Huawei Certification HCNP Lab Guide HCNP-IENP v1.6 PDF

The privilege of HCNA/HCNP/HCIE:
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
 1、E-Learning Courses： Logon http://learning.huawei.com/en and enter Huawei Training/E-Learning
 Content：All Huawei Career Certification E-Learning courses
 Methods to get the E-learning privilege : submit Huawei Account and email being used for Huawei Account
registration to Learning@huawei.com .
 2、 Training Material Download
 Content: Huawei product training material and Huawei career certification training material
 Method：Logon http://learning.huawei.com/en and enter Huawei Training/Classroom Training ,then you can
download training material in the specific training introduction page.
 3、 Priority to participate in Huawei Online Open Class (LVC)
 The Huawei career certification training and product training covering all ICT technical domains like R&S,
UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors
 4、Learning Tool:s
 eNSP ：Simulate single Router&Switch device and large network
 WLAN Planner ：Network planning tools for WLAN AP products.
 In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with
Huawei experts , share exam experiences with others or be acquainted with Huawei Products.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1

HCNP-IENP
Huawei Certification
HCNP-IENP
Improving Enterprise Network Performance
Lab Guide
Huawei Technologies Co.,Ltd
HUAWEI TECHNOLOGIES
HCNP-IENP
Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.
No part of this document may be reproduced or transmitted in any

form or by any means without prior written consent of Huawei
Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei

Technologies Co., Ltd. All other trademarks and trade names mentioned
in this document are the property of their respective holders.
Notice
The information in this document is subject to change without notice.

Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of
any kind, expressed or implied.
Huawei Certification
HCNP-IENP Improving Enterprise Network Performance
Lab Guide
Edition 1.6
HUAWEI TECHNOLOGIES
HCNP-IENP
Huawei Certification System
Relying on its strong technical and professional training system, in

accordance with different customers at different levels of ICT
technology, Huawei certification is committed to provide customs with
authentic, professional certification.
Based on characteristics of ICT technologies and customers’needs at
different levels, Huawei certification provides customers with
certification system of four levels.
HCNA (Huawei Certified Network Associate) is primary for IP network

maintenance engineers, and any others who want to build an
understanding of the IP network. HCNA certification covers the TCP/IP
basics, routing, switching and other common foundational knowledge of
IP networks, together with Huawei communications products, versatile
routing platform VRP characteristics and basic maintenance.
HCNP-Enterprise (Huawei Certified Network Professional-Enterprise) is
aimed at enterprise-class network maintenance engineers, network
design engineers, and any others who want to grasp in depth routing,
switching, network adjustment and optimization technologies.
HCNP-Enterprise consists of IESN (Implement Enterprise Switch
Network), IERN (Implement Enterprise Routing Network), and IENP
(Improving Enterprise Network performance), which includes advanced
IPv4 routing and switching technology principles, network security,
high availability and QoS, as well as the configuration of Huawei
products.
HCIE-Enterprise (Huawei Certified Internetwork Expert-Enterprise) is
designed to endue engineers with a variety of IP technologies and
proficiency in the maintenance, diagnostics and troubleshooting of
Huawei products, which equips engineers with competence in planning,
design and optimization of large-scale IP networks.
HUAWEI TECHNOLOGIES
HCNP-IENP
Referenced icon
Router L3 Switch L2 Switch Firewall Net cloud
Serial line
Ethernet line
HUAWEI TECHNOLOGIES
HCNP-IENP
Lab environment specification
The Lab environment is suggested below:
Identifier Device OS version
R1 AR 2220 Version 5.90 ( V200R001C01SPC300)
S1 S5700-28C-EI-24S Version 5.70 (V100R006C00SPC800)
S2 S5700-28C-EI-24S Version 5.70 (V100R006C00SPC800)
S3 S3700-28TP-EI-AC Version 5.70 (V100R006C00SPC800)
S4 S3700-28TP-EI-AC Version 5.70 (V100R006C00SPC800)
FW1 Eudemon 200E-X2 Version 5.30 (V100R005C00SPC100)
FW2 Eudemon 200E-X2 Version 5.30 (V100R005C00SPC100)
HUAWEI TECHNOLOGIES
HCNP-IENP
CONTENTS
Chapter 1 Implementing firewall functions and features ................................................................... 1
Lab 1-1 Security Zone Configuration and Configurations for Other Basic Functions on a Firewall .. 1
Lab 1-2 IPSec VPN Configuration on a Eudemon Firewall ............................................................. 23
Lab 1-3 Attack Defense Configuration on a Firewall ..................................................................... 46
Lab 1-4 NAT Configuration on a Eudemon Firewall ...................................................................... 61
Lab 1-5 Dual-System Hot Backup Configuration for Eudemon Firewalls ....................................... 77
Chapter 2 QoS and traffic flow management ................................................................................. 106
Lab 2-1 QoS ................................................................................................................................ 106
Lab 2-2 Traffic Control Based on the Traffic Policy ..................................................................... 127
Chapter 3 Integrated Lab Assessment ............................................................................................ 144
Lab 3-1 Integrated Lab-1 (Optional) ........................................................................................... 144
Lab 3-2 Integrated Lab2 (Optional)............................................................................................. 150
HUAWEI TECHNOLOGIES
HCNP-IENP Chapter 1 Implementing firewall functions and features
Chapter 1 Implementing firewall functions and

features
Lab 1-1 Security Zone Configuration and Configurations
for Other Basic Functions on a Firewall
Learning Objectives
The objectives of this lab are to learn and understand:
• Security zone configuration for the firewall
• Packet filtering configuration in the interzone
• Static and dynamic blacklist configurations
• Packet filtering configuration at the application layer
HC Series HUAWEI TECHNOLOGIES 1

Topology
Figure 1-1 Zone configuration
Scenario
Assume that you are a network administrator of an enterprise. The

headquarters network consists of an internal zone (trusted), an external
zone (untrusted), and a server zone (DMZ). You need to use a firewall to
control data and create blacklists to protect the intranet against network
attacks.
Tasks
Step 1 Configure IP addresses.
Configure IP addresses for R1, R2, and R3.

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
2 HUAWEI TECHNOLOGIES HC Series

[R1]interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24
[R1-GigabitEthernet0/0/1]interface loopback 0
[R1-LoopBack0]ip address 10.0.1.1 24
<Huawei>system-view
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1
<Huawei>system-view
[Huawei]sysname R3
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot

be configured with an IP address. In the lab, configure VLAN 12 on the
firewall and create a VLANIF 12. Configure the VLANIF 12 IP address as
the IP address of the gateway for the trusted zone.
By default, the firewall configures an IP address for VLANIF 1. To
prevent interference, delete the VLANIF 1 configuration.
<Eudemon 200E>system-view
[Eudemon 200E]sysname FW
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface Ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]ip address 10.0.10.254 24
[FW-Ethernet0/0/0]interface ethernet 2/0/0
[FW-Ethernet2/0/0]quit
[FW]undo interface Vlanif 1

Plan VLANs for interfaces on S1.

[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
Test the connectivity on each zone on the FW.

[FW]ping 10.0.10.1
PING 10.0.10.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.0.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
--- 10.0.10.1 ping statistics ---

5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 1/1/1 ms
[FW]ping 10.0.20.1
Request time out



20.00% packet loss
[FW]ping 10.0.30.1
Request time out

20.00% packet loss
Configure default routes for R1, R2, and R3. Configure static routes
on the FW to implement communication among network segments to
which three loopback 0 interfaces are connected.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1

Test the connectivity among network segments to which three

loopback 0 interfaces are connected.
[R1]ping -a 10.0.1.1 10.0.2.2



0.00% packet loss
[R1]ping -a 10.0.1.1 10.0.3.3


0.00% packet loss
By default, four security zones are located on a firewall. They are local,
trusted, untrusted, and DMZ zones. In this lab, we need to add interfaces
to the trusted, untrusted, and DMZ zones.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
By default, communication among all zones is normal. Therefore, the

communication does not need to be checked.
[FW]dis firewall packet-filter default all
10:28:18 2011/12/24
Firewall default packet-filter action is :

packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
local -> dmz :
trust -> untrust :
trust -> dmz :
dmz -> untrust :
packet-filter between VFW:
The preceding information shows that all security zones allow

packets in all directions to pass through.
Test connectivity between security zones.
From the untrusted zone to the trusted zone:
<R1>ping -a 10.0.1.1 10.0.2.2

0.00% packet loss
From the untrusted zone to the DMZ zone:

<R1>ping -a 10.0.1.1 10.0.3.3


0.00% packet loss
From the trusted zone to the untrusted zone:

<R2>ping -a 10.0.2.2 10.0.1.1

0.00% packet loss
From the trusted zone to the DMZ zone:

<R2>ping -a 10.0.2.2 10.0.3.3

0.00% packet loss

From the DMZ zone to the untrusted zone:

<R3>ping -a 10.0.3.3 10.0.1.1

0.00% packet loss
From the DMZ zone to the trusted zone:

<R3>ping -a 10.0.3.3 10.0.2.2

0.00% packet loss
Step 2 Configure interzone packet filtering.
The packet filtering policy controls packet forwarding among

security zones. The packet filtering policy configuration affects most
devices functions.
Configure a default packet filtering policy that allows packets to be
sent only from the trusted zone to other security zones.

[FW]firewall packet-filter default deny all

[FW]firewall packet-filter default permit interzone trust untrust direction
outbound
[FW]firewall packet-filter default permit interzone trust dmz direction outbound
[FW]firewall session link-state check
Test connectivity between security zones.

From the untrusted zone to the trusted zone:
[R1]ping -a 10.0.1.1 10.0.2.2
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the untrusted zone to the DMZ zone:

[R1]ping -a 10.0.1.1 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the trusted zone to the untrusted zone:

[R2]ping -a 10.0.2.2 10.0.1.1



0.00% packet loss
From the trusted zone to the DMZ zone:

[R2]ping -a 10.0.2.2 10.0.3.3

0.00% packet loss
From the DMZ zone to the untrusted zone:

[R3]ping -a 10.0.3.3 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
From the DMZ zone to the trusted zone:

[R3]ping -a 10.0.3.3 10.0.2.2

Request time out

Request time out
Request time out
Request time out
Request time out

100.00% packet loss
Configure an interzone packet filtering policy that allows packets to

be sent from the untrusted zone to a specific server in the DMZ zone.
The server's IP address is 10.0.3.3. Enable Telnet in the untrusted
zone. Enable ICMP ping for connectivity tests.
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound]policy 1
[FW-policy-interzone-dmz-untrust-inbound-1]policy service service-set icmp
[FW-policy-interzone-dmz-untrust-inbound-1]policy destination 10.0.3.3 0
[FW-policy-interzone-dmz-untrust-inbound-1]action permit
[FW-policy-interzone-dmz-untrust-inbound-1]quit
[FW-policy-interzone-dmz-untrust-inbound-2]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-3]action deny
Enable Telnet on R3 for Telnet tests.

[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode none
Test network connectivity.

<R1>ping 10.0.3.3


0.00% packet loss
<R1>ping 10.0.30.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
<R1>telnet 10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3 ...
Connected to 10.0.3.3 ...
<R3>quit
Configuration console exit, please retry to log on
The connection was closed by the remote host

<R1>telnet 10.0.30.3
Trying 10.0.30.3 ...
Step 3 Configure blacklists.
A blacklist identifies IP addresses and match entries to quickly filter

out users with specific IP addresses. The blacklist can be dynamically
added or deleted. Compared to packet filtering, the blacklist matches
entries and filters out users faster and consumes fewer system resources.
If a device considers a user untrusted, the device adds the user's IP

address to the blacklist. Upon receiving a packet whose source IP

address is the IP address in the blacklist, the device discards the packet
to protect the network.
The following assumes that multiple IP addresses continually scan
interfaces in the untrusted zone of the enterprise network. You need to
take preventive measures.
The IP address 10.0.111.1 launches multiple attacks. You need to
filter out packets sent from this IP address.
Create a loopback interface on R1 to simulate an attack. Configure a
static route for the firewall.
[R1]int LoopBack 1
Enable the defense against port scanning. The test results on port
scanning attacks are automatically imported to the blacklist.
[FW]firewall defend port-scan enable
Set the threshold of the scanning rate to 5000 pps. The threshold
specifies the rate at which a source IP address changes IP packets that
are to be sent to the destination port. If the rate is high, there is a high
probability that the source IP address is scanning all ports in the
destination IP address.
[FW]firewall defend port-scan max-rate 5000
Set the timeout period of the blacklist to 30 minutes. The blacklist

entries dynamically generated are deleted after 30 minutes.
[FW]firewall defend port-scan blacklist-timeout 30
Before creating a blacklist statically, ensure that the loopback

interface with the IP address of 10.0.111.1 can communicate with the
loopback interface on R3.
Test the connectivity.
[R1]ping -a 10.0.111.1 10.0.3.3



0.00% packet loss
Create a blacklist statically and add 10.0.111.1 to the blacklist. The

firewall discards packets sent from this IP address before the IP address
is manually deleted from the blacklist.
[FW]firewall blacklist enable
[FW]firewall blacklist item 10.0.111.1
Test the connectivity.

