1 Managing Networks with SNMP
Learning Objectives
/ e
om
. c
Configuration of an SNMP agent for a network element.
e i

Configuration of SNMP agent traps.
Application of the NMS in managing network elements.
u aw
. h
Topology
n g
n i
e ar
l
: //
p
h tt
s:
c e
u r
s o
R e Figure 4.1 Network management with SNMP topology
n g
i
Scenario
n
a r
With the continued growth of the enterprise network it has become apparent
Le that new measures need to be taken to manage and monitor the health of the
r e network so as to minimize network downtime. The network administrator has

decided that an NMS solution should be deployed, with tests performed to
Mo observe the basic capability of the NMS solution to monitor devices, before
deploying the solution in the enterprise network.

Tasks
/ e
om
c
<Huawei>system-view
[Huawei]sysname R1
i.
e
[R1]interface LoopBack 0
aw
h u
.
<Huawei>system-view
[Huawei]sysname R3
n g
n i
ar

l e
: //
p
Disable the unused serial interfaces and remove the OSPF processes from all
routers.
h tt
s:
e
rc
u
[R1]undo ospf 1
o
s
[R1]undo ospf 2
R e
n g
i
n
r
a [R3-Serial2/0/0]quit
Le
[R3]undo ospf 1
r e [R3]undo ospf 2
Mo

Step 3 Estabish routes between hosts and the NMS.
Configure the IP address and route on the router, make sure the route
between the device and the NMS is reachable.

/ e
om
. c
e i
aw
[R1]ospf
h u
[R1-ospf-1]area 0
g.
n
n i
e ar
[R3-ospf-1]area 0
l
//
p :
Test the network connectivity. h tt
s:
[R1]ping 10.0.13.254
c e
PING 10.0.13.254: 56
u r data bytes, press CTRL_C to break
o
s
e
R
n g
n i
a r --- 10.0.13.254 ping statistics ---
Le
r e 0.00% packet loss
Mo

Step 4 Configure SNMP on R1.
Enable the SNMP agent and confige the version SNMPv2c on the R1.
[R1]snmp-agent
[R1]snmp-agent sys-info version v2c
/ e
Configure SNMP read and write community
om
[R1]snmp-agent community read public
. c
[R1]snmp-agent community write private
e i
a w
Enable the trap function of R1. Configure contact information about the
h u
device administrator.
g .
[R1]snmp-agent trap enable
i n
rn
Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[R1]snmp-agent trap queue-size 200
e a
[R1]snmp-agent trap life 60
/ l
/
[R1]snmp-agent target-host trap-hostname NMS address 10.0.13.254 trap-paramsname
public
p :
t
[R1]snmp-agent target-host trap-paramsname public v2c securityname public
ht
[R1]snmp-agent sys-info contact Call the operator at 010-12345678
s :
After the configuration is complete, run the following commands to verify that
e
the configuration has taken effect.
c
u r
o
<R1>display snmp-agent sys-info
s
The contact person for this managed node:
Re
Call the operator at 010-12345678
n g
The physical location of this node:
n i Shenzhen China
ar
Le
SNMP version running in the system:
SNMPv2c
r e
Mo
<R1>display snmp-agent community write
Community name: %$%$ZR)y~^VY9I"~n`=b`KR1(OX%%$%$
Storage type: nonVolatile
View name: ViewDefault

<R1>display snmp-agent target-host

Traphost list:
Target host name: NMS
Traphost address: 10.0.13.254
Traphost portnumber: 162
Target host parameter: public
Total number is 1
/ e
om
Parameter list trap target host:
. c
i
Parameter name of the target host: public
Message mode of the target host: SNMPV2C
e
Trap version of the target host: v2c
u aw
h
Security name of the target host: public
g.
Total number is 1
in
n
ar
Step 5 Configure Network Elements on the NMS
l e
Under the Resource > Add Device > Single path, add the Network Element
//
(NE) R1 and R3 to the NMS, and configure the SNMP parameters as shown.
p :
h tt
s:
c e
u r
s o
R e
n g
i
n that the Network Elements have been added to the NMS under the
rVerify
a Resource > Resource Management > Equipment Resources > NE Resources
Le path.
r e
Mo