[R1]ping -a 10.0.111.1 10.0.3.3
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
Step 4 Configure ASPF.
Application Specific Packet Filter (ASPF) functions as an important

help among multi-channel protocols and NAT applications.
ASPF allows an intranet to provide FTP and TFTP services to external
users and prevents intranet users from downloading risky controls when
they access web servers on extranets.
Besides FTP and TFTP services that the enterprise provides, intranet
users need to access extranet web pages. Risky java controls may exist

on these web pages. FTP is a predefined protocol. Devices in security

zones can forward FTP packets properly after the detect ftp function is
applied. TFTP packets, however, can only be forwarded after triplet ASPF
is enabled.
Create two ACLs. ACL 2001 defines matching rules for traffic that web
servers on extranets send to the intranet and matches traffic used for
blocking risky controls.
[FW]acl 2001
[FW-acl-basic-2001]rule permit source 10.0.2.0 0.0.0.255
[FW-acl-basic-2001]quit
ACL 3001 defines matching rules for traffic sent to the TFTP server on
the intranet. TFTP services require user-defined port number. Create a
separate ACL.
[FW]acl 3001
[FW-acl-adv-3001]rule permit udp destination-port eq tftp
[FW-acl-adv-3001]quit
Detect FTP services in the interzone to implement proper forwarding

of FTP packets. Run the detect user-define command to implement
proper forwarding of TFTP packets.
[FW]firewall interzone trust dmz
[FW-interzone-trust-dmz]detect ftp
[FW-interzone-trust-dmz]detect user-defined 3001 outbound
[FW-interzone-trust-dmz]quit
Run the detect java-blocking command in the interzone to prevent

the download of risky java controls.
[FW]firewall interzone trust untrust
[FW-interzone-trust-untrust]detect java-blocking 2001 outbound
[FW-interzone-trust-untrust]quit
The ASPF function determines whether packets of some special

protocols are properly forwarded. When an exception occurs on services
of a special protocol, locate the problem in the following method:
Run the display interzone command to view the interzone
configuration. Verify the ASPF configuration.
[FW]display interzone
15:42:11 2011/12/25

interzone trust untrust

detect java-blocking 2001 outbound
#
interzone trust dmz
detect ftp
detect user-defined 3001 outbound
#
Additional Exercises: Analyzing and Verifying
How can you plan the network for an enterprise that has a large
number of users and requires multiple services? What methods can
simplify the configuration?
Final Configurations
[R1]display current-configuration
[V200R001C00SPC200]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
interface LoopBack1
ip address 10.0.111.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#
return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.1 255.255.255.0
#

interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.30.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
return
[FW]display current-configuration
#
sysname FW
#
firewall packet-filter default deny interzone local trust direction inbound
firewall packet-filter default deny interzone local trust direction outbound
firewall packet-filter default deny interzone local untrust direction inbound
firewall packet-filter default deny interzone local untrust direction outbound
firewall packet-filter default deny interzone local dmz direction inbound
firewall packet-filter default deny interzone local dmz direction outbound
firewall packet-filter default deny interzone trust untrust direction inbound
firewall packet-filter default deny interzone trust dmz direction inbound
firewall packet-filter default deny interzone dmz untrust direction inbound
firewall packet-filter default deny interzone dmz untrust direction outbound
#
undo firewall ipv6 session link-state check
#
vlan batch 1 12
#
undo firewall session link-state check
#

firewall defend port-scan enable

firewall defend port-scan max-rate 5000
firewall defend port-scan blacklist-timeout 30
#
runmode firewall
#
update schedule ips daily 5:51
update schedule av daily 5:51
security server domain sec.huawei.com
#
web-manager enable
#
l2fwdfast enable
#
acl number 2001
rule 5 permit source 10.0.2.0 0.0.0.255
#
acl number 3001
rule 5 permit udp destination-port eq tftp
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
ip address 10.0.10.254 255.255.255.0
#
portswitch
port link-type access
port access vlan 12
#
ip address 10.0.30.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif12

#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall interzone trust untrust
detect java-blocking 2001 outbound
#
firewall interzone trust dmz
detect ftp
detect user-defined 3001 outbound
#
nqa-jitter tag-version 1
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.1
ip route-static 10.0.3.0 255.255.255.0 10.0.30.1
ip route-static 10.0.111.0 255.255.255.0 10.0.10.1
#
banner enable
#
firewall blacklist enable
firewall blacklist item 10.0.111.1
#
user-interface con 0
user-interface tty 2
authentication-mode none
modem both
user-interface vty 0 4
#
slb
#
cwmp
#
right-manager server-group
#
policy interzone dmz untrust inbound
policy 1

action permit
policy service service-set icmp
policy destination 10.0.3.3 0
policy 2
action permit
policy service service-set telnet
policy 3
action deny
#
return
[S1]display current-configuration
#
!Software Version V100R006C00SPC800
sysname S1
#
vlan batch 11 to 13
#
port default vlan 11
#
#
#
#
#


#
return

Lab 1-2 IPSec VPN Configuration on a Eudemon Firewall
Learning Objectives
• IPSec VPN configuration on a Eudemon
• GRE over IPSec VPN configuration on a Eudemon
• IPSec VPN configuration on a router
• GRE over IPSec VPN configuration on a router
Topology
Figure 1-2 VPN configuration for Eudemons
Scenario

enterprise network consists of the headquarters network, branch
networks, and branch office networks. You need to configure users in the
trusted zones of branch networks and branch office networks to access
the trusted zone of the headquarters network. Data is encrypted and
transmitted between the headquarters network and branch networks,

and between the headquarters network and branch office networks.
Tasks
S1 and S2 connect the firewall to routers in the lab and require no

configuration. Before the lab, reset configurations of S1 and S2 and
restart S1 and S2.
Configure IP addresses and masks for all routers. The mask length of
each loopback interface is 24 bits.
<Huawei>system-view
[Huawei]sysname R1
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface loopback 0
<Huawei>system-view
[Huawei]sysname R2
[R2-Serial1/0/0]interface Serial2/0/0
<Huawei>system-view
[Huawei]sysname R3
[R3]interface Serial2/0/0

Configure IP addresses for interfaces on FW1 and FW2.

[Eudemon 200E]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[Eudemon 200E]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
Configure trusted zones of FW1 and FW2, and add interfaces to the
trusted zones.
[FW1-zone-dmz]firewall zone trust
[FW1-zone-dmz]add interface Ethernet 0/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW2-zone-dmz]firewall zone trust

[FW2-zone-dmz]add interface Ethernet 0/0/0
[FW2-zone-untrust]add interface Ethernet 2/0/0
Step 2 Configuring security filtering between zones.
Configure packets to transmit only from the trusted zone to the

untrusted zone and from the untrusted zone to the local zone.
[FW1]firewall packet-filter default permit interzone trust untrust
[FW1]firewall packet-filter default permit interzone local untrust
[FW2]firewall packet-filter default permit interzone trust untrust

[FW2]firewall packet-filter default permit interzone local untrust

Step 3 Configure routes to connect networks.
Configure single-area OSPF on R1, R3, R3, FW1, and FW2. The
network segments 10.0.10.0/24, 10.0.20.0/24, 10.0.12.0/24, and
10.0.23.0/24 are connected.
[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
Test the connectivity between network segments on FW1 and FW2.

[FW1]ping 10.0.20.2
0.00% packet loss

[FW1]ping 10.0.23.3
0.00% packet loss
[FW2]ping 10.0.10.1
0.00% packet loss
[FW2]ping 10.0.23.3
0.00% packet loss
The test results show that the network segments 10.0.10.0/24,

10.0.20.0/24, 10.0.12.0/24, and 10.0.23.0/24 are connected.

Step 4 Configure IPSec VPN between a branch network
and the headquarters network.
Create an ACL to identify IPSec VPN traffic between FW1 and FW2.
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination
10.0.200.0 0.0.0.255
[FW2]acl 3000
10.0.100.0 0.0.0.255
Configure static routes from a branch network to the headquarters

intranet.
[FW1]ip route-static 10.0.200.0 24 10.0.10.2
Configure an IPSec proposal on FW1 and FW2.
Set the encapsulation mode to tunnel mode. Use ESP to protect data.
ESP uses the DES encryption algorithm and SHA1 authentication
algorithm.
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des
[FW2]ipsec proposal tran1

[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des
Configure an IKE proposal on FW1 and FW2.

Set the encryption algorithm to DES and authentication algorithm to
SHA1.
[FW1]ike proposal 10

[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation by default.

Apply the IKE proposal and configure the preshared key and peer
end's IP address on FW1 and FW2.
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2
[FW1-ike-peer-fw12]pre-shared-key abcde
[FW2]ike peer fw21

Configure an IPSec policy on FW1 and FW2.

During the IPSec policy configuration, bind the ACL, IPSec proposal,
and IKE peer to the IPSec policy.
[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12

Apply IPSec policies to interfaces on FW1 and FW2.

[FW1]interface Ethernet2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1

Test the connectivity between the branch intranet and the

headquarters intranet. View the established IPSec.
[FW1]ping -a 10.0.100.1 10.0.200.1
0.00% packet loss
[FW1]display ike sa
current ike sa number: 1
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x1a 10.0.20.2 0 RD v2:2 IPSEC
0x1 10.0.20.2 0 RD|ST v2:1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D—DPD
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 9
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 0m 16s
tunnel local : 10.0.10.1 tunnel remote: 10.0.20.2
flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0

[inbound ESP SAs]

spi: 74331737 (0x46e3659)
vpn: 0 said: 0 cpuid: 0x0000
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3584
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 18969668 (0x1217444)
max sent sequence-number: 5
The branch intranet can communicate with the headquarters

intranet.
Two ESP SAs are established bidirectionally between FW1 and FW2.
Data is encrypted and transmitted between the branch networks and
headquarters network.
Step 5 Configure IPSec VPN between a branch office
network and the headquarters network.
Create an ACL to identify IPSec VPN traffic to be sent between the

branch office and the headquarters.
[R3]acl 3000
[R3-acl-adv-3000]rule permit ip source 10.0.3.0 0.0.0.255 destination 10.0.200.0
0.0.0.255
[FW2]acl 3001
10.0.3.0 0.0.0.255
Configure static routes from a branch network to the headquarters

intranet.
[R3]ip route-static 10.0.200.0 24 10.0.23.2

Configure an IPSec proposal on R3.
Set the encapsulation mode to tunnel mode. Use ESP to protect data.
ESP uses the DES encryption algorithm and SHA1 authentication
algorithm.
[R3]ipsec proposal tran1
[R3-ipsec-proposal-tran2]encapsulation-mode tunnel
[R3-ipsec-proposal-tran2]transform esp
[R3-ipsec-proposal-tran2]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran2]esp encryption-algorithm des
Configure an IKE proposal on FW2 and R3.

Set the encryption algorithm to DES and authentication algorithm to
SHA1.
[R3]ike proposal 10
[R3-ike-proposal-10]authentication-algorithm sha1
[R3-ike-proposal-10]encryption-algorithm des
Configure an IKE peer that uses IKEv2 negotiation.

Apply the IKE proposal and configure the preshared key and peer
end's IP address on FW2 and R3.
[FW2]ike peer fw23
[R3]ike peer r32 v2

[R3-ike-peer-r32]ike-proposal 10
[R3-ike-peer-r32]remote-address 10.0.20.2
[R3-ike-peer-r32]pre-shared-key abcde
Configure an IPSec policy on F2W and R3.

During the IPSec policy configuration, bind the ACL, IPSec proposal,
and IKE peer to the IPSec policy.

[R3]ipsec policy map1 10 isakmp

[R3-ipsec-policy-isakmp-map2-10]security acl 3000
[R3-ipsec-policy-isakmp-map2-10]proposal tran1
[R3-ipsec-policy-isakmp-map2-10]ike-peer r32
Apply IPSec policies to interfaces on FW2 and R3.

[R3]interface Ethernet2/0/0
[R3-Ethernet2/0/0]ipsec policy map1
Test the connectivity between the branch office intranet and the
To view the established IKE SA, use the v2 parameter in the
command.
[R3]ping -a 10.0.3.3 10.0.200.1
0.00% packet loss
[R3]display ike sa v2
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
2 10.0.20.2 0 RD|ST 2
1 10.0.20.2 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500

===============================
-----------------------------
IPSec policy name: "map2"
Sequence number : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 10.0.23.3
Tunnel remote : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
SA remaining key duration (bytes/sec): 1887436380/3534
Max sent sequence-number: 5
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Max received sequence-number: 5
The branch office intranet can communicate with the headquarters

intranet.
An IPSec VPN tunnel is established between FW2 and R3. Data is
encrypted and transmitted between the branch office networks and
headquarters network.
Step 6 Configure a GRE over IPSec VPN between a branch
network and the headquarters network.
The preceding steps configure static routes to implement

communication among intranets.
As the scale of the network expands, the complexity associated with
using a static route solution also increases. To solve this problem, use
dynamic routing protocols to implement communication among
networks.
Dynamic routing protocols cannot function on IPSec tunnels.

GRE over IPSec supports dynamic routing protocols for network

communication.
Create a tunnel interface on FW1 and enable GRE.
Add the tunnel interface to the untrusted zone of FW1.
[FW1]interface tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]ip address 30.1.1.1 24
[FW1-Tunnel1]source 10.0.10.1
[FW1-Tunnel1]destination 10.0.20.2
[FW1-Tunnel1]firewall zone untrust
[FW1-zone-untrust]add interface Tunnel 1

Delete static routes configured in the preceding steps. Enable RIP (version 2)
between a branch network and the headquarters intranet.
[FW1]undo ip route-static 10.0.200.0 24 10.0.10.2
[FW1]rip
[FW1-rip-1]version 2
[FW1-rip-1]network 30.0.0.0

[FW2]rip
Create an ACL and configure GRE encapsulated data packets to be

encrypted by the IPSec policy on FW1 and FW2.
Bind the IPSec policy to the new ACLs on FW1 and FW2.

[FW1]acl 3001
[FW1-acl-adv-3001]rule permit gre source 10.0.10.1 0 destination 10.0.20.2 0
[FW1-acl-adv-3001]quit
[FW2]acl 3002
Maintain all other configuration.

Test the connectivity between the branch intranet and the
[FW1]ping -a 10.0.100.1 10.0.200.1
0.00% packet loss
[FW1]display ipsec sa
===============================
Interface: Ethernet2/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
vpn: 0
-----------------------------
connection id: 26
rule number: 5
encapsulation mode: tunnel
holding time: 0d 0h 5m 21s

tunnel local : 10.0.10.1 tunnel remote: 10.0.20.2

flow source: 10.0.100.0-10.0.100.255 0-65535 0
flow destination: 10.0.200.0-10.0.200.255 0-65535 0
[inbound ESP SAs]
spi: 240396810 (0xe542a0a)
max received sequence-number: 9
[outbound ESP SAs]
spi: 208723708 (0xc70defc)
max sent sequence-number: 10
The branch intranet can communicate with the headquarters

intranet.
A GRE over IPSec VPN tunnel is established between FW1 and FW2.
RIP routing information is transmitted between the branch network and
the headquarters network.
Step 7 Configure a GRE over IPSec VPN between a branch
office network and the headquarters network.

Create a tunnel interface on R3 and enable GRE.

[R3]interface tunnel 0/0/1

[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]ip address 40.1.1.2 24
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.20.2
Delete static routes configured in the preceding steps. Enable RIP

(version 2) between a branch office network and the headquarters
intranet.
[FW2]rip
[R3]undo ip route-static 10.0.200.0 24 10.0.23.2

[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 40.0.0.0
[R3-rip-1]network 10.0.0.0
Create an ACL to specify GRE encapsulated packets to be encrypted

by the IPSec policy on R3 and FW2.
Configure an IPSec policy and bind the IPSec policy to the ACL, IPSec
proposal and IKE peer.
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-10]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32
[FW2]acl 3003
Maintain all other configuration.

Test the connectivity between the branch office intranet and the
[R3]ping -a 10.0.3.3 10.0.200.1
0.00% packet loss
[R3]display ipsec sa
===============================
Interface: Serial2/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map2"
Sequence number : 10
Mode : ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 10.0.23.3
Tunnel remote : 10.0.20.2
[Outbound ESP SAs]
SPI: 247406703 (0xebf206f)
Max sent sequence-number: 20
[Inbound ESP SAs]
SPI: 155207494 (0x9404746)
Max received sequence-number: 20
The branch office network can communicate with the headquarters

intranet.
A GRE over IPSec VPN tunnel is established between FW2 and R3.
Data is transmitted between the branch office network and the
headquarters network using RIP.
For the IPSec configuration between the branch office network and
the headquarters network described in Step 5, if R3 did not use IKEv2 to
negotiate with FW2, could the IKE SA still be established?
[FW1]display current-configuration
#
sysname FW1
#
acl number 3000
rule 5 permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
#
acl number 3001
rule 5 permit gre source 10.0.10.1 0 destination 10.0.20.2 0
#
ike proposal 10
#
ike peer fw12
pre-shared-key abcde
ike-proposal 10
remote-address 10.0.20.2
#
ipsec proposal tran1
esp authentication-algorithm sha1
#
ipsec policy map1 10 isakmp
security acl 3001
ike-peer fw12
proposal tran1
#
ip address 10.0.100.1 255.255.255.0
#

ip address 10.0.10.1 255.255.255.0
ipsec policy map1
#
interface Tunnel1
ip address 30.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.10.1
destination 10.0.20.2
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
add interface Tunnel1
#
ospf 1
area 0.0.0.0
network 10.0.10.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
#
Return
#
sysname FW2
#
acl number 3000
#
acl number 3001
#

acl number 3002

#
acl number 3003
#
ike proposal 10
#
ike peer fw21
ike-proposal 10
#
ike peer fw23
ike-proposal 10
#
#
security acl 3002
ike-peer fw21
proposal tran1
#
security acl 3001
ike-peer c
proposal tran1
#
security acl 3003
ike-peer fw23
proposal tran1
#
ip address 10.0.200.1 255.255.255.0
#
ip address 10.0.20.2 255.255.255.0
ipsec policy map1
#

interface Tunnel1
ip address 30.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.20.2
#
interface Tunnel2
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 10.0.20.2
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
ospf 1
area 0.0.0.0
network 10.0.20.0 0.0.0.255
#
rip 1
version 2
network 30.0.0.0
network 10.0.0.0
network 40.0.0.0
#
Return
[V200R001C00SPC200]
#

sysname R3
#
acl number 3000
#
acl number 3001
#
#
ike proposal 10
#
ike peer r32 v2
ike-proposal 10
#
security acl 3000
ike-peer r32
proposal tran1
#
security acl 3001
ike-peer r32
proposal tran1
#
interface Serial2/0/0
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
ipsec policy map1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 10.0.23.3
#
ospf 1

area 0.0.0.0
network 10.0.23.0 0.0.0.255
#
rip 1
version 2
network 40.0.0.0
network 10.0.0.0
#
Return

Lab 1-3 Attack Defense Configuration on a Firewall
Learning Objectives
• Methods used to configure attack defense against traffic attacks
• Methods used to configure attack defense against scanning and
snooping attacks
• Methods used to configure attack defense against malformed
packet attacks
• Methods used to configure attack defense against special packet
attacks
Topology
Figure 1-3 Attack defense configuration

Scenario

enterprise network includes a firewall and a switch. R1 functions as a
DHCP server, FW functions as the egress to the Internet, and S2
simulates a PC on the extranet.
To improve network security, you need to apply security policies to
the network and configure security policies on the firewall and the
switch.
Tasks
Step 1 Perform basic configurations and configure IP
addresses.
Configure IP addresses and masks for all devices.

<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
<Quidway>system-view
[Quidway]sysname S1


[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]interface Ethernet 2/0/0
<Quidway>system-view
[Quidway]sysname S2
[S2]vlan 100
[S2-vlan100]quit
[S2-GigabitEthernet0/0/9]quit
[S2]interface Vlanif 100
[S2-Vlanif100]ip address 100.0.0.2 24
[S1]vlan 100
[S1-vlan100]quit
Shut down G0/0/10, G0/0/13, and G0/0/14 on S1 to prevent side

impacts on the lab.
[S1-GigabitEthernet0/0/10]shutdown
After configurations are complete, test the connectivity of direct

links.
[R1]ping -c 1 10.0.10.2


0.00% packet loss
[R1]ping -c 1 10.0.10.3

0.00% packet loss
[R1]ping -c 1 10.0.10.254

0.00% packet loss
[FW]ping -c 1 100.0.0.2
10:47:09 2011/12/27

0.00% packet loss
Step 2 Implement network communication.
To implement network communication, configure a correct default

route for each device that simulates a PC.
Configure default routes for R1, R2, R3, and S2.

[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.10.254
[R3]ip route-static 0.0.0.0 0 10.0.10.254
[S2]ip route-static 0.0.0.0 0 100.0.0.1
On S2, test the connectivity among R1, R2, and R3.

[S2]ping -c 1 10.0.10.1

0.00% packet loss
[S2]ping -c 1 10.0.10.2

0.00% packet loss
[S2]ping -c 1 10.0.10.3

0.00% packet loss

Step 3 Configuring defense against traffic attacks.
Attackers send a large amount of unnecessary data to a server. The

server fails to respond to service requests from authorized users.
To protect networks against such attacks, enable defense against
SYN flood attacks, TCP full-connection attacks, HTTP flood attacks, UDP
flood attacks, and ICMP flood attacks.
Enable defense against reverse source tracing based on TCP on
E2/0/0 of FW.
[FW]firewall source-ip detect interface Ethernet 2/0/0 alert-rate 10000 max-rate
30000
Enable defense against TCP full-connection attacks on FW.

[FW]firewall blacklist enable
[FW]firewall defend tcp-illegal-session enable
Warning: Configuring this command will affect the P2P service. To protect the
server from TCP connection exhaustion, configure this command.
Continue? [Y/N]:y
Enable defense against HTTP flood attacks on E2/0/0 of FW.

[FW]firewall defend http-flood enable
[FW]firewall defend http-flood source-detect interface Ethernet 2/0/0 alert-rate
10000 max-rate 30000
Enable defense against UDP flood attacks on E2/0/0 of FW.

[FW]firewall defend udp-flood enable
[FW] firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000
Enable defense against ICMP flood attacks on E2/0/0 of FW.

[FW]firewall defend icmp-flood enable
[FW]firewall defend icmp-flood interface Ethernet 2/0/0 max-rate 10000

Step 4 Configure defense against scanning and snooping
attacks.
Attackers continually send different packets to the destination port

for scanning service types and security vulnerabilities on the port. To
prevent such attacks, enable defense against scanning and snooping
attacks.
Enable defense against scanning and snooping attacks on FW.

[FW]firewall defend port-scan enable
[FW]firewall defend port-scan max-rate 5000
Step 5 Configure defense against malformed packet
attacks.
If attackers send malformed IP packets to a user system, an exception

may occur when the system processes these packets, affecting proper
system operating. To prevent such attacks, enable defense against Smurf
attacks, Land attacks, and Fraggle attacks. Configure DHCP snooping on
the access network to improve network security.
Enable Smurf attack defense on FW.
[FW]firewall defend smurf enable
Enable Land attack defense on FW.

[FW]firewall defend land enable
Enable Fraggle attack defense on FW.

[FW]firewall defend fraggle enable
Enable IP fragment attack defense on FW.

[FW]firewall defend ip-fragment enable
Enable defense against attacks from packets with invalid TCP flag bits
on FW.
[FW]firewall defend tcp-flag enable

Use R1 as the DHCP server.

[R1]dhcp enable
[R1-GigabitEthernet0/0/1]dhcp select global
[R1-GigabitEthernet0/0/1]quit
[R1]ip pool company
[R1-ip-pool-company]network 10.0.10.0 mask 24
[R1-ip-pool-company]excluded-ip-address 10.0.10.1
[R1-ip-pool-company]gateway-list 10.0.10.254
Configure G0/0/1 of R2 and R3 to automatically obtain IP addresses.

[R2]dhcp enable
[R2-GigabitEthernet0/0/1]undo ip address
[R2-GigabitEthernet0/0/1]ip address dhcp-alloc
Info: The operation may take a few seconds, please wait.
Succeed.
[R3]dhcp enable
[R3-GigabitEthernet0/0/1]undo ip address
[R3-GigabitEthernet0/0/1]ip address dhcp-alloc
Info: The operation may take a few seconds, please wait.
Succeed.
Enable DHCP Snooping on S1 and configure interfaces as trusted

interfaces.
[S1]dhcp enable
[S1]dhcp snooping enable
[S1-GigabitEthernet0/0/1]dhcp snooping trusted
[S1-GigabitEthernet0/0/1]inter GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]dhcp snooping enable
[S1-GigabitEthernet0/0/2]inter GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]dhcp snooping enable
View the MAC addresses of G0/0/1 on R1 and E0/0/0 on FW, and

configure a static user binding entry.
[R1]display interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP

Line protocol current state : UP

Last line protocol up time : 2011-12-27 10:21:41
Description:HUAWEI, AR Series, GigabitEthernet0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.0.10.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 5489-9876-81f0
Last physical up time : 2011-12-27 10:14:07
Last physical down time : 2011-12-27 10:13:48
Current system time: 2011-12-27 16:24:49
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 704 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 7392 bits/sec,Record time: 2011-12-27 10:17:53
Output peak rate 2816 bits/sec,Record time: 2011-12-27 10:17:13
Input: 12040 packets, 1641163 bytes

Unicast: 0, Multicast: 0
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0
……output omit……
[FW]display interface Ethernet 0/0/0

Ethernet0/0/0 current state : UP
Line protocol current state : UP
Description : Huawei, Eudemon 200E serials, Ethernet0/0/0 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.0.10.254/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a109-68b2
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
Output flow-control is unsupported, input flow-control is unsupported
QoS max-bandwidth : 100000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 59.50 bytes/sec, 0.50 packets/sec
Last 300 seconds output rate 0.00 bytes/sec, 0.00 packets/sec
Input: 11778 packets, 1527521 bytes
478 broadcasts(4.06%), 11230 multicasts(95.35%)

0 runts, 0 giants,
0 errors, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
……output omit……
[S1]user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0

[S1]user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2
Enable IP address anti-spoofing.

[S1-GigabitEthernet0/0/2]ip source check user-bind enable
Info: Add permit rule for dynamic snooping bind-table, please wait a minute!
[S1-GigabitEthernet0/0/3]ip source check user-bind enable
Info: Add permit rule for dynamic snooping bind-table, please wait a minute!
Configure the items in an IP packet to be checked.

[S1-GigabitEthernet0/0/2]ip source check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!
[S1-GigabitEthernet0/0/3]ip source check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!
Check source MAC addresses of ARP packets.

[S1]arp anti-attack packet-check sender-mac
Configure defense against ARP man-in-the-middle attacks.

[S1-GigabitEthernet0/0/2]arp anti-attack check user-bind enable
[S1-GigabitEthernet0/0/2]arp anti-attack check user-bind check-item ip-address
mac-address
Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a
minute!
[S1-GigabitEthernet0/0/3]arp anti-attack check user-bind check-item ip-address
mac-address

Info: Change permit rule for dynamic dhcp snooping bind-table, please wait a
minute!
Step 6 Configure defense against special packet attacks.
Attackers send some seldom used valid packets to detect the

network. To prevent such attacks, enable defense against large ICMP
packet attacks, ICMP redirection packet attacks, and ICMP
destination-unreachable packet attacks.
Enable defense against large ICMP packet attacks on FW.
[FW]firewall defend large-icmp enable
[FW]firewall defend large-icmp max-length 3000
Enable defense against ICMP redirection packet attacks on FW.

[FW]firewall defend icmp-redirect enable
Enable defense against ICMP destination-unreachable packet attacks

on FW.
[FW]firewall defend icmp-unreachable enable
Enable defense against attacks of IP packets with the route record

option on FW.
[FW]firewall defend route-record enable
Enable defense against attacks of IP packets with the source route

option on FW.
[FW]firewall defend source-route enable
Enable Tracert attack defense on FW.

[FW]firewall defend tracert enable
Enable defense against attacks of IP packets with the timestamp

option on FW.
[FW]firewall defend time-stamp enable

The firewall functions are limited on actual networks. IPS devices

need to be deployed to defend against attacks at another layer.
Collect information about IPS and compare the IPS to the firewall.
#
sysname FW
#
#
vlan batch 1
#
firewall session link-state check
#
firewall defend tcp-illegal-session enable
firewall defend http-flood enable
firewall defend port-scan enable
firewall defend time-stamp enable
firewall defend route-record enable
firewall defend source-route enable
firewall defend ip-fragment enable
firewall defend tcp-flag enable
firewall defend fraggle enable
firewall defend tracert enable
firewall defend icmp-unreachable enable
firewall defend icmp-redirect enable
firewall defend large-icmp enable
firewall defend icmp-flood enable
firewall defend udp-flood enable
firewall defend smurf enable
firewall defend land enable
firewall defend port-scan max-rate 5000
firewall defend large-icmp max-length 3000
firewall defend http-flood source-detect interface Ethernet2/0/0 alert-rate
10000 max-rate 30000
firewall source-ip detect interface Ethernet2/0/0 alert-rate 10000 max-rate
30000

firewall defend icmp-flood interface Ethernet2/0/0 max-rate 10000

firewall defend udp-flood interface Ethernet2/0/0 max-rate 20000
#
runmode firewall
#
update schedule ips daily 5:37
update schedule av daily 5:37
security server domain sec.huawei.com
#
web-manager enable
#
l2fwdfast enable
#
interface Vlanif1
ip address 192.168.0.1 255.255.255.0
dhcp select interface
#
ip address 10.0.10.254 255.255.255.0
#
ip address 100.0.0.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin service-type web terminal
local-user admin level 3
authentication-scheme default
#
authorization-scheme default
#

accounting-scheme default
#
domain default
domain dot1x
#
#
#
banner enable
#
firewall blacklist enable
#
user-interface con 0
user-interface tty 2
modem both
set authentication password simple Admin@123
#
slb
#
cwmp
#
#
return
#
sysname S1
#
vlan batch 100
#
dhcp enable
dhcp snooping enable
user-bind static ip-address 10.0.10.1 mac-address 5489-9876-81f0
user-bind static ip-address 10.0.10.254 mac-address 0022-a109-68b2
#
dhcp snooping trusted
#

arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
arp anti-attack check user-bind enable
arp anti-attack check user-bind check-item ip-address mac-address
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
#
#
shutdown
#
shutdown
#
shutdown
#
#
#
return

Lab 1-4 NAT Configuration on a Eudemon Firewall
Learning Objectives
• NAT Easy IP configuration on a Eudemon
• NAPT configuration on a Eudemon
• NAT Server configuration on a Eudemon
• NAT configuration on a Eudemon in a zone
Topology
Figure 1-4 NAT configuration

Scenario

headquarters network includes a trusted zone, an untrusted zone, and a
DMZ zone. You need to configure users in the trusted area to access the
extranet, and advertise Telnet and FTP services provided by a server with
the IP address of 10.0.4.4 in the DMZ zone. The public address of the
server is 1.1.1.100/24.
You also need to advertise Telnet services provided by a server with
the IP address of 10.0.3.3 in the trusted zone. Users in the trusted zone
can access the Telnet services using 1.1.1.200/24, and cannot access
services in other zones.
Tasks
<Huawei>system-view
[Huawei]sysname R1
<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3


<Huawei>system-view
[Huawei]sysname R4
Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot

be configured with an IP address. In the lab, configure VLAN 12 on the
firewall and create a VLANIF 12 interface. Configure the VLANIF 12
interface's IP address as the IP address of the gateway in the trusted
zone and set the IP address to 10.0.20.254/24.
By default, the firewall configures an IP address for VLANIF 1. To
prevent interference, delete the VLANIF 1 configuration.
[FW]vlan 12
[FW-vlan-12]quit
[FW]interface Vlanif 12
[FW-Vlanif12]ip address 10.0.20.254 24
[FW-Vlanif12]interface ethernet 1/0/0
[FW-Ethernet1/0/0]port access vlan 12
[FW-Ethernet1/0/0]undo interface Vlanif 1
[FW]interface Ethernet 0/0/0
[FW-Ethernet0/0/0]interface ethernet 2/0/0
Add G0/0/1 and G0/0/21 to VLAN 11.