Click on the resource name R1 and R3 to view the basic information.
/ e
om
. c
e i
u aw
. h
n g
n i
e ar
Select the Interface Manager option under Device/
l
/ Config in the resource menu
:completed in succession, thus
p
to the left of the screen. The given output represents a scenario in which all
labs throughout the lab guide have been
t t
producing multiple addresses.
h
s :
c e
u r
s o
Re
n g
n i
ar
Le
r e
Mo

Select the Telnet Parameters option under Protocol Parameters of the

resource menu, to configure the telnet parameters for accessing each network
element from the NMS. If the AAA local user authentication of lab 7-3 has been
maintained in the current configuration, it can be applied as shown. Note: the
password is huawei.
/ e
om
. c
e i
u aw
. h
g
n of R1
n i
Optionally, if the AAA authentication is not present on the VTY interface
a r
and/or R3, a simple telnet authentication process can be applied as follows
before registering the telnet parameters in the NMS.
l e
/ /
[R1-ui-vty0-4]authentication-mode password
p :
t
[R1-ui-vty0-4]set authentication password cipher huawei
ht
[R1-ui-vty0-4]user privilege level 0
s :
The telnet feature in the Basic Information panel of the resource menu grants
remote management of theeNE via the NMS, however privileges currently
prevent configuration.
r c
o u
e s
R
n g
n i
ar
Le
r e
Mo

If the AAA configuration has been maintained from lab 7-3, first increase the
privilege from level 0 to level 3.
[R1]aaa
Alternatively, if the simple telnet authentication process has been used,

/ e
change the privilege on the VTY user interface.
om
. c
i
[R1-ui-vty0-4]user privilege level 3
e
Step 6 Manage Basic NMS Trap Functions
u aw
h
. which
g
Changes that occur to the NE can be monitored in the NMS using traps
trigger alarms. Select the Alarm List from the view panel fromn
n i the resource
r
menu .
e a
/l
: /
tp
t
Currently no alarms are recorded. Access the NE through the telnet feature in
the NMS and shut down the loopbackh0 interface to trigger alarms on the NMS.
s:
c e
r
[R1-LoopBack0]shutdown
u
[R1-LoopBack0]undo shutdown
o
s
Re
n g
n i
ar
Le
r e
Mo

Verify that the relevant alarms have been generated in the Alarm List for the
resource, once the interface state has been changed.
Additional Exercises: Analyzing and Verifying

/ e
om
If the interface of R1 that is linked to the NMS is down, will the failure be
. c
detected by the NMS?
e i
Final Configuration u aw
. h
<R1>dis current-configuration
n g
[V200R003C00SPC200]
n i
ar
#
sysname R1
l e
//
#
snmp-agent local-engineid 800007DB0354899876830A
p :
snmp-agent community read %$%$><Oc4D:9(4}bjw"Bu'd7(ONp%$%$
tt
snmp-agent community write %$%$ZR)y~^VY9I"~n`=b`KR1(OX%%$%$
h
snmp-agent sys-info contact Call the operator at 010-12345678
:
snmp-agent sys-info version v2c
s
snmp-agent target-host trap-hostname NMS address 10.0.13.254 udp-port 162
e
trap-paramsname public
rc
snmp-agent target-host trap-paramsname public v2c securityname public
ou
snmp-agent trap enable
es
snmp-agent trap queue-size 200
R
snmp-agent trap life 60
snmp-agent
n g
i
#
r n
aaa
a
Le
r e authorization-scheme auth2
Mo
domain default
domain huawei

local-user user1@huawei password cipher %$%$^L*5IP'0^A!;R)R*L=LFcXgv%$%$
/ e
om
#
. c
i
ip address 10.0.13.1 255.255.255.0
e
#
u aw
h
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
g.
#
i n
n
ar
area 0.0.0.0
e
network 10.0.1.0 0.0.0.255
network 10.0.13.0 0.0.0.255
l
#
: //
p
tt
h
s:
c e
#
u r
return
s o
R e
g
n
[V200R003C00SPC200]
i
r
#
n
a
sysname R3
Le
#
snmp-agent local-engineid 800007DB03548998768222
r e snmp-agent community read %$%$I^)/SB#f|Q#U\*Fd^xVX(bwT%$%$
Mo
snmp-agent community write %$%$,CnkQV6[!*c.&0/wn>HU(b{n%$%$
snmp-agent sys-info contact Call the operator at 010-12345678
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NMS address 10.0.13.254 udp-port 162
trap-paramsname public