Add G0/0/2, G0/0/3, and G0/0/22 to VLAN 12.
Add G0/0/4 and G0/0/23 to VLAN 13.
[Quidway]sysname S1


Step 2 Configure static routes to connect networks.
Configure default routes for R2, R3, and R4. Configure static routes to
implement communication across network segments to which four
loopback 0 interfaces are connected. R1 requires no static route because
R1 functions as an Internet device and does not require information
about the private networks in the trusted zone and DMZ zone.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.20.254
[R4]ip route-static 0.0.0.0 0 10.0.40.254

Test connectivity of 10.0.1.0, 10.0.2.0, 10.0.3.0, and 10.0.4.0 network
segments on the firewall.

[FW]ping 10.0.1.1

0.00% packet loss
[FW]ping 10.0.2.2

0.00% packet loss
[FW]ping 10.0.3.3

0.00% packet loss
[FW]ping 10.0.4.4



0.00% packet loss
Step 3 Add interfaces to security zones.
By default, four zones locate on a firewall. They are local, trusted,

untrusted, and DMZ zones.
This lab uses trusted, untrusted, and DMZ zones.
[FW]firewall zone dmz
[FW-zone-dmz]add interface Ethernet 2/0/0
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface Vlanif 12
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface Ethernet 0/0/0
By default, communication among all zones is normal. NAT is not

enabled; therefore, external zones cannot communicate with inside
zones and DMZ zone.
Step 4 Configure security filtering between zones.
Configure packets to transmit from 10.0.2.0 and 10.0.3.0 segments in

the trusted zone to the untrusted zone. Configure Telnet and FTP
request packets to transmit from the untrusted zone to the 10.0.4.4
network segment in the DMZ zone.
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0 0.0.0.255

[FW-policy-interzone-trust-untrust-outbound-0]action permit
[FW-policy-interzone-trust-untrust-outbound-0]quit
[FW-policy-interzone-trust-untrust-outbound]quit
[FW]policy interzone dmz untrust inbound
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set ftp
Step 5 Configure NAT Easy IP.
Configure NAT Easy IP on an interface to translate the source address

and bind a NAT policy to the interface.
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip Ethernet 0/0/0
Test connectivity of the trusted zone and the untrusted zone.

[R2]ping 10.0.1.1
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
[R2]ping -a 10.0.2.2 10.0.1.1




0.00% packet loss
If you ping 10.0.1.1 from R2 directly, the ping fails. Use the extended
ping. After a source IP address is specified as 10.0.2.2, the ping succeeds.
This is because that the source IP address of the packet is 10.0.20.2,
which is not in the NAT address range.
[FW]display nat-policy interzone trust untrust outbound
10:46:37 2011/12/26
nat-policy interzone trust untrust outbound
policy 0 (1 times matched)
action source-nat
policy service service-set ip
policy source 10.0.2.0 0.0.0.255
policy destination any
easy-ip Ethernet0/0/0
Step 6 Configure an address group.
Configure an address group to translate the source IP address and

bind a NAT policy to the address group.
[FW]nat address-group 1 1.1.1.3 1.1.1.10
[FW]nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.3.0
0.0.0.255
[FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[FW-nat-policy-interzone-trust-untrust-outbound-0]address-group 1

[R3]ping -a 10.0.3.3 10.0.1.1



0.00% packet loss
Use the extended ping. After a source IP address is specified as

10.0.3.3, the ping succeeds.
[FW]display nat-policy interzone trust untrust outbound
10:52:37 2011/12/26
action source-nat
policy source 10.0.2.0 0.0.0.255

action source-nat
policy source 10.0.3.0 0.0.0.255
address-group 1
The IP address 10.0.2.0/24 and 10.0.3.0/24 in the trusted zone can

access the untrusted zone.
Step 7 Advertise services provided by the intranet server
with the IP address of 10.0.4.4.
Map Telnet and FTP services on 10.0.4.4 to 1.1.1.100.

[FW]nat server protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet

[FW]nat server protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp
FTP is a multi-channel protocol, so NAT translation takes effect only

after NAT ALG is configured.
Configure NAT ALG between the DMZ and untrusted zones so that
the server can properly provide FTP services.
[FW]firewall interzone dmz untrust
[FW-interzone-dmz-untrust]detect ftp
Enable Telnet and FTP on R4, and test on R1. The advertised IP
address is 1.1.1.100, which is the actual destination IP address when R1
accesses services on 10.0.4.4.
[R4]aaa
[R4-aaa]local-user huawei password simple huawei
[R4-aaa]local-user huawei service-type ftp
[R4-aaa]local-user huawei ftp-directory flash:
[R4-aaa]quit
[R4-ui-vty0-4]quit
[R4]ftp server enable
<R1>telnet 1.1.1.100
Trying 1.1.1.100 ...
<R4>quit
<R1>ftp 1.1.1.200
Trying 1.1.1.200 ...
Press CTRL+K to abort
Connected to 1.1.1.200.
220 FTP service ready.
User(1.1.1.200:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[R1-ftp]
Users in the untrusted zone can access Telnet and FTP services
provided by 1.1.1.100/24 in the DMZ zone.

Step 8 Configure NAT in an inside zone.
Configure NAT on the server with the IP address of 10.0.3.3 and maps
the address to 1.1.1.200.
[FW]nat server protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet
Configure NAT to translate the source address into a public address

when a user on the intranet accesses 1.1.1.200.
[FW]nat-policy zone trust
[FW-nat-policy-zone-trust]policy 0
[FW-nat-policy-zone-trust-0]policy source 10.0.2.0 0.0.0.255
[FW-nat-policy-zone-trust-0]policy destination 1.1.1.200 0
[FW-nat-policy-zone-trust-0]action source-nat
[FW-nat-policy-zone-trust-0]address-group 1
Enable Telnet on R3, and test connectivity of the trusted area and
1.1.1.200 on R2. The advertised IP address is 1.1.1.200, which is the actual
destination IP address when R2 accesses 10.0.3.3.
<R2>telnet -a 10.0.2.2 1.1.1.200

Trying 1.1.1.200 ...
<R3>
How do you advertise services provided by intranet servers when the

firewall is connected to two carrier networks at the same time?
#
sysname FW
#

nat address-group 1 1.1.1.3 1.1.1.10

nat server 0 protocol tcp global 1.1.1.100 telnet inside 10.0.4.4 telnet
nat server 1 protocol tcp global 1.1.1.100 ftp inside 10.0.4.4 ftp
nat server 2 protocol tcp global 1.1.1.200 telnet inside 10.0.3.3 telnet
#
vlan batch 1 12
#
firewall session link-state check
#
interface Vlanif12
ip address 10.0.20.254 255.255.255.0
#
ip address 1.1.1.254 255.255.255.0
#
portswitch
port access vlan 12
#
ip address 10.0.40.254 255.255.255.0
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.20.3
ip route-static 10.0.4.0 255.255.255.0 10.0.40.4
#

policy interzone trust untrust outbound

policy 0
action permit
policy source 10.0.2.0 0.0.0.255
policy source 10.0.3.0 0.0.0.255
#
policy interzone dmz untrust inbound
policy 0
action permit
policy service service-set ftp
policy service service-set telnet
#
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255
policy 1
action source-nat
policy source 10.0.3.0 0.0.0.255
address-group 1
#
nat-policy zone trust
policy 0
action source-nat
policy source 10.0.2.0 0.0.0.255
address-group 1
#
Return
<R1>display current-configuration
[V200R001C00SPC200]
#
sysname R1
#
#
ip address 1.1.1.1 255.255.255.0
#
interface LoopBack0

ip address 10.0.1.1 255.255.255.0

#
Return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
Return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.20.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
#
Return
[V200R001C00SPC500]
#
sysname R4
ftp server enable
#

#
aaa
local-user huawei password simple huawei
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
ip address 10.0.40.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.254
#
#
Return
<S1>display current-configuration
#
sysname S1
#
vlan batch 11 to 13
#
#
#
#
#


#
#
#
return

Lab 1-5 Dual-System Hot Backup Configuration for
Eudemon Firewalls
Learning Objectives
• Dual-system hot backup configuration
• VRRP configuration
• HRP configuration
Topology
Figure 1-5a Physical topology

Figure 1-5b Logical topology
Scenario
Assume that you are a network administrator of an enterprise. You

need to configure dual-system hot backup for the firewalls to ensure
communication reliability.
The current communication requires dual-system hot backup based
on load balancing. When users in the trusted zone access services in the
untrusted zone, packets sent from different routes are forwarded by the
primary firewall to implement load balancing. When a fault occurs on the
primary firewall, packets are switched to the secondary firewall to
implement hot backup.
Tasks
<Huawei>system-view
[Huawei]sysname R1

<Huawei>system-view
[Huawei]sysname R2
<Huawei>system-view
[Huawei]sysname R3
<Huawei>system-view
[Huawei]sysname R4
Configure VLAN 11, 12, 13, and 14 and corresponding VLANIF

addresses for firewalls. Ethernet1/0/0 on the firewall is a Layer 2 switch
interface and cannot be configured with an IP address. By default, the
firewall configures an IP address for VLANIF 1. To prevent interference,
delete the VLANIF 1 configuration.
<FW1>system-view
[FW1]vlan batch 11 to 14
[FW1]interface vlanif 11
[FW1-Vlanif11]ip address 10.0.10.2 24
[FW1-Vlanif11]interface vlanif 12
[FW1-Vlanif12]interface Vlanif 13
[FW1-Vlanif14]interface Ethernet0/0/0


[FW1-Ethernet0/0/0]quit
[FW1]undo interface vlanif 1
<FW2>system-view
[FW2]vlan batch 11 to 14
[FW2-Vlanif14]interface Ethernet0/0/0
[FW2-Ethernet0/0/0]quit
[FW2]undo interface vlanif 1
Plan VLANs for interfaces on switches.

<S1>system-view
[S1-GigabitEthernet0/0/2]interface gigabitEthernet 0/0/4
<S2>system-view
[S2-GigabitEthernet0/0/1]interface gigabitEthernet 0/0/3
Set G0/0/9 on S1 and G0/0/9 on S2 to trunk interfaces and allow

packets from VLAN 11, 12, 13, and 14 to pass through.
[S1-GigabitEthernet0/0/9]port link-type trunk

[S1-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14


[S2-GigabitEthernet0/0/9]port link-type trunk
[S2-GigabitEthernet0/0/9]port trunk allow-pass vlan 11 to 14
Assign G0/0/21 and G0/0/10 on S1 and G0/0/10 and G0/0/11 on S2

to VLAN 10. This line is the firewall heartbeat line.
Enable MSTP on VLAN 10 so that the default process 0 of MSTP
cannot shut down G0/0/10 interfaces on S1 and S2.
Set the region name of S1 and S2 both to be FW.
[S1]vlan 10
[S1-vlan10]quit
[S1]stp region-configuration
[S1-mst-region]region-name FW
[S1-mst-region]instance 1 vlan 10
[S1-mst-region]active region-configuration
[S2]vlan 10
[S2-vlan10]quit
[S2]stp region-configuration
[S2-mst-region]region-name FW
[S2-mst-region]instance 1 vlan 10
[S2-mst-region]active region-configuration

Set E1/0/0 on FW1 and G0/0/22 on S1 to trunk interfaces and allow

packets from VLAN 11, 12, 13, and 14 to pass through.Set E1/0/0 on FW2
and G0/0/12 on S2 to trunk interfaces and allow packets from VLAN 11,
12, 13, and 14 to pass through.
[FW1]port link-type trunk
[FW1]port trunk permit vlan 11 to 14

[S1]port link-type trunk
[S1]port trunk allow-pass vlan 11 to 14
[FW2]port link-type trunk
[FW2]port trunk permit vlan 11 to 14

[S2]port link-type trunk
[S2]port trunk allow-pass vlan 11 to 14
Test connectivity of FW1 and FW2.