snmp-agent target-host trap-paramsname public v2c securityname public

snmp-agent trap enable
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent
#
aaa
/ e
om
. c
i
e
domain default
u aw
h
domain huawei
g.
in
n
ar
e
l
: //
p
local-user user3@huawei password cipher %$%$WQt.;bEsR<8fz3LCiPY,che_%$%$
tt
h
#
s:
c
ip address 10.0.13.3 255.255.255.0
e
#
u r
o
s
e
area 0.0.0.0
R
network 10.0.3.0 0.0.0.255
g
network 10.0.13.0 0.0.0.255
#
i n
r n
a
Le
r e user-interface vty 0 4
Mo
#
return

HCNA-HNTD Chapter 5 Establishing IPv6 Networks
Chapter 5 Establishing IPv6 Networks
Lab 5-1 Implementing IPv6 Networks and Solutions
Learning Objectives
/ e
om
. c
Configuration of basic IPv6 addressing.
e i

Configuration of the OSPFv3 routing protocol.
Configuration of DHCPv6 server functions.
u aw
Verification of the results using IPv6 display commands.
. h
n g
n i
ar
Topology
l e
: //
p
h tt
s:
c e
u r
s o
R e
n g
n i
a r
Le
r e Figure 5-1 IPv6 topology
Mo

Scenario
In line with plans for deployment of solutions for next generation networks, it
has been decided that the enterprise network should implement an IPv6
design to the existing infrastructure. As the administrator you have been
tasked with the job of implementing the addressing scheme and routing for
IPv6, as well as providing stateful addressing solutions for IPv6.
/ e
om
Tasks
. c
e i
u aw
If you are starting this section with a non-configured device, begin . h
n g here and
n i
<huawei>system-view
a r
[huawei]sysname R1
l e
<huawei>system-view
/ /
[huawei]sysname R2
p :
t
<huawei>system-view
ht
[huawei]sysname R3
s :
c e
u r
Step 2 Configure
s oIPv6 addressing
R e
manuallygconfigure link local addressing on interface Gigabit Ethernet 0/0/0 of
Establish IPv6 global unicast addressing on the loopback interfaces and
i n
n
all routers.
r
a
Le
[R1]ipv6
[R1]interface loopback 0
r e [R1-LoopBack0]ipv6 enable
Mo
[R1-LoopBack0]ipv6 address 2001:1::A 64
[R1-GigabitEthernet0/0/0]ipv6 enable
[R1-GigabitEthernet0/0/0]ipv6 address fe80::1 link-local

[R2]ipv6
[R2-LoopBack0]ipv6 enable
[R2-LoopBack0]ipv6 address 2001:2::B 64
/ e
om
[R3]ipv6
. c
i
[R3-LoopBack0]ipv6 enable
e
[R3-LoopBack0]ipv6 address 2001:3::C 64
u aw
h
g.
i n
n
<R1>display ipv6 interface GigabitEthernet 0/0/0
e ar
l
IPv6 protocol current state : UP
: //
p
IPv6 is enabled, link-local address is FE80::1
tt
No global unicast address configured
h
Joined group address(es):
FF02::1:FF00:1
FF02::2
s:
FF02::1
c e
MTU is 1500 bytes
u r
o
ND DAD is enabled, number of DAD attempts: 1
s
e
ND reachable time is 30000 milliseconds
R
ND retransmit interval is 1000 milliseconds
g
Hosts use stateless autoconfig for addresses
n
IPv6iinterfaces become part of various multicast groups for support of
r n address auto-configuration (SLAAC). The Network Discovery (ND)
a Duplicate Address Detection (DAD) verifies the link local address is unique.
stateless
Le
r e
Mo