[FW1]ping 10.0.20.1
09:47:13 2011/12/27

0.00% packet loss
[FW1]ping 10.0.30.1
09:47:35 2011/12/27



0.00% packet loss
[FW1]ping 10.0.40.1
09:48:01 2011/12/27

0.00% packet loss
[FW1]ping 10.0.10.1
09:48:34 2011/12/27

0.00% packet loss
[FW2]ping 10.0.10.1
03:51:04 2011/12/27



0.00% packet loss
[FW2]ping 10.0.20.1
03:51:23 2011/12/27

0.00% packet loss
[FW2]ping 10.0.30.1
03:51:47 2011/12/27

0.00% packet loss
[FW2]ping 10.0.40.1

03:52:15 2011/12/27

0.00% packet loss
Step 2 Add interfaces to security zones.
By default, four zones locate on a firewall. They are local, trusted,

untrusted, and DMZ zones.
In the lab, add VLANIF 12 and VLANIF 13 to the trusted zone, and
add VLANIF 11 and VLANIF 14 to the untrusted zone. Create a zone abc
on FW1 and set the zone priority to 80. Add the heartbeat line interface
E0/0/0 on FW1 to the abc zone. Perform the same operations on FW2.
[FW1]firewall zone trust
[FW1-zone-trust]add interface vlanif 12
[FW1-zone-untrust]add interface vlanif 11
[FW1-zone-untrust]firewall zone name abc
[FW1-zone-abc]add interface Ethernet 0/0/0
[FW2]firewall zone trust

[FW2-zone-untrust]firewall zone name abc
[FW2-zone-abc]add interface Ethernet 0/0/0

Step 3 Configure a VRRP backup group.
Configure a Virtual Router Redundancy Protocol (VRRP) backup

group on FW1 and configure a virtual IP address for the backup group.
[FW1-Vlanif12]vrrp vrid 12 virtual-ip 10.0.20.254 master
[FW1-Vlanif13]vrrp vrid 13 virtual-ip 10.0.30.254 slave
Configure a VRRP backup group on FW2 and configure a virtual IP

address for the backup group.
When configuring the VRRP backup group on FW2, map the Master
of FW1 to the Slave of FW2, and map the Slave of FW1 to the Master of
FW2.
Check the VRRP configurations of FW1 and FW2. Verify that the
command outputs display VRRP group states correctly.
[FW1]display vrrp
20:56:41 2011/12/28
Vlanif13 | Virtual Router 13
VRRP Group : Slave
state : Backup
Virtual IP : 10.0.30.254
Virtual MAC : 0000-5e00-010d
Primary IP : 10.0.30.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100

Preempt : YES Delay Time : 0

Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.10.254
Virtual MAC : 0000-5e00-010b
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Backup
Virtual IP : 10.0.40.254
Virtual MAC : 0000-5e00-010e
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Backup
Virtual IP : 10.0.20.254
Virtual MAC : 0000-5e00-010c
PriorityRun : 100

Auth Type : NONE
Check TTL : YES
[FW2]display vrrp
14:32:32 2011/12/28
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.40.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.30.254
PriorityRun : 100


Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 100
Auth Type : NONE
Check TTL : YES
Step 4 Configure an HRP backup channel.
Configure a backup channel interface on FW1 and FW2 and enable

Huawei Redundancy Protocol (HRP) on the interfaces. The firewall works
on a dual-system hot backup network. If the inbound and outbound
paths are different, run the hrp mirror session enable command to fast
back up sessions. Information about sessions on the primary firewall is
synchronized to the secondary firewall in a timely manner.
When a fault occurs on the primary firewall, packets are forwarded by
the secondary firewall, ensuring uninterrupted sessions between internal
and external users.
[FW1]hrp interface Ethernet0/0/0
[FW1]hrp mirror session enable
[FW1]hrp enable
[FW2]hrp interface Ethernet0/0/0

[FW2]hrp mirror session enable
[FW2]hrp enable
After the preceding configuration is complete, HRP_M or HRP_S is

added to the prompt based on the HRP status.
After a backup channel is configured, the primary and secondary

firewalls negotiate on the master and backup status. Check the VRRP
status of the firewall.
HRP_M[FW1]display vrrp
21:32:17 2011/12/28
VRRP Group : Slave
state : Backup
Virtual IP : 10.0.30.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.40.254
PriorityRun : 120

Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
HRP_S[FW2]display vrrp
15:08:31 2011/12/28
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.40.254
PriorityRun : 120

Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.30.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Backup
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
Step 5 Configure packet filtering in the interzone.
Run the following command to configure automatic backup on FW1.

Packet filtering rules in the interzone configured on FW1 are
automatically backed up to FW2.

HRP_M[FW1]hrp auto-sync config
By default, security zones are connected. When configuring the

packet filtering policy in the interzone, disconnect security zones. Allow
only users in the trusted zone to access services in the untrusted zones.
HRP_M[FW1]firewall packet-filter default deny all
HRP_M[FW1]firewall packet-filter default permit interzone trust untrust
direction outbound
HRP_M[FW1]firewall session link-state check
HRP_S[FW2]firewall packet-filter default deny all

HRP_S[FW2]firewall packet-filter default permit interzone trust untrust
direction outbound
HRP_S[FW2]firewall session link-state check
Step 6 Configure static routes to connect networks.
Configure default routes for R1, R2, R3, and R4. Configure a specific
static route between FW1 and FW2.
[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[R4]ip route-static 0.0.0.0 0 10.0.40.254
HRP_M[FW1]ip route-static 10.0.1.0 24 10.0.10.1


[R2]ping -a 10.0.2.2 10.0.1.1


0.00% packet loss
[R2]ping -a 10.0.2.2 10.0.4.4


0.00% packet loss
[R3]ping -a 10.0.3.3 10.0.4.4


0.00% packet loss
Step 7 Test dual-system hot backup.
By default, FW1 forwards packets from R2 and R4, and FW2 functions
as the backup firewall.
Simulate a fault on VLANIF 12 of FW1 during communication

between R2 and R4. The communication functions normally.
Send 20 packets from R2 to R4. During packet sending, shut down

VLANIF 12 and check communication status.
When running the ping command, shut down VLANIF 12 on FW1
before all packets are sent.
[R2]ping -c 20 -a 10.0.2.2 10.0.4.4
HRP_S[FW1]interface vlanif 12
HRP_S[FW1-Vlanif12]shutdown
No packet is lost even when a fault is simulated on VLANIF 12 of

FW1.
[R2]ping -c 20 -a 10.0.2.2 10.0.4.4

0.00% packet loss

Check the VRRP status on FW2. VLANIF 12 and VLANIF 14 on FW2

are in Master state. If a fault occurs on VLANIF 12 on FW1, backup
VLANIF interfaces on FW2 switch to the Master status and forward
packets.
HRP_M[FW2]display vrrp
03:14:23 2011/12/29
VRRP Group : Master
state : Master
Virtual IP : 10.0.10.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.40.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES

VRRP Group : Master
state : Master
Virtual IP : 10.0.30.254
PriorityRun : 120

Auth Type : NONE
Check TTL : YES

VRRP Group : Slave
state : Master
Virtual IP : 10.0.20.254
PriorityRun : 120
Auth Type : NONE
Check TTL : YES
If a fault occurs on the heartbeat line, what status will FW1 and FW2
have and how will packets be forwarded between the trusted zone and
the untrusted zone?
[V200R001C00SPC200]
#
sysname R1
#
ip address 10.0.10.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.1.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.10.254
#

return
[V200R001C00SPC200]
#
sysname R2
#
ip address 10.0.20.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.30.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.30.254
#
return
[V200R001C00SPC500]
#
sysname R4
#
ip address 10.0.40.1 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#

ip route-static 0.0.0.0 0.0.0.0 10.0.40.254

#
return
#
sysname S1
#
vlan batch 10 to 14
#
stp region-configuration
region-name FW
instance 1 vlan 10
active region-configuration
#
#
#
port link-type trunk
port trunk allow-pass vlan 11 to 14
#
#
#
#
return

#
sysname S2
#
vlan batch 10 to 14
#
stp region-configuration
region-name FW
instance 1 vlan 10
active region-configuration
#
#
#
#
#
#
#
return
HRP_M<FW1>display current-configuration
#
sysname FW1
#
hrp mirror session enable
hrp enable

hrp interface Ethernet0/0/0

#
firewall packet-filter default deny interzone local abc direction inbound
firewall packet-filter default deny interzone local abc direction outbound
firewall packet-filter default deny interzone trust dmz direction outbound
firewall packet-filter default deny interzone trust abc direction inbound
firewall packet-filter default deny interzone trust abc direction outbound
firewall packet-filter default deny interzone abc untrust direction inbound
firewall packet-filter default deny interzone abc untrust direction outbound
firewall packet-filter default deny interzone abc dmz direction inbound
firewall packet-filter default deny interzone abc dmz direction outbound
#
#
vlan batch 1 11 to 14
#
#
#
runmode firewall
#
interface Vlanif11
ip address 10.0.10.2 255.255.255.0
vrrp vrid 11 virtual-ip 10.0.10.254 slave
#
interface Vlanif12
ip address 10.0.20.2 255.255.255.0
vrrp vrid 12 virtual-ip 10.0.20.254 master
#
interface Vlanif13
ip address 10.0.30.2 255.255.255.0
#

interface Vlanif14
ip address 10.0.40.2 255.255.255.0
#
ip address 10.0.50.2 255.255.255.0
#
portswitch
port trunk permit vlan 1 11 to 14
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name abc
set priority 80
#
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.1
ip route-static 10.0.3.0 255.255.255.0 10.0.30.1
ip route-static 10.0.4.0 255.255.255.0 10.0.40.1
#
slb
#
cwmp
#

#
return
HRP_S<FW2>display current-configuration
#
sysname FW2
#
hrp mirror session enable
hrp enable
hrp interface Ethernet0/0/0
#
firewall packet-filter default deny interzone local abc direction inbound
firewall packet-filter default deny interzone local abc direction outbound
firewall packet-filter default deny interzone trust dmz direction outbound
firewall packet-filter default deny interzone trust abc direction inbound
firewall packet-filter default deny interzone trust abc direction outbound
firewall packet-filter default deny interzone abc untrust direction inbound
firewall packet-filter default deny interzone abc untrust direction outbound
firewall packet-filter default deny interzone abc dmz direction inbound
firewall packet-filter default deny interzone abc dmz direction outbound
#
#
vlan batch 1 11 to 14
#
#
interface Vlanif11
ip address 10.0.10.3 255.255.255.0
#
interface Vlanif12

ip address 10.0.20.3 255.255.255.0

#
interface Vlanif13
ip address 10.0.30.3 255.255.255.0
#
interface Vlanif14
ip address 10.0.40.3 255.255.255.0
#
ip address 10.0.50.3 255.255.255.0
#
portswitch
port trunk permit vlan 1 11 to 14
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
#
set priority 5
#
firewall zone dmz
set priority 50
#
firewall zone name abc
set priority 80
#
#
ip route-static 10.0.1.0 255.255.255.0 10.0.10.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.1

ip route-static 10.0.3.0 255.255.255.0 10.0.30.1

ip route-static 10.0.4.0 255.255.255.0 10.0.40.1
#
slb
#
cwmp
#
#
return

HCNP-IENP Chapter 2 QoS and traffic flow management
Chapter 2 QoS and traffic flow management
Lab 2-1 QoS
Learning Objectives
• Method used to analyze the SLA using NQA
• Priority mapping and traffic policing
• Traffic shaping
• Congestion management based on queues and traffic classifiers
• Method used to configure congestion avoidance based on WRED
Topology
Figure 2-1 QoS

Scenario
Assume that you are a network administrator of an enterprise. R1 and

S1 are located in the enterprise headquarters, and R2 and S2 are located
in the enterprise branch. The headquarters and branch are connected
through a leased line.
The internal network bandwidth increases gradually, but the leased
line bandwidth does not increase. As a result, important services are
delayed or some services are unavailable.
You can use differentiated services and adjust QoS parameters to
ensure that important service data is first sent to the destination.
In the lab, S3 and S4 use NQA to exchange a large flow of
generated data. R3, R4, and R5 simulate the clients and server to check
whether important applications are available.
Tasks
Step 1 Perform basic configuration and configure IP
addresses.
Configure IP addresses and masks for all the routers and switches S3
and S4.
Set the baud rate of S1/0/0 on R1 to 72000 and configure the link of
S1/0/0 as the WAN link where congestion occurs because of insufficient
bandwidth.
<Huawei>system-view
[Huawei]sysname R1
[R1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 255.255.255.0
[R1-Serial1/0/0]baudrate 72000
[R1-Serial1/0/0]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.145.1 255.255.255.0
<Huawei>system-view
[Huawei]sysname R2

[R2]interface s1/0/0
<Huawei>system-view
[Huawei]sysname R3
<Huawei>system-view
[Huawei]sysname R4
<Huawei>system-view
[Huawei]sysname R5
<Huawei>system-view
[Huawei]sysname S3
[S3]interface vlan
[S3-Vlanif1]ip address 10.0.145.3 255.255.255.0
<Huawei>system-view
[Huawei]sysname S4
After the configurations are complete, test link connectivity.

[R1]ping -c 1 10.0.12.2

0.00% packet loss
[R1]ping -c 1 10.0.145.3

0.00% packet loss
[R1]ping -c 1 10.0.145.4

0.00% packet loss
[R1]ping -c 1 10.0.145.5

0.00% packet loss
[R2]ping -c 1 10.0.34.3

0.00% packet loss

[R2]ping -c 1 10.0.34.4

0.00% packet loss
Step 2 Configure static routes and NQA.
Configure static routes for all the routers and switches S3 and S4.
[R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
[R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
[R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configurations are complete, test network connectivity.

[S3]ping -c 1 10.0.34.4

0.00% packet loss

[R4]ping -c 1 10.0.34.3

0.00% packet loss
[R5]ping -c 1 10.0.34.3

0.00% packet loss
The links between S3 and S4, between R4 and R3, and between R5
and R3 are reachable, indicating that network communication is normal.
Congestion easily occurs on the 72 kbit/s serial link between the
headquarters and branch.
Use NQA to generate traffic. S4 functions as the NQA server and S3
functions as the NQA client.
Create NQA UDP and jitter test instances to simulate data traffic and
voice traffic respectively.
Set parameters in NQA test instances to simulate an environment

where congestion does not occur if there is only data or voice traffic, and
where congestion occurs if there is data and voice traffic.
Configure S4 as the NQA server, and set the IP address of the
interface used for monitoring UDP services to 10.0.34.4 and port number
to 6000.
[S4]nqa-server udpecho 10.0.34.4 6000
On S3, configure an NQA UDP test instance to simulate data traffic,

and set the ToS to 28, packet size to 5800 bytes, interval at which packets
are sent to 1 second, interval for the NQA test to 3 seconds, and timeout

interval for the NQA test to 1s, and start the NQA UDP test.
[S3]nqa test-instance admin udp
[S3-nqa-admin-udp]test-type udp
[S3-nqa-admin-udp]destination-address ipv4 10.0.34.4
[S3-nqa-admin-udp]destination-port 6000
[S3-nqa-admin-udp]tos 28
[S3-nqa-admin-udp]datasize 5000
[S3-nqa-admin-udp]interval seconds 1
[S3-nqa-admin-udp]frequency 3
[S3-nqa-admin-udp]timeout 1
[S3-nqa-admin-udp]start now
Check the NQA UDP test result.

[S3]display nqa results test-instance admin udp
1 . Test 2 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.0.34.4
Min/Max/Average Completion Time: 930/950/943
Sum/Square-Sum Completion Time: 2830/2669900
Last Good Probe Time: 2008-01-28 23:10:02.4
Lost packet ratio: 0 %
No packet is discarded and congestion does not occur. Shut down the
NQA UDP test.
[S3-nqa-admin-udp]stop
On S3, configure an NQA jitter test instance to simulate voice traffic,

and set the ToS to 46, packet size to 90 bytes, interval at which packets
are sent to 20 milliseconds, the interval for the NQA test to 3 seconds,
and timeout interval for the NQA test to 1 second, and start the NQA
jitter test.
[S3]nqa test-instance admin jitter
[S3-nqa-admin-jitter]test-type jitter
[S3-nqa-admin-jitter]destination-address ipv4 10.0.34.4

[S3-nqa-admin-jitter]destination-port 6000
[S3-nqa-admin-jitter]tos 46
[S3-nqa-admin-jitter]datasize 90
[S3-nqa-admin-jitter]interval milliseconds 20
[S3-nqa-admin-jitter]frequency 3
[S3-nqa-admin-jitter]timeout 1
[S3-nqa-admin-jitter]start now
Check the NQA jitter test result.

[S3]display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is active ,testtype is jitter

1 . Test 1 result The test is finished
SendProbe:60 ResponseProbe:60
Completion:success RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:40/70/54/3260 RTT Square Sum:179800
NumOfRTT:60 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:10 Min Positive DS:10
Max Positive SD:10 Max Positive DS:10
Positive SD Number:5 Positive DS Number:11
Positive SD Sum:50 Positive DS Sum:110
Positive SD Square Sum:500 Positive DS Square Sum:1100
Min Negative SD:10 Min Negative DS:10
Max Negative SD:10 Max Negative DS:20
Negative SD Number:4 Negative DS Number:10
Negative SD Sum:40 Negative DS Sum:110
Negative SD Square Sum:400 Negative DS Square Sum:1300
Min Delay SD:20 Min Delay DS:19
Avg Delay SD:27 Avg Delay DS:26
Max Delay SD:35 Max Delay DS:34
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 jitter out value:0.0937500
jitter in value:0.2291667 NumberOfOWD:60
OWD SD Sum:1630 OWD DS Sum:1570
TimeStamp unit: ms
No packet is discarded and congestion does not occur. Shut down the
NQA jitter test.
[S3]nqa test-instance admin jitter
[S3-nqa-admin-jitter]stop

Step 3 Configure priority mapping.
Run the ping command to simulate traffic of less important services,

and map DSCP priorities of the traffic to BE without QoS guarantee.
Configure G0/0/1 and S1/0/0 on R1 to trust DSCP priorities of
packets.
[R1-GigabitEthernet0/0/1]trust dscp override
[R1-Serial1/0/0]trust dscp
Specify override in the trust command on G0/0/1 so that DSCP

priorities are changed to mapped values after priority mapping is
configured on R1.
Run the ping command on R4 to simulate the traffic destined for R3
and set the ToS to 26.
[R4]ping –tos 26 10.0.34.3
Configure priority mapping on R1 and map DSCP priority 26 to 0.

[R1]qos map-table dscp-dscp
[R1-maptbl-dscp-dscp]input 26 output 0
View the priority mapping information on R1.

[R1]display qos map-table dscp-dscp
Input DSCP DSCP
-------------------
0 0
1 1
2 2
3 3
4 4
5 5
6 6
7 7
8 8
9 9
10 10

11 11
12 12
13 13
14 14
15 15
16 16
17 17
18 18
19 19
20 20
21 21
22 22
23 23
24 24
25 25
26 0
27 27
28 28
29 29
30 30
The preceding information shows that DSCP priority 26 is mapped to

0 and other DSCP priorities use default values.
Step 4 Configure traffic shaping and traffic policing.
Start NQA UDP and jitter tests on S3 to simulate congestion on the

72 kbit/s link between the headquarters and branch.
[S3-nqa-admin-udp]start now
[S3-nqa-admin-udp]nqa test-instance admin jitter
[S3-nqa-admin-jitter]start now
On R4, run the ping command with the packet size as 700 bytes and
packet count as 10 to simulate the traffic destined for R3.
[R4]ping -s 700 -c 10 10.0.34.3
Request time out
Request time out
Request time out
Request time out

Request time out

Request time out
Request time out
Request time out
Request time out

90.00% packet loss
Congestion occurs on the link between the headquarters and branch,

a large number of packets are discarded, and even the forwarded
packets are delayed. R4 cannot communicate with R3.
The following describes how to configure traffic policing and traffic
shaping to remove congestion on the link so that R4 can communicate
with R3.
Configure traffic policing to remove congestion. On S1, configure
traffic policing on G0/0/13 and set the CIR to 64 kbit/s.
[S1-GigabitEthernet0/0/13]qos lr inbound cir 64
View the traffic policing configuration on S1.

[S1]display qos lr inbound interface GigabitEthernet 0/0/13
GigabitEthernet0/0/13 lr inbound:
cir: 64 Kbps, cbs: 8000 Byte
[R4]ping -s 700 -c 10 10.0.34.3



0.00% packet loss
Packets are not discarded and R4 can communicate with R3,

indicating that traffic policing takes effect.
Delete the traffic policing configuration from S1.
[S1-GigabitEthernet0/0/13]undo qos lr inbound
The following uses traffic shaping to remove congestion. On S3,

configure traffic shaping on E0/0/13 and set the CIR to 64 kbit/s.
[S3]interface Ethernet0/0/13
[S3-Ethernet0/0/13]qos lr outbound cir 64
[R4]ping -s 700 -c 10 10.0.34.3

0.00% packet loss

Packets are not discarded and R4 can communicate with R3,

indicating that traffic shaping takes effect.
Delete the traffic shaping configuration from S3.
[S3]interface Ethernet0/0/13
[S3-Ethernet0/0/13]undo qos lr outbound
[R4]ping -s 700 -c 10 10.0.34.3
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out

80.00% packet loss
After the configuration is deleted, many packets are discarded and

forwarded data packets are delayed. R4 cannot communicate with R3.
Step 5 Configure flow-based congestion management
and congestion avoidance.
To prevent network congestion on the link between the

headquarters and branch, configure queue-based congestion
management and congestion avoidance.
On R1, create a WRED drop profile named data based on DSCP
priorities and set the upper drop threshold to 90, lower drop threshold

to 50, and maximum drop probability to 30.

[R1]drop-profile data
[R1-drop-profile-data]wred dscp
[R1-drop-profile-data]dscp af32 low-limit 50 high-limit 90 discard-percentage
30
Create a queue profile named queue-profile1 on R1, put data traffic

into WFQ queues; bind the queue profile to the WRED drop profile data,
and put high-priority and delay-sensitive voice traffic to PQ queues.
[R1]qos queue-profile queue-profile1
[R1-qos-queue-profile-queue-profile1]queue 3 drop-profile data
[R1-qos-queue-profile-queue-profile1]schedule wfq 3 pq 5
Apply the queue profile to S1/0/0 of R1.

[R1- Serial0/0/1]qos queue-profile queue-profile1
View the queue profile information.

[R1]display qos queue-profile queue-profile1
Queue-profile: queue-profile1
Queue Schedule Weight Length(Bytes/Packets) Gts(CIR/CBS)
-----------------------------------------------------------------
3 WFQ 10 0/0 -/-
5 PQ - 0/0 -/-
Data traffic and voice traffic enter WFQ and PQ queues respectively.
View the WRED drop profile information.
[R1]display drop-profile data
Drop-profile[1]: data
DSCP Low-limit High-limit Discard-percentage
-----------------------------------------------------------------
default 30 100 10
1 30 100 10
2 30 100 10
3 30 100 10
4 30 100 10
5 30 100 10
6 30 100 10
7 30 100 10
cs1 30 100 10

9 30 100 10
af11 30 100 10
11 30 100 10
af12 30 100 10
13 30 100 10
af13 30 100 10
15 30 100 10
cs2 30 100 10
17 30 100 10
af21 30 100 10
19 30 100 10
af22 30 100 10
21 30 100 10
af23 30 100 10
23 30 100 10
cs3 30 100 10
25 30 100 10
af31 30 100 10
27 30 100 10
af32 50 90 30
29 30 100 10
af33 30 100 10
31 30 100 10
cs4 30 100 10
33 30 100 10
af41 30 100 10
Parameters in the WRED drop profile data take effect, and other
parameters use default values.
Step 6 Configure flow-based congestion management
and congestion avoidance.
To prevent network congestion on the link between the

headquarters and branch, configure flow-based congestion
Define the traffic exchanged between R4 and R3 as important traffic
and perform QoS guarantee for the traffic so that R4 can communicate
with R3.
Delete the queue profile from S1/0/0 on R1.


[R1-GigabitEthernet0/0/1]undo qos queue-profile
On R4, run the ping command with the source address as 10.0.145.4,
packet size as 700 bytes, and packet count as 10 to test connectivity
between R4 and R3.
[R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3
Request time out
Request time out
Request time out
Request time out
Request time out
Request time out

60.00% packet loss
Congestion has occurred on the link between the headquarters and

branch. A large number of packets are discarded, and R4 cannot
communicate with R3.
On R1, create ACL 3001 to match the traffic sent from 10.0.145.4 to
10.0.34.3.
[R1]acl number 3001
[R1-acl-adv-3001]rule 0 per ip source 10.0.145.4 0.0.0.0 destination 10.0.34.3
0.0.0.0
Create a traffic classifier class-ef, reference ACL 3001 in the traffic

classifier, create a traffic behavior behavior-ef, set the queue scheduling
mode to EF, and set the bandwidth to 10 kbit/s.
[R1]traffic classifier class-ef
[R1-classifier-class-ef]if-match acl 3001
[R1-classifier-class-ef]traffic behavior behavior-ef
[R1-behavior-behavior-ef]queue ef bandwidth 8

Create a traffic classifier class-af32 to match data traffic with the

DSCP priority as AF32, set the traffic behavior as behavior-af32, set the
queue scheduling mode to AF, set the bandwidth to 30 kbit/s, and bind
the traffic behavior to the drop profile data.
[R1]traffic classifier class-af32
[R1-classifier-class-af32]if-match dscp af32
[R-classifier-class-af321]traffic behavior behavior-af32
[R1-behavior-behavior-af32]queue af bandwidth 30
[R1-behavior-behavior-af32]drop-profile data
Create a traffic policy policy-1, associate the traffic policy with the
traffic classifier class-ef and traffic behavior behavior-ef, and the traffic
classifier class-af32 and traffic behavior behavior-af32, and apply the
traffic policy to S1/0/0 on R1.
[R1]traffic policy policy-1
[R1-trafficpolicy-policy-1]classifier class-ef behavior behavior-ef
[R1-trafficpolicy-policy-1]classifier class-af32 behavior behavior-af32
[R1-trafficpolicy-policy-1]interface Serial 1/0/0
[R1-Serial1/0/0]traffic-policy policy-1 outbound
On R4, run the ping command with the source address as 10.0.145.4,
packet size as 700 bytes, and packet count as 10 to test connectivity
between R4 and R3.
[R4]ping -a 10.0.145.4 -s 700 -c 10 10.0.34.3

0.00% packet loss

Configure traffic from R1 to R3 to enter EF queues. Then R1 can

communicate with R3.
QoS uses differentiated services to ensure bandwidth and shorten

delay for various services. Can high bandwidth improve service quality
instead of QoS?
After the lab, summarize the QoS process.
[V200R001C00SPC200]
#
sysname R1
#
acl number 3001
rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0
#
drop-profile data
wred dscp
dscp af32 low-limit 50 high-limit 90 discard-percentage 30
#
qos queue-profile queue-profile1
queue 3 drop-profile data
schedule wfq 3 pq 5
#
qos map-table dscp-dscp
input 26 output 0
#
traffic classifier class-ef operator or
if-match acl 3001
traffic classifier class-af32 operator or
if-match dscp af32
#
traffic behavior behavior-ef
queue ef bandwidth 10 cbs 250
traffic behavior behavior-af32

queue af bandwidth 30
drop-profile data
traffic behavior behavir-af32
queue af bandwidth 30
#
traffic policy policy-1
classifier class-ef behavior behavior-ef
classifier class-af32 behavior behavior-af32
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
trust dscp
traffic-policy policy-1 outbound
baudrate 72000
#
ip address 10.0.145.1 255.255.255.0
trust dscp override
#
ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
#
Return
[V200R001C00SPC200]
#
sysname R2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
ip address 10.0.34.2 255.255.255.0
#
ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
#
return
[V200R001C00SPC200]
#

sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
return
[V200R001C00SPC200]
#
sysname R4
#
ip address 10.0.145.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
[V200R001C00SPC200]
#
sysname R5
#
ip address 10.0.145.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.145.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#

nqa test-instance admin udp

test-type udp
destination-address ipv4 10.0.34.4
destination-port 6000
tos 28
frequency 3
interval seconds 1
timeout 1
datasize 5800
start now
nqa test-instance admin jitter
test-type jitter
destination-address ipv4 10.0.34.4
destination-port 6000
tos 46
frequency 3
interval milliseconds 20
timeout 1
datasize 90
start now
#
return
#
sysname S4
#
interface Vlanif1
ip address 10.0.34.4 255.255.255.0
#
nqa-server udpecho 10.0.34.4 6000
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
Return

Lab 2-2 Traffic Control Based on the Traffic Policy
Learning Objectives
• End-to-end QoS configuration
• Traffic control based on the traffic policy
Topology
Figure 2-2 Traffic control based on the traffic policy
Scenario
Assume that you are a network administrator of an enterprise. R1 and

S1 are located in the enterprise headquarters, and R2 and S2 are located
in the enterprise branch. The headquarters and branch are connected
through the leased line. The required internal network bandwidth
increases gradually, but the leased line bandwidth does not increase. As
a result, important services are delayed or some services are unavailable.
Configure end-to-end QoS and adjust QoS parameters so that
important service data can be sent to the destination and the traffic
policy is used to control traffic.

Tasks
addresses.
Configure IP addresses and masks for all the routers and switches S3
and S4.
<R1>system-view
[R1-GigabitEthernet0/0/1]ip add 10.0.145.1 255.255.255.0
<R2>system-view
<R3>system-view
<R4> system-view
<R5>system-view
<S3>system-view

<S4>system-view
After the configurations are complete, test link connectivity.

[R1]ping -c 1 10.0.12.2

0.00% packet loss
[R1]ping -c 1 10.0.145.3

0.00% packet loss
[R1]ping -c 1 10.0.145.4

0.00% packet loss
[R1]ping -c 1 10.0.145.5


0.00% packet loss
[R2]ping -c 1 10.0.34.3

0.00% packet loss
[R2]ping -c 1 10.0.34.4

0.00% packet loss
Step 2 Configure static routes.
Configure static routes for all the routers and switches S3 and S4.
[R1]ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
[R2]ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
[R3]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
[R4]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[R5]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
[S3]ip route-static 0.0.0.0 0.0.0.0 10.0.145.1

[S4]ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
After the configuration is complete, test network connectivity.

[S3]ping -c 1 10.0.34.4

0.00% packet loss
[R4]ping -c 1 10.0.34.3

0.00% packet loss
[R5]ping -c 1 10.0.34.3

0.00% packet loss
Step 3 Configure DSCP priority re-marking.
Voice, video, and data services are transmitted on the enterprise

network. Because the bandwidth of the leased line between the
enterprise headquarters and branch does not increase, congestion
occurs.