Step 3 Configure OSPFv3.
Enable the OSPFv3 process and specify its router ID on R1, R2 and R3.
OSPFv3 must then be enabled on the interface.
[R1]ospfv3 1
[R1-ospfv3-1]router-id 1.1.1.1
/ e
[R1-ospfv3-1]quit
om
[R1-GigabitEthernet0/0/0]ospfv3 1 area 0
. c
e i
aw
[R1-LoopBack0]ospfv3 1 area 0
h u
g.
n
[R2]ospfv3 1
n i
ar
[R2-ospfv3-1]quit
l e
//
p :
tt
[R3]ospfv3 1 h
s:
[R3-ospfv3-1]quit
c e
r
u
o
s
e
R
Runi n g
r n has been established.
the display ospfv3 peer command on R1 and R3 to verify the OSPFv3
peering
a
Le <R1>display ospfv3 peer
r e OSPFv3 Process (1)
Mo
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 Full/Backup 00:00:30 GE0/0/0 0
3.3.3.3 1 Full/DROther 00:00:40 GE0/0/0 0

<R3>display ospfv3 peer

OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
Neighbor ID Pri State Dead Time Interface Instance ID
1.1.1.1 1 Full/DR 00:00:32 GE0/0/0 0
2.2.2.2 1 Full/Backup 00:00:38 GE0/0/0 0
If 1.1.1.1 is not currently the DR, the following command can be used to reset
/ e
the OSPFv3 process
om
. c
i
<R1>reset ospfv3 1 graceful-restart
Test connectivity to the peer link local address and the global unicast addressw
e
u a
h
of interface LoopBack 0.
g .
<R1>ping ipv6 fe80::3 -i GigabitEthernet 0/0/0
PING fe80::3 : 56 data bytes, press CTRL_C to break
i n
Reply from FE80::3
r n
bytes=56 Sequence=1 hop limit=64 time = 2 ms
e a
Reply from FE80::3
/ l
: /
p
Reply from FE80::3
t
t
h
Reply from FE80::3
Reply from FE80::3
s :
c e
u r
o
--- fe80::3 ping statistics ---
s
Re
g
0.00% packet loss
n
i
n
ar
<R1>ping ipv6 2001:3::C
Le
PING 2001:3::C : 56 data bytes, press CTRL_C to break
Reply from 2001:3::C
r e bytes=56 Sequence=1 hop limit=64 time = 11 ms
Mo


--- 2001:3::C ping statistics ---

0.00% packet loss
/ e
om
. c
Step 4 Configure DHCPv6 to distribute IPv6 addresses.
e i
a w
Enable the DHCPv6 Server function on R2 so that devices can be assigned
h u
IPv6 addresses using DHCPv6.
g .
[R2]dhcp enable
i n
[R2]dhcpv6 pool pool1
rn
[R2-dhcpv6-pool-pool1]address prefix 2001:FACE::/64
e a
l
[R2-dhcpv6-pool-pool1]dns-server 2001:444e:5300::1
/
[R2-dhcpv6-pool-pool1]excluded-address 2001:FACE::1
/
[R2-dhcpv6-pool-pool1]quit
:
p 0/0/0 interface.
t
htthe interface.
Configure IPv6 functions on the GigabitEthernet
Enable the DHCPv6 server function on
s :
e
c
r
[R2-GigabitEthernet0/0/0]ipv6 address 2001:FACE::1 64
u
[R2-GigabitEthernet0/0/0]dhcpv6 server pool1
o
e s
R
Enable the DHCPv6 client function on R1 and R3 so that devices can obtain
IPv6 addresses using DHCPv6.
n g
i
[R1]dhcp enable
n
ar
[R1]interface gigabitethernet 0/0/0
Le
[R1-GigabitEthernet0/0/0]ipv6 address auto dhcp
r e [R3]dhcp enable
Mo
[R3-GigabitEthernet0/0/0]ipv6 address auto dhcp

Run the display dhcpv6 pool command on R2 to check information about the
DHCPv6 address pool.
<R2>display dhcpv6 pool

DHCPv6 pool: pool1
Address prefix: 2001:FACE::/64
Lifetime valid 172800 seconds, preferred 86400 seconds
2 in use, 0 conflicts
/ e
Excluded-address 2001:FACE::1
om
1 excluded addresses
. c
i
Information refresh time: 86400
DNS server address: 2001:444E:5300::1
e
Conflict-address expire-time: 172800
u aw
h
Active normal clients: 2
.
Run the display ipv6 interface brief command on R1 and R3 togcheck the
i n
n
IPv6 address information.
a r
e
[R1]display ipv6 interface brief
/l
(l): loopback
: /
p
(s): spoofing
Interface
t
Physical Protocol
ht
GigabitEthernet0/0/0 up up
[IPv6 Address] 2001:FACE::2
LoopBack0
s: up up(s)
c
[IPv6 Address] 2001:1::A
e
u r
o
[R3]display ipv6 interface brief
s
Re
(l): loopback
g
(s): spoofing
i n
Interface Physical Protocol
n
GigabitEthernet0/0/0 up up
ar
[IPv6 Address] 2001:FACE::3
Le
LoopBack0 up up(s)
[IPv6 Address] 2001:3::C
r e
Mo

Final Configuration
[V200R003C00SPC200]
#
sysname R1
#
/ e
ipv6
om
c
#
dhcp enable
i.
#
e
aw
ospfv3 1
router-id 1.1.1.1
h u
#
g.
ipv6 enable
in
n
ar
ip address 10.0.13.1 255.255.255.0
ipv6 address FE80::1 link-local
ospfv3 1 area 0.0.0.0
l e
//
ipv6 address auto dhcp
#
p :
tt
interface LoopBack0
ipv6 enable
ip address 10.0.1.1 255.255.255.0 h
ipv6 address 2001:1::A/64
s:
c e
#
u r
o
s
e
R
n g
n i
a r#
Le
return
r e
Mo

[V200R003C00SPC200]
#
sysname R2
#
ipv6
#
dhcp enable
/ e
#
om
dhcpv6 pool pool1
. c
i
address prefix 2001:FACE::/64
excluded-address 2001:FACE::1
e
dns-server 2001:444E:5300::1
u aw
h
#
ospfv3 1
g.
router-id 2.2.2.2
#
i n
n
ar
e
ipv6 enable
ip address 10.0.13.2 255.255.255.0
l
ipv6 address 2001:FACE::1/64
: //
p
tt
h
traffic-filter inbound acl 3000
dhcpv6 server pool1
#
s:
interface LoopBack0
c e
ipv6 enable
u r
o
ip address 10.0.2.2 255.255.255.0
s
e
ipv6 address 2001:2::B/64
R
g
#
n
i
r n
a
Le
r e #
Mo
return

[V200R003C00SPC200]
#
sysname R3
#
ipv6
#
dhcp enable
/ e
#
om
ospfv3 1
. c
i
router-id 3.3.3.3
#
e
u aw
h
ipv6 enable
ip address 10.0.13.3 255.255.255.0
g.
in
n
ar
ipv6 address auto dhcp
e
#
interface LoopBack0
l
ipv6 enable
://
p
ip address 10.0.3.3 255.255.255.0
tt
ipv6 address 2001:3::C/64
h
#
s:
c
e
r
u
o
s
e
R
g
#
return
i n
r n
a
Le
r e
Mo

The privilege of HCNA/HCNP/HCIE: e n
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
m /
1Comprehensive E-Learning Courses c o
i .
ContentAll Huawei Career Certification E-Learning courses
w e

u a
Methods to get the E-learning privilege : submit Huawei Account and email being used for Huawei Account
registration to Learning@huawei.com .
. h
2 Training Material Download
n g

n i
Content: Huawei product training material and Huawei career certification training material
a r
MethodLogon http://learning.huawei.com/en and enter HuaWei Training/Classroom Training ,then you can
e

l
download training material in the specific training introduction page.
3 Priority to participate in Huawei Online Open Class(LVC) //
p : all ICT technical domains like R&S, UC&C, Security,

t tprofessional instructors
ContentThe Huawei career certification training covering
Storage and so on, which are conducted by Huawei
h

s :
MethodThe plan and participate method please refer to LVC Open Courses Schedule
4Learning Tool: eNSP
c e
eNSP (Enterprise Network Simulation r Platform) is a graphical network simulation tool which is developed by

u
o mainly simulates enterprise routers, switches as close to the real hardware as
Huawei and free of charge. eNSP
it possible, which makes the e
s
R lab practice available and easy without any real device.
Huawei experts , share n

g
In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with
n i exam experiences with others or be acquainted with Huawei Products(
r
http://support.huawei.com/ecommunity/
a
Le
r e TECHNOLOGIES CO., LTD. Huawei Confidential
o
HUAWEI 1