Configure end-to-end QoS to ensure that voice packets are sent first
and bandwidth for video packets is guaranteed.
Simulate voice packets between R4 and R3, video packets between R5 and
R3, and data packets between S3 and S4. Perform QoS configuration for voice
packets and video packets and configure BE for data packets.
Mark the DSCP priority of voice packets with EF, and the DSCP
priority of video packets with AF32.
On S1, create ACL 3001 and ACL 3002 to match the traffic sent from
R4 to R3 and the traffic sent from R5 to R3 respectively.
[S1]acl number 3001
[S1-acl-adv-3001]rule 0 permit ip source 10.0.145.4 0 destination 10.0.34.3 0
[S1-acl-adv-3001]acl number 3002
Create a traffic classifier class-voice-s1 and reference ACL 3001 in

the traffic classifier. Create a traffic behavior behavior-voice-s1 and
re-mark DSCP priorities with EF.
Create a traffic policy policy-voice-s1 and associate the traffic
classifier class-voice-s1 and traffic behavior behavior-voice-s1 with the
traffic policy, and apply the traffic policy to G0/0/4 in the inbound
direction.
[S1]traffic classifier class-voice-s1
[S1-classifier-class-voice-s1]if-match acl 3001
[S1-classifier-class-voice-s1]traffic behavior behavior-voice-s1
[S1-behavior-behavior-voice-s1]remark dscp ef
[S1-behavior-behavior-voice-s1]traffic policy policy-voice-s1
[S1-trafficpolicy-policy-voice-s1]classifier class-voice-s1 behavior
behavior-voice-s1
[S1-trafficpolicy-policy-voice-s1]interface GigabitEthernet 0/0/4
[S1-GigabitEthernet0/0/4]traffic-policy policy-voice-s1 inbound
Create a traffic classifier class-video-s1 and reference ACL 3002 in

the traffic classifier. Create a traffic behavior behavior-video-s1 and
re-mark the DSCP priority with AF32. Create a traffic policy
policy-video-s1 and associate the traffic classifier class-video-s1 and
traffic behavior behavior-video-s1 with the traffic policy, and apply the
traffic policy to G0/0/5 in the inbound direction.
[S1]traffic classifier class-video-s1
[S1-classifier-class-video-s1]if-match acl 3002

[S1-classifier-class-video-s1]traffic behavior behavior-video-s1

[S1-behavior-behavior-video-s1]remark dscp af32
[S1-behavior-behavior-video-s1]traffic policy policy-video-s1
[S1-trafficpolicy-policy-video-s1]classifier class-video-s1 behavior
behavior-video-s1
[S1-trafficpolicy-policy-video-s1]interface GigabitEthernet 0/0/5
[S1-GigabitEthernet0/0/5]traffic-policy policy-video-s1 inbound
On S2, create ACL 3001 and ACL 3002 to match the traffic sent from
R3 to R4 and the traffic sent from R3 to R5 respectively.
[S2]acl number 3001
[S2-acl-adv-3001]acl number 3002
On S2, create a traffic classifier class-voice-s2 and reference ACL

3001 in the traffic classifier. Create a traffic behavior behavior-voice-s2
and re-mark the DSCP priority with EF.
[S2]traffic classifier class-voice-s2
[S2-classifier-class-voice-s2]if-match acl 3001
[S2-classifier-class-voice-s2]traffic behavior behavior-voice-s2
[S2-behavior-behavior-voice-s2]remark dscp ef
On S2, create a traffic classifier class-video-s2 and reference ACL

3002 in the traffic classifier. Create a traffic behavior behavior-video-s2
and re-mark the DSCP priority with AF32.
[S2]traffic classifier class-video-s2
[S2-classifier-class-video-s2]if-match acl 3002
[S2-classifier-class-video-s2]traffic behavior behavior-video-s2
[S2-behavior-behavior-video-s2]remark dscp af32
Create a traffic policy policy-voice-video-s2 and associate the traffic

policy with the traffic classifier class-voice-s2 and traffic behavior
behavior-voice-s2, and the traffic classifier class-video-2 and traffic
behavior behavior-video-s2, and apply the traffic policy to G0/0/3 in the
inbound direction.
[S2]traffic policy policy-voice-video-s2
[S2-trafficpolicy-policy-voice-video-s2]classifier class-voice-s2 behavior
behavior-voice-s2
[S2-trafficpolicy-policy-voice-video-s2]classifier class-video-s2 behavior
behavior-video-s2


[S2-GigabitEthernet0/0/3]traffic-policy policy-voice-video-s2 inbound
Step 4 Configure traffic shaping and traffic policing.
Configure traffic shaping on core switches of the headquarters and

branch to lessen network congestion.
Configure traffic shaping on G0/0/1 of S1 in the outbound direction
and set the CIR to 128 kbit/s.
[S1-GigabitEthernet0/0/1]qos lr outbound cir 128
View the traffic shaping configuration.

[S1]display qos lr outbound interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 lr outbound:
Configure traffic shaping on G0/0/2 of S2 in the outbound direction

[S2-GigabitEthernet0/0/2]qos lr outbound cir 128
View the traffic shaping configuration.

[S2]display qos lr outbound interface GigabitEthernet 0/0/2
GigabitEthernet0/0/2 lr outbound:
Configure traffic policing on egress routers of the headquarters and

branch to further lessen network congestion.
Configure traffic policing on G0/0/1 of R1 in the inbound direction
[R1-GigabitEthernet0/0/1]qos car inbound cir 72
Configure traffic policing on G0/0/2 of R2 in the inbound direction


[R2-GigabitEthernet0/0/2]qos car inbound cir 72
Step 5 Configure traffic policy-based congestion
Configure traffic policy-based congestion management and

congestion avoidance on egress routers of the headquarters and branch.
Ensure that voice traffic is sent first and video traffic has sufficient
bandwidth.
Configure G0/0/1 on R1 to trust DSCP priorities.
[R1-GigabitEthernet0/0/1]trust dscp
On R1, create a WRED drop profile named video-r1 based on DSCP

[R1]drop-profile video
[R1-drop-profile-video-r1]wred dscp
[R1-drop-profile-video-r1]dscp af32 low-limit 50 high-limit 90
discard-percentage 30
On R1, create a traffic classifier class-af32-r1 to match video traffic

with the DSCP priority of AF32. Set the traffic behavior as
behavior-af32-r1, set the queue scheduling mode to AF, the dedicated
interface bandwidth to 40%, and bind the traffic behavior to the WRED
drop profile video-r1.
[R1]traffic classifier class-af32-r1
[R1-classifier-class-af32-r1]if-match dscp af32
[R1-classifier-class-af32-r1]traffic behavior behavior-af32-r1
[R1-behavior-behavior-af32-r1]queue af bandwidth pct 40
[R1-behavior-behavior-af32-r1]drop-profile video-r1
On R1, create a traffic classifier class-ef-r1 to match video traffic with

the DSCP priority of EF. Create a traffic behavior behavior-ef-r1, and set
the queue scheduling mode to EF and the dedicated interface bandwidth
to 30%.
[R1]traffic classifier class-ef-r1

[R1-classifier-class-ef-r1]if-match dscp ef
[R1-classifier-class-ef-r1]traffic behavior behavior-ef-r1
[R1-behavior-behavior-ef-r1]queue ef bandwidth pct 30
On R1, create a traffic policy policy-r1 and associate the traffic policy
with the traffic classifier class-af32-r1 and traffic behavior
behavior-af32-r1, the traffic classifier class-ef-r1 and traffic behavior
behavior-ef-r1, and apply the traffic policy to S1/0/0 in the outbound
direction.
[R1]traffic policy policy-r1
[R1-trafficpolicy-policy-r1]classifier class-af32-r1 behavior behavior-af32-r1
[R1-trafficpolicy-policy-r1]classifier class-ef-r1 behavior behavior-ef-r1
[R1-trafficpolicy-policy-r1]interface Serial 1/0/0
[R1-Serial1/0/0]traffic-policy policy-r1 outbound
Perform similar configuration on R2.

Configure G0/0/2 on R2 to trust DSCP priorities.
[R2-GigabitEthernet0/0/2]trust dscp
On R2, create a WRED drop profile named video-r2 based on DSCP

[R2]drop-profile video-r2
[R2-drop-profile-video-r2]wred dscp
[R2-drop-profile-video-r2]dscp af32 low-limit 50 high-limit 90
discard-percentage 30
On R2, create a traffic classifier class-af32-r2 to match video traffic

with the DSCP priority of AF32. Set the traffic behavior as
behavior-af32-r2, set the queue scheduling mode to AF, the dedicated
interface bandwidth to 40%, and bind the traffic behavior to the WRED
drop profile video-r2.
[R2]traffic classifier class-af32-r2
[R2-classifier-class-af32-r2]if-match dscp af32
[R2-classifier-class-af32-r2]traffic behavior behavior-af32-r2
[R2-behavior-behavior-af32-r2]queue af bandwidth pct 40
[R2-behavior-behavior-af32-r2]drop-profile video-r2
On R2, create a traffic classifier class-ef-r2 to match video traffic with

the DSCP priority of EF. Set the traffic behavior as behavior-ef-r2, set the
queue scheduling mode to EF and the dedicated interface bandwidth
to 30%.
[R2]traffic classifier class-ef-r2
[R2-classifier-class-ef-r2]if-match dscp ef
[R2-classifier-class-ef-r2]traffic behavior behavior-ef-r2
[R2-behavior-behavior-ef-r2]queue ef bandwidth pct 30
On R2, create a traffic policy policy-r2 and associate the traffic policy
with the traffic classifier class-af32-r2 and traffic behavior
behavior-af32-r2, the traffic classifier class-ef-r2 and traffic behavior
behavior-ef-r2, and apply the traffic policy to S1/0/0 in the outbound
direction.
[R2]traffic policy policy-r2
[R2-trafficpolicy-policy-r2]classifier class-af32-r2 behavior behavior-af32-r2
[R2-trafficpolicy-policy-r2]classifier class-ef-r2 behavior behavior-ef-r2
[R2-Serial1/0/0]traffic-policy policy-r2 outbound
Step 6 Configure traffic control based on the traffic
policy.
The headquarters wants to discard some video traffic with UDP port
numbers 4000 to 5000.
On R1, create ACL 3003 to match the traffic that is sent from R5 to R3
and has UDP ports 4000 to 5000.
[R1]acl number 3003
[R1-acl-adv-3003]rule 0 permit udp source-port range 4000 5000 source 10.0.145.5
0 destination 10.0.34.3 0
On R1, create a traffic classifier class-drop and reference ACL 3003 in

the traffic classifier.
[R1]traffic classifier class-drop
[R1-classifier-class-drop]if-match acl 3003
On R1, create a traffic behavior behavior-drop and configure the

deny action in the traffic behavior.

[R1]traffic behavior behavior-drop

[R1-behavior-behavior-drop]deny
On R1, create a traffic policy policy-drop and associate the traffic

policy with the traffic classifier class-drop and traffic behavior
behavior-drop, and apply the traffic policy to G0/0/5 in the inbound
direction.
[R1]traffic policy policy-drop
[R1-trafficpolicy-policy-drop]classifier class-drop behavior behavior-drop
[R1-trafficpolicy-policy-drop]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]traffic-policy policy-drop inbound
View the traffic policy configuration.

[R1]dis traffic policy user-defined policy-drop
User Defined Traffic Policy Information:
Policy: policy-drop
Classifier: class-drop
Operator: OR
Behavior: behavior-drop
Deny
After the configuration, summarize QoS policies and application

scenarios.
[V200R001C00SPC200]
#
sysname R1
#
acl number 3003
rule 0 permit udp source 10.0.145.5 0 source-port range 4000 5000 destination
10.0.34.3 0
#
drop-profile video-r1
wred dscp


#
traffic classifier class-drop operator or
if-match acl 3003
traffic classifier class-ef-r1 operator or
if-match dscp ef
traffic classifier class-af32-r1 operator or
if-match dscp af32
#
traffic behavior behavior-af32-r1
queue af bandwidth pct 40
traffic behavior behavior-ef-r1
queue ef bandwidth pct 30
traffic behavior behavior-drop
deny
#
traffic policy policy-drop
classifier class-drop behavior behavior-drop
traffic policy policy-r1
classifier class-af32-r1 behavior behavior-af32-r1
classifier class-ef-r1 behavior behavior-ef-r1
#
link-protocol ppp
ip address 10.0.12.1 255.255.255.0
traffic-policy policy-r1 outbound
#
ip address 10.0.145.1 255.255.255.0
trust dscp
qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard
traffic-policy policy-drop inbound
#
ip route-static 10.0.34.0 255.255.255.0 10.0.12.2
#
return
[V200R001C00SPC200]
#
sysname R2
#

wred dscp
#
traffic classifier class-ef-r2 operator or
if-match dscp ef
traffic classifier class-af32-r2 operator or
if-match dscp af32
#
traffic behavior behavior-af32-r2
queue af bandwidth pct 40
traffic behavior behavior-ef-r2
queue ef bandwidth pct 30
#
traffic policy policy-r2
classifier class-af32-r2 behavior behavior-af32-r2
classifier class-ef-r2 behavior behavior-ef-r2
#
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
traffic-policy policy-r2 outbound
#
ip address 10.0.34.2 255.255.255.0
trust dscp
qos car inbound cir 72 cbs 13536 pbs 22536 green pass yellow pass red discard
#
ip route-static 10.0.145.0 255.255.255.0 10.0.12.1
#
return
[V200R001C00SPC200]
#
sysname R3
#
ip address 10.0.34.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#

return
[V200R001C00SPC200]
#
sysname R4
#
ip address 10.0.145.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
[V200R001C00SPC200]
#
sysname R5
#
ip address 10.0.145.5 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
#
sysname S1
#
acl number 3001
acl number 3002
#
traffic classifier class-video-s1 operator and
if-match acl 3002
traffic classifier class-voice-s1 operator and
if-match acl 3001
#
traffic behavior behavior-video-s1
remark dscp af32

traffic behavior behavior-voice-s1

remark dscp ef
#
traffic policy policy-video-s1
classifier class-video-s1 behavior behavior-video-s1
traffic policy policy-voice-s1
classifier class-voice-s1 behavior behavior-voice-s1
#
qos lr outbound cir 128 cbs 16000
#
traffic-policy policy-voice-s1 inbound
#
traffic-policy policy-video-s1 inbound
#
return
#
sysname S2
#
acl number 3001
acl number 3002
#
traffic classifier class-video-s2 operator and
if-match acl 3002
traffic classifier class-voice-s2 operator and
if-match acl 3001
#
traffic behavior behavior-video-s2
remark dscp af32
traffic behavior behavior-voice-s2
remark dscp ef
#
traffic policy policy-voice-video-s2
classifier class-voice-s2 behavior behavior-voice-s2
classifier class-video-s2 behavior behavior-video-s2
#

qos lr outbound cir 128 cbs 16000
#
traffic-policy policy-voice-video-s2 inbound
#
return
#
sysname S3
#
interface Vlanif1
ip address 10.0.145.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.145.1
#
return
#
sysname S4
#
interface Vlanif1
ip address 10.0.34.4 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.34.2
#
return

HCNP-IENP Chapter 3 Integrated Lab Assessment
Chapter 3 Integrated Lab Assessment
Lab 3-1 Integrated Lab-1 (Optional)
Learning Objectives
• MST configuration
• Route configuration between VLANs
• RIP configuration
• OSPF configuration
• Route import configuration
• Routing policy configuration
• Firewall configuration
• QoS configuration

Topology
Figure 3-1 Integrated lab-1
Scenario

enterprise network consists of the headquarters network, branch
network, and branch office network.
The headquarters network consists of one firewall, one router, and
four switches. The firewall controls access between the internal network
and external network, and the enterprise network is divided into trust,
untrust, and DMZ zones. The four switches use the MST technique to
implement redundancy and improve network reliability. The QoS
technique is used on the switching network to control transmission of
data flows.
Routers on the headquarters network and branch office network are
connected through leased lines and belong to the OSPF routing domain.
To optimize network performance in the OSPF routing domain, the
headquarters network and branch office network are configured as OSPF
stub areas. Because the branch network uses RIP, route import is
required at the OSPF boundary to implement interworking between the

RIP routing domain and the OSPF routing domain.
Tasks
This lab provides the procedure and verification method, and does
not provide commands.
Step 1 Complete basic configuration and configure IP
addresses.
Configure IP addresses and masks for all devices and test

connectivity of directly connected devices.
Step 2 Configure MST.
Switches S1 and S2 are connected by an Eth-Trunk link.
Set the link type of interfaces between the switches to trunk and
configure the interfaces to allow packets from VLAN 10, VLAN 20, VLAN
30, and VLAN 40 to pass through.
Create VLANs 10, 20, 30, 40, and 100 on all the switches and
configure two MSTIs. VLANs 10, 20, and 100 use S1 as the root and
VLANs 30 and 40 use S2 as the root.
Step 3 Configure routes between VLANs.
Add G0/0/22 and G0/0/1 on S1 to VLAN 100, and add G0/0/1 on S2

to VLAN 10.
Create VLANIF interfaces for VLANs 10, 20, 30, and 40 on S1 and S2
to implement communication between VLANs.