HCNA Intermediate Lab PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HCNA Intermediate Lab PDF

Uploaded by

Copyright:

Available Formats

The privilege of HCNA/HCNP/HCIE: e n

p : all ICT technical domains like R&S, UC&C, Security,

Huawei experts , share n

n i exam experiences with others or be acquainted with Huawei Products(

No part of this document may be reproduced or transmitted in any form or by

Trademarks and Permissions

n i S1 S5700-28C-EI-24S Version 5.70 (S5700 V100R006C00SPC800)

r e S3 S3700-28TP-EI-AC Version 5.70 (S3700 V100R006C00SPC800)

Mo S4 S3700-28TP-EI-AC Version 5.70 (S3700 V100R006C00SPC800)

CHAPTER 1 ETHERNET AND VLAN ...................................................................................................... 1

LAB 1-1 ETHERNET INTERFACE AND LINK CONFIGURATION ................................................................................ 1

LAB 1-3 GVRP CONFIGURATION ............................................................................................................... 21

LAB 1-5 CONFIGURING LAYER 3 SWITCHING................................................................................................. 41

LAB 3-2 NETWORK ADDRESS TRANSLATION ............................................................................................... 114

Le LAB 5-1 IMPLEMENTING IPV6 NETWORKS AND SOLUTIONS........................................................................... 169

HC Series HUAWEI TECHNOLOGIES Page1

Chapter 1 Ethernet and VLAN

Lab 1-1 Ethernet Interface and Link Configuration

arby preparing the switches to support link aggregation before establishing

r e configured as member links.

HC Series HUAWEI TECHNOLOGIES Page1

Step 1 Perform basic configuration on the Ethernet switches.

Auto-negotiation is enabled on Huawei switch interfaces by default. The rate

r e Unicast : 345,Multicast : 5009016

Page2 HUAWEI TECHNOLOGIES HC Series

Input bandwidth utilization threshold : 100.00%

[S1]display interface GigabitEthernet 0/0/10

r e Input bandwidth utilization : 0.01%

HC Series HUAWEI TECHNOLOGIES Page3

[S1]interface GigabitEthernet 0/0/9

r nPort Mode: COMMON COPPER

L e Duplex: FULL, Negotiation: DISABLE

Page4 HUAWEI TECHNOLOGIES HC Series

[S1]display interface GigabitEthernet 0/0/10

r e WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA

HC Series HUAWEI TECHNOLOGIES Page5

r e [S1]interface GigabitEthernet 0/0/9

Page6 HUAWEI TECHNOLOGIES HC Series

n g of the interface and determine active links on S1.

r e [S1]interface GigabitEthernet 0/0/10

HC Series HUAWEI TECHNOLOGIES Page7

Verify the Eth-Trunk configuration.

s: System ID: 4c1f-cc45-aacc

L GigabitEthernet0/0/10 100 4c1f-cc45-aace 100 10 289 10111100

Page8 HUAWEI TECHNOLOGIES HC Series

HC Series HUAWEI TECHNOLOGIES Page9

Lab 1-2 VLAN Configuration

r e layer by implementing VLAN solutions. The VLAN solutions are to be applied

Page10 HUAWEI TECHNOLOGIES HC Series

Step 1 Preparing the environment.

r e [S3]interface Ethernet 0/0/1

HC Series HUAWEI TECHNOLOGIES Page11

Page12 HUAWEI TECHNOLOGIES HC Series

VID Type Ports

HC Series HUAWEI TECHNOLOGIES Page13

t t of the interfaces to each created

o u on hosts, R1, S3, R3, and S4 as part of the respective

n g for the switch.

Page14 HUAWEI TECHNOLOGIES HC Series

Le --- 10.0.4.4 ping statistics ---

HC Series HUAWEI TECHNOLOGIES Page15

Step 6 Configure a hybrid interface.

r e Reply from 10.0.4.3: bytes=56 Sequence=1 ttl=255 time=1 ms