Step 4 Configure OSPF.
Configure OSPF on R1, R2, R3, R4, S1, and S2. Configure the link
between R1 and R2 in OSPF area 0. Configure OSPF area 1 on the
headquarters network and OSPF area 2 on the branch office network,
and configure area 1 and area 2 as OSPF stub areas. Configure area 3 on
the network through which R2 and R3 are connected and configure area
3 as the NSSA area. OSPF is not required on the network through which
R1 and FW1 are connected.
Step 5 Configure route import.
Configure RIP on R3 and R5. On R3, configure RIP and OSPF to

import routes from each other. On R3, configure a routing policy to
import only RIP routes from R5 in the OSPF routing domain.
On FW1, create VLAN 100 and VLANIF 100, and configure an IP

address for VLANIF 100. On R1, configure a default route with the IP
address of VLANIF 100 on FW1 as the next hop. Import the default route
into OSPF so that R5 can learn this route.
On FW1, create a static route 10.0.0.0/16, with the IP address of

G0/0/1 on R1 as the next hop so that FW1 can communicate with all the
devices on the internal network.
Step 6 Configure the firewall.
Add interfaces on FW1 to trust, untrust, and DMZ zones. Devices in

the trust zone can access resources in all the zones, devices in the untrust
zone can access only port 80 of the server at 10.0.20.1 in the DMZ zone,
and devices in the DMZ zone cannot access other zones.

Step 7 Optimize network performance.
S4 needs to limit the rate of data packets for some users and raise
the priority of data packets for other users. E0/0/1 belongs to VLAN 10
and E0/0/2 belongs to VLAN 30. Set the rate limit on E0/0/1 to 128 kbit/s,
change DSCP priority for packets on E0/0/2 to 45, and configure E0/0/2
to trust DSCP.
Compare this lab with the original lab.


Lab 3-2 Integrated Lab2 (Optional)
Learning Objectives
• IBGP and EBGP configuration
• BGP attribute configuration
• SEP configuration
• NAT and IPSec configuration on the Eudemon firewalls
• End-to-end configuration on the router
Topology
Figure 3-2 Integrated lab 2

Scenario

enterprise headquarters and branch networks use BGP to connect to
ISP1 and ISP2. The headquarters network uses AS 100, the branch
network uses AS 200, ISP 1 uses AS 1, and ISP 2 uses AS 2.
The link connected to ISP1 is the primary link and the link connected
to ISP2 is the standby link. The Eudemon firewall is deployed between
the core switching network of the enterprise headquarters and the
egress router. The core switching network uses SEP to implement
redundancy. An IPSec VPN is established between firewalls of the
headquarters and branch networks.
Tasks
addresses.
Configure IP addresses and masks for physical interfaces and

loopback interfaces on all routers and test connectivity. Each Loopback0
uses the 32-bit mask.
Step 2 Configure BGP.
Configure IBGP and EBGP on R1, R2, R3, R4, and R5, and use physical
interfaces to establish BGP peer relationships. BGP load balancing is
disabled by default. To prevent the impact of BGP load balancing on
route selection, enable BGP load balancing and allow packets to be load
balanced on a maximum of four links.
On R1, R2, and R5, advertise their loopback interfaces' IP addresses

to BGP and check the BGP routing table. R5 learns routes 12.0.1.1/32 and
12.0.2.2/32 from R3, R1 learns the route 12.0.5.5/32 from R4, and R2
learns the route 12.0.5.5/32 from R3.

The enterprise headquarters and branch need to use the primary link
to communicate with each other.
Create a routing policy named as_path in which two values of AS 100
are added to the two routes 12.0.1.1/32 and 12.0.2.2/32 learned from R3.
Check the BGP routing table. R5 learns the two routes from R4.
On R1, create a routing policy local_pref, set the local priority of the
route 12.0.5.5/32 to 200, and apply the routing policy to R2. Check the
routing table of R2. R2 learns the route 12.0.5.5/32 from R4.
Step 3 Configure SEP.
To improve network robustness, switches S1, S2, and S3 use

redundant links, forming a loop. SEP is used to provide redundancy
protection.
Shut down G0/0/9 and G0/0/10 on S1 and S2, E0/0/23 on S3, and
E0/0/14 on S4.
Create a SEP segment and configure VLAN 100 as the control VLAN.
Specify all instances as protected VLANs.
Add G0/0/13 and G0/0/14 on S1 to the SEP segment, and configure

G0/0/13 as the primary edge interface and G0/0/14 as the secondary
edge interface. Add interfaces on S3 and S4 to the SEP segment.
Configure S1 to block interfaces based on the interface priority.
Set the priority of E0/0/1 on S3 to 128.
Set the preemption mode on S1 where the primary edge interface

resides to delayed preemption, and set the preemption delay to 30s.

After the configuration is complete, check the SEP running

information. E0/0/1 on S3 should be in blocking state.
Step 4 Configure NAT on the firewall.
Configure NAT on FW1.

Create VLAN 10 on S1 and add G0/0/22 to VLAN 10. Create VLANIF
10 and assign the IP address 10.0.111.11/24 to VLANIF 10. Configure
VLAN 10 on FW1 and create VLANIF 10. Assign IP address 10.0.111.21/24
to VLANIF 10 and use this IP address as the gateway address in the trust
area. By default, an IP address is assigned to VLANIF 1. Delete this
configuration to ensure lab accuracy.
On R2, advertise the route 12.0.112.0/24 into BGP. On R2, configure a

default route with the next hop as the IP address of FW1 and import the
default route to BGP. On FW1, configure a default route with the next
hop as the IP address of R2. On S1, configure a default route with the
next hop as the IP address of FW1.
On FW1, add E0/0/0 to the untrust zone, add E1/0/0 to the trust zone.
Configure filtering rules between zones to allow packets sent from the
network segment 10.0.111.0/24 in the trust zone to the untrust zone to
pass through.
On FW1, configure Easy IP to translate the source IP address of

packets sent to 10.0.111.0/24. Bind NAT to E0/0/0.
After the configuration is complete, FW1 allows the trust zone and
untrust zone to communicate.
Step 5 Configure IPSec VPN on the firewall.
Configure IPSec VPN on FW1 and FW2 on the headquarters and

branch networks.
Configure an IP address for Ethernet 2/0/0 on FW2. On FW2, add

E0/0/0 to the untrust zone and add E2/0/0 to the trust zone. Configure
FW1 and FW2 to allow data packets sent from the trust zone to the
untrust zone to pass through, and data packets sent from the untrust
zone to the local zone.
Advertise the route 12.0.5.0/24 to BGP. On FW2, configure a default
route with the next hop as the IP address of R5. On FW1, configure a
static route to 12.0.222.0/24. On FW2, configure a static route to
10.0.111.0/24.
On FW1 and FW2, define the data flows to be protected. On FW1,

configure ACL 3000 to match the traffic sent from 10.0.111.0/24 to
12.0.222.0/24. On FW2, configure ACL 3000 to match the traffic sent
from 12.0.222.0/24 to 10.0.111.0/24.
On FW1 and FW2, configure IPSec proposals in which the

encapsulation mode is tunnel, security protocol is ESP, and encryption
algorithm is DES. On FW1 and FW2, configure IKE proposals in which the
authentication algorithm is SHA1 and the encryption algorithm is DES.
On FW1 and FW2, configure IKE peers. IKE peers use IKEv2
negotiation by default.
On FW1 and FW2, configure IPSec policies. Apply IPSec policies to

E0/0/0.
The IPSec VPN between FW1 and FW2 is established.
Step 6 Configure QoS.
All the traffic between R1 and R5 and between R2 and R5 is

transmitted from the primary link, so QoS deployment may cause

congestion.
Create ACL 3001 and ACL 3002 on R1 to match the traffic sent from
R1 to R5 and R2 respectively.
Create a traffic classifier class_r1_r2 containing ACL 3001 and ACL

3002. Create a traffic behavior behavior_r1_r2 containing traffic shaping
and set the CIR to 10000. Create a traffic policy policy_r1_r2, associate
the traffic classifier and traffic behavior with the traffic policy, and apply
the traffic policy to G0/0/2.
Configure traffic policing on G0/0/2 and G0/0/1 of R4 and set the CIR
to 8000.
Create ACL 3001 and ACL 3002 on R5 to match the traffic sent from
R5 to R1 and R2 respectively.
Create a traffic classifier class_r5 containing ACL 3001 and ACL 3002.
Create a traffic behavior behavior_r5 containing traffic shaping and set
the CIR to 10000. Create a traffic policy policy_r5, associate the traffic
classifier and traffic behavior with the traffic policy, and apply the traffic
policy to G0/0/1 in the outbound direction.


The privilege of HCNA/HCNP/HCIE:
With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
 1、E-Learning Courses： Logon http://learning.huawei.com/en and enter Huawei Training/E-Learning
 Content：All Huawei Career Certification E-Learning courses
 Methods to get the E-learning privilege : submit Huawei Account and email being used for Huawei Account
registration to Learning@huawei.com .
 2、 Training Material Download
 Content: Huawei product training material and Huawei career certification training material
 Method：Logon http://learning.huawei.com/en and enter Huawei Training/Classroom Training ,then you can
download training material in the specific training introduction page.
 3、 Priority to participate in Huawei Online Open Class (LVC)
 The Huawei career certification training and product training covering all ICT technical domains like R&S,
UC&C, Security, Storage and so on, which are conducted by Huawei professional instructors
 4、Learning Tool:s
 eNSP ：Simulate single Router&Switch device and large network
 WLAN Planner ：Network planning tools for WLAN AP products.
 In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with
Huawei experts , share exam experiences with others or be acquainted with Huawei Products.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1

Huawei Certification HCNP Lab Guide HCNP-IENP v1.6 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Huawei Certification HCNP Lab Guide HCNP-IENP v1.6 PDF

Uploaded by

Copyright:

Available Formats

The privilege of HCNA/HCNP/HCIE:

 3、 Priority to participate in Huawei Online Open Class (LVC)

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1

Huawei Technologies Co.,Ltd

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei

The information in this document is subject to change without notice.

HCNP-IENP Improving Enterprise Network Performance

Huawei Certification System

Relying on its strong technical and professional training system, in

HCNA (Huawei Certified Network Associate) is primary for IP network

Router L3 Switch L2 Switch Firewall Net cloud

Lab environment specification

The Lab environment is suggested below:

Identifier Device OS version

R1 AR 2220 Version 5.90 ( V200R001C01SPC300)

R2 AR 2220 Version 5.90 ( V200R001C01SPC300)

R3 AR 2220 Version 5.90 ( V200R001C01SPC300)

R4 AR 1220 Version 5.90 ( V200R001C01SPC300)

R5 AR 1220 Version 5.90 ( V200R001C01SPC300)

S1 S5700-28C-EI-24S Version 5.70 (V100R006C00SPC800)

S2 S5700-28C-EI-24S Version 5.70 (V100R006C00SPC800)

S3 S3700-28TP-EI-AC Version 5.70 (V100R006C00SPC800)

S4 S3700-28TP-EI-AC Version 5.70 (V100R006C00SPC800)

FW1 Eudemon 200E-X2 Version 5.30 (V100R005C00SPC100)

FW2 Eudemon 200E-X2 Version 5.30 (V100R005C00SPC100)

Chapter 1 Implementing firewall functions and features ................................................................... 1

Lab 1-2 IPSec VPN Configuration on a Eudemon Firewall ............................................................. 23

Lab 1-3 Attack Defense Configuration on a Firewall ..................................................................... 46

Lab 1-4 NAT Configuration on a Eudemon Firewall ...................................................................... 61

Chapter 2 QoS and traffic flow management ................................................................................. 106

Lab 2-1 QoS ................................................................................................................................ 106

Chapter 3 Integrated Lab Assessment ............................................................................................ 144

Lab 3-1 Integrated Lab-1 (Optional) ........................................................................................... 144

Lab 3-2 Integrated Lab2 (Optional)............................................................................................. 150

Chapter 1 Implementing firewall functions and

Lab 1-1 Security Zone Configuration and Configurations

for Other Basic Functions on a Firewall

The objectives of this lab are to learn and understand:

• Security zone configuration for the firewall

• Packet filtering configuration in the interzone

• Static and dynamic blacklist configurations

• Packet filtering configuration at the application layer

HC Series HUAWEI TECHNOLOGIES 1

Figure 1-1 Zone configuration

Assume that you are a network administrator of an enterprise. The

Step 1 Configure IP addresses.

Configure IP addresses for R1, R2, and R3.

2 HUAWEI TECHNOLOGIES HC Series

[R1]interface GigabitEthernet 0/0/1

Ethernet1/0/0 on the firewall is a Layer 2 switch interface and cannot

HC Series HUAWEI TECHNOLOGIES 3

Plan VLANs for interfaces on S1.

Test the connectivity on each zone on the FW.

--- 10.0.10.1 ping statistics ---

4 HUAWEI TECHNOLOGIES HC Series

Reply from 10.0.20.1: bytes=56 Sequence=3 ttl=255 time=1 ms

--- 10.0.20.1 ping statistics ---

--- 10.0.30.1 ping statistics ---

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254